Discourse on Oompa Loompa "malware" if you haven't been following this (long read) - Printable Version
MacResource (https://forums.macresource.com), Tips and Deals forum, thread /showthread.php?tid=4910
Discourse on Oompa Loompa "malware" if you haven't been following this (long read) - GeneL - 02-17-2006

I have found that this author's explanations are usually strongly critical of Apple's software engineers and it seems, to my "inexperienced in these matters" brain, that he has the expertise to justify his positions. Since I don't have the knowledge to intelligently judge what he proposes, I'd like to hear what some of the more knowledgeable forum members have to say about this. Simply responding angrily to what may appear to be criticism of our "beloved" OS will be taken by me as an uninformed knee jerk reaction. This is serious "stuff" and I think it deserves to be considered seriously. That's just my opinion, I could be wrong.

======================================================
X N E W S   F R O M   R I X S T E P
17 February 2006
'Oompa Loompa'
======================================================

----------------------------------------
IN THIS ISSUE
----------------------------------------

FOREWORD
[0000] The Unlit Keyboard

OOMPA LOOMPA
[0100] Intro
[0101] Apple & Unix
[0102] Microsoft & VMS
[0103] NT & Windows
[0104] NeXTSTEP & MacOS
[0105] OS X & Oompa Loompa
[0106] Oompa Loompa & Unix
[0107] The Fate of Apple

HOMEWORK
[FFFF] Oompa Loompa Links

----------------------------------------
FOREWORD
----------------------------------------

[0000] The Unlit Keyboard

Computer science security history is littered with people who have a piss poor attitude towards it. At the end of every day it's those who demonstrate nonchalance who bring everything crashing down on the rest of us.

The OS X Oompa Loompa worm has caused little damage and hit only a handful of computers but it's a good demonstration of the possibilities. And it's the first ever worm for OS X.

Have a good interim.
----------------------------------------
OOMPA LOOMPA
----------------------------------------

[0100] Intro

There are so many instructive things with the OS X Oompa Loompa worm it's not funny.

First off, we have a worm that doesn't want root access. Specifically it does not. That's got to be a first. Second, it's able to operate anyhow. Third, it shows incredible ingenuity in finding a way to trojanise a system and spread like a virus.

Fourth - and this is most important: it wouldn't have a chance of spreading if Apple hadn't screwed up the Unix they were given on a silver platter. NeXTSTEP wouldn't be vulnerable; Debian wouldn't be vulnerable; neither would Fedora, Red Hat, SuSE, Mandrake, Gentoo, Linspire, OpenBSD, FreeBSD, NetBSD, AIX, Slackware, or Solaris. Not a one.

What do Apple say? 'Don't open attachments.' Sounds a bit like Microsoft anno 2000 doesn't it?

Jay Beale, head of Bastille-Linux, says Apple simply don't get it when it comes to security. They haven't audited their code. They respond well to bug reports but at the end of the day neither understand Unix nor like it - and they seem to count on Unix nevertheless saving the day - despite the fact they're openly ruining it.

No one's ever tried ruining Unix before - much less dared. If it had to happen, it almost had to be Apple doing it.

We have too long trusted in Apple when we knew better. We trusted in them because they inherited the brilliant NeXTSTEP. We felt secure in the knowledge Apple would have over three hundred NeXT engineers under the roof in Cupertino. We forgot to use logic. We forgot to remember there were thousands of Apple engineers already there. We hoped NeXTSTEP (and Unix) would emerge.

We knew precious little about Apple then and today we know too much.

----------------------------------------
[0101] Apple & Unix

Apple and Unix have always been at odds. When Bell Labs were proliferating the C programming language, Apple were still using the pedagogical tool of Niklaus Wirth.
Brian Kernighan had come out and explained in all too gory detail why Pascal was a terrible choice for programming language, but that changed nothing in Cupertino.

Peeking into the traditional Apple API is bound to give any engineer vertigo, and a lot of this is attributable to Pascal and the rest is attributable to engineers who wanted to use Pascal. Pointers and explicit typecasts and who knows what - it was a real mess.

Copland must have been abortive from the beginning. Common sense says you can't work from a standalone 'hardware interface' and hope to create a real operating system.

----------------------------------------
[0102] Microsoft & VMS

Bill Gates always had Unix and a lot of internal work has traditionally been done on that platform at Microsoft. Yet when it came time to choose a robust 32-bit OS, Gates didn't take what he already had in house - he contracted externally.

Dave Cutler is the legendary creator of VMS, considered one of the most bulletproof operating systems ever in the world - yet when DEC delivered VMS systems, they left them wide open.

Basically, VMS systems - like NT systems - have a 'SYSTEM' account, a rough equivalent of the Unix 'root' account with the subtle difference that 'SYSTEM' is rarely used. But what's important is that it is there.

DEC delivered their VMS with the SYSTEM account enabled and set to the password 'SYSTEM'. By default. Every copy delivered.

It didn't take long for the 'WANKers' in Oz to figure out how to have fun and this is what came up on thousands of NASA screens as another shuttle launch approached.
    W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
    Your System Has Been Officically WANKed
    You talk of times of peace for all, and then prepare for war.

VMS itself might have been secure, but what did it matter? The good guys left the door unlocked.

----------------------------------------
[0103] NT & Windows

As we all know today, NT started as a DEC project called Prism/Emerald. Cutler's source tree to NT was 'C:\Prism'. His project might have been excellent from his own security standpoint, but he had to bring it crosstown to Redmond in the end.

Microsoft had a legacy of code that was supposed to run on Windows. They too had started with a standalone system and were now trying to create a real OS out of it. It just doesn't work.

Microsoft contracted Dave Cutler and his 'Tribe'. Cutler had to back pedal so as to not alienate all the Windows programs out there. And in so doing probably said goodbye to good security forever.

NT and its successors have passed several 'security tests', but in each case - if you bother to read the fine print - all remote access to the computer was ignored. As the testing body wrote, 'we must presume interlopers cannot access the machine'. How good such a test is in today's world I'll let you judge.

Cutler has his NTFS file system; it's not the world's easiest to harden and navigate through; but most Windows boxes still use FAT32 which has no security whatsoever. Tonnes of Windows applications are dependent on administrative privileges which is plain nuts. And so forth.
What could have been secure was not allowed to become secure because of existing software titles that just had to run. In other words because of money.

----------------------------------------
[0104] NeXTSTEP & MacOS

NeXTSTEP suffered a similar fate. Actually it's not so much NeXTSTEP as it is FreeBSD. FreeBSD is the free Berkeley distro under NeXTSTEP and OS X. Of it Linus Torvalds once said that had it been around when he needed it, he would never have started his own OS project. Whatever: it's vanilla POSIX compliant Unix.

Apple have made a branch of FreeBSD they call Darwin. There have been compromises in the past - notably in terms of favouring user-friendliness over security - but otherwise they've mostly been relegated to the file system HFS.

Over the years we've written a huge number of articles on what is wrong with this file system. Basically it can be summed up in a few issues.

- No support for hard links. HFS tries to implement hard links but does a bum job of it. Users cannot edit their multi-linked files as other Unix users can. Adding insult to injury, most legacy Apple users don't know to this day what a hard link is and why it's good.

- As a corollary of the above, the NeXTSTEP document controller used in OS X has been rewired and is totally confused. On the 'recent' menu it works correctly, but when saving files it falls to bits. Conflicting ideas brought about by the totally impossible marriage of NeXTSTEP (FreeBSD) and MacOS are at the root of it.

- Resource forks. Not only are they unheard of in the world of Unix, but they also present serious security issues. Bad code can camouflage itself as benign document files. This goes above and beyond what is capable on Windows. The ability with HFS to ascribe a 'custom icon' to any file gives the interlopers the opening they need.

- Added to the above is the fact that cross-platform interoperability with other platforms approaches nil.
And today with the reversion in 'Tiger' to corrupting the actual FreeBSD open source code to accommodate these resource fork critters, Apple are at an all-time low. Classic Unix programs like cp and mv are rewritten to see and deal with resource forks. This code is no longer of use to open source.

- Even Apple's supposed alternative file system UFS ('Unix file system') is not a true POSIX compliant file system: it rewires resource forks as separate files the system will interpret as such. Files get funky prefixes like '._' and Apple's UFS recognises them as resource forks. UFS isn't a POSIX compliant file system either.

----------------------------------------
[0105] OS X & Oompa Loompa

The Oompa Loompa worm would not be possible without Apple's HFS. It uses HFS to lure the user into opening it: the initial package uses a resource fork to hide an innocent icon and HFS to mark the file as having its own customised icon.

When it is opened, Oompa Loompa again uses HFS to create a clone of itself. When it sets about finding applications to infect, it transfers their entire executables to its own resource fork and overwrites the original executables with its own payload. When the applications are started up, the additional logic is in place; control is ultimately turned over to the code stored in the worm's resource fork.

None of this would be possible without HFS.

Ordinary users cannot see resource forks and their default file manager Finder won't even tell them when and where they have resource forks. Apple have a number of recommendations online on how you detect foul play, but they're weak at the very best. All clues a user with Finder can get are 'indirect' - you have to read a lot between the lines and you never get to see anything with the naked eye.

OS X applications are hives, and again Apple, in their zeal to be user-friendly, are doing their very best to hide this from users.
Control-clicking an application in Finder gets you inside the hive but it's very tough going. (That's the idea.)

Oompa Loompa also makes extensive use of the /tmp directory. As on many Unix platforms, /tmp today is a symbolic link to /private/tmp. But both /tmp and the target /private/tmp are deliberately hidden from view in the Finder. Ordinary users can't get at them, and many don't even know they exist - they never see them.

In the file '.hidden' in the root directory both 'private' and 'tmp' - along with a goodly number of very well known Unix directories and files - are listed; when they are listed in this file, Finder will categorically refuse to admit they exist. All told there are approximately 15,000 directories and 80,000 files hidden from ordinary OS X users by their file manager.

We basically have a clever worm navigating to areas of the hard drive Apple have done their best to prevent users from accessing - how are these users in such case supposed to defend themselves?

----------------------------------------
[0106] Oompa Loompa & Unix

Is it possible to create an 'Oompa Loompa' for vanilla POSIX compliant Unix? Not in the fashion this gem has been created, no. It is theoretically possible another bad piece of code will emerge that finds a way to proliferate on these boxes, but it is not the time nor the place to speculate about that here and now.

What we can ascertain is that up until recently both OS X and all other Unix platforms were totally 100% 'virus-free' and that now it's only all the other Unix platforms which still are.

There was no reason for this to happen. There are explanations, but there are no excuses. And all the blame has to fall on Apple.
The fear is Apple will prove to find it just as hard to 'get it' as Microsoft once did and that the commercialisation of NeXTSTEP, setting aside security concerns in the name of an inane level of supposed 'user-friendliness' - just as with Windows - will inevitably result in the same type of catastrophe.

It's no fun to use a platform the vendor's left wide open. That's why we left Windows. And there were things about Windows which were cool. Likewise with OS X: the development environment is in a class of its own, but there are more important things down the line.

If Apple cannot grab the rudder and make some long overdue changes, we and a lot of others will be 'out of here'.

----------------------------------------
[0107] The Fate of Apple

Had Apple stuck to the NeXTSTEP they bought for $429 million, everything would be fine. They would still be using the totally cross-platform FreeBSD which has much in common with every other Unix distro and they would benefit from all the others' research into security and other issues.

But Apple have closed themselves out from the Unix open source community. Their Darwin code, their own branch of FreeBSD, is not compatible with FreeBSD or any other Unix platform. They can neither contribute nor benefit from contributions readily available to everyone else.

Open source is strong because so many people are working on it simultaneously. When one bug is found in one program on one platform, the discovery (and the fix) can be of benefit to all.

Apple still make any number of true open source projects available: Apache isn't rewritten by Apple, as one example. Any number of 'standard' Unix programs are to this day maintained by independent groups and their code is available to all.

But at the bottom of all this a good file system must reside, and although Unix has several absolutely 'ace' file systems (Reiser naturally comes to mind) Apple do not use a one of them. They're still locked into legacy 'beige box' compatibility.
Just as Microsoft are condemned to ruin their chances with NT.

Perhaps it's the commercial angle which does them all in. Open source aficionados would say 'it's not just perhaps' and they're probably right. All open source are trying to do is get good platforms out there; getting the software needed for the platforms is another matter entirely. While commercial organisations like Apple and Microsoft are always thinking of keeping revenues alive - revenues dependent on their 'killer apps' still working.

And if that's the way it has to be, it's fairly easy to see that the days of the commercial operating system vendor are numbered.

----------------------------------------
HOMEWORK
----------------------------------------

[FFFF] Oompa Loompa Links

The Chocolate Tunnel
Oompa Loompa hits OS X.

Peeking Inside the Chocolate Tunnel
Oompa Loompa hits Apple.

Oomp-A: Hardening the Arteries Against the Chocolate
OK: so Apple haven't yet put their file system in the trash bin of oblivion where it belongs - what can you do?

Xfile
28 February 2003 marked the unveiling of the first 'alpha' release of Xfile, a 'Finder Killer' from Rixstep. It was previewed to select subscribers and on 2 March 2003 was made available to the public.

Doomed to the Margins
Bill Gates wasn't always the bastard towards Steve Jobs. He once offered the Apple founder some good advice. Become a software company, said Gates. License your operating system to hardware OEMs. Stop playing the proprietary Piper.

Nick
Nick was taken care of at a very early age by his uncle Steve and aunt Eunice. Uncle Steve worked at Mac and Lisa's boarding house, and aunt Eunice worked in a laboratory far away, but Eunice came back home to help support Nick, and she and uncle Steve combined forces to take care of him.

.DS_Store
What's the matter with .DS_Store? The idea is good enough; the implementation is not.

.DS_Insecure
Why belabour an old security advisory? Because it has been Apple's policy to not mention these insidious critters to anyone - even when the online threat was serious.

No Dots
Much more than a thousand words.

Monster
Mac users are roaring in rage because of a nasty installment glitch that erases data on external hard drives.

The Love Bug - A Retrospect
This week marks the fourth anniversary of the Love Bug aka the ILOVEYOU worm, a watershed in the online connected experience.

Apple Security Update
Apple have plugged the 'protocol hole' after a fortnight - deftly done.

The Sudo Hole
It's real but...

Windows Friendly Attachments
Nothing like bashing Microsoft when you're stuck with your thumb in the pie.

Zaptastic
You've come a long way baby.

The Fun's Begun
The world's first worm for 'Tiger' in the wild?

The OS X Achilles Heel
Why are Apple servers so slow? It's not the hardware.

Sweet Sixteen
It's somebody's birthday today.

Phishing Tales Can Come True
It can happen to you.

Really Super Get File Info
People are worried what's on their disks? Why?

Bundles
A look at OS X application architecture.

Hidden Files
Ignorance might be bliss, but knowledge is fun.

HFS+
Taking a walk in the orchard.

3662262
Back to HFS.

Zeroes Are Nice
Inside .DS_Store.

Yours Mine & Ours
Personal computing isn't personal anymore, and the personal computer isn't personal either.

Fork-U-2
A site visitor sends a URL, a quote, and a question.

Gonna Switch?
Reasons why you should - and perhaps should not - migrate to Apple.

volfs
Putting the horse before the cart: too radical an approach?

Yours Mine & Ours II
When your perimeter breaks and all you've got to defend you is Finder, you've really got no defence at all.

iPod Therefore iPay
Something is really missing here.

Is It Unix?
What will MDM say?

Mac Worm X
'Hi! I found this great Dashboard widget! Try it out!'

Spotlight on Spotlight
A brief look at Apple's new search technology.

Disable Tiger Features
It's great stuff! OK, now let's turn it off.

A Third Chance
Don't blow it again.
A Weird Bug
As so often before, when a 'quirk' rears its head in the futuristic world of Apple's reincarnation of NeXTSTEP, old MacOS and the Maccies lurk around the corner.

File Management Macintosh Style
Sometimes it's easier to just cross the street.

Why Pascal is Not My Favorite Programming Language
Reproduced in its entirety.

4350557
When unacceptable behaviour is accepted.

OS X Server
'Thank you for buying what is supposed to be small enterprise level software - now, there are some areas of the system you really shouldn't have access to.'

Business & Freak
What did they see?

You cannot save this document
The day Linux gives the Mac diagnostic that you can't open a file because you don't have the application is the day Linux becomes non-Unix.

----------------------------------------

This is almost certainly the year of the OS X exploit. The OS X platform may be based on a Unix platform, but Apple seems to be making mistakes that Unix made - and corrected - long ago.
- Jay Beale, Bastille-Linux

======================================================
Copyright © Radsoft. All rights reserved.
Copyright © Rixstep. All rights reserved.
======================================================
X N E W S - W I L L - R E T U R N
======================================================

Re: Discource on Oompa Loompa "malware" if you haven't been following this (long read) - bangman - 02-17-2006

I think you mean discourse.

Re: Discourse on Oompa Loompa "malware" if you haven't been following this (long read) - GeneL - 02-17-2006

Thanks bangman. Immediately corrected. I tke prde im me spolling

Re: Discourse on Oompa Loompa "malware" if you haven't been following this (long read) - Sam3 - 02-19-2006

After reading the post, they make a very logical presentation based on my limited programming experience and knowledge of computer workings. I would like to hear a rebuttal from an Apple insider, at the same technical level, as to where the article goes wrong. Reading some of the other articles linked, they sure do take apart Mac OS X.

If I understand correctly with each new OS update, and Tiger being the worst, Mac OS X is straying from the safe Unix roots and will become a malware and virus infested OS just like Microsoft. All to keep pace with the Mac Classic UI and the 'user experience.'

If what they say is true, then I would hope that 10.5 should abandon resource forks and other Mac Classic OS workings to return to a truer Unix underpinning, as well as dump HFS. Why not! Since Classic OS won't even run on an IntelMac, let's jettison all the legacy stuff.

The last thing Apple needs is all the Windows fanboys saying "I told you so, Macs get viruses too."

Re: Discourse on Oompa Loompa "malware" if you haven't been following this (long read) - GeneL - 02-19-2006

Sam3, thanks for your comments. I was glad to get at least one well considered response. I felt as you do after reading the information that I posted here and like you, I don't have sufficient knowledge to judge the quality of the author's premise. If he is correct, then it is important to heed the warnings.

Here's another interesting discussion about this topic. The discussion includes some seemingly knowledgeable members who mostly seem to pooh-pooh the danger by saying that this piece of malware is poorly written. My take is, that while this threat may not be a very big problem, it doesn't take much imagination to envision a more sophisticated "rat" producing a more serious piece of malware that takes advantage of the supposed security flaws in the Tiger OS. I feel we have to do what we can to stay on top of this.

As I always say "That's just my opinion, I could be wrong."
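Added example, not code from Rixstep or from anyone in this thread: a Python heuristic for the infection trait section [0105] of the quoted newsletter describes, an application executable whose resource fork holds the displaced original binary. It assumes the standard <App>.app/Contents/MacOS/<executable> bundle layout and reads forks through the HFS+ path <file>/..namedfork/rsrc; the fork reader is injectable, so the verdict logic can be exercised on a non-HFS+ layout.

```python
# Heuristic scan for Mach-O application executables that carry a resource
# fork, and in particular a fork that itself starts with a Mach-O header.
import os

# Mach-O magic numbers in both byte orders, plus the fat (universal) header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit (PowerPC / x86 in 2006)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe",                       # fat binary
}

CLEAN = "clean"
SUSPICIOUS = "suspicious: executable carries a resource fork"
LIKELY_INFECTED = "likely infected: Mach-O image stored in resource fork"


def is_macho(head: bytes) -> bool:
    """True when the first four bytes are a Mach-O or fat-binary magic."""
    return head[:4] in MACHO_MAGICS


def classify(exe_head: bytes, fork_size: int, fork_head: bytes) -> str:
    """Verdict for one executable from its own header and its resource fork.

    A Mach-O header at the start of the fork matches the pattern the
    newsletter describes (original moved into the fork, payload written over
    the data fork). Any fork on a Mach-O executable merits a look, but
    Carbon-era apps may legitimately keep resources there, so that case is
    only "suspicious". Non-Mach-O files (shell scripts etc.) are not judged."""
    if not is_macho(exe_head) or fork_size <= 0:
        return CLEAN
    return LIKELY_INFECTED if is_macho(fork_head) else SUSPICIOUS


def _read_head(path: str, n: int = 4) -> bytes:
    try:
        with open(path, "rb") as f:
            return f.read(n)
    except OSError:
        return b""


def hfs_fork_reader(path: str):
    """Default reader: (size, first bytes) of the HFS+ named resource fork."""
    fork = os.path.join(path, "..namedfork", "rsrc")
    try:
        size = os.path.getsize(fork)
    except OSError:
        return 0, b""
    return size, (_read_head(fork) if size else b"")


def scan_apps(root: str, fork_reader=hfs_fork_reader):
    """Walk bundles under root; return [(path, verdict)] for every Mach-O
    executable in a Contents/MacOS directory that is not clean."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not dirpath.endswith(os.path.join("Contents", "MacOS")):
            continue
        for name in files:
            exe = os.path.join(dirpath, name)
            size, head = fork_reader(exe)
            verdict = classify(_read_head(exe), size, head)
            if verdict != CLEAN:
                findings.append((exe, verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in scan_apps("/Applications"):
        print(f"{verdict}: {path}")
```

A hit only says the executable deserves inspection with a fork-aware tool; confirming an infection means comparing the data fork against a known-good copy of the application.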