File extensions are absolutely irrelevant. If your malware security relies in any way on users knowing what file extensions are it's broken.
There's no confusing programs for data on Macs as any downloaded executable that isn't signed won't run without explicitly allowing it (individually or by changing the default security setting).
First of all plenty of users are still in 10.6.xx and further more every "power" user changes the settings.
Only about 8% are still on Snow Leopard. And you have no idea what setting people have for this. The smart money is on most people still having the default setting - with is not to allow untrusted apps. I'm certainly a power user and I still have the default setting. On the extremely rare occasions I want to run something downloaded from the internet that doesn't have a security cert, I use the one off button on System Preferences to just approve that one binary.
For some reason there is no: "never ask again for this app" option.
Once you've approved it, it never will ask again for that app. Of course if you then download another version, that's no longer the same app.
Non-App Store programs often check for software updates on a regular basis. Worst are those that autorun a daemon specifically for this: Adobe is one of the worst offenders (and indeed many other software crimes.)
Have you spotted any other common categories of why they might do so?
people in the UK are just generally unfamiliar with alternatives (as was I before living here).
That may be true but doesn't apply to me. I've lived for years in two other countries besides the UK and have been hospitalised and had a serious operation in a third. And I know a bit about the US system from following US political news.
I don't know about the Australian system so can't argue with you there. But your original post seemed to be more than a little inspired by right wing private sector good/public sector bad ideology. And in the UK that has not been true.
Furthermore, whilst the American "Obamacare" system is still private, it was characterised as "socialized healthcare" and predicted to be a failure. But in fact other than some short term issues with the web site, the outcomes of Obamacare so far have been very positive.
And I only had to pay the gap between the base rate (covered by medicare) and the private provider. Here in the UK I have to pay the whole lot.
Good. There are better things to do with NHS funds than using them to subsidise private patients. One of the reasons the NHS is more efficient than private insurance health systems is that it's a single payer system. Diluting it by encouraging people to go private would be a bad step.
If someone was bent on ethnic cleansing, limiting who can travel to a new planet would have the same net effect.
The plus is that this genetically cleansed group would be having a bad time of it. Living on a planet with no outdoor atmosphere or flora and fauna would be pretty miserable.
The NHS has demonstrated to me the absolute categorical failure of large centralised planning (the same thing that undoes communism).
The problem with that argument is that the NHS has progressively got worse as it's moved from central planning to every more devolved decision making and private ownership.
And the US comparison is bogus. They don't have universal coverage there, and still manage to pay 2.5 times more per capita for healthcare. If the NHS budget was multiplied by 2.5, then there wouldn't be any waiting lists - and they'd still have universal coverage.
Similarly, the UK train system has only got worse as services were privatised. The franchisee for the East Coast Line pulled out prematurely in 2009, and since then it;s been run by the public sector. And under government hands it's the most efficient of all the franchises. Whilst the private sector organisations take subsidies, the East Coast line actually returns a profit to the government.
Yet still, because of ignorant right wing ideology, the government is attempting to put this service back in to private hands. Insane.
I hadn't realised the police had access to petrol station forecourt cameras. You're right. It's not universal, but apparently some petrol stations do feed data from their private ANPR systems to the police.
I think the point of not issuing tax discs now is that all enforcement work is done with Automatic Number Plate Recognition. Those cameras have been around for a few years, so they probably stopped manually checking some time ago.
Last year I had a van with an expired tax disc that I needed to take to a motor auction. I planned my route very carefully to stay off the motorway and out in the sticks to be sure I didn't pass any ANPR cameras, and there was less chance of encountering an ANPR equipped police car.
and of course the cost savings of not having to manufacture, print, and post the decals every year, and the lower government labor costs from an entirely automated online system, will surely be passed on to taxpayers in the form of lower fees, right? right?? RIGHT???
Of course not. The UK is still recovering from the crash of 2008. It's a time of austerity. Tax cuts need to be specifically targeted only towards people who might donate to the Conservative party coffers.
