Welcome to the MacNN Forums.

Ruahrc · Apr 7, 2009, 02:07 AM

I'm planning to get a new mac soon as my old PBG4 is getting to be too slow for what I need. Anyways I was thinking maybe at the same time I would pick up a Time Capsule. I recently started playing with Time Machine using a FW800 external drive to back up my PBG4 (I used to use Synk to do a full system backup prior to this) and like its transparentness. I still do Synk backups of selected folders (i.e. documents, music, etc) for an added layer of security.

Anyways, the thing that really surprises me is that time Capsule (and the Airport Extreme actually) lack 2 of the most basic features found on even the cheapest routers...

1) no SPI firewall
2) lack of web browser interface

The SPI firewall concerns me because I feel that for what is supposed to be a high qualtiy feature packed base station, the lack of SPI firewall is surprising. Especially when my $30 Netgear router has one? "OS X is secure enough" you may say, and it may be true, but again why skimp on such a basic function? And also I have a windows XP SP3 PC on the network as well. I don't run antivirus or other garbage like that on it because I only use it for very light browsing (i.e. mostly to a few well known sites) and figure the hardware firewall plus the windows firewall are protecting me. I've been using Windows XP for years and have never had a problem.

The lack of a web-based browser interface may not be as bad, but certainly makes it more difficult to manage the Airport Express from the Windows PC that is on my network. Why force me to use my Mac and it's software utility to manage the router when again even the cheapest piece of junk router has web browser based configuration? Doesn't make sense if you ask me.

Anyhow, I'm asking if you think either of these is a big enough deal to worry about. Remember, I will have 1-2 Macs and 1 Windows XP computer on the network.

Having the TC seems like a nice clean way to get backup for my eventual new mac, and upgrade the wifi network to 802.11n at the same time to take advantage of the 802.11n wifi the new mac woudl have. But these 2 issues (well mostly the subpar firewall) seem almost like a deal-breaker to me. Perhaps I should stick with a local external TM backup instead.

Ruahrc

Simon · Apr 7, 2009, 03:32 AM

You're not forced to use your Mac to configure it. AirPort Utility comes in both OS X and Windows flavors.
http://www.apple.com/downloads/macos...orwindows.html

This Apple manual explicitly mentions how to do things on the Win side.
http://manuals.info.apple.com/en/Des....5-Windows.pdf

The fact that you don't have to use a browser interface to configure it is considered a feature by Apple (and many others actually).

Spheric Harlot · Apr 7, 2009, 03:58 AM

It does, however, mean that you need to install extra software. That wouldn't be a problem on the Mac, where you can just delete it after you're done, but on Windows, removing software entirely is a real problem. I can easily see why anybody with half a mind would be reluctant to install software under Windows that isn't absolutely necessary.

Ruahrc · Apr 7, 2009, 04:18 PM

Could somebody explain how this is supposed to be a feature? Less functionality and more hassle to manage the router (requiring a mac) vs. just visiting the router's IP address in any browser, on any platform? Not to mention that the millions of mac users out there who don't use apple routers have a piece of useless software on their hard disks taking up room.

Installing software is not much better on a Mac than it is on a PC. Sure you can just drag that app into the trash, but it leaves behind preference and application support files, and sometimes other files in other locations. And no maybe it doesn't slow the computer down like a clogged registry might, but it goes on the same principle that removing a program should remove all traces of it from the computer, Mac or PC. I really think that Mac software needs real uninstall routines too (Try uninstalling Office? or Adobe Photoshop?). Honestly I don't think the situation on Macs is much better than it is on PCs. Because of this, I try my hardest not to install any software I don't absolutely need, on either platform.

Management of the TC aside, what about the firewall? This is the one I really care about. Lack of SPI supposed to be a feature too?

Ruahrc

goMac · Apr 7, 2009, 04:22 PM

Why does your router, which is already preventing traffic from reaching your machines by definition, need a firewall?

Spheric Harlot · Apr 7, 2009, 04:39 PM

Originally Posted by Ruahrc

Could somebody explain how this is supposed to be a feature? Less functionality and more hassle to manage the router (requiring a mac) vs. just visiting the router's IP address in any browser, on any platform? Not to mention that the millions of mac users out there who don't use apple routers have a piece of useless software on their hard disks taking up room.

