An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#244 - 08/05/09 02:57 PM ":your net setting been changed" after cell usb
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
We've had a swarm of people buying vontage and other usb cellular network usb adapters for their macbooks recently. The sellers are directing their mac customers all to us because the setup instructions are botched and blow up 10.4 into that "your network settings have been changed" gotcha. We fixed THREE of them today.

So far though, the script we formulated recently to nuke network settings has been 100% successful at regaining access to the Networks pref pane to fix things. Just an FYI for y'all. The destructions they ship those adapters with will do it every time to 10.4 (intels only?)
_________________________
I work for the Department of Redundancy Department

Top
#246 - 08/05/09 03:09 PM Re: ":your net setting been changed" after cell us [Re: Virtual1]
Rick Deckard Offline


Registered: 08/04/09
That is a nasty bug in Tiger, and the only workaround I know of is to lock your network settings.

I'll bet if those network USB adapter work with PPC Macs, the problem will occur on those machines under Tiger as well, given the same set of instructions.

Top
#256 - 08/05/09 04:15 PM Re: ":your net setting been changed" after cell us [Re: Virtual1]
alternaut Offline

Moderator

Registered: 08/04/09
[off topic]

Virtual, your avatar looks squished from before its allowed size was increased to 100 x 100 px.
Try removing it and then putting it back up, that may just fix it.

[/off topic]
_________________________
alternaut moderator

Top
#395 - 08/06/09 05:56 PM Re: ":your net setting been changed" after cell us [Re: Rick Deckard]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: Rick Deckard
That is a nasty bug in Tiger, and the only workaround I know of is to lock your network settings.


We had a long discussion about this on MacFixitForums, while it was still reachable. I can't find that thread anymore, but I posted of the gist of it to MacOSXHints, in the Dialog From Hell: Your network settings have been changed by another app thread.

As explained there, there's actually a pretty simple permanent fix.

As for the network USB adapter triggering the problem, my guess is: as part of the installation, you needed to type in a password for the new network interface. Sometime later, you installed the Apple Security Update that tries to harden the protection for that password, and gets all discombobulated trying. If you want to point fingers, point at Apple. It's their Security Update that dropped the ball.

Or better yet, if you just want to fix the problem:

a) Lock the padlock in System Preferences (anywhere you see it, for example in the Security pane) before going to the Network pane. That's just to temporarily hush the dialog.

b) Go to System Preferences -> Network. This is safe as long as the padlock is already locked when you arrive on this pane.

c) Now you can unlock the padlock again.

d) Run through all of your network settings. For every location, for every interface of that location, glance at the PPP or PPPoE or PPPoA subpane. You're looking for anywhere you have "Save password" checked.

e) Uncheck "Save password". If you want, you can turn it right back on by re-entering the password. The important thing is that the password be entered after applying the problematic Security Patch.

f) That's all. Problem fixed. If you want to check that you didn't miss any passwords, leave the padlock unlocked, leave the Network pane, and come back. If you do not get the "Your network settings..." error message, you're completely and permanently healed.

The script that virtual1 developed automates the above for you, without forcing you to go through the GUI. Last time I saw it, it did not re-enter the password for you, although we discussed several ways to recover it if you've forgotten, and those may well be in the current version of the script. (There's a reason for that Security Update; it was just too darned easy to retrieve passwords that should have been encrypted better.)

Top
#409 - 08/06/09 07:48 PM Re: ":your net setting been changed" after cell us [Re: ganbustein]
dkmarsh Offline
Moderator

Registered: 08/04/09

Quote:
We had a long discussion about this on MacFixitForums, while it was still reachable. I can't find that thread anymore...

Here it is. Be prepared to wait awhile for it to load, however.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

Top
#459 - 08/07/09 05:36 AM Re: ":your net setting been changed" after cell us [Re: Rick Deckard]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Originally Posted By: Rick Deckard
That is a nasty bug in Tiger, and the only workaround I know of is to lock your network settings.

I'll bet if those network USB adapter work with PPC Macs, the problem will occur on those machines under Tiger as well, given the same set of instructions.


