If only there was a way to securely distribute Mac software that was verified and came from the actual developer and customers would have some kind of assurance that it was not malware or hacked versions of legit apps...
 
Someone has already replied specifically why HandBrake cannot be distributed via the Mac App Store...

In short: the reason they gave was "GPL licensing. Apple don't allow it."

 
Reactions: Menneisyys2
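Outside the App Store, the practical substitute for that assurance is checking what the developer publishes out of band: the SHA-256 digest of the download and, on macOS, the Developer ID signature. The script below is an added example written for this thread, not code from HandBrake, Panic or MacRumors. It assumes the digest passed as the second argument was copied from the developer's own HTTPS page rather than from the mirror that served the file; the signature check uses the standard `codesign` and `spctl` tools and is skipped on other systems.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded installer against the
# SHA-256 digest the developer publishes, and on macOS also verify its signature.
# ASSUMED: EXPECTED_SHA256 was copied from the developer's own HTTPS page, not
# from the same mirror that served the file.

sha256_of() {
    # Portable SHA-256 of a file: Linux ships sha256sum, macOS ships shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_download() {
    # verify_download FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
    # The published digest is lower-cased so copy-pasted uppercase hex still matches.
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        printf 'MISMATCH: %s\n  published %s\n  computed  %s\n' "$file" "$expected" "$actual" >&2
        return 1
    fi
    printf 'OK: %s matches the published SHA-256\n' "$file"
}

verify_signature() {
    # verify_signature APP_BUNDLE -> on macOS, require an intact code signature and
    # a clean Gatekeeper assessment; on other systems the check is skipped (0).
    if [ "$(uname)" != Darwin ]; then
        echo "skip: code-signature check only runs on macOS" >&2
        return 0
    fi
    codesign --verify --deep --strict "$1" || return 1
    spctl --assess --type execute "$1" || return 1
}

main() {
    # Self-test on a constructed file. A real run passes the downloaded DMG or
    # .app and the digest from the developer's download page instead.
    tmp=$(mktemp)
    printf 'constructed sample payload\n' > "$tmp"
    digest=$(sha256_of "$tmp")
    verify_download "$tmp" "$digest"
    verify_download "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" \
        || echo "tampered copy rejected"
    rm -f "$tmp"
}
main "$@"
```

The digest comparison only helps if the expected value did not travel with the file: a trojanized mirror can publish a matching hash for its own payload, which is why the signature check on macOS is the stronger of the two.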
With all these hacks the world has been through, it looks like good old pen and paper is going to become very fashionable again.
 
Doesn't Github use 2FA?

Yes, and ...

Hackers accessed Frank's computer through the infected HandBrake software and were able to obtain his usernames and passwords, including login information for Github.

How did they "obtain" usernames and passwords without needing the password of his computer? Sounds like he was storing this information insecurely somehow. Macs have come with an encrypted password manager since the first version of OS X. There's _no_ excuse for Mac users to be storing passwords in plain-text anywhere!
 
Anyway, they don't deserve this and they have my empathy and compassion for what they're going through.

I love Panic, too. But this is a good example of poor password management, and I expect better from Panic. They would not hesitate to encourage their customers to practice safe password management, so why/how were they lacking on this?

Reminds me of a situation a couple of years ago where a Git hosting provider that I was using got hacked, and their Amazon accounts were held hostage in exchange for ransom. When they didn't pay, the data was deleted. Everything was lost. Company no more. Customers left hanging. They never did reply to any of my support calls. They, too, failed to manage login credentials properly, including not using 2FA.
 
Reactions: jb-net
How did they "obtain" usernames and passwords without needing the password of his computer? Sounds like he was storing this information insecurely somehow. Macs have come with an encrypted password manager since the first version of OS X. There's _no_ excuse for Mac users to be storing passwords in plain-text anywhere!

You can pull all the information out of the Keychain with ease if you have access to the machine. I know, we've sold a product to the government that does so since 2008.
 
How did they "obtain" usernames and passwords without needing the password of his computer? Sounds like he was storing this information insecurely somehow. Macs have come with an encrypted password manager since the first version of OS X. There's _no_ excuse for Mac users to be storing passwords in plain-text anywhere!

I assume that since his Mac was unlocked at the time when he gave the Trojan access, it was able to query the Keychain as any other app would - plus it probably retained the credentials to sign in if locked.
 
Reactions: ArtOfWarfare
I remember when there were a far greater variety of apps in the Mac App Store, then Apple tightened the policies and a bunch of app developers jumped ship, distributing directly instead. It's a shame because the store was a good idea, just poorly executed.
They basically traded usability for security. I understand their reasoning even if I don't fully agree with it. Allowing non-sandboxed apps and warning (aka educating) the user when they load these apps would be better.
 
Reactions: jb-net and Stella
So I know there are legitimate reasons to use Handbrake (I used it myself to create electronic versions of physical media I own) but I also know that there are probably more Handbrake users involved in piracy than not. I just say this as it would be ironic if that leads to piracy of Panic products.

In any case, I'm a Coda owner (paid for) and user and I hope this doesn't end badly for him.

Well..... technically ripping DVDs you own that have anti-piracy software on it is also illegal.
 
Doesn't Github use 2FA?
Not by default, but they support it. But this wouldn't do any good either way. They could just clone it and copy it from his Mac using this trojan. What they could have done, which nobody really does, is keep the Keychain always locked and put a password on any git SSH keys used.
 
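Taking the suggestion in the post above (a locked keychain and passphrase-protected SSH keys) as an added example, not code from the thread or from Panic: the script audits the private keys in `~/.ssh` by their on-disk format, flags a git credential helper that writes secrets to a plaintext file, and provides a function to lock the login keychain on sleep and after an idle timeout. Assumptions: OpenSSH key files in legacy PEM or openssh-key-v1 format, an INI-style `~/.gitconfig`, and macOS's `security` tool for the keychain step (skipped on other systems). Key files are only read, never modified.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two things the post suggests,
# plus the git credential store that goes with them.
#   1. Are the SSH private keys in ~/.ssh passphrase-protected?
#   2. Is the git credential helper writing secrets to a plaintext file?
#   3. (macOS only, called explicitly) lock the login keychain on sleep and
#      after an idle timeout, so an unlocked session is not a standing grant.
# ASSUMED: OpenSSH keys in legacy PEM or openssh-key-v1 format, an INI-style
# git config. Nothing here modifies a key file.

key_is_encrypted() {
    # key_is_encrypted KEYFILE -> 0 if passphrase-protected, 1 if stored in clear.
    # Legacy PEM and PKCS#8 keys announce encryption in a header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then return 0; fi
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then return 0; fi
    # openssh-key-v1 puts the cipher name right after the magic string, so the
    # first base64 line is enough: "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU" decodes to
    # cipher "none", while an encrypted key reads e.g. "...AAAACmFlczI1Ni1jdHI"
    # (aes256-ctr) at the same offset.
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        body=$(sed -n '2p' "$1")
        case $body in
            b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) return 1 ;;
            b3BlbnNzaC1rZXktdjEA*) return 0 ;;
        esac
    fi
    # Unknown or headerless PEM: assume the worst.
    return 1
}

audit_ssh_keys() {
    # audit_ssh_keys DIR -> one line per private key found; 0 only if all are encrypted.
    bad=0
    for key in "$1"/*; do
        [ -f "$key" ] || continue
        grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null || continue
        if key_is_encrypted "$key"; then
            echo "encrypted: $key"
        else
            echo "PLAINTEXT: $key  (fix: ssh-keygen -p -f $key)"
            bad=1
        fi
    done
    return $bad
}

git_credentials_in_clear() {
    # git_credentials_in_clear GITCONFIG -> 0 if credential.helper is "store",
    # which writes HTTPS passwords/tokens to ~/.git-credentials unencrypted.
    # ASSUMED: the first "helper =" line belongs to the [credential] section.
    helper=$(sed -n 's/^[[:space:]]*helper[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    case $helper in
        store*) return 0 ;;
        *) return 1 ;;
    esac
}

harden_keychain() {
    # macOS only: lock the default (login) keychain when the Mac sleeps (-l)
    # and after 300 s idle (-u -t 300). Call this explicitly; main() does not.
    if [ "$(uname)" != Darwin ]; then
        echo "skip: keychain settings only apply on macOS" >&2
        return 0
    fi
    security set-keychain-settings -l -u -t 300
}

main() {
    dir=${1:-$HOME/.ssh}
    cfg=${2:-$HOME/.gitconfig}
    if [ -d "$dir" ]; then
        if ! audit_ssh_keys "$dir"; then
            echo "WARNING: unencrypted SSH keys found; any process running as you can copy them" >&2
        fi
    fi
    if [ -f "$cfg" ] && git_credentials_in_clear "$cfg"; then
        echo "WARNING: credential.helper=store keeps git passwords in plaintext; use osxkeychain or a manager" >&2
    fi
    return 0
}
main "$@"
```

`ssh-keygen -p -f <key>` adds a passphrase to an existing key in place; afterwards load it with `ssh-add -t 3600` so the decrypted copy in the agent expires instead of sitting there indefinitely. A keychain timeout only shortens the window: it does not protect against a process that has already obtained the login password through a fake prompt, as described elsewhere in this thread.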
This really sucks. I hope they get the best possible outcome. They're great guys and don't deserve this. I use nearly all of their Mac and iOS apps. I don't know what I'd do without Coda every single day. I'm thinking about buying Firewatch to help support them through this tough time. I've been meaning to play it but haven't had the time. It looks beautiful.
 
How did they "obtain" usernames and passwords without needing the password of his computer? Sounds like he was storing this information insecurely somehow. Macs have come with an encrypted password manager since the first version of OS X. There's _no_ excuse for Mac users to be storing passwords in plain-text anywhere!

This malware shows a fake authorisation prompt that asks for administrator credentials to install 'additional codecs'. In truth, it is simply phishing for the keychain password.

Yes, even if Apple allowed it, I don't think GPL does.

They are indeed mutually exclusive.
 
So I know there are legitimate reasons to use Handbrake (I used it myself to create electronic versions of physical media I own) but I also know that there are probably more Handbrake users involved in piracy than not. I just say this as it would be ironic if that leads to piracy of Panic products.

In any case, I'm a Coda owner (paid for) and user and I hope this doesn't end badly for him.
It never occurred to me. If Handbrake weren't available, there are plenty of tools like VLC to do it. And VLC is also what pirates use to watch videos because people always release them in weird formats for some reason.
Probably an idea to just give it away now. If it's free from their site it won't be downloaded elsewhere.
What would that solve? Their source code is out. The problem isn't piracy; that could be done before. I doubt their src is safe even if they pay the ransom.
How did they "obtain" usernames and passwords without needing the password of his computer? Sounds like he was storing this information insecurely somehow. Macs have come with an encrypted password manager since the first version of OS X. There's _no_ excuse for Mac users to be storing passwords in plain-text anywhere!
It's kept unlocked by default. When's the last time you entered your password to allow access to your Keychain?

I don't believe in root permissions. Things need to be sandboxed properly in this day and age...
[Image: authorization.png]
 
I've enjoyed Coda in the past, but I'm curious why people continue to use it, when I think lots of competing IDEs seem to have lapped it?

If you're going with paid apps then I think JetBrains has one of the best suites.

As much as I've come to dislike Adobe, their Edge/Brackets is a nice free html/css/js lightweight editor without the creative cloud bloat.

VS Code and Atom are great overall options getting better and better.

CodeAnywhere is an awesome solution that replaced everything Coda did for me, and there are lots of visual database tools to choose from...

Personally, I cannot stand this Electron rubbish. They generally perform poorly for me in terms of speed and memory usage and I couldn't count the issues and bugs I've experienced with any of these apps ostensibly because of it.

Far too few decent Cocoa applications nowadays.
 
Reactions: daveak
Doesn't Github use 2FA?

Github "has" 2FA. You're not compelled to enable it. Your point is well taken though. 2FA is simple to set up, takes an extra couple of seconds to log in every couple of days, and would have avoided this breach. Our non-profit develops open-source software yet we still have 2FA turned on at Github.

It's sad though. Panic makes quality products. Coda is great, Firewatch was fun, and Transmit is super useful. I hope this gets under control.
 
including login information for Github

Git != GitHub

The wording in the MacRumors article is incorrect. They never said they use an externally hosted Git service like GitHub, only that "git credentials" were stolen. It's extremely unlikely they're using an external Git hosting service and much more likely that they're running their own internal Git server.
 
Reactions: CarlJ
Git != GitHub

The wording in the MacRumors article is incorrect. They never said they use an externally hosted Git service like GitHub, only that "git credentials" were stolen. It's extremely unlikely they're using an external Git hosting service and much more likely that they're running their own internal Git server.

Ah, good point. The article says Github; their blog just says git. Respectfully though, a lot of small shops use cloud services for infrastructure, so it's not entirely unthinkable.
 
I love Panic, too. But this is a good example of poor password management, and I expect better from Panic. They would not hesitate to encourage their customers to practice safe password management, so why/how were they lacking on this?

Reminds me of a situation a couple of years ago where a Git hosting provider that I was using got hacked, and their Amazon accounts were held hostage in exchange for ransom. When they didn't pay, the data was deleted. Everything was lost. Company no more. Customers left hanging. They never did reply to any of my support calls. They, too, failed to manage login credentials properly, including not using 2FA.

Agree, and also they should have used Little Snitch, a very inexpensive firewall software that could have saved their company.
 