A Little .Mac Security Flaw 328
deleuth writes "The de facto online connectivity software sold along with many Apple computers, .Mac, has a Web interface through which users can check their 'iDisk' while away from their own computer. However, there is no Log-Out button in this Web interface, so most users just close the browser and walk away... not realizing that their iDisk has been cached by the browser and that anyone who wants to can open up the browser, go back to the link in History, and get into their iDisk completely logged in. From here, files can be downloaded and/or deleted. This seems like a minor security flaw via bad interface design, and podcaster Klaatu (of thebadapples.info) posted this on the discussion.apple.com site, only to have his post removed by Apple. Furthermore, feedback at apple.com/feedback has gone unanswered. The problem remains: there is no way for the average computer user to log-out of their iDisk on public computers. A quick review of any public terminal's browser history could bring up all kinds of interesting things."
Apple's response? (Score:5, Insightful)
Re:Apple's response? (Score:5, Funny)
0H N0ES U DIDNT APPLE IS TEH PERFECT
A minor flaw? Tosh. (Score:5, Insightful)
Indeed; I'm somewhat amused that this is described as a "minor" security flaw in the summary and blamed on the user interface. If it was a Microsoft web site it would be described as a major flaw and the foaming at the mouth would begin. Nor is it a user interface problem; by using session cookies closing the browser would logout the user, with or without a logout button.
The site listed (but not linked [thebadapples.info]) in the summary doesn't describe the issue as minor, or a UI problem, so one can only assume that description comes from the summary author.
Re:A minor flaw? Tosh. (Score:5, Funny)
Re: (Score:3, Funny)
Basically if you see Einstein, Picasso, or Vivaldi, or even Gauss or Heisenberg, using a public computer then Apple will treat this vulnerability as serious.
Last I checked scientists, power-managers and artists don't use computers other than their own, so why should Apple care about this "vulnerability"?
Re: (Score:2)
Re:A minor flaw? Tosh. (Score:4, Informative)
And I thought it was over 5 percent now [macnn.com]...
Here's the thing. The only people that have to be worried are Mac users with a dot-mac account. I have an iMac but I wouldn't dream of getting
a place to share photos online (which I do for free with Photobucket)
your own personal web-space (which for personal use, Blogger does the job just fine for me)
email access anywhere, even on an iPhone (but the iPhone shows your regular ISP email anyway, which is set up the first time you plug your iPhone into your Mac thanks to the settings in the Mail program, and GMail is accessed anywhere with internet connectivity too)
remote access to your Mac (which I personally have never needed)
the ability to sync your favourite stuff to the computer you're using (my iGoogle page shows me all the stuff I usually bookmark on any computer I decide to log into Google
10GB of storage online for files (XDrive gives 5GB away for free, eSnips gies 5GB away for free, my photos on Photobucket, my videos that I want people to see on YouTube...)
Online backup if I don't have OS X 10.5 Leopard (or I can just buy Leopard and get all the new-fangled doohickeys too)...
What's the point? It's the equivalent of when people had CompuServe in the early-to-mid 90s. They'd pay through the nose to use a proprietary web browser and get access to groups that only other CIS users could use. It's the internet for people that don't know what's out there for nowt, a gated net community.
Re:A minor flaw? Tosh. (Score:5, Funny)
hmmm...sounds familiar...what was the name of that?
Ah, Oh weLl.
I can't remember right now.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
I dunno. When was the last time Microsoft did anything professional?
I agree that Microsoft would get a lot of abuse in this venue even when they did things well/right. But if you ask me, Microsoft doing things well/right hasn't been much of an issue for quite some years.
Re:A minor flaw? Tosh. (Score:4, Insightful)
Sorry, but the aggregate of all of those conditions is probably 0.000001%. Is it a problem? Yes? A major flaw? No. Worth discussing? Hardly. Check 100,000 public terminals and will you find one instance of the problem? Doubtful. In fact, I'd say that the fact that we're just now discovering the issue five years after
Should it be fixed? Sure.