You've never set up any Apple routers. It's a rather smooth experience, usually, compared to browser-based configuration.

Originally Posted by Ruahrc

Installing software is not much better on a Mac than it is on a PC. Sure you can just drag that app into the trash, but it leaves behind preference and application support files, and sometimes other files in other locations. And no maybe it doesn't slow the computer down like a clogged registry might, but it goes on the same principle that removing a program should remove all traces of it from the computer, Mac or PC. I really think that Mac software needs real uninstall routines too (Try uninstalling Office? or Adobe Photoshop?).

Sorry, but please don't go overboard. Uninstalling Office is really as simple as dragging the whole PoS to the trash and emptying that.

It leaves behind a preference file - which is a text file - and a handful of fonts in the Fonts folder.

If you're worried about applications leaving traces in form of text files in your Preferences folder, then you're probably pirating stuff, because there simply isn't any other conceivable situation in which these would be of any concern whatsoever.

Adobe installs stuff in your Application Support folder, as well, and there's some weird copy protection going on elsewhere. Any application that requires an installer will usually come with an uninstaller, though.

There is absolutely no concerns about conflicting DLLs or uninstalling an application removing a DLL that is vital to some other application and causes half a dozen other things to break, while the orphaned entries in the endlessly bloated Registry continue to tax the system.

Application management under OS X is NOTHING as annoying and chaotic as under Windows.

ghporter · Apr 7, 2009, 05:07 PM

Originally Posted by Ruahrc

Management of the TC aside, what about the firewall? This is the one I really care about. Lack of SPI supposed to be a feature too?

Ruahrc

Which "cheapest" routers that have SPI firewalls are you thinking of. That's a premium feature, not an entry level staple. And what benefit do you get from SPI on a home network? Are you subject to well-planned attacks? Do you frequently have denial of service attacks? Or are you worried about apps you are running "phoning home?" (SPI won't really help with phoning home-those apps that need Internet access would almost certainly get their phone-home messages through SPI unless you crafted a very special rule against it.)

Ruahrc · 07:31 PM

Originally Posted by Spheric Harlot

You've never set up any Apple routers. It's a rather smooth experience, usually, compared to browser-based configuration.

That may be true, but I have never found setting up any wireless router I've owned before a hassle either. Sure it may not look as pretty, but the process was usually nothing more than typing in an SSID, WPA key, and configuring the wireless channel. I usually disable SSID broadcast and set up MAC Address filtering too- but again none of this has ever been complicated via any web-based interface I've used.

Originally Posted by Spheric Harlot

Sorry, but please don't go overboard. Uninstalling Office is really as simple as dragging the whole PoS to the trash and emptying that.

It leaves behind a preference file - which is a text file - and a handful of fonts in the Fonts folder.

If you're worried about applications leaving traces in form of text files in your Preferences folder, then you're probably pirating stuff, because there simply isn't any other conceivable situation in which these would be of any concern whatsoever.

A quick search of Spotlight with the terms "Microsoft" or "Office" and including the system files in the search shows multiple items that would be left behind. Documents\Microsoft User Data is the most obvious but that's not the half of it. There's an Application Support\Microsoft folder, an entire folder of preferences in Library\Preferences\Microsoft\Office 2008\. Don't forget about Library\Caches\Microsoft Office, or System\Library\PrivateFrameworks\OfficeImport.fram ework. Or the "Office Shared Library" files Spotlight found in System\Library\CFMSupport. I could go on, but you get the picture.

The point is that when a program is removed, all associated files should be removed, because a few files here a few files there it begins to add up. Again I agree it's not really the bogging down or the space, but the principle that programs should just be allowed to leave items behind, especially such simple items like text preferences files! If you think about it, text preferences files are really the equivalent of registry bloat in Windows PCs.

Accusing me of piracy is going overboard, and you're wrong about it too. Why the need to resort to baseless accusations?

Originally Posted by ghporter

Which "cheapest" routers that have SPI firewalls are you thinking of. That's a premium feature, not an entry level staple. And what benefit do you get from SPI on a home network? Are you subject to well-planned attacks? Do you frequently have denial of service attacks? Or are you worried about apps you are running "phoning home?" (SPI won't really help with phoning home-those apps that need Internet access would almost certainly get their phone-home messages through SPI unless you crafted a very special rule against it.)

