Re: Mac Screensaver Vulnerable - OS X


foo
07-07-2003, 12:36 AM
On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
<adminkoff[at]NOSPAMcox.net> wrote:

>In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
> flip <flippo[at]mac.com> wrote:
>
>> Anyone who leaves a computer where strangers can get to it and be
>> undisturbed for more than 5 minutes (plus the additional time to get
>> what they need) isn't going to be very concerned about security.
>
>Not necessarily. There are applications (kiosks) in which untrusted
>users have keyboard access, but no physical access to the machine.
>There are also environments (such as public computer labs) in which
>physical tampering with the machine would be very conspicuous, but an
>exploit that requires only keyboard activity could be pulled off.
>
>I don't think that this particular vulnerability is likely to be a
>serious issue, but I think it's inappropriate to dismiss it by lumping
>it into the "requires physical access to machine" class.

Unless you happen to be at a data center (not that there are any Macs
at those, but anyway...) and the senior LAN admin walked away from his
Mac, you walk up, do the exploit, and delete every data file the
company owns on every server the company owns.

knowbodies
07-07-2003, 01:07 AM
foo wrote:

> On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
> <adminkoff[at]NOSPAMcox.net> wrote:
>
>>In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
>> flip <flippo[at]mac.com> wrote:
>>
>>> Anyone who leaves a computer where strangers can get to it and be
>>> undisturbed for more than 5 minutes (plus the additional time to get
>>> what they need) isn't going to be very concerned about security.
>>
>>Not necessarily. There are applications (kiosks) in which untrusted
>>users have keyboard access, but no physical access to the machine.
>>There are also environments (such as public computer labs) in which
>>physical tampering with the machine would be very conspicuous, but an
>>exploit that requires only keyboard activity could be pulled off.
>>
>>I don't think that this particular vulnerability is likely to be a
>>serious issue, but I think it's inappropriate to dismiss it by lumping
>>it into the "requires physical access to machine" class.
>
> Unless you happen to be at a data center (not that there are any Macs
> at those, but anyway...) and the senior LAN admin walked away from his
> Mac, you walk up, do the exploit, and delete every data file the
> company owns on every server the company owns.

Which they then restore from backup.

--
And the beast shall be made legion. Its numbers shall be increased a
thousand thousand fold. The din of a million keyboards like unto a great
storm shall cover the earth, and the followers of Mammon shall tremble.

keved
07-07-2003, 01:50 AM
>> Unless you happen to be at a data center (not that there are any Macs
>> at those, but anyway...) and the senior LAN admin walked away from his
>> Mac, you walk up, do the exploit, and delete every data file the
>> company owns on every server the company owns.
>
> Which they then restore from backup.

Gee, you're right, that's no big deal whatsoever. Wow, what a bunch of
morons. I can't believe people are even arguing this point. I guess there
are a lot of 30+ year old losers out there whose only need for security is
keeping their mother from entering their room and seeing how much net porn
they have.

For the rest of us, there are numerous scenarios where we need the
screensaver for security protection...in an office where co-workers could
see confidential email while you're out to lunch, or in a dorm room where
your roommate could access your files...ALL KINDS OF PLACES!

Why the hell do you think it was put there in the first place?

I have still yet to be able to recreate this problem on any of my desktops.
I'm suspecting that it's a PowerBook specific issue.

If it does in fact exist, it really needs to be patched quick.

--keved

foo
07-07-2003, 02:28 AM
On Mon, 07 Jul 2003 00:07:53 GMT, knowbodies
<mark.ritchie.REMOVETHIS[at]shaw.ca> wrote:

>foo wrote:
>
>> On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
>> <adminkoff[at]NOSPAMcox.net> wrote:
>>
>>>In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
>>> flip <flippo[at]mac.com> wrote:
>>>
>>>> Anyone who leaves a computer where strangers can get to it and be
>>>> undisturbed for more than 5 minutes (plus the additional time to get
>>>> what they need) isn't going to be very concerned about security.
>>>
>>>Not necessarily. There are applications (kiosks) in which untrusted
>>>users have keyboard access, but no physical access to the machine.
>>>There are also environments (such as public computer labs) in which
>>>physical tampering with the machine would be very conspicuous, but an
>>>exploit that requires only keyboard activity could be pulled off.
>>>
>>>I don't think that this particular vulnerability is likely to be a
>>>serious issue, but I think it's inappropriate to dismiss it by lumping
>>>it into the "requires physical access to machine" class.
>>
>> Unless you happen to be at a data center (not that there are any Macs
>> at those, but anyway...) and the senior LAN admin walked away from his
>> Mac, you walk up, do the exploit, and delete every data file the
>> company owns on every server the company owns.
>
>Which they then restore from backup.

LOL. Riiight. And as the entire enterprise grinds to a halt for hours
or days because their data is gone, hey - no problem - just restore it
from backup!

Face it - this is a serious flaw. XP's got plenty of problems,
security being a big one of them, but to not acknowledge this as a
serious flaw is stupid.

foo
07-07-2003, 02:30 AM
On Mon, 07 Jul 2003 00:50:45 GMT, keved
<kevedAFRAIDOFSPAM[at]pacbell.net> wrote:

>
>>> Unless you happen to be at a data center (not that there are any Macs
>>> at those, but anyway...) and the senior LAN admin walked away from his
>>> Mac, you walk up, do the exploit, and delete every data file the
>>> company owns on every server the company owns.
>>
>> Which they then restore from backup.
>
>Gee, you're right, that's no big deal whatsoever. Wow, what a bunch of
>morons. I can't believe people are even arguing this point. I guess there
>are a lot of 30+ year old losers out there whose only need for security is
>keeping their mother from entering their room and seeing how much net porn
>they have.
>
>For the rest of us, there are numerous scenarios where we need the
>screensaver for security protection...in an office where co-workers could
>see confidential email while you're out to lunch, or in a dorm room where
>your roommate could access your files...ALL KINDS OF PLACES!
>
>Why the hell do you think it was put there in the first place?
>
>I have still yet to be able to recreate this problem on any of my desktops.
>I'm suspecting that it's a PowerBook specific issue.
>
>If it does in fact exist, it really needs to be patched quick.
>
>--keved

It's said to be patched in 10.3, but it isn't a PB-specific issue.

http://macslash.org/comments.pl?sid=3493&cid=42899
is another link.

flip
07-07-2003, 03:24 AM
In article <jtbhgvs7vo8iab3no495mm22rjpfug5b2v[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
> <adminkoff[at]NOSPAMcox.net> wrote:
>
> >In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
> > flip <flippo[at]mac.com> wrote:
> >
> >> Anyone who leaves a computer where strangers can get to it and be
> >> undisturbed for more than 5 minutes (plus the additional time to get
> >> what they need) isn't going to be very concerned about security.
> >
> >Not necessarily. There are applications (kiosks) in which untrusted
> >users have keyboard access, but no physical access to the machine.
> >There are also environments (such as public computer labs) in which
> >physical tampering with the machine would be very conspicuous, but an
> >exploit that requires only keyboard activity could be pulled off.
> >
> >I don't think that this particular vulnerability is likely to be a
> >serious issue, but I think it's inappropriate to dismiss it by lumping
> >it into the "requires physical access to machine" class.
>
> Unless you happen to be at a data center (not that there are any Macs
> at those, but anyway...) and the senior LAN admin walked away from his
> Mac, you walk up, do the exploit, and delete every data file the
> company owns on every server the company owns.

Without the password? Hardly.

knowbodies
07-07-2003, 04:19 AM
foo wrote:

> On Mon, 07 Jul 2003 00:07:53 GMT, knowbodies
> <mark.ritchie.REMOVETHIS[at]shaw.ca> wrote:
>
>>foo wrote:
>>
>>> On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
>>> <adminkoff[at]NOSPAMcox.net> wrote:
>>>
>>>>In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
>>>> flip <flippo[at]mac.com> wrote:
>>>>
>>>>> Anyone who leaves a computer where strangers can get to it and be
>>>>> undisturbed for more than 5 minutes (plus the additional time to get
>>>>> what they need) isn't going to be very concerned about security.
>>>>
>>>>Not necessarily. There are applications (kiosks) in which untrusted
>>>>users have keyboard access, but no physical access to the machine.
>>>>There are also environments (such as public computer labs) in which
>>>>physical tampering with the machine would be very conspicuous, but an
>>>>exploit that requires only keyboard activity could be pulled off.
>>>>
>>>>I don't think that this particular vulnerability is likely to be a
>>>>serious issue, but I think it's inappropriate to dismiss it by lumping
>>>>it into the "requires physical access to machine" class.
>>>
>>> Unless you happen to be at a data center (not that there are any Macs
>>> at those, but anyway...) and the senior LAN admin walked away from his
>>> Mac, you walk up, do the exploit, and delete every data file the
>>> company owns on every server the company owns.
>>
>>Which they then restore from backup.
>
> LOL. Riiight. And as the entire enterprise grinds to a halt for hours
> or days because their data is gone, hey - no problem - just restore it
> from backup!

You postulated an unlocked datacenter that any moron could walk into. I
would suggest locking the door rather than the screen.

> Face it - this is a serious flaw. XP's got plenty of problems,
> security being a big one of them, but to not acknowledge this as a
> serious flaw is stupid.

The sky is falling!!! The sky is falling!!!

There exists a simple work around for now. Simply log out when you're not at
your workstation. It's really not much more work than locking the screen.

But please continue to rant as if the world is coming to an end if it makes
you feel better.

