Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Computer 'Worms' Turn on Macs

CmdrTaco posted more than 8 years ago | from the here-they-come dept.


Carl Bialik from WSJ writes "Macs have been laregly immune to the viruses, worms and malware that have plagued PCs, but the Mac's recent popularity uptick has meant that 'bad guys appear to be casing the joint,' the Wall Street Journal reports. Among the signs: two recently discovered worms and the discovery of a vulnerability in Mac OS X that leaves Safari open to a hack. A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows. 'Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes,' the WSJ reports. 'Apple itself has gone out of its way not to promote the Mac's relative safety, lest it tempt hackers to prove the company wrong. Apple declined to discuss the topic of security in depth for this article.'"

cancel ×


Sorry! There are no comments related to the filter you selected.

Symantec? (5, Insightful)

matt4077 (581118) | more than 8 years ago | (#14808255)

A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows.

Now there's a neutral party with no agenda when it comes to security!

Honestly, the worst Mac malware I've seen so far had a Symantec sticker on the box.

Re:Symantec? (4, Insightful)

dantheman82 (765429) | more than 8 years ago | (#14808364)

Apparently, they've had slow sales on the Mac platform recently. Perhaps a real worm/virus in the wild would be some newsworth info...

Re:Symantec? (3, Insightful)

peragrin (659227) | more than 8 years ago | (#14808404)

a recently symantec update did more damage to users systems than the so called recent virus script looking like an image did to all the computers it actually attacked.

So yea symantec sales would be slow.

Re:Symantec? (1, Flamebait)

taylor_venable (911273) | more than 8 years ago | (#14808388)

Yes, if there's anyone who can stand to make a quick buck off security worries, it's the so-called "security software" businesses themselves. Of course, they all love to insinuate that all operating systems play on the same level field. (So the only way to make sure you're safe is to BUY OUR [poorly written] PRODUCT!) Now, because a couple people came up with a proof-of-concept exploit, they get their chance to say "See, Mac OS X isn't any more secure than Windows is!" But of course, we know that there's hardly any truth behind those statements. Sure, all software systems have holes, and flaws, and bugs. But depending on how the software is written, the threats from those vulnerabilities can be mitigated and even made altogether impotent. I'm not an OS X user, but I do exclusively use operating systems that live in the same family tree, the modern BSD Unixen. And I can state from experience that these systems are inherently more secure than some other commercial operating systems, simply because of the way they are written. (For example, the level of source auditing found in OpenBSD, etc. etc.)

Re:Symantec? (4, Insightful)

Golias (176380) | more than 8 years ago | (#14808543)

One of the recent worms relies on iChat.

I use iChat every day, and have other Mac users on my "Buddies" list, yet I've still yet to get this particular worm delivered to me, and it's been well over a week since I heard about it being "in the wild." There was even a story about it over on Drudge, so somebody must have been hit by it, right? Yet, I still have yet to hear a first-person account of somebody getting this particular worm sent to them.

Part of the reason for this might be that the Mac gives all kinds of warnings about the nature of incoming files, and even requires that you type in your admin password before running anything that hits any important part of the OS. (Hint: just installing an application or performing trivial tasks does not require a password. Whenever you get a password prompt on a Mac, you know that the app in question is trying to do something which requires root-level access.)

Installing antivirus software on a Mac is worse than useless. Should a virus ever come along which can get past both MacOS security and simple user awareness, currently-existing anitvirus software won't be ready for it anyway.

Plus, I know enough from running antivirus software on my Windows PC at work (which I would never DARE go without) that anitvirus software means a performance hit and less stability of the operating system.

I think I'll just stick with common sense and Apple's frequent OS update patches.

Re:Symantec? (1)

lidocaineus (661282) | more than 8 years ago | (#14808611)

If I install an application (ie, it wants to copy itself to /Applications), I definitely get an admin password prompt. Anytime I do anything that requires write access outside of my ~, I get the password prompt. Are you running as an administrator-level user?

Re:Symantec? (1)

Golias (176380) | more than 8 years ago | (#14808640)

Of course. Are you using a school computer or something?

I still get Administrator password prompts when installing OS upgrades and the like, but installing the newest version of EyeTV went like this:

Step 1: Download the image.
Step 2: Drag the application from the image into my Applications folder.
Step 3: There's no step three. *laughs* There's no step three!

Re:Symantec? (3, Insightful)

twocents (310492) | more than 8 years ago | (#14808395)

No kidding. Symantec would love their user base to expand, especially since MS is selling anti-virus software. It is legit to promote awareness of possible OS X exploits, but it ridiculous to rely upon any information from a company such as Symantec - they have a vested interest in scaring the hell out of people that don't know any better.

Re:Symantec? (1)

somersault (912633) | more than 8 years ago | (#14808506)

"they have a vested interest in scaring the hell out of people that don't know any better."

sound a bit like the virus writers to me =p except maybe the virus writers aren't trying to be so open with the public about having them install their software..

They could report a worm a day ... (1, Insightful)

tomhudson (43916) | more than 8 years ago | (#14808258)

The could report a worm or virus a day for the rest of my LIFE and they'd still have a better security record than Windows.

Re:They could report a worm a day ... (2, Funny)

TubeSteak (669689) | more than 8 years ago | (#14808347)

The could report a worm or virus a day for the rest of my LIFE and they'd still have a better security record than Windows.
I guess the real question is: "How many of those bugs will remain unfixed by the time you die."

We already know Microsoft's answer, but how does Apple deal with bugs in Mac OS 8 and Mac OS 9? (And does anyone still use Mac OS 7?)

Re:They could report a worm a day ... (1)

naelurec (552384) | more than 8 years ago | (#14808617)

We already know Microsoft's answer, but how does Apple deal with bugs in Mac OS 8 and Mac OS 9? (And does anyone still use Mac OS 7?)

Is it realistic to still assume support for any of those systems? Mac OS 9 was released in Oct 1999 .. Besides that, OS 9 was, for all intents and purposes, OS 8.7 .. so now your looking at a system that was originally released in 1997! I don't think any vendor is still providing support for these older systems.

Re:They could report a worm a day ... (0)

Anonymous Coward | more than 8 years ago | (#14808521)

Thats because the original versions of windows wasn't built with security in mind.
Expect windows security to get A LOT better since they are desinging NEW versions
of windows WITH security in mind.

