Unlike Windows, Mac provides program installation as an OS service. An mpkg is an installable file, not an installer. The malware was not running its own code, it was triggering the operating system's installer feature. Until you allow the OS to install the program nothing is going to happen to your Mac. For sure it's arguably bad that Safari automatically asks you to install a random program from the internet, but it's not running untrusted code - it's asking you whether you want to trust (and install) this code.
That's an excellent description of the details of OS X .mpkg files. Thank you.
I disagree. It's a very convenient setting
We finally agree!
It's a very convenient setting... for malware authors.
The fact is, the average non-techie user values "interactive" over "secure".
That's nonsense.
Average non-technical users value "secure" at least as much as they value "interactive". But they are not domain experts, much like average car drivers are not master mechanics.
They simply don't know what to look for, what to worry about, how to interpret so much geek-ese in their software. The true failing is with us software developers. We create confusing, overly technical and complex crap, and expect people should have to spend 90% of their waking lives understanding it in order to use it safely.
We should be delivering them safe-by-default products that Just Work, and when something out of the ordinary happens, we should make it easy for them to understand and make an informed choice. No, making them Google what's going on is not acceptable.
It didn't. It was you who decided not to trust the system.
The fact that Safari will automatically download and execute installers may be technically safe -- just an annoyance, at worst -- but expecting users of OS X to know that OS X installers are 100% safe little furry friendly creatures that cannot possibly do any harm whatsoever to your computer is asking a bit much since installers work different on, well, every other OS in existence, in my (very broad) experience.
On other operating systems, installers are foreign code that can do all sorts of harm to the contents of your $HOME directory at the very least.
After Safari downloaded and unzipped the zip file, you would then have ended up with a file in your ~/Downloads directory - the case I've seen is MacProtector.mpkg which is an installer package that has to be double-clicked on to launch and then this software needs an Administrator password to be entered.
Let me be very clear on one point. Safari automatically ran the installer after the download completed. I was skeptical that my wife was accurate when she said that to me, so I tested it myself. Her story was the truth. Automatic download and execution of installer. It never asked for an administrator password (probably because we didn't step through the installer?).
The message I seem to be getting in this thread (besides "it's all your fault, stupid") is that OS X installers are completely and utterly 100% no-questions-asked cute little furry safe friendly creatures that can only possibly do harm if you step through them.
Since that is not the case with installers on any other OS I've used -- and as a long-time software developer, I've probably used dozens -- I assumed that, at the very least, the contents of her $HOME directory were compromised.
In any case, I think Safari has some stunningly bad defaults, and I'm disappointed Apple would choose such defaults.
Not a Mac issue, but a user issue.
I think you're expecting users to be far too familiar with the technical details of OS X installers.
On other operating systems, installers are not harmless little fuzzy creatures. If an installer is running, scary foreign code has already run. Sure, it might not have the security to install a keylogger, but at the very least, the contents of your $HOME directory have potentially already been compromised.
This is part of the reason Slashdot sucks. If we were talking about cars instead, Slashdot would expect everyone to be a master mechanic, otherwise the Slashdot crowd would consider the person a "haha idiot n00b!".
A lot of people use their computer as a tool to achieve some other goal. They don't use a computer just for the sake of using a computer. Expecting them to know that OS X installers are harmless little fuzzy creatures where nothing bad can possibly happen if you just exit the installer is asking a bit much.
So basically you are blaming Apple for a default setting which resulted in a completely harmless situation which prompted you - without referencing anyone on the matter - to reinstall OS X?
It's harmless for Safari to automatically download and execute installers? That's not supposed to concern users that aren't overly geekly familiar with OS X?
In other news: I just noticed a blinking light on my dashboard, so instead of calling my car dealership, I just assumed the worst and torched the car.
I Googled the problem first and there was so little information about it that it was unsafe to draw any solid conclusions.
Isn't it disingenuous to criticize Apple for putting you into a situation that you have decided is unfalsifiably dangerous?
I did Google before I panicked too much. There is, so far, not a whole lot of confident sounding information on MacDefender / MacProtector.
If it was splattered all over the Internet that it's safe to cancel out of the installer and go on your merry way, that's probably what I would have done.
In any case, how can anyone seriously defend Apple for Safari defaults that automatically download something and run an installer?
Seriously, you have got to be kidding me. Apple fucked up bad on this one, and should be called out for it. How can you not criticize Apple for this?
What was the link? What was the malware?
I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.
What happened? I am assuming it downloaded an actual executable Mac application
I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.
It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.
What *exactly* executed, and what was the result?
She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer then displayed a GUI. It looked like the very first step of the installer. There was a Continue button.
I would be interested to know what malware got past, and what her settings in Safari were.
I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...
I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.
And I really do blame Apple for setting absolutely bone headed defaults on Safari.
It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provide her admin credentials, in order to have installed/run something.
Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.
And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.
At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.
Thanks, Apple...
My wife got bitten by this just today.
She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.
I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.
What the fuck, Apple and Safari?
The only question that remains is whether I'll be moving her to Firefox or Chrome...
Apache Tomcat is written with Java.
And it runs on a JVM written in C/C++.
They got Java, if they figure out they can squeeze money out of something else that will just be an added bonus.
How can Oracle monetize Java, enough to make the mammoth purchase price of Sun worth it?
Serious question.