--
And the beast shall be made legion. Its numbers shall be increased a
thousand thousand fold. The din of a million keyboards like unto a great
storm shall cover the earth, and the followers of Mammon shall tremble.

knowbodies
07-07-2003, 08:36 AM
foo wrote:

>>You postulated an unlocked datacenter that any moron could walk into. I
>>would suggest locking the door rather than the screen.
>
> Or it could be a disgruntled contractor, or someone who wants to get
> employee A in trouble. There are plenty of valid scenarios,
> apologist.

If you can't trust your employees or coworkers then you're fucked anyway.
Minor security flaws won't stop that.

>>> Face it - this is a serious flaw. XP's got plenty of problems,
>>> security being a big one of them, but to not acknowledge this as a
>>> serious flaw is stupid.
>>
>>The sky is falling!!! The sky is falling!!!
>>
>>There exists a simple work around for now. Simply log out when you're not
>>at your workstation. It's really not much more work than locking the
>>screen.
>
> LOL. Riiight!

Please explain how simply logging out is too onerous compared to locking a
workstation. I'll accept that long running calculations may cause some
problems but for most users it's a non-existent problem.

>>But please continue to rant as if the world is coming to an end if it
>>makes you feel better.
>
> Apologist.

Chicken Little.

There, now we're even. Perhaps we can find a middle ground where the world won't
come to an end?

--
And the beast shall be made legion. Its numbers shall be increased a
thousand thousand fold. The din of a million keyboards like unto a great
storm shall cover the earth, and the followers of Mammon shall tremble.

Peter Hayes
07-07-2003, 11:18 AM
knowbodies wrote:

> There exists a simple work around for now. Simply log out when you're not at
> your workstation.

Does OSX have a "Switch User" like function?

--

Peter

Remove NOSPAM. to e-mail

Sandman
07-07-2003, 11:30 AM
In article <dmkbeb.4p1.ln[at]vlad.seahaze>,
Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

> knowbodies wrote:
>
> > There exists a simple work around for now. Simply log out when you're not at
> > your workstation.
>
> Does OSX have a "Switch User" like function?

MacOS X 10.3 has one, yes.

--
Sandman[.net]

Peter Hayes
07-07-2003, 02:28 PM
Sandman wrote:

> In article <dmkbeb.4p1.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> knowbodies wrote:
>>
>> > There exists a simple work around for now. Simply log out when you're not
>> > at your workstation.
>>
>> Does OSX have a "Switch User" like function?
>
> MacOS X 10.3 has one, yes.

In the context of this thread then, if you logged out, all your tasks would
terminate, background rendering for example, so instead would it be possible
to switch user and log out of that, leaving the machine churning away at your
render but needing a password to return? (until Apple fixed the security
problem, which they will do several times faster than Microsoft).

--

Peter

Remove NOSPAM. to e-mail

foo
07-07-2003, 03:19 PM
On Mon, 7 Jul 2003 13:28:38 +0000 (UTC), Peter Hayes
<peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

>Sandman wrote:
>
>> In article <dmkbeb.4p1.ln[at]vlad.seahaze>,
>> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>>
>>> knowbodies wrote:
>>>
>>> > There exists a simple work around for now. Simply log out when you're not
>>> > at your workstation.
>>>
>>> Does OSX have a "Switch User" like function?
>>
>> MacOS X 10.3 has one, yes.
>
>In the context of this thread then, if you logged out, all your tasks would
>terminate, background rendering for example, so instead would it be possible
>to switch user and log out of that, leaving the machine churning away at your
>render but needing a password to return? (until Apple fixed the security
>problem, which they will do several times faster than Microsoft).

The feeling is any cocoa app can be killed in a similar manner - check
out those two links for more info.

Sandman
07-07-2003, 08:43 PM
In article <jvvbeb.it1.ln[at]vlad.seahaze>,
Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

> >> knowbodies wrote:
> >>
> >> > There exists a simple work around for now. Simply log out when you're not
> >> > at your workstation.
> >>
> >> Does OSX have a "Switch User" like function?
> >
> > MacOS X 10.3 has one, yes.
>
> In the context of this thread then, if you logged out, all your tasks would
> terminate, background rendering for example, so instead would it be possible
> to switch user and log out of that, leaving the machine churning away at your
> render but needing a password to return? (until Apple fixed the security
> problem, which they will do several times faster than Microsoft).

This is possible in 10.3 yes. You don't have to switch user, you can exit out
to the login window but still be logged in.

--
Sandman[.net]

MuahMan
07-08-2003, 10:20 PM
If this was a Windows security flaw Polak would have been all over it like
white on rice.

"knowbodies" <mark.ritchie.REMOVETHIS[at]shaw.ca> wrote in message
news:yF5Oa.401844$Vi5.10378495[at]news1.calgary.shaw.ca...
> foo wrote:
>
> > On Mon, 07 Jul 2003 00:07:53 GMT, knowbodies
> > <mark.ritchie.REMOVETHIS[at]shaw.ca> wrote:
> >
> >>foo wrote:
> >>
> >>> On Sun, 06 Jul 2003 12:03:06 -0700, "Anthony D. Minkoff"
> >>> <adminkoff[at]NOSPAMcox.net> wrote:
> >>>
> >>>>In article <flippo-5C86ED.13052206072003[at]news.central.cox.net>,
> >>>> flip <flippo[at]mac.com> wrote:
> >>>>
> >>>>> Anyone who leaves a computer where strangers can get to it and be
> >>>>> undisturbed for more than 5 minutes (plus the additional time to get
> >>>>> what they need) isn't going to be very concerned about security.
> >>>>
> >>>>Not necessarily. There are applications (kiosks) in which untrusted
> >>>>users have keyboard access, but no physical access to the machine.
> >>>>There are also environments (such as public computer labs) in which
> >>>>physical tampering with the machine would be very conspicuous, but an
> >>>>exploit that requires only keyboard activity could be pulled off.
> >>>>
> >>>>I don't think that this particular vulnerability is likely to be a
> >>>>serious issue, but I think it's inappropriate to dismiss it by lumping
> >>>>it into the "requires physical access to machine" class.
> >>>
> >>> Unless you happen to be at a data center (not that there are any Macs
> >>> at those, but anyway...) and the senior LAN admin walked away from his
> >>> Mac, you walk up, do the exploit, and delete every data file the
> >>> company owns on every server the company owns.
> >>
> >>Which they then restore from backup.
> >
> > LOL. Riiight. And as the entire enterprise grinds to a halt for hours
> > or days because their data is gone, hey - no problem - just restore it
> > from backup!
>
> You postulated an unlocked datacenter that any moron could walk into. I
> would suggest locking the door rather than the screen.
>
> > Face it - this is a serious flaw. XP's got plenty of problems,
> > security being a big one of them, but to not acknowledge this as a
> > serious flaw is stupid.
>
> The sky is falling!!! The sky is falling!!!
>
> There exists a simple work around for now. Simply log out when you're not at
> your workstation. It's really not much more work than locking the screen.
>
> But please continue to rant as if the world is coming to an end if it makes
> you feel better.
>
> --
> And the beast shall be made legion. Its numbers shall be increased a
> thousand thousand fold. The din of a million keyboards like unto a great
> storm shall cover the earth, and the followers of Mammon shall tremble.

Steve Hanson
07-10-2003, 05:37 PM
Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:

>In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> Steve Hanson <icustomercare[at]usps.com> wrote:
>
>> Alan Baker wrote in <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>>
>> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >
>> >> You are right about there not being a single Mac at a datacenter. LOL
>> >
>> >I'd say "don't let this blow too many brain cells", but that would be
>> >incorrect.
>> >
>> >Don't let this blow your last brain cell:
>> >
>> ><http://chuck.forest.net/images/C65-datacenter/>
>>
>>
>> So how about that security vulnerability? Pretty serious business.
>> Is there no desktop lockdown in OS X? For shame!
>
>He made a statement. I refuted it.

Yeah, yeah, the data center thing. Whatever. But how do *you*
lockdown an OS X desktop? Just curious.

Alan Baker
07-10-2003, 10:09 PM
In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
Steve Hanson <icustomercare[at]usps.com> wrote:

> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
>
> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >
> >> Alan Baker wrote in <alangbaker-C0612F.00274209072003[at]news.telus.net>:
> >>
> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
> >> >
> >> >> You are right about there not being a single Mac at a datacenter. LOL
> >> >
> >> >I'd say "don't let this blow too many brain cells", but that would be
> >> >incorrect.
> >> >
> >> >Don't let this blow your last brain cell:
> >> >
> >> ><http://chuck.forest.net/images/C65-datacenter/>
> >>
> >>
> >> So how about that security vulnerability? Pretty serious business.
> >> Is there no desktop lockdown in OS X? For shame!
> >
> >He made a statement. I refuted it.
>
> Yeah, yeah, the data center thing. Whatever. But how do *you*
> lockdown an OS X desktop? Just curious.

Log out.

--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling 4 feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect
if you sit in the bottom of that cupboard."

foo
07-11-2003, 12:01 AM
On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
wrote:

>In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> Steve Hanson <icustomercare[at]usps.com> wrote:
>
>> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
>>
>> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >
>> >> Alan Baker wrote in <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >>
>> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >
>> >> >> You are right about there not being a single Mac at a datacenter. LOL
>> >> >
>> >> >I'd say "don't let this blow too many brain cells", but that would be
>> >> >incorrect.
>> >> >
>> >> >Don't let this blow your last brain cell:
>> >> >
>> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >>
>> >>
>> >> So how about that security vulnerability? Pretty serious business.
>> >> Is there no desktop lockdown in OS X? For shame!
>> >
>> >He made a statement. I refuted it.
>>
>> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> lockdown an OS X desktop? Just curious.
>
>Log out.

