PETER DA SILVA  Needs a "GURU MEDITATION" mode.  
(Version 2.0.1)

PETER DA SILVA  Why do you need an installer at all? Even Microsoft doesn't demand you use an installer, they have one, but when I installed Office X it gave me the option of running the installer or just copying the appdir to Applications. What's the point of installers for trivial apps?

(which does raise the question, why do you need AOL desktop at all?)  
(Version 1.5b6)

PETER DA SILVA  Well, if it was a screen saver that might be amusing...  
(Version 1.0)

PETER DA SILVA  Do we NEED an alternative to Flash?

I'm not convinced we need Flash.

And this isn't because it's not open, it's because it replaces a clean linkable interface under the control of the user, with one that's under the control of the publisher. Flash is like, "what if half the books you read were only available in encrypted versions that you couldn't make bookmarks in, photocopy, make notes on, ...".  
(Version 2.0)

PETER DA SILVA  "Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/"

Alternatively, replace vim with nvi. :)  
(Version 2008-007)

PETER DA SILVA  Does it work as a Service, like WordService?  
(Version 2.9)

PETER DA SILVA  I'm confused, and the comments haven't really helped. What does this do that the Apple's own software doesn't do? Or is this just for people who want to move their libraries from XBox to Mac?  
(Version 0.5.21)

PETER DA SILVA  Where do you get 1.0.1? Their site says "Drawit Lite is not available for Tiger and never will be".  
(Version 1.3)

PETER DA SILVA  Thank you for removing Google Updater from this product. Not only is GU unnecessary bloat, but I'm worried about the security implications of the extensions it implements in browsers that allow you yo "push" an update from your website.

Google: I've asked this in support requests, on your forums, in email to your security people, and even on slashdot... could you explain the security model of Google Updater, and the undocumented _GU_*() javascript API in Firefox and IE?  
(Version 1.6.0.1552)

PETER DA SILVA  Is there a similar program for Nero and Toast image files?  
(Version 1.1)

PETER DA SILVA  I have griped about people calling a minimum change to Webkit a new browser, but if this really does provide process isolation inside a tabbed model then it actually DOES bring something worthwhile to the table and so it's not reasonable to dismiss it blithely as merely another 'my first browser' in Webkit.  
(Version 0.1)

PETER DA SILVA  The tab position at the top of the window above the address bar is unfortunate. I believe Google's reasoning for putting the tabs there is wrong: the content of the address bar widget itself may change with the tab, but so does the title bar... and the layout and overall content of the address bar (and bookmark and status bars, if present) is not associated with the tab it is in.

This scheme is too much like the horrid old Microsoft MDI model, and it's annoying enough in Opera that it was enough to make me switch back to Firefox from Opera on Windows.

Please at least make it optional.  
(Version 0.1)

PETER DA SILVA  Wanted an option to swap the other way, because I prefer the PC layout, so I just sent the author a patch for that. Hopefully 0.5 will come out soon. :)  
(Version 0.4)

PETER DA SILVA  I have a small script I wrote called "MountWatch" that does some of the same things... at least lets you see what's got mounted devices open, so you know what to close. It's not polished but DOES run on 10.4. If there's interest I could see about putting it up somewhere after I get power back at home (stupid hurricane).  
(Version 1.8)

PETER DA SILVA  Disabling the iTunes store isn't the same as deleting the iTunes store quicklinks, goldarnit.  
(Version 1.0)

PETER DA SILVA  Removing doublequotes is something you need to do with care.

What happens when you have a row like this....

"1","2,3","4 - ""bob"" - 5","6"  
(Version 1.0.1)

PETER DA SILVA  How does it handle saving and restoring HFS+ metadata?  
(Version 8.06)

PETER DA SILVA  How mysql-specific is it, could it be extended to support postgresql and sqlite?  
(Version 0.9)

PETER DA SILVA  There are other kinds of importers... bookmark importers for browsers and address book importers for all kinds of things and photo importers for photoshop and document importers for office suites.  
(Version 1.0)

PETER DA SILVA  Imports to *what*?  
(Version 1.0)

PETER DA SILVA  Like to try it and see what the improvements are... but iAlertU works on 10.4 and Lockdown doesn't.  
(Version 1.0.4)

PETER DA SILVA  Here's a better USB cat:

http://icanhascheezburger.com/2008/08/05/funny-pictures-now-remove-usb-cat-sfely/  
(Version 2.0.2)

PETER DA SILVA  Thank you so much for fixing the audio cutout!

