There was an error in this gadget

Tuesday, October 30, 2012

EFI firmware protection locks down newer Macs

Apple's firmware password security is greatly enhanced in recent Mac models, making it a rather robust security feature.

With Apple's firmware password feature on Mac systems you can lock down the options to select an alternative startup disk, boot to Safe or Single User modes, reset the PRAM, and otherwise start the system in ways that can bypass the security features of OS X.

However, as a security measure the firmware password has been met with some criticism because it could easily be bypassed by someone who has physical access to the system. In earlier Intel-based Macs the firmware password was stored in the PRAM of the system, and was simply read by the system's EFI firmware before other PRAM variables in order to maintain the lock on the system; however, this setup had drawbacks that allowed the firmware to be reset or even revealed.

Altering the system's hardware configuration, such as by removing or adding RAM modules, would clear the security password and permit booting to alternative modes. Not only did this basic way of bypassing the password exist, but the password was also not stored very securely. While administrative rights are required to uncover it, with these rights one can use included utilities in OS X to reveal the password in the PRAM, which is masked only by a simple obfuscation routine.

These fallbacks made the Mac's firmware password almost laughable as a security measure, but this has changed with newer Mac systems. Starting in 2011, users began finding they could no longer reset their firmware passwords simply by modifying the hardware configuration. The systems would maintain the lock and prevent the use of alternate boot modes, leaving no choice for those who had set the password and then forgotten it but to bring their systems in to Apple for servicing.

In these newer systems, instead of using the PRAM to store the EFI firmware password, Apple has resorted to using a separate programmable controller from Atmel (PDF) that contains lockable flash memory used to store the password. This tiny chip is tucked away on the motherboard and includes include a security feature that stores the password in ways that require special programming with identifier numbers for both your motherboard and the Atmel chip to access and erase, which must done using special routines during the boot process.

As it's not dependent on other system components to maintain this lock, this new chip therefore cannot be unlocked simply by a hardware change. The password is also not available in the PRAM, so it cannot be revealed to users, regardless of their administrative status.

To reset the firmware password on newer Macs, you must now follow these steps:

Boot with Option key held to display the boot menu's firmware password prompt.

Press Control-Option-Command-Shift-S to reveal a 33-digit hash (mixed letters and numbers) that contains an identifier for your specific motherboard and the Atmel chip used for your system. In this hash, the first 17 digits are an identifier for the system's motherboard, and the last 16 digits are a hash for the password.

Submit the hash to Apple, where someone will put it through a special utility to create a keyfile that is specific for your machine.

Place the file on a special USB boot drive and hold Option to load the boot menu and select this drive.

The system will read the file and properly reset the firmware password stored in the Atmel chip.

This process may seem easy enough, except that the utility for creating the keyfile is kept at Apple so you have to go through an authorized service center, which will contact technicians at Apple for this service. Secondly, the Apple technicians will not give you the keyfile for unlocking your system, so you must get your system serviced to perform this step.

Even if you were able to get the keyfile, it cannot be used on any other Mac system. The Atmel chip's serial number and motherboard identifier are factory-programmed, resulting in a pairing that is unique for your system. This is why the hash numbers for your system must be programmed into the keyfile, making it machine-specific.

Even so, there is one way to bypass the Atmel chip, which is to manually remove it and solder a new, unlocked chip to your motherboard; however, without precise reflow soldering tools and techniques, this would likely result in an unmitigated disaster that not only would void your warranty, but would very likely break your machine.

Coupled with Apple's FileVault full-disk encryption to protect data should the hard drive be removed, the firmware password in Apple's latest systems provides a very effective hardware security lock. Setting it up involves the same steps as for all of Apple's hardware, but these advances make it so that to change or remove it you need to either use the same firmware password utility and remember the previous password, or have it serviced.


Google Apps: Google upgrades Gmail interface, now less 'drafty'

Shifting email towards instant messaging

Google has begun a series of upgrades to its Gmail user interface, starting with a "compose and reply experience" that brings email composition much closer to an instant messaging format.

When you're writing an email and you need to reference another message, the current system of saving to draft, searching for the new email, getting the information, and then reopening the original draft, is a pain in the neck, Google product manager Phil Sharp points out in a blog post. El Reg forum users have been pointing this out for some time.

The new function will give you a choice when the Compose button is hit of a floating email window, similar to that used by Google's IM client. This leaves the inbox view in the background, but it's still usable to search for and open other emails in a similar manner as needed. Attachments, text, and email addresses can then be pulled into the original draft.

"This makes it easy to reference any other emails without ever having to close your draft," Sharp writes. "You can even do a search or keep an eye on new mail as it comes in. And because the compose window works the same way as chats, you can write multiple messages at once and minimize a message to finish it later."

The new message pane could best be described as functional, with basic formatting tools for the moment, and the pane expands to fit the amount of information needed, to save on-screen acreage. The Save Now button is gone, since everything's auto-saved, and with each email recipient you can start a new email string with a click on their address.

Google is going to roll out the feature to some users within the next 48 hours, a spokeswoman told El Reg, and Google Apps customers on the scheduled release track will see the link in approximately two weeks.

Over the next couple of months, Google will add more features to the Gmail composition windows, including canned responses, inserting emoticons and event invitations, printing and label-generating options, and a read receipt alert option for Apps customers – so HR will know you've scanned the latest corporate missive.


Saturday, October 27, 2012

Millions of SSNs lifted from South Carolina database

Slipshod security at the state Department of Revenue leads to a massive security breach: 3.6 million Social Security numbers are stolen. The state's population is approximately 4.7 million.

If you live in South Carolina, there's a very good chance that slipshod state government security has allowed an overseas computer criminal to acquire your Social Security number.

The South Carolina Department of Revenue acknowledged the massive electronic security breach today, saying an electronic intrusion led to 3.6 million Social Security numbers being stolen. The state's population is approximately 4.7 million.

"We are taking immediate steps to protect the taxpayers of South Carolina, including providing one year of credit monitoring and identity protection to those affected," Gov. Nikki Haley said in a statement.

Anyone who has filed a South Carolina tax return since 1998 -- including former residents who have since moved out of the state -- is being urged to call  (866) 578-5422 to enroll in a consumer protection service and visit

Social Security numbers weren't always used as taxpayer ID numbers, and it's possible that South Carolina's missteps could prompt a move to rethink their use. It wasn't until 1976, when the federal Tax Reform Act was adopted, that states began to adopt SSNs for tax and motor vehicle licensing purposes.

Employers, universities, and even some states have adopted substitutes for SSNs, which can jeopardize privacy when disclosed because they're used for authentication and as a unique identifier. The U.S. Navy is moving away from SSN use, and New York's civil service offers substitutes for people without SSNs. So, perhaps ironically, does the University of South Carolina.

A chronology of events (PDF) that the state published today says that the Department of Revenue learned of the intrusion on October 10 -- it doesn't say how, and USA Today suggested the hacker may have contacted the state demanding a ransom -- and alerted federal and state law enforcement.

