Apple Resumes Shipping PowerBook 5300s — Following the firestorm of negative publicity concerning safety problems with the batteries in its new PowerPC PowerBooks, Apple announced on 25-Sep-95 that it was resuming shipments of the 5300-series PowerBooks, having replaced the original lithium-ion battery packs with nickel-metal-hydride (NiMH) batteries originally developed for the PowerBook 190. (See TidBITS-295.) Apple also announced new pricing for the 5300-series machines that should lower street prices by about $100. There are no known safety issues with the NiMH batteries (although I’m sure it wouldn’t be a good idea to eat one for dinner); however, they’re expected to deliver about 20 percent less battery life than the original lithium-ion batteries. [GD]

Quarterdeck Acquires StarNine — Hot on the heels of StarNine’s acquisition of the Macintosh version of Microsoft Mail (see TidBITS-296), Quarterdeck Corporation announced on 28-Sep-95 that it has acquired StarNine for nearly 700,000 shares of Quarterdeck common stock. In case you’re wondering who Quarterdeck is, you’ve been fortunate to live in a Macintosh-only world: Quarterdeck is a major developer of utility and remote computing software for DOS and Windows, including Internet products, a version of Mosaic, and the famous (infamous?) QEMM enhanced memory manager. This is the latest in a series of Internet-related purchases from Quarterdeck, and they’re expected to take advantage of StarNine’s Macintosh development experience to port its existing Windows and Windows 95 Internet products to the Macintosh, as well as ship StarNine’s email software with its own products to provide "complete" cross-platform solutions. Quarterdeck is also expected to place a high priority on porting StarNine’s WebSTAR HTTP server product to Windows NT and/or Windows 95. [GD]

http://www.quarterdeck.com/
http://www.starnine.com/

English DeskWriter Drivers for PCI Macs — In TidBITS-296, we noted HP has made new drivers available to address serial printing problems with DeskWriters and the new Power Mac 7200, 7500, and 9500; however, we incorrectly said these drivers were available in versions other than English. Hewlett-Packard has (cleverly) named all its DeskWriter files in such a way that it’s difficult to determine whether updates have been made. We apologize for any inconvenience – the URL for the English version of the drivers remains: [GD]

ftp://ftp-boi.external.hp.com//pub/printers/ software/dw110en.hqx

Apple Paris Expo Follow-up — We gave the wrong email address for Richard Erickson in his article in TidBITS-296 on the recent Apple Expo in Paris; Ric can be reached at <[email protected]>. Ric also writes to let us know that Nomai strongly prefers the media for its new 540 MB removable media drive be called "diskettes" rather than "cartridges," since they’re based on a flexible media and not compatible with SyQuest drives. Gee, I hope I don’t get them confused with floppy disks, or CD-ROM disks, or magneto-optical disks, or…. [GD]

We’ve decided to try something a little different. Today’s computer industry continually pressures companies to lower prices, but at the same time the price of entrance for a small business trying to make a name for itself continues to increase. A single four-color page in Macworld reportedly costs over $30,000, and the other major magazines charge comparable rates. Yet advertising remains a necessity in the industry, especially in the less-traditional formats, such as the constant stream of MacWare/Mall/Connection catalogs we all receive every other week. Those catalogs aren’t merely collections of software for you to browse and order – they’re also big-time advertising vehicles, and the ad revenues no doubt go a long way toward keeping mail order prices low.

But isn’t the Internet the great equalizer, the place where the little guy can appear larger than life? Yes, certainly, but it’s never guaranteed, because (as I’ve said for some time now) you need content, but attention is even more important. Lots of people have great products and great content, but far fewer have the necessary level of attention.

TidBITS has that attention, if our mailing list of 26,000-plus readers and estimated total readership of 150,000 is any indication. And, we think we’ve found a way to use our strength to do something interesting. We call that something DealBITS.

DealBITS is a new publication of sorts, parallel to TidBITS but independent and rather different. Instead of offering editorial opinions, news, and reviews, DealBITS is devoted to straight-up advertising.