Did you add some more animations or just reset the animation settings when I upgraded? I'm pretty sure the foundation wasn't swinging around like that before, but I didn't keep the old version to check.  
(Version 1.3.3)

PETER DA SILVA  :)

Wasn't Sweet 16 originally a 16 bit virtual machine running on the Apple ][+?

Oh yeh...

http://6502.org/source/interpreters/sweet16.htm  
(Version 2.0b18)

PETER DA SILVA  When I start it up I get a WHOLE bunch of errors...

> Iterator

Cannot create node of class "QCSmooth" and identifier "(null)"

> Iterator

Cannot create node of class "QCSmooth" and identifier "(null)"

> Iterator

Cannot create node of class "QCSmooth" and identifier "(null)"

[...]  
(Version 1.0)

PETER DA SILVA  Your logic is too subtle for me, longboy.  
(Version 0.12)

PETER DA SILVA  Also, Adium requires 10.4 these days.  
(Version 0.12)

PETER DA SILVA  I'm still using the older deepsleep app, I don't use widgets.

Since Security Update 2008-005 this application just hangs. I suspect it was depending on some setuid applescript backdoor to work. :p  
(Version 1.0)

PETER DA SILVA  The question is... what does it actually DO?

When you don't need to run AOL software to log in to AOL, what benefit do you get from AOL Desktop? What does it actually do?  
(Version 1.5b2)

PETER DA SILVA  I normally just use "sudo lsof | grep Trash"... but I gotta agree that's a great icon. :)  
(Version 1.3)

PETER DA SILVA  Note that for some phones they don't support, you can modify an XML file in iSync to add support. I did this for my Nokia 6263 by telling iSync it's an N40 series phone.

http://scarydevil.com/~peter/io/nokia6263.html  
(Version 1v1)

PETER DA SILVA  dent du midi works for me, and I can change the instruments in Garage Band  
(Version 1.2)

PETER DA SILVA  Even if this didn't use APE it would still have to use some kind of code injection, and MacSpeech would still object to it. If you have problems with MacSpeech software that seem related to it, then disable it for that program and if that fixes the problem just uninstall it before sending them any *other* trouble reports. If that doesn't fix the problem, then removing it won't either, so either way as long as you remove it before you send them any trouble reports you should be fine.  
(Version 1.5b4)

PETER DA SILVA  You can tell APE not to run in specific applications, have you tried that?  
(Version 1.5b4)

PETER DA SILVA  Try dropping back to iScrobbler 1.5. It's much smaller and tighter.  
(Version 2.2b4)

PETER DA SILVA  8-track? Man, does that tickle my nostalgia bone.  
(Version 2.1.3)

PETER DA SILVA  I think we have pretty well confirmed that the ARD exploit does NOT exist (at least not in Tiger) if you have not run ARDAgent. That's not "counter to reality", that's just the way osascript works... it doesn't go grovelling through the disk looking for programs that might register with Applescript.  
(Version 1.2)

PETER DA SILVA  That's precisely correct: I'm not putting your work down, and if your patch allows people to use ARD safely, that's great. If they don't have a need for ARD, though, don't you think it might be possible to remove the registration of ARDAgent's Applescript dictionary so that osascript doesn't use it?  
(Version 1.2)

PETER DA SILVA  If you were going to do something useful, like say stripping Adium of all the webkit spam so it runs on 10.3 again, I'd be excited.  
(Version 1.0b1)

PETER DA SILVA  I wish people who insist that "the article is correct" would try it.  
(Version 1.1)

PETER DA SILVA  I suggest you try it on a Mac taken straight out of the box. Seriously.

Until you run ARDAgent, its Applescript dictionaries do not seem to be registered with anything. You don't have to poke around in the .plist and you don't have to start up remote management. I have tested this on my Mac which is, as far as ARD is concerned, taken straight out of the box, and the "do shell script" does NOT run ARDAgent.

If you do not use ARD, then how do you imagine osascript will know how to find ARDAgent?  
(Version 1.1)

PETER DA SILVA  Friend, I do understand how it works. I've getting on for 30 years experience with UNIX, and 20 years as a network and security administrator, and I have not only read the original report and article, I've tried several variations of the attack.

What I got was an error message, no shell script ran. Unless ARDAgent has run, there is no way for osascript to pass the "do shell script" command (or any other command) to the privileged ARDAgent process... because there is no such process for it to pass it to. Either my copy of Tiger is fundamentally different from every other copy of Tiger out there, or there's something else involved in this attack than simply "do shell script".  
(Version 1.0)

PETER DA SILVA  I have not been able to reproduce the ARD attack on my machine. If you do not have ARD enabled, then the ARD component required to launch the attack is not running and accepting Applescript messages.  
(Version 1.0)