TidBITS#792/15-Aug-05
=====================

  Is Apple's new Mighty Mouse really a super rodent? Glenn Fleishman
  grabs one and finds it a bit hairy. Also, Kevin van Haaren sheds
  light on an often perplexing topic: virtual private network (VPN)
  technology, and explains why you might want to start using one.
  We also note the release of Security Update 2005-007, Apple's
  PowerBook G4 Graphics Update 1.0, the SaveScreenie utility,
  and announce Joe Kissell's free "Take Control of Now Up-to-Date
  & Contact" manual.

Topics:
    MailBITS/15-Aug-05
    Mighty Mouse Not a Strong Contender
    For Your Eyes Only: Virtual Private Networks
    Take Control News/15-Aug-05
    Hot Topics in TidBITS Talk/15-Aug-05

<http://www.tidbits.com/tb-issues/TidBITS-792.html>
<ftp://ftp.tidbits.com/issues/2005/TidBITS#792_15-Aug-05.etx>

Copyright 2005 TidBITS: Reuse governed by Creative Commons license
   <http://www.tidbits.com/terms/> Contact: <[EMAIL PROTECTED]>
   ---------------------------------------------------------------


MailBITS/15-Aug-05
------------------

**Apple Releases Security Update 2005-007** -- Apple Computer
  today released Security Update 2005-007 for both client and
  server versions of Mac OS X 10.3.9 Panther and Mac OS X 10.4.2
  Tiger. The update includes a number of patches to Apple software
  (such as Mail, Safari, under-the-hood technologies like the Quartz
  and CoreFoundation frameworks, and, in Mac OS X Server 10.4.2, the
  Server Admin tool used to create firewall policies). Apple also
  patched components of Mac OS X's Unix underpinnings, including
  OpenSSL, the X11 windowing system, Apache 2, CUPS, Kerberos,
  and zlib. Apple recommends all Mac users install this update since
  it addresses several security problems which could, in theory,
  enable a remote attacker to access data on the computer, create
  user accounts, execute arbitrary programs, or let URLs bypass
  Mac OS X's built-in security check when clicked. The update is
  available from Apple via Software Update and at the first URL
  below; the download ranges from 13.3 MB to 29.9 MB, depending
  which version of Mac OS X you need to update. Apple details the
  changes included in Security Update 2005-007 at the second URL
  below. [GD]

<http://docs.info.apple.com/article.html?artnum=61798>
<http://docs.info.apple.com/article.html?artnum=302163>


**PowerBook Graphics Update Solves Narrow Issue** -- Last week,
  Apple released PowerBook G4 Graphics Update 1.0, a 2.1 MB patch
  that improves graphic stability for some 15-inch and 17-inch
  PowerBook G4 models running the 1.67 GHz PowerPC processor;
  apparently the installer performs a hardware check to determine
  if the update is required. The update requires Mac OS X 10.4.2.
  [JLC]

<http://www.apple.com/support/downloads/powerbookg4graphicsupdate10.html>


**SaveScreenie Switches File Formats** -- A few weeks back,
  I mentioned that you could enter a particular command into
  Terminal to change the format Mac OS X 10.4 Tiger uses for screen
  captures made with Command-Shift-3 and Command-Shift-4 (see "How
  to Change Screen Capture Formats" in TidBITS-785_). Needless to
  say, it's not hard to copy and paste such a command, but it's
  about as elegant as a waltzing kangaroo, so Christian Franz of
  cf/x decided to embed the functionality into a small utility as
  a way of getting to know Apple's Xcode better. The result is the
  free SaveScreenie 1.2, which presents you with a few radio buttons
  corresponding to the available formats (PNG, PDF, JPG, TIFF, BMP,
  PSD, and PICT); select one, click the Set button, and log out or
  restart your Mac to have it change the screen capture format.
  After Christian showed me the initial version, I made a few
  wording suggestions (once an editor, always an editor) and
  recommended that he include a Web page link for each format that
  would tell the user more about that format. He whipped up a new
  version with my changes, and if you've been wanting to fiddle with
  your screen capture formats, SaveScreenie is now ready to help.
  [ACE]

<http://db.tidbits.com/getbits.acgi?tbart=08147>
<http://www.imovieplugins.com/other%20products/savescreenie.html>


Mighty Mouse Not a Strong Contender
-----------------------------------
  by Glenn Fleishman <[EMAIL PROTECTED]>

  The Mighty Mouse is mighty fussy. Apple sent me a review unit last
  week, and in our testing the mouse falls short in several regards.
  Most obviously, I continue to find the overall shape of the mouse
  ergonomically unsatisfying, but I have hand and wrist problems
  that make a regular mouse uncomfortable. (For a general
  description of the Mighty Mouse, see "Apple Ships a Multi-
  Button Mouse" in TidBITS-791_.)

<http://www.apple.com/mightymouse/>
<http://db.tidbits.com/getbits.acgi?tbart=08201>

  First, the scroll ball (what New York Times columnist David
  Pogue calls a trackpea, a term I like) is not a revolutionary
  breakthrough that puts all other scroll wheels to shame. It's
  a tiny, hard-to-use ball that makes a barely audible ticking
  sound (generated via an internal speaker) as it's used. I found
  it tricky and no improvement over a scroll wheel.

<http://www.nytimes.com/2005/08/04/technology/circuits/04POGUE-EMAIL.html>

  The left-right touch-sensitive clicking works fine, but it's
  not worth crowing about. But I have no complaints about two
  physically, mechanically separate buttons either, making Apple's
  design mostly of interest for the way it can switch between one
  button for those who prefer simplicity and two buttons for those
  who want more flexibility. However, TidBITS Managing Editor Jeff
  Carlson found the touch-sensitivity to be tricky, because he often
  rests his index and middle fingers on his two-button Kensington
  mouse; using the Mighty Mouse required that he either suspend his
  middle finger in the air above the right button (quickly creating
  a sore finger) or move it off to the side.

  Squeezing the mouse to activate the two side buttons seems to be a
  particularly strange action, versus pressing a single button, and
  the addition of extra buttons doesn't solve any problems for me.

  I also find the Mighty Mouse software (which installs from an
  included CD) confusing. Plug in a Mighty Mouse without installing
  any software on any platform (Windows or any Mac OS X release),
  and the main left and right buttons work by default. Install the
  software for Mac OS X 10.3.9 to 10.4.1, plug it in, and the left
  and right buttons work. However, install the software for Mac OS X
  10.4.2 or later, plug in the mouse, and you get only a single big
  button at the top, requiring you to enable the multi-button
  functionality manually.

  Another shortcoming, Jeff noted, is that you can't reprogram
  the right-button action. He uses a right-click as a double-click
  (which I find mystifying, but each to his own), but that's not
  possible using the Mighty Mouse software, unlike the commonly
  used Kensington MouseWorks (for Kensington pointing devices) or
  Alessandro Levi Montalcini's $20 USB Overdrive utility (for nearly
  any USB controller), neither of which dictates particular actions
  mapped to particular buttons. USB Overdrive 10.3.9 already appears
  to work with the Mighty Mouse if you don't install Apple's
  drivers, and Alessandro has committed to supporting the Mighty
  Mouse fully in future releases.

<http://www.kensington.com/html/1385.html>
<http://www.usboverdrive.com/>

  Overall, Mighty Mouse doesn't measure up in design and function
  to many other mature mice. Its features are unique, but not
  compelling.


For Your Eyes Only: Virtual Private Networks
--------------------------------------------
  by Kevin van Haaren <[EMAIL PROTECTED]>

  Recent articles in TidBITS and discussions in TidBITS Talk have
  mentioned virtual private network (VPN) technologies. VPNs are
  usually brought up as a tool for securing communications across
  insecure networks. Glenn Fleishman used a VPN to hide all his
  network traffic while connected to public wireless hotspots during
  the South by Southwest Interactive conference, and I mentioned
  VPN technology in TidBITS Talk as a way to enable Apple's Remote
  Desktop to control computers behind a firewall. But what exactly
  is a VPN? This article is intended to explain some of the concepts
  and terminology behind VPN.

<http://db.tidbits.com/getbits.acgi?tbart=08028>
<http://db.tidbits.com/getbits.acgi?tlkthrd=2324>
<http://db.tidbits.com/getbits.acgi?tlkthrd=2329>

  A VPN is a way of securely connecting computers across insecure
  networks such as the Internet. Although this might sound
  straightforward, building a secure network involves several
  subtleties beyond simple encryption. Security requires
  authentication - each communicator must prove its identity to
  the other end. Even the encryption component can be difficult -
  how do you exchange encryption keys on a network that's insecure?


**Why VPN?** Why would you want a virtual private network? Most
  people use them to connect with corporate networks while traveling
  or working at home, but they have other uses as well. The primary
  reason I installed a VPN was so I could travel with my laptop,
  but still access home resources like my iTunes library and email
  server, resources that are normally protected from other computers
  on the Internet by a firewall. I also used it at home initially
  to protect wireless connections that were "secured" by the easily
  breakable WEP. When I upgraded to an AirPort Express and a Mac
  mini using the far-more-secure WPA security instead of WEP,
  I decided to keep using my VPN as a paranoid defense against the
  possibility that someone figures out how to break WPA. A VPN can
  also provide a secure connection for programs such as Apple's
  Remote Desktop 2, which has weak security on its own.

  Do you perform tech support for your extended family, or for home
  users at a business? Ever run into problems trying to help them
  remotely because they are behind a firewall? Upgrading to a
  firewall that provides a VPN can solve this situation by bypassing
  all the firewall rules, letting you connect and troubleshoot
  problems remotely.


**Firewalls for Security** -- Broadband users are often wisely
  advised to install a DSL or cable router with a built-in firewall
  to protect their home networks, and most use Network Address
  Translation (NAT) to share the single public IP address that
  their Internet service provider allocates among several computers.
  The firewalls in these low-cost routers are usually enabled by
  default. Or, if you only have one computer, you can activate the
  firewall built into Mac OS X with the click of a button in the
  Sharing preference pane.

  Firewalls restrict access from the Internet to the local network.
  If my father has a firewall protecting his home network and I want
  to provide tech support for him, I can't just fire up Apple Remote
  Desktop or a VNC (virtual network computing) program and connect
  to his computer. There are two reasons for this problem: first,
  to which IP address do I connect? The public IP address is just
  the address for the router, not for his computer. Even if he can
  tell me the IP address that appears in his Network preference
  pane, that IP is a private address assigned by his NAT firewall
  and not directly accessible from the Internet.

  The second reason is that most firewalls employ a "speak only when
  spoken to" philosophy. Examples of this idea in action include
  the Web and the iTunes Music Store: I can view pages from a Web
  server, but not until my browser makes the initial connection to
  the server; similarly, the iTunes Music Store can display within
  iTunes, but only after my computer has sent it a request to send
  me the info. To extend the analogy, the request for a remote
  control connection would have to come from the remote computer
  first to get through the firewall, and since the remote computer
  won't necessarily have a person in front of it, it's hard to
  generate that initial request. (See Chris Pepper's article,
  "What's a Firewall, and Why Should You Care?" in TidBITS-468_,
  for more detailed information on firewalls.)

<http://db.tidbits.com/getbits.acgi?tbart=05291>


**Open the Ports** -- One frequently recommended solution to
  getting through a firewall is to open the port (or ports) an
  application uses to communicate. Network applications talk using
  ports. Stealing an analogy from Chris's firewall article, ports
  are like apartment numbers in regular mail addresses. If you
  send a letter to a friend in an apartment building, the building
  address is not enough: an apartment number is needed to get the
  letter to the right apartment. Similarly, a computer's IP address
  is not enough to get network data to the correct application.
  The port number is used to direct the data to the correct program
  such as the Web or mail server. Most popular Internet services
  have a default "well known" port number.

<http://www.iana.org/assignments/port-numbers>

  NAT-based firewalls can redirect incoming traffic to a specific
  computer on the internal network based on the port number. If you
  need to use the same application to connect to multiple computers
  on the internal network there are two options available: configure
  the firewall to listen on additional non-standard ports and
  redirect those ports to the standard port on the destination
  computer (not all firewalls support this capability), or connect
  to one of the internal computers, then use that computer to access
  the other computers on the network.

  With simple firewalls, opening a port opens it to everyone on the
  Internet. More complex firewalls can limit access to a port based
  on things such as source IP address and time of day.
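
  The firewall behaviour described in this section (replies let in,
  unsolicited connections dropped, opened ports redirected to internal
  computers, optional source-address limits), modelled as an added
  Python example that is not part of the original article. The class
  names, addresses, and port choices are assumptions made for
  illustration; 5900 is VNC's default port.

```python
"""Toy model of a NAT firewall (added example; all addresses are constructed
documentation-range values, and the class/function names are hypothetical)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Forward:
    """An opened port: redirect it to one port on one internal computer."""
    internal_ip: str
    internal_port: int
    allowed_sources: tuple = ("0.0.0.0/0",)  # simple firewall: everyone

    def permits(self, src_ip):
        addr = ip_address(src_ip)
        return any(addr in ip_network(net) for net in self.allowed_sources)


@dataclass
class NatFirewall:
    forwards: dict = field(default_factory=dict)  # public port -> Forward
    sessions: dict = field(default_factory=dict)  # flow -> internal endpoint
    next_port: int = 50000                        # next public port to lend out

    def outbound(self, internal_ip, internal_port, remote_ip, remote_port):
        """An internal computer speaks first; remember the flow for replies."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(remote_ip, remote_port, public_port)] = (
            internal_ip, internal_port)
        return public_port

    def inbound(self, src_ip, src_port, dst_port):
        """Return the internal (ip, port) to deliver to, or None if dropped."""
        # 1. A reply inside a conversation that an internal computer started.
        reply_to = self.sessions.get((src_ip, src_port, dst_port))
        if reply_to is not None:
            return reply_to
        # 2. Unsolicited traffic to a port that was deliberately opened.
        fwd = self.forwards.get(dst_port)
        if fwd is not None and fwd.permits(src_ip):
            return (fwd.internal_ip, fwd.internal_port)
        # 3. Anything else: "speak only when spoken to".
        return None


def demo():
    """Walk through the article's scenarios; returns the delivery decisions."""
    fw = NatFirewall()
    out = {}

    # Dad's Mac (private address) fetches a web page: the reply gets in,
    # but a different host aiming at the same public port does not.
    port = fw.outbound("192.168.1.10", 51000, "203.0.113.80", 80)
    out["web_reply"] = fw.inbound("203.0.113.80", 80, port)
    out["other_host_same_port"] = fw.inbound("203.0.113.99", 80, port)

    # Remote-control request (VNC's default port 5900) with nothing opened.
    out["vnc_unopened"] = fw.inbound("203.0.113.5", 40000, 5900)

    # Open 5900 to the first Mac for everyone, and a non-standard port 5901
    # redirected to the standard port on a second Mac, for one source network.
    fw.forwards[5900] = Forward("192.168.1.10", 5900)
    fw.forwards[5901] = Forward("192.168.1.11", 5900,
                                allowed_sources=("203.0.113.0/24",))
    out["vnc_first_mac"] = fw.inbound("203.0.113.5", 40000, 5900)
    out["vnc_second_mac"] = fw.inbound("203.0.113.5", 40001, 5901)
    out["anyone_on_open_port"] = fw.inbound("192.0.2.200", 40002, 5900)
    out["outsider_on_limited_port"] = fw.inbound("192.0.2.200", 40003, 5901)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} -> {decision}")
```

  The unrestricted forward on 5900 delivers traffic from any source
  address, which is the exposure the paragraph above warns about; the
  source-limited forward on 5901 drops the same outsider.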

  Mac OS X has a full-featured firewall built-in, but
  Apple's preference pane limits your options to the simplest
  configurations - opening a port opens it to everyone on the
  Internet. Third party tools such as Brian Hill's BrickHouse
  can provide GUI access to a much broader range of functionality,
  or you can use even more full-featured tools like DoorStop X
  from Open Door Networks or IPNetSentry from Sustainable
  Softworks.

<http://personalpages.tds.net/~brian_hill/brickhouse.html>
<http://www.opendoor.com/doorstop/>
<http://www.sustworks.com/site/prod_ipns_overview.html>

  Even with the more advanced configuration options that BrickHouse
  or your cable or DSL router offers, building these exceptions can
  be time consuming and error prone (IPNetSentry takes a different
  approach for this reason, looking for suspicious activity and,
  when triggered, banning the intruder). Some simple facts of
  Internet use can make maintaining these rules difficult.
  For example, adjusting access for someone with an ever-changing
  dynamic IP address can be frustrating, or even impossible if you
  are trying to make the change from a dynamic address not already
  configured in the firewall rules.

  Another issue that opening firewall ports cannot solve is
  unencrypted data streams. Anybody on the network path between
  the source and destination can use simple tools to extract the
  traffic. If you use VNC software for remote control, others
  on the Internet can view exactly what you are seeing/typing.
  VNC does encrypt the initial authentication made to a remote
  computer, but if you use it to change a password or unlock a
  remote screen saver, the password is sent unencrypted. Both FTP
  and telnet also send your password as plain text.

  The ideal solution is to make your local computer connect over
  the Internet, through the remote firewall, bypassing all the
  rules, to any number of computers or devices behind the firewall.
  Additionally we want to keep those communications secret from
  prying eyes, and we want to ensure the connecting computer is
  really the one it is claiming to be.

  Virtual private networks were designed to provide this solution
  by creating a secure tunnel through which all traffic flows
  from you - wherever you may be on the Internet - to your network.
  Several types of VPN are available: a group of open protocols
  referred to as IPsec; Point-to-Point Tunneling Protocol (PPTP);
  Layer 2 Tunneling Protocol (L2TP), frequently used with IPsec;
  SSH tunnels; and SSL VPN.

<http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html>
<http://www.microsoft.com/ntserver/ProductInfo/faqs/PPTPfaq.asp>
<http://www.microsoft.com/technet/community/columns/cableguy/cg0801.mspx>
<http://www.infoworld.com/article/03/10/24/42TCsslvpn_1.html>


**IPsec** -- Originally, IPsec was used on corporate enterprise
  networks as a way to connect remote offices over cheaper Internet
  connections instead of more expensive dedicated lines. Large
  dedicated VPN firewalls would be placed in each office and
  connected together. Fortunately, the costs of implementing
  these systems have dropped considerably over the years, with
  many inexpensive home routers including VPN capabilities for
  only a slightly increased cost.

  IPsec uses a two-phase system to establish the VPN. In phase one
  the identity of each participant is authenticated. Phase two is
  the actual exchange of encrypted data. Each phase negotiates the
  various methods to be used for authentication and encryption key
  exchange. To increase the security of the tunnel the two phases
  re-negotiate, re-authenticate, and exchange new encryption keys
  at periodic intervals.


**PPTP & L2TP** -- PPTP is an older and less secure VPN technology
  developed by Microsoft. PPTP is still quite popular (especially
  in Europe) because it is built into Windows. L2TP is a combination
  of Microsoft's PPTP and Cisco's L2F (Layer Two Forwarding)
  technology. L2TP over IPsec encapsulates the L2TP traffic in
  IPsec packets. The use of IPsec allows the authentication phase
  of the VPN to be encrypted, something PPTP does not support
  otherwise. Mac OS X supports both PPTP and L2TP over IPsec,
  both configured via Apple's Internet Connect application.


**SSH** -- SSH tunnels are a popular method of encrypting and
  authenticating communications between computers. An SSH tunnel
  uses a port forwarding model where ssh on the client side gathers
  all data packets sent to a particular port and sends them through
  an encrypted tunnel. The server on the far end (running sshd)
  decrypts the packets and forwards them to the appropriate
  destination.

  Unfortunately, an SSH tunnel is a computer-to-computer system.
  If I want to use SSH to multiple computers behind a NAT firewall,
  I must either open additional ports on the firewall, one for
  each system, or tunnel to one machine, then connect from that
  computer to other machines. Both methods can be complex to
  set up. An additional limitation of SSH tunnels is that they
  support only TCP connections, and not UDP. As a result, ssh
  tunneling is insufficient for applications like Apple Remote
  Desktop.


**SSL VPN** -- SSL VPNs are the current hot items in networking.
  An SSL VPN uses standard Web protocols for authentication
  and encryption. This approach enables the VPN to work through
  restrictive firewalls that block the ports of other VPN
  protocols. SSL VPN technology offers a range of capabilities.
  At its simplest, the VPN may be a reverse Web proxy, providing
  authenticated Internet users access to intranet Web servers
  behind the remote firewall.

  SSL VPNs can also provide Web-based file browsers that enable
  users to access Windows and NFS file shares on the remote network.
  No special client is needed for this, as the VPN hardware handles
  the translation from network shares to Web pages.

  More advanced SSL VPN units offer functionality similar to SSH
  tunnels. The user logs in to a Web application and launches a Java
  or ActiveX client that configures all port forwarding options.
  In this configuration, just ports needed for an application
  are tunneled, so the chance of infection from viruses and
  Trojans is greatly reduced. This limited access enables many
  corporations to use an SSL VPN to provide network access to
  untrusted computers, such as employees' home computers and vendor
  systems for supporting internal applications. Additionally, many
  handhelds with wireless networking and Java support can tunnel
  in via an SSL VPN too.

  High-end SSL VPN products offer a complete TCP/IP stack that
  encrypts packets across an SSL link, an approach called "IPsec
  replacement" mode because it provides the security of a full IPsec
  VPN while still being able to work through restrictive firewalls.

<http://www.nwfusion.com/reviews/2004/0112revmain.html>
<http://openvpn.net/>
<http://www.f5.com/>
<http://www.caymas.com/>

  SSL VPNs are popular in enterprise networks, but the current high
  cost of entry keeps them out of the reach of most home and small
  business users. Because of their flexibility and low cost, I focus
  on IPsec VPNs for the remainder of this article.


**VPN to What?** Once you select a VPN protocol, you need to
  decide the type of connection you want to make: computer-to-
  computer, computer-to-network, or network-to-network. The
  computer-to-computer connection enables access only to the
  individual remote computer. Computer-to-network enables one
  computer access to all devices on a remote network. And a
  network-to-network connection enables entire offices of computers
  to communicate, without the need to configure each machine.
  Most people are interested in connecting a laptop or small home
  office machine to a remote network (computer-to-network), so
  I focus on this scenario.

  First, you need to pick a VPN client. Mac OS X includes an IPsec
  implementation based on Racoon from the KAME Project. As with many
  Unix applications, you configure the software via a text-based
  config file. "Simple" configuration examples are available online.

<http://www.kame.net/racoon/>
<http://www.kame.net/newsletter/20001119/>

  After examining the available documentation, I decided there
  must be a better way. Fortunately I was not the only one with
  this idea. A quick Internet search turned up several graphical
  configuration tools. VPN Tracker ($90 for a personal license,
  $200 for a professional license) from Equinux, and IPSecuritas
  (free) from Lobotomo are two of the most popular.

<http://www.equinux.com/us/products/vpntracker/>
<http://www.lobotomo.com/products/IPSecuritas/>

  Additionally, many VPN firewall makers have produced Mac OS X
  versions of their client software. Check Point and Cisco both
  offer Mac OS X clients for their VPN products. Be sure to check
  the supported configurations and versions of the software. Cisco
  only recently added support for dual-processor Macs and Mac OS X
  10.4 Tiger, although there are reports it doesn't completely work
  even with 10.4.2. MacInTouch has a lengthy list of reader reports
  on the Cisco VPN client.

<http://www.checkpoint.com/press/2004/mac120704.html>
<http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_user_guide_book09186a00802e1fa2.html>
<http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html>
<http://www.macintouch.com/tigerreview/incompatibility.html>


  Next, to connect your Mac to an entire network via VPN, your
  network needs a VPN router. Mac OS X 10.4 Tiger Server has many
  nice VPN configuration options built-in. Academic versions of Mac
  OS X Server are typically available starting at $250; retail is
  $500 or $1,000. If you have not yet upgraded, going from Jaguar
  to Tiger Server is about $370 more than going to non-Server Tiger
  (non-academic).

  In theory, a Mac running the client version of Mac OS X should be
  able to act as a VPN router too, but most of the documentation
  I've found is for Mac OS X Server. Instructions for setting up a
  FreeBSD box as a VPN router are available, and they may translate
  over to Mac OS X.

<http://www.lugbe.ch/lostfound/contrib/freebsd_router/>

  I don't have a spare Mac capable of running Mac OS X lying
  around, so I began looking for a small dedicated VPN router.
  Most manufacturers of broadband routers offer VPN versions
  of their products for $10 to $20 more than the non-VPN
  versions (see below for links to a number of common devices).
  When looking for a VPN router, watch out for products labeled
  "IPsec Pass-Thru" - these are not what you want. IPsec Pass-Thru
  enables a VPN connection to work through the device, but does
  not mean the router can act as a VPN endpoint. The specifications
  for a true VPN router should list the number of VPN tunnels the
  device supports.

<http://www.dlink.com/products/?sec=0&pid=274>
<http://www.dlink.com/products/?sec=0&pid=59>
<http://www.netgear.com/products/details/FVM318.php>
<http://www.netgear.com/products/details/FVS328.php>
<http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1115416832406&pagename=Linksys%2FCommon%2FVisitorWrapper>
<http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Product_C2%26cid%3D1118334818868&pagename=Linksys%2FCommon%2FVisitorWrapper>

  Some routers have third-party firmware upgrades available that
  add VPN server support. The Linksys WRT54G is the most commonly
  upgraded router, with the Sveasoft firmware upgrade adding
  a variety of sophisticated features to what Linksys provides.

<http://www.sveasoft.com/>


**Quick Tiger Update** -- When Tiger shipped, it introduced a VPN
  bug that slowed down certain VPN connections. After I upgraded to
  Tiger, a ping to my server through a VPN connection took around
  a thousand milliseconds. Normal ping times with my VPN are about
  4 milliseconds.

  This problem has been resolved but requires upgrading to at least
  Mac OS X 10.4.1 plus upgrading your IPsec front-end. IPSecuritas
  version 2.1 and VPN Tracker 4.0.1 both work properly with Mac OS X
  10.4.1 and later. At the time of this writing, Check Point
  had not updated their IPsec clients to work with any version
  of Mac OS X 10.4. Cisco's latest release seems to work fine
  for me. Again, verify that the software's documentation shows your
  particular configuration is supported before installing.


**The Double-edged Sword of VPN** -- After selling you on the
  concept of using VPN to bypass firewall rules, I'm going to
  reveal that this is also one of the biggest dangers in using
  a VPN. Firewall rules exist to increase security; bypassing that
  security in any way creates very real risks. Many companies are
  surprised to find themselves infected with Trojan horses and
  viruses even though they had firewalls in place. It turns out
  that many laptop users would go home, connect to their unprotected
  home Internet connections, get infected, then connect via a VPN
  (bypassing all the firewall rules) and spread the infection all
  over the internal network. Of course, such problems are less
  likely for Mac users, but we still cannot become complacent.

  Some VPN clients include a client firewall, similar to the
  firewall built into Mac OS X, to protect against these types of
  vulnerabilities. Other clients check a list of rules before a VPN
  connection is allowed. Some examples of rules include ensuring an
  up-to-date anti-virus product is running, certain security patches
  are installed, and the computer's firewall is running.

  Even with these protections, you shouldn't allow any computer
  to connect to your network if you don't explicitly trust its
  maintenance and security. The reverse is true too; you shouldn't
  connect your computer to any networks that you don't implicitly
  trust; you may be opening yourself to attackers on their network.

  [Kevin van Haaren works for a large corporation primarily
  supporting Windows computers, with the occasional Mac call thrown
  in to make the week more interesting. This has prepared him well
  for the job of herding his two cats.]

   PayBITS: If Kevin's article helped you, he asks that you
   consider a donation to the EFF, which works to keep encryption
   systems legal for everyone. <http://eff.org/support/>
   Read more about PayBITS: <http://www.tidbits.com/paybits/>


Take Control News/15-Aug-05
---------------------------
  by Adam C. Engst <[EMAIL PROTECTED]>

**Take Control of Now Up-to-Date & Contact Released** -- Late last
  year, around the time I was finishing up "Take Control of iKey 2,"
  our first manual in the form of a Take Control ebook, Randy Murray
  of Now Software contacted me to see if we were interested in
  writing the manual for the next version of Now Up-to-Date &
  Contact. I've used the software for over 10 years and have known
  John and Sheila Wallace of Now Software for ages (they and Randy
  were responsible for creating my action figure during the Power On
  Software incarnation of their company), but I knew I didn't have
  the time to write it. My thoughts then turned to Joe Kissell,
  who has done a bang-up job on five Take Control ebooks. Joe was
  interested, so we worked out the business details and once Now
  Software started delivering betas, Joe jumped into the project.
  Randy had provided us with the previous manual, an overly wordy
  tome that checked in at nearly 500 pages, but as Joe and I started
  to go through it, we realized that it would be easier and more
  effective to work from scratch.

<http://db.tidbits.com/getbits.acgi?tbart=07899>
<http://www.nowsoftware.com/>
<http://homepage.mac.com/adamengst/iMovieTheater15.html>

  To make a long story short, Joe did a fabulous job at documenting
  the ins and outs of Now Up-to-Date & Contact. Unlike our ebooks,
  manuals have to be (or at least should be) comprehensive, and
  by the time Joe was done, "Take Control of Now Up-to-Date &
  Contact" had hit 249 pages. That's nearly 100 pages longer than
  our longest ebook, but it's still far more concise and focused
  than the previous manual. Despite the size, the large number of
  links and bookmarks make the manual easy to navigate. But don't
  take my word for it - you can download "Take Control of Now
  Up-to-Date & Contact" for free from our Web site.

<http://www.takecontrolbooks.com/nudc.html>

  In part because of the expected size of the manual, we decided
  to do a few things differently than in the past. Most notably,
  Joe used Microsoft Word 2004's fields to provide automatic
  numbering of figures and automatic internal reference links.
  Word's fields are fragile and persnickety - I had to update
  many of the figure reference fields manually, and in several
  situations, a field simply wouldn't work, forcing me to revert
  to a hyperlink. Unsurprisingly, Word's interface for creating
  fields and bookmarks is terrible; the entire process wouldn't
  have been possible at all without some macros that Matt Neuburg
  wrote for us. Nevertheless, it was the right decision in the end,
  in large part because we ended up swapping two major sections
  around at the last minute, and the fields mostly updated properly.
  It makes one long for an updated version of FrameMaker, not that
  FrameMaker didn't suffer from other deal-breaking problems.

  As an aside, I had to drop back to Word X to be able to finish
  editing and production on "Take Control of Now Up-to-Date &
  Contact." With 249 pages, 103 screenshots, and numerous inline
  graphics, the file ballooned to 7.3 MB, and Word 2004 slowed
  to a crawl in Page Layout mode on my dual 1 GHz Power Mac G4,
  thanks to the constant repaginating. I don't know what Word X
  does differently, but it was downright snappy in comparison.
  Plus, Word 2004 suffers from a known crashing bug related to
  generating a table of contents within a table; that one bit
  me once before I gave up on Word 2004 for the duration of
  the project.

  We're also trying to make it easier for readers to comment
  on the manual and see what others have said about it as well,
  thanks to a service called QuickTopic Document Review. In essence,
  I uploaded an HTML version of "Take Control of Now Up-to-Date &
  Contact" (exported from Word and heavily munged via a BBEdit
  Text Factory that I've developed), and QuickTopic Document Review
  put a "comment dot" after each paragraph. Click a comment dot and
  you can leave a note about the associated paragraph, and everyone
  else who comes in can see your comments in one of three views:
  inline in the document, in a forum-like display, or in a comment
  review mode that shows an excerpt of the original text before the
  comment. QuickTopic Document Review is brilliant, and we rely on
  it heavily for group technical editing. Although we've subscribed
  to QuickTopic Document Review Pro so we can password-protect
  drafts about NDA products (normally, randomly generated URLs
  provide only security by obscurity), this document review is
  open to everyone, so feel free to check it out at the second
  link below.

<http://www.quicktopic.com/cgi-bin/docreviewintro.cgi>
<http://www.quicktopic.com/32/D/zTvDUkXyy9p6?inline=1>

  Of course, we'll be doing updates to the manual along with a
  Windows version (nearly identical other than screenshots) to
  keep pace with new releases of Now Up-to-Date & Contact from
  Now Software, so be sure to click the Check for Updates button
  and sign up for notifications if you want to keep your copy
  current.


Hot Topics in TidBITS Talk/15-Aug-05
------------------------------------
  by TidBITS Staff <[EMAIL PROTECTED]>

  The second URL below each thread description points to the
  discussion on our Web Crossing server, which will be faster.


**Japan's iTunes Music Store** -- The opening and initial success
  of iTMS in Japan had some people in other countries excited
  about the possibility of purchasing electronic versions of music
  available only in Japan. Unfortunately, due to licensing issues,
  you must have a Japanese credit card to buy those songs.
  (7 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2670>
<http://emperor.tidbits.com/TidBITS/Talk/522/>


**Expanding the View with a Dell LCD Display** -- Jeff Carlson's
  experience with the Dell 2005FPW 20-inch display reveals how many
  people have taken advantage of Dell's special offers and brings
  up other interesting tidbits, such as the fact that the screen
  appears to be the exact same one used in Apple's 20-inch Cinema
  Display. (13 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2671>
<http://emperor.tidbits.com/TidBITS/Talk/523/>




$$

 Non-profit, non-commercial publications may reprint articles if
 full credit is given. Others please contact us. We don't guarantee
 accuracy of articles. Caveat lector. Publication, product, and
 company names may be registered trademarks of their companies.

 For information: how to subscribe, where to find back issues,
 and more, see <http://www.tidbits.com/>. TidBITS ISSN 1090-7017.
 Send comments and editorial submissions to: <[EMAIL PROTECTED]>
 Back issues available at: <http://www.tidbits.com/tb-issues/>
 And: <ftp://ftp.tidbits.com/issues/>
 Full text searching available at: <http://www.tidbits.com/search/>
 -------------------------------------------------------------------



