Personally, I was looking at it as a pain in the ass from a user perspective more so than a admin perspective.
noexec is a pain in the ass for your home dir as a user, and is only really useful if they have no way they can write to any location that isn't noexec, which is easy enough to do, but easy enough to miss someplace as well.
That's one account having its passwords and cc info gleefully distributed, among other things.
Investigate the OSX keychain and how it works, your apps aren't stealing passwords that any of my other apps use, they are in the keychain, a system level provider of protected storage that is designed to insure that only the app that created the data can access the data unless it specifically does so in such a way to allow other apps to access it.
This won't lead to any password theft without a password being entered to completely unlock the keychain allowing it to be viewed by any app... which throws a big nasty 'you should NEVER EVER DO THIS' message up and prompts you for your password to confirm.
So, while you are right, once its installed, it its far easier to trick a user into doing something, thats still one more step, and its required before they can even think about stealing passwords (well, until someone figures out a keychain exploit or something along those lines)
Right Linux users never grab stuff from random repositories... they always use the ones built in with the OS install and never add their own.
As far as the Mac userbase being like Windows... well, you do realize that anyone who isn't just a 'Linux Zealot' and actually just likes UNIX in general pretty much loves OSX because its UNIX WITH a pretty GUI and apps that weren't designed by high school kids with no ability to focus or consider the people they are 'developing the software for'
I don't think you could possibly be more wrong about the user base. Before OSX you would probably be right, but after OSX was released, pretty much every UNIX lover on the planet got a boner over it, myself included. Most people that rant on about OSX for various reasons are typically Linux Zealots. This isn't a troll, I don't mean Linux users are jealous, most don't give a shit. The wants that rant and rave and make stupid statements like yourself however, are most certainly nothing more than ignorant zealots 9 times out of 10.
OSX Users may be less computer literate because they don't have to be UNIX admins to make the OS work, but many UNIX admins love it. On the other hand, you aren't running Linux unless your a geek or the fact that its Linux is completely hidden from you (Like in say, a TiVo or router or something). No non-geek has ever went out and looked for how to use Linux, certainly unlikely any non-geek installed it without a geek to guide them through the process.
Your zealotry has you completely out of touch with reality.
I'd love to see it get my banking passwords out of my Keychain without my password...
The OSX keychain exists to make sure that isn't a problem, so they only time it would be a problem is if you were using some banking software that didn't use the keychain. Remember, an app can't even ask for another apps data from the keychain unless the original app that wrote it made it available for other apps.
Can it infect OSX, sure, is it going to be stealing passwords? Not from any app that matters and was intelligent enough to use the keychain rather than trying to reinvent the wheel, so probably not anything your bank is using either... since lets face it, your banking passwords are being used in Safari, which uses the keychain.
Yes, and I pointed that out in my post, there are several ways it could do something to infect others, but it doesn't, it does things in an absolutely stupid way.
They are either complete and total idiots, or simply dragging this thing out as long as possible by using the easiest way every time and then as soon as that is 'fixed' they use the next one on the list.
The problem with that logic is that they fucked up by having the password prompt previously and NOT installing a kext at that point in time to do really nasty stuff, now all it will take is people realizing that the shouldn't be entering there password, which only requires a slight amount of education and is far easier to do as more publicity comes for this sort of stuff.
So... they clearly aren't doing this because they want to drag it out, the people/person writing this thing doesn't have an clue what they are doing, this is the sort of shit you did back in middle school and high school to screw with the PCs in your local Stables/BestBuy/CircuitCity/Walmart/BigBoxStore, it doesn't take talent, skills or even very much knowledge, just a malicious little kid that thinks its cool that he knows a way to trick people into doing something.
Just putting itself in the Applications directory doesn't do anything special, users still have to run it. The Applications directory isn't setuid or anything like that, it doesn't make the app run as root, it doesn't have anything to do with startup or anything else, you're just allowed to create files in the Applications directory.
As I pointed out elsewhere, the intelligent thing to do would be to install to the users home directory as most non-techie Mac users will NEVER look in their home directory and notice it, thats just someplace they don't generally have to go, thats what the Documents, Pictures, Music and other folders are for. Unlike the Applications directory where users are bound to be looking at least once in a while.
The end result would be the same, all its going to do is effect a single user.
Now if it was intelligent, it'd modify the plist of an existing app to take itself on as the app launcher, then start the real app itself, which would possibly be used by other users on the system. You wouldn't be able to do it to the Apple builtin apps as permissions still require you to be root to modify it, but some other app the user installed will be owned by them and modifiable.
Back when they were asking for a password, they should have been installing a kernel extension to cloak themselves and make removal without booting from a clean drive impossible.
