ShadowOfGed
Travels via TARDIS
 
Join Date: Aug 2005
Location: Earthsea
 
2008-06-29, 00:32

Quote:
Originally Posted by Dave
Well, unless you're wrong and the software that you trust has a trojan in it.
Yes, but how is "software you trust" going to get a trojan in it? There are only a few options:
  1. App writer intentionally inserts trojan. Most unlikely, but you'd enter your password since you trust it anyway.
  2. Man-in-the-middle attack. Someone repackages a trusted App and distributes a compromised copy. For example, maybe someone uploads a compromised package to macupdate.com.
  3. A hacker somehow compromises an App's build system and inserts the trojan payload at the source. Not sure if this is more or less likely than the first option, but the chance is very small.

So, in the second case, just make it a policy to download apps directly from their authors. In the third case, you'll legitimately be pwned, but the hope is that reputable vendors take their build / distribution security VERY seriously.

Also, some of this may be aided by Application signing (new in Leopard); you may be able to sign installer packages as well, so a man-in-the-middle attack becomes impossible.

Apparently I call the cops when I see people litter.

Last edited by ShadowOfGed : 2008-06-29 at 23:26. Reason: Needed a question mark.