Security Quest #11: Leopard Firewall Updates

Apple recently released security updates for their OS products and among those were updates for Leopard all centered around the firewall. The three firewall updates were included in the OS X 10.5.1 update.

One of the fixes took a page from Microsoft by changing some words to help call the problem solved. This “re-wording” was for the problem described as:

The “Block all incoming connections” setting for the firewall is misleading.

Apple fixed this so the setting now reads “Allow only essential services”. According to the bulletin they have reduced the number of apps that allow connections through the firewall. It used to be any app running as root could get through the firewall. Now the list is limited to configd (for DHCP and network configuration), mDNSResponder for Bonjour, and racoon for IPSec.

Previously, any process running as root would be allowed through the firewall even if it was on the list to block. The OS X 10.5.1 update now blocks any process that’s in the list to be blocked, even if it runs as root.

And in the third firewall fix Apple changed it so that changes to the firewall take effect immediately. Previously some processes had to be restarted for the change to take effect.

So, Apple made some changes to the firewall so it makes a little more sense and the way it works is more clearly defined. I still prefer the OS X 10.4 method of opening ports by number.

News & Links

BlogSecurity.net: RR Securing WordPress Tips – Good tips for securing a WordPress website.

PaulStamatiou.com: Privacy Implications of RFID Tags – An interesting read on the topic.

Wired.com: Hushmail To Warn Users of Law Enforcement Backdoor – Hushmail, always thought to be secure, can read any email with a court order. Even those using their most secure product.

apple.com: Apple security updates (OSX 10.3 & 10.4 and Safari 3 Beta for Windows) – Apple released OS X 10.4.11 for Tiger which includes security updates. Also Security Update 2007-008 for OS X 10.3.9. And finally, Safari 3.0.4 beta for Windows which includes security updates.

news.com: In ID theft, some victims see opportunity – Roundup of ways companies make money from ID theft. Needing to pay to protect our identity just seems wrong to me.

The OS Quest Trail Log #15:

When I upgraded to Leopard I kept Safari as my default browser so it would open whenever I clicked a link. But I kept using Firefox for almost everything. I liked how fast Safari was when I did fire it up. So this morning I decided to switch over and start using Safari as my primary browser, only going to Firefox when there’s no choice. Safari definitely feels faster and uses less memory.

The Greasemonkey and Browser Sync extensions to Firefox give it an edge in features over Safari, especially when running multiple computers. But, having to stop and start Firefox after using it for extended periods has become a bit annoying, especially when I had to do a force quit for Firefox. Let’s see how far I can go with Safari.

Software Upgrades

There were a lot of software upgrades for me this week. I already wrote about the upgrades to WordPress 2.3.1 and VMWare Fusion 1.1. Then there was the OS X 10.5.1 update for Leopard. I haven’t noticed much of a change since the upgrade. Wireless on my Mac Mini now works when it wakes from sleep mode but that’s about it for noticeable changes.

Adobe released Lightroom 1.3 which includes fixes for Leopard and additional enhancements. I updated my evaluation copy of Lightroom and found that the evaluation counter was reset back to 30 days.

Fetch, from Fetch Softworks, has been updated to version 5.3. It includes improved compatibility with Leopard. I upgraded but rarely use Fetch these days so haven’t used it since the upgrade.

Remote Buddy 1.8 was released. Four fixes, 5 new features, 7 enhancements to an already great remote control program. I didn’t have any problems after the upgrade but I barely scratch the surface of what this app can do.

News & Links

maintain.se: Cocktail 4 for Mac now supports Leopard – Cocktail 4 has been released and now supports Leopard. Cocktail is a maintenance and UI tweaking tool for the Mac.

News.com: Firefox 3.0 may ship with a slew of serious bugs intact – CNet tech news blog is reporting that Mozilla may ship Firefox 3 with only about 20% of the “blocker” bugs fixed. Blockers are supposed to be serious enough to justify postponing a release.

OmniGroup.com: OmniFocus for the Mac – Described as personal task management software. Pre-release Beta now available. You can download the beta for free. If you buy before the Jan 8th release you pay half price ($40 – charged immediately).

Techdirt.com: Congress Moves Forward With Required University Subsidies To Napster, Ruckus – TechDirt has an article that’s a rather glaring indictment of our government and how they subsidize failing businesses by attacking education.

