MacDailyNews - Where Mac news comes first

Heise Security: Apple’s Mac OS X Leopard firewall fails every test
Tuesday, October 30, 2007 - 06:02 PM EDT

"The Mac OS X Leopard firewall failed every test. It is not activated by default and, even when activated, it does not behave as expected. Network connections to non-authorised services can still be established and even under the most restrictive setting, "Block all incoming connections," it allows access to system services from the internet. Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac, Apple would be well advised to sort them out pronto," Jürgen Schmidt reports for Heise Security.

"Apple is showing here a casual attitude with regard to security questions which strongly recalls that of Microsoft four years ago. Back then Microsoft was supplying Windows XP with a firewall, which was, however, deactivated by default and was sometimes again deactivated when updates were installed. It was also the case that system services representing potential access points for malware were accessible via the internet interface by default. Despite years of warnings from security experts, the predominant attitude was that security must not get in the way of the great new networking functions," Schmidt reports.

"Then along came worms such as Lovsan/Blaster and Sasser, which rapidly infected millions of Windows computers via security vulnerabilities in system services, causing millions worth of damage. Even today, an unpatched Windows system with no active firewall will be infected within a matter of minutes. However, Microsoft has since learnt its lesson -- a serviceable firewall, activated by default, has been included since Service Pack 2. With the standard configuration, no services are accessible from the internet on a Windows system," Schmidt reports.

Full article here.

Lisa Vaas reports for eWeek, "Instead of addressing perceived flaws in the firewall, an Apple spokesman told eWEEK only that the company 'takes security very seriously,' that it has 'a great track record of addressing potential vulnerabilities before they can affect users,' and that it always welcomes feedback on how it can make security better on the Mac."

Full article here.

Reader Feedback:

Oct 30, 07 - 06:04 pm Comment from: Developer

Bullshit FUD.

Oct 30, 07 - 06:05 pm Comment from: nah

DON'T panic, just use ipfw:

1. If you have OS X Tiger, turn on the firewall in System Preferences
2. Open Terminal in your admin account and type at the prompt: sudo ipfw list
3. Apply these rules to Leopard
4. For more info, type: man ipfw

P.S. Imagine Apple is trying to help you learn something.

Oct 30, 07 - 06:07 pm Comment from: Crabapple

Wot! No comment MDN?

Oct 30, 07 - 06:07 pm Comment from: Developer

..."failed every test" because it was TURNED OFF!!! Wankers.

Oct 30, 07 - 06:07 pm Comment from: Brad Kelley

Windows XP's firewall may be on by default with SP2, but it has to be disabled to get anything done. Not very helpful.

Oct 30, 07 - 06:08 pm Comment from: UltraVisitor

I'll start worrying about this as soon as security threats to OS X pass the theoretical stage.

Oct 30, 07 - 06:10 pm Comment from: Mark

Apple needs to get this fixed asap.

Oct 30, 07 - 06:11 pm Comment from: Developer

I've maintained several Mac computers and servers running every Mac OS X version since 10.0 DP4, and every one of them remained online with a public static IP address on the internet, with no firewall enabled, and I use ARD, AFS, POP/SMTP, etc. No intrusions, no malware. Thwarted bot attempts in the logs, but no successful breaches.

MDN word: deal

Oct 30, 07 - 06:12 pm Comment from: Crabapple

This will teach those hacking bastards to allow Leopard to be installed on pc's!!!!

Those pc's will be mauled by Win's viruses, worms, trojans & combo's of vwt's to the point where any person having done the deed will be needing to replace their computers rather than disinfecting them.

Mac's of course will ("Although the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac",) always run & run & run & run & run...............

Oct 30, 07 - 06:13 pm Comment from: lbuschjr

That's pretty serious if it's true. Apple can't fall down on the job with security – it MUST keep OS X free from viruses, worms, spyware, etc. or Mac users could face the same sort of future as Windows users.

The last thing Apple needs is a major PR issue over security when no viruses, better security is a big driving point for switchers.

Oct 30, 07 - 06:14 pm Comment from: Reality Check

@Developer: RTF article. Even when enabled, the Leopard firewall didn't work correctly. Shame on Apple.

Oct 30, 07 - 06:14 pm Comment from: NewsReader

Leopard firewall is turned off by default? Is this really true?

Oct 30, 07 - 06:14 pm Comment from: jones

It's likely that the firewall is off because the Mac is set up to receive connections from the internet, but that those connections only expose very specific items and are blocked from going anywhere else. Heise simply says, "the problems and peculiarities described here are not security vulnerabilities in the sense that they can be exploited to break into a Mac."

That said, Apple should comment on this.

Oct 30, 07 - 06:15 pm Comment from: TowerTone

OK, I finally got it, and I am loading it now. Been waiting a long, long time for this. I was surprised that there wasn't much of a line to buy it. Wow, two disc......I didn't know the Eagles had that much left in them....(I hope it is better than Joni's "I Hate America" CD I bought last month)


Oh, and death to Jerken Schitt.

Oct 30, 07 - 06:15 pm Comment from: mtngoatjoe

I'm not sure how much credibility this author has. He spelled "learned" wrong!

Oct 30, 07 - 06:16 pm Comment from: Macboy2010

IT master says
this no true

F you windoze suck ass

Oct 30, 07 - 06:17 pm Comment from: Developer

@ Reality check: every version of Mac OS X has shipped with its firewall disabled. Leopard is no different. It's just FUD.

Oct 30, 07 - 06:20 pm Comment from: Tommy Boy

Yeah, I thought it was weird that I had to know enough to go into System Prefs to turn on and configure the Firewall.

Even more surprising given that so much Little Snitch functionality has been co-opted into Leopard.

Oct 30, 07 - 06:24 pm Comment from: Developer

The only open port on a vanilla Leopard installation is UDP port 88, which is used for Kerberos, a secure authentication protocol developed by MIT.

http://en.wikipedia.org/wiki/Kerberos_protocol

Oct 30, 07 - 06:25 pm Comment from: Whatever

Just get a damn router

Oct 30, 07 - 06:30 pm Comment from: effwerd

I was surprised when I saw that the firewall wasn't turned on by default as well. Bad Apple.

Oct 30, 07 - 06:30 pm Comment from: nah

@Reality Check: you need to RTFA buddy, and stop spreading your FUD around, because it stinks. Report back with the line just before: "The Verdict" - that's the one in big fat letters at the end of TFA. Ok?

Oct 30, 07 - 06:35 pm Comment from: Steve Ballmer

Gotcha!!!

Oct 30, 07 - 06:37 pm Comment from: Ralph M

I am with UltraVisitor on this one: This is just so much FUD until there is a successful exploit of Leopard in the wild. I rate the chances of that happening any time soon as pretty remote. In the meantime, some people will say things like "this sounds serious" while those of us who actually have to deal with network security issues are yawning. The vast, vast majority of personal computers sit behind firewalls in routers and other network devices. You have to get through one of them to get to your PC or Mac. And even if a hacker gets that far, the likelihood of anybody getting into your Mac and doing something harmful is incredibly small. Honestly folks, nothing to see here... move along.

Oct 30, 07 - 06:37 pm Comment from: tt

I heard Vista was fast!

Oct 30, 07 - 06:37 pm Comment from: DMania

Come on MDN... Where's the biting commentary about what a fool Heise is; about how they totally missed the point; how they just don't get it.

Surprised this was even published here.

Well?

Oct 30, 07 - 06:38 pm Comment from: Security Man

There are free websites that will attempt to penetrate your Mac for you to test its security.

I must admit since the last few 10.4 updates and when the Intel Macs appeared, that Macs have been "visible" on the internet, which is the first step in locating a Mac to penetrate.

Before the Intel Macs arrived Mac OS X was invisible online. No response, not even a ping response.

Something has changed obviously, which is very bad.

Then of course just look at EFI. A powerful OS-like firmware level with its own partition on the hard drive that can contact the internet and do whatever it pleases without the OS or you even knowing about it. TPM module installed or not.

I say Apple has adopted the Trusted Computing Group mentality.

Your computer is not your own, you may buy it, but they control it.

Oct 30, 07 - 06:39 pm Comment from: Think

@ effwerd and others.

OS X firewall is always turned off by default.
Why?
Because all other services are turned off by default.

You can't hack something you can't see.

I have had 3 OS X and OS 9 computers on my home Broadband network with no firewall on and no virus software for 8 years. Never a problem.

This isn't rocket science, these are Macs, not PCs with Windows, the swiss cheese of the universe.

Oct 30, 07 - 06:44 pm Comment from: Developer

Basically these Heise douchebags are trolling for hits. Saying the firewall "doesn't work as expected" is the same as saying "we [are clueless about Macs and therefore] expect the Mac to be vulnerable and behave like a Windows PC..."

Reality: nearly 99% of Mac OS X users don't have ANY substantial reason to enable the firewall, whatsoever. The remaining 1% may have a need to block certain services to enforce their own security and/or restricted usage policies, i.e. K-12 labs, public kiosks, government, etc.

Oct 30, 07 - 06:52 pm Comment from: The Real Reality Check

Quoted for truth....

OS X firewall is always turned off by default.
Why?
Because all other services are turned off by default.

In other words, unless you go turning on services, you don't need the firewall in the first place!!!

Oct 30, 07 - 07:00 pm Comment from: Michael

LOL! honestly. MDN didn't need to comment on this one. Actually if I was them I'd just publish the summary shaking my head. Anyone who has any idea at all knows it's just FUD.

Oct 30, 07 - 07:05 pm Comment from: Oh, for Pete's sake!

Apple should ship all Macs with the highest security settings by default, period. The user then assumes all responsibility for lowering his or her security. This would save Apple from public embarrassment. Where are those Apple geniuses when you need them?

Oct 30, 07 - 07:06 pm Comment from: Raymond from DC

Has anyone with Leopard tested using Gibson Research's port probe (http://www.grc.com)? When I test with Tiger through my Verizon DSL installation, I am deemed "invisible" - perfect score.

Oct 30, 07 - 07:06 pm Comment from: @Security Man

Jesus man buy a clue, stealth mode is a system setting, it has nothing to do with hardware

Go to the system preferences | sharing | firewall

Hit advanced, check the "stealth mode" box

Oct 30, 07 - 07:09 pm Comment from: fenman

When I ran the install as an upgrade it retained the pre-existing firewall settings, as I would expect.

Now let's see, I have installed pre-hardened versions of most of the major operating systems in the last 2 years alone and cannot remember one that had the firewall on by default in a clean install, however all retained the previous firewall settings when run as an upgrade. How is this not as expected?

Seems like trolling for hits to me, just like those paragons of scientific excellence at GP.

Oct 30, 07 - 07:10 pm Comment from: montex

What a load of waffle. Call me when there has been a real breach.

Oct 30, 07 - 07:12 pm Comment from: mfshroom

I always wondered what exactly the firewall in OS X does. In other OSes, turning on a firewall (like ZoneAlarm in XP. The built-in firewall in XP isn't a real firewall) blocks all programs from connecting to the network, until they are given permission to (for example, I set Firefox to always be able to connect to the internet, while IE has to ask permission each time it tries to connect.)

But in OS X, enabling the firewall does not make any noticeable changes to how applications access the internet. After enabling it, Firefox or iTunes or any program has just as much access to the network as they did before.

It seems like the firewall in OS X isn't about comprehensive control over all network activity, like ZoneAlarm is. Apple seems to have taken a different approach: one that doesn't bother the user, or deny normal application net access. Instead OS X uses a variety of other means to prevent security threats.

If anyone wants to correct my layman's understanding of this, by all means.

Oct 30, 07 - 07:17 pm Comment from: larry turnauer

"...and that's why YOU NEED our product and/or service, for the low, low price of only..."

Oct 30, 07 - 07:21 pm Comment from: 8R

These types of articles always bring out the trolls. They want to try and make us Mac users as miserable as the windblows crowd is. Nice try; no luck!

Oct 30, 07 - 07:21 pm Comment from: @montex

Can we call collect? Phone number?
Even Superman has kryptonite.

Oct 30, 07 - 07:27 pm Comment from: Alex

"What a load of waffle. Call me when there has been a real breach."

Are you people stupid? If the MacOSX firewall is ineffective, it needs to be reported and patched.

Pointing out potential problems is how they are avoided in the future and is how a system is made safe.

All this Apple fanboyism simply reinforces the idea that Apple users are elitist wankers.

APPLE ARE NOT PERFECT.

GET OVER IT.

Oct 30, 07 - 07:33 pm Comment from: Peter

One difference between Mac OS X and Windows XP (and, maybe, Vista) is that some Windows XP services are turned on by default. In Mac OS X, no services are on by default so you don't need to have the firewall on by default.

That said, when you turn on services, it's a good idea to consider turning on the Firewall to keep others from connecting to them inadvertently.

Oct 30, 07 - 07:34 pm Comment from: Bill in Sarasota

So? I've never used the Apple firewall since I'm behind the hardware firewall in my router.

Oct 30, 07 - 07:36 pm Comment from: Think

Alex
"Are you people stupid? If the MacOSX firewall is ineffective, it needs to be reported and patched."

What most of us Mac users are saying is, "Is this article BS and trying to troll for hits?"

You can't honestly believe Apple extended the release date and got a major piece of security wrong. This just needs to be followed up by multiple, reputable sources, PC World, Mac World, etc. to prove or expose the original story.

Oct 30, 07 - 07:38 pm Comment from: Randian

Who ARE all you guys? What are your credentials and real world experience? Why should I believe one word you say, pro or con of this issue?

NOTE: Welcome to the wonderful world of chat rooms and bulletin boards where everybody is a f*cking genius, where everybody knows more than everybody else, where nobody else's standards are as high as "mine."

You guys REALLY need to start your own company and show 'em what you're truly made of.

Until then, I call b*llsh*t all 'round.

Oct 30, 07 - 07:45 pm Comment from: Think

Keep in mind the lengths people will go to for their 15 minutes of fame.

The oh so accurate laptop wireless hacking story comes to mind.
The first week it was touted as true and us Mac fanboys better get used to it.

Months later it was all proved very wrong multiple times. The idiot writer had a personal agenda against Apple.

So when stories like this first come out, I take it with a grain of salt and then wait for others to duplicate the same thing.

Keep in mind the Windows FUD machine is going to go into overdrive when sales of OS 10.5 take off and Vista just languishes in the retail market.

Don't forget how much money MS has in the bank to buy "stories" or slant reviews. It's sad but it happens.

Oct 30, 07 - 07:56 pm Comment from: Ralph M

@Alex: You need to appreciate that the issue of security here is way more complex than just "oh-my-god the firewall isn't turned on by default." Aside from the FUD masquerading as fact in the article, the author truly doesn't seem to understand that Apple's approach to security at the OS level is different than Windows, but he expects it to behave the same. That's his problem, not Apple's.

Oct 30, 07 - 07:58 pm Comment from: Charles

@Alex: You really say it best with "Are you people stupid?" and the very ironic "APPLE ARE NOT PERFECT."

It gave me a good long chuckle.

Oct 30, 07 - 08:05 pm Comment from: SunRA

Here's a simple, but effective test:

http://www.hackerwatch.org/probe/

Oct 30, 07 - 08:37 pm Comment from: Lurker_PC

@Raymond from DC -

Per your request, I ran the Service Port Probe at http://www.grc.com using Leopard with the firewall first set to "Block all incoming connections". I too received a perfect score (Full Stealth Mode). I then reset the firewall to "Set Access for Specific Services and Apps". Once again a perfect stealth score was achieved.

I am running Leopard on a Powermac G5, Dual 1.8. My ISP service is also Verizon FIOS. (Pretty nice!)

I do not know if the results would change for anyone using an Intel based Mac.

Peace.

Oct 30, 07 - 08:59 pm Comment from: FUDbuster

After having just performed an nmap test matrix of a fresh install of Leopard, imagine my surprise at reading the FUD presented in this article. In my tests, the firewall (which is OFF by default just as in all previous versions of OSX) responds EXACTLY as one would expect. When "Block all incoming connections" is selected, nmap reports no ports are available. When "Allow all incoming connections" is selected, nmap reports any services/ports which have been enabled (by default, none are enabled). When "Set access for specific services" is selected, nmap reports the services, ports, applications which are listed in the box below that option. If you select the "stealth" option in the Advanced button, nmap reports that "the host appears to be down". I think either Heise Security has an agenda, or someone needs to go back to school.
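
The per-mode expectations in the comment above can be checked mechanically against a scan of your own machine. This is an added example, not code from the commenter or from Heise: it compares nmap grepable output (`-oG`) with what each firewall mode is described as exposing. The function names, mode labels and the sample scan are constructed for illustration.

```python
import re

# Expected exposure per firewall mode, as the comment above describes it.
def expected_open(mode, enabled=(), allowed=()):
    if mode == "block_all":
        return set()                 # nothing should answer
    if mode == "allow_all":
        return set(enabled)          # every service the user switched on
    if mode == "specific":
        return set(allowed)          # only what is listed in the firewall pane
    raise ValueError(f"unknown firewall mode: {mode}")

# One entry of nmap's grepable "Ports:" field: port/state/protocol/...
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/")

def parse_grepable(text):
    """Return {host: {"open": set, "unclear": set}} of (port, proto) pairs."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        result = hosts.setdefault(host, {"open": set(), "unclear": set()})
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue
            key = (int(m.group(1)), m.group(3))
            if m.group(2) == "open":
                result["open"].add(key)
            elif m.group(2) == "open|filtered":   # typical for UDP: no proof either way
                result["unclear"].add(key)
    return hosts

def audit(mode, scan_text, enabled=(), allowed=()):
    """Compare what the scan saw with what the chosen mode should expose."""
    want = expected_open(mode, enabled, allowed)
    report = {}
    for host, seen in parse_grepable(scan_text).items():
        report[host] = {
            "unexpected": sorted(seen["open"] - want),
            "missing": sorted(want - seen["open"]),
            "recheck": sorted(seen["unclear"] - want),
        }
    return report

# Constructed sample, not a real scan of Leopard; 192.0.2.10 is a documentation address.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/filtered/tcp//ssh///, "
    "88/open/udp//kerberos-sec///, 123/open|filtered/udp//ntp///"
    "\tIgnored State: closed (997)\n"
)

if __name__ == "__main__":
    for mode in ("block_all", "specific"):
        print(mode, audit(mode, SAMPLE_SCAN, allowed=[(22, "tcp")]))
```

A scan taken in stealth mode, where nmap lists no ports for the host, yields an empty report, so run the audit once per firewall setting rather than relying on a single pass.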
