Modified versions of Xcode used to sneak malware into App Store, Apple confirms [u]


Comments

  • Reply 61 of 72
    docno42 (Posts: 3,755, member)
    Has really not a whole lot to do with where xcode is downloaded, because that can be compromised easily even if you think it's directly from Apple.

    Gee - open source developers have been posting MD5 checksums of stuff for years now - perhaps it's time for "real" companies like Apple, Microsoft, etc. to start doing the same?

    Especially for developer tools?!? It's not like devs won't know what to do with a checksum. Then again human nature being what it is, anyone actually using the checksum is still important.

    Having said all that, it's all irrelevant - no need for government conspiracies when people didn't even download it from Apple in the first place! Why bother to intercept it when people will download it from a stupid place to begin with?!?

    How about we get people acting responsibly first then worry about the exotic outliers and theoretical exploits that work well in a perfect world but in the wild aren't nearly so guaranteed as Hollywood/security tool vendors would have you believe?
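    The post above argues that vendors should publish checksums for developer tools. The script below is an added example, not code from the post or from Apple: it verifies a downloaded installer against a digest obtained from a separate channel, using SHA-256 rather than MD5 (MD5 collisions are cheap to construct); the file and its "published" digest are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original thread): verify a downloaded
# installer against a digest published out of band. SHA-256 is used
# instead of MD5 because MD5 collisions are cheap to produce.

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE EXPECTED_DIGEST
# Returns 0 only when the file's digest equals the expected one.
# The expected digest must come from somewhere other than the download
# itself (the vendor's own TLS-protected page), or the check proves nothing.
verify_download() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Refuse malformed digests before comparing, so a typo cannot "pass".
    case "$expected" in
        *[!0-9a-f]*|'') echo "malformed expected digest" >&2; return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "digest has wrong length" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: a stand-in for Xcode.dmg and its published digest.
demo_dir=$(mktemp -d)
printf 'pretend this is Xcode.dmg\n' > "$demo_dir/Xcode.dmg"
published_digest=$(sha256_of "$demo_dir/Xcode.dmg")  # copied from the vendor page
verify_download "$demo_dir/Xcode.dmg" "$published_digest"
# A copy from an untrusted mirror with one byte appended no longer matches.
printf 'x' >> "$demo_dir/Xcode.dmg"
verify_download "$demo_dir/Xcode.dmg" "$published_digest" || echo "refusing tampered copy"
```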
  • Reply 62 of 72
    docno42 (Posts: 3,755, member)
    foggyhill wrote: »
    Except when you look at Chinese, you don't need conspiracies, they've been caught actually doing large scale redirects, and hacks before.

    Completely irrelevant and a needless distraction since the affected developers shot themselves in the foot.

    All this government conspiracy talk is an UNNECESSARY DISTRACTION. The story here is don't download critical software like compilers from non-trustworthy sources!

    Directly supports my original thesis - people love making mountains out of molehills because it's far more interesting. People downloading infected software from untrustworthy sources is boring. But government conspiracies targeting the hapless populace - now that's a story!

    Bah! This is why a good deal of security crap never gets addressed. People can't believe that such simple stuff is really effective. There HAS to be more to it, they tell themselves so instead of fixing the obvious we go off chasing NSA/Russian/Chinese boogymen.

    Now, I'm not saying that governments aren't up to any shenanigans - they obviously are. And they shouldn't be let off the hook either. But trotting out the government boogyman EVERY TIME something like this happens, when it's clearly not related in any way just desensitizes people from caring when the aforementioned government boogymen really are involved.

    Hmm - you wouldn't be part of the machine trying to desensitize and distract us from when it will really matter, are you?

    And if you aren't getting paid by them you should be since you are doing their work for them for free :p
  • Reply 63 of 72
    docno42 (Posts: 3,755, member)
    tzeshan wrote: »
    my understanding we are just lucky that the malicious code does not appear to be very harmful.

    Ha! There's more than just luck that it's not that harmful. Many of the things people love to criticize Apple for (Sandboxing, code signing, "Walled garden", etc.) are why this isn't as bad as it could be. All of that "restrictive" stuff is why I trust iOS apps far more than any other platform. Yes, it's not perfect - but if you want to talk imperfection then let's talk about tampering, man-in-the-middle and stuff for every other platform - including OSX :p
  • Reply 64 of 72
    Quote:
    Originally Posted by JBDragon View Post

    Like any other software, You should be downloading it directly from the SOURCE!!!  in this case APPLE!!!  Not some 3rd party source where they can do crap like this, or in a case of someplace like download.com where spyware and other crap gets placed in the installer.   XCode should always be downloaded from APPLE, and Apple ONLY!!!!

    So tell me this, when you consider to buy an app in App Store, how can you enforce/insist/ensure the developer is using the right tools to build the app?

    In other words, do not shift the problem to developers. It is App Store who is ultimately responsible for filtering out crap. And there will be always intentional attempts to abuse it.

  • Reply 65 of 72
    docno42 (Posts: 3,755, member)
    jason98 wrote: »
    So tell me this, when you consider to buy an app in App Store, how can you enforce/insist/ensure the developer is using the right tools to build the app?

    How do you do that on any platform? What's special about iOS only? Think the same stuff doesn't happen on other platforms? It already has. It will again. The difference is with Apple they can take far more corrective action than any other platform owner.
    In other words, do not shift the problem to developers. It is App Store who is ultimately responsible for filtering out crap. And there will be always intentional attempts to abuse it.

    Well, developers created the problem by being stupid so why shouldn't the ultimate responsibility rest with them? Yes, Apple has a role in vetting the software (which they signed up for when they designed the ecosystem in the first place) - but it's unrealistic to think that they are going to be able to catch everything. The difference is once detected they can do things like pull the apps, prevent them from running, limit the damage they can do through things like Sandboxing and other architectural decisions that some programmers and users whine, bitch, moan, complain about, etc.

    And for your Mac, Windows, Android or any other platform, since there is no Apple how are you vetting code you download? Would love to hear about your level of effort on other platforms. Because as you point out, people will attempt to abuse any system out there - if it can happen on something as controlled as the iOS ecosystem... hehe - good luck!
  • Reply 66 of 72
    Quote:
    Originally Posted by DocNo42 View Post

    How do you do that on any platform? What's special about iOS only? Think the same stuff doesn't happen on other platforms? It already has. It will again. The difference is with Apple they can take far more corrective action than any other platform owner.

    Well, developers created the problem by being stupid so why shouldn't the ultimate responsibility rest with them? Yes, Apple has a role in vetting the software (which they signed up for when they designed the ecosystem in the first place) - but it's unrealistic to think that they are going to be able to catch everything. The difference is once detected they can do things like pull the apps, prevent them from running, limit the damage they can do through things like Sandboxing and other architectural decisions that some programmers and users whine, bitch, moan, complain about, etc.

    And for your Mac, Windows, Android or any other platform, since there is no Apple how are you vetting code you download? Would love to hear about your level of effort on other platforms. Because as you point out, people will attempt to abuse any system out there - if it can happen on something as controlled as the iOS ecosystem... hehe - good luck!

    Good points. It IS hard. However, one thing Apple could do is to add more restrictions into apps, like Network access (except user-entitled iCloud store). Many of the apps really do not need one. Like Pocket Scanner, which is in the list of the compromised apps: it does not really need broad Internet access. Most of the apps can really work with a single domain which Apple may require to be set up front.

    So once an app is explicitly asking for Internet access permission, you are immediately aware that something could be fishy.

  • Reply 67 of 72
    tzeshan (Posts: 2,351, member)
    Quote:
    Originally Posted by SpamSandwich View Post

    Of course it was China.

    China learned this from VW.

  • Reply 68 of 72
    docno42 (Posts: 3,755, member)
    jason98 wrote: »
    So once an app is explicitly asking for Internet access permission, you are immediately aware that something could be fishy.

    While I would appreciate that, history has shown that most people will just click through to see the naked dancing pigs without understanding what they are clicking. Then again it would provide value to you and me, so yes - at least having it as an option for those of us who are inclined would be nice. I love Little Snitch on my Macs - I would love something like that on iOS too. Canary in the mine and all that.

    And I'm pretty sure Apple is already working on requiring developers to only communicate with proper SSL certificate signing, but is not enforcing it yet - and Google got in trouble for basically putting out policy on how to bypass the SSL requirement as it breaks a lot of their adware crap. Wasn't that whole fiasco in the last week or the week before?

    Furthermore, when Apple eventually makes it mandatory how many people will point back to this thread, or go down the "Apple is anticompetitively picking on Google" or small developer memes?

    I almost look forward to it :p
  • Reply 69 of 72
    Quote:
    Originally Posted by macaholic_1948 View Post

    It continues to amaze me that people fear the US government more than they fear the very active, very visible and very dangerous hacking activities of Russian gangs; the Russian, Chinese and North Korean governments; and "run-of-the-mill" hackers out to steal your credentials and drain your credit and bank accounts.

    It's like worrying about the Keystone Cops while cheering on Ma Barker, Al Capone and Bonnie and Clyde. (If you don't get the references, use Bing.)

    Absolutely. Some of those you name are stealing Western technology and damaging critical Western systems as we speak.

  • Reply 70 of 72
    gatorguy (Posts: 24,213, member)
    docno42 wrote: »

    And I'm pretty sure Apple is already working on requiring developers to only communicate with proper SSL certificate signing, but is not enforcing it yet - and Google got in trouble for basically putting out policy on how to bypass the SSL requirement as it breaks a lot of their adware crap. Wasn't that whole fiasco in the last week or the week before?

    Furthermore, when Apple eventually makes it mandatory how many people will point back to this thread, or go down the "Apple is anticompetitively picking on Google" or small developer memes?

    I almost look forward to it :p

    Yes it was in the last week or so. But no, Google did not "get in trouble" for the mention of a bypass Apple provided.

    The article is here:
    http://forums.appleinsider.com/t/187906/google-offers-short-term-fix-to-help-ad-publishers-bypass-apples-ios-9-security-protocol/40
  • Reply 71 of 72
    Believe me... You are not so important that the US government will feel the need to spy on you. And, if you were because of your suspicious activity, then too bad. Hackers, not the US government steal from everyday people and corporations to the tune of billions of dollars. Worry about them. As for the US spying on Chinese citizens— even if they did, it would be a drop in the bucket to the spying done by the Chinese on its own citizens.

    You really need to re-evaluate your concerns. The US is not near the nefarious culprit you think. Even its infamous NSA eavesdropping efforts collect more information than they can ever peruse. Their computers look for known phone numbers and key words and phrases. The likelihood of a specific person being singled out is very small. The vast majority of people just don't fit their profile.

    Now, chew on this: the Russians and Chinese tap into undersea cables. They also have spy satellites. And they perform massive hacking attempts. Worry about them. Too.

    Possible useful keyword analytics separated by comma:

    Apple, developer, download, xcode, CDN .....
  • Reply 72 of 72
    gatorguy (Posts: 24,213, member)
    It's reported today that compromised apps, apparently hundreds or more, are still being provided for download in Apple's App Store.

    "scans reveal that compromised versions of more than a thousand apps remain live in the Chinese version of Apple’s App Store...
    some of them have been infected since April."