Geek Precis: Apple

Showing posts with label Apple. Show all posts

2008-05-28

About the Mac OS X 10.5.3 Update

Apple has released the Mac OS X 10.5.3 update. As usual, it is recommended for all users and has a gazillion fixes and patches.

2008-03-21

Google's New Gmail Code Solves Conflict with Safari 3.1

As we mentioned before, there was a painful conflict between the new Safari 3.1 and the older Gmail code (UI 1) still active for some users. Google is now pushing out the newer codebase, and it appears to solve the problem (at least for us).

As Google, says in their blog post:

How to access what's new:
Just sign in to Gmail. You'll know when you're in new version of Gmail when you see a link for "Older version" at the top right of the screen.

Links:
Gmail blog post - feature list

FYI-YMMV

2008-03-18

When Will Apple Require Code Signing in Mac OS X?

After reading Roughly Drafted's recent article on the iPhone SDK's code signing requirements, I began to think about how this might be applied to Mac OS X. Then, I remembered the new Application Firewall in Mac OS X 10.5 (Leopard).

Starting with 10.5, Mac OS X is able to differentiate between signed and unsigned applications and can provide different levels of access to each. This functionality is exposed now in the new application firewall. A related feature is obvious, when Leopard warns you the first time you run a downloaded application.

Here's Where Things Get Interesting
The same system of code signing used by Apple for the iPhone could be applied directly to the Mac too. And the same system of iTunes distribution could be used for the whole application or simply for purchasing and delivering license codes. Optionally, Apple's existing "Software Update" system could be used to delivery the actual application files.

What if Apple decided to take this next step in computer security to maintain it's lead over Microsoft. They could implement a partially optional code signing system for Mac OS X. Signed apps would have full security privileges. Unsigned apps might generate a warning similar to a recently downloaded application until silenced. Or at the user's option, unsigned applications might not be allowed to run, or might be heavily restricted.

This would make it virtually impossible for trojans and most malware to get installed. And if the warning for unsigned apps repeated (say, daily, weekly, or monthly), it might effectively disable some malware simply by repeatedly asking for permission.

Apple can restrict the security privileges of their own software so that even exploits based on buffer overflows or other issues can be limited to specific security rights in a "sandbox". And a third party application's signature could limit it in the same manner.

I think this could be an elegant way to extend security without creating too much additional user inconvenience.

Leopard Application Firewall background here at Geek Precis:

Apple Links:

Painful Conflict Between Safari 3.1 and Gmail (UI 1)

With the new release of Apple's Safari 3.1, it has become clear there is a conflict between it and Gmail for folks using version 1 of Gmail (which includes most Google Apps and some localized accounts). When trying to type in the rich text fields, the modifier keys cause the focus to change. Trying to type a capital "I" by pressing shift will cause the focus to leave the rich text field without every typing the "I".

To say this is annoying is a major understatement. It is maddening,

Workaround:
If you can, switch to the "new" version 2 Gmail. If the new version is not available, you might be able to switch from "rich text" to "plain text" to avoid the problem.

This has been a known issue through the development of Webkit, so I'm not sure how Apple and Google could have let this very annoying problem happen. Hopefully, they will get it fixed ASAP.

Apple Releases Safari 3.1 for Mac and Windows

Apple has released Safari 3.1 for both Mac and Windows. Apple has incorporated the latest WebKit changes. Here are some highlights from Apple's changelog:

Support for CSS 3 web fonts
Support for CSS transforms and transitions
Support for HTML 5
Support for offline storage for Web applications in SQL databases
Support for SVG images in elements and CSS images
Support for SVG advanced text
Improved stability and compatibility
Improved Security
Improved JavaScript performance
Developer features including an optional menu
Windows version fixes and improvements

Links:

2008-03-04

A Fix for Slow WiFi 802.11 File Transfers under Mac OS X Leopard 10.5.2

While trying to transfer files from a wired iMac running 10.5.2 to a wireless MacBook Pro running 10.5.2, I ran into extremely slow transfers.