That's a really bad/annoying solution, Alan. Apple should fix the
issue. Yet another $129-service-pack fixes, perhaps.

Alan Baker
07-11-2003, 12:10 AM
In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
> wrote:
>
> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >
> >> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
> >>
> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >
> >> >> Alan Baker wrote in <alangbaker-C0612F.00274209072003[at]news.telus.net>:
> >> >>
> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
> >> >> >
> >> >> >> You are right about there not being a single Mac at a datacenter. LOL
> >> >> >
> >> >> >I'd say "don't let this blow too many brain cells", but that would be
> >> >> >incorrect.
> >> >> >
> >> >> >Don't let this blow your last brain cell:
> >> >> >
> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
> >> >>
> >> >>
> >> >> So how about that security vulnerability? Pretty serious business.
> >> >> Is there no desktop lockdown in OS X? For shame!
> >> >
> >> >He made a statement. I refuted it.
> >>
> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
> >> lockdown an OS X desktop? Just curious.
> >
> >Log out.
>
> That's a really bad/annoying solution, Alan. Apple should fix the
> issue. Yet another $129-service-pack fixes, perhaps.

Why?

And who says that Apple won't fix it. They've fixed other problems
before, and not with major OS upgrades.

--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling 4 feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect
if you sit in the bottom of that cupboard."

foo
07-11-2003, 12:35 AM
On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
wrote:

>In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
>> wrote:
>>
>> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
>> > foo <foo[at]bar.com> wrote:
>> >
>> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> wrote:
>> >>
>> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
>> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >
>> >> >> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
>> >> >>
>> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >
>> >> >> >> Alan Baker wrote in
>> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >> >> >>
>> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >> >> >
>> >> >> >> >> You are right about there not being a single Mac at a datacenter.
>> >> >> >> >> LOL
>> >> >> >> >
>> >> >> >> >I'd say "don't let this blow too many brain cells", but that would
>> >> >> >> >be incorrect.
>> >> >> >> >
>> >> >> >> >Don't let this blow your last brain cell:
>> >> >> >> >
>> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >> >> >>
>> >> >> >>
>> >> >> >> So how about that security vulnerability? Pretty serious business.
>> >> >> >> Is there no desktop lockdown in OS X? For shame!
>> >> >> >
>> >> >> >He made a statement. I refuted it.
>> >> >>
>> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> >> >> lockdown an OS X desktop? Just curious.
>> >> >
>> >> >Log out.
>> >>
>> >> That's a really bad/annoying solution, Alan. Apple should fix the
>> >> issue. Yet another $129-service-pack fixes, perhaps.
>> >
>> >Why?
>>
>> Why should they fix it? Is that a serious question?
>>
>> >And who says that Apple won't fix it.
>>
>> It isn't fixed yet. It apparently impacts the entire Carbon
>> subsystem. If this were a Windows issue and it had taken this long to
>> find a fix some Maccies would be pissing in their pants with glee.
>
>To what problem are you referring? I assumed that the PP was referring
>to the screensaver problem. If that's the case, I would assume a fix to
>the screensaver would be the route to eliminating the problem.

Exactly right. Where is it?

>> >They've fixed other problems
>> >before, and not with major OS upgrades.
>>
>> Indeed they have. Where's 10.2.7? Rumors of 10.2.7? Any information
>> at all from Apple on a fix? An acknowledgement of the issue?
>> Anything?
>
>Which issue? I don't know where 10.2.7 is, but since they don't
>necessarily wait for point revisions to fix security problems, that's
>moot. Try visiting Apple's support site and typing in security. Looks a
>lot like they fix security problems without charging anyone $129...

I'm talking about this specific instance, Alan. There is no
information out there - it appears Apple pretends it doesn't exist.

>> Nothing. But we've got people stating 10.3 fixes it. Do you have any
>> additional information?
>
>Nope.

Alan Baker
07-11-2003, 12:35 AM
In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
> wrote:
>
> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
> >> wrote:
> >>
> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >
> >> >> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
> >> >>
> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >> >
> >> >> >> Alan Baker wrote in
> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
> >> >> >>
> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
> >> >> >> >
> >> >> >> >> You are right about there not being a single Mac at a datacenter.
> >> >> >> >> LOL
> >> >> >> >
> >> >> >> >I'd say "don't let this blow too many brain cells", but that would
> >> >> >> >be incorrect.
> >> >> >> >
> >> >> >> >Don't let this blow your last brain cell:
> >> >> >> >
> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
> >> >> >>
> >> >> >>
> >> >> >> So how about that security vulnerability? Pretty serious business.
> >> >> >> Is there no desktop lockdown in OS X? For shame!
> >> >> >
> >> >> >He made a statement. I refuted it.
> >> >>
> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
> >> >> lockdown an OS X desktop? Just curious.
> >> >
> >> >Log out.
> >>
> >> That's a really bad/annoying solution, Alan. Apple should fix the
> >> issue. Yet another $129-service-pack fixes, perhaps.
> >
> >Why?
>
> Why should they fix it? Is that a serious question?
>
> >And who says that Apple won't fix it.
>
> It isn't fixed yet. It apparently impacts the entire Carbon
> subsystem. If this were a Windows issue and it had taken this long to
> find a fix some Maccies would be pissing in their pants with glee.

To what problem are you referring? I assumed that the PP was referring
to the screensaver problem. If that's the case, I would assume a fix to
the screensaver would be the route to eliminating the problem.

>
> >They've fixed other problems
> >before, and not with major OS upgrades.
>
> Indeed they have. Where's 10.2.7? Rumors of 10.2.7? Any information
> at all from Apple on a fix? An acknowledgement of the issue?
> Anything?

Which issue? I don't know where 10.2.7 is, but since they don't
necessarily wait for point revisions to fix security problems, that's
moot. Try visiting Apple's support site and typing in security. Looks a
lot like they fix security problems without charging anyone $129...

>
> Nothing. But we've got people stating 10.3 fixes it. Do you have any
> additional information?

Nope.

--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling 4 feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect
if you sit in the bottom of that cupboard."

Alan Baker
07-11-2003, 12:45 AM
In article <e4urgv4ronva1tl2dtvu02o323sckfjhou[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
> wrote:
>
> >In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
> >> wrote:
> >>
> >> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
> >> > foo <foo[at]bar.com> wrote:
> >> >
> >> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
> >> >> wrote:
> >> >>
> >> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >> >
> >> >> >> Alan Baker wrote in
> >> >> >> <alangbaker-70F841.22532609072003[at]news.telus.net>:
> >> >> >>
> >> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >> >> >
> >> >> >> >> Alan Baker wrote in
> >> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
> >> >> >> >>
> >> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
> >> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
> >> >> >> >> >
> >> >> >> >> >> You are right about there not being a single Mac at a
> >> >> >> >> >> datacenter. LOL
> >> >> >> >> >
> >> >> >> >> >I'd say "don't let this blow too many brain cells", but that
> >> >> >> >> >would be incorrect.
> >> >> >> >> >
> >> >> >> >> >Don't let this blow your last brain cell:
> >> >> >> >> >
> >> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> So how about that security vulnerability? Pretty serious
> >> >> >> >> business.
> >> >> >> >> Is there no desktop lockdown in OS X? For shame!
> >> >> >> >
> >> >> >> >He made a statement. I refuted it.
> >> >> >>
> >> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
> >> >> >> lockdown an OS X desktop? Just curious.
> >> >> >
> >> >> >Log out.
> >> >>
> >> >> That's a really bad/annoying solution, Alan. Apple should fix the
> >> >> issue. Yet another $129-service-pack fixes, perhaps.
> >> >
> >> >Why?
> >>
> >> Why should they fix it? Is that a serious question?
> >>
> >> >And who says that Apple won't fix it.
> >>
> >> It isn't fixed yet. It apparently impacts the entire Carbon
> >> subsystem. If this were a Windows issue and it had taken this long to
> >> find a fix some Maccies would be pissing in their pants with glee.
> >
> >To what problem are you referring? I assumed that the PP was referring
> >to the screensaver problem. If that's the case, I would assume a fix to
> >the screensaver would be the route to eliminating the problem.
>
> Exactly right. Where is it?

How long has the problem been identified now? *Four* days!

>
> >> >They've fixed other problems
> >> >before, and not with major OS upgrades.
> >>
> >> Indeed they have. Where's 10.2.7? Rumors of 10.2.7? Any information
> >> at all from Apple on a fix? An acknowledgement of the issue?
> >> Anything?
> >
> >Which issue? I don't know where 10.2.7 is, but since they don't
> >necessarily wait for point revisions to fix security problems, that's
> >moot. Try visiting Apple's support site and typing in security. Looks a
> >lot like they fix security problems without charging anyone $129...
>
> I'm talking about this specific instance, Alan. There is no
> information out there - it appears Apple pretends it doesn't exist.

Golly. And it's been so long. Four days, David.

