Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Apple Fixes 'Misleading' Leopard Firewall Settings

Zonk posted more than 6 years ago | from the walls-need-to-be-just-a-teensy-bit-thicker dept.

Security 264

4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."

Sorry! There are no comments related to the filter you selected.

As usual, other considerations... (5, Informative)

daveschroeder (516195) | more than 6 years ago | (#21371211)

Apple's "everything just works" niceties depend on things like Bonjour, in particular, being able to be accessed, and most users would end up selecting "Block all incoming collections" when making a firewall choice, because they won't really understand anything else...and "more" is "better", right? So blocking all must mean I'm super secure! Firewall good! Hacker bad! ...Except that now when I get my AppleTV and buy my son or daughter an iMac and expect to be able to do all the cool stuff that doesn't require any configuration and "just works"...nothing works. Why doesn't it work?

They won't be able to answer that any more than they know what to pick on the Firewall preferences screen.

So what Apple does is a little bit of deciding for the user what makes sense. The first step was going to an intelligent application level firewall that makes it a lot more functional and easier to use. The next was making some policies that allow services Apple considers "essential" to the whole Mac OS X user experience. And like it or not, Bonjour is an integral part of that.

Anyone who knows enough to know, for certain, that they don't want, e.g., Bonjour open, also knows how to use any of a number of free or commercial commandline or graphical options to set up ipfw or other network level protections any way they wish. That's the bottom line: anyone who knows enough to "know" they "really" want to disable all incoming connections can still easily do so.

This is about making security easy for typical, average users, while still keeping things that make the Mac experience "just work".

Now, I *do* wish that Apple had one more option: Block *everything*, but explain, hey, this is going to break some things like Bonjour, etc., so be SURE that you want to do this, and don't complain if all of a sudden your AppleTV syncing and iTunes sharing and automatic local machine discovery no longer work.

Apple describes all of this very explicitly here [apple.com] :

The 10.5.0 Application Firewall blocked all but:

          Processes that are running as UID 0
          mDNSResponder

The 10.5.1 Application Firewall blocks all but:

          configd, which implements DHCP and other network configuration services
          mDNSResponder, which implements Bonjour
          racoon, which implements IPSec

So, while I haven't extensively tested yet, it does NOT appear to allow UID 0 processes, but rather only the above processes.

And from here [apple.com] :

CVE-ID: CVE-2007-4702

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: The "Block all incoming connections" setting for the firewall is misleading

Description: The "Block all incoming connections" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services. This update addresses the issue by more accurately describing the option as "Allow only essential services, and by limiting the processes permitted to receive incoming connections under this setting to a small fixed set of system services: configd (for DHCP and other network configuration protocols), mDNSResponder (for Bonjour), and racoon (for IPSec). The "Help" content for the Application Firewall is also updated to provide further information. This issue does not affect systems prior to Mac OS X v10.5.

CVE-ID: CVE-2007-4703

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: Processes running as user "root" (UID 0) cannot be blocked when the firewall is set to "Set access for specific services and applications"

Description: The "Set access for specific services and applications" setting for the Application Firewall allows any process running as user "root" (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as "Block incoming connections". This could result in the unexpected exposure of network services. This update corrects the issue so that any executable so marked is blocked. This issue does not affect systems prior to Mac OS X v10.5.

CVE-ID: CVE-2007-4704

Available for: Mac OS X v10.5, Mac OS X Server v10.5

Impact: Changes to Application Firewall settings do not affect processes started by launchd until they are restarted

Description: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access. This update corrects the issue so that changes take effect immediately. This issue does not affect systems prior to Mac OS X v10.5.


Based on this, I'd say that several major issues with the Application Firewall have been addressed. Namely, the assertion that "Block all incoming connections" was misleading, and always allowing access to all UID 0 applications, regardless of explicit settings.

And from the comments in the last slashdot article about this, a lot of people weren't upset so much that Apple was making a judgment to still allow things like, e.g., Bonjour, but that "Block all incoming connections" didn't do just that. So they've tightened up the implementation and clarified the user interface. And, "ipfw technology is still accessible [...] and the Application Firewall does not overrule rules set with ipfw; if ipfw blocks an incoming packet, the Application Firewall will not process it."

That, and firewalls that are blocking "everything" often really still aren't blocking everything. They're still allowing back stateless traffic from DNS queries and VPN traffic and things of that nature, often by default. There's a lot more nuance here. And Apple fixing these problems isn't "fessing up" to anything. It's addressing legitimate security concerns that have been brought to their attention in a timely manner. Is that not what we expect and want Apple to be doing?

This summary is laughable: "fessed up"..."threw cold water on"..."provided cover for"..."Apple's claim that Leopard's firewall can block all incoming connections". Come on. It wasn't like Apple tried to make a firewall that could block all incoming connections and failed. They made a firewall that intentionally still allowed some services; essentially "Block all (but essential) incoming connections". And they had some mistakes in implementation. And the other security updates are for 10.4.x.

But instead of pointing out that Apple, for the first time, is also providing [apple.com] security updates for 10.x-2 where 10.x is the current release (Sec Update 2007-008 provides fixes for 10.3.9), I guess it's better to poke fun at Apple for actually fixing security vulnerabilities... :-/

Re:As usual, other considerations... (0, Redundant)

giminy (94188) | more than 6 years ago | (#21371397)

Excellent review, but one question:

The original article was posted at 5:23, and your response came at 5:24. Did you really type all of that up in just one minute, or does Slashdot not post the actual "submit" time as the time that a comment was posted? (Or was it pre-prepared, cut&paste :))

Reid

Re:As usual, other considerations... (4, Informative)

daveschroeder (516195) | more than 6 years ago | (#21371417)

The * by my name means subscriber, which means I see the articles early, and have an opportunity to compose a reply before the article goes live.

Re:As usual, other considerations... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21371427)

apple apologists such as he must surely have it done in advance, with a standby crew of other apple fans ready to mod all the way to +5 informative before anyone else posts

Re:As usual, other considerations... (2, Funny)

Blakey Rat (99501) | more than 6 years ago | (#21372079)

Crazily, he actually *pays* for Slashdot. Subscribers can see stories like a half hour early and compose their reply during that time.

