Archive for the ‘Computers’ Category
Mac OS X Mail parental controls vulnerability
Tuesday, August 3rd, 2010
The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent. The Mail client can be fooled into adding any address to the child’s whitelist (i.e., the list of addresses with whom the child is allowed to correspond), as if the parent had approved the address, without his/her knowledge or consent. This vulnerability can be taken advantage of by the child or by any third party anywhere on the Internet.
I guess I’m now a Mozilla core developer, too
Friday, July 23rd, 2010
About a month ago, I dived into the world of Mozilla add-on development by adopting the abandoned Thunderbird “Send Later” add-on and porting it to Thunderbird 3.1. The learning curve was pretty steep, and it took a lot more work than I expected to stabilize the add-on, but I think it was worth it, considering that in the two weeks since I released it, almost 2,000 people have downloaded it and at least 444 of them are using it.
Emboldened by that, I decided to take a stab at fixing two bugs in the core Thunderbird code that have been driving me crazy. That, too, required a steep learning curve, but in the end, I was able to submit fixes for two bugs, one quite old and one new in Thunderbird 3.1, affecting a whole bunch of people:
- It was impossible to remove attachments from some MIME messages, including MIME messages generated by the Mac Mail client (Mozilla bug #351224). This bug has been reported by at least 30 different people and was first reported almost four years ago. Fixing it required rewriting pretty much an entire module within C++ source code for Thunderbird.
- Thunderbird was incorrectly inserting a couple extra spaces at the beginning of some sent email messages (Mozilla bug #564737). This bug was first reported just a few months ago and has already been reported by at least 56 different people. This bug is in the core code that is shared between all Mozilla applications, which means that the fix will impact Firefox, Seamonkey, etc. as well as Thunderbird.
Needless to say, there are other things I should have been working on when I got distracted by fixing these bugs. But I’d almost forgotten how rewarding it is to be able to contribute to open-source software in ways that benefit a lot of people.
Yad Sarah: Good work, bad fundraising
Monday, July 12th, 2010
I periodically post about organizations which can’t handle one of these two simple requests: (1) don’t spam me; (2) don’t send me junk mail. If an organization is incapable of implementing effective policies and procedures to accommodate these two straightforward requests from donors, they are probably also incapable of implementing effective, efficient policies and procedures for doing the work for which donors are sending them money.
I’ve had run-ins of varying magnitude about this with numerous organizations over the years. The ones that I post about here are the worst of the worst. They have either overtly refused to accommodate my requests, or claimed repeatedly, but falsely, that they had done so.
Today, I am forced to add Yad Sarah to this disreputable bunch. I am sorry to do this, because the work Yad Sarah claims to do is important, and because they appear to be respected by other organizations which I respect and tend to trust. However, after my experience with them, I must wonder how efficiently and effectively they use the money entrusted to them by donors to perform their mission.
I guess I’m a Mozilla add-on developer now
Sunday, July 11th, 2010
I just released a port of the “Send Later” Mozilla Thunderbird add-on for Thunderbird 3.1+.
The old version is not compatible with Thunderbird 3, and its author and maintainer appears to have abandoned it.
I’d love for him to integrate my changes into his version and resume maintaining it, but in the meantime, for the sake of making it available to people, I’ve released the new version myself.
Here’s a picture:

Interestingly, it’s been less than two days since I released it, and it’s already been downloaded by 71 people. Sweet!
Citizens Bank idiocy round-up
Thursday, June 24th, 2010
Citizens Bank has been particularly idiotic recently. Here’s the round-up of all the disappointments we’ve suffered at their hands…
Solving the GNU Mailman MIME message footer problem
Tuesday, May 25th, 2010
If you administer a GNU Mailman installation, you are probably aware that message footers don’t always work quite right: if a message submitted to a list is entirely plain text with no attachments, then the footer is fine, but if it’s formatted in HTML or has attachments, then the footer is added to the message as a separate message part, and some email clients display it as an attachment which must be clicked on to view, rather than displaying it as part of the message text.
This is a significant problem, since Microsoft Outlook, which has by far the biggest market share of any email client, is one of the clients that displays Mailman footers incorrectly.
Many people have complained about this problem to the maintainers of GNU Mailman, but they have declined to address it. I don’t agree with their reasoning, but it is of course their prerogative as the volunteer maintainers of free software to decide that they’d rather maintain some sort of vision of purity in their code rather than actually make it do what their users want it to. Jan Ploski also has some interesting thoughts about this.