I was attempting to copy the free part of Nine Inch Nails' new album and decided to leave the slow transfer plodding along, while I researched the issue. It seems I was not the only one having this problem (Apple Support Discussion link).

It appears likely the problem has crept in with the 10.5.2 update, and it dramatically slows wireless transfers under some conditions. It seems to affect a variety of wireless Macs connecting through a variety of wireless router brands including Apple.

Based on some of the posts, it appears the problem is related to "silly window syndrome" which causes confusion with the normal packet acknowledgment process in TCP/IP. Due to this confusion (which may be caused by edge cases of transfer size and timing), both machines basically pause waiting for the other to say go. In the fast and furious world of TCP/IP, this shows itself as a dramtic slow down in large transfers, while it may not be so noticeable in smaller transfers.

But there is a fix (or at least a workaround). You can change your Mac's default ACK setting from 3 to 0 with the following Terminal command:

sysctl -w net.inet.tcp.delayed_ack=0

And you change it back to the default of 3 with:

sysctl -w net.inet.tcp.delayed_ack=3

Or you can simply check you existing setting with:

sysctl net.inet.tcp.delayed_ack

Note: You will likely need to preface any command changing these settings with "sudo" and enter your admin password to use your root account privileges.

Hopefully, Apple will roll out a more elegant and more permanent solution soon.

Additional Links:
Related Technical Paper
Script to make the ACK change on login
MacOSXHints

2007-11-15

Leopard 10.5.1 Is Out With Security Fixes But Issues Remain

Apple has released Mac OS X 10.5.1 Leopard and has included numerous security fixes (as usual), but some issues remain. Download the update from Apple here.

All these fixes bode well showing Apple's quick response to issues raised by their users. I am still hopeful the application-based (socket) firewall will become a strong security asset to improve Mac OS X's reputation for security. Although I believe the traditional ipfw will need to play a role also.

I like the idea of a layered security approach where ipfw blocks things at a port and packet level, and Leopard's new socket firewall blocks things at an application level. (Of course a hardware firewall is still recommended for home network connections.) Combine this with a system that leaves unnecessary services off until needed and has few exploitable bugs, and you have a highly secure system with minimal inconvenience.

Fixed in 10.5.1

The firewall settings no longer refers to "Block all incoming connections", but calls it more accurately "Allow only essential services". This should go a long way to fixing the confusion caused by mislabeling this setting.
When "Set access for specific services and applications" is selected in the application firewall, the setting now functions properly when setting "Block incoming connections" on root processes. Previously, root processes were always allowed.
Processes launched by launchd previously were not affected by firewall settings changes until they were restarted. This caused applications to be unexpectedly exposed, and this was especially noticeable when changing settings and testing as many security expert did.

Not Sure

From Apple's 10.5.1 Release Notes:

"Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls."

This may refer to fixes for applications like Skype, World of Warcraft, and other apps that do their own integrity check. We'll see how things develop.

Open Issues Remaining in 10.5.1

Processes running as root still are allowed to accept incoming connections, unless specifically blocked. This will continue to be a sore spot, as it leave open the possibility of an exploit or Trojan running as root to go about it's business unhindered. An important thing to consider: any process running as root could change any settings it wanted.
ipfw is still not active, as it is running with only one rule (65535 allow ip from any to any).

Background
Apple Release Notes for 10.5.1
Apple Security Update Notes
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing

Amazon.com Widgets

Books

2007-11-07

A Summary of Leopard Firewall Issues

There are a handful of issues or problems with the new Leopard firewall. Here's the short version:

Ipfw is still available, but basically does nothing and has no graphical interface.
The interface and performance of the new firewall do not match. "Block All" does not block all.
Leopard uses executable signing to "authorize" network traffic to certain services and applications. The signature data appears to be added to the actual binary, and some apps do not like to have their binaries modified and fail to run after failing a checksum or hash check.
Apple has provided no information (that I'm aware of) to explain what is going on and why.

ipfw
The previous firewall is still installed and running. It just doesn't appear to be used for much. Anyone interested can still use it. I believe it is still operating at the port layer below the sockets layer, where the new application-based firewall appears to be running.

