Jon Alper's probably insufficiently humble opinion

Steve Ragan of Security week tells us Everything You’ve Always Wanted to Know About Flashback (but were afraid to ask)

The above just about covers it all. I’ll add that my earlier post: Apple shoddiness so easily fixed remains relevant but Apple has improved the documentation for the two latest updates:

About Java for Mac OS X 10.6 Update 8 and  About Java for OS X Lion 2012-003 continue to have different names for the Snow Leopard and Lion updates and continue to link to files with uselessly unclear file names. (JavaForMacOSX10.6.dmg and JavaForOSX.dmg respectively). The good new is that now Apple includes this in both documents: “Java for Mac OS X 10.6 Update 8 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for [OS version].” so, some forward motion there.

The key take away from this very real malware event on Mac OS X is this: It may be true that Mac OS X, when configured and managed properly, is less of malware risk than Windows. It’s clearly true that the Mac is not now, never was and never will be immune. Even iOS has not been immune if you acknowledge that some less than ideal behavior has been allowed in Apple-approved apps. Just because something is better doesn’t mean it’s perfect and informed users and well managed I.T. are a necessity no matter what. Apple would have been wise not to oversell the Mac’s historical advantage in this regard as a future guarantee of safety. I said that to Apple loudly and repeatedly for years. I said this to clients. Now the truth has been thrust upon us: No, the Mac is not the insta-p0wn Windows was. Yes, I’d still much rather use a Mac but the Mac’s not perfect and Windows is getting better. We all need to be smarter. We all need to realize we have a responsibility to protect ourselves and learn caution.

One final thought. I’ve picked on Intego a lot before.  The most aggressive of my posts about them being “When your protection tools can’t be trusted: Intego“and another later post where I made some significant technical errors Intego pointed out and I corrected.

In truth a side effect of the Flashback story for me is that my frustrations with Intego have crystalized nicely. I understand more completely why I express such frustration with them. I also fully acknowledge that they have made useful and meaningful contributors to the research and documentation of issues with Flashback for the Mac community.

What I said in the past was that they don’t seem to understand that as a vendor of security tools they need to be above moral reproach in the way they communicate.  This is a blog of a person. A person who happens to run a business but a person none-the-less. You don’t see these posts at my company site. Here, I’m a Mac IT and media production consultant blogging on a personal blog some might say has an attitude. That’s, in part, what a personal blog is for. A touch of the ‘tude. A bit more of the personality than corporate communications.

My clients will tell you when it’s business,  I may be gruff but I am always one hundred percent transparent about the issues involved in a problem or project and I never, ever, take a markup on services or products I specify for a job. I sell my opinion and my skill and my willingness to say “I’ll do what you ask but I think it’s bad for your business for these reasons.” and let my clients decide. This is a business value system I am proud of. It’s what I believe a good consultant strives to do. Help the client, be honest even if it costs you revenue. This attitude has, I hope, been a major reason I’ve stayed in business.

The concern I have with Intego I now understand better and  it’s well encapsulated in a quote from the article linked at the top of this post:

“Intego promoted the trial of their Anti-Virus product, while Sophos promoted their free Mac-based Anti-Virus. F-Secure, Symantec, and Kaspersky Lab also released tools. However, on April 12th Kaspersky had to temporarily pull its tool out of circulation, after a handful of the people downloading it reported that its usage could result in erroneous removal of certain user settings. Kaspersky fixed the tool and released an update a day later.”

Look what other companies did. Note even that Kaspersky made a mistake that they had to publicly acknowledge and then promptly fixed. Contrast the others with Intego. Intego promoted their commercial product as a fix and offered a 30 day free trial. A free trial you could only get if you gave them your email address. There’s a sort of sticky ooze all over that approach.

True, no company has to provide product or tools for free but a smart company, a company you want to do business with, might have recognized that there are more customers to be won if you provide a simple and basic free tool for one issue as a promotional loss-leader for the product they can, and should BUY to provide protection in the future.

What Intego did was say “Here’s a fix. If Apple doesn’t really solve this for 30 days, you’ll have to pay us.” and “Here’s a fix but we want your email so we can try and sell you stuff later.” and to me, that’s a tone-deaf approach.

