Slashdot Mirror
Large Prize Offered For Writing Mac Virus
Mordant writes "Some experienced Mac developers are offering a $25K prize to the first person to successfully infect two 'naked' Internet-connected Macs running stock Apple software. The best part is that if any Symantec employee succeeds in infecting the Macs, the prize goes up to $50K (Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda)!" Update: 03/26 20:24 GMT by Z : Well, that was quick. Jack Campbell has cancelled the contest, after he "...was contacted by a large number of Mac users, and Mac software professionals who shared their thinking with me about the contest."
This has got to be one of the stupidest contests of this type I've heard about.
1) If a virus has spread over every Mac on the Internet, then it's harmful.
2) Many people would say that ANY virus is harmful, just by virtue of it being a virus (spreading, infecting.)
3) I'm so sure it's worth $50,000 for Symantec to finally put that "Antivirus companies don't write viruses" myth to bed.
4) We're going to use antivirus software to determine if we've been infected... which will only catch previously known viruses.
5) Hey you guy that wrote the virus that spread to every Mac on the Internet: just identify yourself afterwards, and we'll pay you.
for days when someone suceeds at this. Never dare someone to do stuff like this, it is just too tempting of a target.
Nice balanced submission you got there. As far as I'm aware there is no conclusive evidence that shows Macs are inherently more secure and would not suffer the virus problem that Windows does if it had Windows' market share. Note that a lot of the virus problem comes from users showing bad practice (clicking 'Yes' to install things they really shouldn't, opening attachments they really shouldn't). I wouldn't be suprised if Mac users were on average more savy, and this could contribute.
At what point does a virus become hamless and benign, i'm interested in what the /. community think so fthat statement.
This is the notorious Jack Campbell, one of the shadiest characters around. It's undoubtedly a publicity stunt for his business. What a jerk.
Even a virus would be more useful.
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova
1. symantec employee writes mac virus. ..or maybe not :)
2. fine print in employment contract says that virus effectively belongs to symantec.
3. symantec keeps the money and comes out in the black on mac antivir software for once!
They aren't asking for source code to the virus, or the virus to be sent to them (and only to them) in a polite form, they're leaving two Macs exposed to the net and expecting to pick a winner by what their virus scanning software finds. You claim the money by sending them a 32 character string that appears in the virus.
If you got a virus to them this way, I think the $25k would only begin to cover your legal bills.
A computer is only as secure as its user. Are they going to man these two naked Macs with total noobs, to make it a fair contest?
Something tells me it's unlikely you'd ever see the cash, even if you were to succeed.
Google for Jack Campbell and MacTable for more info on this guy's shady past.
Since the majority of viruses, spyware, and other crap are due to user inaction, this isn't really a fair metric about the overall security. However, it is good to compare against the Windows survival time which is measured in minutes. This does show that Apple has its default security setup as "paranoid with multiple tin foil hats) compared to Windows XP's default setup. A more interesting test would compare how hard it is to get spyware onto a user's computer via the default webbrowser since that seems to be the primary vector these days. However, this is problematic since it's heavily dependent on user stupidity.
--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof
"Macs aren't more secure, it's just that Windows is a bigger target"
While this statement may SOUND true, it's a fact, MAC OS X was built with more security in mind than Windows. Security was built into the OS from the ground up. That can't be said of Windows.
While making a statement such as "Macs can't have a virus" is false, I would say it would be more difficult to make one, than creating one for a Windows box, which seems like an Joe Shmoe can do.
And after 3 months, it ends up being a virus that requires WINE.
Would you accept the word of a locksmith telling you that your current locks aren't sufficient and that you should give him lots more money to put new locks on your house if he cannot SHOW you how easy it is for him to pick your current locks?
It's time for Symantec to put up or shut up. Either Macs do need their software AND they can prove it or they're just pushing their software with lies.That's an awful big "if".That's a real problem. Either the virus writer has to modify an existing virus so that its signature is picked up, or send the virus software companies a copy of his virus so they can update their signature files.That's about how it will go.
Either someone has to show how it can be done, or Symantec needs to shutup about how vulnerable Macs are.
Personally, I don't see much of a problem there.
Worms attack through ports.
Viruses load themselves into memory and infect other files.
Trojans only run when you launch them.
From the article, it looks as if they're hunting for worms or exploitable holes in apps. But the most common Windows-side issues now are trojans emailing themselves to everyone.
I am calling bullshit on this obvious lie. You had a clean instal, behind a firewall, with all the service packs installed, and in just 10 minutes after that with a direct connection to the net, someone infected it with spyware? That has to be bullshit.
