Considering the length of my reply to this post I decided to make this a thread of its own rather than a lengthy reply...

------
One thing people need to remember tho is that the system - any system regardless if it's OS X, Linux, Unix etc - is only as strong as the weakest link. And the weakest link is always the user. Why? Lemme give you a practical example:

I once wrote a thesis concerning computer and data security. During the research I created a small experiment for one of my study groups, the group consisted of computer experts skilled in OS X, Windows and UNIX systems. The members were not aware of this experiment but the results were disclosed to them once it was over. The secrecy was needed to make the experiment as authentic as possible. After the experiment I would interview each member and ask them about what they did on their systems, why the did it and how they solved any potential issues.

Each member of this group had their own system, pre-configured by themselves and they ran whatever software they needed for their work. Some ran Windows (NT 4.0 and 2000 at the time), some ran Linux and one member ran OS X which was brand new at the time. Windows had its usual assortment of security tools, Linux as always relied on its root user authentication for critical system changes and no security software since it was deemed uneeded for such safe system as Linux. OS X relied on its occasional administrative password prompt. Only Windows ran a dedicated antivirus software. All of us connected to a shared intranet with various file repositories needed for our work.

My experiment consisted simply of modifying some of the repository files with some custom code. I infected the Windows tools with a custom written trojan that would popup a message on the screen as well as alther the path variable to include the tool. With the Linux files I simply replaced it with a custom application that would silently write messages to the log and console. The app itself was padded to the same file size as the original, as well as rights, time stamps etc duplicated in case the member paid extra attention. The OS X app was a combination of the Windows and Linux tool, writing messages to logs and console but at the same time make the clock go extra fast (every second I would push the computer clock forward a minute). The same kind of size padding and stamp adjustments were made to the OS X tool as well. All three tools were coded to intercept any keyboard shortcuts for shutting down the tool and block it.

One night I replaced the original files with my prepared ones and waited the next day for the result.

So what happened?

Windows: The antivirus tool popped up with a warning that the file could be infected. The user simply ignored the message thinking that the file was still OK, after all he has used this particular application before. So it was probably a false positive. Shortly after messages started to pop up on the screen and the more he pressed ALT-F4 the more messages popped up. He finally managed to kill the app through the task manager but not without having half the screen filled with messages.

Linux: He ran the tool and per usual it asked for his root password to allow installation. After all Linux is a safe OS and always asks for authentication before you can install anything. He gladly entered his root password without giving it any second thought and waited for the tool to popup. But it never did since the tool had been replaced by my own creation. He ran it again, entered the root password again and waited. Nothing. He checked his running processes and noticed that it was running so he killed the process and tried to run it once again. At last he looked up the repository again, checked the filename, access rights etc and started to fiddle with the security settings for the application. At the end he asked one of us if we had tried the tool since he couldn't get it started, after all it had worked the day before and all of us used it. By this time I had admitted to him that he was part of an experiment and that I had replaced the files with modified ones. I also told him to check his logs and console output, something he had not paid any attention to before I told him.

OS X: Much like in the Linux case he ran the tool, entered his admin password and waited. He repeated this two or three times before giving up. He never asked anyone for help and I only found out he had run the tool when I asked him later if he had tried it. He didn't even pay any attention to why it wasn't running.

So, what happened on each system by the end of the day and what result would it have give if it were a real malware?

On NT it would have probably popped up a few more antivirus warnings, and a wary user would have probably investigated why a trusted software would give off warnings like this. But the damage would have already been done since no measures were taken to prevent the execution of the software, and the antivirus works best when it can actually properly detect the malware. Since mine was custom coded it would only guess that it was bad. And as in so many cases users just click by the warnings.

Linux sure required an admin password, but the user entered it as usual, nothing new about that. He wanted to install a tool and so it required raised privs asking the user for account info that had such privs. By now the trojan could have installed itself and done whatever it wanted. A backdoor trojan for example doesn't need any further access beyond its initial one so it could have happily sent whatever secure info it wanted. At the very best the user could have run the tool in an isolated manner, running it under a separate user account, locking it out from anything else but this wouldn't be common use and it would deemed to be too much for a smallish tool. After all we're not all paranoid and need to setup separate sandbox accounts for each new app we download right?

OS X: Happened much like with the Linux system, the user didn't even notice the tool at all at the end. Again, the tool could have been run in a separate process under a separate user, but this isn't done by default. Result: infection.

