Forgot your password?
typodupeerror
Security Businesses OS X Operating Systems Apple

Apple Releases Mac OS X Leopard Security Guide 61

Posted by timothy
from the to-prevent-worms dept.
Wormfan writes to share ZDNet's brief mention of and a link to "Apple's release of a ~250 page PDF of security best-practices and tips to protect Mac OS X Leopard clients. The guide is aimed at experienced users, Apple says, familiar with the Terminal application and its command-line interface."
This discussion has been archived. No new comments can be posted.

Apple Releases Mac OS X Leopard Security Guide

Comments Filter:
  • by peterpan79 (1151325) on Tuesday June 03, 2008 @09:59AM (#23637613)
    citing page 52:

    In the Password and Verify fields, enter a new Open Firmware or EFI password, and click OK.

    This password can be up to eight characters. Do not use the capital letter "U" in an Open Firmware password.

    If you do, your password will not be recognized during the startup process.

    ;)
    • Re: (Score:3, Funny)

      by kellyb9 (954229)
      AND YO 'D think they WO LD have FIG RED that O T!
    • Re: (Score:3, Interesting)

      by 3dr (169908)
      Ha!

      Anybody know the reason for this?
      • by gEvil (beta) (945888) on Tuesday June 03, 2008 @10:39AM (#23638245)
        Anybody know the reason for this?

        From this page [apple.com] on Open Firmware passwords, they list the following:
        Blocks the ability to use the "C" key to start up from an optical disc.
        Blocks the ability to use the "N" key to start up from a NetBoot server.
        Blocks the ability to use the "T" key to start up in Target Disk Mode (on computers that offer this feature).


        I wonder if the missing U has something to do with those... : p
        • Re: (Score:3, Funny)

          by Anonymous Coward
          On Slashdot, the word "cunt" is informative. You can't make that up.
      • Re: (Score:2, Informative)

        by Anonymous Coward
        I'm guessing it's due to some Unicode support hack, although I would love to know definitively myself, just out of curiosity.

        In any case, remember that Open Firmware is only used on PowerPC machines, and is based on a Forth interpreter. EFI is used on all the Intel Macs, and isn't subject to the same restriction on passwords.
    • by ArsonSmith (13997) on Tuesday June 03, 2008 @02:53PM (#23641897) Journal
      Apple is a US based company

      Only in Soviet Russia, passwords contain U.
  • by TheRaven64 (641858) on Tuesday June 03, 2008 @10:14AM (#23637857) Journal
    If you need to:
    1. Be an experienced user familiar with the terminal, and
    2. Read a 250 page PDF
    then I wonder a little about Leopard's security.

    Having skimmed the document, I'm a little bit less sceptical. In a lot of places it explains why the default configuration is secure (e.g. mDNSResponder uses the MAC framework to run in a sandbox, which is why the recent security hole did not apply to Leopard, while it did to Tiger, Windows and Linux). It also told me about a few features I was completely ignorant of, such as the ability to use a smartcard to unlock File Vault images and the keychain rather than a password (would be a bit more useful if Macs included a JavaCard reader). It also covers things like completely disabling WiFi and Bluetooth, which are likely only to be required by people working in the defence industry or suffering from extreme paranoia (but I repeat myself). Sadly, although it mentions the MAC framework, it doesn't give any hints about actually using it.

    It also includes one thing that made me groan slightly:

    Mac OS X v10.5 supports the Mac OS X v10.4 sparse disk image format created using AES-128 encryption.
    In my experience, this only applies to the first boot of a Leopard system. After mounting and unmounting a Tiger File Vault disk image, you will find that it is only mountable in Tiger. I wasted many hours fixing this problem after upgrading.
    • by mikael_j (106439)
      In my experience, this only applies to the first boot of a Leopard system. After mounting and unmounting a Tiger File Vault disk image, you will find that it is only mountable in Tiger. I wasted many hours fixing this problem after upgrading.

      Ah yes, I remembering spending quite some time figuring out how to convert my filevault image from Tiger to a sparse disk image so I could rescue everything from my home dir (without restoring from backups that were a few weeks old), I ended up having to do this throu

  • Better Trojan horse protection. Mac OS X v10.5 marks files that are downloaded to help prevent users from running malicious downloaded applications.

