Malware hidden in vid app is so nasty, victims should wipe their Macs It's going to be an unpleasant weekend for some Mac users who are facing a complete system wipe and reinstall – after hackers stashed malware in legitimate applications. Eltima Software, which makes the popular Elmedia Player and download manager Folx, today confessed the latest versions of those two apps came with an …
I see posters here suggesting that complex projects demand "team" development when the reality is that it is just cheaper to get in a few people who know what they are doing and a lot of amateurs who need to be told.
That would still be what is commonly defined as a "team".
The sad truth is that there are programmers who can code without allowing any errors in the final product and then there is the majority who have been programmed to believe it doesn't matter.
When I did data-entry work (for a short time between other jobs, was a terrible desperate time!), a typing rate of 90% accuracy was considered very good, and I think you were employed if you could top 70%. At 90% that means you average 1 error in every 10 characters! Now, my typing accuracy is much better than that - I've touch-typed this paragraph with the first error being the "U" in "touch" being missed. That was 326 characters without error (I also missed the 2nd C in "characters", both cases not hitting the key quite hard enough). So at this point 3 errors (next was hitting "p" instead of "o" in "So", 612 characters with 3 errors.
To type a tiny program with 1000 lines of code, averaging 100 characters per line, is 100,000 characters. The odds of any human doing that without a number of typos is 0. No matter what you claim your typing is not that good, there is no one who can type at a reasonable speed and get it right.
Some of the errors will be quickly picked up by the compiler, eg if you have a variable named "mycodeisshite" and in one case you type "mycodeisshit" the compiler should get that. But a lot won't be, say you mean to type "13565236734727" and you type "13565237634727" instead, in a constant, neither your compiler nor your eye will pick that up until you're having real problems and very closely look at the code.
So by this point I've already proven that either your code makes a "hello world" program look complex, or your code has bugs. You may get most of them before shipping, but unless your code is very trivial you're stuffed.
My last program was 603 lines of Pascal, including comments. It was a simple console .exe to clean up a minor failure in a customer's system, seeking a string in certain file names and removing that string. From what I know the "shipped" version was bug-free, however it was only executed 3 times once complete - a test run by me on sample data, the actual run on that customer's machine, and another run on another machine with the same issue. I designed it in an hour, and built it in a weekend with a few bugfixes in the process. By most standards this really is a very trivial program. I have no idea how many lines of code a graphics driver has, or the kernel of an OS, but it is far beyond what one person can do.
Add in development tools that are themselves insecure and management who value only getting the product out the door.
True there are issues with the build tools (as I mentioned, another reason why your code cannot be perfect). And also true there are managers who want products shipped as soon as possible, however repeat business comes from having a product that's good enough - if your customers really hate what you're doing then you're not getting them back.
It used to be that if you wanted a computer based solution, you went to a guy who built the hardware, software basically everything from scratch, if he had to get help then clearly he was the wrong guy. Now we roll out "qualified" developers who could not build the hardware, have no clue how to write an OS and need a existing development package to write even just an office suit. How can anyone doubt that trusting these guys is a bad idea.
And here we need that steaming pile of bovine excrement icon. Even Turing had a team helping him out, and before them - before he was born even - a lot of work went into stuff that he learned and built from. If Turing hadn't had his team then his machine would never have worked, certainly not in time to crack Enigma anyway. It was someone else who gave him the idea to look for the common element (the weather report IIRC, though "heil hitler" also springs to mind).
If you're referring to "building the hardware" as actually from raw components (rather than building a PC consisting of already-assembled mobo, already built CPU etc etc) then there is NOT ONE PERSON in this world who could do that. One person can build a CPU, true, it has been done not long back. However, that CPU is very large and does not have the power of even the least of the smart phones.
I'd love to see a citation of where one person could do the lot, build the hardware and write the software. Even in the Vic20 days that would've been difficult, if not impossible for one person to do. Maybe back with some of the more simple kitset computers that blinked a few lights.
You could blame the education system, the employers the users or you could just accept that unless you are that guy then you are an imposter, you are the reason for the "bugs" and vulnerabilities, simply because you do not know better. Better to have given matches to children.
Actually no, I think the few people out there like you are the problem. Really, you can, on your own, code an entire OS, plus application suite, plus build the computer - and all of this non-trivial and secure and bug-free?
