Self-signed root certificate

Everything you need to know, right there in four words.

That's what I was thinking. Do not (ever never) accept a self-signed certificate unless you are absolutely sure (and have absolutely no doubt) of who signed it. Oh, and if it's a self-signed root certificate, just don't accept it.
 
"Both companies have conveniently noted that they offer products capable of identifying and eliminating the malware"

And there you have it.
 
Why do Mac users fuss so much over whether something is defined as a virus or a trojan? Malware is malware - you just have to learn how to deal with it.
 
Why do Mac users fuss so much over whether something is defined as a virus or a trojan? Malware is malware - you just have to learn how to deal with it.

Because they want to hang onto the idea that Macs don't get viruses. But Windows doesn't get viruses anymore either. It's all stuff you have to be stupid enough to install yourself for the most part. But if Apple is continuing to grow at their current pace, these sorts of things will increasingly target the Mac (and their iOS devices). Code is code. Not sure why people think one platform would be immune to malicious code.
 
Relatives got hold of my Mac the past couple of hours. Going to check the whole system with ClamXav. Just making sure that there are no files around that could mess with my Windows Partition.
:apple:
 
Another of 10 Billion Reasons to Disable Java in Your Browser

Why would you let a random web developer run an application on your machine? Disable Java in the browser preferences. Enable it when you need to use it. There is nothing good about a Java app running without permission from you.
 
A while back I noticed that keepvid.com started giving a similar message about needing access to your computer and having an untrusted certificate. That's when I stopped using keepvid.com.
 
Yeah, disable Java in your browser... I mean how often do you actually use Java in your browser? I generally try to avoid Java apps altogether, they're way too slow.
 
When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system.

That's awesome.

It's all stuff you have to be stupid enough to install yourself for the most part.

But clicking one link and you're infected? That's impressive. Just think of all those "Rickroll" pranks that happened a year ago and then pretend to use the same technique with this trojan. :eek:
 
When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.


In Mac OS X when an installer launches, it asks for your password to be run. Once you enter your password, the installer runs and then the trojan bypasses the need for a password. You have to enter your password to run the trojan's installer. Hence, it is a trojan and not a virus.

BTW, how long does everyone think it will take for a definition of this trojan to be added to XProtect that is built in to Snow Leopard?
 
To those of you saying "you have to be stupid to blah blah blah" and "it's highlighted in red blah blah blah", keep in mind that you don't see the part in red with the initial message, which will look more like this:

screenshot20101027at220.png


You don't see the red text and you don't see "not trusted" until you click Show Details. I don't care how smart you are in how many categories, everybody is stupid in something, so save your petty judgements and maybe your mind will open up enough to see how some very smart people who aren't as computer-savvy might be tricked into such a move.
 
Not only that, but the question is: WHY use Java in the first place? To run ridiculously-slow and badly-designed apps? It's a pretty much useless thing on Macs nowadays.

Why do Mac users fuss so much over whether something is defined as a virus or a trojan? Malware is malware - you just have to learn how to deal with it.

Because there is nothing the user can do to prevent themselves from getting a virus.

A trojan, on the other hand, is impossible to defend against.

Real-world analogy: a virus picks your locks and sneaks in the back door. The fix? Get a better lock!

A Trojan rings the doorbell and asks to be let in the front door. If you let him in, that's not a security issue, that's an idiot issue.

That being said, security warnings like the one pictured should have Cancel/No/etc as the default option.
 
In Mac OS X when an installer launches, it asks for your password to be run. Once you enter your password, the installer runs and then the trojan bypasses the need for a password. You have to enter your password to run the trojan's installer. Hence, it is a trojan and not a virus

Who called it a virus? Read the next sentence and there's the word trojan right there plain as day. If you read the article it states no password or administrator privileges is needed. Are you refuting that claim?
 
Because there is nothing the user can do to prevent themselves from getting a virus.
Ok, what in your view is the difference between a virus and a worm?

The definition of a worm is that it can spread from computer to computer without any user action beyond connecting to a network or connecting a physical device (e.g., a USB stick).

The definition of a virus has two different origins:
a) it is attached/hidden in something else, a file, an e-mail, a download, or even a physical device (eg, USB stick)
b) it can replicate and spread itself

The definition of a trojan is that it tricks the user into doing something.

Now it does not take an English major to figure out that these definitions do not exclude each other. Some people have taken it thus that any malware that fits the definition of a virus and a trojan should only be called a trojan.

It is unclear whether malware that requires nothing else but visiting a webpage should be called a trojan or a virus (it definitely is not a worm).
 
To those of you saying "you have to be stupid to blah blah blah" and "it's highlighted in red blah blah blah", keep in mind that you don't see the part in red with the initial message, which will look more like this:

screenshot20101027at220.png


You don't see the red text and you don't see "not trusted" until you click Show Details. I don't care how smart you are in how many categories, everybody is stupid in something, so save your petty judgements and maybe your mind will open up enough to see how some very smart people who aren't as computer-savvy might be tricked into such a move.