Paying for Slashdot? *shakes head slowly*

Re:As usual, other considerations... (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21372197)

Supporting the services he uses with monetary compensation? Absurd!

Re:As usual, other considerations... (4, Funny)

liquidpele (663430) | more than 6 years ago | (#21371399)

Damn. That's one hell of a first post.
Is there even anything left to say?

Re:As usual, other considerations... (1, Funny)

Anonymous Coward | more than 6 years ago | (#21372131)

yes.

Re:As usual, other considerations... (3, Funny)

toadlife (301863) | more than 6 years ago | (#21372523)

yes.
I disagree.

Re:As usual, other considerations... (2, Insightful)

djh101010 (656795) | more than 6 years ago | (#21371423)

There ya go, Dave, being all informative, complete, accurate, and factual. You realize the haters are about to label you, let's see, what is it this time? Fanboi, apologist, and employee of Apple I think is due this time, right?

For the record, I saw the writeup and was hoping you'd have written a response, and am glad to see you did. Those of us who are capable of understanding facts and logic, rather than knee-jerk pretending that "w000, this is just as bad as Vista on a good day" and all that, appreciate your time and efforts.

Re:As usual, other considerations... (-1, Flamebait)

kc2keo (694222) | more than 6 years ago | (#21372341)

go fuck yourself

Re:As usual, other considerations... (0, Flamebait)

kc2keo (694222) | more than 6 years ago | (#21372381)

...because I'll be fucking myself

Re:As usual, other considerations... (5, Insightful)

Rodyland (947093) | more than 6 years ago | (#21371485)

Let me first say that I get what you're saying, and I can understand where Apple are coming from....


But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

Seriously, if an MS-shipped firewall decided (without telling you) that 'block all incoming connections' really meant 'block all incoming connections except for MSN Messenger and oh, I don't know, maybe Media Player', would you be making excuses about how it was really necessary and understandable to deliver the "Microsoft Experience(TM)"?

No, I didn't think so either.


Yes, Apple should be applauded for recognising a problem in their software, as well as a problem in the way their software presents itself, and fixing it.

But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

Re:As usual, other considerations... (3, Insightful)

geekoid (135745) | more than 6 years ago | (#21371635)

It's about reputation.
MS has a well deserved crappy reputation. Apple has a well deserved good reputation.

Historically speaking, MS would avoid, pretend it doesn't exist, refuse to take the blame, and release a patch 2 weeks later that just happened to fix this issue.

Yeah,Apple screwed up but they are fixing it and the admit it. Integerity can go a long way.

In your world it seems nothing and nobody can every be forgiven for making a mistake. How sad.

Appl ewas very clear about what it does:
The 10.5.0 Application Firewall blocked all but:

                    Processes that are running as UID 0
                    mDNSResponder

The 10.5.1 Application Firewall blocks all but:

                    configd, which implements DHCP and other network configuration services
                    mDNSResponder, which implements Bonjour
                    racoon, which implements IPSec

Re:As usual, other considerations... (2, Funny)

davidsyes (765062) | more than 6 years ago | (#21371799)

"In your world it seems nothing and nobody can [*every*] be forgiven for making a mistake. How sad."

ON MEE-SA-PLANET, WEE-SA CALL A BIG MAC A NABU ROYALE... How's daaad????

Re:As usual, other considerations... (0, Offtopic)

geekoid (135745) | more than 6 years ago | (#21372223)

sweet, a new enemy to trash.
Not that somebody selling crude sketchings of boats is a hard target.

Re:As usual, other considerations... (0, Offtopic)

davidsyes (765062) | more than 6 years ago | (#21372413)

Not sure what you're implying. Yes, the dwgs are crude, but not sketches. No, I'm not trying to be a hard target. Hmmm, do I appear to be a target? If anything, my existence will just make the various governments display themselves to be connected to self-preservation of redundant artillery and other warship pieces.

I haven't totally escaped FROM reality. But there are a LOT of mad people in corporation, government, and military clothing. I'm probably just giving them reasons to seek out more enemas and enemies.

Re:As usual, other considerations... (0, Troll)

Rodyland (947093) | more than 6 years ago | (#21371851)

Yeah,Apple screwed up but they are fixing it and the admit it. Integerity can go a long way.

Like I said, they deserve applause for recognising the issue, admitting the problem, and fixing it. Kudos to them.


In your world it seems nothing and nobody can every be forgiven for making a mistake. How sad.

Wow. Did you read my post?

They should be forgiven for making a mistake. But they deserve a spanking first, otherwise what reason is there for them to get better? You think they'll just learn to be better because some of their customers are annoyed? If so then you are either delusional or a fanboi, because anyone in tune with recent Apple support issues (specifically with regards to problems with the new aluminium iMacs) will know that Apple's shit does, in fact, stink.

Re:As usual, other considerations... (3, Informative)

Rodyland (947093) | more than 6 years ago | (#21371875)

Quick update before I get flamed, I re-read my original post and saw where I said they should not be forgiven. Seems I'm the one who should read their own posts.

I admit in my original post my words were inaccurate.

I meant something more like "forgive, but don't forget". Also more like I said in my reply to your reply.

Again, apologies for inaccurate and/or argumentative tone.

Re:As usual, other considerations... (4, Funny)

geekoid (135745) | more than 6 years ago | (#21372165)

Curse you!

I was about to quote you and make you eat those words. But you had to go read you post and post a nice apology.

How can I insult you now, and retain the high ground?

Jeez, we get anymore people like you on slashdot it might get all 'reasonable' and 'adult' like. ;)

Re:As usual, other considerations... (1)

Rodyland (947093) | more than 6 years ago | (#21372595)

Shhh, keep that under your hat, we don't want it spreading...

Re:As usual, other considerations... (2, Insightful)

dave562 (969951) | more than 6 years ago | (#21371659)

Apple is facing the same problem that Microsoft is facing. Microsoft wanted to make their software appear user friendly and easy to use. They went ahead and created ActiveX and in numerous places like with network shares, setup the default permissions so that everyone could use it. That eventually came back in the end to bite them in the ass. Luckily for Apple, they are able to learn from the collective wisdom of all who have gone before them. But like this instance shows, Apple is not necessarily any better when it comes to making arbitrary decisions about the balance between ease of use and security.

