
Apple Fixes 'Misleading' Leopard Firewall Settings

Posted by Zonk
from the walls-need-to-be-just-a-teensy-bit-thicker dept.
4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."

  • by daveschroeder (516195) * on Thursday November 15, 2007 @06:24PM (#21371211)
    Apple's "everything just works" niceties depend on things like Bonjour, in particular, being able to be accessed, and most users would end up selecting "Block all incoming connections" when making a firewall choice, because they won't really understand anything else...and "more" is "better", right? So blocking all must mean I'm super secure! Firewall good! Hacker bad! ...Except that now when I get my AppleTV and buy my son or daughter an iMac and expect to be able to do all the cool stuff that doesn't require any configuration and "just works"...nothing works. Why doesn't it work?

    They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.

    So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.

    Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.

    This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".

    Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.

    Apple describes all of this very explicitly here [apple.com]:

    The 10.5.0 Application Firewall blocked all but:

    Processes that are running as UID 0
    mDNSResponder

    The 10.5.1 Application Firewall blocks all but:

    configd, which implements DHCP and other network configuration services
    mDNSResponder, which implements Bonjour
    racoon, which implements IPSec

    So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.

    And from here [apple.com]:

    CVE-ID: CVE-2007-4702

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: The "Block all incoming connections" setting for the firewall is misleading

    Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services", and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

    CVE-ID: CVE-2007-4703

    Available for: Mac OS X v10.5, Mac OS X Server v10.5

    Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"
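
The two allow-lists quoted in the comment above can be turned into a quick audit of which listening sockets each policy would leave reachable. This is an added example, not part of the original thread and not Apple's code; it assumes the column layout of `lsof -nP -l -i` (numeric UID in the USER column), runs on a constructed sample with untruncated command names, and matches processes by name only, which is a simplification.

```python
from dataclasses import dataclass

# Allow-lists as quoted from Apple's notes in the comment above.
NAMES_10_5_0 = {"mDNSResponder"}                    # plus every process running as UID 0
NAMES_10_5_1 = {"configd", "mDNSResponder", "racoon"}

# Constructed sample in the assumed `lsof -nP -l -i` layout (not real output).
SAMPLE = """\
COMMAND       PID USER FD  TYPE DEVICE    SIZE/OFF NODE NAME
launchd         1    0 12u IPv4 0x3b1e000 0t0      TCP  *:22 (LISTEN)
cupsd          41    0 5u  IPv4 0x3b1e400 0t0      TCP  127.0.0.1:631 (LISTEN)
ntpd           18    0 20u IPv4 0x3b1e800 0t0      UDP  *:123
configd        14    0 9u  IPv4 0x3b1ec00 0t0      UDP  *:68
racoon         77    0 7u  IPv4 0x3b1f000 0t0      UDP  *:500
mDNSResponder  23   65 8u  IPv4 0x3b1f400 0t0      UDP  *:5353
iTunes        310  501 31u IPv4 0x3b1f800 0t0      TCP  *:3689 (LISTEN)
Safari        322  501 14u IPv4 0x3b1fc00 0t0      TCP  192.168.1.5:49231->203.0.113.10:80 (ESTABLISHED)
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    uid: int
    proto: str
    endpoint: str


def parse_listeners(text):
    """Return sockets that can accept inbound traffic: TCP in LISTEN, unconnected UDP."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not (f[1].isdigit() and f[2].isdigit()):
            continue                      # header, blank or malformed row
        proto, name = f[7], f[8]
        state = f[9] if len(f) > 9 else ""
        if proto not in ("TCP", "UDP") or "->" in name:
            continue                      # not an IP listener, or already connected
        if proto == "TCP" and state != "(LISTEN)":
            continue
        rows.append(Listener(f[0], int(f[1]), int(f[2]), proto, name))
    return rows


def reachable(listener):
    """Loopback-only sockets are not exposed to the network whatever the firewall does."""
    host = listener.endpoint.rsplit(":", 1)[0]
    return host not in ("127.0.0.1", "[::1]", "localhost")


def allowed_10_5_0(listener):
    # 10.5.0 "Block all incoming connections": UID 0 processes and mDNSResponder pass.
    return listener.uid == 0 or listener.command in NAMES_10_5_0


def allowed_10_5_1(listener):
    # 10.5.1 "Allow only essential services": fixed set of three system services.
    return listener.command in NAMES_10_5_1


def audit(text):
    """Compare what each policy leaves open and what the update closes."""
    listeners = [l for l in parse_listeners(text) if reachable(l)]
    old = [l for l in listeners if allowed_10_5_0(l)]
    new = [l for l in listeners if allowed_10_5_1(l)]
    return {
        "10.5.0": old,
        "10.5.1": new,
        "closed_by_update": [l for l in old if l not in new],
    }


if __name__ == "__main__":
    for policy, items in audit(SAMPLE).items():
        print(policy)
        for l in items:
            print(f"  {l.command:<14} uid={l.uid:<4} {l.proto} {l.endpoint}")
```
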

    • by liquidpele (663430) on Thursday November 15, 2007 @06:40PM (#21371399) Journal
      Damn. That's one hell of a first post.
      Is there even anything left to say?
    • Re: (Score:3, Insightful)

      by djh101010 (656795) *
      There ya go, Dave, being all informative, complete, accurate, and factual. You realize the haters are about to label you, let's see, what is it this time? Fanboi, apologist, and employee of Apple I think is due this time, right?

      For the record, I saw the writeup and was hoping you'd have written a response, and am glad to see you did. Those of us who are capable of understanding facts and logic, rather than knee-jerk pretending that "w000, this is just as bad as Vista on a good day" and all that, appreci
      • There ya go, Dave, being all informative, complete, accurate, and factual. You realize the haters are about to label you, let's see, what is it this time? Fanboi, apologist, and employee of Apple I think is due this time, right?

        For the record, I saw the writeup and was hoping you'd have written a response, and am glad to see you did.

        I wonder why you would be hoping to see his response unless he had some sort of pattern to his posts... What do you call someone who, without fail, defends a particular co
        • by djh101010 (656795) *

          I wonder why you would be hoping to see his response unless he had some sort of pattern to his posts... What do you call someone who, without fail, defends a particular company?

          Informative/insightful, in this case. He knows what he's talking about, and has the communication skills to present it in such a way that anyone who isn't blind to reality will understand. And it's not so much "defend(ing) a particular company", it's more about sharing his subject matter expertise with the group. Just because someone is correct and consistent doesn't somehow undermine their credibility - quite the opposite, in fact.

    • by Rodyland (947093) on Thursday November 15, 2007 @06:45PM (#21371485)
      Let me first say that I get what you're saying, and I can understand where Apple are coming from....


      But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

      Seriously, if an MS-shipped firewall decided (without telling you) that 'block all incoming connections' really meant 'block all incoming connections except for MSN Messenger and oh, I don't know, maybe Media Player', would you be making excuses about how it was really necessary and understandable to deliver the "Microsoft Experience(TM)"?

      No, I didn't think so either.


      Yes, Apple should be applauded for recognising a problem in their software, as well as a problem in the way their software presents itself, and fixing it.

      But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

      • Re: (Score:3, Insightful)

        by geekoid (135745)
        It's about reputation.
        MS has a well deserved crappy reputation. Apple has a well deserved good reputation.

        Historically speaking, MS would avoid, pretend it doesn't exist, refuse to take the blame, and release a patch 2 weeks later that just happened to fix this issue.

        Yeah, Apple screwed up but they are fixing it and they admit it. Integrity can go a long way.

        In your world it seems nothing and nobody can every be forgiven for making a mistake. How sad.

        Apple was very clear about what it does:
        The 10.5.0 Applica
        • Re: (Score:3, Funny)

          by davidsyes (765062)
          "In your world it seems nothing and nobody can [*every*] be forgiven for making a mistake. How sad."

          ON MEE-SA-PLANET, WEE-SA CALL A BIG MAC A NABU ROYALE... How's daaad????
          • by Lars T. (470328)

            "In your world it seems nothing and nobody can [*every*] be forgiven for making a mistake. How sad."

            ON MEE-SA-PLANET, WEE-SA CALL A BIG MAC A NABU ROYALE... How's daaad????
            No, in his world nobody can ever be forgiven for making the same mistakes over and over and over again. Sucks if that is you, but not because you are not forgiven...
            • by davidsyes (765062)
              I recall: "Misery likes company", and someone updating it to "NO, misery DEMANDS company..."

              I am fallible. I will not achieve perfection in this lifetime. I have too much negative karma to zero out, and that will probably take me several more lifetimes.

              To borrow Mira Sorvino's character's phrase in the "The Replacement Killers", (paraphrasing here):

              "I keep wondering if I'm going to do that ONE right thing that can wipe out ALL the bad shit I've done." But, I know, in this lifetime I might only knock out 5 o
              • by davidsyes (765062)
                So, my prev gets modded off topic, and my 2, funny gets modded off-topic. Somebody's gunning after me....

                A lot of humorless wretches out there...
      • Re: (Score:3, Insightful)

        by dave562 (969951)
        Apple is facing the same problem that Microsoft is facing. Microsoft wanted to make their software appear user friendly and easy to use. They went ahead and created ActiveX and in numerous places like with network shares, setup the default permissions so that everyone could use it. That eventually came back in the end to bite them in the ass. Luckily for Apple, they are able to learn from the collective wisdom of all who have gone before them. But like this instance shows, Apple is not necessarily any
        • by 99BottlesOfBeerInMyF (813746) on Thursday November 15, 2007 @07:41PM (#21372127)

          Microsoft wanted to make their software appear user friendly and easy to use. They went ahead and created ActiveX and in numerous places like with network shares, setup the default permissions so that everyone could use it.

          There is a significant difference between Apple's firewall settings and MS's use of DirectX. Apple changed the way the firewall worked to be application level and sandboxed the services that it let by the firewall. Unfortunately they misleadingly labeled that setting. When users tested it, they became upset. Apple needs to keep customers happy in order to make money, so they changed it to conform to what customers wanted. It is good business and the way the market is supposed to work. Apple wants to make money, so acting out of what could be called avarice, they give users what they want.

          Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.

          On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security. They just aren't motivated.

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.

            What??? Do you even read what you type? Since when is making money bad and trying to get maximum market share for your platform/service bad? People weren't forced to **DEVELOP** applications for ActiveX even if it came installed with the OS. They were certainly not tied in or locked in any way, shape or form. Technically competent people were capable of easily disabling it (which is bad for the newbies... I agree). Other software firms still had the option of creating their own standard. Hello... Java??

            On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security.

            Wow

            • I've been running windows since Windows 3.1 and have never been infected by a virus, spyware or rootkit and nor has my installation ever been compromised. No matter what horror stories you have about Windows they are almost always the result of somebody's stupidity.

              Well played, sir! But just between us: did you keep a straight face while writing that, or did it get the best of you?

            • Re: (Score:3, Insightful)

              What ??? Do you even read what you type? Since when is making money bad and trying to get maximum market share for your platform/service bad?

              Making money and maximizing market share is fine, when they lead to increased efficiency and innovation in the market. That is why capitalism is so successful, because in a capitalist system competition for custom leads to innovation and efficiency. The problem is monopolies break capitalism and lead to reduced innovation and inefficiency. It is sort of like combining the worst aspects of socialism and the worst aspects of capitalism. That is why abusing monopolies is illegal, pretty much everywhere. They

          • by dave562 (969951) on Thursday November 15, 2007 @09:05PM (#21372905) Journal
            Were you actively using computers when ActiveX was introduced? Were you involved in doing any web development? On one hand you can go on and on about how Microsoft leveraged their monopoly to get into the web arena. I will agree with you there. Perhaps you can realize that at the time that Microsoft introduced ActiveX, there weren't any other technologies out there that allowed the content delivery and functionality with the ease that ActiveX and IE did. It was a big fat security hole and no one in their right mind will argue against that. However the reason that they rolled it out was to enable developers to target web users with applications. I'd say they were right on the money with the need for that. They went ahead and picked ease of use over security to allow app developers to develop web content. We all know how that worked out with regard to malware. You can't argue that it didn't allow content developers to get their content out there... even if 85% of it was unwanted. ;)

            I disagree that Microsoft doesn't have any financial motivation to fix the problems in ActiveX and their various technologies. Take a look at IE7. Where are all the ActiveX exploits that target IE7? Microsoft has a HUGE installed userbase that depends on IE/IIS and Visual Studio for development. They have a huge incentive to keep that cash cow secure.

            From real world experience, I can tell you that Microsoft does just fine with security. I have hands on experience with literally thousands of desktops and hundreds of servers running 2000/XP/2003 and zero security incidents. With good firewalls, security policies, group policies, WSUS, AV, etc. it is possible to secure Microsoft networks. You just have to know what you are doing and stay abreast of the latest developments. It also helps if you use some open source tools like Snort, nmap and the like to keep an eye on what is going on behind the scenes.

            The original point of my first post still stands though. As Apple moves forward, they are going to have to face the same challenges that Microsoft faced... balancing the user expectation of an easy to use interface and "it just works" mentality with security needs.

            • Re: (Score:3, Insightful)

              Were you actively using computers when ActiveX was introduced? ... Perhaps you can realize that at the time that Microsoft introduced ActiveX, there weren't any other technologies out there that allowed the content delivery and functionality with the ease that ActiveX and IE did.

              Yup, one year after Sun introduced a Java runtime for Windows and MS started bundling a broken version to undermine the platform (perhaps you recall the antitrust conviction).

              However the reason that they rolled it out was to enable developers to target web users with applications.

              ... and to make sure those applications were tied to Windows so that people could to easily target multiple platforms using the Web, a strategy they still pursue with their refusal to support newer Web technologies, or even older and capable Web technologies fully and in accordance with the specs.

              You can't argue that it didn't allow content developers to get their content out there... even if 85% of it was unwanted. ;)

              I can and do, however, argue th

      • by 99BottlesOfBeerInMyF (813746) on Thursday November 15, 2007 @07:24PM (#21371905)

        But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

        Umm, people were screaming themselves blue about how Apple's firewall was broken or fundamentally flawed or misleading. There were dozens of articles about it and hundreds of postings in discussion groups.

        The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy. They very quickly made sensible changes to make it clearer how the firewall behaves and addressed pretty much everyone's concerns, even those of people who really didn't know what they were talking about.

        But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

        Security is a journey not a destination. Security is about trying to allow users to do what they want while stopping things they don't want from happening. There will always be security holes and room for improvement. Concentrating on mistakes made by any vendor is counter productive. So long as the vendor responds and fixes the problem and takes a responsible attitude, they're doing fine by me.

        • Re: (Score:3, Interesting)

          by Rodyland (947093)
          I agree wholeheartedly with your post. What I objected to mostly was the way the OP explained away why it was broken like it didn't matter. It does matter when companies put out software that doesn't do what it says it does, moreso when it's security software and what it doesn't do is make things more secure.

          Don't explain it away with "the apple experience". Apple stuffed up badly, and now have fixed it. Simple

        • The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy.

          Really? How many people sell kit for Apple hardware? How many people can sell FairPlay tracks for iPods? Apple's as much of a monopolist as MS, it's just not as successful (yet).
          • How many people sell kit for Apple hardware?

            http://www.sonnettech.com/ [sonnettech.com]
            http://www.powerlogix.com/products/index.html [powerlogix.com]
            http://macspeedzone.com/html/hubs/central/upgrades/processor/ [macspeedzone.com] (not recent stuff, but that's not the point)
            http:/// [http] any hard drive manufacturer

            There used to be a few graphics cards available before the move to x86, although they've dried up now. Apple are doing nothing to stop ATi and nVidia from making retail cards for the Mac, so I guess it's just the appearance of low sales (they can only t
          • Really? How many people sell kit for Apple hardware?

            Kit? Lots of people sell hardware and software for Apple systems.

            How many people can sell FairPlay tracks for iPods?

            Umm, since FairPlay is an Apple brand, none. Lots of people sell music that plays on iPods now, and Apple is phasing out Fairplay anyway and moving to non-DRMed music.

            Apple's as much of a monopolist as MS, it's just not as successful (yet).

            It is quite obvious you have no idea what a monopolist is.

            The only market Apple is close to being a monopoly in is portable digital music players, and as they gain in market share (they are near the 70% level where some jurisdictions begin investigating). As that shore i

      • Meh. I think you're kind of right, but the reasons are semi-valid. Every time there's any kind of a problem with Linux or OSX, someone makes a big todo about "If this happened with Windows, you all would be screaming bloody murder!"

        But the things that piss people off about Microsoft are usually... well.... worse. No one is accusing Apple of misuse of hidden APIs or anything. It's not like, "You enable the firewall and Firefox stops working, but suspiciously Safari works fine!" It's not as though these

      • There was a story here last week, and plenty of people did scream themselves blue in the face about how Apple was insecure by design.

        You're right though - it was bad design and Apple were pulled up on it. I think it's okay to make mistakes as long as they're fixed reasonably quickly, like this was. It's not wonderful to make the mistakes in the first place, but it's always good to learn from them.
    • Re: (Score:2, Insightful)

      by rmerry72 (934528)

      So what Apple does is a little bit of deciding for the user what makes sense.

      MS did exactly the same with Windows. All those nice important services that are on and open and insecure just for the user. Comcast do the same for all their users - let you do what makes sense and block everything else. Sony also did what makes sense with their rootkit - after all a CD shouldn't be played in a computer, right, that's what a CD player is for?

      And all LIED about it and misled paying customers.

      But this is Apple

    • by yo_tuco (795102)
      "Based on this, I'd say that several major issues with the Application Firewall have been addressed."

      So what do you do when you're at Starbucks with your PowerBook and you want to ensure that *ALL* connections are closed except TCP, ports (80, 443)? Maybe you would like to quickly change your settings to this scenario in a nice GUI without having to write new ipfw rules you can't remember off the top of your head while sipping your quad latte.
      • So what do you do when you're at Starbucks with your PowerBook and you want to ensure that *ALL* connections are closed except TCP, ports (80, 443)?

        Umm, I don't want to, since it disables some pretty nice services I use, services that are sandboxed for added security anyway. If I did I'd configure the firewall with those settings. Note: ZeroConf (AKA Bonjour) rules at the coffee shop. There is nothing like being able to send an IM to all the mac users on the local LAN and see if anyone has a Firewire cable I can borrow.

        Maybe you would like to quickly change your settings to this scenario in a nice GUI without having to write new ipfw rules you can't remember off the top of your head while sipping your quad latte.

        There are several third party, GUIs to configure the firewall for 10.4, including at least one that allows you to save multiple c

        • by yo_tuco (795102)
          "Umm, I don't want to, since it disables some pretty nice services I use..." The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum. Save the "nice" services for when you are on a trusted network. I don't want 3rd party.
          • by 99BottlesOfBeerInMyF (813746) on Thursday November 15, 2007 @08:37PM (#21372639)

            The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum.

            Funny. Technically, I don't need to use the Web at all in coffee shops, so by your argument I should block all traffic. On the other hand, I prefer my computer to be functional, when that functionality does not pose a significant security risk. Guess what, I also have SSH enabled for access, even though I only need to access it occasionally. The service I originally referred to (Bonjour) is unlikely to pose a security risk, especially since in addition to finding an exploit in it, an attacker would have to find an exploit in the Mandatory Access Control sandbox OS X runs it in by default. I'm a lot more likely to be exploited by an attack on my Mail.app than by an attack on Bonjour. Do you also advocate that I do not check my e-mail while at the coffee shop?

            Save the "nice" services for when you are on a trusted network.

            Screw that. Half the benefit of Bonjour enabled chatting is that I can easily talk to people I don't have in my "buddy" list while at conferences and coffee shops. Sacrificing function out of unjustified fear is not my cup of tea.

            I don't want 3rd party.

            Umm, okay, then don't use it. Good luck finding a capable first party GUI firewall configuration tool on a platform that is not riddled with security holes.

            Honestly, it sounds to me like you're looking for something to complain about. I really wish people with your sort of an attitude on security would revisit your basic assumptions. Security is about allowing users to do what they want with a system, and prevent things they don't want from happening, especially without their permission. Reducing functionality just means users turn off security features or move to a system where they have more functionality. If I had a dollar for every time I've seen someone at a LAN party shut off their firewall completely because it was restricting something they wanted to do and was too hard to enable just that application/behavior... well, I'd have enough cash to buy a good steak and some scotch anyway.

            • by yo_tuco (795102)
              "Honestly, it sounds to me like you're looking for something to complain about."

              No, it should be my choice what my security policy is. And I had that with 10.4. I could, with a few clicks of check box, reconfigure my policy. Now what do I get?
      • by Lars T. (470328)

        "Based on this, I'd say that several major issues with the Application Firewall have been addressed."

        So what do you do when you're at Starbucks with your PowerBook and you want to ensure that *ALL* connections are closed except TCP, ports (80, 443)?
        Then you don't use the Application Based Firewall which doesn't handle "ports".
  • by Hatta (162192) on Thursday November 15, 2007 @06:48PM (#21371519) Journal
    My biggest concern about Leopard is the bug which causes it to delete files you're moving if the destination becomes unavailable. They forgot to put in a check to see whether the move completed correctly. So it just deletes them whether it finished or not. Is this behavior fixed with this update?
    • by attemptedgoalie (634133) on Thursday November 15, 2007 @06:53PM (#21371573)

      http://docs.info.apple.com/article.html?artnum=306907 [apple.com]

      - Addresses a potential data loss issue when moving files across partitions in the Finder.
    • Re: (Score:2, Informative)

      by slyn (1111419)
      Yes. [appleinsider.com]

      It's listed under system and finder.
    • by argent (18001)
      Luckily another design flaw in OS X makes it hard to trigger this bug. Because of the single-button mouse the only way to move files from one volume to another (rather than copying them) requires you to hold down some meta-key while dragging. If you just drag the files you get a copy.
      • Re: (Score:3, Insightful)

        by arlanTLDR (1120447) *
        All apple computers now ship with two button mice, and have for a while. Just because it looks like it has only one button, doesn't mean it lacks two button functionality. Also, I can't see why it would be a flaw to have the default action of a drag and drop be a copy instead of a move. I understand that it's a flaw to delete the moved files without checking to see if the move was successful, but really you should be just copying and then manually deleting after confirming that your files moved properly.
        • by argent (18001)
          All apple computers now ship with two button mice, and have for a while.

          But the user interface is defined in terms of a single button mouse.

          I can't see why it would be a flaw to have the default action of a drag and drop be a copy instead of a move.

          The default action of a drag and drop in the situation where this flaw can occur *IS* a copy instead of a move. The only way to trigger the flaw is to hold down a meta-key while dragging.

          It's only a move when it's on the same disk, and so the underlying operation
        • by Stamen (745223) on Thursday November 15, 2007 @07:12PM (#21371785)
          Stop bringing facts into Myth propagation. Without the ability to propagate myths, what would many /. users do? You insensitive clod.

          Macs have one mouse button. Java is slow. You can't run Office on a Mac, so it's useless. Windows machines lock up every 14.5 minutes. Microsoft innovates (tm). An iPod can't play mp3s.

          / Myths are cool
          // So are slashies
          // Oh, sorry, this isn't Fark

          • by geekoid (135745)
            Java IS slow. Ask any Java programmers with experience in other languages. Of course that doesn't mean it's worth less or that it shouldn't be used.

            Java is like VB without the stigma.
            Yes, you can use that, but credit me.

            • by Stamen (745223)
              I'm not sure how you define "slow", but Java is hardly slow whether you mean performant or scalability. It has slow startup times, and uses a lot of memory, compared to c for example, but it is hardly slow at runtime tasks (these two things are irrelevant where Java is used most, which is the server). Please to be showing me the benchmarks that shows it to be slow (not from 2002).
          • All myths, indeed. Well, except that Windows machines lock up every 4.5 minutes, not 14.5.
        • by Ash Vince (602485)

          I understand that it's a flaw to delete the moved files without checking to see if the move was successful, but really you should be just copying and then manually deleting after confirming that your files moved properly.

          Are you serious?

          Moving a file is fairly basic functionality that has been in windows since the last versions of MS-DOS. It has been in unix since long before I have been using it.

          The process you describe for moving a file in your post is so basic that it should be child's play to automate and combine it into a single function.
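The copy, confirm, then delete sequence argued over in this subthread, combined into one function, as an added example that is not part of any comment and is not Apple's Finder code. `safe_move` and its helper are hypothetical names; the source file is removed only after the copy on the destination has been verified.

```python
import hashlib
import os
import shutil
import tempfile


def _sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def safe_move(src, dst_dir):
    """Move src into dst_dir; delete the source only after the copy verifies.

    Returns the final destination path. On any failure the source is left
    untouched and the partial copy is cleaned up.
    """
    final = os.path.join(dst_dir, os.path.basename(src))
    if os.path.exists(final):
        raise FileExistsError(final)
    expected = _sha256(src)
    # Copy under a temporary name in the destination directory so that a
    # half-written file never appears under the final name. If the
    # destination is unavailable this call raises and nothing is deleted.
    fd, tmp = tempfile.mkstemp(dir=dst_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            shutil.copyfileobj(inp, out)
            out.flush()
            os.fsync(out.fileno())   # push the data to the destination volume
        if _sha256(tmp) != expected:
            raise OSError("copy verification failed for " + src)
        shutil.copystat(src, tmp)    # preserve timestamps and mode bits
        os.rename(tmp, final)        # same directory, so the rename is atomic
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise                        # the source is still intact here
    os.unlink(src)                   # the only place the source is deleted
    return final
```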

          • by argent (18001)
            The process you describe for moving a file in your post is so basic that it should be child's play to automate and combine it into a single function.

            And yet the default behavior in Windows is the same as on the Mac. Funny thing, that.

            The only difference is that on Windows you can drag with a different button to change the behavior, where on the Mac you have to hold down a meta-key (which also works on Windows, by the way). This is where Apple lucked out: it's harder to accidentally trigger the bad behavior
            • You can map your right mouse button on a Mac to be the same meta-key that would MOVE instead of COPY. But then again, why would you want to make a Mac more like a PC? For that torture, I'll just boot up in PC mode.
          • If it is so wrong to default to COPY when moving files, then why does every version of Windows do it across a network? You can't stick this one solely on Mac. Hell, even if you don't like it, you can't say it isn't a well thought-out design element on Apple's behalf (and probably copied by Windows a few years back).
      • by djh101010 (656795) *

        Luckily another design flaw in OS X makes it hard to trigger this bug. Because of the single-button mouse the only way to move files from one volume to another (rather than copying them) requires you to hold down some meta-key while dragging. If you just drag the files you get a copy.

        1998 called, it wants its FUD back.
        • by argent (18001)
          OK, how do you drag files from one volume to another, triggering this bug, without holding down a meta-key?

          (and how is pointing out that it's a minor problem FUD?)
          • by djh101010 (656795) *

            OK, how do you drag files from one volume to another, triggering this bug, without holding down a meta-key?

            (and how is pointing out that it's a minor problem FUD?)

            Apparently, you're actually ignorant rather than lying. First for everything I guess. News to you apparently but, plug in an n-button USB mouse and for the last decade or so, It Just Works.
            • by argent (18001)
              News to you apparently but, plug in an n-button USB mouse and for the last decade or so, It Just Works.

              Yes, I know, I use a Microsoft optical mouse on my Mac.

              Now, plug in a 47 button USB mouse on your Mac. Having done that tell me how you drag files from one volume to another and thus trigger this bug using only the mouse? You can't do it. You have to deliberately hold down a meta-key on the keyboard while dragging to force OS X to MOVE rather than (as it does by default) COPY the files.
  • by Ford Prefect (8777) on Thursday November 15, 2007 @06:52PM (#21371551) Homepage
    A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken [itwire.com], and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.

    I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks' [skype.com]. Aaaargh...

    Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded [apple.com] by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues... ;-)
    • I had to re-download and install Skype, and now I have to run it with the firewall switched off.

      The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

      A computer system with no open ports is just as secure whether it's firewalled or not.
      • Not every program has the option to only listen on specific interfaces; it has to be coded into the program. You need a firewall if you want to run one of these programs without exposing it.
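A check for the distinction drawn in this subthread between services bound to loopback and services listening on every interface, as an added example that is not part of any comment. It classifies listening TCP sockets from constructed sample text laid out like `lsof -nP -iTCP -sTCP:LISTEN` output; the process names, PIDs and addresses are made up.

```python
import ipaddress

# Constructed sample in the layout of `lsof -nP -iTCP -sTCP:LISTEN`.
SAMPLE = """\
COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
cupsd    101 root    5u IPv6 0x01        0t0  TCP [::1]:631 (LISTEN)
cupsd    101 root    6u IPv4 0x02        0t0  TCP 127.0.0.1:631 (LISTEN)
sshd     220 root    3u IPv4 0x03        0t0  TCP *:22 (LISTEN)
exampled 314 alice   7u IPv4 0x04        0t0  TCP 192.0.2.10:8080 (LISTEN)
exampled 314 alice   8u IPv6 0x05        0t0  TCP *:8080 (LISTEN)
"""


def split_endpoint(name):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = name.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    """'*' means every interface, so it is never loopback-only."""
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def audit(text):
    """Return (exposed, local_only) lists of (command, host, port) tuples.

    'exposed' sockets are reachable from the network unless a packet filter
    blocks them; 'local_only' sockets are bound to loopback and need no rule.
    """
    exposed, local_only = set(), set()
    for line in text.splitlines():
        fields = line.split()
        # Data rows end in "(LISTEN)"; the header row and junk are skipped.
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, port = split_endpoint(fields[-2])
        entry = (fields[0], host, port)
        (local_only if is_loopback(host) else exposed).add(entry)
    return sorted(exposed), sorted(local_only)


if __name__ == "__main__":
    exposed, local_only = audit(SAMPLE)
    for cmd, host, port in exposed:
        print(f"EXPOSED  {cmd:10} {host}:{port}")
    for cmd, host, port in local_only:
        print(f"loopback {cmd:10} {host}:{port}")
```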
      • Re: (Score:3, Informative)

        by sqlrob (173498)
        The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

        Not all Unix systems. cf. OS X 10.5, which is a certified Unix.

        A computer system with no open ports is just as secure whether it's firewalled or not.

        Probably true on a modern system, but not a completely accurate statement. If there's flaws in the TCP stack, it doesn't
        • by Lars T. (470328)

          The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

          Not all Unix systems. cf. OS X 10.5, which is a certified Unix.

          Just fire up IPFW.
    • by dave562 (969951)
      You must have been modded redundant for posting about this in another thread. As far as I can tell, you're right on target with this one. Skype doesn't work with the new firewall.
      • You must have been modded redundant for posting about this in another thread. As far as I can tell, you're right on target with this one. Skype doesn't work with the new firewall.

        No idea about the moderation (only found the problem last night!) but the good news is that the problem appears just about fixed with 10.5.1. When the firewall is enabled, Leopard will now ask about allowing incoming connections every time Skype is started - which is an improvement on it working once, then refusing to start again.

    • by Lars T. (470328)

      A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken [itwire.com], and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.

      Actually, it's that Skype didn't update their shit for 10.5, even though Apple has told developers for months what to do. [Knock-knock] Hello Skype, anybody home?

  • by dal20402 (895630) * <dal20402@Nospam.mac.com> on Thursday November 15, 2007 @07:09PM (#21371747) Journal

    Wow. Our lovely tag trolls have been forced to go all the way back to 1986.

    I remember the endless "macs sux" ... "dos sux" ... repeat ad nauseam flamefests on BBSes. Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.

    Seriously, people, if you don't want to hear about Mac OS X, is it really that hard to turn off the Apple stories in your /. preferences?

    • Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.

      Well nothing has changed other than Macs no longer suck.
  • modes (Score:3, Interesting)

    by Anonymous Coward on Thursday November 15, 2007 @07:17PM (#21371837)
    In all honesty, why don't integrated firewalls have a basic/advanced settings mode?
    Basic is ideal for most folks, but if you're so inclined just click on the advanced tab and not only have more configuration options but also a thorough, detailed explanation of what the firewall is actually doing.

    That'd be a great feature.
  • by ickoonite (639305) on Thursday November 15, 2007 @07:25PM (#21371915) Homepage
    The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.

    Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.

    :|
  • Misleading! (Score:3, Informative)

    by ducasi (106725) on Thursday November 15, 2007 @07:26PM (#21371933) Journal
    The article blurb is misleading - the "41 security fixes" released in the Mac OS X update was part of 10.4.11.

    The three issues in the 10.5 firewall were the only security fixes for 10.5.

  • the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.
    • Re: (Score:3, Insightful)

      the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.

      I'd argue that the GUI and CLI are both standard interfaces to the firewall. A flaw where either of them incorrectly informs the user about the settings is a flaw in the firewall. I'd further argue that since the GUI is the more used interface, the flaw reflected there is more serious than a flaw in the CLI.

    • by Lars T. (470328)

      the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.

      You only got the last bit right - that is no "standard UN*X firewall".
  • Oxymoron (Score:2, Insightful)

    by osu-neko (2604)

    Hopefully you can just turn the bloody thing off.

    "Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them.

    For those of us who actually have firewalls, having the operating system muck things up with a "software firewall" is just a nuisance. For those who don't, it's a false and dangerous sense of security.

    • Re: (Score:2, Insightful)

      by Ant P. (974313)
      And how do you think that physical box works? Hard-wired transistors between the ethernet ports?
    • by rs232 (849320)
      '"Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them'

      And you only really need a firewall if you are running services on ports that you don't want visible on the Internet. And in this day and age a firewall is next to useless as so many services are being piggybacked over HTML, in order to bypass the firewall ...

      was Re:Oxymoron
  • first of all - i do not subscribe to the concept that the only secure computer is the one that's turned off, unplugged, and not getting data. That's retarded. A box firewalled to the point where nothing can come in or out might as well not be plugged in.

    now - i 100% agree that if it says "everything closed" it damn well better be.

    But it's still comforting to know that despite the legitimate problem - there was not galaxy-wide pandemonium as all the Macs running 10.5 cried out in terror. In fact, there we
    • by pev (2186)

      That's retarded. A box firewalled to the point where nothing can come in or out might as well not be plugged in.

      I guess you're not old enough to remember a time before the internet when computers were used for meaningful things then?

      ~Pev
  • In Tiger I had a bunch of drop-down options, like, say, hmmm, 'selection only' or say, duplex. This is entirely gone in Leopard for the printers that I have tried (i.e. HP 4050).

    There is an app online that can do this for you, but it seems to only be for native programs (Safari, mail, etc...). Is it just me or should those options be built into the OS?

    Everything else on Leopard has been very impressive, most of all it sped my computer up. Everything is faster, which I find very impressive for a new
    • Re: (Score:3, Informative)

      Those options are still there. When you "print" something and it brings up the window with the option to "Save as PDF", click the downward facing black on blue triangle right next to the printer name and it'll expand the window and give you all the other options like duplexing, color matching, paper handling and so on. To get those other options, select the drop-down box with the name of the application you're printing from after hitting the triangle and you'll see the rest of the options. At least, that
  • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday November 15, 2007 @10:20PM (#21373619) Homepage Journal

    I upgraded from Tiger to Leopard last week and love it, except that I can no longer use IPv6. I've triple-checked my router, address, and prefix length manual settings and they're all correct. I just can't get out of the machine at all:

    $ ping6 www.kame.net
    ping6: nodename nor servname provided, or not known
    $ ping6 2001:200:0:8002:203:47ff:fea5:3085
    ping6: UDP connect: No route to host
    $ ifconfig -a | grep inet6
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet6 ::1 prefixlen 128

    Even though I have an address and router set up, it doesn't seem to be actually configuring any interfaces to use them. Another machine on the same network has no trouble:

    $ ping6 www.kame.net
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=0 hlim=55 time=207.462 ms
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=1 hlim=55 time=206.939 ms
    16 bytes from 2001:200:0:8002:203:47ff:fea5:3085, icmp_seq=2 hlim=54 time=339.163 ms

    Even our old CRT iMac running Tiger works perfectly. Is anyone else successfully using IPv6 on Leopard? Is there some new gotcha that everyone but me knows about?
