[Sealobo]

if you called that a ripoff, there will be no innovation.

everything is a ripoff in this world. you copy somebody's stuff and refine it, that's how everything gets pushed forward. isn't that right?

[iluvmypowerbook]

The next thing you'll hear is people saying Apple ripped of developers of Cocktail, Onyx and other such similar applications. Simply because they had these scripts built into the OS but decided to make them more "available" by building a, dare I say, 'widget' for them.

I mean who does Apple think they are? Making their own OS more user friendly and efficient.... is there no justice left in this world.

[Millennium]

Originally posted by Jan Van Boghout:
Edit: oh I think you meant that normal web pages would be able to access everything?

That's what I meant, yes.

I highly doubt that, that would be a very illogical (and stupid) thing to do.

Oh, I don't think Apple would do it intentionally. Even Microsoft isn't that stupid. But bugs happen, and when they do, the exploits will come.

I want to know exactly what kinds of mechanisms Apple has in place to differentiate a Web page from a widget, so that it can be sure not to allow Web pages that kind of access. And when I find those methods, I want to know exactly what makes them unbreakable. Can such methods be written? Probably. But I am not confident in Apple's ability to get it right on the first try. No one ever gets it right on the first try, and so the "first try" needs to be designed to fail, because it inevitably will. When it does, it must not be able to breach security. Putting in more advanced features can be done later, when the security model has been put through its paces. This has, sad to say, not happened, and the consequences will be dire.

We already know that these things have Address Book access, because otherwise the Address Book widget used in the demonstration wouldn't work. It stands to reason that they probably have generic OSA access, because otherwise the iTunes control wouldn't work. Actually, this is probably how they get their Address Book access as well. Further, we know that they can send data out, because Hyatt himself said that they support XmlHttpRequest.

Scared yet? No? Let's go deeper. Safari bookmarks are OSA-accessible as well. So we have on our hands the possibility of a malicious widget which can grab the contents of your Address Book and bookmarks and send them out to arbitrary Web addresses, which could collect the data for spam lists.

Now are you scared? No? Consider this: if even one bug is found in this whole mess, suddenly you have a Web page which can silently grab your data -conveniently accessible through OSA- and then do whatever it wants with that data. The key word here is silently; it won't need your password. In addition to building spam lists, it could then send this data out to other people -potentially based on your Address Book contents themselves- as a link or possibly even an e-mail message. All a user would need to do is have JavaScript turned on for e-mail, and suddenly you've got yourself an e-mail/Web-based worm, capable of attacking on multiple fronts. Thanks to the ability to modify bookmarks, it's even possible to set the machine to silently update the server's listings every so often (whenever the user visits one or several specific sites) and because Safari doesn't display a status bar by default there won't even be the basic things other users have which could alert them to this fact.

That's only the basic design of such a system, but I came up with it in a matter of minutes. This thing could be coded in a day or two, and then it's just a matter of waiting for the inevitable exploit.

Congratulations, Apple; you've done just what I feared you would do with WebCore: you've integrated it too tightly into your OS, just like Microsoft did, and with similar potential consequences. I will not be using Safari again until I can be assured you have locked things down sufficiently, and that will not be for several years at least.

When will companies learn that Web browsing is not a legitimate function of an operating system?

[GoGoReggieXPowars]

Well said, Mill!

Though I think abandoning Safari at this stage is a bit much, ie. if you're still on Panther.

[Millennium]

Originally posted by GoGoReggieXPowars:
Well said, Mill!

Though I think abandoning Safari at this stage is a bit much, ie. if you're still on Panther.

I figure there's no harm in getting used to it. Trying to figure out whether to go with Firefox or Camino, though; Firefox has good extensibility, but Camino has the bookmark-management model from Safari.

[Earth Mk. II]

Originally posted by Millennium:
Scared yet? No? Let's go deeper. Safari bookmarks are OSA-accessible as well. So we have on our hands the possibility of a malicious widget which can grab the contents of your Address Book and bookmarks and send them out to arbitrary Web addresses, which could collect the data for spam lists.

You have a very valid point about the level of access allowed to those functions from within a normal webpage, and your caution is prudent.

