Sunday, February 1, 2004

Atom is a powerful, open, RSS-like syndication format, but so far, not a lot has been done with it. Now, Deez Steeles has used Atom to ship an iPhoto-to-Typepad tool that directly exports pictures that are retouched, selected and organized in Apple's iPhoto to Movable Type's Typepad blogging service. That's pretty sweet.

I'm digging the new Atom API interface to typepad. I have just completed a prototype of an iPhoto2Typepad interface. That means that its now possible to select photos in iPhoto and directly export into a Typepad Photo Album. This is basically my Holy Grail of digital photo convenience. Now the same program we use to import, and organise our pictures can send them right to Typep

Link

(via Dive Into Mark) [Boing Boing]


11:14:04 PM    

2003 was All Consuming’s first full year, and here’s the list of the 100 most mentioned books: Top 100 Most... [All Consuming News]


11:08:43 PM    

Computer Weekly Feb 2 2004 2:17AM GMT... [Meerkat: An Open Wire Service]


11:05:12 PM    

Internet/Network Security [Syndic8.com New Feeds]


11:04:13 PM    

In Part 1 of the Complete Mac Security series, we discussed physical security of your Mac, as well as Open Firmware and how you can utilize it to safeguard your system. Unfortunately, this is but a part of the steps everyone needs to take to completely safeguard your Mac against information (or physical) theft. This week, we'll discuss login security in all its forms, and how you can be completely sure that no one can login to your Mac except you.

Theory

Suppose you use a Mac running OS X at the office, and you step away to take a call. Obviously, you aren't going to turn off the computer for such a short period of time, just to protect your data. What if you have a server and can't turn it off at night? What if you just LIKE having the computer on when you come in every morning? What if you have a laptop and simply put it to sleep instead of shutting it down? (My PowerBook hasn't been off on months.) If you leave it like this, you have initially bypassed Open Firmware as a security level (although someone resetting the machine would encounter it again) and left them at the next level - OS X itself. What can we do at that point to keep your machines secure? By changing a couple simple settings, we can make your Mac impervious from random people looking for any tasty morsel of information on your computer. We'll use two technologies that come with OS X 10.3: the LoginWindow application, and Fast User Switching. Ready? Let's get started.

Long-Term Protection with LoginWindow

Mac OS X: Login WindowDepending on how long your Mac will be unattended, there are different methods for preventing someone from using your OS X account while you are away. The first is when you are away for an extended period of time - say, overnight. In this case, logging out is the best way to deter unauthorized access from someone sitting at your computer. All documents are saved and closed, and all applications have quit, with the exception of LoginWindow. The sole job of LoginWindow is to control access to the Finder's launch, based on user credentials. LoginWindow can authenticate against both local (NetInfo) and network (LDAP, Active Directory, etc.) user databases. Regardless of how LoginWindow authenticates, however, you still need to implement the security on your end so that the intruder doesn't have a chance to find out on his own.

LoginWindow should be enabled on every Mac, but sadly Apple has chosen to disable it by default. If autologin is enabled on your Mac (as it is by default), anyone who starts your machine (or resets it via the reset button on every Mac) will be automatically logged into your account (and have all the privileges you have on your account as well). This, obviously, is not good. Here's how to fix this problem:

  1. Select the Accounts tab in System Preferences.
  2. Below the list of users created on your Mac, you should see a picture of a house and Login Options. If it is disabled, you need to unlock the control panel by clicking the lock and entering any administrator login and password. The lock will then unlock and you can click on Login Options.
  3. Look for the checkbox marked Automatically logged in as: and uncheck it, if checked. Unchecking this will stop autologin from occuring.
  4. While we're here, find Display Login Window as: and select Name and password instead of List of users. This will show text boxes for the user's name password. Why this? If you have a list of users, there's no need to guess the username - it's right there! This forces anyone attempting entry to know both the username (either short name or long name) and password to log in to the machine.
  5. Click the lock again to secure the control panel, preventing future changes without admin authorization. Close System Preferences. You're all set!
Login Preferences

To test this, log out of the machine (try the key combo - command-shift-Q - if you like). When you start up your machine, you should see a text box for the name and password, and that's it. Looks pretty frustrating to an intruder, huh? Good - that's exactly how we want it. This isn't the only scenario that people use every day, though.

Short-Term Protection with Fast User Switching

Mac OS X: Fast User SwitchingLet's go back to that original scenario: you're at work, on your Mac, saving the world as usual, when you're called away for some reason - a phone call, another promotion, whatever. As soon as your back is to your computer, it's literally open season for anyone to pop a seat and take the scenic route through your personal account. Obviously, this doesn't work. We could log out, but that's quite a pain, considering you'll definitely be coming back in a few minutes. What to do? Enter the power of Fast User Switching.

