A warning on a new destructive 'company press release'
Authored by: CarlosD on May 12, '04 08:44:56PM

No offense to you Rob, since I think you do a great job here, but I think the online Mac press has done somewhat of a disservice by the implication of threat and of not countering the assertion:

"This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user's files with no warning, and AppleScript offers no protection against malicious commands."

As this release is coming from a development company, where people know better, and which can stand to gain from fear, the whole issue begins to look a bit suspicious. Downloading any executable, on any platform, and then executing that file involves risk.

As an AppleScript, this trick does not require Unix power (it could be done solely through AppleScript). The same trick could be done in Java (locally installed) or in OS 9 or a number of ways, as pointed out by others. Heck, even true installers can do damage if they are not properly configured.

People can be fooled by the changing of an icon. But there are also many ways to fool people. At some point, the press has to distinguish between a threat, which people can reasonably run into -- such as merely clicking on an email -- and a foolish gesture -- such as downloading "Microsoft Installers" from Gnutella. That is the real story here, not a "trojan horse", and definitely not a "serious weakness in Mac OS X," but an occasional weakness in human nature.

Leave off the name of any for-profit company that stands to benefit from the reporting of supposed malware. Let threat reports come from and be credited to only those reputable agencies tasked with looking out for such things. The Mac press should band together to distill the true threats and leave behind press releases meant for marketing.



A warning on a new destructive 'company press release'
Authored by: robg on May 12, '04 10:14:29PM

If you'll carefully re-read what I posted, you'll see that I did my very best not to spread FUD. I explained what I thought it was, how I thought it worked, and how, at its heart, it was basically an exercise in social engineering.

My main reasons for posting it were to (a) let people know it was out there, because it *is* dangerous, and (b) to discuss how it worked, so that people could be more aware when using their machines...

I'm in complete agreement with everything you said, other than the fact that I do think people need to know these exist...

-rob.



A warning on a new destructive 'company press release'
Authored by: CarlosD on May 13, '04 03:36:23PM

I do see that you made the effort to separate the issues more clearly. My comment was more directed at the Mac online press in general. I understand you had to react to the alarmist stories on other sites and all, and you did a good job of it, for which reason I hope(d) that you did not take offense to my comment. So, forgive me if I was not clear.

We may disagree on a few things:

I don't believe Intego merits a link to its site, press release, or name, even. But I understand it is an editorial decision for you.

We also disagree on what is the threat that needs to be highlighted. Most sites are warning about AS.MS2004, or whatever it is called, and its evil methods. But variants are likely, under different names, with different methods, and maybe only partially caught by so-called virus barriers.

In short: rm, AppleScript, UNIX, and even Mac OS X do not matter here.

Power users know to beware of software from unknown sources. Newer users just need to be taught this as a part of the basics of using a computer. Applications execute. Mind their origins. This is as basic as: do not empty the trash if you trashed a file you wish to preserve. Or: do not edit and then select "save" when you don't wish to overwrite the original version of a file.

Apple needs to do nothing.

I strongly disagree with the idea that AppleScript needs to have a preference for its shell command activation. What would be the default? On? Then we have a supposed "security hole". Off? Many good, powerful, enabling scripts break. Prompts would confuse newer users, and make the technology far less useful. Would we do the same for 'getURL' or 'tell app "x" to launch'?

This would still not mitigate the *root cause* which is someone downloading an untrusted app and executing.

I also think there is a legitimate reason for read-only scripts. Some code may be copyrighted, proprietary, or, maybe an admin doesn't want users to see specific settings. There needs to be some confidence that code can remain in the hands of an administrator.

This inflames passion in me not because of zealotry -- the Mac has its vulnerabilities -- but because it points us in a futile, useless direction to address *true* threats.

A *true* threat is when:

1) You use a trusted application / tool / OS component

2) in a common-sense fashion or as-given / as-prescribed / normal configuration and then

3) your system is damaged, compromised, or made vulnerable.

If someone uses Microsoft Outlook, as installed or reasonably configured, and merely clicks to read an email, and their system is compromised, *that* is a threat.

We need to focus on those as they come up for Mac OS X.



A warning on a new destructive 'company press release'
Authored by: davidbodonnell on May 13, '04 05:38:58PM

Very well said!



Missing the bright side of all this...
Authored by: MattHaffner on May 13, '04 11:25:22AM
Someone on /. got to this before I did, but it bears repeating here.

Losing your home directory to some random act of bad karma/decision-making is a huge setback. It is a real loss, of course, if you don't do regular backups. As many, many have pointed out here, there is very little you can do about this 'weakness' without crippling the user's access to their file space or the system's flexibility.

But keep the big picture in mind here. This particular, easily written, easily understood 'trojan' (which is a stretch) only affects a home directory. There may not be a lot of distinction for the average home user (especially those of us that migrated from OS 9) since we keep most of our 'data' there anyway, but in a corporate setting (and even in a multi-user home setting), this is a tremendous benefit. Windows (even XP I believe), OS 9, and tons of OS's before them that have less respect for user-space privileges would have rendered the computer completely useless with such a simple script.

Now, there's nothing to say that a more complicated attempt wouldn't be able to leverage the Installer or something similar to ask you to grant itself admin privileges, but we haven't seen that yet. But there's nothing on any other OS that couldn't do the same. Scripts run regularly on many *nix systems as a part of installations (Red Hat RPMs, Debian packages, etc.) and a single malicious line of code in such a thing can wipe your whole installation when you are installing system-wide software.

I completely agree with the parent post in the assertion that the press release written by said company was absolute hyperbole and written (deliberately) completely out of context of the whole OS picture. I personally wouldn't have minded a very strong statement from Apple rejecting such claims, but then again, maybe it's not worth drawing attention to such idiotic statements.