Sure things have changed since then, now we got firewalls, smarter anti-malware tools, smarter operating systems and easier access to security tools, but in the end the main problem is the same as with the experiment: The User. In all three cases the user allowed the tool to run regardless of the various warnings and issues that popped up. No checks were done to see if the original files were proper, nor did anyone make a sweep of their system to see if any potential harm was done. All three could have gotten infected by potentially dangerous software that could not only endanger their own data but also breach a corporate network or shared resource pool. In the end the user trusted their own system to be "clean" and the source to be clean so they didn't pay any attention.

So what do I want to say? The problem here isn't the software, the OS or the hardware, it's the user. As long as you want to have your freedom into running whatever you want on whatever hardware you want you will always be in the risk zone for potential problems. And the more wide spread a system gets and the more "unskilled" users that use it, the more risk is involved for the system to get infected. Linux rarely gets infected today because the absolute majority of the users are professionals, needing skill to even do basic tasks with the system. It's also not as wide spread as a client system (The majority of linux systems are servers, running a limited amount of software and rarely requires new software to be installed) so the benefits of an advanced trojan are small.

With OS X it's much like with Linux but it changes fast, OS X is quickly becoming popular and to please the ever growing "unskilled" users Apple have to make a few sacrifices when it comes to security. Sure, Apple has neglected security but for the same reason as Linux, the benefits of trojans has been small since the platform has not been wide spread enough. But as I said, that's changing so the malware for this platform will be more and more common (as it's already been shown).

With Windows it could have been both easier and harder to infect it. It's easier because it doesn't have any proper "root authentication" system (which has started to change with Vista and Windows 7 but it's far from perfect, reasons explained further down) but also harder since most Windows users run some kind of malware protection today which helps in reducing the risk of infection. But it's not perfect and users need to both maintain the protection as well as pay attention to the warnings. The problem with most protections in Windows (and it's not limited to Windows only but any system with similiar protection designs) is that it cries wolf too many times. After a while the users senses are dulled and you automatically click "Allow" without thinking. It's like when your parent nag at you, after a while you say "yeah, sure, whatever" without paying attention to what's being said. So when a real trojan pops up you may just allow it to run and you will only notice issues when your system experiences side effects from the trojans. Look at any normal user today, they may have Norton or whatever installed and I bet you that they are still infected one way or another. It may be harmless or in a dormant state, but the system is still infected. And to unskilled users it's hard work to detect and fix issues, they just want the computer to run. They don't care about prevention or anything, if it breaks they send it off to a tech guy or they buy a new system.

Sadly, the only real way to make systems more secure is what Apple is doing with AppStore. Only verified software is allowed on it, and your hardware is limited in terms what you can do with it. You can only install apps from verified sources and the software has to go through a hard process to be verified. And even this fails at times since in the end, verification is made by users - the same users that blindly click "allow". People that jailbreak their iOS systems has had their issues with (so far) minor malware, and malware is a growing pain for Android users since it allows you to install software from various (and sometimes unverified) sources. And with any growing platform there are more unskilled users running more and more software.

So what can we do? Nothing probably. One good way would be to have all software signed by the developers in a way that it can't be altered, and then having the OS actively refuse to run it if the signature mismatches. Problem here is that malware creators could sign their own stuff as well. Developers could have encrypted signatures only issued from a single source, but this would severely limit the options for development as anyone wouldn't be able to code their own stuff and make others to run it. The OS could also deal with any number of checks - signatures, checksums, central databases etc but in every case it would limit the small developers.

One first step would be to force all applications to run in their own user space - i.e a sandbox. That would limit the access to the rest of the system and other running processes. Unfortunately this is also quite easy to bypass, but it would eliminate the common scriptkiddie malware. But as with everything, if you want freedom then you can't be limited.

It's just not easy to fix. But what seems to be easy for people (and I've seen it here on this board as well) is to mock a system or developer for being careless about security. It's always easy to judge when you got all the facts in your hand. It's not so easy to predict how the future would look like and then implement security features protecting you against unknown threats, something antivirus software has done for years, with clear disadvantages (false positives and the dulling of minds because of it).

You can never have a fully secure system and expect you can run whatever you want on it. It's impossible, it's simply an utopian way of thinking. It's like wanting a completely free world and then expect that everyone WILL choose peace and harmony. But someone will create chaos (explanation that he's free and thus have the right to cause it), people will demand a stop to chaos and thus, the freedom is being limited and cut down. We can only do so much to protect ourselves, but a start is to run the appropriate security software, never download data from untrusted sources, never allow any software to gain full control of the system (i.e admin/root) (this includes running the system as admin/root) and be wary of any suspicious activity on the system. Naturally the OS developers need to do their part to prevent obvious flaws, but you as the user need to take responsibility as well, you can't just sit and blame all the issues on the developers. If you want someone to dress, feed and do everything for you then you should expect that you can't do whatever you want either.

