January 29, 2007 at 9:51 pm
· Filed under Apple, Mac OS X, Windows, computers, open source, ssh
MacFUSE is great. I wrote a short bit on it for TidBITS. The elevator pitch is: MacFUSE allows mounting SFTP servers just like AFP/SMB/NFS shares, read-write access to NTFS filesystems (Tiger’s built-in NTFS access is read-only), and a whole passel of other filesystem options.
The article, “MacFUSE Explodes Options for Mac File Systems” is at: http://db.tidbits.com/article/8835.
There is a binary installer for the NTFS-3g module (ideal for Boot Camp users), but it doesn’t yet have a stable home. Currently, you must visit the macfuse-devel mailing list http://groups.google.com/group/macfuse-devel and look for a posting with the latest URL (as of today, see http://groups.google.com/group/macfuse-devel/browse_thread/thread/ee1c4555d3c90f4f).
January 18, 2007 at 4:22 pm
· Filed under computers, people, security
Rich has been told to stop blogging about technology. This is a shame, as he had worthwhile things to say.
Having very little information on what happened, I have to assume it’s a blanket policy intended to protect Gartner’s intellectual property, by reducing competition from non-Gartner IP (such as public blogs). I wonder how bad the backlash will be. This is aside from the fact that Rich was a) careful not to post Gartner content and b) not shy about mentioning what you could get if you were a Gartner client.
It’s a pity.
http://securosis.com/2007/01/16/securosis-will-no-longer-cover-technology/
January 17, 2007 at 5:22 pm
· Filed under Apple, Mac OS X, bug, computers, security, synchronization
.Mac sync doesn’t work without saving your password in the Apple Keychain — BROKEN! I don’t want to save my password on a laptop that’s likely to get stolen.
If you delete your .Mac password from the keychain, Sync Now from the iSync menu fails with an error, but without an opportunity to enter the password:

In System Preferences:.Mac:Sync, clicking Sync Now generates the same error message with a different icon:

After entering a password in System Preferences:.Mac:Sign In, the system pops up a keychain password prompt. If a password is provided, the .Mac password is immediately saved to the default keychain. This is the only keychain access dialog I’m aware of which doesn’t offer a checkbox to save the password, and instead forces password saving on — BROKEN!:

No .Mac renewals for me.
January 17, 2007 at 10:44 am
· Filed under Apple, Mac OS X, bug, computers, security
So the MoAB released a bug announcement with exploit code for Colloquy, an IRC client.
MOAB-16-01-2007: Multiple Colloquy IRC Format String Vulnerabilities
Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, that can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution.
Further information:
Multiple Colloquy IRC Format String Vulnerabilities
Exploit: MOAB-16-01-2007.rb
Apparently someone used their exploit:
Thanks to str0ke for donating to the project and mirroring exploits and other code. In other news, we’ve heard rumors about someone using this exploit to take people down from several Mac-related IRC channels (#macdev, #mac, #macosx, #opendarwin, #colloquy itself…). This is an unfortunate prank, and has no relation with us at all (except the fact of developing the proof of concept and distributing it to some people). They had fun for sure, anyway. Definitely ranting on IRC is a high risk activity.
Do you see anything strange here? They announced several bugs to the world, and provided instructions for exploiting them. People did exploit them, and MoAB now says “no relation to us at all”. Well, no. If you made these activities possible, there’s a strong relationship.
We’re lucky this happened with Colloquy, a relatively obscure product with a more sophisticated audience and very quick developers. Things would have been much worse with a serious attack on Mac OS X or Office.
January 15, 2007 at 5:52 pm
· Filed under Apple, bug, security
MOAB-14-01-2007: AppleTalk ATPsndrsp() Heap Buffer Overflow Vulnerability
The Month of Apple Bugs project has just announced an AppleTalk bug! This is much more a ‘real’ Apple issue than cross-platform VLC issues, but who cares about AppleTalk bugs? What proportion of people/Macs have AppleTalk running on their systems — 1%? More importantly, ISPs don’t carry AppleTalk traffic, so this is really only a concern for Local Area Networks (particularly colleges).
I am impressed they found it, though.
January 11, 2007 at 11:04 am
· Filed under Apple, Mac OS X, bug, computers, security
The Month of Apple Bugs guys wrote a (deliberately limited) piece of spyware which tracked IPs of people who ran their (pre-release) exploit sample. Then they complained because it leaked (not really a surprise here, at least).
http://applefun.blogspot.com/2007/01/canary-trap-leak-and-mole.html
People complained they were “installing root-kits”, and MoAB responded that the users did it to themselves. Well, duh! That’s how most viruses & spyware get distributed and installed, through ignorance combined with malicious intent on the part of the distributor. It doesn’t make this any less obnoxious.
January 11, 2007 at 12:17 am
· Filed under Rockefeller, super-tent
The building I work in at The Rockefeller University is almost a hundred years old. It has a history of important science and medicine performed within its walls, and is thus a national historic landmark. On the other hand, it’s in awful shape. The University cannot replace it, so they have decided to gut our building (Theobald Smith Hall) and the adjacent Flexner Hall; the buildings will then be completely rebuilt internally, and converted to open lab space.
The renovations and landscaping are expected to take several years, at which point IT won’t be moving back, because the buildings will be only for labs, so we’ll get put somewhere else. Unfortunately, IT does not get good offices. We are currently scattered across several floors of 3 buildings, with servers in 4 rooms across 3 buildings — and insufficient environmental support for all our equipment. Construction always takes longer than planned, and it seems likely they will renovate another building after our two are finished, which means the space crunch will continue longer.
The immediate impact: in the early spring we will be moving to a new temporary structure (the “Super-Tent” — “it’s not a tent!”). It’s being assembled right now, two stories tall. It will be real office space, but it’s going to be crowded and noisy. I hope it has sufficient heating, cooling, power, and networking, but we can’t know yet. Here’s a picture of the “Super-Tent” under construction:

