Open helloperl.pl and paste the following in there:
print "Hello Cruel Perl\n";
Make sure you have executable permissions for helloperl.pl. Then run:
krypted February 29th, 2012
I use the term “groups” loosely here. On my list of features that are needed in Lion Server (a much smaller list since the advent of 10.7.3, btw) is the fact that Address Book Server doesn’t have groups, resources or whatever you want to call a logical structure that is a place for groups of users to keep contacts whose access can be limited to only certain users. The Address Book client fully understands such constructs, given that it separates the GAL from a user’s contacts and that users can themselves have groups of contacts. This area is a huge miss. The reason this annoys me is that you have the ability to do this stuff with iCal Server, which uses roughly the same technology (Twisted CalDAV vs. CardDAV). You can include LDAP contacts in an Address Book search, which just gives users access to users configured on the local server. Helpful if your user base is a walled garden. And don’t tell me that it kinda’ works the same in Exchange. Because a contact is not a user in Exchange…
Anyway, one way to get a shared list of contacts is to create a user just to be the shared list. This user is going to have a password. That password is going to end up in the keychain for all users who we install this account for. Furthermore, all of those users can delete contacts. And those users will invariably delete an account and blame said deletion on the server. Given that servers don’t delete data on their own, the blame is basically poorly placed.
If you need granular permissions control over shared contact lists, then Address Book server is not for you. But if you just need a “group” or two that is wide open permission-wise for all users, then consider this strategy. First, let’s enable Address Book services. To do so, first open the Server application from an Open Directory Master. Then, click on the Address Book entry in the Server application’s sidebar. Here, click on the ON button (by the way, I could have just used this paragraph as an article on Setting Up Address Book Server).
Once created, make sure that the user has access to the Address Book service. To do so, click on the account and then select Edit Access to Services… from the cog wheel icon and verify that the Address Book service is enabled for the user.
Now, let’s check out how this looks on a client. These accounts can be deployed through profiles easily. But we like doing things the hard way. Therefore, let’s open the nifty Mail, Contacts & Calendars System Preference pane and then click on the Add Account… button. From the Choose an account type field, click on the Add a CardDAV account button. Click on the Create… button.
Provide the username and password recently created, as well as the name or IP of the server.
Now open Address Book. Click on the red bookmark icon. You’ll then see your contact stash. Click on it and you can create, delete and otherwise do whatever you like here. If you create contacts and install this account on multiple machines then you’ll be able to edit or delete them from any of the stations they’re installed on.
Good luck. And may Billy Madison have mercy on your Address Book.
krypted February 28th, 2012
There have been a number of articles on using the Podcast Producer service in Snow Leopard and previous operating systems. The Podcast Producer service itself in Lion remains unchanged. It still needs shared storage (e.g. NFS, Xsan, etc), Xgrid, Kerberos (for Xgrid) and while seeming to sit atop a house of cards, is one of the coolest and most complex services in Mac OS X Server. But there have been a lot of environments where Podcast Producer seemed out of reach where it shouldn’t have. If you have a single server, why do you need shared storage, a truly scalable grid computing cluster and all that complex workflow goodness at your fingertips? In Lion Server, you don’t. In fact, it’s easier than ever to get up and running, access Podcasts from a web browser and even subscribe to Podcasts in iTunes.
Setting Up the Podcast Service
Podcasting can now become one of the easiest services to use in Lion Server, provided your needs are as simple as the new Podcast service is to use. As with most services in Lion Server, you’ll need a working Open Directory master. You can still use Active Directory accounts, and when you initially configure the Podcast service you can enable an Open Directory master on your server; however, you should configure Open Directory prior to setting it up (as I believe you should with all services). You should also populate the list of Open Directory users with all of the users you’d like to have access to create podcasts and administer them before setting up the Podcast service. Okay, okay, so Open Directory isn’t actually required. You can use local accounts. But don’t, it’s easy to set up Open Directory and it will be very helpful in the future if you need to migrate to Podcast Producer some day!
Once Open Directory has been configured, open up the Podcast service by clicking on Podcast in the Server application’s sidebar. From here, you’ll see a whopping two settings. The first controls who can access the Podcast service. The options are:
The second option is who can administer the Podcast wiki. Here, use the plus sign to add each user who should be able to administer Podcasts. Once your admins are added, start the Wiki service as well, by clicking on Wiki in the Server sidebar and then clicking on the ON button, leaving the defaults untouched.
You should also have the Web service enabled, so click on it in the Server sidebar and click on the ON button as well (again, leaving the settings as default for now).
The Podcast service is now set up and you can move on to creating some podcasts and actual content.
Once you’ve enabled all three services, it’s time to create a Podcast and capture some content. To get started, open the Podcast Publisher application from /Applications/Utilities. From here, click on the Podcast Publisher menu and then click on Preferences. Here, you’ll be able to configure the connection to the server. Enter the address (IP address or hostname of the server), username (one of the administrative user names from earlier) and password that you want to use for podcasts.
Once you’ve supplied your credentials, close the Settings window. Then click on the New Podcast button to see the pin board, as I call it. Here, provide a name for your Podcast. Each podcast will have its own feed and be able to be subscribed to in iTunes. Each podcast is comprised of one or more episodes. The podcasts appear as pin boards; the episodes will appear as though they were photos on the pin board. Click on the Add a new episode… button (you can also choose New Movie Episode or New Audio Episode from the list by clicking the down arrow towards the bottom of the screen).
At the Episode screen, you’ll see two buttons in the bottom left corner of the screen. Here, click on the film strip icon (the one on the left side) to record video from a camera or the screen recording icon (the one on the right side) to capture video from the video screen. Click on the button in the middle of the screen with a red dot to start recording.
After a 3 second countdown, the screen recording will begin. Don’t rush. Get ready and then start speaking into your microphone and record video as you so choose. Pay attention to the volume level, trying to keep an even level towards the middle of the indicator. Click on the red button again when you’re finished capturing the video (I usually like to minimize the Podcast Publisher screen and then open it to stop the recording).
At the next screen, you’ll be able to provide a title for your podcast. Enter the title and then use the yellow bar at the bottom to remove any video from the front and back of the video you actually want to use (as you drag the double lines you’ll scrub through video). Use the TRIM button to remove any of the video that you no longer need. You can also use the Play button to play the video and pause it to make sure you’re happy or trimming to the right location(s).
Or if you’d like to start over, click on the Record button, which will bring up the Overwrite screen that basically tells you it’s going to ditch the clip you just created and start over.
Assuming you would like to save the Podcast, you can now share it or just click done to keep a local copy. Let’s click Done just to see what happens. You’ll now see a photo of your clip thumb-tacked to the pin board. Here, double-click on the board to see a list of all of your local episodes for that podcast.
When the list of episodes fills the Podcast Publisher screen, you’ll be able to do a new GUI-level feature. Control-click (or right-click) on the podcast and you’ll be able to Get Info or Delete. You can now delete episodes from the GUI. Hooray as my daughter often says!
The Get Info screen also lets you change the title of an episode, add an author and provide a description. Click Show Advanced to see that you can also fake out the date you captured the episode, change the order that the episode will appear in iTunes (no more having to record in the exact opposite order you want episodes to appear in iTunes!) and even add an Advisory Label, which lets you indicate that your podcast is better geared for adults if that’s what you’re into.
At this point, the video is still local to your computer. Click back on the board and then double-click on the episode again and let’s send it to the server. Click on the Share button to bring up a menu of places you can send your video to. These include:
Once you click on Podcast Library, the video clip will be created, put in the right location and the entry in the Wiki created. You can then use the All Podcasts navigation towards the top of the screen to go back to the list of podcasts.
The longer episodes are, the longer they take to upload. Once done, you’ll then get an indication that the episode has been published. If it fails, make sure the account you’re using has access to write to the server. Click OK or use the Announce button to send a link to view your vicious rant to your friends/coworkers/stalkers.
If you’d like to create another episode use the New Movie Episode or New Audio Episode buttons. Or to create a new Podcast, click the New Podcast button. At the All Podcasts screen, use the left and right arrow keys or click through to new podcast boards. As your library grows, you can also use the spotlight field(s) in the lower right corner of the screen to find recorded content (although I haven’t been able to get Spotlight to work on my library just as of yet). You can also use the View menu to bring up the Media Browser. Here, you can drag video or audio previously captured onto a pin board (podcast) to import the media into that podcast’s library on your local computer and share the media if you so choose. You can also trim content from previously captured video, pretty cool if you’re gonna’ be bringing in video from an iOS based device!
Now that we’ve captured some content, let’s look at how users and administrators will access that content. From the server, you can access Podcasts by pointing your favorite web browser at the URL https://127.0.0.1/wiki/podcasts. From a client, just replace the 127.0.0.1 with the name or IP address of the server. Here, you’ll see a list of Podcasts available.
Keep in mind that back when we set up the service, you defined who should be able to access your podcasts. If podcasts are shared to everyone then you should see them listed. Click on each to see a list of their episodes and click on the Play button to view an episode in a web browser.
Click on the X in the upper left corner of the episode to close it. If you have to authenticate to see podcasts, you’ll need to authenticate now. You can also authenticate in order to delete podcasts or configure who can access each podcast. To authenticate, click on the lock icon in the grey toolbar that runs along the top of the screen.
When prompted, provide the appropriate user name and password. Once authenticated, if you are an administrative user, you can use the x beside any podcast or episode name to delete that podcast or episode. Clicking on a podcast also adds the Settings… button into the cog wheel menu.
The Settings screen enables you to configure who can access podcasts. Owners can create, edit and delete episodes whereas users with Read & Write access can create and edit podcasts and Read Only users can only view content. All logged in users includes anyone with an account on the server and All guests are anyone that can load the web page. Add users by typing their name in the provided field and clicking them when their name appears. Click on the Save button when you’ve configured who can access what.
One of the coolest aspects of Podcast Producer and the Podcast service is that both can quickly provide access to users in iTunes. To subscribe a client in iTunes, click on the cog wheel icon and then click on the Subscribe in iTunes button. The Podcast will then be added into iTunes automatically and the first episode will begin to synchronize. When it’s done, double-click to watch (assuming your DNS is cool, given that the links are DNS-based).
The link works by sending a pcast://-based URL to the client. For example, pcast://127.0.0.1/podcastlibrary/collection/uuid/ followed by the uuid of the podcast you are viewing in the browser.
The new Podcast Library is pretty awesome in how accessible it is to almost anyone with a functioning server. It’s not for anyone that’s going to need an Xgrid cluster to act as a render farm because they’re capturing so many podcasts. It’s also not for people needing custom workflows or the ability to capture podcasts of content from the web (e.g. Windows or Linux clients). But what it is, is easy. If you’re sitting at home and thinking that you’d like to build a podcast so your friends can look at your new hair color, your followers can see the Top 10 Screamo Videos of All Time you like to post, helping a classroom podcast as a way of teaching them various subjects, capturing corporate training videos or you’re showing your parents videos of your children, the new Podcast library is simple, fast and can be highly impactful.
If you need more, then look to Podcast Producer. It can write to a variety of systems, has a full suite of command line management functions and in general is the grown up version of Podcast. Not that Podcast isn’t pretty cool in and of itself in the right circumstances. It’s like having your own little YouTube!
krypted February 27th, 2012
Whenever someone mentions Apple and BYOD devices, this is what immediately springs to mind as what will invariably walk through the door requiring support:
krypted February 25th, 2012
“We’re too young and still under NDA, so please don’t talk about us publicly just yet!”
krypted February 24th, 2012
One of my favorite tools for penetration testing is Nessus from Tenable Network Security. Nessus 5 is the latest release in the family of vulnerability scanners that is probably amongst the most prolific. Nessus 5 does discovery, configuration auditing, profiling, looks at patch management and performs vulnerability analysis on a variety of platforms. Nessus can also run on Linux, Windows or Mac OS X and can be used to scan and keep track of vulnerabilities for practically any platform, including Mac OS X.
To install Nessus, go to the Nessus site and click on the Download button, around the middle of the page. Agree to the download agreement and then choose the version that is right for you (Mac OS X in this case).
The software will then download and need to be installed. Once downloaded, open the Nessus dmg and extract it. Inside will be the Nessus 5 package installer.
Open the installer and click through the defaults to perform a basic installation.
Once done, you’ll have the Nessus Server Manager and Nessus Client.url in a Nessus folder in the Applications directory.
Open the Nessus Server Manager and authenticate as an administrator when prompted. When you downloaded the software you would have been prompted for registration. Provide that information in the registration field. Then click on Update plugins to make sure all of the Nessus plugins are running the latest version. Finally, click on Manage Users… to create your users.
At the list of Nessus users, click on the plus sign and create a new user, likely making the user an admin (I see few vulnerability scanning stations that have non-administrative users, which would just be for viewing reports and such). Click Save to create the user and then close at the List of users screen.
If the Nessus server isn’t started, click on Start Nessus Server. Then click on the Nessus Client.url file back where the Nessus Server manager was accessed. At the Nessus login screen, provide the username and password for the Nessus server that was previously created.
Once authenticated, you will be placed in the Scans screen. Before we configure any scans, we’re first going to create a Policy (which defines how a scan operates for the most part). To do so, click on Policies and then click on the Add button. There are four policy tabs (aligned on the left sidebar). In the General pane, you will configure the name for the Policy, “Mac Servers” in this example. Then we’re going to check the boxes in the Scan section for Designate Hosts by their DNS Name, Log Scan Details to Server, Stop Host Scan on Disconnect and Avoid Sequential Scans. Then check the boxes in the Port Scanners section for TCP, SYN, SNMP, Netstat SSH and Ping Host. Leave the Port Scan Range set to default and the Performance options at their default values as well. These are useful when you’re done tinkerating to get better performance out of the system, but we’re not really there just yet.
Click on the Next button to define any credentials you’ll use during scans. Initially, I’d leave this blank, although you can provide SMB information for up to 4 accounts to see what kind of access users have. You can also define Kerberos, SSH and various cleartext credentials as well. We’re going to skip that for now and click Next to define the Plugins.
At the Plugins screen, we’re initially going to leave all of the plugins on. The reason for this is that many of the Lion Server services are similar to those of the various Unix and Linux variants and we can scan SMB with the Windows plugins. These can’t hurt, they might just waste a little time though. Clicking on a Family and then a plugin will show you what each does. Clicking on the green light for each will disable it.
Click on Preferences and define any preferences that you need. Amongst the plugin preferences I usually enable network printer scanning, CGI scanning, Enable experimental scripts, set my Report verbosity to Verbose, provide any certificates needed and then hit Submit to create the new Policy.
Next, let’s click back on Scans in the navigation bar on the screen. As you can see here, I’ve created a few template scans, but we’re going to create a new one by clicking on the Add button.
Provide a name for the scan and then choose the Policy you just created. Set the Type to Run Now (since we’re just testing) and put the IP address of a target into the Scan Targets field. You can also import a large set of targets using the Browse button and a csv file or use Schedule or Template rather than Run Now in the Type field to schedule scans or create a template scan. Click Launch to kick off the first scan.
Once started, click on the Reports button in the top nav bar to see the status of the scan.
Once the scan is finished, click on the scan to see a list of vulnerabilities and open ports, sorted by the severity of issues. Here, double-click on the host.
The Report screen then shows each service and the vulnerabilities found for that service. Click on one of the vulnerabilities to see what Nessus thinks is problematic with it.
Now for the fun part. Each of the vulnerabilities listed will have CVEs attached.
By default, Nessus is just looking at the service banners to determine vulnerabilities. If you look up the CVE at CVE Details or PacketStorm you’ll see that it was patched a few months ago by most vendors. Now Nessus can get things wrong with Mac OS X. The issue is that Apple forks the code for many open source projects, not always updating version numbers on banners. Looking up or testing whether a vulnerability is still applicable can be tedious but would likely need to be done per service according to your internal security policies.
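An added example (not from the original post and not Tenable's code) of the per-service triage described above: it parses a constructed report laid out like a .nessus v2 export and separates findings inferred from a banner from findings the plugin observed. The VENDOR_FIXED set, the hint phrases and every host, plugin ID and CVE id below are assumptions or placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like a .nessus (v2) export. Hosts, plugin IDs,
# plugin names and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = """<NessusClientData_v2><Report name="Mac Servers">
<ReportHost name="192.168.210.10">
  <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
              pluginID="900001" pluginName="Web server version check (constructed)">
    <cve>CVE-0000-0001</cve>
    <description>Nessus did not test for this issue but relied only on the
    version in the server banner.</description>
  </ReportItem>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
              pluginID="900002" pluginName="SSH version check (constructed)">
    <cve>CVE-0000-0002</cve><cve>CVE-0000-0003</cve>
    <description>According to its banner, the remote SSH server is
    affected.</description>
  </ReportItem>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
              pluginID="900003" pluginName="SMB signing test (constructed)">
    <description>Nessus connected and observed that signing is not
    required.</description>
  </ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

# Assumption: CVEs the analyst has confirmed, from the vendor's security
# bulletins, as fixed by an update that is installed on the scanned hosts.
VENDOR_FIXED = {"CVE-0000-0001", "CVE-0000-0002"}

# Heuristic phrases suggesting the plugin inferred the flaw from a version string.
BANNER_HINTS = ("banner", "self-reported version", "did not test for")


def parse_findings(xml_text):
    """Return one dict per ReportItem with severity above informational."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:  # informational entries carry no vulnerability
                continue
            raw = " ".join((item.findtext(tag) or "")
                           for tag in ("description", "plugin_output"))
            text = " ".join(raw.lower().split())  # collapse line breaks
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "plugin": item.get("pluginID"),
                "severity": severity,
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                "banner_based": any(hint in text for hint in BANNER_HINTS),
            })
    return findings


def triage(findings, vendor_fixed):
    """Label each finding, highest severity first."""
    rows = []
    for f in sorted(findings, key=lambda f: -f["severity"]):
        unfixed = [c for c in f["cves"] if c not in vendor_fixed]
        if not f["banner_based"]:
            verdict = "active-check"           # plugin observed behaviour
        elif f["cves"] and not unfixed:
            verdict = "likely-false-positive"  # banner only, every CVE patched
        else:
            verdict = "verify-manually"        # banner only, patch state unknown
        rows.append((f["host"], f["port"], f["plugin"], verdict, unfixed))
    return rows


if __name__ == "__main__":
    for row in triage(parse_findings(SAMPLE_REPORT), VENDOR_FIXED):
        print(row)
```

A "likely-false-positive" label is only as good as the fixed-CVE list behind it, so that list should be built from the bulletin for the update actually installed on each host.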
An easy way to test these vulnerabilities is to use Metasploit, a tool I’m long overdue to write an article on. Another way is to try and run the exploit against the host. Apple does a pretty good job of addressing CVEs in their security updates, so don’t waste a lot of time trying things if Apple has already patched them. I have found a really good tool for automatically attempting to exploit via msf + nessus to be Carlos Perez’ auto exploit tool, available on github.
Finally, Nessus is a great tool for scripting. One of the big differences that throws many an experienced Nessus operator off with the version for the Mac is the location of the Nessus binaries. They are in /Library/Nessus/run/bin. In here you’ll find nasl, nessus, nessus-fetch, nessuscmd etc. The command line control here is pretty awesome. Let’s run nessuscmd to scan a subnet of hosts (192.168.210.0/24):
sudo /Library/Nessus/run/bin/nessuscmd 192.168.210.0/24
There are tons of other options for nessuscmd, such as adding ssh keys, smb logins, scanner options, using a remote nessus server, etc. Or use the nessus binary to kick off scans using a nessus config file. The nessus.conf file is also stored in the /Library/Nessus/run/etc/nessus directory, worth looking into.
krypted February 23rd, 2012
In an email to the Mac Enterprise list, Ed Marczak of Google announced that Google is open sourcing their much heralded FileVault 2 code, once again proving how awesome the Mac team at Google really is:
I’m very happy to announce Cauliflower Vest: a new, open source
product that is an end-to-end Mac OS X FileVault 2 recovery key escrow
solution. In short, this brings missing features that allow you to
better manage FileVault 2 machines.
Cauliflower Vest allows you to:
– Forcefully enable FileVault 2 encryption.
– Automatically escrow recovery keys.
– Delegate secure access to recovery keys so that volumes may be
unlocked or reverted.
If you *just* want to have a command-line tool to enable FV2, that’s
in there, too.
For more information about Cauliflower Vest, please see the blog post
and visit the Google Code page at
krypted February 22nd, 2012
In search of the American Dream? Apple has sold approximately 122 million Macs over the course of 28 years. They have sold 55 million iPads since those were released in April 2010 (in less than 2 years) and sold 156 million iOS Devices for 2011 alone, bringing the total of iOS devices to 316 million. The handset market is set to increase by around 33 percent and there’s really no telling where the tablet market is set to go over the course of the next few years.
What does all of this mean? It means that iOS is continuing to increase in visibility, that App Store sales will continue to rise and that integration into mainstream business will continue. The traffic for mobile device data is set to increase 8 times over the course of the next four years, Cisco and other companies are starting to jump into the mobility space with product offerings and Windows 8 is supposedly going to make a big splash on release.
The Apple App Store is about to hit 25,000,000,000 downloads. That’s a lot of zeros. And that’s a lot of Angry Birds, 99 cent fart jokes and useful business apps that are driving innovation. Mobility as a term is on every CIO’s mind and at the tip of their tongue. Giants such as IBM and HP are starting to jump into the MDM space that has previously been occupied by companies like JAMF Software and AirWatch.
I witnessed something similar to this twice before. The first was the final and complete domination of all things IT by Windows at the beginning of my career. Back when I was swapping out 32 floppies to install Windows 95, a vicious process that will make even the sanest person nasty with hallucinations, I had the chance to go to COMDEX a couple of times. The first year I went, it seemed like a lot of people interested in hacking things together. The second year, it was all corporate headhunters, looking to seize the IT revolution occurring inside their businesses by placing golden handcuffs on the best and the brightest in the industry. And of the companies presenting, well, they mostly got acquired by large companies with big names and their products diluted. A complete turnoff, this led me down the path of open source and security.
After COMDEX, I went to DefCon and Black Hat for a number of years. I used to love watching the random weirdness that these otherwise completely reclusive people would throw together. There were capture the flag events (that is, finding the flag on someone else’s box), people went out into the desert to shoot guns and of course, dumpster diving competitions. There still are all of these things actually. And DefCon itself has managed to very much stay true to that form. But the companies that used to have booths at Black Hat have now mostly been acquired by companies like IBM and HP. These corporate denizens only want to complete a portfolio or gain access to “synergistic” products. Mergers put great little companies with people that really care about their products as small parts of Symantec. And the top talent at those organizations usually leave once they realize they’re not in the least bit impactful and they move on to other companies. They’re replaced by people who’ve achieved the title of Vice President at a competitor, whether that person deserves it or not. In some cases they thrive, but in far more cases, the products flounder, end up getting renamed, repositioned and either sold off to another company for the brand recognition or simply fade into the distance.
In each of these there has been a moment. A moment where I said, you know, something substantial has changed here. There are a few things happening that make me leery about the Mac/iOS IT space, and a few things to look for.
But here’s the thing about all of this. It doesn’t have to be bad. If we all keep our eyes wide open about what’s going on around us the continued influx of massive amounts of money isn’t going to be a bad thing. Basically, our opportunities will explode over the next few years. If we learn our lessons from the dot com era, from COMDEX, from the rise of info sec, then we’ll stay off the coke, not buy really fast cars and remain engaged. I hope not to look at this as I’ve looked at other revolutions in the past. While he wasn’t much of a computer geek, Hunter S. Thompson put it into words best:
And that, I think, was the handle—that sense of inevitable victory over the forces of Old and Evil. Not in any mean or military sense; we didn’t need that. Our energy would simply prevail. There was no point in fighting—on our side or theirs. We had all the momentum; we were riding the crest of a high and beautiful wave.…
So now, less than five years later, you can go up on a steep hill in Las Vegas and look West, and with the right kind of eyes you can almost see the high-water mark—that place where the wave finally broke and rolled back.
krypted February 20th, 2012