However, I fail to see how this particular point is different from including malicious calls to NSAppleScript within any cocoa application.

Any Cocoa app has potentially the same or greater access to system level functions that could be used to compromise privacy and security - now.

[Millennium]

Originally posted by Earth Mk. II:
However, I fail to see how this particular point is different from including malicious calls to NSAppleScript within any cocoa application.

Any Cocoa app has potentially the same or greater access to system level functions that could be used to compromise privacy and security - now.

What you say is all true.

My problem is that this is just one bug away from allowing innocent-looking Web pages and e-mails to do it invisibly, with no opportunity for user intervention. No download needed (except for the page/e-mail itself), no passwords asked for, and all handled in the background.

At least a Cocoa app calling NSAppleScript requires user intervention; a poor defense, but better than nothing. If any bug is found in the security measures in WebCore, then existing apps -Safari, Mail, the Help Viewer, or anything else that uses WebCore- has the potential to become a gateway.

[Earth Mk. II]

Yeah, I'm just trying to make sure we're on the level of "prudent caution" and not "rampant paranoia" here.

I'm also curious and cautious about how Apple is going to manage the access rights for the various functions. Unfortunately, I'm guessing we'll have to wait until 10.4 is no longer covered by NDA to really know and experiment.

[Socially Awkward Solo]

This should shut your pie holes:

http://daringfireball.net/2004/06/da...s_konfabulator

[wataru]

Here is the best summary of the situation that I've read so far.

Millenium, your points are interesting and very disturbing. I say, "Go Firefox!"

Edit: Dammit, beaten by 2 minutes!

[leperkuhn]

Originally posted by Millennium:

That's only the basic design of such a system, but I came up with it in a matter of minutes. This thing could be coded in a day or two, and then it's just a matter of waiting for the inevitable exploit.

Congratulations, Apple; you've done just what I feared you would do with WebCore: you've integrated it too tightly into your OS, just like Microsoft did, and with similar potential consequences. I will not be using Safari again until I can be assured you have locked things down sufficiently, and that will not be for several years at least.

When will companies learn that Web browsing is not a legitimate function of an operating system?

OK, so when I read your post, I pictured you crying. Grab a tissue, and for just a moment, consider the possibility that Apple has thought about this.

Countermeasure #1: These widgets can only work if they are in the Widgets folder. This prevents random web pages from changing your song in itunes, reading your address book, whatever.

Countermeasure #2: Safari might not allow the exploitation of the widgets within Safari itself. Just because it's witten with the syntax of the web does not mean it will run in your web browser. There is most likely going to be a preventative measure against it.

I'm sorry but I'm a little less impressed with your huge rant than other people here seem to be. I also think that Apple just might take security a little more seriously (and have the means to do so) than Microsoft. Get a grip.

[fireside]

Originally posted by leperkuhn:
Countermeasure #1: These widgets can only work if they are in the Widgets folder. This prevents random web pages from changing your song in itunes, reading your address book, whatever.

Countermeasure #2: Safari might not allow the exploitation of the widgets within Safari itself. Just because it's witten with the syntax of the web does not mean it will run in your web browser. There is most likely going to be a preventative measure against it.

oh, and about Arlo? he's a big asshole.

[Adam Betts]

Originally posted by leperkuhn:
I'm sorry but I'm a little less impressed with your huge rant than other people here seem to be. I also think that Apple just might take security a little more seriously (and have the means to do so) than Microsoft. Get a grip.

Don't worry about Millennium. He just like to argue for the sake of it.

[- - e r i k - -]

Originally posted by leperkuhn:
Countermeasure #2: Safari might not allow the exploitation of the widgets within Safari itself. Just because it's witten with the syntax of the web does not mean it will run in your web browser. There is most likely going to be a preventative measure against it.

Preventive measures you say? Why don't you try out these gadgets for yourself?

Address Book
Calculator
iTunes
Stickies
Tile Game
World Clock

To be fair, even when run locally in Safari, all the gadgets that interfere with the system info, most importantly Adress Book is non-functional. You can't even change the iTunes-track So there's clearly more to gadgets than just HTML+JavaScript.

