There’s a new Cyberduck out, which I’m hoping will be less flakey than the last one. I’m downloading it now over a connection that feels slower than dialup. (Cyberduck is an open-source FTP client for Mac OS X.)
Beta of the day: QuickSilver β24 has been out for a while, but I missed it. The download is buried in their forums in accordance with QS’s current “drive potential users away” policy.
Statistic of the day: Infected Windows PCs Now Source Of 80% Of Spam (from Slashdot)
Daring Fireball reports that the latest Security Update (2004-06-07) closes the Mac hole completely. There goes our big vulnerability, and it never even got exploited. I’ll be keeping RCDefaultApp around for its handy file-type handling, but the days of running a real, leaky, hack-me-hard OS are over for my mac.
Just a few days back, Daring Fireball blogged an interesting “broken windows” theory of PC viruses and spyware:
My answer to question posed earlier — why are Windows users besieged with security exploits, while Mac users suffer none? — is that Windows is like a bad neighborhood, strewn with litter, mysterious odors, panhandlers, and untold dozens of petty annoyances. Many Windows users are simply resigned to the fact that their computers contain software that is not under their control. And if they’ll tolerate an annoying application that badgers them with pop-up ads, well, why not a spyware virus that logs every key you type, then sends them back to the creator? (That’s a real virus, by the way, Korgo, which hit Windows at the end of May and is spreading quickly.)
The Mac is like a good neighborhood, where the streets are clean and the crime rate low. You don’t need bars on your windows in a good neighborhood; you don’t need anti-virus software on the Mac.
I think the issue is even more basic than adware leading to viruses in the way that one broken window leads to many broken windows. If I were to make the broken window analogy, it would be the broken windows sold by Microsoft that lead to both adware and viruses. If you expect the OS to behave erratically - chewing up your files, popping up mysterious error messages, crashing, and requiring frequent reinstalls for no adequately explained reason - then you already have the bad neighborhood that makes adware and viruses seem natural. You didn’t watch your lovely block going bad as the crack-ho’s moved in - no, you bought a fixer-upper in the ‘hood with your eyes wide open.
That is to say, you tolerated the broken windows by paying Microsoft for them in the first place. Mac users demand a functional OS not by our postulated eternal vigilance (of which there’s neither need nor evidence) against spyware, but by buying a functional OS in the first place. We’ve moved out to the ‘burbs.
Lorem Ipsum of the day: The Motherlode can even generate Morse Code
Veronica asked me about FTP clients for the Mac. I’ve been using command line ftp since OS 10.1 - it’s free and reminds me of my misspent youth on SunOS. The first thing that sprang to mind was, of course, Transit (links are coming), but that costs money - I know because I stopped using it when my demo expired.
You never know when a new FTP client has come out (well, I do, but I’m speaking rhetorically here), so I tried Google and discovered…Pure Mac is back! Pure Mac isn’t an FTP client - it’s the ultimate index of Mac shareware. It used to be the site to visit to find Mac software, and then they stopped updating. But now it’s being revived and the FTP page is one of the ones that has already been updated.
So with the help of Pure Mac I was able to recommend - and download for myself - Cyberduck, a free FTP client for MacOS X (10.3 and above) with a very cool icon.
As long as I’m maccing, here’s a link dump:
Birthday of the day: Jerie - keep on shippin’!
According to the maker of Paranoid Android, the latest security update from Apple (2004-05-24) fixes Help but hasn’t fixed everything. Nevertheless, I was unable to get his sample malware to hack my mac. See his whitepaper on the hole for the examples.
Now that help: is fixed, I think I’ll disable afp:, ftp:, gopher:, disk:, and disks: with RCDefaultApp until I hear more definite info on the subject of protocol registration. I usually ftp from the command line and never use the other protocols. [Update:] I was wondering about telnet: and DaringFireball confirms that it’s a problem, but ssh: isn’t.
I’m sorry this mac problem has distracted me once again from my next Boston in the Third World post. I have to post my growing collection of links tomorrow, because… well, I’ll explain then.
