Slashdot Mirror
Large Prize Offered For Writing Mac Virus
Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."
Anyone want to dig up the Slashdot story from way back where a OS X Mac users machine was "infected" because the guy downloaded and proceeded to run "Office for Mac" (which was mysteriously less then 1MB) off a P2P network, and found out every folder he had rights to was deleted (the program was just a shell script that was likely written by an 8 year who had just discovered that they existed and that you could use the delete command in them).
Puts things in perspective: If a user downloading and voluntarely running an obvious trojan are enough to count as a newsworthy event so far as Mac security is concerned, there can't be that many people trying to infect the 2 Mac users connected to the internet.
As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share.
The conclusive evidence is that OS X is a flavour of *BSD.
If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows, despite the fact that the Apache setup has, always has had, and most likely always will have too, a market share far greater than that of IIS.
That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...
clicking 'Yes' to install things they really shouldn't
Macs use verbs in dialog boxes, instead of 'Yes', 'No' and 'Cancel'. The button to install software on a Mac would be 'Install Software', not 'Yes', so clueless users have a better sense of what they are doing.
Discussed better here
Guy asked me for a quarter for a cup of coffee. So I bit him.
It had better be more than $50K for a Symantec Employee: according to my employment contract, writing a virus will result in my immediate termination. Such termination also means that I forfit all my stock options, worth far more than $50K at this point. And not to mention a great paying job with annual bonuses worth about half the original award.
So from an economic standpoint I'd be seriously in the hole, trading in options and bonuses worth a hell of a lot more than the amount being offered from a rather shady source.
No way!
Hartman: Private Joker, do you believe in the Virgin Mary?
Joker: Sir, no sir!
Hartman: Well Private Joker! I don't believe I heard you correctly.
Joker: Sir, the private said "No sir!", sir!
Hartman: Well, you little maggot, you make me want to vomit!
...
Hartman: Are you trying to OFFEND me?
Joker: Sir, negative sir! Sir, the private believes that any answer he gives will be wrong, and the senior drill instructor will beat him harder if he reverses himself, sir!
Hartman: Who's your squad leader, scumbag?
Joker: Sir, the private's leader is Private Snowball, sir.
Hartman: Private Snowball!
Snowball: Sir! Private Snowball reporting as ordered, sir!
Hartman: Private Snowball, you're fired! Private Joker is promoted to squad leader.
Snowball: Sir, aye aye sir!
Hartman: Disapear scumbag!
Snowball: Sir, aye aye sir!
Hartman: Private Pyle!
Pyle: Sir, Private Pyle reporting as ordered, sir!
Hartman: Private Pyle, from now on, Private Joker is your new squad leader, and you WILL bunk with him. He'll teach you everything, he'll teach you how to pee!
Pyle: Sir, yes sir!
Hartman: Private Joker is silly and he's he ignorant, but he's got guts, and guts is enough.
What a HUGE surprise. The linked page now explains, almost sorrowfully, why he decided to call it off. Read the last paragraph for a real laugh.
On this subject, I recently answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude on security (though admittedly much improved) versus other vendors speaks volumes on this topic.
It takes work and thought to do security, and do it right. Ease of use and security aren't mutually exclusive. The key is to make security easy to use, and Apple has so far been on the right road with Mac OS X.
But the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys, and so the weaknesses don't get exploited much.
The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument. It is indeed true that they are targeted less for this reason. But the argument that it's straight cause-and-effect is disingenuous
A quick visit to the website reveals that their
"Mac Virus Contest" is a totally bogus bit of
showmanship. ( From the: "Even bad publicity
is still publicity" Department ):
DVForge Virus Prize 2005
The Contest That, Sadly, WIll Never Be
Contest goal: To lay to rest, once and
for all, the myths surrounding the lack
of spreading computer virii on the
Macintosh OS X operating system, by
sponsoring a contest that challenges
virus writers to actually prove that
they can introduce a harmless virus
into two modern OS X Macs.
That was the goal of a contest
announced recently by DVForge, but,
due to a variety of influencing factors
was cancelled shortly after having been
announced.
A Statement About The Contest Cancellation
"In response to the statements put forth
this past week by Symantec Corporation
suggesting that Mac users are at
substantial risk to infections from viruses,
our company crafted and announced a contest
that would have paid a $25,000 prize for
the successful creation of such a virus,"
said Jack Campbell, DVForge, Inc. CEO,
"During the first several hours after making
the public announcement, I was contacted by
a large number of Mac users, and Mac software
professionals who shared their thinking with
me about the contest. A few of these people
are extremely well-regarded experts in the
field of Mac OS X security. So, I have taken
their advice very seriously, and have made
the difficult decision to cancel our contest.
I have been convinced that the risk of a virus
on the OS X platform is not zero, although it
is remarkably close to zero. More importantly,
I have been convinced that there may be legality
issues stemming from such a contest, beyond
those terminated by our own legal counsel,
prior to announcing the contest. So, despite
my personal distaste for what some companies
have done to take advantage of virus fears
among the Mac community, and my own inclination
to make a bold statement in response to those
fears, I have responsible choice but to retract
the contest, effective immediately."
DVForge, Inc. supports honesty and integrity by
manufacturers in all public communication. And,
we strongly discourage the use of exaggeration,
innuendo, or loosely stated claims in an effort
to increase sales of a company's products. We
believe in accurate, fair marketing statements,
and in allowing an accurately informed public to
then make its own decisions about purchasing,
or not purchasing, a company's products or
services. We implore all Mac industry businesses
to support these same values.
