Jon Alper's probably insufficiently humble opinion

[NOTE: See Peter from Intego’s comments below. I am electing only to respond to his correct observation that I’d conflated two security issues in this post and amend the post accordingly to address the valid elements of his critique. See prior comment thread here: http://blog.jonalper.com/2011/intego-untrustworthy/ for why I feel it both important to make the corrections Peter’s comment demand and that I not engage in discussion with him about the remaining content of this piece. Note that the updates below continue to reveal my original error alongside the corrections marked between [UPDATED] and [/UPDATED].

When you sell ‘security products’ you have a a responsibility to exercise an over-abundance of caution in how you communicate with your customers and potential customers. Failing to do this makes you part of the problem and, again, I think Intego is falling far short of that standard.

The issue, as I see it, this time starts with the headline “New Version of DevilRobber Trojan Found In Three Mac Apps” of yesterday’s Mac Security Blog.

The headline implies you might find this nasty malware and be in jeopardy in software you’re likely to be using today. The headline implies typical Mac users are at present risk without an anti-virus application.

Au contraire mon frère, you’re not. As of now, you’ll only find yourself infected with DevilRobber.D if you use BitTorrent to try and pirate software.

Deeper still, the unwritten message is “you need our product to protect yourself” is just not true in this case. To be fair to Intego, this implication is a ‘sin of omission’ rather than a overt misdirection but, as I keep trying to say, I think the core problem is Intego falling short of a very high standard of communication and behavior that I believe comes with selling ‘security’ products.

Why do I pick on Intego? Aren’t all of these antivirus companies are basically a protection racket? Well, it’s pretty simple. Intego is a Mac shop and, having met and chatted with several Intego team members, I think they’re basically good people and they ought to do better. I expect this silliness from the “My super zippy PC TV ad” companies. I don’t expect this from a “Mac Company”.

Here are four simple truths Intego’s article either only indirectly addresses or completely ignores.

1) They found an ‘in the wild’ exploit on a BitTorrent tracker of pirate copies of three Mac titles.
2) Mac users who don’t use BitTorrent to pirate their software are, so far, immune as far as we know.
[UPDATED Points three and four below are not relevant due to my error pointed out by Peter in the comments]
3) Mac users who use Preview to read PDF’s rather than Adobe Reader are immune.
4) Mac users who use Adobe Reader can configure Adobe Reader to block the attack with a preferences setting now.
[/UPDATED]

Worst of all, from a marketing perspective, (the likely motivation for the misleading headline and, indeed, the whole point of their blog) Intego don’t even seem to give themselves full credit for the fact that they already blocked it with existing virus definitions.

Here’s the same post re-written by me as if I worked for Intego:

New Variant of DevilRobber Trojan found in altered MacOS apps distributed via BitTorrent

Intego’s malware researchers have found a new variant of the DevilRobber Trojan horse, which they first discovered in October. The latest variant – DevilRobber.D (there have been two others in between) – has been spotted in three deliberately altered Mac applications (Writer’s Café, EvoCam and Twitterrific) distributed via BitTorrent trackers.

The original developers’ distributions are not infected. (The files you can download directly from the developers’ sites are clean.) The malware has only been found in altered files distributed via BitTorrent trackers. If you use these applications, and have purchased them from the developers, you do not have infected copies of these applications.

[UPDATED *** As Peter from Intego correctly pointed out in the comments, I foolishly conflated the DevilRobber Trojan with another security issue with trojans distributed via PDF and exploits of the Adobe security flaw in Reader. The Links below relate to the PDF issue and *NOT* to DevilRobber]
For more information about this exploit please see:
Adobe’s Security Bulletin: http://www.adobe.com/support/security/advisories/apsa11-04.html
Topher Kessler’s article for C|Net’s MacFixit: http://reviews.cnet.com/8301-13727_7-57338524-263/security-threat-in-reader-and-acrobat-poses-threat-to-macs/
[/UPDATED]

For more information about this exploit please see:
http://www.thesecurityblog.com/2011/12/devilrobber-gets-an-updated-version/

http://nakedsecurity.sophos.com/2011/10/29/devilrobber-mac-os-x-trojan-horse-spies-on-you-uses-gpu-for-bitcoin-mining/

VirusBarrier X6 definitions addressing the previous versions of the DevilRobber Trojan successfully blocked this new variant (and two others) but we have updated our definitions to specifically block this new version as well.”
-30-

If the headline is too long or insufficiently sensational for your marketing guys to sign off on, split it up: New Variant of  Mac DevilRobber Trojan Found and then lead the article with “Three Mac Apps altered to payload the Trojan have been found on a BitTorrent Tracker”.