This 'malware' is like most Mac users, its a joke, its not even a little bit impressive, it just happens to be the first one noticed.
Just wait until the Windows malware writers start putting some effort into OSX, THEN it'll get nasty.
Unless you encrypt your backups and forget your password or your backups are stolen, its pretty much pointless.
I really don't see the point in encrypting my backups because well, if someone can get to my backups, they'd be far better off just taking the source data off my laptop.
Seriously, by the time someone can get to your backups, they have a larger more important device at their finger tips... you know, the device that the iPhone got the data from in the first place, just use the source.
This is basically like being proud that you can decompile a windows app... and ignoring the fact that you already have the source code since you wrote the app in the first place.
As is typical with people that think they 'know about security and encryption', you read one part of Schneier's statement and completely neglected the 'why' behind it.
Go read the rest of his paper, then come back. By the rest of it, I mean that it doesn't end after the first paragraph.
You don't do drive encryption with asymmetric encryption, not if you actually want to use your data at any reasonable rate.
You generate a large key for symmetric encryption, then encrypt that key using asymmetric encryption.
Browsers for instance only use RSA for the initial key exchange, and then fall back to using AES or whatever is supported by both ends. Your https sessions use RSA for about 80 bytes of data exchange before the web server actually starts communicating with the client, your GET / request is sent using symmetric encryption, as is the response that comes back.
Ahh, I love when people with no clue repeat crap they found on the Internet.
Show me something that doesnt' generate keys using an algorithm... I won't be holding my breath. Any good security system uses an algorithm for key generation... with a RANDOM mutator. Not all keys are created equal, some are known to be weak, throwing those out is paramount and users simply aren't worth shit at generating random keys, so you use an algorithm known to generate strong keys with a random mutator.
Let me help you out as to the standard way all of us that actually know about encryption do it: RFC 2898
Again, please do not talk about security and encryption when you clearly have no idea what you're talking about and are just spewing some blurbs you read from someone on the Internet, which again, you clearly didn't understand them when you read them.
especially these days when the consoles are loss leaders.
No, they aren't. I wish people would stop saying that.
They sell for less than cost for a short while at introduction. There is no current console on the market selling without making the manufacture a profit. Wii, Xbox, and PS3 are all making a clear profit on each console sale at this point. I'm not positive if the PS3 has recouped all of the initial investment costs (especially if you could developing bluray as part of that cost, which it shouldn't be counted as), but the 360 and Wii most certainly have, a while ago.
All of this needs to be open source, so we don't have to suck on idiotic interfaces and features sets that cow tow to the entertainment industry's idea of a great set of features (i.e. no time shifting, no space shifting, and pay through the nose).
So since you want to use OSS, I presume you want to have suck interfaces and feature sets that cow tow to the basement dwellers who run Linux idea of a great set of features (i.e. 5000 options that only one person cares about, all spewed at the user with little to no USEFUL information about them unless you're a computer geek, with all the general features that normal users want obscured by all the weird settings they are forced to swim through)?
I realize this sounds like a troll, and maybe it is, but seriously, OSS software stereotypically has the absolute worst fucking UIs in existence, the fact that you don't recognize this tells me you are completely disconnected from what the majority of people want.
You do realize you can do DRM on HTML5 video right? HTML5 video isn't exactly 'a standard', you can use whatever codec you want because everyone decided to be douches and not agree on how it was going to work.
For instance, my netflix client on my Blu ray player is horrible but on my 360 its great.
Really? The 360 player is absolute crap for navigation and finding stuff without naming a specific title. I do all my selection online, put it in my instant queue and avoid the xbox interface as much as possible because its so crappy.
Did your bluray player simply not work at all cause thats about the only way it could be worse than the 360.
Really? From the onset? You mean right after the tsunami happened, like the next day they already knew reactors 1-3 had at least partially melted down? Thats pretty cool because apparently 2-3 hadn't actually melted down until a few days later.
So they knew it happened before it actually happened which... means they had no clue and they were speculating like everyone else.
Voice doesn't have the same issue in general. People physically can not say on the phone talking ALL THE TIME. If nothing else, they sleep at some point, but in reality, people do many things besides dedicate themselves to a phone call. Phone calls also use a pretty insignificant amount of data thanks to modern compression technics.
Phones with apps that continually do stuff in the background or play full motion acceptable resolution video on the other hand can continually put a large load on the network without the owner of the device being in any way involved with the process. Hell, I burned through a 2g iPad data plan the other day just because I turned the volume down on iheartradio and left work without noticing... so it switched from wifi to cellular and proceeded to rapidly eat away the data while it was laying covered on my coffee table and I played video games and slept.