I can almost hear the collective gasp. That’s right, DealBITS is an unabashed advertising vehicle. This may seem out of character for us, but let me explain our two major goals for DealBITS, and I think you’ll see how it fits in with our philosophies and ideals.

First, we want DealBITS to serve the Mac and Internet communities by ensuring that every advertisement in DealBITS is a deal that will interest the sort of people who read TidBITS (in other words, ads for computer stuff). Everyone’s interested in getting a good deal on hardware, software, and services, and we require that companies advertising in DealBITS offer lower prices, free shipping, free t-shirts, or something that constitutes a deal. No deal, no ad. Along the way, we’re trying to encourage some of our pet ideals – email addresses in every ad, Web site URLs when possible, and non-800 numbers and fax numbers for overseas readers.

Second, we want DealBITS to help level the playing field between large and small companies. Sure, Microsoft can afford those mega-buck, multi-page ads in the big magazines, but most companies can’t. We’ve set the price of advertising in DealBITS low enough that any company should be able to afford it. In addition, we’ve set some rules to keep things equal, including a size limit of 250 words and a no-exceptions policy of one ad per company. And, of course, we’ll be sticking with our standard setext format and clean HTML design, sans graphics, so companies will have to make themselves stand out by providing great deals. If DealBITS can help put some small companies with innovative products on the map, we’ll be happy. If DealBITS can get TidBITS readers some great deals on cool products, we’ll be even happier.

In addition, DealBITS has virtually no impact on TidBITS. This article and a two-line announcement at the beginning of TidBITS issues is all the evidence of DealBITS you’ll see. These advertisements will not appear in TidBITS, and TidBITS readers need only see DealBITS if they’re interested.

Details — As far as the details go, a new issue of DealBITS will be published on the first and third Monday of each month. Like TidBITS, you can get it in many ways, including email, FTP, and the Web.

• To receive a single issue via email as an auto-reply, send email to <[email protected]>.
• You can subscribe to a special DealBITS mailing list and receive each issue automatically when it’s released. Send email to <[email protected]> to subscribe, and you can sign off by sending email to <[email protected]>.
• DealBITS will be available by FTP and the Web at the following URLs:

ftp://king.tidbits.com//King/pub/dealbits/
http://king.tidbits.com/dealbits/

Everything will be run from our new Apple Internet Server 6150 using Peter Lewis’s FTPd, StarNine’s WebSTAR and ListSTAR, and Apple’s Apple Internet Mail Server. Assuming I’ve set the programs up right and assuming the 56K line provides sufficient bandwidth, everything should be copacetic.

We won’t be distributing issues of DealBITS on the commercial online services. All the commercial services offer free or inexpensive Internet email and most offer FTP and Web access as well, so there’s no reason to look beyond the Internet.

Unlike TidBITS, DealBITS issues aren’t meant to be kept around. Once a new issue comes out, it totally replaces the previous one, which will disappear from our site. Deals may only be good for the time the ad exists in DealBITS, so there’s no point in archiving old issues.

How will DealBITS interact with TidBITS? Not much. TidBITS will continue its sponsorship program, because the sponsorships provide a different (and more noticeable) form of exposure. There’s no way we could fit the content of DealBITS into TidBITS, from both the perspectives of space and editorial mission. The DealBITS footprint within each issue of TidBITS will be just two lines at the top, much like the sponsorship mentions. As with the sponsorships, we’ll mark when the contents of DealBITS change.

If your company is interested in finding out more about participating in DealBITS, send email to <[email protected]> and we’ll send along details about costs, content, and the like.

The goal is for everyone involved in DealBITS to come out ahead. Readers can take advantage of better deals than would otherwise be available, and companies both large and small can present their products to Macintosh and Internet users on a playing field where company size and budget won’t hamstring great products.

