Transmission BitTorrent Client OSX/Keydnap Malware Incident Q+A (opens in new tab)

(transmissionbt.com)

267 pointstomasandrle9y ago138 comments

138 comments

85 comments · 24 top-level

deep_attention9y ago· 15 in thread

Are there any good alternatives to Transmission on OS X?

pwg9y ago

RTorrent https://pmukhanov.wordpress.com/2014/01/19/installing-rtorre...

Text console based, so it can run headless and/or in the background in a screen/tmux session.

diyorgasms9y ago

I've been using rtorrent for years and I wouldn't ever suggest anything else. It's just so damn simple and reliable. I love the concept of watch directories too. Upload a torrent file to a specific directory, and the data will be downloaded to a specific directory. You can have multiple watch directories for different types of data.

anonova9y ago

Note that rtorrent is no longer supported by homebrew[1]. You'll have to build it yourself with gcc since it can't be compiled with clang.

[1]: https://github.com/Homebrew/homebrew-core/pull/369

ciupicri9y ago

Transmisson can also run headless.

commenter239y ago

qbittorrent?

http://www.qbittorrent.org/download.php

hannob9y ago

No HTTPS?

(Given that the original post was about compromised downloads this is a bit ironic)

1 more reply

clappski9y ago

Deluge is pretty good, that's what I tend to go for.

voltagex_9y ago

I like Deluge, but I really wish its default API (protocol) wasn't so difficult to use. It's bencoded Python objects as far as I can tell. If you've never heard of bencoding, that's because it's only used by Deluge.

1 more reply

some-guy9y ago

This may be overkill for some people, but if you have a VPN and use docker somewhere at home you can check out this container: https://github.com/haugene/docker-transmission-openvpn

I run it on a really old low-power PC and it's been very nice...I can even access it remotely wherever I am.

yanokwa9y ago

I like aria2 from https://aria2.github.io. I use it on the command line, but there is a web interface at https://github.com/ziahamza/webui-aria2.

dbcooper9y ago

qbittorent is my choice on Windows, and it has an OS X version.

dawnerd9y ago

Seed box, even if its for totally legit linux isos.

spriggan39y ago

Deluge is nice.

beaker529y ago

uTorrent

http://www.utorrent.com/

temp9y ago

Only if you want an interface filled with ads.

2 more replies

davej9y ago· 9 in thread

Second time that this has happened to Transmission this year. Last time a ransomware got included. If you're a Transmission user then be very cautious when installing new versions.

simcop23879y ago

Main reason that I only install stuff like this from my distro's repositories. Anyone know if this would have affected homebrew and such on OSX?

jquast9y ago

Homebrew packages verify checksums, so very unlikely to be affected.

3 more replies

yAnonymous9y ago

When this happens regularly like with Transmission, is there a guarantee the version in official repos is not affected? The only way to be sure would be code checks and I doubt they do that.

1 more reply

rvanmil9y ago

It was the .dmg file hosted on their own server, so any version could be compromised. I guess the safest route to take is to build the app from source.

aj_n9y ago

I feel stupid knowing that I actually considered this when installing on the 28th, but thought that they wouldn't allow a repeat of KeRanger. Looks like I'll be building all my software from source now (and switching to Aria2).

okket9y ago

You were only at risk when downloaded fresh copies from the website. Updates were checked by the already installed Transmission.

madeofpalk9y ago

Except that time where the auto update mechanism was actually distributing a hacked version

http://www.macrumors.com/2016/03/07/transmission-malware-dow...

1 more reply

javitury9y ago

I thought it was a dejavu for a moment

amykhar9y ago

Conspiracy theorist in me wonders if this isn't an attack by somebody hired by an anti-piracy group.

okket9y ago· 6 in thread

Simple file check if you are infected:

  if [ -f "/Applications/Transmission.app/Contents/Resources/License.rtf" ] || 
     [ -f "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" ] || 
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" ] || 
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" ] || 
     [ -f "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" ] || 
     [ -d "/Library/Application Support/com.apple.iCloud.sync.daemon/" ] || 
     [ -f "$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist" ]; 
  then echo "OSX/Keydnap detected.";
  else echo "You're good.";
  fi

Source: https://gist.github.com/kaizensoze/ca96d039b295db220951d42ca...

harperlee9y ago

Thanks! Reducing friction for these kinds of things is good for everyone.

