Just get LittleSnitch and turn it off for good.

I'm a die-hard Apple fan, but not an ignorant one. This "feature" is pure BS... 3 times a day to check to see if your clock widget is OK? WTF good is that? I truly do hope that Apple backs up off of this one. If not, I fear them adding more "features" like this one that sure as hell aren't wanted nor needed.

Perhaps Ubuntu really is the way to go anymore.

Linux is the answer. Suse is a nice alternative, you looked into it?

That is incorrect. I just turned mine off via Termial last night thanks to Cult of Mac.

They havean easy way to turn it off...

http://blog.wired.com/cultofmac/index.blog?entry_id=1515043

It doesn't simply check if your widgets are "up to date": it checks to make sure the widgets you download matches the version that apple is offering.

This is a SECURITY check to make sure a user hasn't been told they are downloading an authentic Apple widget but instead is given some malicious widget instead.

Do you want your OS provider to be proactive about your security or not? If some malicious widgets got out there and Apple hadn't done anything, everybody would be crying foul about that.

Apple should have mentioned that the OS would do this, just in the interest of full disclosure (and to prevent expose posts such as this). The activity itself is not questionable but instead commendable.

People who complain about privcy issues are just way too paranoid! Most widgets contact their makers anyway to check for updates, so this really isn't much difference!

I'd be happy if they issued a statement about this. Not overly concerned about the activity, just the stealthy nature of introducing it.

I don't mind. All my stuff is legit. I just don't like you not telling me. Thats what is not right.

If you ask me, this is not just for security. Lets say someone has a pay-for-use widget that checks for a serial number. Hacking the widget to operate without said serial number is trivial. However, such changes would be caught by this system. This might be more for widget commerce than security.

Widgets are powerful and anyone can make them. Ensure that widgets don't contain malicious code is VERY important. I am not sure if I agree with an automatic check like this though - it should be controllable by the user.

In my opinion all widgets, and I mean ALL widgets, should be free. If you need to charge for it, it shouldn't be a widget. And I am a developer.

Padriac, why would Apple need your computer to phone home 3 times a day in order to make sure you are downloading an authentic Apple widget? Apple would just need to check at installation time.

So is Apple going to stop airing that commericial where they say that "everything is inside the box" or something...i presume that's what they say in all of them..

I'm kind of glad my mac is usually asleep all day.

Kinda bothers me, and i don't even use widgets. I have like 2 or 3, and they're stock widgets. I never got into those things.

Big deal. Lots of your applications do a version check. The only ones who do care probably have pirated software on their machine.

I think Widgets is an exposure to OS X, and Apple is probably trying to keep a handle on them. If Apple was really worried about such things, they should be more proactive and create an app that will scan your machine for potential problems, but that would be admitting there's a problem.

I have yet to find a useful widget that I use on a daily basis and have ended up turning off all dashboard shortcuts and disabling it using the hint from macworld.
http://www.macworld.com/weblogs/macosxhints/2005/08/disabledashboard/index.php

How is this any different than Apple's Software Update checking to see if I need to update my OS X software? Security issue, ha! Apple has been doing this for years.

I say just disable dashboard (with tinker tool), use Yahoo! Widgets (Konfabulator) and get Little Snitch!

Done :)

I checked out this story on Digg the other day and it was flagged as false information. The general consensus was that it's not a security issue as no data is sent to Apple's servers. The comparison is done on the local machine from data that is sent to you, and the widgets will update if they do not match. This is a non-story.

Security holes? In OSX? What?

i remember early on, when i'd pop into dashboard the weather / rss widgets would take a second to jump into action, they'd show old info "Cupertino: -5' C" for a second and then *bang* "Cupertino 25' C"... this doesn't happen anymore, not that the 1 second delay bothered me, its just nit-picking... but it looks like this update fixed it.

i don't know for sure - possibly 'phoning home' here too... i read the personaltechpipeline, i don't like their attitude at all; are all their readers pirates?

I agree with Padriac.

If you want a good protection, then this is a good idea.

I don't think Apple would steal information, why would they.

Apple doesn't care if you pirate their OS. They don't make you activate it, there's no registration involved, they make enough money off of the hardware and the iPod that a couple of people downloading OSX doesn't bother them.

one more for LittleSnitch.. it's DENIED FOREVER!

