TidBITS#830/22-May-06
=====================
Is your iBook on its last legs? Apple completed its notebook line
last week with the MacBook, a 13-inch widescreen laptop with an
Intel Core Duo processor. Mark Anbinder and Jeff Carlson bring
you their hands-on report. Also this week, Apple's lawyers stay
busy fending off a lawsuit from Creative Technology over iPod
patents (and countersue in return). Plus, Apple released Final
Cut Express HD 3.5, speed-bumped the MacBook Pro, and we note
both the release-candidate status of Parallels Desktop and two
new Take Control ebooks that explain how fonts work - and don't
work - in Mac OS X.
Topics:
MailBITS/22-May-06
MacBook Fills Out Laptop Line
Creative Hits Apple With iPod Patent Suit
Final Cut Express HD 3.5 Goes Universal
Apple Reminds Us of Trusting, Verifying
Take Control News/22-May-06
Hot Topics in TidBITS Talk/22-May-06
<http://www.tidbits.com/tb-issues/TidBITS-830.html>
<ftp://ftp.tidbits.com/issues/2006/TidBITS#830_22-May-06.etx>
Copyright 2006 TidBITS: Reuse governed by Creative Commons license
<http://www.tidbits.com/terms/> Contact: <[EMAIL PROTECTED]>
---------------------------------------------------------------
This issue of TidBITS sponsored in part by:
* READERS LIKE YOU! Support TidBITS with a contribution today! <----- NEW!
<http://www.tidbits.com/about/support/contributors.html>
Special thanks this week to Darryl Oliver, Juerg Fehr,
Kevin Fong, and John Miller for their generous support!
* Make friends and influence people by sponsoring TidBITS! <--------- NEW!
Put your company and products in front of tens of thousands of
savvy, committed Macintosh users who actually buy stuff.
For more information and rates, email <[EMAIL PROTECTED]>.
* SMALL DOG ELECTRONICS: Free Shipping on select <------------------- NEW!
previous generation and refurbished iPods,
iPod photos, and iPod minis. Starting at $145.
Visit: <http://www.smalldog.com/tb> 800-511-MACS
* FETCH SOFTWORKS: With Fetch 5, FTP and SFTP are simpler <---------- NEW!
than ever. Use it on Mac OS X to upload, download, mirror,
and manage your Web site, eBay images, and data sets.
Download your free trial version! <http://fetchsoftworks.com/>
* Web Crossing, Inc: Web Crossing offers integrated collaboration
tools with a broad spectrum of functionality, but did you know
adding discussions, blogs, podcasts, chat, polls, and calendars
is point-click easy? Try a demo! <http://www.webcrossing.com/>
* Yojimbo 1.1 from Bare Bones Software: Your effortless, reliable <-- NEW!
information organizer for Mac OS X. It will change your life,
without changing the way you work. Download the demo or buy it
today! <http://www.barebones.com/products/yojimbo/>
* Circus Ponies NoteBook: Never lose anything again. NoteBook <------ NEW!
lets you take notes, clip content, and share information. Find
anything instantly with automatic index pages. One-step Web
publishing. Free 30-day demo! <http://www.circusponies.com/>
---------------------------------------------------------------
MailBITS/22-May-06
------------------
**Apple Speeds Up MacBook Pro Models** -- On the same day that
Apple released the MacBook (see our coverage in this issue), the
company shuffled the configurations on the MacBook Pro laptops.
Both the 15-inch and 17-inch MacBook Pro models offer Intel Core
Duo 2.0 GHz and 2.16 GHz configurations at the previous prices
of the 1.83 GHz and 2.0 GHz models (2.16 GHz was previously
a build-to-order option.) Apple also added a new build-to-order
change to the MacBook Pro: both models can be configured, at no
extra charge, with the glossy screen introduced with the MacBook.
[MHA]
<http://www.apple.com/macbookpro/>
**Parallels Issues Release Candidate of Virtual Machine** --
Parallels Desktop, a virtual machine environment for Mac OS X
that runs operating systems that require an Intel processor
(such as Microsoft Windows XP) has reached the release candidate
stage, a point where all bugs should be fixed or classified as
not worth fixing. Thanks no doubt to the high profile it garnered
following Apple's beta release of Boot Camp, the company said it
had over 100,000 beta testers. The release candidate is available
now as a 21.5 MB download. Although we normally don't cover pre-
release software in TidBITS, it's worth noting that Parallels is
still offering $10 off the $50 retail price for the product if
you order before the actual 1.0 version appears.
<http://www.parallels.com/en/download/desktop/>
Whereas Boot Camp will install only Windows XP Service Pack 2,
and a generic Intel computer might balk at older operating
systems or have other limitations, virtual machines such as
Parallels Desktop can handle almost anything, including IBM OS/2,
Windows 95, various versions of DOS, and the parade of Linux,
Unix, and BSD versions. [GF]
**DealBITS Drawing: DoorStop X Security Suite Winners** --
Congratulations to Bob Dain of mac.com, Charles Kinney of
earthlink.net, and Steve B of macrepair.com, whose entries
were chosen randomly in last week's DealBITS drawing and who
each received a copy of Open Door Networks' DoorStop X Security
Suite. And since Steve B entered this DealBITS drawing after being
referred to it by Chris Harnish of mac.com, Chris too will receive
a copy as a thank you. Even if you didn't win, you can still
save $20 on the $79 DoorStop X Security Suite through 29-May-06.
To receive your discount, enter "Tidbits0506" in the Comments
field of the order form (the third link below). With 1,022
entrants, this was one of the most popular drawings of late;
keep an eye out for future DealBITS drawings! [ACE]
<http://db.tidbits.com/getbits.acgi?tbart=08527>
<http://www.opendoor.com/doorstopsuite/>
<http://www.opendoor.com/order.html>
MacBook Fills Out Laptop Line
-----------------------------
by Mark H. Anbinder and Jeff Carlson <[EMAIL PROTECTED]>
Since Apple's January introduction of the 15-inch MacBook Pro,
the unspoken (well, maybe a little spoken) assumption has been
that a MacBook without the "Pro" was on the way. Apple's
introduction of the 13-inch MacBook last week fills that void,
effectively replacing both the iBook and 12-inch PowerBook with
a capable, affordable, Intel-based laptop - now available in
white or black.
<http://www.apple.com/macbook/macbook.html>
Unlike the aluminum skin of recent PowerBook and MacBook Pro
models, the MacBook comes in a white or black polycarbonate shell;
the black model is available only on the high end for a $200 price
premium that gives you black instead of white and a larger hard
drive (80 GB instead of 60 GB). The case also sports a new
latchless design, with magnets to hold the laptop firmly closed.
The MacBook features an Intel Core Duo processor running at
1.83 GHz or 2.0 GHz, with a 667 MHz bus. It includes a built-in
iSight video camera, Apple Remote and infrared port, Gigabit
Ethernet, AirPort Extreme and Bluetooth wireless networking,
and Apple's innovative "klutz-proof" MagSafe power adapter,
designed to separate easily from the laptop to avoid accidents.
The Apple Remote controls not only the included Front Row media
software, but also presentations in Keynote. (Apple has put
together an informative chart comparing the various MacBook
and MacBook Pro configurations.)
<http://store.apple.com/Catalog/US/Images/comparison_chart.html>
The stock configurations ship with 512 MB of memory, which
unfortunately is configured as two 256 MB DIMMs. If you install
more RAM (up to 2 GB), you should buy two chips of the same
capacity to take advantage of better performance by upgrading
RAM in pairs, which means you're stuck with those 256 MB DIMMs
(and with people buying MacBooks, there may not be much of a
market for used 256 MB RAM). Upgrading the RAM is fairly simple:
remove three screws and a bracket in the battery bay, and flip
two levers that eject the RAM. Macworld's Jason Snell created
a short video showing just how easy it is.
<http://www.macworld.com/weblogs/macword/2006/05/macbookvideo/>
An exciting offshoot of this step is that the hard drive is easily
accessible from the left side of the bay. The iBook and 12-inch
PowerBook models required an almost complete disassembly to
replace the hard drive, which made users (like Jeff) reluctant to
upgrade old machines with more storage. No doubt this change makes
it easier for Apple technicians to speed up repairs and upgrades.
The MacBook also comes with a 60W power adapter, which is the
same physical size as the power brick that shipped with the last
generation of PowerBooks and iBooks. The MacBook Pro models use a
physically larger 85W adapter. You can use the MacBook Pro adapter
to power a MacBook and charge its battery, but not the reverse:
a MacBook's 60W adapter will power a MacBook Pro, but it won't
charge the battery.
**Graphics** -- The included Intel GMA 950 graphics processor has
64 MB of video memory, and shares the MacBook's main memory as
needed, depending on selected resolution and use of external
display. This relatively weak graphics capability means you won't
want to purchase a MacBook for playing high-performance 3D games,
and limits the capability of running Apple's professional
applications; for example, Apple confirmed that Aperture's
performance is acceptable, but that the MacBook is not the
first choice for running the photo-management program. As with
previous PowerBook and MacBook Pro models, but not the iBook line,
the MacBook supports mirroring or an extended desktop on external
displays.
<http://www.apple.com/aperture/>
The built-in display's resolution is 1280 by 800, and the
MacBook's mini-DVI port can support Apple's 20-inch or 23-inch
Cinema Displays (or other displays up to 1920 by 1200 pixels)
with the use of a mini-DVI to DVI adapter (available separately
for $20). The 30-inch Cinema Display is not supported.
Like the 15-inch MacBook Pro, the new MacBook offers FireWire 400
but not FireWire 800, and its 4x SuperDrive lacks dual-layer write
capability. The low-end MacBook includes a Combo drive (DVD-ROM
and CD-RW) by default; the SuperDrive is optional. All versions
include two USB 2.0 ports and optical digital and analog audio
input and output; as with all of Apple's newest computers,
an external USB modem is optional.
**Gloss: Boss or Loss?** -- The company says the new wide-format
13.3-inch MacBook display is 79 percent brighter than that of
the iBook or 12-inch PowerBook, but people are more likely to
first notice the new glossy screen. Windows laptops have sported
glossy screens for a few years, but the MacBook is the first
Apple product to do so (the glossy screen is also now a build-
to-order option for the MacBook Pro). In a briefing following the
announcement, Apple said that the new screen improves color and
image quality (offering blacker blacks, whiter whites, etc.),
and that the MacBook's display is less reflective than many
Windows laptops.
The reflectivity is certainly noticeable, though looking at the
display head-on reduces the effect, especially when the brightness
setting is fairly high. We suspect that the glossy screen will
invoke a love-it-or-hate-it reaction in Mac users; but since the
screen is the only option for the MacBook, we may have to just
learn to adapt.
**The Keyboard and Trackpad** -- Another significant change to
the MacBook's exterior is the keyboard, which looks like an old
chiclet type found on early PDAs or calculators. The sides of the
keys drop straight down instead of tapering up from the bottom,
making it appear as if the keys are spaced further apart, even
though they're not. However, the key response is slightly firmer
than the MacBook Pro and doesn't feel odd when touch-typing.
The keyboard is also recessed into the case, giving the lower
section of the laptop a flat plane that will hopefully reduce
or eliminate screen smudges, a common irritant with Apple laptops
for several generations.
<http://en.wikipedia.org/wiki/Chiclet_keyboard>
The trackpad is the wide variety found on recent Apple laptops,
and features two-fingered scrolling. It also adds a new
capability: click the mouse button with two fingers resting on
the trackpad, or tap two fingers at the same time, to display
a contextual menu (the same action as a right-click or Control-
click); this feature needs to first be enabled in the Keyboard
and Mouse preference pane. Apple confirmed that this is a software
feature, not tied to the MacBook's hardware. (Another option is
to install SideTrack by Raging Menace, which offers more trackpad
configurability.)
<http://www.ragingmenace.com/software/sidetrack/>
Apple's new MacBook is available immediately from the Apple
Store Web site and retail locations and Apple resellers, in
configurations ranging from $1,050 to $1,500. Build-to-order
options include up to 2 GB of RAM and hard drives ranging up
to 120 GB.
Creative Hits Apple With iPod Patent Suit
-----------------------------------------
by Geoff Duncan <[EMAIL PROTECTED]>
Creative Labs, the company that has been struggling in the digital
music player market longer than Apple has been making iPods,
announced it has filed a patent infringement suit against Apple
Computer over the interface to its iPod and iPod nano music
players.
<http://us.creative.com/corporate/pressroom/releases/welcome.asp?pid=12405>
Creative claims Apple's products infringe on its "Zen" patent
(U.S. patent 6,928,433), which it applied for in January 2001
but which was granted only in August of 2005. The patent covers
the organization and navigation of music tracks on high-capacity
portable digital music players. Creative claims it implemented and
demonstrated its interface as early as January 2000; Apple's first
iPods didn't ship until October 2001.
<http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6,928,433>
Creative's suit is filed in the U.S. District Court for the
Northern District of California; the company has also filed a
complaint with the U.S. International Trade Commission seeking
an investigation of whether Apple's importing of iPods from Taiwan
is a violation of the Tariff Act of 1930. Creative is seeking an
injunction against Apple importing, marketing, or selling its
current iPod and iPod nano music players: if granted, such an
injunction would be a major blow to Apple's music business.
When Creative announced it had been awarded the "Zen" patent,
industry speculation already had the company seeking license fees
from Apple Computer; at the time, Creative merely said it was
examining all options. Patent license income from a product as
widespread as the iPod would certainly help a company which posted
a $114 million loss in its most recent fiscal quarter. However,
Creative's filing would indicate the companies were not able to
reach an agreement, or Apple thinks Creative's patent lacks merit,
or that it can keep selling iPods while weathering an undoubtedly
long and technical patent lawsuit.
Apple has yet to publicly comment on Creative's suit, but actions
speak louder than words: on the same day Creative launched its
legal action, Apple filed suit against Creative in the United
States District Court for the Western District of Wisconsin,
alleging infringement on four of Apple's patents, then updating
its complaint two days later to include a total of seven Apple
patents. Such tit-for-tat legal maneuvering is common, and often
the countersuit results in a settlement rather than both suits
being followed to their ultimate end.
Final Cut Express HD 3.5 Goes Universal
---------------------------------------
by Jeff Carlson <[EMAIL PROTECTED]>
Apple released Final Cut Express HD 3.5 last week, an update that
brings Intel compatibility and a few welcome improvements to the
company's intermediate video editor. Until recently, the Final
Cut family wouldn't run at all on Intel-based Macs; Apple released
Final Cut Studio 5.1 in April, which includes universal versions
of Final Cut Pro, Soundtrack Pro, DVD Studio Pro, and Motion,
but Final Cut Express didn't make the jump to Intel.
<http://www.apple.com/finalcutexpress/>
<http://www.apple.com/pr/library/2006/may/18fcexpresshd.html>
<http://db.tidbits.com/getbits.acgi?tbart=08485>
In addition to Intel compatibility, Final Cut Express HD 3.5 adds
Dynamic RT, which enables real-time streaming of effects and edits
that previously would require rendering. Performance is dependent
upon the capabilities of the hardware you're running, but even
compatible machines at the lower end of the scale can use it;
Dynamic RT dynamically adjusts the quality of playback to render
video on the fly, so a low-end machine might see degraded image
quality instead of choppy playback. Also new is more powerful
keyframing for creating effects and moving objects (such as a
floating title or picture-in-picture clip) with more
control; keyframing used to be one of the differentiating features
between Final Cut Express and Final Cut Pro.
This new version also includes the updated Soundtrack 1.5 for
audio production and LiveType 2.1 for creating animated text.
Soundtrack 1.5 is a big improvement over Soundtrack 1.2.1
(which comes with Final Cut Express HD 3.0): instead of updating
the previous version, Apple took Soundtrack Pro and removed
features to make it more in line with the package's intermediate
focus. (Final Cut Express itself is basically just Final Cut
Pro with some of the professional features disabled.) This new
Soundtrack adds real-time audio effects processing, real-time
crossfades, and enhanced multi-take recording. LiveType 2.1
includes 10 GB of type effects, including new vector-based
Live Fonts which scale well for HD-sized content.
<http://www.apple.com/finalcutexpress/soundtrack.html>
<http://www.apple.com/finalcutexpress/livetype.html>
Final Cut Express HD 3.5 is available now for $300; owners of
any previous version can upgrade for $100. (For more on Final Cut
Express HD, see my review of version 3.0 in Macworld.)
<http://www.macworld.com/2005/06/reviews/finalcutexpresshd/>
Apple Reminds Us of Trusting, Verifying
---------------------------------------
by Glenn Fleishman <[EMAIL PROTECTED]>
Apple's security team recently sent email to their security
announcement list noting that they had updated their PGP public key.
While this seems like an obscure or even unimportant announcement,
it's worth looking at for two reasons. First, it highlights
how seriously Apple takes security these days versus about four
years ago; secondly, it's worth reviewing how you verify and use
a public key to ensure the integrity of messages you receive from
parties that use them.
<http://lists.apple.com/archives/Security-announce/2006/May/msg00000.html>
<http://lists.apple.com/mailman/listinfo/security-announce>
Four years ago, Apple became more serious about using encryption
to allow validation of material it sends out after the BugTraq
security list posted a brief vulnerability report noting that
Apple didn't verify the integrity of programs and patches released
via Mac OS X's Software Update feature.
<http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/49.html>
<http://www.cunap.com/~hardingr/projects/osx/exploit.html>
Apple fixed the problem by stapling on an encryption-based
validation method that ensured that downloaded updates actually
came from Apple before they were installed - and released that
update about 10 days after the report.
**Sharing Secrets without Revealing Them** -- Public key
encryption is an integral part of PGP (Pretty Good Privacy),
a system that allows a strong encryption key for a single
document or set of text to be exchanged between two or more
parties over untrusted networks - i.e., the Internet or most
local area networks! An untrusted network is one in which you
can't be sure of the identity of the person you're communicating
with - they could be an impostor - nor can you tell if someone
is eavesdropping on your exchanges. That's the compromise we have
in using any programs that move data over the Internet, within
a local academic network, or even between parties using a free
Wi-Fi network in a cafe.
<http://en.wikipedia.org/wiki/Pretty_Good_Privacy>
With PGP, each party to a message creates and maintains two
encryption keys: one public, one private. These keys are related
mathematically. The private key must be heavily protected
and stored on a local hard drive or a removable USB drive;
by contrast, the public key may and should be shared with anyone.
Public keys are often published to a keyserver, or a directory of
keys, and to Web sites, although that's problematic for reasons
I'll discuss later.
The algorithms that drive public key cryptography make cracking
the private key effectively impossible over epochal time, taking
into account current cracking techniques, expectations in the
advances in computation power and distributed computation, and
the ongoing formal and malevolent testing that looks for flaws in
these algorithms. In general, too, choosing keys that are longer -
say 2048 bits instead of 512 - increases that difficulty without
taxing anyone's computer.
The same algorithms make it impractical to attempt to forge a
digital signature that would prove that an individual was the
possessor of a given public key's private counterpart.
PGP's clever bit - now a common approach for all kinds of secure
protocols - is that it doesn't use the slow-to-compute public
key encryption to encrypt messages or files. Rather, it uses a
public key to protect a strong symmetric key; data protected with
a symmetric key is encrypted and decrypted with the same key,
and this method is much easier for a CPU to process. PGP thus
protects the vulnerable symmetric key with a very strong method.
SSL/TLS (Secure Sockets Layer/Transport Layer Security), SSH
(Secure Shell), IPsec (IP security, often used with virtual
private networks), and S/MIME (Secure/Multipurpose Internet Mail
Extensions, for signed and encrypted email), among others,
use similar methods.
A related benefit is that the same symmetric key can be separately
encrypted for many different recipients of the same document.
Rather than encrypt a 100 MB file 20 times, you can send a few
thousand extra bytes for each recipient attached to a single
100 MB file.
By way of history, PGP was developed in 1991 by Philip Zimmermann,
who faced a variety of legal threats from the U.S. government
through the 1990s for illegal munitions exports due to how
cryptography was classified and how he allowed the program to be
disseminated. He went commercial with the software, and it passed
through intermediate owners until ending up at PGP Corporation.
PGP Corp. offers a free version of PGP Desktop Home 9 for non-
commercial use; download the 30-day trial of the full-featured
version and let it expire. There's also an open-source project
called GPG (GNU Privacy Guard) that uses PGP principles and
conforms to the OpenPGP specification.
<http://en.wikipedia.org/wiki/Phil_Zimmermann>
<http://www.pgp.com/downloads/desktoptrial.php>
<http://www.gnupg.org/>
Zimmermann's latest project, by the way, is an encrypted version
of voice over IP that encrypts and decrypts sound packets from
standard VoIP software that relies on SIP, or Session Initiation
Protocol. His Zfone software is even simpler than PGP to use.
<http://www.philzimmermann.com/EN/zfone/>
**Trust but Verify** -- Public key encryption and PGP are
typically used either for encrypting and/or signing a file
to transmit or store, or for decrypting and/or validating a
received or archived file. Encryption and decryption require
that the sending party knows the receiving party's public key,
which they obtain directly or from a directory. The sender
uses PGP or GPG to encrypt the message with the public key,
and the recipient then uses their private key - handled by their
encryption software - to read the original message or use the
file that was encrypted.
Signing lets the sending party use PGP to compute a relatively
short series of numbers that provides a kind of fingerprint
of the original message, a bit like a checksum but with much
higher complexity. The message can't be reconstituted from
the fingerprint - much like you can't produce a finger from
a fingerprint - and producing the same fingerprint
from other text is almost impossible. PGP then uses the sending
party's private key to create a signature from the fingerprint.
The recipient can then verify the signed message hasn't been
tampered with by using the sender's public key.
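The following is an added example, not code from TidBITS, PGP Corporation or the GnuPG project. It models the two mechanisms described above: the "clever bit" of wrapping one symmetric session key separately for each recipient, and signing a message by applying the private key to its fingerprint. Textbook RSA on a few fixed Mersenne primes stands in for real key generation, a SHA-256 keystream stands in for a real symmetric cipher, and the party names and key values are constructed; it illustrates the flow and protects nothing.

```python
# Added example: toy model of PGP-style hybrid encryption and signing.
# Textbook RSA with fixed Mersenne primes and a hash-based keystream
# are stand-ins for illustration only, not a usable cryptosystem.
import hashlib
import os


def make_keypair(p, q, e=65537):
    """Build an RSA-style (public, private) pair from two primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse of e mod phi(n)
    return (n, e), (n, d)


# Constructed keys: each party gets its own pair of Mersenne primes so
# that no modulus shares a factor with another (toy sizes, ~190 bits).
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 61) - 1, (1 << 127) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)


def rsa_public_op(x, public):
    n, e = public
    return pow(x, e, n)


def rsa_private_op(x, private):
    n, d = private
    return pow(x, d, n)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || counter) blocks.
    Same function encrypts and decrypts, as with any symmetric key."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], pad))
    return bytes(out)


def encrypt_for(recipients, plaintext):
    """Encrypt the body once under a random session key, then wrap that
    key with each recipient's public key: one body, one small wrapped
    key per recipient, instead of one full encryption per recipient."""
    session_key = os.urandom(16)
    body = keystream_xor(session_key, plaintext)
    key_int = int.from_bytes(session_key, "big")
    wrapped = {name: rsa_public_op(key_int, pub) for name, pub in recipients.items()}
    return {"body": body, "keys": wrapped}


def decrypt_as(name, private, package):
    """A recipient unwraps only its own copy of the session key."""
    key_int = rsa_private_op(package["keys"][name], private)
    return keystream_xor(key_int.to_bytes(16, "big"), package["body"])


def fingerprint(message):
    """Short fixed-size digest of the message, as an integer (SHA-1 here,
    matching the digest Apple publishes for its downloads)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message, private):
    """Signature = private-key operation on the fingerprint, not the message."""
    return rsa_private_op(fingerprint(message), private)


def verify(message, signature, public):
    """Anyone with the public key can recompute the fingerprint and check
    that the signature opens to the same value."""
    return rsa_public_op(signature, public) == fingerprint(message)


if __name__ == "__main__":
    package = encrypt_for({"alice": ALICE_PUB, "bob": BOB_PUB}, b"hello, list")
    print(decrypt_as("bob", BOB_PRIV, package))
    sig = sign(b"key updated", ALICE_PRIV)
    print(verify(b"key updated", sig, ALICE_PUB), verify(b"key updated!", sig, ALICE_PUB))
```

Note that the encrypted body is the same size as the plaintext however many recipients there are; only the small wrapped-key table grows, which is the saving described for the 100 MB file. The signature check fails both for a modified message and for a signature checked against the wrong public key, which is why the next section is about confirming that you hold the right one.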
Apple signs messages sent via its security list and also signs
files that are offered for download via Software Update. In the
case of the security list, you're on your own for checking the
validity of the message. If you use PGP Desktop Home 9 or similar
software, you can use one of several methods to let PGP validate
signed messages. (Software Update has a built-in method of
checking signatures. You may even notice that Software Update
itself occasionally downloads a new PGP key!)
Apple uses a similar method to help validate its security
updates. If you go to a page, like the one for Security Update
2006-003 for Mac OS X 10.4.6 Client (PPC), you'll see a note
at the bottom reading:
SHA1SecUpd2006-003Ti.dmg=f0dcb0dc51add2b51c297a8f416c4c23da67057c
That's the computed fingerprint of that particular disk image.
To verify that a download of that disk image is identical to what
was packaged up by Apple, you can follow instructions provided on
a linked page. This requires the use of Terminal.
<http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html>
<http://docs.info.apple.com/article.html?artnum=75510>
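As an added example (not code from the article or from Apple), here is the check the linked Apple instructions have you do in Terminal, done in Python: parse the published SHA-1 line, hash the downloaded file, and compare. The line is taken from the page exactly as it appears there; OpenSSL's own output takes the form "SHA1(file)= digest", so the parser accepts both spellings. The disk image bytes used for the demonstration are constructed, since the real SecUpd2006-003Ti.dmg is not embedded here; its published digest therefore cannot be confirmed offline.

```python
# Added example: verifying a download against a vendor-published SHA-1
# digest line. APPLE_LINE is reproduced from the article; SAMPLE_IMAGE
# is constructed stand-in data, not a real disk image.
import hashlib
import hmac
import re

APPLE_LINE = "SHA1SecUpd2006-003Ti.dmg=f0dcb0dc51add2b51c297a8f416c4c23da67057c"

# Accepts "SHA1(file)= digest", "SHA1 (file) = digest" and the collapsed
# "SHA1file=digest" form shown on the page.
_LINE_RE = re.compile(r"^SHA1\s*\(?\s*(.+?)\s*\)?\s*=\s*([0-9a-fA-F]{40})$")


def parse_digest_line(line):
    """Return (filename, lowercase hex digest) from a published SHA-1 line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a SHA1 digest line: %r" % line)
    return m.group(1), m.group(2).lower()


def sha1_of_bytes(data):
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Digest a large disk image without reading it all into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def publish_line(filename, data):
    """The vendor side: emit the line in OpenSSL's output format."""
    return "SHA1(%s)= %s" % (filename, sha1_of_bytes(data))


def verify_download(data, published_line):
    """True only if the local bytes hash to the published digest.
    compare_digest does a constant-time comparison of the two strings."""
    _, expected = parse_digest_line(published_line)
    return hmac.compare_digest(sha1_of_bytes(data), expected)


# Constructed stand-in for a downloaded disk image.
SAMPLE_IMAGE = b"constructed bytes standing in for a .dmg download"

if __name__ == "__main__":
    print(parse_digest_line(APPLE_LINE))
    line = publish_line("sample.dmg", SAMPLE_IMAGE)
    print(line, verify_download(SAMPLE_IMAGE, line))
```

The digest only tells you the file you have is the one Apple hashed; it says nothing about who served the page with the digest on it, which is the point the article returns to when it discusses plain-HTTP pages below.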
I use Bare Bones Software's Mailsmith 2.1 with PGP Desktop 9,
enabling PGP to handle my email streams (an extra feature in PGP's
commercial version). Any incoming signed message is automatically
processed by PGP, checked against keys I have stored, and
converted before it reaches Mailsmith so that I can see whether
a trusted or unknown key signed the message, or whether the
message can't be validated. The downside, of course, is that
I now have the unencrypted messages stored on my computer;
I'd have to re-encrypt them and delete the stored copies to
achieve the same original security. (PGP Desktop and GPG work
with other mail programs. PGP Desktop includes several plug-ins
and scripts, and there's a GPG plug-in for Apple Mail.)
<http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html>
For instance, PGP inserted this message into the email received
from Apple on 08-May-06, about their new public key: "PGP Signed
by an unverified key: 05/08/06 at 15:56:15". This alert indicates
that while the signing was valid, the key was unknown.
Within PGP, I can mark a given key as verified, once I'm sure
that it's really valid. But how can I validate that a public key
is valid without recourse to the same untrusted network from which
I received the key? That's the next step.
**Validating a Key** -- For key verification, which I need to perform
only once per key, I have to find a method other than email -
otherwise one interception could disrupt the trust for both the
key and the verification of the key. This is where phone calls,
faxes, and other information come in handy. You can validate
that someone's public key is really the one that they created
and distributed by checking its fingerprint with the owner of
that key. For the best security, you call up the owner or use
another out-of-band method - something other than the Internet,
for instance - to get the fingerprint. A secure Web site would
also work, though it has both advantages and disadvantages I'll
discuss below.
In either version of PGP Desktop Home 9, after pasting in a public
key sent via email or copied from a Web page or after importing
a key from a public keyserver, you can reveal its fingerprint
through these steps. First, select the key in the main PGP Desktop
window. Next, press Command-I or select Show Key Info from the
contextual menu. The middle of the Info dialog box shows the
fingerprint.
If you and the other party use PGP 8 or later, you can use the
hilarious Biometric tab, in which each number from 0 to 255
has been assigned a unique word. This is easier to read over
the phone. For other versions of PGP or GPG, you'll need to click
the Hexadecimal tab and read the short sequence of groups of four
hexadecimal digits. If the numbers don't match, the public key
you have isn't the one published or sent by the party you're
talking to. Time to review your security, if that's the case.
If the fingerprints match, which they always have for me over
a decade of using PGP, you've accomplished your out-of-band step
and have a secure PGP key that can be used in the future.
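The example below is added here and is not code from the article, PGP Corporation or GnuPG. It shows where the fingerprint in the Info dialog comes from and how to compare it with one read over the phone. The derivation follows the OpenPGP v4 rule from RFC 4880: SHA-1 over the byte 0x99, a two-byte length, and the public-key packet body (version, creation time, algorithm, key integers). The key material and timestamp are constructed and belong to nobody.

```python
# Added example: deriving an OpenPGP v4 key fingerprint (RFC 4880) and
# comparing it with a fingerprint obtained out of band. DEMO_* values
# are constructed; they are not Apple's key or any real key.
import hashlib
import re


def mpi(value):
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    bit_len = value.bit_length()
    return bit_len.to_bytes(2, "big") + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_packet(n, e, created):
    """Body of a v4 public-key packet for RSA (algorithm id 1)."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(packet_body):
    """SHA-1 over 0x99 || two-byte body length || body, as uppercase hex."""
    prefix = b"\x99" + len(packet_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def display_fingerprint(fp_hex):
    """Groups of four hex digits, as PGP's Hexadecimal tab shows them."""
    return " ".join(fp_hex[i:i + 4] for i in range(0, len(fp_hex), 4))


def normalize(spoken):
    """Drop spacing, punctuation and case from a fingerprint read over the
    phone, faxed, or pasted from a Web page."""
    return re.sub(r"[^0-9A-F]", "", spoken.upper())


def fingerprints_match(local_fp, spoken_fp):
    """Out-of-band check: every one of the 40 hex digits must agree.
    The length test refuses to accept a partial reading (e.g. a key ID)."""
    a, b = normalize(local_fp), normalize(spoken_fp)
    return len(a) == 40 and a == b


# Constructed key: two Mersenne primes give a modulus of toy size.
DEMO_N = ((1 << 107) - 1) * ((1 << 127) - 1)
DEMO_E = 65537
DEMO_CREATED = 1147100000  # constructed Unix timestamp, early May 2006
DEMO_PACKET = rsa_public_key_packet(DEMO_N, DEMO_E, DEMO_CREATED)
DEMO_FINGERPRINT = v4_fingerprint(DEMO_PACKET)

if __name__ == "__main__":
    shown = display_fingerprint(DEMO_FINGERPRINT)
    print(shown)
    # What the key's owner reads back to you, in whatever spacing they use
    print(fingerprints_match(DEMO_FINGERPRINT, shown.lower().replace(" ", "")))
```

Because the fingerprint covers the key integers and the creation time, a substituted key (even one with the same user ID) produces a different value, which is exactly what the phone call catches. With GnuPG the same value is what `gpg --fingerprint` prints.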
You might ask: If Web servers use SSL/TLS to secure connections,
and SSL/TLS uses public keys in a similar way to PGP, how do they
perform this external verification? The answer is through what's
called a certificate authority (CA), a third party that confirms
some measure of the truth of identity expressed in an SSL/TLS
certificate. These certificates contain a public key for the
server using SSL/TLS and are signed by the CA. How does my Web
browser then trust the CA? Browsers (and, for other purposes,
operating systems) vouch for certificate authorities by embedding
the certificates of the CAs - dozens of them - in the browser
or operating system. You trust your operating system vendor
or browser developer to pick trustworthy CAs, and then the CAs
to identify correctly the organizations that are using the
certificates the CAs have validated.
(If you need to use digital certificates for private purposes
or within a company, and don't want to pay a yearly fee for a
CA-issued certificate, you can create your own. These self-signed
certificates put you in the role of CA by creating a special
certificate that's separately installed on any computer with which
you'd interact. Mac OS X has great tools for examining self-signed
certificates when presented via a Web browser or as part of a
kind of Wi-Fi network login called WPA Enterprise that also uses
certificates. You can choose to trust a self-signed certificate
once or always, along with other parameters. Apple includes
tools for generating your own certificate and self-signing
within Keychain Access. Choose Certificate Assistant from
the Keychain Access application menu.)
**Why Is Apple Updating Its PGP Key?** -- That brings us to the issue
I started with: Apple has updated its public PGP key for security
messages - both messages it sends out on the list and messages you
want to send them. Why? When you create a public/private key pair,
you determine how long the keys remain valid. The expiration date
is another way to limit the damages from a private key that slips
into the wrong hands. (There's also a way to revoke keys, but
it's unreliable and a bit complicated to discuss in brief.)
Apple expires many of their public keys as a routine part of
encryption hygiene.
Now, the one mistake Apple made with distributing their new key
is that while they provided full information with their key,
including the fingerprint, they provided no external validation
method. The link included in the email they sent is for a plain
HTTP transaction. Because HTTP transactions occur in the clear,
it would be possible for an attacker at an institution - say
a university or corporation - to modify both the email and the
appearance of an Apple Web page that you view on your computer
through a variety of well-known local area network exploits.
You might see a different fingerprint and public key on the Web
page served to your computer than Apple has on its.
Sure, this is extremely unlikely, but when you're working with a
key that will last a year and a process that's designed to provide
commercial-grade security for tens of millions of people, well,
it's an oversight.
I did discover that Apple's SSL/TLS Web servers will let you
request the same page through a secure transaction. If you enter
"https" instead of "http" for the page containing their public
key and fingerprint, your browser checks the site's certificate
against its built-in list of certificate authorities to ensure
you're seeing a page Apple intended for you to see.
(Your CA list being cracked within the browser is an unthinkably
low probability unless this list were tampered with for millions
of people or as a common exploit.)
When you load the page via SSL/TLS, you may receive one warning
for a Web bug (tracking image) on the page that you can safely
ignore; some colleagues didn't see that warning at all.
<https://www.apple.com/support/security/pgp/>
For most people, any step beyond viewing a plain, non-encrypted
Web page at Apple is certainly unnecessary, but it's good to
review the chain of trust. For those who favor the most stringent
methods of external confirmation, Apple is just a mark or two
below that. It's much more likely that any exploit would be
an inside job - which has happened at some firms, but is an
unlikely event - than from the outside.
I do have one rather off-beat suggestion. Offer an automated
fingerprint readback by phone: a telephone number that's clearly
within Apple's known phone range, answered by a voice that says,
"Here is Apple's PGP security key fingerprint for the key expiring
May 1, 2007," followed by the string of hexadecimal digits.
They could even use Talking Moose, for old times' sake.
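To make the expiration and fingerprint points above concrete, here is an
added example of my own (not Apple's code and not from the PGP tools
the article mentions) showing how an OpenPGP v4 fingerprint is derived
from the key bytes you actually received, how to compare it with a
fingerprint read off the HTTPS page or heard over the phone, and how
a key's expiration is encoded in its self-signature. The RSA modulus,
the dates, and the function names are constructed for illustration;
the "key" is a dummy and must not be used as one.

```python
"""Added example (not Apple's code, not from the article): OpenPGP v4
fingerprint derivation, out-of-band fingerprint comparison, and key
expiration as encoded in a self-signature. The RSA modulus and dates
below are constructed dummies, not a real key."""
import hashlib
import hmac
import struct
import time


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 sec. 3.2):
    two-octet bit length followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 sec. 5.5.2):
    version octet, creation time, algorithm id (1 = RSA), MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 sec. 12.2): SHA-1 over 0x99, the two-octet
    body length and the body. Returned as 40 upper-case hex digits."""
    preimage = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(preimage).hexdigest().upper()


def key_id(fpr: str) -> str:
    """The 64-bit key ID is just the low-order 16 hex digits of the
    fingerprint; it is far too short to stand in for it when verifying."""
    return fpr[-16:]


def normalize(fpr: str) -> str:
    """Drop the grouping spaces or colons that tools, Web pages and a person
    reading digits over the phone insert, and fold to upper case."""
    return "".join(ch for ch in fpr.upper() if ch in "0123456789ABCDEF")


def fingerprints_match(published: str, computed: str) -> bool:
    """True only if two full 160-bit fingerprints agree (constant-time
    comparison out of habit; the values themselves are public)."""
    a, b = normalize(published), normalize(computed)
    return len(a) == 40 and hmac.compare_digest(a, b)


def parse_subpackets(data: bytes) -> dict:
    """Parse a signature subpacket area (RFC 4880 sec. 5.2.3.1) into
    {subpacket type: body}, handling the one-, two- and five-octet lengths."""
    out, i = {}, 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        sub_type = data[i] & 0x7F          # high bit is the "critical" flag
        out[sub_type] = data[i + 1:i + length]
        i += length
    return out


def key_expires_at(created: int, hashed_subpackets: bytes):
    """A Key Expiration Time subpacket (type 9) holds seconds after key
    creation; no such subpacket means the key never expires."""
    subs = parse_subpackets(hashed_subpackets)
    if 9 not in subs:
        return None
    return created + struct.unpack(">I", subs[9])[0]


if __name__ == "__main__":
    created = 1146441600                 # 2006-05-01 00:00 UTC, constructed
    n = (1 << 1023) + 12345              # dummy 1024-bit modulus, NOT a real key
    body = public_key_packet_body(created, n, 65537)
    fpr = fingerprint(body)
    # What you would read off the HTTPS page or hear over the phone,
    # grouped in fours the way gpg prints it:
    published = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))
    print("fingerprint:", published)
    print("key id:     ", key_id(fpr))
    print("match:      ", fingerprints_match(published, fpr))
    # Self-signature subpackets: creation time (type 2), one-year expiry (type 9)
    subs = (b"\x05\x02" + struct.pack(">I", created)
            + b"\x05\x09" + struct.pack(">I", 365 * 86400))
    expires = key_expires_at(created, subs)
    print("expires:    ", time.strftime("%Y-%m-%d", time.gmtime(expires)))
```

The thing to notice is that the fingerprint is a hash over the key
material itself, so a key the attacker substitutes on a tampered Web
page cannot share it; the check only works, though, if the fingerprint
you compare against came to you by a path the same attacker couldn't
also rewrite, which is the whole argument for the HTTPS page or the
phone readback.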
Take Control News/22-May-06
---------------------------
by Adam C. Engst <[EMAIL PROTECTED]>
**Ultimate Guide to Fonts in Mac OS X Now Available** -- Wrangling
fonts in Mac OS X can be difficult. What with six different types
of fonts - some of which can contain thousands of characters -
and more than six possible locations for font storage, it's tough
to stay organized and work efficiently, and it's maddening when
something goes wrong with your fonts and eats an entire afternoon.
We know all about how hard it can be, both from hair-pulling
experience and because we've now spent over nine months writing,
testing, and polishing a pair of ebooks about how to take control
of fonts in Mac OS X. Both ebooks were written by Sharon Zardetto
Aker, a veteran Macintosh author best known for her work in the
early years of Macworld and MacUser, and on "The Macintosh Bible."
Her first ebook, the 255-page "Take Control of Fonts in Mac OS X,"
helps you organize existing fonts, install new ones successfully,
and use fonts like a pro (or more to the point, like a pro who
knows fonts inside and out!), and it comes with over $80 worth
of coupons for discounts on font-related products. Sharon's
second ebook, the 120-page "Take Control of Font Problems in
Mac OS X," helps you troubleshoot general font issues and solve
specific problems with ease.
<http://www.takecontrolbooks.com/fonts-macosx.html?14@@!pt=
TRK-0036-TB830-TCNEWS>
<http://www.takecontrolbooks.com/font-problems-macosx.html?14@@!pt=
TRK-0037-TB830-TCNEWS>
"Take Control of Fonts in Mac OS X" starts with a look at where
fonts are stored, why they are there, and how you can organize
them to achieve harmony and useful Font menus. Special attention
is paid to legacy fonts from Mac OS 9, fonts installed by Adobe
and Microsoft applications, and fonts from iWork and iLife.
Once that's under control, you'll learn where to find cheap
new fonts and the ins and outs of a variety of font installation
methods. Then Sharon turns her attention to using the fonts:
how to find them in menus, type on a foreign language keyboard,
and take advantage of the wealth of cool special characters hidden
in modern Unicode fonts. She wraps things up with font-related
advice for sharing documents with others, particularly people
using Windows applications.
"Take Control of Font Problems in Mac OS X" begins with a look at
the different types of fonts you may find on your Mac and where
they are stored, gives you advice on preventative measures and
a roundup of useful problem-solving tools, and gets you going
by teaching you how to perform basic troubleshooting measures.
Once that's out of the way, the ebook presents you with a table
that helps you determine if you have a specific sort of problem
or a general one. You'll find lots of solutions to specific
problems, as well as a colorful flowchart that gives a visual
overview of how to proceed with troubleshooting a general problem
(you can also download the flowchart as a stand-alone flier;
feel free to share it with friends). The flowchart links to
specific instructions for carrying out each troubleshooting
step. If you have a font problem, know people who have font
problems, or want to be sure you'll be on top of things if a
problem crops up, this ebook is for you. We expect that most
people will want both ebooks, but if you plan to pick up only
this one, note that it assumes you understand the basics of
managing fonts and working in Font Book.
<http://www.takecontrolbooks.com/resources/0037/
TakeControlOfFontProblemsFlier.pdf>
The ebooks are available separately for $20 and $10 respectively,
or you can save $5 by buying them bundled together. We realize
they're a bit more expensive than our other titles, but we feel
the price is warranted given their technical depth and size
(over 350 pages combined!) and the vast amount of work that went
into them, and the coupons could easily be worth more than the
purchase price. More to the point, this isn't a trend - the sheer
amount of content we had required proportionally more effort than
anticipated and caused troubles with our technology that don't
occur with our shorter books, so our next few ebooks will return
to the normal size and price range.
Hot Topics in TidBITS Talk/22-May-06
------------------------------------
by TidBITS Staff <[EMAIL PROTECTED]>
The first link for each thread description points to the
traditional TidBITS Talk interface; the second link points to
the same discussion on our Web Crossing server, which provides
a different look and which may be faster.
**Garmin StreetPilot 2720** -- Adam's review of this GPS device
prompts readers to share their own experiences with similar
devices, plus news that Garmin is working on a Mac version
of their software. (12 messages)
<http://db.tidbits.com/getbits.acgi?tlkthrd=2997>
<http://emperor.tidbits.com/TidBITS/Talk/828/>
**MacBook Fills Out Laptop Line** -- Readers share their opinions
of the MacBook laptop, including the eternal question of whether
to buy the new notebook or spend more money for the pro version.
(13 messages)
<http://db.tidbits.com/getbits.acgi?tlkthrd=2998>
<http://emperor.tidbits.com/TidBITS/Talk/829/>
**The War Over Neutrality** -- Responses to Geoff Duncan's article
on the Net Neutrality debate look at the power of content
providers and bandwidth suppliers. (5 messages)
<http://db.tidbits.com/getbits.acgi?tlkthrd=2999>
<http://emperor.tidbits.com/TidBITS/Talk/831/>
**TidBITS and ISIPP** -- The recent closure of anti-spam company
Blue Security brings up the Institute for Spam and Internet
Public Policy. (2 messages)
<http://db.tidbits.com/getbits.acgi?tlkthrd=3000>
<http://emperor.tidbits.com/TidBITS/Talk/832/>
$$
Non-profit, non-commercial publications may reprint articles if
full credit is given. Others please contact us. We don't guarantee
accuracy of articles. Caveat lector. Publication, product, and
company names may be registered trademarks of their companies.
For information: how to subscribe, where to find back issues,
and more, see <http://www.tidbits.com/>. TidBITS ISSN 1090-7017.
Send comments and editorial submissions to: <[EMAIL PROTECTED]>
Back issues available at: <http://www.tidbits.com/tb-issues/>
And: <ftp://ftp.tidbits.com/issues/>
Full text searching available at: <http://www.tidbits.com/search/>
-------------------------------------------------------------------