I didn't bother checking after I read that the autoupdate wasn't compromised, but never hurts to check - and I was not really going to do it until I saw your post.

toxik9y ago

And to run it from the clipboard:

    pbpaste | sh -

IanCal9y ago

If anyone wonders why this is taking too long, you may have done the same daft thing I just did, which was to copy the first command and then copy pbpaste | sh -. The latter will of course create an infinite loop.

1 more reply

clishem9y ago

Or just copy and paste the above?

labster9y ago

Why not this?

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/ | bash

4 more replies

JadeNB9y ago

Is this robust against locating `Transmission.app` somewhere other than `/Applications`? (I put my applications in `~/Applications`, but I don't know the specifics of Keynap; maybe it ignores applications not in the usual location.)

Might it be better to replace the first two tests with something like `-f /[star][star]/Transmission.app/Contents/Resources/License.rtf`?

kalleboo9y ago· 6 in thread

So what happened with the codesigning? That's pretty much the only viable line of defense for the average user (nobody is going to be verifying SHA signatures, or the site is going to be compromised along with the download)

Was the malware version also signed with an official Apple Developer ID? The same ID? Is a change of ID verified with the auto-updater?

If there was a malicious Developer ID, has it been revoked by Apple?

andreasley9y ago

According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

Anyone with a credit card can sign up for Apple's developer program and start signing apps.

[1] http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-...

koolba9y ago

> According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

That's the terrible part about all of this. Having signed applications without any verification of the signer is pointless.

A simplistic, yet more secure approach, would be to have domain validated keys that could be used to sign applications. Browsers could then verify that the application downloaded from example.com was signed with a key for example.com. I think OSX already stores "This was downloaded from the scary internets!" in a separate resource fork so this info could go there as well. Maybe even cut out the middle mad and put them in DNS SRV records so you don't even need a central CA. If DNS gets compromised the client's have bigger problems already.

Unfortunately like all things like this, it'd be forever before it's widespread enough to be useful.

1 more reply

tajen9y ago

So Apple/the bank/a warrant can return his name?

1 more reply

tajen9y ago

Interesting question. According to https://developer.apple.com/support/certificates/:

>> If your membership expires, users can still download, install, and run your Developer ID–signed applications. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.

What I understand is that codesigning costs $99 a year, which open-source projects may want to skip, but this harms their credibility if their downloads are compromised.

SyneRyder9y ago

I really thought Apple had added a free option (maybe even specifically for open source projects?), but I can't find it anywhere. Can anyone else find that info, or am I misremembering?

1 more reply

appleiigs9y ago

I wonder if the checksum was changed on the website too.

FatalLogic9y ago· 5 in thread

I'm not a Transmission user, but this makes me wonder, as a sort of Ask HN question: How long do you wait before updating software?

If you always update as soon as possible, then you risk getting hit by a compromise like this one, or you could suffer other unintentional bad effects of a botched update.

But the longer you delay updating, the more you raise your risk of becoming a victim of a new vulnerability that's just been patched and is now in the wild.

ivanhoe9y ago

Problem is that apps nowadays check for updates automatically. And if the release message says it's a security patch I guess the most of usrs will update right away. At least I do. And obviously if I was a hacker I would play that "important security update, upgrade immediately" card, it's a basic social engineering...

okket9y ago

Neither during this or the previous incidence the updates were compromised (they were checked by the installed binary). Only fresh downloads from the website.

FatalLogic9y ago

I haven't read much about this, so perhaps I'm not understanding clearly, but if the downloaded binary from Transmission's "website server" was replaced, then how is that not a compromise?

I genuinely feel for the developers, and I personally would not blame them if I was affected, but unless the data was intercepted enroute from their server, then I think they have to accept some degree of responsibility for the whole delivery chain to the end user.

2 more replies

labster9y ago

I wait about a week, unless I've heard out of band talk about some terrible hack with a punny name and we all need to upgrade NAO!1! I suppose I should always look for a secondary source for release notes or such as soon as possible; I don't because I am a lazy human.