The US motto is "In God We Trust". One imaginary being is no more ridiculous than another.
It's the coat of arms of the British monarch (The Crown). And the unicorn is has some Scottish significance. It may well date back to a time when Unicorns were thought to be real! BTW, the Scottish Unicorn was featured on Last Week Tonight, the week before the Scottish independence vote. Pretty funny.
Given that most Macs can't run untrusted software, the mostly likely vector for malware is a trojan. Possibly attached to pirate versions of well known applications. Users of such pirate software would expect to have to explicitly give permission to untrusted software.
For sure they COULD be lying, and open them selves up to bad press and legal action when they are found out. But so could ANY company, so what other choice is there than to go with the probability that their privacy policy is what they say it is.
I do need to use a search engine, and I know for a fact that Google save searches, and I have a feeling that Bing and Yahoo do, though I haven't checked recently. So it's a pretty easy choice.
DuckDuckGo's plugin isn't malware, and as a Mac user it isn't relevant to me. Even if it was there's no way of software being installed without my permission.
DuckDuckGo doesn't save search history, Google does. So it's a very easy choice.
Phones are sold with the latest OS version. Jailbreaks take months to come out for a particular OS version, if they come out at all.
For example there is no iOS 8 jailbreak. So no iPhone 6 or any iOS device running iOS 8 is jailbroken.
I can believe that a good proportion of pre-owned phones come with a jailbreak. But not new phones, even if they are grey market or intercepted by corrupt governments.
Crazy isn't it. It's perfectly obvious that terrorism is acts that are designed to terrorise. After 9/11 plenty of people were scared to fly, use other forms of public transport, visit large cities, or go to any busy public place. That's what made it terrorism. The act itself was mass murder - it's that larger intent to use fear to change behaviour that makes it terrorism.
Governments, politicians and security services are obviously intelligent enough to know this. Which makes their misuse of the word nothing less than deliberate propaganda.
I'm on a long term quest to watch all available episodes of Horizon (a BBC science documentary series going since the 1960s).
One of them is called "How to commit a perfect murder". I'm glad I use duckduckgo as a search engine rather than Google when I was looking that one up.
Just one example of why it's a bad idea to to let governments or corporations profile people based on what they search for.
The discovery of this is proof that many eyes DO find problems
No it isn't. The chance that these two vulnerabilities that hung round for 1-2 decades are the only ones is vanishingly small. They are an illustration that even the most mainstream of OSS code that's been around a long time hasn't been code reviewed properly.
They are proof that that many uncoordinated and unrewarded eyes DON'T find problems. Because they don't even look.
Furthermore, this was a feature it wasn't entirely a security bug
Bullshit. The vulnerability it deminstrates has been demonstrated, it is not documented, and it doesn't make any sense that that's what it does. That's not a feature.
The possibility that some people are using it in software doesn't make it a feature either. The very definition of hacking is using technology in a way that is not intended. That's what those programs are doing. Indeed malware is software that deliberately uses vulnerabilities, and that doesn't make those vulnerabilities features.
With more people aware of this new attack vector, bash is going to get more attention--- MORE eyes again.
AFTER 20 years. Having to scramble to fix something 2 decades late is not in any way an endorsement of a development practice. It's a condemnation of it. And in any case it's no different from what commercial closed source software teams would do it they similarly found out they'd been negligent with a particular code base for 20 years.
"More eyes" is a myth. You have to be a blind zealot to still believe it.
Slashdot Mirror
File extensions are absolutely irrelevant. If your malware security relies in any way on users knowing what file extensions are it's broken.
There's no confusing programs for data on Macs as any downloaded executable that isn't signed won't run without explicitly allowing it (individually or by changing the default security setting).
Neither the fact that other people have repeated it extensively before, nor whines about "political correctness" excuse your homophobia.
