Concerned about Macintosh security? This week, Adam takes another look at Microsoft Word macro viruses and Geoff examines some of the motivations behind Macintosh Web server challenges (plus notes creative techniques for cracking them). We also have news about Adobe SiteMill 2.0, and the second part of Tonya’s coverage of HTML editors. This week, she checks out PageSpinner’s competition: World Wide Web Weaver, BBEdit, and Alpha.
TidBITS Search Engine Online — As promised, we’ve put the winner of our Search Engine Shootout online (see TidBITS-368, TidBITS-379, and TidBITS-380). The custom Apple e.g. implementation currently runs on a Power Macintosh 7100/80 with 24 MB of RAM. This Mac has a 56K frame relay Internet connection instead of the full T1 our main Web server enjoys, so we’ll be curious to watch the performance. If you want to bookmark the search page, use the URL below rather than where you end up when you follow the link – we may move things around over time. [ACE]
Hide and Seek with SiteMill 2.0 — Although Adobe SiteMill 1.0 was among the first commercial Web site management tools for the Macintosh, with SiteMill 2.0 seemingly way overdue, many wondered if it would ever ship. Even after Adobe informed me they had shipped SiteMill 2.0, they did not quickly update their Web site to reflect this information, and press kits they’ve sent all concern the Windows version.
SiteMill is no longer a separate product; instead, it comes in a bundle with PageMill 2.0 and Photoshop LE, Adobe’s "light" version of Photoshop. This PageMill bundle lists for $149 and replaces the previous PageMill package. Those having a registration number for SiteMill 1.0 or PageMill 2.0 can download a free copy of SiteMill 2.0, sized at approximately 2 MB. As of this writing, a number Adobe’s Web pages lead to the beta release, but this page linked to the real goods when I tried it. Adobe Systems — 800/411-8657 — 408/536-6000 [TJE]
The point of many viruses, macro or otherwise, is to annoy people, waste time, and generally eat bandwidth of various sorts. That’s ironic, given the amount of space the topic consumes whenever it appears in the press (see TidBITS-383). But, since numerous readers made useful comments and suggestions, we wanted to pass along the information to help everyone understand more about the macro virus problem. This will be it for virus coverage in TidBITS for a while, but you can find a great deal more information about viruses on the Macintosh (including macro viruses) on David Harley’s Viruses and the Macintosh FAQ at:
If it hurts… Of all the responses I received, the simplest (and often presented with tongue firmly planted in cheek) solution offered to the Word macro virus problem was simply to avoid using Microsoft Word 6 or other programs that suffer from macro viruses. That of course won’t work universally, because people don’t always have much choice about the programs they use.
Auto-running Macros — Others suggested turning off auto-running macros in Word 6, which prevents some macro viruses from replicating or performing other anti-social acts. Unfortunately, many macro viruses use alternate methods of activation, including deceptive names, co-opted common command key shortcuts, and captured menu items. So, although turning off auto-running macros in Word 6 might help slightly, it’s not a reliable solution.
Locked Normal Template — One intriguing solution for preventing the spread of Word macro viruses, from Tyler Stewart <[email protected]>, was to lock the Normal template file, which lives in the Templates folder in the Word folder. Select it in the Finder and choose Get Info from the File menu, then click the Locked checkbox. Locking the Normal template prevents any macro virus from infecting it, but macro viruses could also transfer themselves to other open documents or run without replicating. More problematic is the fact that Word 6 seems to cache the Normal template in RAM, so the RAM copy can be infected (and thus pass on the infection during that session) even with the Normal template locked. In other words, this solution won’t always work and might prove irritating if you need to change the Normal template.
File Conversions — A number of readers suggested variants on file conversion techniques. Microsoft Word 5 can’t run macros of any sort, so it’s safe from Word 6 macro viruses. Some people thought that macros could be carried in a file that Word 5 had converted, opened, saved, and which was then re-opened in Word 6. Datawatch’s Mike Groh reported that they’ve had no reports of macros surviving the conversion process, either via Word 5 or via translators such as DataViz’s MacLinkPlus. In both our and Datawatch’s testing, conversions stripped the macros.