The adapter's setup/installation assistant is what's causing the problem on several levels. It auto-sets-up wrong, requiring us to go in and fix it, and when it enters that password, it enters it in the old format directly into the preference, which drops it into the loop. These are on machines that have had the problem security update installed for months. It's the setup software that triggers the dormant issue because it's inserting the old password format into the networking plist when it runs. Then the sys prefs gets manic trying to update it.

As for the "fix" of locking the padlock, that gets you into the pref, but isn't a permanent fix. We may be able to go in and make changes then, but we don't want to leave the user with a locked padlock in sys prefs forever. So a real "fix" requires nuking network locations and going in and re-entering the information manually.
_________________________
I work for the Department of Redundancy Department

Top
#569 - 08/07/09 09:30 PM Re: ":your net setting been changed" after cell us [Re: Virtual1]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: Virtual1
These are on machines that have had the problem security update installed for months. It's the setup software that triggers the dormant issue because it's inserting the old password format into the networking plist when it runs.

Ack! That's ugly. Apple repeatedly tells developers not to manipulate plists directly.

Originally Posted By: Virtual1
As for the "fix" of locking the padlock, that gets you into the pref, but isn't a permanent fix. We may be able to go in and make changes then, but we don't want to leave the user with a locked padlock in sys prefs forever. So a real "fix" requires nuking network locations and going in and re-entering the information manually.


You only need to lock the padlock briefly, just long enough to be able to go into your settings and re-type your password. Once you've done that, it's safe to leave the padlock unlocked (if you want).

Asking users to nuke their network settings and re-enter everything is way to draconian. They don't need to do that. Just re-entering the password (which they would need to do anyway) is all that's required.

As a side note: this issue affects PPC and intel users equally. It is not an intel-only thing.

Top
#2404 - 08/29/09 05:44 PM Re: ":your net setting been changed" after cell us [Re: ganbustein]
steve626 Offline


Registered: 08/29/09
Originally Posted By: ganbustein

You only need to lock the padlock briefly, just long enough to be able to go into your settings and re-type your password. Once you've done that, it's safe to leave the padlock unlocked (if you want).

Asking users to nuke their network settings and re-enter everything is way to draconian. They don't need to do that. Just re-entering the password (which they would need to do anyway) is all that's required.

As a side note: this issue affects PPC and intel users equally. It is not an intel-only thing.


Here's the problem with your "fix" -- certain broadband USB modems (or broadband cards) have an installer run to "install" the device. The way some of these broadband devices work is that they sense the network they are on, and then dial a specific number (much like a modem except these devices get broadband speeds) and interact with the network by providing a password. The phone number and password may vary according to location. I recently used such a USB device and it dialed one number for California, and another number while I was in France. No doubt the passwords are different for the different phone numbers and networks. This password is stored somewhere in the settings or preferences or somewhere. So when I have followed your instructions (which I have seen suggested elsewhere in other forums), I arrive at a PPP setting that has a phone number and a password -- but I don't know what the password is, the installer does. So if a were to delete that password to then re-enter it, I don't know what to re-enter. Furthermore, there are other phone numbers and passwords for other physical locations. So this cure is not suitable for a number of users. The long Macfixit thread provided a means to get into the file and figure out what the password is/was, but I lost interest after seeing how convoluted it was. For me, it is just easier to lock, unlock, then re-lock the security preferences panes and call this a clumsy workaround that will be history when we move beyond Tiger (the problem doesn't exist in Leopard).
_________________________
iMac Intel Core 2 Duo 2.67 GHz, 4 Gig RAM 10.5.8
Macbook Pro Core 2 Duo 3.06 GHz, 4 GB RAM, 10.6.3
iMac G5, 2GHz, 1.5 Gig RAM, 10.4.11

Top
#2428 - 08/30/09 02:43 AM Re: ":your net setting been changed" after cell us [Re: steve626]
ganbustein Offline


Registered: 08/04/09
The MacFixIt thread was indeed long; for some of us it was also very interesting, but I can well understand that to others it may have been somewhat less so.

But buried deep in that thread was a very simple script I wrote to extract passwords, in case you can't remember them. Afterwards, I decided that any script would be daunting to many users, who I thought would be able to recover their passwords using more user-friendly methods, so I stopped pushing it.

