BORLOX  It looks like some people don't understand the privacy implications of this and other cloud-data services.

When you use Dropbox, you're handing your personal data over to the developer. What happens to it after that is not under your control. You may or may not care about this lack of privacy, but don't be misled into thinking it doesn't exist.

The documentation cited below says that data is encrypted in transmission (using SSL) and in storage on the servers. "Online access to your files requires your username and password." But the Dropbox admins *know* your username and password. They may have a policy of not allowing their employees to access customer data, but it's just a policy; you're relying on them to enforce it. In some circumstances, such as under subpoena or after a sale or liquidation of the company, the policy may be unenforceable. In no way is it the same as if the client application were to encrypt the data locally before uploading, using a key known only to you. Then they *could not* read your data even if they wanted to.  
(Version 0.6.570)

BORLOX  Afraid not. Changing the owner of the link has no effect. For your approach to work, you'd have to change the permissions of the user Library folder so that it couldn't be written by the user. That would of course create a lot of problems.

There's no easy workaround for the security hole created by this software. The developer could fix it, but he seems not to want to.  
(Version 0.9.7a)

BORLOX  "That way, if any user-privileged script/app tries to write to the local domain it will fail as it really points to the system domain, requiring system install privs."

Unless the script simply deletes your link and replaces it with a folder.  
(Version 0.9.7a)

BORLOX  I use Twin to back up about 40 GB of data to Amazon Web Services.

Pros:

Data persistence. Amazon won't go out of business suddenly, taking your data with it. You don't need Twin to retrieve the data. If the developer disappears or the app stops working, you can still get to your backups with third-party tools.

Data privacy. Data is encrypted with the standard AES algorithm before being transmitted. You can decrypt the archives with open-source tools.

Stability. No crashes in several months of using this app.

Flexible scheduling. You can set Twin to back up periodically and/or when the network becomes available -- useful for portables that aren't always connected.

Cons:

Inefficient use of bandwidth. Data is packaged in archives of fixed size, which is decided at setup and can't afterwards be changed. The default is 1 MB. So if you change a single byte in a small file, at least that amount of data has to be sent. If you change a single byte in a large file, the whole file has to be sent. It would be better if Twin used something like librsync to back up only the parts of files that have changed.

Mirror backups only. The backup contains the most recent version of each file you've selected. There's no option for incremental backup.

No obvious warning of failure. The interface is normally hidden. The only indication of a failed or incomplete backup is in the interface. If you don't look for it, you won't see it.

Suggestion:

Offsite backup is a last resort in case of total destruction of your primary site, including your local backups. Put all the data you need to recover your backups on a small USB flash drive (encrypted, of course) and keep it with you at all times. That would include, at a minimum, your AWS public and secret access codes, your backup encryption keys, and your Twin registration data.  
(Version 1.1.2)

BORLOX  There's a serious security issue with this software that users should be aware of before they decide whether to install it. From the developer's site:

---

Once you've installed SIMBL, you need to drop some bundles into the Plugins folder. (/Library/Application Support/SIMBL/Plugins) SIMBL scans this folder for bundles each time an application launches. It will check both the Local and User domain for this special folder.

This means that it will check ~/Library/Application Support/SIMBL/Plugins before looking in /Library/Application Support/SIMBL/Plugins.

---

One of the few trojans to successfully exploit Mac OS X in the wild was called "Oompa-Loompa." It worked by installing an input manager in the home directory of any user who ran it. As a result, user-domain input managers were disabled in Leopard, and the permissions of the local Input Managers folder were changed so that root privileges were required to install anything into it.

SIMBL appears to re-open the security hole that was closed in Leopard. A trojan, only slightly different from the one described above, can install a SIMBL plugin in the user's home directory. Any application can then effectively be replaced by the trojan, even if the user is not a member of the admin group and doesn't have permission to modify the applications directly. You might think that because you're not running as an admin, applications such as Safari or Keychain Access are safe from unintended modification, but with SIMBL installed, you'd be wrong.

If you're going to use SIMBL, you should take steps to ensure that plugins can't be installed without your knowledge. How you do that is up to you, but if you don't have a strategy, you shouldn't be using it.

The developer should, in my opinion, change the way SIMBL works so that it doesn't load plugins from the user domain. That would mitigate the danger.  
(Version 0.9.6c)

BORLOX  I haven't used this, but it looks like an extension of Unison, which is free and open-source, and works very well, though it has a clunky UI. Before licensing this rather expensive app, you should find out whether Unison meets your needs:

http://www.cis.upenn.edu/~bcpierce/unison/  
(Version 4.73a)

BORLOX  How to disable the auto-updating:

http://www.macosxhints.com/article.php?story=20090424045847496  
(Version 5.1.3506.3999)

BORLOX  Your problem is caused by the outrageous Interlok rootkit that this application installs. It has to be updated to infect Snow Leopard. But don't worry -- "MIKAELF" says it's good for you.  
(Version 5.3.5)

BORLOX  "Make Uninstaller a root application" means setting the SUID bit on the executable, so that it always runs as root without the need for an administrator to authenticate. Apparently this doesn't work in 10.6, which is a good thing in my opinion.