FatalLogic9y ago

Yes, totally, if you want to make the best decision, then you have to keep up with the news. That's why I'm interested in other opinions about this, because there's a lot of datapoints you need to factor into a decision. It's not a simple decision. That's work, and we are lazy humans, you're right.

But, I don't wait a whole week if the update is from an organization which I think I can trust not to totally botch an update, because they're conscious of the enormous potential for costly legal liability. I'm thinking of organizations such as Microsoft, Apple, Nvidia, AMD, Google, as a few examples. I might wait 1 or 2 days in that case.

1 more reply

huhtenberg9y ago· 4 in thread

> Am I at risk?

Instead of "Blah-blah, less than a day, go check yourself", they could grep the logs for IPs (and session cookies if they log that) of lucky winners and explicitly inform them, when they hit any page on their site. Then show generic version to everyone else. This takes all but 5 minutes to set up.

jmiserez9y ago

Nice idea with a major problem: If they did this, the absence of such a message could suggest that you were not affected, when in fact you could be (changed IP, cleared browser, etc).

False negatives are pretty bad in this case, better for users to check themselves.

huhtenberg9y ago

No, you are missing the point.

It will all remain exactly as it is now, except for the case when they recognize a visitor that is likely to have downloaded the malware. In this case they should throw an extra warning.

1 more reply

wepple9y ago

plus everyone behind a single NAT IP will get the message and freak out.

rem13139y ago

This is not a bad idea, maybe write to them and suggest that?

dantiberian9y ago· 3 in thread

They never responded with details of what they were doing to improve security after the last incident: https://forum.transmissionbt.com/viewtopic.php?f=1&t=17938. The outside appearance is that they didn't address the problem seriously enough.

jrochkind19y ago

Yeah, I was thinking, didn't this happen before?

lqdc139y ago

One of their servers or dev machines might have a rootkit. At this point, wiping basically everything is required.

Shank9y ago

Looks to me like the developers don't actively participate in their forum. Seems like this would be way too big to go unreplied to for months.

Mahn9y ago· 3 in thread

More info on the malware:

> The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain. The author simply took a proof-of-concept example available on Github called Keychaindump. It reads securityd’s memory and searches for the decryption key for the user’s keychain. This process is described in a paper by K. Lee and H. Koo. One of the reasons we think the source was taken directly from Github is that the function names in the source code are the same in the Keydnap malware.

Source: http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malw...

aparadja9y ago

Wow. I'm the author of keychaindump. Didn't expect to become a malware co-author.

robk9y ago

Seemed pretty likely though don't you think?

1 more reply

microtonal9y ago

This is why applications should use app sandboxing on OS X. And Apple should provide an option to reject (by default) any application that is not signed + sandboxed, rather than: anything, signed, or app store.

king_phil9y ago· 3 in thread

I would have thought that Mac users would be a good target in general because they might have better income than Windows users...

mkj9y ago

Torrent users might be a good target for better than average internet connections for ddos?

rahimnathwani9y ago

Maybe per person, but probably not in aggregate.

iopq9y ago

Android users have way more money in aggregate, but iPhone apps make more money. This is because iPhone users have a lot more disposable income, while Android users are cheap.

1 more reply

Veen9y ago· 2 in thread

I like Transmission, but this is the second serious security problem they've had this year. Once you can forgive, but twice and it's time to look for a new BitTorrent client.

okket9y ago

FYI: Transmission binaries are now hosted on GitHub, so it is very unlikely that anything like this can happen in the future without compromising developer machines.

lucb1e9y ago

Question is, how implausible do we think it is that a developer's computer gets compromised?

1 more reply

thesimon9y ago· 2 in thread

Are Transmission releases usually codesigned?

okket9y ago

Yes. And updates are checked within the Transmission app.

thesimon9y ago

Looks like it was signed by a different developer:

https://news.ycombinator.com/item?id=12403906

In comparison to Windows, macOS doesn't really seem to show the developer in the normal user flow.