Here is a list of 37 routers on Newegg that have "Stateful Inspection" in the description. A whole slew of them under $50. Don't argue that the cheapest routers are b/g only- that is not the point. The point is that if a low-end $25 b/g router can have SPI why can't the premium Time Capsule (or AEBS) have it too? In fact, SPI has become quite commonplace. All the routers I saw that do have firewalls have both NAT+SPI.

http://www.newegg.com/Product/Produc...less%20Routers

Am I subject to well planned attacks? Not that I am aware of, and I certainly hope it stays like that. But I also don't plan on getting in car accidents either yet I still wear a safety belt. Do I partake in particular activities making me a target for attack? No, but again that's a weak excuse to not have security. Especially when SPI is widely available in other router manufacturers.

I really don't see the need for everyone to get defensive over what I feel are legitimate questions. I ask because I am genuinely interested in the Time Capsule, as it seems like an elegant backup solution combined with a router that has some pretty nice features (i.e. dual band radios, guest wireless access)- yet it seems to lack some pretty basic features that are available on nearly every other router sold.

Ruahrc

ghporter · Apr 7, 2009, 08:44 PM

That's an impressive list. I didn't know that so many Netgear routers had SPI, nor that the WRT54G series did either. That's a different sort of thing.

I have three (four if you count the XBox 360) clients on my network all the time, and I have never worried about SPI; by configuring my primary router to block anonymous requests, I have fairly good control of what comes into my network, and I'm comfortable with that. On the other hand, knowing that so many inexpensive routers DO have SPI, I know what I would do when upgrading when my primary router finally dies.

I now agree that Time Capsule, as a router is lacking in what is obviously now a very common feature that has plenty of application in most home networking situations. However, getting Apple to add a feature to this already complex device won't be quick or easy. It just should be added.

Ruahrc · Apr 7, 2009, 10:10 PM

Yeah, that's the frustrating part. Apple makes great strides with products like the TC, but then totally drops the ball in the last few yards by making IMO bonehead omissions like this. Same thing happened for the original iPod touch not having the set of iPhone apps like it should have, or continuing to not offer a high resolution option for more of their laptops.

Hopefully they improve upon things w.r.t. the TC in the future. The easiest way, of course, to make this happen is for me to simply buy one. Then Apple will release an updated version about 2 weeks after my purchase

Ruahrc

Spheric Harlot · Apr 8, 2009, 01:44 AM

Originally Posted by Ruahrc

A quick search of Spotlight with the terms "Microsoft" or "Office" and including the system files in the search shows multiple items that would be left behind. Documents\Microsoft User Data is the most obvious but that's not the half of it. There's an Application Support\Microsoft folder, an entire folder of preferences in Library\Preferences\Microsoft\Office 2008\. Don't forget about Library\Caches\Microsoft Office, or System\Library\PrivateFrameworks\OfficeImport.fram ework. Or the "Office Shared Library" files Spotlight found in System\Library\CFMSupport.

The Microsoft User Data is harmless, the OfficeImport.framework is APPLE's, not Microsoft's, and the reason none of the others occurred to me is because they don't exist with Office 2004 and prior.

I realize that Office 2008 is a colossal ****-up, but did Microsoft really **** it up on such an epic scale? That's just plain astounding.

All the more reason to stay away...

(And yes, you make a good point if this is the case.)

Originally Posted by Ruahrc

If you think about it, text preferences files are really the equivalent of registry bloat in Windows PCs.

They have no impact on system performance or stability, so no.

Originally Posted by Ruahrc

Accusing me of piracy is going overboard, and you're wrong about it too. Why the need to resort to baseless accusations?

You're right. My apologies.

Simon · Apr 8, 2009, 02:37 AM

If you really want to do a total uninstall of an app it's quite easy to do. Every OS X installer has a menu entry File > Show Files that lists which files (including paths) the installer will install. Save that list. When you want to get rid of the app, pipe that list to rm and you're done. Simple as that.

OS X is built so uninstallers aren't necessary. It's one of the great benefits of having a Mac.

turtle777 · Apr 8, 2009, 12:51 PM

Originally Posted by Simon

Save that list. When you want to get rid of the app, pipe that list to rm and you're done. Simple as that.