But hey, have fun with the calculator and the tile game. Ripple-effect not included

[iluvmypowerbook]

Originally posted by - - e r i k - -:
Preventive measures you say? Why don't you try out these gadgets for yourself?

Address Book
Calculator
iTunes
Stickies
Tile Game
World Clock

To be fair, even when run locally in Safari, all the gadgets that interfere with the system info, most importantly Adress Book is non-functional. You can't even change the iTunes-track So there's clearly more to gadgets than just HTML+JavaScript.

But hey, have fun with the calculator and the tile game. Ripple-effect not included

But these aren't Apple built. not part of the OS so what is the point of them Erik in relation to the earlier rant by Millenium?

[fireside]

Originally posted by - - e r i k - -:
But hey, have fun with the calculator and the tile game. Ripple-effect not included

hey! that tile game caused safari to crash.

[Thorin]

Originally posted by wataru:
Here is the best summary of the situation that I've read so far.

Millenium, your points are interesting and very disturbing. I say, "Go Firefox!"

Edit: Dammit, beaten by 2 minutes!

Taken from that link:

Plus, Dashboard gadgets are further extensible using Cocoa. You don�t need to use Cocoa � fully functional gadgets can be made using nothing more than HTML, CSS, and JavaScript � but the option to use Cocoa is there for doing things JavaScript alone can�t do.

So maybe the webcore won't have access to address book etc. That'll be handled through cocoa?

[- - e r i k - -]

Originally posted by iluvmypowerbook:
But these aren't Apple built. not part of the OS so what is the point of them Erik in relation to the earlier rant by Millenium?

Yes, these are the actual gadgets included in Tiger. Check out my web page for more information: http://www.erikveland.com/

[- - e r i k - -]

Originally posted by fireside:
hey! that tile game caused safari to crash.

Works in Safari 2.0 just fine

[- - e r i k - -]

Originally posted by Thorin:
Taken from that link:
So maybe the webcore won't have access to address book etc. That'll be handled through cocoa?

Judging from my experience this seems to be the case.

[Thorin]

Originally posted by - - e r i k - -:
Works in Safari 2.0 just fine

Works fine for me in 1.2.2 as well. No problem at all.

Thanks for posting those, very interesting to have a look at them!

[- - e r i k - -]

Originally posted by Thorin:
Works fine for me in 1.2.2 as well. No problem at all.

Thanks for posting those, very interesting to have a look at them!

You might want to save those locally, somehow I suspect Apple won't be too please seing them on the web like that

[iluvmypowerbook]

Take a look at the article in MacNN news concerning this issue.

A very relevant point made:-

http://www.macnn.com/news/25296

[Earth Mk. II]

Originally posted by - - e r i k - -:
To be fair, even when run locally in Safari, all the gadgets that interfere with the system info, most importantly Adress Book is non-functional. You can't even change the iTunes-track So there's clearly more to gadgets than just HTML+JavaScript.

But hey, have fun with the calculator and the tile game. Ripple-effect not included

What I'm thinking might be going on (and this is entirely a shot in the dark, since I don't have access to 10.4, but it seems like a valid approach to this problem) is that any unhandled JS object gets passed of into a delegation system of some sort. If the app doesn't register a delegate with WebKit - then that unrecognized JS object gets ignored.

That way WebKit could handle the actual parsing of JavaScript, but the execution is handled by an entirely different object. This would also allow for a selective extension of JS (as opposed to the, perhaps more obvious, restriction or sandboxing of JS execution), and Dashboard's cocoa extendibility as suggested by the Daring Fireball blog posting.

Again - just a guess, perhaps an educated one, but a guess just the same.

(Yes, I find the "How'd they Do That?" game fun.)

[Jan Van Boghout]

For those acting all paranoid about widgets going to destroy your system, as Erik said they can't be run in a normal WebKit app, and the super duper security measures needed to prevent any misuses (unless someone writes a malicious widget but that's equivalent to any application) is:

if requesting application is Dashboard application -> allow access

I wonder why people make such a fuss about this like it's the same as auto-executing code in outlook express�

[philzilla]

Originally posted by Socially Awkward Solo:
This should shut your pie holes:

http://daringfireball.net/2004/06/da...s_konfabulator

nice read, thanks for pointing that out, about time you came in handy for something, after all these years.

