My latest Inc.com piece is up. This one focuses on perfecting your sales pitch. It starts as follows:
So how do you incite interest rather than yawns? Here are six simple tips.
You can find the rest of the article here: http://www.inc.com/charles-edge/how-to-pitch-your-product-in-6-easy-steps.html.
krypted February 16th, 2017
Posted In: Articles and Books
krypted February 10th, 2017
Posted In: MacAdmins Podcast
When you’re regression testing, you frequently just don’t want any delays for scripts unless you intentionally sleep your scripts. By default Safari has an internal delay that I’d totally forgotten about. So if your GUI scripts (yes, I know, yuck) are taking too long to run, check this out and see if it helps:
defaults write com.apple.Safari WebKitInitialTimedLayoutDelay 0
With a script I was recently working on, this made the thing take about an hour less. Might help for your stuffs, might not.
If not, to undo:
defaults delete com.apple.Safari WebKitInitialTimedLayoutDelay
krypted February 1st, 2017
The “What’s New in macOS” page for Sierra (10.12) lays out a little known change that a colleague at Jamf was working on the other day (hat tip to Brock):
Starting in macOS 10.12, you can no longer provide external code or data alongside your code-signed app in a zip archive or unsigned disk image. An app distributed outside the Mac App Store runs from a randomized path when it is launched and so cannot access such external resources. To provide secure execution, code sign your disk image itself using the codesign tool, or distribute your app through the Mac App Store. For more information, see the updated revision to macOS Code Signing In Depth.
This is further explained in the equally misnamed “OS X Code Signing In Depth“:
If using a disk image to ship an app, users should drag the app from the image to its desired installation location (usually /Applications) before launching it. This also applies to apps installed via ZIP or other archive formats or apps downloaded to the Downloads directory: ask the user to drag the app to /Applications and launch it from there.
This practice avoids an attack where a validly signed app launched from a disk image, ZIP archive, or ISO (CD/DVD) image can load malicious code or content from untrusted locations on the same image or archive. Starting with macOS Sierra, running a newly-downloaded app from a disk image, archive, or the Downloads directory will cause Gatekeeper to isolate that app at a unspecified read-only location in the filesystem. This will prevent the app from accessing code or content using relative paths.
The gist is, if an app isn’t signed via the Mac App Store, Gatekeeper is going to limit the ability of the app to launch via “Gatekeeper Path Randomization.” Basically, treat an app from a mounted drive as if it were coming from a Safari download. There are a few ways to distribute app bundles or binaries that do not violate this. One is to sign a disk image that contains such an app:
spctl -a -t open --context context:primary-signature -v /Volumes/MyApp/MyApp.dmg
If spctl runs properly, you should see the following:
/Volumes/MyApp/MyAppImage.dmg: accepted source=mydeveloperid
In the above spctl command, we use the following options:
For more on managing Gatekeeper from the command line, see http://krypted.com/mac-security/manage-gatekeeper-from-the-command-line-in-mountain-lion/.
Another method is to remove the lsquarantine attribute, which is automagically applied, using xattr as follows:
xattr -r -d com.apple.quarantine /Volumes/MyApp/MyAppImage.app
The options in the above use of the xattr command:
Xattr has a lot of different uses; you can programmatically manage Finder tags with it, http://krypted.com/mac-os-x/command-line-finder-tags/. To see the full
xattr dump on a given file, use the -l option as follows:
xattr -l com.apple.quarantine MyAppImage.dmg
The output is as follows:
xattr: No such file: com.apple.quarantine
00000000 62 70 6C 69 73 74 30 30 A1 01 33 41 BE 31 0B A5 |bplist00..3A.1..|
00000010 70 D4 56 08 0A 00 00 00 00 00 00 01 01 00 00 00 |p.V………….|
00000020 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00000030 00 00 00 00 13 |…..|
00000000 62 70 6C 69 73 74 30 30 A1 01 5F 10 22 63 69 64 |bplist00.._.”cid|
00000010 3A 69 6D 61 67 65 30 30 31 2E 70 6E 67 40 30 31 |:myappimage.dmg@01|
00000020 44 32 36 46 46 44 2E 35 37 31 30 37 30 46 30 08 |D26FFD.571070F0.|
00000030 0A 00 00 00 00 00 00 01 01 00 00 00 00 00 00 00 |…………….|
00000040 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |…………….|
00000050 2F |/|
This could be helpful when troubleshooting and/or scripting (or just way too much informations!).
Finally, if you’re an application developer, check out new API for App Translocation in the 10.12 SDK for
<Security/SecTranslocate.h> I guess one way to think of this is… Apple doesn’t want you running software this way any more. And traditionally they lock things down further, not less, so probably best to find alternatives to running apps out of images, from a strategy standpoint.
krypted January 25th, 2017
Built a quick extension attribute for Jamf Pro environments to check if TouchID is enabled and report back a string in $result – this could easily be modified and so I commented a few pointers for environments that might need to modify it (e.g. to check for user-level as it’s currently system-level). To see/have the code, check https://github.com/krypted/TouchID_check.
krypted January 18th, 2017
The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more and more these days. So, you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting given signing authorities if one is compromised. To check signing authorities, you can use
codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'
The options in the above command:
Then we pipe the output into a simple sed and get the signing chain. Or don’t. For example, if you’re scripting don’t forget a sanity check for whether an object isn’t signed. For example, if we just run the following for a non-signed app:
codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/
The output would be as follows:
/Applications/Utilities/XQuartz.app/: code object is not signed at all
krypted January 12th, 2017
Prepare for your network administrators to cringe… I’ve spoken on these commands but never really put them together in this way, exactly. So I wanted to find a coworker on a network. So one way to find people is to use a ping sweep. Here I’m going to royally piss off my switch admins and ping sweep the subnet:
Next, I’m going to run arp to translate:
Finally, if a machine is ipv6, it wouldn’t show up. So I’m going to run:
Now, I find the hostname, then look at the MAC address, copy that to my clipboard, find for that to get the IP and then I can flood that host with all the things. Or you could use nmap… :-/
krypted January 7th, 2017
macOS has keychains. Sometimes they’re a thing. When they are you might want to delete them. Let’s say you have an admin account. You want to keep the keychains for that account, but remove all the others. For this, you could do a shell operator to extglob. Or you could do a quick while loop as follows:
ls /Users | grep -v "admin" | while read USERNAME do; rm -Rf "/Users/$USERNAME/Library/Keychains/*" done;
If you borrow this, be careful.
krypted December 1st, 2016
You work for weeks, months, or years to build a business that is killing it. Then you get a huge new customer. You feel like you’ve been put on the map. But then the reality sets in. Maybe you won the business because you’re innovative, less expensive, faster, etc. But now you start getting completely destroyed by the overhead of making those sweet, sweet dollars from that new customer. Wouldn’t it have been great to have known about a few things to ask about? My response includes a few tips on how to work with them, that just might save you some serious margin!. Check it out at http://www.inc.com/charles-edge/how-to-work-with-big-companies-without-getting-caught-in-red-tape.html.
krypted November 18th, 2016
Posted In: Articles and Books
OK, I don’t talk politics, about personal stuff, etc on this site usually. And I’m not gonna’ start now. But with Give To The Max Day in Minnesota today, I did write an article on the meaning of Compassion on Huffington Post. It can be found at http://www.huffingtonpost.com/charles-edge/what-does-compassion-mean_b_12999974.html if you’re interested in such things; if not, hope you have a wonderful day!
krypted November 17th, 2016
Posted In: Tamarisk