>
> >> Nothing. But we've got people stating 10.3 fixes it. Do you have any
> >> additional information?
> >
> >Nope.
>

--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling 4 feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect
if you sit in the bottom of that cupboard."

foo
07-11-2003, 02:24 AM
On Thu, 10 Jul 2003 23:45:11 GMT, Alan Baker <alangbaker[at]telus.net>
wrote:

>In article <e4urgv4ronva1tl2dtvu02o323sckfjhou[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
>> wrote:
>>
>> >In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
>> > foo <foo[at]bar.com> wrote:
>> >
>> >> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> wrote:
>> >>
>> >> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
>> >> > foo <foo[at]bar.com> wrote:
>> >> >
>> >> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> wrote:
>> >> >>
>> >> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
>> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >
>> >> >> >> Alan Baker wrote in
>> >> >> >> <alangbaker-70F841.22532609072003[at]news.telus.net>:
>> >> >> >>
>> >> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >> >
>> >> >> >> >> Alan Baker wrote in
>> >> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >> >> >> >>
>> >> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >> >> >> >
>> >> >> >> >> >> You are right about there not being a single Mac at a datacenter. LOL
>> >> >> >> >> >
>> >> >> >> >> >I'd say "don't let this blow too many brain cells", but that would be
>> >> >> >> >> >incorrect.
>> >> >> >> >> >
>> >> >> >> >> >Don't let this blow your last brain cell:
>> >> >> >> >> >
>> >> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >> >> >> >>
>> >> >> >> >>
>> >> >> >> >> So how about that security vulnerability? Pretty serious business.
>> >> >> >> >> Is there no desktop lockdown in OS X? For shame!
>> >> >> >> >
>> >> >> >> >He made a statement. I refuted it.
>> >> >> >>
>> >> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> >> >> >> lockdown an OS X desktop? Just curious.
>> >> >> >
>> >> >> >Log out.
>> >> >>
>> >> >> That's a really bad/annoying solution, Alan. Apple should fix the
>> >> >> issue. Yet another $129-service-pack fixes, perhaps.
>> >> >
>> >> >Why?
>> >>
>> >> Why should they fix it? Is that a serious question?
>> >>
>> >> >And who says that Apple won't fix it.
>> >>
>> >> It isn't fixed yet. It apparently impacts the entire Carbon
>> >> subsystem. If this were a Windows issue and it had taken this long to
>> >> find a fix some Maccies would be pissing in their pants with glee.
>> >
>> >To what problem are you referring? I assumed that the PP was referring
>> >to the screensaver problem. If that's the case, I would assume a fix to
>> >the screensaver would be the route to eliminating the problem.
>>
>> Exactly right. Where is it?
>
>How long has the problem been identified now? *Four* days!

No, Apple's had it, if the OP is to be believed, since late June /
July 1.

Alan Baker
07-11-2003, 08:41 AM
In article <rh4sgvkmlnvstm3p2he18t5bvo400ilvrl[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Thu, 10 Jul 2003 23:45:11 GMT, Alan Baker <alangbaker[at]telus.net>
> wrote:
>
> >In article <e4urgv4ronva1tl2dtvu02o323sckfjhou[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
> >> wrote:
> >>
> >> >In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
> >> > foo <foo[at]bar.com> wrote:
> >> >
> >> >> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
> >> >> wrote:
> >> >>
> >> >> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
> >> >> > foo <foo[at]bar.com> wrote:
> >> >> >
> >> >> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
> >> >> >> wrote:
> >> >> >>
> >> >> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >> >> >
> >> >> >> >> Alan Baker wrote in
> >> >> >> >> <alangbaker-70F841.22532609072003[at]news.telus.net>:
> >> >> >> >>
> >> >> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
> >> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
> >> >> >> >> >
> >> >> >> >> >> Alan Baker wrote in
> >> >> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
> >> >> >> >> >>
> >> >> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
> >> >> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
> >> >> >> >> >> >
> >> >> >> >> >> >> You are right about there not being a single Mac at a datacenter. LOL
> >> >> >> >> >> >
> >> >> >> >> >> >I'd say "don't let this blow too many brain cells", but that would be
> >> >> >> >> >> >incorrect.
> >> >> >> >> >> >
> >> >> >> >> >> >Don't let this blow your last brain cell:
> >> >> >> >> >> >
> >> >> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
> >> >> >> >> >>
> >> >> >> >> >>
> >> >> >> >> >> So how about that security vulnerability? Pretty serious business.
> >> >> >> >> >> Is there no desktop lockdown in OS X? For shame!
> >> >> >> >> >
> >> >> >> >> >He made a statement. I refuted it.
> >> >> >> >>
> >> >> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
> >> >> >> >> lockdown an OS X desktop? Just curious.
> >> >> >> >
> >> >> >> >Log out.
> >> >> >>
> >> >> >> That's a really bad/annoying solution, Alan. Apple should fix the
> >> >> >> issue. Yet another $129-service-pack fixes, perhaps.
> >> >> >
> >> >> >Why?
> >> >>
> >> >> Why should they fix it? Is that a serious question?
> >> >>
> >> >> >And who says that Apple won't fix it.
> >> >>
> >> >> It isn't fixed yet. It apparently impacts the entire Carbon
> >> >> subsystem. If this were a Windows issue and it had taken this long to
> >> >> find a fix some Maccies would be pissing in their pants with glee.
> >> >
> >> >To what problem are you referring? I assumed that the PP was referring
> >> >to the screensaver problem. If that's the case, I would assume a fix to
> >> >the screensaver would be the route to eliminating the problem.
> >>
> >> Exactly right. Where is it?
> >
> >How long has the problem been identified now? *Four* days!
>
> No, Apple's had it, if the OP is to be believed, since late June /
> July 1.

Interesting that the security advisory site only has it from July 6...

But even so: Wow. 11 days. Apple should have fixed this and ensured that
every computer ever sold by them has had the patch applied!

C'mon, Dave. 2 weeks is not very long.

--
Alan Baker
Vancouver, British Columbia
"If you raise the ceiling 4 feet, move the fireplace from that wall
to that wall, you'll still only get the full stereophonic effect
if you sit in the bottom of that cupboard."

Steve Hanson
07-11-2003, 05:53 PM
Alan Baker wrote in <alangbaker-B5CC95.14092110072003[at]news.telus.net>:

>In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
> Steve Hanson <icustomercare[at]usps.com> wrote:
>
>> Alan Baker wrote in <alangbaker-70F841.22532609072003[at]news.telus.net>:
>>
>> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >
>> >> Alan Baker wrote in <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >>
>> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >
>> >> >> You are right about there not being a single Mac at a datacenter. LOL
>> >> >
>> >> >I'd say "don't let this blow too many brain cells", but that would be
>> >> >incorrect.
>> >> >
>> >> >Don't let this blow your last brain cell:
>> >> >
>> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >>
>> >>
>> >> So how about that security vulnerability? Pretty serious business.
>> >> Is there no desktop lockdown in OS X? For shame!
>> >
>> >He made a statement. I refuted it.
>>
>> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> lockdown an OS X desktop? Just curious.
>
>Log out.

That's your only option? Sad. All applications closed and documents
have to be saved, the whole logon process to go through again and
restarting the apps. Just sad. Maybe one day you'll get a secure
method of locking the desktop. Then you won't have to try to use your
screensaver to keep your computers safe.

foo
07-11-2003, 08:33 PM
On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
wrote:

>In article <rh4sgvkmlnvstm3p2he18t5bvo400ilvrl[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Thu, 10 Jul 2003 23:45:11 GMT, Alan Baker <alangbaker[at]telus.net>
>> wrote:
>>
>> >In article <e4urgv4ronva1tl2dtvu02o323sckfjhou[at]4ax.com>,
>> > foo <foo[at]bar.com> wrote:
>> >
>> >> On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> wrote:
>> >>
>> >> >In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
>> >> > foo <foo[at]bar.com> wrote:
>> >> >
>> >> >> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> wrote:
>> >> >>
>> >> >> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
>> >> >> > foo <foo[at]bar.com> wrote:
>> >> >> >
>> >> >> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> >> wrote:
>> >> >> >>
>> >> >> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
>> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >> >
>> >> >> >> >> Alan Baker wrote in
>> >> >> >> >> <alangbaker-70F841.22532609072003[at]news.telus.net>:
>> >> >> >> >>
>> >> >> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> >> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >> >> >
>> >> >> >> >> >> Alan Baker wrote in
>> >> >> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >> >> >> >> >>
>> >> >> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> >> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >> >> >> >> >
>> >> >> >> >> >> >> You are right about there not being a single Mac at a datacenter. LOL
>> >> >> >> >> >> >
>> >> >> >> >> >> >I'd say "don't let this blow too many brain cells", but that would be
>> >> >> >> >> >> >incorrect.
>> >> >> >> >> >> >
>> >> >> >> >> >> >Don't let this blow your last brain cell:
>> >> >> >> >> >> >
>> >> >> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >> >> >> >> >>
>> >> >> >> >> >>
>> >> >> >> >> >> So how about that security vulnerability? Pretty serious business.
>> >> >> >> >> >> Is there no desktop lockdown in OS X? For shame!
>> >> >> >> >> >
>> >> >> >> >> >He made a statement. I refuted it.
>> >> >> >> >>
>> >> >> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> >> >> >> >> lockdown an OS X desktop? Just curious.
>> >> >> >> >
>> >> >> >> >Log out.
>> >> >> >>
>> >> >> >> That's a really bad/annoying solution, Alan. Apple should fix the
>> >> >> >> issue. Yet another $129-service-pack fixes, perhaps.
>> >> >> >
>> >> >> >Why?
>> >> >>
>> >> >> Why should they fix it? Is that a serious question?
>> >> >>
>> >> >> >And who says that Apple won't fix it.
>> >> >>
>> >> >> It isn't fixed yet. It apparently impacts the entire Carbon
>> >> >> subsystem. If this were a Windows issue and it had taken this long to
>> >> >> find a fix some Maccies would be pissing in their pants with glee.
>> >> >
>> >> >To what problem are you referring? I assumed that the PP was referring
>> >> >to the screensaver problem. If that's the case, I would assume a fix to
>> >> >the screensaver would be the route to eliminating the problem.
>> >>
>> >> Exactly right. Where is it?
>> >
>> >How long has the problem been identified now? *Four* days!
>>
>> No, Apple's had it, if the OP is to be believed, since late June /
>> July 1.
>
>Interesting that the security advisory site only has it from July 6...

