
GDE

Got root?

Apple are always hiding things. They love to hide things. When they get found out they run and hide somewhere else.

The marvelous way Cupertino play with Unix hard links will go either to history or to Ripley's Believe It or Not. Right now they've got a new method like no other: they mark their secrets with an inode of zero. So the file system thinks the entries are scheduled for deletion and leaves them alone.

But they're not scheduled for deletion. Apple are playing tricks with Unix. Showing disrespect as always. Some day they'll get their comeuppance. Nawty nawty.

Until then you can use GDE to play hide and seek with them to see what they're up to. GDE compares different ways to access directories - not the files in them but the actual bits and bytes, fanboy. There are two common methods and right as rain they never match up. Not on Apple Unix systems at any rate. Haha.

So GDE crunches around and shows you the sore thumbs. Like in these screenshots which include a Leopard 10.5 root directory. Where you see them trying to hide the hard links again. Fools. They're also hiding two journal files the same way - and the new secret Time Machine directory - with comparable results.
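
The comparison idea described above, as an added illustration (not GDE's code and not from Rixstep). The page does not name the two access methods, so this assumes a raw walk over directory records versus a filtered listing that skips inode-zero records; the record layout, the sample block and its entry names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified record; ino == 0 is the "free slot" marker. */
struct rec { uint32_t ino; uint16_t reclen; char name[26]; };
#define RL sizeof(struct rec)
static const struct rec SAMPLE[] = {      /* constructed; names are placeholders */
    {2, RL, "."}, {2, RL, ".."}, {41, RL, "Applications"},
    {0, RL, "hidden-journal"}, {57, RL, "Users"}, {0, RL, "hidden-links-dir"},
};

/* View 1: walk every record in the raw block, whatever its inode number. */
size_t raw_scan(const void *buf, size_t len, const struct rec **out, size_t max) {
    size_t n = 0, off = 0;
    while (off + RL <= len && n < max) {
        const struct rec *r = (const struct rec *)((const char *)buf + off);
        if (r->reclen < RL) break;          /* malformed record: stop walking */
        out[n++] = r; off += r->reclen;
    }
    return n;
}

/* View 2: the filtered listing, which drops inode-zero records. */
size_t filtered_scan(const void *buf, size_t len, const struct rec **out, size_t max) {
    const struct rec *all[64];
    size_t n = 0, total = raw_scan(buf, len, all, 64);
    for (size_t i = 0; i < total && n < max; i++)
        if (all[i]->ino != 0) out[n++] = all[i];
    return n;
}

/* Diff by name: entries in the raw view that the filtered view never returns. */
size_t find_cloaked(const void *buf, size_t len, const char **names, size_t max) {
    const struct rec *raw[64], *seen[64];
    size_t nr = raw_scan(buf, len, raw, 64), ns = filtered_scan(buf, len, seen, 64), n = 0;
    for (size_t i = 0; i < nr && n < max; i++) {
        size_t j = 0;
        while (j < ns && strcmp(raw[i]->name, seen[j]->name) != 0) j++;
        if (j == ns) names[n++] = raw[i]->name;
    }
    return n;
}

int main(void) {
    const char *names[8];
    size_t n = find_cloaked(SAMPLE, sizeof SAMPLE, names, 8);
    for (size_t i = 0; i < n; i++) printf("cloaked: %s\n", names[i]);
    return 0;
}
```

Diffing by name mirrors what a tool sees when it can only compare the output of two listing methods; any name the raw walk returns and the filtered listing does not is worth a closer look.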


Got Rootkit?

Files the file system doesn't see? If Apple can hide files this way can't the hackers too? Yes they can.

This stuff is admittedly creepy. You thought it was Unix but now you see it isn't. And now you know almost any hacker interloper could hide things from the very file system itself - but not from GDE. It's almost like having a rootkit on your box. But not quite. Yet GDE will tell you if files are being cloaked - and thus can give you a clue whether you've been rooted or not.

By your OS vendor Apple or by - shudder shudder - someone not Apple.

See Also
Developers Workshop: GDE-FAQ
Developers Workshop: GDE Screenshots
Developers Workshop: Getting Around HFS+ Private Data

Copyright © Rixstep. All rights reserved.