02 Nov
   Filed Under: Design, How-To, Icon Design, Personal Work   

 

makingiphoneicons.png

In my free time, I have been experimenting with the iPhone home screen icons. I was initially pleased by the icons, but found several to be lacking after having looked at them for prolongued periods of time. Since I don’t want to be greedy, I will share some techniques, know-how and tips with you to help you get up to speed designing icons for your own iPhone. I will also look at my upcoming set of icons and discuss why I am changing so little to the look of the default icons.

Continue reading…

24 Oct
   Filed Under: Design, How-To   

Michel Jansen, fellow Dutch blogger, uncovered a system setting to use the new “on-the-side” Dock on the bottom too (which a lot of you asked for in my last post).

Open Terminal.app and enter;

defaults write com.apple.dock no-glass -boolean YES; killall Dock

Before and after images at the source. Thanks Michel!

27 Jun
   Filed Under: Design, How-To, Icon Design   

Okay, I thought it was time for a concise tutorial. We all know the Safari toolbar icons; they are, basically, buttons. To design these properly, you want some elements to be in order; a texture, basic shading, the beveling of the glyphs inside. In this tutorial, you aren’t only going to learn good design practices – the good design practices that you will learn, will guarantee that the toolbar button you will make is ready for Leopard’s resolution-independent UI.

Here’s an example of toolbar buttons in Tiger:

tigertoolbarbuttons.jpg

In Leopard, however, this style has been abandoned, in favor for a more dark, unified and bezeled look;

leopardtoolbarbuttons.jpg

Whichever one you like better doesn’t matter, but we’re going to make a Leopard button now. You can adorn your Finder with it later on, or do whatever you want. It’s a good idea, however, to start thinking what kind of a button you want to make. Let’s say we want to make a whole new button that, when pressed, opens iCal.

What this means is that you’ll want to find an appropriate glyph. iCal is an easy example; we already have a convention for an ‘iCal’ or calendar glyph in OS X. No, really, check it out;

iphotobuttons.jpg

As you may observe, these buttons resemble Leopard’s quite a bit. They also have that nice bezel. Let’s make a screenshot (take this one, if you want to follow along) or make a new glyph if there is no convention. “But wait, Sebastiaan!”, I hear you say, “why remake a button that’s already there?”

Well, here’s good design lesson number one; imitate to learn. You want to learn how to make buttons like this? A good idea is making an attempt to remake it. Lesson two: Design for the future. Be thoughtful in your designs. Before you kick up your favorite image editor, think what you want to make, but also how long you want to use it. Are there future requirements for the graphic you are making? For normal work, you might consider making things at a high resolution so you can print beautifully, but in this case, Leopard needs some high-res resources for buttons.

And you can even set your working size to be infinite. Yeah. That’s right, you can make your resources as big as you want them if you make them from scratch. With Photoshop? Yup.

Follow along. If at some point you stop getting it, just keep reading and at the end there’s a nice PSD to try it all out for yourself. Let’s start with our calendar glyph screengrab. It’s not too big…

sizecalendar.jpg

Let’s make it a bit bigger. Select “percent” from the image size dialog. Picture 6.jpg

Then proceed to resize to to 400% it’s original size. Select “Nearest Neighbor” from the resample dropdown.

Picture 7.jpg

Okay, now that you’ve got it in the size it should be minimally for Leopard in bitmap, you can start making a vector out of it. Use the Pen Tool in Photoshop to trace its lines. Be sure to select Shape when making it and sample its color.

vectorized.jpg

After a bit of working the lines and tweaking the edges to be exactly 90 degrees, this is the result. Your mileage may vary, depending on your Pen Tool skills, but just keep tweaking with the white and black arrow tools to tweak the shapes. There are plenty of Pen Tool tutorials out there.

If we were to overlay this to it’s original background now, it looks like this;

nobezel.jpg

That’s not too funky; it doesn’t really work this way because it looks like a graphic slapped on a gradient. It’s just too flat, you know? Let’s add a bezel. Although this ‘pixeled’ icon contains only sharp edges, you can apply the same method for round shapes, in vector, to make bezels that actually work (instead of working at the small size with 1 pixel ‘outer bevel’ layer effects, that really get messy).

bezel.jpg

As you can see, you can, without resorting to layer styles, make a white form behind your existing vector shapes. At this level, you can see it’s a white form. At our classic size, however…

