HandBrake is GPL-licensed software. Apple’s terms and conditions are at odds with this licence.

They don’t even need the App Store, all they need is a developer certificate to code-sign their releases. As it turns out, they don’t even have this and it doesn’t appear that this is going to change soon.

The "GPL-licensed" is a red herring. Apple has no problem allowing GPL-licensed software on the store. (The only problem is that when you download an app from the App Store, you pay for the license to use it, not for the app, and GPL allows you to charge for the app, but not for the license - to get your app on the store without breach of one of the licenses, it must be free). Of course you need to fulfil your GPL-licensing obligations as well. You could easily include all the sources in the app, and have a button that puts all the sources on the user's hard drive.

The problem is that _some_ GPL developers don't want their code on the App Store. And Apple will withdraw an app if a genuine copyright holder says they don't want their app there. Apple does _not_ check if the next developer has the right to use the GPL licensed code or not, if the first developer complains.
 
Am I the only one wondering why he was downloading a utility like Handbrake onto a machine with the company source code. Seems like that was not the wisest move.

Due to license and sandboxing issues, there are hundreds of reasons legitimate apps cannot be distributed on the App Store.

I'd guess the majority of developers (myself included) have a stable of "non-AppStore" apps we keep installed on our machines at all times (Handbrake being one of the most common; there's really no better -- or less expensive -- way to convert videos used in demos, training materials, etc). Many small developers also act as their company's marketing, sales and promotional staff as well, and video conversion is a common task in that arena.
 
Someone has already replied specifically why handbrake cannot be distributed via Mac appstore....

In short: Reason they gave was "GPL licensing. Apple dont allow it"
If that is what someone gave as the reason, they are talking nonsense. Apple has no problem allowing GPL licensed code on the store. However, some developers of GPL licensed code had a problem with it, complained, and Apple removed the code. Apple doesn't allow code on the store if the copyright holder doesn't allow it.

It's not Apple not allowing it, it's the GPL license that's incompatible.
No, the license is not the problem. The problem happens when some developer A developed a library, developer B uses it in his product, wants to put it on the app store, and developer A doesn't like it. Developer A complains to Apple, and Apple takes the app down. If all the developers are Ok with it, then everything is fine. Apple allows multiple licenses on the store (Apple's license, and your own license, which may be GPL).

The GPL covers way more than ‘distributing an app for free’. You should have a look at this article that explains the issue in more detail: https://www.engadget.com/2011/01/09/the-gpl-the-app-store-and-you/.
That article explains it quite nicely, but the trigger is not any incompatibility between the licenses, but the fact that the copyright holder complained to Apple and didn't want his app on the store. And that's enough for Apple to remove it. If you use GPL licensed software where the copyright holder doesn't mind if his app is on the app store, then you are fine.

Just deleted all my Panic apps. Why? Because I'm afraid the hackers will be pushing malware versions of Panic apps through normal update channels. Regarding Panic's data protection procedures, they seem to suck hard. Why on earth are they not running something like Bitdefender?!? It's probably the fastest anti-virus program with an awesome detection rate. No proper firewall either for outgoing traffic. Idiots! Even Little Snitch would have stopped the malware in its tracks. The one responsible for this mess should be hanged... not literally, but severe action needs to be taken.
That's the most stupid thing I've ever heard.
 
The "GPL-licensed" is a red herring. Apple has no problem allowing GPL-licensed software on the store. (The only problem is that when you download an app from the App Store, you pay for the license to use it, not for the app, and GPL allows you to charge for the app, but not for the license - to get your app on the store without breach of one of the licenses, it must be free). Of course you need to fulfil your GPL-licensing obligations as well. You could easily include all the sources in the app, and have a button that puts all the sources on the user's hard drive.

The problem is that _some_ GPL developers don't want their code on the App Store. And Apple will withdraw an app if a genuine copyright holder says they don't want their app there. Apple does _not_ check if the next developer has the right to use the GPL licensed code or not, if the first developer complains.

Check the link I posted earlier. The GPL is incompatible with Apple’s terms of use, specifically because of something that you haven’t touched upon in your post: the fact that you cannot share the downloaded application with whomever you like, free of constraints. App Store software is DRM-encumbered. Apple is legally not allowed to host this app in the App Store under these conditions and bind customers to rules that the GPL does not allow. Since you pointed out that Apple would likely comply with a takedown request, it makes this endeavour shaky from the start and as such not a serious solution for this problem.

The App Store is just not a legitimate solution for every software out there and not just because of sandboxing or other technical restrictions. There are legal restrictions that matter just as much. People shouldn’t believe that because something isn’t on the App Store that it is somehow the fault of the developer that this happened.

Define 'on time'. Technically, 'on time' would mean before a single computer is infected. Or rather before a single computer outside of the pool of test computers got attacked. But how could an anti-malware author ensure that his or her computers get attacked before anybody else's? You can run honeytraps, but in this case that wouldn’t have helped.

I think the real yardstick is whether anti-malware apps detect something before the general media (like Macrumors) report about it. Or before X computers get infected.

I responded to the suggestion that having Bitdefender installed would have made a difference in this case. It would not.

What should one do if, e.g., Handbrake asks to connect to something called edge-analytics.com? You could clamp down on anything that is not the domain of the software vendor. But who remembers all the domains for all their applications? Adobe products still frequently phone home to macromedia.com; refusing all such other-domain requests could easily block things like software update checks.

That’s in a nutshell the problem with software like Little Snitch. It is a rather complicated tool, not because it is hard to use but because applying it is seriously difficult even for advanced users. There is no way to tell that it would have prevented this particular infection, had the developer used Little Snitch.

The attacker tricked the developer into entering their admin password. Once that is done, it doesn't really matter what account is launching the infected app.

As I said earlier, this malware isn’t after administrator access to begin with. If this developer had kept the git credentials in a separate keychain, such as by using a separate account, this would not have happened.
 
I responded to the suggestion that having Bitdefender installed would have made a difference in this case. It would not.

That’s in a nutshell the problem with software like Little Snitch. It is a rather complicated tool, not because it is hard to use but because applying it is seriously difficult even for advanced users. There is no way to tell that it would have prevented this particular infection, had the developer used Little Snitch.
And I am implicitly arguing that it doesn't matter whether any particular element would have prevented this specific attack as long as these particular elements protect against some threats.
As I said earlier, this malware isn’t after administrator access to begin with. If this developer had kept the git credentials in a separate keychain, such as by using a separate account, this would not have happened.
That is an argument for using a different password for the keychain than for the user account, not one for using a non-admin user account.
 
What is there to not understand?

Apparently in your case more than I would have thought. Please don't attempt to explain it again. I didn't read past your first sentence. And I'm not really sure what your mission here is. Or whether it will self destruct.
Due to license and sandboxing issues, there are hundreds of reasons legitimate apps cannot be distributed on the App Store.

I'd guess the majority of developers (myself included) have a stable of "non-AppStore" apps we keep installed on our machines at all times (Handbrake being one of the most common; there's really no better -- or less expensive -- way to convert videos used in demos, training materials, etc). Many small developers also act as their company's marketing, sales and promotional staff as well, and video conversion is a common task in that arena.
That does make sense. I just know at my company we go to great lengths to protect our source code.
 
I'd take that bet.

For piracy only *one* person has to rip the disk. Everybody else just conveniently downloads/streams it from the web. They don't even know what Handbrake is.

But they could be using it to transcode things they've downloaded into other codecs/sizes/whatever.

Anyway, it's not a big deal. I know from personal experience that there are perfectly legitimate uses for the tool. That's just where my head went when I read the article. :)
 
Any suggestions for better user security?

I just started online banking and use 1Password with unique, long, randomly generated passwords for every account and website, but I still feel uneasy.
I'm no expert, and I've never used 1Password, but I think the way to be safe with Keychain is to keep it locked more. It's always open by default, but you can open Keychain Access, select a keychain, and change its settings to lock after a period of inactivity and/or when your Mac sleeps. This means you'll have to enter the keychain password to use them.

If you only want certain passwords to be more secure, you can put them in a separate keychain that you assign tougher settings while you leave the less important stuff unlocked. I think macOS should assist users or do this by default with bank-related stuff, but it doesn't.
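The separate, auto-locking keychain described in this post can be set up from the command line with the `security` tool that ships with macOS. The script below is an added example, not code from the thread or from Apple; the keychain name (`sensitive.keychain`), the 300-second timeout and the sample GitHub credential are assumptions chosen for illustration. With `DRY_RUN=1` it prints the commands instead of executing them, so it can be read (and run) on a non-Mac host.

```shell
#!/bin/sh
# Added example (not from the thread): keep sensitive credentials in a separate
# macOS keychain that locks on sleep and after inactivity, instead of the
# always-unlocked login keychain. Uses Apple's `security` CLI.
# KEYCHAIN name, LOCK_AFTER and the sample item below are assumptions.

KEYCHAIN="${KEYCHAIN:-sensitive.keychain}"
LOCK_AFTER="${LOCK_AFTER:-300}"   # seconds of inactivity before auto-lock

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the keychain, make it lock on sleep (-l) and after a timeout (-u -t),
# and add it to the user search list so apps can find items in it.
# Note: `list-keychains -s` *replaces* the search list, so the login keychain
# must be listed again or apps lose access to it.
setup_locked_keychain() {   # setup_locked_keychain KEYCHAIN_PASSWORD
    run security create-keychain -p "$1" "$KEYCHAIN"
    run security set-keychain-settings -l -u -t "$LOCK_AFTER" "$KEYCHAIN"
    run security list-keychains -d user -s login.keychain "$KEYCHAIN"
}

# Store one credential in the locked keychain rather than the login keychain.
add_secret() {   # add_secret SERVICE ACCOUNT SECRET
    run security add-generic-password -s "$1" -a "$2" -w "$3" "$KEYCHAIN"
}

# Stand-alone usage: sh this_script.sh <keychain-password>
if [ $# -ge 1 ]; then
    setup_locked_keychain "$1"
    add_secret github.com dev "ghp_EXAMPLE_PLACEHOLDER"   # constructed sample item
fi
```

Passing the keychain password with `-p` leaves it visible in the process list; for real use, replace `-p "$1"` with `-P` so `security` prompts for it. Apps that read the secret (git, an IDE) will then trigger the keychain unlock prompt once per idle period, which is the friction the post is trading for.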
Just deleted all my Panic apps. Why? Because I'm afraid the hackers will be pushing malware versions of Panic apps through normal update channels. Regarding Panic's data protection procedures, they seem to suck hard. Why on earth are they not running something like Bitdefender?!? It's probably the fastest anti-virus program with an awesome detection rate. No proper firewall either for outgoing traffic. Idiots! Even Little Snitch would have stopped the malware in its tracks. The one responsible for this mess should be hanged... not literally, but severe action needs to be taken.
Antimalware tends to be bloated and always requires tons of updates, which makes you more vulnerable in practice. Firewall software like Little Snitch is maybe a good idea, but it's hard to manage.
Not that I wish anything bad on anyone but am I the only one wondering why he was downloading a utility like Handbrake onto a machine with the company source code. Seems like that was not the wisest move.
People screw up, and Mac security sucks by default. You have to do things like what I mentioned to protect yourself, which is cumbersome and unintuitive. There's nothing telling users that they have to calculate checksums when they download software from unidentified developers, and people are used to clicking "OK." Windows is even worse, much worse. You shouldn't need to be tech-savvy to stay secure. They need to address this.
If that is what someone gave as the reason, they are talking nonsense. Apple has no problem allowing GPL licensed code on the store. However, some developers of GPL licensed code had a problem with it, complained, and Apple removed the code. Apple doesn't allow code on the store if the copyright holder doesn't allow it.
Seriously, screw GPL. You use someone's library in your project, and now you have to license the whole thing under GPL. It's like "you can only use my code if you can afford to build off it without making money." Looks like it used to be cool, but now everything I see is under the MIT or BSD or Apache license. Android is under GPL, but we know that gets violated all over the place, not by Google but by others.
 
That article explains it quite nicely, but the trigger is not any incompatibility between the licenses, but the fact that the copyright holder complained to Apple and didn't want his app on the store. And that's enough for Apple to remove it. If you use GPL licensed software where the copyright holder doesn’t mind if his app is on the app store, then you are fine.

The fact that a copyright holder can complain is precisely the problem here. Pretending that this has nothing to do with the GPL is the actual red herring. The GPL confers inadequate rights in the software on its maintainers to have them sell it on the App Store without risking takedown requests. This is exactly what the GPL is meant for. Licensing issues are always complainer-based, whether Apple is pre-emptively screening and rejecting GPL-licensed software or not is IMO irrelevant. HandBrake could not confidently put it on the App Store. VLC is now in the App Store, because its maintainers rewrote or re-licensed those GPL parts.
 
Apparently in your case more than I would have thought. Please don't attempt to explain it again. I didn't read past your first sentence.
Not reading past the first sentence is a great approach to not understand things, which apparently is your mission.
There's nothing telling users that they have to calculate checksums when they download software from unidentified developers, and people are used to clicking "OK."
With Handbrake's server compromised, changing the checksums displayed on the website as well isn't that hard a job for the hackers.
 
With Handbrake's server compromised, changing the checksums displayed on the website as well isn't that hard a job for the hackers.
True, but in this case, they only hacked one of the mirrors, not Handbrake's site, and they also put the checksums on GitHub so people can cross-check. The mirrors are probably under less scrutiny and are riskier. If they take the site, they can also sign the malicious binaries with some random Apple developer certificate. I can think of ways to mitigate this risk, but they're costly. At least their site uses HTTPS.
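The cross-check this post describes (compare the downloaded file against a checksum published somewhere other than the mirror that served it, then check the code signature) can be scripted. The following is an added example, not from the thread or the HandBrake project; the file paths and the hash are whatever you pass in, and the `abc` test value used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded installer against a
# SHA-256 obtained out-of-band (e.g. from the project's GitHub page, not the
# mirror that served the file), and on macOS also verify the code signature.

# Hash a file with whichever SHA-256 tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HASH -> returns 0 on match, 1 on mismatch.
# Hash comparison is case-insensitive because published hashes vary in case.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# check_signature APP_BUNDLE -> macOS only; verifies the Developer ID
# signature and asks Gatekeeper whether it would allow the app to run.
# An unsigned build (as the thread says HandBrake's was at the time) fails here,
# which is exactly the point: then the hash comparison is the only check you have.
check_signature() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host; skipping signature check"
        return 0
    fi
    codesign --verify --deep --strict "$1" && spctl --assess --type execute "$1"
}

# Stand-alone usage: sh this_script.sh <downloaded-file> <published-sha256> [<app-bundle>]
if [ $# -ge 2 ]; then
    verify_sha256 "$1" "$2" || exit 1
    if [ $# -ge 3 ]; then
        check_signature "$3" || exit 1
    fi
fi
```

The value of the hash check depends entirely on where the expected hash came from: a checksum displayed next to the download on a compromised mirror proves nothing, which is why the post points at the copy kept on GitHub. If both the download host and the published hash are controlled by the attacker, only the signature check is left, and only if the project signs its builds.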
 
But they could be using it to transcode things they've downloaded into other codecs/sizes/whatever.

Anyway, it's not a big deal. I know from personal experience that there are perfectly legitimate uses for the tool. That's just where my head went when I read the article. :)


There are apps all over the AppStore that do the same thing. Some charge €20 or €30.
Are you going to insinuate that all the people who use those apps are up to no good?
If suddenly there was a price of €100 put on HandBrake - would you somehow see it as a legit app?

Should they (HandBrake) make one of those standard animations of somebody using it on their laptop while sitting at a table in a house - then zoom outside through the window and (you get the picture) with the nice muted pastel colours along with some ukulele or piano belting out a stupid tune in the background, stick it on the homepage (obviously with parallax scrolling - razzmatazz yeah...) with a buy now button for €100. Would your perception change then? Of course it would.

Is FFMPEG nefarious also? Where does it end for you? No OpenSource?
 
There are apps all over the AppStore that do the same thing. Some charge €20 or €30.
Are you going to insinuate that all the people who use those apps are up to no good?
If suddenly there was a price of €100 put on HandBrake - would you somehow see it as a legit app?

Should they (HandBrake) make one of those standard animations of somebody using it on their laptop while sitting at a table in a house - then zoom outside through the window and (you get the picture) with the nice muted pastel colours along with some ukulele or piano belting out a stupid tune in the background, stick it on the homepage (obviously with parallax scrolling - razzmatazz yeah...) with a buy now button for €100. Would your perception change then? Of course it would.

Is FFMPEG nefarious also? Where does it end for you? No OpenSource?

Some mighty big leaps you're making there, be careful when doing your own stunts.

If you read back through the thread you'll find that I am a user of Handbrake and for legitimate purposes.

 
Some mighty big leaps you're making there, be careful when doing your own stunts.

If you read back through the thread you'll find that I am a user of Handbrake and for legitimate purposes.


So I am making big leaps?

So I know there are legitimate reasons to use Handbrake (I used it myself to create electronic versions of physical media I own) but I also know that there are probably more Handbrake users involved in piracy than not. I just say this as it would be ironic if that leads to piracy of Panic products.

This is an outrageous claim - and you know it well.
 
True, but in this case, they only hacked one of the mirrors, not Handbrake's site, and they also put the checksums on GitHub so people can cross-check. The mirrors are probably under less scrutiny and are riskier. If they take the site, they can also sign the malicious binaries with some random Apple developer certificate. I can think of ways to mitigate this risk, but they're costly. At least their site uses HTTPS.
For many years I have said that in my mind the easiest attack vector is to hack a small third-party developer's site and put malware in their binaries. Of course that requires an 'in' to their servers, them not noticing it and making the malware as unnoticeable as possible (the Handbrake malware was noticeable, but only to the very skilled ones). But it is something that is almost impossible to protect against as a user, except by only getting apps from a curated app store (i.e., the Mac App Store).
 
For many years I have said that in my mind the easiest attack vector is to hack a small third-party developer's site and put malware in their binaries. Of course that requires an 'in' to their servers, them not noticing it and making the malware as unnoticeable as possible (the Handbrake malware was noticeable, but only to the very skilled ones). But it is something that is almost impossible to protect against as a user, except by only getting apps from a curated app store (i.e., the Mac App Store).
Or be the developer :D I mean, the official Java installers try to install malware like the Yahoo! toolbar or similar crap.
When I was a troublemaking kid in high school, I made an entire Bukkit plugin that was actually useful, planning to release a backdoor update later that would allow me to become "op" (admin user who can cheat ingame) on Minecraft servers that use it. Nothing destructive but definitely not cool, and I ended up deciding against it once I got users.
 
Or put another way, the MAS is a dumpster fire.

The App Store doesn't allow a lot of the cross-application integration and system level access that you need... for web stack development apps that work with system setting files.
 