Are Input Managers the Work of the Devil?

On 2/22/06 14:57, "Daniel Eran" <danieleranmac.com> wrote:

> Input managers can be entirely disabled by any end user via file
> permissions, so that any installer simply fails when trying to
> install one.

If the user is saavy enough to do this, or even knows what an input manager
is.

> Undesired file managers can simply be removed and their ability to do
> anything vanishes.
>
> How is this a "genie that can't be put back in the bottle"?

Again, if the user doesn't know what this is, they're hosed. If the input
manager is set invisible in the Finder, it's still there, but not visible
outside of the terminal, so a user who doesn't use the terminal won't see
it.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

--On February 22, 2006 12:57:19 PM -0800 Daniel Eran <danieleranmac.com>
wrote:

> Input managers can be entirely disabled by any end user via file
> permissions, so that any installer simply fails when trying to
> install one.

Sadly, a nasty installer can put up the "enter admin password" dialog and
pretty much expect users to just comply (too many installers do this). Once
the installer has gained root privileges, it can unravel whatever barriers
you've erected and install the input manager anyway. And do anything else
to you and your system it feels like doing.

> Undesired file managers can simply be removed and their ability to do
> anything vanishes.

True. I rather like the advice to set up folder actions to put up a dialog
whenever something is created inside. Cool idea.

> How is this a "genie that can't be put back in the bottle"?

There's a general security logic that says that once you've lost control of
your account, you can't ever get it back because you don't know what the
malicious code did while it was in control. It could have put backdoors
into your applications; installed setuid programs; sent your sensitive
files to another machine; and so on. In that sense the genie never goes
back into the bottle; you can't really trust your files once nasty code had
you. (With the exception of someone copying off your files, you can recover
by wiping all your data off and restoring a backup known to be made before
the attack. But there's no way to "repair" the situation.)

Of course this is not specific to Input Managers. It's true no matter how
you got to run the nasty code. Input managers are just a very convenient
way to infect *every* program of yours, all from one file. Sort of like a
Haxie, except made by Apple. :-)

Cheers
  -- perry
---------------------------------------------------------------------------
Perry The Cynic perrycynic.org
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------

On 2/23/06 15:29, "Perry The Cynic" <perrycynic.org> wrote:

>> Undesired file managers can simply be removed and their ability to do
>> anything vanishes.
>
> True. I rather like the advice to set up folder actions to put up a dialog
> whenever something is created inside. Cool idea.

Folder actions would handle this, and they aren't easily detected. Just
attach one that handles "on adding items to" and have it pop a dialog saying
"hey, something just added files to your InputManagers folder!"

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com

At 16:19 -0800 UTC, on 2006-02-23, John C. Welch wrote:

> On 2/23/06 15:29, "Perry The Cynic" <perrycynic.org> wrote:
>
>>> Undesired file managers can simply be removed and their ability to do
>>> anything vanishes.
>>
>> True. I rather like the advice to set up folder actions to put up a dialog
>> whenever something is created inside. Cool idea.
>
> Folder actions would handle this, and they aren't easily detected.

FolderActions don't need to de detected, they are easily circumvented.
FolderActions rely on System Events to be running. Malware can disable
FolderActions simply by quitting System Events. Bye protection. (On my
machine I see System Events being launched again within a few seconds, but by
then it'll be too late already.)


--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>

On 2/24/06 08:40, "Sander Tekelenburg" <tekelenbeuronet.nl> wrote:

>> Folder actions would handle this, and they aren't easily detected.
>
> FolderActions don't need to de detected, they are easily circumvented.
> FolderActions rely on System Events to be running. Malware can disable
> FolderActions simply by quitting System Events. Bye protection. (On my
> machine I see System Events being launched again within a few seconds, but by
> then it'll be too late already.)

All methods are circumventable. However, folder actions are infinitely
preferable to relying on the user to manually check multiple folders every
time they install anything.

--
John C. Welch Writer/Analyst
Bynkii.com Mac and other opinions
jwelchbynkii.com