Fake installer malware makes its way to Mac | TUAW – The Unofficial Apple Weblog

Fake installer malware makes its way to Mac | TUAW – The Unofficial Apple Weblog.

When it comes to installing things on your Macs I often times advocate a rather carefree attitude. One thing that has always been true, and this article just nails home the point, is that even the most secure system can fall if the person holding the keys is tricked or cheated into opening the door.

I have said to many people whom I’ve given computer advice, if you have doubts, please contact me and I can look at it and give you advice. It’s free, and I’d rather help in the vein of “An ounce of prevention is worth a pound of cure.”

Superpass Password Hasher

Superpass Password Hasher.

This site has a rather novel approach to dealing with passwords. I see this a lot in both my personal and professional life, especially when people lose their computers. The question looms ‘Did you… ?” and usually the answers aren’t very good at least from a security standpoint.

One of the biggest things that people can-and-should do is keep individual passwords for every single site they access. Most people could approach this via tools like my beloved 1Password but this may be another approach that might also work. It uses an encryption staple called a hash to generate a multi-character password based on some simple password, a salt (which is used to increase the randomness that is added to the encryption routine) and the domain you are working with. It’s quite elegant in that it offsets the need to store individual passwords because it, supposedly, relies on stable domain names to provide password reproducibility. Each time you enter your simple password, and the domain name hasn’t changed, you should get the same hash over and over again. I still think that 1Password is still the best choice for everyone, but this might be a good starting place especially if cash is tight and you can’t swing a 1Password license.

UPDATE: After trying this out I discovered that it only really works well on plain sites like Google.com. If you go to any other sites, like Apple or nytimes.com the code breaks down on Safari. I couldn’t get it to even work on Firefox 13 on the Mac, so perhaps this isn’t as robust as I had hoped. The idea is still good, however. For what it’s worth.

International Day of Lying

People need lies. Lies are good.

At least when it comes to your online identity. I’ve been reading a few things here and there with people who are quite upset that Mark Zuckerberg is seeking ways to dodge his fair share of paying taxes and these people are very upset that Facebook is making money off their personal details – their lost privacy.

So how does one regain lost privacy? Simple, lie. Lie right through your teeth. Make lying an art form. Create a fantasy life out of pure whole cloth and make it as bombastic and marvelous as you have creative chops to make it!

In fact I think everyone should do this. Right now. We need a international day of lying. Everyone needs to log in to Facebook, Google Plus, and Twitter and go to town. Change the years, fiddle with the places, come up with schools you didn’t attend and live in cities you have no idea about beyond their brief entries in Wikipedia. Make it all random, make it monumental, but above all else, make it a lie. A big beautiful fantastic fabrication!

To that end, I’m going to edit my Facebook to this end. It’s going to feel good. Oh so good. Why don’t you join me? Nothing says pleasure more than wrestling power away from those that do not respect you, like Facebook. And Google. And Twitter. And well, anywhere else really.

Monetize that bullshit. I DARE you!

Of Clouds and Stones

The early 21st Century will be known for the era of cloud computing. Just a little bit of what the cloud can do I’m actually taking advantage of right now as I write this blog post.

Google provided a huge space for people to upload their music and created a handy tool to upload their iTunes music up to Google’s storage system on the network. I took advantage of this offer and copied my entire iTunes library up to Google. That’s of course just half of what I needed to cloudify my entire music collection. I also need a client to play the content on whatever devices I want to use them on. Unfortunately the Google webapp for their Google Music service doesn’t work well on my iOS device, however there is an app called Melodies which does work fantastically well!

This has saved me so much time, expense and bother. Instead of having to buy a device with a big storage unit for my music I can simply stream my music off the network, using Google and Verizon (and Wifi if I have it, and that is almost universally ubiquitous in North America anyways) so now I have nearly universal access to my music, in a way having my cake and eat it too.

This wasn’t always easy, the Melodies app did have an issue with not being able to shuffle properly but after I contacted the app support staff and telling them what was wrong they fixed the app and it updated on my iPhone in a few moments. From that point I have realized something I never thought I’d be able to do, but play my music right off the network. It’s just one more way that devices, storage, computers, all of it are becoming increasingly abstracted away from my computing experience. I expect that sometime soon the notion of a computer will start to erode and evaporate as more and more of my life becomes cloudified, or perhaps the right word is enclouded? Going to have to work on the terminology.

