The Mac virus Flashback was distributed via WordPress blogs that had also been hacked. About 1% of Macs are still infected, and even Jon Gruber admits its an “epidemic”.
We run an up-to-date WordPress site here, and we don’t run the infected plugin, so Mac users are safe from that threat, at least, when visiting B-J.
Baud
Thank God I browse the web on a PC.
[1000 comment thread guaranteed–you’re welcome, John]
Handy
Mac or PC viruses SUCK in a major way.
Schlemizel
Computers are here to make your life easier
. . .
Repeat until you believe this
banging head on desk will speed the process
cathyx
I thought they came up with a download to fix or prevent it. No?
MikeJ
I do seem to recall this blog getting hacked a couple of times.
West of the Cascades
I thought Macs didn’t get viruses? That’s what supercilious Mac users have told me when peering down their noses at my Dell laptop.
victory
Thank god. Last thing I want is a virus from a B-J.
MattF
@cathyx: ‘Yes’ to both questions, via the ‘Software update…’ Apple menu item.
Eric U.
what’s funny is that windows pc’s shouldn’t get viruses nearly as often as they do, but Mr. Softy encourages unsafe behavior (running normal users as administrator). My kids computers have both been saved by not giving them administrator accounts. It’s not a failsafe, by any means.
Marcellus Shale, Public Dick
@victory:
i think i saw a lifetime movie about that. by saw i mean, read the preview in the onscreen guide and watched something else.
Schlemizel
@West of the Cascades:
AAAAAAAANNNNNNNNNNNNNNNNNND there @Baud: hears the starting gun for the predicted 1000 comment thread!
otto
If overpaying for a sticker that shows you are a mac user won’t protect you from a virus, what will?
dmsilev
@cathyx: Yes. Run Software Update on your Mac and download the updated Java version. I believe the latest version also comes with a removal tool that will check for this particular infection.
mistermix
@MikeJ: Not since I’ve been reading it (a few years), but I wouldn’t be surprised, WP has been hacked a lot.
dmsilev
@Baud:
Pfft. Piker. Watch this: “Vi sucks. Emacs rules.”
ericblair
@dmsilev:
Real men use sed. So pfffttttttht.
gaz
oops. lol.
Hopefully a plurality of those infected users are the ones that believe Macs can’t get viruses.
News flash. Viruses can infect anything. The reason Macs aren’t often targeted is due to marketshare, not security features. They just aren’t a very appealing target.
If Mac had the market share of windows, they’d be getting creamed at least as bad as win machines. probably worse, considering they’ve never had to harden the OS in the face of major attacks before.
gaz
@Eric U.:
So you still run windows 95, apparently.
Here comes the clue train, last stop – you!
Windows does not run your user accounts as admin, unless you go out of your way to make it that way. Pretty much the way unix works.
gaz
@West of the Cascades:
I wonder how many of them were infected at the time and just didn’t know. heh.
Roger Moore
@ericblair:
FTFY. Actually, real programmers use C-x M-c M-butterfly.
gaz
@Roger Moore: I just telnet to port 80 and type
GET / HTTP/1.1
Host: balloon-juice.com
…
and then I read the tags I get back.
sed is for pussies. emacs and vi too
Southern Beale
What is Flashback? Do I have it on my WP blog?
gaz
@Eric U.: Please don’t spread misinformation about computers. If your average lUser would just STFU and stop pretending to know something, chances are people wouldn’t get infected as much.
Ex Regis
Not a virus. This is a Trojan. Will not, cannot spread from infected machine to uninfected machine. To this day there are exactly ZERO Mac OS X viruses in the wild. Compared to thousands on other OSes, for whatever that is worth mentioning.
However, this was a lazy moment for Apple. It knew about the Java bug and did not fix it until the Trojan became widespread. A previous version of the same Trojan could attack users by means of a phony Adobe Flash install. Apple did stop installing both Java and Flash on new Macs, leaving it up to users who wanted or needed them. But older machines were vulnerable.
Southern Beale
@West of the Cascades:
That’s simply because there’s no point in writing a virus for a platform that makes up such a small % of computer users out there. As more people ditch their sucky PCs for Macs you’ll see more viruses written for the platform.
I’ve been a Mac user for over 20 years and you couldn’t pay me to use a PC. Husband is always having issues with his.
gaz
@Southern Beale:
This.
Also, I won’t begrudge you your Mac use. I run windows because, well, if I want to do X, chances are very good that I can find software to do X. Again, it’s a marketshare thing.
