Apple accidentally Approved a piece of Malware to Run on MacOS

[Bombastinator]

1 hour ago, Mark Kaine said:

For this to happen it would need to be mostly one thing.  Be better than Windows.  You already noticed many reasons why it's not popular,  but like everyone who want Linux "to happen"  you're missing the main reason it's just not going to,  and that's because at its core   as a desktop OS, it's neither better nor more modern than Windows.  

 

Look at Android,  proof that people don't hate Linux / Unix,  the difference is,  it's easily accessible,  has a unified graphical interface and doesn't need a lot of user input to "just work".

 

This is indeed a chicken and egg problem, you'd first need someone to develop and push a "Linux OS" that's usable and *useful* for the masses,  but then you'd end up with the same issues all established OS have,  a paternalised userbase that's depending on the whims of yet another "super company"  (that doesn't need to follow rules because it's too big for its own good) 

 

Still some competition would be nice, but it's impossible for Linux to get that breakthrough because currently the people doing work on it are so far away from the needs of the general PC user it will just remain in its niche forever I'm afraid. 

 

 

IOS is a BSD, Android is a Linux. It sort of already happened.  *nix is ubiquitous on phones.

[Doobeedoo]

Oof

[Sandro Linux]

6 minutes ago, Bombastinator said:

IOS is a BSD, Android is a Linux. It sort of already happened.  *nix is ubiquitous on phones.

But not in the desktop market although Mac OS is based on BSD

[Drama Lama]

Macs don’t get Viruses it’s easy

 

am I wrong or is Mac malware now growing faster than that of Windows?

[Bombastinator]

14 minutes ago, Sandro Linux said:

But not in the desktop market although Mac OS is based on BSD

So your statement could be translated as “so why won’t Linux just kill Windows already!” I refer you to other comments on that one.

[Bombastinator]

10 minutes ago, Drama Lama said:

Macs don’t get Viruses it’s easy

 

am I wrong or is Mac malware now growing faster than that of Windows?

Depends on how you measure it I suspect 1 to 2 is a 100% jump whereas 1000 to 1001 is nearly nothing.  Is there more malware being written for Apple stuff than windows stuff? I kinda doubt it.

[Sandro Linux]

34 minutes ago, Drama Lama said:

Macs don’t get Viruses it’s easy

 

am I wrong or is Mac malware now growing faster than that of Windows?

Macs do get viruses but it usually is a bit harder to get them than on Windows.

[Drama Lama]

55 minutes ago, Sandro Linux said:

Macs do get viruses but it usually is a bit harder to get them than on Windows.

I know 

i was just joking at the old „ a Mac doesn’t get viruses „ advertisement

[Kisai]

2 hours ago, Mark Kaine said:

For this to happen it would need to be mostly one thing.  Be better than Windows.  You already noticed many reasons why it's not popular,  but like everyone who want Linux "to happen"  you're missing the main reason it's just not going to,  and that's because at its core   as a desktop OS, it's neither better nor more modern than Windows.  

Because the entire process from installing Linux to downloading applications/installing them, to configuring the operating system to not fall over the second you walk away from it is a huge hassle and something that Microsoft has figured out, but no Linux vendor has. MacOS only gets a free pass there because it only installs to ONE computer built by the OS manufacturer. Linux's entire user experience, is charitably considered functional, and at worst is miserable.

 

2 hours ago, Mark Kaine said:

Look at Android,  proof that people don't hate Linux / Unix,  the difference is,  it's easily accessible,  has a unified graphical interface and doesn't need a lot of user input to "just work".

Android uses Linux components, but calling it Linux is like calling every beverage in a can "coke". It's wrong for a number of reasons. Android does not use the GNU c library, nor the windowing managers found on Linux systems with a GUI, so the only thing android shares with something like Ubuntu is the Linux Kernel and drivers. That's it.

 

Which a way to simplify this for mundane people who haven't used anything else:

A "Linux" distro is "Linux Kernel" , "Flavor of linux userland", "Flavor of Linux window manager (install one of 40, with usually one pushed as default)"

Android is "Linux Kernel", "Android userland", "Android window manager"

FreeBSD is "FreeBSD Kernel", "FreeBSD userland", "no window manager (install one of three)"

MacOS X is "Darwin Kernel", "FreeBSD* userland","MacOS X Window manager"

 

You can compile and run stuff on FreeBSD, A Linux, or a MacOS X, fairly easily because if it compiles with Clang+LLVM (FreeBSD/Mac OSX) , it will usually compile with GCC (Linux, and 4.2 MacOS X 10.7 (XCode 4.1)/ 2.95 FreeBSD 4.x-FreeBSD 9 ), at least until it needs GUI stuff, in which case nothing compiled for Linux will run on FreeBSD or MacOS X unless compiled against the base x11 window manager, and even then, that requires support on OSX that isn't there by default.

