Currently Being ModeratedJun 3, 2011 10:13 AM (in response to etresoft)
When you hand over your admin password, you hand over just about everything. If you are using a default admin account, then you really do hand over everything, including the contents of your keychain (if the software is clever enough).
Again, not exactly true. Look at the Access Control list for Keychain items. It isn't if the software is clever enough but if the user is foolish enough to allow questionable items to be added to the list.
Currently Being ModeratedJun 3, 2011 10:26 AM (in response to R C-R)
R C-R wrote:
What you are proposing is basically a closed system with no administrator. It isn't a practical solution for upgradable systems, particularly where security is concerned. That's why the idea was abandoned long ago.
Abandoned???? When did this happen? I can't believe that Apple would abandon iOS!!!
Currently Being ModeratedJun 3, 2011 10:34 AM (in response to R C-R)
If the user is silly enough to hand over their admin password to any program that asks for it, I can write a program that asks for it. Then, I take that password they provided, upload it to my server, upload the user's keychain, decrypt the user's keychain with the password they have so graciously given me, grab their online banking/paypal login information, then book my cruise and order that MacBook Air I could never afford.
This has nothing to do with Access Control or Keychain Access. I write my own dialog and ask for the password. Given the success of MacDefender, I think I would collect quite a few of them.
The moral of the story? Don't hand over your password!
Currently Being ModeratedJun 3, 2011 10:38 AM (in response to R C-R)
R C-R wrote:
The audience I target is folks that come here looking for accurate info, not nonsense.
So you claim that the above hypothetical exchange isn't happening somewhere in the world right now? It is nonsense to claim that people are being misled into buying software they don't need. Isn't that exactly what MacDefender does?
Your claim of nonsense is disproved.
Q. E. D.
Currently Being ModeratedJun 3, 2011 11:34 AM (in response to etresoft)
No, that is not what MacDefender does. Users buy nothing when they provide their CC info. To say that they do is just more confusing nonsense.
EDIT: Also, hypothetical exchanges are not evidence of anything. I could just as easily come up with a hypothetical counter-example, but that would be just a pointless as yours.
Currently Being ModeratedJun 3, 2011 6:38 PM (in response to etresoft)
First of all, each user account has its own login keychain, so it doesn't matter if it is an admin or standard account. More to the point, even if your social exploit succeeds in getting a user to give your app the account's login password, you still have to figure out how to get it to upload the keychain file to your server. That requires cooperation from the OS. You will find that is harder to get than you might think, unless of course you have already managed to compromise the OS. But that is not easy to do, with or without an admin password.
Currently Being ModeratedJun 3, 2011 7:35 PM (in response to R C-R)
I don't have to compromise the OS. That's way too hard on MacOSX. If the user installs my software, I can upload any file that the user can read.
It does make a difference if you are using an admin or standard account. If a user is duped into handing over a password to a little-used admin account, the malware will gain control over the machine but will have difficulty reading information from the primary, albeit standard, account. Having the admin account password will not decrypt the user's standard account keychain. There are other methods for getting personal information, but they are exponentially harder when going across accounts.
Good common sense will provide far more protection from malware on a Mac than any anti-virus software.
Currently Being ModeratedJun 3, 2011 7:58 PM (in response to etresoft)
The point is that all the methods to gain control of user info are hard. There is a lot of difference between saying that you can write a program to do that & demonstrating that you actually can do so.