Slashdot Mirror
Large Prize Offered For Writing Mac Virus
Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."
for days when someone suceeds at this. Never dare someone to do stuff like this, it is just too tempting of a target.
well. the contest is REALLY about finding a remote exploit hole in a mac.
because that's what it burns down to, making it self replicating wouldn't be much of an addition.
but why bother.. just send a chain letter with an executable for mac.. that amounts to what is some of windows viruses nowadays anyways(and that's what all symbian viruses are and they're getting awful lot of attention - they're just self replicating 'mailers' that the user needs to install themselfs).. and points out that a system that has no holes doesn't really protect you from everything(it doesn't protect the user if the user WANTS to install the software, which many do).
world was created 5 seconds before this post as it is.
A computer is only as secure as its user. Are they going to man these two naked Macs with total noobs, to make it a fair contest?
I am calling bullshit on this obvious lie. You had a clean instal, behind a firewall, with all the service packs installed, and in just 10 minutes after that with a direct connection to the net, someone infected it with spyware? That has to be bullshit.
I have been running Windows 2000 for years, and there is no spyware. And I am not doing anything special. I make sure to fdisk the mbr before an instal, just to make sure someone did not hide something on the hard drive before the instal. I do the instal off-line. Add a software firewall, then connect through a router to the net to get the service packs. I have never had any spyware on my system ever. I disable active-x from IE, and when I did my instal the only net protocol I install is tcp/ip, I do not instal the other 2- client or file & printer sharing.
Come on, when will all this anti-windows BS stop? The only reason people can hack it is because users don't instal service packs and because they open links in emails that use active-x. I gaurentee if those two problems are resolved, it will become 99.9% harder to infect a machine- a hacker would not just be able to run software, he would have to know your system and activly fight to get in, which would be too much work for him.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
In particular, appfolders have had some pretty nasty broken-by-design security exploits like the URL handler variants where an internet enabled DMG would self-mount itself into the filing system and automatically reconfigure URL schemes in Safari, all without the user doing anything other than visiting a web page. I think (hope) they fixed that but it was still several months until all the holes and variants of this technique were "fixed" (really just hacked around). The help system exploits Apple suffered were similar in nature.
Essentially, Apple haven't proven themselves any more skilled at designing secure desktops than Microsoft have. That said, this sort of competition is fairly pointless: being able to "infect" a machine with no action taken by the user boils down to finding buffer/heap overflows and the like in running software. Many viruses propogate with a bit of help from the user, even if all that involves is surfing the web.
Sending an executable as a mail attachment is easy, but fooling a user into launching is is much harder on the Mac than it is on Windows.
Unlike Windows, the MacOS uses filesystem embedded filetype and resource fork information to determine what kind of file a file is. You can't just change the filename into photo.jpg or letter.doc to make the attachment look like a photo or a word document. If it is an executable, the Mac will show it as such.
This means you will have to convince the user that the ececutable in question comes from a trusted source and that it is safe to launch. Even then, MacOS X will open a dialog that explains to the user that this is the first time this application is about to be launched, that it might be dangerous and then ask if the user wants to proceed. At that point most Mac users will cancel if they are not sure what this application is and where it came from.
But even if they proceed to launch the application, then the application still won't be able to install anything on the user's machine. If it tries to do that, the user will again be notified that some software is about to be installed and that an administrator password is required to do so.
Somebody would have to be incredibly naive to ignore all the warnings and still proceed.
This type of attack is rather unlikely to be successful in causing a spreading of the trojan. The propagation mechanism is far too weak. The news about such an attack will be all over the net before the trojan had a chance to propagate.
If anybody is to succeed with an attack against the Mac, it would have to be an exploit of some security flaw in the OS or in a privileged application.
the macintosh asterisk mailing list http://www.astm
Tried to install any applications lately (like, say, OpenOffice)? The installer demands administrator access, and will REFUSE to continue unless it gets it. Even if you're only going to install it into /tmp or $HOME to check it out.
Try to compile F95 in GCC? You might be instructed to download a DMG of "up to date" cctools. But when you mount the drive, you get an installer, and this installer also demands administrator access, presumably so it can stomp on the tools already installed. And it's non-obvious where you go to get the source that will compile on the Mac so you can install it in a place of your own choosing.
