May 17, 2004: Another Mac OS X security issue comes to light, and this one has a fun proof-of-concept web page. Meanwhile, Gwyneth Paltrow names her kid "Apple," and the G5 cluster at Virginia Tech may be vanishing from the next list of the top supercomputers...
Fun With(out) Security (5/17/04)
Woo-hoo, it's like we Mac users have been in Security Issue Heaven recently, isn't it? After years and years of watching forlornly as Windows users had all the fun, Macfolk are finally starting to see a little action these days. First there was that questionable but clever little demo Trojan whereby arbitrary executable code was embedded in the ID3 tags of an MP3 file. Then there was this fake Word 2004 installer floating around, which was just a "delete everything we can" script with a custom icon pasted on top-- not exactly a security hole, since any system that lets you delete any files would be susceptible to that sort of thing, but still, it was a real piece of Mac OS X malware found in the wild.
And now there's this new hole in Mac OS X that apparently lets the bad guys exploit Help Viewer to run code on your system just by getting you to click a single link on a web site they set up. Faithful viewer Bernd Schnitker was the first to inform us that, as detailed by the security web site Secunia, "the 'help' URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using 'help:runscript.'" In other words, Help Viewer is allowed to run AppleScripts and the like, provided they're somewhere on your system, and will do so if instructed to via a web link to "help:runscript=..." which specifies where the script resides. The upshot is that some clever folks could slap together a web page that automatically sends you a .dmg disk image (which, with default settings, Safari etc. will automatically mount), waits a little while, and then redirects your browser to the help:runscript URI pointing to the script included on the mounted disk image.
Don't believe it could work? Well, the site insecure.ws not only has a description of the problem, but also put together a proof-of-concept web page that exploits the hole. Click here to see it in action; while it won't actually harm your system, it'll prove that it could if it wanted to; if you haven't messed with any relevant default Safari settings, you'll see a disk image mount on the Desktop, Help Viewer launch, and Terminal spawn a new window informing you that you've been compromised. Don't forget to toss that scary "owned.txt" file that the script slapped into your home directory just to make you sleep a little less soundly at night. (We don't sleep anyway, so we're thinking of keeping it around. It classes up the joint a little.)
For what it's worth, if you want to protect yourself from this sort of thing happening until Apple issues another Security Update, it's not too difficult; you can either tell Safari (or whatever browser you use) not to mount downloaded disk images (uncheck "Open 'safe' files after downloading" in the General Preferences), or better yet, use something like the More Internet preference pane to rename the help URI handler. Geez, three security issues of varying degrees of ickiness in the space of less than six weeks; multiply that by ten, and we'll almost be where Windows is! Enterprise sales, here we come!
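The pattern described above (a fetched disk image followed by a delayed redirect to a `help:runscript` URI) can be checked for in saved page source. This is an added example, not code from the original page, Secunia or insecure.ws; `audit_page`, the finding labels and the sample page with its placeholder host and paths are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "data", "action"}   # attributes that load or navigate
TRAVERSAL = re.compile(r"\.\.[/\\]")             # "../" or "..\" after decoding
JS_NAV = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")

class NavCollector(HTMLParser):
    """Collect every URL the page can send the browser to."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        self.urls += [v for k, v in a.items() if k in URL_ATTRS]
        # <meta http-equiv="refresh" content="8; url=..."> is a delayed redirect
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(m.group(1).strip(" '\""))

    def handle_data(self, data):
        # Script bodies arrive here as text; pick up location assignments.
        self.urls += JS_NAV.findall(data)

def audit_page(html):
    """Return (finding, raw_url) pairs for disk-image fetches and help:runscript URIs."""
    collector = NavCollector()
    collector.feed(html)
    findings = []
    for raw in collector.urls:
        url = unquote(raw).strip()        # decode %2e%2e%2f before matching
        low = url.lower()
        if low.startswith("help:") and "runscript" in low:
            kind = "help-runscript-traversal" if TRAVERSAL.search(url) else "help-runscript"
            findings.append((kind, raw))
        elif low.split("?")[0].endswith(".dmg"):
            findings.append(("disk-image-fetch", raw))
    return findings

# Constructed sample page; host and paths are placeholders, not a real exploit.
CONSTRUCTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="8; url=help:runscript=..%2F..%2FPLACEHOLDER/example.scpt">
</head><body><a href="http://example.invalid/PLACEHOLDER.dmg">download</a></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(CONSTRUCTED_PAGE):
        print(finding)
```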
"It's A... Golden Delicious!" (5/17/04)
Huzzahs and hosannas to the new little person! We're not sure how closely you follow the entertainment news (you should be studying it like a bloodhound on espresso, because you never know when another Ashton-Demi pairing might send pork belly futures soaring again), but faithful viewer Keith Bradnam informed us over the weekend that, according to the BBC News, the lovely and talented Gwyneth Paltrow gave birth to a healthy baby girl last Friday. And granted, while the Beeb isn't necessarily as well-known for this sort of coverage as, say, Entertainment Weekly or the Weekly World News (which has apparently been forced into hiatus by Elvis-worshipping alien government conspirators), we figure it's probably still generally accurate as far as this sort of thing is concerned.
Why is this relevant, you ask? Well, apart from being news about a celebrity's personal life, which is always crucial to know under any circumstances, the BBC reports that Gwyneth's bouncing nine-pound-eleven-ouncer is, in fact, a "baby Apple." And while at first the headline caused us a fair bit of confusion (since we had been assuming for years that offspring was more or less generally of the same species as the parents, to say nothing of the same genus, family, order, class, phylum and kingdom), only after an hour or two of pondering some profoundly disturbing mental images of the birth, we soon came around to the realization that the baby isn't destined for the "Unnatural Vegetation" section of some circus sideshow, and that "Apple" is merely the oh-so-human child's name.
Now, you'll have to admit that "Apple" is a relatively unusual name for a child-- and one verging on emotional abuse, guaranteeing as it does a childhood brimming with cruel schoolyard taunts and the like. Whether Paltrow's sprout sharing the moniker of our fave computer digital lifestyle company is a mere coincidence or Gwyneth is just sucking up to get moved to the front of the miniPod waiting list is a matter of some speculation. But in any case, "both mother and baby were said to be doing well," which is good news in any circumstances. Well, unless you know for sure you're dealing with a Rosemary's Baby sort of situation, but those comprise fewer than one in five births these days, so why worry?
Meanwhile, on a slightly more litigious note, sources inform us that little Apple may be off to a rocky start: Apple Corps (the parent company of the Beatles' record label, Apple Records) has already filed suit against the child, alleging blatant trademark infringement. In a statement to the press, Apple Corps general counsel insisted that Apple Martin's very existence on the face of the planet constitutes an illegal usage of the Apple trademark; since fully half of her genetic material derives from her dad, musician Chris Martin of the band Coldplay, in the eyes of the law, her own DNA clearly defines her as a product of the music industry, and, as everyone knows, any use whatsoever of the word "apple" in a music context constitutes a vile act of assault on the Beatles' intellectual property.
Compounding the sheer evil of her having been born in the first place is the fact that her surname is unapologetically an infringement of the intellectual property of the Beatles' former producer George Martin, whose lawyers are currently hoping to settle out of court. Not exactly a peaceful introduction to this crazy world, although it's maybe a pretty representative one. Don't worry, little Apple; we're sure that Mummy and Daddy have got some mighty fine lawyers at their disposal.
3 to Nowhere With A Bullet (5/17/04)
Say, remember just six months ago when Apple (the computer company, not Baby Paltrow, who was merely a human bean at the time) made waves in the hardcore geek community because Virginia Tech managed to build the world's third-fastest supercomputer out of off-the-shelf Power Mac G5s in a matter of months for a cost normally associated less with massive parallel computational clusters and more with, for example, a large fries and a Coke? Well, faithful viewer mrmgraphics notes that Apple is still milking that massive PR win for every drop of happy juice it can; the company has just launched a whole new section of its web site devoted to High Performance Computing, and a link to more about Virginia Tech's "System X" features prominently on the main page: "Not only is Mac OS X [sic] the world's fastest, most powerful 'home-built' supercomputer, it quite possibly has the lowest price/performance of any supercomputer on the TOP500 list."
There's just one leetle problem, here: due to a recent reduction in computational performance, System X might not actually be on the TOP500 list for much longer. In fact, the AtAT staff happens to own a Mac-based system that currently outperforms System X's latest output: it's called a Macintosh SE, and its single 8 MHz 68000 chip is running rings around System X right this second-- because System X isn't processing squat. And according to a Think Secret article pointed out to us by faithful viewer frozen tundra, since the cluster isn't so much as spitting a flying toaster onto the screen, it'll actually "temporarily drop off the Linpack Top 500 Supercomputer list" when the new stats are published next month.
Why this embarrassing development? Well, remember when Virginia Tech announced that it would be replacing all 1,100 Power Macs in System X with 1,100 Xserve G5s? It sounded like a great idea at the time, since keeping 1,100 Power Macs in racks is sort of like storing peanut butter in Ziploc sandwich bags; you can do it, but there's obviously a better way. Xserves would provide roughly the same computational power while cutting the system's physical size "by a factor of three" and chewing up far less power for cooling, and of course the only reason Virginia Tech didn't build the cluster that way in the first place was because Xserve G5s didn't exist last summer.
So Virginia Tech planned its little plans and expected that the switchover would be "complete by May," but May is more than half over and the lights are still out down System X way. Apparently the school hadn't counted on IBM's G5 yield problems and Apple's ensuing Xserve shipping delays, because the school has already sold off its Power Macs in anticipation of the new Xserves arriving, and now the cluster isn't so much a cluster as it is a "massive datacenter of customized racks" currently hosting nothing more than a few tumbleweeds and the sound of crickets. Reports apparently conflict slightly on the Xserve shipping status; Think Secret reports that one source says Xserves won't start arriving until next month, while another says a few have finally started to trickle in. In any case, though, it sounds like System X will still be offline by the time the new TOP500 list is published, which will apparently return to its former Macless state for half a year. Bummer.
On the plus side, though, Think Secret's sources indicate that "when the Xserve upgrade is complete, the cluster may have even more nodes," so when it pops back onto the list come November, maybe it'll have pumped its score a bit higher past the 10-teraflop mark. Of course, supercomputers are being built and expanded all the time, so there's no telling what slot System X will win in six months' time. We're keeping our fingers crossed for a top-5 placement, just so it gets to win back its cool little blurb on the TOP500 home page. It's all about the home page...