Previous Issue | Search TidBITS | TidBITS Home Page | Next Issue
Is your wireless network secure? The better question is: how can you evaluate the level of security you should implement? Adam weighs in with his Three L's of security. While you're thinking ahead, Jeff Carlson explains things to consider when buying a laptop bag. Also, we announce the winner of last issue's DealBITS drawing for an autographed can of Spam, and note the releases of Security Update 2004-04-05, Retrospect 6.0.193, LaunchBar 3.3 and 4.0b1, and Panorama V 4.9.6.
Copyright 2004 TidBITS: Reuse governed by Creative Commons license
<http://www.tidbits.com/terms/> Contact: <firstname.lastname@example.org>
This issue of TidBITS sponsored in part by:
Make friends and influence people by sponsoring TidBITS!
Put your company and products in front of tens of thousands of
savvy, committed Macintosh users who actually buy stuff.
For more information and rates, email <email@example.com>.
READERS LIKE YOU! Help keep TidBITS great via our voluntary
contribution program. Special thanks this week to Alpha Walker,
John Gebhart, and Andrew Laurence for their generous support!
SMALL DOG ELECTRONICS: iMac Sale!
iMac G4/1.25 GHz 20" SuperDrive Only $1949! iMac G4/1GHz 17"
SuperDrive Only $1545! iMac G4/1GHz 15" Combo drive Only $1095!
Visit: <http://www.smalldog.com/tb/> 802-496-7171
FETCH SOFTWORKS: Is maintaining your Web site tedious? Use
Fetch, the original Macintosh FTP client, and you can record
AppleScripts that automate repetitive uploads and downloads.
Get Fetch now at <http://fetchsoftworks.com/>!
Dr. Bott, LLC: We got into this business because we love
computer stuff. We now have the chance - the DUTY - to sit and
geek out with technology every day under the guise of "work."
And if it's cool enough, we sell it. <http://www.drbott.com/>
Web Crossing: Free _Web Crossing Express_ now adds discussions &
plug-ins (low-volume) to the unlimited Web/FTP/email server.
Plug-ins add blogs, wikis, RSS, & more. Perfect for small biz,
families or clubs. Try it! <http://www.webcrossing.com/tb-304>
Security Update 2004-04-05 Released -- Apple posted two versions of Security Update 2004-04-05 for Mac OS X today. The update for Mac OS X 10.3.3 Panther replaces the Mail, OpenSSL, libxml2, and CUPS Printing components and is a 3.7 MB download. The update for Mac OS X 10.2.8 Jaguar includes only the CUPS Printing update, but also incorporates Security Update 2004-01-26 and is a 4.8 MB download. No other details were released; the updates are available from Software Update or as standalone downloads. [JLC]
Retrospect 6.0.193 Released -- Dantz Development has released Retrospect 6.0.193, a minor update to the company's powerful backup program (see "Dantz Ships Panther-Compatible Retrospect 6.0" in TidBITS-714). Retrospect 6.0.193 is designed to address a number of annoying bugs and incompatibilities. It features a workaround for a change in Mac OS X 10.3.3 that prevented tape autoloaders and fibre channel tape libraries from working, and offers better performance for duplicates and restores during the Closing phase. This version also works better with pre-6.0 backup sets: freezes and errors when accessing pre-6.0 backup sets have been addressed; it now allows New Media backups to pre-6.0 backup sets; and you can now restore data from pre-6.0 Internet backup sets. Also important is the included Retrospect Driver Update 5.2.101, which solves crashes when backing up to VXA and DAT drives, fixes a problem with the magazine being ejected from a desktop autoloader after cleaning, and eliminates a crashing bug that could occur during device scanning if more than 2 GB of RAM was installed. Retrospect 6.0.193 is a free update to registered users of Retrospect 6.0; it's a 23.8 MB download. [ACE]
LaunchBar 3.3 and 4.0b1 Released -- Objective Development last week released both LaunchBar 3.3, the latest version of their slick keyboard-based application launcher, and LaunchBar 4.0b1, a public beta of the next major version (see "Tools We Use: LaunchBar" in TidBITS-671). LaunchBar 3.3 distinguishes itself by scanning address books for phone numbers, which are displayed in large type when accessed via LaunchBar. Most of the other changes are relatively minor, though undoubtedly welcome to specific users (for instance, you no longer need to press Command to move the LaunchBar window, and Unix aficionados can now navigate the search results list with Emacs key bindings). It's a 269K download and is free to registered users; new copies cost $20 for home use or $40 for business use.