Re:They could report a worm a day ... (0)

Anonymous Coward | more than 8 years ago | (#14808616)

Good FOR them, I look FORWARD to seeing THIS!

Immune? (1, Interesting)

east coast (590680) | more than 8 years ago | (#14808261)

Macs have been laregly immune to the viruses, worms and malware

Just because no one has exploited a system doesn't mean it doesn't have exploits. I know about a month ago this came up in an article about how OSX/Linux users could face issues because they felt to secure. Hopefully they will be able to cut this off at the quick but don't think that running an "obscure" OS makes you safe. How many Mac users today run anti-virus software?

Re:Immune? (4, Insightful)

SpooForBrains (771537) | more than 8 years ago | (#14808298)

but don't think that running an "obscure" OS makes you safe

*sigh* We don't. We think running an operating system with proper security makes us safe.

Re:Immune? (1)

IAmTheDave (746256) | more than 8 years ago | (#14808345)

Or, you know, nicer software, better user interface, less learning curve for the parents and grandparents, better hardware, better industrial design, "UNIX inside ©" etc. IMHO, of course.

Re:Immune? (2, Insightful)

somersault (912633) | more than 8 years ago | (#14808525)

yep, the last exploit relies on people to be morons and try to open an apparent 'picture' from a random spammer, or a strange website/whatever. Which could happen with any OS. Except if the user isn't running with full admin priveleges then they are going to be fine anyway..

Re:Immune? (1)

tomhudson (43916) | more than 8 years ago | (#14808359)

How many Mac users today run anti-virus software?

Running anti-virus software is a stupid thing to do when you can FIX the system instead.

Just because Microsoft is at the "fix one bug, re-create another" stage doesn't mean Apple has to go the same road.

An analogy - would you rather eat fresh, properly prepared food, or moldy infested crap and a megadose of antibiotics? (I would have used the "would you rather have sex with someone who isn't infected with HIV, or someone who is, but you take *precautions*", but this is slashdot ...)

Re:Immune? (2, Insightful)

east coast (590680) | more than 8 years ago | (#14808582)

Running anti-virus software is a stupid thing to do when you can FIX the system instead.

What's the phrase? There is no patch for human stupidity?

Go ahead, be smug about it. But the bottom line is that as Mac becomes more popular you're going to have idiots who are going to let thing thru simply because they don't understand what they're doing. Do you really think that Windows user who keep their systems up to date and use a bit of common sense are the ones you're reading about? Windows is insecure in a lot of aspects, sure, but a Windows user with a dose of common sense and some knowhow aren't suffering as much as the normal MS bashing article here would have you think.

Re:Immune? (1)

gerddie (173963) | more than 8 years ago | (#14808367)

How many Mac users today run anti-virus software?

I installed ClamXav [] , since it was required that an anti-virus program was installed on my laptop, befor I could plug it into the company net.

Re:Immune? (1)

antifoidulus (807088) | more than 8 years ago | (#14808375)

Exactly. Even as a mac user I shudder when I hear the phrase, "more secure". How can you quantify security. I would consider it to be a binary measure, either you are secure or you aren't. And the answer is you are not.
Basically it all comes down to being smart when using your computer. First and foremost is never run anything in any sort of admin mode unless absolutely necessary. Most mac users create an admin account and use it for everything they do(and I hate to admit I am one of those), that is just asking to be attacked. Don't open random email attachments. Don't go to web sites that could be of questionable character. And, of course, always stay educated.
As an aside, I would also recommend using two different browsers. If you find out there is a security threat to Safari, switch to Firefox till the patch at least. And of course visa-versa. It also never hurts to have those different browsers on your system in case a web page you need to access isn't compatable with one but is with the other. I even had to use IE to access a site on my mac(yeah, I know I shouldn't have as a geek, but they had cheap health insurance and I was hard up for cash at the time)

Re:Immune? (1)

hawkmoon77 (957541) | more than 8 years ago | (#14808409)

Right on... Is it an "immunity" because no one bothers to write viruses? Think of it: If you are a an evil software programmer, and you want to torment as many computer users as possible, do you write a program that affects 97% of the computers, or 2% of them. I wonder... and I hope this is not construed as flamebait here, but seriously. What would be the consequence of having a highly popular OPEN SOURCE OS in terms of security and hackability?

Re:Immune? (0)

Anonymous Coward | more than 8 years ago | (#14808492)

What would be the consequence of having a highly popular OPEN SOURCE OS in terms of security and hackability?
Something like Linux + Apache, you mean ... ?

Re:Immune? (2, Insightful)

theAtomicFireball (532233) | more than 8 years ago | (#14808423)

How many Mac users today run anti-virus software?

Hopefully very few. With the current state of affairs, anti-virus software for the Mac is a case of the cure being much worse than the disease. Even these recently discovered worms and the Safari vulnerability are relatively benign and can be protected against with a little common sense. In fact, most users hopefully are already safe from the Safari vulnerability since the "Open Safe Files" option was already the source of another vulnerability a while back.

By the time these vulnerabilities make it into the virus definitions, they are old hat. Plus, at least one *cough* Norton *cough* anti-virus for the Mac actually introduces a considerable number of new security vulnerabilities to the OS.

Sure, running anti-virus software on our machines will catch all those old Windows exploits but I'm not compromising my system to protect somebody else who didn't bother taking steps to protect their own machine... sorry.

If/When we start to see a critical mass of malicious viruses, trojans, or other malware targeted at the Mac that aren't stopped by common sense practices, then I'll look into Anti-Virus software... no sooner. Yeah, perhaps there's some risk in doing that, but far less risk than with running anti-virus software right now.

Re:Immune? (1)

Biff Stu (654099) | more than 8 years ago | (#14808550)

What exactly does Mac anti-virus software do? There are still no real self-propagating malicious worms on the platform. Yes, AV software can check for a couple of Trojans and the usual collection of Office macro viruses, but I can avoid that stuff without AV software. Even if something really serious breaks out, the software won't do a damn bit of good until the anti-virus companies update their definitions. When there is a serious threat and the software actually blocks the threat, I will fork over the cash and get some AV software. (Well, actually, given the utter lack of quality of Symantec software on the Mac platform, I am much more likely to get ClamAV and save a few bucks.) Until then, I will forgo the cost and performance hit associated with an AV package.