On October 12, the state hired an outside consultancy, Mandiant, which determined the intruders accessed state systems in early and mid-September. It wasn't until eight days later, on October 20, that the suspected security hold was actually closed.
Approximately 387,000 credit card numbers were in the files taken, the state said. But officials claim that only 16,000 were unencrypted.


Friday, October 26, 2012

SSL Vulnerabilities Found in Critical Non-Browser Software Packages

The death knell for SSL is getting louder.

Researchers at the University of Texas at Austin and Stanford University have discovered that poorly designed APIs used in SSL implementations are to blame for vulnerabilities in many critical non-browser software packages.

Serious security vulnerabilities were found in programs such as Amazon’s EC2 Java library, Amazon’s and PayPal’s merchant SDKs, Trillian and AIM instant messaging software, popular integrated shopping cart software packages, Chase mobile banking software, and several Android applications and libraries. SSL connections from these programs and many others are vulnerable to a man in the middle attack.

“This is exactly the attack that SSL is intended to protect against,” according to the research paper “The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.“ It does not involve compromised or malicious certificate authorities, nor forged certificates, nor compromised private keys of legitimate servers. The only class of vulnerabilities we exploit are logic errors in client-side SSL certificate validation.”

SSL encrypts network communications between clients and servers. The research, done by Martin Georgiev, Suman Jana and Vitaly Shmatikov of the University of Texas at Austin and Subodh Iyengar, Dan Boneh and Rishita Anubhai of Stanford University, focuses on SSL connection authentication in non-browser software. The team looked at a number of applications and libraries supported on Linux, Windows, Android and Mac iOS platforms, and how they validate SSL certificates. All of the applications and libraries tested failed to reject self-signed and third-party digital certificates and instead established SSL connections initiated by a man in the middle who siphoned the transaction information.

“SSL certificate validation is completely broken in many critical software applications and libraries,” the report concluded.

Non-browser software often requires a secure Internet connection, and SSL is deployed as the preferred encryption protocol. Some of the critical applications tested by the researchers included instances where SSL was used to send local data to cloud-based storage, transmit payment data to processors such as PayPal and Amazon, establish connections between IM clients and the respective service, and authenticate servers to Android and iOS mobile applications, the research paper said.

“The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers,” the paper said. “As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values.”

Developers, meanwhile, may incorrectly use legitimate SSL libraries that don’t validate certificates, or inadvertently turn off certificate validation.

In addition to certificate validation vulnerabilities in a number of cloud-based storage management programs, Java-based Web services middleware, merchant software development kits and IM authentication instances that could lead to various types of data leakage (lost credentials, payment information and more), the researchers were most disturbed with issues discovered on the Chase mobile banking application for Android devices. The researchers discovered that the mobile app overrides default x509 code which causes the app to fail to check the requesting server’s certificate.

“Perhaps the most devastating (because of the ease of exploitation) bug is the broken certificate validation in the Chase mobile banking app on Android,” the report said. “Even a primitive network attacker—for example, someone in control of a malicious Wi-Fi access point—can exploit this vulnerability to harvest the login credentials of Chase mobile banking customers.”

The researchers point out that the SSL libraries (JSSE, OpenSSL, GnuTLS and others) are often correct, but developers misunderstand the security options, parameters and return values. By incorrectly setting a return value in Amazon’s Flexible Payments Service PHP library, for example, a developer can accidently turn off certificate validation functionality. PayPal Payments Standard PHP library contains the same bug, the researchers said.

The research team said a number of factors contribute to the poor security of SSL implementations: a lack of testing for vulnerabilities during development; unsecure SSL libraries by default; misuse or misinterpretation of security options in secure libraries by developers; SSL vulnerabilities are often not present on the application layer, but in middleware—out of a developers’ purview; and some cases where developers deliberately turn off validation.

“A principled solution to the problem must involve a complete redesign of the SSL libraries’ API,” the report said. “Instead of asking application developers to manage incomprehensible options such as CURLOPT_SSL_VERIFYPEER or SSL_get_verify_result, they should present high-level abstractions that explicitly express security properties of network connections in terms that are close to application semantics.”


Red Hat-Applied Micro deal is another vote for ARM in the Data Center

Everyone is jumping on the ARM server bandwagon with Red Hat and Applied Micro the latest vendors to hitch a ride. Cell phone chips in the the data center is a hotly anticipated trend and we’re going to see a lot of ecosystem announcements next week.

Let’s just get this straight. Next week at ARM’s tech development event in Santa Clara, Calif., there’s going to be a lot of talk about getting cell phone chips into servers. The bet here is that using ARM-based chips in servers, as opposed to the traditional x86 processors that Intel and AMD make, will be more energy efficient and better match the processing needs of many of todays applications.

Last week, Calxeda kicked it off with news of its product roadmap, and Dell followed with its own announcement of an ARM-based server designed for Hadoop. HP, Dell, Penguin Computing, Boston Ltd., Cavium and Marvell also are all officially on the ARM server train. On Monday, AMD is expected to announce that it’s taking an ARM license.

There will be ARM-based chips in production environments by the end of this year, but those will only be 32-bit and capable of addressing smaller amounts of memory. Still, Dell, Calxeda and others argue that 32-bit processing is good enough for Hadoop and a few other specific data center workloads.

However, to really break ground in the server world, you need a chip capable of 64-bit processing that is widespread across the enterprise market. Which is why it’s significant that on Thursday, ARM, Red Hat and Applied Micro Circuits Corp. said they were getting together to develop a 64-bit server design platform. Applied Micro, a server maker, is announcing the Applied Micro X-Gene Server on a Chip aimed at the big data and cloud server market.

Red Hat will be responsible for building support within the Fedora community for the new 64-bit ARMv8 architecture, in hopes of making this dream a reality in time for the actual launch of 64-bit capable ARM cores next year. The company’s support is important, as has been Canonical’s previous support, because you need software capable of running on ARM-based chips. It would be nice if VMware were to step up and say that it wanted to support ARM in the data center, but so far that hasn’t happened.

In the coming week I expect to see more news highlighting the much-needed development of the ARM-server ecosystem. Stay tuned to see more ways the chips from your cell phones will invade data center.


Thursday, October 25, 2012

How to manage the Java 6 and Java 7 runtimes in OS X

Problems with Oracle's Java 7 runtime may require OS X users to switch back to Java 6, but currently there is no direct means of doing so.

The transition from Apple's Java implementation to Oracle's with the release of Java 7 is a bit of a problem for many Mac users. While the Java runtime should have the necessary components to run most applications, the implementations differ enough, even in minor details, to make some programs simply throw up their hands and not run, claiming a valid Java installation needs to be run.

As part of its latest updates to Java, Apple has pushed for users to leave the Java SE 6 platform and adopt Oracle's Java 7 runtime. Usually with multiple Java runtimes installed you can use a utility such as Oracle's Java system preferences or Apple's Java Preferences tool to switch between runtimes; however, the differences between the Oracle's and Apple's implementations make them incompatible with these utilities.

