Sorry for the cross-posting, but I just had to forward this to you all.

Apple seems to have the right idea, IMO. However, the current Leopard
firewall is still relatively new. But I find it very promising to have an
"AI-like" firewall intelligent enough to perform checksums, block and permit
applications and ports at will. To me this is very promising, provided that
they could integrate the correct checksums for every application that you
install.

For now, they bungled the Skype and WoW signatures. However, if they
perfect this method, I'd be impressed to have this type of firewall on my
workstations. Once this firewall gets dissected on how it works, I think
IPtables/Netfilter will integrate almost the same functionality (if
non-existent in current builds.)

================ Forwarded message =========================

from: Juergen Schmidt <email removed>
to: [EMAIL PROTECTED], [EMAIL PROTECTED]
date: Nov 6, 2007 3:36 AM
subject: [Full-disclosure] Leopard's firewall damages Skype and WoW
mailed-by: lists.grok.org.uk

Hi,

some further research on the firewall of Mac OS X Leopard proved that the
firewall is altering binaries on the disc -- in some cases they refuse to
work after that.

In contrast to Tiger, the firewall in Leopard no longer operates at the
packet level but rather it works with applications, to which it permits
or denies specific network activities.
In order to unambiguously identify applications, Apple uses code
signatures. Certain applications signed by Apple are automatically permitted
to communicate with the network past the firewall without showing that in
the user interface -- even if the firewall is set to "Block all incoming
connections". (see: http://www.heise-security.co.uk/articles/98120).

By contrast, if an application which does not have a valid signature opens
a network port, the firewall swings into action.
In restricted mode, simply trying to start a service brings up a window
asking the user for permission. The system records this choice and enters
it into the firewall's exceptions list. In the process, Apple furnishes
unsigned programs with a digital signature.
If changes are made to the program subsequently, the permission is
withdrawn.

Code signing becomes a problem when an application performs its own
self-integrity check and determines that the file on the hard disk has
been changed. The firewall's code signature changes the checksum of
Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it
displays the following message:

Main starting
Check 1 failed. Can't run Skype

Similar behaviour has been observed by World of Warcraft users.

For more see:

http://www.heise-security.co.uk/news/98492

Code Signing is documented in:

http://developer.apple.com/releasenotes/Security/RN-CodeSigning/
http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html

bye, ju

--
Juergen Schmidt, editor-in-chief heise Security www.heise-security.co.uk
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
"A dog that has no bite, barks loudest."
Registered Linux User #400165
http://baudizm.blogsome.com
Full-Disclosure,LARTC,Open-ITLUG, PRUG, KLUG, linuxusersgroup,
sybase.public.ase.linux
_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph
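The forwarded report describes a self-integrity check that breaks the moment the firewall appends a code signature to the binary, because the check hashes the whole file. The following is an added example, not code from the post, heise or Apple: a toy binary format (not Mach-O) with a header that records the length and MD5 of the code body only, so a constructed signature blob appended after the body leaves the check intact, while a change to the body itself is still caught. The whole-file MD5 beside it models the kind of check Skype reportedly used.

```python
import hashlib
import struct

# Toy format (constructed for this example): header = magic, body length,
# MD5 of the body. Only the body is covered by the self-check, so data that a
# signer appends after it does not disturb the check.
MAGIC = b"TOYB"
HEADER_FMT = ">4sI16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def build_binary(body: bytes) -> bytes:
    header = struct.pack(HEADER_FMT, MAGIC, len(body), hashlib.md5(body).digest())
    return header + body


def whole_file_md5(data: bytes) -> str:
    """Fragile check: digest of everything on disk, so any appended
    signature changes the value and the check fails."""
    return hashlib.md5(data).hexdigest()


def region_check(data: bytes) -> bool:
    """Robust check: hash only the region the header declares as code."""
    if len(data) < HEADER_LEN:
        return False
    magic, body_len, expected = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic != MAGIC or len(data) < HEADER_LEN + body_len:
        return False
    body = data[HEADER_LEN:HEADER_LEN + body_len]
    return hashlib.md5(body).digest() == expected


# Constructed stand-in for the signature blob a signer appends to the file.
FAKE_SIGNATURE = b"\x00SIGNATURE-BLOB-CONSTRUCTED\x00"


def demo() -> dict:
    original = build_binary(b"\x55\x48\x89\xe5 main: ...")  # constructed body
    signed = original + FAKE_SIGNATURE
    tampered = bytearray(signed)
    tampered[HEADER_LEN] ^= 0xFF  # flip one byte inside the code body
    return {
        "whole_file_changed": whole_file_md5(original) != whole_file_md5(signed),
        "region_ok_after_signing": region_check(signed),
        "region_detects_tamper": not region_check(bytes(tampered)),
    }
```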
