Daniel Eran Dilger in San Francisco

Ten Myths of Leopard: 5 “Back To My Mac” Security Panic!

Daniel Eran Dilger
Myth 5 in the Ten Myths of Leopard. (Updated)


Myth 5: Leopard’s new “Back to My Mac” Feature is a Security Hazard. This new feature, when turned on, advertises your computer’s location and sharing settings to Apple’s .Mac servers, which then relay it to you when you are working from another location. This allows a laptop user to access files from their desktop at home, print to a shared printer, even set up a screen sharing session to remotely control the system at home.

Apple doesn’t advertise how it works; it simply presents it as a useful feature that is easy to use: you turn it on, and it just works, just like the original AppleTalk in the mid-80s. In reality, Back To My Mac uses Bonjour, which is a modern implementation of some of the technologies from AppleTalk designed to work over the standard Internet Protocol.

As an expansion of the functionality offered by local Bonjour browsing–the technology behind the automatic presentation of shared music in iTunes, shared pictures in iPhoto, and shared files in the new Leopard Finder–the new Back to My Mac uses “Wide Area Bonjour,” which relays information through Apple’s .Mac servers so you can discover your shared information from other locations. In order to secure this information, Apple ties it into your .Mac account.

Apple – .Mac – Back to My Mac

Pundits Punt It On Security.
Several pundits have put on faux-security expert hats and concluded that, because .Mac doesn’t ask you for your stored passwords when you connect to your own systems, it must be insecure. As Rob Mead (a non-technical product reviewer) of Tech.co.uk writes, “The downside is that you access your home Mac using a .Mac login – and that means any other Leopard owner who knows it can also access your files.”

Right, Mead, and anyone who knows your .Mac account can also read your email. In fact, anyone who knows any of your email accounts can read your email. Or to really simplify things: anyone with your password can also use it. That’s why it’s a password, and why you don’t share it. That’s the idea behind passwords: a word that grants passage. If you give away your password randomly, you are not the victim of a security problem, but rather simply making a user error.

Security is a practice, not a status. Nothing is “secure” in any absolute sense. Even an adequately secured system can be taken over by social attack. A high-security army base could be exploited by traitors who give away secrets. That imagined potential does not render it “insecure.” The ability to imagineer insecure scenarios is not the same thing as actually having a security problem.

Windows has serious architectural problems that require users to run a significant overhead of precautionary measures. Mac OS X does not have the same flaws by any stretch of the imagination. This is an issue that requires its own broader examination; however, there is no doubt that ignorant, fear-based assumptions about security are irresponsible to advertise without having any understanding of how things actually work.

Five Windows Flaws # 4
Three Reasons Why Microsoft Can’t Ship (and Apple can)
10 FAS: 10 – Apple’s Mac and iPhone Security Crisis!

Secured Wide Area Bonjour.
When I wrote about Wide Area Bonjour back in May, I hadn’t heard of “Back to My Mac,” which was first announced at WWDC 2007. However, I described what Wide Area Bonjour could do, using DNS-SD (service discovery):

“Wide area Bonjour extends upon the existing DNS infrastructure to allow automatic advertising and discovery of services that would otherwise be hidden from the open Internet. Just as Bonjour devices automatically pop up on the local network, users can register with a given Internet domain name–something like danieleran.mac.com–and receive dynamic updates on the wide area Bonjour services available.”

I gave examples of shared printers, files, bookmarks, and remotely accessible device configuration. A handful of readers worried that this would present a security problem. The answer to many security problems is password authentication. That’s why you need to sign into a DNS-SD account. Apple just simplified everything by vending the service through .Mac, so users have a single password. It then put users in control of deciding which services they want to vend. It is not a security issue that your shares are visible to anyone with your password.
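An added example (not from the original article or from Apple) of checking which services a wide-area DNS-SD domain is actually vending, by walking the RFC 6763 record chain: the enumeration PTR, the per-type PTR, then SRV and TXT. The domain `user.example.com`, the zone contents and the allowlist are constructed for illustration.

```python
# Constructed DNS-SD zone (RFC 6763 record layout); the domain, hosts and
# instance names are placeholders, not values from the article.
DOMAIN = "user.example.com"
ALLOWED = {"_afpovertcp._tcp", "_ipp._tcp"}  # what the owner meant to share

def _n(label):
    return f"{label}.{DOMAIN}"

ZONE = {
    (_n("_services._dns-sd._udp"), "PTR"): [_n("_afpovertcp._tcp"), _n("_ipp._tcp"),
                                            _n("_rfb._tcp"), _n("_ssh._tcp")],
    (_n("_afpovertcp._tcp"), "PTR"): [_n("Home iMac._afpovertcp._tcp")],
    (_n("_ipp._tcp"), "PTR"): [_n("Den Printer._ipp._tcp")],
    (_n("_rfb._tcp"), "PTR"): [_n("Home iMac._rfb._tcp")],
    (_n("_ssh._tcp"), "PTR"): [_n("Old Mini._ssh._tcp")],  # stale: no SRV below
    # SRV rdata is (priority, weight, port, target)
    (_n("Home iMac._afpovertcp._tcp"), "SRV"): [(0, 0, 548, _n("imac"))],
    (_n("Den Printer._ipp._tcp"), "SRV"): [(0, 0, 631, _n("printer"))],
    (_n("Den Printer._ipp._tcp"), "TXT"): ["rp=printers/den", "pdl=application/pdf"],
    (_n("Home iMac._rfb._tcp"), "SRV"): [(0, 0, 5900, _n("imac"))],
}

def service_types(zone):
    """Service types listed under the DNS-SD enumeration name."""
    names = zone.get((_n("_services._dns-sd._udp"), "PTR"), [])
    return [name[: -len(DOMAIN) - 1] for name in names]

def resolve(zone, instance):
    """Follow one instance name to (target, port, txt), or None if no SRV."""
    srv = zone.get((instance, "SRV"))
    if not srv:
        return None
    _, _, port, target = min(srv, key=lambda r: r[0])  # lowest priority wins
    pairs = (kv.split("=", 1) for kv in zone.get((instance, "TXT"), []) if "=" in kv)
    return target, port, dict(pairs)

def audit(zone, allowed):
    """One (instance, type, endpoint, verdict) row per advertised instance."""
    rows = []
    for stype in service_types(zone):
        for inst in zone.get((_n(stype), "PTR"), []):
            found = resolve(zone, inst)
            verdict = ("dangling" if found is None
                       else "ok" if stype in allowed else "unexpected")
            label = inst[: -len(_n(stype)) - 1]
            rows.append((label, stype, found[:2] if found else None, verdict))
    return rows

if __name__ == "__main__":
    for row in audit(ZONE, ALLOWED):
        print(row)
```

The `unexpected` row is a service advertised in the domain that the owner did not intend to share, and the `dangling` row is a leftover advertisement with no endpoint behind it.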

A Global Upgrade for Bonjour: AirPort, iPhone, Leopard, .Mac

Update: Guillaume Gete of Gete.Net Consulting says that Back to My Mac uses Kerberos authentication:

“The fact is that Apple did not lower security by asking for no password to use Back to my Mac. In fact, it uses Kerberos to strengthen security by preventing passwords from being sent through the Internet. If you have a valid Kerberos ticket from your Mac on your local network and you connect to it from Bonjour, you don’t have to identify yourself because the ticket does it for you. And of course, there is also the Keychain, which keeps the passwords for you.”

“I won’t go into further detail, but the fact is that you can use Back to My Mac without using the same .Mac password as on every one of your Macs. This is further proof that Back to My Mac is more secure than a simple password. In fact, it’s probably much better than any other security Apple could have introduced in Mac OS X. The fact that Kerberos is tightly integrated to Bonjour is some serious security fact that nobody really noticed, though it is a significant step in the right direction for everyone’s security.”

Gete notes more in his blog (in French): Serial Serveur

Translated version of http://www.gete.net/blog/ in English via Google Translate

Apple: Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients


8 comments

1 patrick { 11.05.07 at 8:24 am }

From the quote, it sounds like Mead was just making the point that anyone who may have previously given out their .Mac password to someone to share (relatively) benign data, such as email, address book information and calendaring would have to take away that password if they wanted to use the Back to My Mac feature. I’m just saying; I didn’t read the original review. I think the whole thing is neat, but it might be nice if you had the option of having a secondary level of security there. In Tiger, if someone found my .Mac password, it wouldn’t be that big a deal; now it seems like something I might think twice about entering in a public browser to check my email.

2 John Muir { 11.05.07 at 8:34 am }

Hands up any pundits whose authentication details are…

Username: Administrator
Password: [blank]

Now file out of the door at the back.

3 Gmanji { 11.05.07 at 2:31 pm }

This would be a great feature if it actually worked. I have 4 macs on one local network it works with, but 2 others that I set up that are at different locations over the internet seem to consistently drop off my Shared list after a day or so. Is this because Apple is still working out bugs with wide area bonjour in .mac itself?

4 gus2000 { 11.05.07 at 10:53 pm }

Purity of Essence! We must protect our precious bodily fluids!*

Gus

* From “Dr. Strangelove”, which popped into my head when Daniel mentioned the army base scenario. I’m also reminded of it by the so-called security experts on OSX, who seem to be screaming about fluoridation and the communists.

5 maakuRD { 11.06.07 at 9:10 am }

I’m afraid I think you’re too charitable. It’s far from the end of the world, but it’s still a mistake. Your two or more computers and .Mac have independent passwords for a reason, and the Back to My Mac service shouldn’t create a single point of failure without warning. By default it should be like the logmein.com service, where after having entered one password to access the service, you need the login password of the machine you’re connecting to. If you then choose to create a single point of failure by storing that password in your Keychain (logmein.com salts the name of the website representing your computer to make this ineffective but a rework of .Mac could make it an option) then that’s your business.
