How a hidden OS X process made my old employer think my Mac had been hacked

A slow Monday that I’d hoped would ease my way back into a semi-normal workweek was interrupted by a note from an old Post colleague–specifically, somebody in the IT department–with the never-good subject line of “virus?”

The security guys are reporting that someone is attempting to logon to VPN with your old credentials.

I replied saying that it was probably something spurious unless it was coming from the IP address my home currently had assigned from Verizon. He wrote back to say “turns out that IP is what is pinging the VPN server.”

Well, crap.

[Image: Little Snitch network monitor]

I updated my Mac’s ClamXav malware scanner for the first time in months and got it started on a tedious inspection of my Mac, then downloaded the trial version of a network monitor called Little Snitch.

The virus scan found nothing, and Little Snitch didn’t report any oddball apps trying to send out data either. I also checked the settings of apps that I’d once configured to log into the newsroom remotely, but found nothing there.

Then I thought to try searching for the Post VPN address in Little Snitch’s network monitor. That revealed that Safari–to be exact, its WebProcess component–had pinged it only a few hours ago. A search for that address in Safari’s bookmarks and history located an old bookmark for the site that I’d misplaced in an unrelated, rarely-opened folder. Since deleting that, Little Snitch hasn’t recorded any more access attempts, and I haven’t gotten any other reports of those from the Post’s IT people.
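The triage above (find which process is reaching the old address, then hunt for the stale reference that keeps it alive) can be scripted. The following is an added example, not code from the original post or from Little Snitch: it parses constructed `lsof -i -n -P` output to attribute connection attempts to a process, then searches a constructed SQLite table shaped like Safari’s history store and a constructed nested dict shaped like Safari’s Bookmarks.plist for the hostname. The lsof column layout, the simplified history_items(id, url) table and the Children/Title/URLString bookmark keys are assumptions here; the sample addresses and URLs are invented.

```python
"""Attribute outbound connection attempts to a process and hunt for stale references."""
import re
import sqlite3
from collections import defaultdict

# Constructed `lsof -i -n -P` sample (not captured data); 203.0.113.10 plays the old VPN address.
LSOF_SAMPLE = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
WebProcess  812  rob    23u  IPv4 0x1a2b      0t0  TCP 192.168.1.5:52104->203.0.113.10:443 (SYN_SENT)
Safari      790  rob    31u  IPv4 0x1a2c      0t0  TCP 192.168.1.5:52110->198.51.100.7:443 (ESTABLISHED)
ClamXav     901  rob    12u  IPv4 0x1a2d      0t0  TCP 192.168.1.5:52120->198.51.100.20:80 (ESTABLISHED)
WebProcess  812  rob    24u  IPv4 0x1a2e      0t0  TCP 192.168.1.5:52131->203.0.113.10:443 (SYN_SENT)
"""

# Assumed lsof layout: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, NAME = src->dst:port (STATE)
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+\S+->(?P<host>[^:\s]+):(?P<port>\d+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def processes_talking_to(lsof_text, target):
    """Map (command, pid) -> list of connection states for every line whose peer is target."""
    hits = defaultdict(list)
    for line in lsof_text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group("host") == target:
            hits[(m.group("cmd"), int(m.group("pid")))].append(m.group("state") or "")
    return dict(hits)


def build_sample_history(path=":memory:"):
    """Create a constructed history store; the real History.db has more columns than this."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT NOT NULL)")
    db.executemany("INSERT INTO history_items (url) VALUES (?)", [
        ("https://www.example.com/",),
        ("https://vpn.newsroom.example/login",),   # constructed stale entry
        ("https://mail.example.com/inbox",),
    ])
    db.commit()
    return db


def history_urls_mentioning(db, needle):
    """Return every history URL containing needle (a hostname or address)."""
    rows = db.execute("SELECT url FROM history_items WHERE url LIKE ?", (f"%{needle}%",))
    return [r[0] for r in rows.fetchall()]


# Constructed bookmark tree mimicking the nested Children/URLString layout (assumed keys).
SAMPLE_BOOKMARKS = {
    "Title": "",
    "Children": [
        {"Title": "News", "Children": [{"Title": "Example", "URLString": "https://www.example.com/"}]},
        {"Title": "Old stuff", "Children": [
            {"Title": "Misc", "Children": [
                {"Title": "Newsroom VPN", "URLString": "https://vpn.newsroom.example/"},
            ]},
        ]},
    ],
}


def bookmarks_mentioning(node, needle, path=()):
    """Walk the bookmark tree; return (folder/title path, url) for every URL containing needle."""
    hits = []
    for child in node.get("Children", []):
        title = child.get("Title", "")
        url = child.get("URLString")
        if url and needle in url:
            hits.append(("/".join(path + (title,)), url))
        hits.extend(bookmarks_mentioning(child, needle, path + (title,)))
    return hits


if __name__ == "__main__":
    print("connections:", processes_talking_to(LSOF_SAMPLE, "203.0.113.10"))
    print("history:", history_urls_mentioning(build_sample_history(), "vpn.newsroom.example"))
    print("bookmarks:", bookmarks_mentioning(SAMPLE_BOOKMARKS, "vpn.newsroom.example"))
```

On a real machine the first function would consume the output of `lsof -i -n -P`, and the peer would usually be an IP address while the bookmark and history entries hold a hostname, so run the two searches with whichever form you have and resolve between them. Re-running the connection check after removing a stale bookmark is the confirmation step the post describes.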

WebProcess itself seems remarkably undocumented on Apple’s customer and developer sites, aside from references to it by users in the company’s tech-support forums. A further inquiry confirmed my initial hunch that this process updates Safari’s “Top Sites” view of pages you’ve visited recently–how else will the browser know to provide current previews of them?

What I still don’t get is why WebProcess would have kept on checking a site I hadn’t visited in close to two years–and which I don’t remember seeing in Top Sites anytime since. But I’ve witnessed enough weird behavior lately from individual Apple apps that I can’t put this past Safari… which is to say, I hope that’s all this is and that I haven’t missed something else.


A CalendarAgent cure

A runaway, memory-eating process in Mac OS X Mountain Lion that I’ve whined about on Twitter and in last weekend’s USAToday.com column seems to have returned to sanity.

At first, this CalendarAgent program had been a mild-mannered citizen on both my MacBook Air and on my older iMac. But a day or two after Discovery News posted my generally positive review of Mountain Lion, the iMac started locking up as CalendarAgent devoured as much as three to four gigabytes until I force-quit it with OS X’s Activity Monitor app.

The problem went away long enough for a cautious endorsement of Activity Monitor in Sunday’s USAT piece, but then it resumed. After a few days of getting bored with killing off this process two or three times an hour, I was trying to remember how to yank its execute privileges when I thought to check the Console app.

The repeated errors listed in this troubleshooting tool indicated that CalendarAgent was choking on my wife’s shared Google Calendar feed. I’d subscribed to that in Lion’s iCal without any issues (parenthood requires a non-trivial coordination of schedules), but Mountain Lion apparently had other opinions. I deleted the subscription from ML’s Calendar app, added it back in the BusySync software I use to publish my own set of calendars to Google, and was soon treated to the welcome and overdue sight of CalendarAgent’s memory allocation dropping back to normal levels.
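The Console step above amounts to grouping log lines by process and message and looking at what repeats. As an added example (not code from the original post), the script below does that over constructed log lines in the syslog-style layout Console showed at the time (“Mon DD HH:MM:SS host process[pid]: message”, an assumption here), collapsing digits so retry counters do not split one recurring error into many, and pulling out any URL the message names so the offending feed is visible at a glance. The process names and feed URL in the sample are invented.

```python
"""Find the most-repeated Console errors and the URLs they mention."""
import re
from collections import Counter, defaultdict

# Constructed Console-style lines (not a real capture); CalendarAgent retries one feed over and over.
SAMPLE_CONSOLE = """\
Aug  5 09:14:02 iMac CalendarAgent[412]: Subscription refresh failed for https://calendar.example.net/shared/spouse/basic.ics (attempt 1)
Aug  5 09:14:02 iMac WindowServer[120]: Display update timed out
Aug  5 09:14:32 iMac CalendarAgent[412]: Subscription refresh failed for https://calendar.example.net/shared/spouse/basic.ics (attempt 2)
Aug  5 09:15:02 iMac CalendarAgent[412]: Subscription refresh failed for https://calendar.example.net/shared/spouse/basic.ics (attempt 3)
Aug  5 09:15:10 iMac mds[77]: Volume scan complete
"""

# Assumed line layout: "Mon DD HH:MM:SS host process[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s)]+")


def normalize(msg):
    """Replace digit runs so 'attempt 1' and 'attempt 2' count as the same message."""
    return re.sub(r"\d+", "N", msg)


def repeated_messages(log_text, min_count=2):
    """Return [(count, process, normalized message, [urls])] for messages seen >= min_count times,
    most frequent first."""
    counts = Counter()
    urls = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines in another format rather than guess
        key = (m.group("proc"), normalize(m.group("msg")))
        counts[key] += 1
        urls[key].update(URL_RE.findall(m.group("msg")))
    report = [
        (n, proc, msg, sorted(urls[(proc, msg)]))
        for (proc, msg), n in counts.items() if n >= min_count
    ]
    return sorted(report, key=lambda r: -r[0])


if __name__ == "__main__":
    for n, proc, msg, found in repeated_messages(SAMPLE_CONSOLE):
        print(f"{n}x {proc}: {msg}")
        for u in found:
            print(f"    mentions {u}")
```

The grouping key deliberately includes the process name, so the same wording logged by two daemons is reported separately; raise `min_count` on a noisy machine to keep only the real repeaters.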

I still don’t know what exactly went wrong on the iMac; the MacBook Air didn’t have this problem even after I subscribed directly to my wife’s schedule in its Calendar app. Adding it under the “delegation” option for the Google account I’d already configured in that copy of Mountain Lion–but which I hadn’t set up on the iMac–didn’t result in any memory leaks either.

But if you’re tired of seeing CalendarAgent hold up your Mac, try changing how Google calendars get to the computer. Instead of adding a direct .ics subscription via Calendar’s Edit menu, subscribe to that feed in your Google Calendar, add that Google account in System Preferences’ Mail, Contacts and Calendars pane, and you should see the subscription under “Delegates” when you click Calendar’s “Calendars” button. Or revert from the delegation approach to a direct subscription. Let me know if that yields any better results.

How Windows (may have) killed my laptop

Little-known fact about me: For the past two weeks or so, I haven’t been able to use the ThinkPad I bought last summer. Here’s what happened, in 10 painful steps.

1. Months after successfully installing the Customer Preview of Windows 8 in a separate partition of my ThinkPad X120E (and somewhat regretting that it required me to wipe out Lenovo’s recovery partition), I finally got around to trying to install the Win 8 Release Preview Microsoft shipped at the end of May. At the tail end of a seemingly-nominal installation, the Release Preview installer got stuck at the “Finalizing your settings” screen. After waiting a few hours, I forced the machine to shut down and got a prompt at startup saying that Windows would undo the RP installation and return me to CP.

2. Because I am an idiot, and because I was getting fed up with some networking problems in Win 8 CP, I decided I’d try installing Release Preview again the night before I was heading out to San Francisco to cover Google’s I/O conference. Once again, the installer couldn’t get past “Finalizing your settings”–which is a funny place for Win 8 RP to halt, since it doesn’t preserve any of your settings in the first place.

3. Because I’m an idiot, I then tried wiping the Win 8 partition and doing a clean installation. The results were much worse:

4. After yet another restart that night–which by now counted as “early morning”–I got as far as the setup screens where Windows 8 asks you to set up a live.com user account. It said mine was already in use on the machine. Trying different usernames only resulted in yet another stall.

5. With no Win 8 system available and less than six hours remaining before my 8 a.m. departure from National Airport, I gave up, reverted to Windows 7, and resented its slower performance all week long.

6. Back home, I took yet another stab at installing Win 8 RP in early July. I got the same failure: a bogus report that somebody else was trying to use my Windows Live account on the system. (By then, I had gotten a few sympathetic e-mails from a Microsoft publicist promising help from people on the Windows team, but I never got more than an initial, friendly “what can I do to help?” response from them.)

7. For reasons I don’t remember precisely, I elected to switch back to Windows 7, saw that the system had a round of updates to install, and thought I’d proceed with them. Bad idea: The installation failed, leaving the computer unbootable in two different versions of Windows.

8. Successive attempts to use the disk-repair tools in Windows 7 failed; a Lenovo troubleshooting utility came up, complained that it needed me to log in, and demanded a reboot with an “Okay” button. No, it’s not okay. The disk-repair tools on the Win 8 installer’s flash drive didn’t do any better.

9. Because I’m not a complete idiot, I had a complete drive-image backup of my pre-Win 8 system (plus incremental backups from mid-July). But I can’t recover it: The Win 8 installer flash drive said it couldn’t restore a 32-bit disk image–even though there’s nothing bit-specific about that job. (Sometimes I think the only way the 32- and 64-bit editions of Windows could get along worse is if Microsoft farmed out the development of each to the Israeli Defense Forces and the PLO.) Edit, 2:43 p.m. And as of this morning, booting up the laptop yields the results you see in the photo above.

10. A 32-bit version of the Windows 8 Release Preview installer then said it couldn’t restore an image from an earlier version of Windows. So now I need to generate a Windows recovery-tools flash drive from a 32-bit version of Windows 7. And thanks to Microsoft’s unwillingness to offer a download of that program, this job apparently either requires a machine with CD or DVD burner or a painful amount of monkeying around with DOS commands.

But things could be worse. Wired writer Mat Honan, one of the smarter observers of technology around and one of the more decent human beings on the Internet, had somebody break into his iCloud account and use its remote-wipe feature to nuke his MacBook Air, iPad and iPhone–while also laying waste to his Twitter and Google accounts. So I’m not going to whine too much about this self-inflicted wound. Besides, I can always install Linux on the machine.

Epilogue, 10/21: In case anybody was wondering how this turned out, I was able to generate a USB-based, 32-bit Windows 7 system-repair volume using Into Windows’ directions. My only hangups involved having to disable Parallels Desktop from sharing USB volumes with OS X, followed by the exceptionally long time it took to format this USB flash disk in NTFS from the command line. Things worked as advertised otherwise, and I once again have a working Windows laptop–ready for me to try out Windows 8 once again when it ships next week.


Steve Jobs storytelling and Apple history

I knew I would have to write an obituary for Steve Jobs someday. I didn’t think it would happen this soon–or that the subject would draw so much interest.

But it did, and it has.

I haven’t seen such a rush by people to document What They Felt since… okay, the tenth anniversary of 9/11 last month. But I understand where that comes from: When certain big things happen, if you don’t instinctively clutch for a keyboard or a notepad, you’re not much of a journalist.

So after learning the news–through a voicemail from a local TV producer who wanted to know if I could come on the Thursday morning show to talk about Jobs’ passing–I spent about two hours writing an appreciation of Jobs. Then I spent another two hours rewriting it. Something about an obituary does not tolerate factual errors or even merely inelegant writing.

Every other tech journalist seems to have done the same thing. A few shared stories of getting repeated phone calls from Jobs, sometimes even at their homes–or of visiting Jobs at his home–while others only connected with Jobs in brief interviews.

What’s surprised me since has been the expressions from individual users: the posts on Twitter, Facebook and Google+ (some from users who changed their avatars to Apple icons or pictures of Jobs); the “what Apple products I’ve owned” inventories (mine appears after the jump); the testimonials that have been piling up in front of Apple Stores. The photo at right shows the Clarendon location, where passersby have been leaving messages on Post-It notes (provided by the store, I think). One of my favorites reads “Thanks for ignoring the focus groups”; another simply has the word “Sleep” inside a rounded rectangle, as if it were a button in an OS X dialog box.

It’s all a reminder: These things with screens and buttons aren’t just tools we use and then set aside. They change us. They are part of our culture.

Today’s commemorations of Steve Jobs remind me of another, less pleasant reality: The price of being around at a time when you can meet the inventors of the technologies that changed your world is eventually having to say goodbye to them. There will be other farewells like this, I hope not too soon.


Chromebook contemplation, cont’d.

At home, my wife and I have an iPad 2 parked more or less permanently on the coffee table–and, aside from Skype, we spend most of our time on this thing in its Web browser. Given that background, I should have liked Google’s “nothing but the Web” Chromebook concept. Right?

Wrong. I detail the reasons why I did not in my review for Discovery News, posted on Friday: The Samsung Series 5 machine I tested costs a little too much, weighs a little too much, is sometimes sluggish and is liable to turn into a brick should you stray beyond a wireless signal. I could have inventoried other gripes, such as its cooling fan’s distractingly loud whir, the overly-sensitive keyboard that repeatedly caused me to type duplicate characters, and the strange failure of Google’s Chrome Web Store to highlight Web apps that can run in an offline mode.

All of those aspects fell short of the optimistic presentation at this summer’s Google I/O developer conference that I watched on YouTube after the fact.

Don’t forget the inconvenient fact that Google already has a Web-friendly operating system that both runs  programs and saves data on your own device and automatically backs up everything online: Android.

But then there’s the possible market that Google didn’t pursue, the same one that Apple neglected when it introduced the iPad: the beginners who use a computer almost exclusively for Web and e-mail access, and never outside of the house. If you’ve had the privilege of providing Thanksgiving-weekend tech support for these first-timers, you’ll also admit that they probably don’t keep their applications up to date and often neglect to back up their data.

The Chromebook or something like it–a computer that updates itself, focuses on Web and e-mail use, and backs up everything automatically to secure Web storage–could serve that constituency well. But Google’s own marketing message, echoed by such retailers as Best Buy and Amazon, speaks right over this crowd:

Chromebooks are built and optimized for the Web, where you already spend most of your computing time.

There’s a chance left for somebody to connect with people who can’t give a billable-hours breakdown of their computing time and don’t throw around verbs like “optimize.” Right?

Debugging a few defective defaults in Lion

My review of Mac OS X Lion for Discovery News represented a departure from long-standing practice: For the first time in maybe a decade, I reviewed a new Apple operating-system upgrade by installing it on my primary computer, not an expendable review machine.

As you can read in that writeup, the installation went fine on my late-2009 iMac, and I consider Lion to be a good deal overall. But I also disliked enough of Apple’s changes to prior Mac behavior that I found myself quickly undoing these new defaults–which is another thing I traditionally haven’t had to do with a Mac upgrade. Here are my major corrections:

Tame scrolling and zooming behavior. By default, Lion imposes two iOS aspects on OS X, “reverse scroll” and “smart zoom.” The former has you flicking two fingers in the direction of scroll on a Mac laptop’s trackpad or a Mac desktop’s Magic Mouse, as if either were the screen of an iPad or iPhone–i.e., the opposite of how you’ve scrolled on a computer until now. The latter zooms into a window if you tap two fingers on either input device–which I found myself doing unintentionally way too often. Fundamentally, I think you need a different user-interface grammar on a computer and a touchscreen mobile device. As long as the computer requires you to control it through indirect manipulation–that is, by touching something besides the display–the mobile model breaks down. If you agree, you can undo both of Apple’s changes in the Mouse and Trackpad panes of System Preferences.

Show scroll bars. In general, I appreciate Apple’s willingness to edit out complexity and pare things down to the minimum. But hiding scroll bars until you start to scroll with the mouse or trackpad seems an enormous mistake. In long documents, I felt lost and kept gesturing with the mouse to force the scroll bar to resurface. The effect was even more annoying in Web forms on a page and in other cramped, scrolling-required boxes. And to what benefit–to save a few pixels of screen real estate on the right edge of the window or form? No thanks, Apple. I’ll live with that clutter if it stops me from reflexively twitching a finger on the mouse every few minutes. To undo that mistake, click the button next to “Always” under “Show scroll bars” in the General pane of System Preferences.

Make the Library folder visible again. Apple somehow elected to copy one of Microsoft’s stupider interface decisions by hiding the Library folder in Lion. This is where your applications store their preferences, supporting files and some of their data–and it’s far more human-readable than the tangled array of hidden “AppData” sub-folders in Windows 7 that Microsoft hides from its users. Many common troubleshooting routines require access to your Library’s contents, but Lion hides the entire folder from view. To make it visible again, open the Terminal app and paste in the following command, then hit Enter:

chflags nohidden ~/Library

(That comes from a TidBITS post, but there are other ways to get at this folder. Macworld offers a full 18 workarounds.)

I may adjust more of Lion’s defaults as I get more familiar with this operating-system upgrade. I can also think of other changes I’d make on a laptop–for instance, setting Lion to show a message when the screen is locked, then maybe adding Boxee to replace the Front Row media-browsing software Apple excised from OS X. But for now, these are the big three fixes I’d make to any Lion installation. What’s on your own list?

Update, 9/7, 4:17 p.m. Since writing this, I’ve had to change two other system settings:

  • To stop getting flicked from the Finder into the Dashboard by an unintended two-finger gesture, I unchecked the “Show Dashboard as a space” checkbox in System Preferences’ Mission Control pane.
  • After twice losing work when my attempt to scroll horizontally led Safari to assume I wanted to go to the previous page–after which this browser failed to return me to the blog post I’d been composing–I unchecked the “Swipe between pages” checkbox under the “More Gestures” heading in System Prefs’ Mouse pane.

The market for Mac malware

Are malware makers finally ready to pay Apple the ultimate compliment by writing viruses and trojans that target Mac OS X?

Sure–they already have. For the past few years, Mac trojans have been surfacing that will screw with your machine in various ways. But they all require assistance from the unwise or the unwary: You not only have to download and install one of these malicious programs, you also have to authorize its operation by typing your Mac’s admin password. And these phony applications are so rare and so obvious that Mac users can comfortably get by without running anti-virus software.

That’s not the case in Windows (nor was it always the case with “classic” Mac system software). On Thursday, ZDNet’s Windows columnist Ed Bott suggested that Mac users were due to experience that sort of anxiety, citing the Mac’s increased market share, the history of remote exploits for Mac OS X and the arrival of the first Mac-specific write-your-own-virus toolkit:

My prediction is that the bad guys are still “testing market conditions,” and waiting for the right time for their grand opening. I think we’ll see a few more of these tentative probes—beta tests, if you will—before anyone unleashes a truly widespread attack.

The next day, Bott wrote about a new trojan, hidden behind a “poisoned” image page found in a Google search, that featured both Windows and Mac versions.

The problem with predicting an imminent wave of Mac viruses is that so many people have been wrong before–as Mac blogger John Gruber noted in a post Thursday, titled “Wolf!”, that quoted more than a dozen forecasts of Mac malware doom, going back to 2004. But this time could be different. Veteran Mac journalist Glenn Fleishman surprised a few people, possibly including himself, by repeatedly defending Bott’s analysis in conversations on Twitter.

(This is why you should follow more than one person covering a subject you care about; you’ll see this shop talk among competing reporters and analysts that you’d otherwise miss if you only followed one of those people.)

As a Mac owner and the primary source of tech support for two others (my mom and my mother-in-law), I’m not too worried about Mac trojans. I think Bott slightly oversells that risk, for two reasons.

One, every Mac trojan that I’ve seen so far requires you to type an admin password. Any Mac user with a few weeks of experience should recognize that as an unusual sign, reserved only for things like system-software updates and installing printer drivers–other apps only require you to drag their icons to the Applications folder. This sets the Mac apart from Windows, in which almost every single program requires running an installer and authorizing that action by clicking through a User Account Control dialog. That said, recent Windows switchers could easily see a password request from a new OS X app as something normal.

Two, Apple’s Mac App Store provides a safe alternative (though I’m happy it’s not the only way to add third-party software to a Mac.) Somebody worried about getting hit with viruses from strange downloads can stick to that and should be safe. I wish Windows had an equally simple, obvious alternative–a few of my readers at the Post seemed unable to avoid downloading the trojan of the week and desperately needed such an option.

And yet: Over Easter, I expanded my usual troubleshooting of my mom’s iMac by installing the free, open-source ClamXav anti-virus program on that machine.

I’m much more concerned about zero-day exploits of vulnerabilities in OS X’s Internet-facing software. As contests such as the annual Pwn2Own competition have shown, it’s not all that hard to take control of a Mac remotely by luring a victim to a malicious site. The Mac’s growing market share–which Apple put as more than 20 percent of the consumer market in the U.S. back in October–gives malware authors an increasing economic incentive to target those flaws. And Apple’s sometimes-sluggish pace at shipping security fixes makes their job easier.

That’s my worry. I hope I’m wrong about it.