Re:As usual, other considerations... (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21372127)

Microsoft wanted to make their software appear user friendly and easy to use. They went ahead and created ActiveX and in numerous places like with network shares, setup the default permissions so that everyone could use it.

There is a significant difference between Apple's firewall settings and MS's use of DirectX. Apple changed the way the firewall worked to be application level and sandboxed the services that it let by the firewall. Unfortunately they misleadingly labeled that setting. When users tested it, they became upset. Apple needs to keep customers happy in order to make money, so they changed it to conform to what customers wanted. It is good business and the way the market is supposed to work. Apple wants to make money, so acting out of what could be called avarice, they give users what they want.

Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.

On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security. They just aren't motivated.

Re:As usual, other considerations... (3, Insightful)

Anonymous Coward | more than 6 years ago | (#21372485)

Microsoft has monopoly influence in the desktop OS market as well as a few other markets. They included ActiveX partly to motivate sales, but also partly to try to make Web applications tied to their monopoly to lock in customers and help leverage that OS monopoly into a Web monopoly and into the online media and services markets. It makes them a lot of money, even if it brings negative consequences to users. Users don't want to be locked in making migrations and cross-platform tools hard. Users don't gain benefit from MS taking over other markets. Because MS has a monopoly, however, it doesn't matter what users want. Since they don't have to keep users happy, MS has literally no financial motivation to fix the security problems ActiveX creates and they have significant financial motivation to not fix it.
What ??? Do you even read what you type? Since when is making money bad and trying to get maximum market share for your platform/service bad? People weren't forced to **DEVELOP** applications for activeX even if it came installed with the OS. They were certainly not tied in or locked in any way shape or form. Technically competent people were capable of easily disabling it (which is bad for the newbies.. i agree) Other software firms still had the option of creating their own standard. Hello... Java??

On a very basic level, a monopolist will almost always be worse at innovating and giving users what they want than a company competing in a healthy market. The #1 best way I can think of to fix all of Window's security problems is to break up MS. Split the company into two new companies, forbid them from any non-public communication or collusion, and give both the rights to all the code, copyrights, trademarks, and patents in Windows. Users want security and both will start making real improvements since otherwise the other will be getting the money from consumers. It is my firm belief that until MS's monopoly is broken one way or another, MS will never be able to compete with Apple or Linux when it comes to security.

Wow did that just come out of your ass? So the thousands of Windows Server installations are being hacked 24/7? Linux is never hacked? No Vulnerabilities? Get real... Linux or OS X is in *NO* way more secure than windows given a competent sys-admin.

  I've been running windows since Windows 3.1 and have never been infected by a virus, spyware or rootkit and nor has my installation ever been compromised. No matter what horror stories you have about Windows they are almost always the result of somebody's stupidity. If you aren't competent enough to secure your installation, get someone else to do it, stop blaming the OS. No *OS* can ever be 100% secure.

Re:As usual, other considerations... (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21371905)

But... can anyone here honestly say that if you took the entire story about the 'dodgy' firewall and replaced Apple with Microsoft that there wouldn't be people literally screaming themselves blue in the face about how insecure MS is _by_design_?

Umm, people were screaming themselves blue about how Apple's firewall was broken or fundamentally flawed or misleading. There were dozens of articles about it and hundreds of postings in discussion groups.

The difference between Apple and MS (or for that matter Linux developers and MS) is that Apple does not have a monopoly so they actually have to listen to their users and make changes to make them happy. They very quickly made sensible changes to make it clearer how the firewall behaves and addressed pretty much everyone's concerns, even those of people who really didn't know what they were talking about.

But they should not be forgiven for creating the problem in the first place because their hearts were in the right place. That kind of thinking leads to bad places.

Security is a journey not a destination. Security is about trying to allow users to do what they want while stopping things they don't want from happening. There will always be security holes and room for improvement. Concentrating on mistakes made by any vendor is counter productive. So long as the vendor responds and fixes the problem and takes a responsible attitude, they're doing fine by me.

Re:As usual, other considerations... (2, Interesting)

Rodyland (947093) | more than 6 years ago | (#21372037)

I agree wholeheartedly with your post. What I objected to mostly was the way the OP explained away why it was broken like it didn't matter. It does matter when companies put out software that doesn't do what it says it does, moreso when it's security software and what it doesn't do is make things more secure.

Don't explain it away with "the apple experience". Apple stuffed up badly, and now have fixed it. Simple

Re:As usual, other considerations... (1)

nine-times (778537) | more than 6 years ago | (#21372175)

Meh. I think you're kind of right, but the reasons are semi-valid. Every time there's any kind of a problem with Linux or OSX, someone makes a big todo about "If this happened with Windows, you all would be screaming bloody murder!"

But the things that piss people off about Microsoft are usually... well.... worse. No one is accusing Apple of misuse of hidden APIs or anything. It's not like, "You enable the firewall and Firefox stops working, but suspiciously Safari works fine!" It's not as though these holes in the firewall are set to phone home to iTunes. Apple assumed that, even if you told the firewall to block everything, you'd still want your basic networking services to continue to work. In their minds, mDNS is a basic networking service, and though I can definitely see how someone would disagree, it doesn't seem that there's any nefarious intent.

Re:As usual, other considerations... (1)

OldSoldier (168889) | more than 6 years ago | (#21372407)

From a simple-end-user point of view, a firewall isn't an application. If you're trying to design a simple functional "firewall" interface for average non-techie user to use you need to put some of the firewall configuration functionality in the apps requesting the service in the first place.

Imagine, Bonjour (or MSN Messenger) start up and notice that the firewall setting is blocking them, and right there alerts the user to this fact and asks the user if they want to change their firewall setting to allow this communication to take place. That's the sort of thing a non-techie user would understand and expect.

