virus posts

Filed under: Features, Troubleshooting, Ask TUAW

Ask TUAW: Auto-tagging music, iPhone VoIP apps, replacing a hard drive and more

Welcome back to Ask TUAW, our weekly troubleshooting Q&A column. This week we've got questions about VOIP apps on the iPhone, auto-tagging music, Boot Camp, replacing a hard drive and more.

As always, your suggestions and questions are welcome. Leave your questions for next week in the comments section at the end of this post. When asking a question, please include which machine you're using and what version of Mac OS X is installed on it (we'll assume you're running Snow Leopard on an Intel Mac if you don't specify). And now, on to the questions.

Filed under: Analysis / Opinion, Software

Better safe than sorry? Trend Micro Smart Surfing for Mac

Earlier this week, PC security app vendor Trend Micro announced a new product aimed at Mac users. Smart Surfing for Mac (US$69.95 per user per year) provides antivirus, anti-spyware, anti-rootkit, and web threat protection, and also has a two-way firewall built in.

This, of course, brings up the old debate for Mac users. On the one hand, our 10% of the personal computing market is virtually free of the virus and malware attacks that plague the Windows world. On the other hand, should you be concerned enough to consider purchasing protection that might be overkill?

Some of the features of Smart Surfing for Mac could be very useful for users who might otherwise be in danger of certain nefarious schemes. For example, it blocks visits to dangerous websites and has anti-phishing capabilities. While I know enough to check the real URL of links in emails by simply hovering my cursor above them, there are a frightening number of people who don't do this and who are at real risk of phishing scams. Parents might like Smart Surfing for Mac for their kids, as it restricts access by content categories, controls IM access, and also lets you block certain websites.

Are products like Smart Surfing for Mac expensive overkill, or are they cheap insurance against the remote chance of actually getting hit with a Mac virus, malware, or a scam? Let's hear your opinion in the comments section!

Filed under: Security

Intego: Adobe CS4 crack app has variant of iServices trojan

The folks over at Intego let the world know about a new trojan making the rounds along with copies of an application designed to crack Adobe Creative Suite 4. They consider the risk "serious."

If you don't download software using peer-to-peer tools like BitTorrent, then you're perfectly safe. You can stop reading this story, if you like. If you're one of the 5,000 people who recently downloaded and installed the serial crack, then you have a bad day ahead of you.

The malware, after asking for your administrator password, installs an executable with a random name in /var/tmp, a folder that isn't deleted when the computer restarts.

The randomly-named program will install itself in /usr/bin/DivX, create a startup item in /System/Library/StartupItems/DivX, and if it has root privileges, save a hash of your password in the file /var/root/.DivX.

The software then listens on a random TCP port and awaits instructions from its evil overlords. With an infected computer's root password, those in control of the software will be able to execute commands on the infected computer, including deleting files and performing malicious network tasks.

Late last week, pirated copies of iWork '09 were infected with similar malware.

Intego VirusBarrier X4 and X5, as you might imagine, protect you against the Trojan. Either looking for (and removing) the files mentioned above or using a virus removal utility is recommended.

Also recommended: Not downloading pirated software (and their associated tools) on peer-to-peer networks. If you do choose to get your software that way, you have nobody to blame but yourself if your system gets infected.
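A check for the files named above, as an added example (not Intego's or TUAW's code). The three fixed paths come from the article; the function names, the `--scan` switch and the optional root argument (for scanning a mounted volume) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: look for the iServices-variant artifacts named in the article.
# Usage (as root, since /var/root is unreadable otherwise):
#   sh check_iservices.sh --scan [ROOT]     ROOT defaults to /

# Fixed paths taken from the article text.
ISERVICES_PATHS="/usr/bin/DivX
/System/Library/StartupItems/DivX
/var/root/.DivX"

# Print each fixed artifact that exists under ROOT, one per line.
find_fixed_artifacts() {
    root="${1%/}"
    printf '%s\n' "$ISERVICES_PATHS" | while IFS= read -r p; do
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# The installer in /var/tmp has a random name, so it cannot be matched by
# name. List owner-executable regular files there for manual review.
list_tmp_executables() {
    root="${1%/}"
    [ -d "$root/var/tmp" ] || return 0
    find "$root/var/tmp" -maxdepth 1 -type f -perm -100 2>/dev/null
}

# Report findings. Exit status 0 = no fixed artifact found, 1 = found.
scan_iservices() {
    hits=$(find_fixed_artifacts "$1")
    review=$(list_tmp_executables "$1")
    if [ -n "$hits" ]; then
        echo "Artifacts named in the article are present:"
        echo "$hits"
    fi
    if [ -n "$review" ]; then
        echo "Executable files in /var/tmp to review by hand:"
        echo "$review"
    fi
    [ -z "$hits" ]
}

if [ "${1:-}" = "--scan" ]; then
    scan_iservices "${2:-/}"
fi
```

A clean result only means these specific files are absent; executables listed from /var/tmp are candidates for review, not confirmed malware.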

Filed under: Analysis / Opinion

The Mac virus that isn't

We at TUAW have a pretty healthy collective sense of humor. Bearing that in mind, we'd like to take a moment and address the recent attention to the "Newton Virus," a playful piece of software with an unfortunate moniker. The "virus" was created – and named – by Troika, a multi-disciplinary art and design practice in the UK. We have no bones to pick with Troika, we just take issue with calling the program by a name with malicious implications. It is, in fact, a piece of interactive artwork designed with a non-destructive disruption of reality in mind.

The first definition of a virus is a program that can replicate and infect a computer without permission or knowledge. The second, more flexible definition is a program falling into the category of malware. The Newton Virus is a mild – albeit visually interesting – disruption, and given that it was designed for manual installation and incapable of replication, not really a virus at all. Ergo, the ensuing headlines seen around the 'net are based on a sensationalistic misnomer.

That being said, the piece is a fascinating little experiment (leveraging the Sudden Motion Sensor in Mac portables) that fits nicely with Troikart's typical fare, and it's earned a spot in the Design and the Elastic Mind exhibition at the MoMA. So, next time someone tells you they heard about a virus for Macs, tell them not to sweat it: it's probably just modern art.

Filed under: Analysis / Opinion, OS, Software

NPR on Mac hacking-- a little FUD, a little fact

NPR hits up the issue of Mac hacking (the bad malware kind, not the good kind), and suggests that Macs are supposedly becoming a bigger target for exploitative folk.

While this is a topic that could easily (and does often) degenerate into complete misinformation and FUD, NPR basically acknowledges that Macs are showing up in more and more places (and that includes the iPhone, where even Apple is concerned about security), and that means that they're becoming a juicier target for malware developers. Fortunately, however, a familiar voice shows up later in the report (dig those dulcet tones!) to remind everyone that throughout five iterations of OS X, the malware problems have been hard to find. Malware developers may be trying, but it ain't working.

Of course, we can't let this go without noting that this story was inspired in the first place by a PR report released by... you guessed it: an antivirus company. The people who profit off of programs that supposedly prevent malware are claiming that malware is a bigger threat than ever before? Go figure.

Filed under: iPod Family, Security

Bogus iPod Virus

So there's this company, Kaspersky, and they say they've discovered the first iPod virus[1]. Oh dear! Everyone panic, alarums and excursions, and all that, right? Not.

This is about Podloso, a proof-of-concept virus that infects iPods (rather than using iPods as a distribution mechanism). And it goes like this: First, you have to install Linux on your iPod. Next, you have to install the virus to your Linux-capable iPod. Then you have to launch the virus, because "Podloso cannot be launched automatically without user involvement". Once launched, it infects all executable .elf files with a lame message.

So here's TUAW's take on the matter: if you own an iPod and you run Linux on it? Don't install the virus, 'kay?

[Via TechDirt]

[1] They're not counting the Windows virus that accidentally hitched a ride on some otherwise innocent 5.5G iPods.

Filed under: Security

Does QuickTime pose a security risk?

The whole QuickTime/MySpace security hole that was discussed this week on TUAW has given rise to a general concern about QuickTime's vulnerabilities. The QuickTime bug apparently allowed a worm to infect MySpace user profiles and redirected traffic to a phishing site, where passwords were harvested.

An Information Week article suggests the security flaw could extend well beyond Myspace to both Mac and Windows users. The problem seems to stem from QuickTime's JavaScript support and a bug that allows malicious JavaScript code to affect browsers. The article states that although Apple has provided an Internet Explorer patch, it has yet to issue a general QuickTime fix across all platforms.

Filed under: Analysis / Opinion, Surveys and Polls, Security

How would you react to a wide-spread Mac OS X virus?

One of the long-standing major appeals of the Mac OS has been its relatively small and low-impact ratio of serious security vulnerabilities and virus attacks. Users wear it like a badge on their shoulder, and even Apple has jumped in by flat-out bragging about Mac OS X's security with their latest Get a Mac ad campaign.

While the debate surrounding exactly why the Mac has earned this reputation has raged at least since the term 'trolling' was coined, I'm a bit more interested in bending the space-time continuum and asking you, dear readers, a hypothetical: what would happen if a truly malicious Mac OS X virus were to break out in large scale? I'm talking about something along the lines of the Sasser worm, which grounded some Delta Airline flights, brought many other companies to their knees, and is estimated to have caused billions in damage.

I know Apple's machines aren't quite as integral to the various operations of our society and businesses like Windows and Linux are, but it would be hard to argue that a good portion of the Mac user base doesn't care about the security of their chosen OS. With this in mind, I wonder: would you keep your Mac in a day and age when 3rd party virus and security tools become a basic necessity of Mac OS X? Would you bite the bullet and buy Norton Virus Mega Security Bundle Premium 2007 beta 5? Do you think all those switchers - reeled in by Apple's "We don't have any viruses" Get a Mac commercials - would become crippled in disillusion?

What say you, TUAW readers. How large of a hole in Apple's security record would be 'too large'?

Filed under: Audio, iPod Family, OS, Retail, Podcasts, Apple, Leopard

TUAW Podcast #13

This week's podcast involves Dan Pourhadi and the C4 developer shindig he attended, those exclusive Leopard screenshots we nabbed, iPod viruses and the corporate blame game, and we round off with Apple's preliminary 4th quarter earnings results. Dan and I kept things short this time around, as the podcast rounds off at just over 20 minutes and 18.6MB.

As usual, you can grab the podcast via a direct link, our podcast RSS feed or in the iTunes Store podcast directory. Enjoy the show.

Update: It seems there's a bug in our iTS feed preventing you from getting this latest episode, though our other links for accessing the podcast are working just fine. We'll keep you posted.

Filed under: Hardware, OS, Software, Tips and tricks

Apple Support doc: Mac maintenance Quick Assist

Apple has released a "Mac Maintenance Quick Assist" support document that is more or less a 10-step guide aimed at beginners for taking care of their Mac, both inside and out. These steps include good, basic practices such as using relevant names for files instead of "DSC_00001.jpg," while also recommending that you occasionally clean your Mac (duh).

I was surprised to see a few tips make this list, however. The first: Check for viruses. "Macs don't get anywhere near the amount of viruses that Windows PCs are prone to, but that doesn't mean that they can't get infected," reads tip #8. I guess the guys who wrote this article didn't get the memo from the team who made the "Macs don't get viruses" TV commercials. The other odd tips deal with Mac maintenance stuff, like repairing permissions and defragging your hard drive. I was under the impression that, since Panther, Mac OS X defragged itself. On the permissions topic, there has been a lot of chatter over the last couple of months about whether repairing permissions is actually useful. Just check out the pseudo-series John Gruber had on the topic.

All in all, I think I was actually a little frightened by evidence of even cheesier one-liners making their way into Apple's support docs: "As a Mac user, you won't have to do windows, but you will need to do some housekeeping!" Yuk yuk.

Filed under: Software, Software Update, Universal Binary

For those of you worried about security...

There is a little application I mentioned way back in September 2005: MacScan. Does it work? Well I have no idea, because I don't use it, and I've never heard of any particular spyware for the Mac. Yet somehow a new version is out which protects against "all the latest threats." Like that Dvorak virus? Anyway, MacScan is now a Universal Binary, so you Intel Maccers can finally rest assured knowing your box is safe. At least, while it's booted into the Mac OS. Aw dang, I just couldn't get through one post without a reference to, uh, what was that thing again? The one that lets you boot into Windows?

Filed under: Odds and ends, Internet, Open Source, Terminal Tips

Automating ClamAV

For those of you without antivirus protection for your Mac (which I guess is all of you, right?) there's always ClamAV. And while Clam is fantastic, updating the package requires a cumbersome trip to Sourceforge to download and compile on your machine. Fortunately, Macosxhints has a post with a shell script automating the process. Now since Terminal is AppleScriptable, you can run this script with a simple drop down as well. In fact, shell scripts are accessible via AppleScript directly, but I digress. You could just get all fancy and grab ClamXav, the GUI front-end to ClamAV.

Filed under: Analysis / Opinion, OS, Tips and tricks, Odds and ends, Internet

How to take Mac security seriously

Damien went into detail about the "hacker challenge" story and, as he explained, it's much ado about nothing— for now. Clearly, this Mac security thing is only going to get more important. Even Headline News had a largely exaggerated report on the Bluetooth exploit found a while ago... So what is the average Mac user supposed to do? It's all well and good if you're a sysadmin and you can do stuff like lock down a server, but if you just bought your iBook and you are now cowering in a corner because you're afraid to even open the thing (knowing that you will automatically "catch" something), what then? Read on, as I have some stories and advice for you.

First it is important to note that the most likely vector of any computer attack is human. And keep in mind the difference between a vector of attack (like the SSH "hack" mentioned by Damien), and a payload, which would be a true virus or Trojan. A worm is a vector, but it might deploy a payload. Make sense? Anyway, the point is humans are the weakest link in the whole chain, yet also the most important in stopping any attack. It is this central fact that makes almost all OS'es equal in terms of security. You are only as good as the people who use a system, and those who set it up. Case in point: phishing.

Phishing is a huge problem, and easy to set up. You get an email claiming some guy is your long-lost relative, and he needs some money to get out of jail. If he gets out, he'll double your money. Or, even easier to trick (but harder to set up) is the fake URL scam, where it looks like Paypal or ebay (common targets) is sending you a letter about your account. This is the true phishing scenario, played out millions of times a day on the internet. Just click on the link to "verify" your account info, or it will be deleted. Unfortunately, the link will take you to a spoofed site, and you'll be typing your sensitive info into a trap designed to steal your passwords and credit card numbers. These are spins on classic grifters' tricks, and phishing scams aren't very well guarded on OS X. Microsoft and Mozilla are trying to attack this problem with tools in their browsers (or in email clients) that will alert you to spoofed websites. So what can you do on OS X? First, check out the US government's guide to avoiding phishing scams. Second, make sure you're using something to filter spam, as this will often catch a lot of generic phishing scams. If you use Firefox, Netcraft has a toolbar that will supposedly guard against phishing, but I haven't tried it. It essentially checks URL's for you. Third, use common sense. Would ebay really send out an email to an account and NOT use their username? Of course, the common sense cure is the hardest one to invoke...

One more thing about the human vector: it's all about education. You have to teach people the rules of the road, yes? Well you'll have to educate yourself or others on some basic security precautions, especially if you are the cautious type. One common concept is to never share passwords. Also, most people would recommend you don't use the same password for everything you do. And since we're talking about passwords, don't forget to change them often, and use combos of letters, numbers, and uppercase/lowercase where appropriate. If you want a freeware tool for making passwords, there's Pazzle. With Keychain, I have a bad good habit of just setting a great password, but instantly forgetting it. Let's just hope I back up my Keychain database on a regular basis, eh? Oddly enough, Wayne State has a quick little ditty on setting passwords, and of course Wikipedia has the whole history plus some ideas too. Without exposing my own tricks, I can say that if I have to remember it, I'm more likely to use l33t type spelling for relatively common stuff. Maybe not the most secure in the world, but more secure than "Fluffy" or "PHilton." And did you know OS X includes a password helper, to help create good passwords? It's all here on this Tiger Tips page. Essentially you click the little question mark (or key, as in FileVault it was a question mark, but sometimes it's a key, as in the pic on the Apple page, go standard GUI!) and a tiny dialog pops open to help you make a password. Pretty slick.

Tiger introduced a ton of very necessary security features too (aside from the password helper). Stuff most people don't think about is now included, like Kerberos support in VPN, secure virtual memory, and a certificate assistant. A lot of these things are hard to find to the uninitiated, which I guess is good, since most folks won't use them. So instead, let's go over some more basic things you can do to protect yourself (after the jump).

Continue readingHow to take Mac security seriously

Filed under: OS, Bluetooth, Security

Yet Another Pointless Worm(tm): Inqtana.A

It's like a leaky dam: It starts with one tiny little hole in the wall, then several more spring through. Before you know it, the whole dam has collapsed and the poor farm town down the road is nothing more than island rooftops and floating cows. What do you think happened to Atlantis, folks?

Following the discovery of one of Mac OS X's first "Trojan" worms (wink), Macworld was kind enough to point out another leak in our increasingly porous perimeter: a new proof-of-concept Java worm called Inqtana.A that "exploits a vulnerability in Bluetooth on some Macs that haven’t been updated with Panther and Tiger security patches."

I'll leave the gory details for Macworld to explain, but suffice to say that the malware loads onto your Mac, finds another machine via bluetooth and attempts to transfer itself. The user receiving the file does need to accept the transfer -- but it still self-propagates, technically classifying it as a worm. The good news, though, is that it doesn't seem to do much more than that.

Frankly, despite the sudden appearance of these proof-of-concept "leaks," I'm still betting that some clever animated superhero will pop a finger into the holes and seal 'em up before the dam bursts and we're forced to start new lives as ruffian mer-people. But there are only so many fingers and toes to go around before a leak's left unattended -- what happens then? Aquacalypse?

Filed under: Software

Symantec offers an update for OSX.Leap.A

Well, here's something you don't see very often. Symantec has issued an update that offers protection against OSX.Leap.A, the Mac Trojan Horse that we wrote about earlier. They classify it as a "level 1" on a scale of 1 to 5, so there's no need to slip into panic mode. It seems to be PPC only, so you lucky Mactel owners have nothing to worry about. Carry on.