And if you got a idiot proof system that works without taking away our freedom to run our own software and at the same time keep it 100% safe then patent it and go and cash out your Nobel Prize as well. Because if you got a solution then you're sure way smarter than 20 years of highly skilled coding from many of the worlds leading experts of computing.

A least on OS X:

1. Go to System Preferences, Users and Groups, and remove the malware from startup.
2. Reboot.
3. Voila, the virus is removed! You can also use Spotlight optionally, to find where it is.

On Windows there are more than 1 way to startup programs: Scheduled Tasks, Registry, Autorun folder, so it makes it harder to remove.

I think the same in Linux. Because there is no such thing in OS X as to be loginned to a a root user, and if there's a startup, it's a regular user one.

I really hope Pwned that you'd don't believe that will solve all OS X infections. Just look at the current "popular" one doing the rounds - flashback. That certainly won't show in startup items.

Really enjoyed reading that post Mr P. Nice read and perfectly proves what security experts know all along - most problems start with the user.

Flashback utilized the vulnerabilities in Java and MS Office. So that's an exploit. Just update your system frequently and everything will be OK.

My friend across the road is evidence of this. I remove viruses every so often from his computer ranging from ransomware to rogue AVs. At least he tips me a decent amount for it.
There's nothing new with people saying the weakest link is the user, it's always been true since computers were invented (except for when moths flew in and caused a machine bug )

Very good post, i too enjoyed the read. Flashback has definitely been a game changer for Apple - they have never had to deal with an outbreak of this magnitude before, and clearly were not equipped to respond quickly (a place Microsoft were nearly 10 years ago), but i imagine their responses will improve.

At least the patches for Java at least may improve, as Apple is moving away from maintaining Java updates themselves.

As Biohead stated, most problems start with the user, and managing the risk the user poses is the million dollar question.

Except Apple took how long to issue a fix?

And they didn't have to do anything besides push the fix that Oracle had already produced.


The user will always be the weakest point in any remotely secure system. The problem with Apple at the moment is their patching record is poor, so often malware can simply bypass the user anyway. It's an attitude thing quite frankly. Over the past 10 years, security has moved from being something they issued a patch for after the fact to being a regular part of every process that goes on at Microsoft - even outside of development. You'll read reports fairly often of MS Legal helping law enforcement to track down and disable botnets for example. Apple currently seem to have the attitude that security is something that happens to other people. The only security they prioritise is where it affects their walled gardens.

Also, Apple need to recognise that the user is ultimately the weak link. Microsoft does, and despite getting some crap for being a little overzealous with their efforts sometimes, they do make an effort to protect and educate the user. Look at Smartscreen in Windows 8. It's been painted as deliberately alarming the user, but its no doubt going to help secure against known malware. The integration of MSE will also help there.

Actually, Apple integrated some sort of security (not a full Antivirus Suite though), to not allow running apps that are recognized as a virus. Also, I think it's Sun's fault to make the Java so buggy and open to exploits, because Flashback works on all 3 major Operating Systems, not just OS X.

Regardless of the fact that it's not itself a vulnerability in OS X, it's proves how easy it is for it, or any other system, to fall.
I've got to say the advances in security from XP to 7 are phenomenal - but that by no means make windows an infallible system either. All MS, Apple etc can do is ensure their core OS is as secure as possible, then react to exploits from other software as quickly as possible. As Hounsell said, Apple took too long this time round - but it was their first big one and should learn from it.

Yes, that's correct. What you said and Sun should make better Java. Enough said.

Though the Java update for OS X and Linux released only a few days later (which I think is fine).

The security patch was released by Oracle on other platforms something like *6 weeks* before Apple finally got round to pushing it.

That is not acceptable. 6 weeks is a huge amount of time for a widely documented 0-day flaw to remain open.

One important thing to remember with Linux is that you usually install applications with the packagemanger, and as long as you don't install from other places the software should be safe. Getting unsafe software into the official repos is very hard, I don't think I've heard of any cases like that. But when that is said, if you download a tool from another source and then run it as root, Linux is just as safe as Windows and Mac OS when it comes to malware and trojans.

Yes, but you don't need to use the official repos either, if you have a couple of them and one get compromised then the damage is done already. It's not like you verify each package against some MD5 table to see if everything is OK.