As to your commments, I'm pretty sure I've ever seen anyone at anytime claim that Apple or Mac or OS X or the iPod or the iPhone is "PERFECT". Better, perhaps, but perfect? Nope. One has only to look at the tech notes and Software Updates to realize that. As such your entire anti-fanboi rant is pretty much just a strawman setup so you can knock him down, and pat yourself on the back in the process.
A better issue would have been followed from "A quick review of any public terminal's browser history could bring up all kinds of interesting things." Like failing to log out of Gmail or an Amazon account. But no. We have to do yet another Apple vs. Microsoft vs. Linux flamewar. Guess it's another slow Sunday at
Finally, the summary says, "feedback at apple.com/feedback has gone unanswered"... which is ALWAYS the case. It's a feedback site. It says feedback will be unanswered. To quote, "We read all feedback carefully, but please note that we cannot respond to the comments you submit." But again no, we have to make sure it looks like Apple is ignoring the "problem".
Re:A minor flaw? Tosh. (Score:4, Funny)
Re: (Score:3, Insightful)
And yet the whole of Slashdot can go ahead bashing Apple without actually investigating the problem. Had anyone actually checked, they'd have noticed that the main .Mac page—which is how one accesses the iDisk interface—has this nifty little logout button, as seen in this screenshot [mac.com].
But it's more fun to bash Apple unconditionally.
Perhaps it's a minor oversight that the self-contained iD
I noticed that, too... (Score:2)
Apple, which has a long history of this, seems to go unnoticed.
When Will Apple Learn (Score:5, Insightful)
However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.
Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.
You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.
Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
Apple makes decent hardware. Leopard is very nice to use, though far from perfect. The whole ecosystem and vertical integration is nice. However, the whole thing could come crashing down because of a serious security flaw. If people think Microsoft is susceptible to such a scenario, the Apple empire is even more so.
It's not a question of if, but when. Will Apple be prepared? So far, all signs point to "NO".
PS... the CAPTCHA word for this post was "condom".. how appropriate considering the whole point is to have a good profolactic. A good metaphore for Apple's current approach to security.
Re: (Score:3, Informative)
I see no proof of this. Apple responds relatively quickly to
No, incident does prove Apple is lacking ... (Score:5, Insightful)
You are very mistaken, this incident does prove that Apple's security policies and responses are indeed lacking. Don't get fixated on the deletion of a post, consider that they did not respond by adding a logout option to a *web* interface.
Re:No, incident does prove Apple is lacking ... (Score:4, Informative)
Apple has a bug reporting system and an email for security issues. Use them, not the forums, if you want to make sure the post is actually evaluated by someone with understanding of... well, anything technical.
Re: (Score:2, Insightful)
Feedback never gets a response from what I have heard, but is listened to. Look at the new feature in the latest Garageband update for example.
As for the forums, they say quite clearly they are for user to user technical support, not discussion of policies.
Re:No, incident does prove Apple is lacking ... (Score:5, Informative)
Re:No, incident does prove Apple is lacking ... (Score:4, Informative)
Her response _also_ repeated the point that Apple (quite naturally) prefers receiving bugreports through the proper (secure) channels and not having to cull them from unrestricted forum postings.
Re: (Score:3, Interesting)
The few times I have submitted comments/bugs to the ADC bugreport email address, I've always received an answer back (even if it's "we're working on it"). The first time it happened I was completely shocked - it was a real email written by a real person with a real answer. Brilliant.
This has been my experience as well. I've submitted several bugs. The first one was responded to by the next day and that was to ask for more information. It was followed up after a couple of days with a patch emailed to me. They asked me to test it to see if it fixed the issue - it did and was included in the next roll-up patch. The others received answers along the lines of "Thanks, someone else has already reported this, we are working on it, if you have any new information please reference xyz ti
Re: (Score:2)
Re:No, incident does prove Apple is lacking ... (Score:5, Informative)
How? What is the causal connection? Unless you have specific information about Apple's internal organization, and the relationship between the people who admin their forums and the people who work on OS security, the only connection is the one in your mind. Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy. They may be working on a fix already. They may not. They may roll it out in a week. They may not. And an article may appear tomorrow which proves that this security "flaw" was vastly overrated and is not that serious.
