Summary: E-mail thread exposing and discussing an ongoing pattern of misinformation published by security experts (such as, sadly, Gadi Evron) and antivirus software companies, that is a major factor in keeping most computer users confused about security and obsessing over meaningless trivia while ignoring real security concerns. Particular examples of misleading, bad advice from the aforementioned security expert are dissected.






[The incident started with a post by Gadi to the Skeptix mailing list, where he tried to convince Mac-cultist Wade T. Smith (sorry, Wade) that Microsoft Windows is now inherently safer than is Macintosh OS X because several "exploits" against particular states and configurations of OS X had been found over the preceding two years, and that OS X had previously escaped criminal attack only through obscurity. Challenged, he posted four examples, along with overblown rhetoric about how dire a threat they supposedly constituted.

As a Linux/Unix sysadmin studying security, I joined the conversation to chide Gadi for dispensing bad advice, saying that those examples were just not credible as they relied on improbable conditions and/or mind-boggling stupidity on the part of the computer user, that they were distortive of the truth, and that he knew better. (Note carefully: I didn't dispute that the "exploits" exist in a tenuous, could-happen-if-you-deliberately-shoot-at-your-feet way; I merely said they weren't the least bit credible.) Here is most of that thread. (I no longer have the whole thing.)]






From: Gadi Evron
To: Scientific discussion of extraordinary things (skeptix@lists.opn.org)
Subject: Re: security snake-oil
X-Mailer: Apple Mail (2.936)
Date: Sat, 14 Nov 2009 19:29:52 +0200

On Nov 14, 2009, at 6:01 PM, Wade T Smith wrote:

> Look, proof of concept is one thing, but active variants in the
> wild is another. None of your examples happened to people who did
> nothing- there are no OSX exploits which do not require
> interaction.

Actually, except for the post from 2007 when it all begun, which I linked to, no one treats these continued releases of Mac malware [as] proof of concepts. Check out the other links I kindly took the time to find for you. In fact, while much of the current Windows malware requires user interaction to work, I actually did show you 2 distinct cases where the Mac malware didn't need it at all, using exploits.

> The dare is still there. 40,000,000 Macs out there. That ain't
> obscurity.

Exactly! 40M users ain't no obscurity, which is why Macs are now targeted. They are targeted less as the criminals don't think "equal opportunity exploitation" but rather "which population is bigger", and attack that.

But now the Mac is indeed, gladly, getting big enough, it is unfortunately being attacked. With exploits, without exploits, and with increasing security updates from Apple to cover published vulnerabilities, indicating yet again, the same trend.

> Meanwhile, I will continue to operate my five Macs with no malware
> apps. Sorry, but nothing you've shown me convinces me the hackers
> out there have the chops.

That is your right. I don't use any security software on my Mac either.

> But, sure, thanks for keeping your eyes on the skies.

I keep my eyes on the skies, especially when the sun is out. The rest of the time I watch botnets and the millions of infected computers connecting to them, and counting the increasing number of Mac machines.

Can you say "this was a religious debate?" Well, I can, which is why the result doesn't surprise me. You can't expect someone to change their faith, or to acknowledge the other side might be right.

I never for one moment attacked that the Mac isn't more secure, and I even mentioned I'm a Mac user. Yet this attack on your belief system makes you unwilling to concede that your original arguments as to why the Mac is secure no longer hold any water. Viruses for the Mac do exist, they are in-the-wild, and the trend is increasing even while the Mac is still more secure.

I am sorry you take this personally. All the best,

Gadi.






[The bit about "I never for one moment attacked that the Mac isn't more secure" is back-pedaling; in an earlier message, Gadi launched this whole discussion, in the first place, by claiming to Wade that release of Windows Vista had suddenly rendered Windows malware-hardened to a degree he claimed was lacking in OS X. Anyway, in addition to challenging Gadi's examples (below), I also gave some side-advice to Wade T. Smith, to help him better evaluate security information, generally:]






Date: Thu, 12 Nov 2009 23:46:48 -0800
From: Rick Moen (rick@linuxmafia.com)
To: skeptix@lists.opn.org
Subject: Re: security snake-oil
Organization: Dis-

Quoting Wade T Smith:

> OK, I'm not an expert....

