Security issues reign supreme this week, with Glenn Fleishman outlining security flaws in AppleShare and Adam looking at how Panther’s FileVault feature works – and how it should work. Glenn also passes on news of an offline Wi-Fi hotspot locator, and Jeff Carlson reveals more iChat AV tips. In the news, Eminem sues Apple, we give away copies of Interarchy in DealBITS, and Salling Clicker 2.1 and Now Up-to-Date & Contact 4.5.2 are released.
Eminem Rips, Mixes, and Burns Apple — Rap superstar Eminem has filed a copyright infringement lawsuit in U.S. District Court in Detroit against Apple Computer, also naming Viacom subsidiary MTV and advertising agency TBWA/Chiat/Day as plaintiffs. The suit alleges Apple used Eminem’s Oscar-winning hit "Lose Yourself" in an iPod advertisement without permission; the spot was shown on MTV networks in 2003 and was available via Apple’s Web site. Eminem has scrupulously avoided national endorsement deals, and claims that a fee possibly in excess of $10 million would be required if he were to pursue such an arrangement. Although the lawsuit does not specify damage claims, it notes that Eminem (whose real name is Marshall Bruce Mathers III and who is suing via his publishing company Eight Mile Style) would be entitled to "exemplary damages" because of the high status the song has achieved in popular culture. [GD]
Salling Clicker 2.1 Adds Symbian Support — Salling Software has released Salling Clicker 2.1, adding support for Bluetooth-enabled smart phones that run the Symbian operating system (see "Salling Clicker in Action" in TidBITS-694). Salling Clicker 2.1 is now compatible with the Sony Ericsson P800 and P900, Nokia 3650, 6600, and N-Gage, and the Siemens SX1. On some models, the new version of the remote-control software displays iTunes album artwork on the phone’s screen for the currently playing song; pen-based phones can control the cursor on your Mac. With version 2.1, Salling has also rolled in support for Bluetooth-enabled Palm OS devices (which were previously served by a separate version of Salling Clicker). The update is a 4.2 MB download, requires Mac OS X 10.2.8 or later, and is free for existing customers; a new license costs $20. [JLC]
Rendezvous with Now Up-to-Date & Contact 4.5.2 — Many fans of Now Software’s Now Up-to-Date & Contact stick with it because of its capability to host calendars and contact information on shared network servers. This feature gets a boost in version 4.5.2 with its support of Rendezvous (also known as Zero Configuration Networking) for more easily connecting devices on a network. The update also adds support for Apple’s new Xserve G5, and includes stability enhancements. Now Up-to-Date & Contact 4.5.2 requires Mac OS X 10.2 or later, and is a 17.6 MB download. [JLC]
FTP, or File Transfer Protocol, is an easy-to-understand Internet service, but providing a good interface and helpful add-ons has meant that a good FTP program is disproportionately more powerful than you’d expect. That’s certainly true of Interarchy, one of the longest-standing Internet programs still around (only Fetch, the granddaddy of Macintosh FTP clients, has been around longer). Interarchy does basic FTP, several forms of secure FTP, and HTTP, and for all of them it offers a variety of scheduling, repeating, and mirroring options. But Interarchy goes well beyond file transfer with its network monitoring capabilities, which turn it into an invaluable part of any network administrator’s toolkit. User reviews of Interarchy 7.0 have been stellar, with a number of people on TidBITS Talk raving about the upgrade. Be sure to check it out for yourself.
Computer safety firm SecurityFocus has discovered a highly specific but important flaw in Apple’s use of encrypted connections for AppleShare, as well as flaws in the way passwords are managed and encryption keys are confirmed. For certain users, these flaws may require that they bypass some of Apple’s built-in security and encryption options in favor of more robust or less convenient methods. Apple has not yet responded to the report.
AppleShare via SSH — When you connect to an AppleShare server (running Personal File Sharing or a Mac OS X Server) you can choose to connect via SSH (Secure Shell), which encrypts the password, all file transfers, and other data between your machine and the AppleShare server. This connection requires that Remote Login has been enabled on the AppleShare server.
The SSH option, first supported correctly in Mac OS X 10.3.2, creates an encrypted link between a Mac initiating an AppleShare file server connection and a Mac server running Mac OS X 10.3 or Mac OS X Server 10.3. The AppleShare client on the initiating Mac connects via the Remote Login service, which is Apple’s name for SSH. To enable or disable Remote Login, open the Sharing preference pane and click the Services tab.
The SSH option for AppleShare is only available when connecting to an AppleShare volume. Using Connect to Server in the Finder, select a volume or enter a host name or other address. When you click Connect, the login window offers an Options button. Click Options and check the Allow Secure Connections using SSH option. You can set this option as a default. (To learn more about AppleShare file sharing under Panther, you can consult my book, "Take Control of Sharing Files in Panther.")
Four Thousand Holes in Blackburn AppleShare — The primary flaw in AppleShare’s use of SSH is simple: if a secure connection via SSH cannot be made to the AppleShare server, the connection is still made without the encrypted tunnel – and without warning. This means that if you were expecting to send your password and file transfers through an encrypted connection, you would be sending this information in the clear without knowing it.
The SecurityFocus item was written by Chris Adams, a developer at the Salk Institute, who also noted a number of serious problems with Apple’s approach to encrypting passwords in AppleShare. Some of these flaws require a cryptographer’s understanding, but that doesn’t lessen the concerns of academic institutions and others who rely on AppleShare for encrypted passwords or encrypted connections.
In most SSH systems, an SSH client is prompted on its first connection to an SSH server to confirm the server’s identity. This is performed through fingerprinting: the client software shows a short sequence of numbers that uniquely prove the server’s identity. An astute user checks that fingerprint against one provided for them by a server’s operator or server software "out of band": by phone, graphically on the server’s screen, by fax, or some other method that’s not over the same connection. At the very least, if the fingerprint ever changes, the user is alerted that the server might have had its identity spoofed.
Adams points out that Apple uses a lax method of SSH key exchanges for AppleShare sessions that avoids this complexity, but also makes it possible for a man-in-the-middle attack, so called because a network attacker could install server software on the network that would masquerade as the AppleShare server a user wanted to connect to. Because the user doesn’t confirm the identity of the server at the fingerprint level – and Apple doesn’t provide a facility for this in AppleShare – the man in the middle can act like the server to the client and the client to the server, effectively harvesting user names, passwords in the clear, and other data, while transparently relaying information between AppleShare clients and the real server to hide its own existence.
Adams suggests that Apple provide warnings when an SSH connection is not available to allow a user to opt out of accidentally creating an insecure connection. He also suggests that Apple provide a graphical interface for SSH messages that would allow a user to accept and associate encryption keys with known AppleShare servers. This would prevent a man in the middle from successfully fooling an AppleShare client into thinking that it was the server itself.
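The two changes Adams asks for, a transport choice that fails closed instead of silently dropping to plaintext, and host-key pinning that a user confirms against an out-of-band fingerprint, sketched in Python as an added example (not Apple’s code and not from the SecurityFocus report). The key blobs, host name and transport labels are constructed for illustration; the two fingerprint formats are the ones OpenSSH prints.

```python
"""Fail-closed transport selection and host-key pinning for a file-sharing
client that can tunnel over SSH. Added illustration; the key blobs used in
the tests are constructed bytes, not keys from any real server."""
import base64
import hashlib
from dataclasses import dataclass, field


class InsecureFallbackError(Exception):
    """SSH was requested but unavailable, and plaintext fallback is forbidden."""


class HostKeyMismatchError(Exception):
    """The server presented a key that differs from the one pinned for it."""


def fingerprint_md5(key_blob: bytes) -> str:
    """Classic OpenSSH fingerprint: 16 colon-separated hex byte pairs."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(key_blob: bytes) -> str:
    """Newer OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from an 'ssh-rsa AAAA... comment' style line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return base64.b64decode(parts[1])


@dataclass
class HostKeyStore:
    """Pinned fingerprint per host: the job a known_hosts file does for ssh."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, key_blob: bytes,
              trust_on_first_use: bool = False) -> str:
        """Return 'match', 'first-use' or 'unverified'; raise on a changed key.

        'unverified' means the client has no pin and the user has not yet
        confirmed the fingerprint out of band; nothing is recorded until they do.
        """
        presented = fingerprint_sha256(key_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            if not trust_on_first_use:
                return "unverified"
            self.pins[host] = presented
            return "first-use"
        if pinned != presented:
            # A changed key is exactly the signal that a relay may sit between
            # client and server; the client must stop, not silently continue.
            raise HostKeyMismatchError(
                f"{host}: pinned {pinned} but server presented {presented}")
        return "match"


def choose_transport(ssh_available: bool, fail_closed: bool) -> str:
    """Pick the transport. fail_closed=False reproduces the flaw described
    above: when the tunnel cannot be set up, fall back to plaintext AFP."""
    if ssh_available:
        return "afp-over-ssh"
    if fail_closed:
        raise InsecureFallbackError(
            "SSH tunnel unavailable; refusing to send credentials in the clear")
    return "afp-plaintext"
```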
Apple could follow PGP Corporation’s lead in allowing server encryption key fingerprinting while avoiding the complexity of working with hexadecimal digits (the way such keys appear). PGP’s software for encrypting messages and virtual disks lets you confirm another user’s PGP key by assigning unique words to each hexadecimal number from 0 to 255. My fingerprint for my PGP key, for instance, starts "soybean drunken stormy uncut Oakland," very much like Beat poetry.
Until Apple chooses a new approach for making its SSH connections actually secure, those of you who use it need to consider three options: make strong efforts to ensure your network’s integrity, switch to virtual private network (VPN) software (well handled in Mac OS X 10.3 and Server 10.3), or create individual SSH tunnels. None of these solutions is ideal, since they take more effort than just checking a box in the current system.
Need to find a place to connect to the Internet wirelessly, but you’re not currently online? Now you don’t need to let this Catch-22 leave your laptop digitally dry-docked: JiWire, a site devoted to Wi-Fi hotspot listings and how-to articles, has just released a free offline locator of public hotspot locations. The JiWire Hotspot Locator works under Mac OS X 10.3, Linux (Red Hat 9), and Windows XP, Me, and 2000. (Full disclosure: I’m a senior editor at JiWire. I also link to them and they to me at my independent Wi-Fi Networking News site.)
The locator lets you search all 28,000 worldwide locations in JiWire’s directory by city, state, country, connection type, provider, or Zip code (or any combination of those factors). You can also check a box to restrict the search to only free hotspots, an increasingly popular phenomenon across the United States. The locator includes a step-by-step guide to connecting to a Wi-Fi network for each platform, helpful for those new to public hotspots.
If you’re using the locator while connected to the Internet, you can click a link on each search result to see JiWire’s contextual maps, which also display other nearby hotspots. An update feature checks for new hotspots and software updates each time you run the locator.
Use of the JiWire directory is free, but it may display advertising alongside listings in the future, as well as coupons for special offers. The software does require registering for a free My JiWire account on the company’s site.
This is one of the first times I can recall that a Wi-Fi-related product was available for Mac and Windows (not to mention Linux) simultaneously. Boingo Wireless’s Windows-only software for finding and connecting to free and commercial locations is still expected to appear on the Mac, but no date has been set.
A couple of weeks ago, I shared some tips from my new book, iChat AV 2 for Mac OS X: Visual QuickStart Guide. You’d think that a small, simple application such as iChat would be pretty flat, but in fact Apple’s engineers have tucked in a number of details that are hard to find, or just plain clever. They also made it easy for third-party developers to create add-on utilities that make iChat more useful and fun. Here are some more tips from the book, and a spotlight on a few utilities I use.
Two Audio/Video Tips — Once you’ve established an audio chat, you can minimize the chat window into the Dock to get the window out of the way; click the yellow Minimize button, or press Command-M. This works for video chats too, which is especially good when you’ve initiated a one-way video chat because you only see the video image of yourself (and talking to an image of yourself is just weird).
Also, does the audio coming out of the built-in speakers of your PowerBook G4 or iBook sound tinny or flat? This is by design: to reduce audio feedback from the internal microphone, the sound from audio and video chats comes out of the left speaker only, and in mono. Connect a set of speakers or headphones to improve the quality (though it’s still mono).
Camcorder as Webcam — Although Apple would prefer that you bought an iSight video camera, you can use a FireWire-connected camcorder as your video and audio source – iChat should recognize it automatically. If your camcorder keeps shutting itself off after a few minutes (due to built-in power conservation features), simply remove the tape.
Find Transferred Files on Your Mac — I mentioned last time how you can use iChat AV to send files between people, but I didn’t point out that after a file arrives, the program helpfully displays the file in the Finder. However, iChat offers a similar courtesy for files that you sent off. After you’ve sent a file to someone, if you need to locate it again (perhaps you closed the Finder window it was in), click the link in iChat that was created when you sent the file. A new Finder window appears with the file highlighted.
iChatStatus — You can choose a status message that appears beneath your name in other people’s Buddy Lists, such as "Available" or "Away". You can also create your own messages ("Here, but busy" or "Caffeinated!"). But iChatStatus takes the concept one musical step further. With the iChatStatus preference pane installed, the status message displays whichever song and artist is currently playing in iTunes. You can share your musical tastes with everyone who includes you in their Buddy List. (Not two minutes after I installed iChatStatus on my Mac, an editor friend of mine sent an instant message saying, "Crowded House is my favorite band!")
The iTunes connection is the default action, but it’s not the only possibility. Using AppleScript scripts that come with the utility, you can choose to display a range of information such as the local temperature, your current front-most application, your Mac’s free memory, the current Web page in your favorite browser, the number of unread email messages in Apple’s Mail application, and more. There are even controls for what data appears before or after the automatic message text (such as a musical note, or anything you choose; to display the local temperature, I created a Prefix of "Seattle:" so that my message reads, "Seattle: 47° F").
iChatStatus is free (though donations are accepted by the author), requires iChat and Mac OS X 10.2 or later, and is a 228K download.
iChatter — Looking to relive the scenes in the movie WarGames when the computer program spoke to Matthew Broderick? Install iChatter to have your outgoing and incoming text read aloud using Mac OS X’s text-to-speech voices. If your buddy also has iChatter installed, it honors the voices you’ve both chosen. The developers have also cleverly substituted phrases for smileys, such as "hee hee" for the basic smile, and "winkie winkie" for the winking smile. Sending a URL to someone isn’t as clean, because iChatter spells out the entire thing ("h-t-t-p-colon-slash-slash…"). If you want to put a voice to your text, this is the way to go. iChatter requires the freeware Application Enhancer to run, costs $8 shareware, and is a 1.1 MB download.
Logorrhea — iChat can automatically save transcripts of your text chats – choose this option in the Messages pane of iChat’s preferences to enable the feature. However, what you get is a folder full of .chat files, one for every chat and named according to the participant, date, and time ("Adam C. Engst on 2004-02-16 at 13.56.chat" for example). Double-clicking a file opens it in iChat with iChat’s balloons, icons, and formatting, but what if you’re looking for something specific?
Download and install Logorrhea (a term that means "pathologically excessive talking"), a fantastic stand-alone application for viewing and, more important, searching within those .chat files. I’ve used Logorrhea numerous times when I needed to find a phone number or other information that someone gave me via iChat instead of email. It’s freeware (but donations are accepted), and a 130K download.
We’ve been uniformly negative about FileVault, the new security feature that Apple added to Mac OS X 10.3 Panther, but that doesn’t mean we dislike the idea of protecting sensitive data. The problem is that Apple chose an overly simplistic approach that may be easy to use and understand but ends up making users more vulnerable to other problems.
FileVault Basics — Conceptually, FileVault is easy to understand, since it makes use of a variety of existing Mac OS X technologies. When you turn on FileVault, Mac OS X creates a special type of disk image and stores your entire Home folder inside. The disk image is unusual in two ways: it’s encrypted with AES 128-bit encryption and it’s a "sparse image," which means that it takes up only as much space on disk as the data it contains. During setup, copying all your data to the encrypted disk image can take some time: with the 6.6 GB Home folder on my 12-inch PowerBook G4, it took 73 minutes to set up.
By the way, pay attention to FileVault’s dire warnings about remembering your password. Apart from the master password you can set up when turning on FileVault, there are no back doors into FileVault, so you’re out of luck if you don’t have a backup. (This is of course a good thing: a security feature with a back door is worthless.)
Once FileVault is set up and working, you should notice it in only two ways. First, if you like to log in automatically, FileVault turns that setting off (which makes sense from a security point of view), although you can turn automatic login back on. Second, for some applications, particularly on slower Macs, disk-related activities may be slower.
Should your Mac be stolen, the miscreant won’t be able to access anything in your FileVault-protected Home folder, assuming, of course, that your account wasn’t logged in when the computer was stolen and that your password was sufficiently secret and difficult to guess. It’s worth noting that when you’re logged in and can access your data, it’s also accessible to anyone who could learn your username and password and break into your computer remotely, or to hypothetical malicious or just poorly written programs.
There is one caveat to FileVault’s security: it doesn’t securely erase the original files that it adds to its encrypted disk image, so take this into account if you’re worried about a thief using a disk editor to recover deleted data from a stolen Mac.
FileVault Problems — Although FileVault sounds good in theory, it suffers from some serious design flaws. The most serious is that it’s an all-or-nothing protection of your Home folder, and only your Home folder. Of course, your Home folder is where all your data is (at least for most people), but just because data is in your Home folder doesn’t mean you need to protect it from prying eyes. And more to the point, there’s usually no need to waste disk space, CPU power, and time (entering passwords) protecting the very largest pieces of data: movies, music, and photos.
For instance, my Home folder is nearly 40 GB in size. Of that, my Movies folder contains about 2.4 GB, my Pictures folder holds 13.4 GB, and another folder stores 7.7 GB of Web logs. My Music folder has only 1.3 GB of files in it, but if I stored my iTunes Music folder on my Mac rather than on a server, that would be another 17.7 GB of data. So right off the bat, 24.8 GB of the 40 GB of data in my Home folder needs no protection at all. But there’s no way to tell FileVault to ignore all those folders.
Putting unnecessary data into FileVault has three negative implications. First, there’s added overhead in dealing with files that don’t need to be encrypted. Maybe the performance hit is noticeable in a given situation, maybe not, but there’s no reason to waste CPU cycles encrypting and decrypting files that aren’t sensitive. Second, and this is the real reason I don’t use FileVault, a disk image is a single file, and if your hard drive suffers physical or logical damage to the sectors that contain the FileVault disk image, you could lose the entire thing. No one should be surprised by that fact – it’s no different than losing any other file when a disk becomes corrupt. But there is a huge difference between losing a single file and losing every piece of your user data. Third, let’s say that you try FileVault and decide you don’t want to continue using it, so you turn it off. FileVault must then copy all your data out of the disk image and back to your Home folder, deleting the disk image file when it’s done. If your Home folder is too large, you must delete some files to free up enough disk space for both copies.
Put bluntly, you know those warnings about putting all your eggs in one basket? FileVault is that basket.
Along with the flaw of being too broad in the scope of what it protects, FileVault also increases your risk of data loss from unrelated events. Because FileVault stores your data in a disk image, it needs to write data to the image gracefully on logout. In the event that you should experience a kernel panic, system freeze, filesystem-corrupting bug, or even a power outage, the chance of losing data increases with FileVault. That’s because the encryption layer adds complexity to recovering from improperly closed files, as does the fact that the FileVault disk image is itself a file that could be corrupted. Although Mac OS X is usually quite stable, in the real world, it can still crash in ugly ways at times.
In fact, while I was testing FileVault on my PowerBook for this article, I installed some updates via Software Update and when prompted, rebooted. FileVault told me my Home folder was using more space than necessary and said it could recover the extra space. But before I could click a button, the Mac kernel panicked. I restarted, and it came back up fine, but it continued to kernel panic on every reboot. Needless to say, I turned off FileVault, which took another 28 minutes.
Even when Mac OS X remains stable, power outages can cause data loss. Not everyone has a laptop (which would switch to battery instantly in the event of a power failure) or an uninterruptible power supply (UPS), though I personally consider a UPS essential equipment. Over the years I’ve amassed a UPS collection that lets me protect every desktop Mac we own, along with our TiVo.
Lastly, as much as I hope it’s clear that using FileVault increases the need for a solid backup strategy, FileVault itself makes backing up a little more difficult. Backup applications must have access to the encrypted files, which means you must be logged in during the backup. For personal backup applications, that’s probably a good assumption, but it’s less true when backing up networked Macs via Retrospect Client, which can happen when no user is logged in. In situations like that, Retrospect can’t access the files and won’t back them up; at least Retrospect 6.0 knows to ignore the FileVault sparse image files by default, since backing them up would be a huge waste of backup media. Having multiple users with FileVault turned on also complicates matters, since only logged-in users can have their files backed up.
For Serious Security — Although I don’t doubt the security of the encrypted disk image that FileVault uses, I don’t think that people with truly sensitive data should rely on FileVault, for the simple reason that it lacks the paranoid mindset that’s necessary for the highest levels of security. That’s why the PGPdisk feature in PGP 8.0, which also offers encrypted disk images for storing sensitive data, is a better solution in such cases. Some of the added security features in PGPdisk include:
The option to re-encrypt all the data on a PGP disk, enabling you to change your underlying encryption key (if you believe it has been compromised) or to switch to a different encryption algorithm.
An inactivity timer that can automatically dismount PGPdisks after your Mac has been idle for some amount of time. The inactivity timer lessens the likelihood that someone could steal a computer and be able to access a mounted PGPdisk.
Support for multiple users, such that multiple people can have their own passphrases for the same PGPdisk. Although using additional passphrases conceivably increases the vulnerability of the PGPdisk, it’s probably better than having a single passphrase traded around.
The capability to change the passphrases easily.
Protection of the passphrase in RAM by erasing it immediately after use (the passphrase is actually turned into a key), preventing passphrases from being written to disk due to virtual memory swapping, and protection against the derived key staying in RAM long enough to build up a static charge that can apparently be read by equipment owned by major governments.
In short, if you need the utmost in security, you should use PGP over FileVault.
Rethinking FileVault — Despite this condemnation of how Apple chose to implement FileVault and the concern that it’s not spook-level security, I think the idea of FileVault is an excellent one, so I offer this simple suggestion of how it could be improved.
Instead of making FileVault an all-or-nothing deal that takes over the user’s Home folder, let it apply to any given folder. You could Control- or right-click a folder and choose Protect with FileVault. Not knowing exactly what happens behind the scenes, I don’t know if it would make more sense to have a single FileVault sparse image file to which each protected folder would be added or if creating a new sparse image file for each protected folder would be easier. The latter approach might allow different passwords, which could be useful in certain situations where you protect some folders with a simple password that you don’t mind if your colleagues or family members know (but which a thief wouldn’t) and other folders with a totally private password that only you know and could enter when you accessed the associated folder.
Allowing users to specify exactly which folders should be protected by FileVault not only eliminates or reduces the severity of most of the problems outlined previously, it gives users necessary flexibility. For instance, as much as the Pictures and Movies folders probably don’t contain anything particularly sensitive for most people, I’m sure there are plenty of people with photo or movie collections that they’d prefer stayed private. Others may wish to protect only a Quicken data folder, or data related to sensitive work projects.
The real question I have is just how hard making this change actually is. Could a savvy independent developer use FileVault’s underlying technologies and provide the top-level interface via a simple contextual menu plug-in? After all, you can use Disk Utility to create encrypted sparse image files, and it’s trivial to add disk images to the Startup Items list so they are mounted automatically at login, after which an alias or symbolic link to the encrypted version could replace the original folder. It sounds good in theory, and since you can perform all the necessary actions manually today, it would seem a relatively easy task to wrap into a contextual menu command. If anyone implements my idea, be sure to let me know, and in the meantime, I’d encourage anyone who has been frustrated by FileVault to create and use encrypted sparse images for your sensitive data.
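The manual procedure just described (create an encrypted sparse image, mount it, move a folder onto it, leave a symlink behind) wrapped into functions as an added example; this is not Apple’s code or anything from the article. The image path, volume name and the Quicken folder are placeholders; hdiutil exists only on macOS, so the command builders return argument lists and the demo exercises only the folder swap, on constructed files in a temporary directory.

```python
"""Per-folder encrypted sparse image as a FileVault alternative: hdiutil
command builders plus a folder-to-symlink swap. Added illustration."""
import shutil
import subprocess
import tempfile
from pathlib import Path


def create_image_cmd(image: str, size: str, volname: str) -> list:
    """hdiutil invocation for a sparse, AES-128 encrypted, journaled image.
    -stdinpass reads the passphrase from stdin so it is not visible in ps."""
    return ["hdiutil", "create", "-size", size, "-encryption", "AES-128",
            "-type", "SPARSE", "-fs", "HFS+J", "-volname", volname,
            "-stdinpass", image]


def attach_image_cmd(image: str) -> list:
    """Mount the image; putting this in a login item mounts it at login."""
    return ["hdiutil", "attach", "-stdinpass", image]


def run_with_passphrase(cmd: list, passphrase: str) -> int:
    """Execute one of the commands above, feeding the passphrase on stdin."""
    return subprocess.run(cmd, input=passphrase.encode(), check=True).returncode


def swap_folder(src, dst) -> Path:
    """Move the contents of `src` (a real folder in Home) into `dst` on the
    mounted encrypted volume, then replace `src` with a symlink to `dst`.

    Refuses if `src` is already a symlink (the swap was done before) or if
    the volume's mount point is missing, so a missed mount cannot leave the
    data being written to the unencrypted disk. As with FileVault's own
    conversion, the plaintext left in freed blocks is not securely erased.
    """
    s, d = Path(src), Path(dst)
    if s.is_symlink():
        raise RuntimeError(f"{s} is already a symlink; refusing to swap twice")
    if not s.is_dir():
        raise RuntimeError(f"{s} is not a directory")
    if not d.parent.is_dir():
        raise RuntimeError(f"{d.parent} missing; is the encrypted volume mounted?")
    d.mkdir(exist_ok=True)
    for entry in s.iterdir():          # iterdir includes dotfiles
        shutil.move(str(entry), str(d / entry.name))
    s.rmdir()
    s.symlink_to(d)
    return d


def demo() -> dict:
    """Constructed sample: a fake Home containing a Quicken folder and a fake
    mounted volume, both under a temporary directory. Returns what happened."""
    root = Path(tempfile.mkdtemp())
    home, vol = root / "home", root / "Volumes" / "Vault"
    (home / "Quicken").mkdir(parents=True)
    vol.mkdir(parents=True)
    (home / "Quicken" / "ledger.qdf").write_text("constructed sample data")
    (home / "Quicken" / ".prefs").write_text("constructed dotfile")
    swap_folder(home / "Quicken", vol / "Quicken")
    result = {
        "is_symlink": (home / "Quicken").is_symlink(),
        "moved": sorted(p.name for p in (vol / "Quicken").iterdir()),
        "readable_via_link": (home / "Quicken" / "ledger.qdf").read_text(),
    }
    try:                                # second swap must be refused
        swap_folder(home / "Quicken", vol / "Quicken")
        result["refused_repeat"] = False
    except RuntimeError:
        result["refused_repeat"] = True
    try:                                # unmounted volume must be refused
        (home / "Other").mkdir()
        swap_folder(home / "Other", root / "Volumes" / "Missing" / "Other")
        result["refused_unmounted"] = False
    except RuntimeError:
        result["refused_unmounted"] = True
    shutil.rmtree(root)
    return result
```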
FTP in the Finder — Apple’s built-in FTP client still doesn’t seem to be fully implemented, leading to a discussion of other FTP software. (27 messages)
Synchronization Software? What’s the best way to synchronize your data among multiple Macs? (9 messages)
Thoth Software Closes Down — The maker of a popular Usenet newsreader is shuttered, but the act sparks a discussion of other newsreader software. (17 messages)
System level databases — Many Apple programs, such as Address Book, hint at the value of working with system-level databases that are shared by many applications. Readers debate how a more comprehensive relational database, versus the existing filesystem, would work. (6 messages)