Read what the OP wrote about the topic - he said he'd send it to the
security folks in X days if nothing was done.

>But even so: Wow. 11 days. Apple should have fixed this and ensured that
>every computer ever sold by them has had the patch applied!

They should provide an update to it, definitely. And it's good you
finally acknowledge a problem exists; flip apparently still can't
understand what the issue is.

foo
07-11-2003, 08:34 PM
On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:

>Unlike Windows, of course, where any Tom, Dick, or Harry can compromise
>your system - without even having access to the computer.

Really? Assume I have the latest XP servicepacks, and you have access
to my XP box over my router, which is exactly how any Tom, Dick, or
Harry would have access to it - how would you get in?

Now, remove the router - how would you get in?

Flip
07-11-2003, 10:14 PM
In article <k4bneb.r73.ln[at]vlad.seahaze>,
Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

> foo wrote:
>
> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
> > wrote:
>
> <...>
>
> >>But even so: Wow. 11 days. Apple should have fixed this and ensured that
> >>every computer ever sold by them has had the patch applied!
> >
> > They should provide an update to it, definitely. And it's good you
> > finally acknowledge a problem exists; flip apparently still can't
> > understand what the issue is.
>
> He understands right enough, he's just in denial.

I'm not in denial at all.

The issue only affects people where ALL of the following apply:

1. Using a PowerBook (and possibly not even all of those)
2. Relying on the screen saver for security.
3. In an environment where someone can get physical access to their
computer for 5 minutes without being detected.


That's just not likely to happen all that often. When you compare it to
the alternative that foo is proposing (Windows), the difference is
laughable. There are probably 100 security holes in Windows worse than
this one.

Peter Hayes
07-11-2003, 10:44 PM
foo wrote:

> On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
> wrote:

<...>

>>But even so: Wow. 11 days. Apple should have fixed this and ensured that
>>every computer ever sold by them has had the patch applied!
>
> They should provide an update to it, definitely. And it's good you
> finally acknowledge a problem exists; flip apparently still can't
> understand what the issue is.

He understands right enough, he's just in denial.

--

Peter

Remove NOSPAM. to e-mail

Woofbert
07-11-2003, 11:08 PM
In article <f84ugv4smmmu02l5bfi4j6lm2b0oh6o2fg[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:
>
> >Unlike Windows, of course, where any Tom, Dick, or Harry can compromise
> >your system - without even having access to the computer.
>
> Really? Assume I have the latest XP servicepacks, and you have access
> to my XP box over my router, which is exactly how any Tom, Dick, or
> Harry would have access to it - how would you get in?
>
> Now, remove the router - how would you get in?

What a brilliant idea! Wow! In order to secure my Windows-based web
server, all I have to do is unplug it from the router! Hey, I should
hire you as a security consultant. We need one at Infernosoft.

--
Woofbert, Chief Rocket Surgeon, Infernosoft
Woofbert's Law on Learning Linux: When attempting to learn Linux,
study it thoroughly before you begin.

foo
07-12-2003, 01:21 AM
On Fri, 11 Jul 2003 21:12:59 GMT, Flip <flip[at]flippo.com> wrote:

>In article <i54ugvg7gisnrbco5ap6ifhji0tqnu59eo[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> wrote:
>>
>> >In article <rh4sgvkmlnvstm3p2he18t5bvo400ilvrl[at]4ax.com>,
>> > foo <foo[at]bar.com> wrote:
>> >
>> >> On Thu, 10 Jul 2003 23:45:11 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> wrote:
>> >>
>> >> >In article <e4urgv4ronva1tl2dtvu02o323sckfjhou[at]4ax.com>,
>> >> > foo <foo[at]bar.com> wrote:
>> >> >
>> >> >> On Thu, 10 Jul 2003 23:35:14 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> wrote:
>> >> >>
>> >> >> >In article <18trgvka3n48vvfsqle5r0nf83e9hrohf0[at]4ax.com>,
>> >> >> > foo <foo[at]bar.com> wrote:
>> >> >> >
>> >> >> >> On Thu, 10 Jul 2003 23:10:35 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> >> wrote:
>> >> >> >>
>> >> >> >> >In article <05srgvkiiievlkqfg5ddkfj422ggd7ldnc[at]4ax.com>,
>> >> >> >> > foo <foo[at]bar.com> wrote:
>> >> >> >> >
>> >> >> >> >> On Thu, 10 Jul 2003 21:09:21 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> >> >> wrote:
>> >> >> >> >>
>> >> >> >> >> >In article <lg5rgv8cc6gri6vdvdrqk2pjmnlhdei9m1[at]4ax.com>,
>> >> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >> >> >
>> >> >> >> >> >> Alan Baker wrote in
>> >> >> >> >> >> <alangbaker-70F841.22532609072003[at]news.telus.net>:
>> >> >> >> >> >>
>> >> >> >> >> >> >In article <25tpgv495v99djgbluhj8mjmt33ruecngn[at]4ax.com>,
>> >> >> >> >> >> > Steve Hanson <icustomercare[at]usps.com> wrote:
>> >> >> >> >> >> >
>> >> >> >> >> >> >> Alan Baker wrote in
>> >> >> >> >> >> >> <alangbaker-C0612F.00274209072003[at]news.telus.net>:
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> >In article <befcfr$4eq08$1[at]ID-180643.news.dfncis.de>,
>> >> >> >> >> >> >> > "MuahMan" <muahman[at]yahoo.com> wrote:
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >> You are right about there not being a single Mac at a datacenter. LOL
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >I'd say "don't let this blow too many brain cells", but that would be
>> >> >> >> >> >> >> >incorrect.
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> >Don't let this blow your last brain cell:
>> >> >> >> >> >> >> >
>> >> >> >> >> >> >> ><http://chuck.forest.net/images/C65-datacenter/>
>> >> >> >> >> >> >>
>> >> >> >> >> >> >>
>> >> >> >> >> >> >> So how about that security vulnerability? Pretty serious business.
>> >> >> >> >> >> >> Is there no desktop lockdown in OS X? For shame!
>> >> >> >> >> >> >
>> >> >> >> >> >> >He made a statement. I refuted it.
>> >> >> >> >> >>
>> >> >> >> >> >> Yeah, yeah, the data center thing. Whatever. But how do *you*
>> >> >> >> >> >> lockdown an OS X desktop? Just curious.
>> >> >> >> >> >
>> >> >> >> >> >Log out.
>> >> >> >> >>
>> >> >> >> >> That's a really bad/annoying solution, Alan. Apple should fix the
>> >> >> >> >> issue. Yet another $129-service-pack fixes, perhaps.
>> >> >> >> >
>> >> >> >> >Why?
>> >> >> >>
>> >> >> >> Why should they fix it? Is that a serious question?
>> >> >> >>
>> >> >> >> >And who says that Apple won't fix it.
>> >> >> >>
>> >> >> >> It isn't fixed yet. It apparently impacts the entire Carbon
>> >> >> >> subsystem. If this were a Windows issue and it had taken this long to
>> >> >> >> find a fix some Maccies would be pissing in their pants with glee.
>> >> >> >
>> >> >> >To what problem are you referring? I assumed that the PP was referring
>> >> >> >to the screensaver problem. If that's the case, I would assume a fix to
>> >> >> >the screensaver would be the route to eliminating the problem.
>> >> >>
>> >> >> Exactly right. Where is it?
>> >> >
>> >> >How long has the problem been identified now? *Four* days!
>> >>
>> >> No, Apple's had it, if the OP is to be believed, since late June /
>> >> July 1.
>> >
>> >Interesting that the security advisory site only has it from July 6...
>>
>> Read what the OP wrote about the topic - he said he'd send it to the
>> security folks in X days if nothing was done.
>>
>> >But even so: Wow. 11 days. Apple should have fixed this and ensured that
>> >every computer ever sold by them has had the patch applied!
>>
>> They should provide an update to it, definitely. And it's good you
>> finally acknowledge a problem exists; flip apparently still can't
>> understand what the issue is.
>
>I'm quite aware of what the problem is. It's just not a big deal for
>very many people.

Agreed - if we posit that the Mac is used primarily at home or in
small single-use non-networked or non-critically networked
environments (as I'm sure is correct), you're absolutely right.

But that still doesn't mean it shouldn't be fixed, and on the 14th, it
appears it will be. That's A Good Thing.

>It's interesting, though, to see a Windows fan complaining about the
>security problems in other operating systems.

How so?

>Perhaps you should read your bible - something about removing the plank
>from your own eye.......

Have I ever suggested Windows has never had a security flaw?

foo
07-12-2003, 01:23 AM
On Fri, 11 Jul 2003 21:14:43 GMT, Flip <flip[at]flippo.com> wrote:

>In article <k4bneb.r73.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> foo wrote:
>>
>> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> > wrote:
>>
>> <...>
>>
>> >>But even so: Wow. 11 days. Apple should have fixed this and ensured that
>> >>every computer ever sold by them has had the patch applied!
>> >
>> > They should provide an update to it, definitely. And it's good you
>> > finally acknowledge a problem exists; flip apparently still can't
>> > understand what the issue is.
>>
>> He understands right enough, he's just in denial.
>
>I'm not in denial at all.
>
>The issue only affects people where ALL of the following apply:
>
>1. Using a PowerBook (and possibly not even all of those)

Who has authoritatively said it's just the PBs? It's a carbon issue.

