Oct 13

According to Computerworld and several other sources, a bug in Mac OS X Snow Leopard has the potential to delete all personal data from a Macintosh. CNET says that Apple has acknowledged the problem and is working on a fix. CNET also reports that “Snow Leopard has been plagued with bugs since its release, including problems with the Finder hanging or crashing, incompatibility with certain apps, and the AirPort connection dropping.”

I mention this because it’s important to note that every operating system update has issues after it’s first released. There were issues with Leopard when it was released, such as the “blue screen of death” problem. Similarly, there were problems with Vista when it first came out, and issues with Windows XP. There have been issues with Linux releases as well. Undoubtedly, Windows 7 will have its problems, too.

Apple’s software isn’t immune to bugs, including serious bugs like this one that can cause significant data loss. Having said that, it’s only fair to note that this bug isn’t widespread (in terms of the number of users affected) and that it does require the use of the Guest account, which I suspect not too many Mac owners utilize. What’s surprising, though, is that such a significant bug would have slipped past internal testing and code reviews at Apple.

Microsoft learned that offering Windows 7 for public beta testing was beneficial. I saw first-hand that issues which might have impacted my opinion of the software on initial release were corrected during the various beta versions Microsoft released. On my main HP notebook, for example, the earlier releases of Windows 7 caused a blue-screen at shutdown. (My desktop and netbook systems had no such issue.) I submitted those crash reports to Microsoft and a later beta release resolved the issue. Similarly, applications that didn’t work with earlier betas started working in the later ones. It was very clear to me that Microsoft was in fact receiving and acting on the feedback from users like me who had issues with Windows 7 during beta testing. Because so many thousands (if not millions) of people tested Windows 7 in real-world conditions during the betas, I believe Windows 7 will be a smoother transition than it might otherwise have been. (For instance, had I not been allowed to participate in the beta, the blue-screen issue with my HP notebook might not have been found until after Windows 7 hit the marketplace and LOTS of people had the problem.) Will it be a perfect, trouble-free transition? I doubt it, but I do believe it will be smoother than it might have been had Windows 7 been kept relatively secret and available only to developers who paid for a TechNet subscription.

I’d like to see Apple learn that same lesson. Would a public beta program have eliminated the problems being seen by Snow Leopard users? Would it have caught and fixed the “blue screen of death” issue in Leopard? There’s no way to really know. Maybe these are, as Apple implied in its public responses on various web sites, isolated issues that affect only a very small number of people. But if even a couple of these people had been given the chance to test a beta version of Leopard or Snow Leopard, it’s possible the problem could have been found and fixed when it affected only a single beta tester (who presumably would have expected potential problems) rather than hitting many users who actually paid for the software.

To be fair, Apple does beta test OS X releases. However, beta testing is generally limited to software and peripheral developers who have a paid development kit subscription and non-disclosure agreement with Apple. While it is quite reasonable and logical to expect third-party developers to report bugs in OS X that affect their products or which affect basic OS X usage, it’s not reasonable to suggest that these same people will catch the bugs a typical end user will see. End users will hit parts of OS X that developers have no need to touch. They’ll load OS X on systems that contain components and peripherals that developers (and even Apple’s own testers) may not have access to. Thus, it seems only logical for Apple to have some kind of public beta testing to catch the sort of things developers and Apple itself might miss. Unfortunately, such a program would potentially “spill the beans” about upcoming OS X features since beta testers would undoubtedly share information with others. While Apple might argue that this could hurt their sales by leaking feature data to the public ahead of release dates, public beta testing doesn’t seem to have affected the sales of Windows 7 so far. About the only way I can see it hurting Apple is if they pull a feature out of OS X between the beta and the final release, but even that could be “spun” as a way of protecting Apple customers from features that showed significant problems during testing. They’ve had to do that before.

Jun 15

About nine months ago, a security flaw was found in the Java Virtual Machine. The flaw allowed a malicious Java applet to execute arbitrary (read “unauthorized”) programs on your computer. This flaw affected all implementations of Java, including that on Windows, Linux, and of course Mac OS X. Because the implementations of Java for the “non-Macintosh” platforms come from Sun Microsystems, they were all fixed relatively quickly. The Mac version was finally fixed this week by Apple.

In the earliest days of Mac OS X, Apple bragged openly about how OS X would be a premier platform for Java. Just to show their commitment to Java, Apple penned an agreement with Sun Microsystems that prevents Sun from creating a Mac version of Java. Under the agreement, only Apple can release Java for OS X.

