Dour prognostications for the new year have failed to materialize, but other troubles abound: we look at Apple’s OT Tuner 1.0, the problem that sparked it, and cover sources of network security information. We also note updates to Microsoft Excel 98, Internet Explorer 4.51, Outlook Express 5.01, and Now Up-to-Date & Contact. Changing topics, we interview Neil Shapiro about the Internet reappearance of MAUG, the first online Apple community. This week’s poll queries your Y2K experience, and we have a schedule of staff appearances at this week’s Macworld Expo.
TidBITS Appearances at Macworld SF — We may be a virtual organization, but we love meeting you in person at Macworld Expos. If you’re attending the show this week in San Francisco, stop by one or more of the events below and say hello.
Wednesday, 05-Jan-00: Adam will be signing copies of his Eudora VQS book at the Aladdin Systems booth (#2217) from 1:00-2:00 PM. Jeff Carlson and his co-author Glenn Fleishman will be signing their Real World GoLive book and answering questions about GoLive in the Adobe booth from 2:00-4:00 PM.
Thursday, 06-Jan-00: Adam will be signing copies of his Eudora VQS book at the Peachpit Press booth (#2428) from 11:00 AM to 12:30 PM. Jeff will also be at the Peachpit booth from 10:00-11:00 AM signing his Real World GoLive book, and then again from 2:00-3:00 PM for his Palm VQS book. We’ll both be at the Netter’s Dinner Thursday night – make sure to sign up in advance if you wish to attend. Matt Neuburg will be signing his REALbasic book at the REAL Software booth (#949) at 10:30 AM.
Friday, 07-Jan-00: Jeff Carlson and Glenn Fleishman will be signing their Real World GoLive book in the Adobe booth from 10:00 AM to 12:00 PM.
Unfortunately, since O’Reilly & Associates doesn’t have a booth at Macworld Expo, I don’t have any signings scheduled for Crossing Platforms: A Macintosh/Windows Phrasebook. However, visit the Connectix booth (#1707) since they’ll be giving away signed copies of the book throughout the show, and I might be able to set up some sort of an appearance there. In lieu of that, check out the URL below (after Wednesday, 05-Jan-00), where David Pogue and I interviewed each other about the book. [ACE]
Minor Y2K Fix for Excel 98 — Microsoft Corporation has released a minor update to Excel 98 for Macintosh to address a problem exporting date information to text files using Visual Basic for Applications (VBA). Dates with four-digit years will be exported using two-digit years, meaning century information about the dates is lost. Depending on how the data is subsequently used, this may cause date problems: for instance, Excel 98 assumes two-digit years 00 to 29 are in the 21st century, so any dates pointing to the years 1900 through 1929 would be misinterpreted by Excel if they were exported to a text file using VBA, and re-imported into Excel 98. Other applications may interpret two-digit years as being in the 20th century, while some use varying "date windows" for interpreting two-digit years. (See "Parsing Like It’s 1999" in TidBITS-475 for more details.) This issue applies only to dates with four-digit years exported to text files using VBA: no other instance of saving or exporting Excel data is affected. Microsoft’s Excel 98 Y2K Update is available for English language versions of Office 98, either as a new part of its Mac OS 9 Updater for Office 98 released earlier this month, or separately as an 818K download for those who have already installed the Mac OS 9 update. Microsoft says versions for non-English versions of Office 98 should be forthcoming. [GD]
Now Up-to-Date & Contact Are Now Up to Date — Power On Software is delivering on its promise to continue development of Now Up-to-Date & Contact, its calendar and contact combo purchased from Qualcomm earlier this year. Version 3.8 fixes compatibility issues with Mac OS 8.5 and later, solves problems associated with its Internet features, and includes Now Up-to-Date & Contact Web Publisher for free (it was formerly a separate $400 product). Power On claims that Palm device synchronization is scheduled to arrive in an upcoming version 3.9, tentatively scheduled for early 2000. Now Up-to-Date & Contact costs $90; owners of previous versions can upgrade for $40. A fully functional 30-day demo is a 4.6 MB download. [JLC]
MWJ Mac OS 9 Coverage at Fatbrain.com — GCSF, Inc., the publisher of the weekly Macintosh journal MWJ, has made its extensive Mac OS 9 coverage available as a free 76-page PDF file. MWJ’s coverage of Mac OS 9 is quite possibly the most complete (and technically detailed) available anywhere. If you’ve been looking for more depth than TidBITS’s coverage of Mac OS 9, this is the reference for you. MWJ’s Mac OS 9 guide is a free 1 MB download from Fatbrain.com’s eMatter service. [JLC]
