[griffman]

Images aren't allowed, but you could use one of the public services, or you could email it to me if you want and I'll toss it up on one of mine... (robg at macosxhints dot com)
-rob.

[d00d]

In reply to:

---

We can be irked by bugs in software, but deliberate policies by Apple in which it sends data back and forth from our computers without our knowledge and consent is a serious matter -- irrespective of what the data are. This has to stop -- period.

---

Yeah, and what about all that suspicious packet activity with time.apple.com. What I do with my time is none of their business.

/forums/ubbthreads/images/graemlins/tongue.gif

[scottellsworth]

Jeff: read the Apple comments. They make the potential exploit pretty clear.
Widgets on Apple's page link to individual developer pages. Not Apple's servers.
Individual developer pages can be spoofed, without Apple knowing.
This is not 'software update' which can be done manually. This is checking that the widgets you downloaded from a page Apple linked to is actually the widget Apple thought they were linking you to.
Ideally, they would have learned by now that phoning home is not something to do without warning, but that said, this is not something that users can do on their own, much like virus scans on the PC side need to be done automatically, every single time.
Scott

[ac3boy]

Everyone should have Little Snitch running. Best $25 bucks you can spend to monitor what your machine is doing.
http://www.obdev.at/...itch/index.html

[OM_user]

Hmm, I'm not sure I completely buy that explanation, but I also realize that Apple is in almost a no-win situation here. If they left the potential for users to download a widget that was masquerading as the genuine article from their pages, they would have been admonished for not taking security seriously enough. So, they do what they believe is the right thing and include a check to avoid a potentially bad situation and then get admonished for doing it.
But the simple and easy way to not get slammed by users like Jeff would have been to simply let everyone know what they were doing in the first place, exactly as has been mentioned here. I think most of us agree this isn't the worst thing for the system to do, but not mentioning a word about this 'feature' is the crux of the problem.
I really thought Apple would have learned a lesson from the stir that came up around the iTunes ministore, but I guess someone at Cupertino has low memory retention or something. /forums/ubbthreads/images/graemlins/tongue.gif
I'm also a bit miffed about the fact that you can't easily turn this off. The ministore was, for me at least, a non-event because it was trivial to not only see and glean what it was doing, but stupidly easy to turn it off after looking through the menus for about 10 seconds. That meant it was easy for even the most non-technical user to turn this feature off if they didn't want it. That simply doesn't apply here. The average user out there who just installed 10.4.7 is not even going to KNOW that the system is phoning home, let alone know how to turn it off. Even if they read this article, most non-techy users are afraid of mucking around in the Terminal and there's no reason they should have to.
Apple really should have known better than to do this.

[jmincey]

"I really thought Apple would have learned a lesson from the stir that came up around the iTunes ministore, but I guess someone at Cupertino has low memory retention or something."
This is the key. After the outcry over the MiniStore, how hard would it have been for Steve Jobs (or one of his direct reports) to send out a company-wide e-mail which says this:
If you develop software for Apple, you are absolutely NOT to write code in OS X or any of its bundled components which covertly contacts Apple servers or networks in a way which is unknown to the user or without his explicit or implicit approval.
Now that's not so hard, is it?
As for the examples others in this thread have given of other supposed covert activity which already takes place within OS X, they fail to qualify because they all involve a configurable setting by the user. Not so with this "widget emergency." I also reject out of hand any suggestion that Apple is unable to engineer a solution to the counterfeit widget problem which can be implemented with the user's knowledge and approval. I'm sorry, but these suggestions are preposterous.
I have run Little Snitch and tcpdump from time to time, but frankly I don't want to live like that and be "at the ready" every moment as I use my computer. I would rather assume integrity and good faith on the part of software developers so that I can simply enjoy the use of my computer without such concerns. But now that Apple has erred not once but twice, at what point do we say this is not about "erring" to begin with but is instead a deliberate policy on Apple's part?
Do we begin to ask this question the THIRD time Apple does this? The fourth time? When do we go from being irked to saying that we refuse to stand for this?
And to those who say this is no big deal in the scheme of things because, after all, it's only about widgets, let me try an analogy on you. Suppose the police stop someone who is driving erratically and who come to discover that the driver is severely drunk behind the wheel. Suppose also that absolutely no one is injured in the least as a result of this driver. Would you regard this as a trivial violation so long as no one is hurt and no property is damaged? Does this become a serious offense only when an injury or death occurs, or do we not treat the act itself of driving while intoxicated as a serious matter?
I think we need to divorce the purpose of Apple's covert network activity from the act itself. It's the act itself that I find problematic.
So, do you suppose that Steve Jobs will finally send out that global e-mail to his employees NOW? Or will he wait for this nonsense to happen a third or fourth time?

[d00d]

In reply to:

---

But now that Apple has erred not once but twice, at what point do we say this is not about "erring" to begin with but is instead a deliberate policy on Apple's part?

---

There's a huge difference here Jeff. If Apple really wanted to try to pull a fast one with some kind of malicious intent, there are far better ways they could do it without the user's knowledge. If they're really trying to fool us, then they're doing a very poor job. Unless of course you want to infer that Apple is just trying to find the best way to do it with these recent faux pas.
Start the conspiracy theories! I'll start caring when I really feel like it's a problem.

