Urgent warning to Mac users over fake browser updates that can steal your passwords - here's how to spot them

[THX-1139]

Just a friendly FYI "Heads up" for those that use these.
https://www.dailymail.co.uk/sciencetech/article-12783767/Urgent-warning-Mac-users-fake-browser-updates-steal-passwords-heres-spot-them.html

[RealityRipple]

meanwhile, legitimate software gets blocked by apple's developer paywall

[moonbat]

Despite the internet being around for more than 30 years, people still don't get the basics.

• The official website is the only true source of any information regarding the software you use.
• An actual browser update won't be a tiny 478 kb file as seen in the screenshot, nor would you be asked to download it from a bare directory.

Somehow the internet has only amplified the effects of the terminally dumb, the sort who would flunk an IQ test but are still somehow online. If this sounds elitist, then so be it. No other technology has been around for close to two generations and still has people so clueless about it. This would be like a car owner anytime after 1930 possessing a driving license and being out on the road while still getting confused between accelerator,brake and clutch pedals.

[athenian200]

Somehow the internet has only amplified the effects of the terminally dumb, the sort who would flunk an IQ test but are still somehow online. If this sounds elitist, then so be it. No other technology has been around for close to two generations and still has people so clueless about it. This would be like a car owner anytime after 1930 possessing a driving license and being out on the road while still getting confused between accelerator,brake and clutch pedals.

The main issue is actually that it's been made easier for people who don't understand anything about computers to use the Internet, which means we actually have an increasing number of clueless people online who are dependent on safeguards being built in to protect them from themselves. So if anything, the average Internet user now is a lot less capable of understanding the Internet than the average Internet user 20 years ago. That is to say, we have gone backwards on that front because it's been made very easy, and the lines between being online and offline have been blurred so that accessing an online resource is not a big deal anymore, even though it should be.

In the 1990s, you had to explicitly connect your computer to the Internet, offline was the default. In the 2000s, broadband was increasing the likelihood of being always on, but the separation between local and online was still clear. By the 2010s, the distinction between offline and online was getting really blurry with lots of things in an OS automatically accessing online resources and even encouraging you to rely on them, which means no one knows to be careful online. And it's even worse because smartphones/tablets rely on big icons and have a very child-friendly interface to the point that toddlers can figure out how to use them without even knowing how to read. If we have illiterate people using computers now, we're past the point where we can expect them to understand the concept of the Internet, let alone the concept of online safety.

With cars, we went in the opposite direction and put age restrictions on who could use them, required people to be licensed to drive and undergo basic training to use a car. With the Internet, everyone has strived to make it accessible to toddlers and require everyone to be protected from themselves. If cars had gone in the same direction as the Internet, with children allowed to use them, we'd all be driving bumper cars and limited to something like 10 miles an hour, and they wouldn't be user-serviceable at all.

[moonbat]

And the worst thing is software vendors are now dumbing things down to the lowest common denominator, thereby alienating those of us with more than 2 brain cells to rub together.

[Kris_88]

The problem is that every program gets user rights. While programs have long become independent entities that do whatever they want and about which the user, in essence, knows nothing. The user does not know who actually developed the program, what he was thinking about at that time, what errors and security holes are in the program. And at the same time, the user must either blindly trust the program or not use it at all. Since each program is a separate entity, it should be allocated its own small box and all interactions with the rest of the space should be controlled by the user. The world has changed a long time ago, but we still use the old ideology and blame the user for everything.

[Kris_88]

Yes, but that's not all
The developer also knows little about his program. Standard situation: “Yes, we used a third-party library here... Yes, it is the third-party library that uses this function... Yes, it is not entirely clear why it uses this function... No, we will not change this, because otherwise we will have problems with updates..." I'm not saying this is good or bad. I'm saying that's the way it is right now. And under these conditions, giving a program user rights is an extremely outdated ideology and the cause of most problems. This puts the user in a very difficult situation and it is strange to blame the user for not recognizing a virus based on the atypical size of the executable file.

[Moonchild]

I think the essential difference is that the "old guard" of internet users were actually taught computer education in school, were taught in a curriculum how computers work, how networks work, and what actually a program is and how it fundamentally operates and interacts with an O.S. -- That doesn't make the old guard somehow "less dumb", it just makes them better-educated and therefore more aware of risky situations. And i do think that lack of education and ignorance to danger as a result is very much to blame on the user, or, at the very least, blame society/education for allowing the user to use the internet without having the first clue about where they are and what they are doing. A compulsory basic course on internet usage and netiquette would go a long way, I think.

The problem is that every program gets user rights.

