XPost: alt.comp.os.windows-11, comp.os.linux

there's a cocoa pods hole in the apple ecosystem which allowed for more
than a decade anyone in the world the permission to inject into any of over three million ios or macos applications any code they wanted to inject.

does this security hole also exist in the windows or linux ecosystem? https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: alt.comp.os.windows-11

Nick Cine wrote:

there's a cocoa pods hole in the apple ecosystem which allowed for more
than a decade anyone in the world the permission to inject into any of over three million ios or macos applications any code they wanted to inject.

does this security hole also exist in the windows or linux ecosystem? https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

Translation:

"Nick Cine" wants to troll the Apple newsgroups about a hole,
which "Nick" hopes to claim does not exist in other operating
systems.

"Nick Cine" first wishes to check whether this hole does or
does not exist in other operating systems (to avoid the risk
of looking like a fool).

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: alt.comp.os.windows-11, comp.os.linux

On 7/7/2024 11:20 PM, Nick Cine wrote:

there's a cocoa pods hole in the apple ecosystem which allowed for more
than a decade anyone in the world the permission to inject into any of over three million ios or macos applications any code they wanted to inject.

does this security hole also exist in the windows or linux ecosystem? https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

Any software can have vulnerabilities. That's how the NSA
and Israeli spooks continue to churn out 0-days for their
spying... which then get used as malware by others.

This sounds worse mainly because Macs are widely believed
to be ultra-safe computers sprinkled with fairy dust. Aside from
artists who think (20 years out of date) that Macs are better for
artists, probably the second-most numerous Apple fans are the
ones who thought that Mac meant they didn't have to understand
ANYTHING about security.

The CocoaPods thing seems to have been in that glow of
magical protection that Macs are believed to have. But it's actually
a shared library system, used widely, with no one minding the store.
From reading the article it sounds like the equivalent on Windows
would be if programmers believed that anything with a "DLL" file
extension was tested and confirmed safe by Microsoft.

But we shouldn't get too smug. Most popular DLLs are dependent
on the reputation and security of the authors. The same is also
true for software programs. Unlike Macs, on Windows anyone can
write software and distribute it, using whatever tools they like. They're
not slaves to Cocoa and they don't have to pay Timmy Cook a kickback.
Very few such programmers are security experts. A surprising number
don't know what dependencies their software has. When you install
a program you're trusting that the author is not only honest but
also competent. But how competent can someone be when they don't
even know what libraries their software needs? ("It ran fine on my
computer, so I can't imagine what the problem is on your end.")

So the Windows "ecosystem" is probably less secure, but benefits
from being less ninny-headed. Nevertheless, if someone managed
to do something like replace ffmpeg or popular ZIP DLLs that are used
widely, that could result in massive malware infestations.

Linux is an interesting case. The number of versions and names of
support libraries is mind-boggling. When you update a program on
Linux it invariably wants 2 dozen libraries, and there's no backward compatibility. It's not enough that you have wqkeeia v. 1.23.4567.
The new program MUST have v. 1.23.4568. And what's wqkeeia?
Who knows? The names are all like that. There's no hope of exercising
any control over what's on the system. It's so overcomplicated that
the OS itself is expected to manage software with a "package manager".

On the bright side, problems seem to be rare, probably because a
lot of talented programmers are overseeing Linux development. On the
other hand, unless you're a talented Linux developer you'd have zero
chance of catching malware, what with dripfeed updates happening
all the time to update mysterious things like wqkeeia. That's one
of the reasons that I avoid Linux. One is expected to trust in the
Rube Goldberg system of constantly changing beta software.

But once again, dripfeed updates have also become popular on
Windows. The bottom line is that computers were never designed to
be secure from advanced hacking. So you shouldn't feel safe with
any OS. Efforts like dripfeed updates are a mixed blessing that people
depend on erroneously for security.

Remember the Melissa virus? It was a simple VBScript written as a
prank by an office worker using MS Word. He was so inexperienced
that he didn't realize his name and ID were embedded in the infected
Word DOC, so he was exposed as not only a criminal but also a very
childish office worker. Melissa brought white collar business to a
standstill,
because everyone used Word and no one knew how to protect from
script in DOCs! They had never been attacked before.

VBScript got blackballed as unsafe. Yet people run piles of
javascript in webpages they visit. And PowerShell has also had
vulnerabilities. Executable code creates vulnerabilities. And now
malicious foreign entities, as well as numerous people in poor countries,
have very good reason to try to hack into your computer and try
to somehow scam some money. The world is full of starving peasants
who are immune to US and EU law enforcement, and see no reason
not to steal coins from the spoiled ruling class. Expect this to all get
much worse. Technophiliacs are creating a world that depends on
computers for nearly everything.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: alt.comp.os.windows-11, comp.os.linux

On Mon, 8 Jul 2024 07:52:39 -0400, Newyana2 wrote:

But we shouldn't get too smug. Most popular DLLs are dependent
on the reputation and security of the authors. The same is also
true for software programs.

I think the difference here is that anyone in the world could have injected
any malicious code they wanted to inject into that DLL (in your example).

So it didn't matter if you trusted the DLL's authors (in your example).

Because for a decade, anyone (even you & me) could have injected any code
they wanted into any of over 3 million mac/ios DLLs (using your example).