Eliminating Macros Entirely — Some folks suggested techniques that might work for eliminating all macros in Word documents. But, macros are not inherently evil, and anything that blindly removes all macros could easily destroy useful or even necessary macros. Tools like Microsoft’s MVTOOL aren’t so destructive, since they offer the choice of opening documents without macros on a per-file basis. However, don’t trust MVTOOL’s protection (accomplished via a macro called SCANPROT, which confused some readers), because it works only if you use the Open command in Word’s File menu to open the files. If you double-click a Word file in the Finder or use other methods of opening files from outside Word (like the Recent Files hierarchical menu, or Now Super Boomerang), MVTOOL won’t work. Read the documentation with MVTOOL carefully before relying on it.
Other Anti-virus Utilities — Just to be complete, Datawatch’s Virex and Symantec’s SAM aren’t the only commercial anti-virus programs available for the Mac that can detect and eliminate macro viruses. Also available are McAfee’s VirusScan and Dr. Solomon’s FindVirus, and others may exist as well. I have no recommendations here other than to note that Datawatch’s Mike Groh was voluntarily helpful in checking and commenting on these articles. Viruses affect everyone, so I’d lean toward companies who participate in the communities their software protects.
Eternal Vigilance — This entire topic came up because of my warning in TidBITS-381 that the Macintosh community was becoming complacent about viruses. Several readers alerted me to infected CD-ROMs that have recently been distributed to numerous people, including Apple’s Official May 1997 Marketing ToolKit, which goes to dealers and the media. There are two lessons to be learned. First, don’t trust even seemingly innocuous sources, because even CD-ROMs and disks from reputable companies can become infected. Second, if you’re in charge of mastering CDs or creating master disks, check the disks with anti-virus software! It’s simply unacceptable for any widely distributed CD-ROM or floppy to carry infected files.
Design a Sandbox — I believe that the eventual solution to these macro viruses is for the companies producing software with macro capabilities to take the responsibility of designing their programs in such a way to eliminate macro viruses. Although Sun’s Java language undoubtedly isn’t perfect, it was designed to prevent malicious uses. Even if someone finds a way around that design, it won’t be as easy as it is with macro languages. I won’t pretend to know if it’s even possible to create a macro language that doesn’t suffer from macro viruses, but with the number of macro viruses that appear every day, it’s clear that the problem is very real.
Computer security – or, rather, computer data security – is not a new idea. For as long as sensitive information has been stored on punch cards, tapes, and disks, money has been changing hands to make sure that information cannot be accessed without permission. Until recently, security tests were often expensive, contracted, protracted affairs conducted by professionals and consulting firms; however, the breakneck growth of the Internet has given rise to something new: public data security challenges. These events usually offer substantial cash prizes and are open to anyone with a machine and a net connection.
Public challenges usually have goals like demonstrating a technology, promoting products or services, and generating media coverage. TidBITS has covered two Mac-specific security challenges (see TidBITS-317 and TidBITS-378); these challenges helped establish the Mac OS as a secure and robust Web server platform, and gave Apple, the Mac, software developers, and the contest sponsors some good press when no one claimed the contests’ prizes. However, current public Macintosh security challenges seem more concerned with marketing than security, which does little to further test the limits of Macintosh security.
Apple Europe — The two previous Macintosh security challenges were conducted by private organizations; now, Apple Europe has thrown its hat in the ring, offering a brand-new 240 MHz PowerBook 3400 to anyone who alters the contents of a specific Web page hosted on a standard Apple Workgroup Server 9650 running Mac OS 7.6 and WebSTAR 2.0.
