Filed under: Bad Apple
Mac OS X 10.4.7 Phones Home
Daniel Jalkut has discovered that the Mac OS X 10.4.7 update released last week is causing his computer to phone home to Apple. Every eight hours, a process called "dashboardadvisoryd" is contacting two different servers hosted by Apple, ostensibly to verify that the Dashboard plug-ins you have installed are the same versions as the ones provided by Apple.While this certainly isn't as insidious as Microsoft's much-maligned Windows Genuine Advantage program phoning home to verify the authenticity of your operating system's license code, I find myself agreeing with Daniel that Apple should provide us a way to turn this feature off. For my few computers at home, I doubt that I'll care much whether each is talking to Apple's servers, but in my work environment where I manage many hundreds of computers, I now need to evaluate whether this change is going to have a negative effect on my network. I've already got network administrators mistaking Bonjour traffic as PC viruses, the last thing I need is to have another discussion with our firewall administrator to explain why our lab computers are all hitting an Apple server at scheduled periods.
I've been debating all summer whether or not our computers in the Fall would have Dashboard enabled. I have no choice now but to disable Dashboard on our lab and classroom computers until there's an easier way (other than using Little Snitch) to turn off this phoning home feature.
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 2)
nosidam said 7:29PM on 7-04-2006
Cult of Mac has an easy way to turn it off...
http://blog.wired.com/cultofmac/index.blog?entry_id=1515043
Reply
Mark Gilbert said 7:36PM on 7-04-2006
Is it just me or does it seem odd to anyone else that Apple would do this? Why is there a need to check dashboard plug-ins are the same version as the ones supplied by Apple? What purpose does this serve? Why does it need to check dashboard plug-ins every 8 hours? The time-scale of the calls home should set alarm bells ringing, especially with the stated reason for calling home. I think there is more to this particular incident than is first apparent. Time will tell though. This could be a similar thing to Microsoft's WGA tool, it certainly acts in a similar way, or it may be nothing.
Reply
Dan said 8:01PM on 7-04-2006
Picture proof:
http://flickr.com/photos/uneasysilence/181934745/
Reply
Jer said 8:03PM on 7-04-2006
Hmm, I'm using Little Snitch and it hasn't said a peep about this. Maybe I'm using an older version that 10.4.7 has found a way to sneak around.
Cheeky.
Reply
Jordan said 8:11PM on 7-04-2006
Wow, an application checking with a central server checking to see if it is up to date. Everyone better get out their tin-foil hats in order to welcome this era of auto update.
Reply
Don Wilson said 8:18PM on 7-04-2006
Old - http://www.google.com/search?q=dashboardadvisoryd
Reply
Henry said 8:32PM on 7-04-2006
Could be that Apple is trying to see how many people activly update and use their dashboards and how many people don't bother or don't use it at all.
Reply
Van Daniel said 8:34PM on 7-04-2006
I agree with Jordan; what is the deal with mass paranoia over something that doesn't matter. So many people get religiously offended at the thought of the computer talking to company servers, my attitude: it doesn't matter. I truly have better things to do.
Reply
viperteq said 8:50PM on 7-04-2006
Daniel,
I, like you, work in a computing lab environment. At my university we manage close to 100 G4 iMacs. Anyway, you said in the article that you're debating if you're going to have Dashboard enabled in the Fall. I think this will only affect you IF you are planning on updating all of your Macs to 10.4.7; We are just now upgrading to 10.4.5 - this will not afect our Macs and consequently our network. If you hold off on updating the Macs for a while until Apple comes up with a resolution (which they will now that this is starting to get out), then you will not have to disable Dashboard for your users.
Reply
Macster said 9:13PM on 7-04-2006
It wasn't long ago that any program that contacted another computer without the user's knowledge was neither exceptable nor tolerated . Sad that no one seems to care anymore.
Reply
Joey said 9:27PM on 7-04-2006
They may be checking to see how often the dashboard is used. If this is true then they must be considering removing the dashboard.
Reply
Darren Stone said 9:27PM on 7-04-2006
dashboardadvisoryd periodically downloads this file:
http://www.apple.com/widgets/widgetadvisory
This file contains signatures of known malicious dashboard widgets. dashboardadvisoryd checks if you have any of these malicious widgets, and if so runs widgetadvisory.app (in /System/Library/CoreServices/Dock.app/Contents/Resources) which prompts you to remove the malicious widget from your system.
dashboardadvisoryd uses a simple HTTP GET to download the widget signatures and does not contain any identifiable information about you or your computer, other than your IP address. Besides, Apple already knows everything about you and your system through Software Update; it doesn't need to use dashboardadvisoryd for that purpose.