As a new Power Macintosh 7200/90 owner, I wanted to pass on a few impressions and a warning. First the warning: Beware the kickstand! After opening the hinged power supply and drive assembly (which works great!), I installed extra DRAM and VRAM. I then moved to close it – there was a moment of slight resistance, then SNAP! I had broken the little plastic kickstand that is meant to hold the machine’s swing-out assembly upright. It took so little effort to snap that it doesn’t seem capable of providing much support. I then read with amusement three reports in <comp.sys.mac.hardware.misc> from people who did the same thing. One of them reported that after suffering on hold at 800/SOS-APPL, Apple sent them five new ones in the mail. Owners of the 7200 and 7500 should be careful of this little kickstand.

In terms of memory, I found out some interesting facts. My Apple dealer and also a RAM vendor were under the mistaken impression that the 7200 does memory interleaving. It doesn’t, although the 7500, 8500, and 9500 do when DIMMs are installed in pairs and in paired slots. This means that it’s better for 7200 owners to get one 16 MB DIMM and save some money and a slot, rather than buying two 8 MB DIMMs.

Finally, neither the 7200 nor the 7500 ship with a level 2 (L-2) cache DIMM installed, so price or performance comparisons with the 8500 (which has a 256K L-2 cache DIMM) should take this into account. Also, the L-2 cache DIMM used by the PCI Power Macs seems to be difficult to find at the moment. Rumor has it that the L-2 cache DIMMs are constrained by supplies of the high-speed memory chips used.

[A quick check of memory vendors indicates L-2 cache DIMMs are more widely available, but many vendors were currently out of stock. -Geoff]

If you do significant work with secure transactions over the Internet using Netscape Navigator, you might want to download version 1.12 of the popular Web browser, which patches a security loophole identified by Ian Goldberg and David Wagner, two U.C. Berkeley students, a little over a week ago. This version doesn’t incorporate any new features of the forthcoming Netscape 2.0, but allegedly fixes a problem that could allow savvy hackers to decipher Netscape-encrypted transactions in a relatively short amount of time (estimates range from a few seconds to a few hours per message, depending who you talk to).

http://www.c2.org/hacknetscape/

Netscape was very fast to respond to the discovery and (correctly) points out this is still a potential problem since there are no known cases of it having been exploited. However, news of the problem made it all the way to The New York Times, The Wall Street Journal, and CNN, and one wonders if there wasn’t some pressure put on the company by nervous investors holding their brand-new (and over-valued) shares of Netscape stock.

http://home.netscape.com/newsref/std/random_ seed_security.html

Where to Find It — Netscape has released both a new version of Navigator and a patcher application to update 68K, fat, and PowerPC versions of Netscape 1.1 to version 1.12:

ftp://ftp.netscape.com//pub/netscape/mac/ netscape-1.12.hqx
ftp://ftp.netscape.com//pub/netscape/mac/nscp_ 1.1_to_1.12_patch/

As usual, read the licence agreement and export restrictions before you download a copy. Netscape has seven FTP sites online right now, so if the URL above refuses connections, put the number 2 through 7 after "ftp" in the site names above to access a parallel site. Note some of the links to the Mac versions on Netscape’s own download pages are incorrect, since they point to version "1.22", which is correct for various versions of Windows, but not for Macintosh or Unix.

The Nature of the Problem — So what’s the fuss all about and should you be worried? The bottom line is that if you use Netscape to browse the Web and maybe buy the occasional book or CD, don’t break a sweat. Typical Internet users very rarely use the security features built into Netscape, and the Unix versions of Netscape Navigator are the ones most exposed to this problem. However, these events illuminate some interesting aspects of the technology behind online transactions.

The version of Netscape Navigator available for export uses a 40-bit "seed" to encrypt online transactions. An individual bit can have two values – the fabled 0 and 1 – so 40 bits allows 2^40 (about 1.1 trillion) possible combinations of bits that can be used for a seed. The idea is that these 40 bits are determined randomly – that is, it should be just as likely for one sequence of 40 bits to be used as any other sequence of 40 bits. Hence, clandestinely decrypting one of these transactions requires a hacker to use a "brute force" method (trying one combination of 40 bits after another in order) until they finally stumble across the correct sequence that allows them to decrypt the message.