Of course, people who I’ve spoken to about the cloud come up with very familiar complaints as to why they don’t want to join me. Mostly it comes down to a question of privacy, and that they feel the cloud would endanger their sense of privacy. I’ve thought about that point for a while, trying to come up with a position on it. I’ve honestly never really given two shakes about my precious privacy. What value am I coveting? So what if Meijers knows what I buy and when I buy it? So what if Google knows what music I enjoy? So what if I’ve been categorized and indexed? Where is the hazard? People regard privacy as some sort of grail-object. They protect it beyond all rational sense and I don’t think that any of us can maintain any sense of privacy any longer, at least since social networking became a mainstream part of our lives.

But then again, there is the fear. Where does that come from? People hiding who they are, what they think, what they buy from others because we’re afraid of, what exactly? Isn’t it a more comfortable life to simply be who and what you are and let the chips land where they will? A life exposed is a non-issue for those that are proud of who and what they are. I admit to having a definite cavalier attitude when it comes to my privacy, but what the hell do I have to hide? Or any of us? To me it has always been my argument that if I reveal elements of my life to strangers that somehow they’ll take advantage of that information and somehow misuse it or attempt to hurt me. Well, first and foremost they’ll have to endure the social awkwardness of being the ones to expose my “secrets” to everyone else. The key here is to own everything about yourself. Own your passions, own your foibles, and own your mistakes. Nothing about the past means anything, regret is a dull nothing. For example, Anthony Wiener’s crotch-shot being publicized lead to the end of his political career. WHY? I respect people more when they stand up and own whatever it is that others find outrageous. Here’s the thing, none of us are pure. None of us really have any place to stand and throw stones. Even Jesus Christ spoke on this very point. “Let him who hath no sins cast the first stone!” Well? So you have a picture of your tenty underwear out there? OWN IT. BE PROUD OF IT. In fact, go on a Playgirl shoot and show the world your junk. This idle and meaningless outrage is stupid and lame. I would pay real money to anyone who could prove beyond a shadow of a doubt that any random other human being isn’t a sexual pervert loaded with monumental loads of kink. All it takes is a shot of whiskey to get a man to drop his shorts and do highly entertaining things with his body.

So what it comes down to? Privacy bent to protect the image that we’d like to impress upon other people that we are all pure as driven snow? How silly is this, when we are as pure as driven-over snow! At least have the fortitude to stand up and say “Yes, that’s my junk shot! Do you like it!?!” Because in that, lies respect and honesty.

To people that feel differently than I do, I have a one word question to ask you:

“Really?”

Brown Chicken, Brown Cow

It eventually had to happen. I read this little nugget in a spam email that was delivered to my inbox just now:

Excuse me ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today… why did you put it online? wouldn’t it harm your job? what if parents see it? you must be way cooler than I thought about you man :))))

The attachment is IMG9821.zip. Come on. A zip file? Seriously?

Just a note to everyone who might come across this blog post. When you get files in your email that you aren’t expecting, don’t willy-nilly go clicking on them. Even if you have a Mac you could be duped into running a Trojan Horse, which would be very bad. This is likely a Windows virus trying to spread via social manipulation.

Anyhow, if there are compromising photos of you on the net, own them. Be proud of them. There is very little you can do to combat something like that so you might as well make the best of the situation.

Brown Chicken, Brown Cow. 🙂

Marco Polo plays Ping Pong

There is always something. I recently had the irritated displeasure of attempting to raise a communications channel to a certain group of adults and found the process to be highly educational. Recently Apple had instituted a series of advanced security questions that get paired to an Apple ID when you make a purchase in the month of April. These questions ranged from “Where did your parents first meet?” to “What was the first concert you attended?”, those sorts of questions.

At work, I have an Apple ID that I use to manage our iOS devices here and there and one of the people I tried to contact had to be the one that set the security questions, as I had gotten an email stating that someone set the security questions on the account on April 14th. So I figured someone was just absent-minded, we all have that from time to time, so I texted everyone to please get back to me if they had answered any Apple security questions.

