There has been a whole buzz of news in graphics, GUI, Open Source, and all topics in between in this week, prompting for a new weekly; The Graphic Friday. I’ve mostly decided to add this weekly because there has been an influx of demand for more (regular) posts concerning typography and graphic design (or eye candy, whatever you’d like to call it ;)).

Everyone’s favorite linux distribution, Ubuntu, has gotten a website redesign. A lot of negative feedback was unearthed with the redesign, but I must say, I like it. It’s gotten a sense of information architecture now (most needed information, like a link to the forum, a link to the files, etc), and it’s, well, in line with the general ‘Human’ theme they have had going on in Gnome for a long time now – complete with rounded corners. Ooh, rounded corners, they just seem to be popping up everywhere, don’t they?

Anyway, for even sexier Open Source desktops, a Beryl equivalent of Gnome-Look was also launched today; Beryl-Themes. For those unacquainted with Beryl (you must have been living under a mountain to miss this whole ‘Linux’ thing), it’s a super-dope 3d desktop, complete with theming abilities and productivity enhancements like zoom (as seen in OS X), ‘exposé) (as seen in OS X), and negative (as seen in any OS).

And even more sexy UI news from Open-Source land; Neil J. Patel, a new true innovator in the GNOME project (GNOME is as much as the entire UI in a lot of Linux distributions, and a host of other features that are essential to any desktop operating system) released some screenshots of Affinity, a new GNOME search tool (not quite unlike OS X’s Spotlight).

That’s Affinity set loose on Beagle’s backend (Beagle is a search engine, metadata indexer, much like Tiger’s Spotlight 1.01).

I want to conclude this one Open-Source edition of the Graphic Friday with a film I have just seen, and I rate second best anime next to Akira; Howl’s Moving Castle (grammar nazi cataclysm avoided by Jelmar). It’s immense – what a great movie. I can absolutely recommend it to anyone who enjoys a whole lot of eye candy and weird, speampunk-esque worlds. Impeccable animation and a very strong plot make it a joy to watch.

It’s Typographic Wednesday again, time for some nice insider news from the typography scene.

Helvetica; the movie has started showing! I am very excited and I will be sure to buy the movie as soon as it comes out. It’s already been dubbed ‘the most interesting movie on Graphic Design’, and has received general praise. Keep an eye on this movie, featuring the biggest star in typography to date.

The typographic blog Type for You has a nice interview with Wim Crouwel, a Dutch type designer who did works like the New Alphabet and Gridnik (both now for sale at the Foundry). He’s also, incidentally, from the same city – while I study in Groningen, he spent most of his life there.

Fabrizio Schiavi is a great type designer. He’s just released a new, beautiful stencil font that redefines the look of stencil. Meet Siruca;

Fabrizio Schiavi’s font portfolio includes the beautiful Sys, and CP Company.

That’s it, for now, some smoky words,

image by fliegender on flickr.

This is a folow-up on my earlier how-to “A more secure OS X before Leopard“. I have split this article from the results of the scan following the last article. I recommend following the first how-to before this one, if you haven’t read it, and see what potentially insecure defaults you can change without interfering with your daily activities. Some things touched there that I will not discuss here are;

– Filevault
– Turning on your Firewall
– Bluetooth
– Making a new, unprivileged user

Further securing OS X is something for the truly paranoid, although some of the tips in here are handy for people who do feel like a checklist of things they could do to secure their Mac further. I am one of those very paranoid people, and I like to be in control of what happens on my computer. There are, once again, basic, intermediate, and advanced tips and little tricks in here, this time clearly divided in difficulty.

– Disable your Microphone input and / or iSight if you aren’t using them This hint, from the NSA Hardening guide, is a very good way to protect against any way for an intruder to physically eavesdrop on you, and any Quicktime component can access your iSight. There might be vulnerabilities looming on the horizon. The most desirable first is the iSight, as it has a real privacy concern if it were to be compromised. It’s as simple as a copy and paste into your Terminal. It won’t be painful, just open it for now.

/usr/bin/sudo /bin/chmod a-rwx /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer

I will be explaining why I use full paths to commands later on. This simple line will make sure no user level process can access the module that interacts with the iSight. To restore;

/usr/bin/sudo /bin/chmod a+r /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer
(I had this all mixed up. Thanks Greg)

Many thanks to techslaves. To disable your Microphone as well, you can set it’s input volume to zero in the Sound preference pane, under the “Input” tab.

– Enable Secure Keyboard Entry in the Terminal It’s that simple. It’s in the “File” menu in the menu bar.

– Disable IPv6 if you aren’t using it. Why? Potential vector for attack. To fix this, go to the Network configuration pane. Select the connection you want to use for internet access, and click here;

And now make sure it is set as below;

– Disable automatic Movie playback. What if there were to be an iSight vulnerability by delivery in a Quicktime file? We wouldn’t want it to just play without us asking. Go to the Quicktime preference pane, browser tab;

– Set your software updater to check more frequently. Of course, we like to be ready for fixes. This goes without any picture, because this is too trivial. Just go to the preference pane of Software Update.

