Security isn’t much of a concern when working with vintage Macs, but it’s something to take seriously with modern systems. Some recent suspicious incidents on my Mac Pro led me to suspect my system had somehow been compromised. Little did I realize the true culprit.
My home office Mac Pro sits on the floor, with a monitor, keyboard and trackpad on my desk. One of my companions is a big, sweet lug of a cat named Fudge. Like many felines Fudge likes to install himself in front of the computer monitor, and he’s been known to sit on the keyboard or trackpad in this position, which can cause a constant “mouse-down” or Control-key press. Usually it takes a few seconds for me to realize what’s going on, then I shuffle him away or move the equipment.
One day a few weeks ago Fudge hopped up, staked himself in front of the computer and made himself comfortable. I was in the middle of typing an email so I put him on his co-pilot’s chair next to mine (to his chagrin) and continued working. About 5 minutes later a window popped open in the Finder, showing a normally hidden directory named /private/var/tmp.
This was unusual, both in that the window popped up on its own, and in what it was displaying. /private/var/tmp is one of a set of directories set up by the UNIX (or Darwin) layer of Mac OS X; it’s invisible and not typically accessed in standard Macintosh operations. Inside this directory was some kind of system diagnostic file and other information about my setup. I’d never seen this happen before.
I took a screen snapshot of the situation and continued my work. Nothing else odd happened for the next couple days, so I put the incident aside as a low-priority curiosity.
A few weeks later I was playing another round of the block-the-computer game with Fudge, and he again sat on the keyboard. I moved him to a chair, then a few minutes later BAM up pops the /private/var/tmp window. OK there’s something going on, and Fudge sitting on the keyboard seems to have some connection.
The sysdiagnose report that was highlighted was a very comprehensive document, or rather a compressed set of documents, like a System Profiler report on steroids. It’s a complete dump of the setup of your computer, logs, installed software, memory and disk configuration, etc. Everything a tech, or hacker, might wish to know about your system. Why was this file suddenly popping up on my Mac?
I turned to the Oracle of Google for guidance, and soon found out that this report was the output of a Terminal command called sysdiagnose. The man page writeup says:
sysdiagnose — gathers system diagnostic information helpful in
investigating system performance issues. A great deal of information
is harvested, spanning system state and configuration. sysdiagnose
needs to be run as root.
That would explain the report’s contents, but why was this command getting run at all? Especially since it required root access? I read a bit further, and the description for the command then noted:
sysdiagnose can be triggered upon pressing a special key chord;
this is currently Control-Option-Command-Shift-Period.
That five-key combination was certainly not one I’d ever heard of, nor was it something you were likely to hit by accident. But then I looked at my keyboard, and the six keys in the lower right area next to the spacebar are:
The spacebar and those keys just to its right are exactly where Fudge’s furry butt gets placed when he lies on my desk. One well placed rump would depress all those keys (plus a few more), and since the command takes a few minutes to run the output doesn’t appear immediately. I tried it, and it worked. Well I’ll be.
Mystery solved, with no nefarious spyware involved. I’ve now learned about a completely new, feline-assisted diagnostic tool on my Mac. And – for a change – Fudge actually was being helpful typing on the computer for me!