SSL Encryption

[Bull Winkus]

It happened again. This time I was using Safari and iTunes started with music playing. I didn't have the Safari window maximized, so it remained on top. I exited iTunes. It restarted immediately. I exited again. It restarted again. I selected restart from the Apple menu. After rebooting, iTunes did not restart.

Attached is a log. iTunes first appears at 9:30:57, and again at 9:31:39, and again at 9:32:07. From 9:32:18 on, seems to be the restart sequence.

Below is a copy/paste of the sequence from one iTunes appearance to the next. It appears to be my iPod, which is the only USB device connected that would have a relationship with iTunes. This started happening with the installation of 10.11.6 and may be a bug or an issue with having had to restore from Time Machine during the issues I had with this Mac OS upgrade.

8/1/16 9:30:57.147 AM   iTunes[2983]   Entered:_AMMuxedVersion2DeviceConnected, mux-device:20
8/1/16 9:30:57.159 AM   iTunes[2983]   tid:907 - unable to query device capabilities
8/1/16 9:30:57.533 AM   iTunes[2983]   ApplePushService: APSConnection being used without a delegate queue
8/1/16 9:30:57.886 AM   com.apple.xpc.launchd[1]   (com.apple.xpc.launchd.domain.pid.MediaLibraryService.2985) Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/Frameworks/MediaLibrary.framework/Versions/A/XPCServices/com.apple.MediaLibraryService.xpc
8/1/16 9:30:57.887 AM   com.apple.xpc.launchd[1]   (com.apple.xpc.launchd.domain.pid.MediaLibraryService.2985) Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/Frameworks/MediaLibrary.framework/Versions/A/XPCServices/com.apple.MediaLibraryService.xpc
8/1/16 9:30:57.896 AM   com.apple.SecurityServer[76]   Session 100109 created
8/1/16 9:30:57.928 AM   com.apple.usbmuxd[75]   LOCKDOWN_V2_BONJOUR_SERVICE_NAME is _apple-mobdev2._tcp,91ca07d3
8/1/16 9:30:58.048 AM   photolibraryd[441]   Failed to open library Photos Library.photoslibrary Error: Error Domain=com.apple.lithium Code=325 "LiErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=LiErrorLibraryRestoredFromTimeMachine}
8/1/16 9:30:58.049 AM   com.apple.MediaLibraryService[2985]   Unable to open system photo library. Error: Error Domain=com.apple.reddwarf Code=505 "RDErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=RDErrorLibraryRestoredFromTimeMachine, NSUnderlyingError=0x7f934070c040 {Error Domain=com.apple.lithium Code=325 "LiErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=LiErrorLibraryRestoredFromTimeMachine}}}
8/1/16 9:30:58.299 AM   com.apple.usbmuxd[75]   _SendAttachNotification Device 48:e9:f1:1f:91:59@fe80::4ae9:f1ff:fe1f:9159._apple-mobdev2._tcp.local. has already appeared on interface 4. Suppressing duplicate attach notification.
8/1/16 9:30:58.785 AM   photolibraryd[441]   Failed to open library Photos Library.photoslibrary Error: Error Domain=com.apple.lithium Code=325 "LiErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=LiErrorLibraryRestoredFromTimeMachine}
8/1/16 9:30:58.786 AM   com.apple.MediaLibraryService[2985]   Unable to open system photo library. Error: Error Domain=com.apple.reddwarf Code=505 "RDErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=RDErrorLibraryRestoredFromTimeMachine, NSUnderlyingError=0x7f93433296d0 {Error Domain=com.apple.lithium Code=325 "LiErrorLibraryRestoredFromTimeMachine" UserInfo={NSURL=file:///Users/herbvic/Pictures/Photos%20Library.photoslibrary/, NSLocalizedDescription=LiErrorLibraryRestoredFromTimeMachine}}}
8/1/16 9:30:59.347 AM   com.apple.usbmuxd[75]   _SendAttachNotification Device 48:e9:f1:1f:91:59@fe80::4ae9:f1ff:fe1f:9159._apple-mobdev2._tcp.local. has already appeared on interface 4. Suppressing duplicate attach notification.
8/1/16 9:30:59.347 AM   com.apple.usbmuxd[75]   _SendAttachNotification Device 48:e9:f1:1f:91:59@fe80::4ae9:f1ff:fe1f:9159._apple-mobdev2._tcp.local. has already appeared on interface 4. Suppressing duplicate attach notification.
8/1/16 9:31:34.658 AM   WindowServer[172]   _CGXRemoveWindowFromWindowMovementGroup: window 0x91d is not attached to window 0x91e
8/1/16 9:31:39.037 AM   iTunes[2990]   Entered:_AMMuxedVersion2DeviceConnected, mux-device:20

I think this one is solved. I'm not sure what to do about it, but at least I wasn't hacked.
 

