The Great TidBITS Malware False Alarm of 2009


On December 8th I woke up, went through my usual morning routine, grabbed my coffee, and sat down at my Mac to start the work day. As it was a Tuesday, I scanned my email for TidBITS #1006 and was slightly surprised that it wasn't in my Inbox. Since I had recently added another spam filter, I assumed the issue had been blocked, so I planned on pulling it out of quarantine later.

But the mystery deepened when a reader sent me an email message saying that his copy of the issue had been flagged as containing malicious software. Since I had been engaged in an intense Twitter debate a few days earlier claiming that Mac-based malware was rarely encountered by the average user, I immediately went into panic mode and started investigating.

I checked my frontline spam and virus filter (Google's Postini service), and the TidBITS issue wasn't flagged for anything there. However, when I checked my second filter, a special appliance on my network, I found the issue had been flagged as containing malware.

According to my anti-spam appliance, TidBITS #1006 contained "Email.Faketube", and when I reported this to Adam and the other TidBITS staffers, it came out that we were all receiving sporadic reports of this particular issue triggering a similar alert for readers.

I quickly searched on the Internet for details about Email.Faketube and found that it's a link that pretends to be from YouTube, but in fact redirects a browser to a Web site that attempts to download a Trojan horse (for Windows, not Mac OS X).

When I viewed the raw text of the TidBITS issue, I discovered that there was indeed a YouTube link in it, pointing at the trailer for the World of Goo game (see "TidBITS Gift Guide 2009," 7 December 2009).

By checking the link manually using one of the systems I have for security research of risky sites, it became clear immediately that the link was fine and did not redirect users to malware. Not that I expected it would; we check all links that go into TidBITS articles, so a link would have to change between the time we checked and when the issue was published for something untoward to happen. But then why the false alarm?

TidBITS Contributing Editor Mark Anbinder noticed that the string "www" appears at the end of the YouTube-generated link. The YouTube engine probably generates its links randomly, and the virus filters triggered upon seeing the "www" at the end of the YouTube link, thinking it was indicative of an attempt to redirect users. Attackers use a variety of techniques to mangle Internet addresses, one of which is adding characters to the end of a seemingly legitimate address to cause the redirection.

As a result, it's clear that I, and our readers who saw the alert, are all running a malware filter with a badly written rule set. It's likely that the rule is "flag any message containing a YouTube link with 'www' after the 'watch?' portion of the address." Unfortunately, that's not necessarily indicative of malware and is thus a poor choice for a malware signature. (If nothing else, there's no requirement to redirect to a page whose domain includes "www" - such a filter is guaranteed to fail on any other domain.)

So the good news is that TidBITS #1006 wasn't infected in any way, and our apologies for any worry the false alarm may have caused. The bad news is that I now have to wonder about the quality of the company providing my email filter rules.
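
The misfire described above can be reproduced offline, and the corpus test suggested in the comments applied to it. This is an added example, not code from TidBITS or the filter vendor: `NAIVE_RULE` is a guess at the rule as the article words it, and the 11-character ID alphabet, the host allowlist and every sample URL are assumptions constructed for illustration.

```python
import random
import re
import string
from urllib.parse import parse_qs, urlsplit

# Hypothetical reconstruction of the rule the article guesses at: a YouTube
# watch link with "www" anywhere after "watch?". Not the vendor's real rule.
NAIVE_RULE = re.compile(r"youtube\.com/watch\?\S*www", re.IGNORECASE)

# Assumptions: video IDs are 11 characters from this alphabet, and these
# are the only hosts treated as genuine YouTube.
ID_ALPHABET = string.ascii_letters + string.digits + "-_"
VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com"}

def naive_flags(url):
    """Apply the guessed signature to the raw text of a link."""
    return NAIVE_RULE.search(url) is not None

def structural_flags(url):
    """Flag a YouTube-looking link only if its parsed host or ID is malformed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if "youtube" not in host:
        return False  # not posing as YouTube; outside this rule's scope
    if host not in YOUTUBE_HOSTS:
        return True   # lookalike host that merely contains the name
    ids = parse_qs(parts.query).get("v", [])
    return len(ids) != 1 or VIDEO_ID.fullmatch(ids[0]) is None

def false_positives(rule, corpus):
    """Count the benign links that a rule flags."""
    return sum(1 for url in corpus if rule(url))

def benign_corpus(n, seed=1006):
    """Constructed corpus: n well-formed watch links with random IDs."""
    rng = random.Random(seed)
    prefix = "http://www.youtube.com/watch?v="
    return [prefix + "".join(rng.choices(ID_ALPHABET, k=11)) for _ in range(n)]

# Constructed samples (not the link from the issue).
BENIGN = "http://www.youtube.com/watch?v=aB3dE6g_www"
LOOKALIKE = "http://www.youtube.com.example.invalid/watch?v=aB3dE6g_xyz"

if __name__ == "__main__":
    corpus = benign_corpus(200_000)
    print("naive rule false positives:", false_positives(naive_flags, corpus))
    print("structural rule false positives:", false_positives(structural_flags, corpus))
```

With random IDs, roughly 9 × (2/64)³ of all legitimate links contain "www" in some letter case, so the guessed rule misfires a few dozen times per 200,000 benign links while missing the lookalike host entirely.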

 

 

Comments about The Great TidBITS Malware False Alarm of 2009

Glenn Fleishman  2009-12-10 13:07
I remember reading the computer scientist and entrepreneur Nathaniel Borenstein's Programming as If People Mattered a few years ago. (He invented MIME, among other things.)

In it, he described how, at one company where he was working, an alphabetic + numeric hash random key generator was occasionally producing words that were or looked like swearwords. He said that in a meeting they discussed creating a filter of naughty words and other techniques.

An intern piped up and said, "drop the vowels and go base 30," meaning that with 0 to 10 and the 20 letters omitting vowels they would still have a huge number of combinations to draw from without creating any precise obscenities. FCK or SHT doesn't have the same valence without vowels.

Maybe YouTube needs a www filter, though!

Dan Neal  2009-12-14 20:22
Just which company did you get the defective appliance from? Inquiring minds and all...
Pattern matching on URLs is difficult at best, and this difficulty breeds laziness. The fact is, most people write a regex and their testing is simply, 'does it match what I want it to match'; very rarely will someone test against a large corpus of data to see if it misfires on something else. Even more rarely does someone really examine the complete rule's logic bit by bit to see what potential pitfalls there are.
And believe me, I've been bitten myself by 'shortcutting' pattern matching. :/

Adam Engst  2009-12-15 07:36
Yeah, it's easy to see how this happened, but assuming that "www" means a redirection is just lazy.