It’s nice to see Apple using new methods to promote the Mac OS as an Internet server platform, but this contest is only about promotion. On a technical level, this challenge imitates the Crack-A-Mac challenge conducted by Infinit Information AB in Sweden this spring – and its public face is a little rougher around the edges. For instance, the contest runs from 04-Jun-97 to 31-Jul-97, but you won’t find that information on the challenge server or in the challenge rules: you need a press release or article to uncover the contest dates and a few other pertinent details. Of course, you must read around mellifluous statements about Apple’s "complete confidence" in the server – small wonder, given that the prize money in Infinit’s contest went unclaimed just a few weeks earlier. There has also been some criticism of the contest prize: prices for 240 MHz PowerBook 3400s start around $5500, so it could be argued there’s less financial incentive to break into this server than there was in previous Mac security challenges. That might be true, but perhaps it’s more important that winning a PowerBook 3400 appeals to a smaller set of the server-cracking population than cold, hard cash. After all, few Windows or Unix loyalists will spend time trying to win a Macintosh.
VanHacking — Cash is not a problem for the VanHacking Challenge being hosted by VirTech Communications in Vancouver, British Columbia from 01-Jun-97 to 15-Jul-97. They’re offering $10,000 Canadian (about $7,200 U.S.) to anyone who can do two things:
Break into a protected Web page to find encrypted credit card information and a special phrase.
Decrypt the credit card information and alter the wording of the special phrase on the protected Web page.
The VanHacking server is a Power Mac 7200/120 running System 7.5.3, Timbuktu Pro 3.0.2, WebSTAR 1.3.2, and the challenge page is protected with WebSTAR’s Realms capability (so you’ll be prompted for a password if you try to access it with a Web browser).
On the face of it, the VanHacking Challenge is a new variation on the "alter a Web page" contest, and – by including an encrypted credit card number – the contest confronts the issue of secure electronic commerce on the Internet. VirTech’s press release (and Apple’s recent promotion of the contest on its corporate home page) plays up this factor: VirTech says it wants to refute the idea "plaguing the media today" that Internet commerce is unsafe and insecure.
Unfortunately, the VanHacking Challenge is aimed squarely at mainstream media and has little to do with electronic commerce. First, although earlier Macintosh Web server challenges have not directly tested WebSTAR’s Realms capability, it certainly played a factor in protecting Infinit’s server from attacks on WebSTAR 2.0’s remote administration features. And even if the Web page were unprotected, that cracker still has to figure out how to alter the contents of the contest page, which Infinit’s and ComVista’s contests essentially proved can’t be done for $10,000.
Then there’s the matter of the encrypted credit card information. According to the VanHacking contest rules, the credit card information is encrypted using PGP (Pretty Good Privacy), a strong public key encryption program developed by Phil Zimmerman and available for a variety of platforms.
There are essentially three ways to access encrypted data: decrypt the data computationally, find a copy of the unencrypted data, or somehow obtain the appropriate key or pass phrase to decrypt the information.
Despite (occasionally paranoid) speculation that PGP may have been cracked by the U.S. government, it’s highly improbable that someone will win the VanHacking contest by computationally decrypting the PGP data. Obtaining PGP keys by brute force is currently impractical, and to date there is no public evidence of weakness in PGP algorithms that would assist would-be decrypters. To put it bluntly, finding a method to quickly and reliably crack PGP-encrypted data is potentially worth tens of millions of dollars; it proves nothing if the VanHacking prize money goes unclaimed because PGP wasn’t broken.
It might be possible to find an unencrypted copy of the VanHacking credit card number: there have been instances where pass phrases or unencrypted copies of encrypted information have been found in RAM, unused disk sectors, virtual memory, or temporary files. However, since it’s been repeatedly demonstrated that the Mac OS is secure from most Internet attacks, it’s unlikely someone on the Internet will be able to examine these areas of the contest server or other VirTech machines.
Logistically, it’s easier for me to walk into the offices of VirTech Communications in Vancouver (or set up decent surveillance) than it is for me to break into its Web server. If I’m clever, I could pretend I’m a journalist and perhaps get someone to tell me what I want to know. If I’m willing to snoop, there’s probably a copy of the credit card number (or a clue as to where I could find it), a PGP pass phrase, a Timbuktu Pro password, or a sensitive email message or memo to be found. If I’m willing to break some laws – which isn’t an obstacle for parties interested in credit card fraud – I’m sure I could be more persuasive. VirTech has thought of this angle ("breaking into VirTech’s office building will also disqualify the participant"), and while they don’t mention fraud, extortion, or impersonating a law enforcement officer, the spirit of the rules is clear. Sure, these tactics sound like the stuff of corporate espionage and spy thrillers – and frankly a $10,000 prize doesn’t merit this sort of effort – but when millions of dollars hang in the balance, these things can happen.