First of all plenty of users are still in 10.6.xx and further more every "power" user changes the settings.
Only about 8% are still on Snow Leopard. And you have no idea what setting people have for this. The smart money is on most people still having the default setting - with is not to allow untrusted apps. I'm certainly a power user and I still have the default setting. On the extremely rare occasions I want to run something downloaded from the internet that doesn't have a security cert, I use the one off button on System Preferences to just approve that one binary.
For some reason there is no: "never ask again for this app" option.
Once you've approved it, it never will ask again for that app. Of course if you then download another version, that's no longer the same app.
Non-App Store programs often check for software updates on a regular basis. Worst are those that autorun a daemon specifically for this: Adobe is one of the worst offenders (and indeed many other software crimes.)
Have you spotted any other common categories of why they might do so?
people in the UK are just generally unfamiliar with alternatives (as was I before living here).
That may be true but doesn't apply to me. I've lived for years in two other countries besides the UK and have been hospitalised and had a serious operation in a third. And I know a bit about the US system from following US political news.
I don't know about the Australian system so can't argue with you there. But your original post seemed to be more than a little inspired by right wing private sector good/public sector bad ideology. And in the UK that has not been true.
Furthermore, whilst the American "Obamacare" system is still private, it was characterised as "socialized healthcare" and predicted to be a failure. But in fact other than some short term issues with the web site, the outcomes of Obamacare so far have been very positive.
And I only had to pay the gap between the base rate (covered by medicare) and the private provider. Here in the UK I have to pay the whole lot.
Good. There are better things to do with NHS funds than using them to subsidise private patients. One of the reasons the NHS is more efficient than private insurance health systems is that it's a single payer system. Diluting it by encouraging people to go private would be a bad step.
If someone was bent on ethnic cleansing, limiting who can travel to a new planet would have the same net effect.
The plus is that this genetically cleansed group would be having a bad time of it. Living on a planet with no outdoor atmosphere or flora and fauna would be pretty miserable.
Sending one women, and then having the inseminated with a hand picked material will have a greater chance of birth a genetically superior child.
Blond and blue eyed of course.
Do you (or your employer) have to do annual insurance paperwork?
The NHS has demonstrated to me the absolute categorical failure of large centralised planning (the same thing that undoes communism).
The problem with that argument is that the NHS has progressively got worse as it's moved from central planning to every more devolved decision making and private ownership.
And the US comparison is bogus. They don't have universal coverage there, and still manage to pay 2.5 times more per capita for healthcare. If the NHS budget was multiplied by 2.5, then there wouldn't be any waiting lists - and they'd still have universal coverage.
Similarly, the UK train system has only got worse as services were privatised. The franchisee for the East Coast Line pulled out prematurely in 2009, and since then it;s been run by the public sector. And under government hands it's the most efficient of all the franchises. Whilst the private sector organisations take subsidies, the East Coast line actually returns a profit to the government.
Yet still, because of ignorant right wing ideology, the government is attempting to put this service back in to private hands. Insane.
I hadn't realised the police had access to petrol station forecourt cameras. You're right. It's not universal, but apparently some petrol stations do feed data from their private ANPR systems to the police.
Always? Blimey, that predates Colossus.
I think the point of not issuing tax discs now is that all enforcement work is done with Automatic Number Plate Recognition. Those cameras have been around for a few years, so they probably stopped manually checking some time ago.
Last year I had a van with an expired tax disc that I needed to take to a motor auction. I planned my route very carefully to stay off the motorway and out in the sticks to be sure I didn't pass any ANPR cameras, and there was less chance of encountering an ANPR equipped police car.
and of course the cost savings of not having to manufacture, print, and post the decals every year, and the lower government labor costs from an entirely automated online system, will surely be passed on to taxpayers in the form of lower fees, right? right?? RIGHT???
Of course not. The UK is still recovering from the crash of 2008. It's a time of austerity. Tax cuts need to be specifically targeted only towards people who might donate to the Conservative party coffers.