Before we get too deep, what is Fast User Switching (FUS)? This is a technology introduced to Mac users in OS X 10.3 "Panther". In a nutshell, it allows multiple people to be logged into OS X at the same time, with one user viewing their session at a time. Users have the ability to switch back and forth between logged in users via the FUS menu extra (enabled when FUS is turned on), as well as log in to users that are not logged in yet. Users can also bring up the login screen, allowing only someone with login credentials to get to their opened (or unopened) OS X session.

How does this relate to making your Mac completely secure? The beautiful part of Fast User Switching (apart from the gorgeous Quartz Extreme-driven transitions) is that you don't need two users to apply the security tools of the feature! Even if you're the single user on that Mac, you can still benefit from FUS by turning it on when you step away from the computer. This way, only you can switch back to your account, in a matter of seconds - and your work is just as you left it! With the right settings, anyone who looks at your screen won't even know you're logged in. Ready? Here we go:

  1. The hardest part of this process (if you can consider it hard) is to enable Fast User Switching in the Accounts control panel. So, let's head back over there.
  2. Open the Accounts control panel in System Preferences.
  3. Once again, find the Login Options button below the list of user accounts and click. If the option is disabled, click the lock in the lower left corner and enter an admin login/password to unlock the control panel.
  4. Once you're in the login options, check Enable fast user switching. When you do so, a warning dialog will appear:

    This feature will allow other users to stay logged in and continue running software in the background while you're using this computer. This feature should only be enabled if you trust the other users of this computer. (Incidentally, we're enabling this feature specifically because we don't trust the other users, as they're not intended to be users in the first place.)

  5. Click OK, and Fast User Switching will be enabled. You will notice that a new menu extra will appear on the very right side of the menu bar with the name of the current user. Clicking on the menu will list the icon and name of every local user on the computer. Next to each logged in user you will see an orange circle with a checkmark. This menu extra is exactly what you'll use to enable LoginWindow when you step away.
  6. Make sure that the radio button setting for Display Login Window as: is Name and password, so as not to show the list of accounts.
  7. Click the lock to secure the settings, and close System Preferences.

Now, go ahead and test it. Click on the FUS menu and select Login Window... You will be instantly be taken to LoginWindow, requestiong a name and password. Because you selected Name and password as the LoginWindow display type, it doesn't show who's logged in, or that anyone is at all. Now enter your user name (either short name or long name will do) and your password, and you will be whisked back to your work environment, exactly as you left it, completely secure while you walked away.

Disuse of OS X Screensaver as Security Measure

Mac OS X Screen Saver

One of the things OS X brought to the Mac community was a unified, built-in screensaver engine. Apple included the ability to require a password to exit the screensaver. While this is initally a good idea, there are two major points that are often overlooked:

  1. When you activate the dialog box to enter the user name and password to exit the screensaver, the username is already in the text box! Suddenly, half the work of the intruder is done and the password is all that is required.
  2. One thing that people do not realize is that any admin password (including root) can be entered in the dialog box to exit the screensaver. Go ahead, try it some time. While this might generally be seen as "still secure", the fact that any admin password can view the contents of a user's account (including and admin or root account) is disturbing, considering the fact that otherwise, this wouldn't be possible (with the exception of root).

Now, the use of a screensaver in itself isn't a bad idea; it saves CRT monitors and looks cool. However, using Fast User Switching is just a smarter overall choice when it comes to protecting the information on your computer.

In the coming weeks, MacZealots.com will publish additional articles in the Complete Mac Security series, covering every aspect of practical OS X security, including permissions, FileVault, network ports, file/web sharing, and other topics.

Matt WillmoreMatt Willmore is a founding partner of MacZealots.com. While he may be single and willing to mingle, he does have his 17" PowerBook to keep him warm at night. He can be reached at

Comments (2)

Comments on this Entry:

(Jeremy Lavergne on Jan 30, 2004 7:06 AM)
Viewing user directories is possible for all admins in a Unix environment, even one such as OS X. That's why they are admins.

(Matt Willmore on Jan 30, 2004 7:31 AM)
Jeremy -

Perhaps I should have clarified. Admins (and non-admins) can see the base contents of other users' directories, but can only view the contents of the Sites and Public directories (and any other user-created folders with appropriate permissions, such as 755). However, just because they are admins does not give them the permission to view other users' directories in full (ie. read all folder contents) any more than a non-admin status would. The root user is the only user able to accomplish this.