If you don't want Dashboard to periodically check for malicious widgets then you should disable dashboardadvisoryd.
Reply
Derek said 9:32PM on 7-04-2006
I think that all people are asking for is a simple preference to turn it off or on. It's no different than auto update or network time. I'm sure Apple will improve this feature in a future update.
Reply
Perry The Cynic said 10:43PM on 7-04-2006
Damien,
It downloads a list-of-known-nasty-widgets. No information about your system is transmitted (other than your IP address, obviously).
> I have no choice now but to disable Dashboard on our lab and classroom
> computers until there's an easier way (other than using Little Snitch) to turn
> off this phoning home feature.
Hm... if your stated policy is to uninstall and turn off anything that might cause network traffic, you better turn off everything that uses X509 certificate logic, including all SSL in Safari and Mail (and iChat and... well, most places). Any of these can reach out and download CRLs and/or OCSP responses while evaluating certificate validity. Which is, in the big picture, pretty much what the widget "advisory" list is - a revocation list for widgets.
And yes, I know of what I speak. Email if you want to discuss.
Cheers
-- perry
Reply
Tony said 10:56PM on 7-04-2006
I believe my work just has the dashboard totally disabled. Though, it could just be obscured, as they've done (poorly) with the iTunes store.
Reply
icerabbit said 11:01PM on 7-04-2006
I actually saw that one pop up today. I thought it was part of some widget checking for an update ... not Dashboard / Apple phoning home.
Reply
Bjorn Townsend said 4:20AM on 7-05-2006
There is really nothing to get excited about here. I've looked at the traffic on the wire, and dashboardadvisoryd is just making a simple GET request in each case. It's not sending Apple any data whatsoever. This is no more inimical than your Mac periodically checking for software updates.
Here's the sum total content of the data sent to Apple:
GET /widgets/widgetadvisory HTTP/1.1
User-Agent: CFNetwork/4.0
Connection: close
Host: www.apple.com
(apple response)
GET /widgets/parser.info HTTP/1.1
User-Agent: CFNetwork/4.0
Connection: close
Host: www.apple.com
Not very exciting, is it?
Now the *response* from Apple is a little more interesting in that it appears to contain some SQL commands:
(this is in response to the widgets/widgetadvisory request)
HTTP/1.1 200 OK
Age: 1459
X-Cache-TTL: 84941
Accept-Ranges: bytes
Date: Wed, 05 Jul 2006 05:31:15 GMT
Content-Length: 2095
Content-Type: text/plain
Expires: Thu, 06 Jul 2006 05:31:15 GMT
Cache-Control: max-age=86400
Server: Apache/1.3.33 (Darwin) PHP/4.3.10
Last-Modified: Thu, 08 Jun 2006 22:08:55 GMT
ETag: "82f-44889ff7"
X-Cached-Time: Mon, 03 Jul 2006 22:08:14 GMT
----- BEGIN SIGNATURE -----
