In the hopes that developers will use this to promote their Tiger-ready projects, I present you with a gigantic Tiger logo layered Photoshop file. The dimensions of this thing are huge — 2576 x 3067! It includes the OS X logo, drop shadow, grey spotlight, and black background, all on their own layer (or as layer effects). I’m sure Apple has some guidelines on all logos and branding, so in the interest of channel guidelines, please use it tastefully. Enjoy (7.7 MB zipped).
Xbox-Scene recently posted a link to an Xbox 360 introduction video:
The first official Xbox360 is out – and it confirms pretty much everything we knew so far, the ‘Xbox360’ name, the Xbox360 logo, the wireless controllers, the specs, the skinnable front plates, the look and design of the console, contoller and much more.
I want one.
I created these RSS and XML badges for a project, and I was happy with how they turned out. I’ve seen bunch of tutorials on the web about how to create aqua-looking images, so I thought I would add this to the list. You can obtain the original layered Photoshop files here, for RSS and XML. They were saved in Photoshop CS2 with compatibility mode on, so they should open with past versions just as easily. Feel free to use them for whatever you want.
Yesterday, an article on Slashdot about Dashboard widgets got my attention. It has been discovered that widgets pose a possible threat to users’ systems, as they are automatically run when downloaded. A specially crafted web page can direct your browser to download a widget, and Safari’s default behavior is to decompress the .zip archive. The Finder recognizes the .wdgt extension of the newly unzipped file, and launches the widget. In most cases, this makes for a very user-friendly Dashboard experience. However, user-friendliness almost always comes at a cost. Any code contained within the widget gets run, and that’s where the threat comes in. Some code gets run on the target system without any action on the user’s part, other than loading a web page in Safari.
Widgets do have a security layer provided by Apple, and it is built into the Info.plist files within each widget. A standard widget has no access to the internet, the command-line, files outside the widget bundle, Java applets, browser plugins, or widget plugins. In short, without your permission, a widget is effectively in its own sandbox and can do nothing harmful. When a widget needs access to one or more of these resources, it asks for your permission upon launch. When you click “Accept”, the widget can do whatever it needs.
From a security-oriented point of view, I think the main problem with the widget security layer is that the would-be “attacker,” a widget with bad intentions, defines its own security limitations. Mentioned above, each widget’s security is controlled by the Info.plist file written by it’s author and stored inside the widget bundle. A better solution might be to present the user with a dialog that details what resources the widget is requesting, allowing the user to decide what the widget should be allowed to do. This problem is made worse by an overly simple security interface. Different levels of security controlled by one “Accept” button. If the widget is going to define it’s own security limitations and the user will only see one button for any or all of them, why have more than one level of security? A single “AllowFullAccess” key in the Info.plist file would suffice. Future versions of Dashboard may see a security preference where users can control the level of access they would like widgets to have. This may be a bit of a problem, though, because not all users are aware of what a widget needs to do it’s job, and they really shouldn’t have to know. A solution lies somewhere between what the user knows about the inner workings of a widget and what security allowances are necessary for the widget to function. At best, the user needs to be able to easily control what a widget can do without knowing how it works. This is the type of situation in which Apple’s wizards excel, and I look forward to an elegant yet effective solution.
So what can you do to protect yourself right now? The front line for stopping harmful widgets from automatically installing themselves is to change your Safari download settings, as Safari expands widget archives upon download. In Safari’s “General” preferences tab, uncheck “Open ‘Safe’ files after downloading.” With this unchecked, all widgets and files that download and would normally be auto-opened are simply saved to your default download location in their respective format. While you can still “infect” yourself by opening the archive and running the widget, nothing happens automatically without your permission. Turning off the opening of “safe” files may cause you to go through one more step after downloading something, but your computer’s security is worth the time it takes to switch out of Safari and examine a file before you run it.
The second thing you can do to help protect yourself is learn where widgets are stored in Mac OS X. While widgets can be run from any location via a double-click, they aren’t listed in the Widget Bar (which is activated by clicking the plus symbol in the lower-left of Dashboard). Widgets listed there are kept in the main Library folder inside the Widgets folder, at /Library/Widgets/ inside your boot drive. Optionally, widgets can be kept in separate folders for each user, under your Home folder, then following the same structure above. You can add or remove widgets from either folder, and the Widget Bar will be updated. Stephan.com, the origin of the widget security threat report, claims that “the Dashboard bar is not very good about updating when a widget is removed, but eventually it figures things out.” From my own testing, though, I find that the Widget Bar gets updated as soon as you add or remove widgets and activate it again. Alternatively, you could use Widget Manager to control all the widgets you use.
Finally, you can also learn how to stop an active widget in its tracks. By opening Activity Monitor, in the /Applications/Utilities/ folder, you can see all current processes running on your machine. If you type “dashboard” into the “Filter” search field at the top, you will filter the process list to only dashboard widgets (and whatever else may happen to have “dashboard” in its title). Using the list of widgets, you can click on one and click the red “Quit Process” button, then “Force Quit,” and that widget will be stopped, regardless of what it was doing. While not the best solution, it’s a fairly simple way to end an annoying widget that just won’t quit.
Update: Several other sites commented on the widget problem:
- The Unofficial Apple Weblog: The Problem With Widgets (Part 1, Part 2)
- Macworld:News: Dashboard: Widget (In)Security
- Macworld:News: ‘Zaptastic’ widget demonstrates Dashboard exploit
- The Mac Observer: Developer Demonstrates Dashboard Exploit
I still find a surprising amount of people who are convinced that they won’t be able to open a Mac Mini and upgrade it. It’s incredibly easy to do. Other World Computing has a great (200MB!) video tutorial on opening and upgrading the Mac Mini, and it can be found here, along with videos for a bunch of other Mac models.
TV Tracker is a Dashboard widget which pulls down Yahoo TV listings and displays them in a clean, glossy, very Mac-like interface. Immediately after opening and playing with TV Tracker, you’ll notice how responsive the interface is, as well as little details such as the progress dots on the back and custom scroll bar on the front. Like all widgets should be, it was idiot-proof to set up and use. TV Tracker is a prime example of a well polished third-party widget.
The gang from The Screen Savers (Leo Laporte, Patrick Norton, Kevin Rose, and Robert Heron) have started a Podcast called “This Week In Tech.” I’m glad to finally have a consistent stream of tech related content, be it audio or video. The newest “This Week In Tech” Podcast is an hour long, and I couldn’t be happier about it. Audio is a nice medium for this because you can listen to it on the way to or during work, whereas video takes more attention and bandwidth. However, I’m also looking forward to Kevin Rose’s new video project, Systm (no ‘e’). Keep up the awesome work, guys! Glad to have you back.
Here is a link to Leo’s This Week In Tech web page with torrents for bookmarkable AAC files, which will play on iPods, iTunes, and QuickTime Player. Bookmarkable AAC files are my choice for audio content of this sort because you can pause it, and the playhead position is saved so you can come back to it later and pick up right where you left off. Better living through audio formats. Enjoy!