1 more reply

okket9y ago· 1 in thread

Service announcement: You were only at risk when you downloaded fresh copies from the website. As with the previous incident, updates within the app were safe and checked.

xnyhps9y ago

It's pretty scary that they still haven't fixed the Sparkle RCE vulnerability from a few months back. Attackers with access to their servers could've installed malware for every user, even if they didn't install the update.

menzoic9y ago· 1 in thread

According to the article, the title is wrong

"The infected file was available for download somewhere between a few hours and less than a day."

tomasandrleOP9y ago

Thanks for the correction. I wrote the original title based on the warning on their homepage: "Critical security notice to users who downloaded Transmission 2.92 for Mac on August 28th or 29th".

arianvanp9y ago· 1 in thread

Again? :(

devn0ll9y ago

That's what I thought as well: http://news.softpedia.com/news/transmission-bittorrent-clien...

rahiel9y ago

It's nasty that a free software project has to deal with this, given their limited resources. This shows the importance of reproducible builds and using package managers with verification like APT or homebrew.

SturgeonsLaw9y ago

That's not the first time this has happened... http://gizmodo.com/yes-ransomware-can-affect-macs-too-176323...

yladiz9y ago

Kinda sucks, and I haven't followed Transmission for a while, but them transitioning more to Github is a good thing -- I trust Github more than a self hosted solution, in general. It sucks they've been compromised twice in a year, but hopefully this will help mitigate some of that.

aorth9y ago

You might want to install Objective-See's free BlockBlock tool to block these type of things:

https://twitter.com/objective_see/status/771189100355264512

Also, their other (free, open source) tools are very good too, like KnockKnock and RansomWhere:

https://objective-see.com/

mirap9y ago

This is happening too often... so, what other BitTorrent clients are you using on Mac OS?

varcharlie9y ago

They say that the infected file was only there for a day, but maybe it would behoove them to do some bash-fu w/ their logs and get an approximation of the number of users affected!

fastball9y ago

Wow, I downloaded a binary from the website in that exact timeframe.

Luckily, it was only the CLI version, which I was putting on an Ubuntu system...

cjbramble9y ago

I will be using Deluge now.

zyxley9y ago

Time to switch to qBittorrent.

mikegerwitz9y ago

I notice that they don't sign their releases.

j / k navigate · click thread line to collapse

138 comments

85 comments · 24 top-level

deep_attention9y ago· 15 in thread

Are there any good alternatives to Transmission on OS X?

pwg9y ago

RTorrent https://pmukhanov.wordpress.com/2014/01/19/installing-rtorre...

Text console based, so it can run headless and/or in the background in a screen/tmux session.

diyorgasms9y ago

anonova9y ago

Note that rtorrent is no longer supported by homebrew[1]. You'll have to build it yourself with gcc since it can't be compiled with clang.

[1]: https://github.com/Homebrew/homebrew-core/pull/369

ciupicri9y ago

Transmisson can also run headless.

commenter239y ago

qbittorrent?

http://www.qbittorrent.org/download.php

hannob9y ago

No HTTPS?

(Given that the original post was about compromised downloads this is a bit ironic)

1 more reply

clappski9y ago

Deluge is pretty good, that's what I tend to go for.

voltagex_9y ago

1 more reply

some-guy9y ago

This may be overkill for some people, but if you have a VPN and use docker somewhere at home you can check out this container: https://github.com/haugene/docker-transmission-openvpn

I run it on a really old low-power PC and it's been very nice...I can even access it remotely wherever I am.

yanokwa9y ago

I like aria2 from https://aria2.github.io. I use it on the command line, but there is a web interface at https://github.com/ziahamza/webui-aria2.

dbcooper9y ago

qbittorent is my choice on Windows, and it has an OS X version.

dawnerd9y ago

Seed box, even if its for totally legit linux isos.

spriggan39y ago

Deluge is nice.

beaker529y ago

uTorrent

http://www.utorrent.com/

temp9y ago

Only if you want an interface filled with ads.

2 more replies

davej9y ago· 9 in thread

Second time that this has happened to Transmission this year. Last time a ransomware got included. If you're a Transmission user then be very cautious when installing new versions.

simcop23879y ago

Main reason that I only install stuff like this from my distro's repositories. Anyone know if this would have affected homebrew and such on OSX?

jquast9y ago

Homebrew packages verify checksums, so very unlikely to be affected.