If you want to get a working knowledge of real computer/network security:

1. Read Bill Cheswick and Steve Bellovin's book on firewalls and Internet security, which is accessible to the interested layman and will give you a good fundamental understanding.

2. Reading a few of Marcus Ranum's more mordant essays, such as

...will help you detect and reject the pervasive bullshit emanating from practically all people working in the security field.






[Then, turning to Gadi himself:]






Date: Fri, 13 Nov 2009 00:18:56 -0800
From: Rick Moen (rick@linuxmafia.com)
To: skeptix@lists.opn.org
Subject: Re: security snake-oil
Organization: Dis-

Gadi Evron suckered Wade T. Smith (and now me) into a rather silly discussion with:

> As to naming names, you didn't like my last URL due to how I define a
> virus. How about this one?
> http://www.theregister.co.uk/2009/01/26/more_mac_malware/

Article summary: Four examples are cited of downloadable code that has been trojaned. Two of them are bootlegged proprietary software distributed by software criminals. Two others (Macsweeper and iMunizator) are alleged antimalware programs that the cited article labels as being malware. However, upon examination, it turns out that they're not malware at all, but just not very good as antimalware utilities, and make preposterous and bogus complaints about perfectly OK files to motivate the user to pay money to register them ("scareware"):
http://en.wikipedia.org/wiki/MacSweeper
http://www.sophos.com/pressoffice/news/articles/2008/03/imunizator.html

So, news flash: People willing to be talked into doing incredibly and obviously stupid things with root-user authority can and will hurt their systems. Wow, I never knew that before! Thank you so much. (That's two of the examples, and the other two aren't even malware, just really bad downloadable programs.)

> Okay, here's another one:
> http://voices.washingtonpost.com/securityfix/2008/06/new_trojan_leverages_unpatched.html

Hey, am I being trolled?

Posting references to "Hey, download me and I'll mail you a lollipop" trojans isn't new. Throwing in two local privilege-escalation attacks to silently gain root on unpatched systems, if the user is dumb enough to download and run untrustworthy code from nobody in particular, isn't new either.

So, wow: A user acting in an extremely stupid manner is likely to hurt his/her system. News at 11.






[I elaborate extensively on what "unpatched systems" and "untrustworthy code from nobody in particular" in my later follow-up to Wade, further down this page. Essentially, "another one" was an obscure, unlikely vulnerability, that existed during a brief 1.5 month period in 2008, in a quite specialised and never-normally-enabled "Remote Desktop" network service. Exploiting that obscure and unlikely vulnerability still also required that a remote attacker already possess login credentials into the target system for Remote Desktop purposes. (The vulnerability merely let the user run programs with root privilege, once logged in.)

Gadi posted a rather evasive reply at this point, partially quoted in my further response, that unfortunately is missing from the mailing list archive.]






Date: Fri, 13 Nov 2009 18:42:20 -0800
From: Rick Moen (rick@linuxmafia.com)
To: skeptix@lists.opn.org
Subject: Re: security snake-oil
Organization: Dis-

Quoting Gadi Evron:

> So your whole attack against my arguments of risk analysis, criminal
> activity trends and security architecture is that you don't like the
> URLs of example malware?

You could try addressing the substance of what I wrote. Of course, pretending that I just "don't like the URLs of example malware" is admittedly a great deal easier. That might be deemed a compelling advantage.

> Do you dispute the existence of the malware?

See, folks, this is what I mean when I spoke of "pervasive bullshit emanating from practically all people working in the security field".

Gadi, it might be indeed that you're buddies with Bill Cheswick, Steve Bellovin, Marcus Ranum, and Fred Cohen. For all I know, you also conduct weekly seances with the ghosts of Richard Stevens and Fred Brooks, plus have tea with Donald Knuth every Tuesday at 4 PM. But I know for damned sure that none of them has ever gone around spewing time-wasting bullshit.

