November 7th with Steve Stanger (Mac Maintenance Sunday)


Mac Maintenance Sunday for Nov 7th, 2007

 

 


-- INTRO:

 

Welcome to the Typical Mac User Live show. My name is Victor Cajiao and I am your host this evening. My regular podcast, the Typical Mac User Podcast, can be found at www.typicalmacuser.com and that show is released weekly on Tuesday nights.

 

If you are listening to the Talkshoe stream and want to be an interactive part of the show, all you have to do is sign up for Talkshoe at www.talkshoe.com (it's free) and get an ID.

 

Then you can call (724) 444-7444.

Talkcast ID: 3097. You will be asked to put in the Talkcast ID, and then the number you chose for your Talkshoe ID.

 

Sponsor spot if there is one:

 

This evening I have a very special co-host, Steve Stanger, who is the host of the Mac Attack Podcast (http://themacattack.us/). Steve is a super knowledgeable veteran Mac user and certified repair person, and tonight we are going to focus on some of the aftermath of Leopard: good, bad and otherwise.

 

TMUP Live - 1/4/2007


Overall topic: Leopard weirdness and misinformation...

 

 

Trojan horse? (I want to mention this first because it's getting some press and there is some misleading info going around.) (Victor - we don't have to spend a lot of time on this.)

 

A little history: the first virus seen spreading in the wild on personal computers, Elk Cloner (1982), was an Apple II program, so Apple machines are not new to this.

 

A malicious Trojan horse called OSX.RSPlug.A is making the rounds on some adult-themed web sites. When Mac users try to view some videos, the site feeds them a page that says QuickTime is unable to play the file unless a special codec is installed first. If the user proceeds, a form of DNS changer is installed that hijacks some web requests sent to eBay, PayPal and some banking web sites, according to a security memo from Intego, a company that sells Internet security software. (Hmmmm, interesting)

 

After the malicious web page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked 'Open “Safe” Files After Downloading' in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch the Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

 

Installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed.

 

This Trojan horse is a form of DNS changer: it changes the Mac's DNS server (the server used to look up the correspondence between domain names and IP addresses for web sites and other Internet services). When this new, malicious DNS server is active, it hijacks some web requests, leading users to phishing web sites (for sites such as eBay, PayPal and some banks), or simply to web pages displaying ads for other pornographic web sites. In the first case, users may think they are on the legitimate site and enter a user name and password, a credit card number or an account number, which is then captured by the attacker.

 

Under Mac OS X 10.4, there is no way to see the changed DNS server in the operating system's GUI. Under Mac OS X 10.5, it can be seen in the Advanced pane of the Network preferences; the added DNS servers are dimmed and cannot be removed manually. On either version the command line shows the resolvers actually in use, whatever the GUI displays: in Terminal, scutil --dns (or cat /etc/resolv.conf) lists them.

 

Note: if you are using a router (or any connection where DNS is assigned by DHCP), the DNS servers are dimmed out too, because they were supplied by the router rather than typed in. Dimmed entries alone don't mean you have the trojan; what matters is whether the addresses listed are ones you, your router or your ISP actually use.

 

The Trojan horse also installs a root crontab entry that runs every minute to make sure its DNS server is still active. Since changing a network location could change the DNS server, this cron job ensures that in such a case the malicious DNS server remains the active server. You can list root's crontab with sudo crontab -l in Terminal; a stock Leopard install has no root crontab at all.
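As an added example (not from the show notes, Intego or macosxhints), here are the two checks above in shell form: one flags resolvers that are not on a list of servers you expect, the other flags root cron entries scheduled every minute. Both read text on stdin, so they can be run against the live output of scutil --dns and sudo crontab -l on a Mac, or, as below, against constructed sample data. The allowlisted router address 192.168.1.1, the TEST-NET address 203.0.113.9 and the cron script path are made up for the demonstration and are not addresses or files tied to this trojan.

```shell
#!/bin/sh
# Added example (not from the show notes or from Intego): offline checks for the
# two side effects the notes describe, an unexpected DNS server and a root cron
# job that runs every minute. The functions read text on stdin so they can be
# run against captured output or, on a Mac, against the live commands. The
# allowlist and the sample data below are constructed.

# Print every nameserver on stdin that is not in the space-separated allowlist
# given as $1. Accepts both /etc/resolv.conf lines ("nameserver 10.0.0.1") and
# `scutil --dns` lines ("nameserver[0] : 10.0.0.1").
flag_unexpected_dns() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /nameserver/ { ip = $NF; if (!(ip in ok)) print ip }
    '
}

# Print crontab lines on stdin whose first five fields are all "*", i.e. jobs
# that run every minute, which is the schedule the trojan uses to re-assert its
# DNS server. Comments and blank lines are ignored.
flag_minute_cron() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*" { print }
    '
}

# Combined verdict: returns 0 when nothing is suspicious, 1 otherwise, and
# prints what was flagged. $1 = allowlist, $2 = DNS text, $3 = crontab text.
audit() {
    dns=$(printf '%s\n' "$2" | flag_unexpected_dns "$1")
    cron=$(printf '%s\n' "$3" | flag_minute_cron)
    [ -z "$dns" ] && [ -z "$cron" ] && return 0
    [ -n "$dns" ]  && printf 'Unexpected DNS server(s): %s\n' "$dns"
    [ -n "$cron" ] && printf 'Every-minute root cron job(s):\n%s\n' "$cron"
    return 1
}

# Constructed sample: the router's own address plus one server the user never
# configured (a TEST-NET address, not a real attacker address), and a root
# crontab with one job that runs every minute.
SAMPLE_DNS='nameserver[0] : 192.168.1.1
nameserver[1] : 203.0.113.9'
SAMPLE_CRON='# root crontab, constructed sample
* * * * * /private/tmp/example_dns_reassert.sh
0 3 * * * /usr/sbin/periodic daily'

if audit "192.168.1.1" "$SAMPLE_DNS" "$SAMPLE_CRON"; then
    echo "nothing suspicious"
fi
```

On a Leopard machine the live equivalents are scutil --dns | flag_unexpected_dns '192.168.1.1' and sudo crontab -l | flag_minute_cron (after sourcing the functions). An every-minute job by itself is not proof of infection, but there is no root crontab on a stock install, so anything flagged deserves a look at the script it runs.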

 

MacOSXhints.com has an article on how to remove this Trojan. I like what the author of this article says __"The only people who should be infected today are those who have broken the number one rule of internet computing: don't download and install programs (especially those that are (a) package installers that (b) request your admin password) from untrusted sources."__

 

Are we becoming a bigger target due to popularity? Is Leopard less secure than Tiger? (No it's not.) But improvements will be made to the way Leopard does security.

 

My point to all of this: the human being (us, the end users) is still the final line of defense under OS X. In this case you are asked for your admin password before installing anything, unlike what happens on Windows, where a trojan gets installed and you're not sure what's going on.

 

Intego's Security Memo - (http://www.intego.com/news/ism0705.asp)

macosxhints.com trojan removal - (http://www.macosxhints.com/article.php?story=20071031114140862&query=trojan)


 


Leopard weirdness....

 

 

A movie director's quote that I feel also pertains to OS releases (I don't remember who said this):

 

"Movies aren't finished, they are abandoned" what this means is a director would keep tweaking a movie to the point that it would never see the light of day (never be released). I feel that maybe that is the case with Apple and even Microsoft - at some point you have to release a new OS, then release patches, fixes and updates. Look at how many system and security updates Tiger had.

 

*Leopard firewall weirdness.

 

The default firewall setting after installing Leopard is "Allow all incoming connections", and even if you had set up Tiger's firewall previously, it is now off in Leopard. In Apple's attempt to make the Leopard built-in firewall easier to use and configure I think they took away a lot of the functionality. Not that Tiger's firewall was anything to write home about; it was very limited. The three-selection approach really limits things....

 

Suggest Little Snitch for monitoring and controlling outgoing net traffic, which Leopard's firewall does not look at (it filters incoming connections only)....

http://www.obdev.at/products/littlesnitch/index.html

 

No port range or IP-based filtering, no rules. Leopard's firewall is application based: it decides per application or service whether incoming connections to it are accepted, so when you allow an application, the firewall lets in connections to whatever ports that application listens on, instead of you opening ports or address ranges yourself.

 

IPFW, the command-line configurable firewall, is still there as part of the Unix underpinnings of Leopard (WaterRoof is a free/open source IPFW front end: http://www.hanynet.com/waterroof/index.html). It is a separate layer from the application firewall in the preferences: both are active at the same time, and a packet has to get past both.

 

If you feel you need a stronger firewall and you know something about firewalls and setting up rules and filtering, give WaterRoof a look. I would advise people who don't know firewall configuration really well to steer clear, because a misconfigured set of rules can really mess up your computer.
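For the "know something about rules" crowd, here is an added example of what ipfw can express and Leopard's preference pane cannot: a small stateful rule set with per-port and per-network rules. It is not WaterRoof's output or anything from the show notes; the LAN range 192.168.1.0/24 and the choice of services (SSH on 22, Apple File Sharing on 548) are assumptions for the demonstration. The script prints the rules by default and only loads them when you explicitly set LIVE=1, and the first rule it emits is the loopback allow that a bad rule set most often forgets, which is the "mess up your computer" case above.

```shell
#!/bin/sh
# Added example, not from the show notes or from WaterRoof: a small stateful
# ipfw rule set of the kind Leopard's three-choice firewall cannot express
# (port- and address-based rules). Written as a dry run: the rules are printed
# by default and only loaded when LIVE=1 is set and the ipfw binary exists.
# The LAN range is an assumption; adjust it for your network.

LAN=${LAN:-192.168.1.0/24}

# Emit the rule set in the file syntax `ipfw <file>` reads (one rule per line,
# without the leading "ipfw"). Rules are evaluated in number order and the
# first match wins, so the order below is the policy.
ipfw_rules() {
    cat <<EOF
# Loopback must always pass; blocking it is the classic self-inflicted breakage.
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# Let replies to connections this Mac opened back in, via the dynamic rule table.
add 400 check-state
add 500 allow tcp from me to any out setup keep-state
add 510 allow udp from me to any 53,123 out keep-state
# ICMP: echo reply, unreachable, echo request, time exceeded (ping, traceroute).
add 600 allow icmp from any to any icmptypes 0,3,8,11
# Inbound services restricted by source network and port, not by application.
add 700 allow tcp from ${LAN} to me 22 in setup keep-state
add 710 allow tcp from ${LAN} to me 548 in setup keep-state
# Everything else coming in is dropped and logged (the built-in rule 65535 allows).
add 65000 deny log ip from any to any in
EOF
}

# Flush the old rule set and load this one, but only when explicitly asked.
apply_ipfw_rules() {
    if [ "${LIVE:-0}" != "1" ]; then
        echo "dry run (set LIVE=1 to load):"
        ipfw_rules
        return 0
    fi
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    tmp=$(mktemp) || return 1
    ipfw_rules > "$tmp"
    sudo ipfw -q flush && sudo ipfw -q "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Number of rules in the set, as a quick sanity check after editing.
ipfw_rule_count() {
    ipfw_rules | grep -c '^add '
}

apply_ipfw_rules
```

Rules loaded this way do not survive a reboot; persistence is the part a front end like WaterRoof handles for you. The log keyword only produces output once the sysctl net.inet.ip.fw.verbose is set to 1. And because ipfw and the application firewall are independent layers, a port opened here can still be refused by the preference pane setting, and vice versa.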

 

__I still strongly recommend a hardware firewall which you will find in all routers.__

 

A lot of what we are seeing in Leopard are still .1 or even .0 release type things. Is the new built-in, under-the-hood security that Apple promoted not as secure as it could be? Is this true? Is this something that we should be alarmed about? Some security experts feel that the security steps Apple has taken are in the right direction but at this point not enough and not perfect. Not a huge issue: Leopard isn't broken, and you, your computer and your data are not in danger. Apple can (and will) roll out security updates just like they did under Tiger.

 

 

Maintenance software NOT updated so far (i.e. Onyx, MainMenu, Cocktail and more)

 

*Repairing permissions problem in Disk Utility.... Many people are seeing a 5 or 10 minute delay (or longer) before seeing any kind of feedback from Disk Utility.

 

They then see one or both of these errors:

 

Warning: SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired. (ARD - Apple Remote Desktop)

 

ACL errors (ACL stands for access control list: a list of permissions attached to an object. The list specifies who or what is allowed to access the object and what operations are allowed to be performed on it.)

http://en.wikipedia.org/wiki/Access_control_list

 

You are not alone in seeing these errors. This is something that Apple has to fix. It doesn't appear that anything on the computer is "broken". Even if you are seeing this, permissions are being repaired if need be.

 

DO NOT USE MacPilot to "repair" or wipe ACL data! Wiping ACL data removes a security feature Apple has set up in Leopard. You can confirm the ACL is still in place with ls -led /Applications /Library in Terminal: a protected folder shows a "+" at the end of its mode string, followed by the entry "0: group:everyone deny delete".

 

The message "ACL found, but not expected" does *not* indicate an error. It just says that additional security settings have been established for the Applications and Library folders. Those settings are intended by Apple and they make sure that users accessing the system volume via the file sharing feature of Leopard cannot intentionally or unintentionally remove components from those folders. When you remove those ACLs, you are destroying this security feature.

 

(from xlr8yourmac.com)
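As an added check (not from the show notes or from xlr8yourmac), the following verifies that the Leopard ACL described above is still on a folder and re-adds it with chmod +a if a maintenance utility removed it. The parsing function takes ls -led output on stdin so it can be exercised on the constructed sample below; on a real Leopard system it is fed the live command, as ensure_leopard_acl does.

```shell
#!/bin/sh
# Added example, not from the show notes or from xlr8yourmac: verify that the
# Leopard "deny delete" ACL on a folder is still present, and put it back if a
# maintenance tool stripped it. check_leopard_acl() parses `ls -led` output on
# stdin so it can be tested on captured text; the samples below are constructed.

ACL_ENTRY="group:everyone deny delete"

# Read `ls -led <folder>` output on stdin. Return 0 when the folder carries the
# Leopard ACL (its mode string ends in "+" and an ACL line contains $ACL_ENTRY),
# 1 when it does not.
check_leopard_acl() {
    awk -v want="$ACL_ENTRY" '
        NR == 1 { plus = (substr($1, length($1)) == "+") }
        NR > 1 && index($0, want) { found = 1 }
        END { exit (plus && found) ? 0 : 1 }
    '
}

# Re-add the ACL. chmod +a is Mac OS X syntax (10.4 and later), so refuse to
# run it anywhere else.
restore_leopard_acl() {
    folder=$1
    case $(uname -s) in
        Darwin) sudo chmod +a "$ACL_ENTRY" "$folder" ;;
        *) echo "chmod +a is Mac OS X only; nothing done for $folder" >&2; return 1 ;;
    esac
}

# Live check of one folder, restoring the ACL when it is gone.
ensure_leopard_acl() {
    if ls -led "$1" | check_leopard_acl; then
        echo "$1: ACL present"
    else
        echo "$1: ACL missing, restoring"
        restore_leopard_acl "$1"
    fi
}

# Constructed sample output, in the shape Leopard prints for a protected folder
# and for one whose ACLs were wiped.
PROTECTED='drwxrwxr-x+ 52 root  admin  1768 Nov  1 09:12 /Applications
 0: group:everyone deny delete'
WIPED='drwxrwxr-x  52 root  admin  1768 Nov  1 09:12 /Applications'

printf '%s\n' "$PROTECTED" | check_leopard_acl && echo "sample 1: ACL present"
printf '%s\n' "$WIPED" | check_leopard_acl || echo "sample 2: ACL missing"
```

On Leopard, ensure_leopard_acl /Applications and ensure_leopard_acl /Library are the live calls; run them after any "repair" utility has been at the system volume.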

 

*Time Machine: After using it for a week, very nice, and I'm starting to feel comfortable recommending it as a backup routine for home or casual users. Power users and pros are still going to want to back up using SuperDuper! (not Leopard ready yet), ChronoSync (works with Leopard), or even Apple's Backup or any number of other backup programs that give you more control over backing up your data.

 

Time Machine preferences, "Do not back up" list __(very important)__: add drives or folders to the list of what not to back up. (Review what Victor said on his Wednesday show.)

 

*Placing (or replacing) plain folders in the dock (Booo stacks). From MacOSXhints.com

 

To place a folder in the Dock without turning it into a Stack, you just have to create an alias of the folder or drive, place it somewhere in the Finder and then drag the alias to the right side of the Dock. The alias will behave like a folder, not a Stack: you will be able to single-click it to open a Finder window, but you will not get the hierarchical menu like you did back in the Tiger days...

 


SHOW ENDING:

 

 

Well, I want to thank Steve Stanger from the Mac Attack Podcast (http://themacattack.us/) for being with us tonight. You definitely want to subscribe to his podcast and listen to each episode, and some of the past ones. I sure do.

 

The Typical Mac User Podcast can be found at www.typicalmacuser.com and that show is released weekly on Tuesday nights. This show will be released in my stream late tonight. If you haven't subscribed to that show yet, head over to the web site at www.typicalmacuser.com and hit the one-button iTunes subscription.

 

For now this is your host Victor Cajiao saying, enjoy the rest of your Sunday.

 