The Agony of Self-Defeat — Are public security challenges pointless? Of course not! These contests demonstrate the integrity and value of the Mac OS and some of the excellent products available for the platform. I think that’s significant.
Nevertheless, it’s important to look at the objectives behind each event to separate technical merit from mouse-thumping partisanship. Challenges that merely repeat previous efforts speak more to the motivations of the contest organizers than the validity of the challenge. Similarly, contests that require circumventing technologies like PGP or Java security don’t necessarily say anything more about the Macintosh than a book says about its shelf.
Last week, in TidBITS-384, I wrote about PageSpinner, a $25 shareware HTML editor from Optima Systems. I portrayed PageSpinner as offering a robust range of tagging options in an uncommonly open, helpful setting. This week, I’ll round out my discussion by comparing it to not only World Wide Web Weaver and BBEdit as promised, but also to Alpha.
W4 — World Wide Web Weaver 2.1, also known as W4, comes from Miracle Software and costs between $39 and $89 depending on how you buy it. It requires a 68020-based Mac, System 7.0, and 5.5 MB application RAM (8 MB recommended). In contrast, PageSpinner wants a 68020-based Mac, System 7.0.1, a grayscale monitor, and 2-4 MB application RAM. W4 has matured past its shareware origins, but lacks the polish I expect in a top-notch commercial product. Even so, if PageSpinner’s roll-your-own attitude feels overwhelming, W4 may fit the bill.
W4 doesn’t have the range of esoteric tags found in PageSpinner, but it includes all the basics, plus frames, forms, and tables. W4 comes with a built-in spelling checker and an HTML validation checker, features that PageSpinner users must add by downloading and configuring additional software. Although PageSpinner takes the prize for flexibility in configuration, W4 is not entirely rigid. For instance, it lets you add new tags to the interface, and you can freely configure the style of tags and text as they appear in a W4 document.
An HTML document in W4 looks much like a document in any text-based editor, but a few of W4’s dialog boxes take a visual approach. For example, W4 contains a visual image map editor, where you indicate which areas of a graphic should act as buttons linking to other parts of the Internet. The editor lacks the bells and whistles (such as a zoom) in visually oriented HTML editors like Adobe PageMill, but gets the job done. By comparison, PageSpinner expects you to set up image maps elsewhere.
More differences between the programs appear when comparing their Table features. When you set up a new table in W4’s Table Editor, you see a rough mock-up of the table. From the mock-up, you can select any cell and then add text or apply cell-based formats (like background color). The formats won’t show in the mock-up, but the text will. After exiting the Table Editor, you can modify the table by hand or select the entire table, choose the Re-Edit Tag command, and you’ll be back in the Table Editor with the mock-up intact and ready for modification.
In contrast, making a table in PageSpinner is a one-time, text-only affair. You select or import tab-delimited text and then use the HTML Assistant to apply table tags to it quickly (though you cannot format individual cells in HTML Assistant). You can also insert table-related tags one by one. There’s no Re-Edit Tag option, so changes take more time to implement.
W4’s Re-Edit Tag feature also comes in handy when working with lists – lists can be re-edited and thus quickly converted between various types, and there’s even a sorting feature inside the List Editor.
W4 has one hot feature that you won’t find elsewhere – an auto-preview. When working in W4, I keep a Netscape Navigator/Communicator window open, and anything I do in W4 shows in the browser window a second or two later. What’s so important about this feature is that I need not do anything to see the preview; most programs make you at least press a keyboard shortcut. This feature only works with Navigator/Communicator, and it worked fine for me in Navigator 3.01 and Communicator 4.0 PR 5.