TidBITS.com: FileMaker’s Bento: Undercooked and Slightly Fishy – Good overview of Bento and its shortcomings.

arstechnica.com: New bill would punish colleges, students who don’t become copyright cops – The article sums up the incredibly bad idea rather well.

bentotrial.com: Meet Bento — Learn More – Bento is from Filemaker and is described as a personal database that’s Leopard only. A beta preview is available for download.

engadget.com: Vista SP1 release candidate goes out to testers – The headline says it all.

kessels.com: JkDefrag v3.29 – Free open source disk defragmenter for Windows 2000 through Vista was updated to version 3.29.

techcrunch.com: gOS PC Sells Out: People Like A Google Focused PC – Seems like the $200 Walmart PC, the one in the oversized case so people think it’s powerful, is a hit.

tuaw.com: Improve your Stacks with some drawers – Haven’t tried it yet, but sounds like the slickest solution out there.

wsj.com: Google Has Even Bigger Plans for Mobile Phones – The Wall Street Journal is among those reporting Google will bid on some wireless spectrum in January. They report Google is already running a test version of an advanced wireless network.

Security Quest #9 – OSX.RSPlug.A Brings Macs Mainstream

There was news last week of a piece of malware targeting OS X. It’s called OSX.RSPlug.A (a.k.a. DNSChanger) and it’s a trojan distributed through porn sites (no puns). A lot was made of the fact that this *could* redirect browsers to malicious websites, such as phishing sites.

The only real news here was that OS X was specifically targeted by a malware writer. It didn’t exploit any deficiency in OS X security. The only way to get the malware to install was to convince the user that they wanted to install the software. Intego and other security software vendors are promoting the fact that they can detect the trojan.

Let’s look at what’s involved to infect a Mac with this bug. You had to:

  • Visit a website, in this case a porn site, and be enticed into downloading a file. In this case it was said to be a codec needed to view some videos.
  • After downloading the DMG file you had to open it and run the installer.
  • When the installer ran you’d be prompted for your password which you’d have to enter.
  • Then the software would install.

So the only security hole was between the keyboard and the chair, not in the software.

MacWorld has a good article on how to detect the trojan.

The first rule of PC (personal computer, including Macs) should always be: only install software from trusted sources. This wasn’t a drive-by install where the user visited a website and it automatically installed. On the other hand, there are people who say they visit websites in bad neighborhoods with Macs since it’s safe and secure. This does show that Macs are beginning to be targeted so that is probably not a good attitude. As much care needs to be taken on Macs as on Windows machines.

One of the things that make Macs a less than perfect choice for visiting bad neighborhoods is that Safari has “Open Safe Files after downloading” enabled by default. It’s a poorly named option and should be turned off. Safari doesn’t determine safety. What it really means is that it will open files which don’t automatically execute anything when all systems are working. This includes DMG and PDF files which have recently carried malware. If a vulnerability was found that enabled auto execution this default setting could be deadly. If nothing else, the name gives a false sense of security since it sounds like OS X can determine if the file is safe or not. This is set under Safari preferences, on the General tab.

If you want to visit bad neighborhoods or want an extra level of protection there is software available to help protect your Mac.

ClamXAV is a free (donationware) virus checker for OS X that’s built on the open source ClamAV anti-virus engine. The software allows certain directories to be watched and all file changes in those directories will be scanned. Scans can also be scheduled. There isn’t any real-time scanning, other than the watch directories feature. I used ClamXAV under Tiger but there are currently Leopard issues so I haven’t re-installed it since upgrading. These issues appear related to scheduling and other non-detection related features.

Intego has a full menu of security products. They are clearly the market leader in OS X security software. When I switched from Windows I naturally wanted anti-virus software so I purchased an earlier version of their anti-virus software. While I never came across any viruses for it to detect the software seemed fine. My main complaint is I feel they’re expensive. Be aware that their products that include definition updates may have just a one year subscription. I stopped using them when my subscription ran out and I didn’t feel the upgrade cost was justified for me. They also promoted paid upgrades through the same update engine that pulled down virus definition updates but didn’t identify them as paid until the update was selected, which was annoying. Intego has stated all their products are Leopard compatible. Trial versions are available.