Networks treated voice badly years ago, when they didn't have capacity for it really, now that they've built out, voice is pretty easy for them to handle at essentially no cost and it makes them a fortune, more than data for most people.
Its hard to think there are 'web developers' still that don't realize how easily they can be replaced.
Its funny that you think you're so special you can tell your customers what they have to do. Well, I suppose you can tell them what to do right up until they are no longer customers.
I hate it because... its true, and thats where we are.
I really wish we (the entire world, its not unique to the US) we just a LITTLE less selfish on the extreme ends. A little selfishness is a good thing for the species, competition helps, but we really just need to nop off the top few percent of the greediest that cause this sort of problem.
Not really, I watched the WTC collapse on a live video stream on my cable modem because we didn't have cable TV at the time. From a technology perspective the only thing thats changed to me is that my laptop runs longer... and hotter. I still pretty much do the same stuff (and I'm a developer) at about the same speed. The Internet is supposedly faster, but I really can't tell. I'm sure, my cable modem max speed has went from 3mb/s to 10mb/s but for the most part, 3 was just enough to do pretty much everything. Sure, not HD video, but youtube doesn't take 3mb/s either.
The tech that gets you fast youtube videos is about 20 years old, its just finally getting to be ubiquitous enough that we're starting to actually USE it.
Yes you will, Digum has support contract (which is the 2 years they are covering) which require security fixes as part of the contract.
You may not get any new features, but the whole reason people PAY for support contracts is to ensure they will get support for a minimum period of time. The contracts define that level of support. Digum's support contracts are pretty good (I've admined a asterisk setup for a small company), I expect they'll take good care of their customers in the interim and use this as an opportunity to point out why you want to avoid anything Microsoft gets involved in.
The only people who use Skype are people too cheap to pay for a real phone call. No one anywhere that matters uses Skype to communicate. It may dominate the 'shitty VoIP services' market, but again, no one cares.
VoIP over the Internet is a retarded plan until the network infrastructure has proper QoS support, until then its a crap shoot while you hope that congestion doesn't ruin the call or disconnect you.
Personally, I was looking at it as a pain in the ass from a user perspective more so than a admin perspective.
noexec is a pain in the ass for your home dir as a user, and is only really useful if they have no way they can write to any location that isn't noexec, which is easy enough to do, but easy enough to miss someplace as well.
That's one account having its passwords and cc info gleefully distributed, among other things.
Investigate the OSX keychain and how it works, your apps aren't stealing passwords that any of my other apps use, they are in the keychain, a system level provider of protected storage that is designed to insure that only the app that created the data can access the data unless it specifically does so in such a way to allow other apps to access it.
This won't lead to any password theft without a password being entered to completely unlock the keychain allowing it to be viewed by any app ... which throws a big nasty 'you should NEVER EVER DO THIS' message up and prompts you for your password to confirm.
So, while you are right, once its installed, it its far easier to trick a user into doing something, thats still one more step, and its required before they can even think about stealing passwords (well, until someone figures out a keychain exploit or something along those lines)
Right Linux users never grab stuff from random repositories ... they always use the ones built in with the OS install and never add their own.
As far as the Mac userbase being like Windows ... well, you do realize that anyone who isn't just a 'Linux Zealot' and actually just likes UNIX in general pretty much loves OSX because its UNIX WITH a pretty GUI and apps that weren't designed by high school kids with no ability to focus or consider the people they are 'developing the software for'
I don't think you could possibly be more wrong about the user base. Before OSX you would probably be right, but after OSX was released, pretty much every UNIX lover on the planet got a boner over it, myself included. Most people that rant on about OSX for various reasons are typically Linux Zealots. This isn't a troll, I don't mean Linux users are jealous, most don't give a shit. The wants that rant and rave and make stupid statements like yourself however, are most certainly nothing more than ignorant zealots 9 times out of 10.
OSX Users may be less computer literate because they don't have to be UNIX admins to make the OS work, but many UNIX admins love it. On the other hand, you aren't running Linux unless your a geek or the fact that its Linux is completely hidden from you (Like in say, a TiVo or router or something). No non-geek has ever went out and looked for how to use Linux, certainly unlikely any non-geek installed it without a geek to guide them through the process.
Your zealotry has you completely out of touch with reality.
I'd love to see it get my banking passwords out of my Keychain without my password ...
The OSX keychain exists to make sure that isn't a problem, so they only time it would be a problem is if you were using some banking software that didn't use the keychain. Remember, an app can't even ask for another apps data from the keychain unless the original app that wrote it made it available for other apps.