Java 7 from Oracle is completely embedded in the Java plug-in that is installed in the /Library/Internet Plug-Ins/ directory on the computer, whereas Apple's version is installed in the /System/Library/Java/ folder and is not bundled in a self-contained package, so that its contents can be accessed more globally by applications that need it. Components of the runtime such as the Internet plug-in are simply linked to so they can be accessed by your Web browsers.

In essence, the basic difference is that one runtime is unpackaged and in a different location than the other runtime, which will require new versions of some Java programs to be released that look for Java in the proper locations.

In the meantime, if you have a Java applet that you need to run on your system and you can't get it working in Oracle's Java 7, then you can re-enable Java 6 without needing a Java runtime manager utility like Apple's Java Preferences. The installation of Java 7 does not remove the Java 6 runtime from OS X, but simply replaces Apple's Java Internet plug-in link with its plug-in package. Therefore, to downgrade and use Java 6, you can replace this package with a link to Apple's Java runtime.

To do this, follow these steps:

Go to the Macintosh HD/Library/Internet Plug-Ins/ folder and delete the file "JavaAppletPlugin.plugin"

Open the Terminal and run the following commands (each on one line):

cd /System/Library/Java/Support/Deploy.bundle/Contents/Resources/

sudo ln -sf JavaPlugin2_NPAPI.plugin /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin

Note that Apple does have a Java plug-in reference in its CoreDeploy.bundle package, but in the latest update to Java 6 this plug-in is used to redirect users to download Java 7, so linking to it will not provide a working Java plug-in.

At this point you should have a working Java runtime, but if you also need the Java Web start utility working (to launch locally stored Java applets), then you can run the following command (as noted in a recent Apple Knowledge Base article):

sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Commands/javaws /usr/bin/javaws

You can disable Web Start by running the following command (all on one line):

sudo ln -sf /System/Library/Frameworks/JavaVM.framework/Versions/Current/Commands/javaws /usr/bin/javaws

If after this you would like to get Java 7 running again, you can simply download and reinstall it from Oracle's Java Web site. Future version upgrades to Java will likely be managed properly through Java's system preferences, but for now these steps will have to be taken to specify the Java runtime to use.


Monday, October 22, 2012

How to fix drive-permissions problem in OS X

When the setting to ignore permissions on secondary hard drives keeps toggling off, blocking access, here's what to try.

Secondary volumes such as external USB and FireWire hard drives are often used with multiple computers, and if the drive contains a permissions-aware filesystem such as Apple's HFS+ (the default Mac filesystem) then it can inherit various permissions settings from the systems it's used with. While that's not usually an issue, these permissions can sometimes block access to parts of the hard drive so it can't be read from or written to.

To deal with this problem, Apple includes an option to ignore permissions on secondary drives, which can be invoked by selecting the drive and getting information on it, and then checking that option in the Sharing section.

While convenient, sometimes this setting may not stick. MacFixIt reader Ian recently wrote in about this issue:

Every day the permissions on the other 3 drives in my Mac Pro change away from "Ignore ownership on this volume." I can't access my other drives until I manually go into "Get Info" on each one!...

When you ignore permissions on secondary drives, the system does not remove or otherwise alter the permissions setup, but simply updates a central database to have the system handle the drive with root permissions. When the drive is attached, the system checks this database to see what settings should be used, but corruption in the database file may prevent the system from doing so properly, so that it resorts to the default setting of observing filesystem permissions.

To fix this, one simply needs to remove this database and have the system set it up again from scratch, similar to removing a corrupt preferences file when preferences aren't sticking for an application.

The permissions settings for attached volumes are stored in a basic text file called volinfo.database that contains a drive identifier string followed by a bitwise settings value to indicate various settings such as ownership and permissions management. This database is set up when you modify settings for a volume, but it's not needed for access to the drive, so you can remove it and the system will recreate it when you change the drive's permissions settings.

To do this, you will need to open the system's hidden database folder, by going to the Finder's Go menu and entering the following as the target folder:


When this folder opens, locate the file called volinfo.database and remove it, and then get information on your hard drives and set their permissions awareness accordingly.


Friday, October 19, 2012

Spammers start using short .gov URLs to trick their victims

Cybercriminals are increasingly using links in their spam campaigns to trick users into thinking the links lead to genuine US government Web sites. How are they pulling it off? It turns out this comes down to a simple loophole in links.

Here’s how short URLs are described by the US government:

Now, whenever anyone uses bitly to shorten a URL that ends in .gov or .mil, they will receive a short, trustworthy URL in return. To create a URL, simply go to, paste in a long .gov or .mil URL, and click shorten. There’s no need to log in.

As Symantec points out, however, spammers can use an open-redirect vulnerability to set up a URL which ends up taking the victim to a spam website. Therefore, something like…/Rxpfn9 takes you to[spam site] which then redirects you to the spam site in question.

From there, spammers can make the spam site look more legitimate by designing it to look like a government Web page. Any links included therein will of course lead to spam, or even worse, malware.

Since the Data Web page can let you know the number of clicks on a URL, Symantec could dig deeper into a recent spam campaign. The security company found that is a recent phenomenon: in the last week, over 43,049 clicks were made through shortened URLs to 10 spam domains. Unsurprisingly, most of them came from the US, according to the firm’s analysis:

In addition to volume, the data also provides some insight into the locations of the clicks. 36,664 of 43,049 spam clicks had a country code associated with them. There were 124 countries identified. The top four countries on a daily basis were the United States, Canada, Australia, and Great Britain. In aggregate, the United States made up the biggest slice with 61.7 percent of the clicks

This is a perfect example of why you should never blindly click on a link, even if it appears to be legitimate. If you can help it, only navigate to websites manually, and don’t click on links that are shared with you unless you absolutely know what they are.


Thursday, October 18, 2012

Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong

Security is not just about strong encryption, good anti-virus software, or techniques like two-factor authentication. It’s also about the “fuzzy” things … involving people. That’s where the security game is often won or lost. Just ask Mat Honan.

We – the users – are supposed to be responsible, and are told what to do to stay secure. For example: “Don’t use the same password on different sites.” “Use strong passwords.” “Give good answers to security questions.” But here’s the troublesome equation:

more services used = more passwords needed = more user pain

… which means it only gets harder and harder to follow such advice. Why? Because security and practicality are in conflict.

But they don’t have to be. As someone who has studied millions of passwords and how they were constructed – I’ve spent most of my waking hours for over a decade obsessing about authentication methods – I say we can have both security and practicality.

And it starts with recognizing that a lot of security advice hurts more than it helps.

Security specialists – and many websites – prompt us to use a combination of letters, numbers, and characters when selecting passwords. This results in suggestions to use passwords like “Pn3L!x8@H”, to cite a recent Wired article. But sorry, guys, you’re wrong: Unless that kind of password has some profound meaning for a user (and then he or she may need other help than password help), then guess what? We. Will. Forget. It.