I have been running Windows 2000 for years, and there is no spyware. And I am not doing anything special. I make sure to fdisk the mbr before an instal, just to make sure someone did not hide something on the hard drive before the instal. I do the instal off-line. Add a software firewall, then connect through a router to the net to get the service packs. I have never had any spyware on my system ever. I disable active-x from IE, and when I did my instal the only net protocol I install is tcp/ip, I do not instal the other 2- client or file & printer sharing.
Come on, when will all this anti-windows BS stop? The only reason people can hack it is because users don't instal service packs and because they open links in emails that use active-x. I gaurentee if those two problems are resolved, it will become 99.9% harder to infect a machine- a hacker would not just be able to run software, he would have to know your system and activly fight to get in, which would be too much work for him.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Too bad this is being sponsored by a manufacturer of rather poor-quality products. For example, they make a product called the SightFlex which appears to be the ideal iSight stand. So, I bought one... The camera caused all sorts of problems on the FireWire bus, so I contacted Jack at MacMice. The long thread of emails ended in my not receiving a response to a request for a working product, although Jack did suggest opening up the SightFlex and wrapping aluminum foil around the wires in the base.
t ing
;)
So, I opened it up and here's what I found: http://www.nuxx.net/gallery/sightflex_troubleshoo
Great, huh? Nicely random scattered, poorly soldered wires in the base, not all twisted up like they are supposed to be in a FireWire cable.
I would have pursued the issue further, but the cheap plastic base of the device ended up breaking when I was moving it around one day. It seems that the flexible metal of the neck is just threaded into some fairly thin plastic in the base (again, see pictures) and the rather brittle plastic just up and broke one day.
Great idea, piss poor execution.
And, it is exactly becuase of this sort of product why I will never trust DVForge / MacMice again, no matter how noble the cause may be.
After my experience, I'd think that they are offering $25,000 in monopoly money. Note that they never say US Dollars, so you can't fault them if they pay up in fake bills.
Is this another, "in small print", study payed for by Microsoft?
AppleScript is a pretty powerful language. Someone might go about creating a MacOSX virus by writing it in AppleScript and disguising it as another program. For instance, the html-formatted email received in Mail would have the look and feel of Apple eNews and information letters with an attached Applescript. The AppleScript when activated pops up a window requesting the administrator password to do some check on the operating system, or to activate a security feature not turned on by default. The AppleScript then gathers all email addresses from Mail and AddressBook and sends itself to everyone in the databases, then the program does "rm -rf /*" as its final trick.
While this is not a virus in the traditional sense, it could work in theory with some unsuspecting Mac users out there, like grandma or aunt Mae. And we all know that this couldn't happen to Slashdotters, not ever!
Of course it's running fine. After I root a box I always make sure I keep the patches up to date. Daddy has to keep his hoes clean you know!
As far as I'm aware there is no conclusive evidence that the "Windows Market Share" theory of exploitation holds any water at all. From a _design_ perspective Windows has been shown to be less secure than other operating systems. Wether it's targetted or not has no effect how secure Windows actually is! It just brings to light that it is insecure, incontravertably and demonstratably insecure.
Kind Regards
"A few great minds are enough to endow humanity with monstrous power, but a few great hearts are not enough to make us w
It had better be more than $50K for a Symantec Employee: according to my employment contract, writing a virus will result in my immediate termination. Such termination also means that I forfit all my stock options, worth far more than $50K at this point. And not to mention a great paying job with annual bonuses worth about half the original award.
So from an economic standpoint I'd be seriously in the hole, trading in options and bonuses worth a hell of a lot more than the amount being offered from a rather shady source.
No way!
Now that's interesting.. I did a similar experiment a while back
If you only read the headline, you might think I was agreeing with your position. However, my results were that the SP2 box went untouched for a couple weeks. And that none of the boxes that were infected had spyware, they had worms. It's also extremely rare that spyware gets on via any other mechanism besides web browsing.
So, I'd be curious to see the data you have to back up your claim.
So the summary claims that Mac OS X is technically more secure than Windows. Then why has this well-known root exploit in iSync not been fixed even after several security updates and one system update, and despite that Apple has apparently been notified?
That worries me -- this bug is trivial to exploit from any user account (just compile and run). It smells like Microsoft-esque security practices.
FWIW, my temporary fix was to revoke the vulnerable file's setuid and execute permissions:
(Note: omit any spurious spaces and linebreaks Slashdots inserts here.)