In summary, W4 is a capable, text-based HTML editor. It lacks high-end features found in BBEdit and Alpha, but represents a finite environment worth considering for new computer users and those who occasionally work with HTML. Given its price and competition, W4 is in a tight spot – it just doesn’t have the features to make it compelling to a large audience. W4’s ace in the hole, however, may be its special relationship with Site Weaver, a site management tool from Miracle Software. I plan to look at Site Weaver later in this article series.
If PageSpinner’s high-end features like scriptability and includes attract you, check out BBEdit and Alpha, two mature text editors that have HTML features.
BBEdit — BBEdit, from Bare Bones Software, became a popular HTML editing tool before it had HTML features, in part because it is an excellent text editor, and in part because Carles Bellver and Lindsay Davies both released reasonably complete sets of BBEdit extensions for HTML (these extensions extend BBEdit only, and are not system extensions). Carles is no longer updating his extensions, though they are still available, but Lindsay’s BBEdit HTML Tools now ship with BBEdit, and Bare Bones Software has added HTML features like an HTML-savvy spelling checker, an FTP feature that can open from and save directly to a remote server, and tag-styling options so tags look different from body text.
To apply HTML to text in BBEdit, you use a long drop down menu, keyboard shortcuts, or a palette. Using the triangle menu at the palette’s upper left, you can adjust its size and set what commands appear on it. The palette would benefit from additional customization, especially the ability to add colors or graphics, since it’s hard to pick out the right command quickly among the many black-text-on-gray buttons. BBEdit offers a reasonable amount of flexibility for customizing the interface, tag appearance, and so on, but is not as flexible as PageSpinner. (For example, PageSpinner can lock tags so others can edit a document without accidently changing the tags.)
BBEdit HTML Tools enables users to create not only new tags, but also macros that automate applying tag sequences. For instance, one of my macros places selected text inside an anchor tag, and fills in the anchor tag’s URL from the clipboard.
What’s compelling about BBEdit is the mix of a professional, serviceable interface with raw power. One key feature, grep-based, multi-file Find and Replace, enables sophisticated searches that leave PageSpinner gasping in the dust. Another major feature is synergy with UserLand Frontier’s Web publishing options.
As I explained last week, PageSpinner has includes, and it is possible to update the date and time when updating includes. BBEdit HTML Tools one-ups PageSpinner with a handier way to update includes (just click a button), plus more options for updating the date, time, and other bits of information. You can also employ "variables" that let individual documents dictate how information flows in from an include (for instance, an include might contain a tag for a graphic, but the variable on the page would specify the graphic’s location).
With its mix of high-end features, HTML-specific features, and simple system requirements (a Mac Plus or better, 1 MB RAM, and System 7.0), it’s not surprising that BBEdit has become a mainstream HTML editor for professionals and even some hobbyists. BBEdit costs $119 ($79 crossgrade). To learn more about BBEdit, see the review in TidBITS-365.
Alpha — A few readers wrote in last week to note that I should look at Alpha 6.5.2, a $30 shareware program by Pete Keleher. In particular, Chris Ruebeck <[email protected]> commented:
"A BBEdit-like program is Alpha, used by many programmers and TeX/LaTeX writers. It has an HTML mode in addition to the various programming languages and environments. What’s nice about Alpha is that the pull-down menus function much like an assistant by pasting in templates, although not with the context-help that PageSpinner provides. But there is a good set of HTML documentation. Alpha integrates well into the Web environment, too, with Web links in its Help pages, and drag & drop editing."
Previously, I’d thought that Alpha was too much of a programmers’ text editor for the likes of me, but I decided it wouldn’t hurt to try it. After being initially flummoxed by the fact that the HTML commands don’t show unless you are in HTML mode, I discovered a capable, likeable HTML editing environment. The HTML commands in Alpha (which can convert into a palette) come courtesy of an Alpha extension called HTML mode, which is postcardware written by Johan Linde.
Still to Come — Text-based HTML editors pack many great features and give authors a great deal of control, but they are lousy environments for trying different layouts and navigation systems. For these tasks, most people use software that hides the HTML and shows a WYSIWYG approximation of how a browser will interpret the page. Next week, we’ll look at some of those programs.