Apple having control of Java development for Mac OS X could actually be a good thing in some ways. For example, since it’s treated as an operating system component in OS X, Apple could be tweaking and tuning Java so that it performs optimally on their hardware and operating system. And, if Apple was keeping close tabs on Java security and patching its version quickly, Mac users would have the best of both worlds… a secure Java implementation that performs well on their OS and hardware. Unfortunately, this hasn’t been the reality – at least not for a while. As MacWorld’s Dan Moren reported back in May, “Apple should be more aggressive on security, rather than resting on the laurels of its safety record. That way, if an attack does come, the company won’t be caught with its virtual pants down.”

May 21

When Apple introduced OS X in 2000, Steve Jobs announced that it would be one of the best platforms for developing Java applications. Apple was so committed to Java that it signed an agreement with Sun saying that Apple would handle all Java development for the Mac OS X platform, forbidding Sun to produce a Mac version of the popular language. At the 2006 WWDC, Apple claimed it was following Sun’s Java releases “very closely” with its own version. A year later, Jobs publicly derided Java as a platform that was no longer significant because it was bloated and no one used it anymore. (I guess that’s why “only” 3,000 people attended the Devoxx Java conference last year, 1100 attended one specific session at Java One 2008, etc. By comparison, 5200 attended Apple’s WWDC in 2008 and that covers more than just one subject area.) Today, the version of Java available in OS X is quite a bit behind the version available for other platforms. Still, Apple keeps its agreement in place that restricts Sun from providing a more current version for the platform. A consequence of this “about face” by Apple on Java is that Mac users are far more vulnerable to Java security issues than users of other platforms. A recent Slashdot post indicates that Macs are vulnerable to a 6-month-old Java flaw that has been patched on other platforms.

Java is still quite relevant today. My ISP uses it for some control panel functions. Popular game site “pogo.com” makes extensive use of Java. The OpenOffice.org suite uses Java. Lots of other applications use Java. I don’t have the figures to back this up, but I wouldn’t be surprised if as many people develop Java applications as develop Mac applications. It’s far from something “nobody uses anymore”. Just check the job ads. Java programmers are still in demand.

Even assuming I’m wrong and “nobody” uses Java today, why does Apple keep the Java development agreement in place that prevents Sun from releasing Java for the Mac? Why not terminate that agreement and let Sun’s developers “waste their time” developing Java for the Mac rather than using Apple engineers’ time to maintain something “nobody” uses? Is it that important for Apple to control everything associated with its products? Maybe it’s time for Apple to practice some of that “think different” stuff and let go of Java…

Apr 07

ZDNet’s Ryan Naraine posted the text of an interview with computer security researcher Charlie Miller, the guy who broke into a fully-patched Apple MacBook using a Safari exploit at the CanSecWest security conference during its “Pwn2Own” challenge.

When asked about the vulnerability used at CanSecWest, Miller indicated that he was under a non-disclosure agreement and couldn’t say much, but that “It was an exploit against Safari 4 and it also works on Safari 3.” Miller doesn’t know if it works on Safari for Windows.

Underscoring the fact that security exploitation, including the writing of viruses, worms, Trojans, etc., is much more a business now than ever before, Miller says that he never gives the bugs he finds away free. “I have a new campaign,” he says, “It’s called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there’s value to this work. No more free bugs.”

When asked why he didn’t go after Internet Explorer or Firefox, Miller said “It’s really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don’t do. Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows. It’s more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn’t have anti-exploit stuff built into it.”

When asked about the relative ease of exploiting a system, Miller said that “For all the browsers on operating systems, the hardest target is Firefox on Windows. With Firefox on Mac OS X, you can do whatever you want. There’s nothing in the Mac operating system that will stop you.”

Regardless, every browser and every operating system has flaws. Most Windows users recognize this and employ firewalls, antivirus software, etc., to help mitigate the threat. Linux users also typically employ tools to protect themselves from attack. Mac users, by and large, seem to have bought into an idea that OS X is virtually impenetrable to attack and for the most part do not take extra steps to protect themselves. Are they right, or are they inviting an inevitable attack? Only time will tell.

Apr 07

According to CNET, after promising minimal changes to the look and feel of Mac OS X in the upcoming Snow Leopard release, Apple is rumored to be making some visible changes after all. According to AppleInsider, Apple is preparing for a significant user interface overhaul in Snow Leopard.

AppleInsider reports that “Among the changes under consideration for the new build is a striking overhaul to the Mac OS X user interface, which is expected to surrender its platinum theme. Apple has reportedly been working on this new interface since day one, despite public claims that Snow Leopard would forego forward-facing improvements for a focus strictly on under-the-hood enhancements.”

The pictures of the rumored interface changes on AppleInsider are reminiscent of a cross between Windows Vista and Mac OS X. The images show the familiar “lickable” OS X buttons but window frames that are black, similar to the Windows Vista task bar. The new GUI is also expected to draw elements from the iPhone user interface.