Can it infect OSX, sure, is it going to be stealing passwords? Not from any app that matters and was intelligent enough to use the keychain rather than trying to reinvent the wheel, so probably not anything your bank is using either ... since lets face it, your banking passwords are being used in Safari, which uses the keychain.
Yes, and I pointed that out in my post, there are several ways it could do something to infect others, but it doesn't, it does things in an absolutely stupid way.
They are either complete and total idiots, or simply dragging this thing out as long as possible by using the easiest way every time and then as soon as that is 'fixed' they use the next one on the list.
The problem with that logic is that they fucked up by having the password prompt previously and NOT installing a kext at that point in time to do really nasty stuff, now all it will take is people realizing that the shouldn't be entering there password, which only requires a slight amount of education and is far easier to do as more publicity comes for this sort of stuff.
So ... they clearly aren't doing this because they want to drag it out, the people/person writing this thing doesn't have an clue what they are doing, this is the sort of shit you did back in middle school and high school to screw with the PCs in your local Stables/BestBuy/CircuitCity/Walmart/BigBoxStore, it doesn't take talent, skills or even very much knowledge, just a malicious little kid that thinks its cool that he knows a way to trick people into doing something.
Just putting itself in the Applications directory doesn't do anything special, users still have to run it. The Applications directory isn't setuid or anything like that, it doesn't make the app run as root, it doesn't have anything to do with startup or anything else, you're just allowed to create files in the Applications directory.
As I pointed out elsewhere, the intelligent thing to do would be to install to the users home directory as most non-techie Mac users will NEVER look in their home directory and notice it, thats just someplace they don't generally have to go, thats what the Documents, Pictures, Music and other folders are for. Unlike the Applications directory where users are bound to be looking at least once in a while.
The end result would be the same, all its going to do is effect a single user.
Now if it was intelligent, it'd modify the plist of an existing app to take itself on as the app launcher, then start the real app itself, which would possibly be used by other users on the system. You wouldn't be able to do it to the Apple builtin apps as permissions still require you to be root to modify it, but some other app the user installed will be owned by them and modifiable.
Back when they were asking for a password, they should have been installing a kernel extension to cloak themselves and make removal without booting from a clean drive impossible.
This 'malware' is like most Mac users, its a joke, its not even a little bit impressive, it just happens to be the first one noticed.
Just wait until the Windows malware writers start putting some effort into OSX, THEN it'll get nasty.
Unless you encrypt your backups and forget your password or your backups are stolen, its pretty much pointless.
I really don't see the point in encrypting my backups because well, if someone can get to my backups, they'd be far better off just taking the source data off my laptop.
Seriously, by the time someone can get to your backups, they have a larger more important device at their finger tips ... you know, the device that the iPhone got the data from in the first place, just use the source.
This is basically like being proud that you can decompile a windows app ... and ignoring the fact that you already have the source code since you wrote the app in the first place.
As is typical with people that think they 'know about security and encryption', you read one part of Schneier's statement and completely neglected the 'why' behind it.
Go read the rest of his paper, then come back. By the rest of it, I mean that it doesn't end after the first paragraph.
You don't do drive encryption with asymmetric encryption, not if you actually want to use your data at any reasonable rate.
You generate a large key for symmetric encryption, then encrypt that key using asymmetric encryption.
Browsers for instance only use RSA for the initial key exchange, and then fall back to using AES or whatever is supported by both ends. Your https sessions use RSA for about 80 bytes of data exchange before the web server actually starts communicating with the client, your GET / request is sent using symmetric encryption, as is the response that comes back.
Ahh, I love when people with no clue repeat crap they found on the Internet.
Show me something that doesnt' generate keys using an algorithm ... I won't be holding my breath. Any good security system uses an algorithm for key generation ... with a RANDOM mutator. Not all keys are created equal, some are known to be weak, throwing those out is paramount and users simply aren't worth shit at generating random keys, so you use an algorithm known to generate strong keys with a random mutator.
Let me help you out as to the standard way all of us that actually know about encryption do it: RFC 2898
Again, please do not talk about security and encryption when you clearly have no idea what you're talking about and are just spewing some blurbs you read from someone on the Internet, which again, you clearly didn't understand them when you read them.
jsp is java, not javascript, which is entirely different other than the name.
Your definition of 'lightning fast' is my definition of 'painfully slow language' even in the new JS engines.
uhm, thats pretty much EXACTLY what Javascript was intended for ... you do know where it came from ... right?
especially these days when the consoles are loss leaders.
No, they aren't. I wish people would stop saying that.