>2. Relying on the screen saver for security.

As is normal in a networked data center...

>3. In an environment where someone can get physical access to their
>computer for 5 minutes without being detected.

Trivial.

>That's just not likely to happen all that often.

In a home market, sure. In a datacenter, that's trivial, flip -
simply trivial.

>When you compare it to
>the alternative that foo is proposing (Windows), the difference is
>laughable. There are probably 100 security holes in Windows worse than
>this one.

Really? Tell me about it, then - I've asked you once already (I
understand you haven't read it yet, but I look forward to your reply.)

foo
07-12-2003, 01:25 AM
On Fri, 11 Jul 2003 22:08:43 GMT, Woofbert
<woofbert.spam[at]infernosoft.com> wrote:

>In article <f84ugv4smmmu02l5bfi4j6lm2b0oh6o2fg[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:
>>
>> >Unlike Windows, of course, where any Tom, Dick, or Harry can compromise
>> >your system - without even having access to the computer.
>>
>> Really? Assume I have the latest XP servicepacks, and you have access
>> to my XP box over my router, which is exactly how any Tom, Dick, or
>> Harry would have access to it - how would you get in?
>>
>> Now, remove the router - how would you get in?
>
>What a brilliant idea! Wow! In order to secure my Windows-based web
>server, all I have to do is unplug it from the router! Hey, I should
>hire you as a security consultant. We need one at Infernosoft.

Let me rephrase, since I know you *love* to creatively attack what I
write:

Remove the router ... and plug the WinXP box directly to the
internet. What now?

C'mon - did I really need to write that for you?

I suggest you try any attacks you feel are valid on msnbc.com - I'm
sure everyone else does, and yet somehow the site is still up...

Woofbert
07-12-2003, 02:05 AM
In article <b8lugv0i1b39hsufh85v79lr7bhsnqa1ga[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Fri, 11 Jul 2003 22:08:43 GMT, Woofbert
> <woofbert.spam[at]infernosoft.com> wrote:
>
> >In article <f84ugv4smmmu02l5bfi4j6lm2b0oh6o2fg[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:
> >>
> >> >Unlike Windows, of course, where any Tom, Dick, or Harry can compromise
> >> >your system - without even having access to the computer.
> >>
> >> Really? Assume I have the latest XP servicepacks, and you have access
> >> to my XP box over my router, which is exactly how any Tom, Dick, or
> >> Harry would have access to it - how would you get in?
> >>
> >> Now, remove the router - how would you get in?
> >
> >What a brilliant idea! Wow! In order to secure my Windows-based web
> >server, all I have to do is unplug it from the router! Hey, I should
> >hire you as a security consultant. We need one at Infernosoft.
>
> Let me rephrase, since I know you *love* to creatively attack what I
> write:

It is far, far better to do it creatively rather than by rote.


> Remove the router ... and plug the WinXP box directly to the
> internet. What now?

Uuh ... let me guess. Instead of having your machine vulnerable to a
rampaging horde of untrustworthy cow orkers[1], your machine is safe in
the hands of perfectly trustworthy strangers on the Internet?


> C'mon - did I really need to write that for you?

Well, yes. I would never have thought that moving a machine from the
inside of a firewall to the outside would make it safe from hackers.


> I suggest you try any attacks you feel are valid on msnbc.com - I'm
> sure everyone else does, and yet somehow the site is still up...

No, you've got me all wrong! I'm one of those trustworthy Internet
users. You meany!


[1] The first known instance of "cow orkers" on newsgroups dates from
August 11, 1989:
http://groups.google.com/groups?q=+%22cow+orker%22&hl=en&lr=&ie=UTF-8&safe=off&scoring=d&as_drrb=b&as_mind=12&as_minm=5&as_miny=1981&as_maxd=12&as_maxm=5&as_maxy=1990&selm=1139%40midgard.Midgard.MN.ORG&rnum=1

--
Woofbert, Chief Rocket Surgeon, Infernosoft
Woofbert's Law on Learning Linux: When attempting to learn Linux,
study it thoroughly before you begin.

foo
07-12-2003, 02:32 AM
On Sat, 12 Jul 2003 01:05:44 GMT, Woofbert
<woofbert.spam[at]infernosoft.com> wrote:

>In article <b8lugv0i1b39hsufh85v79lr7bhsnqa1ga[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Fri, 11 Jul 2003 22:08:43 GMT, Woofbert
>> <woofbert.spam[at]infernosoft.com> wrote:
>>
>> >In article <f84ugv4smmmu02l5bfi4j6lm2b0oh6o2fg[at]4ax.com>,
>> > foo <foo[at]bar.com> wrote:
>> >
>> >> On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:
>> >>
>> >> >Unlike Windows, of course, where any Tom, Dick, or Harry can compromise
>> >> >your system - without even having access to the computer.
>> >>
>> >> Really? Assume I have the latest XP servicepacks, and you have access
>> >> to my XP box over my router, which is exactly how any Tom, Dick, or
>> >> Harry would have access to it - how would you get in?
>> >>
>> >> Now, remove the router - how would you get in?
>> >
>> >What a brilliant idea! Wow! In order to secure my Windows-based web
>> >server, all I have to do is unplug it from the router! Hey, I should
>> >hire you as a security consultant. We need one at Infernosoft.
>>
>> Let me rephrase, since I know you *love* to creatively attack what I
>> write:
>
>It is far, far better to do it creatively rather than by rote.
>
>
>> Remove the router ... and plug the WinXP box directly to the
>> internet. What now?
>
>Uuh ... let me guess. Instead of having your machine vulnerable to a
>rampaging horde of untrustworthy cow orkers[1], your machine is safe in
>the hands of perfectly trustworthy strangers on the Internet?

Yet MSNBC.com manages to stay up. How do they do that, if you can
instantly get into a Windows box?

>> C'mon - did I really need to write that for you?
>
>Well, yes. I would never have thought that moving a machine from the
>inside of a firewall to the outside would make it safe from hackers.
>
>
>> I suggest you try any attacks you feel are valid on msnbc.com - I'm
>> sure everyone else does, and yet somehow the site is still up...
>
>No, you've got me all wrong! I'm one of those trustworthy Internet
>users. You meany!

Yet somehow, in spite of Maccies' attempts to portray Windows OSs as
inherently unreliable or insecure, MSNBC stays up and running.

>
>[1] The first known instance of "cow orkers" on newsgroups dates from
>August 11, 1989:
>http://groups.google.com/groups?q=+%22cow+orker%22&hl=en&lr=&ie=UTF-8&safe=off&scoring=d&as_drrb=b&as_mind=12&as_minm=5&as_miny=1981&as_maxd=12&as_maxm=5&as_maxy=1990&selm=1139%40midgard.Midgard.MN.ORG&rnum=1

foo
07-12-2003, 04:39 AM
On Sat, 12 Jul 2003 03:27:28 GMT, flip <flippo[at]mac.com> wrote:

>In article <j3lugv43d57rfp5c770476mv8n9mm52vu8[at]4ax.com>,
> foo <foo[at]bar.com> wrote:
>
>> On Fri, 11 Jul 2003 21:14:43 GMT, Flip <flip[at]flippo.com> wrote:
>>
>> >In article <k4bneb.r73.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> foo wrote:
>> >>
>> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> > wrote:
>> >>
>> >> <...>
>> >>
>> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured that
>> >> >>every computer ever sold by them has had the patch applied!
>> >> >
>> >> > They should provide an update to it, definitely. And it's good you
>> >> > finally acknowledge a problem exists; flip apparently still can't
>> >> > understand what the issue is.
>> >>
>> >> He understands right enough, he's just in denial.
>> >
>> >I'm not in denial at all.
>> >
>> >The issue only affects people where ALL of the following apply:
>> >
>> >1. Using a PowerBook (and possibly not even all of those)
>>
>> Who has authoritatively said it's just the PBs? It's a Carbon issue.
>
>The only reports that have been published have been PowerBooks.

Nope:
http://lists.netsys.com/pipermail/full-disclosure/2003-July/011054.html

It's an OS issue, not a PowerBook issue.

>> >2. Relying on the screen saver for security.
>>
>> As is normal in a networked data center...
>
>And which data center do you know of where a stranger can walk in and
>play with a computer for 5 minutes?

Who's talking about a stranger doing this? It could be a contractor
or a disgruntled employee.

>> >3. In an environment where someone can get physical access to their
>> >computer for 5 minutes without being detected.
>>
>> Trivial.
>
>Hardly.

Yes, trivial. Absolutely trivial.

>>
>> >That's just not likely to happen all that often.
>>
>> In a home market, sure. In a datacenter, that's trivial, flip -
>> simply trivial.
>
>Right. People can just wander into a data center and fiddle around for 5
>minutes.

Yes.

>If that's the case, they have much bigger problems than their screen
>saver.

How do you propose to find out who would or wouldn't do harm to the
system? Do you have a way of knowing future intent in people that no
one else does?

>> >When you compare it to
>> >the alternative that foo is proposing (Windows), the difference is
>> >laughable. There are probably 100 security holes in Windows worse than
>> >this one.
>>
>> Really? Tell me about it, then - I've asked you once already (I
>> understand you haven't read it yet, but I look forward to your reply.)
>
>Why don't you explain why Microsoft is releasing 'critical' patches
>weekly?

