Monthly Archives: November 2013

Mac security updates

Posted on by

This article, while mostly click-baiting troll fodder, does raise a reasonable point.

The release notes for OS X Mavericks list a large number of security issues which are resolved in 10.9 only. A month on from the release of Mavericks no equivalent updates have been posted for Snow Leopard, Lion, or Mountain Lion. Absent official comment from Apple it seems that since the update to Mavericks is free, that’s your security patch.

Given the problems that come with any major system update this seems an utterly unreasonable approach, especially for cases where we’re dealing with complex third-party software which needs to be validated on each update. It’s bad enough that new Macs can never have older versions of the OS installed on them, but this is affecting machines which are currently running properly and now one has to choose between security and application stability. I’m at a loss to suggest the less bad option. Various applications require new versions to work on Mavericks, and not all of these updates are free.

This also absolutely reinforces my relief that I am no longer using OS X Server for anything apart from an illustration of why Linux or even Windows is a better server OS…

Kernel? Panic!!!

Posted on by

An interesting Mac problem today, one I’ve never seen before in all my years of messing about with Apples.

The user had applied some system updates from the App Store, and rebooted the MacBook Air as usual. Immediately on boot there was a kernel panic, with white text on a black background showing up over the grey boot screen. This happened even when trying to boot into safe mode (holding down Shift) though Recovery mode worked OK.

A quick google for the main text of the error – Unable to find driver for this platform: \”ACPI\”. – showed this was something others had seen at various times over the years when an update failed. The most common recommendation was to boot to recovery mode and reinstall OS X, though some other users suggested reapplying the most recent Combo updater to the affected machine. 

Combo updaters have all the files needed to update a machine from any point release of OS X to the latest, eg. 10.8.3 to 10.8.5 directly; the delta updaters only upgrade from one release to the next. Applying the combo updater is often a cure for small errors which seem to happen in incremental updates, as they replace a lot of files with fresh copies, eliminating small errors that can creep in over time.

I booted the afflicted Mac into Thunderbolt Target Disk mode, and plugged it into my MacBook – the disk showed up as expected. I downloaded the 10.8.5 Combo updater from Apple, and tried to run it. My grand plan fell apart at this point as my MacBook was running Mavericks, and the Combo updater plain refused to run, even to be applied to an external drive. After a quick look for a Mac running Mountain Lion which had a Thunderbolt port (my Mountain Lion iMac doesn’t sadly) I repeated the process, which took about 10 minutes to apply the full updater, and rebooted the Mac. Thankfully at that point it booted up perfectly fine, and afterwards had more updates applied from the App Store without problem.

So, lessons learned? Firstly, I need to keep some Mountain Lion machines around for the foreseeable future. Secondly, some people swear by always downloading the Combo updates from Apple and running those instead of the Delta updates from Software Update/App Store; I’m not at that point yet but I do start to see the attraction, and it does illustrate the utility of the Combo update for solving bizarre glitches.

Windows XP end-of-support

Posted on by

As of April 8 2014 Microsoft will terminate all support for Windows XP – this means there will be no further security updates issued regardless of the severity of the problem. In effect this means that all machines running Windows XP must be upgraded to Windows 7/8, or replaced, before this date.

If you have a Windows XP system which you currently use to your satisfaction you will likely be unhappy with this news, but there are sound reasons for taking action. Many security issues which are found in more modern variants of Windows actually affect XP too; hackers will analyse the patches for modern Windows systems to identify the issue and test it against XP – if they find an exploit it will never be fixed on XP. While running AV software may help in the short term, sooner or later it’s likely there will be issues which cannot be avoided. As JANET rules require that any machine attached to the QUB network has up to date security software and a fully patched OS, we simply cannot have XP machines attached to the campus network once support ends.

Even if your machine does not connect to the network (e.g. one used for instrument control) you will still have to upgrade sooner or later. If you use USB keys to transfer data from a standalone machine it can still be infected with viruses transferred on the stick itself, and without a network connection it can’t have up-to-date AV software which might block these.

Aside from the security issues, if you have a system which requires XP for some reason then you are already at significant risk, since modern systems may well not support running XP. As/when the machine breaks it may be impossible to repair/replace it, forcing you to update in an uncontrolled manner. If you have software which only works on XP then you need to plan to either upgrade to a more recent version or migrate to another package if there is no update available. Virtual machines may help in a pinch, but are still subject to security issues.

If you are running Windows XP at the moment you should urgently speak with your computer support officer to begin planning your migration. Within Physics we will be trying to identify XP systems by walking around offices and labs, but that is solely so we know what may need to be removed from the network come April!