Are there security problems with this approach? Only if the app/os is designed to let 3rd party apps directly change the firewall settings, but that's not what I'm advocating. I'm suggesting the interface be changed so that the app can tell the firewall is blocking it (or can reasonably guess) and the app can at least activate the firewall configuration screen and let the user proceed from there.

JESUS H CHRIST ON A BICYCLE, TOLSTOY. TLNR!!!!! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21371497)

n/t jagoff

Re:As usual, other considerations... (0, Troll)

drewmoney (1133487) | more than 6 years ago | (#21371517)

A little precognitive slashdot response, huh? Must've been burning a hole in your clipboard...

Re:As usual, other considerations... (2, Insightful)

rmerry72 (934528) | more than 6 years ago | (#21371755)

So what Apple does is a little bit of deciding for the user what makes sense.

MS did exactly the same with Windows. All those nice important services that are on and open and insecure just for the user. Comcast do the same for all their users - let you do what makes sense and block everything else. Sony also did what makes sense with their rootkit - after all a CD shouldn't be played i a computer, right, that's what a CD player is for?

And all LIED about it and misled paying customers.

But this is Apple so it's different right? Must be hard to take when you see your God making mistakes and deceiving you. Hypocrite!

The Difference Being... (1)

Jon.Laslow (809215) | more than 6 years ago | (#21371907)

...MS didn't label the firewalls default settings as 'Block all incoming connections', just 'On'. If you turn on 'Block all incomming connections', it does just that and everything from file sharing to basic network functions are crippled, as intended.

Re:The Difference Being... (1)

rmerry72 (934528) | more than 6 years ago | (#21372345)

...MS didn't label the firewalls default settings as 'Block all incoming connections', just 'On'. If you turn on 'Block all incomming connections', it does just that and everything from file sharing to basic network functions are crippled, as intended.

Yup, that's key. That makes Apple worse than MS. Imagine that. Apple's no cleaner or more honest than MS. Or any other organisation with more than a couple of dozen employees. That's hard for fanboys like the GP to accept though. Its like telling Christians the Jesus was a real man - and only a man. Same with all prophets and religious beliefs... Whoops, off topic :-)

Re:The Difference Being... (1)

marcello_dl (667940) | more than 6 years ago | (#21372645)

> Apple's no cleaner or more honest than MS...Its like telling Christians the Jesus was a real man - and only a man.

I totally agree.

Tying the non-divinity of Jesus to apple being the same as MS is going to convert quite a lot of ipod- and mac- dependent infidels. Thank you for your effort.

Nice. (0)

mattgreen (701203) | more than 6 years ago | (#21371763)

You should write for RoughlyDrafted. With that sort of response time (1 minute between the front page and your thesis of a comment), combined with Daniel Eran's fabulous pie charts and hilarious Photoshop montages, you could convert everyone in the world within a few weeks!

I guess it's better to poke fun at Apple for actually fixing security vulnerabilities... :-/
No company deserves to be taken seriously. They exist solely to make money off of you. This nonsense about aligning yourself with a particular brand and defending it to the death is naive, because the products that we consume are not our identities. Nothing personal, but it is pretty hilarious to see someone expound for paragraphs on a slight security change while not on their payroll.

Re:Nice. (1)

peragrin (659227) | more than 6 years ago | (#21372063)

read the first comment under his. he is a subscriber and sees the articles 20 minutes before cheap bums like you and me.

Re:Nice. (2, Insightful)

WinterSolstice (223271) | more than 6 years ago | (#21372235)

As opposed to seeing a whole site where anyone who likes any company but google gets pounded into the dust? Pages and pages of hate, fud, criticism, and conjecture?

I think his comment was reasonable. Not at all lunatic fringe like some Roughly Drafted stuff can be.

Re:As usual, other considerations... (1)

yo_tuco (795102) | more than 6 years ago | (#21372101)

"Based on this, I'd say that several major issues with the Application Firewall have been addressed."

So what do you do when you're at Starbucks with your PowerBook and you want to ensure that *ALL* connections are closed except TCP, ports (80, 443)? Maybe you would like to quickly change your settings to this scenario in a nice GUI without having to writing new ipfw rules you can't remember off the top of your head while sipping your quad latte.

Re:As usual, other considerations... (1)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21372253)

So what do you do when you're at Starbucks with your PowerBook and you want to ensure that *ALL* connections are closed except TCP, ports (80, 443)?

Umm, I don't want to, since it disables some pretty nice services I use, services that are sandboxed for added security anyway. If I did I'd configure the firewall with those settings. Note: ZeroConf (AKA Bonjour) rules at the coffee shop. There is nothing like being able to send an IM to all the mac users on the local LAN and see if anyone has a Firewire cable I can borrow.

Maybe you would like to quickly change your settings to this scenario in a nice GUI without having to writing new ipfw rules you can't remember off the top of your head while sipping your quad latte.

There are several third party, GUIs to configure the firewall for 10.4, including at least one that allows you to save multiple configurations and automatically switch between them based upon location. I don't know if 10.5 allows you to do this without an added GUI, but seeing as it is something rarely desired by average users, I don't see it as a big concern.

Re:As usual, other considerations... (1)

yo_tuco (795102) | more than 6 years ago | (#21372437)

"Umm, I don't want to, since it disables some pretty nice services I use..." The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum. Save the "nice" services for when you are on a trusted network. I don't want 3rd party.

Re:As usual, other considerations... (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21372639)

The scenario has you in a hostile environment. It is untrusted. You shouldn't want to expose anything except the bare minimum.

Funny. Technically, I don't need to use the Web at all in coffee shops, so by your argument I should block all traffic. On the other hand, I prefer my computer to be functional, when that functionality does not pose a significant security risk. Guess what, I also have SSH enabled for access, even though I only need to access it occasionally. The service I originally referred to (Bonjour) is unlikely to pose a security risk, especially since in addition to finding an exploit in it, an attacker would have to find an exploit in the Mandatory Access Control sandbox OS X runs it in by default. I'm a lot more likely to be exploited by an attack on my Mail.app than by an attack on Bonjour. Do you also advocate that I do not check my e-mail while at the coffee shop?

Save the "nice" services for when you are on a trusted network.

