This guy noticed with the 10.4.7 update there were some interesting phone-home things going on. The comments dig into the new process called dashboardadvisoryd, which seems to snag two apple.com resources. The support note says “You can now verify whether or not a Dashboard widget you downloaded is the same version as a widget featured on (www.apple.com) before installing it.”

There is no doubt Apple collects statistics on their website traffic. No one is arguing that for Dashboard to work effectively, it needs to connect to the Internet. Is it ok for these two things to combine? As computer users, should we give up a little privacy to ensure security? I suppose the bigger picture is the boiled frog syndrome, where we continue to slowly give up our information until the web knows more about us than we know ourselves.

To date, Apple has a pretty good track record in this arena, and dashboardadvisoryd hasn’t shown it collects your ‘Me card’ from your address book and ships it off to Apple along with the last 50 websites visited. It does seem that Apple is on the lookout for outdated widgets and creating an update mechanism for these miniapps. Perhaps this little process is capable of acting as a sort of antispyware mechanism as well.

Trust me on this, the days of spyware widgets are near. If you know that, and you’re on Apple’s Dashboard team, how do you prevent that day from ever occurring? By keeping one step ahead of the people who would make such a widget.

Edit:

Apple has posted a response via CNET

  1. personally i’ve got exactly zero problems with apple collecting usage/widget information about my dashboard. if anything it’ll help them improve (like by preventing spyware or keeping stuff up-to-date like you said)…

    i really don’t get the people who get all fussy about this. newsflash apple doesn’t care enough about you to get any personal information… what’re they going to do with it? sell it to someone? unlikely, it would be a PR nightmare and could hardly be that big of a money maker for them. similarly this isn’t like microsoft trying to break your os if there is any chance in hell your product key is invalid, it’s just apple trying to keep tabs on what’s going on with dashboard… THAT’S ALL!

  2. what ryan said

  3. Todd – I think you’re absolutely spot on. Having a kill switch for rogue widgets is absolutely necessary. It strikes me as the weakest part of Apple’s platform on some very simple grounds – a LOT more people know JavaScript than know Cocoa. And people don’t think of them as applications.

    Let’s think about the consequences of the following two links:

    http://www.alastairs-place.net/archives/000079.html

    http://www.oreillynet.com/mac/blog/2006/07/giving_your_widget_that_sudo_v_1.html?CMP=OTC-13IV03560550&ATT=Giving Your Widget that sudo Voodoo

    I’m thinking – an otherwise useful widget throws up – ‘There is a new version of this Widget. Install. Cancel’. Pressing Install throws up something that looks like the standard ‘You do not have permissions. Authenticate’ dialog. Then uses that to open network sharing and send the admin password out somewhere public.

  4. Well if they say that they are doing it, no problem with me, a company collecting info this way to better their product and openly admitting it says to me “good company trying to better their product”. On the other hand even if they aren’t doing anything with the info (other than making the program better) why “hide” it from me or not actively inform me as a good PR manager would probably call it. I might be a little paranoid but when for example my supermarket does this in the form of a bonus card, i know they save a lot of money from research but i’m getting something back from it in the form of cheaper products (the same way i would get something back from better software), the difference is they are open about it, that makes a lot of people feel more comfortable about it, as a result my supermarket gets 0 complaints about it. I’m guessing apple is going to get a lot of people asking questions about this.
    But i really don’t have a big problem with this kind of research in general, as long as my name isn’t put next to the data for “future use in case of company money problems” of course. :)

  5. Jules,

    Once you give a rogue widget (or anything on the system, for that matter) your password, then it can do whatever it’s scripted to do.

    One of my wishes for 10.5 or later is the option during setup to separate the admin account privilege completely from the user created. The problem with this is I don’t have a better idea for Unix security and ease than what Apple already did. Perhaps, it is better then to just set a different password than to match what the user and root have. Sure this can be done as an afterthought, but realistically most users don’t know to open Terminal and issue ‘sudo passwd root’, or to set a master password for the system.

    The industry has created a lot of problems for itself! Security versus convenience has a long way to go…

  6. I’m ok with my computer sending some info back home, but I wish it did it in a more proper way.

    I won’t doubt that it’s done for our security but, at first sight, it looked like a security threat itself. A warning message or an option to turn this thing on and off would be the best practice to do it.

  7. I don’t have a problem with Apple verifying a widget but — eventually everything is ‘spoofable’. Eventually people who believe nothing bad can happen to a mac (who will never employ a silly thing such as a firewall) will have no idea which widgets are accessing which ports and for what reason.

    (I am not affiliated with any software companies, but…) I use LittleSnitch on my Powerbook and Zone Alarm on the PCs in my house.

    – i’m not insecure. i just don’t trust a lot of people

  8. This is related to the 10.4.7 update, but not the dashboard phoning home. I noticed my apple and spotlight on the menu have become smaller after the update. Has anyone else experienced the same thing, or I am just imagining it?

  9. It is in fact smaller… very strange. My fiance was holding off updating her macbook just to see what happened with the ‘guinea pigs’ first :) and I checked it against hers last week before the update… Sure enough, it’s smaller on my powerbook now. I actually kind of like it.

  10. I feel secure with my widgets as long as I have an app like Little Snitch. It alerted me when dashboardadvisoryd came up.