Apr 06

According to InformationWeek’s Thomas Claburn, proof-of-concept exploit code has been posted online for six kernel vulnerabilities, five of which affect Apple’s Mac OS X 10.5.6, the most current version of the operating system, and are unpatched.

Neil Kettle of Convergent Network Solutions said that they published the exploit code because “We wanted to show how easy it still is to break production kernels in well-used operating systems.” The vulnerabilities, according to the CTO of Panda Security, “demonstrate the code can take control of a machine, either via creating a privilege escalation modifying the users or launching DoS (Denial of Service) local attacks” against the Mac. The code has the ability to create a new system volume, call some OS functions, change the User ID, and so on, without administrative privileges.

The first of the bugs, it is said, would actually allow for remote exploitation of the OS X kernel “if Apple’s AppleTalk implementation was actually *correct* and did not contain a rather simple development bug”.

Another, the “fifth” in the list, “exploits a local arbitrary kernel memory overwrite in the HFS IOCTL handler. The vulnerability is a little under four years old, and is present in all versions of Mac OS X Tiger and Leopard (and Snow Leopard betas), that is, OS X >= 10.4.0.” This particular bug allows “arbitrary code” (think “a virus or worm”) to run with kernel level privileges (meaning it has virtually unlimited access to the system).

“There is much less malware for the Apple Mac than there is for Windows, but that doesn’t mean that Apple fans can hide their head in the sand like ostriches. Mac users are no different [than] Windows users when it comes to falling for social engineering tricks like this,” according to a senior technology consultant for Sophos.

If you browse the mainstream media sites long enough, you’ll inevitably read about a security flaw in Windows which leads to a Mac user declaring that such flaws don’t exist in OS X, that the Mac’s built-in security will stop any exploit dead in its tracks, etc. That’s simply not the case. All operating systems have flaws, OS X included. Some percentage of those flaws can be exploited to gain control of the machine. As InformationWeek reports:

“…while there is malware for the Mac, such as the Trojan identified by Sophos, such code isn’t likely to have a significant impact until Mac market share reaches 15%, which isn’t that far away… hacking is a business and… the focus remains on Windows vulnerabilities, at least for the time being.”

Apr 06

In the past, we’ve detailed on this site how you can set yourself up as the administrator of any Macintosh to which you have keyboard access. This basically boils down to starting the machine in Single-User Mode and fooling it into thinking that Apple’s OS X setup hasn’t been completed yet by deleting a file named “.AppleSetupDone”. The account it helpfully creates for you on the next reboot will have administrator privileges on the machine, giving you full control.

The helpful folks over at Macworld have provided an even easier method, provided you have access to the machine’s keyboard, mouse, and optical drive (and that the firmware isn’t password protected). Their method:

  1. Boot the machine from its installer disc.
  2. Choose a language and then click the “continue” arrow.
  3. When the “Welcome” screen appears, wait for the menu bar to materialize and choose “Reset Password” from the “Utilities” menu.
  4. In the menu, choose the user whose password you want to reset.
  5. Enter and confirm a new password in the appropriate fields and click Save to make the change.

The above method reportedly does not reset the login keychain password. This will retain the old password.

Mar 08

According to the Free Trader Beowulf blog, there is a flaw in Mac OS X Leopard’s handling of Microsoft Windows Active Directory accounts that results in some users being granted root access upon login, even though they had no special privileges on Windows (and should not have any on OS X).

The details for reproducing the error are provided on the blog as they were reported to Apple.

Although blogger Charles Profitt says that this isn’t a critical bug, it does seem like a pretty big mistake on Apple’s part to grant root access to normal users when it’s not appropriate.

Mar 08

I’ve covered this before, but not in quite this detail. As an iPod Touch owner, I find it very inappropriate that Apple blocks App Store availability for applications that it deems “offensive” or “competitive” with its own plans for the device. If you’re one of the people who defend their position, perhaps another look at the situation could help you see my point.

The iPhone is essentially a portable computer running a stripped-down variant of Mac OS X. Let’s imagine for a moment that Apple had instituted an App Store when it launched OS X. Let’s further imagine that Apple had exercised the same kinds of restrictions on its Mac App Store (hereafter “MAS”) that it currently uses to judge iPhone applications. What might the Mac software landscape look like?