If desired, ipfw can still be configured via the terminal or a GUI utility such as WaterProof.

Leopard's New Firewall Performance
As you probably know, Leopard's new firewall does not do exactly what it says it is doing in the GUI. I discussed this previously and you can find additional details all over the Net.

When the new firewall says it is blocking everything, it is not. Certain "privileged" traffic is still allowed. This is cause for concern, because some future exploit might find a way to take advantage of this functionality to secretly allow traffic to/from itself. Only time will tell how secure this actually is.

Application Signing
In order to increase security, Apple has implemented application signing. Apple's applications are cryptographically signed, and 3rd party ISV's can sign theirs too. This is intended to ensure both the integrity and identity of applications.

Some applications do not like to have their executable changed and will fail is they detect this. Many online games do this check to prevent cheating, and Skype appears to do this also. There are reports that World or Warcraft and Skype both fail, due to this modification of their binaries.

Apple Has Provided No Information
As far as I can tell, Apple has not had anything to say about the analysis and FUD flying around the Internet. Hopefully, they will explain things and maybe make some of the changes I've previously suggested.

Update: it appears Apple has posted some explanation confirming that ipfw is still running below the new firewall (via Securosis).

Background
Here at Geek Precis - initial, testing and analysis, and this article
Heise Security - initial, testing, and application signing
Securosis - investigation and good news
TidBITS
LeoFUD - initial FUD and code signing
Apple - firewall support docs and code signing

Amazon.com Widgets

Books

2007-11-05

Good Leopard Reviews

A very nice in-depth and technical review of Leopard from Information Week
John Sirasusa@ArsTechnica - Mac OS X 10.5 Leopard Review, the usual definitive review

My previous list of reviews is here.

2007-11-03

Leopard Firewall - Testing Analysis and Speculation

Click Here for an Updated Summary of Leopard Firewall Issues Here at Geek Precis

After all the discussion on the web concerning Leopard's new firewall, I wanted to do some testing in an attempt to better understand what was happening. I've divided my results and the related discussion into sections for easy digestion.

Summary
Apple has made significant changes to how the firewall functions in Mac OS X 10.5 (Leopard). In an apparent attempt to tightly integrate the firewall with their applications and services of their new OS, they have added a proprietary firewall to provide different/additional functionality and flexibility. The previous firewall (ipfw) is still there and running, but not really doing anything by default.

I think things are not as bad as some articles have made it seem, but I think Apple should make some changes to fix both the perception and the reality.

Background

Heise Security Article - original analysis of potential flaws in Leopard's firewall
My initial post
Slashdot discussion
Securosis analysis - some good testing
ipfw - Wikipedia, FreeBSD
IANA TCP/IP Port List - for good measure

More Good Links

How Leopard's Firewall Performs
After reading everything I could find, I did some testing of my own. Here's what I found:

I started with a few basic services (File Sharing, Printer Sharing, and Remote Login) turned on in the Sharing preference pane. After testing that basic configuration, I turned everything off in the Sharing pane and disabled the sharing activated by my iLife applications to see how the firewall would respond with no user selected sharing active.

Leopard's new firewall does a few things that might be expected and a few that might be considered unexpected:

Expected

Allows any traffic associated active shared resources (as determined by the Sharing Preference Panel). This is what previous versions of Mac OS X did by default.
Blocks traffic destined for various "random" ports.

Unexpected

The default firewall setting is to "Allow all".
Allows any traffic associated with (signed) applications that have sharing activated (as determined by individual application UI's).
Allows certain system traffic (Kerberos and NTP).

Basically, Leopard's firewall allows traffic associated with sharing that the user has selected in the usual way, allows traffic destined for "trusted" applications (if requested by the user in the application's interface), and allows traffic you will not find anywhere in the firewall interface.

Any shared services (e.g. file or printer sharing) the user has activated will be allowed access, unless the user manually deactivates that service share or manually blocks it in the firewall. And some services used by the system will accept traffic under almost any circumstances. This is odd, and I'm not yet sure what the intention is here.