100percent.jpg

As for the background of the button, some people insist on fussy practices of sampling colors. In this case, take a 1 pixel wide selection to rapidly ‘prototype’ the button background without having to create a whole gradient;

1pxselection.jpg

Take this selection, copy it to a separate layer and scale it about 20 times wider. Once you are happy with your glyph, you can take the shape of the button, make a vector and apply the proper gradient on it.

vector.jpg

As you can see from the PSD, you can export this as a ‘regular’ size (as the button was before, thus, 25% of our current image) and as 4x to comply with the Resolution Independent guidelines laid down in the now public session at WWDC ’06. You can also, as the buttons we see here are easy to make in the new Interface Builder under Leopard, export them as PDF’s. Be sure to fit the path in an ‘image’ of appropriate pixels, though, or your shape might be placed quite oddly in the NSButton.

Now that you know the basics of putting together these kind of buttons, go make an alternative set to Safari’s! Or perhaps some new toolbar buttons for Mail? Preview? Let’s see what you can come up with in some spare time!

If you enjoyed this tutorial, you can take some time to comment, share with delicious, or digg it. Kind words over email are also appreciated ;).

13 Mar
   Filed Under: Apple, How-To, Popular   

secure2.jpg

This is a folow-up on my earlier how-to “A more secure OS X before Leopard“. I have split this article from the results of the scan following the last article. I recommend following the first how-to before this one, if you haven’t read it, and see what potentially insecure defaults you can change without interfering with your daily activities. Some things touched there that I will not discuss here are;

- Filevault
- Turning on your Firewall
- Bluetooth
- Making a new, unprivileged user

Further securing OS X is something for the truly paranoid, although some of the tips in here are handy for people who do feel like a checklist of things they could do to secure their Mac further. I am one of those very paranoid people, and I like to be in control of what happens on my computer. There are, once again, basic, intermediate, and advanced tips and little tricks in here, this time clearly divided in difficulty.

1basic.jpg
- Disable your Microphone input and / or iSight if you aren’t using them This hint, from the NSA Hardening guide, is a very good way to protect against any way for an intruder to physically eavesdrop on you, and any Quicktime component can access your iSight. There might be vulnerabilities looming on the horizon. The most desirable first is the iSight, as it has a real privacy concern if it were to be compromised. It’s as simple as a copy and paste into your Terminal. It won’t be painful, just open it for now.

/usr/bin/sudo /bin/chmod a-rwx /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer

I will be explaining why I use full paths to commands later on. This simple line will make sure no user level process can access the module that interacts with the iSight. To restore;

/usr/bin/sudo /bin/chmod a+r /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component/Contents/MacOS/QuickTimeUSBVDCDigitizer
(I had this all mixed up. Thanks Greg)

Many thanks to techslaves. To disable your Microphone as well, you can set it’s input volume to zero in the Sound preference pane, under the “Input” tab.

- Enable Secure Keyboard Entry in the Terminal It’s that simple. It’s in the “File” menu in the menu bar.
1ttem.png

- Disable IPv6 if you aren’t using it. Why? Potential vector for attack. To fix this, go to the Network configuration pane. Select the connection you want to use for internet access, and click here;
ipv61.jpg
And now make sure it is set as below;
ipv62.jpg

- Disable automatic Movie playback. What if there were to be an iSight vulnerability by delivery in a Quicktime file? We wouldn’t want it to just play without us asking. Go to the Quicktime preference pane, browser tab;
playmovies.png

- Set your software updater to check more frequently. Of course, we like to be ready for fixes. This goes without any picture, because this is too trivial. Just go to the preference pane of Software Update.

- Ensure that access for assistive devices is disabled. In the preference pane for Universal Access. You can also make your cursor insanely big here, which is nice.

- Use a firewall accessory application like Glowworm FW Lite, or Little Snitch . Speaks for itself. Lets you decide if you want applications to connect to something.

1intermediate.jpg
- Set an Open Firmware Password. OF Passwords can be subverted in some ways (the password is nulled when RAM configuration is changed), but it is a hindrance. This works differently for PowerPC Macs and Intel Macs, because the latter use EFI and the other Open Firmware. For PowerPC, use the tool in Utilities to change your password. You can also boot with Command-Option-O-F pressed, to enter the OF prompt. From there, enter your newly set password, and type;
setenv security-mode full

To set full security mode, the most secure mode.
For Intel Macs. Apple has not yet provided security extensions to the EFI. You can use the Open Firmware Password Utility to set an EFI password, but that’s about it. Perhaps in the future, we will see rEFIt become TPM-aware (see advanced section).