> Alright, I shall present arguments and references, and you can feel free
> to name them junk. I could hope for such strong opposition everywhere.

I'm still waiting for the part where you cease ignoring my having dissected, in this space, your several bullshit examples (e.g., from The Register, which of course was basically reprinting press releases from self-promoting anti-malware companies like Kaspersky) elsewhere in the thread.

> My best response to that is: chicken?

Thanks, but only if it's free-range. But if you're offering that, delivery at the address on my Web page will be gladly accepted.

> It is misleading that you should attack me ad hominem, generalize my
> arguments as junk, and claim authority, if you don't intend to back it
> up. It is getting tiresome.

I'm sorry, but what part of my having posted that separately was unclear?

I'm just not promising to debunk a continual stream of that sort of misleading rubbish so-called examples that turn out to be just another variety of bullshit own-goal, since I have other priorities. Come to think of it, I hope and expect that you do, too.






In a posting missing from the archive, but whose primary sentences are all quoted below, Gadi cited several more OS X "threats": a 2008 Apple Remote Desktop Agent vulnerability (not malware), the 2007 OSX.RSPlug.A trojan, the 2008 OSX/DNSChanger trojan, the 2006 OSX.Leap.A worm, and the 2005 OSX.Inqtana.A worm. All of these overblown examples of supposed "threats" get debunked in my mail below.

At this point, mailing list administrator Garrison Hilliard forbade further posts to that discussion thread. So, I continued my analysis with Wade off-list, in e-mail, CC'd to Gadi:]






Date: Tue, 17 Nov 2009 21:49:56 -0800
From: Rick Moen <rick@linuxmafia.com>
To: Wade T Smith
Cc: Gadi Evron
Subject: Re: security snake-oil

Wade, I'd been intending to eventually respond to Gadi on-mailing-list, but see that Garrison has forbidden further comment. So, I'm going to close the loop with Gadi, as I would have on-list. I'm not seeking further discussion.


Quoting Gadi Evron:

> So what is the substance of what you wrote? I don't get it.

Very brief analysis sufficed to show that all four of his alleged examples of "threats" were pretty laughable, in that two of them required that the user take unbelievably stupid actions, manually, with root-user authority (what you in MacOS technopeasant land would probably call "giving your credentials", which results in GUIfied invocation of sudo), manually running malware with system authority.

The other two examples were a single trick twice, which involved taking an unbelievably stupid action, manually, with regular user authority, and then having an unpatched bug in your local system that permitted a piece of malware to execute on your system and then exploit the unpatched bug to escalate privilege to gain system-level authority, and then hurt your system.

[RM notes: All of those examples are dissected in detail, further down this page.]

So, every one of his examples involved the easily and (pretty much) automatically avoidable user-level stupidity inherent in running untrustworthy code off the Internet. One of them (provided twice, as a claimed total of two) actually included a slightly interesting privilege-escalation that is claimed to have been briefly likely to work, because Apple, Inc. is claimed to have at that point ( June 18, 2008) not yet rolled out the fix for that local privilege-escalation bug in a software update, for, in that case, the "Apple Remote Desktop Agent vulnerability". The other two required the jaw-breaking stupidity of running untrustworthy code off the Internet as root.

The bit about system updates is something I had mentioned, separately: There have been a number of cases when Apple, Inc. has been a bit slow about rolling out fixes to particular holes. In general, if I recall correctly, those holes have been mostly theoretical and not devastating even if they were exploitable, and not holes with known exploits at that time. However, I noted this slowness as something to know about.

No offence intended, but I lack specifics on that matter in front of me because I really don't give a damn about MacOS or its user community, whom I consider in general to be nice folks but not worth my time to assist. I have other priorities. For similar reasons, I have zero interest in defending Apple, Inc. or its products against critics per se. I just get rather insulted by reading junk arguments, especially by people who know better.