Screw that. Half the benefit of Bonjour enabled chatting is that I can easily talk to people I don't have in my "buddy" list while at conferences and coffee shops. Sacrificing function out of unjustified fear is not my cup of tea.

I don't want 3rd party.

Umm, okay, then don't use it. Good luck finding a capable first party GUI firewall configuration tool on a platform that is not riddled with security holes.

Honestly, it sounds to me like you're looking for something to complain about. I really wish people with your sort of an attitude on security would revisit your basic assumptions. Security is about allowing users to do what they want with a system, and prevent things they don't want from happening, especially without their permission. Reducing functionality just means users turn off security features or move to a system where they have more functionality. If I had a dollar for every time I've seen someone at a LAN party shut off their firewall completely because it was restricting something they wanted to do and was too hard to enable just that application/behavior... well, I'd have enough cash to buy a good steak and some scotch anyway.

Fessed up? (0)

necro2607 (771790) | more than 6 years ago | (#21371437)

Hmm... "fessed up"? Funny way of putting it, considering that companies actually taking responsibility seems to be somewhat of a rarity. My first thought was, "hey, that's great, they're acknowledging the problem and will fix it". Compare this to your own likely experiences of finding companies turning the other cheek and ignoring issues. I realize every company does it at one time or another, but I'm glad to see this issue actually being addressed, and not swept under the rug like one might expect.

Did they really say that? (-1, Troll)

geekoid (135745) | more than 6 years ago | (#21371483)

"can block all incoming connections. "

Re:Did they really say that? (0, Offtopic)

geekoid (135745) | more than 6 years ago | (#21372061)

Why is that a Troll? I am generally curious if Apple claimed that their firewall can block all incoming connections. I would think since Ellison's famous comment regarding oracle as bine 'hacker proof' large companies would shy a way from absolutes like that.

Of course, I have read the posts and understand it is a poor description in the gui.

I am still at a loss as to being marked troll. Sometime I may nopt come across the way I intended online, but I can't figure out how that can be interpret as a troll.

Does it move files correctly? (2, Informative)

Hatta (162192) | more than 6 years ago | (#21371519)

My biggest concern about Leopard is the bug which causes it to delete files you're moving if the destination becomes unavailable. They forgot to put in a check to see whether the move completed correctly. So it just deletes them whether it finished or not. Is this behavior fixed with this update?

Re:Does it move files correctly? (2, Informative)

slyn (1111419) | more than 6 years ago | (#21371585)

Yes. [appleinsider.com]

Its listed under system and finder.

Re:Does it move files correctly? (0)

Ford Prefect (8777) | more than 6 years ago | (#21371587)

Is this behavior fixed with this update?

Unless Tiger had that problem, then no - this update is 10.4.11, not the much-awaited 10.5.1, which is apparently in testing...

Re:Does it move files correctly? (0)

Anonymous Coward | more than 6 years ago | (#21371611)

10.5.1 is released.

Re:Does it move files correctly? (1)

Ford Prefect (8777) | more than 6 years ago | (#21371639)

Argh... Is 10.5.1 out? It wasn't when I did my overly optimistic daily manual run of Software Update a few hours ago. I must install! ;-)

Re:Does it move files correctly? (1)

Ford Prefect (8777) | more than 6 years ago | (#21372399)

... And now my iMac is stuck at 'Writing files: 83% complete'.

Oh ... bollocks? I'm not sure if I dare switching it off!

Re:Does it move files correctly? (1)

argent (18001) | more than 6 years ago | (#21371605)

Luckily another design flaw in OS X makes it hard to trigger this bug. Because of the single-button mouse the only way to move files from one volume to another (rather than copying them) requires you to hold down some meta-key while dragging. If you just drag the files you get a copy.

Re:Does it move files correctly? (3, Insightful)

arlanTLDR (1120447) | more than 6 years ago | (#21371673)

All apple computers now ship with two button mice, and have for a while. Just because it looks like it has only one button, doesn't mean it lacks two button functionally. Also, I cant see why it would be a flaw to have the default action of a drag and drop be a copy instead of a move. I understand that it's a flaw to delete the moved files without checking to see if the move was successful, but really you should be just copying and then manually deleting after confirming that your files moved properly.

Re:Does it move files correctly? (1)

argent (18001) | more than 6 years ago | (#21371729)

All apple computers now ship with two button mice, and have for a while.

But the user interface is defined in terms of a single button mouse.

I cant see why it would be a flaw to have the default action of a drag and drop be a copy instead of a move.

The default action of a drag and drop in the situation where this flaw can occur *IS* a copy instead of a move. The only way to trigger the flaw is to hold down a meta-key while dragging.

It's only a move when it's on the same disk, and so the underlying operation really IS a move and not a copy-and-delete, and the problem doesn't show up.

Re:Does it move files correctly? (1)

that this is not und (1026860) | more than 6 years ago | (#21371965)

But the user interface is defined in terms of a single button mouse.


Now you're making it sound like MacOS is copying Windows 3.1.

Re:Does it move files correctly? (2, Informative)

argent (18001) | more than 6 years ago | (#21372021)

Now you're making it sound like MacOS is copying Windows 3.1.

The multi-button mouse comes from Xerox: Smalltalk, Interlisp-D, and the Xerox Star office system.

Re:Does it move files correctly? (1)

chartreuse (16508) | more than 6 years ago | (#21372431)

All apple computers now ship with two button mice, and have for a while.

But the user interface is defined in terms of a single button mouse.
That's completely untrue. Right-click menus are ubiquitous throughout the OS and nearly all apps, in fact programs like InDesign are difficult to use without a second mouse button. And Control-click menus were around back in OS 9, if not 8.

Re:Does it move files correctly? (4, Funny)

Stamen (745223) | more than 6 years ago | (#21371785)

Stop bringing facts into Myth propagation. Without the ability to propagate myths, what would many /. users do? You insensitive clod.

Macs have one mouse button. Java is slow. You can't run Office on a Mac, so it's useless. Windows machines lock up every 14.5 minutes. Microsoft innovates (tm). An iPod can't play mp3s.

