One Year Ago, Daylight Savings Time II, Personal Firewall, The Lighter Side
One Year Ago
A year ago on March 13, I left Apple and started ps Enable, Inc. Thanks to everyone who's helped me along the way. :-D
Pass It On
If you like this newsletter, please forward it to any colleagues who might be interested. They can sign up for their own copies at: <http://lists.ps-enable.com/mailman/listinfo/newsletter>.
Daylight Savings Time II
Now that we've taken care to move our clocks forward three weeks earlier than in previous years, we should also beware of systems that will spring forward again on the old date. I had to move the clock for my old VCR forward manually, because the automatic DST function can't be updated. In another week or so it will spring ahead another hour, and I will need to move it back an hour when that happens. There may be any number of embedded systems like this in your organization that you had to "spring forward" manually; only now you're going to have to "spring them back" manually again.
Oh, and don't forget these same systems come October and November.
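As an added illustration (it is not from the newsletter), the script below encodes the old US rule (1987 to 2006: first Sunday in April to last Sunday in October) and the new one (2007 onward: second Sunday in March to first Sunday in November), computes both sets of transition dates for any year, and lists the date ranges in which a device still running the old rule disagrees with correct local time. The list of manual corrections modelling the VCR is a constructed assumption.

```python
"""Where an un-patched device's clock will disagree with correct US local time.

Added example (not from the newsletter): the old rule (1987 to 2006) and the
new rule (2007 onward) are encoded below; the VCR corrections are constructed.
"""
from datetime import date, timedelta

SUNDAY = 6  # datetime.weekday(): Monday == 0 ... Sunday == 6


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday in a month; n == -1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        offset = (weekday - first.weekday()) % 7
        return first + timedelta(days=offset + 7 * (n - 1))
    # Last occurrence: step back from the last day of the month.
    first_of_next = date(year + (month == 12), month % 12 + 1, 1)
    last = first_of_next - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def old_rule(year):
    """US DST 1987-2006: first Sunday in April to last Sunday in October."""
    return nth_weekday(year, 4, SUNDAY, 1), nth_weekday(year, 10, SUNDAY, -1)


def new_rule(year):
    """US DST from 2007: second Sunday in March to first Sunday in November."""
    return nth_weekday(year, 3, SUNDAY, 2), nth_weekday(year, 11, SUNDAY, 1)


def dst_active(day, rule):
    """True when `rule` has the clock on daylight time on `day`."""
    start, end = rule(day.year)
    return start <= day < end


def device_error_hours(day, corrections=()):
    """Hours a device still on the old rule is ahead (+) or behind (-) of
    correct local time on `day`. `corrections` lists manual adjustments
    (date, hours) already applied to the device."""
    error = int(dst_active(day, old_rule)) - int(dst_active(day, new_rule))
    error += sum(hours for when, hours in corrections if when <= day)
    return error


def skew_windows(year, corrections=()):
    """Runs of consecutive days with a non-zero error, as (first, last, hours)."""
    windows = []
    run_start, run_error = None, 0
    day = date(year, 1, 1)
    while day.year == year:
        error = device_error_hours(day, corrections)
        if error != run_error:
            if run_error:
                windows.append((run_start, day - timedelta(days=1), run_error))
            run_start, run_error = day, error
        day += timedelta(days=1)
    if run_error:
        windows.append((run_start, day - timedelta(days=1), run_error))
    return windows


# Constructed: the VCR was set forward by hand on the new spring date and will
# be set back by hand when it springs forward again on the old date.
VCR_CORRECTIONS = [(date(2007, 3, 11), +1), (date(2007, 4, 1), -1)]

if __name__ == "__main__":
    for label, fixes in (("untouched device", ()), ("hand-corrected VCR", VCR_CORRECTIONS)):
        print(label)
        for first, last, hours in skew_windows(2007, fixes):
            print(f"  {first} to {last}: {hours:+d} h")
```

For 2007 an untouched device is an hour behind from March 11 through March 31 and again from October 28 through November 3; a device corrected by hand in spring, but only in spring, runs an hour ahead from April 1 until the old fall-back date and again from November 4 to year end. Those windows are also when to expect log timestamps from embedded devices to be off by exactly one hour, which is a useful check for finding the systems nobody remembered to adjust.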
Personal Firewall
Q: What should you do with the personal firewall on Mac OS X?
A: Turn it off and leave it off.
Say WHAT?!?!
The personal firewall isn't actually protecting you against anything, since it's linked to the various sharing services. Anyway, firewalling at the endpoints (the client or the server) is not very useful — proper firewalling happens at the router.
First, let's look at how the personal firewall works in detail, then let's look at the consequences.
Since the Sharing prefs pane services are integrated with the firewall, what happens in the four possible states?
- Firewall off, service off --> port closed
- Firewall on, service off --> port closed
- Firewall off, service on --> port open
- Firewall on, service on --> port open
Notice anything? The state of the port depends only on the state of the service, not the state of the firewall. Thus, the firewall has NO effect on the state of the ports. The firewall does have a marginal effect in that it may slow down an attacker's port scan if you turn on stealth mode, but in practical terms that has little effect. Most scans are done by automated tools that don't really care how long it takes.
Now, what are the consequences? In a low-threat environment, by turning on the firewall you interfere with services like Bonjour-based iTunes and iPhoto sharing, SubEthaEdit, etc. In a high-threat environment, what the heck are you doing with those services running, anyway?
The personal firewall is a feel-good, marketing-driven measure that can be safely turned off on Mac OS X, which ships with all TCP ports closed by default (although UDP 5353 is open for Bonjour). On Windows you need a personal firewall on every single machine, since there is no way to turn off the System or RPC services, and NetBIOS is generally on. Thus, TCP ports 135, 139 and 445 and UDP ports 137, 138, and 139 are always open unless they are blocked by a firewall.
I have long suggested (and yes, it is filed in Radar) that there should be an option to have the firewall restrict connections to those coming from just the local subnet, with an option to allow connections from anywhere. This would allow people to share files with someone locally without opening themselves up to the full Internet. Configuring the firewall this way would have a significant effect in slowing the spread of a zero-day exploit since the malware would face difficulties propagating itself beyond the local subnet.
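To make the suggested local-subnet option concrete, here is an added example (not Apple's firewall and not code from the newsletter) of the decision a subnet-scoped personal firewall would make for an inbound packet, plus the rule set it would install. The service table, the 192.168.1.0/24 subnet and the source addresses are constructed; the emitted rules use ipfw syntax, the packet filter Mac OS X used at the time, but are illustrative rather than a tested configuration.

```python
"""Subnet-scoped sharing: admit a shared service only from the local subnet.

Added example, not Apple's firewall or any code from the newsletter. The service
table, subnet and addresses are constructed; the emitted rules use ipfw syntax,
the packet filter Mac OS X used at the time, but are illustrative.
"""
import ipaddress

# Constructed policy: service -> (port, protocol, reachable from anywhere?)
SHARING_SERVICES = {
    "Personal File Sharing": (548, "tcp", False),   # AFP, LAN only
    "Remote Login": (22, "tcp", True),              # SSH, deliberately exposed
    "Bonjour": (5353, "udp", False),                # mDNS, LAN only
}
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # constructed


def decide(src_ip, port, proto, services=SHARING_SERVICES, local_subnet=LOCAL_SUBNET):
    """Verdict for an inbound packet: 'allow', 'deny', or 'closed'.

    'closed' means no enabled service listens there, so, as the newsletter's
    four-state table shows, the firewall has nothing to decide. Malformed
    source addresses are denied rather than raising."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "deny"
    for svc_port, svc_proto, anywhere in services.values():
        if (svc_port, svc_proto) == (port, proto):
            # An IPv6 source is never "in" an IPv4 subnet, so it is denied.
            return "allow" if anywhere or src in local_subnet else "deny"
    return "closed"


def ipfw_rules(services=SHARING_SERVICES, local_subnet=LOCAL_SUBNET, base=2000):
    """ipfw-style rules for the policy: a local-subnet allow (or an allow from
    any) followed by a deny for the same port. Rule numbers start at `base`."""
    rules, number = [], base
    for port, proto, anywhere in services.values():
        if anywhere:
            rules.append(f"add {number} allow {proto} from any to me dst-port {port} in")
            number += 10
            continue
        rules.append(f"add {number} allow {proto} from {local_subnet} to me dst-port {port} in")
        rules.append(f"add {number + 10} deny {proto} from any to me dst-port {port} in")
        number += 20
    return rules


if __name__ == "__main__":
    for src, port, proto in [("192.168.1.20", 548, "tcp"), ("203.0.113.5", 548, "tcp"),
                             ("203.0.113.5", 22, "tcp"), ("203.0.113.5", 80, "tcp")]:
        print(f"{src:>14} -> {proto}/{port}: {decide(src, port, proto)}")
    print("\n".join(ipfw_rules()))
```

The ordering matters: ipfw evaluates rules by number, so the subnet allow must sit before the matching deny for the same port. Ports with no enabled service come back as "closed" whatever the rules say, which is the point of the four-state table above; the subnet restriction only adds value on the ports a service has actually opened.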
The Lighter Side
I ran across some pretty funny IT stories on ComputerWorld's website, in the Sharkbait section. Read a few if you need a short break.
<http://sharkbait.computerworld.com/>
--Paul