MacScan by SecureMac is an anti-spyware program for OS X that is currently Leopard compatible. This is a traditional anti-spyware program that scans the Mac on demand or on a schedule. Detection ranges from tracking cookies to key loggers. A thirty day demo is available. I downloaded and ran the demo today. I’ll have more info when I’ve run it awhile but it’s a fairly simple interface. The 41 pieces of spyware detected in the scan were all tracking cookies from websites and web ads. When spyware is detected you have the option of picking and choosing which you want “isolated” in MacScan terms. Despite the term, tracking cookies are just deleted.

Both McAfee and Symantec have security software for the Mac. Neither seems to have particularly good reviews available. The Symantec software can be viewed here (select Macintosh Products from the drop down list). McAfee information is here. Neither Symantec nor McAfee products appear Leopard ready.

ClamXav and MacScan appeal to me because they are non-intrusive on the system. They are also the lowest cost solutions. I’ll probably stick with ClamXav.

The Intego, McAfee and Symantec products all cause me the same concern – that they’re too intrusive on the system and aren’t worth the performance cost. But if I knew I’d be going into bad neighborhoods I’d give Intego a try. At least they’re dedicated to the Mac platform. Just beware of feature bloat intended to justify their existence and upgrades.

I’m a believer that computer habits are better prevention than software. If you’re switching from Windows and used anti-virus, or have been using a paid virus scanner on the Mac, ask yourself how many viruses were detected by the software you used.

Software News

CCleaner – Home – CCleaner is a freeware privacy tool and has recently been updated to version 2.02.525.

TUAW.com: Free download of 1Password 2.5.3, courtesy Macworld – 1Passwd is free for a limited time and with limitations (no upgrades, no access to online version). Mac software used by many.

News & Links

Apple.com: Mac OS X 10.5: About the PubSub Agent – Apple lets us know that it’s OK for PubSub to access our keychain.

BlogSecurity.net: ModSecurity and WordPress: Defense in Depth – Paper about securing WordPress

Bogus FTC e-mail has virus | CNET News.com – FTC’s name is being used by spammers to spread malware

Intego reporting new OS X trojan horse in the wild – The Unofficial Apple Weblog (TUAW) – New Mac trojan. Like the article says, it doesn’t install itself. It requires the user to install and provide admin permission.

Macworld.com: Secrets: How to: Discover malware before installing – MacWorld provides some tips on how to avoid and detect malware without having to buy software

WashingtonPost.com: Deconstructing the Fake FTC E-mail Virus Attack – Security Fix – Interesting Security Fix blog post about a successful email phishing attack. The vulnerability exploited was the user. Note the update at the end which links to a report showing only 1/2 of AV software detected the malware.

WashingtonPost.com: Hiding In Plain Sight – Security Fix – I’ve told Windows to show file extensions for so long I forgot about this. A good reminder to set Windows to tell all it knows.

WashingtonPost.com: Salesforce.com Acknowledges Data Loss – Security Fix – Looks like salesforce.com fell for a phishing scam and lost control of some customer data, resulting in a wave of phishing emails targeting their customers.

The OS Quest Trail Log #13: More Leopard

It’s been just over a week with OS X 10.5 Leopard. So far I’m liking it a lot. I wouldn’t have picked it going in, but Spaces has turned out to be the killer feature for me. I’m using it on both my 24″ iMac and my 13″ MacBook.

I installed Leopard on my Intel Mac Mini yesterday. This Mac is used only as a media center and has little software and no unique data. So I went for a straight upgrade. The only minor glitch was with the wireless network. When the setup wizard ran it wouldn’t connect to the wireless networks. Messages alternated between bad password and a general network error. But I was able to go into network preferences and pick the network from there and it connected fine.

The software I use is running well under Leopard, with just minor glitches. I’m getting used to cover flow in the finder and think I’ll actually find it useful. Apple seems to be moving more towards the way I like to organize things, mainly by not organizing them. I like GMail exactly because with a few tags I can find email via searches and don’t need to organize it into folders. Finder seems to have gone the same way. I can throw stuff in directories and use spotlight, coverflow and quickview to find them fast. I’ve actually held off telling Pathfinder to replace Finder at start-up.

I’m also surprised by how fast Leopard is. I did erase and installs on my two main machines and upgraded memory on my iMac, so I can’t directly compare old and new speeds. But Leopard feels faster. Maybe some things are cosmetic, like bouncing icons less. But spotlight is faster since before it really wasn’t worth using, now it is.

