Everything In Between

This is already horribly old news, and by old I mean several days ago since that’s about as fast as it takes technology news to grow old, but Apple is releasing Mac OS X 10.5 “Leopard” at the end of this month. Apple is calling this release a “major upgrade,” and indeed Apple has rarely made its users wait so long between operating system releases as they have done between Tiger (Mac OS X 10.4) and Leopard. So, I’m already excited.

But then today I was glossing over Apple’s featured features list and I got even more excited. There are the usual, largely meaningless, fluff updates that are nice for Joe Schmo or his mother, but that power users simply don’t care about, like the new iChat support for animated buddy icons, but the list is also chock-full of really cool, really useful features.

What’s interesting is that a good deal of these features aren’t really new features at all. For instance, if you knew how to manipulate the NetInfo database on your Mac, you could already share any folder via Apple’s “Personal File Sharing” feature. (Here’s a Mac OS X Hints hint explaining how to do it.) In Leopard, however, Apple claims that this functionality is now integrated straight into a folder’s Get Info… window. If it works as smoothly as Apple claims, this is finally going to bring Mac OS X (client) into decent competition with Windows XP Professional in terms of GUI-level power-user features.

However, while all of these features are really cool, here’s a list of the ten geekiest features I will probably absolutely love, for one reason or another.

• Ruby on Rails, out of the box — The hot thing in web development right now is Ruby on Rails. Macs have already been the best personal desktop and web development platform because they have built-in support for the Apache web server and a host of other features, but now they will come with a ready-to-roll installation of Ruby on Rails, sporting Mongrel and (better yet) Capistrano! Specifically with the addition of Capistrano, which is terribly undersold as simply a Ruby on Rails deployment platform, these UNIX-y “toolbox” items are bound to make Macs that much more useful right out of the box.
• Safari’s full history search — As their recent public partnerships with Google have shown, Apple is very clearly invested in search technologies. Spotlight gets a huge number of improvements in Leopard, but none which I think are going to be more useful to more people than this one: spotlight searches on the full text of each web page in your visited history list. That’s just awesome. Also awesome: using spotlight as a calculator and as a dictionary, which also shows just how Google-like Apple is trying to be. (Google also lets you ask it arithmetic questions and a dictionary.)
• Wikipedia articles in Dictionary.app — I love Wikipedia because it’s one of the fastest ways to get (relatively) reliable information quickly. Now that Dictionary.app has built-in integration with Wikipedia, imagine the possibilities for getting that knowledge instant-gratification craving fixed. Apple has not yet announced this capability, but I can easily envision a scenario where all Cocoa text fields are instantly “wikified” (with text that matches Wikipedia articles highlighted) much in the same way that current Cocoa text fields allow you to right-click on a misspelled word and have it corrected by Dictionary.app.
• Application-based firewall — In classic Apple fashion, functionality that was previously available via third-party additions is now available from Apple itself. In this case, I have to wonder how well Apple’s updates to its firewall will obviate the need for Little Snitch, which is basically an application-based firewall, too, and a good one at that.
• Built-in guest log-in account — If you’re as paranoid about security as I am, you’ve already created a special, limited-access user on your system (called Guest or Visitor or whatever) and whenever friends are over, you tell them to use that account instead of your own. Now in Leopard, Apple has gone through the trouble of setting this up for us already. A small change that is going to have a big impact.
• Scriptable System Preferences & applications — With AppleScript, you can automate the things your computer does with scripts, as long as those things are “scriptable.” In previous versions of Mac OS X, huge gaping holes of what things shipped by Apple were scriptable existed, causing me (personally) some really annoying headaches. AppleScript GUI scripting helped me get around many of those roadblocks, but now it seems Apple is finally filling in some of the most notorious gaps in this functionality with scriptable System Preferences. Yay!
• Automator workflow variables — Automator brings the power of AppleScript I just mentioned to more people with a completely graphic programming environment. There is no need to open up a text document and write AppleScript code because Automator lets you create a script (called a Workflow in Automator jargon) using your mouse by dragging and dropping actions into the order you want them to be performed. It’s very slick, but until now it’s been very limited. With Leopard, Apple is beefing up Automator so that it includes things like variables, basic programmatic capability that was sorely lacking before. (Also majorly cool: a command-line utility to access Automator!)
• Finder.app’s path bar — Every serious Mac user knows that the Finder needs a lot of help. Now, it’s getting some. Something the Windows Explorer has had forever (as had every desktop environment for Linux, of course) is a visual cue to show you where in your filesystem tree a given folder is located when you are viewing said folder. Now the Finder gains this capability (though Apple’s description implies that it’s going to be off by default) with what Apple is calling a “Path Bar”. Finally!
• Cocoa and scripting bridges — Even though no one really seems to know about it, it has long been possible for languages other than AppleScript to do things like send Apple Events to Mac OS X applications. Specifically, Ruby and JavaScript, two of the most well-known web development languages in existence, can already do this with a single ScriptingAddition (OSAX). But now Apple is making this functionality a central feature and fully extending it to their Objective-C (and Cocoa) language and applications such as Xcode and Interface Builder. This means people like me will have a shallower learning curve before we’re able to create full-fledged, native Mac OS X applications. Now that’s exciting!
• Xcode 3 refactoring — This is something you kind of have to see to believe. I got the opportunity to see it demoed at Apple’s Leopard Tech Talks last year and I was really excited by it. With the new Xcode, Apple’s development IDE, you can do away with find-and-replace searches for things like renaming functions because Xcode understands what parts of your code are what structures and, when you tell it to “change the function named myFunction to myNewFunction,” it’ll only find-and-replace function names instead of every instance of the string “myFunction.” That’s pretty big, and if it were available for more languages, it’s almost enough to make me ditch vim.