+1
 
Who called it a virus? Read the next sentence and there's the word trojan right there plain as day. If you read the article it states no password or administrator privileges is needed. Are you refuting that claim?

This is directly from that article:

When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.

It says exactly what I summarized before but it leaves out some details to create a more sensational article. To run, it needs your password.

Send me a link to the video and I will take screen shots. I tried to find it for fun but was not able to do so.
 
To those of you saying "you have to be stupid to blah blah blah" and "it's highlighted in red blah blah blah", keep in mind that you don't see the part in red with the initial message, which will look more like this:

screenshot20101027at220.png


You don't see the red text and you don't see "not trusted" until you click Show Details. I don't care how smart you are in how many categories, everybody is stupid in something, so save your petty judgements and maybe your mind will open up enough to see how some very smart people who aren't as computer-savvy might be tricked into such a move.

How do I get that prompt from KeepVid? I want to check it out.
 
Because they want to hang onto the idea that Macs don't get viruses. But Windows doesn't get viruses anymore either. It's all stuff you have to be stupid enough to install yourself for the most part. But if Apple is continuing to grow at their current pace, these sorts of things will increasingly target the Mac (and their iOS devices). Code is code. Not sure why people think one platform would be immune to malicious code.

The design consideration and implementation of security will certainly affect how vulnerable an OS is. You are right that code is code, but it's more that PEOPLE write code, so it is not immune to faults/security vulnerabilities.

However, a properly designed OS with security policies that are not just an afterthought will certainly be more secure than an OS which put security on the back burner. Now I am not saying that Windows does this in particular, but because of quite a bit of legacy support that even new Windows versions include, it actually compromises the security advancements of a NEWER Windows OS.

Imagine you are at a lab where secure areas are planned and drawn into the floor plan. You have double door hallways with keycard access, elevators with level restriction, etc. And then at another lab, instead of building these features in, you just create random walls in the middle of the room, putting a sign up that says "restricted entry" with a double swing door, and giving out keycards that have full access privilege to anyone in the lab regardless of clearance level. Which is more secure?

Unix or a Unix-based system is more secure by nature because it has security in mind first and foremost. That is why in practice Unix systems are more secure than their Windows counterparts. If you remember back in the Windows 3.1, 95, 98, ME days, these systems were more or less built on "consumer" mentality, so multi-user logins and other security features were spotty... with Windows 2000 and XP coming along they realized the need for this and added in "security" systems but because of backwards compatibility (say a program, number munchers) needed full root access in order for it to work (like writing to a system DLL), MS had no choice but to give access, or sandbox the application...

This is STILL the case today (XP mode anyone?) and supporting a lot of legacy software means it's a pain in the ass for Microsoft to think about all the corner cases where these security holes can exist. Couple this with the fact that it's PEOPLE who write code, you'll introduce vulnerabilities.

So after that long statement (man I'm bored at work)... You can't just say "code is code" and "But Windows doesn't get viruses anymore either" because the FUNDAMENTAL difference in a Unix-based system and a Windows-based system IS how it handles security.

Viruses/Trojans/Worms (let's not get into technicalities about how to name them, shall we?) deal the most damage by attaching themselves onto system files and/or running as a background daemon etc. So in a Unix-based system (in this case OS X), your username/password or your user input is needed for it to even get to the place it wants to go. While in Windows, it still sorta/kinda does but there are certainly more ways to access those files without so many security barriers.
 
To those of you saying "you have to be stupid to blah blah blah" and "it's highlighted in red blah blah blah", keep in mind that you don't see the part in red with the initial message, which will look more like this:

screenshot20101027at220.png


You don't see the red text and you don't see "not trusted" until you click Show Details. I don't care how smart you are in how many categories, everybody is stupid in something, so save your petty judgements and maybe your mind will open up enough to see how some very smart people who aren't as computer-savvy might be tricked into such a move.

Fantastic response.
 
Also, cybaster, when reading about the security mitigations in Windows 7, the problem not only includes greater support for legacy software that does not utilize the security mitigations but also that even recent releases of popular third party software do not use these security mitigations as well.

This issue with third party software not using the security mitigations in Windows 7 is shown in this article.
 
Because they want to hang onto the idea that Macs don't get viruses. But Windows doesn't get viruses anymore either. It's all stuff you have to be stupid enough to install yourself for the most part. But if Apple is continuing to grow at their current pace, these sorts of things will increasingly target the Mac (and their iOS devices). Code is code. Not sure why people think one platform would be immune to malicious code.

That's absurd. There's a huge difference. The fact is that Windows machines get infected without any user interaction; Mac can only (so far) get infected by tricking the user into doing something. It's the difference between forcible rape and seduction.
 
That's absurd. There's a huge difference. The fact is that Windows machines get infected without any user interaction; Mac can only (so far) get infected by tricking the user into doing something. It's the difference between forcible rape and seduction.

Until now I never thought I'd actually prefer a car analogy. :eek:


Analogies just don't work. Stop it.
 