Jon Alper's probably insufficiently humble opinion

**********UPDATE*********** See below for a new update from Intego.

Intego reports another variant  of Mac Malware Flashback on their security blog here, and updated here.

Generally useful  advice and relatively little of the weaselly stuff I have bashed Intego for in the past.  My recommendation is to take the advice offered in those posts seriously.

Nevertheless, the Mac Security Blog post from Intego includes the following useful gem: “It is worth noting that Flashback.G will not install if VirusBarrier X6 is present, or if a number of other security programs are installed on the Mac in question. ”

Let me decode that for you: “We know some other security tools that would also protect you because this variant will not install if it finds these tools present on a Mac during an infection attempt but we’re not going to tell you. We’re not saying because we want you to be scared into buying our product rather than made to feel confident in our integrity and want to buy our product.”

Now, to be fair, they aren’t obligated to tell their customers or potential customers about competing products. That said, and my point all along with Intego is a company should be self aware enough to realize that selling security software comes with an expectation of maintaining the highest possible standard of conduct.

A smarter approach would mean they’d want  people perceive them as trustworthy and they’d say “We know these other security programs also offer protection against this variant.”

Why can’t they learn? The Mac community needs every good supplier of consumer security tools we can get.

Here’s a little more info than Intego felt a need to share: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_c.shtml and http://blog.joelesler.net/2011/10/macosx-flashback-trojan-is-covered-by.html As always with security issues, a holistic approach and getting yourself informed is best. In this case it looks like the presence of LittleSnitch may do it and, that ClamXav and Sophos Anti-Virus for Mac Home Edition may also protect you from this variant of Flashback

Please, Intego, step up. Do better. I know you can. You just don’t seem to want to.

———-Update Below———-

Intego posted a useful and issue-free update. In short, with Java as an infection vector, Flashback no longer is truly a simple Trojan. Intego’s update usefully, simply and directly explains this with none of the ‘marketing weaseldom’ I have noted in the past. Good for them! Let’s hope this marks a new way of communicating for them.

****update*****  9.27.11

Seems OnStar had a change of heart. I wonder how much things like this had to do with that?

************

Jonathan Zdziarski’s blog post describes changes to OnStar’s Privacy Policy (The main link to OnStar’s Privacy Policy which may be updated from the preceding is here.)

In short, not only does OnStar currently track your vehicle’s speed and location but, under the policy linked above, they will continue to track this data and sell/give it to third parties even if you cancel your service unless you explicitly opt out (or disable the hardware).

“Big Deal” you say, we all use GPS all the time, we’re always tracked. No, in fact, you are not. Despite what you may think based on what you’ve seen in spy movies, GPS can’t track you. At its core, A GPS unit is a receiver only. It listens for signals constantly being broadcast to anyone listening by satellites in orbit around Earth. The GPS device figures out your latitude, longitude and altitude based on listening to not communicating with these satellites. GPS is a one way radio from satellite to your device.

Nothing about your location needs to be transmitted to anyone for your device to show you where you are. The data sent by each satellite is incredibly simple, basically, it’s a very precise and synchronized clock. Your devices uses the differences between when these clock signals arrive to calculate your location. By detecting relative delay, the GPS device calculates how far it is from each of the satellites it can ‘hear’ and using this math, it locates itself on the earth relative to the satellites. 299,792,458 metres per second is not just a good idea, its the law. Radio takes time to travel from space to your Garmin. A satellite is farther away, it takes longer, if it’s closer, it gets there quicker. If all the clocks are synchronized, the device can calculate your position based on listening to the signals of 4 or more of the 24 to 32 working satellites in orbit and comparing the timing against each other.

With GPS only ways your location are transmitted to anyone are:

• Your GPS device retrieves maps from some online provider in realtime. Google Maps, Yahoo Maps or somebody else and, in requesting these maps, tells the map-server where you are.