What Apple Has Done
It appears to me Apple has added their own application-based firewall in a layer above the open source ipfw firewall (see below).

It looks like you can manually configure ipfw via the command prompt or use a GUI-based configuration utility (e.g. WaterProof) and restore the functionality that was previous exposed by the firewall portion of Tiger's Sharing pane. Ipfw is installed and running, but it appears to only have a single rule allowing any and all traffic. All the traffic allowed by ipfw would then pass to Apple's new firewall for further inspection. If a default configuration, Apple's firewall would be providing the only practical packet inspection and filtering; ipfw is there, but not really doing anything.

Why Apple Configured the Firewall This Way
I believe Apple decided ipfw did not provide the kind of flexibility and integration with their applications that they wanted in order to produce an elegant, user-friendly OS. They wanted a solution that was tightly integrated with the services and sharing provided by MacOS X 10.5 and Apple's applications.

In what I hope is NOT a return to the mistakes of the "old" Apple, they decided to create a new firewall from scratch rather than using well-developed and mature open source solutions like ipfw. In the past, Apple has chosen to take the proprietary (sometimes incompatible) path, and I fervently hope this is not a sign they are returning to that behavior.

I can understand Apple's desire to create a firewall configuration process that is easy to use to most non-geek users. The previous setup was easily understood by people with some networking knowledge, but fairly difficult to understand by non-techies. And it was often the case that 3rd-party configuration utilities and Apple GUI were not compatible and would could not work together without resetting the ipfw rules to match the configuration of the last UI used.

And I think there might be other justifications for this change including the sharing and services (e.g. Back to My Mac) Apple is offering and plans to offer, and a desire to integrate with some of Apple's new security features (i.e. sandboxing, application signing, and tagging downloaded applications). Apple is not likely to announce any plans that might use this new functionality, at least not before they are released.

But in the end, I think Apple has done themselves a disservice from a public relations perspective. Prior to this, Apple was universally praised for being more secure than its Windows competition. The news surrounding the firewall changes, while maybe overblown, is conspiring with the recent announcement of a Mac Trojan to make Mac OS X's security look weaker.

While the perception will likely last, only time will tell if the technical performance is better or worse than ipfw in previous versions of Mac OS X.

Recommendations
I recommend Apple do a few things to improve the situation:

First, Apple must get out on this story and explain in detail what has changed and why. Without doing this, it is too easy to speculate and create FUD. I cannot understand why they have not responded to the bad press during Leopard's launch.
Second, Apple should change the default behavior to set the firewall to "Block All Incoming". The user can then be notified if and when this setting needs to be changed.

After this they have a few options:

Apple could re-implement their application-based firewall as a control layer that works with ipfw to make the necessary changes instead of using a separate, proprietary firewall.
They could change the default rule in ipfw to block more incoming traffic that is not needed or wanted by any of the sharing features they appear to be so concerned about. At least this would close a few potential doors, while still allowing them to use their new firewall too.
They could provide an "advanced" mode and UI returning the firewall behavior to the previous configuration relying on ipfw and disabling the new firewall layer. This would give the advanced user the control he or she wants, although it might disrupt some functionality in the areas of remote access and sharing.

What I do not believe is a good option is for Apple to leave things alone and/or not change anything.

Tools and Software

WaterProof - ipfw GUI configuration
Apple's built-in port scan (/Applications/Utiltities/Network Utility)
Nessus
Bonjour Browser
Observation Post

Amazon.com Widgets

Books

2007-11-02

Leopard Benchmarks (more)

It appears Leopard benchmarks generally a bit slower on PPC and a touch faster on Intel only in 64-bit mode.

Here's a brief list of Leopard benchmarks from around the web:

Some individual's Leopard benchmark results from MacRumors:

Does anyone know of any other Leopard benchmarks posted? Leave a comment with your URL, and I'll add yours.

2007-10-30

Is Leopard's Firewall Insecure or Broken? Maybe not.

