The macosxhints Forums


paragon 01-29-2009 05:34 AM

didn't we pay lots so we would be protected?
 
hi there, I came across something disturbing... aren't mac systems supposed to be protected from this sort of thing, isn't it misinforming advertisement by Apple.

Mikey-San 01-29-2009 05:44 AM

/!\ ALERT: IF YOU GIVE YOUR ADMIN PASSWORD TO EVILDOERS, BAD THINGS WILL HAPPEN /!\

this text is in lowercase so the forums will let me use caps lock above

paragon 01-29-2009 06:42 AM

well, that doesn't answer the question at all.

Mikey-San 01-29-2009 06:49 AM

Maybe you asked the wrong question.

paragon 01-29-2009 06:53 AM

what, because this specific Trojan is transmitted by using illegal copies??? it is like the view of people on AIDS in the 80s, it wasn't a problem because it was affecting gay and drug abusers... if it is illegal or not there is still a problem that apple promised wouldn't exist. and if you don't want to answer just don't answer.

Mikey-San 01-29-2009 07:16 AM

See, you asked: "Did Apple misrepresent the state of security in Mac OS X? Aren't we immune to this?"

You should have asked: "What can be done about a user who is tricked into supplying his administrator password to malicious software?"

That's the real issue. When a user willingly gives an admin password to a piece of software, that software gains the ability to do whatever it wants. It's an extremely difficult, if not impossible problem to solve because at the end of the day, it's the computer's responsibility to trust the owner's credentials and do what the owner of the computer demands it to do.

There's simply no such thing as a house being immune to the owners giving their keys to burglars dressed up as police detectives.

paragon 01-29-2009 07:21 AM

now you're talking, thanks! is there any way to recognise and spot trojans? are applications posted on pages like apple download and MacUpdate checked by the site for such malware? so what is the advertisement pertaining to? viruses and adware? nothing more?

benwiggy 01-29-2009 08:04 AM

Quote:

Originally Posted by paragon (Post 516046)
a problem that apple promised wouldn't exist.

I don't think Apple ever promised that there would never be security problems on OS X. Which advert do you have in mind particularly?

They certainly made hay by pointing out the viruses on Windows and claiming that OS X was "virus-free". OS X still remains a very difficult platform to create and dissipate viruses across. There are still no viruses "in the wild" for OS X.
But potential security exploits have certainly been discovered and published, to which Apple has issued security updates (sometimes belatedly).

This is not the first Trojan for OS X. There was another one which asked you to download a codec to view porn videos. (Or so I understand...:o) When you installed (deliberately, giving your password) the "codec", it turned out to be a trojan.

Short of publicity, there is very little that can be done to stop the user from doing things to their own computer: no more than if someone were to post a malicious Terminal command here in the guise of a "useful script". You are your own sysop, and responsible for what you do to your system.

I'm not sure where you got the idea that we "paid lots to be protected", either. We paid for the particular combination of hardware and software that Apple creates, which has a whole host of features that we prefer over other choices. There is no "extra cost" factored out which relates to security, like some kind of airport tax.

JDV 01-29-2009 11:01 AM

Some of us have for some time repeated that, despite the fact that the Mac OS was (and still largely is) free from serious threat, there is no way for Apple to have made any 'guarantees' of future attacks. As the Mac OS grows in popularity, it will become a bigger target, and it would be a mistake to assume that it will remain permanently unaffected by malware creators. To be fair, Windows viruses often require the cooperation of unwary users to spread themselves, either by installing some program or visiting some website, or opening an attachment on infected mail. Users are often careless about security. Some people who use anti-virus software, for example, often neglect to update the definitions for the software, leaving them open to new threats. It probably is still not necessary for Mac users to run to anti-virus software, but when that time comes (if it does), it will be necessary to understand how the protection works and do what is necessary to keep it effective.

I simply don't think that Apple claimed invulnerability, although their marketing people may well have taken advantage of the de facto lack of malware to promote their product. In any case, users are not paying an exorbitant amount for the Mac OS unless you compare it to free distributions of Linux. But it's important to note that the age of innocence is probably over. The point several people made about providing your password for installing items you don't know (in some reasonable sense) to be safe is a good one. People simply have to develop better habits if they wish to avoid contamination. The OS can only provide a certain level of protection in and of itself.

Joe VanZandt

brettgrant99 01-29-2009 11:10 AM

Just looking at the title, No, I didn't buy a mac to be protected.

I bought one because I wanted one :)

Brett

tlarkin 01-29-2009 11:36 AM

Every OS is susceptible to these types of attacks. No OS is bulletproof. Whenever you trick people into giving anything admin rights, no matter what platform you have, you will get exploited. Plain and simple. OS X is no exception to this.

hayne 01-29-2009 11:39 AM

[moved to Coat Room]

hayne 01-29-2009 11:45 AM

Quote:

Originally Posted by paragon (Post 516048)
is there any way to recognise and spot trojans?

Any software that you download from a less-than-reputable site (or via P2P) is likely to be a Trojan.

aehurst 01-29-2009 12:54 PM

Still, I sense there may be a lot more attempts to hit Mac in the future and these recent attempts may just be the tip of the iceberg. Time to be extra vigilant I think.

tlarkin 01-29-2009 02:08 PM

Quote:

Originally Posted by aehurst (Post 516113)
Still, I sense there may be a lot more attempts to hit Mac in the future and these recent attempts may just be the tip of the iceberg. Time to be extra vigilant I think.

Now that they have like an 8 to 9% market share they are a more viable target.

cwtnospam 01-29-2009 03:27 PM

This is nothing. Here's a couple of real problems:
http://www.neowin.net/news/main/09/0...-vista-viruses
http://www.cnn.com/2009/TECH/ptech/0...dup/index.html

As long as the worst they can throw at the Mac is a Trojan I won't be worried about my computers. Cautious, yes. Worried, no.

kel101 01-29-2009 04:17 PM

*cancels torrent download*

ahh i joke i joke

tlarkin 01-29-2009 04:34 PM

Quote:

Originally Posted by kel101 (Post 516172)
*cancels torrent download*

ahh i joke i joke

You can download those just don't let your girl friend catch you watching them!:eek:;):D

Jay Carr 01-29-2009 04:46 PM

Quote:

Originally Posted by paragon (Post 516048)
now you're talking, thanks! is there any way to recognise and spot trojans? are applications posted on pages like apple download and MacUpdate checked by the site for such malware? so what is the advertisement pertaining to? viruses and adware? nothing more?

There are a lot of ways to deal with this:
1) Get an anti-virus software (I forget the names of them, haven't used one for a while...)
2) Use a standard user instead of an admin user, thus you have to give your password every time and might think twice about installing stuff...
3) Probably most importantly, only download software from trusted sources! I only download software from people I know and trust, or from companies whose site I navigate to on my own. Don't just go clicking links in emails...

Lastly, I'm an Apple Campus Rep and as such, I am not allowed to speak on behalf of Apple, so I won't. But I will say this: Apple has very strictly instructed me to never tell anyone that OSX is either a) virus free or b) will never be compromised in some way, shape or form. We know it's possible, trust me. Just make sure you protect yourself, k?

Quote:

Originally Posted by tlarkin (Post 516179)
You can download those just don't let your girl friend catch you watching them!:eek:;):D

Is it just me, or is there only one kind of torrent in your world? I won't ask further... ;).

navaho 01-29-2009 04:59 PM

"didn't we pay lots"

I wouldn't say that we paid lots, no. Not as compared to the price of buying hardware, an operating system, and software using other non-free competitors.

"so we would be protected"

From what? from myself? How much is lots to protect me from my own stupidity?

"isn't it misinforming advertisement by Apple."

Nowhere ever on Apple's website, television commercials, or other media did Apple make the claim that they would protect us from the ills that can occur by downloading and installing illicit or illegally gained software.

So the answer to your question is NO.

aehurst 01-29-2009 08:41 PM

1 Attachment(s)
Here's how easy it is... is the email legit or not. I believe it is legit and clicking on trial version does go to apple.com/ , then again maybe the bandits are getting better?

Would you trust it?

Craig R. Arko 01-29-2009 09:08 PM

I've paid lots in my life to not be stupid. Not to Apple, though. I suppose the jury is still out on whether it worked or not.

I do know better than to expect piracy programs to improve the quality of said life. :p

hayne 01-29-2009 09:27 PM

Quote:

Originally Posted by aehurst (Post 516229)
Here's how easy it is... is the email legit or not. I believe it is legit and clicking on trial version does go to apple.com/ , then again maybe the bandits are getting better?

Would you trust it?

It is vitally important to check whether a link in a mail message does go to where it purports to.
Mail.app will show you the URL if you hover the mouse over the link.
But you do have to look carefully (and have some technical knowledge of domain name syntax) since, for example, a link to:
http://iwork.apple.com.freetrial.tv
goes to the domain freetrial.tv (owned by someone in Singapore), not to Apple.
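
The check described in the post above, as an added example that is not part of the original thread: a Python sketch that pulls every link out of an HTML mail body and reports the registrable domain each href actually falls under. The `SUFFIXES` set is a small constructed stand-in for the full Public Suffix List, and the sample message and all function names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real checker needs the full list.
SUFFIXES = {"com", "net", "org", "tv", "co.uk"}

# Constructed sample mail body. The second href uses the hostname quoted in the post.
SAMPLE_EMAIL = """
<p>Try iWork free for 30 days.</p>
<a href="http://www.apple.com/iwork/">Download the trial version</a>
<a href="http://iwork.apple.com.freetrial.tv/">www.apple.com/iwork</a>
<a href="trial.html">relative link with no host</a>
"""


def registrable_domain(host):
    """Return the public suffix plus one label to its left, or None.

    Domain names are read right to left: the owner is whoever registered
    the label immediately left of the suffix, whatever appears further left.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in SUFFIXES:
            if i == 0:
                return None               # host is a bare suffix
            return ".".join(labels[i - 1:])
    return None                           # unknown suffix (or an IP address)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, expected_domain):
    """Classify each link as ok / mismatch / unknown against expected_domain."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        # .hostname ignores any userinfo and port and lowercases the host
        host = urlsplit(href).hostname
        owner = registrable_domain(host) if host else None
        if owner is None:
            verdict = "unknown"
        elif owner == expected_domain:
            verdict = "ok"
        else:
            verdict = "mismatch"
        report.append({"text": text, "host": host, "owner": owner,
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in audit_links(SAMPLE_EMAIL, "apple.com"):
        print(f'{row["verdict"]:9} owner={row["owner"]}  shown as "{row["text"]}"')
```
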

Woodsman 01-30-2009 04:43 AM

Quote:

Originally Posted by aehurst (Post 516229)
Here's how easy it is... is the email legit or not. I believe it is legit and clicking on trial version does go to apple.com/ , then again maybe the bandits are getting better?

Would you trust it?

This arrived in an e-mail? From a trusted friend and perhaps Forum participant? Or purportedly from Apple? I never get admails from Apple, I think I ticked a box during registration not to, but I've seen and ignored my share of phishing attacks "from" my ISPs, as well as banks I don't actually bank with :D.

Speaking of which: as well as a Mac newbie, I am a cantankerous reactionary, and I don't touch online banking. Also for personal reasons I like to bank over the counter, where my ugly mug is a familiar sight and quite unhackable.;) I do have my account numbers on my machine, in a Word document, but the 'puter doesn't know my credit card details or PIN number and is not interfaced with my bank in any way whatsoever. Never even been to my bank's website; for me, my bank exists solely in meatspace and that's the way I like it.

Mikey-San 01-30-2009 05:03 AM

You should put that information in an encrypted disk image.

Woodsman 01-30-2009 06:03 AM

Quote:

Originally Posted by Mikey-San (Post 516283)
You should put that information in an encrypted disk image.

How does one make one of those, then?

However, I'm a bit puzzled by the notion that bad guys can do anything with my account number as such and alone; anyone who has ever paid me, or anyone whom I have ever paid, already has that information. Anyone who walked into the bank and tried to withdraw would meet a demand for ID and signature; my accounts are not hooked up to any online banking. How could anyone stiff me with this information alone, without the bank being liable? :confused:

cwtnospam 01-30-2009 07:57 AM

See: /applications/utilities/disk utility


Is your bank online? Then so are your accounts!

aehurst 01-30-2009 08:02 AM

Quote:

Originally Posted by Woodsman (Post 516282)
This arrived in an e-mail? From a trusted friend and perhaps Forum participant? Or purportedly from Apple? I never get admails from Apple, I think I ticked a box during registration not to, but I've seen and ignored my share of phishing attacks "from" my ISPs, as well as banks I don't actually bank with :D.

Speaking of which: as well as a Mac newbie, I am a cantankerous reactionary, and I don't touch online banking. Also for personal reasons I like to bank over the counter, where my ugly mug is a familiar sight and quite unhackable.;) I do have my account numbers on my machine, in a Word document, but the 'puter doesn't know my credit card details or PIN number and is not interfaced with my bank in any way whatsoever. Never even been to my bank's website; for me, my bank exists solely in meatspace and that's the way I like it.

It is a valid email from Apple. I do most of my banking via the internet. Yet to have a problem, but for sure there are differing levels of security from bank to bank. I never under any circumstance link to a bank account from an email or anything else because there's no way to be sure where you are... some banks use strange URLs such as online.east.etc., etc, not just their name with a .com after it. I get emails from my bank, but would not trust their links either.

Like you, there are no docs on my Mac with cc numbers or bank account numbers or passwords. I don't use keychain. I do type in lists of such things, print them, and then secure delete the doc. Overkill I am sure, but I worry about it.

I also run software that identifies (usually) suspect sites and blocks access to them.... I have an 11 year old who uses the computer, too, in a non-admin account.

OS X is as safe as it gets, I think, but many users are not ITs and are pretty much at risk of being scammed until they learn their lesson the hard way.

Woodsman 01-30-2009 09:53 AM

Quote:

Originally Posted by cwtnospam (Post 516303)
Is your bank online? Then so are your accounts!

The bank does online banking, yes. But my understanding is that getting a first-time password, in someone else's name, to use online banking services is a bit more involved than stealing someone's password to an already configured set-up. Am I wrong, then?

My country encourages people to submit their tax returns online (though I myself am sticking to dead trees as long as I can), which also involves account numbers being held on computers, ours and theirs. I would think it would be easier to hack the tax office. Or wait for them to leave all the info on a CD in a taxi :rolleyes:

tlarkin 01-30-2009 10:06 AM

online banking uses a slew of security measures. Mine uses IP and MAC address authorization, passwords, secret words, security questions, and confirmation emails to access the account. I assume most banks follow this sort of model.

As for the email thing, I got a scary email when I first signed up for Facebook saying so and so wanted to be my friend, so I clicked on the link thinking it was Facebook (spoofed URL) and it immediately said I need to install browser plug-ins to make it work. Well, I immediately knew that was a scam. Closed my browser and started to investigate. Viewed the headers of the original email and the IP it last came from was an IP in China. I am pretty sure there are no Facebook servers in China. It was a scam and looked very real. I was really impressed and their English was almost perfect, after rereading the email I only saw one grammatical error towards the end of it. Otherwise, it looked like a legit email from Facebook.

I have also seen some pretty cool PayPal spoofs. By cool I mean well done, I still think it is a jerk move. These types of attacks can and will affect any platform.

aehurst 01-30-2009 10:22 AM

Security varies by bank for initial set-up as well as access. Some will not issue a login and password by internet or phone.... they mail it to you just like a pin number. Others will allow internet registration after you answer a dozen personal questions including ssan, address, phone, acct number etc., etc.

Some use an image with a key word that appears when you type in your login, if you don't see the image and codeword you are not on their site so you don't enter the password.

A couple of my banks identify the computer I am on and if they don't recognize it you don't get access even with a correct login and password but will instead be challenged with 3 or 4 personal questions.... city of birth, pet's name, city where you met the spouse, make of first car, etc.

I think internet banking is secure, though obviously you have to exercise care. Someone gets access to your computer and finds a list of logins & passwords one is going to be in for a long, long year. Physical access to your machine is the greatest threat I think.

cwtnospam 01-30-2009 10:59 AM

Quote:

Originally Posted by Woodsman (Post 516325)
The bank does online banking, yes. But my understanding is that getting a first-time password, in someone else's name, to use online banking services is a bit more involved than stealing someone's password to an already configured set-up. Am I wrong, then?

Look at my links from post #16 and suppose that one of those viruses hits your bank. Isn't it possible that the bad guys could gain enough information so that they could set up an online account in your name?

That's part of why I think it's a very bad idea for Mac/Linux users to scan for PC viruses. We should let nature take its course: either quickly improving Windows security or forcing it off the stage. Propping up Windows is putting us all at greater risk than is necessary, and at far higher cost than it would be to replace Windows, especially since it doesn't need to be done all at once.

Woodsman 01-30-2009 11:16 AM

Quote:

Originally Posted by aehurst (Post 516331)
A couple of my banks identify the computer I am on and if they don't recognize it you don't get access even with a correct login and password but will instead be challenged with 3 or 4 personal questions.... city of birth, pet's name, city where you met the spouse, make of first car, etc.

That's cool! My bank isn't supposed to give balance info over the phone, but I often need to know whether a customer has coughed up and can't get into town; when I call and greet the answerer by name, recognising their voice, and they recognise my distinctive voice/accent as well, and also ask what sum I am expecting, then they bend the rules. No one could get away with pretending to be me, except perhaps a supremely gifted mimic who also knew who worked there. A couple of times, in extremis, I've even called from abroad to have money transferred from a savings to a current account; but that's only between my own accounts. Even when they're 110% sure it's me, they would never transfer funds to a third party.

Quote:

Originally Posted by aehurst (Post 516331)
I think internet banking is secure, though obviously you have to exercise care. Someone gets access to your computer and finds a list of logins & passwords one is going to be in for a long, long year. Physical access to your machine is the greatest threat I think.

Yeah, and we don't always worry about the objectively biggest threats, do we? Anyone who stole my computers would know where I banked and the account numbers, like any customer or supplier does; but that doesn't mean getting any of my money out. I'd be a lot more worried about confidential work files. There was someone on the Forum the other day who described getting his laptop stolen when he was only feet away at the time -- if it was not asleep and sleep-locked, or screensaver-locked, all the perp would need to do would be to keep it open and awake until he could download the contents to a memory-stick in his pocket, no? How do you protect against something like that? Passworded opening of all files, or all folders? Quite a slowdown for the busy user.

Woodsman 01-30-2009 11:24 AM

Quote:

Originally Posted by cwtnospam (Post 516345)
Look at my links from post #16 and suppose that one of those viruses hits your bank. Isn't it possible that the bad guys could gain enough information so that they could set up an online account in your name?

Say that it is possible -- what can I do about it? I don't see what configuration of my own 'puter could prevent that, any more than the lock on my own door can prevent the bad guys breaking into the bank's vaults three miles away. If they can crack the bank (or the tax office!), they don't need to crack me to find out my account numbers, no? And in such a situation, the bank would have serious liability.

cwtnospam 01-30-2009 12:12 PM

Quote:

Originally Posted by Woodsman (Post 516350)
Say that it is possible -- what can I do about it?

Other than vote with your wallet, not much. All too often, people take the attitude that all platforms are valid options, and while it might be argued that on a technical level Windows is a valid option, doing so ignores the enormous costs to all of us when people (and businesses like banks) use Windows.

Woodsman 01-30-2009 01:27 PM

Quote:

Originally Posted by cwtnospam (Post 516365)
Other than vote with your wallet, not much. All too often, people take the attitude that all platforms are valid options, and while it might be argued that on a technical level Windows is a valid option, doing so ignores the enormous costs to all of us when people (and businesses like banks) use Windows.

I for one am not remotely competent to do due diligence on the bank's IT security. Just for fun, next week I shall ask them what platform they use, though the counter clerks may not know much. And how would your wallet vote, CWT, if one bank ran on Windows but was otherwise customer-friendly, while another used Linux but kept everyone waiting an hour in order to coerce them over to online services? Which some of them do here. I've never been looted by a cracker, but I've sure been dissed by a banker!

tlarkin 01-30-2009 01:35 PM

Quote:

Originally Posted by Woodsman (Post 516383)
I for one am not remotely competent to do due diligence on the bank's IT security. Just for fun, next week I shall ask them what platform they use, though the counter clerks may not know much. And how would your wallet vote, CWT, if one bank ran on Windows but was otherwise customer-friendly, while another used Linux but kept everyone waiting an hour in order to coerce them over to online services? Which some of them do here. I've never been looted by a cracker, but I've sure been dissed by a banker!

I have a friend that works at a major bank's HQ downtown in their IT department. He works out of the data center. They have around 300 IT guys in his department, which do all the IT/maintenance, web development, app development, so on and so forth. They use a mixed platform, and he told me his particular bank has two Macs. The two Macs are used for developers to develop web apps for the Mac platform, the rest are all PCs running Windows/Linux.

Also, having been a system administrator for Windows Servers at my old job, they are not to be compared to Windows clients. They are way more secure than a Windows client machine, and Vista is the first end user OS to start to adapt some of that server side security. That is why you notice some of the user accounts being changed directory wise, and you see running things as an administrator. I haven't used Windows 7 yet really but from what I have read it will implement even more POSIX Unix-like security features when it is released.

kel101 01-30-2009 02:34 PM

Quote:

Originally Posted by tlarkin (Post 516179)
You can download those just don't let your girl friend catch you watching them!:eek:;):D

hmmmmmm good advice.....*cough* private browsing+encrypted dmgs ftw >.> cuz i wouldnt want her finding all my extra revision documents

Quote:

Originally Posted by Zalister (Post 516184)
Is it just me, or is there only one kind of torrent in your world? I won't ask further... ;).

well 2 and a half :rolleyes:

cwtnospam 01-30-2009 04:05 PM

Quote:

Originally Posted by Woodsman (Post 516383)
And how would your wallet vote, CWT, if one bank ran on Windows but was otherwise customer-friendly, while another used Linux but kept everyone waiting an hour in order to coerce them over to online services?

That's the problem you get when you don't have proper regulation: no real competition. :(

Still, making your voice heard can have an effect: never connect to a bank using Windows. It's not only good for your immediate security in the short term, but if enough people do it they'll change their systems.

tlarkin 01-30-2009 04:34 PM

Quote:

Originally Posted by cwtnospam (Post 516413)
That's the problem you get when you don't have proper regulation: no real competition. :(

Still, making your voice heard can have an effect: never connect to a bank using Windows. It's not only good for your immediate security in the short term, but if enough people do it they'll change their systems.

Uh millions of people bank with windows all day every day and our whole accounting and payroll department run windows boxes, so it isn't like it's not secure. most of the time it is a human's fault when things get exploited, like not running a security patch, or using a really lame password that gets dictionary attacked.

You don't have to use a Mac to be secure and safe.

Woodsman 01-30-2009 04:41 PM

Quote:

Originally Posted by cwtnospam (Post 516413)
Still, making your voice heard can have an effect: never connect to a bank using Windows.

But, as I've been trying to say, I don't "connect" to a bank using anything electronic. My bank connection protocol consists of the meat walking through the door and saying "Hi, ladies". Radical, huh?

cwtnospam 01-30-2009 04:45 PM

Quote:

Originally Posted by tlarkin (Post 516422)
Uh millions of people bank with windows all day every day and our whole accounting and payroll department run windows boxes, so it isn't like it's not secure.

:rolleyes:
Track records are history, and history is important.

Quote:

Originally Posted by tlarkin (Post 516422)
You don't have to use a Mac to be secure and safe.

No, but it helps.
A bit OT, but close enough.

cwtnospam 01-30-2009 04:46 PM

Quote:

Originally Posted by Woodsman (Post 516425)
But, as I've been trying to say, I don't "connect" to a bank using anything electronic. My bank connection protocol consists of the meat walking through the door and saying "Hi, ladies". Radical, huh?

But that just means that your 'electronic' voice is unheard. You haven't made a choice that they'll recognize.

tlarkin 01-30-2009 04:49 PM

Quote:

Originally Posted by cwtnospam (Post 516426)
:rolleyes:
Track records are history, and history is important.

No, but it helps.
A bit OT, but close enough.

well in that case

http://www.macworld.com/article/1327...8/03/hack.html

cwtnospam 01-30-2009 05:49 PM

Oh, come on! Can't you do better than that? Some guy who probably spent months working full time and with help, manages to find a hole, and we're all supposed to think that compares with over a decade of frequent and highly successful exploits of Windows systems in the wild? :eek:

Mikey-San 01-30-2009 05:52 PM

Quote:

Originally Posted by cwtnospam (Post 516413)
never connect to a bank using Windows. It's not only good for your immediate security in the short term, but if enough people do it they'll change their systems.

lol windoze am i rite

But seriously, just don't use Internet Explorer and don't use a computer you don't own. (Never use a library computer, public kiosk, a friend of a friend's computer, etc.) The latter rule applies to Mac OS X, as well.

Quote:

Originally Posted by Woodsman (Post 516425)
But, as I've been trying to say, I don't "connect" to a bank using anything electronic. My bank connection protocol consists of the meat walking through the door and saying "Hi, ladies". Radical, huh?

We get the point, the real world is "meatspace" and inhabited by "meat". It's not really that clever.

Woodsman 01-30-2009 06:25 PM

Quote:

Originally Posted by cwtnospam (Post 516427)
But that just means that your 'electronic' voice is unheard. You haven't made a choice that they'll recognize.

Actually, I have made my voice very well heard in my bank, as a customer who doesn't want to use online services and wants banks to continue offering good customer service at bricks-and-mortar establishments. Mine does, but others don't, and so I vote with my feet and wallet accordingly. This is what is important to me, also for personal reasons unconnected with computers, rather than the security of their back-office operations against penetration, which I can't judge and that I have no evidence is a problem, whatever platform they use. Here the big scamming techniques involve physical tampering with ATMs and skimming of credit cards.

tlarkin 01-30-2009 06:59 PM

Quote:

Originally Posted by cwtnospam (Post 516445)
Oh, come on! Can't you do better than that? Some guy who probably spent months working full time and with help, manages to find a hole, and we're all supposed to think that compares with over a decade of frequent and highly successful exploits of Windows systems in the wild? :eek:

Explain why Apple was so late in the game to fix the worldly known DNS exploits then?

Sure MS has had its history but one thing about MS that no one can touch them on is patching and fixing holes. They are pretty good at it. There are tons and tons of existing Windows server back end infrastructure out there that is secure. Like I said a lot of times those exploits happen because system admins are lazy, use weak passwords, or configure things wrong.

Same thing could happen to OS X, hell people get hacked on their macs all the time for leaving open port 22 and using really weak passwords, along comes mr ssh sniffer in russia or china and bam you have an exploited mac. It even happens to Linux boxes.

cwtnospam 01-30-2009 08:25 PM

Quote:

Originally Posted by tlarkin (Post 516458)
Explain why Apple was so late in the game to fix the worldly known DNS exploits then?

Simple: They don't need to be fast. Their software isn't beaten like a dirty rug every day of the week. Even when a weakness is found, it usually requires too many special circumstances to be useful, and that gives them time to come up with a fix that won't create new holes.

Quote:

Originally Posted by tlarkin (Post 516458)
Sure MS has had its history but one thing about MS that no one can touch them on is patching and fixing holes. They are pretty good at it.

Of course they're good at it! They get lots of practice reacting to compromised systems, and rather than do the right thing and start over with a better design, they've decided to get better at reacting.

Quote:

Originally Posted by tlarkin (Post 516458)
Same thing could happen to OS X, hell people get hacked on their macs all the time for leaving open port 22 and using really weak passwords, along comes mr ssh sniffer in russia or china and bam you have an exploited mac. It even happens to Linux boxes.

:rolleyes:
Second paragraph from the link above:

Quote:

For more than a half decade, the Windows-enraptured tech media has been banging on a drum about the imminent arrival of Mac viruses. As proof of this coming wave, they always cite researchers employed by anti-virus vendors who recount vulnerabilities found in Mac OS X or occasionally trojan horse malware designed to dupe Mac users into manually installing software that intentionally causes problems.

tlarkin 01-30-2009 08:31 PM

Yeah, that was written by an obvious fan boy. The bottom line is you don't have to run a Mac or a Linux box to be secure. I have managed many Windows clients and servers over the years and have had generally about the same amount of problems as I have had with the Macs, and now that I manage thousands of Macs I have easily over 50 to 80 a week that break on me. However, I am digressing a bit...

You can live under your blanket of safety and cling to the Mac like its crap don't stink or whatever it is that you do. However, Macs can and will be exploited and until humans actually learn the ins and outs of how a computer works this will always happen.

The QT codec virus was a prime example. Apple only has an 8% market share and when they start to climb (and I think they will have a larger market share down the road) you will see it happen more. Simply because people don't know what they are doing and install software and they think, oh it is a Mac so it is secure and it just works. I say hello root kit heaven when that happens.

Oh and the DNS exploit, that affected every OS because it was an actual flaw in DNS (and not the OS itself) left all Apple servers and client machines vulnerable for months while everyone else patched it within a week. Novell, Microsoft, Sun, Cisco, anything that can run DNS had it fixed within a week, it took Apple months. They got lucky, if hackers wanted to exploit that they could have.

cwtnospam 01-30-2009 08:54 PM

Quote:

Originally Posted by tlarkin (Post 516478)
I have managed many Windows clients and servers

I wonder if you'll ever grasp the concept that not all users are IT techs.

Quote:

Originally Posted by tlarkin (Post 516478)
However, Macs can and will be exploited and until humans actually learn the ins and outs of how a computer works this will always happen.

This is so disingenuous that it's infuriating. I've never even seen a post on this forum or any other where a Mac user has said that Macs couldn't or wouldn't be exploited, yet you keep going back to this straw man. Everyone knows that it's not a matter of safe and not safe. It has always been a matter of degree. Why do you keep pretending that someone is saying otherwise?

hayne 01-30-2009 09:15 PM

Quote:

Originally Posted by tlarkin (Post 516478)
Oh and the DNS exploit, that affected every OS because it was an actual flaw in DNS (and not the OS itself) left all Apple servers and client machines vulnerable for months

The DNS exploit only affected machines that were running a DNS server. I.e. only server machines. The vast bulk of OS X (non-Server) machines were not affected by this problem simply because they were not running the software involved.

Yes, normal OS X machines were (obviously) DNS clients and so were potentially vulnerable to this problem if the DNS server that they were using was compromised. But the DNS servers in question were (in most cases) running on their ISP's machines and probably not running OS X.

Hence the only hurry for Apple to fix this problem in the DNS server software was for OS X Server.
There was nothing to fix on the client.

tlarkin 01-30-2009 09:20 PM

Quote:

Originally Posted by hayne (Post 516486)
The DNS exploit only affected machines that were running a DNS server. I.e. only server machines. The vast bulk of OS X (non-Server) machines were not affected by this problem simply because they were not running the software involved.

Yes, normal OS X machines were (obviously) DNS clients and so were potentially vulnerable to this problem if the DNS server that they were using was compromised. But the DNS servers in question were (in most cases) running on their ISP's machines and probably not running OS X.

Hence the only hurry for Apple to fix this problem in the DNS server software was for OS X Server.
There was nothing to fix on the client.

Yes true, but I have stuff that runs DNS and it is powered by Apple technology.

So, yeah they had an excuse if you want to call it one. Apple products don't run DNS compared to other platforms so that gives them a hall pass to be tardy?

I mean if the known fix was released and everyone who makes technology that can run DNS fixed it within a week or two, why couldn't Apple? That is all I am getting at.

hayne 01-30-2009 09:22 PM

Quote:

Originally Posted by tlarkin (Post 516487)
I mean if the known fix was released and everyone who makes technology that can run DNS fixed it within a week or two, why couldn't Apple? That is all I am getting at.

And I wouldn't have said anything except that you (in post #50) claimed that Apple's tardiness put OS X client machines at risk.

tlarkin 01-30-2009 09:25 PM

Quote:

Originally Posted by hayne (Post 516489)
And I wouldn't have said anything except that you (in post #50) claimed that Apple's tardiness put OS X client machines at risk.

OK fair enough that was an oversight on my part.

anthlover 01-30-2009 11:55 PM

To be fair the biggest problem with Windows until Vista, 7, and 2008 was that the default login allowed for the installation of virtually anything with no additional passwords required, leaving these systems sitting ducks.

I have seen even in organizations with crack staff, firewalls, antivirus, etc get slammed badly by viruses even only a few months ago.

As others have said systems with the keys to the car are going to get taken for a ride. Macs require a password. Until recently Windows did not.

This will not be the end of Windows exploits with Vista and beyond of course but passwords at least make the process more difficult. For the Mac it would be nice if patches were faster. And for those that wish additional protection is now officially recommended by Apple.

Do we need it? Debatable? Are the Apple included firewalls and other protection sufficient? Up to the end user.

tlarkin 01-31-2009 12:10 AM

Quote:

Originally Posted by anthlover (Post 516507)
To be fair the biggest problem with Windows until Vista, 7, and 2008 was that the default login allowed for the installation of virtually anything with no additional passwords required, leaving these systems sitting ducks.

I have seen even in organizations with crack staff, firewalls, antivirus, etc get slammed badly by viruses even only a few months ago.

As others have said systems with the keys to the car are going to get taken for a ride. Macs require a password. Until recently Windows did not.

This will not be the end of Windows exploits with Vista and beyond of course but passwords at least make the process more difficult. For the Mac it would be nice if patches were faster. And for those that wish additional protection is now officially recommended by Apple.

Do we need it? Debatable? Are the Apple included firewalls and other protection sufficient? Up to the end user.

Even then you are relying on users to use strong passwords. Macs still get compromised by dictionary attacks and there are some cases even on this forum that show that evidence. One post on this forum is from a Mac user, who from what I deduced, installed a VNC app on his iPhone which probably did not use any sort of encryption and somehow got rooted and they even stole from his PayPal account and were using VNC to actually control his Mac desktop.

Also, like I said before, Windows client and Windows server are two different creatures and Vista is the first OS to adopt some of their security layers.

Also, if I recall, the WebKit exploit and the ARD client exploit didn't need passwords to root the Mac.

I agree with you though, by model and design Windows can be less secure.

Woodsman 01-31-2009 03:58 AM

Quote:

Originally Posted by tlarkin (Post 516458)
Same thing could happen to OS X, hell people get hacked on their Macs all the time for leaving open port 22 and using really weak passwords, along comes Mr. SSH sniffer in Russia or China and bam you have an exploited Mac. It even happens to Linux boxes.

In the light of what I'm reading here I'm thinking of protecting those documents that contain account data, and getting a fancier admin password, but would you be so kind as to explain that bit about port 22 for a non-techie?

Anti 01-31-2009 06:10 AM

Quote:

didn't we pay lots so we would be protected?

No. You paid for a computer of superior components and build quality, and a vastly superior OS. You paid for a computer and OS that doesn't feel chintzy, but rather, very complete and of superior quality.

aehurst 01-31-2009 08:36 AM

Quote:

Originally Posted by Woodsman (Post 516520)
..... but would you be so kind as to explain that bit about port 22 for a non-techie?

Me, too. I am not an IT or techie. I have the OS X firewall on all the time with no listed ports open for anything. Connected to internet through a gateway with its firewall on. My Mac is not networked with any other machines at my house.

My admin password is all numbers. I have good passwords for everything else, but never realized just logging into the machine needed a tough password since I generally trust the rest of the family not to tinker.

Assuming I avoid doing stupid things on the net, am I safe? What else should I be doing? 10.4.11

The 11 year old found a novel way to do an easy to remember password.... he ignores recognizable letter/number combinations and simply picks a key on the keyboard then goes diagonal down for four keys and then across for three more (or similar). Easier for him to remember the pattern than random digits. (kids do think differently than the rest of us)

biovizier 01-31-2009 09:04 AM

Quote:

Originally Posted by anthlover (Post 516507)
To be fair the biggest problem with Windows until Vista, 7, and 2008 was that the default login allowed for the installation of virtually anything with no additional passwords required
...
systems with the keys to the car are going to get taken for a ride. Macs require a password.

This is a common misconception (and people are probably getting tired of me bringing it up), but the belief that Macs require a password to do anything is unfortunately incorrect.

The default login on a Mac is a member of the "admin" group. There are multiple local admin->root privilege escalation vulnerabilities that are well known (i.e. unpatched by Apple years after knowledge of them hit the mainstream web). That means if someone can get code to run on a default Mac by any means, social engineering or otherwise, it has full access to the system. This would for example, allow system level changes to network settings to make changes that could direct you to fake bank or online payment sites, or to insert fake password dialogues when you connect to a legitimate site. In Leopard, the access even includes unsetting the 'schg' flag which is something for which physical access should be required.

If an experienced user continues to use an "admin" account, that is of course their prerogative. They would be knowledgeable enough to avoid unsafe activities, although they would still be susceptible to vulnerabilities in the system or applications. Even so, they are likely to be better prepared to recognize that something is wrong, investigate if they suspect something is wrong, and to recover, having taken basic precautions like having a backup if something is found to have gone wrong.

The problem is that Macs are directly marketed toward inexperienced users, with ease of use and security actively promoted by Apple. One of the TV ads actually went so far as to say "Macs don't get viruses", with full knowledge that the target audience think of all malware as "viruses" and probably couldn't tell you the difference between a worm, virus or trojan. Most users continue to use the default account as their primary account (an informal poll here with an admittedly puny sample size pegged admin usage at ~80%) which, given the Mac's growing user base, could make them a juicy target.

cwtnospam 01-31-2009 09:35 AM

Quote:

Originally Posted by Woodsman (Post 516520)
In the light of what I'm reading here I'm thinking of protecting those documents that contain account data, and getting a fancier admin password, but would you be so kind as to explain that bit about port 22 for a non-techie?

Port 22 is the default port used by ssh. If you leave (Not positive, but I think Leopard's screen sharing uses this port too) remote login turned on, and using the default port so that you can connect to your computer from elsewhere it is possible for a hacker to use a script to mount a dictionary attack on your system. All their script needs to do is try port 22 and if it gets a response, run through the dictionary.
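
The dictionary attack on port 22 described in the post above leaves a recognizable trail in the sshd log. As an added example (not part of the original thread), this Python script flags source addresses that produce a burst of failed SSH password logins and notes any successful login that follows; the log lines are constructed samples, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's sshd log format (documentation IP ranges).
SAMPLE_LOG = """\
Jan 31 09:12:01 mac sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 31 09:12:03 mac sshd[413]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 31 09:12:05 mac sshd[414]: Failed password for invalid user test from 203.0.113.7 port 51246 ssh2
Jan 31 09:12:08 mac sshd[415]: Failed password for invalid user guest from 203.0.113.7 port 51251 ssh2
Jan 31 09:12:11 mac sshd[416]: Failed password for family from 203.0.113.7 port 51257 ssh2
Jan 31 09:12:14 mac sshd[417]: Failed password for family from 203.0.113.7 port 51263 ssh2
Jan 31 09:12:19 mac sshd[418]: Accepted password for family from 203.0.113.7 port 51270 ssh2
Jan 31 09:30:00 mac sshd[430]: Failed password for owner from 192.0.2.10 port 50022 ssh2
Jan 31 09:30:20 mac sshd[431]: Accepted password for owner from 192.0.2.10 port 50025 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2009):
    """Return (timestamp, result, user, ip) for each password login line.

    Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_dictionary_attacks(log_text, max_failures=5,
                            window=timedelta(minutes=10)):
    """Flag source IPs with at least max_failures failed logins inside window.

    Returns {ip: {"failures": peak count in one window,
                  "users": usernames tried during flagged bursts,
                  "login_after_burst": first user accepted after a burst}}.
    """
    recent = defaultdict(list)   # ip -> [(timestamp, user)] still in window
    report = {}
    for ts, result, user, ip in sorted(parse(log_text), key=lambda e: e[0]):
        if result == "Failed":
            # Keep only failures still inside the sliding window, then add this one.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= max_failures:
                entry = report.setdefault(
                    ip, {"failures": 0, "users": set(), "login_after_burst": None})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
                entry["users"].update(u for _, u in recent[ip])
        elif ip in report and report[ip]["login_after_burst"] is None:
            # A success from an address that was just guessing deserves a close look.
            report[ip]["login_after_burst"] = user
    return report


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["users"]),
              info["login_after_burst"])
```

The single mistyped password from 192.0.2.10 is not flagged; only the burst from 203.0.113.7 is, together with the account that was logged into right after it.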

cwtnospam 01-31-2009 09:37 AM

Quote:

Originally Posted by aehurst (Post 516536)
The 11 year old found a novel way to do an easy to remember password.... he ignores recognizable letter/number combinations and simply picks a key on the keyboard then goes diagonal down for four keys and then across for three more (or similar). Easier for him to remember the pattern than random digits. (kids do think differently than the rest of us)

That works well for PIN numbers too. Patterns are visual, and so easier to remember.

Woodsman 01-31-2009 10:18 AM

Quote:

Originally Posted by cwtnospam (Post 516542)
Port 22 is the default port used by ssh. If you leave (Not positive, but I think Leopard's screen sharing uses this port too) remote login turned on, and using the default port so that you can connect to your computer from elsewhere it is possible for a hacker to use a script to mount a dictionary attack on your system. All their script needs to do is try port 22 and if it gets a response, run through the dictionary.

Well, I have never been interested in either remote log-in or screen-sharing, so if Leopard required me to do anything deliberate to enable this, I won't have done it. In SysPref/Network/Sharing (which I went to just now for the first time), every single box is off, as in unchecked. Anything else that I -- and maybe Aehurst -- should go look for to make extra sure?

trevor 01-31-2009 12:49 PM

Quote:

Originally Posted by Woodsman (Post 516546)
Well, I have never been interested in either remote log-in or screen-sharing, so if Leopard required me to do anything deliberate to enable this, I won't have done it. In SysPref/Network/Sharing (which I went to just now for the first time), every single box is off, as in unchecked. Anything else that I -- and maybe Aehurst -- should go look for to make extra sure?

That means that you're not running any services on your computer. That's a good first step.

Also, make sure that you have a good long password on ALL the accounts on your computers and devices, consisting of numbers and letters of both upper and lower case, and not consisting of a word that can be found in any dictionary, and not consisting of anything that can be personally traced to you (like your first dog's name).

Turn on your firewall.

Don't run as your admin user except when necessary, say to install software.

Keep your computer behind a NAT router (99.9% of small home routers are NAT routers). This keeps any attacks on your computer indirect--all attacks have to go through the router first. And make sure that "Remote Administration" is OFF on your NAT router.

If you use a wireless router, make sure to use WPA2 encryption (or at a minimum WPA, although that's getting a bit compromised now too). Use a long passphrase on your wireless network--12 characters is a bare minimum, more like 20 is preferred. Use the same rules as for password selection above.

Encrypt directories with stuff that you need to protect on your computer, but don't use FileVault--it's unfortunately caused many problems that we've seen on this and other Mac forums. (Disk Utility can easily make encrypted disk images, into which you can put the stuff you need to protect.)

Within reason, keep up-to-date on new versions of OS X, and Security Updates--those often fix vulnerabilities.

Trevor

Woodsman 01-31-2009 01:35 PM

Quote:

Originally Posted by trevor (Post 516568)
Also, make sure that you have a good long password on ALL the accounts on your computers and devices, consisting of numbers and letters of both upper and lower case, and not consisting of a word that can be found in any dictionary, and not consisting of anything that can be personally traced to you (like your first dog's name).

I need a better one there, working on it...... Say, what about foreign words and names? There are a lot of languages out there, do they do dictionary attacks in exotic tongues too?

Quote:

Originally Posted by trevor (Post 516568)
Turn on your firewall.

Could you explain where and how? I had one of those as a Windows user, but have heard no talk about that for Macs hitherto -- illustrating what someone said just now about hype aimed at us innocents...... For all I know it may be already on, just as remote log-in was already firmly off!

Quote:

Originally Posted by trevor (Post 516568)
Don't run as your admin user except when necessary, say to install software.

Now that's harder. I ran as standard user until recently, when I discovered that something about the users was preventing Spotlight from indexing. I gave my standard user, the one with MyStuff, admin privileges and killed the other one, the factory-settings user, and that problem cleared up. I also suspect that this issue was what caused Time Machine not to work back in November, you may remember that. When I've thought up an admin password that both fits your rules and can be remembered, I guess I could set up a new user structure, but if for some weird reason Spotlight will only index when I'm admin, then that's what I've gotta be, and take my chances.

Quote:

Originally Posted by trevor (Post 516568)
And make sure that "Remote Administration" is OFF on your NAT router.

That done via the ISP's website, like when mine failed and I had to configure a new one? Had to be talked through that, no fun at all.

Quote:

Originally Posted by trevor (Post 516568)
If you use a wireless router......

Nope.

Quote:

Originally Posted by trevor (Post 516568)
Encrypt directories with stuff that you need to protect on your computer, but don't use FileVault--it's unfortunately caused many problems that we've seen on this and other Mac forums. (Disk Utility can easily make encrypted disk images, into which you can put the stuff you need to protect.)

Been warned about FileVault, got a tutorial on disk images printed out.

Quote:

Originally Posted by trevor (Post 516568)
Within reason, keep up-to-date on new versions of OS X, and Security Updates--those often fix vulnerabilities.

Been assiduous there. So I think my top two priorities now are working out a new password, which I can do on my own, and hearing more about the firewall.

Funny thing, I ran a Windows box for 12 years, and as far as well-updated AV could tell me, I never caught a bug, other than a little adware, but now you guys are making me more scared than I ever was before!

trevor 01-31-2009 02:25 PM

Quote:

Originally Posted by Woodsman (Post 516571)
I need a better one there, working on it...... Say, what about foreign words and names? There are a lot of languages out there, do they do dictionary attacks in exotic tongues too?

Depends on the hacker, and how exotic the tongue is. Cherokee, you're probably safe. French, German, Italian, Spanish, not so much.

In any event, you later mention that you'll have trouble picking out a good long password that is memorable, so I'll share a useful password-picking trick that I got from someone else years ago. Start with a memorable phrase, preferably something fairly long. For example, I'll use the Gettysburg Address by Abraham Lincoln.

The text of the first sentence of the Gettysburg Address is

Quote:

Originally Posted by Abraham Lincoln
Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.

So, now, start with the first letter of each word, and you get
FsasyaofbfotcannciLadttptamace

Pretty good--it's 30 characters, and a mixture of upper and lower case. But let's also substitute the words referring to numbers with those actual numbers. Then we get

4sa7yaofbfotcannciLadttptamace

That's already a pretty good password that won't be found in any dictionary, yet is memorable (at least if you know the Gettysburg address, or if you forget it you can look it up). If you wanted, you could obfuscate it even more by substituting an "&" for the "ands"

4s&7yaofbfotcannciL&dttptamace

Of course, choose something else that is long and memorable to YOU.

Be aware though, and be SURE to keep it something that is not personally associated with you. A friend of mine was working IT for the University of Colorado in Boulder and his supervisor always bragged about how secure his password was. My friend knew that he was a huge fan of the Doors, and tried this technique with Doors lyrics until he found that his supervisor had used the initial letters of "Light My Fire" as his password.

Quote:

Originally Posted by Woodsman (Post 516571)
Could you explain where and how? I had one of those as a Windows user, but have heard no talk about that for Macs hitherto -- illustrating what someone said just now about hype aimed at us innocents...... For all I know it may be already on, just as remote log-in was already firmly off!

The directions for turning on your firewall are different for OS X 10.0 - 10.4 and in 10.5 Leopard. Your OS X Help should be your first resource for questions like this, but briefly in 10.0-10.4, it's System Preferences > Sharing > Firewall tab > click it on. In OS X 10.5 Leopard, it's System Preferences > Security > Firewall tab > click the radio button to either "Allow only essential services" or "Set access for specific services and applications".

Quote:

Originally Posted by Woodsman (Post 516571)
That done via the ISP's website, like when mine failed and I had to configure a new one? Had to be talked through that, no fun at all.

No, it's most definitely NOT done via the ISP's website. It's to YOUR router, so you configure it on your router. Since we don't know what router you have, we can't really say much more, but with non-Apple routers you probably go to the IP address of your router, such as http://192.168.1.1 or http://192.168.0.1 and make sure that remote administration is turned off.

Note that this is usually turned off by default in routers, since it's a big stupid security hole.

Trevor

Woodsman 01-31-2009 02:51 PM

Quote:

Originally Posted by trevor (Post 516583)
Depends on the hacker, and how exotic the tongue is. Cherokee, you're probably safe. French, German, Italian, Spanish, not so much.

Okay. I am thinking of perhaps a placename in a language somewhere between Italian and Cherokee in obscurity, with some numerics thrown in. Not as elaborate as yours, but better than the present.

Quote:

Originally Posted by trevor (Post 516583)
In any event, you later mention that you'll have trouble picking out a good long password that is memorable ......

4s&7yaofbfotcannciL&dttptamace

Ye gods and little fishes! And you do that how often? Not when you're travelling and your screensaver comes on every minute, surely? (As far as I understand it, the sleep/screensaver/user password has to be the same). I think about how often I'd need to type it in, and how often I fumble even my much easier Forum password.....:(

Quote:

Originally Posted by trevor (Post 516583)
..... his supervisor had used the initial letters of "Light My Fire" as his password.

Duh, even what I've got now is less traceable than that!

Quote:

Originally Posted by trevor (Post 516583)
Your OS X Help should be your first resource for questions like this.....

Sorry, but I've had really bad experiences with Help and think I must have a mental block on it or something. Should also have found it for myself in SysPref the way I found Sharing, which wasn't difficult, I should have gotten used to things being logical by now..:o I've been lazy, mea culpa.

Quote:

Originally Posted by trevor (Post 516583)
"Allow only essential services" or "Set access for specific services and applications".

Yikes, it was off. Maybe they should ship with it defaulted to on? I put it on the middle option now. So that was a solid step forward this evening. Also enabled Stealth Mode.

Quote:

Originally Posted by trevor (Post 516583)
..... with non-Apple routers you probably go to the IP address of your router

Sorry again again, that's actually what I meant..... Not at my best today.

aehurst 01-31-2009 03:31 PM

Good thread for us non-techies. Like Woodsman, I have tightened up a little, too. Had been running in an admin account. No more. Passwords now longer & stronger. Thanks Trevor & biovizier!!

trevor 01-31-2009 03:48 PM

Quote:

Originally Posted by Woodsman (Post 516592)
Ye gods and little fishes! And you do that how often? Not when you're travelling and your screensaver comes on every minute, surely? (As far as I understand it, the sleep/screensaver/user password has to be the same). I think about how often I'd need to type it in, and how often I fumble even my much easier Forum password.....:(

Then, use the first 12 characters of whatever passphrase you have in mind. 12 characters isn't too long, is it?

Quote:

Originally Posted by Woodsman
Duh, even what I've got now is less traceable than that!

I guess I wasn't clear that he was using the first letters of the full lyrics of "Light My Fire", not just the first letters of the title.

Quote:

Originally Posted by Woodsman
Yikes, it was off. Maybe they should ship with it defaulted to on? I put it on the middle option now. So that was a solid step forward this evening.

I wish that Apple would ship the firewall on by default as well. That has always seemed like a bad decision on Apple's part to me, but then they never bothered to ask for my opinion.

Quote:

Originally Posted by Woodsman
Also enabled Stealth Mode.

That's fine as long as it doesn't cause other problems. On the SMB network in my place of work, for example, I can't use Stealth Mode because it caused problems for me connecting to SMB/CIFS shares. Because of that, and its antibenefits as far as troubleshooting (you can't easily ping a computer in stealth mode), I personally leave "Stealth Mode" off on my computers.

Trevor

Woodsman 01-31-2009 04:15 PM

Quote:

Originally Posted by trevor (Post 516602)
Then, use the first 12 characters of whatever passphrase you have in mind. 12 characters isn't too long, is it?

I'll experiment a bit on dead trees and see...... thanks for the Firewall and all the other tips!

tlarkin 01-31-2009 05:02 PM

Here is a list of known network ports Apple OS X uses; some are standard for every platform, some are OS X specific.

http://support.apple.com/kb/TS1629

Trevor already pretty much outlined what I would have said anyway, so maybe I will add a bit more to it later but he pretty much already explained it.

aehurst 01-31-2009 07:26 PM

Quote:

Originally Posted by trevor (Post 516583)

Interesting choice of example URLs.

trevor 02-02-2009 01:43 AM

Quote:

Originally Posted by aehurst (Post 516631)
Interesting choice of example URLs.

Why? Those are the common factory default IP addresses for several major brands of router. You can change them, of course, but a lot of people just stick with those defaults, as they are fine choices.

Trevor

aehurst 02-02-2009 10:17 AM

Quote:

Originally Posted by trevor (Post 516830)
Why? Those are the common factory default IP addresses for several major brands of router. You can change them, of course, but a lot of people just stick with those defaults, as they are fine choices.

Trevor

Didn't realize that. In any case, one example was within a digit of my Mac's AT&T assigned IP (not the router). Too close, I thought, to be coincidence. I know next to nothing about IP addresses.

tlarkin 02-02-2009 10:43 AM

Quote:

Originally Posted by biovizier (Post 516540)
This is a common misconception (and people are probably getting tired of me bringing it up), but the belief that Macs require a password to do anything is unfortunately incorrect.

The default login on a Mac is a member of the "admin" group. There are multiple local admin->root privilege escalation vulnerabilities that are well known (i.e. unpatched by Apple years after knowledge of them hit the mainstream web). That means if someone can get code to run on a default Mac by any means, social engineering or otherwise, it has full access to the system. This would for example, allow system level changes to network settings to make changes that could direct you to fake bank or online payment sites, or to insert fake password dialogues when you connect to a legitimate site. In Leopard, the access even includes unsetting the 'schg' flag which is something for which physical access should be required.

If an experienced user continues to use an "admin" account, that is of course their prerogative. They would be knowledgeable enough to avoid unsafe activities, although they would still be susceptible to vulnerabilities in the system or applications. Even so, they are likely to be better prepared to recognize that something is wrong, investigate if they suspect something is wrong, and to recover, having taken basic precautions like having a backup if something is found to have gone wrong.

The problem is that Macs are directly marketed toward inexperienced users, with ease of use and security actively promoted by Apple. One of the TV ads actually went so far as to say "Macs don't get viruses", with full knowledge that the target audience think of all malware as "viruses" and probably couldn't tell you the difference between a worm, virus or trojan. Most users continue to use the default account as their primary account (an informal poll here with an admittedly puny sample size pegged admin usage at ~80%) which, given the Mac's growing user base, could make them a juicy target.

This is very well put. A Mac does not guarantee you more safety over Windows because most Windows attacks are through some sort of social engineering attack. Which no platform is safe from.

There are still so many stigmas and misconceptions about Windows as well. Vista is the first machine that requires an application to run as admin if it wants to modify system files. Which sure, no password is there, but it requires the user to actually go in and say hey run this as admin. Windows Server security policies are pretty insane too. While, I do not like messing with creating Windows security policies because they are more complex than a standard Unix or Linux configuration file, in my opinion, there are ways to make them very secure.

I was just talking to my co-worker the other day about how easy it would be to embed some sort of worm or virus into a Mac application torrent file and when the user downloads and installs said software with admin rights, have dscl scripts that create hidden user accounts and open up access to certain ports all in the background without the user's knowledge. All they have to do is put that password in once. While, I am not a developer at all so my coding skills are lacking, I do know how to make hidden user accounts, and manually set network settings from the command line. That is something I could easily script out.

cwtnospam 02-02-2009 11:16 AM

Quote:

Originally Posted by tlarkin (Post 516876)
A Mac does not guarantee you more safety...

So? This doesn't mean that you aren't more safe. It's just not guaranteed. What is?

Quote:

Originally Posted by tlarkin (Post 516876)
Vista is the first machine that requires an application to run as admin if it wants to modify system files.

First among all operating systems???? :rolleyes:
It's meaningless for Vista to be the first Microsoft operating system to do this.

Quote:

Originally Posted by tlarkin (Post 516876)
I was just talking to my co-worker the other day about how easy it would be to embed some sort of worm or virus into a Mac application torrent file and when the user downloads and installs said software with admin rights...

I'm shocked!!! Shocked to find that programmers could do bad things!

anthlover 02-02-2009 11:32 PM

Ugg. Enough pretty please. All OS have Pros and Cons. I prefer OSX. The fact that Vista and later require passwords for most installs is a good thing. Generally OSX has always done so. It's true that even more passes could be required in OSX or more limited account used.

I do not think we're going to make everyone happy. Most of us on this site are Mac users and thus we like our Macs, not blindly but we did choose with our eyes open what we consider mostly superior. Admins that work with both will be well versed in the Pros and Cons of each environment.

tlarkin 02-03-2009 01:42 AM

Quote:

Originally Posted by anthlover (Post 517016)
Ugg. Enough pretty please. All OS have Pros and Cons. I prefer OSX. The fact that Vista and later require passwords for most installs is a good thing. Generally OSX has always done so. It's true that even more passes could be required in OSX or more limited account used.

I do not think we're going to make everyone happy. Most of us on this site are Mac users and thus we like our Macs, not blindly but we did choose with our eyes open what we consider mostly superior. Admins that work with both will be well versed in the Pros and Cons of each environment.

I won't deny that what Apple did with Unix in my mind is pretty impressive. In many ways it isn't even Unix. Apple is gaining more and more market share and they will just have to keep up with everyone else that updates and fixes and expands their OS.

Novell was horrible about this and that is one reason they lost their market share to Microsoft. They were able to expand and update faster to meet customers' needs. Of course this applies to only one aspect of the market, but I think if Novell had kept that market share they would have probably ventured into end user OSes. Just my opinion, on that one.

I like OS X a lot, but it isn't perfect in my mind, and I hope Apple can keep up because in all honesty I would just like to see more market share and competition to drive everyone to actually make a better product.

cwtnospam 02-03-2009 08:31 AM

More market share doesn't drive anyone to create a better product. Look at the big 3 auto makers. They had the bulk of the market and their complacency is what allowed the rest of the world to overtake them.

There is also the problem of where new customers come from when you're expanding market share, and what that does to your business culture. Ben & Jerry's used to have a strong following. Today, they're part of Unilever and many former customers think they're sellouts. I'm afraid that as Apple caters to more and more Windows users the same will happen to them. Little annoyances ported over from Windows already abound in OS X. When Jobs leaves Apple, they may truly be just another large corporation. That's when OS X will be under serious attack from hackers. :(

Woodsman 02-03-2009 08:43 AM

Quote:

Originally Posted by trevor (Post 516602)
I wish that Apple would ship the firewall on by default as well. That has always seemed like a bad decision on Apple's part to me, but then they never bothered to ask for my opinion.

Post scriptum: My Windows box got sick and my Mr. Fixit was just here to take it back to his workshop. I took the opportunity to show him a few things on the Mac and discuss general security. He was impressed inter alia by the SysPref screen, Command-Comma access to Prefs and by what I told him of the courtesy and helpfulness of the Forumites, but laughed his head off at the default firewall setting being "allow all incoming connections".

Trevor, he knows my ISP, so he could tell me my router is indeed a NAT and that it is supplied with the Remote Administration firmly off, so that's a good first line of defence, behind which I'm beefing up my second.

