Apple accidentally Approved a piece of Malware to Run on MacOS

[RejZoR]

1 hour ago, AndreiArgeanu said:

lmao, it's apple what do you expect? A competent company that cares about their customers?

Low effort bashing. If anyone care how much shit gets released daily, mistakes can happen. Being some grey area adware or something is far from end of the world if it was allowe to run.

[Catsrules]

3 minutes ago, pythonmegapixel said:

Yeah but not win10 keys. The free upgrade program stopped years ago, and even if it hadn't, this doesn't solve the problem that the world has become too dependent on a buggy, closed-source piece of software under the control of a single company who could decide to stop supporting it, lock it down or break it at any moment.

 

We really need to be reconsidering how much trust we put in companies such as Microsoft, Apple and Google.

It still works. Using windows 7 keys to upgrade to Windows 10. Although it is not official any more. MS has just quietly let it continue for whatever reason.

 

Yeah I am still rooting for Linux. It has come a long way over the past 5 years but it is still stuck with the chicken and the egg problems. Very small user base because of lack of software support and very small software support because of the lack of user base.

 

 

 

[Moonzy]

18 minutes ago, pythonmegapixel said:

The free upgrade program stopped years ago

you can still use the keys, regardless

 

18 minutes ago, pythonmegapixel said:

this doesn't solve the problem that the world has become too dependent on a buggy, closed-source piece of software under the control of a single company who could decide to stop supporting it, lock it down or break it at any moment.

i dont see any other successful companies making a competent/better OS

maybe because it's hard? that's why it's buggy

 

19 minutes ago, pythonmegapixel said:

We really need to be reconsidering how much trust we put in companies such as Microsoft, Apple and Google.

we should but we can't, unfortunately

[Sandro Linux]

1 minute ago, RejZoR said:

Low effort bashing. If anyone care how much shit gets released daily, mistakes can happen. Being some grey area adware or something is far from end of the world if it was allowe to run.

True. Adware is not as bad as other malware 

[RejZoR]

The thing is, if one company has control, they can better dictate standards. Because whatever they say it's the law basically. Or they collaborate with large vendors like Intel, AMD or NVIDIA. Where Linux with like 8 core versions and gazillion distros is a standardization nightmare. And poor standardization means companies won't bother implementing things if it's too much hassle for no effect.

[pythonmegapixel]

16 minutes ago, Moonzy said:

i dont see any other successful companies making a competent/better OS

There is this incredibly bizarre situation where Linux runs a huge amount of the world's computing, but is a negligible proportion of the desktop computing market.

 

The problem - and you've already touched on it - is that it doesn't have the backing, as a desktop OS, of a huge company like Microsoft. So there's nobody to sell it, and nobody to standardise it. And because of that, it's hard to get hold of a PC running Linux.

 

But just imagine, for a moment, what the world would be like if Llnux was the majority OS. You don't like the version that your OEM preloaded? Cool - swap it out for another one with no loss of compatibility. Your OS does something unpopular that you don't like? Fine, swap it out. And OEMs have an incentive to contribute to the open source projects (though they would have to be licensed "virally" so that companies couldn't produce closed-source adaptations). And custom PC builders have a huge wealth of choices, and can even build their own if they have the technical know-how. And nobody would ever have to give any money to Microsoft. Freedom in both respects ("free lunch/free beer" and "free speech" if you aren't aware)

 

But, descending to reality once again -  we're back at the chicken-and-egg that @Catsrules mentions. Hardware vendors and software developers won't make an effort to support Linux, because the user base is too small. But the user base can't grow without the backing of hardware vendors and software developers. Until that changes, we are stuck with Microsoft having a dangerous amount of control over the entire world.

 

11 minutes ago, RejZoR said:

The thing is, if one company has control, they can better dictate standards. Because whatever they say it's the law basically. Or they collaborate with large vendors like Intel, AMD or NVIDIA. Where Linux with like 8 core versions and gazillion distros is a standardization nightmare. And poor standardization means companies won't bother implementing things if it's too much hassle for no effect.

Modern Linux distros work with package managers and packaging formats specific to their distro, but there's no reason it has to be this way.

There is a cross-distribution package manager (Flatpak) and a standard for cross-distribution executables (AppImage). If those became the industry standards - which I think they will, with time - then the problem of lots of different strands effectively goes away.

 

And the lots of different strands are, as I said earlier, actually beneficial in the long run. The problem with Windows is that it gives Microsoft huge control over everything. This is inherently bad.

