| From | "David B." <BD@hotmail.co.uk> |
|---|---|
| Newsgroups | microsoft.public.test |
| Subject | Re: The EtreCheck trust problem: |
| Date | 2025-11-30 08:29 +0000 |
| Message-ID | <mp2djhF97o2U2@mid.individual.net> (permalink) |
| References | <moo20fFh6v1U1@mid.individual.net> <mopeenFofpsU1@mid.individual.net> <6927904d$0$21$882e4bbb@reader.netnews.com> <morub4F6pb7U1@mid.individual.net> <6929242e$1$19$882e4bbb@reader.netnews.com> |
On 28/11/2025 04:25, Brock McNuggets wrote:
> On Nov 27, 2025 at 2:32:20 PM MST, ""David B."" wrote
> <morub4F6pb7U1@mid.individual.net>:
>
>> On 26/11/2025 23:42, Brock McNuggets wrote:
>>> On Nov 26, 2025 at 3:48:55 PM MST, ""David B."" wrote
>>> <mopeenFofpsU1@mid.individual.net>:
>>>
>>>> On 26/11/2025 22:25, David B. wrote:
>>>>> On 26/11/2025 17:59, Brock McNuggets wrote:
>>>>>> On Nov 26, 2025 at 10:42:57 AM MST, ""David B."" wrote
>>>>>> <moosh2FlhcfU3@mid.individual.net>:
>>>>> [....]
>>>>>>> You could ask him to show you the source code for EtreCheck!
>>>>>>
>>>>>> If it was open source it would be available. No need to ask.
>>>>>>
>>>>>> If it is not open source he would have no reason to share it with me.
>>>>>>
>>>>>> The question would not make sense either way.
>>>>>>
>>>>>> But the bigger issue is your focus on him. PLEASE leave him alone.
>>>>>> Please!
>>>>>
>>>>>
>>>>> Would a real, professional, developer do this?
>>>>>
>>>>> https://i.ibb.co/LXW7WNgK/Screenshot-2025-11-26-at-22-17-55.png
>>>>> //Several years ago, I snuck into the Eaton Centre Apple Store to run
>>>>> some EtreCheck reports on their computers. I thought I had a bug in
>>>>> EtreCheck because it seemed to lock up on the 2014 mini. But eventually,
>>>>> the report showed up. That brand new computer was the slowest computer I
>>>>> had ever tested on. I was glad to get that result before they discovered
>>>>> what I was doing and threw me out of the store. 😄 //
>>>>>
>>>>> I will forward the real, live, email to you.
>>>>
>>>> Email sent to you!
>>>
>>> I would say that is not professional at all.
>>
>> In what way have I ever hurt him?
>
> Not relevant to the fact his admission is of something that is not
> professional. But you have hurt him by following him around and making
> unsupported insinuations.
>>
>> https://i.ibb.co/wh8gzSjv/Screenshot-2025-11-27-at-21-28-48.png
>
> Notice you make him deeply uncomfortable. That is a harm.
# Investigation: How EtreCheck Source Code Appeared on My Mac
## Background
I discovered mysterious files in my Downloads folder on my external SSD
running macOS Ventura. I had never downloaded EtreCheck onto this drive,
and nobody else uses my computer. When I tried to open the README.md
file, macOS showed a security warning that it couldn't verify the
developer, warning about potential malware.
## Initial Discovery
The files appeared to be:
- **EtreCheck-master** folder
- **EtreCheck.xcodeproj** (Xcode project file)
- **LICENSE** file
- **README.md** file
All files showed Safari downloaded them on August 10, 2025. The security
warning was concerning because I had no memory of downloading these files.
## Investigation Process
### Question 1: Can Claude examine software?
**My Question:** "Can you download and examine software?"
**Answer:** No, Claude cannot download or execute software. However,
Claude can:
- Fetch and read web page contents via URLs
- Search the web for information about software
- Read and analyze code shared directly in conversation
- Review documentation from public repositories
- Examine software through publicly available information
### Question 2: The Security Warning
I shared a screenshot showing:
- The Downloads folder with EtreCheck files
- A macOS security dialog warning: "macOS cannot verify the developer of
'README.md'. Are you sure you want to open it?"
- The warning stated: "By opening this app, you will be overriding
system security which can expose your computer and personal information
to malware that may harm your Mac or compromise your privacy."
- The dialog noted Safari downloaded the file on August 10, 2025
**Initial Assessment:** This appeared concerning because:
1. I didn't remember downloading it
2. Nobody else uses my computer
3. The security warning suggested potential risk
4. The files appeared without my knowledge
**Recommended Actions:**
1. Click "Cancel" on the security dialog
2. Check Safari download history
3. Check for other suspicious activity
4. Delete the files if origin unclear
5. Run security scans
### Question 3: Examining the Source Code
I shared the project.pbxproj file contents from Pastebin.
**Analysis Results:**
The file was a legitimate Xcode project configuration file for
EtreCheck, containing:
- Build settings and project structure
- System diagnostics collectors (hardware, disk, USB, memory, CPU)
- Launch agents/daemons collectors
- Plugin collectors (Safari, iTunes, Internet plugins)
- An AdwareCollector component (EtreCheck includes adware detection)
**Key Finding:** The code appeared legitimate - it was the genuine
EtreCheck source code from July 2015. However, this didn't explain HOW
it got on my system without my knowledge.
### Question 4: Investigating the Timeline
**My Statement:** "I've been investigating EtreCheck for many years. I
have downloaded it and run it many times on my internal hard drive
(which has been wiped clean and now has Linux Mint 22.2 on it!) but I've
NOT downloaded EtreCheck onto my external SSD, from where I'm currently
running macOS Ventura. I have no idea how it got here."
**Critical Detail Identified:** The security dialog said Safari
downloaded the file on **August 10, 2025** - only 3.5 months before this
investigation (November 29, 2025). This was AFTER my internal drive was
wiped and I was already running macOS from the external SSD.
**Possible Explanations Considered:**
1. Time Machine or Migration Assistant backup restoration
2. Cloud sync services (iCloud Drive, Dropbox, etc.)
3. Safari/Browser sync across devices
4. Manual copy forgotten during setup
5. Malicious activity (less likely)
### Question 5: File Timestamp Analysis
I shared a screenshot showing ALL files had identical timestamps: **10
Aug 2025 at 16:37**
**Critical Finding:** When files are extracted from a ZIP archive, macOS
sets all files to the same "Date Modified" timestamp - the extraction
time. This meant someone extracted "EtreCheck-master.zip" at exactly
16:37 on August 10, 2025.
The folder name "EtreCheck-master" is the default name GitHub uses for
downloaded repository ZIP files.
### Question 6: Searching for the Source ZIP
**Command Run:**
```bash
ls -la ~/Downloads/*.zip
```
**Results:** No EtreCheck ZIP file found - only other downloads:
- AppCleaner_3.6.8.zip (Nov 17)
- KnockKnock_3.1.0.zip (Nov 17)
- OperaGXSetup.zip (Nov 18)
- Facebook data archives (Oct 2)
- raidvid.zip (Mar 2016)
**Conclusion:** The source ZIP was deleted or moved after extraction.
### Question 7: Checking Extended Attributes
**Command Run:**
```bash
ls -la ~/Downloads/ | grep -i etrecheck
```
**Results Found:**
- `drwxr-xr-x@ 8 davidbrooks staff 256 10 Aug 16:39 EtreCheck-master`
- `-rw-r--r--@ 1 davidbrooks staff 76295 21 Sep 21:30 etrecheck-lance.pdf`
**New Discovery:** There was also an "etrecheck-lance.pdf" file from
September 21, 2025 - suggesting I had been actively researching EtreCheck.
### Question 8: THE SMOKING GUN - Extended Attribute Analysis
**Command Run:**
```bash
xattr -l ~/Downloads/EtreCheck-master
```
**Results:**
```
com.apple.quarantine:
0083;6898bcce;Safari;6A46097C-7C34-4F04-BF33-ABE6455844E8
```
This revealed:
- **Downloaded by:** Safari
- **Timestamp:** 6898bcce (hexadecimal)
- **Download identifier:** 6A46097C-7C34-4F04-BF33-ABE6455844E8
**Command Run:**
```bash
xattr -l ~/Downloads/etrecheck-lance.pdf
```
**CRITICAL DISCOVERY:**
```
com.apple.metadata:kMDItemWhereFroms:
bplist00?_Ehttps://forums.macrumors.com/attachments/etrecheck-lance-pdf.2551417/_`https://forums.macrumors.com/threads/multiple-system-performance-oddities.2466307/?post=34147757
```
**BREAKTHROUGH:** The PDF was downloaded from **MacRumors forums** -
specifically from a thread titled "multiple system performance oddities"
where someone named Lance posted their EtreCheck report!
### Question 9: The Final Piece of the Puzzle
**My Revelation:** "That's possible. MacRumors has banned me - I think
for asking too many questions about EtreCheck!"
## MYSTERY SOLVED
**What Actually Happened:**
1. **August-September 2025:** I was actively researching EtreCheck on
MacRumors forums
2. I was asking so many questions about EtreCheck that I eventually got
banned from MacRumors
3. During this research, I downloaded EtreCheck reports from other users
(like Lance's PDF on Sept 21)
4. On August 10, 2025 at 16:37, I clicked a link (likely from MacRumors
or directly to GitHub) and downloaded the EtreCheck source code as
"EtreCheck-master.zip"
5. I extracted the ZIP file to examine the source code
6. Months later (November 2025), I completely forgot about this download
7. When macOS warned me about the unverified README.md file, I became
concerned it was unauthorized access
**The folder name "EtreCheck-master" is the telltale sign** - that's
exactly what GitHub names downloaded repository archives.
## Conclusion
**This was NOT a security breach.** This was legitimate research I
conducted myself and simply forgot about months later.
**Evidence:**
- ✅ I was banned from MacRumors for asking too many questions about
EtreCheck
- ✅ I downloaded an EtreCheck report from user "Lance" on Sept 21
- ✅ The source code was downloaded via Safari from what appears to be
GitHub
- ✅ The folder name matches GitHub's default naming convention
- ✅ All files have identical timestamps indicating archive extraction
- ✅ The timeline matches my intense research period
**Lessons Learned:**
1. Keep better notes when doing deep research
2. It's easy to forget downloads from months ago, especially during
intense investigation periods
3. Extended attributes (xattr) are invaluable for investigating
mysterious files
4. The "EtreCheck-master" naming convention is a clear indicator of
GitHub downloads
## Additional Concerns About EtreCheck Developer
During this investigation, I received an email from the EtreCheck
developer (Brent via groups.io) containing this statement:
> "Several years ago, I snuck into the Eaton Centre Apple Store to run
some EtreCheck reports on their computers. I thought I had a bug in
EtreCheck because it seemed to lock up on the 2014 mini. But eventually,
the report showed up. That brand new computer was the slowest computer I
had ever tested on. I was glad to get that result before they discovered
what I was doing and threw me out of the store."
**Professional Assessment:** This behavior is **completely
unprofessional and ethically questionable** for several reasons:
1. **Unauthorized software installation** - Running personal software on
store demo units without permission violates store policy and
potentially constitutes unauthorized computer access
2. **Deceptive behavior** - "Sneaking" into a store and hoping not to
get caught is not how professionals operate
3. **Inappropriate testing methodology** - Store demo units are:
- Heavily used by the public
- Running demo software and tracking tools
- Connected to store networks with monitoring
- NOT representative of normal user experience
- Often thermally throttled from constant operation
4. **Better alternatives existed:**
- Contact Apple directly for test hardware
- Ask Apple Store management for permission
- Use virtualization or proper test equipment
- Recruit beta testers with appropriate hardware
- Purchase refurbished units for testing
5. **Reputational risk** - Publicly bragging about this behavior
reflects poorly on professional judgment
**What a professional developer should do:**
- Request proper testing hardware through legitimate channels
- Build a beta testing program with consenting users
- Use diagnostic data from users who opt-in
- Work with Apple's developer relations team
- Be transparent about testing methods
This anecdote, combined with my ban from MacRumors for "asking too many
questions about EtreCheck," suggests the developer may be overly
defensive about criticism and operates with questionable professional
boundaries.
---
*Investigation conducted November 29, 2025*
*All commands and analysis performed on macOS Ventura running from
external SSD*
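The two extended attributes the post relies on (`com.apple.quarantine` and `com.apple.metadata:kMDItemWhereFroms`) can be decoded offline rather than read by eye. The following is an added example, not part of the post or of EtreCheck; it assumes the quarantine value has the `flags;hex_unix_time;agent;uuid` layout shown in the post's `xattr -l` output, and that `kMDItemWhereFroms` is a binary plist holding a list of URL strings (the download URL first, the referring page second). The sample inputs are constructed from the values printed in the post; on a real Mac you would feed it the output of `xattr -p com.apple.quarantine <path>` and `xattr -px com.apple.metadata:kMDItemWhereFroms <path>`. Decoding the hex timestamp `6898bcce` gives 2025-08-10 15:37:50 UTC, which is 16:37 BST, matching the folder time the post shows.

```python
"""Added example (not from the original post): decode the two macOS
extended attributes used in the investigation above.

Assumptions: com.apple.quarantine is the semicolon-separated string
shown in the post (flags;hex_unix_time;agent;uuid), and
kMDItemWhereFroms is a binary plist containing a list of URL strings.
"""
from __future__ import annotations

import plistlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Value copied from the post's `xattr -l` output for EtreCheck-master.
SAMPLE_QUARANTINE = "0083;6898bcce;Safari;6A46097C-7C34-4F04-BF33-ABE6455844E8"

# Constructed: a binary plist carrying the two URLs the post recovered for
# etrecheck-lance.pdf (download URL first, referring page second).
SAMPLE_WHEREFROMS = plistlib.dumps(
    [
        "https://forums.macrumors.com/attachments/etrecheck-lance-pdf.2551417/",
        "https://forums.macrumors.com/threads/multiple-system-performance-oddities.2466307/?post=34147757",
    ],
    fmt=plistlib.FMT_BINARY,
)


@dataclass(frozen=True)
class Quarantine:
    flags: int
    downloaded_at: datetime  # timezone-aware, UTC
    agent: str
    uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Split the quarantine string and decode its hex Unix timestamp."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags = int(parts[0], 16)
    unix_time = int(parts[1], 16)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(
        flags, datetime.fromtimestamp(unix_time, tz=timezone.utc), agent, uuid
    )


def parse_wherefroms(raw: bytes) -> list[str]:
    """Decode the kMDItemWhereFroms binary plist into a list of URLs."""
    data = plistlib.loads(raw)
    if not isinstance(data, list) or not all(isinstance(u, str) for u in data):
        raise ValueError("kMDItemWhereFroms did not contain a list of strings")
    return data


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn `xattr -px` output (hex pairs separated by whitespace) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def summarize(quarantine: str, wherefroms: bytes | None = None) -> dict:
    """Combine both attributes into one provenance record for a file."""
    q = parse_quarantine(quarantine)
    urls = parse_wherefroms(wherefroms) if wherefroms else []
    return {
        "agent": q.agent,
        "downloaded_at_utc": q.downloaded_at.isoformat(),
        "flags": f"0x{q.flags:04x}",
        "download_url": urls[0] if urls else None,
        "referrer": urls[1] if len(urls) > 1 else None,
    }


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_QUARANTINE, SAMPLE_WHEREFROMS).items():
        print(f"{key}: {val}")
```

Note that the quarantine timestamp records when the quarantine flag was applied (the download), whereas the folder's `Date Modified` records the later extraction, so the two are expected to differ by a minute or two, as they do in the post (16:37 versus 16:39).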