/ Myths are cool
// So are slashies
// Oh, sorry, this isn't Fark

Re:Does it move files correctly? (1)

geekoid (135745) | more than 6 years ago | (#21372121)

Java IS slow. Ask anyu JAve programmers with experience in other languages. Of course that doesn't mean it's worth less or that it shouldn't be used.

Java is like VB without the stigma.
Yes, you can use that, but credit me.

Re:Does it move files correctly? (1)

stewbacca (1033764) | more than 6 years ago | (#21372333)

All myths, indeed. Well, except that Windows machines lock up every 4.5 minutes, not 14.5.

Re:Does it move files correctly? (1)

EvanED (569694) | more than 6 years ago | (#21372591)

Yeah, because after all, the XP box I'm on hasn't been up since 10/24/2007 2:02 AM, when it was automatically rebooted for updates.

In fact, I would be hard-pressed to think of a time when this computer has ever frozen in the last 14 months, when I first used it.

Re:Does it move files correctly? (1)

Ash Vince (602485) | more than 6 years ago | (#21372005)

. I understand that it's a flaw to delete the moved files without checking to see if the move was successful, but really you should be just copying and then manually deleting after confirming that your files moved properly.
Are you serious?

Moving a file is fairly basic functionality that has been in windows since the last versions of MS-DOS. It has been in unix since long before I have been using it.

The process you describe for moving a file in your post is so basic that it should be child's play to automate and combine it into a single function.

Re:Does it move files correctly? (1)

argent (18001) | more than 6 years ago | (#21372055)

The process you describe for moving a file in your post is so basic that it should be child's play to automate and combine it into a single function.

And yet the default behavior in Windows is the same as on the Mac. Funny thing, that.

The only difference is that on Windows you can drag with a different button to change the behavior, where on the Mac you have to hold down a meta-key (which also works on Windows, by the way). This is where Apple lucked out: it's harder to accidentally trigger the bad behavior than it would be if they'd adopted multi-button mice earlier.

Re:Does it move files correctly? (1)

stewbacca (1033764) | more than 6 years ago | (#21372313)

You can map your right mouse button on a Mac to be the same meta-key that would MOVE instead of COPY. But then again, why would you want to make a Mac more like a PC? For that torture, I'll just boot up in PC mode.

Re:Does it move files correctly? (1)

stewbacca (1033764) | more than 6 years ago | (#21372299)

If it is so wrong to default to COPY when moving files, then why does every version of Windows do it across a network? You can't stick this one solely on Mac. Hell, even if you don't like it, you can't say it isn't a well thought-out design element on Apple's behalf (and probably copied by Windows a few years back).

Re:Does it move files correctly? (1)

EvanED (569694) | more than 6 years ago | (#21372501)

All apple computers now ship with two button mice, and have for a while.
This doesn't apply to their laptops, does it?

but really you should be just copying and then manually deleting after confirming that your files moved properly.
What? I think this is a dumb statement. Why should I check? The system can check a lot easier than I can, it should be it's job.

Re:Does it move files correctly? (1)

arlanTLDR (1120447) | more than 6 years ago | (#21372627)

Well, actually there is a setting in the pref pane so that if you have two fingers on the trackpad, it will right click. I find it easier to use than physically having two buttons.

Re:Does it move files correctly? (1)

djh101010 (656795) | more than 6 years ago | (#21371709)

Luckily another design flaw in OS X makes it hard to trigger this bug. Because of the single-button mouse the only way to move files from one volume to another (rather than copying them) requires you to hold down some meta-key while dragging. If you just drag the files you get a copy.
1998 called, it wants its FUD back.

Re:Does it move files correctly? (1)

argent (18001) | more than 6 years ago | (#21371859)

OK, how do you drag files from one volume to another, triggering this bug, without holding down a meta-key?

(and how is pointing out that it's a minor problem FUD?)

Re:Does it move files correctly? (1)

djh101010 (656795) | more than 6 years ago | (#21371909)

OK, how do you drag files from one volume to another, triggering this bug, without holding down a meta-key?

(and how is pointing out that it's a minor problem FUD?)
Apparently, you're actually ignorant rather than lying. First for everything I guess. News to you apparently but, plug in an n-button USB mouse and for the last decade or so, It Just Works.

Re:Does it move files correctly? (1)

argent (18001) | more than 6 years ago | (#21371971)

News to you apparently but, plug in an n-button USB mouse and for the last decade or so, It Just Works.

Yes, I know, I use a Microsoft optical mouse on my Mac.

Now, plug in a 47 button USB mouse on your Mac. Having done that tell me how you drag files from one volume to another and thus trigger this bug using only the mouse? You can't do it. You have to deliberately hold down a meta-key on the keyboard while dragging to force OS X to MOVE rather then (as it does by default) COPY the files.

The Apple iMac mouse has four buttons. (0)

Anonymous Coward | more than 6 years ago | (#21371855)

This One button issue just seems to keep popping up and will not go away. The mouse that comes with an iMac actually has four buttons. One is the the scroll ball, another is the combination of the two buttons on the sides (you squeeze the mouse). The two main buttons are on top, on either side of the scroll ball. It looks like one button, but both the left and right sides click independently. I think the perception that is only has one button not only comes from the appearance, but also the fact that the factory default setting has the right button set to function the same as the left button. You have to enable "right click" in General Preferences/Mouse. This is probably just Apple trying to make the mouse less confusing for novice users. So if you have only demo'd the mouse in a store, it was probably set to the default settings. Assignments for all the buttons can be changed.

Re:The Apple iMac mouse has four buttons. (1)

argent (18001) | more than 6 years ago | (#21371921)

The mouse that comes with an iMac actually has four buttons.

No, it's got 7. The mouse button, the scroll ball, the squeeze button, and the shift, control, command, option chords.

That's beside the point, in any case. The issue is not whether Apple currently ships with a 1, 2, 4, or 8 button mouse, but that the user interface is designed for a single button mouse, which (in this case) is actually helpful because it avoids the possibility of a normal drag operation triggering this bug.

It looks like one button, but both the left and right sides click independently.

No they don't. You can't click both at the same time (chording), and if you click on the right side without making sure that no part of your hand is touching the left side near the front it registers as a left-click.