A tone-deaf approach defined by a naked marketing agenda. Tone deaf marketing makes me feel like I can expect tone-deaf support. If I think I’m going to get tone-deaf support, I won’t trust a security tool provider. It’s just that simple. The past issues I’ve had with Intego all boil down to the same thing.  Dumb down UX at the expense of good practice.  Post alerts that convey more urgency than there is.  Do these things and your company doesn’t feel trustworthy.

Flashback is a real threat now. Now Intego can (and should!) enjoy revenue that comes with more global awareness of the truth that Mac users do need to be a lot more security aware than, in general, they had been. But don’t over-play that hand. Don’t miss a chance to be the best and most transparent.

If you sell security tools, you have to recognize that value of your product is defined by ‘trust’ and trust is, in large part, engendered with tone. So, is Intego useless? No. Are they buggy? No more or less than anyone else necessarily. What they are is tone-deaf and it’s just sad. They are a Mac company selling to Mac users and we need them to be better.

**********UPDATE*********** See below for a new update from Intego.

Intego reports another variant  of Mac Malware Flashback on their security blog here, and updated here.

Generally useful  advice and relatively little of the weaselly stuff I have bashed Intego for in the past.  My recommendation is to take the advice offered in those posts seriously.

Nevertheless, the Mac Security Blog post from Intego includes the following useful gem: “It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. ”

Let me decode that for you: “We know some other security tools that would also protect you because this variant will not install if it finds these tools present on a Mac during an infection attempt but we’re not going to tell you. We’re not saying because we want you to be scared into buying our product rather than made to feel confident in our integrity and want to buy our product.”

Now, to be fair, they aren’t obligated to tell their customers or potential customers about competing products. That said, and my point all along with Intego is a company should be self aware enough to realize that selling security software comes with an expectation of maintaining the highest possible standard of conduct.

A smarter approach would mean they’d want  people perceive them as trustworthy and they’d say “We know these other security programs also offer protection against this variant.”

Why can’t they learn? The Mac community needs every good supplier of consumer security tools we can get.

Here’s a little more info than Intego felt a need to share: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml and http://blog.joelesler.net/2011/10/macosx-flashback-trojan-is-covered-by.html As always with security issues, a holistic approach and getting yourself informed is best. In this case it looks like the presence of LittleSnitch may do it and, that ClamXav and Sophos Anti-Virus for Mac Home Edition may also protect you from this variant of Flashback

Please, Intego, step up. Do better. I know you can. You just don’t seem to want to.

———-Update Below———-

Intego posted a useful and issue-free update. In short, with Java as an infection vector, Flashback no longer is truly a simple Trojan. Intego’s update usefully, simply and directly explains this with none of the ‘marketing weaseldom’ I have noted in the past. Good for them! Let’s hope this marks a new way of communicating for them.

[NOTE: See Peter from Intego’s comments below. I am electing only to respond to his correct observation that I’d conflated two security issues in this post and amend the post accordingly to address the valid elements of his critique. See prior comment thread here: http://blog.jonalper.com/2011/intego-untrustworthy/ for why I feel it both important to make the corrections Peter’s comment demand and that I not engage in discussion with him about the remaining content of this piece. Note that the updates below continue to reveal my original error alongside the corrections marked between [UPDATED] and [/UPDATED].

When you sell ‘security products’ you have a a responsibility to exercise an over-abundance of caution in how you communicate with your customers and potential customers. Failing to do this makes you part of the problem and, again, I think Intego is falling far short of that standard.

The issue, as I see it, this time starts with the headline “New Version of DevilRobber Trojan Found In Three Mac Apps” of yesterday’s Mac Security Blog.

The headline implies you might find this nasty malware and be in jeopardy in software you’re likely to be using today. The headline implies typical Mac users are at present risk without an anti-virus application.

Au contraire mon frère, you’re not. As of now, you’ll only find yourself infected with DevilRobber.D if you use BitTorrent to try and pirate software.

Deeper still, the unwritten message is “you need our product to protect yourself” is just not true in this case. To be fair to Intego, this implication is a ‘sin of omission’ rather than a overt misdirection but, as I keep trying to say, I think the core problem is Intego falling short of a very high standard of communication and behavior that I believe comes with selling ‘security’ products.

