Peeve Farm

g r o t t o 1 1

Peeve Farm
Breeding peeves for show, not just to keep as pets

  Blog \Blôg\, n. [Jrg, fr. Jrg. "Web-log".
     See {Blogger, BlogSpot, LiveJournal}.]
     A stream-of-consciousness Web journal, containing
     links, commentary, and pointless drivel.

On My Blog Menu:

InstaPundit
USS Clueless
James Lileks
Little Green Footballs
As the Apple Turns
Entropicana
Cold Fury
Capitalist Lion
Red Letter Day
Eric S. Raymond
Tal G in Jerusalem
Secular Islam
Aziz Poonawalla
Corsair the Rational Pirate
.clue

« ? Blogging Brians # »

Book Plug:

Buy it and I get
money. I think.
BSD Mall

10/6/2003 -  10/8/2003
9/29/2003 -  10/5/2003
9/22/2003 -  9/28/2003
9/15/2003 -  9/21/2003
  9/8/2003 -  9/14/2003
  9/1/2003 -   9/7/2003
8/25/2003 -  8/31/2003
8/18/2003 -  8/24/2003
8/11/2003 -  8/17/2003
  8/4/2003 -  8/10/2003
7/28/2003 -   8/3/2003
7/21/2003 -  7/27/2003
7/14/2003 -  7/20/2003
  7/7/2003 -  7/13/2003
6/30/2003 -   7/6/2003
6/23/2003 -  6/29/2003
6/16/2003 -  6/22/2003
  6/9/2003 -  6/15/2003
  6/2/2003 -   6/8/2003
5/26/2003 -   6/1/2003
5/19/2003 -  5/25/2003
5/12/2003 -  5/18/2003
  5/5/2003 -  5/11/2003
4/28/2003 -   5/4/2003
4/21/2003 -  4/27/2003
4/14/2003 -  4/20/2003
  4/7/2003 -  4/13/2003
3/31/2003 -   4/6/2003
3/24/2003 -  3/30/2003
3/17/2003 -  3/23/2003
3/10/2003 -  3/16/2003
  3/3/2003 -   3/9/2003
2/24/2003 -   3/2/2003
2/17/2003 -  2/23/2003
2/10/2003 -  2/16/2003
  2/3/2003 -   2/9/2003
1/27/2003 -   2/2/2003
1/20/2003 -  1/26/2003
1/13/2003 -  1/19/2003
  1/6/2003 -  1/12/2003
12/30/2002 -   1/5/2003
12/23/2002 - 12/29/2002
12/16/2002 - 12/22/2002
12/9/2002 - 12/15/2002
12/2/2002 -  12/8/2002
11/25/2002 -  12/1/2002
11/18/2002 - 11/24/2002
11/11/2002 - 11/17/2002
11/4/2002 - 11/10/2002
10/28/2002 -  11/3/2002
10/21/2002 - 10/27/2002
10/14/2002 - 10/20/2002
10/7/2002 - 10/13/2002
9/30/2002 -  10/6/2002
9/23/2002 -  9/29/2002
9/16/2002 -  9/22/2002
  9/9/2002 -  9/15/2002
  9/2/2002 -   9/8/2002
8/26/2002 -   9/1/2002
8/19/2002 -  8/25/2002
8/12/2002 -  8/18/2002
  8/5/2002 -  8/11/2002
7/29/2002 -   8/4/2002
7/22/2002 -  7/28/2002
7/15/2002 -  7/21/2002
  7/8/2002 -  7/14/2002
  7/1/2002 -   7/7/2002
6/24/2002 -  6/30/2002
6/17/2002 -  6/23/2002
6/10/2002 -  6/16/2002
  6/3/2002 -   6/9/2002
5/27/2002 -   6/2/2002
5/20/2002 -  5/26/2002
5/13/2002 -  5/19/2002
  5/6/2002 -  5/12/2002
4/29/2002 -   5/5/2002
4/22/2002 -  4/28/2002
4/15/2002 -  4/21/2002
  4/8/2002 -  4/14/2002
  4/1/2002 -   4/7/2002
3/25/2002 -  3/31/2002
3/18/2002 -  3/24/2002
3/11/2002 -  3/17/2002
  3/4/2002 -  3/10/2002
2/25/2002 -   3/3/2002
2/18/2002 -  2/24/2002
2/11/2002 -  2/17/2002
  2/4/2002 -  2/10/2002
1/28/2002 -   2/3/2002
1/21/2002 -  1/27/2002
1/14/2002 -  1/20/2002
  1/7/2002 -  1/13/2002
12/31/2001 -   1/6/2002
12/24/2001 - 12/30/2001
12/17/2001 - 12/23/2001

Tuesday, July 9, 2002
12:22 - But then, this rather sucks... http://www.vnunet.com/News/1133364	(top)
Hey, why be left out of the game? At least save a major security hole for us poor Mac users. The update mechanism carries out its tasks over plain old HTTP without any form of authentication. "Using well known techniques, such as DNS spoofing, or DNS cache poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple," warned Harding. DNS spoofing and cache poisoning are methods of fooling a machine into thinking that a rogue computer is legitimate. For those in the know, it is easy to carry out. The vulnerability is further compounded by the fact that Mac OSX updates are installed as root. "Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X," said Harding. Harding has released a full exploit for this vulnerability in a bid to "convince Apple that it needs, at the very least, some basic authentication in SoftwareUpdate". The package includes everything needed to impersonate the update site. Apple has not yet released any sort of patch, but is looking into the matter. Their commitment to quick turnaround on the discovery of security holes was given a good bolstering with the recent SSH patch, but this one's going to be a bit more problematic; it's not a two-day turnaround kind of thing for them to add MD5 checksums and authentication to Software Update. (To say nothing of the fact that to update Software Update to the fixed version, people are going to have to run Software Update.) TechFocus says, "Once again, I ask, who's running the show over at Apple? Wait, let me answer my own question: the moronic Jobs - fresh on the heels of his graduation from a*sclown school" ... Now, c'mon, isn't that a little bit unfair? Does he say the same things about Microsoft's security holes? There are an awful lot more of them. But even so, it seems that Software Update was written very na�vely. The only security in it is that it points to a specific DNS-based host, and DNS is hardly flaw-free. Sure, in an ideal world, it would have been fine, but... well, sometimes ideals aren't the best things in the world.