What Good Is a Password We Can’t Remember?
Obviously, we need something that is both secure and which we can remember. Whoever asks us to use meaningless sequences of letters, numbers, and characters worries more about security than about practicality. We need to resolve this tension, or we will forever be faced with vulnerabilities to hackers, or lack of access to our data.

We need new password approaches.

One common suggestion is taking a word, let’s say “Elvis”, and replacing letters with digits to get “3lv1s”. While this makes a password memorable – presuming we won’t forget Elvis – it doesn’t make it that much more secure. Because everybody makes changes just like that.

Furthermore, when forced to add a numeral and a special character, people just add “1″ and an exclamation point at the end. While this does get your password accepted on most sites, it doesn’t make the password much stronger.

Because hackers know all our tricks. Online criminals know much more about passwords than the good guys do.

The irony is that most sites will tell us a password like “3lv1s” or “3Iv1s!” is secure (though it might be a bit too short on some sites). This is because today’s password strength checkers don’t measure password strength, but rather, count individual characters and simply make sure passwords have numerals and special characters.

They fool us into thinking that bad passwords are good – and that some good passwords are bad.

The community of security experts has naively assumed that digits and exclamation marks mean more security, when in reality these just result in lower recall rates. Instead, password strength checkers should break down passwords into their components, most typically words – because that’s how people naturally think and communicate. The strength checker can then determine (1) what words a given password consists of, and (2) how common or frequent those words are. The product of those frequencies is a much better estimate of the password’s strength than whether the password contains a particular character or not.

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!

This approach isn’t just conjecture: It works. It’s been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

Turns out, research has a lot to say about not just passwords, but the security questions used to remember them, too. Because most of those questions are pretty atrocious.

A horribly obvious one is “Favorite color?” Red. Green. Yellow. Purple. How many people actually pick the lesser-known color “Caput Mortuum” as their answer? This isn’t the user’s fault: Whoever decided that favorite color can be used for authentication is to blame. Similarly, questions like “Brand of your first car?” aren’t recommended either, because we’re more likely to start off with a Dodge or a Honda than with a Bentley.

The problem with both of these questions is that most people will choose from a very small set of answer options.

Another common, bad security question is “Mother’s maiden name?” By using easily available public records, hackers can derive more than a tenth of people’s mother’s maiden names with certainty – and a lot more with pretty high probability.

So some security experts suggest you get creative with password questions. (Et Tu, Wired?) While the approach of answering favorite color with ”Abraham Lincoln” and brand of first car with “Dandelion” seems great in theory, it doesn’t work in practice. Again, because: We. Will. Not. Remember.

Why would we remember one nonsense thing (the answer to a creative security question) when we can’t remember another (the very password we forgot in the first place)?

The best security questions, generally speaking, are those where:

  • there are many possible answers;
  • others can’t find the answers using a quick Google search; and
  • we can actually remember the answer, but others would have a hard time guessing it.

It’s the same underlying approach, in fact, as the password approach I shared above: a focus on security and practicality. We don’t need a complex password / security question solution – at least on the front end. On the back end, however, a lot can be done if we structure things in a meaningful way.

So what are examples of good security questions? People’s preferences turn out to be a great starting point. For example: likes olives but can’t stand volleyball; these are the kinds of things we’ll comfortably recall in a year. Surprisingly, most of these preferences are actually very difficult for others to guess – even by people who think they know you. In tests where we asked people to guess the preferences of their colleagues, friends, and spouses, only the spouses got enough answers right to pass.

That’s the secret to security: We have to remember that much of the time, the problem involves users … and that users are people – not machines.


HSBC hit by broad denial-of-service attack

The multinational bank confirms attack, saying it "did not affect any customer data, but did prevent customers using HSBC online services."

If you haven't been able to log into your HSBC online banking account today, you're not alone.

The multinational bank based in the U.K. confirmed this afternoon that it has become the target of a denial-of-service attack that overwhelmed its servers.

"This denial-of-service attack did not affect any customer data, but did prevent customers using HSBC online services, including Internet banking.
We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.

We are cooperating with the relevant authorities and will cooperate with other organizations that have been similarly affected by such criminal acts."

Twitter users began reporting problems with connections to and other sites about 90 minutes ago. was still unreachable for us as of 1:45 p.m. PT.


Tackling disabled Dictation in Mountain Lion

The inability to enable Dictation services in OS X may be from faulty Parental Controls settings.

One of Apple's newer features in OS X is the Dictation service that was introduced in Mountain Lion, which allows you to speak phrases and have the system enter it as text in entry fields. While useful in certain situations, some people who have tried using the service have found it to be unavailable on their systems.

When accessing the "Dictation & Speech" system preferences, instead of being able to click the on or off buttons, these options are grayed out, even in administrative accounts that ought to have full access to system services.

The Dictation service does require an available microphone, so if the system is making the dictation service unavailable to you, then first check if your microphone is attached and working. In the Dictation system preferences, you will see a purple icon of a microphone, which should be pulsing in response to ambient sounds in the room (taps, claps, and talking). If this icon is not pulsing at all, then try selecting a different microphone source in the menu beneath it.

Microphone settings can also be adjusted in the Sound system preferences and by using Apple's Audio MIDI Setup utility (in the /Applications/Utilities/ folder). If the microphone is missing in these preferences and utilities, then check its connection and power options to ensure it is working properly.

If the microphone appears to be working fine, then this problem may stem from a fault with the parental controls settings in OS X. Apple's Parental Controls are intended to manage user accounts and prevent access to restricted content and system services, with one being the dictation service.

To fix this problem or similar ones where a service that can be managed by the parental controls is not accessible, try clearing your account's parental controls settings. Your first option is to try toggling parental controls settings to have the system overwrite relevant configuration files and have them be used properly, which can be done with the following procedure:

1. Create a new admin account and log into it.
2. Revoke the admin status from the problematic account.
3. Toggle the parental controls settings to enable and disable them for the account.
4. Give the account administrative status again.
5. Log out of your new admin account and back into your standard account.

After this is done, the account should have access to all system services, but if you still cannot access Dictation then you might try manually removing the entire collection of parental controls configuration files for your account. Open a Finder window and go to the /Macintosh HD/Library/Managed Preferences/ folder, in which you will see a folder for each user that has parental controls set. If one exists for your account, remove it, followed by logging out and then back into your account.


Manage display arrangement errors in OS X

Sometimes multidisplay arrangements will not stick in OS X after performing software or hardware modifications.

When you connect an external display to your Mac, the system will usually by default resort to its native resolution and arrange it to the right of your main display. You can modify these settings in the Displays system preferences, which should preserve separate settings for each display you use with the system; however, after updating or upgrading OS X the system may not keep these changes and persistently revert to defaults every time your display is attached or when the system restarts.

If you use the default arrangement then this issue may not be much of a problem, but those with custom setups such as having your secondary display in a different position or even using it as the primary monitor, setting it up every time can be irritating.

