August 10, 2012
And yet more boring advice…

If you have many email accounts (as so many of us do these days) but don’t much use some (as Mat Honan didn’t much use his me.com address), you shouldn’t be using one that you ignore as the place for any other provider to send password recovery emails.

And at a deeper level, it is careless to be ignoring any working email account. In the teachable moment of the week, the ignored account was an iCloud (me.com) account, to which Apple sent a notification message when they reset the password. That may seem silly, but if MH had forwarding set up on that account, or had a connected IMAP IDLE session from whatever mail client he uses, or even if he just checked the account every 10 minutes with a smartphone, he would have known of the crack in progress faster. With providers as careless as they have proven themselves to be, mail accounts get cracked. A user who doesn’t keep a trivial watch on an empty and unloved Inbox won’t see a crack when it happens. If you don’t exercise your ownership of an account, you won’t notice it being stolen.

August 9, 2012
Another Stab At The Apple & Amazon Pwning

Inspired by: Secret Security Questions Are a Joke - Slashdot

So-called “Security Questions” have been spreading in use as a mechanism for password recovery, but anyone who knows anything about computer security knows that they are not about securing anything, they are about loosening security.

That’s not altogether bad. The flipside of strong authentication is that it is easy for users to lose the ability to authenticate themselves. Passwords are forgotten, certificates are deleted, temporal PIN gadgets are lost or destroyed, etc. Having a way to reset the primary authentication mechanism helps mitigate that risk. However, the “security question” mechanisms in broad use are mostly far too loose because they draw on a common universe of research-vulnerable questions (e.g. “Mother’s maiden name”) and in many cases (as with Apple and Amazon) are mediated by humans whose jobs are mostly not focused on security, but rather on low-skill customer support for which their employers pay very little. It is not rational to expect that those workers will follow a rigorous security policy that requires them to take time and risk disappointing customers. No amount of security policy rigor can address the problem that security policy is routinely ignored.

It appears that the case of Mat Honan hinged on absurdly weak security question policy at Amazon and a failure at Apple to follow policy in regards to security questions. The best fix isn’t to tighten and try to enforce policy, it is to change the nature of the process. Authentication recovery mechanisms need to meet 2 simple criteria:

  1. The secondary authentication information must be truly secret, known only to the user and the provider.
  2. There must be no way for a special pleading to override the formal mechanism short of persuading the people who defined the mechanism that it should be bypassed.

This means that sometimes users will lose access to their accounts because they can no longer provide either the primary or secondary authentication factors. It may mean that sometimes real security professionals will have to listen critically to the sob stories of careless users. 

For the real world where that sort of change isn’t going to happen in most cases at any point in the near future, smart users must adapt to the fact that most service providers have de facto lax security. I included some user-relevant lessons in my last post but here are a few more concrete ways to stay safe:

  • When offered a choice, pick security questions with non-researchable answers. If your spouse or sibling could answer the question, it’s a bad one. If a Facebook “friend” could answer it, it’s worthless. 
  • Answer bad security questions with memorable and unique lies. For example, you might tell Apple that your mother’s maiden name is Wozniak or that you graduated from Cupertino High School, while telling Amazon that she was born a Bezos and you went to Seattle Country Day School (dunno if that even exists…)
  • Use an email service that provides a way to invent working unique addresses on the fly so that you can give a unique email address to everyone who asks for one. This is easier than you may think, since GMail supports “+” tagging and arbitrary insertion of periods in addresses.
  • Don’t let anyone store a credit card number in their system that can be used by any other vendor. I said this in my prior post but it is worth repeating.
  • Shun providers who behave badly. For example, some time ago a provider who shall remain nameless (as they may have changed) tried to “canonicalize” addresses I gave them by doing transformations on parts that might have been tags and trying to send mail to the modified addresses. Because I use my own complex and obscure mechanism for unique addresses this only meant that they bounced a few messages off my mail server, but the result was that I deleted my account and blocked all of their mail on my mail server.
  • Avoid the temptation of making any online identity a “hub” for everything you do online. Especially avoid this with free accounts (e.g. Google, Facebook, Twitter, Yahoo, etc.) because ultimately those are provided and governed at the whim of the provider. Apple accounts are slightly better because their email accounts are associated with you being a paying customer, but they also can have such serious powers (e.g. remote wipe) that it is unwise to have them hooked to anything else (like a GMail account) that might turn out to be part of an attack surface.
  • Be as autonomous as you can be. Having your own domain name is a start, but it’s just the prerequisite for a stack of DIY online services that you may or may not be up to handling on your own. At a minimum, having your own domain can be the basis for varying degrees of control over your email addresses that you really cannot have if you stick to using addresses in domains that you do not own. 
 

August 7, 2012
The Lessons of Mat Honan’s Very Bad Weekend Are Not Really New

The story is here: How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

This is only news because it happened to a writer for Wired. The “hack” didn’t expose any previously unknown vulnerabilities, the children doing it didn’t demonstrate any significant technical skill or use any sophisticated tools, it was essentially just a case of random vandals digging around online where they could dig easily and telling a few lies to “customer support” staff whose work can never be worth much more than the sub-median 3rd-world wages they are paid.

I’m NOT picking on Mat Honan here. It’s pretty clear that he’s a gadget guy, not a security expert, and as a journalist I’m sure he gets more and slicker pitches from hucksters who find security a nuisance than from security experts. Real computer security isn’t cool. It isn’t fun. It isn’t in any sense spiffy. If you think it is, you’re a geek. I do not say that as an insult, just to note that we are not normal. I have given up scolding normal people for not being security geeks. It’s pretty well proven that a lot of generally normal people love gadgetry but have no affinity for system security. Mat Honan wasn’t particularly careless or clueless, he just had never absorbed some clues that those of us who work in security have sadly stopped talking about much. Clues that are among the least cool, fun, or in any way spiffy lessons of computer security:

  • Any secret which you share with someone else so that they can authenticate your identity later is a password. That includes things that are not very secret (e.g. “mother’s maiden name”) that can be used to recover or reset “the” password. This means that “security question” access recovery mechanisms are de facto security-weakening tools.
  • Don’t use the same password for different accounts. This is a hard one, since it really is not practical to use a completely different password for every account without using a keyring tool, which ultimately is one password for everything. However, a secure keyring is MUCH better than using just one password everywhere or keeping all of your passwords in a plaintext note in some “cloud” service.
  • Don’t give anyone an unrestricted credit card number or bank account number to store for easy reuse. Yes, I know Amazon, PayPal, Apple, and others all really want this. They are stupid and effectively evil. Really. It’s not in a bad way; they don’t intend to be stupid or evil. That doesn’t make it much better. If you can’t resist easy one-click purchasing, get a Discover or other card that provides single-vendor numbers, so that you can’t break the previous rule with a card number. After all, a credit card number is a password to your money and Mat Honan’s example shows that even a part of a number can become part of a de facto alternative password to your account. The same card number linked to many accounts becomes a common and very weak password to them all and to your money.
  • An authentication system that has a fallback system that lets you recover from a lost or forgotten password is less secure than one which does not.
  • If it can be, human judgment almost always will be the weakest link in any security system. It takes an unusually weak assembly of mechanical security mechanisms to out-fail a person who has the power to circumvent it. If an authentication system includes the ability to call a human and beg for access, that will be the easiest way to break it.
  • Security and convenience are directly and intrinsically opposed to each other. Secure systems are not cumbersome and easy-to-use systems are not insecure as a result of poor design, but by necessity.
  • Using email addresses as unique identifiers for people is irresistible, so they become (sigh) a sort of secondary password. If you use one email address for everything, see the second clue…
  • Incumbent technical constraints are often not seen as part of security but may in fact be critical tacit assumptions for the security of systems that are perfectly functional — but are made insecure — with those constraints removed. Parables of this include WEP, the silly kerfuffle created by Steve Gibson over “raw socket” support in Windows, and a long parade of schemes to stop spam based on assumptions that spammers wouldn’t do things that they so far hadn’t done which basically only demanded audacity and motivation.
  • Email isn’t secure. It can be in specific cases and could be in general with existing tools, but in the real world as it is today the main protection most people have against undetected interception of their email in transit is the fact that there’s so much email in transit all the time and so much of it is pure worthless garbage. The “needle in a haystack” analogy applies, but a better one would be “corn kernels in the sewer.”
  • Backup is a critical security component because information loss is much more common than and usually worse than information leakage.
  • There are many degrees of security and many degrees of attacker. If you allow yourself to be “low-hanging fruit” you will be vulnerable to low-effort attacks from a huge population of weakly motivated opportunists. The other side of this is that very small improvements in how you maintain your own security can raise your vulnerability above where most random vandals will bother.

These boring old truths have implications for “Cloud” services that sell themselves as hubs for a digital life enabled by frictionless sharing and synchronization and yadda yadda yadda. Mat Honan did things that those of us who are Security Geeks have given up warning against. Those warnings make people who wear ties and sign paychecks doze off and wake up grumpy. We’ve spent the past decade or so biting our tongues and taking paychecks and hoping that it would all work out, but it hasn’t. It never will, because it fundamentally can’t. Systems and applications that are most appealing when used in fundamentally insecure ways cannot be made secure. Systems and applications whose security is dependent on end users practicing good security hygiene will not be secure. Systems and applications whose provider-side security is dependent on adherence to policy rather than operation of tools will always be crackable by social engineering.

None of this is news. Back when the press made a big deal of Kevin Mitnick as a great “hacker” it was known by many people who wore that label proudly with no connotation of criminality that he was in fact just a very good con man with unremarkable technical tools and skills. We have had standards, tools, and tested best practices for online security since before most people had heard of the Internet, but still most service providers don’t bother with them. There is a geek subculture where good security hygiene is the norm and then there’s the world at large where many people use one email address and one password and let all of their accounts everywhere interact freely with each other to the extent that losing one to a random script kiddie essentially means losing them all. People who don’t understand that they have to deal with inconvenience as a price of security and that they can’t rely on providers who promote convenience to maintain security will always be the easiest prey for the largest field of predators.



August 3, 2012
YourMembership.com is definitely doing it wrong.

Originally a comment on: Finding Motivation in “You’re Doing It Wrong”

Posted here because that comment is “awaiting moderation” and I doubt they have the integrity to publish it. 

That’s a remarkably timely blog post, given that I was made aware of your existence by spam sent on behalf of one of your customers through your mail system, with links to their website which is hosted on your facilities. How they got my address and why they assumed that I would want mail about an association I care nothing about, I can’t know. 

As someone who has dealt with email permissions issues professionally for nearly 2 decades, I am here to tell you: YOU ARE DOING IT VERY WRONG. The problems with this mailing started with the fact that they never should have had my address in the first place, but it was compounded by additional problems:

  1. The first contact they made was a pitch for an event. It offered no clues as to why they thought (perhaps innocently, perhaps foolishly, likely BOTH) that I was someone to be mailed by them for any reason at all. First email contact should ALWAYS be a confirmation of the address as belonging to someone who wants to be sent further email. 
  2. The message included a link “to update your email preferences” which redirected to their home page without showing any sign of doing anything. Was I unsubbed? Maybe. There’s no way for me to know.
  3. The mail and web facilities used and pointed to in the spam live in Time Warner/RoadRunner network space without proper SWIP or rwhois records and have names in the ymem.net domain which lacks a registered abuse contact or working MX. This makes you and your customers look sleazy, plus it means the first place they will complain about spam is not to you, but at best to your connectivity provider.
  4. You are sending mail with an arbitrary customer address used as the SMTP envelope sender. This makes it very likely that if they have an SPF record in DNS with a “fail” or “soft fail” default, the mail you send for them will get exactly that verdict, because your sending hosts are not in their record.
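To make point 4 concrete, here is an added example (not code from the original post or from YourMembership) of how a receiving mail server arrives at that verdict. It is a deliberately simplified SPF evaluator that handles only the mechanisms the scenario needs (`ip4`, `mx`, `include`, `all` with the four qualifiers); it does not implement the full RFC 7208 grammar (`a`, `ptr`, `exists`, `redirect=`, macros, lookup limits). The DNS records, domain names and IP addresses are constructed for the example rather than looked up.

```python
import ipaddress

# Constructed DNS data standing in for real TXT and MX lookups.
# customer.example: a customer that publishes a strict record listing only its own host.
# esp.example:      the mail provider's own sending range.
# customer-fixed.example: the same customer after adding an include for the provider.
TXT = {
    "customer.example": "v=spf1 mx ip4:203.0.113.10 -all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "customer-fixed.example": "v=spf1 mx ip4:203.0.113.10 include:esp.example -all",
    "customer-soft.example": "v=spf1 ip4:203.0.113.10 ~all",
}
MX = {
    "customer.example": ["203.0.113.10"],
    "customer-fixed.example": ["203.0.113.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # guard against include loops


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate `domain`'s SPF record against the connecting IP.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = MX.get(arg or domain.lower(), [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif name == "include":
            # An include matches only if the referenced record would return pass.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mechanism not supported by this simplified evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def envelope_verdict(envelope_from: str, sending_ip: str) -> str:
    """SPF is checked against the SMTP envelope sender's domain, not the From: header."""
    domain = envelope_from.rpartition("@")[2]
    return check_spf(domain, sending_ip)


if __name__ == "__main__":
    esp_host = "198.51.100.25"  # constructed: one of the provider's outbound relays
    for sender in ("events@customer.example", "events@customer-soft.example",
                   "events@customer-fixed.example", "bounces@esp.example"):
        print(f"{sender:32} from {esp_host}: {envelope_verdict(sender, esp_host)}")
```

Run as-is, the customer’s strict record yields `fail` and the soft one `softfail` for the provider’s relay; the two ways out are the ones a responsible bulk sender already uses, namely an envelope sender in a domain the provider controls (`bounces@esp.example` passes) or a customer record that includes the provider (`customer-fixed.example` passes).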

Because you act as a sole source for your customers, providing hosting, tools, and expertise, these are not just their problems, they are YOUR problems. Will abuse@rr.com get enough complaints to cut your connection off? Probably not. Will enough people report spam coming from ymem.net machines with links for ymcdn.com tracking bugs to public reputation systems and filter providers to cause real trouble? Probably not in the near term. Have people reported spam to their own mail providers adequately to make those aspects fodder for spam filters? YES. That’s something you may not notice until it is a big problem, but it is already reducing your deliverability a little.  

July 19, 2012
Because Allowing Most Marriages Is Not Good Enough

A professional acquaintance wrote a great piece for the StarTribune that actually might manage the trick of changing some minds on the issue of marriage equality and particularly the MN marriage amendment. Seebs (no one calls him Peter…) has quite the corner case, but like all good sysadmins he knows that a robust system has to handle those.


May 23, 2012
hellnope:

timecowboy:

Looking into the center of the universe. 

Who run the universe?
VAGINAS!

(via laineydiamond)

May 7, 2012
Microsoft and Kaspersky Jump on the Mac OS X Malware FUD Bandwagon

First, someone from MS dissects an exploit: An interesting case of Mac OSX malware - Microsoft Malware Protection Center - Site Home - TechNet Blogs. In the closing paragraph, there is this certainly true sentence:

In conclusion, we can see that Mac OSX is not safe from malware.

Then, Kaspersky’s Threatpost blog riffs on it without adding much beyond putting it somewhere more likely to be seen by security geeks: New Malware Found Exploiting Mac OS X Snow Leopard | threatpost. It has this mostly-true sentence:

Microsoft researchers have analyzed a new piece of malware that’s targeting Macs running Snow Leopard and found that the malware uses a multi-stage attack that’s similar to typical Windows malware infection routines.

So what is wrong here? Simple: the dissected malware DOES NOT EXPLOIT A VULNERABILITY IN SNOW LEOPARD OR ANY OTHER VERSION OF MAC OS X 

It uses an MS Office for Mac vulnerability. A stack overflow, the sort of thing no competent developer has allowed in release software in over a decade. (But of course this is MS…) It was fixed in a patch by MS almost 3 years ago. MS Office for Mac has an autoupdate gadget of its very own that is on by default. MS Office for Mac is also an overpriced, shoddy, and usually superfluous piece of bloatware that isn’t exactly rare on Macs, but it is far from universal. The exploit requires getting a user to open a maliciously crafted Word file with MS Word (or possibly with other MS Office programs that use the same code.) Even Mac users who have Word installed often switch the default handler for Word docs back to TextEdit (the simple text editor that comes with Mac OS X) because if you don’t keep Word open all the time, starting it up is a painfully long process. For most work with most files, TextEdit is all you need. Launches in a couple of seconds.

Nobody worth listening to says Mac OS X is “safe from malware” in an absolute sense. It never has been. Yet there’s been no claim or evidence that this particular malware is widely distributed or even capable of wild propagation. It isn’t particularly remarkable, it isn’t even clear that it is all that new. It looks to me like a “spearphish” payload: something used to attack a particular known-vulnerable target, not something used to take control of a large number of machines. This is moderately interesting for people in the business of security, but it isn’t a serious threat.

What is far more dangerous than the MS09-027.A exploit is the cynicism that pervades the Mac OS X user community about the commercial anti-malware industry. For many years we have had a trickle of malware species targeting Macs which have with one very recent exception (Flashback) posed no risk to users who practice the simplest sorts of careful behavior. Almost every one of them has been trumped up by opportunists in the commercial anti-malware industry as the first drop in the coming deluge of Mac malware. Because that deluge has yet to materialize and because many Mac users are not idiots, the whole industry is seen as the Boys Who Cry Wolf by the Mac community, and that skepticism also holds sway at Apple. But Flashback has shown that there IS a wolf. It’s time for the software security community to address the Mac community as rational adults instead of continuing to try to work up irrational fears over narrow risks. Stop trying to tell us that our machines are at the same risk as Windows machines: we can see that they are not. Stop trying to sell us the same bloated software monsters you have to create for the Windows world: we know we don’t need all that. The old-timers in the Mac world remember what good AV protection looks like. We remember the death blow dealt to the embryonic MacOS malware environment in the 90’s by Mac-specific tools like Gatekeeper and Disinfectant. While there may be valid reasons to expect that more aggressive approaches are needed to fight off the more robust flora that are trying to come back to us after a long evolution in a friendlier environment, we won’t buy the argument that we need to accept the same tools that are used on Windows with Mac skins on them. We need Mac tools. We need proof that the software security industry actually understands the Mac OS and the Mac community, because they’ve provided a decade of evidence that they understand neither and worse, that they don’t take the platform or its users seriously. 

May 4, 2012
Failure to Deliver != Intentional Bullshit

[ Originally posted as a comment at Eclectablog ]

Like why didn’t he fulfill the campaign promise, one of the cornerstones of his campaign btw, to close Gitmo?


Because a bipartisan coalition of paranoid imbeciles in Congress passed a bill forbidding it. How can anyone who brings up Gitmo not know that? 

Why has he not called for an investigation into his AG for the gun running program he signed off on, or for lying to congress, who is about to charge Mr Holder with contempt of congress

Good question. I think Holder has spent 3 years demonstrating that his time out of government did not include acquisition of a moral compass or growth of a backbone, despite appearances 3-4 years ago. He has proven himself unfit for his office, and his failure to fire everyone involved with F&F the day he learned of it is an important part of that proof.

Why is it that Obama, who promised in his campaign that his government would be transparent, and open, has commissioned the CIA to run a secret drone bombing campaign that’s targeted civilians on multiple occasions?

See Brennan’s discussion of that this week. I think it is an implausible claim that the drone program has “targeted civilians” for any rational definition of those words, and such claims are never made by anyone who can credibly claim to know. 

As for transparency, a military program is the last place you will ever find it. If you want transparency, try http://www.recovery.gov. Reversing the natural tendency of government to operate opaquely and the active promotion of that under Bush is a large slow process. If you had listened carefully to Obama, you would have noted that he made relative promises about transparency, not absolute ones. I think he’s met the promise to be “more transparent” and maybe even the “most transparent”, even if he’s not making the CIA publish daily operational planning reports. 

why is Obama’s justice department acting as a proxy for the entertainment industry in an unconstitutional attack on a file sharing company? This is clearly a civil case, yet Holder’s crew is prosecuting the case in a criminal trial

I don’t think it is at all clear that the MegaUpload case is not criminal in principle, although it does seem clear that there are technical challenges with enforcing US criminal law against foreign corporations that were not met (and maybe couldn’t have been) in this case. I think this is another case of Holder going along with a corrupt bureaucratic establishment that is in the habit of doing anything in the intellectual property realm that the lawyers from Disney, Universal, Sony, et al. can give them a rationalization for. 

As for that reflecting on Obama, I think that has to be informed by an understanding of how the federal government and especially the DoJ should function.  I think that the Holder Problem has been made worse by the fact that Obama doesn’t see the Reagan/Meese or Bush/Gonzales cases as the proper models for how a President should relate to an AG. Holder’s serial failures are his own and only reflect poorly on Obama in the sense that the appointment was a mistake that has played out as such in a predictable way. 

So which is more odious? Some stupid campaign lies, which will be flowing fast and heavy from both sides over the coming months,

Arguing from the assumption of purely hypothetical future events is about as weak as it gets. There are gradations of untruth due to the imprecision of words and the human capacity for sincere misbelief, so there really can’t be a valid argument that all sides are equally guilty of the sort of bullshit called out in this case until such time as there is a concrete example. Based on their respective track records, I think it is ridiculous to suggest that Romney and Obama will engage in comparable sorts of “campaign lies” in the coming 6 months. Romney hasn’t managed to personally alienate 2 batches of nomination contenders by accident, he’s done it largely by a pattern of carefully crafted and practiced dishonesty.

or the actual bombing of innocent people and subjugation, once again, of the constitution by the sitting administration?

Apples and oranges and hyperbolic hogwash. 

I’m all for ending all killing of innocents in war, because I’m all for ending war, which always kills innocents and always will.  I think the Forever & Everywhere War crafted for us by the prior administration for strategic domestic political ends  remains a huge intractable problem that has no ethically pure solution which can actually be executed by any President. Our architected state of war is to some degree working as designed, but I think Obama has followed an unexpected path to dismantle that design by finding colorable “victories” to end the various sub-wars one by one. It is clear from Romney’s choice of advisors and spokespeople on military and foreign policy that he is fully on board with the strategy of a permanent state of unwinnable war against a vaguely defined enemy (the “Not With Us” legions.) As cynical as it may be, Obama has declared victory and left Iraq (which is hardly a peaceful place) and has lashed US policy to a similar path in Afghanistan, with victory pre-declared for 2014 and a decade of vigilant friendship declared for the ensuing decade without regard to actual events. I’m not sure I understand what endgame plan is served by the CIA drone campaign, but I expect there is one. Given the alternatives of a proven track record of overall reduction in the scope and intensity of our warfare or promises to reverse that trend, the right choice is clear to me even if it isn’t one I’m excited about making in this area. The option of rapidly dismantling the military-industrial complex  and de-imperializing our foreign policy isn’t being offered by anyone realistically capable of winning the Presidency, and it hasn’t been for a very long time. Anyone who believes Obama ever offered that was not paying attention. Since I never held that delusion I’m not particularly disappointed. 

May 2, 2012
Obama Is No George Bush.

We got a demo yesterday of how wrong all of the “Obama=Bush” bullshitters are and always have been. 

The agreement he went to Kabul to sign helps cement the plan and timetable that has been in operation since the so-called “surge” in Afghanistan that Obama initiated in late 2009. It’s easy to criticize that plan, but it has the very important features of being a plan with a timetable for ending our occupation of Afghanistan requested by the Afghan government. Last night, the President referred to the ongoing phased reduction in forces that will be complete by 2014 as the end to our “time of war.”

That is a highly significant choice of words. Consider what Bush did with the political and legal leverage of the idea that we were “at war” for 7 years. The war in Iraq was rationalized with an edifice of lies, but at the base of that structure was a truth: we were “at war” with a vaguely defined enemy under a vague Congressional authorization for the use of military force. Bush’s failure to take out bin Laden in battle at Tora Bora was entangled with his strategic goal of launching a war in Iraq. Whether one believes that the failure was merely a consequence of a strategic error influenced by the contingencies of prepping for Iraq and a loss of focus or (as I do) that allowing bin Laden and many others to escape into Pakistan was an intentional choice, it is matter of fact that the consequence of that blunder was the loss of any notional path to a decisive victory in Afghanistan. It became a contest for hearts and minds against an enemy whose leadership was safe from our military: a war that could never be called “over” no matter what we did. Having a war which never can be won or lost and which never calls for intensification is useful to an unscrupulous politician, particularly one who wants to start another war and to justify an attack on domestic civil liberties. Bush used the ongoing and going-nowhere war in Afghanistan politically and legally to justify the invasion of Iraq and the advancement of an authoritarian revolution in US law and public policy. The latter is clear in the rationalizations of torture and the legal arguments over the Guantanamo Bay prison, but it extends to the so-called Patriot Act, “homeland security” projects, and even the uses of the “unitary executive” theory in widespread areas of domestic governance. Agencies like NASA and EPA found themselves with political overseers silencing their scientific work on the pretense that as Commander in Chief in wartime, the President had no limit to his power over the Federal government. 
The highly flexible authorizations given Bush for both wars were used to expand executive power and weaken the controls on politicization of government functions. The wars without end also provided cover for insane fiscal and economic policies that led to the 2008 collapse and the current political gridlock over the budget: artificially low interest rates, deficits, spending tilted towards military rather than domestic needs.

Obama has followed through on the withdrawal from Iraq that was negotiated in late 2008 as he was campaigning on scheduled withdrawal and McCain was still rejecting the whole idea. He has negotiated a similar plan for Afghanistan despite resistance from the Right and he has cemented that plan with a long-term agreement for strategic cooperation that is predicated on ending our combat deployment by 2014. Force reductions have started and will continue. He has described this in a major address to the nation as an end to our time of war. Could anyone believe that Bush would have EVER given up the productive tool of a Forever War? John McCain made it clear in 2008 that he wouldn’t. Much of the GOP has been agitating for war with Iran, a project that Obama shows no signs of adopting. You can call this a cynical declaration of victory to cover a retreat but even if it is, how is it a bad thing? Is there anything to be gained for anyone for the USA to frankly declare Afghanistan a lost cause as a premise for withdrawal instead? I think not. Should we pull out as fast as possible and tell the people of Afghanistan that they are on their own in holding the Taliban at bay while they figure out how to govern their country sanely? I think we tried that once, and it was bad for them and for us. 

I think that Obama’s choice of words is important, and that it raises the profile of the real stakes of the election. Those who have argued that it does not matter if Romney wins because Obama has not reversed the damage done by Bush using the excuse of war need to review their estimations. Does anyone really believe Romney would stick to Obama’s plan to give up the excuse of war by 2014? One need only look at the way he has pandered to the Far Right for the past 4+ years and adopted Loyal Bushie neocons for foreign policy advice to change that belief. There will be no end to war with Romney. We have a timetable for an end with Obama. It matters. 

7:21pm  |   URL: http://tmblr.co/ZaUL7yKmDXM2
Filed under: politics rant 
May 1, 2012
Standards Compliance Ain’t What It Used To Be

[Original version awaiting moderation as a comment on Maxthon Browser Beats Chrome and Tops HTML5 Test! | Tech18]

There are major problems with the so-called “HTML5 Test” being cited here. Some are admitted to and rationalized at http://html5test.com/about.html, but that apology for the test creator’s choices fails to address issues such as fundamental security problems with some tested features, incomplete specs for some HTML5 features, and unsettled questions about which new features will actually be included in HTML5. Any compliance test is premature, and this particular test, which arbitrarily hands out points for non-HTML5, deprecated, and incomplete features, is a great demonstration of how bad such a test can be. 

Maxthon may be a great browser, but it says nothing good about its developer that he cites this lousy test.

This is a trend. 
The HTML standards process has morphed from defining a basis for interoperability into a project defining a new model for networked applications of all sorts, and while that is not a bad thing in itself, it has created a new meaning for “standards compliance” that is far beyond what that phrase has meant for web browsers in the past. HTML5 is not yet final and parts are not merely lacking final approval, they are lacking full specification. When complete, it will include features that have no place in general-purpose browsers due to privacy and security issues, and even in specialized tools that act as web clients for single apps those issues will be serious until such time as infrastructural components such as DNSSEC and a trustworthy TLS/X.509 environment are safely assumable. As a result, a browser that implements “all” of HTML5 as it stands and exposes all features to a public website is not necessarily a better browser, it may well be a worse browser than one which doesn’t implement some features or walls them off from use by arbitrary sites. It used to be that pedantic geeks like me flogged the “standards compliance” dead horse to shame browser and site developers into making the web more accessible and transparent, but now we need to start thinking more carefully about specific types of compliance and carefully chosen non-compliance. 

April 24, 2012
Sophos fires up the FUD machine.

[A slightly worse version is “awaiting moderation” as a comment on the Sophos blog: 1 in 5 Macs has malware on it. Does yours? | Naked Security]

It is irresponsible fear-mongering to claim that the Windows malware widely present on Macs is in a state that “can still be spread to others” without backing that claim up in detail. 

The top two families you cite are carried in email, and are readily identified as “spam” by eye or by low-end spam filters like those used in Mail.app or by most consumer mail providers. It certainly is possible to forward email, but forwarding infective spam is an unusual act. Some of the others are things I would expect to find in the browser caches of reckless wanderers, but they are hardly an infective threat to anyone from that position.  

The comparison to Chlamydia is worse than tacky, it is outright deception. Chlamydia is frequently asymptomatic in the short term, but it is living and causes problems in the long run. Chlamydia is not less transmissible by people who have no acute symptoms. For malware that requires Windows to run and propagate, presence on a Mac is not a quiet infection, it is (at worst) non-destructive storage. In some cases storage itself renders the malware inert over time, because the attack vector depends on finding control systems online that don’t live in any one place forever. 

One of the reasons Mac users have been reluctant to adopt AV software is that it is perceived as bloatware that does nothing of direct value for a Mac user. Is it worth the AV overhead for the average Mac user to know when he has surfed past a page that has IE-specific evil JavaScript in it or when the latest blatant phish in his Junk folder is recognized specifically as containing a Windows attack vector? Not really. Flashback and PubSab change that analysis significantly, but not enough for a lot of Mac users. Maybe if the major AV vendors could claim to have prevented infections before Apple’s sluggish fix for the Java hole they would be more convincing.

I am not saying that all Mac users who choose to run bareback are behaving wisely, whether or not they rationalize that decision based on the de facto Windows focus of all AV software. However, it would be a lot easier to persuade Mac users who DO rationalize their recklessness if there was a lightweight Mac AV tool that didn’t spend most of its time worrying about Windows malware.

It would also help if AV vendors stopped spewing blatant bullshit in an effort to scare Mac users into buying their tools. The simple truth really ought to be adequate without dressing it up in nonsense. 

I should add that while I have copies of some free versions of commercial Mac AV software and have a clamav installation whose database is updated automatically, I run bareback. Clamav only scans things when I manually ask it to, I have not installed any of the commercial packages, and I have no intention of making anything act as automatic protection for me. That’s not because I think the cost/benefit analysis is generally correct, but because:

  1. I work in security and so occasionally have a need to work with blobs of data that are or may be malware.
  2. I have a huge junk email archive that I access via IMAP using multiple MUAs and can’t be bothered to exempt all of their local stores just to please some aggressive AV. 
  3. Under normal conditions I practice meticulous computer and network hygiene. This may not provide perfect protection, but it has held for a long time. Someday a trojan may fool me, but none has yet… 

I do think that it is time for Mac users to accept the end of the era of general Mac safety. It was always a bit more myth than reality, but one that has held up over the years in part because of the FUD that has periodically spurted out of AV vendors to meet rapid debunkery. Mac users have had an arguably rational skepticism protecting our myth. I wish that now that the AV vendors have a real wolf to be telling us about, they’d stop turning it into a ravening horde of Wargs. 


April 14, 2012
The Roots of Flashback Denialism

[Originally posted as a comment on a CircleID post]

People who have watched the issue of Mac malware for a long time have some special reasons to be skeptical of Flashback hype. I absolutely agree that some of the expressed skepticism is at odds with reality, but it is understandable. 

First, it is important to understand that AV vendors have been episodically firing up their best FUD generators for a decade to convince Mac users that they should all go out and buy AV software for every Mac now because the Mac Malware Apocalypse has started. That premise was never true before last week. Second, Flashback is a cowardly species of malware that runs away from geeks’ Macs. It makes no attempt to infect if it finds any of a number of common apps, including Xcode (Apple’s free IDE), multiple AV programs including ClamXav (a GUI wrapper for the free clamav package), network monitoring tools, and even MS Office (presumably due to gross incompatibilities that would reveal the malware). Having Xcode installed is pretty common, since it has been the normal means of getting tools installed for use in cross-platform open source software and so is usually installed by anyone who has used environments like Fink, MacPorts, or Homebrew to get access to that realm of software. Most of the other things that scare off Flashback are also somewhat more likely to be installed on systems used by people who are attentive to the risk of malware on their Macs. Finally, those of us who have been using Macs long enough remember that there used to be a real MacOS malware problem in the System 6 and 7 era, and the dominant folklore (which includes seeds of truth…) is that we essentially solved that ourselves despite the commercial AV racket and Apple, rather than in cooperation with them.

The result is that with a penetration on the order of 1%, Flashback has infected a very large number of Macs but it largely has avoided the Macs of people who are attentive to the risk of malware or who otherwise care about what’s “under the hood” of their Macs. That population sees no Flashback in their world unless they happen to also work with other sorts of people’s Macs. They also are likely to understand that the AV industry has been crying wolf for a long time to sell products to them that are de facto worthless and frequently destabilizing. The Mac “Power User” community has been conditioned to distrust AV vendors and to trust in their own behavioral discipline to keep their machines clean.

Unfortunately, that conditioning has made some of us who ought to know better reflexively scoff at the Flashback stories. It takes a little discipline (or maybe just the right amount of ADD…) to see the mass media coverage and react by hunting down the original sources to judge their credibility instead of just firing off a scoffing response because that’s been an appropriate thing for the last 5 similar stories. 

Flashback IS DIFFERENT. Those of us who are uninfected despite our lack of maximally paranoid AV in service cannot credit our morally superior self-discipline or the magical invulnerability of MacOS X for our pristine state; we can only be grateful that the first seriously dangerous malware species avoids exposure-prone systems, and for our luck in its being discovered in the wild when infection was still around 1%. The next exploitable gap might not have the visibility of a major Java flaw, and Flashback has provided a useful lesson in how to attack MacOS for script kiddies who may not have previously bothered to look at how the dynamic runtime linker works. 
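The post mentions the dynamic runtime linker without spelling out what a Mac user would look for. One persistence mechanism publicly reported for Flashback variants was setting DYLD_INSERT_LIBRARIES, either in a browser bundle’s LSEnvironment (in its Info.plist) or in the per-user ~/.MacOSX/environment.plist, so that dyld loads the malware’s library into the targeted process at launch. The script below is an added example, not code from the post or from any AV vendor: it audits both locations for that setting. The sample tree it builds (Clean.app, Safari.app, the library paths, the home directory) is constructed here purely so the audit runs offline; on a real Mac you would point find_dyld_injection() at /Applications and the real home directory.

```python
"""Added example: audit .app bundles and the per-user environment.plist for
DYLD_INSERT_LIBRARIES persistence of the kind reported for Flashback.
build_sample_tree() creates a constructed fixture so the audit runs offline."""
import os
import plistlib
import tempfile

# Per-user launchd environment file (applies to every GUI app the user starts).
ENV_PLIST_REL = os.path.join(".MacOSX", "environment.plist")


def _load_plist(path):
    """Parse a plist file; return {} if it is missing, malformed or not a dict."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except Exception:  # missing file, bad XML, or not a plist at all
        return {}
    return data if isinstance(data, dict) else {}


def bundle_lsenvironment(app_dir):
    """LSEnvironment of an .app bundle: variables set for that app at launch."""
    info = _load_plist(os.path.join(app_dir, "Contents", "Info.plist"))
    env = info.get("LSEnvironment")
    return env if isinstance(env, dict) else {}


def find_dyld_injection(applications_dir, home_dir):
    """Return [(location, injected_library_path), ...] for every place where
    a DYLD_INSERT_LIBRARIES setting would force a library into processes."""
    findings = []
    # 1. Per-application injection via LSEnvironment in the bundle's Info.plist.
    if os.path.isdir(applications_dir):
        for name in sorted(os.listdir(applications_dir)):
            if name.endswith(".app"):
                app = os.path.join(applications_dir, name)
                lib = bundle_lsenvironment(app).get("DYLD_INSERT_LIBRARIES")
                if lib:
                    findings.append((app, lib))
    # 2. Per-user injection via ~/.MacOSX/environment.plist.
    env_plist = os.path.join(home_dir, ENV_PLIST_REL)
    lib = _load_plist(env_plist).get("DYLD_INSERT_LIBRARIES")
    if lib:
        findings.append((env_plist, lib))
    return findings


def build_sample_tree():
    """Constructed fixture (not real system state): one clean bundle, one bundle
    with an injected library, and a user environment.plist injecting another."""
    root = tempfile.mkdtemp(prefix="dyld_audit_")
    apps = os.path.join(root, "Applications")
    home = os.path.join(root, "home")
    samples = (
        ("Clean.app", None),
        ("Safari.app", {"DYLD_INSERT_LIBRARIES": "/tmp/example_injected.dylib"}),
    )
    for name, env in samples:
        contents = os.path.join(apps, name, "Contents")
        os.makedirs(contents)
        info = {"CFBundleIdentifier": "com.example." + name[:-4].lower()}
        if env:
            info["LSEnvironment"] = env
        with open(os.path.join(contents, "Info.plist"), "wb") as f:
            plistlib.dump(info, f)
    os.makedirs(os.path.join(home, ".MacOSX"))
    with open(os.path.join(home, ENV_PLIST_REL), "wb") as f:
        plistlib.dump({"DYLD_INSERT_LIBRARIES": "/tmp/example_user_injected.dylib"}, f)
    return apps, home


if __name__ == "__main__":
    apps_dir, home_dir = build_sample_tree()
    for location, lib in find_dyld_injection(apps_dir, home_dir):
        print("DYLD_INSERT_LIBRARIES set in %s -> %s" % (location, lib))
```

On an actual Mac the same two checks are what `defaults read /Applications/Safari.app/Contents/Info LSEnvironment` and `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` show. A hit is a lead, not a verdict: DYLD_INSERT_LIBRARIES has legitimate debugging uses, so look at what the named library is and who put it there before deleting anything.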

April 5, 2012
Cyber-Schools give online education and educational reform a bad name

[Originally posted as a comment to a post at Eclectablog]

The real problem with “cyber-schools” is that they get farmed out to scam operators like K-12 Inc. whose business is making money, not educating students. Entangling the idea of online education with the train-wreck of for-profit charter schools is a mechanism for expanding the conversion of government from a provider of public goods and operator of public institutions into a machine for funneling money from taxpaying citizens to corporate managers and shareholders.

I have been an advocate for online education literally since I was an elementary student myself, when it was considered a crazy sci-fi concept and the Internet was a DARPA toy. There are sound arguments for expanding online education, grounded in the fact that kids learn in different ways and at different paces that can’t all be served optimally by the traditional classroom model, and in the problem of needing a critical mass of students to justify specific classes at the high school level. I was very fortunate to have attended a very well-funded public school system that could afford to hire and keep highly-trained and highly-skilled teachers to handle classes as small as 5 students in advanced levels of unpopular subjects like Chemistry, Calculus, and a half-dozen foreign (and/or dead) languages. Most schools cannot do that, and it was only feasible for some in the past because of the inequitable funding models of the time. Cyber-schools are often pitched as the ultimate solution to critical mass and individualized curriculum issues, but they are bundles of failure in areas that traditional schools handle reasonably well, such as the non-coursework skills of following a schedule, working with peers and supervisors (i.e. teachers), and general functioning as social beings. It is also a fact that physical schools serve critical roles in the functioning of our society: providing adult supervision for children so that parents can hold jobs, being a point of contact for kids who need help beyond their parents, and even assuring that kids have access to basic nutrition. 

Rather than creating “cyber-schools” in a way designed to dismantle public education, we should instead be trying to get schools to leverage modern technologies where they can address some of the real problems schools have with educating all of their students well.  That might end up reducing the number and nature of jobs in schools, but it also might mean that teachers can be more focused on their areas of interest and be able to find stable jobs that are highly motivating. The point of educational reform shouldn’t be to preserve unionized teaching (or other) jobs and it shouldn’t be to demolish the public education system for profit-driven or ideological purposes. The point should be to educate more students well and fewer students poorly. 

March 14, 2012
Beating Up on Batali is the Wrong Battle in a Stupid War

[Originally posted as a comment at: Pig | Suburban Guerrilla and somewhat expanded/edited here]

I’m not about to say that what Mario Batali was doing in skimming tips was anything close to ethical or even technically legal, and in fact it was probably neither, or he would likely not have agreed to a settlement in the millions. I’m not a lawyer and I haven’t dug up any of the filings in PACER, so I don’t know what the detailed arguments on either side were or whether they were valid. Much of the journalism on this seems to be either tediously and trivially partisan (In These Times) and/or devoid of detail (WaPo), so it isn’t clear why it took 2 years to settle, but that period strikes me as about how long it takes for a class action case to get to the point where both sides have run out of ideas for getting rapid unilateral victory and accepted that they have to either settle the case or start the real work of going to a real trial that they cannot be sure of winning. 

What is abundantly clear as objective fact is that this was not a criminal case but a private civil class action case, so calling Batali a “common criminal” is unjustified hyperbole. It is also clear from the available figures and simple arithmetic that since the settlement of over $5 million is for a claim of skimming less than 5% of tips for about 1,100 people, they averaged around $100k in tips in the 8 years involved and are accepting a bit less than $5k each on average to settle. This is not a typical sort of restaurant labor dispute, and it is being settled, which means that both sides in the dispute over how tips were handled have agreed on a resolution involving a significant payment of restitution. It is a private battle that is over except for a judge looking over the settlement and approving it, which is usually a formality to assure that the whole “class” in the action is being treated fairly and that the agreement isn’t in some way a ‘sweetheart’ deal for both sides to screw someone else. This battle was small and private and is basically over. 

Also, a note of reality… The handling of tips, tipped employees, tip equity, tipping via credit cards, etc. is rich with legal oddities and vagueness, unfair traditions, endemic ineptitude, and almost universal technically criminal violations of labor and tax law that it would be wrong to prosecute. If you can find 2 lawyers who will give consistent formal advice on tip policies, you can safely bet that they are either in collusion or are plagiarizing the same probably-wrong sources. A war in defense of tipped workers’ rights to their tips is stupid. The whole system of having tipped workers with a distinct set of work and compensation laws and traditions is a bad thing. It can’t be fairly regulated without extreme complexity and vagueness. It is endemically handled with varied degrees of casual and unthinking graft, tax evasion, and worker exploitation of many flavors. I don’t have a detailed policy proposal for a perfect solution, but what we have in law and tradition and practice adds up to a big pile of shit. Defending a particular shape and texture for a particular region of that pile is stupid.

I’m in no position to patronize any of Batali’s restaurants and haven’t seen him anywhere on TV except on The Daily Show (or was it Colbert?) in many years, but I do know a good rule for customers at any restaurant who want to minimize unfair tip handling: tip with cash. Even in places where tip division is done fairly and management takes nothing, card systems will never fail to take their cuts. In addition, cash tips will in aggregate get reported for division and tax purposes based on the aggregate ethics and situational knowledge of the server getting them, and that is almost certain to be better (if not more legally sound) than that of management as influenced by lawyers and card handlers.


February 28, 2012
I really wish all medical research was handled more scientifically.

[First posted as a comment on “Sleeping pills increase risk of death, study suggests | Science | The Guardian”]

There needs to be a basic sanity check when leaping from ‘association’ to ‘causation’ in this study’s results. There are just under 2.5 million deaths annually from all causes in the US. Both the crude and age-adjusted death rate in the US have been dropping for at least 3 decades (See: http://www.cdc.gov/nchs/data/nvsr/nvsr60/nvsr60_04.pdf). During that time, many new benzodiazepine and non-benzodiazepine sleeping pills have been developed and marketed, and the use of prescription sleeping pills has exploded.

The study says 6-10% of all American adults took some hypnotic drug in 2010. It also states that “hypnotics may have been associated with 320k-507k excess deaths in the USA alone.” Statistically, one would expect them to be “associated with” 150k - 250k causally unrelated deaths per year, i.e. 6-10% of those who died would have happened to have taken a hypnotic in their last year. If those ‘excess’ deaths were in fact causally attributable to hypnotics, they would be bigger killers than any other related grouping of death causes reported by the CDC other than heart disease and cancer. 13-20% of all deaths. 1-2% of all users dying every year as a result of hypnotics. These are not numbers that could hide in the noise of mortality data. It is simply not credible that the numbers of this study can be extrapolated as the authors unfortunately extrapolate and describe them.

I say “unfortunately” because I don’t doubt at all that there is something worth a better look in their hypothesis, and they seem to have taken the job analyzing what data they could get quite seriously and done what looks like a mostly competent and honest job in that. The problems are that they make weak arguments for generalizing their data to the USA as a whole from a highly non-representative sub-population, they seem to have made sampling choices that exclude significant sets of likely outliers from both cohorts, and their rationalization for not attempting any form of control for a wealth of mental health issues borders on the ridiculous. And then they wrote hyperbolic and unnecessarily inflammatory conclusions.

The referenced study was published in “BMJ Open” whose editorial quality I can’t really judge well, but it seems to me that while publishing full articles with their data openly is a great and good thing, the apparent rejection for the BMJ proper might imply some critique that the editors are not quite willing to express explicitly. I’m too many years away from involvement in scientific publication to really know… 

However, I look at the sampling strategy and stats in that article and shake my head in disbelief. Back before I abandoned my unpromising career in science (under the strain of working for an MD “lead” investigator with weak integrity and no leadership skills) I recall agonizing over confidence intervals and sampling approaches and sanity checking results and so on. Even with a flawed egotistical despot running our lab and demanding results in terms that bordered on suborning fraud, a paper like this one never would have made it out the door for review. It’s much too loose. It’s far too questionable. It is much too insulting to other researchers and to the many patients who know damn well that hypnotics can have concrete immediate benefits. The data makes a compelling case for more study. The conclusions voiced by the authors undercut that case by obviously overselling their results to the point where they seem like irrational cranks. The “journalism” of the Guardian in their report is on a par with most science reporting: craptastic and misleading. 

Update: This study also hit the Slashdot front page, and I added some more blather in a comment there, some of which I think makes sense to add here… 

Hypnotics are often taken by people for whom insomnia is a secondary condition grounded in deeper problems. That doesn’t mean the hypnotics are not very useful in enabling them to address the deeper problems, just that the drugs are only treating a symptom and not the symptom’s cause. Speaking from personal experience, a dozen doses of Ambien taken over the space of about 2 months during the breakup of my first marriage were critical to saving my job, my ability to eventually pull out of a deep depression, and possibly as many as 4 lives. When life is slicing deep enough that you cannot sleep for days on end, the lack of sleep itself gnaws on the stripped bones of sanity. Any description I can give of that time in detail would be unfair, but the objective fact is that at one point I was in my regular doctor’s office crying like a baby, and it was not because of the spectacular pain of the urethral swab I made him take because I feared having contracted an STD by way of my wife. He had the good sense to spend a little extra time with me and eventually sent me away with a sample Ambien, a scrip for more, and a set appointment with a therapist.

The main recommended use of hypnotics is for short periods in cases where insomnia itself is compounding a patient’s problems and more comprehensive treatments for underlying primary causes are too slow and/or are impeded by the effects of insomnia. Real primary insomnia that can be managed with hypnotics is pretty rare. A valid conclusion from the study is that people in one HMO serving rural PA who are being prescribed hypnotics are not getting adequate overall care, and that the inadequacy correlates with the amount of hypnotics that they are being prescribed. The authors claim (and I tend to believe them) that there is a growing consensus that CBT is a better treatment for chronic insomnia, but CBT is not something a doctor can write a scrip for and have the patient sleeping soundly that night for a few bucks. In the best cases, a doctor may do as mine did: prescribe the pills AND arrange for therapy for a patient whose overall mental functioning is severely degraded. CBT can also uncover and address underlying conditions like depression, OCD, and others where insomnia is really just a symptom of a more complex primary disorder. Of course, if you are a researcher specializing in retrospective studies of this sort who has been given access to a very large data set of patient records by an HMO, you don’t have a strong incentive to write an explicit conclusion that this HMO and their doctors are just prescribing cheap drugs wildly while not referring patients to expensive months-long rounds of talk therapy. It is more judicious and discreet to conclude that the whole of the USA is reflected by your sampling (even if that leads to absurd conclusions) and mention almost as an afterthought that other therapy should be used more. 