So there you have it. Ten features you might not have already known about that are some of the most promising features I can see in Leopard. And I didn’t even get into Wide-Area Bonjour, which could make services like DynDNS or No-IP a thing of the past (and which I still want to learn more about), or the new Terminal application (finally with tabs!), or even the multiple user certificates for S/MIME encrypted email.

Note: One of the least known security features available on Mac OS X is also possibly one of the best, and the simplest. Evidently, all Intel-based Macs are shipped with the XD (aka. NX, aka. DEP) bit turned on—and thankfully there doesn’t seem to be any way for users to turn it off. However, this isn’t a silver bullet and if you want to learn why you should check out this excellent Anandtech article: A Bit About the NX Bit.

I have the simplest personal email spam solution in the world. I use Apple’s Address Book and, in it, I keep all the email addresses I ever want to get mail from. In Apple’s Mail program, I simply tell it that email from an address in my address book is exempt from being treated as junk mail. Then I set up a Mail rule that says if the sender is not in my address book, the message should be moved to the Junk Mail folder.

Voila. This system is flawless. You will never be able to send me loads of spam that go anywhere but my spam box, and I hardly ever look in there.

Naturally, there is a caveat to using this technique, but I actually consider it to be an advantage. By necessity, this technique, keeps me pro-active about getting people’s contact information when I meet them (and want to talk again). If I don’t get that person’s email address, I’ll probably never see that person’s email unless I’m looking out for it. Nine times out of ten, however, that’s what I want to have happen anyway.

So this solves the problem of unwanted mail. However, what if I want to let people contact me that I don’t know ahead of time or have previous whitelisted? Well, in that case I rely on an out-of-band communication, such as an introduction from a friend, leaving a comment on my blog(s), or some other method such as an instant message to let me know that there is someone who wants to talk to me.

My contact information is so available (in so many places), and many IM services are now equipped with store-and-forward messaging that there really is no reason for email to be the first time I hear from someone. Even better, if I’m contacted over Google Talk (as an example), I automatically have an email address for that person.

Voila. Simplest. Spam. Filter. Ever.

As if there weren’t enough reasons not to use Internet Explorer for Windows, this week alone two new threats were discovered. The first is a Trojan horse that exploits a (still unpatched) bug found in Internet Explorer first discovered in May.

Microsoft has yet to provide a fix for the vulnerability, but is working on a patch, according to the security advisory. Security-monitoring company Secunia deems the problem “extremely critical,” its rarely given highest rating.

The vulnerability puts computers running Windows 98, Windows Millennium Edition, Windows 2000 and Windows XP at risk. An attacker could gain complete control of vulnerable systems by hosting malicious code on a Web site. Once an IE user visits the site, the malicious program would run without any user interaction.

[via ZDNet]

The second is a design flaw in the way Internet Explorer handles CSS import commands and allows an attacker to retrieve private user data or execute operations on the users behalf on remote domains, Matan Gillon, who discovered the vulnerability, wrote in his article. The reason this is so troubling is because, by exploiting this vulnerablity, attackers can actually bypass extremely strict security limitations and create JavaScripts that have inter-domain communications ability (XSS attacks). If that sounds scary it’s because it should.

[Unlike] classic XSS holes […] in this case the target site doesn’t have to be vulnerable to script injection. All an attacker has to do is lure a user to a malicious web page. Thousands of web sites can be exploited and there isn’t a simple solution against this attack at least until IE is fixed. That means millions of IE users are affected by this design flaw.