Jack Campbell, who is behind this, has been behind a number of rather dubious projects. There's a page about him at Macintouch http://www.macintouch.com/mactable.html.
This kind of statement always puzzles me. I have two PCs permanently connected to the net, my wife has another, and so do both my parents and my sister in law (some of the most computer illiterate people that have actually managed to make it onto the net), and I've checked all of them for spyware on a reasonably regular basis over the past few years. The only one that's ever been infected with spyware (unless you are talking about things like cookies) was one of my PCs - and this was entirely my fault for installing some dodgy P2P software and not reading the Ts&Cs properly.
What spyware were you infected with? How did you detect it?
There was a "hack a mac" contest in 1997. The challenge was to break in and modify a web page. Eventually someone named Starfire succeeded. The company fixed the site and renewed the challenge. Starfire broke in again and the company refused to pay the second time due to some sort of dispute.
TONY: That's a nice computer you have their. Right Jonny? ..but..but OS X doesn't have any viruses.
JONNY: Yea boss, a real nice computer. Be a shame if something happened to it.
TONY: Like a virus. It would be a shame to see such a fine computer infected by a virus. Maybe you should get some...protection.
CUSTOMER:
TONY: You hear that Jonny? OS X doesn't have any viruses he says.
JONNY: What about this virus right here boss?
TONY: Yes, that is a very nasty virus. If that got released into the wild it could cause much trouble. Be careful where you load that virus Jonny.
TONY: [to customer] Jonny can be very clumsy. It wouldn't surprise me if he accidently put that on your network. Of course if you buy our...protection, you won't have to worry now will you...
MSH
No IP addresses of the machines, the virus must be detected by their virus scanner (and be harmless!), and the machines don't open email attachments. Gee, I don't run Outlook or open attachments on my Windows machine, using the same terms, I must be invulnerable.
That's not to say I think Apple is as vulnerable as Windows, just that this "contest" is rigged.
Here come da fudge!
I mean, they are big on security, right? Perhaps they could offer $50k to someone who can write a virus that infects Microsoft Windows?
I think Microsoft has changed a great deal in the past 5-10 years, and I think it might be our fault. When MS first came out with Windows 95, it was a HUGE improvment over Windows 3.1, it was made to be much easier to use. It trusted the user to do anything and everything. When Windows 98 came out, it was very much like Windows 95. It trusted the user. It did not expect hackers to take over a system. Windows 98 was made for multimedia use, for games, to have fun.
Somewhere after that, people started slamming Microsoft. In many cases the reasons for attacking Microsoft were valid, it was becomming a monopoly, ect, ect. But some people also decided to start hacking and cracking into Windows computers because they hated Microsoft. Some hacked just because they were curious. I will admit, when Excite@Home first offered internet service in my area, you could open Windows Explorer and browse the neighborhood. If you knew any IP address, all you had to do was assign it a new drive letter. Why would Microsoft make it so easy for computers to connect and share information? Was Microsoft out to make our lives so insecure that anyone could rob us blind?
Now Microsoft's pendulum has swung all the way to the other extreme. Now you can't get Windows without tons and tons and tons of DRM bullcrap, you can't run software your way, it has to be their way. And they are going the way of making each copy of Windows known to them, you have to call in to activate your copy, and when you do they get tons of data about your CPU, other identifiable information about your system, and so forth which they match up with the serial number of the copy of Windows you have.
I don't think people will ever be satisfied. What happens if you make it very secure and filled with DRM. Nobody except tech's will want to use it. What happens if you make it very easy to use, everything is trusted? Hackers will exploit it.
My contention is, make it reasonably secure out of the box. If 90% of the attacks come from active-x, maybe it is time to retire active-x? Yet the moment you retire active-x, there goes all the flash swf video's and games too. So, what do you do? How much are YOU willing to trust your neighbors when they have anonymity?
Or should it be, that the USER must know what they are doing? If that is the concensus that we are heading to, the personal computer will die for mainstream people, and it will go back to the backpages of popular mechanics magazines. I for one have come to the point where I could learn to live without email. There are enough ways for people to reach me that I don't need a computer. And I am old enough where I really don't care about games on the computer. If my experiance on the computer is taking HOURS AND HOURS to fight off hackers and script kiddies, then spending HOURS AND HOURS trying to find a hack to back up my DVD's, at some point I will say "this is just too much a pain in the ass" and I'll go outside and BBQ and drink beer, and talk to the neighbors and find out thier names.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
this may be off-topic or whatever, but one of my coworkers was a big jackass and installed norton AV on our G5 Powermac. the next time i used it there was a huge slowdown of the system and a quick check of the process monitor showed it using something like 80% of my cpu time for "AutoProtect." after a prompt uninstall, i've noticed a couple other G5's around here getting wasted by that same software (i'm at a university where grad students, who may or may not be very computer-saavy maintain the systems). does anyone else think this software is just garbage?
