Yup, it's going to be really hard "dealing with" not downloading dodgy-sounding security apps from obscure websites, and then ignoring the warnings and just running them anyway.
It's actually very hard. That's been the biggest security issue on Windows by far for years, and while Microsoft, Mozilla and Google have taken some fairly impressive steps to deal with it, they've only managed to reduce the problem and not eliminate it.
Looking at the video: the "convincing" is done with images of OS X dialogs on a web page telling users that they have a virus. Heck, it might as well be an animated GIF. From there on, it's the standard package installer with standard messages.
The standard package installer messages are, unfortunately, rather unhelpful. They tell you that you're installing something from somewhere, but the malware creator gets to control both what it says the program is and where the user thinks it came from. (The author of this malware also hasn't customised the package as much as they could've. In theory they could've changed both the background image and the introduction message displayed on the first page of the installer, but those options are badly documented.)
The user has to voluntarily click two or three times to confirm that, yes, they want to install this software.
The problem is - which software and from where? There's a big difference between asking someone if they want to install "Some Misleading Name" and asking them if they want to install something claiming to be "Some Misleading Name" from fishysoundingwebsite.com. Apple seems to have unwisely chosen the former.
Adding a few more clicks and a couple of yellow triangles (to bring it in line with Internet Explorer) might deter some, but by this stage the victim has decided that they want to download and install the software.
They can change their mind. Giving them doubts about the origin and authenticity of the software is probably the best way of helping them to do so.
1. Don't fall for the fake alerts in the first place.
Doesn't help - the malware has hijacked various sites and search results, and no interaction with the website is required for it to download and ask you to install it.
2. Don't have "Open Safe Files After Downloading" enabled in Safari.
Unfortunately, Apple in their infinite wisdom made that the default, and very few users change the defaults when doing so makes their life less convenient.
3. If they DO have that option enabled, don't allow the application to run when OS X puts up the "This application was downloaded from the Internet..." dialog.
As far as I can tell, most users haven't been getting that dialog for some reason. They get an installer prompt that they can decline to avoid being infected, but it doesn't have any warnings on. (There's also the problem of users totally disabling that warning because "Macs don't get viruses" and it's annoying them.)
4. Think about why the application immediately wants CC info, and do not enter it until doing further research.
That stops your credit card details from being stolen - probably, anyway - but you still have the problem of a computer that's infected by malware.
So, Mr. Smarty-Pants Communist; just exactly HOW would YOU "fix" an OS (any OS) so that the user can't be social-engineered?
The normal practice in this case seems to be difficult-to-ignore and scary warning messages to tell you that you're downloading and running random software off the Internet. Mac OS X is meant to have them, but for some reason they don't seem to be appearing for most people this malware tries to infect.
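To see which downloads on a Mac actually carry the File Quarantine attribute behind the "downloaded from the Internet" dialog discussed above, and which application fetched them, here is an added Python example (not part of any commenter's post). It assumes the attribute's usual `flags;hex-timestamp;agent;UUID` layout and the Safari preference key `AutoOpenSafeDownloads`; the sample values are constructed.

```python
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import NamedTuple, Optional

QUARANTINE_ATTR = "com.apple.quarantine"
# File types a browser can hand straight to Installer or Finder.
INSTALLABLE = {".pkg", ".mpkg", ".dmg", ".zip", ".app"}


class Quarantine(NamedTuple):
    flags: int
    downloaded_at: Optional[datetime]
    agent: str       # application that fetched the file, e.g. "Safari"
    event_id: str    # UUID of the download event, may be empty


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex-epoch;agent;uuid' (assumed layout) into fields."""
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError("expected at least flags and timestamp")
    flags = int(fields[0], 16)                    # ValueError if not hex
    stamp = fields[1]
    when = (datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
            if stamp else None)
    agent = fields[2] if len(fields) > 2 else ""
    event_id = fields[3] if len(fields) > 3 else ""
    return Quarantine(flags, when, agent, event_id)


def describe(name: str, raw: Optional[str]) -> str:
    """One triage line per file; raw is the attribute value or None."""
    if raw is None:
        return f"{name}: NOT quarantined (no recorded download origin)"
    try:
        q = parse_quarantine(raw)
    except (ValueError, OverflowError, OSError):
        return f"{name}: quarantine value malformed: {raw!r}"
    when = (q.downloaded_at.strftime("%Y-%m-%d %H:%M UTC")
            if q.downloaded_at else "unknown time")
    return f"{name}: quarantined, fetched by {q.agent or 'unknown app'} at {when}"


def read_quarantine(path: Path) -> Optional[str]:
    """macOS only: read the attribute with the system xattr tool."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, str(path)],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def safari_auto_open() -> Optional[bool]:
    """macOS only: state of "Open safe files after downloading".

    None means the key is unset or unreadable, so Safari's default applies.
    """
    proc = subprocess.run(
        ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip() in ("1", "true", "YES")


def audit_downloads(folder: Path) -> list:
    """Describe every installable item directly inside folder."""
    return [describe(p.name, read_quarantine(p))
            for p in sorted(folder.iterdir())
            if p.suffix.lower() in INSTALLABLE]


# Constructed sample values (not taken from any real machine or sample).
SAMPLES = {
    "SomeMisleadingName.pkg": "0002;4dc9a5c0;Safari;CONSTRUCTED-UUID-0001",
    "copied-from-usb.pkg": None,
    "truncated.dmg": "zz;;",
}

if __name__ == "__main__":
    if sys.platform == "darwin":
        print("Safari auto-open safe files:", safari_auto_open())
        for line in audit_downloads(Path.home() / "Downloads"):
            print(line)
    else:
        for name, raw in SAMPLES.items():
            print(describe(name, raw))
```

To turn the Safari setting off from Terminal, the matching command is `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.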
The lawsuit preventing Tesco from selling Levis used a cunning legal trick, as I recall. The Levis were imported from other countries on the grey market, which meant that they were marketed by a different Levi subsidiary than the subsidiary that held the UK trademark on the name, one that didn't have the right to sell them in the UK. Levi used this to successfully argue that Tesco was infringing on their trademark by importing genuine Levi jeans from abroad and selling them. There have been similar cases elsewhere.
Basically it's just another example of a company wanting to keep all the benefits of globalisation to themself.
That's what you get to see when this RogueAV tries to get on the system. There's nothing automatic about it, there is tons of user input, and that's precisely why it's not much to get worried about as a Mac user.
Just two clicks required to install malicious software after you've visited a hijacked site, with none of the usual warnings about downloading software from the internet that most platforms have added - with good reason, I might add? That's definitely a problem. Sure, no matter what you do there'll always be someone daft enough to jump through the hoops required to do something nasty, but making it that easy for websites to convince users to install software - and giving them that much control over the messages displayed - is just unwise.
You should at least try using a search engine before making a remark like that:
https://help.ubuntu.com/community/Linuxvirus
Funny story: I have actually come across a Linux ELF virus in the wild. It was so ancient and badly-written that it caused most of the programs it infected to crash, which kinda blew its cover. Pretty much all of the Linux viruses out there are ancient, proofs-of-concept or both - several of them you even have to compile from source yourself!
(Interestingly, that page's description of the BadBunny virus seems to be a bit off... it's actually a cross-platform OpenOffice macro virus what runs on Windows, OS X and Linux.)
I'm sure you can find GCC binaries for OSX outside of XCode.
Requires Apple's special forked version of GCC as I recall, and Apple are moving to LLVM so that they don't have to release the source code to their compiler at all.
Uhhh...hadn't tried GOG have you? Not only do they split the games into 1Gb chunks if you desire, but they also have an Adobe AIR app that lets you set bandwidth speeds, and resume broken downloads from where you left off, so even if you have an intermittent connection you can still buy from GOG.
Wow - that would allow download of the game within at most a year of its release even with fairly bad internet access. Wait - that's not amazing at all!
That said if your net is so shitty you can't even download a single game you might seriously want to upgrade or even move. So much is becoming based around the net that not having a reliable broadband connection is becoming like not having electricity in that you are relegated to second class citizen status.
Because obviously that's an option available to everyone, even if they don't have the money or it would involve moving countries (you are aware just how immigration-hostile the governments of most nations with decent internet connectivity are, right?)
Sadly not. Everyone and their dog seems to be BitCoin mining these days, mostly with AMD GPUs (though there are a few miners out there using FPGAs).
Given the way Japan's current civilization managed to ignore some fairly simple tsunami warnings from only a few centuries ago, I think we're being a bit optimistic if we think we can come up with nuclear warning labels that will be understood for tens of thousands of years into the future...
In that case, gold must be REALLY hard and expensive to mine! It must be WAY more dangerous than uranium!
As it happens gold mining is fairly dangerous, yes, though unlike uranium most of the cost is due to scarcity of the gold itself.
As for pebble bed reactors? When were they determined not to be safe? They never even entered the mainstream let alone had any problems.
Some rather nasty issues showed up in analysis of the pebble bed reactors that no-one's figured out a good solution to, as I understand it. It turns out the pebbles release far more radioactive material into the reactor than they're meant to, there's no good way of monitoring and controlling reactor temperatures, and the risk of meltdown is a lot higher than initially estimated even if you assume the flammable graphite in the pebbles will never catch fire. Not to mention the small issue of an accidental release of radiation by one of the early reactors that was covered up and blamed on Chernobyl.
There haven't been any major disasters involving pebble bed reactors, but since they never entered the mainstream that's not terribly surprising. You need to pay attention to the issues that didn't lead to a major disaster if you want a good idea of the risks involved.
It all sounds quite sensible the way they describe it - most of the code is in user mode. It packs commands into packets and calls kernel mode code whose sole purpose is to add the packets into a DMA list. Graphics hardware then DMAs the commands and executes them.
Of course, the open source Linux drivers for ATI/AMD graphics have used pretty much the same approach since more or less forever...
Yeah, like the serious reports from about 40 years ago that state that the nuclear power plant design used was inherently unsafe?
You mean the ones that were essentially ignored because they must obviously just be the work of anti-nuclear troublemakers, and because the shiny new nuclear plants had cost so much to build that shutting them down would result in the power companies losing masses of money?
Any ones that are left powered on. Transistors last apparently indefinitely if you leave them powered on, it's only when cycling the power that you have a chance for them to blow (after the "infant mortality" period of a few weeks/months anyway).
I think you're getting confused with valves or something, though even those don't last indefinitely. Transistor-based designs are a bit different - the longer you run them for (and the higher the voltage and temperature you run them at), the more likely the transistors are to die.
Did anyone stick a gun to your head and make you buy it off of Steam? You had the choice of the (IMHO superior) GOG version, with no need for crap running in the background (like Steam), incredibly easy to back up, and all around hassle free version, or you could buy the DRM version from Steam and D2D.
You're forgetting that some users don't have good enough internet connections to download large games or just want the physical bits that come with the boxed edition. (The boxed version had DRM too by the way.)
Actually, there is a great difference between apartheid (discrimination of citizens based on race), occupation (governing by military force over population) and siege (preventing/filtering produce as part of an ongoing war effort).
It's not that clear a distinction. The black regions of South Africa during apartheid were nominally independent states too, just with nothing resembling an independent economy or political system - much like Palestine. What's more, there was a very definite campaign of ethnic cleansing used to drive out the non-Jewish residents of what became Israel proper. As for the difference between occupation and siege... which it's closer to at the time seems to vary depending on the mood of Israeli politicians.
The Palestinians living inside Israel are equal rights citizens.
Nominally equal. In practice they don't really have much in the way of political representation, the major parties have to be restrained from outlawing any political party that tries to represent them by the courts, there's fairly impressive racism in employment and housing and provision of services to majority-Arab cities, etc... (To be fair, a lot of this isn't unique to Israel - the US at least has similar race problems.)
Where do you get that? Interfaith marriage is not illegal in Israel, and non-Jews can certainly own land.
I'm guessing slightly mangled second-hand information. The current state of affairs is that interfaith marriages are legally recognised by Israel, but it's impossible to actually conduct a legal interfaith marriage within Israel (or indeed any kind of secular marriage), due to the political influence of Orthodox Judaism IIRC. Oh, and while it is legal for non-Jews to own land, a lot of the land is owned by organisations that are forbidden to lease to non-Jews or to sell it outright to anyone.
There is no factual error in that quote. Israel is an apartheid state.
Pretty much, yeah. All the arguments against this that I've seen seem to fundamentally misunderstand either how apartheid actually worked in South Africa or just how little independence Palestine actually has...
Standard Microsoft reputation management response to malware discussions.
Have you read the discussions here on /. and elsewhere about the latest Mac OS X malware? Apparently it's all the user's fault for deliberately installing malicious software and anyone blaming Apple in any way is spreading FUD.
The day Microsoft stops trying to deflect blame with this tired old furphy, and starts taking Human Factors science seriously, is the day Windows starts becoming secure.
They've at least put some effort into this since the XP era. At this point, they're probably a lot better than Apple, who still seem to think that letting untrusted websites automatically download and launch installer packages, and then giving the site significant control over what the installation prompt says, is a good idea.
It's not what happened, but rather what didn't happen. To my knowledge the woman hasn't taken a single course from the law school curriculum and she's obviously not sufficiently aware of the extent of her own ignorance.
Of course, anyone complaining about this violation of moral and legal principles must be a woman-hating rapist themselves, because that's the only reason that someone would complain about this idea. There's a reason I don't support feminism. (Actually, there's numerous reasons, most of them related, but that's one of them.)
Oh, and like all the really unjust feminist-proposed ideas, it was suggested safe in the knowledge that neither the person proposing it nor any other people she had any empathy for would be affected by it, because it was carefully aimed at men only.
The trouble is when a "non-governmental entity" grows so large that it becomes a de facto "governmental" body, or filter on what people receive.
Which, ironically, is an effect that anti-porn groups often make use of to censor pornography. Obviously they're less happy when it happens to them.... (Though to be honest most of the Facebook anti-porn groups are probably in repeated violation of their rules on harassment anyway.)
This still requires the user to deliberately install the malware.
Something like 97% of Windows malware infections these days are caused by users "deliberately" installing malware, and that's with Windows putting a lot more obstacles in the way of websites wanting to convince users they should install something malicious than Mac OS X does. Doesn't stop Windows malware infections from being a big selling point for Macs. (Even in the bad old days of Windows security, an awful lot of infections were due to users agreeing to install the malware.)
Look at the Max Mosley case, his reward didn't even really cover his legal fees.
The libel case also spectacularly failed to put the genie back in the bottle - if anything it focused more press attention on him, which is probably what the News of the World were counting on to let them get away lawsuit-free. In fact, I suspect his lawsuit had less to do with protecting him and more to do with stopping the tabloids from dragging everyone else involved through the mud. (I think someone who ran a spanking website that may at some point have featured one of the women involved was sacked from his day job as a result of one of the tabloids splashing him on the front page. Not to mention that the News of the World itself was essentially trying to blackmail the other women involved into selling it juicy stories by threatening to put their names and photos on the front page if they didn't...)