Although testing up to 1.1 trillion combinations seems daunting to most folks, it’s considered barely adequate by people involved with computer security, and in light of the explosive increase in computing power over the last few years, they’re right. The not-for-export version of Netscape uses a considerably larger 128-bit key (allowing about 3.4^38 combinations) which is considered reasonably secure. However, 128-bit encryption keys are considered a munition by the U.S. government and, hence, cannot be exported. A 40-bit encryption key is the largest allowable under U.S. export law, so that’s what the exportable versions of Netscape use.

The problem with Netscape is not that Ian and David found some new algorithm to quickly break all 40-bit encryption schemes; instead, they found a problem with the way Netscape "randomly" determines the 40 bits it’s going to use for the key. Some intelligent guesswork based on the time and process attributes of the Netscape application resulted in a substantially fewer than 1.1 trillion possible combinations of keys, making a brute force test of the remaining combinations much more practical. Ian and David claim to have determined the key used for transactions within as little as 25 seconds on a high-end machine; furthermore, once you have a valid key, determining the keys used for subsequent transactions is apparently rather simple.

Netscape has determined the problem will also affect the 128-bit version of its encryption scheme (although it still remains considerably harder to break); however, perhaps more significant is how the problem may affect users of the Netscape Commerce Server product. With the Commerce Server, it may not be simply a matter of installing a software update; users may have to generate and validate new digital signatures using the updated software. Netscape has had little to say about this possibility, save that it will issue a patch for Commerce Server customers.

Security Through Obscurity — Netscape claims this key-generation problem does not affect its Secure Sockets Layer (SSL) or other encryption technologies, but – at the moment – there’s simply no way to know for certain if this or other problems might impact those features. In its public response to this problem, Netscape announced it will begin consulting with a group of external security experts to validate its solution to this problem, and "to work with Netscape’s internal security experts to review the design and implementation of security in Netscape’s products and to provide an additional measure of assurance that these products implement the highest levels of security possible."

It seems to me that what’s most important about this statement is what’s not said: it implies that previously Netscape has not been consulting with external experts, and is only doing so after a problem was uncovered. When one considers the sheer number of client and server products Netscape develops, the nature of the security features they implement, and the length of those products’ development cycles, there would seem to be a possibility that other, as-yet-undiscovered problems exist. For security software to be considered reliable, it seems reasonable that it should be subjected to wide-ranging, detailed scrutiny.

Although Netscape seems to be taking these issues seriously, their statement also makes no mention of whether it will supply these security experts with details of its security implementations. Releasing detailed information might seem counter-intuitive – after all, you don’t give a thief the combination to a safe then see if that thief can open it. However, without releasing that information (even to trusted "external experts" rather than the general public), Netscape is relying on "security through obscurity" – basically assuming that if no one knows how their security software works, no one will be able to compromise it.

It’s worth noting that security algorithms don’t have to be secret to be effective – the methodology behind DES encryption has been well-known for years, and recently t-shirts have been appearing with "munitions-grade" encryption schemes printed on them. By failing to make their security mechanisms available for scrutiny, users and customers must decide whether they trust Netscape when it says its software is secure. In light of last week’s events, that question is probably on a lot of people’s minds.

Mountains and Molehills — Again, it should be emphasized this particular problem does not impact the vast majority of Netscape users, and the odds of anything bad happening even if you are affected are pretty darn low. Also, Netscape’s response to the problem was rapid and public, which is more than can be said for most software companies faced with issues of this nature. Still, combined with popular paranoia about computers and the Internet, these events make clear that online security and transactions are now a headline issue.