Here, we begin to examine Gadi's closing post, about which we'll speak more later on:

>> See, folks, this is what I mean when I spoke of "pervasive bullshit
>> emanating from practically all people working in the security field".
>
> Excuse me, but what is it you claim, than? You said there are no threats
> for the Mac, I demonstrated several.

Gadi knows perfectly well that I said nothing even remotely like "there are no threats for the Mac". I said his particular examples were laughable.


Now, Wade, the thing is, once you start to learn the basics of security, you start to spot the aforementioned "pervasive bullshit emanating from practically all people working in the security field". Way back in the late 1980s, I had my suspicions. Even though the main environments I was obliged to work in were MS-Windows 3.x and Mac System 6.0.x, which were nearly devoid of security infrastructure (e.g., no privilege levels), I had a theory: "Hey, suppose I tried the strategy of keeping my system upgraded, not running sucky software, dealing with malware by just not running it, and keeping good backups in case of that or other mishap?" I stripped off all of the corporate-mandated anti-malware crap.

And there were two immediate results. 1. My systems became much more stable and better-performing. 2. The strategy worked perfectly.

I had to keep an eye out for sucky software. E.g., MS-Office apps turned out to have the horrible design defect of autorunning docs' Autoopen macros without notification by default. MS-Outlook/MS-Outlook Express turned out to have the horrible design defect of autorunning attachments by default (in "three-pane view").

As I learned more, I got better at knowing how to avoid having sucky software on my system at all. As I moved my computing over to Unixes, I learned about privilege levels, privilege escalation, how to understand and prune what runs, how to make sure that problematically designed app software (e.g., MSIE, Outlook, Outlook Express) isn't even present, how malware, automated probes, rootkits, IDSes, NIDSes, and so on work; what buffer overflows and stack smashing are, safe /tmp file handling, race conditions, why security through obscurity is rubbish, and more.

I learned that "viruses" (meaning malware in general, including trojans, worms, logic bombs) are not security problems, but rather secondary effects of security problems. People talking about the threat from malware, as Gadi does, have already ignored reality and gone straight to bullshit talk -- which is insulting, because in general it's deliberate.

It's bullshit talk because all of those code categories are just automated exploits (or manually launched shoot-at-your-own-feet exercises like Gadi's four "examples") of a real, actual system security vulnerability. You should have asked yourself: Isn't the hole the real problem, not the automated attack against it? No hole, then the attack is harmless and can be ignored.

Does the hole even exist on your system? As even Gadi acknowledges in some of his less misleading paragraphs, a lot of the alleged attacks "rely on vulnerabilities to gain access". Which in most cases involve either almost non-existent or literally non-existent windows of opportunity for hapless users to hurt themselves.


Example: The "Apple Remote Desktop Agent vulnerability" rested on a flaw in ARDAgent, which is a daemon. Is ARDAgent even running at all? (Turns out, it isn't by default.) If I cared about MacOS, I'd have checked that back in 2008. I'd have found that Apple had, at the time, screwed it up through negligence. See: http://www.matasano.com/log/1069/apple-ships-suids-with-applescript-dictionaries-hilarity-ensues/

This is one of the many reasons why I don't trust my computing to Apple, Inc. However, they pushed out the "Oops, we shouldn't have done that" patch in Security Update 2008-005 on July 31, 2008. So, even hapless OS X 10.4 and 10.5 users had a period of a bit under 1.5 months during which if they were stupid enough to let random strangers have Remote Desktop access (and run that network service, never normally enabled in the first place), those strangers would have root privilege. So, unlike other supposed examples, it didn't require that the local user run untrustworthy code off the Internet, but did require even less likely things.


But the larger point is: Why the fsck would you run untrustworthy code off the Internet? Gadi's favourite scenarios mostly seem to involve morons who download warez off eMule and then act all surprised when it's crammed full of malware. Please.