Re:Immune? (1)

Cyno (85911) | more than 8 years ago | (#14808604)

Alright then, what OS makes us safe?

I know OSX is safed by default than Windows. Its even safer than some Linux distros. That's not too shabby. I recommend an OS preconfigured with sane defaults like OSX or OpenBSD for computer illiterate users who want to access the internet. One could argue OSX is far more userfriendly than OpenBSD, atm, but some Linux distros are almost within their reach..

If we recommend sane defaults maybe we can get some sleep at night, huh?

not a worm or a virus! (5, Informative)

minus_273 (174041) | more than 8 years ago | (#14808263)

seriously if you have to manually download the program and enter your admin password, it is not a virus or a worm. I dont know why people keep calling it that. It is a Trojan and those have existed since the first rm -rf / script.

Re:not a worm or a virus! (1)

TeacherOfHeroes (892498) | more than 8 years ago | (#14808351)

How hard would it be to convince some average uses that the worm/virus/trojan that they're downloading is actually an amazing tool to "tweak" some aspect of their computer's performance (internet/speed/ram/etc...)?

Any such program could say that it just needs you to enter your password so that it can perform its miracles on your system, and let you have a faster compurer without paying for it.

Everyone wants something for free, and there are enough average users that don't know any better.

The social engineering snake-oil approach that will get people if the security hole doesn't

Re:not a worm or a virus! (1)

minus_273 (174041) | more than 8 years ago | (#14808445)

you can't really patch social engineering and it isnt the fault of the OS is it? I am sure there are things apple can do to limit the damage, but once a person has entered the password voluntarily in sudo, there is really not much you can do to stop it.

Re:not a worm or a virus! (1)

TeacherOfHeroes (892498) | more than 8 years ago | (#14808642)

Thats my point though. If everyone suddenly switched from windows to OS X, then you're going to have some of the same problems. You may not have worms cloging the internet like you do now, but chances are you'll still have to routinely clean up your neighbours/friends/relatives computers because of the nasty stuff that came in through the front door.

Re:not a worm or a virus! (4, Insightful)

AKAImBatman (238306) | more than 8 years ago | (#14808467)

How hard would it be to convince some average uses that the worm/virus/trojan that they're downloading is actually an amazing tool to "tweak" some aspect of their computer's performance (internet/speed/ram/etc...)?

The difference between the security hole approach and the social engineering approach, is that the latter starts and ends with stupid users. The worm cannot force its way onto the computers of more savy users like the RPC worms in Windows did. Instead, it will set off a huge number of warning flags with more experienced users, and perhaps prompt them to take action to clean other user's computers or encourage them not to run anything that asks for their password.

The end result is that such viruses could not spread as fast or as far as their Windows counterparts.

Re:not a worm or a virus! (1)

skinfitz (564041) | more than 8 years ago | (#14808396)

In that case you just shaved several thousands off the present number of Windows viruses as most 'viruses' these days are actually malware attached to emails.

Personally I would call them a 'viral trojan'.

Re:not a worm or a virus! (0)

Anonymous Coward | more than 8 years ago | (#14808511)

If malware runs without user intervention, it's a Trojan, no matter what platform. Code Red, on the other hand, is not a Trojan, it's an honest to god Worm, and is STILL ubiquitous.

Re:not a worm or a virus! (1)

skinfitz (564041) | more than 8 years ago | (#14808542)

If malware runs without user intervention, it's a Trojan, no matter what platform.

I think you meant to say 'virus' there, and I agree. With user intervention however, we have what I am calling a 'viral trojan'.

Yes it is... (1)

Afecks (899057) | more than 8 years ago | (#14808510)

A worm propagates by itself without user intervention. While at first glance it may seem that means the user doesn't have to run it in the first place, that's a common misconception. What it means is, once the program is active it is then able to spread itself via the network without user intervention. Unlike a virus, once active, merely infects files which then must be transferred to another computer from the original infected computer manually by the user.

The difference in a virus and worm is the method of propagation, not execution.

Re:not a worm or a virus! (0)

Anonymous Coward | more than 8 years ago | (#14808523)

The antivirus companies that drive and benefit from the hysteria over Windows viruses (and are likely behind many of them) have widened their definitions greatly over the last few years. The change in definitions accounts for a large portion of the increase in Windows attacks that they've been able to manufacture. And they appear to have finally decided to launch their campaign to penetrate the Mac and the cell phone markets. Papers and talks have appeared and been neatly timed with these worms/viruses or whatever you want to call them to try to stoke the spark into a real flame. They must have products ready or close to ready to roll. If the spark doesn't catch this time, there will simply keep sparking until they find the formula necessary to start the panic. Billions of dollars are at stake.

Re:not a worm or a virus! (1)

that _evil _gleek (598545) | more than 8 years ago | (#14808530)

And if that trojan contains a virus or a worm, it's a "dropper".

Re:not a worm or a virus! (2, Insightful)

foniksonik (573572) | more than 8 years ago | (#14808644)

Granted it's a trojan, but it's a Trojan that is being passed virally... ie: once downloaded by the first ignoramus, it attempts to re-distribute itself via Address Book (the equivalent of Outlooks contact list) and iChat (IM messenger app with hooks into AOL, .Mac and Netscape) whereby it becomes a virally transmitted trojan so that other victims can proceed to clicky-click it, thinking it is from a trusted source and thereby starting the process over... with their Address Book of targets...

Pretty nasty IMHO... I've turned on 'view all extension' and recommend all Mac users do the same until a patch is released (which I think should be as simple as a 'binary flag' or something similar that identifies an executable regardless of it's name, icon, extension or whatever... AND to buy or reimplement "Little Snitch" which is an awesome tool for letting you know when something is trying to access an outgoing port and gives you the option of allowing or denying it.... it may not stop you from getting a virus/worm but it will help you become aware of it and give you the option of containing it.

There's always Linux... (1)

the_humeister (922869) | more than 8 years ago | (#14808268)

...but I digress. Regular updates, safe web browsing, and not clicking email links should be the norm anyway regardless of operating system. Of course "safe web browsing" means different things to different people.