Tonya and I recently acquired one of Apple’s QuickTake 150 digital cameras, and it’s probably the Apple device that’s most affected us since the PowerBook 100 (the machine I’m using to write this, by the way). The QuickTake 150 holds either 16 or 32 pictures, depending on whether you shoot in high or low resolution. You can switch between resolutions on a per picture basis, but we’ve settled on using only the high resolution setting. I’m not quite sure (and the manual is singularly unhelpful on this count, as it is on most technical issues) what the difference between high and low resolution is, since both claim to be 640 by 480 and 24-bit color. I suspect the difference is in the level of lossy compression performed within the camera.

http://www.info.apple.com/qtake/

What’s made the difference with the QuickTake over the previous cameras we’ve owned is that there’s little or no penalty to shooting a bad picture with the QuickTake. Perhaps the only thing to concern yourself with is the number of pictures left at any given time. When we went to a friend’s wedding several weeks ago, we solved the capacity issue by simply bringing a PowerBook and the serial cable necessary to download the pictures from the camera to the PowerBook’s hard disk. Downloading the pictures is, for a computer person, probably easier and faster than changing a roll of film, and it’s instant gratification.

From a cost standpoint, once you’ve bought the $700 QuickTake camera (which isn’t cheap, especially considering the low-quality optics), your only recurring expense will be batteries, and the lithium batteries that come with our QuickTake 150 have lasted for several hundred images with no indication of dying yet. You can buy a lot of film and developing for the difference in price between the QuickTake and a point-and-shoot camera, but if you take many pictures, the QuickTake will eventually win out. And, if you’re like us, it always takes so long to get a roll of film developed that you forget some of the details of what was going on when you took the picture. We never would have taken 200 pictures in the last eight weeks with our regular camera, and we would have felt awful about the 50 or so photos that came out badly. With a digital image, a simple drag to the Trash solves that problem entirely.

Although the physical dimensions of the camera make it a conversation piece (it looks a bit like high-tech binoculars and garnered numerous comments at our high school reunions this July), you can use it in some interesting and subtle ways because it’s digital. For instance, most cameras make noise when the film winds, but the QuickTake, apart from a low click, gives almost no indication that you’ve taken a picture (assuming it’s light enough that the flash doesn’t kick in). Add this to the fact that you can crop and manipulate images in PhotoFlash – the image-editing application that Apple ships with the QuickTake 150 – and you realize that you can more easily take pictures from the hip, or holding the camera in a strange position in which you cannot see through the viewfinder. Sure, you might center the subject in the frame badly, but if you get it at all, you can fix the image later. It makes for some interesting pictures of people who aren’t expecting to be photographed, although the quality on motion shots isn’t good.

Once you’ve become accustomed to the relative freedom of taking pictures whenever you want, you start to realize how much additional freedom you’re afforded by having the images in digital form. For instance, you can attach the images to email and send them to friends and family, you can put them up on a personal Web page, or you can easily edit them and send them in to the National Enquirer as evidence that communist space aliens have taken over the U.S. ketchup industry. Physical photos are a pain to duplicate, and you probably wouldn’t get more than two copies of any standard image. But, of course, you can make as many copies of digital images as you want, which makes it easier to share them more widely. And since PhotoFlash is highly scriptable, anyone who knows AppleScript or Frontier at all well could write scripts that let you select images in a PhotoFlash catalog file and save them in an appropriate format and either attach them en masse to an email message or create a simple Web page using the captions you can add to each image.

[It took me about 10 minutes to write Adam and Tonya an AppleScript which exports images selected in a PhotoFlash catalog to an HTML page. The only real problems were caused by Adam misplacing a hard drive. -Geoff]

So no, the quality you’ll see in the images from the QuickTake 150 won’t hold a candle to a camera even a quarter of the price. But you can make up for a fair number of the quality issues with the editing capabilities in PhotoFlash (or Photoshop, if you’re more serious), and in my opinion, the flexibility and freedom afforded you by having the images in digital format is well worth the trade-off. Of course, the quality only stands to improve over time, so even if you don’t feel the 150 is sufficient for your needs, how long can it be before Apple or another company melds the technology (which will improve with time as well) with higher quality optics?

There are of course accessories for the QuickTake 150 that improve some of its capabilities, and there are also several other digital cameras that are becoming readily available. Tune in next week for another article on those two topics.