RTFA. It's cancelled.
What a HUGE surprise. The linked page now explains, almost sorrowfully, why he decided to call it off. Read the last paragraph for a real laugh.
DVForge Cancels The Mac OS X Virus Prize
March 26, 2005 - For Immediate Release
Today, at 12::00 noon Central Time, DVForge, Inc. announces its
cancellation of the Mac OS X Virus Prize 2005 that the company
announced earlier in the day.
"In response to the statements put forth this past week by Symantec
Corporation suggesting that Mac users are at substantial risk to
infections from viruses, our company crafted and announced a contest
that would have paid a $25,000 prize for the successful creation of
such a virus," said Jack Campbell, DVForge, Inc. CEO, "During the first
several hours after making the public announcement, I was contacted by
a large number of Mac users and Mac software professionals who shared
their thinking with me about the contest. A few of these people are
extremely well-regarded experts in the field of Mac OS X security. So,
I have taken their advice very seriously, and have made the difficult
decision to cancel our contest. I have been convinced that the risk of
a virus on the OS X platform is not zero, although it is remarkably
close to zero. More importantly, I have been convinced that there may
be legality issues stemming from such a contest, beyond those
determined by our own legal counsel, prior to announcing the contest.
So, despite my personal distaste for what some companies have done to
take advantage of virus fears among the Mac community, and my own
inclination to make a bold statement in response to those fears, I have
no responsible choice but to retract the contest, effective
immediately."
The Mac OS X Virus Prize contest web page will remain active for the
foreseeable future, and will be used to show articles and links that
will help Mac users better understand the risk to computer viruses, and
the reasonable measures best used to continue enjoying virus-free usage
of their Mac OS X computer systems. That web page is located at
http://www.dvforge.com/virus.shtml
Jack Campbell, CEO
DVForge, Inc.
http://www.dvforge.com
jack@dvforge.com
The entire contents of this publication are Copyright (C) 2005 by
DVForge, Inc. Unauthorized duplication, re-transmission, downloading to
a database, or broadcasting via any means whatsoever any portion of
this publication is not permitted.
Sending an executable as a mail attachment is easy, but fooling a user into launching is is much harder on the Mac than it is on Windows.
Unlike Windows, the MacOS uses filesystem embedded filetype and resource fork information to determine what kind of file a file is. You can't just change the filename into photo.jpg or letter.doc to make the attachment look like a photo or a word document. If it is an executable, the Mac will show it as such.
This means you will have to convince the user that the ececutable in question comes from a trusted source and that it is safe to launch. Even then, MacOS X will open a dialog that explains to the user that this is the first time this application is about to be launched, that it might be dangerous and then ask if the user wants to proceed. At that point most Mac users will cancel if they are not sure what this application is and where it came from.
But even if they proceed to launch the application, then the application still won't be able to install anything on the user's machine. If it tries to do that, the user will again be notified that some software is about to be installed and that an administrator password is required to do so.
Somebody would have to be incredibly naive to ignore all the warnings and still proceed.
This type of attack is rather unlikely to be successful in causing a spreading of the trojan. The propagation mechanism is far too weak. The news about such an attack will be all over the net before the trojan had a chance to propagate.
If anybody is to succeed with an attack against the Mac, it would have to be an exploit of some security flaw in the OS or in a privileged application.
the macintosh asterisk mailing list http://www.astm
To make life interesting, they were going to run those two macs with total naked noobs, to make it a fair contest.
Funny thing is, I think they will still win as Mac OSX is installed pretty secured.
I prefer the "u" in honour as it seems to be missing these days.
On this subject, I recently answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a message, and nothing more. There is simply no equivalent to this on any other platform. Microsoft's track record and attitude on security (though admittedly much improved) versus other vendors speaks volumes on this topic.
It takes work and thought to do security, and do it right. Ease of use and security aren't mutually exclusive. The key is to make security easy to use, and Apple has so far been on the right road with Mac OS X.
But the small installed base of Macs makes them an unexciting, low-visibility target for the bad guys, and so the weaknesses don't get exploited much.
The marketshare argument only goes so far. This seems to be a version of the "Macs have no software" argument. It is indeed true that they are targeted less for this reason. But the argument that it's straight cause-and-effect is disingenuous
Tried to install any applications lately (like, say, OpenOffice)? The installer demands administrator access, and will REFUSE to continue unless it gets it. Even if you're only going to install it into /tmp or $HOME to check it out.