Hooray Social Engineering! (0)

Anonymous Coward | more than 8 years ago | (#14808270)

A virus is not a worm. If it requires you to execute it or interact with it in any way, it's not a worm.

Repeat after me: This is social engineering.

Re:Hooray Social Engineering! (1)

$RANDOMLUSER (804576) | more than 8 years ago | (#14808366)

It's not really a virus if it requires user intervention to be installed. It's just malware. And social engineering.

Go to a command window and type "sudo rm -rf /".

Re:Hooray Social Engineering! (1)

peragrin (659227) | more than 8 years ago | (#14808455)

Go to a command window and type "sudo rm -rf /".

I tried that but Windows responded command not found. I thought Windows supported old style commands like that?

Okay I was kidding I don't own a windows box anymore. The people who would try that on a Mac wouldn't know how to get to a terminal window anyway.

Re:Hooray Social Engineering! (0)

Anonymous Coward | more than 8 years ago | (#14808586)

I got the following as output:

anonymous_user is not in the sudoers file. This incident will be reported.

I'm not sure where I messed up. Could you point me to the FAQ? Man I wish this Linux stuff wasn't so hard.

Turn on (1)

kevin_conaway (585204) | more than 8 years ago | (#14808276)

So the virus turns the computer on, even after they've been shut off? Thats pretty cool.

Re:Turn on (1)

TubeSteak (669689) | more than 8 years ago | (#14808408)

So the virus turns the computer on, even after they've been shut off? Thats pretty cool.
Dude, that's not a bug, it's a feature.

WakeOnLan has been doing this for years.

(Don't blame Taco for the misleading headline, editors at the WSJ can screw up too)

Learn what a @#$(*&^ worm is! (1)

Alcimedes (398213) | more than 8 years ago | (#14808286)

Every reporter that misclassifies trojans and viruses as worms needs to be beaten over the head with a herring.

Worms are very different than viruses. Don't mix them up! It's not that hard!

Re:Learn what a @#$(*&^ worm is! (1)

deadlinegrunt (520160) | more than 8 years ago | (#14808458)

Is this anything like the hacker versus cracker? I'm not criticizing your standpoint more so than saying that people can complain hackers are good, crackers are bad. The public perception, and reality is, crackers are thin crisp wafers or biscuit; not some rogue hacker with malicious intent.

Worms, trojans, viruses - pretty sure this will fall under the above: For the technical minded and educated these are indeed very different things. The masses will lump the nomenclature of each together as synonyms for all.

Re:Learn what a @#$(*&^ worm is! (1)

dachshund (300733) | more than 8 years ago | (#14808500)

Worms are very different than viruses. Don't mix them up! It's not that hard!

This attitude can be taken too far. There are plenty of worms which have a trojan/virus component that allows them to spread through various barriers (e.g., firewalls) that a normal worm couldn't. In fact, it's generally bad design not to include this sort of flexibility in an attack if there's even a chance that it will be helpful. So what do we call these things?

Now, you are correct that (on the bright side) none of the Mac trojans/viruses includes a worm component yet.

Re:Learn what a @#$(*&^ worm is! (1)

B3ryllium (571199) | more than 8 years ago | (#14808620)

It's not a worm. It's a nematode!

Popularity decides if an OS is secure. (0)

gasmonso (929871) | more than 8 years ago | (#14808290)

An OS's security is directly related to its popularity. The less popular, the more secure and conversely, the more popular, the less secure. Hackers aren't gonna waste time on an unpopular OS. Whens the last time you heard of a security threat for BEOS? It's not because its secure... its because nobody uses it. []

Re:Popularity decides if an OS is secure. (3, Insightful)

theAtomicFireball (532233) | more than 8 years ago | (#14808514)

An OS's security is directly related to its popularity.
Hardly. There's a correlation, but it's not even close to being a direct correlation. If it were, there would be somewhere in the realm of 15,000 exploits in the wild for Mac OS X.

The situation just isn't as simple as you believe it to be. Sure, the number of people who use an operating system tends to have a relation to the number of people who develop for that system and also the number who have the skills necessary to create a virus, trojan, or worm. But there's more to it than that. Windows, although it's getting better, and hopefully Vista will be much better, has architectural issues that make it easier to exploit. It also has consumer-targeted development tools which have the sole intention of lowering the bar to new programmers. Combine these two, and you have a societal petrie dish ripe for creating malware authors - not only are there more people using the OS, but there are proportionately more people capable of writing malicious software and a system that is easier to exploit.

If the Mac had 95% market share, there would certainly be more malware, but the situation would simply not be as bad as it is for Windows right now.

I disagree with this (4, Insightful)

pHatidic (163975) | more than 8 years ago | (#14808291)

Windows has had what, like 200,000 Virus's in the last year? Apple has had two or three theoretical exploits that either require the user to run code by hand or else target services that most mac users don't turn on. Sounds like Apple is doing its job to me. And honestly this idea that as Apple gets more popular there will be more viruses is largely a load of crap. The notoriety of writing the first real virus for OS X would be vastly more than for writing yet another windows virus. The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed. I think if people start writing viruses for Apple it will be because Apple gets lazy and stops innovating, or else stops at least trying to fix the bugs in its software. Because right now both the means and the motive or there, but it's just not really happening.

Re:I disagree with this (0, Offtopic)

at_slashdot (674436) | more than 8 years ago | (#14808515)

"The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed."

I don't like Apple and I'm sure many other people share my dislike with closed source and proprietary Operating Systems and hardware.

Why would criminals care if Apple succeeds? (4, Insightful)

djtack (545324) | more than 8 years ago | (#14808535)

The reason why no one writes viruses for Apple is most likely because people like Apple and want them to succeed.

Considering that the main incentive for virus writers these days seems to be economic (profitable criminal activity such as spamming, phishing, DDOS blackmail, identity fraud), it seems unlikely to me that these criminals care if Apple succeeds. More likely, the profit motive isn't there, probably a result the combination of greater security on OSX, and smaller installed base.

Re:I disagree with this (1)

Farfromlosin (558901) | more than 8 years ago | (#14808635)

Wow. How is the weather on planet Oblivious? Is their sun, Naive, still burning brightly?

Vicious code writers haven't targeted Mac's because of the low count. Why would they spend hours writing code to exploit a few thousand computers when they can write code to exploit a few million? Simple numbers, nothing else.

