July 5, 2006 5:35 PM PDT

Apple widget checks raise eyebrows

A few Mac users are concerned about a feature in the latest update to Mac OS that directs their computers to check in with Apple Computer's servers on a regular basis without the user's knowledge or permission.

Apple released an update to Mac OS last week that fixed a few bugs and added some features. One feature Apple added was described as the ability to verify that a widget was an authentic program. Widgets are small software programs that provide Mac users with little bits of useful information, like the weather report or stock tickers.

Some bloggers have become concerned that Apple is collecting information without their authorization, after the recent furor caused by Microsoft's Windows Genuine Advantage Notification program. Microsoft inserted a prerelease program in a regular Windows update that checks Windows PCs to make sure they are running a genuine copy of the operating system, but the company included that beta feature without telling users and has since posted instructions on how to remove it after a backlash.

Apple's Dashboard Advisory verification software was designed as a security feature, a company representative said. "Apple takes protecting user privacy very seriously. The Dashboard Advisory feature is a security tool that ensures that the correct version of a widget has been downloaded from a third-party site and no personal information is transmitted back to Apple," the company said in a statement.

Dashboard Advisory looks at just widgets, not the rest of the operating system. Widgets available on Apple's Downloads page are actually hosted by the companies that developed the widgets, not Apple. The verification feature is designed to ensure that the widget advertised on Apple's Download page is the same widget that gets installed on a Mac, or to prevent someone from spoofing a link to trick a user into downloading a different program.

A Mac with the latest version of Mac OS, version 10.4.7, sends an HTTP (hypertext transfer protocol) GET command to Apple's servers to verify that the widget is authentic, the company representative said. There is no way to turn off the transmission, which takes place about every eight hours, and the user is not prompted before the transmission is made.

OK, Apple
by GGGlen July 5, 2006 5:54 PM PDT
Please explain to me why it's necessary to "phone home" every 8
hours.
Bad Widgets
by JulesLt July 5, 2006 6:44 PM PDT
Here's a thought.

Widgets can make operating system calls through the system
extension. Of course they can only do things that the user has
security to do.

Let us imagine there is a privilege execution problem in a low
level command. This is a traditional way to gain control of a Unix
box at a level higher than you are entitled to.

Or easier still, let us imagine a widget that prompts the user to
enter their admin account/password to authorise something that
sounds realistic ('install new version').

Let's also consider that widgets are mostly written in JavaScript
which has a far higher development audience than Objective-C,
and that most people think widgets are fun things that can't do
any harm.

At the simplest level someone could write a widget that just did
an rm * on your iTunes and iMovies collection. It would be your
fault for trusting and running it, and it would not last long
before word got around, but most end users' expectation is that a
widget wouldn't do that sort of thing. Psychology is the biggest
thing hackers exploit.

Given all that, perhaps Apple wanted to put in a way to block /
kill bad widgets, without actually announcing a new security tool
for Dashboard. (CNET Headline 'Apple Dashboard Security Flaw'
- a proof of concept Trojan widget has been created by a
security researcher).
Please tell me why
by kieranmullen July 5, 2006 10:47 PM PDT
Please tell me why boneheads put article root on crap?
Turn Off The dotMAC SYNC.
by Llib Setag July 5, 2006 6:00 PM PDT
System Preferences People...

This is a simple user error, nothing else.

No news here people, move along...
Not exactly
by nicmart July 5, 2006 7:44 PM PDT
That would only apply to someone who had a .Mac account since
the sync pref isn't otherwise available. And it is not the case that
Apple's widget probe only applies to people with .Mac accounts. I
don't think it is a big issue, but it is another example of Apple
treating customers like adolescents.
Ah, I see
by Christopher Hall July 6, 2006 6:57 AM PDT
So when Apple does this stuff, it's "simple user error" but when Microsoft does it, it's spyware. How interesting a little perspective is.

nicmart's right. It's Apple treating their customers like children, which is where the real "not news" is. Apple is control, always have been, always will be.
One would think companies would figure it out by now
by unknown unknown July 5, 2006 6:07 PM PDT
users are suspicious of any software phoning home. They could avoid a lot of trouble, rumors (like the kill switch rumor for MS WGA), and bad press by being responsible and acting in good faith by disclosing these sort of features up front and not hiding it in EULA or not mentioning it at all.
Reading comprehension not a necessary skill
by July 5, 2006 6:37 PM PDT
it would seem.

This feature of 10.4.7 - UNLIKE WGA - only checks on the
validity of third party widgets on your dashboard.

It does not "snoop" on your operating system, record your
keystrokes, or do any other tinfoil hat wearing stupid post which
i'm sure will make its way to this comments section soon
enough.