Display arrangement settings are managed by the OS X window server and saved on a per-user and per-machine basis, which means that the settings for it are in the user's "ByHost" preferences folder. Since the host identification is associated to a specific machine's hardware configuration, if you migrate to a new system or if your current system has parts serviced and replaced then it is likely the host identification will change and result in a new settings file being used for the system. However, this reset should only happen once and not result in continual need to change settings.

A more likely problem is simply corruption in the settings file for display arrangements, which is a common reason why settings for any application or process cannot be saved or restored. As a result, the easiest approach to fixing this problem is to clear the window server settings and have them be rewritten by the program, which can be done in one of two ways.

The first approach is have the system clear these settings by running the following command in the Terminal:

defaults -currentHost delete

This will tell the defaults system (the preferences writing routines) to target the specific preferences file for the current computer and remove its contents. While the file itself is not replaced, this routine will clear its contents and set up a basic xml structure in it to accept new preferences settings.

The second approach is to manually remove the file itself, which will force a recreation of it by the window server. A new file will ensure its filesystem properties and permissions are properly inherited and therefore accessible to the window server when running under your account. To remove this file, go to the Finder and choose the Library option from the Go menu (hold the Option key to reveal the Library in this menu if it is missing). Then navigate to the Preferences/ByHost folder in the window that appears, and remove the file called "" (the NUMBER component of the file name will be the current host identification string).

After performing each of these steps, try logging out and logging back into your account to see if new display arrangement settings stick.


Java Preferences missing after latest OS X Java update

While the Preferences utility is missing, this may be a simple oversight on Apple's part.

Apple has recently released a couple of Java updates for OS X 10.6, 10.7, and 10.8 that bring its in-house supported Java runtime (Java SE 6) up to the latest version issued by Oracle. The update tackles a couple of security bugs in the runtime, but those who have installed the updates have noticed that in addition Apple has apparently removed the Java Preferences utility, which was used to configure how the Java runtime is managed in OS X.

While Java Preferences is missing for those using OS X 10.7 or later, the utility is still present for those who update Java in OS X 10.6. This may seem to suggest that Apple simply overlooked including Java Preferences in the updater for OS X 10.7 and later; however, this is not the case. In fact, leaving out Java Preferences is a part of Apple's progressive move away from in-house support for Java.

With this latest update, Apple has made some significant changes to the Java runtime. One of the first is that while the Java 2012-006 updater will install the latest version of Java SE 6, it will configure the Web plug-in to download the latest Java 7 runtime from Oracle when applets are run. This step will hopefully migrate more users to the latest developments from Oracle instead of relying on Apple for Java support.

In addition, the various Java tools Apple includes (such as command-line tools) are configured with reference to the Java runtime with the highest version number, ensuring that Java 7 or later will be used once it is installed, regardless of any other runtimes that may be present. Since Java from Oracle has its own configuration tools and does not use Apple's Java Preferences utility, Apple has removed this utility in favor of Oracle's tools.

Unfortunately Oracle will only be supporting OS X 10.7 and later with Java 7, so Apple has left these changes to the runtime out of Java for Snow Leopard. Therefore, these users will have Apple's Java Preferences utility available for this and future updates to Java SE 6.

While Apple's Java Preferences utility can be restored from a Time Machine backup and used to configure any installed runtimes, this shouldn't be necessary. In short, if you have OS X 10.7 or later and wish to configure Java after applying this update, then you'll be using Oracle's Java system preferences pane.


Tuesday, October 16, 2012

Apple promotes Java 6 SE fix through Software Update

Patches zero-day exploit for Snow Leopard, Lion, Moutain Lion

Though recent versions of OS X no longer ship with a Java plug-in -- and Apple has ceased developing its own versions and left compatibility to Java owner Oracle -- the company is pushing an updated version of Oracle's latest release of Java SE 6 (version number 1.6.0 build 37) through its own Software Update mechanism. The update fixes a critical "zero-day" exploit reported at the end of last month and is available as separate releases for OS X 10.6, and OS X 10.7 and higher.

For Snow Leopard users, the update is referred to as Java for Mac OS X 10.6 Update 11. Currently the support page download link goes back to the previous update from September (Update 10), but it is available through Software Update. As with the previous update, it configures web browsers not to automatically run Java applets, and instead creates a sort of "Java blocker" on web pages that can be manually overridden by clicking on an area labelled "inactive plug-in." It will also deactivate the Java web plug-in if no applets have been run for "an extended period of time."

The Lion and Mountain Lion version of the update is called "Java for OS X 2012-006" and like the Snow Leopard version, it offers "improved security, reliability and compatibility" but doesn't specify exactly what has changed. The accompanying note says that the update will uninstall any old Apple-provided Java applet plug-ins from all web browsers, and replace it with the "inactive plug-in" blocker described above. Users who click on the "inactive" button will be prompted to download the latest version of the Java plug-in directly from Oracle. The update also removes the Java Preferences application, which is no longer required to configure applet settings.

Oracle, in its release notes for the new version, says that the v1.6.0_37 update adds the compromised Cisco AnyConnect Secure Mobility Client to its blacklist, and closes two bugs related to the zero-day exploit, which affects all versions of Java including Java 7, though this patch is aimed only at Java SE 6. An update for Java 7 (update 9) is available as well for users running Java SE 7 on Macs, but at present is only available directly from Oracle.

Most users Java SE 5, which is also affected by the exploit, is no longer updated and little-used. Users running pre-Snow Leopard Macs or outdated versions of Java are strongly advised to disable the web plug-in and seek alternatives for Java uses or update their systems if possible.


15000 Wordpress blogs hacked for making money from Survey

Wordpress Security Team is sending out warning messages to thousands of wordpress users that their account has been compromised recently. Warning message include "We recently detected suspicious activity on your account. To protect your identity and keep your site safe, we’ve reset your password."

Message continue "To reset your password and get access to your account and blog, please visit Click on “Forgot password?” in the Login toolbar to get started. It is very important that your password be unique because using the same password across different web applications increases the risk of your account being hacked."

Note: Wordpress officially has not announce yet any security breach news on their website, but these warning mails are silently received by compromised account holders. Method of hack is still not confirmed. But hacking 15000 blogs from wordpress server and posting same article on all sites most obvious can't be a client side hack. Either wordpress servers has been compromised or a 3rd party WordPress API service server has been compromised where all these 15000 users account can be clients.


Cisco Has Found A New Way To Battle VMware

Cisco has sent a strong signal to VMware, a close partner which has increasingly edged into its core networking business.

The networking-equipment maker just releasied its own version of an open-source cloud operating system.

In essence, Cisco said to VMware, "You want to go after our core industry? Then we'll take a bite out of yours!"

VMware and Cisco have fallen into a love-hate relationship. On the one hand, they are close partners. Cisco's blockbuster server product, Unified Computing System, leans heavily on tech from VMware and EMC, the storage maker which owns a majority stake in VMware. The three of them back a venture called VCE, which sells a popular data-center-in-a-box product called Vblock.

But when VMware bought fledgling networking startup Nicira for $1.26 billion last summer, it told the world that VMware is ready to upend the networking business, much like it transformed the server industry. And that means taking on Cisco.