 

Also important to point out the toxicity of the GPLv3 licence is why LLVM exists at all.

 

2 hours ago, Mark Kaine said:

This is indeed a chicken and egg problem, you'd first need someone to develop and push a "Linux OS" that's usable and *useful* for the masses,  but then you'd end up with the same issues all established OS have,  a paternalised userbase that's depending on the whims of yet another "super company"  (that doesn't need to follow rules because it's too big for its own good) 

 

Still some competition would be nice, but it's impossible for Linux to get that breakthrough because currently the people doing work on it are so far away from the needs of the general PC user it will just remain in its niche forever I'm afraid. 

 

 

See the thing is, Linux can not ever replace Microsoft Windows because Linux vendors are a bunch of cats that don't heard well. At least there isn't a new flavor of BSD popping up every week, but the most popular fork of Unix in the desktop space is in fact MacOS X. Most "forks" of Unix/BSD use different kernels and userlands, but the drivers are the same, they just go about CPU/Memory management differently, with the significant change in FreeBSD 4.x-5.x(2003) dealing with multiple CPU's, which was also the same time OSX shifted from PPC to Intel. So it's easy to say that how each OS deals with multiple CPU's is absolutely different, with x86 darwin only running on Pentium III hardware, before OSX was available on Intel. 

 

There is literately nothing stopping someone from Forking Darwin and making something like "DarwinBSD" except that all the drivers that exist are only MacOS X drivers, there are drivers for nothing else. MacOS X's BSD components match FreeBSD 5.0, and that's not saying much. As such, a current version of PureDarwin does exist.

 

Android only counts as a Linux if the only thing that makes something a Linux is using the Linux kernel. The Android userland, and the Android runtime ensure that no Linux software works on it.

 

Linux is relegated to "also-ran" status in the desktop space because anyone can fork the OS.

Repeat that about 50 times for Linux.

https://distrowatch.com/dwres.php?resource=family-tree

 

That's like two new forks of Linux, per year. At least FreeBSD/NetBSD/OpenBSD were forked in 1993 and the only forks since were NeXT(MacOSX) , and some lesser-used forks. 

 

At least when Microsoft or Apple decide to take the reins, they have some direction they want to take the OS, good or bad. But Linux, it's more like every time someone takes the reins, they're bucked off the horse and left to fend for themselves.

 

 

[Catsrules]

On 8/31/2020 at 7:26 PM, Bombastinator said:

You mean the same 30% that everyone takes?  I don’t necessarily have a problem with lowering the number, but this “only Apple does this” line is getting old. It’s an industry standard.  It may be too high, but if it’s too high for them it’s too high for everyone.

I never said only Apple does this I am just pointing out why Apple want to do this on the Mac I am positive Microsoft wants and to do the exact same thing on the Windows Side after all it has already happened Windows S.

I also see nothing wrong with charging whatever cut you want from your store. It is your store you can do what you want.
But I will say Apple is one of the only major companies that force users to only use their store. (At least on the mobile side of things) That is why I think they get a lot of the crap where the other companies would get a pass. 

[Bombastinator]

9 minutes ago, Catsrules said:

I never said only Apple does this I am just pointing out why Apple want to do this on the Mac I am positive Microsoft wants and to do the exact same thing on the Windows Side after all it has already happened Windows S.

I also see nothing wrong with charging whatever cut you want from your store. It is your store you can do what you want.
But I will say Apple is one of the only major companies that force users to only use their store. (At least on the mobile side of things) That is why I think they get a lot of the crap where the other companies would get a pass. 

This may be true.  It becomes a chicken and egg question.  Does apple do so in order to provide safety to its users? Or does apple talk about increased safety for users in order to do it?   What percentage of android users buy from outside the store that comes pre-mounted in their machine? There is generally the google store and sometimes the hardware manufacturer store.  For Apple those are the same.   Google does make some phones.  In those instances the manufacturer and the OS builder are the same. It might make an interesting piece of data to compare with.  
 

