Apple Mail and its security.

March 31, 2007 on 10:41 am | In Apple, Security

Apple’s Mail client, aptly named Mail, is pushing closer towards more HTML email content with every major release of OS X. HTML email is a bit of a cinch, as a lot of people use cleartext clients (I set my Gmail to it), but most importantly, it’s a security issue. This wouldn’t be the Cocoia blog if we didn’t investigate what risks could go with Apple Mail’s HTML email facility.

First of all, a bit of background: Safari, Apple’s browser, uses the WebKit rendering engine. WebKit has seen its share of exploits, as any HTML rendering facility has. Apple Mail embeds WebKit to render its HTML content. This is nicely illustrated when you go to a page in Safari: from there, you can easily turn the page into an email (something I did for my mass-mailing of beta invites in HTML format).

So, what could ever go wrong? First and foremost, a major issue that isn’t yet solved in any email client: Spam.

Any spam email you read that embeds images or other web-based content from an external link can be used to track your IP address and to confirm that you read your email. We all know the links at the bottom of spam that ‘allow you to no longer receive emails from this address’. It’s a great way to determine whether someone reads the spam. The same goes for HTML email: the moment the client fetches the remote image, the sender’s server sees your address and knows the message was opened. For this reason, Gmail doesn’t load images automatically. EDIT: Mark Rowe (from the WebKit team) has commented that Mail doesn’t do this either. Kudos, although I have found that all users around me have the setting in the ‘Viewing’ preferences, ‘Display images’, enabled.

XSS in JavaScript can do some nasty stuff. I am a fanatic reader of the great ha.ckers security blog, and it often has great in-depth articles about the latest disclosed problems with cross-site scripting. Although there is very little on the blog about WebKit, some XSS is actually cross-platform. XSS could be brought to you with HTML or embedded content like images and JavaScript. EDIT: Mark pointed out that JavaScript doesn’t work in mail content. Avenues for HTML-only attacks aren’t transparent to me, and I hope Mark can give me more insight on this.

QuickTime exploits are common. WebKit is integrated with QuickTime, allowing for inline rendering of videos and audio files. QuickTime is really a piece of software that gets patched with every minor update of OS X. Over this attack vector, one could easily try a mass attack. Remember that the sender’s email address itself doesn’t even need to be valid; only the attached content that you will be executing does. EDIT: Mark pointed out that QuickTime doesn’t work embedded, but it does in attachments.
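The three avenues above (remote fetches, script, embedded media) can be checked for in a message before it is ever rendered. The following Python script is an added example, not code from this blog or from Apple Mail: it walks a MIME message, pulls out the HTML part and reports externally hosted resources (exactly what the ‘Display images’ preference controls) along with script and embedded-object tags. The message it scans is constructed for the example; every hostname in it uses the reserved .invalid domain.

```python
"""Flag remote-content and active-content risks in an HTML e-mail.

Added example (not code from the Cocoia blog or from Apple Mail): a small
defender-side scanner that walks a MIME message, finds the text/html part
and reports the kinds of content the post warns about: externally hosted
images and other remote resources (tracking beacons that leak your IP
address and confirm you opened the mail), script, and embedded media or
plugin objects. The sample message below is constructed for this example.
"""
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: a two-part message whose HTML part carries a 1x1
# remote "tracking pixel", a script tag and an embedded QuickTime object.
SAMPLE_EML = b"""From: news@example.invalid
To: you@example.invalid
Subject: Newsletter
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain text version.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello <b>reader</b></p>
<img src="http://tracker.example.invalid/pixel.gif?id=42" width="1" height="1">
<img src="cid:logo@local">
<script src="https://cdn.example.invalid/x.js"></script>
<embed src="http://media.example.invalid/clip.mov" type="video/quicktime">
<a href="http://example.invalid/unsubscribe?u=42">unsubscribe</a>
</body></html>
--b1--
"""

# Tag/attribute pairs that make the client fetch something on render.
FETCHING_TAGS = {
    "img": "src", "iframe": "src", "script": "src", "embed": "src",
    "object": "data", "link": "href", "video": "src", "audio": "src",
}
# Tags that execute code or hand data to a plugin rather than just draw.
ACTIVE_TAGS = {"script", "object", "embed", "iframe"}


class RiskCollector(HTMLParser):
    """Collect remote fetches, active content and plain links from HTML."""

    def __init__(self):
        super().__init__()
        self.remote = []   # URLs fetched automatically on render
        self.active = []   # tags that run code or invoke a plugin
        self.links = []    # hyperlinks, only fetched when clicked

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        if tag == "a" and attrs.get("href", "").startswith(("http://", "https://")):
            self.links.append(attrs["href"])
        attr = FETCHING_TAGS.get(tag)
        url = attrs.get(attr, "") if attr else ""
        # cid: references point at attachments inside the message and load
        # locally; only http(s) URLs cause a request to an external server.
        if url.startswith(("http://", "https://")):
            self.remote.append(url)


def html_part(raw: bytes) -> str:
    """Return the decoded text/html body of a raw RFC 822 message, or ''."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def scan_message(raw: bytes) -> dict:
    """Report what the mail would do if rendered with remote loading on."""
    collector = RiskCollector()
    collector.feed(html_part(raw))
    return {
        "remote_fetches": collector.remote,
        "active_content": collector.active,
        "links": collector.links,
        # Tracking is possible as soon as one remote fetch happens on open.
        "tracks_on_open": bool(collector.remote),
    }


if __name__ == "__main__":
    for key, value in scan_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run against the constructed message, the report lists the tracking pixel, the remote script and the QuickTime embed as automatic fetches, flags `script` and `embed` as active content, and leaves the unsubscribe link in a separate bucket because a link only fires when clicked. The `cid:` logo is deliberately not reported: it is an attachment inside the message and never reaches an external server.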

With only these three major issues listed, it already shows the risks you are taking by using HTML email on your Mac, or any other OS. With Windows it’s, of course, a lot more risky, but I really don’t deal with Windows. I suggest everyone closely scrutinize their own needs to see if they really, really need HTML email, and if they do, to only open HTML email from a trusted and verified source.

The Cocoia Blog; now with 100% new look.

March 30, 2007 on 10:19 pm | In Announcement, Design, Personal Work

So long, dark black glossy design of March. The Cocoia Blog April design is here! Expect a black and white theme switcher soon, as I am just too lazy and occupied to do that right now. What strikes me most right now is how legible my blog has become with this black-on-white scheme. Like it? Dislike it? Drop me a line.

Rest in peace, March Design.
Cocoia Blog (20070331) 1.jpg

The well-defined need for war.

March 30, 2007 on 2:02 pm | In Ramblings

I’ve seen “Why We Fight” a few days back, and it’s a strong, pretty unbiased documentary on the US ‘Military Industrial Complex’. As a character who later burned himself to death with gasoline on the streets said in Linklater’s Waking Life (a movie): “I believe all these wars, disasters and famines meet well-defined needs.”

And it’s a scary thing to realize, but that’s just that. We’ve become entangled, globally, in an arms race to an unattainable goal: making money. While our society itself is already thriving on people’s misery (let’s say you’d want to feed the world; then we’d have to make some serious compromises), we are also enriching ourselves with war. The United States is, of course, a prime example of a state that has been thriving on war, misery, and death for its entire life-span, and Europe, the birth-ground of this entire cultural phenomenon, hasn’t become pacifist in the last 60 years either. The refusal from all sides to renounce nuclear weapons, and the ever more rapid and spontaneous armament of nations across the globe, is an increasingly alarming signal we have to take seriously. I don’t consider anyone reading my blog to be ignorant enough to truly believe in the threat of terrorism. It’s no new threat, and it’s been debased countless times; it’s not a ‘threat’ to us in its form today or yesterday, not even in statistics.

Global warming, and global uptake of weapons, are fundamental threats to our existence. Increasing numbers of Orwellian laws in, by now, almost all of our ‘first world’ countries being introduced to fight off ‘terrorism’, is a fundamental threat to the way society is today. At the moment, history is balancing on a thread; either we plunge into our own history of bloodshed, regressing into more fundamental religious beliefs, the dismissal of science or the distortion of it, and a controlling state that thrives ever more on war, or we plunge into a controllable, but fierce struggle with the issues man created. Our world is knocking on our door, and we can’t keep it out much longer.

I often feel powerless about the situation around me. I have seen the politics in the Netherlands (for those who still don’t get it, I live there) grow ever more conservative, discriminatory (foreign policy, foreigners) and religiously oriented. It’s startling that 30 years ago, a political party in the Netherlands that suggested re-introducing mandatory ID checks would have been branded fascist. Today, everything including tapping all communications, storing even the most profiling data on people in a centralized fashion (the exact thing that caused the most devastating effects of the Holocaust in the Second World War), or extraditing people who know only Dutch culture to Iraq or Afghanistan, has become a facet of the times. We look upon China with disgust because of true censorship, but in my country the secret service has tapped media, lawyers and newspaper journalists, or even prosecuted them with this information. All with the great laws that will, one day, allow us to stop terrorists in their tracks.

All I ask of you, is that when you turn on the TV next time, and look at those images, of suicide bombings, wars, and famines, just realize that there are people that profit from this. There are societies that profit from this. Don’t look upon corpses and explosions with a perspective of ideals and motives, but a goal. There is only one goal, and that is to keep US in power. WE are the power of the Earth, and the throne is going by the heat of our own fire. You are one of the people, the reason. We are all the reason. Our legacy is coming, for the Earth, for our race, as humanity. In what world do you want your children to live? It won’t be yours.

I’m sorry, Dave…

March 28, 2007 on 12:42 pm | In Personal Work, iSight Expert

hal.jpg

As someone pointed out on Ars Technica, it’s an almost spooky idea to have a program that can act on you appearing. As OS X already has built-in functionality to speak your alerts aloud (on my laptop, it regularly has a ‘discourse’ with me about my battery being empty), the speech synthesis in OS X makes it easier for developers (like me) to add more of those spooky features. With motion detection now out of the box, and face feature recognition around the corner for iSight Expert, I’ve done a bit of work to let it run a saved Quicksilver action when I appear. Now, without further ado, here’s the HALbook.

As you can see, it’s an… er, out-of-the-studio session, and its sensitivity can be set lower so ‘accidental’ motion (which I tested here with the TV) isn’t picked up. More to come as the app progresses.

Personal Productivity Update.

March 27, 2007 on 1:37 pm | In Code, Personal Work, iSight Expert

In the vein of a special day (the CS3 Suite will most likely get released, and I was planning some big updates on my work in Cocoa; yeah, ‘Expert and Praetorian), I wanted to do a little post to tell everyone what I’m up to right now, and what helps me get the job done faster. First of all, a brilliant article, really the eye-opener of the day. I encourage you to digg the article. It’s about Quicksilver, my favorite productivity application. I never even figured that you can store Quicksilver actions, and that using the comma switch (you can add multiple items into a selection that way) you can actually run all those actions in parallel! I’ve got a few personal uses for this, like:

- Make an action that opens my blog’s control panel, MarsEdit (I post with MarsEdit) and the main Yojimbo view (for my blog snippets). Open in one click.
- Open my incoming torrent folder, open Azureus, and make Quicksilver open Finder and do a (CMD+3) to get a convenient list view.
- Save my current working reference documents with comma, save the action to open them with preview on my desktop.
- Open Xcode with GrowlCode and Interface Builder, all on one desktop (VirtueDesktops PyObjC plugin).

and those are just the few I’ve made so far. I can probably find some more innovative uses with the image actions, like scaling and reformatting my images. Ankur, you’re a veritable genius.

Now, I just heard the nice words over at Surfbits’ Macreviewcast, and I am very flattered to have that much attention for my little app. The nice words are a real boost to my working drive. At the moment, I am considering an early preview version, but I really want to give my testers something very feature-rich and stable. I’ll lift a bit of the veil of things to come here…

betapanel 1.jpg

Whazzallthisthen? Well, since I’ve got more than just iSight Expert coming up, and I don’t have all the time in the world to organize reported issues, I decided to build a site that lets you do just that. You will be able to report your issue and back other issues, so I can see how many people are experiencing the same problems.

Why am I so non-verbal about my applications right now? Well, I’ve got website work to do, you know? I just finished the complete design of the two websites (Praetorian and iSight Expert) and I’ll release them by the end of this month, also replacing my blog’s current header and, by massive request, adding a black-on-white layout (comments ranged from “I’d prefer a black on white layout” to “AHH! My eyes are burning!”). So, design-wise, you’ll see a lot of changes. And then what?

I might start releasing the first béta of Praetorian before iSight Expert (Praetorian’s been in development and active testing for much longer than iSight Expert), and then give out a limited promotional alpha to several reviewers, podcasters, developers and academics, before the stable 0.5 public beta. Anyway, as it stands, I have fewer than a hundred béta testers, so there is room for more. You know the address; just let me know if you want in, and of course, any more comments on why, and on your hardware, are all welcome and encouraged.

I want to thank Ars Technica and Macreviewcast for the very nice words and publicity. I’ll be sure to keep you up to date…

Uh?

March 26, 2007 on 10:45 am | In Announcement

My digg account got deleted? According to digg, because of ‘misuse’. I really wonder what I did wrong. If you were to check out my profile… well, you can’t, because it’s no longer there. Um? And when I checked back about 20 minutes ago, it was still there, but then, this morning, a few hours back, it wasn’t. People, uh, what are you doing? I actually read digg’s Terms and Conditions, and I really, really can’t find anything I didn’t adhere to. Email sent, natch.

Anyway, I am putting up a new one: cocoia. Oh, I can’t use my real email, because my account isn’t really deleted (and thus my email address isn’t freed)? Great. I hope I see an answer soon.

Everything old is new again!

CS3 Packaging… Ohh, yummy!

March 25, 2007 on 11:11 pm | In Graphics

cs3.jpg

This is my personal favorite. The graphic design for these prominent applications has really gotten better across the board: icon design, the interface is wonderful, and this. Check it out, see what package you like best.

Review: Security in OS X Leopard Preview Build

March 25, 2007 on 7:04 pm | In Apple, Popular, Security

I’ve got a few friends who develop Apple software for a living (whose names I’d rather not mention here) and run Apple’s developer builds of Leopard for software testing purposes. Every once in a while I come by and test some of my apps, and over the last few weeks, whenever I had some time to spare, I’ve been around the network checking on the security of the latest build, client and server edition. Stability and release date aside, Leopard’s already a very special OS. Apple’s taken a bit of a fright from the last ‘MOAB’ (the Month of Apple Bugs, for the uninformed) and has locked down several portions of the OS. The highlight of my tour was when someone said:

“Hey, Sebastiaan, don’t you, you know… -like- this stuff?” *Points at monitor*
Me: *peeks over and faints*

Here’s what I saw:

Image removed to comply with DMCA notice.

This is the Server Admin management pane for Leopard (people have pointed out this looks the same in Tiger; well, it now does what the GUI says it should do, touché), and although it sucks big-time that there is, once again, a built-in ‘don’t fuck up’ (some fields cannot be edited, including the ICMP rules), look at that! It’s a veritable dashboard for network geeks! Add to that that a Leopard server could sit at home between your modem and your AirPort (slash access point that isn’t Apple), serve anything (VPN, net-boot, files, calendar, weblogs, streaming, RADIUS to secure your wireless, printing, software update deployment and even more), and act as a NAT and firewall that is ultimately configurable. Gee, with all the news of late, I wonder more and more how possible it would be to run this on an Apple TV, or a Mac Mini. The latter must be possible, but the first would be fantastic. I have seen it running on a 0.7 GHz G4, and it was spanking fast.

Now, what runs on these Leopard machines, and is it secure?
Well, to be short: yes. Apple’s done a lot to let the Darwin 9 and up family spare a network administrator some sleepless nights.

First of all, one of my points of critique in my last security articles was that the Firewall preferences were virtually hidden, and disabled by default. Now, following the ‘everything works out of the box, idiot-proof, EXTREMELY friendly citizen in networks’ philosophy, the software firewall still defaults to ‘Allow all connections’, but has more fine-grained controls if the user desires, including a, well, lock-down (disallow all traffic). It’s also housed in the Security preference pane.

Now, since the firewall is hardly the biggest issue in securityland, let’s look at some of the services’ version numbers:

Versioning information removed to comply with DMCA notice.

This looks like a new lineup of software. Especially the FreeRADIUS bundling makes me happy, as it’s becoming an easier technology than ACLs on the access points themselves, or even WPA2 / other ‘pass-phrase’ solutions. It’s fine-grained and gives the end administrator more control over what is happening.

Other ‘little details’ involve the way the firewall handles things. Apple removed controls I discussed in the Advanced panel of Tiger’s firewall: “Stealth Mode” is gone, and “UDP Filtering”, the rather generic button, is gone. You now have the ability to restrict services to the local network, or allow internet access. To my surprise, performing a port scan with nmap yielded all ports filtered but Bonjour. This means that, as it stands now, Leopard is actually OS-fingerprint proof out of the box.
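The nmap result above is worth turning into a repeatable check, so that the same question (“is anything besides Bonjour answering?”) can be asked again after every firewall change. The Python below is an added example, not something from this post or an Apple tool: it parses nmap’s grepable output (-oG) for one host, lists every port nmap did not report as filtered, and compares that against the exposure you intend to allow, which for the out-of-the-box Leopard described here is only mDNS on 5353/udp. The scan output embedded in it is constructed to mirror the post’s result, not a real capture.

```python
"""Compare a host's scanned exposure with the exposure you intend.

Added example, not code from the Cocoia blog or from Apple: it parses
nmap's grepable output (-oG) for one host and lists every port nmap did
not report as 'filtered', i.e. ports that answered unsolicited probes.
Comparing that list against an allow list turns "everything filtered but
Bonjour" into a check you can rerun after every firewall change.
The scan output below is constructed for this example, not a real capture.
"""
import re

# Constructed -oG output: all TCP filtered, only mDNS (Bonjour) answering on UDP.
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, "
    "80/filtered/tcp//http///, 5353/open/udp//mdns///"
    "\tIgnored State: filtered (1997)\n"
    "# Nmap done\n"
)

# A -oG port entry reads port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)//([^/]*)//")

# The out-of-the-box exposure described in the post: only Bonjour (mDNS).
BONJOUR_ONLY = {(5353, "udp")}


def parse_grepable(text: str) -> dict:
    """Map host address -> list of (port, proto, state, service) tuples."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            hosts.setdefault(host, []).append((int(port), proto, state, service))
    return hosts


def exposed_ports(text: str, host: str) -> list:
    """Ports nmap did not mark filtered: these are reachable from the scanner."""
    return [entry for entry in parse_grepable(text).get(host, [])
            if entry[2] != "filtered"]


def unexpected_exposure(text: str, host: str, allowed=frozenset(BONJOUR_ONLY)) -> list:
    """(port, proto) pairs that answer probes but are not on the allow list."""
    return [(port, proto) for port, proto, _, _ in exposed_ports(text, host)
            if (port, proto) not in allowed]


if __name__ == "__main__":
    host = "192.0.2.10"
    print("exposed:", exposed_ports(SAMPLE_GREPABLE, host))
    print("unexpected:", unexpected_exposure(SAMPLE_GREPABLE, host))
```

Feed it the `-oG` file from a scan of your own machine and an empty `unexpected` list means the firewall is exposing exactly what you decided it should; anything else in that list is a service you either forgot about or need to restrict to the local network with the new controls. UDP states such as `open|filtered` are handled by the regex, since nmap reports them that way when a probe gets no answer either way.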

It has been in the news lately that InputManagers no longer work in Leopard. If anyone was wondering whether the loss of InputManagers would really cost Apple’s OS X its bleeding edge in user customization and hacking, Apple has done some input hacking of their own: all Cocoa apps now enjoy inline grammar checking, which must be a service able to vacuum in the data you type. After seeing what service is responsible (this is a joke with Leopard’s new tools), it appears that simply hacking features into the Cocoa functionality will be a lot harder. Apple has hardcoded the spelling and grammar checker into the Cocoa framework itself, ensuring that removing InputManager support won’t break their own features. But is it really that impervious to adding a few hacks? We already know the current builds don’t allow Unsanity apps to do their work, and stuff like Mega-Zoom (a SIMBL plugin) doesn’t work anymore, so yes, it is. Is this really bad news? No. I consider it very good news that runtime code injection isn’t a possibility now. Of course, people will probably start an open, shared framework to put these kinds of services in (like skinning, and changing some of an application’s fundamental workings), but Apple’s own binaries… I think we’ll be seeing a fight over that. Apple has proven to be very unforgiving to people reverse-engineering app files that belong to the Dock or Finder. They discourage the OSx86 project, for understandable reasons. This could, quite certainly, hinder OSx86 hackers and break future exploits.

This already tells us one thing: Leopard will need less hardening out of the box. As I haven’t tested things like Bluetooth (not really available on the hardware I was assigned), I haven’t got a complete image of Leopard’s security, but it does feature some incredibly strong design decisions to harden the OS in advance. Apple isn’t stupid; they know OS X is the base of their users’ experience, and a secure base will ensure Apple stays in line as one of the most secure operating systems running on computers today.

Been a while…

March 24, 2007 on 9:51 pm | In Personal Work

It feels like I’ve been out of it for a week! My streak of daily posts was interrupted yesterday by a very busy day. It’s been a few days of fast development, and to keep you a tidbit informed: the iSight Expert béta gets a little delay from a project that is now almost finished, and in need of my full time:

Picture 7.jpg

On a different note, I am going to get a book on Cocoa programming tomorrow. Does anyone have some suggestions? I am looking for a recent book, since I am a bit tired of continuously having to read the documentation on my computer, and some how-tos and references are always handy.

Let me know. More updates on my apps soon.

I’ve set up RADIUS and my apps are lucky.

March 22, 2007 on 8:44 pm | In Ramblings

Well, the Academy of Arts in Groningen now has a working RADIUS server and a RADIUS-enabled access point. It was fun to set it all up. In case you’re reading this, hey Martin (I hope I spelled your name right)! RADIUS is just pure fun. I can’t encourage people to just go around messing with FreeRADIUS, but it’s actually quite easy to set up (it doesn’t really have an up-to-date GUI solution yet, but that’s why people like me exist) and use. What it does out of the box, for the Academy at least, is ensure that people who associate with the wireless access points get sandboxed, and people with a valid MAC address, as defined in RADIUS’ users file, get intranet and internet access.

Now, my apps (especially Fortitude) got lucky today. I’ve got my hands on the very first PowerPC Mac to ever be regularly in my house. I consider this Mac to be one of the best designs from Apple, and it’s quite iconic because of a female illustration made with this design. Without further ado, I present you the G4:

g4.jpg

It’s a nice machine that I can (and will) expand in memory, HDs, and even its disc drive abilities. I can plug my existing GPU in there, which I know works well with Linux. It’s very cool. Now, to test out this baby…
