Convenience vs. Security I: Change Safari’s “safe” files list

This is a rewrite of an article from last year, with clearer instructions and images this time around.

Something that you should probably know about me is that my computer making my life more difficult in the name of “security” drives me utterly up the wall. At least give me the option! Things like how Windows has a nasty habit of forcing restarts overnight, causing you to lose anything you had open.. grr. More so when you change the settings to not do this and they get changed back automatically in a future update.

Listen, you jerks, did you forget whose computer this was?!

But that is a rant for another time.

One of the nicest things about Mac OS X is what I’d call “thoughtful” design. That is, you see little touches in various places that make your life easier, that make you think that the developers have thought of everything, the rough edges that you’ll run into as an everyday user.

And yet, even they’re not immune to the constant irritant of outright removing convenience in the name of security.

So, Safari. It’s a nice browser. Reasonably secure, reasonably fast, uses WebKit.

One of the nice little touches it has is that it’ll automatically open some files when they’re downloaded. If you download a .zip for instance, it’s a reasonably good bet that you want the contents extracted, so it just launches the system archive utility and away you go. Nice and smooth. If this bothers you, you can turn it off with a prominently placed check box:

[Image: Safari preferences]

Here’s the thing: What is considered a “safe” file changes from time to time.

Back in Safari 5, DMGs (disk images) were considered safe files.

[Image: Safari “Open safe files” setting]

Note the inclusion of “disk images” in the text.

This goes back to what I was talking about, removing convenience outright in the name of security. If I download a disk image, there is a 99.999% probability that I want to use its contents immediately.

Presumably, this was done due to the threat of malware automatically downloading to your PC and then having its disk image mounted. I’m kind of unsure what the real threat is, as long as you’re careful not to open random files on random disk images that appear on your computer unsolicited…

Thankfully, in this case, we have the ability to return that convenience on our own terms. Score one for usability!

While we can’t edit what Safari thinks a safe file is by hand, Mac OS has two very cool features we can use to work around this silliness: AppleScript and Folder Actions.

  • AppleScript is, as the name implies, a scripting language which is tied deeply into the operating system.
  • Folder Actions is a feature where you can tie AppleScripts into folders and have them do things when files are added, removed, or modified.

See where this is going? We’re going to make an AppleScript that opens certain files placed into our Downloads folder automatically.

The first thing you should do is open up your AppleScript editor. This will be under Utilities in your Applications folder.

[Image: AppleScript Editor]

AppleScript is pretty simple, yet pretty powerful. You’ll notice that it sounds a lot like English. The hardest part is spelling “receiving” correctly :)

Paste this block of text into your AppleScript editor:

It should be relatively obvious what happens here. Whenever an item gets added to our folder, Finder is told to open the file if it’s a .dmg.

Now we need to make this a folder action. Save your script as something memorable, like “Open folder contents on add” then move it into the Folder Actions folder. You can find this under /Library/Scripts/Folder Action Scripts. (You’ll be prompted for your password here.)

[Image: Folder Action Scripts folder]

This will make the script you just created ready for the next step.

Now, you need to find your user folder. The simplest way to do this is to click Downloads in the sidebar, then right-click and hit “Show enclosing folder”.

Right click on Downloads in the main window now, go to Services, and select “Folder Actions Setup…”

[Image: Folder actions on Downloads folder]

As soon as you click on this, you’ll be prompted for “Choose a script to attach”. The script you just saved will be in this list. Click it, and hit attach.

[Image: Folder actions window]

Once you do this, simply close the window. Now it’s time to test.

If you’re like me, you’ll have a ton of junk in your downloads folder already. Grab a disk image file from there and throw it onto your desktop.

Then, move it back into downloads. As soon as you hear the “sproing”, the disk image window should come up in a couple of seconds.

This may take a bit longer to work than usual the very first time.

And you’re done! Any time you download a disk image from now on, it automagically opens. The way it always should.

UniBeast 1.7.0 released today, same DRM shenanigans and hypocrisy apply

One day after my last post, talking about how silly the Tonymacx86 attempts at “antipiracy” are (considering that their tools amount to nothing greater than a software crack themselves), version 1.7.0 has been released.

Among the change notes is this:

  • Removed misleading messages

No way!

So I downloaded the latest version and extracted it as usual. To my utter surprise, the preinstall script inside extra.pkg is removed outright!

Well then. So either they’ve gained principles and removed the check, or it’s been hidden elsewhere.

Let’s find out!

Oh. Apparently I ask too much; they just moved it.

..into a package called “dsmos”.

Now, you see, that’s very interesting. DSMOS in any other context would refer to a Mac OS kernel extension. It stands for “Don’t Steal Mac OS X”. This module uses the hardware SMC present on real macs to prevent the OS from booting on any device other than Apple hardware.

I say this is interesting, because this DSMOS kernel module is patched by Unibeast to allow Mac OS X to boot!

There’s that honor among thieves, again. Disregarding and cracking one part of Apple’s rights while going out of their way to uphold the other.

What the f*ck.

So let’s see what they’re checking this time. Inside Unibeast.pkg/dsmos.pkg/Scripts/preinstall:

  • Lines 10-15: Check that the volume mounted isn’t called “Mac OS X Install ESD”
  • Lines 17-22: Check for the existence of _MASReceipt/receipt in the install app
  • Lines 24-29: Performs a md5sum(!!) of the receipt file to ensure it matches f4747dbc07df72ad92a84186e2b5488d
  • Lines 31-36: Checks to see if the receipt file is less than 4600 bytes
  • Lines 38-43: Checks to see if the phrase com.apple.InstallAssistant.MountainLion is not in the receipt (??)

They’ve definitely scaled up a bit, adding two more checks. Much to their credit, they no longer assert that a missing receipt is an indication of piracy.

Now, if they’d remove these boneheaded checks outright, we could get back to every person being able to run whatever code they want on their own computer. But, barring that, we have to fix it ourselves..

The fix for 1.7.0 is identical to the fix for the earlier version, save we change a path and a digit:

If this is problematic for you, I’ve also created an Automator app which will make the same change: Unibeast1.7.0-Patcher-V2.zip

Edit: Nope. Just use the command line above (thanks John!).

You should probably be familiar with the command line before making a modification like this anyways, and if not, you’re going to have a bad time hackintoshing ;)

Further Edit: The command above will only work on a Mac. It’s assumed that you have one since you’re using Unibeast, but if you unpackage the .pkg some other way on Linux, the sed command changes as follows:

You’ll lose the cute googly eyes on the installer, but alas, such is the price of freedom :)

TK Out.

Honor among thieves: The Tonymacx86 hypocrisy becomes a story

Well, this was unexpected.

The very last post here (at least I guess, more on that in a minute) has garnered me a “DMCA” takedown notice from an unspecified “Tonymacx86 legal”.

Why all the brackets and air quotes, you ask? Because the message I received isn’t worth the bytes used to compose it.

I’d assume receiving such a notice would be rather intimidating- however .. well, let’s just have a look shall we?

A missive from a sad, bleak future

Subject: DMCA Take Down Notice
From: ModBot
To: [email protected]
Cc: team <team@tonymacx86.com>

(my name and address)

Sir,

You are in violation of DMCA by posting the source code to UniBeast which is copyrighted by tonymacx86 LLC and is documented on line 8 in the content in question. This content along with any modified versions of UniBeast must be immediately removed from your site and any other site or server that you have shared this content with.

Failure to comply with this notice will require us to take further action.

This communication and it’s content is confidential. As such, this content may not be disclosed outside of this email or any future communications by either party.

Sincerely,

tonymacx86 LLC Legal

Sounds pretty bad.

Unfortunately, the folks behind “tonymacx86 LLC Legal” seem to be unclear on what a DMCA takedown notice is and requires.

The digital what?

The Digital Millennium Copyright Act is a law, passed by the 105th Congress, which amends the US Code to reflect realities of the connected world we live in. It sets out further definitions and extensions of copyright, basically.

The “notice” we’re referring to above is a weak attempt (much like their weak DRM scheme from last post) at the real thing.

A quick reading of the DMCA, section 512, subsection 3, paragraph A, sets out these requirements.

To wit:

      (3) ELEMENTS OF NOTIFICATION-
      (A) To be effective under this subsection, a notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following:
      (i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
      (ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.
      (iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.
      (iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.
      (v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
      (vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

tl;dr: The law sets out 6 things required for a DMCA notice to be considered legitimate.

Failing 6 ways from Sunday

Looking at these 6 things, and the “notice” I received, there are a few issues here. Let’s compare what the law requires with what I received:

1. A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Nowhere to be found. There’s a vague “tonymacx86 legal”, but no real signature.

2. Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

This works – sort of. They claim I’m infringing their copyright to the UniBeast source code. However, what version?  The code I talk about didn’t exist until recently. Legal matters require you to be specific.

3. Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

Nope. The message refers to a “line 8”, but doesn’t give so much as a web link. Line 8 of what? Line 8 of my blog? Line 8 of my famous recipe for chocolate chip cookies? Line 8 of my telephone pool? The message reads as “the content in question” – what content? Where?

One thing is obvious at this point – this message was created by a layman, not a lawyer. A lawyer would not have made these rookie mistakes. But let’s continue…

4. Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

Not even close. No address, no phone number. All I get are two nebulous email addresses (on the from: and cc: lines) which, for all I know, go into a bit bucket somewhere.

Oddly enough, Tony’s site, and the email, makes a number of references to a “tonymacx86 LLC”. I thought I’d be proactive and get the necessary contact information from their whois. Let’s see here:

Oh wow. Not even a legitimate phone number. They registered the domain through “DomainsByProxy”, a privacy protection service which renders any random person unable to contact the party on the other side.

Great for people running websites, but of questionable use for a “business”.

5.  A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.

No such statement in the email. This is basic, basic boilerplate that any DMCA will contain. This only further confirms my suspicion that this email was created by some random, not by a legitimate legal team.

6. A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Again, no such statement.

Conclusion

Congratulations, “tonymacx86 LLC Legal”! Out of the 6 elements required to make a DMCA notice, you successfully completed zero of them. That’s what we not in the biz refer to as an “epic fail”.

Speaking of confirming suspicions, dear readers, this should raise further questions in your mind if you plan on using any Tonymacx86 tools for your Hackintosh needs. Why would a legitimate organization/person/group/thing take the extraordinary step of sending fake legal notices to someone who points out that they’re both acting hypocritically and ineffectively?

It reeks of sour grapes and immaturity.

Oh, and another quick note. Should any “tonymacx86 Legal” people be reading this, consider this your notification that any further communiqué with me will be published, critiqued, and quite possibly mocked on this website. Your “confidentiality notice” is about as worthless as your “DMCA”. Furthermore, should they actually decide to pull their heads out and build a passable DMCA notice, it will also be submitted to the Chilling Effects clearinghouse for public scrutiny and comment.

I await the next turn of this now-interesting story with bated breath.

Hypocrisy, thy name is Tonymacx86

Or: Why do I keep getting install failures when I try to use UniBeast?

So I’ve spent this past weekend in a kind of interesting situation. I own two macs, you see. One at home (which is very much dead, after a rollover accident which saw it chucked out the window, and Apple wanted north of $1K to fix), and one at work. Both of these devices run Mountain Lion.

Well, since the dead mac is basically useless to me, I want to take its copy of Mountain Lion and install it on my PC.

Technically, this is against Apple’s EULA. Realistically, I don’t put too much stock in what a megacorp claims their rights are on something that I owned and purchased :)

So I headed over to the bay and downloaded a copy of the App Store Mountain Lion installer, with the intention of using it with a Tonymacx86 tool called Unibeast to generate a flash drive I can use to install the OS on my desktop.

Well, I go through the process, and the installer quits, saying it encountered an error.

I dig through my system logs, and I see this gem:

I originally thought this was a new Apple check, so I take that error message verbatim to Google. Where I end up is the Tonymacx86 forums. Lots of people having install failures.

Their response is one that’s obviously canned: “Your copy of ‘Install Mac OS Mountain Lion.app’ is incomplete, redownload it from Apple”.

Interesting.. I think. It seems they’re being terribly evasive about this.

Well, the error message is coming from a script called preinstall, so let’s look at that.

I use pkgutil to unpack the .PKG installer:

Then, a grep command later:

Sure enough, in the preinstaller script, is this lovely bit of weak-sauce DRM:

Crude DRM in a tool which exists only to help break Apple’s DRM.

I also wonder why they’re saving off that receipt file to another location.

In any case:

It is now my firm belief that the Tonymacx86 project or any files or tools sourced from there can NO LONGER BE CONSIDERED TRUSTWORTHY.

If they’re willing to resort to tricks such as this to waste your time, using a script that runs with elevated permissions, it’s a quite short jump from there to causing system damage.

Imagine instead of echoing something out to the syslog, they threw an rm in there on something vital. A kext or two. Doesn’t take much to make a system unbootable.
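
One way to do this kind of inspection before letting an installer run its scripts as root, as an added example (not code from the original post or from UniBeast): it lists the preinstall and postinstall scripts in an already expanded package and flags lines that use commands worth reading closely. The function names, the pattern list and the sample preinstall script are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: review a package's install scripts before the installer
# runs them as root. Function names and the pattern list are illustrative
# assumptions, not part of the original post or of UniBeast.

# Whole-word commands worth reading closely in a root-run script.
RISKY='rm|mv|cp|dd|curl|chmod|chown|md5|md5sum|kextunload|exit [1-9][0-9]*'

# macOS only: unpack a flat .pkg into a directory without installing it.
expand_pkg() { pkgutil --expand "$1" "$2"; }

# List every preinstall/postinstall script under an expanded package.
list_install_scripts() {
    find "$1" -type f \( -name preinstall -o -name postinstall \) | sort
}

# Print file:line:text for each line that uses a flagged command.
audit_expanded_pkg() {
    local script
    list_install_scripts "$1" | while IFS= read -r script; do
        grep -HnwE "$RISKY" "$script" || true
    done
}

# Constructed sample tree (not the real UniBeast script), so the audit
# can be tried offline on any system with find and grep.
make_sample_pkg() {
    local dir
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/sample.pkg/Scripts"
    cat > "$dir/sample.pkg/Scripts/preinstall" <<'EOF'
#!/bin/sh
# constructed sample preinstall
receipt="$2/Contents/_MASReceipt/receipt"
if [ ! -f "$receipt" ]; then
    echo "installer app looks incomplete"
    exit 1
fi
cp "$receipt" /tmp/receipt.copy
exit 0
EOF
    printf '%s\n' "$dir"
}

# Demo run on the constructed sample.
sample=$(make_sample_pkg)
audit_expanded_pkg "$sample"
rm -rf "$sample"
```

On a Mac, run `expand_pkg` on the real package first and point `audit_expanded_pkg` at the resulting directory; a flagged line is a prompt to read the script, not a verdict.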

I’ll be staying far, far away from these buffoons in the future.

Now, as an example of how utterly ineffective this kind of “DRM” is (like most kinds of DRM actually), here’s how you fix the bug and get Unibeast to work regardless of the source of your Mountain Lion installer. In one line of bash:

We unpack, drop the first 27 lines of the preinstall script (which serve no purpose whatsoever other than to inconvenience people), then repack.

Run, and you’re good.

I reiterate though, you should think very long and hard before using any tools from these people in the future.

SQL and Shell Shenanigans!

Two big projects I’m working on right now..

I’m putting the Minecraft project on the back burner for now – it provides most of the same data as the management dashboard on the host’s site.. Kind of want to add in disk usage and a couple of other small metrics, but that can come later.

The story generator is going to be more difficult (the Minecraft one is one of those problems that can be solved by brute force and time.. you know it’ll work, it just has to be configured). This will take some messing around to make work the way she wants it done.

I’ve learned a ton about SQL recently by messing around with this… For instance, another part of the same “bot” uses INI files for a profile system, and I want to migrate that to a database backend as well. There are 3 tables here..

(insert image)

The problem.. given some profile text, how do I find out who owns it? Mistakenly I thought this would need a JOIN of some kind, problem is how do you filter a join? If I were to say, join the items_data with the items_meta table using itemid from data and id from meta, I end up with a result set that includes the full content of the items_meta table.

Nope.. the right solution ended up being a nested query. You have to build it from the top down (start at owners, go to meta, go to data) instead of the other way around.

Which, when run, gives you exactly what you asked for – an ID from a post.

One challenge down :)

The one thing I’m missing now is a decent tool to build SQLite databases. Most of the interfaces suck for different reasons, are buggy as hell (I’m looking at you, almost every Windows one out there), and are just plain not enjoyable to use. I’d love something like MySQL Workbench but for SQLite, but..

I hope to have a working version of this done within the week. If this kind of random junk interests you, you can follow along using the Github link above.

Hello (again) world!

Well then, that was a ride and a half. Doing a massive server migration in the middle of crazy times at work was probably not the smartest idea I’ve ever had. Got to give a shout out to the folks at Hetzner (http://hetzner.de) for the most reasonably priced hosting I’ve ever seen anywhere. Seriously, they make stateside hosting seem like a huge rip off.

In any case, in lieu of starting with some overblown magazine-esque site that tries too hard to be Ars Technica, I’m going to start fresh, with a new theme, a new focus, maybe bringing in a couple of my better articles from v2.

This is TKWMMB version 3 – and you know what they say, third time’s the charm :)