September 15, 2003
I have heard the voice of god, the sonic stylings of the creator of the universe...and it has a Bossa Nova beat, and swings more than a playground full of kids on a sugar high.
Every once in a while an artist comes along that you have to absorb. Not just listen to. You have to absorb every note into your skin until it becomes a part of you. You must feel the music, until it is a part of your very soul.
Richard Cheese, aka "The Dick" is that artist.
Yes, lounge versions of pop music have been around forever, including Bill Murray's infamous lounge lizard on Saturday Night Live.
They were nothing compared to The Dick. Children, amateurs, posers. The Dick is the Master. You have not heard vocal stylings until you've heard "Baby Got Back" with a Bossa Nova beat. Yes, almost "Girl from Ipanema" - ish. Listen to "Closer", and tell me you don't feel closer to all of humanity afterwards.
But it's not just the sensual stylings of The Dick's smooth, dare I say, near Mel Torme-like lush vocals. The musicianship smokes. The piano intro for "Hot For Teacher" damn near scorches the paint off the walls.
I am in awe. Absolute groupie heaven. I'm about to buy a tux, a Shure, and start drinking highballs. I want to be Richard Cheese. I want to listen to his cover of "Stairway to Heaven" over and over again. (And I am a Zeppelin fan and a half, kids...I don't normally do anything but DESPISE covers of "Stairway". But The Dick, he can do no wrong.)
Go to his website, listen to the samples, buy his stuff. Buy all of it. Find your inner Dick.
September 6, 2003
On Safe Updating
Well, time for a follow-up on the previous article about MacMac's oblivious smugness with regard to being cracked, or attacked by viruses.
Some of the comments I received were the typically smug retorts:
- "saying that a Mac is just as vulnerable is absurd...."
- "not once has there been a virus for OSX, because the method of spreading it would be impossible to sustain, where in Windows world, it is an everyday occurrence..."
- "It's extremely unlikely OSX users will ever get a virus, the machines just aren't shipped in such a way to allow for it. Sure, someone could break into every Mac user's house, boot from the start up disk, enable root, open ports, then go back and "try" to write some code to make it replicate between the now "open" machines... but I'd bet they wouldn't be able to break into 40 people's homes before they were caught and in Jail, thus... STOPPING ANY VIRUS. Face the facts! PC's are mainly using Windows, THAT is the Problem, NOT computers in general."
Some incorrect comments:
- "and saying a Mac is less secure when it ships with firewalls turned on, and Windows ships with firewalls turned off is equally absurd...."
Some interesting ones that I don't agree with, but at least show some thought:
- "Worm and virus writers don't just wake up ready to go - they have to hone their craft - what mac viruses can they actually study? The one from 1990? And I would say if they could write mac/cocoa/darwin code, they could actually make money - why bother fiddling with wasting time trying to write a virus that has to get past mostly closed ports, no real access to overwriting parts of the system software and an OS that pretty much waits for the operator to okay anything?"
But people forget, there are so many ways to crack a machine, and Mac OS X, no matter how brilliant the code, can't stop all of them. This quote from Macintouch is the perfect example:
The article also mentions at the end:
Now, let's take a look at VersionTracker, and do a search for drivers. Boy, there sure are a lot, and from some trusted names, like Kensington. Let's go to the Kensington site, and download a driver. Wow, again, look at that, all the drivers for my Expert Mouse Pro, right there online. So convenient.
But there's no security. It's not an https link, there's no MD5 hash that I can use to verify. I'm completely trusting that no one has hijacked my connection to Kensington and created bogus malware drivers for me to download that will give others control over my system.
Hmm...well, that's because we don't need that much security, right? I mean, it's not like Apple does anything like that with Software Update...oh wait, they DO. In fact, if you recall, Security Update 7-18-02 contained Software Update client 1.4.7 which added cryptographic signature updates to the softwareupdate command line tool. Security Update 7-12-02 added security to the GUI Software Update tool, to add signing and verification tools to this process. Details are in this Kbase article.
Looking back at the articles that came out when the hole that these updates patched was discovered, you see that people took this pretty seriously. The one by Russell Harding that detailed the problem, and others, like mine, treated this hole as a big deal, and with good reason. Insecure OS updates are A BAD THING.
So why is it okay for everyone else to do this? The Kensington driver (no, I'm not picking on them for any other reason than I use their products every day, and they're a good example here. All my love to the Expert Mouse!) is a Kernel Extension. It works at the lowest layer of the OS. It can do almost anything it wants, or that the programmer who created it wants. Bad drivers are the fastest way to a kernel panic in the Mac Universe. But there's no security in the download process, so unless I can trace and analyze the connection (and I happen to have the skills and the tools to do this, but it's not something that a normal human user will do), I have no hint of assurance that this is indeed Kensington, or anyone who I think it is. It's an http connection to a site. That's all I know.
Yes, it's just as dumb when I do it as when anyone else does it. If it's wrong for Apple to use insecure software updates, then it's wrong for anyone else to do it. You may be thinking, "Well sure, but Apple's updating the OS, they have to be more secure." Hmm...go back and read that part about what a Kernel Extension plugs into.
I'm thinking that a secure connection using SSL is not such a bad idea. MD5 hashes on the site that I can verify against what I'm about to install aren't such a bad idea after all.
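As an added example (not part of the original post), here is one way to gate an installer on the two checks described above: the download and the published digest both arrive over TLS, and the file matches that digest. It uses SHA-256 in place of the MD5 the post mentions, since MD5 is no longer collision-resistant; the function names and the `vendor.example` URLs are assumptions for illustration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse

def sha256_file(path, chunk=64 * 1024):
    """Hash in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(download_url, digest_url, published_hex, path):
    """Return the reasons not to run this installer; an empty list means none found."""
    problems = []
    if urlparse(download_url).scheme != "https":
        problems.append("installer fetched over a non-TLS link")
    # A digest served over plain http can be swapped by whoever swapped the file.
    if urlparse(digest_url).scheme != "https":
        problems.append("digest published over a non-TLS link")
    expected = published_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        problems.append("published digest is not a SHA-256 hex string")
    elif not hmac.compare_digest(sha256_file(path), expected):
        problems.append("file does not match the published digest")
    return problems

def demo():
    """Run the check on constructed sample data (not a real driver or vendor)."""
    package = b"constructed stand-in for a driver package"
    published = hashlib.sha256(package).hexdigest()
    tls = ("https://vendor.example/driver.pkg", "https://vendor.example/driver.pkg.sha256")
    plain = ("http://vendor.example/driver.pkg", "http://vendor.example/driver.pkg.sha256")
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "driver.pkg")
        with open(path, "wb") as f:
            f.write(package)
        results["clean"] = check_download(*tls, published, path)
        results["plain_http"] = check_download(*plain, published, path)
        with open(path, "ab") as f:
            f.write(b"\x00extra")  # simulate a package altered in transit
        results["altered"] = check_download(*tls, published, path)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```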
Also, before the "Well, OS X has better security" cries start...how many of you verify anything when an installer asks you for that administrator password?
I hear the crickets.
Every time you do that, you are giving that installer root access. It can now do almost anything to your system, and do it before you have a prayer of stopping it. Yet Mac users, even the smarter ones do this every day. Blindly.
It's dumb, and it needs to stop before some talented slime takes advantage of that. I would really like to see more Mac companies using certificates to help secure and verify the download process. I'd like to see Apple do more to help ISVs use the SSL architecture in every copy of Mac OS X to help verify the installer when it needs to get that administrator password. I'd like to see Mac users stop downloading drivers from sites that offer no security, or verification whatsoever.
I'd like to see the intelligent, sensible steps taken before they have to be. That would be wisdom. Waiting until the problem explodes in your face is experience.
Wisdom is always less painful than experience.
john