Terminology (1)

CastrTroy (595695) | more than 8 years ago | (#14808292)

Most of the "worms" I've seen on Mac haven't actually been worms. They come in via safari and are disabled by unchecking a checkbox. It's not like the windows worms where they have a service that nobody uses listening on a port that is able to execute the code. And it doesn't trash the system because you don't have root access on by default.

Re:Terminology (1)

heinousjay (683506) | more than 8 years ago | (#14808583)

Yeah, because putting down Windows is terribly productive re: ensuring other operating systems are secure.

Posts like yours are the reason I laugh at anyone that takes Slashdot seriously.

Re:Terminology (0)

Anonymous Coward | more than 8 years ago | (#14808682)

What a lot of people are missing is that Apple not allowing root access makes zero difference to how bad a worm or trojan can be.

For a trojan or worm to be scary, it needs to have access to
a)your personal data (if this is what they're interested in)
b)your email account and address book to spread itself

How many people honestly have their computers set up so that they have to type in a password every time they open any document, or send an email?

Worms that have root access can obviously break your computer worse, and install things like key-loggers, bots etc. but 99% of important data on your computer and the ability to send emails is not root protected. You can always reinstall your OS if that's hacked, but it's not so easy to un-steal your social security number.

Asking Symantec about this? (0, Redundant)

tbone1 (309237) | more than 8 years ago | (#14808294)

Good gravy, there is an objective opinion from someone without a product to sell. What next, asking a journalist about the integrity of the press?

A virus free world (1)

Sidde (758228) | more than 8 years ago | (#14808301)

If companies like Symantec would stop making those damn viruses the world would be virus free. But then companies like Symantec would not be needed.
And if they can't make any viruses, they start making up shit about that it is not safe for users anyway.

I guess this will test ... (3, Insightful)

hattig (47930) | more than 8 years ago | (#14808314)

I guess this will test whether Apple's approach to security (i.e., pretty much like Unix's) is better or worse than Microsoft's.

I.e., will these worms affect the whole computer because of a fault in the operating system, or will they affect only a single user on the computer because of a software issue that let the worm in to play in that user's space, or will it affect people only because of user stupidity ('ooh, really, clicking on this will make my pen0r bigger!')?

Note that Microsoft gets critical security issues fairly often with their approach.

The recent Apple issues have been lowest rated security issues.

Certainly I think that not having users run as root by default will help Mac OS X, but that doesn't stop them entering their password when prompted.

You can't secure against user stupidity except by scanning each file that they try to execute for viruses. And that means virus checkers, and the associated slowdowns they bring.

Re:I guess this will test ... (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#14808480)

Certainly I think that not having users run as root by default will help Mac OS X, but that doesn't stop them entering their password when prompted. You can't secure against user stupidity except by scanning each file that they try to execute for viruses. And that means virus checkers, and the associated slowdowns they bring.

I disagree. Creating a blacklist of malware is a way to make machines more secure, but it is only one third of the equation. In addition modern OS's should be implementing jails, ACLs, or VMs for new executables of any sort and providing them with a very limited access to the OS. Further these default limitations need to be built around a very usable UI that informs the user about any unusual behaviors a program wants to use in plain, understandable language. It should have sensible, restrictive defaults. Finally, the application dev tools should encourage the development of programs that don't run afoul of these rules and minimize inconvenience for users. Users should only rarely be asked to let a program have additional privileges and it should always be framed in such a way that the user needs to understand what the program wants to do in order to enter the right decision. For example, "This program would like to read your e-mail address book. (Don't let it read my address book)(Let it read my e-mail address book)" That right there would stop a huge number of malware applications from propagating.

Re:I guess this will test ... (1)

InsaneGeek (175763) | more than 8 years ago | (#14808502)

The unfortunate thing is that for most PC's out there, they really only use one account; and from my small exposure to Mac users they tend to use even fewer system accounts. So in that sense they can't take over the entire box, but if all the stuff you cared about in your system now gone, having an OS still there doesn't really give one any relief. In the grand scheme of things there is no difference, if all my docs are gone and I've got to reinstall the entire OS, or I've got an OS but all my docs are still gone.

All of the success spyware has had shows the stupidity level of the majority of users; for the most part you had to give permission to install an app.

In the end, I think everybody's up for a bumby ride and it's market penetration that drives # of security breaches for the desktop, as Windows/OSX/Linux/Solaris architecture aren't the weakest link but the guy behind the keyboard and changing the OS doesn't change the guy behind the wheel.

Childishness (2, Funny)

LiquidCoooled (634315) | more than 8 years ago | (#14808321)

Folks don't need to worry.

Using google images as a definitive source, I tried the following searches

Microsoft worm


apple worm

Surprisingly the Microsoft one was filled with warning messages and exclamation marks and maggots.

Meanwhile the apple one was all cutesy and cartoony and fluffy (some of the worms even appear to be wearing turtle necks)

The world will continue to turn.

so what (0)

Anonymous Coward | more than 8 years ago | (#14808322)

No one ever said Macs were perfect, just that they are better. It's amazing to me how there can be hundreds upon hundreds of fllaws in Windows, but as soon as a token flaw is discovered in the Mac somehow Wlindows users feel vindicated. I suppose it's a matter of emotional self-defense - they don't want to feel bad about buying/using Windows, so the smallest Mac flaw is exaggerated.

Consider the source (1)

mblase (200735) | more than 8 years ago | (#14808326)

A Symantec engineer predicts a 'gradual erosion' of the idea that Macs are a safer operating system than Windows.

Well, yeah... Symantec has kind of a vested interest in gradually eroding that idea, don't they?

Re:Consider the source (1)

tomstdenis (446163) | more than 8 years ago | (#14808475)


*golf clap*

Now will people stop investong in "protection rackets"???


Lets be fair, folks (2, Insightful)

endrue (927487) | more than 8 years ago | (#14808330)

Every piece of code is subject to exploits. Show me a program/OS that is 100% infallible and I will show you a liar. I think that the main reason OS/X (and *nix for that matter) was considered to be rock-solid is because very few people were taking shots at it. Now I do realize that *nix-based OSs do plug up the obvious holes that MS left open. But don't assume that just because no one has broken into your house yet that your house is completely secure.