Oh yea, another cool feature. iCal isn’t even running and the icon in the dock has today’s date.

It was another week where the quest was pretty much all Leopard and that about covers it.

Software Upgrades

Adobe.com: Downloads: Flash Player 9 Update – Adobe has updated Flash Player 9 to be compatible for Leopard. Note the requirement to uninstall the old version first. The uninstaller is linked on the page.

Netscape.com: Netscape Navigator Web Browser – Netscape Navigator lives and is now at version 9.0.0.2

gimp.org: GIMP – The GNU Image Manipulation Program – GIMP has been updated to 2.4.1

Growl 1.1.2 has been released for the Mac.

iSlayer.com: iStats menu 1.2 – An update to the popular iStat Menus program for Macs. Great for those of us who like tech info on how our Macs are running. (Donationware)

mozilla.com: Mozilla Firefox 2.0.0.9 Release Notes – Firefox has released a new version

News & Links

JungleDisk.com: Leopard DNS Issues (and work-around) – Solution for issue some Jungle Disk users had with Leopard. I like Jungle Disk even if I haven’t found a reason for me to use it.

TechCrunch.com: Imperium: Google’s March Towards Becoming America’s Biggest Company – It’s a scary thought that the 5th largest U.S. company, by stock valuation, makes its money by selling ads. And some expect it to become the largest.

apple.com: MacBook (Late 2007): About the Mac OS X 10.5 Leopard installation disk – Apple does seem to have a bit of copy protection on their OS DVDs.

arstechnica.com: Fair use advocates hit back with copyright principles of their own – Fair use advocates respond to the big content manifesto about user generated content. They try to restrict the impact on fair use.

arstechnica.com: IP firm sues… everyone for WiFi patent infringement – A broken patent and/or legal system.

arstechnica.com: Some Leopard early adopters bitten by installation bugs – Ars Technica rounds up some problems people have experienced upgrading to Leopard.

blogspot.com: Official Gmail Blog: Code changes to prepare Gmail for the future – Google will be rolling out more updates to GMail.

dailyapps.net: Hack Attack : Install Leopard on your PC in 3 easy steps! – Installing Leopard on a PC. Hacked iPhones and now Leopard on non-Apple hardware. Oh my.

engadget.com: Everex’s $199 green PC: attention ignorant Wal-Mart shoppers – Amusing note about Everex’s “green” PC at Walmart. It’s a mini-ITX motherboard in a tower case. Because “Research indicates that Wal-Mart shoppers equate the size of the system to its capability.”

news.com: Is it time to get rid of the Whois directory? – Column discusses that there’s a proposal to get rid of the whois database. One argument against doing so is “accurate and available information is essential for law enforcement in crimes”. Good to know criminals accurately register domains.

tech.blorge.com: Killing the RIAA: Is “stealing” music the same as supporting music? – Interesting take on the RIAA and that spreading songs through file sharing networks (“stealing” in RIAA terms) actually helps the artist more than buying the CD since artists get little or nothing from CD sales.

theAppleBlog.com: Say goodbye to the transparent menu bar – There’s already a utility to get rid of the semi-transparent menu bar.

theregister.co.uk: Appeals court rubber stamps FCC’s DSL (de)regulation – Appeals court ruling could eliminate independent ISPs and limit consumer choice. Why hasn’t this been publicized in the US? I found the news on a UK site.

tuaw.com: Apple sells 2 million copies of Leopard since Friday – I guess Leopard is popular. It took 6 weeks to sell 2 million copies of Tiger.

tuaw.com: Leopard Spotlight: the upgrade disc gripe – Looks like Leopard drop-in disks (shipped with new Macs) require Tiger to already be on the Mac.

washingtonpost.com: ‘Net Governance Body Punts On WHOIS Privacy – Security Fix – WHOIS database will remain full of information and public. Options are to provide false info or pay to keep the info private.

Waiting for SuperDuper! – Mac Disk Clone Backup

I’m still waiting for SuperDuper! to release a Leopard compatible update. While the current version can be used to clone a disk under Leopard and make the data available on the cloned disk, the metadata isn’t consistent and the cloned disk probably isn’t bootable.