I HAVE FAITH IN YOU, APPLE!

Hey, OSX is a police state already. Roll with it.

"Perhaps Ubuntu really is the way to go anymore"

That's got to be the ugliest ever sentence structure I've ever seen in my young life, ever. Anymore. wtf.

wow.. I didn't know that "bad" widgets have been a problem enough for Apple to implement a 3 times a day check for them.

> This is a SECURITY check to make sure a user hasn't
> been told they are downloading an authentic Apple
> widget but instead is given some malicious widget
> instead.


> Do you want your OS provider to be proactive about
> your security or not? If some malicious widgets got
> out there and Apple hadn't done anything, everybody
> would be crying foul about that.

yes, and i'd love for the government to listen into all my phone calls and read all my emails 'to protect me from the terrorists' too... it's an extreme comparison, but not unjustified.

if people are downloading 'malicious widgets' that are attached to spam, maybe they need to learn how to use their computers. why do we not expect the same from any other consumer product?

BUT I POURED THE COFFEE IN THE TOASTER TO HEAT IT UP! WHY DID IT BURN MY HOUSE DOWN? WHO CAN I SUE?

This is a check for updates. The sort of check a lot of modern software has a feature.

What happens is the software sends an http GET request for a small piece of information, often a single integer.

For example, say you launch ABC Company's BananaCounter v1.0.2. At startup it may hit the ABC server and retrieve the integer "103." The software could then present a dialog saying,

"A later version of BananaCounter is available. Do you want to download version 1.0.3?"

Many pieces of modern software have this check. It is a convenience for the user.

It can be disabled, it doesn't report information to the company, and the only real reason to have this "shocking revelation" as such as prominent headline everywhere, is that the sites knows the "controversy" will draw page views.

I guess that's the business model of the blog: spread FUD and get clicks!

In the end, when it comes to socially engineered malware, it all boils down to what eventually gets installed should the user choose to do so. Period. Whether said malware gets installed by morons who "need to learn to use their computers" or computer experts who legitimately got duped or even really bright people who just don't have the time to scour the internet for hours everyday learning about the latest threats is of no consequence. When user error is at fault, the only way to protect the user is to help them undo their mistakes.

No amount of password verification or OS security will prevent a perfectly, socially executed piece of malware. The last line of defense is the user's hard drive itself. Phoning home at installation (Tim) won't even cut it (one can easily imagine a hack where the malware installs after the authentication phase).

Others have detailed what is actually getting reported to Apple: the name of a widget that is possibly malware and an IP address. Apple gains NO information about you. What is so wrong with this approach? You can still "pirate" widgets should you be so inclined (markm; and, yes, all widgets should be free) and Apple doesn't know who you are or what you are doing. Just that you have X widget installed. This same information is available whomever you downloaded the widget from (which is likely Apple anyways).

There is no question that we need to remain vigilant when it comes to Big Brother tactics. But we should not throw the baby out with the bath water: all instances of an app phoning home are not necessarily evil. In this case an app is phoning home to save you from your own (potential) mistakes. Sounds good to me, but Apple needs to DISCLOSE this stuff outright to avoid looking shady: "Hey guys, dashboard is going to connect to our servers to make sure you haven't been tricked by malware. This is the information it collects and sends to us. We don't store this information. Contact us if you have any further concerns. Thanks."

I'm pretty sure I just skipped over the documented masters thesis right above me and only concentrated on the kid that pointed out the horrible grammar. Way to go young person! My question would be, why connect 3 times a day to check Widgets that I'm sure a small minority actually heavily use? I don't, but maybe thats because I have a PC...

OMG. Who cares?! Who on Earth are the paranoid freaks who think every call to a server is "an invasion of privacy?!" I guess it's worth noting *if* it's actually a problem, but stories like this make those who are on the fence jump right over to looneyville. Just say "no."

I'm surprised at how many people are saying, "No big deal!" when those SAME PEOPLE constantly lambaste Microsoft for the WGA phoning home.

Phoning home is a bitch, but you know what - it's going to happen more and more.