And as with all security the user is always the weakest point. Why the need to invest in a multi billion dollar super mainframe to crack encryption when all you need is a $5 wrench and beat the password out of the user? . Fingerprints? Cut off the fingers (or just fool the sensors, it's easy enough). Pin code? Same method as the password. Iris scan? Sure, but it's expensive and uncomfortable... Kevin Mitnick himself proved that the best way to hack a system is not the Hollywood way, i.e fancy screens scrolling by and caffeine-doped teenagers burning away at the keyboards, no, it's social hacking which is the most efficient. Do your research about the company, then call some mid-level manager and fool him into thinking you're from the IT dept or something and they will more than ever share their passwords with you. And then work your way into the system... I mean, people store their passwords on post-it notes under the keyboard or even on the screen, not to mention using stupid passwords that are easy to crack.

Um, actually no: http://research.swtch.com/openssl

He said "should". In most cases, Linux is safer because the official repos are policed and Linux doesn't have enough of a market share for it to be worth coding viruses for. Never mind the variations between distros. Linux IS just as safe as Mac OS and Windows, but given how often Windows boxes can get viruses and malware, that's not really saying much.



I wonder if there's an app out there that lets you do that. It'd take a lot longer to install packages, but the added security might be worth it.

Well, if you want to be sure about the authenticity of the packages, just compile them. Usually, it's quite painful, but Slackware and Gentoo deal with it really great.

Actually, the amount of servers running Linux is far greater than that of desktops running Linux. If you could figure out how to infect a Linux server without any user interaction then you could take down thousands if not millions of websites.

For what concerns PC (and average user) security these are the facts, with trustable sources [*] for software being the only way to achieve real protection.
Something I really regret about Linux (and other unix systems) is that by default they ask for root authentication even for some trivial tasks, so users end up not caring anymore about giving their root password...
Ok, this is acceptable for power users and sysadmins, but I think it's too much power and responsibility on average users' hands.
Linux on the desktop would benefit from some more flexible security policy.

And actually,when it comes to web servers, number of Linux systems is also greater than Windows ones.
I think the "Linux ain't no interesting target for viruses" thing is just a myth too.

[*]: Hey, from mrpijey's post seems that AppStore is the only example of trustable source, and since the rant is also about Linux i can't stand it.
As some other users pointed out, Linux distribution repositories are safe enough, and, let me say it, they've come 15 years before AppStore.
And if you still don't trust repos, follow pkubaj's advice: compile open source application from their sources, nothing can beat that in security.
Never underestimate the power of security through trasparency.

Just because you have the source doesn't mean it's not malicious. What are the chances that you'll see some random subroutine that has been slipped into some random dependency that was required and grabbed as an extra? What are the chances that you'll actually look over every line of code to make sure they're not doing anything bad?
Compiling it on your own machine is no more secure than downloading a pre-compiled binary if the exploit is in the source. I've seen it before where a tool is released online with the source to go with it, and the first revision has a few extra lines that allow the writer to "track" where it's gone. The moment someone realizes that the code has tracking in it, it's probably too late because plenty of people have already downloaded and installed it thinking it was safe.

The only safe way to be sure that there are no trojans or viruses hiding, is to write every line of code yourself.

Yeah right, and that's someway "funny".
But in order to avoid any misunderstanding, I never meant to say open source is the ultimate in security (which can't be achieved actually using a computer).
I just said "nothing can beat source code security", which means you can't get any better result with feasible alternatives (and yes, writing all software by yourself isn't one of them).

I think it would be good to clarify some other points too.
I don't expect users to check the code by themself, but instead I say that popular software projects are subject to peer review processes, so if the application I'm going to install is malicious someone should have noticed it before by analysing its code.
For what concerns dependencies, go recursive: if dependencies are open source, you're still "safe".
I also say "never underestimate the power of security through trasparency", but I think it's also important to not overstimate it.
I'm just confident that open source can be a winning model for desktop applications security.

Yes, I remember the UnrealIRCd exploit.

But you usually do. Most major Linux versions today ship way more software in the repos than you actually need, like Ubuntu and Debian. For example, on my school laptop running Ubuntu I don't think I have added any un-official repos yet, maybe I have to Spotify repo, but that should be considered safe. On my Debian server I have only added some un-official repos for getting newer versions of Mono than the verion that Debian is shipping, but that is kind of unusual. My point is that a normal "stupid" user wouldn't add any unoffical repos. But still, somebody might trick the user to download a piece and software and run it (On Ubuntu you have to explicit set the executeable permissions to all executables downloaded from the web, so it is still kind of hard), as root, so you are still kind of right.

I still don't think that we will see any widely spread virus or maleware on Linux for these, and other reasons I haven't mentioned.

I wish i could share that post to Facebook, ive got some newbs on there who should learn about security