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEOi+qBbNkDp0nAQAAAAAAAAAAAAAuAAAAAAAAACYAAAAAAAAAAABIOEHzTnY9yhcFfWh/8KSqN7WlRXUAAAAAAACgggO2MIIDsjCCApqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUQXBwbGUgQ29tcHV0ZXIsIEluYy4xEjAQBgNVBAsTCURhc2hib2FyZDEeMBwGA1UEAxMVRGFzaGJvYXJkIEFkdmlzb3J5IENBMB4XDTA2MDUxNzE4MDkxN1oXDTM2MDQyOTE4MDkxN1owXTELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEFwcGxlIENvbXB1dGVyLCBJbmMuMRIwEAYDVQQLEwlEYXNoYm9hcmQxGzAZBgNVBAMTEkRhc2hib2FyZCBBZHZpc29yeTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJkOc7PdgTrpeDvBwZ59e7CDdWiTauUxSDwm8SA4JgrQ+Gwj7c/T1KgJI57F8Eq8fju+Ckq0/p+uVLUQJ2beCYPydyKJpH5Je5g9iB9iUUoO8uamSloFOJMFOYOPn8kPKjtKvYEs2NSf8+LK+S8tOTO0ng8jfPmcTDpiTVFh3rmukoypZJ722iBXJS5MOjXwGeMd8eib3mbPrHi4kFhQzuG48d7f7LrPdQ+mIfMk69yAymGtyQf7Uubi8wXGgKxUBXkS3EE8l8Pd6mybz5Yz/42RPfEG2FrinaggJE/TaW4Kb9Di5S4jt/j8csA+6YYMR7GxGuC/hoo+gHimG+kD1UCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgeAMA8GA1UdEwEB/wQFMAMCAQAwFQYDVR0lBA4wDAYKKoZIhvd
ZAQBBDAdBgNVHQ4EFgQUlxwKOog1HQ1DbOELsmm3KEMOVuYwHwYDVR0jBBgwFoAUSr8UjJUmkWRrNzi
PFKtr9B5FN4wDQYJKoZIhvcNAQEFBQADggEBAHOofvRSyOEIXgYsaWZDIBFdV61hZ3CTkdTD9rq6DnECW/gwhTcLZHuAG/MfWJeake+jKUGPTNnVIcRczCqOXoqlLgoKwAzzg+DOqsa5UpEqvL3lrhELbBcj+c0cg1Pbng4w+VIpQgE0t29umqV4TXH/jkBygQrl0IsQoDKsW1HxAAMjrm1xF7Z6RYXpIi5QNw26768puZu+BUWj12vE89Z5GqXigvnet+M83jgiRvBYMQrlDnuITZ3ZPtlKowIqGvqYMJ4gUXJR//1Pd/oMKJv0GHQZtm6E4KXxpbpqZytNV2S1xxYvzjvsd+Txe04GzSZPMDvZ8JtcZPuG6pmyaLYxggGMMIIBiAIBATBlMGAxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRBcHBsZSBDb21wdXRlciwgSW5jLjESMBAGA1UECxMJRGFzaGJvYXJkMR4wHAYDVQQDExVEYXNoYm9hcmQgQWR2aXNvcnkgQ0ECAQIwCQYFKw4DAhoFADANBgkqhkiG9w0BAQEFAASCAQCwtBTzu2nqG44g13ihSNGgyYVhDdIknwGCkJeGR1brO8X/TQskasXeqLsUFjtMtZyDKcFiMPq7BCfaM/SkwCi8lCmCrYxQVccBIQt19sHpQFj/+u2C0KI7603jgbOCN8rgvojmvCPVYkc13/bM5vwl7Oxtu5fgnmCqwSk5lkZJl4AJT0Ju9kBXY7dnRGgb5mCkCJCdU5CW5FQ4wlguARLmir6wR3f8n6xRTyYru2OlJJZwEr0ayqrEKBHgXY3+BYcpN+P3MPmpCoS83vNcYzItHbNmh9v6Ln7uUR3H2l5lFshqK2p3pgqXBYBTmv03uAp2L2pF0J6MdBirohWiqq31AAAAAAAA
----- END SIGNATURE -----
BEGIN;
INSERT OR REPLACE INTO meta VALUES ('serial-number', 1);
COMMIT;
So that makes me kind of wonder if someone spoofing apple.com couldn't do some SQL injection here, but since Apple is signing the file it should be easy to detect and there is probably a mechanism in place to prevent this.
All in all, nothing to get your knickers in a twist over.
Reply
Jimbob said 7:38AM on 7-05-2006
I have no objections to Apple making sure I don't have anything malicious on my Mac :)
However it may have been an idea to mention this in the update.
Reply
Brad said 10:32AM on 7-05-2006
I haven't encountered this yet, but it must be because of the fact that I don't use Dashboard. I doubt it's activated when the user doesn't use Dashboard.
And it's not like Dashboard is worth my time, anyway...
Reply
Jeffrey Bergier said 11:51AM on 7-05-2006
Dashboardadvisoryd is located
/System/Library/CoreServices/Dock.app/Contents/Resources/dashboardadvisoryd
if you want to disable it in little snitch. And again, I don't care that it doesn't send personal data. I just hate the idea that my computer is doing something without me ever requesting... or even worse ever knowing about it doing. So screw apple and their stupid dashboardadvisory daemon.
Reply