There are third party iOS software stores. They generally require a rooted phone though, which Apple seems to work hard at making impossible.  I happen to have a phone that could be rooted.  I specifically bought it directly from Apple rather than on a contract so I could do that, and it was also one of the ones old enough to use the latest root exploit.  I chose not to do so even though there would have been real material benefit for me to do so.  I didn’t. 
 

why (I don’t know why I felt compelled to explain this)

Spoiler

I am totally dependent on PIMs.  I used to buy franklin covey stuff before PDAs even existed.  Ever pay a hundred bucks for a tiny ring binder?  I did.  When PDAs appeared They were a bright shining light for a single reason:  they beeped.  I need my alarms loud and strident. Very loud and strident. Insistently so.The best PIM I ever had was a Psion5.  Not because it had the keyboard it did (though that was nice) but because it had a primitive alarm with a very piercing speaker that would not shut up till you turned the alarm off or the battery died. (which took days) 
People would actually bring it to me at parties with stern looks on their faces because an alarm went off and no one could ignore it.  It was what I needed.  Not wanted, needed.

 I used that thing till they stopped making them, then till the screen died, and then I bought used ones with working screens to harvest the ribbon cable to keep my now artifact device functioning.  A day came that I couldn’t keep it going though.  I had a backup already bought and prepared because I knew it was coming and I couldn’t go more than a day without a PIM.  I think it was a Palm 505.  Palm died though so the cycle repeated.  I ran a Samsung note3 for a while, which wasn’t near as good, but the tracking bugged me.  Apple has garbage alarms.  They can’t be made loud, and they can’t be made repetitive.  There are apps on the rooted store that can fix that.  The rooted store (There are several)  is so creepy to me that I chose not to.  Instead I set 5 or more alarms minutes apart for every appointment and hope I hear one.  I want my psion5 speaker back.  I can’t have it though. 

 

[Catsrules]

13 minutes ago, Bombastinator said:

This may be true.  It becomes a chicken and egg question.  Does apple do so in order to provide safety to its users? Or does apple talk about increased safety for users in order to do it?   What percentage of android users buy from outside the store that comes pre-mounted in their machine? There is generally the google store and sometimes the hardware manufacturer store.  For Apple those are the same.   Google does make some phones.  In those instances the manufacturer and the OS builder are the same. It might make an interesting piece of data to compare with. 

I am enjoying talking with you but I feel bad we are kind of hijacking this thread on a little bit off topic, so I will try and be short.

 

The safety argument is a hard one as we can only speculate on Apple's motives. I can't deny Apple does protect the user from themselves by only allowing the App store. It is hard to get tricked or blindly following some instructions on how to install non app store apps when the end user has no options to do that.

But personally I think the safety argument is just a good public reason for not allowing secondary stores. There are very safe ways Apple could implement to enabling third party apps. For example my thought would be when you very first turn on the device it will be part of the setup process. Third party sources will be off by default, you could hide it in some advanced menu or something and the only way to change it is do a factory reset on the device check enable.

14 minutes ago, Bombastinator said:

There are third party iOS software stores. They generally require a rooted phone though, which Apple seems to work hard at making impossible.  I happen to have a phone that could be rooted.  I specifically bought it directly from Apple rather than on a contract so I could do that, and it was also one of the ones old enough to use the latest root exploit.  I chose not to do so even though there would have been real material benefit for me to do so.

This kind of tells me Apple doesn't really value user security as much as they say they do. Clearly there is a market for third party software store. If Apple is so concerned about user safety and security why don't they provide a safer way to install third party stores? They way it works now is you need an older phone with known security vulnerabilities and often times you can't upgrade to the latest iOS or it will break the jailbreak. So no one is getting the new security patches.

[Bombastinator]

21 minutes ago, Catsrules said:

I am enjoying talking with you but I feel bad we are kind of hijacking this thread on a little bit off topic, so I will try and be short.

 

The safety argument is a hard one as we can only speculate on Apple's motives. I can't deny Apple does protect the user from themselves by only allowing the App store. It is hard to get tricked or blindly following some instructions on how to install non app store apps when the end user has no options to do that.

But personally I think the safety argument is just a good public reason for not allowing secondary stores. There are very safe ways Apple could implement to enabling third party apps. For example my thought would be when you very first turn on the device it will be part of the setup process. Third party sources will be off by default, you could hide it in some advanced menu or something and the only way to change it is do a factory reset on the device check enable.