Absolute rubbish. But I'll call you on it and give you a chance to prove yourself - what code have you released that is not trivial and bug-free? What OS have you written? Afraid you'll have to kill your AC and provide verifiable links (I'll accept you passing the info to staff at El Reg (since they can tell who you are anyway) and have them check your claims and simply come back with a "Yes, AC has actually done this" or "No, AC is telling porkies")
Icon --> Always looks to me like a homeless guy sniffing a tube of some sort of glue. Brain-damaging drug use seems appropriate here.
"So by this point I've already proven that either your code makes a "hello world" program look complex, or your code has bugs. You may get most of them before shipping, but unless your code is very trivial you're stuffed."
^ This.
"And also true there are managers who want products shipped as soon as possible, however repeat business comes from having a product that's good enough - if your customers really hate what you're doing then you're not getting them back."
And ^ This.
"Actually no, I think the few people out there like you are the problem. Really, you can, on your own, code an entire OS, plus application suite, plus build the computer - and all of this non-trivial and secure and bug-free?
Absolute rubbish."
And most definitely ^ This.
Kiwi gets it. One point I would add (and then I really need to get off this discussion and do some work) is that even if code is written 100% bug-free, that doesn't necessarily make it secure - it only means it will do what it's designed to do when all parameters are as-expected. A hacker isn't interested in what code should do, he's interested in what it can do - e.g. what happens when it (or the sandbox, or the OS, or the abstraction layer) is fed bogus or unexpected parameters which cause the code to flip and open up a hole. This is what makes fuzzing such a useful technique.
Yes everyone makes typos but there are ways to remove them from the finished product
Your example constant = "13565236734727" rather than a * ( b+x ) ^5, bad practice/comprehension allowed your error. Any string over 3 characters is an increasing liability as you rightly said because what you see is what your brain thinks it should see. However if the string is constructed from meaningful modules of less than 3 characters then the length can increase. Even in English missing a typo in three letter word when you are concentrating is an impressive fail.
"but it is far beyond what one person can do.", just using logic alone anything that any single person of a team can do alone a single person can also do. You don't get much "hold that end whilst I hammer this in" during development but if you did then that is a classic communication/planning problem and to be avoided by removing the Muppet who thinks it is essential from the equation.
"By most standards this really is a very trivial program.". You wrote a bit of code by yourself, you knew what you were doing and would find it easier to write it again from scratch. During coding you avoided lots of errors that would have been made by a different programmer who had never written that solution before and/or you learned some new mistake not to make again. Afterwards you needed to go through your code again and remove some errors that next time you would have avoid adding in the first place.Hence it was indeed trivial because you knew what you were doing.
What if instead of a throw away solution you instead built it out of libraries that you had perfected by the same method. Code that had been reused over and again in many other different solutions to the point where any typos, logical errors etc. had already been removed. Whilst the library only does what it says on the tin it does it right every time under every condition possible to pass to it. How much faster could you have written and validated the new solution when 90%+ of the code is known good. As I said earlier a single programmer might take longer, creating your own libraries alone takes years but once perfected they can be reused over and again and the ones that you didn't get paid to write, reward you in the future.
As to giving up my anonymity then no, my Reg persona doesn't connect to anything I have done anyway nor would it be wise to advertise where my code is being used.
"What if instead of a throw away solution you instead built it out of libraries that you had perfected by the same method. Code that had been reused over and again in many other different solutions to the point where any typos, logical errors etc. had already been removed. Whilst the library only does what it says on the tin it does it right every time under every condition possible to pass to it."
Not necessarily. Think gestalt exploits where the individual components are tried, tested, maybe even proven, but when they're taken as a whole suddenly exhibit unwanted behavior (in other words, the exploit is worse then the sum of its parts). The problem with code written by man is that it's nigh-impossible to predict EVERY circumstance where it will be used. Even formal proofs carry with them context limitations (ex. seL4 can't keep its proof with DMA in use).
@AC You're either unwilling or unable to grasp basic concepts of how coding works in modern systems, and I don't get paid enough to teach you. So I'm out of this discussion now, and I'll just leave you with these wise words from Col. Nathan R Codemonkey, Senior Programmer, Guantanamo Software House, Cuba.
Senior programmer: I'll answer the question. You want answers?
Junior Programmer: I think I'm entitled to them.
Senior programmer: You want answers?!
Junior Programmer: I want the truth!
Senior programmer: You can't handle the truth!
Son, we live with software that has holes, and those holes have to be found and closed by men with serious skills. Who's gonna do it? You? You, Anonymous Coward? I have a greater responsibility than you can possibly fathom. You weep for the state of software security, and you curse those who spend their lives trying to harden it. You have that luxury. You have the luxury of not knowing what I know -- that software vulnerabilities, while tragic, are inevitable in complex software; and my existence, while grotesque and incomprehensible to you, makes it as safe as it can be.