3 more replies

yAnonymous9y ago

When this happens regularly like with Transmission, is there a guarantee the version in official repos is not affected? The only way to be sure would be code checks and I doubt they do that.

1 more reply

rvanmil9y ago

It was the .dmg file hosted on their own server, so any version could be compromised. I guess the safest route to take is to build the app from source.

aj_n9y ago

okket9y ago

You were only at risk when downloaded fresh copies from the website. Updates were checked by the already installed Transmission.

madeofpalk9y ago

Except that time where the auto update mechanism was actually distributing a hacked version

http://www.macrumors.com/2016/03/07/transmission-malware-dow...

1 more reply

javitury9y ago

I thought it was a dejavu for a moment

amykhar9y ago

Conspiracy theorist in me wonders if this isn't an attack by somebody hired by an anti-piracy group.

okket9y ago· 6 in thread

Simple file check if you are infected:

  if [ -f "/Applications/Transmission.app/Contents/Resources/License.rtf" ] || 
     [ -f "/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf" ] || 
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd" ] || 
     [ -f "$HOME/Library/Application Support/com.apple.iCloud.sync.daemon/process.id" ] || 
     [ -f "$HOME/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist" ] || 
     [ -d "/Library/Application Support/com.apple.iCloud.sync.daemon/" ] || 
     [ -f "$HOME/Library/LaunchAgents/com.geticloud.icloud.photo.plist" ]; 
  then echo "OSX/Keydnap detected.";
  else echo "You're good.";
  fi

Source: https://gist.github.com/kaizensoze/ca96d039b295db220951d42ca...

harperlee9y ago

Thanks! Reducing friction for these kinds of things is good for everyone.

I didn't bother checking after I read that the autoupdate wasn't compromised, but never hurts to check - and I was not really going to do it until I saw your post.

toxik9y ago

And to run it from the clipboard:

    pbpaste | sh -

IanCal9y ago

1 more reply

clishem9y ago

Or just copy and paste the above?

labster9y ago

Why not this?

    curl https://gist.githubusercontent.com/kaizensoze/ca96d039b295db220951d42ca7c83d89/raw/ | bash

4 more replies

JadeNB9y ago

Might it be better to replace the first two tests with something like `-f /[star][star]/Transmission.app/Contents/Resources/License.rtf`?

kalleboo9y ago· 6 in thread

Was the malware version also signed with an official Apple Developer ID? The same ID? Is a change of ID verified with the auto-updater?

If there was a malicious Developer ID, has it been revoked by Apple?

andreasley9y ago

According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

Anyone with a credit card can sign up for Apple's developer program and start signing apps.

[1] http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-...

koolba9y ago

> According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

That's the terrible part about all of this. Having signed applications without any verification of the signer is pointless.

Unfortunately like all things like this, it'd be forever before it's widespread enough to be useful.

1 more reply

tajen9y ago

So Apple/the bank/a warrant can return his name?

1 more reply

tajen9y ago

Interesting question. According to https://developer.apple.com/support/certificates/:

What I understand is that codesigning costs $99 a year, which open-source projects may want to skip, but this harms their credibility if their downloads are compromised.

SyneRyder9y ago

I really thought Apple had added a free option (maybe even specifically for open source projects?), but I can't find it anywhere. Can anyone else find that info, or am I misremembering?

1 more reply

appleiigs9y ago

I wonder if the checksum was changed on the website too.

FatalLogic9y ago· 5 in thread

I'm not a Transmission user, but this makes me wonder, as a sort of Ask HN question: How long do you wait before updating software?

If you always update as soon as possible, then you risk getting hit by a compromise like this one, or you could suffer other unintentional bad effects of a botched update.

But the longer you delay updating, the more you raise your risk of becoming a victim of a new vulnerability that's just been patched and is now in the wild.

ivanhoe9y ago

okket9y ago

Neither during this or the previous incidence the updates were compromised (they were checked by the installed binary). Only fresh downloads from the website.

FatalLogic9y ago

I haven't read much about this, so perhaps I'm not understanding clearly, but if the downloaded binary from Transmission's "website server" was replaced, then how is that not a compromise?

