The WPA Crack

Glenn Fleishman over at Ars Technica has a great article explaining the new WPA crack. Here’s the quick & dirty explanation:

[I]t’s a method of decrypting and arbitrarily and successfully re-encrypting and re-injecting short packets on networks that have devices using TKIP. That’s a very critical distinction; this is a serious attack, and the first real flaw in TKIP that’s been found and exploited. But it’s still a subset of a true key crack.

Tews pointed out that “if you used security features just for preventing other people from using your bandwidth, you are perfectly safe,” which is the case for most home users. Someone can’t use this attack to break into a home or corporate network, nor decipher all the data that passes.

Fortunately, WPA2’s AES encryption is not susceptible to this crack, so making sure your AirPort & WiFi networks are switched over to WPA2 is best done sooner rather than later. If you still have some 802.11b/g clients that only support WPA, you’ll want to assess how much of a risk this is for your environment.

[Via Daring Fireball]

Mac OS X Snow Leopard: Brief Overview

The next edition of Mac OS X Server, dubbed “Mac OS X Snow Leopard”, will include a few major enhancements and additions. I for one am hoping the Address Book server & the iCal server will become more groupware-based. The iCal server right now is, and I lightly say, TERRIBLE. It’s definitely a step in the right direction but I think it’s implemented poorly. How about you, what new feature in Mac OS X Snow Leopard Server are you most looking forward to?

iCal Server 2
iCal Server, a calendaring and scheduling service based on open standards, was the first commercial CalDAV calendar server. Snow Leopard Server follows up with the next major release of iCal Server, which includes group and shared calendars, push notifications, the ability to send email invitations to non-iCal Server users, and a browser-based application that lets users access their calendars on the web when they’re away from their Mac.

Collaboration
Leopard Server provided businesses with the power of online group collaboration through the use of wikis, blogs, mailing lists, and RSS feeds. Snow Leopard Server furthers collaboration with wiki and blog templates optimized for viewing on iPhone; content searching across multiple wikis; and attachment viewing in Quick Look. It also introduces My Page, which gives users one convenient place to access their web applications, receive notifications, and view activity streams.

Remote Access
Secure remote access to your business network has never been more critical than in today’s increasingly mobile world. Snow Leopard Server delivers push notifications to mobile users outside your firewall, and a proxy service gives them secure remote access to email, address book contacts, calendars, and select internal websites.

Multicore
More cores, not faster clock speeds, drive performance increases in today’s processors. Snow Leopard Server brings unrivaled support for multicore processors with “Grand Central,” a new set of built-in technologies that makes all of Mac OS X Server multicore aware and optimizes it for allocating tasks across multiple cores and processors. Grand Central also makes it much easier for developers to create programs that squeeze every last drop of power from multicore systems.

ZFS
For business-critical server deployments, Snow Leopard Server adds read and write support for the high-performance, 128-bit ZFS file system, which includes advanced features such as storage pooling, data redundancy, automatic error correction, dynamic volume expansion, and snapshots.

Podcast Producer 2
Podcast Producer 2, an end-to-end solution for encoding, publishing, and distributing high-quality podcasts, features an intuitive new workflow editor that leads you through all the key steps involved in creating a successful podcast. This includes everything from selecting videos, transitions, titles, and effects to adding watermarks and overlays to specifying encoding formats and target destinations — wiki, blog, iTunes U, Podcast Library — for your finished podcast. Support for dual-video source capture lets users record both a presenter and a presentation screen, allowing a picture-in-picture style ideal for podcasting lectures. Podcast Producer now includes Podcast Library, which lets you host locally stored podcasts and make them available for subscription by category via automatically generated Atom web feeds.

Mail Server
Mac OS X Server’s open standards-based mail service is the ideal server for small businesses or companies looking to bring email in-house. Snow Leopard Server dramatically increases its performance and scalability with an overhauled engine designed to handle thousands of simultaneous connections. Mail services have been enhanced to include server-side email rules and vacation messages.

Address Book Server
Introducing the first open standards-based Address Book Server, Snow Leopard Server makes it easier than ever to share contacts across multiple computers. Based on the emerging CardDAV specification, which uses WebDAV to exchange vCards, Address Book Server lets users share personal and group contacts across multiple computers and remotely access contact information without the schema limitations and security issues associated with LDAP.

64-bit
To accommodate the enormous amounts of memory being added to today’s servers, Snow Leopard Server uses 64-bit kernel technology to support breakthrough amounts of RAM — up to a theoretical 16TB, or 500 times what is possible today. More RAM makes server applications run faster and dramatically improves the total number of simultaneous network connections that can be made.

OpenCL
Another powerful Snow Leopard technology, OpenCL (Open Computing Language), makes it possible for developers to efficiently tap the vast gigaflops of computing power currently locked up in the graphics processing unit (GPU). With GPUs approaching processing speeds of a trillion operations a second, they’re capable of considerably more than just drawing pictures. OpenCL takes that power and redirects it for use in high-performance computing applications like genomics, video encoding, signal processing, and simulations of physical and financial models.

[Via Apple]

Mac OS X 10.5.5 Server Admin Tools & Apple Remote Desktop 3.2.2

The past couple of days have seen a number of software updates related to Mac OS X Server, including Mac OS X Server 10.5.5 (combo), which brings fixes and improvements for:

- directory service reliability and authenticating new File Sharing connections
- binding and authentication in Active Directory environments
- editing Wiki content in Safari, Firefox and Internet Explorer
- viewing Wikis and Blogs from an iPhone or iPod touch
- searching with Spotlight in the Finder and on the web
- sending ‘Welcome’ email messages to users in Server Preferences
- importing users and working with nested groups in Server Preferences
- randomization of DNS source ports and transaction IDs
- updating DNS information when server IP address changes occur
- hosting DHCP services
- supporting private events in iCal
- synchronizing Portable Home Directories
- enabling Software Update Server
- using SNMPv3 services
- hosting with WebObjects; update to version 5.4.3
- hosting mail services for users with long user names
- preventing mail server database corruption
- ensuring security of LDAP password hashes
- propagating password changes to Open Directory replicas
- creating and editing DNS records in Server Admin
- using System Image Utility to create NetBoot and NetInstall images
- creating augment directory records in Advanced server configuration
- using Managed Preferences when clients are bound to Active Directory
- providing RADIUS authentication to 802.11n-enabled AirPort Base Stations

And, of course, there’s the 10.5.5 Server Admin Tools to go with it:

Server Admin

- Server Admin can now correctly enable and show the status of RADIUS or Kerberos authentication for the PPTP VPN service.
- RADIUS service now reliably displays the primary IP address for 802.11n-enabled AirPort Base Stations.
- Server Admin can now sort by Value in the Zones tab of the DNS service.

System Image Utility

- Fixes issues with certain options in the Apply System Configuration Settings action, including “Change ByHost settings”, “Apply Computer Name and Local Hostname”, and “Map clients to other directory servers”.
- The Add Packages and Post-Install Scripts action now works correctly when creating a NetInstall image from a volume.

Workgroup Manager

- Improves browsing, adding, and removing computers to or from a computer group.

Last, but not least, Apple Remote Desktop Admin and client have been updated to version 3.2.2:

- Improved reliability with the Copy Items command.
- Upgrade Client Software command now uses unicast packets for improved reliability on some networks.
- Fixes to the Force Quit All Applications and Copy Items to Computer Automator actions.

Let us know any success or horror stories you may have related to these updates.

Mac OS X Snow Leopard: RAM

Snow Leopard’s across-the-board leap to 64-bits, from the kernel to all of its bundled apps, will do more than just make more memory available. It will also have a significant positive impact on performance system wide, even more than the same jump to 64-bits in Windows Vista. Here’s why.

Source: AppleInsider.com

OS X 10.5 - Forwarding DNS to OpenDNS.com

Just recently I had a consulting appointment with a school that needed to use a proxy server in order to block students from inappropriate websites. Before my visit they were using a tangerine iBook with OS 9 and some piece of software that did the proxy work. After some thought we came up with the idea of using OS X Server (since they were also running that) as the proxy server. It was much more up to date and it seemed like it would be pretty easy to transfer the list from the iBook’s proxy software to OS X Server. Unfortunately, I have a feeling the list was so huge that it kept crashing the Web service, so it was back to the drawing board.

We finally decided to use OpenDNS and after some initial testing it all seemed to work fine. We assigned all the student computers static IPs and set up DNS using the OS X Leopard server’s IP first and then OpenDNS. We included the server’s IP first because it allowed the clients to find the server for network home directory use, and then I assumed it would use OpenDNS second (for all other queries).

Unfortunately, while we could log in to the network home directories, OpenDNS and blocking inappropriate websites failed to work. Puzzled, I searched for a way to allow us to use the server for initial DNS, but anything else had to pass through OpenDNS. A quick search through the knowledge base turned up this article. Basically you just had to add a few lines into one of the DNS configuration files. Really simple. When I restarted the DNS service, nothing worked. I believe that is because the article linked above is for OS X Server Tiger and previous versions. After looking around in the DNS service settings (via the Server Admin tool) I found a box called ‘DNS Forwarding’. I simply plugged in the OpenDNS IP addresses and removed all but the server’s IP from the clients’ DNS servers.

I restarted the DNS service, rebooted the client machine for good luck and attempted to log in to the network home directory. It worked! Next I tried loading a site on my OpenDNS blacklist and it too was blocked. It worked just as I had wanted it to.

DNS Forwarding in my understanding works like so:

  • The client machine uses the server’s IP as its main DNS server.
  • In my case the server contains one DNS entry (well, two if you count the reverse DNS record). The one record is for itself. That way the clients know of the server.
  • Anything that isn’t in the server’s DNS list gets sent to the entries in your DNS Forwarding records. In this case it was OpenDNS, so pretty much every request except ones for the server was forwarded to OpenDNS.
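
Mac OS X Server’s DNS service is BIND, and the ‘DNS Forwarding’ box in Server Admin corresponds to BIND’s forwarders option. As an added example (not from the original post or from Apple’s documentation), this is the hand-written named.conf form of the same setup; the forwarder addresses are OpenDNS’s published resolvers, and the LAN range and zone name are assumed:

```conf
options {
    // Only answer recursive queries from the school's own LAN (assumed
    // 192.168.1.0/24) so the server is not an open resolver on the Internet.
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };

    // OpenDNS resolvers (OpenDNS's published addresses, not from the post).
    forwarders { 208.67.222.222; 208.67.220.220; };

    // "forward only": never fall back to querying the root servers directly.
    // With "forward first" a forwarder outage would silently bypass the
    // content filtering; with "forward only" it fails visibly instead.
    forward only;
};

// The one zone the server answers for itself (zone name assumed): its own
// record, so clients can find the network home directory server.
// Everything not in this zone is forwarded to OpenDNS.
zone "school.example" {
    type master;
    file "school.example.zone";
};
```

Clients then list only the server’s address as their DNS server, exactly as the post describes; if they keep OpenDNS as a second entry they can still reach the server but lose the guarantee that every query passes through the filter.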

Hopefully this article can help people who use in-house DNS and are also looking for a way to send other DNS queries to outside services such as their ISP’s DNS servers or even OpenDNS.

Mac OS X 10.5.4 Leopard Server Released

Yesterday Apple released an update of Leopard Server to version 10.5.4, including the following changes:

- directory service reliability and authenticating new File Sharing connections
- binding and authentication in Active Directory environments
- editing Wiki content in Safari, Firefox and Internet Explorer
- searching with Spotlight in the Finder and on the web
- sending ‘Welcome’ email messages to users in Server Preferences
- importing users and working with nested groups in Server Preferences
- hosting DHCP services
- supporting private events in iCal
- synchronizing Portable Home Directories
- enabling Software Update Server
- using SNMPv3 services
- hosting with WebObjects 5.4.2
- hosting mail services for users with long user names
- preventing mail server database corruption
- ensuring security of LDAP password hashes
- propagating password changes to Open Directory replicas
- creating and editing DNS records in Server Admin
- creating augment directory records in Advanced server configuration
- using Managed Preferences when clients are bound to Active Directory

Mac OS X Server Combo 10.5.4 is available for download from Apple’s web site as well as via Software Update.

Please let us know your experiences, positive or negative.

VPN Server with a Public IP Only

Before I switched over to a Mac Mini for my Apple servers I used Xserves, which had dual Ethernet ports. This allowed for an external public IP and an internal private IP address. This of course is the optimal setup for creating a VPN when using Mac OS X Server.

Initially I thought I had set up my VPN correctly, as I was able to connect to it, although after looking at some websites and AFP shares from the server, I wasn’t getting the results I had wanted.

Unfortunately after checking my IP when I was on the web, I noticed it was still using my non-VPN IP which meant all my web traffic was not going through the VPN. I then tried to connect to some AFP shares, and they worked, but after looking in Server Admin, I was still connecting with my Verizon IP address, and not the IP from the VPN.

Speaking with my good friend, we figured out that the IP blocks couldn’t be the same. I was dishing out 192.168.1.x from the VPN and my local network was also dishing out that same block. I also had to make sure “Send all traffic through VPN” was switched on. This parameter can be found in System Preferences >> Network >> VPN Connection’s Advanced button >> under the Session section. It’s turned off by default, but make sure it’s turned on.

Now for the IP block that the VPN dishes out, I changed that to something a bit more secure, something that normal home routers don’t dish out. I chose 192.168.10.x, which I’ve yet to see a DHCP/home router dish out. I would think you might find that block in a bigger organization, but it should be safe to use. Saved that setting and then I tried to connect. Unfortunately, it didn’t work right just yet.

Then I added a virtual interface to the single Ethernet port and assigned it an IP address within the range that the VPN server was handing out. I gave it the router address of my public IP and then tried to connect again.

It worked! So in summary, when you’ve got a server with a single Ethernet port and an external IP address, it’s a good idea to:

  • Give it a virtual interface
  • Change the block range of IPs your VPN hands out
  • Give your virtual interface an IP from that range
  • Make sure your client(s) have the “Send all traffic through VPN” turned on. Security is good :)
  • Verify that it’s working correctly by visiting FindMyIP.com and looking in Server Admin

I’ve also allowed people to connect to the AFP service ONLY if they’re coming from the VPN IP range, which is much more secure than letting everyone connect to it.
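
The three conditions the post arrives at by trial and error (the VPN pool must not overlap a client’s home LAN, the server’s virtual interface must sit inside that pool, and AFP should accept only VPN-range sources) can be checked before touching Server Admin. This is an added example, not code from the original post; the subnets in it are constructed.

```python
"""Subnet sanity checks for a VPN on a single-NIC Mac OS X Server.

Added example (not from the original post). All addresses below are
constructed; the checks only use the standard library.
"""
import ipaddress
from typing import Iterable, List


def pool_overlaps_client_lan(vpn_pool: str, client_lan: str) -> bool:
    """True when a VPN client's own LAN uses the same block as the VPN pool.

    With an overlap the client keeps routing that block to its local link
    instead of the tunnel, which is why the post still saw its Verizon
    address in Server Admin after connecting.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    lan = ipaddress.ip_network(client_lan, strict=False)
    return pool.overlaps(lan)


def virtual_interface_in_pool(vpn_pool: str, vif_address: str) -> bool:
    """The virtual interface added to the single Ethernet port must carry an
    address from the pool the VPN hands out, or VPN clients cannot reach it."""
    return ipaddress.ip_address(vif_address) in ipaddress.ip_network(
        vpn_pool, strict=False)


def afp_allowed(source_ip: str, vpn_pool: str) -> bool:
    """Mirror of the post's AFP rule: only sources inside the VPN range
    may connect; a direct hit from the Internet is refused."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(
        vpn_pool, strict=False)


def review_setup(vpn_pool: str, vif_address: str,
                 client_lans: Iterable[str]) -> List[str]:
    """Return the list of problems found; empty means the checklist passes."""
    problems = []
    for lan in client_lans:
        if pool_overlaps_client_lan(vpn_pool, lan):
            problems.append(f"VPN pool {vpn_pool} overlaps client LAN {lan}")
    if not virtual_interface_in_pool(vpn_pool, vif_address):
        problems.append(
            f"virtual interface {vif_address} is outside VPN pool {vpn_pool}")
    return problems


if __name__ == "__main__":
    # The post's original setup: pool and home LAN were both 192.168.1.0/24.
    print(review_setup("192.168.1.0/24", "192.168.1.1", ["192.168.1.0/24"]))
    # The fixed setup: pool moved to 192.168.10.0/24 with the virtual
    # interface inside it; common home-router blocks no longer collide.
    print(review_setup("192.168.10.0/24", "192.168.10.1",
                       ["192.168.1.0/24", "192.168.0.0/24"]))
    print(afp_allowed("192.168.10.7", "192.168.10.0/24"),
          afp_allowed("203.0.113.5", "192.168.10.0/24"))
```

The “Send all traffic through VPN” setting is a client-side switch and cannot be checked from the server; the post’s FindMyIP.com test remains the way to confirm it.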

Quick Tip: On Using Server Assistant

Server Assistant is a wonderful tool that allows OS X Server administrators to install and configure their server(s) remotely. I personally have used the tool multiple times in setting up servers, but not to install OS X Server to a machine.

Finally this past week I got the chance to do it. Despite being incredibly easy to do, there was one drawback that will definitely make me think twice about using it in that fashion again.

It will not allow you to choose which packages to install and which to leave out. Because of this I had to install all 11.4GBs instead of the 5-6GBs that I usually do. I tend to leave out the languages, printer drivers and fonts.

If there’s one thing I hope Apple fixes, it’s being able to select which packages to install and which not to when using Server Assistant to do a remote server install.

Just a heads up for people interested in doing remote OS X Server installs, keep in mind you won’t be able to choose the software that gets installed and make sure you can afford to spend ~11GBs of drive space!

Software RAID In OS X Leopard

I really enjoy how easy Tiger and Leopard make setting up RAIDs. A RAID is essentially a collection of hard drives connected together. There are multiple RAID types but I generally stick with the mirror RAID type as it works well for my purposes.

To the point: one of the two drives in my mirror RAID failed. It made those telltale clicking noises and wouldn’t mount at all. I opened up Disk Utility and sure enough it reported that my RAID was degraded. A day or two later I had bought a new hard drive to replace the failed one. I connected it up to my system and opened up Disk Utility again. I added the new drive (a simple drag and drop) into my degraded RAID and clicked on ‘rebuild’. Within a few seconds I was told that the ‘filesystem was unrecognized’ and the RAID could not be rebuilt. After trying again multiple times, I was prompted with that lovely message each time.

Being that I had about 450GBs of data on that RAID set, I wasn’t about to give up so easily. I searched Google for the exact error message that I was getting. I came across 2 good sources.

First was this thread in the Apple mailing lists. Apparently it’s a known bug. Great. Unfortunately the site didn’t seem to provide any solution for fixing the degraded RAID set.

The second link was to the Apple discussion boards. A few posts down a user posted a solution that worked and was confirmed working by following posts from other users. With only 450GBs of data to lose I thought I’d just give it a shot!

So a few days later I came back with my Leopard install disk and booted the machine off that. I opened up a terminal window and used the following commands (taken right from the post):

  • diskutil list (to find the partition that is going to be added)
  • diskutil checkRAID (to get the RAID UUID)
  • diskutil addToRAID member <new partition> <RAID UUID> (argument form as given in diskutil’s own usage text; the post listed only the verb)
  • diskutil checkRAID (to watch the rebuild)
  • diskutil removeFromRAID <failed member> <RAID UUID> (to remove the “Failed” drive once the rebuild is done)

12-13 hours later my RAID had been rebuilt and worked just great! It’s too bad that Disk Utility isn’t working the way it should, although I could have sworn that I read something about 10.5.1 including a fix so that it works the way it should, and doesn’t return the ‘unrecognized filesystem’ error. Either way, if you have a degraded RAID system and are receiving that error when trying to rebuild it, the previous steps should get you back on track.

Of course, if you’ve got some really important data, aren’t too daring, and use a mirror RAID, I recommend copying all the data to another drive, purchasing a new drive for the RAID set, destroying the current set and then creating it again with the new drive. Then copy the data back over.