Click Here for a More Up-to-date Summary of Leopard Firewall Issues Here at Geek Precis

More in-depth post here at Geek Precis

Frightening Analysis of Leopard's Firewall

Discussion on Slashdot discussing the actual facts behind the story.

It boils down to a pair of misunderstandings: 1) the security analysts expect Leopard to follow the "traditional" model where the firewall is independent of the OS and related services, and 2) Apple chose to frame the UI with practically accurate, but technically inaccurate phrasing.

Honestly, It always struck me as the worst of both worlds to have a software firewall implemented to mimic an external hardware firewall in every way possible. I actually am excited about a software firewall taking advantage of the benefits of being software and being resident on the client. Hardware firewalls cannot "know" anything about the processes and services running on the client, but a software implementation can take full advantage of this data. This is a feature I always liked about other solutions like Zone Alarm, even if I was bothered by their constant badgering and sometimes opaque interfaces to make changes after-the-fact.

Most users don't think in terms of TCP ports and ACL's, and this fact is a more serious security threat than most technical implementations. By making security hard to use and/or difficult to understand, many "solutions" make it less likely that security features will be used or used properly.

In this case, the security analysts fail to properly take into account the target market for the software firewall and how it will be used in the vast majority of cases. Apple touts Leopard's new Application-based firewall and want to give non-advanced users a way to control the security of their Mac. And it appears to do just that.

But Apple failed to understand how imprecise (technically inaccurate) language makes the system look bad. If the firewall is not actually closed, it shows some degree of poor judgment to say it is closed in the UI. Even if it is "closed" for all practical purposes for the vast majority of users.

In the end, I predict that Apple will release a patch (probably buried in 10.5.1 or 10.5.2) that changes the language in the UI and more obviously allows an advanced user to revert to a traditional firewall. I also predict the security analysts will not make as big a deal out of these changes, when they are made.

Next tempest in a teapot, please.

New Leopard Security Features Involved (from Apple's site)

Tagging Downloaded Applications
Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

Application-Based Firewall
Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.

Sandboxing
Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.

Amazon.com Widgets

Leopard Benchmarks

Ars Benchmarks Leopard

2007-10-29

Another Great Mac OS Review by ArsTechnica's John Siracusa

John Sirasusa@ArsTechnica - Mac OS X 10.5 Leopard Review

I already included his review in my list of resources, but his articles are so good, I thought I should make a separate entry. Good stuff.

2007-10-27

Leopard Resources - Great Places to Learn More About MacOS X 10.5

Here's a collection of links to various Leopard reviews and reference materials. I've tried to collect everything useful I have found about Mac OS X 10.5 in one place for easy use. Tell me if you know of any other good sources.

Reviews
John Sirasusa@ArsTechnica
Information Week
Leo Laporte
Daring Fireball
MacWorld
MIT Technology Review
New York Times
PC Magazine
Engadget
USA Today
AppleInsider
Wall Street Journal
ComputerWorld
CNET

Screenshots
AppleInsider
ComputerWorld

Performance and Upgrades
Gizmodo - Old Hardware
Gizmodo - 10 Things to Know Before Upgrading

Glitches and Issues
Leopard Does Not Support Classic
TidBITS - FileMaker
AppleInsider - No Wireless Time Machine Backup

Apple's Links
300 New Leopard Features
Video Guided Tour

Books
The Mac OS X Leopard Book
Mac OS X Leopard: The Missing Manual
Mac OS X Leopard For Dummies (For Dummies (Computer/Tech))
Special Edition Using Mac OS X Leopard (Special Edition Using)
Mac OS X Leopard On Demand
Automator for Mac OS X 10.5 Leopard: Visual QuickStart Guide

My Blog Entries
Tagged with "Leopard"
More on Wide Area Bonjour
Leopard Feature of Interest - Wide Area Bonjour
AppleInsider In-depth Articles by Price McLean (Daniel Eran Dilger)

2007-10-25

Leopard Does Not Support Classic

From ArsTechnica

I'm not sure how I feel about the death of Classic. I haven't used it in a loonnngggg time, but it has been nice to think I could if I needed it. And I hate to see an friend head off to the bit bucket. On the other hand, with Classic completely gone, maybe that will free up some resources both on the development side and on the OS side. I wonder how many Classic-related work-arounds and kludges can be jettisoned now.