There isn't really a way around that though. The user executes the program; the program needs access to user space for the necessary separation of program code and user data. The hierarchy of having that clear separation allows for clear user control, allowing program updates without risk of data loss, and allows data to be centrally accessible and interchanged between different programs. It works, and works well (ignoring the bad practice of installing programs in user data space like Chrome and a collection of others...). While strictly separating programs from each other might be an idea for some situations, it's not desirable in general as cross-program-access isn't really a thing, but "My Documents" as a single repository of saved documents is a thing and is what users would desire. If you'd separate out the programs you wouldn't be able to have a singular save location. while at the same time also not solving the malicious fake update problem (which is just a web page anyway, and only user behaviour can stop its abuse).

[Kris_88]

If you'd separate out the programs you wouldn't be able to have a singular save location.

Let's say the user has launched Word and wants to open a file for editing. It performs the corresponding action in the menu, Word uses a system function to display a list of drives, folders, files, ... etc. The user selects a file, the system opens the file and provides a handler to Word. Everything looks as usual to the user. The only difference is that Word does not have access to everything, but only to what the system has provided under the guidance of the user. It is not Word that displays a list of folders (it does not have access to them), but the system.
And, no, I’m not saying that I imagine the entire ideology down to the smallest detail.

[Moonchild]

The only difference is that Word does not have access to everything, but only to what the system has provided under the guidance of the user. It is not Word that displays a list of folders (it does not have access to them), but the system.

Ah you were thinking about something else than what I thought.
It already works that way, at least on Windows. it's called "common dialogs". You just tell the OS to handle opening a file and the program itself never gets any of the files/folder data the user browses through finding the file to open, aside from the one specific path and file name that is returned from the dialog. So no, that's nothing new, but it doesn't solve the problem that the program will then make the call-out to actually open the file, requiring access to that folder/storage location. Same for saving, it will require access to that location. And filesystems are simply not that granular -- what you seem to be thinking of is a database-like storage system where files have granular accessor rights. That actually has been implemented in a few ways in various experiments but i don't think it was ever practical enough to make into a usable FS, I think primarily because users want direct access to manipulate files and this would make it really cumbersome to keep track of.
You can however approach this with file and group access rights and ownership. However, most systems are not really set up to have strict access policies. Once again most likely because it becomes impractical really quickly.

[Kris_88]

it's called "common dialogs". You just tell the OS to handle opening a file and the program itself never gets any of the files/folder data the user browses through finding the file to open, aside from the one specific path and file name that is returned from the dialog. So no, that's nothing new, but it doesn't solve the problem that the program will then make the call-out to actually open the file, requiring access to that folder/storage location.

No, I wrote something completely different. Common Dialogs has the rights of the calling program, AFAIK. This is not a system function, but a regular function (albeit in the standard system library). What I’m saying is that the file selection dialog operates with user rights, it can display all files, but then give the program access only to the selected file. The program itself has rights only to its own box, it does not have user rights. To obtain the right to work with a specific external file, the program uses a system dialog that has user rights. This is not the case in Windows.

[Moonchild]

That is just not how process hierarchy works. You cannot have a program spawn a dialog as part of it that has more rights than the calling program.

[Kris_88]

That is just not how process hierarchy works. You cannot have a program spawn a dialog as part of it that has more rights than the calling program.

A program can create a file; to do this, it calls a system function that performs all physical operations on the disk. At the same time, the program itself does not have the rights to perform physical operations on the disk.
And yes, I’m talking about the file selection dialog, not as a regular program window, but as a system function that has other rights.

[moonbat]

With Windows, I'd say the biggest problem so far has been users running with full administrator privileges, so any malicious program easily has access to the whole system. To fix it now we have the other extreme where even with an admin account you are unable to change certain settings or modify certain files.

[suzyne]

I think part of the "modern" problem is the falling cost of technology.

If computers were still expensive and a household was considered fortunate or lucky to own one, who would care about storing things online? It's the only computer I use and all my data is on my C drive. But now I own multiple devices and want to access my data everywhere and not only what was once my single computer, but at work and on the train too. Enter, always being online.

If computing technology wasn't so affordable, our expectation of using it anywhere and everywhere wouldn't even exist. I am simplifying some of the issues, but falling costs is another factor that explains where we are today.

[RealityRipple]

I've always thought you should have to take a computer literacy test to get a license to use a networked computer. I also think they should have core GUI concepts/computer jargon/fraud recognition classes and instructors available to the public, the same as they have driving classes.

[Moonchild]

I've always thought you should have to take a computer literacy test to get a license to use a networked computer. I also think they should have core GUI concepts/computer jargon/fraud recognition classes and instructors available to the public, the same as they have driving classes.

I 100% agree. Ultimately it's about reducing PEBCAK as a cause, and some basic education would literally kill most of the grifting/scamming out there that has gone totally bonkers.

[Kris_88]

Of course, if developers create programs and even operating systems in such a way that security updates are then needed every week for many years, and then without fixing all the problems they release the next version with the same problems, then the user should not be allowed to access the computer without special training. It is also highly advisable to use body armor, a helmet and put a condom on the network cable.