TidBITS#853/30-Oct-06
=====================
  Issue link: <http://db.tidbits.com/issue/853>

  Most of the news this week revolves around Apple's portable Macs, as
  the company releases new Core 2 Duo-powered MacBook Pros and a
  firmware update for the MacBook that fixes sudden shutdowns. Plus,
  Glenn Fleishman looks at a new Bluetooth-related security exploit
  that's likely to affect only laptop users (if anyone at all). Also
  with an eye toward helping you improve your security, Joe Kissell
  contributes a look at the humble but essential login password; this
  is an excerpt from his just-released ebook, "Take Control of
  Passwords in Mac OS X." In other news, Adobe releases a beta audio
  tool called Soundbooth, we announce a new sponsor, .Mac's webmail
  interface receives a major makeover, and we release the second and
  third editions, respectively, of "Take Control of Buying a Mac" and
  "Take Control of Buying a Digital Camera."

Articles
    Apple Issues Fix for MacBook Shutdowns
    MacBook Pro Gets Core 2 Duo, FireWire 800
    Adobe Releases Soundbooth Beta
    Microsoft Sponsoring TidBITS
    .Mac Webmail Gets a Makeover
    Understanding Mac OS X's Login Passwords
    Unpatched Macs Face Bluetooth Root Exploit
    Take Control News/30-Oct-06
    Hot Topics in TidBITS Talk/30-Oct-06




Apple Issues Fix for MacBook Shutdowns
--------------------------------------
  by Jeff Carlson
  article link: <http://db.tidbits.com/article/8723>

  No product is ever perfect, even Apple's wildly successful MacBook
  line. A number of vocal MacBook owners have been experiencing
  annoying random shutdowns, and fortunately, according to Apple, a
  fix is finally at hand. MacBook SMC Firmware Update 1.1 promises to
  fix the problem by adjusting the MacBook's internal monitoring
  system. Apple recommends the 417K download for all owners of
  MacBooks, even those units that have already gone through a repair
  process. You need to be running at least Mac OS X 10.4.7. And
  because this is a firmware update, remember to back up your data
  beforehand in case something goes wrong.

<http://www.apple.com/macbook/>
<http://www.apple.com/support/downloads/macbooksmcfirmwareupdate11.html>


MacBook Pro Gets Core 2 Duo, FireWire 800
-----------------------------------------
  by Mark H. Anbinder
  article link: <http://db.tidbits.com/article/8724>

  Apple upgraded its entire MacBook Pro line of professional laptops
  last week, incorporating Intel's new Core 2 Duo processor instead of
  the Core Duo processor introduced early this year (see "Intel-Based
  iMac and MacBook Pro Ship Earlier than Expected," 16-Jan-06). The
  company says its latest 15-inch and 17-inch laptops are up to 39
  percent faster than the previous models.

<http://www.apple.com/macbookpro/>
<http://db.tidbits.com/article/8392>

  At the same time, Apple has doubled the memory and increased the
  storage capacity of the basic MacBook Pro configurations. Starting
  at $2,000, Apple's stock models offer 1 or 2 GB of RAM, and a 120 GB
  or 160 GB Serial ATA hard drive. The machines can be custom
  configured with up to 3 GB of RAM and a 200 GB hard drive. New to
  the 15-inch MacBook Pro is a FireWire 800 port, previously available
  only with a third-party FireWire 800 ExpressCard (see "FireWire 800
  ExpressCard for MacBook Pro," 08-May-06). (Late-model PowerBook G4s
  and the 17-inch MacBook Pro offered FireWire 800.)

<http://db.tidbits.com/article/8516>

  The company says Intel's Core 2 Duo processor, with 4 MB of shared
  L2 cache, offers increased performance in such professional
  applications as Aperture 1.5 and Final Cut Pro 5.1, both released
  earlier this month. (We're left wondering what Intel calls this chip
  in non-English-speaking markets, and whether the next revision will
  be the Intel Core 2 Duo Squared.)

<http://www.apple.com/aperture/>
<http://www.apple.com/finalcutstudio/finalcutpro/>

  The new 15-inch MacBook Pro is available now, and Apple says the
  17-inch model will ship this week. The company also announced a new
  $60 Apple MagSafe Airline Adaptor, something sorely lacking to date.
  If you're a frequent flier and your preferred airline offers EmPower
  and 20mm power ports, you can operate your MacBook or MacBook Pro in
  flight (though it won't charge the battery).

<http://store.apple.com/1-800-MY-APPLE/WebObjects/AppleStore?productLearnMore=MA598Z/A>


Adobe Releases Soundbooth Beta
------------------------------
  by Jeff Carlson
  article link: <http://db.tidbits.com/article/8725>

  Adobe has been burning the development oil lately. After garnering
  attention with its Photoshop Lightroom beta, last week it released a
  public beta of Adobe Soundbooth, an apparent competitor to Apple's
  Soundtrack Pro that is "focused on creative professionals without
  audio expertise, or those who prefer an application focused on
  making short work of the most common tasks they handle every day.
  The tools in Soundbooth remove the mystery from editing while
  preserving superb sound quality."

<http://labs.adobe.com/technologies/lightroom/>
<http://labs.adobe.com/technologies/soundbooth/>
<http://www.apple.com/finalcutstudio/soundtrackpro/>

  Due to licensing issues, the application doesn't yet support MP3,
  MPEG-2, H.264, and FLV formats. Interestingly, Soundbooth works only
  on Intel-based Macs (and on PCs running Windows XP). The beta, a 59
  MB download, expires in February 2007, and Adobe says that the final
  release version will appear sometime in mid-2007.


Microsoft Sponsoring TidBITS
----------------------------
  by Adam C. Engst
  article link: <http://db.tidbits.com/article/8726>

  Halloween, at least in the United States, is upon us, and we're
  pleased to welcome, along with the usual bunch of trick-or-treating
  kids, our latest long-term sponsor, Microsoft's Macintosh Business
  Unit, more commonly known as MacBU and pronounced, at least for
  Halloween, as MacBOO! (Sorry, couldn't resist.)

<http://www.microsoft.com/mac/>

  Microsoft has sponsored TidBITS at various times over our 16-year
  history, but I hadn't known the current folks in the MacBU before
  the conversations that led to this sponsorship, conversations that
  started in response to their desire to make the MacBU a more active
  member of the Macintosh community. I was happy to discover that they
  were both clued into the Mac world in general and fully aware of how
  Microsoft as a company is often viewed, which is why they've been
  working on outreach efforts like more user group presentations,
  starting and maintaining a blog, and supporting publications like
  TidBITS. I expect they'll also be gathering feedback in a variety of
  ways as they work on the next version of the Microsoft Office
  applications. (Not surprisingly, I'm lobbying for collaboration
  features that will simplify sharing files while tracking changes
  across versions and enabling commentary.)

<http://blogs.msdn.com/macmojo/>
<http://www.microsoft.com/mac/products/office2004/office2004.aspx>

  In the spirit of the season, the MacBU folks wanted to offer a treat
  for TidBITS readers to launch the sponsorship. Unfortunately, with
  two members of their team out on maternity leave, they couldn't find
  the time to create what I suggested - a batch of MacBOO! t-shirts
  with a bunch of ghostly Office icons floating around. Instead,
  they're giving away five copies of Microsoft Office 2004, which list
  for $399. If you'd like a copy, we're using our DealBITS system to
  pick the five winners - just enter as you would any other DealBITS
  drawing. As usual, all entries are covered under our privacy policy.

<http://www.tidbits.com/dealbits/microsoft/>
<http://www.tidbits.com/about/privacy.html>

  In the end, it's good to see the MacBU making efforts like this,
  since one way or another, Microsoft remains one of the most
  important software vendors for professional Macintosh users, and
  everyone stands to benefit if they become all the more invested in
  the world of the Macintosh.


.Mac Webmail Gets a Makeover
----------------------------
  by Joe Kissell
  article link: <http://db.tidbits.com/article/8727>

  Last week Apple rolled out a major overhaul to the email portion of
  the .Mac Web site. With the changes, the .Mac webmail interface
  looks and acts strikingly similar to Apple's Mail application. In a
  dramatic departure from its previous design, .Mac webmail now uses
  Tiger Mail-style buttons and icons, supports drag-and-drop for
  moving messages, offers tighter Address Book integration, supports
  keyboard shortcuts, and features a three-pane interface - with
  mailboxes on the left, a message list at the top, and a preview pane
  at the bottom.

<http://www.mac.com/>

  The new design is a fine example of Ajax, or Asynchronous JavaScript
  and XML, a programming technique that enables Web sites to display
  dynamic data and interact with user input without requiring pages to
  reload after each change. Part of the way sites accomplish this
  magic is by predicting which information a user is most likely to
  need and transferring that data in the background, before the user
  explicitly asks for it. As a result, most actions you perform, such
  as checking for new messages or switching mailboxes, can be
  accomplished without refreshing the entire page.

<http://en.wikipedia.org/wiki/Ajax_%28programming%29>

  Among the nice touches are a Quick Reply button, to enable users to
  reply to a message without opening a separate window; an Action menu
  with commands for actions such as Delete, Move to Folder, Reply, and
  Mark as Read/Unread; and expanded preferences (you can turn off the
  preview pane, for example, control the appearance of mailbox icons,
  turn off the display of images in HTML messages, and even opt for
  Unicode [UTF-8] encoding for outgoing messages). Assuming you've
  synchronized your Mac OS X Address Book with .Mac, you can begin
  typing a contact's name or email address in a message's To, Cc, or
  Bcc field and use an auto-complete feature to fill in the rest (or
  choose among a list of partial matches). And, if you change a
  message's Flagged indicator in the webmail interface, the change
  shows up in Mail too (and vice versa).

  For all the spiffy goodness of the new Ajax interface, though, a few
  features are less useful than they could be. First, .Mac webmail
  offers a search field that looks just like Mail's Spotlight search
  field. Unfortunately, unlike in Mail, .Mac webmail can search only
  From, To, Cc, and Subject headers - but not other headers or the
  content of messages. And searches work only within the selected
  mailbox.

  Also missing from the toolbar is the Junk button, which in Mail can
  not only move a message to the Junk mailbox but also add a Junk flag
  and update Mail's junk mail filter with information about that
  message. Unlike Mail, .Mac webmail does not have a learning spam
  filter. You can manually drag a spam message to the Junk folder, but
  doing so does not set its Junk flag (as that's something Mail tracks
  locally, not a message attribute that's changed on the server) and
  does not make .Mac webmail more likely to discard similar messages
  in the future. There's no way to use .Mac webmail to help train
  Mail's spam filter, and no way to affect the way the .Mac mail
  servers themselves filter out spam.

  Finally, the .Mac webmail interface offers no filtering rules, which
  I find indispensable in Mail (explained in detail in my "Take
  Control of Apple Mail in Tiger" ebook). You can, as before, set up
  an automatic reply to all messages (as you might use when on
  vacation, for instance) or forward your mail to another account. But
  you can't tell .Mac webmail to transfer all messages matching
  certain criteria to a specific mailbox, send message-specific
  replies, or perform any of the many other useful tasks offered by
  rules. (I'll be covering all these changes in more depth in a future
  update to my "Take Control of .Mac" ebook.)

<http://www.takecontrolbooks.com/tiger-apple-mail.html?14@@!pt=TB853>
<http://www.takecontrolbooks.com/dot-mac.html?14@@!pt=TB853>

  While the new and improved .Mac webmail is unmistakably prettier and
  easier to use than before, it remains much less capable than Mail
  (or indeed virtually any desktop email client), and is still less
  than ideal for regular use unless the quantity of email you send and
  receive through .Mac is quite small.


Understanding Mac OS X's Login Passwords
----------------------------------------
  by Joe Kissell
  article link: <http://db.tidbits.com/article/8728>

  One of the most striking things I noticed when switching from Mac OS
  9 to Mac OS X years ago was how frequently the operating system asks
  me for a password. I've gotten used to this by now, but it's taken
  me a while to understand what all the different passwords are for,
  how they work, and how I should select them. Not counting the
  hundreds of passwords I have for Web sites, I must keep track of
  login passwords for each of my user accounts, a firmware password, a
  master password, a root password, and passwords for file sharing,
  wireless networks, and my keychains. Even a propellerhead like
  myself can often find that array of passwords confusing.

  In this brief excerpt from my new ebook, "Take Control of Passwords
  in Mac OS X," I look at just one of these password types: the login
  password. For many of us, it's the password we're asked to supply
  most frequently, and it's one cause of significant confusion and
  grief among Mac users.

<http://www.takecontrolbooks.com/passwords-macosx.html?14@@!pt=TB853>


**User Accounts** -- Every computer running Mac OS X has at least one
  user account - a means of identifying the person using the computer
  at any given time. Using the Accounts preference pane, you can set
  up additional users on your computer if you wish. Each user gets a
  separate virtual (and private) space in which to work; this includes
  access to the user's own preferences, documents, and Finder
  settings. The password associated with a user account is called the
  "login password." It's what you use to log in, thus gaining access
  to your personal space, but it has other uses too (as I explain a
  bit later).

  When you set up a new Mac or install Mac OS X for the first time,
  you're asked to enter your real name, a user name (typically shorter
  than your real name; all lowercase and without spaces), and a
  password. In so doing, you set up a user account for yourself with
  administrator privileges - meaning that you have the authority to
  add and delete other user accounts, make changes anywhere on your
  disk, and install and run any application. Every Mac has one or more
  administrator accounts. The login password for such an account is
  also known as an "administrator password." Mac OS X asks you for an
  administrator password when you take certain actions that can have
  far-reaching consequences - for example, installing or using
  software that makes changes to the /Applications, /Library, or
  /System folder.


**Choose and Set a Login Password** -- Your login password not only
  identifies you but also protects a variety of resources (such as
  your personal files), so it's clearly a security password. (I
  describe "security" passwords, as distinguished from "identity"
  passwords that serve merely to identify you, in full detail in the
  ebook.) This implies it should be at least 10 or 11 characters long
  and should follow the rules for secure passwords - using a
  combination of numbers and capital and lowercase letters, avoiding
  words in the dictionary, and so on. However, if you use a different
  password for your keychain, you can get away with a less secure
  login password - and you may wish to do this, because you'll be
  entering it often and because administrator passwords can be
  circumvented so easily (see "Reset an Administrator Password,"
  ahead).

  To change your login password, go to the Accounts preference pane,
  click the lock icon at the lower left to "authenticate" (to identify
  yourself with a user name and password), and select your name in the
  list on the left. Click Change Password, fill in the appropriate
  fields, and click Change Password again.


**Use Your Login Password** -- You enter your login password when you
  log in to your Mac OS X account (which may happen automatically when
  you turn on your computer); this gives you access to all your
  personal files and settings until you log out or turn off your
  computer.

  Entering an administrator password at login doesn't unlock every
  protected resource for the entire time you're logged in, as you
  might expect. You must, in general, enter it again every time you do
  something that makes changes outside your home folder
  (/Users/your-user-name). Note that if you're currently logged in as
  a non-administrator and you're asked to supply an administrator
  password, you must also enter the administrator's real name or user
  name in the Name field.

  The default settings for when your login password is required are
  not very secure. For example, if you walk away from your computer
  for a few minutes, someone else could sit down and access any of
  your files. If you live alone in a house in the country, that's
  hardly a concern; however, if you do most of your work on your
  laptop in crowded city cafes, you probably want as much extra
  security as you can get. So, given the environment in which you use
  your computer, you should consider whether additional security is
  advisable.

  Each of the following options that you change from the default will
  result in your being asked to enter your password more frequently,
  but with a corresponding increase in security:

* Sleep and screen saver: Normally, your login access remains active
  when your computer's screen saver activates or when the computer
  goes to sleep; waking up the computer puts you right back where you
  were before. However, you can require entry of your login password
  when the computer wakes from sleep or when the screen saver
  deactivates, to make your data safer if you're away from your
  computer for a while. To require a password in both situations, go
  to the Security preference pane and check Require Password to Wake
  This Computer from Sleep or Screen Saver. If you use your computer
  only in a setting where you need not worry about someone else
  walking up to it and accessing your accounts, leave this disabled;
  in other situations, I recommend enabling it.

* Keychain password: By default, your login password is also used as
  your keychain password, which means your keychain is unlocked
  automatically when you log in. To prevent this, you can change the
  keychain's password. Because the keychain password is particularly
  valuable, I recommend that all users change it to be different from
  their login password. To accomplish this, launch the Keychain Access
  utility, select the keychain, and choose Edit > Change Password for
  Keychain "keychain-name".

  Note that the remaining options apply to all users on the computer,
  not just your own account.

* Automatic login: By default, Mac OS X logs you in automatically when
  you turn on or restart your computer. If your computer is in a
  secure place where no one but you can access it, that's probably
  fine; otherwise, it's wise to disable automatic login (so that the
  login window appears every time the computer starts up). You can do
  this in the Accounts preference pane: click the lock and
  authenticate with an administrator password; then click Login
  Options and uncheck Automatically Log In As. Or, in the Security
  preference pane, simply check the Disable Automatic Login checkbox.
  In general, laptops should always have automatic login disabled; for
  other computers, the choice depends on whether anyone you don't
  completely trust has physical access to your computer.

* Automatic logout: When your computer goes to sleep or the screen
  saver activates, you're still logged in, and any applications or
  documents you had open remain so (even if a password is required
  when the computer or display wakes up); this can potentially
  increase your vulnerability to certain kinds of network-based
  attacks. To take security one step further, you can have Mac OS X
  log you out automatically after a period of inactivity; all programs
  running under your user account will quit. To activate this feature,
  go to the Security preference pane and check the Log Out After __
  Minutes of Inactivity checkbox. Enter the desired number of minutes
  before automatic logout in the field provided. For most users,
  enabling this setting is unnecessary, but it may be useful for
  computers kept in highly public places.

* Secure system preferences: Several preference panes contain settings
  that affect all users' accounts and potentially have security
  implications for all users. To make it harder for an unauthorized
  user to modify these settings, you can require that an administrator
  password be used to unlock each pane individually. (The default
  setting is that unlocking one pane unlocks them all.) This setting
  is useful primarily for computers shared by many people, such as in
  schools and libraries. To activate this feature, go to the Security
  preference pane and check Require Password to Unlock Each Secure
  System Preference. The affected preference panes are Accounts, Date
  & Time, Energy Saver, Network, Print & Fax, Security, Sharing, and
  Startup Disk (and some third-party preference panes).

* Login window as list: When the login window appears, it normally
  displays a list of all the computer's users, each with an icon; you
  can click one of them and enter a password to log in. Alternatively,
  the login window can display two empty fields, one each for user
  name and password; this makes it harder to break in, because the
  intruder has to guess not only a valid password but a valid user
  name as well. To switch the login window from a list to name and
  password fields, go to the Accounts preference pane, authenticate if
  necessary, and click Login Options. Then select the Name and
  Password radio button. Displaying the login window as name and
  password fields is a good idea for laptops and for situations where
  more than a handful of people have user accounts.

* Password hints: After a user tries to enter a login password three
  times in a row without success, Mac OS X displays that user's
  password hint (if one was entered). Because these hints can also
  help an attacker figure out someone's password, you can disable
  their display. To do this, go to the Accounts preference pane,
  authenticate if necessary, and click Login Options. Then uncheck Use
  Password Hints. For even greater security, I suggest not using
  password hints at all.


**Reset an Administrator Password** -- I have some good news and some
  bad news. The good news is that if you forget your administrator
  password, you can reset it without much difficulty; the bad news is
  that this very fact makes administrator passwords relatively
  insecure, because anyone else can do the same thing. However, you
  can minimize this risk by setting a firmware password and physically
  locking your computer with a security cable (both are described in
  more detail in the ebook).

  If you know the password of the administrator that was configured
  when Mac OS X was first installed (the "original" administrator,
  which Mac OS X sometimes treats in subtly different ways from other
  administrators), you can change any other administrator password by
  following these steps (which work similarly for changing other login
  passwords, though it's generally best left to other users to change
  their own passwords):

  1. Log in as the original administrator.

  2. Open the Accounts preference pane. If the lock icon is closed,
  click it and enter your administrator password to authenticate.

  3. Select an administrator and click Reset Password.

  4. Enter (and repeat) a password, and optionally enter a hint.

  5. Click Reset Password.

  If your machine has just one administrator account (the original
  one), you can reset its password as follows:

  1. Put your Mac OS X Install CD or DVD in your optical drive and
  restart with the C key held down (to boot from the optical disc).

  2. Click through the language selection screen. Then choose
  Utilities > Reset Password.

  3. Select your usual startup disk. Then, from the pop-up menu below
  the volume list, choose the user whose password you want to reset.
  (Do not choose "System Administrator (root)," which represents an
  entirely different account!)

  4. Enter (and repeat) a new password, and optionally enter a hint.
  Click Save, and then click OK.

  5. Choose Reset Password > Quit, and then Installer > Quit
  Installer. Click the Reset button to restart from the hard disk.

  Once you've done this, you'll still be prompted to enter a password
  for your login keychain. If that password was the same as your login
  password - meaning it too is forgotten - you'll have to delete that
  keychain, make a new one, and set that keychain as the default.


**Login's Run** -- It's important to understand how the login password
  works, because it's typically the first line of defense against
  unwanted access to your private data, misuse of your computer, and
  installation of malware. But the login password is only one of
  numerous passwords that affect your daily Mac usage. I cover the
  rest, along with full discussion of how keychains work, the Keychain
  Access utility, third-party password utilities, and ways to generate
  secure passwords in "Take Control of Mac OS X Passwords," a 96-page
  ebook available now for $10.

<http://www.takecontrolbooks.com/passwords-macosx.html?14@@!pt=TB853>


Unpatched Macs Face Bluetooth Root Exploit
------------------------------------------
  by Glenn Fleishman
  article link: <http://db.tidbits.com/article/8729>

  Security software developer Intego last week issued a press release
  about a significant proof-of-concept Bluetooth exploit that has been
  dubbed "Inqtana.d Bluetooth." This exploit works via a flaw in the
  Bluetooth short-range wireless networking standard, and could affect
  only Macs running unpatched versions of Mac OS X 10.3 Panther and
  Mac OS X 10.4 Tiger (which is why we recommend installing Apple's
  security updates!). However, unlike earlier known variants of this
  exploit, the "D" version requires no user interaction to create an
  account with root privileges, which can then be accessed via
  Ethernet or Wi-Fi to carry out any tasks that are allowed by an
  administrative user - that is, any action whatsoever. The exploit
  was demonstrated at hack.lu last week, and the code released
  following that.

<http://www.intego.com/news/ism0605.asp>
<http://www.digitalmunition.com/hacklu.html>
<http://hack.lu/>

  If you are running Mac OS X 10.3 Panther, make sure Security Update
  2005-005 is installed; it was released in May 2005. Mac OS X 10.4
  Tiger users need at least 10.4.7 installed, which was released in
  June 2006. If affected by the exploit, Mac OS X 10.3 users would be
  compromised only after a restart; Mac OS X 10.4 users would be
  compromised immediately.

<http://docs.info.apple.com/article.html?artnum=301528>
<http://docs.info.apple.com/article.html?artnum=303973>
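
  The patch levels above, turned into a fleet triage check. This is an
  added example, not code from TidBITS, Intego, or Apple; the inventory
  records, host names, and field names (os_version, updates,
  bluetooth_on) are constructed for illustration.

```python
"""Triage a Mac inventory against the patch levels named in the article."""
import re

# Both thresholds come from the article text.
PANTHER_FIX = "Security Update 2005-005"   # required on Mac OS X 10.3
TIGER_FIXED = (10, 4, 7)                   # minimum safe Mac OS X 10.4 release

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "lab-imac-01", "os_version": "10.3.9",
     "updates": ["Security Update 2005-005"], "bluetooth_on": True},
    {"host": "pbook-g4-07", "os_version": "10.3.9",
     "updates": [], "bluetooth_on": True},
    {"host": "macbook-12", "os_version": "10.4.6", "bluetooth_on": True},
    {"host": "macbook-13", "os_version": "10.4.10", "bluetooth_on": False},
    {"host": "mini-03", "os_version": "10.4.5", "bluetooth_on": False},
    {"host": "g3-legacy", "os_version": "10.2.8", "bluetooth_on": True},
    {"host": "macbook-14", "os_version": "10.4", "bluetooth_on": None},
]


def parse_version(text):
    """Turn '10.4.10' into (10, 4, 10) so comparison is numeric.

    Comparing the raw strings would rank '10.4.10' below '10.4.7'
    and flag a patched machine as vulnerable.
    """
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised Mac OS X version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)          # '10.4' means 10.4.0
    return tuple(parts)


def assess(host):
    """Classify one inventory record using the article's criteria."""
    version = parse_version(host["os_version"])
    family = version[:2]
    result = {"host": host["host"], "onset": None}

    if family == (10, 3):
        # Panther: the version number alone does not show the fix,
        # so look for the named security update.
        patched = PANTHER_FIX in host.get("updates", [])
        onset = "after restart"
    elif family == (10, 4):
        patched = version >= TIGER_FIXED
        onset = "immediate"
    else:
        # The article names only 10.3 and 10.4 as affected.
        result["status"] = "out-of-scope"
        return result

    if patched:
        result["status"] = "patched"
    elif host.get("bluetooth_on") is False:
        # Still needs the update, but the Bluetooth path is closed for now.
        result["status"] = "unpatched-bluetooth-off"
    else:
        # Unknown Bluetooth state (None) is treated as on.
        result["status"] = "exposed"
        result["onset"] = onset
    return result


def exposed_hosts(inventory):
    """Names of hosts that are unpatched with Bluetooth on or unknown."""
    return [r["host"] for r in map(assess, inventory)
            if r["status"] == "exposed"]


if __name__ == "__main__":
    for record in map(assess, INVENTORY):
        onset = f" (compromise {record['onset']})" if record["onset"] else ""
        print(f"{record['host']:<12} {record['status']}{onset}")
```

  Hosts reported as unpatched-bluetooth-off still need the update;
  turning Bluetooth off only removes the delivery path described here.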

  Intego has a history of trumpeting their curatives for concept
  viruses and exploits that are either relatively trivial or never
  seen in the wild. And, according to "KF," the otherwise unidentified
  operator of the Digital Munition site that released the exploit
  code, this "D" variant involves just a minor change - with major
  effect - to code that was disclosed on 02-Feb-06 by KF to Intego.
  Intego's press release says you should have their latest virus
  definitions to protect against this variant but doesn't say that
  earlier virus signatures would be ineffective. I haven't seen any
  alerts about this variant from Apple, CERT, or other software
  developers, which may reflect the assessment of the number of
  potentially exploitable computers.

  However, this is among the most severe attacks ever developed
  against Mac OS X, and as such, I can't fault Intego for alerting
  people to its existence at the same time as they promote their
  anti-virus software. But while it's serious, that doesn't mean it's
  actually going to be a problem for anyone. The Wi-Fi patches that
  Apple released last month (see "AirPort Updates Stop Wi-Fi Exploit,"
  25-Sep-06) resolved a problem with equally bad consequences, but
  Apple stated there was no known exploit code available, and no
  specific vector, only a general approach for attack.

<http://db.tidbits.com/article/8683>

  With Inqtana.d Bluetooth, no user interaction is required, and thus
  a machine could be quickly and quietly taken over at its fundamental
  level. Firewall software might prevent remote access to the root
  account that's created, but that's not a guarantee, especially if
  the attacker were on your local network.

  The good news is that virtually all Panther users and most Tiger
  users that would be at risk could reasonably be expected to have
  updated their computers with patches that already protect against
  this exploit. And the vector for exploitation is rather tricky. The
  code is out there, but I see little likelihood that it will be
  developed into a simple-to-use package like KisMAC, which is a Wi-Fi
  vulnerability assessor (or a pre-built cracking engine, depending on
  your world view).

<http://kismac.de/>

  In order for your machine to be compromised, an attacker must
  install code to perform the compromise and find locations with Mac
  users, and those Mac users must have Bluetooth turned on and be out
  of date on patches by months... or by more than a year! Bluetooth's
  short range means that it would be difficult to hack a fixed
  computer located more than an apartment wall away, and thus mobile
  Macs would be at the greatest risk.

  I imagine most Mac laptop owners are in the universe of people who
  frequently install patches, too, because they probably expect
  they're at greater risk. The odds of actually being hacked in this
  manner are thus vanishingly small. Even further, once your computer
  is compromised, the attacker needs to be able to access it, and, if
  you're a mobile user, you would likely have walked away by that
  point, never to be seen again.

  This is just another sign that increasing scrutiny is being paid to
  Mac OS X by security researchers; it's not yet proof, however, that
  virus and worm writers give a darn.


Take Control News/30-Oct-06
---------------------------
  by Adam C. Engst <[EMAIL PROTECTED]>
  article link: <http://db.tidbits.com/article/8730>

**Move to a New Mac with Adam's Latest Ebook** -- Last week, we
  released the second edition of my "Take Control of Buying a Mac,"
  which now features complete details about the Intel-based Macs that
  have taken over Apple's product line. The ebook continues to provide
  detailed advice for how to determine which Mac you need and how to
  buy it without wasting money, but now it also includes a significant
  new section that explains the best ways to move user data -
  documents, applications, and settings - from an old Mac to a new
  one. That task has become easier of late, thanks to Mac OS X's Setup
  Assistant, but I include an explanation of exactly how it works,
  along with advice for what to do if the old Mac lacks a FireWire
  port.

<http://www.takecontrolbooks.com/buying-mac.html?14@@!pt=TRK-0015-TB853-TCNEWS>


**Up-to-Date Help for Holiday Camera Purchases Now Available** -- The
  third edition of "Take Control of Buying a Digital Camera" is also
  out, updated especially for anyone looking to buy a digital camera
  for the holiday season. Written by professional photographer and
  instructor Larry Chen, the ebook helps you sort out the latest
  camera trends and marketing jargon in order to find a camera that
  matches your budget, needs, and style, whether you want an
  inexpensive snapshot camera or a professional digital SLR camera
  system. Goodies in the ebook include a printable, customizable
  shopping checklist, specific model suggestions for different types
  of cameras, 25 color photos illustrating important concepts, and
  tips for taking better photos.

<http://www.takecontrolbooks.com/buying-digicam.html?14@@!pt=TRK-0015-TB853-TCNEWS>

  Owners of previous editions of the ebook should click the Check for
  Updates button on the cover of the ebook for more information or
  check their email for how to upgrade.


**Create and Manage Passwords without Taxing Your Memory** -- If
  you're feeling confused or distressed by the many times your Mac
  asks you to enter or create a password, help is at hand with our
  latest ebook: "Take Control of Passwords in Mac OS X". Written by
  Mac expert Joe Kissell, the 96-page ebook helps you assess your risk
  factors and prepare a plan for generating different types of
  passwords, using a special system that enables you to create strong
  passwords that are easy to remember but virtually impossible to
  crack.

<http://www.takecontrolbooks.com/passwords-macosx.html?14@@!pt=TRK-0015-TB853-TCNEWS>

  Once that's done, Joe sets about helping you create and use the many
  different passwords on your Mac, including the login password, the
  master password, the firmware password, and the root password, plus
  your email, keychain, and AirPort passwords. But even more boggling
  are all the passwords that many Web sites require to protect your
  personal data, ranging from the trivial (your New York Times Web
  site account) to the truly important (the PayPal account that's
  directly linked to your credit card and bank account). Joe explains
  how to deal with each, and how to use Apple's Keychain Access
  password manager to ease the tasks of wrangling all these different
  passwords. For those who want to go beyond Keychain Access for
  additional features or cross-platform capabilities, the ebook
  suggests several other password management utilities and provides
  money-saving coupons for two of Joe's favorites: 1Passwd ($5-off)
  and Web Confidential ($10-off). "Take Control of Passwords in Mac OS
  X" costs $10, and is available in a discounted bundle with "Take
  Control of Your Wi-Fi Security" for $17.50.

<http://www.takecontrolbooks.com/wifi-security.html?14@@!pt=TRK-0023-TB853-TCNEWS>


Hot Topics in TidBITS Talk/30-Oct-06
------------------------------------
  by TidBITS Staff <[EMAIL PROTECTED]>
  article link: <http://db.tidbits.com/article/8731>

**HTML email digression** -- Does HTML belong in email? Should
  text-only messages be the norm? Like it or not, HTML-formatted email
  is here to stay, and readers discuss the implications. (30 messages)

<http://emperor.tidbits.com/TidBITS/Talk/989/>


**MacBook Pro on DC power?** A reader is looking for a
  MagSafe-compatible power adapter that can be run on an airplane or
  in a car without bulky inverters. (14 messages)

<http://emperor.tidbits.com/TidBITS/Talk/992/>


**Email client wish list** -- Following news that Eudora was going
  open-source and being built upon Mozilla Thunderbird, readers
  started throwing out ideas for features that would make for an ideal
  email client. (7 messages)

<http://emperor.tidbits.com/TidBITS/Talk/993/>


**Dual Intel Laptops & Naturally Speaking** -- Dragon's Naturally
  Speaking software may be the best solution for voice dictation, but
  it still runs only on Windows. But how does it perform on an
  Intel-based Mac running Parallels or Boot Camp? (4 messages)

<http://emperor.tidbits.com/TidBITS/Talk/994/>


**Bluetooth root exploit & "out-of-date" Macs** -- The recent
  Bluetooth security vulnerability only affects unpatched Macs, but
  not everyone updates their computers religiously. Readers discuss
  ways of flagging software updates that are more important than
  others. (3 messages)

<http://emperor.tidbits.com/TidBITS/Talk/995/>


**Green My Apple** -- The environmental group Greenpeace has garnered
  much attention lately by targeting Apple for its campaigns. Are they
  going after a large obvious target for the publicity? And how did
  their behavior at Mac Expo in London get them kicked out of the
  event? (5 messages)

<http://emperor.tidbits.com/TidBITS/Talk/996/>


**Why not Mailsmith?** The Bare Bones email client gets specific
  attention in the aftermath of the news about Eudora becoming open
  source. (5 messages)

<http://emperor.tidbits.com/TidBITS/Talk/997/>


**Telephone Messaging Software** -- Remember those quaint days when
  you'd answer the phone and "take a message" for someone who wasn't
  around? Now, a few software products let your Mac do all that for
  you. (3 messages)

<http://emperor.tidbits.com/TidBITS/Talk/998/>


$$

This is TidBITS, a free weekly technology newsletter providing timely
news, insightful analysis, and in-depth reviews to the Macintosh and
Internet communities. Feel free to forward to friends; better still,
please ask them to subscribe!

Non-profit, non-commercial publications and Web sites may reprint or
link to articles if full credit is given. Others please contact us. We
do not guarantee accuracy of articles. Caveat lector. Publication,
product, and company names may be registered trademarks of their
companies. TidBITS ISSN 1090-7017.

Copyright 2006 TidBITS: Reuse governed by Creative Commons license.

Contact us at:    <[EMAIL PROTECTED]>
TidBITS Web site: <http://www.tidbits.com/>
License terms:    <http://www.tidbits.com/terms/>
Full text search: <http://www.tidbits.com/search/>
Subscriptions:    <http://www.tidbits.com/about/list.html>
Account help:     <http://www.tidbits.com/about/account-help.html>

