Battery-powered back door
March 9, 2010 9:16 PM

The driver software for the Energizer DUO USB battery charger contains a back door. It permits a remote user full access to your Windows system.

According to US-CERT,
An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.
posted by Chocolate Pickle (124 comments total) 6 users marked this as a favorite
 
Well that's unfortunate.
posted by Severian at 9:26 PM on March 9, 2010


Why does a USB battery charger require a driver anyway besides as a backdoor vector? Surely it can just charge the batteries and switch from a red LED to a green one when it's done like every other battery charger on the planet?
posted by zachlipton at 9:35 PM on March 9, 2010 [4 favorites]


Can we just post items that don't open a back door to your Windows system? 'Cause that would be easier. And perhaps less remote.
posted by shoesfullofdust at 9:36 PM on March 9, 2010 [3 favorites]


I knew that goddamn bunny couldn't be trusted.
posted by Ratio at 9:38 PM on March 9, 2010 [6 favorites]


Shocking news, really.
posted by Blazecock Pileon at 9:39 PM on March 9, 2010 [1 favorite]


Nothing outlasts the Energizer Bunny Back Door. It keeps pwning, and pwning, and pwning.
posted by stringbean at 9:41 PM on March 9, 2010 [8 favorites]


So, as a mac user, I have to ask: Is this sort of thing common?
posted by esome at 9:43 PM on March 9, 2010 [3 favorites]


The file details list the DLL language as Chinese - I'm assuming that means the Chinese character set was used by the programmer? Was the programming job outsourced? Did the contractors know about the back door or were they themselves hacked?
posted by fleetmouse at 9:43 PM on March 9, 2010


My cat doesn't open a back door to my Windows system... he is staring at me right now, though... I feel funny... I think I'll leave my computer logged in and go upstairs.
posted by Huck500 at 9:44 PM on March 9, 2010 [2 favorites]


If you were concerned with security would you be using a computer in the first place?
posted by humannaire at 9:48 PM on March 9, 2010 [2 favorites]


To answer some of the questions, from Energizer's press release:

The product included a feature that would allow the user to view the battery charging status on a computer if associated software was installed. The Duo Charger product documentation referenced www.energizer.com/usbcharger to download the software. The site offered downloadable software in both Windows and Apple(R) versions; however only the Windows version contained the vulnerability.

Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer. This will eliminate the vulnerability. In addition CERT and Energizer recommend that users remove a file that may remain after the software has been removed. The file name is Arucer.dll, which can be found in the Windows system32 directory.

posted by nanojath at 9:49 PM on March 9, 2010
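The press release's remediation step (uninstall, then remove any leftover Arucer.dll from system32) as a PowerShell triage script; this is an added example, not code from Energizer or US-CERT. It assumes an elevated Windows PowerShell 3.0 or later session and, for the listening-socket check, a Windows 8 / Server 2012 or later host where Get-NetTCPConnection exists.

```powershell
<#
  Added example (not from Energizer or US-CERT): triage for the Arucer.dll
  the press release says may be left behind after the charger software is
  uninstalled. Assumptions: elevated Windows PowerShell 3.0+; Get-NetTCPConnection
  needs Windows 8 / Server 2012 or later (on older hosts use 'netstat -ano').
  Without -Remove the script only reports; with -Remove it stops the hosting
  process(es) and deletes the file. Run the vendor uninstaller first.
#>
[CmdletBinding()]
param(
    [switch]$Remove
)

$dllName = 'Arucer.dll'
$dllPath = Join-Path $env:SystemRoot "System32\$dllName"

if (-not (Test-Path -LiteralPath $dllPath)) {
    Write-Output "Not found: $dllPath (nothing to remove)"
    return
}

# Record the file's metadata before touching it, for the incident notes.
Get-Item -LiteralPath $dllPath |
    Select-Object FullName, Length, CreationTime, LastWriteTime

# The back door runs inside whatever process loaded the DLL (with that user's
# privileges, per US-CERT), so find every process that currently has it mapped.
$hosts = foreach ($p in Get-Process) {
    try {
        if ($p.Modules | Where-Object { $_.ModuleName -ieq $dllName }) { $p }
    } catch {
        # Access denied on protected/system processes is expected; skip them.
    }
}

if ($hosts) {
    foreach ($p in $hosts) {
        Write-Output ("{0} is loaded in PID {1} ({2})" -f $dllName, $p.Id, $p.ProcessName)
        # A listening TCP socket owned by the hosting process is the remote entry
        # point; record it for the firewall and IDS review.
        Get-NetTCPConnection -State Listen -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, OwningProcess
    }
} else {
    Write-Output "$dllName is on disk but not loaded in any process."
}

if ($Remove) {
    # A mapped DLL cannot be deleted, so stop the hosting process(es) first.
    $hosts | ForEach-Object { Stop-Process -Id $_.Id -Force }
    Remove-Item -LiteralPath $dllPath -Force
    Write-Output "Removed $dllPath"
}
```

Run it without -Remove first to record what is on disk and which process has the DLL loaded, then repeat with -Remove once the uninstaller has been run.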


So, as a mac user, I have to ask: Is this sort of thing common?

Uh, no.
posted by delmoi at 9:59 PM on March 9, 2010


So, as a mac user, I have to ask: Is this sort of thing common?

Uh, no.
... that we know of. Although, I'm sure all the malware companies are testing installs on a bunch of crummy products like this and looking for anything that touches the network stack.
posted by BrotherCaine at 10:07 PM on March 9, 2010 [1 favorite]


*malware scanning companies*
posted by BrotherCaine at 10:07 PM on March 9, 2010



This seems like yet another windows vulnerability, and so, you know, HAHA MICRO$OFT SUXXORS! shit would be hilarious.

But the point remains that this is exactly what happens when users trust software and then install it without questioning how it works. (or being able to question it, as this was closed source software)

But there was a version for Mac, and the fact that a similar vulnerability didn't exist for that platform has not a jot to do with its inherent superiority - indeed, a user is just as free to root OSX by installing malicious software as they are in windows. That it didn't get written for the Mac isn't important - it just as easily could have rooted all 17 of them.
posted by Pogo_Fuzzybutt at 10:08 PM on March 9, 2010 [9 favorites]


So, as a mac user, I have to ask: Is this sort of thing common?
Uh, no.

So as a windoze user, I have to ask. Can you actually feel good about paying 50% more for the same performance?
posted by white_devil at 10:14 PM on March 9, 2010 [5 favorites]


Does this mean I should check my mouse pad driver?
posted by qvantamon at 10:15 PM on March 9, 2010 [3 favorites]


This is a major snafu. Ouch. It reminds me of when our IT department sent an enterprise wide spam mail about some blah blah thing they were doing and it somehow had a virus payload.
posted by caddis at 10:24 PM on March 9, 2010


So, as a mac user, I have to ask: Is this sort of thing common?

I have no desire to spur another OS debate here, as others apparently are (please, let's not go down this fucking road again, especially not over a post about a battery charger). I say this only in the interests of education: as another Mac user, I have to warn you: It's only a matter of time. OS X is by many reckonings less secure than Windows 7, insulated mostly by its still small market share. Some key security features, like stack randomization, Apple has yet to fully implement.
posted by middleclasstool at 10:24 PM on March 9, 2010 [6 favorites]


So, as a mac user, I have to ask: Is this sort of thing common?

It's something you'd have to own a TV to understand.
posted by knave at 10:27 PM on March 9, 2010 [1 favorite]


So, as a mac user, I have to ask: Is this sort of thing common?

You know, if I were still in college I would probably be motivated to launch a MAC specific virus which deleted all mp3 files just to spite such arrogance and ignorance. As I remember, in virus challenges the MAC always loses. In the real world the big kahuna is the target and no one cares about the insignificant number of mac users.
posted by caddis at 10:29 PM on March 9, 2010 [3 favorites]


The obvious message here is that rechargeables are dangerous and we need more items, particularly those made with poisonous heavy metals, to be single use and disposable.
posted by Abiezer at 10:37 PM on March 9, 2010 [3 favorites]


Can you actually feel good about paying 50% more for the same performance?

Once I factor in the savings from not having downtime for clean-up and reinstallation work, it feels pretty good.

On the other hand, I'll be helping my mom back up her files and reinstall Windows later this week, because the operating system is filled with so much spyware and malware gunk that she can no longer use her less-expensive computer at all.

So I'll be paying more for Windows, in the end, in terms of the value of my time and what I'll be putting into making and shipping her repair discs and walking her through fixing her cheap computer.
posted by Blazecock Pileon at 10:37 PM on March 9, 2010 [1 favorite]


On the other hand, I'll be helping my mom back up her files and reinstall Windows later this week, because the operating system is filled with so much spyware and malware gunk that she can no longer use her less-expensive computer at all.

So I'll be paying more for Windows, in the end, in terms of the value of my time and what I'll be putting into making and shipping her repair discs and walking her through fixing her cheap computer.


Well, you can gripe here about it, or you can fix the problem by either using a modern version of Windows that doesn't run users as root, or set up the computer so your mom doesn't run as root in XP. This would have taken you about an hour to set up when your mom got her computer in the first place. Either way, this isn't rocket science.
posted by me & my monkey at 10:43 PM on March 9, 2010


Oh, don't get me wrong. I love my mom and have no problem helping her out. I just don't have any illusions about how "cheaper" Windows is to use. For her, my time is free.
posted by Blazecock Pileon at 10:45 PM on March 9, 2010 [2 favorites]


nanojath's reposting of the press release is pretty informative; it looks like Energizer's response to this has been exactly what it should be, so kudos to them for that.
posted by Pope Guilty at 10:50 PM on March 9, 2010 [2 favorites]


I'm in BP's camp, to the point where I could have written his comment in nearly the same words (and have, elsewhere). But I'm under no illusions about OSX's invulnerability; the fact is that when you install software on OSX, including driver software, it's in a position to prompt you for your admin password if it wants escalated privileges, at which point it is free to do anything it likes, including installing back doors and trojans. Very few people will cavil at typing their password into this box if they've gone this far.

What protects OSX from malware is as much to do with market share as a more secure design; why build a trojan for any platform except the one that over 90% of users have; especially when that 90% encompasses just about 100% of the least selective, least sophisticated users almost by definition, since it specifically excludes anyone who'd make a reasoned choice against using the dominant OS? These are the people who will run your malware, and probably never know it. By building malware for Windows, you not only net the most fish, you net the tastiest fish.
posted by George_Spiggott at 10:57 PM on March 9, 2010 [4 favorites]


We bought Mac Pros at the office to run Win 7 64 on because they were cheaper than the equivalent Dell. By a lot. And before you ask, because of Autocad, Rhino and Solidworks, which don't work on OS X.
posted by Mei's lost sandal at 11:00 PM on March 9, 2010


This would have taken you about an hour to set up when your mom got her computer in the first place. Either way, this isn't rocket science.

Even if it takes only the better part of an hour to set up a computer so it doesn't get mortally screwed after a week of use, that's too much rocket science for me. I want my computer to work like a toaster: simple and foolproof. You shouldn't need specialized knowledge to maintain a basic home system.
posted by Camofrog at 11:08 PM on March 9, 2010 [2 favorites]


Re OSX security, this from an expert.
posted by Chocolate Pickle at 11:10 PM on March 9, 2010


We bought Mac Pros at the office to run Win 7 64 on because they were cheaper than the equivalent Dell. By a lot. And before you ask, because of Autocad, Rhino and Solidworks, which don't work on OS X.

Sshhh, don't tell people this. I prefer everyone to think I pay too much for sub-standard hardware.
posted by michswiss at 11:11 PM on March 9, 2010


esome: “So, as a mac user, I have to ask: Is this sort of thing common?”

As a Linux user, I have to ask: do you enjoy making Mac users look like massive pricks? Because I know a few of them that would like to take a swing at people who spout nonsense like this. At least learn a little bit about computers before you go Mac/PC trolling.

Or there's my alternate retort: how does it feel to pay shitloads of money when you could get even better security and usability for free?
posted by koeselitz at 11:20 PM on March 9, 2010 [12 favorites]


If conductive cotton fabric undergarment charging really does catch on, these sorts of shenanigans will lend new meaning to the term "backdoor entry".
posted by christopherious at 11:22 PM on March 9, 2010


Re OSX security, this from an expert.

There are theoretical exploits, sure, but very few actually have made it out into the real world. A rational explanation is needed to account for Apple's relative success.

If it was simply a numbers game, the successful exploit rate—or at least the count—would go up as the OS X market share has increased over the last nine years (from a low of 1 percent to now between roughly 5 and 10 percent, depending on which computer company's pollsters you ask).

If that exploit rate hasn't increased commensurate with a rise in market share, that "numbers game" argument begins to fail and some other explanation is needed for the lack of relative increase in infections.
posted by Blazecock Pileon at 11:28 PM on March 9, 2010


If it was simply a numbers game, the successful exploit rate—or at least the count—would go up as the OS X market share has increased over the last nine years [...]

I can't agree with that; it's not reasonable to assume a close correlation of hacker activity to market share when the ratio is still that skewed and the malware writers' experience and resource base is so heavily invested in windows. 90% is still overwhelmingly attractive and by contrast 10% doesn't look ten times better than 1%, it doesn't even rate; not while that vast underbelly is still out there and you've got all the cover of a vastly larger software base and a user population accustomed to having to install shit all the time. No way. When OSX hits 30 or 40 you might start seeing some movement, but it will still lag because of that knowledge investment. People, especially assholes, stick to what they know, the tools they have, and the techniques that work, until something actually pushes them over or the draw becomes very compelling indeed.
posted by George_Spiggott at 11:39 PM on March 9, 2010 [4 favorites]


As a rule, never install software for hardware you plug into the computer if the thing works with just basic UPnP. If there is a need for a driver, first try Windows Update for signed drivers.

For this particular problem, however, the software was an app to provide a charge indicator on the desktop. The exploit only worked for XP SP1 and older, as SP2's default setting shuts down the exploited port.

In other words, this has not been an exploitable issue if anyone has not updated their XP system since August 25, 2004, provided the user responds to the warning XP displays under the title "Windows Security Alert". Whoever clicks Unblock at this point is doing the same thing as entering the Admin password on an OSX security prompt.

As for George_Spiggott and Camofrog, check out Win7. No, really. Like the BSOD, it's time to put those reasons to bed.

Blazecock Pileon, install Win7 and set your mom's account to something other than admin (as mentioned above). When she really wants to install something, you do it by RDCing in as admin.

I have no horse in this race, I run a MacPro at work with Snow Leopard and it runs VMs of XP SP3 and Ubuntu. At home I have Win7 x64 with the same VMs. They all have their pros and cons, and uses. I'd be lying if I didn't say that I find the Win7 UI my favorite since its release (prior to that, OSX was nice, and before that XP, Gnome, MacOS 6, command line, in case you were wondering).
posted by linux at 11:42 PM on March 9, 2010 [9 favorites]


What protects OSX from malware is as much to do with market share as a more secure design

This. This is the kind of diverse, multi-layered security that keeps Macs safe.

(To be fair, it seems to be working quite well.)
posted by ryanrs at 11:42 PM on March 9, 2010 [1 favorite]


I think anyone upset by this is totally overreacting. It's clear that by partaking of their capitalist goodness, you're ethically required to open your computer to any malware they might install.

If you didn't, well, battery chargers just wouldn't be as good. Some manufacturers might even disappear, and we can't have that.

Energizer staff has kids to feed and bills to pay, just like you do, and you're stealing money out of their pockets by refusing to open your computer to miscreants.

I mean, fer chrissake, it's just malware. Any seasoned computer user should be able to ignore it.
posted by Malor at 11:45 PM on March 9, 2010 [2 favorites]


Blazecock Pileon, install Win7 and set your mom's account to something other than admin (as mentioned above). When she really wants to install something, you do it by RDCing in as admin.

Well, I love my mom, but being a FT sys admin for someone a few time zones away is asking a lot. And it should be unreasonable to require remote support staff for a home computer. Someone's time and energy (mine, in this case — others, for their own friends and family members) is subsidizing an artificially-low-priced piece of poorly written software.

Anyway, I'm still puzzling over why someone would need to install software for a battery charger. Does it include a scheduler or email notifier or something that requires root access?
posted by Blazecock Pileon at 11:48 PM on March 9, 2010 [1 favorite]


A good programmer finally met his end, and was met at the Pearly Gates by Saint Babbage. Saint Babbage took the good programmer on a tour of Programmer Heaven. They walked by a room full of programmers, all looking happy, coding away, and on the wall was a huge bookshelf full of manuals.

"That's the Linux room. We gave them all the manuals and documentation they dreamed about in life but never had, well organized and well written."

The next room was also full of programmers writing code, looking happy. The bookshelf there had a single manual on it. "That's the Windows room. We distilled the tens of thousands of pages of Microsoft documentation down into a single book for them."

When they got close to the next door, Saint Babbage put his finger up to his lips, and he and the good programmer tip-toed past the door. Again, the room was full of programmers coding happily. Once they were past it, the good programmer asked, "What was that all about?"

"That's the Mac room. They think they're the only ones up here."
posted by Chocolate Pickle at 11:50 PM on March 9, 2010 [24 favorites]


By the way, in case this wasn't inherently clear from the writeup, this has nothing to do with the OS in question, because the software was installed and explicitly run by the user. No (current) operating system can protect you from that. This particular malware was targeted at Windows, but it would have been just as effective under OS X or Linux.

OS X versus Windows clashes, in this context, are a lot like being smug about your wonderful Ford because some aftermarket engine mods happen to blow up Toyotas. The mods are at fault, not the cars.
posted by Malor at 11:54 PM on March 9, 2010 [5 favorites]


To be fair, it seems to be working quite well.

Yes, but it's not fair to hail OSX as superior in security compared to other OSes simply because it is secure by obscurity.

None of this is going to matter in five years. Cloud OSes are already on the horizon from both MS and Google (and Apple if the iPhone OSX is its future for its hardware). At that point, the need for security lies in the browser-as-OS. Once the desktop becomes obsolete for the majority of consumers who use it for browsing (including Flash/DHTML5 gaming) and productivity.
posted by linux at 11:54 PM on March 9, 2010


linux: “As for George_Spiggott and Camofrog, check out Win7. No, really. Like the BSOD, it's time to put those reasons to bed.”

Internet Explorer 8 as a reason Microsoft is taking security seriously – that seems somewhat laughable to me, and it's the reason I haven't read anything I respected from PC World since about 1992. And the whole "more secure than OS X thing" - well, fine, but you're comparing Apples and lemons there, right? (Heh.)

There are significant things that both Microsoft and Apple would have to do in order to ensure real security, and neither are willing to do them because they're concerned about marketability and profit. For instance, neither system will be really secure until they move to a repository-based install system, I think; but that's not "marketable," it seems too difficult, and it really doesn't pay off in the short run. (Steve Jobs seems to want to create something like this, but since it's purely market-driven I don't know how much it'll help security. I don't really trust their App Store approval process at this point.)

I've said it before, and I'll say it again: if you want security, run OpenBSD.
posted by koeselitz at 11:55 PM on March 9, 2010 [1 favorite]


Blazecock Pileon: “Anyway, I'm still puzzling over why someone would need to install software for a battery charger. Does it include a scheduler or email notifier or something that requires root access?”

Yeah. I think linux mentioned this - it included a gauge for how much charging had been done and how much was left.
posted by koeselitz at 11:57 PM on March 9, 2010


koeselitz: I'm not saying Win7 is the epitome of secure. I'm saying that the reasons cited do not have the same bite as before. It's like complaining about the bomb screen on MacOS if I were complaining about OSX.

If I want absolute security, I'd unplug my computer from the internet and run whatever the hell I want.
posted by linux at 12:00 AM on March 10, 2010


When OSX hits 30 or 40 you might start seeing some movement

If everyone in the malware biz is targeting Windows, and if I was in the malware biz, and if I was greedy, and if OS X is as easy to crack as the expert said, then I would totally go after Mac users.

That's at least 5% (if not up to 10%) of all those computers and their juicy bank and credit card info all to myself. All I need is one sneeze to get all the others sneezing, if a Mac is so easy to crack. Seems like easy money.

The fact that this hasn't yet happened (or there's no evidence for it, anyway) may be suggestive of how relative numbers do not play a significant role in the general immunity that Apple computers seem to enjoy.

That doesn't necessarily mean that OS X is safer, just that the number of computers out there is not a factor. Maybe the variety of the OS X versions out there or the PPC/Intel hardware split confers some immunity.
posted by Blazecock Pileon at 12:02 AM on March 10, 2010


If everyone in the malware biz is targeting Windows, and if I was in the malware biz, and if I was greedy, and if OS X is as easy to crack as the expert said, then I would totally go after Mac users.

That's at least 5% (if not up to 10%) of all those computers and their juicy bank and credit card info all to myself. All I need is one sneeze to get all the others sneezing, if a Mac is so easy to crack. Seems like easy money.


I don't think it works the way you think it works.
posted by Pope Guilty at 12:10 AM on March 10, 2010 [2 favorites]


Blazecock Pileon: “If everyone in the malware biz is targeting Windows, and if I was in the malware biz, and if I was greedy, and if OS X is as easy to crack as the expert said, then I would totally go after Mac users.”

This is a ridiculously specious argument; the reality of the situation is far more complex, and I'm sure you know it is, BP. If you were in the malware biz, you'd statistically live somewhere in Russia or the former SSRs, and you wouldn't be able to get your hands on a computer running OS X to save your life. Moreover you'd want to get your hands on an older version of OS X (malware targets primarily XP, remember?) like maybe Jaguar or Panther – except, as you yourself pointed out, the market share for OS X was hovering around 2-4% even back then, and OS X users tend to update more frequently and readily than the bulk of Windows users, so the proportion of people still using your target of choice will be much, much smaller. You're talking about going after, well, I'm just going to guess, maybe 0.5% of the market, at very most. And those people will be (a) non-businesspersons who happen to weirdly still be running ancient Macs and (b) ubergeeks.

At that point it becomes a swift run into statistical irrelevance, doesn't it? If you're writing exploits for an obsolete operating system that virtually no one uses aside from certain people who are actually interested and involved in how it runs, well, what's the point? I may as well try to write exploits for Windows 95 or BeOS or something. Heck, I imagine I'd have more success finding people who still ran Win 95 than OS X Jaguar anyhow.

There are a variety of reasons, but XP was around long enough and soaked into the world at large long enough that it's still all over the place, often in un-updated form and exploitable as hell. It's not just market share; no situation even remotely analogous exists in the OS X camp. That has very little to do with design, sadly, although Microsoft sure haven't done anything to make the whole thing any better.
posted by koeselitz at 12:14 AM on March 10, 2010


I don't think it works the way you think it works.

Really? If Mac users are the creme de la creme of society, their computers are potentially filled with delicious financial info. If I was a computer criminal, I would totally go after their data, if no one else is in that niche and they are easy targets.
posted by Blazecock Pileon at 12:14 AM on March 10, 2010


If you're writing exploits for an obsolete operating system

But the expert said that any version of OS X is easy to crack, and one of the reasons why (stack randomization) was repeated in this thread. No version would be considered obsolete if they are all more or less equally easy for expert criminals to break into, sharing the same core vulnerability.
posted by Blazecock Pileon at 12:18 AM on March 10, 2010


If Mac users are the creme de la creme of society

Okay, yeah, you're just trolling.
posted by Pope Guilty at 12:19 AM on March 10, 2010 [6 favorites]


... Mac users are the creme de la creme of society, their computers are potentially filled with delicious financial info...

I think Pope Guilty's point is that hackers don't hack a system for that reason. Hence, it doesn't work the way you think it works.
posted by linux at 12:21 AM on March 10, 2010


Okay, yeah, you're just trolling.

No, I'm actually quite serious.
posted by Blazecock Pileon at 12:22 AM on March 10, 2010


* Sigh * Okay, BP. Macs are superior. Even though this conversation is about something entirely different, you win: your computer is better than everyone else's. Can we just put this to bed? There's a reason Mac users get a reputation on online forums for being tedious.
posted by koeselitz at 12:24 AM on March 10, 2010 [1 favorite]


So as a windoze user, I have to ask. Can you actually feel good about paying 50% more for the same performance?

Yes. When you bill out at $100+/hr, which is not uncommon for many professional services, it's quite reasonable to avoid that downtime. I understand that Macs share some of the vulnerability, but I'm happy with the market-share "protection" for now. And speaking as someone who is not that much into computers, the whole article was further affirmation that if I had to decipher that babble into some sort of fix, I may have made the wrong computer choice. It's clearly not made for average end-users.
posted by l2p at 12:25 AM on March 10, 2010 [1 favorite]


As for George_Spiggott and Camofrog, check out Win7.

I'm sure I'll have to eventually since I live in this imperfect world which demands Windows in some irreducible set of circumstances; but MS burned away my patience in a thousand ways over many years, so for now, they'll have to do a lot better than just make a much less broken OS. They have to give it to me for free, along with the computer and ports of all the software I use, and then sit under my desk fellating me while I try it out. Failing that, I'm doing very well with Linux and OS X and running XP as little as possible on a thoroughly backed-up virtual machine when I absolutely have no choice.
posted by George_Spiggott at 12:26 AM on March 10, 2010 [1 favorite]


Even though this conversation is about something entirely different

This conversation is exactly what it is. I was being reasonable about questioning one of the claims someone else made, because that claim doesn't make much sense in light of how things actually work. If you don't want to talk about it, you shouldn't feel the need to participate in that part of the discussion.

posted by Blazecock Pileon at 12:38 AM on March 10, 2010


Living in China I use a locally-produced operating system cobbled together entirely from the code for backdoors and malware (Dakai Houmen 8.1). The security features are very clever; the hacker of course gets in quite easily, but then gets lost in a maze of twisty passages all alike only to suddenly find they've exited unceremoniously through one of the many other gaping holes in the system before having time to do anything nefarious. The only downside is that functionality is currently limited to renewing your Viagra prescription, wiring money to former senior officials of failed states or downloading detailed plans of the latest US military hardware.
posted by Abiezer at 12:47 AM on March 10, 2010 [15 favorites]


Yeah, keep saying that Windows is insecure solely because it's popular. It gets no less hilarious no matter how many times I hear it. Nothing to do with Windows requiring administrator privs to do practically anything, or tying Internet Explorer into the OS for a decade. Nope, solely because it's awesome, chugging away as it does at powering all those awesome rice-boxes with a bunch of random crap from Taiwan shoved in a cheap, gaudy plastic case with some bright blue lights, conquering important tasks like allowing you to play Generic First Person Shooter That Came Out 6 Months Ago On Consoles Part 8 Million.
posted by DecemberBoy at 12:53 AM on March 10, 2010 [4 favorites]


That's an extremely dishonest characterization of this discussion, DecemberBoy, and does nothing good for this discussion whatsoever.
posted by Pope Guilty at 1:03 AM on March 10, 2010 [1 favorite]


I'm still puzzling over why someone would need to install software for a battery charger. Does it include a scheduler or email notifier or something that requires root access?

"Every ~~program~~ computer accessory attempts to expand until it can read mail. Those ~~programs~~ accessories which cannot so expand are replaced by ones which can."
posted by cmonkey at 1:09 AM on March 10, 2010 [2 favorites]


So in other words eventually there will be Energizer Battery Monitor for Emacs.
posted by Pope Guilty at 1:26 AM on March 10, 2010 [3 favorites]


I've been reading computer security articles for 15 plus years, and it's a mystery to me why the soft underbelly of Apple machines hasn't been eviscerated more often. Back when malware was more about vandalism than organized crime they got targeted a few times, but really there is some mystery X factor that has nothing to do with market share or relative security. I suspect koeselitz has the answer (lazy PC malware writers stick with PCs), but I don't think the increasing market share of OSX is going to make hackers turn to it as fast as the increasing security of new Windows platforms is going to push hackers towards flash exploits, which may become multi-platform, and secondarily OSX exploits.

I just hacked my G1 to run cyanogenmod, and that definitely made me wonder if I'm signing up for some kind of botnet.
posted by BrotherCaine at 2:20 AM on March 10, 2010


Next to my computer I've got a big glass jar. Every time there is a post about computers and Blazecock Pileon slags off PCs in the first 10 posts I put a dollar in there. Then whenever my mum rings me and says her computer is playing up or getting slow, I just take all the money in the jar and buy her a new one.
posted by markr at 3:43 AM on March 10, 2010 [8 favorites]


This particular exploit has nothing to do with Mac vs. Windows since it requires you to explicitly install drivers manually with admin privileges as instructed by a commercial product. You could have just as easily written this for Mac, or AIX or Linux. It doesn't exploit any particular vulnerabilities of Windows or show that it's an unsafe OS any more than leaving your house's back door unlocked says that your house is unsafe.
posted by octothorpe at 4:25 AM on March 10, 2010 [2 favorites]


Netcraft now confirms: closed source is dying
posted by DU at 4:36 AM on March 10, 2010 [1 favorite]


If the hardware I own makes me some kind of privileged class -- even though I only bought this one because Apple is the last real UNIX workstation vendor in the world, and the other one because it was cheaper than dinner out -- then I guess it's okay for me to say this: BP, dude. You're being a dick.

That having been said, I spent many many years of my life dealing with Windows. Given the absolute crap quality of many device drivers on that platform from vendors both obscure and widely known, this honestly doesn't surprise me in the least.

I do, however, take issue with the description as posted: "It permits a remote user full access to your Windows system." No, it does not. In fact the very next thing you say contradicts that statement:

"The backdoor operates with the privileges of the logged-on user."

There is no privilege elevation here, so "full access" isn't on the table. It's that the monitoring tool which runs in userspace has a back door, thus it only has user level access. And as all the Windows proponents above take great pains to point out over and over again, a proper Windows installation has the user running unprivileged. So the system itself isn't vulnerable, the session is just remotely exploitable.
posted by majick at 5:47 AM on March 10, 2010 [1 favorite]


I would be very interested to know what happened in Energizer's supply chain. I think USB-charged batteries are a great idea, and it sucks that the product was brought down by either someone on the inside at Energizer or one of their suppliers.

Luckily, the company's customer-service end really does seem to be good at proactively responding to things like this. I sent a message through their contact form when some of the rechargeable batteries I bought died after one charge, and they sent me a manufacturer's coupon worth about twice the original four-pack I'd bought. (Which I then proceeded to bury in a pile of papers and forget about until it was long past expired, unfortunately.)

Of course, the fact that the batteries died in the first place may indicate another possible problem with their supply chain—perhaps similar to this one? I've heard tell, for instance, that there are two different colors of Energizer rechargeable batteries—some with green tops, some with black tops—and that one's the inferior version made in China, the other a superior version made in Japan. Sounds like perhaps the company needs to put a tighter lid on its operations, if things like this keep happening.

Too bad that a good idea (USB battery charging) was hampered by these sorts of problems. (My interest in the company's continued success being twofold: 1. I like their rechargeable batteries and 2. they're based in my hometown.)
posted by limeonaire at 5:58 AM on March 10, 2010


This is idiotic. Why would I need to see on my computer the recharging status of the batteries in the charger that is 6 inches away from the computer itself. Can't they just put a red and green LED on the stupid thing? If it's red, you're still charging, green you're done. Holy fuckaroni, way to overthink an already crappy product (don't get me started on recharging batteries off the USB port).


If everyone in the malware biz is targeting Windows, and if I was in the malware biz, and if I was greedy, and if OS X is as easy to crack as the expert said, then I would totally go after Mac users.


It's a numbers game. These kinds of attacks are not for academic purposes, they are doing them to make money. To successfully do whatever the malware is supposed to do, you probably need to reach some threshold number of compromised machines (e.g. a botnet is only useful if it is composed of a lot of computers, not a few). Consider that the number of successful compromises of target computers is probably a single digit percentage of the number of attempted compromises. Given that Macs have about 8% of the market, then even if the success rate of an attack is 10%, you still don't get an appreciable number of computers to accomplish whatever your goal is.

On a PC, the numbers are 10x larger. So even if it takes twice as much time to design a malware xp, your payoff is 10x higher than it would be on a mac. So it's worth putting in the extra effort to hit that market.

Unlike the classic majority fallacy, which suggests focusing on the smaller market because the competition is less, the malware "industry" does not have competition. You are looking to hit the biggest numbers possible. Targeting more-secure Windows instead of Macs allows for a geometric increase in the success rate for only a linear increase in effort.
posted by Pastabagel at 6:45 AM on March 10, 2010 [2 favorites]


I think Metafilter has been hacked. I clicked a link on the front page and ended up a slashdot thread. Someone tell Mathowie to stop using that battery charger!
posted by codacorolla at 6:48 AM on March 10, 2010 [7 favorites]


Why would I need to see on my computer the recharging status of the batteries in the charger that is 6 inches away from the computer itself.

It's because their marketing department is behind the times: If they really knew what they were doing, the charging status would be stored on an Energizer server somewhere, and you would have to create a profile, agree to hand over all your personal data and be spammed to death to see it.
posted by Dr Dracator at 7:31 AM on March 10, 2010 [2 favorites]


It sucks Energizer gets to control my computer, but how else am I going to charge the batteries?
posted by Theta States at 7:31 AM on March 10, 2010


That's at least 5% (if not up to 10%) of all those computers and their juicy bank and credit card info all to myself. All I need is one sneeze to get all the others sneezing, if a Mac is so easy to crack. Seems like easy money.

As others have said, the value of a rootkit which creates a botnet is the botnet's aggregate size, not the individual data on the computers. These people are generally stealing cycles and bytes, not credit card info. Don't conflate phishers with botneters.

The problem with your argument is that you are assuming linear growth in botnet spread rates with increasing market share. This just isn't so. It's much worse for the botnet rootkits than that because of network effects. To grow over the net, botnets need two computers not one: the zombie and the victim. Victims don't become zombies out of thin air, they need a zombie computer to infect them.

So for a Mac botnet to work, the new zombie Mac (0.1 market share) needs to find another victim Mac (0.1 market share) via, say, a b*torrent tracker. The chance of this is 0.1*0.1 or 1%. A Windows PC, on the other hand, can propagate at a rate of (0.9*0.9) about 80%.

That's the calculation botnet writers make. Right now, it's 80 (or so) times more profitable to target Windows than to target Macs. Botnet profitability scales as the square of market share, not linearly. That's why no one has ever seen a Mac trojan in the wild.
posted by bonehead at 7:42 AM on March 10, 2010 [5 favorites]
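bonehead's pairwise-contact calculation above, written out as an added illustration (not part of the thread). It assumes what the post implies: each contact pairs two hosts drawn uniformly at random from the whole population, an infection crosses a contact only when both ends run the same platform, and p_X is platform X's share of hosts.

```latex
\Pr[\text{both ends of a random contact run platform } X] = p_X \cdot p_X = p_X^{2}

p_{\text{Mac}} = 0.1 \;\Rightarrow\; p_{\text{Mac}}^{2} = 0.01 \qquad
p_{\text{Win}} = 0.9 \;\Rightarrow\; p_{\text{Win}}^{2} = 0.81

\frac{p_{\text{Win}}^{2}}{p_{\text{Mac}}^{2}} = \frac{0.81}{0.01} = 81
```

Under this model the cross-platform ratio is the square of the share ratio (9² = 81), which is where the "scales as the square of market share" and "80 (or so) times" figures in the post come from.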


I think anyone upset by this is totally overreacting. It's clear that by partaking of their capitalist goodness, you're ethically required to open your computer to any malware they might install.
If you didn't, well, battery chargers just wouldn't be as good. Some manufacturers might even disappear, and we can't have that.
Energizer staff has kids to feed and bills to pay, just like you do, and you're stealing money out of their pockets by refusing to open your computer to miscreants.
I mean, fer chrissake, it's just malware. Any seasoned computer user should be able to ignore it.


This easy smugness about the difficult and complex adblock issue drives me crazy, and I quit reading that thread because of that, but apparently it's going to spill over elsewhere now. Great.

Since this exploit isn't a part of Energizer's business model, your analogy is incredibly dumb-too dumb to even coherently respond to. The only way to even get to the malware is to pay Energizer money for their product, thereby supporting their business. Good job-insofar as this analogy does anything at all, it supports the other side of the argument.
posted by Kwine at 7:49 AM on March 10, 2010


zachlipton : Why does a USB battery charger require a driver anyway besides as a backdoor vector?

Because most motherboards won't provide power over the USB port unless the OS tells them to (this prevents both overloading the MB if you stick, for example, a key in your USB slot, as well as damaging USB devices that don't want power). Consider that a "good" thing, though I would argue that Windows really needs a dumb "force this port on" driver rather than requiring every cell phone, camera, and things like this Energizer toy, to provide a driver that does little else.


esome : So, as a mac user, I have to ask: Is this sort of thing common?

At the risk of contradicting most of the responses so far - Much more common than you might suspect.

You don't see a lot of deliberate backdoors, but I've seen plenty of drivers that install some form of web, file, or even outright VNC servers - All configured so insecurely as to make Bruce Schneier cry. And Hera help you if you already have, for example, Apache running on the "random" (often the second most common) port chosen by the vendor.


Pogo_Fuzzybutt : This seems like yet another windows vulnerability, and so, you know, HAHA MICRO$OFT SUXXORS! shit would be hilarious.

Guess again. You Mac guys don't get a pass on this issue in general (though in this specific case, you luck out). This has nothing to do with Windows (in)security, and everything to do with the fundamental insecurity of allowing untrusted drivers on your system. You touched on that, but didn't extend it far enough - What do you do when your shiny new toy proves worthless if you don't trust the vendor's drivers?


George_Spiggott : When OSX hits 30 or 40 you might start seeing some movement

Oh, so Macs will remain safe forever. ;)
posted by pla at 7:52 AM on March 10, 2010


See...this is why I get a sense of dread whenever I hear the words "You know what would be cool to add?" come from either a marketing droid or a dev.
posted by Thorzdad at 8:03 AM on March 10, 2010


The depressing thing is this back door is over two years old! Here's a February 2008 forum post wondering why his Energizer USB Charger has a DLL that takes 100% of CPU and doesn't get deleted on uninstall. Another from October 2007. The DLL is apparently from May 2007.
posted by Nelson at 8:06 AM on March 10, 2010


Yikes. Sorry I mentioned macs. My comment came off as way more prickish than I intended it and I'm sure the criticism is merited.

In any case, I am truly ignorant about a lot of PC stuff. I know that viruses are common. What I wondered is, how common is it that they ship with the hardware [regardless of the OS]? I'm gathering the answer is 'not very'.
posted by esome at 8:29 AM on March 10, 2010


It would be fascinating to know what percentage of computer-related threads have been derailed over the years by Mac zealots who seize upon every opportunity to turn the conversation to their infinitely superior lifestyle choices.

I bought a 24" iMac in 2008 and used it as my only home computer for about a year. Then I sold it and went back to a Windows PC. A number of hardware and software issues prompted my decision, but the biggest single reason for switching back is that I just got tired of the incessant circlejerk I found among the vast majority of my fellow Mac users.

The only other place I have ever encountered such sycophancy, such one-sided uncritical thinking, such a sense of smug superiority toward all outsiders, was in the Fundamentalist Christian church I attended as a teenager. Seriously, if you swap out the tech jargon with points of religious doctrine, it is stunning how much you guys sound like them.

Not directed at you in particular, esome -- if you hadn't started the derail (unintentionally, it seems), someone else likely would have.
posted by [user was fined for this post] at 8:45 AM on March 10, 2010 [1 favorite]


I want my computer to work like a toaster: simple and foolproof.

I want my car to work like a little red wagon: I never have to change the oil, rotate the tires or put gas in it.

Complicated machines are complicated.
posted by Bonzai at 8:46 AM on March 10, 2010 [5 favorites]


I was being reasonable about questioning one of the claims someone else made, because that claim doesn't make much sense in light of how things actually work.

The claim made perfect sense, it was your claim that 1) hacks are intended to raid a home system for "delicious financial info" and 2) Macs are owned by "the creme de la creme of society".

So 1) hacks are NOT about raiding personal info on a computer (you did not read the Wikipedia link I left above for you) and 2) I can't take this claim seriously at all.

posted by linux at 8:53 AM on March 10, 2010


Forgot to close the italics on the first sentence, which is a quote of BP. The next two sentences are mine.
posted by linux at 8:54 AM on March 10, 2010


The file details list the DLL language as Chinese - I'm assuming that means the Chinese character set was used by the programmer? Was the programming job outsourced? Did the contractors know about the back door or were they themselves hacked?

Not to be a conspiracy theorist, if that is true it helps back up my theory that an organization within China is intent on holding the keys to U.S. computer security. Case in point is the incident from 2008 where counterfeit Cisco Routers were purchased by the U.S. Govt which would allow attackers to bypass/infiltrate secured networks.
posted by samsara at 9:44 AM on March 10, 2010


Samsara: What seems more likely to me is that a lot of technology is mass manufactured in China, and a lot of Chinese programmers are in good position to attempt a low risk hack with relatively high reward outcome. It feels like thinking of these things as some grand Chinese conspiracy is dangerous, both in terms of internet freedom, and in terms of international relations. It reminds me of the article a few weeks back, about how the Homeland Security and Defense departments were pushing the idea of "cyber war" to get a tighter grip, and greater surveillance, on the domestic internet.
posted by codacorolla at 9:55 AM on March 10, 2010


I want my car to work like a little red wagon: I never have to change the oil, rotate the tires or put gas in it.

When you get instructions like this:

"According to US-CERT, the backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, Windows may need to be restarted before this file can be removed."

Do you have to pass an automotive mechanical competency test every time you fill up? This may be an easy thing for a lot of people to deal with, especially to all the erudite folks on MeFi, but to most folks, myself included, I don't have time or willingness to learn a whole new skill.
posted by l2p at 10:01 AM on March 10, 2010
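The US-CERT removal instructions quoted in the post above, turned into a checkable procedure. This is an added example, not code from US-CERT, Energizer or anyone in this thread. It assumes Windows PowerShell 5.1 or later run from an elevated prompt (System32 is protected), and that the file name and location in the quoted instructions (system32\Arucer.dll) are accurate for the affected install. The listening-socket and Run-key checks are generic precautions: the quoted text says only that rundll32.exe keeps hosting the DLL after uninstall, not how it is launched or which port it uses.

```powershell
<#
Added example (not US-CERT's or Energizer's code): find the Arucer.dll component,
show which process is hosting it, and optionally remove it.
Assumptions: elevated Windows PowerShell 5.1+; DLL name/path per the US-CERT text.
The port and Run-key checks are precautions, not facts taken from the advisory.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DllName = 'Arucer.dll',   # file name from the US-CERT instructions
    [switch]$Remove                    # default is report-only
)

$dllPath = Join-Path $env:SystemRoot "System32\$DllName"
$pattern = [regex]::Escape($DllName)

# 1. Is the file present? Hash it before anything changes, for the incident record.
if (Test-Path -LiteralPath $dllPath) {
    $sha256 = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    Write-Host "[!] Found $dllPath  SHA256=$sha256"
} else {
    Write-Host "[+] $dllPath is not present"
}

# 2. Which processes have it loaded? Uninstalling leaves rundll32.exe running, so
#    inspect every process's module list and command line, not just the charger app.
#    Module enumeration throws for protected or cross-bitness processes; treat that as "no".
$byModule = Get-Process | Where-Object {
    try { @($_.Modules | Where-Object { $_.ModuleName -ieq $DllName }).Count -gt 0 } catch { $false }
}
$byCmdLine = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.CommandLine -and $_.CommandLine -match $pattern }

$hostPids = @($byModule | ForEach-Object { $_.Id }) +
            @($byCmdLine | ForEach-Object { $_.ProcessId }) |
            Sort-Object -Unique

foreach ($p in $hostPids) {
    $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
    Write-Host "[!] PID $p ($($proc.ProcessName)) has $DllName loaded"
    # 3. Report any listening TCP sockets owned by that process (the advisory text
    #    quoted on the page names no port, so enumerate whatever is bound).
    Get-NetTCPConnection -OwningProcess $p -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "    listening on $($_.LocalAddress):$($_.LocalPort)" }
}

# 4. Persistence: look in the usual Run keys for anything that references the DLL.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    $entries.PSObject.Properties |
        Where-Object { ($_.Value -is [string]) -and ($_.Value -match $pattern) } |
        ForEach-Object { Write-Host "[!] Run entry $key\$($_.Name) = $($_.Value)" }
}

# 5. Removal, only with -Remove. Stop the host first: a DLL mapped into a running
#    process cannot be deleted, which is why the advisory says a reboot may be needed.
if ($Remove) {
    foreach ($p in $hostPids) {
        if ($PSCmdlet.ShouldProcess("PID $p", 'Stop-Process')) {
            Stop-Process -Id $p -Force -ErrorAction SilentlyContinue
        }
    }
    if (Test-Path -LiteralPath $dllPath) {
        try {
            if ($PSCmdlet.ShouldProcess($dllPath, 'Remove-Item')) {
                Remove-Item -LiteralPath $dllPath -Force -ErrorAction Stop
                Write-Host "[+] Removed $dllPath"
            }
        } catch {
            Write-Warning "Could not remove $dllPath ($($_.Exception.Message)). Reboot and re-run with -Remove."
        }
    }
}
```

Run it with no switches to get a report only; `-Remove -WhatIf` shows which process would be stopped and which file deleted without doing either; `-Remove` performs both. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on older systems that step is silently skipped and `netstat -ano` filtered on the reported PIDs gives the same information.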


You've never learned how to delete a file and reboot?
posted by kmz at 10:15 AM on March 10, 2010


BP: Just because you "Imagine" that hackers have a certain motivation doesn't mean they actually have it.
posted by delmoi at 10:20 AM on March 10, 2010


Can't they just put a red and green LED on the stupid thing?

Exactly. Completely ignoring the security holes it opened, I'm seriously trying to come up with why the hell anyone would want to track the charge state of AA batteries on their screen. I mean, if it was some sort of charging array that tracked a couple of hundred batteries or something, sure, but four or however many that holds?

It's feature creep gone mad.
posted by quin at 10:26 AM on March 10, 2010 [1 favorite]


Codacorolla: Absolutely true, I agree with that as well. Either way the exposure of these risks hopefully strengthens awareness and security measures for anyone involved...even to limit or (hopefully) avoid the rogue infiltration attempts not tied to a grander scheme. Having the mindset that something bigger could be happening does seem a tad xenophobic and politically dangerous. Yet at the same time the threat, whether realized or not, does exist and is definitely not something to be laissez faire about. As bureaucratic as many Govt. offices can be, I can see any kind of adaptation to new types of threats taking forever to implement. A simple battery charger, without knowledge of the risks of installing new software or drivers, can lead to a successful targeted attack much like the recent Aurora exploits used on Google and various other companies.

There's definitely a ramp-up on this activity, much of it (if not most) is for financial gain. I'm willing to speculate there's an espionage angle in the works as well, hinging off of the re-engineering of currently successful exploits. (eg. just because the backdoor was written for one entity doesn't mean others can't exploit it as well..). That has also been the case with Aurora, using commonly deployed malware rootkits to elevate rights within a network.

Again, trying not to be a conspiracy theorist, and I hope I'm wrong. But the threat is real and tangible.
posted by samsara at 10:32 AM on March 10, 2010


Can't they just put a red and green LED on the stupid thing?

I've got a battery charger that displays all kinds of data, but all that's on the charger itself. I can't imagine having to monitor that on my computer.
posted by kmz at 10:38 AM on March 10, 2010


So, as a mac user, I have to ask: Is this sort of thing common?

So as a windoze user, I have to ask. Can you actually feel good about paying 50% more for the same performance?

As a Linux user, I have to ask: do you enjoy making Mac users look like massive pricks?


As a Mind, I have to ask:

Do you enjoy interacting with nonsentient machines that keep their electromagnetic memory in physical space, just ripe for the effectorizing? Holy shit, they're even dumber than you meatbags.
posted by ROU_Xenophobe at 10:51 AM on March 10, 2010 [2 favorites]


Do you have to pass an automotive mechanical competency test every time you fill up?

No, but if you don't know how to safely remove the bolts to change a tire (hint: unscrew the bolts a little bit before jacking the car up), you should probably pay the roadside assistance company to do it. Nothing wrong about it, but don't go around asking for a car with snap-off wheels because it just doesn't work that way.

Seriously, guys and girls, car analogies?
posted by Dr Dracator at 10:51 AM on March 10, 2010 [1 favorite]


So, as an OS/2 user, I have to ask: when is Warp 5 coming out?
posted by ALongDecember at 11:00 AM on March 10, 2010 [1 favorite]


Seriously, guys and girls, car analogies?

I've mostly driven station wagons, but I do have a tank (free!) at home. I've always wanted a batmobile though.
posted by bonehead at 11:17 AM on March 10, 2010 [1 favorite]


BP: Just because you "Imagine" that hackers have a certain motivation doesn't mean they actually have it.

I wasn't talking about hackers.
posted by Blazecock Pileon at 11:32 AM on March 10, 2010


it was your claim

You know what? If you guys want to be taken seriously, start by questioning bits of drive-by nonsense like this, if the "creme de la creme" comment bothers you so damn much.
posted by Blazecock Pileon at 11:37 AM on March 10, 2010


It wasn't exactly 'drive-by nonsense' - he was responding to esome's obvious troll. As have we all. Maybe we're just all suckers; I'm starting to think so, if somebody can come by and make such an obvious trolling comment, and we all fall for it.
posted by koeselitz at 11:45 AM on March 10, 2010


This may be an easy thing for a lot of people to deal with, especially to all the erudite folks on MeFi, but to most folks, myself included, I don't have time or willingness to learn a whole new skill.

Why is this an acceptable thing to say about computer use and nothing else?

Any other complicated machine that you want to use, people accept the existence of a learning curve. Computers, on the other hand, are expected to be operable without the least bit of experience or understanding, and many people are actively hostile to the idea of learning how to use them. What the hell?
posted by Pope Guilty at 11:47 AM on March 10, 2010 [2 favorites]


I wasn't talking about hackers.

Then who are you talking about when referring to those who hack into computers for delicious financial info, hoping it belongs to a person that is a member of high society?

And why do you think this is what they do? You expressly stated, "That's at least 5% (if not up to 10%) of all those computers and their juicy bank and credit card info all to myself. All I need is one sneeze to get all the others sneezing, if a Mac is so easy to crack. Seems like easy money."

Why can you not understand that the purpose of hacking/exploiting a home system is not what you think? There is NO ONE out there trying to hack a home computer to get at juicy bank and credit card info. Those people hack financial systems. The people exploiting the home want to 1) sell you stuff or 2) want to use your computer to sell other people stuff.
posted by linux at 12:00 PM on March 10, 2010 [1 favorite]


Then who are you talking about when referring to those who hack into computers for delicious financial info, hoping it belongs to a person that is a member of high society?

Computer criminals — identity thieves, mostly. I'm sure you knew that, of course.
posted by Blazecock Pileon at 12:08 PM on March 10, 2010


Pope Guilty : Any other complicated machine that you want to use, people accept the existence of a learning curve. Computers, on the other hand, are expected to be operable without the least bit of experience or understanding, and many people are actively hostile to the idea of learning how to use them. What the hell?

Wow, I never thought I'd see the day that we completely agree about something. :)

Computers dwarf cars in terms of complexity; and while cars require (in most states) a minimum age, 6+ weeks of training followed by up to six months of practice with an experienced copilot, as well as regular inspections to make sure the equipment still works correctly - You can call Dell and "Dude, you got a botnet" 24 hours later.

That said... Opening Explorer, deleting a file, and rebooting counts as "hard" these days? Really? Really???
posted by pla at 12:15 PM on March 10, 2010 [1 favorite]


The problem with your argument is that you are assuming linear growth in botnet spread rates with increasing market share.

I'm assuming exponential growth, like any contagious disease. If Apple's market share increases, its infection rates should increase exponentially. That hasn't happened.
posted by Blazecock Pileon at 12:19 PM on March 10, 2010


Most of my mac using friends are writers and artists, so while I like to think of them as creme de la creme, it's definitely not in the financial sense.

That being said, I'm pretty sure there are enough people with money who own macs that it is a good potential target for some criminals. Especially if you wanted to target investment accounts that someone only checks once a quarter.
posted by BrotherCaine at 12:40 PM on March 10, 2010


I'm assuming exponential growth, like any contagious disease. If Apple's market share increases, its infection rates should increase exponentially. That hasn't happened.

This is because your model is wrong. There isn't a single population to spread in, there are two (or more). Better than 90% of the interactions your Mac has with other computers are with an incompatible form, effectively an immune population. Only about 10% are potential victims or dangerous zombies. This significantly changes the differential equation you need to use.
posted by bonehead at 12:52 PM on March 10, 2010 [1 favorite]


So Energizer have admitted this serious problem and then buried any mention of it deep in their website. It's not on their homepage at all. Definitely lawsuit-worthy.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 12:54 PM on March 10, 2010


Do you have to pass an automotive mechanical competency test every time you fill up?

No. But if that's all you know, then good luck walking to your job as a gas station attendant.

OTOH if you want to drive a car you might have to learn how to do it. It's a bit complicated, sort of a new set of skills. And you are tested on it. And then you get a license to do it.

Good luck.
posted by Splunge at 1:00 PM on March 10, 2010


Computers, on the other hand, are expected to be operable without the least bit of experience or understanding, and many people are actively hostile to the idea of learning how to use them. What the hell?

I blame the computer industry. You can't have a computer on every desk and in every home if your message is that you need to go back to school to use one. Also, office workers of earlier years really didn't want to use a new technology they didn't understand to do pretty much what they were already doing, so IT marketing had to sell on the idea that you need little to no training (which is pretty difficult to do properly anyway, even when the subject matter doesn't change every 6-8 months). Also also, technology is scary, making it simple and shiny always helps with sales. Finally, people don't like to have to do work, or be told they are dumb and ignorant. They will show cars some respect, because Fiery Twisted Metal Death = Obvious Bad Thing, but a bit of malware here and there is nothing: you kids are so smart, you can fix all of that with your magic computer skills.
posted by Dr Dracator at 1:00 PM on March 10, 2010


Computer criminals — identity thieves, mostly. I'm sure you knew that, of course.

No, I didn't. Let's leave off the fact that whatever you call them, identity thieves etc., if they are hacking into your computer they are hackers. Now, that particular group of criminals depends on the user to enter their information via browser on a website or email sent to a server they control. Or they hack into a financial or records system.

What we we were talking about are exploits to gain access to a user's machine to install malware of which the majority's purpose has nothing to do with identity theft but rather to either spam the user or use the user's system to send spam to others.

Now do you understand why what you think is not how things work with regards to home system exploits?
posted by linux at 1:25 PM on March 10, 2010 [1 favorite]


Then who are you talking about when referring to those who hack into computers for delicious financial info, hoping it belongs to a person that is a member of high society? [if not hackers]
Computer criminals — identity thieves, mostly. I'm sure you knew that, of course.
Oh god, don't tell me you're an ESR devotee. The word "Hacker" has always been used by "Computer criminals" and other people who break into systems to describe themselves. The fact that a bunch of busybody programmers wanted to claim the word for themselves never changed that. It's a context sensitive word. I thought that little jihad died in like 2002 or something.
posted by delmoi at 1:44 PM on March 10, 2010 [2 favorites]


When you make computer technology accessible to non-technical people, then non-technical people will be using computers, who will demand that computers become less technical, which will allow access to less technical people...

It's like a snake of simplification, eating its own tail.
posted by LordSludge at 2:13 PM on March 10, 2010


And, yes, plenty of people haven't the foggiest idea how to navigate around a file system. They can get on the internet and receive e-mail, and you can send them an attachment, but when they detach it, it "disappears" for them. They don't know what "c:\windows\system32" even means, much less how to get there. What's more, they don't want to know. They're too busy doing things like making friends, making money, having a career, and getting laid.

Really.

The iPad is going to sell bucketloads.
posted by LordSludge at 2:19 PM on March 10, 2010 [1 favorite]


For anyone that still cares about the Mac security derail... This should give you a bunch of information about the latest and greatest: live chat with Charlie Miller (you'll have to wait 'til the 17th)

As well, Apple pretty clearly is trying to do something about their security situation as Window was hired when Microsoft and Mozilla were having similar security process problems.

(disclaimer, I know Ryan, Charlie, and Window, and obviously I'm involved with PWN2OWN as well)
posted by mock at 3:12 PM on March 10, 2010


They're too busy doing things like making friends, making money, having a career, and getting laid.

Really.


And yet, despite this hectic schedule, they can find the time to learn to drive?
posted by robertc at 3:22 PM on March 10, 2010 [1 favorite]


What I wondered is, how common is it that they ship with the hardware [regardless of the OS]? I'm gathering the answer is 'not very'.

More common than it ought to be.
posted by robertc at 3:26 PM on March 10, 2010


Only about 10% are potential victims or dangerous zombies.

Ten percent is still a lot of hosts for an opportunistic, niche disease. For the purposes of discussion, if there are roughly, very conservatively speaking, 250M IP addresses in use, that makes (equally roughly) 25M that are potential victims in this category.

Most Macs are connected to the Internet in one way or another and are less likely to gain protection from organizational firewalls, given that most corporations and governments don't use Macs. Most people do not turn on the built-in firewall. So it seems fair to say a good number of them are exposed, out in the wild, and ready to infect any other networked Mac they can find.

Thus, any addition to that population, however meager, will have an amplified effect for launching future infections. And if no one else is targeting that host, that makes it fertile, open ground for someone ambitious enough to go after it. Most botnets are around 500K hosts. Conficker is around 10M+. Wouldn't the persons running said nets want to add another 25M easy nodes?

If the Mac is as easy to crack as the experts say, it follows that a lot of them should be bots by now. Some are (from the odd case of bundled open source services being rootkit-ed), but one can observe that this doesn't seem to be the case, on the whole, despite the numbers and despite the exposure.

posted by Blazecock Pileon at 4:09 PM on March 10, 2010


Blazecock, if you look at epidemiology, I believe 80% is considered to be about the level for 'herd immunity'. That is, if 80% of the population is immune to something, contagious diseases can't get a foothold and become systemic.

This isn't a direct comparison, of course, but even going from 1% to 10% market share isn't that big a deal, because of the compounding of the network effect; there's just too many people that are immune to a specific exploit. As market share percentage climbs, the attractiveness of the target becomes much higher.

The programmers, of course, also have to understand OS X well enough to write good exploits for it, and there just aren't that many programs available on that system -- the ecosystem to pull evil people from is also much smaller.

It's not a linear response, and don't think that seeing no difference from 1 to 10% has any true meaning in a larger sense. If the relative market positions of Windows and OS X were swapped tomorrow, it would be the biggest bonanza strike ever for botnet makers.
posted by Malor at 7:03 PM on March 10, 2010


LordSludge : They're too busy doing things like making friends, making money, having a career, and getting laid.

7/10. Kudos on the use of stereotypes that went out of style in the late 1970s, but welcome to the Dawning Of A New Era, where geeks make good money in their career and most people would hit Melinda Gates in a heartbeat.

So let me put this bluntly - If you "don't know what c:\windows\system32 even means" - Then yes, you should give your credit card number, date of birth, SS#, and any random biographical information requested, to every unsolicited email you receive from "your bank". It will save time and tears for everyone involved, and your butt will hurt in the morning either way.

Thank you, and enjoy your complimentary virus, sir!


No, those have no connection. But yes, yes they so much do.
posted by pla at 7:06 PM on March 10, 2010


Malor : If the relative market positions of Windows and OS X were swapped tomorrow, it would be the biggest bonanza strike ever for botnet makers.

I have to disagree here. Yes, Apple has deliberately fostered an environment of willful, even gleeful, ignorance about the workings of their machines. But they do actually have a robust security model at their core, with adequate privilege isolation between user-space and kernel-space. They have even managed to drill the idea "you will run in user mode" into their devs, both internal and third-party. So kudos for that.

Windows, as very much the polar opposite, has an almost ironic (if self-imposed) problem. After years of security-as-a-joke, they finally have something resembling decent privilege isolation, but have to deal with both users who turn security off whenever possible, and devs who consider "windows\system32" as the only safe place to store anything they don't want users to randomly delete while "cleaning up" their machines.

They both have a shared problem, however, which no amount of security-to-the-iron will solve - Users who really don't understand or care in the least about any of the above, and just want their cool new mouse cursors and smileys and weather forecasts to work.
posted by pla at 7:22 PM on March 10, 2010


But they do actually have a robust security model at their core, with adequate privilege isolation between user-space and kernel-space. They have even managed to drill the idea "you will run in user mode" into their devs, both internal and third-party. So kudos for that.

That's true, but Apple doesn't have the same kind of defensive thinking in many, many places in their code. When I was first digging around in 10.1 or 10.2, for instance, the 'nidump' utility could dump the encrypted passwords for all user accounts, even running as the 'nobody' user. Apple just doesn't think about security themselves very much, and while they've inherited a pretty good design, the code they've added to their BSD foundation is often quite poor from a security standpoint.

Windows' coding is much better, and UAC was a huge step forward in user security -- which they then immediately butchered into uselessness with Win7. So they were going the right way, but they failed to have the cojones to make it meaningful. I'd argue that the butchered UAC, all by itself, makes a huge amount of the rest of the work they've done on security largely irrelevant. Windows security is pretty good if you're running as a user, and Win7 moving users back into Administrator mode (even with 'click OK to run this malware' prompts) means that much of the (very good) security model doesn't get used.

I'd say Vista is probably substantially more secure than OS X, but Win7 is probably about equal. Microsoft wrote better defenses, but the defenses have been greatly weakened for convenience. OS X's defenses aren't as good, but they're actually being used.
posted by Malor at 8:01 PM on March 10, 2010


And, ironically, a major thing people -- the commoners, I mean -- hated about Vista was that they had to individually authorize any system configuration changes. They were all like "stop asking me and just work!" even though that sort of hands-off approach is what allows trojan virus-like behavior to propagate.

There's a balance between security and usability. And even among educated users, which most are not, there are different priorities between the two. I definitely don't encrypt all my e-mail and IM traffic; it'd be a total pain. But I did keep my Windows machines fairly up to date on security patches and virus scans.

I switched to Mac half a year ago. No virus scanner at all... Yeah, it's lower maintenance. (And working in IT, the last thing I want to do is troubleshoot computer systems when I get home.) So far, so good -- let's see how long it lasts.

Creme de la creme**, signing off!

** LOL.
posted by LordSludge at 8:25 PM on March 10, 2010


Oh, and here's how "driving a car" used to be: How to Drive a Model T Ford (fast-forward to 3:50 if you're impatient)

Can you imagine? Thank god for progress!
posted by LordSludge at 8:35 PM on March 10, 2010


Blazecock Pileon: “If the Mac is as easy to crack as the experts say, it follows that a lot of them should be bots by now. Some are (from the odd case of bundled open source services being rootkit-ed), but one can observe that this doesn't seem to be the case, on the whole, despite the numbers and despite the exposure.”

Are you sure? I've heard rumors about some sort of botnet that's invading lots of Macs nowadays – it's very hard to detect. The way you can tell you've got it is it makes your computer produce tiny, tiny, tiny print.

(Hee. Sorry.)
posted by koeselitz at 10:16 PM on March 10, 2010 [1 favorite]


The European Computer Driving Licence
posted by patricio at 2:45 AM on March 11, 2010


Hopefully it takes over here, too.
posted by linux at 8:03 AM on March 11, 2010