My prior rant re: Intego’s behavior is here:  http://blog.jonalper.com/2011/intego-untrustworthy/

[UPDATED Due to my conflation of DevilRobber with the Adobe Reader vulnerability and this story: http://www.thesecurityblog.com/2011/10/mac-trojan-posing-as-a-pdf-file/ the irony is far less thick in this post but PLENTY thick if you look at that link.] (The irony that that last rant addressed a behavior that socialized users to trust a file described and badged as a PDF that was really an application and that now we’re seeing an actual PDF Trojan is not lost on this writer.) [/UPDATED]

Here’s the deal. If you sell security products, I think you have to:

– Tell the truth about the level of risk.
– Tell the truth about what your product can do to protect from specific attacks.
– Tell the truth about what alternative measures users can take to mitigate risk.
– Fall all over yourself to protect the reputations of legitimate developers unless and until they distribute infected files or ship software that creates an attack vector.
– Be ‘low key’ about how you characterize risks so users can be confident in the maturity of your products and your business practices so they either buy your products (good for you and your customers) and follow good practices to reduce their risks even without your products (good for everybody).

[UPDATED Again, due to Peter from Intego pointing out my conflation of two issues, this not relevant to the post though still true.] As a final note, yeah, it sure seems like Flash and Acrobat are getting exploited pretty regularly lately. Maybe not leaving these plug-ins enabled in our browsers would be a good idea. [/UPDATED]

– Jon

****** See Updates at bottom******

I bought a bundle of apps sold under the banner of ‘Mac Promo’ that included a number of terrific tools I’ll probably talk about later but I also discovered things I now find very disturbing.

First, “Mac Promo” was a promotion run by Intego. It’s not Mac Update Promo. The, I think, deliberate ambiguity in the branding was mildly troubling but that’s hardly a major issue and, to be fair, the design and appearance of the promotion was clearly different from Mac Update Promo. Intego did, in the small print, say the bundle was being offered by Intego. (That the clock ticking down to the end of the offer period silently reset and extended the time limit is cheesy but not exceptionally weaselly. It’s standard issue marketing weaselly.)

Included in the bundle was a product called Personal Backup by Intego. When I initially looked into the Personal Backup product a few days ago prior to purchasing the bundle, the only documentation for Intego’s Personal Backup on their web site was Mac OS 9-era information including Classic UI elements. Personal Backup was not then, and is not now listed as a current Mac product on Intego’s site. That’s, at best, amateurish. At worst, it’s creepy.

The creepiness just got worse.