  • Safari: Since Apple provides a web browser with OS X, it would block from the MAS competing browsers like Firefox, Opera, Camino, etc.
  • iPhoto and Aperture: Say goodbye to Adobe Photoshop, since it competes with these.
  • iTunes: Say goodbye to VLC and other media players for the Mac.
  • QuickTime: It’s a video codec, and an Apple product, meaning all other video codecs out there would be competitive and therefore eliminated.
  • iWork: Say goodbye to Microsoft Office, OpenOffice.org, and any other office productivity suite.
  • Boot Camp: Parallels and VMWare Fusion compete with this, so they’re blocked.
  • Final Cut: This is your only video editing option aside from iMovie.
  • Preview and OS X: These provide PDF viewing and generation functionality, so there’s no need for the competitive Adobe Acrobat products.
  • iWeb: Adobe Dreamweaver competes with this, so it’s banned.
  • Stuffit: There are built-in file compression tools in OS X (tar, gzip, etc.) so this app gets blocked.
  • Games: Depending on how broadly you define “offensive”, many action games would get blocked because of excessive violence, profanity, sexual content, etc.

These are just a few examples. Remember, in this scenario we’re assuming that you can’t install an application on the Macintosh except through the Mac App Store. If Apple bans an app from the MAS, it’s no longer an option for you unless you “jailbreak” your Mac and run the risk of “bricking” it.

In other words, many of the third-party applications that Mac users love and rely on wouldn’t exist on the Mac if Apple exercised the same tight control of that platform that it does of the iPhone.

Mar 08

I read an interesting article today on the EdTechDev web site entitled “Don’t Use Mac OS X as a Server” by Doug Holton. This January 31, 2009, piece explains why Apple’s operating system makes a poor web server. Holton’s reasoning includes:

  • Apple excludes a lot of popular PHP modules from its OS X build. Adding these is “tricky” and requires recompiling PHP.
  • Cron tasks can stop working after a reboot, a claim he backs up with a story and workaround. (I’ll admit that I never noticed this in my Mac admin days, but I also didn’t monitor it exhaustively.)
  • LDAP isn’t standard on the Mac and doesn’t work with the php-ldap module used by many apps.
  • Apple uses non-standard locations for standard configuration files, and uses cryptic XML files for many of its configuration details.
  • Macs are usually “way behind” with respect to Java. Steve Jobs reportedly disavowed Java a few years after marketing OS X as “the premier Java development platform”.
  • Macs leave behind a bunch of redundantly named files starting with a period when copying to other platforms.

Holton recommends Linux over OS X for web servers. That linked article, written by Johannes Truschnigg, says that the Mac lacks proper package management, that default configurations of popular software are awkward, and that OS X is “going astray from the ‘one true way’ of UNIX.” Truschnigg does say that he likes OS X’s “Postfix” mail transfer agent and its manual pages.

Mar 03

While Apple is busy thinking up “pretty interesting ideas” for a netbook, the hacker community is busy figuring out how to get Mac OS X running on currently-available netbooks from MSI, Lenovo, Dell, etc. In fact, the BoingBoing.net Gadgets blog posted a chart back in December 2008 showing the compatibility of various netbooks with the cracked version of Mac OS X Leopard:

The interesting surprise here is the Dell Inspiron Mini 9, which apparently works well with Mac OS X Leopard. The Mini 9 can be purchased in the $249 to $412 range as of this writing, making it a very inexpensive (new) Hackintosh.

Interestingly, the netbook I personally use (the Asus Eee PC 1000H) also made the list, with only the Ethernet and audio not working. Checking the link provided in the table, I find on the eNik blog that “sound is now partially working” and that with an “inexpensive MacBook Air USB to Ethernet Adaptor” you could even get Ethernet going. However, looking at the detailed steps on this blog, I’m not crazy about the idea of flashing the machine with a BIOS that’s been modified by someone I don’t know. I’m also, of course, not crazy about the idea of potentially finding myself in the same legal boat as the folks from Psystar… though I’ve never heard of Apple suing individuals for running a Hackintosh.

Feb 23

Adam Fisher-Cox of AppleTell posted “The Finder Is An Idiot” on February 15, 2009, in which he details the reasons why the OS X Finder (file browser) is frustrating to use. Specifically, his complaints are:

  1. The Path Bar should be spring-loaded like other Finder folder icons.
  2. There’s no “sticky move” feature to pick up a file in one place and put it down in another.
  3. Undesirable window size changes.
  4. Files get stuck in the trash can because they’re “in use” without any indication of what’s using them.

Some of the above are issues with Windows as well. I’m thinking specifically of 3 and 4. Item 2, at least as I understand the explanation of it, isn’t a problem on Windows. Right-click and drag a file in Windows, or cut and paste, lets you pick up a file and put it down where you want it.

I do share his frustration with the trash can in OS X and the recycle bin in Windows. In either case, I think the OS should allow you to see what has the file open and give you the option to delete it anyway. Several times Windows or OS X will tell me that a file is “in use” when I can’t identify what process might have it in use. I suspect the same is true of OS X, but on Windows there are some third-party tools (even free ones) that help with this, though I agree with Fisher-Cox that this really ought to be a feature of any modern OS and shouldn’t require a third-party tool.