You guys are pathetic. You Mac obsessed robots are always trying to defend Apple "Oh they're doing it for your benefit". WHY are you supporting an act of blatant breech of privacy. Sure it's just some minscule information but so what? And the fact that it can't *easily* be shut off makes me question Apple's supposed integrity. Apple is just another company looking for better ways to make money. It is not some messianic saviour from the bondage of Wintel. I'm a huge Mac fan and mac user, but I will not be submissive to a company secretly taking info from me. You blind and ever-faithful can do what you want, but don't be surprised of another WGA episode.

Do people even read the posts before making comments anymore?
It has already been stated that information is NOT sent to Apple servers, but infact information is sent TO your computer for a comparison to take place. This simply means that (as stated above)if someone has downloaded a dodgy widget, their computer will realise and update/inform them.
If the Mac platform really does take off, and its market share does increase sharply, then the ratio of stupid people per computer will also increase... due to all the switchers...so stuff like this will be useful to stop future (probably immanent) infections from malware, virus attacks etc. :p

I just read some more comments as they were added here...*you are blind* * i will not be submissive* *socially engineered malware* maybe you guys should chill, spend a little less time talking big on a forum and spend a little more time working on that novel you've been working on...

Ok, now we should complain about Apple for a while...
As stated, this is for checking that your your "Dashboard Widgets are up-to-date". All programs these days use atomatic updates and check if there is a new version. Nothing starnge in that. But, I guess Apple should inform about it and make so you can dissable it.

I honestly don't think this is anything malicious, but like the iTunes Mini Store, it might cross the line a little bit.
Regardless of their intent, it's a feature I don't need so why not just turn it off: http://www.macosxhints.com/article.php?story=20060705012530786

Big deal. Windows, if not most of my Windows applications check for updates when they start up. However Apple should have let user know what is happening.

Is this new feature optional (i.e. can you turn it off)?

I think it's a control issue.

Meh. I can't believe everyone's making such a big deal about this, though I suspected as much after the iTunes Mini Store thing. (Though that, at least, was a lot more justified than this one.)

I noticed Little Snitch alerting me after I updated to 10.4.7 so I checked it out with Ethereal. It's innocuous, at least as far as I'm concerned, so I let it go.

It looks like a security mechanism to check if any malicious/blacklisted widgets are installed. (As my system sends no information whatsoever it's pretty likely that it's a blacklist.)

For the paranoid, here's a recent packet capture I did of the conversation. Basically, dashboardadvisoryd makes two HTTP GET requests and, amazingly, gets two responses from Apple's webservers. Your system sends NO OTHER INFORMATION, though Apple does get your IP address, just like every other webserver does. Oh the horror!

Here's the skinny:

--------- GET number 1 ---------

------ client request ------

GET /widgets/widgetadvisory HTTP/1.1
User-Agent: CFNetwork/129.16
Connection: close
Host: www.apple.com

------ server response ------

HTTP/1.1 200 OK
Age: 11392
X-Cache-TTL: 75008
Accept-Ranges: bytes
Date: Fri, 07 Jul 2006 15:49:40 GMT
Content-Length: 2095
Content-Type: text/plain
Expires: Sat, 08 Jul 2006 15:49:40 GMT
Cache-Control: max-age=86400
Server: Apache/1.3.33 (Darwin) PHP/4.3.10
Last-Modified: Thu, 08 Jun 2006 22:08:55 GMT
ETag: "82f-44889ff7"
X-Cached-Time: Wed, 28 Jun 2006 06:14:24 GMT

