The problem was that when the ssh daemon was confronted with an incorrect password, it was checking against the password database multiple times, which was overwhelming the password services. A better explanation from [1] is “every time the attacking machine tried another key/password, it would spawn a new sshd process, which had to communicate with the password services (com.apple.SecurityServer) in order to validate the password. Eventually what ended up happening is that there were so many requests to the password services that they basically ended up just hanging, and anything that required a password: ssh, ftp, etc, just stopped working.”

Firstly I changed the default /etc/sshd_config file, un-commenting this line and changing yes to no:
ChallengeResponseAuthentication no
This edit does not stop attackers from trying but it does protect the password services from the attack.

Next I installed the most excellent sshdfilter [2] – a perl daemon that actively monitors ssh logins and detects signs of intrusion attempts and then blocks the attacking IP addresses. Blocked addresses are saved in between reboots and the he startup script is here:
/Library/LaunchDaemons/net.jonbell.sshdfilter.plist
(this runs /etc/sshdfilterLoad.sh which runs /etc/firewallrules)

To receive email notifications for each block, edit the /etc/sshdfilterrc file (the mail= and mail policy sections – there are comments in the policy).
“The default setting is to block most failed logins after 5 attempts, some common invalid logins after 0 attempts, incorrect root logins after 2 attempts, and logins to non-existent accounts after 3 attempts. Counters are reset upon a valid login. These thresholds can be modified in the sshdfilterrc file if desired. It is not currently setup to expire the blocks (even if you set it here in the configuration file, they will remain in the persisting file).”

[1] http://www.slicksurface.com/blog/2008-06/ssh-attack-and-password-problems-on-os-x

[2] Mac OS X sshdfilter Installer:

http://projects.seas.columbia.edu/sshdfilter/sshdfilter_mac.zip

sshdfilter Project Home:

http://www.csc.liv.ac.uk/~greg/sshdfilter/

Vulnerability Database National Vulnerability Database (NVD) National(CVE-2009-3555)
“The TLS protocol, and the SSL protocol 3.0 as used in… mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l… does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions..”

TLS renegotiation attack. More bad news for SSL | Cupfighter.net
While the attack only works for the first request sent over a TLS session (subsequent renegotiation requests are sent in the encryption context and can thus not be inserted) M[an in the middle] could force the session to reset after x seconds of inactivity by sending a reset packet to both Client and Server, thus forcing a new TCP and TLS session to be re-established and thus gaining a new window of opportunity.
In response to this attack OpenSSL (Nov 8th) released OpenSSL 0.9.8l which does fix the vulnerability, but disables renegotiation completely. This change to OpenSSL may break certain applications so it should be carefully tested before it is implemented. [Server-side HTTPS will generally not be broken.]
This attack will first appear in highly targeted scenarios. Since the attack is a man in the middle attack the attacker will have to have control over all the traffic between client and server and vice versa in order to fully exploit the attack. With this attack TLS does not fully protect the integrity of the communication between client and server.

The root of the problem is servers that perform (allow) TLS renegotiations and make flawed assumptions about what a successful TLS renegotiation means for the data previously received.

PhoneFactors Status of Patches

Understanding the TLS Renegotiation Attack – Educated Guesswork
‘CVE-2009-3555 – apache/mod_ssl vulnerability and mitigation’ – MARC
Links » Another Protocol Bites The Dust
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555)
Confidence 2009.02 – Cupfighter renegotiation vulnerability slides
TLS Test here:

Renegotiation Test | netsekure rn

In a poll, he says [Al Gore], 80 percent of CEOs and CFOs said they would not spend money to make their factories more efficient and save money in the long run if it hurt their next-quarter bottom line. “That,” says Gore, “is functionally insane.”

I couldn’t agree more. Such short-term thinking from such highly paid people.
That sound you can hear is my mind boggling.

You get full CS3 versions of InDesign, Photoshop Extended, Illustrator, Flash Professional, Dreamweaver and Acrobat 8 Professional. All future updates are included as long as you are still subscribed. Coretech is taking preorders if you’re interested.

Be warned that the 12 month subscription can not be cancelled and automatically renews unless you turn off the “auto-renew-subscription” option.
At this stage this is the only product that you can get via subscription. I’m sure there’ll be more.

If the battery is removed from a MacBook or MacBook Pro, the computer will automatically reduce the processor speed. This prevents the computer from shutting down if it demands more power than the A/C adaptor alone can provide.

Of course, if you bump the power adapter and unplug your laptop, you will lose all unsaved work. Not to mention that if dirt and dust collects on the battery connectors you may have problems later.

There’s an Apple article here explaining how to calibrate your battery – this should be done every couple of months.

Sounds kinda annoying to me, so I’m going to buy a second battery and one of Newertech’s battery charger and reconditioner units – gotta keep the MacBook Pro on 24/7….

I’ll let you know how I go.

$ plutil -lint ~/Library/Preferences/com.apple.iChat.plist
/Users/waffleblog/Library/Preferences/com.apple.iChat.plist: OK

Please note that this utility will only check the syntax of the file, not the deeper meaning as understood by the owning application.

To check all preferences in your Library folder:

$ find ~/Library/Preferences -name “*.plist” -print0 | xargs -n1 -0 plutil -lint

(This uses -print0 and -0 to cope with spaces in filenames.)

Here are the steps:
1. Quit Mail. Please BACKUP if you haven’t already.
2. Open Terminal (in Applications/Utilities).
3. Check your current ‘envelope archive’ size by entering this in the terminal:
ls -lah ~/Library/Mail/Envelope\ Index
4. Then enter the following:
sqlite3 ~/Library/Mail/Envelope\ Index vacuum;

On my 2.75GB worth of email (not including attachments) this command took about 4 minutes on my MacBook Pro – don’t worry if it takes longer.

Then check your envelope size by running the first command again. My Envelope Index went from 155MB to 134MB and the performance improvement was surprisingly good.

There’s also his interesting comments on DivX versus H.264 codecs:
> you’re bound to hear a lot about DivX being better than h.264, some reasons are valid,
but for content providers (i do pro video work), h. 264 is preferred for a number of reasons – not the least of which is that its an open standard and the licensing fees are reasonable, and there is pro mac software for it. There is a ton of hardware that does broadcast quality h.264 encoding realtime – its what the pros are moving to for content distro. It streams better than anything else in its range (WM9, Real).
This is why DirecTV, Apple, Verizon, T-Mobile, Orange, Thales, and a ton of actual content makers are using h.264 rather than DivX….

This dude also uses his mini as a media centre running Vista so that he can use Microsoft’s latest Media Centre software and a remote control with more features than the Apple remote. This results in a richer TV interface than running a Mac OS X / Elgato solution but you do have to run windows.

Infinite Loop have a mini setup more as a media jukebox and less as a personal video recorder (PVR) (i.e there’s no Elgato digital TV receiver). There’s lots of good stuff in the comments here.

As a further note Elgato’s software, EyeTV now works with iTunes so you can record TV shows and have them automatically loaded into iTunes for playback on whatever device your mini is driving (HDTV with DVI to HDMI cable).