[Blicj11]

Hope you guys don't mind if I pop back into my thread. 

Herb, have you tried the time-honoured Apple fix of running First Aid on your HD in Disk Utility (formerly known as Repair Disk) to repair permissions?

Also, relative to the OP, apparently no WeatherCatters are running SSL on their website and I haven't found a compelling argument to do so on mine, yet. 

Cheers.

[xairbusdriver]

iTunes Shenanigans
I missed that Bull had an iDevice connected when these events occurred. While I use iTunes for nothing more than interaction with my iDevices, I have noticed that iTunes is particularly sensitive to things happening on the iPhone. Simply connecting the iPhone with the USB cord for charging causes iTunes to open. I'm sure there is a setting in it somewhere to prevent that, but I generally only connect it when I want to sync or download something to it, so it saves be a couple of mouse clicks to let it open automatically.

However, even if I Quit iTunes, the mere presence of the iPhone on the USB cable can cause iTunes to re-Open. I have assumed it is simply some activity on the iPhone; fluctuating charge state, a browser updating a page, Location Services being used (my wife likes to know when I'm home ... or not!). So, if Bull is convinced that he or the game (and its stated connections to its developer's site(s) and his computers ) Then it may be nothing more than iTunes 'thinking' that it is needed. I assume it can also start playing songs that might have been playing when it was last Quit? In other words, iTunes just wants a bit of attention! It just wants to know it's still 'needed'!

SSL
I doubt that any WeatherCaters are selling anything on our sites. SSL can be a help in protecting both parties in that situation. Other than that, it won't protect your site a bit from hackers. The main purpose of SSL is to encrypt the data while it's being transmitted through the interweb pipes. It does nothing to protect the data storage at either end.

There's probably not any sensitive, financial, or personal info going or coming from our sites. The protection needed to make hacking more difficult needs to reside on the server (or its web-facing entry point) where our sites are housed. And our own computers, also, of course. In both cases, strong, l o n g passwords. With the availability of really good password managers, there's no excuse for not having good passwords that are also changed quite frequently.

So far, I've not found a firewall system for those servers that is not rather expensive.

[elagache]

Dear Herb and WeatherCat troubleshooters,

Remember, I was in Minecraft, and without warning or action on my part, the screen switched to iTunes (presumably on launch). The first time, I quit iTunes and resumed playing. The second time. I quit iTunes, quit Minecraft, and rebooted, then went straight to System Preferences/Sharing/ and disabled Remote Login.

Unfortunately, we can't know how sloppy Apple has gotten, but the log entries aren't the sort of thing you would expect if the controls for Remote Login were handled "gracefully."  Do you think you could enable Remote Login and then disable it - then look in the log files for any messages?  I can't be sure, but I'm suspicious those aren't related to disabling Remote Login.  Normally those sorts of log messages are for something unusual.

If you can do that, let us know what you uncover.

Cheers, Edouard

[Bull Winkus]

As you wish, Edouard. No entries upon launching System Preferences. The following entries were made upon launching the Sharing pane of System Preferences. I did it twice just to make sure it wasn't random.

8/1/16 11:41:30.818 PM authd[125]: copy_rights: _server_authorize failed
8/1/16 11:41:30.819 PM authd[125]: copy_rights: _server_authorize failed
8/1/16 11:41:51.518 PM com.apple.preferences.sharing.remoteservice[1333]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

The following entries were made upon enabling Remote Login. The CalendarAgent entries may be random.

8/1/16 11:44:58.426 PM com.apple.xpc.launchd[1]: (com.openssh.sshd) Unknown key for Boolean: ForceEnableHack
8/1/16 11:44:58.426 PM com.apple.xpc.launchd[1]: (com.openssh.sshd) Unknown key for string: SHAuthorizationRight
8/1/16 11:45:00.000 PM syslogd[40]: ASL Sender Statistics
8/1/16 11:45:02.398 PM CalendarAgent[308]: [com.apple.calendar.store.log.caldav.coredav] [Refusing to parse response to PROPPATCH because of content-type: [text/html; charset=UTF-8].]
8/1/16 11:45:02.509 PM CalendarAgent[308]: [com.apple.calendar.store.log.caldav.coredav] [Refusing to parse response to PROPPATCH because of content-type: [text/html; charset=UTF-8].]

No entries were made upon disabling Remote Login, or upon closing the Sharing Pane or upon closing System Preferences.

The only remedy I've employed at this point is to update both devices to the latest iOS and to Sync them both to iTunes. I had disconnected the iPod from the USB connection, but as of this morning during the update and sync, they are both attached to the USB dock again.

Thanks for checking in, Blick! No on the First Aid. I didn't think of it, and the MacOS 10.11.6 had just been installed. Don't know if that makes any difference, but everything (else) was working nicely.