I’ve been using the Time Machine for local backups and Mozy for my offsite backups. But my boot disk for fast recovery was running Tiger and had data that was getting older by the day. So I decided to use Disk Utility to clone my iMac disk and replace my last SuperDuper! clone of Tiger. This is a simple process although the disk clone will take some time; how long depends on your hardware. I ran the clone while I was at work today. To clone the disk:

1. Start Disk Utility. It’s in Applications/Utilities.

2. Select a drive then click the “Restore” button.

3. Drag the source partition from the list on the left to the Source box.

4. Drag the destination partition to the Destination box.

5. Click erase destination to make the disk bootable.

6. Click the “Restore” button in the lower right.

When I left for work the time estimate for my drive (258GB used) was 8 hours. I can’t say how long it took but when I returned 10 hours later it was done. Unlike SuperDuper! the next clone will take just as long and it can’t be scheduled so I probably won’t do it daily, but at least it’s got newer data and is Leopard.

The OS Quest Trail Log #12: Leopard

This week on the quest was almost all about Leopard. Certainly this weekend was all Leopard.

I chose to do a complete erase and rebuild, installing all my apps one by one. While time consuming I like this method for any OS upgrade. With Windows it was almost a requirement.

One reason I like it is there’s little risk while installing the OS, especially for OS X with all peripherals disconnected. If Apple (or anyone) can’t install an OS on hardware they also designed it would be a slam dunk to go back to the old OS and wait for the fixes, or move to another OS.

A second reason is I like to see the OS as intended by the developers (or the marketing department). By not doing a migration I get fresh settings. Of course, the downside here is it’s all new and I either have to change my ways for awhile or manually tweak the settings back to where I wanted them. But it’s all fun.

The third reason is that all the app settings get wiped out. Most apps have been upgraded since I first installed them and this gives me an opportunity to revisit them and see if there are better ways. Also, there may have been some minor corruption in the settings that I didn’t notice and this cleans it all out before it has a chance to bite me. But in cases where I did want to save the settings it was so much easier than with Windows. All I had to do is restore the app’s ~/Library/Application Support subdirectory and I was good to go.

It was also a bit of an eye opener about how much of my data had moved to the net. Mail has always been a concern for me since it’s usually a complex file system and tied to one app. I’m using GMail now so it was immediately available without risk of data loss (although I still need to do something to prepare for when Google loses it). My Firefox bookmarks and settings are also synced so were ready to pull down. .Mac synced my Safari bookmarks, Transmit favorites, contacts, calendars and all my Yojimbo data.

The only serious problem I had was trying to set up my Boot Camp partition in Parallels. A little research shows this problem pre-dates Leopard. Between the time to install and troubleshoot the problem I put it aside for later. I just don’t need the functionality. Other than that there’s just minor annoyances. I’ve been listing them on my Leopard page.

First Impressions

I like it. Like I suspected, it’s the sum of the improvements that make it worthwhile. Some of them are minor like in the print driver for my Epson R340. Previously if a pre-set came up as the default but I wanted to print just some of the pages I lost the preset when I picked the pages to print and had to reselect it. Now I can change the pages to print without losing the preset. Minor, but annoying when I forgot. I also like the improvements to the DVD player since I frequently watch DVDs while working on my iMac (like now – Tom Petty Gainesville concert). There’s a setting to keep it above other windows and they’ve added a time slider at the bottom of the viewer window.

Spaces – I’m liking it so far. Applications can be assigned to certain spaces or they can just be allowed to stay in the space that they’re open in. Switching between spaces is intuitive and windows can be dragged from one Space to another. This last one is important for apps such as Firefox or Safari where I might want windows in multiple Spaces. When selecting a running app from task switcher Leopard switches to the Space it’s running in. This is both beneficial and annoying. As many apps will only run one instance of themselves I sometimes want them in two Spaces. I need to drag the new window to the new Space.

Time Machine – The jury is still out for me, but it does appear to be more than eye candy. The interface may be flashy, but it’s functional. It was easy to set up for everything to be backed up. While the restore screen does take over when activated it does seem intuitive. I’ve set it up for both my iMac and MacBook. I’ll be using it until SuperDuper! gets officially updated for Leopard. I’m also impressed that I haven’t noticed a performance hit when the backup runs. (Other than the first backup which I let run overnight.) [Updated Oct 29th] So much for no performance issues. I had a problem when Time Machine got around to backing up my large VM file.