Yes, using rm is great, since there is *no possible* way that this could go wrong.

-t

turtle777 · Apr 8, 2009, 12:55 PM

But back on topic: can some one tell me why I would need SPI on my router ?

I have NAT enabled on my router.
What kind of attacks would SPI prevent, assuming that my OS 10.5 is fully updated and patched ?
Oh, and btw, I use Little Snitch, so that should be factored into the equation.

-t

Simon · Apr 8, 2009, 04:49 PM

Originally Posted by turtle777

Yes, using rm is great, since there is *no possible* way that this could go wrong.

Of course things can go wrong. So what? If you don't feel comfortable using rm just drag the stuff to the trash by hand. Same idea.

It's a whole lot more productive than complaining about the missing uninstaller on a board, that's for sure.

turtle777 · Apr 9, 2009, 10:58 AM

Originally Posted by Simon

It's a whole lot more productive than complaining about the missing uninstaller on a board, that's for sure.

*I* did not complain about missing uninstallers.

To be honest, for most users, I think leaving the app installed is the better / safer option than fiddling with rm.

But if you wanna use rm, I suggest using the -i (--interactive) flag, just to make sure you don't bork the system.

-t

Simon · Apr 9, 2009, 11:29 AM

No worries. I know you weren't complaining abut the uninstaller. But this issue does regularly come up even though people already have all the tools at their disposal.

I think the necessary logging is provided so people who really really want to get rid of all app traces can do so on their own. Apple IMHO rightly does not supply an uninstaller. Doing so would encourage littering the FS. Sticking to default installers (with install logs) and drag 'n drop installs is IMHO the right way to go.

fubar_this · 11:31 PM

Originally Posted by turtle777

But back on topic: can some one tell me why I would need SPI on my router ?

I have NAT enabled on my router.
What kind of attacks would SPI prevent, assuming that my OS 10.5 is fully updated and patched ?

First, you have no guarantees that just because your OS is fully updated & patched that it's not vulnerable. Apple is actually pretty slow about security patches. On Linux most zero-day vulnerabilities are patched in a matter of hours or days. Apple takes weeks.
Second, NAT != firewall. Many routers have had silly (but exploitable) holes in their NAT implementation that allowed people from the outside world to traverse the inside network. Also, many, many applications actually open up holes in your precious NAT network. iChat, YahooIM, Back to my Mac, and most games all use UPNP (or Apple's equivalent) to open up a port on the router (thus explicitly making your network vulnerable). Worse, many use STUN to open a port on your computer and then "punch" that hole in the NAT state table, which is even less visible (at least you can turn off UPnP on the router).
Finally, many people (like me) have to use portmappings and other advanced network features so that we can access our home machines from work (since Back to My Mac seems to take a crap all over the corporate Internet, I can't use it, and regardless, Back to my Mac uses UPnP to open up your router's NAT anyway).

Originally Posted by turtle777

Oh, and btw, I use Little Snitch, so that should be factored into the equation.

Little Snitch provides no security in this case as it does not handle incoming connections, only outgoing connections. A firewall is intended to block incoming connections (although I admit the term has become abused recently). But a true firewall would block incoming connections, and Little Snitch has no feature.

<rant>
IMHO Little Snitch provides dubious value for security because it purports to protect against a problem that doesn't exist on the Mac—rogue applications connecting to the Internet without your knowledge/consent. If that sounds like spyware, that's because it is, and there's no real threat of it on the Mac. If you want to say "preventive medicine" and such, then you shouldn't be arguing about the need for an SPI. If you want to argue that it provides "knowledge" about which applications are using the Internet, it really doesn't provide that--once you connect to a network mount (such as an AFP server) then every application is accessing the Internet whenever it opens a Open/Save dialog box (which Little Snitch is only too happy to tell you about). That's a half truth as it's the AFP filesystem, through your application, that's accessing the Internet, making it virtually impossible to tell what is rogue and what's benign. In Windows security products, they have a "leak tests" feature that actually detects which DLL is making the syscall, thus allowing you to differentiate between "Apple's Open/Save dialog box" and "some rogue process". Little Snitch goes by process name only. But I digress.
</rant>

turtle777 · Apr 9, 2009, 11:35 PM

Originally Posted by fubar_this

First, you have no guarantees that just because your OS is fully updated & patched that it's not vulnerable. Apple is actually pretty slow about security patches. On Linux most zero-day vulnerabilities are patched in a matter of hours or days. Apple takes weeks.

