Slashdot Mirror
OS X Leopard Firewall Flawed
cycoj writes with a report in the German IT magazine Heise, taking a look at the new OS X Leopard firewall. They find it flawed. When setting access to specific services and programs to only allow SSH access, for example, they found that a manually started service was still accessible. From the article: "So the first step after starting Leopard should be to activate the firewall. The obvious choice to do so is the option to 'Set access to specific services and programs,' which promises more control over network traffic. Mac OS X automatically enters all shared resources set up by the user, such as 'Remote login' for SSH servers, into the list of accessible resources... However, initial functional testing quickly dispels any feeling of improved security. A service started for testing purposes was able to be addressed from outside without any difficulty. The firewall records this occurrence... Even with the firewall set to 'Block all incoming connections' ports to netbios, ntp and other services were still open... Specifically these results mean that users can't rely on the firewall."
As any new OS out there, these are childre diseases. Every new system will have problems: small problems and big problesm. The difference is that some will get praise anyway and some others will get "defectivebydesign" or "haha" tags.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
Couldn't you argue that more layers = more possibilities for attack vectors?
Also, FYI, a hardware firewall is just a dedicated software firewall.
I thought it was illegal for Germans to do this kind of investigation now. Is it? I mean, it requires "hacking tools."
Unfortunatly, Apple's apparently company line (based on what I've heard from Apple sales reps) is that you don't need any "3rd party security software". Specifically, I overheard a salesperson speaking to a customer who was buying a notebook computer for his daughter (who was going to college), saying that the customer didn't need to purchase any of that kind of software, because OS X had no security holes. I did restrain myself from taking the salesperson to task for this in front of the whole store - but only because I didn't want to get kicked out of the store - as I hadn't completed my purchase yet. If I'd already gotten my iPod, I would have, as least, brought this to the manager's attention. As it is, it'd been a long day, and I wanted to get my iPod and go, so didn't make a deal about it.
In retrospect, I should have made a bit of a fuss about it, and were the situation to happen today, especialy with what I learned from TFA, I would certainly have called the salesperson on this (albeit after I'd gotten my iPod - I'd rather not get kicked out of the store before I made my purchase).
Zagreus sits inside your head, Zagreus lives among the dead, Zagreus sees you in your bed and eats you in your sleep.
Er, yeah, but... these are Mac users you're talking about. The people who've been sold a computer that ordinary people can use without being computer experts, and which doesn't get viruses like Windows does. (Not counting the Linux refugees, of course.)
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
http://leofud.blogspot.com/
Specifically that the open|filtered may mean the ports are in a stealth mode... which is what you want!
I did a port scan of my Leopard machine from a Tiger machine and didn't see any open ports at all. I'm not running the firewall either -- but I don't have any services turned on right now. That's the way OS X ships by default (and has since as least 10.2).
Not arguing that things couldn't be better communicated by Apple, but I think an article claiming they're taking a Microsoft-esque tact toward security is more than likely politically loaded.