Re:The Apple iMac mouse has four buttons. (0)

Anonymous Coward | more than 6 years ago | (#21372141)

"No, it's got 7. The mouse button, the scroll ball, the squeeze button, and the shift, control, command, option chords"

The mouse buttons is two buttons, not one. Shift, control, command, and option are on the keyboard, not the mouse. They can work in cinjuncrtion with the mouse, but they are not on the mouse. In the General Preferences settings for the mouse, there are four buttons that can be assigned. Left, Right, scroll, and squeeze.

  "It looks like one button, but both the left and right sides click independently."

  "No they don't. You can't click both at the same time (chording), and if you click on the right side without making sure that no part of your hand is touching the left side near the front it registers as a left-click."

Working at the same time (chording) is not working independently, that is working in unison. If the are assigned to do so, they can perform two separate functions.

Re:Does it move files correctly? (0)

Anonymous Coward | more than 6 years ago | (#21372371)

"Because of the single-button mouse..."

The Apple Migthy Mouse has 4 buttons. You get a pop-up menu when you "right-click" too. Yawn.

NIGGERSAURUS FINNALY DISCOVERED!! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21371539)

Dinosaur found with vacuum-cleaner mouth
110 million-year-old plant eater discovered in Sahara Desert



WASHINGTON - Perhaps it was one of those eureka moments, when the scientists realized they had discovered a new dinosaur with mouth parts designed to vacuum up food.

The 110 million-year-old plant eater, discovered in the Sahara Desert, was to be unveiled Thursday by the National Geographic Society.

Discoverer Paul Sereno named the elephant-sized animal Niggersaurus taqueti, an acknowledgment of the African country Nigger and a French paleontologist, Philippe Taquet.

Sereno, a National Geographic explorer-in-residence and paleontologist at the University of Chicago, said the first evidence of Niggersaurus was found in the 1990s and now researchers have been able to reconstruct its skull and skeleton.

While Niggersaurus' mouth is shaped like the wide intake slot of a vacuum, it has something lacking in most cleaners -- hundreds of tiny, sharp teeth to grind up its food.

The 30-foot-long Niggersaurus had a feather-light skull held close to the ground to graze like an ancient cow. Sereno described it as a younger cousin of the North American dinosaur Diplodicus.

Its broad muzzle contained more than 50 columns of teeth lined up tightly along the front edge of its jaw. Behind each tooth more were lined up as replacements when one broke off.

Using CT scans the researchers were able study the inside of the animal's skull where the orientation of canals in the organ that helps keep balance disclosed the habitual low pose of the head, they reported.

Niggersaurus also had a backbone consisting of more air than bone.

"The vertebrae are so paper-thin that it is difficult to imagine them coping with the stresses of everyday use -- but we know they did it, and they did it well," Jeffrey Wilson, assistant professor at the University of Michigan and an expedition team member, said in a statement.

The dinosaur's anatomy and lifestyle were to be detailed in the Nov. 21 issue of journal PLoS ONE, the online journal from the Public Library of Science, and in the December of National Geographic magazine.

The first bones of Niggersaurus were picked up in the 1950s by French paleontologists, but the species was not named at that time. Sereno and his team honored this early work by naming the species after Taquet.

The research was partly funded by National Geographic.

http://www.msnbc.msn.com/id/21818194/wid/18298287/?GT1=10628 [msn.com]

LOL (0)

Anonymous Coward | more than 6 years ago | (#21372355)

At first I thought it was a troll, but it really is named Niggersaurus (or at least close enough). Well done, sir.

Skype vs. the Leopard firewall! (2, Informative)

Ford Prefect (8777) | more than 6 years ago | (#21371551)

A rather entertaining issue - if you have the firewall enabled and run Skype then quit it, then Skype gets horribly broken [itwire.com] , and doesn't start again. Nobody can decide if it's Leopard cryptographically signing (and modifying) the Skype executable and tripping up Skype's own excessive intrusion detection, or Skype modifying its own executable and tripping up Leopard's checks that it's the same application being allowed access to the interweb. I suspect it's the former - as older installations of Skype got killed on my two recently upgraded machines in that way.

I had to re-download and install Skype, and now I have to run it with the firewall switched off. Pending a fixed Skype in 'a few weeks' [skype.com] . Aaaargh...

Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...), the Leopard installer initially wouldn't detect my MacBook Pro's own hard disk, and my iMac got nearly deaded [apple.com] by the upgrade (fortunately I had SSH enabled, and was able to get in and run Software Update from the command line, and thus could install the important iMac updates). Oh, and it's all a little bit crashy. It's nearly fantastic - apart from those issues... ;-)

So don't use the firewall. (1)

argent (18001) | more than 6 years ago | (#21371685)

I had to re-download and install Skype, and now I have to run it with the firewall switched off.

The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

A computer system with no open ports is just as secure whether it's firewalled or not.

Re:So don't use the firewall. (1)

FranTaylor (164577) | more than 6 years ago | (#21371721)

Not every program has the option to only listen on specific interfaces; it has to be coded into the program. You need a firewall if you want to run one of these programs without exposing it.

Re:So don't use the firewall. (0)

Anonymous Coward | more than 6 years ago | (#21371997)

Give an example of a _Unix_ program that listens on an external interface, with no option to listen only on an internal interface, and is still useful with it's external address forcibly blocked.

Thanks.

Is it safe? (0)

Anonymous Coward | more than 6 years ago | (#21371977)

I'm posting anonymously, because I feel a little stupid. I thought I understood networking, but am doubting myself in the face of all the "not safe without a firewall" posts. I have an iMac running 10.4.11. The OS X firewall is off. My Mac is wired to an ADSL router. It is the only device on the network. I haven't set up any port forwarding on the router. I haven't enabled any services on the sharing tab. I'm safe, right?

Re:So don't use the firewall. (2, Informative)

sqlrob (173498) | more than 6 years ago | (#21372117)

The firewall is not an essential component on a UNIX system the way it is on Windows, because you can actually turn off all listening ports and go "dead" without having to firewall off internal services that can't run without a TCP port open.

