
Ask HN: I'm a pro; still harmed by CCleaner's malware. What could I have done? - oferzelig
Frustrating.

I'm a pro user (or at least that's how I consider myself, unless I suffer from the Imposter Syndrome).

I don't click links just because. I just don't. Not once in a million, not by mistake. I just don't.

I don't install software that comes from an "Unknown Publisher", even if I have to have it. I just don't.

I have used CCleaner for a long time, as it's considered trusted, reliable and crap-free.

I did install the dodgy CCleaner 5.33. It was digitally signed by Piriform: https://i.imgur.com/GlDiEJM.png

And yet, it contains malware that was injected into the build process, thus got it to be part of the "normal" program files and signed.

The trust model has broken.

What could I have done differently?
======
bob33212
There was not much you could have done. Personally I never used CCleaner even
though folks on my team did. I just didn't have a use for it because I wanted
to make sure I understood Chrome's caching logic. So maybe I am slightly more
"Pro" than you. But I install lots of software that could have had their
deployment process hacked without me knowing.

------
TurboHaskal
Think twice before installing a new application. Try to use the OS default
applications as much as you can tolerate them.

I don't think you need CCleaner in 2017.

Recommended reading:
[https://usesthis.com/interviews/marius.eriksen/](https://usesthis.com/interviews/marius.eriksen/)

------
sotojuan
It's not like CCleaner was out to get you - they got hacked. It's like if your
bank got hacked and your stuff got stolen. The bank didn't trick you.

What should you do now? Never update an app automatically. Wait at least a day
and see if there are any issues.

~~~
oferzelig
I know they didn't, I know they were hacked. The question is how can one be
cautious and alert, if that doesn't help? Digital signatures were invented so
you can trust the program you're installing, but if that doesn't happen, what
else?

Also, I didn't update automatically. It was a fresh install on a relatively
new machine. And even if I did disable auto update - in that case I would've
installed it manually. What's the difference?

------
codegladiator
Think twice before installing an "Anti- (virus/malware)" software. I haven't
installed one in either Windows/Linux/Mac for the last 10 years (because
Norton/McAfee/AVG and others used to mess up the speed).

- use ad blocker

- don't auto update

------
senoraptget
Don't do all tasks on one computer. Computers dropped in price so there's no
reason to do that.

You can use a livecd for surfing the web. The web is one of the biggest
sources of badware.

------
thiagooffm
not using CCleaner would be a start.

pay attention to the version of what you are using and avoid using things on
auto-update or on a version which hasn't been battleproof.

use linux and check the source code of everything you run... but it's a lot of
work

so basically I don't think you could've done much, nor most of the people can
unless you would accept living in a very walled and time-consuming computer
setup

~~~
Piskvorrr
Most Linux users would have been caught the same way, what with PPAs and
autoupdates. If a trusted party is compromised, it's essentially game over.

------
romanovcode
I don't get how you can be a pro yet use this kind of crapware.

