Disable Bonjour service advertisements in OS X
October 23rd, 2011
If you are concerned that Bonjour service advertisements on the local network compromise your privacy or security, you can disable them. The procedure is described in http://support.apple.com/kb/HT3789:
$ cd /System/Library/LaunchDaemons
$ sudo vi com.apple.mDNSResponder.plist
and replace:
<array>
<string>/usr/sbin/mDNSResponder</string>
<string>-launchd</string>
</array>
with
<array>
<string>/usr/sbin/mDNSResponder</string>
<string>-launchd</string>
<string>-NoMulticastAdvertisements</string>
</array>
Error Configuring db46 – MacPorts
December 20th, 2010
Recently, I could not get db46 to install from MacPorts:
$ sudo /opt/local/bin/port install db46
...
Error: db46 requires the Java for Mac OS X development headers.
Error: Download the Java Developer Package from:
Error: Target org.macports.configure returned: missing Java headers
The solution consists of creating a symbolic link to the installed files:
sudo ln -s /Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Headers \
    /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Headers
How to disable Bonjour in Mac OS X Snow Leopard
April 7th, 2010
From "Mac OS X v10.6: Disabling mDNSResponder will disable DNS" I found how to disable Bonjour broadcasting without disabling mDNSResponder, because disabling mDNSResponder effectively breaks DNS name resolution.
To disable Bonjour broadcasting, just add:
<string>-NoMulticastAdvertisements</string>
to the array in the ProgramArguments section in /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist:
...
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/mDNSResponder</string>
<string>-launchd</string>
<string>-NoMulticastAdvertisements</string>
</array>
...
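An added example (not from the original posts or from Apple's article): a Python check that reads a launchd plist, reports whether ProgramArguments already carries -NoMulticastAdvertisements, and appends the flag once if it is missing. The embedded plist is a constructed, minimal stand-in for com.apple.mDNSResponder.plist, and the function names are illustrative.

```python
import plistlib

FLAG = "-NoMulticastAdvertisements"

# Constructed sample: minimal stand-in for com.apple.mDNSResponder.plist
# (the real file carries more keys than these two).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.mDNSResponder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/sbin/mDNSResponder</string>
        <string>-launchd</string>
    </array>
</dict>
</plist>
"""


def program_arguments(plist_bytes):
    """Return the ProgramArguments list, or raise if it is absent or malformed."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments")
    if not isinstance(args, list) or not args:
        raise ValueError("ProgramArguments missing or empty; refusing to continue")
    return args


def advertisements_disabled(plist_bytes):
    """True when the daemon is already started with the flag."""
    return FLAG in program_arguments(plist_bytes)


def disable_advertisements(plist_bytes):
    """Return plist bytes with the flag present exactly once (idempotent)."""
    plist = plistlib.loads(plist_bytes)
    args = program_arguments(plist_bytes)
    if FLAG not in args:
        args = args + [FLAG]
    plist["ProgramArguments"] = args
    return plistlib.dumps(plist)


if __name__ == "__main__":
    patched = disable_advertisements(SAMPLE_PLIST)
    print("before:", advertisements_disabled(SAMPLE_PLIST))
    print("after: ", advertisements_disabled(patched), program_arguments(patched))
```

On a real system the input would be the bytes of /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist, edited as root; keep a backup copy before writing the result back.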
Google Talk Video might cause up to a 30-second delay while sleeping on Snow Leopard
September 8th, 2009
The currently available version of the Google Talk Video plug-in for Mac OS X (1.0.13.1284) might cause up to a 30-second delay while putting the computer to sleep under Snow Leopard.
This has been reported and discussed in the following Apple support thread. In the end, the solution typically requires uninstalling Google Talk Video. The solution was found and reported by Snoop Dogg in that same thread.
Basically, the misbehaving process can be found by running sudo pmset -g log then looking for the process with the highest response time. In my case:
$ sudo pmset -g log
...
 * Domain: applicationresponse.timedout
 - Message: Kernel GoogleTalkPlugin com.apple.powermanagement.applicationresponse.timedout 30000 ms
 - Time: 9/2/09 12:42:47 AM GMT+02:00
 - Signature: GoogleTalkPlugin
 - UUID: AD1E9199-B66D-41CB-BF4F-590EF232DE79
 - Result: Noop
 - Response time (ms): 30000
...
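An added example (not part of the original post): a small Python parser for log records in the layout quoted above that ranks processes by response time, so the slowest responder does not have to be picked out by eye. The sample text is constructed; its first record mirrors the one above and the second (SampleApp) is invented for contrast.

```python
# Constructed sample in the layout of the `pmset -g log` excerpt above.
SAMPLE_LOG = """\
 * Domain: applicationresponse.timedout
 - Message: Kernel SampleApp com.apple.powermanagement.applicationresponse.timedout 1200 ms
 - Time: 9/2/09 12:41:10 AM GMT+02:00
 - Signature: SampleApp
 - Result: Noop
 - Response time (ms): 1200
 * Domain: applicationresponse.timedout
 - Message: Kernel GoogleTalkPlugin com.apple.powermanagement.applicationresponse.timedout 30000 ms
 - Time: 9/2/09 12:42:47 AM GMT+02:00
 - Signature: GoogleTalkPlugin
 - UUID: AD1E9199-B66D-41CB-BF4F-590EF232DE79
 - Result: Noop
 - Response time (ms): 30000
"""


def parse_records(text):
    """Split the log into one dict per '* Domain:' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* Domain:"):
            current = {"Domain": line.split(":", 1)[1].strip()}
            records.append(current)
        elif line.startswith("- ") and current is not None:
            # Split on the first colon only: the Time value contains colons too.
            key, sep, value = line[2:].partition(":")
            if sep:
                current[key.strip()] = value.strip()
    return records


def slowest_responders(text, threshold_ms=0):
    """Return (signature, response_ms) pairs at or above threshold, slowest first."""
    hits = []
    for rec in parse_records(text):
        ms = rec.get("Response time (ms)", "")
        if ms.isdigit() and int(ms) >= threshold_ms:
            hits.append((rec.get("Signature", "?"), int(ms)))
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for signature, ms in slowest_responders(SAMPLE_LOG):
        print(f"{ms:>6} ms  {signature}")
```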
Official Chromium builds for Mac OS X
May 16th, 2009
Recently, the Chromium team has started to provide official builds of Chromium for Mac OS X. It looks to me as if these builds are just the output of the continuous build process, also known as the waterfall.
In any case, this is good news and to me a proof that Chromium for Mac OS X keeps evolving at a fast pace and that it is making very good progress. As a consequence, a few days ago, I switched to Chromium as my main browser (also in Linux) and I must say it feels great so far.
PS: This post was written entirely under Chromium for Mac OS X. No crashes or any strange behavior were experienced.
Chromium for Mac OS X
May 1st, 2009
Chromium is the open source browser developed by Google. The differences between Chromium and Chrome are very minimal. Chrome has custom icons and other paraphernalia that, due to licensing issues, can’t be made available in Chromium. Chrome is also available as a binary for Microsoft Windows operating systems, and can be downloaded from the Google Chrome Web site.
Other than that, Chromium is a fully functional browser product that is currently available only as source code. Chromium is available for Windows, Mac OS X and Linux. The Mac OS X and Linux ports are still under heavy development but are becoming more and more usable over time.
For more than a month I’ve been tracking development of Chromium for Mac OS X. I’ve been building and testing Chromium for Mac OS X myself [1] and my general impression is that the development pace is pretty fast. For example, yesterday, a mock Preferences dialog box was added. A few days ago, working support for draggable and detachable tabs was also added (previously it was possible to detach a tab from a window but it was not possible to re-attach it to an existing window).
Overall, the Mac OS X port of Chromium is getting more and more usable and stable. I’m now able to use it for most browsing tasks. The look and feel matches Aqua perfectly but also closely resembles its Windows counterpart. While it is true there are a few annoyances, like losing the focus on edit controls when switching tabs, or tabs crashing at times when executing a paste operation, they are getting fixed in each iteration. The browser feels extremely fast when compared to Firefox 3.0 and faster than Firefox 3.1, Safari or Safari 4 beta. Heavy and complex Web pages like Google Reader or Google Mail load almost instantly while still looking correct. Some Web pages get rendered slightly differently from other browsers. As an example, Google Mail looks slightly different with bigger spacing between lines in the mail thread (main) view and also slightly smaller fonts, but these are very subtle differences that do not affect usability or readability.
I must confess I’m pretty impressed by Chromium. When Google disclosed Chrome and the initial availability for the Windows platform only, I was very disappointed. I also thought that it’d take much longer to see a nearly-functional port for Mac OS X or Linux. But I was wrong. It is good to be wrong. Let’s hope the development pace stays at the same level.
PS: By the way, this post was written entirely from Chromium in Mac OS X. The tab crashed a couple of times but WordPress has a nice auto-save feature that I really appreciate.
[1] http://code.google.com/p/chromium/wiki/MacBuildInstructions
Safari/MacBook security
March 19th, 2009
It is probably not well known to many, and probably ignored by most, but it seems that Mac OS X, and specifically Safari, leaves much to be desired when it comes to security.
During the Pwn2Own contest, Safari was the first browser to fall, in the order of seconds, when put under attack by Charlie Miller. This has been reported in several places, like Pwn2Own 2009: Safari/MacBook falls in seconds, or Miller: Safari on Mac First to Fall During PWN2OWN Contest, or Miller Cracks Safari Within Seconds, Wins PWN2OWN Contest. For the second year in a row, Safari/MacBook has been the first browser to fall under attack.
So, if you are a user of Mac OS X, be very careful when using Safari. These attacks so far require you to click on links specifically crafted to cause harm to your computer, which might allow the attacker to gain total control of your machine. Hence, the importance of never running with an account that has administrative privileges.
FreeNX, usermode authentication and Mac OS X
January 18th, 2009
I’ve always been looking for a way in NX/FreeNX to be able to authenticate using mechanisms other than username and password, like SSH private/public keys or Kerberos. Turns out that it is possible.
Someone pointed me to the FreeNX 0.7.3 announcement that contains the following excerpt:
Usermode and SUID Wrapper
=========================
We are now very close to login directly with users and I also heard of a C program, which can be seamlessly put between nxclient and nxssh. So with client support we now have three alternatives:
1. Login as user via ssh and connect to server with ssh command on server again.
2. Login as user and use usermode to save all sessions locally for each user.
3. Use a SUID nx (not root!) wrapper to startup a new "trusted" session.
One is error prone, two is good, but loses the central structure, three is best of both worlds and with being suid nx also has the most advantages, however not the dreaded public key problems.
_Yes_, this means if you use the suid wrapper, you still need the nx user, but you can remove the public keys and it'll still work.
The SUID wrapper is a part from the work of the redesign and thanks goes to Alistair Riddoch from Google here.
By default, NoMachine’s NX nxserver requires nxclient to log in via SSH into the remote machine as user nx. As nxserver is defined as the login shell, it is run by the sshd daemon. From there on, there is a dialogue between nxclient and nxserver where nxclient supplies the user credentials (username and password that were specified in the nxclient configuration). There is, in fact, a second authentication that is performed via another SSH session to 127.0.0.1 using nxclient’s supplied credentials. If this second authentication succeeds, the NX session is activated and accessible from the NX client.
This works well for remote servers that are shared by multiple users, as the nx user and its centralized approach makes it very easy to see how many sessions are currently running (or suspended), terminate them, etc. However, for machines that are not shared by multiple users, or in those cases where authentication mechanisms other than username and password are required, this model does not work very well.
This is where FreeNX’s usermode enters the scene. Basically, it means that authentication to nxserver no longer happens as the nx user but as the end user. The number of SSH sessions is reduced to one, which authenticates the user directly by means of SSH’s built-in authentication capabilities, and nxserver runs under the end user’s credentials instead of the nx user’s. This obviously kills the centralized approach originally envisioned by NoMachine, since the control and session files can no longer be stored easily and securely in a central location and are instead stored in the user’s home directory. But I think the upsides of usermode support outweigh the lack of centralized management. At least in my case, I don’t need centralized management since it’s me who manages all my boxes and logs into them.
How to install and configure FreeNX to support usermode
Next I describe what I had to do, both on the remote machine and also on the client, to get a working FreeNX environment that supports usermode. Other modes are also supported, like legacy nx-based, SUID and others.
Download NX4U tarball from BerliOS and extract it
$ wget http://download.berlios.de/freenx/NX4U.tar.gz
$ sudo tar -C /opt -zxf NX4U.tar.gz
NOTE: The NX4U tarball that I used can also be downloaded from this Web site here.
NOTE: The NX4U set and the nxssh wrapper are smart enough so that you can also extract the NX4U tarball in other locations. Looking at the source code for the nxssh wrapper — nxssh-4US.c — nxssh wrapper uses the following PATH to locate the nxserver binary:
#define NXSERVER_PATH \
    "~/bin: ~/NX4U/: /usr/NX/bin: /opt/NX/bin: /opt/NX4U/bin: /usr/NX4U/bin: /usr/local/NX4U/bin: /usr/lib/nx/bin"
Compile the nxssh wrapper
First, download the source code from the SVN repository:
$ svn checkout https://developername@svn.berlios.de/svnroot/repos/freenx/trunk
NOTE: I saved a copy of the SVN repository that I used. The tarball is available in this Web site here.
Build the nxssh wrapper for Mac OS X. nxssh is a simple C program that currently compiles for me with no problems on Linux and Mac OS X:
$ cd trunk/freenx-utils/nxpublickey/
$ make nxssh
NOTE: The Makefile also has a target named nxssh.exe to compile the wrapper for Windows.
Now, let’s rename NoMachine’s nxssh binary to mxssh (the nxssh wrapper expects NoMachine’s nxssh binary to be renamed to mxssh), then install the nxssh wrapper:
$ sudo bash
# mv /usr/NX/bin/nxssh /usr/NX/bin/mxssh
# install -m755 nxssh /usr/NX/bin/nxssh
# ^D
Configure .ssh/config
What looks like a bug in NoMachine’s nxssh will cause public-key authentication requests to fail with a "percent_expand: NULL replacement" error unless .ssh/config is modified to explicitly state the location of the key file (IdentityFile). For example:
Host my.host.org
IdentityFile ~/.ssh/id_dsa
Configure nxclient
In order to use usermode authentication, make sure to prepend the hostname with the @ (at) sign:
Hostname: @my.host.org
Also, make sure the username has the @ (at) sign prepended plus @U (at U) appended. These non-standard forms are parsed by the nxssh wrapper and enable usermode authentication (or other authentications like SUID):
Username: @myself@U
For more information about possible syntaxes, take a look at freenx-utils/nxpublickey/nxssh-wrapper (the shell script implementation of the nxssh wrapper).
Windows 7 Beta 1 + Apple = no sound
January 11th, 2009
While testing Windows 7 on an Apple MacBook Pro system, I noticed that sound didn’t work at all. Of course, this was after I installed BootCamp drivers and everything was working (more or less as expected) except the sound.
What’s the solution? I found it here. In essence, the solution consists of running the RealTekSetup.exe binary from the Leopard DVD using “Troubleshoot Compatibility”, telling it that “The program worked in earlier versions of Windows” and that it worked fine in “Windows Vista”. After it has been installed, no reboot is even needed!
iPhone OS 2.0 and jailbreaks
July 28th, 2008
Recently I bought an iPod touch. It originally came with OS 1.1.4 and as soon as Apple made the 2.0 software available (and downloadable), I upgraded.
While the new iTunes App Store is a welcome addition, I found most of the applications not very useful to me. While some like Remote, Facebook, Last.fm or eReader are awesome, I have yet to see applications on the store that fully unleash the power of the iPhone/iPod platform. For example, I’m waiting for a PDF reader that can fetch files from the local disk.
Here comes the power of jailbreak. There are so many things one can do with a jailbroken box. For example, with OpenSSH I can upload e-books to my iPod and bypass the limitations of eBook.app (it only likes e-books purchased from two web sites, but I have a few books that I legally downloaded from manybooks.net licensed under Creative Commons). I can also install Light HTTPd to serve PDFs locally that I can browse using Safari. It is very convoluted but it works.
Apple: if you read this, please lift all the absurd restrictions from the iPhone/iPod software and let people unleash the true power of this amazing portable platform.