To iPad or not to iPad, that is the question for my readers

Even though I’m your typical IT geek, I’m not one to jump on technology just because it’s new. I like to wait until technology stabilizes, prices drop and the lines at your favorite geek store decrease in size. I’m fortunate to have a Macbook Pro, and use it for just about everything I do. While I love my laptop, the size and weight have always been a drawback for me. This week I got to visit the Apple store for the first time in longer than I can recall, and I fell in love with the iPad2.

I’m seriously thinking about getting one, though a few questions came to mind:

– How much storage do I actually need? Should I max it out or will 16GB get me by?

– Will the lack of flash be a problem?

– How will I like using the parallels or fusion viewer vs. firing up a whole VM?

– Is the iPad a suitable platform for development and managing systems?

– Will I actually use the TV integration features offered by the iPad2 / Apple TV combo?

– Can I just grab my iPad at 3am and deal with system issues?

– How well do the various SSL and IPSEC VPN solutions work with the iPad2?

I’m sure a number of my readers are using iPads, and I would love to get your thoughts on these questions. I’m leaning towards this model, though I’m not really sure I need 64GB of SSD storage. I like to be practical when it comes to things like this, though sometimes more is actually better. :)

pbcopy / pbpaste in OS X

I came across a nifty utility in OS X that allows you to copy / paste data to/from the clipboard without having to select text and press command+c / command+v:

(michael)> echo foo | pbcopy

(michael)> pbpaste

That’s kind of neat. What about connecting to a remote machine, executing some command, and then having that output in the clipboard of your local machine?

(michael)> ssh uptime | pbcopy

(michael)> pbpaste
5:26pm  up 64 day(s),  8:30,  4 users,  load average: 0.04, 0.04, 0.04

Apple FileVault and good backups save the day!

I frequently travel with my Apple powerbook, and have always been concerned that someone might steal my laptop, or the disk drive would fail (this is a huge single point of failure). To address both concerns, I enabled FileVault to encrypt my home folder, and back up my data once a week to a central file store. FileVault does slow down certain operations, but it works great if you use your laptop for surfing the web, checking email, and chatting with folks online.

Well — this weekend one of my concerns came to fruition. My powerbook disk drive croaked. Sometimes the drive works, sometimes it doesn’t, and it is making all of those lovely noises that drives make when they are on the fritz. I am not sure why smartmontools didn’t pick up the failure, and unfortunately I can’t get the machine to stay up long enough to extract the SMART attributes. Luckily I have a service contract on my laptop, so getting the drive replaced should be relatively straightforward (I have never dealt with AppleCare, so we will see).

Since I use FileVault and back up my data weekly to a safe location, I don’t have to worry about the technician or drive manufacturer looking through the data on my laptop (not that there is anything worth looking at, but I am a privacy nut), and I also don’t have much to do to get my machine back online when it comes back from AppleCare (it should be as easy as installing OS X Tiger, and scp’ing my data from my central file store).

As most people who have met me know, I am a FANATIC when it comes to backing up data. I typically back up my data once a week to a server with redundant disk drives, those disk drives are periodically swapped out, and then I archive the data on those drives to one or more DVDs which I store in a safety deposit box. Now you might ask me, Matty, why are you such a fanatic when it comes to backups? Well, I have collected technical notes, contacts and documentation for the last ten years, and I couldn’t imagine losing all of the data I have collected. This backup strategy may sound excessive to some, but using this practice means that my powerbook disk failure is an inconvenience, and not a life traumatizing event. :)

P.S. Anyone use their parents house for DR? ;)

Locking down the OS X firewall

I attended Jay Beale’s “Discovering OS X weaknesses and fixing them with the new Bastille Linux port” at Defcon last week. Jay did a great job presenting, and pointed out several HUGE flaws that are present with the default OS X “stealth” firewall rule set. The first major problem Jay pointed out was the fact that all UDP datagrams with source port 67 or 5353 are allowed in (this allows you to talk to ntpd and cups, which have a rocky security history). The second major flaw is the fact that the default configuration blocks ICMP type code 8 (ICMP echo requests), but allows all other ICMP traffic in. And finally, OS X defaults to an allow any rule, which allows cruft like bonjour and the service locator to pollute your network with the version of OS X you are running, and the hardware architecture you are running on (this is a shell coder’s dream!). I take security rather seriously, so I sat down the night I got home and read the ipfw manual page, and created the following firewall rule set to deny all traffic by default, and allow a few trusted services out:

$ cat /etc/rc.firewall

#!/bin/sh

# Variables to simplify maintenance (these are comma delimited)
# PLACEHOLDER: replace with the IP addresses of your own DNS servers
DNS_SERVERS="REPLACE_WITH_DNS_IP1,REPLACE_WITH_DNS_IP2"

# Enable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Flush existing rules
/sbin/ipfw -f flush

# If the rule was added to the dynamic rule table, let it in
/sbin/ipfw add check-state

# Allow traffic to flow on the loopback interface
/sbin/ipfw add allow all from any to any via lo0

# Allow established connections
/sbin/ipfw add allow tcp from any to any established

# Allow SSH connections
/sbin/ipfw add allow tcp from me to any 22 keep-state

# Allow non-secure web traffic
/sbin/ipfw add allow tcp from me to any 80 keep-state

# Allow secure web traffic
/sbin/ipfw add allow tcp from me to any 443 keep-state

# Allow secure LDAP traffic
/sbin/ipfw add allow tcp from me to any 636 keep-state

# Allow IMAPS
/sbin/ipfw add allow tcp from me to any 993 keep-state

# Allow me to get to my DNS servers
/sbin/ipfw add allow udp from me to ${DNS_SERVERS} 53 keep-state

# Optionally allow ICMP traffic out
# /sbin/ipfw add allow icmp from me to any out keep-state

# Deny (and log) everything else
/sbin/ipfw add deny log ip from any to any

To enable the policy at startup, you need to place the rules listed above in a file, and make the file executable. This blog entry assumes the rules were placed in the file /etc/rc.firewall. Next, you will need to create an entry in the system startup folder. Each startup item contains a script to start and stop the service, and a property file to control when and how the service starts. To enable the firewall policy listed above, we can create a file called /Library/StartupItems/Firewall/Firewall with start, stop and restart actions:

$ cat /Library/StartupItems/Firewall/Firewall

#!/bin/sh

# Firewall

. /etc/rc.common

case "$1" in
    start)
        ConsoleMessage "Starting Firewall"

        # Activate the firewall rules
        /etc/rc.firewall > /dev/null
        ;;
    stop)
        ConsoleMessage "Stopping Firewall"

        # Remove all rules (the kernel default rule then applies)
        /sbin/ipfw -f flush
        ;;
    restart)
        ConsoleMessage "Restarting Firewall"

        # Activate the firewall rules (rc.firewall flushes the old ones first)
        /etc/rc.firewall > /dev/null
        ;;
esac

exit 0

In addition to the script listed above, you will also need to create a properties file to tell OS X when the service should start, and any dependencies that need to be online before the service is started. The properties file should be placed in the same directory as the startup script, and named StartupParameters.plist. The following property file can be used along with the Firewall startup script listed above:

$ cat /Library/StartupItems/Firewall/StartupParameters.plist

{
  Description     = "Firewall";
  Provides        = ("Firewall");
  Requires        = ("NetworkExtensions","Resolver");
  OrderPreference = "Late";
  Messages =
  {
    start = "Starting firewall";
    stop  = "Stopping firewall";
  };
}

Once all three files are in place, you can reboot the machine, and run ‘ipfw show’ as the root user to make sure the policy is installed. Daniel Cote has a great write up on building robust OS X firewall (ipfw) rulesets (I didn’t need some of the bells and whistles provided by Daniel’s script, so I reduced the rules to exactly what I need to filter inbound and outbound traffic). The Firewall and StartupParameters.plist files were taken from the firewall tarball on Daniel’s website, and I would like to thank him for putting together such an awesome website!
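Checking ‘ipfw show’ by eye works for a ten-line policy, but it is easy to miss that check-state landed after a keep-state rule, or that the final deny never made it in and unmatched packets are falling through to the kernel’s built-in rule 65535 (an allow on a stock OS X install). The following script is an added example, not part of the original post or of Daniel’s tarball: it parses text shaped like ‘ipfw list’ output (the sample listing is constructed, with a documentation address standing in for a DNS server) and reports anything that contradicts the deny-by-default intent described above. The allowed-port set is an assumption you pass in.

```python
import re

# Constructed sample of `ipfw list` output (not captured from a real host),
# shaped like the deny-by-default ruleset in the post. ipfw prints a bare
# port as "dst-port N" when listing rules. Rule 65535 is the kernel's
# built-in default, which is an allow on a stock OS X install.
SAMPLE_LISTING = """\
00100 check-state
00200 allow ip from any to any via lo0
00300 allow tcp from any to any established
00400 allow tcp from me to any dst-port 22 keep-state
00500 allow tcp from me to any dst-port 80 keep-state
00600 allow tcp from me to any dst-port 443 keep-state
00700 allow udp from me to 192.0.2.53 dst-port 53 keep-state
00800 deny log ip from any to any
65535 allow ip from any to any
"""

RULE_RE = re.compile(r"^(\d{1,5})\s+(.+)$")
DENY_ALL_RE = re.compile(r"^deny\b.*\bip from any to any$")
ALLOW_ALL_RE = re.compile(r"^allow ip from any to any$")
DST_PORT_RE = re.compile(r"\bdst-port (\d+)\b")


def parse_rules(listing):
    """Return a list of (rule_number, rule_text) in listing order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).strip()))
    return rules


def audit_ipfw(listing, allowed_ports):
    """Compare a listing against the post's deny-by-default intent.

    Returns human-readable findings; an empty list means the policy looks
    like the one described in the post.
    """
    findings = []
    rules = parse_rules(listing)
    explicit = [(n, t) for n, t in rules if n < 65535]
    default = [t for n, t in rules if n == 65535]

    # 1. check-state must precede every keep-state rule, otherwise the
    #    dynamic entries those rules create are never consulted.
    first_cs = next((i for i, (_, t) in enumerate(explicit) if t == "check-state"), None)
    for i, (n, t) in enumerate(explicit):
        if "keep-state" in t and (first_cs is None or i < first_cs):
            findings.append(f"rule {n:05d} uses keep-state before any check-state rule")

    # 2. Without an explicit deny-all, unmatched packets reach the kernel
    #    default rule, which is an allow on stock OS X.
    if not any(DENY_ALL_RE.match(t) for _, t in explicit):
        tail = default[0] if default else "unknown"
        findings.append(f"no explicit deny-all rule; unmatched traffic hits default rule 65535 ({tail})")

    # 3. An allow-all that is not pinned to loopback defeats the policy.
    for n, t in explicit:
        if ALLOW_ALL_RE.match(t):
            findings.append(f"rule {n:05d} allows all traffic on every interface")

    # 4. Each stateful allow should only open a port on the approved list.
    for n, t in explicit:
        if t.startswith("allow") and "keep-state" in t:
            m = DST_PORT_RE.search(t)
            port = int(m.group(1)) if m else None
            if port not in allowed_ports:
                findings.append(f"rule {n:05d} opens unexpected destination port {port}")
    return findings


if __name__ == "__main__":
    # On a real host: python audit.py < <(ipfw list)
    problems = audit_ipfw(SAMPLE_LISTING, {22, 53, 80, 443})
    print("\n".join(problems) if problems else "policy matches intent")
```

Feed it the live output of ‘ipfw list’ as root and compare against the port set you actually intend to allow; the script deliberately treats a missing deny-all as a finding even when the built-in rule 65535 happens to be a deny, because the explicit rule is what makes the policy self-documenting.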

Microsoft Word is broadcasting on my network!

While performing some basic traffic analysis on my home wireless network, I noticed the following broadcast traffic:

$ tcpdump -i en1 broadcast or multicast
15:51:25.761928 IP (tos 0x0, ttl 64, id 28912, offset 0, flags [none], proto: UDP (17), length: 180) > UDP, length 152
15:52:25.765492 IP (tos 0x0, ttl 64, id 28951, offset 0, flags [none], proto: UDP (17), length: 180) > UDP, length 152
15:53:25.769116 IP (tos 0x0, ttl 64, id 28989, offset 0, flags [none], proto: UDP (17), length: 180) > UDP, length 152

Gak! I disabled Rendezvous on my laptop to avoid polluting the ether, and the applications that were running shouldn’t be broadcasting messages! I was curious to see what was causing this, so I went into discovery mode. After reviewing ktrace, netstat and lsof data, I realized that the traffic was coming from Microsoft Word. It turns out that Microsoft Word sends broadcast messages to ensure that a license is only being used on a single node. This is *supposed* to help combat piracy, but I didn’t agree to this when I signed the EULA. This was extremely annoying, and what made it worse is the fact that Microsoft Word also listens on a TCP port:

$ lsof -i | grep Microsoft

Microsoft 1208 matty   19u  IPv4 0x0283a590      0t0  TCP *:3797 (LISTEN)

Last week Microsoft released several critical Office patches for the Windows platform (I am not sure if these apply to OS X yet, so I don’t want Microsoft Office applications blindly sending or accepting data). My laptop now uses an allow-selectively, deny-everything-else firewall policy, which stops this cruft from meandering throughout my home network. If you don’t feel like mucking with the default firewall policy, you can add an ipfw rule similar to the following to block this traffic:

$ /sbin/ipfw add deny udp from any to any 2222 out

I reckon it’s time to switch to Pages for word processing.
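What gave the Word traffic away in the tcpdump output above was its cadence: one datagram to the broadcast address every sixty seconds, on the dot. That pattern is worth automating, since any periodic broadcaster on a home network deserves the same ktrace/lsof treatment. The script below is an added example and not part of the original post: it parses tcpdump lines in the verbose format shown above, groups packets by source, destination and destination port, and reports flows whose inter-packet gaps are consistent. The capture is constructed (the post’s output had its addresses stripped, so RFC 5737 documentation addresses stand in) and the 2222 port number comes from the ipfw rule in the post.

```python
import re
from statistics import mean

# Constructed tcpdump lines (not a real capture). The one-minute cadence
# and UDP payload length mirror the post; the addresses are documentation
# addresses, and the DHCP line is a one-off that should not be flagged.
SAMPLE_CAPTURE = """\
15:51:25.761928 IP (tos 0x0, ttl 64, id 28912, offset 0, flags [none], proto: UDP (17), length: 180) 192.0.2.10.2222 > 192.0.2.255.2222: UDP, length 152
15:51:40.101000 IP (tos 0x0, ttl 64, id 28920, offset 0, flags [none], proto: UDP (17), length: 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300
15:52:25.765492 IP (tos 0x0, ttl 64, id 28951, offset 0, flags [none], proto: UDP (17), length: 180) 192.0.2.10.2222 > 192.0.2.255.2222: UDP, length 152
15:53:25.769116 IP (tos 0x0, ttl 64, id 28989, offset 0, flags [none], proto: UDP (17), length: 180) 192.0.2.10.2222 > 192.0.2.255.2222: UDP, length 152
15:54:25.772801 IP (tos 0x0, ttl 64, id 29021, offset 0, flags [none], proto: UDP (17), length: 180) 192.0.2.10.2222 > 192.0.2.255.2222: UDP, length 152
"""

# Timestamp, then the parenthesised IP header summary, then src.port > dst.port:
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP \(.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return (seconds_since_midnight, src, dst, dport) for each parsable line."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        packets.append((t, m["src"], m["dst"], int(m["dport"])))
    return packets


def find_beacons(text, min_packets=3, jitter=1.0):
    """Report flows that send at a steady rate.

    A flow is (src, dst, dport). It is reported when it carries at least
    min_packets packets and every gap between consecutive packets lies
    within `jitter` seconds of every other gap. Returns dicts sorted by
    source address and port.
    """
    flows = {}
    for t, src, dst, dport in parse_capture(text):
        flows.setdefault((src, dst, dport), []).append(t)

    beacons = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_packets:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            beacons.append({
                "src": src, "dst": dst, "dport": dport,
                "count": len(times), "period": round(mean(gaps), 1),
            })
    return sorted(beacons, key=lambda b: (b["src"], b["dport"]))


if __name__ == "__main__":
    # On a real host: tcpdump -nnvi en1 'broadcast or multicast' | python beacons.py
    for b in find_beacons(SAMPLE_CAPTURE):
        print(f"{b['src']} -> {b['dst']}:{b['dport']} every {b['period']}s ({b['count']} packets)")
```

The output is only a pointer: once a source and port are flagged, ‘lsof -i’ on the sending host (as the post shows) identifies the process, and the ipfw rule above decides whether it leaves the machine.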

Implementing backoff timers in RSS readers

I have recently been on a quest to find a new RSS reader for OS X. NetNewsWire looks to be the leading candidate, since Liferea doesn’t have a native port to OS X. One thing I noticed in the clients I tested is that they have fixed times when they will check ALL feeds for new content. This time increment can be in minutes, hours, days, weeks or months. Since several of my feeds get updated 1 – 2 times a month, the fixed time metric doesn’t really work all that well with those sources (especially since the time applies to all feeds). While it may take a bit of additional coding, it would be neat to have syndication clients learn how often feeds are updated, and base their syndication checks around that. Hopefully the RSS reader developers will add backoff timers to their clients, which should save bandwidth, and reduce the amount of work each web server needs to do.
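To make the idea concrete, here is one way a client could learn a feed’s cadence. This is an added example, not code from NetNewsWire, Liferea or any other reader: the poller backs off exponentially while a feed stays quiet, and once it has seen two updates it polls at half the median gap between them, clamped to a minimum and maximum interval (both of which are assumptions chosen for the example). The simulate() helper drives a poller against a constructed timeline of true update times so the bandwidth saving can be measured rather than guessed at.

```python
import statistics


class AdaptiveFeedPoller:
    """Picks the next poll delay for one feed from its observed update history.

    Policy (an assumption for this example, not any real reader's behaviour):
    - With fewer than two observed updates, back off exponentially from
      min_interval on each poll that finds nothing new.
    - With a history, poll at half the median gap between observed updates,
      so a change is noticed within about half a cycle, and keep backing off
      if the feed then goes quiet for longer than that.
    - A poll that finds new content resets the backoff.
    Every delay is clamped to [min_interval, max_interval].
    """

    def __init__(self, min_interval=900, max_interval=7 * 86400):
        self.min_interval = min_interval
        self.max_interval = max_interval
        self.update_times = []  # times (seconds) at which new content was seen
        self.misses = 0         # consecutive polls that found nothing new

    def record_poll(self, now, changed):
        if changed:
            self.update_times.append(now)
            self.misses = 0
        else:
            self.misses += 1

    def next_delay(self):
        backoff = self.min_interval * (2 ** self.misses)
        if len(self.update_times) >= 2:
            gaps = [b - a for a, b in zip(self.update_times, self.update_times[1:])]
            estimate = max(statistics.median(gaps) / 2, backoff)
        else:
            estimate = backoff
        return max(self.min_interval, min(self.max_interval, estimate))


def simulate(poller, true_updates, horizon):
    """Drive a poller over a constructed timeline of real update times.

    Returns (number_of_polls, worst_detection_lag_seconds), where the lag is
    how long the oldest unseen update waited before a poll picked it up.
    """
    now = 0.0
    polls = 0
    seen_up_to = 0.0
    worst_lag = 0.0
    pending = sorted(true_updates)
    while now <= horizon:
        polls += 1
        new = [u for u in pending if seen_up_to < u <= now]
        if new:
            worst_lag = max(worst_lag, now - min(new))
            seen_up_to = now
        poller.record_poll(now, bool(new))
        now += poller.next_delay()
    return polls, worst_lag


if __name__ == "__main__":
    # Constructed feed: one post every 14 days, watched for 180 days.
    updates = [k * 14 * 86400 for k in range(1, 13)]
    horizon = 180 * 86400
    fixed = AdaptiveFeedPoller(min_interval=3600, max_interval=3600)   # hourly, like a fixed timer
    adaptive = AdaptiveFeedPoller(min_interval=900, max_interval=7 * 86400)
    for name, p in (("fixed hourly", fixed), ("adaptive", adaptive)):
        polls, lag = simulate(p, updates, horizon)
        print(f"{name}: {polls} polls, worst lag {lag / 3600:.1f} h")
```

The trade-off is visible in the numbers: a fixed hourly timer makes thousands of requests to catch twelve posts with no lag, while the adaptive poller makes a small fraction of them and never lags more than its maximum interval. A production client would also honour the server’s HTTP caching headers and use conditional requests, which is orthogonal to choosing the interval.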