Quote:
Originally Posted by Dave
Well, unless you're wrong and the software that you trust has a trojan in it.
Yes, but how is "software you trust" going to get a trojan in it? There are only a few options:
- App writer intentionally inserts trojan. Most unlikely, but you'd enter your password since you trust it anyway.
- Man-in-the-middle attack. Someone repackages a trusted App and distributes a compromised copy. For example, maybe someone uploads a compromised package to macupdate.com.
- A hacker somehow compromises an App's build system and inserts the trojan payload at the source. Not sure if this is more or less likely than the first option, but the chance is very small.
So, in the second case, just make it a policy to download apps directly from their authors. In the third case, you'll legitimately be pwned, but the hope is that reputable vendors take their build / distribution security VERY seriously.
Also, some of this may be aided by Application signing (new in Leopard); you may be able to sign installer packages as well, so a man-in-the-middle attack becomes impossible.