This is a big part of why we're at such an exciting point with autonomous vehicles: there are several highly promising, meaningfully different methodologies contending right now, including Google's top-down approach, Tesla's incremental approach, and even Comma.ai's maverick pure-learning approach.
I think there is something to say to how the media is portraying bloody rivalry between tech companies. I'm sure most of them don't have the same tension we have in media, and they all hang out with each other.
As an anecdote, I know that Steve Jobs used to hang out a lot with Bill Gates and Eric Schmidt, and I also know a few Microsoft employees who are really good friends with Apple and Google employees.
I'm curious as to why you decided to leave out push notifications. That was one of my favourite Parse features, and I think it's why a lot of people use it.
Was it too hard or time-consuming to reimplement?
I'd like to add that this is a great example of how a great In App Purchase can be utilised in place of free trials. People are so against IAP because of companies like Zynga, but there are good examples of IAP like this one.
Isn't this the time when the Mac App Store is supposed to shine? When they found something that's dodgy and linked to a company that has apps on the App Store, can't they just turn on the kill switch? That way the malware won't have anywhere to direct the users to.
It's not clear whether this "adware installer" is signed by a developer cert. I'm gonna guess it isn't, which means under the default settings, if a user double-clicks it to execute it, they'll be presented with a message saying that the app can't be run because it's "from an unknown developer" and the current settings disallow it. The user can get around that by right-clicking it and choosing "Open" (or switching Gatekeeper to be more relaxed), but the error message doesn't allude to this.
Edit: And if it is signed: yes, I believe Apple could and presumably would push out a malware update that would invalidate the cert.
I'm getting at the fact a shell script with this exploit can be made to look like an "app" and be "double-clickable", and doesn't require any code signing.
Gatekeeper also watches over shell scripts, so when you double click the shell script it will tell you that you can't open it because it is from an unidentified developer.
You're thinking of quarantine. You'll get a warning saying the script was downloaded from the Internet, asking if you're sure you want to open it. Again, nothing to do with code signing.
I think you are misunderstanding something. Shell scripts and unsigned code are treated exactly the same by Gatekeeper.
When you double click a shell script downloaded from the internet, the warning will not ask you if you want to open the file. The warning will tell you that you can't open it because it is from an unidentified developer.
Let me try to clarify this:
"Quarantine" is a flag set on files downloaded from the internet.
When you open a file with the quarantine flag, Gatekeeper checks the code signature. If it is valid, it asks you if you want to open this file that you downloaded from the web. If the code signature is not valid, or if the file has no code signature, you won't be able to open it.
There are several ways to execute shell scripts downloaded from the internet:
1) Check "Allow all Applications" in System Preferences
2) Right click, select open. Then the warning will have a second option to open it despite being unsigned
3) Execute it from the command line
All of these presumably require the user to know what they are doing...
I haven't gotten to try it to confirm but I'm having trouble imagining why an unsigned .app bundle containing a binary executable would get the code-signing error but one containing a script wouldn't. Is that in fact the case?
Sorry for not making this more clear. Create a shell script with the exploit, then remove the .sh extension. You can edit the icon to make it appear as any application and when double-clicked it will open and run in Terminal.app.
Ah, thanks for clarifying. I suppose it wouldn't have execute permissions if downloaded from a browser, but it could if copied with Finder from a network share (or directly accessed, of course), so that sounds like a potential vector.
This is bullshit. If you actually put that disk image on a web server, and then download it, you'll get the unidentified developer warning and you can't run the script (there will be no button to open it).
Gatekeeper and code signing work hand-in-hand. You can run any unsigned code you want, as long as you didn't download it from the web. For example, Gatekeeper won't prevent you from running unsigned code you compiled yourself, or from running code you installed using a package manager.
OS X is smart enough to know that a shell script is equivalent to an application. You can't fool Gatekeeper quite that easily.
Oh, yeah, I should've thought about dmgs. Yikes... that seems "not OK"; but if they made shell scripts require signing I imagine that'd probably break lots of stuff.
> When they found something that's dodgy and linked to a company that has apps on App Store, can't they just turn on the kill switch? That way the malware won't have anywhere to direct the users to.
If Apple did this you could take down any app from the App Store by writing some malware and making it "advertise" the App Store listing.
It actually makes me hopeful that New Horizons will have a chance to look further on things in the Kuiper Belt. It's a very interesting area that doesn't get much attention.
I was upset about not orbiting Pluto initially but the objects they've identified in the Kuiper Belt are dissimilar so that information will be just as valuable IMO.
I think in the long run Google might be building the correct solution for a greater number of people.