Norton (Anti)Virus

The number one security-related threat to Mac users at Stanford is Symantec’s Norton AntiVirus 10.0. With backing from Residential Computing (Rescomp), Norton AV has caused more pain and suffering at Stanford than any OS X-based virus could aspire to.

How It Spread

Before I get into the dastardly nature of Norton AV and how to kill it, I’d like to cover its propagation from Rescomp. Naturally, Rescomp requires faculty and students to register their devices before they can use them to access Stanford’s network. The first step in this process is to run their Computer Health Tool, some software that, among other shady data mining operations, will prevent registration if it doesn’t find any anti-virus software installed.

A variety of anti-virus suites satisfy the Computer Health Tool (see the bottom of the CHT’s page for a list) but Stanford’s recommendation for Panther, Tiger, and Leopard users is Norton AV. Rescomp has a crazy licensing deal with Symantec and offers Norton AntiVirus 10.0 free to anyone with a Stanford ID, as part of their “Essential Stanford Software” suite.

Basically, anyone who isn’t hyper-aware of where Rescomp is directing them will follow this path to a Norton AV install: registration requires Computer Health Tool check, Computer Health Tool check requires an anti-virus program, and Stanford provides Norton AV. Most students I’ve talked to whizzed through every “Continue” button in this process, and all regretted it.

The easiest way to avoid ending Rescomp’s registration process with Norton AV installed is to specify an archaic operating system (OS 8 or 9 will both do) when prompted to download the Computer Health Tool. This will bypass the CHT altogether and lead directly to registration, without getting Norton AV involved at all.

Why It Sucks

Rescomp acknowledges some of the “malware on OS X” dialogue’s finer points in its description of Norton AV:

The majority of the virus and worm attacks do not affect Macintosh users. However, some users may unwittingly promote virus attacks if they use Microsoft Outlook or other MS products.

Indeed, whether Mac users need anti-virus software at all is debatable. Whether Mac users need a steaming pile, however, is not—and Norton AV is significantly closer to the latter than the former. In fact, Norton AV has all of the essential qualities of a nasty computer virus: it mucks about in system folders, invades most aspects of the Mac user interface, bogs down the CPU, causes hangs and crashes, is difficult to cleanly uninstall, and generally decreases productivity while generating frustration.

Norton AV’s first sin is its installer, which forces the user to install 18 separate components. I love how the “Customize” interface teases with greyed-out radio buttons:

So Customizable!

Symantec doesn’t include any list of installed files in Norton’s readme or user guide. So, I used Pacifist to examine Norton AntiVirus Installer.pkg’s 18 components and compile a list of every file it copies to the hard drive during an installation of Norton AntiVirus 10.0:

/Applications/Norton AntiVirus
/Applications/Symantec Solutions/*
/private/etc/Symantec.conf
/Library/Application Support/Norton Solutions Support/*
/Library/Contextual Menu Items/NAVCMPlugin.plugin
/Library/Documentation/Help/Norton Help Scripts/*
/Library/Frameworks/Stuffit.framework/*
/Library/Preference Panes/APPrefPane.prefPane
/Library/Preference Panes/SymantecQuickMenu.prefPane
/Library/PrivateFrameworks/SymAppKitAdditions.framework/*
/Library/PrivateFrameworks/SymBase.framework/*
/Library/PrivateFrameworks/SymNetworking.framework/*
/Library/PrivateFrameworks/SymScheduler.framework/*
/Library/PrivateFrameworks/SymSystem.framework/*
/Library/StartupItems/NortonAutoProtect/*
/Library/StartupItems/NortonMissedTasks/*
/Library/Widgets/Symantec Alerts.wdgt
/System/Library/Extensions/KTUM.kext
/System/Library/Extensions/SymEvent.kext
/System/Library/Extensions/SymOSXKernelUtilities.kext
/Users/Shared/NAV Corporate
/usr/bin/navx

During use, Norton AV will also generate several preference files in ~/Library/Preferences/, which can be identified by the “com.symantec” in their filenames.

There are several objectionable elements in the above file list. The first item, Norton AntiVirus, is an alias to /Applications/Symantec Solutions/Norton AntiVirus.app. To counter stupidity like this, I don’t think OS X should support aliases whose target is less than two directories away. If Symantec wanted more presence in the Applications folder, why didn’t they just install Norton AntiVirus.app there in the first place and avoid the useless alias altogether?

Notice that Norton populates an astounding eight folders in /Library, which makes it a ubiquitous presence in OS X. Norton AV 10.0 includes four application bundles, a menubar item, a widget, a contextual menu item, and not one, but two preference panes. These various manifestations rely on three background processes (not including the widget) which, according to Activity Monitor, are responsible for eating around 30 MB of real memory. Words cannot express how obnoxious this is. If I could right click with all four Norton applications open, my dashboard forward, and System Preferences up, I would actually see seven independent manifestations of Norton AV at once, all with overlapping feature sets and options. Holy Norton-spam:

How many Nortons can you spot?

The pathetic part is, Norton AV could easily be just as useful if it comprised one preference pane and one background process.

Stuffit.framework is the backbone for Smith Micro’s Stuffit (.sitx) archive format, a relic of pre-Tiger days when the Mac was not .zip-friendly. Why Norton AV uses Stuffit I have no clue, but its presence in the installer is yet another indication that Symantec is behind the times—so behind the times, it turns out, that Norton AV relies on an outdated version of the outdated archive format, and is actually broken by Stuffit updates.

Finally, and most crucially, Norton AV commits a faux pas by installing three kernel extensions in the /System directory, which is reserved for the inner workings of OS X and generally should not be messed with. The first section in Apple’s article on kernel extensions is “Why to Avoid KEXTs,” and warns

Finally, for security reasons, some customers restrict or don’t permit the use of third-party KEXTs. As a result, use of KEXTs is strongly discouraged in situations where user-level solutions are feasible… When you are trying to determine if a piece of code should be a KEXT, the default answer is generally no.

I’m not a programmer, but Norton AV does not achieve any functionality that I’ve been unable to duplicate using other applications which do not rely on any kernel extensions. This leads me to believe that its kernel extensions fall into the category of “strongly discouraged in situations where user-level solutions are feasible,” and are ultimately unnecessary tampering with OS X’s internals. In any case, their sheer number (three .kext files for one anti-virus suite) makes Norton AV’s presence in /System shady at best.

I won’t get into the Norton AV user experience much. It rivals the installation in suckiness. I’m just going to cover one egregious behavior that is responsible for much angst, force quitting, and hard rebooting at Stanford: Auto-Protect.

Auto-Protect is an on-by-default “feature” of Norton AV that protects Mac users by crashing their computers when they plug in their iPods. More specifically, it automatically scans every file on every removable disk upon mount, checking for malware that might produce such nuisances as, say, 100% CPU load upon mounting a removable disk.

Where Auto-Protect runs into trouble is with drives containing thousands of files—iPods and external hard drives, for example. The task of indexing and scanning each file on such a massive disk is enough to occupy any Mac’s CPU, cause OS X to hang, and, in many cases I’ve observed, lead to a beach ball of death and a hard reboot. At the very least, Auto-Protect forces users to click “Cancel” whenever they mount a disk image—a process that is by now responsible for costing Stanford students and professors enough man-hours to prove the Riemann Hypothesis and then go out for celebratory drinks.

Auto-Protect might be a good idea, if it operated with any intelligence whatsoever. It doesn’t remember disks it has scanned before or recognize “trusted” disks such as iPods or external drives. And here’s something mind-blowingly ironic: Auto-Protect actually scanned the Norton AV disk image—and, potentially worse, deemed it safe for installation!

Stanford is making a serious mistake by recommending that Mac users install Norton AntiVirus. I wouldn’t touch Norton AV even if I believed that Macs were involved in the spread of malware at Stanford, and other Mac owners at Stanford should do anything in their power to avoid it.

Instead, I recommend the simple, free, and open source virus scanner ClamXAV. ClamXAV requires only one file to keep your computer healthy: ClamXAV.app.

How to Uninstall It

This post wouldn’t be complete if I didn’t offer Norton AV’s victims a way out.

Symantec was kind enough to include an uninstaller as one of Norton AV’s 18 components: /Applications/Symantec Solutions/Symantec Uninstaller. In Norton AV’s tradition of behaving quite like the viruses it was created to destroy, however, the uninstaller only deletes a fraction of Norton AV’s installed files.

To perform a real uninstall, a) manually delete every file I listed above or b) run the uninstaller and then clean up the remaining garbage by hand. Option b is faster, especially because I’ve already gone through the trouble of finding all the files that the uninstaller neglects:

/Library/Application Support/NAV.history
/Library/Application Support/Norton Solutions Support/*
/Library/Frameworks/Stuffit.framework/*
/Library/StartupItems/NortonAutoProtect/*

Don’t forget the “com.symantec” .plist files that Norton generates in ~/Library/Preferences. These are also missed by the uninstaller.

In short: run the uninstaller, trash the above files, and restart to begin a new, happier, life without Norton AV. If Rescomp asks to run their Computer Health Tool, feign outdated-ness and specify OS 8.
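Here is an added example, not code from the post or from Symantec, that turns the cleanup step into a POSIX shell audit: it checks the leftover paths listed above plus the com.symantec preference files, reports what is still present, and removes them only when asked. The function name nav_residue and the --audit/--delete arguments are my own; the kextstat check assumes an OS X machine and is skipped elsewhere.

```shell
#!/bin/sh
# Added example, not from the post: audit (and optionally remove) the
# Norton AntiVirus 10.0 files that the Symantec Uninstaller leaves behind,
# using exactly the leftover paths the post lists plus the
# com.symantec*.plist files in ~/Library/Preferences.
# Report-only by default; pass --delete as the third argument to remove them.

# Leftovers relative to the system root, one per line (the spaces in the
# names are real, so the list is split on newlines only).
NAV_LEFTOVERS='Library/Application Support/NAV.history
Library/Application Support/Norton Solutions Support
Library/Frameworks/Stuffit.framework
Library/StartupItems/NortonAutoProtect'

# nav_residue ROOT HOMEDIR [--delete]
#   ROOT     system root to inspect (normally /)
#   HOMEDIR  home directory whose Library/Preferences is checked (normally $HOME)
# Prints one line per leftover path that still exists. Exit status is 1 when
# any residue was found (in either mode), so a clean system exits 0.
nav_residue() {
    root=${1%/}
    home=${2%/}
    mode=${3:-}
    found=0

    # Walk the fixed list, splitting on newlines only, then restore IFS.
    old_ifs=$IFS
    IFS='
'
    for rel in $NAV_LEFTOVERS; do
        path="$root/$rel"
        [ -e "$path" ] || continue
        found=1
        printf '%s\n' "$path"
        [ "$mode" = "--delete" ] && rm -rf -- "$path"
    done
    IFS=$old_ifs

    # Per-user preference files the uninstaller also misses.
    for plist in "$home"/Library/Preferences/com.symantec*; do
        [ -e "$plist" ] || continue    # an unmatched glob stays literal; skip it
        found=1
        printf '%s\n' "$plist"
        [ "$mode" = "--delete" ] && rm -f -- "$plist"
    done

    # The three kexts should be gone after the uninstaller and a reboot; warn
    # if one is still loaded (kextstat is an OS X tool, skipped elsewhere).
    if command -v kextstat >/dev/null 2>&1; then
        kextstat 2>/dev/null | grep -q -i -e SymEvent -e KTUM -e SymOSXKernelUtilities \
            && printf 'warning: Symantec kernel extension still loaded; reboot first\n' >&2
    fi

    [ "$found" -eq 0 ]
}

# Typical use after running the Symantec Uninstaller:
#   sh nav_residue.sh --audit              # report only
#   sudo sh nav_residue.sh --audit --delete
if [ "${1:-}" = "--audit" ]; then
    nav_residue / "$HOME" "${2:-}"
fi
```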

I sincerely hope that Rescomp sees a surge in the number of Macbooks running archaic operating systems come next year’s network registrations—every computer that avoids Norton is a small victory for Stanford’s Mac community.

Ten Reasons to Stick with Safari

Every few months I’ll open up Activity Monitor to see what is eating my RAM and notice Safari chilling at about 500 MB real memory usage. This is an outrageous RAM footprint for a web browser—most operating systems’ core functions can run speedily on half a gig of real memory.

Disgusted, I vow never to use Safari again and switch to some alternative browser, usually the lightweight Camino. After a few minutes’ worth of browsing, though, I begin to remember why Safari is worth its resource demands. This list is to remind me why I shouldn’t swear off Safari: because, if you can spare the RAM, it’s hands down the best web browser for OS X.

1. “Open Page With”

Open page with

Many Apple applications have a hidden debug menu. To activate Safari’s debug menu, simply run the following terminal command:

defaults write com.apple.Safari IncludeDebugMenu 1

When you restart Safari, you should see “Debug” to the right of “Help” in your menubar. The debug menu has several handy features (another one of which is next in this list) but what I most often use it for is the “Open Page With” function, which will load the frontmost site in any other browser you’ve installed, with one click of the mouse.

This function is a huge timesaver for testing websites or making sure a certain page is loading properly in Safari.

2. The Web Inspector

Safari 3’s biggest improvement over Safari 2 is in a feature that most of its users don’t even know exists: the web inspector. Accessible from the debug menu, the inspector is a window into the code that makes up the frontmost page.

As someone who is attempting to learn CSS and HTML on the fly, I can tell you that the web inspector is invaluable for debugging. It’s compact and slick to boot, so give it a spin even if you’re not into web design. Sometimes it’s just interesting to reduce the internet to plain text.

3. The Activity Window

As I explained in a post about using Safari to download YouTube video, the activity window is simply a list of every file that composes the frontmost site. It can be opened from the Window menu.

If you are having trouble loading a certain page, the activity window may reveal why. It’s also useful for identifying advertising sources and downloading hidden files.

4. Attractive, Windowless In-Line Searching

Safari's in-line search function

I’m a sucker for clean, flashy graphics, and Safari’s find function is a case in point. Unlike Camino or Safari 2, which pop find windows in your face, Safari 3 slides out a find bar in the frontmost window, Firefox-style.

Safari highlights results clearly and scanning between them with command-shift-G/command-G produces nice fade effects.

5. SafariStand

Safari wouldn’t be half as useful without SafariStand, the ultimate browser plugin. SafariStand can auto-hide your downloads window, apply custom stylesheets, and hook Safari up with an awesome tab preview sidebar.

I like SafariStand’s vertical tab preview sidebar so much that I’ve used it to completely replace Safari’s tab bar with some quick .nib file hackery. You can take a peek at my modded-up interface in this older post on SafariStand.

6. Microformat Support

Microformats in Safari

Microformats are open formats for common data that can be “attached” to a website just like an RSS feed. The idea is that, when you visit someone’s website, their phone number and upcoming events are one click away from your address book and calendar.

I suspect the next generation of browsers will support Microformats by default, but until then there’s the Safari Microformats plugin, which will generate an icon in Safari’s address bar to access a page’s Microformats with one click.

7. PithHelmet

Safari AdBlock, a plugin named after the popular Firefox extension, recently got a lot of attention as a method for blocking online advertisements in Safari.

However, Safari AdBlock is truly lame in comparison to PithHelmet, a powerful ad-blocking plugin that has been around since Panther and recently went Leopard-compatible.

PithHelmet is $10.00 shareware, but it has an indefinite trial period (I strongly encourage you to pay). It offers complete control over what Safari loads and what it doesn’t: you can literally eliminate any element of any page by using its simple rule editor. I wrote a tutorial for Macinstruct about how to locate and block certain .jpg ads, for example. It’s a snap.

Before you commit to blocking internet advertising, you might consider the economic implications of your decision. It’s also worth noting that, like SafariStand and the Safari Microformats plugin, PithHelmet is an InputManager and thus unsupported (but fully functional, so far) in Leopard.

8. Option-Click to “Save Target As…”

Number eight hardly qualifies as a feature, but its absence in other OS X browsers drives me nuts. In Safari, I can download any file by option-clicking on its link. Unlike in Camino, no dialog box pops up to pester me when I perform this action—the linked file just adds itself to my downloads queue.

Camino seriously needs to get its act together on this one. Why should I need to specify a save location when I already have a downloads folder assigned?

9. Cooperation with Other Applications

Safari does have something to gain merely by shipping from Apple with every copy of OS X: it’s the standard in browsing on the Mac.

This means that every script and third-party application on OS X that interacts with a web browser will support Safari. A small example that I use regularly is the Safari button in Adium’s toolbar, which copies the URL of Safari’s frontmost page to the IM field for sending. Of course it’s possible to write my own URL-fetching script for any other browser, but the point is: if I use Safari, I don’t have to.

10. Resizeable Text Fields

Resizeable text fields

A few members of this list are features that are available in other browsers, but to my knowledge no other browser (on any platform) offers resizeable text fields. Honestly, I thought this was a pretty useless feature when I saw Apple advertising it as new in Safari 3. That was before I realized that long forum posts and blog comments are really a pain to format and revise in a 2” by 3” box.

Of course, there’s still something to be said for conciseness.

The SAFE Act and Sensationalism

On December 5th, the House of Representatives approved the Securing Adolescents from Exploitation-Online (SAFE) Act by a vote of 409 to two.

In “House vote on illegal images sweeps in Wi-Fi, Web sites”, CNET News’s coverage of the SAFE Act that made the internet rounds today, Declan McCullagh opens with quite a hook:

The U.S. House of Representatives on Wednesday overwhelmingly approved a bill saying that anyone offering an open Wi-Fi connection to the public must report illegal images including “obscene” cartoons and drawings– [sic] or face fines of up to $300,000.

McCullagh’s opener, while successfully generating a comment thread fueled by anti-Federalists who didn’t bother to read the remainder of the article or the act itself, severely misrepresents the SAFE Act with an egregious omission.

The SAFE Act specifies punishment for “an electronic communication service provider or remote computing service provider that knowingly and willfully fails to make a report” of illegal traffic on its network. The operative words here are “knowingly” and “willfully,” and McCullagh knowingly and willfully chose to ignore them.

It is not until the 356th word of his article, “learn,” that McCullagh even alludes to the SAFE Act’s limitations—so I’ll clear things up for him.

The Securing Adolescents from Exploitation-Online Act absolutely does not apply to network traffic that service providers are unaware of, nor does it require or even encourage service providers to become aware of illegal activity they would be required to report:

Nothing in this section shall be construed to require an electronic communication service provider or a remote computing service provider to:

  1. monitor any user, subscriber, or customer of that provider;
  2. monitor the content of any communication of any person described in paragraph (1); or
  3. affirmatively seek facts or circumstances described in subsection (a)(2).

The most amusing quality of the SAFE Act is that it’s not even anything new (a fact it cost me five minutes of poking around in the United States Code to discover). Before December 5th, anyone knowingly distributing child pornography was already a criminal under a number of laws, including Title 42’s Section 13032 and Title 18’s Section 2252A:

Any person who…knowingly mails, or transports or ships in interstate or foreign commerce by any means, including by computer, any child pornography…shall be punished as provided in subsection (b).

All in all, I’d say McCullagh must be pretty satisfied with himself for creating a good amount of ruckus over an essentially redundant law.

Congress must intend the SAFE Act as a clarification on reporting illegal traffic, but service providers will see it as another disincentive to monitor their network traffic. By further regulating responsible network monitoring, the government is encouraging an “ignorance is bliss” philosophy when it comes to illegal activity over the internet—a service provider assumes risk proportional to its knowledge about user activity.

The lesson for America’s average e-citizen is this: it’s best not to leave your WiFi network open, but if you must, be sure not to check up on it.

How I Use Quicksilver III: Plugins

Quicksilver is the first program any self-respecting Mac user should install on their box. Instead of giving a general overview of its features (there are already plenty of those), I’m going to prove Quicksilver’s worth by going over exactly how I use it.

This is part three, on plugins.

If cool Quicksilver plugins are your thing, googling will reveal that most nerd blogs have already catered to you. I’m going to avoid my own “top plugin” list and instead write about exactly how I use a few choice plugins. The way I see it, the tricky part isn’t downloading and installing QS plugins, but knowing how to take advantage of them.

Social Bookmarks

After I became a fairly hardcore del.icio.us fan, I realized it was sort of silly to keep a few local bookmarks specifically so I could access them using Safari’s hotkeys (Safari will assign the leftmost bookmark in the bookmarks bar to command-1, the second to command-2, and so on).

Enter the Social Bookmarks plugin, which indexes my del.icio.us bookmarks — making them accessible as triggers or from the standard QS interface. The beauty of this plugin is that it takes all of the pain out of storing data in the cloud: my del.icio.us bookmarks are now just as easy to use as locally-stored bookmarks.

The Social Bookmarks plugin also indexes tags, so if I can’t remember a certain bookmark’s title I can still find it from within QS.

The plugin works with Ma.gnolia as well as del.icio.us. If you run into trouble, make sure your account password contains only alphanumeric characters.

Fumo Interface

Ankur Kothari’s Fumo Interface is my QS skin of choice. It’s just slick.

My version is a bit different than the default. Since I really like Primer’s wider style, I opened up Fumo’s .nib file in Interface Builder and stretched out its elements.¹ The interface still works fine, but now it’s much better for searching items with long names and inputting text:

A wider Fumo

Transmit Module

I use Panic’s excellent FTP client Transmit, but the trick I’m going to cover here can easily be accomplished with the free client Cyberduck and its QS plugin.

The Transmit Module allows me to index FTP locations and upload files to them with the “Upload…” action. I created a folder in my webspace specifically for random files that I need while away from my computer, and the Transmit Module makes it ridiculously easy to access.

I can simply select a file in the Finder, press command-escape to bring QS forward with the selected file as an object, and choose “Upload…” to my dropbox. It doesn’t get any easier than that — I will never email myself a file again!

File Attribute Actions

The File Attribute Actions plugin offers seven actions for, surprise, changing file attributes. “Set Icon…” and “Set Comment…” are interesting, but where I get mileage out of this plugin is with “Make Invisible (hide)”.

Certain applications — P2P programs and Microsoft Office, I’m looking in your direction — like to put their data outside of ~/Application Support/ where it belongs. When I don’t want these support files cluttering up my hard drive but I’m afraid moving them will cause their messy application to run improperly, I can easily hide them using the make invisible action. I am positive there is a terminal command to do exactly this, but it can’t possibly be as fast or as unix noob-friendly.

Image Manipulation

The Image Manipulation plugin is absurdly useful. It enables QS to change images’ filetypes and dimensions, and quite intelligently so. You can specify a percent reduction or desired width in pixels.

With Quicksilver, any action has the potential to be a batch action, so batch resizes and conversions are a snap: select some images in Finder and press command-escape to apply an Image Manipulation action to each of them. I most recently used this method to size the thumbnails for my post on useful QS scripts.

I really hadn’t planned for how many sections this guide to QS would include, but I want to write at least one more about what sort of things I keep in my catalog. Keep posted for that next installment. Considering finals are right around the corner, it probably will be some time in coming.

  1. QSFumoInterface.nib’s location:
    ~/Library/Application Support/Quicksilver/PlugIns/QSFumoInterface.qsplugin/Contents/Resources/QSFumoInterface.nib

Stanford 20, Cal 13

Stanford wins its first Big Game since 2001, in exciting fashion. Defense ruled the day, as we traded three-and-outs with Cal for most of the fourth quarter while the clock slowly ran down.

The new stadium was an awesome venue, and of course when time finally did expire we stormed the field to congratulate our players. Though the team has been disappointing in general this year, they’ve pulled off some huge upset wins.

I’m optimistic that new coach Jim Harbaugh can return Stanford’s football program to greatness.

Cal sucks!¹

  1. OK, not really. I have to hand it to Cal fans this year for being sportsmanlike and friendly. And, truth be told, their football team is much better than ours.