How the other side lives
I haven't even had my morning-after coffee yet, and my inbox is already abuzz that there's some serious malware possibly making the rounds on Mac OS X.
Ah well, I need something to bang on while I'm waiting for the coffee to brew and my morning infusion of the nectar of the bean lets me think in a more coherent and structured way.
Yes, it's pretty much real: there are already forms of malware on Mac OS X, and they have been around in what constitutes the fairly feeble Mac underground for quite a while.
And no, this does not mean the Mac has made market share strides vast enough that hackers are now seriously turning their attention to it. This is just people getting around to it.
And yes, this 'rootkit' of sorts has been around for a while; the news is that someone found it on a machine and people are worried about how it actually got there.
And yes, this thing is a little more special, as it's more akin to something like the Windows Agobot than the relatively simplistic offerings heretofore available to the l33t kiddies on the Mac.
And no, while this is something to definitely worry about and keep in mind, it's not nearly on the scale of something like Agobot, which is just a freaking nightmare to deal with any way you slice it.
And yes, this is the kind of thing I warned about back in 'Recognizing a warning shot' and there is a longer take on some of these points there.
And yes, all things considered, it's still probably easier to actually write some serious malware on Mac OS X than it is on something like Windows.
And no, nothing has really changed from that original post linked above. Since the advent of Mac OS X, the problem with writing malware for the Mac has never been about capability; it's primarily about attack vectors.
And yes, that's why you don't hear more about this sort of thing: while it exists, actually getting it onto the user's system is such a bitch, due to the low availability of attack vectors (again, think of this as trying to catch five goldfish in a lake of trout), that it is rarely widespread enough to get a whole lot of notice.
And yes, if you are a big fan of Mac-oriented P2P sites, or have to open things you can't implicitly trust, or have to deal with machines where you can't trust what the user will do when you're not there, I wouldn't laugh at you for investing in some anti-virus software for peace of mind.
And no, if you are nice and patched with the security updates from Apple you shouldn't have to worry about contracting this through browsing the web unless there is another major vulnerability that's known to the undesirables but not to others.
And yes, this type of thing primarily spreads through trojans on P2P, usenet, instant messaging and other types of networks because again, the problem is about attack vectors and bang for buck as referenced in the prior post I linked to.
And yes, this means if you are talking to 'Butterfly_Eyez_1984' on iChat, and she tells you she'd like to send you her pictures, but she only has them in a slideshow which she can send to you and which you can run by double-clicking... even as a Mac user your brain should be hardcore in Danger-Will-Robinson! mode.
And no, as shown, this doesn't need any form of authentication or notice to the end user: it is primarily after user data, and most Mac users run as Admin, which is roughly the equivalent of being between a plain user and root.
And yes, that means that just because nothing has asked you for your password, it doesn't mean nothing bad is going on.
And yes, for this thing to really act system-wide and have its way with all the users on the box, it would need some form of authentication, since Startup Items generally run as the equivalent of root. But your own privileges apply to anything you spawn, so a trojan you double-click gets everything your account can read and write. Mandatory access control of the kind SELinux is making inroads with, and SEDarwin is starting to look at, is the eventual answer to that, but basically most of the data you care about as a normal user will be hosed.
And yes, there might be fancy ways to get around that in some cases, say by embedding a line in someone's .bashrc or .bash_profile, or a gazillion other esoteric things you might see on other platforms, but the bang-for-buck thing rears its lovely head again and it's not something I'm terribly concerned about.
And yes, something like this could be attached to pretty much anything you download and run, and you'd never see any form of authentication dialog asking for your password, it'd just be taking your data on the quiet.
And no, I'm not especially paranoid about the above as while it's very, very real most attackers would like their zombie boxen to survive a reboot.
And yes, I probably should be more paranoid about the above as it isn't too difficult to whip up a fake-but-authentic-looking box to ask for your password so Safari can access your Keychain or something.
And yes, this is exactly the kind of nastiness that could easily have exploited the major vulnerability referenced in the prior post when it was discovered, and I'm sure it happened, but it still couldn't become widespread due to the attack vector problem.
And yes, Mac users scare the absolute shite out of me when it comes to this stuff, simply because they've been conditioned by experience and, more egregiously, by other Mac users gloating and actively encouraging them not to give a second thought to firewalls, viruses and malware, helping to create a passive, apathetic culture of clicky-clicky that in many ways makes them the scariest users of all.
And yes, in a way, being asked to enter your password on Mac OS X by every app you use that might access the keychain, and every time you install something of note, can't help but desensitize your average user to giving up their password like it's prom night.
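The two persistence spots contrasted above, per-user shell rc files (writable with no password dialog) versus root-owned Startup Items (which should have cost an authentication dialog), as an added example that is not code from the original post. It audits both: rc lines that background something or launch it out of a scratch directory, and StartupItems entries that are not root-owned or are group/world writable. Paths are parameters so it runs against a constructed tree on any Unix; the rc heuristics and the `/Library/StartupItems` location are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits the two persistence
# spots the post contrasts. Paths are parameters so it can be pointed at a
# constructed tree; the rc-line heuristics are this example's assumption.

# rc_hooks FILE: print rc lines that background a command, use nohup, or
# run something out of a world-writable scratch directory.
rc_hooks() {
    rcfile="$1"
    [ -f "$rcfile" ] || return 1
    grep -nE '(^|[^&])&[[:space:]]*$|(^|[[:space:]])nohup[[:space:]]|/(var/)?tmp/' "$rcfile"
}

# weak_startup_items DIR: print entries that are not owned by root, or are
# group/world writable. Either lets an unprivileged user change what runs
# as root at boot.
weak_startup_items() {
    dir="$1"
    [ -d "$dir" ] || return 1
    find "$dir" -mindepth 1 -maxdepth 1 \
        \( ! -user root -o -perm -020 -o -perm -002 \) -print
}

# audit_count HOME ITEMS_DIR: total number of findings for one account.
audit_count() {
    n=0
    for f in "$1/.bash_profile" "$1/.bashrc" "$1/.profile"; do
        m=$(rc_hooks "$f" | wc -l | tr -d ' ')
        n=$((n + m))
    done
    m=$(weak_startup_items "$2" | wc -l | tr -d ' ')
    echo $((n + m))
}

# make_fixture: constructed test tree (not a real infection) with one benign
# rc line, one backgrounded launcher out of /tmp, and one world-writable
# startup item. Prints the tree's root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home" "$root/StartupItems/Benign" "$root/StartupItems/Planted"
    printf 'export PATH=$HOME/bin:$PATH\n' > "$root/home/.bash_profile"
    printf 'nohup /tmp/.hidden/keeper >/dev/null 2>&1 &\n' >> "$root/home/.bash_profile"
    chmod 777 "$root/StartupItems/Planted"
    echo "$root"
}

# Real-world usage on a Mac of the day (assumed paths):
#   audit_count "$HOME" /Library/StartupItems
```

A non-root-owned entry under the system Startup Items directory is the interesting finding: a user-level trojan cannot put it there on its own, so either a password dialog was answered or something else went wrong with permissions.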
And yes, that desensitization is a real problem, as to your normal user it's inconvenient, annoying, and tedious to have to click to deal with authorizing things over and over. And people tend to mentally glaze over things that are inconvenient, annoying, and tedious.
And no, there isn't really a solution to the preceding desensitization problem, as it's part of using a system built for multiple users but usually just used by one. Microsoft tried to end-run around this problem with previous versions of Windows and learned the hard way that while this type of security creates inconvenience, it's nothing compared to the inconvenience down the road unless you have something equivalent in place in a networked world. If you need an analogy, think regular dental checkups.
And no, that's not the whole picture of security on Windows, but it illustrates a point I'll go into further at another time.
And no, the differences between the security models of Mac OS X and Windows NT and later are not somehow night and day, with Windows vastly inferior; Apple just does a much, much better job of enforcing theirs, sacrificing a little convenience for security, which MS is swinging back towards.
And yes, things would, in many ways, be a hell of a lot more convenient for your average user if Mac OS X, for all intents and purposes, just let you run as root. Anyone ever having to deal with esoteric permissions errors because they can't get anything to print will see the immediate appeal of what OS9 offered.
And no, I don't have a problem with a little gloating about the relative lack of security headaches afforded to your average user as compared to Windows and even touting it as a feature: it is.
And yes, I've heard various Mac people on various lists and other places actively gloat about how they can click on any attachment in their email and well, basically click anything, anywhere, because they don't have to worry as they're not using Windows.
And yes, I've heard various Mac people ridicule Windows users who are new to the platform, or just users in general who ask about a good firewall or a decent anti-virus/malware solution for the Mac.
And yes, these types of people piss me off enough with their unadulterated, abject and unrepentant ignorance that they make it into my kill file, only to have one of their email addresses randomly googled, because I know they're prime examples of idiotic and dangerous advice in general, and googling for "idiotic and dangerous computer advice" and finding something suitable would take longer than just seeing if one of them has a homepage.
And yes, it can be difficult not to call them up and ask them why they are such an asshat to users who don't know any better, when you realize that googling someone's email along with the term "news network" gets you phone number and address info that they may not have bothered to plug in with false data.
And no, there's nothing inherently wrong with not having anti-viral apps or a firewall on the Mac. But to do so without a realistic understanding of what the risks are is inviting trouble, and to give someone a false understanding so you can circle-jerk in your love for your platform of choice borders on negligence.
And yes, these types of asshats exist on every platform in their own form, sorta like how every first person shooter game has a variant of the sniper rifle.
And no, Mac people are not smarter and more knowledgeable than Windows users when it comes to these things.
And yes, you're about to tell me about that crazy study that showed Mac users were smarter than PC users, but will have nothing to say when I ask you to explain the existence of this, so let's just save ourselves the time.
And yes, I can believe the study that shows Mac users are more affluent as a whole than Windows users. You sorta have to be if you find it entirely reasonable to be forced to spend $1.5k+ just to get a computer that supports more than one internal drive.
And no, there's nothing wrong with that.
And yes, it may be that Mac users are smarter and more informed in general than your average well-diluted sample of PC users, but it's completely irrelevant as the gap between knowing what you know and knowing what you need to know is huge, as the ham story is intended to illustrate.
And yes, there is a difference between being knowledgeable about using your computer of choice and actually having a clue as to what's going on underneath the prettiness.
And no, I don't believe the fact that you sit at an angle due to the thickness of your wallet has any bearing on how informed you are as a computer user: you need to stop setting up other users for disaster in the future simply because you get off on your Mac-OS-X-is-invulnerable-bullet-point.
And yes, I believe in being realistic over being paranoid, but where it's realistic to be paranoid, be paranoid.
And yes, that means that it's over the top to only use Quicken on a computer that's never connected to the internet and never had foreign media introduced to it, but it's not over the top to refuse to download every app you happen to find on the internet unless you know it's been well-vetted and has a solid reputation.
And yes, if you're a Mac user it's worth spending a few minutes reading how Apple suggests you live, and then spending a few minutes learning how the other side lives, and not only figuring out what applies to you as a Mac user and what doesn't, but knowing why it doesn't apply so that if the situation happens to change, you can change your behavior to match the situation.
And yes, I'm aware that a normal user going to Apple's site wouldn't find the link I referenced unless they were having a really lucky day with keyword searches.
And no, I don't know why that is, and I'm still in the afterglow of Apple "clearing up the misunderstanding" and giving better information with their security updates since I ranted about it, so I don't feel like going off on this one right now.
And no, don't trust everything I'm telling you about this either... when it comes to a blog, it's realistic to be paranoid.
Comments (12)
Posted by: Adam at October 23, 2004 10:10 AM
....but it's not over the top to not download every app you happen to find on the internet unless you know it's been well vetted and has a solid reputation....
Or you could do like me and install Debian! I only use software that has source code available and build from that. That way there are no surprises!
Was there not a Mac developer recently who had code to delete your entire home directory if it thought you had a pirated access code? Google...
Posted by: Anonymous Coward at October 23, 2004 10:28 AM
Most dangerous of all? That's crap.
When was the last time you installed Windows or watched a Windows user? They are just as trained to click "Yes" at every prompt.
Posted by: isle.yi.org at October 23, 2004 10:30 AM
I hate to 'call you out', but this has absolutely nothing to do with security unless you call a bad security practice related to Mac OS X.
Someone got in through either a local compromise, or you opened up something (OS X doesn't leave anything open by default, the #1 criticism of Windows by people who do know what they're doing) like ssh and allowed someone to beat on it for 2 weeks.
A quick guide to security for the lazy and ignorant:
1) Never put the machine with all your important stuff directly on the internet. This includes incoming port forwarding. Use a bastion host.
2) root should /never/ be accessible from outside the machine. SSH has controls to completely disable root logins and while I don't know if OS X uses PAM, that can do it too.
3) If you aren't using it and someone else can access it, it doesn't need to run. This includes services like samba that you only use occasionally to get files from one machine to another. You don't need to kill the service (the Finder will complain), blocking the port should be good.
4) Your password is the key to your digital life. I'm sure I don't have to expound on that, but any less than military-grade protection is silly. Keep in mind that password unlocks your Keyring too, so a good practice is to not store really important passwords in your Keyring at all.
5) Services that send a password over plain text should not be used any where else, but really, you should be bitching at your administrator to get a SSL-capable version of that service. If that administrator is you, approach the mirror and follow the rest of the directions, as you have no excuse.
Posted by: isle.yi.org at October 23, 2004 10:35 AM
Sorry. #5 should read: "Services that send a password over plain text should have a password that is not used anywhere else".
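Point 2 of the guide above, checked against an actual sshd_config, as an added example that is not the commenter's code. It flags root login reachable over the network, a password-based login path, and SSH-1 being allowed, and shows a loose configuration beside a hardened one. The sample configs are constructed here; the compiled-in default it reports for a missing PermitRootLogin (yes, on OpenSSH releases of the period) is an assumption about the era, so confirm against the man page for the version actually installed.

```sh
#!/bin/sh
# Added example, not the commenter's code. Checks an sshd_config for the
# commenter's point 2 (no root over the network) plus two related settings.
# Sample configs are constructed; the "default is yes" note for a missing
# PermitRootLogin is an assumption about OpenSSH releases of the time.

# sshd_audit FILE: print one line per weak directive. Directives after a
# Match line only apply conditionally, so they are tagged rather than skipped.
sshd_audit() {
    awk '
      /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
      { key = tolower($1); val = tolower($2); tag = (inmatch ? " [in Match block]" : "") }
      key == "match" { inmatch = 1; next }
      key == "permitrootlogin" {
          if (!inmatch) seen_prl = 1
          if (val != "no") print "PermitRootLogin " $2 ": root reachable over the network" tag
      }
      key == "passwordauthentication" && val == "yes" {
          print "PasswordAuthentication yes: online password guessing possible" tag
      }
      key == "protocol" && val ~ /1/ { print "Protocol " $2 ": SSH-1 allowed" tag }
      END { if (!seen_prl) print "PermitRootLogin not set: compiled-in default applies (yes on OpenSSH of the period)" }
    ' "$1"
}

# sshd_audit_count FILE: number of findings, 0 meaning the checks pass.
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# write_sample_configs DIR: constructed weak and hardened configs, side by side.
write_sample_configs() {
    cat > "$1/sshd_config.weak" <<'EOF'
# typical loose setup of the time (constructed sample)
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Usage on a live box (assumed path): sshd_audit /etc/sshd_config
```

The commented-out `#PermitRootLogin yes` in the weak sample is the trap worth noticing: a line that is commented out does not turn the setting off, it just leaves the daemon's default in charge, which is why the audit reports the directive as missing rather than staying quiet.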
Posted by: Adam at October 23, 2004 10:49 AM
AC I think he means most dangerous of all because they click but believe they are immune. Windows users know they are targets...
Posted by: Monite at October 23, 2004 05:32 PM
Yes, there is complacency in Mac users about safe computing, and thank you for not saying the sky is falling and for putting it into perspective. But do you expect it to be taken seriously when there are so few issues? Besides, people don't run backups regularly until they lose data the first time; I am sure it is the same.
There is more Apple could do to educate their users. Phishing is not a technology problem but Microsoft still has information available on their website that is easy to find. But if their users don't care is this Apple's job?
For the man you linked, he is obviously not very stable to begin with and I say this as a Kerry supporter and is not a good representative for the cult. :)
Posted by: Alex at October 23, 2004 06:25 PM
Damn drunk I can't believe you did that. I know this guy! His name is Charles Martin or _Chas_ and YES he is a zealot. You are being a little harsh, he does give a lot of help to users. He is helpful on many Macintosh mailing lists, but he usually wears out his welcome with flaming because of how he is.
Posted by: Octopussea at October 24, 2004 12:10 PM
Using a Mac just lowers your risk of having malware problems to statistically low levels, like cars and motorcycles. As far as risk Windows is like a motorcycle. If you have the proper training and equipment your risk of being killed is low but still higher than if you are in a car. If you put any fool on a motorcycle their risk of being killed skyrockets.
If you put any fool in a car (My Mac!) their risk of injury is still statistically much lower than a motorcycle but still real. With proper training and caution your statistical risk becomes insanely low. But still wear your seat belt!
Posted by: Mindflayer at October 27, 2004 12:12 AM
It's like safe sex - you have to use your brain and use protection. Ditto using a computer, of any OS.
The idea that Debian, or Linux, or FreeBSD, or OpenBSD, or UberOS is safer since it's open source is insanity. I don't know how many Linux boxes I have seen with root kits installed.
Posted by: Tania Olson at October 30, 2004 11:24 AM
"Yes, it's pretty much real, as there are already forms of malware on Mac OS X, and have been in what constitutes the fairly feeble Mac underground for quite awhile."
I found this while looking around that forum where the script was written. I am now officially very afraid of the "feeble" Mac Underground... WOW. I also just signed up. :)
Posted by: cDc Member at November 5, 2004 08:58 AM
A Mac user that actually acknowledges the existence and proliferation of malware on the Mac. Impressive. I myself am not particularly fond of Macs, though this is mainly due to hardware limitations. Mac OS X is more or less a Unix overlay. Kudos to Apple for this. Though I won't be moving away from Slackware at home for some time. Again, nice blog. I might actually be tempted to return.
DB, I laughed out loud when I read that part, but surely there must be a more politically correct way to say the same thing?!?! You have good points I would like to be able to forward and link to this... Leave the iMac G5 link in though, that was great. :-) Please consider changing some of the language?
MM