- Use a more reliable DNS service. It may even speed up your internet. OpenDNS is dubbed by some to be more reliable and secure than an arbitrary DNS server of your ISP. No real argument against that. To set OpenDNS’s DNS servers as yours, go to the Network preference pane, and select the interface you use for internet access.
dns.png
Simply set this field, present under the TCP/IP tab in your interface of choice, to these addresses, or go to OpenDNS yourself to verify (hey, I could offer you IP’s of MY DNS server, so don’t thread lightly).

- Set a login-window warning banner. (Courtesy of the Corsaire Report) Simply type;
/usr/bin/sudo /usr/bin/open /Library/Preferences/com.apple.loginwindow.plist
in the terminal. This opens the preference file of your loginwindow application.
loginwindow 1.jpg

Make sure where the suggestion for the password is, like my bogus text here, completely empty. Mine says “Grensschutzgruppe en Bas Haring”. Password hints may be a risk to the security of your system. Now, back on topic. Simply click the New Sibling button, and add the sibling LoginwindowText. Add some intimidating text, like;
This is a private computer system and is for authorised use only.
Any or all use of this system and all files on this system may be intercepted and monitored.
Unauthorised or improper use of this system may result in disciplinary and/or legal action. By
continuing to use this system you indicate your awareness of and consent to these terms and conditions
of use.

- Lock your keychain. By default, the keychain that stores your passwords, is always unlocked. No one can read your passwords, but programs are able to access your passwords, if they created the password. Use the Keychain Access application to set another password than your login password for the keychain. It will then prompt you for your keychain password every time an item is needed, and it will be open for a configurable period, which defaults to 5 minutes.
keychain.jpg

- Use Encrypted Disk Images. To secure file, or nest encrypted files even deeper in filevault, you can use the Disk Utility to create secure disk images.

- Set a more critical umask. (command courtesy of Corsaire write-up) The default umask allows all users to read each other’s new files. This command disables this;
/usr/bin/sudo /usr/bin/defaults write /Library/Preferences/.GlobalPreferences NSUmask 23

- Enable Process Auditing. (command courtesy of Corsaire write-up) This will log commands executed by all users. One line;
/usr/bin/sudo /bin/mkdir /var/account && /usr/bin/sudo /usr/bin/touch /var/account/acct && /usr/bin/sudo /usr/sbin/accton /var/account/acct
It will now run from startup.

- Force SSH to use SSH2. You can edit the ssh configuration like this;
/usr/bin/sudo /usr/bin/nano /etc/sshd_config
Now replace the line that reads “#Protocol 2, 1″ with “Protocol 2″. Lose the comment mark, otherwise it won’t work.

- Use full paths to command names. This security measure, coined mostly by Rixstep (the author of the brilliant ACP), ensures Bash or defaults path poisoning is no longer an attack avenue. Although the bash developers didn’t consider it to be a real issue, Rixstep’s CLIX (an essential accessory to any power user, and it is free) has path resolving and builtin measures against path poisoning.

- Keep an eye on startup scripts in launchd. Lingon can be used to monitor what starts up automatically. It’s an excellent GUI utility.

- Keep an eye on running services. I use the simple iServeBox for this. A simple GUI to enable or disable services, handy if you know what you are doing.

1advanced.jpg
- Compile and run Bastille-OSX on a regular basis.Bastille for OS X is a hardening assessment tool. It goes recommended for anyone that knows what he or she is doing. Perl-Tk on OS X might be a useful resource in this effort.
- Compile and implement SEDarwin. PPC-only for now, SEDarwin is an adaptation of the open Darwin kernel at the heart of OS X to support the Mandatory Access Control framework. It is, of course, based off SELinux.
- Use the Trusted Platform Module in your Mac. This is, only if it has one. The first generation of Macbook Pro’s have a TPM, for example. Do an ioreg;

/usr/sbin/ioreg | /usr/bin/grep -i tpm

The output should look like this, and not any differently;

| +-o TPM

In this case, you got a TPM and after you have installed the new, very cool open-source drivers and utilities by Amit Singh, you can go use it with services you'd expect from it. As an advanced user, you could compile several tripwire-like solutions to hash files on disk and run them against a database of hashes stored in your TPM without having processor load, or bake your own solutions.

