
Apple = Crapple

Discussion in 'Fred's House of Pancakes' started by boulder_bum, Sep 15, 2007.

  1. eagle33199

    eagle33199 Platinum Member

    Joined:
    Mar 2, 2006
    5,122
    268
    0
    Location:
    Minnesota
    Vehicle:
    2015 Prius v wagon
    Model:
    Two
    QUOTE (Boulder Bum @ Sep 17 2007, 02:13 AM)
    Have you called Apple and informed them of the problem? I write software too (and trust me, mine has to be a lot more perfect than yours... a failure rate of 0.001% kills people), and every piece of software has bugs in it. Give them a chance to correct the problem...

    Guess what - a camera with a memory stick in it is a device with software/firmware that can propagate viruses. A USB drive has firmware (and in some cases software) on it, and it can propagate viruses. It's not the responsibility of the device to ensure it's protected - it's the responsibility of the user. Computers aren't immune to viruses, and after the 30 day trial expires you have to go buy some software if you want continued protection. Giving ANY device the ability to act as an external hard drive or memory stick for a computer exposes it to viruses and places the device under the protection of the OS and whatever anti-virus software is installed on the computer.

    Is that really the case, though? Seems to me that if that was, then we wouldn't have so many viruses and so many millions of PCs on the botnets. I'll admit that's the general idea behind the security policies, but there are holes and ways around all that. For that, I would say every piece of software and hardware on your computer is flawed. Every single piece of it can be used to propagate and distribute viruses.

    I'll agree that the virus should have been detected before the iPods hit the shelf. However, there's no possible way to give the end user the desired look and feel of a hard drive while providing the type of security you seem to expect from a consumer device.
     
  2. vtie

    vtie New Member

    Joined:
    Apr 11, 2006
    436
    1
    0
    Location:
    Gent, Belgium
    Vehicle:
    2006 Prius
    QUOTE (FourOhFour @ Sep 17 2007, 02:09 PM)
    Personally, I don't make that distinction. Apple sells the product, they are responsible for it. They chose their manufacturers, determine the production process and the quality control. As a customer, I don't need and don't want to know these details.

    Of course, Apple may blame it internally on one of their subcontractors, and transfer any damage claims if any. But that doesn't change my relation as a customer towards them.
     
  3. boulder_bum

    boulder_bum Senior Member

    Joined:
    Mar 11, 2007
    1,371
    38
    0
    Location:
    Castle Rock, CO
    Vehicle:
    2007 Prius
    QUOTE (eagle33199 @ Sep 17 2007, 07:51 AM)
    I am, though they haven't gotten back to me after I sent in a support ticket. :angry:

    QUOTE (eagle33199 @ Sep 17 2007, 07:51 AM)
    I strongly disagree. You should never rely on the user to uphold the security of a system, you should prevent the user from having the ability to break anything. "It's a training issue" is an excuse for sloppy design.

    From IBM security principles whitepaper:


    QUOTE (eagle33199 @ Sep 17 2007, 07:51 AM)
    The problem is not that software can't be secured, it's that most programmers don't code securely. Hardly anyone uses AppDomains and security zones, for example, even when they might be applicable, and I can't count the number of times I've seen "senior" software engineers using concatenated ad-hoc SQL with no regard for things like injection vulnerabilities.

    I'd agree that software quality is lacking nowadays, however (you should hear me rail on the problems with SharePoint).

    QUOTE (vtie @ Sep 17 2007, 08:00 AM)
    I concur. It's like Fisher Price with its lead-based paint on toys. The correct thing to do is not to point fingers at the manufacturers a parent company hired, but to make the parent company own the mistake and work for the prevention of any future mistakes.
     
  4. eagle33199

    eagle33199 Platinum Member

    Yes, software can be secured... but that often comes at the price of opening up the system to potential problems. Ultimate security (in today's age): Unplug from the internet. However, people aren't willing to do that. So you plug in. Let's say you've got a good firewall, and configure it to only allow access to certain ports. You're still vulnerable on those ports - at least more so than you were. And I would challenge you to find ANY piece of software that can't be tricked if someone tried hard enough.

    The simple fact is that any device that is connected to your computer is going to rely on you (or the software you have on your system) to keep it secure. If you want your iPod to act like a hard drive, then it HAS to be open to writing to it - that means that you can open a document and save it there straight from Word, Adobe, whatever. There simply is NO user-acceptable way to get around that.

    You have to realize that, despite what us programmers may want to do, the systems are designed for the end user. You have to give the user what they want in the way they want it, and sometimes that means leaving some of your security in the hands of others. Otherwise your system will be so locked down it would take someone with our skill levels to do so much as create a text document.
     
  5. hyo silver

    hyo silver Awaaaaay

    Joined:
    Mar 2, 2005
    15,232
    1,562
    0
    Location:
    off into the sunset
    Vehicle:
    2004 Prius
    Model:
    N/A
    QUOTE (eagle33199 @ 2007 09 17 14:32)
    Done. One PC with all the client's data, no internet. For everything else, there's Apple. Still not perfect, I know, but the risk is minimal in comparison.
     
  6. boulder_bum

    boulder_bum Senior Member

    QUOTE (eagle33199 @ Sep 17 2007, 03:32 PM)
    Well, I think you're presenting a bit of a false dilemma. It isn't correct to say that software needs to be insecure or it will be completely unusable. I think you'll agree there is a balance, and it's this balance that "the principle of least privilege" addresses. A system should allow just enough functionality to perform its purpose, but no more.

    Case in point, one of Microsoft's biggest sources of security problems is that they sometimes try to pack too much power into their products. ActiveX controls, for example, gave web applications carte blanche to wreak havoc on a user's computer, where web applications should have had far fewer privileges. The result is a myriad of exploits and viruses launched by ActiveX controls that many users loaded onto their system without knowing what they were doing.

    That's why IE now has about four prompts and warnings before the user downloads a control.

    In contrast, Java's web client technology tried to "sandbox" itself to limit the potential damage caused by web-based Applets (though people still found vulnerabilities).

    In the case of the virus the Apple hardware spread, the player's purpose was to store, play, and transfer content by synching to another computer. Ideally, it will be designed in a way to enable this capability, but not to, say, propagate a virus when you plug the device into the computer.

    How? Well, for the sake of argument let's say that the virus propagates itself by loading an autorun.inf file to a drive so that merely plugging it in runs a program that copies the virus to a host. For an iPod, adding or changing that file may affect the operation of the device, so reasonable countermeasures should be in place to prevent such an exploit if the product was designed with security in mind.

    Likewise, perhaps it's reasonable to suggest that the copying of data to and from the iPod should be relegated only to approved processes/users like iTunes running under an authenticated user's credentials. In that case, there are ways to protect the file system to ensure such integrity.

    The actual approach and implementation depends on the goals and requirements for the system, but the point is that responsible design can address the security without any unwelcome imposition or inconvenience for the user.
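
Added example, not part of the original post or of any vendor's code: the autorun.inf scenario posed in the post above, checked from the host side. The sketch lists what a mounted volume's autorun.inf asks the host to launch and which executables sit in the volume root; the function names, the extension list and the sample files are assumptions constructed for illustration.

```python
import configparser
from pathlib import Path

# Extensions Windows executes directly; a music player's disk root rarely needs any.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# autorun.inf keys that name a program to run when the volume is opened.
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_targets(inf_path):
    """Return the commands an autorun.inf asks the host to run, or None if unparseable."""
    parser = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    try:
        parser.read_string(inf_path.read_bytes().decode("latin-1"))
    except configparser.Error:
        return None
    targets = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip())
    return targets


def audit_volume(root):
    """List findings for a mounted removable volume: autorun launchers and root executables."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            targets = autorun_targets(entry)
            if targets is None:
                findings.append(("autorun-unparseable", entry.name))
            else:
                findings.extend(("autorun-launch", t) for t in targets)
        elif entry.suffix.lower() in EXECUTABLE_EXTS:
            findings.append(("root-executable", entry.name))
    return findings


def build_sample_volume(root):
    """Constructed sample: a player's disk root with music, an autorun.inf and a stray binary."""
    root = Path(root)
    (root / "song.mp3").write_bytes(b"ID3")
    (root / "helper.exe").write_bytes(b"MZ")
    (root / "AUTORUN.INF").write_text("[AutoRun]\nopen=helper.exe\nicon=player.ico\n")
    return root
```

An unparseable autorun.inf is reported rather than ignored, since a file the auditor cannot read is not evidence that the host will ignore it.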
     
  7. eagle33199

    eagle33199 Platinum Member

    QUOTE (Boulder Bum @ Sep 17 2007, 06:49 PM)
    As you said, there's a balance... but by definition such a balance means you're trading off some security for the sake of the user experience. You can't have a usable system if it prompts you to verify every single write access to the hard drive. Even if you have a number of "trusted" programs, who's to say someone can't design a virus that starts off by either simulating one of those processes, or infiltrates one that's already running, using that same trusted process to do its dirty work.

    Yes, IE (and other things M$) are bloated, buggy, insecure pieces of doo-doo. And as you said, they used proper practices for things like Java, and yet people still can find vulnerabilities. Any piece of software that has an input and an output is going to be vulnerable to something, by definition.

    So, like I said before... how do you relegate that access when one of the "features" of an iPod is to act as a portable hard drive? By definition a hard drive has to allow programs to write to it. It has to let you save directly to it from Word or Excel or Matlab or any of a million other programs. How do you regulate that ability? As it was in this case, the virus in question was RavMonE.exe, which does not affect things like autorun.inf. When activated, it saves itself to the local drives and adds a run command to the registry. Other than that, it's just a file. A nasty one, but just a file that's saved to the hard drive. How do you prevent that without imposing a series of inconvenient steps to the user that marketing would never approve?

    One of the requirements of the system is that it be as transparent to the user as possible and act just like another hard drive hooked up to the system. There's no way to secure that from this type of attack.
     
  8. scargi01

    scargi01 Active Member

    Joined:
    Mar 20, 2007
    784
    57
    0
    Location:
    Missouri
    Vehicle:
    2005 Prius
    QUOTE (eagle33199 @ Sep 17 2007, 04:32 PM)

    And that would be called "job security" :D
     
  9. boulder_bum

    boulder_bum Senior Member

    QUOTE (eagle33199 @ Sep 18 2007, 07:55 AM)
    Agreed, but I think it's a false dilemma to claim that iPods need to be able to carry viruses or they'll be completely unusable.

    QUOTE (eagle33199 @ Sep 18 2007, 07:55 AM)
    In security circles, you'll find that no one claims they're completely eliminating the possibility for attack, the goal is to simply raise the bar as much as possible. Encryption, for example, can be broken if someone gets ahold of the keys, but that doesn't mean you give up on encryption because of that danger. You simply make the data difficult to compromise with encryption and then you make the keys hard to get to.

    QUOTE (eagle33199 @ Sep 18 2007, 07:55 AM)
    The difference is that Sun and Microsoft acknowledge their flaws and work to fix them. Apple passed the buck for their vulnerability.

    QUOTE (eagle33199 @ Sep 18 2007, 07:55 AM)
    The first thing I'd do is question the decision to use the iPod as a hard drive, since the vast majority of users simply use the iPod to play music, and keep a portable hard drive or thumb drive handy for storage. The hard drive feature increases the "attack surface" and is at the core of both the security vulnerability and some early compatibility problems with Vista.

    If you still wanted the hard drive feature, however, there are steps that can be taken. Turn "enable disk usage" off by default. Default to deny execute permission on the appropriate directories so no code automatically runs and thus propagates itself without user interaction and/or reconfiguration. Use a proprietary secure file system instead of the aging FAT32, require password protection on the storage part of the drive (which is a good idea anyway), etc.

    Also, just as important would be to secure the computers at the factory to prevent this from happening in the first place. The manufacturers' computers should have had the ability to copy over the firmware and nothing else.

    The way Apple would go about their implementation can, and probably would differ from the suggestions above, but it's absolutely false to say there's no way to make iPods more secure and no way this sort of thing couldn't have been prevented.

    I wonder if Apple blames Microsoft for this sort of breach, too: <_<
    http://www.cnn.com/2004/TECH/internet/04/09/apple.trojan/
    http://www.theregister.co.uk/2006/05/09/mc..._security_risk/

    I also liked this:
     
  10. desertbriez

    desertbriez New Member

    Joined:
    May 20, 2007
    376
    2
    0
    QUOTE (hyo silver @ Sep 16 2007, 08:20 AM)
    AMEN! hubby HAD to have a new laptop... that, of course, came with vista.... now he's finding out some of his stuff doesn't want to play with vista! UGH!