The .Mac enhancements seem to make it even more functional. The preferences sync seems to take most of the preferences folder (~/Library/Preferences) so even third party apps sync. Maybe I shouldn’t have been but I was surprised to see apps getting the settings when I installed them on my MacBook which was a huge time saver. It also opens up some interesting system restore possibilities.

I haven’t used Apple Mail.app since I had some problems with it. But I’ll probably give the new version a try later this week. I left Safari as my default browser to give it a try. But I still end up going to Firefox on the strength of the add-ons. I have used Safari a bit without any problems.

I’m one of the people that puts the dock on the left side and also auto-hides it, rarely using it. With the last minute changes that Apple made a side dock looks much like the old dock so I don’t have much to complain about there. The translucence is annoying at times, like when I can read background text through a dialog while I’m trying to read the text in the dialog itself. Hopefully they’ll add the ability to turn it off in a future update.

Haven’t come across much more that I can complain about. I’m a happy Leopard user.

Software Upgrades

Haven’t really kept track of upgrades this week. With the Leopard upgrade all my apps were re-installed with the latest versions and patches.

WordPress 2.3.1 was released a couple of days ago, hopefully I’ll get around to upgrading it this week.

News & Links

FastCompany.com: Magic Shop – Reporter as front-line employee at several retail stores. Says Apple gets it right. My favorite line: “When employees become sharers of information, instead of sellers of products, customers respond.” Still takes too long to get service sometimes.

Lifehacker.com: Featured Mac Download: Keep Mail.app at a Glance With Mail.appetizer – Seems like a cool add-on for handling mail in mail.app.

ap.google.com: Comcast Blocks Some Internet Traffic – The AP is reporting about Comcast’s blocking of internet traffic. They stop the transfer by silently sending a false message to stop downloading. The message appears to come from the other computer. Which, as others point out, is just plain wrong.

arstechnica.com: Comcast traffic blocking: even more apps, groupware clients affected – Ars Technica has more info on Comcast blocking of network traffic. It apparently extends to enterprise software such as Lotus Notes.

dailyapps.net: Hack Attack : Install Leopard on your PC in 3 easy steps! – Installing Leopard on a PC. Hacked iPhones and now Leopard on non-Apple hardware. Oh my.

news.com: Congressman to Comcast: Stop interfering with BitTorrent | Tech news blog – CNET News.com – net neutrality is back on the agenda.

Leopard Upgrade: Executing the Plan – Part 2

I got Leopard installed and running in good time and without any problems. So it was time to start installing the apps. So far the app installations have gone fine although a few minor Leopard problems have cropped up.

The first thing I installed was Yojimbo because I keep all my configuration info, serial numbers and passwords in it. Yojimbo syncs with .Mac so after installation I reconfigured it to sync with .Mac and did a manual sync. When prompted I told .Mac to replace everything on the computer (Yojimbo data only). All my data was quickly restored and I moved on.

Next up was Firefox. While it doesn’t sync with .Mac I do use the Google Browser Sync plugin to save configuration and other info. So I re-installed that and did a sync. All my bookmarks, cookies and configuration were restored.

Other programs, such as DVDPedia, keep their data in ~/Library/Application Support/AppDir. I didn’t want to take the settings for every app since I wanted a clean start, but if the app also kept its data there I dragged the directory from my backup to Leopard after installing the app.

I installed all the Apple apps (iLife, iWork, Aperture) from DVD then ran Software Update to get all the updates for them. While there were updates for just about everything it was nice to only have to get one set of updates and not have to return to get the updates for the updates. For other apps I used their own update check after installing the software.

For iTunes I started it before any restore then I shut it down and moved my iTunes library from my backup to the newly created library directory and overwrote everything. I was happy to see it remembered all my podcast subscriptions and history. I had to authorize the computer with the iTunes store and I also went through the preferences and set things up again.

For iPhoto I copied my libraries to the Pictures directory. Since I don’t use the standard library name I held down the option key when I started iPhoto and picked one of my libraries and all was fine. I was able to use iPhoto Library Manager to switch between libraries although I’m avoiding any other iPLM options until there’s an update.