Why don't you tell me why MSNBC.com is still up if it has "probably
100 security holes worse than this one".

foo
07-12-2003, 04:44 AM
On Sat, 12 Jul 2003 03:31:34 GMT, flip <flippo[at]mac.com> wrote:

>In article <72gneb.5h3.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> Flip wrote:
>>
>> > In article <k4bneb.r73.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> foo wrote:
>> >>
>> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> > wrote:
>> >>
>> >> <...>
>> >>
>> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured that
>> >> >>every computer ever sold by them has had the patch applied!
>> >> >
>> >> > They should provide an update to it, definitely. And it's good you
>> >> > finally acknowledge a problem exists; flip apparently still can't
>> >> > understand what the issue is.
>> >>
>> >> He understands right enough, he's just in denial.
>> >
>> > I'm not in denial at all.
>> >
>> > The issue only affects people where ALL of the following apply:
>> >
>> > 1. Using a PowerBook (and possibly not even all of those)
>>
>> I thought it was any Carbon system.
>
>So far, the only published reports are for PowerBooks.

Maybe in csma, but not out in the real world. It's OS X, not PBs.

Just out of curiosity, why do you think the PBs would have the problem
and the rest of the systems wouldn't? Do you think their screensaver
is somehow different?

>> > 2. Relying on the screen saver for security.
>>
>> Well, the invitation's there.
>>
>> > 3. In an environment where someone can get physical access to their
>> > computer for 5 minutes without being detected.
>>
>> More common than you're implying.
>
>In an environment where they're concerned about security?

Yep. Anywhere there are people, there is a potential for a problem.
Obviously you aren't in IT, but this (impersonating someone else,
especially those with elevated privs) is a major concern in the IT
market.

>> > That's just not likely to happen all that often.
>>
>> Once is too often if it's your data that's stolen or destroyed. They just
>> need to get lucky once, you need to be lucky all the time.
>
>Patch is ready.

No, it isn't. It will be ready (tested) and distributed, hopefully,
7/14.

>> > When you compare it to
>> > the alternative that foo is proposing (Windows), the difference is
>> > laughable. There are probably 100 security holes in Windows worse than
>> > this one.
>>
>> Oh, I agree. Just click on the e-mail virus/worm du jour.
>
>Which is the entire point. No one said that any system is 100% perfectly
>secure. But when a Windows fan uses this to criticize Apple's security,
>it's just plain laughable.

Yet, in spite of your silly claims, MSNBC is still up. If it was as
full of holes as you claim, you'd think it would be running on Suns or
something... In fact, if you look at Netcraft, there's a *LOT* of
Win32 servers out there. How do those manage to stay up, if your
claims are true?

Peter Hayes
07-12-2003, 10:45 AM
flip wrote:

> In article <72gneb.5h3.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> Flip wrote:
>>
>> > In article <k4bneb.r73.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> foo wrote:
>> >>
>> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> > wrote:
>> >>
>> >> <...>
>> >>
>> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured
>> >> >>that every computer ever sold by them has had the patch applied!
>> >> >
>> >> > They should provide an update to it, definitely. And it's good you
>> >> > finally acknowledge a problem exists; flip apparently still can't
>> >> > understand what the issue is.
>> >>
>> >> He understands right enough, he's just in denial.
>> >
>> > I'm not in denial at all.
>> >
>> > The issue only affects people where ALL of the following apply:
>> >
>> > 1. Using a PowerBook (and possibly not even all of those)
>>
>> I thought it was any Carbon system.
>
> So far, the only published reports are for PowerBooks.

That's been shown not to be the case.

>> > 2. Relying on the screen saver for security.
>>
>> Well, the invitation's there.
>>
>> > 3. In an environment where someone can get physical access to their
>> > computer for 5 minutes without being detected.
>>
>> More common than you're implying.
>
> In an environment where they're concerned about security?

There's 1001 ways someone might appear to be legitimate when they're not. Just
use a little imagination.

>> > That's just not likely to happen all that often.
>>
>> Once is too often if it's your data that's stolen or destroyed. They just
>> need to get lucky once, you need to be lucky all the time.
>
> Patch is ready.

Just about. And the speed with which it has been produced suggests Apple
realise the seriousness of the vulnerability.

>> > When you compare it to
>> > the alternative that foo is proposing (Windows), the difference is
>> > laughable. There are probably 100 security holes in Windows worse than
>> > this one.
>>
>> Oh, I agree. Just click on the e-mail virus/worm du jour.
>
> Which is the entire point. No one said that any system is 100% perfectly
> secure. But when a Windows fan uses this to criticize Apple's security,
> it's just plain laughable.

It doesn't matter who is criticising Apple's security, the vulnerability is
still there. Microsoft's security holes are only worse because of the ease
with which the intruder can gain access, either through software engineering
or through social engineering. That's the point.

--

Peter

Remove NOSPAM. to e-mail

Flip
07-12-2003, 12:21 PM
In article <ibloeb.ni4.ln[at]vlad.seahaze>,
Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:

> flip wrote:
>
> > In article <72gneb.5h3.ln[at]vlad.seahaze>,
> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
> >
> >> Flip wrote:
> >>
> >> > In article <k4bneb.r73.ln[at]vlad.seahaze>,
> >> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
> >> >
> >> >> foo wrote:
> >> >>
> >> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
> >> >> > wrote:
> >> >>
> >> >> <...>
> >> >>
> >> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured
> >> >> >>that every computer ever sold by them has had the patch applied!
> >> >> >
> >> >> > They should provide an update to it, definitely. And it's good you
> >> >> > finally acknowledge a problem exists; flip apparently still can't
> >> >> > understand what the issue is.
> >> >>
> >> >> He understands right enough, he's just in denial.
> >> >
> >> > I'm not in denial at all.
> >> >
> >> > The issue only affects people where ALL of the following apply:
> >> >
> >> > 1. Using a PowerBook (and possibly not even all of those)
> >>
> >> I thought it was any Carbon system.
> >
> > So far, the only published reports are for PowerBooks.
>
> That's been shown not to be the case.

Where? Every report I've seen says that it only affects PowerBooks - and
not even all of them.

>
> >> > 2. Relying on the screen saver for security.
> >>
> >> Well, the invitation's there.
> >>
> >> > 3. In an environment where someone can get physical access to their
> >> > computer for 5 minutes without being detected.
> >>
> >> More common than you're implying.
> >
> > In an environment where they're concerned about security?
>
> There's 1001 ways someone might appear to be legitimate when they're not.
> Just use a little imagination.

Right. It's interesting that you're hypothesizing a location where data
security is critical, but they leave all their computers wide open to
the public in an unlocked room and let total strangers wander around
without question.

>
> >> > That's just not likely to happen all that often.
> >>
> >> Once is too often if it's your data that's stolen or destroyed. They just
> >> need to get lucky once, you need to be lucky all the time.
> >
> > Patch is ready.
>
> Just about. And the speed with which it has been produced suggests Apple
> realise the seriousness of the vulnerability.
>
> >> > When you compare it to
> >> > the alternative that foo is proposing (Windows), the difference is
> >> > laughable. There are probably 100 security holes in Windows worse than
> >> > this one.
> >>
> >> Oh, I agree. Just click on the e-mail virus/worm du jour.
> >
> > Which is the entire point. No one said that any system is 100% perfectly
> > secure. But when a Windows fan uses this to criticize Apple's security,
> > it's just plain laughable.
>
> It doesn't matter who is criticising Apple's security, the vulnerability is
> still there. Microsoft's security holes are only worse because of the ease
> with which the intruder can gain access, either through software engineering
> or through social engineering. That's the point.

I never said that there was no vulnerability. But _every_ system has
vulnerabilities. When you compare this with the major competition
(Windows), it's insignificant.

Flip
07-12-2003, 12:28 PM
In article <b90vgv0kv872k17t4shhm4k7k5hgs3pd33[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Sat, 12 Jul 2003 03:27:28 GMT, flip <flippo[at]mac.com> wrote:
>
> >In article <j3lugv43d57rfp5c770476mv8n9mm52vu8[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Fri, 11 Jul 2003 21:14:43 GMT, Flip <flip[at]flippo.com> wrote:
> >>
> >> >In article <k4bneb.r73.ln[at]vlad.seahaze>,
> >> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
> >> >
> >> >> foo wrote:
> >> >>
> >> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
> >> >> > wrote:
> >> >>
> >> >> <...>
> >> >>
> >> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured
> >> >> >>that every computer ever sold by them has had the patch applied!
> >> >> >
> >> >> > They should provide an update to it, definitely. And it's good you
> >> >> > finally acknowledge a problem exists; flip apparently still can't
> >> >> > understand what the issue is.
> >> >>
> >> >> He understands right enough, he's just in denial.
> >> >
> >> >I'm not in denial at all.
> >> >
> >> >The issue only affects people where ALL of the following apply:
> >> >
> >> >1. Using a PowerBook (and possibly not even all of those)
> >>
> >> Who has authoritatively said it's just the PBs? It's a Carbon issue.
> >
> >The only reports that have been published have been PowerBooks.
>
> Nope:
> http://lists.netsys.com/pipermail/full-disclosure/2003-July/011054.html
>
> It's an OS issue, not a PowerBook issue.

Well, gee. You finally came up with an example.

It still requires physical access to your computer.

>
> >> >2. Relying on the screen saver for security.
> >>
> >> As is normal in a networked data center...
> >
> >And which data center do you know of where a stranger can walk in and
> >play with a computer for 5 minutes?
>
> Who's talking about a stranger doing this? It could be a contractor
> or a disgruntled employee.

A disgruntled employee has other ways to do this. Heck, they can unplug
the computer and smash the hard drive with a hammer if they have 5
minutes.