But also, technically Macs are “PC”‘s. PC’s running Mac OS. They’re even Intel nowadays. If someone gave me a mac, I’d install windows on it, for the reasons I mentioned above.
But also because I don’t mind getting my hands dirty.
Odie Hugh Manatee
Pshaw, everyone knows those Macs never get viruses! They are truly machines of perfection, incapable of being infected due solely to the perfection that was bestowed upon them by the late great Saint Jobs of Apple.
Roger Moore
@Southern Beale:
There’s more to it than that. Because if everybody is attacking Windows, they’re competing for the available infectable machines. Nobody is going to be able to take over all of them because somebody else has gotten to a lot of them first. OTOH, if you’re the only attacker against a platform, you have a free field and can potentially take over every machine on the planet. So there ought to be a minority of malware writers who are targeting OSX, Linux, etc. How easy those systems are to attack does play a role in how much they get targeted.
A classic example of this is in web servers. For a very long time, the Open Source Apache web server has been the dominant platform; it’s rarely been less than half the total web servers out there. But despite that market dominance, the main target of people going after web servers was Microsoft’s IIS. Why? Because IIS had enough servers to be worth targeting and was so much more vulnerable that it was a much more appealing target. So there really is some real-world tendency to target the most vulnerable systems rather than just the most numerous ones.
Rheinhard
Oh, Lord, the tired old “security through obscurity” myth again.
Have you missed the umpty-dozens of articles the last few years of how over 50% of new PC sales are Macs? And how it’s much higher than that among students and younger professionals? The Mac market share in terms of total computers (considering the legacy installed base of out of date Windows machines) is certainly over 25%. By your argument shouldn’t there be at least 25% of viruses be for Mac by now? Can you tell me the magic market share that will suddenly cause these mythic virus writers to target mac?
Now it’s certainly untrue that the Mac “can’t” get a virus – it is a system built by humans and so therefore certainly has some imperfections. But it is also incontrovertibly true that it is technically harder to write a virus for the Mac than Windows, for specific technical operating system design reasons in Windows going back to the early days of the browser wars.
In the 90s Bill Gates got spooked by Netscape and the world wide web, and feared that this could be the magic bullet to break the Windows stranglehold. So he ordered the development of Windows Internet Explorer, and further decreed that it would not only be used to surf the web, but would be directly integrated to the OS and be used for browsing files on your hard drive and other basic services. As a result, a web browser (which to a sane software engineer should be no different than any other software application, with no special privileges no other program has) is directly hooked into the lowest level of the Windows OS.
It is this conscious design decision by Microsoft, made for no other reason than to fuck over Netscape and steal their market, that it is ridiculously easy to build malicious operating system commands (erase the hard drive, email the code to everyone in your address book, etc) that execute from the web browser.
Apple, never having been tainted by this brand of insanity, designed its OS and web browser as any sane software engineer would, in a series of interacting layers each with its own privileges and responsibilities. There may be some oversights since humans can’t foresee all ends, but the ability of the web software to direct the entire machine is not part of Apple’s design.
So, NO, it is not just as easy to write a virus for Mac (and BTW the thing in question here isn’t even a virus, it’s a trojan, which is a different ball of wax), and anyone who mouth this tired old “when macs have a bigger market share they’ll get exactly as many viruses” is just another ignorant hipster douchebag
mac
I have missed all the reports of 50% of PC shares being appl, possibly because the actual 2011 share was 10.7%…
gaz
@Roger Moore:
You’re blaming an OS, instead of blaming the administrator of the OS.
It’s true that unix servers are often administered by professionals, while windows machines are administered by nova monkeys. That’s not the OS’s fault.
I proved this point long ago by co-locating a windows 95 machine and offering $100 to anyone on any of the #2600 channels out there on the big 3 IRC networks. After a full year or so (before I took it offline) It was never hacked. Attempts were made. I even had SMB/NetBIOS/Filesharing enabled (with a patch to prevent an OOB DOS attack)
I never had to pay out.
If you think that Mac’s target demographic is as savvy as the unix demographic, I’ve got a bridge to sell you.
Long story short – any OS is precisely as secure as the administrator is savvy. It’s that simple.
Also, I cut my teeth hacking USDA.gov, sony’s public web, my local ISPs, and AT&T’s system they used for allowing sales reps to activate phones and pagers. All unix.
Also, 7 year statute of limitations is up, so I don’t mind admitting it.
gaz
@Rheinhard: I’d address your points, except you are an idiot, a liar, and not worth my time.