[MacZealots.com - Tutorials]


11:02:48 PM    

Atom provides the potential to share your blog with a wider audience. When you activate Atom syndication, Blogger automatically generates a machine-readable version of your blog that can be picked up and displayed in a variety of ways, including newsreaders, web sites and handheld devices. There are already a bunch of newsreaders that support Atom. [Via shellen dot com]

[Lockergnome's RSS Resource]


10:59:10 PM    

NewsWatcher by Scopeware Vision is a free desktop application for subscribing to RSS-supported sites.

[Lockergnome's RSS Resource]


10:58:24 PM    

Introducing Linux to Joe Average [Slashdot]
10:41:10 PM    

Forgoing Software For a Firewall You Can See. With worms and viruses - not to mention malicious humans - loose on the Internet, sitting down at your computer to do a little Web browsing can feel a bit like exposing yourself to the Sword of Damocles, that legendary blade suspended by a thread and a bit of luck. But a good shield can deflect many a sword, and hence comes AlphaShield, a hardware firewall said by its eponymous manufacturer to be By J.d. Biersdorfer. [New York Times: Technology]
10:38:00 PM    

Wi-Fi Wizards at Your Service. Several major cable companies offer installation and maintenance of wireless home networks in many areas. (Others, including Cablevision and Charter Communications, do not yet do so.) Services offered, including limits on the number of devices that can be networked, may vary by region. [New York Times: Technology]
10:36:29 PM    

I'm an application whore - I'll try pretty much any software to see what it does. Compulsive installation can create problems however, since some installers will happily modify system files without even the slightest hint that it has done so.

One of these software indiscretions had apparently hosed my firewall settings, because when I clicked on the "Firewall" tab in the Sharing pane of System Preferences, a dialog box appeared indicating that other firewall software was running on my computer and that I could not modify my settings before disabling it.

At first I didn't recall installing any firewall software, but then remembered a brief fling I had with NetBarrier. I got tired of it's constant nagging about something trying to connect to something else, blah blah..., so I disposed of it - or so I thought.

Fortunately, the February 2004 issue of MacAddict (February?? It's only January 7th!) has a tip on page 69 to flush your firewall settings (Terminal > sudo ipfw flush). Worked as advertised.

Ever notice how magazines you read this month are dated next month, but you already knew about most of the stuff last month?

[MacIT.org]


9:53:36 AM    

Adventures in Troubleshooting

You can follow me via RSS Feed as well. I like it so far. Check out my photo album there. [Ramblings of a Technology Addict]


9:48:39 AM    

We've recently had a few questions raised about the licensing for Movable Type, and while the personal and commercial licenses are of course the definitive lists of your rights, we thought we'd summarize how Movable Type can and can't be used.

First, for personal, non-commercial users, Movable Type is free to download and use. We don't consider an Amazon wishlist link or a PayPal donation link to be a commercial use of your site, so you're free to update your weblog and maintain your site with Movable Type and all we'd ask is that you link back to movabletype.org and donate whatever you feel the software is worth to you.

For commercial users, we offer a few ways you can use the software. Businesses and other organizations can use Movable Type to manage weblogs on their intranets or behind their firewalls by paying for one $150 commercial License Fee per installation on each of the servers running the application. There are no per-user fees or client fees for using Movable Type in an organization. You can also use the system to update content on your public site, with the same rules applying.

Currently, if you're a web developer or designer, and you want to offer Movable Type to your clients so they can update their own site, or you want to use it to perform updates on their site, one License Fee must be paid per server installation, either by you or your client.

So what can't you do? You can't sell the software yourself, or redistribute it with changes, or offer it installed as part of a hosting service, either bundled or as a pay option.

Based on the comments and questions raised about offering support services, we'll be revising our licenses and working on creating a Movable Type Developer/Service Provider Network that will rely more on a software/service-provider relationship rather than that of licensor/licensee. We'd love to hear what you think about this sort of a program and if you have any ideas or suggestions of how it would work best for you as a service-provider or developer.

[Movable Type News]


9:46:03 AM    

E-consultancy has a pack of downloadable templates that can be used in various stages of web projects, including: Contract for... [Information Management Weblog]


9:44:45 AM    

John Gotze has posted an interesting-looking supplemental reading list for a course on Enterprise Architecture. Check it out.... [Information Management Weblog]


9:44:20 AM    

Orkut: What Is the Point?. Orkut is a new hack from Google, but no one can has been able to tell me why I should join it. [Meerkat: An Open Wire Service: O'Reilly Weblogs]
9:13:28 AM    


© Copyright 2004 Patrick Mikulak .
Last update: 5/18/04; 12:43:38 AM .

Click here to visit the Radio UserLand website. Valid CSS! Subscribe to "pmik's blog" in Radio UserLand. Click to see the XML version of this web page. Click here to send an email to the editor of this weblog.