But hey, don't let that stop you from your 15 minutes of ranting
fame.
as your understanding of the issue proves
by catch23 July 5, 2006 7:30 PM PDT
WGA does not 'snoop'. Very clearly, as stated from the beginning, it checks to see if you are running a legit copy of Windows. Totally above board. Also, the only reason WGA picked up the phone every reboot was to read a control file off the MS servers, not send info like keystrokes; so your ignorance is set in stone for all to see.
Just like WGA, however, Apple did not fully or clearly detail what it is you were downloading, nor the fact it would dial out on a regular basis, nor what it was sending.
You Apple apologists truly know no bounds. Almost any action is vilified or ignored, simply because of who is doing it.
Your foolish complacency
by Buzz_Friendly July 5, 2006 8:07 PM PDT
As a Mac user I see no reason for my Mac to check back in with anyone for any reason. I would also prefer to know beforehand and to have the option of not participating in such checks. Your complacency is certainly not indicative of most competent Mac owners I know.
You CAN disable it
by galendw July 5, 2006 6:43 PM PDT
I think it needs to be pointed out that you CAN disable this:

http://blog.wired.com/cultofmac/index.blog?entry_id=1515043
Sad no one learned from the SONY BMG rootkit !
by heystoopid July 5, 2006 11:22 PM PDT
Sad, for it shows no one has learned a thing!, from the SONY BMG phone home rootkit illegal virus saga of last year!

It does amply demonstrate, the age of the user's absolute control of his or her computer as an independent entity!, is rapidly coming to an end though!, should either Apple or the monolith like Microsoft gain the upperhand!

It will always remain about free choices and fair use!
heystoopid
by Thrudheim July 6, 2006 1:05 PM PDT
Comparing this to the Sony rootkit is, well, stoopid.
Apple becoming Microsoft?
by July 5, 2006 11:24 PM PDT
What next? Blue screens of death added to next version of Mac OS X?
http://www.techknowcafe.com/content/view/551/43/
No, but there is a reason CNET's banner is yellow...
by dotmike July 6, 2006 12:28 AM PDT
Yellow journalism?!

This is a check for updates. The sort of check almost every
piece of modern software has as a feature.

It can be disabled, it doesn't report information to the company,
and there is no reason to have it as such a prominent headline,
except that CNET knows the "controversy" will draw page views.

Whatever. That's the business model of the blog: spread FUD
and get clicks.
No, but there is a reason CNET's banner is yellow...
by dotmike July 6, 2006 12:29 AM PDT
Yellow journalism?!

This is a check for updates. The sort of check almost every
piece of modern software has as a feature.

It can be disabled, it doesn't report information to the company,
and there is no reason to have it as such a prominent headline,
except that CNET knows the "controversy" will draw page views.

Whatever. That's the business model of the blog: spread FUD
and get clicks.
Privacy
by Tui Pohutukawa July 6, 2006 2:33 AM PDT
Privacy entails that I can *choose* with whom I - and by
extension my computer - want to communicate with. Apple did
not offer a choice, but failed to mention that there is a 'phoning
home' feature in OS 10.4.7. If they would have let everybody
know about it, and would have provided their customers with an
option to turn it off, nobody would feel violated. As it stands,
there are going to be an awful lot of unhappy Mac users... very
soon.
no Mac user will be unhappy
by The user with no name July 6, 2006 12:47 PM PDT
because the God Jobs did this so it must be good for them and no real issue.
Microsoft invented it first, Apple just copied it (LOL)
by Seaspray0 July 6, 2006 6:53 AM PDT
Wouldn't you know, of all things to steal from microsoft, it would be this? How ironic! After reading the story, I'm still sitting here shaking my head wondering, "How many operating systems does it take to screw in a bad idea (light bulb blinking over the head)?"
Oh, that's rich!
by Christopher Hall July 6, 2006 7:00 AM PDT
What a wonderful way to put it, too! Of all things to copy from Microsoft, Apple chooses this. Thumbs up, Jobsy. Thumbs WAY up.
The Slippery Slope. . . .
by tonybelding July 6, 2006 8:14 AM PDT
If we're going to start "verifying" now that widgets are authentic,
then why stop there? Why not "verify" all the other programs on
your computer? From there it's a slippery slope, with Apple
deciding what programs are worthy of verification, and who is
allowed to create "official" programs for the Mac -- and maybe
even eventually going the way of Nintendo and Sony, requiring
all Mac software to be licensed and shutting out hobbyists,
shutting out shareware, shutting out emulators or any other
programs they object to.