 

[elagache]

Dear Herb and WeatherCat system admins,

As you wish, Edouard. No entries upon launching System Preferences. The following entries were made upon launching the Sharing pane of System Preferences. I did it twice just to make sure it wasn't random.

Bummer dude . . . . 

That's a fairly clear indication that when you disabled Remote Access you kicked off somebody who was using the service.  That would explain the need for killing processes.

Perhaps you should post those log entries on the Apple Support Forum:

https://discussions.apple.com/welcome

Perhaps someone can tell you more about what they mean in that community.

Oh well, . . . . Edouard

[Bull Winkus]

I don't see how you can draw that inference from those log entries. "? when you disabled Remote Access you kicked off somebody who was using the service. ?" These entries into the log were observed upon launching the Sharing pane. Not enabling or disabling. No entries were observed when disabling.

8/1/16 11:41:30.818 PM authd[125]: copy_rights: _server_authorize failed
8/1/16 11:41:30.819 PM authd[125]: copy_rights: _server_authorize failed
8/1/16 11:41:51.518 PM com.apple.preferences.sharing.remoteservice[1333]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

I posited that Apple used to invoke links to copy_rights servers upon the launch of the Sharing pane of System Preferences, as part of their commitment to the music industry. I presume that these remnants are harmless, and haven't been removed due to the potential that they might be invoked again in a future release, for as yet unknown reasons.

 

[elagache]

Dear Herb and WeatherCat security troubleshooters,

I don't see how you can draw that inference from those log entries.

This stuff is way over my head at this point, so I can't be sure.  However, there is something rather odd going on in these log entries:

Code: [Select]

7/29/16 4:54:25.142 PM ChronoSync Scheduler[313] ChronoSync Scheduler v4.6.5 has terminated.
7/29/16 4:54:25.150 PM com.apple.xpc.launchd[1] (com.apple.rcd[1080]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.151 PM com.apple.xpc.launchd[1] (fr.madrau.switchresx.daemon.661472[320]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.167 PM com.apple.xpc.launchd[1] (com.apple.AirPlayUIAgent[286]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.173 PM com.apple.xpc.launchd[1] (com.apple.lateragent[416]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.182 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.187 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.188 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.188 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.188 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.189 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.189 PM loginwindow[89] ERROR | -[SessionLogoutManager allPrivateProcesses] | No LS dictionary found for LSASN: LSASN:{hi=0x0;lo=0x24024}
7/29/16 4:54:25.190 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.190 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.190 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.191 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.194 PM com.apple.xpc.launchd[1] (com.apple.BezelUIServer[518]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.195 PM com.apple.xpc.launchd[1] (com.apple.speech.speechsynthesisd[570]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.195 PM com.apple.xpc.launchd[1] (com.apple.coreservices.uiagent[421]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.195 PM com.apple.xpc.launchd[1] (com.apple.ImageCaptureExtension2.112992[399]) Service exited due to signal: Terminated: 15
7/29/16 4:54:25.197 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.198 PM appleeventsd[47] SecTaskLoadEntitlements failed error=3
7/29/16 4:54:25.200 PM com.apple.xpc.launchd[1] (com.apple.noticeboard.agent[747]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.200 PM com.apple.xpc.launchd[1] (com.apple.EscrowSecurityAlert[620]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.204 PM com.apple.xpc.launchd[1] (com.apple.storeuid[593]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.205 PM com.apple.xpc.launchd[1] (com.apple.cloudphotosd[324]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.205 PM com.apple.xpc.launchd[1] (com.apple.wifi.WiFiAgent[291]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.207 PM com.apple.xpc.launchd[1] (com.apple.ViewBridgeAuxiliary[583]) Service exited due to signal: Killed: 9
7/29/16 4:54:25.208 PM com.apple.xpc.launchd[1] (com.apple.FolderActionsDispatcher[264]) Service exited due to signal: Killed: 9
I'm puzzled by the need to terminate these services with a -9 signal.  Normally processes should be terminated more gracefully.  One reason to use the UNIX kill -9 signal is if they aren't responding to the normal operating system request to quit.  That could be an indication that these processes weren't owned by you and it took root permission to kill them.

So as I say, I can't be sure but I'm surprised to see them here.

Sorry, that's as far as my rusty UNIX sysadmin understanding takes me, . . . . Edouard

[Blicj11]

Last year on a tech support call with Apple, I mentioned an error message I was getting in the console and the young whippersnapper said, "We don't encourage people to open that app. It just confuses them. Ha ha ha. I told him the only person who is confused on this call is you.

[Bull Winkus]

LOL! Good for you, Blick! He probably just got off a call from me. JK 

~~~

Edouard, I'll keep that in mind. I spent a little time trying to see if I could find anything on it, using Google. Nothing panned out. If anything further happens, with Blick's permission I'll add it to the thread's content.

 

[Blicj11]

My thread is your thread.