[Millennium]

Originally posted by leperkuhn:
OK, so when I read your post, I pictured you crying. Grab a tissue, and for just a moment, consider the possibility that Apple has thought about this.

Oh, I know Apple has thought about this; don't get me wrong. But forgive me if I don't entirely trust their QA process.

Countermeasure #1: These widgets can only work if they are in the Widgets folder. This prevents random web pages from changing your song in itunes, reading your address book, whatever.

You're assuming that there are no bugs in the software. A valid security model has to be designed to withstand its own bugs in the software, at least to some degree. This is does not seem to be the case with the extensions needed to run WebCore.

Countermeasure #2: Safari might not allow the exploitation of the widgets within Safari itself. Just because it's witten with the syntax of the web does not mean it will run in your web browser. There is most likely going to be a preventative measure against it.

What about other WebCore apps? As long as the code to run these apps is part of WebCore -and Hyatt himself has confirmed that this is the case- then WebCore can be tricked. It's just a matter of how easy that's going to turn out to be.

[Earth Mk. II]

Originally posted by Millennium:
You're assuming that there are no bugs in the software. A valid security model has to be designed to withstand its own bugs in the software, at least to some degree. This is does not seem to be the case with the extensions needed to run WebCore.

Mill: your thoughts on my proposed solution above (re: class delegation)

I think the key lies in a given app's ability to selectively extend the JavaScript, over the much less secure method of each application selectively restricting the JavaScript (or having access to JavaScript restricted for it).

The latter model of execution requires some form of checking to ensure that code is allowed to run. This implies that the code to be executed must already exist in WebKit before WebKit loads. This is a rather difficult execution model to secure (as it requires consistant checking to ensure that an application is allowed to access JS class X), but it is also a much more difficult model to extend, and even more so to extend safely.

The former is much more secure simply in it's implementation. The code that would allow access to a given function (say, the JS class that allows one to access AddressBook data), simply does not exist unless the application (or widget) loads it into WebKit itself. This, of course, requires a JS parser that won't explode when it comes across an unknown class, but the parser should already be that robust. Also, the former execution method allows for the ability to extend Dashboard's abilities through Cocoa. Something that is problematic with a simply restrictive implementation model.

Again, I don't have 10.4, I only know what I've read by other people who do have 10.4 (Dave Hyatt and John_Gruber, mostly), and making an educated guess based upon that.

[- - e r i k - -]

Originally posted by Millennium:
What about other WebCore apps? As long as the code to run these apps is part of WebCore -and Hyatt himself has confirmed that this is the case- then WebCore can be tricked. It's just a matter of how easy that's going to turn out to be.

The cocoa hooks appear to only work when run within the Dashboard enviroment.

Of course, that doesn't prevent one from writing a malicious Dashboard-gadget though and serve it up as a trojan. But this of course require the user to be malfunctioning as well. Downloading untrusted gadgets for example. But this is no different than downloading a malicious Apple Script, and we haven't exactly seen many of those though. I wouldn't worry too much about it.

[Developer]

Originally posted by - - e r i k - -:
Downloading untrusted gadgets for example.

That's why we need digitally signed widgets. Then the user can make sure that the widget is from a trusted source.

[jorgem4]

From my mind, Dashboard is not a ripoff of Konfabulator....simply because apple have had does wigets in the system a long way back...and then Dashboard will work far better than Konf. for the simple fact that wigets like the ones that are offer should be part of the system and not just floating around your desktop...that is why I did not like Konf.

My $0.02

[philzilla]

Originally posted by - - e r i k - -:
But this is no different than downloading a malicious Apple Script, and we haven't exactly seen many of those though. I wouldn't worry too much about it.

are you forgetting the one which made such a big stink all over the place in the last month or so?

[Zimphire]

Originally posted by philzilla:
are you forgetting the one which made such a big stink all over the place in the last month or so?

The one no one got?

[OptimusG4]

Originally posted by Zimphire:
The one no one got?