January 9, 2007 at 2:56 pm
· Filed under Apple, computers, iPod / iPhone
I’ve been looking forward to replacing my (quite beat-up) Treo 650 with something newer. I could really use the larger on-board RAM capacity of the 680 or 700p, but instead it looks like I will be switching (in June! Alas alack!) to an Apple iPhone instead. I hope there’s a plucker replacement quickly, but with Safari built-in, that shouldn’t be terrible.
Actually, guess I will simply whack sites into local directories using wget and browse them that way…
I will miss the 60gb capacity of my iPod photo, though — I’ve been looking forward to a larger drive to fit all my music, and didn’t want to get the current 80gb video, instead preferring to wait for a larger screen. Now it looks like I can have either 480×320 or 80gb. Right now, I have 500mb of photos on the iPod, and about 50gb of MP3s; I’ve been dying for more capacity, partially for video…
The 60gb will probably become a permanent part of our home stereo.
Bluetooth has been a long time coming, but who thought an iPod device would support 7 frequencies? a/b/g/n (I don’t know if it will actually associate with an 802.11a-only network, but apparently .11n includes 5GHz support), BT2, and quad-band GSM/EDGE.
The Apple tv is very nice, but doesn’t fulfill an immediate need for us. If we didn’t have Julia, buying TV shows from the Apple Store might be a same-cost replacement for our cable + TiVo bill, but it doesn’t make that much sense for us right now. That said, if we weren’t still dealing with real estate, or had a serious home stereo connected to a TV, Apple tv might be an impulse buy.
Aha! New AirPort Extreme (that also looks like a slice o’ mini, or a scale), with draft N. I’m skeptical of Apple’s “super-compatible” claims, though…
See also: Playlist: Who’s Afraid of the Apple iPhone Megamix.
January 8, 2007 at 4:34 pm
· Filed under Apple, BBEdit, Mac OS X, computers, ssh
I frequently need to read manual pages from Suns and Linux systems, but prefer to read in BBEdit. Today’s trick facilitates this, by grabbing the manual page from a remote machine via ssh, unformatting it with col, and dumping it into a BBEdit window (which doesn’t ask to be saved).
function manb () { ssh "$1" man "$2" | col -b | bbedit -t "$2@$1" --clean --view-top; }
Usage is “manb host command”, so “manb www up2date” opens a window titled “up2date@www” with www’s up2date manual page.