Nov Dec Jan ‘08 Edition

Get Info is a publication of the Grand Rapids Area Microcomputer Users Group.

Articles
• Apple Opens Flood Gates on Fall Releases (Cover)
• Product Review: Apple Pro Training Series: Aperture 1.5 (Page 3)
• Securing Communications with SSL/TLS: A High-Level Overview (Page 3)
• Scroll Wheel Tips (Page 7)
• 1Passwd Eases Password Pain (Page 9)
• New iMacs Debut and Mac Mini Sees a Refresh (Page 10)
• GRAMUG Meeting Highlights (Page 2)
• iWork ‘08 by the Numbers (Page 19)
• .Mac Gets an Upgrade (Page 23)

Apple Opens Flood Gates on Fall Releases
by Monte Ferguson

There’s one thing you can say about Apple, it’s rarely a dull moment. But lately it had been looking pretty quiet over in Cupertino. There hadn’t been a flashy announcement or one last thing in months. It was starting to look like Fall 2007 was going to be a ho hum season for Apple fans. But then a special press event was announced. The wait was finally over. This one event held enough announcements to last us the entire quarter!

iLife ‘08

At long last Apple announced the next version of the iLife suite. The name was bumped from ‘06 to ‘08. But there is more to this update than some cosmetic changes.

iPhoto ‘08

iPhoto just keeps getting better. This year’s release is an evolutionary upgrade. Its main new feature is that it organizes photos by “events”. The idea is that many photos are taken at a particular event, say Christmas. Events in iPhoto ‘08 are created automatically and contain photos taken on a particular day. This contrasts with the old way of organizing photos, which worked with the idea of film rolls, i.e. all photos imported from a memory card were grouped together. Events can be split or merged as needed. You can therefore browse by event. The photos for an event are all stacked together in the interface. You can move your mouse over an event’s icon and skim through the photos contained. It reminds me a bit of the animated menus in iDVD.
iPhoto adds a feature to suppress displaying photos you don’t want to delete. This could come in handy for folks who have thousands of photos, some of which might be multiples of the same scene. Searching in iPhoto has received a boost. There is now a single interface for searching by date, text, or keyword. iPhoto’s editing features also get some improvements. Added are shadow and highlight tools that work on bringing out details in under and over exposed areas of a photo.

Continued on Page 4

GRAMUG Meeting Highlights
by Monte Ferguson

Many folks think that user group meetings are for computer wizards and geeks. That the conversation will be way over their heads. While others have no idea what such meetings have to offer. I have showcased several recent gatherings below. As you can tell from these excerpts, a user group has something to offer nearly everyone no matter what their skill level.

June

Our June Meeting focused on the phenomenon called RSS, Really Simple Syndication. Katie found a blog entry that has a video which does a really great job of explaining what RSS is and what it is good for. You can check it out at:

Wikipedia describes it as:

RSS (which, in its latest format, stands for “Really Simple Syndication”) is a family of web feed formats used to publish frequently updated content such as blog entries, news headlines or podcasts. An RSS document, which is called a “feed”, “web feed”, or “channel”, contains either a summary of content from an associated web site or the full text. RSS makes it possible for people to keep up with their favorite web sites in an automated manner that’s easier than checking them manually. RSS content can be read using software called a “feed reader” or an “aggregator.” The user subscribes to a feed by entering the feed’s link into the reader or by clicking an RSS icon in a browser that initiates the subscription process. The reader checks the user’s subscribed feeds regularly for new content, downloading any updates that it finds.

[Photo: One of our April giveaway winners, Mr. Thomas Johnston, is shown with his prize, a pack of CDR disks.]

[Photo: One of our April giveaway winners, Ms. Juliet Kauffman, is shown with her prize, iWork ‘07]

RSS Tools

You already have one tool that you can use to subscribe and view RSS feeds. It’s your browser. Both Firefox and Safari can be used to view and subscribe to feeds. The benefit is you already have the software and it’s free. The downside is they don’t offer much in the way of features or customization. And you have to be online to read the summaries.

You can also set up web sites like Google Reader, NetVibes, and Yahoo to subscribe and display your RSS feeds. The benefit being you can read up on your feeds from any computer. The downside is they’re rather limited on features and require that you use a browser to access them. (There is an extension for Firefox, or Google Gears, which allows you to do your reading offline. Otherwise you have to be online to view your feeds.)

A third category is a dedicated news reader. It’s a standalone program that handles RSS. The benefit is all kinds of features and customization. There are free editions but if you want all of the bells and whistles you have to pay. For instance Shrook, the news reader, is free. But it requires a shrook.com membership, 2.50 by the month or 19.95 a year, to enable syncing. NetNewsWire, $30, requires a NewsGator account. (There is a free NetNewsWire Lite; it doesn’t feature syncing, but doesn’t require a NewsGator account.) Another contender is NewsFire, $20.00; it brings a streamlined interface, much like iTunes.

There are a wide range of choices on how you get, organize, and read your feeds. With prices ranging from free to pay for, there is bound to be a tool that will fit your needs.
Katie did a great job talking about the technology as well as showcasing the various ways you can tap into it.

Continued on Page 18

Product Review: Apple Pro Training Series: Aperture 1.5
by Terry Johnston

Authors: Orlando Luna, Ben Long
Publisher: PeachPit Press
Price: $39.99
Publisher URL: http://www.peachpit.com/store/product.aspx?isbn=0321502108

Aperture is Apple’s professional program that creates a workflow for digital images. Think of it as the professional version of iPhoto or, as I like to say, iPhoto on steroids. It’s designed to handle RAW images which most professional dSLR cameras shoot. Aperture has many nondestructive editing features built into it. Aperture is not a substitute for an external image editor such as Photoshop, Photoshop Elements or other photo editing programs if you are interested in more creative editing.

From what I can tell this book is geared towards the intermediate user. The reader needs to have a good understanding of OS X. You also need to use the images provided in conjunction with the enclosed DVD. The book was useful when I followed the exercise instead of just reading the book and I found the book to have that college text book feel. It tended to be dry and uses an exercise type format. Each chapter tends to build on the next chapter so it is not that easy to jump around in the book. In fact that was my only beef with this book: this book is not a reference book, this book is a written college course... if that makes sense!?!

This book was great for understanding and learning how to set up my work environment to use Aperture. It helps explain how Aperture works. This can be a time saver as Aperture is quite different from an image editor like Photoshop. Aperture has certain conventions that seem limiting until you understand how it all fits together.

The book starts with calibrating your display and covers the basics. It has 12 lessons that cover exploring the Aperture workflow: Importing images in Aperture; Organizing and rating images; Image adjustment basics; Creating web output, Evaluating images; Finishing, Delivering, and Archiving images; Advanced organization and rating; Advanced editing; Advanced output; Advanced file structure and archiving; and Aperture automation.

In closing this book is very well written and organized. I’m positive that if you read it all, and did all the exercises, anyone would have a good understanding of Aperture. You just need to stick with it.

Cover Story Continued From Page 1

A cropping tool that helps you follow the “rule of thirds”. Also added are tools for noise reduction, edge sharpening, and white balance. You can even copy and paste a combination of adjustments from one photo to other photos that need similar fixes.

iPhoto includes tighter support for .Mac. The newly named .Mac Web Gallery can be easily published to and it features one button photo sharing. The .Mac galleries can be viewed as a grid, in a slideshow, in a mosaic or in a Cover Flow inspired carousel. .Mac galleries also sport print quality downloads, uploads via email, and easy uploading of photos taken by an iPhone (in essence it’s upload via email from an iPhone). You can set permissions for who can view or contribute to the gallery, as well as sync back down to iPhoto for photos contributed by others.

iMovie ‘08

iMovie ‘08, rather than being an incremental update, is a totally new application. It sports a totally different interface than its predecessor. Steve Jobs said that the total rewrite was inspired by one of the lead engineer’s frustrations trying to make a quick video. Taking its cues from iPhoto, iMovie tracks all of your video in a library. It uses events to make finding clips easier. Besides supporting standard DV and high-definition HDV video formats, iMovie now supports editing AVCHD (Advanced Video Codec High Definition), a compressed format intro

Continued on Page 6

VMware Posts Fusion Release Candidate, Announces Final Pricing

VMware last week posted the first release candidate for Fusion, their software for running Windows on Intel-based Macs. This version includes improvements to Unity, a mode in which Windows applications can run side-by-side with Mac applications, rather than in a separate Windows window. Unity now supports drag-and-drop, offers a menu of Windows applications in the Fusion Dock icon, works with more versions of Windows, and features several other improvements. Release Candidate 1 also provides better keyboard support, including the option to use Control-click with a one-button mouse to produce a right click in Windows. Other improvements include better performance for Boot Camp-based virtual machines, new memory optimization options, and a variety of bug fixes. Fusion RC 1 is a 160 MB download.

<http://www.vmware.com/beta/fusion/>

VMware has announced that Fusion will retail for $79.99 when it ships by the end of August. Customers who pre-order it before the final release get a 50 percent discount.

<http://www.tidbits.com/about/support/vmware-fusion.html>

MacBook Pro Software Update 1.0 Released

Apple has released MacBook Pro Software Update 1.0, which fixes a number of unspecified problems with 2.2 GHz and 2.4 GHz MacBook Pro models. According to a post at MacFixIt, the update appears to patch several issues with the Nvidia graphics cards and may solve an issue with “shimmering” display issues. The update is available via Software Update on the affected machines, or as a 14.7 MB download.

<http://www.apple.com/support/downloads/macbookprosoftwareupdate10.html>

Adobe Ships Rest of Creative Suite 3

Adobe Systems has broken with tradition by releasing products promised for third quarter of 2007 on the second day of that quarter. A quarter-based release typically means “as close to the last day of the quarter as possible so we can book the revenue in that quarter.”

In April, Adobe released 9 of the 13 main applications that form Creative Suite 3 (CS3) as both individual programs and 6 editions (see “Adobe Announces Creative Suite 3 Plans, Pricing, Dates,” 2007-04-02, and “Adobe Ships Creative Suite 3, Offers Video Betas,” 2007-04-16). The released programs spanned their entire print and online range, including Photoshop (in two versions, no less), InDesign, and Dreamweaver. The company then promised four video and audio tools and support applications by the third quarter of this year.

<http://www.adobe.com/products/creativesuite/>

Today, Adobe shipped After Effects, Premiere Pro, Soundbooth, and Encore for Intel-based Macs and Windows XP and Vista, along with two Windows-only applications, OnLocation and Ultra. OnLocation, a direct-to-disk recording tool, works with Boot Camp, Adobe says. The two delayed editions are now shipping, too: Production Premium ($1,700) and Master Suite ($2,500). Master Suite contains the entire CS3 line of products.

Final Cut Studio 2 Applications, SuperDrive Firmware Updated

Apple has released updates for the Final Cut Studio 2 suite of video production applications via Software Update and as stand-alone installers; the latter require that you sign in using your Apple ID and your Final Cut Studio 2 serial number. Most of the updates cover bug fixes and improve stability, but a few items are notable.

Pro Applications Update 2007-01 (an 8.1 MB download) patches the underlying frameworks and shared components of Final Cut Studio 2 (the package also seems to be specific to those applications).

<http://www.apple.com/finalcutstudio/>

Final Cut Pro 6.0.1 (a 37.5 MB download) adds support for importing AVCHD (Advanced Video Codec High Definition) footage, a video format introduced last year that is designed to be saved to random-access storage devices such as hard disks, solid-state memory, and MiniDVD discs

Continued on Page 6

Securing Communications with SSL/TLS: A High-Level Overview
by Chris Pepper

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are systems for providing security to Internet communications, particularly Web browsing. Specifically, they use encryption to provide confidentiality (privacy) and authentication (authorization). There are three major versions of SSL; the fourth version was renamed, becoming TLS version 1. SSL and TLS are based upon public key encryption and decryption, simple identifying information, and trust relationships. In combination, these three elements make SSL/TLS suitable for protecting a broad range of Internet communications.

<http://en.wikipedia.org/wiki/Public_key>

If you are concerned about phishing scams and identity theft (and everybody should be, to some degree), this article should help you understand one of the more important protections from online criminals. For those who manage Web sites, information about working with SSL/TLS and certificates may be helpful, both for providing privacy and security, and also for deciding whether it is appropriate or worthwhile to purchase your own digital certificate. The certificate is, in essence, an electronic guarantee from a trusted authority that your site is legitimate, and under the control of a legitimate organization.

To establish an SSL/TLS connection, one or both parties must have a certificate, which includes start and end dates for validity, the name of the entity certified, and a digital “signature” attesting to its validity. In addition to this identification function, certificates are also tied to a “private key” used for encryption (see below). In HTTPS communications (encrypted Web browsing, signified by URLs that start with “https”), the server always provides a certificate; the client may as well, although client certificates are not yet common.

Public Key Encryption: The Short Version

Regular (symmetric) encryption works by using a key (a password) to transform text mathematically into gibberish. Only the same password can be used to reverse the process and recreate the original text. However, symmetric encryption requires both parties to know both the password and the encryption/decryption algorithms, and to keep the password secret from everybody else. This clearly doesn’t scale well - it wouldn’t be possible to visit every person or organization with whom you communicate, create a new secret password, and use that password to communicate with just that party. Establishing and tracking a unique and secret password for each bank, online vendor, and community site in this way would be extremely difficult.

In contrast, public key encryption (also called “private key cryptography”) uses pairs of keys (called “private” and “public”), each of which can reverse the other. In other words, data encrypted with a public key can be decrypted only with the corresponding private key, and data encrypted with a private key can only be decrypted with the paired public key. This is a strange concept to those who are familiar with symmetric encryption, but it proves extremely useful, because paired keys solve several problems of privacy and identification.

Possession of a private key can “prove” identity: As a rule, only a private key’s creator can encrypt and decrypt with that private key (private keys are never shared). For an over-simplified example, imagine a Citibank customer uses her private key to encrypt her account number, and sends it to www.citibank.com. If Citibank has her public key on file and linked to an account, successful decryption provides strong assurance that the party who sent the encrypted account number is the right customer - private keys are much harder to steal or forge than ink signatures on paper. As a bonus, digital signatures work instantaneously across the Internet.

Digital signatures have one highly unusual characteristic. Most secrets tend to leak out if they’re used too frequently, but digital signatures (and private keys in general) become more valuable as they are used, building up credibility. In public key terms, this is called “trust.” Private keys start out with no trust, since no one knows that a given private key actually does correspond to a particular person, and can gain trust in a number of ways:

* Blind faith: “Nobody would bother to break into my personal webmail server.”
* Assurance: If I vouch for your key, then people may trust either me or you to identify other people’s keys (this “web of trust” is the basis for PGP). People normally exchange key “fingerprints” rather than full keys because public keys are long numbers and hard to transcribe exactly; fingerprints are shorter and easier to use, and identify their corresponding keys effectively.
* Out-of-band verification: A bank could put its public key fingerprint on ATM cards or checks, or provide an 800 number that simply reads a recording of the fingerprint.
* Experience: If I have performed successful money transfers through my bank’s Web site, the experience builds confidence in that Web site.
* Personal verification: If you give me your key fingerprint in person, I gain a great deal of confidence in that key. Each such key exchange event adds value to the keys exchanged. Personal verification is really a special case of out-of-band verification. It can get tricky in primarily electronic communities, where people may not even recognize each other on sight.
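The key-pair and fingerprint ideas described above, as an added example that is not part of the original article: textbook RSA built on two publicly known Mersenne primes, with no padding, so it is for illustration only. The function names, the sample values and the fingerprint encoding (SHA-256 over a decimal rendering of the public key) are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed toy key pair: two publicly known Mersenne primes. Real keys use
# secret random primes of 1024+ bits each, with padded encryption and signatures.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # modulus, present in both keys
E = 65537                            # public exponent  -> public key is (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent -> private key is (N, D)


def public_op(value: int) -> int:
    """Apply the public key: encrypt to the key owner, or open a signature."""
    return pow(value, E, N)


def private_op(value: int) -> int:
    """Apply the private key: decrypt, or produce a signature."""
    return pow(value, D, N)


def _digest_as_int(message: bytes) -> int:
    # Signatures cover a hash of the message, reduced to fit under the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Only the private-key holder can compute this value."""
    return private_op(_digest_as_int(message))


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key can check a signature."""
    return public_op(signature) == _digest_as_int(message)


def fingerprint(n: int, e: int) -> str:
    """Short, comparable identifier for a public key. The encoding hashed here
    is an assumption; real tools hash the key's standard binary encoding."""
    raw = hashlib.sha256(f"{n}:{e}".encode()).hexdigest()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def fingerprints_match(received: str, out_of_band: str) -> bool:
    """Compare a key's fingerprint with one obtained by phone, card or in
    person, ignoring case and separators a person might add or drop."""
    def norm(fp: str) -> bytes:
        return "".join(c for c in fp.lower() if c in "0123456789abcdef").encode()
    return hmac.compare_digest(norm(received), norm(out_of_band))


if __name__ == "__main__":
    secret = 4000123412                     # constructed sample value
    ciphertext = public_op(secret)          # anyone may encrypt with the public key
    print("private key recovers it:  ", private_op(ciphertext) == secret)

    order = b"transfer 100 to account 42"   # constructed sample message
    sig = sign(order)
    print("genuine message verifies: ", verify(order, sig))
    print("altered message verifies: ", verify(b"transfer 900 to account 42", sig))

    fp = fingerprint(N, E)
    spoken = fp.upper().replace(":", " ")   # same value as read over the phone
    print("fingerprint:", fp)
    print("matches spoken value:     ", fingerprints_match(fp, spoken))
    print("matches a substituted key:", fingerprints_match(fp, fingerprint(N + 2, E)))
```

The substituted-key check is the case out-of-band verification exists for: a key swapped in transit still "works" mathematically, and only the fingerprint comparison exposes it.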
In reality, sending account numbers is not a good use of encryption, because if an attacker knows both the encrypted “ciphertext” (which we have to assume could be intercepted - if we knew nobody could tap our communications, we wouldn’t need encryption!) and the unencrypted “plaintext,” it might help them find a correlation between the two to help break the encryption. Real encryption tends to use lots of random numbers and disposable keys, to defend against “known plaintext” attacks. Unfortunately, the actual

Continued on Page 13

Cover Story Cont’d from Page 4

duced last year that’s designed to be saved onto random-access storage devices such as SD memory cards, hard disks, and MiniDVD discs. iMovie strengthens its sharing capabilities by offering options for encoding and sending video to YouTube, an iPhone, via iTunes, and to the enhanced .Mac service.

iMovie ‘08 has inspired a love/hate reaction from first adopters. Those that can’t stand it bemoan the loss of third party plug in support, such as extra effects and transitions. They also cite the lack of features present in the previous edition: DVD chapter markers, bookmarks, and themes. Also troublesome is the fact that iMovie ‘08 can only import (not open) projects created in earlier versions, and even then the process only acquires the raw video; transitions and effects don’t move over.

Those that love it point out that the new interface makes working on video a snap. They also say that the program is very responsive and that it’s easier to use than the older versions. It also provides a greater control over color and exposure. Lastly some people also rave about the way the Ken Burns effect works in iMovie ‘08.

For those who need the features found in iMovie HD 6 there is some good news. Upgrading from the previous version of iLife leaves iMovie HD intact. It’s put in a sub folder. Apple has now made iMovie HD 6 available free for owners of iMovie ‘08, say those who bought a new Mac. The installer checks to see if iLife ‘08 is installed, so it’s not a gift to owners of earlier versions of iMovie. iMovie HD 6 is a 154.6 MB download.

iDVD ‘08

iDVD gains features that subtly enhance the program. There are no flashy new interface changes. But under the hood there are some welcome additions and improvements. iDVD ‘08 feels snappier and is faster throughout than previous versions. A new professional quality encoding ensures that the highest possible quality settings are used for your projects, even if they are near or at the capacity of the disk. A built in quality capacity meter allows you to see which quality setting works with the content you want to include on your finished DVD. Slideshows now allow you to use higher quality images. You can also combine video clips and photos in slideshows. The new drop zone editor allows you to see your project and the drop zone editor at the same time. iDVD ‘08 also comes with 10 new animated themes, and an expanded button library.

iWeb ‘08

Apple’s easy Web-page creation soft

Continued on Page 16

Continued

(versus MiniDV tapes, the media of choice for many consumer camcorders as well as cameras that record to the high-definition HDV format). Although a few AVCHD camcorders are currently available, editing the footage has been limited under Windows and nonexistent on the Mac. Apple’s release notes indicate a few caveats with AVCHD footage, namely that as it’s imported, the video is transcoded into either Apple ProRes 422 or Apple Intermediate Codec; that could require up to 10 times the size of the native AVCHD file of available hard disk space. (The inclusion of AVCHD also potentially means the format could be supported in the next version of iMovie HD.)

<http://www.apple.com/support/releasenotes/en/Final_Cut_Pro_6.0_rn/>

Motion 3.0.1 (a 19.4 MB download) fixes a number of known issues with 32-bit float projects and rendering of intersecting 3D groups, and improves performance.

Soundtrack Pro 2.0.1 (a 74.5 MB download) improves stability and performance and updates the Delay Designer surround effect plug-in.

Compressor 3.0.1 (a 93.3 MB download) adds the capability to export music in the 256 Kbps AAC format used by iTunes Plus, can now set poster frames, and applies other fixes.

Color 1.0.1 (an 8.3 MB download) improves stability, metadata support from Final Cut Pro, and single-display mode, as well as floating-point processing on Macs with Nvidia graphics cards.

Lastly, unrelated to Final Cut Studio 2, Apple released SuperDrive Firmware Update 2.1 (a 12 MB download), which provides unspecified fixes but notes improved readability of certain CD media. The installer puts an application called SuperDrive Update 2.1 into your Utilities folder that must be run separately, which is unusual. Note that the application starts the update process at launch, which is bad form; it should behave like most updaters, where the user initiates the process (for example, to make sure the drive isn’t in use, I would imagine). The updater also requires a restart of the Mac to take effect.

<http://www.apple.com/support/downloads/superdrivefirmwareupdate21.html>

iTunes 7.3 Adds iPhone, Apple TV Features

Apple has released iTunes 7.3, which enables support for the iPhone. iTunes acts as the hub between the computer and the iPhone (much as it does with the iPod), handling synchronization of contacts, calendars, music, and movies. iTunes is also the interface for activating the iPhone’s phone and data service plans; a video at Apple’s site demonstrates the activation process. iTunes 7.3 is available via Software Update or as standalone downloads for Mac (a 33.8 MB download) and Windows (a 47.4 MB download). Note that iTunes 7.3 updates your iTunes library, so it’s a good idea to have a current backup before you apply the update.

<http://www.apple.com/iphone/usingiphone/activation.html>

iTunes 7.3 also adds a requested feature to the Apple TV: photo streaming. Previously, photos could only be synchronized (copied to) the Apple TV.

Mac OS X 10.4.10 Released

Boldly marching into double-digit version number territory, Apple has released Mac OS X 10.4.10, a maintenance update that adds more RAW image support, fixes issues with Bluetooth and USB, and addresses a few other issues. The delta update from 10.4.9 is available via Software Update or it can be downloaded for Intel-based Macs (a 72 MB download) and PowerPC-based Macs (a 25 MB download). A combo update (weighing in at a 293 MB for Intel Macs and 165 MB for PowerPC Macs) updates any version of Mac OS X 10.4.

<http://docs.info.apple.com/article.html?artnum=305533>

Scroll Wheel Tips
by Adam C. Engst

Thanks to our buddy Bill Rabel in Seattle for the impetus to write this article. After Mark Anbinder wrote in “Call Me ‘Two Finger’ Mark” (2007-05-21) about how he was surprised to find himself addicted to two-finger scrolling on his MacBook (which is equivalent to using a scroll wheel or Mighty Mouse scroll ball), Bill went spelunking and found a trick I hadn’t previously known, causing me to look for other scroll wheel tips. (And if you’re interested in the history of the scroll wheel, check out “The Evolution of Scrolling: Reinventing the Wheel,” 2004-12-13.)

Scroll Horizontally

Many applications, such as word processors, are oriented vertically, so scrolling up and down with the scroll wheel is intuitive. But what about applications like Microsoft Excel and ProVUE Development’s Panorama database, which often require scrolling horizontally? Just hold down the Shift key and your scroll wheel switches to controlling the horizontal scroll bar instead of the vertical scroll bar. Applications must support this Mac OS X feature explicitly, so it may not be universal to all applications with a horizontal scroll bar.
Zoom In, Zoom Out Hold down the Control key while you scroll with the scroll wheel and Mac OS X 10.4.8 or later will zoom the screen smoothly. Mac OS X has long provided screen zooming (see the Universal Access preference pane), but it required keyboard shortcuts that were awkward and jerky. Screen zooming isn’t just for This new version of Tiger fixes a problem where those who have trouble reading a Bluetooth headset may not be correctly too-small text or for presenters who removed from Bluetooth preferences, improves want to focus on a particular part reliability when using the Apple Remote after of the screen, though; it’s also great waking from sleep and when mounting exterfor zooming tiny Internet videos up nal USB drives, and resolves an issue with the to full-screen size. Of course, they TomTom GO 910 GPS navigation device on Intel- pixelate more at larger sizes, but based Macs. It also fixes distortion and discolor that’s fine if you’re sitting further back from the screen anyway. The Continued on Page 8 only downside is that it’s hard to get the mouse pointer out of the picture when you’re zoomed in on a video; normally you want the pointer to stay in the zoomed screen. A further tip: if you take a selection screenshot with CommandShift-4 or Snapz Pro X while zoomed in, the screenshot reflects your zoom level properly (trying to take a screenshot of an entire window while zoomed doesn’t work, though). Scroll to Switch Applications I’m not sure if this is any easier or not, but if you press Command-Tab, let up on the Tab key, and then use your scroll wheel, Mac OS X will scroll the selection in the application switcher. Of course, you can also just keep pressing Tab, which seems easier, or hover the mouse pointer over an application’s icon to select it. Per-Frame Advance in QuickTime Player and iMovie HD 6 Want to see if animators hid secret messages in individual frames of a film? 
If you can open it in QuickTime Player, using the scroll wheel pauses playback and then either advances or rewinds a frame at a time. It’s probably a little easier to do with a real scroll wheel that has little detents as you scroll. Alas, this trick doesn’t work in iTunes, DVD Player, or VLC, though you can play .m4v files from the iTunes Store in QuickTime Player. The same trick works in iMovie HD 6, too, but with a caveat. The scrolling seems to work only as a per-frame preview; if you press the left or right arrow keys, which also rewind or advance per frame, the video jumps back to the point where you started scrolling. Tab History Navigation in Mozillabased Browsers Here’s the tip Bill found. If you use Firefox or Camino with tabbed browsing, hold down the Option Continued on Page 8 7 Scroll Wheel Cont’d from Page 7 Continued ation of DNG images, and adds support for RAW images created by the following cameras: Panasonic DMC-LX1, Panasonic DMC-LX2, Leica M8, Leica D-LUX 2, Leica D-LUX 3, Fuji S5 Pro, Nikon D40x, and Canon EOS 1D Mk III. The release notes also claim improved compatibility with Mathematica 6 on 64-bit Macs and a fix for a specific issue with dropped frames while importing video from a DV camera, among other changes. Mac OS X Server 10.4.10 has also been released as a delta update for PowerPC-based Macs (a 58 MB download), and as a combo update in universal (391 MB download) and PowerPC (218 MB download) versions. <http://www.apple.com/support/downloads/macosxs erver10410updateppc.html> YouTube Comes to iPhone and Apple TV As the iPhone nears release, Apple has unveiled another previously unannounced feature: a YouTube application that will download and play back YouTube videos directly on the iPhone. (Earlier, the company revealed that the iPhone would sport improved battery life and a glass - not plastic - screen; see “Apple Announces iPhone Changes,” 2007-06-18.) 
Apple also released a promised update for the Apple TV that enables YouTube video playback (see “Apple TV Gains 160 GB Drive, YouTube Downloads,” 2007-06-04). <http://www.apple.com/pr/library/2007/06/ 20youtube.html> YouTube (which is owned by Google) has been encoding its video library into H.264 format, so I’m assuming that the Apple TV and the iPhone are somehow tapping directly into the H.264 feeds, since normally YouTube delivers its content using Flash. At one point, Apple’s press release talks about H.264 video in the context of the iPhone’s Wi-Fi capability, suggesting perhaps that YouTube downloads could be quite sizable. Using Wi-Fi, that’s not a problem, but downloading over a cell data connection could be costly. Neither Apple nor AT&T have announced pricing for the iPhone’s phone and data services. The Apple TV 1.1 update also patches a potential security vulnerability in UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) where a remote party could cause a denial-of-service attack. The update is available via Continued on Page 9 key and turn the scroll wheel to scroll backward and forward in the tab’s history. These browsers navigate back or forward one page for every scroll detent. It’s a fast way to move back through a lot of pages in a tab, though it’s easy to overshoot your target. Oddly, Netscape and Mozilla use Shift as the modifier key to navigate through a tab’s history, and Safari and OmniWeb don’t have the feature at all. Change Font Size in Firefox and Camino It’s all too common to run across a Web page with text that’s too small to read (Geoff Duncan explained this in “Why Windows Web Pages Have Tiny Text,” 199902-15). All Web browsers make it easy to expand or shrink text, usually with Command-+ and Command--, but you can also use the scroll wheel to do this in Firefox and Camino. Just hold down Command-Control and scroll to adjust text size. can zoom in and out with the scroll wheel. 
In Word, hold down Command-Control and scroll to change the zoom level by 10 percent increments per detent. In Excel, hold down Control-Option to zoom in and out by 15 percent increments. If you’re using two-finger scrolling on a trackpad, zooming in and out in this fashion may be hard to control.

Control Time with iCal

In iCal’s Day and Week view, you normally see the hours from 8 AM to 6 PM, or whatever you’ve set in iCal’s General preference pane. But by holding down Option and rolling your scroll wheel, you can increase or decrease the number of hours that appear in Day or Week views without opening the preferences window. Note that the changes are persistent, but they aren’t reflected in the preferences window.

Slow Down Text Scrolling in Firefox

Normally, if you’re scrolling through a long Web page, the speed accelerates as you turn the wheel. That’s good, since it means you can get to the bottom of a page quickly if you want. But at times you might want a slower scrolling speed so you don’t accidentally scroll past where you’re reading. Hold down the Command key while scrolling in Firefox and scrolling will slow to what seems to be an almost fixed rate. It might be useful if you prefer to keep your eyes in one spot on the page and scroll the text past that spot.

Scroll Through the Years in iPhoto

In iPhoto 6’s Calendar pane, Apple gave us funny little up and down arrows on either side of the pane’s title for scrolling through the years. An easier way to scroll forward and backward in time in that pane is to use the scroll wheel - just make sure the mouse pointer is over that portion of the screen first. There is one notable place where the scroll wheel doesn’t match up to dragging the scroller in the scroll bar. In iPhoto 6, when you scroll by dragging the scroller, iPhoto pops up a translucent display containing the name and date of the current film roll, updating it smoothly as you drag.
Alas, that doesn’t work if you scroll with a scroll wheel, so here’s hoping that iPhoto 7 rectifies that situation.

Zoom In and Out in Word and Excel

Speaking of small text... In Microsoft Word and Excel, if you find yourself squinting to read text at the default font size, you

This article originally appeared in Tidbits Magazine issue #881, published 5/28/07. It is reprinted with the permission of the Author.

1Passwd Eases Password Pain

the Apple TV itself, not as a standalone download. From the device’s main screen, choose Settings, and then choose Update Software. It’s unclear at this time whether other enhancements are included in the update. <http://docs.info.apple.com/article.html?artnum=305631>

A Pair of Updates Fix Safari 2 and 3

Late last week, Apple released Security Update 2007-006 to address bugs in the WebCore and WebKit code upon which Safari and many other Web-savvy Macintosh applications rely. The details are unimportant, but both exploits required the user to be enticed into visiting a maliciously crafted Web page, emphasizing the advice to be aware of what sort of Web sites you’re reading. Security Update 2007-006 is available via Software Update and as standalone downloads for Mac OS X 10.3.9 (2.2 MB) and for Mac OS X 10.4.9 or later in both PowerPC (2.7 MB) and universal (4.5 MB) versions. Note that if you’ve installed the Safari 3 beta, you won’t see Security Update 2007-006 in Software Update. <http://www.apple.com/downloads/macosx/apple/security_updates/securityupdate20070061039.html>

That’s because Safari 3 Beta Update 3.0.2 includes the fixes in Security Update 2007-006 and addresses two other security problems, one that’s specific to the Windows version of Safari 3 and another that can affect both Macintosh and Windows users of the beta-release Web browser.
Apple also claims that Safari 3.0.2 features improved stability and provides better WebKit support for Mail, iChat, and Dashboard (several TidBITS staff members had to uninstall the initial beta of Safari 3 because of annoying interactions with iChat). The 9.5 MB Safari 3 Beta Update 3.0.2 is available only through Software Update, although downloading a new copy of the Safari beta also gets you the fixes. <http://www.apple.com/safari/download/>

Snapz Pro X 2.1 Goes Universal

Ambrosia Software has released Snapz Pro X 2.1, making the popular still image and video screen capture utility a universal binary for native performance on Intel-based Macs. Other changes provide generally improved performance, support for QuickTime compression sessions, compatibility with the Mac OS X 10.5 Leopard beta from

by Joe Kissell

WHEN I WAS WRITING “Take Control of Passwords in Mac OS X,” I thought long and hard about what sorts of strategies I could recommend for creating strong yet memorable passwords. Security experts will tell you that, all things being equal, longer passwords are safer than shorter ones; random passwords are better than those that contain words or follow other patterns; good passwords should include a mix of lowercase and uppercase letters, numbers, and special characters; and you should not reuse a password in more than one context. From a security point of view, that’s all true, but all those practices also make passwords harder to create and harder to remember. So I outlined some ways to lighten one’s password workload without seriously compromising security, but I also recommended that readers save themselves some mental effort and simply let their computers do all that work for them. And, of all the tools available for doing this sort of thing on the Mac, I mentioned that my current favorite is 1Passwd from Agile Web Solutions. For anyone who has struggled with passwords, 1Passwd is the best $30 you can spend.
(It’s only $25 if you use the coupon at the back of “Take Control of Passwords in Mac OS X,” which is of course the best $10 you can spend!) <http://1passwd.com/>

The first time I heard about 1Passwd, though, I was completely mystified as to why anyone would need it. It was described as a password manager that stores items in the Mac OS X Keychain and fills forms (particularly user names and passwords) in Web browsers automatically. And I was thinking: Safari can do that. Almost every browser can do something like that. Why exactly do I need something else to do the same thing? But I decided to try it anyway, and I’m glad I did. It’s become indispensable to me in a subtle but important way, and it performs a whole list of password management tricks that make my day-to-day Web browsing much easier.

Plug It In

1Passwd consists of an application in which you can browse and edit passwords and adjust settings, and a set of browser-specific plug-ins. For Firefox and Flock, the plug-in is a conventional extension; for other browsers, 1Passwd relies on SIMBL-based Input Manager plug-ins (see “Are Input Managers the Work of the Devil?,” 2006-02-20). If you object to the use of Input Managers on philosophical grounds, turn away now. However, I think the utility, in this case, outweighs the potential risk - and it’s a method that enables 1Passwd to do its magic not only in Safari, Firefox, and Flock but also Camino, OmniWeb, NetNewsWire, and DEVONagent. <http://culater.net/software/SIMBL/SIMBL.php>

The browser plug-ins enable 1Passwd to record user names, passwords, and other form data when you enter them (either automatically or on request); fill in form data when needed (only at your request); and generate strong new passwords. It can even generate, fill in, and store a new password with as few as two clicks.
Like Safari, 1Passwd uses the Keychain to store its data, but it uses its own keychain - not your default keychain - giving you an extra layer of security, at least if you choose a different

New iMacs Debut and Mac Mini Sees a Refresh

WWDC, the (restored) capability to use “Save Later” when post-processing movie captures, and various bug fixes. The update is free to registered users; it’s an 11.8 MB download. New copies of Snapz Pro X cost $30 for still image capture only, or $70 if you want to add movie capture capabilities. <http://www.ambrosiasw.com/utilities/snapzprox/>

Apple Updates Windows Safari Beta with Security Fixes

Within three days of Apple’s release of the Safari Web browser for Windows XP and Vista in beta testing versions, several significant security flaws were discovered, some of which were reported to Apple. The company responded quickly, issuing a bug fix release last week for three potential problems that involved specially crafted content at malicious Web sites that must be visited to trigger the vulnerabilities. <http://www.apple.com/safari/>

The bugs were discovered - at least in the descriptions provided by the coders who found them - through the use of fuzzing, a technique that throws piles of crud at targeted areas of a system or application to see what breaks. Fuzzing is a brute force method, but it has to be paired with more refined technical knowledge to understand how to take advantage of a flaw. A non-programmer could potentially use fuzzing to figure out how to crash a piece of software or even an operating system, but they used to have a harder time making use of that crash to tailor an attack that would allow them some sort of access.
Programs like Metasploit provide a bridge between fuzzing and exploitation, however, and as they become increasingly powerful, “script kiddies” - relatively unsophisticated users who use prefabricated attacks - may have

IN A SPECIAL PRESENTATION for the press Steve Jobs unveiled redesigned iMacs and updated Mac Minis. Unlike most such events Jobs seemed to hurry through the presentation. (Perhaps because the most striking features were already hot news on rumor web sites.) The big news for the iMac was its new industrial design. The previous design was inspired by the iPod. The new design takes its cues from the iPhone. The outer shell is now made of aluminum. The display sports real glass rather than plastic. Jobs called attention to the fact that the two materials are highly recyclable. The display has the glossy finish, rather than matte finish, like the MacBooks. It’s also thinner than the previous models. Gone from the line up is the 17 inch model. You now have a choice between a 20 inch or 24 inch iMac.

As with the previous iMac models, the new iMac includes a built-in iSight video camera and microphone, an infrared port (with an Apple Remote for talking to it), and a slot-loading SuperDrive (with dual-layer support). In a row along the back, the new iMac offers audio input and output jacks, three USB 2.0 ports, one FireWire 400 and one FireWire 800 port, gigabit Ethernet, and DVI video out (a separate adaptor required which costs $20, if you want to use it). 1 GB of RAM is standard, upgradable to 4 GB (by removing just one screw, the only one that’s visible), and 802.11n wireless networking and Bluetooth 2.0 are built-in. Base models are accompanied by a keyboard and Mighty Mouse.
The 20-inch iMac at $1,199 includes a 2.0 GHz Intel Core 2 Duo processor and a 250 GB hard drive with an ATI Radeon HD 2400 XT graphics card with 128 MB of GDDR3 memory; switching to a 2.4 GHz Intel Core 2 Duo, a 320 GB drive, and an ATI Radeon HD 2600 Pro with 256 MB of GDDR3 memory increases the price to $1,499. The 24-inch iMac drops in price by $200 to $1,799 and includes the same 2.4 GHz Core 2 Duo processor, 320 GB hard drive, and ATI Radeon card as the mid-level model. A souped-up version of that model with a 2.8 GHz Core 2 Extreme processor, 500 GB hard drive, and 2 GB of RAM costs $2,299. You can also purchase the base 24-inch model with a 2.8 GHz Core 2 Extreme for an additional $250. All the new models are currently available, and include the just-released iLife ‘08.

Mac Mini

The Mac Mini was also refreshed. Though Apple barely mentioned it. The Mini went from 1.66 or 1.83 GHz Core Duo processors to 1.83 GHz or 2.0 GHz Core 2 Duo processors. Which means it jumped an entire processor generation, and is therefore around 20% faster than the previous models at equivalent speeds. The base model includes 1 GB of memory, up from 512 MB and expandable to 2 GB. Other features remain unchanged, including only 802.11g Wi-Fi, and four USB 2.0 ports. Although it is a modest update it provides good value. Apple has kept the price on the Mac Mini the same while delivering a more capable entry level

more disruptive power. <http://framework.metasploit.com/>

It’s disturbing that Apple isn’t stress-testing its public beta software with the same kind of readily available tools for fuzzing used by both researchers and the nefarious. Many of the Month of Apple Bugs flaws (see “MoAB Is My Washpot,” 2007-02-19), as well as many recent AirPort and AirPort Extreme problems, were discovered through fuzzing.
Apple’s security update notice, which I cannot find archived online, notes, “This beta software is for trial purposes and intended to gather feedback prior to a full release.” That is, “Bite us: This is beta software.” The flip side, of course, is when Steve Jobs says, hey, go download the beta, it’s hard to argue that serious security flaws aren’t just as serious as they are in released software. Apple also said, “As with all our products, we encourage security researchers to report issues to productsecurity@apple.com.” No researchers were credited for the three fixed bugs.

Apple iPhone Won’t Be Barred Under Ruling

Apple should be breathing a sigh of relief right now that they didn’t include third-generation (3G) cellular data networking technology in the iPhone. A highly unusual U.S. International Trade Commission (ITC) ruling last week prevents the importation of any new 3G phone that uses silicon chips from Qualcomm. Bloomberg News confirmed that the iPhone doesn’t use any Qualcomm chips. <http://www.usitc.gov/ext_relations/news_release/2007/er0607ee1.htm>

The ITC ruled in October 2006 that Qualcomm had infringed patents owned by Broadcom, a rival maker of cellular chips as well as a major Wi-Fi chip maker. However, until last week’s ruling, it was unclear what action might be taken. The ban affects all 3G chips sold by Qualcomm; most handsets are manufac-

password for your 1Passwd keychain. Here’s a typical example of how I might use 1Passwd: A site asks me to come up with a user name and password. I type in my standard user name and then choose Generate Strong Password from the 1Passwd pop-up menu. In the dialog that appears, I can select password length and how many numbers and special characters to include. 1Passwd immediately displays the password it has generated; changing any setting produces a new password choice. Usually I leave those sliders set at my default preferences and simply click Fill.
1Passwd then enters the newly generated password in the appropriate field (repeating it in a confirmation field, if necessary) and saves all the data from that form (including my user name) in its keychain. My work is done: I never had to give any thought to creating a password, and I don’t have to remember it, either. The next time I return to that login page, I can choose a menu command or press a keystroke to fill in the form and log me in.

Form Factor

To explain why 1Passwd is useful beyond merely generating and storing passwords, let me describe a couple of the problems it’s designed to solve, both of which involve Web-based forms. One problem is any domain for which you have multiple sets of user names and passwords. In my case, google.com is such a domain: I have one user name/password combination for Gmail, another for AdSense, and a third for Google Docs & Spreadsheets. If I were to let Safari (or any other browser) remember my passwords, it would be unable to distinguish between different URLs in the google.com domain. So, if I’ve saved three sets of credentials and I go to log in to, say, Gmail, Safari may not fill in my Gmail user name and password - instead, it’ll use whichever set of credentials I saved most recently. 1Passwd solves this problem by enabling you to save, and restore, any number of forms for a given domain - you can choose the one you want to use, when it’s time to fill out a form, using a pop-up menu or keyboard shortcuts. This means that, by default, form fields won’t be pre-filled when the form loads (though you can re-enable this feature in Safari or OmniWeb if you prefer), but in exchange for perhaps one additional click or keystroke, you avoid the hassle of having to enter your credentials manually if your browser chooses the wrong ones.
You can also store multiple identities - sets of information about yourself, including address, phone number, and even credit card information - and fill in data from any identity when a site asks you for your information (even when a password is not actually required).

A second problem I’ve frequently encountered is that passwords saved in one browser aren’t available in another. For example, I always have both Firefox and Safari running - I generally prefer Safari, but there are certain sites I can access only using a Mozilla-based browser, and I’m also fond of several useful Firefox extensions. So, if I happen to log in to a certain site in Firefox, and allow it to save my user name and password, they’re stored in Firefox’s internal list. When I later visit the same site in Safari, it knows nothing about my credentials, which I then have to type in manually (or, if I’ve forgotten them, go fishing for them in Firefox’s preferences window). Because 1Passwd uses a single keychain, accessible via all supported Web browsers, one need store a given set of credentials only once. It can then be accessed as easily in one browser as in another. It can even import your existing passwords from just about any browser, so cross-browser compatibility issues disappear almost instantly.

Further Tricks

Another thing I’ve appreciated about 1Passwd is that it can often fill in passwords even on pages where autofill is otherwise disabled. Bank Web sites, in particular, typically disable the use of autofill as a security measure, the rationale being that if your computer falls into the wrong hands, an unscrupulous person could log into your bank account and do considerable damage without ever knowing your user name or password. Because I can (and do) take other security measures to prevent that problem, I bristle at the inconvenience of having to remember, and manually type, my passwords for such sites.
In general, 1Passwd can transparently handle sites where conventional autofill is disabled, though I do have an account at one bank where the password mechanism is so hyper-secure (and so novel) that not even 1Passwd can penetrate it.

1Passwd claims to have an “antiphishing” feature, which prevents you from entering your credentials on an illegitimate site pretending to be your bank, PayPal, eBay, or some other such institution frequently appearing in spam email. In reality, all this means is that if you click a link in an email message that purports to take you to your bank site, and 1Passwd sees that the domain name in the URL doesn’t match the one in its keychain for your bank, your credentials won’t appear as an autofill option. So 1Passwd doesn’t explicitly alert you in any way that a site may be fraudulent, nor does it prevent you from manually typing in your login information, but it does at least provide a minimal level of protection.

Among the numerous other interesting features in 1Passwd is the capability to lock just your 1Passwd keychain when you quit the 1Passwd application; you can also (as for any keychain) set it to lock automatically after a user-defined period of inactivity or when your computer sleeps, as well as sync it using .Mac. Agile also offers an optional ($13) application you can buy to read (but not edit or add) passwords from your 1Passwd keychain on your Palm or Treo.

What’s Not to Like

As much as I like 1Passwd - and I truly do like it a great deal - it has a few irritating rough edges. One is the way it handles multiple identities: it seems like the wrong way to remember the wrong combination of data. For instance, suppose I want to use a single set of personal data - name, address, phone number, email address - on many different Web sites, but I want to store details about six different credit cards.
In 1Passwd, that means creating six different identities, which will all be the same except for the page of credit card information. Not that this is hard - yes, there’s a Duplicate button - but credit card information strikes me as the sort of thing that should be handled separately from other data. For that matter, the same could be true of other items: my name will always be the same, but I might use different email addresses on different forms. I’d like to see some mechanism for storing any given piece of data in just one place, which would entail slicing up the Identity feature in a different way. (Even so, I consider the Identity part of 1Passwd a relatively minor feature; you can ignore it completely and still get tremendous value from letting it handle user names and passwords.) Speaking of credit cards, 1Passwd often has trouble filling in credit card data in forms it has never seen before. I suspect the reason for this is that it’s looking for form fields with specific names, and Web sites vary too much for 1Passwd to be able to perceive a match in many cases. You can still copy and paste your card number from 1Passwd, but that’s barely easier than manually entering the data manually. Although 1Passwd can store multiple sets of credentials per domain, what I’d really like to see is an even finer level of granularity in the use of autofill. For example, even though the URL for Gmail and the URL for AdSense both start with “http://www.google.com/”, what comes after that is sufficiently different in the two cases that 1Passwd should be able to determine which user name and password I want on a given occasion, rather than making me choose one or the other from a menu manually. I’d also like to see customizable keyboard shortcuts for absolutely everything (shortcuts are present, but limited, currently) and a way to access its password generator within the 1Passwd application itself (since sometimes I want to create new passwords for uses other than Web pages). 
And finally, I’d prefer that the documentation be provided locally; the other day, when I chose Help > 1Passwd Help, Safari attempted to open the help pages on 1Passwd’s Web site, but as the site wasn’t responding at that moment for whatever reason, I was unable to get a quick answer to my question.

Nevertheless, I can’t pretend that these are anything other than quibbles. 1Passwd is a fine example of intelligent and helpful programming at a reasonable price, and I recommend it heartily. The program is a 4.7 MB download; until it’s registered, it functions as a free demonstration version that limits users to a single identity and 12 stored Web forms.

This article originally appeared in Tidbits Magazine issue #884, published 6/18/07. It is reprinted with the permission of the Author.

process of private/public key encryption and decryption is slow - it’s much more difficult to compute than conventional single-key algorithms, due to the exotic mathematics underpinning asymmetric algorithms of public-key cryptography. Most public-key cryptography systems (including SSL/TLS) actually encrypt the data to be exchanged with symmetric encryption, which is fast and efficient. Asymmetric encryption is reserved for exchange of the short-lived symmetric keys. As a bonus, this combination frustrates cryptanalysis by not providing large amounts of data encrypted with any single key to analyze. Symmetric keys are used only for a short time and then discarded, while asymmetric keys are only used for the exchange of symmetric keys, rather than for user data.

Imagine an idealized and simplified example:

1. Citibank and I each separately create our own private/public key pairs, which we can use with each other and also to communicate with others.
2. I create a new bank account, and Citibank and I exchange _public_ keys (in addition to, or instead of, my handwritten signature). Note that we never give our _private_ keys to anyone else; having a private key could be considered a limited power-of-attorney.
3. I visit www.citibank.com with my Web browser.
4. Citibank’s Web server randomly generates a very large number between 0 and 2^1024-1 (“a 1024-bit number”), which we will call “randomServerKey.”
5. Citibank encrypts randomServerKey with my public key, and sends it to my browser.
6. My browser decrypts randomServerKey with my private key.
7. My browser generates another 1024-bit random number, encrypts it with Citibank’s public key, and sends it to Citibank (call this “randomClientKey”).
8. Now that Citibank’s Web server and my browser both know two secret numbers (and nobody else can, because they don’t have our private keys to decrypt and discover the secrets, even if they are eavesdropping on our communications), we can combine randomServerKey and randomClientKey and some additional random data to create a “sessionKey” that will be good only for a short time.
9. Each time either of us wants to send information to the other - whether a URL, account number, dollar amount, or a whole Web page - we use symmetric encryption such as AES-128 (the Advanced Encryption Standard with 128-bit blocks) to encrypt it with sessionKey before sending; the recipient decrypts using AES-128 with the sessionKey. <http://en.wikipedia.org/wiki/Advanced_Encryption_Standard>
10. Every two minutes, my browser and Citibank’s Web server automatically repeat the key exchange procedure to generate a brand-new session key. This counters decryption attacks based on analyzing large amounts of ciphertext, by ensuring that a cryptanalyst never has much encrypted data from any one sessionKey to analyze.

It’s important to keep in mind that I can safely use the same procedure with any number of different Web sites, discarding the session keys after use, reusing the same private key for all my communications.
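The idealized exchange in steps 1 to 10 above, as an added Python sketch that is not from the original article and is not the real SSL/TLS handshake. It assumes textbook RSA with tiny constructed keys, 128-bit random numbers in place of 1024-bit ones, a salt sent in the clear as the "additional random data", and a SHA-256 keystream with HMAC standing in for AES-128 (Python's standard library has neither RSA nor AES); all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

E = 65537  # widely used RSA public exponent


def make_keypair(p, q):
    """Step 1: textbook RSA key pair from two primes -> (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # pow(E, -1, phi) is the private exponent


def rsa_encrypt(public, number):
    n, e = public
    if not 0 <= number < n:
        raise ValueError("value does not fit under this modulus")
    return pow(number, e, n)


def rsa_decrypt(private, cipher):
    n, d = private
    return pow(cipher, d, n)


def derive_session_key(server_secret, client_secret, salt):
    """Step 8: mix both secrets with extra random data into a 128-bit sessionKey."""
    material = server_secret.to_bytes(16, "big") + client_secret.to_bytes(16, "big")
    return hmac.new(salt, material, hashlib.sha256).digest()[:16]


def key_exchange(server_pub, server_priv, client_pub, client_priv):
    """Steps 4-8. Returns (server's sessionKey, client's sessionKey, wire traffic)."""
    random_server_key = secrets.randbits(128)                # step 4 (server)
    to_client = rsa_encrypt(client_pub, random_server_key)   # step 5 (on the wire)
    client_copy = rsa_decrypt(client_priv, to_client)        # step 6 (client)
    random_client_key = secrets.randbits(128)                # step 7 (client)
    to_server = rsa_encrypt(server_pub, random_client_key)   #        (on the wire)
    server_copy = rsa_decrypt(server_priv, to_server)        #        (server)
    salt = secrets.token_bytes(16)  # assumption: extra random data, sent in the clear
    server_key = derive_session_key(random_server_key, server_copy, salt)
    client_key = derive_session_key(client_copy, random_client_key, salt)
    wire = {"to_client": to_client, "to_server": to_server, "salt": salt}
    return server_key, client_key, wire


def _subkey(session_key, label):
    # Separate keys for encryption and authentication, both tied to sessionKey.
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def sym_encrypt(session_key, plaintext):
    """Step 9, sender. SHA-256 keystream + HMAC stands in for AES-128 here."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def sym_decrypt(session_key, message):
    """Step 9, recipient. Rejects anything not produced under this sessionKey."""
    nonce, body, tag = message[:12], message[12:-32], message[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong sessionKey or altered message")
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def demo():
    # Constructed toy keys built from known Mersenne primes: far too small for real use.
    bank_pub, bank_priv = make_keypair(2**61 - 1, 2**127 - 1)
    me_pub, me_priv = make_keypair(2**89 - 1, 2**107 - 1)
    bank_key, my_key, _wire = key_exchange(bank_pub, bank_priv, me_pub, me_priv)
    request = b"transfer 100.00 to account 0000-EXAMPLE"     # constructed message
    sent = sym_encrypt(my_key, request)
    received = sym_decrypt(bank_key, sent)
    # Step 10: rekey. A message captured under the old sessionKey no longer opens.
    new_bank_key, new_my_key, _ = key_exchange(bank_pub, bank_priv, me_pub, me_priv)
    try:
        sym_decrypt(new_bank_key, sent)
        old_message_rejected = False
    except ValueError:
        old_message_rejected = True
    return {"keys_match": bank_key == my_key, "received": received,
            "rekeyed": new_bank_key == new_my_key and new_bank_key != bank_key,
            "old_message_rejected": old_message_rejected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Only `to_client`, `to_server`, the salt and the symmetric ciphertext ever cross the wire; the private keys are used once per exchange and never for the request itself.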
As I noted, this is an idealized example of how online bank account creation could work. Banks and customers don’t actually exchange their public keys when creating new bank accounts, but instead still rely on passwords and sometimes other methods such as scratch-off password sheets and physical password generators, called “hard tokens” (an example would be a SecurID key fob). In the future, public key exchanges as part of opening accounts could provide strong cryptographic identification and secure communications. Banks do some of this today with each other, but generally not for their customers. <http://en.wikipedia.org/wiki/SecurID>

How does having a public and private key pair identify me, though? Anyone could generate a set of keys and claim any identity they wanted. Certificates are one way of answering this question. A certificate combines three elements: 1) identification, 2) a public key, and 3) external assurance. Let’s look at how these elements can be combined to make keys useful in the real world.

Who Do You Trust?

Keeping in mind that public keys are really just large numbers, how can we connect a public key with a human being or corporate entity? I could create a certificate and claim it belongs to the Pope, so there needs to be some cross-checking. SSL/TLS handles this with trusted certificate authorities, where a trusted party vouches for a given certificate. Every Web browser includes its own bundle of trusted “root” SSL/TLS certificates, and every certificate signed by any of those root certificates is trusted by the browser.
Additionally, the entities that own these certificates (called “certificate authorities”, or “CAs”) may delegate their trust to additional companies, signing “intermediate” certificates which are then also trusted to sign further certificates; this hierarchy of trust is called a “certificate chain.” So long as you visit only Web sites certified (directly or indirectly) by CAs trusted by your browsers, you need not worry about this. If you want to step outside the lines, however, things become more complicated.

CAs are not the only way to establish trust, of course. In particular, PGP/GPG (Pretty Good Privacy/GNU Privacy Guard, popular tools for public key cryptography) uses a “web of trust” concept, eschewing commercial authorities in favor of people signing each other’s public keys.

SSL for Surfers

In real-world terms, people use SSL/TLS for two reasons: privacy and identity assurance. First, the encryption helps prevent criminals from prying into electronic communications, and particularly from capturing passwords that could provide access to email, PayPal, bank accounts, and the like. Second, SSL/TLS certificates provide a fairly good guarantee that a Web site branded with the browser’s lock icon is legitimate and trustworthy.

Anyone who ever enters sensitive information at a Web site, whether it’s a credit card number, phone number, home address, or supposedly anonymous rant, should check for “https” in the URL, and consider seriously any warnings about expired, misnamed, or otherwise untrusted certificates. If your browser warns you about a site, **please** consider the warning carefully, and decide if it means you should go elsewhere or proceed with your eyes open.
Unfortunately, there are easier ways to attack SSL/TLS-protected Web sites than actually breaking the encryption, including creating new sites with names confusingly similar to legitimate popular sites (with foreign alphabets, they may even be visually indistinguishable from the legitimate name), or putting a lock icon into the Web page. The browser is supposed to show the lock outside the HTML display area, so a lock _inside_ the HTML area of the page is a design element by someone who wants you to trust this site, rather than an assurance from your browser that it is in fact trustworthy. People sometimes do not notice that the lock is in the wrong place, and blindly trust the site. They are often unhappy soon afterwards.

To see a Web site’s SSL/TLS certificate details, visit the site in a Web browser (URLs of SSL/TLS Web sites start with “https://”), and click the lock icon (Safari shows it in the upper-right corner; Firefox and Internet Explorer use the lower-right corner). As an example, Apple’s https://store.apple.com/ certificate was issued by the “VeriSign Trust Network” and signed by “VeriSign, Inc.” That VeriSign certificate was in turn signed by VeriSign’s “Class 3 Public Primary Certification Authority”. The “Class 3” root certificate is trusted by most browsers in use today. In Mac OS X, you can see this certificate in Keychain Access, in the “X509Anchors” keychain (SSL/TLS certificates are based on the X.509 digital certificate standard); Firefox stores its bundle of X.509 root certificates in its application package, because Firefox doesn’t use the Apple Keychain. Because the Class 3 certificate is built in, Safari and Firefox users see a lock icon instead of scary warnings when using SSL/TLS sites authorized by that Class 3 certificate, such as https://store.apple.com/. <http://en.wikipedia.org/wiki/X.509>

SSL/TLS isn’t limited to securing Web sites.
To be secure, email communications can also use encryption, and SSL/TLS is one of the easier ways to accomplish this. Unfortunately, support for SSL/TLS varies widely, and server-to-server SMTP connections are rarely encrypted. On the other hand, Apple Mail, Apple’s .Mac mail service, and Mac OS X Server all support SSL/TLS for secure IMAP, although unfortunately .Mac does not support SSL/TLS for webmail.

To configure a Mail account to use SSL/TLS for checking email, open Preferences, click Accounts, select the desired account, and click the Advanced tab; there check “Use SSL”. If your mail server runs on a dedicated IMAP/SSL or POP/SSL port (like Mac.com), enter the appropriate port number (993 for IMAP/SSL; 995 for POP/SSL). To encrypt sending mail, click the Account Information tab, then the Server Settings button at the bottom under “Outgoing Mail Server (SMTP)”; check “Use Secure Sockets Layer (SSL).” If you need a special port for SMTP, it’s probably 587 (this works for Mac.com).

Getting a Certificate for Your Site

To set up a secure Web site, you must first create a public/private key pair. Keep your private key secret and never share it with anyone. Next, combine the public key with your identifying information, including the site’s domain name and owner, to create a “certificate signing request” (CSR). CSRs themselves aren’t useable for encryption, but the process of signing a CSR creates an X.509 certificate, which identifies a site and its claim to trustworthiness (the signature), and ties the site’s public key to its private key (normally kept in a separate file).

When a CA (typically a commercial security company) receives a CSR, it is reviewed to determine if the request is acceptable. Is it properly formatted? Was the request made by a customer with authorization to make requests for that domain name, in good financial standing?
If the request passes all the CA’s checks, which vary broadly between organizations, the CA folds in additional information, such as dates of issue and expiration (which ensure that old certificates don’t last, and also that CAs keep getting paid), and signs the whole thing (CSR data, CA data, and customer-provided public key), producing the certificate, which it then returns to the customer, formatted for the particular software used by the requester. Components of Mac OS X Server (specifically the included Apache Web server, Cyrus and Postfix mail servers, and Jabber chat server) all use the same certificate formats, and can share certificates. Of course, a certificate is useless without its matching private key (created with the CSR), since the certificate is based upon a particular public key. Because CAs vouch for the identity of the certificate’s owner, they tend to be picky about the details of the certificate request. Misspelling a name can delay certificate issuance, and requests for certificates under different business names can be even more troublesome. Since people trust signed certificates to identify Web sites and protect their confidentiality, SSL/TLS keys (the secret part) must be kept secret and safe. In the best case, if your key is destroyed, you could be out a few hundred dollars and offline while processing a brand-new CSR, private key, and certificate. In the worst case, if a hostile party (a cracker, an FBI agent, or your ex) gets a copy of your SSL/TLS certificate and private key, they could either impersonate the real site, or decrypt all supposedly secure communications sent to that site - a phisher’s dream. There is a U.S. 
federal standard (FIPS 140) dealing with how to secure such confidential data, and it describes tamper-proof hardware and multi-party authorization, but most people secure their private keys either with a password that must be entered to start the SSL/TLS service after a reboot, or simply by protecting the computer containing the unencrypted key, which enables rebooted computers to resume serving SSL/TLS services (including HTTPS Web sites) without human intervention. This is important to think about when first venturing into SSL/TLS, and much more so for certificate authorities.

<http://en.wikipedia.org/wiki/FIPS_140-2>

Theft of a private key gets very complicated. If you lose your car or house keys it’s a nuisance, but changing locks is straightforward. For SSL/TLS the equivalent is certificate revocation, identifying a key pair as compromised and informing others not to use it. Unfortunately, revocation is an extremely difficult problem for several reasons. For one, revocations must be managed as carefully as certificate signatures - it would be unacceptable if a competitor could revoke Amazon’s SSL/TLS certificate. Additionally, since private keys are tightly restricted, what if the computer containing the only copy of the key is stolen? Finally, the SSL/TLS design doesn’t make any assumptions or demands about timeliness, but if a certificate has been compromised, the revocation should happen before anyone is able to commit fraud with the stolen certificate and key. As a result, although there are many revocation systems, they are largely unused.

All about Certificate Authorities

A certificate authority is responsible for verifying that each request comes from the party described in the certificate, that this organization has legitimate ownership of the domain, and that the requester is authorized to make the request. The details of what is required and how it is verified vary widely between CAs.
There are many CAs, but working with a new CA is problematic compared to using a better established authority. In this case “better established” means bundled into more browsers, because when a browser connects to a site with an unknown certificate, it presents a deliberately scary warning that security cannot be assured, and nobody wants that to be the first user experience of their Web site especially when selling online. This applies equally to self-signed certificates, those signed by private CAs (such as universities and corporations for internal use), and certificates signed by upstart commercial CAs not yet bundled in the user’s particular browser.

<http://news.netcraft.com/SSL-survey>

With Internet Explorer 7, Microsoft introduced “Extended Validation” (EV) for “High Assurance” SSL/TLS certificates, stipulating additional checks on all EV CSRs and Web sites in an attempt to bring some consistency to the somewhat chaotic range of CAs and CA policies. Mozilla has stated that Firefox will support EV certificates, and Safari is expected to as well. These certificates are of course more expensive. EV certificates are particularly welcomed by CAs, as they provide an opportunity to re-raise certificate prices, which had been trending downward with competition.

<http://en.wikipedia.org/wiki/Extended_Validation_Certificate>

Prices vary widely among the different certificate authorities. VeriSign is one of the largest and most expensive, charging $1,000 for a 128-bit certificate lasting a year, or $1,500 with EV. When Thawte undercut VeriSign’s prices and threatened their market share, VeriSign bought Thawte, retaining the brand for cheaper certificates.
Thawte charges $700 or $900 (with or without EV) for a 1-year 128-bit certificate, but the process of installing a Thawte certificate is more difficult, because an intermediate certificate must also be installed; this appears to be an attempt by VeriSign to prevent the cheaper Thawte certificates from being as functional as VeriSign-branded certificates. Recently, when GeoTrust threatened VeriSign’s popularity and pricing with 1-year 128-bit certificates for $180, VeriSign repeated the performance and bought GeoTrust, preventing them from seriously undercutting VeriSign EV certificates. Cheaper options do exist, though, such as RapidSSL, which charges only $62.

<http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/>
<http://www.thawte.com/ssl-digital-certificates/buy-sslcertificates/>
<http://www.geotrust.com/buy/geotrust_ssl_certs.asp>
<http://simplessl.com/rapid_ssl.shtml>

Because certificates are so expensive, CAs offer various discounts for longer-lasting certificates or multiple purchases, and renewals typically cost less than new certificates. Most CAs are conscientious about reminding their users to renew certificates before they expire (and pay for the privilege), but they are also generally good about carrying any unused time onto renewed certificates so there is no penalty for early renewal. A late renewal can be quite embarrassing, as Web site visitors are asked if they trust the expired certificate; putting certificate expirations into a calendar can help avoid these problems.

All CAs offer the same basic service of signing CSRs to produce trusted certificates, but there are many variables including CA reputation, complexity of the certification process, ease of installation and use for certificates, user convenience in accessing certified sites, and CA policies.
In an attempt to justify their prices, many CAs offer guarantees of integrity for the certificates (and thus the associated Web sites) that they certify, such as VeriSign’s Secured Seal program.

What kind of certificates should you use? Public ecommerce sites, and those dealing with other highly sensitive information, should be using 128-bit commercial certificates. The details of which certificate you should buy depend on the site itself, but it’s worth keeping in mind that the main differentiators revolve around visitor confidence (EV certificates, well-established root keys, etc.) and ease of use for administrators, while the actual signing process is cryptographically equivalent for all CAs. Remember that you provide the private and public keys yourself; the certification authority vouches for the certificate’s owner, but isn’t involved at the encryption level. All 128-bit SSL/TLS certificates are cryptographically equivalent, although browsers treat EV sites differently.

Alternatives to Commercial CAs

There are alternatives to paying a CA up to $1,500 per year to sign your certificate. First, you create a new CSR and use it to sign itself; such a “self-signed certificate” lacks a third party’s assurance of authenticity but provides exactly the same encryption as a “real” certificate with a proper sig
Continued on Page 17

Cover Story Continued from Page 6

tured overseas and then imported. Any handset model imported by 07-Jun-07 can continue to be imported in future shipments, according to the ruling.

The iPhone uses Wi-Fi for local networks and EDGE for cell networks. EDGE fits into the 2.5G cell technology category, a peculiar name - “second and a half generation” - assigned to interim standards released mostly in the United States to bridge the gap between 2G (slow modem speed) and 3G (low-end broadband speed) offerings during a long period that 3G wasn’t ready to deploy.
EDGE offers as much as three times the bandwidth of a dial-up analog modem, or roughly 150Kbps in ideal cases. Many pundits and journalists opined that by charging $500 or $600 for the iPhone (depending on capacity) and by including a slower-than-3G cell data connection, Apple had missed the boat - forgetting, of course, that smartphones are only gradually adding 3G networking, that few offer 3G and Wi-Fi in a single offering (and none allow seamless network handoffs), and that other smartphones cost in the hundreds of dollars. With new Qualcomm-based 3G phones banned, Apple may get the last laugh.

The decision went into effect immediately, and Qualcomm, Verizon, and others are already attempting to have the ruling reversed. The ruling becomes final within 60 days unless overturned by the U.S. president; the White House said that it would delegate the decision to the U.S. Trade Representative, as it has since 2005. If there’s no decision from U.S. Trade Representative Susan Schwab, Qualcomm can file an appeal in federal court.

Apple Improves MacBook Pro

Apple revamped its MacBook Pro line of portables last week with faster processors, better graphics capabilities, 802.11n wireless networking (removing the need to run an enabler), and screens that are backlit using LED technology. I need to remind myself that the MacBook Pro I bought last November is still a perfectly fine machine for my needs, and not allow techno-lust to overpower me (see “More Bang, Less Bucks for My MacBook Pro,” 2006-11-20). That won’t be easy, however.

<http://www.apple.com/macbookpro/>

ware, iWeb ‘08, gained support for widgets that can be embedded in web pages. Using a widget you can add things like a Google map or a custom HTML snippet. You can also add Google AdSense ads to your site, registering directly from within iWeb ‘08. iWeb provides media index pages and enhanced photo gallery pages (requires .Mac). New in this release is support for personal domains.
iWeb also gains support for multiple web sites, though there are some issues with publishing for those not hosting their sites at .Mac.

GarageBand ‘08

The major new feature in Apple’s consumer music-editing application is Magic GarageBand. Magic GarageBand is a feature that lets you play music in a “virtual band”: choose a genre, assign some instruments on the faux stage, and then pick an instrument for you to play along with a pre-loaded track. GarageBand ‘08 also supports multi-track recording and 24-bit audio. It adds a new arrangements feature that allows you to select sections of a song, such as a chorus, and move them around easily in the song timeline. A visual equalizer lets you change EQ bands by dragging a wave form. Professionally designed EQ presets are also available. It also allows you to automate tempo effects and instruments to give your compositions a fresh sound throughout.

Conclusion

Overall there is a lot to like with this iLife suite. The major standouts are iPhoto and iMovie. For some, iMovie ‘08 is just not up to par. But the good news is you can still use iMovie HD 6; you can even transfer projects from iMovie ‘08 to iMovie HD 6 to work with some of the features missing in the new iMovie. iWeb and GarageBand gain some well thought out, and powerful, new features. Of the mix, iDVD has changed the least, but its gains are mainly under the hood.

Editor’s Note: Considering the number of new products released at the same time, it was decided that one long article was not appropriate. Therefore each product has its own article. See Page 10 for the new iMacs and Mac Minis. See Page 19 for coverage of iWork ‘08. See Page 23 for coverage of .Mac.

The new 15-inch and 17-inch models are powered by Intel Core 2 Duo processors running at 2.2 GHz or 2.4 GHz. The new chips belong to the recently
announced Intel “Santa Rosa” family, which offer improvements in power consumption and bus speed (800 MHz versus 667 MHz for the Core 2 Duo processors used in the previous MacBook Pro revision). The chips also enable the use of up to 4 GB of RAM, up from a maximum of 3 GB. The base configurations include 2 GB of memory.

For graphics, the MacBook Pros use the Nvidia GeForce 8600MGT processor with either 128 MB or 256 MB of memory. That memory comes in handy not only for graphics-intensive applications such as Final Cut Studio but also for powering the 17-inch model’s optional (for $100 more) display with a resolution of 1920 by 1200 pixels, large enough to view and edit 1080i high-definition video at native resolution. The default configuration remains the same as before, with a native resolution of 1680 by 1050 pixels.

The MacBook Pro is also the first Mac to use energy-efficient LED (light-emitting diode) backlighting for its display, though only on the 15-inch model for now. Steve Jobs alluded to LED-backlit displays in his “A Greener Apple” open letter posted at the Apple Web site in May (see “Steve Jobs Talks Green,” 2007-05-07) because replacing fluorescent backlighting with LEDs reduces the amount of toxic mercury used in computers. According to comments by Apple, the LED backlighting can also add 30 to 60 minutes of time to a battery charge.

<http://www.apple.com/hotnews/agreenerapple/>

Storage has been increased, offering 120 GB or 160 GB hard drives running at 5400 rpm for the 15-inch model, with an optional 160 GB drive at 7200 rpm or a 200 GB drive at 4200 rpm. The 17-inch model comes with a 160 GB drive, but can be outfitted instead with the 7200-rpm 160 GB drive or a 250 GB 4200-rpm drive. Note that drives spinning at faster rates will not necessarily perform more quickly in real-world usage.
In most other respects, the configurations are similar to the previous generation, including one FireWire 400 port, one
Cont’d on Page 20

nature. For one or two host names (since certificates are tied to host names) and for sites where consumer confidence isn’t important, using self-signed certificates is a good option. It’s perfect for personal sites, where a few hundred dollars could be a waste of money. Even for sites which do not provide SSL/TLS access for visitors, securing administrative access (updating blogs, checking statistics online, etc.) is a perfect use for self-signed certificates.

If you have many sites, such as might be true at a university or corporation, it may make more sense to create your own CA, and use that to sign individual certificates, avoiding all CA fees. The downside is that visitors to your site must both deal with legitimate security warnings from their browsers, and manually trust your private CA certificate. The procedures for dealing with private CAs vary across browsers, and because criminals can be CAs as easily as anyone else, some browsers make it deliberately difficult to trust a new private CA. However, users must trust your CA only once, and never again have to deal with untrusted certificate warnings (unless they switch computers or browsers, in which case the process must be repeated).

If you opt to follow this path, you should first think seriously about both electronic and physical security of your root certificate’s key, including backups and staff turnover. Fortunately, being a CA is not technically much more complicated than self-signing a certificate, although assisting users with installing root certificates is deliberately more complicated than simply trusting a self-signed certificate in some browsers.

Establishing your own private CA costs nothing - the free OpenSSL can do it all.
It just takes an investment of time to learn the procedures and a security commitment to protect the root key, which is the security linchpin for all child certificates. The details are outside the scope of this article, but there are several online resources to get started, and the procedure can be automated and streamlined quite effectively. OpenSSL includes CA.pl, a Perl script to automate these tasks; it’s effective but not perfect. Dissatisfied with CA.pl and manual procedures, I have produced two simple scripts, cert.command to create and sign new certificates, and sign.command to sign existing certificates. Using either of these scripts, I provide the host name twice, enter the root key’s passphrase, and hit Return a bunch of times; the rest is automated.

<http://www.openssl.org/>

Secure in My Conclusions

SSL/TLS is by no means the only way to secure Web and email communications on the Internet, but it does yeoman service every day for millions of people, protecting credit card numbers, online banking sessions, email, and more. For normal users, seeing the lock icon and “https” in URLs provides confidence that SSL/TLS is keeping us safe. For admins, although the technology behind SSL/TLS definitely falls into the realm of cryptography (the software equivalent of rocket science), the cost and effort of implementation are well within the means of anyone capable of running a Web server.

[Chris Pepper is a Unix System Administrator in New York City. He’s still amused that Mac OS X has turned out to be such a great management workstation for the Unix systems he works with. Chris’s invisible signature block reads “Editing the Web, one page at a time.” After banging his head against the issues discussed in this article, Chris has written an additional article on how to use OpenSSL’s CA.pl script (included with Mac OS X) to manage SSL/TLS certificates. He has also developed a pair of double-clickable scripts to help run a private CA.]
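
The certificate steps this article describes (key pair, CSR, self-signed certificate, private CA signing, and expiry checking), sketched with the OpenSSL command-line tool. This is an added example, not the author's cert.command or sign.command scripts; the host name www.example.test, the organization name, and the "Example Private CA" name are constructed placeholders, and the keys are left unencrypted so the steps run unattended.

```shell
#!/bin/sh
# Added example (not from the article); all names below are constructed placeholders.
# Requires the openssl command-line tool.

# Generate an unencrypted 2048-bit RSA private key, readable only by its owner.
make_key() {            # make_key KEYFILE
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Build a CSR: the public key combined with identifying information.
make_csr() {            # make_csr KEYFILE CSRFILE HOSTNAME
    openssl req -new -key "$1" -out "$2" -subj "/O=Example Org/CN=$3"
}

# Alternative 1: self-signed certificate (the request is signed by its own key).
self_sign() {           # self_sign KEYFILE CSRFILE CERTFILE DAYS
    openssl x509 -req -in "$2" -signkey "$1" -days "$4" -out "$3" 2>/dev/null
}

# Alternative 2a: create a private CA root key and root certificate.
make_ca() {             # make_ca CAKEY CACERT
    make_key "$1" &&
    openssl req -x509 -new -key "$1" -days 3650 \
        -subj "/O=Example Org/CN=Example Private CA" -out "$2"
}

# Alternative 2b: sign a CSR with the private CA's root key.
ca_sign() {             # ca_sign CAKEY CACERT CSRFILE CERTFILE DAYS
    openssl x509 -req -in "$3" -CA "$2" -CAkey "$1" -CAcreateserial \
        -days "$5" -out "$4" 2>/dev/null
}

# True if CERT verifies against the trust anchor ANCHOR (the browser's check).
chains_to() {           # chains_to ANCHOR CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# True if the certificate carries the public half of this private key.
key_matches() {         # key_matches KEYFILE CERTFILE
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# True if subject and issuer names are identical (a self-signed certificate).
is_self_signed() {      # is_self_signed CERTFILE
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if the certificate expires within DAYS (a renewal reminder).
expires_within() {      # expires_within CERTFILE DAYS
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Walk through both alternatives in a scratch directory and report the results.
demo() {
    d=$(mktemp -d) || return 1
    make_key "$d/site.key" &&
    make_csr "$d/site.key" "$d/site.csr" www.example.test &&
    self_sign "$d/site.key" "$d/site.csr" "$d/self.crt" 365 &&
    make_ca "$d/ca.key" "$d/ca.crt" &&
    ca_sign "$d/ca.key" "$d/ca.crt" "$d/site.csr" "$d/site.crt" 30 || return 1
    chains_to "$d/ca.crt" "$d/site.crt"  && echo "CA-signed cert: accepted once ca.crt is trusted"
    chains_to "$d/ca.crt" "$d/self.crt"  || echo "self-signed cert: no third party vouches for it"
    chains_to "$d/self.crt" "$d/self.crt" && echo "self-signed cert: accepted only if trusted directly"
    key_matches "$d/site.key" "$d/site.crt" && echo "certificate matches its private key"
    expires_within "$d/site.crt" 60 && echo "30-day cert: renewal due within 60 days"
    rm -rf "$d"
}
demo
```

The root key file is the one to guard most carefully: anyone holding it can sign certificates that every client trusting ca.crt will accept.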
<http://www.reppep.com/~pepper/ssl/>

This article originally appeared in Tidbits Magazine issue #885, published 6/25/07. It is reprinted with the permission of the Author.

GRAMUG News Continued from Page 2

July

Our July Meeting encompassed two topics: World Wide Developers Conference and the iPhone. Guess which one got more attention? First up was a highlight of announcements from WWDC. To be honest, this year’s WWDC wasn’t as dramatic as many had hoped. Leopard took center stage. The big news was a redesigned Finder that borrows its looks from iTunes. There are some new interface tweaks, like translucent menu bars, the Dock goes sort of 3D, and Apple has added Stacks as a way to help you organize your files. It still seems like Apple is holding back on some “secret features”. The only surprise was when Apple announced a Safari 3 beta program and that for the first time Safari would be released for Windows.

We then launched into the iPhone part of the meeting. Our own Terry Johnston risked life and credit card to snag an iPhone. The first thing Terry mentioned was that buying an iPhone was a snap. You don’t do any configuring or activation in the store. You go home and do it through iTunes. (PC folks who didn’t have iTunes had to download it before activating their phones as there is no install CD with the iPhone.) The box the iPhone comes in is really quite small. It contains the iPhone, dock, cables, and headphones. Terry reported some problems activating his phone mainly due to Verizon taking their own sweet time porting his number. By now this snag has been worked out and people are reporting activation just takes a few minutes.

The iPhone is smaller and thinner than the 5G iPod. But it is longer. Terry recommended watching the tutorial videos on Apple.com to get up to speed with some of the features of the iPhone. One caveat with the iPhone is that currently you cannot mount it like a hard drive.
Which means you can’t drag and drop files on it. You HAVE to use iTunes to sync and move files onto the iPhone for now. Similarly music syncing is limited to playlists. You can sync contact groups from the Address Book. And certain calendars can be synced. Another limitation is that you can’t use the internet features while you’re on AT&T’s EDGE network. But if you’re near a Wi-Fi hotspot they work great. Terry reports getting 6-8 hours of very intense use, especially of the internet features, before his battery conked out. He said he recharges it every other day.

[Photo caption: Shown above is Andy Dragt holding his prize, a Belkin USB 2.0 4 port hub.]

[Photo caption: Shown above is another lucky winner holding his prize, an iGrip iPod Sticky Pad.]

The mapping feature works great. It must use cell towers to triangulate your position. The coverage and quality of cell phone calls are great and very reliable. The built in camera takes great shots, much better than its 2 megapixel rating would seem to suggest. Terry says he’s so happy with it he rarely feels the need to take a laptop with him when he’s out and about. He says most of the things he used to use a laptop for he can do on the iPhone. Terry wrapped up his presentation by showcasing a couple of third party applications that have come out for the iPhone. Such as:

Jive Talk

JiveTalk™ for iPhone brings the desktop Instant Messaging experience to your iPhone. With JiveTalk™, you get a complete IM solution with real-time connectivity to all of your IM buddies. Multiple IM networks, multiple accounts per network: AIM®/iChat, MSN®, Yahoo!®, GoogleTalk®, ICQ®, and Jabber

Leaflets

Leaflets are fun, useful applications designed to run fast on your iPhone—even over AT&T’s EDGE network. Just visit getleaflets.com on your iPhone and you’re good to go.

iWork ‘08 by the Numbers

THE PRODUCT RELEASES just keep rolling along. Apple announced, on the heels of iLife ‘08, that its iWork suite was also getting a significant update.
While Pages and Keynote see incremental improvements, the big news is the addition of a new program to the suite called Numbers. It’s a spreadsheet program that rounds out the only glaring omission in the productivity bundle.

Numbers

Numbers takes a different approach to spreadsheets than a traditional program like Excel. Excel opens to this huge rigid structure of columns and rows. Numbers opens to a blank page (Apple calls it a flexible canvas) onto which you drop what it calls intelligent tables. These tables are spreadsheets. You control how many rows and columns you need. If you need to add more you can drag out the control point to add them. You can also have multiple intelligent tables on the same page. Each one is formatted independently of the others. Each table’s address tabs contain pull-down menus that store frequently used tools for adding, deleting, hiding, or sorting rows and columns. A Format Bar allows quick formatting on the fly. A Sheets Pane lists every sheet, table and chart as an outline, making navigating through a complex document that much easier.

Numbers comes with 150 ready to use functions. Just drag and drop one onto a cell and it’s applied. Numbers is also smart enough to look to the data in a header cell to determine cell names. Cells can be formatted as “sliders or steppers” allowing you to run through “what if” scenarios. Numbers works seamlessly with Excel documents. You can import and export into the new Microsoft Excel 2007 format, which uses Microsoft Office’s Open XML format. Numbers can also import OFX (Open Financial Exchange) documents. Of course, it can also export PDFs.

Working well with raw data is essential. Another necessary element is being able to extract and present information in an easily understood manner. Numbers truly shines when it comes to creating reports and charts. Customizable templates help even the greenest novice.
They allow you to be up and running quickly, and assist you to create very professional results. As you might expect Numbers works well with other Apple apps. For instance you can use a media browser to add images from iPhoto. Thanks to the flexible canvas metaphor you can add or move
Cont’d on Page 22

News Cont’d from Page 17

FireWire 800 port, two USB 2.0 ports (three ports on the 17-inch model), 8x slot-loading SuperDrive, built-in iSight camera, backlit keyboard, ExpressCard/34 slot, Bluetooth 2.0+EDR short-range wireless networking, and gigabit Ethernet.

<http://www.apple.com/macbookpro/specs.html>

The new MacBook Pro models are available now for the same prices as the previous generation. The 15-inch model with the 2.2 GHz processor, 120 GB hard drive, and Nvidia card with 128 MB of memory costs $2,000. The 15-inch model with the 2.4 GHz processor, 160 GB hard drive, and Nvidia card with 256 MB of memory runs $2,500. And the 17-inch model with the 2.4 GHz processor, 160 GB hard drive and an Nvidia card with 256 MB of memory costs $2,800.

NetNewsWire 3.0 Speeds Up, Adds Integration

The latest version of the popular news reader NetNewsWire is out, sporting a spiffier interface, improved performance, and direct connections to several Apple and third-party applications. NetNewsWire 3.0 lets you subscribe to RSS and Atom syndication feeds offered by media sites, blogs, search engines, and others, regularly checking for updates and aggregating the results into a compact window.

<http://www.newsgator.com/Individuals/NetNewsWire/>

The new release, despite its major version number change, has much the same above-the-hood functionality as version 2.1. The interface revision is welcome, adding quite a bit of subtlety and shading to the previous, more quotidian look.
NewsGator, the developer, says that under the hood, they revised some fundamental parts of how the program stored its bits of news, making it more robust and quicker in handling extremely large subscriptions and quantities of news items.

NetNewsWire has insinuated itself more deeply into Mac OS X by tying into Spotlight, Address Book, iCal, and iPhoto. In Spotlight, searching on any word found within any retrieved item shows a stub within the list of Document results with a NetNewsWire icon. Double-clicking the result opens the item within NetNewsWire. Photos can be copied from a feed into iPhoto, too.

The program supports micro-formats, which are embedded structured elements within Web pages that can be interpreted by clever software. If a page includes a calendar or contact entry in this format, NetNewsWire presents you with the opportunity to add it to iCal or Address Book.

NetNewsWire 3.0 adds Growl notifications, Twitterrific support, and the capability to email the contents of a news item or a link to a news item through a menu command. Also new is what NetNewsWire calls “cover art”: a tiny screen capture of the home page of the Web site for the news feed you’re currently viewing. Finally, you can now store news items as clippings, which are synchronized with an account you set up at NewsGator’s Web site.

<http://growl.info/>
<http://twitter.com/Twitterrific>

LogMeIn Adds Remote Control for Mac

Mac users have a new tool for remotely accessing other Macs regardless of whether the remote computers have routable IP addresses. LogMeIn released a beta last week of their LogMeIn Free software for Mac OS X. LogMeIn already supports Windows and Linux operating systems, and some handheld platforms. This version enables a Mac running Mac OS X 10.4.9 to connect to, or be connected to by, any LogMeIn client on their supported platforms.
<https://secure.logmein.com/products/mac/download.asp>

Remote control software is often used to view and control the operating system interface of a computer elsewhere on a local or remote network, and to retrieve or transfer files among multiple computers owned by one person - I have Quicken installed only on my computer at home, for instance, and use it remotely while I’m in the office. Remote control software is also widely used for technical support, enabling a technician to view precisely what a user is doing, and to install software remotely.

The free flavor of LogMeIn allows unlimited computers and connections, but doesn’t include file transfer, just remote screen control. The company offers several paid versions of their products, including a premium personal release that does include file transfers, remote printing, and a dashboard for managing multiple machines. The Mac version is available only in the free edition at the moment.

LogMeIn requires a software installation (but without the need to restart) on the computer that will be remotely controlled. The company’s Web site manages your connection to remote computers. Remote control is handled through a Web browser: a Web plug-in for Safari and a Java applet that works in Firefox provide the interface.

Just like iChat, Skype, and other communications software, LogMeIn can work with either routable IP addresses or private, non-routable addresses typically used in home networks, hotspots, and some business networks. (The trick is that computers on either end of a connection open a link to a central server which ties each separate connection together.)

Other Buttons on the Remote

While Timbuktu Pro has long provided a combination of remote control, file transfer, and other communications features, the product is priced and designed for technical support or advanced users with specific needs, not personal use.
Timbuktu Pro can’t penetrate networks to reach private addresses, either, since Netopia doesn’t operate central servers that would enable that. Timbuktu Pro can traverse NAT gateways using Skype, but I have found that slow and sometimes unreliable in practice.

<http://www.netopia.com/software/products/tb2/>

Similarly, Apple’s Remote Desktop software provides remote control, file transfer, and client management, but it’s relatively expensive; has no capability for working with private, non-routable IP addresses; and is aimed at large installations (see “Apple Remote Desktop 3 Released,” 2006-04-17).

<http://www.apple.com/remotedesktop/>

Fog Creek’s Copilot software can reach routable and non-routable addresses, but is sold on a time-used basis and is meant for technical support (see “Fog Is My Copilot,” 2007-01-09); usage can cost 25 cents a minute or $5 per day, or can be included in monthly subscription plans. Likewise, Mac HelpMate Remote can reach any computer, but is designed for remote technical support, and is part of a package starting at $600 per year.

<https://www.copilot.com/>

iTunes 7.2 Enables DRM-Free Music

Apple has released iTunes 7.2, which is notable for only one thing - the fact that it now lets you preview and purchase “iTunes Plus” music that is both higher in quality and free of Apple’s FairPlay digital rights management. As I wrote in “Apple and EMI Offer DRM-Free Music via iTunes” (2007-04-02), Apple and EMI Music announced in April 2007 that EMI’s entire digital catalog of music would be available for purchase in DRM-free form from the iTunes Store worldwide. The promised start date was May 2007, so they just squeaked in under the wire, but that’s good enough to consider it a kept promise. iTunes 7.2 is available via Software Update and as a 29.6 MB standalone download.
<http://www.apple.com/support/downloads/itunes72formac.html>

Besides lacking FairPlay, iTunes Plus songs and music videos are encoded as 256 Kbps AAC files, up from 128 Kbps AAC. The price for songs increases as well to $1.29, up from $0.99. Music videos remain priced at $1.99, and although their audio quality increases, the video quality remains the same.

To purchase songs and videos in iTunes Plus format, you must enable iTunes Plus in your account preferences, although iTunes 7.2 prompts you to do this if you try to purchase a song that’s available in iTunes Plus. Once enabled, you see a little + sign next to the $1.29 price of iTunes Plus tracks.

If you’ve purchased DRM-protected songs already, you can upgrade them to iTunes Plus versions for the $0.30 price difference from the Upgrade My Library page in the iTunes Store. You’ll have to check back at that page over time to see if additional songs have been released in iTunes Plus format. Music videos cost $0.60 to upgrade, and entire albums are available at 30 percent of the current album price. When you upgrade a song, iTunes downloads the new one and optionally places the original version in an “Original iTunes Purchases” folder so you can compare it to the iTunes Plus version to see if you can hear the quality difference.

<http://phobos.apple.com/WebObjects/MZPersonalizer.woa/wa/upgradeMyLibraryPage>

(It’s interesting to see Apple putting both the iTunes Plus preferences and the Upgrade My Library functionality in the iTunes Store, rather than in iTunes itself. The approach makes sense, since iTunes is increasingly becoming a true Internet application that’s easier to enhance without pushing code to millions of Macs and PCs.)

iTunes Plus is certainly a good thing for consumers who found even FairPlay’s relatively reasonable restrictions irritating, for those who will appreciate the higher audio quality, and for the subset of people who refused to purchase from the iTunes Store because of DRM restrictions. Even though EMI is offering DRM-free music to other online music stores, and eMusic has long sold DRM-free music, it’s also a PR boon for Apple, which gets to be seen as helping in the push to free music from onerous DRM. EMI wins too, both in terms of increased revenue from sales of iTunes Plus tracks and the increased sales that will no doubt result from EMI music being featured on the new iTunes Plus page in the iTunes Store.

However, Ars Technica is reporting that Apple embeds your full name and email address in tracks purchased from the iTunes Store, something that has apparently been true since the beginning but that wasn’t relevant when those tracks couldn’t be played without authorization. With iTunes Plus tracks, though, this hidden branding could theoretically be used to trace shared tracks back to the original purchaser, although without some form of digital signature, that information could also be spoofed as a way to frame an innocent user. It’s not yet clear what Apple plans to do with this information, if anything, but such use of personally identifiable information should be included in the company’s privacy policy. This could be an issue particularly in the EU, where privacy is treated with significantly more importance than in the United States.

<http://arstechnica.com/news.ars/post/20070530-apple-hides-account-info-indrm-free-music-too.html>

Audio developer Rogue Amoeba is happy about iTunes Plus, since the removal of DRM enables their Fission audio manipulation program to work with iTunes Plus tracks to create ringtones, create sound bites, or just edit out the applause in live tracks. (John Gruber of Daring Fireball noted, however, that updated terms of service for iTunes 7.2 specifically disallow use of purchased music as ringtones, not that such a limitation is in any way enforceable.)
What I’m really looking forward to, though, is audiobooks in iTunes Plus format, since it bugs me that a single audiobook comes from the iTunes Store in multiple files, making it annoying to play. There are workarounds (see “Audio File Concatenation: Driven to Distraction by DR,” 2005-11-14), but they’re cumbersome, and just being able to join unprotected AAC files would be a boon.

<http://www.rogueamoeba.com/utm/posts/News/Fission-loves-iTunesPlus-2007-05-3017-30.html>
<http://daringfireball.net/linked/2007/may#wed-30-ring_tones>

The two questions that remain are how quickly other music labels will jump on the iTunes Plus bandwagon and whether Apple will remove DRM from video. Stay iTuned...

Apple TV Gains 160 GB Drive, YouTube Downloads

Call me a rainmaker. Just a few days after I sent my latest book (“The Apple TV Pocket Guide”) to be printed, Apple announced upgrades to the Apple TV.

<http://www.amazon.com/Apple-TV-PocketGuide/dp/0321510216/tidbitselectro00/>
<http://www.apple.com/appletv/>

During last week’s D: All Things Digital conference, Apple CEO Steve Jobs and Wall Street Journal columnist Walt Mossberg chatted onstage about Apple’s latest “hobby,” the Apple TV. “The reason I call it a hobby,” said Jobs, “is a lot of people have tried and failed to make it a business. It’s a business that’s hundreds of thousands of units per year but it hasn’t crested to be millions of units per year, but I think if we improve things we can crack that.”

<http://d5.allthingsd.com/>
<http://www.engadget.com/2007/05/30/steve-jobs-live-from-d-2007/>

One method of cracking the business comes in the form of a build-to-order option, now available, to include a 160 GB hard drive in the Apple TV instead of the relatively small 40 GB capacity in the base model. Apple claims the more capacious drive will hold up to 200 hours of video or 36,000 songs, compared to 50 hours of video and 9,000 songs on the 40 GB model.
The 160 GB version costs $400; the 40 GB version remains priced at $300.

More intriguing is the addition of

Cont’d on Page 24

iWork ‘08 Cont’d from Page 19

elements on your document’s page. That includes 2D and 3D charts, images, text labels and photos. When it comes time to output your document you can use the interactive print view. It enables you to scale and arrange items in a print preview mode before you print. No more trial and error printing to make sure a spreadsheet doesn’t get cut off.

Pages ‘08

Pages is the word processing application in iWork. Quite frankly I’ve never used it that much. The page layout functions have always worked well. But the word processing part was lacking features and slow. Pages ‘08 might just change that reputation. It now comes with separate Layout and Word Processing modes. Another welcome addition is a contextual format bar, i.e., it shows only the tools that are appropriate for the content you’re working on, whether text, graphics or charts. It now supports customizable paragraph, character and list styles. If you write longer documents you’ll appreciate that it now supports section, layout and page breaks (rather than flowing text as one long story). A surprising addition, since until now only Microsoft has had this feature, in Word, is change tracking and reviewers’ comments. This is a welcome feature for group collaboration.

Pages sports improved graphics editing tools. It even comes with an alpha channel tool. Pages ‘08 comes stocked with 140 templates so you can jump right in and create some professional looking documents right away. Pick a professionally designed template and replace text and images with your own content.

Pages has some other less flashy features but they’re quite handy. Among them are mail merge with Address Book, an automatic table of contents, and a spellchecker and proofreader. Pages also lets you open legacy documents, like AppleWorks word processing (but not drawing or painting) documents.
It can also function well with PC users as it can open Microsoft Word documents.

Keynote ‘08

Keynote is the veteran app of the iWork suite and it shows. The changes and additions for Keynote are not as dramatic as those for Pages. But there are some real gems. Keynote now supports text effects, a handy way of creating interest and variation. Apple designed themes and transitions, with coordinated text, tables and charts, allow you to easily create spectacular looking presentations. A new “instant alpha” tool masks out portions of an image, say a background. A smart builds feature makes it easy for anyone to create impressive animations. You can, for example, animate objects moving along a path or scaling objects over time. Reviewer comments, like change tracking in Pages, come with Keynote ‘08. Another shared feature with Pages is the Format bar for text, tables, graphics, and charts. Another handy feature is the ability to record a voice over, which is useful for self running presentations. You can also create interactive slideshows for kiosks.

After you build your presentation you have to actually give your presentation. Keynote has handy tools like a presenter view, with notes, timer and next screen displays to aid you.

Keynote can also play well with PCs and legacy files. It opens AppleWorks presentation documents. It also imports and exports Microsoft PowerPoint files.

Conclusion

Apple has been very busy with the updates for iWork. In my opinion Numbers alone makes iWork ‘08 worth the upgrade. The improvements to Pages are welcome and I’m personally looking forward to trying them out. I’m really curious to see how well the track changes and reviewers’ comments feature works. Lastly Keynote just gets better and better. If you’re looking for a replacement for the recently discontinued AppleWorks you should give iWork ‘08 a try. (Apple has provided a 30 day demo of iWork. You can find it at http://www.apple.com/iwork/trial.)

.Mac Gets an Upgrade
by Monte Ferguson

IT’S BEEN A WHILE SINCE .MAC has seen an upgrade. In the meantime other online services, some of them ad supported, have come along and duplicated (if not surpassed) .Mac’s features. As recently as this past summer Steve Jobs had been questioned about .Mac and its relative value. At the time he had indicated it had not been getting as much attention but would be receiving an update with new features. Well now the wraps are off on the new .Mac service.

The most talked about new feature is the .Mac Web Gallery. It’s a feature for sharing photos and movies over the internet. .Mac members can share photos and video from within iLife ‘08. The quality of pictures online is “stunning”. Anyone visiting a .Mac Web Gallery over the web can download high quality pictures for printing. Visitors can even contribute photos using a web browser or email.

“.Mac Web Gallery is an awesome way to share photos and movies on the Internet with friends and family. You can share your favorite photos and movies with anyone on a Mac, PC or iPhone, and they can turn them into high-quality prints as well as contribute photos to your site using a Web browser or email.”
Steve Jobs, Apple CEO

While .Mac Web Gallery is the snazziest new feature there is more to the upgraded .Mac service. For one thing Apple has increased the storage space from 1GB to 10 GB. That storage space is used for your .Mac mail, iDisk, .Mac Web Gallery, and any content uploaded through old and new iLife tools. Jobs also said that .Mac users will have 100GB of monthly data transfer included. That’s the first time Apple has gone on record to state a bandwidth amount available to its subscribers. The previous limit was 10GB, which you could only find out by calling or emailing .Mac support. This puts it on par with most web hosts. If that’s not enough storage you can always pay more to get more. For 49.95 a year you can double your storage and bandwidth limit (20GB and 200GB respectively) or for 99.95 a year you can triple the default storage and bandwidth limit (30GB and 300GB respectively).

iWeb users are going to be pleased that .Mac now adds support for personal domains.

.Mac is available as a subscription-based service for US$99.95 per year for individuals and $179.95 for a Family Pack, which includes one master account and four sub accounts. Apple said that it has 1.7 million subscribers, which translates into approximately $150 Million a year in revenue (factoring in discounts on retail kits and bundles).

Conclusion

This is the first time since the service went commercial, i.e., paid for, that it seems like a good deal.

Cont’d on Page 24

iMacs Cont’d from Page 10

machine.

One Last Thing

Apple Keyboard

The last update was a surprise. Apple has come out with an all new keyboard. It is incredibly thin. It takes its cues from laptop keyboards. (For instance using the F9 key for Exposé requires hitting the FN key as well.) It’s only 0.33 inches/8.3 mm tall, as opposed to the 0.99 inch/25.1 mm height of the previous Apple Pro keyboard. Instead of plastic for the body of the keyboard it uses aluminum. It gives the keyboard a very sturdy feel. Yet it’s quite light.

The wired model, which retails for $49, comes with new Macs and uses USB (it also provides a pair of USB 2.0 ports) and is an extended keyboard. A wireless model, which retails for $79, is an option for new Macs. It uses Bluetooth for wireless connections, lacks the USB 2.0 ports, and is not an extended keyboard. It is basically a laptop keyboard. It runs on three AA batteries (included), and advanced power management means you’ll get up to nine months of battery life based on average usage patterns.

Both keyboards offer, along with all the usual keys, dedicated keys for Mac OS X features like Exposé and Dashboard, along with media keys for play/pause, eject, brightness, and volume.

Conclusion

The new iMacs look great. They’re sleek.
They’re slimmer than the previous models. They also weigh less than previous iMacs. Budget conscious shoppers are going to miss the 17 inch model as it was the only model Apple had priced below a thousand dollars. The glossy screen is going to be a personal call. Some will love it, others will hate it. I’ve had a chance to see one up close and personal and I think it’s a winner.

The Mac Mini didn’t get much fanfare with its update. True, it’s not an earth shattering update. But it’s a very solid upgrade. Anyone considering a second Mac or who is on a budget should really consider the Mini. My employer picked up one of the 1.83GHz models and I can tell you it’s a pleasure to use. Thanks to Parallels we’ve got it running Mac and Windows apps side by side all day. It is a workhorse of a computer yet takes up a tiny amount of desk space.

The new Apple keyboard takes some getting used to. You can bang on the keys without having to fear one might pop off. The keys are low profile like a laptop’s. But they are so low profile that I’ve had misfires, i.e., times when I hit a key but not hard enough or at the correct angle for it to register. It is a beauty to look at. I get ooohs and aaahs when people come over to my desk. Oh, and I switched its default behavior so I no longer have to hit the FN keys to make the function keys work. That was driving me batty initially.

If you’re in the market for a new Mac, or a Mac keyboard, give these products a try. You won’t be disappointed.

.Mac Cont’d from Page 23

Rather than a necessary purchase, if you wanted to use something that supported Mac synchronization and media without any hassles. With the upgrades to the service Apple is catching up to its nearest competitors. So far Apple has stayed true to its subscription based model rather than using ads like the other big operators (namely Google, Yahoo, AOL, and Microsoft). And, unlike the others mentioned, who focus on mail with limited or no support for sharing media, Apple offers a wealth of options to allow its subscribers to produce and share content. .Mac allows Apple to bring the digital lifestyle concept full circle. It’s a good deal these days for subscribers

iMacs Cont’d from Page 21

downloadable YouTube content, something that we suspected would appear, given that the box is already capable of downloading movie trailers and other video content (see “Apple TV: The Real Video iPod,” 2007-03-26). A new YouTube menu item will lead to categories such as Featured and Most Viewed, with video streamed directly to the Apple TV. (Unofficial hacks have made it possible to view YouTube videos - and other online content - on the Apple TV since a few days after the device began shipping, but the process to implement them isn’t trivial.) The capability will be available sometime in June as a free update.

<http://wiki.awkwardtv.org/wiki/Main_Page>

Two Small Security Updates

Apple released two security updates, version 1.1 of Security Update 2007-005 (see “Security Update 2007-005 Released,” 2007-05-28) and Security Update (QuickTime 7.1.6). As of this writing, Apple had said nothing about what was fixed in the 1.1 version of Security Update 2007-005, but the QuickTime security update fixes two issues in QuickTime for Java that could result either in arbitrary code execution or disclosure of sensitive information. That sounds similar to the security fixes in QuickTime 7.1.6 itself from earlier this month, but it seems to be different (see “QuickTime, AirPort, Security Updates Released,” 2007-05-07). In either case, both updates are likely worthwhile. Downloads for Security Update 2007-005 1.1 are available in PowerPC (15.7 MB) and Universal (29.2 MB) forms, and Security Update (QuickTime 7.1.6) is a 1.4 MB download. Or just use Software Update to get the appropriate version for your Mac.
<http://docs.info.apple.com/article.html?artnum=305531>