This vulnerability has been tested to work on a fully patched Microsoft Internet Explorer 6 browser and earlier versions are possibly vulnerable as well. Mozilla Firefox seems to adequately keep domain restrictions in CSS imports and doesn’t seem to be vulnerable to this type of attack. Opera isn’t vulnerable because it doesn’t support the styleSheets collection. Possible solutions for users to mitigate this attack would be to disable Javascript in IE or use a different browser.

If you haven’t yet, now it’s really time to switch.

I’ve been kept rather busy as of late and have not been able to keep very up to date with this blog. However, I checked up on it today and noticed what appears to be the strangest comment spam I’ve ever gotten. In a nutshell, on one of my past posts that talk about email security, there are a couple of comments hailing the security and reliability of Microsoft Outlook Express.

The reason this is interesting is because they are clearly spam messages. I have to wonder, then, why spammers would want to leave comments raving about how secure Outlook is. The thing is, Outlook (and especially Outlook Express) is one of the most unsafe pieces of software you can have on your computer. In my experience cleaning and repairing other people’s computers, more viruses and other computer nasties arrive on a machine via Microsoft Outlook than any other program.

So why are spammers hailing the security of this program? Are they trying to get people to use it? Do they think people will switch their email program because they saw some comment on a blog somewhere?

Strangest. Spam. Ever.

Yesterday I finally got my new apartment hooked up with Time Warner Cable’s Road Runner Internet service. (While I was at it, I totally ditched TV and along with the quieter home, I’m looking forward to the nearly $40 savings on my bill each month!) The cable guy woke me up at noon and I answered the door in a t-shirt and boxers because I couldn’t find my pants. Oh well.

Anyway, he quickly set me up, left me extra cable wires at my request, and I started to set up my computer corner. Got my router hooked up after spoofing its MAC address, and started a cursory test of the Wi-Fi router’s signal around my apartment. Everything looked good for a while, so I moved on to more pressing matters, but later on in the day I began experiencing inexplicable network slow-downs and disconnects. I couldn’t make heads or tails of it until I launched NetStumbler and began exploring a little more in-depth.

(I had to do some quick research to gain any valuable information from NetStumbler’s findings, but luckily Wikipedia is perfect for this sort of thing.)

NetStumbler was able to locate 3 other wireless networks in addition to my own which were broadcasting through my apartment. The interference was remarkable. Each of them were transmitting in the mid-channel range from 3 through 6, and I was caught right in the middle. My network’s SNR decreased considerably the more I travelled away from the AP.

The thing about Wi-Fi is that the signals aren’t typically very strong to begin with becuase the coverage is intended to remain confined. This means that competing signals transmitted in close frequencies (termed channels) cancel each other out, causing the headaches my network was giving me.

Thanks to NetStumbler I knew what channels the other guys were using, so I started broadcasting at the other end of the spectrum and suddenly my reception was loud and clear all over the apartment, and I would guess wherever they are broadcasting from too. The lesson in radio technology and Wi-Fi in general was extremely interesting and informative, but on a more practical note this is about being a good Wi-Fi neighbor and not competing for signal strength on the same channels.

It also brings up some very critical concerns involving security and privacy issues. One of the networks NetStumbler found was an unsecured Linksys-based AP. The owner probably doesn’t realize that his home computer network is wide open to anyone with a wireless networking card and a computer, but it is. Since Wi-Fi works on radio technology, and radio can pass through solid objects like walls, the area covered by his transmitter pokes out of the confines of his apartment.

If I were the bad neighbor, I could use his Internet connection, or even browse his iTunes music collection and he would probably be none the wiser. If he had a wireless web cam hooked up to the network, I could see whatever images it broadcasted too. And I wouldn’t even have to start hacking. That’s why it’s so important that you take the steps to protect your wireless network with something like WPA or WEP.

WEP is not very strong, and the new generation of WEP-cracking tools can break it in a matter of minutes, so it should never be considered a preventative measure to keep crackers out of your network. Rather, it is a detterant that should be used to dissuade crackers from trying. My old router only supports WEP encryption on its WLAN so that’s what I’m stuck with, but the fact that this other guy keeps his network wide open means I feel pretty safe here.

Afterall, which house do you think a burglar would break in to? The one with the big security-company sticker on all the windows and doors and the lights on, or the one in the dark with the open window and unlocked door?

This is precisely why I uninstalled Norton AntiVirus the moment I discovered Avast! 4.5.