A computer is only as secure as its maintainer. I am running a small network at home that has a mishmash of linux and Windows computers. Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid. The same thing applies with this story - Macs can be exploited because that is the nature of the business. We usually find the holes because some numbnut exploits it.

Just my $0.02

- Andrew

Re:Lets be fair, folks (1)

cyber-vandal (148830) | more than 8 years ago | (#14808431)

Of course doing stuff in Linux rarely requires root access, unlike Windows. Now you can blame the app designers if you like (and I do), but setting an app to run as root while the rest of your work is done as a limited user is very easy in Linux, however I've yet to find a way on XP Home. Run As just isn't good enough, anything that runs at start up can't be set to run as a different user, and you also can't set it to be default behaviour, you have to keep doing Run As each time.
I bet the Wintrolls will now tell me to use XP Pro, but since I'm not a pirate, and nor do I have spare cash for it or the inclination to stump up for an OS I pretty much already have, you can save your bandwidth.

Trolls, how I feed thee. (0)

Anonymous Coward | more than 8 years ago | (#14808527)

What do you mean, "very few people were taking shots at it"? The whole premise behind security in an open source system is the concept that A LOT OF PEOPLE take shots at the system.

Unix has been running on servers for years. People have been trying to chip away at the security of these machines for just as long as they have been around. Whole hacking communities were created around attacking the security of these machines. To claim that few people have attempted to usurp the security in unix and linux based machines is preposterous.


"A computer is only as secure as its maintainer. [...] Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid."

Forgive me for saying, but the only thing stupid about what you have said is your assumption. You assume that because any program MAY have holes, that every program is EQUALLY open to insecurity.

Re:Lets be fair, folks (0)

Anonymous Coward | more than 8 years ago | (#14808547)

int main(int argc, char **argv) {
return 0; //i win

Re:Lets be fair, folks (0)

Anonymous Coward | more than 8 years ago | (#14808609)

Your logic is flawed. Sure no OS is 100% safe. This is a given. Anyone saying the opposite is a liar. But, you're painting it wrong: Anyone using linux or OSX is safer than a windows user by a factor of I guess 1/10.000 (?) at this time. That being the analogy of malware on say linux/windows or OSX/windows. For any attacks other than automated ones, I beleive security is analogous to the skills of the system administrator.

It's not that Linux is secure (2, Insightful)

typical (886006) | more than 8 years ago | (#14808656)

Now is it right for me to say that my linux computers are more secure just because they are running linux? No, that's stupid.

It's not that Linux is secure. It's that Windows is *insecure*.

Microsoft had a long period (perhaps over?) where they introduced *horribly* insecure designs -- making decisions that completely ignored security in the name of any shred of functionality that they might gain. (And those designs still affect us today.) Double-click execution of executables in email, using their full-blown web browser to view emails (which escallated any security hole in a web browser into a worm-class bug), default of no Administrator password on NT, default share all drives (but make them "invisible" to other Windows machines), design a windowing API that essentially makes local security on a computer impossible, have a system where each file has many names (which makes it damned difficult to write a secure server), encourage people to use threads (because their OS lacked copy-on-write), omit the ability to create chroot jails from their OS, run all kinds of servers by default (remember Messenger Service and the spam that you *knew* was going to happen?) allowing IP-baed access and then proceed to blame sysadmins for not firewalling Windows boxes because Win machines weren't usable out of box on the Internet, bundle telnet but not ssh, and so forth.

Hmm...other goodies. POSIX places hard bounds on what calls do. Microsoft provides MSDN, which provides some examples and no guarantees. It's a tutorial, not a spec. Writing secure software when you don't have guarantees on *exactly* what a call can do or will do in future revisions of the OS is damned impossible. Because Windows isn't a very usable multi-user machine, software authors essentially ignored local security for years -- most Windows software can be attacked every way to Sunday locally (though I'll grant that this wasn't directly MS's fault). There are local security vulnerabilities in Unix software as well, but people actually *care* about them and fix them if they can find them, and don't just introduce them without a care in the world.

Secure software is correct software, and because Windows tries to guarantee binary compatibility and there is only one Windows, developers don't often look up the spec (when I code serious software under Linux, I have the C99 spec in one window and the POSIX spec in the other). It's just a matter of "well, I've passed in this invalid value and it seems to work, and it'll probably keep going". That drives me nuts. Try saying that on comp.unix.programmer, and you'll discover a higher standard.

And MS is still doing it. Okay, .NET does solve buffer overruns (unless you make any calls into Win32 or other C code, which Microsoft makes unnecessarily difficult to do correctly), but it pushes threads even harder. Secure software has to be correct, and threaded correct software is an oxymoron. Now you've got race conditions. The only race condition I usually have to worry about in a typical Unix software package is use of tmpnam() (and every time anyone compiles a piece of software, they get warned about it).

Now, Microsoft provides lots of security *administration* tools. They provide a sophisticated (I'd even argue overcomplicated -- in the vein of VMS, the problem is not a lack of controls, but in users not understanding the system fully) ACL system. The rules for what exactly happens with permissions when copying files around are bonkers. Sure, most users don't care, but if you're trying to write a system that doesn't have security holes, it's a royal pain in the ass. If it takes a ton of work to figure out and write something properly, developers will just stuff a maximally-permissive ACL on something -- under Unix, you have exactly 12 bits and an owner and group to worry about, and there's the extent of your permission system.

But the problem isn't a lack of frontends and tools. It's the coding and design practices, and that's just harder to fix. I don't blame Microsoft for doing a bad job of cleanup (and some things are impressive -- they did the same thing Red Hat did and added NX support to their stack, which I figured that the doctrine of "don't break old software" would never have let them do). The problem is all the stuff that got put in place with no regard for security in the *first* place.

Microsoft *did* churn out a "best security administration practices" document with the USG, which was, I think, awfully worthwhile in bang-for-the-buck. They should maintain these, because they are a Good Thing. (I'd like to see a "best security development practices" document too.) It might be nice to see some development tools -- try building features into Visual Studio that warn developers when they do stupid things to the greatest extent possible -- you do control the platform's compiler, folks, and gcc is ahead of you here. Perl has taint mode, which is damn useful. Why do none of your languages try doing something similar? Make it *easy* to write secure software instead of a constant battle, and people will do so.

