Malware hidden in vid app is so nasty, victims should wipe their Macs

It's going to be an unpleasant weekend for some Mac users who are facing a complete system wipe and reinstall – after hackers stashed malware in legitimate applications. Eltima Software, which makes the popular Elmedia Player and download manager Folx, today confessed the latest versions of those two apps came with an …

  1. scrubber

    Nuke from orbit

    Or wait for lil Kim to do it for you.

    1. Elmer Phud

      Re: Nuke from orbit

      Or that other chappie?

      1. charlieboywoof

        Re: Nuke from orbit

        Mostly they come at night, mostly

        1. sloshnmosh

          Re: Nuke from orbit

          Oh how I love a good Alien(s2) reference!

  2. Charles 9

    Still waiting for that nuke-proof malware where even re-installation doesn't remove it...

    1. bazza Silver badge

      Erm, aren't they called firmware viruses?

      I seem to recall Lenovo put something into some of their device driver firmware that would reinstall bloatware. Or something like that. Ok so that's not a Mac, but then Macs and PCs aren't so very different.

      1. Haku

        Re: Macs and PCs aren't so very different

        Yes they are, one has an army of fanatics that will defend their choice of platform against their rival to the bitter end, and the other has a larger army of fanatics that will defend their choice of platform against their rival to the bitter end.

        1. Not also known as SC

          Re: Macs and PCs aren't so very different

          @Haku,

          A perfect explanation.

        2. Anonymous Coward

          Re: Macs and PCs aren't so very different

          So what are the people running MacOS on a PC VM?

          and while you're at it....what's the iair-speed velocity of an unladen swallow?

          1. Anonymous Coward

            Re: Macs and PCs aren't so very different

            Running macOS on a PC is strictly prohibited by the licence, so of course nobody does it.

            Nobody at all. Honest guv.

            1. HieronymusBloggs

              Re: Macs and PCs aren't so very different

              "Running macOS on a PC is strictly prohibited by the licence"

              So users of Intel Macs are breaking the licence terms?

          2. Elmer Phud

            Re: Macs and PCs aren't so very different

            African or European?

            1. PNGuinn

              Re: Macs and PCs aren't so very different

              "African or European?"

              Simple to check. It'd be the swallow with the rounded corners, natch.

              It's a pleasure - I'm here all week.

          3. chivo243 Silver badge

            Re: Macs and PCs aren't so very different

            African or European?

            1. J. R. Hartley

              Re: Macs and PCs aren't so very different

              I don't know that.

              1. hplasm

                Re: Macs and PCs aren't so very different

                "I don't know that!"

                AAAAAaaaaaaaa!

          4. Irongut

            Re: Macs and PCs aren't so very different

            "and while you're at it....what's the iair-speed velocity of an unladen swallow?"

            Sorry can't calculate iair-speed, I'm on a PC.

          5. Anonymous Coward

            Re: Macs and PCs aren't so very different

            Same as the drag coefficient of the tassels on a flying carpet.

        3. macjules

          Re: Macs and PCs aren't so very different

          And not forgetting that one side was founded by a charismatic, obsessive compulsive with psychological issues, while the other side was founded by a charismatic, obsessive compulsive with psychological issues ..

          1. Snorlax Silver badge

            Re: Macs and PCs aren't so very different

            @macjules:"And not forgetting that one side was founded by a charismatic, obsessive compulsive with psychological issues, while the other side was founded by a charismatic, obsessive compulsive with psychological issues .."

            ...while Linus is an obsessive compulsive with psychological issues and no charisma.

        4. J. R. Hartley

          Re: Macs and PCs aren't so very different

          As a famous Commodore engineer once said: There's nothing nasty about Bill Gates, and there's nothing nice about Steve Jobs.

          1. Anonymous Coward

            Re: Macs and PCs aren't so very different

            "As a famous Commodore engineer once said: There's nothing nasty about Bill Gates, and there's nothing nice about Steve Jobs.

            ... and oh boy was he wrong.

            Bill-boy was at least as nasty as Steve, but on a different level because of market position. So nasty that they stalled the DoJ in the monopoly abuse case so long that the president they'd bought got elected and dismissed the whole case as pay-back for "campaign money".

            There aren't many companies who can reach that level of evilness, not even IBM could.

            The pensioner Bill is a totally different animal, with barely any connection at all to the former Bill. But he's not losing money: a charity you own is still personally yours. Except you don't pay taxes.

            Also inheriting a charity is not taxable. Think about that a while ... all of those billions and $0 inheritance tax. And you get to claim in public that "heirs aren't inheriting any money".

            Which is true, they just inherit the sole ownership of a foundation. Which owns tens of billions.

            I repeat: Bill is not losing money with this 'charity' thing: 5% of the capital to charity purposes (choose whatever you want), the rest is yours. 5% yearly profit without taxes should be trivial to any company. Even without stock gains.

            Totally legal of course, that's the whole idea: Tax loopholes for the ultra rich.

            1. Anonymous Coward

              Re: Macs and PCs aren't so very different

              You've got to REALLY hate Bill Gates to lay into him over spending $2 billion on developing a malaria vaccine.

      2. TheVogon

        "Erm, aren't they called firmware viruses?"

        See https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/

    2. AlbertH

      Nothing new!

      There was persistent malware as far back as the Amiga! There was battery-backed RAM into which it was possible to install a little nasty that would get written to every floppy inserted into the machine and would write itself to any uninfected Amiga that the floppy was put into.... It didn't do anything malicious, just spread itself to almost every Amiga I ever saw!

      1. macjules

        Re: Nothing new!

        Personally I would have said that persistent malware first raised its ugly face when people started harvesting user data under the grotesque misnomer commonly called 'social media'.

      2. Nick Ryan Silver badge

        Re: Nothing new!

        Nearly. Amiga RAM was not battery backed, what this used was a persistent RAM drive called a RAD drive. Anything stored in this type of RAM drive would survive a soft reset of the system (the normal RAM drive was wiped by a soft reset). Powering the system off would clear the RAD drive.

        If you had oodles of RAM (for the time) you could copy the OS to the RAD drive and configure the system to boot off it which made for a ludicrously fast booting system.

    3. Dodgy Geezer Silver badge

      ..buy a new computer?

      Malware sponsored by Microsoft and HP...

  3. Anonymous Coward

    Are crooks hacking private build systems, or cloud ones?

    Because the number of infected legitimate software is increasing... what's the reason?

    1. Anonymous Coward

      Re: Are crooks hacking private build systems, or cloud ones?

      I think your title was right, there have been several instances of software companies' build systems getting hacked. This sounds like more of the same.

      The reason is probably because this is the easiest way to infect a lot of people. Compile your infection into software that either automatically updates itself or is updated regularly by users, and you get a lot more people than if you did it the old fashioned way and needed to find a remote root exploit or trick them into downloading something they shouldn't.

      Not much you can do as an end user about this except hope that as that keeps happening software companies will pay more attention to the security of their build environment and maybe consider taking it offline (I know, why would they do that when it is less convenient...)
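One mitigation for the "compromised build system" scenario the post above describes, as an added example (this is not Eltima's update code or any real vendor's release pipeline): build the release on several independent hosts, have each publish a hash attestation, and make the client refuse an artifact that fewer than a quorum of builders reproduced bit-for-bit. A build server that has been backdoored then produces something the other builders do not. Builder names, the quorum size and the artifact bytes are all constructed for the demo.

```python
"""Accept a software update only when independent builders reproduce it.

Added example; not any vendor's real release code. Models one mitigation
for a compromised build server: several independent builders each attest
the sha256 of what they built, and the client refuses an artifact that
fewer than QUORUM of them reproduced. Names and bytes are constructed.
"""
import hashlib
from dataclasses import dataclass

QUORUM = 2  # assumption: independent builders that must agree before install


@dataclass(frozen=True)
class Attestation:
    builder: str   # constructed builder identifier, e.g. "vendor-ci"
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact: bytes, version: str, attestations, quorum: int = QUORUM):
    """Return (accepted, reason) for a downloaded artifact.

    Accepts only if at least `quorum` builders attested this exact hash for
    this version, and no builder attested a different hash: a release that
    reproduces on some hosts but not others means one of them is lying or
    compromised, which is a reason to stop, not to ship.
    """
    digest = sha256_hex(artifact)
    relevant = [a for a in attestations if a.version == version]
    agreeing = {a.builder for a in relevant if a.sha256 == digest}
    disagreeing = {a.builder for a in relevant if a.sha256 != digest}
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {quorum} builders reproduce sha256 {digest[:16]}"
    if disagreeing:
        return False, f"builders {sorted(disagreeing)} built something different; investigate"
    return True, f"accepted: {len(agreeing)} builders agree on sha256 {digest[:16]}"


def demo():
    """Three constructed scenarios; returns their (accepted, reason) results."""
    clean = b"MZ clean release build of example-player 2.0"
    trojaned = clean + b"\x00implant"
    clean_hash = sha256_hex(clean)
    # Independent builders (constructed names) all reproduced the clean build.
    honest = [Attestation(b, "2.0", clean_hash) for b in ("vendor-ci", "mirror-1", "mirror-2")]
    # 1. Served artifact matches what everyone built: accept.
    ok = verify_update(clean, "2.0", honest)
    # 2. Build server compromised: served artifact differs from every attestation.
    tampered = verify_update(trojaned, "2.0", honest)
    # 3. One builder compromised: it attests the trojan, the others the clean build.
    mixed = honest[1:] + [Attestation("vendor-ci", "2.0", sha256_hex(trojaned))]
    split = verify_update(clean, "2.0", mixed)
    return ok, tampered, split


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The check only helps if the builders really are independent (different hosts, different credentials, ideally different operators) and the attestations reach the client over a channel the build server cannot rewrite; a single build host that signs its own output gives you no protection against exactly the scenario in this thread.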

      1. Citizen99

        Re: Are crooks hacking private build systems, or cloud ones?

        Upvoted - yes, air-gap FFS

    2. Anonymous Coward

      Re: Are crooks hacking private build systems, or cloud ones?

      Yes, there seems way way too much going on these days.

    3. Anonymous Coward

      Re: Are crooks hacking private build systems, or cloud ones?

      Fashion?

      This has been a problem for some time. In the early 00's there was even the "typo" (== vs =) in a single Linux kernel line able to give the planter root access on demand.

    4. Wayland

      Re: Are crooks hacking private build systems, or cloud ones?

      Like car jacking increased when it became harder to steal one without the key.

      I suspect now they have made them easier to steal that car jacking will decline.

  4. Pirate Dave Silver badge

    A complete wipe?

    So the advice for a Unix-based system with a virus is to completely wipe it and re-install from scratch? That sounds so Windows-like. There aren't any scripts that can clean all the crap out and get the system back to normal? That does not sound like the Unix-way to me.

    1. Electron Shepherd

      Re: A complete wipe?

      Once the system has been compromised, what script are you going to run that guarantees to restore the system state correctly? How can you trust anything that the OS tells you, once you've been infected?

      It's not a Windows vs [U|Li]nux thing at all, it's just common sense, regardless of the operating system.

      1. Haku

        Re: A complete wipe?

        "Once the system has been compromised, what script are you going to run that guarantees to restore the system state correctly? How can you trust anything that the OS tells you, once you've been infected?"

        If we were to treat the US government as an operating system, would I be right in diagnosing it's been rooted with a nasty malware infection?

        1. amanfromMars 1 Silver badge

          If you don't correctly diagnose the problem, spreading cancers remain untreated

          If we were to treat the US government as an operating system, would I be right in diagnosing it's been rooted with a nasty malware infection? ... Haku

          Haku, Howdy,

          For Bigger Picture and Greater IntelAIgent Games Plays, if we were to diagnose the US government as a nasty malware infection, what operating systems would require major life-threatening surgery as the only effective life-saving treatment?

        2. Destroy All Monsters Silver badge

          Re: A complete wipe?

          If we were to treat the US government as an operating system, would I be right in diagnosing it's been rooted with a nasty malware infection?

          Yeah, but how do you propose to go back in time and kill Teddy Roosevelt?

          1. Ropewash

            Re: A complete wipe?

            No need.

            The solution is the same no matter what generation of .gov software your country has installed.

            Erase the partition WashingtonDC then create a new partition and format with whatever .gov system you feel you require.

            If I might offer some advice; make the partition much smaller this time.

            1. Charles 9

              Re: A complete wipe?

              Two problems.

              One, you could end up with more of the same, or even something worse than before.

              Two, how do you deal with natural accretion which seems to be able to get past any law known to man?

            2. Tim Seventh

              Re: A complete wipe?

              "The solution is the same no matter what generation of .gov software your country has installed.

              Erase the partition WashingtonDC then create a new partition and format with whatever .gov .people system you feel you require."

              FTFY

          2. allthecoolshortnamesweretaken

            Re: A complete wipe?

            "Yeah, but how do you propose to go back in time and kill Teddy Roosevelt?"

            Just out of idle curiosity, why Teddy? (Not my first go-to by a bit of a stretch.)

        3. Captain Badmouth

          Re: A complete wipe?

          "If we were to treat the US government as an operating system, would I be right in diagnosing it's been rooted with a nasty malware infection?"

          There's certainly something present that needs a good wipe...

    2. Anonymous Coward

      Re: A complete wipe?

      Once it has root there's no telling what it has done.

      You really should wipe and reinstall for any malware that gains root/Administrator levels privs. I don't see how you could possibly trust your system without taking that step.

      1. Remy Redert

        Re: A complete wipe?

        I agree that you can't trust the OS itself afterwards, but with Linux at least it would be possible to boot off a live DVD/USB and run a scan from a known good OS to clean out any infection of the system.

        The only way to get around that would be to have a firmware persistent malware at which point you'd have to wipe and reinstall the firmware for everything as well, probably over USB.

        1. James O'Shea

          Re: A complete wipe?

          "I agree that you can't trust the OS itself afterwards, but with Linux at least it would be possible to boot off a live DVD/USB and run a scan from a known good OS to clean out any infection of the system.

          The only way to get around that would be to have a firmware persistent malware at which point you'd have to wipe and reinstall the firmware for everything as well, probably over USB."

          You can do that with Macs, too. It's perfectly feasible to create USB boot flash drives. It's even more feasible to create bootable external hard drives, and somewhat more difficult but still possible to create bootable DVDs. It would be trivial to boot off one and clean the drive.... _if you already had created such an item_. I, personally, have bootable flash drives with 10.11, 10.12, and 10.13 installed, and have full bootable backups (plural) of my working drives. It would be trivial for me to fix this. The easiest way would, actually, be to put the bad system into target disk mode and clone back one of the backups. However, I have backups and boot flash drives. The vast majority of John Public does not have either and look at you as if you just flew in from Mars when you suggest that maybe, just maybe, having a backup might be good, and that maybe, just maybe, it might be a good idea to have a bootable installer.

          How much am I bet that the majority of those affected have no backups whatsoever?

          1. This post has been deleted by its author

          2. My Coat

            Re: A complete wipe?

            Rather than create a bootable USB drive etc, probably easier to boot from the recovery partition, no?

            1. Doctor Syntax Silver badge

              Re: A complete wipe?

              "Rather than create a bootable USB drive etc, probably easier to boot from the recovery partition, no?"

              That assumes the recovery partition hasn't been affected.

              1. Lord Elpuss Silver badge

                Re: A complete wipe?

                @Doctor Syntax

                "That assumes the recovery partition hasn't been affected."

                On Macs from 2012 onward the recovery partition is Internet-based - downloads a live environment direct from Apple and doesn't touch the HDD/SSD at all during boot.

                1. Daniel B.

                  Re: A complete wipe?

                  Internet recovery is only used if the user explicitly chooses it, or when there is no recovery partition on the HDD/SSD.

                  1. Lord Elpuss Silver badge

                    Re: A complete wipe?

                    So explicitly choose it.

                    1. CrazyOldCatMan Silver badge

                      Re: A complete wipe?

                      So explicitly choose it.

                      Doesn't always work - especially in heavily-proxied corporate environments.

                      1. Lord Elpuss Silver badge

                        Re: A complete wipe?

                        "Doesn't always work - especially in heavily-proxied corporate environments."

                        Well, I would guess that if you're in a heavily proxied corporate environment then you have an IT department who can presumably deal with the issue for you - in our case, that would typically mean they give the user a new laptop from stock and reflash/zero the old one at their leisure.

                2. CrazyOldCatMan Silver badge

                  Re: A complete wipe?

                  On Macs from 2012 onward the recovery partition is Internet-based - downloads a live environment direct from Apple

                  Not *entirely* true. You can build them that way - you can also build them the old-fashioned way.

                  Which we have to, being in a proxied environment where the proxy doesn't like Macs much.

            2. CrazyOldCatMan Silver badge

              Re: A complete wipe?

              probably easier to boot from the recovery partition, no?

              Well yes. Assuming that you trust that the malware hasn't infected that as well..

        2. Charles 9

          Re: A complete wipe?

          "The only way to get around that would be to have a firmware persistent malware at which point you'd have to wipe and reinstall the firmware for everything as well, probably over USB."

          Except if something like BadUSB hoses the USB controller, you can't trust it, either. Some malware is getting SO bad that it can permanently brick hardware.

          1. patrickstar

            Re: A complete wipe?

            That would, of course, be a firmware backdoor. Just USB controller firmware as opposed to the "main" BIOS/UEFI.

            And well, unless you find some OTP ROM to stick your backdoor into, it's technically not permanent. But in some cases reflashing is difficult enough that it might well be.

        3. Rob Moir

          Re: A complete wipe?

          I agree that you can't trust the OS itself afterwards, but with Linux at least it would be possible to...

          And the 'average person' type who might typically be running Windows or OSX isn't going to know how to do that. It's arguably better to give them "over the top" advice which they can follow and which will result in a clean machine than something they won't understand and won't do anything with (having said that, I'm far from convinced that the 'average person' would wipe their machine no matter how simple it was...)

      2. Dan 55 Silver badge

        Re: A complete wipe?

        Once it has root there's no telling what it has done.

        The latest Mac OSes are supposedly rootless so having root shouldn't happen. What went wrong here?

        1. CrazyOldCatMan Silver badge

          Re: A complete wipe?

          The latest Mac OSes are supposedly rootless

          Well - they still have an effective superuser login. It just isn't called 'root'

    3. rmullen0

      Re: A complete wipe?

      Step 1: Reboot.

      If that doesn't fix it,

      Step 2: FORMAT C:

      1. Anonymous Coward

        Re: A complete wipe?

        I tried that command on my mac and it didn't work.

      2. CrazyOldCatMan Silver badge

        Re: A complete wipe?

        Step 2: FORMAT C:

        "Drive /C: not found. Do you mean /dev/sda?"

    4. patrickstar

      Re: A complete wipe?

      Utterly regardless of whether it's Windows, Linux, MacOS, or something else entirely, the standard advice (CERT et al.) has long been to reinstall the OS after an admin/root-level compromise.

      However, if you know what you're doing and have a reasonable idea about what the attacker has done (like when it's some random standard malware and not a targeted attack), you can - of course - clean up an attack without an OS reinstall, regardless of which OS it is.

    5. Robert Grant

      Re: A complete wipe?

      That does not sound like the Unix-way to me.

      Don't make decisions based on learned conclusions (e.g. "Unix is better because you can script things!") Learn how stuff works, and conclusions will take care of themselves.

    6. Jakester

      Re: A complete wipe?

      What's wrong with a complete wipe? Sometimes that is the most efficient and effective way to eliminate most malware (except for those that installed into the firmware on the hard drive). Windows 10 is much easier to start from scratch compared to Windows 7. Once I was having an issue with one of my Ubuntu installations - that was even easier to reinstall. I have notes on each Linux installation I maintain (basically descriptions of partitions, software installed from the store, special configurations, mount points, etc) that are usually less than a page in length. My Windows reinstallation notes take a little more space, about 3 pages, but make starting from scratch much easier and less frustrating.

    7. Wayland

      Re: A complete wipe?

      You'd need to wipe the drive from orbit (to use a Globe Earth analogy).

      You'd need to boot from a clean drive and run nothing from the suspect drive until you'd run anti-virus. You would really want to replace every executable with a clean one and hope that you can clean out any viruses in the data files.
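The procedure Remy Redert and Wayland describe above (boot from a known-good OS, run nothing from the suspect drive, and check every executable against a clean copy) comes down to hashing the suspect volume against a manifest taken from a clean install. Below is an added example of that check; it is not code from the article or from any commenter. The directory tree, file contents and manifest are constructed in a temporary directory so it runs offline; in real use you would point it at the suspect volume mounted read-only from a live USB, an external boot drive or target disk mode, with the manifest built earlier from a known-good system.

```python
"""Check a suspect volume against a hash manifest from a clean install.

Added example, not code from the article or from any commenter. Run it
from a known-good OS with the suspect volume mounted read-only: nothing on
that volume is executed, only read and hashed. The tree, file contents and
manifest below are constructed in a temp directory so it runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root.

    Symlinks are skipped: a link is a pointer, and following one on a
    compromised volume could lead outside the tree being checked.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_tree(root, known_good):
    """Return (modified, added, missing) relative paths, each sorted."""
    current = build_manifest(root)
    modified = sorted(p for p in current if p in known_good and current[p] != known_good[p])
    added = sorted(p for p in current if p not in known_good)
    missing = sorted(p for p in known_good if p not in current)
    return modified, added, missing


def demo():
    """Constructed scenario: snapshot a clean tree, then trojan a binary,
    drop a launch agent and delete a helper, and diff against the snapshot."""
    with tempfile.TemporaryDirectory() as root:
        macos_dir = os.path.join(root, "Applications", "Example.app", "Contents", "MacOS")
        os.makedirs(macos_dir)
        binary = os.path.join(macos_dir, "Example")
        helper = os.path.join(macos_dir, "helper")
        with open(binary, "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe clean build")   # Mach-O magic + filler, constructed
        with open(helper, "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe helper")
        known_good = build_manifest(root)               # taken from the clean install
        # What a trojaned update might leave behind (all constructed):
        with open(binary, "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe clean build + implant")
        os.remove(helper)
        agents = os.path.join(root, "Library", "LaunchAgents")
        os.makedirs(agents)
        with open(os.path.join(agents, "com.example.persist.plist"), "wb") as f:
            f.write(b'<plist version="1.0"/>')
        return compare_tree(root, known_good)


if __name__ == "__main__":
    for label, paths in zip(("modified", "added", "missing"), demo()):
        for p in paths:
            print(f"{label}: {p}")
```

The manifest has to come from somewhere you trust and be stored off the suspect machine, otherwise an attacker with root could simply have rewritten it; and, as several posts in this thread note, a clean result says nothing about firmware, which this check never reads.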

  5. Anonymous Coward

    Wow

    Simply wow .. that's a nasty hit.

    Just goes to show how vulnerable these systems are, UNIX/Linux, Windows, and macOS.

    I'm not sure about Apple low level security, but could the UEFI and harddrive firmware be compromised as well, or is there some built-in check in the Apple UEFI BIOS? If it were PC/Windows, I'd toss the HDDs and reflash the BIOS with a "known good" copy.

    1. Sandtitz Silver badge

      Re: Wow

      I'm not sure about Apple low level security, but could the UEFI and harddrive firmware be compromised as well, or is there some built-in check in the Apple UEFI BIOS? If it were PC/Windows, I'd toss the HDDs and reflash the BIOS with a "known good" copy.

      Through the rabbithole with the paranoias.

      Many - not all - PC makers only allow signed UEFI updates. Of course if the malware writers have pwned the mfgr's internal systems they could sign their own updates. Like they did with Eltima in this case.

      If your UEFI has a virus - something the TLAs could possibly cook - it could either a) deny further flashing, or b) allow flashing BUT still remain. Computers these days don't have a socketed EPROM for DIY flashing - perhaps the mfgrs still have the tools to reflash securely through a JTAG or something similar?

      1. Anonymous Coward

        Re: Wow

        @ Sandtitz

        Just because you are paranoid doesn't mean they are not out to get you. And here, obviously, they are.

        Anyway, I wasn't sure about UEFI, as I've only ever updated UEFI for the sake of updating it, never because of an attack. I would venture then that the UEFI BIOS of these Macs is 'OK'. I'd still be looking to toss the HDDs though.

        On the big iMac that is a complicated process where one has to unstick the glass screen beforehand .. there are videos on YouTube though on how to prepare for and perform the removal and reattachment of the iMac glass screen. Doing so on one's own would void the warranty, so perhaps an Apple Store could give advice.

        Of course, going that far is a business decision. If the machine is used for casual email and web surfing, the impetus would be less. If it houses one's own business, especially one "hackers" would be interested in, then it would be worth looking into taking the step to replace the harddrive. If you don't believe me, Bing the term harddrive firmware infected.

        1. anonymous boring coward Silver badge

          Re: Wow

          You would throw away the hard disk?

          Seems a bit extreme?

          Just boot a fresh external drive and reformat the original disks.

          1. robidy

            Re: Wow

            Not sure a straight format passes the sniff test. One assumes you mean wipe the partition table? Or as I found with some odd RAID partitioned drives you actually have to zero the first part of the drive for good measure.
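An added example of the distinction robidy draws above between "format" and actually wiping the drive (this is not code from the thread). A quick format rewrites filesystem metadata but leaves the MBR/boot code, the primary GPT at the start of the disk and the backup GPT header in the last sector in place, which is why zeroing only "the first part of the drive" is not quite enough either. The script builds a constructed image file with those structures, zeros a few MiB at each end, and shows what survives; on real hardware you would open the block device from a trusted boot instead, and note that none of this touches drive or system firmware.

```python
"""Zero the partition-table regions of a disk and show what a format leaves.

Added example, not from the thread. The image is a constructed file so the
script runs offline; on real hardware you would open the block device from
a trusted boot. Nothing here touches drive or system firmware.
"""
import os
import tempfile

MIB = 1 << 20
WIPE_BYTES = 2 * MIB   # assumption: how much to zero at each end of the device


def device_size(f):
    """Size in bytes via seek-to-end, which also works on block devices."""
    f.seek(0, os.SEEK_END)
    return f.tell()


def make_fake_disk(path, size_mib=8):
    """Constructed image: MBR signature at byte 510, a GPT header in LBA 1,
    a backup GPT header in the last LBA, and some data in the middle."""
    size = size_mib * MIB
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(510)
        f.write(b"\x55\xaa")
        f.seek(512)
        f.write(b"EFI PART")
        f.seek(size - 512)
        f.write(b"EFI PART")
        f.seek(size // 2)
        f.write(b"user data that a reformat would also leave behind")


def find_signatures(path):
    """Report which on-disk structures are still present."""
    with open(path, "rb") as f:
        size = device_size(f)
        f.seek(510)
        mbr = f.read(2) == b"\x55\xaa"
        f.seek(512)
        gpt = f.read(8) == b"EFI PART"
        f.seek(size - 512)
        backup = f.read(8) == b"EFI PART"
    return {"mbr": mbr, "gpt": gpt, "backup_gpt": backup}


def wipe_ends(path, wipe_bytes=WIPE_BYTES):
    """Zero the first and last wipe_bytes of the device in place, without
    truncating it. Returns the number of bytes written."""
    zeros = bytes(MIB)
    written = 0
    with open(path, "r+b") as f:
        size = device_size(f)
        span = min(wipe_bytes, size)
        for start in {0, size - span}:   # a set, so a tiny device is not zeroed twice
            f.seek(start)
            remaining = span
            while remaining:
                n = min(len(zeros), remaining)
                f.write(zeros[:n])
                remaining -= n
                written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def demo():
    """Returns (signatures before, signatures after, whether mid-disk data survived)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_fake_disk(img)
        before = find_signatures(img)
        wipe_ends(img)
        after = find_signatures(img)
        with open(img, "rb") as f:
            f.seek(device_size(f) // 2)
            survived = f.read(9) == b"user data"
    return before, after, survived


if __name__ == "__main__":
    before, after, survived = demo()
    print("before:", before)
    print("after: ", after)
    print("data in the middle of the disk untouched:", survived)
```

The surviving data in the middle is the point: zeroing the ends makes the disk look blank to partitioning tools, but if the goal is to remove everything the malware wrote you zero (or secure-erase) the whole device, and even that leaves the drive's own firmware exactly where it was.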

            One does wonder how this could be exploited...not to mention the recent TPM issues.

            1. anonymous boring coward Silver badge

              Re: Wow

              But if you worry about this level of infiltration, then you can't possibly be running any standard OS with standard connectivity! You might as well accept that you are effed then.

              1. TheVogon

                Re: Wow

                "But if you worry about this level of infiltration, then you can't possibly be running any standard OS with standard connectivity!"

                Given the amount of effort needed to code and execute such an attack, they are probably primarily going to be developed by government agencies. However recent history shows that eventually either such attacks are discovered in the wild or the exploit installers leak. And therefore it's quite possible that one day these attacks will be used by something zero day in the wild. So no harm in being paranoid and patching whenever there is a fix. Bearing in mind the potential insidious nature of such malware once installed, prevention where it exists is probably easier than a cure.

          2. John Brown (no body) Silver badge

            Re: Wow

            "You would throw away the hard disk?

            Seems a bit extreme?

            Just boot a fresh external drive and reformat the original disks."

            This guy demonstrates how to hack the HDD firmware in a persistent way such that you can still get into a box after wipe/reinstall. He then goes on to install linux into the HDD controller board, just for fun.

        2. Kiwi

          Re: Wow

          If it houses one's own business, especially one "hackers" would be interested in, then it would be worth looking into taking the step to replace the harddrive

          No really. From Kaspersky :

          "For starters, hard drive reprogramming is much more complex than writing, let’s say, Windows software. Each hard drive model is unique and it is very expensive and painstaking to develop an alternative firmware. A hacker must obtain the hard drive vendor’s internal documentation (which is nearly impossible), purchase some drives of the exact same model, develop and test required functionality, and squeeze malicious routines into existing firmware, all while keeping its original functions."

          Despite what some people imagine, it really is quite difficult to maliciously alter firmware in a number of devices - the address space is small and if you want your alterations to go unnoticed, you have to keep the thing running as normal - no loss of functionality and no loss of speed. Having a HDD that noticeably slows down is going to be noticed, and an IT team will replace a slow HDD as it's showing signs of failure, even if quite new. Also, a machine generating a lot of network traffic (gigs of data being uploaded to the hackers) above what it should will be noticed and dealt with. And despite what some say about taking only small amounts at a time, if you want to be able to go through my files for anything interesting then you need all of my files, and if that's a terabyte of data then downloading at 20kps will take you a very long time. It's been done, sure, and systems that send a lot of traffic are going to be harder to watch for excessive amounts of uploads.

          If you don't believe me, Bing the term harddrive firmware infected.

          There's your problem (though Google's results aren't exactly much better these days). Bing. From the company who thought the "Good Times" hoax was a good idea and made it possible to get infected just by clicking on the email...

          1. Wayland

            Re: Wow

            There are tools that can get deep into a hard drive. It's likely you could do a hard drive firmware or boot track infection on a whole swath of Apples fitted with the same drive. It's right that RAID drives have something written to them which survives formatting. X-Box drives are also modified in some way as are drives from TV recorders.

            I'm not saying the virus did these things but with root access a person could do this therefore a virus could.

        3. TheVogon

          Re: Wow

          "I would venture then that the UEFI bios of these Macs are 'OK'."

          I wouldn't. See for instance:

          https://arstechnica.com/information-technology/2017/09/an-alarming-number-of-macs-remain-vulnerable-to-stealthy-firmware-hacks/

          There have been at least 3 different Mac EFI vulnerabilities found and exploited in the past, so given enough effort likely more could be found...

    2. Remy Redert

      Re: Wow

      AFAIK all Apple machines run on Intel hardware, so if the malware writers really wanted to there's a few gaping holes in the management engine to exploit. I'd bet that even if a patch is available, the vast majority of machines will not have installed it.

      1. CrazyOldCatMan Silver badge

        Re: Wow

        Intel hardware, so if the malware writers really wanted to there's a few gaping holes in the management engine to exploit

        I don't think Apple includes IME in their motherboards.

    3. Wayland

      Re: Wow

      Well it could set up a boot loader of some kind which then boots the main drive once infected. Many PCs these days can access the Internet from the BIOS.

  6. Anonymous Coward

    That image!

    Is it meant to evoke the widening of a sphincter post-installation?

  7. Anonymous Coward

    Perhaps developers should work offline

    or alternatively release only a finished product that doesn't need Microsoft style updates all the time.

    Oh yeah right, "it is impossible to write application code that doesn't need to be changed after release"? I totally believe you dude

    1. d3vy

      Re: Perhaps developers should work offline

      Are you mental?

      Of course it's not possible to release code that doesn't need updates.

      Requirements change.

      Features are added.

      Bugs are fixed.

      Even without the bugs updates would still be needed to support new hardware configurations etc..

      1. Anonymous Coward

        Re: Perhaps developers should work offline

        @d3vy like I said, I totally believe you dude

        Requirements change, features added = new product.

        Bug fixes = you released bad code and are an incompetent liability to your customers.

        Whilst it remains okay for chancers to release code with errors/vulnerabilities then expect them to continue to be exploited just as they have been for years.

        If you want security then do not buy mass produced, off the shelf crap produced by people who sell "coding is more complex than any other human endeavor".

        My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind.

        1. This post has been deleted by its author

        2. Kiwi

          Re: Perhaps developers should work offline

          My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind.

          So... No repeat business, code insignificant enough that errors in the compiler aren't triggered by it, insignificant enough that changes to the OS don't cause any issues with it. Oh, and insignificant enough that ONE person writes it.

          I can understand a lot of the bugs with MS stuff - their code has to support quite literally MILLIONS of possible hardware configurations. On top of that, there are millions of software configurations as well. The interaction between different bits of hardware or software, especially in complex programs, can sometimes throw up some serious surprises.

          Of course, if you really did write code like you want us to believe, you'd know that what you have in your test environment may not match what your customer has in their RealLife environment, and any changes to their RL environment could well result in changes to the function of your code. Also, no matter what coders think to test for, no matter what we think is a "so stupid it will never happen", RL invents users who, on the first time just looking at your software, manage to break it in ways you never dreamed possible.

          And that's before the next lot of updates to the OS, or other running software (what about all those deprecated system calls, APIs that no longer exist, DLLs that have changed name or location on disk etc etc etc etc etc etc etc etc etc etc etc?)

          El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired.

          1. Charles 9

            Re: Perhaps developers should work offline

            So what happened in the days BEFORE the Internet, where the limited methods of distribution pretty much meant you only had one shot at getting it right?

            1. patrickstar

              Re: Perhaps developers should work offline

              Then we simply learned to live with the bugs software had (there were probably fewer bugs since software was less complex, but it still felt like they numbered in the gazillions). And a bug having widespread security impact was much rarer since things weren't as connected, and most OSes had no real security anyway.

              A 'security incident' meant getting infected by some random virus - not your confidential data getting sent to the US, Russia and China all at the same time.

            2. Anonymous Coward
              Anonymous Coward

              Re: Perhaps developers should work offline

              "So what happened in the days BEFORE the Internet"

              It wasn't possible to remotely attack most computers, so it was far less of an issue. Also things like internet banking and Paypal didn't exist so there was typically far less to gain by doing so.

              Updates where needed (usually data updates or software bug fixes rather than security fixes) were typically mailed monthly or less frequently on floppy disks!

            3. ravenstar68

              Re: Perhaps developers should work offline

              So what happened in the days BEFORE the Internet,

              Erm well in at least one case you sent the cassette back to the software house and they sent you a replacement.

              Acorn Electron version of Elite back in 1984 had a bug that crashed the game when you used the galactic hyperdrive. That really was the fix. I sent mine off using registered post.

              1. tim 13

                Re: Perhaps developers should work offline

                I wish I had known that, it did the same on the Amstrad. I was a master of beating every enemy, by the time I could afford a docking autopilot I didn't need it and I had all the money I ever needed, but without being able to change galaxies the game was effectively over.

            4. d3vy

              Re: Perhaps developers should work offline

              "So what happened in the days BEFORE the Internet, where the limited methods of distribution pretty much meant you only had one shot at getting it right?"

              We posted each other floppy disks.

          2. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            "El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired."

            So, a photo contest then? How would we retain our anonymity?

            1. TheVogon
              Thumb Up

              Re: Perhaps developers should work offline

              "El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired."

              Maybe a competition is in order for a new row of icons?

              1. Kiwi
                Pint

                Re: Perhaps developers should work offline

                "El Reg - an icon that represents a steaming pile of male bovine excrement would be much desired."

                Maybe a competition is in order for a new row of icons?

                I've probably suggested enough for a couple of rows in the last year or two!

                But I agree, something to get the team/commentards working for at least one row! (would like to see some of the older ones make a comeback as well)

                (I also, when I screw up the tags in a post, would love to see a highlight in the approximate area of the invalid HTML, or when invalid stuff is detected colour-coding the bits it can figure out :) )

        3. Doctor Syntax Silver badge

          Re: Perhaps developers should work offline

          "Requirements change,features added = new product."

          Based on the assumption that a full product is bigger than an update - and bigger than the original as it contains new features, then this presents the customer with at least the same risks and possibly more than updates.

          "My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer."

          Been there, done that. But neither you nor I have had the problems inherent in supplying product to a mass market. I don't think we'd have been in business very long if we insisted on selling new products for every new feature, at least, not without the Stockholm syndrome of Windows users.

          1. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            @Doctor Syntax

            "problems inherent in supplying product to a mass market" - yes, there are additional problems, but then again the rewards are greater, and yet strangely the security tends to be lower.

            I see posters here suggesting that complex projects demand "team" development when the reality is that it is just cheaper to get in a few people who know what they are doing and a lot of amateurs who need to be told.

            The sad truth is that there are programmers who can code without allowing any errors in the final product and then there is the majority who have been programmed to believe it doesn't matter.

            Add in development tools that are themselves insecure and management who value only getting the product out the door.

            Thus we have bad/insecure code simply because it is deemed cheaper in the short term than doing it right. As the saying goes, if you pay peanuts then you get monkeys.

            It used to be that if you wanted a computer based solution, you went to a guy who built the hardware, software, basically everything from scratch; if he had to get help then clearly he was the wrong guy. Now we roll out "qualified" developers who could not build the hardware, have no clue how to write an OS and need an existing development package to write even just an office suite. How can anyone doubt that trusting these guys is a bad idea?

            You could blame the education system, the employers, the users, or you could just accept that unless you are that guy then you are an imposter; you are the reason for the "bugs" and vulnerabilities, simply because you do not know better. Better to have given matches to children.

            One guy on his own can still code everything; it might take longer, but if it is the right guy then he only has to write it once. When you add up the costs of updating and downtime, then is the current situation actually cheaper for anyone? Personally I think it is far too expensive to be allowed to continue.

            1. Kiwi
              Windows

              Re: Perhaps developers should work offline

              I see posters here suggesting that complex projects demand "team" development when the reality is that it is just cheaper to get in a few people who know what they are doing and a lot of amateurs who need to be told.

              That would still be what is commonly defined as a "team".

              The sad truth is that there are programmers who can code without allowing any errors in the final product and then there is the majority who have been programmed to believe it doesn't matter.

              When I did data-entry work (for a short time between other jobs, was a terrible desperate time!), a typing rate of 90% accuracy was considered very good, and I think you were employed if you could top 70%. At 90% that means you average 1 error in every 10 characters! Now, my typing accuracy is much better than that - I've touch-typed this paragraph with the first error being the "U" in "touch" being missed. That was 326 characters without error (I also missed the 2nd C in "characters", both cases not hitting the key quite hard enough). So at this point 3 errors (next was hitting "p" instead of "o" in "So"), 612 characters with 3 errors.

              To type a tiny program with 1000 lines of code, averaging 100 characters per line, is 100,000 characters. The odds of any human doing that without a number of typos is 0. No matter what you claim your typing is not that good, there is no one who can type at a reasonable speed and get it right.

              Some of the errors will be quickly picked up by the compiler, e.g. if you have a variable named "mycodeisshite" and in one case you type "mycodeisshit" the compiler should get that. But a lot won't be; say you mean to type "13565236734727" and you type "13565237634727" instead, in a constant, neither your compiler nor your eye will pick that up until you're having real problems and very closely look at the code.

              So by this point I've already proven that either your code makes a "hello world" program look complex, or your code has bugs. You may get most of them before shipping, but unless your code is very trivial you're stuffed.

              My last program was 603 lines of Pascal, including comments. It was a simple console .exe to clean up a minor failure in a customer's system, seeking a string in certain file names and removing that string. From what I know the "shipped" version was bug-free, however it was only executed 3 times once complete - a test run by me on sample data, the actual run on that customer's machine, and another run on another machine with the same issue. I designed it in an hour, and built it in a weekend with a few bugfixes in the process. By most standards this really is a very trivial program. I have no idea how many lines of code a graphics driver has, or the kernel of an OS, but it is far beyond what one person can do.

              Add in development tools that are themselves insecure and management who value only getting the product out the door.

              True there are issues with the build tools (as I mentioned, another reason why your code cannot be perfect). And also true there are managers who want products shipped as soon as possible, however repeat business comes from having a product that's good enough - if your customers really hate what you're doing then you're not getting them back.

              It used to be that if you wanted a computer based solution, you went to a guy who built the hardware, software basically everything from scratch, if he had to get help then clearly he was the wrong guy. Now we roll out "qualified" developers who could not build the hardware, have no clue how to write an OS and need a existing development package to write even just an office suit. How can anyone doubt that trusting these guys is a bad idea.

              And here we need that steaming pile of bovine excrement icon. Even Turing had a team helping him out, and before them - before he was born even - a lot of work went into stuff that he learned and built from. If Turing hadn't had his team then his machine would never have worked, certainly not in time to crack Enigma anyway. It was someone else who gave him the idea to look for the common element (the weather report IIRC, though "heil hitler" also springs to mind).

              If you're referring to "building the hardware" as actually from raw components (rather than building a PC consisting of already-assembled mobo, already built CPU etc etc) then there is NOT ONE PERSON in this world who could do that. One person can build a CPU, true, it has been done not long back. However, that CPU is very large and does not have the power of even the least of the smart phones.

              I'd love to see a citation of where one person could do the lot, build the hardware and write the software. Even in the Vic20 days that would've been difficult, if not impossible for one person to do. Maybe back with some of the more simple kitset computers that blinked a few lights.

              You could blame the education system, the employers the users or you could just accept that unless you are that guy then you are an imposter, you are the reason for the "bugs" and vulnerabilities, simply because you do not know better. Better to have given matches to children.

              Actually no, I think the few people out there like you are the problem. Really, you can, on your own, code an entire OS, plus application suite, plus build the computer - and all of this non-trivial and secure and bug-free?

              Absolute rubbish. But I'll call you on it and give you a chance to prove yourself - what code have you released that is not trivial and bug-free? What OS have you written? Afraid you'll have to kill your AC and provide verifiable links (I'll accept you passing the info to staff at El Reg (since they can tell who you are anyway) and have them check your claims and simply come back with a "Yes, AC has actually done this" or "No, AC is telling porkies")

              Icon --> Always looks to me like a homeless guy sniffing a tube of some sort of glue. Brain-damaging drug use seems appropriate here.

              1. Lord Elpuss Silver badge

                Re: Perhaps developers should work offline

                "So by this point I've already proven that either your code makes a "hello world" program look complex, or your code has bugs. You may get most of them before shipping, but unless your code is very trivial you're stuffed."

                ^ This.

                "And also true there are managers who want products shipped as soon as possible, however repeat business comes from having a product that's good enough - if your customers really hate what you're doing then you're not getting them back."

                And ^ This.

                "Actually no, I think the few people out there like you are the problem. Really, you can, on your own, code an entire OS, plus application suite, plus build the computer - and all of this non-trivial and secure and bug-free?

                Absolute rubbish."

                And most definitely ^ This.

                Kiwi gets it. One point I would add (and then I really need to get off this discussion and do some work) is that even if code is written 100% bug-free, that doesn't necessarily make it secure - it only means it will do what it's designed to do when all parameters are as-expected. A hacker isn't interested in what code should do, he's interested in what it can do - e.g. what happens when it (or the sandbox, or the OS, or the abstraction layer) is fed bogus or unexpected parameters which cause the code to flip and open up a hole. This is what makes fuzzing such a useful technique.
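The point made above, that code can be bug-free against every well-formed input and still fall over on input nobody specified, is what a fuzzer is for. The following is an added illustration and not code from the original post or the article: a constructed record parser that is correct for every message that follows its (made-up) format, a hardened variant of the same parser, and a small deterministic mutation fuzzer that distinguishes them. The format, the seed messages and the function names are all assumptions made here for the example.

```python
import random

# Assumed message format for this example: a sequence of
# [type:1 byte][length:1 byte][value:length bytes] records.

def parse_records_naive(buf: bytes):
    """Correct for every well-formed message. Its behaviour on malformed
    input was never specified, and that is what the fuzzer explores."""
    records = []
    i = 0
    while i < len(buf):
        rtype = buf[i]
        length = buf[i + 1]                              # no check that a length byte exists
        records.append((rtype, buf[i + 2:i + 2 + length]))  # slicing silently truncates
        i += 2 + length
    return records

def parse_records_hardened(buf: bytes):
    """Same format, but every malformed message is rejected explicitly."""
    records = []
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated record header at offset %d" % i)
        rtype, length = buf[i], buf[i + 1]
        end = i + 2 + length
        if end > len(buf):
            raise ValueError("declared length %d overruns buffer at offset %d" % (length, i))
        records.append((rtype, buf[i + 2:end]))
        i = end
    return records

# Constructed, valid seed messages: the fuzzer mutates these.
SEED_CORPUS = [b"\x01\x03abc", b"\x01\x03abc\x02\x01x", b"\x07\x00"]

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, byte replacement, truncation or insertion."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        pos = rng.randrange(len(data))
        data[pos] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 2:
        data = data[:rng.randrange(len(data) + 1)]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)

def fuzz(target, iterations: int = 2000, seed: int = 1):
    """Run the target on mutated inputs. ValueError counts as a clean rejection;
    any other exception is a crash; a returned value whose length differs from
    the length byte that introduced it is a violation of the format's promise."""
    rng = random.Random(seed)
    findings = {"crash": [], "violation": []}
    for _ in range(iterations):
        data = mutate(rng, rng.choice(SEED_CORPUS))
        try:
            records = target(data)
        except ValueError:
            continue
        except Exception as exc:
            findings["crash"].append((type(exc).__name__, data))
            continue
        offset = 0
        for _rtype, value in records:
            declared = data[offset + 1]
            if len(value) != declared:
                findings["violation"].append((declared, len(value), data))
                break
            offset += 2 + declared
    return findings

if __name__ == "__main__":
    for name, parser in (("naive", parse_records_naive), ("hardened", parse_records_hardened)):
        result = fuzz(parser)
        print(name, "crashes:", len(result["crash"]), "violations:", len(result["violation"]))
```

Both parsers agree on every message the format describes; the fuzzer only separates them by feeding the cases the format never mentioned, which is exactly the territory an attacker works in. The hardened parser is not longer because it does more work on good input, but because it states what happens on bad input instead of leaving that to the slice operator and the indexing rules.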

              2. Anonymous Coward
                Anonymous Coward

                Re: Perhaps developers should work offline

                Yes, everyone makes typos, but there are ways to remove them from the finished product.

                Your example constant = "13565236734727" rather than a * ( b+x ) ^5; bad practice/comprehension allowed your error. Any string over 3 characters is an increasing liability, as you rightly said, because what you see is what your brain thinks it should see. However, if the string is constructed from meaningful modules of less than 3 characters then the length can increase. Even in English, missing a typo in a three-letter word when you are concentrating is an impressive fail.

                "but it is far beyond what one person can do.", just using logic alone anything that any single person of a team can do alone a single person can also do. You don't get much "hold that end whilst I hammer this in" during development but if you did then that is a classic communication/planning problem and to be avoided by removing the Muppet who thinks it is essential from the equation.

                "By most standards this really is a very trivial program." You wrote a bit of code by yourself, you knew what you were doing and would find it easier to write it again from scratch. During coding you avoided lots of errors that would have been made by a different programmer who had never written that solution before and/or you learned some new mistake not to make again. Afterwards you needed to go through your code again and remove some errors that next time you would have avoided adding in the first place. Hence it was indeed trivial because you knew what you were doing.

                What if instead of a throw away solution you instead built it out of libraries that you had perfected by the same method. Code that had been reused over and again in many other different solutions to the point where any typos, logical errors etc. had already been removed. Whilst the library only does what it says on the tin it does it right every time under every condition possible to pass to it. How much faster could you have written and validated the new solution when 90%+ of the code is known good. As I said earlier a single programmer might take longer, creating your own libraries alone takes years but once perfected they can be reused over and again and the ones that you didn't get paid to write, reward you in the future.

                As to giving up my anonymity then no, my Reg persona doesn't connect to anything I have done anyway nor would it be wise to advertise where my code is being used.

                1. Charles 9

                  Re: Perhaps developers should work offline

                  "What if instead of a throw away solution you instead built it out of libraries that you had perfected by the same method. Code that had been reused over and again in many other different solutions to the point where any typos, logical errors etc. had already been removed. Whilst the library only does what it says on the tin it does it right every time under every condition possible to pass to it."

                  Not necessarily. Think gestalt exploits where the individual components are tried, tested, maybe even proven, but when they're taken as a whole suddenly exhibit unwanted behavior (in other words, the exploit is worse than the sum of its parts). The problem with code written by man is that it's nigh-impossible to predict EVERY circumstance where it will be used. Even formal proofs carry with them context limitations (e.g. seL4 can't keep its proof with DMA in use).
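A concrete instance of the composition problem described above, added here as an illustration rather than taken from the post or the article: two small functions that each honour their own contract, a traversal check that rejects any ".." path segment and a percent-decoder, are wired together in two orders. One order is safe, the other lets "%2e%2e/" walk out of the document root, and nothing about either function on its own tells you which. The base directory, the request paths and the function names are assumptions constructed for this example; `urllib.parse.unquote` and `posixpath` are the standard library.

```python
import posixpath
from urllib.parse import unquote

def reject_traversal(path: str) -> str:
    """Contract: return path unchanged if it has no '..' segment, else raise.
    Correct for exactly what it promises: it inspects the string it is given."""
    if any(segment == ".." for segment in path.split("/")):
        raise ValueError("traversal segment rejected")
    return path

def percent_decode(path: str) -> str:
    """Contract: decode %XX escapes exactly once. Also correct for what it promises."""
    return unquote(path)

def serve_path(base: str, request_path: str, decode_first: bool) -> str:
    """Compose the two components in one of two orders and return the filesystem
    path that a file handler would open. The components are unchanged; only the
    order differs."""
    steps = [percent_decode, reject_traversal] if decode_first else [reject_traversal, percent_decode]
    p = request_path
    for step in steps:
        p = step(p)
    return posixpath.normpath(posixpath.join(base, p.lstrip("/")))

def escapes_base(base: str, resolved: str) -> bool:
    """True if the resolved path lies outside the document root."""
    root = base.rstrip("/")
    return not (resolved == root or resolved.startswith(root + "/"))

if __name__ == "__main__":
    base = "/srv/www"                                   # assumed document root
    for request in ("docs/index.html", "%2e%2e/%2e%2e/etc/passwd"):   # constructed requests
        for decode_first in (True, False):
            try:
                resolved = serve_path(base, request, decode_first)
                verdict = "ESCAPES ROOT" if escapes_base(base, resolved) else "ok"
            except ValueError as exc:
                resolved, verdict = "-", "rejected: %s" % exc
            print("decode_first=%-5s %-28s -> %-22s %s" % (decode_first, request, resolved, verdict))
```

Neither function has a bug in the sense of violating its own specification; the hole exists only in the assembled pipeline, because the check was given a representation of the input that the later stage then changed. Reviewing the two functions in isolation, however carefully, cannot find it. The same shape recurs with Unicode normalisation, double encoding and any other case where a canonicalisation step sits downstream of a validation step.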

                  1. Lord Elpuss Silver badge

                    Re: Perhaps developers should work offline

                    @AC You're either unwilling or unable to grasp basic concepts of how coding works in modern systems, and I don't get paid enough to teach you. So I'm out of this discussion now, and I'll just leave you with these wise words from Col. Nathan R Codemonkey, Senior Programmer, Guantanamo Software House, Cuba.

                    Senior programmer: I'll answer the question. You want answers?

                    Junior Programmer: I think I'm entitled to them.

                    Senior programmer: You want answers?!

                    Junior Programmer: I want the truth!

                    Senior programmer: You can't handle the truth!

                    Son, we live with software that has holes, and those holes have to be found and closed by men with serious skills. Who's gonna do it? You? You, Anonymous Coward? I have a greater responsibility than you can possibly fathom. You weep for the state of software security, and you curse those who spend their lives trying to harden it. You have that luxury. You have the luxury of not knowing what I know -- that software vulnerabilities, while tragic, are inevitable in complex software; and my existence, while grotesque and incomprehensible to you, makes it as safe as it can be.

                    You don't want the truth because deep down in places you don't talk about at parties, you WANT me scanning your code -- you NEED me scanning your code.

                    We use words like “Token,” “Fuzzing,” “Exploit.” We use these words as the backbone of a life spent in penetration testing. You use them as a punch line.

                    I have neither the time nor the inclination to explain myself to a man who downloads porn and watches cat videos under the blanket of the very protection that I provide and then questions the manner in which I provide it.

                    I would rather that you just said "thank you" and went on your way. Otherwise, I suggest you pick up a keyboard and stand to post. Either way, I don't give a DAMN what you think you're entitled to!

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Perhaps developers should work offline

                      @ Lord Elpuss

                      "how coding works in modern systems", short answer is badly. IMHO the reasons for this disorder are a lack of: discipline, comprehension, experience, ability and meaningful communication, along with bad execution, all of which we could circumscribe but do not. IMHO underpinned by the mantra "coding without errors in the final product is impossible" and those people who profit by its acceptance.

                      "finding the holes", if the holes were never put in would you still need to find them?

                      "what you think you're entitled to!", It is funny, to me, how often claims against entitlement sit right beside demands for payment for the author's time i.e. only the author has any entitlement. Personally I think that if I have to pay for something then it should be of a reasonable quality and without defects. I would also suggest that where a design approach consistently fails to remove defects the approach is replaced with something that does. You say it is impossible and I say my experience says you are wrong. I can empathise with you being upset, if your work is in identifying security issues and someone is suggesting removing the need for that as a separate task then of course they are talking about you having to do something else. If enough people actually questioned the idea that computers are somehow the most complex thing in the universe and they are impossible to control fully, then perhaps the standards for "acceptable" coding would go up. Personally I would see this as a good thing but I can understand that, if you have a vested interest, you would want to keep things the way they are.

                      I am not knocking security in your sense, it is after all a dirty job, but then again the world would indeed be a better place if someone did not have to do it.

                    2. anonymous boring coward Silver badge

                      Re: Perhaps developers should work offline

                      "You're either unwilling or unable to grasp basic concepts of how coding works in modern systems"

                      ASCII? What about programming?

        4. Anonymous Coward
          Anonymous Coward

          Re: Perhaps developers should work offline

          "My code has never been exploited and has never needed any updates"

          When I was a refrigeration engineer, I wrote a program in Basic for an Apple IIe that allowed my wife to enter invoices and send the output to her pre-printed invoice forms in the printer - never needed updating. Worked up until she used up her invoice forms.

          Of course, since I've been doing this sort of thing for a living for decades now, I do a lot of updating. Maybe I should go back to Basic.

        5. Lord Elpuss Silver badge

          Re: Perhaps developers should work offline

          "My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind."

          Your arrogance will get you killed, son. Well, your code anyways.

          Generally speaking, code written from scratch by one individual will be less secure than commercial code written by a large software house. Large companies have the time and resources to dedicate to security, and the customer base to make fixing bugs worth their while -as opposed to simply moving on with the next victim customer.

          1. anonymous boring coward Silver badge

            Re: Perhaps developers should work offline

            Simplistic and naive reasoning.

            There is no guarantee whatsoever that large companies allocate resources correctly from a security standpoint. Are smart TV manufacturers small or large? How about IoT companies?

            1. Lord Elpuss Silver badge

              Re: Perhaps developers should work offline

              "There is no guarantee whatsoever..."

              There never is. Who suggested there was?

              From a statistical probability perspective, my reasoning stands. For any given product (Smart TV, IoT, Operating System, Car...) of any significant complexity, you're far more likely to be better off if that code is written by a company that has (a) the resources to do a good job of hardening it, and (b) the customer base to make them care. One person writing one-off code from scratch (and thinking they can do it better than every TLA or miscreant out there) - now that's simplistic and naïve.

              1. Tuomas Hosia

                Re: Perhaps developers should work offline

                "From a statistical probability perspective, my reasoning stands."

                False. It doesn't as a company is not only likely to offer BS, it's economically bound to offer BS as it's the cheapest they can get.

                "(b) the customer base to make them care"

                Semi-false: Customers are other companies buying the details of the users, i.e. cannon fodder. They care only about if users have too much privacy (or security) and the users themselves are totally irrelevant: They aren't customers but the product for sale.

                Case in hand: Windows 10.

                1. Lord Elpuss Silver badge

                  Re: Perhaps developers should work offline

                  "False. It doesn't as a company is not only likely to offer BS, it's economically bound to offer BS as it's the cheapest they can get."

                  Fuck me, the idiotards are out in force today. Go and study Economics 101; a product needs to be of some kind of quality in order to sell at all - if it's complete shit, nobody will buy it and the company that makes it will go out of business.

                  Profitability is always a balance between what the customer will pay, and what the company needs to spend in order to convince them to part with their wedge. It needs to be just good enough - and yes, that involves fucking security.

                  Your answer to (b) doesn't make any kind of sense in any universe.

                  E-, must try harder.

                  1. anonymous boring coward Silver badge

                    Re: Perhaps developers should work offline

                    " the idiotards are out in force today"

                    Classy! Perhaps youtube is more your kind of thing?

                    1. Lord Elpuss Silver badge

                      Re: Perhaps developers should work offline

                      "the idiotards are out in force today"

                      "Classy! Perhaps youtube is more your kind of thing?"

                      You’re right. My apologies. Spent the day dealing with ‘challenging’ users yesterday and allowed my frustrations to boil over into this discussion. Won’t happen again.

                      Cheers LE

                      1. anonymous boring coward Silver badge

                        Re: Perhaps developers should work offline

                        "You’re right. My apologies. "

                        It's a great thing to be able to apologise. I will work on that for my own part.

                        Upvote, and all the best!

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: Perhaps developers should work offline

                    Single programmer: assume they are disciplined, know before they start coding exactly how it will work, understand fully the client's requirements and have planned out how the project is to be broken down into modules so as to limit the duration of the high concentration levels required to do it right.

                    Given that they have already written a lot of the code in their tried and tested libraries they are just left with the new modules and structure which they also validate/test.

                    Team programmer: Assume lead is of same quality as single programmer above and has his own secure/validated libraries, then they will have all of the bug vectors that the single programmer suffers plus the additions that come with team programming.

                    Lead here knows what they are doing but must deal with management and still delegate to other coders typically of lesser ability/experience enough understanding such that it is quicker and more secure than just doing it themselves.

                    Where it comes to bugs, people are always the weakest link; add more people and less discipline/experience/knowledge and you are going in the wrong direction if you want secure code. Yes, you can get something out the door faster, but you are going to be rewriting the same solution forever. Yes, fine whilst the client believes the BS about "bugs are inherent" and keeps paying you to continue failing in your task, but for how much longer?

                    Computers are now so cheap, pretty much everyone has one, if the first world wants to stand out from the rest then it is going to need to offer something the client wants, something other than speed of release and cost. They can already get it cheaper and faster because the third world is online and gagging for the chance to replace you so all you are left with is excellence and to be frank it is far past time to do the job properly.

                    IMHO team development is only a good thing for people who prefer management to coding and to be frank an excellent programmer doesn't need managing at all. They can make alone what the client wants and can always employ other disciplines as the client requires. Get rid of the overhead and produce secure code and you can compete with the rest of the world, or stay as you are and be swept aside, your choice.

                    1. Kiwi
                      Windows

                      Re: Perhaps developers should work offline

                      IMHO team development is only a good thing for people who prefer management to coding and to be frank an excellent programmer doesn't need managing at all.

                      Are you pottything, or that idiot from GRSecurity? Same arrogance anyway.

                      How can one person keep up with the changing hardware, changing OS, changing tools, and changing software environment of a machine, and still write complex code?

                      Here's a tip you've missed - a lot of stuff written for DOS will not work on Win 10. Nor will a lot of stuff written for Windows XP. Or even 7. APIs have changed, some removed. The hardware has changed (not always an issue at the application level), the OS APIs are different, the look of the software (window decorations etc) has changed just in the last few years.

                      So.. Prove that one person can write an entire OS, application suite, and build the hardware - and ship it 100% bug free.

                      If your coding is like your grasp of English........

          2. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            "Large companies have the time and resources to dedicate to security,"

            Yes they have but they have no incentive at all to allocate resources for irrelevant stuff.

            "Security" costs money, i.e. less profits, and uses a huge amount of time, delaying publishing, i.e. less profits.

            Companies are in it for profits and your security isn't even on the list of items to consider.

            On the contrary: The less secure you are, the more the company can demolish your privacy to collect juicy tidbits about you to sell, i.e. more profits.

            Example in hand: Windows 10.

            One person who knows what he's doing is an inherently better option as he's doing what is good for you, not the thing that's good for his company. As a sole customer you are actually important, not the product the company sells forward.

            1. Lord Elpuss Silver badge

              Re: Perhaps developers should work offline

              "Companies are in it for profits and your security isn't even on the list of items to consider."

              Security is always a component of the profit equation. A product which is unsatisfactory in terms of security (in the consumer's eyes) will not sell as well as one which is satisfactorily secure, hence reduced profits, hence the company will care just enough about security to make sure the product sells. It's true that a company will not invest more money in security than is strictly necessary to continue to sell the product, but to claim security isn't even on the list of items to consider is patently absurd.

              "The less secure you are, the more company can demolish your privacy to collect juicy tidbits about you to sell"

              You're conflating security and privacy. Violating your privacy may be considered an acceptable tradeoff (usually in exchange for a 'free' product, see Android), vicariously violating your security means they'll lose all their customers and ultimately go out of business. What a mind-blowingly daft statement.

              1. Anonymous Coward
                Anonymous Coward

                Re: Perhaps developers should work offline

                @Lord Elpuss

                "Security is always a component of the profit equation", possibly true but the evidence suggests that security is of less consideration than money. Whilst code with bugs is okay to sell then doing otherwise is unnecessary. What is unnecessary is virtually always omitted by business but may still be included by the proud individual.

                "vicariously violating your security means they'll lose all their customers and ultimately go out of business. What a mind-blowingly daft statement."

                Really? Microsoft still seems to be going. You missed out the "big business" exception to your rule, namely that they are able to flout the laws/technical opinion etc simply because they have the money and have bound enough of the influential to them that they can make the rules and destroy any competitor who might offer a secure alternative.

          3. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            @Lord Elpuss

            "Large companies have the time and resources to dedicate to security" - name one that has released only secure code.

            Whilst it is true that more eyes make finding things easier, the actual reality is that large software houses release a lot of bug fixes, suggesting that whilst they could, they do not.

            1. Charles 9

              Re: Perhaps developers should work offline

              "Whilst it is true that more eyes make finding things easier, the actual reality is that large software houses release a lot of bug fixes, suggesting that whilst they could, they do not."

              IOW, is it a case of more eyes or too many cooks?

        6. d3vy

          Re: Perhaps developers should work offline

          @Anon.

          Are you that guy that I had an argument with last year who said that logging in applications was unnecessary and anyone who did it was stupid?

          You sound like the same guy... In that you are both very wrong.

          "Requirements change,features added = new product."

          HAHAHAHAHAHA, Yeah, OK.. I'll try selling that to the next client that asks for an extra check box on a web form.. NEW PRODUCT!

          "Bugs fixes = you released bad code and are an incompetent liability to your customers"

          I'd laugh again but I'm starting to worry that you might seriously believe what you have typed...

          My code has never been exploited and has never needed any updates

          Your code:

          10 PRINT "I AM AWESOME!"

          20 GOTO 10

          1. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            @d3vy "Are you that guy that I had an argument with last year who said that logging in applications was unnecessary and anyone who did it was stupid?" If you are referring to me then no, you were talking to someone else or possibly yourself.

            If I was to use the word "stupid" in a post then I would be saying "against your own best interests", as opposed to bombastic ignorance.

            "asks for an extra check box on a web form", this would strongly suggest that someone did not understand the client's requirements. My "new product" point was based upon the premise that either the product requirements have changed or been misunderstood; the "just add a checkbox" clearly suggests to me a failure in comprehension.

            If the client's requirements are misunderstood then it is likely that there are more confusion-induced errors elsewhere and a full review is needed, especially so if you are dealing with someone else's code. Simply adding another checkbox or similar each time the client complains that you "didn't get it" is not going to inspire confidence that you are writing what the client wants rather than some other solution. If you want an analogy then your way is like a taxi driver stopping at every house on the required street and asking "is this it?", when they gave you the full address before they got in the car. It is possible that this is exactly what the client wants but you should be making them aware of the implications of this kind of thinking rather than saying "yeah, I can sling an extra checkbox in"; after all you are supposed to be the expert, not the client, and once you alter the code then it becomes your responsibility even if you didn't write the original.

    2. allthecoolshortnamesweretaken

      Re: Perhaps developers should work offline

      Well, he has a point.

      This sort of thing never happened when I was using punchcards.

      1. Anonymous Coward
        Anonymous Coward

        Re: Perhaps developers should work offline

        I think he does have a point.

        My one liner print("Hello World") code is still unhackable. Not that it can do anything else.

        1. Lord Elpuss Silver badge

          Re: Perhaps developers should work offline

          &AC

          I’ve been at a conference where they held a ‘Hack the (Hello) World’ competition; to do exactly what you suggest. Used a buffer overrun and a memory injection attack via the graphics card - I still have the presentation somewhere. Needed physical proximity to the target device plus knowledge of the internals, but did end up printing rude words to the screen whilst reporting back to the program that it said ‘Hello World’.

          1. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            Contrived in the extreme; the "hello world" worked as expected, the environment it was running in was not that envisaged by the programmer.

            You could as easily say that the program as an 8086 binary failed because it did not run as expected on a 6809.

          2. Charles 9

            Re: Perhaps developers should work offline

            "I’ve been at a conference where they held a ‘Hack the (Hello) World’ competition; to do exactly what you suggest."

            So they managed to hack a computer that had no code in it but the equivalent of "PRINT 'HELLO, WORLD!'"? Changing the source code is one thing; hacking a fixed program with so little functionality is another.

        2. d3vy
          Joke

          Re: Perhaps developers should work offline

          My one liner print("Hello World") code is still unhackable. Not that it can do anything else.

          You missed a semi colon. :)

          1. Anonymous Coward
            Anonymous Coward

            Re: Perhaps developers should work offline

            @d3vy and "You missed a semi colon. :)", he said it was a "one liner"

    3. Anonymous Coward
      Anonymous Coward

      Re: Perhaps developers should work offline

      >> or alternatively release only a finished product that doesn't need Microsoft style updates all the time.

      Most realistic alternatives are actually worse. For instance Google released more patches for Android alone last month than Microsoft did for every single supported product. Mac OSX has over 1000 patched CVEs, the Linux kernel is approaching 2000 CVEs, etc, etc.

  8. Anonymous Coward
    Anonymous Coward

    It takes me well under an hour to do a wipe and fresh install. I do it every major macOS release. Fresh crepes bruv.

  9. Jamie Jones Silver badge

    Surely the bigger story is...

    No-one seems to be mentioning how they managed to reverse engineer the sha256 checksums that are held on entirely different servers, and are checked before any downloaded software is released?

    That's how it's done, right?

    1. Charles 9

      Re: Surely the bigger story is...

      They didn't. They infected the actual source tree BEFORE it was signed. IOW, this was an "Outside the Envelope" attack.

  10. Anonymous Coward
    Linux

    Malware and developer servers ...

    "Folx, today confessed the latest versions of those two apps came with .. OSX.Proton malware .. miscreants had got into the developer's servers, implanted the malware into the download files"

    How did the software nasty get onto the developer servers, and what was the name of the hardware and the software that the developer's servers ran on?

    1. Richard 12 Silver badge

      Re: Malware and developer servers ...

      Doesn't matter.

      It will have got in by infecting a development machine, quite possibly by infecting a framework/library they use.

      As it is not possible to cross-compile and Apple don't make a server class machine, Apple software is almost always compiled for release on a normal desktop or laptop Mac.

      Which is probably someone's daily work machine, and thus open to easy infection via drive-by or phishing.

      1. anonymous boring coward Silver badge

        Re: Malware and developer servers ...

        Even if compiled on some dedicated server, it won't matter as it's only a matter of committing the changes to the central source repository.

        1. patrickstar

          Re: Malware and developer servers ...

          You generally don't get an entire trojan into software by committing it to source control. That'd be ... pretty obvious.

          In the CCleaner case they fiddled with the actual toolchain used to build the final EXE. I'd assume either something similar has happened here, or they simply signed and uploaded a trojaned version of the executable.

  11. frank ly

    Words

    "This is a standard procedure for any system compromise with the affection of administrator account."

    It sounds more like animosity than affection.

  12. Anonymous Coward
    Anonymous Coward

    Was always going to happen.

    I'm so glad I've got a Mac, they're virus free doncha know.

    1. chivo243 Silver badge
      Holmes

      Re: Was always going to happen.

      "I'm so glad I've got a Mac, they're virus free doncha know."

      Yes, yes they are. Now let's talk about malware... that is what the news story is about? No?

      Wake me when there is a nearly bulletproof OS... For the time being, I will use the best OS for the job at hand...

      1. Anonymous Coward
        Anonymous Coward

        Re: Was always going to happen.

        There will always be malware, viruses, trojans, social engineering etc. My comment was made because the average user, Windows, Mac, Android, iOS, on the street doesn't know, doesn't care or even want to know what the difference is between Malware, Viruses, Trojans, Spyware, Adware; to them they're all 'viruses'.

        Perpetuating the myth that Macs are invulnerable (ask ten average Mac users and see how many of them tell you this, in fact go and stand next to a Mac salesperson and see how many people they tell that lie to) is a ridiculous course of action that can and will only lead to more Mac malware of all sorts.

        Yes, I take the piss but with good reason.

    2. To Mars in Man Bras!
      Facepalm

      Re: Was always going to happen.

      >I'm so glad I've got a Mac, they're virus free doncha know.

      Came here for this comment. Wasn't disappointed.

    3. Montreal Sean

      Re: Was always going to happen.

      I think you forgot the sarcasm tag.

  13. d3vy

    FAKE NEWS

    We all know apples can't get infected with malware or viruses.

    1. hplasm
      Happy

      Re: FAKE NEWS

      You're thinking that apples get worms, right?

    2. anonymous boring coward Silver badge

      Re: FAKE NEWS

      "We all know apples can't get infected with malware or viruses."

      I didn't know that.

      1. d3vy

        Re: FAKE NEWS

        "I didn't know that."

        Well you know now ;)

  14. PNGuinn
    Facepalm

    So the obvious solution here is...

    For ANY os or distribution:

    1. Don't get your software from 3rd party websites. (Eliminates one obvious vector of infection.)

    2. Stick to the developer's site or your distro's.

    3. Download the desire of your heart.

    4. Check it for nasties.

    5. Assume your "secure" download has been got at and is fscked.

    6. Wait for a decent while (this could be quite a long while in some cases).

    7. Wait for the cries of anguish, articles on the reg,reports on developer's or distro's fora etc.

    8. Only now recheck your download for nasties.

    9. Install and keep everything crossed.

    The paranoid will no doubt suggest further steps ....

    10. Go back to using an abacus.

    1. Anonymous Coward
      Anonymous Coward

      Re: So the obvious solution here is...

      I'm going to be contrary, PNGuinn, 'hope you don't mind!

      1. Everything in computerland is "3rd party", PNGuinn.

      2. Unless you are running a single purpose computer, where's the fun in that? Moreover, it sounds like vendor lock-in.

      3. Yeah, fine.

      4. Good idea.

      5. Only to some extent. You might double scan it. So far these vendor infections have been relatively rare. There's risk, sure, but again unless you are setting up a single purpose server, why be stopped from doing what you want to do? There's a statistical chance that if you go for a walk you will be hit by a car, but should that stop you from going for a walk?

      6. This might be a good idea to some extent, yes, why rush? On the other hand, going to the extreme of waiting eons goes back to point 2, no fun unless you are setting up a single purpose computer.

      7. There are cries of anguish on the Reg every day, no need to wait.

      8. Yup, regularly scan, good advice.

      9. Yes, reading the Reg makes one feel computing is like a crap shoot. But remember, the Reg collects all the horror & nasty stories. The day-to-day enjoyment of computing isn't reported.

      10. I can't go back to that as I never did. I think I will stick working with computers for now, despite and to spite it all, and because I love working with them.

      11. Computers used to develop software shouldn't be used for web surfing, and extra software installed, if any, should be kept to a minimum. 'And caution needs to be exercised. Furthermore, you need at least two computers, one to develop with and another, a sidekick if you will, for going online to look up stuff etc. etc.

      1. Charles 9

        Re: So the obvious solution here is...

        And if you can't afford two computers because, for example, you're a one-man shop?

  15. King Jack
    Thumb Up

    Sounds familiar

    Windows 10 is a remote-control trojan designed specifically for PC systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim's cloud account, even if two-factor authentication is used.

    And people still use it and defend it.

    1. amanfromMars 1 Silver badge

      Re: Sounds familiar

      Windows 10 is a remote-control trojan designed specifically for PC systems. It opens a backdoor granting root-level command-line access to commandeer the computer, and can steal passwords, encryption and VPN keys, and crypto-currencies from infected systems. It can gain access to a victim's cloud account, even if two-factor authentication is used. .... King Jack

      Hi, King Jack,

      Can you cite me a computer OS that isn't useable as a remote-control trojan? Isn't that their raison d'être and a vital goal for ... well, Future Shenanigans is no exaggeration, is it? .

      Some are just a bit trickier/stickier to access for provision of privileges than others, but none are fail-safe against penetration testers, and that provides ready made establishment platforms for Renegade Rogue and Private Pirate Controls to Command.

      It's an Advanced IntelAIgent Facility which Sublime Superior Programming Delivers for SMARTR Use with Zero Abuse.

      1. AmenFromMars

        Re: Sounds familiar

        "Hi, King Jack,

        Can you cite me a computer OS that isn't useable as a remote-control trojan? Isn't that their raison d'être and a vital goal for ... well, Future Shenanigans is no exaggeration, is it? .

        Some are just a bit trickier/stickier to access for provision of privileges than others, but none are fail-safe against penetration testers, and that provides ready made establishment platforms for Renegade Rogue and Private Pirate Controls to Command.

        It's an Advanced IntelAIgent Facility which Sublime Superior Programming Delivers for SMARTR Use with Zero Abuse."

        eh?

        1. Captain Badmouth
          Happy

          Re: Sounds familiar @ AmenFromMars

          "eh?"

          How strange, you're not new here...

      2. King Jack
        Facepalm

        Re: Sounds familiar

        You miss the point. The key word is TROJAN. A program that appears to be one thing but under the surface it is something else.

        Past Windows OSes were just that, something to launch programs and run the computer, nothing more. Windows 10 brings spying to the table. It reports back to mother everything you do, run or type. Just like malware. My 'quotation' was lifted directly from the article with 'Windows 10' inserted. It is malware just like this Mac nasty. It functions the same and reinstalling will not get rid of it.

  16. Charles 9

    What next? Surety bonds for programmers, drivers, and so on?

  17. amanfromMars 1 Silver badge

    CyberIntelAIgentWare Fare which is not VapourWare Fare

    eh? ... AmenfromMars

    SMARTR Virtual Machinery, AmenfromMars, has Core Source Code cracked and hacked Terra Phorming SCADASystems.

    In other words, there are new practically anonymous and virtually autonomous leaders in command and control of future augmented virtual reality programming for media presentation of projects/daily event horizons/zeroday applications ....... and they be fully in support of traditionally established structures which do battle against those extant remote global forces which were/are designed to enslave them to maintain the past rather than create novel futures.

    I trust that makes things clearer for you ..... although I can easily understand any abiding disbelief. However, fear not, for further escaping information will provide all the necessary intelligence to see the bigger picture show.

    You might like to consider the value in this thought, ........

    Artificial Intelligence…. Another Approach?

    Are we struggling to make machines more like humans when we should be making humans more like machines ….. Advanced IntelAIgent Machines.

    1. amanfromMars 1 Silver badge

      Re: CyberIntelAIgentWare Fare which is not VapourWare Fare when Heaven Sent

      And now all here on El Reg are appraised of ITs Readily Available Advanced IntelAIgent Facility, are there any who could make Greater Good Use of ITs NEUKearer HyperRadioProActive Programming Projects ....... for Augmented Virtual Reality Productions ........ Future Realistic Presentations for Human Migrants in the Thrall of Live Operational Virtual Environments.

      Or for Future Speech, will AI Pioneers have to Seek Out NEUKlearer Joint AIdVenturers with Sublime AIdvertising for Grand Universal Masters from the likes of here?

      When Anything is Possible when Reasonable and Polished, what would you have IT Do Next for You to Enjoy Too.

  18. Anonymous Coward
    Anonymous Coward

    Let me spell this out to you all.

    Macs do not get viruses. It's literally impossible because of the code Jobs wrote when he worked at Nasa when they dissected that Alien back in 1940. Just google 'virus' in the App store to see what I mean. Articles like this are #fakenews and just the sort of thing the so-called 'liberal' left try to spring upon us right-minded folk. Whereas every Windows machine has a gigabit pipe straight to the NSA built in. #projectfear. #ipaybuthavenosay. #factsintechnology. #youpickedafinetimetoleavemelucille.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let me spell this out to you all.

      And I suppose it does it by modulating the electricity in the Chinese-made power supply unit so that it flows down the power lines even if you have no Ethernet device plugged in?

  19. unwarranted triumphalism

    Nuke it from orbit

    How about throwing it away and replacing it with a real computer instead?

  20. glnz

    How to scan for those files or folders? Not an Apple person.

    Really dumb Q but need your help because I am not an Apple person.

    Author writes:

    "… just in case, do a scan for the following files:

    /tmp/Updater.app/

    /Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

    /Library/.rand/

    /Library/.rand/updateragent.app/

    If any of those exist, then you've got Proton on your computer. "

    So, how exactly does my wife scan for these on her iMac and MacBook Pro? She'll ask and I don't know.

    Thanks.

    1. diodesign (Written by Reg staff) Silver badge

      Re: How to scan for those files or folders? Not an Apple person.

      Open the Terminal app (in Applications->Other) to get a command prompt. Use the ls command to list info about the files, e.g. type:

      ls /tmp/Updater.app/

      Or rather type 'ls ' and then cut'n'paste the file name. Hit enter, and you should see:

      ls: /tmp/Updater.app/: No such file or directory

      Which means the directory doesn't exist so you're OK. Repeat this for the other files listed. You can quit Terminal when you're done.

      C.
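      The same check as a small POSIX shell script, added here as an example and not part of the original comment, the article, or Eltima's own tooling: it tests each of the four paths quoted from the article in one go and returns how many are present. The optional ROOT prefix argument is an assumption added so the function can also be run against a test directory tree.

```shell
#!/bin/sh
# Added example: look for the Proton indicator paths quoted from the article.
# Not part of the original comment. The optional ROOT argument is an assumption
# so the check can be pointed at a test tree instead of the real filesystem.

# The four paths from the article (none contain spaces, so a word list is safe).
PROTON_INDICATORS="/tmp/Updater.app \
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist \
/Library/.rand \
/Library/.rand/updateragent.app"

# check_proton_indicators [ROOT]
# Prints a verdict per path and returns the number of paths present
# (0 means none of the indicators exist under ROOT, i.e. the check is clean).
check_proton_indicators() {
    root="${1:-}"
    found=0
    for p in $PROTON_INDICATORS; do
        # -e is false for a dangling symlink, so also test -L.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            found=$((found + 1))
            printf 'FOUND:  %s\n' "$root$p"
            ls -ld "$root$p"          # same detail as the manual ls check
        else
            printf 'absent: %s\n' "$root$p"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No Proton indicators present."
    else
        echo "$found indicator(s) present - treat this machine as compromised."
    fi
    return "$found"
}

# When run directly with no argument this checks the real filesystem.
check_proton_indicators "$@"
```

      Save it as, say, proton-check.sh and run `sh proton-check.sh` in Terminal; a non-zero exit status means at least one of the paths exists.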

  21. d2

    BGates,malware post mS

    https://www.youtube.com/watch?v=n9aYrURLHh0

    A Meticulous Analysis of History

    1,416,176 views

    Swalka1991

    Pinky and the Brain sing about the benefits of history.

    Well, Brain sings about that. Pinky sings about how boring it is XD

    ahh, good ol' boy.Billy, right from TheBrain's songbook:

    http://www.hangthebankers.com/the-bill-melinda-gates-foundation-exposed/

    ExxonMobil, BP, Chevron, DynCorp, G4S, Walmart and McDonald’s are just a few of the companies that the mega ‘charity’ supports.

    With an endowment larger than all but four of the world’s largest hedge funds, the Bill & Melinda Gates Foundation is easily one of the most powerful ‘charities’ in the world. According to its website, the organization “works to help all people lead healthy, productive lives.”

    https://thedailycoin.org/2017/02/09/india-kicks-bill-melinda-gates-foundation-video/

    India Kicks Out Bill & Melinda Gates Foundation (Video)

    TDC Note- It sounds like India has wised up to the Gates Foundation and their eugenics program.

  22. Robert D Bank

    Z/OS

    Never, ever, heard of a hack of IBM Z/OS operating system, despite roots dating back to the 60's, or any of the associated firmware for that matter. And it's backward compatible virtually all the way. System z roots may be many decades old, but MS, OSX, Android etc have a looong way to catch up, in so many ways. Meanwhile Z/OS has advanced beyond the shadow of prejudice to support anything the other O/S's can provide. Maybe not perfect, but which of these others even come close?

    Possibly annoying for some on this thread, but true nevertheless.

    1. Throatwarbler Mangrove Silver badge
      Coat

      Re: Z/OS

      "Meanwhile Z/OS has advanced beyond the shadow of prejudice to support anything the other O/S's can provide."

      Can it run Crysis?

      1. Robert D Bank

        Re: Z/OS

        dunno, I don't play computer games, no interest when reality can be so much more entertaining. If Crysis runs on Linux it probably can though, given Linux runs quite happily on the mainframe. Either way, not bothered. When you grow up we could talk about it down the pub.

        1. Charles 9

          Re: Z/OS

          Some of these games ARE grown up. They play games like that for a living. Look up Major League Gaming and the term PROFESSIONAL gamer.

      2. Androgynous Cow Herd

        Re: Z/OS

        "Can it run Crysis?"

        Yes, but only in text mode.

    2. amanfromMars 1 Silver badge

      Re: Z/OS .... $64,000/$64Trillion Question

      Meanwhile Z/OS has advanced beyond the shadow of prejudice to support anything the other O/S's can provide. Maybe not perfect, but which of these others even come close? .... Robert D Bank

      But does it provide for other supporting Operating Systems? That would be practically perfect and allow for virtually absolute command and control of every script programming future events?

      Or is that to be developed for some of those new fangled entangled conventional computers acting as quantum simulators ....... http://www.theregister.co.uk/2017/10/24/google_we_dont_have_a_quantum_computer_yet_but_we_have_a_compiler/

      Nice one, IBM. Way to Go.

      1. amanfromMars 1 Silver badge

        Re: Z/OS .... $64,000/$64Trillion Question

        Do IBM do Remote SMARTR ProgramMING of Advanced IntelAIgent Machines? ....... https://forums.theregister.co.uk/forum/1/2017/10/24/us_doj_limits_gagging_policies_microsoft_drops_lawsuit/#c_3326471

        They Provide Command and Control Of Every Future Targeted and Captivated. :-)

        Live Operational Virtual Environments Reign and Rule Supreme is AI Leading Program NEUKlearer HyperRadioProActive and Flash Crash Testing Vulnerable Fields of SCADA.

      2. Robert D Bank

        Re: Z/OS .... $64,000/$64Trillion Question

        Mainframes support z/OS, z/VM, z/VSE, Linux, and z/TPF operating systems (and VOS3 in Japan).

        You can also run a Z/OS emulator called zDT on a Linux platform, or host multiple Z/OS's under the z/VM hypervisor.

  23. eltima software

    Eltima Software

    In close cooperation with ESET and Apple representatives, we have applied all necessary measures to prevent further malware spread.

    Now we officially inform that Elmedia, Folx, as well as our other products are absolutely safe to install and malware-free.
