TidBITS#1243/06-Oct-2014

Severe vulnerabilities in OS X’s Unix-based underpinnings could put your Mac at risk. Adam Engst explains how to test your system and install Apple’s OS X Bash Update 1.0 to eliminate your exposure to Shellshock. Glenn Fleishman joins us to explore 1Password 5 for iOS, which takes advantage of iOS 8’s browser extensions and works with Touch ID in supported iPhone models. Glenn also takes Quicken 2015 for a spin to see if it can replace the languishing Quicken 2007 for managing his finances. Finally, one of the biggest hit games of the year puts you behind the eyes of a violent… goat? In FunBITS, Josh Centers looks at how Goat Simulator has become a surprise success. Notable software releases this week include Photoshop Elements 13, StuffIt Deluxe 16, and Default Folder X 4.6.9.
 

Apple Updates Bash for the Shellshock Vulnerability

  by Adam C. Engst: ace@tidbits.com, @adamengst

In a quick fix for the Shellshock vulnerability in the Bash shell, Apple has released OS X Bash Update 1.0 for the three most recent versions of OS X: 10.7.5 Lion (3.5 MB), 10.8.5 Mountain Lion (3.3 MB), and 10.9.5 Mavericks (3.4 MB) — see “Macs Mostly Safe from Bash Vulnerability, but Be Ready to Patch” (26 September 2014). We presume the next beta release of 10.10 Yosemite will also include the fix. Oddly, the updates are not available via Software Update, but you can download and install the appropriate one from Apple’s Support Downloads page. No reboot is required.

Installing OS X Bash Update 1.0 updates Bash (in Mavericks) from 3.2.51 to 3.2.53 — you can determine your version before and after with this command in Terminal:

bash --version

If you have modified /etc/profile or /etc/bashrc be sure to back up those files before installing the update, since Apple overwrites both.

In the initial version of this article, I explained how to test for several of the vulnerabilities involved in Shellshock, but I subsequently wrote a more comprehensive article that shows how to test for all six of the currently known Shellshock vulnerabilities (“How to Test Bash for Shellshock Vulnerabilities,” 30 September 2014) – read that if you want to confirm that Apple’s patches are effective. The quick summary is that OS X Bash Update 1.0 appears to address the known vulnerabilities, with one ambiguous result.

Those still running 10.6 Snow Leopard or earlier must jump through an additional hoop to patch Bash, since Apple’s installers won’t work on Snow Leopard due to version number checking. Jorge Chamorro has modified the version checking script in the 10.7 Lion version of the update to allow installation in older versions of Mac OS X; try his version for older Macs. If you would prefer to work at the command line, we’ve also run across instructions for updating Bash manually in 10.4 Tiger and later.



How to Test Bash for Shellshock Vulnerabilities

  by Adam C. Engst: ace@tidbits.com, @adamengst

As the ripples from the Shellshock vulnerability spread, an increasing number of problems are being found in the Bash shell, and those problems are being fixed. Apple got into the game with OS X Bash Update 1.0, which explicitly addresses several of the bugs, and may address others (see “Apple Updates Bash for the Shellshock Vulnerability,” 29 September 2014). In this article, I plan to keep track of the vulnerabilities and how you can test to determine if the copy of Bash running on your system — OS X or not — is vulnerable. Thanks to Derek Currie for the idea!

Security vulnerabilities are described and referenced in the CVE (Common Vulnerabilities and Exposures) system, which is run by MITRE Corporation, with funding from the National Cyber Security Division of the U.S. Department of Homeland Security. Every vulnerability is assigned a unique CVE identifier, although merely having a CVE number doesn’t mean that the vulnerability will appear in the National Vulnerability Database run by the National Institute of Standards and Technology — it may turn out to be a duplicate, or its public release may be embargoed until the company in question has a chance to fix the underlying problem.

As of this writing, there are six CVEs surrounding Bash. I’m not going to attempt to describe each of these, since the details are too technical to be useful, but for each I’ll give a test that you can copy and paste at the command line to see if your copy of Bash is vulnerable. Note that there are a number of versions of Bash still in use, including 2.0, 3.1, 3.2, 4.0, 4.1, 4.2, and 4.3 — all are receiving patches. Apple uses Bash 3.2 in OS X 10.9 Mavericks. To learn which version of Bash you have, use this command:

bash --version

Please excuse some of the repetition below — I’m going more for clarity and accuracy than smooth reading.

CVE-2014-6271 -- Apple’s OS X Bash Update 1.0 explicitly says that it addresses CVE-2014-6271. To test CVE-2014-6271, copy the line below and paste at the Unix prompt.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your copy of Bash is vulnerable, you’ll see:

vulnerable
this is a test

And if your copy has been patched successfully, you’ll see only:

this is a test

In my testing of patched (3.2.53) and unpatched (3.2.51) copies of Bash in Mavericks, I get exactly these results.

CVE-2014-7169 -- Again, Apple says that it has patched CVE-2014-7169 with OS X Bash Update 1.0. To test CVE-2014-7169, run the following line in Bash.

env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo

If your copy of Bash is vulnerable, you’ll see:

sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Tue Sep 30 11:14:49 EDT 2014

However, if your copy of Bash has been patched successfully, you’ll see only:

date
cat: echo: No such file or directory
rm: ./echo: No such file or directory

In my testing of patched (3.2.53) and unpatched (3.2.51) copies of Bash in OS X 10.9 Mavericks, I get exactly these results.

CVE-2014-6277 and CVE-2014-6278 -- These two exist because of incomplete fixes for the previously mentioned vulnerabilities. To test for both, use this command:

foo='() { echo not patched; }' bash -c foo

If your copy of Bash is vulnerable, you’ll see:

not patched

And if your copy of Bash has been patched to address the incomplete fixes, you’ll get:

bash: foo: command not found

My patched (3.2.53) copy of Bash in Mavericks passes with flying colors, whereas an unpatched (3.2.51) copy of Bash fails the test. So even though Apple doesn’t mention CVE-2014-6277 and CVE-2014-6278 in its release notes, it appears that the OS X Bash Update 1.0 patches Bash successfully for them.

CVE-2014-7186 -- Apple also says nothing about CVE-2014-7186 in its release notes, and this one proves tricky to test in OS X, since a number of the tests I found return identical successful results in both patched (3.2.53) and unpatched (3.2.51) copies of Bash in Mavericks.

Luckily, Eric Blake of Red Hat runs through a number of these tests for CVE-2014-7186 before settling on this one.

bash -c "export f=1 g='() {'; f() { echo 2;}; export -f f; bash -c 'echo \$f \$g; f; env | grep ^f='"

If your copy of Bash is vulnerable, you’ll see something like the following:

bash: g: line 1: syntax error: unexpected end of file
bash: error importing function definition for `g'
1
2
f=1
f=() { echo 2

Blake says that there are two possible successful results if your copy of Bash is immune to Shellshock:

1 () {
2
f=1

and

1 () {
f: bash: f: command not found
f=1

The first of the successful results is what I see on a patched (3.2.53) copy of Bash in Mavericks, whereas an unpatched (3.2.51) copy of Bash fails the test. So again, even though Apple doesn’t call out CVE-2014-7186 in its release notes, it appears that the OS X Bash Update 1.0 patches Bash successfully for it.

CVE-2014-7187 -- Again going unmentioned in Apple’s release notes, CVE-2014-7187 is the most troubling of the vulnerabilities from the testing standpoint. To test, invoke this command, being sure to remove the line break first:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

If your copy of Bash is vulnerable, you’ll see:

CVE-2014-7187 vulnerable, word_lineno

What’s not clear to me is what will happen if your copy of Bash has been patched successfully. I’ve run this on patched (3.2.53) and unpatched (3.2.51) copies of Bash in Mavericks, and in a patched copy (4.1.2) in CentOS 6.5, all with the same results — nothing happened anywhere. That could mean that the test is flawed when running on Bash 3.2.5x in OS X, and thus doesn’t provide accurate results, or it could mean that the older 3.2.51 in OS X was never vulnerable. If you find a better test for this vulnerability, let me know.
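The command-line tests above, gathered into one script that runs each against a single Bash binary and prints a verdict per CVE. This is an added example, not part of the original article or Apple's update; the function names, the scratch directory used for the CVE-2014-7169 test, and the requoting of Eric Blake's command are assumptions made here.

```sh
#!/bin/sh
# Added example: runs the article's Shellshock tests against one Bash binary.
# The harness is POSIX sh; only the binary passed as $1 is under test.
# Pass an absolute path, or a name that can be found on PATH.

# Classifiers turn captured output into a verdict, using the strings the
# article says to look for.
classify_6271() {
    case "$1" in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo inconclusive ;;
    esac
}

classify_import() {   # the article's combined CVE-2014-6277/6278 test
    case "$1" in
        *"not patched"*)       echo vulnerable ;;
        *"command not found"*) echo patched ;;
        *)                     echo inconclusive ;;
    esac
}

classify_7186() {
    case "$1" in
        *"f=() {"*) echo vulnerable ;;   # function still exported as plain f=
        *"f=1"*)    echo patched ;;
        *)          echo inconclusive ;;
    esac
}

check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || :
    classify_6271 "$out"
}

# The article runs this through `sh`, which is Bash on OS X; here the binary
# under test is called directly, inside a scratch directory so the stray file
# named "echo" that a vulnerable shell creates never lands in your own folder.
check_7169() {
    tmp=$(mktemp -d) || { echo inconclusive; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' "$1" -c "echo date" ) >/dev/null 2>&1 || :
    if [ -e "$tmp/echo" ]; then verdict=vulnerable; else verdict=patched; fi
    rm -rf "$tmp"
    echo "$verdict"
}

check_import() {
    out=$(LC_ALL=C foo='() { echo not patched; }' "$1" -c foo 2>&1) || :
    classify_import "$out"
}

# Eric Blake's test, requoted so the inner shell is also the binary under test.
check_7186() {
    out=$(B="$1" "$1" -c 'export f=1 g="() {"; f() { echo 2;}; export -f f;
        "$B" -c "echo \$f \$g; f; env | grep ^f="' 2>&1) || :
    classify_7186 "$out"
}

# 200 nested for loops, generated without Bash-only brace expansion.
nested_loops() {
    i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
    i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
}

check_7187() {
    if nested_loops | "$1" >/dev/null 2>&1; then
        echo "no error (the article could not confirm what a patched shell shows)"
    else
        echo vulnerable
    fi
}

shellshock_report() {
    target=$(command -v "${1:-bash}") || { echo "bash not found"; return 0; }
    "$target" --version | head -n 1
    printf '%-20s %s\n' "CVE-2014-6271"      "$(check_6271 "$target")"
    printf '%-20s %s\n' "CVE-2014-7169"      "$(check_7169 "$target")"
    printf '%-20s %s\n' "CVE-2014-6277/6278" "$(check_import "$target")"
    printf '%-20s %s\n' "CVE-2014-7186"      "$(check_7186 "$target")"
    printf '%-20s %s\n' "CVE-2014-7187"      "$(check_7187 "$target")"
}

shellshock_report "$@"
```

Run it with no argument to test the first bash on your PATH, or give it the path of a specific copy to compare before and after patching.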

Shellshocker Web Testing -- I’ve heard that Web servers are particularly vulnerable to Shellshock, via CGIs that rely on Bash. The Shellshocker Web site has a tool that allows you to test any given CGI on your Web server, and provides an example CGI that’s designed to be vulnerable if Bash on the targeted server hasn’t been patched.

Unfortunately, I didn’t have a known vulnerable server to test against, and all the tests I ran against my server were inconclusive. So I’d encourage you to give this tool a try, but be sure to test before and after patching, if possible, to see if there’s a difference in the results.

Shellshock Will Continue -- I fear that new vulnerabilities will be discovered in Bash and we’ll see new patches. Apple was careful to give the OS X Bash Update a 1.0 version number; it’s entirely likely we’ll see that number increasing over time.



1Password 5 Touches New Heights in iOS 8

  by Glenn Fleishman: glenn@glennf.com, @glennf

For years, 1Password has been a constant part of my workflow and security profile. The password creation and management software, first released for Mac OS X and later for iOS, makes quick work of creating a strong password for every site and retrieving it on request. The new 1Password 5 for iOS 8 unlocks the utility’s full capability and makes iOS 8 itself much better. It’s also now free, with an in-app purchase for a small set of Pro features. (1Password is also available for Windows and Android.)

As 1Password aged, it matured. In version 4, its improved browser integration in Mac OS X and interface overhaul on both platforms reduced the effort required to access passwords and other confidential data while also improving how categories of disparate things were organized and could be filed into folders or tagged with metadata. With 1Password 4 for OS X, I finally started filling in all my forms and credit card numbers from the program.

But 1Password integration in iOS suffered before iOS 8’s release because of Apple’s strict limitations on inter-application communication. While 1Password could (and still can) sync via Dropbox and iCloud to keep passwords and other data up to date between various installations on mobile and desktop systems, there was an awful lot of copying and pasting required, and that isn’t one of iOS’s strengths. An improved in-app browser in 1Password 4 was a big step up for accessing Web resources, but it carried a lot of compromises: cookies couldn’t be shared between Safari and 1Password’s browser, and so forth.

iOS 8 has given AgileBits the tools they needed to pull a lot of threads together. But because of Apple’s requirements and how AgileBits adapted some of 1Password’s current settings and thinking to iOS, how to make use of all the new options can be confusing. Here’s some step-by-step advice.

What’s New -- You can read AgileBits’ announcement, but the brief story is that 1Password 5 for iOS sports three key additions and two improvements, one of which has yet to be enabled. The additions are:

The two improvements relate to syncing. AgileBits rewrote its iCloud sync to use Apple’s overhauled CloudKit, and the company says it’s fantastic compared to the previous set of tools, although it requires iCloud Drive, which in turn requires the upcoming OS X 10.10 Yosemite. AgileBits also made Wi-Fi sync automatic — you don’t have to invoke it — but this change will come into effect only once 1Password 5 for the Mac sees the light of day.

The other major change is that 1Password for iOS is now free. The Pro upgrade to add some organizational features is a one-time in-app purchase of $9.99. Existing 1Password 4 for iOS owners get these features unlocked without paying for them.

The freemium split is interesting, because I imagine most users won’t particularly care about support for less common items (bank accounts, reward programs, software licenses, and so on), multiple password vaults, custom fields, and folder/tag organization, but they will want to sync with desktop versions of 1Password on the Mac or in Windows, both of which remain paid products. The freemium model is a great way to get new people using 1Password for iOS, and then either paying the in-app fee or buying desktop software licenses.

Turn On and Use Touch ID -- All versions of 1Password rely on a master password, which unlocks your vault. The iOS version also has an option that lets you compromise between having to enter the full master password repeatedly — often a pain for a good password on the iOS keyboard — and leaving 1Password unlocked for extended periods of time. You can set a short PIN that you can use between times you’re required to enter the full master password. The PIN unlocks the master password, and that unlocks the vault. Thus, you could have 1Password ask for the master password every 24 hours, but set it to require the PIN after a specified delay (like 2 minutes of idle time) or after switching away from and then back to 1Password.


If you own an iPhone 5s, 6, or 6 Plus, Touch ID replaces the PIN option and must be enabled to be effective. Even if you’d prefer to use a PIN, it’s not available.


Turning on Touch ID is simple: in 1Password, tap Settings > Security > Touch ID. (Note that this interface changed from 5.0 to 5.1, so be sure to update if you’re not yet using 5.1.)


1Password will require a Touch ID scan whenever it locks. If you enable Lock on Exit in Settings > Security, it will lock whenever you leave the app. It will also lock after a set amount of time, which you can change in Settings > Security > Auto-Lock. However, you must enter your master password after a device restart, or whenever Touch ID fails. (AgileBits tells me that Apple won’t let a developer replace a password with Touch ID entirely.)

I set Auto-Lock to 2 minutes, though conceivably I could have set it to longer, because my iPhone is rarely out of my control. But I also enabled Lock on Exit, which adds a little inconvenience in return for more peace of mind.

Once enabled, here is the super cool part: you can use Touch ID everywhere 1Password can be invoked, whether through its Safari extension or direct integration with an app! I’ll explain that in a moment.

Sometimes, Touch ID doesn’t appear as an option when you use 1Password, and it took me some back and forth with AgileBits to understand why. iOS 8 gives developers only a “yes” or “no” response from a Touch ID interaction. If, when 1Password asks for your Touch ID, you tap Cancel or navigate away, iOS interprets that as a “no,” causing 1Password to see your action as an authentication failure and prompt you for your master password.

The one lingering issue with Touch ID isn’t limited to 1Password: physical coercion. Because you could be made to use Touch ID by force (or even while unconscious), using it as a means to gain access to a password store could leave you vulnerable if you have concerns about potentially violent people having physical access to both you and your iPhone.

For most of us, that’s not an issue. Garden-variety muggers aren’t likely to know about Touch ID, and even if they do, access to someone’s passwords isn’t a guarantee of financial reward. If you live in a country or engage in a profession in which you might be physically compelled to unlock your secrets, Touch ID and 1Password may not be for you. Of course, your master password may not be much help then either.

Use 1Password with Safari -- “Oh, joy!” I exclaimed, when I first tried 1Password within Safari in iOS 8. Apple’s iCloud Keychain for generating, storing, and syncing passwords in Safari across mobile and desktop systems is good, but 1Password is great. Turning it on requires a few steps, after which you’ll never have to mess with setup again.

Somewhat counterintuitively (Apple’s fault, not AgileBits’), 1Password’s extension is accessible from the Share view in Safari, but getting it to show up requires a little work. After installing or upgrading 1Password and configuring your password preferences, open Safari.

With any page open, tap the Share button. On the list of actions on the second row, which starts with Add Bookmark at the left, by default, slide right until you see More. Tap More.


At the bottom of the list you see 1Password (with an on/off toggle) and any other apps that have Safari extensions. Toggle 1Password on, and then drag the three-line handle at right to move it to the top. In testing, I found that re-ordering Share items doesn’t stick. I’ve had to re-do it (with Apple’s items as well as 1Password) multiple times.


Now, when you visit a site that requires a login, tap the Share button, tap 1Password, use Touch ID or the master password to unlock if necessary, and then you should see any matching logins. Tap the i icon to make changes or review or copy individual settings, or tap the item to fill. You may need to also tap a Login button.


For now, 1Password can fill in only login details; AgileBits says support for filling in street address and credit card information is in the works.

Use 1Password within an Integrated App -- AgileBits says that 100 developers are integrating 1Password’s iOS 8 extension directly into their apps. A few are ready now, including the latest release of Instapaper.

The process of logging into an app using 1Password requires a few steps, none of which is onerous, especially on devices with Touch ID. In Instapaper, for instance, when not logged in, tap the Sign In button on its home screen.


With 1Password installed, the Password field shows a 1Password logo at the far right. Tap it, and in a pop-up menu that shows extensions, you can select 1Password. Unlock 1Password, including with Touch ID, and then tap the correct Instapaper login entry — the sole entry for most people. The app handles the rest.




You can also create a new login within apps that support 1Password, something that’s not yet available when using 1Password within Safari.

Seamless Security without the Pain -- The new release of 1Password dramatically improves my overall iOS experience without compromising security. It’s more likely that I and other users of 1Password will become even more dedicated users of the software, because of its wider availability in Safari and apps, and its far easier use.

The more that regular users can be encouraged to create a unique, secure password for every site, the less likely a single site’s password breach will be seriously problematic. Combining passwords with Touch ID reduces friction even more.

The main missing piece, apart from filling in contact and credit card information, and something that AgileBits may not be able to do within Apple’s parameters, would be to let people create Web logins within Safari. But that’s minor, in the scope of things.



Quicken 2015: Close, But Not Yet Acceptable

  by Glenn Fleishman: glenn@glennf.com, @glennf

What I wanted out of Quicken 2015 for Mac wasn’t improvement so much as a path forward: I wanted to know that when OS X 10.10 Yosemite shipped, I wouldn’t be waiting for Intuit to issue yet another extension on life for Quicken 2007. I pictured myself setting up (as I had before) a virtual machine running an older version of Mac OS X just to keep Quicken 2007 alive. Horrors.

I have tried nearly every Quicken alternative over the last five years, including Mint and the terrible Quicken Essentials, and none suited me. Some couldn’t import the full 15 years of data from my Quicken file; others lost valuable information in conversion; and many just didn’t match the way I thought about recording transactions and running reports, something that Quicken had certainly shaped. (Quicken emulates the approach of paper accounting ledgers in terms of how transactions are entered and discretely represented as line items, but it isn’t skeuomorphic — no torn page edges or leather stitching.)

Quicken 2015 isn’t awful. That’s great praise given how bad Quicken Essentials was and Intuit’s long-running inability to update its flagship financial software for a platform of customers who desperately wanted a new version. At $74.99, Quicken 2015 is also not cheap, but given the small amount I’ve paid for minor updates to 2007 over the years, I was willing to plop my money down.

But for my purposes, Quicken 2015 still isn’t fully baked. After finding much to like about it, including a crisp interface, a better way to specify transaction details, and good connections to online financial accounts, its failure to import my Quicken 2007 reports (honed over 15 years for business and personal tax and other reporting) and its lack of report customization make it a non-starter.

Quicken 2015 could be adequate if you don’t rely on its reporting or don’t mind its simple set of reports. That could be true if you don’t need detailed itemization and summation reports for tracking income and expenses as a sole proprietor or small corporation. Some people use Quicken just to enter or download transactions and then check them off, keeping their budget in line and ensuring there are no illegitimate charges. Because I use a large set of custom reports to manage my business — from tracking income to filing city, state, and federal taxes — I’m holding out to see if Intuit addresses the reporting limitations.

A bit later in this review, I’ll get into the missing features of importing and reconciling. (I didn’t test the mobile app, as I don’t plan to use this release, and the mobile app has extremely limited features.)

Critical Advice before Starting -- Before I start on the review proper, if you’re converting from Quicken 2007, please read the following advice. I made mistakes so you don’t have to.

Now on to the meat.

A Random Walk Down Quicken 2015 -- This new release is crisper and cleaner than Quicken 2007. Intuit has created an up-to-date Mac program that looks like it was written this year, and that acts as expected. It’s generally stable, and clearly has some auto-save capability. After a crash — the only one across many hours of imports and intensive use — all my data changes were saved, but changes to the default column view in every account were gone. Clearly, Intuit needs to auto-save preferences, too. Also missing from Quicken 2007 is automatic backup on quit — you’ll need to rely on Time Machine, other backup software, or Dropbox to retrieve older versions of your financials.

Quicken 2007 made heavy use of palettes and windows and menu items, which was common in older Mac apps. The 2015 version integrates the Accounts view directly into the main window, as well as reports, bill reminders, investment views, and budget. It’s a good approach, because you rarely need to see those elements in multiple windows at once. However, if you do want to bring up multiple items at once, you can right-click on any item in the list on the left of the main screen and duplicate the view into its own window.


Preferences are similarly slimmed down: many options are now gone and others are neatly integrated into contextually appropriate places. For instance, right-click anywhere on the header bar of any view and you can choose columns to show or hide. (You can also click a Columns button at the bottom right of the view.)

Entering and reconciling transactions in Quicken 2015’s simplified view is much the same as in the 2007 edition, but Intuit has made improvements in the amount of detail you can attach in this update. Click the New button to create a transaction or double-click on an existing transaction, and you can modify simple details: date, payee/payer, category, amount, and any other editable columns you choose to display.

(Massive irritant: the default view doesn’t show the Reconcile column, which would seemingly be the point of integrating online accounts with a financial app. And after this many years, there is still no keyboard shortcut to mark an item reconciled, my single most common mouse action in the program?)

Click Edit Details, and you get a four-tab view containing:


Altogether, transaction entry and editing is improved, but it often requires more clicks or pressing Return than should be necessary. If I press Return, that signals “I’m done editing” in most software; in Quicken 2015, it advances to the next field if the cursor is in the date or payee/payer field, and accepts the transaction and records it only when the focus is on the category field.

If you’re familiar with Smart Payees from Quicken 2007, the change in Quicken 2015 may be maddening. Smart Payees used patterns or partial matches to identify similar items or rewrite them from imported online transactions or imported data files to improve reporting. For instance, one grocery store chain in Seattle shows up on my credit card bills as several because each store has a unique number. Quicken 2007 had “learned” all these, and they all collapsed on entry to a single line item.

In Quicken 2015, the Smart Payees set of rules has disappeared, and you’re left with a simple text entry. If there’s a way to edit these rules I haven’t found it, and if it’s really gone, that would mean that all imported entries from 2007 would have changed from storing both the original data and the display/report name to just the plain text of the matched name — reducing utility in my older records!

The category entry has also been simultaneously improved and made worse. Start typing in the field, and it pre-fills matching entries and also provides a useful pop-up menu with all the matching options. However, unlike in Quicken 2007, you can’t type a colon to jump to the next level in hierarchical category. For instance, if I have “Business:Hardware:In-State” defined, I can pull reports for Business, Business + Hardware, and Business + Hardware + In-State. In the past, I could type bus and then a colon to leap to the end and start autofilling the next level. Not so in Quicken 2015, which dramatically reduces my manual entry efficiency.

Linking to Online Accounts -- One of the hardest parts of sticking with Quicken 2007 is that banks and other institutions gave up supporting it over time. My credit union dropped its legacy support two years ago, insisting that I could just switch to Quicken Essentials. No thank you. Happily, Quicken 2015 supported six different institutions that I entered, which reduces a lot of the manual work I’ve had to do.


The online connection seems to be among Quicken 2015’s strongest new components, although Intuit removed the familiar reconciliation screen in the interest of simplicity. That’s a good choice, but it means retraining this old dog.

Each Quicken account, like a bank account or loan, can be linked directly to an institution, but the first time you connect to a site at which you have multiple account numbers associated with a single login, the software prompts you to associate all accounts. You can opt to create a new Quicken account to associate, ignore it, or link it to an existing local account.

After a first failed attempt to set up Quicken 2015 and deal with duplicated transactions (the ones I had entered manually and those downloaded from my various accounts), I discovered that the app offers drag-and-drop transaction matching. You drag a downloaded transaction onto a manually entered one, and it merges the information into a single, confirmed entry. This is nifty, but because Quicken 2015’s online help is so terrible and there is, so far as I could find, no manual, I learned this only after complaining on Twitter and then searching the Web.

Intuit advertises this as a feature, too, but it’s unclear what the utility is until you drill down into what the company means by “drag-and-drop transaction matching.” This drag-and-drop interface replaces Quicken 2007’s wonky transaction-matching window, in which you viewed downloaded items and accepted them one at a time, as a whole, or worked to match them against manual entries. This new method is far superior, and if your accounts actually sync, you should need to use it only rarely.

With my accounts — including separate business and personal accounts at my credit union — I found that it wasn’t always possible to get everything to line up. This surely has something to do both with the cruft of previous data imported from Quicken 2007 and varying levels of support for Intuit’s online banking standards.

For instance, I was unable to get a home equity line of credit to match up until I realized that it probably had outdated information already stored. Even though I hadn’t linked it in Quicken 2015 and had been unable to sync for years in Quicken 2007, the account remained set to sync. Once I disabled and re-enabled online syncing for it, I was able to create the linkage. However, I was never able to get my home mortgage account to link correctly in all my testing, though I don’t know whether to blame the bank or Quicken.

The online sync, which is modal and cannot be canceled, includes a transaction upload stage if you have mobile access enabled. For some reason, on every sync, it wanted to upload thousands upon thousands of my transactions, even if none had changed. I didn’t put the time into figuring out which account was causing the error, or if the problem was with Quicken 2015 or the remote institution.

What’s Missing and What’s to Come -- To Intuit’s credit, the company has been completely up front about what’s not yet in Quicken 2015 and how it may add popularly requested features. One expects, based on my testing, bug fixes and feature adjustments as well. A “compare” page at Intuit’s site shows two lists: at the top, it’s a “positive” list showing every major feature across current and past flagship products (Quicken 2015 for Mac, Quicken Essentials for Mac, Quicken 2007 for Mac, and Quicken Premier for Windows).

It’s odd to note when releasing new software, as Intuit does in the top item, “free feature improvements included,” but the company backs it up with a second list on that page which shows all the lacunae! These proposed features include everything that was dropped or needs to be added, most of which was found in Quicken 2007 and all of which is already in the Windows release.

This is bold and honest, and with the Vote buttons next to each item, I hope Intuit is serious about moving forward. Given that Quicken 2015 dropped amortization support (calculating loan principal for you), advanced reporting, and bill-pay support, there’s plenty of room to grow.

This is an idiosyncratic review, I admit. I have my set ways, which are undoubtedly different from how others have used Quicken over the years. Quicken 2007 was sufficiently rich and robust that everyone was able to choose a different approach, and thus some people will find this new release adequate.

People like me, however, need Intuit to bring Quicken 2015 into closer feature parity with Quicken 2007 so it’s not just a compatibility upgrade with fewer capabilities, but a full-featured financial package that allows us to move forward. For now, I’m sticking with Quicken 2007 as Quicken 2015 is not ready for my version of prime time, but I’ll be keeping a close eye on updates to see when it will meet my needs. If you’re in that subset of users who just need sophisticated tracking and reconciliation, but not reporting, Quicken 2015 may work for you as it currently stands.

Perhaps I am too forgiving. After so many years and so many missteps since Quicken 2007’s initial release, I should have given up on Intuit. (Do all Quicken users feel like Charlie Brown, taking yet another run at Intuit’s football?) But since I still can’t find a comparable package that meets my modest needs for entry, sync, and reporting, I have to hope Intuit succeeds in rebuilding a full 2007 house on 2015’s new foundations.


FunBITS: Goat Simulator Keeps Gaming Weird

  by Josh Centers: josh@tidbits.com, @jcenters

As gaming becomes a bigger and bigger business, it also becomes more and more serious. Back in the 1980s and 1990s, when you thought of gaming, you probably thought of a little Italian plumber who eats magic mushrooms and jumps on turtles. Or maybe an animated circle that eats dots while being chased by ghosts. At the risk of sounding like Old Man Centers, games were quirky and fun. These days, it seems like the face of gaming is a bald, angry, usually white man with a grimace and a gun.

And if you think that trend in gaming doesn’t have an effect on your life, consider that Dave Anthony, who directed Call of Duty: Black Ops and Call of Duty: Black Ops 2, is now advising governments on how to sell the public on a police state. “The public won’t like it, they’ll think it’s a police state,” Anthony said of putting soldiers in public schools. He likens selling policy to selling videogames: “We market it, and we market it as much as we can — so that whether people like it or not, we do all the things we can to essentially brainwash people into liking it before it actually comes out.”

Yikes. But I digress.

I suppose the lack of originality from big game publishers is to be expected. As game development has become astronomically more expensive, big-name publishers have become more risk-averse. When they gamble $50 to $100 million on a single game, they demand a return on investment.

The good news is that smaller, more agile developers have an opportunity to cash in with originality, as developer Coffee Stain Studios has with the surprise hit Goat Simulator, which has sold nearly a million copies. It’s now available for the iPhone and iPad for $4.99 (99.8 MB). Check out the official trailer.

How did a game about goats become a smash hit? Before I try to answer that, let me describe the game briefly.

The title might make you think that you manage virtual goat herds, but the name, like the rest of the game, is a joke. The easiest way to describe it is as a parody of the Tony Hawk games, where you thrash around a neighborhood on a skateboard, pulling off tricks for points.

Except in Goat Simulator, you control a goat who trashes a neighborhood (which represents purgatory) for points. You can ram people, objects, and other players; lick things to drag them around; and faint, which leaves you helpless on the ground.

Goat Simulator gives you a lot of toys to experiment with. Cars explode when you ram them, and if you ram a gas pump, it creates an explosion that action-movie director Michael Bay would heartily approve of, flinging you across the map. There are trampolines to jump on, protesters of pointy food to chase, houses to trash, and even a swimming pool.



There are also different goat modes you can unlock and play with, like the Classy Goat (which is a penguin), Spider Goat (who bears a resemblance to a certain super hero), and the Goat Queen (the unlocking of which requires a pseudo-Satanic ritual). You can also equip your goat with a jetpack, which works about as well as you might think.


The visual glitches that were intentionally left in place add a certain bizarre charm to Goat Simulator. The goat’s head often clips through fences and rubberbands in weird ways. There’s no animation when climbing a ladder; the goat just sort of hovers up, its head bobbling around like an over-caffeinated bobblehead.


There is no point to Goat Simulator, though there are achievements to unlock and goat statues to collect. But despite being run over and blown up repeatedly, your goat is never injured. Nor are the people it terrorizes. There is no end game to speak of, just endless violent silliness.

Is Goat Simulator the best way you can spend $4.99 in the App Store? Honestly, no. There are plenty of less-expensive games that will provide more fun for longer. At best, Goat Simulator is something you may spend a few minutes or hours on, then rarely pick up again.

That being said, I love the fact that Goat Simulator exists. Apparently, I’m not alone, as it quickly shot up to near the top of app store top charts at launch, selling 100,000 copies for both iOS and Android in less than 6 days.

So what is it about an eccentric, limited game that people have found so compelling? I think it’s that the concept itself is so strange. Playing as a goat, instead of a person, offers a degree of disconnection that lets the player rampage through the virtual world, with less of that uncomfortable sense of identification. Other touches, like the animation glitches, enhance this sense of otherworldliness, making Goat Simulator an even more potent diversion. And ultimately, what is the purpose of gaming if not to escape from reality for a while?

Goat Simulator helps keep gaming weird. And that’s a good thing.


TidBITS Watchlist: Notable Software Updates for 6 October 2014

  by TidBITS Staff: editors@tidbits.com

Photoshop Elements 13 -- Adobe has released Photoshop Elements 13, the latest version of its consumer photo editing software (Jeff Carlson covered version 11 in “Take Control of Your Digital Photos on a Mac”). The new release adds the Photomerge Compose feature for easy copying of people or objects from one photo to another; the Intelligent Crop Suggestions tool that can recommend four different crops based on analysis of faces, horizons, and more within an image; and three new Guided Edits that help you fine-tune black-and-white photos. The Expert mode now offers a total of 50 ways to tailor photos in a single click, and it adds a Facebook-specific feature that enables you to create customized cover and profile photos that combine into an integrated layout. A free trial of Photoshop Elements 13 is available, but you’ll first need to download and install the Adobe Download Assistant and sign in with an Adobe ID. ($99.99 new, $79.99 upgrade, 1.96 GB, 10.8+)

StuffIt Deluxe 16 -- Smith Micro has released StuffIt Deluxe 16 for Mac, a major new release of the long-standing compression and archiving utility. The StuffIt Destinations feature gets a couple of new additions, including the capability to add custom tiles to the StuffIt Destinations toolbar and integration with several popular cloud services, including Dropbox, Google Drive, Microsoft OneDrive, and Smith Micro’s own SendStuffNow. (StuffIt Deluxe 16 comes with a free six-month subscription to the SendStuffNow online storage service.) The StuffIt Archive Manager receives a new QuickLook search feature, and its streamlined navigation should make opening, expanding, creating, and scheduling archive creation go more smoothly. StuffIt Deluxe 16 now requires OS X 10.8 Mountain Lion or later. The separately available StuffIt Expander 16 remains free for those who need only to expand a host of formats including StuffIt archives, encrypted Zip archives, and more. ($49.99 new, $29.99 upgrade, 10.8+)

Default Folder X 4.6.9 -- St. Clair Software has released Default Folder X 4.6.9 with several fixes to improve compatibility with OS X Yosemite. The Open and Save dialog enhancement utility’s menu bar icon now works correctly in Yosemite’s dark mode, and version 4.6.9 resolves problems that disabled the path menu above the list of files in Yosemite file dialogs and caused hierarchical menus to be empty when showing folders in /Volumes. The update also enables Photoshop to set a starting folder inside your ~/Library folder, adjusts several keyboard shortcuts to work correctly on Dvorak keyboards, and fixes a bug that prevented use of command keys to switch between folder sets. ($34.95 new, $10 off for TidBITS members, free update, 10.6 MB, release notes, 10.6+)


ExtraBITS for 6 October 2014

  by TidBITS Staff: editors@tidbits.com

As Apple pushes into the fashion world with the Apple Watch, Vogue profiles Jony Ive, and smartwatch pioneer Pebble rethinks its strategy. We learn the secret origin of the Fifth Avenue Apple Store, Consumer Reports sees if the iPhone 6 will bend, and an iCloud Drive bug could delete your data.

Vogue Profiles Jony Ive -- Another sign of Apple’s push into the fashion world: Vogue has published an in-depth profile of Jony Ive, Apple’s SVP of Design. Interestingly, Vogue got to look at the Apple Watch weeks before it was announced. The magazine article details Ive’s upbringing, education, and his design philosophies. “I think what we sincerely try to do is create objects and products and ideas that are new and innovative,” Ive said, “but at the same time there is a slightly peculiar familiarity to them.”

Pebble Cuts Prices, Adds More Features -- Until Android Wear and the Apple Watch announcements, Pebble was the hottest smartwatch company on the scene. Now, with big-name competition, Pebble is slashing the price of the original Pebble by $50 (to $99) and the Pebble Steel by $30 (to $199). The company is also adding background sleep and activity tracking to its smartwatches. Its new marketing campaign pokes fun at Apple’s SVP of Design, Jony Ive, saying “Breathe, Jony. It’s just a watch. Chill.”

The Story of the Fifth Avenue Apple Store -- The glass Apple Store cube at the corner of 57th Street and Fifth Avenue isn’t just a New York City landmark — it’s as iconic as any product Apple has released, if not more so. But what you may not know is that the actual store, underground, was an unused basement for 40 years. New York Magazine tells the story of how Steve Jobs and real estate developer Harry Macklowe worked together to turn an unwanted basement into one of retail’s greatest success stories.

Debunking the Bendable iPhone 6 -- Much has been made of claims that the iPhone 6 and iPhone 6 Plus are prone to bending in people’s pockets. Consumer Reports, which drew attention to antenna issues in the iPhone 4, put both phones to a “three-point flexural test,” the same test that Apple uses. While Apple reportedly tests with only 55 pounds of force, Consumer Reports found that the iPhone 6 didn’t deform until it reached 70 pounds of force, and the iPhone 6 Plus held up even better, deforming at 90 pounds of force. While the iPhone 5 is much tougher, deforming at 130 pounds, the iPhone 6 still exceeds even Apple’s own standards.

iCloud Drive Bug Could Erase Your iCloud Data -- If you’ve enabled iCloud Drive, be leery of using Settings > General > Reset > Reset All Settings to reset an iOS device, as doing so could erase at least some of your iCloud data. MacRumors has confirmed that activating that option after upgrading to iCloud Drive deletes all iWork documents stored in iCloud. However, iCloud documents that cannot be accessed by iOS, like those in Preview and TextEdit, appear to not be affected. Just another reason to hold off on upgrading to iCloud Drive until Apple works out the kinks.


This is TidBITS, a free weekly technology newsletter providing timely news, insightful analysis, and in-depth reviews to the Apple Internet community. Feel free to forward to friends; better still, please ask them to subscribe!
Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.
Copyright 2014 TidBITS; reuse governed by this Creative Commons License.