You don't want the truth because deep down in places you don't talk about at parties, you WANT me scanning your code -- you NEED me scanning your code.
We use words like “Token,” “Fuzzing,” “Exploit.” We use these words as the backbone of a life spent in penetration testing. You use them as a punch line.
I have neither the time nor the inclination to explain myself to a man who downloads porn and watches cat videos under the blanket of the very protection that I provide and then questions the manner in which I provide it.
I would rather that you just said "thank you" and went on your way. Otherwise, I suggest you pick up a keyboard and stand to post. Either way, I don't give a DAMN what you think you're entitled to!
@ Lord Elpuss
"how coding works in modern systems", short answer is badly. IMHO the reasons for this disorder lack of: discipline, comprehension, experience, ability and meaningful communication along with bad execution all of which we could circumscribe but do not. IMHO underpinned by the mantra "coding without errors in the final product is impossible" and those people who profit by it's acceptance
"finding the holes", if the holes were never put in would you still need to find them.
"what you think you're entitled to!", It is funny, to me, how often claims against entitlement sit right beside demands for payment for the author's time i.e. only the author has any entitlement. Personally I think that if I have to pay for something then it should be of a reasonable quality and without defects. I would also suggest that where a design approach consistently fails to remove defects the approach is replaced with something that does. You say it is impossible and I say my experience says you are wrong. I can empathise with you being upset, if your work is in identifying security issues and someone is suggesting removing the need for that as a separate task then of course they are talking about you having to do something else. If enough people actually questioned the idea that computers are somehow the most complex thing in the universe and they are impossible to control fully, then perhaps the standards for "acceptable" coding would go up. Personally I would see this as a good thing but I can understand that, if you have a vested interest, you would want to keep things the way they are.
I am not knocking security in your sense, it is after all a dirty job, but then again the world would indeed be a better place if someone did not have to do it.
"My code has never been exploited and has never needed any updates"
When I was a refrigeration engineer, I wrote a program in Basic for an Apple IIe that allowed my wife to enter invoices and send the output to her pre-printed invoice forms in the printer - never needed updating. Worked up until she used up her invoice forms.
Of course, since I've been doing this sort of thing for a living for decades now, I do a lot of updating. Maybe I should go back to Basic.
"My code has never been exploited and has never needed any updates, this simply because it was bespoke i.e. different for each customer and all written with the old computing definition of security in mind."
Your arrogance will get you killed, son. Well, your code anyways.
Generally speaking, code written from scratch by one individual will be less secure than commercial code written by a large software house. Large companies have the time and resources to dedicate to security, and the customer base to make fixing bugs worth their while -as opposed to simply moving on with the next victim customer.
"There is no guarantee whatsoever..."
There never is. Who suggested there was?
From a statistical probability perspective, my reasoning stands. For any given product (Smart TV, IoT, Operating System, Car...) of any significant complexity, you're far more likely to be better off if that code is written by a company that has (a) the resources to do a good job of hardening it, and (b) the customer base to make them care. One person writing one-off code from scratch (and thinking they can do it better than every TLA or miscreant out there) - now that's simplistic and naïve.
"From a statistical probability perspective, my reasoning stands."
False. It doesn't as a company is not only likely to offer BS, it's economically bound to offer BS as it's the cheapest they can get.
"(b) the customer base to make them care"
Semi-false: Customers are other companies buying the details of the users, i.e. cannon food. They care only about if users have too much privacy (or sacurity) and the users themselves are totally irrelevant: They aren't customers but the product for sale.
Case in hand: Windows 10.
"False. It doesn't as a company is not only likely to offer BS, it's economically bound to offer BS as it's the cheapest they can get."
Fuck me, the idiotards are out in force today. Go and study Economics 101; a product needs to be of some kind of quality in order to sell at all - if it's complete shit, nobody will buy it and the company that makes it will go out of business.
Profitability is always a balance between what the customer will pay, and what the company needs to spend in order to convince them to part with their wedge. It needs to be just good enough - and yes, that involves fucking security.
Your answer to (b) doesn't make any kind of sense in any universe.
E-, must try harder.
”" the idiotards are out in force today"<br/><br/>
Classy! Perhaps youtube is more your kind of thing?“
You’re right. My apologies. Spent the day dealing with ‘challenging’ users yesterday and allowed my frustrations to boil over into this discussion. Won’t happen again.
