12.9. Six Mac OS X Security Shields
Mac OS X has a spectacular reputation for stability and security. At this writing, not a
single Mac OS X virus has emerged—a spectacular feature that makes Windows look
like a waste of time. There's no Windows-esque plague of spyware, either (downloaded
programs that do something sneaky behind your back). In fact, there isn't any Mac
The usual rap is, "Well, that's because Windows is a much bigger target. What virus
writer is going to waste his time on a computer with eight percent market share?"
That may be part of the reason Mac OS X is virus-free. But Mac OS X has also been built
more intelligently from the ground up. Listed below are a few of the many drafty corners
of a typical operating system that Apple has solidly plugged:
The original Windows XP came with five of its ports open. Mac OS X has always
come from the factory with all of them shut and locked.
Ports are channels that remote computers use to connect to services on your
computer: one for instant messaging, one for Windows XP's remote-control
feature, and so on. It's fine to have them open if you're expecting visitors. But if
you've got an open port that exposes the soft underbelly of your computer without
your knowledge, you're in for a world of hurt. Open ports are precisely what
permitted viruses like Blaster to infiltrate millions of PCs. Microsoft didn't close
those ports until the Windows XP Service Pack 2.
Whenever a program tried to install itself in the original Windows XP, the
operating system went ahead and installed it, potentially without your awareness.
In Mac OS X, that never happens. You're notified at every juncture when anything
is trying to install itself on your Mac. In fact, you're even notified when you're
opening a disk image or .zip file that could contain an installable program (Figure
Figure 12-15. Mac OS X hovers like a stage mother, always informing you
when you're at a point where something virusy could be happening. It warns
you when you download a compressed file that could contain a runnable
program (top), and even when an installer has to run a tiny subprogram
before the installation (bottom).
Unlike certain other operating systems, Mac OS X doesn't even let an
administrator touch the files that drive the operating system itself without pestering
you to provide your password and grant it permission to do so. A Mac OS X virus
(if there were such a thing) could theoretically wipe out all of your files, but
wouldn't be able to access anyone else's stuff—and couldn't touch the operating
You probably already know about the Finder's Secure Empty Trash option.
But an option on the Erase tab of the Disk Utility program can do
the same super-erasing of all free space on your hard drive. We're talking not just
erasing, but recording gibberish over the spots where your files once were—once,
seven times, or thirty-five times—utterly shattering any hope any hard-disk
recovery firm (or spy) might have had of recovering passwords or files from your
Safari's Private Browsing mode means that you can freely visit Web sites without
leaving any digital tracks—no history, no nothing (Section 20.1.5).
Every time you try to download something, either in Safari or Mail, that contains
executable code (a program, in other words), a dialog box warns you that it could
conceivably harbor a virus—even if your download is compressed as a .zip or .sit
file (Figure 12-16).
Figure 12-16. And still more warnings. This operating system intends to make
darned sure no program ever runs without your knowledge (which is how Windows
PCs get viruses and spyware).
It tries to protect you, for example, when you double-click a document and the
required program opens for the first time (top). It also warns you the first time you
double-click any program that came from the Internet (bottom).
Those are only a few tiny examples. Here are a few of Mac OS X's big-ticket defenses.
12.9.1. The Firewall
If you have a broadband, always-on connection, you're open to the Internet 24 hours a
day. It's theoretically possible for some cretin to use automated hacking software to flood
you with files or take control of your machine. Mac OS X's firewall feature puts up a
barrier to such mischief.
Fortunately, it's not a complete barrier. One of the great joys of having a computer is its
ability to connect to other computers. Living in a cement crypt is one way to avoid
getting infected, but it's not much fun.
So if you open the Security panel of System Preferences, and click the Firewall tab, you
see something like Figure 12-17 at top. It offers three settings:
"Allow all incoming connections" is the same as having no firewall at all. Now,
most of the Internet's cretins are far more interested in tapping into Windows
machines than Macs, but you never know. Best to avoid this one.
"Allow only essential services" is the closest thing Leopard has to "block
everything." It gives access only to a small, fixed set of deep-seated services that
Mac OS X needs to get by.
"Set access for specific services and applications" is the best choice for most
people. It blocks all incoming pings except those addressed to programs and
features that you've approved.
And how do they get approved? Above the horizontal line (Figure 12-17, top), features of
Mac OS X itself are listed. They get added to this list automatically when you turn them
on in System Preferences: File Sharing, Printer Sharing, and so on.
Non-Apple programs can request passage through your firewall, too (Figure 12-17,
bottom); if you click Always Allow, they appear below the line in this list.
Now, there are a few footnotes regarding the firewall:
Figure 12-17. Top: Apple's new firewall in Mac OS X 10.5 looks like this.
It lists the programs that have been given permission to receive communications
from the Internet. At any point, you can change a program's Block/Allow setting, as
Bottom: From time to time, some program will ask for permission to communicate
with its mother ship. If it's a program you trust, click Always Allow.
You can also click the + button to navigate your Applications folder and manually
choose programs for inclusion.
For more power and flexibility, install a shareware program like Firewalk or
Brickhouse (available from www.missingmanuals.com, for example).
If you're using Mac OS X's Internet connection sharing feature (Section 18.5.4),
then it's important to turn on the firewall only for the first Mac—the one that's the
gateway to the Internet. Leave the firewall turned off on all the Macs
"downstream" from it. You want to protect your Macs from the nasties of the
Internet; you don't need them giving each other the cold shoulder.
Similarly, if you've bought a router to distribute your Internet connection to
multiple computers, it probably has its own firewall circuitry built in. In that case,
you can turn off Mac OS X's own firewall.
Two useful features are hiding behind the Advanced button (which is visible in
Enable Stealth Mode is designed to slam shut the Mac's back door to the Internet.
See, hackers often use automated hacker tools that send out "Are you there?"
messages. They're hoping to find computers that are turned on and connected full-
time to the Internet. If your machine responds, and they can figure out how to get
into it, they'll use it, without your knowledge, as a relay station for pumping out
spam or masking their hacking footsteps.
Enable Stealth Mode, then, makes your Mac even more invisible on the network;
it means that your Mac won't respond to the electronic signal called a ping. (On
the other hand, you won't be able to ping your machine, either, when you're on the
road and want to know if it's turned on and online.)
Enable Firewall Logging creates a little text file where Mac OS X records every
attempt that anyone from the outside makes to infiltrate your Mac. (To view the
log, click the Open Log button. The file opens in Console for your inspection.)
The Security pane of System Preferences is one of Leopard's most powerful security
features. Understanding what it does, however, may take a little slogging.
As you know, the Mac OS X accounts system is designed to keep people out of each
other's stuff. Ordinarily, for example, Chris isn't allowed to go rooting through Robin's
Until FileVault came along, though, there were all kinds of ways to circumvent this
protection system. A sneak or a showoff could:
Start up your Mac (if it's a pre-2003 model) in Mac OS 9, which knows nothing
about Mac OS X permissions.
Start up the Mac in FireWire disk mode (Section 6.2).
Remove the hard drive and hook it up to a Linux machine or another Mac.
In each case, they'd then be able to run rampant through everybody's files, changing or
trashing them with abandon. For people with sensitive or private files, the result was a
security hole bigger than Steve Jobs' bank account.
FileVault is an extra line of defense. When you turn on this feature, your Mac
automatically encrypts (scrambles) everything in your Home folder, using something
called AES-128 encryption. (How secure is that? It would take a password-guessing
computer 149 trillion years before hitting paydirt. Or, in more human terms, slightly
longer than two back-to-back Kevin Costner movies.)
This means that unless someone knows (or can figure out) your password, FileVault
renders your files unreadable for anyone but you and your computer's administrator—no
matter what sneaky tricks they try to pull.
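As an added example (not from the book), the Python script below works out the guessing rate implied by the 149-trillion-year figure, assuming that figure means trying all 2^128 possible AES keys, and then shows how long a randomly chosen password must be before guessing it is as hard as guessing the key. The sample password policies and all function names are constructed for illustration.

```python
# Added example: compares the 128-bit key space with typical password spaces.
# Assumption: the "149 trillion years" figure means exhausting all 2**128 keys.

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AES128_KEYSPACE = 2 ** 128
QUOTED_YEARS = 149e12  # figure quoted in the text


def implied_guess_rate():
    """Guesses per second needed to cover 2**128 keys in the quoted time."""
    return AES128_KEYSPACE / (QUOTED_YEARS * SECONDS_PER_YEAR)


def seconds_to_exhaust(alphabet_size, length, rate):
    """Worst-case time to try every password of exactly this length."""
    return alphabet_size ** length / rate


def min_length_for_keyspace(alphabet_size, keyspace=AES128_KEYSPACE):
    """Shortest random password whose search space is at least `keyspace`."""
    length = 1
    while alphabet_size ** length < keyspace:
        length += 1
    return length


# Constructed sample policies (name, alphabet size, length), not from the page.
POLICIES = [
    ("8 lowercase letters", 26, 8),
    ("10 letters and digits", 62, 10),
    ("12 printable ASCII", 94, 12),
    ("20 printable ASCII", 94, 20),
]

if __name__ == "__main__":
    rate = implied_guess_rate()
    print(f"implied rate: {rate:.2e} guesses/second")
    # Same guessing rate applied to passwords instead of raw keys.
    for name, alphabet, length in POLICIES:
        years = seconds_to_exhaust(alphabet, length, rate) / SECONDS_PER_YEAR
        print(f"{name:24s} {years:.3e} years")
    # Password length at which the password stops being the weaker link.
    for alphabet in (10, 26, 62, 94):
        print(alphabet, "symbols ->", min_length_for_keyspace(alphabet), "characters")
```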
You won't notice much difference when FileVault is turned on. You log in as usual,
clicking your name and typing your password. Only a slight pause as you log out
indicates that Mac OS X is doing some housekeeping on the encrypted files: freeing up
some space and/or backing up your home directory with Time Machine.
Tip: This feature is especially useful for laptop owners. If someone swipes or "borrows"
your laptop, they can't get into your stuff without the password.
Here are some things you should know about FileVault's protection:
It's useful only if you've logged out. Once you're logged in, your files are
accessible. If you want the protection, log out before you wander away from the
Mac. (Or let the screen saver close your account for you; see Section 12.9.3.)
It covers only your Home folder. Anything in your Applications, System, or
Library folders is exempt from protection.
An administrator can access your files, too. According to Mac OS X's caste system,
anyone with an administrator's account can theoretically have unhindered access to
his peasants' files—even with FileVault on—if that administrator has the master
password described below.
It keeps other people from opening your files, not from deleting them. It's still
possible for someone to trash all your files, without ever seeing what they are.
There's not much you can do about this with FileVault on or off—all a malicious
person needs to do is start deleting the encrypted files, and your data is gone.
(FileVault works by encrypting your Home folder into eight-megabyte chunks.)
Shared folders in your Home folder will no longer be available on the network.
That is, any folders you've shared won't be available to your co-workers except
when you're at your Mac and logged in.
Backup programs may throw a tizzy. FileVault's job is to "stuff" and "unstuff"
your Home folder as you log in and out. Backup programs that work by backing
up files and folders that have changed since the last backup may therefore get very