Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Fake Word 2004 demo file causes irradication of a mac's Hom...
- Thread starter MacBytes
- Start date
- Sort by reaction score
JtheLemur said:
Quote from eonblue.com:
"another Trojan" - this is not even a trojan.
"potentially the same codebase" - what great evidence, "potentially" the same codebase. I hate to break it to you, we know it's definitely not the same codebase.
"what looks like the same activation mechanism" - wow, the same activation mechanism, what would that be, you have to execute the file?
"that actually deletes files" - now that's certainly compelling evidence, how could anyone possibly have the exact same absurd idea (deleting files) as Intego without actually being Intego?
Huh?
123 said:
if you have access to damn near pure h2o, you can easily use your computer under water (well, except for moving parts).
it is not the h2o that conducts, it is the impurities in it. i believe salt (nacl?) is the main conductor, could be wrong.
Flowbee said:
Not to mention there are several great alternatives to photoshop that range from free to not-too-much. If you really need the Photoshop name, get LE 2. It's under $100 and as a student I paid $50.
In most tap water it's Ca^2+, CO_3^2-, F^-, and Pb^+2, but the dust in the computer would work just as well.idkew said:
On topic, I consider this an ID ten t error, resulting from a PBKAC.
Flowbee said:
wouldn't one notice the size of the file? ms word 2004 is not going to be a MB or so. unless the download was full of other stuff to make the size look legit, but certainly a tiny download would cry foul.
Avoiding trojans is a matter of trust. Consider all of these situations where you can aquire software:
1) Download from P2P
2) Receive via e-mail
3) Download from a website you've never seen before
4) Receive on a disk from a friend
5) Download from a popular server used by many people you know
6) Download from a popular server and verify the checksum of the file
7) Download from a server that includes a cryptographic signature of the file
8) Download from a server that includes a cryptographic signature made from a key signed by a trusted authority
You might notice that list is loosely ordered from least trustworthy sources to most trustworthy sources. Frankly, anybody that trusts software from the first four sources is asking for trouble.
The first and second are downright trivial to spoof. The third can be spoofed too, but the effort of running a website makes it harder, plus it tends to provide contact information that can lead back to you easily. This is a big source of spyware in the Windows world, though.
The fourth relies on your friend being capable of knowing whether his source is trustworthy, and with some friends I just couldn't trust that. The fifth is basic law of averages. If it worked for most people, it should work for you.
The sixth prevents certain malicious attacks. The seventh and eighth defeat nearly any malicious attack and establish explicit levels of trust. In the case of the seventh, you have to trust the person that signed it is who they say they are. In the eighth, you have to trust the trusted authority that believes the person that signed is who they say they are.
So basically, don't trust the first two ever. Never run an application you downloaded from P2P. Scan any data files first if you must have them. Same with e-mail attachments. Not downloading files from strange websites is something Windows users need to learn more than Mac users, but better to learn it now, before Mac spyware exists. Use your own judgement when it comes to software your friends give you.
Downloading from popular websites tends to be safe. There isn't really any protection in it, but if a virus is put on a popular website, it will be found pretty quickly. Adding checksums to the mix is pretty much the same thing, but is handy when there may be a malicious hacker trying to mess with the file.
The final two options are for the paranoid. There are cases where that is a good thing. Cryptograhpic signatures are a very good idea when there is a central distribution server that can be attacked. This is the case with things such as OS patches, browser plugins, and package repositories. If it's centralized and used by a lot of people, paranoid security is a very good idea.
Just a little trust and security primer. This guy running an application he got from P2P is indeed a stupid thing to have done. Trojans will exist, so learn what you can trust and what you can't. It's as simple as that.
1) Download from P2P
2) Receive via e-mail
3) Download from a website you've never seen before
4) Receive on a disk from a friend
5) Download from a popular server used by many people you know
6) Download from a popular server and verify the checksum of the file
7) Download from a server that includes a cryptographic signature of the file
8) Download from a server that includes a cryptographic signature made from a key signed by a trusted authority
You might notice that list is loosely ordered from least trustworthy sources to most trustworthy sources. Frankly, anybody that trusts software from the first four sources is asking for trouble.
The first and second are downright trivial to spoof. The third can be spoofed too, but the effort of running a website makes it harder, plus it tends to provide contact information that can lead back to you easily. This is a big source of spyware in the Windows world, though.
The fourth relies on your friend being capable of knowing whether his source is trustworthy, and with some friends I just couldn't trust that. The fifth is basic law of averages. If it worked for most people, it should work for you.
The sixth prevents certain malicious attacks. The seventh and eighth defeat nearly any malicious attack and establish explicit levels of trust. In the case of the seventh, you have to trust the person that signed it is who they say they are. In the eighth, you have to trust the trusted authority that believes the person that signed is who they say they are.