AFAIK, there has not been a single remotely exploitable security hole in OS X. Am I missing something ?

Originally Posted by fubar_this

Second, NAT != firewall. Many routers have had silly (but exploitable) holes in their NAT implementation that allowed people from the outside world to traverse the inside network. Also, many, many applications actually open up holes in your precious NAT network. iChat, YahooIM, Back to my Mac, and most games all use UPNP (or Apple's equivalent) to open up a port on the router (thus explicitly making your network vulnerable). Worse, many use STUN to open a port on your computer and then "punch" that hole in the NAT state table, which is even less visible (at least you can turn off UPnP on the router).

Thanks, fubar.

How can I test / check if my router's NAT is vulnerable ?

Also, my router (i.e. cable modem + router) is so old school, it doesn't even have UPnP.

But this "hole punching" thing is a bit above my paygrade...

-t

fubar_this · Apr 10, 2009, 01:23 PM

Originally Posted by turtle777

AFAIK, there has not been a single remotely exploitable security hole in OS X. Am I missing something ?

Yes, tons. Mac OS X has had plenty of remotely exploitable holes. There is a difference between vulnerabilities and exploits however. Basically Mac OS X has had the potential to be exploited hundreds of times. Search BugTraq for Mac OS X remote vulnerabilities, and Leopard alone will reveal dozens of matches. However, for a variety of reasons (which I won't go into here since most people will lambast me) nobody has exploited them. Meaning the opportunity was there, but nobody cared enough to actually exploit it (there I said it, rant all you want).

How can I test / check if my router's NAT is vulnerable ?

Also, my router (i.e. cable modem + router) is so old school, it doesn't even have UPnP.

But this "hole punching" thing is a bit above my paygrade...
-t

STUN stands for Simple Traversal of UDP over NAT. It is used by many, many applications like iChat that need to connect to another computer that is behind a NAT. For example video chats use direct messaging—instead of two people connecting to the AOL servers and using the server to pass messages back and forth, you connect directly to the other people in video chats. iChat uses the STUN protocol to "punch" a hole in your NAT so that your NAT will allow traffic from the other video chat participants (it also uses STUN when sharing photos, audio chats, even sometimes randomly it seems like). It's a common protocol and is generally benign, but the idea that once you have your network NAT'd you are totally safe is not true at all. As I said before, NAT != firewall.
You can't really check for STUN unless your router has a way to look at the state table. Most don't, even the fancy ones, unless you hack them and install ssh.

turtle777 · Apr 10, 2009, 01:31 PM

Great, thanks for the explanation.

If I understand right, STUN requires an application from my client to establish the connection, only THEN, an outside client could address my client directly. So one should be careful what one installs on their machine.

Re: security holes: of those that OS X had in the past, how many would have been "caught" by a SPI firewall ? All ? Some ?

-t

fubar_this · Apr 10, 2009, 01:47 PM

Originally Posted by turtle777

Great, thanks for the explanation.

If I understand right, STUN requires an application from my client to establish the connection, only THEN, an outside client could address my client directly. So one should be careful what one installs on their machine.

Re: security holes: of those that OS X had in the past, how many would have been "caught" by a SPI firewall ? All ? Some ?

-t

Yes STUN is a network protocol, not an API. So an application connects out, does some network trickery and then tada, your NAT has a hole in it the application on another person's computer can use to connect back to you. Thing is, that hole can be used by anybody. Sure its purpose is for the application that opened it, but the Internet police aren't going to come and make sure only the person on the other end of your video chat, etc. use it--anybody that sees that hole open in the NAT device can use it. To control who uses it you need a firewall.
You could say yes, you have to be careful about what one installs, but that doesn't solve this particular problem (though it's good practice). STUN is a perfectly legit protocol, but once it's used it has potential misuse by other people who see that port being opened, and you can't control those people. Saying you need to be careful about which programs you install is like saying you can protect your house from invaders by being who you let into your house and then having some occupant purposefully leave the door unlocked.