----- BEGIN SIGNATURE -----
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEOi+qBbNkDp0nAQAAAAAAAAAAAAAuAAAAAAAAACYAAAAAAAAAAABIOEHzTnY9yhcFfWh/8KSqN7WlRXUAAAAAAACgggO2MIIDsjCCApqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUQXBwbGUgQ29tcHV0ZXIsIEluYy4xEjAQBgNVBAsTCURhc2hib2FyZDEeMBwGA1UEAxMVRGFzaGJvYXJkIEFkdmlzb3J5IENBMB4XDTA2MDUxNzE4MDkxN1oXDTM2MDQyOTE4MDkxN1owXTELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEFwcGxlIENvbXB1dGVyLCBJbmMuMRIwEAYDVQQLEwlEYXNoYm9hcmQxGzAZBgNVBAMTEkRhc2hib2FyZCBBZHZpc29yeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJkOc7PdgTrpeDvBwZ59e7CDdWiTauUxSDwm8SA4JgrQ+Gwj7c/T1KgJI57F8Eq8fju+Ckq0/p+uVLUQJ2beCYPydyKJpH5Je5g9iB9iUUoO8uamSloFOJMFOYOPn8kPKjtKvYEs2NSf8+LK+S8tOTO0ng8jfPmcTDpiTVFh3rmukoypZJ722iBXJS5MOjXwGeMd8eib3mbPrHi4kFhQzuG48d7f7LrPdQ+mIfMk69yAymGtyQf7Uubi8wXGgKxUBXkS3EE8l8Pd6mybz5Yz/42RPfEG2FrinaggJE/TaW4Kb9Di5S4jt/j8csA+6YYMR7GxGuC/hoo+gHimG+kD1UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgeAMA8GA1UdEwEB/wQFMAMCAQAwFQYDVR0lBA4wDAYKKoZIhvdjZAQBBDAdBgNVHQ4EFgQUlxwKOog1HQ1DbOELsmm3KEMOVuYwHwYDVR0jBBgwFoAUSr8UjJUmkWRrNzinPFKtr9B5FN4wDQYJKoZIhvcNAQEFBQADggEBAHOofvRSyOEIXgYsaWZDIBFdV61hZ3CTkdTD9rq6DnECW/gwhTcLZHuAG/MfWJeake+jKUGPTNnVIcRczCqOXoqlLgoKwAzzg+DOqsa5UpEqvL3lrhELbBcj+c0cg1Pbng4w+VIpQgE0t29umqV4TXH/jkBygQrl0IsQoDKsW1HxAAMjrm1xF7Z6RYXpIi5QNw26768puZu+BUWj12vE89Z5GqXigvnet+M83jgiRvBYMQrlDnuITZ3ZPtlKowIqGvqYMJ4gUXJR//1Pd/oMKJv0GHQZtm6E4KXxpbpqZytNV2S1xxYvzjvsd+Txe04GzSZPMDvZ8JtcZPuG6pmyaLYxggGMMIIBiAIBATBlMGAxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRBcHBsZSBDb21wdXRlciwgSW5jLjESMBAGA1UECxMJRGFzaGJvYXJkMR4wHAYDVQQDExVEYXNoYm9hcmQgQWR2aXNvcnkgQ0ECAQIwCQYFKw4DAhoFADANBgkqhkiG9w0BAQEFAASCAQCwtBTzu2nqG44g13ihSNGgyYVhDdIknwGCkJeGR1brO8X/TQskasXeqLsUFjtMtZyDKcFiMPq7BCfaM/SkwCi8lCmCrYxQVccBIQt19sHpQFj/+u2C0KI7603jgbOCN8rgvojmvCPVYkc13/bM5vwl7Oxtu5fgnmCqwSk5lkZJl4AJT0Ju9kBXY7dnRGgb5mCkCJCdU5CW5FQ4wlguARLmir6wR3f8n6xRTyYru2OlJJZwEr0ayqrEKBHgXY3+BYcpN+P3MPmpCoS83vNcYzItHbNmh9v6Ln7uUR3H2l5lFshqK2p3pgqXBYBTmv03uAp2L2pF0J6MdBirohWiqq31AAAAAAAA
----- END SIGNATURE -----
BEGIN;
INSERT OR REPLACE INTO meta VALUES ('serial-number', 1);
COMMIT;

--------- GET number 2 ---------

------ client request ------

GET /widgets/parser.info HTTP/1.1
User-Agent: CFNetwork/129.16
Connection: close
Host: www.apple.com

------ server response ------

HTTP/1.1 200 OK
Age: 11586
X-Cache-TTL: 74814
Accept-Ranges: bytes
Date: Fri, 07 Jul 2006 15:46:26 GMT
Content-Length: 4
Content-Type: text/plain
Expires: Sat, 08 Jul 2006 15:46:26 GMT
Cache-Control: max-age=86400
Server: Apache/1.3.33 (Darwin) PHP/4.3.10
Last-Modified: Thu, 18 May 2006 21:51:56 GMT
ETag: "4-446cec7c"
X-Cached-Time: Tue, 04 Jul 2006 22:24:46 GMT

....

--------- end ---------