krypted.com

Tiny Deathstars of Foulness

Firefox describes its malware posture at https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work, which heavily leverages Google SafeBrowsing, as do many browsers. Settings for SafeBrowsing are set in the browser.safebrowsing.downloads.remote.enabled pref. To lock this pref, you would need to create an autoconfig.js file in /Applications/Firefox.app/Contents/Resources/defaults/pref that points to a firefox.cfg file with a lock pref in it. To do so, create the autoconfig.js file and paste in these settings:

// Configure SafeBrowsing
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);

Then create the firefox.cfg file and paste in these settings:

// Configuring SafeBrowsing (this file lives in /Applications/Firefox.app/Contents/Resources/,
// one level above the pref directory, and its first line must be a comment)
lockPref("browser.safebrowsing.downloads.remote.enabled", true);

Live Firefox preferences can be seen in prefs.js under /Users/charles.edge 1/Library/Application Support/Firefox/Profiles/*.default. Because SafeBrowsing is enabled by default, you shouldn’t see it listed unless it’s been disabled. But you can confirm it’s doing its thing by parsing the contents of these settings:

user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1537457871853");
user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1537459685853");
user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1537457872202");
user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1537461472202");

September 21st, 2018

Posted In: Mac OS X, Mac Security

Most phishing sites follow a known pattern. And people like to flag bad sites. So Google and a few other organizations, such as stopbadware.org, have a collection of feeds that can be leveraged by software vendors to provide a warning or flat-out block potentially fraudulent sites. If a piece of malware is found, even if buried deep in a site, the site will likely get picked up by a robot or reported by a user. Robots can pick up a lot, as people who exploit WordPress sites and the like are often playing a numbers game: harvesting hundreds of thousands of email addresses and sending phishing emails. It only takes one person to give you banking information. Given that they’re just dropping a file in an open web directory, the attacker might otherwise go months before enough people complained and the web host shut them down.

Google Safe Browsing came about similarly to how realtime blacklisting has worked with email for a long time. Sites are listed and then blocked as needed. But privacy works differently with web browsing, and so Google added a bunch of cool stuff that is described at https://safebrowsing.google.com. Basically though, there are some encrypted files on nearly every computer running Safari, Firefox, Chrome, etc. that contain information about bad sites. This is updated fairly regularly, along with some signatures of known nastiness and a little machine learning magic, so that the systems are able to react to emerging threats.

In case you’re interested in writing your own tools, Google Safe Browsing has an API, which is documented at API Documentation.

So what is sent to Google? Only information from unsigned executables (or those whose signature isn’t accepted) is sent to the Google SafeBrowsing service. The implementation, and also how to turn that remote app reputation check on or off, is explained in https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc.

If you find that you’re managing a site that gets attacked, you may learn about it initially from having the site blocked. If this happens, you would need to remove the stuff that was put on your site that resulted in the site being blocked and then request removal from the list of reported phishing sites, using the form provided by Google.

Also request removal from stopbadware.org.

Safari uses Google Safe Browsing. There is a “Fraudulent sites” setting in the Security Preference pane for Safari. Here, you check a box and then you get prompted when you attempt to open a bad site. 

Safari SafeBrowsing involves having Safari pull a new version of the bad stuff from Google every now and then. You can see the date and timestamp that this occurred using the defaults command to read com.apple.Safari.SafeBrowsing.plist, as follows:

defaults read com.apple.Safari.SafeBrowsing.plist

The output contains the SafeBrowsingRemoteConfigurationLastUpdateDate key for /Users//Library/Preferences/com.apple.Safari.SafeBrowsing.plist:

defaults read com.apple.Safari.SafeBrowsing.plist
{
SafeBrowsingRemoteConfigurationLastUpdateDate = "2018-09-19 22:43:30 +0000";
}


Or to wrap this into a command that just displays the last date updated:

defaults read /Users/charles.edge\ 1/Library/Preferences/com.apple.Safari.SafeBrowsing.plist SafeBrowsingRemoteConfigurationLastUpdateDate | awk '{print $1}'


The actual bad stuff file is tricky. A number of temporary dynamic files are stored in /var/folders, and then inside a hierarchy generated by guids for a given system. Here, you’ll find a couple of files, including /var/folders/r1/05ns3cqs0cg5c42x38gk0c0w0000gn/C/com.apple.Safari.SafeBrowsing and /var/folders/8s/s9k75nys3rb399w4fwwtk04h0000gn/C/com.apple.Safari.SafeBrowsing. 

These files are binaries and cannot be viewed as text. They appear to be downloaded routinely via the com.apple.Safari.SafeBrowsing.BrowsingDatabases.Update service. Looking at their date and time stamp, though, will give you a good idea of when the last update was run, if you care to find that out.

Enable SafeBrowsing via the WarnAboutFraudulentWebsites key in ~/Library/Preferences/com.apple.Safari.plist as can be seen below:

defaults write /Users/charles.edge/Library/Preferences/com.apple.Safari.plist WarnAboutFraudulentWebsites 1
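As an added example (not code from either post, nor Apple's or Mozilla's), here is a Python script that reads the two freshness indicators the Firefox and Safari posts above point at: the per-provider lastupdatetime/nextupdatetime prefs in Firefox's prefs.js, and SafeBrowsingRemoteConfigurationLastUpdateDate in com.apple.Safari.SafeBrowsing.plist, flagging either as stale. The 24-hour threshold, the reference time and the sample input are assumptions/constructed values.

```python
import plistlib
import re
from datetime import datetime, timedelta, timezone

# Firefox writes one user_pref line per provider/key pair, holding an epoch-millisecond string.
FIREFOX_PREF_RE = re.compile(
    r'user_pref\("browser\.safebrowsing\.provider\.(\w+)\.'
    r'(lastupdatetime|nextupdatetime)",\s*"(\d+)"\);'
)

# Assumed threshold: both browsers normally refresh far more often than once a day.
MAX_AGE = timedelta(hours=24)


def parse_firefox_prefs(prefs_js):
    """Map each Safe Browsing provider to its last/next update times (aware UTC datetimes)."""
    providers = {}
    for provider, key, millis in FIREFOX_PREF_RE.findall(prefs_js):
        millis = int(millis)
        when = (datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
                + timedelta(milliseconds=millis % 1000))
        providers.setdefault(provider, {})[key] = when
    return providers


def parse_safari_plist(plist_bytes):
    """Return SafeBrowsingRemoteConfigurationLastUpdateDate as an aware UTC datetime, or None.

    plistlib.loads accepts both XML and binary plists, so the file can be read as-is."""
    value = plistlib.loads(plist_bytes).get("SafeBrowsingRemoteConfigurationLastUpdateDate")
    if value is None:
        return None
    # plistlib yields naive datetimes for <date> elements; plist dates are always UTC.
    return value.replace(tzinfo=timezone.utc)


def is_stale(last_update, now, max_age=MAX_AGE):
    """A missing timestamp is treated as stale: the browser has never completed an update."""
    return last_update is None or now - last_update > max_age


def audit(prefs_js, safari_plist_bytes, now):
    """Return [(source, last_update_iso_or_None, stale), ...] for every data set found."""
    findings = []
    for provider, times in sorted(parse_firefox_prefs(prefs_js).items()):
        last = times.get("lastupdatetime")
        findings.append(("firefox/" + provider, last.isoformat() if last else None,
                         is_stale(last, now)))
    last = parse_safari_plist(safari_plist_bytes)
    findings.append(("safari", last.isoformat() if last else None, is_stale(last, now)))
    return findings


# Constructed sample input: the prefs.js lines quoted in the Firefox post, and an XML
# rendering of the Safari plist value quoted in the Safari post.
SAMPLE_PREFS_JS = """
user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1537457871853");
user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1537459685853");
user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1537457872202");
user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1537461472202");
"""
SAMPLE_SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>SafeBrowsingRemoteConfigurationLastUpdateDate</key>
<date>2018-09-19T22:43:30Z</date>
</dict></plist>"""
# Constructed reference time (the day after the sample timestamps) so the output is reproducible;
# use datetime.now(timezone.utc) against real files.
SAMPLE_NOW = datetime(2018, 9, 21, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # On a Mac, read prefs.js from the Firefox profile and the Safari plist from
    # ~/Library/Preferences instead of the samples.
    for source, last, stale in audit(SAMPLE_PREFS_JS, SAMPLE_SAFARI_PLIST, SAMPLE_NOW):
        print(f"{source:16} last update: {last}  {'STALE' if stale else 'ok'}")
```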

September 17th, 2018

Posted In: Mac Security

Just some little one-liners to grab the version of a few common Apple services/built-in apps you might need the version of for another project I’m working on, kinda’:
  • cups: cups-config --version
  • Finder: mdls -name kMDItemVersion /System/Library/CoreServices/Finder.app | cut -d '"' -f2
  • Help Viewer: mdls -name kMDItemVersion /System/Library/CoreServices/HelpViewer.app | cut -d '"' -f2
  • iBooks Author: mdls -name kMDItemVersion /Applications/iBooks\ Author.app | cut -d '"' -f2
  • iCal/Calendar: mdls -name kMDItemVersion /Applications/Calendar.app | cut -d '"' -f2
  • iChat/Messages: mdls -name kMDItemVersion /Applications/Messages.app | cut -d '"' -f2
  • iMovie: mdls -name kMDItemVersion /Applications/iMovie.app | cut -d '"' -f2
  • installer: /usr/sbin/installer -vers
  • Photos/iPhoto: mdls -name kMDItemVersion /Applications/Photos.app | cut -d '"' -f2
  • iTunes: mdls -name kMDItemVersion /Applications/iTunes.app | cut -d '"' -f2
  • Java: /usr/bin/java -version
  • Keynote: mdls -name kMDItemVersion /Applications/Keynote.app | cut -d '"' -f2
  • macOS: sw_vers -productVersion
  • macOS Server: mdls -name kMDItemVersion /Applications/Server.app | cut -d '"' -f2
  • Mail: mdls -name kMDItemVersion /Applications/Mail.app | cut -d '"' -f2
  • mdnsresponder
  • Motion: mdls -name kMDItemVersion /Applications/Motion.app | cut -d '"' -f2
  • Numbers: mdls -name kMDItemVersion /Applications/Numbers.app | cut -d '"' -f2
  • Pages: mdls -name kMDItemVersion /Applications/Pages.app | cut -d '"' -f2
  • Preview: mdls -name kMDItemVersion /Applications/Preview.app | cut -d '"' -f2
  • QuickTime: mdls -name kMDItemVersion /Applications/QuickTime\ Player.app | cut -d '"' -f2
  • quicktime_broadcaster: N/A (Darwin Streaming Server deprecated)
  • quicktime_darwin_mp3_broadcaster: N/A (deprecated service)
  • quicktime_pictureviewer: N/A (QuickTime for Windows only)
  • quicktime_streaming_server: N/A (deprecated service)
  • Remote Desktop: defaults read /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/version.plist CFBundleShortVersionString
  • Safari: mdls -name kMDItemVersion /Applications/Safari.app | cut -d '"' -f2
  • server_manager: N/A (deprecated in 2006ish)
  • software_update
  • tcp_ip_configuration_utility: N/A (LaserWriter vuln from 2002)
  • Terminal: mdls -name kMDItemVersion /Applications/Utilities/Terminal.app | cut -d '"' -f2
  • TextEdit: mdls -name kMDItemVersion /Applications/TextEdit.app | cut -d '"' -f2
  • Transporter: /Applications/Xcode.app/Contents/Applications/Application\ Loader.app/Contents/itms/bin/iTMSTransporter
  • Xcode: mdls -name kMDItemVersion /Applications/Xcode.app | cut -d '"' -f2
  • Xsan: /usr/sbin/cvversions
  • OpenSSL: openssl version
  • Apache: httpd -v
As you’ll notice, a lot of the built-in apps can be scanned with the same mdls command. There are certainly better ways for some, but when it comes to runtime cost, Spotlight can respond quicker than a lot of other tools (other than purpose-built open source tools, of course, which already have a smaller amount of data specific to the task). Third-party software can be checked the same way. Let’s take Microsoft Outlook as an example:

mdls -name kMDItemVersion /Applications/Microsoft\ Outlook.app | cut -d '"' -f2

Additionally, frameworks work a little differently. If I wanted to get the WebKit framework version programmatically, I would need the system_profiler command along with the SPFrameworksDataType option. This shows the version of WebKit, but simply piping the output into grep won’t find the WebKit version. Instead I need to use an option I don’t use often with grep. The -A option lets you define a number of lines to output following the pattern in question, so here I’m saying constrain my output to the line matching WebKit: plus the next ten lines, then constrain further to just the version number.

system_profiler SPFrameworksDataType | grep -A10 WebKit: | grep Version

Anyway, more on all this soon.

September 13th, 2018

Posted In: Mac OS X, Mac Security

The Mac comes with a number of tools for querying version numbers of things like apps and operating systems. First, let’s look at operating systems. The quickest way to derive the version of an operating system would be:

sw_vers -productVersion

It then becomes trivial to pipe these into other languages, provided you can reach them from within a script. For example, if you import os into a python script, you can use the sw_vers command:

import os
os.system('sw_vers -productVersion')


Or to grab the version of the OS you could import a module with a function just for that:

import platform
version = platform.mac_ver()  # a tuple; version[0] is the release string sw_vers would print

So in the following example, we’ll 

#!/usr/bin/python
# Python 2 (urllib.urlopen). The version comes from the first argument if given,
# otherwise from platform.mac_ver(); the CVE ids returned by the circl search API are printed.
import sys, urllib, json, platform

if len(sys.argv) > 1:
    url = 'https://cve.circl.lu/api/search/apple/mac_os_x:{}'.format(sys.argv[1])
    print([j['id'] for j in json.loads(urllib.urlopen(url).read().decode('utf-8'))])
else:
    version = platform.mac_ver()
    url = 'https://cve.circl.lu/api/search/apple/mac_os_x:{}'.format(version[0])
    print([j['id'] for j in json.loads(urllib.urlopen(url).read().decode('utf-8'))])

This can be found at https://github.com/krypted/maccvecheck

So what might I want to do with it next? Well, you can also read the index of an app using mdls, using the -name option and the kMDItemVersion attribute, as follows for iTunes:

mdls -name kMDItemVersion /Applications/iTunes.app

And then you can look that up in the CVE database as well:

curl https://cve.circl.lu/api/search/apple/itunes:12.5

Or to merge the version check and the cve check:

curl -s https://cve.circl.lu/api/search/apple/itunes:`mdls -name kMDItemVersion /Applications/iTunes.app | cut -d '"' -f2`

Ultimately, Apple has a number of products that are tracked in the CVE database, and a library of each could easily be built and parsed to produce all CVE hits encountered on a Mac. Obviously, you might not want to trust some random site from Luxembourg (those Luxembourgians are troublesome after all), and you can do this directly against the zip from NIST or create your own microservice that responds similarly to this site.
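Building on the post's script, as an added example that is not the maccvecheck code: parse the mdls output for an app's version, build the same circl search URL, and filter the returned CVE ids by CVSS score. The fetch function is injectable so the sample below runs offline; the sample response (placeholder CVE ids, not real entries) is constructed, and the presence of a numeric cvss field in each result is an assumption.

```python
import json
import re
import subprocess
import urllib.request

CIRCL_SEARCH = "https://cve.circl.lu/api/search/apple/{product}:{version}"

# mdls prints `kMDItemVersion = "12.5"`, or `kMDItemVersion = (null)` when the attribute
# is missing (bundle not indexed, or not an app bundle at all).
MDLS_VERSION_RE = re.compile(r'kMDItemVersion\s*=\s*"([^"]*)"')


def parse_mdls_version(mdls_output):
    """Return the version string from `mdls -name kMDItemVersion <app>` output, or None."""
    m = MDLS_VERSION_RE.search(mdls_output)
    return m.group(1) if m else None


def app_version(app_path):
    """Run mdls on a Mac and parse its output (off-Mac, feed parse_mdls_version directly)."""
    out = subprocess.run(["mdls", "-name", "kMDItemVersion", app_path],
                         capture_output=True, text=True, check=False).stdout
    return parse_mdls_version(out)


def search_url(product, version):
    return CIRCL_SEARCH.format(product=product, version=version)


def fetch_json(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def find_cves(product, version, min_cvss=0.0, fetch=fetch_json):
    """Return [(cve_id, cvss)] for product:version, highest score first.

    The response is treated as the post's own script does: a list of objects carrying an
    "id". A numeric "cvss" field is used when present (assumed) and scored 0.0 otherwise."""
    if not version:
        raise ValueError("no version to search for")
    hits = []
    for entry in fetch(search_url(product, version)):
        cvss = entry.get("cvss")
        cvss = float(cvss) if cvss is not None else 0.0
        if cvss >= min_cvss:
            hits.append((entry["id"], cvss))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed sample data: mdls output for an iTunes bundle (and for a missing attribute),
# plus a stand-in for the circl response using placeholder ids that are not real CVEs.
SAMPLE_MDLS_OUTPUT = 'kMDItemVersion = "12.5"\n'
SAMPLE_MDLS_MISSING = 'kMDItemVersion = (null)\n'
SAMPLE_RESPONSE = [
    {"id": "CVE-0000-0001", "cvss": 9.3, "summary": "placeholder critical entry"},
    {"id": "CVE-0000-0002", "cvss": 4.3, "summary": "placeholder medium entry"},
    {"id": "CVE-0000-0003", "summary": "placeholder entry without a score"},
]


def sample_fetch(url):
    """Offline stand-in for fetch_json: remembers the URL it was asked for."""
    sample_fetch.last_url = url
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # On a Mac: version = app_version("/Applications/iTunes.app") and drop fetch=sample_fetch.
    version = parse_mdls_version(SAMPLE_MDLS_OUTPUT)
    for cve_id, cvss in find_cves("itunes", version, min_cvss=7.0, fetch=sample_fetch):
        print(cve_id, cvss)
```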

Note: Special thanks to Yuresko for fixing my else statement.

September 12th, 2018

Posted In: Mac OS X, Mac Security

My session from MacTech 2017.

September 10th, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Ever wonder what binaries have dependencies on a given binary? The otool command allows you to look up what dependencies a binary has, but there’s some extra work to reverse that. So, looto.sh:

https://github.com/krypted/looto
https://github.com/krypted/looto.git


August 22nd, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

I’ve seen a few issues now where ApplePay and Health stopped working properly on a Mac and iOS device, and when you fixed one, it seemed to wreck the connection with the other. Turns out that the information on a local system is managed with the new(ish) ckksctl command. Using ckksctl is pretty straightforward. First, let’s look at what’s on the Mac, using the ckksctl command with the status verb:

/usr/sbin/ckksctl status

There will be a section for ApplePay and another for Health. Here, if the services are configured, you should see the following in that section:

CloudKit account: logged in

Now, let’s force a pull of what’s in iCloud using the fetch verb:

/usr/sbin/ckksctl fetch

A successful sync will simply exit. However, that doesn’t mean that the keys are actually working. So if the issues persist, what we’re going to do is reset what’s in the local system and then pull the information from CloudKit again and show the status:

/usr/sbin/ckksctl reset; /usr/sbin/ckksctl status

Additionally, if you feel the local system is correct and the CloudKit data is incorrect then you could do the opposite and push a fresh config from the client to CloudKit:

/usr/sbin/ckksctl reset-cloudkit; /usr/sbin/ckksctl status

This has resolved issues I’ve seen. The status is also useful to track what a client has been configured to access. Please feel free to comment if you’ve had other experiences as I’ve found practically no information on this command.

August 10th, 2018

Posted In: cloud, Mac OS X, Mac Security

Awhile back, I wrote a tool to rewrap ipa files that I called ipasign: https://github.com/krypted/ipasign/blob/master/ipasign.py. But I wanted to do something similar for the Mac, and specifically have it run in Linux. So looking at what you’d need to be able to do, let’s start with viewing the contents of a flattened Apple package. This command will show you the files installed as a part of the Node JS package. Why did I choose that package? It was sitting on my desktop…

pkgutil --files org.nodejs.node.pkg

Now, this logic is available because you’re running pkgutil on a Mac. But that can’t run in Linux. So what would you do if you wanted to complete that same operation? If the package hasn’t been flattened then you can simply traverse the files in the package. If it has been flattened (and it must be in order to properly be signed) then that can’t work. So to see the files installed from a Linux system will require a tad bit more work. First, we’ll create a directory to extract our package into:

mkdir node-v8.11.1.pkg

Then cd into that directory and use xar to extract the package:

xar -xf /Users/charles.edge/Downloads/node-v8.11.1.pkg

In there, you’ll see three files: Bom, PackageInfo, and Payload. The contents, which mimic the --files option to some extent, are found by first renaming Payload to Payload.gz:

mv ./node-v8.11.1.pkg/Payload ./node-v8.11.1.pkg/Payload.gz

Then unzipping it:

gunzip Payload.gz

And viewing the contents (-t lists the archive without extracting it; drop it to actually extract):

cpio -itv < Payload

Or throw all that into a one-liner (no rename needed, since gzip -dc doesn’t care about the suffix):

gzip -dc Payload | cpio -itv

And the reverse, to pack an extracted tree back into a Payload:

find . | cpio -o | gzip -c > Payload

You can also use bomutils to traverse and make BOMs: http://bomutils.dyndns.org/tutorial.html

You can also see some metadata about how the package will lay down by catting the distribution file:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<installer-gui-script minSpecVersion="1">
<title>Node.js</title>
<welcome file="welcome.html"/>
<conclusion file="conclusion.html"/>
<background alignment="topleft" file="osx_installer_logo.png"/>
<pkg-ref id="org.nodejs.node.pkg" auth="root">
<bundle-version/>
</pkg-ref>
<pkg-ref id="org.nodejs.npm.pkg" auth="root">
<bundle-version/>
</pkg-ref>
<options customize="allow" require-scripts="false"/>
<license file="license.rtf"/>
<choices-outline>
<line choice="org.nodejs.node.pkg"/>
<line choice="org.nodejs.npm.pkg"/>
</choices-outline>
<choice id="org.nodejs.node.pkg" visible="true" title="Node.js v8.11.1">
<pkg-ref id="org.nodejs.node.pkg"/>
</choice>
<pkg-ref id="org.nodejs.node.pkg" version="v8.11.1" onConclusion="none" installKBytes="37377">#node-v8.11.1.pkg</pkg-ref>
<choice id="org.nodejs.npm.pkg" visible="true" title="npm v5.6.0">
<pkg-ref id="org.nodejs.npm.pkg"/>
</choice>
<pkg-ref id="org.nodejs.npm.pkg" version="v5.6.0" onConclusion="none" installKBytes="20113">#npm-v5.6.0.pkg</pkg-ref>
</installer-gui-script>
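As an added example, not part of the original post: a small Python parser for the Distribution file above that merges the scattered pkg-ref attributes per component and lists what an admin wants to know before deploying (root auth, sizes, where the payload comes from). The sample is the Node.js Distribution above, trimmed; treating a "#name.pkg" reference as internal to the product archive is an assumption.

```python
import xml.etree.ElementTree as ET


def parse_distribution(xml_bytes):
    """Summarise a Distribution file: title, installer options and one dict per component.

    Attributes are merged across every <pkg-ref> sharing an id, because the format spreads
    auth, version, size and payload location over several elements (as in the file above)."""
    root = ET.fromstring(xml_bytes)
    pkgs = {}
    for ref in root.iter("pkg-ref"):
        entry = pkgs.setdefault(ref.get("id"), {
            "id": ref.get("id"), "auth": None, "version": None, "install_kbytes": 0, "payload": None})
        if ref.get("auth"):
            entry["auth"] = ref.get("auth")
        if ref.get("version"):
            entry["version"] = ref.get("version")
        if ref.get("installKBytes"):
            entry["install_kbytes"] = int(ref.get("installKBytes"))
        if ref.text and ref.text.strip():
            entry["payload"] = ref.text.strip()
    title = root.find("title")
    options = root.find("options")
    return {
        "title": title.text if title is not None else None,
        "customize": options.get("customize") if options is not None else None,
        "require_scripts": options is not None and options.get("require-scripts") == "true",
        "packages": list(pkgs.values()),
    }


def review_notes(summary):
    """Observations an admin wants before deploying: who the payload installs as, and where it
    comes from. Assumption: a '#name.pkg' reference points inside this product archive, anything
    else (a path or URL) points to a package outside it."""
    notes = []
    for pkg in summary["packages"]:
        if pkg["auth"] == "root":
            notes.append(f'{pkg["id"]} installs as root ({pkg["install_kbytes"]} KB from {pkg["payload"]})')
        if pkg["payload"] and not pkg["payload"].startswith("#"):
            notes.append(f'{pkg["id"]} payload lives outside this archive: {pkg["payload"]}')
    total = sum(p["install_kbytes"] for p in summary["packages"])
    notes.append(f'{summary["title"]}: {len(summary["packages"])} component package(s), {total} KB on disk')
    return notes


# Constructed sample: the Node.js Distribution from the post, with the cosmetic elements removed.
SAMPLE_DISTRIBUTION = b"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<installer-gui-script minSpecVersion="1">
<title>Node.js</title>
<pkg-ref id="org.nodejs.node.pkg" auth="root"><bundle-version/></pkg-ref>
<pkg-ref id="org.nodejs.npm.pkg" auth="root"><bundle-version/></pkg-ref>
<options customize="allow" require-scripts="false"/>
<choices-outline>
<line choice="org.nodejs.node.pkg"/>
<line choice="org.nodejs.npm.pkg"/>
</choices-outline>
<choice id="org.nodejs.node.pkg" visible="true" title="Node.js v8.11.1"><pkg-ref id="org.nodejs.node.pkg"/></choice>
<pkg-ref id="org.nodejs.node.pkg" version="v8.11.1" onConclusion="none" installKBytes="37377">#node-v8.11.1.pkg</pkg-ref>
<choice id="org.nodejs.npm.pkg" visible="true" title="npm v5.6.0"><pkg-ref id="org.nodejs.npm.pkg"/></choice>
<pkg-ref id="org.nodejs.npm.pkg" version="v5.6.0" onConclusion="none" installKBytes="20113">#npm-v5.6.0.pkg</pkg-ref>
</installer-gui-script>
"""

if __name__ == "__main__":
    # Real use: parse_distribution(open("node-v8.11.1.pkg/Distribution", "rb").read())
    for note in review_notes(parse_distribution(SAMPLE_DISTRIBUTION)):
        print(note)
```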

If you want to make a package, check out this gist: https://gist.github.com/SchizoDuckie/2a1a1cc71284e6463b9a.

Next up, you frequently want to check the signature of a package. So to see the signature, I can simply use pkgutil if on a Mac:

pkgutil --check-signature org.nodejs.node.pkg

Or I can use codesign:

codesign -v node-v8.11.1.pkg

The beauty of codesign is that it’s been open sourced by Apple. The bummer about codesign is that it links against multiple Apple frameworks (CoreFoundation and Security), as otool shows:

otool -L /usr/bin/codesign

/usr/bin/codesign:
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1452.23.0)
/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.51.6)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)

April 24th, 2018

Posted In: Mac OS X, Mac Security, Mass Deployment

Since some of the more interesting features of Time Machine Server are gone, let’s talk about doing even more than what was previously available in that interface by using the command line to access Time Machine.

As with any other command, you should probably start by reading the man page. For Time Machine, that would be:

man tmutil

Sometimes, the incantation of the command you’re looking for might even be available at the bottom of the man page. Feel free to use the space bar a few times to skip to the bottom, or q to quit the man interface.

In addition to the man page, there’s a help command, which can be used in conjunction with any of the command verbs (which makes me think of “conjunction junction, what’s your function”). For example, you can tell tmutil to compare backups using the compare verb. To see more on the usage of the compare verb, use tmutil followed by compare (the verb, or action you wish the command to perform), followed by help:

/usr/bin/tmutil compare help

Before you start using Time Machine, you’ll want to set a backup source and destination. Before you do, check the destination that’s configured:

/usr/bin/tmutil destinationinfo

The output will include:

Name: TimeMachineBackup
Kind: Network
URL: afp://;AUTH=No%20User%20Authent@MyCloud-YAZ616._afpovertcp._tcp.local/TimeMachineBackup
ID: 265438E6-73E5-48DF-80D7-A325372DAEDB


Once you’ve checked the destination, you can set a destination. For example, the most common destination will be something like /Volumes/mybackupdrive where mybackupdrive is a drive you plugged into your computer for Time Machine. 

sudo /usr/bin/tmutil setdestination /Volumes/mybackupdrive

Once you’ve configured a destination for your backups, it’s time to enable Time Machine. The simplest verbs to use are going to be the enable and disable verbs, which you might guess turn Time Machine on and off respectively. For these, you’ll need elevated privileges. To turn Time Machine on:

sudo /usr/bin/tmutil enable

To then disable Time Machine:

sudo /usr/bin/tmutil disable

You can also kick off a backup manually. To do so, use the startbackup verb as follows:

sudo /usr/bin/tmutil startbackup

To see the status, once you’ve kicked off a backup (this one is gonna’ be hard to remember) use the status verb:

sudo /usr/bin/tmutil status

Or to stop a backup that is running (e.g. if your computer is running slowly and you think it’s due to a backup running), you’d use the stopbackup verb:

sudo tmutil stopbackup


Once backups are complete, you can see the directory they’re being stored in with the machinedirectory verb. This will become important when we go to view information about backups and compare backups, which require that directory to be available, as those options check local files and databases for information directly:

sudo /usr/bin/tmutil machinedirectory

Other options you can enable, include the ability to exclude files or directories from your backups. For example, you won’t likely want to backup your music or movies that were purchased on iTunes as they take up a lot of space and are dynamically restored from Apple in the event that such a restore is necessary. The verb to do so is addexclusion and this also requires sudo. So to exclude the user krypted’s ~/Music directory, you’d use a command as follows:

sudo /usr/bin/tmutil addexclusion /Users/krypted/Music

To then check if a directory is excluded, use the isexcluded verb and define the path:

sudo /usr/bin/tmutil isexcluded /Users/krypted/Music

If you make an errant exclusion do the opposite to remove, leveraging the removeexclusion verb:

/usr/bin/tmutil removeexclusion /Users/krypted/Music

Once a backup is complete, you can also check various information about the backups. This can be done using a few different verbs. One of the more common manual tasks that is run is listing the recent backups that can be restored. This is done using the listbackups verb with no operators (the backup directory needs to be available when run, so cd into that before using listbackups).

/usr/bin/tmutil listbackups

You can also view the latest backup, which is provided in the YYYY-MM-DD-HHMMSS format and can then be grabbed by your management tool:

/usr/bin/tmutil latestbackup

You can also compare backups so you can see the files that have been changed, added, and removed, as well as the size of the drift between the two backups. To do so, use the compare verb and provide the paths between the two backups that were obtained when using the listbackups verb, as follows:

/usr/bin/tmutil compare "/Volumes/mybackupdrive/Backups.backupdb/Krypted/2018-04-24-051014" "/Volumes/mybackupdrive/Backups.backupdb/Krypted/2018-04-24-061015"

In the above paths, mybackupdrive is the backup volume and Krypted is the source volume name. You can also look at all of the backups (and potentially derive future space requirements based on a trend line) by using the calculatedrift verb:

/usr/bin/tmutil calculatedrift /Volumes/mybackupdrive/Backups.backupdb/Krypted

At times, you may end up replacing infrastructure. So you might move backups to a new location, or move backups to a new solution. You can use the inherent backups to claim a new machine directory. So if you moved your backups from /Volumes/mybackupdrive/Backups.backupdb/Krypted to /Volumes/mylargerbackupdrive/Backups.backupdb/Krypted during an upgrade you might run the following so you don’t have to start backing up all over again and end up wiping out your backup history:

/usr/bin/tmutil inheritbackup /Volumes/mylargerbackupdrive/Backups.backupdb/Krypted

Or if you have both available at once, use the associatedisk verb with the new volume followed by the old volume:

sudo /usr/bin/tmutil associatedisk "/Volumes/mylargerbackupdrive/Backups.backupdb/Krypted" "/Volumes/mybackupdrive/Backups.backupdb/Krypted"

Or if you do want to start over but want to clear out old backups, you can use the delete verb followed by the path to the backup or snapshot, as follows:

sudo /usr/bin/tmutil delete /Volumes/mybackupdrive/Backups.backupdb/Krypted

There are also a few more verbs available, mostly for APFS. The localsnapshot verb creates new snapshots of APFS volumes, and is used with no operators, as follows:

sudo /usr/bin/tmutil localsnapshot

To then see the snapshots, use the listlocalsnapshots verb with the mount point of the volume:

sudo /usr/bin/tmutil listlocalsnapshots /

Which outputs as follows:

com.apple.TimeMachine.2018-04-20-061417

Or to constrain the output for easier parsing, use listlocalsnapshotdates:

sudo /usr/bin/tmutil listlocalsnapshotdates

Which outputs as follows:

2018-04-20-061417

And you can delete a snapshot with the deletelocalsnapshots verb, giving it that date:

sudo tmutil deletelocalsnapshots 2018-04-20-061417

Now, thinning out your backups is always an interesting task. And in my experience your mileage may vary. Here, you can use the thinlocalsnapshots verb to prune the oldest data from backups. In the following example, we’re going to purge 10 gigs of data:

sudo /usr/bin/tmutil thinlocalsnapshots / 10000000000

Finally, let’s talk about automated restores. You could use this type of technology to do a rudimentary form of imaging or rolling users into a new machine. To restore a backup, you would use the (shocking here) restore verb. First, let’s look at restoring a single file. In the following example, we’ll restore a file called mysuperimportantfile from a computer called mycomputername and provide the date of the snapshot we’re restoring from:

sudo /usr/bin/tmutil restore /Volumes/mybackupdrive/Backups.backupdb/mycomputername/2018-04-24-051015/Macintosh\ HD/Users/krypted/Desktop/mysuperimportantfile

Now, let’s look at restoring a volume. Here, we’re going to change our working directory to the root of our latest backup (while not booted to the volume we’re about to erase and overwrite with a backup):

cd "/Volumes/Time Machine Backup Disk/Backups.backupdb/mycomputername/Latest/Macintosh HD"

And then (this is dangerous, as it wipes out what’s on the old volume with the backed up data):

sudo /usr/bin/tmutil restore -v "/Volumes/Time Machine Backup Disk/Backups.backupdb/mycomputername/Latest/Macintosh HD" "/Volumes/Macintosh HD"

Now, let’s talk about what’s realistic. If I were to programmatically erase one of my coworkers’ data, I’d really, really want to verify that everything they need is there. So I’d run a checksum against the source and keep a copy of it, and only once I verify that absolutely everything is going where I want it to go would I proceed. I would trust a cloning tool, but would I want to basically write my own archival solution using tmutil? No. I’ve simply seen too many strange little tidbits here and there that make me not… exactly… trust it with other people’s data. With my own data, though… sure! <3

April 23rd, 2018

Posted In: Mac OS X, Mac OS X Server, Mac Security

Backblaze is a great cloud and on-prem backup tool for Mac and Windows. You can download Backblaze at https://secure.backblaze.com/download.htm. Once downloaded, extract the DMG and open the Backblaze Installer.

At the Installer screen, enter your existing credentials or create a new account and click Install Now.

The drive will then be analyzed for backup.

By default, once the analysis is complete, the computer will immediately start backing up to the Backblaze cloud. Let’s click on the Settings button to configure how the Backblaze app will work.

This opens the Backblaze System Preference pane. At the Settings tab, you’ll see a list of drives to back up and an option to set when to receive warnings when the computer hasn’t completed a backup recently.

By default, performance is throttled so as not to cause your computer to run poorly. Click on the Performance tab; here, you can disable that option.

By default, backups run continuously, as files are altered. You can use the schedule screen to move backups to a specific time (e.g. at 1am every night). I personally like having continuous backups if you have enough bandwidth to account for them. 

By default, the whole system is not going to get backed up. Click Exclusions and you can see what will be skipped and disable some of the skips.

By default, backups are encrypted using public keys. I inherently trust the people at Backblaze. But I still use an encryption key to add an extra layer of security to my backups.

To set that, click on the Security tab.

At the Security screen, click on Enter Your Private Encryption Key.

Once you’ve got a good backup policy set, click on the Reports screen to see what’s getting backed up!

April 10th, 2018

Posted In: Mac OS X, Mac Security