This kind of tells me Apple doesn't really value user security as much as they say they do. Clearly there is a market for third party software store. If Apple is so concerned about user safety and security why don't they provide a safer way to install third party stores? They way it works now is you need an older phone with known security vulnerabilities and often times you can't upgrade to the latest iOS or it will break the jailbreak. So no one is getting the new security patches.

But there really kind of isnt. That’s one of the problems.  I am in a very tiny fraction of humanity that has a true use for something there and even I didn’t want it bad enough to use it.  I was able to kludge a not real good work around. The most popular apps there are weird little reskinning things of questionable utility. 

Back to the topic though which was the bit of malware.  I still don’t know how long the thing was in the store, how often this happens, and  how much it got downloaded.  As an argument for the App Store  not being an effective safety mechanism this is sort of critical, and must be compared to the frequency, duration, and download number of other malware apps in other stores. 
 

The impression I get from a single instance being news, is that it doesn’t happen very often. 

[Video Beagle]

4 hours ago, Catsrules said:

If Apple is so concerned about user safety and security why don't they provide a safer way to install third party stores?

You're asking why Apple doesn't make it easier to hack the iPhone?

[Sandro Linux]

28 minutes ago, Video Beagle said:

You're asking why Apple doesn't make it easier to hack the iPhone?

Not hack the iPhone just let people download things from outside the store

[Catsrules]

9 hours ago, Bombastinator said:

Back to the topic though which was the bit of malware.  I still don’t know how long the thing was in the store, how often this happens, and  how much it got downloaded.  As an argument for the App Store  not being an effective safety mechanism this is sort of critical, and must be compared to the frequency, duration, and download number of other malware apps in other stores. 
 

The impression I get from a single instance being news, is that it doesn’t happen very often. 

The malware was never in the app store on MAC OS. I belive it was just downloaded from a website online. But the installer was signed as "safe" by Apple. As far as I can tell all that means is the developers submitted the program to Apple's automated systems it scanned the software for viruses it didn't find any so it signed it as safe. When people download it online Apples compares the file to the one it scanned if they both are the same then it is good. The issue came up when it turns out there was actually Malware in the installer that the automated systems didn't catch it when the file was submitted by the developers.

 

As for malware being on the App Store, I really haven't looked into it. I have heard a few news stories over the years of things getting slipped though. But over all I would say Apple does do a good job all things considered of keeping the App Store malware free. I do think the App Store systems is much more involved then whatever automated system was used in checking this software. So it may have been caught if it was submitted to the App Store.

5 hours ago, Video Beagle said:

You're asking why Apple doesn't make it easier to hack the iPhone?

No, I am saying I wish Apple would provide a way for people to install software from other sources besides just Apple's App Store. The only reason why hacking is mentioned is because Apple does not provide a way so people end up having to hack their own phone to get around Apple's security in order to install what they want to install.

[RejZoR]

5 hours ago, Sandro Linux said:

Not hack the iPhone just let people download things from outside the store

So that people can then complain about Apple when they install some piece of software that steals their private info and credit card details?

[Blademaster91]

14 minutes ago, Catsrules said:

No, I am saying I wish Apple would provide a way for people to install software from other sources besides just Apple's App Store. The only reason why hacking is mentioned is because Apple does not provide a way so people end up having to hack their own phone to get around Apple's security in order to install what they want to install.

No no being able to install what you want on your own phone is hacking and if people do stupid stuff with their device its always the companies fault.

[dalekphalm]

18 minutes ago, Catsrules said:

No, I am saying I wish Apple would provide a way for people to install software from other sources besides just Apple's App Store. The only reason why hacking is mentioned is because Apple does not provide a way so people end up having to hack their own phone to get around Apple's security in order to install what they want to install.

I get what you're saying, but that goes entirely against the Apple ethos for managing apps on a mobile system. If they enable a way to install third party apps outside of the app store, then they are opening a new attack vector into their mobile system. They would have significantly less control over ensuring system security in that environment.

 

Maybe that's the way it should be, but I 100% understand why Apple would fight tooth and nail against it.

 

Personally, I think that if Apple is forced to provide some kind of alternative way to get apps on their phones, then they should provide a 100% unsupported method of installing a different OS (eg: Android) - Boot camp style.

