</div>
<div class="tbf_row">
<!-- begin centercolumn -->
<div id="centercolumn">
<!-- begin rightcolumn_container -->
<div id="rightcolumn_container">
<!-- begin rightcolumn -->
<!-- rightcolumn is embedded within centercolumn so featured text wraps around it -->
</div><!-- end tearoffbox_wide_container for watchlist items -->
<!-- begin tearoff box wide -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tip_display">
<div class="tips_sponsor_logo">
</div>
<h6>Syslogd Overwhelming Your Computer?</h6>
<p>If your Leopard (Mac OS X 10.5) system is unexpectedly sluggish, logging might be the culprit. Run Activity Monitor (in the Applications/Utilities/ folder), and click the CPU column twice to sort it from most to least activity. If syslogd is at the top of the list, read on. Syslogd tracks informational messages produced by software and writes them to asl.db, a file in your Unix /var/log/ directory. It's a known problem that syslogd can run amok, and the fix is to delete the asl.db file.</p>
<p>Launch Terminal (from the same Utilities folder), and enter these commands exactly as written, entering your administrative password when prompted:</p>
<p>sudo launchctl stop com.apple.syslogd</p>
<p>sudo rm /var/log/asl.db</p>
<p>sudo launchctl start com.apple.syslogd</p>
<p>Your system should settle down to normal. For more information, follow the link.</p>
<p>Visit <a href="http://smartic.us/2007/11/8/leopard-100-cpu-usage-caused-by-syslogd-and-possibly-time-machine">Discussion of syslogd problem at Smarticus</a></p>
</div>
<div class="tearoffbox_wide_bottom_tips">
<div style="padding-bottom:35px"><div class="tip_display" style="float:left"><p><br><a href="/tipbits/71">Link to this tip</a></p></div><div class="tip_display" style="float:right; width:150px">
<div class="featured_meta"><div class="meta_article">22 Oct 2001 | <a href="/article/6602?print_version=1">Print <span class="shift_up"><img src="/images/printer_icon.gif" alt="Printer-Friendly Version of This Article" border="0" width="9" height="10"></span></a></div></div>
<div id="article_box_5218"><P>Mac OS X 10.1's significant improvements in performance and usability may have plenty of people considering a switch from the reliable workhorse of Mac OS 9, but it seems clear we can never go home again with regard to the issue of security. A number of security issues, most with Mac OS X's Unix underpinnings, have surfaced since the operating system's initial release, and although the Mac OS X 10.1 release offered fixes for a number of concerns that had arisen, three more cropped up almost immediately. One affected Internet Explorer 5.1, another dogs WebDAV and iDisk, and a third enables any application to run with root privileges. Apple reacted more quickly than in the past, publishing a workaround for the Internet Explorer problem within days and offering fixes for the Internet Explorer and root access problems on 19-Oct-01, less than three weeks after Mac OS X 10.1 shipped.</P><P>That's good, but other aspects of Apple's approach to addressing security issues remain problematic. After an initial quiet period following the release of Mac OS X 10.0 during which many (including TidBITS) called for Apple to make public statements about security breaches, Apple finally created a security announcement mailing list and a set of related Web pages, one of which lists security updates to Mac OS X. Unfortunately, the mailing list has been used only once since it was created in May of 2001, and then only to tell subscribers to visit the Security Updates page. Worse, that page has not yet been updated to explain the 19-Oct-01 fixes. 
Even if it's not completely up to date, it's worth visiting that page periodically to see at least those security concerns Apple has acknowledged and addressed.</P><P><<A HREF="http://www.apple.com/support/security/">http://www.apple.com/support/security/</A>><BR><<A HREF="http://www.apple.com/support/security/security_updates.html">http://www.apple.com/support/security/security_updates.html</A>></P><P>Let's look at the three recent issues, including the concern with WebDAV and iDisk, which remains outstanding.</P><P><STRONG>Mac OS X Easily Rooted</STRONG> -- Although we generally think of crackers taking over machines remotely over the Internet, local exploits are becoming a concern to some users given Mac OS X's Unix underpinnings and multi-user capabilities. In previous versions of the Mac OS, anyone who could sit down at a Mac unprotected by third-party software (or in Mac OS 9, Apple's built-in file encryption) could access any data on the Mac. The old Multiple Users feature was helpful for keeping kids from messing up a Mac, but wouldn't stop anyone who wanted to break through. With Mac OS X, though, there's more of an assumption of security, so it was troubling to discover that there was a trivially easy way to gain root access for anyone at the desktop, even if you've never enabled root access. All you had to do was launch certain applications that always run as root (like NetInfo Manager, Disk Utility, or Print Center), then launch another application from the Apple menu's Recent Items menu (or from anywhere in the Apple menu). Apple fixed this problem with Security Update 10-19-01, available via the Software Update preferences panel. (To check, choose About this Mac from the Apple menu, then click "Version 10.1". If "Version 10.1" is replaced with "Build 5L14", you have the fix.) 
You may still find it interesting to read Stepwise.com's explanation of how this breach worked.</P><P><<A HREF="http://www.stepwise.com/Articles/Admin/2001-10-15.01.html">http://www.stepwise.com/Articles/Admin/2001-10-15.01.html</A>></P><P>Why was this a concern? From the Unix perspective, root access is a big deal, since it gives someone complete control over the machine despite any previous restrictions. But from the perspective of a normal Mac owner, who likely has only a single user and has that user set to log in at startup, this security hole wasn't a major concern. I'm far less worried about someone gaining root on my iBook locally than stealing it, which seems a lot more likely given the need to have physical access to the machine. To be fair, the discovery of this exploit also points out the need to be careful with remote control programs like Netopia's Timbuktu Pro and the various VNC servers and clients.</P><P><<A HREF="http://www.netopia.com/software/products/tb2/mac/">http://www.netopia.com/software/products/tb2/mac/</A>><BR><<A HREF="http://www.osxvnc.com/">http://www.osxvnc.com/</A>><BR><<A HREF="http://www.webthing.net/vncthing/">http://www.webthing.net/vncthing/</A>></P><P>For an additional bit of perspective, remember that anyone can reboot a Mac OS X system using a Mac OS installation CD or a copy of Mac OS 9 installed on the hard disk. Afterwards, this person has full control of the system, since Mac OS 9 doesn't recognize or honor Mac OS X file permissions on local disks. Apple is working on securing Open Firmware to close these holes, but Open Firmware restrictions can still be bypassed by resetting Open Firmware or transplanting the disk to another computer. 
As a result, this local root exploit is best thought of as a reminder that anyone with physical access to a machine effectively has full control over it, despite any <EM>software</EM> security short of an encrypted filesystem.</P><P><STRONG>Internet Explorer 5.1 Automatic Execution</STRONG> -- By default, Microsoft Internet Explorer 5.1 is set to decode MacBinary and BinHex files automatically during download. Nothing new here, and that's not a security concern. But for some reason under Mac OS X 10.1, Internet Explorer 5.1 automatically launched at least some applications that were encoded in MacBinary or BinHex without being compressed by StuffIt as well. With normal applications, that wouldn't be a problem, but if someone posted a Trojan horse - a malicious application that masqueraded as something benign - damage could result. It's not entirely clear what types of applications (Classic, Carbon, Cocoa, etc.) would be automatically launched or why, but it's moot now that Apple has released Internet Explorer 5.1.3 via the Software Update preferences panel. If you aren't able to update right away for some reason, the problem is easy to work around. In the Download Options pane of Internet Explorer's Preferences window, turn off "Automatically decode MacBinary files" and "Automatically decode BinHex files." Changing these settings has no functional liability; all it does is cause Internet Explorer to hand off decoding tasks to StuffIt Expander rather than performing them internally.</P><P><<A HREF="http://db.tidbits.com/getbits.acgi?tlkthrd=1490">http://db.tidbits.com/getbits.acgi?tlkthrd=1490</A>><BR><<A HREF="http://docs.info.apple.com/article.html?artnum=106503">http://docs.info.apple.com/article.html?artnum=106503</A>></P><P><STRONG>iDisk via WebDAV Exposes Passwords</STRONG> -- In Mac OS X 10.1, Apple modified the Finder so it accesses your iDisk via WebDAV rather than the older Apple Filing Protocol (AFP). 
Unfortunately, as Alan Oppenheimer of Open Door Networks has pointed out, Mac OS X's WebDAV implementation sends your password as unencrypted text across the Internet. This is a violation of the WebDAV specification and basic security principles. Someone who could monitor your Internet connections could discover your password and use it to access your iDisk and mac.com email account (and since many people reuse the same password many times, other services could be compromised as well). AFP remains secure, but to use it you must access your iDisk by choosing Connect to Server from the Go menu and then typing "afp://idisk.mac.com" (after which you can make an alias to the iDisk or add it to your Favorites for easier future access). FTP also sends passwords as unencrypted text, so your level of concern here should match your level of concern over exposing passwords via FTP. If you must use FTP or iDisk via WebDAV, common sense would dictate not reusing passwords used for those services with more sensitive services. As an alternative for FTP, try Interarchy 5.0.1 or RBrowser, both of which can use SSH encryption (built into Mac OS X 10.0.4 and later) for secure connections.</P><P><<A HREF="http://www.opendoor.com/macosxalert.html">http://www.opendoor.com/macosxalert.html</A>><BR><<A HREF="http://asg.web.cmu.edu/rfc/rfc2518.html#sec-17.1">http://asg.web.cmu.edu/rfc/rfc2518.html#sec-17.1</A>><BR><<A HREF="http://www.interarchy.com/">http://www.interarchy.com/</A>><BR><<A HREF="http://www.rbrowser.com/">http://www.rbrowser.com/</A>></P><P>As far as we can tell, this WebDAV security hole was not fixed in the Security Update 10-19-01, although Apple is aware of the problem. 
A related discussion on TidBITS Talk indicated that Mac OS X 10.1's WebDAV implementation may support only Basic authentication, which eliminates one of the significant advantages of WebDAV over FTP.</P><P><<A HREF="http://db.tidbits.com/getbits.acgi?tlkmsg=11678">http://db.tidbits.com/getbits.acgi?tlkmsg=11678</A>></P><P>The moral of the story is that it's definitely worth letting Software Update look for updates regularly, since that will almost certainly be the fastest way to receive any updates that Apple releases. In the meantime, if you're interested in learning more about some of the basics of security in relation to Mac OS X, Roland Miller has posted a report about 10.0 that applies in large part to 10.1 as well.</P><P><<A HREF="http://www.sans.org/infosecFAQ/mac/OSX_sec.htm">http://www.sans.org/infosecFAQ/mac/OSX_sec.htm</A>></P><!-- Mac OS X 10.1 Security Issues Fixed Adam C. Engst --></div>
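<p>The Basic-versus-Digest distinction that the iDisk section above turns on, as an added example (not code from the article or from Apple): a Basic <code>Authorization</code> header is only base64 of user:password, so decoding it returns the password, while an RFC 2617 Digest response carries only an MD5 over the password and a server nonce. The account name, password, realm, nonce and URI are constructed sample values, and <code>audit</code> is a hypothetical helper name.</p>

```python
import base64
import hashlib

# Constructed sample values; not taken from the article.
USER, PASSWORD = "alice", "correct horse"
REALM, NONCE = "idisk.example", "dcd98b7102dd2f0e8b11d0f600bfb0c0"
URI = "/alice/Documents/"


def basic_header(user, password):
    """Authorization value a Basic-only WebDAV client sends with each request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_header(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop: the password enters only through MD5."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def audit(url_scheme, authorization):
    """Report what the request itself reveals about the password."""
    scheme, _, rest = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # base64 is an encoding, not encryption: decoding needs no key.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        if url_scheme == "http":
            return {"exposed": True, "user": user, "password": password}
        return {"exposed": False, "user": user, "note": "protected only by TLS"}
    if scheme == "digest":
        return {"exposed": False, "note": "hash of password and nonce only"}
    return {"exposed": None, "note": "unrecognised scheme"}


if __name__ == "__main__":
    basic = basic_header(USER, PASSWORD)
    digest = digest_header(USER, PASSWORD, REALM, NONCE, "PROPFIND", URI)
    for label, value in (("basic", basic), ("digest", digest)):
        print(label, value)
        print("  ->", audit("http", value))
```

<p>The same check applies to FTP, which the article groups with Basic-only WebDAV: any protocol that puts the password itself on an unencrypted connection falls in the first branch.</p>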
<!-- end article text -->
<!-- PayBITS -->
<p> </p><div class="sponsorbox">