Now, one of the costs of all this bullshit is that it distracts people's attention from actual realistic threat models, things worth actually spending time preventing or mitigating. For example, JavaScript and Adobe/Macromedia Flash are Typhoid Marys. Use of ISP recursive nameservers is another Typhoid Mary.

See, those are real, actual issues. They're why I go through Firefox/Iceweasel's config options carefully, and have (among other things) Adblock Plus, CustomizeGoogle, NoScript, and User Agent Switcher in it. (See "Important note" in http://linuxmafia.com/~rick/faq/index.php?page=kicking#linuxbrowser about Firefox options.)

And you won't hear the Gadis of the world talking about those real issues. Instead, you hear non-technical fluff talk about how mafiosi are after you with basically bullshit trojans, network worms, and viruses (once again, quoting Gadi's post):

I'd like to begin by pointing out an article from 2007, by David Harley. He has a lot of experience with Mac malware (dating back from to the first Macs), and he provides with a good, balanced view on what it means and if it is real, back when we started seeing the problem: http://blogs.securiteam.com/index.php/archives/1029

(Linked article discusses the OSX.RSPlug.A trojan of 2007.)

One of the really tiresome aspects about the lucubrations of security industry people is that getting actual information about the mechanism of an alleged attack is often like pulling teeth. Were I a MacOS X user (or rather, had I been one back in November 2007), the very first question I'd want the answer to about OSX.RSPlug.A aka OSX/Puper is "How does the thing get executed?"

And the referenced article has nothing. Nothing at all, except that it's a "trojan". All of that apocalyptic virtual ink spilled, and the guy can't even bother telling how it works.

Upstream link is to http://www.intego.com/news/ism0705.asp, where finally you can get "How does the thing get executed?" answered. Answer: Trojan requires presence of a stupid user, willing to install untrustworthy software off the Internet -- with root authority, even. In this case, it's an alleged video codec (housing the trojan) supposedly required to see porn. The assumption seems to be that guys thinking with their gonads aren't able to realise it's stupid to install untrustworthy software off the Internet.

OK, so we have another example of "Don't install untrustworthy software off the Internet", which is somehow expected to be big news, with or without the addendum "...with root authority".

Continuing with our analysis of Gadi's post:

If seeing is believing, here is Alex Eckelberry providing with a screenshot of that 2007 virus: http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html

(Again, this is still the OSX.RSPlug.A trojan from 2007 he's talking about -- which, one notes in passing, is not a virus.) Wow, would-be porn-watcher shoots himself in the foot. GIF at 11!

Here is a 2008 video illustrating a different Mac virus which infected many, many, people: http://www.f-secure.com/weblog/archives/00001366.html

Again, absolutely nothing about the "How does the thing get executed?" question.

This particular thing is dubbed "OSX/DNSChanger" (likewise, not a virus). Turns out, wow, hey, get this for novelty: It's an alleged video codec required to see porn, that houses a trojan and has to be installed by a stupid user willing to install untrustworthy software off the Internet with root authority.

And here are two trojans discussed, with more illustrative pictures, and a vulnerability to exploit rather than human interaction (so that Rick is happy): http://www.f-secure.com/weblog/archives/00001461.html

Hey, wow, get this for novelty: It's an alleged installable piece of software (a poker game) that houses a trojan and has to be installed by a stupid user willing to install untrustworthy software off the Internet. If you were that stupid, and had the additional poor luck to be in that 1 1/2 month period in mid-2008 before Security Update 2008-005 came out, then you would do system damage. (The second example was a proof-of-concept demonstration of the ARDAgent problem, without a hi-are-you-stupid housing.)

Here are the slides all the way back to a 2006 lecture on analyzing a Mac binary virus: http://www.virusbtn.com/conference/vb2006/abstracts/vanOers.xml?mobile_on=yes

Referenced malware in said slides were:

You can sing it along with me, this time: "How does the thing get executed?"