2 more replies

labster9y ago

FatalLogic9y ago

1 more reply

huhtenberg9y ago· 4 in thread

> Am I at risk?

jmiserez9y ago

Nice idea with a major problem: If they did this, the absence of such a message could suggest that you were not affected, when in fact you could be (changed IP, cleared browser, etc).

False negatives are pretty bad in this case, better for users to check themselves.

huhtenberg9y ago

No, you are missing the point.

It will all remain exactly as it is now, except for the case when they recognize a visitor that is likely to have downloaded the malware. In this case they should throw an extra warning.

1 more reply

wepple9y ago

plus everyone behind a single NAT IP will get the message and freak out.

rem13139y ago

This is not a bad idea, maybe write to them and suggest that?

dantiberian9y ago· 3 in thread

jrochkind19y ago

Yeah, I was thinking, didn't this happen before?

lqdc139y ago

One of their servers or dev machines might have a rootkit. At this point, wiping basically everything is required.

Shank9y ago

Looks to me like the developers don't actively participate in their forum. Seems like this would be way too big to go unreplied to for months.

Mahn9y ago· 3 in thread

More info on the malware:

Source: http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malw...

aparadja9y ago

Wow. I'm the author of keychaindump. Didn't expect to become a malware co-author.

robk9y ago

Seemed pretty likely though don't you think?

1 more reply

microtonal9y ago

king_phil9y ago· 3 in thread

I would have thought that Mac users would be a good target in general because they might have better income than Windows users...

mkj9y ago

Torrent users might be a good target for better than average internet connections for ddos?

rahimnathwani9y ago

Maybe per person, but probably not in aggregate.

iopq9y ago

Android users have way more money in aggregate, but iPhone apps make more money. This is because iPhone users have a lot more disposable income, while Android users are cheap.

1 more reply

Veen9y ago· 2 in thread

I like Transmission, but this is the second serious security problem they've had this year. Once you can forgive, but twice and it's time to look for a new BitTorrent client.

okket9y ago

FYI: Transmission binaries are now hosted on GitHub, so it is very unlikely that anything like this can happen in the future without compromising developer machines.

lucb1e9y ago

Question is, how implausible do we think it is that a developer's computer gets compromised?

1 more reply

thesimon9y ago· 2 in thread

Are Transmission releases usually codesigned?

okket9y ago

Yes. And updates are checked within the Transmission app.

thesimon9y ago

Looks like it was signed by a different developer:

https://news.ycombinator.com/item?id=12403906

In comparison to Windows, macOS doesn't really seem to show the developer in the normal user flow.

1 more reply

okket9y ago· 1 in thread

Service announcement: You were only at risk when you downloaded fresh copies from the website. As with the previous incident, updates within the app were safe and checked.

xnyhps9y ago

menzoic9y ago· 1 in thread

According to the article, the title is wrong

"The infected file was available for download somewhere between a few hours and less than a day."

tomasandrleOP9y ago

Thanks for the correction. I wrote the original title based on the warning on their homepage: "Critical security notice to users who downloaded Transmission 2.92 for Mac on August 28th or 29th".

arianvanp9y ago· 1 in thread

Again? :(

devn0ll9y ago

That's what I thought as well: http://news.softpedia.com/news/transmission-bittorrent-clien...

rahiel9y ago

SturgeonsLaw9y ago

That's not the first time this has happened... http://gizmodo.com/yes-ransomware-can-affect-macs-too-176323...

yladiz9y ago

aorth9y ago

You might want to install Objective-See's free BlockBlock tool to block these type of things:

https://twitter.com/objective_see/status/771189100355264512

Also, their other (free, open source) tools are very good too, like KnockKnock and RansomWhere:

https://objective-see.com/

mirap9y ago

This is happening too often... so, what other BitTorrent clients are you using on Mac OS?

varcharlie9y ago

They say that the infected file was only there for a day, but maybe it would behoove them to do some bash-fu w/ their logs and get an approximation of the number of users affected!

fastball9y ago

Wow, I downloaded a binary from the website in that exact timeframe.

Luckily, it was only the CLI version, which I was putting on an Ubuntu system...

cjbramble9y ago

I will be using Deluge now.

zyxley9y ago

Time to switch to qBittorrent.

mikegerwitz9y ago

I notice that they don't sign their releases.

j / k navigate · click thread line to collapse