I was able to install the following apps: Aperture 1.5.6, ChronoSync 3.3.5, CSS Edit 2.6, DVDPedia 4.0.7, Fetch 5.2.1, Firefox 2.0.0.8, Growl 1.1.1, iLife ’08, iWork ’08, Mailplane 1.53, QuickSilver B52 (3813), Skype 2.6.0.151, SnapZ Pro X 2.1.1, and Transmit 3.6.1 among others. All used similar methods, either restore data from .Mac or restore the data from my backup.

SnapZ Pro X is one app I had a problem with. When I picked the option to license it to all users on the computer it would prompt me for my admin password but not do anything after I entered it. I had no problem licensing it for me. This isn’t a big deal since I’m the only user.

The Quicksilver website (quicksilver.blacktree.com) has been down so I’ve been unable to download plugins but I’ve been using it as an application launcher. Can’t blame Leopard for this one.

That takes care of most of the software. I still need to setup Boot Camp, install Parallels and configure Time Machine but those will be more involved. I have read about people who are doing an upgrade in place having problems (and many other success stories) so I’m glad I went the re-install route. It takes longer but not unexpectedly long and I end up with a pristine installation.

Leopard Upgrade: Executing the Plan – Part 1

The Leopard DVD was waiting at my door when I got home tonight, left by FedEx 10 hours earlier (damn work!). My memory upgrade had arrived earlier than expected and was waiting with the DVD. So I set about executing my upgrade plan, which is to do a full erase and install.

I synced my iPod with iTunes to get the latest updates, refreshed my iTunes library backup on my Airport connected drive then deauthorized iTunes. Then I did one more .Mac sync and set syncing to manual. Then I started SuperDuper! to do a smart update to both my external drives and went to put on a pot of coffee. The smart updates for my 500GB drive (240GB used) took about 15 minutes each. I then verified Mozy had backed up during the day while I was at work.

Then I booted off of each clone to make sure they worked. So I had two bootable full disk clones and a third backup of all data (Mozy offsite for everything except iTunes, and iTunes on another external drive). Once each clone booted I shut down and disconnected it from my iMac to avoid any accidents. Not that I’m paranoid or anything.

Once that was done I decided to take advantage of my backups and see what it was like to remove a Boot Camp partition. That went extremely well and was quick. (I’ll be adding Boot Camp back but with Windows XP and not Vista.)

Then I shut down, disconnected all peripherals and did the memory upgrade to bring it to the 3GB maximum, and booted to make sure the old OS saw the memory and everything seemed fine. I’ll do the upgrade with only the keyboard and mouse connected.

It was time to pop in the Leopard DVD, power off and reboot while holding down the <C> key to boot from the DVD. I did an Erase and Install which went very much as described by Apple. I picked a custom install and deselected the Language translations to save 1.9GB. The install was about 9.5GB.

The install took about an hour, including the setup wizard. There’s a DVD verification scan that can be skipped. I let it run this first time but will skip it for the other Macs. This took 22 minutes. The setup wizard runs after the first reboot and was just like setting up a new Mac. I did not use the Wizard to import the old settings. I want to do fresh installs for everything.

Immediately after my first logon there was an update through Software Update titled “Remote Desktop Client 3.2.1”. It was a 5.8MB download which downloaded quickly. I had expected Software Update to be buried so I was pleasantly surprised.

Then I connected one of my cloned drives and clicked cancel when asked if Time Machine should use it. I then started copying the User directory to the local disk in a spare location. My plan is to disconnect the clone and start moving data from that spare location to my current directories. I’ll clean things up as I go and by doing a move I’ll be able to keep track of what I haven’t touched.

I made a few quick configuration changes – moved the dock to the left side and set it to auto-hide and reconfigured Mighty Mouse so I can right-click. I also set it to bring up the app switcher by pressing the trackball.

Then I started installing software which I’ll cover in Part 2. (To jump ahead a bit – Software Update is feeding updates to my Apple apps just fine.)

My Leopard page will be kept updated with any problems as I find them.

Security Quest #7 – New Leopard Security Features

Now’s a good time to review the new security features Apple is adding to Leopard. Besides, between the site upgrade and Leopard prep I didn’t have time to put together another security topic.

Apple has 11 new security features listed on their “300+ New Features” page. Some of the non-security features seem to be padding for the list, such as an “empty trash button”. How lame are the security features and which ones are padding?

