July 5, 2006 5:35 PM PDT

Apple widget checks raise eyebrows

A few Mac users are concerned about a feature in the latest update to Mac OS that directs their computers to check in with Apple Computer's servers on a regular basis without the user's knowledge or permission.

Apple released an update to Mac OS last week that fixed a few bugs and added some features. One feature Apple added was described as the ability to verify that a widget was an authentic program. Widgets are small software programs that provide Mac users with little bits of useful information, like the weather report or stock tickers.

Some bloggers have become concerned that Apple is collecting information without their authorization, after the recent furor caused by Microsoft's Windows Genuine Advantage Notification program. Microsoft inserted a prerelease program in a regular Windows update that checks Windows PCs to make sure they are running a genuine copy of the operating system, but the company included that beta feature without telling users and has since posted instructions on how to remove it after a backlash.

Apple's Dashboard Advisory verification software was designed as a security feature, a company representative said. "Apple takes protecting user privacy very seriously. The Dashboard Advisory feature is a security tool that ensures that the correct version of a widget has been downloaded from a third-party site and no personal information is transmitted back to Apple," the company said in a statement.

Dashboard Advisory looks at just widgets, not the rest of the operating system. Widgets available on Apple's Downloads page are actually hosted by the companies that developed the widgets, not Apple. The verification feature is designed to ensure that the widget advertised on Apple's Download page is the same widget that gets installed on a Mac, or to prevent someone from spoofing a link to trick a user into downloading a different program.

A Mac with the latest version of Mac OS, version 10.4.7, sends an HTTP (hypertext transfer protocol) GET command to Apple's servers to verify that the widget is authentic, the company representative said. There is no way to turn off the transmission, which takes place about every eight hours, and the user is not prompted before the transmission is made.


104 comments

OK, Apple
Please explain to me why it's necessary to "phone home" every 8
hours.
Posted by GGGlen (491 comments )
Bad Widgets
Here's a thought.

Widgets can make operating system calls through the system
extension. Of course they can only do things that the user has
security to do.

Let us imagine there is a privilege execution problem in a low
level command. This is a traditional way to gain control of a Unix
box at a level higher than you are entitled to.

Or easier still, let us imagine a widget that prompts the user to
enter their admin account/password to authorise something that
sounds realistic ('install new version').

Let's also consider that widgets are mostly written in JavaScript
which has a far higher development audience than Objective-C,
and that most people think widgets are fun things that can't do
any harm.

At the simplest level someone could write a widget that just did
an rm * on your iTunes and iMovies collection. It would be your
fault for trusting and running it, and it would not last long
before word got around, but most end users' expectation is that a
widget wouldn't do that sort of thing. Psychology is the biggest
thing hackers exploit.

Given all that, perhaps Apple wanted to put in a way to block /
kill bad widgets, without actually announcing a new security tool
for Dashboard. (CNET Headline 'Apple Dashboard Security Flaw'
- a proof of concept Trojan widget has been created by a
security researcher).
Posted by JulesLt (110 comments )
Please tell me why
Please tell me why boneheads put article root on crap?
Posted by kieranmullen (1070 comments )
Turn Off The dotMAC SYNC.
System Preferences People...

This is a simple user error, nothing else.

No news here people, move along...
Posted by Llib Setag (951 comments )
Not exactly
That would only apply to someone who had a .Mac account since
the sync pref isn't otherwise available. And it is not the case that
Apple's widget probe only applies to people with .Mac accounts. I
don't think it is a big issue, but it is another example of Apple
treating customers like adolescents.
Posted by nicmart (1829 comments )
Ah, I see
So when Apple does this stuff, it's "simple user error" but when Microsoft does it, it's spyware. How interesting a little perspective is.

nicmart's right. It's Apple treating their customers like children, which is where the real "not news" is. Apple is control, always have been, always will be.
Posted by Christopher Hall (1205 comments )
One would think companies would figure it out by now
users are suspicious of any software phoning home. They could avoid a lot of trouble, rumors (like the kill switch rumor for MS WGA), and bad press by being responsible and acting in good faith by disclosing these sort of features up front and not hiding it in EULA or not mentioning it at all.
Posted by unknown unknown (1951 comments )
Reading comprehension not a necessary skill
it would seem.