>
> >> >3. In an environment where someone can get physical access to their
> >> >computer for 5 minutes without being detected.
> >>
> >> Trivial.
> >
> >Hardly.
>
> Yes, trivial. Absolutely trivial.

Not in an environment that's concerned about computer security.

Heck, my company is probably better than average in this regard, but
we're not world class. A stranger messing with our computers would be
caught in 5 seconds.

>
> >>
> >> >That's just not likely to happen all that often.
> >>
> >> In a home market, sure. In a datacenter, that's trivial, flip -
> >> simply trivial.
> >
> >Right. People can just wander into a data center and fiddle around for 5
> >minutes.
>
> Yes.

Then they have much bigger problems than OS X screen savers.

>
> >If that's the case, they have much bigger problems than their screen
> >saver.
>
> How do you propose to find out who would or wouldn't do harm to the
> system? Do you have a way of knowing future intent in people that no
> one else does?

You know if there's a stranger in your facility or an employee who
shouldn't be there. If they _are_ entitled to be there, they can do the
damage just as easily in other ways.

>
> >> >When you compare it to
> >> >the alternative that foo is proposing (Windows), the difference is
> >> >laughable. There are probably 100 security holes in Windows worse than
> >> >this one.
> >>
> >> Really? Tell me about it, then - I've asked you once already (I
> >> understand you haven't read it yet, but I look forward to your reply.)
> >
> >Why don't you explain why Microsoft is releasing 'critical' patches
> >weekly?
>
> Why don't you tell me why MSNBC.com is still up if it has "probably
> 100 security holes worse than this one".

By that stupid logic, the fact that _I_ haven't seen the above
vulnerability means that it doesn't exist. Thanks for pointing that out.

Flip
07-12-2003, 12:30 PM
In article <n5pugvsiqsm2v1n134e68s8hk5gbmmbflt[at]4ax.com>,
foo <foo[at]bar.com> wrote:

> On Sat, 12 Jul 2003 01:05:44 GMT, Woofbert
> <woofbert.spam[at]infernosoft.com> wrote:
>
> >In article <b8lugv0i1b39hsufh85v79lr7bhsnqa1ga[at]4ax.com>,
> > foo <foo[at]bar.com> wrote:
> >
> >> On Fri, 11 Jul 2003 22:08:43 GMT, Woofbert
> >> <woofbert.spam[at]infernosoft.com> wrote:
> >>
> >> >In article <f84ugv4smmmu02l5bfi4j6lm2b0oh6o2fg[at]4ax.com>,
> >> > foo <foo[at]bar.com> wrote:
> >> >
> >> >> On Fri, 11 Jul 2003 18:39:23 GMT, Flip <flip[at]flippo.com> wrote:
> >> >>
> >> >> >Unlike Windows, of course, where any Tom, Dick, or Harry can
> >> >> >compromise your system - without even having access to the computer.
> >> >>
> >> >> Really? Assume I have the latest XP service packs, and you have access
> >> >> to my XP box over my router, which is exactly how any Tom, Dick, or
> >> >> Harry would have access to it - how would you get in?
> >> >>
> >> >> Now, remove the router - how would you get in?
> >> >
> >> >What a brilliant idea! Wow! In order to secure my Windows-based web
> >> >server, all I have to do is unplug it from the router! Hey, I should
> >> >hire you as a security consultant. We need one at Infernosoft.
> >>
> >> Let me rephrase, since I know you *love* to creatively attack what I
> >> write:
> >
> >It is far, far better to do it creatively rather than by rote.
> >
> >
> >> Remove the router ... and plug the WinXP box directly to the
> >> internet. What now?
> >
> >Uuh ... let me guess. Instead of having your machine vulnerable to a
> >rampaging horde of untrustworthy cow orkers[1], your machine is safe in
> >the hands of perfectly trustworthy strangers on the Internet?
>
> Yet MSNBC.com manages to stay up. How do they do that, if you can
> instantly get into a Windows box?

How do you know MSNBC hasn't been hacked?

Not to mention, of course, that your continued use of this argument is
absurd. You can point to one system that you _think_ is secure. From
that, you pretend that it applies to every Windows system out there -
even though it's a known fact that it doesn't.

But I'll use foo-logic. I haven't experienced the screen saver
vulnerability on my computer, so it doesn't exist.

>
> >> C'mon - did I really need to write that for you?
> >
> >Well, yes. I would never have thought that moving a machine from the
> >inside of a firewall to the outside would make it safe from hackers.
> >
> >
> >> I suggest you try any attacks you feel are valid on msnbc.com - I'm
> >> sure everyone else does, and yet somehow the site is still up...
> >
> >No, you've got me all wrong! I'm one of those trustworthy Internet
> >users. You meany!
>
> Yet somehow, in spite of Maccies' attempts to portray Windows OSs as
> inherently unreliable or insecure, MSNBC stays up and running.

See above.

Sandman
07-12-2003, 12:49 PM
In article <n5pugvsiqsm2v1n134e68s8hk5gbmmbflt[at]4ax.com>, foo <foo[at]bar.com>
wrote:

> >Uuh ... let me guess. Instead of having your machine vulnerable to a
> >rampaging horde of untrustworthy cow orkers[1], your machine is safe in
> >the hands of perfectly trustworthy strangers on the Internet?
>
> Yet MSNBC.com manages to stay up. How do they do that, if you can
> instantly get into a Windows box?

Firewall.

--
Sandman[.net]

Peter Hayes
07-12-2003, 02:14 PM
Flip wrote:

> In article <ibloeb.ni4.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> flip wrote:
>>
>> > In article <72gneb.5h3.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> Flip wrote:
>> >>
>> >> > In article <k4bneb.r73.ln[at]vlad.seahaze>,
>> >> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >> >
>> >> >> foo wrote:
>> >> >>
>> >> >> > On Fri, 11 Jul 2003 07:41:23 GMT, Alan Baker <alangbaker[at]telus.net>
>> >> >> > wrote:
>> >> >>
>> >> >> <...>
>> >> >>
>> >> >> >>But even so: Wow. 11 days. Apple should have fixed this and ensured
>> >> >> >>that every computer ever sold by them has had the patch applied!
>> >> >> >
>> >> >> > They should provide an update to it, definitely. And it's good you
>> >> >> > finally acknowledge a problem exists; flip apparently still can't
>> >> >> > understand what the issue is.
>> >> >>
>> >> >> He understands right enough, he's just in denial.
>> >> >
>> >> > I'm not in denial at all.
>> >> >
>> >> > The issue only affects people where ALL of the following apply:
>> >> >
>> >> > 1. Using a PowerBook (and possibly not even all of those)
>> >>
>> >> I thought it was any Carbon system.
>> >
>> > So far, the only published reports are for PowerBooks.
>>
>> That's been shown not to be the case.
>
> Where? Every report I've seen says that it only affects PowerBooks - and
> not even all of them.

http://lists.netsys.com/pipermail/full-disclosure/2003-July/011054.html

"With regards to the above vulnerability, I tested 3 Machines (1: G4
450 & 2: Dual G4 1.2G) They all had the mentioned screen saver vulnerability."

The link was posted by foo, but maybe you missed it...

>> >> > 2. Relying on the screen saver for security.
>> >>
>> >> Well, the invitation's there.
>> >>
>> >> > 3. In an environment where someone can get physical access to their
>> >> > computer for 5 minutes without being detected.
>> >>
>> >> More common than you're implying.
>> >
>> > In an environment where they're concerned about security?
>>
>> There's 1001 ways someone might appear to be legitimate when they're not.
>> Just use a little imagination.
>
> Right. It's interesting that you're hypothesizing a location where data
> security is critical, but they leave all their computers wide open to
> the public in an unlocked room and let total strangers wander around
> without question.

A dishonest employee may have legitimate reasons to be in the secure area.
Meantime s/he's rifling the credit card databank.

A disgruntled employee may have legitimate reasons to be in the secure area.
Meantime s/he's altering data that'll have devastating results on the
company's balance sheet, or installs a password sniffer, or...

<...>

>> >> > When you compare it to
>> >> > the alternative that foo is proposing (Windows), the difference is
>> >> > laughable. There are probably 100 security holes in Windows worse than
>> >> > this one.
>> >>
>> >> Oh, I agree. Just click on the e-mail virus/worm du jour.
>> >
>> > Which is the entire point. No one said that any system is 100% perfectly
>> > secure. But when a Windows fan uses this to criticize Apple's security,
>> > it's just plain laughable.
>>
>> It doesn't matter who is criticising Apple's security, the vulnerability is
>> still there. Microsoft's security holes are only worse because of the ease
>> with which the intruder can gain access, either through software
>> engineering or through social engineering. That's the point.
>
> I never said that there was no vulnerability. But _every_ system has
> vulnerabilities. When you compare this with the major competition
> (Windows), it's insignificant.

In pure numerical terms, yes, but that's only because Windows machines form
99.999% or thereby of networked business machines, as opposed to the less
business sensitive tasks Macs tend to perform. In other words, someone will
want my CC details, not my video.

--

Peter

Remove NOSPAM. to e-mail

foo
07-12-2003, 04:55 PM
On Sat, 12 Jul 2003 11:21:19 GMT, Flip <flip[at]flippo.com> wrote:

>In article <ibloeb.ni4.ln[at]vlad.seahaze>,
> Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>
>> flip wrote:
>>
>> > In article <72gneb.5h3.ln[at]vlad.seahaze>,
>> > Peter Hayes <peter[at]NOSPAM.seahaze.demon.co.uk> wrote:
>> >
>> >> Flip wrote:
>>