  • Mac Security

    Use ChatGPT to Analyze macOS Logs for Anomaly Detection

    tldr: Posted this anomaly detector that uses ChatGPT at https://github.com/krypted/Lightweight-GPT-Log-Anomaly-Detector. It can be used untrained or with lightly trained troves of macOS system logs. Tweak to your delight…

    Use: A number of options may need to be run in a given environment. To do so, use the following:
    Create a virtual environment: python3.6 -m virtualenv venv
    Activate the virtual environment: source venv/bin/activate
    Install the requirements: pip install -r requirements.txt
    Create the log file: sudo log show --last 10m > log-info-10m.txt
    Run the script log-analysis.py to parse the log file and generate the anomalous log entries. Example usage:
    python log-analysis.py --log_filename log-info-10m.txt
    python log-analysis.py --log_filename log-info-10m.txt --use_error_keywords True --score_threshold 0.5
    python log-analysis.py --log_filename log-info-10m.txt --use_error_keywords…

  • WebAuthn and Passkeys

    Inspecting WebAuthn Traffic

    Just released v2 of a Chrome Extension that overrides the navigator.credentials.get and navigator.credentials.create endpoints to show the JSON that is sent and received during a WebAuthn transaction. The extension simply produces a dialog box that shows the JSON submitted to the appropriate endpoints on a server that supports Passkeys. It’s available as an unpacked Chrome extension at https://github.com/krypted/webauthn-inspector. The two primary attributes I was interested in exploring are “id” and “challenge”. If you visit webauthn.info and change the “Advanced Settings”, it’s easy to see how the other fields change as the settings change, and to compare these to sites (e.g. bestbuy.com) that have implemented some of the WebAuthn spec. In general, the id…

  • Mac OS X,  Mac OS X Server,  Mac Security

    Secure Keyboard Entry on macOS

    The Secure Keyboard Entry option has been in Terminal going back almost a decade. Secure Keyboard Entry was added as EnableSecureEventInput way back in Mac OS X 10.3. It was developed to protect the more sensitive inputs people provided, and so was also made into a public API. It was meant to protect the more sensitive types of data, so if we had a login screen with a password field or something else, we’d protect those with it. The purpose was to lock down which other processes could use the GetKeys function (once used to write keystroke loggers), tap the IOHIDDeviceInterface and IOHIDOptionsTypeSeizeDevice processes, or tap any events that involved any HID system…

  • Mac OS X,  Mac OS X Server

    Clear that QuickLook Cache

    Seems like just yesterday that I first wrote about using Apple’s QuickLook from the command line. And yet it’s been eight years: https://krypted.com/mac-security/qlmanage/. Guess time flies when you’re having fun. One thing that isn’t fun is when all of a sudden QuickLook stops generating previews for objects when you hit that space bar, or just provides a generic preview. I’ve been working with a lot of more resource-intensive file types recently, like .stl files, and these can clog the system up. Luckily, filling up the cache, or getting corrupted objects in the cache, is something Apple planned for, and this is cleaned during a reboot as part of standard…

  • bash

    Programmatically Generate qrcodes on macOS

    I recently needed to make device URLs easy for a service desk team to access. To do so I just piped the URLs into a little app called qrencode. First, I needed to install qrencode, which is pretty easy to do using brew:
    brew install qrencode
    Once installed, it’s trivial to pipe the quoted URL into the app with an output (or -o) into a png file. For example:
    echo "http://thehistoryofcomputing.libsyn.com" | qrencode -o ~/Desktop/History.png
    Once generated, you can use the camera on an iOS device to automatically open URLs by pointing it at the code and then tapping the notification that appears.

  • Apple TV,  Apple Watch,  Apps,  iPhone,  JAMF,  Mac Security,  MacAdmins Podcast

    Notes from the Underground: Apple WWDC and You

    Apple kicked off the annual WWDC conference yesterday and boy there was a flurry of information. There always is, but for people charged with managing Apple devices and vendors that support Apple devices there were some important releases. Some general themes to think about as you read through this list: Privacy is a thing. This includes securing files in the directories of a user by having the user accept a request to touch them (e.g. My Documents, er, I mean, Documents). This also means apps harvesting user data are doomed. The restrictions continue to flow in from iOS to the Mac. And that’s probably a good thing – as it…

  • Mac Security

    Controlling Multiple launchagents and launchdaemons concurrently

    Most of my examples for launchctl have been per-user, per-agent, per-daemon. But you can also control multiple launchctl targets concurrently. One example would be that you can unload everything in the user domain by not specifying a path but providing the userid. In the following example, we’ll just use $userid as a variable, but it’s worth noting that that would be, as an example, 501 for the :
    sudo launchctl bootout gui/$userid
    There’s another option that can be used to do the opposite from within single user mode, called bootshell. Bootshell is called similarly from single user mode:
    sudo launchctl bootshell

  • Mac OS X

    Device Snapshots and Crafting A Restore Device User Experience for Macs

    I recently worked on something where a design requirement was to build a good snapshot restore option but not to use Time Machine backups. You can capture a snapshot of a Mac without enabling Time Machine. You’d still use the same binary as you would with Time Machine, /usr/bin/tmutil, but simply use the snapshot verb as follows:
    /usr/bin/tmutil snapshot
    Once you’ve run that, you get output similar to the following:
    Created local snapshot with date: 2019-04-12-110248
    Now you have a snapshot that can be used to restore a Mac using the steps shown in this article: https://maclovin.org/blog-native/2017/restoring-from-a-snapshot-with-apfs. You can make a snapshot at the provisioning…