OSX.Leap.A: Someone sends you an IM file attachment, a gzipped archive called "latestpics.tgz". One of the contents of the archive is a PowerPC OS X binary called "latestpics", with a false icon claiming that the file is a JPEG. It is in fact a network worm program. It is assumed that you will execute this untrustworthy software off the Internet because you assume that OS X will protect you and would not allow a file to have an incorrect icon. If you do, you are fooling yourself, because OS X has no such ability. Stuff downloaded off the Internet should not be trusted, and that certainly includes alleged image files.

Frankly, one of the many reasons I never trusted the click-a-document-icon-and-implicitly-launch-its-associated-application model introduced with MacOS and aped by MS-Windows is that I always want to make sure I know what I'm telling a computer to do, and the icon-association model is just way too fallible.

So, if someone e-mails me a picture file, I never double-click it in anything. I explicitly open an image-viewing application of my choosing, and use the app to view it. If the app can't read the file, maybe it's not an image file at all.

And yes, I was that cautious on Mac System 6.0.7, too. If someone mailed me an alleged MS-Word document, I saved it, opened MacWord, and used Word to open it. I've never regretted this discipline.

You as a Mac OS user are ingrained in the icon-app model, so you're probably going to go on being trusting. That's part of why I don't care about the Mac user community. Too hapless.

Anyway, OSX.Leap.A does require the user to do something stupid, to execute the malware. But it was at least competent social-engineering against the unwary, who might assume files from nobody in particular off the Internet are safe if they claim to be picture files.


OSX.Inqtana.A: Someone who's nobody in particular pushes a Bluetooth file transfer at your computer. You see a dialogue asking you if you wish to accept a copy. For some reason, you say "Sure". This should be harmless, even at that, even though the contents are a PowerPC-compiled network daemon worm binary in a tar-gzip archive and two startup files to ensure that the daemon gets relaunched at subsequent restarts. However, for a brief period in 2005, Apple had screwed up handling of incoming Bluetooth file transfers (failed to do input validation) such that the transfer could specify a non-default directory to land in, and OSX.Inqtana.A used this brief screw-up -- if still present -- to put the startup files where launchd would act on them at startup time.

That worm appeared in February 18, 2006. Apple's 10.4.1 Update (May 19, 2005 -- nine months before) fixed Apple's "Oops, we screwed up Bluetooth" coding error. So, the only hapless Mac users who could shoot themselves in the foot with this particular bullet were naive Bluetooth users who refuse system updates.


Now, all of the above took a fair amount of time to research and explain, which is part of the problem. This sort of dopey "Mac users are in trouble because criminals are finally noticing them" line that Gadi puts out takes him almost no time to compose, but takes serious time to debunk.

But now, Wade, you might be starting to see why I get frustrated with the sheer volume of bullshit from such people, when I know that they know better.








Date: Wed, 18 Nov 2009 20:24:30 -0800
From: Rick Moen <rick@linuxmafia.com>
To: Wade T Smith
Subject: Re: security snake-oil

Quoting Wade T Smith:

> I don't know much beyond squat, but I've also been frustrated by those
> malware reports not seeming to be complete. I figured they were being
> careful about letting too much info out there.

Yes, that's one of the things I used to think might account for it, too. When I found out that the anti-malware/security-industry people lack that excuse, and are just being deliberately vague, that was one of several things that made me a bit annoyed.

It's true that proprietary software vendors like to be vague about the exact details of vulnerabilities when they're first announced. That's on a theory that it'll add a few days to the period until the vulnerability is exploitable. You'll see this effect on the Bugtraq mailing list and similar places: Vendor announcements are of the form, "Um, yeah, turns out that we had a flaw somewhere in our SQL database that theoretically might allow someone to send you a carefully crafted set of packets that would result in your database dumping all of its data and e-mailing it to al-Queda. We recommend that you install Software Update 2009-01." No specifics about what that "set of packets" would be or how it would achieve the desired effect.

However, the point is that, when the announcement concerns a piece of malware that is allegedly already a real threat, the horse is already out of the barn. If it exploits a vulnerability, then the vulnerability is no longer something that can be hidden.