But you've alerted me to a scenario where the password may be one that exists nowhere except in the preferences.plist. I guess the script is useful after all. So, here it is again:

extractpasswords.pl
Code:
#!/usr/bin/perl 
use strict;
use warnings;

# Extracts unencrypted passwords
# Optionally, specify the .plist file to extract from. (The .plist extension
# is optional.)
# By default, reads from /Library/Preferences/SystemConfiguration/preferences

my $f = shift || "/Library/Preferences/SystemConfiguration/preferences.plist";
$f =~ s/.plist$//;
my $authname = '';

open ( PLIST, "/usr/bin/defaults read '$f' |") or die "Couldn't read $f\n";

while (my $line = <PLIST>) {
	if ($line =~ /AuthName = "(.*)";/) {
		$authname = $1; }
	
	if ($line =~ /AuthPassword = <((?:00[0-9a-fA-F][0-9a-fA-F] ?)*)>/) {
		my $raw = $1;
		$raw =~ s/00(..) ?/$1/g;
		my $pass = pack ('H*', $raw);
		print "The password for account \"$authname\" is \"$pass\"\n"; }}



The usual unix rules apply. Save that file as a plain text file with Unix line endings. If you've saved it in your current working directory as extractpasswords.pl, then you can run it either by making it executable and invoking it:

chmod +x extractpasswords.pl
./extractpasswords.pl

or by just passing it to perl

perl extractpasswords.pl

By default, it scans your active SystemConfiguration/preferences.plist, but if you've saved off a copy of that file elsewhere (perhaps on a backup) you can pass that location as an extra parameter: either

./extractpasswords.pl /path/to/saved/preferences.plist

or

perl extractpasswords.pl /path/to/saved/preferences.plist

Either way, the file must still have the .plist extension, but you don't have to type it.

Would you run the script and see what it says? I'm especially interested in knowing if different locations have different passwords but the same account name. If so, I'll need to beef up the script to extract the phone number too, so you'll know which password goes with which location.


Top
#2467 - 08/30/09 11:28 AM Re: ":your net setting been changed" after cell us [Re: ganbustein]
steve626 Offline


Registered: 08/29/09
I will try the script ... in fact I had tried it weeks ago but ran into trouble, probably because I hadn't specified chmod properly, or maybe because I didn't save it in the right text file format. After a little while, I sort of lost interest because it seemed like there was a much simpler work around and this script would need to be run for all such PPP locations (in addition to the broadband card/modem locations, on two of our computers that don't have access to the broadband USB modem, we have dial up which is used only occasionally when the cable internet goes out for a few hours).

However if what I surmised is true (the broadband USB modem taps into different networks with different passwords depending on physical location of the user), I will probably only be able to get the password for my present network because I don't know how to "spoof" being in France again when I am really in the U.S. Maybe the Preference file is modified on the fly by some embedded background process? Again, I tried to inspect the Preferences file manually but again, something told me, "this shouldn't be this complicated" and I just reverted to locking the security-related System Preferences panes, which seemed simpler. However I agree that having these passwords inside a plain old preference file is not a good security practice, a real flaw that Apple somehow allowed to remain in Tiger. On the other hand, one has to ask -- in real-life practice, is there even a smidgen of likelihood that anyone would exploit this? I would think not, but I guess eternal vigilance is always a good thing.
_________________________
iMac Intel Core 2 Duo 2.67 GHz, 4 Gig RAM 10.5.8
Macbook Pro Core 2 Duo 3.06 GHz, 4 GB RAM, 10.6.3
iMac G5, 2GHz, 1.5 Gig RAM, 10.4.11

Top
#2515 - 08/31/09 02:47 AM Re: ":your net setting been changed" after cell us [Re: steve626]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: steve626
After a little while, I sort of lost interest because it seemed like there was a much simpler work around and this script would need to be run for all such PPP locations

No, you run the script, and it lists all of your unencrypted passwords for all locations. That matches the bug, which will manifest itself if you have any unencrypted passwords, even if they're not in the current location.

I'm guessing that the modem installer sets up multiple locations, each with its own phone number, username, and password. Then they respond to a change in your physical location by switching to the corresponding logical location. That is, after all, the very reason your network settings supports a "locations" concept.