Try to compile F95 in GCC? You might be instructed to download a DMG of "up to date" cctools. But when you mount the drive, you get an installer, and this installer also demands administrator access, presumably so it can stomp on the tools already installed. And it's non-obvious where you go to get the source that will compile on the Mac so you can install it in a place of your own choosing.
Mac users are slowing being trained to be as dumb as MSWindows users. When the pretty little dialog asks for the administrator password, just provide it, otherwise you won't be able to play, and the maintainers of that package will mock you. Caution? What's that? Prudence? Soooo old-school. Paranoia? Get a life!
There's not much difference between being trained to grant a program administrative status every time it asks for it and running as the administrator all the time. It just adds a ten-second delay before your machine is compromised, and people can point at you and wonder aloud why you didn't _know_ what the program was going to do before it did it.
I'm not giving up my Mac in favor of anything out of Redmond. I just want a stick I can beat developers with when they write installers that demand administrative access and refuse to go further until they get it. If the user declines to give the administrative password, then let them choose where to install your software, and give them a README on what they can do "by hand" to integrate your software. IF they so choose.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
A quick visit to the website reveals that their
"Mac Virus Contest" is a totally bogus bit of
showmanship. ( From the: "Even bad publicity
is still publicity" Department ):
DVForge Virus Prize 2005
The Contest That, Sadly, WIll Never Be
Contest goal: To lay to rest, once and
for all, the myths surrounding the lack
of spreading computer virii on the
Macintosh OS X operating system, by
sponsoring a contest that challenges
virus writers to actually prove that
they can introduce a harmless virus
into two modern OS X Macs.
That was the goal of a contest
announced recently by DVForge, but,
due to a variety of influencing factors
was cancelled shortly after having been
announced.
A Statement About The Contest Cancellation
"In response to the statements put forth
this past week by Symantec Corporation
suggesting that Mac users are at
substantial risk to infections from viruses,
our company crafted and announced a contest
that would have paid a $25,000 prize for
the successful creation of such a virus,"
said Jack Campbell, DVForge, Inc. CEO,
"During the first several hours after making
the public announcement, I was contacted by
a large number of Mac users, and Mac software
professionals who shared their thinking with
me about the contest. A few of these people
are extremely well-regarded experts in the
field of Mac OS X security. So, I have taken
their advice very seriously, and have made
the difficult decision to cancel our contest.
I have been convinced that the risk of a virus
on the OS X platform is not zero, although it
is remarkably close to zero. More importantly,
I have been convinced that there may be legality
issues stemming from such a contest, beyond
those terminated by our own legal counsel,
prior to announcing the contest. So, despite
my personal distaste for what some companies
have done to take advantage of virus fears
among the Mac community, and my own inclination
to make a bold statement in response to those
fears, I have responsible choice but to retract
the contest, effective immediately."
DVForge, Inc. supports honesty and integrity by
manufacturers in all public communication. And,
we strongly discourage the use of exaggeration,
innuendo, or loosely stated claims in an effort
to increase sales of a company's products. We
believe in accurate, fair marketing statements,
and in allowing an accurately informed public to
then make its own decisions about purchasing,
or not purchasing, a company's products or
services. We implore all Mac industry businesses
to support these same values.
We do not endorse the creation or distribution
of computer viruses. U.S. and international law,
as well as simple good judgment forbid the
transmission of computer viruses.
I get no end of amusement from people claiming that Mac users buy Macs because "they don't know anything about computers," or something to that effect. The fact of the matter is, this particular Mac user sees his computer for what it is: an appliance. It's not a platform, a political party, or a religion. It's a machine, not entirely unlike a toaster or Cuisinart.
When choosing a computer, I took into consideration:
1) What I need it to do.
2) How I plan to interact with it.
3) How much effort I need to put into maintaining it.
3a) How much effort I need to put into making sure my machine stays mine (i.e. not compromised by some bored malcontent.)
So, over the course of several decades, I test-drove a few different machines, running different OSs (disclosure: I ran DOS and Windows variants up to and including XP, various Linux distributions, and Mac OS X.) It became glaringly obvious that OS X was far and away the OS of choice for the amount of time and effort I intend to invest in using and maintaing my computer.
I'm not a BSD advocate or a network security guru because, quite frankly, the subjects absolutely bore me to tears. However, even I can appreciate the simple, quiet wisdom of turning most networking services OFF on a fresh install of an OS (as does OS X.) Just think how much more secure our computing environment would be if people only enabled the services they absolutely needed.
