TidBITS#830/22-May-06
=====================

  Is your iBook on its last legs? Apple completed its notebook line
  last week with the MacBook, a 13-inch widescreen laptop with an
  Intel Core Duo processor. Mark Anbinder and Jeff Carlson bring
  you their hands-on report. Also this week, Apple's lawyers stay
  busy fending off a lawsuit from Creative Technology over iPod
  patents (and countersue in return). Plus, Apple released Final
  Cut Express HD 3.5, speed-bumped the MacBook Pro, and we note
  both the release-candidate status of Parallels Desktop and two
  new Take Control ebooks that explain how fonts work - and don't
  work - in Mac OS X.

Topics:
    MailBITS/22-May-06
    MacBook Fills Out Laptop Line
    Creative Hits Apple With iPod Patent Suit
    Final Cut Express HD 3.5 Goes Universal
    Apple Reminds Us of Trusting, Verifying
    Take Control News/22-May-06
    Hot Topics in TidBITS Talk/22-May-06

<http://www.tidbits.com/tb-issues/TidBITS-830.html>
<ftp://ftp.tidbits.com/issues/2006/TidBITS#830_22-May-06.etx>

Copyright 2006 TidBITS: Reuse governed by Creative Commons license
   <http://www.tidbits.com/terms/> Contact: <[EMAIL PROTECTED]>
   ---------------------------------------------------------------

This issue of TidBITS sponsored in part by:

* READERS LIKE YOU! Support TidBITS with a contribution today! <----- NEW!
   <http://www.tidbits.com/about/support/contributors.html>
   Special thanks this week to Darryl Oliver, Juerg Fehr,
   Kevin Fong, and John Miller for their generous support!

* Make friends and influence people by sponsoring TidBITS! <--------- NEW!
   Put your company and products in front of tens of thousands of
   savvy, committed Macintosh users who actually buy stuff.
   For more information and rates, email <[EMAIL PROTECTED]>.

* SMALL DOG ELECTRONICS: Free Shipping on select <------------------- NEW!
   previous generation and refurbished iPods,
   iPod photos, and iPod minis. Starting at $145.
   Visit: <http://www.smalldog.com/tb> 800-511-MACS

* FETCH SOFTWORKS: With Fetch 5, FTP and SFTP are simpler <---------- NEW!
   than ever. Use it on Mac OS X to upload, download, mirror,
   and manage your Web site, eBay images, and data sets.
   Download your free trial version! <http://fetchsoftworks.com/>

* Web Crossing, Inc: Web Crossing offers integrated collaboration
   tools with a broad spectrum of functionality, but did you know
   adding discussions, blogs, podcasts, chat, polls, and calendars
   is point-click easy? Try a demo! <http://www.webcrossing.com/>

* Yojimbo 1.1 from Bare Bones Software: Your effortless, reliable <-- NEW!
   information organizer for Mac OS X. It will change your life,
   without changing the way you work. Download the demo or buy it
   today! <http://www.barebones.com/products/yojimbo/>

* Circus Ponies NoteBook: Never lose anything again. NoteBook <------ NEW!
   lets you take notes, clip content, and share information. Find
   anything instantly with automatic index pages. One-step Web
   publishing. Free 30-day demo! <http://www.circusponies.com/>
   ---------------------------------------------------------------

MailBITS/22-May-06
------------------

**Apple Speeds Up MacBook Pro Models** -- On the same day that
  Apple released the MacBook (see our coverage in this issue), the
  company shuffled the configurations on the MacBook Pro laptops.
  Both the 15-inch and 17-inch MacBook Pro models offer Intel Core
  Duo 2.0 GHz and 2.16 GHz configurations at the previous prices
  of the 1.83 GHz and 2.0 GHz models (2.16 GHz was previously
  a build-to-order option.) Apple also added a new build-to-order
  change to the MacBook Pro: both models can be configured, at no
  extra charge, with the glossy screen introduced with the MacBook.
  [MHA]

<http://www.apple.com/macbookpro/>


**Parallels Issues Release Candidate of Virtual Machine** --
  Parallels Desktop, a virtual machine environment for Mac OS X
  that runs operating systems that require an Intel processor
  (such as Microsoft Windows XP) has reached the release candidate
  stage, a point where all bugs should be fixed or classified as
  not worth fixing. Thanks no doubt to the high profile it garnered
  following Apple's beta release of Boot Camp, the company said it
  had over 100,000 beta testers. The release candidate is available
  now as a 21.5 MB download. Although we normally don't cover pre-
  release software in TidBITS, it's worth noting that Parallels is
  still offering $10 off the $50 retail price for the product if
  you order before the actual 1.0 version appears.

<http://www.parallels.com/en/download/desktop/>

  Whereas Boot Camp will install only Windows XP Service Pack 2,
  and a generic Intel computer might balk at older operating
  systems or have other limitations, virtual machines such as
  Parallels Desktop can handle almost anything, including IBM OS/2,
  Windows 95, various versions of DOS, and the parade of Linux,
  Unix, and BSD versions. [GF]


**DealBITS Drawing: DoorStop X Security Suite Winners** --
  Congratulations to Bob Dain of mac.com, Charles Kinney of
  earthlink.net, and Steve B of macrepair.com, whose entries
  were chosen randomly in last week's DealBITS drawing and who
  each received a copy of Open Door Networks' DoorStop X Security
  Suite. And since Steve B entered this DealBITS drawing after being
  referred to it by Chris Harnish of mac.com, Chris too will receive
  a copy as a thank you. Even if you didn't win, you can still
  save $20 on the $79 DoorStop X Security Suite through 29-May-06.
  To receive your discount, enter "Tidbits0506" in the Comments
  field of the order form (the third link below). With 1,022
  entrants, this was one of the most popular drawings of late;
  keep an eye out for future DealBITS drawings! [ACE]

<http://db.tidbits.com/getbits.acgi?tbart=08527>
<http://www.opendoor.com/doorstopsuite/>
<http://www.opendoor.com/order.html>


MacBook Fills Out Laptop Line
-----------------------------
  by Mark H. Anbinder and Jeff Carlson <[EMAIL PROTECTED]>

  Since Apple's January introduction of the 15-inch MacBook Pro,
  the unspoken (well, maybe a little spoken) assumption has been
  that a MacBook without the "Pro" was on the way. Apple's
  introduction of the 13-inch MacBook last week fills that void,
  effectively replacing both the iBook and 12-inch PowerBook with
  a capable, affordable, Intel-based laptop - now available in
  white or black.

<http://www.apple.com/macbook/macbook.html>

  Unlike the aluminum skin of recent PowerBook and MacBook Pro
  models, the MacBook comes in a white or black polycarbonate shell;
  the black model is available only on the high end for a $200 price
  premium that gives you black instead of white and a larger hard
  drive (80 GB instead of 60 GB). The case also sports a new
  latchless design, with magnets to hold the laptop firmly closed.

  The MacBook features an Intel Core Duo processor running at
  1.83 GHz or 2.0 GHz, with a 667 MHz bus. It includes a built-in
  iSight video camera, Apple Remote and infrared port, Gigabit
  Ethernet, AirPort Extreme and Bluetooth wireless networking,
  and Apple's innovative "klutz-proof" MagSafe power adapter,
  designed to separate easily from the laptop to avoid accidents.
  The Apple Remote controls not only the included Front Row media
  software, but also presentations in Keynote. (Apple has put
  together an informative chart comparing the various MacBook
  and MacBook Pro configurations.)

<http://store.apple.com/Catalog/US/Images/comparison_chart.html>

  The stock configurations ship with 512 MB of memory, which
  unfortunately is configured as two 256 MB DIMMs. If you install
  more RAM (up to 2 GB), you should buy two modules of the same
  capacity to take advantage of the better performance of paired
  RAM, which means you're stuck with those 256 MB DIMMs (and with
  people buying MacBooks, there may not be much of a market for
  used 256 MB RAM). Upgrading the RAM is fairly simple:
  remove three screws and a bracket in the battery bay, and flip
  two levers that eject the RAM. Macworld's Jason Snell created
  a short video showing just how easy it is.

<http://www.macworld.com/weblogs/macword/2006/05/macbookvideo/>

  An exciting offshoot of this step is that the hard drive is easily
  accessible from the left side of the bay. The iBook and 12-inch
  PowerBook models required an almost complete disassembly to
  replace the hard drive, which made users (like Jeff) reluctant to
  upgrade old machines with more storage. No doubt this change makes
  it easier for Apple technicians to speed up repairs and upgrades.

  The MacBook also comes with a 60W power adapter, which is the
  same physical size as the power brick that shipped with the last
  generation of PowerBooks and iBooks. The MacBook Pro models use a
  physically larger 85W adapter. You can use the MacBook Pro adapter
  to power a MacBook and charge its battery, but not the reverse:
  a MacBook's 60W adapter will power a MacBook Pro, but it won't
  charge the battery.


**Graphics** -- The included Intel GMA 950 graphics processor has
  64 MB of video memory, and shares the MacBook's main memory as
  needed, depending on selected resolution and use of external
  display. This relatively weak graphics capability means you won't
  want to purchase a MacBook for playing high-performance 3D games,
  and limits the capability of running Apple's professional
  applications; for example, Apple confirmed that Aperture's
  performance is acceptable, but that the MacBook is not the
  first choice for running the photo-management program. As with
  previous PowerBook and MacBook Pro models, but not the iBook line,
  the MacBook supports mirroring or an extended desktop on external
  displays.

<http://www.apple.com/aperture/>

  The built-in display's resolution is 1280 by 800, and the
  MacBook's mini-DVI port can support Apple's 20-inch or 23-inch
  Cinema Displays (or other displays up to 1920 by 1200 pixels)
  with the use of a mini-DVI to DVI adapter (available separately
  for $20). The 30-inch Cinema Display is not supported.

  Like the 15-inch MacBook Pro, the new MacBook offers FireWire 400
  but not FireWire 800, and its 4x SuperDrive lacks dual-layer write
  capability. The low-end MacBook includes a Combo drive (DVD-ROM
  and CD-RW) by default; the SuperDrive is optional. All versions
  include two USB 2.0 ports and optical digital and analog audio
  input and output; as with all of Apple's newest computers,
  an external USB modem is optional.


**Gloss: Boss or Loss?** -- The company says the new wide-format
  13.3-inch MacBook display is 79 percent brighter than that of
  the iBook or 12-inch PowerBook, but people are more likely to
  first notice the new glossy screen. Windows laptops have sported
  glossy screens for a few years, but the MacBook is the first
  Apple product to do so (the glossy screen is also now a build-
  to-order option for the MacBook Pro). In a briefing following the
  announcement, Apple said that the new screen improves color and
  image quality (offering blacker blacks, whiter whites, etc.),
  and that the MacBook's display is less reflective than many
  Windows laptops.

  The reflectivity is certainly noticeable, though looking at the
  display head-on reduces the effect, especially when the brightness
  setting is fairly high. We suspect that the glossy screen will
  invoke a love-it-or-hate-it reaction in Mac users; but since the
  screen is the only option for the MacBook, we may have to just
  learn to adapt.


**The Keyboard and Trackpad** -- Another significant change to
  the MacBook's exterior is the keyboard, which looks like an old
  chiclet type found on early PDAs or calculators. The sides of the
  keys drop straight down instead of tapering up from the bottom,
  making it appear as if the keys are spaced further apart, even
  though they're not. However, the key response is slightly firmer
  than the MacBook Pro and doesn't feel odd when touch-typing.
  The keyboard is also recessed into the case, giving the lower
  section of the laptop a flat plane that will hopefully reduce
  or eliminate screen smudges, a common irritant with Apple laptops
  for several generations.

<http://en.wikipedia.org/wiki/Chiclet_keyboard>

  The trackpad is the wide variety found on recent Apple laptops,
  and features two-fingered scrolling. It also adds a new
  capability: click the mouse button with two fingers resting on
  the trackpad, or tap two fingers at the same time, to display
  a contextual menu (the same action as a right-click or Control-
  click); this feature needs to first be enabled in the Keyboard
  and Mouse preference pane. Apple confirmed that this is a software
  feature, not tied to the MacBook's hardware. (Another option is
  to install SideTrack by Raging Menace, which offers more trackpad
  configurability.)

<http://www.ragingmenace.com/software/sidetrack/>

  Apple's new MacBook is available immediately from the Apple
  Store Web site and retail locations and Apple resellers, in
  configurations ranging from $1,050 to $1,500. Build-to-order
  options include up to 2 GB of RAM and hard drives ranging up
  to 120 GB.


Creative Hits Apple With iPod Patent Suit
-----------------------------------------
  by Geoff Duncan <[EMAIL PROTECTED]>

  Creative Labs, the company that has been struggling in the digital
  music player market longer than Apple has been making iPods,
  announced it has filed a patent infringement suit against Apple
  Computer over the interface to its iPod and iPod nano music
  players.

<http://us.creative.com/corporate/pressroom/releases/welcome.asp?pid=12405>

  Creative claims Apple's products infringe on its "Zen" patent
  (U.S. patent 6,928,433), which it applied for in January 2001
  but which was granted only in August of 2005. The patent covers
  the organization and navigation of music tracks on high-capacity
  portable digital music players. Creative claims it implemented and
  demonstrated its interface as early as January 2000; Apple's first
  iPods didn't ship until October 2001.

<http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6,928,433>

  Creative's suit is filed in the U.S. District Court for the
  Northern District of California; the company has also filed a
  complaint with the U.S. International Trade Commission seeking
  an investigation of whether Apple's importing of iPods from Taiwan
  is a violation of the Tariff Act of 1930. Creative is seeking an
  injunction against Apple importing, marketing, or selling its
  current iPod and iPod nano music players: if granted, such an
  injunction would be a major blow to Apple's music business.

  When Creative announced it had been awarded the "Zen" patent,
  industry speculation already had the company seeking license fees
  from Apple Computer; at the time, Creative merely said it was
  examining all options. Patent license income from a product as
  widespread as the iPod would certainly help a company which posted
  a $114 million loss in its most recent fiscal quarter. However,
  Creative's filing would indicate the companies were not able to
  reach an agreement, or Apple thinks Creative's patent lacks merit,
  or that it can keep selling iPods while weathering an undoubtedly
  long and technical patent lawsuit.

  Apple has yet to publicly comment on Creative's suit, but actions
  speak louder than words: on the same day Creative launched its
  legal action, Apple filed suit against Creative in the United
  States District Court for the Western District of Wisconsin,
  alleging infringement on four of Apple's patents, then updating
  its complaint two days later to include a total of seven Apple
  patents. Such tit-for-tat legal maneuvering is common, and often
  the countersuit results in a settlement rather than both suits
  being followed to their ultimate end.


Final Cut Express HD 3.5 Goes Universal
---------------------------------------
  by Jeff Carlson <[EMAIL PROTECTED]>

  Apple released Final Cut Express HD 3.5 last week, an update that
  brings Intel compatibility and a few welcome improvements to the
  company's intermediate video editor. Until recently, the Final
  Cut family wouldn't run at all on Intel-based Macs; Apple released
  Final Cut Studio 5.1 in April, which includes universal versions
  of Final Cut Pro, Soundtrack Pro, DVD Studio Pro, and Motion,
  but Final Cut Express didn't make the jump to Intel.

<http://www.apple.com/finalcutexpress/>
<http://www.apple.com/pr/library/2006/may/18fcexpresshd.html>
<http://db.tidbits.com/getbits.acgi?tbart=08485>

  In addition to Intel compatibility, Final Cut Express HD 3.5 adds
  Dynamic RT, which enables real-time streaming of effects and edits
  that previously would require rendering. Performance is dependent
  upon the capabilities of the hardware you're running, but even
  compatible machines at the lower end of the scale can use it;
  Dynamic RT adjusts the quality of playback on the fly as it
  renders video, so a low-end machine might see degraded image
  quality instead of choppy playback. Also new is more powerful
  keyframing for creating effects and moving objects (such as a
  floating title or picture-in-picture clip, for example) with more
  control; keyframing used to be one of the differentiating features
  between Final Cut Express and Final Cut Pro.

  This new version also includes the updated Soundtrack 1.5 for
  audio production and LiveType 2.1 for creating animated text.
  Soundtrack 1.5 is a big improvement over Soundtrack 1.2.1
  (which comes with Final Cut Express HD 3.0): instead of updating
  the previous version, Apple took Soundtrack Pro and removed
  features to make it more in line with the package's intermediate
  focus. (Final Cut Express itself is basically just Final Cut
  Pro with some of the professional features disabled.) This new
  Soundtrack adds real-time audio effects processing, real-time
  crossfades, and enhanced multi-take recording. LiveType 2.1
  includes 10 GB of type effects, including new vector-based
  Live Fonts which scale well for HD-sized content.

<http://www.apple.com/finalcutexpress/soundtrack.html>
<http://www.apple.com/finalcutexpress/livetype.html>

  Final Cut Express HD 3.5 is available now for $300; owners of
  any previous version can upgrade for $100. (For more on Final Cut
  Express HD, see my review of version 3.0 in Macworld.)

<http://www.macworld.com/2005/06/reviews/finalcutexpresshd/>


Apple Reminds Us of Trusting, Verifying
---------------------------------------
  by Glenn Fleishman <[EMAIL PROTECTED]>

  Apple's security team recently sent email to its security
  announcement list noting that it had updated its PGP public key.
  That sounds like an obscure, even unimportant, announcement, but
  it's worth a look for two reasons. First, it highlights how much
  more seriously Apple takes security now than it did about four
  years ago; second, it's a good occasion to review how you verify
  and use a public key to check the integrity of messages you
  receive from parties that sign them.

<http://lists.apple.com/archives/Security-announce/2006/May/msg00000.html>
<http://lists.apple.com/mailman/listinfo/security-announce>

  Four years ago, Apple got serious about using cryptographic
  signatures to let users validate the material it sends out. The
  prompt was a brief vulnerability report on the BugTraq security
  list noting that Mac OS X's Software Update feature didn't verify
  the integrity or origin of the programs and patches it downloaded,
  which left an opening for someone to substitute their own.

<http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/49.html>
<http://www.cunap.com/~hardingr/projects/osx/exploit.html>

  Apple fixed the problem by adding signature checking, so that
  Software Update confirms a downloaded update actually came from
  Apple before installing it, and shipped that fix about 10 days
  after the report.


**Sharing Secrets without Revealing Them** -- Public key
  encryption is the heart of PGP (Pretty Good Privacy), a system
  that lets two or more parties exchange a strong encryption key
  for a document or message over an untrusted network - which is
  to say the Internet or most local area networks. On an untrusted
  network you can't be sure of the identity of the party you're
  communicating with (they could be an impostor), nor can you tell
  whether someone is eavesdropping on the exchange. That's the
  bargain we accept with any program that moves data over the
  Internet, across a campus network, or between users of a cafe's
  free Wi-Fi network.

<http://en.wikipedia.org/wiki/Pretty_Good_Privacy>

  With PGP, each party to a message creates and maintains two
  encryption keys: one public, one private. These keys are related
  mathematically. The private key must be heavily protected
  and stored on a local hard drive or a removable USB drive;
  by contrast, the public key may and should be shared with anyone.
  Public keys are often published to a keyserver, or a directory of
  keys, and to Web sites, although that's problematic for reasons
  I'll discuss later.

  The algorithms behind public key cryptography make recovering the
  private key from the public one effectively impossible on any
  human time scale, even allowing for current cracking techniques,
  expected advances in processing power and distributed computation,
  and the constant scrutiny, academic and malicious alike, that hunts
  for flaws in these algorithms. Choosing longer keys - say 2048 bits
  rather than 512 - raises an attacker's cost enormously without
  noticeably taxing anyone's computer. (512-bit RSA keys have been
  factored in public efforts since 1999 and should be treated as
  broken.)

  The same algorithms make it impractical to forge a digital
  signature, which is what proves that a message came from the
  holder of the private key matching a given public key.

  PGP's clever bit - now standard practice in all kinds of secure
  protocols - is that it doesn't use slow public key encryption on
  the messages or files themselves. Instead it generates a random,
  strong symmetric key (one where the same key both encrypts and
  decrypts, which a CPU can process far faster), encrypts the data
  with that, and then uses the recipient's public key to protect
  only the symmetric key. The public key step guards the one piece
  that must stay secret. SSL/TLS (Secure Sockets Layer/Transport
  Layer Security), SSH (Secure Shell), IPsec (IP security, often
  used for virtual private networks), and S/MIME (signed and
  encrypted email), among others, use the same approach.

  A related benefit is that the same symmetric key can be encrypted
  separately for each of many recipients of one document. Rather
  than encrypt a 100 MB file 20 times, you send a single 100 MB
  encrypted file with a few hundred extra bytes attached for each
  recipient (one wrapped copy of the key apiece).

  By way of history, PGP was developed in 1991 by Philip Zimmermann,
  who was investigated by the U.S. government for much of the 1990s
  over alleged munitions export violations, thanks to how strong
  cryptography was then classified and how he allowed the program to
  be disseminated. He went commercial with the software, and it
  passed through intermediate owners before ending up at PGP
  Corporation. PGP Corp. offers a free version of PGP Desktop Home 9
  for non-commercial use: download the 30-day trial of the
  full-featured version and let it expire. There's also an
  open-source project called GPG (GNU Privacy Guard) that uses PGP
  principles and conforms to the OpenPGP specification, so the two
  interoperate.

<http://en.wikipedia.org/wiki/Phil_Zimmermann>
<http://www.pgp.com/downloads/desktoptrial.php>
<http://www.gnupg.org/>

  Zimmermann's latest project, by the way, is an encrypted version
  of voice over IP that encrypts and decrypts sound packets from
  standard VoIP software that relies on SIP, or Session Initiation
  Protocol. His Zfone software is even simpler than PGP to use.

<http://www.philzimmermann.com/EN/zfone/>


**Trust but Verify** -- Public key encryption and PGP are
  typically used either to encrypt and/or sign a file you're about
  to send or store, or to decrypt and/or validate a file you've
  received or archived. Encrypting requires that the sender know
  the recipient's public key, obtained directly from them or from a
  directory. The sender uses PGP or GPG to encrypt the message with
  that public key, and the recipient's private key - handled by
  their encryption software - is the only thing that can recover
  the original message or file.

  Signing works the other way around. The sender's PGP software
  first computes a cryptographic hash of the message: a short value
  of fixed length that serves as a fingerprint of the original, a
  bit like a checksum but designed so that the message can't be
  reconstituted from it - much as you can't produce a finger from a
  fingerprint - and so that finding a different message with the
  same fingerprint is computationally infeasible. PGP then uses the
  sender's private key to turn that fingerprint into a signature.
  The recipient recomputes the fingerprint and checks it against
  the signature using the sender's public key; if the message was
  altered in transit, or was signed by someone else, the check
  fails.
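  The two operations described above - a body encrypted once under
  a session key that is then wrapped for each recipient, and a
  message hashed and signed with the sender's private key - as an
  added example. This is not code from the article, from PGP Corp.
  or from GnuPG: it uses the third-party `cryptography` package (an
  assumption about your environment) with RSA-2048, AES-GCM and
  RSA-PSS rather than the OpenPGP packet format, and the names
  alice, bob and mallory and the message text are made up.

```python
"""Editor-added example of PGP-style hybrid encryption and signing,
built on the third-party `cryptography` package (not OpenPGP packets).
Names and message text are constructed for the example."""
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)


def make_keypair():
    """One RSA-2048 key pair; the private half is what must stay secret."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for(recipients, plaintext):
    """recipients: {name: public_key}. The body is encrypted exactly once
    under a random session key; only that 32-byte key is wrapped per
    recipient (256 bytes each for RSA-2048), so extra recipients are cheap."""
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped = {name: pub.encrypt(session_key, OAEP)
               for name, pub in recipients.items()}
    return {"nonce": nonce, "body": body, "keys": wrapped}


def decrypt_as(name, private_key, message):
    """Unwrap our copy of the session key, then decrypt the shared body.
    Raises KeyError if we were not a recipient, and raises from the OAEP
    unwrap if the wrong private key is used."""
    session_key = private_key.decrypt(message["keys"][name], OAEP)
    return AESGCM(session_key).decrypt(message["nonce"], message["body"], None)


def sign(private_key, data):
    """Hash the data with SHA-256 and sign the hash (the 'fingerprint')."""
    return private_key.sign(data, PSS, hashes.SHA256())


def verify(public_key, data, signature):
    """True only if this signature was made over exactly this data by the
    holder of the private key matching public_key."""
    try:
        public_key.verify(signature, data, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def demo():
    alice, bob, mallory = make_keypair(), make_keypair(), make_keypair()
    note = b"Security Update 2006-003 is available. " * 4   # constructed
    msg = encrypt_for({"alice": alice.public_key(),
                       "bob": bob.public_key()}, note)
    sig = sign(alice, note)
    return {
        "alice_reads": decrypt_as("alice", alice, msg) == note,
        "bob_reads": decrypt_as("bob", bob, msg) == note,
        "mallory_is_recipient": "mallory" in msg["keys"],
        "overhead_per_recipient": len(msg["keys"]["bob"]),   # 256 bytes
        "body_overhead": len(msg["body"]) - len(note),        # 16-byte GCM tag
        "sig_ok": verify(alice.public_key(), note, sig),
        "sig_tampered": verify(alice.public_key(), note + b"!", sig),
        "sig_wrong_signer": verify(bob.public_key(), note, sig),
    }


if __name__ == "__main__":
    for item in demo().items():
        print(*item)
```

  With RSA-2048 each extra recipient costs one 256-byte wrapped key,
  which is where the "few hundred extra bytes" come from; a real
  OpenPGP message adds a little packet framing on top. Note that the
  signature check fails both when the data changes by a single byte
  and when the wrong public key is used, which is the property the
  rest of this article relies on.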

  Apple signs messages sent via its security list and also signs
  files offered through Software Update. In the case of the security
  list, checking the signature is up to you: with PGP Desktop Home 9
  or similar software, you can use one of several methods to have
  PGP validate signed messages. (Software Update checks signatures
  itself. You may even notice that Software Update occasionally
  downloads a new PGP key!)

  Apple also publishes a hash so you can check security updates you
  download by hand. If you go to a page like the one for Security
  Update 2006-003 for Mac OS X 10.4.6 Client (PPC), you'll see a
  note at the bottom reading:

   SHA1SecUpd2006-003Ti.dmg=f0dcb0dc51add2b51c297a8f416c4c23da67057c

  That's the SHA-1 hash - the computed fingerprint - of that
  particular disk image. To verify that the disk image you
  downloaded is identical to what Apple packaged, follow the
  instructions on the linked page; they involve Terminal. Bear in
  mind that a published hash is only as trustworthy as the channel
  that delivered it: it catches a corrupted or substituted download,
  but not an attacker who can alter both the file and the Web page
  that lists its hash.

<http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html>
<http://docs.info.apple.com/article.html?artnum=75510>
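  Here is what that check amounts to in code, as an added example.
  It is not Apple's procedure (Apple's instructions use Terminal
  commands) and needs only the Python standard library; the disk
  image it checks is a constructed stand-in file whose hash line was
  computed for that stand-in, and the real line from Apple's page
  above is used only to show the parsing.

```python
"""Editor-added example: verify a download against a published
'SHA1<file>=<hex>' line of the kind Apple prints on its download pages.
Standard library only; the sample file is a constructed stand-in for a
real .dmg, not an Apple image."""
import hashlib
import hmac
import os
import re
import tempfile

# Apple's pages print the hash as SHA1<filename>=<40 hex digits>.
HASH_LINE = re.compile(r"^SHA1(?P<name>\S+?)=(?P<hex>[0-9a-fA-F]{40})$")


def parse_published_hash(line):
    """Return (file name, lowercase hex digest) from a published line."""
    m = HASH_LINE.match(line.strip())
    if not m:
        raise ValueError("not an Apple SHA1 line: %r" % line)
    return m.group("name"), m.group("hex").lower()


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-hundred-MB image never sits in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, published_line):
    """True only if the file's SHA-1 equals the published value."""
    _name, expected = parse_published_hash(published_line)
    # compare_digest is habit rather than necessity here: the published
    # value is public, so there is no secret to leak through timing.
    return hmac.compare_digest(sha1_of_file(path), expected)


def demo():
    """Create a stand-in image, check it, corrupt one byte, check again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "SecUpdExample.dmg")
    with open(image, "wb") as f:
        f.write(b"abc")             # stand-in contents, not a real disk image
    # SHA-1("abc") is the well-known test vector a9993e36...
    line = "SHA1SecUpdExample.dmg=a9993e364706816aba3e25717850c26c9cd0d89d"
    intact = verify_download(image, line)
    with open(image, "r+b") as f:   # flip one byte, as a bad download would
        f.seek(0)
        f.write(b"x")
    tampered = verify_download(image, line)
    return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())                   # {'intact': True, 'tampered': False}
```

  One caveat that postdates this issue: SHA-1 has since been shown
  to be vulnerable to collision attacks (a public collision was
  published in 2017), so a vendor publishing hashes today should use
  SHA-256. Checking your copy of a file against the hash the vendor
  itself computed depends on second-preimage resistance, which SHA-1
  still has in practice, but the fetched hash is still only as good
  as the page it came from.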

  I use Bare Bones Software's Mailsmith 2.1 with PGP Desktop 9,
  enabling PGP to handle my email streams (an extra feature in PGP's
  commercial version). Any incoming signed message is automatically
  processed by PGP, checked against keys I have stored, and
  converted before it reaches Mailsmith so that I can see whether
  a trusted or unknown key signed the message, or whether the
  message can't be validated. The downside, of course, is that
  I now have the unencrypted messages stored on my computer;
  I'd have to re-encrypt them and delete the stored copies to
  achieve the same original security. (PGP Desktop and GPG work
  with other mail programs. PGP Desktop includes several plug-ins
  and scripts, and there's a GPG plug-in for Apple Mail.)

<http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html>

  For instance, PGP inserted this message into the email received
  from Apple on 08-May-06, about their new public key: "PGP Signed
  by an unverified key: 05/08/06 at 15:56:15". This alert indicates
  that while the signing was valid, the key was unknown.

  Within PGP, I can mark a given key as verified, once I'm sure
  that it's really valid. But how can I validate that a public key
  is valid without recourse to the same untrusted network from which
  I received the key? That's the next step.


**Validating a Key** -- For key verification, which I need to
  perform only once per key, I have to find a method other than
  email - otherwise a single interception could compromise both the
  key and the verification of the key. This is where phone calls,
  faxes, and other information come in handy. You can validate
  that someone's public key is really the one that they created
  and distributed by checking its fingerprint with the owner of
  that key. For the best security, you call up the owner or use
  another out-of-band method - something other than the Internet,
  for instance - to get the fingerprint. A secure Web site would
  also work, though it has both advantages and disadvantages I'll
  discuss below.

  In either version of PGP Desktop Home 9, after pasting in a public
  key sent via email or copied from a Web page or after importing
  a key from a public keyserver, you can reveal its fingerprint
  through these steps. First, select the key in the main PGP Desktop
  window. Next, press Command-I or select Show Key Info from the
  contextual menu. The middle of the Info dialog box shows the
  fingerprint.

  If you and the other party use PGP 8 or later, you can use the
  hilarious Biometric tab, which turns the fingerprint into a list
  of words: each byte value from 0 to 255 maps to a word (PGP
  actually uses two word lists, one for even positions and one for
  odd, so that a skipped or repeated byte stands out). That's much
  easier to read over the phone. For other versions of PGP or GPG,
  you'll need to click the Hexadecimal tab and read out the sequence
  of four-digit hexadecimal groups. If the numbers don't match, the
  public key you have isn't the one published or sent by the party
  you're talking to. Time to review your security, if that's the
  case.

  If the fingerprints match, which they always have for me over
  a decade of using PGP, you've accomplished your out-of-band step
  and have a secure PGP key that can be used in the future.
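  To make concrete what the fingerprint you read over the phone
  actually is, here is an added example (written for this page, not
  code from PGP Corp. or GnuPG) that computes the OpenPGP version 4
  fingerprint of an ASCII-armored public key with only the Python
  standard library and prints it in the four-digit groups shown on
  PGP's Hexadecimal tab. It assumes the RFC 4880 packet format; the
  sample key it builds is a synthetic packet with a made-up modulus,
  not a real key, so its fingerprint is meaningful only for
  exercising the code.

```python
"""OpenPGP v4 key fingerprint from an ASCII-armored key (RFC 4880).
Editor-added example; the sample key below is synthetic, not real."""
import base64
import hashlib
import hmac
import struct

PUBLIC_KEY_PACKET = 6

def dearmor(text):
    """Return the binary packets inside a PGP PUBLIC KEY BLOCK armor."""
    lines = iter(text.splitlines())
    if not any(l.startswith("-----BEGIN PGP") for l in lines):
        raise ValueError("no armor header line")
    for line in lines:                 # armor headers end at a blank line
        if not line.strip():
            break
    b64 = []
    for line in lines:                 # "=XXXX" is the armor CRC, skipped
        if line.startswith("=") or line.startswith("-----END"):
            break
        b64.append(line.strip())
    return base64.b64decode("".join(b64))

def packets(data):
    """Yield (tag, body) per packet; old- and new-format headers,
    but not partial or indeterminate body lengths."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % (i - 1))
        if ctb & 0x40:                                   # new format
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype                               # 1, 2 or 4 octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def fingerprint(armored):
    """SHA-1 over 0x99, the two-octet body length and the public key
    packet body (RFC 4880 section 12.2), as 40 upper-case hex digits."""
    for tag, body in packets(dearmor(armored)):
        if tag == PUBLIC_KEY_PACKET:
            if body[0] != 4:
                raise ValueError("only version 4 keys are handled")
            prefix = b"\x99" + struct.pack(">H", len(body))
            return hashlib.sha1(prefix + body).hexdigest().upper()
    raise ValueError("no public key packet found")

def pgp_style(fp):
    """Format as PGP's Hexadecimal tab does: groups of four, two halves."""
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

def matches(fp, spoken):
    """Compare to a fingerprint read over the phone, ignoring case/spacing."""
    norm = lambda s: "".join(s.split()).upper()
    return hmac.compare_digest(norm(fp), norm(spoken))

def build_sample_key():
    """Synthetic v4 RSA public key packet, armored. The modulus is a made-up
    number, so this is not a usable key; it only exercises the parser."""
    def mpi(x):                                          # multi-precision int
        return struct.pack(">H", x.bit_length()) + x.to_bytes(
            (x.bit_length() + 7) // 8, "big")
    n, e = (1 << 1023) | 0x10001, 65537
    body = b"\x04" + struct.pack(">I", 1147100000) + b"\x01" + mpi(n) + mpi(e)
    # 0x99 is the old-format header for tag 6 with a two-octet length, which
    # is exactly why the fingerprint input starts with 0x99.
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: synthetic example\n\n"
            + lines + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def demo():
    key = build_sample_key()
    fp = fingerprint(key)
    wrong = fp[:-1] + ("0" if fp[-1] != "0" else "1")  # one digit off
    return {"fingerprint": fp, "display": pgp_style(fp),
            # the dearmored packet is 0x99 + length + body, so hashing it
            # directly must agree with fingerprint()
            "cross_check": fp == hashlib.sha1(dearmor(key)).hexdigest().upper(),
            "phone_ok": matches(fp, pgp_style(fp).lower()),
            "phone_bad": matches(fp, wrong)}

if __name__ == "__main__":
    print(demo())
```

  The point to take away is that the fingerprint is nothing more
  than a hash of the key material itself, so if the digits the owner
  reads to you match what your software computed from the key you
  imported, you hold the same key they created, whatever path it
  took to reach you. A single wrong digit means a different key.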

  You might ask: If Web servers use SSL/TLS to secure connections,
  and SSL/TLS uses public keys much as PGP does, how do they handle
  this external verification? The answer is a certificate authority
  (CA), a third party that vouches, to some degree, for the identity
  expressed in an SSL/TLS certificate. Each certificate contains the
  server's public key and is signed by the CA. How does my Web
  browser then come to trust the CA? Browsers (and, for other
  purposes, operating systems) ship with the certificates of the
  CAs - dozens of them - embedded in the browser or operating
  system. You trust your operating system vendor or browser
  developer to pick trustworthy CAs, and then the CAs to correctly
  identify the organizations whose certificates they have signed.

  (If you need to use digital certificates for private purposes
  or within a company, and don't want to pay a yearly fee for a
  CA-issued certificate, you can create your own. These self-signed
  certificates put you in the role of CA by creating a special
  certificate that's separately installed on any computer with which
  you'd interact. Mac OS X has great tools for examining self-signed
  certificates when presented via a Web browser or as part of a
  kind of Wi-Fi network login called WPA Enterprise that also uses
  certificates. You can choose to trust a self-signed certificate
  once or always, along with other parameters. Apple includes
  tools for generating your own certificate and self-signing
  within Keychain Access. Choose Certificate Assistant from
  the Keychain Access application menu.)


**Why Is Apple Updating Its PGP Key?** -- That brings us to the
  issue I started with: Apple has updated its public PGP key for
  security messages - both messages it sends out on the list and
  messages you want to send to it. Why? When you create a
  public/private key pair, you set how long the keys remain valid.
  An expiration date is one way to limit the damage from a private
  key that slips into the wrong hands. (Keys can also be revoked,
  but revocation only works if the revocation certificate reaches
  everyone who holds a copy of the key, which can't be guaranteed;
  it's too involved to cover here.) Apple expires many of its public
  keys as a routine part of key hygiene.

  Now, the one mistake Apple made in distributing its new key is
  that while it provided full information with the key, including
  the fingerprint, it provided no external validation method. The
  link included in the email is a plain HTTP URL. Because HTTP
  transactions travel in the clear, an attacker on a shared network
  - say at a university or corporation - could modify both the email
  and the Apple Web page as they arrive at your computer, using any
  of several well-known local area network attacks such as ARP or
  DNS spoofing. You might then see a different fingerprint and
  public key on the page served to your computer than Apple has on
  its own.

  Sure, this is extremely unlikely, but when you're working with a
  key that will last a year and a process that's designed to provide
  commercial-grade security for tens of millions of people, well,
  it's an oversight.

  I did discover that Apple's SSL/TLS Web servers will let you
  request the same page through a secure transaction. If you enter
  "https" instead of "http" for the page containing their public
  key and fingerprint, your browser checks the server's certificate
  against its built-in list of certificate authorities, so what you
  see is what Apple's server sent rather than what someone on the
  path inserted. (A compromised CA list inside your browser is an
  unthinkably low probability unless that list were tampered with
  for millions of people or as part of a common exploit.)

  When you load the page via SSL/TLS, you may receive one warning
  for a Web bug (tracking image) on the page that you can safely
  ignore; some colleagues didn't see that warning at all.

<https://www.apple.com/support/security/pgp/>
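  The two points above, a key that expires on a schedule ("Why Is
  Apple Updating Its PGP Key?") and checking a fingerprint against a
  value obtained outside the Web page, in GnuPG commands. This is an
  added example, not Apple's procedure and not from the article; the
  user ID is made up, --quick-gen-key assumes GnuPG 2.1 or later, and
  the "swapped" fingerprint is constructed for the demo:

```shell
#!/bin/sh
# Added example, not Apple's procedure: create a PGP key that expires in
# a year inside a throwaway keyring, read its expiry back, and check its
# fingerprint against one obtained out of band. The user ID is made up;
# --quick-gen-key assumes GnuPG 2.1 or later.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
trap 'rm -rf "$GNUPGHOME"' EXIT

# 1. Generate a signing key whose validity ends one year after creation.
gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
    --quick-gen-key 'Security Announce (demo) <security-demo@example.test>' \
    ed25519 sign 1y 2>/dev/null

# 2. In the colon-separated listing, field 6 of the "pub" record is the
#    creation time and field 7 the expiry, both as epoch seconds.
key_lifetime_days() {
    gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "pub" { print int(($7 - $6) / 86400); exit }'
}

# 3. The fingerprint is a hash of the key material, so a substituted key
#    cannot carry the genuine one.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 4. Compare the fingerprint you received with the one from the
#    out-of-band channel, ignoring grouping spaces and letter case.
normalize() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }
fingerprint_matches() {
    if [ "$(normalize "$1")" = "$(normalize "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

GENUINE="$(key_fingerprint)"
# Constructed stand-in for a key an on-path attacker swapped in: every
# hex digit shifted by one, so it differs from the genuine value.
SWAPPED="$(printf '%s' "$GENUINE" | tr '0123456789ABCDEF' '123456789ABCDEF0')"

echo "key lifetime: $(key_lifetime_days) days"
echo "genuine fingerprint matches: $(fingerprint_matches "$GENUINE" "$GENUINE")"
echo "swapped fingerprint matches: $(fingerprint_matches "$GENUINE" "$SWAPPED")"
```

  The comparison only means something when the second value comes
  from a separate channel you already trust; fetching the key and its
  fingerprint from the same page, however securely, proves only that
  the page was not altered in transit.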

  For most people, any step beyond viewing a plain, non-encrypted
  Web page at Apple is certainly unnecessary, but it's good to
  review the chain of trust. For those who favor the most stringent
  methods of external confirmation, Apple is just a mark or two
  below that. It's much more likely that any exploit would be
  an inside job - which has happened at some firms, but is an
  unlikely event - than from the outside.

  I do have one rather off-beat suggestion. Provide an automated
  fingerprint reader by phone. Offer a telephone number that's
  clearly within Apple's known phone range and have a voice that
  says, "Here is Apple's PGP security key fingerprint for the
  key expiring May 1, 2007," followed by the string of hexadecimal
  digits.

  They could even use Talking Moose, for old times' sake.


Take Control News/22-May-06
---------------------------
  by Adam C. Engst <[EMAIL PROTECTED]>

**Ultimate Guide to Fonts in Mac OS X Now Available** -- Wrangling
  fonts in Mac OS X can be difficult. What with six different types
  of fonts - some of which can contain thousands of characters -
  and more than six possible locations for font storage, it's tough
  to stay organized and work efficiently, and it's maddening when
  something goes wrong with your fonts and eats an entire afternoon.

  We know all about how hard it can be, both from hair-pulling
  experience and because we've now spent over nine months writing,
  testing, and polishing a pair of ebooks about how to take control
  of fonts in Mac OS X. Both ebooks were written by Sharon Zardetto
  Aker, a veteran Macintosh author best known for her work in the
  early years of Macworld and MacUser, and on "The Macintosh Bible."
  Her first ebook, the 255-page "Take Control of Fonts in Mac OS X,"
  helps you organize existing fonts, install new ones successfully,
  and use fonts like a pro (or more to the point, like a pro who
  knows fonts inside and out!), and it comes with over $80 worth
  of coupons for discounts on font-related products. Sharon's
  second ebook, the 120-page "Take Control of Font Problems in
  Mac OS X" helps you troubleshoot general font issues and solve
  specific problems with ease.

<http://www.takecontrolbooks.com/fonts-macosx.html?14@@!pt=
TRK-0036-TB830-TCNEWS>
<http://www.takecontrolbooks.com/font-problems-macosx.html?14@@!pt=
TRK-0037-TB830-TCNEWS>

  "Take Control of Fonts in Mac OS X" starts with a look at where
  fonts are stored, why they are there, and how you can organize
  them to achieve harmony and useful Font menus. Special attention
  is paid to legacy fonts from Mac OS 9, fonts installed by Adobe
  and Microsoft applications, and fonts from iWork and iLife.
  Once that's under control, you'll learn where to find cheap
  new fonts and the ins and outs of a variety of font installation
  methods. Then Sharon turns her attention to using the fonts:
  how to find them in menus, type on a foreign language keyboard,
  and take advantage of the wealth of cool special characters hidden
  in modern Unicode fonts. She wraps things up with font-related
  advice for sharing documents with others, particularly people
  using Windows applications.

  "Take Control of Font Problems in Mac OS X" begins with a look at
  the different types of fonts you may find on your Mac and where
  they are stored, gives you advice on preventative measures and
  a roundup of useful problem-solving tools, and gets you going
  by teaching you how to perform basic troubleshooting measures.
  Once that's out of the way, the ebook presents you with a table
  that helps you determine if you have a specific sort of problem
  or a general one. You'll find lots of solutions to specific
  problems, as well as a colorful flowchart that gives a visual
  overview of how to proceed with troubleshooting a general problem
  (you can also download the flowchart as a stand-alone flier;
  feel free to share it with friends). The flowchart links to
  specific instructions for carrying out each troubleshooting
  step. If you have a font problem, know people who have font
  problems, or want to be sure you'll be on top of things if a
  problem crops up, this ebook is for you. We expect that most
  people will want both ebooks, but if you plan to pick up only
  this one, note that it assumes you understand the basics of
  managing fonts and working in Font Book.

<http://www.takecontrolbooks.com/resources/0037/
TakeControlOfFontProblemsFlier.pdf>

  The ebooks are available separately for $20 and $10 respectively,
  or you can save $5 by buying them bundled together. We realize
  they're a bit more expensive than our other titles, but we feel
  the price is warranted given their technical depth and size
  (over 350 pages combined!) and the vast amount of work that went
  into them, and the coupons could easily be worth more than the
  purchase price. More to the point, this isn't a trend - the sheer
  amount of content we had required proportionally more effort than
  anticipated and caused troubles with our technology that don't
  occur with our shorter books, so our next few ebooks will return
  to the normal size and price range.


Hot Topics in TidBITS Talk/22-May-06
------------------------------------
  by TidBITS Staff <[EMAIL PROTECTED]>

  The first link for each thread description points to the
  traditional TidBITS Talk interface; the second link points to
  the same discussion on our Web Crossing server, which provides
  a different look and which may be faster.


**Garmin StreetPilot 2720** -- Adam's review of this GPS device
  prompts readers to share their own experiences with similar
  devices, plus news that Garmin is working on a Mac version
  of their software. (12 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2997>
<http://emperor.tidbits.com/TidBITS/Talk/828/>

**MacBook Fills Out Laptop Line** -- Readers share their opinions
  of the MacBook laptop, including the eternal question of whether
  to buy the new notebook or spend more money for the pro version.
  (13 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2998>
<http://emperor.tidbits.com/TidBITS/Talk/829/>

**The War Over Neutrality** -- Responses to Geoff Duncan's article
  on the Net Neutrality debate look at the power of content
  providers and bandwidth suppliers. (5 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2999>
<http://emperor.tidbits.com/TidBITS/Talk/831/>

**TidBITS and ISIPP** -- The recent closure of anti-spam company
  Blue Security brings up the Institute for Spam and Internet
  Public Policy. (2 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=3000>
<http://emperor.tidbits.com/TidBITS/Talk/832/>



$$

 Non-profit, non-commercial publications may reprint articles if
 full credit is given. Others please contact us. We don't guarantee
 accuracy of articles. Caveat lector. Publication, product, and
 company names may be registered trademarks of their companies.

 For information: how to subscribe, where to find back issues,
 and more, see <http://www.tidbits.com/>. TidBITS ISSN 1090-7017.
 Send comments and editorial submissions to: <[EMAIL PROTECTED]>
 Back issues available at: <http://www.tidbits.com/tb-issues/>
 And: <ftp://ftp.tidbits.com/issues/>
 Full text searching available at: <http://www.tidbits.com/search/>
 -------------------------------------------------------------------



