And why isn't it enabled by default, Steve?
April 11, 2007 1:34 PM Subscribe
This is so embarrassing. I'd post it anonymously if I didn't think I'd have to provide more info. Anyway...I set up my new iMac last night and didn't even think about the firewall 'til this afternoon. So it was off for something like 12 hours of broadband, static-IP connectedness to the Net. How hosed am I, and is there anything I can do to put some or all of the horses back in the barn?
You have a Mac. You are fine.
posted by phoenixy at 1:38 PM on April 11, 2007 [1 favorite]
posted by phoenixy at 1:38 PM on April 11, 2007 [1 favorite]
OS X is not as vulnerable to internets as an older Windows install would be. You likely have nothing to worry about.
posted by aeighty at 1:39 PM on April 11, 2007
posted by aeighty at 1:39 PM on April 11, 2007
You're totally, utterly fine.
This ain't Windows XP.
posted by nathancaswell at 1:41 PM on April 11, 2007 [1 favorite]
This ain't Windows XP.
posted by nathancaswell at 1:41 PM on April 11, 2007 [1 favorite]
Oops! That reminds me I turned off my firewall six months ago and forgot to turn it back on.
Ok, just did that now. Thanks. Yeah, no reason to worry.
posted by vacapinta at 1:43 PM on April 11, 2007
Ok, just did that now. Thanks. Yeah, no reason to worry.
posted by vacapinta at 1:43 PM on April 11, 2007
How hosed am I
Possibly not hosed at all - I inadvertantly left the firewall off on my old iMac for over a month, and nothing untoward happened.
posted by jack_mo at 1:43 PM on April 11, 2007
Possibly not hosed at all - I inadvertantly left the firewall off on my old iMac for over a month, and nothing untoward happened.
posted by jack_mo at 1:43 PM on April 11, 2007
Also, I just checked my old iBook, which sits there automatically downloading stuff with Bittorrent, and the firewall is off - last time I touched it was when I installed Tiger when it first came out, which must be over two years ago now. So, yeah, no worries.
posted by jack_mo at 1:48 PM on April 11, 2007
posted by jack_mo at 1:48 PM on April 11, 2007
why are you asking here if anything's wrong? just check if anything's wrong!
I also took ages to set up the firewall nonsense (not 12 hours - like, months... just didn't think of it until a friend made a case for it and I figured, hey, what the hell, may as well). You have to be pretty unlucky for it to end up mattering. Which isn't to say that you are not unlucky, but we can't tell you that.
posted by mdn at 1:52 PM on April 11, 2007
I also took ages to set up the firewall nonsense (not 12 hours - like, months... just didn't think of it until a friend made a case for it and I figured, hey, what the hell, may as well). You have to be pretty unlucky for it to end up mattering. Which isn't to say that you are not unlucky, but we can't tell you that.
posted by mdn at 1:52 PM on April 11, 2007
Best answer: The firewall just prevents network requests from reaching an application. If the packets are making it to an application listening on a port, that application still has to be vulnerable to some sort of attack.
Given that this is a new computer (and thus has newer versions of the network services), you're almost surely fine.
Windows is a different matter because it tends to have many, many vulnerabilities in its network services that aren't patched very quickly. Your Mac uses open-source network applications like apache and openssh that tend to be very secure and are updated almost immediately when vulnerabilities are found or announced.
posted by hutta at 1:53 PM on April 11, 2007
Given that this is a new computer (and thus has newer versions of the network services), you're almost surely fine.
Windows is a different matter because it tends to have many, many vulnerabilities in its network services that aren't patched very quickly. Your Mac uses open-source network applications like apache and openssh that tend to be very secure and are updated almost immediately when vulnerabilities are found or announced.
posted by hutta at 1:53 PM on April 11, 2007
Response by poster: Well, that's an unexpected relief. Thanks, everyone.
posted by bricoleur at 1:54 PM on April 11, 2007
posted by bricoleur at 1:54 PM on April 11, 2007
You're fine. As a Mac owner, currently the only problem you'll have is downloading and executing malicious code, and even then you'll have to give the system permission to run it. That doesn't give you permission to be completely carefree, but 12 hours of unprotected broadband access is not something you have to worry about for now.
posted by lekvar at 1:56 PM on April 11, 2007
posted by lekvar at 1:56 PM on April 11, 2007
Most of the crap that is on people's computers is there because THEY PUT IT THERE, either by clicking on the wrong things or going "oooh look, it tells me the weather" or whatever, rather than from "unprotected broadband access"
posted by dagnyscott at 2:03 PM on April 11, 2007
posted by dagnyscott at 2:03 PM on April 11, 2007
I've been running Mac OS X since the Public Beta days. I've not turned the firewall on once.
If you're not sure, you don't need the Mac OS X firewall.
posted by stereo at 2:04 PM on April 11, 2007
If you're not sure, you don't need the Mac OS X firewall.
posted by stereo at 2:04 PM on April 11, 2007
if you've enabled ssh AND created a dummy 'test' user (with equally stupid password of 'test') you *might* be screwed, but that could happen with the firewall on.
embarrassingly, i had that happen to me. random ssh bot got in, quickly installed an irc client, and connected to an irc server, sitting there, as part of a botnet, waiting for commands. luckily, os x is secure enough, i was able to just delete the test account and be done with it.
posted by sxtxixtxcxh at 2:25 PM on April 11, 2007
embarrassingly, i had that happen to me. random ssh bot got in, quickly installed an irc client, and connected to an irc server, sitting there, as part of a botnet, waiting for commands. luckily, os x is secure enough, i was able to just delete the test account and be done with it.
posted by sxtxixtxcxh at 2:25 PM on April 11, 2007
Most of the crap that is on people's computers is there because THEY PUT IT THERE, either by clicking on the wrong things or going "oooh look, it tells me the weather" or whatever, rather than from "unprotected broadband access"
Generally that's probably true, and certainly a mac is going to be safer, but if you're on windows there's this to consider.
posted by juv3nal at 2:29 PM on April 11, 2007
Generally that's probably true, and certainly a mac is going to be safer, but if you're on windows there's this to consider.
posted by juv3nal at 2:29 PM on April 11, 2007
Response by poster: This is a very bizarre question indeed
Not bizarre at all if you factor in my ignorance.
why are you asking here if anything's wrong? just check if anything's wrong!