So basically, don't trust the first two ever. Never run an application you downloaded from P2P. Scan any data files first if you must have them. Same with e-mail attachments. Not downloading files from strange websites is something Windows users need to learn more than Mac users, but better to learn it now, before Mac spyware exists. Use your own judgement when it comes to software your friends give you.
Downloading from popular websites tends to be safe. There isn't really any protection in it, but if a virus is put on a popular website, it will be found pretty quickly. Adding checksums to the mix is pretty much the same thing, but is handy when there may be a malicious hacker trying to mess with the file.
The final two options are for the paranoid. There are cases where that is a good thing. Cryptograhpic signatures are a very good idea when there is a central distribution server that can be attacked. This is the case with things such as OS patches, browser plugins, and package repositories. If it's centralized and used by a lot of people, paranoid security is a very good idea.
Just a little trust and security primer. This guy running an application he got from P2P is indeed a stupid thing to have done. Trojans will exist, so learn what you can trust and what you can't. It's as simple as that.
Flowbee said:
There is a really obvious one...if you download and lose your home folder then...yes, it is a fraud. There, isn't that simple enough...just be sure to test for the fraud using your friends mac...or better yet, download, take a CD to an applestore and install away!
twalkabout said:
Sure. And I want to drive a car without having to understand anything about traffic rules, driving physics etc. I also want world peace and that all people love each other.
twalkabout said:
I also don't want somebody to be able to steal my money when walking in the mall or break into my house when I'm not at home.
twalkabout said:
The fact of life is that there are certain risks that you should be aware of. You are free to ignore them but in that case it's really no help to complain about it if you get hit.
twalkabout said:
You can't get more security without losing some freedom. Of course it would be possible to e.g. create an OS that would ask you for permission every time some app wants to delete a file. But - trust me - you do not want that. Applications need to create and delete files all day long. That's what they are made for: handling data.
You have to draw a line somewhere. If you want some data to be more secure, there are several options. Store it in some folder outside your home directory where you have no write access. Store it on an external drive. Store it on a separate computer, etc etc.
Andreas
'Borg3of5 said:
Your Dictionary at http://www.yourdictionary.com/
defines steal as: To take (the property of another) without right or permission.
I would not doubt it if the "legal" definition is outdated and still states it as different, but the fact of the matter is it is stealing. The software and music is the intellectual property of the owner and you don't have the right or persmission unless you pay for it. I get tired of people saying it is not stealing...it is! You didn't create it, you don't get to benefit from it unless you buy it! Pretty simple if you ask me.
Take the Kinkos case a few years back where they were copying copywrited books (actual physical books) and selling the packets to college students for a premium. That was deemed illegeal by the courts and they paid millions of dollars in damages. No different than copying (downloading is the same as copying) some physical computer code...it is actually a physical thing just like a book as the code is written on hard drives, removable media, etc at the creators site and consists of numbers and such that make up the software code. Music is the same way...it consists of "data" on a CD, (hard drive), or other recorder and is a physical thing.
The thing I take justice in knowing is that all these people who steal music and software will probably be running a company or band someday that has to deal with the theives, but they will be on the other end...I hope at least!
Johnny <------stepping off soapbox now
Awimoway said:
That's, in general, a very good idea. No application launched within a given user account can effect anything outside the user's home directory without asking for an administrator's password, in principle.
Snowy_River said:
That's not true. You may have write access to directories and/or files outside your home directory.
One example is files you created yourself in /Users/Shared/
Still - everything that's not created by you and not explicitly altered to give you write access is safe.
Andreas
davecuse said:
Well, actually, if they did that, they'd be in some serious trouble. It would be a trivial matter for someone to file an intentionally wronged suit against MS, simply stating that they thought this was a legitimate 'demo' of the product.
No, MS would have to do it a little differently if they were to try a tactic like this. For example, they might be able to get away with providing an illegal copy on P2P networks that would dig to find personal information about you and send it to MS. Oh, wait, they already do that....
nagromme said:
Just as a nit-picking point, the app didn't claim to be MS Office. It claimed to be a web-installer for a Demo version of MS Word. Being a web-installer, the small file size was completely reasonable. Also, being an installer for a demo version, it can hardly be said that he was pirating. I'd say it's just a demonstration of his foolishness not to go to the MS website to try to find the original (which of course doesn't exist). However, perhaps I can also understand his not doing so. I've had more than one experience where I was looking for a file on the MS site that I knew was available, and it took me forever to find it. That site is labyrinthine!
idkew said:
In point of fact, even pure water conducts electricity, as some of the water molecules dissociate into OH- and H+ ions. So, if you really wanted to be safe with running your computer underwater, you'd have to use de-ionized water, which is a step up from pure.
FosterKanig said:
my thoughts exactly! why to dl any kind of demo stuff from elsewhere than the publisher's site?
still, this troyan horse thing ain't nice. I can see the face of a PC lover when he/she reads this news. "HAH! MAC HAS VULNERABILITIES! WHAT DO YOU SAY NOW?! HUH?! HUH?!!"