Cris (without an H)
This doesn’t make much sense to me, but maybe I don’t really understand the motivations of virus programmers. I do recognize that malware can be a profitable endeavor — every spammer would be happy to have an army of zombies at their disposal — but a lot of viruses are just vandalism, the kind of thing you do to show that it can be done.
In the ’90s, I worked at an office that was infected by Michaelangelo. You know what Michaelangelo did? It nulled your hard drive. Rendered it unusable. The person who wrote that wasn’t concerned with market share, they were just looking to fuck shit up.
To that kind of virus writer, I’d think the Mac would make a more desirable target — everybody says it can’t be done, watch me do it!
gaz
@Cris (without an H): “The person who wrote that wasn’t concerned with market share, they were just looking to fuck shit up.”
Speaking as a former teenaged vandal, it is to a large degree, still about marketshare.
Would you rather screw up a few macs, or a ton of windows boxes. It’s about bragging rights. The more damage, the harder the stiffy.
Adding, and the general consensus on macs was, any idiot could hack one of those lUsers. Macs were marketed to people that thought computers were confusing and mysterious. And teachers.
scav
No real problem with Macs as machines. They do what they do. Do have a problem with the Apple Company, ethos and PR hype especially. #1 problem I’ve got with Macs are their fucking evangelical hard-line users that preen and overstate the glory of the one and only digital way. They’re basically hard-line SUV drivers that refuse to believe others might want to drive a Smart car, pick-up truck, Porsche or battered Volvo because they choose to drive a SUV. There are sane Mac users, they just don’t get heard as often because Evangelicals of all stripes tend to be the noisy ones.
Have we gotten to the user than’s reading BJ in binary yet?
ETA: or wait, could we possibly get to one using copper wires and vacuum tubes while we’re at it?
bjacques
On internet, WordPress F**ks YOU!
Rheinhard
This.
The “security through obscurity” myth also ignores a key component of hacker mindset, which is the desire for “street cred”. The first hacker to develop a real self-propagating virus for the Mac which spreads rapidly and infects a high percentage of the installed base would be the absolute cock-of-the-walk among “black hats”. Developing some new piddly PC virus is no big deal anymore since there are scores of “script kiddie” packages floating around making it easy to make small variations on known un-patched exploits. That no one has managed to create a real virus yet for the mac, and only a few of these sort of trojans (which require the user to consciously agree to install malicious code) are extant, ought to say something about the nature of the malware development problem, well above the “well macs only have x% of market share”…
gaz
Also, from a technical standpoint, while this is not necessarily true anymore, it was at one point:
Two little words: “Surface Area”. It’s a term we (hats of varying shades of black & white) use to speak about the number of avenues presented which we can use to connect to a machine, roughly speaking.
Out of the box, unix has historically had the most hackable “surface area”.
Followed by windows.
Followed by mac.
The less surface area you expose, the less likely you are to be hacked. But because of the internet, the dynamics of this are changing. Now most machines have a ton of exposed, hackable “surface area”. Blame the internet. If you didn’t always want to connect online, you’d not have so many holes. But you also cannot really do anything on a network, in that case.
gaz
@Rheinhard: There’s not many critical systems running Mac. No fun hacking them. Hacking unix is still king.
And for all of your talk about “street cred” and such, you sound like a nova monkey, who has never hacked shit, who’s never been to a con, and who knows absolutely jack shit about computers or hackers. Mac lUsers like you make intelligent Mac users look bad.
gaz
@Rheinhard: Adding, if what you said were true Lulzsec would have gotten props for hacking the ps3 net. They didn’t. They just sort of don’t exist anymore.
Roger Moore
@gaz:
I agree that admin quality is important, but it’s not everything. You’re a lot more likely to shoot yourself in the foot with a gun that comes loaded, cocked, and with the safety off than one that comes unloaded and requires some basic gun skills to get to shoot. Windows may have on average lower quality admins than Linux, but for years Microsoft added to the problem by treating security as secondary. They responded to the lower quality admins by assuming they wouldn’t know how to turn stuff off and “helpfully” turning vulnerable services on by default. That’s great for getting a system up and running easily but terrible for security. They’ve definitely gotten better about that to the point that their default setup is pretty reasonable, but they still have problems with legacy programs that depend on the old, insecure behavior.
gaz
@Roger Moore: There’s nothing about that statement that I disagree with.
in fact, I’ll cosign it.
