How can I detect a keylogger on MY system?


mac_attck
01-27-2007, 10:55 AM
I was wondering if anyone knew of any software (freeware would be super) that I could run to see if a Spector type program or similar is installed on my computer? It is not a work computer, it is my own personal system.
I am using a Powerbook G4, OSX
Thank you :)

benwiggy
01-27-2007, 12:05 PM
Well, I'd just have a look at Activity Monitor and see if there are any suspect processes. This is in Applications/Utilities.
As it's your own machine, what makes you think it's been compromised?

If you suspect that the security of your computer has been jeopardised, you should do a clean system install and then make sure that you have to log in with a password to use the machine. Make sure the Firewall is turned on and sharing is turned off.
You can also put a password on the screen saver, so that the machine is secure when you walk away from it for a cup of tea.

cwtnospam
01-27-2007, 12:18 PM
If you suspect that the security of your computer has been jeopardised, you should do a clean system install...
If you are a recent switcher and don't have strong evidence that your Mac has been compromised, I suggest you hold off on reinstalling. Nothing is 100% secure, but the Mac OS is much more secure than that other OS. It isn't likely that you've got a key logger you don't know about on your own system.

Post the evidence you have here, and somebody will be able to tell you if your system is owned. A screenshot of your activity monitor would be a good start.

benwiggy
01-27-2007, 12:43 PM
Yes, I may have come over a bit gung-ho. I've been reading this:

http://www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1

which is good advice for securing your Mac from the folks at the NSA!
Mind you, it's for Panther, so needs updating.

theHyperOne
01-27-2007, 01:15 PM
I would assume that since you chose the name mac_attck, you're probably not a new convert. I'd also wonder what prompts you to think you could be keylogged. Simple paranoia? Conspiracy theorist? (intent is curiosity, not insult)

FYI, I recently had an extended family member who lived with me who wasn't particularly trustworthy. I did give him an account on one of my Macs, with the understanding he wouldn't visit the internet's "dark side." Browser history can be cleared and IMs are not logged, so I was looking for a keylogging program for OS X so I could check up on him. I thought this should not be difficult as quite a few of these types of programs started life on UNIX.

As it turns out, the methodology Apple uses to capture keystrokes in their GUI is fundamentally different from the way every other UNIX does it. UNIX keyloggers will not function in OS X's GUI. You could set up a program that does this function for shell (Terminal) sessions, but not in standard OS X programs. At least, this is what I was told by the UNIX/OSX technical community.

If anyone has more information, post away!

cwtnospam
01-27-2007, 01:47 PM
There is at least one key logger, but you need to have access to the machine, and it doesn't hide as easily as on Windows. It shows up in Activity Monitor, and in your login items. See this thread (http://forums.macosxhints.com/showthread.php?t=66450).

ArcticStones
01-27-2007, 02:14 PM
http://www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1

which is good advice for securing your Mac from the folks at the NSA!
Mind you, it's for Panther, so needs updating.
Thanks for bringing this to my attention. I was not aware that the National Security Agency provided this public service. It does, however, make great sense. :)

mac_attck
01-28-2007, 08:31 AM
My boyfriend borrowed my computer...I have no idea why since he has 2 new ones. He spent the day putting virtual pc on his computers...why he needed mine I have no idea.
If I go to Activity Monitor what exactly am I looking for? I just recently made the switch to Mac.
I decided to run the trial version of mac scan, but it just found some adware and isolated it

roncross@cox.net
01-28-2007, 10:14 AM
Did you ask him why he needed to borrow it? Maybe he did something to it that you are not aware of. Did you give him an administrative account? If so, anything goes.

cwtnospam
01-28-2007, 10:26 AM
If I go to Activity Monitor what exactly am I looking for? I just recently made the switch to Mac.
...I decided to run the trial version of mac scan, but it just found some adware and isolated it
Since there's more than one key logger, it's probably best to post a screen shot of your Activity monitor (Shift-Apple-4, then hit space bar and the cursor will be a camera. Click any open window and it will put a file (picture 1) on your desktop) that you can post so we can see if there's anything funky.

Adware on a Mac? Most likely they're just cookies.

roncross@cox.net
01-28-2007, 01:12 PM
If there is a key logger, can she use little snitch to see if it is trying to phone home?

ThreeDee
01-28-2007, 01:22 PM
Perhaps. Little Snitch cannot detect servers responding to a client request, like CarbonKeys. I actually downloaded MacScan. Detected CarbonKeys, SNET Spy (not really spyware, just a remote screen viewer), and OSXVNC. No cookies.

Any reason why he would be spying on you?

benwiggy
01-29-2007, 02:05 PM
My boyfriend borrowed my computer...I have no idea why since he has 2 new ones. He spent the day putting virtual pc on his computers...why he needed mine I have no idea.


Ah. I see the problem. You need to upgrade your boyfriend. :D (Only joking)

You can post the results of Activity Monitor here, and someone will spot anything untoward. Or any of the software probes mentioned here will help.

Or you could ask him what he did....

roncross@cox.net
01-29-2007, 02:39 PM
For security concerns, it is never wise to give your computer to someone you do not trust. The fact that the thread is here shows the lack of trust to the person you let borrow your computer.

If you must lend your computer to someone, it is best not to give them an admin account and put your own account under some kind of security protection such as file vault. It is also wise to ask the person what they will be doing to your computer.

If for some reason, there is objectionable material or malware, etc... you will be held responsible because it is your machine.

Annham
03-17-2008, 11:51 PM
Hi, can someone look at a capture of my activity monitor? I am concerned I am being spied upon. Which screen should I post?

cwtnospam
03-18-2008, 08:34 AM
Take a screen shot with "All Processes" showing and sorted so that the most active are at the top. A key logger is likely to appear near the top, especially if you don't have any busy programs opened.

Mailman42
03-18-2008, 09:17 AM
A screen shot may not show everything.

IMHO, get Activity Monitor (A.M.) running, along with TextEdit.

Set A.M. to "view all" processes. Highlight ALL (command - a), then copy (command-c) to copy.

Switch to TextEdit, and paste (command-v) the results.

You can then paste into here for us to view the results.

You should see "you"/your account running a number of processes, along with root, daemon, and a few others.

We can then compare yours to ours.

If you are so worried about someone "watching" you, why not re-install (after archiving what you need)?

Mikey-San
03-18-2008, 09:46 AM
Running this command in Terminal is simple and more informative:

ps axww

This will give you more than simply the names of processes.

Mailman42
03-18-2008, 09:57 AM
I had thought about that, but (always one of those) most people (Windows & OS X folk) appear not to be comfortable with the shell, which is why I gave all GUI items to use.

Mikey-San
03-18-2008, 10:06 AM
Well, if you want to look for a keylogger, you want to know the launch paths of the processes. Getting this far means you're going to be staring at a Terminal window.
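
An added example, not part of the original thread: a shell helper that takes `ps axww` output, as suggested above, and labels each process by its launch path so that entries outside the usual system and application directories stand out for a human to review. The prefix list, the function names and the sample process list are assumptions constructed for illustration; as hayne points out later in the thread, a process list on its own cannot show that a machine is clean.

```shell
#!/bin/sh
# Triage `ps axww` output by launch path (added example).
# On the Mac itself:  ps axww | triage_ps

# Reads `ps axww` output on stdin, prints "<verdict> TAB <pid> TAB <command>".
# Verdicts: system, app, REVIEW. The prefixes below are an assumed
# starting point, not an authoritative list of trustworthy locations.
triage_ps() {
    awk '
    $1 == "PID" { next }                 # skip the header row
    NF < 5      { next }                 # skip blank or truncated lines
    {
        pid   = $1
        first = $5                       # first token of the COMMAND column
        cmd   = $0                       # strip PID, TT, STAT and TIME
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)

        if (first !~ /^\// || first ~ /\/\./) {
            verdict = "REVIEW"           # no absolute path shown, or a hidden component
        } else if (cmd ~ /^\/(System|usr|sbin|bin)\//) {
            verdict = "system"
        } else if (cmd ~ /^\/Applications\//) {
            verdict = "app"
        } else {
            verdict = "REVIEW"           # home directory, /tmp, /Library, ...
        }
        printf "%s\t%s\t%s\n", verdict, pid, cmd
    }'
}

# Space-separated PIDs of the entries marked REVIEW.
review_pids() {
    triage_ps | awk -F'\t' '$1 == "REVIEW" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Constructed sample in the `ps axww` column layout; the last three
# entries are hypothetical and exist only to exercise the REVIEW branch.
sample_ps() {
cat <<'EOF'
  PID   TT  STAT      TIME COMMAND
    1   ??  Ss     0:02.10 /sbin/launchd
   29   ??  Ss     0:00.41 /usr/libexec/hidd
  159   ??  S      0:11.07 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder -psn_0_53261
  185   ??  S      3:40.12 /Applications/Firefox.app/Contents/MacOS/firefox-bin -psn_0_90134
  402   ??  S      0:00.93 /Users/alice/Library/.cache/inputhelper
  417   ??  S      0:00.12 /private/tmp/updater --quiet
  450 s000  S      0:00.03 -bash
EOF
}

sample_ps | triage_ps
```

REVIEW means only that the launch path deserves a second look; login shells and legitimate third-party helpers will land there too.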

butterthief
01-26-2009, 02:12 PM
i am pretty sure some one (former roommate who kept a copy of the apartment key...) has broken in to my apt, put a keylogger/backdoor/something on my macbook and then stole my mac software so i can't just 'wipe & go'...i did the textedit copies of 'activity monitor' and 'terminal: ps axww' suggested earlier in this thread. i don't know how/where to attach these, tho.

i am not sure what all this means, but i do know that now the option to require a password to wake from sleep/boot is not greyed out and can be unchecked at will even if the lock is closed on my security preferences and there is a 'details' and a 'drop arrow' on the password entry screen that leads to options other than entering a password or canceling...does anyone have any suggestions as to my options to secure my machine and, preferably, find out where any hijacked data is going?

mac specs:
macBook2,1
2.16 GHz Intel Core 2 Duo
1 GB 667 MHz DDR2 SDRAM

thanks for your help. your assistance is greatly appreciated!

trevor
01-27-2009, 12:36 PM
If you have evidence that someone had physical access to your computer and compromised it, then nothing that the computer tells you can be trusted. The only way to know for sure that your computer is clean is to

1. Backup any important data files that you want to keep onto an external hard drive. Do not back up any program files.

2. Erase your entire hard drive and install a fresh copy of OS X on it from your OS X Install disc. Then install your applications from their original media, NOT from any backup.

3. Finally, restore the data files from your backup.

This will result in a known-clean computer. Anything less will not.

Trevor

roncross@cox.net
01-27-2009, 08:51 PM
1. Backup any important data files that you want to keep onto an external hard drive. Do not back up any program files.




Can data files be executable in disguise? Even if they aren't, couldn't they be compromised, altered, etc.?

jmh324
07-24-2009, 09:03 PM
Hi, I've been searching all over the internet, trying to find info on how to detect keylogger software like NetNanny or something. I suspect my boyfriend has put something on my computer but I have no proof. I have a macbook and have searched but no luck. If I paste my activity monitor info can someone take a look and see if they see anything suspicious? Also, would NetNanny be visible anywhere else? Here is my activity monitor info. Any help you can provide would be greatly appreciated. I thought about bringing it to the Genius Bar at Apple but not sure if they would be able to tell me anything. If there is something I need to get it off my computer- I am furious at this possible invasion of privacy, and there will be consequences for him if I find something.

899 Activity Monitor 1.9 5 12.11 MB 972.64 MB Intel
145 AirPort Base Station Agent 0.0 2 3.05 MB 908.71 MB Intel
217 AppleSpell.service 0.0 1 5.07 MB 601.73 MB Intel
171 Archive Assistant Scheduler 0.0 2 11.23 MB 914.37 MB PowerPC
155 ATSServer 0.0 2 7.33 MB 642.52 MB Intel
40 autofsd root 0.0 1 664.00 KB 585.62 MB Intel
55 blued root 0.0 1 2.32 MB 596.92 MB Intel
37 configd root 0.0 3 2.32 MB 587.20 MB Intel
157 coreaudiod root 0.0 2 2.54 MB 589.33 MB Intel
45 coreservicesd root 0.0 4 15.60 MB 611.54 MB Intel
15 cron root 0.0 1 632.00 KB 586.69 MB Intel
397 DashboardClient 0.0 4 13.68 MB 921.41 MB Intel
396 DashboardClient 0.0 10 21.05 MB 960.16 MB Intel
398 DashboardClient 0.0 4 9.41 MB 917.01 MB Intel
695 Database Daemon 0.1 3 16.23 MB 1,007.81 MB PowerPC
35 DirectoryService root 0.0 5 3.53 MB 588.82 MB Intel
34 diskarbitrationd root 0.0 1 1,012.00 KB 585.69 MB Intel
42 distnoted daemon 0.0 1 788.00 KB 585.59 MB Intel
156 Dock 0.0 2 14.26 MB 925.84 MB Intel
32 dynamic_pager root 0.0 1 696.00 KB 585.61 MB Intel
159 Finder 0.0 7 16.25 MB 942.94 MB Intel
185 Firefox 45.0 22 201.29 MB 1.38 GB Intel
30 fseventsd root 0.0 12 1.37 MB 592.66 MB Intel
29 hidd root 0.0 2 592.00 KB 586.12 MB Intel
168 HP Communications 0.1 5 16.32 MB 960.65 MB PowerPC
165 HP Event Handler 0.0 3 3.21 MB 859.62 MB Intel
96 hpusbmond root 0.0 1 780.00 KB 586.78 MB Intel
176 iChatAgent 0.0 2 2.95 MB 854.53 MB Intel
170 iTunes Helper 0.0 2 2.45 MB 858.67 MB Intel
0 kernel_task root 1.8 55 79.00 MB 1.09 GB Intel
27 KernelEventAgent root 0.0 2 648.00 KB 585.68 MB Intel
10 kextd root 0.0 2 1.30 MB 586.19 MB Intel
1 launchd root 0.0 3 552.00 KB 586.74 MB Intel
70 launchd 0.0 3 540.00 KB 585.74 MB Intel
213 launchd _securityagent 0.0 3 452.00 KB 585.74 MB Intel
51 launchd _mdnsresponder 0.0 3 456.00 KB 585.74 MB Intel
92 llipd root 0.0 1 208.00 KB 585.59 MB Intel
26 loginwindow 0.0 3 6.86 MB 920.62 MB Intel
172 MacallyMouseHelper 0.0 2 9.86 MB 910.21 MB PowerPC
174 MagicMenu 0.0 1 5.22 MB 915.40 MB Intel
177 Mail 0.0 13 48.24 MB 1,001.34 MB Intel
25 mDNSResponder _mdnsresponder 0.0 2 2.41 MB 588.02 MB Intel
24 mds root 0.3 16 58.98 MB 810.20 MB Intel
846 mdworker 0.1 4 8.36 MB 608.55 MB Intel
63 nmnetmgrd root 0.0 4 1.68 MB 590.82 MB Intel
11 notifyd root 0.0 2 468.00 KB 586.17 MB Intel
13 ntpd root 0.0 1 860.00 KB 586.12 MB Intel
154 pboard 0.0 1 580.00 KB 586.63 MB Intel
180 pipedaemon 0.0 1 2.00 MB 642.04 MB PowerPC
900 pmTool root 1.2 1 1.31 MB 595.69 MB Intel
694 PowerPoint 0.4 9 97.97 MB 1.34 GB PowerPC
323 Preview 0.0 6 36.41 MB 973.44 MB Intel
126 pvsnatd root 0.0 3 528.00 KB 588.73 MB Intel
22 securityd root 0.0 2 1.92 MB 587.35 MB Intel
41 socketfilterfw root 0.0 3 1.54 MB 585.93 MB Intel
149 Spotlight 0.0 6 12.32 MB 1,023.21 MB Intel
20 syslogd root 0.0 4 488.00 KB 587.24 MB Intel
188 System Events 0.0 1 4.44 MB 879.98 MB Intel
18 SystemStarter root 0.0 1 680.00 KB 585.61 MB Intel
158 SystemUIServer 0.2 11 13.50 MB 936.00 MB Intel
216 TextEdit 0.0 8 12.25 MB 934.89 MB Intel
17 update root 0.0 1 280.00 KB 585.57 MB Intel
16 usbmuxd _usbmuxd 0.0 2 936.00 KB 587.46 MB Intel
150 UserEventAgent 0.0 3 2.80 MB 600.57 MB Intel
56 WindowServer _windowserver 1.0 5 38.62 MB 942.05 MB Intel

anika123
07-25-2009, 08:06 AM
I do not see anything unusual in your activity monitor. You mention netnanny, do you suspect someone is monitoring what sites you visit? This can be done through osx preference pane "parent controls".

josephine
08-14-2009, 07:18 AM
Can anyone help... I have a copy of my monitor activity here below. I have restored the whole mac but I'm not sure whether the keylogger has gone. There was a keylogger because my ex commented on some things that the only way he could know was by seeing what I was doing on the computer.

Any help would be appreciated.

http://i197.photobucket.com/albums/aa169/josephine110776/monitoractivityaugust2009.jpg

josephine
08-14-2009, 12:06 PM
Can anyone see if something is wrong here? I had a keylogger and I restored the mac. But I'm not sure if it is still there.

Any help would be great....

331 Activity Monitor shevawnfletcher 1.6 5 17.14 MB 969.14 MB Intel
155 AirPort Base Station Agent shevawnfletcher 0.0 2 5.25 MB 2.86 GB Intel (64 bit)
196 Alerts Daemon shevawnfletcher 0.0 3 7.27 MB 902.33 MB Intel
290 AppleSpell.service shevawnfletcher 0.0 1 4.07 MB 601.73 MB Intel
166 ATSServer shevawnfletcher 0.0 2 7.71 MB 636.86 MB Intel
968 authorizationhos root 0.0 1 1.51 MB 596.64 MB Intel
39 autofsd root 0.0 1 672.00 KB 585.62 MB Intel
82 blued root 0.0 2 2.01 MB 597.00 MB Intel
36 configd root 0.0 4 1.94 MB 587.71 MB Intel
164 coreaudiod root 0.0 2 2.21 MB 588.75 MB Intel
45 coreservicesd root 0.0 4 14.66 MB 607.09 MB Intel
716 DashboardClient shevawnfletcher 0.0 4 21.54 MB 920.53 MB Intel
34 DirectoryService root 0.0 5 3.42 MB 588.82 MB Intel
33 diskarbitrationd root 0.0 1 996.00 KB 585.69 MB Intel
42 distnoted daemon 0.0 1 804.00 KB 585.59 MB Intel
165 Dock shevawnfletcher 0.0 2 10.70 MB 893.66 MB Intel
31 dynamic_pager root 0.0 1 704.00 KB 17.52 MB Intel
168 Finder shevawnfletcher 0.0 6 15.52 MB 931.73 MB Intel
280 Firefox shevawnfletcher 0.5 19 173.13 MB 1.09 GB Intel
29 fseventsd root 0.0 13 1.43 MB 593.16 MB Intel
28 hidd root 0.0 2 604.00 KB 586.12 MB Intel
0 kernel_task root 0.5 54 188.71 MB 960.74 MB Intel
26 KernelEventAgent root 0.0 2 652.00 KB 585.68 MB Intel
10 kextd root 0.0 2 6.68 MB 591.52 MB Intel
190 KeyboardViewerServer shevawnfletcher 0.5 1 6.10 MB 909.73 MB Intel
1 launchd root 0.0 3 556.00 KB 586.74 MB Intel
151 launchd shevawnfletcher 0.0 3 536.00 KB 585.74 MB Intel
25 loginwindow shevawnfletcher 0.0 3 5.43 MB 866.17 MB Intel
393 Mail shevawnfletcher 0.0 12 34.46 MB 972.88 MB Intel
24 mDNSResponder _mdnsresponder 0.0 2 1.16 MB 587.49 MB Intel
23 mds root 0.0 17 32.59 MB 720.64 MB Intel
908 mdworker shevawnfletcher 0.0 3 7.36 MB 604.75 MB Intel
970 mdworker _spotlight 0.0 3 2.04 MB 598.43 MB Intel
181 Microsoft Messenger shevawnfletcher 0.5 10 29.21 MB 962.33 MB Intel
187 Microsoft Messenger Daemon shevawnfletcher 0.0 2 2.05 MB 848.58 MB Intel
11 notifyd root 0.0 2 460.00 KB 586.17 MB Intel
13 ntpd root 0.0 1 860.00 KB 586.12 MB Intel
161 pboard shevawnfletcher 0.0 1 540.00 KB 586.63 MB Intel
332 pmTool root 0.8 1 1.32 MB 595.70 MB Intel
416 Preview shevawnfletcher 0.0 12 13.91 MB 948.45 MB Intel
969 SecurityAgent _securityagent 0.0 5 6.20 MB 912.49 MB Intel
21 securityd root 0.0 3 2.14 MB 588.09 MB Intel
40 socketfilterfw root 0.0 3 1.57 MB 585.93 MB Intel
159 Spotlight shevawnfletcher 0.0 2 4.46 MB 862.52 MB Intel
18 syslogd root 0.0 4 452.00 KB 587.24 MB Intel
167 SystemUIServer shevawnfletcher 0.0 7 8.39 MB 907.11 MB Intel
307 TextEdit shevawnfletcher 0.0 5 9.57 MB 912.37 MB Intel
16 update root 0.0 1 288.00 KB 585.57 MB Intel
14 usbmuxd _usbmuxd 0.0 2 908.00 KB 587.46 MB Intel
160 UserEventAgent shevawnfletcher 0.0 3 2.77 MB 598.74 MB Intel
94 WindowServer _windowserver 0.2 5 60.70 MB 976.91 MB Intel
284 Yahoo! Messenger shevawnfletcher 0.1 21 60.03 MB 1,009.15 MB Intel

cwtnospam
08-14-2009, 01:09 PM
How do you know you had a key logger? Did you install it yourself? Did you know that some one else had installed one, such as your employer?

trevor
08-14-2009, 01:38 PM
Can anyone help... I have a copy of my monitor activity here below. I have restored the whole mac but I'm not sure whether the keylogger has gone.

Can you tell us in more detail what you mean by "restored the whole mac"? Did you do an Archive and Install? Or an Erase and Install? Or did you do something else?

There was a keylogger because my ex commented on some things that the only way he could know was by seeing what I was doing on the computer.

While keyloggers certainly exist for the Mac, and can be installed on a Mac by someone with an administrator account, remember that a lot of "hacks", probably the majority of them, are social hacks, not technological ones. There are other ways to find stuff out, like talking to mutual friends, looking through garbage put out on the curb, calling people and pretending to be someone else, that might not come to mind right away.

Trevor

denise
08-24-2009, 07:15 AM
I know I have been but I wanna know how...can u look at my logs and tell me...

722 Activity Monitor localadmin 5.8 6 22.06 MB 419.33 MB Intel
673 Agent localadmin 0.0 5 16.86 MB 947.29 MB Intel
674 AirPort Base Station Agent localadmin 0.0 3 2.92 MB 892.34 MB Intel
683 ATSServer localadmin 0.0 2 4.63 MB 640.74 MB Intel
51 autofsd root 0.0 1 304.00 KB 585.62 MB Intel
50 blued root 0.0 2 1.39 MB 597.00 MB Intel
16 configd root 0.0 4 1.52 MB 587.71 MB Intel
208 coreaudiod root 0.0 2 1.66 MB 588.19 MB Intel
69 coreservicesd root 0.0 4 16.41 MB 608.81 MB Intel
28 cron root 0.0 1 280.00 KB 586.69 MB Intel
13 DirectoryService root 0.0 6 2.83 MB 589.36 MB Intel
46 diskarbitrationd root 0.0 1 724.00 KB 585.69 MB Intel
17 distnoted daemon 0.0 1 416.00 KB 585.59 MB Intel
684 Dock localadmin 0.0 3 10.68 MB 901.96 MB Intel
43 dynamic_pager root 0.0 1 324.00 KB 585.61 MB Intel
689 Finder localadmin 0.0 7 16.97 MB 952.61 MB Intel
996 Firefox localadmin 0.1 15 66.82 MB 1,020.31 MB Intel
669 Folder Actions Dispatcher localadmin 0.0 1 2.78 MB 860.12 MB Intel
41 fseventsd root 0.0 10 820.00 KB 591.19 MB Intel
40 hidd root 0.0 2 276.00 KB 586.14 MB Intel
704 HP Event Handler localadmin 0.0 3 2.98 MB 859.63 MB Intel
705 HP Scheduler localadmin 0.0 1 2.43 MB 857.84 MB Intel
98 hpusbmond root 0.0 1 536.00 KB 586.78 MB Intel
89 HWNetCfg root 0.0 1 536.00 KB 586.68 MB Intel
90 HWPortCfg root 0.0 1 596.00 KB 586.63 MB Intel
711 iChatAgent localadmin 0.0 2 2.36 MB 854.23 MB Intel
719 installdb _installer 0.0 1 1.00 MB 586.69 MB Intel
38 kdcmond root 0.0 2 524.00 KB 585.73 MB Intel
0 kernel_task root 1.4 57 117.66 MB 287.29 MB Intel
37 KernelEventAgent root 0.0 2 296.00 KB 585.68 MB Intel
12 kextd root 0.0 2 1.01 MB 586.19 MB Intel
71 krb5kdc root 0.0 1 796.00 KB 586.05 MB Intel
1 launchd root 0.0 3 444.00 KB 18.64 MB Intel
666 launchd localadmin 0.0 3 516.00 KB 17.64 MB Intel
643 loginwindow localadmin 0.0 3 5.34 MB 867.04 MB Intel
670 Mac_SwapperDemon localadmin 0.0 1 1.77 MB 596.42 MB Intel
18 mDNSResponder _mdnsresponder 0.0 2 896.00 KB 587.49 MB Intel
35 mds root 0.2 16 24.18 MB 722.30 MB Intel
724 mdworker localadmin 0.0 4 3.12 MB 600.26 MB Intel
727 mdworker _spotlight 0.0 3 2.34 MB 599.25 MB Intel
14 notifyd root 0.0 2 340.00 KB 586.17 MB Intel
27 ntpd root 0.0 1 464.00 KB 586.12 MB Intel
682 pboard localadmin 0.0 1 588.00 KB 586.63 MB Intel
707 PhoneViewHelper localadmin 0.0 2 2.27 MB 848.50 MB Intel
723 pmTool root 1.4 1 1.34 MB 595.70 MB Intel
22 securityd root 0.0 2 1.66 MB 587.33 MB Intel
53 socketfilterfw root 0.0 3 1.19 MB 585.93 MB Intel
678 Spotlight localadmin 0.0 6 19.43 MB 1,023.74 MB Intel
54 spsecure root 0.5 7 10.79 MB 615.80 MB Intel
15 syslogd root 0.0 4 344.00 KB 587.24 MB Intel
31 SystemStarter root 0.0 1 264.00 KB 585.61 MB Intel
687 SystemUIServer localadmin 0.0 11 10.91 MB 931.80 MB Intel
30 update root 0.0 1 124.00 KB 585.57 MB Intel
29 usbmuxd _usbmuxd 0.0 2 584.00 KB 587.46 MB Intel
679 UserEventAgent localadmin 0.0 3 2.81 MB 856.22 MB Intel
672 VirusScan Reporter localadmin 0.0 1 3.36 MB 893.86 MB Intel
56 VShieldScanManag root 0.8 11 2.86 MB 592.52 MB Intel
80 VShieldScanner root 0.0 2 83.22 MB 671.99 MB Intel
82 VShieldScanner root 0.4 2 83.21 MB 671.99 MB Intel
81 VShieldScanner root 0.4 2 83.13 MB 671.99 MB Intel
644 WindowServer _windowserver 0.7 5 33.29 MB 934.98 MB Intel

hayne
08-24-2009, 08:49 AM
I know I have been but I wanna know how...can u look at my logs and tell me
1) How do you "know" that you have been?
2) In general, it isn't possible to tell from the logs or a process list (what you showed) whether or not your computer has "been hacked". The malicious software could (if cleverly enough written) completely hide all traces of itself.

cwtnospam
08-24-2009, 10:12 AM
Why is it always the people with 1 or 2 posts that are convinced they've been infected with a virus, have a key logger, or have otherwise had their Macs compromised? If I were the suspicious type, and I am, I would think that the "security" industry is planting FUD. Possibly they're doing it to Windows switchers, or they're trying to do it here. Hard to say.

SirDice
08-24-2009, 11:19 AM
Why is it always the people with 1 or 2 posts that are convinced they've been infected with a virus, have a key logger, or have otherwise had their Macs compromised?
Probably for the same reason(s) a regular Windows user would post the same question.

If I were the suspicious type, and I am, I would think that the "security" industry is planting FUD. Possibly they're doing it to Windows switchers, or they're trying to do it here. Hard to say.
It's not FUD when these things actually happen. It's also not FUD when the tools to make this happen already exist. Do realize that the really nefarious stuff like rootkits actually have their origins on *nix.

Sure you would need to type your password for this stuff to even install. But that's a lot easier to achieve than most would think. Social engineering isn't that hard.

cwtnospam
08-24-2009, 12:24 PM
You've missed my point. I agree that it's technically possible, but the fact that it's always somebody with very few posts here who is convinced that they've been attacked makes me think there's something going on that doesn't require a successful attack on an individual's computer.

Because actual, successful attacks on real world Mac users are so rare, I believe that it's likely that either the user has been conditioned to believe that every hiccup is a virus/trojan/keylogger/othermalware or they work for somebody who is conditioning people to believe that.

Basically, I think there is a great deal of social engineering going on!

SirDice
08-24-2009, 01:30 PM
You've missed my point. I agree that it's technically possible, but the fact that it's always somebody with very few posts here who is convinced that they've been attacked makes me think there's something going on that doesn't require a successful attack on an individual's computer.
You missed my point ;)

Because actual, successful attacks on real world Mac users are so rare, I believe that it's likely that either the user has been conditioned to believe that every hiccup is a virus/trojan/keylogger/othermalware or they work for somebody who is conditioning people to believe that.
Point is, a lot of Windows users think the same way. I've seen quite a lot of posts asking exactly the same thing on Windows forums. Whenever something happens they can't simply explain they'll immediately think someone's out to get them. Even when the "problem" isn't really related to it or the "problem" doesn't even exist (I think so-and-so is reading my e-mail). Of course you have a high chance of contracting something but this doesn't necessarily mean it's always the case.

Basically, I think there is a great deal of social engineering going on!
Funnily enough, a lot of worms and viruses on windows spread because of that. Most of them don't even abuse bugs in the system. The only "bug" being abused is the one between the ears of the user. "Hey, look at this link", "Something I found that might interest you", "Some celebrity nekkid" etc. etc.

cwtnospam
08-24-2009, 02:27 PM
Maybe I'm not being explicit enough: I don't think that we're seeing Mac users post these questions. I think we're seeing recent switchers who are not yet experienced enough with Macs to be called Mac users, and/or shills for the so-called "security" industry. The switchers are Windows users, and the security people are shills.

The social engineering I'm talking about isn't aimed at controlling your computer. It's aimed at controlling your buying habits. The idea is to condition you to believe that you need to buy AV software no matter what OS you use.

SirDice
08-24-2009, 02:33 PM
The idea is to condition you to believe that you need to buy AV software no matter what OS you use.

Which is true to some extent. There's absolutely nothing in OS-X that would make it bulletproof against malware.

On the other hand I've been a Windows user for many years, never had a virusscanner and never, ever, got infected with anything.

(I do have to admit I'm a security professional so I do know what I'm doing ;) )

detorn
08-24-2009, 02:50 PM
Q: how can you tell if you have a virus/key logger?

A:
-Zero wipe your hard drive, reinstall the OS. This will kill anything currently known.
-create non-trivial passwords (https://www.grc.com/ppp.htm) and don't share them,
-add a guest account to your computer that doesn't have privileges to install apps if you need to let others use it.
-Don't steal software.
-keep all apps and OS up-to-date.
-Stop being friends or even dealing with people you do not trust, simple.

cwtnospam
08-24-2009, 03:59 PM
Which is true to some extent.
So then you must know of some AV software which will protect against future attacks against currently unknown vulnerabilities!

SirDice
08-24-2009, 04:40 PM
So then you must know of some AV software which will protect against future attacks against currently unknown vulnerabilities!

You and I both know this is impossible.

But most AV can at least protect you against known attacks. The people not versed in all the malware techniques, which I assume most users are, would find it beneficial. Prevention is always better than a cure. Even if the amount of malware is still relatively minute :D

trevor
08-24-2009, 05:00 PM
But most AV can at least protect you against known attacks.

But antivirus software doesn't protect you against anything at all, not even known attacks. All it does is clean up known attacks from your hard drive after they've already come, or at best clean up known attack programs from emails that are already on your computer.

Protections from viruses and some other types of malware are things like Mandatory Access Control (weren't you just talking about this in another thread recently?) and MLS operating environments. But not AV software.

Trevor

cwtnospam
08-24-2009, 05:11 PM
Prevention is always better than a cure.
Not if the prevention is more costly than the illness, in terms of dollars spent on the software and $$ wasted time $$, both computer and human.

There are many examples in medicine where the risks and costs of taking a particular vaccine outweigh the risks and costs associated with the disease it may (or may not) protect against. Autism due to vaccinations is one that recently made the news.

fazstp
08-24-2009, 06:13 PM
Autism due to vaccinations is one that recently made the news.


OT but I think any link has been pretty much ruled out.

MajorMinor
08-24-2009, 10:51 PM
Question for the experts here - i have been checking out Applescript, so would it be possible for Mac Attck's - OP - boyfriend to write a script that sent a copy of any email opened by Mac Attck to another address and secondly, i guess that it would not be picked up by Little Snitch if one had LS installed.

cwtnospam
08-24-2009, 10:58 PM
You could do that with a Rule in Mail. No need for any script. Of course, it would only be hidden in plain sight. ;)

SirDice
08-25-2009, 02:20 AM
But antivirus software doesn't protect you against anything at all, not even known attacks. All it does is clean up known attacks from your hard drive after they've already come, or at best clean up known attack programs from emails that are already on your computer.

Not true. http://en.wikipedia.org/wiki/Real-time_protection

Protections from viruses and some other types of malware are things like Mandatory Access Control (weren't you just talking about this in another thread recently?) and MLS operating environments. But not AV software.
MAC would help but not as much. A user still needs to be able to do things. Anything a user can do malware can too.

EatsWithFingers
08-25-2009, 03:12 AM
MAC would help but not as much. A user still needs to be able to do things. Anything a user can do malware can too.
Very true. The problem, as far as I see it, is that pretty much every OS still views the Internet as a domain on an equal integrity footing as the user's computer. As such, Web browsers are run with the same privileges as the user. In my view, Web browsers should have a lower level of privilege and then browser-borne exploits would be greatly reduced (since malware would have lower read/write/execute privileges than the user*, and similarly for code run by the browser itself).

*yes, this won't prevent social engineering attacks

EDIT: hell, make all programs have lower permissions than the user, with file open/save dialogs (done via OS APIs) have implicit user authentication built in. Basically, treat every program like a separate user in a traditional MLS system.

trevor
08-25-2009, 12:08 PM
Not true. http://en.wikipedia.org/wiki/Real-time_protection

Yeah, you're right, some AV apps claim to do that, but they do it in a very shoddy (http://www.theregister.co.uk/2009/08/06/vista_anti_virus_tests/) way. (More here (http://www.theregister.co.uk/2007/08/03/64bitvista_av_tests/), here (http://www.channelregister.co.uk/2007/12/21/dwindling_antivirus_protection/), and several other places).

Is the 'treatment' worse than the cure? (http://www.attrition.org/security/rant/av-spammers.html)

Trevor

SirDice
08-26-2009, 02:10 AM
The problem with most current AV is that they work on a signature basis. As soon as a few bytes of the malware change, the signature changes. Since malware makers push out variants like there's no tomorrow, signature-based AV can't keep up. Meaning you run the risk of false negatives.

The other side is using heuristics. That will look at certain 'questionable' code. When code like that is detected the file is flagged. The downside of that is that that 'questionable' code can sometimes appear in normal executables. This results in a false positive.

Unfortunately there's no panacea and there probably will never be. Currently the best malware detector is the person sitting behind the computer. Don't believe for a second that just because you use a Mac you will never, ever, get infected. Times are changing.
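The trade-off described in the post above, as an added example that is not part of the original thread: a whole-file hash signature, a byte-pattern signature and a weighted heuristic are run over constructed, inert sample "files". The trait tokens, weights and threshold are assumptions made up for the illustration.

```python
"""Signature-based vs heuristic detection on constructed, inert samples."""
import hashlib

# Constructed byte strings standing in for program files. The trait tokens
# (hook_keys, hide_window, upload, ...) are made-up markers, not real APIs.
ORIGINAL = b"\x7fAPP|hook_keys|hide_window|upload|build=1"
SAMPLES = {
    # name: (file bytes, is it actually malicious?)
    "original": (ORIGINAL, True),
    # A few bytes changed outside the byte pattern the vendor extracted.
    "variant_a": (ORIGINAL.replace(b"build=1", b"build=2"), True),
    # One byte inserted inside that pattern.
    "variant_b": (ORIGINAL.replace(b"|hide_window|", b"||hide_window|"), True),
    # Benign programs that share some traits with the malicious family.
    "hotkey_tool": (b"\x7fAPP|hook_keys|show_menu|build=7", False),
    "remote_support": (b"\x7fAPP|hook_keys|upload|ask_consent|build=4", False),
    "text_editor": (b"\x7fAPP|open_file|save_file|build=3", False),
}

# Both signature sets were derived from the one sample the vendor has seen.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest()}
PATTERN_SIGNATURES = [b"|hook_keys|hide_window|upload|"]

# Heuristic: score 'questionable' traits and flag at or above a threshold.
HEURISTIC_WEIGHTS = {b"hook_keys": 2, b"hide_window": 2, b"upload": 1}
HEURISTIC_THRESHOLD = 3


def by_hash(data: bytes) -> bool:
    """Flag only files whose whole-file digest is on the list."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def by_pattern(data: bytes) -> bool:
    """Flag files that contain a known byte sequence anywhere."""
    return any(sig in data for sig in PATTERN_SIGNATURES)


def by_heuristic(data: bytes) -> bool:
    """Flag files whose summed trait weights reach the threshold."""
    score = sum(w for trait, w in HEURISTIC_WEIGHTS.items() if trait in data)
    return score >= HEURISTIC_THRESHOLD


def evaluate(detector) -> dict:
    """Compare a detector's verdicts with the ground truth in SAMPLES."""
    missed, wrongly_flagged = [], []
    for name, (data, malicious) in SAMPLES.items():
        flagged = detector(data)
        if malicious and not flagged:
            missed.append(name)           # false negative
        elif flagged and not malicious:
            wrongly_flagged.append(name)  # false positive
    return {"false_negatives": sorted(missed),
            "false_positives": sorted(wrongly_flagged)}


def report() -> dict:
    """Evaluate all three detectors over the constructed samples."""
    return {d.__name__: evaluate(d) for d in (by_hash, by_pattern, by_heuristic)}


if __name__ == "__main__":
    for detector_name, outcome in report().items():
        print(f"{detector_name:13} {outcome}")
```

The hash misses both variants, the byte pattern misses the one that changed inside it, and the heuristic catches every variant at the price of flagging the benign remote-support tool.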

benwiggy
08-26-2009, 04:31 AM
Interestingly, Snow Leopard is reported to come with some built-in AV features.

There are many examples in medicine where the risks and costs of taking a particular vaccine outweigh the risks and costs associated with the disease it may (or may not) protect against. Autism due to vaccinations is one that recently made the news.

OT, but: Autism as a consequence of vaccinations was a media scare, not a medical evaluation. There is no scientifically proven link. The only guy who claimed there was a connection has been shown to be a kook with an axe to grind.

SirDice
08-26-2009, 04:49 AM
Interestingly, Snow Leopard is reported to come with some built-in AV features.
AFAIK it comes with some additional features that would make exploiting a bug successfully more difficult. Known tricks other OSs have used for decades. Solaris/SPARC i.e. has had a non-executable stack since 2.6. They won't make it impossible, just a bit more difficult.

cwtnospam
08-26-2009, 08:27 AM
OT, but: Autism as a consequence of vaccinations was a media scare...
Or a corporate cover up like cigarettes and cancer, lead paint and brain damage, DDT and its health issues, and the list goes on...

cwtnospam
08-26-2009, 08:29 AM
They won't make it impossible, just a bit more difficult.
:rolleyes: So because it's not impossible, we should all act as if the sky is about to fall and go out and buy AV software! :rolleyes:

SirDice
08-26-2009, 09:25 AM
:rolleyes: So because it's not impossible, we should all act as if the sky is about to fall and go out and buy AV software! :rolleyes:

No, that's not what I'm saying. What I am saying is just because you use a Mac you're not invulnerable. Unfortunately, a lot of Mac (and Linux) users seem to have that mind set. Bugs exist and will get exploited, despite the security features. And a lot of the current malware doesn't even abuse any bugs.

A lot of people view an AV as some sort of inoculation. Once they have an AV running they think they can click on anything. This is simply not correct, an AV is a tool to aid in the detection of malware and should be used as such. You still need to be careful of the things you run.

cwtnospam
08-26-2009, 09:52 AM
No, that's not what I'm saying. What I am saying is just because you use a Mac you're not invulnerable...
And I'm saying that AV software does not make you any less vulnerable. On the contrary, it creates a false sense of security as you've pointed out. So when you say:
people not versed in all the malware techniques, which I assume most users are, would find it beneficial.
what you're really saying is that by spending money on AV software neophytes somehow find a false sense of security to be beneficial!

The reality is that AV software merely shifts the bulk of the liability from the OS provider (where it belongs) to the users (where it doesn't belong*) while adding extra costs for the users.

*Please spare me the: can't protect users from themselves argument. That one is spread far too thin to cover for example, the millions of bots sending spam at this very moment. It also is demonstrably false because successful attacks on Macs are nowhere near as high as they need to be to account for market share.

SirDice
08-26-2009, 12:36 PM
what you're really saying is that by spending money on AV software neophytes somehow find a false sense of security to be beneficial!
No, I'm saying that users who are not versed in malware techniques can at least get a warning something bad is happening. As opposed to no warning at all and ending up as a zombie.

The reality is that AV software merely shifts the bulk of the liability from the OS provider (where it belongs) to the users (where it doesn't belong*) while adding extra costs for the users.
No, it's the user's responsibility. The OS cannot protect a user from being stupid (or naive). Try, as root, rm -rf /, did the OS try to stop you? The only way to achieve that would be to create a system with a set number of functions and no way for a user to ever expand or change any of it.

*Please spare me the: can't protect users from themselves argument. That one is spread far too thin to cover for example, the millions of bots sending spam at this very moment. It also is demonstrably false because successful attacks on Macs are nowhere near as high as they need to be to account for market share.
When you send a file to a random person you still have a 90% chance of that person running Windows. Only 1 in 10 would be a Mac. If I was a malware writer trying to make big money, guess which system I would choose. It's all about statistics.

cwtnospam
08-26-2009, 01:50 PM
No, I'm saying that users who are not versed in malware techniques can at least get a warning something bad is happening. As opposed to no warning at all and ending up as a zombie.
No, you're saying that they might get a warning, which is what sets them up for a false sense of security.
No, it's the user's responsibility. The OS cannot protect a user from being stupid (or naive). Try, as root, rm -rf /, did the OS try to stop you? The only way to achieve that would be to create a system with a set number of functions and no way for a user to ever expand or change any of it.
:rolleyes: :rolleyes:
Yeah, and if I drop my Mac in my swimming pool, the OS won't protect me from my actions there either. So what?

When you send a file to a random person you still have a 90% chance of that person running Windows. Only 1 in 10 would be a Mac. If I was a malware writer trying to make big money, guess which system I would choose. It's all about statistics.
Please! There are zero successful attacks on Mac users. Notice that I didn't say there were zero attacks. There have been several. None of them could be called successful, unless you count generating "news" stories a success. Or maybe you think that a proof of concept is a success, even if the concept has always been accepted as fact!

SirDice
08-26-2009, 02:10 PM
Yeah, and if I drop my Mac in my swimming pool, the OS won't protect me from my actions there either. So what?
Err.. Liability? How does that compare to running an executable downloaded from the web? You are the one that decides to run it, not the OS. The OS won't stop you from running it. Yeah, yeah, you need to type in a password to install anything really deep into the OS. So what? Given enough social engineering I'm quite sure a small percentage will actually type in that password without questioning it. Then who's to blame? The OS or the user?

Please! There are zero successful attacks on Mac users. Notice that I didn't say there were zero attacks. There have been several. None of them could be called successful, unless you count generating "news" stories a success. Or maybe you think that a proof of concept is a success, even if the concept has always been accepted as fact!
Successful by which standard? A single successful attack or do you call successful a news item that says XX number of hosts are infected?

How do you know it has never happened and nobody was ever infected?

Just because you don't see it happening doesn't mean it doesn't exist.

cwtnospam
08-26-2009, 06:58 PM
A single attack on a single computer is insignificant, unless it's yours and therefore not successful.

Wake me when you know of a successful attack. In the mean time, I'm done here.

ArcticStones
08-26-2009, 10:57 PM
.
This looks interesting! (http://www.macrumors.com/2009/08/26/snow-leopard-antimalware-feature-gaining-publicity/)
I also wish Apple would integrate Little Snitch into their OS. Great software!
.

onceagain
08-27-2009, 02:34 AM
It is interesting that people are so paranoid. It is also interesting that people who are so suspicious of their significant other are still with that person.

Aside from all of that, if you have any reason at all to be suspicious, just clean install, secure your machine, and stop worrying about it.

By the way - there are ways to get into a "secure" mac. The easiest way is to boot into single user mode, mount the file system, and set the root password, then reboot. The person can now log into the multi-user system as root. They can install anything they want. They can make a complete copy of your home directory onto an external device and examine it later.

Encrypt your stuff.

SirDice
08-27-2009, 02:42 AM
A single attack on a single computer is insignificant, unless it's yours and therefore not successful.
So how many single successful attacks would it take for you to call it successful? 10? 100? A million?

So you only believe it's real when there's a news item about it that says XX number of hosts are infected. I thought you didn't believe the hype? Perhaps all those millions of infected Windows computers didn't happen either. I never had one so it must be a spin by the AV companies.

Wake me when you know of a successful attack. In the mean time, I'm done here.
Don't worry. And don't say I didn't warn you when the ***** starts hitting the fan;)

SirDice
08-27-2009, 02:48 AM
It is interesting that people are so paranoid. It is also interesting that people who are so suspicious of their significant other are still with that person.
Yeah, I find that odd too. I always thought that trust was the cornerstone of every relationship.

By the way - there are ways to get into a "secure" mac. The easiest way is to boot into single user mode, mount the file system, and set the root password, then reboot. The person can now log into the multi-user system as root. They can install anything they want. They can make a complete copy of your home directory onto an external device and examine it later.
When you have physical access to a box all bets are off.

Encrypt your stuff.
Exactly. This doesn't protect you from malware though. It does protect you against the situation described above.

anika123
08-27-2009, 06:56 AM
The problem with most current AV is that they work on a signature basis.

The Real problem with AV is that you have to wait to get a virus before it starts to work. Our whole attack method is backwards as far as I can see. The OS and entire Software industry needs to be reorganized into more of a preventative stance. I hate to say but the iPhone OS model would work and may be the way to go. I can hear the groans now and yes open solutions would probably suffer a little at first.

It would be a huge step for a company to do this but really what are the alternatives. Are we going to spend bazillions of resources on AV and other solutions forever? Let's get some smart people together and a company with some Ba$#s and its own OS and have a real virus free computer.

SirDice
08-27-2009, 07:12 AM
The Real problem with AV is that you have to wait to get a virus before it starts to work.
How is it supposed to work when you haven't received anything yet?

I hate to say but the iPhone OS model would work and may be the way to go.
I haven't looked at the iPhone at all, yet. Care to explain why that model would work? Why would it be any better?

Or do you mean you can only run Apple approved software on it? That's something I (and I'm sure a lot of others) really don't want to see happening. It's the biggest reason for me not to get an iPhone.

anika123
08-27-2009, 11:13 AM
How is it supposed to work when you haven't received anything yet?

That's exactly how it works. The whole computer software model would have to change from what we have now. All software would be registered with some service or company and not allowed to install on any computer until it meets all "clean" standards.

It's just a general concept that obviously I don't have all the 'details' to but it could look something like what Apple is doing with the iPhone.

Care to explain why that model would work?

It would work because only 'clean' registered software would get to your computer. So here is the scenario:

A developer would submit an app which is determined to be safe, this would take some resources of course, then a signature is developed for the app somehow. You install the app after the OS or a firmware chip checks that the signature and app have not changed.

This way the burden of stopping a virus is on the developer, the OS and not the idiot computer operator. In this way we would severely limit or stop the spread of viruses.

It's the biggest reason for me not to get an iPhone.

Yes, I know. That is why I said it would take a company with some bal#s. You don't think there is a market or will be in the future for a guaranteed virus free computing platform? How do you suppose this platform would come to be. It certainly will not happen the way we have it now.
I too love the freedom of installing whatever, whenever but there will come to a point where too many resources are going to stopping viruses and people will get sick of it. Look at the Apple Mac ads that are running now.

SirDice
08-27-2009, 11:37 AM
You don't think there is a market or will be in the future for a guaranteed virus free computing platform?
There's no such thing and there never will be. As long as there's money to be made they'll find a way to exploit the system.

I too love the freedom of installing whatever, whenever but there will come to a point where too many resources are going to stopping viruses and people will get sick of it.
That freedom to install anything you want will be gone. If Apple (or whatever company that would implement such a thing) doesn't like your program it will never be signed. Simply look at what's happening now with the iPhone. I want the freedom to install a VoIP client if I want to. I want to have that choice. I do not like it when other people start making choices for me. That's not what freedom is about. So I take my money to a company that does allow me to install anything I want.

I really hope that people will get sick of it and then, hopefully, realize it's actually their own actions that lead to it. Maybe then this crap will stop.

Everybody hates to get spam, everybody knows it, everybody gets it and we're all sick of it. But even if only 0.1% of the people that receive spam click on the ad and buy something the spammers win. That's why they continue to spam us. I'd say we hunt down that 0.1% and beat the crap out of them :D

cwtnospam
08-27-2009, 12:00 PM
How is it supposed to work when you haven't received anything yet?
It's supposed to block it. If it can't do that, it's completely useless. Oh, and I don't give a rat's ass if you or any AV company thinks that's being too demanding. If you can't take the heat, get out of the business.
So how many single successful attacks would it take for you to call it successful? 10? 100? A million?
At least 5,000. Less than that, and you're probably below the number of people who will spill something on their keyboards this month: Not worth thinking about.
So you only believe it's real when there's a news item about it that says XX number of hosts are infected. I thought you didn't believe the hype? Perhaps all those millions of infected Windows computers didn't happen either. I never had one so it must be a spin by the AV companies.
There's a real chance that I'll get struck by an asteroid in the next 24 hours. I'm not going to worry about that either.
Don't worry. And don't say I didn't warn you when the ***** starts hitting the fan;)
Total BS!

First, I'm only worried about AV shills promoting AV on my preferred platform. Second, if a successful virus ever does make the rounds, the easiest way to deal with it will be to take care about what I open and wait for the system update to come out. Third, at the rate Macs are being successfully attacked, I expect to be dead for about twenty years before it's a real concern.

I just wasted several hours of my life getting rid of Windows malware called: Total Security (http://www.myantispyware.com/2009/03/21/how-to-remove-total-security-uninstall-instructions/). My only consolation is that I'll never need to do that on my Mac.

SirDice
08-27-2009, 12:11 PM
It's supposed to block it. If it can't do that, it's completely useless. Oh, and I don't give a rat's ass if you or any AV company thinks that's being too demanding. If you can't take the heat, get out of the business.
It cannot block something it hasn't received yet. It needs to receive something in order to analyze it and detect it's something bad. An AV is not clairvoyant.


I just wasted several hours of my life getting rid of Windows malware called: Total Security (http://www.myantispyware.com/2009/03/21/how-to-remove-total-security-uninstall-instructions/).
I'm sorry to hear but somebody clicked on "Install" to install a program that detects something that's not really there. If it was you that did it I'd say you are susceptible to social engineering and it really wouldn't matter if it happened on Windows or on OS-X.

My only consolation is that I'll never need to do that on my Mac.
Guess again: http://www.cnet.com.au/mac-users-targeted-by-fake-antivirus-tool-339285176.htm

cwtnospam
08-27-2009, 12:41 PM
It cannot block something it hasn't received yet. It needs to receive something in order to analyze it and detect it's something bad. An AV is not clairvoyant.
Then it's useless and pointless. Stop it at the door, or stay off of my system.
I'm sorry to hear but somebody clicked on "Install" to install a program that detects something that's not really there. If it was you that did it I'd say you are susceptible to social engineering and it really wouldn't matter if it happened on Windows or on OS-X.
Well the person whose PC was infected swears he didn't install it and he's the only one who uses it. I don't really care either way.
Guess again: http://www.cnet.com.au/mac-users-targeted-by-fake-antivirus-tool-339285176.htm
Gambling! Gambling in this establishment! (http://tvtropes.org/pmwiki/pmwiki.php/Main/Casablanca)
:rolleyes: :rolleyes:
I'm shocked, shocked to learn that somebody's written a Trojan! Well then, I'll run right out and buy me some of that there AV software, and while I'm at it I'll build myself a bunker to protect against errant asteroids!
:rolleyes::rolleyes:

SirDice
08-27-2009, 01:38 PM
I'm shocked, shocked to learn that somebody's written a Trojan! Well then, I'll run right out and buy me some of that there AV software,

From the removal article you so kindly posted (emphasis mine):
The rogue usually installed itself onto your computer without your permission, through the use trojans.

Maybe you don't need it but that poor sap you cleaned up after probably needs one. He can't even remember installing it, so it's quite likely he'll fall for the same gag if he was using OS-X.

anika123
08-27-2009, 01:51 PM
So I take my money to a company that does allow me to install anything I want.

That is fine let us have a paid for virus free computing platform. You will still be able to buy one that is riddled with crap and you have to constantly battle the hackers and update your junk to the latest virus remover or installer or whatever. That would be perfectly fine for me.

As long as there's money to be made

As already proven, there is a ton of money in anti-virus that could be better spent on a better solution to the current situation.

cwtnospam
08-27-2009, 01:57 PM
Maybe you don't need it but that poor sap you cleaned up after probably needs one. He can't even remember installing it, so it's quite likely he'll fall for the same gag if he was using OS-X.
First, you have zero proof that he installed it. Second:
The rogue usually installed itself onto your computer without your permission, through the use trojans.
is gibberish. If it installed on your computer without your permission, it is by definition NOT a trojan. It's a worm or a virus, but not a trojan.

SirDice
08-27-2009, 01:59 PM
You will still be able to buy one that is riddled with crap and you have to constantly battle the hackers and update your junk to the latest virus remover or installer or whatever.
Not really, as I've mentioned before I've been using Windows for at least 15 years now, never installed a virus scanner and never got infected. So I'm quite confident I will remain that way, whatever system I'm using.


As already proven, there is a ton of money in anti-virus that could be better spent on a better solution to the current situation.
Yes, but you should put the blame on the people that make the malware, not the OS that allows it to run. Only a handful of people have ever been arrested for creating malware. The chances of getting caught are slim to none. Even when caught some of them got nice paying jobs instead of jail time, talk about screwed up. Perhaps we should invest more in that?

cwtnospam
08-27-2009, 02:11 PM
Not really, as I've mentioned before I've been using Windows for at least 15 years now, never installed a virus scanner and never got infected. So I'm quite confident I will remain that way, whatever system I'm using.
:rolleyes:
Yeah, with all the Windows users who say the same thing, it's a wonder anyone's system ever gets infected! Still, millions of PCs send out billions of spam messages...

Lots of people's Windows PCs are infected and they don't know it. You could easily be one of them. Get your own house in order before "warning" Mac users.

anika123
08-27-2009, 02:13 PM
put the blame on the people that make the malware, not the OS that allows it to run

This is exactly what needs to change. I guess this will be a bigger uphill battle than I think :{

You have already basically said that if there is a weakness someone will exploit it for money. I totally agree.
That is why the money spent would be more productive at the Pre OS level as I have described before. If you apply logic to it and forget your needs for software freedom then you will see that the benefits of a pro defense is better than what we have now. IMHO

and never got infected.

Are you saying that you can spot and stop viruses at will? :) Really though, you think that you will never fall for a virus?

I still say the analyze bits at a factory level will work better.

Also, I wonder if most of this thread should be moved to coat room? We are not solving any keystroke capture problems.

SirDice
08-27-2009, 02:41 PM
Yeah, with all the Windows users who say the same thing, it's a wonder anyone's system ever gets infected! Still, millions of PCs send out billions of spam messages...

Lots of people's Windows PCs are infected and they don't know it. You could easily be one of them. Get your own house in order before "warning" Mac users.
Errr, I'm not the average user, heck, probably even way beyond power user. I'm a security professional, dealing with malware ever since I laid my eyes on virus code back in the '80s. Which means I'm quite confident my own "house" is in order :p

cwtnospam
08-27-2009, 02:45 PM
We are not solving any keystroke capture problems.
The problem is that keyloggers are part of the Big Lie that says that Macs are just as vulnerable as Windows PCs. That's what needs to be solved here. While you can't say that Macs are 100% secure, it's at least as wrong to say that they're just as vulnerable. I think it's worse because it indoctrinates people into thinking that there's nothing they can do but shell out cash and waste their time dealing with AV software.

cwtnospam
08-27-2009, 02:46 PM
I'm a security professional...
:rolleyes: :rolleyes:
Yeah, that doesn't help your credibility.

anika123
08-27-2009, 02:48 PM
Lots of people's Windows PCs are infected and they don't know it.

I have personal experience here, my sister asked me to 'upgrade' her computer and I was stunned. I removed crap embedded in her computer for 4 hours and finally realized that I would have to wipe the whole thing. Of course, the Norton Anti-virus said it was all clean. There was so much stuff in the windows registry or root that no matter what I did the viruses came back. I wiped everything and started from scratch. I actually think some of them probably survived.

She probably will not notice for another 7 years. :D :D

onceagain
08-27-2009, 02:51 PM
We are not solving any keystroke capture problems.
The bottom line is that (for the reason I indicated above) if someone else has physical access to your machine, you have no assurance whatsoever that your machine is secure (in this case, you have no keylogger installed). Someone can easily install a keylogger, and configure and name it in such a way that it looks like a normal system process. Hell, someone could replace launchd with something that does everything launchd does, PLUS log keystrokes. You just never know.

So - that said - if you have concerns, then clean install, encrypt your stuff, and keep the computer itself in a physically secure location (such as in a safe, locked drawer, or whatever). If you can't do these things, then you have no security.
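For the disguise described in the post above (a job named to look like a normal system process), an added example that is not part of the original thread: an audit of launchd job definitions that flags Apple-style labels outside /System/Library, file names that do not match their Label, and programs in temp, shared or hidden paths. The directory tree, labels and program paths are constructed for the demo, the flag rules are review heuristics rather than verdicts, and a replaced system binary such as launchd itself is outside what this check can see.

```python
"""Audit launchd job plists for entries posing as system components."""
import plistlib
import tempfile
from pathlib import Path

# launchd job locations, relative to the volume root ("/" on a real Mac).
APPLE_DIRS = ("System/Library/LaunchDaemons", "System/Library/LaunchAgents")
THIRD_PARTY_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")
USER_GLOB = "Users/*/Library/LaunchAgents"
RISKY_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def job_program(job: dict) -> str:
    """Return the executable a job runs (Program, else ProgramArguments[0])."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def review_job(plist_path: Path, rel_dir: str, job: dict) -> list:
    """Return the reasons (possibly none) this job deserves a closer look."""
    reasons = []
    label = str(job.get("Label", ""))
    program = job_program(job)
    if label.startswith("com.apple.") and rel_dir not in APPLE_DIRS:
        reasons.append("Apple-style label outside /System/Library")
    if plist_path.stem != label:
        reasons.append("file name does not match Label")
    if program.startswith(RISKY_PREFIXES) or "/." in program:
        reasons.append("program in temp, shared or hidden path")
    return reasons


def audit(root) -> list:
    """Scan all job directories under root; return [(plist path, reasons)]."""
    root = Path(root)
    dirs = [root / d for d in APPLE_DIRS + THIRD_PARTY_DIRS]
    dirs += sorted(root.glob(USER_GLOB))
    findings = []
    for directory in dirs:
        if not directory.is_dir():
            continue
        rel_dir = directory.relative_to(root).as_posix()
        for plist_path in sorted(directory.glob("*.plist")):
            shown = "/" + plist_path.relative_to(root).as_posix()
            try:
                with plist_path.open("rb") as fh:
                    job = plistlib.load(fh)
            except Exception:  # malformed or unreadable plist
                findings.append((shown, ["unreadable plist"]))
                continue
            if not isinstance(job, dict):
                findings.append((shown, ["not a job dictionary"]))
                continue
            reasons = review_job(plist_path, rel_dir, job)
            if reasons:
                findings.append((shown, reasons))
    return findings


# Constructed job definitions for the demo; none describe real software.
CONSTRUCTED_JOBS = {
    "System/Library/LaunchDaemons/com.apple.example.timed.plist":
        {"Label": "com.apple.example.timed",
         "ProgramArguments": ["/usr/libexec/timed"]},
    "Library/LaunchDaemons/org.example.backup.plist":
        {"Label": "org.example.backup", "RunAtLoad": True,
         "Program": "/Library/Application Support/ExampleBackup/backupd"},
    "Library/LaunchDaemons/com.apple.example.inputhelper.plist":
        {"Label": "com.apple.example.inputhelper", "RunAtLoad": True,
         "KeepAlive": True,
         "ProgramArguments": ["/Users/Shared/.cache/inputhelper"]},
    "Users/alice/Library/LaunchAgents/updater.plist":
        {"Label": "org.example.updater",
         "Program": "/Users/alice/Applications/Updater.app/Contents/MacOS/updater"},
}


def demo() -> list:
    """Write the constructed jobs into a temp tree and audit that tree."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel_path, job in CONSTRUCTED_JOBS.items():
            target = Path(tmp) / rel_path
            target.parent.mkdir(parents=True, exist_ok=True)
            with target.open("wb") as fh:
                plistlib.dump(job, fh)
        return audit(tmp)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", "; ".join(reasons))
```

On a real system the same function would be called as `audit("/")`, and every flagged entry is a prompt to inspect the program it points at.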

anika123
08-27-2009, 02:58 PM
encrypt your stuff,

What does this do? I have never looked into it. So if someone stole or electronically viewed your hard drive they would see gibberish? Would that not make my old macbook pro really slow?

SirDice
08-27-2009, 02:58 PM
You have already basically said that if there is a weakness someone will exploit it for money. I totally agree.
That is why the money spent would be more productive at the Pre OS level as I have described before. If you apply logic to it and forget your needs for software freedom then you will see that the benefits of a pro defense is better than what we have now. IMHO
Even though you have a point I'm not so sure people are willing to give up that freedom to install everything.


Are you saying that you can spot and stop viruses at will?
Yes, been there, done that.

:) Really though, you think that you will never fall for a virus?
I can smell them a mile away.

Also, I wonder if most of this thread should be moved to coat room? We are not solving any keystroke capture problems.
I would agree, it's gone a bit off-topic but a good subject to discuss nonetheless ;)

SirDice
08-27-2009, 03:03 PM
What does this do? I have never looked into it. So if someone stole or electronically viewed your hard drive they would see gibberish?

Exactly, they would also need to obtain the key to unlock the data.

There's a snag though, if you're currently using it, it means it's decoded because you supplied the key. Any software you run at that point would also be able to access it.

Its main use however is to protect the data in case your laptop (or memory stick, external hd etc.) gets stolen or lost.

anika123
08-27-2009, 03:09 PM
it means it's decoded because you supplied the key.

That's what I thought, Pandora's box.

SirDice
08-27-2009, 03:10 PM
The bottom line is that (for the reason I indicated above) if someone else has physical access to your machine, you have no assurance whatsoever that your machine is secure (in this case, you have no keylogger installed). Someone can easily install a keylogger, and configure and name it in such a way that it looks like a normal system process. Hell, someone could replace launchd with something that does everything launchd does, PLUS log keystrokes. You just never know.
You don't really require physical access but as I said before with physical access all bets are off.

Here's an interesting read on how to hide and subvert stuff in OS-X. It's quite hefty on the technical details but an interesting read nonetheless.
http://www.phrack.org/issues.html?issue=66&id=16#article

onceagain
08-27-2009, 03:16 PM
What does this do? I have never looked into it. So if someone stole or electronically viewed your hard drive they would see gibberish? Would that not make my old macbook pro really slow?
It gives you a chance to keep your private stuff private when your machine is out of your hands, by requiring a password (of sorts) to view it. Without it, it looks like trash (mileage may vary, depending on the quality of the encryption package used).

It does NOT make a machine run really slow, at least in my experience. Ran just fine on my Powerbook G4 12".

While it may not be perfect, it's a hell of a lot better than leaving your stuff unencrypted.

You don't really require physical access but as I said before with physical access all bets are off.
Sure - the OP was concerned about snooping boyfriends and such that have physical access - that's what I was addressing. Physical access makes a big difference.

anika123
08-27-2009, 03:27 PM
SD that is some good reading. Makes perfect sense to me. Thanks

SirDice
08-27-2009, 04:08 PM
If it installed on your computer without your permission, it is by definition NOT a trojan. It's a worm or a virus, but not a trojan.
Wrong. A trojan is, by definition, something that does an action you didn't expect or agree to. Like installing a virus scanner that isn't really a virus scanner. Or by clicking on a link agreeing to scan your pc or disinfect some non-existing virus. Perhaps you should look up the Greek saga that lent its name to this type of malware.

A worm and a virus are both self replicating. The difference between a worm and a virus is that a worm is self contained. A virus needs to 'attach' itself to other programs. Those fake anti-virus programs do not self replicate.

cwtnospam
08-27-2009, 08:45 PM
And how do you know it isn't self replicating? The only person that uses the computer says he didn't install it. The fake av software might not be a Trojan but the payload of a virus, designed to get the unsuspecting to fork over credit card information.

onceagain
08-27-2009, 08:54 PM
I wonder if you can get infertility treatments for fake AV programs that can't self-replicate.

SirDice
08-28-2009, 03:51 AM
And how do you know it isn't self replicating? The only person that uses the computer says he didn't install it.
Contrary to what you might think malware doesn't spontaneously execute itself once it arrives on your system.

The fake av software might not be a Trojan but the payload of a virus, designed to get the unsuspecting to fork over credit card information.
Sigh.. Fake AV software is the very definition of a trojan. And no it's not delivered as a virus (a virus needs to attach itself to another executable). It could be delivered using a worm but someone has to execute it. It doesn't automagically start itself.

cwtnospam
08-28-2009, 07:06 AM
:rolleyes: :rolleyes: :rolleyes:
TRIPLE SIGH.
Guess what? If it's delivered by a worm or a virus, there is nothing to stop said worm/virus from running the Trojan.
:rolleyes: :rolleyes:

SirDice
08-28-2009, 07:28 AM
Guess what? If it's delivered by a worm or a virus, there is nothing to stop said worm/virus from running the Trojan.
You really have absolutely no clue whatsoever on how malware works do you?

cwtnospam
08-28-2009, 07:33 AM
I know how software works and I know you're trying to spread FUD.

Viruses run. It doesn't matter when they run, as long as they do. What they do is up to the virus writer.

SirDice
08-28-2009, 07:52 AM
I know how software works and I know you're trying to spread FUD.
The only one spreading FUD is you my friend. You're the one that goes to great length trying to "debunk" the truth, creating uncertainty and doubt by using false and inaccurate arguments.

Get your facts straight and you will realize there is nothing magical about OS-X that would make it invulnerable to malware. Once you realize that you can take action that will mitigate the risks. For some people that action might be to install an AV. For you perhaps not, I'll let you decide that for yourself.

As for the fear, it keeps you on your toes, keeps you alert. There's nothing wrong with that.

cwtnospam
08-28-2009, 09:00 AM
The only one spreading FUD is you my friend. You're the one that goes to great lengths trying to "debunk" the truth, creating uncertainty and doubt by using false and inaccurate arguments.

Get your facts straight and you will realize there is nothing magical about OS-X that would make it invulnerable to malware. Once you realize that you can take action that will mitigate the risks. For some people that action might be to install an AV. For you perhaps not, I'll let you decide that for yourself.

As for the fear, it keeps you on your toes, keeps you alert. There's nothing wrong with that.
Fact: There is nothing magical about AV software that will make ANY system 100% secure.

Fact: Many users think that AV software protects them, so they're less careful about what they do.

Fact: AV software is yet another avenue of attack for malware.

Fact: You've recommended no action that will increase security. Zero. Nada. All you've done is try to scare people.

Fact: You've tried to claim that a virus couldn't install a trojan, and you've claimed that it is not (as in never) "delivered as a virus" when you must know that a virus can do anything it likes once it runs.

Fact: You've used the usual technique employed by those pushing FUD. First, claim that OS X isn't 100% secure. An easy claim, since no system is, was, or ever will be. Next, you make the huge leap from less than 100% secure to the idea that Mac users aren't vigilant enough. Then you offer the phony solution of using AV software.

You're right, you are a "security professional," and I mean that in the worst possible way. :mad:

ArcticStones
08-28-2009, 09:11 AM
.
SirDice and CWT, the content of this discussion is interesting -- but this is turning into a duel. I strongly suggest you both lower the hostility a few notches, alternatively continue your exchange in the form of Private Messages.

-- ArcticStones
.

SirDice
08-28-2009, 09:20 AM
Fact: There is nothing magical about AV software that will make ANY system 100% secure.
I never claimed it would make it 100% secure.

Fact: Many users think that AV software protects them, so they're less careful about what they do.
I've said exactly the same thing, you might want to read back.

Fact: AV software is yet another avenue of attack for malware.
Partly true. Running no AV will certainly not be any worse.

Fact: You've recommended no action that will increase security. Zero. Nada. All you've done is try to scare people.
No, I'm trying to create awareness. Something you seem to lack.

Fact: You've tried to claim that a virus couldn't install a trojan, and you've claimed that it is not (as in never) "delivered as a virus" when you must know that a virus can do anything it likes once it runs.
Sure a virus or worm can do whatever it wants but when a payload is delivered by a virus or a worm it's not in the form of a trojan. That would be rather pointless, wouldn't it?

Fact: You've used the usual technique employed by those pushing FUD. First, claim that OS X isn't 100% secure. An easy claim, since no system is, was, or ever will be.
I never claimed another OS was, is or will be. I do notice however a lot of Mac users seem to think it is.

Next, you make the huge leap from less than 100% secure to the idea that Mac users aren't vigilant enough.
A lot of Mac users bought a Mac because they didn't want to deal with all the "technical" details of using a computer. I also know that quite a few bought a Mac because they were tired of getting malware on "that other" platform. So yeah, I am assuming they're not vigilant enough.

Then you offer the phony solution of using AV software.
Not a phony solution. It's part of a solution.

You're right, you are a "security professional," and I mean that in the worst possible way.
Calling me names doesn't prove me wrong.

SirDice
08-28-2009, 09:25 AM
.
SirDice and CWT, the content of this discussion is interesting -- but this is turning into a duel. I strongly suggest you both lower the hostility a few notches, alternatively continue your exchange in the form of Private Messages.

You're right. I got a little carried away.

cwtnospam
08-28-2009, 09:50 AM
I never claimed it would make it 100% secure.
Sure you have. It's the implied basis for your argument: The Mac OS isn't 100% secure, so you need AV software. To do what, keep it less than 100% secure? :confused: :confused:
I've said exactly the same thing, you might want to read back.
Yes, but you've said it with the intention of scaring them further. Maybe they're not using the right software. I'm sure you've got a particular brand to offer them.
Partly true. Running no AV will certainly not be any worse.
??
No, I'm trying to create awareness. Something you seem to lack.
Awareness of what?

Sure a virus or worm can do whatever it wants but when a payload is delivered by a virus or a worm it's not in the form of a trojan. That would be rather pointless, wouldn't it?
It would be brilliant: use a virus to install software purporting to be AV software and you've got lots of opportunities in small businesses where a user might be new to the company, not have admin rights, and assumes that the software is a legitimate purchase of the business. When it comes time for an "upgrade" he/she gets the boss (who will pay little attention to a minor thing like this) to fork over the company credit card.
I never claimed another OS was, is or will be. I do notice however a lot of Mac users seem to think it is.
Pfft. Same thing. You're upset that Mac users feel secure because of their experience. That makes it hard to sell AV software to them, so you claim that they're not being vigilant enough. Naturally, for you this justifies scaring them.
A lot of Mac users bought a Mac because they didn't want to deal with all the "technical" details of using a computer. I also know that quite a few bought a Mac because they were tired of getting malware on "that other" platform. So yeah, I am assuming they're not vigilant enough.
:rolleyes:
So:
A) They're tired of getting viruses.
B) They take drastic action by changing platforms.
and:
C) You conclude that they're not vigilant!

:rolleyes:


Not a phony solution. It's part of a solution.
Of course it's phony. You can't claim the OS is less than 100% secure and then offer a solution that isn't 100% secure without being phony.

SirDice
08-28-2009, 10:22 AM
It's pointless discussing this any further with you.

cwtnospam
08-28-2009, 01:47 PM
Meh.

I've used OS X since the public beta. Every year since then, I've watched as so-called experts tried to tell Mac users that they were too complacent and that a plague of viruses was sure to descend on them sometime "soon."

While I don't doubt that there will be the occasional small scale successful exploit affecting a few users, I seriously doubt that Mac users will ever see the kind of trouble Windows users have come to accept as a fact of life. Heck, even Windows will some day be secure enough to keep large scale exploits at bay. If you want to claim otherwise, you'll need a lot more than your "expert opinion" or those of other alleged security experts. Together you've all destroyed your credibility.

EatsWithFingers
08-29-2009, 08:14 AM
At the risk of being drawn into this back-and-forth :p , isn't the real problem (of viruses and worms, not trojans) with users whose OS/apps/plugins/etc, regardless of vendor, haven't been fully patched? The vast majority of systems which get infected do so because they haven't updated their OS/apps/plugins/etc to patch a known security hole. Yes, there will always be 0-day exploits, but they are mercifully rare.

As a result, AV software should not be necessary if you're running a fully patched system, assuming the various vendors publish work-arounds for avoiding infection until a patch is produced. Add into this, the fact that there are no known viruses/worms for OS X currently in the wild, and the need for many Mac users to run AV software which just detects known viruses/worms evaporates completely. OK, so the virus landscape may change in the future, but we're not in the future.

People should be conditioned to use sensible computing habits, not conditioned to use AV software. If a time comes when using AV software is considered to be a sensible computing habit on OS X, then so be it, but that time has not yet come.

For the sake of completeness, and to check that I'm not missing anything out myself, my "sensible computing habits" for any platform are listed below, albeit with some tailored towards OS X specifically:


Don't make your daily account an admin account (thus anything which runs in your daily account will not have permission to modify system files)
Use strong passwords for your admin account and daily account that friends/family/etc cannot guess
Disable automatic login
Never enter your admin details when using your daily account (unless you need to change something in System Preferences or Finder, and even then make sure that the program requesting your admin details is in fact System Preferences/Finder)
Only install software from sources you trust, and using your admin account (thus anything which runs in your daily account will not have permission to modify installed apps)
If you must install software from sources you do not trust, use your daily account to evaluate the app, and be suspicious if you are asked to enter your admin details (if asked, do not enter them). Yes, some benign programs still require admin rights to install, but all such programs should come from sources you trust.
Be aware of what processes typically run on your system, and periodically check Activity Monitor and your Login Items for suspicious processes.
Keep your OS and all other software fully up to date (in rare circumstances, you may have to update your OS to run the updated software).
If you have a wireless network, use WPA with AES encryption, or WPA2. WEP is 'really broken' and WPA with TKIP is partially compromised (http://arstechnica.com/security/news/2008/11/wpa-cracked.ars). Again, use a strong password.
Store sensitive data in encrypted disk images, or if you're really paranoid, encrypt your entire home folder
Limit which apps are allowed outbound/inbound network connections
Don't open e-mail attachments or downloaded files that you don't trust (and be wary of your friends sending you executable files in an e-mail)


Now, I'll agree that this list doesn't make you bulletproof (e.g. it won't protect your files from being read/modified by a malicious program you run in your daily account, and it won't prevent people with physical access tampering with your machine), but AV software should be unnecessary if you do the above. And even in the worst-case-scenario future, when viruses for OS X are rampant, scanning downloaded files and periodically scanning your home folder (e.g. once a week), should be more than enough. But, as stated above, we're not there yet.

SirDice
08-29-2009, 08:27 AM
At the risk of being drawn into this back-and-forth :p , isn't the real problem (of viruses and worms, not trojans) with users whose OS/apps/plugins/etc, regardless of vendor, haven't been fully patched?
This is not always the case. Quite a lot of worms replicate without abusing any bugs in the system. Have a look at MyDoom, NetSky and a few others. These worms dominated the top10 for months on end.

cwtnospam
08-29-2009, 09:01 AM
Quite a lot of worms replicate without abusing any bugs in the system.
:eek: The idea that the system isn't flawed yet a hacker or malicious code can attack it is a brilliant example of doublethink (http://en.wikipedia.org/wiki/Doublethink)!
:rolleyes:
Malware attacks a weakness in the system. A weakness in the system is a flaw, and flaws are bugs. Even social engineering attacks require the use of software, and the fact that the software can't recognize and help defend against these attacks is a flaw/bug that will eventually be fixed at least to a large degree. ...And yes, this will be done without requiring AV software.

Let's try to avoid Orwellian Newspeak.

EatsWithFingers
08-29-2009, 09:09 AM
This is not always the case. Quite a lot of worms replicate without abusing any bugs in the system. Have a look at MyDoom, NetSky and a few others. These worms dominated the top10 for months on end.

Both MyDoom and NetSky were distributed as e-mail attachments which, when run by the user, would e-mail itself to any address found on the user's system.
http://en.wikipedia.org/wiki/Mydoom#Technical_overview
http://en.wikipedia.org/wiki/Netsky_(computer_worm)

I've since added "don't open unknown attachments" to my previous list of sensible computing habits. Plus, both Leopard and Snow Leopard will warn you when you try to run potentially unsafe files obtained from the Internet (e.g. via your browser or mail client). However, it still doesn't change the fact that there are no known worms or viruses in the wild targeting a fully patched OS X.

The OSX.Inqtana.A (http://www.securityfocus.com/brief/143) worm was a proof of concept which "exploits old vulnerabilities in Apple's Bluetooth implementation [and was] patched by Apple in June 2005."

The OS X/Leap-A (http://en.wikipedia.org/wiki/Leap_virus) virus cannot infect apps owned by a different account, so running it in a non-admin account cannot affect apps installed using an admin account (hence one of the points in my previous post). Furthermore, it also only affects OS X 10.4 (Tiger), not 10.5 (Leopard) or 10.6 (Snow Leopard).

And the OSX.RSPlug.A (http://www.symantec.com/security_response/writeup.jsp?docid=2007-110101-2320-99) and iServices (http://www.intego.com/news/ism0901.asp) trojans infect people who install apps/plugins from untrusted sources. Additionally, both of these are detected by Snow Leopard now.

Do let me know if I've overlooked any.

EDIT: There's also the keyboard firmware vulnerability (http://www.macworld.com/article/142115/2009/08/keyboard_vulnerability.html), but it's still at the proof-of-concept stage; an AV program wouldn't detect modified firmware; and infection would be mitigated by not running programs downloaded from untrusted sites, not providing your admin details whenever asked, etc.

SirDice
08-30-2009, 05:40 AM
The idea that the system isn't flawed yet a hacker or malicious code can attack it is a brilliant example of doublethink (http://en.wikipedia.org/wiki/Doublethink)!
Please educate yourself in how those worms work before claiming this.

SirDice
08-30-2009, 05:45 AM
I've since added "don't open unknown attachments" to my previous list of sensible computing habits. Plus, both Leopard and Snow Leopard will warn you when you try to run potentially unsafe files obtained from the Internet (e.g. via your browser or mail client).
This does help. At least you will get a warning when you try to run worms that work similarly to MyDoom and NetSky. Unfortunately you get that same warning with pretty much every file you download via the Internet (mail or web). Even the benign ones you receive from colleagues and/or friends. After a while people will click on accept habitually.

However, it still doesn't change the fact that there are no known worms or viruses in the wild targeting a fully patched OS X.
This is no guarantee it will never happen in the future.

SirDice
08-30-2009, 05:49 AM
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely the reverse of what it is now. The demographics of the users are the same as they are now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.

ArcticStones
08-30-2009, 06:01 AM
.
One security weakness on a Mac is that they are vulnerable to so-called macro viruses. As I understand it, that is a Microsoft weakness, and not a Mac OS weakness per se.

CWT once suggested a great way to protect against this: make your Word template (normal.dot) read-only. :)
.

SirDice
08-30-2009, 06:03 AM
.
One security weakness on a Mac is that they are vulnerable to so-called macro viruses. As I understand it, that is a Microsoft weakness, and not a Mac OS weakness per se.
Correct. The latest Office products however warn you when a document contains a macro and ask you to run it.

cwtnospam
08-30-2009, 09:00 AM
Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.
Any OS is finite. That means there are a limited number of weaknesses in it, and over time those weaknesses can be located and corrected. Naturally, new ones will crop up, but they will be fixed as they're found.

Even Windows will benefit from the above. The security advantage of OS X over Windows starts from the fact that OS X started with far fewer egregious flaws and extends to the fact that Apple is willing to abandon old technology in favor of newer, better technology. This means that they don't need to carry forward known flaws in order to maintain backwards compatibility. They've done it with the switch from OS 9 to OS X, from PowerPC to Intel*, and now with Leopard to Snow Leopard. Each step made it more difficult to crack the system while making it easier to create updates to fix security issues. There's no reason to think they won't keep doing that.

On the other hand, even if the OSes don't get more secure, there is still no good reason to waste money on AV software unless you're sticking with an amazingly insecure OS like Windows.

AV software doesn't make you more secure. It's actually been used by malware to attack PCs! Any extra security it does manage to provide is offset by the high cost of using it. Users are much better off using a system with less vulnerability than Windows and keeping it up to date.



* I note that the switch to Intel wasn't necessarily to a better technology. The first Intel Macs were slightly faster than the G5s and G4s they replaced, but they were also about two years newer and should have been significantly faster.

detorn
08-30-2009, 10:54 AM
My local sports franchise is better than yours.

cwtnospam
08-30-2009, 10:58 AM
Nah, yours is infected by worms.

detorn
08-30-2009, 11:00 AM
http://www.wormmainea.com/images/image002.gif

EatsWithFingers
08-30-2009, 11:44 AM
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely the reverse of what it is now. The demographics of the users are the same as they are now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.
OK, let's assume (in this hypothetical future) that OS X used the following implementation of the MLS paradigm (http://en.wikipedia.org/wiki/Multilevel_security), then we may be able to severely limit the damage that any malware would do, and thus limit their spread, effectiveness, appeal to criminals, etc.


Treat non-system programs as first-class users, thereby meaning that a program cannot read/write/execute files belonging to the system, other programs, or indeed the user running the program. The built-in open/save dialog and the drag/drop route would provide implicit authorisation to read/write specific user files, so programs using the OS-provided API calls would still work as expected.

The upshot of this is that a program could only read/write program files as well as user files that the user had given explicit consent to read/write (via the open/save/'save as' commands, etc). That is, a malicious program could not read or modify arbitrary user files, or those related to any other program.

Basically, any interaction that a program would have with user files would be explicitly sanctioned by the user, in a way which is no different to the current interactions that a user has with programs they run.

OK, so I'm not 100% sure how you'd handle user-programs that launch other programs, but given the restrictions upon the launched programs outlined above, I can't see there being any serious security issue.

So, to summarise, unless the user granted permission:


viruses couldn't read/modify any existing files, therefore would have no effect
worms couldn't access user files (e.g. address book, browser history) to spread effectively
macro viruses could only affect the document containing the macros, thus not being able to spread


The only effective malware would be trojans, but they would not have free rein over the user's files. Also, as noted before, I have no sympathy for users who download software from untrusted sources (OK, so the legitimate source could have been hacked...).

From a security perspective, this just leaves 0-day exploits, but the effect of any such exploit would be greatly diminished (e.g. an exploited program would still be limited in what it could read/write).

roncross@cox.net
08-30-2009, 12:55 PM
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely the reverse of what it is now. The demographics of the users are the same as they are now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.

Certainly, malware wouldn't be eradicated but that doesn't mean it would increase because there are more Mac users and less Windows users. I want to make sure I understand what you are saying. Are you implying that if it were reversed, then there would be more or less successful attacks in the form of malware, viruses, and such?

SirDice
08-30-2009, 05:28 PM
I want to make sure I understand what you are saying. Are you implying that if it were reversed, then there would be more or less successful attacks in the form of malware, viruses, and such?
Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.

SirDice
08-30-2009, 05:31 PM
Any OS is finite. That means there are a limited number of weaknesses in it, and over time those weaknesses can be located and corrected. Naturally, new ones will crop up, but they will be fixed as they're found.
You still don't seem to get the fact that MyDoom, NetSky and a few others do NOT abuse bugs in the system.

To help you a bit: http://vil.nai.com/vil/content/v_101080.htm
Please point out which vulnerability it uses.

SirDice
08-30-2009, 05:38 PM
OK, let's assume (in this hypothetical future) that OS X used the following implementation of the MLS paradigm (http://en.wikipedia.org/wiki/Multilevel_security), then we may be able to severely limit the damage that any malware would do, and thus limit their spread, effectiveness, appeal to criminals, etc.
Is this implemented yet? If so, could you point me to its documentation? I'd like to read up a bit on it.

I do believe you're on the right track. But I'm not so sure if users want this. Since nobody knows exactly what all the different users in the world are doing with their computer it'll be hard to settle on a default configuration for this. So the default would probably be either too restrictive (and users will start hating it) or too relaxed (and offer too little protection).

roncross@cox.net
08-30-2009, 06:34 PM
Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.


I think you are dead wrong and it hurts your credibility to state this. I know a true security expert, Jay, that I have worked with in the past and he has wholeheartedly refuted your claim that just because Mac has more market share, they are more vulnerable. His statement is below and I'm sure even you will find this hard to dispute. You are starting to sound more like a novice than an expert.

I'll rest my case:

"
Of course, only time will tell, but I have a *really* hard time buying
this argument. I do not believe that the number of installations for a
given platform really has any significant bearing on the number of virii
or exploits for that platform.

**All else being equal**, this argument might work. However, in the real
world, "all else" is not equal. Platforms (OS, applications, protocols,
whatever) are very different. We can not say that OS X, Windows, Linux,
Solaris, etc... are the "same" from a security perspective except for the
number of virii for each platform. This would be far from the truth. These
platforms are all very different and each has its strengths and
weaknesses. Some are better at security than others.

All else being equal, more market share equals more security problems. Ok,
I will buy that. However, in the real world, that does not seem to hold
up. Here are some non-scientific examples:

* There are dozens of MILLIONS of non-Windows machines in the world.
However, 99.999999% (or some ridiculous number) of all virii are only
Windows specific. If someone could write an effective UNIX virus, they
would have the potential of hitting 50+ MILLION (a conservative
number) machines. Sounds like a good sized pool of targets to me, but
there are effectively no significant UNIX virii.

* The Apache web server has well over 65% market share, while IIS has
about 20%. However, there are MANY more severe
virii/exploits/vulnerabilities in IIS than there are in Apache. Note: I am
NOT saying Apache does not have any vulnerabilities. I am simply saying
that if the market share argument were accurate in the real world, the
number of Apache exploits should be more than triple the number of IIS
exploits. This is not even close to being the case. Increased market share
does not equal decreased security.

* When we look at DNS servers, it is even better. BIND has over 80%
market share, but it does not have rampant security problems. Think of all
the havoc a little script kiddie could cause by hitting 80% of the world's
DNS servers! However, this has not happened. We do not see tons of new
BIND virii every day. Why? Increased market share does not equal decreased
security.

* Sendmail+Qmail+Postfix account for easily 80% of the world's email
servers. However, compared to Exchange, the share of security problems is
nowhere near proportional to market share. Increased market share does not
equal decreased security.

Again, only time will tell for sure.

~Jay"

Sesquipedalian
08-30-2009, 07:14 PM
You still don't seem to get the fact that MyDoom, NetSky and a few others do NOT abuse bugs in the system.

To help you a bit: http://vil.nai.com/vil/content/v_101080.htm
Please point out which vulnerability it uses.

This seems like one to me:
System changes
The worm copies itself into %WinDir% (eg. C:\WINDOWS) folder using the filename FOODING.EXE.

C:\%WinDir%\fooding.exe (22,016 bytes)
Note: A valid file exists in the %Sysdir% directory.

A Registry key is created to load the worm at system start.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
"Antivirus" = %WinDir%\fooding.exe -antivirus service

cwtnospam
08-30-2009, 08:18 PM
You still don't seem to get the fact that MyDoom, NetSky and a few others do NOT abuse bugs in the system.
No, you refuse to accept the fact that a flaw which can be abused by software is a bug. Therefore, any successful malware must abuse bugs in the system. Trojans for example abuse the flaw in the design of every current OS which allows any application to disguise itself as any other application. No doubt it will be decades before there is even an attempt to fix this flaw, but that doesn't change the fact that it is a flaw/bug.

Of course, I understand that you can't accept this fact. It would require putting the blame for weak security back on the OS and that wouldn't be good for selling useless AV software. Better to blame the users.

ArcticStones
08-31-2009, 01:09 AM
.
Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.

I agree with Ron Cross: You are dead wrong. Market share is not the reason for Mac OS X being virus free to date! Let me just add one small point to Ron’s thorough rebuttal. Many viruses are created by hackers to attain status in their community, hence a natural question is:

What do you think would give you most prestige -- designing Virus No. 114,001 for Windows, or designing the very first one for Mac OS X?

Since 2001 OS X has been available for Mac desktops (and since 1999 for servers). And yet there is still no self-replicating OS X virus in the wild. Why, even for Classic there is still only a handful!

After more than 8 years, no hacker has stepped forward to claim his due fame.

I rest my case.
.

EatsWithFingers
08-31-2009, 06:18 AM
Is this implemented yet? If so, could you point me to its documentation? I'd like to read up a bit on it.
Sorry, but there's no implementation of this as far as I am aware. It's just an idea that I had a month or so ago when thinking about some of the "virus free" claims that Google were making about their upcoming Chrome OS.

I do believe you're on the right track. But I'm not so sure if users want this. Since nobody knows exactly what all the different users in the world are doing with their computer it'll be hard to settle on a default configuration for this. So the default would probably be either too restrictive (and users will start hating it) or too relaxed (and offer too little protection).
Indeed. There is always a trade-off between security and useability. There's no point in making a super-secure OS if no-one wants to use it.

SirDice
08-31-2009, 07:07 AM
This seems like one to me:

That's not a bug.

cwtnospam
08-31-2009, 07:16 AM
that's not a bug.

lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha!

I suppose it's a feature?

lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha!

SirDice
08-31-2009, 07:17 AM
No, you refuse to accept the fact that a flaw which can be abused by software is a bug. Therefore, any successful malware must abuse bugs in the system. Trojans for example abuse the flaw in the design of every current OS which allows any application to disguise itself as any other application. No doubt it will be decades before there is even an attempt to fix this flaw, but that doesn't change the fact that it is a flaw/bug.
It is not a bug. Just because a standard user is able to write there doesn't make it a bug. It's similar to an OS-X admin user being able to write to /Applications (and quite a few other directories). Remove the admin/administrator privileges and it won't work anymore.

That said removing admin/administrator is no guarantee. If you simply rewrite NetSky to use HKEY_CURRENT_USER instead of HKEY_LOCAL_MACHINE and %APPDATA% instead of %WINDIR%, NetSky won't need administrator privileges and it would be just as potent.

Similarly an OS-X variant could use ~/Applications and/or ~/Library/LaunchAgents/.
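
[Added example, not part of any post in this thread.] A defender's check for the per-user launch location named in the post above (~/Library/LaunchAgents), which also serves the earlier "periodically check your Login Items" habit: it parses launchd agent plists and flags entries that are unreviewed, mislabelled, unreadable, or started from a user-writable path. The sample plists, labels, paths, and baseline are constructed, and the list of user-writable prefixes is an assumption of this example.

```python
"""List launchd agents and flag the ones worth a closer look."""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumption for this example: an executable under one of these prefixes can
# be replaced by an ordinary (non-admin) account.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def program_of(job):
    """Return the executable a launchd job starts, or None if it names none."""
    program = job.get("Program")
    if isinstance(program, str):
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def audit_agents(directory, baseline=frozenset()):
    """Parse every *.plist in `directory`; return findings for suspicious ones.

    `baseline` is the set of Labels you have already reviewed and accepted.
    """
    findings = []
    for path in sorted(Path(directory).expanduser().glob("*.plist")):
        reasons = []
        label = program = None
        auto = False
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)  # reads XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("top-level object is not a dictionary")
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError) as exc:
            reasons.append(f"unreadable plist ({type(exc).__name__})")
        else:
            label = job.get("Label")
            program = program_of(job)
            auto = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
            if label not in baseline:
                reasons.append("label not in reviewed baseline")
            if label != path.stem:
                # By convention the file is named <Label>.plist.
                reasons.append("Label does not match file name")
            if program is None:
                reasons.append("no program specified")
            elif program.startswith(USER_WRITABLE_PREFIXES):
                reasons.append("program lives in a user-writable location")
        if reasons:
            findings.append({
                "file": path.name,
                "label": label,
                "program": program,
                "starts_automatically": auto,
                "reasons": reasons,
            })
    return findings


def build_sample_dir():
    """Create a temp directory of constructed agent plists for the demo."""
    root = Path(tempfile.mkdtemp(prefix="launchagents-demo-"))
    samples = {
        # Constructed: a reviewed agent installed under /Applications.
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": [
                "/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        # Constructed: file name and Label disagree, binary sits in a home folder.
        "com.example.helper.plist": {
            "Label": "com.constructed.kbdwatch",
            "Program": "/Users/alice/Library/.cache/kbdwatch",
            "RunAtLoad": True,
            "KeepAlive": True,
        },
    }
    for name, job in samples.items():
        with (root / name).open("wb") as fh:
            plistlib.dump(job, fh)
    (root / "broken.plist").write_bytes(b"not a plist")  # constructed bad file
    return root


if __name__ == "__main__":
    # On a Mac, pass "~/Library/LaunchAgents" instead of the sample directory.
    for f in audit_agents(build_sample_dir(), baseline={"com.example.updater"}):
        print(f["file"], f["program"], "; ".join(f["reasons"]))
```

A finding is a prompt to look at the file, not a verdict: plenty of legitimate agents run from a home folder, which is why the reviewed baseline matters.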

SirDice
08-31-2009, 07:21 AM
Many viruses are created by hackers to attain status in their community
This may have been true a couple of years ago, it certainly isn't anymore. These days it's about money, how to get WoW, Steam, whatever accounts. How to get into your bank account, steal your CC information etc..

cwtnospam
08-31-2009, 07:32 AM
This may have been true a couple of years ago, it certainly isn't anymore. These days it's about money, how to get WoW, Steam, whatever accounts. How to get into your bank account, steal your CC information etc..
:rolleyes:
Yeah, so you're saying that for 6 out of the 8 years these guys were dying to write a Mac virus but couldn't? And we're all supposed to ignore the enormous attention (relative to market share) that is paid to the Mac OS at various "Black Hat" conventions and the celebration at the success of a mere proof of concept attack?

And Mac users have less money than PC users, so why attack them? No, wait! I've got that backwards, don't I?

One more thing: Bugs come in all shapes and sizes. It is not necessary for a bug to cause a buffer overflow or some other error in order to be a bug. There can be, and are, bugs in the overall design of a system.

cwtnospam
08-31-2009, 07:35 AM
It is not a bug. Just because a standard user is able to write there doesn't make it a bug. It's similar to an OS-X admin user being able to write to /Applications (and quite a few other directories). Remove the admin/administrator privileges and it won't work anymore.
:rolleyes:
Yeah, so where's the OS X equivalent of these attacks? Answer: nowhere.

SirDice
08-31-2009, 07:44 AM
:rolleyes:
Yeah, so you're saying that for 6 out of the 8 years these guys were dying to write a Mac virus but couldn't? And we're all supposed to ignore the enormous attention (relative to market share) that is paid to the Mac OS at various "Black Hat" conventions and the celebration at the success of a mere proof of concept attack?
There have been various attacks. None of them reached a big audience simply because of the numbers involved. As I've said before there's still only a 1 in 10 chance a visitor on your website or a recipient of your email is a Mac user. It simply has more impact to write for the predominant OS on the desktop.

One more thing: Bugs come in all shapes and sizes. It is not necessary for a bug to cause a buffer overflow or some other error in order to be a bug. There can be, and are, bugs in the overall design of a system.
Which only means that OS-X has similar "bugs".

ArcticStones
08-31-2009, 07:55 AM
.
lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha!

I suppose it's a feature?

lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha! Lol! Ahahaha!

Please, gentlemen. Tempting though it may be, no smiling out loud!
Oh, heck. I'm grinning from ear to ear myself... :D
.

cwtnospam
08-31-2009, 08:58 AM
Which only means that OS-X has similar "bugs".
Which means that your argument fails yet again: there aren't similar successful attacks anywhere near 10% of the scale found in Windows. There aren't even 0.01% of the number of successful attacks.

hayne
08-31-2009, 10:06 AM
Since this thread has become a discussion, I moved it to the Coat Room.

anika123
08-31-2009, 10:58 AM
Thanks hayne. Anyway, here is some more fuel for the fire or maybe slightly interesting.

http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=219500492

cwtnospam
08-31-2009, 11:10 AM
Thanks hayne. Anyway, here is some more fuel for the fire or maybe slightly interesting.

http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=219500492

Well that really captures the essence of what's going on here:

Mac users are getting new security features with the arrival of Apple's Mac OS X 10.6, but some security vendors say those enhancements are lightweight.
and:
The release on Friday of Apple's Mac OS X 10.6, known as "Snow Leopard," has elicited criticism from security companies, which may have business to lose if Apple's latest operating system reduces interest in third-party security software.

Prediction: No matter what any OS vendor does to their system, "security" companies will always claim that it's not enough, and that their users are too complacent. That is of course only if they feel they aren't making enough sales to users of that OS. If they're making good sales, then all is as it should be. Quantity and quality of actual exploits is irrelevant.

SirDice
08-31-2009, 11:45 AM
Which means that your argument fails yet again: there aren't similar successful attacks anywhere near 10% of the scale found in Windows. There aren't even 0.01% of the number of successful attacks.

Because the security features (or bugs depending on your view) of both OS-X and Windows are similar this discrepancy must have a different underlying reason. Simply stating there's less malware for OS-X because of its security features uses circular reasoning and adds nothing to the question: What makes OS-X less attractive for malware writers?

There are plenty of opportunities (and I don't mean bugs) for malware to infect OS-X. I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now). Given enough years at that level I'm quite sure the total amount will equal or perhaps surpass the numbers we see now attacking Windows.

cwtnospam
08-31-2009, 11:56 AM
What makes OS-X less attractive for malware writers?
The answer is obvious: degree of difficulty. Every announced exploit for OS X to date requires too many special circumstances to be successful. There's no reason to think that will change.
There are plenty of opportunities (and I don't mean bugs) for malware to infect OS-X. I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now).
You do mean bugs. There's no other way to infect any system of any kind than to exploit a bug in the system.

Of course the amount of malware will rise over time! It's impossible to stay at zero forever. The question is, how much time? At the current rate, I'd expect the Sun to vaporize us first.
Given enough years at that level I'm quite sure the total amount will equal or perhaps surpass the numbers we see now attacking Windows.
Sure, but by that time our civilization will have long since vanished.

ArcticStones
08-31-2009, 01:56 PM
.
Simply stating there's less malware for OS-X because of its security features uses circular reasoning and adds nothing to the question: What makes OS-X less attractive for malware writers?
(my emphasis)

Quite the contrary. As I pointed out in my post below, there is a whole class of hackers for whom OS X is more attractive than Windows. The question is why none of them have been able to write a successful, self-replicating virus.

Let me repeat the salient point of my post:

What do you think would give you most prestige -- designing Virus No. 114,001 for Windows, or designing the very first one for Mac OS X?


After more than 8 years, no hacker has stepped forward to claim his due fame.

SirDice
08-31-2009, 03:11 PM
You do mean bugs. There's no other way to infect any system of any kind than to exploit a bug in the system.
No, I can write a perfectly working NetSky variant for OS-X. No need to abuse bugs.

SirDice
08-31-2009, 03:25 PM
Let me repeat the salient point of my post:

What do you think would give you most prestige -- designing Virus No. 114,001 for Windows, or designing the very first one for Mac OS X?

This is simply due to numbers. As I've said before the number of OS-X users hasn't gained critical mass yet that would allow a worm or a virus to wreak havoc.

Suppose a worm became active on your system, it starts harvesting email addresses from your computer and sends out copies of itself. There's only a 1 in 10 chance the recipient will also be running OS-X. This means that propagation will be extremely slow. Too slow to sustain it and it will die a slow death infecting only a few people.

cwtnospam
08-31-2009, 03:32 PM
No, I can write a perfectly working NetSky variant for OS-X. No need to abuse bugs.
A) I won't hold my breath.
B) All that would prove is that the Mac OS had a similar flaw/bug.

Suppose a worm became active on your system, it starts harvesting email addresses from your computer and sends out copies of itself. There's only a 1 in 10 chance the recipient will also be running OS-X. This means that propagation will be extremely slow. Too slow to sustain it and it will die a slow death infecting only a few people.
:rolleyes:
Which explains how viruses have never successfully run on other platforms with far fewer users than the Mac. Oh, wait, there have been successful viruses on those platforms! Never mind.
:rolleyes:

SirDice
08-31-2009, 03:45 PM
Oh, wait, there have been successful viruses on those platforms!
And those are?

cwtnospam
08-31-2009, 04:34 PM
You're kidding, right? There have been viruses for Linux, which has about 10% of the market share of OS X, there were viruses for the Symbian OS early on when it had just a few hundred thousand users, there have been viruses for embedded systems, etc.

EatsWithFingers
08-31-2009, 04:42 PM
I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now). Given enough years at that level I'm quite sure the total amount will equal or perhaps surpass the numbers we see now attacking Windows.
This is simply due to numbers. As I've said before the number of OS-X users hasn't gained critical mass yet that would allow a worm or a virus to wreak havoc.
To side with SirDice for a change, there is merit in these statements.

EDIT: the following should probably be couched in terms of non-trojan malware, since no OS can protect against those. (all forms of malware is probably more accurate)

Many people (not necessarily those participating in this thread) seem to believe that there is a linear relationship between the market share of a given OS and the amount of malware targeting that platform. Using this assumption, since Windows has 32 times the market share (3% to 96%), there should be 1/32 as many pieces of malware for OS X (i.e. 6250 - assuming 200000 pieces of malware for Windows).

Now, because there aren't 6250 pieces of malware targeting OS X, people then assume that OS X must be more secure.

However, the relationship between market share and malware proliferation is unlikely to be linear. Imagine, if you will, that the amount of malware doubles for every extra 5% of market share (i.e. an exponential relationship). Then, OS X should have roughly 1/(2^18) as much malware.

And what is 200000 * 1/(2^18)? It's 0.763. Seems pretty accurate, no? (i.e. Windows and OS X are about equal in terms of security)


OK, so the relationship may not be the exponential one I suggested either, but the argument is basically this: has OS X reached the critical mass of users where malware authors think it is worthwhile spending time and money to target the platform? SirDice appears to think not, cwtnospam and ArcticStones appear to think so. Personally, I'm not sure - but would have to say "not" if really pushed (EDIT: I feel ~10% will be the litmus test).

NaOH
08-31-2009, 04:45 PM
As I've said before the number of OS-X users hasn't gained critical mass yet that would allow a worm or a virus to wreak havoc.

I've spoken to a couple dozen friends and family who have considered switching to Apple. Invariably, security is one of the issues discussed, and I've told them all the same thing, that in 25+ years of Apple ownership I have never used antivirus-type software.

Mind you, these are not advanced users, so they're always amazed. Of course, they ask why I don't take such a common measure which is something nearly all PC users do. My answer is always the same, and it comes down to three points, in no particular order.

Security: The Apple OS and its built-in software are inherently more secure than the Microsoft equivalents.

Market Share: Hackers who are out to do harm are like people who send spam. The more potential targets they can lure with one fell swoop, the better it is for them. At the same time, the significant increase in the number of Apple computers in the last 5-8 years has not been met with a corresponding increase in viruses/malware/trojans, etc.

Living in the Good Part of Town: I think this idea came from Gruber, but I'm not certain. The Apple user base is like living in an affluent neighborhood. People respond quickly, decisively and cooperatively to threats, just like homeowners in such a neighborhood respond to acts of vandalism.

The Windows world, in contrast, is like living in a bad neighborhood where various crimes are considered part of the territory. You can hear this in the casual way PC users say things like, "I had to take my PC in to the shop because it got all messed up by something the kids downloaded." They're annoyed by the inconvenience, but they accept this as part of living in the Windows neighborhood.


None of this is to say things can't or won't change for Apple users. For now, though, it's ridiculously secure for the average user. And to say that Apple security is strictly due to market share is specious, narrow-minded, and blindingly imperceptive since few things in this world are actually so black and white.

cwtnospam
08-31-2009, 04:53 PM
To side with SirDice for a change, there is merit in these statements.
There is accuracy in saying that with increased exposure and the passage of time, the number of attacks will likely rise, but not merit. It has no other purpose other than to scare people into wasting money on AV software. Sure, attacks will rise, but there's no reason to believe they'll be widespread or significantly successful. Even if someday they are successful, nothing a user does now will mitigate them. We simply have to wait and see, then react if it becomes necessary.

EatsWithFingers
08-31-2009, 05:03 PM
There is accuracy in saying that with increased exposure and the passage of time, the number of attacks will likely rise, but not merit. It has no other purpose other than to scare people into wasting money on AV software. Sure, attacks will rise, but there's no reason to believe they'll be widespread or significantly successful. Even if someday they are successful, nothing a user does now will mitigate them. We simply have to wait and see, then react if it becomes necessary.

Maybe accuracy would have been a better choice of word. Regardless, I wasn't suggesting that OS X users need to use AV software now. In fact, I said as much in my first post in this thread (http://forums.macosxhints.com/showpost.php?p=549335&postcount=104):

People should be conditioned to use sensible computing habits, not conditioned to use AV software. If a time comes when using AV software is considered to be a sensible computing habit on OS X, then so be it, but that time has not yet come.
(emphasis added)

cwtnospam
08-31-2009, 05:15 PM
I wasn't suggesting that OS X users need to use AV software now.
Sorry, I didn't mean to imply that you were! My problem is with those who call Mac users complacent because we're not wasting time and money on it.

newspypig
08-31-2009, 10:50 PM
Just checked your activity monitor image.
There is no spy software in it

SirDice
09-01-2009, 02:56 PM
OK, so the relationship may not be the exponential one I suggested either, but the argument is basically this: has OS X reached the critical mass of users where malware authors think it is worthwhile spending time and money to target the platform? SirDice appears to think not, cwtnospam and ArcticStones appear to think so. Personally, I'm not sure - but would have to say "not" if really pushed (EDIT: I feel ~10% will be the litmus test).
That's exactly my point and you're spot on about the non-linearity of the amount of malware :D

I found a nice little formula that explains a bit of the propagation factors of a worm, I hope I can put it down here using only ascii and still be readable...

N(t) = e^( ( g - a ) * ( t / Ti ) )

N = total number of worms
t = amount of time passed
e = Euler's number (2.71828 etc.)
g = number of copies a worm sends out in an infection cycle
a = number of worms that are absorbed (i.e. Mac worm sent to a Windows host)
Ti = infection cycle

The infection cycle (Ti) is about 1 hour for e-mail worms. This might even be a little less these days as a lot of people have an 'always on' connection and check their e-mail every 5 min.

For the total amount of worms (N) to grow exponentially over time (g - a) needs to be > 1. To make that happen either g needs to increase dramatically or a needs to decrease. Since g is pretty much limited to the average bandwidth a user has, a worm has an upper limit on the amount of copies sent out in an infection cycle.

Currently (g - a) < 1 which means that any worm sent out now will die a slow death on its own. When the market share of OS-X increases at some point (g - a) > 1 (critical mass) and that's when the proverbial ***** will hit the fan.

SirDice
09-01-2009, 03:09 PM
I've spoken to a couple dozen friends and family who have considered switching to Apple. Invariably, security is one of the issues discussed, and I've told them all the same thing, that in 25+ years of Apple ownership I have never used antivirus-type software.
I know it's a long time ago but (one of) the very first viruses was written for none other than..... (drum roll).... Apple

http://en.wikipedia.org/wiki/Elk_Cloner_%28computer_virus%29

Oh, and I've been using Windows since 3.1 (that's 15+ years ago) and I never used any anti-virus either.

Security: The Apple OS and its built-in software are inherently more secure than the Microsoft equivalents.
Have you actually used any Windows after W9x? You do realize Windows has the exact same security model?


Market Share: Hackers who are out to do harm are like people who send spam. The more potential targets they can lure with one fell swoop, the better it is for them. At the same time, the significant increase in the number of Apple computers in the last 5-8 years has not been met with a corresponding increase in viruses/malware/trojans, etc.
Yes there's a significant increase but it still pales in comparison to 90%.. Suppose you had $5 and had a choice between 2 lottery tickets, one with a 10% chance of winning $50.000 or one with a 90% chance of winning $10.000. Which would you choose?


Living in the Good Part of Town: I think this idea came from Gruber, but I'm not certain. The Apple user base is like living in an affluent neighborhood. People respond quickly, decisively and cooperatively to threats, just like homeowners in such a neighborhood respond to acts of vandalism.

The Windows world, in contrast, is like living in a bad neighborhood where various crimes are considered part of the territory. You can hear this in the casual way PC users say things like, "I had to take my PC in to the shop because it got all messed up by something the kids downloaded." They're annoyed by the inconvenience, but they accept this as part of living in the Windows neighborhood.

Nice :)
But times will change when the baddies will move into your nice little neighborhood. This is what inevitably will happen when market share increases. Everybody wants to live in that nice neighborhood. Since Apple is about making money they will sell to anyone that forks over the cash. Including all the dweebs, noobs and lowlifes that now plague the Windows neighborhood. Soon they will become your new neighbors and the value of your property will drop :eek:

cwtnospam
09-01-2009, 03:17 PM
Very impressive looking.
Unfortunately, your understanding of the equation is lacking or you wouldn't have bothered posting it. Let g be a small number, say 10, and let 'a' be a smaller number, say 5, then let 't' be any number of weeks and 'Ti' be 2 weeks and you've got an exponentially increasing attack:
N(t) = e^(5*t/2) = e^2.5t

Obviously not going to happen.

Thanks for playing though.

cwtnospam
09-01-2009, 03:21 PM
Have you actually used any Windows after W9x? You do realize Windows has the exact same security model?
:rolleyes:
Of course they do! They also have the exact same UI model: point and click. The difference in both cases is poor execution.

SirDice
09-01-2009, 03:36 PM
You're kidding, right? There have been viruses for Linux, which has about 10% of the market share of OS X, there were viruses for the Symbian OS early on when it had just a few hundred thousand users, there have been viruses for embedded systems, etc.

According to cwtnospam none of those are considered 'successful'.

Those Linux viruses were aimed at servers. There are quite a lot more Linux servers compared to OS-X. Slightly different ratios compared to desktop OS. Nonetheless, even on Linux you need to be careful.

The Symbian worms hardly made a dent. Heck, even I wouldn't consider them successful. Doesn't mean they don't exist or you shouldn't be aware of them.

But thanks for proving my point. I'm trying to convey here that you need to be aware viruses, worms and malware in general are possible on all sorts of systems, including OS-X.

SirDice
09-01-2009, 03:38 PM
Very impressive looking.
Unfortunately, your understanding of the equation is lacking or you wouldn't have bothered posting it. Let g be a small number, say 10, and let 'a' be a smaller number, say 5, then let 't' be any number of weeks and 'Ti' be 2 weeks and you've got an exponentially increasing attack:
N(t) = e^(5*t/2) = e^2.5t

Obviously not going to happen.
Ha.. For a to be 5 there would need to be at least a 50% market share, hence proving my point of a critical mass :p

a is the number of duds sent out. So that'll be vigilant Mac users that don't trust it (and therefore don't execute it) and Windows users that simply cannot run it (plus a few other factors like getting corrupted during sending etc).

So for your simple number g=10, a is at least 9 (OS-X only has 10% market share remember?) making (g-a)=1.

cwtnospam
09-01-2009, 05:43 PM
According to cwtnospam none of those are considered 'successful'.

Those Linux viruses were aimed at servers. There are quite a lot more Linux servers compared to OS-X. Slightly different ratios compared to desktop OS. Nonetheless, even on Linux you need to be careful.

The Symbian worms hardly made a dent. Heck, even I wouldn't consider them successful. Doesn't mean they don't exist or you shouldn't be aware of them.
First, they affected a much larger percentage of their respective systems than any OS X attack to date.
Second, the Symbian worms hit thousands of users at a time when there were well under a million phones that had the OS. You're right that it's not a dent: it's a major collision.
I'm trying to convey here that you need to be aware viruses, worms and malware in general are possible on all sorts of systems, including OS-X.
No, you're trying to sell snake oil.
Ha.. For a to be 5 there would need to be at least a 50% market share, hence proving my point of a critical mass :p
No, I'm saying that with an arbitrary set of possible numbers (as in 10 worms and 5 infections) your equation falls apart. It's not a good representation of reality, especially since we are talking about a very small number of potential attacks at any point in time. You're trying to use Science as a marketing tool without doing any real science.

EatsWithFingers
09-01-2009, 05:46 PM
I found a nice little formula that explains a bit of the propagation factors of a worm, I hope I can put it down here using only ascii and still be readable...

N(t) = e^( ( g - a ) * ( t / Ti ) )

[..]


If you mean the SIS formula for epidemic outbreaks (http://en.wikipedia.org/wiki/Epidemic_model#The_SIS_Model_with_Births_and_Deaths) then the formula you want is:

N(t) = z(1-p) / ( z + (1-p-z)e^-((B-d)t) )

where N(t) is the fraction of hosts infected after time t, z is the fraction of hosts initially infected, B is the birth rate (i.e. number of copies a single worm sends out each time), d is the death rate (i.e. number of worms sent out which fail to infect a new host), p is d/B (i.e. the fraction of immune hosts) and e is Euler's number as before (2.71828... ).

(Source (http://www.mathaware.org/mam/06/Chen.pdf))

Just to be clear, SirDice, I am not saying your version of the formula is wrong, but rather providing additional information

Some points to note are:


The initial fraction of infected hosts, z, can be assumed to be tiny (i.e. one computer on the Internet)
1-p is equal to the chance that a random machine can be infected (e.g. currently 0.05 for OS X, 0.92 for Windows, 0.03 for Linux)
As time tends to infinity, the percentage of infected hosts will tend towards 1-p (this is because the SIS model does not take into account the possibility of non-immune targets becoming immune at a later stage)
The rate at which the worm spreads is entirely dependent upon (B-d) - the other numbers in the formula constitute linear multipliers of e^((B-d)t) and are thus insignificant when compared to an exponential factor
The intention behind AV software is to increase d (EDIT: of course, many other things can help too - e.g. keeping your OS fully patched)


However, the above formula does not concern itself with how likely an outbreak is in the first place. It just deals with modelling the resulting spread. In other words, it does not answer the question of how likely it is that new malware will appear for a particular OS platform (which brings us back to debating the presence or otherwise of a motivation for malware writers to target OS X).
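
The closed form quoted in the post above, evaluated as an added example that is not part of the original thread: it shows that the ceiling is 1-p whatever the speed, while the time to get there depends on (B-d). Assumptions made here: t is counted in infection cycles, B = 10 copies per cycle (the g = 10 used earlier in the thread), z = 1e-8, d = B*p, and the platform shares are the ones listed in the post.

```python
"""SIS worm-spread closed form from the post, evaluated for different platform shares."""
import math


def sis_fraction(t, z, B, d):
    """Fraction of ALL hosts infected at time t.

    z: fraction infected at t = 0
    B: copies each worm sends per cycle (birth rate)
    d: copies per cycle that fail to infect a host (death rate)
    t: elapsed time in infection cycles (assumption of this example)
    """
    if not 0 < z < 1 or B <= 0 or d < 0 or t < 0:
        raise ValueError("need 0 < z < 1, B > 0, d >= 0, t >= 0")
    rate = B - d
    ceiling = 1 - d / B              # 1 - p in the post's notation
    if rate == 0:
        # The quoted formula is 0/0 here; this is the limit of the same model.
        return z / (1 + B * z * t)
    exponent = -rate * t
    if exponent > 700:               # only reachable when d > B: the worm has died out
        return 0.0
    return z * ceiling / (z + (ceiling - z) * math.exp(exponent))


def cycles_to_half_ceiling(z, B, d):
    """Cycles until half of the reachable hosts (ceiling / 2) are infected."""
    rate = B - d
    ceiling = 1 - d / B
    if rate <= 0 or z >= ceiling / 2:
        raise ValueError("needs B > d and z below half of the ceiling")
    return math.log((ceiling - z) / z) / rate


def compare_platforms(shares, B=10.0, z=1e-8):
    """Treat every copy that lands on another platform as absorbed: d = B * (1 - share)."""
    table = {}
    for name, share in shares.items():
        d = B * (1 - share)
        table[name] = {
            "ceiling": 1 - d / B,
            "rate": B - d,
            "cycles_to_half": cycles_to_half_ceiling(z, B, d),
        }
    return table


# Shares quoted in the post; B and z are constructed values.
SHARES = {"OS X": 0.05, "Windows": 0.92, "Linux": 0.03}

if __name__ == "__main__":
    for name, row in compare_platforms(SHARES).items():
        print(f"{name:8s} ceiling={row['ceiling']:.2f} "
              f"rate={row['rate']:.1f} cycles_to_half={row['cycles_to_half']:.1f}")
    # Raising d (filtering, patching) on the 0.92-share platform slows the spread:
    for d in (0.8, 5.0, 9.5):
        print(f"d={d}: fraction after 3 cycles = {sis_fraction(3, 1e-8, 10.0, d):.3e}")
```

Anything that raises d lowers both the ceiling and the rate, which is the role the post assigns to AV software and patching.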

SirDice
09-02-2009, 02:11 AM
No, I'm saying that with an arbitrary set of possible numbers (as in 10 worms and 5 infections) your equation falls apart.
Your assumption of the numbers is wrong as a is directly related to market share. Currently when a worm sends out 10 copies, 9 of them end up on a Windows host and can do no harm there. Getting 5 infections when sending out 10 worms means there's a 50% market share.

It's not a good representation of reality, especially since we are talking about a very small number of potential attacks at any point in time. You're trying to use Science as a marketing tool without doing any real science.
No, I'm trying to explain why there hasn't been a major outbreak. Currently there's indeed a small chance, the formula shows that any worm will die out by itself at this point in time. However, it also shows that when the numbers are right there will be an epidemic.

SirDice
09-02-2009, 02:19 AM
However, the above formula does not concern itself with how likely an outbreak is in the first place. It just deals with modelling the resulting spread. In other words, it does not answer the question of how likely it is that new malware will appear for a particular OS platform (which brings us back to debating the presence or otherwise of a motivation for malware writers to target OS X).

It more or less does prove the likelihood. Albeit indirect perhaps. As the numbers are right now it's clear that a worm will die out by itself and never reach its full potential even if it would use 'killer code' that can infect every single OS-X host it encounters. So writing one to become the next Melissa for Mac is somewhat futile at this point in time.

EatsWithFingers
09-02-2009, 05:16 AM
It more or less does prove the likelihood. Albeit indirect perhaps.
Maybe I wasn't clear with my final statement. What I meant was the formula only models the spread of a worm once it exists. It does not deal with the likelihood of that worm existing in the first place. And that is the contentious point when it comes to discussing the relative security of two different platforms.

As the numbers are right now it's clear that a worm will die out by itself and never reach its full potential even if it would use 'killer code' that can infect every single OS-X host it encounters. So writing one to become the next Melissa for Mac is somewhat futile at this point in time.
I'm not sure about your formula, but the one I posted shows that any given worm will eventually infect all possible hosts. So, in your example, all systems running OS X that remained unpatched would become infected. This is independent from the market share of OS X and only relies on every Mac being somehow connected to another Mac (e.g., every Mac owner having the e-mail address of at least one other Mac owner in their address book).

EDIT: I do agree that the rate of spread is related to market share, and thus in the case of OS X, it will be low enough that the vast majority of systems will be patched before any real damage is done.

ArcticStones
09-02-2009, 05:25 AM
.
Thank you for your impressive thoroughness and patience, EatsWithFingers.

As I understand it, we can now permanently park the notion that 8 virus-free years of OS X is due to low market share, as misguided.
.

SirDice
09-02-2009, 06:29 AM
Maybe I wasn't clear with my final statement. What I meant was the formula only models the spread of a worm once it exists. It does not deal with the likelihood of that worm existing in the first place.
Yes, I agree to that. But perhaps I wasn't too clear either. What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.

So, in your example, all systems running OS X that remained unpatched would become infected.
As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.

cwtnospam
09-02-2009, 06:33 AM
As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.

Geez, if 10% of what you say were true, the Mac would be full of malware by now. We've got hackers salivating every time anyone announces any kind of OS X vulnerability, and writing lame trojans that can't get past the first ten people to see them, yet you'd have us believe they're not interested in trying to write malware!

What color is the sky in your world?

NaOH
09-02-2009, 06:40 AM
currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X.

I thought the issue was market share, not the speed of propagation. How much slower is the rate of propagation for the current 100 million people using an OS X-based platform compared to if the install base reaches 150 million? 33%?

If a self-described security professional can't be clear about all this, it's no wonder billions of computer users have trouble understanding the risks and how they might best protect themselves.

SirDice
09-02-2009, 06:41 AM
I thought the issue was market share, not the speed of propagation.
Then you haven't been paying attention. Propagation speed is directly related to market share.

cwtnospam
09-02-2009, 06:55 AM
Speed, not interest in creating one. But I'm sure you'll go on ignoring all those guys who spend months creating an implausible real world hack (like pre-infecting a Mac to make cracking it easy) just so they can go to a black hat convention and demonstrate a theoretical Mac vulnerability.

NaOH
09-02-2009, 07:04 AM
Speed is not related to market share. Breadth of impact is. If you think I haven't been paying attention, please explain the following market share-related quotes, all by you:

I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now).

Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.

There have been various attacks [on the Mac]. None of them reached a big audience simply because of the numbers involved.

I see no reason why the number of OS-X malware wouldn't rise when its market share will be at 90% (opposite to what it is now). Given enough years at that level I'm quite sure the total amount will equal or perhaps surpass the numbers we see now attacking Windows.

As I've said before the number of OS-X users hasn't gained critical mass yet that would allow a worm or a virus to wreak havoc.

But times will change when the baddies will move into your nice little [Apple] neighborhood. This is what inevitably will happen when market share increases.

Please, have a look at what you've written before suggesting I'm not paying attention. One minute you've claimed that the Mac will have the same number of malware threats as Windows when the user base reaches some imaginary critical mass you've not defined.

At other times you're saying your point is simply that people should be careful, but you've spent loads more time defending your baseless conjecture rather than offering a semblance of helpful advice to those who might stand to learn something about security.

After that, you slide into statements like a Mac "worm will die out by itself and never reach its full potential." Please, I'm no security expert, but by that logic no worm will ever reach its full potential until every living person has an infinite amount of computers and they're all connected to the Internet.

And you've made all those claims without any supporting evidence other than the fact that no OS is completely secure. Seriously, imagine you're charged with submitting an OS X security procedures proposal that will be subjected to scientific peer review. What would you say, because none of what you've said here would fly in such an environment.

EatsWithFingers
09-02-2009, 08:11 AM
What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.
Worms are typically used as a delivery mechanism for more insidious malware. That is, there is no point in writing a worm if the target system cannot be infected by its payload.

As I've mentioned before, worms don't necessarily propagate because of bugs. Some do, most don't. I've mentioned NetSky as an example, it does not abuse any bugs. No amount of patching will stop a worm like that.
True, but the patching can prevent the worm having any effect on the host system (other than being used to spread the worm itself whenever the file containing the worm is executed).

As you've pointed out, it is possible to write an e-mail worm that spreads amongst Macs (or any OS for that matter), but for that worm to do anything other than simply replicate there needs to be bugs in the OS which can be exploited. EDIT: OK, so MyDoom overwrites system files, but that is trivial to prevent by using a non-admin account for daily use (covered by one of my "sensible habits" (http://forums.macosxhints.com/showpost.php?p=549335&postcount=104)).

The question then is, "does a benign worm that requires user initiation to replicate constitute a security threat?" My answer would be "no, it does not."

roncross@cox.net
09-02-2009, 05:13 PM
Yes, I agree to that. But perhaps I wasn't too clear either. What I meant was that currently the rate of propagation is too low for anyone to even bother writing a worm for OS-X. It simply doesn't have enough impact to make it big.


Well if this is the case, then why worry about having antivirus protection and such if there is no impact.
I recall in your earlier post advocating for this, but it contradicts the statement you made later. You are not showing clarity in your thought process which is why you are unable to persuade anyone.


If a self-described security professional can't be clear about all this, it's no wonder billions of computer users have trouble understanding the risks and how they might best protect themselves.

Hey, I'm also a self-described security professional and I use no antivirus, firewall, etc., and I feel safe :D


Please, have a look at what you've written before suggesting I'm not paying attention. One minute you've claimed that the Mac will have the same number of malware threats as Windows when the user base reaches some imaginary critical mass you've not defined.

At other times you're saying your point is simply that people should be careful, but you've spent loads more time defending your baseless conjecture rather than offering a semblance of helpful advice to those who might stand to learn something about security.

After that, you slide into statements like a Mac "worm will die out by itself and never reach its full potential." Please, I'm no security expert, but by that logic no worm will ever reach its full potential until every living person has an infinite amount of computers and they're all connected to the Internet.

And you've made all those claims without any supporting evidence other than the fact that no OS is completely secure. Seriously, imagine you're charged with submitting an OS X security procedures proposal that will be subjected to scientific peer review. What would you say, because none of what you've said here would fly in such an environment.

SirDice, will you be able to clearly summarize your points so that we know once and for all how you view this issue? I for one am very confused.:confused::confused::confused:

EatsWithFingers
09-02-2009, 06:07 PM
OK, let's assume (in this hypothetical future) that OS X used the following implementation of the MLS paradigm, then we may be able to severely limit the damage that any malware would do, and thus limit their spread, effectiveness, appeal to criminals, etc.

[..]
Is this implemented yet? If so, could you point me to its documentation? I'd like to read up a bit on it.
Sorry, but there's no implementation of this as far as I am aware.
Apologies for digging up these (http://forums.macosxhints.com/showpost.php?p=549592&postcount=121) earlier (http://forums.macosxhints.com/showpost.php?p=549535&postcount=117) posts (http://forums.macosxhints.com/showpost.php?p=549670&postcount=126), but I've since read about FreeBSD Jails (http://en.wikipedia.org/wiki/FreeBSD_jail) and the concepts appear to be very similar. And increased security is precisely the motivation behind them.

butterthief
05-12-2010, 08:48 PM
macbook 10.4.11...grrrr...don't have the specs (as i am running a live ubuntu disk for privacy) but they are decent, intel based.

i think my mac *may* have been compromised...i have a 'significant other' who works in the software world and may be spying on my computer. we're having challenges. sorry if i am posting in the wrong place...it sounded like a security/privacy topic.:)

this post says to check the activity monitor (ha!) but thats all gobbledygook to me. how can i tell what is malicious and what is standard?

also, i would like to run a scan to check my mac before i keep writing 7 layers of zeroes and re-installing over and over again. is it possible that something can hide from a re-install, like 'rootkits' in pcs?

or can something be stealth-installed from reading his emails? even ones without pics?

yes, i am paranoid. just because you're paranoid doesn't mean they aren't out to get you.

i just want to communicate with the dignity of personal choice and personal privacy.

thanks in advance for any help you may offer.

emonroe1925
08-03-2010, 12:01 PM
this is what comes up on my activity monitor:
Activity Monitor
Aosnotifyd
AppleSpell.service
ATTSServer
BBLauchAgent
Diskimages-helpe
Dock
FileSyncAgent
Finder
Firefox
iCal
iTunes Helper
launchd
loginwindow
mdworker
Microsoft Database Daemon
Microsoft Word
Pboard
Spotlight
SystemUIServer
UserEventAgent

NaOH
08-03-2010, 12:46 PM
All of those are legitimate processes. Generally, the most helpful first action is to do a web search for any process whose name you can't identify. For example, searching for Aosnotifyd will lead to information discussing how this is a sync process for the computer and MobileMe.
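
Added example, not part of any post in this thread: a small Python helper that parses a pasted Activity Monitor list in the shapes posters use here (name only, PID plus name, or full rows) and returns the names that still need the web search described above. The `IDENTIFIED` list is a subset of the names vouched for in the reply above; the sample paste, the user `alice` and the name `ExampleHelperXYZ` are constructed.

```python
import re

# Full Activity Monitor row: PID, name, user, %CPU, threads, memory, unit, kind.
FULL_ROW = re.compile(
    r"^(\d+)\s+(.+?)\s+(\S+)\s+\d+(?:\.\d+)?\s+\d+\s+[\d.,]+\s+(?:KB|MB|GB)\s+\S.*$"
)
# Short row: PID followed by the process name only.
SHORT_ROW = re.compile(r"^(\d+)\s+(.+)$")

def parse_paste(text):
    """Return (pid, name, user) tuples from a pasted process list."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FULL_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SHORT_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).strip(), None))
        else:
            rows.append((None, line, None))  # name-only paste
    return rows

def names_to_look_up(rows, identified):
    """Names not yet identified, de-duplicated, in order of first appearance."""
    known = {n.lower() for n in identified}
    seen, todo = set(), []
    for _pid, name, _user in rows:
        key = name.lower()
        if key not in known and key not in seen:
            seen.add(key)
            todo.append(name)
    return todo

# Names already identified (subset of the list vouched for in the thread).
IDENTIFIED = ["launchd", "Finder", "Firefox", "Dock", "Spotlight", "mdworker"]

# Constructed sample paste mixing the three shapes.
SAMPLE = """
1 launchd
92 launchd alice 0.0 2 1.0 MB Intel (64 bit)
135 Firefox alice 3.1 10 354.0 MB Intel (64 bit)
343 Flash Player (Safari Internet plug-in) alice 0.3 13 27.7 MB Intel
141 ExampleHelperXYZ alice 0.0 2 1,020 KB Intel (64 bit)
Spotlight
mdworker
"""

if __name__ == "__main__":
    for name in names_to_look_up(parse_paste(SAMPLE), IDENTIFIED):
        print("look up:", name)
```

A name on the identified list only means the name has been looked up; it does not verify the binary running under that name.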

Blackcurrant
01-05-2011, 11:19 AM
Hi Guys
Anyone still there?
I've just switched from Windows and feel insecure (psychologically at least) about the malware discussion and what I should do for my Mac.

I am running OSX 10.6.5. While I sorted out whether I believe the 'We're safe' or 'you need protection' brigade I downloaded ProtectMac AntiVirus trial while I thought about it. 4 days to go!

I admit to being 56, female, unfamiliar with Macs, and would pay for an AV program that would do the job, but which one?? I care most about not getting a key logger because I want to bank online. I don't have the clarity and memory anymore to delve in the backwoods like I used to on my PC (even back in DOS days). I just want to be as safe as poss.

I've read the golden rules but can't be sure I've kept them! :(
I have a separate standard account for everyday use, but do often get asked for admin passwords, and keychain is a mystery to me because it doesn't behave consistently, to my mind. I've downloaded some programs like flip4mac, a wma converter, dropbox - things I'd expect to be ok. But can you pick up trojans from just surfing? I've also played some online games, like bejeweled (bless). I'd like to download some but don't know when to trust a game site, or how to find which to trust. It's all very well saying don't make that mistake, but if you are to stray further than what comes with your new Mac, you have to take a risk, including entering your admin password, don't you??

If you don't understand how I can be this isn't feeble and still be allowed to use a computer, just try to imagine how you'd help your Grandma to have a good and safe experience with her Mac :confused: cos she couldn't get out and needed to shop online. That's not unlike my situation. So I'd be so grateful if you can help, suggest, and put my mind at rest if I'm OK here? I've posted my standard user's Activity Monitor below, if you'd take a look please? I did start googling them, but I got so tired.

More risky is my father's behaviour, playing on poker sites, clicking everywhere, and no password, just hit return! :eek: He's 84. You try getting him to remember! He has his own Mac, thank God, but I want to help him bank online, and a keystroke logger would be disastrous!

If I ever decide to do a reinstall, can you tell me this: Does the installation disc contain all the additional apps that came on the new machine, ie The iLife components like Garage Band?


My activity monitor for my standard user is here (spacing a bit odd, but I think everything got expanded to view):
Am I clean, and would it be a different picture for my admin account do you think? Did someone say Key loggers can hide? Might they not show up here then? Perhaps I should just stay in bed!

Thanks so much
B


1 launchd
83048 WindowServer
14 syslogd
56 socketfilterfw
28 securityd
30 ptmd
48 ProtectMacAntiVirus
23 ntpd
11 notifyd
83205 mdworker
31 mds
32 mDNSResponder
83047 loginwindow
83085 launchd
83144 WebKitPluginAgent
83181 Flash Player (Safari Internet plug-in)
83109 UserEventAgent
83209 TextEdit
83090 SystemUIServer
83135 Safari
83203 Quick Look Helper
83117 ProtectMacAntiVirusAgent
83104 pboard
83123 iTunesHelper
83122 GrowlHelperApp
83099 fontd
83091 Finder
83124 Dropbox
83131 dbfseventsd
83089 Dock
83146 AppleSpell.service
83115 AirPort Base Station Agent
83229 Activity Monitor
10 kextd
34 KernelEventAgent
36 hidd
83078 hdiejectd
37 fseventsd
39 dynamic_pager
16 distnoted
83074 diskimages-helper
12 diskarbitrationd
15 DirectoryService
76 cvmsServ
83212 cupsd
51 coreservicesd
87 coreaudiod
13 configd
74770 clamd
17 blued
45 autofsd
83231 activitymonitord
0 kernel_task

wally
07-23-2011, 02:06 PM
Hey All....

OK so I'm very very new to Mac (had it for like a month now). Here's my problem:

A few days ago someone hacked my gmail, hotmail and facebook and changed all backup information and passwords. I have managed to get gmail and facebook back but not hotmail.

I have reason to believe that there might be a key logger on my comp... I really need to get this checked.

activity monitor is below: PLEASE HELP!!!!

369 Activity Monitor waleedelahi 3.7 2 29.7 MB Intel (64 bit)
118 AirPort Base Station Agent waleedelahi 0.0 4 5.8 MB Intel (64 bit)
140 AppleSpell.service waleedelahi 0.0 2 7.5 MB Intel (64 bit)
113 AppleVNCServer waleedelahi 0.0 4 3.9 MB Intel (64 bit)
96 Dock waleedelahi 0.0 3 24.4 MB Intel (64 bit)
98 Finder waleedelahi 0.0 4 12.5 MB Intel (64 bit)
343 Flash Player (Safari Internet plug-in) waleedelahi 0.3 13 27.7 MB Intel
102 fontd waleedelahi 0.0 2 5.1 MB Intel (64 bit)
376 googletalkbrowserplugin (Safari Internet plug-in) waleedelahi 0.0 3 3.9 MB Intel
377 GoogleTalkPlugin waleedelahi 0.0 8 9.9 MB Intel
120 imagent waleedelahi 0.0 5 6.1 MB Intel (64 bit)
126 iTunesHelper waleedelahi 0.0 3 2.9 MB Intel (64 bit)
92 launchd waleedelahi 0.0 2 1.0 MB Intel (64 bit)
38 loginwindow waleedelahi 0.0 2 8.0 MB Intel (64 bit)
100 pboard waleedelahi 0.0 1 856 KB Intel (64 bit)
135 Safari waleedelahi 3.1 10 354.0 MB Intel (64 bit)
97 SystemUIServer waleedelahi 0.0 3 14.3 MB Intel (64 bit)
110 UserEventAgent waleedelahi 0.0 3 7.1 MB Intel (64 bit)
379 VDCAssistant waleedelahi 0.0 4 4.1 MB Intel (64 bit)
141 WebKitPluginAgent waleedelahi 0.0 2 1,020 KB Intel (64 bit)

cabiesesch
09-22-2011, 01:04 PM
141 Activity Monitor marinescabieses 10.0 6 29.6 MB Intel (64 bit)
143 activitymonitord root 1.5 1 1.1 MB Intel (64 bit)
119 AirPort Base Station Agent marinescabieses 0.0 3 1.6 MB Intel (64 bit)
46 autofsd root 0.0 2 976 KB Intel (64 bit)
17 blued root 0.0 3 4.2 MB Intel (64 bit)
13 configd root 0.0 7 3.0 MB Intel (64 bit)
77 coreaudiod _coreaudiod 0.0 2 2.2 MB Intel (64 bit)
54 coreservicesd root 0.5 5 12.7 MB Intel (64 bit)
24 cupsd root 0.0 3 2.2 MB Intel (64 bit)
66 cvmsServ root 0.0 1 804 KB Intel (64 bit)
15 DirectoryService root 0.0 6 4.6 MB Intel (64 bit)
12 diskarbitrationd root 0.0 2 1.4 MB Intel (64 bit)
16 distnoted daemon 0.0 3 1.2 MB Intel (64 bit)
103 Dock marinescabieses 0.0 3 13.3 MB Intel (64 bit)
40 dynamic_pager root 0.0 1 788 KB Intel (64 bit)
105 Finder marinescabieses 0.0 6 30.5 MB Intel (64 bit)
108 fontd marinescabieses 0.0 2 4.3 MB Intel (64 bit)
38 fseventsd root 0.0 12 1.6 MB Intel (64 bit)
37 hidd root 0.0 3 1.5 MB Intel (64 bit)
127 iTunesHelper marinescabieses 0.0 3 2.8 MB Intel (64 bit)
0 kernel_task root 0.9 58 84.2 MB Intel
35 KernelEventAgent root 0.0 3 1,004 KB Intel (64 bit)
10 kextd root 0.0 2 2.6 MB Intel (64 bit)
1 launchd root 0.0 3 1.2 MB Intel (64 bit)

revdarkwolf
09-26-2011, 03:07 PM
Blackcurrant, and wally I'm not sure what all you have heard, I had been a Mac user since they 1st came out, I worked for Apple in San Jose. It is not hard at all to monitor someone's activity on your Mac. The program will cost you some money just over 100 I do believe. I personally use it to keep track of my kids my ex-wife, and that is why she is my ex-wife, and have just recently found a great name used for. It will log all these little back door injuries to your information while you're surfing the web. I'm not sure if the programmers you realize what it does since they don't advertise for that. The program is called Specter. They have for Windows and Mac. Best money I ever spent. It records every keystroke every webpage every e-mail, I just cannot say enough about it. You're worried that someone is accessing your computer get Specter it runs completely hidden, even stays out of the activity files. The only way to detect if you have Spector on your computer is to buy it and try to install it. I hope this helps you in your right there is nothing wrong with being paranoid because they are out to get you a you may not know who but somebody always wants something from you.

betrayed
01-31-2013, 04:12 AM
My mac makes a soft bling noise (never did before) when I reopen my computer. I took a screen shot of my activity monitor but I am not good at computer skills. I cannot figure out how to copy/paste it here. I feel so stupid.

benwiggy
01-31-2013, 12:21 PM
My mac makes a soft bling noise (never did before) when I reopen my computer. I took a screen shot of my activity monitor but I am not good at computer skills. I cannot figure out how to copy/paste it here. I feel so stupid.
You should start a new thread, really, as this is a two-year-old dormant conversation.

Macs always make a soft chord (C major first inversion, I think!) when they are powered up. You will always hear this, unless the sound is muted. If you mean something else, like this happens when it wakes from sleep or you open the lid?
It's unlikely that spyware would advertise itself in this way, of course. If you have other programs running -- iMessage, Notification Centre, Mail -- these may make beeps when newly activated after sleep.