[Sandro Linux]

1 minute ago, pythonmegapixel said:

There is this incredibly bizarre situation where Linux runs a huge amount of the world's computing, but is a negligible proportion of the desktop computing market.

 

The problem - and you've already touched on it - is that it doesn't have the backing, as a desktop OS, of a huge company like Microsoft. So there's nobody to sell it, and nobody to standardise it. And because of that, it's hard to get hold of a PC running Linux.

 

But just imagine, for a moment, what the world would be like if Llnux was the majority OS. You don't like the version that your OEM preloaded? Cool - swap it out for another one with no loss of compatibility. Your OS does something unpopular that you don't like? Fine, swap it out. And OEMs have an incentive to contribute to the open source projects (though they would have to be licensed "virally" so that companies couldn't produce closed-source adaptations). And custom PC builders have a huge wealth of choices, and can even build their own if they have the technical know-how.

 

But, descending to reality once again -  we're back at the chicken-and-egg that @Catsrules mentions. Hardware vendors and software developers won't make an effort to support Linux, because the user base is too small. But the user base can't grow without the backing of hardware vendors and software developers. Until that changes, we are stuck with Microsoft having a dangerous amount of control over the entire world.

 

Modern Linux distros work with package managers and packaging formats specific to their distro, but there's no reason it has to be this way.

There is a cross-distribution package manager (Flatpak) and a standard for cross-distribution executables (AppImage). If those became the industry standards - which I think they will, with time - then the problem of lots of different strands effectively goes away.

 

And the lots of different strands are, as I said earlier, actually beneficial in the long run. The problem with Windows is that it gives Microsoft huge control over everything. This is inherently bad.

True. The only place Linux is not popular is in the consumer market. 

[Commodus]

1 hour ago, Catsrules said:

My bet is this is where Apple is headed unfortunately. They want that sweet sweet 30% off all software sales on their platform.

Not very likely. The Mac App Store isn't as popular as its iOS counterpart, and Apple is clearly aware that expectations for desktop platforms are different. The whole reason it created that Developer ID notarization was to strike a balance between trust and flexibility so you could install non-App Store titles with a security failsafe if things go wrong.

 

I'd only see it change if the Mac App Store takes off, or if the store's policies loosen up to the point where developers wouldn't mind as much about reduced distribution options.

[HM-2]

This is far more common than you'd think. There's a huge black market for compromised code signing certificates and developer accounts, being able to ride on the trusted reputation of third parties basically guarantees that your app will get published. Even putting that aside there's been a history of shady orgs who've published benign but inane apps then used their trusted relationship with the marketplace to push adware or malware.

[spartaman64]

3 hours ago, Ashley said:

i run antivirus on my Mac so 

 

4 hours ago, Sandro Linux said:

I hope so too. I have a Mac and I run Bitdefender on it.

i wonder how an antivirus would interact with this since the program has a certificate that says its trusted right? do antiviruses take stuff like that into account?

[Kisai]

5 hours ago, Sandro Linux said:

True. Adware is not as bad as other malware 

Adware is a backdoor for malware. Don't frame it otherwise.

 

 

[Bombastinator]

9 hours ago, Catsrules said:

My bet is this is where Apple is headed unfortunately. They want that sweet sweet 30% off all software sales on their platform.

You mean the same 30% that everyone takes?  I don’t necessarily have a problem with lowering the number, but this “only Apple does this” line is getting old. It’s an industry standard.  It may be too high, but if it’s too high for them it’s too high for everyone.

[Bombastinator]

10 hours ago, Sandro Linux said:

Summary

Apple accidentally gave notarization certificates to a piece of adware called Slayer (letting it run on Macs) but Apple found out and revoked Slayer’s notarization certificates.

 

Quotes

 

My thoughts

I think this will make people more wary of Mac software and maybe question the security of Apple’s products.

 

Sources

https://www.wired.com/story/apple-approved-malware-macos-notarization-shlayer/

For how long was it up?  Iirc steam pulled something over a thousand apps many of which had been there for years.  Imperfection doesn’t preclude superior performance.  The other entrants would have to be perfect themselves. 

[AlTech]

I'm generally not a fan of macOS notarization. It's just a way for Apple to force all Mac devs to pat $99/year and to block apps that Apple doesn't like.

[hishnash]

1 hour ago, AluminiumTech said:

 and to block apps that Apple doesn't like.

No apple has not used it for that, and the legal terms around it are very clear that if they did you could sue apple and gets lot fo money from them so they will not do that. It will (and has) only been used to kill malware.  MS have a very ver smilier kill switch they can flick in windows defender.
 