– Ensure that access for assistive devices is disabled. In the preference pane for Universal Access. You can also make your cursor insanely big here, which is nice.

– Use a firewall accessory application like Glowworm FW Lite, or Little Snitch . Speaks for itself. Lets you decide if you want applications to connect to something.

– Set an Open Firmware Password. OF Passwords can be subverted in some ways (the password is nulled when RAM configuration is changed), but it is a hindrance. This works differently for PowerPC Macs and Intel Macs, because the latter use EFI and the other Open Firmware. For PowerPC, use the tool in Utilities to change your password. You can also boot with Command-Option-O-F pressed, to enter the OF prompt. From there, enter your newly set password, and type;
setenv security-mode full

To set full security mode, the most secure mode.
For Intel Macs. Apple has not yet provided security extensions to the EFI. You can use the Open Firmware Password Utility to set an EFI password, but that’s about it. Perhaps in the future, we will see rEFIt become TPM-aware (see advanced section).

– Use a more reliable DNS service. It may even speed up your internet. OpenDNS is dubbed by some to be more reliable and secure than an arbitrary DNS server of your ISP. No real argument against that. To set OpenDNS’s DNS servers as yours, go to the Network preference pane, and select the interface you use for internet access.

Simply set this field, present under the TCP/IP tab in your interface of choice, to these addresses, or go to OpenDNS yourself to verify (hey, I could offer you IP’s of MY DNS server, so don’t thread lightly).

– Set a login-window warning banner. (Courtesy of the Corsaire Report) Simply type;
/usr/bin/sudo /usr/bin/open /Library/Preferences/com.apple.loginwindow.plist
in the terminal. This opens the preference file of your loginwindow application.

Make sure where the suggestion for the password is, like my bogus text here, completely empty. Mine says “Grensschutzgruppe en Bas Haring”. Password hints may be a risk to the security of your system. Now, back on topic. Simply click the New Sibling button, and add the sibling LoginwindowText. Add some intimidating text, like;
This is a private computer system and is for authorised use only.
Any or all use of this system and all files on this system may be intercepted and monitored.
Unauthorised or improper use of this system may result in disciplinary and/or legal action. By
continuing to use this system you indicate your awareness of and consent to these terms and conditions
of use.

– Lock your keychain. By default, the keychain that stores your passwords, is always unlocked. No one can read your passwords, but programs are able to access your passwords, if they created the password. Use the Keychain Access application to set another password than your login password for the keychain. It will then prompt you for your keychain password every time an item is needed, and it will be open for a configurable period, which defaults to 5 minutes.

– Use Encrypted Disk Images. To secure file, or nest encrypted files even deeper in filevault, you can use the Disk Utility to create secure disk images.

– Set a more critical umask. (command courtesy of Corsaire write-up) The default umask allows all users to read each other’s new files. This command disables this;
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 23

– Enable Process Auditing. (command courtesy of Corsaire write-up) This will log commands executed by all users. One line;
/usr/bin/sudo /bin/mkdir /var/account && /usr/bin/sudo /usr/bin/touch /var/account/acct && /usr/bin/sudo /usr/sbin/accton /var/account/acct
It will now run from startup.

– Force SSH to use SSH2. You can edit the ssh configuration like this;
/usr/bin/sudo /usr/bin/nano /etc/sshd_config
Now replace the line that reads “#Protocol 2, 1” with “Protocol 2”. Lose the comment mark, otherwise it won’t work.

– Use full paths to command names. This security measure, coined mostly by Rixstep (the author of the brilliant ACP), ensures Bash or defaults path poisoning is no longer an attack avenue. Although the bash developers didn’t consider it to be a real issue, Rixstep’s CLIX (an essential accessory to any power user, and it is free) has path resolving and builtin measures against path poisoning.

– Keep an eye on startup scripts in launchd. Lingon can be used to monitor what starts up automatically. It’s an excellent GUI utility.

– Keep an eye on running services. I use the simple iServeBox for this. A simple GUI to enable or disable services, handy if you know what you are doing.

– Compile and run Bastille-OSX on a regular basis.Bastille for OS X is a hardening assessment tool. It goes recommended for anyone that knows what he or she is doing. Perl-Tk on OS X might be a useful resource in this effort.
– Compile and implement SEDarwin. PPC-only for now, SEDarwin is an adaptation of the open Darwin kernel at the heart of OS X to support the Mandatory Access Control framework. It is, of course, based off SELinux.
– Use the Trusted Platform Module in your Mac. This is, only if it has one. The first generation of Macbook Pro’s have a TPM, for example. Do an ioreg;

/usr/sbin/ioreg | /usr/bin/grep -i tpm

The output should look like this, and not any differently;

| +-o TPM