Other Sites

03 November 2006

As Macintosh users, we like to keep things simple. We hope that we can pull a new iMac out of the box at Christmas, set it up, and start having fun. Indeed, that's generally possible. The trouble is, machines are fallible, the Internet is a dangerous place, and the home computer has taken on a new role as the archive of our music, TV shows, and family photos and movies. It's also used, in many cases for family finances, such as paying bills via on-line banking and doing Income Tax. So, whether we like it or not, we end up having to be literate about certain activities with a Macintosh.

In Part II of this series, I talked about structured knowledge. We have to put our knowledge into a framework so that we can build on pieces that matter and have resources, both human and digital. In this segment, I want to discuss Process. We all know about this in every day life. For example, when we park our car, we first put the transmission into Park. That's so we can remove our foot from the brake safely and reach for our belongings. Then, if we have power windows, we have to close them before we turn the ignition off. Finally, unless we have a keyless remote, we have to press the master door lock button before we shut the driver door. Getting out of sequence in any of these procedures just leads to annoyance and wasted time. Worse, something dangerous could happen.

The same is true with computers. There is a best-practices process that takes into account how the machine works, what can go wrong, and what the external dangers are. In the coming segments, I'll discuss four operational areas that need some process from you: Security, Backups, Mac OS X Operations, and Applications. We'll start this time with security. Remember, this is not a HOWTO. It's a launching point for deliberate process and learning.

Security

The first thing you may be tempted to do, out of the box, is connect your Mac to the DSL or Cable modem and get on the Internet quickly. Resist. That's the worst thing you can do in this era of Internet crime. You'll want to put an intermediate device between your Mac and that, say, Cable modem. By the way, I recommend Cable modems over DSL. They're generally faster and avoid complications with your home phone system.

Inbound Assaults

This intermediate device can take the form of a wireless router, and Apple AirPort Extreme or AirPort Express, or something more exotic and capable such as a hardware firewall. You'll need to learn a little about how such a device works, and you may need to engage an Apple consultant. You'll need to learn a little about Network Address Translation and non-routable IP addresses. I consider it important that the device be able to send you an e-mail each day providing a list of the assaults and where they came from. Without such an e-mail, you're very much in the dark.

Make sure that if the wireless router doesn't also have built in Ethernet jacks, that is, doesn't include an Ethernet Switch or Hub, that your Mac has an AirPort card -- so it can communicate wirelessly. If the router does have these ports, then you can buy what's called a "Cat 5 Patch Cable" and physically connect your Mac to the router if you wish. (Don't worry. The data between your Mac and the wireless router can be encrypted, and Internet assaults on your computer from criminals in foreign countries are much more dangerous than your neighbor next door who might pick up the signal.) Having a router like this insulates your entire network -- planning for the day when you may have a second Mac and want to open various communication ports in the Mac OS X software firewall for things like music, printer, and file sharing. Or friends of yours or student friends of your kids may visit. You owe them a secure wireless network.

Next, since a Cable Modem keeps your Mac on-the-air 24 x 7, even with multiple firewalls, there's no point in leaving the house with a connection in place. You can either turn off the Mac or sever the connection in the OS. (I recommend leaving your Mac on all the time. There may be scheduled processes that need to run. It's typial in a UNIX OS.) I've searched for tools to easily break the network connection, but none of them are really satisfactory. The best way to do this is in System Preferences -> Network. Create a new location called Off-The-Air and deselect every Network Port Configuration on the Show: popup. That way, you can sever your connection from the world without turning the Mac off. When you're ready to sever or re-establish the connection, use the blue Apple menu and the Location menu item to select the setting you want.

Of course, make sure the Mac OS X firewall is on in System Preferences -> Sharing, the Firewall tab.

