Dashboard Questions

I skipped Tiger so I'm kind of behind on Dashboard and related security.
I've done some reading but I seem to keep running across the same
references from when Dashboard was first introduced. It seems that many
times when I access the Dashboard, Little Snitch reports a whole bunch
of attempts to access various web sites. The Apple ones are OK
(according to what I've read)... right? But what about the others?
Bloomberg, SecondLife, Google, Yahoo, SpyMac and others. I don't
understand what is going on or whether these outgoing calls are safe.
It is certainly a big PITA to have this happening so often.

I have only a few widgets to include a currency converter, weather,
dictionary, calculator, calendar, clock, unit converter and translator.
Any references or help would be appreciated. Thanks.

Madeleine

Madwen wrote:
> I skipped Tiger so I'm kind of behind on Dashboard and related security.
> I've done some reading but I seem to keep running across the same
> references from when Dashboard was first introduced. It seems that many
> times when I access the Dashboard, Little Snitch reports a whole bunch
> of attempts to access various web sites. The Apple ones are OK
> (according to what I've read)... right? But what about the others?
> Bloomberg, SecondLife, Google, Yahoo, SpyMac and others. I don't
> understand what is going on or whether these outgoing calls are safe.
> It is certainly a big PITA to have this happening so often.
>
> I have only a few widgets to include a currency converter, weather,
> dictionary, calculator, calendar, clock, unit converter and translator.
> Any references or help would be appreciated. Thanks.
>
> Madeleine

You can turn off the ones you don't want in dashboard itself, click the
'manage widgets' button. But to be sure, you can delete them from
/Library/Widgets/ completely.

Essentially it's the same as accessing a webpage and has the same risks,
except that you aren't actually watching while they access the sites,
and they can do anything that you as the user can do because they are
owned by you and have more capabilities than the usual javascript in
websites. I'd delete anything I don't really need and only use things
from somewhere I trust, which in my case is just a few apple ones,
seeing as there is no point in not trusting apple, and the BBC weather
widget because it gives nicer forecasts. I know there have been
'security improvements' since they were introduced, but why have
unnecessary potential risks?

I don't use Safari, but if you are you might need to check that it isn't
set to automatically open 'safe' files. If you are using a different
browser then widgets can't self-install.

Andy

In article <fkv4hu$dbq$>, nospamatall <>
wrote:

> Madwen wrote:
> > I skipped Tiger so I'm kind of behind on Dashboard and related security.
> > I've done some reading but I seem to keep running across the same
> > references from when Dashboard was first introduced. It seems that many
> > times when I access the Dashboard, Little Snitch reports a whole bunch
> > of attempts to access various web sites. The Apple ones are OK
> > (according to what I've read)... right? But what about the others?
> > Bloomberg, SecondLife, Google, Yahoo, SpyMac and others. I don't
> > understand what is going on or whether these outgoing calls are safe.
> > It is certainly a big PITA to have this happening so often.
> >
> > I have only a few widgets to include a currency converter, weather,
> > dictionary, calculator, calendar, clock, unit converter and translator.
> > Any references or help would be appreciated. Thanks.
> >
> > Madeleine
>
> You can turn off the ones you don't want in dashboard itself, click the
> 'manage widgets' button. But to be sure, you can delete them from
> /Library/Widgets/ completely.
>
> Essentially it's the same as accessing a webpage and has the same risks,
> except that you aren't actually watching while they access the sites,
> and they can do anything that you as the user can do because they are
> owned by you and have more capabilities than the usual javascript in
> websites. I'd delete anything I don't really need and only use things
> from somewhere I trust, which in my case is just a few apple ones,
> seeing as there is no point in not trusting apple, and the BBC weather
> widget because it gives nicer forecasts. I know there have been
> 'security improvements' since they were introduced, but why have
> unnecessary potential risks?
>
> I don't use Safari, but if you are you might need to check that it isn't
> set to automatically open 'safe' files. If you are using a different
> browser then widgets can't self-install.

Thanks. I rarely use Safari but my prefs are set correctly. I use
Firefox +99% of the time. I've also deleted the widgets I don't want.
But I do find the few I noted to be very convenient except for the
calling out. And I was hoping to add a few more. Are you saying that
they "call out" whether or not they are enabled and that removal is the
sole way to stop it?

Unless that is true, I guess I'll just have to disable all but one,
enable one at a time, see which web site belongs to which widget,
determine what happens if I won't let it call out, and attempt to make
some kind of trust assessment. I've never seen software that seems to
want to call out so much and it's a pain.

