1. Turn off automatic open in safari 2. Safari tells you that you're about to open an application, "Do you want to open this?"

Well, when I turn off "Automatically open safe files", clicking a link just downloads it. I don't get asked questions like "Do you want to open this". That sounds plain stupid (I turned off auto-open the second time I used Safari, the first time I didn't realize it was on until I noticed a DMG had mounted, and I apparently was too stupid to figure out how to turn it off until I asked someone).

I've never liked auto-open, but mainly because I multi-task when browsing. I generally am downloading several things in a session, but don't plan using them/checking them out until later. So I have no desire for 16000 mounted images waiting for me to run some installer.

Other than that, I can see that it's a problem.

Well, other than that, I see that (a) its allowing you to open a file that can do direct damage to your computer, which it won't let you do, say, for an app, or a shell script (it won't for a shell script, right?), and (b) that Apple seems to think that any file should be opened automatically. "Safe" to apple is basically any file that you've already told OS X that you want to open, and with what app. It doesn't matter whether its from the internet or from your hard drive.

BTW, turning off auto-update only stops the malware, but not the trojans (i.e. you double-clicking a widget because you think it'll be good). No way around that.

Yep, and you'll get the added benefit of not auto-opening PDFs, QuickTime movies and other content that you really _do_ want to auto-open. Apple clearly needs to fix Safari so that it won't auto-launch spyware Dashboard widgets.

Nope. Most files like PDFs and QT movies are controlled and displayed via plug-ins. If you don't have a PDF plug-in, then, yes, it will prevent them from launching. [However, I'm one of those weird people who hate the PDF plug-ins. I always forget I'm in the browser, and invariably close the window when I'm finished looking at the PDF.]

BTW, does anyone know if the same sort of thing could be done with Word (that is, going to a page auto-downloads a word file, which in turn launches word, which in turn runs some Macro, which in turn wipes your user directory].

Oh, one other huge problem with this. WTF is this whole "downloads the widget when you go to the web page" thing? I thought browsers were supposed to be secure, as in not letting a web-page do things like download files to your computer without you specifically clicking a link or OK'ing the action.

BTW, I consider this a 100% Safari issue. Dashboard theoretically is working in its own local world, there just needs to be safeguards against the outside world accessing it directly. That's where safari comes in.

To me, this is just another example of how Apple is becoming more and more like MS. They spend too much time on whiz-bang, and no time on security (or even thinking about security). In fact, part of the blame probably goes squarely on the fact there's no communication between groups working on different tasks (this also bears in mind because apparently iPhoto moved some of their files around, but Backup doesn't know about it yet). Someone needed to inform the Safari folks about Dashboard, the problems involved, and what needed to be handled for security.

Their argument (while partly correct) will most likely be "We do such and such to give the user the best user experience possible within the bounds of trying to stay secure", for while I agree with some of the complaints, I also think some of the solutions (force users to download then find files, launch them separately) makes the user's experience downright irritating. But it would be nice if Apple showed at least a little sign of looking at software and saying "OK, now that we've got a design, and know how this is going to work, let's spend a week coming up with all the ways this is going to cause vulnberablities.

I also want to know where the h*** were all the beta-testers and 3rd-party developers for the last year. Doesn't anyone think of these things before release?

Does anyone know what this stupid thing does? I'm curious, but don't feel like testing it out.

This is just a new kind of Desk Accessory. Are you people such newbies that you don't remember DAs?

ever notice that the safari app warning for widgets doesn't occur for all widgets? I don't mind the auto-install so much. Just like Konfabulator, you can run commands etc from the widgets, but you have to launch them. The application warning itself bothers me anyways. It's more of a reason to turn off 'safe' file opening to begin with (where's the 'don't ask me again button'?) The majority of desk accessories were done and pretty much stuck around. Now they're pretty much back with some extras. Apple has their own site for downloading widgets so you hope that's trustsed and reviewed code. If you don't know exactly what it does and/or don't know enough about the author to trust them, then don't run the widget. Learn how to make them yourself.

Automator, Dashboard, Smart Folders, Applescript, and all the other easy languages in 10.4 bring back progamability to the macintosh in a big way.

Sooner or later the average user will figure out that the library in their directory is where stuff gets stored. We're pretty stable on where things are supposed to go and how they should be written w/ 10.4 and it shouldn't change in a major way. It's not like the old 10. beta and up days of Mac OS X being a "Moving Target". Sure there are some inconsistancies, ex: why aren't all backups of mass storage stored in one location?, but those will get filled in and hopefully Apple will stop letting developers scatter things all over so that proper program design gets followed.

Securitywise here is were we are: No good virus scanner, auto-installation of widgets with no firstrun warning (although I'm not about to try the rm -rf * one), trusted sources limited to vendors and user not coder review. Under the hood there are some improvements so we're in a little better place than we were in 10.3 and a h*** of a lot better place than anyone running windows. Just be careful what you do and install. If it asks for your password at least check the file list.

Does anyone know what this stupid thing does? I'm curious, but don't feel like testing it out.

I believe its a proof-of-concept, so I doubt it does much but show how, by going to the site, the widget will auto-download and install. You still have to open it, but being that its in the dashboard dock, you probably will at some point, just to see what it is (people are like that).

This is just a new kind of Desk Accessory. Are you people such newbies that you don't remember DAs?

Sure, I remember DAs. I also remember that you needed to use the Font/DA Mover to install a new DA, it wouldn't install automatically (pre-system 7), or that you had to manually copy the DA to your Apple Menu folder. I don't recall them auto-installing.

But these are NOT just a new kind of DA. The only connection to DAs is that they're supposed to be small apps. But DAs would work within the current programs application/memory space. They could be accessed and dealt with while working. Dashboard widgets work on their own layer, needing to be brought forward to be displayed, then hidden to get back to work. Which means if you're working on a document and need to do some calculations, you can't just move the calculator to the right, start typing in your document, and when you need it, just read-off the calculator's result and type it into the document. You'll need to (a) activate dashboard, (b) read and remember the result, or copy it (assuming you don't mind losing what's in the clipboard), (c) hide dashboard, and (d) paste or type in the calculator value. Yeah, so much like DAs that I can't believe they didn't call it "Assistant DA".

The only thing its good for, to me at least, are programs that you only run occasionally stand-alone (without need to interact with another program), but want it accessible AND out of the way. Which might be weather (to some people), stock quotes (although if you actually care enough what the price of a stock is at any time, you probably want to know it ALL the time, so you're not missing any ups/downs), maybe a dictionary/thesaurus. But stickies need to be visible (in my opinion, you wouldn't right a bunch of regular stickies and shove them into a pile in a drawer, would you?), calculator (at times), activity monitor (I saw a complaint about an activity monitor, person thought it was immensely cool and useful, until he realized that you couldn't see it all the time, so, what, you need to bring up dashboard every five minutes to see if you have a run-away process?), etc.

I see it as nothing more than something for Apple to tout/hype. Its usefulness is probably limited to most users (as is Expose, which most people probably don't use).

This is funny in a way, because just this morning I was thinking about the benefits of a .Mac subscription, which got me to thinking about Virex, which got me to thinking about the fact that there are no Mac viruses, which led to think when something would be added to OS X accidentally that would enable virus-like infection ... and I conjectured that the new Dashboard feature would be the first to allow such activity. Not that this particular exploit is a virus. And I'm not saying that a .Mac subscription or Virex would protect anyone from such exploits. Anyway, just an interesting coincidence for me.

I've had auto open off since installing tiger and I can view QT and PDF content just fine. The auto open feature relates to downloaded files. If it's on, basically when the download finishes it, Safari double clicks the file for you. If it's a dmg, it tells you that the dmg has an application in it and asks you if you want to mount it (security against any nasty automount installer scripts). For the most part, it's a good system but something needs to be done about both ends of this problem.

Safari needs to ask you before it moves a widget to the dashboard every time, especially when it's been downloaded via a meta tag rather than clicking on a download link which would cause the download manager window to display and do it's thing. Alternatively, just disable the auto install ability when the widget/any other file is downloaded via a meta tag.

There needs to be an addition to the dashboard pref pane to include a manager capability. A simple list of widgets with a checkbox to turn them on and off would suffice. When the pref pane closes, send a message to dashboard to reload it's little browser with the new set of widgets, or even do it as each checkbox is turned on or off so that when you open dashboard while in the pref pane, you can see you changes have taken immediate effect. Lastly, have the ability to select a widget in this list and click a delete button. Second lastly, have the ability to drag a widget from the finder into this list to have it install in the Library folder. Since most mac users wouldn't know what to do with the Library folder, it seems like common sense to me to keep them out of it if possible.

my 2c.

it was the second thought after hearing about dashboard. my first thought was about how the konfabulator people would react. makes me wonder if the same thing could be done with konfabulator widgets as well.

Oops...looks like I spoke too soon:

http://www.versiontracker.com/dyn/moreinfo/macosx/26627

So there IS a way to have individual DB widgets on screen all the time. How long before Apple incorporates this into DB?

[My earlier post of this got eaten up somehow...]

"Dashboard widgets work on their own layer, needing to be brought forward to be displayed, then hidden to get back to work...I can't believe they didn't call it "Assistant DA".

Amen, brother. It was a big letdown when I realized this, as I had thought that DB (along with Spotlight) would be one of the killer features of Tiger. I did find something called Amnesty (link posted above) that lets you have DB widgets on screen all the time. This, coupled with Widget Manager:

http://www.versiontracker.com/dyn/moreinfo/macosx/26692

actually makes DB worth using.

"I see it as nothing more than something for Apple to tout/hype. Its usefulness is probably limited to most users (as is Expose, which most people probably don't use)."

I have to disagree with you, there. On our campus Expose is THE one killer feature in Panther that has people wowed -- esp. faculty, who tend to have 5-6 apps open at once with 3-5 windows open in each. I use it many many many times a day.

But you're absolutely correct about DB being just another bullet point in Apple's Keynote presentations meant to wow people. But hey, DB is only version 1.0 (or whatever...there's no .app icon to Get Info on). Let's see what DB is like come OS X 10.4.5...I'm sure a lot of our gripes will be addressed (and I'm sure they'll give us new reasons to gripe!).

But you're absolutely correct about DB being just another bullet point in Apple's Keynote presentations meant to wow people. But hey, DB is only version 1.0 (or whatever...there's no .app icon to Get Info on). Let's see what DB is like come OS X 10.4.5...I'm sure a lot of our gripes will be addressed (and I'm sure they'll give us new reasons to gripe!).

My only gripe on the v1.0 comment is that Apple has a severe history of including features in OS X, then just ignoring them. Sherlock, for example.

how can they do that to apple?? :( :( :(

Hope it comes with a bar of soap and directions for its use (in French of course)

Both Dashboard and Konfabulator widgets are basically "canned" web pages. Palm came up with this idea on the Palm VII to deal with the low bandwidth available on palm.net. They had these little canned weblets called "PQAs" that looked more like Palm apps than web pages, that you could bring up and page around in and run queries from without having to download the pages until you actually did the query.