I did get just a handful out of 23 people reply to me in one fashion or another. I then shifted the request over to email and also sent another request “If you have answered any security questions, please let me know what they are.” and for about a week of waiting, just the handful out of 23 deigned to reply to me.

Right after that I started a request with iTunes support at Apple to petition them to wipe away the erroneous security questions on the account and they were busy working on that. Last night they sent me an email telling me that the security questions were reset and that I could login and re-answer them, which I did late last night. So the technical angle of this issue is now a solved non-issue.

But what does bother me, and it’s more vexatious then a real concern is how people replied, or didn’t to my inquiry. I had made the erroneous assumption that when I send out a text twice, and an email asking for information that there is a built-in component to that message which people should reply either way. It was for work, it was important, I used the word “please”. The response I received back after bringing this up was “I didn’t know what it was about so I didn’t reply.” and it was my fault I suppose for assuming that people would, by themselves, assume that a reply was expected. Out of 23 people, only five were not question marks, the rest were crickets. Nobody here but us crickets.

So in the future I vow that I will include “reply requested” to my communications. I hate to dumb it down so far as to treat them like children, but after this, I can’t help but think that’s going to be the only way I can establish a communications channel with these people. I have great fear for when I have to establish a technical communications channel with people, these specifically, but even people in general when there is an emergency. There is this sense of “deer in the headlights” that is deeply upsetting to me. If you get a message that you don’t understand – which is the better path? To actually communicate about it in hopes of resolving it or just sit in the dark, ignoring it, hoping it goes away?

It’s a lot like Marco Polo playing Ping Pong with himself. It’s not a game, it’s just a sad old man standing in front of a ping-pong table with a stiff little white ping pong ball bouncing on the table.

Facepalm
Facepalm

Flashback Trojan on Mac OSX

Apple makes some marvelous products. In this case, I’m talking about Apple Remote Desktop. With ARD I was able to scan every single one of my client Macs to check to see if any of them were infected with the Flashback Trojan Horse. Before my scan I would have sworn on whatever-you-like that none of my systems that I manage here at WMU were infected. Turns out I was right.

Macs really aren’t susceptible to viruses and the biggest threat comes from Trojan Horses. To scan a mac for infection you just open up Terminal and run these two commands:

  • defaults read /Applications/Safari.app/Contents/Info LSEnvironment
  • defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you get an error from both of those commands, you are in the clear. It’s quite easy to do, mostly just opening up Terminal and copying and pasting and getting the errors and being satisfied. The removal instructions are straightforward to follow, so even removal of an active infection should be a snap.

If you try these commands and don’t get errors, don’t panic. Just let me know and I’ll find a way to help you out.

It's silly, and you should stop doing it.

Email confidentiality footers annoy me. I see them frequently on many emails that I get and I think of them as meaningless text that really should be ignored. That an email is somehow a private exchange of information is laughable. Email is sent in plaintext using an open protocol and on the wire it’s all unencrypted.

What really brings this to the forefront is when I see these meaningless bits of mental flotsam and jetsam clogging up my email box because someone set a vacation autoresponse and their membership on a email list is causing them to constantly reply with a “I’ll be out from…” email with this stupid block of text at the bottom asserting that the email is the property of blah blah blah.

Writing email has the same security protections as writing a postcard and tying it to a bird and letting it fly off. Your assertion that your communications are somehow proprietary or classified is utterly hilarious.

If people really wanted to make this not so utterly irrelevant, they should use public-key encryption or at least something like ROT–13 encryption so that the text isn’t readily apparent and takes some work to decode. Sending plaintext with this silly block at the bottom just musses up the display and doesn’t mean anything to anybody. So stop it.

Mopping Up

At work we have moved to a new “Engagement Platform” called iModules. Some of you already know something about this as I’ve shared stories about it with some of you before.

The system is up and running. I have to admit that I’m quite glad that the implementation phase of the project has reached a conclusion, as it took six months to get this wobbly-legged foal up on it’s feet and bouncing around.