If you wanted to critique Apple's security prowess you could compile a list of known security flaws, with their severity and a list of how long it took Apple to patch them. That would be a logically constructed argument. However, this is Slashdot, so I won't hold my breath. This is the same lax "logic" which leads to a lot of the Microsoft bashing around here, and it looks stupid no matter which way it's pointed.
Re: (Score:2)
You claim that what forum admins do is unrelated to security. That is mistaken. Either a forum admin failed to report a security issue or they forum admin reported it and no one felt the need to update a *web interface* in a timely manner. Either scen
Re:No, incident does prove Apple is lacking ... (Score:5, Insightful)
Or it indicates that user forums are not the place to report security flaws, and that user forum administrators are in no way able to evaluate what is a stupid user error vs what is an actual security issue across the hundreds of different hardware and software combinations Apple offers. If you think every forum post should simply be echoed to the bug tracker, that's your prerogative, but it seems to be a great way to waste a lot of the qualified bug-squashers' time.
Re: (Score:3, Insightful)
That's precisely what you're saying, otherwise Apple should just pay it's security team to be the forum administrators so that nothing is missed. You can't tell someone to forward some things and not others without asking them to evaluate the messages to determine which need forwarding. In order to evaluate which need forwarding, you need technical knowledge about what is being discussed.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Apple is not a monolithic entity with the ever-vigilant head of Steve Jobs on constant watch. It's a large corporation with multiple divisions, each of which has their regions of control and expertise. The decision to nuke posts about a security flaw, while stupid and short-sighted, does not immediately mean that Apple's OS security people are lax or lazy.
Wrong - it means exactly that.
If their security folks weren't lax and/or lazy there would be a well known and well understood process within Apple for all the divisions to follow when a possibly security flaw was reported. The process should include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.
Re:No, incident does prove Apple is lacking ... (Score:4, Insightful)
There is a well known and well understood process, it's called bugreporter.apple.com. The process does include tracking, reporting, and escalation procedures to ensure that big things don't get categorized as small things and overlooked.
What you're complaining about is that random forum administrators don't have the responsibility, time or technical ability to personally evaluate every forum post for whether it contains a bug or a security flaw as opposed to a stupid user error.
Re: (Score:3, Insightful)
Re: (Score:2)
To be fair, this is so silly that it should never have been a security problem. This shouldn't be measured by how quick they fix it, but rather how long they let it last.
"Apple's overzealous moderation of their own forums is well known, and unfortunate. But it has nothing to do with how well they manage their OS security and how well they respond to exploits."
I don't think you entirely got
Re: (Score:2)
I'm not sure you comprehend what it takes to engineer something like a Macbook, or even a MacPro. Saying they just choose the components is like saying I just choose the steel when I design something like Southern Cross Station [wikipedia.org]. It's a >little more complex than that. They certainly do engineer their own motherboa
Re: (Score:2, Insightful)
I guess my point was that what they do is make good decisions--that's much more significant than any minor layout tasks they might do. I've worked for a few companies that had engineers working at creating their own chip designs, board layouts, etc. Although it can be "Engineering", it's not particularly hard. (By Hard I mean
Re: (Score:3, Interesting)
And Apple does more than just pick components to cram into a laptop. The MacBook Pro, for example, was designed from the ground up by Apple, and does feature custom designed internals - yes, obviously some components are standard (the CPU, GPU, etc.) but the motherboard, etc. is original.
If the MacBook Pro was just a bunch of off the shelf components, there would be a lot more 1" thick 5.4 pound laptops out there.