The 11 from Apple’s list are:

1. Tagging Downloaded Applications: It all depends upon implementation but this sounds like a really good feature that contributes to security. When an application is downloaded to the Mac it is tagged as a downloaded app. Before it runs for the first time you’re prompted for your consent and are told it was downloaded, what application downloaded it and if possible what URL it came from. This one is definitely a useful feature.

2. Signed Applications: All apps shipped with Leopard are digitally signed and third-party developers can sign their applications. This one is probably more beneficial to sysadmins and a small segment of users, but most users probably won’t care. I’d still put this in the useful feature category.

3. Application-Based Firewall: In addition to port blocking you can also configure individual applications to allow or block incoming connections. OK, this is new for Leopard, but an evolutionary improvement that’s already in the Windows XP firewall and most third-party firewalls.

4. Stronger Encryption for Disk Images: OK, stronger is better, but this is borderline “new button” territory. It’s 256-bit AES instead of 128-bit AES. 128 bit is still an option. It’s an improvement, not a new feature and I suspect one most Mac users don’t care about. Governments and enterprises will probably welcome it.

5. Enhanced VPN Connection Compatibility: Like encryption, this is an improvement. A welcome improvement for people who need VPN. This could include people forced to use a public Wi-Fi network and wanting VPN for extra security.

6. Sharing and Collaboration Configuration: You can now share any folder on your Mac the same as Windows. I can see sysadmins cringe now. I’m not sure I’d call this a security improvement since users are often the weak link in security. It all depends upon implementation but it’s easier to share a directory to everyone rather than have to manage access and it’s easier to share an entire drive than folders. (I speak from experience.) I guess I’d agree this is new to OS X but I don’t think I’d put it in the security category unless it’s really well implemented.

7. Sandboxing: This one really depends upon the implementation but it’s a new feature and has the potential to significantly improve security. Applications can have their file access, network access, and ability to launch other apps limited. Apple has sandboxed Bonjour, Quick Look and the Spotlight indexer. A good security improvement but it depends upon the application and developers. This does deserve the “new feature” designation.

8. Multiple User Certificates: Allows you to maintain different digital certificates for different email addresses. Keychain can be used to associate certificates with email addresses. Signing email is becoming more common and anything that helps implement it is welcome. Another one that deserves the new feature moniker.

9. Enhanced Smart Card Capabilities: This is a welcome improvement targeted towards government and business.

10. Library Randomization: This loads system libraries to randomly assigned addresses which makes it harder for hackers. Vista has this too but it’s new to OS X and welcome.

11. Windows SMB Packet Signing: Even the description makes this sound like something thrown in to pump up the numbers: “Enjoy improved compatibility and security with Windows-based servers.” So improved security is a good thing but it should hardly be on a new features list.

There’s one they put under the Network category that could help with security: New Airport Menu. Now we’ll be able to identify secure WiFi networks. Sounds like they took it from Windows, but no shame in taking something that works.

Leopard Security Enhancement Summary

It’s actually not too bad. Only two shouldn’t be on the new feature list (6 and 11) and three are more along the lines of small enhancements (3, 4, 5) but the other six are worth identifying as new.

It’s nice to see Apple continue to address and improve security despite their reputation as a secure OS. I’d have to agree they aren’t paying lip service to security and made significant improvements.

Security Vulnerabilities

Real has released updates to several Windows versions of RealPlayer to address a security vulnerability. Mac and Linux versions are not affected.

Firefox 2.0.0.8 was released to address eight security vulnerabilities and add Leopard support.

WordPress 2.3 has a vulnerability that allows a blogroll to be spammed. This thread describes the vulnerability and has a link to download an updated link.php file to plug it.

Security Software

AVG Anti-Virus Free Edition has been updated to version 7.5.503.

Links & News

ArsTechnica.com: Comcast’s law enforcement handbook leaked, could teach telecoms a thing or two – Comcast document leaked. Makes them look good compared to telcos.

Macworld.com: I will behave cautiously online – Some tips for safe browsing. Even Mac users are vulnerable in this area since the operating system is irrelevant.

Macworld.com: I will keep my Mac safe from other users – Some tips on securing a Mac. Can’t say I do all these things.

Macworld.com: I will use good passwords – Some tips for using passwords.