On Friday, Cisco fought back by releasing the Cisco Edition of OpenStack. OpenStack is a cloud operating system built with the cooperation of about 200 tech companies, including Cisco.

OpenStack competes head-to-head with VMware's prize cloud operating system, vCloud. vCloud is the reason VMware spent $1.26 million on Nicira.

OpenStack is also one of the most politically charged consortiums in the tech industry right now. Nicira was a power player in it, working with Cisco to developing the networking portion of OpenStack. After VMware bought Nicira, VMware asked to become a part of OpenStack and permission was granted.

This upset a lot of OpenStack members because until that point, VMware had been dissing OpenStack.

"I was one of the few people that voted against VMware joining," OpenStack board member Boris Renski told Business Insider. "Ultimately VMware didn't join to help the project, but to neutralize and subdue it."

Renski is cofounder of Mirantis, a company that helps companies build OpenStack clouds.  Mirantis worked with Cisco on its OpenStack edition and says Cisco isn't ready to grab enterprises customers away from VMware ... yet.

But, Cisco is getting ready to yank out its own internal deployments of VMware's software and use OpenStack instead, and is doing the same for a handful of its strategic customers, says Renski.

And that means that Cisco will be able to end its relationship with VMware altogether, should it come to that, because it will soon be able to substitute technology from VMware and EMC with OpenStack.


Monday, October 15, 2012

Newly IDed 'MiniFlame' malware targets individuals for attack

A new malware variant related to the state-sponsored Flame and Gauss cyber-espionage tools can work on its own or team up with its brethren to conduct targeted surveillance, say researchers at Kaspersky Lab.

A new form of state-sponsored malware is making the rounds, this one apparently designed specifically to spy on its victims.

Dubbed "MiniFlame" by Kapersky Lab, but also known as SPE, the new malware variant is similar to the Flame virus that targeted computers in the Middle East this past summer. But MiniFlame is a cyber espionage program that can take over where Flame leaves off.

As described by Kaspersky:

First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage.

Kaspersky discovered MiniFlame in July, although at the time it simply looked like an earlier version of Flame. Further research determined last month that the new module was actually a separate malware strain, through one that can take advantage of PCs infected by Gauss and Flame.

The developers of MiniFlame may have started their work as early as 2007, according to Kaspersky, and continued until the end of last year.

Six variants of the new virus have been discovered, though there are likely more. So far the infection rate is low, especially when compared with Gauss and Flame. Only 50 to 60 computers worldwide are estimated to be infected with MiniFlame.

But these types of attacks are less focused on quantity and more on hitting specific targets.

"MiniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack," Alexander Gostev, Chief Security Expert for Kaspersky Lab, said in a statement. "The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame, and Gauss."

Together, these malware strains are seen as a sign of continued cyberwarfare against Middle East countries. In particular, many analysts believe many of these strains gathered intelligence in Iran and may have been used to sabotage its nuclear-weapons program.

"With Flame, Gauss, and miniFlame, we have probably only scratched [the] surface of the massive cyber-spy operations ongoing in the Middle East," a Kaspersky Lab expert wrote in the blog. "Their true, full purpose remains obscure and the identity of the victims and attackers remain unknown."


Apple planning to launch new Mac minis?

Apple also planning new Mac minis for launch alongside smaller iPad.

Alongside the smaller iPad, Apple plans to announce a new version of its Mac mini. Sources say that these Mac minis will come in two standard configurations, with different storage and processor options, and a third model that runs OS X Server.

These new Mac minis are said to begin shipping immediately after announcement. Apple last redesigned the Mac mini with a unibody aluminum enclosure in 2010, and last updated the computer with faster processors last summer. These current Mac minis are on last-generation chipsets and lack USB 3.0, so we should be seeing those components updated in these new models.


How to invoke alerts from the OS X Terminal

If needed, you can have the Terminal alert you when a process or script is complete.

When you run a script or command in the OS X terminal, it can be useful to have some indication for when it is completed, especially if the script is a lengthy process you might not wish to monitor at all times. Unfortunately when a script or command finishes running, the Terminal will drop you to the command line again, without any notice to you. However, if needed, you can set up the system to run commands so it does offer some notification.

System alerts
The first option is to have the terminal invoke the system alert after the command is finished. The system alert sound can be invoked from the Terminal by running "tput bel" at the command line, which can be put after a script or other command in a one-line command sequence similar to the following:

top; tput bel

In this sequence, the first command is run (in this case "top" to view system process status), and when it completes, the command after the semicolon will run. In this case, the terminal will have the system alert sound play.

Speak a phrase
The second option is similar to the first, but uses a different audible alert. OS X provides an integrated text-to-speech technology that can be invoked from the command line using the "say" command, so for instance to have the system speak some text, simply run the following command in the Terminal:

say "Your script is done"

Using this command in a similar manner as the "tput bel" option above, you can have the system speak a custom phrase when the terminal command or other process you are running is completed.

Invoke notifications
Unfortunately the above options will only run once. While you can put the audible alert command along with the terminal's "sleep" command in a script that loops them indefinitely and then invoke this script in order to maintain the alert indefinitely, there is another cleaner option available that makes use of Mountain Lion's notification system.

  1. Download terminal-notifier and place the program in your Utilities folder.
  2. Create a terminal alias to the program's executable by running the command "pico .bashrc" and when the editor opens add the following line to it:

    alias terminal-notifier=/Applications/Utilities/

    NOTE: while the alias "terminal-notifier" is used here, you can use any alias string you would like
When this is complete, you will be able to run the terminal-notifier utility from the command line. There are some complex options you can use for customizing notifications (which you can see by running "terminal-notifier" by itself in the Terminal), or you can invoke a basic notification by running the following:

terminal-notifier -message "Script Complete"

With this command now available, you can similarly invoke it sequentially after you run a lengthy script or command, and thereby have the system output a custom alert notification when done. For example, the following command will run the "top" process viewer program, and when the program is quit the system will issue a notification that reads "Top Completed."

top; terminal-notifier -message "Top Completed"

The terminal-notifier utility is required for invoking Mountain Lion's built-in notifications; however, if you do not have Mountain Lion or prefer not to use Notification Center, then you can alternatively install the popular notification system "Growl" and use the "growlnotify" command to perform a similar option. First install Growl and then install GrowlNotify, and then you can run a basic notification using the following terminal command:

growlnotify -m "Script Complete"


Friday, October 12, 2012

Mozilla rereleases Firefox 16 after fixing critical flaw

Browser was pulled from download after only a day, to fix bug that could reveal which Web sites a user had visited.

Mozilla released a new version of Firefox (Windows, Mac) today, one day after yanking the Web browser to address security flaws.

Firefox 16 was pulled off Mozilla's installer page yesterday, just one day after its release, to fix a vulnerability that could have allowed a malicious site to identify which Web sites a user had visited, said Michael Coates, Mozilla's director of Security Assurance. The flaw was publicly disclosed yesterday by security researcher Gareth Heyes, who published proof-of-concept code to demonstrate the vulnerability.