LaunchBar 4.0b1, though, brings major features to the application, including a new configuration interface, a multithreaded indexing engine that scans in the background, new scanners dedicated to specific types of data (such as music in iTunes, pictures in iPhoto, Web browser history, Watson tools, Sherlock channels, and more), built-in Web searching, an Open With command, access to recent documents for any application, and execution of AppleScript scripts and Unix executables. It's a beta, so if you're not willing to take the usual precautions, stick with version 3.3. It's a 450K download. [ACE]
Panorama V 4.9.6 Released -- Back in September 2003, we noted in TidBITS-697 that ProVUE Development had released a public preview version of Panorama, their long-standing database program. Although Panorama V retains its preview status, it's working well in Mac OS X and ProVUE continues to add features quietly while moving toward a major release. New in the just-released Panorama 4.9.6 is a feature called Channels that links data in Panorama to the outside world in abstracted ways, initially via dialing the phone and sending email; a Channel Workshop wizard helps develop new channels. Another new feature, "generic fields," helps you link Panorama databases with similar information, and to link a database with external software such as Mac OS X's Address Book. More minor improvements include scroll wheel support, additional options for elements like checkboxes and radio buttons, support for building AppleScript scripts on the fly, and the capability to run procedures in the background. The upgrade is free to registered users of the preview version; anyone who wants to give Panorama V a spin can download the 7.4 MB file and use it with up to 250 records. [ACE]
DealBITS Drawing: Autographed Spam Winner -- Although we had only 257 entries in our one-day DealBITS drawing for an autographed can of actual Spam, as announced in last Thursday's extracurricular issue, the competition for that can was hot and heavy, with a number of people begging for special dispensation. But such shenanigans would be against our carefully amended rules, which made for tasty reading, so I'm pleased to congratulate Guy Plunkett III of charter.net, whose entry was chosen randomly and who will be receiving a can of Spam, autographed by me. It's worth $2.95 in raw materials, although I wouldn't be surprised if Guy could get $4 or even $5 if he were to auction it on eBay. Unfortunately, our deal with Hormel to provide a discount on Spam by the case fell through, so if you're hankering for some Spam Quesadillas, Spamghetti and Spamballs, or other delicious Spam treats (or even if you just want to break into the cutthroat world of Spam architecture), you'll have to ante up full price on your own. Many thanks to those who entered this special DealBITS drawing, and for those who either didn't win or failed to enter because you thought we were kidding, I hope the devastating disappointment you're undoubtedly experiencing won't prevent you from participating in the future. Who knows, maybe this time next year I'll give away a can of Turkey Spam. [ACE]
by Adam C. Engst <firstname.lastname@example.org>
Crackers, worms, viruses, zombies, trojans... it seems as though the promise of constant access and instantaneous communication through networking has been twisted in such a way that people are afraid in ways that few expected back in less-connected days. In large part because of co-authoring The Wireless Networking Starter Kit with Glenn Fleishman, many of the interviews I do end up working their way around to security, which I find somewhat depressing. For me, wireless networking is all about breaking down barriers - physical barriers - and I'm more interested in sharing connectivity than erecting virtual barriers.
Nonetheless, there are very real situations in which security - often serious security - is called for, and in trying to help people decide if they need it, I've come up with what I call the three L's of security: Likelihood, Liability, and Lost Opportunity. This article will help you think about security in general and wireless security in particular; to learn more about how to address wireless security concerns, Glenn and I wrote four chapters on the topic in The Wireless Networking Starter Kit, Second Edition, available in both paper and electronic form.
Likelihood -- The first aspect of security to consider is likelihood: how likely is that someone will violate your privacy, steal your belongings, or otherwise exploit you? For instance, when I was growing up in rural New York State in the early 1980s, my family lived on top of a hill in the middle of roughly nowhere. Our nearest neighbors were a mile away, the dirt road that went by our house seldom saw an unrecognized car, and the road wasn't even plowed past our house in the winter. As a result, I left the keys to my car (a rusty Dodge Colt that needed bits of mouse nest cleaned from its fuel filter on a regular basis) in the ignition when it was parked in the driveway. It was easier than bothering to bring the keys inside, and when I evaluated the likelihood that anyone would steal the car, I just couldn't see it happening.
Fast forward ten years to when Tonya and I were living in a populous suburb of Seattle. Our car was a shiny red Honda Civic, we barely knew the next-door neighbors, much less everyone on the street, and unknown vehicles zipped by day and night. We did not leave the keys in the car when it sat in our driveway; we locked the doors at all times, and we had a lock that connected the brake pedal to the steering wheel for when we parked in seedier neighborhoods in downtown Seattle. The change in location and situation affected our perception of the likelihood of someone stealing the car, and we responded in kind.