We do not endorse the creation or distribution
of computer viruses. U.S. and international law,
as well as simple good judgment forbid the
transmission of computer viruses.
I get no end of amusement from people claiming that Mac users buy Macs because "they don't know anything about computers," or something to that effect. The fact of the matter is, this particular Mac user sees his computer for what it is: an appliance. It's not a platform, a political party, or a religion. It's a machine, not entirely unlike a toaster or Cuisinart.
When choosing a computer, I took into consideration:
1) What I need it to do.
2) How I plan to interact with it.
3) How much effort I need to put into maintaining it.
3a) How much effort I need to put into making sure my machine stays mine (i.e. not compromised by some bored malcontent.)
So, over the course of several decades, I test-drove a few different machines, running different OSs (disclosure: I ran DOS and Windows variants up to and including XP, various Linux distributions, and Mac OS X.) It became glaringly obvious that OS X was far and away the OS of choice for the amount of time and effort I intend to invest in using and maintaing my computer.
I'm not a BSD advocate or a network security guru because, quite frankly, the subjects absolutely bore me to tears. However, even I can appreciate the simple, quiet wisdom of turning most networking services OFF on a fresh install of an OS (as does OS X.) Just think how much more secure our computing environment would be if people only enabled the services they absolutely needed.
No the article doesn't say that explicitly, you'd have to understand how viruses spread, and make a logical connection to get there.
Let me help you out.
Here's my paraphrasing of the individual claims, from memory. I'd quote better, but oh look, they've cancelled already.
-We have two Macs on different Internet connections. We won't tell you the IPs.
-We're going to check for the next couple of months and see if they are infected, just by being on the Internet.
-(Vague statements about being successful enough in the wild)
Leaving alone the email vector, which I've agreed elsewhere is(was) viable, how do the viruses get onto their two Macs? Has to be both, mind you.
named Switchback which infected OSX Macs, but nobody noticed it.
There are others such as Renepo.B
MacOS MW2004 Trojan, MP3 Concept, Opener, and a sound driver virus.
I think clearly the only virus myth about OSX, is the myth that OSX has no viruses that can infect it. Apparently there are at least several examples of OSX viruses, and that number seems to grow. It may even double every year.
I've always felt that using a computer without virus protection was like having unprotected sex without a condom with multiple partners. Back in the old days, when they used to say that the Commodore Amiga had no viruses, and that only MS-DOS suffered from viruses, Amigas got their own viruses that infected their systems. Usually it was one of those Amiga demo programs that people downloaded from BBSes to show off the Amiga's graphics and sound. Someone would infect it with a virus and pass it around. Amiga users felt that the Amiga virus was a myth, and many got hit. Now I see the same thing happen for OSX, only OSX is on the Internet and is subject to more danagers than the BBS world once offered.
So yes, the facts speak for Symantec, that OSX viruses exist, and possibly they could grow in number.
This bone-headed stunt of offering a contest to virus infect two Macs only shows how gullable people are. It was a phoney contest.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
*sigh*
I don't know why I bother with the tin-foil hat brigade, but it is an explicit terminatable offense at Symantec to write--or help in writing--a virus. They just clean out your desk and have security escort you out of the building that day, no appeal. Your stock options and stock purchase plan options are immediately revoked, you lose back vacation pay, and you get no severence. Just a bootprint on your ass as you're kicked out the door.
But of course I'm part of the conspiracy, so you'll probably think I'm either a dupe or a lying spokes-hole.
I like being part of conspiracies; I worked many years ago for JPL in the same building the Weekly World News claimed housed an alien spacecraft that was being studied by the military--and the tinfoil hat brigade didn't believe me then when I told them it was just so much hokem...
That's a direct result of the design of Windows. Whenever i use Windows, I am constantly amazed at the number of stupid dialog boxes one has to click through, to perform even simple tasks. Making things worse, their dialogs are often confusing and poorly-written. Many of them even mangle the English language.
If Microsoft had not conditioned users to view dialog boxes as mere annoyances, then maybe they would not dismiss them so quickly without reading them. In contrast, dialog boxes are much rarer on Macs, and they are written much more clearly, and are more useful. They encourage the user to pay attention to them.
... and then they built the supercollider.
"A critical security update is needed for your $RANDOM_APP. The update has been downloaded. Installing update..."
[Password Dialog Here]
Or somesuch.
I think that's the sort of thing a security-minded expert would prefer, and the average user would be overwhelmed by. Yes, it would. I believe that Debian kinda-sorta does this with "fakeroot". I'd like an actual sandbox... Yup! I've been pondering the need for this sort of thing for awhile. If it's clean enough, and robust enough, you can run _all_ of your applications in their own sandboxes. I think that this approach is simple enough to work for both the average home user and powerful enough to make a security guru happy. Exactly. And if you want to keep the changes, you can put it in $HOME/.sandboxes/appname, or, since we're on the Mac, perhaps $HOME/Sandboxes/Appname/...I like the way you're thinking.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
NeXT figured out that this could potentially be a gigantic security hole and switched off file access from display postscript.
This thread has the wrong idea about how this feature works. The dialog does not appear the first time any app is launched. It only appears if you try to open a document or URL that results in the Finder having to launch an app that you have never launched before. There are very few legitimate situations where you would have to do this, so it's quite likely that some users have never seen the message before.
This dialog is meant to deter the following exploit: