The Old Joel on Software Forum: Part 3 (of 5)

WMP for X!

It was indeed a sorry sight to hear all the sad stories about Windows users unhappy with iTunes. But all news is not bad, there is now good news! Bill has released Windows Media Player for OS X!!! And it rocks!!

Finally we Mac heads can get rid of the dog that is iTunes and make use of a REAL multimedia program with skins and support for all the most commonly used formats that were somehow 'forgotten' to include in iTunes and QuickTime player. :

http://www.microsoft.com/windows/windowsmedia/software/macintosh/osx/default.aspx

Yee haw! I feel like at last I am joining the real world!

Ed the Millwright
Wednesday, November 12, 2003

huh, I was actually interested enough to download it as well.

Nearly got it installed, was really going to until its installer asked for my _administrator password_ before it would continue.

wtf does a music player need an administrator password for?

ah well...I really rather like itunes...

FullNameRequired
Wednesday, November 12, 2003

The open source mplayer utility is all one should need for OS X video. I'm not sure why you'd want to use it as an iTunes replacement though. The only real reason to have WMP is for ASX video.

Skins? As someone once eloquently stated on jwz's site, "Whenever a programmer thinks, "Hey, skins, what a cool idea", their computer's speakers should create some sort of cock-shaped soundwave and plunge it repeatedly through their skulls."

Rhys Keepence
Wednesday, November 12, 2003

BTW- what is this, slashdot for micros~1 fans?

Rhys Keepence
Wednesday, November 12, 2003

Is this news?

I've had WMP sitting on my Mac for... well... quite some time now. Unless this is an upgrade, the OS X version doesn't play everything the Windows version does.

Walter Rumsby
Wednesday, November 12, 2003

"I've had WMP sitting on my Mac for... well... quite some time now."

whats it like? Im trying to persuade myself to give it the admin password....but so far I just cant do it...I mean..._why_?

FullNameRequired
Wednesday, November 12, 2003

FNR,

Now you got me worried. Talk to me. Seems like every single program nowadays wants to run as root. I know that 'theoretically' it's a problem, but in practice if I say no then I'm limited to the software that came on the computer since every installer seems to ask for the password. Is it really so dangerous? What's the alternative? And does anyone know why every program wants to run as root?

Ed the Millwright
Wednesday, November 12, 2003

"Seems like every single program nowadays wants to run as root."

interesting...almost none of the programs I usually install do. What kinds of programs are these?

"Is it really so dangerous?"

yes and no.

a lot depends on _why_ it wants it, certain things are safe and certain things are usually not.
<g> Im not going to go into all the possibilities here, if you want to beef up on your knowledge of security issues in unix there are plenty of places you can do so.

given who wrote the program, and given that you downloaded it from a trusted source, the chances are pretty damn good that giving it the password wont be a problem.

The point is though, that _automatically_ giving the password to any program that asks is a bad habit.
Giving your admin password is a _security issue_, programs (like WMP for osx) that encourage you to do so are bad, and particularly annoy me for two reasons.

(1) In unix its _totally_ unnecessary, anything at all that they want to install can go as happily into your home directory as into the toplevel directories..this includes drivers and any other technical thingies.

(2) I forget what 2 is...Ive been writing this over 2 hours between working and Ive forgotten my second point. <g> hate when that happens.

Obviously where you want to draw the bar is up to you, I tend to give up the admin password if (a) I really, really want to use the program or (b) the program is polite about the requests and tells me exactly what it wants it for and how long it will keep it.
(will wmp store the password anywhere? I dunno, it didn't say...)

one other thing to remember is that as long as you are installing things only into your user space (not giving up the admin password), you can remove everything they do simply by logging in as a different user...once the program has your admin password htats no longer necessarily true.

FullNameRequired
Wednesday, November 12, 2003

I've seen several *installers*, "VISE installers" I think, that ask for the password, including Media Player's.

I think its something that happens during the install and probably not when running the application.

Robert Moir
Wednesday, November 12, 2003

<paranoid>
Given that recent MS software has a tendency to phone home, I would be really wary of giving it my root password. </paranoid>

Tapiwa
Wednesday, November 12, 2003

Asking for the admin password is sloppy installation on the part of the programmer - but increasingly common as software development gets dumbed down.

The installer needs the admin password only for doing certain things that should be optional, and should not be performed without obtaining the explicit permission of the user first.

.
Wednesday, November 12, 2003

The Administrator password on OS X is required for installing anything outside of your Home directory. Thus if the software insists on storing information in /Library or /System it needs your authority.

Global preferences or globally shared code (Office has them, they're DLL-esque), will need to reside outside of ~/ in order to be accessed by other programs.

Of course there should be an alternate installation scheme that says, "No, I'm really sure I just want to install it for just this user."

Lou
Wednesday, November 12, 2003

I think OSX made the right choice by getting people used to providing a password for potentially dangerous actions like installing software or decrypting stored website passwords. Most home Windows users run with administrative privileges ALL the time; no need to enter passwords, but less security as well.

Dan Maas
Wednesday, November 12, 2003

OTOH I believe getting your users trained on typing in the admin password on cue is terrible.
Developers should follow a least priveleges approach and platforms should provide granular security environments to offer the developers an environment to match.

Just me (Sir to you)
Thursday, November 13, 2003

I agree that regularly prompting the user for an admin password is a terrible idea.

This trains the typical user to enter their password whenever something pops up asking them for it. They think of things in terms of "I clicked OK and it worked so now I should always click OK". Training them to enter their password whenever prompted to get things to work breaks down resistance to entering a password. This makes them more susceptable to password prompts from trojans or web pages designed to look like an OS window.

A good example of this sort of training is the Internet Explorer ActiveX control install prompt. Users have learned that in order to get certain things working (such as Flash content), they have to agree when this prompt appears. So now they agree whenever prompted resulting in countless users with spyware and popup ads from no where.

SomeBody
Thursday, November 13, 2003