    The main result of this is to train people to click "OK" to security dialogs. I have observed this trend in Windows, over the past decade as a network and system admin, and there were several users who would REPEATEDLY come to me with "I clicked the wrong button again and I think I've got a virus".

    Easier network security. After you've activated the new Mac OS X v10.5 application firewall, it configures itself so you get the benefits of firewall protection without needing to understand the details of network ports and protocols.

    OS X is not Windows: it does not promiscuously open listening ports unless you are serving data. Unless you have installed third party software that opens additional ports, there is nothing the firewall needs to do (and indeed it has been reported that the firewall does not actually restrict access to any standard ports), and there is little point in running it. If you have, then you need to understand network ports and protocols.
    • by 99BottlesOfBeerInMyF (813746) on Tuesday June 03, 2008 @12:34PM (#23639947)

      Better Trojan horse protection. Mac OS X v10.5 marks files that are downloaded to help prevent users from running malicious downloaded applications.
      The main result of this is to train people to click "OK" to security dialogs.

      What you are referring to is often called the "OK/Cancel problem" and is a classic HCI issue to avoid. This is different from Windows though in several ways. First, OS X does not have other, identical dialogue boxes that routinely have to be clicked in order to "make Windows work". This means users are not being conditioned to click "ok" in response to any dialogue box that appears. OS X does not present useless dialogue boxes that only have the OK option to further condition users. Second, the options are not "OK" and "Cancel" like any other such dialogue box, but "Cancel" and "Open". This is better than Windows, but not ideal. Open is an action verb, one of the primary requirements for bypassing this problem. It means even if the user does not read the dialogue box, they still know what the button they are clicking is going to do, it will open something. I'd argue "Run program" would be a better label for the button, but it is not a complete disaster. Third, this option only applies to programs, not data and as such differentiates the two. This box does not appear when you double click a file from the internet the first time; it only appears when you do so with an application, making it much less frequent (less conditioning) and informing users that this is an application and not data, so they can't be tricked into thinking it is just a movie file or a zip file of images. Fourth, on Windows, when the OK/Cancel box appears, people need to choose and may not have all the information they need. On OS X, there is also a button to open the Website from which the application was downloaded, thus giving users the option of easily looking into it and helping to resist the temptation to just run it and see what happens.

      To summarize, OS X does not fall afoul of the OK/Cancel problem to anywhere near the same degree as Windows, but there is room for improvement. Ideally, the user should know what is an application and what is an executable before clicking on it. Ideally, they should be able to run it without a warning and the OS should appropriately sandbox it, by default, so that it can be run safely, even if it is malware. I suspect that is the direction of the future, but we're not there yet. Apple's design seems like a pretty good compromise to me. It's not great and revolutionary, but it is better than, well, anyone else's solution I've seen.

      ...and there is little point in running it.

      With regard to Leopard's new firewall, the idea is layered security. If malware slips onto the machine, the Firewall may still be able to limit the damage it can do. If a worm can't connect to its control channel, it basically does nothing. I'd also note that the new firewall is application based, not port based. That means it can restrict some new game from accessing port 80, while allowing your Web browser to do so. Sadly, it is not used to its full potential, but having it on any running can save your butt. Just be careful to note that the new firewall is not the old firewall and running both can be better yet. There are a lot of ports I don't want to communicate on and even if I don't knowingly run a service on one, does not mean some trojan has not done it for me. The firewall is a way to detect and stop that action.

      • Re: (Score:3, Interesting)

        by argent (18001)
        What you are referring to is often called the "OK/Cancel problem" and is a classic HCI issue to avoid.

        Absolutely not.

        It doesn't matter WHAT the dialogs say. The Windows dialogs I'm talking about do NOT in general actually read "OK", there are a variety of approval buttons in use, most of them completely descriptive of what they are going to do.

        The problem is NOT what the dialogs say. This is not the "OK/Cancel" problem in any way, shape, or form.

        The problem is that unnecessary approval dialogs are being use
        • Re: (Score:3, Informative)

          What you are referring to is often called the "OK/Cancel problem" and is a classic HCI issue to avoid.

          Absolutely not. It doesn't matter WHAT the dialogs say. The Windows dialogs I'm talking about do NOT in general actually read "OK", there are a variety of approval buttons in use, most of them completely descriptive of what they are going to do.

