Monday, November 19, 2007

R.I.P. EarthLink WebLife

This just in my inbox:


Dear WebLife Subscriber,

We're writing to let you know that due to market trends, we
will be discontinuing EarthLink WebLife on January 7, 2008
at 12:00 a.m. Eastern.

We apologize for this inconvenience and thank you for your
subscription to WebLife. We hope this email will help explain
what to expect.

************************************
SCHEDULE OF WEBLIFE DISCONTINUATION:
************************************
* Today through December 7th -- Normal Access. No changes.

* December 7th through January 7th at 12:00 a.m. Eastern --
Limited Access. You will be able to download files, but not
upload or share them.

* After January 7th -- No Access. WebLife will be discontinued
and all remaining files deleted.

IMPORTANT: Please save all your WebLife files (including photos
and other files) to your computer's hard disk or to another back-
up option. After January 7, 2008 at 12:00 a.m. Eastern, those
files will be deleted and can not be recovered by you or
EarthLink.

After saving your WebLife files elsewhere, you can remove
WebLife from your computer by clicking the link below and
following the prompts. Your computer may restart once WebLife
has been removed. Please be sure to save any files that you are
working on or have open before clicking the link:
http://csupdate.earthlink.net/win/weblife/WebLifeUninstall.exe

If you have questions about removing WebLife, please call
Technical Support at 888-EarthLink (888-327-8454).

Please note: Any prepaid balance will be credited to your
account, which will appear on your next EarthLink invoice.

If you need assistance, you can trade real-time
messages with a friendly Live Chat representative:
http://support.earthlink.net/chat

Once again, we apologize for the inconvenience and thank you
for your subscription.

Sincerely,

EarthLink Customer Support

Wednesday, November 07, 2007

MacOS 10.5 Leopard Phones Home, Reveals Little Snitch 2

Apple's Mac OS 10.5 Leopard 'loginwindow' process phones home to lcs.mac.com on port 443 which is only revealed by running the new Little Snitch 2 security monitoring tool.


I find Alex's story a bit prematurely accusatory toward Apple, though he did seize a worthwhile opportunity for some healthy advocacy of Little Snitch. I just upgraded my license to 2.0, and it's well worth the $13 :).

It's good to track these types of issues, but there are a lot of processes on OS X that'll communicate with other servers, even over SSL, including the WebDAV client for iDisk and Mail.app for .Mac Mail over IMAP. It's just that loginwindow isn't a process you'd typically expect to connect to some mac.com host, which happens to be lcs.mac.com, so it's definitely worth raising an eyebrow.

Engadget mentions some "secure magic" of the "Back to My Mac" feature, allowing a Mac linked to a .Mac account to control another Mac linked to the same .Mac account:
[...] On the back end of things, Leopard includes "Back to my Mac," which keeps track of your home Mac's IP address through various (and secure!) magicks [... Read More ]
Apple has a page dedicated to the Back to My Mac feature. The requirements section is particularly interesting:
    Requirements to use Back to My Mac
  • A .Mac membership.
  • Two or more Mac OS X 10.5 Leopard-based Macs that are configured for use with the same .Mac account.
  • For screen sharing, a 128Kbps or faster bi-directional network connection between the computers (file sharing may be usable with slower connections).
  • An AirPort base station, or third-party Internet router which supports UPnP or NAT-PMP.
NAT-PMP? Interesting. Wikipedia gives us some interesting information about NAT-PMP, a protocol introduced by Apple in June 2005:
It essentially automates the process of port forwarding.
Included in the protocol is a method for retrieving the public IP address of a NAT gateway, thus allowing a client to make this public IP address and port number known to peers that may wish to communicate with it.
This may be wild speculation, but could it be possible that loginwindow is sending public IP and port information to .Mac, to enable other Macs linked to the same .Mac account to connect?
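
The message layout behind the Wikipedia summary quoted above, as an added example (not code from the original post or from Apple): the field layout follows the NAT-PMP specification (RFC 6886), and the addresses, ports and capture entries are constructed. It decodes the gateway's public-address reply and lists which inbound port mappings a LAN host asked for, which is what you would want to see when auditing traffic to the gateway.

```python
import ipaddress
import struct

NATPMP_PORT = 5351  # UDP port the gateway listens on
OPS = {0: "external-address", 1: "map-udp", 2: "map-tcp"}

def build_address_request() -> bytes:
    # version 0, opcode 0: "what is your public IPv4 address?"
    return struct.pack("!BB", 0, 0)

def build_map_request(tcp: bool, internal_port: int, external_port: int, lifetime: int) -> bytes:
    # version, opcode, reserved, internal port, suggested external port, lifetime (s)
    return struct.pack("!BBHHHI", 0, 2 if tcp else 1, 0, internal_port, external_port, lifetime)

def parse(msg: bytes) -> dict:
    if len(msg) < 2 or msg[0] != 0:
        raise ValueError("not a NAT-PMP version 0 message")
    op, response = msg[1] & 0x7F, bool(msg[1] & 0x80)  # responses set the high bit
    if op not in OPS:
        raise ValueError(f"unknown opcode {msg[1]}")
    want = {(0, False): 2, (0, True): 12}.get((op, response), 16 if response else 12)
    if len(msg) != want:
        raise ValueError(f"expected {want} bytes, got {len(msg)}")
    out = {"kind": OPS[op], "response": response}
    if response:
        out["result"], out["epoch"] = struct.unpack("!HI", msg[2:8])
    body = msg[8:] if response else msg[4:]
    if op == 0 and response:
        out["external_ip"] = str(ipaddress.IPv4Address(body))
    elif op != 0:
        out["internal_port"], out["external_port"], out["lifetime"] = struct.unpack("!HHI", body)
    return out

def requested_mappings(capture):
    """List (source, protocol, internal port, lifetime) for every mapping request."""
    found = []
    for source, payload in capture:
        m = parse(payload)
        if not m["response"] and m["kind"] != "external-address":
            found.append((source, m["kind"][4:], m["internal_port"], m["lifetime"]))
    return found

# Constructed sample: (source address, UDP payload seen on port 5351).
CAPTURE = [
    ("192.168.1.20", build_address_request()),
    ("192.168.1.20", build_map_request(True, 51000, 51000, 3600)),
    ("192.168.1.1", struct.pack("!BBHI4s", 0, 128, 0, 1000, bytes([203, 0, 113, 7]))),
]

if __name__ == "__main__":
    for source, payload in CAPTURE:
        print(source, parse(payload))
    print(requested_mappings(CAPTURE))
```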

I don't find the mere fact that Leopard is sending data over an encrypted connection to lcs.mac.com a security concern in and of itself. And until a crafty developer manages to extract information out of the perpetrating process before it sends its data over the encrypted connection, I won't just assume this is a privacy concern.

On the other hand, reading more about this "Back to My Mac" feature makes me nervous. A long time ago, I wrote a rant about Layers of Operating System Security, touting the fact that OS X had virtually no open ports on a default installation, dramatically reducing vectors of attack. Making this "Back to My Mac" feature available on default Leopard installations could, possibly, one day, present a vector of attack.

Let's hope Apple's got their proverbial sh*t together, and if not, let's hope some crafty ethical hackers manage to find holes and get Apple to plug them, before some zero-day exploit gets in the wild.