 

The problem, ultimately, with that strategy would be drivers: who makes them? Does Apple then write drivers for Android? Or do you rely on the community to make their own?

 

Or, perhaps a simple toggle that allows third party app stores but with a legally binding contract that says you forfeit all software support by enabling this (hardware warranty should remain unaffected).

 

Either way, there's literally no good solution, because every solution adds other problems. I guess you pick your poison and try for the least bad solution.

 

[Catsrules]

6 minutes ago, RejZoR said:

So that people can then complain about Apple when they install some piece of software that steals their private info and credit card details?

 

2 minutes ago, Blademaster91 said:

No no being able to install what you want on your own phone is hacking and if people do stupid stuff with their device its always the companies fault.

 

Of for sure this is totally going to happen, people are stupid and don't want to take responsibility for their own mistakes. But as far as I can tell it really hasn't been that big of an issue on the Android side of things. Although I haven't really looked for stories or news about this.

 

[RejZoR]

7 minutes ago, Catsrules said:

 

 

Of for sure this is totally going to happen, people are stupid and don't want to take responsibility for their own mistakes. But as far as I can tell it really hasn't been that big of an issue on the Android side of things. Although I haven't really looked for stories or news about this.

 

Who will even take responsibility with Android? Google? Samsung? 3rd party ROM maker like LineageOS ? With Apple, it's rather clear, Apple is responsible. Which is why they don't allow things because of that exact reason. People are dumb.

[Catsrules]

29 minutes ago, dalekphalm said:

I get what you're saying, but that goes entirely against the Apple ethos for managing apps on a mobile system. If they enable a way to install third party apps outside of the app store, then they are opening a new attack vector into their mobile system. They would have significantly less control over ensuring system security in that environment.

Actually I would argue it would make iOS more secure long term. Security is all about layers. Adding a way to enable third party apps outside the app doesn't open up new attack because those attack vectors already existed. They where just less likely because it is very very hard to get a program install without going thought the app store. Now that you can install program without the App Store this would force a harder look at secondary security layers that may not have been looked at as much because the first layer was so protective. 

And don't get my wrong I totally think if you really are concerned with security you should stick with the App Store and don't Enable Third party sources.

 

But shouldn't that be up to the end user to decide how secure they want their phone to be?

[Bombastinator]

54 minutes ago, Catsrules said:

The malware was never in the app store on MAC OS. I belive it was just downloaded from a website online. But the installer was signed as "safe" by Apple. As far as I can tell all that means is the developers submitted the program to Apple's automated systems it scanned the software for viruses it didn't find any so it signed it as safe. When people download it online Apples compares the file to the one it scanned if they both are the same then it is good. The issue came up when it turns out there was actually Malware in the installer that the automated systems didn't catch it when the file was submitted by the developers.

 

As for malware being on the App Store, I really haven't looked into it. I have heard a few news stories over the years of things getting slipped though. But over all I would say Apple does do a good job all things considered of keeping the App Store malware free. I do think the App Store systems is much more involved then whatever automated system was used in checking this software. So it may have been caught if it was submitted to the App Store.

No, I am saying I wish Apple would provide a way for people to install software from other sources besides just Apple's App Store. The only reason why hacking is mentioned is because Apple does not provide a way so people end up having to hack their own phone to get around Apple's security in order to install what they want to install.

So it never even got to the App Store in the first place where users could even download it?  So a non-problem for users and an example that limitations of the App Store are functional rather than non functional?

[Catsrules]

11 minutes ago, RejZoR said:

Who will even take responsibility with Android? Google? Samsung? 3rd party ROM maker like LineageOS ? With Apple, it's rather clear, Apple is responsible. Which is why they don't allow things because of that exact reason. People are dumb.

Why would any of them take responsibility it wasn't their fault. It is the End users fault. Sure the Dumb end user might not agree but what exactly are they going to do, shout into the void about how horrible Apple is. Nothing new there.  lol 

 

[Catsrules]

4 minutes ago, Bombastinator said:

So it never even got to the App Store in the first place where users could even download it?  So a non-problem for users and an example that limitations of the App Store are functional rather than non functional?

Exploits in existing Apps and iOS itself. Malware can be hidden in a photo or video file when it gets opened boom your infected. Even strings of text can be used if the app reading the text doesn't handle it correctly.

 

Sure it is very hard to do and usually Apple is pretty on top of patching when stuff like this does happen but again it can and does happen.