Old 08-28-2009, 10:50 AM   #101
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Quote:
Originally Posted by SirDice
I never claimed it would make it 100% secure.

Sure you have. It's the implied basis for your argument: The Mac OS isn't 100% secure, so you need AV software. To do what, keep it less than 100% secure?
Quote:
Originally Posted by SirDice
I've said exactly the same thing, you might want to read back.

Yes, but you've said it with the intention of scaring them further. Maybe they're not using the right software. I'm sure you've got a particular brand to offer them.
Quote:
Originally Posted by SirDice
Partly true. Running no AV will certainly not be any worse.

??
Quote:
Originally Posted by SirDice
No, I'm trying to create awareness. Something you seem to lack.

Awareness of what?

Quote:
Originally Posted by SirDice
Sure a virus or worm can do what ever it wants but when a payload is delivered by a virus or a worm it's not in the form of a trojan. That would be rather pointless, wouldn't it?

It would be brilliant: use a virus to install software purporting to be AV software and you've got lots of opportunities in small businesses where a user might be new to the company, not have admin rights, and assumes that the software is a legitimate purchase of the business. When it comes time for an "upgrade" he/she gets the boss (who will pay little attention to a minor thing like this) to fork over the company credit card.
Quote:
Originally Posted by SirDice
I never claimed another OS was, is or will be. I do notice however a lot of Mac users seem to think it is.

Pfft. Same thing. You're upset that Mac users feel secure because of their experience. That makes it hard to sell AV software to them, so you claim that they're not being vigilant enough. Naturally, for you this justifies scaring them.
Quote:
Originally Posted by SirDice
A lot of Mac users bought a Mac because they didn't want to deal with all the "technical" details of using a computer. I also know that quite a few bought a Mac because they were tired of getting malware on "that other" platform. So yeah, I am assuming they're not vigilant enough.


So:
A) They're tired of getting viruses.
B) They take drastic action by changing platforms.
and:
C) You conclude that they're not vigilant!




Quote:
Originally Posted by SirDice
Not a phony solution. It's part of a solution.

Of course it's phony. You can't claim the OS is less than 100% secure and then offer a solution that isn't 100% secure without being phony.
cwtnospam is offline   Reply With Quote
Old 08-28-2009, 11:22 AM   #102
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
It's pointless discussing this any further with you.
SirDice is offline   Reply With Quote
Old 08-28-2009, 02:47 PM   #103
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Meh.

I've used OS X since the public beta. Every year since then, I've watched as so-called experts tried to tell Mac users that they were too complacent and that a plague of viruses was sure to descend on them sometime "soon."

While I don't doubt that there will be the occasional small scale successful exploit affecting a few users, I seriously doubt that Mac users will ever see the kind of trouble Windows users have come to accept as a fact of life. Heck, even Windows will some day be secure enough to keep large scale exploits at bay. If you want to claim otherwise, you'll need a lot more than your "expert opinion" or those of other alleged security experts. Together you've all destroyed your credibility.
cwtnospam is offline   Reply With Quote
Old 08-29-2009, 09:14 AM   #104
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
At the risk of being drawn into this back-and-forth, isn't the real problem (of viruses and worms, not trojans) with users whose OS/apps/plugins/etc, regardless of vendor, haven't been fully patched? The vast majority of systems which get infected do so because they haven't updated their OS/apps/plugins/etc to patch a known security hole. Yes, there will always be 0-day exploits, but they are mercifully rare.

As a result, AV software should not be necessary if you're running a fully patched system, assuming the various vendors publish work-arounds for avoiding infection until a patch is produced. Add into this, the fact that there are no known viruses/worms for OS X currently in the wild, and the need for many Mac users to run AV software which just detects known viruses/worms evaporates completely. OK, so the virus landscape may change in the future, but we're not in the future.

People should be conditioned to use sensible computing habits, not conditioned to use AV software. If a time comes when using AV software is considered to be a sensible computing habit on OS X, then so be it, but that time has not yet come.

For the sake of completeness, and to check that I'm not missing anything out myself, my "sensible computing habits" for any platform are listed below, albeit with some tailored towards OS X specifically:
  • Don't make your daily account an admin account (thus anything which runs in your daily account will not have permission to modify system files)
  • Use strong passwords for your admin account and daily account that friends/family/etc cannot guess
  • Disable automatic login
  • Never enter your admin details when using your daily account (unless you need to change something in System Preferences or Finder, and even then make sure that the program requesting your admin details is in fact System Preferences/Finder)
  • Only install software from sources you trust, and using your admin account (thus anything which runs in your daily account will not have permission to modify installed apps)
  • If you must install software from sources you do not trust, use your daily account to evaluate the app, and be suspicious if you are asked to enter your admin details (if asked, do not enter them). Yes, some benign programs still require admin rights to install, but all such programs should come from sources you trust.
  • Be aware of what processes typically run on your system, and periodically check Activity Monitor and your Login Items for suspicious processes.
  • Keep your OS and all other software fully up to date (in rare circumstances, you may have to update your OS to run the updated software).
  • If you have a wireless network, use WPA with AES encryption, or WPA2. WEP is 'really broken' and WPA with TKIP is partially compromised. Again, use a strong password.
  • Store sensitive data in encrypted disk images, or if you're really paranoid, encrypt your entire home folder
  • Limit which apps are allowed outbound/inbound network connections
  • Don't open e-mail attachments or downloaded files that you don't trust (and be wary of your friends sending you executable files in an e-mail)

Now, I'll agree that this list doesn't make you bulletproof (e.g. it won't protect your files from being read/modified by a malicious program you run in your daily account, and it won't prevent people with physical access tampering with your machine), but AV software should be unnecessary if you do the above. And even in the worst-case-scenario future, when viruses for OS X are rampant, scanning downloaded files and periodically scanning your home folder (e.g. once a week), should be more than enough. But, as stated above, we're not there yet.
__________________
Question everything -- especially that which you already believe to be true.

Last edited by EatsWithFingers; 08-29-2009 at 10:11 AM.
EatsWithFingers is offline   Reply With Quote
Old 08-29-2009, 09:27 AM   #105
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by EatsWithFingers
At the risk of being drawn into this back-and-forth, isn't the real problem (of viruses and worms, not trojans) with users whose OS/apps/plugins/etc, regardless of vendor, haven't been fully patched?

This is not always the case. Quite a lot of worms replicate without abusing any bugs in the system. Have a look at MyDoom, NetSky and a few others. These worms dominated the top 10 for months on end.
SirDice is offline   Reply With Quote
Old 08-29-2009, 10:01 AM   #106
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Quote:
Originally Posted by SirDice
Quite a lot of worms replicate without abusing any bugs in the system.

The idea that the system isn't flawed yet a hacker or malicious code can attack it is a brilliant example of doublethink!

Malware attacks a weakness in the system. A weakness in the system is a flaw, and flaws are bugs. Even social engineering attacks require the use of software, and the fact that the software can't recognize and help defend against these attacks is a flaw/bug that will eventually be fixed at least to a large degree. ...And yes, this will be done without requiring AV software.

Let's try to avoid Orwellian Newspeak.
cwtnospam is offline   Reply With Quote
Old 08-29-2009, 10:09 AM   #107
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
Quote:
Originally Posted by SirDice
This is not always the case. Quite a lot of worms replicate without abusing any bugs in the system. Have a look at MyDoom, NetSky and a few others. These worms dominated the top 10 for months on end.

Both MyDoom and NetSky were distributed as e-mail attachments which, when run by the user, would e-mail itself to any address found on the user's system.
http://en.wikipedia.org/wiki/Mydoom#Technical_overview
http://en.wikipedia.org/wiki/Netsky_(computer_worm)

I've since added "don't open unknown attachments" to my previous list of sensible computing habits. Plus, both Leopard and Snow Leopard will warn you when you try to run potentially unsafe files obtained from the Internet (e.g. via your browser or mail client). However, it still doesn't change the fact that there are no known worms or viruses in the wild targeting a fully patched OS X.

The OSX.Inqtana.A worm was a proof of concept which "exploits old vulnerabilities in Apple's Bluetooth implementation [and was] patched by Apple in June 2005."

The OS X/Leap-A virus cannot infect apps owned by a different account, so running it in a non-admin account cannot affect apps installed using an admin account (hence one of the points in my previous post). Furthermore, it also only affects OS X 10.4 (Tiger), not 10.5 (Leopard) or 10.6 (Snow Leopard).

And the OSX.RSPlug.A and iServices trojans infect people who install apps/plugins from untrusted sources. Additionally, both of these are detected by Snow Leopard now.

Do let me know if I've overlooked any.

EDIT: There's also the keyboard firmware vulnerability, but it's still at the proof-of-concept stage; an AV program wouldn't detect modified firmware; and infection would be mitigated by not running programs downloaded from untrusted sites, not providing your admin details whenever asked, etc.
__________________
Question everything -- especially that which you already believe to be true.

Last edited by EatsWithFingers; 08-29-2009 at 10:55 AM.
EatsWithFingers is offline   Reply With Quote
Old 08-30-2009, 06:40 AM   #108
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by cwtnospam
The idea that the system isn't flawed yet a hacker or malicious code can attack it is a brilliant example of doublethink!

Please educate yourself in how those worms work before claiming this.
SirDice is offline   Reply With Quote
Old 08-30-2009, 06:45 AM   #109
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by EatsWithFingers
I've since added "don't open unknown attachments" to my previous list of sensible computing habits. Plus, both Leopard and Snow Leopard will warn you when you try to run potentially unsafe files obtained from the Internet (e.g. via your browser or mail client).

This does help. At least you will get a warning when you try to run worms that work similarly to MyDoom and NetSky. Unfortunately you get that same warning with pretty much every file you download via the Internet (mail or web). Even the benign ones you receive from colleagues and/or friends. After a while people will click on accept habitually.

Quote:
However, it still doesn't change the fact that there are no known worms or viruses in the wild targeting a fully patched OS X.

This is no guarantee it will never happen in the future.
SirDice is offline   Reply With Quote
Old 08-30-2009, 06:49 AM   #110
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely reverse to what it is now. The demographics of the users are the same as it is now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.
SirDice is offline   Reply With Quote
Old 08-30-2009, 07:01 AM   #111
ArcticStones
Moderator
 
Join Date: Nov 2003
Location: Norway
Posts: 3,152
.
One security weakness on a Mac is that they are vulnerable to so-called macro viruses. As I understand it, that is a Microsoft weakness, and not a Mac OS weakness per se.

CWT once suggested a great way to protect against this: make your Word template (normal.dot) read-only.
.
__________________
.
"You say this gadget of yours is for ordinary people.
What on earth would ordinary people want with computers?"

HP executive to Steve Wozniak
ArcticStones is offline   Reply With Quote
Old 08-30-2009, 07:03 AM   #112
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by ArcticStones
.
One security weakness on a Mac is that they are vulnerable to so-called macro viruses. As I understand it, that is a Microsoft weakness, and not a Mac OS weakness per se.

Correct. The latest Office products however warn you when a document contains a macro and ask you to run it.
SirDice is offline   Reply With Quote
Old 08-30-2009, 10:00 AM   #113
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Quote:
Originally Posted by SirDice
Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.

Any OS is finite. That means there are a limited number of weaknesses in it, and over time those weaknesses can be located and corrected. Naturally, new ones will crop up, but they will be fixed as they're found.

Even Windows will benefit from the above. The security advantage of OS X over Windows starts from the fact that OS X started with far fewer egregious flaws and extends to the fact that Apple is willing to abandon old technology in favor of newer, better technology. This means that they don't need to carry forward known flaws in order to maintain backwards compatibility. They've done it with the switch from OS 9 to OS X, from PowerPC to Intel*, and now with Leopard to Snow Leopard. Each step made it more difficult to crack the system while making it easier to create updates to fix security issues. There's no reason to think they won't keep doing that.

On the other hand, even if the OSes don't get more secure, there is still no good reason to waste money on AV software unless you're sticking with an amazingly insecure OS like Windows.

AV software doesn't make you more secure. It's actually been used by malware to attack PCs! Any extra security it does manage to provide is offset by the high cost of using it. Users are much better off using a system with less vulnerability than Windows and keeping it up to date.



* I note that the switch to Intel wasn't necessarily to a better technology. The first Intel Macs were slightly faster than the G5s and G4s they replaced, but they were also about two years newer and should have been significantly faster.
cwtnospam is offline   Reply With Quote
Old 08-30-2009, 11:54 AM   #114
detorn
Triple-A Player
 
Join Date: Jul 2009
Location: philadelphia
Posts: 82
My local sports franchise is better than yours.
__________________
MacBook 2.16 Core 2 Duo
4GB, 110GB HD, OS X 10.5.8
detorn is offline   Reply With Quote
Old 08-30-2009, 11:58 AM   #115
cwtnospam
League Commissioner
 
Join Date: Jan 2005
Posts: 8,475
Nah, yours is infected by worms.
cwtnospam is offline   Reply With Quote
Old 08-30-2009, 12:00 PM   #116
detorn
Triple-A Player
 
Join Date: Jul 2009
Location: philadelphia
Posts: 82
__________________
MacBook 2.16 Core 2 Duo
4GB, 110GB HD, OS X 10.5.8
detorn is offline   Reply With Quote
Old 08-30-2009, 12:44 PM   #117
EatsWithFingers
All Star
 
Join Date: Feb 2005
Posts: 726
Quote:
Originally Posted by SirDice
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely reverse to what it is now. The demographics of the users are the same as it is now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.

OK, let's assume (in this hypothetical future) that OS X used the following implementation of the MLS paradigm, then we may be able to severely limit the damage that any malware would do, and thus limit their spread, effectiveness, appeal to criminals, etc.


Treat non-system programs as first-class users, thereby meaning that a program cannot read/write/execute files belonging to the system, other programs, or indeed the user running the program. The built in open/save dialog and the drag/drop route would provide implicit authorisation to read/write specific user files, so programs using the OS-provided API calls would still work as expected.

The upshot of this is that a program could only read/write program files as well as user files that the user had given explicit consent to read/write (via the open/save/'save as' commands, etc). That is, a malicious program could not read or modify arbitrary user files, or those related to any other program.

Basically, any interaction that a program would have with user files would be explicitly sanctioned by the user, in a way which is no different to the current interactions that a user has with programs they run.

OK, so I'm not 100% sure how you'd handle user-programs that launch other programs, but given the restrictions upon the launched programs outlined above, I can't see there being any serious security issue.

So, to summarise, unless the user granted permission:
  • viruses couldn't read/modify any existing files, therefore would have no effect
  • worms couldn't access user files (e.g. address book, browser history) to spread effectively
  • macro viruses could only affect the document containing the macros, thus not being able to spread

The only effective malware would be trojans, but they would not have free rein over the user's files. Also, as noted before, I have no sympathy for users who download software from untrusted sources (OK, so the legitimate source could have been hacked...).

From a security perspective, this just leaves 0-day exploits, but the effect of any such exploit would be greatly diminished (e.g. an exploited program would still be limited in what it could read/write).
__________________
Question everything -- especially that which you already believe to be true.
EatsWithFingers is offline   Reply With Quote
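
The access model proposed in post #117 above, as an added example that is not part of the original thread: every program is its own principal, and the OS-owned open/save dialog is the only way a program gains access to a user file. The `ReferenceMonitor` class, its method names, and the sample paths and program names are constructed for illustration and do not describe any real OS X API.

```python
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    owners: dict = field(default_factory=dict)  # path -> "system" | "user:<n>" | "prog:<n>"
    grants: dict = field(default_factory=dict)  # (program, path) -> {"read", "write"}
    audit: list = field(default_factory=list)   # (program, path, mode, decision)

    def create(self, path, owner):
        self.owners[path] = owner

    def user_picks_file(self, user, program, path, modes):
        """Model of the OS-owned open/save dialog or drag-and-drop.

        Called by the OS on the user's behalf, never by the program itself.
        A new path (Save As) is created as the user's file; system files and
        other programs' files can never be handed over this way.
        """
        owner = self.owners.setdefault(path, f"user:{user}")
        if owner != f"user:{user}":
            raise PermissionError(f"{path} is not {user}'s to hand out")
        self.grants.setdefault((program, path), set()).update(modes)

    def check(self, program, path, mode):
        """Decide one access request and record it for later review."""
        own_file = self.owners.get(path) == f"prog:{program}"
        sanctioned = mode in self.grants.get((program, path), set())
        decision = "allow" if (own_file or sanctioned) else "deny"
        self.audit.append((program, path, mode, decision))
        return decision


def run_scenarios():
    """Replay the cases from the post's summary; returns (results, audit)."""
    rm = ReferenceMonitor()
    home, apps = "/Users/alice", "/Applications"
    # Constructed sample file system.
    rm.create("/System/Library/Extensions/x.kext", "system")
    rm.create(f"{home}/AddressBook.db", "user:alice")
    rm.create(f"{home}/report.doc", "user:alice")
    rm.create(f"{home}/budget.doc", "user:alice")
    rm.create(f"{apps}/Mail.app/Contents/MacOS/Mail", "prog:mail")
    rm.create(f"{apps}/Editor.app/state", "prog:editor")
    # Alice opens report.doc in the editor through the OS dialog.
    rm.user_picks_file("alice", "editor", f"{home}/report.doc", {"read", "write"})
    cases = [
        ("editor opens picked document", "editor", f"{home}/report.doc", "read"),
        ("editor saves its own state", "editor", f"{apps}/Editor.app/state", "write"),
        ("macro in report.doc rewrites budget.doc", "editor", f"{home}/budget.doc", "write"),
        ("mailed attachment reads address book", "attachment", f"{home}/AddressBook.db", "read"),
        ("virus patches Mail binary", "attachment", f"{apps}/Mail.app/Contents/MacOS/Mail", "write"),
        ("virus writes system file", "attachment", "/System/Library/Extensions/x.kext", "write"),
    ]
    results = {label: rm.check(prog, path, mode) for label, prog, path, mode in cases}
    return results, rm.audit


if __name__ == "__main__":
    for label, decision in run_scenarios()[0].items():
        print(f"{decision:5}  {label}")
```

The denied entries in `audit` are the useful signal for a defender: a document editor asking for a file the user never picked, or an attachment asking for the address book, shows up as a refused request instead of a silent read.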
Old 08-30-2009, 01:55 PM   #118
roncross@cox.net
MVP
 
Join Date: Jan 2004
Posts: 1,764
Quote:
Originally Posted by SirDice
Let's say, for the sake of argument, we are in the (near?) future. Assume OS-X has a 90% coverage of the desktop market. Windows has only 10. Completely reverse to what it is now. The demographics of the users are the same as it is now (people never seem to change).

Would malware be eradicated? Describe what would be the reason(s) malware doesn't stand a chance.

Certainly, malware wouldn't be eradicated but that doesn't mean it would increase because there are more Mac users and fewer Windows users. I want to make sure I understand what you are saying. Are you implying that if it were reversed, then there would be more or less successful attacks in the form of malware, viruses, and such?
__________________
with warm regards
Ronald Cross

Last edited by roncross@cox.net; 08-30-2009 at 02:15 PM.
roncross@cox.net is offline   Reply With Quote
Old 08-30-2009, 06:28 PM   #119
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by roncross@cox.net
I want to make sure I understand what you are saying. Are you implying that if it were reversed, then there would be more or less successful attacks in the form of malware, viruses, and such?

Exactly. I'm more or less stating that when the roles are reversed it would be the Mac users who would be facing those 40.000+ viruses/worms/whatever.
SirDice is offline   Reply With Quote
Old 08-30-2009, 06:31 PM   #120
SirDice
MVP
 
Join Date: Aug 2009
Posts: 1,119
Quote:
Originally Posted by cwtnospam
Any OS is finite. That means there are a limited number of weaknesses in it, and over time those weaknesses can be located and corrected. Naturally, new ones will crop up, but they will be fixed as they're found.

You still don't seem to get the fact that MyDoom, NetSky and a few others do NOT abuse bugs in the system.

To help you a bit: http://vil.nai.com/vil/content/v_101080.htm
Please point out which vulnerability it uses.
SirDice is offline   Reply With Quote