
10.5 Leopard Phones Home, Reveals Little Snitch 2


Apple's Mac OS 10.5 Leopard loginwindow process phones home to lcs.mac.com on port 443, which is only revealed by running the new Little Snitch 2 security monitoring tool.

UPDATE: It appears from Digg comments that verbose booting shows this is Back To My Mac communications and that machines without any .Mac preferences don't send anything. Mystery mostly solved, although we still don't know for sure what's in the HTTPS packets. Additionally: Chris Holland points out there's a chance this might be NAT-PMP traffic. The moral of the story is guard your COMSEC well with tools like Little Snitch.

You can reproduce and deny the suspicious unauthorized outgoing packets by installing Little Snitch 2 beta 10 and rebooting. When loginwindow attempts the connection, you can tell Little Snitch to deny it once or forever, until we discover a legitimate purpose for this transmission.

screenshot of little snitch 2

I googled the strings and Russian hackers are the only ones I could find who have noticed so far, in this LiveJournal post, which I translated into English. Here's a not entirely inappropriate picture they posted in the thread:

What is going on exactly? Why is Apple contacting itself? Can anyone with more expertise in traffic analysis tell us what is being sent through HTTPS?

Little Snitch 2 For The Win

This is a potentially suspicious behavior but it does bring to our attention the importance of independent security tools like Little Snitch that are not designed by the operating system manufacturer. Without Snitch, there is no easy way for users to audit and control their computer's security independent of the manufacturer's whims.

It also highlights the excellence of Little Snitch 2, which is packed with new visual network monitoring features and a new Star Trek-esque configuration interface.

screenshot of little snitch 2

I recommend 10.5 users download Little Snitch 2 and get control over this kind of suspicious network activity. If Apple is doing it, the rest of your software could be doing worse behind your back. Buy yourself a license for Little Snitch 2 for $25 and support the indie developer, because without him we would be at Apple's mercy.

Little Snitch Secures Leopard's Area

Leopard almost copies Little Snitch 1's preference pane and Allow/Deny dialogs with a new Application Firewall under System Preferences > Security, but it only monitors incoming connections, ignoring outgoing spyware like Leopard's loginwindow. Leopard imitates Little Snitch just in time to be dusted by Little Snitch 2 and caught in the act of apparently breaching user privacy.
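A per-process view of outgoing connections can also be taken from the command line by parsing `lsof -i -P` output, as in this added example (not from the original post). The sample lines are constructed, and the approved-process set and the rule that a connection on a listening local port counts as incoming are assumptions.

```python
import re

# Constructed sample of `lsof -i -P` output; addresses are documentation
# placeholders. lsof truncates COMMAND to 9 characters ("loginwind").
SAMPLE = """\
COMMAND    PID USER   FD  TYPE    DEVICE SIZE/OFF NODE NAME
launchd      1 root   20u IPv4 0x3a1c000      0t0  TCP *:22 (LISTEN)
sshd       301 root    4u IPv4 0x3e5c100      0t0  TCP 192.0.2.10:22->192.0.2.77:51000 (ESTABLISHED)
loginwind   31 alice  12u IPv4 0x3e5a268      0t0  TCP 192.0.2.10:49201->lcs.mac.com:443 (ESTABLISHED)
Safari     412 alice  23u IPv4 0x3e5b66c      0t0  TCP 192.0.2.10:49215->example.com:80 (ESTABLISHED)
mDNSRespo   18 _mdns   8u IPv4 0x3a1c2d0      0t0  UDP *:5353
"""

CONNECTED = re.compile(r"^\S+:(\d+)->(\S+):(\d+)(?: \(\w+\))?$")
LISTENING = re.compile(r"^\S+:(\d+) \(LISTEN\)$")

def outgoing(lsof_text):
    """Return (command, pid, remote_host, remote_port) for sockets this host opened."""
    names = []
    for line in lsof_text.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 8)             # NAME is column 9 and may contain a space
        if len(fields) == 9:
            names.append((fields[0], int(fields[1]), fields[8]))
    # Local ports that have a listener: connections on them were accepted, not initiated.
    served = {m.group(1) for _, _, n in names for m in [LISTENING.match(n)] if m}
    result = []
    for command, pid, name in names:
        m = CONNECTED.match(name)                # listeners and unconnected UDP lack "->"
        if m and m.group(1) not in served:
            result.append((command, pid, m.group(2), int(m.group(3))))
    return result

def unapproved(connections, approved):
    """Keep connections whose process the user has not explicitly approved."""
    return [c for c in connections if c[0] not in approved]

if __name__ == "__main__":
    # The approved set is an assumption: processes the user expects to talk out.
    for command, pid, host, port in unapproved(outgoing(SAMPLE), {"Safari"}):
        print(f"{command} (pid {pid}) -> {host}:{port}")
```

On a live machine the input would come from running `lsof -i -P` with administrator rights, since an unprivileged user only sees their own processes' sockets.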

Apple Must Explain: Bug or Feature?

I hope someone from Apple responds to this to show either that there is a good reason to justify it or that it will be removed in 10.5.1. Apple's overall security record is impressive compared to Microsoft, but we must be ever vigilant to keep them on their toes. The obviousness of this phoning home and the inevitability of all such transmissions being exposed make it unlikely that this is something really nefarious, but even an oversight can breach privacy, and great care must be taken by companies like Apple whose software is running on an increasing percentage of our computers worldwide.