Security Quest #8 – Leopard Default Insecurity

This article is obsolete. Images and broken external links have been removed.

The default OS X install has always annoyed me with its security holes. Since I did a fresh install of OS X 10.5 Leopard it was necessary for me to go through and change those settings. Here’s what I changed.

Under security preferences I enable requiring a logon when returning from sleep or screen saver and disable automatic logon.

 

It’s a minor inconvenience but if my Mac is ever stolen it will prevent them from logging on and using the Mac as me. It also makes it harder to get to the files on disk as they need some technical knowledge and another computer.

On a related note: I enable the Master Password in Firefox. I have to enter the password when I start Firefox but it would prevent someone from easily accessing websites using my passwords by simply firing up Firefox.

Because my MacBook travels and is more likely to get stolen I usually enable FileVault, but I haven’t enabled it yet. I’ll enable it once I’ve used the laptop a few days and know it’s stable.

I was surprised to see that the firewall defaulted to “Allow all incoming connections”. This seems like a step back. The biggest single improvement Microsoft made to Windows security was to enable the firewall by default starting with Windows XP SP2. If you’re behind a home router there’s probably little cause for concern, but a direct Internet connection or a laptop that uses public networks would be at risk.

I set the firewall to block all incoming connections. Leopard will automatically open ports for the OS X services I enable. (This itself sounds like a problem in that it seems there’s no way to block some traffic on the firewall if Apple decides it’s needed.) If I find needed apps are being blocked I’ll change to “Set Access for Specific Servers and Applications” and add the apps to the list.

 

I also went into the Advanced button and enabled logging (for curiosity) and Stealth mode.

 

When behind a home router (assuming it’s NAT enabled, almost all are) stealth mode is unnecessary and logging will (hopefully) confirm the Internet doesn’t see your Mac.
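
The settings changed above can also be checked from Terminal. The script below is an added example, not part of the original post: it reads the firewall, logon and screen saver preferences with defaults(1) and flags the weak values. The preference domains and key names (com.apple.alf globalstate, stealthenabled and loggingenabled; com.apple.loginwindow autoLoginUser; com.apple.screensaver askForPassword) are assumptions about where OS X of that era stores these choices, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: audit the settings discussed above on an OS X 10.5-era Mac.
# The preference domains and keys below are assumptions about where the
# System Preferences panes store these choices.

ALF=/Library/Preferences/com.apple.alf
LOGINWINDOW=/Library/Preferences/com.apple.loginwindow

# read_pref DOMAIN KEY [currentHost]: print the value, or "unset" if absent.
read_pref() {
    if [ "${3:-}" = "currentHost" ]; then
        defaults -currentHost read "$1" "$2" 2>/dev/null || echo "unset"
    else
        defaults read "$1" "$2" 2>/dev/null || echo "unset"
    fi
}

# eval_firewall GLOBALSTATE STEALTH LOGGING: one finding per line.
eval_firewall() {
    case "$1" in
        0) echo "FAIL firewall: allow all incoming connections" ;;
        1) echo "OK   firewall: access set per service and application" ;;
        2) echo "OK   firewall: block all incoming connections" ;;
        *) echo "WARN firewall: state '$1' not recognised" ;;
    esac
    if [ "$2" = "1" ]; then echo "OK   stealth mode enabled"
    else echo "WARN stealth mode disabled"; fi
    if [ "$3" = "1" ]; then echo "OK   firewall logging enabled"
    else echo "WARN firewall logging disabled"; fi
}

# eval_login AUTOLOGINUSER ASKFORPASSWORD: one finding per line.
eval_login() {
    if [ "$1" = "unset" ]; then echo "OK   automatic logon disabled"
    else echo "FAIL automatic logon enabled for '$1'"; fi
    if [ "$2" = "1" ]; then echo "OK   password required after sleep or screen saver"
    else echo "FAIL no password required after sleep or screen saver"; fi
}

# count_fail: count FAIL lines on stdin (0 when there are none).
count_fail() { grep -c '^FAIL' || true; }

# audit: read the live settings; refuses to guess when defaults(1) is absent,
# because "unset" would otherwise look like "automatic logon disabled".
audit() {
    command -v defaults >/dev/null 2>&1 || {
        echo "defaults(1) not found; run this on the Mac itself" >&2
        return 2
    }
    eval_firewall "$(read_pref "$ALF" globalstate)" \
                  "$(read_pref "$ALF" stealthenabled)" \
                  "$(read_pref "$ALF" loggingenabled)"
    eval_login "$(read_pref "$LOGINWINDOW" autoLoginUser)" \
               "$(read_pref com.apple.screensaver askForPassword currentHost)"
}

# Constructed sample: the state the post changes away from.
# Run with "live" as the first argument to audit the real machine instead.
if [ "${1:-}" = "live" ]; then
    audit
else
    { eval_firewall 0 0 0; eval_login "constructed_user" 0; }
fi
```

Piping the output through count_fail gives a number that can be compared before and after changing the settings in System Preferences.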

Then I went into my .Mac configuration and turned off Back to My Mac. I have nothing against it, but I won’t be using it for a while and leaving it running seems to be inviting trouble. Some feel that Back to My Mac has a security hole. But what it comes down to is how secure is your .Mac account? If it’s got a secure and secret password that’s not used by anyone you don’t want accessing your Mac then it seems fine.

 

I’ll have no problem turning it on once I’m ready to try it out.

The OS X firewall only blocks incoming connections. In the past I’ve used Little Snitch to manage outgoing connections but version 1 is not Leopard compatible and version 2 is still in beta. I’m not installing the beta; I’ll wait for the full release.

Security Vulnerabilities

There was a vulnerability announced in WordPress 2.3. It’s resolved in 2.3.1 and doesn’t appear to exist in earlier versions.

News & Links

 

BBC.co.uk | Technology | PC stripper helps spam to spread – Spammers use strippers and malware to circumvent captchas and spread spam.

Techdirt.com: Remember How TJX Was The Worst Data Breach In History? Well, It Was Actually Worse – TJX even worse than reported with data being used in frauds. From the article: “It doesn’t seem like anything is really done to stop companies from being so careless…”

arstechnica.com: Microsoft security report: Our newer software is more secure – Microsoft has released the third installment of their MS Security Intelligence Report. Newer stuff is more secure.

news.com: McAfee to acquire ScanAlert – McAfee is acquiring ScanAlert. ScanAlert is the keeper of the “Hacker Safe” website security seal.

news.com: Report: U.S. tops list of spam-offending countries – Another report where the U.S. leads the world as the biggest spammer. It’s attributed to the large zombie population.

news.com: Report: PDF files used to attack computers – PDF file attachments now being used to spread malware.

theregister.co.uk: World’s most gullible supermarket chain falls victim to online scam – Email scam nets supermarket chain when they switch bank accounts based on an email. They claim “due to our internal controls and processes, we were able to quickly discover…”. Perhaps they need better controls on email?

Perfect Apple Apps

I have to admit an unhealthy admiration for two apps that come free with OS X. Both received upgrades with Leopard which makes me happy. Unlike their closest counterparts in Windows these are truly useful apps that approach perfection. A perfect app is one that does what it’s designed to do quickly and efficiently. Best of all they come with OS X 10.5 Leopard so there are no Leopard compatibility issues.

TextEdit

The first is TextEdit. Coming from Windows I saw this as a notepad clone. In the beginning I only used it when it opened by default to edit simple text files. I was wrong. TextEdit is a fairly powerful word processor. It’s said that 80% of the people only use 20% of a Word Processor’s features. I’d venture to guess that 80% of that 80% would be happy with TextEdit (don’t ask me what that works out to – wait, I can use Spotlight as a calculator – that’s 64% of Mac users).

It doesn’t do version tracking, page layout or other heavy lifting, but it does do things like formatting text, supporting styles for ease of formatting, spell and grammar checking, and can embed tables, pictures and movies. It now adds the ability to jump to a line number although lines aren’t actually visibly numbered.

It also supports modern Microsoft Word formats (97/2000/2003/2007) although unsupported features will be lost when loading the file. It also supports Open Document (odt), Rich Text (rtf & rtfd), HTML and Web Archive formats.

I figure TextEdit is done by a programmer who can’t be fired, maybe he has pictures, but he pissed somebody off. So they sent him to a basement office and they told him to work on a text editor because that other OS has one. He’s since dedicated himself to showing the Pages team what a real word processor is.

Preview

My introduction to Preview came when it fired up to open a PDF by default. I didn’t need Adobe Reader to read PDFs, if it did nothing else it would already be perfect. But it did even more. It could also view numerous image formats and do some mild editing such as cropping. Now it can mark up and annotate PDFs. These changes can be viewed by other PDF viewers. It also adds the ability to extract images from backgrounds and multiple images can be opened in the same preview window without having to select them all at once. Some useful enhancements that avoid feature bloat.

Any other gems buried in the OS?

Housekeeping and Horn Blowing

Housekeeping:

I updated my Leopard compatibility post to include a short line about any of the apps I’ve already used. The short version – no major issues for the apps that were expected to be compatible. Thumbs down to Apple for not releasing the final build to developers before the 26th. They gave it to reviewers early. It still appeared on P2P networks before the 26th.

Horn Blowing:

The OS Quest had its best single day yet for views. About 50% above the previous record. But more important to me was that the current visitors stuck around to read stuff. The previous record was people who came here for my article about the Azureus bittorrent client and they quickly bounced when it wasn’t what they expected. While still small in the grand scheme, Sunday was the first day The OS Quest went above 200 unique visitors.

 

Leopard: Time Machine Annoyance

Just as Time Machine was beginning to grow on me as a viable backup option I ran into my first annoyance. And it is annoying.

Until now Time Machine ran almost unnoticed by me. But tonight I had a Parallels VM open for several hours. The good news is that Time Machine didn’t seem to be bothered by this.

But then I shut down the VM and Time Machine’s hourly backup time rolled around. Time Machine had 12.9GB to back up, almost all of it was that VM. I was playing music in iTunes like I often do and it sounded like a record skipping (to those of you too young to remember vinyl think fingernails on a blackboard). The skipping is what caught my attention. The CPU wasn’t pinned (although heavily used) but between that and reading the disk iTunes was affected. I was typing at the time and that seemed unaffected. The backupd process was showing around 70% in activity monitor.

Since I don’t really care about backing up the VMs (well, I do – but not frequently so I’ll come up with an alternative) I excluded them from Time Machine.

To do this go into System Preferences and select Time Machine. Then click the Options button and click the + button. Browse to and select the location of the Parallels VMs.

 

Then click the exclude button to save it to the exclude list.

 

This doesn’t remove them from existing backups, but future backups won’t have them.

Leopard Upgrade: Parallels VMs Restored

Due to the time and hassle of rebuilding my Parallels Desktop VMs I wanted to use the VMs I had already created. This was simple to accomplish. I didn’t do anything special to prepare but all my VMs were shut down the last time I used them, not just suspended. I also didn’t have any snapshots to be saved.

I did a complete erase and fresh install of Leopard. I’d cloned my disk so I’d be using the clone as a backup to restore from. After installing Leopard I installed Parallels and ran it once to make sure it created all the directories it needed then shut it down. Then I dragged the ~/Library/Parallels folder from my backup to my Leopard drive and put it in the same location.

To load the VMs it was simply a matter of picking “Choose” from the new VM dialog.

Then browsing for the VM and selecting it.

 

Once it’s loaded Parallels will remember it and you can open it as you would any other VM in the future.

 

That’s it.

One thing I like about Leopard is Spaces. I have one space set up just to run Parallels in Coherence mode without mucking up the rest of my desktops.

Also, I did have a problem adding Boot Camp as a VM although the problem seems to pre-date Leopard.

If the large size of the VMs causes performance problems when Time Machine backs them up you may want to read about what I did.

The OS Quest Trail Log #12: Leopard

This week on the quest was almost all about Leopard. Certainly this weekend was all Leopard.

I chose to do a complete erase and rebuild, installing all my apps one by one. While time consuming I like this method for any OS upgrade. With Windows it was almost a requirement.

One reason I like it is there’s little risk while installing the OS, especially for OS X with all peripherals disconnected. If Apple (or anyone) can’t install an OS on hardware they also designed it would be a slam dunk to go back to the old OS and wait for the fixes, or move to another OS.

A second reason is I like to see the OS as intended by the developers (or the marketing department). By not doing a migration I get fresh settings. Of course, the downside here is it’s all new and I either have to change my ways for a while or manually tweak the settings back to where I wanted them. But it’s all fun.

The third reason is that all the app settings get wiped out. Most apps have been upgraded since I first installed them and this gives me an opportunity to revisit them and see if there are better ways. Also, there may have been some minor corruption in the settings that I didn’t notice and this cleans it all out before it has a chance to bite me. But in cases where I did want to save the settings it was so much easier than with Windows. All I had to do is restore the app’s ~/Library/Application Support subdirectory and I was good to go.

It was also a bit of an eye opener about how much of my data had moved to the net. Mail has always been a concern for me since it’s usually a complex file system and tied to one app. I’m using GMail now so it was immediately available without risk of data loss (although I still need to do something to prepare for when Google loses it). My Firefox bookmarks and settings are also synced so were ready to pull down. .Mac synced my Safari bookmarks, Transmit favorites, contacts, calendars and all my Yojimbo data.

The only serious problem I had was trying to set up my Boot Camp partition in Parallels. A little research shows this problem pre-dates Leopard. Between the time to install and troubleshoot the problem I put it aside for later. I just don’t need the functionality. Other than that there’s just minor annoyances. I’ve been listing them on my Leopard page.

First Impressions

I like it. Like I suspected, it’s the sum of the improvements that make it worthwhile. Some of them are minor like in the print driver for my Epson R340. Previously if a pre-set came up as the default but I wanted to print just some of the pages I lost the preset when I picked the pages to print and had to reselect it. Now I can change the pages to print without losing the preset. Minor, but annoying when I forgot. I also like the improvements to the DVD player since I frequently watch DVDs while working on my iMac (like now – Tom Petty Gainesville concert). There’s a setting to keep it above other windows and they’ve added a time slider at the bottom of the viewer window.

Spaces – I’m liking it so far. Applications can be assigned to certain spaces or they can just be allowed to stay in the space that they’re open in. Switching between spaces is intuitive and windows can be dragged from one Space to another. This last one is important for apps such as Firefox or Safari where I might want windows in multiple Spaces. When selecting a running app from task switcher Leopard switches to the Space it’s running in. This is both beneficial and annoying. As many apps will only run one instance of themselves I sometimes want them in two Spaces. I need to drag the new window to the new Space.

Time Machine – The jury is still out for me, but it does appear to be more than eye candy. The interface may be flashy, but it’s functional. It was easy to set up for everything to be backed up. While the restore screen does take over when activated it does seem intuitive. I’ve set it up for both my iMac and MacBook. I’ll be using it until SuperDuper! gets officially updated for Leopard. I’m also impressed that I haven’t noticed a performance hit when the backup runs. (Other than the first backup, which I let run overnight.) [Updated Oct 29th: So much for no performance issues. I had a problem when Time Machine got around to backing up my large VM file.]

The .Mac enhancements seem to make it even more functional. The preferences sync seems to take most of the preferences folder (~/Library/Preferences) so even third-party apps sync. Maybe I shouldn’t have been but I was surprised to see apps getting the settings when I installed them on my MacBook which was a huge time saver. It also opens up some interesting system restore possibilities.

I haven’t used Apple Mail.app since I had some problems with it. But I’ll probably give the new version a try later this week. I left Safari as my default browser to give it a try. But I still end up going to Firefox on the strength of the add-ons. I have used Safari a bit without any problems.

I’m one of the people that puts the dock on the left side and also auto-hides it, rarely using it. With the last minute changes that Apple made a side dock looks much like the old dock so I don’t have much to complain about there. The translucence is annoying at times, like when I can read background text through a dialog while I’m trying to read the text in the dialog itself. Hopefully they’ll add the ability to turn it off in a future update.

Haven’t come across much more that I can complain about. I’m a happy Leopard user.

Software Upgrades

Haven’t really kept track of upgrades this week. With the Leopard upgrade all my apps were re-installed with the latest versions and patches.

WordPress 2.3.1 was released a couple of days ago, hopefully I’ll get around to upgrading it this week.

News & Links

FastCompany.com: Magic Shop – Reporter as front-line employee at several retail stores. Says Apple gets it right. My favorite line: “When employees become sharers of information, instead of sellers of products, customers respond.” Still take too long to get service sometimes.

Lifehacker.com: Featured Mac Download: Keep Mail.app at a Glance With Mail.appetizer – Seems like a cool add-on for handling mail in mail.app.

ap.google.com: Comcast Blocks Some Internet Traffic – The AP is reporting about Comcast’s blocking of internet traffic. They stop the transfer by silently sending a false message to stop downloading. The message appears to come from the other computer. Which, as others point out, is just plain wrong.

arstechnica.com: Comcast traffic blocking: even more apps, groupware clients affected – Ars Technica has more info on Comcast blocking of network traffic. It apparently extends to enterprise software such as Lotus Notes.

dailyapps.net: Hack Attack : Install Leopard on your PC in 3 easy steps! – Installing Leopard on a PC. Hacked iPhones and now Leopard on non-Apple hardware. Oh my.

news.com: Congressman to Comcast: Stop interfering with BitTorrent | Tech news blog – CNET News.com – net neutrality is back on the agenda.

Leopard Login & Keychain Update

Apple has already released a Leopard update called Login & Keychain Update. It addresses issues with:

  • Logging in with an account originally created in Mac OS X 10.1 or earlier that has a password of 8 or more characters.
  • Connecting to some 802.11b/g wireless networks.
  • Changing the password of a FileVault-protected account.

It has the distinction of being the first Leopard only update. It requires a reboot. It’s available through software update (4.8MB for me) or as a 10MB standalone download.

Leopard & MacMozy Backup

After getting Leopard set up and most software installed it was time to set up Mozy again. I’m backing up about 30GB to Mozy and if all the files had to be sent again it would take days at my upload speed. Even though I was doing a complete re-install of everything I’d be restoring the bulk of my data to the same locations and they should appear unchanged to Mozy. Some data would be unchanged but be in new locations. Since I was re-installing all software the settings would in fact be new and would be backed up again but this should be a relatively small amount.

I did the MacMozy install last thing Friday night so it would have the whole night and some of the next morning to back up before I was back at my Mac.

I ran the installer for the latest MacMozy software which was version 0.7.0.0 (640). I entered my account information and when Mozy verified my account it saw that I had files already backed up using a private encryption key. It prompted me to enter the encryption key which I did. Then it ran the setup wizard and prompted me to choose the items to back up. I picked the same directories I had chosen previously.

I noticed that the “Backup Set” queries ran much quicker than before. So I picked several of them to make sure I was covered in case I missed the directories.

Once the backup started it told me it had a little over 3GB to back up. That wasn’t too bad, although it could take up to a day. One thing I noticed is it appeared very slow or even hung up. Scanning for files took much longer than usual. Then it stayed in a “communicating with server” status for what seemed forever (I eventually gave up and went to bed while it ran). But in checking the Mozy log through the console I could see it was in fact going back and forth with the server sending information about 500 files at a time. I imagine that since the local history was gone it was rebuilding it or validating the information it received from the server about the files it wasn’t backing up.

The backup was still running in the morning. When I checked the logs later I saw that it had run about 10 hours. Of the 3GB it thought it had to send, only about 1GB was for files that weren’t already on the server. The files that had been moved but otherwise unchanged were logged as already on the server.

I then did a test restore for a couple of the newly backed up files along with a couple that were backed up before Leopard. The restores went just fine.

I later installed MacMozy to my laptop and reconfigured the free Mozy account with similar results.

The First Real Problems

I’ve finally encountered my first real upgrade problems. I installed Windows XP Pro SP2 under Boot Camp. Then I installed Parallels 3 and told it to use my Boot Camp partition for a virtual machine. Then the problems began. Parallels hangs up when starting the VM and Boot Camp no longer boots because it looks for the non-existent Parallels HAL.

When I boot the VM under Parallels in safe-mode it hangs up after the mup.sys. It appears the next driver – NDIS.SYS – is the problem. It’s not an original problem (and pre-dates Leopard) and the solutions I’ve found are to do a Windows XP repair. Since I haven’t added anything to Windows yet I’ll just flatten the VM and start over. But that’s for another day, installing Windows takes too long.

Leopard Upgrade: Executing the Plan – Part 2

I got Leopard installed and running in good time and without any problems. So it was time to start installing the apps. So far the app installations have gone fine although a few minor Leopard problems have cropped up.

The first thing I installed was Yojimbo because I keep all my configuration info, serial numbers and passwords in it. Yojimbo syncs with .Mac so after installation I reconfigured it to sync with .Mac and did a manual sync. When prompted I told .Mac to replace everything on the computer (Yojimbo data only). All my data was quickly restored and I moved on.

Next up was Firefox. While it doesn’t sync with .Mac I do use the Google Browser Sync plugin to save configuration and other info. So I re-installed that and did a sync. All my bookmarks, cookies and configuration were restored.

Other programs, such as DVDPedia, keep their data in ~/Library/Application Support/AppDir. I didn’t want to take the settings for every app since I wanted a clean start, but if the app also kept its data there I dragged the directory from my backup to Leopard after installing the app.

I installed all the Apple apps (iLife, iWork, Aperture) from DVD then ran Software Update to get all the updates for them. While there were updates for just about everything it was nice to only have to get one set of updates and not have to return to get the updates for the updates. For other apps I used their own update check after installing the software.

For iTunes I started it before any restore then I shut it down and moved my iTunes library from my backup to the newly created library directory and overwrote everything. I was happy to see it remembered all my podcast subscriptions and history. I had to authorize the computer with the iTunes store and I also went through the preferences and set things up again.

For iPhoto I copied my libraries to the Pictures directory. Since I don’t use the standard library name I held down the option key when I started iPhoto and picked one of my libraries and all was fine. I was able to use iPhoto Library Manager to switch between libraries although I’m avoiding any other iPLM options until there’s an update.

I was able to install the following apps: Aperture 1.5.6, ChronoSync 3.3.5, CSS Edit 2.6, DVDPedia 4.0.7, Fetch 5.2.1, Firefox 2.0.0.8, Growl 1.1.1, iLife ’08, iWork ’08, Mailplane 1.53, QuickSilver B52 (3813), Skype 2.6.0.151, SnapZ Pro X 2.1.1, and Transmit 3.6.1 among others. All used similar methods, either restore data from .Mac or restore the data from my backup.

SnapZ Pro X is one app I had a problem with. When I picked the option to license it to all users on the computer it would prompt me for my admin password but not do anything after I entered it. I had no problem licensing it for me. This isn’t a big deal since I’m the only user.

The Quicksilver website (quicksilver.blacktree.com) has been down so I’ve been unable to download plugins but I’ve been using it as an application launcher. Can’t blame Leopard for this one.

That takes care of most of the software. I still need to setup Boot Camp, install Parallels and configure Time Machine but those will be more involved. I have read about people who are doing an upgrade in place having problems (and many other success stories) so I’m glad I went the re-install route. It takes longer but not unexpectedly long and I end up with a pristine installation.