The Good Old Days

I had an interesting e-mail discussion with Ploni Almoni the other day, about how I should set up my new MacBook’s security. He suggested installing a separate firewall program, despite the fact that OS X already includes a built-in “application firewall.”

After some web research, I told him that it looked like the built-in firewall was sufficient, and even an improvement over the traditional port-based firewalls, because there’s no need to know what ports it’s listening on. You just approve or disapprove it by program.

He came back with the perfectly logical argument that when a virus infects a previously-approved application, your system is completely compromised. Not the case, because Apple already thought of that; the OS cryptographically signs executables when you permit them through the firewall, so that if they’re changed, you have to manually re-approve them before they can open a listening port again.
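To make that difference concrete, here is a small model of the two approval policies, written as an added illustration for this post (it is not Apple's code; the real firewall binds approval to a code signature, while this simulation substitutes a SHA-256 digest of the file contents, and the path and the "binary" bytes are made up). The weak policy keys approval on the program's path alone; the second keys it on the program's contents, so a modified binary loses its approval until the user grants it again.

```python
import hashlib

# Constructed stand-ins for the bytes of a program on disk (hypothetical content).
ORIGINAL_BINARY = b"\xcf\xfa\xed\xfe skype-original-code"
INFECTED_BINARY = ORIGINAL_BINARY + b"\x90\x90 injected-payload"


class PathAllowlist:
    """Weak policy: approval keyed only by the program's path."""

    def __init__(self):
        self.allowed = set()

    def approve(self, path, contents):
        self.allowed.add(path)

    def may_listen(self, path, contents):
        # Contents are ignored, so an infected file at the same path stays approved.
        return path in self.allowed


class IntegrityAllowlist:
    """Policy modelled on the built-in firewall: approval is bound to the
    program's contents (a SHA-256 digest here; macOS uses a code signature)."""

    def __init__(self):
        self.allowed = {}

    @staticmethod
    def fingerprint(contents):
        return hashlib.sha256(contents).hexdigest()

    def approve(self, path, contents):
        self.allowed[path] = self.fingerprint(contents)

    def may_listen(self, path, contents):
        expected = self.allowed.get(path)
        if expected is None:
            return False  # never approved
        if expected != self.fingerprint(contents):
            # The binary changed since approval: revoke it, so the user is asked again.
            del self.allowed[path]
            return False
        return True


def run_scenario(firewall):
    """Approve a program, then try to listen with it unchanged, modified,
    restored, and finally re-approved. Returns the four allow/deny decisions."""
    path = "/Applications/Skype.app/Contents/MacOS/Skype"  # hypothetical path
    firewall.approve(path, ORIGINAL_BINARY)
    decisions = [
        firewall.may_listen(path, ORIGINAL_BINARY),  # approved and unchanged
        firewall.may_listen(path, INFECTED_BINARY),  # same path, modified contents
        firewall.may_listen(path, ORIGINAL_BINARY),  # original restored, approval already revoked
    ]
    firewall.approve(path, ORIGINAL_BINARY)          # user re-approves manually
    decisions.append(firewall.may_listen(path, ORIGINAL_BINARY))
    return decisions


if __name__ == "__main__":
    print("path-only approval:  ", run_scenario(PathAllowlist()))
    print("integrity approval:  ", run_scenario(IntegrityAllowlist()))
```

Note the third decision under the integrity policy: once the modified binary has been seen, even the restored original is refused until it is re-approved, which is the behaviour the paragraph above describes.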

But that got me thinking… there really aren’t many old-school viruses anymore. A virus, by the traditional definition, is something that reproduces itself by “infecting” executable files, modifying them to carry the virus’s code and execute it any time that file is run. They require a much higher level of knowledge and programming skill than most of today’s malware authors have, and they aren’t as useful these days either, because people rarely swap raw executables anymore; they generally download the latest version from the Internet, or install from an archive — zip, tgz, package file, etc — that can’t be secretly auto-infected by traditional viruses.

Practically all malware nowadays seems to be Trojans, which are stand-alone executables themselves. Like the storied Trojan Horse that they’re named after, they do their work by tricking you into allowing them in, rather than by sneaking in as part of another program. Much easier to write, because you don’t have to know the details of how a system’s executable files are put together, or of the defenses that the user or the OS might have against stealthy changes to them. They’re lumped under the umbrella of “virus” because that’s the term that people understand, but it’s technically incorrect.

On the plus side, it’s a lot easier for a savvy computer user to avoid infection by Trojans than by viruses. But — and I never thought I’d hear myself say this — I miss the old-school virus. At least when you discovered that your system was infected by one of those, you could console yourself with the honest assessment that your security had been bested by a skilled programmer. These days, programmers with that kind of skill have moved on to more challenging work; if you discover a Trojan on your system, you’ve probably been “pwned” by a script-kiddie, who thinks that a “pointer” is just something used when giving a presentation.

How humiliating.

3 Comments

  1. Quote: Not the case, because Apple already thought of that; the OS cryptographically signs executables when you permit them through the firewall, so that if they’re changed, you have to manually re-approve them before they can open a listening port again.

    So did Microsoft with the firewall they built into XP and later versions of Windows. The problem with this approach is, how many people are going to remember all the programs they’ve already given access to? Most users will simply grant access and never realize that they’d already done that.

  2. Well, I will, for one — because right now, the only thing that’s allowed is Skype. 🙂
