Seems malware (especially ransomware encrypting your data and backups) is increasingly targeting open-source projects. Just read about the third case (Transmission 2.90) within the last two weeks, so I guess I need to be more careful when downloading binaries.
What were the other two cases? Nothing else has shown up on my radar.
Damn idiots! That’s all we need, at a time when developers are trying to build up their business outside of the App Store, is a reason for users to only buy from the App Store!
For years the first links to popular open source apps have been links to websites where you download those and get an installer with additional stuff like adware or toolbars or simply switch your search engine or browser…
Only load from official website…
And it may help to inspect package before installing.
All those repositories like Softonic, CNet and other junkware mongers are a real plague with their “installers” whose sole purpose is to litter users’ disks. Windows apps only have that mess to get their programs known. Lucky Mac developers who have the MAS.
[quote=251520:@Christian Schmitz]For years the first links to popular open source apps have been links to websites where you download those and get an installer with additional stuff like adware or toolbars or simply switch your search engine or browser…
Only load from official website…
And it may help to inspect package before installing.[/quote]
The infected version did come from the official website. Those who updated through the app got a safe version.
Here’s a bit more information on that: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
There was a compromised installer package placed on the developer’s website with a valid developer certificate.
That’s my favorite aspect of open source - ANYONE can hack it, change it, infect it, claim it…
In fact, this is a discussion that I had with Eric Raymond and Richard Stallman back in 1997 at Duke University. Richard’s response (once you got beyond his sermon) was that the community wouldn’t let that happen.
I downloaded PDFMerge today from Download.com and it was infected. Luckily the malware detector on the Windows laptop caught it before it could wreak havoc.
I then downloaded a competitor to it and it wasn’t infected, but it made me install Java, so I felt just as dirty then.
As a matter of course, I always try to locate the author’s site in order to have the original file. But sometimes it is not that easy. A fantastic utility for PC is ToolWiz Timefreeze. It creates a virtual environment which exposes a copy of the system to the installer, so if it tries to install a pest, after you quit the TimeFreeze virtual bubble, it goes up in smoke.
Just found another response that I’d received on that from another of Stallman’s disciples -
“Because the projects are open source, there’s no reason for viruses or trojans to be an issue since the user can check the source code for validity.”
Okay everyone, please inform your users that they must now perform full source code audits on any open source project. Yeah, that’ll reassure the non-programming majority that their code is safe.
This is an example of why we pulled all of our products from Downloads.com after they had to be the host.
[quote=251690:@Tim Jones]Just found another response that I’d received on that from another of Stallman’s disciples -
“Because the projects are open source, there’s no reason for viruses or trojans to be an issue since the user can check the source code for validity.”
Okay everyone, please inform your users that they must now perform full source code audits on any open source project. Yeah, that’ll reassure the non-programming majority that their code is safe.[/quote]
The assumption that there will be lots of eyes on any given project to prevent infection, malicious code etc. is core to open source, but the vast majority of open source projects have a very tiny group of committers.
A handful have lots
Stallman, and most of us for that matter, live in a tech bubble where code literacy is high, so it does make sense to run programs one can read “in the text”. Unfortunately, the world has changed since the onset of Open Source, and the number of people using computing devices like they would a magic mirror in fairy tales has skyrocketed.
In the 90’s, it was common belief that the generalized Internet would boost computer knowledge. Well, that is not quite the case twenty years later, is it?
Now that it seems that a bit more security on a Mac is advisable: here are some really great free tools, including BlockBlock, which notifies you each time some app tries to install a persistent service.
Hmm, a site I’ve never heard of, by a bloke I don’t know, with software that is completely unknown and some dubious claims (“Malware for OS X is trivial to write and unfortunately has become ever more pervasive.”). Is this social engineering, the number ONE attack route for malware???
How do I know that in my eagerness to prevent malware I’m not installing malware?
Ask the developer: https://objective-see.com/about.html, or rewrite his tools by the tips he is giving: https://objective-see.com/blog.html.
Oh, and part of his tools are open source too: Synack · GitHub.
If he should try to deploy malware, he’s certainly not taking the easiest path.
I believe this wasn’t specifically open-source related - reports are that the malware authors hacked into the web server and replaced the legit download DMG with a hacked one. That’s different than, say, an open-source project being corrupted by malware in the source code.
Although to the victim it’s probably a distinction w/o a difference
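The two points raised above (an installer signed with a valid developer certificate, and a download server where the attacker could replace the DMG and anything published next to it) both come down to pinning what you expect rather than trusting what the server hands you. The following is an added example, not code from this thread, from Transmission or from any of the tools mentioned: it checks a downloaded artifact against a SHA-256 hash obtained out-of-band, and parses `codesign -dv --verbose=4` output to verify a pinned Team ID and bundle identifier rather than merely "is it signed". The Team IDs, bundle identifier and the sample codesign output are constructed placeholders, not real values.

```python
"""Added example (not code from the thread or from Transmission): verify a
downloaded macOS artifact against (1) a SHA-256 hash obtained out-of-band and
(2) a pinned Apple Team ID parsed from `codesign -dv --verbose=4` output.

Assumptions (hypothetical, for illustration): the expected hash and Team ID
come from a channel independent of the download server (e.g. a release
announcement saved earlier), and the sample codesign output below is
constructed, not captured from a real binary.
"""
import hashlib
import hmac
import subprocess


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare against an out-of-band hash in constant time.

    A hash published on the same web server as the download is worthless once
    that server is compromised: the attacker replaces both files together."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def parse_codesign(verbose_output: str) -> dict:
    """Parse the key=value lines codesign prints (to stderr) for a bundle.

    Repeated keys such as Authority= become lists so the full chain is kept."""
    info: dict = {}
    for line in verbose_output.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in info:
            if not isinstance(info[key], list):
                info[key] = [info[key]]
            info[key].append(value)
        else:
            info[key] = value
    return info


def signer_matches(verbose_output: str, expected_team_id: str,
                   expected_bundle_id: str) -> bool:
    """A *valid* Developer ID signature only proves the signer holds an Apple
    developer account. Pin the identity you expect: TeamIdentifier and bundle
    Identifier must both match, and the leaf Authority must be a Developer ID
    Application certificate."""
    info = parse_codesign(verbose_output)
    authorities = info.get("Authority", [])
    if isinstance(authorities, str):
        authorities = [authorities]
    leaf = authorities[0] if authorities else ""
    return (info.get("TeamIdentifier") == expected_team_id
            and info.get("Identifier") == expected_bundle_id
            and leaf.startswith("Developer ID Application:"))


def codesign_output(bundle_path: str) -> str:
    """Run codesign on a real bundle (macOS only); its report goes to stderr."""
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", bundle_path],
                          capture_output=True, text=True, check=False)
    return proc.stderr


# Constructed sample of what a legitimately signed app's codesign output looks
# like. Team ID, bundle id and app name are placeholders, not real values.
GOOD_APP = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signature size=8915
Authority=Developer ID Application: Example Project (AAAA11111A)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AAAA11111A
Sealed Resources version=2 rules=13 files=42
Internal requirements count=1 size=180
"""

# Constructed sample: same bundle id, still a *valid* Developer ID signature,
# but issued to a different (hypothetical) team. Gatekeeper accepts it; a
# Team ID pin does not.
RESIGNED_APP = GOOD_APP.replace("AAAA11111A", "ZZZZ99999Z").replace(
    "Example Project", "Some Other Company Ltd")

EXPECTED_TEAM = "AAAA11111A"
EXPECTED_BUNDLE = "org.example.app"

if __name__ == "__main__":
    artifact = b"constructed dmg bytes"   # stand-in for the downloaded file
    known_hash = sha256_hex(artifact)     # pretend this was saved out-of-band
    print("hash ok:", verify_sha256(artifact, known_hash))
    print("good signer:", signer_matches(GOOD_APP, EXPECTED_TEAM, EXPECTED_BUNDLE))
    print("resigned:", signer_matches(RESIGNED_APP, EXPECTED_TEAM, EXPECTED_BUNDLE))
```

On a real Mac, feed `codesign_output("/Applications/Whatever.app")` into `signer_matches` with the Team ID you recorded from a previous, known-good release; the re-signed sample shows why "the certificate is valid" is not the same check.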
Thank you. With KnockKnock I just discovered a pesky Poppit program I had never installed. This kind of pest was current in Windows, it is now polluting Mac OS X …
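The persistence check that KnockKnock and BlockBlock are praised for above is, at its core, an enumeration of launchd property lists. The following is an added example, not code from those tools or from this thread, that performs a minimal version of that enumeration: it parses LaunchAgent/LaunchDaemon plists and flags entries that start automatically and run a program from outside a vendor/OS location. The two plists, the directory list and the "trusted prefix" heuristic are constructed for illustration and are not a complete definition of what is benign on macOS.

```python
"""Added example (not KnockKnock's or BlockBlock's code): enumerate launchd
persistence the way a KnockKnock-style tool does, by parsing LaunchAgent /
LaunchDaemon property lists and flagging entries that start at login/boot
and run a program from a user-writable location.

Assumptions: the plists below are constructed for the example; the directory
list and the 'trusted prefix' heuristic are illustrative choices only.
"""
import os
import plistlib
from typing import Iterator

LAUNCHD_DIRS = [
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]
# Programs under these prefixes are assumed (for this example) to be vendor
# or OS installed; anything else that autostarts gets flagged for review.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def program_of(item: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0]."""
    if "Program" in item:
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else ""


def starts_automatically(item: dict) -> bool:
    """RunAtLoad, KeepAlive or StartInterval all mean 'runs without a click'."""
    return bool(item.get("RunAtLoad") or item.get("KeepAlive")
                or item.get("StartInterval"))


def classify(plist_bytes: bytes) -> dict:
    """Return label, program path and whether the entry looks suspicious."""
    item = plistlib.loads(plist_bytes)
    program = program_of(item)
    auto = starts_automatically(item)
    return {"label": item.get("Label", "?"), "program": program,
            "autostart": auto,
            "suspicious": auto and not program.startswith(TRUSTED_PREFIXES)}


def scan(dirs=LAUNCHD_DIRS) -> Iterator[dict]:
    """Walk the real launchd directories (macOS); yields one dict per plist."""
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                try:
                    yield {"file": path, **classify(fh.read())}
                except Exception as exc:  # malformed plist: still report it
                    yield {"file": path, "error": str(exc)}


# Constructed sample: a LaunchAgent that silently starts a binary dropped in
# the user's profile. Label and path are hypothetical.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/demo/Library/.hidden/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Constructed sample: a vendor-style helper under /Applications; not flagged.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.menubar</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/Helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_PLIST, BENIGN_PLIST):
        print(classify(sample))
    for entry in scan():          # prints nothing off macOS: the dirs are absent
        print(entry)
```

Run it on a Mac and `scan()` lists every launchd entry with a `suspicious` flag; a tool like BlockBlock adds the part this snapshot cannot do, namely watching those directories for new files as they are written.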
Clicking the like button did seem strange, therefore better: You’re welcome, Michel.
And about his claims that Apple’s security would be easy to bypass: there’s a lot of interesting reads on his and his company’s sites, like https://s3.amazonaws.com/s3.synack.com/infiltrate.pdf and https://www.synack.com/r-d-projects/os-x-security-research/