Re: (Score:2)
For example, your "Apple doesn't even try" example was called OpenDoc, and it was hardly a secret.
Comment removed (Score:4, Insightful)
Re: (Score:3, Insightful)
Saying apple makes good hardware though? Don't they just order and piece together hardware just like joe shmoe's computer shop would? Do they manufacture motherboards, CPUs, ram or hard drives? They might make the cases, I doubt they make the power supplies.
Apple is an OEM like Dell or actually, more like Sony. Most of the components they use are standardized, but they do have motherboards designed just for them, they design how all the components go together, which ones to use, and what the required specifications (acceptable failure rate) are. Not all machines are created equal in this regard. Just take a look at the percentage of machines returned due to failed hardware that consumer reports publishes each year and you'll see Apple at the top of the list,
Re: (Score:3, Insightful)
Apple hasn't experienced a real virus outbreak, but they thought ahead to implement these features before anything has happened. They beat Microsoft in many of these areas.
Re: (Score:2)
Re:When Will Apple Learn (Score:5, Informative)
You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case.
Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
You are incorrect in so many ways, I find it hard to begin.
1. There is no proof what so ever that Apple's install base is the reason Macs are more secure than Windows. Having network servers off by default and having a default web browser that doesn't run code written in C++, visual basic, and whatever the hell else ActiveX supports these days to be FAR more important than the install base. There are reasons that in the past, if you took a Windows computer out of a brand new box, hooked up via a DSL or Cable modem that your machine was hacked before you were finished logging in for the first time, and it isn't because of the installed base (you do remember that don't you). The Windows machine has active network servers running.
2. Apple doesn't ignore security updates and issues. They fix them. Sometimes even before someone posts about them. If you don't like their update schedule and want Apache or whatnot to be running up-to-date you can install from the CVS just like the Linux and BSD people do. To me it's like saying Red hat doesn't respond rapidly to security holes. If you want a day zero fix, update from CVS. For the common user all of this is irrelevant, since their default install isn't listening to network traffic. Apple has also included other under the hood improvements, just like all other venders, to minimize the risk of buffer over flows.
I'm sorry, Apple's not walking some kind of security minefield just getting lucky all the time. Just like Linux isn't. Unix style security just works very well and is easy to manage. Your computer isn't magic, there's a reason why Microsoft's operating systems are getting owned all the time. There are a LOT of reasons for this, most of them boil down to bad default installs and the environment Microsoft has created within it's developer community. An environment that fosters laziness and has typically done very little to stop their bad practices. Things like making applications that require the admin to be login in order to run. Which in turn leads to the floor level tech just giving everyone admin access.
You computer is not made of magic, there are reasons Microsoft's operating systems suck and people complain about them and it's not because they are "not Apple and have a small install base".
Re: (Score:3, Informative)
I'm not sure how programming in Objective-C is safer than C++, but I d
Re: (Score:2)
Re:When Will Apple Learn (Score:5, Informative)
However, there is one thing that I am very troubled by and it is simply this: Apple apparent arrogance and ignorance when it comes to security.
Apple is a mixed bag when it comes to security. They have employees they acquired from other companies specializing in Web technologies, graphics, video, and numerous other topics, as well as old-school Apple employees many of whom do not take security seriously enough. On the other hand they have all the Next employees and all the old-school Unix guys they've hired on to manage the guts, who live and breath security. As a result, in some ways Apple is way ahead of the game for security (like with their new sandboxing and signing frameworks in Leopard) and in others they seem oblivious. I can't think of another consumer desktop oriented OS that ships with so few services running, and with almost all of those sandboxed. Then you get to other things Apple, like some of their userland applications and Web services and you wonder that the same company could produce both of them. Apple is pretty schizo in this regard.
Apple has enjoyed a "blanket" of security because it is low profile and a niche. However, as its market share and mind share expands, this period of respite will soon fade.