Feb 18

According to a post on Slashdot, Apple has released an update to Mac OS X that breaks the extremely popular Perl programming language. The Slashdot post says that Apple’s update includes mis-matched versions of the Perl IO.bundle and IO.pm. Perhaps almost as bad, the version they’re updating to was released back in 2006, providing additional evidence to back up what security experts have said for years – that Apple is slow to update the open source components in Mac OS X.

Feb 12

Although Apple would like to convey the image of OS X as a sort of impenetrable fortress, the reality of the situation is that OS X has security bugs just like any other software product. The OS X update Apple released today contains fixes for more than two dozen vulnerabilities, including holes in Safari, AFP Server, CoreText, X11, and Remote Apple Events. According to an article on CNET, these vulnerabilities could lead to arbitrary code execution (meaning a hacker could run any desired program on the compromised system) and disclosure of sensitive information.

Feb 12

According to CNet’s Tom Krazit, Apple has withdrawn a software update that was supposed to resolve graphics issues with MacBooks, but “apparently failed to solve many of the problems.”

We point this incident out for a few reasons. It’s a common misconception that Microsoft issues patches that don’t fix problems, while Apple’s (as the advertising goes) “just work”. Here is a perfect example of Apple issuing a patch that doesn’t seem to solve the problem and which (judging from the fact that they’re pulling it from the web site) may even cause other problems. If you’re a potential switcher who thinks bad patches are just a “Microsoft problem” that you’re going to get away from by going to the Mac, you’re mistaken. Programmers and engineers, no matter who they work for, can and do make mistakes… that includes the ones in Cupertino.

This story seems to indicate that with Steve Jobs more in the background, Apple is more willing to admit mistakes. That’s a good sign. Instead of continuing to distribute a patch that isn’t resolving many problems (reportedly), encouraging many people to apply a “fix” that “doesn’t”, Apple is doing the responsible thing and withdrawing it until the problems are resolved.

Finally, this incident shows Apple still needs to do a better job testing its software, including patches. It only took days after release for message boards (according to Krazit) to fill up with complaints that “the update didn’t seem to fix the problem for everyone and in some cases, made the problem worse.” It seems unlikely that a well-tested update would get this kind of feedback that quickly.

Feb 09

According to an article on The Register, "A computer security researcher has discovered a new way to inject hostile code directly into the memory of machines running Apple’s OS X operating system, a technique that makes it significantly harder for investigators to detect Mac attacks using today’s forensic practices."

This new attack method allows software to be installed on a Mac without leaving traces of the attack code or other signs that the machine has been compromised.  The author suggests that it’s only a matter of time until malware developers begin using this attack in the wild.  The researchers are in the process of extending the technique to the iPhone operating system.

Feb 09

According to an article on The Register:

Less than a week after researchers spotted new malware targeting naïve Mac users, two additional titles have been spotted. 

Security mavens at Mac antivirus provider Intego say Trojan-horse software dubbed OSX.Trojan.iServices.B hitches a ride on pirated copies of Adobe PhotoShop Cs4 for Mac that are being distributed in warez channels.  A program used to generate a valid serial number to unlock the Adobe app installs a backdoor on machines that makes them part of a botnet. 

The discovery comes four days after Intego warned of a Trojan that piggybacked off illicit copies of Apple’s iWork 09 productivity suite.

While users who purchase legitimate copies of iWork 09 or Adobe PhotoShop CS4 have nothing at all to fear from the malware packed with these pirated versions, it does call to mind the recent incident where an Apple employee posted a recommendation that Mac users install antivirus software, only for the company to pull that recommendation a short time later.  (Apple claimed the recommendation was pulled because it was “old information” and that Macs contain protection “out of the box”.)

As Apple’s products grow in popularity, they become a bigger and more lucrative target for malware writers and botnet operators.  While it’s too soon yet to say that these two incidents indicate a “rising tide” of Mac malware, if I was a Mac user I would definitely invest in some antivirus software.  Even though I wouldn’t pirate Mac software, I couldn’t be sure that people I exchanged files with hadn’t come into contact with malware like this.

Dec 16

According to BetaNews, Apple’s Mac OS X 10.5.6 Update is causing a rash of complaints among the Mac user community. To quote BetaNews, “The blue screen has typically been the unofficial Windows logo, at least in and around Macintosh circles. But this morning, users of Mac OS X have been reporting a number of problems, most of which fall into the same category, and some of which are leaving users’ computers booting up with nothing on their screens but a field of blue.”

It’s said that one business reported a simultaneous hang in all seven of its Macs using the 10.5.6 updater. BetaNews also says that “Many users since yesterday have been reporting permissions failures in [Time Machine]”, and others are getting USB power errors depending on the order in which their USB devices are chained to the PC.