It took MS until XPsp2 to change their development and culture at the company and adopt a “secure by default” mantra. And that’s still problematic because of backward compatibility as you say.
I’m not about to say Mac’s better. I’ve never seen a company harden an OS until after it’s been regularly attacked. Apple has yet to face any of this. If/when marketshare grows, and more people start backing critical systems on Mac, we’ll see it. I do not trust any OS that has not faced the full brunt of the nitty gritty nastiness of a large public network. That will come with marketshare, eventually.
MattF
I’m mostly OS agnostic, myself– OS X if I’m given a choice, but various flavors of Windows, Unix, Linux are OK, if not inspiring. My big problem is with MS Office– Word, Powerpoint, Outlook, Excel. All tooth-grindingly bad. And all, sad to say, are standard issue on both Windows and OS X boxes. Word, in particular, is just horrible:
http://www.slate.com/articles/technology/technology/2012/04/microsoft_word_is_cumbersome_inefficient_and_obsolete_it_s_time_for_it_to_die_.html
gaz
@MattF: Right tool for the job. That’s how you can tell someone that knows something from those who don’t. The ones who don’t are zealots.
I prefer windows. I’m careful with it, like I would be with any machine that can connect online.
The biggest problem that Mac users, or any computer user faces, is the mentality that for example Reinhardt expresses: to wit, essentially: By virtue of using [X] OS, I’m basically immune to being hacked. Such mentality is at least as old as computers. And they’ve always been wrong. And they’ve always been surprised, and fux0red when they finally figure out just how wrong they were.
Software does not protect you.
gaz
Note: If I still had the time and inclination to be a vandal (and I don’t, growing up has that effect, I suspect) I’d be paying close attention to anyone on this thread that believes Reinhard’s “security by obscurity is still security” lie. They make easy targets.
Mike Daisey's remaining credibility
mistermix seems to have some residual butthurt concerning Jon Gruber. Care to explain, or shall we attribute this to ideology?
Rheinhard
Right, yes, that’s why I spend 60% of my time on my Mac in Terminal, and why I’ve spent the last decade and a half or more developing orbital numerical algorithms in C++ for NASA and GPS systems.
I have not claimed anywhere Macs were immune to all hacking. I wrote several times that any systems designed by men are bound to have vulnerabilities, but that the casual “Macs are just as bad as Windows just no one bothers to hack them yet” is simply lazy writing. If you’d read what I actually wrote instead of insisting on fighting a “this person disagrees with my blanket assertions and therefore must be a clueless newb” strawman” you’d see that.
If I had a dime for every teenage Starbucks barista who claimed he could totally write the super-awesomest virus which would take down all those Mac lusers I could retire early.
Pococurante
@Ex Regis:
And yet I simply highlighted “Mac OS X virus” in your post, right clicked and chose “Google for” and immediately came up with thousands of hits going back to 2006 that disagree with you.
gene108
@gaz:
The Macs don’t get viruses bit was probably from when Macs used Motorola chips. Since the design of Motorola chips is different than Intel chips, it made hacking Macs harder for whatever reason.
When Apple switched to Intel chips, they basically opened themselves up to the problems PC’s can encounter.
gaz
@gene108: That’s certainly part of it. But the dynamics of the general situation still apply. Security by obscurity is not security. It’s a false sense of security, which is usually worse than NO security – (ask a net admin).
gaz
@Pococurante: We hackers have a name for folks like Ex Regis: We call them targets.
gene108
@gaz:
Apple’s doing just fine with whatever market share it currently has. It’s moved beyond the desktop/laptop consumer market into other personal mobile computing devices.
Apple doesn’t need to occupy the large industrial server space.
If hackers successful hack iPhones, iPads, etc., then Apple would have an issue.
gaz
@gene108: I don’t disagree at all. But I’d add that having an iPad is no excuse for not being safe. It’s not Apple that has an issue, in any case. It’s a plurality of their customers that do.
gaz
@Roger Moore:
Preacher, meet choir. I code in C++, =)
Adding, quality of administration is NOT the only factor, but I’ll assert to my dying breath that it’s singularly the most important factor, by a vast margin.
gaz
@Rheinhard: And if I had a nickel for every hubris infused fuckwit on the internet who spread lies about computer security, I’d have more money than carlos slim.
Also, I give you the blistering lack of self-awareness award. You’re posting on a thread about a bunch of Macs getting compromised. You should probably remember that.
Pococurante
@gaz: lol!