Cheers LE
Single programmer: assume they are disciplined, know before they start coding exactly how it will work, they understand fully the client's requirements and they have planned out how the project is to be broken down into modules so as limit the duration of the high concentration levels required to do it right.
Given that they have already written a lot of the code in their tried and tested libraries they are just left with the new modules and structure which they also validate/test.
Team programmer: Assume lead is of same quality as single programmer above and has his own secure/validated libraries, then they will have all of the bug vectors that the single programmer suffers plus the additions that come with team programming.
Lead here knows what they are doing but must deal with management and still delegate to other coders typically of lesser ability/experience enough understanding such that it is quicker and more secure than just doing it themselves.
Where it comes to bugs, people are always the weakest link add more people and less discipline/experience/knowledge and you are going in the wrong direction if you want secure code. Yes you can get something out the door faster but you are going to be rewriting the same solution forever. Yes, fine whilst the client believes the BS about "bugs are inherent" and keeps paying you to continue failing in your task but for how much longer?
Computers are now so cheap, pretty much everyone has one, if the first world wants to stand out from the rest then it is going to need to offer something the client wants, something other than speed of release and cost. They can already get it cheaper and faster because the third world is online and gagging for the chance to replace you so all you are left with is excellence and to be frank it is far past time to do the job properly.
IMHO team development is only a good thing for people who prefer management to coding and to be frank a excellent programmer doesn't need managing at all. They can make alone what the client wants and can always employ other disciplines as the client requires. Get rid of the overhead and produce secure code and you can compete with the rest of the world, or stay as you are and be swept aside, your choice.
IMHO team development is only a good thing for people who prefer management to coding and to be frank a excellent programmer doesn't need managing at all.
Are you pottything, or that idiot from GRSecurity? Same arrogance anyway.
How can one person keep up with the changing hardware, changing OS, changing tools, and changing software environment of a machine, and still write complex code?
Here's a tip you've missed - a lot of stuff written for DOS will not work on WIn 10. Nor will a lot of stuff written for Windows XP. Or even 7. API's have changed, some removed. The hardware has changed (not always an issue at the application level), the OS API's are different, the look of the software (window decorations etc) have changed just in the last few years.
So.. Prove that one person can write an entire OS, application suite, and build the hardware - and ship it 100% bug free.
If your coding is like your grasp of English........
"Large companies have the time and resources to dedicate to security,"
Yes they have but they have no incentive at all to allocate resources for irrelevant stuff.
"Security" costs money, i.e. less profits and uses huge amount of time, delaying publishing, i.e.less profits.
Companies are in it for profits and your security isn't even on the list of items to consider.
On the contrary: The less secure you are, the more company can demolish your privacy to collect juicy tidbits about you to sell, i.e. more profits.
Example in hand: Windows 10.
One person who knows what he's doing is inherently better option as he's doing what is good for you, not the thing that's good for his company as a sole customer you are actually important, not the product company sells forward.
"Companies are in it for profits and your security isn't even on the list of items to consider."
Security is always a component of the profit equation. A product which is unsatisfactory in terms of security (in the consumer's eyes) will not sell as well as one which is satisfactorily secure, hence reduced profits, hence the company will care enough just enough about security to make sure the product sells. It's true that a company will not invest more money in security than is strictly necessary to continue to sell the product, but to claim security isn't even on the list of items to consider is patently absurd.
"The less secure you are, the more company can demolish your privacy to collect juicy tidbits about you to sell"
You're conflating security and privacy. Violating your privacy may be considered an acceptable tradeoff (usually in exchange for a 'free' product, see Android), vicariously violating your security means they'll lose all their customers and ultimately go out of business. What a mind-blowingly daft statement.
@Lord Elpuss
"Security is always a component of the profit equation", possibly true but the evidence suggests that security is of less consideration than money. Whilst code with bugs is okay to sell then doing otherwise is unnecessary. What is unnecessary is virtually always omitted by business but may still be included by the proud individual.
"vicariously violating your security means they'll lose all their customers and ultimately go out of business. What a mind-blowingly daft statement."
Really? Microsoft still seems to be going. You missed out the "big business" exception to your rule, namely that they are able to flaunt the laws/technical opinion etc simply because they have the money and have bound enough of the influential to them, that they can make the rules and destroy any competitor who might offer a secure alternative.
@Lord Elpuss
"Large companies have the time and resources to dedicate to security" name one that has released only secure code
Whilst it is true that more eyes making finding things easier the actual reality is that larges software house release a lot of bug fixes. Suggesting that whilst they could they do not
@Annon.
Are you that guy that I had an argument with last year who said that logging in applications was unnecessary and anyone who did it was stupid?