You've already got 3 repository type systems for OSX : Fink [finkproject.org], MacPorts [macports.org] and Homebrew [github.com].
I can't speak for Fink or Homebrew, but MacPorts upgrades often mysteriously fail, and many of the ports are hideously out of date.
Also, building from source is painfully slow for any non-trivial number of applications.
Strange! /. always worked for me smooth as silk except very long threads can take some time to open. I am a lame Windows user and it worked just fine with XP+Firefox and now 7+Firefox.
My computer is a single core 1.66 GHz Atom, so I'm somewhat used to things being kind of slow, but Slashdot takes the cake. (Running Windows 7)
I am not very good with computers and programming - am I missing something?
I don't think you're missing anything. The new Slashdot is just poorly written.
It actually drives me insane, it is markedly worse, I read less stories because of it (because I do not like the feel of the site so much).
The "Many more" button (to get more stories) has never worked for me. This is across multiple computers and operating systems. I read less Slashdot because I simply can't easily get to the older stories.
I'm sure it has something to do with my account setup, but -- bah. The new Slashdot is a train wreck.
In this day and age, is it too much to ask that a web browser have a built-in spell checker for filling out web forms? IE still doesn't have one.
Amen to that!
People use a lot of web based applications these days. A spell checker (and spelling suggestions) built into the browser seems like a no-brainer. Why the IE team continues to neglect such an easy-to-implement but yet invaluable-to-the-user feature is mystifying.
As of version 9, IE is starting to get interesting again, but missing such basic features still means IE is an undesirable browser.
When the Wii was there were still a lot of non-HD TVs in people's homes so Nintendo targeted standard def and kept the prices low. Now HDTV is very common and thanks to Moore's law Nintendo can come out with a console that will probably outperform the 360 and PS/3 and be cheaper. Now Nintendo can produce a new machine that will outperform the competition and cost less just as the Wii sales start to drop. Brilliant marketing plan and it will sell like hotcakes.
Speaking as the owner of a Wii, I don't think I'd buy another, unless they change the remotes. The Wiimotes are very fun for a very limited number of games, but they're too clumsy for most games -- in my opinion.
They could really use some help.
I think it's finally time for me to step up to the plate and help out on a FOSS project. Your post helped me realize it's finally time.
I'll start working immediately on the ball-gag module.
No, it really is unlimited. If your ISP caps you, that isn't Netflix's fault.
I wasn't assigning blame, just stating a truth. In pragmatic terms, there is a limit.
Sums it up nicely. For years we've been complaining that we'd gladly pay a reasonable fee for unlimited streaming, and not only does Netflix finally deliver that, it does it on more internet-enabled devices than any other provider.
Except it's not really unlimited (99.9% of us have download caps, enforced by our broadband provider) and Netflix's streaming service tends not to include the majority of the content most of us would consider good (though that is slowly improving).
This is coming from a Netflix subscriber that does use Netflix streaming on a regular basis.
What we should have done was created a GUI which has exact formal one-for-one-correspondence with the underlying CLI, so that for any given task, you can use the interface of your choice that works for you - or create new graphical interfaces for the special custom jobs you end up doing multiple times.
This has been done. On the AS/400, for example, you can type in the name of a program and hit F4. From there, you get a GUI-ish interface where you populate all the named parameters with your desired values. Need help on a parameter? Press F1.
When you are done, and actually execute the command, the entire command line is generated, so you can copy and paste that into scripts, or what have you.
Welcome to decades ago. :-)
As a computing professional, I find all of this whining about Free Software license complexity rather embarrassing frankly.
Who's whining? Please, don't be unnecessarily rude.
I understand licenses such as the GPL very well. I'm not whining, and I don't find the license complex in the least. I'm simply pointing out that for commercial software developers, GPL'd code is often not an option.
I also write software for my wife's small business with no plans to distribute, but I avoid GPL code in those projects, too, in case I ever do decide to commercialize what I've created. I don't want to get trapped into too much reliance on something with too high a cost, then be forced to refactor at great expense in terms of time later down the road.
I have no problem with other people using GPL code if they want to.
Electronic Arts and Oracle can manage navigating this "quagmire". Why can't you?
Why the hostile and rude attitude?
One really wonders what an SBA audit of you whiners would turn up.
Wow...fuck you, too.
I don't pirate anything. Anything. Not software. Not music. Not movies. Your thinly veiled accusation that I'm a thief is assholery in the top degree.
Actually I find the copyleft licences have far more demands than any commercial licence. You can spend huge amounts of time figuring out if you can link or not link, how you must publish the code and how you can distribute the application.
As a commercial software developer myself, I'm glad at least one other person on Slashdot understands this!
For some of us, copyleft code is, by far, the most expensive code there is. In fact, it's pretty much poison.
How? When? How is it worth having to use worse video until then?
That's a straw man. You've lost the context of the thread. Now you're trying to change the context to score points.
In this thread, nobody suggested MS and IE being forced to only support Ogg Theora. That, of course, is ridiculous.
The context of this thread is that perhaps MS should worry about making their own browser not completely suck, rather than adding H.264 support to Chrome.
Patents expire after 20 years. The patents in question will be long gone before Ogg Theora or competing non-patent formats are technically competitive with H.264.
Troll.
And even then, the obvious choice for true believers will be to abandon inferior formats and switch to H.264.
Troll. Loaded language: "true believers". You should try not being an ass for a while.
Feel free to get in the last word.