Though Mozilla said it had no evidence that the vulnerability was being exploited in the wild, the company recommended that users who had upgraded to version 16 downgrade to version 15.0.1, which was deemed unaffected by the flaw.

At noon today, the new version -- Firefox 16.0.1 -- was released to Mozilla's upgrade servers and was pushed to users who had previously downloaded Firefox 16. A fix for the Android version of Firefox was released last night.

Mozilla also provided more information about the nature of the flaw, which it rated as critical.

"Mozilla security researcher 'moz_bug_r_a4' reported a regression where security wrappers are unwrapped without doing a security check in defaultValue()," Mozilla said in an accompanying advisory. "This can allow for improper access to the Location object. In versions 15 and earlier of affected products, there was also the potential for arbitrary code execution."

The new version of the Web browser landed Tuesday with support for HTML5, indicating that Mozilla has decided it has matured enough to run in the browser without causing instability. The new version includes CSS3 Animations; Transforms; Transitions; Image Values; Values and Units; and IndexedDB.


Mozilla 'temporarily' pulls Firefox 16 to address security flaw

Out in the wild just a day, the new browser version is expected to get an update tomorrow to fix an apparently serious vulnerability.

Just a day after its debut, Firefox 16 has been "temporarily removed" from Mozilla's installer page while it addresses what is apparently a serious security flaw in the browser's latest version.

"The vulnerability could allow a malicious site to potentially determine which websites users have visited and have access to the URL or URL parameters," Michael Coates. Mozilla's director of Security Assurance, said on the company's security blog. "At this time we have no indication that this vulnerability is currently being exploited in the wild."

Mozilla is currently working on a fix it expects to ship to users tomorrow, Coates said. But in the meantime, Mozilla is recommending that users downgrade to version 15.0.1, which he said was unaffected by the flaw.

"Alternatively, users can wait until our patches are issued and automatically applied to address the vulnerability," Coates wrote.
The new version of the Web browser landed yesterday with support for HTML5, indicating that Mozilla has decided it has matured enough to run in the browser without causing instability. The new version includes CSS3 Animations, Transforms, Transitions, Image Values, Values and Units, and IndexedDB.


Mount network shares privately in OS X

You can prevent mounted network shares from showing up for other accounts in OS X.

In order to mount a shared network folder in OS X, in general you first open a Finder window, where you will see a list of systems that are broadcasting network services, and upon clicking them you can provide authentication information to connect and mount their available shares.

When you mount a shared folder in this manner, the system uses a global mount point (within the hidden /Volumes directory at the root of the boot drive) to access the shared folder. This mount point can be seen by selecting Go to Folder from the Finder's Go menu and then typing in "/Volumes" to reveal the hidden Volumes directory. In here you should see internal hard-drive volumes such as those for your OS X installation and perhaps Boot Camp, and any other mounted volumes on locally attached drives (i.e., those on USB or FireWire drives).

The use of this mount point is convenient, but it does have one potential drawback in that mounted shares will at least be visible if not readable to any account on the system. Therefore, if you have two users logged into a system and you mount a network share in your account, then the share will show as being mounted in the second account. Luckily most permissions setups prevent the second user from accessing the share simultaneously, but despite this, the user can unmount the share from the system.

To prevent such access or even have the mounted network drive be detected by another user on the system, you can mount the share privately by using a mount point within your user account instead of a global one that is accessible by all accounts. To do this, you will first have to create a mount location in a convenient place, and then instruct the system to use that for mounting your network share.

Get the server and share name

To mount a share privately, you will first need to know the server name or IP address, and then the name of the shared folder you are trying to mount. In addition, you will need to know if it is a Windows machine or a Mac that you are connecting to. The name of the server can usually be the name seen in the Finder's sidebar, after making a couple of modifications to the name. First take the name and remove any punctuation, followed by replacing spaces with dashes, and finally appending the word ".local" to the end of it. For example, one of my Macs is called "Topher's Mac Mini," so the name to use for accessing it on the network would be "tophers-mac-mini.local."

In this case, the server is a small Mac Mini running OS X 10.7, and I am trying to connect to my personal home folder on this system.

Create a mount point

The next step is to create a mount point to use. You can create a mount point anywhere on the system for which you have access, but I prefer to use a mount point in the user home folder, so go to the Finder and create a folder called "mount" at the base of your home directory.

Mount the share

The last step is to mount the shared folder at the newly created mount point, which will need to be done via the Terminal by running one of the following commands:

For OS X shared folders:
mount_afp -i afp://user@server/share mountpoint

For Windows shared folders:
mount_smbfs smb://user@server/share mountpoint

In these commands, replace "user" with your username that you use to log into the systems, and then replace the "server" and "share" with the respective names determined in step 1 above. For the mountpoint, you can use "~/mount" to target the mount point we created in step 2, but you can use any other folder as a mount point by typing a space after the share name and then dragging the folder to the Terminal window (this will enter the full path to the folder).

When finished the command should look something like the following:

mount_afp -i afp://tkessler@tophers-mac-mini.local/tkessler ~/mount

Upon executing the command and providing the log-in password when prompted, the remote folder "tkessler" (my home folder on the Mac Mini) will be mounted in the newly created "mount" folder in my local home directory. From here I can access it as I would any other mounted network share, but it will only show up for my account.


Thursday, October 4, 2012

Use Wi-Fi diagnostics to find active Bonjour services in OS X

Mountain Lion has an easy way to look up all available Bonjour services, if needed.

Apple's Bonjour service in OS X is a convenient zero-configuration autodiscovery technology that allows the operating system to locate and present various network services available to you. For example, if a computer on the network has file sharing available, then the system will discover that and make it available in relevant areas of the system such as the Finder, and also allow your system to easily discover shared printers, remote log-in capability, screen sharing, and similar services the remote computer may have enabled.

While convenient, most of the services that Bonjour broadcasts are contextual, meaning that they only appear on your computer in the relevant programs and features that support them. For instance, if a system on your network has remote log-in enabled then you can detect the remote log-in broadcast by opening the Terminal utility and choosing its New Remote Connection option, but otherwise you wouldn't be aware that this broadcast is available.

This contextual nature of Bonjour services can be considered convenient, as it only shows available servers in relevant contexts. However, you may wish to check what services are being broadcast by Bonjour, both by your system and others on the local network.

One way to do this is to use the "dns-sd" command in the Terminal, which can identify Bonjour broadcasts on a network. In order to use it you will need to specify the services you are looking for. For example, if you wish to search for systems that have remote log-in enabled (the SSH service), you would use the following command:

dns-sd -B _ssh

In this case, the "_ssh" service name is easy enough to remember, but others like "_afpovertcp" for file-sharing services are not so intuitive or easy to remember. As a result, using this feature may not be the best approach if you want to figure out what Bonjour services are available to you in general. Even if you use OS X features such as the Terminal's New Remote Connection option and the Finder to identify the available Bonjour services that they can handle, you may overlook others like iTunes music sharing, which only shows up in iTunes.

