Re: A Flame - Was: Re: [Fed-Talk] Security Update Broke my ftp service (Very important)
- Subject: Re: A Flame - Was: Re: [Fed-Talk] Security Update Broke my ftp service (Very important)
- From: Dave Schroeder <email@hidden>
- Date: Wed, 25 Apr 2007 18:34:24 -0500
Michael,

No offense intended or taken, but you're missing the point. I
understand you created this package. But file sharing sites, even
ones you have an account with on GoDaddy, are very, very different
from, say, a departmental or personal web site within a university,
governmental, or institutional organization, to say nothing of having
people download a package they don't understand, that requires
administrative privileges to boot, from a post on a mailing list.

Also, anyone who doesn't know enough to need this installer in the
first place doesn't know enough to examine its contents and ensure
that it isn't doing anything malicious. The fact that we all know you
wrote this installer is irrelevant. The biggest in-the-wild infection
of Mac OS X systems to date has occurred by someone posting a zip
file purporting to be "Leopard screen shots" on a forum from a web
file sharing service.

There are several points here:

Something like editing a plist is an extremely, extremely basic
aspect of Mac OS X Server administration. If a person whose job
duties include running such servers, especially servers that are
purportedly "critical", doesn't have this capability, then they
absolutely need to have support contracts with Apple for Mac OS X
Server, any of which would have solved this problem:
http://www.apple.com/support/products/macosxserver_sw_supt.html

Preferably, you would have such knowledge AND a current Mac OS X
Server software support service contract.

Finally, even with best intentions, using third party tools that
alter system components and that aren't from a known vendor,
especially if you don't know what they're doing, is a Very Bad Idea.
This is exactly the vector that most Mac malware will use to spread,
and already has. Desensitizing people to this truth, which isn't in
dispute, is why I posted my initial responses. There are current,
outstanding local root and browser exploits that don't require
anything more than downloading a zip file. I realize your GoDaddy
file sharing site is "yours", etc., but frankly, no one knows that
but you.

Granted, there's a lot of nuance here, and the bottom line is that
an Apple update had some bad QA and broke people's services. But this
is the nature of IT administration, and people need to be equipped to
deal with such problems.

Ironically, for folks complaining that Apple didn't offer support for
this issue on discussion forums or lists (which I'm frankly surprised
anyone even expects), the PURPOSE of the discussion forums and lists
actually was served: you got an interim solution from the community.
If you want a support solution from Apple, it will only come via
AppleCare (or, possibly, your Apple channel), not via a random Apple
list or discussion board. That's simply not what they're for, at all.

I understand you're just trying to help, but the fact is, this is an
installer that the people installing it have zero idea what it
does, hosted on a completely unaccountable web file sharing service.
Even if YOUR file is legitimate, that's a recipe for disaster. A much
better option would be, at a minimum, to host it on a company/
institutional web site (and I understand that's simply not an option
for some people), or, preferably, to provide step-by-step instructions
about how people can edit the plist, which they should absolutely be
able to do. And that's not an advanced task, that's an incredibly
basic task that anyone claiming any responsibility for running Mac OS
X Server systems should either, 1.) already be able to do, or 2.) learn.

Yes, Apple broke this, but it's a very simple problem and a very
simple fix, and anyone who contacted the *appropriate* channels at
AppleCare would already have had this solution. Apple's not going to
issue press releases and post hot news items because FTP got broken
in Mac OS X Server by a security update. You're going to get your
support via AppleCare, period. And, sometime in the next few days or
week or so, we'll either see a "1.1" version of the Security Update
or another patcher that fixes this issue for persons who have not yet
updated or been affected.

- Dave
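The reply above recommends editing the plist by hand instead of running a third-party installer from a file sharing site. As an added example that is not from the thread or from any of its participants, the following Python script uses the standard-library plistlib to change one key in a plist while keeping a backup of the original and writing the new file atomically, so a failed write cannot leave a half-written service definition behind. The file name, the key `Disabled`, and the launchd-style sample plist are constructed for this example; the thread does not say which plist or key the actual FTP fix touched.

```python
"""Change a single key in a macOS property list (plist) safely.

Added example; not code from the mailing-list thread or its participants.
The sample plist, file name and the key being changed are constructed
placeholders. plistlib reads both XML and binary plists.
"""
import os
import plistlib
import shutil
import tempfile

# Constructed sample: a launchd-style job plist, not any real Apple file.
SAMPLE_PLIST_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>example.ftpd</string>
    <key>Disabled</key>
    <true/>
    <key>Program</key>
    <string>/usr/libexec/ftpd</string>
</dict>
</plist>
"""


def read_plist(path):
    """Parse the plist at `path` (XML or binary) into Python objects."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def set_plist_key(path, key, value, backup_suffix=".bak"):
    """Set `key` to `value` in the plist at `path` and return the new dict.

    The original is copied to path + backup_suffix first. The new content
    goes to a temp file in the same directory and is renamed over the
    original, so the file on disk is always either the old or the new
    complete plist, never a truncated one.
    """
    data = read_plist(path)
    if not isinstance(data, dict):
        raise ValueError("top-level plist object is not a dict: %s" % path)

    shutil.copy2(path, path + backup_suffix)   # keep a pristine copy
    data[key] = value

    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".plist-edit-")
    try:
        with os.fdopen(fd, "wb") as fh:
            plistlib.dump(data, fh, fmt=plistlib.FMT_XML)
        shutil.copymode(path, tmp)              # preserve permission bits
        os.replace(tmp, path)                   # atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise
    return data


def demo():
    """Write the sample to a temp dir, flip Disabled, and report the states."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "example.ftpd.plist")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_PLIST_XML)
    before = read_plist(path)
    set_plist_key(path, "Disabled", False)
    after = read_plist(path)
    backup = read_plist(path + ".bak")
    shutil.rmtree(workdir)
    return {"before": before, "after": after, "backup": backup}


if __name__ == "__main__":
    result = demo()
    print("Disabled before:", result["before"]["Disabled"])
    print("Disabled after: ", result["after"]["Disabled"])
    print("Backup kept Disabled =", result["backup"]["Disabled"])
```

On a real system you would point `set_plist_key` at the file you actually mean to change, compare it against the `.bak` copy with `diff` before reloading the service, and keep the backup until the service is confirmed working.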
On Apr 25, 2007, at 6:12 PM, Michael Pike wrote:
David:
No offense, but that is not an anonymous website... and that package
was written by me.. so I know it's not malicious.. that website is
linked to my personal account. I wouldn't hand out an anonymous
installer.
1) it's not a random installer, it was written by me and works fine on
all of our X SERVERS
2) it's not an anonymous site, it's a personal site of mine.
Thanks,
Mike
On 4/25/07, Dave Schroeder <email@hidden> wrote:
Um, yeah...
Even if this is perfectly legitimate, please do NOT run non-vetted
random installers from anonymous download sites on your systems.
You'd have to be an absolute fool to do this.
And anyone who is administering Mac OS X Server systems
professionally who doesn't know how to edit a plist file (in numerous
ways) should probably not be administering Mac OS X Server systems...
- Dave
On Apr 25, 2007, at 3:29 PM, Michael Pike wrote:
> Link to file (ftp server fix, quick and dirty, don't run on client
> only server):
>
> http://www.onlinefilefolder.com/index.php?action=getshare&type=0&user_num=46969&share_id=131326&hash=6dd0d83bf7b95a3e31e516deb6a8a45d
>
>
> On 4/25/07, Paul Nelson <email@hidden> wrote:
>> Who at Apple are you expecting a response from? Is it the
>> AppleCare people
>> that are not responding?
>>
>> Paul Nelson
>> Thursby Software Systems, Inc.
>>
>> on 4/25/07 1:08 PM, Roy Mendelssohn at email@hidden
>> wrote:
>>
>> > It is not that Apple made a mistake - that happens - it is the total
>> > silence from anyone at Apple about this and the zero lack of response
>> > from Apple. If you expect people to run operational shops using your
>> > hardware/software - you had better do a better job than this.
>>
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>>
>
>
> --
> Michael Pike
> iChat/AIM: email@hidden
> Jabber / GoogleTalk: email@hidden
> Windows Live Messenger: email@hidden
> Yahoo Messenger: email@hidden
--
Michael Pike
iChat/AIM: email@hidden
Jabber / GoogleTalk: email@hidden
Windows Live Messenger: email@hidden
Yahoo Messenger: email@hidden
Attachment:
smime.p7s
Description: S/MIME cryptographic signature