The application can still run with root privileges after authentication.  
(Version 1.12.2)

BORLOX  Use this if you want (I sure won't), but read the privacy policy first. It IS adware and it DOES collect personal information for the developer's use.  
(Version 3.0.1)

BORLOX  This suspicious-sounding app seems to be innocuous. It's a wrapper for a trivial Automator workflow that empties the user's Trash folder with root privileges after prompting for an administrator password. There's no real need for it.

On general principle, such things should be avoided.  
(Version 1.0)

BORLOX  It's a problem because my computer belongs to me, not to a software developer. The Interlok rootkit modifies the whole operating system in ways completely unknown and unknowable to the user. The rootkit developer, PACE, isn't answerable to the end user and doesn't care about his interests.

From the PACE website:

Are there any known issues where machines spontaneously reboot or freeze when using PACE protected software?

... It should be noted that InterLok does have mechinisms whereby it can reboot the machine if it detects aberrant behavior that could be trying to compromise the security of the wrapped application.

http://paceantipiracy.com/ilqanda.html

So if Interlok thinks you might be trying to do something the application developer wouldn't approve of, it can shut down your whole system, destroying whatever you may be working on in the process. If it's acceptable to you to give that kind of control over your computer to someone you don't know or trust, fine. To me it isn't and never will be.  
(Version 5.3.4)

BORLOX  WARNING: Installs the Interlok DRM rootkit.  
(Version 5.3.3)

BORLOX  Anyone who uses this app should be aware that it tries to hide a timestamp in a preference file named "com.apple.services.plist", which is apparently supposed to look like a file created by the OS. It isn't.  
(Version 2.0)

BORLOX  To convert the man page with title 'fubar' to publication-quality PDF:

Open a Terminal window.

Enter "man -t fubar | open -a -f Preview" (without the quotes.)

Yes, it involves some text entry, but if you're reading man pages you need to do that anyway.

Besides ManOpen, another free alternative to be aware of is Bwana.  
(Version 2.0)

BORLOX  Just in case anyone is confused about what this does: it uploads your images to a remote server, apparently in Italy, where the processing takes place, and then downloads the results back to you.

I just checked the Terms of Use and Privacy Policy pages on the developer's site. Both are blank. Maybe you have to open an account to see that information. I have no idea what rights the developer considers himself to have to his customers' data.

I wouldn't use this product for anything serious without consult a lawyer first. An Italian lawyer.  
(Version 2.1.3)

BORLOX  I don't like to criticize a free application that many people apparently find useful, but deleting swap files? What's supposed to be the point of that? They're deleted automatically anyway at startup.  
(Version 1.5)

BORLOX  Promising, but doesn't yet deliver.

I tried to use this to back up my home directory to S3. I chose an encrypted compressed disk image as the archive type. It made a complete local copy of the source directory, including all the files I had excluded from backup, then stalled with the progress dialog showing "idle". No data was uploaded.

Also, I noticed that it can't create a new bucket if one already exists.

If the developer keeps working on it, this might be a useful app someday.  
(Version 1.0b11)

BORLOX  Am I the only one who thinks this is a bad idea?

Applications that don't need to access the network, shouldn't. The Mac OS is moving toward a sandbox security model in which applications can be selectively allowed access to kernel facilities such as I/O and networking. This framework conflicts with that model.

A security-conscious user should have an admin account that is used only for administrative tasks such as software installation. Only the apps that are required for those tasks should run in that account. All other work should be done in another account, without admin privileges. Sparkle conflicts with that model, too.

The one time I tried it, Sparkle installed an app bundle with wrong, wide open, permissions.

Unfortunately, more and more developers are included this waste of disk space in their products, and you can't remove it, because then the apps won't launch.  
(Version 1.5b4)

BORLOX  The installer package phones home without asking permission from the user. It also tries to cover its tracks.

When you run the installer, it installs, among a lot of other stuff you probably don't want, an application called "Pingie." Pingie is launched automatically by the postflight installer script, then deleted, so you never know it was there.

By runnings strings(1) on the executable in the Pingie.app bundle, you can see that it contacts a server at http://hints.netflame.cc/, which redirects to a Digital River marketing site. It sends, at least, the product version and your IP address.