This entire project still has some pieces to mop up, most notably the mopjob that I have to do surrounding our old platform, WordPress. Honestly I’m sad to see our use of WordPress in this regard come to a close as WordPress has been a wonderful platform and still is for my personal blog here as well as my “Captains Log” blog. I still maintain the “Captains Log” blog, but there have been lessons in using that as well. That particular one uses WordPress’s own P2 theme and for a time I opened it up and made it publicly available. This turned out to be a great mistake. I got heat from nearly every corner, mostly to do with keeping technical details private to non-maliciously violating an email clickwrap nonverbal unsigned unread agreement. I admit that the draw that the WordPress platform provides, free clouded hosting can’t be beat as far as I’m concerned. So for the “Captains Log” P2 blog, it’s gone private which makes all the previous gripers go silent as they can’t get past the “Please Login” barricade. So, once again thanks to WordPress I’ve found yet another way to “Have my cake and eat it too”.

We have moved the work stuff off to iModules and you all can see the efforts at our new site, MyWMU.com and thanks to our students and our staff who moved the contents off of our WordPress site and onto the new site, the speed of which was honestly shocking to me. Now the mopping up is all that remains. There were three blogs, Old WMYou, WMYou, and Western Express. The first and third have been backed up and purged from the system, but the middle one is stuck and I have a support ticket opened up with WordPress to help address it. We’ll see how that goes.

I will continue to update my personal blog, of course, and I will continue to enrich the P2 “Captains Log” and I really think other organizations should make use of WordPress for this great feature. It’s a great way to keep information handy, and takes the onus off the staff to remember the past as the system does it for you, time and date stamps, tags, categories, and the commenting system – not that the last part is really used for our P2 blog, but still. Not having to worry about hosting, cost, security, not to mention the ubiquity of ways to access the WordPress system make it the most compelling way to manage the working log of any business or help desk.

The only thing that I would like from WordPress, but would likely start running into real money (which I would pay, mind you) would be a Help Desk CRM overlaid on top of their P2 theme system. Some way for people to email problems or browse to the site and enter issues and the system gives them a trouble ticket number for tracking and we can lurk in the dark, hovering over this blog. That would leverage the logging goodness of P2 and it’s great usability and I don’t think it would be all that hard to code. I know there are Help Desk solutions for WordPress.org, but I really REALLY prefer to use WordPress.com. Perhaps someday in the future WordPress.com will get around to something like this. Time will tell.

LJ – What A Fool

From 9/26/2003


Our selectident is installed without the popular vote, he ruins the economy and plunges us into Vietnam II: Electric Bugaloo, tells us we’re there for Weapons of Mass Destruction then we find out there aren’t any. Then he says that Saddam Hussein is a vicious and horrible tyrant, one for which the United States loved while he was at war with Iran and for which we sent Donald Rumsfeld to Iraq back in the 80’s to have his picture taken shaking Saddam’s hand. Then the selectident declares genocide on the Hussein family, has Saddam’s sons perforated for their troubles and then saddles our beleaguered economy with supporting Iraq in the post-war “end of hostilities” era… only to find out that it costs a lot of money to put Humpty Dumpty Iraq back together again. Then our most esteemed selectident goes to the United Nations, the governing body that was declared irrelevant before the war, suddenly becomes frighteningly relevant after the war – our misleader walks up to the UN podium and instead of apologizing for a huge mistake, namely, mass-scale murder, he swaggers up to the podium and declares “If you aren’t with us, you are against us!” then walks off the stage.

Today I saw a headline that just made it all worth it:

Blow for U.S. as UN Staff Quit, Iraqi Leader Mourned

A U.S. army soldier guards the front of the United Nations headquarters in Baghdad, September 26, 2003. Mourners gathered in Baghdad for the funeral of a U.S.-appointed Iraqi leader Akila al-Hashemi assassinated by gunmen, as the United Nations pulled more staff out of the country following two suicide bomb attacks. (Ceewan Aziz/Reuters)

So, our selectident not only angers the world at large, but also pisses on the UN, then demands they help – and they leave. I can’t see any big surprises here at all. I can’t wait until they ask for another $100 Billion dollars for Iraq, and toss in the kicker, that it’ll take that same amount every 6 months for 5 years to give the poor Iraqi’s what they deserve.

Don’t get me started on what the poor Americans deserve… after all, we live in the lap of luxury and nobody is homeless, hungry, or out of work.