Yea... from Mr "I thought MS would have a demo for download on Limewire". Idiot.

[philzilla]

Originally posted by Zimphire:
The one no one got?

it still made the news all over the place, which is how you knew what i was on about.

[Stradlater]

Originally posted by Developer:
That's why we need digitally signed widgets. Then the user can make sure that the widget is from a trusted source.

Apple will be, apparently, hosting extra wi/gadgets on their downloads site; these will probably be tested and trusted. Users that wish to download other third-party wi/gadgets are just going to have to deal with the risk.

[Zimphire]

Originally posted by philzilla:
it still made the news all over the place, which is how you knew what i was on about.

Yes and most of that news was

"It was overblown hype from a company trying to sell it's product"

[Proudest Monkey]

Originally posted by itistoday:


but when windows users and your parents see this built into Tiger, they'll fall head over heels.

really?

[Hawkeye_a]

I think someone should come up with a way to use Konfabulator widgets with dashboard and vice versa. Therefore allowing Konfabulator to become more of an easy creation tool for widgits that can be used in dash board. maybe ?

[Zimphire]

Originally posted by Hawkeye_a:
I think someone should come up with a way to use Konfabulator widgets with dashboard and vice versa. Therefore allowing Konfabulator to become more of an easy creation tool for widgits that can be used in dash board. maybe ?

The Konfab people should start making HIGH QUALITY dashboard widgets and sell them as shareware.

[Zimphire]

I thought this was a good comparison



Bigger pic of the DA

[thunderous_funker]

Originally posted by Socially Awkward Solo:
This should shut your pie holes:

http://daringfireball.net/2004/06/da...s_konfabulator

As I posted in the MacOS X thread:

Mother of the Father of all Smackdowns!! The Konfab guys better STFU about being "ripped off" because they don't have a leg to stand on.

Just imagine what millions of web devs are gonna be able to do with Dashboard in the next 12 months. Awesome, Awesome, Awesome.

[Millennium]

Originally posted by Hawkeye_a:
I think someone should come up with a way to use Konfabulator widgets with dashboard and vice versa. Therefore allowing Konfabulator to become more of an easy creation tool for widgits that can be used in dash board. maybe ?

That's much harder than it might seem. Konfabulator widgets are built with their own XML format, while Dashboard gadgets will use HTML/XHTML.

It might be possible to translate the raw XML into XHTML using an XSLT stylesheet, but even then, the APIs are bound to be at least a little different, and those differences will need to be accounted for.

[fireside]

Originally posted by Hawkeye_a:
I think someone should come up with a way to use Konfabulator widgets with dashboard and vice versa. Therefore allowing Konfabulator to become more of an easy creation tool for widgits that can be used in dash board. maybe ?

Konfab isn't a creation tool for widgets. you still have to code it by hand, in a text editor. there is no widget editor or developer.

[fireside]

Originally posted by Zimphire:
The Konfab people should start making HIGH QUALITY dashboard widgets and sell them as shareware.

Zimph, no one is going to buy widgets. ever.

[Zimphire]

Originally posted by fireside:
Zimph, no one is going to buy widgets. ever.

Eh, if people pay for a icon viewer...

Do you honestly not think someone will charge for their gadgets?

[ambush]

Originally posted by Zimphire:
Eh, if people pay for a icon viewer...

Do you honestly not think someone will charge for their gadgets?

Yo Zimph.

What's the status on your personal anti-Moore crusade?

[Zimphire]

Originally posted by ambush:
Yo Zimph.

What's the status on your personal anti-Moore crusade?

Yo Ambush, that should have been a private message.

Try using it Yo!

It's teh DOPEST!!11

[- - e r i k - -]

Aw ****... both Kottke and Paul Thurrot linked me. I guess I'm an internet celebrity now


I already had twice the hits in the first day of July than all of June :/

[Developer]

And since he linked you, I suggest you all read Paul Thurrott's article Derivative, not innovative: Apple's Dashboard is a Konfabulator rip-off. Don't let the controversial name distract you, this is actually a very insightful and intelligent article. A little bit longish, but well worth the read.