8 hours ago, spartaman64 said:

 

i wonder how an antivirus would interact with this since the program has a certificate that says its trusted right? do antiviruses take stuff like that into account?

Normally they will also do their own checks based on known signatures and bad app behaviour. But like the notarisation process they will only detect `known` issues since it is all automated. 

 

[Senzelian]

15 hours ago, StDragon said:

 

1. Launch

2. Growth

3. Restructure

4.  Maturity

5. Decline

Great, that means LTT will never die, as maturity is something Linus will never achieve.

[Sandro Linux]

5 hours ago, Bombastinator said:

You mean the same 30% that everyone takes?  I don’t necessarily have a problem with lowering the number, but this “only Apple does this” line is getting old. It’s an industry standard.  It may be too high, but if it’s too high for them it’s too high for everyone.

But other companies (eg Google) let you download from other places yet IOS does not so iPhone and iPad users are stuck paying 30% to Apple

[Video Beagle]

16 hours ago, pythonmegapixel said:

Unix-like systems, as fantastic as they, simply don't have the support behind them at the moment to step in as the default for typical consumer use. And as long as Microsoft and Apple have their duopoly, they'll abuse it.

MacOS is a "Unix-like system"...it is in fact a Unix system.

 

Should be noted that the user in the story would have lowered his security settings to install the malware. (Makes sense as a homebrew user, and i assume developer in his own right). A Mac with full security settings enabled wouldn't install it.

 

The full article is interesting, really it's just about the constant fight between security and bad actors... A new security is developed, bad actors circumvent, so new methods are developed, rinse/repeat.

 

Remains that the best defense is to be aware of what you're doing and installing and don't go to hinky places for software.

[Video Beagle]

1 hour ago, Sandro Linux said:

But other companies (eg Google) let you download from other places yet IOS does not so iPhone and iPad users are stuck paying 30% to Apple

This thread...which you started...is about Mac OS security.  Not iOS policies. There are plenty of threads to go on ad nauseum about your issues with that.

[Guest]

18 hours ago, Den-Fi said:

something something low effort apple worm pun blah blah something something

An early Apple catches the worm.

[Trik'Stari]

bUt ThE aPp StOrE kEePs YoU sAfE. wHy ShOuLd ApPlE lEt YoU iNsTaLl SoFtWaRe ThEy DiDn'T mAkE tO tHeIr DeViCe?!

 

1 hour ago, Video Beagle said:

This thread...which you started...is about Mac OS security.  Not iOS policies. There are plenty of threads to go on ad nauseum about your issues with that.

It's fair to point out that their policies create an attack vector, and thus make the user less secure.

[leadeater]

6 minutes ago, Trik'Stari said:

It's fair to point out that their policies create an attack vector, and thus make the user less secure.

But that's not actually a problem, Apple would never make a mistake so you can trust them.

 

Spoiler

*Reads topic title*

 

[Mark Kaine]

18 hours ago, pythonmegapixel said:

But just imagine, for a moment, what the world would be like if Llnux was the majority OS

For this to happen it would need to be mostly one thing.  Be better than Windows.  You already noticed many reasons why it's not popular,  but like everyone who want Linux "to happen"  you're missing the main reason it's just not going to,  and that's because at its core   as a desktop OS, it's neither better nor more modern than Windows.  

 

Look at Android,  proof that people don't hate Linux / Unix,  the difference is,  it's easily accessible,  has a unified graphical interface and doesn't need a lot of user input to "just work".

 

This is indeed a chicken and egg problem, you'd first need someone to develop and push a "Linux OS" that's usable and *useful* for the masses,  but then you'd end up with the same issues all established OS have,  a paternalised userbase that's depending on the whims of yet another "super company"  (that doesn't need to follow rules because it's too big for its own good) 

 

Still some competition would be nice, but it's impossible for Linux to get that breakthrough because currently the people doing work on it are so far away from the needs of the general PC user it will just remain in its niche forever I'm afraid. 

 

 

[StDragon]

PEBCAK. It's what happens when stupidity is backed by determination.

[Bombastinator]

6 hours ago, Sandro Linux said:

But other companies (eg Google) let you download from other places yet IOS does not so iPhone and iPad users are stuck paying 30% to Apple

They’re stuck paying 30% to someone most of the time.  I’m not sure that getting to choose whom the money is paid to makes that much difference.  Except that you can choose to download a bunch of malware whereas that is harder to do with Apple.