Thursday, December 20, 2007

Mac OS X Open Source and Security

Previously I blogged about my regularly used Open Source applications on the Mac. Today I am dealing with some applications that deal with security on the Mac. In my career I wear two hats, one of Open Source advocate/developer/consultant and then also a security consultant hat.
I also have a keen interest in keeping my Mac secure when using it from day to day - thus the tools I am about to discuss deal with "personal" security (local firewall for example) as well as "network" security.

Let's get started.

  1. MacGPG (http://macgpg.sourceforge.net/)
    • The Free Software implementation of PGP. I specifically use the GPGMail plug-in for Apple Mail.app to allow me to send and receive encrypted email as well as sign emails and verify email signatures.
  2. sshfs (http://code.google.com/p/macfuse/)
    • A FUSE pluggable filesystem for the Mac that allows it to mount drives on other Unix or Linux hosts using ssh. This might not be a specific security related app but it does allow for extra security when sharing across a network - the links are encrypted and safe from snooping.
  3. Waterroof (http://www.hanynet.com/waterroof/)
    • A personal firewall manager that exposes the underlying, powerful, ipfw firewall of Mac OS X. There were a couple of scares with the Leopard firewall's default behavior when it first shipped and it led me to look for more information on the topic. Waterroof allows a user to truly fine-tune the firewall. A handy wizard also allows novice users to set up a very secure default policy.
  4. MacPorts Apps (http://www.macports.org/)
    • Some applications are best served using MacPorts. To install the following apps, download and install MacPorts and then issue: "sudo port install appname"
    1. nmap (http://insecure.org/nmap/)
      • nmap is the de-facto standard when it comes to port scanning. You can use nmap to learn a lot about hosts, networks and services.
    2. wireshark (http://www.wireshark.org/)
      • wireshark is a packet sniffer with a lot of advanced capabilities. Packet captures can be analyzed to a great level of detail. It also produces traffic flow and usage reports on the traffic that it captures. If you need to find out what is going on on your network you need Wireshark.
That's it for this installment. There are many more apps within MacPorts that I'm not covering here, as well as some legendary apps like KisMac. I will try to blog again soon about some more Mac OS X Open Source goodness. As always comments are welcome and if you know of any other great OSS security analysis tools on the Mac please let me know.

Wednesday, December 19, 2007

Mac OS X Open Source Roundup

As we approach the end of the year, here is a list of really useful Open Source utilities and applications that I use regularly on my Mac.
I run Mac OS X 10.5 (Leopard), but most of the applications should work on Tiger (10.4) as well.

  1. Freemind (http://freemind.sourceforge.net/)
    • Indispensable mind-mapping application written in Java. I have been using Freemind for years on Linux, Windows and of course now on the Mac as well. Truly useful with some real advanced functions and scripting capabilities.
  2. Vienna (http://www.opencommunity.co.uk/vienna2.php)
    • An Open Source RSS feed reader. Vienna is a part of my daily routine in which I track a couple of hundred feeds. Once you get to know it you will love it even more - some clever keyboard shortcuts really create a lot of efficiency.
  3. Firefox (http://www.mozilla.com/en-US/firefox/)
    • Firefox is the standard web browser for millions of Windows, Linux and Mac users out there. I prefer Firefox as opposed to Camino on the Mac as I really depend on some plug-ins for my daily security and privacy needs (I'll blog more about this again soon).
  4. Adium (http://www.adiumx.com/)
    • Due to its massive multi-protocol nature (supports over 10 different IM providers) Adium was a no-brainer when it came to Instant Messaging on the Mac. I have never tried iChat or any alternatives mostly as Adium did such a stellar job out of the box. Growl integration makes it even more powerful - I like the ability to do specific actions when certain contacts come online. It also offers the ability to "bundle" accounts from multiple networks into one account for those contacts who like myself are on various networks.
  5. Colloquy (http://colloquy.info/)
    • The gents behind Adium also recommend Colloquy for IRC (internet relay chat). My usage of IRC varies depending on project and job focus but I have started to learn the nuances of the program and have grown to love it. I'm not crazy about its default behavior but after a little bit of tweaking it really turned out to be a powerful tool.
  6. Quicksilver (http://www.blacktree.com/projects/quicksilver.html)
    • What can one say about Quicksilver? It has changed the way I interact with my computer and probably would be one of the functions I can't live without. The ability to "act without doing" as the developers call it creates the most amazing productivity gains. I am not a Quicksilver ninja yet but the limited ways that I use it in have made life so much easier... Thinking of an app? Three keystrokes and you're there.
There's still a plethora of other applications that I use on a less regular basis. I will blog about Open Source security software for the Mac in the next installment.

Wednesday, November 28, 2007

How to FLOSS

In my never ending quest to discover good up-to-date resources about Open Source Software I stumbled across the following.

"This guide (developed in the context of the FLOSSMETRICS and OpenTTT projects) present a set of guidelines and suggestions for the adoption of open source software within SMEs, using a ladder model that will guide companies from the initial selection and adoption of FLOSS within the IT infrastructure up to the creation of suitable business models based on open source software."
The guide seems to be pretty comprehensive and could serve as a valuable resource for persons wanting to familiarise themselves with FLOSS.

The guide can be found at http://guide.conecta.it/.

Tuesday, November 20, 2007

WEP?? Leopard Internet Sharing Woes

I anxiously awaited Leopard in the hope that Internet Sharing would support WPA. I have a really hard time understanding why Leopard supports Internet Sharing through WEP. Aircrack-ng and other tools can crack WEP in under a minute - it just does not make sense.

Perhaps the Lazyweb can recommend a solution whereby I can do WPA through third party support? From what I understand WPA has the same performance impact as WEP (when not using AES) - but it probably is a case of the Hardware only supporting the old standard...

My recommendation? If you truly need to do Internet Sharing do it through the Ethernet port (using a crossover cable) or enable WEP only for a short while and change the password every time you use it.

Friday, November 16, 2007

Leopard Firewall - OS X 10.5.1 relief

I'm glad to report that this morning after updating to Mac OS 10.5.1 the firewall seems to be working as advertised. They dropped the "Block all incoming" moniker and replaced it with "Allow only essential services", which I selected.

Also, I enabled "Stealth Mode" under Advanced.


I then ran some tests from another host to verify that the firewall was up and it seemed to be performing as advertised. I'm pretty interested to see what the "Essential" services are - perhaps I will do some digging soon.

Just for completeness, run the following tests from another host on the network:
$ ping hostname
(Should return no replies if stealth is on)
$ nmap hostname
(Should also not return with any open ports)

I disabled my firewall temporarily to scan for some open ports and then tested connections to those ports using telnet after re-enabling the firewall. All results were also positive.

I'm very pleased that this issue has been resolved.

Thursday, November 08, 2007

Leopard Firewall Woes

I have been using Mac OS X Leopard for the last few weeks and the article on Heise Security caught my attention. I use a 3G connection to the internet quite often and have to assume that a NAT firewall won't always be available.

I did some of my own tests and as far as I could tell setting the firewall to "Block All Incoming Connections" just does not seem to work.

The output of "sudo ipfw list" does not seem to change when switching between "Allow All" and "Block All"...

Here is what I recommend for now:
- Download WaterRoof ipfw at: http://www.hanynet.com/waterroof/ (it's OSS).
- Run through the Wizard, just clicking next is the equivalent of "Block All"
- If you want "Stealth", go to "Static Rules" and add a rule to block all ICMP from "Any" to "Me".
- Make these changes permanent through: Tools -> Startup Script -> Install Startup Script.

To test if your setup is any good head over to Shields Up! Steve Gibson's excellent resource and run some tests to check that your firewall is actually working as planned. Shields Up! can be found at: http://www.grc.com/.

Please note that this test is most effective if you are directly connected to the internet. If you cannot connect directly, rather Google for nmap and run some tests on your LAN. I used nmap to run some tests against the firewall to confirm the results - consider just trying to ping your machine from another host at least.

For reference here are my rules, running "sudo ipfw list" from the terminal should give you similar results.

$ sudo ipfw list
00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00130 deny ip from 224.0.0.0/3 to any in
00140 deny tcp from any to 224.0.0.0/3 in
01000 allow tcp from any to any out
01000 allow tcp from any to any established
01100 deny icmp from any to me
65534 deny tcp from any to any
65535 allow ip from any to any
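
To see which rule decides a given packet under the listing above, here is an added example (not part of the original post) that replays those rules through a small first-match evaluator covering only the ipfw syntax they use. The host address 192.0.2.10, the peer 198.51.100.7, the interface names and the probe packets are constructed assumptions.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

# Ruleset copied from the `sudo ipfw list` output above.
RULES = """\
00100 allow ip from any to any via lo*
00110 deny ip from 127.0.0.0/8 to any in
00120 deny ip from any to 127.0.0.0/8 in
00130 deny ip from 224.0.0.0/3 to any in
00140 deny tcp from any to 224.0.0.0/3 in
01000 allow tcp from any to any out
01000 allow tcp from any to any established
01100 deny icmp from any to me
65534 deny tcp from any to any
65535 allow ip from any to any
"""
HOST = "192.0.2.10"    # assumption: this machine's address (documentation range)
PEER = "198.51.100.7"  # assumption: another host (documentation range)
ME = {HOST}            # addresses that the keyword "me" stands for

@dataclass
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str = "in"  # "in" or "out"
    iface: str = "en0"
    flags: tuple = ()      # TCP flags, e.g. ("syn", "ack")

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":       # any address configured on this host
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(body, pkt):
    # body: ACTION PROTO from SRC to DST [via IFACE] [in|out] [established]
    proto, src, dst, opts = body[1], body[3], body[5], list(body[6:])
    if proto != "ip" and proto != pkt.proto:  # "ip" matches every protocol
        return False
    if not (addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst)):
        return False
    while opts:
        opt = opts.pop(0)
        if opt == "via":
            ok = fnmatch.fnmatch(pkt.iface, opts.pop(0))
        elif opt in ("in", "out"):
            ok = pkt.direction == opt
        elif opt == "established":  # stateless: TCP with ACK or RST set
            ok = bool(set(pkt.flags) & {"ack", "rst"})
        else:
            raise ValueError(f"unsupported option: {opt}")
        if not ok:
            return False
    return True

def evaluate(pkt, rules=RULES):
    """Return (rule number, action) of the first rule that matches pkt."""
    for line in rules.splitlines():
        number, *body = line.split()
        if rule_matches(body, pkt):
            return number, body[0]
    raise LookupError("no rule matched")

# Constructed probe packets, one per behaviour worth checking.
PROBES = {
    "loopback traffic": Packet("udp", "127.0.0.1", "127.0.0.1", iface="lo0"),
    "spoofed 127/8 source on en0": Packet("tcp", "127.0.0.1", HOST),
    "outbound TCP SYN": Packet("tcp", HOST, PEER, "out", flags=("syn",)),
    "reply to our connection": Packet("tcp", PEER, HOST, flags=("syn", "ack")),
    "inbound TCP SYN": Packet("tcp", PEER, HOST, flags=("syn",)),
    "inbound ICMP echo": Packet("icmp", PEER, HOST),
    "inbound UDP": Packet("udp", PEER, HOST),
}

if __name__ == "__main__":
    for label, pkt in PROBES.items():
        print(f"{label:28} -> {evaluate(pkt)}")
```

Under these rules inbound TCP connection attempts and ICMP to the host are denied, while inbound UDP matches no deny rule and falls through to the final allow at 65535.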

And remember: "Friends do not let friends get Owned" - Pauldotcom Security Weekly

Thursday, August 23, 2007

Spot on

Matt Asay quoting Michael Tiemann on Microsoft and the OSI.
Going Open Source is the _best_ thing Microsoft could do.

...

Tuesday, August 07, 2007

Switch!!

As of last Thursday I am a Mac OS X user - and I love it!

The latest Macs are the only platforms you can run all 3 of the major OS flavors on (my biggest reason for switching). I am running VMware Fusion (for Windows/Unity) as well as Boot Camp. My Ubuntu install is relegated to a virtual machine for now, but the hardware will run it just fine natively. Contrary to my expectations, I am really at home in OS X - the switch was quick and it's complete.

Monday, July 30, 2007

Thanks, but no thanks

I have been tracking Calendar Swamp for a while now and ran across a comment this morning that according to Paul Thurrott the local calendar is dead.

In a way I agree, but essentially, as it stands today, I have an issue with Google (for example) owning my calendar. I fully agree that having my calendar confined to my PC is a pain, and really not very useful to me. I see the solution as having an alternative, if possible, and hosting my _own_ calendar online (on infrastructure that I own and on software that I control). I would love to say "Thanks, but no thanks" to all these targeted ads and hosted services. As far as planning my own life is concerned and hosting my email I would like to have full control.

Luckily there are positive developments in this direction.

1) Web Contracts (at least in some parts of the world) cannot be changed without notice. I like the idea that Google could not potentially change its terms of service or privacy policy behind my back.

2) Jimmy Wales (from Wikipedia fame) has kicked off Grub. I see this as a really exciting development. How wonderful would it be to get high-quality search results without someone tracking your search habits, storing your private information and targeting ads at you all the time? Go Jimmy!

3) Open Source Groupware is maturing very nicely. The Kolab and Horde projects are converging slowly but surely and I hope to host all my calendar and email services, that I currently "outsource", myself soon. My email and calendar - hands off.

Friday, July 27, 2007

7 Actions to browse the Internet a little safer

My 2 cents worth regarding a safer browsing experience, I am ordering these from easy-to-do to really-paranoid and hard to set up.

1) Use Firefox
(http://www.mozilla.com/en-US/firefox/)
2) Disable "Remember passwords for sites" in
Edit -> Preferences -> Security
3) Clear your private data when you close Firefox
(Edit -> Preferences -> Privacy -> Private Data. I clear all private data on logout without Firefox prompting for permission.)
4) Disable JavaScript
(https://addons.mozilla.org/en-US/firefox/addon/722)
5) Use strong passwords
(https://addons.mozilla.org/en-US/firefox/addon/469)
6) Browse inside a Browser Appliance
(http://www.vmware.com/vmtn/appliances/directory/browserapp.html)
7) Browse using a LiveCD
(http://www.ubuntu.com/getubuntu)

The Internet has Crashed!

This is excellent!

Wednesday, July 18, 2007

The Semantic Desktop

Oh wow...

Watch out, here comes KDE4!
http://nepomuk.semanticdesktop.org/xwiki/bin/view/Main1/Participants

http://www.internetnews.com/dev-news/article.php/3688606

This is quite frankly mind-boggling, amazing, exciting stuff :-)
I love it when a good plan comes together!

Wednesday, July 11, 2007

First step towards the Semantic Web

It seems that the ideas reflected by Havoc Pennington and other GNOME developers in the GNOME Online Desktop echo some of the concepts put forward by Sir Tim Berners-Lee with his Semantic Web.

Very interesting...

I also have the desire, more and more every day, that my data should integrate. I'm tired of synchronization issues, multiple calendars and task lists, and the fact that items "don't match up". Standardization is definitely driving the ability to have a Semantic Web forward...

The challenge that we will then face is security and privacy. I for one would not want my personal calendar and tasks to be seen by everyone or synchronized with software or hardware that I do not fully control or own. Even though I would find it incredibly useful to see my work calendar on my personal phone (for planning purposes) that should not imply entitlement by my employer to have access to the rest of my data.

Tuesday, July 10, 2007

Did Enterprise Linux slow Linux adoption?

I have been fondly thinking of the "good old days" of Red Hat 9 recently. It seemed so clear back in the day that if you wanted to run any kind of server (or proprietary server software) that you could just run it on Red Hat 9. Everyone seemed to be using Red Hat. Debian was extremely popular, but if you just wanted to get going and run something Red Hat 9 seemed to be the obvious choice.

Red Hat Enterprise Linux and Suse Linux Enterprise just never could obtain the same kind of ubiquitous/de facto status as those early distributions had. All of a sudden sysadmins had to scramble to find new solutions or pay up. A lot of uncertainty ensued for vendors and for customers. The reasoning behind the change was sound but it left a big gap, which Debian and more so Ubuntu gladly filled. I know that Fedora and more recently OpenSUSE are strong, robust alternatives, but it just doesn't fit the bill as old Red Hat 9 did.

Could it be that had Red Hat just opened their development process to leverage the community more (the Ubuntu model) the world would've been a different place? I think now that things are really starting to take off the opportunity for revenue through services and support is really taking off for Ubuntu (and Canonical for that matter).

It is hard to tell how things would've been different, but I cannot seem to shake the feeling that if the latest server offering from Red Hat was still as free and ubiquitous as good old Red Hat 9 the world would've been a very different place by now.

Monday, July 02, 2007

Wednesday, May 09, 2007

ImpiLinux 7.05 arrives

It's official, ImpiLinux 7.05 is here (http://www.impilinux.co.za/).

It's not a massive departure from the brilliant Ubuntu 7.04 but it has more of a business focus. We included Beagle, Kontact (as opposed to Evolution), Seahorse and Authtool by default.

Good news regarding patent laws

This is not brand new news, but I just re-read the article and it dawned on me that it is very good news for non-US countries - especially the EU - when it comes to software patents.

http://news.bbc.co.uk/1/hi/business/6608863.stm

The US supreme court ruled that US software patents do not apply to countries outside the US, a short quote from the article:

"The presumption that United States law governs domestically but does not rule the world applies with particular force in patent law," said Justice Ruth Bader Ginsburg.

This ruling makes it imperative that countries which are still able to resist software patents do so as long as possible. US software developers frustrated by the patent mine-field created by the US patent system can also distribute their software outside of the US without fear of retribution.


Thursday, April 19, 2007

A sneak peek at ImpiLinux 7.05

For the last couple of months our team has been hard at work to get our new desktop ready. This desktop is derived from Ubuntu 7.04 and represents more of an "Ubuntu for business" kind of experience.

But before I get ahead of myself, here are some screen shots, expect more to come as we run up to our official public release in May 2007... we're just still busy adding the finishing touches...

The usplash screen (progress bar during bootup) as it is so far...


The GDM session screen (initial user logon) as it looks so far...


The default desktop...

Sunday, April 15, 2007

Compiz and Ubuntu Feisty Fawn (ATI X1400 + fglrx + compiz)

After a long struggle I have finally managed to create an easily reproducible method of starting Compiz with ATI X1400 and restricted drivers on Ubuntu 7.04 (Feisty Fawn). Feisty aims to support Compiz via AIGLX (as far as I could tell), the best way to get it running though is through Xgl.

First thing you will need to do is get the fglrx driver from ATI. The best way to enable this is:

1. Enable ATI accelerated graphics driver

System -> Administration -> Restricted Driver Manager

It is recommended that you restart your computer after you "select enable".

2. Grab the following listing and put it in a file called xgl.desktop
[Desktop Entry]
Encoding=UTF-8
Name=Xgl
Comment=Start an Xgl Session
Exec=/usr/local/bin/startxgl
Icon=
Type=Application
3. sudo cp xgl.desktop /usr/share/xsessions/

4. Grab the following listing and put it in a file called startcompiz
#!/bin/bash
#
# Start compiz within gnome-session (requires a running Xgl server)
#
if [ "$(ps -A -o comm | grep -c '^Xgl$')" -eq 1 ]; then
    # Xgl runs on display :1 (see startxgl)
    DISPLAY=:1 gnome-settings-daemon &
    DISPLAY=:1 compiz --replace
else
    echo "${0}: Error: compiz not launched. Xgl not running?" >&2
fi

5. sudo cp startcompiz /usr/local/bin/

5a. sudo chmod a+x /usr/local/bin/startcompiz

6. Grab the following listing and put it in a file called startxgl
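#!/bin/sh
# Start a full-screen Xgl server on display :1.
# Note: -ac disables host-based access control on that display,
# so any client that can reach it may connect.
Xgl -fullscreen :1 -ac -br -accel glx:pbuffer -accel xv:pbuffer &
sleep 4
export DISPLAY=:1
exec gnome-session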

7. sudo cp startxgl /usr/local/bin/

7a. sudo chmod a+x /usr/local/bin/startxgl

8. sudo apt-get install xserver-xgl

9. System -> Preferences -> Sessions -> New


- Name : Compiz
- Command: startcompiz


10. You will need to Log Out, then login using the Session : Xgl

You should now have compiz :-)

11. sudo apt-get install gnome-compiz-manager

You will find this program under System -> Preferences -> GL Desktop; use it to fine-tune compiz.

Tuesday, April 03, 2007

Funnier things have happened

So this morning I walk out of the house to find my Honda S2000 on bricks - all 4 wheels gone... I've had better days...


Tuesday, March 27, 2007

Take my money but leave my Podcasts!

For the last couple of weeks I have been struggling with getting Podcasts to work properly on my Ubuntu desktop. I evaluated a lot of different software packages (a lot of them with varying support of iTunes features) but still resolved to running iTunes on Windows XP as a VMware guest operating system... painful.

This process was very error prone to say the least. VMware would not detect my iPod if the guest was already running, forcing me to reboot the Guest OS whenever I wanted to sync iTunes with the iPod. Ubuntu/dbus/usb kept on grabbing the iPod and mounting it whenever a sync was finished in iTunes (it automatically unmounts the iPod - music on the run). I had to resort to blacklisting "automount" for the iPod in fstab.

Being a FLOSS developer I resolved to investigate how to improve iPod support in Banshee. I quite enjoy Banshee and it supports basic iPod syncing pretty well - fine if you're just listening to music. The features I wanted to add:

  1. Support for the Podcast menu on the iPod (I hate having to browse through music/albums/artists to find my podcasts)
  2. Proper ordering of the podcast (sorted according to date, newest at the top)
  3. Read/Unread status (show me which ones I have not listened to please :-) )
Enter gPodder...

After searching a little bit for some sort of format specification I stumbled across a Free Software Magazine article in which the author mentions: gPodder


gPodder is a PyGTK application which supports all the critical features I mentioned above and does a great job of syncing the latest and greatest Podcasts to my iPod. A real life saver. gPodder even behaves well with Banshee - you can sync music from Banshee and add your Podcasts using gPodder.

Of course I also have the advantage of working for Impi Linux which meant that Francis (one of our distribution guys) could give me the luxury of just typing:

sudo apt-get install gpodder

Now I'm just waiting for my favorite shows to update so that I can enjoy my ride home listening to my favorite podcast programs. Joy!!

Monday, March 26, 2007

Ubuntu and the Enterprise Directory

One of the Google Summer of Code projects for Ubuntu is "LDAP Out-of-the-box" (https://wiki.ubuntu.com/GoogleSoC2007) - something that we are busy addressing within Impi Linux at the moment.

After a cursory investigation I have come to believe that unfortunately not much has changed in the last 4 years regarding Linux and something like an Enterprise Directory.

What do I mean by an Enterprise Directory?
- A product like Microsoft Active Directory (http://en.wikipedia.org/wiki/Active_directory) and Novell eDirectory (http://en.wikipedia.org/wiki/Novell_eDirectory) built from FLOSS

The challenges?
- Just as far as Kerberos is concerned here is a preview...
  1. Currently neither Heimdal nor MIT Kerberos can be found in the stable Dapper repositories (only in Universe).
  2. A sane default configuration has to be developed and packaged for easy installation.
  3. Bootstrap processes need to be developed to get the system up and running.
  4. Clients have to be recompiled/patched/fixed to support SSO via Kerberos
  5. The client OS has to be "kerberized" (pam support for kerberos logon, changing of passwords, password policies...)
Then there's LDAP, Samba, Cups, DNS, etc, etc.

No wonder the state has not changed much in the last 4 years...

Wednesday, March 21, 2007

The shoulders of giants

I've been in the privileged position over the last 2 months to see the company that I work for go from strength to strength. The company is of course Impi Linux (http://www.impilinux.co.za) and the majority shareholder is Mark Shuttleworth. The idea behind Impi is to create derivatives of Ubuntu (http://www.ubuntu.com) for business and government.

Ubuntu is a fantastic Linux distribution, do yourself a favor and try the latest preview of the upcoming version 7.04 (Feisty Fawn). It is truly terrific and it's getting rave reviews already (http://www.osnews.com/story.php/17505/Ubuntu-Feisty-Fawn-Desktop-Linux-Matured). Feisty Fawn demonstrates what the potential of a mature Linux distribution is.

Ubuntu aims primarily at the desktop and its audience is a global one. This means that although the offering is very mature and has most if not all of the features that a user would need, it does not cater out-of-the-box for the enterprise. That is where Impi comes in.

With Impi Linux we have the advantage and privilege of standing on the shoulders of giants, we take the solid base that Ubuntu offers us and we add what our customers require to deploy it in the business environment. To give you an idea of what this means, these are the features that we focus our attention on:
  1. Single-Sign On (Kerberos, Password Management)
  2. Directory Enabled clients and servers (based on Ubuntu 6.06 LTS Server)
  3. Groupware (based on Kolab/http://www.kolab.org)
And much, much more...

When a business looks at Impi they get the advantage of a great product, due to its Ubuntu heritage, but they also get those features that are critical to their day to day operation and productivity.

From high up here it sure looks promising for the Linux desktop and server.

Monday, February 26, 2007

This one is quite Feisty

The past couple of days I have been evaluating the upcoming version of Ubuntu code-named Feisty Fawn. Feisty seems to be set for greatness. A couple of points of interest:

  1. It "just works" - although I am evaluating Herd 4 I am experiencing very few issues with the system - a very good omen for the final release.
  2. It's fast. Feisty feels extremely responsive in comparison to previous versions - my colleagues have also said the same.
  3. Everything I need is available.
    1. Setting up my ATI screen driver was a breeze
    2. Beagle desktop search was but an "apt-get" away
    3. Bluetooth is available and shows a lot of promise (more on this later)
    4. My laptop suspends/hibernates/resumes without a hitch

Watch this space for more feedback as it becomes available.

Friday, January 19, 2007

Hello 2007

Another year, another attempt at blogging. 2006 was a really good year for me and 2007 promises to be even better. So what is up for 2007 and what can you expect to see in here if you follow my blog:
  1. Hello Impi Linux - From 1 February 2007 I will be employed at Impi Linux, Ubuntu for Africa.
  2. My move to Impi will mean one can expect a distinctive FLOSS slant to my blog and blog postings.
  3. Enterprise and FLOSS - as a part of my responsibilities at Impi Linux I will be helping the company ready Ubuntu for the enterprise - expect some interesting tips/tools/tricks.
So stay tuned for more content.