If you contract and pay someone to kill someone else, you are held liable in their murder. I'd assume if you contract and pay someone to write a virus, you're liable for whatever computer crimes are broken as well.
If you offer a $25,000 prize to someone who writes a virus, you are contracting someone to write a virus, and I would very much expect you are liable to be charged with computer crimes even if the person who writes the virus is never caught.
If you look at the link, these people have cancelled their contest. But the offer was still made. I am not sure canceling the contest is enough to get them out of legal liability of having offered cash to break the law. If someone attempts a mac virus in the next month, or some other timeframe that would make it likely to be a response to this "contest", I wonder what will happen to them.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Whenever someone sends an email virus to my Mac, VirtualPC kindly associates a Windows icon with it, reminding me once again why I abandoned the Window platform.
I am TheRaven on Soylent News
A few of these people are extremely well-regarded experts in the field of Mac OS X security.
Something tells me these "experts" are also mathematicians from MIT.
Jack Cambell is another Darl McBride, except he lacks Darl's credibility
It's not offtopic, dumbass. It's orthogonal.
What an Ultramaroon!
The problem with Symantec's FUD bombs isn't that it's impossible to infect a Mac, it's that Symantec's software doesn't patch exploits... it just catches known malware (well, except for spyware, that's apparently OK) after it's already got to you... hopefully before it has a chance to run.
So the problem is... unless there's an actual virus out in the wild, there's nothing for Symantec's software to check for.
And since it hooks into the OS, at a fairly deep level, any bugs or incompatibilities in their software are effectively new system bugs. So they can only make your computer less reliable and stable. It's not sensible to install AV software in the absence of viruses. It can't possibly help, it can only hurt.
named Switchback which infected OSX Macs, but nobody noticed it.
There are others such as Renepo.B
MacOS MW2004 Trojan, MP3 Concept, Opener, and a sound driver virus.
I think clearly the only virus myth about OSX, is the myth that OSX has no viruses that can infect it. Apparently there are at least several examples of OSX viruses, and that number seems to grow. It may even double every year.
I've always felt that using a computer without virus protection was like having unprotected sex without a condom with multiple partners. Back in the old days, when they used to say that the Commodore Amiga had no viruses, and that only MS-DOS suffered from viruses, Amigas got their own viruses that infected their systems. Usually it was one of those Amiga demo programs that people downloaded from BBSes to show off the Amiga's graphics and sound. Someone would infect it with a virus and pass it around. Amiga users felt that the Amiga virus was a myth, and many got hit. Now I see the same thing happen for OSX, only OSX is on the Internet and is subject to more danagers than the BBS world once offered.
So yes, the facts speak for Symantec, that OSX viruses exist, and possibly they could grow in number.
This bone-headed stunt of offering a contest to virus infect two Macs only shows how gullable people are. It was a phoney contest.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
"Somebody would have to be incredibly naive to ignore all the warnings and still proceed."
Yes, and if ignorance really was bliss, the world would be one hell of a lot happier then it actually is.
I'm an IT consultant.
I've watched countless users sit there and click though endless dialogs warning them about how they're about to unleash bubonic plague upon the world or whatever. These people regard warnings as a hassle, something to be dismissed as quickly as possible. They do not regard them as an actual warning. Warnings are something that apply to other people.
If you change the default button to be the "safe" option, they click-and-close, try again and click-and-close, try again and click the other button and continue. They don't do this by reading the dialogs, they do this because if it didn't work the first two times they tried the first button, then it must be the other one.
If you require users to enter in "please destroy all my data" on the keyboard before running something, they will happily do that, to. While asking me why it asks them that.
If you require them to type a password, they'll type that in upon request, too. Look at how successful phishing scams are.
If all this fails to get some badware on the computer, users will seek out things like "Hotbar", "Gator", "Comet Cursor", "Bonzai Buddy", and so on, and try to install them.
People just don't want to have to think. That's the ultimate problem.
There's no doubt that the average MS-Windows system, as deployed, is hideously insecure. However, experience has shown me that even if you lock the system down well, users will still try and destroy it.
I've found the only way to keep users from compromising the security of their system is to remove their ability to do so. Then they just complain to me constantly that they cannot install all their badware. But then I can just tell them "Tough!".
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
People wouldn't have been up in arms about MacTable if he had been reselling furniture.
What he was doing was presenting others' furniture as his own design, taking all the credit for it, and showboating about how long it took him to design this gorgeous hunk of desk.