Fortunately, it’s our prerogative as users to fix it ourselves if they don’t. Adrian Bye did this with a patch to Mailman way back in 2005, but the maintainers rejected his patch and it’s now out-of-date and incompatible with the current stable Mailman release. Others have hacked together site-specific solutions using mimedefang, but no one has implemented a generic solution that can be deployed on top of a standard Mailman installation. Until now, that is.
I’ve just released a script that can be deployed easily into a mimedefang installation to automatically reformat outbound Mailman messages to insert the footer into the text and/or HTML bodies of the message rather than as a separate attachment. All you need to do to use it is install it into your mimedefang installation using the provided instructions, then modify the msg_footer setting inside Mailman to add a couple of special tokens which tell the script to reformat your footers.
Share and enjoy! And hey, if you find this useful, maybe you can show your appreciation.
Spam-Rape from Robert Wexler continues, this time via Scott Maddox
Tuesday, May 18th, 2010
Yet another chapter in the saga of the political spam I can’t seem to put a stop to, courtesy of ex-Congressman Robert Wexler. I’ve just been spammed by Scott Maddox, who is running for Florida Commissioner of Agriculture & Consumer Services. Like I care!
Think twice before buying a Hitachi hard drive
Friday, May 7th, 2010
I recently rebuilt my workhorse PC at home after a contractor fried my old one by plugging a sheetrock saw into my UPS. One of the new components I bought was a Hitachi Deskstar 1TB hard drive. The drive comes with a three-year warranty.
Less than six months later, the drive began to fail, and my computer told me to back up and replace the drive immediately.
The first sign that getting Hitachi to replace the drive under warranty was not going to be entirely straightforward was when I entered the drive’s serial number into Hitachi’s “Is My Drive in Warranty?” form and got back “Invalid serial”. Um… no. [I later learned that this was because the serial number returned by SMART has extra characters at the beginning that aren't in the serial number printed on the drive label, and the web app doesn't know what to do with those extra characters. Stupid!]
High Tech Ventures strikes again
Monday, April 19th, 2010
A few minutes ago, I got the following email message from Ed at High Tech Ventures, a recruiting firm I have trashed on my blog in the past:
Subject: Company Name specs
I placed the cto. He’s a great guy and asked me to help with a couple engineering roles. I’ve attached the job specs.
Company Name has been known as Old Company Name 1 and Old Company Name 2.
would you recommend Current Coworker Name?
any other suggestions?
Ed
Here’s what I wrote back:
I will reply to you now as I replied to you the last time you contacted me, last November:
I have asked your company multiple times not to contact me.
I have even decried your failure to leave me alone on my blog.
One of my friends commented on my blog that at one point his wife told your company that he had died just to get you to stop calling him.
Get the message?
Jonathan Kamens
As for Current Coworker Name, he is currently employed where I work, and he has not chosen to mention to me that he is looking for a new position, so whether he is or isn’t, dropping his name to me was entirely inappropriate. The fact that you felt comfortable doing that is yet another reason why people should avoid your company like the plague.
Please do not contact me again.
Jonathan Kamens
Idiots.
Supposed SysAdmin & Network Security experts don’t know how to run a secure Web site
Friday, April 9th, 2010
Yesterday, I decided I wanted to unsubscribe from one of the e-newsletters published by SANS, which bills itself as, “the most trusted source for computer security training, certification and research.”
There were no instructions in the e-newsletter for how to unsubscribe, so I went to their Web site. It told me that I had to sign into my Portal account; the only problem is that I’ve never had a Portal account, and I subscribed to the SANS e-newsletters long before such a thing existed. I figured that perhaps they auto-created an account for me at some point, so I gave the site my email address and told it that I’d forgotten my password. It claimed to have mailed password reset instructions to me and told me that I had to follow them within two hours, but over ten minutes later, they still hadn’t arrived.
Thinking that perhaps I could register my email address for a Portal account and would then “inherit” any legacy subscriptions under that email address, I tried registering. It rejected my registration form, telling me that I needed to enter a valid email address. I couldn’t tell whether it was rejecting the form because the email I entered was already in its database, or because it incorrectly believed that “jik@kamens.brookline.ma.us” was not a valid address (a lot of Web sites can’t seem to handle the idea that “kamens.brookline.ma.us” is a valid email domain).
At this point, I threw up my hands and sent them email describing everything that had happened and asking what the heck I should do. I ended my email with, “The fact that you guys are supposedly experts at secure Web site design makes this rather ironic.”