I disagree. Apple is a juicy target for exploitation for many reasons. They are less likely to be exploited due to a number of market and social factors, but in general, Apple's security has been fairly sound and that is why they are not worm food. Further, I don't see Apple's security record becoming poor in the future. Apple, Linux, Solaris, etc. all have one major thing that will keep them more secure than Windows is today... motivation. If Apple's security starts to fail for their users, Apple loses money as they move away. Thus, Apple has direct financial motivation to fix the problem, and they will. This is the advantage of a free market. Microsoft, however, has a monopoly, so even when their users are screaming out for better security, MS loses very few, if any, if they ignore their customers and focus instead on locking in a new market and this latter action will make them more money. They have direct financial motivation to do little more than provide the appearance that they are doing something security-wise, and that is what they keep delivering.
You would think that, during this time, Apple would have used the opportunity to develop and internal culture, policies and procedures, as well as infrastructure for dealing effectively with security issues. However, the complete opposite appears to be the case. Apple has failed miserably to publicly and actively address such issues. It also fails to respond in anything that could be called a rapid manner to reports of exploitable security holes. Taking actions such as deleting posts that point out security problems makes the situation worse, not better. Failing to publicly document the existence, status and nature of defects makes the situation worse, not better. Being secretive makes the situation worse, not better.
Here is my experience with Apple's security response. My co-worker found a potentially exploitable hole in OS X. He went to Apple's Web site and reported it as a security bug in the bug report section, not commenting the forums that are for users not Apple employees. Apple sent him a message a few days later saying they'd look into it. A few weeks later the next security update for OS X came out and fixed the problem, including crediting my co-worker with discovering it. It was painless and quite rapid for that large of a project, considering the time for research, coding a fix, testing, and rollout, in fact a lot faster than our average response time to that same priority of bug (and we sell much more critical security devices). From everything I've seen, Apple responds fairly quickly to security issues reported to them and the only instances where there are major problems are where researchers refuse to give Apple details before p
Re: (Score:3, Interesting)
Actual thing is http://bugreporter.apple.com/ [apple.com] , "New Problem" "Security" from drop down menu.
He seems as an advanced user/developer and yet uses the "Feedback" form. Than posts to public forums ignoring their policies punishing those non techie
Here is the complete open Mozilla project security issue reporting guideline
"IMPORTANT: Anyone who believes they have found a Mozilla-related security vulne
Re: (Score:2, Insightful)
I don't think it's the best way to deal with the problem, but I can see logic in taking down the post. The less people who know about this the better. The only thing a thread would achieve is a) People all going "WTF LULZ APPLE FIX DIS IMMEDIATELY" which would have no effect on Apple's speed in providing a solution, or b) "Wow that's a cool trick, I'm going to try it at my local net cafe" - not something we want.
However Apple, like most corporations, clearly hasn't heard of the "Streisand effect" http://e [wikipedia.org]
Re: (Score:2)
Apple can't take it down from anywhere else, (eg, here) so all it does is make them look like
Re: (Score:2)
Re: (Score:2)
I still haven't decide if I should like them or not, I guess they are as bad as Microsoft.
Your .sig (Score:2)
Your basic premise is wrong.
Other Apple security controversy (Score:5, Informative)
http://www.theregister.co.uk/2007/12/15/apple_security_fixes/ [theregister.co.uk]
Re: (Score:2)
Their main competitor is MS. As long as their users remain less likely to have security problems than MS's users, they do not have a problem. They have no reason to waste resources on security.
What are users who are not happy with Apple over this going to do? Switch to Windows?
Re: (Score:2)
From the forums Terms of Service [apple.com]: Post constructive comments and questions. Unless otherwise noted, your Submission should either be a technical support question or a technical support answer. Constructive feedback about product features is welcome as well. If your Submission contains the phrase "Im sorry for the rant, but" you are likely in violation of this poli
this is common (Score:2)
This happens all the time on corporate forums. The really infuriating part is that the admins also delete posts advocating a move to another forum without censorship. The only way to take discussion to sane place is to find topics before they've been deleted, see who's interested enough to post in those threads, and PM the
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Oh. I get it now.
