security

Disable OS X Lion’s “is an Application Downloaded from the Internet. Are you sure you want to open it?” message with Onyx [solved]

What a Vista-like message. Apple warns you every time you open almost any kind of file that was downloaded from the internet, which is MOST files these days. There doesn’t seem to be any way to turn it off. It happens with applications, php files, even HTML and jpg files. As a PHP programmer, I can’t stand seeing this message every time I open files that I coded MYSELF. It severely interrupts my workflow.

The commonly suggested method of using terminal to write to defaults does NOT work for me:
defaults write com.apple.LaunchServices LSQuarantine -bool NO

There is another method of manually removing the quarantine flag of the files that you download each time you download them, but this would take more time than just clicking ok in the stupid dialog.

What did work for me was downloading the latest version of Onyx and unchecking the internet warning checkbox. Thank you, Titanium Software!

Note that this does make your computer more susceptible to viruses and trojans if you visit risky sites or blindly open unknown applications. For users like me, this is preferable to the condescending, workflow-interrupting dialogs Apple has been increasingly favoring lately.

Cancel or Allow?

Create an encrypted folder with OS X Disk Utility [Solved]

I run several servers on my mac, and worry about getting hacked or accidentally sharing sensitive files. In addition, I worry about sensitive files when I take the computer in for tech support, or when others use my computer. Documents such as my tax files contain my social security number.

I don’t have to worry any longer (until AES is cracked, anyway), because it is easy to create an encrypted disk image on OS X. I followed the instructions here:

http://blog.smalldog.com/article/1814/use-disk-utility-to-encrypt-files/

I chose a 2.5 GB image, which automatically suggested a CD/DVD type partition. I’m not sure what partition type to use but don’t think it matters. These were the settings I used:

This will create a .sparseimage file. Sparse images are nice because they don’t actually take up their entire hard drive space until they’re filled with contents.

Note that after you drag the files in, you still have to delete the originals. Then when you eject the encrypted image, they are protected. When you double click on the image again, it will ask you for your password. Don’t forget this password, because it is impossible to recover!

I used spotlight to search my computer for files containing my passwords or social security number. If they were necessary, I dragged them in here, otherwise I deleted them.

Check for open logs running on OS X, Unix or Linux [solved]

Use this command to find the log you’re looking for:
lsof | grep -i log

On OS X, typical directories I look in are /var/log/, $HOME/Library/Logs/, and /private/var/log/.

‘No access’ greyed out for user Everyone in Leopard File Sharing [unsolved]

This is a follow-up to my previous post about locking the system out of itself by trying to set “Everyone”’s privileges to “no access” via Get Info.

I recently discovered that my file sharing is not behaving like it is supposed to. “Everyone” having “read only” access indeed SHARES ALL OF MY FILES with read-only access and no password required. If you try to set “Everyone” to “no access” via Get Info like I previously described, Leopard fails to launch when you reboot and the Leopard install disk cannot repair the permissions. (See my previous post for my fix.)

But when I try to change the read-only access for Everyone, “no access” is greyed out:

Leopard does not let you choose no access for Everyone

This is a huge bug, Apple!! Leopard has downgraded the ability to share files with a password.

mod_security won’t let you post [solved]

In my last post, I kept getting this error when I clicked Publish in wordpress:

Error 406, Not Acceptable. An appropriate representation of the requested resource /wp-admin/post.php could not be found on this server.

It turned out my host was running mod_security and there are certain phrases it won’t let you publish. It’s censorship, but I understand why they do it. I was talking about the most dangerous command you can run in unix:

sudo rm -rf

That’s what triggered it. I had to obfuscate the text in that entry and this one just to be able to post it. (View the source of this page to see what I mean).

If you’ve been able to post normally and suddenly you can’t and are getting this error, check for weird linux commands or files in your post that could be triggering this.

Permissions error SNAFU causes Leopard not to boot [solved]

Update: This is a bigger bug than I thought.

I just went through a nightmare of permissions errors that caused my computer to stop booting for several hours.

I was trying to share my whole hard drive, and not just my home folder. I went to System Preferences > Sharing > File Sharing and added my hard drive as a shared folder. I noticed that all my shared folders had these sharing permissions:

Me: Read & Write
Users: Read & Write
Everyone: Read Only

It freaked me out that everyone would have read access to my drive; this sounded like OS X’s guest access. (Update: This IS OS X’s guest access, sharing all of your files with no password!) Furthermore, it wouldn’t let me select no access, so I was ([RIGHTFULLY]) worried that my drive was open to the public.

In finder, I used get info and saw similar permissions:

Sharing & Permissions:
System: Read & Write
admin: Read & Write
everyone: Read only

Since it says “Sharing” above it, I clicked the lock to unlock, authenticated, and changed everyone’s access from “read only” to “no access”. Oops.

Clearly this is for general filesystem permissions and not for AFP file sharing. First, I couldn’t install a software package (it hung on examining additional volumes…). So I tried to reboot, and my computer hung on the grey screen with the little spinny dots circling around themselves. I’d just locked my system out of itself.

I tried booting into single user mode (hold down command S) and running fsck to fix the drive. No dice.

Then I booted with the Leopard install disk. I ran Disk Utility and tried to Repair Permissions. It failed, saying something like “Unsuccessful – an internal command reported failure”. The same thing happened with Check Permissions. Crap.

I tried booting with the Techtool Deluxe CD that comes with Applecare, but apparently this isn’t even compatible with Leopard — it wouldn’t even boot to CD for me, on several tries.

I tried some of the steps from the article Unable to move, unlock, or copy an item in Mac OS X:

cd /Library/Preferences/SystemConfiguration
defaults write /Library/Preferences/SystemConfiguration/autodiskmount AutomountDisksWithoutUserLogin -bool true

Next it said to run

sh /etc/rc

but in Leopard there is no rc in /etc/. So much for that.

By the way, in the article Troubleshooting permissions issues in Mac OS X, it says

1) open Terminal
2) type: sudo rm -rf.

I don’t care what it says, NEVER RUN THIS COMMAND. That’s the most dangerous command you can run in unix.

Anyway, finally, I took it into my own hands: I booted into single user mode, and typed

chmod -R 777 /

This would recursively give everything access to everything and is the loosest form of permissions I could think of. It would screw up all of OS X’s permissions, but hopefully it would at least give OS X access to the drive again and disk utility could fix them.

Disk utility was able to run and spent a couple hours fixing permissions on the drive. After that I was able to boot again. Yay! I went back and changed the everyone permission on Macintosh HD to read only.

I got several kernel extension errors – OS X complained about not being able to load my MOTUFireWireAudio.kext extension (for my firewire audio interface), LittleSnitch.kext (little snitch), and fusefs.fs (NTFS mounter that parallels uses to mount XP drives). For the kernel extensions, I used terminal and typed:

cd /System/Library/Extensions

The extensions mentioned above had the wrong permissions (still 777). I think this is because they didn’t come with OS X by default so repair permissions didn’t know what to do with them. So I typed:

chmod -R 755 MOTUFireWireAudio.kext/
chmod -R 755 LittleSnitch.kext/

And they worked better. These files are actually OS X packages / directories, hence the trailing slash and the -R flag. My MOTU driver started working but wouldn’t open the configuration application automatically, so reinstalling it and rebooting fixed it.

You can also test your kernel extensions by running:

kextload -t MOTUFireWireAudio.kext

for example. That gave me verbose output that the permissions were wrong.

I reinstalled parallels but fusefs.fs still wasn’t loading. So I typed:

cd /Library/Filesystems
chmod -R 755 fusefs.fs

Reinstalled parallels again, rebooted, and it worked.
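Added example (not code from the original post): a small Python audit for the kext-permission problem described above. It walks a bundle directory, reports every entry that is group- or world-writable (the state a blanket chmod -R 777 leaves behind and that kextload rejects), and can clear those bits, turning 777 into the 755 used in the post. The bundle name Example.kext and its contents are constructed stand-ins, not a real extension.

```python
import os
import stat
import tempfile

# Write bits for group and other: a kext with either of these set is
# refused by the loader, which is the error the post hit after chmod -R 777 /.
FORBIDDEN = stat.S_IWGRP | stat.S_IWOTH  # 0o022

def loose_entries(root):
    """Return (path, mode) for each file or directory under root whose
    group or other write bit is set. Symlinks are skipped, not followed."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & FORBIDDEN:
                found.append((path, stat.S_IMODE(mode)))
    return found

def tighten(root, dry_run=True):
    """Clear group/other write bits on every loose entry (777 becomes 755,
    666 becomes 644). Returns a list of (path, old_mode, new_mode); with
    dry_run=True nothing on disk is changed, so the result is a preview."""
    changes = []
    for path, old in loose_entries(root):
        new = old & ~FORBIDDEN
        if not dry_run:
            os.chmod(path, new)
        changes.append((path, old, new))
    return changes

def build_sample_tree():
    """Constructed stand-in for a bundle under /System/Library/Extensions
    caught by the recursive 777 (hypothetical name, not a real kext)."""
    root = tempfile.mkdtemp(prefix="Example.kext")
    os.makedirs(os.path.join(root, "Contents", "MacOS"))
    for rel in ("Contents/Info.plist", "Contents/MacOS/Example"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    for dirpath, _dirs, files in os.walk(root):
        os.chmod(dirpath, 0o777)
        for f in files:
            os.chmod(os.path.join(dirpath, f), 0o777)
    return root
```

Run `tighten(path, dry_run=True)` first to see what would change, then again with `dry_run=False` to apply it.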

I think things are ALMOST back to normal! Jeez. Lesson learned: Don’t freak out if you see “everyone” having “read only” access in sharing system preferences. It refers to linux permissions, not to Mac OS X’s guest file sharing access. Lesson Learned: If you have this bug there is no way to securely share your files in Leopard, and trying to change the permissions for user “Everyone” with get info may hose your system.

Vine Server Security Exploit and Leopard Incompatibility [unsolved]

I’m not happy with Leopard’s built-in VNC server – no clients can seem to connect to it. Some clients can connect if you set the color settings to full color or automatic color, but then it’s slow and unresponsive.

So I was surfing around for free OS X VNC servers and tried Vine Server:

OS X Vine Server (formerly osxvnc)

When you launch the app, the server starts immediately with no password protection. I did set a password, and it worked decently. Then I tried launching the server as a system service, and the application crashed. It would neither force quit nor respond so I just left it alone.

Then, this morning, I saw someone connect and move my mouse around. The computer would “wake up” when they connected and they tried to go to the address bar in Safari and double clicked. I immediately unplugged the ethernet and rebooted, and then uninstalled the program.

I wrote about the bug here:

Vine Server Security Exploit

I’m not sure if this is a bug similar to RealVNC’s authentication vulnerability or if the combination of Leopard incompatibility / default blank password bug was the problem, but in any case I recommend NOT using this program until this is fixed.

This is the second time I’ve personally been hacked via VNC. The first was in a different part of the country, two years ago, on a PC using the RealVNC exploit. Clearly people have VNC scanners and search for open computers. I recommend NOT using the default port 5900, and testing your computer thoroughly for security.

I’m still looking for a good free remote desktop app for OS X. I like Timbuktu but hate having to install the client everywhere. They should really make a web based client for it.

Solving the previous post: getting rid of the backdoor.generic2.vlu virus [solved]

So after three virus scans, AVG Free was able to detect the virus wreaking havoc on my computer.

Thanks to this forum on hardwareanalysis.com for helping me solve this problem. Those guys really are experts on XP and have helped me with two very complicated issues for free.
Norton Antivirus didn’t detect this virus and in fact was disabled by it; Trend Micro’s Housecall did not pick it up, and even AVG Antivirus’ Trial Edition didn’t find it! After a full scan with AVG Trial edition, I uninstalled it after hearing about the Free edition, and the free edition detected it immediately!

The error I got was:

“You have a virus!
backdoor.generic2.vlu
C:\System Volume Information\restore_1\lsass.exe
Ignore | Info | Move to Vault | Restore access”

Lsass.exe is a legit process to be running, but only if there’s one copy and it’s in c:\windows\system32. Mine was in System Volume Information, which is impossible to access because it is where XP keeps its restore points. AVG’s undocumented ‘restore access’ button opens up XP’s System Restore preference pane, which allows you to turn off system restore, which (for better or for worse) deletes all system restore points. Doing this fixed my computer.

So the repair install was unnecessary and did not fix my computer, and it’s amazing that Norton, Trend Micro and AVG’s pay edition could not pick up this virus. I guess the best things in life really are free!

Here is the letter I wrote to AVG.

I think Norton is acting fishy [unsolved]

My Windows XP Machine is acting fishy. I installed the google pack, a software package that includes google desktop, firefox, google earth, picasa, and norton antivirus, and things have started going wrong with norton antivirus.

I also installed google pack on a different PC and had the same thing happen. First Norton has an error like “Norton encountered an internal error and needs to close. Please reinstall norton antivirus.”

I also get the error when opening word documents or running the symantec autofix tool: “Norton Does not support the repair feature. Please reinstall norton antivirus.”

Then, programs will start to fail. After being left idle for about 15 minutes, the internet will fail. Launching programs will give you a file not found error. Rebooting fixes the problem.

On my main PC, I tried several times uninstalling norton antivirus and google pack. Norton still persists, giving me several errors including the amusing “this program was installed with [cobrandedpackagename]. Please uninstall [cobrandedpackagename] as well.” (Brackets included in the error message.) Now it says “The installation is missing the file instopts.dat. Setup will now exit. For more information, please visit wwww.symantec.com/install” [sic].

I’ve done an online virus scan with Trend Micro HouseCall, which didn’t find much. Programs like McAfee Internet Security and Personal Firewall are also not working now, and their uninstalls failed.

Certain run commands do not work anymore, such as cmd.exe and compmgmt.msc. Browsing to their location and double clicking does not work either. I get the error “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the file.”
I read here that nconvert.exe can generate this error for cmd.exe if it does not have the right permissions. However, I can’t find this file.

My user accounts window was completely blank, until I read here that running “regsvr32 jscript.dll” will solve this issue.

However, now that I can access user accounts, it looks like my account is completely normal, administrator with all rights.

I guess my next step is to find my hard drive device driver and do a repair install of windows.

–Update-

I read that the Sircam worm can corrupt rundll and .exe files, especially if you try to repair it with Symantec Norton, but their removal tool scanned my machine and couldn’t find it.

I didn’t want to run a system restore because I’d uninstalled antivirus programs and was afraid this would give me all sorts of errors (it has in the past). So I dug up my SCSI/Ultra ATA hard drive drivers and did a repair install of Windows.

47 updates later, it looks like I’m running smoothly again. I think I’ll try McAfee instead of Norton.

I may have had more luck fiddling with permissions before doing the reinstall. I didn’t try these but it looks as though there are some fixes on this page:

http://www.kellys-korner-xp.com/xp_tweaks.htm

It also had a replacement cmd.exe that worked for me when my system was acting up. It’s a useful resource.

Even though my computer’s normal again I’ll leave this as unsolved because I don’t know what caused the problem.