Sunday, April 26, 2015

Debian Jessie Turns Stable

I know it's hard to hear me over the din of the roof-raising Debian release parties, but I'll try.

Debian Jessie turned stable today, so what does it mean for PowerPC users? It's been a two-year, sometimes harrowing ride for Jessie, but now that it's turned Stable, I think it's... okay. On Mac models where it works well, like my aluminum Powerbook, it's great and a nice improvement over Wheezy. Unfortunately some models experience serious bugs out of the box, but the good news is there are workarounds. On that subject, I've just updated my Debian install guide taken from my own experiences installing on a few different Macs.

Yes, there's a major sound bug affecting my G3 iBook, and according to reports, several other models, but there's a workaround. There are some severe graphics bugs, but there are workarounds. I'm hoping this is a time of transition for PowerPC Linux, where the right bug reports and testing will lead to a better-out-of-the-box experience around the corner.

I've seen people write that we shouldn't bother filing bug reports on KMS because KMS on PowerPC will never be fixed. I'm going to test that theory. I have a black screen of death issue with my iBook that requires disabling KMS, so I'll file a bug report on that and see where it goes. On the sound bug front, a developer doing I2C work just popped in on the Debian PowerPC mailing list and offered to work on it, with the right assistance. If there's anyone with an afflicted machine who can compile custom kernels, I'm sure he'd appreciate your help. If it's gonna be me, theeeeeeen I guess I better learn how to compile custom kernels.

Also, a shoutout should go to Ubuntu MATE's PPC maintainer for making patched Mesa binaries available that also work on Jessie.

Here are a couple of screenshots of my iBook's Openbox desktop (my Powerbook ain't all purtied up yet):

Openbox menu

Openbox Desktop

Monday, April 6, 2015

Set Up That Server You Always Wanted To

You've probably read about servers, and if you've never run one before, thought it sounds like a cool thing to do. You also may have a spare PowerPC Mac lying around doing nothing, which is why this post is about you (yes, I can see you). I have an old Sawtooth that I just can't quit—they're terrific machines—and I wanted to write a post on how I set it up as a headless file/bittorrent server that's so simple anyone can do it.

The first consideration is the hardware. Electricity consumption is one reason, and hard drive space is another. If you're lucky enough to have a Sawtooth, they offer the best balance of the two. Mac Minis consume the least power but may have limited hard drive space. A laptop with say a broken screen would also be a low-power alternative. Sawtooths use about 50 watts at idle in their basic configuration, and subsequent Power Macs used a bit more until G5s came along idling at 150 watts. So a G5 is a bit impractical for our purposes.

So now that you got the hardware, what do you do with it? You could set up a music server, a print server, or a backup server among other things. I wanted a bittorrent server because I'm on a private tracker for classic films and need to seed a bunch of films long-term without taking up space on my Powerbook. I also wanted something I could sync backups to via Unison. Finally I wanted to sleep the computer at night, so I'll be doing this on OS X and not Linux.

Before you go completely headless, you'll want to set up a few things on your server with a monitor attached. First, give it a static IP address because you'll have to forward ports to it and you don't want your router intermittently changing the server's address. To do this, go into Network Preferences, and under the TCP/IP tab choose "Configure IPv4:" "Manually". Then fill in an IP address your router hasn't already assigned as well as your router address. You can see an example below:


You'll also want to install a VNC server which will let you control your headless Mac from your other computers. VNC stands for Virtual Network Computing, and in practical terms it means you can display your server's desktop on any other computer with a VNC client. So this server business doesn't have to be all SSH commands and terminal outputs. It can be point and click just like any desktop.

OS X's Preferences has something similar to VNC called Apple Remote Desktop that's compatible with VNC clients, but people complain it's slow and I also don't see any SSH options, so it's not secure. A pure VNC server has a remote login option so your sessions will be secured through SSH. The best server for PowerPC is Vine Server (OSXvnc). There's a slightly updated version at this TestPlant page, and manuals, too.

So once you've installed that and any other software you want to operate, like a bittorrent client, you're all set to go headless.

The next step is to forward ports on your router so it knows which computer to send all the traffic to. In your router's administration, forward port 22 to your server's IP address as TCP only. Port 22 is for SSH. For VNC, forward ports 5900 to 5909, also TCP only, to your server's IP address. I've also forwarded a port for my bittorrent client, Transmission (the same port number you set in Transmission's preferences).

Finally it's time to download a VNC client, and the one and only choice is Chicken (formerly Chicken of the Sea VNC). Other clients may be just as good, but none can match its dock icon, a chicken popping out of a tuna can. If you already have Tenfourbird, TenFourFox, and Cyberduck, this will look right at home among them. Don't forget to check Chicken's SSH tunneling option and that Chicken's SSH host is not just the IP address but username@IP address, like dan@192.168.1.160. Also, you should already know to have a strong password, but I'll reiterate it anyway. Especially with port 22 open, you should have a strong password.

Now when you click connect you should see the server's desktop on your client desktop.


(the password is actually longer than that graphical string indicates)
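With Chicken's SSH tunneling option on, the VNC session travels over port 22, so it's worth checking on the server which addresses the VNC ports really listen on. The script below is an added example, not from the original post: it reads `netstat -an` output (the sample lines are constructed) and lists every listener on ports 5900-5909 that is reachable from something other than loopback. `open_vnc_tunnel` is the manual equivalent of the tunnel, with local port 5901 as an arbitrary default.

```sh
#!/bin/sh
# Added example, not from the original post.

# Constructed sample of `netstat -an` output in the OS X / BSD layout.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0  192.168.1.160.22       192.168.1.20.49152     ESTABLISHED
EOF
}

# exposed_vnc_listeners: reads `netstat -an` text on stdin and prints the
# local address of each LISTEN socket on ports 5900-5909 that is not bound
# to loopback. Accepts both the BSD "addr.port" and Linux "addr:port" forms.
exposed_vnc_listeners() {
    awk '
        $6 == "LISTEN" {
            # The port is whatever follows the last "." or ":".
            n = split($4, parts, "[.:]")
            port = parts[n] + 0
            if (port < 5900 || port > 5909) next
            # Everything before that last separator is the bind address.
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "127.0.0.1" || addr == "::1" || addr == "localhost") next
            print $4
        }'
}

# open_vnc_tunnel USER@HOST [LOCAL_PORT]
# Forwards LOCAL_PORT on this machine to port 5900 on the server through
# SSH; point the VNC client at localhost:LOCAL_PORT while it runs.
open_vnc_tunnel() {
    ssh -N -L "${2:-5901}:127.0.0.1:5900" "$1"
}

# Demo on the constructed sample. On the real server run:
#   netstat -an | exposed_vnc_listeners
sample_netstat | exposed_vnc_listeners
```

An empty result means VNC only answers on loopback, which is all a tunneled session needs.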

As for putting your new server to sleep on occasion, you can set Energy Saver preferences on some Macs to have the power button sleep the computer, but if your Mac is in a hard-to-reach location there's another alternative. It's called Wake-On-LAN*, and it's a simple packet that sleeps and wakes your computer over the network. There's a WOL utility conveniently called WakeOnLan that works on Tiger through Snow Leopard but reportedly not on Lion. I read there are also several iOS apps for this. I also read, though I haven't tried this, that you can forward port 4343 and sleep/wake your computer from outside your network, assuming you know your network's IP address. In either case, you must check "Wake for Ethernet network administrator access" in your server's Energy Saver preferences.

*I believe this only works on ethernet-connected servers in Tiger and Leopard. Wake-On-Wireless was enabled in Snow Leopard.

Speaking of using servers from outside your network, you can control Transmission remotely as well, but I won't go into that here. Skip over to OS X Daily for more on that.

If you want to do all this on Linux, the good news is there are graphical VNC clients. The bad news is I don't know of any graphical server programs, so you have to set it up through the command line. Also, setting up a static IP address requires editing configuration files, so it's a little more involved. Though hopefully not insurmountable.

That's all, folks!

Saturday, March 28, 2015

Some Linux News

If you've been perplexed and flummoxed by the crash-on-startup problems with webkit browsers, a fix appears to be on the way. This Ubuntu bug report has several links to other various bug reports on the same problem, so if you want to delve in deeply, go crazy. There are also patch files for testing posted here. The Debian bugs marked resolved indicate the patches will migrate into Testing soon, so hopefully our Long Webkit Nightmare will be over.

You may have heard of Ubuntu Mate, which as the name indicates brings the Mate desktop to Ubuntu. In a bit of good news, they've announced their 15.04 release will officially support PowerPC. If you want to test their beta, go visit their download page (they prefer you choose the torrent download). Also, check out this screenshot sent by rican-linux of the Mate desktop + Numix theme:

Mate screenshot

Finally, there's a new fork of Debian as a fallout from the whole systemd debacle. Now that Debian basically requires systemd, an association of system administrators has left the Debian project to produce a fork promoting init freedom. Their project is called Devuan and they promise a seamless transition from Debian 7 to Devuan 1. We'll see. I wonder if they'll support PowerPC and other architectures.

Wednesday, February 25, 2015

Take Flight with Fly! II

When people talk about flight simulators for Macs, they mostly talk about X-Plane, but there was another somewhat overlooked flight sim for PowerPCs called Fly! by Terminal Reality. Actually that was the name of the first incarnation, but the sequel which we'll mostly focus on here was called Fly! II and ran on both OS 9 and X. I had the original Fly!, but when Fly! II came out I didn't give it much thought as it was met by a bunch of negative reviews for being incomplete and rushed. The distributors apparently thought it was more important to compete with a new Microsoft Flight Simulator release at the time than it was to put out a finished product.

Fast forward a few years and I see Fly! II is abandonware on Macintosh Garden, so I decided to check it out. While the interface was less polished than the original Fly!, it offered better graphics and made for a potentially better development platform for creating custom scenery and additional aircraft--if you could get the editing functions to work. And this illustrated one of the biggest problems with Fly! II. It was buggy, and on Macs the built-in editor didn't work. It turns out there were several patches released, coalescing into one grand final patch, but the Mac version of it seemed to have completely disappeared from the web. It was supposedly available at the AVSIM Library, but they had a hacker attack a few years ago and didn't keep backups, so they suffered massive data loss including the Mac patch.

So we were kind of stuck. But then, just recently, a random good samaritan uploaded the final Mac patch to Macintosh Garden and rescued us from our doldrums. I ran the patch, and suddenly the editor works. I can import elevation meshes without it crashing, 3 arc second elevations that address one of my biggest problems with Fly! II graphically.

When you first run Fly! II, you get just the default scenery and elevations. The generic scenery isn't bad, but the elevations have so few data points it makes everything look like rolling hills. So I downloaded a bunch of 3 arc second elevation tiles from the USGS website (one data point every 90 meters), imported them into Fly! II, and what a difference it makes. Everything looks more realistic, and familiar geographic features look familiar again. Here's an example of Washington's Mt. Rainier with the default elevations and the enhanced (click to enlarge):

Fly! II default elevations

Fly! II enhanced elevations








So now with these new elevations, I can finally enjoy Fly! II with all its other advantages over X-Plane, including its superior plane and flight models and overall realism in flight procedures. The enhanced elevations I made cover the US West Coast (most of Washington and Oregon, all of California, and parts of Nevada), and if you want to download them I've made them available here. But all that would be kind of useless if you live somewhere else, so here's a quick tutorial on how to make your own elevations in Fly! II.

First, go to USGS's Earth Explorer website and choose the area you want on the map (click to enlarge):

Earth Explorer screencap

Then click the "Data Sets" tab and expand "NASA LPDAAC Collections", then "NASA SRTM (SRTM3) Collections", where you can finally choose "NASA SRTM3 SRTMGL3". Click the "Results" button and you can download the files.

When you unzip them on your hard drive, you get a bunch of .hgt files that you must rename to a .ras extension. Now you can import them into Fly! II by launching the program and pressing Command - e to enter the editor. Under the scenery editor's Tools menu, select "Import Scenery...", then check "Generate Elevations", choose your DEM file to import, and fill in the necessary data. The example below is for the SRTM3 file N32W115.hgt which I renamed N32W115.ras (click to enlarge):

Fly! II editor

The first row latitude and longitude is for the lower left corner of the tile, and the second row is for the upper right corner (the longitudes go backwards when counting from west to east). The samples width and height are always 1201 x 1201 for single tiles. For "Subdivide Tolerance" the default is 500 feet, but I changed it to 200. Some people recommended going all the way down to 50, but I thought that made hilly terrain look too jagged. Finally, click "Import" and let it do its thing.

When doing these one at a time, the results aren't perfect. Sometimes data from neighboring tiles gets overwritten and some blank spots will occur where it falls back to the default elevations. A better way is to combine the .hgt files into one big .ras file, but for that you need two Windows programs, 3DEM and 3DEMBin2Ras (available at the AVSIM Library), and either Virtual PC or an actual Windows computer. I have Virtual PC 4, and it worked but since Virtual PC 4 has a 512 MB memory ceiling, I was limited to combining only 6 x 6 squares. In any event, the process is simple. Open the multiple .hgt files in 3DEM, wait for it to render, then choose "Save Terrain Matrix" from the file menu. From the save options that pop up, choose "Binary Signed Integer". This will give you one big .BIN file which you then use 3DEMBin2Ras to make a minor endian conversion so the file can be imported into Fly! II. The resulting file will have a .RAS extension which you must rename to a lower case .ras. Apparently Fly! II only likes lower case extensions.

When importing a combined .ras file into Fly! II, the procedure's the same as a single tile, except the sample width and height will be a multiple of 1200 plus one. For example, a 2 x 2 square (2 tiles across horizontally) will be 2 x 1200 + 1. So the sample width and height will be 2401 x 2401. For a 4 x 4 square, the width and height will be 4801 x 4801, and for a 6 x 6 square the sample width and height will be 7201 x 7201. And for this I only tried perfect squares--I don't know if 3DEMBin2Ras conversions work on rectangles.

Finally, be mindful that you get the lower left and upper right corner coordinates correct on the combined files.

Online resources for Fly! II are starting to dry up. For a long time there was the site Fly.Simvol, but lately it's giving an "Internal Server Error." It's still accessible with the Internet Wayback Machine. Also, their downloads are still available at fichiers.simvol.org/fly/fly_2/ including some cool planes and France scenery add-ons, but I don't know how long that'll last so grab them while you can.

Another good resource is the AVSIM Library (free registration required). There you can find all kinds of user-created scenery add-ons and utilities, etc, of which I plucked many taxiways and airport sceneries. There's also a file library at FlightSim.com which has "Fly!II Blue Sky", a sky.ini replacement that looks much better than the stock sky, especially with water reflections turned off.

On the subject of performance tweaks, there are a couple of hand edits you can make to improve framerates. The simulator itself has several scenery sliders and sound options you can adjust, but beyond that you'll want to open fly.ini in Fly! II's "System" folder and change the "popBuildingsIntoView" value from 0 to 1, and "popBuildingsTolerance" to something like 8 or 10. These changes make 3D buildings pop into view only when you get close, and increasing the "popBuildingsTolerance" value decreases the distance at which they become visible.

Also, open render.ini in the same folder and you'll see about a dozen MaxTextures lines. I changed "maxTextures128" from 64 to 250 and got a modest boost in framerates, but more importantly the simulation became much smoother and less herky jerky. This has to do with the slots Fly! II allocates to your graphics card, and flying with the debug info turned on, I saw that there was a logjam with the 128 x 128 textures. You can read more about render.ini settings at the Fly.Simvol FAQ.

Your Mac's menubar will present somewhat of a complication. In the original Fly! the spacebar could hide it, but in Fly! II it's always there in the way. To hide the menubar with the spacebar in Fly! II, you need to add the line "allowHiddenMenubar=1" to your fly.ini, and this will only work in Mac OS 9, not in OS X. And it's a bit glitchy when unhiding, which is probably why it's not there by default. Though OS X users can't hide the menubar, they can run the simulation in windowed mode to get the full 1024 x 768 resolution without the menubar blocking its portion of it. To do so, have "autoFullScreen" equal 0 in fly.ini.

Though it's getting long in the tooth, Fly! II is definitely still the best flight simulator for Macs running OS 9, and may even be the best for PowerPC Macs on OS X. Hardware requirements are somewhat different depending on which system you have. Framerates are better in OS 9, so there you may want a 733 MHz chip or higher with a decent graphics card. OS X users will need a higher end PowerPC. It runs reasonably well on my aluminum Powerbook, but I wouldn't want to use it on anything less.

One last note about the elevations I made, there's a hole in the Earth off the coast at San Simeon, CA, near where Hearst Castle is. This is due to that particular SRTM file having the ocean at an elevation of -9 meters, which the Fly! II editor interprets as a bottomless fathom. I suppose you can edit the data files to fix it, but I decided to leave it in as a monument to weirdness.

And since this post is approaching terrorist-manifesto-length, I think I'll sign off now.

Thursday, February 5, 2015

Adblock Plus vs. uBlock vs. Bluhell Firewall

It's been awhile since I did one of these Spy vs. Spy posts, but with a couple of new ad blocking extensions on the scene, what better occasion for a good old-fashioned deathmatch? The two new kids on the block are uBlock (now called uBlock Origin, see update at bottom) and Bluhell Firewall, both Firefox extensions with uBlock also available for Chrome and Safari. They'll be taking on the gorilla in the room, Adblock Plus, the ad blocker practically everybody has on their computer. But do they know what lurks beneath?

Adblock Plus has had its share of controversies, but one of the main ones has been its performance. It's been accused of slowing the browser launch and being a memory hog, even if it does eliminate more ads than the competition. Bluhell Firewall and uBlock advertise themselves as being significantly lighter on resources, so let's put them to the test and see who's truly worthy.

I'll be testing for browser startup time, RAM usage on startup, and RAM usage with three tabs open (the three being IMDB, OS X Daily, and Gawker). The tests will be done on my Powerbook with TenFourFox 31 running a fresh profile with no other extensions. As a frame of reference, let's start out with no ad blocking:

startup time -- 8.5 seconds
RAM on startup -- 122 MB
RAM with three tabs open -- 265 MB

Those numbers are rough averages after a couple of run-throughs. Since the results were consistent, I didn't bother with more than two. Now let's get to Adblock Plus:

startup time -- 15 seconds
RAM on startup -- 200 MB
RAM with three tabs open -- 375 MB

The startup time includes about five seconds of a spinning beach ball while the ad blocker initializes. As you can see the memory went way up. Now let's see how uBlock does:

startup time -- 8.5 seconds
RAM on startup -- 165 MB
RAM with three tabs open -- 280 MB

No impact on startup time and modest bumps in memory usage. Finally, here's Bluhell Firewall:

startup time -- 8.5 seconds
RAM on startup -- 123 MB
RAM with three tabs open -- 215 MB

If memory is what you're going by, Bluhell is the clear winner. But does that mean it's the best? Its filters not being as extensive as Adblock Plus's, it lets the occasional ad through. It also lacks a whitelist feature, so you can't make exceptions for websites you want to support. Some people also report some site breakage.

In my opinion, uBlock is the more interesting alternative. It supports whitelists and is available on all major browsers. And as far as ad blocking goes, it's no slacker compared to Adblock Plus. In fact, Adblock Plus was overly aggressive, filtering out all of Gawker's "Promoted by..." posts. Most of those are embedded ads, but some are guest essays that, no matter how pretentious, should never be blocked.

I've always used NoScript combined with CSS rules based on floppymoose (the one shipped with Camino, to be exact) for ad blocking, but it's kind of a pain to edit your UserContent.css to include new rules for ads that get through. UBlock seems the more up-to-date option. In any event, NoScript should remain an essential item in your PowerPC toolbox to keep the Web loading fast and smooth while avoiding javascript catastrophes like this one, or this particular holocaust. I know there are a lot of about:config tweaks out there that promise big speed benefits (pipelining, etc), but they don't deliver much. To enhance the speed of your browser, it's really all about NoScript and a good ad blocker.

(UPDATE: Since the writing of this post, uBlock's original developer has left and begun a fork called uBlock Origin. UBlock will continue with new maintainers, but uBlock Origin is intended to maintain the original code with bug fixes rather than adding new features. UBlock Origin has dropped support for Safari, so Safari users should stick with uBlock.)

Thursday, January 22, 2015

Dropbox Pulls a TurboTax

So Dropbox ended support for PowerPC. That happened. Going forward, their client will require Snow Leopard, and not only that, but the old clients will stop functioning so you'll only be able to access your data through their web interface. The official cutoff date is May 18, but to try to mitigate this and at least get Dropbox to allow PowerPC users to continue using their old clients, Martin Kukač from viva PowerPC has posted an open letter urging just that. You can read the whole thing here:

http://vivapowerpc.blogspot.cz/2015/01/an-open-letter-to-dropbox-team.html

Also, to add your voice and show Dropbox there's still a demand from PowerPC users, you can go to their forums and post to this somewhat long thread, or even start your own.

As for Dropbox alternatives, I hear second-hand that SugarSync still works with their old Tiger client (direct download). Also, you can try Unison, which I wrote about awhile back. If you're syncing several PCs/devices with Dropbox and only one PowerPC Mac, perhaps you can sync your Dropbox folder with Unison. It's not totally seamless, but it may be workable. If you want to share files with a group of collaborators, you can look into Box.com. They support WebDAV as does Cyberduck, so uploading or downloading the latest file versions with Cyberduck as your client is simple and quick. And if you're accustomed to using Dropbox to transfer individual files to and from your iOS devices, DropCopy can do that for you, too (Tiger and Leopard users, download the Older Version).

As for me, I don't sync on the cloud. I use Unison to sync over my home network. I have to take my Luddite nomenclature seriously.

UPDATE: The editors at LowEndMac have put up a petition at Change.org: Continue to support Dropbox on Mac OS X 10.4 and 10.5.

Monday, January 12, 2015

Getting Started With pkgsrc

Package managers are fun. Package managers are an easy way to get updated software onto your system and keep them up to date, and also an essential tool in maintaining a legacy system like OS X on PowerPC. The best known package managers on OS X are MacPorts and Homebrew (Tigerbrew on PowerPC), but there's another one from BSD land called pkgsrc. Sevan from GeekLAN has made a repository of pkgsrc binaries available for PowerPC users, so here's a quick rundown on how to start using pkgsrc.

Open Terminal.app and enter the following to download and install the pkgsrc tools (all one line):

curl -s http://sevan.mit.edu/packages/bootstrap.tar.gz | sudo tar -zxpf - -C /

Then add the following two lines to your ~/.bash_profile (you can create the file if it doesn't exist):

export PATH=/usr/pkg/sbin:/usr/pkg/bin:$PATH

export PKG_PATH=http://sevan.mit.edu/packages/All/

(don't leave out the trailing / on that last url) Tiger users can then use "sudo nano" to open /usr/share/misc/man.conf and add this line (Leopard instructions are slightly different, please reference the above GeekLAN post for details):

MANPATH=/usr/pkg/man

Finally, close the Terminal window and open a new one so that your new paths are in effect. Now you can begin installing software. Let's say you want GnuPG for use with Enigmail or to encrypt files and folders with gpg encryption, for instance. Simply enter the command:

sudo pkg_add gnupg

You can also try the "-i" option if you're feeling social. After 20 seconds or so the install should be complete and you'll find your gpg tools in /usr/pkg/bin, all ready to go.
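The bootstrap one-liner above unpacks an archive fetched over plain HTTP straight into / as root. The script below is an added example, not from the original post or from GeekLAN: it saves the download to a file, compares its SHA-256 to a known value, and refuses to extract if any archive member falls outside the expected directories. The checksum is a placeholder because the post publishes none, and the allowed prefixes are an assumption about what the bootstrap contains.

```sh
#!/bin/sh
# Added example, not from the original post.

BOOTSTRAP_URL="http://sevan.mit.edu/packages/bootstrap.tar.gz"  # URL from the post
# Placeholder: obtain the real value from the maintainer over a separate,
# trusted channel. The post itself does not list a checksum.
EXPECTED_SHA256="REPLACE_WITH_PUBLISHED_SHA256"
# Assumption: bootstrap files belong under these directories only.
ALLOWED_PREFIXES="usr/pkg var/db/pkg"

# sha256_of FILE: print the hex digest using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# unexpected_tar_entries ARCHIVE: print members that are absolute, contain
# "..", or sit outside ALLOWED_PREFIXES. No output means the listing is clean.
unexpected_tar_entries() {
    tar -tzf "$1" | while IFS= read -r entry; do
        path=${entry#./}
        case "$path" in
            ""|.) continue ;;
            /*|..|../*|*/..|*/../*) printf '%s\n' "$entry"; continue ;;
        esac
        ok=no
        for prefix in $ALLOWED_PREFIXES; do
            # Member is the prefix itself or something below it.
            case "$path/" in "$prefix"/*) ok=yes ;; esac
            # Member is a parent directory of the prefix, such as "usr/".
            case "$prefix/" in "${path%/}"/*) ok=yes ;; esac
        done
        [ "$ok" = yes ] || printf '%s\n' "$entry"
    done
}

# install_bootstrap: download, verify, inspect, and only then extract as root.
install_bootstrap() {
    tmp=$(mktemp -d /tmp/pkgsrc.XXXXXX) || return 1
    archive="$tmp/bootstrap.tar.gz"
    curl -fsS -o "$archive" "$BOOTSTRAP_URL" || return 1
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$EXPECTED_SHA256" ]; then
        echo "checksum mismatch: got $actual" >&2
        return 1
    fi
    bad=$(unexpected_tar_entries "$archive")
    if [ -n "$bad" ]; then
        echo "refusing to extract, unexpected entries:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    sudo tar -zxpf "$archive" -C /
}

# Nothing is downloaded unless the script is run as: sh bootstrap.sh install
case "${1:-}" in
    install) install_bootstrap ;;
esac
```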

So what are the advantages of pkgsrc? You'll notice no compiling was necessary, in contrast to MacPorts which compiles everything, including dependencies already native to OS X. There's a good reason MacPorts does that, but still, it takes forever. Homebrew alleviates this somewhat by relying on native OS X frameworks instead of installing its separate set of dependencies, but Homebrew embeds itself in your /usr/local, which makes it hard to get out of the way if you're juggling more than one package manager. Pkgsrc creates its own directory, /usr/pkg, which can easily be moved with the mv command when you need it out of your path.

The binaries Sevan has built are easily browsable at sevan.mit.edu/packages/, so go check it out.

Package managers are fun. You can use them to install simple console programs, or you can install groups of dependencies that can allow you to compile software, like this person who compiled RawTherapee to run on Leopard.

More on pkgsrc here, including how to build packages from source.

Thursday, December 18, 2014

OS X PowerPC Security Holes Katy Perry Kate Upton Chili Hot Dogs!!!

Given that Leopard and below are no longer supported by Apple, it's reasonable to expect security holes to pop up every now and then, and though Apple will never officially patch them, us PowerPC users can at least come up with the necessary workarounds. The only problem is, news of these vulnerabilities is a bit scattered, so I wanted to put up one post that's a compilation of all the security holes you should be aware of when running OS X on PowerPC--hence the clickbait title, I want everyone to see this (sorry Katy Kate fans). This post will also be linked on the right and updated as more security exploits are discovered.

Here's the big list, and honestly, this is mostly about linking to posts on Cameron Kaiser's TenFourFox Development blog since he wrote the bash replacement below and knows just as much as anybody:

1) Yes, the bash that comes with your PowerPC Mac is compromised. Cameron Kaiser was nice enough to build a new version that fixes the security flaw so us PowerPC users can rest easy (also works for Snow Leopard).

2) SSLv3 is no longer safe. The solution here is to update TenFourFox and Tenfourbird to their latest versions which disable SSLv3. Webkit browsers that depend on the system SSL libraries remain vulnerable.

3) Certain versions of OpenSSL have a hole. Older OpenSSL-based libraries bundled with Tiger and Leopard are not vulnerable to this specific bug, but if you have versions 1.0.1 to 1.0.1f installed on your system through Macports or Homebrew/Tigerbrew, you'll want to update to the latest version.

4) That handy tool sudo, giving you root access from the command line, is vulnerable to an exploit. Check this post for the solution and also look down to the comments on how to use nano to correct it in case vi is a mystery to you.

5) Flash is not safe.

6) Java is not safe. I've seen links about installing Open JDK 7 on Leopard, but I don't know how feasible it is. You could also put Debian on a separate partition and run the latest Java from there.

7) Finally, your Firewire ports are vulnerable to physical attack. You can check out Adam Albrec's Security Mode scripts to secure your laptops from this and other vulnerabilities.
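The version range in item 3 can be checked mechanically. This added example (not from the original post or from TenFourFox Development) runs `openssl version` on each copy it finds and flags releases 1.0.1 through 1.0.1f. The paths are assumed default install locations for the system, MacPorts, Homebrew/Tigerbrew and pkgsrc, and the version lines quoted in the comments are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original post.

# openssl_affected LINE
# LINE is the output of `openssl version`, for instance
# "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample). Succeeds when the
# release is 1.0.1 through 1.0.1f, the range given in item 3. A suffix such
# as "-fips" or "-beta1" is ignored, which errs on the side of flagging.
openssl_affected() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%%-*}
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Assumed locations: system copy, MacPorts, Homebrew/Tigerbrew (linked and
# keg-only), pkgsrc. Add any other prefix you have installed into.
OPENSSL_CANDIDATES="/usr/bin/openssl /opt/local/bin/openssl /usr/local/bin/openssl /usr/local/opt/openssl/bin/openssl /usr/pkg/bin/openssl"

# audit_openssl: report every copy found and whether it needs updating.
audit_openssl() {
    for bin in $OPENSSL_CANDIDATES; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        if openssl_affected "$line"; then
            verdict="UPDATE (1.0.1 to 1.0.1f)"
        else
            verdict="outside the range"
        fi
        printf '%s: %s -> %s\n' "$bin" "$line" "$verdict"
    done
}

audit_openssl
```

This only sees the command-line binaries; an application that bundles its own OpenSSL library has to be checked separately.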

As said, this post will be continually updated with developing news. Hopefully the list won't get too long. ;-)

UPDATE I:

And I've been informed of yet another one. The Diginotar SSL certificate is compromised. This was back in 2011 and was the first time Apple released a security update that didn't include PowerPC, so maybe that's why I blocked it out. Follow the step-by-step instructions at $ ps | Enable (their mpkg automator didn't seem to change things for me) to clear your system. This flaw only affects you if you use Safari or another browser that accesses your system's SSL certificates. It does not affect TenFourFox.

UPDATE II:

Via TenFourFox Development again, there are potential vulnerabilities in OS X's ntpd (Network Time Protocol daemon). This is used when you sync date and time automatically with Apple's time server in the Date & Time System Preference. I say potential because the typical user won't find themselves vulnerable, but people using ntpd in more elaborate ways should read the referenced blog post. A new version compiled for PowerPC is linked there for download.

UPDATE III:

Time to get your FREAK on! That's FREAK for "Factoring Attack on RSA-EXPORT Keys." Once again, if you're using TenFourFox you're not vulnerable, but Webkit users are. The comments on this post seem to indicate that (as of 3/8/15) development on Leopard Webkit is continuing and an update that ultimately plugs the hole may be arriving soon.

UPDATE IV:

This one's called Darwin Nuke and in theory can enable an outsider to trigger kernel panics on your system. I say in theory because Cameron Kaiser reports he's unable to trigger a successful attack against his PowerPC systems. However, since the vulnerable code does exist in the Tiger and Leopard kernels, it's safest to disable all incoming ICMP traffic on your router's firewall. On my Linksys router, this was already disabled by default with the Security --> Firewall setting, "Block Anonymous Internet Requests". If you don't see anything comparable on your router, google your router's brand and "disable ICMP". ICMP is used by network administrators for troubleshooting purposes, so the average user doesn't need it, anyway.

UPDATE V:

Run this RootPipeTester tool to see if you're vulnerable to something called systemsetupusthebomb. Read in detail at TenFourFox Development, but the short version is you should open your Security preference pane and check "Require password to unlock each secure system preference" (wording may be slightly different on Leopard), and you'll be secure against all known attacks. For an even more airtight solution, rename your writeconfig file according to the instructions Cameron Kaiser laid out on the linked post above.

Monday, December 8, 2014

Lock Down Your Mac With Security Mode

You may recognize Adam Albrec as the author of PPC Media Center, a suite of Applescripts that serves as a GUI wrapper for youtube-dl, and as a past guest poster here. Well, he's back, this time with another package of Applescripts called Security Mode (download at bottom of post). If you've ever wondered what it would take to completely lock down your PowerPC laptop in the modern jungle out there, this is what you've been waiting for.

Along with the Applescripts comes a very extensive Read Me file that has a lot of general tips as well as how to use/edit the scripts. In all honesty, I'd never heard of the Firewire vulnerability before perusing the Read Me, and I'm supposed to be on top of this stuff.

So what do the scripts do? As Adam writes:

The primary app is a simple toggle that will change your laptop to a 'Secure Mode' which implements the following security features:

- A password is now required to unlock the screen on waking the system from sleep (like after having the lid closed), or once the screensaver has become active.

- The unit will have the screensaver activate after 10 minutes.

- The display will sleep after 20 minutes of inactivity.

- The system will sleep after 30 minutes of inactivity.

- Firewire will be disabled - thus eliminating the threat of a DMA (Direct Memory Access) attack.

...

When toggled again, all the security features listed above go back to normal 'Home Mode':

- No password is required to wake the system or deactivate the screensaver.

- Both display and system sleep are set to 'Never'.

- Firewire will work normally.

As a convenient means of identifying the system's current security status, the Dock position will change in 'Secure Mode' to the left of the screen, and back to the bottom in 'Home Mode'.

The secondary helper app SM Fw-Disabler, when set as a login item, will make sure that whatever mode the system is in when it is shut down, will continue when restarted until the user chooses to change it.

Both scripts store your user name and password in plain text, so you need to keep the scripts on an encrypted volume. FileVault instructions are included in the Read Me for this purpose. Also...

As stated in the script comments, all the settings in the script including the sleep/screensaver times and Dock position changes can be set if the above are not to the user's liking. Those who are great at Applescript will have no trouble at this, but for those who might like some tips, just leave a comment here on the blog and I'll reply ASAP.

Finally, the Read Me concludes with some not-commonly-known tips on PCMCIA expansion bays, Open Firmware passwords, and TrueCrypt. All in all, this is great stuff, so download the scripts and the Read Me at the Mediafire link below:

Security Mode.dmg.zip

(ADDED: This can also be useful for Snow Leopard. It'll take some tinkering with the Applescript, but leave a comment and Adam will be glad to help.)