Ten Myths of Leopard: 5 “Back To My Mac” Security Panic!
November 5th, 2007
Daniel Eran Dilger
Myth 5 in the Ten Myths of Leopard. (Updated)
Ten Myths of Leopard: 1 Graphics Must Be Slow!
Ten Myths of Leopard: 2 It’s Only a Service Pack!
Ten Myths of Leopard: 3 Nothing New for Developers!
Ten Myths of Leopard: 4 Java 6 Abandonment!
Ten Myths of Leopard: 5 “Back To My Mac” Security Panic!
Myth 5: Leopard’s new “Back to My Mac” Feature is a Security Hazard. This new feature, when turned on, advertises your computer’s location and sharing settings to Apple’s .Mac servers, which then relay it to you when you are working from another location. This allows a laptop user to access files from their desktop at home, print to a shared printer, even set up a screen sharing session to remotely control the system at home.
Apple doesn’t advertise how it works; it simply presents it as a useful feature that is easy to use: you turn it on and it just works, much like the original AppleTalk in the mid 80s. In reality, Back To My Mac uses Bonjour, a modern implementation of some of AppleTalk’s technologies designed to work over the standard Internet Protocol.
As an expansion of the functionality offered by local Bonjour browsing (the technology behind the automatic presentation of shared music in iTunes, shared pictures in iPhoto, and shared files in the new Leopard Finder), the new Back to My Mac uses “Wide Area Bonjour,” which relays information through Apple’s .Mac servers so you can discover your shared information from other locations. In order to secure this information, Apple ties it into your .Mac account.
Pundits Punt It On Security.
Several pundits have put on faux-security expert hats and concluded that, because .Mac doesn’t ask you for your stored passwords when you connect to your own systems, it must be insecure. As Rob Mead (a non-technical product reviewer) of Tech.co.uk writes, “The downside is that you access your home Mac using a .Mac login – and that means any other Leopard owner who knows it can also access your files.”
Right, Mead, and anyone who knows your .Mac account can also read your email. In fact, anyone who knows any of your email accounts can read your email. Or to really simplify things: anyone with your password can also use it. That’s why it’s a password, and why you don’t share it. That’s the idea behind passwords: a word that grants passage. If you give away your password, you are not the victim of a security problem; you are simply making a user error.
Security is a practice, not a status. Nothing is “secure” in any absolute sense. Even an adequately secured system can be taken over through social engineering. A high security army base could be exploited by traitors who give away secrets. That imagined potential does not render it “insecure.” The ability to imagineer insecure scenarios is not the same thing as actually having a security problem.
Windows has serious architectural problems that require users to run a significant overhead of precautionary measures. Mac OS X does not have the same flaws by any stretch of the imagination. This is an issue that requires its own broader examination; however, there is no doubt that ignorant, fear-based assumptions about security are irresponsible to advertise without having any understanding of how things actually work.
Secured Wide Area Bonjour.
When I wrote about Wide Area Bonjour back in May, I hadn’t heard of “Back to My Mac,” which was first announced at WWDC 2007. However, I described what Wide Area Bonjour could do, using DNS-SD (service discovery):
“Wide area Bonjour extends upon the existing DNS infrastructure to allow automatic advertising and discovery of services that would otherwise be hidden from the open Internet. Just as Bonjour devices automatically pop up on the local network, users can register with a given Internet domain name–something like danieleran.mac.com–and receive dynamic updates on the wide area Bonjour services available.”
I gave examples of shared printers, files, bookmarks, and remotely accessible device configuration. A handful of readers worried that this would present a security problem. The answer to many security problems is password authentication. That’s why you need to sign into a DNS-SD account. Apple just simplified everything by vending the service through .Mac, so users have a single password. It then put users in control of deciding which services they want to vend. It is not a security issue that your shares are visible to anyone with your password.
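How a unicast DNS-SD browse resolves a Wide Area Bonjour service, as an added example that is not part of the original article: a small Python resolver over a constructed zone (the example.com names, the “Home Mac” instance and the TXT keys are made-up sample data). It shows the PTR → SRV + TXT chain the article describes, and that every record it returns is readable by anyone who can query the zone, which is why the registration and the advertised services themselves need authentication.

```python
import struct

# Constructed zone (sample data): a PTR names the service instance, and
# SRV/TXT records describe it, stored as DNS wire-format RDATA bytes.
ZONE = {
    ("_afpovertcp._tcp.example.com.", "PTR"): ["Home Mac._afpovertcp._tcp.example.com."],
    ("Home Mac._afpovertcp._tcp.example.com.", "SRV"): [
        struct.pack("!HHH", 0, 0, 548) + b"\x08home-mac\x07example\x03com\x00"],
    ("Home Mac._afpovertcp._tcp.example.com.", "TXT"): [b"\x09txtvers=1\x0bsys=leopard"],
}

def parse_name(data, offset=0):
    """Decode an uncompressed DNS wire-format name into dotted form."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + "."

def parse_srv(rdata):
    """SRV RDATA: priority, weight, port, then the target host name."""
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    return {"priority": priority, "weight": weight, "port": port,
            "target": parse_name(rdata, 6)}

def parse_txt(rdata):
    """TXT RDATA is a run of length-prefixed 'key=value' strings (RFC 6763)."""
    attrs, offset = {}, 0
    while offset < len(rdata):
        length = rdata[offset]
        key, _, value = rdata[offset + 1:offset + 1 + length].decode().partition("=")
        attrs[key] = value
        offset += 1 + length
    return attrs

def browse(zone, service_type, domain):
    """Resolve every instance of a service type under a domain: PTR -> SRV + TXT.
    Everything returned is visible to anyone who can query the zone, which is
    why registration and the advertised services themselves need authentication."""
    results = []
    for instance in zone.get((f"{service_type}.{domain}", "PTR"), []):
        srv = parse_srv(zone[(instance, "SRV")][0])
        txt = parse_txt(zone[(instance, "TXT")][0])
        results.append({"instance": instance, **srv, "txt": txt})
    return results
```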
Update: Guillaume Gete of Gete.Net Consulting says that Back to My Mac uses Kerberos authentication:
“The fact is that Apple did not lower security by not asking for a password to use Back to My Mac. In fact, it uses Kerberos to strengthen security by preventing passwords from being sent over the Internet. If you have a valid Kerberos ticket from your Mac on your local network and you connect to it through Bonjour, you don’t have to identify yourself because the ticket does it for you. And of course, there is also the Keychain, which keeps the passwords for you.”
“I won’t go into further detail, but the fact is that you can use Back to My Mac without using the same .Mac password as on every one of your Macs. This is further proof that Back to My Mac is more secure than a simple password. In fact, it’s probably much better than any other security Apple could have introduced in Mac OS X. The fact that Kerberos is tightly integrated with Bonjour is a serious security fact that nobody really noticed, though it is a significant step in the right direction for everyone’s security.”
Gete notes more in his blog (in French): Serial Serveur