Comment Re:Seems to not understand how it works (Score 1) 130

The entire point behind Gatekeeper is that it prevents (most of) the most common attack vectors: web downloads and email-borne malware. Using the XProtect engine, it does a really good job of this. So much so that most of the malware authors that were targeting these attack vectors have since moved on to the greener pasture that is Android. However, until the common torrent clients start setting the download flag on files, cracked commercial software and "videos" downloaded via torrents will still be a really easy way to take over a victim's Mac.

Of course, if someone's downloading cracked software, they're going to expect the checksum to fail anyway, and use the right-click-"open" method to evade Gatekeeper even if the torrent clients start setting the metadata appropriately.
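
The "download flag" the comment refers to is the com.apple.quarantine extended attribute; Gatekeeper and XProtect only evaluate files that carry it. The script below (an added example, not code from the original comment or from Apple) reads the attribute with the macOS `xattr` tool and decodes its usual "flags;hex-timestamp;agent;uuid" layout. The flag bits are left uninterpreted because their meanings are not documented; the sample values in the docstrings are constructed.

```python
"""Check whether a file carries the macOS quarantine attribute that Gatekeeper keys on."""
import shutil
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int               # raw hex flags field; bit meanings are undocumented, so not decoded
    downloaded_at: datetime  # second field: hex seconds since the epoch, reported as UTC
    agent: str               # third field: application that wrote the attribute, e.g. "Safari"
    uuid: Optional[str]      # fourth field: download UUID, absent on some files


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode a raw attribute value such as '0083;5f1a2b3c;Safari;<uuid>' (constructed sample)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via `xattr -p`, or None if the tool is missing or the file has none.

    A None here is exactly the state the comment describes for torrented files:
    no quarantine flag, so Gatekeeper never looks at the file on first launch.
    """
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def will_gatekeeper_inspect(path: str) -> bool:
    """True when the file is quarantined, i.e. Gatekeeper/XProtect will evaluate it when opened."""
    return read_quarantine(path) is not None


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        raw = read_quarantine(p)
        if raw is None:
            print(f"{p}: not quarantined (Gatekeeper will not inspect it)")
        else:
            info = parse_quarantine(raw)
            print(f"{p}: quarantined by {info.agent} at "
                  f"{info.downloaded_at:%Y-%m-%d %H:%M:%S}Z, flags=0x{info.flags:04x}")
```

Run it as `python3 quarantine_check.py ~/Downloads/*` on a Mac; a file fetched with a browser prints the agent and download time, while one dropped by a torrent client typically prints "not quarantined", which is the gap the comment is pointing at.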

Comment Re:Seems to not understand how it works (Score 4, Informative) 130

The clueless meter went off the charts for me at "by the addition of new security features such as Gatekeeper and XProtect to OS X recently" -- XProtect has been around since mid-10.6, and Gatekeeper is just a wrapper around XProtect.

The actual Synack presentation is better (I saw the precursor at CSW): "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," is the real security flaw here. CSW had a good presentation on how to do this leveraging dylibs. With a simple exploit dropping a crafted dylib, you can run any code you can force the user to download via drive-by as root. And it's persistent, without adding a bunch of extra junk to the target system.

That said, this method still relies on working exploits (or more often, patched torrents of popular software). The skill level to pull off the entire attack chain is fairly high too -- you're going to see governments and organized crime using these techniques, not your average bot herder.

Comment Re:Apple may outlive Acer - But will they make PCs (Score 1) 417

...which is itself myopic. OpenStep can run on top of Windows OR Linux OR BSD, and would be a perfectly fine environment in which to do iOS dev work.

However, I don't see the Mac market vanishing any time soon; it might shrink a bit, get a bit more expensive/specialized, but there are still a number of markets that lean heavily on Macs and would be loath to give them up for whitebox + POSIX OS.

Comment Re:Stuff Happens (Score 2) 334

I am not an Obama fan but I cannot place blame on anyone here except Al Qaeda. Intelligence isn't perfect, it appears due diligence was done, but unfortunately hostages were killed. Perhaps the blame should go to the group that took perfectly innocent people hostage and held them near military commanders who they knew were being targeted.

What's with the blame-averse atmosphere that seems to be going around these days? In this case, I place the blame all over the place, to be shared unequally by many involved.

First off, an operative was compromised and taken captive. Someone fell down on their job for this to happen. Secondly, Obama issued the executive order that caused him (and many others) to be killed. Somewhere in between those two events, other operatives and military intelligence lost track of where their missing operative was being held. Also, they misidentified what was actually taking place at that AQ hideout. Finally, we've got the Pakistani government involved in all this, giving a foreign power carte blanche to send a drone in to kill other foreigners on its soil.

After all that, we get back to blaming the AQ strategists who messed up using foreigners as a human wall to protect their commanders -- because someone forgot to let the enemy know that this was happening. Unless, of course, they didn't, and both people killed were actually government operatives that were considered expendable for the cause -- but their cover can't be blown without implicating others (hence the delay) -- even though it looks like AQ already blew their cover long ago. Not saying this is what happened, but it's just as much a possibility as the official story. And everyone on all sides of the conflict made lots of mistakes here, many of which could be learned from and avoided in the future. Kudos to Obama for at least admitting this and aiming to do something towards these ends.

Comment Re:Acid is not a power source. (Score 2) 118

on the other hand, your stomach could be a good power source -- kinetic energy, electrolyte source, AND it keeps a steady temperature. I think your colon would be even better though :)

YES! The colon produces methane which is a fuel and could be used in some kind of fuel cell, perhaps. It's a win-win: you'd fart less and not have to remember passwords!

...and any time you needed a password for something, you could go with your gut!

Comment Re:They should be doing the opposite (Score 1) 309

Creation is usually influenced or built off earlier creations. Very little music is created in a vacuum, and the line between 'inspiration' and 'derived work' can be fuzzy and subjective.

Well... I took THAT out of context. I forgot what window I had open and thought this was a discussion on Creationism vs Evolution.

I think I may re-post your comment to one of those threads sometime :D

Comment Re:They should be doing the opposite (Score 2) 309

Canada is one of the outliers because the US pushed the 70 year term as a condition on a number of treaties. But you're right about the "not totally senseless" side -- I thought this change was old news: it's a requirement of the latest round of trade treaties with the US. Doing it got Canada some other trade "concessions" with the US.

Comment Re:Silly (Score 1) 118

meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place

As with DRM, if the thing that decides if you are valid can be in your hands (so to speak), you may as well assume it will be compromised.

There's no way I can think of to pass on a piece of information describing yourself to another party without that party having to know that information already to validate it, and if they do, it can be stolen and replayed.

Precisely.

Comment Re:Biometric honesty (Score 3, Insightful) 118

Biometrics are only good so long as the device that reads your pattern is "honest." If you have to inject a device to read your biometric patterns, you could just as easily inject a device that pretends to read your biometrics, but actually copies someone else's.

Or vice versa: you could ingest a device that pretends to use your biometrics for security validation, but actually copies your biometrics and broadcasts for someone else to spoof or collect for various purposes not approved by you.

"biometrics" are only metric at the point they're being read -- the resulting hashes etc. are by no means biometric, and are instead a static constant to be used/abused by whomever.

Comment Re:Silly (Score 1) 118

I think the idea here is that the system would be two-part: challenge/response key, but with extra biodata, meaning it has to be activated by your particular stomach in order for the challenge to be accepted in the first place.

However, there are all sorts of problems with that:
1) Our bodies change over time.
2) The information must be broadcast, at which point any receiver can grab that info (unless it's protected by ANOTHER c/r system)
3) Spoofing this would be relatively easy with a replay attack.
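
Points 2 and 3 above, together with the "static constant" remark in the Biometric honesty comment, are easy to make concrete. The following is an added example, not code from any of the original comments: the "biometric sample" bytes are a constructed stand-in for a reading, and the template derivation and HMAC response are assumptions about how such a scheme might be built, chosen only to show the difference between broadcasting a fixed digest and answering a fresh challenge.

```python
"""Replay against a static biometric digest vs. a nonce-based challenge/response."""
import hashlib
import hmac
import secrets

# Constructed stand-in for what an ingested reader would derive from one scan.
# Once derived it is just a fixed byte string, which is the whole problem.
BIOMETRIC_SAMPLE = b"constructed-stomach-signal-0001"


def derive_template(sample: bytes) -> bytes:
    """Assumed 'hash of the reading': a deterministic digest of the sample."""
    return hashlib.sha256(b"template:" + sample).digest()


class StaticDigestVerifier:
    """Scheme 1: the device transmits the template digest itself (point 2 above)."""

    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled

    def verify(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self.enrolled)


class ChallengeResponseVerifier:
    """Scheme 2: the verifier issues a fresh nonce; the device answers HMAC(template, nonce)."""

    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled
        self.outstanding = set()          # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:  # stale or never-issued nonce: reject
            return False
        self.outstanding.discard(nonce)    # single use, so a captured pair cannot be reused
        expected = hmac.new(self.enrolled, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def device_respond(template: bytes, nonce: bytes) -> bytes:
    """What an honest implanted device computes for a challenge."""
    return hmac.new(template, nonce, hashlib.sha256).digest()


def replay_against_static() -> bool:
    """Attacker sniffs one broadcast (point 2) and resends it (point 3). True if accepted."""
    template = derive_template(BIOMETRIC_SAMPLE)
    verifier = StaticDigestVerifier(template)
    captured = template                    # observed during a legitimate login
    return verifier.verify(captured)


def replay_against_challenge() -> bool:
    """Attacker captures one (nonce, response) pair and replays it later. True if accepted."""
    template = derive_template(BIOMETRIC_SAMPLE)
    verifier = ChallengeResponseVerifier(template)
    nonce = verifier.challenge()
    response = device_respond(template, nonce)
    assert verifier.verify(nonce, response)   # the legitimate session succeeds
    return verifier.verify(nonce, response)   # the replayed pair does not


def stolen_template_against_challenge() -> bool:
    """The caveat from the 'Silly' reply: whoever holds the template (owns the device) passes anyway."""
    template = derive_template(BIOMETRIC_SAMPLE)
    verifier = ChallengeResponseVerifier(template)
    nonce = verifier.challenge()
    return verifier.verify(nonce, device_respond(template, nonce))


if __name__ == "__main__":
    print("static digest, replayed:        accepted =", replay_against_static())
    print("challenge/response, replayed:   accepted =", replay_against_challenge())
    print("challenge/response, stolen key: accepted =", stolen_template_against_challenge())
```

The nonce fixes the replay (point 3) but not point 2 in its stronger form: the secret still has to live in the device, so anyone who can read the device, or ship a lookalike that already holds someone else's template, authenticates just as the last function shows.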