Some timely Mac and blog links:
The celebrations have been somewhat muted, but Mac OS X now has a real, live exploit. It’s not a virus or a worm but a security flaw in Help that can be exploited by a web browser. Like the recent trojan scare, the Help bug was discovered by a nice Mac user, not an evil hacker - unless someone exploits the exploit before Apple patches it, we still won’t have made a splash in the big world of PC viral malice.
Insecure.ws has an announcement about the problem, Jay Allen has a good discussion, and macosxhints [fixed link] goes into it as well.
Here’s the short form: Help will run any AppleScript you tell it to. Most, if not all, Mac browsers will pass the help: protocol to, not surprisingly, the Help Viewer. Here’s a (harmless) example: help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt.
There has to be a script somewhere for Help to run. Where would it come from? If you have Safari set up to automatically open disk images (.dmg files) it can come from there, but unfortunately there’s also a disk: protocol that Mac browsers can use to open a remote disk image. People have advised that you turn off the auto-open option and disable the disk protocol, or alternately that you chmod 000 Help or otherwise hack the misbehaving Help program.
It sounds like the best approach is to disable the help: protocol itself. That’s all I did - I didn’t bother with disk:. I hear you can use IE to change the help protocol’s behavior, but I did it by downloading and installing the MoreInternet pref panel, opening System Preferences, and changing the helper for the help protocol. I set the protocol to open TextEdit rather than Help. TextEdit will sit there and look confused when Safari passes it a help: request, but no harm is done.
If for some reason you want to undo this change - say, when Apple patches the problem, or to test the link above like I just did - you can find Help at /System/Library/CoreServices/Help Viewer.app when MoreInternet or IE asks for your new helper application. MoreInternet makes the changes live so you don’t have to reboot or close any browsers. I can’t vouch for the IE approach.
Link of the day: Pixelpalooza winners
It’s a toasty 66° here in Boston, down from the 80’s earlier in the day. I helped Veronica install Panther on her iMac tonight - which is to say, I helped her sit around and watch Panther install itself without any problems. The hardest part of the job was turning off BrickHouse in favor of the built-in 10.3 firewall. Convincing her to use cool 10.3 software like QuickSilver, PithHelmet, and NetNewsWire wasn’t easy, either, and I forgot all about the latest version of Konfabulator (1.6).
Veronica seems to have no interest in a life of DivX crime, which is just as well since her old iMac probably isn’t speedy enough for optimal movie viewing. Her cable modem was also dropping down almost to dialup speed - not good when you have lots of updates to download.
Metaphor of the day: the Titanic, on its anniversary. (Thanks to Seema for the link.)
QuickSilver is up to Beta #22, though not much seems to have changed. You can read about it and other Launchers for Mac OS X at MacDevCenter.
But my big Mac discovery for the day is Celestia, a cross-platform 3D outer-space simulator. It’s not exactly user-friendly, but you Windows and Linux people should be used to that by now. I downloaded it for sci-fi writing purposes, though it has educational and entertainment value as well. It’s free and the documentation is linked on-site and also in the Celestia users’ forum.
As long as I’m mac-geeking, here are a few more mac links that have been piling up:
Thanks to Liz for alerting me to the first Mac trojan horse ever. The OS has made the big time, even though the virus doesn’t actually do anything and isn’t contagious either.
It’s just nice to know somebody out there cares enough to write for OS X.
Horseman of the Apocalypse: Ghost Town (also here)
So I was reading about a cool browser history browser at slashdot - TrailBlazer. I was wondering, not particularly hopefully, whether it would run on OSX. It turns out it only runs on OSX. Those of us who remember the Bad Old Days sometimes forget that Macs are now Too Cool For Words.
Trailblazer is just a toy, but everyone’s gushing over a new launcher called QuickSilver. It’s amazingly cool and absolutely free - don’t Mac without it. The documentation leaves much to be desired, but this quick tutorial will get you going. MacOS 10.3 is required.