I like to use the car analogy because I think people understand it on a visceral level; a beater car in the country is of course much less likely to be stolen than a new car in the suburbs. But the lesson applies equally well to wireless networks. Your location is important, as is the type of data that passes across your network. If you live in a lightly populated area, and no one could easily come within range of your network without sitting in your driveway, you probably don't have much to worry about. Turning on WEP or WPA and dealing with the passwords is probably more trouble than it's worth. That's especially true if your network is just a standard home network that you use for browsing the Web, checking email, and moving files around. But if you live in an apartment building with neighbors who could pick up your connection, the likelihood of someone connecting to your network rises significantly, generating the question of whether you want to allow others to share your Internet connection or not. Even apartment dwellers aren't likely to have "interesting" (to a thief) data on their network, so there's little incentive for someone to do more than use the Internet connection.
The likelihood of attack increases significantly if you're running a business, since it's plausible that your network would carry sensitive information such as credit card numbers, business plans, and so on. Also, most businesses are located in areas or buildings where someone could easily sit and hack into your network without being noticed.
Liability -- Think about the car analogy again. What was the liability if someone were to steal my rusty Dodge Colt? It was probably worth a few hundred dollars at the time, and although that amount of money meant more to me than it would later, it still didn't compare to the thousands of dollars embodied in the new Honda Civic. Again, with physical property, the liability of loss is fairly obvious. You might not think twice about leaving an old 3-speed bicycle on your front porch, but you'd be much less likely to leave a 21-speed racing bike out there without a strong lock.
Now transfer that kind of thinking to your wireless network. What is the realistic liability if someone were to record all the traffic that passed across your wireless network? For most home networks, the amount of network data that's at all sensitive is extremely low; perhaps a credit card number being sent to a unusual Web site that doesn't use SSL, maybe some financial data, possibly some bits that would be embarrassing if made public.
(It's worth noting that although you should also apply this consideration of likelihood, liability, and lost opportunity to the data on your hard disk, a wireless network is only one way someone could access your stored data. An always-on Internet connection could provide an avenue for attack, and physical theft would also give a burglar access to your files. Of course, if you're using Windows system, even with all the patches applied, firewalls, and anti-virus tools, you may need to take stronger measures than when using a Mac running Mac OS 9 or Mac OS X.)
Simply allowing someone else to use your Internet connection has a relatively low liability in most cases. However, you may think differently if you pay per byte, if you have a slow dialup connection that would be impacted by someone else's use (with high speed DSL and cable modem connections, you're unlikely to notice another user), or if you're concerned that allowing someone else to use your connection would be violating your ISP's terms of service in a way that was likely to result in you being disconnected.
Business are once again a different story. The likelihood of sensitive and confidential information passing through a wireless network is much higher, of course, and the liability of an outsider learning that information is significantly greater. If a business's customer data were extracted from a wireless network, it could involve a disastrous loss of reputation or even lawsuits. And if confidential business plans were learned by a competitor, the ramifications could be catastrophic.
Lost Opportunity -- This last security consideration was suggested by my friend Oliver Habicht, an IT director at Cornell University Library. Oliver pointed out, rightfully enough, that the opportunity cost of implementing and living with security measures also has to be factored into the equation. To return to the car analogy, you can buy car alarms and security systems, but they're expensive and a hassle to use on a regular basis. A car alarm would have been wasted on my elderly Dodge Colt, and it was overkill even for the Honda Civic. Had we owned a Ferrari, though, I would have considered a security system mandatory, and even with our Civic, if petty theft was common, the security system might have been worth it. Put another way, you can expend significant time and money to ensure a high level of security, but would your effort and expense have been better employed elsewhere?
With home wireless networks, the opportunity cost comes mostly in the form of troubleshooting irritating problems, which is more necessary and harder when security is on, and in the annoyance of dealing with passwords with new machines or when you have visitors. In a corporate environment, you have both the extra work of dealing with the security measures and the extra expense of authentication servers, VPN hardware, and so on. But since your data is so much more valuable in a business environment, the expenses are more easily justified... to a point (armed guards with attack dogs patrolling your parking lot may be an excessive reaction to the possibility of someone sitting in a car within range of your wireless network, for instance).