Except he had no hand in designing it, he wasn't building it, and he wasn't even an authorized outlet for the furniture in question. Hell, he didn't even take the pictures -- he lifted them straight from the manufacturer.
The shady business practices continue to the present day, with rebranded OEM products (the desk was a premium name brand) heralded as his own design, and speakers which probably suck being marketed the Monster way: "They're super duper! So super duper we're not releasing technical specifications, because they're just so super you need to hear the difference to believe it and the crazy pricing scheme! Super! How many watts are the speakers? It doesn't matter -- they're SUPER!"
In the past he's repeatedly also created a whole cadre of imaginary friends to defend him when he's attacked on Mac message boards. Where Jack leads and is rousted out, a half dozen more new users suddenly appear to leap to his defense and plug his products. Mysteriously all from the same IP as him.
Connect these dots:
1) Finder (and other apps) automatically shows thumbnails of image files without user intervention
2) postscript and EPS files are image files than must be executed to generate thumbnails
3) postscript is Turing complete
So, if you wanted to get an attachment to auto-execute on reciept, what file format would you use?
19: Estimated number of days before we see all kinds of exploitable holes in Apple's and various other postscript interpreters...
There are 1.1... kinds of people.
I hate to break it to you, but there's very little that Apple (or Mircosoft, or Linux, etc) can do to prevent many types of viruses, since they are installed by the user themselves. Think about a traditional virus that infects a binary and is run when the program is run. Or a trojan program that does bad things to your system. Good file permissions can prevent the spread of such viruses and limit their damage, but they aren't that hard to write. I've even seen prototypes for a shell script virus (in an educational setting, and non-destructive except for polluting your shell scripts). There's very little technically that anyone can do to prevent a shell script virus, at least not without making the system difficult to use (or radically redesigning the system, which will probably have other drawbacks).
Now, if you're talking about worms, yes most spread through security holes in the system, and those can be fixed. But there are many classes of malware where the security "hole" is the human doing work. And those are very hard, if not impossible to prevent.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
*sigh*
I don't know why I bother with the tin-foil hat brigade, but it is an explicit terminatable offense at Symantec to write--or help in writing--a virus. They just clean out your desk and have security escort you out of the building that day, no appeal. Your stock options and stock purchase plan options are immediately revoked, you lose back vacation pay, and you get no severence. Just a bootprint on your ass as you're kicked out the door.
But of course I'm part of the conspiracy, so you'll probably think I'm either a dupe or a lying spokes-hole.
I like being part of conspiracies; I worked many years ago for JPL in the same building the Weekly World News claimed housed an alien spacecraft that was being studied by the military--and the tinfoil hat brigade didn't believe me then when I told them it was just so much hokem...
Wow, gone for a few minutes and you miss a lot.
Jack has been active lately. He is notorious in the Mac Community.
Everyone should read my article on his company and past in the Mac Community. It's called: Catch Me If You Can Part II: The True Story Behind MacMice
Make sure to also see the about section to gain clarity on who writes Jackwhispers and why.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
from post:
"Symantec has been fanning the flames of totally bogus "Macs aren't more secure, it's just that Windows is a bigger target" technical-equivalence propaganda"
Of course, in the article, the Symatec claim is actually backed up.
from Symantec article:
"In its seventh bi-annual Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious vulnerabilities in the Mac OS X system."
"Apple Computer has become a target for new attacks... The appearance of a rootkit109 called Opener in October 2004, serves to illustrate the growth in vulnerability research on the OS X platform..."
"Symantec's concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack."
"Look at where mobile viruses are going and they are not targeting Microsoft - they are targeting the market leader, which is Symbian,"
Vote for Pedro
The fact that he shut it down ("chickened out") only gives credibility to the claim that "Windows is just a bigger target" crowd, which were not his intentions. If he kept the contest going, and the Macs had been infected, which probably would have happened eventually, then it would show that Macs are vulnerable too, which Mac software writers don't want, because Mac has benefited from the security lessons MSFT has learned the hard way and the perception, real or not, that Macs are more secure. Either way, it was a lose-lose for this guy and the Mac community.
Been following this guy's sleaze and slime for years, adzoox is right.
[UID-HeinzIntel]
No, as both a Windows and a Mac user myself (typing this on my G5 right now) - I agree completely with you. The Mac "community" seems to enjoy hanging onto the belief that Mac apps are almost always "friendlier" and "easier to use" than their Windows counterparts.