Leopard Info Sources

2007-10-23

Apple and Google Working Together

Wired

Rough Type - Bait

Cringely's Answer

Rough Type - Response

They discuss the possibilities of Apple and Google working on a front-end (Apple) and back-end (Google) solution where you have an intuitive consumer device that accesses Google's servers, storage, and services.

As a consumer, I like the idea. I loved the Newton and would love to see an elegant hand-held device that brings back those capabilities and augments them with access to Google's SaaS offerings.

But as much as I like the idea, I have trouble imagining a scenario where Apple and Google to put it all together. For it to make sense to Apple, they would need some level of exclusivity, something to draw people to the Mac, iPhone, and their other hardware products. But for Google, they would want the widest audience possible for their ads and services.

The only thing I can imagine working would be a case where Apple gets some time-limited exclusivity (maybe 6 months) and adds some Apple-exclusive features via integration with their operating system(s). Google might be willing to go this route, because it would give them a ramp-up period with a controlled number of users, and the service would get huge amounts of publicity by association with the juggernaut that is Apple.

What services would they offer? I think the obvious ones are what is already available: Gmail, Google Calendar, Google Docs, (a new version of) Picasa, and maybe things like Google Finance. The main problem with this scenario is ... .Mac . Apple already offers many of these services in one way or another. So, either Apple would need to replace .Mac with this Apple/Google service or they would need to add significant value for their customers.

2007-10-19

More Info on Apple's Wide Area Bonjour from Mac OS X 10.5 (Leopard)

Wide Area Bonjour is an extension to (local area) Bonjour which is Apple's zero-configuration networking protocol.

Under AppleTalk, Macs required no manual configuration to connect to a network. Macs would announce themselves, acquire a unique network address, and discover services available on the network. As Apple depreciated AppleTalk in favor of TCP/IP-based networking, they wanted a similar protocol to provide all the elegant simplicity of old AppleTalk. So, they created Bonjour, and released it as an open protocol called zeroconf.

(It was originally named Rendezvous, but they were forced to change the name by a software company in the financial space that had a technology serving a similar purpose. Obviously, they needed another French name; hence Bonjour.)

As many people know, TCP/IP (v4) requires a certain amount of configuration. Either you need a DHCP (or BOOTP) server to hand out the information to client computers, or you must manually enter it. To function, a computer needs a unique host addresses and a network address. These two addresses are combined to form an IP address. Also under most circumstances, a host will need a DNS server configured to translate domain names to IP addresses for actual use.

Bonjour uses mDNS, a multicast version of DNS, to handle domain name translations. It multicasts a request for a name-to-IP resolution, and devices configured to "listen" to that multicast address can respond. This is similar to how MAC-IP address resolution occurs, but that's another article.

The first versions of Bonjour only worked across a local area network. But with Wide Area Bonjour, the new version uses Dynamic DNS Update and regular unicast DNS queries to reach outside the local network. (this from Apple's Bonjour FAQ and RFC2136) But to do this, dedicated servers are required.

It appears to me Apple will host dynamic DNS servers (maybe via .Mac) to allow wide area functionality. The obvious possibilities are for SSH (remote shell access), SFTP (remote file transfer), and VNC (remote desktop/remote control) which will be called Back To My Mac.

But I think Apple will want to enable something a bit more flashy. I like to think they will implement things like iTunes library sharing (if the RIAA will allow it), iPhoto library sharing, and allowing developers to tie in their own services. I believe this could really make things interesting and might give Apple a real advantage vs. Windows.

Other links:
My initial post on Wide Area Bonjour
Leopard Info Sources

Apple's New Leopard Guided Tour (video)

Apple has posted a guided tour video or Mac OS X 10.5 (Leopard), so you can start to drool over features you won't have for a full week. You may want to have a friend bury you in the snow to pass the time more quickly. It really works.

Leopard Info Sources