• Your device is OnStar or a system like it with features built in to it with the explicit purpose of telling the provider where you are. In OnStar’s case so they can mine the data and make you feel safer that if you crash and are unconscious, police and rescue can be sent because they detected the airbag going off. Now, if you have a cell phone and call 911, your cell phone will tell first responders where you are. (This is done according to this FCC rule) and can be done via cell tower triangulation and, theoretically, your phone broadcasting the GPS-derived location of your phone when you dial 911.

• Somebody has explicitly attached a GPS tracking device to you (or your vehicle) which passively listens to the GPS system and then actively transmits that location data it’s calculated to whomever is ‘bugging you’ with the tracking device.

There are lots of legitimate concerns about how smart phones and tablets and even your computer browser can send location information to the web sites (or ‘app’ back end servers) you connect to but those are unrelated to GPS tracking and OnStar and a topic for another post.

What should concern you about OnStar and other services that may work in a similar way (XM traffic and weather services perhaps?) is that your location at any given time is potentially very dangerous information when in the wrong hands.

Should the son-to-be-ex-spouse-under-restraining order have any possibility of buying this information? Should the police have any possibility of retrieving this information without a warrant? Should the burden of proof in a legal proceeding be shifted to a presumption of guilt if your phone or your car was found to be in a location you may have been nowhere near?

Many, many, many people have written about Apple excluding Flash from iOS and Adobe’s spin that Flash is ‘part of the web’ iOS users are being deprived of. The following note from my friend Kevin and a spate of Flash-induced browser crashes has me me itching to chime in:

I like to listen to internet radio streams when I work; stuff from grooveradio.com
has long been a favorite productivity boost for me, like caffeine for the ears.
More recently, thanks to Eric Konieczko, I’ve come to appreciate the more varietal
offerings from ibizasonica.com, but its flash-plugin player excessively and
consistently loads down my CPU: 50-70%! Not so productive, right? The choice of
browser is not a factor; Flash is a pig!

In contrast, I can use VLC on the source stream (http://stream2.wft.es:1025/) and
run at a cool 6% CPU, which could be even lower if videolan’s VLC package for Mac
included the cvlc binary (dispenses with the GUI). If you have any experience
compiling VLC and could share any helpful tips, please do; I’d appreciate it very
much.

If you have any ideas for Kevin, I’d be interested too and would welcome comments.

But it gets to the core point. Flash has enormous unique value. It’s very good for this kind of thing. (As an aside QuickTime used to be too but that’s a story for another day) and for this kind of thing.

What it’s not good for is how Adobe’s marketing has encouraged it to be used:

• As a way for a good visual designer to do sexy site navigation without learning to write code. If you want sexy and your coding talents aren’t able to execute your vision in HTML/CSS/Javascript, hire somebody who can. I know lots of talented people. Need help? Let me know.
• As a way to inflict, and note that I said inflict and not offer, an introductory splash page for your web site. Splash pages are for people who can’t organize their thoughts well enough to design and execute an inviting and easy to understand home page. Splash pages are a way to try (and fail) to force your users to pause and absorb your message as you hold them hostage before you give them what they came for. If you give them what they came for, you can make money off them.  Be nice.  If you find you can’t explain your site or offering well enough without imposing a linear experience as an introduction, that’s fine. It’s very hard. Get help. I can find you great people.
• As the only way you offer video and audio. There are multiple standards some supported on a particular computing platform (Windows Media and mp4 on  Windows and  MacOS/iOS  respectively). If you want a reliable experience, offer platform native formats.
• As a way to inflict (see above regards offer vs inflict) your advertising message in front of content.

Flash is not part of the web. Flash is a media type. The web is the interconnectedness of documents, html documents. If you can’t recognize that essential truth and then, from there, add styling, elegant and engaging navigation and, as needed, images, audio and video on top of that to benefit your users, you’re not making websites you’re limiting yourself and and your success.

Adobe, if you can’t sell Flash for the things it’s actually very, very good for, don’t keep trying to dupe people into misusing it in order to sell more. You, Adobe, make wonderful tools in Photoshop, Illustrator, After Effects et al, get rich making those wonderful tools and stop trying to hammer home a doomed agenda.