Archive for January, 2006
I read about the anti-theft software Undercover and want to share my opinion with you.
I will not run this piece of software on my Mac, but I have done a quick static analysis. Some interesting and scary details:
The program is launched via LaunchDaemon, then it uses an NSTimer to loop (the guys at TUAW were wondering how it could get started without a user logging in – I wonder if the U is for unofficial or for unskilled).
The very authentic “hardware damage” that they are talking about seems to be a dialogue with the following message:
Mac OS X detected a logic board failure
It is recommended to take this computer to an authorized Apple support center.
There are also other nice messages that will be displayed:
This Mac has been stolen. Identifying information about you and your location has already been collected. This Mac will become unusable in the next 5 days.
Please contact email@example.com for instructions on how to return this computer.
You will receive a reward if this computer is returned.
It’s questionable whether it’s really a good idea to inform the thief that protection software is running…
It’s also quite funny that they use speech synthesis to alert; the following AppleScript is used:
say "Help. Help. Help. I'm a stolen macintosh computer... Please return me to the rightful owner"
Instead of sending the MAC address and receiving a reply saying whether it’s stolen, the program downloads a list of ALL stolen Macs and then seems to check against it locally.
The lists can be found here and here – so far, only one Mac was stolen :-)
The IP address check is done via some obscure third-party website, checkip.dyndns.org, instead of just sending it to www.orbicule.com and letting them examine their logfiles…
And now for the big bummer, please sit down!
The screenshots that the program takes are uploaded via FTP, not via some fancy (or even not quite as fancy) asynchronous push method.
So, you wonder where they are uploaded to? Yes, his webserver, into the document root, with user privileges that can add, delete or modify ANY file on the webserver, including the disk image of the software itself. So backdooring that software is just a matter of evilness. Ah, yes, of course, the username and password are hardcoded.
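The findings above (a cleartext FTP endpoint, an IP lookup against a third-party host, and credentials stored next to the URL) are exactly what a quick static pass over a binary's strings turns up. The script below is an added example, not code from the post or from Undercover: it runs a strings(1)-style extraction over a constructed byte blob (the hosts, paths and the credential values in it are placeholders, not taken from the product) and flags the three categories of finding discussed above.

```python
import re

# Constructed stand-in for a binary's data section (placeholder hosts and
# credentials, assumption for this demo; NOT bytes from the real product).
SAMPLE_BINARY = (
    b"\x00\x01\x02\xcf\xfa\xed\xfe" + b"\x00" * 16
    + b"http://checkip.dyndns.org/\x00"
    + b"ftp://ftp.example.invalid/htdocs/uploads/\x00"
    + b"uploaduser\x00"
    + b"s3cretPLACEHOLDER\x00"
    + b"\x7f\x80" + b"Help. Help. Help. I'm a stolen macintosh computer\x00"
    + b"http://www.example.invalid/stolen_list.txt\x00"
)

CLEARTEXT_SCHEMES = ("ftp://", "http://")
# Hosts outside the vendor's own domain; the list is an assumption for the demo.
THIRD_PARTY_HOSTS = ("dyndns.org",)


def extract_strings(blob, min_len=6):
    """Return (offset, text) for every run of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def audit_strings(strings):
    """Classify extracted strings into the findings a reviewer would report.

    Returns a list of (category, offset, text) tuples in file order.
    """
    findings = []
    for idx, (off, s) in enumerate(strings):
        low = s.lower()
        if low.startswith(CLEARTEXT_SCHEMES):
            findings.append(("cleartext-endpoint", off, s))
            if low.startswith("ftp://"):
                # Hardcoded FTP logins usually sit as two short strings right
                # after the URL; report them as candidates for manual review.
                for cand_off, cand in strings[idx + 1:idx + 3]:
                    if " " not in cand and not cand.lower().startswith(CLEARTEXT_SCHEMES):
                        findings.append(("possible-credential", cand_off, cand))
        if any(host in low for host in THIRD_PARTY_HOSTS):
            findings.append(("third-party-dependency", off, s))
    return findings


def audit_binary(blob):
    """Convenience wrapper: strings pass followed by the classification pass."""
    return audit_strings(extract_strings(blob))


if __name__ == "__main__":
    for category, offset, text in audit_binary(SAMPLE_BINARY):
        print("%-24s 0x%06x  %s" % (category, offset, text))
```

On a real Mach-O you would run the same two passes over the whole file (or per section, after parsing the load commands); the credential heuristic is deliberately loose and only narrows what you then confirm by hand.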
The software is terribly designed, if it was designed at all; the version number should rather be 0.1, and it’s a joke to demand money for it.
I STRONGLY advise to NOT download and especially NOT RUN this software.
If you are concerned about theft, get insurance; this program wouldn’t help you anyway…
When Apple decided to build computers with Intel CPUs, they got an old feature of NeXTstep out of their drawers: fat binaries. They have always existed in MacOS X, but were never used before. A fat binary is a collection of binaries for different architectures, so it’s possible to ship the same binary for all architectures.
So far, so good, BUT! They waste disk storage, and some tools that work on Mach-O binaries cannot handle fat binaries so far.
I proudly announce the first release of diet, a tool that extracts the PowerPC version of the binary. Get it here.
As always, released under a BSD-style license.
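To show what a fat binary actually is on disk and what a slice extractor has to do, here is an added example; it is not the diet tool's code and not from the post. It builds a small fat container from two constructed slices (the slice contents are dummy bytes, not real Mach-O images), parses the big-endian fat_header/fat_arch tables as defined in Apple's mach-o/fat.h, bounds-checks every slice against the file length (a hostile header can point past the end of the file), and returns the PowerPC slice.

```python
import struct

FAT_MAGIC = 0xCAFEBABE            # fat_header.magic, stored big-endian
CPU_TYPE_I386 = 7
CPU_TYPE_POWERPC = 18
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64

FAT_HEADER = struct.Struct(">II")     # magic, nfat_arch
FAT_ARCH = struct.Struct(">iiIII")    # cputype, cpusubtype, offset, size, align (log2)

# Constructed dummy slices: a thin-Mach-O magic followed by filler, not real code.
SAMPLE_PPC = b"\xfe\xed\xfa\xce" + b"PPC-SLICE"      # MH_MAGIC as big-endian bytes
SAMPLE_I386 = b"\xce\xfa\xed\xfe" + b"I386-SLICE"    # MH_MAGIC as little-endian bytes


def build_fat(slices, align_pow=12):
    """Pack {cputype: bytes} into a fat binary; slices are page-aligned like lipo does."""
    align = 1 << align_pow
    header_len = FAT_HEADER.size + FAT_ARCH.size * len(slices)
    offset = (header_len + align - 1) // align * align
    archs, body = [], bytearray()
    for cputype, data in slices.items():
        archs.append((cputype, 0, offset, len(data), align_pow))
        padded = (len(data) + align - 1) // align * align
        body += data + b"\0" * (padded - len(data))
        offset += padded
    out = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    for arch in archs:
        out += FAT_ARCH.pack(*arch)
    out += b"\0" * (archs[0][2] - len(out))   # pad the header up to the first slice
    return bytes(out + body)


def parse_fat(blob):
    """Return the fat_arch entries, validating that each slice lies inside the file."""
    if len(blob) < FAT_HEADER.size:
        raise ValueError("too short for a fat header")
    magic, nfat = FAT_HEADER.unpack_from(blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary (magic 0x%08x)" % magic)
    archs = []
    for i in range(nfat):
        pos = FAT_HEADER.size + i * FAT_ARCH.size
        if pos + FAT_ARCH.size > len(blob):
            raise ValueError("fat_arch table truncated")
        cputype, cpusubtype, off, size, align = FAT_ARCH.unpack_from(blob, pos)
        if off + size > len(blob):      # never trust offsets from the file
            raise ValueError("slice %d (cputype %d) extends past end of file" % (i, cputype))
        archs.append({"cputype": cputype, "cpusubtype": cpusubtype,
                      "offset": off, "size": size, "align": align})
    return archs


def is_well_formed(blob):
    """True if the fat header and every slice it describes fit in the blob."""
    try:
        parse_fat(blob)
        return True
    except ValueError:
        return False


def extract_slice(blob, cputype):
    """Return the thin binary for one architecture, as a diet-style tool would write out."""
    for arch in parse_fat(blob):
        if arch["cputype"] == cputype:
            return blob[arch["offset"]:arch["offset"] + arch["size"]]
    raise KeyError("no slice for cputype %d" % cputype)


SAMPLE_FAT = build_fat({CPU_TYPE_POWERPC: SAMPLE_PPC, CPU_TYPE_I386: SAMPLE_I386})

if __name__ == "__main__":
    for arch in parse_fat(SAMPLE_FAT):
        print("cputype %d at offset %d, %d bytes" % (arch["cputype"], arch["offset"], arch["size"]))
    print("PowerPC slice:", extract_slice(SAMPLE_FAT, CPU_TYPE_POWERPC))
```

The bounds check is the part worth keeping in any such tool: a fat_arch entry is just five integers supplied by the file, so a truncated or crafted header must fail cleanly instead of reading past the buffer.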