This concludes my divided how-to on securing your Mac beyond its defaults. You can use the following resources to your advantage, like I did, and try to persuade people to watch security more on OS X. And no, I promise, there will be no more scanning. Be safe out there.

PDF Guides:
NSA's Guide to Panther Hardening
Corsaire's Guide on Securing OS X Tiger
Apple's Document on Securing Tiger

small edit; added instructions for Intel Mac OF password, consistently explained using the full path to programs, added TPM entry.

digg this!

11 Mar
   Filed Under: How-To   

inspector.jpg

In this new quick and dirty how-to, I want to address how I secure my personal network, consisting of a few rogue Windows computers (I manage a network that connects two houses with one internet connection at home) and two Macs, a FreeBSD server and a Linux server (my computers). It’s got wired and wireless access points, and my servers use wired connections. I use several tools on all platforms that you can all test for yourself without even touching your computer with the latest 2.0 of the Backtrack live CD, a GNU / Linux security distribution that features some hot tools for you to use out of the box. Make sure it supports your hardware, though, or you will be in for a very boring ride.

First off, wireless networking is a very big hole in the security of any network. It’s trivial to penetrate many networks, in spite of encryption, MAC filtering (filtering devices by their hardware address) and other security mechanisms, it adds an attack vector for anyone with malicious intent. For rather personal reasons (I don’t like people whining about internet being a hassle) and fun and profit (more about this later on) I chose to keep my wireless access point.
What’s always important to know, is who or what is on your network. The primary tool I use to enumerate hosts on my networks is Nmap, by the brilliant Fyodor. In any environment that’s got a shell (even Windows has a shell, check out Cygwin), Nmap is trivial to automate, and it’s output is trivial to process. It runs nice and fast, and it has a host of options. Check out this shell command as an example to find hosts on your network and get the output in a format that is readable and even printable by dope things like Geektool (OS X), to put the output on your desktop.
'/opt/local/bin/nmap' -sP 192.168.2.0/24 | awk '/192.168./ {print $2, $6}'
Note; /opt/local/bin/ is my path to nmap. Use your own. The -sP command does a ping sweep of all hosts in the 192.168.2. subnet. In other words, the netmask is 255.255.255.0, or /24. You should change this to your network’s IP address range, as well as the two fields in awk. The output of the command looks like this;

192.168.2.1 up.
192.168.2.2 up.
192.168.2.4 up.

Now, that’s just handy. Now we can already know what ping-replying people are on the network. If there seems to be a bit of a delay, and our scan doesn’t return results, we can use the more advanced options of Nmap – which require privileges. Some options to consider; -sL; the list scan. Will mass-scan a list of hosts, which you can use with the following, useful flags; -v for verbose mode, extra output! You can use the -PR, -P0 or -PN options to respectively use ARP for pinging, not ping at all, or use ICMP netmask requests (a clever one which can bypass Windows and OS X ‘stealth’ mode firewalls default ICMP rules). With the -O flag, you can also let Nmap try to fingerprint the hosts’ OS, which can be handy, as well as giving a guess of the network device’s hardware vendor with the aforementioned verbose mode. There are many open-source programs to quickly or otherwise uniquely enumerate or find hosts on a network, and I leave it to the reader to vary with programs like hping3, arping, fping, scanrand and others to get different or better results. I use arping and scanrand (Dan, the man!) on a regular basis, because each has it’s own advantages.

A commonly-used attack on networks once in is using a poisoning attack to capture traffic. Virtually all routers operate as switches today, which means they don’t just send out all traffic on the network to anyone, but switch it between appropriate hosts. To keep track of all the hardware addresses and routing between platforms in the traditional IPv4, the ARP protocol is used. My very, very favorite tool for fucking with ARP (excuse my language) is ettercap, but most people, for the safety of their own network, will merely want to keep tabs to see if people aren’t doing nasty shit. For this purpose, arpscan is a very fine choice. It compiles cleanly on virutally all operating systems (I don’t know about Windows, but this is owning your network open-source style, not borked-lego-interface style) and it sends an email to your local account when some suspicious activity occurs. Suspicious could be someone new seen on the network, or someone doing real nasty stuff (MAC spoofing / ARP poisoning). You can always manage these messages with the most owning open-source Mail program, pine, or simply use the command-line tool mail.
Offensive network defense is sometimes a good idea if someone won’t leave the network when asked politely. Make sure you know what you are doing, and use Backtrack, or any UNIX with ettercap to use the dark side of… ARP (and a host of other attacks!).
ettercap.jpg