And, anyway, it's always the case that, if you dig long enough with a Web browser (sometimes up to, say, ten minutes), you can always find somewhere that very clearly explains how the malware gets executed.

But it's rarely a page at one of the anti-malware or security-consultancy companies. Or, if it is, it's made to be obscure. And my point about that is that it's the logical first question.

Like, OK, there's a bit of code I don't want to run. How does one run it, so I can best determine how not to? Seems like a really obvious question to me, and yet they bury the answers.


> Yup. What I get equally (more?) frustrated by is that it seems that
> the discovery of one, or two, pieces of evil code against the Mac will
> get trumpeted as the season it joins Windows in the unsafe camp.

Yes. Sheer numbers of malware pieces are completely meaningless. In many cases, first of all, you have minor variations on the same code that might as well be the same virus/trojan/worm for all the difference it makes. In other cases, they're attacks against vulnerabilities that are already fixed, or open for ridiculously small time windows, or are farfetched to begin with. And be no means are all malware pieces of the same importance, because the vulnerabilities they target aren't. And, you may recall, I was saying that it's not the malware that's the threat, anyway, but rather the vulnerability. Why is an exploitable vulnerability with 10 pieces of malware designed for it ten times worse than one with 1 piece of malware designed for it? Why is the malware a concern at all? Exploitable is exploitable, with or without malware. The people who count malware are either stupid, or think you are.


I have carefully ignored all the news about Vista and Windows 7, so I cannot comment on Gadi's claims about how supposedly safe MS-Windows now is. I can only mention the lesson of the transition from Win95/98/ME to Windows NT/2000/XP:

Back before NT, it was truly feasible to deal with security threats on a desktop box by just not running untrustworthy software. But NT introduced a number of network daemons that are running all the time, including an RPC (remote procedure call) portmapper.

We in the Unix world know about RPC portmappers. Sun Microsystems invented them, and then found out that they're a horrific security risk, such that protocols that rely on Sun RPC (NFS, NIS, NIS+) are deemed semi-safe only behind vigilantly defended corporate firewalls. You might have heard the jokes about NFS = No Friggin' Security, or Nightmare File System. That's largely because of RPCs.

And now, all NT and successor operating systems are running an RPC portmapper and a bunch of other publicly advertised network services, all the time, and the users aren't even aware of this.

The worst network worm of all time, SQL Slammer, was an automated attack against (primarily) the Microsoft Desktop Engine (MSDE), an embedded miniature copy of MS SQL Server that's included on an OEM basis in many MS-Windows consumer applications -- and that listens on a default TCP port for incoming network connections.

SQL Slammer saturated the global Internet in under 15 minutes, total, making large stretches of the Net borderline-unusable for days.

And MS-Windows users typically have no idea what network daemons ("services") they're running. Even if they did, they'd have no idea what'd break if they turned some of them off -- and they have no way of, say, reconfiguring MSDE to listen for database connections only on the localhost (internal-only) IP address 127.0.0.1.








Date: Mon, 23 Nov 2009 15:15:33 -0800
From: Rick Moen <rick@linuxmafia.com>
To: skeptic@lists.johnshopkins.edu
Subject: Re: New iPhone worm more serious than first thought
Organization: Dis-

Quoting PHarrison/interEng:

> A second worm to hit the iPhone has been unearthed by Finnish anti-virus
> software company F-Secure.
>
> It is specifically targeting people who are using their iPhones for
> Internet banking in the Netherlands.
>
> It redirects the Dutch bank's customers to a lookalike site with a
> log-in screen.
>
> The new worm is more serious than the first because it can behave like a
> botnet, warns F-Secure.

As usual, F-Secure says nothing whatsoever in the quoted text about the pivotal question: "How does the thing get executed?" The fact that the anti-malware companies -- and, sadly, most security experts, in general carefully avoid addressing that question is part of what maintains an air of mystery and magical agency enshrouding what's actually a pretty simple topic.