In many cases the best option will be to obtain a new machine, though with more recent machines it may be possible to install Windows 7. Since direct upgrades from XP to Windows 7 are potentially problematic in most cases clean installs will be required, with subsequent reinstallation of other software, which will not be that different to migrating to a new machine.

Please do not interpret this as persecution of Windows users – the requirement for machines to have up-to-date operating systems and software applies to all platforms, from Macs to Linux to Unix. All Macs should be running at least OS X 10.6 or later, for example. Windows XP simply currently has wider use around Queen’s, and more hackers interested in exploiting those systems.

Update – those contemplating an update from XP to Win7 should probably review this guide from Microsoft.

Waiting for Mavericks.1

Posted on by

Things which I observed Mavericks cause problems with today:

  1. 2013 MacBook Airs discharging their batteries as they can’t maintain a sleep state.
  2. Keynote ’09 showing font problems – some fonts lose their spacing information and end up showing text bunched together. This happens on two machines. So the old Keynote is now broken (by a bug) while the new one is broken by design.
  3. Similarly Pages does not care for those fonts, but seems to overspace as opposed to squishing together.

In summary, wait for Mavericks.1 or Mavericks.2 if you possibly can…

Flaming Thunderbolts!

Posted on by

Stay on this channel…

A Zeroid

A Zeroid. Image via Flickr – click for link.

Sadly this is not a post about the classic TV show Terrahawks, but instead about Thunderbolt docks and expansion devices.

Thunderbolt (TB) is an Intel/Apple standard for connecting high-speed peripherals to computers. With modern Macs having limited numbers of expansion options TB is quite important. While there are all sorts of things one can plug in via Thunderbolt, I’ll talk about the most commonly used option around QUB, which is the laptop docking station.

MacBook Airs are wonderful machines but when at your desk you’ll generally want to use a larger LCD, wired network connection, and external backup drives. Without a docking station you’re probably going to have to use your TB/Mini-DisplayPort socket to plug into an external monitor, and then run hard drives and even ethernet over USB. Rapidly you run out of USB ports, so you need a USB hub, and it all gets very tedious. Apple’s USB ethernet adapter only works at 100MBit, and while that’s better than many WiFi connections it’s still well down on the standard 1GBit connections we have on campus.

It’s technically possible to connect gigabit ethernet adapters and even DisplayLink video devices over USB3, on the Mac at least I emphatically discourage it. I have yet to find a USB3 ethernet adapter which worked well on the Mac, and Displaylink leaves a lot to be desired; under Mavericks it doesn’t really work at all. So, if you want significant expansion on your MacBook, TB is the only game in town.

There are now four ‘docking’ products on the market:

  1. Apple Thunderbolt Display
  2. Belkin Thunderbolt Express Dock
  3. Matrox DS-1 Thunderbolt Docking Station
  4. Caldigit Thunderbolt Station

Here’s my opinions on each of them, based on having used each at various times. Note that all of them will require you to purchase a TB cable (around £25 for a 0.5m one) to connect to the dock, apart from the Apple TB Display which has one built-in.

1. Apple Thunderbolt Display

This was the first TB docking option, and comprises a 27″ 2560×1440 display, MagSafe charger, speakers, FaceTime HD camera, FireWire 800, 3xUSB2 ports, gigabit ethernet, and a downstream TB port for adding additional devices. It costs about £750 for education customers.

Coming from Apple it’s a well built bit of kit, and if you need an external display and don’t mind glossy glass fronts then it’s a good choice. It has a few downsides though: obviously if you’re not in the market for a new LCD, or don’t like glossy glass, you’re not going to be happy; it only has USB2 ports; and adding an extra display is problematic – the Apple solution is to add another TB display, and plugging one of the standard MiniDP-DVI adapters into the downstream TB port won’t work (though from personal experience I know that adding a DS-1 to the downstream port will allow you to add another LCD).

In summary, elegant and well built, but may be a little limiting in some cases. Not the worst option though as the cost of a third party dock plus similar LCD will not be that different.

2. Belkin Thunderbolt Express Dock

The first third party dock on the market, the Belkin offers a downstream TB port, gigabit ethernet; FireWire 800; 3.5mm headphone and microphone sockets; and 3xUSB3 ports though these are only capable of 2.5Gbps transfers instead of the full 5Gbps USB3 is capable of. List price is £249.

This works well, though the lack of an onboard display connector means you will end up using the downstream TB port with a mini-DP to DVI adapter, making daisy-chaining additional TB devices difficult. No drivers are required (at least with OS X 10.8 onwards). Still, it’s expensive compared to more recent options and you’ll still need to obtain a display adapter. Reviews suggest you can use the Apple Dual-link DVI adapter kit to add high-resolution 27″ displays though.