The commentary below the article contains the usual array of Mac support and attack flaming, with some useful observations and information available here and there if you’re willing to sift through the “battle text” to get to it.

While I generally advise caution in applying ANY vendor’s OS updates too soon after release, Apple seems to be making a habit out of “blue screen” type errors with Leopard updates since its release, so I would encourage a little extra caution any time they bump up the version number.

Dec 16

The author of The Lame Leopard blog (which has as its tagline “Add new bugs to your Mac”) is continuing to lament the problems experienced since purchasing a new MacBook Pro with Leopard.  The biggest recurring problem experienced is that the machine’s wake/sleep functionality doesn’t seem to work properly.  For example, in a recently cited experience of the problem, we’re told:

(After having closed the lid while going to make some coffee.) “Now I’m back and open the MBP and the screen stays dark.  The white power LED did turn off. There is no way to get the screen back on. Only a reboot works. I lose my workspace and some open files. Lame. What is this? Some Wintel piece of crap?”

As I often do when I read something on The Lame Leopard, I can feel the writer’s pain and frustration coming through the article.  This is a relatively new laptop, running virtually no strange software, and yet a seemingly simple function like wake/sleep isn’t working properly, leading to lost data.

With my Asus netbook, I make a fair amount of use of wake/sleep and hibernation with both Windows XP Pro and Ubuntu Linux.  I’ve yet to see a problem like the one being described here. I’m not saying that it won’t ever, or couldn’t ever, happen.  I’m sure people can and do have problems with it.  I’ve just never seen it be as problematic as it is for this blogger. 

If you’re thinking about buying a new MacBook Pro and move about a lot with it, and the possibility of data lost to wake/sleep problems is intolerable to you, you may want to rethink that purchase.  The Lame Leopard has experienced quite a bit of trouble with wake/sleep functionality not just on this new MacBook Pro but previous models running Leopard.  And according to at least one commenter, it’s “quite a widespread issue in Leopard” based on “a web search”… for what that’s worth.

Nov 19

According to CNet, an Apple executive was quoted at a UNIX conference as saying that OS X Snow Leopard 10.6 would be released in the first quarter of 2009.  The author of the CNet article goes on to suggest that “first quarter” might actually mean the MacWorld conference on January 5, 2009.  After having to delay 10.5 for iPhone work, I doubt Apple will openly declare a precise release date for Snow Leopard yet, but it wouldn’t surprise me if they at least announce a release date at MacWorld.  The real question is, if Apple delivers on its promise to include mostly “fixes” in Snow Leopard and no significant new features, will people bother to buy it?

Nov 12

In the security world, there are two kinds of threats that IT departments protect against. One threat comes from outside the company, when a malicious email message, virus, trojan, worm, or hacker tries to breach the company’s defenses and get at your systems and data. It’s clear from Apple’s actions that it understands this kind of threat and takes it seriously, as it should. 

Another, in some ways more dangerous, threat comes from the individuals inside your company. Depending on your security precautions, insiders can represent a more serious threat because they come in behind your firewall and perimeter security. They can (accidentally or intentionally) bring in a virus-infected disc, (if they have permission) disable security precautions like firewalls and antivirus, visit malicious web sites, etc. That’s why most companies limit the level of access employees have to their computer systems. The typical employee in most companies can’t install software, turn off antivirus, disable the firewall, or do anything else deemed “dangerous” by the IT security people. In OS X terms, most users aren’t administrators or “root” on their own Macs. It’s this kind of security that Apple, and the occasional third-party Mac software vendor, doesn’t quite “get”. Allow me to illustrate with a real-world example from the Washington Post.

Back in June of this year (yes, I know I’m going back a bit, but this example just landed in my mailbox today so it’s new to me), a significant vulnerability was discovered in Mac OS X 10.5 (Leopard). To exploit this flaw, all an attacker needs is access to a Mac’s command line interface. With said access, the attacker can enter a relatively simple command that tells the Apple Remote Desktop Agent to run an AppleScript. That AppleScript will run as “root” (super-administrator) and be able to do anything you can do with AppleScript. In other words, it gives anyone with physical access to the machine the virtual “keys to the kingdom”.

Best practice in corporate IT security dictates that you give a user the minimum level of security permission they need in order to do their job. For some users, that’s the ability to log in and run programs, for others it might include installing software, and for a select few, complete access. By not giving everyone the keys to the kingdom, you’re better able to prevent the spread of malware, protect confidential data, and ensure the integrity of business processes. In most environments, there is more potential for an authorized user (independent of their security privileges) to intentionally or unintentionally harm corporate systems than an outsider, so this kind of security is in many ways even more important than firewalls and perimeter security.