Just for the sake of education, how would one do that? In other words, if I thought I knew how to do that, I wouldn't have asked the question in the first place, would I?
posted by bricoleur at 3:36 PM on April 11, 2007
Not bizarre at all if you factor in my ignorance.
why are you asking here if anything's wrong? just check if anything's wrong!
Just for the sake of education, how would one do that? In other words, if I thought I knew how to do that, I wouldn't have asked the question in the first place, would I?
posted by bricoleur at 3:36 PM on April 11, 2007
bricoleur, the only way to check for something is by booting from another volume that isn't infected and eyeballing entirely too much or comparing against known pristine information.
You can never trust a cracked machine to tell you the truth about whether it's cracked or not.
posted by cmiller at 3:47 PM on April 11, 2007
You can never trust a cracked machine to tell you the truth about whether it's cracked or not.
posted by cmiller at 3:47 PM on April 11, 2007
Just to make yourself feel better, check out Shields UP!! where you can scan your computer for open ports. I suspect you'll do petty well.
posted by niles at 4:34 PM on April 11, 2007 [1 favorite]
posted by niles at 4:34 PM on April 11, 2007 [1 favorite]
If you set it up and haven't done anything on it yet worth saving, you can use the install disks that come with the computer to wipe and reinstall the OS. It's less onerous than doing so with Windows, because you don't have to jump through hoops dealing with registration and the serial number.
Still, I'll echo what the folks above have said: Odds of having been compromised are low. Don't sweat it.
posted by ardgedee at 5:32 PM on April 11, 2007
Still, I'll echo what the folks above have said: Odds of having been compromised are low. Don't sweat it.
posted by ardgedee at 5:32 PM on April 11, 2007
Wow, that Shields Up link is great.
Apparently my machine is an impenetrable fortress.
(runs off to smooch picture of Steve Jobs)
posted by bink at 5:57 PM on April 11, 2007
Apparently my machine is an impenetrable fortress.
(runs off to smooch picture of Steve Jobs)
posted by bink at 5:57 PM on April 11, 2007
Hehehe. Former Windows users who've just converted to the Mac are so amusing. And so CUTE! :-)
posted by CommonSense at 6:45 PM on April 11, 2007
posted by CommonSense at 6:45 PM on April 11, 2007
Let me chime in again -- I, too, have run OS X since not just the Public Beta days, but BEFORE that time, and never, EVER turned on the firewall. I'm kind of biased, in that I HATE firewalls on principle (something about the old-school, "I remember the Internet the way it USED to be" mentality), and being behind NAT I can be a little lazy, but really, it's OS X. You'll be fine.
Also, to clarify -- someone said "very few" services are running by default. No, NONE are running by default. Zero.
I'm a Mac consultant by trade, so I have a home network with OS X and OS X Server, and I have two broadband connections, one with eight public IPs. A couple of my servers are wide open to the Internet, public IP, no firewall. And all my machines, NATted or not, are also running IPv6, which effectively makes them publicly available on the IPv6 Internet, too. No problems whatsoever.
Not that I'm getting sloppy and complacent, but the fact is that one of the many beautiful things about OS X is that I CAN be this relaxed about security, and worry about other things. I know enough to detect when/if someone stats trying unsavory things with my boxen, but thus far, aside from a ping-flood incident a few years ago (which is not platform-specific), it's been smooth sailing.
Welcome to the REAL social.
posted by CommonSense at 6:51 PM on April 11, 2007
Also, to clarify -- someone said "very few" services are running by default. No, NONE are running by default. Zero.
I'm a Mac consultant by trade, so I have a home network with OS X and OS X Server, and I have two broadband connections, one with eight public IPs. A couple of my servers are wide open to the Internet, public IP, no firewall. And all my machines, NATted or not, are also running IPv6, which effectively makes them publicly available on the IPv6 Internet, too. No problems whatsoever.
Not that I'm getting sloppy and complacent, but the fact is that one of the many beautiful things about OS X is that I CAN be this relaxed about security, and worry about other things. I know enough to detect when/if someone stats trying unsavory things with my boxen, but thus far, aside from a ping-flood incident a few years ago (which is not platform-specific), it's been smooth sailing.
Welcome to the REAL social.
posted by CommonSense at 6:51 PM on April 11, 2007
Holy crap, Os X has a firewall!?
posted by stresstwig at 7:23 PM on April 11, 2007 [1 favorite]
posted by stresstwig at 7:23 PM on April 11, 2007 [1 favorite]
Your new horses like the barn a lot, and won't be tempted out. Forgot about the stable door; they won't bolt.
posted by bonaldi at 7:33 PM on April 11, 2007
posted by bonaldi at 7:33 PM on April 11, 2007
For posterity, as you question was answered, it also is common for broadband users to be running off of a router that has NAT. This effectively is a hardware firewall. If you are using NAT and OS X, you are pretty golden. And as stated above, you have little to worry about even without the router due to OS X's BSD underpinnings.
posted by qwip at 7:56 PM on April 11, 2007
posted by qwip at 7:56 PM on April 11, 2007
This thread is closed to new comments.
I think you're probably fine.
posted by bink at 1:38 PM on April 11, 2007