Outbound Leaks

Now that you've blocked intruders from attacking from the outside, you need to worry about stuff you've downloaded manually or has come in through Safari that could activate a connection from the inside. Scurrilous Trojan Horse software, while rare for the Mac, could initiate an outbound connection. In fact, most legitimate commercial software you install these days, initiates some kind of harmless outbound connection. For example, informing the vendor what version you have so that they can offer you updates. Outbound connections are not blocked by the firewalls we just talked about. If you want to monitor outbound connections, you can install a wonderful, trustworthy tool (that all of us experts vouch for) called Little Snitch. Little Snitch, for a modest price, will allow you to monitor and/or block all outbound connections. It's generally easy to use and is a useful tool to help you decide what goes on in your computer with outbound connections. After awhile, you'll learn that BBEdit uploading the version number is harmless but for requests by various questionable Websites to trigger an outbound connection you may just want to say "no".

Physical Security

Finally, you need to plan for physical security. So far, we've discussed Internet security, but that doesn't help if your MacBook is, say, stolen from your car or if a nasty piece of shareware from France you innocently downloaded starts hunting around your home directory and uploads some personal data. There are two ways to encrypt and secure personal data on your Mac. You could turn on FileVault (System Preferences -> Security) which encrypts your entire user account. If you decide to do this, do it right away, with your Mac fresh out of the box. (I've used FileVault for years and found it reliable.)

Or you could create an encrypted disk image with the Disk Utility tool. The Disk Utility is found in the Utilities folder inside the Applications Folder. (Use File -> New -> Blank Disk Image...) Give yourself a DVD-size image (4.7 GB) and select the AES-128 option for encryption. Use this if you have a modest amount of tax, banking or financial data and you don't want to encrypt your entire home directory. You can also keep a simple, plain-text file with all your password on this encrypted volume. To access this data, you double-click the volume that's created, enter your password, and it'll mount on your desktop just like any other hard disk volume. Be sure to dismount it when you're done.

If you use either one of these methods to encrypt sensitive data, it's very unlikely that a non-technical thief could access your data. They'd have to wipe your hard disk clean before selling the computer. Unless they sold it to a foreign government. If you want better encryption than what Apple offers, there are lots of third party tools to look at. Look at www.securemac.com and scroll down to Mac OS Encryption. As a guideline, the U.S. government allows AES-128 only for sensitive and low level classified data.

What's Next?

I've given you a lot to think about. One could write a whole book on Mac OS X security, and it would be overwhelming. Instead, I've tried to make you a little more literate about the issues associated with Mac OS X security. You've been exposed to some processes, but you'll need to learn more on your own. You could probably ignore these issues and depend on the simple firewall in Mac OS X. You'd skate for awhile. Maybe you'd stay lucky. Maybe not.

The next step is to dig a little on the Internet. Read about Firewalls, Network Address Translation, AES encryption and so on. Wikipedia is generally a good source of information -- despite its current political turmoils. Purchase and install Little Snitch, and practice making an encrypted disk image. Look at the options in System Preferences -> Sharing ->Firewall -> Advanced. (Tiger only.) Turn on ALL those options!

While all those PC users out there have their PCs turned into Zombies, and control is wrested from them by foreign government agents or criminals who get paid for every PC they infect, you'll have a very, very secure system without a lot of trouble. You'll generally be able to surf with impunity. Just stay away from porn sites and music peer-to-peer file sharing software -- known to have imbedded nastyware. Stick to honorable Websites, for example, Apple's Music Store, Macintosh news, personal blogs, technical and professional sites, and major news related sites, and you'll be fine. Next time, now that you've secured your Mac, we'll talk about backing up all that important data you've protected.

This is Warp Core column #82. The Warp Core archives are here:

Year 2000

Year 1999

* Your humble author also writes a column for TMO.

John Martellaro is a senior scientist and author. A former U.S. Air Force officer, he has worked for NASA, White Sands Missile Range, Lockheed Martin Astronautics, the Oak Ridge National Laboratory and Apple Computer. During his five years at Apple, he worked as a Senior Marketing Manager for science and technology, Federal Account Executive, and High Performance Computing Manager. His interests include alpine skiing, SciFi, astronomy, and Perl. John lives in Colorado. He can be contacted via his Website or the Applelinks Contact link.