[disclaimer: I actually adore the Macintosh operating system and I've got a dual G5 tower sitting under my desk. It's just that I love dicking with the mac fans who get all red in the face whenever something challenges their Weltanschauung.]
Slant much? (Score:4, Insightful)
I love how this is a "little", "minor" security flaw, and even though Apple actively deleted the post exposing this information nobody's really up in arms as it's just due to "bad interface design". If this were a Microsoft property, people would be screaming bloody murder.
Clear private data (Score:3, Interesting)
Not having a log out button is bad design but many people forget to click them, you need a decent timeout to reduce the risk for those that don't log out.
Does this system keep you logged in (via cookies) if you close the browser and restart it? If so that's a very bad design.
Re: (Score:2)
2. Slashdot keeps you logged in if you close the browser and restart it.. is that a bad design?
3. Many other sites do too.. it's called convenience.
Otherwise, yes, you're right a decent timeout is a good idea.. but what is "decent"? Sounds pretty subjective.
Re:Clear private data (Score:4, Insightful)
Slashdot has a "public" option. If you click that when you log in, your login state is only stored for the session and freed when you close the browser.
Many other sites also implement a "public" mode like Slashdot has. Just as two other examples, Microsoft's Outlook Web Access (OWA) lets you choose "public" or "private" when you login, and Microsoft's Passport/Windows Live ID gives you the option to save email + password, just email, or nothing (the latter two are effectively session-only logins, as you still need the user's password in order to login subsequently). As well, every other site also has the ability to logout, which .Mac is missing.
A "decent timeout" is trivially simple -- mark your cookie only valid for the current session (aka, use a "session cookie"). This is at odds with persistent login designs, so you have to give users the option -- login with a session cookie ("public terminal") that will expire when you close the browser, or login with a persistent cookie ("private terminal") that will remain valid for some period of time. If you only choose the latter, like .Mac, you must also provide a "logout" option. Anything less is a security violation.
Re: (Score:2)
The server cannot trust an unknown browser to expire the cookie and the server cannot detect when a remot
Security Through Obscurity (Score:3, Funny)
Ah, well, see, so long as Apple makes sure no knows about this, it won't be a problem. Surly everyone on Slashdot sees the validity of this strategy. (God I love my sig)
Re: (Score:2)
I hope this doesn't get modded informative.
Re: (Score:2)
Huh? (Score:5, Informative)
After accessing your iDisk in Firefox:
In Safari:
Or if you remember to do so before visiting .Mac's iDisk page:
Problem solved.
So yes, there are ways for the average user to log-out of their iDisk from a public terminal. They just simply have to use the existing facilities at their disposal.
Yaz.
Re: (Score:2, Interesting)
Re: (Score:2, Insightful)
Re: (Score:2)
If the real world worked that way there'd be no guard rails.
Re:Huh? (Score:5, Insightful)
Anyway, as computer nerds, we're supposed to be concerned about computer security. Most people aren't. They have their own concerns. I'm glad that they're around to look after other things, so I don't have to be concerned about my bank running out of money, or my medication not being poisoned, or my car falling apart while I drive it, or all those nice other things that could be a really big problem if there weren't people making sure we were safe.
Anyway, a good computer security example is antivirus software. I stay the hell away from the stuff, it's slow and buggy and bogs down my system more than most viruses do. On linux, it's not an issue since security issues there are better handled by better configuration and monitoring, and on my windows box I just use manual system/network diagnostic tools to keep an eye on it and fix whatever's needed.
Does that mean I recommend the same to my friends? Hell no! I make sure they always run both a good antivirus and a firewall at all times. Otherwise they get viruses constantly. They just don't have the background to understand what they should and shouldn't do to avoid the things, not to mention the lack of skill necessary to deal with viruses as they come.