Here's how both the "ikee" and "Duh" network worms get executed:

One fine day, you decide to jailbreak your iPhone, perhaps because you got tired of the Church of Steve being in sole control of a device you paid good money to (supposedly) own. You then decide to install and run the ssh daemon (an advertised TCP/IP network service for remote login). Despite your just having made remote network login available for the entire public to your telephone, it somehow never dawns on you that you should change the default root-user password for which all iPhones are set (which is apparently "alpine").

So, an automated process (in this case the "Duh" worm) enters through the carelessly unlocked (and, really, left ajar with a neon sign saying "suckerville" would be a better metaphor) front door, and sets out to do various nefarious things thereafter.

So, victims of the attack would need to simultaneously be sophisticated enough to jailbreak their Apple-DRMed smartphones and stupid enough to install and run a globally reachable remote login daemon without bothering to change the factory default root-user password.

F-Secure's implicit message is that you need its help to protect you against dire threats you cannot understand. Pretty much always, the supposed threat isn't dire, is easy to understand once you find the answer to the question they carefully don't address, and can be easily averted without F-Secure's help. (I don't mean to single out F-Secure especially; they're all bad in that respect.)








Date: Tue, 24 Nov 2009 12:04:25 -0800
From: Rick Moen <rick@linuxmafia.com>
To: Wade T Smith
Subject: (forw) Re: New iPhone worm more serious than first thought

Need I mention that this F-Secure press release masquerading as a news article is precisely the sort of deliberately bad security advice that Gadi Evron also specialises in?

Before Garrison banned further discussion on Skeptix, I was intending, among other things, to debunk the article several people cited as a good summary of anti-malware measures Mac OS users should take. Without getting into details, let's just say it suffers the same vendor-focussed myopia and magical thinking that the F-Secure press release / article does, including the (key) failure to consider mechanism.

Looking from the open source Linux/BSD community perspective, the entire commercial anti-malware / computer security industry is basically founded on intellectual fraud, and its recommendations are absurd. Real security rests on these principles:

  1. You, the user, are responsible for what processes you choose to run. Therefore:
  2. Don't download and run processes off the Internet you have no reason to trust, including "postcards", supposed video codecs, games, antivirus software from firms you've never heard of, "Internet accelerators" from firms you've never heard of, and so on.
  3. Try not to run avoidable software that is known to be badly ridden and have ongoing security problems. (This is a central point of several of Marcus Ranum's security essays.)
  4. Use only maintained operating systems and applications (i.e., ones for which you get and apply security updates).
  5. Don't do stupid chump moves just because a piece of software that you have no reason to trust asks you to (including providing your root-user access credentials).
  6. If something seems not quite right, e.g., a request to accept a file via Bluetooth pops up that you weren't expecting, assume that it's against your interests.
  7. Subscribe to the security alert announcements mailing list for your operating system / distribution, and skim-read for any relevant to your situation.

Really, item #1 actually covers the subject: The others just elaborate further on that concept, and are ramifications of it.

We of the open source community rely on those guidelines and no other protection -- and it works. Companies like F-Secure keep trying to sell "anti-malware" software for Linux and the BSDs, but completely fail to make sales because we just laugh at them.

Something many Linux users including yrs. truly have been slow to understand is the reason why many MS-Windows and MacOS users tend to fail on step #4, applying security updates. Why on earth would such users not apply updates? On MacOS X, there's even that "Software Update" pop-up thingie to remind you of the need, and to make the process semi-automatic.

The reason: Software bootlegging, along with unwillingness to pay for upgrades. People install and use unsupported, obsolete MS-Windows and MacOS X versions because they use stolen media / activation keys, and are unwilling to pay for current releases. We open source people don't have the "pay us money if you want bug fixes" problem, so it's easy to forget that's a pervasive reality for other people.

Users of unmaintained, obsolete proprietary operating systems are probably thus the real target of the sort of malware Gadi yammers on about (e.g., many of the trojans and worms).