          The problem was named back in the day when that was what pretty much all the dialogues boxes read. It is still used to describe the problem today, even though the button names have changed. The problem is operant conditioning users to reflexively click a given option. What the buttons are named is one aspect of the problem, as buttons that are not action verbs are not descriptive in themselves and those button names are the only part of the dialogue box that are "required reading" for the user to find and

          • by argent (18001)
            The problem was named back in the day when that was what pretty much all the dialogues boxes read. It is still used to describe the problem today, even though the button names have changed. The problem is operant conditioning users to reflexively click a given option.

            It's more complex than that. People aren't pigeons and even pigeons have proven more complex than Skinner thought. It's not a matter of training users to click a specific option. Users will still automatically approve these dialogs even when pr
      • by zn0k (1082797)

        With regard to Leopard's new firewall, the idea is layered security. If malware slips onto the machine, the Firewall may still be able to limit the damage it can do. If a worm can't connect to its control channel, it basically does nothing. I'd also note that the new firewall is application based, not port based. That means it can restrict some new game from accessing port 80, while allowing your Web browser to do so.

        Unless I am very mistaken even after quickly reviewing Apple's documentation, it is indeed an application based firewall (working off signed code, so an alert is triggered if an application's code base changes), but only for incoming connections. Thus, you cannot block any malware from contacting a control server - though you are probably blocking your machine from becoming a control server.

    • by Ilgaz (86384)
      Apple OS X marks the _executable_ files which are downloaded from internet, once only (if they weren't maliciously replaced). I saw MS copied it on XP3 completely wrong. The MS photocopy will make users click happy indeed.

      If user replaces an executable by hand, e.g. new version- drag/drop overwriting old executable, it doesn't ask.

      Also, if Developer is not lazy or doesn't have a philosophical reason to ignore free application signing (Adium/Omniweb has signed binaries), user is never, ever prompted when exe
  • Presentation (Score:4, Insightful)

    by ditoa (952847) on Tuesday June 03, 2008 @12:03PM (#23639467)
    I have not read the document fully yet (obviously, it is 240 pages!) but I have to say Apple do a damn good job in presenting their documents. The first thing I thought when I opened the PDF was how nicely formatted it is. It is a silly little thing but I much prefer a well presented document than just text dumped. Kudos to whoever put it together, I just hope the content is as good as the presentation!
    • Re: (Score:3, Informative)

      The first thing I thought when I opened the PDF was how nicely formatted it is.

      Interestingly, they put it together using Framemaker v 6.0, according to the meta data. That is to say, they're using software from 2000, because none of the current versions run on Mac OS (and that version only runs on OS X using classic on a PPC system). It will be interesting to see what they transition to to retain that high quality of formatting.

  • Framemaker 6 (Score:5, Interesting)

    by 99BottlesOfBeerInMyF (813746) on Tuesday June 03, 2008 @01:29PM (#23640737)

    This is sort of off topic, but the PDF metadata claims it was made using Adobe Framemaker 6.0 and a Macintosh version of Adobe Distiller. That strongly implies this guide to securing the latest and greatest version of OS X, was actually put together and created using a PPC Mac running classic. I wonder what Apple plans to do in this regard going forward, since none of their currently offered systems can run this software and their are really not many alternatives for said niche. Maybe Adobe will face one more Apple product as a competitor in the next year or so, if Apple decides to bring an OS X native program to market as they have in other cases like this.

    • by Maserati (8679)
      Apple has used Framemaker for documentation since time immemorial. There are probably a couple of people with double-digit employee numbers who stashed some of the last machines that ran Framemaker 6.0 and have the pull to keep them up and running. It's not like anyone has produced anything better than that Those people need to get a Pro version of Pages, Volumes maybe. It'd be a small market, but it'd kick in a few more doors for the sales team.
      • by Ilgaz (86384)
        That is professional community of Apple for you. When we say Apple is wrong removing Classic support from Leopard (unless there is major tech. issue) or when they allow completely stupid rumours to spread like removing PPC from next version of OS, they mark people as troll or digg them down etc.

        A professional will run whatever runs best regardless of the year it was produced. You should go to a sound studio to see all those 10.2.8 machines doing insane amounts of audio processing or 10.3.9 Machines used in

Hacking's just another word for nothing left to kludge.

Working...