Madwen wrote:
> In article <fkv4hu$dbq$>, nospamatall <>
> wrote:
>
>> Madwen wrote:
>>> I skipped Tiger so I'm kind of behind on Dashboard and related security.
>>> I've done some reading but I seem to keep running across the same
>>> references from when Dashboard was first introduced. It seems that many
>>> times when I access the Dashboard, Little Snitch reports a whole bunch
>>> of attempts to access various web sites. The Apple ones are OK
>>> (according to what I've read)... right? But what about the others?
>>> Bloomberg, SecondLife, Google, Yahoo, SpyMac and others. I don't
>>> understand what is going on or whether these outgoing calls are safe.
>>> It is certainly a big PITA to have this happening so often.
>>>
>>> I have only a few widgets to include a currency converter, weather,
>>> dictionary, calculator, calendar, clock, unit converter and translator.
>>> Any references or help would be appreciated. Thanks.
>>>
>>> Madeleine
>> You can turn off the ones you don't want in dashboard itself, click the
>> 'manage widgets' button. But to be sure, you can delete them from
>> /Library/Widgets/ completely.
>>
>> Essentially it's the same as accessing a webpage and has the same risks,
>> except that you aren't actually watching while they access the sites,
>> and they can do anything that you as the user can do because they are
>> owned by you and have more capabilities than the usual javascript in
>> websites. I'd delete anything I don't really need and only use things
>> from somewhere I trust, which in my case is just a few apple ones,
>> seeing as there is no point in not trusting apple, and the BBC weather
>> widget because it gives nicer forecasts. I know there have been
>> 'security improvements' since they were introduced, but why have
>> unnecessary potential risks?
>>
>> I don't use Safari, but if you are you might need to check that it isn't
>> set to automatically open 'safe' files. If you are using a different
>> browser then widgets can't self-install.
>
> Thanks. I rarely use Safari but my prefs are set correctly. I use
> Firefox +99% of the time. I've also deleted the widgets I don't want.
> But I do find the few I noted to be very convenient except for the
> calling out. And I was hoping to add a few more. Are you saying that
> they "call out" whether or not they are enabled and that removal is the
> sole way to stop it?

No, It's okay, I'm probably just over-cautious. I don't imagine they can
do anything when switched off. I just chuck out the ones I don't need
because it's no loss.
>
> Unless that is true, I guess I'll just have to disable all but one,
> enable one at a time, see which web site belongs to which widget,
> determine what happens if I won't let it call out, and attempt to make
> some kind of trust assessment. I've never seen software that seems to
> want to call out so much and it's a pain.

They are like mini web browsers, they call out periodically to check the
equivalent of a web page. Some might call google for something like
google analytics, which some websites use for stats. If you don't have a
widget for google you could just tell LS not to let it access that site.
Best thing would be to "deny once" on everything you're not sure about,
and then see what widgets are not working, then by trial and error you
can see what is essential for the ones you do want. If you click on one
of the widgets, like to change something by clicking on the little 'i'
symbol, that might activate just that one and make LS come up with the
dialog again, and let you see which sites it is trying to access without
all the others confusing the issue.

I'm sure others would be interested to know if any disabled widgets call
out. I would. I remember reading somewhere a long time ago that widgets
were not entirely disabled when turned off. I can't remember where, or
in what way, but I thought I may as well completely delete those, just
to be absolutely sure.

Andy

In article <fl0a4k$ip2$>, nospamatall <>
wrote:

> Madwen wrote:
> >>> I skipped Tiger so I'm kind of behind on Dashboard....
> >>>
> >> You can turn off the ones you don't want in dashboard itself, click the
> >> 'manage widgets' button. But to be sure, you can delete them from
> >> /Library/Widgets/ completely.
> >>
> >> Essentially it's the same as accessing a webpage and has the same risks,
> >> except that you aren't actually watching while they access the sites,
> >> and they can do anything that you as the user can do because they are
> >> owned by you and have more capabilities than the usual javascript in
> >> websites. I'd delete anything I don't really need and only use things
> >> from somewhere I trust, which in my case is just a few apple ones,
> >> seeing as there is no point in not trusting apple, and the BBC weather
> >> widget because it gives nicer forecasts. I know there have been
> >> 'security improvements' since they were introduced, but why have
> >> unnecessary potential risks?
[...]
> > ...Are you saying that they "call out" whether or not they are
> > enabled and that removal is the sole way to stop it?
>
> No, It's okay, I'm probably just over-cautious. I don't imagine they can
> do anything when switched off. I just chuck out the ones I don't need
> because it's no loss.
> >
> > Unless that is true, I guess I'll just have to disable all but one,
> > enable one at a time, see which web site belongs to which widget,
> > determine what happens if I won't let it call out, and attempt to make
> > some kind of trust assessment. I've never seen software that seems to
> > want to call out so much and it's a pain.
>
> They are like mini web browsers, they call out periodically to check the
> equivalent of a web page. Some might call google for something like
> google analytics, which some websites use for stats. If you don't have a
> widget for google you could just tell LS not to let it access that site.
> Best thing would be to "deny once" on everything you're not sure about,
> and then see what widgets are not working, then by trial and error you
> can see what is essential for the ones you do want. If you click on one
> of the widgets, like to change something by clicking on the little 'i'
> symbol, that might activate just that one and make LS come up with the
> dialog again, and let you see which sites it is trying to access without
> all the others confusing the issue.
>
> I'm sure others would be interested to know if any disabled widgets call
> out. I would. I remember reading somewhere a long time ago that widgets
> were not entirely disabled when turned off. I can't remember where, or
> in what way, but I thought I may as well completely delete those, just
> to be absolutely sure.

Thanks so much. You've been a big help as I really did not understand
how the widgets worked. Having at least a rough idea of that really
helps. I'll do my little tests and see what happens. And if anything
meaningful comes of it, I'll certainly post a follow-up.

Madeleine