I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly.
I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