Say hello to ettercap -C. Ettercap obviously requires privileges, and it can be used to sniff out traffic first, but also make a nice host list and perform attacks on these hosts. The -C option uses by favorite interface system, Curses, but if your X11 has GTK, you can download ettercap-gtk and run it in it’s own window, with a ‘real’ interface. It can, obviously, also be ran as a command-line tool.
If you do not know what you are doing, fooling around with ARP Poisoning could break a network. Yes, you can get in dire trouble if you really start to fuck around with this in places other than your own network. Now, if you don’t mind your router being harassed by routing the traffic, you can disable internet for a host by simply not changing your routing settings, and performing ARP poisoning with ettercap. The hosts’ traffic will be routed through the router, to your computer, which will drop it. Incidentally, this often means the host sends it’s IM login info several times, which ettercap will display for you.
arp.jpg
Use this attack, with the ‘remote’ option. Don’t forget to use the ‘Stop mitm attack(s)’ when you are done. The console should provide you with output like the dropped packets and passwords. Configure logging to a convenient file in the logging tab, and make sure you have your router configured as Target 1, and the victim as Target 2 in the host list (under Hosts, obviously). Dandy. You can mess around with other, potentially destructive options on your own network at your own discretion. Just remember, I didn’t break it.
Now, what else can we do to own a network? Well, the former Ethereal (now Wireshark) is an excellent cross-platform (Nmap-cross platform, Windows users, go wild) packet sniffer. You can use it to take a more in-depth look at your traffic, as it can often sniff out raw wireless packets too, and login information. The convenient protocol coloring shows you what part of the network traffic is what, even measured in percentages. Think that sounds nice? Here’s an obligatory screenshot.
front_screen_full 1.png

Ooh, pretty colors. Remember you can always check all these tools out hassle-free if you have a Backtrack-compatible setup.

This should give you some pointers on what steps you can take to feel like you are owning your network a bit more. Remember to look at the tools, read the documentation and be creative. The only way to control a network is to get in touch with the technical side.

digg this!

10 Mar
   Filed Under: Apple, How-To, Popular   

secure.jpg
edit: 12th of March; Follow-up availible; Click Here

In this howto, I will show you some things I have done to secure OS X beyond its default settings. There are very basic, and some advanced things in here. I am in NO WAY LIABLE for ANY DAMAGE you might do to your Mac by messing around with the things I describe here, because it could very easily cut you off from the internet if you don’t know what you are doing, and you’ll be emailing me to death from some internet café while receiving strange looks from people because you just ate your Mac’s supplied stickers.

First off, there is some odd stuff going on with Tiger’s default security settings. Upon setting up your Mac, you are essentially it’s administrator. You can even change the password of the highest power on the computer, root. Therefore, if there ever would be a security danger, and you are running with such privileges, it is a lot easier to exploit the system. To fix this hassle, make a new user. Awww, you just had your whole Mac set up with a ton of programs and settings? What, you are expecting me for some migratory script? Well, suck it up, because it’s not done yet. Swallow the bitter pill for now, as I am still struggling with the ‘defaults’ command-line tool to copy all the settings. You can relieve some loss of settings by copying relevant preferences from (Initial User)/Library/Preferences to (New User)/Library/Preferences. NOTE: NOT /Library! The Library folder in your $HOME. (EDIT; gregr over at digg pointed this out: “- if you have your account set up the way you want, then create a new user as advised here but make that the admin one (just don’t call it admin or similar), put a good password on it and then make your user a ‘normal’ user.” This is, of course, a much more hassle-free way to do this. Thanks gregr!
Also, people rarely realize – your firewall is off by default. Even better, we have an intensely impressive firewall option. First, here’s the gem; it’s hidden in the Sharing preference pane (what genius thought that one up?) under it’s own tab. And there, the fun begins.

greyed 1.jpg
What is all this then? Oh, remember, you created a new, unprivileged account. Just checking on you.

Ok, unlock the thing, authenticate, and click the obvious ‘Start’ button. It’s on when it reads stop. Easy so far. Now, click the almost hidden “Advanced” button.

advanced.jpg

Ooh, doesn’t that sound yummy. “Stealth Mode”? Damn, screw all that, my Mac’s going to be like a fucking Stealth Plane! Uh, anyway, ignore the buzz for now and check it out; UDP filtering is off by default, this ‘Stealth mode’ thing is off, and logging too. Insane. Put them all on. Little note here; if you want to be a diehard bittorrent downloader and want to optimize other P2P traffic, you best leave the UDP filtering out. What does this leave for attackers? Network Time, 2 exploits in the last years, CUPS (Printing), 1 DoS exploit found and strangely, MS Word (use OpenOffice.org!).