Simple math... (1)

fitten (521191) | more than 8 years ago | (#14808333)

Simple math based on market share show why malware writers haven't targeted much more than Windows (not that Windows isn't easily compromised). If you write something that has almost no chance or spreading around, or even if it does, won't do much, what's the point?

Now that Macs are getting popular, we'll see more of it... the same goes for Linux. It's simply a matter of time.

Re:Simple math... (1)

imroy (755) | more than 8 years ago | (#14808517)

Uh right. Care to explain then why there aren't worms spreading via Apache? Or Nokia mobile phones? Or Blackberrys. Or all sorts of other really popular software/devices?

Popularity and exposure play important roles, but not as much as other issues like ingrained behaviour, or unpatched vulnerabilities. Windows PC's may be pretty damn ubiquitous, but don't forget that they're so easy to attack!

Faulty reporting (1)

katorga (623930) | more than 8 years ago | (#14808335)

Mac's are not "immune" to anything.

They are not "targeted" due to their small market share. They are also not targeted due to the fact that they keep changing OSs, processors and whatnot such that any Mac (OSX PPC, OSX x86, OS9 PPC, OS9 Moto) is a subset of an already small market share.

Windows is a huge bullseye due to is truly massive installed base. Linux will be the next target.

Re:Faulty reporting (1)

feranick (858651) | more than 8 years ago | (#14808565)

Why you say that Linux will be the next target? I think a Linux user (mind, I am saying user, not Linux box) is inherently more security-conscious that a regular Mac user. So linux itself could be as insecure as anything, but their administrator should be more prepared to face threats than regular OSX user, specifically those who are affected by the "invincibility" virus.

Re:Faulty reporting (1)

dswartz (749795) | more than 8 years ago | (#14808580)

Serious question. What are the differences between OS PPC and OS Moto, or OSX PPC and OSX x86, that result in a trojan, worm, or virus succeeding on one, but not the other?

Mac OS X in the malware picture? (2, Funny)

sprins (717461) | more than 8 years ago | (#14808339)

...bad guys appear to be casing the joint...
Dang! Well, back to OS/2 for that good ol' "security by obscurity" strategy.

Basic Steps (1)

ZachPruckowski (918562) | more than 8 years ago | (#14808376)

There are like 4 steps to protecting yourself against viruses on Macs:

1) Leave your firewall on as many ports as possible. Only open it on non-major ports when you're actually using them (it's so easy to change if you want to)
2) Block images in email and don't open DLed crap.
3)Don't run as Admin. make a new account, check the admin box, and uncheck yours.
4)If you're super-paranoid, change the privledges to Terminal to take away everyone's access except root.

These steps literally took 3 minutes on Tiger.

Re:Basic Steps (1)

Nerdfest (867930) | more than 8 years ago | (#14808667)

Blocking images on emil is an unreasonable step that shouldn't be required. Major companies use HTML with images in advertising, and some of us acually request to be sent those adds. Simply viewing an emain should not need to be a restricted operation. Removing a users ability to perform common tasks is not an acceptable way to enforce security, it's just hiding the problems.

Getting the Worms (1)

sjonke (457707) | more than 8 years ago | (#14808378)

I've got your "bird" right here, Symantec.

'Worms' (1)

BenjyD (316700) | more than 8 years ago | (#14808381)

The worms didn't appear to inflict any meaningful harm on Macs -- they required users to go through several steps on their computers before being infected.

Doesn't the fact that they require user intervention to propogate make them not worms but trojan horses? Every OS is vulnerable to those, from Irix to Windows.

When Apples get worms... (1)

digitaldc (879047) | more than 8 years ago | (#14808384)

...use RAID []

Overreaction (1)

dfj225 (587560) | more than 8 years ago | (#14808416)

Personally, these two "worms" for OS X don't worry me too much. They both seem to require user interaction inorder to infect the system. What will really be of concern is a worm that can spread without the user being involved in any way. Personally, I think that OS X is much less likely to suffer from exploits of this type than Windows.

It's not that Mac OS X is "virus-proof" (4, Insightful)

jht (5006) | more than 8 years ago | (#14808432)

It's never been that (at least for most people). The advantage of Mac OS X is that it is less vulnerable than Windows (making Windows an easier target), and that Apple made decisions in the design process that mean that the typical consequences of a flaw are less severe. In recent years, Microsoft has attempted to harden Windows further and reduce their exposure - in W2K3 Server, for instance, they've done a pretty good job of it.

Even if Apple magically pulls some sort of super OS-jujitsu that reverses their market share and Microsoft's, the basic architecture will stay the same underneath - and that means Apple will have their relative advantages intact for the foreseeable future. Windows is, as its heart, an OS that has traded off many security options for ease of access and ease of programming. Apple had the advantage of seeing what was already happening to Windows when they made their decisions about how OS X would be designed, plus the system it was derived from was pretty robust to begin with.

There will be viruses that attack Mac OS X. Some will do a pretty good job of attacking. I'm kind of surprised it's taken this long to get there. But I'm also not expecting it ever to compare to Windows in that regard.

Duh? (1)

SchrodingersRoot (943800) | more than 8 years ago | (#14808442)

Some security experts believe hackers are becoming more interested in writing nasty code for Macs precisely because of reports of its relative immunity to security woes

This is what I've been saying for a while. Really, it's kind of a self-evident thing. Let's face it, the hacker (and/or cracker) mentality is often to do things to see if/because it's possible. It's the entire point. Just like government targets have historically been more tempting because they're supposed to be more secure, the more 'impossible' it is to do something, the higher that temptation. It's about cred and skill and kung fu. And there are people that think that way that have destructive, rather than constructive aims with this. Especially given the attitudes of some Mac users. Finagle knows it ain't all of them, but honestly, there are plenty that even I occasionally wouldn't mind seeing taken down a peg or two.

Everyone (at least anyone who writes code) knows any non-trivial system is going to have bugs, and weaknesses, of some sort. Will there be a pandemic like with Windows boxen? I doubt it, but on the other hand, I also doubt that all Macs have 3 inch hypersteel plating with regenerating plasma shields and a cloaking device. Maybe that's just me, though.