YAY! I’m paranoid. But you know what, that’s good when considering computers and today’s world. So when I learned that Road Runner offers no real protection against network-sniffers, I stopped using my @nyc.rr.com email account almost immediately. I moved everything to my own server, which uses SSL over both POP and SMTP traffic to protect my passwords when checking email (and SSH all over the place for everything else).

It is similarly annoying that Hotmail (afaik) has never used it when checking email from a client such as Outlook, Outlook Express, or Entourage. Yahoo! Mail doesn’t even have POP, or POP-like, access to its mail accounts (again, only afaik), but by default their log-in forms are not secure.

So when Gmail announced its free POP service for its users, I was skeptical. “Great,” I thought. “I’ll never use it.” But today I clicked on the “New Features!” link, found the instructions for enabling their POP service and—low and behold—imagine my surprise when I read that they actually require the use of a secure connection!

What an incredibly sensible choice! And yet another reason to switch to Gmail if you can. I don’t see either Yahoo! Mail or Hotmail doing anything on the security front. In my eyes, Google should be advertising this fact more than they have. But I guess it only really matters to geeks like me.

P.S.: If you want a Gmail account and don’t have one yet, then I’m willing to give you one. (I’ve got more invites than I know what to do with.) Leave a comment or email me at meitarm (at-sign) gmail (dot) com, and give me a suggestion for how to improve this site. I’m most interested in design ideas, and if you’re handy with Photoshop, an image of one would be nice too.

I have been using Mozilla Thunderbird as my default (and only) email client application on my Windoze laptop for a while now. (It’s far better for email than Outlook in just about every way.) I’ve also been using the Enigmail encrypted email extension. I’ve even been able to get my mother into using it to send me sensitive emails, such as when she wants me to order something for her on Amazon.com and needs to give me her credit card number to do so.

This has a number of advantages:

1. The message’s security is on-par with some of the best privacy encryption around. The telephone is a surprisingly easy communication channel to compromise. At least sending an encrypted email (assuming keyloggers aren’t present on a compromised system and assuming the private keys are kept safe) will take some more intense computational power to crack.
2. I’m basically guaranteed to recieve the communiqué; my cell phone provider has the worst reception and delays imagineable. I’m always available by email, however, because I check it as if I’m paranoid.
3. Best of all, my mother need not call me as often as she once has. (No offense, I love you Mom.)

Anyway, the point is that I had wanted to now integrate GPG with Apple’s Mail.app, had heard about GPGMail, but was worried that it wouldn’t work because it says it needs MacGPG, and I have Fink’s GPG port.

Being the blatantly insubordinate individual and anti-authoritarian that I am, I decided to try to work with it anyway and see what would break. So I installed GPGMail and launched Mail.app. I was presented with the error, “Invalid crypto engine! GPGMail cannot work. It didn’t find GnuPG (/usr/local/bin/gpg) with at least version 1.2.2. Please quit Mail, blah blah blah blah!”

So, thinking that maybe that path was just hardcoded into GPGMail, I created a symbolic link from /usr/local/bin/gpg which pointed to my Fink gpg installation at /sw/bin/gpg.

sudo ln -s /sw/bin/gpg /usr/local/bin/gpg

Much to my delight, it worked wonderfully. Luckily, it turns out that GPGMail can work just fine with GPG ports other than MacGPG. You just have to tell it where your gpg executable is.

A short while ago my brother asked me if there was some way he could get to his home computer from his College dorm. This isn’t such a huge technical problem as it is a security concern.

His home computer was essentially the family computer. It has games, pictures, a music library, and lots of old homework. But it also has financial records, private email, and the like. Every family computer is a treasure trove of vital information for thieves and crackers. Its information would be far more valuable than a bunch of jewelry or the children’s stash of allownace, so you can clearly see why making a connection from the Internet to the family computer requires some security considerations.

This whole situation got me thinking of the state of information security as a whole. When it comes right down to it, my family’s home system is relatively more secure than most home or small business networks. Keeping the computer behind a firewall helps somewhat right off the bat because it separates us from the rest of our ISP‘s subnet. That’s probably the most important security step anyone can take, and its so utterly easy. I’ve walked into offices countless times where a single computer was plugged right into the cable or DSL line. That’s just inviting trouble!

The situation with dialup Internet access is much worse. Consider AOL, for example. For years, customers have been logging into their AOL accounts using no security precautions at all. Username and password sent in the clear, which is about as secure as writing your bank account and PIN numbers on the back of a postcard. To add insult to injury, AOL is now charging users extra for a secure log-in procedure, which is nothing more than pure greed. Two questions come to mind:

1. Why did it take more than a decade to implement a secure log-in procedure?
2. Why, when it finally comes, is it being offered only as a premium service?