You sound like the same guy... In that you are both very wrong.
"Requirements change,features added = new product."
HAHAHAHAHAHA, Yeah, OK.. Ill try selling that to the next client that asks for an extra check box on a web form.. NEW PRODUCT!
"Bugs fixes = you released bad code and are an incompetent liability to your customers"
I'd laugh again but I'm starting to worry that you might seriously believe what you have typed...
My code has never been exploited and has never needed any updates
Your code:
10 PRINT "I AM AWESOME!"
20 GOTO 10
@d3vy "Are you that guy that I had an argument with last year who said that logging in applications was unnecessary and anyone who did it was stupid?" if you are referring to me then no you were talking to someone else or possibly yourself.
If I was to use the word "stupid" in a post then I would be saying "against your own best interests", as opposed to bombastic ignorance.
"asks for an extra check box on a web form", this would strongly suggest that someone did not understand the client's requirements. My "new product" point was based upon the premise that either the product requirements have changed or been misunderstood, the "just add a checkbox" clearly suggest to me failure in comprehension.
If the client's requirements are misunderstood then it is likely that there are more confusion induced errors elsewhere and a full review is needed, this especially so if you are dealing with someone else's code. Simply adding another checkbox or similar each time the client complains that you "didn't get it" is not going to inspire confidence that you are writing what the client wants rather than some other solution. If you want an analogy then your way is like a taxi driver stopping at every house on the required street and asking is this it, when they gave your the full address before they got in the car. It is possible that this is exactly what the client wants but you should be making them aware of the implications of this kind of thinking rather than saying "yeah, I can sling an extra checkbox in", after all you are supposed to be the expert not the client and once you alter the code then it becomes your responsibility even if you didn't write to original.
&AC
I’ve been at a conference where they held a ‘Hack the (Hello) World’ competition; to do exactly what you suggest. Used a buffer overrun and a memory injection attack via the graphics card - I still have the presentation somewhere. Needed physical proximity to the target device plus knowledge of the internals, but did end up printing rude words to the screen whilst reporting back to the program that it said ‘Hello World’.
Contrived in the extreme, the "hello world" worked as expected the environment it was running in was not that envisaged by the programmer.
You could as easily say that the program as a 8086 binary failed because it did not run as expected on a 6809.
"I’ve been at a conference where they held a ‘Hack the (Hello) World’ competition; to do exactly what you suggest."
So they managed to hack a computer that had no code in it but the equivalent of "PRINT 'HELLO, WORLD!'"? Changing the source code is one thing; hacking a fixed program with so little functionality is another.
>> or alternatively release only a finished product that doesn't need Microsoft style updates all the time.
Most realistic alternatives are actually worse. For instance Google released more patches for Android alone last month than Microsoft did for every single supported product. Mac OSX has over 1000 patched CVEs, the Linux kernel is approaching 2000 CVEs, etc, etc.
"Folx, today confessed the latest versions of those two apps came with .. OSX.Proton malware .. miscreants had got into the developer's servers, implanted the malware into the download files"
How did the software nasty got onto the developer servers and what was the name of the hardware and the software that the developer's servers ran on?
Doesn't matter.
It will have got in by infecting a development machine, quite possibly by infecting a framework/library they use.
As it is not possible to cross-compile and Apple don't make a server class machine, Apple software is almost always compiled for release on a normal desktop or laptop Mac.
Which is probably someone's daily work machine, and thus open to easy infection via drive-by or phishing.
You generally don't get an entire trojan into software by committing it to source control. That'd be ... pretty obvious.
In the CCleaner case they fiddled with the actual toolchain used to build the final EXE. I'd assume either something similar has happened here, or they simply signed and uploaded a trojaned version of the executable.
"I'm so glad I've got a Mac, they're virus free doncha know."
Yes, yes they are. Now let's talk about malware... that is what the news story is about? No?
Wake me when there is a nearly bulletproof OS... For the time being, I will use the best OS for the job at hand...
There will always be malware, viruses, trojans, social engineering etc, my comment was made because the average user, Windows, Mac, Android, iOS on the street doesn't know, doesn't care or even want to know what the difference is between Malware, Viruses, Trojans, Spyware, Adware, to them they're all 'viruses'.
Perpetuating the myth that Macs are invulnerable (ask ten average Mac users and see how many of them tell you this, in fact go and stand next to a Mac salesperson and see how many people they tell that lie to) is a ridiculous course of action that can and will only lead to more Mac malware of all sorts.
Yes, I take the piss but with good reason.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
