So you think Apple could do a better job marketing Macs on the Internet? Put your mouse where your mouth is and win Apple garb! We also bring you news on Apple’s latest set of Internet servers, info on Internet Explorer and Symantec’s Java development tools, plus Tonya’s overview of new and updated HTML authoring tools, including Adobe’s PageMill and SiteMill. Finally, do you remember the $10,000 Macintosh Web Security Challenge? Find out what did – or didn’t – happen.
Internet Explorer 2.0b3 — Microsoft released beta 3 of Internet Explorer last week. The release includes support for Netscape plug-ins, Internet Config, and GIF animations, as well as an enhanced History feature and support for inline QuickTime movies without a plug-in. If you have a Power Mac and QuickDraw 3D, Internet Explorer also includes preliminary support for VRML (Virtual Reality Modeling Language); ironically, Internet Explorer now directly supports more Mac-specific technologies than Netscape Navigator. The beta can be downloaded from Microsoft’s Web site, and is a little over 1 MB in size. [GD]
Free Java Tools for Symantec C++ — Symantec released its first set of Macintosh Java development tools (codenamed Caffeine) for Symantec C++. Caffeine is free to Symantec C++ customers, and integrates Sun’s virtual machine, Java compiler, and other components of Sun’s Macintosh Java Development Kit into the Symantec Project Manager, letting users create and compile Java applets, then run them in Sun’s Java Applet viewer. Caffeine is a precursor to Symantec’s already-announced Java development environment Cafe, a stand-alone set of Java development tools that will also be free to Symantec C++ customers. The Caffeine release is about 5 MB in size. Caffeine is available for Power Macintosh, with a 68K version due "in a few weeks." [GD]
Apple Recalling Early PowerBook 5300s — MacWEEK reports that Apple is quietly recalling some early PowerBook 5300s shipped on or before 12-Nov-95 and with serial numbers at FC545 or lower. Before you ask, no, the problem doesn’t have anything to do with fire, but rather a potential lock-up during intense use of a PC Card and expansion-bay devices like the floppy drive. Users experiencing problems can call the Apple Assistance Center at 800/767-2775 to get their machines serviced under warranty. [GD]
In TidBITS-311 I wrote about a dinner Apple gave at Macworld Expo to solicit feedback from various Internet folks. In that article I said Apple planned to set up a way for you to provide your opinion on how Apple should market the Mac as an Internet machine. Needless to say, with rumors of acquisition and a change in CEO, things have taken longer than the marketing people at Apple would have liked, but the project’s in place now.
We all know the Mac is a killer Internet machine, but for the most part Apple’s marketing message hasn’t done a great job of expressing that fact, especially in market segments where the Mac isn’t already strong. So, you can help Apple by sending in suggestions for ways Apple can improve its Internet marketing message.
Hang on a second before you start writing. Apple doesn’t want feel-good notes saying "my Mac was super easy to set up on the Internet and DOS sux." (The place to send those stories – especially amusing ones – is Guy Kawasaki’s EvangeList – to subscribe, send email to <[email protected]> with "subscribe macway your name" in the body of the message.) Instead, Apple’s looking for serious messages that point out a specific advantage the Mac has over other systems in quantitative terms. Something such as the following hypothetical example would be helpful:
"Apple should tell IS managers Mac Web servers are easier to set up and more reliable than Windows NT Web servers. I’m a system administrator in charge of 300 Macs and PCs at Widgets International. We recently set up a Power Mac 6100 running WebSTAR and a Pentium running Microsoft’s Windows NT Web server. The Mac server took approximately 15 minutes to set up, as compared to five hours for the NT server, and in the four weeks we’ve been using them, the Mac server has crashed twice, whereas the NT server dies about once per day."
In other words, think numbers. Point out features that make an appreciable difference. Quantify your experiences. Apple wants marketing suggestions about the advantages the Mac currently has as an Internet client, an Internet server, or as a tool for creating Internet content. They’re not looking for suggestions for ways to improve the Mac or Mac software, though. Send your ideas to <[email protected]>.
I’ve made some suggestions as to how Apple can run this project, and as a result, I’ll be writing a follow-up in TidBITS, focusing on some of the best ideas and reporting on how useful the information has been to Apple. In addition, although the email address is an auto-reply (and Apple won’t respond to each suggestion), they will read each one. On a periodic basis, they’ll select some of the best suggestions and award those people an Apple t-shirt wardrobe, including classics like Windows 95 = Macintosh 89; Been There, Done That; MacAttack; and 21 million Macs say thanks. (If you’re especially lucky, they may have a few extra Apple Internet Server Solution shirts, which read "Get your AISS online.")
Apple has promised to avoid the "black hole syndrome," in which they ask for feedback and never provide any of their own. If you go to the effort of making a suggestion, they’ll return the favor and let you know every few months how the project is going.
Here’s your chance to tell Apple how they can do a better job of communicating the Mac’s current Internet advantages. Some advantages may be obvious – such as ease of use – but others may be less clear. For instance, the vast majority of Web servers on the Internet reportedly take less than 5,000 hits per month. Why then, do so many people setting up Web servers think they need a high-end Unix or NT machine, when a PowerBook 100 could handle that many hits if it didn’t get bored and go to sleep?
Again, send suggestions to <[email protected]>. There could be a t-shirt wardrobe with your name on it if you do.
Last week Apple announced a slew of new servers, ranging from the high-end Network Servers to the second release of the popular Apple Internet Server Solution machines. For more information about these servers and their shipping dates, check out Apple’s Web site at:
Network Servers — In a fairly drastic move, Apple announced the Network Servers 500/132 and 700/150, which run not the Mac OS, but rather AIX 4.1.4, IBM’s variant of Unix. The Network Servers are based on the PowerPC 604 chip running at either 132 or 150 MHz, come with two built-in Fast/Wide SCSI-2 channels for optimal hard disk performance, and accept up to 512 MB of RAM. They sport two PCI buses and slots for up to six PCI cards. Reportedly, one of the coolest features of the new servers is their physical design, with a patented access door that provides key-controlled security and access to the main parts of the machine, including the hot-swappable drives (you can install up to seven half-height 3.5" or 5.25" hard drives or three 5.25" full-height drives), hot-swappable cooling fans, and the logic board. The Network Server 700 has an option for redundant, hot-swappable power supplies for truly mission-critical environments. Prices range from about $10,000 to $16,500 for a system without enhancements.
Apple intends the Network Servers to satisfy performance-hungry server customers, especially those who may already have AIX or other Unix expertise in place. However, I think Apple must be careful, since the Network Servers could hurt the marketing message Apple’s been creating about its servers, particularly the Internet servers. Since these Network Servers run Unix, they won’t be easy to set up or maintain, they won’t be as secure as Mac OS-based servers if they’re on the Internet, and they certainly won’t be as easy to sell or support, given that Apple’s expertise isn’t in the Unix world. MacWEEK tested the Network Servers and found their performance impressive.
Apple Workgroup Servers — On a more prosaic note, Apple also announced two new Mac OS-based Apple Workgroup Servers (AWS) based on the PowerPC 604 chip running at 120 and 132 MHz. The AWS 7250/120 and 8550/132 sport a PCI bus and run System 7.5.3, which includes Open Transport 1.1. Along with the Internet software bundle discussed below, there are two other software bundles. The Application Server Solution bundle, worth about $4,000, includes FileWave, Now Contact, Now Up-to-Date, Viper Instant Access, 4-Sight Fax, netOctopus, Virex, and Skyline/Satellite. The AppleShare Server Solution comes with AppleShare 4.2.1, which now has a PowerPC-native file server engine and support for Open Transport 1.1 to increase performance significantly (it supports up to 3,000 open files and 250 simultaneous logins). Other software, for a total value of about $6,000, includes Server Manager, AppleShare Client for Windows, Apple Remote Access Multiport Server Software, and Retrospect Remote. Prices for new Workgroup Server bundles range from about $2,900 to about $8,000.
Apple Internet Server Solution 2.0 — Although it remains to be seen how the market will receive the Network Servers, the second release of the Apple Internet Server Solution for the World Wide Web machines should sell extremely well, thanks primarily to an extensive software bundle. As with the initial release of these machines, there are three different options for hardware, the Workgroup Server 6150/66, the 7250/120, and the 8550/132. Prices range from $2,300 to $6,500, but the low-end 6150/66 will easily handle most Web serving needs. The beefier machines should attract people planning to run intensive CGIs.
What makes these machines so compelling is the software bundle, which includes: WebSTAR 1.2.5, PageMill 1.0, RealAudio Server 1.0, NetCloak 2.0, HomeDoor 1.0, MacDNS, ServerStat 1.0, BBEdit 3.5.2, Netscape Navigator 2.0, AppleSearch 1.5.1, Acrobat Pro 2.1, MapServe and WebMap, Tango and a 100-record trial version of Butler SQL, Email CGI, HyperCard, and AppleScript. If you want most of that software, it’s cheaper to buy the low-end 6150 than it is to buy the software separately. The one liability of the software bundle is that you may not qualify for free upgrades. Unfortunately, that also applies to owners of the software that came with the first Apple Internet Server Solution machines – there’s no upgrade path for the bundle, so you must upgrade each piece of software independently.
Overall, Apple’s new Mac OS-based servers look like they’ll do well since they provide good performance and excellent functionality via their software bundles. More questionable are the Network Servers, which represent an entirely different path for Apple; that path may prove too slippery for comfort despite the significant performance gains from moving to AIX.
Although much of the Web authoring software available a year ago rated as depressingly mediocre, some tools coming out now are rather good. This last month saw the release of a number of new products and updates to existing tools, and I anticipate the next few months will feature a fast and furious overturning of who’s who in the Web authoring world. So, hang on to your hat and stay tuned for future updates.
W4 Adds New Features — Miracle Software (formerly Best Enterprises) recently updated World Wide Web Weaver (W4) to version 1.1.1. Given the level of changes and improvements, I wouldn’t have thought twice if Miracle had released W4 at version 1.5.
New features include improved HTML error checking, a dialog box to help with making frames (those awkward windows-within-windows currently supported only by Netscape), and help with adding fonts and colors using Netscape extensions to HTML. You can now paste in styled text from other programs and W4 automatically applies appropriate HTML tags to the text. The new release fixes a number of bugs, addresses several performance issues, and improves the Find/Replace feature. W4 looks like an increasingly good choice as a Web authoring tool, particularly if you want to learn HTML but don’t see yourself as highly text oriented. (See my review of W4 1.0 in TidBITS-306.)
New HoTMetaL PRO Rule Set — SoftQuad has released a new rules file for HoTMetaL PRO that enables HoTMetaL PRO users to take advantage of additional Netscape and Internet Explorer extensions to HTML (see my HoTMetaL PRO review in TidBITS-314).
PageMill Update — Adobe recently updated PageMill to 1.0.1. The update fixes a number of rather technical bugs, but does not address problems with PageMill’s handling of paragraphs (see my review of PageMill in TidBITS-305). The new release also introduces a bug where colors in GIF images may shift dramatically when you open them in the image editor. An Adobe representative described the problem as a "mysterious bug" that only appears on 68K machines and that tends to go away if you run your monitor at 256 colors. If you experience the bug, don’t save, since the incorrect colors will be saved. Instead, try opening the graphic into the image editor again.
SiteMill Ships! SiteMill, Adobe’s much-anticipated Web site management program, shipped about two weeks ago. SiteMill works much like PageMill (and includes PageMill 1.0.1), but integrates some tools that facilitate the creation and maintenance of entire Web sites. Although SiteMill’s suggested retail price is $595, PageMill owners can purchase SiteMill for $299, and Adobe will currently sell you a copy for $399. I’ve had a chance to try SiteMill, and even with Adobe’s discounts, I think it’s significantly over-priced.
Although you can get by with some lesser Macs, Adobe recommends you have a 68040 or better, System 7.5, 6 MB of application RAM, and a color monitor to use SiteMill. To use SiteMill’s site management tools, you must have the site on a volume that you can mount on your desktop. Once you load a site, SiteMill does three things for you:
First, it checks your entire loaded site and identifies any relative links (links to other files in the site) that don’t terminate properly. SiteMill then makes it reasonably easy to fix those links. If you can’t load your entire site, relative links to unloaded portions of the site appear as errors.
Second, it lists any full URLs linked to in the site, and – for each URL – it shows what pages have links going out to them. SiteMill can’t tell you if such a link is broken, but if you wish to change one, you can change it just once within the list, and SiteMill will change all the appropriate HTML for you.
Third, SiteMill presents you with a Finder-like list view of your site. In that view, you can move files around (but only one at a time, and not folders that contain files) and SiteMill automatically updates the HTML as needed. You can also see an overview of the structure of your site and identify files that don’t link to or from anything.
So, the good news is you can use SiteMill to update and fix links in a site, and you can do this without SiteMill otherwise altering the HTML in your documents. The bad news is that SiteMill lacks features that would justify its price. SiteMill won’t be much use to people who work locally on mirrors of their Web sites and then use FTP to transfer modified files to remote Web servers. If you make changes to a site, SiteMill does little to help you track which files have changed and it does nothing to help you transfer changed files to the correct directories on a server. SiteMill can’t go out and check external links to see if they are valid. My final objection is that SiteMill has a tiny interface and offers no way to enlarge it.
In the beginning, the concept was simple: pay $10,000 to anyone who could bypass the security on a Macintosh Web server using only off-the-shelf software to protect the system (see TidBITS-303). From 15-Oct-95 to 31-Nov-95, digital.forest, ComVista Internet Solutions, Westwind Computing, Maxum Software, StarNine, and WebEdge Technologies sponsored the $10,000 Macintosh Web Security Challenge. Anyone who could break through the security on a designated server and retrieve the protected information would receive $10,000. The goal was to raise awareness of the fact that Macintosh servers make the most secure platform for World Wide Web servers.
The Plan — Our original plan was to protect a single page on the Web server so only one person would have access to it. After some consideration, we decided to make the challenge even more enticing by allowing users to see the page and only protect one line on the page. The only software used was StarNine’s WebSTAR (the Web server) and NetCloak (a CGI application from Maxum Development). Security was provided in two ways. We used WebSTAR’s Realms capability to require a username and password of anyone viewing the secure page, and we employed the filtering capability of NetCloak to hide the secure line on the page from anyone who did not provide both the proper password and come from the proper IP address. The server was available at challenge.comvista.com (it is no longer on the Web) and Henry Norr of MacWEEK was enrolled as the "authorized user" with access to the secure page. Henry logged in during the Challenge to verify that the page was, in fact, available to the proper user while still denying all others.
Challengers were given a username and password to access the page, as well as Henry’s username (just to get them started), the IP address of the server, information about our AppleTalk and IP network, and a listing of the software available on the server. Occasionally, we received requests for additional information about the setup and, with the exception of the password and IP address, we answered them. The only restrictions on claiming the prize were that we had to receive notice within two days of the end of the Challenge and the winner had to explain how the feat was accomplished.
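The two layers described above (a Realm username/password check that gates the whole page, plus a source-address filter that decides whether the one protected line is emitted) are easy to get subtly wrong, so here is an added illustration of the scheme in Python. This is example code written for this article, not WebSTAR or NetCloak code; the user name, password, network and page text are constructed values, not the Challenge server's.

```python
import hmac
import ipaddress

# Constructed demo data: one authorized realm user, the network that user is
# expected to come from, and a page in which a single line is marked hidden.
USERS = {"authorized-user": "example-password"}          # realm username -> password
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # permitted source addresses
PAGE = [
    "Welcome to the Challenge server.",
    "HIDDEN: the secret phrase goes here",
    "Thanks for visiting.",
]
HIDDEN_PREFIX = "HIDDEN: "


def realm_ok(username, password):
    """Layer 1, the Realm check: every viewer of the page needs a valid
    username and password.  The comparison is constant-time so a wrong
    password cannot be distinguished by timing from a nearly-right one."""
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def address_ok(client_ip):
    """Layer 2, the NetCloak-style filter: only requests from an allowed
    network may see the hidden line.  Unparseable addresses are denied."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def render(username, password, client_ip):
    """Return (status, lines).  401 if the realm check fails; otherwise the
    page, with the hidden line present only when BOTH checks pass."""
    if not realm_ok(username, password):
        return 401, []
    show_hidden = address_ok(client_ip)
    out = []
    for line in PAGE:
        if line.startswith(HIDDEN_PREFIX):
            if show_hidden:
                out.append(line[len(HIDDEN_PREFIX):])
            # Otherwise the line is dropped entirely rather than, say, wrapped
            # in an HTML comment: a hidden line must never reach the client.
        else:
            out.append(line)
    return 200, out


if __name__ == "__main__":
    print(render("authorized-user", "example-password", "198.51.100.7"))
    print(render("authorized-user", "example-password", "203.0.113.9"))
    print(render("authorized-user", "wrong", "198.51.100.7"))
```

The point worth noticing is that the two checks fail differently: a bad password is refused outright, but a good password from the wrong address still gets a page, just one without the protected line, which is what let Henry Norr confirm the page was reachable while everyone else saw the same page minus the line.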
Designing the Network — digital.forest provided the Internet connection for the server and monitored the Web site at the network layer. The network configuration consisted of a burstable T-1 connection to the Internet through a Cisco 2501 router. The network hub was an Asante 24 port non-managed hub, and the Web server itself was an Apple Workgroup Server 8150 with the Apple Internet Server bundle.
When we planned the challenge, I’d hoped to experiment with various network configurations to help isolate traffic. Our original start date was 01-Oct-95, but unfortunately delays in the installation of our T-1 (read about my struggles with GTE at the URL below) did not allow time for network configuration experiments. With the new start date approaching, I settled on the rather flat network architecture of router-hub-server. The server was on the same network segment as all other computers served by our T-1. We didn’t need a firewall or packet filter on the router, since all of the CPUs on the network were Macs.
Watching and Waiting — This network configuration made traffic analysis more of a bother than I would have liked, but it wasn’t impossible. Apple Computer Northwest loaned me a Quadra 630 for a monitoring station, but I rapidly discovered NetMinder Ethernet from Neon Software would not work with the 630’s communication slot Ethernet card. Disappointed, I used my trusty PowerBook 165 with an Asante SCSI Ethernet adapter. I experienced a performance loss running through the SCSI adapter, but I could still track what was going on behind the scenes.
The Results — In the 45 days the contest ran, no one broke through the security barriers and claimed the prize.
I generally ran the network packet analyzer for three to five hours a day to check for interesting packets destined for the Challenge server. I created packet filters that captured all TCP/IP network traffic in or out of the Challenge server. (Hint to Neon: drop the limit of five packet filters – it’s frustrating when you want to do advanced filtering). Some things I saw were amusing, others downright hilarious.
The Mac OS is not Unix — One of the more amusing things was that with all the information and technical specifications posted on the server itself, most people who tried to bypass the security thought the server was a Unix box! People tried to telnet and send mail to the server, looking for a process they could exploit. These types of attacks were fairly regular during the course of the challenge. I still smile when I think about how many people saw:
% telnet challenge.comvista.com
telnet> Connection refused.
(A hint to crackers: there’s no shell in the Mac OS to talk to, and even if we ran a mail server, you still wouldn’t be able to mail yourself /etc/shadow. The Mac just doesn’t work that way.)
People also tried to FTP to the server, looking to either put something on the server, or copy something from it. Again, this was a fruitless exercise as there was no FTP server on the Challenge server.
Things became more interesting, however. I noticed a fair amount of UDP (User Datagram Protocol) traffic coming from various computer science departments in universities. It appeared some enterprising students had written scripts that went up the UDP and TCP port numbers, looking for hidden processes that could be attacked. We did not run any TCP/IP processes other than the Web server on port 80, so all this did was waste bandwidth.
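The port-walking scripts described above leave a recognisable trace in a packet capture: one source touching many distinct destination ports on the server, usually in increasing order, almost none of them port 80. Here is an added Python example (not NetMinder output or code, and not from the article's authors) of the filter logic a monitoring station could apply to such a capture. The log lines are constructed in a made-up one-packet-per-line summary format, and the addresses are documentation ranges, not the Challenge server's.

```python
import re
from collections import defaultdict

SWEEP_THRESHOLD = 5           # distinct ports from one source before we call it a sweep
SERVED = {("TCP", 80)}        # the only TCP/IP service the server actually ran

# Constructed capture: a UDP port walker, a TCP port walker, one legitimate
# Web client, the server's reply to it, and a summary line the parser must skip.
SAMPLE_LOG = """\
14:02:01 UDP 192.0.2.77:41000 -> 203.0.113.5:1
14:02:01 UDP 192.0.2.77:41001 -> 203.0.113.5:2
14:02:01 UDP 192.0.2.77:41002 -> 203.0.113.5:3
14:02:02 UDP 192.0.2.77:41003 -> 203.0.113.5:4
14:02:02 UDP 192.0.2.77:41004 -> 203.0.113.5:5
14:02:02 UDP 192.0.2.77:41005 -> 203.0.113.5:6
14:02:03 TCP 192.0.2.78:2001 -> 203.0.113.5:21
14:02:03 TCP 192.0.2.78:2002 -> 203.0.113.5:23
14:02:03 TCP 192.0.2.78:2003 -> 203.0.113.5:25
14:02:04 TCP 192.0.2.78:2004 -> 203.0.113.5:79
14:02:04 TCP 192.0.2.78:2005 -> 203.0.113.5:110
14:02:05 TCP 198.51.100.20:1034 -> 203.0.113.5:80
14:02:05 TCP 198.51.100.20:1035 -> 203.0.113.5:80
14:02:06 TCP 203.0.113.5:80 -> 198.51.100.20:1034
capture summary: 14 packets
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield one dict per well-formed packet line; silently skip the rest."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            yield pkt


def find_sweeps(lines, server_ip, threshold=SWEEP_THRESHOLD):
    """Return {"src/PROTO": {"ports": [...], "ascending": bool}} for every
    source that touched at least `threshold` distinct ports on server_ip."""
    seen = defaultdict(list)          # (src, proto) -> dst ports in arrival order
    for pkt in parse(lines):
        if pkt["dst"] != server_ip:   # outbound replies are not probes
            continue
        seen[(pkt["src"], pkt["proto"])].append(pkt["dport"])
    sweeps = {}
    for (src, proto), ports in seen.items():
        distinct = sorted(set(ports))
        if len(distinct) < threshold:
            continue
        # A script "going up the port numbers" yields a strictly increasing sequence.
        ascending = all(a < b for a, b in zip(ports, ports[1:]))
        sweeps[f"{src}/{proto}"] = {"ports": distinct, "ascending": ascending}
    return sweeps


def wasted_packets(lines, server_ip, served=SERVED):
    """Count inbound packets aimed at (proto, port) pairs where nothing listens."""
    return sum(1 for p in parse(lines)
               if p["dst"] == server_ip and (p["proto"], p["dport"]) not in served)


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG, "203.0.113.5").items():
        print(src, info)
    print("packets to unserved ports:", wasted_packets(SAMPLE_LOG, "203.0.113.5"))
```

On a real capture the threshold and the "ascending" flag are the two knobs worth tuning: a legitimate client hits one or two ports many times, while a sweep hits many ports once each, so distinct-port count separates them far better than raw packet count does.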
Another MacTCP Quirk — There was also quite a bit of ICMP (Internet Control Message Protocol) redirect packet traffic on the network. As I traced them back to their source, they turned out to be from people trying to do traceroutes to the Web server. Something I was unaware of until the Challenge was that MacTCP does not respond to ICMP packets properly, making traceroutes to MacTCP hosts impossible. The packets time out at the closest gateway to the host because the Mac never responds to them. I confirmed this by running my own traceroutes to the Challenge server from a Unix host and comparing those packets with those coming from outside sources. Open Transport fixes this behavior, and it is now possible to do a traceroute to a Macintosh host that uses Open Transport.
This particular quirk of MacTCP begat an email message from a gentleman saying our challenge was unfair because he could not perform a traceroute to the server. After I pointed out that this was a failure of MacTCP and not anything I had done, he backed off. He then pointed out that it would be trivial to snoop the password to the locked page, yet for some reason he did not step forward to collect the $10,000. I wonder why?
Summary — On the whole, I learned that network-level security on the Macintosh is really quite good. Unlike Unix, there are no TCP/IP server processes built into the Mac OS, so there is nothing to attack unless you put it there yourself. In addition, TCP/IP services on a Mac lack the low-level communications available on Unix systems, which provides additional security. If you keep mail, FTP, and Web file spaces from overlapping, there is no way to pipe data from one service to another.
One note about server design: when installing multiple TCP/IP services on a single machine, be certain there is no way to upload a file with one service and make it available to another. If a user can FTP files directly into Web server file space, that user could upload a CGI application and immediately launch it.
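The design rule above (no service may be able to drop a file into another service's file space) is a property you can check mechanically from the configured directories rather than by inspection. The following is an added Python example written for this article, not part of any Apple, StarNine or digital.forest software; the directory layouts are constructed, use Unix-style paths for clarity, and the function names are ours.

```python
import posixpath

# Constructed layouts.  In the bad one the anonymous FTP directory sits inside
# the Web document root, so anything uploaded by FTP is immediately servable.
SERVICES_BAD = {
    "web":  "/Server/WebSTAR",
    "ftp":  "/Server/WebSTAR/incoming",
    "mail": "/Server/Mail",
}
SERVICES_GOOD = {
    "web":  "/Server/WebSTAR",
    "ftp":  "/Server/FTP/incoming",
    "mail": "/Server/Mail",
}


def _norm(path):
    """Collapse '.', '..' and duplicate separators so that two spellings of the
    same directory compare equal (a '..' in a config entry is a classic way
    for an overlap to hide)."""
    return posixpath.normpath(path)


def _contains(parent, child):
    """True if child is parent itself or lies anywhere beneath it."""
    parent, child = _norm(parent), _norm(child)
    return child == parent or child.startswith(parent.rstrip("/") + "/")


def overlapping_services(services):
    """Return (outer, inner) pairs where service `inner`'s file space lies
    inside service `outer`'s.  Any pair means a file placed via `inner`
    is reachable through `outer`; identical roots are reported both ways."""
    names = sorted(services)
    return [(a, b) for a in names for b in names
            if a != b and _contains(services[a], services[b])]


def upload_lands_in_web_space(services, filename):
    """Where would an FTP upload named `filename` end up, and would the Web
    server serve it?  Returns (landing_path, servable)."""
    landing = _norm(posixpath.join(services["ftp"], filename))
    return landing, _contains(services["web"], landing)


if __name__ == "__main__":
    for label, layout in (("bad", SERVICES_BAD), ("good", SERVICES_GOOD)):
        print(label, overlapping_services(layout),
              upload_lands_in_web_space(layout, "report.html"))
```

Running the check against every machine that hosts more than one service turns the article's advice into something a startup script can enforce: if `overlapping_services` returns anything, refuse to start the second service until the directories are separated.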
In sum, the Challenge did nothing to contradict our belief that if you have a Macintosh-only TCP/IP Internet-connected network, you have little to fear from outside intruders coming from the Internet. Further, if you are running a Mac Web server, there appears to be no way to compromise it from the network level. However, if you have a Unix computer within your network, you must still safeguard and protect that machine lest it become compromised and provide a close and easy platform for launching other attacks.
A Closing Warning — Please note these results do not mean the Mac community can ignore security; on the contrary, we need to be even more on our toes for security breaches, simply because they will most likely come from an unexpected vulnerability. Most of the attacks attempted were based on known vulnerabilities in Unix systems. Once Macs become more popular as servers and make their way into larger commercial networks, crackers will have more incentive to compromise these systems.
In addition, it is not our contention that this contest proved anything about Macintosh network security, or that such a contest could replace quality testing for flaws in server software. In fact, we would not have risked our money if we had not first convinced ourselves of the security of the system.
Finally, it is possible that a cracker did bypass our security and discover the hidden phrase, but is unwilling to come forward because the information is potentially more valuable than the $10,000 reward.
[Chris Kilbourn, <[email protected]>, is President, System Administrator, and Network Janitor for digital.forest, an Internet service provider in Redmond, Washington. Jon Wiederspan, <[email protected]>, of ComVista Internet Solutions assisted in preparing this article.]