Rui CarmoSo, before I try to get a decent night's sleep (literally) under the sheets, here's a couple of topics I'd like to comment on - both pretty well covered by now, but that need either a bit more logic and common sense (and henceforth less FUD) or a bit more practicality.
Ah, So Security Is About Selective Disclosure And Show-Off?
Thomas Ptacek takes a stab at both Gruber's post and mine by using selective quotes (a great mechanism for de-contextualizing my points) and wrapping a bunch of childish arguments around them.
I guess that's what comes from bothering to write in a way normal people can understand the issues (such as the difference between exploiting a UNIX vs. a Windows environment and how much easier it is to gain "impressive" control once you do get in) instead of harping on like a stuck-up pseudo-scholarly "security expert" using a hermetic, rather snobbish vocabulary.
Mental note: People tend to take comprehensive writing at face value, and it's easier to mis-quote, too. Next time, I have to dip in to my rhetoric side, pull out all the stops and make them look up "hermeneutics" as well.
Besides completely sidelining the points I made regarding the Washington Post's tabloid approach to the news, what renders Thomas's post null and void is that if David Maynor and Jon Ellch had bothered to present new active profiling techniques and their exploit by explaining them properly instead of -
- posting a rather cheesy video
- letting a reporter quote them on how they like to counter the Mac community's "smugness" about security and
- bragging about what they can do before publishing their methods and results,
...I'd actually be worried about my Mac's security (incidentally, I don't own a MacBook - if he'd actually bothered to check, he'd have known).
As it is, I'm more concerned about the security community falling for the allure of the limelight instead of doing the admittedly more ungrateful work of sticking to a more staid (one might even risk saying serious) demeanor and publishing before giving interviews.
And the counter-argument to Gruber that -
... because if they actually demonstrated the vulnerability, Gruber, they’d effectively be publishing the exploit. Wireless, get it?
...is, well, childish. They were doing a video, and by that token, and for all intents and purposes, they did "publish the exploit" for the third-party dongle within the confines of the room the video was shot in.
Of course, since video is, as yet, unable to convey 2.4GHz radio, they could just as well have done it by exploiting the MacBook's built-in Wi-Fi adapter.
Get it?
That's why I have trouble considering Thomas's post as representative of "the Mac people who really do security", since he did, in fact, write a rather dumb argument. Which is OK by me - since I think he is the one overreacting.
Update: He has since posted not one, but two replies to my posts (and another to Jim's), in which he continues to assume I side with the "the Mac is invulnerable" peanut gallery and that I am trying to sweep the exploit technique under the carpet. Which I'm not - I'm questioning the way and sequence of events during which it was made public, before a comprehensive technical disclosure, and the loose ends thereof. Since Thomas (incidentally) happens to know Maynor, I must assume he's qualified to comment on that later with a timeline of the events and the way they were covered in the press, no?
I get the issues - I'm not your stereotypical Mac user, even if I do have a strong opinion on the button shapes in Mail.app as well (heck, I have to use the thing, how could I not?).
And yes, there is something of interest in the way the exploit actually works (regardless of hardware used), since it not only shows (like I explained in the bits that Thomas didn't bother to quote) that device drivers are, in more than a few cases, very poorly written and tested, but also that poor coding can affect any OS.
Thomas also glossed over the points about the Intel monoculture, completely misunderstanding my point about the PowerPC and mis-quoting the relevant bits to fit his view.
The thing is, the "blind, sweaty panic" Thomas accuses the Mac community of being in is the usual FUD mechanism "security professionals" like to use to forcefully get across their point that "oooh, look, this is really, really serious".
They're just amazed that it isn't causing widespread panic outside of the media (despite the timing), and taking it out on the Mac-related critics instead of sticking to the point and targeting the device driver developers.
But hey, when's the last time you were able to track a commercial driver back to its writer? Is there any press in trying to do that?
Meh. Of course not. I leave you to draw your own conclusions on the whole affair.
A Word On List Selection
John Gruber takes pains to detail the list selection behavior in Cocoa, which is one of the things Tim Bray (quite rightfully, in my opinion) complained about a while back. John is extremely methodical in both what he writes about and how he writes about it, but even after reading through his piece and related commentary (such as Pierre Igot's post), I still have an issue with the default Cocoa behavior, regardless of the contexts it is applicable in or not.
It is extremely annoying for whoever uses non-Mac environments on a daily basis. I would even brand it as counter-cultural instead of merely counter-intuitive, since there are some borderline cases where it can be made to make sense. But then you can prove anything makes sense if you understand enough of the rules of any formal logic system, no?
Plus that list selection behavior it is likely to be proven counter-intuitive from before GUIs. There were plenty of terminal-based UIs with selection lists and the precursors to drop boxes, and it should be possible to find prior evidence (probably say, in IBM's CUA, which had some formal documentation at one point, even if not much) that unanchored selection is just plain wrong and counter-intuitive.
I, for one, don't recall Lotus 1-2-3 using it.
As to the arguments why it isn't all that important, it's not just about taking the hands off the keyboard and using a mouse to bypass that behavior, or about "only Mac nerds" using the keyboard. There are a lot of people who can't use the mouse at all, or who simply prefer not to, and who are not "Mac nerds" (you think I'm interested in Assistive Technologies just for the fun of it?).
The truth is, there are lots of perfectly ordinary users who find unanchored selection extremely confusing. Quite a few of them happen to come from the Windows world, are much more familiar with the keyboard, and prefer using it. But the Windows default behavior is the "correct" one not just because it's what they're used to, but also what everyone expects.
But there are more peculiar circumstances in which this is very noticeable, and I don't just mean the ones with special needs.
I'm predominantly right-handed. But I prefer using a PowerMate with my left hand than using the mouse wheel to scroll. It leaves my right key free to type, move the text caret (or exert finer control) with the cursor keys, or use Exposé. I was not always right-handed and still eat and handle some tools with my left, but you get the point.
As it happens, I use the PowerMate (with the right shift key) to select messages in Mail.app's message list, and the default behavior drove me completely batty, since a flick of the wrist backwards to compensate over-selection expands the selection from the top (which is why I've set up Nevyn's fix).
So yeah, I think this needs to be fixed - Apple's UI is pretty damn good, but when it has issues, they're pretty annoying ones.