3. Matrox DS-1 Thunderbolt Docking Station

This was the second third party dock, and comes in two variants – one with a DVI port and the other with an HDMI port. Both variants feature 1xUSB3 port; 2xUSB2; gigabit ethernet; plus 3.5mm headphone and microphone sockets. It costs around £200.

This is slightly cheaper than the Belkin, but lacks any downstream TB port, and only has one USB3 port – reviews suggest the throughput on this is not that of a full 5Gbps port though it’s still better than USB2. The maximum supported resolution from either the HDMI or DVI ports is 1920×1200, which means high-res 27″ displays are out.

So this is a compromised product – I’ve used one to add another LCD to an Apple TB Display, and as that was a 24″ unit the resolution limits were not a problem. But if you need a larger display and more USB3 you’re going to look elsewhere.

4. Caldigit Thunderbolt Station

The newest entrant to the market, retailing at £149, offers 3xUSB3 ports (full-speed with UASP mode for faster disk access, and capable of charging/powering USB devices); gigabit ethernet; downstream TB; 3.5mm microphone and headphone sockets; and HDMI capable of supporting resolutions up to 2560 x 1600. A network driver is necessary for OS X 10.8, but support is built in with Mavericks. The downstream TB port also supports video adapters and you can connect various combinations of displays depending on what your Mac supports.

I’m very impressed with this product so far – the price is good, the unit has excellent capabilities, and seems to work as described. I’ve ordered several for various people already. At this price you’re not so far away from the cost of a good powered USB3 hub, ethernet and display adapters.

And the winner is…

At the moment I’d go with either the Apple TB Display or the Caldigit TB Station. If you don’t need/like the Apple LCD then the Caldigit is an excellent solution, and I expect to be ordering them as my default docking solution for most MacBook Air users in the future.

Just to be clear, this is my personal opinion based on experience with each unit. It’s not an official QUB recommendation!

 

 

Bootable Mavericks disks

Posted on by

After downloading the Mavericks installer from the AppStore you may wish to make a backup copy of the ‘Install OS X Mavericks’ app since it will normally be deleted after a successful install. If you’re going to install to multiple machines then you can simply copy the Installer app to the other computers, saving yourself a few GB download per Mac.

For future use you may wish to make a bootable USB drive – here’s how:

Sadly Carbon Copy Cloner no longer has a simple button to do this, but DiskMaker X does.

Note that as Apple updates Mavericks the installer App will be updated too; you can re-download it by visiting the ‘Purchases’ tab in the App Store, then re-make the USB drive.

Posted in Mac

Happy Halloween

Posted on by

Here’s a little Halloween computer story which is quite possibly real and most definitely concerning.

Add in another story involving Adobe incompetence.

I have a pretty poor opinion of Adobe software. Flash and Reader are two of the worst security problems on any computer, and my honest advice is not to install either.

These days there are few things one really needs Reader for. Macs, Windows 8, and Linux systems all come with perfectly competent PDF reader applications; under Windows 7 there is the well regarded Foxit reader which is free and has a better track record. The only times I have ever needed Adobe Reader are

  • reading encrypted PDFs used for inter-library loans
  • printing some Royal Mail prepaid mail envelopes

so I tend to think that most people are fine without it. If you must install Reader, make sure it’s not the default PDF reader and stop it from installing its web browser plugin. On the Mac this is a tedious manual process – you have to manually remove it from /Library/Internet Plug-ins/ after each update. Another reason to avoid it!

Flash is known as a security disaster, and hopefully its failure on mobile devices will lead to its eventual demise. However for the moment it’s still out there and at times necessary. My preferred solution for some time was to use Safari as my default browser, with no Flash plugin installed, and have Google Chrome as the backup browser. Chrome has its own internal Flash install which is sandboxed and auto-updates. Even then I would use a plugin blocking extension so that Flash objects would only work when clicked on.

Newer versions of Safari on the Mac now have more granular control on which websites can use plugins, so combined with the ClickToPlugin Safari extension a Safari-only option is more tolerable. Under OS X Mavericks Safari also sandboxes Flash, which will help, but is not a universal panacea as sandboxes can be broken too.

In case you’re wondering why I’m so paranoid, a common infection vector for malware is the insertion of exploit code in either Flash objects, or even tiny PDFs, embedded in web pages. These can affect perfectly legitimate sites too – either the site is hacked, or a third party advert or content service the site uses is compromised; either way you could end up with these malicious objects running when you visit a web page. Hence it’s best to minimise the attack ‘surface area’ as much as possible!

In a future post I’ll talk about some more security matters, including passwords. Meanwhile, as they used to say on Hill Street, Let’s be careful out there.