Panic's source code got stolen

  1. Beatrix W

    May 18 Pre-Release Testers Europe (Germany)

    Have a look at https://panic.com/blog/stolen-source-code/ to see how easy it was to steal source code.

  2. Christoph D

    May 18 Pre-Release Testers, Xojo Pro
    Edited 3 months ago by Christoph D

    Well, HandBrake was also a target some days ago, with malware versions being spread. It seems popular open source apps are a target for hackers now.

    On the dark side: macOS will lose its name of being a 'safe' OS free from viruses, malware, ...
    On the bright side: this could leverage non-free apps.

  3. Christoph D

    May 18 Pre-Release Testers, Xojo Pro

    Also interesting:

    https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/05/handbrake-hacked-to-drop-new-variant-of-proton-malware/

    And this quote:
    "Interestingly, the only two Mac apps ever to be hacked in this manner—Transmission, and now HandBrake—were both originally developed by Eric Petit. Though I don’t know if it means anything at all, it’s certainly a fair question to wonder who has access to both of these projects that could be abused in this manner."

  4. Sam R

    May 18 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    The Transmission hack is why I wrote my article on "Application Integrity checking" for xDev magazine. The aim was to *reduce* the likelihood of our Xojo-made applications becoming trojan horses. You'll never be able to prevent a well-seasoned hacker, but you can make it difficult for them.

    The sad thing is if Apple use this to make a future version of the macOS only run Mac App Store apps, like Windows 10S.

  5. Christoph D

    May 18 Pre-Release Testers, Xojo Pro

    @Sam R The sad thing is if Apple use this to make a future version of the macOS only run Mac App Store apps, like Windows 10S.

    That'd be very unlikely. That would render macOS down to only be a large iPad-kinda-device.
    There are so many apps that cannot be made sandboxed. Apple knows this too.

    I do think they will remove the possibility to run non-codesigned apps. That would be a good thing though.

  6. Sam R

    May 18 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Christoph D Vocht That'd be very unlikely. That would render macOS down to only be a large iPad-kinda-device.
    There are so many apps that cannot be made sandboxed. Apple knows this too.

    I do think they will remove the possibility to run non-codesigned apps. That would be a good thing though.

    Couple of things...

    1. I think Apple would prefer it if everyone was running iOS with a non-touch based iPad ;)
    2. The way MS is approaching it, is that you can pay extra to upgrade to the full version of Windows (although it's currently FREE for a limited time). This way, your average consumer will probably not, but your more advanced user and developers will.
    3. This WWDC is very important; it will highlight if Apple really is serious about retaining Pro level customers or if all the talk earlier on in the year was just your typical PR speak that Apple has gotten very good at spewing. I sadly see too many of my Photography customers jumping ship.

  7. Karen A

    May 18 Pre-Release Testers

    @Christoph D Vocht I do think they will remove the possibility to run non-codesigned apps. That would be a good thing though.

    No it would not!!!!

    It would prevent using Xojo for a lot of in-house stuff for work produced by "Citizen Developers"... I have written a lot of apps to help me and others at work over the years... None were originally sanctioned by the company when they were deployed, and internal IT was not happy about it... but after a time they were seen as valuable...

    Because of that, I would have had to pay for a certificate out of my own pocket (as well as for Xojo, as I did) to be able to do that (never mind figuring out how to do the signing, which, as I have seen here, is often far from trivial!).

    - Karen

  8. Dave S

    May 18 San Diego, California USA

    I am still an advocate of the notion that Xojo itself should support code-signing as part of the build process ... automagically with no intervention from the developer other than to specify the certificates (once... just like Xcode). And for the "citizen developers", I agree with Karen, and then Xojo should notice "Ah.... no certs.... compile like we did before"

  9. Tim P

    May 18 Pre-Release Testers, Xojo Pro

    I agree that Xojo should sign as part of the build process, but from all the headaches Sam has with this stuff I think that for the moment it's better to have the engineers focus on other things. For now the automagic build scripts provided by AppWrapper are a working solution (that I love and rely on).

  10. Tim J

    May 18 Pre-Release Testers, Xojo Pro Phoenix, AZ USA

    @Sam R 3. This WWDC is very important; it will highlight if Apple really is serious about retaining Pro level customers or if all the talk earlier on in the year was just your typical PR speak that Apple has gotten very good at spewing. I sadly see too many of my Photography customers jumping ship.

    We are witnessing this in the pro film and TV environments as well (the big studios as well as smaller VFX and Post shops). To support one of our studio customers, we just brought in a batch of new HP Z-series systems. All I can say is "HOLY COW!" The performance difference between a $1,500 HP and my $5,000 Mac Pro Canister is like comparing a Bugatti to a Bicycle. Using Resolve, Premiere Pro, and After Effects as benchmarks leaves no doubt as to why folks are moving. Even running generic tests with ffmpeg (non-hacked :)

    As for the hack, so long as we are forced to use shared/dynamic libraries behind our apps, we will always be open to .dylib/.so/.dll replacement potentials.

    The first bug that I ever submitted against OS X (back in the pre-release beta days) was that there was no CRT0.a available to allow static builds. Apple has stuck to the story that they did not believe that static applications were necessary.
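    Sam's "Application Integrity checking" idea (post 4) and Tim's point about bundled .dylib/.so/.dll replacement (above) describe the same defensive check from two sides: record what the shipped bundle contained at build time, and refuse to trust it at launch if anything inside has changed. The following is an added example written for this thread, not code from Sam's article, from App Wrapper, or from any poster. It builds a SHA-256 manifest of every file in an app bundle, protects the manifest with an HMAC under a build-time key, and re-verifies at startup, reporting modified, added and missing files. The bundle layout, file names, the `BUILD_KEY` value and the `integrity.json` manifest name are all constructed for the example.

```python
"""Added example: build-time manifest + launch-time verification for an app
bundle, covering the main executable and bundled libraries alike."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Build-time secret used to MAC the manifest. Constructed for this example.
# Caveat: anything embedded in the binary can be recovered by someone who can
# also patch out the check, so this raises the bar; it is not a guarantee.
BUILD_KEY = b"example-build-key-not-a-real-secret"
MANIFEST_NAME = "integrity.json"  # assumed name, stored at the bundle root


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _bundle_files(root: Path):
    # Every regular file under the bundle except the manifest itself, as sorted
    # POSIX-style relative paths so the manifest and its MAC are deterministic.
    manifest_path = root / MANIFEST_NAME
    for p in sorted(root.rglob("*")):
        if p.is_file() and p != manifest_path:
            yield p.relative_to(root).as_posix(), p


def _mac(files: dict, key: bytes) -> str:
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes = BUILD_KEY) -> dict:
    """Build step: hash every shipped file and MAC the resulting table."""
    files = {rel: sha256_file(p) for rel, p in _bundle_files(root)}
    return {"files": files, "mac": _mac(files, key)}


def write_manifest(root: Path, manifest: dict) -> None:
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True))


def verify_bundle(root: Path, key: bytes = BUILD_KEY) -> dict:
    """Launch step: recompute hashes and compare against the stored manifest."""
    result = {"ok": False, "reason": "", "modified": [], "added": [], "missing": []}
    mpath = root / MANIFEST_NAME
    if not mpath.is_file():
        result["reason"] = "manifest missing"
        return result
    manifest = json.loads(mpath.read_text())
    expected = manifest.get("files", {})
    # Check the MAC first so a rewritten manifest cannot "bless" swapped files.
    if not hmac.compare_digest(_mac(expected, key), manifest.get("mac", "")):
        result["reason"] = "manifest MAC mismatch"
        return result
    actual = {rel: sha256_file(p) for rel, p in _bundle_files(root)}
    result["missing"] = sorted(set(expected) - set(actual))
    result["added"] = sorted(set(actual) - set(expected))
    result["modified"] = sorted(r for r in expected if r in actual and actual[r] != expected[r])
    result["ok"] = not (result["missing"] or result["added"] or result["modified"])
    result["reason"] = "ok" if result["ok"] else "bundle contents differ from manifest"
    return result


def demo() -> tuple:
    """Constructed bundle: verify clean, after a library swap, and after the
    manifest is edited to match the swapped library without the key."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "Example.app"
        lib = root / "Contents" / "Frameworks" / "libhelper.dylib"
        (root / "Contents" / "MacOS").mkdir(parents=True)
        lib.parent.mkdir(parents=True)
        (root / "Contents" / "MacOS" / "Example").write_bytes(b"main executable (constructed)")
        lib.write_bytes(b"helper library (constructed)")
        write_manifest(root, build_manifest(root))
        clean = verify_bundle(root)
        lib.write_bytes(b"replaced library (constructed)")  # the .dylib swap scenario
        tampered = verify_bundle(root)
        m = json.loads((root / MANIFEST_NAME).read_text())
        m["files"]["Contents/Frameworks/libhelper.dylib"] = sha256_file(lib)
        (root / MANIFEST_NAME).write_text(json.dumps(m))  # MAC no longer matches
        forged = verify_bundle(root)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, r in zip(("clean", "library swapped", "manifest edited"), demo()):
        print(f"{label}: {r['reason']} {r['modified']}")
```

    On macOS the stronger check is the platform code signature itself (`codesign --verify --deep --strict` covers bundled frameworks and dylibs and is anchored to a certificate rather than to a key shipped inside the app); a manifest like this complements it for builds that are not signed, which is exactly the "citizen developer" case Karen raises, and catches the library-swap case Tim describes.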

  11. Michel B

    May 18 Pre-Release Testers, Xojo Pro

    I have seen such big companies as Kodak and Polaroid tell customers what they should like before the second went belly up, and the first one had to dramatically downsize its activities.

    For Kodak it is all the more stupid as the very first digital camera, Sony's Mavica, was using a Kodak hard drive. They could have embraced digital photography, they were too certain that argentic photography was better, they never understood that customers vote with their credit card.

    I would certainly hate seeing Apple lose it, but the current dogmatism they exhibit about Mac, together with apparently a total loss of touch (pun intended) with their customers, in particular photographers, but also graphic artists, is a very bad sign.

  12. Emile S

    May 18 Europe (France, Strasbourg)

    @Dave S I am still an advocate of the notion that Xojo itself should support code-signing as part of the build process ... automagically with no intervention from the developer other than to specify the certificates (once... just like Xcode). And for the "citizen developers", I agree with Karen, and then Xojo should notice "Ah.... no certs.... compile like we did before"

    To get this, Xojo competitors have to add these first, so Xojo have to add them to be competitive (as I can see the things from my window part of the world).

    Think different. What will you do if your competitor adds a brand new feature you do not have in your own application? You add it and rush-release it as fast as you can, putting on hold what you are doing (love to add/have in your application).

    BTW: I realize we are a bit far away from the op… post!

  13. Daniel T

    May 18 Pre-Release Testers

    @Christoph D Vocht On the dark side: macOS will lose its name of being a 'safe' OS free from viruses, malware, ...

    Doubtful. This is only news to the Mac community because of how rare incidents like this are, and very few people were affected. It comes on the heels of Windows being slammed by cryptoviruses (again) using zero day exploits (again) leaked courtesy of the U.S. government (hey! something new). There was so much damage that it made international headlines, i.e. even my mom knew about it.

    Most 'normies' have caught on that safer != 100% immune. The occasional small hit on macOS or even iOS, promptly dealt with, will not destroy Apple's reputation.

    Microsoft, on the other hand, doesn't have a security reputation left to destroy.

  14. Michel B

    May 18 Pre-Release Testers, Xojo Pro

    It makes sense that open source apps are attacked or patched. A commercial app would require reverse engineering, which is not necessary with open source.

    Windows indeed does not have the legend of being immune from viruses. But Apple's immunity from viruses, worms and other pests is not as complete as it is cracked up to be. There have been accounts of infection, ever since the MacOS era.

    That said, sandboxed apps such as those distributed on the MAS should be very resistant to patches.

    Sam is right about Windows S. Being able to only install Windows Store apps is an excellent way to prevent infections.

    Somehow I doubt it is commercially valid, though. The same kind of thing existed with ARM Windows tablets, and they were not a success. Only when Microsoft released full PCs, did they commercially pick up.

  15. Derk J

    May 18 Pre-Release Testers, Xojo Pro

    Just be patient; soon your application will be distributed through a blockchain, making it impossible to be changed by others. Source-chain is also something coming.

  16. Emile S

    May 18 Europe (France, Strasbourg)

    Cost price ?

  17. Sam R

    May 18 Pre-Release Testers, Xojo Pro Hengchun, Pingtung, Taiwan

    @Dave S I am still an advocate of the notion that Xojo itself should support code-signing as part of the build process ... automagically with no intervention from the developer other than to specify the certificates (once... just like Xcode). And for the "citizen developers", I agree with Karen, and then Xojo should notice "Ah.... no certs.... compile like we did before"

    Originally I (believe it or not) also wanted this, I think I may have even made a Feedback request for it; that was back in the day when code signing was as simple as a single line of code in the terminal.

    Now is a very different story, it may surprise you to know that I even have a couple of Swift developers who use App Wrapper, because Xcode's built-in code signing function is inadequate.

    @Emile S To get this, Xojo competitors have to add these first, so Xojo have to add them to be competitive (as I can see the things from my window part of the world).

    Don't see this happening as most of Xojo's competitors don't even make apps that Apple approves for the Mac App Store.

    @Michel B There have been accounts of infection, ever since the MacOS era.

    I can concur

    @Tim J The first bug that I ever submitted against OS X (back in the pre-release beta days) was that there was no CRT0.a available to allow static builds. Apple has stuck to the story that they did not believe that static applications were necessary.

    I have submitted one security risk to Apple (which I'm not going to repeat here) and I got told, "don't do this". It's still present today and isn't constrained by the App Sandbox.