1. The creepy behavior goes all the way down to the license and getting started documents on the disk image for the application. They appear to be documents and are badged PDF and HTML respectively. In fact, both are applications, executables, programs, things that run code on your Mac. These executables appear to be as benign as wrappers that check what language your Mac is localized to and then open the appropriate documents. This is deliberately misleading the user, badging the document icons PDF and HTML respectively. Users lulled into trusting these things, apps masquerading as docs are, absolutely an infection vector for malware. That Intego’s faux docs aren’t literally malware doesn’t change the fact that to imply they are delivering documents when, in fact, they are delivering applications is bad behavior at best and, at worst, creating the kind of problems they then want to sell you products to avoid.
2. Intego’s Personal Backup product required online activation. The need for online activation is not warned of prior to purchase or installation and the installation experience is ambiguous as to what’s really going on. Don’t run LittleSnitch or the like and you’re likely never to even know it does it without looking closely. The serialization documentation on their web site doesn’t tell you that their products online activate and is, in my opinion, written to obfuscate the fact that they do. A developer is obligated to tell the user at least when you do the online activation that you are doing it. If they’re remotely polite, they should warn their customers prior to purchase that their product requires online activation.
3. Installing and using the product demands you run an installer as opposed to being a drag-install. This should usually raise a red flag because, if you run your Mac without administrator permissions (as you should), you will need to enter an administration-enabled user name and password  to allow the installer permission to run. Think about, for example, BBEdit. When you install BBEdit, you drag the application to your Applications folder (or wherever else you want to). When BBEdit needs additional functionality that demands it place executables outside it’s app package (the command line tools) it asks you first.
4. The Intego Personal Backup installer installs, at least: Two Applications to the Applications Folder (NetUpdate and Personal Backup), two Dashboard widgets, a daemon to handle scheduling of automated backups (necessary for automation functionality but they should tell you), a prefpane, a menu bar item and, on launch, a goody pile of plists and app caches. It’s simply excessive. To run a personal backup application with the functionality they include, you need an application that can, with the users’ permission, escalate privileges to access certain files to back them up. You optionally need to allow a daemon (background application) to be run at every startup to allow the app to start itself and run a scheduled backup. If you don’t schedule automated backups, you don’t need the deamon. If you do schedule automated backups, the app should ask to install the deamon. Intego’s documentation for NetUpdate or the Personal Backup application it payloads onto at install doesn’t tell you what, specifically, is installed let alone what is not removed by their uninstaller. A developer is, in my opinion, obligated, when they install anything more than the App and generate a prefs file, to tell the user what they are installing. If not in a ‘read me’ available at installation, at least on your web site in a clearly discoverable place.
5. The installer’s “Uninstall” option does not remove all of these things or warn you that to remove that portion of cruft it does uninstall, a restart is necessary.
6. Finding all the crud (including still running code after a post-uninstall restart) demands you know how to look for it. OS X spotlight won’t find it all. DEVON Easy Find (Free, yay DEVON Technologies) is one method, there are others. If you sell anti-malware software, installing faceless and fairly deeply buried things that run every time you start your Mac is tres uncool.

Now, why is all this so creepy, so utterly unacceptable,  in this case when all sorts of apps behave similarly badly? Intego is in the business of selling tools that are all explicitly about keeping your Mac safe.

They sell:

• AntiVirus Software
• Software Firewall/Internet Security Software
• Privacy software to clean your Mac of browsing history.
• Backup Software (not that you’d know they sell that product from their product listings and there’s no press release for Personal Backup more recent than July of 2008).

If Intego expects their customers to trust them to help keep them safe from malware, they shouldn’t behave like malware. If they are actually interested in controlling the spread of malware on MacOS, they should behave in a manner beyond reproach. If they want to have users learn basic habits that inherently make them safer from malware, they shouldn’t acculturate users to do exactly the sorts of things that lead to spreading malware. Intego is, without major changes in their behavior, not to be trusted. Period.

**************Update**************

The Mac Promo bundle mentioned above  also includes “Personal Antispam” from Intego. It too has faux HTML and PDF ‘documents’ and, it too installs a similar suite of cruft. The habits described above seem to apply to at at least two Intego products.

**************Update again**************

The text:

“You must provide a valid e-mail address when serializing the Software, which will then proceed with the activation procedure. At the end of the Period of Use, the Software will no longer be active, and to continue using the Software You will need to purchase a new license or subscription for a new Period of Use.”  does appear in their License. The license is included the collection of ‘masquerading as documents’ applications on the installer disk image and here: http://support.intego.com/kb/index.php?x=&mod_id=2&id=70

Why do they want an email address? “6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”

In other words: In order to use the product you paid for, it is a condition of the license that they be allowed to email you ‘offers’. You can’t use the product you paid for unless you give them permission to spam you. Conversely, if you ask to be removed from their promotional email lists, you forfeit the license you paid for. How do you like them apples?

**************Update again…again**************

Email sent to support@intego.com:

Subject: License disclaimer and removal request.