Your Spot in the Security Spectrum -- I hope I've made it clear that there are no cut-and-dried answers when it comes to security. It's up to you to determine the likelihood of someone breaking into your network and either using your Internet connection or eavesdropping on the data that flies by. Next, you must determine the severity of the problems that would ensue from someone using your bandwidth or using a network sniffer to record your data. Lastly, you need to figure out what the lost opportunity of different levels of security is: the higher the likelihood of attack and the higher the liability if your network were to be invaded, the more you're probably willing to spend and the more annoyance you're willing to endure. Only by seeing where your situation fits for likelihood, liability, and lost opportunity can you ascertain how much effort you should expend on security.
by Jeff Carlson <email@example.com>
Unlike buying a desktop Mac, purchasing a PowerBook or iBook often means purchasing a bag of some sort to carry it in. But buying a laptop bag can involve as much, if not more, consideration than buying the computer itself. What sort of cushioning will protect your investment? How much should the bag carry? How often will you be carrying it? And what other features should you look for?
For this article, I originally wanted to review a few specific bags, but because there are so many types of bags and ways that people use them, I'm going to take a broader approach instead and look at some of the factors you should consider when buying this essential laptop accessory.
Types of Bags -- In general, you can find four types of laptop bags. For the traditional business look, you can opt for a briefcase shape that sports one handle and possibly a shoulder strap. Briefcase bags range from slim slabs of leather to bulky expandable contraptions that offer more concealed pockets than you may ever need. The largest of the briefcase-style bags even feature wheels and handles for pulling through airports. (As far as I know, none yet feature their own motors, but never say never!)
Bike messenger-style bags tend to be larger than briefcases, with a strap that goes over one shoulder and across the chest. A second strap that connects to the main strap is sometimes included to improve stability (such as when riding a bike, naturally). Some messenger bags consist of just one large pocket where you store everything, laptop included, but you can also buy modified messenger bags that include padded compartments for laptops and accessories.
Backpacks are also popular, especially among students and travelers who prefer to keep their hands free when carrying their gear. Like briefcases, you can find backpacks that hold little more than the laptop and its power cord, as well as beefier models with enough room for your accessories, a few changes of clothes, and maybe even a very small consultant.
For the minimalist, laptop sleeves have begun to gain popularity. Sleeves hold only the laptop itself, sometimes also including an outside pocket for a few sheets of paper or a couple of CDs, though not a power adapter and cord. Sleeves are often used in conjunction with other bags (of all sorts, not just computer bags) to further protect the laptop.
That said, hybrids and variations abound - some bags can be carried like a briefcase, slung over the shoulder like a messenger bag, and also include straps you can extract to carry the bag like a backpack. The specific type of bag is usually a personal choice based on your likely usage patterns; I own two bags I use regularly: a Timbuk2 messenger bag for when I ride my bicycle to work and a Tom Bihn Brain Bag backpack for when I'm traveling or need to carry more than my minimal complement of gear.
Essential Advice -- No matter which bag style you choose, keep the following factors in mind while you're shopping.
Weight is extremely important. My 15-inch PowerBook G4 is pretty svelte at 5.6 pounds (2.5 kg), but I also carry an extra power adapter, an assortment of cables, Palm organizer, iPod, and other stuff that adds up - I don't need more weight added by the bag itself. Although a rich leather exterior looks sharp, I prefer to carry something made of lighter materials.
Speaking of materials, other than leather you'll commonly find bags made of materials such as ballistic nylon and Cordura (a durable fabric manufactured by DuPont). They're resistant to tears and scuffs and provide some level of water-resistance - though be wary of companies claiming their bags as being "waterproof." Cordura or nylon alone won't keep the liquid out over time, and zippers and seams are often not properly sealed or treated to keep moisture out. If you really need a waterproof bag (if, say, you bike to work in Seattle every day throughout the year), look into getting a dry bag with a roll-down opening, such as those made by Ortlieb. For the ultimate in rough knocks durability, look for something like Matias Corporation's Laptop Armor case, which has a hard outer shell and a padded foam interior.
Also consider the bag's appearance - not just its color or how fashionably it's cut, but whether the bag is appealing to thieves. Too many bags scream, "Laptop inside!" and make for good targets. (TidBITS contributor Gideon Greenspan took the idea of concealment to one extreme when he embarked on a trip through Asia with his PowerBook sheathed in a padded FedEx box; see "Off the Beaten Track" in TidBITS-508.) Backpacks are good because they can just as easily hold textbooks or papers, and may not be worth a criminal's attempt.
The next consideration is access: can you grab your laptop with one hand? Are the buckles, clips, or straps easy to fasten and release (and can those be done with one hand)? Can you get to the laptop without taking the bag off your back or shoulder? This is especially important if you're a frequent air traveler, because you need to extract your laptop as you're going through airport security (at least in the United States; I haven't had the pleasure of visiting another country lately with my computer gear). For this reason I like a bag with convenient access from the top. In contrast, I actively avoid briefcase-style cases that require you to unzip most of the bag, then undo a pair of Velcro straps which anchor the computer into place. That approach might hold the PowerBook more snugly, but it's simply too much work.