The US motto is "In God We Trust". One imaginary being is no more ridiculous than another.
It's the coat of arms of the British monarch (The Crown). And the unicorn is has some Scottish significance. It may well date back to a time when Unicorns were thought to be real! BTW, the Scottish Unicorn was featured on Last Week Tonight, the week before the Scottish independence vote. Pretty funny.
It appears to be Vodafone, a telco, that failed to provide enough bandwidth.
First day scaling issues.
So...they get infected just like Windows does?
Just like ANY OS that accepts 3rd party software does.
Your homophobia is noted.
Given that most Macs can't run untrusted software, the mostly likely vector for malware is a trojan. Possibly attached to pirate versions of well known applications. Users of such pirate software would expect to have to explicitly give permission to untrusted software.
According to DuckDuckGo.
https://duckduckgo.com/privacy
For sure they COULD be lying, and open them selves up to bad press and legal action when they are found out. But so could ANY company, so what other choice is there than to go with the probability that their privacy policy is what they say it is.
I do need to use a search engine, and I know for a fact that Google save searches, and I have a feeling that Bing and Yahoo do, though I haven't checked recently. So it's a pretty easy choice.
What search engine do YOU use?
I accept that official definition. However governments, including the US government, misuse the term in practice.
DuckDuckGo's plugin isn't malware, and as a Mac user it isn't relevant to me. Even if it was there's no way of software being installed without my permission.
DuckDuckGo doesn't save search history, Google does. So it's a very easy choice.
Phones are sold with the latest OS version. Jailbreaks take months to come out for a particular OS version, if they come out at all.
For example there is no iOS 8 jailbreak. So no iPhone 6 or any iOS device running iOS 8 is jailbroken.
I can believe that a good proportion of pre-owned phones come with a jailbreak. But not new phones, even if they are grey market or intercepted by corrupt governments.
Stefen Esser.
And the trojan is called Xsser?
Connection?
Crazy isn't it. It's perfectly obvious that terrorism is acts that are designed to terrorise. After 9/11 plenty of people were scared to fly, use other forms of public transport, visit large cities, or go to any busy public place. That's what made it terrorism. The act itself was mass murder - it's that larger intent to use fear to change behaviour that makes it terrorism.
Governments, politicians and security services are obviously intelligent enough to know this. Which makes their misuse of the word nothing less than deliberate propaganda.
I'm on a long term quest to watch all available episodes of Horizon (a BBC science documentary series going since the 1960s).
One of them is called "How to commit a perfect murder". I'm glad I use duckduckgo as a search engine rather than Google when I was looking that one up.
Just one example of why it's a bad idea to to let governments or corporations profile people based on what they search for.
The discovery of this is proof that many eyes DO find problems
No it isn't. The chance that these two vulnerabilities that hung round for 1-2 decades are the only ones is vanishingly small. They are an illustration that even the most mainstream of OSS code that's been around a long time hasn't been code reviewed properly.
They are proof that that many uncoordinated and unrewarded eyes DON'T find problems. Because they don't even look.
Furthermore, this was a feature it wasn't entirely a security bug
Bullshit. The vulnerability it deminstrates has been demonstrated, it is not documented, and it doesn't make any sense that that's what it does. That's not a feature.
The possibility that some people are using it in software doesn't make it a feature either. The very definition of hacking is using technology in a way that is not intended. That's what those programs are doing. Indeed malware is software that deliberately uses vulnerabilities, and that doesn't make those vulnerabilities features.
With more people aware of this new attack vector, bash is going to get more attention--- MORE eyes again.
AFTER 20 years. Having to scramble to fix something 2 decades late is not in any way an endorsement of a development practice. It's a condemnation of it. And in any case it's no different from what commercial closed source software teams would do it they similarly found out they'd been negligent with a particular code base for 20 years.
"More eyes" is a myth. You have to be a blind zealot to still believe it.