Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'A warning on a new destructive 'trojan horse'' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
A warning on a new destructive 'trojan horse'
Authored by: kirkmc on May 13, '04 02:47:59PM

Having followed this story since before it became news, and having discussed this issue with Rob before he posted this article, I'd like to toss out two ideas that seem interesting.

First of all - and I pointed this out to Rob earlier today - the comments in this forum are far more intelligent than just about any other forum comments I've seen about this issue. Hats off to you all.

Second, and more important, I'm a bit surprised by the many comments that focus on the method (AppleScript with custom icon) as opposed the the actual damage that this can cause. Frankly, the method is moot if it works. Saying, "Oh, you've been able to paste a custom icon on any kind of file for years" does not resolve the problem that you can, indeed, paste a custom icon on any kind of file.

Ignoring the questions of the complacency of many Mac users - and we are lucky to not have to deal with viruses like our Windows-using friends - and the sad state of Mac zealotry which tends to treat any such news as a personal attack, there remains a problem that Mac OS X does have vulnerabliities. Whether they are the result of natural selection, bad karma or whatever, these things shouldn't happen - a user shouldn't be able to lose all their files just because they double-click on something.

I think it would be much more useful to ignore the method used (though I agree with Rob for discussing it in this case) and look at the far-reaching problem of the fragility of Mac OS X. This is certainly no more fragile than other OSes, but there are weaknesses that should be addressed. Constantly shooting the messenger, as many fora are doing regarding this Trojan, serves little purpose, other than letting some people vent their anger. (It should be noted that Intego did not break this story; Macworld UK did. I don't see much criticism of them for doing so...)

There are weaknesses, and this Trojan is not the last that we'll see. There are bad people out there, some of whom may (gasp!) even be Mac users. Eventually, someone is going to find out ways of doing more damage and spreading their malware. The Mac community should work harder to get solutions to any weaknesses that are discovered; a Trojan horse like this should be considered a hidden gift. By pointing out a weakness (even though some people don't see it as such) it allows us to find a solution before it's too late.



[ Reply to This | # ]
A warning on a new destructive 'press release'
Authored by: CarlosD on May 13, '04 03:54:42PM

Forgive me for echoing something here, because I noticed your comment and wanted to repeat something from another post which I thought would otherwise be lost.

rm, AppleScript, UNIX, and even Mac OS X do not matter here.

Power users know to beware of software from unknown sources. Newer users just need to be taught this as a part of the basics of using a computer. Applications execute. Mind their origins. This is as basic as: do not empty the trash if you trashed a file you wish to preserve. Or: do not edit and then select "save" when you don't wish to overwrite the original version of a file.

Apple needs to do nothing.

This inflames passion in me not because of zealotry -- the Mac has it vulnerabilities -- but because it points us in a futile, useless direction to address *true* threats.

A *true* threat is when:

1) You use a trusted application / tool / OS component

2) in a common-sense fashion or as-given / as-prescribed / normal configuration and then

3) your system is damaged, compromised, or made vulnerable.

If someone uses Microsoft Outlook, as installed or reasonably configured, and merely clicks to read an email, and their system is compromised, *that* is a threat.

We need to focus on those as they come up for Mac OS X.

---
Carlos D
===
my music
http://music.altamar.dynalias.org/



[ Reply to This | # ]
A warning on a new destructive 'press release'
Authored by: kirkmc on May 13, '04 05:41:49PM

Your point is well-taken. But what, exactly, is a trusted source? Apple? And the iTunes installer that erased hard dsks... Microsoft? Their software has been known to cause problems?

While I agree that stupidity and gullibility play a large role here, the fact still remains that the system allows what is a very drastic operation with no warning. Even when you empty the Trash (unless you have consciously changed the default prefs) you get a warning.

Sure, you can say that the guy who found this DLed it with the hopes of getting something for nothing, but it still doesn't address the fact that the OS allows a serious operation without a blink. Hey, if you want to delete a user account from the System Prefs, you get a warning...



[ Reply to This | # ]
A warning on a new destructive 'press release'
Authored by: Spades on May 13, '04 06:50:29PM

Figuring out what is a trusted source is, just as in real life, all about common sense. Is Apple a trusted source? Almost certainly. I'm not familiar with this installer that erased the hard drive, but it sounds more like a bug than a malicious attack. Is P2P a trusted source? Absolutely not. P2P is the equivalent of taking candy from strangers. You were taught to not take candy from strangers, right?

If you want explicit levels of trust, then there's nothing stopping you. What you're looking for are software that is cryptographically signed. Requiring that though is borderline paranoia, and you're not going to find much signed software. It is much less troublesome to apply what you've learned about trust in life to computers.



[ Reply to This | # ]
A warning on a new destructive 'press release'
Authored by: CarlosD on May 14, '04 03:17:51PM

Yes, Apple and Microsoft are what I would consider trusted sources. (Though people are very much questioning the latter. ;) )

This is not to say that they are perfect, but to clarify and define what is a "threat".

A security breach, as you point out, can eminate from trusted sources. That is precisely the point. **That's** when we should sound the threat alarm.

The candy from the stranger analogy is a good one. When buying food from an established grocery store, or other outlet (in the industrialized world, at least), you expect that you can trust the integrity of the food. If it is bad or poisoned, you hear the alarm on the evening news. Recent example: Did you hear about the frog in the salad of a major airline?

But if you got food -- hot dogs, let's say -- from someone on the street -- no cart, no license stickers, never seen before, etc. -- and you get sick, do you try and ban all hot dogs?

Warnings are fine, but at some point, there has to be a limit to what prompts a warning. Extreme example:

[Someone typed the letter 'A'. The state of memory will be changed by this insertion. Do you wish the letter 'A' to be inserted into this document?]

One suggestion is to have a cache of trusted certificates for signed executables. But I strongly feel this should not be a default way of operating. It will add more burden to getting things done and make development and regular installation under all the different supported sub-platforms (BSD, X11, Java, Cocoa, Carbon) more difficult. Also, Apple would almost be guaranteeing a future 'security crisis' if one of the certificates got out or got cracked.

No. A simpler way, is to tell users not to take candy, or hot dogs, from strangers.

---
Carlos D
===
my music
http://music.altamar.dynalias.org/



[ Reply to This | # ]