And, of course, perhaps the most important factor is a bag that will protect your laptop from the inevitable indignities that accompany everyday use.
Damage Control -- Although a bag gives you a better way to carry your laptop than tucked under your arm, it should also offer protection from bumps, jostles, and environmental nasties. Just how much depends on your comfort level.
At the least, the bag should have some sort of padded pocket for the laptop. If it doesn't, such as with a single-pocket messenger bag design, get a padded sleeve that holds the computer. Even better are bags or sleeves that incorporate some sort of air cushion in addition to padded material. For example, the Tom Bihn Brain Cell sleeve that I use suspends my PowerBook in a sling - if I accidentally drop my bag a couple of inches, the laptop may not even hit the ground.
Just as important, however, is protection from accidental spills and other mishaps. A problem with many bags is that their architecture doesn't provide support for keeping them upright. The weight of a computer and related gear causes the bag to tip over and disgorge its contents. This may not be a big deal when you're sitting on the floor at the airport waiting for a flight, but if you set the bag on a table and it tips the wrong way, that three-foot drop could cause serious damage.
The construction extends to zippers and clips, too. A friend of ours lost his PowerBook because the zipper on his bag slid loose and the laptop (with some help from gravity) pushed itself out into the open air. We've seen bags with zippers that extend almost the entire way around the bag, which seems like a nice idea for full access, but it also makes certain types of accidents far more likely if the zippers aren't closed properly.
Store, Organize, Access -- With the basics of protection out of the way, make sure the bag will hold the other gear that's bound to tag along, and make it easily available. Cables are notorious space-wasters, so look into buying a separate carrying case for them; heavy-duty ziplock bags also work. Nearly all bags come with some type of pockets for pens and pencils to help prevent ink exploding in the bag.
Specialized pockets are also a bonus. Adam has used a Kensington SaddleBag for years, not just because it holds his PowerBook snugly and includes hidden backpack straps for traipsing around New York City during Macworld Expos, but because it includes a clever pocket on the outside flap that's exactly the right size for stowing airline boarding passes or folded-up maps. (The SaddleBag Pro, which I haven't used, also includes a Junk-It drawer - a plastic slide-out tray at the bottom where you can store cables and other small miscellaneous items.) One unusual pocket you might appreciate is an external water bottle pocket; being forced to carry a water bottle inside the bag with his laptop and other gear always makes Adam nervous.
However, be careful of bags with too many pockets: in my experience, more pockets invite you to carry more stuff, which makes you need a bag with more pockets, until ultimately your idea of a portable computer case is one with wheels that hitches to the back of your car. It's more important to find a bag with just the pockets you need, especially when the designer has put a great deal of thought into size, placement, and accessibility.
It's in the Bag -- If at all possible, try to obtain some hands-on time with the bags you're thinking about purchasing. Computer-supply stores tend to have a moderate selection; Apple retail stores carry a several brands and types; and travel and luggage stores are good sources. A visit to Macworld Expo is also an excellent way to compare bags from a number of manufacturers in person. It's always worth asking your laptop-toting friends, who can give you their hard-won advice on what to look for or avoid in a particular case.
Whatever you choose, keep mind that the state of laptop bag design is continually advancing, and you may find yourself wanting a new bag in a few years anyway. Or you may need a new, larger bag to hold Apple's forthcoming 20" PowerBook G5 (kidding!).
by TidBITS Staff <firstname.lastname@example.org>
While we're waiting for the Web Crossing programmers to figure out how to let us eliminate HTML formatting from messages in TidBITS Talk, note that some of the messages in our existing archive are a bit more difficult to read because of the HTML tags. You may wish instead to read these threads in Web Crossing itself, where the HTML formatting is handled behind the scenes. You can see all the TidBITS Talk threads at the link below; the second link below each thread description takes you directly to that thread in Web Crossing. Although we've put absolutely no effort into making the Web Crossing archive look the way we want yet (so no snarky comments, please), you'll find that it's a lot faster than our old archive.
Tactile Pro Keyboard -- Adam's review of the Matias Tactile Pro Keyboard sparked a lot of comment (and reminiscences of truly terrible keyboards of the past), demonstrating that Apple's mushy offerings leave much to be desired. (40 messages)
Fixing keyboards -- On a related note, what are the best techniques for cleaning and repairing keyboards? (6 messages)
Setting up a Mac OS X VPN -- Advice on setting up a virtual private network under Mac OS X. (3 messages)
Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.
Previous Issue | Search TidBITS | TidBITS Home Page | Next Issue