Why do I pick on Intego? Aren’t all of these antivirus companies are basically a protection racket? Well, it’s pretty simple. Intego is a Mac shop and, having met and chatted with several Intego team members, I think they’re basically good people and they ought to do better. I expect this silliness from the “My super zippy PC TV ad” companies. I don’t expect this from a “Mac Company”.

Here are four simple truths Intego’s article either only indirectly addresses or completely ignores.

1) They found an ‘in the wild’ exploit on a BitTorrent tracker of pirate copies of three Mac titles.
2) Mac users who don’t use BitTorrent to pirate their software are, so far, immune as far as we know.
[UPDATED Points three and four below are not relevant due to my error pointed out by Peter in the comments]
3) Mac users who use Preview to read PDF’s rather than Adobe Reader are immune.
4) Mac users who use Adobe Reader can configure Adobe Reader to block the attack with a preferences setting now.
[/UPDATED]

Worst of all, from a marketing perspective, (the likely motivation for the misleading headline and, indeed, the whole point of their blog) Intego don’t even seem to give themselves full credit for the fact that they already blocked it with existing virus definitions.

Here’s the same post re-written by me as if I worked for Intego:

New Variant of DevilRobber Trojan found in altered MacOS apps distributed via BitTorrent

Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October. The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three deliberately altered Mac applications (Writer’s Café, EvoCam and Twitterrific) distributed via BitTorrent trackers.

The original developers’ distributions are not infected. (The files you can download directly from the developers’ sites are clean.) The malware has only been found in altered files distributed via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you do not have infected copies of these applications.

[UPDATED *** As Peter from Intego correctly pointed out in the comments, I foolishly conflated the DevilRobber Trojan with another security issue with trojans distributed via PDF and exploits of the Adobe security flaw in Reader. The Links below relate to the PDF issue and *NOT* to DevilRobber]
For more information about this exploit please see:
Adobe’s Security Bulletin: http://www.adobe.com/support/security/advisories/apsa11-04.html
Topher Kessler’s article for C|Net’s MacFixit: http://reviews.cnet.com/8301-13727_7-57338524-263/security-threat-in-reader-and-acrobat-poses-threat-to-macs/
[/UPDATED]

For more information about this exploit please see:
http://www.thesecurityblog.com/2011/12/devilrobber-gets-an-updated-version/

http://nakedsecurity.sophos.com/2011/10/29/devilrobber-mac-os-x-trojan-horse-spies-on-you-uses-gpu-for-bitcoin-mining/

VirusBarrier X6 definitions addressing the previous versions of the DevilRobber Trojan successfully blocked this new variant (and two others) but we have updated our definitions to specifically block this new version as well.”
-30-

If the headline is too long or insufficiently sensational for your marketing guys to sign off on, split it up: New Variant of  Mac DevilRobber Trojan Found and then lead the article with “Three Mac Apps altered to payload the Trojan have been found on a BitTorrent Tracker”.

My prior rant re: Intego’s behavior is here:  http://blog.jonalper.com/2011/intego-untrustworthy/

[UPDATED Due to my conflation of DevilRobber with the Adobe Reader vulnerability and this story: http://www.thesecurityblog.com/2011/10/mac-trojan-posing-as-a-pdf-file/ the irony is far less thick in this post but PLENTY thick if you look at that link.] (The irony that that last rant addressed a behavior that socialized users to trust a file described and badged as a PDF that was really an application and that now we’re seeing an actual PDF Trojan is not lost on this writer.) [/UPDATED]

Here’s the deal. If you sell security products, I think you have to:

– Tell the truth about the level of risk.
– Tell the truth about what your product can do to protect from specific attacks.
– Tell the truth about what alternative measures users can take to mitigate risk.
– Fall all over yourself to protect the reputations of legitimate developers unless and until they distribute infected files or ship software that creates an attack vector.
– Be ‘low key’ about how you characterize risks so users can be confident in the maturity of your products and your business practices so they either buy your products (good for you and your customers) and follow good practices to reduce their risks even without your products (good for everybody).

[UPDATED Again, due to Peter from Intego pointing out my conflation of two issues, this not relevant to the post though still true.] As a final note, yeah, it sure seems like Flash and Acrobat are getting exploited pretty regularly lately. Maybe not leaving these plug-ins enabled in our browsers would be a good idea. [/UPDATED]

– Jon