On Nov 1, 2007, at 2:11 PM, Roland Dobbins wrote:

>
> On Nov 2, 2007, at 1:45 AM, Dave Schroeder wrote:
>
>> But it's a Trojan, which requires user interaction, downloading
>> something manually, and expressly granting it administrative
>> privileges to your machine.
>
> This brings up an interesting point - how many Mac users go to the
> trouble of setting up a nonprivileged account and then do their
> normal work under that? I don't know, but my guess is that it's a
> pretty low percentage, especially as, at least with Tiger, one runs
> into some issues such as borked /Applications perms/ownership which
> require a *NIX background to even understand, much less remedy.

Even if users did set up a non-admin account, they'd still be prompted
for admin access just the same...there is no distinction in this
trojan's behavior, or the results, whether it's run under and admin or
non-admin account. If they're prompted for admin access and give it,
the game is over.

> How many Mac users have been faced with a seemingly-random request
> to grant a non-obvious background app/utility Keychain access, not
> to mention commonly-used apps asking for it without an easily-
> discerned reason? And in such situation, what do they typically
> tend to do (I've my own opinion about this, but clue welcomed).

I think the answer is the same for Mac users as it is for Windows, as
majority desktop platform: they'll grant the request. And if it's
something that will cause the system harm, the damage is done (or has
just begun). The point is that the really interesting, damaging, and
massive problems in recent memory have been exploits that have spread
in an automated fashion with little or no user interaction.

Trojans that require manual interaction and expressly granting them
root-equivalent privileges and which aren't taking advantage of any
bug/vulnerability/etc. in the OS, no matter how nifty or crafty they
might be, are really completely uninteresting to me, on Mac OS X or
any other platform. I don't care if it's "targeting" Mac OS X: this is
nothing new! Why do people act like it's the first time every time we
encounter the next piece of Mac OS X malware, with sensationalist
proclamations that "skilled" "hackers" are "targeting" Mac OS X? So
what? They've been "targeting" it for years. Or are they targeting it
"more" now?

The problem isn't the discussion that happens on lists like this. The
problem is that a relatively low-impact, low-danger, manifestly boring
and uninteresting "trojan" will now be covered as if the sky is
falling on the Mac platform far and wide in the press, including some
mainstream press (watch: I wouldn't be surprised if the likes of AP or
CNN picked this up DAYS later). And then, millions of more people are
casually exposed to news that they can't parse the nuance of, and are
left with the impression that Mac OS X is "insecure".

I'm not quite sure what purpose that serves...the coverage of Mac OS X
malware is still largely sensationalistic, and not much more.

- Dave0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?>0?ô0?] 
DM0
 *?H?÷


0S10 UUS10U
Equifax Secure Inc.1&0$UEquifax Secure eBusiness CA-10
050829160720Z
150829160720Z0?10 UUS1+0)U
"Division of Information Technology1#0!UFaculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0?0
 *?H?÷



0?èHQÜ%wË ktëùNßM}V?ïȶÂ#¹.³S*?¥I|R±%ö3?~?cëG:!+·Ä? ÇL$ò­©«
8)?¿.Æ01qL|?I?¿Öm²\×[¼'¯íG̪»´V ?ëùçe><|¯÷?°
æp;?Ã??

£?0?0U

ÿ
?0U?RRbG,k,
¸iñ©7,#$0U
#0?Jx2RÛY6^ßÁ6@jG|L¡0U

ÿ0

ÿ09U2000. , *?(http://cr
l.geotrust.com/crls/ebizca1.crl0
 *?H?÷


%ñDX3wç֍ת· ?7kæÞßµ±z°c_?+åLÓPpGOsÉ>ف¬ÐDÓ±Ü-++?ü}£Z??d£Áù'öTï¡*)ÿw~G²?¨ø
Oµö¬U~ºbSJh,óN¨GTaßs\ÇDØéR#êeb¨Åg0?B0?« 
?0
 *?H?÷


0?10 UUS1+0)U
"Division of Information Technology1#0!UFaculty - Staff - Students1(0&UUniversity of Wisconsin-Madison0
070724175606Z
080920175606Z0Ð10 UUS10U Wisconsin10UMadison1(0&U
University of Wisconsin-Madison1#0!UFaculty - Staff - Students10UToken -10UDavid Schroeder1 0 *?H?÷


das (at) doit.wisc (dot) edu0 [email concealed]?0
 *?H?÷



0????èöÆ?³G¡J[¨×
Qò?sJ?'Uî.øë
ÂC«ÓmÂ?5(¢?äðÛ¢1?Hµ8iä¬C°«é£ Ê¢4ÝsR|F?Sû?©¶2±ï?Æ?´zó?¬ÿPïí?ð?ÖÜ5àò?ݐ?ÕÍnæ?y
>ªÛ% ?ä¹

£p0n0U

ÿà0;U40200 . ,?*http://crl.geotrust.com/cr
ls/wisconsin.crl0U#0??RRbG,k,
¸iñ©7,#$0
 *?H?÷


ß¢úx IíN®?tý¼¬Åƪ¡q?Þ¦`,]H?)u?Há?tm³°é¥¾0ñÊOV6¾Ô?
&@v?@¯IÿßO=?~ÿuC"i?Â?N??0ÔÉ® G¥ªÙ»rs5ì#¯P?ÑËpÍX¯âô³©ÖÙ?Ðz?YuVC?ö?1?â0?Þ

00?10 UUS1+0)U
"Division of Information Technology1#0!UFaculty - Staff - Students1(0&UUniversity of Wisconsin-Madison?0 + ?
§0 *?H?÷

1 *?H?÷


0 *?H?÷

1
071101192248Z0# *?H?÷

18æi¶ê& m@Cò
ý2Î"îbwÖ0¡ +

?71?00?10 UUS1+0)U
"Division of Information Technology1#0!UFaculty - Staff - Students1(0&UUniversity of Wisconsin-Madison?0£*?H?÷

1? 0?10 UUS1+0)U
"Division of Information Technology1#0!UFaculty - Staff - Students1(0&UUniversity of Wisconsin-Madison?0
 *?H?÷



?tÉÅïý¯ä#? æ1Êy
lßÒçµWÑ?©è]tì¶9î?¾ce³?\DÂ4Õ|N1Ý¥K¿yã¶<£Ò¿&¯h·ÊòúFt./pB<Ê!3¶H?c>×W'P

°;&%u@"¯Óº¾È?;¥¼Båè_)drQ?e&v^
¦áD±

[ reply ]