Luckily if you have Mountain Lion installed on your system then Apple includes a way to easily look up all Bonjour services that are presented on the local network. One of the updated features in Mountain Lion is Apple's Wi-Fi Diagnostics utility, which in its latest version includes a Bonjour Services browser. To access this browser, open the utility from the /System/Library/CoreServices/ folder or hold the Option key before clicking the Wi-Fi menu bar icon, and you will see an option to open the Wi-Fi diagnostics. In this utility, press Command-7 or choose Bonjour Services from the View menu, and the tool will list each service that is available from computers on the local network.

Not only can you list the services in this utility, but you can also connect to them by clicking their icons, which should open the handling program for the service (such as Screen Sharing to open VNC connections) and establish the connection.


Tuesday, October 2, 2012

Time Machine running slow after OS X 10.7.5 update

Disabling and re-enabling Spotlight indexing of the drive may help.

After installing the latest OS X 10.7.5 update for Lion, a number of users are finding their Time Machine backups are taking forever to complete. In some cases the backups only run at a few kilobytes per hour, with text claiming that the backups will take between days to weeks to complete. People report this issue occurring with a variety of Mac models and backup setups, including backing up to local drives and to Apple's Time Capsule devices.

In addition to Time Machine running slowly, those experiencing this problem have noticed Spotlight also takes forever to update its index of the hard drive.

A few people have tried reverting to OS X 10.7.4 by restoring a backup of their system, and noticed Time Machine and Spotlight immediately started working at expected speeds, suggesting the issue is with the OS X 10.7.4 update.

In addition, others who have played around with the problem have noticed the slow activity with both services appears to be primarily when Spotlight indexing is active, suggesting the problem is specific to that service instead of to Time Machine.

And in fact, users have found that at least for now you can get Time Machine backups to work by disabling Spotlight indexing of the drive, so if you are having troubles with Time Machine being slow then you might try one of the following approaches:

Remove the Spotlight index

This issue may simply be a fault with the existing Spotlight index on the hard drive, so you might first try removing it to see if upon rebuilding the index the system will respond faster when both indexing and backing up. To do this, open the Terminal utility (in the /Applications/Utilities/ folder) and run the following command (provide your password when prompted):

sudo rm -rf /.Spotlight-V100

NOTE: copy and paste this command to make sure its structure is intact. There should be absolutely no spaces after the slash in this command.

Spotlight privacy lists

Another approach to removing the Spotlight index is to make use of the Spotlight privacy list, which will prevent a specific drive or folder from being indexed and included in search results. Open the Spotlight system preferences and click the Privacy tab, then drag your hard drive and any other local hard drives to the list. When finished, have Time Machine back up to see if it runs faster, and then remove the drives from this list to see if the Time Machine performance remains high.

Disable indexing on a per-drive basis

You can also disable Spotlight indexing to prevent the service from running, and do so on a per-drive basis. To do this, open the Terminal and type "sudo mdutil -i off" followed by a single space. Then drag your hard drive to the Terminal window and press enter to execute the command. After this is done, repeat this process for other drives on your system.

In addition to using this method to turn off indexing, you can run the same command to delete the spotlight indexes on the specified hard drive by including the "-E" flag in the command, similar to the following (the first will delete the index, the second will additionally disable further indexing):

sudo mdutil -E off /Volumes/drivename

sudo mdutil -E -i off /Volumes/drivename

To re-enable indexing using these commands, repeat them but change the word "off" to "on."

Unload the Spotlight daemon

A last option is to manually unload the background services (daemons) that are responsible for maintaining the Spotlight index. This approach may be better than the first two in that it will keep the current Spotlight index intact and allow you to search, but only prevent updating of the service. To disable Spotlight indexing, open the Terminal utility and run the following command:

sudo launchctl unload -w /System/Library/LaunchDaemons/

To re-enable Spotlight indexing, you can repeat the above command and change the word "unload" to "load," as in the following:

sudo launchctl load -w /System/Library/LaunchDaemons/


SSH tip: Send commands remotely

If needed you can run SSH commands followed by immediately logging out of the remote system.

When connecting to a system remotely using SSH (Secure Shell), usually you provide the SSH command string to log in to the system and then execute commands on the remote system using the current SSH session. This is the standard behavior and is good for performing system management tasks that take more than just a few steps, but sometimes you might only need to log in and run a single specific command or script.

For example, if you would like to check a Mac's process activity by using the "top" command, you would perform the following steps in the Terminal:

Run the command "ssh username@host" to log in to the system

At the command prompt, run "top" to view process activity on the remote system

Exit top and be dropped to the remote command line

Type "Exit" to close the command

This approach is easy enough, but you can also combine these two commands so the SSH session will log in and run the specified command, and then exit so it will not maintain a connection with the remote server. To do this, simply provide the command in quotes following the ssh log-in command, and provide the "-t" flag to ensure proper interaction with the remote system is allowed, if needed:

ssh -t username@host 'top'

If you need to perform multiple commands, you can do so by separating them with semicolons in the command string. Since sudo is often used when running commands in the Terminal, be sure you include the "-t" flag as shown in the command above, otherwise you will not be able to provide the administrative password to the remote system when prompted and it will be shown in the Terminal when typed instead of masked. The "-t" flag is also required if you intend to run commands that require more interaction,such as "top" or similar monitoring services. Without this flag, these commands will output an ever-growing string to the Terminal as they update their output.

This method of issuing commands is convenient, especially if you would like to run a command that takes a while to execute, but don't wish to stay around and wait for it to finish, as might be the case with a backup script. If you run the command this way, when finished the system will drop you back to your local machine and close the remote connection.


Web security protocol HSTS wins proposed standard status

Web sites complying with the policy will automatically prompt browsers accessing it to always interact with it over a secure connection.

A Web security protocol designed to protect Internet users from Internet hijackings due to unencrypted Web sites has won approval as a proposed standard.

A steering group for the Internet Engineering Task Force (IETF) gave its blessing to a draft of HTTP Strict Transport Security (HSTS), an opt-in security enhancement in which Web sites prompt browsers accessing it to always interact with it over a secure connection.

Web browsers complying with the policy will automatically switch insecure links to site to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.

HSTS is designed to deflect HTTP session hijacking, in which limited encryption used on many popular Web sites put user accounts at risk of compromise by someone snooping on session traffic between the user's computer and the site's server. Sites typically encrypt the username and password as they are transmitted, but unless the entire Web session is encrypted with "https," or secure hypertext transfer protocol, someone sniffing the network could capture the cookie information and use that to access the accounts.

Whether the proposal is accepted as a standard depends on its degree of technical maturity and whether there is a general consensus that the protocol provides significant benefit to the Internet community.

The technology is already supported by sites and services such as PayPal, Blogspot, and Etsy. It's also included in the Chrome, Firefox 4, and Opera 12 Web browsers. However, Microsoft's Internet Explorer and Apple's Safari have not yet embraced HSTS.