That's about as bad as it gets.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: alt.comp.os.windows-11, comp.os.linux, comp.os.linux.misc

On 7/8/24 7:52 AM, Newyana2 wrote:

On 7/7/2024 11:20 PM, Nick Cine wrote:

there's a cocoa pods hole in the apple ecosystem which allowed for more
than a decade anyone in the world the permission to inject into any of
over
three million ios or macos applications any code they wanted to inject.

does this security hole also exist in the windows or linux ecosystem?
https://www.darkreading.com/cloud-security/apple-cocoapods-bugs-expose-apps-code-injection

  Any software can have vulnerabilities. That's how the NSA
and Israeli spooks continue to churn out 0-days for their
spying... which then get used as malware by others.

  This sounds worse mainly because Macs are widely believed
to be ultra-safe computers sprinkled with fairy dust. Aside from
artists who think (20 years out of date) that Macs are better for
artists, probably the second-most numerous Apple fans are the
ones who thought that Mac meant they didn't have to understand
ANYTHING about security.

  The CocoaPods thing seems to have been in that glow of
magical protection that Macs are believed to have. But it's actually
a shared library system, used widely, with no one minding the store.
From reading the article it sounds like the equivalent on Windows
would be if programmers believed that anything with a "DLL" file
extension was tested and confirmed safe by Microsoft.

  But we shouldn't get too smug. Most popular DLLs are dependent
on the reputation and security of the authors. The same is also
true for software programs. Unlike Macs, on Windows anyone can
write software and distribute it, using whatever tools they like. They're
not slaves to Cocoa and they don't have to pay Timmy Cook a kickback.
Very few such programmers are security experts. A surprising number
don't know what dependencies their software has. When you install
a program you're trusting that the author is not only honest but
also competent. But how competent can someone be when they don't
even know what libraries their software needs? ("It ran fine on my
computer, so I can't imagine what the problem is on your end.")

  So the Windows "ecosystem" is probably less secure, but benefits
from being less ninny-headed. Nevertheless, if someone managed
to do something like replace ffmpeg or popular ZIP DLLs that are used
widely, that could result in massive malware infestations.

   Linux is an interesting case. The number of versions and names of
support libraries is mind-boggling. When you update a program on
Linux it invariably wants 2 dozen libraries, and there's no backward compatibility. It's not enough that you have wqkeeia v. 1.23.4567.
The new program MUST have v. 1.23.4568. And what's wqkeeia?
Who knows? The names are all like that. There's no hope of exercising
any control over what's on the system. It's so overcomplicated that
the OS itself is expected to manage software with a "package manager".

  On the bright side, problems seem to be rare, probably because a
lot of talented programmers are overseeing Linux development. On the
other hand, unless you're a talented Linux developer you'd have zero
chance of catching malware, what with dripfeed updates happening
all the time to update mysterious things like wqkeeia. That's one
of the reasons that I avoid Linux. One is expected to trust in the
Rube Goldberg system of constantly changing beta software.

  But once again, dripfeed updates have also become popular on
Windows. The bottom line is that computers were never designed to
be secure from advanced hacking. So you shouldn't feel safe with
any OS. Efforts like dripfeed updates are a mixed blessing that people
depend on erroneously for security.

    Remember the Melissa virus? It was a simple VBScript written as a
prank by an office worker using MS Word. He was so inexperienced
that he didn't realize his name and ID were embedded in the infected
Word DOC, so he was exposed as not only a criminal but also a very
childish office worker. Melissa brought white collar business to a standstill,
because everyone used Word and no one knew how to protect from
script in DOCs! They had never been attacked before.

   VBScript got blackballed as unsafe. Yet people run piles of
javascript in webpages they visit. And PowerShell has also had vulnerabilities. Executable code creates vulnerabilities. And now
malicious foreign entities, as well as numerous people in poor countries, have very good reason to try to hack into your computer and try
to somehow scam some money. The world is full of starving peasants
who are immune to US and EU law enforcement, and see no reason
not to steal coins from the spoiled ruling class. Expect this to all get
much worse. Technophiliacs are creating a world that depends on
computers for nearly everything.

I've got a VIC-20 stashed somewhere :-)

Wish I'd kept the C64 too. Think I've a ZX81 also.

But you're right - the sheer size/scale/scope of even
'simple' Linux means that nobody can hope to keep track
of, much less fix, all the potential security holes.
While the underlying paradigm of Linux/Unix IS better
that is hardly an all-purpose shield.

Another issue is that there's no one 'Linux'. Linus
and friends may put out a kernel, but from there on
everybody tweaks and adds-on and they don't talk to
each other very much.

I've mentioned the increasingly-dreadful Versions
Problem before. Seems you can't make even a tiny
utility without some huge fractal tumbleweed of
dependencies getting involved. I think this is why
we see more stuff distributed as big fat 'AppImages'
these days since there's HOPE they'll run across
distros/versions.

There may be fixes for the dependencies debacle, but
you'd kinda have to get everyone in the world to adopt
them all at once ........

Easier to write a de-novo OS and go from there.

Anyway ... 'security' is far more an illusion than a
reality and it's going to stay that way, indeed get
even worse. With State-level players now fully in
the game ... it ain't like little Henry Hacker working
out of Mom's basement anymore.

Hmmm ... the VIC and C64 had the 'system' burned into
ROM chips. Pretty safe.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)