They sell for less than cost for a short while at introduction. There is no current console on the market selling without making the manufacture a profit. Wii, Xbox, and PS3 are all making a clear profit on each console sale at this point. I'm not positive if the PS3 has recouped all of the initial investment costs (especially if you could developing bluray as part of that cost, which it shouldn't be counted as), but the 360 and Wii most certainly have, a while ago.
All of this needs to be open source, so we don't have to suck on idiotic interfaces and features sets that cow tow to the entertainment industry's idea of a great set of features (i.e. no time shifting, no space shifting, and pay through the nose).
So since you want to use OSS, I presume you want to have suck interfaces and feature sets that cow tow to the basement dwellers who run Linux idea of a great set of features (i.e. 5000 options that only one person cares about, all spewed at the user with little to no USEFUL information about them unless you're a computer geek, with all the general features that normal users want obscured by all the weird settings they are forced to swim through)?
I realize this sounds like a troll, and maybe it is, but seriously, OSS software stereotypically has the absolute worst fucking UIs in existence, the fact that you don't recognize this tells me you are completely disconnected from what the majority of people want.
You do realize you can do DRM on HTML5 video right? HTML5 video isn't exactly 'a standard', you can use whatever codec you want because everyone decided to be douches and not agree on how it was going to work.
For instance, my netflix client on my Blu ray player is horrible but on my 360 its great.
Really? The 360 player is absolute crap for navigation and finding stuff without naming a specific title. I do all my selection online, put it in my instant queue and avoid the xbox interface as much as possible because its so crappy.
Did your bluray player simply not work at all cause thats about the only way it could be worse than the 360.
Really? From the onset? You mean right after the tsunami happened, like the next day they already knew reactors 1-3 had at least partially melted down? Thats pretty cool because apparently 2-3 hadn't actually melted down until a few days later.
So they knew it happened before it actually happened which ... means they had no clue and they were speculating like everyone else.
Voice doesn't have the same issue in general. People physically can not say on the phone talking ALL THE TIME. If nothing else, they sleep at some point, but in reality, people do many things besides dedicate themselves to a phone call. Phone calls also use a pretty insignificant amount of data thanks to modern compression technics.
Phones with apps that continually do stuff in the background or play full motion acceptable resolution video on the other hand can continually put a large load on the network without the owner of the device being in any way involved with the process. Hell, I burned through a 2g iPad data plan the other day just because I turned the volume down on iheartradio and left work without noticing ... so it switched from wifi to cellular and proceeded to rapidly eat away the data while it was laying covered on my coffee table and I played video games and slept.
Networks treated voice badly years ago, when they didn't have capacity for it really, now that they've built out, voice is pretty easy for them to handle at essentially no cost and it makes them a fortune, more than data for most people.
Its hard to think there are 'web developers' still that don't realize how easily they can be replaced.
Its funny that you think you're so special you can tell your customers what they have to do. Well, I suppose you can tell them what to do right up until they are no longer customers.
Good luck with that.
Yea ... well, except that MS announced they were killing their own product a few months back.
I hate the fact that you made this post.
I hate it because ... its true, and thats where we are.
I really wish we (the entire world, its not unique to the US) we just a LITTLE less selfish on the extreme ends. A little selfishness is a good thing for the species, competition helps, but we really just need to nop off the top few percent of the greediest that cause this sort of problem.
Not really, I watched the WTC collapse on a live video stream on my cable modem because we didn't have cable TV at the time. From a technology perspective the only thing thats changed to me is that my laptop runs longer ... and hotter. I still pretty much do the same stuff (and I'm a developer) at about the same speed. The Internet is supposedly faster, but I really can't tell. I'm sure, my cable modem max speed has went from 3mb/s to 10mb/s but for the most part, 3 was just enough to do pretty much everything. Sure, not HD video, but youtube doesn't take 3mb/s either.
The tech that gets you fast youtube videos is about 20 years old, its just finally getting to be ubiquitous enough that we're starting to actually USE it.
Yes you will, Digum has support contract (which is the 2 years they are covering) which require security fixes as part of the contract.
You may not get any new features, but the whole reason people PAY for support contracts is to ensure they will get support for a minimum period of time. The contracts define that level of support. Digum's support contracts are pretty good (I've admined a asterisk setup for a small company), I expect they'll take good care of their customers in the interim and use this as an opportunity to point out why you want to avoid anything Microsoft gets involved in.
Dominance? Seriously?
The only people who use Skype are people too cheap to pay for a real phone call. No one anywhere that matters uses Skype to communicate. It may dominate the 'shitty VoIP services' market, but again, no one cares.
VoIP over the Internet is a retarded plan until the network infrastructure has proper QoS support, until then its a crap shoot while you hope that congestion doesn't ruin the call or disconnect you.