The only reference to all this in the installation documents is in the middle of the legal boilerplate of the EULA:

"During the installation process and through use of the software covered hereunder, we may collect non-personally identifiable information, as well as personally-identifiable information, all as set forth in our Privacy Policy, available at http://www.divx.com/legal/privacy.php; please read it."

Read it indeed. And better yet, don't run the installer at all. Use Pacifist or some other tool to extract only the files you want from the package. In my case, that was only the QuickTime decoder component. I had no use for the player or any of the other questionable stuff in the package.  
(Version 6.7.2)

BORLOX  Excellent stuff. I've been using it for years. If you're running a public SSH server, you MUST install this. It's for advanced users -- a Python script, not a GUI application -- but it well repays the effort to learn how to set it up.

What it does is to watch a log file for unsuccessful attempts to connect to your SSH server. If there are too many attempts from a particular IP address, DenyHosts blocks all further SSH connections from that address. Optionally, it also connects to a central server and downloads the IP addresses of hosts that have attacked other users. Those hosts are then blocked too, usually before they ever attack you. Your attackers' addresses are also uploaded to the server. This creates a group-immunity effect.

It can also notify you by email when a host is blocked.  
(Version 2.6)

BORLOX  This piece of garbage prompts to start a root daemon every time it runs, even after you've told it not to, and after you cancel, it asks for an admin password anyway because it wants to write to a file in the application bundle.

Somehow, Real always manages to outdo itself by making each new version worse than the last one.  
(Version 11.0 build 876)

BORLOX  Appropriately, the screenshot is a threat of criminal prosecution.  
(Version 2.0.1447)

BORLOX  Another scam widget. This one passes domain-name queries through to the developer so he can register the names first and sell them back to the user.  
(Version 1.0.4)

BORLOX  A good example of the sort of widget to avoid. It provides no information you couldn't get just as easily from apple.com. All it does is direct queries to the developer's site so he can collect personal data for his own use.  
(Version 1.0.1)

BORLOX  Being based on MacFUSE, it only supports password authentication, which SSH servers exposed to the Internet shouldn't use.  
(Version 1.1)

BORLOX  It will only run if it has write access to the application bundle, which means you either have to run it in an admin account (if it's installed in the Applications folder), or you have to install it in your home directory, where it's only available to one user. Either option violates the UNIX security model.  
(Version 1.8)

BORLOX  I don't know what this guy is up to, but there is absolutely no reason for anybody to use this app or pay for it. It's just a disguised, defective wrapper for the DiskImages framework. The mysterious super-secret vaults it creates are merely obfuscated sparseimages, the same kind you can create for free using Disk Utility, or with cheaper, better third-party apps such as DropDMG. The only differences I can see are, first, that this app somehow manages to impose a spurious 10-GB limitation on the size of the image, and second, that the files can't be shared with anyone who doesn't also have this app installed. Well, actually they can, if the recipient goes to the trouble of extracting the sparseimage file from the bundle it's hidden in, but what's the point?  
(Version 1.1.4)

BORLOX  Firmware password protection can be bypassed by changing the RAM configuration. Its only use is to prevent rebooting something like a kiosk machine in single-user mode, where the box is physically locked up and only the keyboard and mouse are accessible. Otherwise it's worthless.

Physical security of data comes from encryption, not from being unable to boot the machine. If the developer wants to do something useful, he should try devising a two-factor authentication system like the SmartCard support already built into the Mac, but without the need for specialized hardware and media.  
(Version 1.2)

BORLOX  I don't like to criticize someone who contributes a free (as in beer) project, but it seems the developer is considering charging money for it. I've known 9-year-old children who could bypass this by booting in single-user mode. No one should install it with the idea that it provides any security against tampering by an attacker with physical access to the computer. There are ways to provide that kind of security, but this isn't one of them. I really can't see any point in this software at all.  
(Version 1.0)

BORLOX  This is the only usable product of its kind for the Mac. The only competition is the embarrassingly-named Little Snitch, which has such a broken security model that nobody should use it.

The important difference between GW and LS is that unprivileged users can use GW without being given control over other users' processes. The firewall rules are set by the system administrator, but they apply to all users. With LS, the foreground user can allow or deny access to the network for any process running as any user. Even if you're the only user of your machine, that's a huge security hole, because it means that any application you run could potentially open the firewall without your knowledge. LS supposedly takes some precautions against this, but the model is fundamentally bad.

The GW interface isn't beautiful, but it's adequate. The menu bar item has crashed on me once. Otherwise no problems with stability.

The Mac platform needs the functionality that this application provides. Users who are conscious of privacy and security should support the developer.  
(Version 1.5.3b2)