[jmincey]

To those who continue to say I overstate the seriousness of this issue or that I'm paranoid, etc., don't forget the PR consequences to Apple over these continued blunders. I assume all of us who are fans of Apple and its products hate to see it take hits in the media -- even where those hits are deserved. Well, in addition to the coverage in Macworld, here are but two additional examples of the coverage Apple is getting over this -- the kind of attention a company most certainly does not want:
New Mac OS X Feature Raises Privacy Concern

Apple: Please Stop the Silent Notifications!
So even if you don't agree with my other reasons, I should think you would join me in calling for Apple to cease this nonsense lest it pay an even greater PR price in the future.

[jmincey]

"Start the conspiracy theories!"
Derik, all I'm saying is that if we see this problem pop up again and again, at some point we have to conclude that it's a deliberate Apple policy -- either that or Apple cannot police its own development staff.
And the only thing I'm calling for is that (except for applications whose express purpose is communication, such as e-mail, web browsers, IM software, etc), Apple disclose to its customers when OS X makes contact with remote networks. I mean, how hard is that?
Too much to ask? I don't think so. Why then doesn't Apple DO it -- particularly in light of the PR cost?

[d00d]

"if we see this problem pop up again and again, at some point we have to conclude that it's a deliberate Apple policy"
Yes! A policy to deliberately, continually get caught sending out network traffic. It all makes sense now.
"All I'm calling for is that Apple disclose to its customers when OS X makes contact with remote networks."
You know Jeff, that may have been the most succinct thing you've said in this entire thread. I finally didn't feel compelled to skim.
I think it boils down to some of us simply being very practical about this. There were borderline concerns with the mini store, but the content of this communication is even more slight. What I think is interesting is that some of the people crying the loudest about the ministore are now completely dismissing this as worth any concern.
I think Kirk McElhearn said it best: Feh.

[Philbert]

Exactly, Derik! As I said, if Apple wanted to ... what better way to get the deepest, darkest dirt on someone than to compel users to hit Software Update for a security update and instead drop in a hidden keylogger.

In reply to:

---

And to those who say this is no big deal in the scheme of things because, after all, it's only about widgets

---

It has nothing to do with Widgets, or the iTunes mini store, or even Apple conversing with my machine without my knowledge --- it's no big deal in the grand scheme of things because there's no such thing as "privacy". "Personal information" is an illusion for ANYONE who participates in modern society.
The only real "protection" we have is trying to limit WHO has WHAT information. Through years of purchases, Apple has several of my credit card numbers, checking account numbers, address, etc, and I'm fine with that. What do I care if they check that some software is up to date (yes, even WITHOUT my knowledge)? It's Apple and I trust they're not rooting around in my QuickBooks file and figuring out a way to drain my checking account. I mean, really - what is it that you think Apple might do? Steal your identity? Tap into your iSight and watch you lounge around on the couch - what? I just don't get the fear.
(Do you "trust" our (U.S.) government? For your sake, I hope so because they know everything about you there is to know. Frankly, I'm a bit more concerned about that than Apple checking my iTunes collection without telling me first.)
But I agree with you on one thing - Apple absolutely needs to address this in the future by disclosure upfront. Not because I now feel compelled to sleep with one eye open, but to avoid the negative PR from all the WHINING! /forums/ubbthreads/images/graemlins/wink.gif
(that, and it's the right thing to do)

[macnews]

I kind of agree with Jeff in that some one must have been brain dead. The whole contacting the "mothership" type of communication has been frowned upon by the vast marjority of consumers on all platforms.
The biggest thing most people say is "if they just told me so I knew." Notice, no "tell me how to shut it off", just tell me! I'm not as hacked off as Jeff and willing to give Apple a bit of a pass - BUT PLEASE LEARN FROM THIS! JUST TELL ME NEXT TIME!
Frankly, could care less about dashboard checking in. The windows thing, that goes too far so somewhere in between is my "over the line" spot.

[jmincey]

In reply to:

---

Exactly, Derik! As I said, if Apple wanted to ... what better way to get the deepest, darkest dirt on someone than to compel users to hit Software Update for a security update and instead drop in a hidden keylogger.

---

You guys just don't get it. When I speak of "deliberate policy" your eyes (apparently) read "evil intent." You seem to think I'm saying the sky is falling, and I'm not. But I do think there is a danger that we will become "the frog in the frying pan." If enough of this activity takes place over time, we will just grow accustomed to it and have all these ho-hum reactions. (One person in this thread actually typed, "Yawn.") And if the market as a whole comes to feel that way, then we will be less attentive to the times when our information may truly be compromised in some way.
Obviously if Apple had no integrity and wished to jeopardize its business, it could easily do so via all its customer records and especially via its online store and iTMS. But between the extremes of thinking Apple is (1) violating our privacy and stealing our data and (2) doing no harm, lies some middle ground, and that's the area I'm trying to stake here.
I think computers and networks are for the use of those who own them, and any use of those networks by software not regarded as communications-oriented should be disclosed to the user for his knowledge and consent. This is a very modest position. If the chorus of users contend that this is a tempest in a teapot and no big deal, it sends the wrong message to developers.
Yes, in isolation, maybe this particular case is of no consequence. But what about the next time?
I think Apple customers should make a stand on this and call for full disclosure in advance. That way -- if Apple agrees -- we need not concern ourselves with whether a given case is serious or not because there will be no case to assess to start with. And I dare say this is something we would all be happy about -- including those who in this instance think this is no big deal.

[danmusician]

In reply to:

---

To those who continue to say I overstate the seriousness of this issue or that I'm paranoid, etc.

---

Always remember:
JUST BECAUSE YOU'RE PARANOID DOESN'T MEAN THEY WON'T GET YOU!
Sleep well!