My friends aren't stupid (most of them anyway), it's just not what they do. They use computers as tools to get things done, and if they're not making it safe and easy to do the work they want, then the computers aren't working right. That's just how it is, and that's why services that allow people to use public terminals need to be built from the ground up to make it secure to use a public terminal.
You'd think Apple of all people (er, companies) would understand the need to make the right interface for different kinds of applications. Well, maybe I'm thinking back to the Eighties, way before their brushed metal/colorful candy era. If I had my way, they'd have canonized Raskin by now.
Re: (Score:2)
They did make the right interface. Fact is, this is not a security flaw [slashdot.org]. No, seriously.
Re:Huh? (Score:5, Informative)
Re: (Score:2)
Re: (Score:3, Insightful)
Moreover, look at even the phrasing of the examples
Re: (Score:2)
Re:Huh? (Score:5, Insightful)
That's why all bank sites I know log you out if you are inactive for a while. Seems like a good idea.
Session cookie (Score:2)
another security aspect (Score:2, Interesting)
This sounds like a job that some sort of graphical SSH frontend could do better. (since OS X has ssh support built in)
In other news... (Score:5, Funny)
Re:In other news... (Score:5, Funny)
I don't know about M. deleuth, but if Apple's Reality Distortion Field(R) can make kdsawson disappear, I'm buying another Mac. Maybe two.
Re: (Score:3, Funny)
That's interesting (Score:4, Interesting)
In real experience terms, this isn't going to be much of an issue until it's fixed, but does put a small stain on the portability of the service. Which is one of Apples main advertising points for it. Gotta remember though, Apple, like all other companies is filled with a lot of people. There are moderators on Apple forums, for all we know one of them removed it then notified management of the problem and it's working it's way up the command. It's not like Steve Jobs read it and said, "OMGWTFBBQ!?!?! PULL THAT NOW!".
Though, the extra publicity will help.
Re: (Score:2)
Re: (Score:2)
If you have a bug report, Apple asks that you submit it via the usual channels. They don't, however, respond to these.
I'd imagine (and it is only imagination, since I'm not SteveJ or anyone who works for him) that they don't routinely respond to bug reports posted online because there's a helluva lot of "bug reports" posted online (in itali
Just another hit against Apple... (Score:3, Insightful)
Re: (Score:2)
Personally, I just don't expect a publicly traded company to look out for me (unless I am a shareholder, but even then...)
Wait, what?? (Score:5, Interesting)
You are a heretic, sir! (Score:5, Funny)
Ah, but this is Slashdot, where corporations are composed of primordial evil and capitalism is the beefy fart of the Devil. Every slip up is cause for running to the hills to prepare revolutionary strikes, and then run to the other hills and plan counter-revolutionary terror, and we all run around like decapitated chickens shouting comforting mantras like "Information wants to be free!" and "It am teh suk!"
This just in! (Score:2)
If you let someone have full access to your computer, they can delete personal files and directories! News at 11!
Browser Sessions (Score:2)
Does it use cookies? (Score:2)
Logout for HTTP Basic Authentication (Score:2)
I don't know if
This is NOT a security flaw! (Score:2)
But wait... (Score:2)
(/sarcasm)
There is in fact a logout button. Top right. (Score:2)
They deserve it (Score:2)
Re:How many people actually use iDisk? (Score:4, Interesting)
Re:My testing (Score:4, Informative)
Re:My testing (Score:4, Informative)
Re: (Score:3, Insightful)
...chuckling not only at the security issues that are popping up, but at Apple's reaction to all of them.
I've been working in the security industry for years. I've submitted bugs to Apple, MS, and various Linux and BSD projects. Apple's reaction to such submissions has been better than average. For the most part, they seem to acknowledge security related bugs and fix them before they are exploited, including providing credit to the bug reporter. I guess what I'm saying is, if you're judging "Apple's" response to security related bugs, maybe looking at how they handle problems reported to them through their