PeterJ
@Mike Daisey’s remaining credibility:
I’m not speaking for mistermix, but Jon Gruber admitting that it’s an epidemic, that’s like the most partisan Republican admitting that the GOP has a problem.
Doug Danger
Gaz seems to be forgetting that all of Apple’s IT people use portable machines. All of Apple’s employees use portables.
You think 15k+ people in Silicon Valley alone using Macs that hold the most valuable IP in the valley isn’t a nice target? Apple’s workforce doesn’t get hacked or cracked on a regular basis – this I know.
Google, Facebook, and many other ‘new’ companies around here have workforces that are over 50% Mac. And you know why their IT departments love the Macs? More security, less overhead.
No matter how or why, less overhead. More security. It’s a freakin’ tool, and Apple makes a Snap-On level product to Microsoft’s store-brand tools. Both work and fit the same tasks. One is easier to own. The other is easier to pwn.
Doug Danger
@gene108:
Severely uninformed. You think chip architecture has how much exactly to do with OS vulnerabilities?
We’re not even talking about an OS-level vulnerability here – we’re talking about Apple being slow in updating their Java distribution to defeat the latest holes in Java, not Mac OS X.
This is a trojan; it requires user intervention to propagate – and it masquerades as a legitimate “Software installer” package, which is a path Apple is already discouraging developers from taking.
In other words:
1. Not a vulnerability with Macs per se, but a definite and ongoing problem with Apple being slow to update and distribute security updates for third-party technologies as well as their own OS.
2. Has exactly ZERO to do with machine architecture. Intel, PowerPC, Chocolate Chip – doesn’t matter. PowerPC long ago went the embedded controller route, and had zero future in PC-level devices. Apple took too long, if anything, to move to Intel, since OPENSTEP was running there in 1995.
3. Is not a ‘hacking’ or a ‘cracking’ of anything at or made by Apple.
4. There is still no known successful virus (self-spreading malicious software) for Mac OS X. Mac OS X was introduced in 2001, over a decade ago and Apple’s by all accounts has improved the OS markedly with every single (inexpensive compared to Windows) update.
gaz
@Doug Danger:
I can say nearly the same thing about developers at MS – having been one for years myself. Not all of them use portables and have remote access, but MANY do.
They don’t get hacked.
You didn’t really say anything of substance. Right now, you just look like an Apple apologist/zealot
Also, to me you look like a target. Because you believe that running an Apple vs a windows machine makes you somehow more secure, in and of itself. I used to love people who thought that way. Easy marks.
Rheinhard
And I have said multiple times now, it surely is possible for Macs to be compromised, they’re not “perfect”, but the blanket “they’re exactly as bad as Windows just no one has bothered to hack them yet” is not valid either. Where is the lie in that statement?
I do not believe in “security by obscurity”, as you seem to imply. Good security design certainly requires forethought and planning in increasingly complex systems. But I likewise do not believe in “Macs only seem more secure because of obscurity”.
So have we now arrived at the implied “You’d better not disagree with me too loudly or you’re opening yourself up for an attack” phase?
gaz
@Rheinhard: Your BIG lie is that “security by obscurity” is actual security. It’s not. It’s a fallacy, and it leads to being compromised.
See for reference, the entire history of compsec.
Organizations like CERT would be quick to disagree with you.
Any of the little fallacies you propagate pale in comparison to your ONE BIG LIE.
Rheinhard
My ONE BIG LIE is something I explicitly said I do not believe. You now seem to be arguing against straw men that seem to exist only in your head.
Ex Regis
@Pococurante: Those are not viruses. A virus is a self-replicating piece of code .that attempts to spread itself to other computers. Look at all the people here calling Flashback a virus.
Any OS is subject to Trojans as long as users are able to install software.
I said viruses in the wild, meaning spread among user computers and not exploits in the lab. If there are so many, name one please.
gaz
Well, in my head, and also in the post where you said
I’ve excluded the context in which you made this statement. But the context was, I was already arguing that security through obscurity IS A myth.
So in that context, you pretty well implied that the myth of security through obscurity is not in fact a myth.
If I read you wrong, it’s because, if nothing else, THAT statement.
Doug Danger
Let’s all bow to gaz, the black-white hat hacker who used to work at Microsoft, won’t acknowledge anyone’s proven points about Mac security, and who calls other people zealots.
Rich.
gaz
@Doug Danger: Or let’s not bow to me.
If you’ve proven anything, it’s that you’re just another sucker.
Keep in mind, I have no desire to change your mind. There’s no upside to me. In fact, the more suckers out there, the merrier!