Mac users are slowing being trained to be as dumb as MSWindows users. When the pretty little dialog asks for the administrator password, just provide it, otherwise you won't be able to play, and the maintainers of that package will mock you. Caution? What's that? Prudence? Soooo old-school. Paranoia? Get a life!
There's not much difference between being trained to grant a program administrative status every time it asks for it and running as the administrator all the time. It just adds a ten-second delay before your machine is compromised, and people can point at you and wonder aloud why you didn't _know_ what the program was going to do before it did it.
I'm not giving up my Mac in favor of anything out of Redmond. I just want a stick I can beat developers with when they write installers that demand administrative access and refuse to go further until they get it. If the user declines to give the administrative password, then let them choose where to install your software, and give them a README on what they can do "by hand" to integrate your software. IF they so choose.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
The conclusive evidence is that OS X is a flavour of *BSD.
This is a meaningless statement. It is unclear what bearing the BSD heritage has on the ability of OS X to thwart the kind of trojan/malware attacks that Windows users are subjected to.
If that doesn't strike you as conclusive, then feel free to explain how it is that Apache running on *BSD has such a better security record than IIS running on Windows
Without knowing which versions of Apache, BSD, IIS and Windows you are referring to, it is impossible to establish whether your assertion that the Apache/BSD combo is more secure than the IIS/Windows combo is actually true.
And even if it were universally true, it is unclear what bearing any purported security benefit of Apache/BSD over IIS/Windows has on the ability of OS X to thwart the mostly email-propagated attacks that Windows users are subjected to.
That certainly strikes *me* as being a pretty compelling counterargument to the greater market share theory of hacker victimization, anyway...
If you think a non-sequitur based on unsubstantiated premises qualifies as a "compelling counterargument" of any sort, I suppose.
"Somebody would have to be incredibly naive to ignore all the warnings and still proceed."
Yes, and if ignorance really was bliss, the world would be one hell of a lot happier then it actually is.
I'm an IT consultant.
I've watched countless users sit there and click though endless dialogs warning them about how they're about to unleash bubonic plague upon the world or whatever. These people regard warnings as a hassle, something to be dismissed as quickly as possible. They do not regard them as an actual warning. Warnings are something that apply to other people.
If you change the default button to be the "safe" option, they click-and-close, try again and click-and-close, try again and click the other button and continue. They don't do this by reading the dialogs, they do this because if it didn't work the first two times they tried the first button, then it must be the other one.
If you require users to enter in "please destroy all my data" on the keyboard before running something, they will happily do that, to. While asking me why it asks them that.
If you require them to type a password, they'll type that in upon request, too. Look at how successful phishing scams are.
If all this fails to get some badware on the computer, users will seek out things like "Hotbar", "Gator", "Comet Cursor", "Bonzai Buddy", and so on, and try to install them.
People just don't want to have to think. That's the ultimate problem.
There's no doubt that the average MS-Windows system, as deployed, is hideously insecure. However, experience has shown me that even if you lock the system down well, users will still try and destroy it.
I've found the only way to keep users from compromising the security of their system is to remove their ability to do so. Then they just complain to me constantly that they cannot install all their badware. But then I can just tell them "Tough!".
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I hate to break it to you, but there's very little that Apple (or Mircosoft, or Linux, etc) can do to prevent many types of viruses, since they are installed by the user themselves. Think about a traditional virus that infects a binary and is run when the program is run. Or a trojan program that does bad things to your system. Good file permissions can prevent the spread of such viruses and limit their damage, but they aren't that hard to write. I've even seen prototypes for a shell script virus (in an educational setting, and non-destructive except for polluting your shell scripts). There's very little technically that anyone can do to prevent a shell script virus, at least not without making the system difficult to use (or radically redesigning the system, which will probably have other drawbacks).
Now, if you're talking about worms, yes most spread through security holes in the system, and those can be fixed. But there are many classes of malware where the security "hole" is the human doing work. And those are very hard, if not impossible to prevent.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Nice theory, but here's a few more points for you:
Postscript has been around two decades now, and AFAIK the only "virus" ever reported written it couldn't do anything but reset your Apple Laserwriter password. If you think you can write a Postscript program which reformats my hard drive, talks to my mail client, or even just brings up a dialogue box on my screen that says "Hi, I'm PostScript!", you're welcome to start hackin' now.