I'm also guessing that the only difference between those locations is the phone number. The username/password is probably the same wherever you are.

But we'll see.

Quote:
However I agree that having these passwords inside a plain old preference file is not a good security practice, a real flaw that Apple somehow allowed to remain in Tiger.

Apple did not allow this flaw to remain in Tiger. Their patch may be a little twitchy, but they did patch it!

Quote:
On the other hand, one has to ask -- in real-life practice, is there even a smidgen of likelihood that anyone would exploit this? I would think not, but I guess eternal vigilance is always a good thing.

With security, it's better to be proactive than reactive. Lock the barn door before the horse gets out, not after.

And in this case, the weakness is ridiculously easy to exploit (25 lines of perl code, counting comments and blank lines), and the downside is enormous. In the usual case, this password is the password for your email account, which leaves you wide open for identity theft. If they want any of your other online passwords, they can just tell that site that you forgot the password and want a new one emailed to you, then snag it from your inbox. They can even set up new accounts in your name, proving that they're you by their ability to respond to emails sent to your account.

This isn't a hypothetical attack. A hacker recently hacked into Twitter by hijacking an abandoned hotmail account used by an employee, and using that to intercept "I forgot my password" responses sent to the employee's other accounts (including gmail). How much more powerful if they can hijack your active email account?

Top
#2609 - 08/31/09 09:31 PM Re: ":your net setting been changed" after cell us [Re: ganbustein]
steve626 Offline


Registered: 08/29/09
Originally Posted By: ganbustein

Apple did not allow this flaw to remain in Tiger. Their patch may be a little twitchy, but they did patch it!


Maybe I misunderstood this Apple Security Update for 10.4.11 that led to the endless loop "your network settings have been changed ..." message. Are you saying that applying the update from Apple means you are protected from the security flaw, and the endless loop "network settings" in the Preference Pane is more of an annoyance than anything else? If so, maybe I misunderstood the long Macfixit thread about this. Because if it is just a residual annoyance, why not just lock the Preference Pane when one is done making modifications? I thought the real concern was the unencrypted passwords left on the Tiger computer even after applying all the Apple Tiger Security Updates.

As for the high-speed broadband card I used overseas, I had to return that laptop and its card to my employer, they provided that to me just for that overseas trip, so I can't do any experiments with it any more. The domestic one I have shows only one location for the USB broadband modem. So I suspect that your script works fine for that one location. Unfortunately, the broadband modem frequently updates its software version as well as its "contact info" (which I presume means phone numbers and passwords) via an updater. I don't know whether these installers and updaters write or update passwords in such a way that might bring back the "network preferences changed" problem (or place passwords in unencrypted places).
_________________________
iMac Intel Core 2 Duo 2.67 GHz, 4 Gig RAM 10.5.8
Macbook Pro Core 2 Duo 3.06 GHz, 4 GB RAM, 10.6.3
iMac G5, 2GHz, 1.5 Gig RAM, 10.4.11

Top
#2663 - 09/01/09 11:33 AM Re: ":your net setting been changed" after cell us [Re: steve626]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
the flaw he speaks of was the storing of passwords in easily recovered format outside the keychain. The patch moved the passwords to the keychain, but causes certain passwords, if set, to trigger the loop. So yes, the security update fixes the security problem, and causes the looping for certain users. (that have PPP passwords saved, typically)
_________________________
I work for the Department of Redundancy Department

Top
#3302 - 09/08/09 09:32 AM Re: ":your net setting been changed" after cell us [Re: Virtual1]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: steve626
Maybe I misunderstood this Apple Security Update for 10.4.11 that led to the endless loop "your network settings have been changed ..." message. Are you saying that applying the update from Apple means you are protected from the security flaw, and the endless loop "network settings" in the Preference Pane is more of an annoyance than anything else? If so, maybe I misunderstood the long Macfixit thread about this.

Originally Posted By: Virtual1
the flaw he speaks of was the storing of passwords in easily recovered format outside the keychain.

That's what i tried to say back in May (though the thread itself seemed self-explanatory): linky

Top

Moderator:  alternaut, dianne, MacManiac