Application versus Operating System (2, Informative)

webjedi (106085) | more than 8 years ago | (#14808454)


The key thing to eyeball here, with all the FUD that has been stirred up, is there are OS vulnerabilities and application vulnerabilities. Much like the annual brew-haha when we comapre Linux versus Windows, you must make a clear differentiation.

Like Linux, I would never count, say an Apache hole against Mac nor Linux, since it's an application that is added after a base install. However, unlike Mac or Linux, Windows flaws are very much a hybrid. Windows really doesn't function much as Windows without IE (try reviewing a browser hijack, and see that the file explorer uses the IE render engine to see that an IE flaw is an OS flaw), and subsequent issues with IE are counted against the OS.

The issues found recently with Bluetooh OBEX and the Safari "open anything" flaw are two examples of differentiators. the OBEX flaw, is yes, a core OS issue, however, it was identified and patched two patches ago (10.4.3), Apple is no longer shipping the OS in that rev anymore. Minus one to OS security for Apple. Hoever, Safari, an application above the core OS, had a "bad settings default" besides the overall flaw in the app. In short, both are avoidable through an alteration in settings or application of an old patch. To be surprised that the Mac is "insecure" by the press FUD is rediculous.

Windows, as I sit on Microsoft briefings to my company each month, have not only application security issues on a predictable and regular basis (slow months in the summer and December are do to staff vacations), but because many of those apps are so tied into the core workings of the Operating System, that each new flaw opens a bigger hole that build upon each other. A standard install of XP out of the box takes 38 patches plus the two required to just upgerade to the latest version of Windows Update. WTF?! And that does even cover the OS settings needed to make it "generaly" safe to put on the Internet.

I feel safe putting ANY Mac, BSD or Linux box on the net for a half hour while I patch, because, in general are most of the distributions have reasonable defaults set, but, as they stay current, it makes it much less appetizing for the latest virus, worm, or hax0r than your default XP install. As it is with big business security, you don't nessesarily have to be the most secure, you just have to be less appetizing than the next guy down the row.

I'm truly sick of the news media (print, on-line, and TV) spreading unknowledgeable FUD to the masses, just because it's "something different" without recognizing why it may be different, let alone the overall truths. Remember kids, duck and cover!

FUD from Symantec and others (1)

jimbo-nally (655135) | more than 8 years ago | (#14808470)

Nothing to see here... move along.

My apple has a worm in it! (1)

Joseph_V (908814) | more than 8 years ago | (#14808473)

Don't worry they all do

root (1)

Chief Typist (110285) | more than 8 years ago | (#14808477)

The day that I don't have to enter an admin password to modify a file in one of the root directories is the day that I start worrying about security on my Mac.


Wired article re: Mac security (4, Interesting)

Kaimelar (121741) | more than 8 years ago | (#14808488)

A recent columnist at Wired said what I was thinking already [] :

From the linked article:

"These Mac security holes are a storm in a teacup. They've inspired hundreds of stories in the press and even the national network news, but if they were Windows holes, no one would have blinked.

That's because holes in Windows are routine, business as usual, while it now appears the Mac is under attack thanks to Apple's brand-new high profile. But this isn't the case.

Last month, there were four "massive" virus attacks on Windows, according to Commtouch, an antispam and antivirus vendor. Indeed, viruses are now so aggressive, they routinely outpace attempts by antivirus companies to distribute protective signatures.

This state of affairs is now so common, I hadn't noticed -- and I work for a technology news site. "Virulent computer virus infects millions worldwide, other non-news at 11."

These Mac "threats" are only news because of their novelty, not the threat level they pose."

Computer 'Worms' Turn on Macs (1)

revery (456516) | more than 8 years ago | (#14808529)

Computer 'Worms' Turn on Macs

Worst. Switch Ad. Ever.

Monopoly? (1)

AviLazar (741826) | more than 8 years ago | (#14808533)

As MS gives up its last true monopoly! ;)

And here I always thought... (1)

brunes69 (86786) | more than 8 years ago | (#14808590)

...what turned on Macs as a sexy iPod, just waiting for it's upload.

I guess it's hard to compete with an "agressive worm".

Is this..... (1)

TangoCharlie (113383) | more than 8 years ago | (#14808622)

..the definition of FUD?!

Seriously, it seems liek every week that I read a slashdot article which proclaims that the days of the virus-free Mac environment are numbered, and that Mac users will soon be the number 1 target of the malware writers. It seems that if you can use the words "Mac" and "virus" ** in the same article then you're bound to get it posted on some tech news-sh^Hite. Then give it two or three days and virtually the same article will pop-up on the BBC's website with even more inflated dire warnings.

Everyone knows that Macs "could" be susceptible to malware, so why do we keep on hearing the same doom story over-and-over again? Why not wait until there is a real threat?!

Well, we know why don't we?! It's because the anti-virus / anti-spyware vendors aren't getting their fair share of money from Mac users, and so they keep banging on with their FUD!

** or Tojan, malware, spyware, etc...

Man bites dog journalism (3, Informative)

plopez (54068) | more than 8 years ago | (#14808632)

Typical 'man bites dog' approach. If it is unusual, it is news. Microsoft Windows is a bug ridden unsecure OS, but since everyone (or at least 90% of users) use it it is not news. No one questions why a defective product exists or what it is actually costing in lost productivity. It is normal in most users' worlds, those users who never have experienced anything else.

OS X exploits are news only because they are unusual (though it does serve as an early warning, I sincerely hope Apple is busy auditing their code base). The fact that they are not as severe as Windows exploits, requires more user intervention and are often limited in scope are not discussed or probably understood by most people.

Macintosh does a few things right (1)

jaygatsby27 (894445) | more than 8 years ago | (#14808681)

The thing the Mac does that really should be automatic in Windows, and should be in Vista, is that it doesn't give its users full rights. Each time you do an install it requires your password, otherwise you have standard user rights, which prevent a lot of programs auto-installing. I have been using non-mac pc's for a long, long time and finally bought my first mac this month, so I am looking at everything through a Windows lens. I think the security settings make more sense on the Mac, as does the closed nature of the operating system. It leaves fewer opportunities for the end user to do something stupid, or more likely, prevents them opening up security holes by not doing something. This is probably all my fault for buying a Mac. Be warned, I just installed Linux for the first time, as well, so there is no doubt trouble on that horizon, too.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?