Friday, April 27, 2007

Dino Dai Zovi: how to secure your OS X machine

DF has a terrific interview online with Dino Dai Zovi. Mr. Dai Zovi demonstrated that he could create a serious exploit on an OS X machine within 12 hours of being invited to do so. That's more than a bit impressive. It is, of course, supremely unlikely that he's located the only such vulnerability. It's possible that OS X is just incredibly vulnerable, but I think few believe that. The take-home message for me is that most computers on public networks are quite vulnerable. I hope Schneier will write his own comment.

In the course of the interview Dai Zovi also provided some handy security advice for users and free advice to Apple. I was reassured to learn that I already follow some of it, but I will move some passwords to a new keychain with a timeout. Emphases mine:
Daring Fireball: Interview: Dino Dai Zovi

... I take some extra security precautions such as always running as a non-admin account, using separate encrypted disk images and keychains for different purposes, and isolating data on different machines. I also take some extra precautions that I’m not going to advertise publicly :). I do not, however, run any commercial anti-virus packages.

Gruber: Are there any precautions you think typical Mac users should take that they aren’t now?

Dai Zovi: I would recommend they make their primary user account a non-admin user, I think that is a reasonable compromise between usability and security. I would also recommend that more security-conscious users create a separate keychain with a 5 minute timeout for important passwords. Even if the user is using FileVault, a separate encrypted disk image for sensitive financial or personal documents is another simple and prudent measure to protect your personal information.

Gruber: Do you use FileVault? I don’t. I do store financial and private information on encrypted disk images, but I’m wary of storing my entire home directory on one. I feel like I’m far more likely to run into problems with my disk than I am to run into a security problem, and FileVault can make it harder to recover files if things go south with the drive.

Dai Zovi: I had previously used FileVault on my laptops without much incident when I was traveling and doing consulting. These days, I am no longer doing consulting and traveling less, so I am not using it. I do still use separate encrypted disk images for different types of data.

Gruber: I’ve heard claims that there exist a handful of known Mac OS X exploits amongst security experts. Do you believe – or know – this to be the case?

Dai Zovi: Security experts quite often have exploits for vulnerabilities that they have discovered and the vendor is in the progress of addressing. Some others choose not to report the vulnerabilities that they find. So I would not be surprised if there were a number of OS X exploits floating around, I have already seen evidence of this in the past (i.e. the mach exception ports exploit)...

... Gruber: You had nice things to say in your interview with Ryan Naraine about your experience reporting findings to Apple. Do you think there’s anything Apple should do different with Mac OS X itself that would improve security? (E.g. do you think Apple should change the first-run configuration UI so as to encourage users to create non-admin accounts?)

Dai Zovi: I think Apple is to be commended for proactively releasing updates for internally identified security vulnerabilities, which is a stance that few other software vendors take. Apple should implement some of the security defenses that other operating systems have adopted [jf: I think this includes Vista] such as Address Space Layout Randomization and other stack and heap protections. I think Apple should provide the option to create both admin and non-admin accounts in the first run as well as make it easier to store passwords in non-login keychains.
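The keychain and disk-image advice from the interview, written out as commands. This is an added example, not part of the post or the interview. It assumes the macOS `security` and `hdiutil` tools; the keychain name, image path and size are hypothetical, and the script only prints the commands unless run with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: a separate keychain with a 5 minute timeout plus an
# encrypted disk image, using the macOS `security` and `hdiutil` tools.
# The names important.keychain and Private.sparseimage are hypothetical.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them on a Mac

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# `security set-keychain-settings -t` takes seconds; accept whole minutes.
timeout_seconds() {
    case "$1" in
        ''|*[!0-9]*) echo "timeout must be whole minutes" >&2; return 1 ;;
    esac
    echo $(( $1 * 60 ))
}

# $1 = keychain name, $2 = timeout in minutes
make_timed_keychain() {
    secs=$(timeout_seconds "$2") || return 1
    # With no -p/-P option the keychain password is prompted for on the
    # terminal, so it never appears in the process list or shell history.
    run security create-keychain "$1" || return 1
    # -u locks after the -t interval, -l also locks when the machine sleeps.
    run security set-keychain-settings -l -u -t "$secs" "$1"
}

# $1 = image path, $2 = size (e.g. 500m), $3 = volume name
make_encrypted_image() {
    # The passphrase is prompted for interactively. AES-256 needs a
    # release that supports it; AES-128 is the other accepted value.
    run hdiutil create -type SPARSE -size "$2" -fs HFS+ \
        -encryption AES-256 -volname "$3" "$1"
}

make_timed_keychain important.keychain 5
make_encrypted_image "$HOME/Private.sparseimage" 500m Private
```

After a real run, `security show-keychain-info important.keychain` shows the lock settings that were applied.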

Wednesday, April 25, 2007

Automated defrag in XP out of the box

Nice to know XP can auto-defrag without any add-ons: Mozy Blog: Defrag the Mozy Way

Joel on VBA for Macintosh and the Office alternatives

Another example of Microsoft on the skids: VBA for Macintosh goes away (Joel on Software).

Joel wrote the spec for VBA. It was a lock-in strategy from the start, which is no surprise of course. The loss of VBA on the Mac won't have much impact on most users of Office/Mac, but Joel's story is interesting for several reasons:
1. It's a story about Microsoft's only great product - Excel.
2. Joel's a longtime supporter of Microsoft as a company (he grew up there) and even he's advising friends to avoid Vista at this time.
3. He gets fed up with Office 2007.
Most Mac users who really need Office are going to run Office Pro/Windows in emulation under Windows 2000 or XP. I don't care so much about VBA, but I need Microsoft Access.

Mac users who want a quality word processor should probably use Nisus Writer Express (Pro is in beta). Every other product that works well on the Mac uses a lock-in proprietary file format or an (unfortunately) little supported open alternative. NWE uses RTF.

For presentations, if you can escape PowerPoint (few can) I hear Keynote is good. For an end-user non-pro database you're limited to FileMaker (kind of hurting really). For a spreadsheet you can, err, uhhh, hmmm. That's a problem, isn't it? When I started writing this post I didn't know of any. I decided to research the question first ...

I was able to find 6 alternatives, not counting OpenOffice since it still requires an X Window front-end:
  1. AppleWorks if you can find a copy (runs in CPU emulation on Intel Macs)
  2. MarinerCalc 5.5.1
  3. Google Apps with Firefox/Camino (not Safari)
  4. Tables
  5. Mesa (NextStep originally) is still around and is a universal binary
  6. NeoOffice: (update 5/29/07: I tried the spreadsheet with a modestly large data series. It died trying to create a chart. It's not a real contender.)

Tuesday, April 24, 2007

Spanning Sync on multiple macs

This description of Spanning Sync makes me wonder again if we can use it for a family calendar. I still need a good solution for synchronizing Google Calendar with Outlook ...
Spanning Sync Blog: Using Spanning Sync with Multiple Macs:

...To set up Spanning Sync on multiple Macs, first download and install it on one machine, login using your Google account, pair your iCal and Google calendars, and perform a sync. At this point, Google Calendar will have a copy of all of your events.

Then on each of your other Macs, create an empty iCal calendar for each calendar you're syncing. Install Spanning Sync and login with the same Google account, then pair the appropriate Google calendars with the empty iCal calendars and sync. From this point on, changes you make in iCal on any of your computers will be synchronized with Google Calendar and with your other Macs.

Remember that since Spanning Sync is licensed per-person and not per-Mac, you can install it on as many Macs as you like—just login using the same Google account on each one...
I will test this at home first ...

Update: I created a family domain for Google Apps and added both my wife and me to the domain. I've tested Spanning Sync and am now trying SyncMyCal and gSyncit. gSyncit is bidirectional, which I don't want for work, so I'll try SyncMyCal first.

Coda and Fission: Nice action on the OS X app front

OS X 10.5 is MIA [1] and so is iWorks 3 (OS X spreadsheet), Aperture 2 (working date metadata and faster than a dead slug), iLife 2007 (2008?), Safari 3 (a modern browser?), a blog editor, .Mac that's worth something ... argh. There's no putting a pretty face on it, Apple seems to have taken 2007 off to work on my iPhone.

So it's especially good news to hear of two very interesting OS X product releases: Coda (DF review) and Fission. Nisus Professional for OS X is also in beta and OpenOffice is supposed to come out for OS X (no X Windows) this summer.

[1] I worry about the Fall delivery considering the challenge of iPhone -- when big projects slip once they almost always slip three times. By that rule 10.5 will come in 2008.

Monday, April 23, 2007

A cause for the pesky -36 error with SMB connections

I get these on occasion, though I do much less with XP these days ...
Mac OS X 10.4: Error -36 alert displays when connecting to a Windows server

Mac OS X 10.4: Error -36 alert displays when connecting to a Samba or Windows server

After upgrading from Mac OS X 10.3.x to Mac OS X 10.4, you may get an error message when you try to connect to a Samba or Windows (SMB/CIFS) server. A Samba or Windows (SMB/CIFS) server includes servers operating on Microsoft Windows and other operating systems that use Samba for SMB/CIFS services.

If the connection is unsuccessful, the following error message may appear:

The Finder cannot complete the operation because some of the data in smb://........ could not be read or written. (Error code -36).

If you check the Console (/Applications/Utilities/), you will also see this error message:

mount_smbfs: session setup phase failed

This error can occur if your Mac OS X 10.4 client is trying to connect to a Samba or Windows (SMB/CIFS) server that only supports plain text passwords. If you do not see the above message in the Console, you are not experiencing this issue and should try normal troubleshooting to isolate the source of the issue.

Unlike Mac OS X 10.3, the Mac OS X 10.4 SMB/CIFS client by default only supports encrypted passwords. Most modern Samba or Windows (SMB/CIFS) servers use encrypted passwords by default, while some Samba servers might have to be reconfigured.

You should consider contacting the owner or system administrator of the Samba or Windows (SMB/CIFS) server to which you are trying to connect and encourage them to disable plain text passwords and start using encrypted ones. If the server cannot be reconfigured to support encrypted passwords, you can configure Mac OS X 10.4 SMB/CIFS client to send plain text passwords.
I think XP only uses encrypted passwords, but I'll check.

Rescue Kodak Photo CDs from oblivion with iPhoto

iPhoto can import obsolete Kodak Photo CD file formats. Neat trick! Another lesson in the risks of proprietary file formats. In ten years there may be nothing that can read these old formats.