This feature of 10.4.7 - UNLIKE WGA - only checks on the
validity of third party widgets on your dashboard.

It does not "snoop" on your operating system, record your
keystrokes, or do any other tinfoil hat wearing stupid post which
i'm sure will make its way to this comments section soon
enough.

But hey, don't let that stop you from your 15 minutes of ranting
fame.
Posted by (13 comments )
as your understanding of the issue proves
WGA does not 'snoop'. Very clearly, as stated from the beginning, it checks to see if you are running a legit copy of Windows. Totally above board. Also, the only reason WGA picked up the phone every reboot was to read a control file off the MS servers, not send info like keystrokes; so your ignorance is set in stone for all to see.
Just like WGA, however, Apple did not fully or clearly detail what it is you were downloading, nor the fact it would dial out on a regular basis, nor what it was sending.
You Apple apologists truly know no bounds. Almost any action is vilified or ignored, simply because of who is doing it.
Posted by catch23 (436 comments )
Your foolish complacency
As a Mac user I see no reason for my Mac to check back in with anyone for any reason. I would also prefer to know beforehand and have the option of not participating in such checks. Your complacency is certainly not indicative of most competent Mac owners I know.
Posted by Buzz_Friendly (74 comments )
You CAN disable it
I think it needs to be pointed out that you CAN disable this:

http://blog.wired.com/cultofmac/index.blog?entry_id=1515043
Posted by galendw (5 comments )
Sad no one learned from the SONY BMG rootkit !
Sad, for it shows no one has learned a thing!, from the SONY BMG phone home rootkit illegal virus saga of last year!

It does amply demonstrate, the age of the user's absolute control of his or her computer as an independent entity!, is rapidly coming to an end though!, should either Apple or the monolith like Microsoft gain the upperhand!

It will always remain about free choices and fair use!
Posted by heystoopid (691 comments )
heystoopid
Comparing this to the Sony rootkit is, well, stoopid.
Posted by Thrudheim (306 comments )
Apple becoming Microsoft?
What next? Blue screens of death added to next version of Mac OS X?
http://www.techknowcafe.com/content/view/551/43/
Posted by (156 comments )
No, but there is a reason CNET's banner is yellow...
Yellow journalism?!

This is a check for updates. The sort of check almost every
piece of modern software has as a feature.

It can be disabled, it doesn't report information to the company,
and there is no reason to have it as such a prominent headline,
except that CNET knows the "controversy" will draw page views.