When contacted about the vulnerability, Apple told users it was “not a cause for concern.” If it’s not a cause for concern when anyone can bypass all the operating system’s security features, then what exactly IS a cause for concern? This is what I mean when I say that Apple doesn’t quite “get” security. They respond well enough, albeit sometimes a bit slowly, when a flaw can lead to remote attacks on a Mac, but their response to “elevation of privilege” attacks shows that they don’t see the bigger picture. Columnists talk about how Apple and the Mac aren’t ready for a starring role in enterprise computing. This is a part of what they mean.

If Apple wants to continue being a niche player in the market, focusing on consumer computing and digital arts, then it can afford to be a little lax about “threats from inside”. But if it really wants to have an effective presence in the corporate world, it needs to step up its game. Say what you will about Microsoft’s security problems, but they understand the importance of both kinds of threats and don’t downplay the concerns of their corporate customers. As Ryan Naraine said in the ZDNet article linked above, “hip and cool can only take you so far in the enterprise.”

Oct 21

We speculated a while back that one thing Apple could do to destroy the lawsuit filed against them by Psystar would be to release a “full” OS X license that could be installed on third-party hardware, at a price above the current $129 licenses and (ideally) in line with Microsoft Windows licensing at the higher end.  There’s some talk in the media that Apple might do away with the Mac Mini at its upcoming desktop product launch. 

How does the demise of the Mac Mini imply the possibility of licensing the Mac OS for non-Apple hardware?  Consider what CNet.com says was the point of the Mini in Apple’s product line: “The Mac Mini was an experiment in affordability and minimalism on Apple’s part back in 2005. The small desktop was initially a hit with critics and consumers, but as the world’s PC preferences tilted strongly in favor of notebooks over the last several years, Apple spent more time updating and promoting the MacBook and iMac all-in-one desktops than the cute little cube…[snip]… It would, however, eliminate the cheapest Mac from Apple’s arsenal, raising the starting price of (officially, at least) entering the Mac OS X universe to $999. Analysts have been a little worried that the Mac is expensive in the midst of this year’s economic turmoil”.

So, by dropping the Mini, Apple raises a barrier to entry for potential Mac switchers.  Instead of being able to acquire a Mini for $600 and use existing peripherals to enter the Mac world cheaply, users would have to move to the $999 MacBooks.  If Apple wants to still be able to service those folks who can’t spend the $999 for a MacBook, releasing a “full” OS X license for use on third party hardware (at say, $299) is one way they could fill the void they’re leaving by dropping the Mini.  If a Psystar-type company wants to produce Mac clones, Apple can let them do so, while sitting back and collecting $299 on each one sold without having to do more than burn a CD and stuff it into a box.  If Apple makes it clear that they’ll only provide tech support for items on a pre-defined compatibility list, they can minimize the support costs this might generate while increasing revenue.

Thus, instead of the barrier to “Mac ownership” being a $599 Mac Mini, it would now be “the hardware you probably already have” plus only $299.  It might be worth $299 to me to have a machine at the house that is able to legally run OS X… and it just might to others, too.  In any case, it will be interesting to see if they do dump the Mini as predicted, and what they do about filling the void (if anything).

I can already see the commercial…

“Hi, I’m a Mac.”

“And I’m a PC. Say, what do you have there, Mac?”

“It’s a full license for OS X. I got it as a present for you.”

“For me? You shouldn’t have… I didn’t get you anything.”

“Go ahead, try it on.”

[screen fades, comes back, PC and Mac are either both the same guy, or both dressed alike]

“Hello, I’m a Mac.”

“…and so am I…”

[this would be followed by information about how you can now buy Mac OS X and legally use it on non-Apple hardware. to see if yours is compatible, go to xxx web address..]

Imagine the uproar in Redmond after seeing that commercial.  Even I am forced to admit it would definitely trump anything I can imagine Microsoft coming up with, and in time for the holidays, no less…  I think I’d pay to see that.  And it could explain why Apple has never really gone after the OSx86 site for running OS X on non-Apple hardware… they were using them as market research and a source for their compatibility list…

Oct 18

A recent visitor to this site posted an article on his own blog criticizing my suggestion that it might be easier to find and install an application on Linux than OS X, and that Apple will likely build an App Store into OS X after their success with the store on the iPhone. I feel the need to respond to that reader’s comments.

In terms of the actual installation, if you already have the app in your possession (i.e., you’ve got a CD in hand or you’ve downloaded it off the web), then the critic may be right… it all depends on whether the Mac app in question is a “drag install” (which most are) or whether it has an actual “installer” (which is less common on OS X)… and what form the distribution of the Linux app happens to take.  If the Mac app is a drag install and the Linux app is only distributed as source code, then the critic is absolutely right, hands down, and I don’t argue with him.  But if we’re talking about the entire process from determining you need an application to the point of launching that application for the first time, I would argue that (on Ubuntu at least) it’s easier than on OS X in many cases to install a Linux application.