.sit extension from the end of them. Well, hey, that's pretty cool, EXCEPT, the whole design of Mac OS X has pivoted around the idea that file extensions aren't critical to a file's behavior. Mac users are trained to learn that their JPG doesn't have to end in .jpg for their favorite editor to view it properly by default. Extensions can just be completely left off of your documents, and it's pretty much just "optional". But now, StuffIt comes along and creates a situation where the .sit extension does have actual meaning/functionality.)
I've found that to be entirely false as often as it's true. Basically, a wash....
There are lots of reasons I like my Mac, but an equal number of reasons to dislike it. Until somebody really "gets it all right", I feel like my best option is to keep using both platforms.
As you said, 3rd. party products can radically change the "interface philosophy" of the whole system. (EG. The latest version of Stuffit Expander for the Mac will automatically compress or decompress files simply by the user adding or removing the
http://spl.haxial.net/viruses.html
At least the dialog guards against the most common types of viruses and security holes. Sure, most users will blindly type in a password if a software installer asks them to, but what about an e-mail attachment or random internet site?
/tmp...
It would be better if the OS provided customizable permissions (grant networking access seperately from hard drive access, for example), but I've yet to see a good security setting setup or user interface to allow that sort of thing...
It would also be nice if you could 'spoof' root access to trick software into thinking it has full access to your system.
For instance, the OS could intercept all calls to update files outside of a folder called "buggy-app" on the desktop, and use an overlay file system and copy-on-write to store the changes in a special directory. Only the spoofed program would use the files that it created and modified, and the changes it performed could be reversed by deleting the stuff the OS put in
Add this to restricting read access to sensitive user information, and this could be a first step toward sandboxing applications.
"A critical security update is needed for your $RANDOM_APP. The update has been downloaded. Installing update..."
[Password Dialog Here]
Or somesuch.
I think that's the sort of thing a security-minded expert would prefer, and the average user would be overwhelmed by. Yes, it would. I believe that Debian kinda-sorta does this with "fakeroot". I'd like an actual sandbox... Yup! I've been pondering the need for this sort of thing for awhile. If it's clean enough, and robust enough, you can run _all_ of your applications in their own sandboxes. I think that this approach is simple enough to work for both the average home user and powerful enough to make a security guru happy. Exactly. And if you want to keep the changes, you can put it in $HOME/.sandboxes/appname, or, since we're on the Mac, perhaps $HOME/Sandboxes/Appname/...I like the way you're thinking.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
I'm talking about dialog boxes from the Operating System, not from applications. Even from applications, most Mac developers try to emulate Apple's style and guidelines. Windows developers seem to just imitate the accumulation of cruft that has defined Windows.
I always find it amazing how so many Windows developers don't think of more elegant ways of doing things - because they are used to microsoft's clunky design. It seems they just get blinded to the deficiencies, because they are so accustomed to dealing with Windows. For example, you will often hear Windows support advice or rationalisations saying "To do that, simply do this: [insert half a page or more of instructions]. Then I think "how do they consider this a minimal task?" If i were required to do that just to operate my Mac, I would be very frustrated/angry/disappointed. OTOH, Windows users usually shrug off this extra work, because they have never experienced any other way of doing things.
Part of the problem is the overload of steps required to do stuff on Windows. When the Mac gives you fewer steps, it's much easier to focus on each step. When you are inundated with steps, they often just blur together and become meaningless.
More importantly, I've seen stupid users nowhere near a computer. I see them every time I get on the highway. I see them in the food store buying "Lite" versions of food that are just as laden with fat, sugar, and other crap as the regular versions.
Well, obviously. But I'm not sure what this has to do with the issue. Even stupid users, when given a more elegant or consistent design, will make fewer mistakes. Making things uneccessarily complex or confusing, only increases the damage or mistakes that stupid users can make.
FWIW, while I use Macs fairly infrequently, I've seen plenty of stupid dialogs on the Mac.
Do you have any examples from the Operating System, or just from badly designed applications? My point is that developers tend to follow the precedents of the OS they use the most. So, you certainly see more stupid dialogs in programs that are just lame ports of Windows software to Mac. But those that follow Apple's guidelines, tend not be guilty of this.
it's also not just restricted to dialog boxes. Microsoft and Windows apps often have incredibly strangely designed menus, put options in strange places, etc. There is less consistency between applications on Windows than MacOS. Two similar applications will often do the same thing in entirely different ways. It's not just one component, but a number of influences, that contributes to the feeling of disempowerment of the Windows user, and their acceptance of poor design and onerous tasks.
It's almost like the Mac's elegance is contagious, as is the clunkiness of Windows.
... and then they built the supercollider.