This is sending absolutely the wrong message to computer users everywhere.

The issue I take with it, of course, is that while iron-clad protection is indeed difficult if not impossible to achieve, an enormous difference can be made with just a little bit effort. In AOL‘s case, simple security such as end-to-end encryption during a log-in procedure should not be an incredibly difficult task to achieve. While their rotational password scheme does offer an added layer of security, and makes encryption a little less important as far as log-ins go, does this mean that regular users will just have to suck it up and be content with their lack of security?

I sure as hell wouldn’t be.

Yesterday I was having a bunch of fun playing with SSH tunnels. While I was at it, I glanced over at Thunderbird when it beeped at me, signifying I had new mail. That’s when I realized that I hadn’t yet taken the time to secure any POP3 or SMTP traffic travelling from my local machines. While I was having all this fun with various SSH shenanigans, I had completely forgotten about one of the simplest things I could do to secure my account: running POP3 and SMTP over SSL, aka POP3S and SMTPS (or SSMTP).

Enabling this kind of connection for my own server was no problem at all. Actually, my web hosting provider is smart enough to offer these services right off the bat, so it was merely a matter of confirming their existence.

telnet my-domain.com pop3s

However, I also have a Road Runner account because those folks are my home ISP. Unsure whether or not they offered these services, I scoured their online help pages but no avail. There was only scant information on security, and most of it had to do with how to block pop up windows in Internet Explorer (a futile excersize anyway).

So I turned next to their online chat support. In order to connect, they required that I fill out my full name and email address in a form (which was not itself secured with HTTPS by the way). Here’s a transcript of my conversation with their representative.

Mike S.: Thank you for choosing Road Runner Technical Chat. My name is Mike S.. May we have the first and last name, and the phone number with the area code of the master account holder?

Meitar: Believe I just gave that to you, but sure: Meitar Mxxxxxx (xxx) xxx-xxxx

Mike S.: Thank you, and with whom am I speaking currently?

Meitar: That’s me. Meitar.

Mike S.: Thank you, what technical issue may we assist you with?

Meitar: I’m wondering if you support pop3s (or POPs) for email?

Mike S.: What is it that you are attempting to do?

Meitar: Use it. If it’s available, I’d much rather retrieve my email via an SSL-secured connection than a plaintext one.

Mike S.: If you are trying to connect to a POP3, then that is fine. If you are attempting to setup a POP3 server on your home connection, this would not be supported, and in fact against the Road Runner Terms of Service Agreement.

Meitar: Nonono, I’m not trying to set up a server, I just want to know if *you* support the protocol.

Meitar: That way I can hit that “Use SSL” checkbox in my Mail program.

Mike S.: If you are connecting to the Road Runner POP3 e-mail server to receive your e-mail messages, you will not be able to set it to SSL. If you are using another POP3 server to receive e-mail from another account, you will have to contact the provider of that POP3 server.

Meitar: So you *don’t* use it, right? I’m connecting to the pop-server.nyc.rr.com machine, whichever that is, for my Road Runner email, in case that helps any.

Mike S.: I am sorry, but I do not understand what it is that you are asking of me. That is the correct POP3 server for the Road Runner e-mail accounts.

Meitar: I’d like to know if my computer can still talk to yours if I tell it to speak POP3S rather than plain-old POP3. I want to know this so that I can set up my mail programs to “use SSL” if your server supports it. As I said before, I’d much rather use an SSL connection than not because I frequently check my mail from hotspots around the city.

Mike S.: As I mentioned, you are not able to “use SSL” for the Road Runner e-mail server.

Meitar: Okay. That’s what I wanted to know. :) As an alternative, do I have access to an SSH account along with my subscription to Road Runner?

Mike S.: Unforunately we do not offer such a service at this time.

Meitar: Hm. Drat…. Well, thanks anyway Mike. Hopefully Road Runner will soon offer secure email alternatives for their customers. :) Have a great rest-of-the-day.

Mike S.: You are very welcome! Have a great day!

Mike S.: If you have no further issues that we can assist you with, you may end the chat session by clicking on the Hang Up button and a chat transcript will be displayed for you. Once again thank you for choosing Road Runner!

In an ongoing effort to continue improving our quality of service, we are conducting a customer survey. If you would like to participate, please copy and paste the following link into your browser: http://help.rr.com/html/chatsurvey.html .

Mike S. Has Disconnected

I couldn’t help but be so nice because he really made me laugh.