Interesting People mailing list archives

Leo Gomes: As Duo Publicizes Bugs In OS X, Mac Owners Rush to the Rescue


From: David Farber <dave () farber net>
Date: Wed, 24 Jan 2007 16:02:16 -0500



Begin forwarded message:

From: "John F. McMullen" <observer () westnet com>
Date: January 24, 2007 3:13:51 PM EST
To: "johnmac's living room" <johnmacsgroup () yahoogroups com>
Cc: Dave Farber <farber () cis upenn edu>, Dewayne Hendricks <dewayne () warpspeed com>
Subject: Leo Gomes: As Duo Publicizes Bugs In OS X, Mac Owners Rush to the Rescue

From the Wall Street Journal -- http://online.wsj.com/article/SB116959186618385482.html?mod=technology_main_promo_left

As Duo Publicizes Bugs In OS X, Mac Owners Rush to the Rescue
by Lee Gomes

With the launch of Microsoft's new Vista operating system next week, this was supposed to be the month for Windows to be in the limelight. But thanks to a pair of self-styled security experts, the Macintosh is also getting its share of attention, though not the sort Apple particularly likes.

Late last month, a notice began circulating in computer security forums that January would be the "Month of Apple Bugs." It sounds like a merry old festival, and it is, in a perverse way. Each day, a new security flaw involving the Mac's OS X operating system was to be posted online. Two men made the promise: Kevin Finisterre, a 26-year-old Ohioan with a history of being interested in Apple security questions, and his partner, "LMH." The latter refuses to divulge any personal information about himself, though others, by tracing his IP address, say he is based in Europe, probably Spain.

LMH explained in an email that, "We are doing this for a few reasons. One of them is having fun, enjoying working on new possibilities and researching OS X security. Another important one is the flawed assumption caused by Apple, publicizing the 'fact' that 'Macs are more secure than PCs.' "

Looking for flaws in software is an entirely honorable calling. Indeed, there have been other "Month of Bugs" efforts involving other big pieces of code, including Linux. And while reasonable people can debate the extent to which Macs are, or are not, inherently more secure than PCs -- as opposed to just being a lesser target for virus makers by virtue of their smaller market share -- it doesn't hurt any piece of software for it to be poked and prodded.

The polite way to do this, though, is to find what you think is a bug and then to quietly alert the software company responsible for it, giving the company a decent amount of time to fix the problem before it's publicized. But that's pointedly not what the Month of Apple Bugs duo is doing. Instead, the two are telling everyone about each daily bug at the same time.

The pair's attitude seems to be that two wrongs do make a right. When I asked LMH if their course of action was the responsible thing to do, he emailed back, "The irresponsible thing is making someone pay more than 2k US dollars for a nifty machine with broken software."

Apple's response is that the Mac has a peerless security record overall.

Meanwhile, as soon as the bugs started coming over the transom, Mac owners came to the rescue, notably Landon Fuller, a 24-year-old programmer who briefly worked at Apple but who now heads up computer operations at a San Francisco game maker.

On New Year's Day, Mr. Fuller put word out on the Web that he would try to create a fix for each Apple bug as soon as it was publicized. Others wrote in offering their help, and there quickly emerged a cadre of programmers who each morning would get to work on fixing the bug du jour.

"It is a technically very challenging thing to do," says Mr. Fuller in explaining his motivation. He also didn't at all like the idea of not telling software makers about the flaws before publicizing them.

A week or so after Mr. Fuller started his bug-patching program, Mr. Finisterre and LMH emailed him and offered to make him their partner. He would be told early about each bug so that he could start working on his patch, but only on the condition that he not tell anyone else before they announced the bug. Mr. Fuller declined, saying that would make him complicit in a practice he strongly disagreed with.

You may not like the bug-spotting duo's sense of computer ethics. Or their sense of humor: Some visitors to their Web site get redirected to a porn site. But you have to admire their productivity. As of Monday, Jan. 22, they were right on track with 22 reported bugs.

Fortunately for Mac owners, not all bugs are created equal. Mr. Fuller says that while a number of the flaws were significant, many others pose little or no security threat. They would simply cause a program to stop working. And some have long been known about in one form or another. Indeed, a number of the affected programs weren't even written by Apple, but by software companies selling products for the Mac, some of which have quite small shares of the market.

There was, though, at least one "showstopper" bug, says Mr. Fuller: a flaw in Apple's QuickTime movie player that, in theory at least, could allow a Web site to use a specially crafted QuickTime video to take over someone's computer. There is no report of any miscreants taking advantage of the bug. If you're worried about it, you can get Mr. Fuller's patch at landonf.bikemonkey.org, though be warned, the site is something of a geek-only affair.

Apple released a fix for the QuickTime problem yesterday afternoon; patches for any other serious bugs should be available soon. Unfortunately, it will be a slightly longer wait for the glorious day when computer owners no longer have to worry about this sort of nonsense.

Email me at Lee.Gomes () wsj com.

*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available without
profit to group members who have expressed a prior interest in receiving
the included information in their efforts to advance the understanding of
literary, educational, political, and economic issues, for non-profit
research and educational purposes only. I believe that this constitutes a
'fair use' of the copyrighted material as provided for in section 107 of
the U.S. Copyright Law. If you wish to use this copyrighted material for
purposes of your own that go beyond 'fair use,' you must obtain permission
from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

   "When you come to the fork in the road, take it" - L.P. Berra
   "Always make new mistakes" -- Esther Dyson
"Any sufficiently advanced technology is indistinguishable from magic"
    -- Sir Arthur C. Clarke
   "You Gotta Believe" - Frank "Tug" McGraw (1944 - 2004 RIP)
"Do the right thing. It will gratify some people and astonish the rest"
     -- Samuel Clemens
                          John F. McMullen
   johnmac () acm org johnmac13 () gmail com johnmac () sdf lonestar org
       johnmac@panix johnmac () echonyc com johnmac13 () mac com
jmcmullen () monroecollege edu johnmac () alumni iona edu john.mcmullen1 () marist edu
    ICQ: 4368412 Skype, AIM, Yahoo Messenger & Google Talk: johnmac13
BLOGS: http://johnmacrants.blogspot.com/, http://johnmac13.multiply.com/