Anyway all of this is somewhat theoretical. Yes you are probably safe, especially on a Mac (even a Windows computer is probably safe). But there will definitely come a time when NAT will not be any kind of safeguard. Many more applications are using UPnP to just open up a port on the computer. Back to my Mac is pretty useful, but every person that uses it has just opened up their NAT device. There are several other applications, from games to applications like Skype, that do the same thing.

And then there's IPv6, the future. There is no NAT in IPv6. You are directly connected to the entire Internet, which is a good thing—NAT is an evil that has been unleashed upon this world and now must be contained, not spread. Because of NAT we have protocols like UPnP and STUN to subvert NAT.

Finally there's the devices themselves. NAT devices are inherently insecure because most people don't know how to configure them. Many of them are wireless, and wireless is very insecure. Even WEP 128 has been broken, though it takes more time then WEP 48 (thank God). So once you enable wireless your home network is pretty wide open to people in the vicinity who have a malicious heart and some spare time. Most people leave the default password enabled and leave wireless settings at their most relaxed.

zerock · Apr 10, 2009, 03:07 PM

i have mostly macs at home. what i do is i have OSX firewall on and a new airport extreme router. works pretty good

Le Flaneur · Apr 13, 2009, 03:53 PM

Originally Posted by Ruahrc

Could somebody explain how this is supposed to be a feature? Less functionality and more hassle to manage the router (requiring a mac) vs. just visiting the router's IP address in any browser, on any platform?

Apple hardware is conceived to work for the vast majority of users, which means that they're not primarily conceived for techies (especially not the Time Capsule and Airport Extreme, which are network/backup devices for the rest of us). The problem with entering a URL is precisely that -- you have to enter a url, which doesn't look like a "usual" URL anyway because it is composed of numbers.

When you run, Apple's Airport Utility, it automatically finds not just one's Time Capsule but all the Apple networking devices on one's network (such as Airport Express units) -- a huge convenience for most people.

Frankly, computer hardware and software is still way too difficult to configure and use. You should see my parents in their 70s try to transfer a photo from web-based mail to iPhoto or respond to a videochat invitation to get a sense of how non-obvious this is to many people. But Apple's stuff is in general much easier to use than the devices of other manufacturers.

CharlesS · Apr 13, 2009, 04:25 PM

Originally Posted by Simon

Of course things can go wrong. So what?

Because piping that list to rm is almost guaranteeing that you'll get tragic results. If you use the -r flag, then if the package has a reference to the Applications in it, then whoops, you just nuked the Applications folder. If it's got a reference to / then, well, you just nuked your entire hard drive, as well as all other attached disks. What's more, all of these packages have . as the first entry, which means that you'll nuke whatever the current directory is, every time.

And if you don't use the -r flag, then it's useless anyway because it won't delete any directories, and you'll end up with a bunch of empty .apps and .frameworks and whatnot scattered throughout the hard disk.

Whether you use the -r flag or not, you've also got the possibility that some important system file existed prior to running the package, and the package merely updated it to a newer version. Piping the list to rm means that this important system file will get nuked. Perhaps the system won't even boot anymore after this, or will otherwise behave strangely.

Add to all this the fact that the paths are all relative, and the directory they're relative to is specified in the package. Some packages install to the root of the drive, some to /Applications, some to /usr/local, etc. and there's no way to tell this from the "Show Files" listing, so this won't even work that well in the first place.

It's just a bad idea, plain and simple. I wouldn't recommend doing it.

Simon · Apr 14, 2009, 04:28 AM

Originally Posted by CharlesS

It's just a bad idea, plain and simple. I wouldn't recommend doing it.

I didn't mean pipe as in | literally.

The installer log file will however show you were things were installed. Grab the parent folder in the Finder and drag it to the trash (or what I do, a cd /wherever and then a rm -r whatever.app). It's no less safe than searching your HD by hand and then throwing out stuff you believe belongs to the app.

The simple point I was trying to make is that that file tells you what to remove and where it is so you can do the "uninstall" yourself if that is what you really want to do. No special uninstaller app is needed. Of course in 95% of the time simply dragging the app package to the trash should be sufficient. And for regular users that's definitely the method of choice.