Mac OS X 10.2.8

Is out, weighing in at 40MB, so fire up Software Update and let the downloading begin. Standalone updates aren't available as I type this, but they're bound to show up.

According to MacNN, this update "delivers enhanced functionality and improved reliability for the following applications, services and technologies: Audio, Bluetooth, Classic compatibility, Finder, Graphics, LDAP, Power Management, Safari, and FireWire and USB device compatibility. The update also provides updated security services and includes the latest Security Updates."

Hmm... I wonder if they patched SSH already? MacRumors leads me to think so, but I'll have to check. Anyway, the mention of USB 2.0 support (even for third-party cards) in the Apple KB is a nice touch, and I'm curious as to what enhancements have been made to Safari and LDAP.

10.2.7 seems to be G5-only, then.

Update: As is bloody usual, using Software Update via Netcabo's transparent proxies is nigh on impossible. Don't even try it, unless you feel like wasting hours of your time with interrupted downloads. Just do as I did - use another connection, or get the combo update with a quick wget when it's released.

Update 2: If, like me, you suffer from knowing altogether too much about security in general and cryptography in particular, I heartily recommend reading Peter Gutmann's analysis of CIPE and vtun (which is currently causing significant furore over at /.) while you wait for Software Update to finish. It just goes to show that no matter how much you publicise common security flaws, not even Open Source geeks get it right. My favorite quote: "At least Microsoft eventually tries to fix their stuff, given sufficient public embarrassment and the odd hundred thousand or so computers being taken out by attackers."

Heck, I'm going to quote the entire "Thoughts" section (yes, Software Update is taking that long, I'm that bored and I pretty much agree with all of it):

  • These programs have been around for years (CIPE goes back to 1996 and vtun to 1998) and (apparently) have quite sizeable user communities without anyone having noticed (or caring, after flaws were pointed out) that they have security problems. I only heard of CIPE when a friend of mine mentioned it to me in passing, and came across vtun by coincidence when I was looking for more info on CIPE. Who knows how many more insecure Linux crypto-tunnel products there may be floating around out there.
  • It's possible to create insecure "security" products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed. At least Microsoft eventually tries to fix their stuff, given sufficient public embarrassment and the odd hundred thousand or so computers being taken out by attackers.
  • For all of these VPN apps, the authors state that they were motivated to create them as a reaction to the perceived complexity of protocols like SSL, SSH, and IPSec. The means of reducing the complexity was to strip out all those nasty security features that made the protocols complex (and secure). Now if you're Bruce Schneier or Niels Ferguson, you're allowed to reinvent SSL ("Practical Cryptography", John Wiley & Sons, 2003). Unfortunately the people who created these programs are no Bruce or Niels. The results are predictable.
  • Whenever someone thinks that they can replace SSL/SSH with something much better that they designed this morning over coffee, their computer speakers should generate some sort of penis-shaped sound wave and plunge it repeatedly into their skulls until they achieve enlightenment. Replacing the SSL/SSH data channel is marginally justifiable, although usually just running SSL/SSH over UDP would be sufficient. Replacing the SSL/SSH control channel is never justifiable - even the WAP guys, with strong non-SSL/SSH requirements, simply adapted SSL rather than trying to invent their own protocol.

Peter's words, not mine. But I wholeheartedly agree.

By the way, after Software Update, Safari was bumped up to 1.0 (v85.5) - a .5 revision? Hmmm... Maybe it's the fix for John Gruber's white stripes bug. :)