So, does this all do what it says? Nope. If you don’t want to share your printer, or share files over the Windows protocol, then these are left open, regardless of what you fiddle with in the preference panels. Bonjour is also always allowed in, and for some arcane reason, DNS is allowed outwards. This is almost like waiting for an exploit to happen. To somewhat augment these insane defaults, you can open a terminal and fiddle around with the ipfw command. You will need priviledges, gained by using sudo. You can also use Waterroof, a visual editor of your firewall rules. Dandy.
Anyway, the UDP filtering by default just allows anything Bonjour and Printing Server in. To fix this strange behaviour, just use ipfw;

sudo ipfw del 20321
followed by;
ipfw del 20322
Only do this with all settings in the ‘Advanced’ tab enabled! You might end up deleting the wrong firewall records. Anyway, what does this do to secure you? With inbound Bonjour UDP and CUPS UDP forbidden, foreign hosts will not be able to see what patchlevel you have (OS Version and Hardware type) and not be able to use CUPS exploits. It disables printer sharing, iTunes sharing, and other Bonjour-services.

Now, the Firewall a bit more secure, you can check to make sure Bluetooth is off by default (it is ON and discoverable on new users by default), and that it is set to non-discoverable. Now, click the Bluetooth icon in the menu bar, and go to Bluetooth Preferences.
blue.jpg
Ensure that the checkmarks are like in the picture. Most important here is the field with the key icon, which means authentication is on. Some are off by default, an insanely stupid move. There are lots and lots of Bluetooth vulnerabilities out there, and the first worm for OS X used Bluetooth to propagate itself.

Other common security fixes for everyday life is ensuring you log into gmail with https://, and browse Gmail with https://. Gmail drops the secure session after login, but you can force it by typing https://gmail… in the browser. In Apple Mail, make sure you have encryption enabled. Otherwise, you can secure a non-secure connection to a server you have SSH access to with the following terminal command;

sudo ssh2 -l username@server.com -L 25:server.com:25 -L 110:server.com:110 server.com
This essentially forwards the ports 25, and 110 (respectively SMTP and POP3, replace for IMAP or IMAPS with adequate port numbers) to the server in question and ‘tunnels’ the traffic through SSH, encrypted et al. You can now set the server settings in Mail for incoming to ‘localhost:110′ (without the brackets, doh) and outgoing to ‘localhost:25′. The ssh2 command forces SSH2.0, for more security.

For Laptop safety, you can first disable the most stupid feature in history, namely auto-login. It will make it much easier for people who steal your laptop to make use of it. This included people with sensitive data, who, if they don’t mind performance degradation, should use my settings;

filevault.jpg
Yup, disable auto-login, make sure there is a pass on your screen saver / wake-up, ensure virtual memory is encrypted (performance drop here) and Filevault is on with a very complex password that stretches the imagination. (and don’t start asking me why this is greyed out)

Okay, so that all makes us a bit more secure and aware of our security. For other security, in the sense of anonymous internet access, you can use Vidalia with Tor. There was a recent proof-of-concept attack on Tor, but it’s not to be used as a completely anonymizing tool – it does it’s work very well, though, and it goes recommended for any computer for me.

This concludes this howto to harden OS X. If you have the abilities to compile something, please take a look at Bastille for OS X, whose co-author Jay Beale showed many of the faults in defaults in this document. It requires X11, the developer tools, and the latest developer release of Perl-Tk to function, and it can assess your system security with a number. It will automate many of the things I have advised and howto’d here in a friendly Tk-dialog. For now, have fun hardening your OS, and remember, hardening breaks future exploits! With the surge in Apple’s marketshare, we will start seeing malware.

Since this article got dugg, I have gotten a lot of feedback. Don’t miss these useful tips from readers;

- There is an often overlooked feature in Safari’s preferences to disable the automatic opening of disk images. This feature has had many exploits since it’s advent (contributed on digg by newbill123.
- For the truly paranoid, set the Firmware Password with the tool in your /Applications/Utilities folder to ensure no CD is bootable or the settings immutable without a password (contributed on digg by the ‘friendly’ frozendice).
- I will touch on more hints, tips, and hardening documents in the next how-to.

digg this!