Whatever. That's the business model of the blog: spread FUD
and get clicks.
Posted by dotmike (154 comments )
Privacy
Privacy entails that I can *choose* with whom I - and by
extension my computer - want to communicate with. Apple did
not offer a choice, but failed to mention that there is a 'phoning
home' feature in OS 10.4.7. If they would have let everybody
know about it, and would have provided their customers with an
option to turn it off, nobody would feel violated. As it stands,
there are going to be an awful lot of unhappy Mac users... very
soon.
Posted by Tui Pohutukawa (366 comments )
no Mac user will be unhappy
because the God Jobs did this so it must be good for them and no real issue.
Posted by The user with no name (259 comments )
Microsoft invented it first, Apple just copied it (LOL)
Wouldn't you know, of all things to steal from Microsoft, it would be this? How ironic! After reading the story, I'm still sitting here shaking my head wondering, "How many operating systems does it take to screw in a bad idea (light bulb blinking over the head)?"
Posted by Seaspray0 (9714 comments )
Oh, that's rich!
What a wonderful way to put it, too! Of all things to copy from Microsoft, Apple chooses this. Thumbs up, Jobsy. Thumbs WAY up.
Posted by Christopher Hall (1205 comments )
The Slippery Slope. . . .
If we're going to start "verifying" now that widgets are authentic,
then why stop there? Why not "verify" all the other programs on
your computer? From there it's a slippery slope, with Apple
deciding what programs are worthy of verification, and who is
allowed to create "official" programs for the Mac -- and maybe
even eventually going the way of Nintendo and Sony, requiring
all Mac software to be licensed and shutting out hobbyists,
shutting out shareware, shutting out emulators or any other
programs they object to.
Posted by tonybelding (49 comments )
And this surprises people why?
OSX already requires you to put in personal information including name, address and telephone number when you start up a new Mac or reinstall your OS. It will not let you leave this info blank. That info gets transmitted back to Apple. At least MS doesn't *require* you to register.
Posted by Methuss (101 comments )
COMPLETELY FALSE
I have *NEVER* put in that info. When you get to that section, hit Apple-Q (or Command-Q according to some people -- it's the same key anyway). It will then ask you if you want to decline registration at that time. Say yes, and there you go!
Posted by chris_d (195 comments )
On the other hand
the Mac OS doesn't require one to enter license keys.

Asking for registration is really quite modest. I really don't have
a problem with Apple wanting to find out who their customers
are.

As the other poster said, you can bypass the process by quitting
(which is not as hidden as you describe since, I think, Quit is
available as a menu choice -- besides command-Q is hardly
undocumented; it's been the way to quit any Mac program since
1984). Or, you can supply phony contact information if it really
bothers you.
Posted by Thrudheim (306 comments )
Solution: Little Snitch
Grab a copy of the utility "Little Snitch" and the problem is solved. It will tell you when ANY software is trying to connect to the net and allow you to disable it.
Posted by R. U. Sirius (745 comments )
it's easier than that
Galendw posted a link above that details exactly how to turn this
off. In case people are paranoid about clicking links (I am when
using a winblows box), the instructions are as follows:

1. Open Terminal.
2. sudo mv /etc/mach_init.d/dashboardadvisoryd.plist /etc/mach_init.d/dashboardadvisoryd.plist.disabled
3. Reboot.

Not so bad. Ever go through removing that WGD (Winblows
Genuine DISadvantage) trash from your system before? I have,
let's just say it's not quite so easy.

Since we're comparing this to WGD, would someone mind telling
me how Apple could use this to disable your system? That's what
ticked me off about WGD - I couldn't use my own computer for a
few days until I called M$ and read them a bunch of useless
numbers, then entered another bunch of useless numbers. And
for those who figure I'm a nefarious type, no my XP license isn't
in question (it's perfectly legal) and no I haven't upgraded
anything on my box in years (same processor, memory,
motherboard, HD, etc). WGD literally locked up my computer
because my firewall prevented it from phoning home upon
installation (it can be argued that's my fault, since I blocked it). I
seriously doubt Apple could do the same with this.

That said, this wasn't a good move for Apple to say the least. I
wish these companies would learn to come clean about stuff like
this, it wouldn't bother people as much as discovering it this way
does.
Posted by Dalkorian (3000 comments )
Not anything like WGA in the slightest, folks.
There is a vast difference between an app that checks to see if an installed widget came from where it says it had come from (and if not is actually helpful in detecting trojans), and a program that screams back to MSFT whenever it thinks you're not legit in your CD key or whatever.

Of course, that won't stop ignorant folks from spreading the usual FUD...
Posted by Penguinisto (5042 comments )
Like he said, exactly like WGA completely, folks.
There is NO difference between an app that checks to see if an installed OS came from where it says it had come from (and if not is actually helpful in detecting trojans), and a program that screams back to Apple whenever it thinks your widget is not legit or whatever.

Of course, that won't stop ignorant folks from spreading the usual FUD...
Posted by sanenazok (3449 comments )