Not all Unix systems. cf. OS X 10.5, which is a certified Unix.

A computer system with no open ports is just as secure whether it's firewalled or not.
Probably true on a modern system, but not a completely accurate statement. If there's flaws in the TCP stack, it doesn't matter if something's listening or not whena maliciously constructed packet blows things up before the "is something listening here" logic is hit.

Re:Skype vs. the Leopard firewall! (1)

dave562 (969951) | more than 6 years ago | (#21371693)

You must have been modded redundent for posting about this in another thread. As far as I can tell, you're right target with this one. Skype doesn't work with the new firewall.

Re:Skype vs. the Leopard firewall! (1)

ToasterMonkey (467067) | more than 6 years ago | (#21372161)

Time Machine doesn't work on my old-fashioned partitioned external hard disk (half is an NTFS partition for Windows backups...)
I'm curious what the OTHER half is. I had a hell of a time getting a drive partitioned so that Windows could see its part. Does Time Machine require a GUID format disk?

"macosux" ... ? (4, Funny)

dal20402 (895630) | more than 6 years ago | (#21371747)

Wow. Our lovely tag trolls have been forced to go all the way back to 1986.

I remember the endless "macs sux" ... "dos sux" ... repeat ad nauseam flamefests on BBSes. Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.

Seriously, people, if you don't want to hear about Mac OS X, is it really that hard to turn off the Apple stories in your /. preferences?

Re:"macosux" ... ? (1, Funny)

Anonymous Coward | more than 6 years ago | (#21371825)

What fucking slashdot preferences, you insensitive clod!

Also, Apple products suck.

Re:"macosux" ... ? (0, Troll)

that this is not und (1026860) | more than 6 years ago | (#21372025)

This one is on it.slashdot.org. Shouldn't you Apple shills be hanging out on apple.slashdot.org??

Re:"macosux" ... ? (1)

stewbacca (1033764) | more than 6 years ago | (#21372257)

Evidently nothing has changed since we were all 8 and had nothing better to do than keep our parents from using the phone.
Well nothing has changed other than Macs no longer suck.

modes (3, Interesting)

Anonymous Coward | more than 6 years ago | (#21371837)

In all honesty, why don't integrated firewalls have a basic/advanced settings mode?
Basic is ideal for most folks, but if you're so inclined just click on the advanced tab and not only have more configuration options but also a through, detailed explanation oh what the firewall is actually doing.

That'd be a great feature.

Slightly Disingenuous Summary (5, Informative)

ickoonite (639305) | more than 6 years ago | (#21371915)

The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities.

Yes, that was an update for Mac OS X 10.4. This patch is for Mac OS X 10.5. The two are essentially unrelated, so trying to imply that this represents some kind of patch frenzy is at least a little disingenuous.

:|

Re:Slightly Disingenuous Summary (1)

G-News.ch (793321) | more than 6 years ago | (#21372357)

It's just another Linux freak gloating at Apple patching their products in large waves. Unlike Linux security holes, which are just a numerous, but get patched continuously all the time, making for considerably less interesting headlines. You could fill slashdot with Linux related security updates every day, but that just isn't interesting enough. When Windows or OS X are patched for several bugs at once, that sounds THAT much more insecure and thus is newsworthy.

a-hole year left in the whoreabull bushwhacking? (0)

Anonymous Coward | more than 6 years ago | (#21371919)

it doesn't seem as though we should have to put up with any more of that, let alone a-hole year? maybe that, & the phoney 'weather' will be addressed in the upcoming 'lonesome al gore' answers yOUR questions interview here on /.? robbIE? you with us on that?

Misleading! (3, Informative)

ducasi (106725) | more than 6 years ago | (#21371933)

The article blurb is misleading - the "41 security fixes" released in the Mac OS X update was part of 10.4.11.

The three issues in the 10.5 firewall were the only security fixes for 10.5.

maybe not (1)

pbjones (315127) | more than 6 years ago | (#21372011)

the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.

Re:maybe not (2, Insightful)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21372397)

the flawed firewall application is just a GUI app for a standard UN*X firewall, so the firewall wasn't flawed, just the settings and GUI for the settings.

I'd argue that the GUI an CLI are both standard interfaces to the firewall. A flaw where either of them incorrectly informs the user about the settings is a flaw in the firewall. I'd further argue that since the GUI is the more used interface, the flaw reflected there is more serious than a flaw in the CLI.

Oxymoron (2, Insightful)

osu-neko (2604) | more than 6 years ago | (#21372245)

Hopefully you can just turn the bloody thing off.

"Software firewall" is an oxymoron. A firewall is a physical box that sits between two networks, filtering the exchange of information between them.

For those of us who actually have firewalls, having the operating system muck things up with a "software firewall" is just a nuisance. For those who don't, it's a false and dangerous sense of security.

Re:Oxymoron (2, Insightful)

Ant P. (974313) | more than 6 years ago | (#21372425)

And how do you think that physical box works? Hard-wired transistors between the ethernet ports?

And yet, no problems? (1)

gsfprez (27403) | more than 6 years ago | (#21372419)

first of all - i do not subscribe to the concept that the only secure computer is the one that's turned off, unplugged, and not getting data. That's retarded. A box firewalled to the point where nothing can come in our out might as well not be plugged in.

now - i 100% agree that if it says "everything closed" it damn well better be.

But its still comforting to know that despite the legitimate problem - there was not galaxy-wide pandemonium as all the Macs running 10.5 cried out in terror. In fact, there were no problems at all.

In other words - just business as usual on the Mac front.

Now they need to fix the Printing options (2, Interesting)

Paul Pierce (739303) | more than 6 years ago | (#21372539)

In Tiger I had a bunch of drop-down options, like, say, hmmm, 'selection only' or say, duplex. This is entirely gone in Leopard for the printers that I have tried (i.e. HP 4050).

There is an app online that can do this for you, but it seems to only be for native programs (Safari, mail, etc...). Is it just me or should those options be built into the OS.

Everything else on Leopard has been very impressive, most of all it sped my computer up. Everything is faster, which I find very impressive for a new OS (ahem, buy-a-new-computer-4-me Vista).
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?