By John Gruber
The CanSecWest weblog reports:
One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks.
Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference. Update: A good source says it’s not “Open ‘Safe’ Files”. My next guess is that it’s a pseudo-URL protocol handler.
Thomas Ptacek confirms that the winners are Shane MacCauley and Dino Dai Zovi.
A lot of crap, and not much additional information, in this story by Nancy Gohring:
Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail. …
The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said.
My money is still on an exploit against “Open ‘Safe’ Files”, but it’s impossible to say from any of the descriptions thus far. Update: A good source says it’s not “Open ‘Safe’ Files”.
One reason Macs haven’t been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. “It’s an incentive issue. The Mac is not as widely deployed of a platform as say Windows,” she said. In this case, the cash may have provided motivation.
I like the “as say Windows” part. As opposed to what other operating system, other than Windows, that has a larger user base than Mac OS X?
Also, Apple is “extremely litigious when people do find stuff,” noted Theo de Raadt, OpenBSD project leader and an attendee at the conference.
Yes, that’s right, find a bug in Mac OS X and Apple will sue you.
Steven Frank:
Sunday, the 22nd of April, marks the tenth anniversary of Panic’s incorporation.
And:
It is by a more or less random coincidence that on the day after our company’s tenth birthday, we will be conducting by far our biggest, most ambitious new software launch of all time.
The original offer was that anyone at the CanSecWest conference who hijacked an up-to-date MacBook Pro got to keep the machine. From the CNet report by Joris Evers:
There had been some rumblings among event attendees that the reward was not big enough to draw interest.
That sounds suspiciously like “No one can do it” to me.
Update: A little birdie tells me someone’s already won the prize. Can’t find a story on it yet, though.
Jason Fried:
And it’s not like Yahoo is being attacked on all sides. They’re not being eaten alive by a gang of rats. They are being devoured by the 900-pound Googlerilla in the room. Google’s revenue is growing at twice the rate of the Internet ad business overall and 9× faster than sales at Yahoo.
Fried has a good point: for all of Microsoft’s problems, they are still #1 in a bunch of very profitable markets. Where is Yahoo #1? Exclamation marks?
This is why I think Semel’s goose is cooked.
Good rule of thumb for kerning.
Illustrator vector art recreation of Safari’s browser window, for higher-quality printed versions of web mockups. (Thanks to Chris Pepper.)
Buzz Andersen, recently of the Soundtrack Pro team, on leaving Apple:
As with any whirlwind romance, though, the honeymoon couldn’t last forever. Apple may be a very special company, but it’s still just that: a company. And, like any company, at the end of day it needs to take care of business. In Apple’s case (or at least the part of Apple I work in), that business is shipping amazing software on impossible schedules with astonishingly small teams. It’s been Apple’s business since the “90 Hours a Week and Loving It!” days of the original Mac team, and the grand tradition continues to the present day (just ask anyone on the iPhone team how much vacation they’ve had in the last year).