Let’s take the perspective of a prospective “switcher” from Windows (or Mac for that matter) to the Ubuntu distribution.  Let’s say that our hypothetical switcher wants to use a drawing program but doesn’t know what’s available for the platform they’re using now.  Starting from their newly-acquired computer’s desktop, what’s the process like on Ubuntu (the distro I happen to be most familiar with)?

First, the user might look under the Application menu to see what’s already there.  Let’s assume our user has done that and hasn’t found something they like.  (Note that by default, OpenOffice’s Draw program appears in the Ubuntu app menu. If the user liked that, they’d be done already.) 

The user sees the “Add/Remove…” option and decides to look there to see if they might be able to find the application they’re looking for:

Ubuntu brings up the Add/Remove Programs application for the user:

The user could browse down to the graphics section to look at what’s available, but let’s say they want to do a search instead. They’re looking for a drawing program, so they search on the word “drawing”:

Note that the user has a number of application options available at this point. The applications already installed on the system appear with checkboxes next to their names, telling the user that they’re already installed. In this example, let’s assume the user likes the sound of the “Inkscape” drawing tool. They checkmark its name.

The user clicks “Apply” and Ubuntu confirms their selection(s):

At this point, Ubuntu begins downloading the application, any libraries or other packages on which Inkscape is dependent, and installs it all without further interaction with the user. When it’s finished, it lets the user know:

The user can close out of Add/Remove programs by clicking the Close button or install additional software by clicking the “Add/Remove More Applications” button. Assume the user clicks “Close” and goes back to the Applications menu.

The user clicks on Inkscape and about a second or so later, there it is:

That’s all it took for our hypothetical switcher to Ubuntu to find a drawing program, install it, and launch it.

A review of the process reveals the following list of steps:

  1. A search of the Applications menu doesn’t reveal a suitable application.
  2. The Add/Remove applications menu option is selected.
  3. The user searches for a suitable application and selects it.
  4. The application is downloaded and installed automatically.
  5. The user navigates into the Applications menu and locates the software, perhaps adding it to the task tray or a Dock-like applet.
  6. The user launches the application and begins drawing.

This whole process takes a few minutes. If the user doesn’t like the application they’ve just acquired, they can go through the process again and have another one, or several others, in a few minutes. This little exercise has cost them nothing out of pocket.

Let’s compare that with OS X and Windows (and in this case not assume that the user is looking for Inkscape, but “a drawing program”).


Sep 25

As I recall, one of Apple’s big bragging points about Mac OS X early on was its support for the Java programming language as a core part of the OS. The unfortunate thing for Mac users is that Java on OS X isn’t the same as Java on Windows or Linux. On non-Mac platforms, the Java environment is developed and maintained by Sun Microsystems. On the Mac, Java comes from Apple and is updated at Apple’s whim.

Because Java on the Mac comes from Apple, it’s no surprise that the Mac implementation of Java is usually the last one to get security and bug fixes. Yes, I know the mantra. No one (so far) has released a serious exploit for Mac OS X in the wild so even though the Mac isn’t patched, (Mac fans believe) it’s still more secure than anything else. The fact that the Mac’s vulnerabilities haven’t been aggressively targeted by hackers to date doesn’t mean it’s any more secure than Windows Vista or one of the main Linux variants. It just happens to have been “lucky”.

But the real issue here is more than security.  Java is intended to be a cross-platform programming environment, leading to a consistent application experience regardless of the operating system and hardware you’re using.  Just as it improves the Mac “user experience” to have consistency across the Mac product line, it improves Java to have consistency across platforms.  Unfortunately, with Apple in control of Java in OS X, it’s always going to be “out of step” with Linux and Windows.  It’s the Mac users who suffer for Apple’s arrogance and need to control the implementation of Java in OS X.

Sep 19


Computerworld’s Eric Lai asks the question “Will Apple ever fully liberalize Mac OS X virtualization?”. In his article, he points out that “Over the past two years, running Windows and Windows apps virtually on Apple Inc. hardware has become a popular way for consumers to dump their PCs in favor of Mac gear. Microsoft Corp.’s liberal attitude, while hurting hardware partners such as Hewlett-Packard and Dell, has also enabled the spread of Windows to Apple’s previously inaccessible hardware. In contrast, Apple has only grudgingly allowed Mac OS X to be run on virtual machines. The regular client version of Leopard cannot be run virtually, whether on Apple’s hardware or not.”


Regardless, there are sites out there that can help Mac users virtualize OS X client in VMware Fusion, a product called DiscCloud that allows you to run Leopard on VMware, and a Parallels tool that allows OS X Server to run virtually.