Poll Results: Buying Digital Cameras — From 06-Dec-99 to 31-Dec-99 we ran three polls about digital cameras, and for once, I’m pleased to say that barely anyone participated at all. Kudos to everyone who let their computers sit idle and enjoyed some time off for the holidays! In the first poll, which queried camera ownership, the approximately 600 responses were split roughly three ways between "currently own," "plan to buy," and "no plans." The second poll narrowed the topic, and about 300 people answered when they bought or planned to buy a digital camera. Ignoring the specific numbers, the trend was clearly toward more people buying into digital camera technology every year. Finally, in our third poll, which asked how much you paid for your first digital camera, about 100 people participated, scattering their answers roughly along a standard bell curve, with most people paying between $500 and $750. [ACE]
Poll Preview: A-OK for Y2K? The world did not end at the stroke of midnight on 01-Jan-00 – nor did the world’s computer systems come crashing to a halt, even in regions that had taken Y2K-preparedness lightly. It’s tempting to laugh off Y2K hysteria now, but according to estimates I’ve seen, between $300 and $600 billion was spent worldwide on addressing Y2K-related computer problems. The fact that 01-Jan-00 came and went without significant problems is indicative primarily of the effort put into ensuring that Y2K would not cause troubles, not that concerns were unjustified. Those who spent the last few years slaving over old code and testing systems deserve a lot of credit for ensuring that New Year’s Eve could be a time of celebration, rather than just a really dark night. Of course, there have been a few quirks here and there, so this week’s poll question asks "Did you personally experience a Y2K-related computer problem?" A few TidBITS Talk participants have, but visit our home page and register your vote! [ACE]
In a nutshell, Internet Explorer 4.51 includes new SSL version 3 security certificates from VeriSign. Some certificates which originally shipped with Internet Explorer 4.5 expire 01-Jan-00, at which point it becomes impossible for Explorer to establish secure connections to some Web sites (such as online merchants or financial services). Both Internet Explorer 4.51 and Outlook Express 5.01 offer improved support for version 3 certificates that should allow automatic updating in the future. Installing Explorer 4.51 is merely a matter of drag & drop in the Finder, though a few people have had troubles; see TidBITS Talk for details and fixes. Netscape browsers earlier than version 4.06 may also have the same problem with certificate expiration.
Apple Computer has released OT Tuner 1.0, a tiny patch which disables an option in Open Transport that could enable Macs connected to the Internet to be used as traffic amplifiers (see below) in a distributed denial-of-service attack. The update is for any computer running Mac OS 9, or Power Mac G4s, iBooks, or current slot-loading iMacs (like the iMac DV) running Mac OS 8.6. OT Tuner 1.0 is a 175K download, although the patch itself is less than 2K.
[05-Jan-00: Apple has withdrawn OT Tuner 1.0 in favor of Open Transport 2.6 which purports to offer the same abuse prevention without the problems some users experienced with OT Tuner 1.0. -Geoff]
OT Tuner 1.0 is a direct response to a behavior in Open Transport publicized by John Copeland at the Georgia Institute of Technology. The basic premise is that Open Transport will sometimes send a 1,500-byte response to certain small data packets sent from a remote machine elsewhere on the Internet. (This behavior is part of a standard called Path MTU Discovery detailed over nine years ago in RFC 1191.) The problem is that the small data packets could be forged to look like they came from a third computer elsewhere on the Internet; in that case, Open Transport would send its 1,500-byte response to that third computer. According to Copeland, the forged packet might be as short as 29 bytes, so Open Transport effectively enables a malicious third party to send 1,500 bytes to a remote computer by transmitting a mere 29 bytes – a traffic amplification of over 5000 percent.
These data packets aren’t enormous, but they can be generated quickly and the behavior could be exploited in several Macs to launch a distributed denial-of-service attack. In theory, a targeted computer’s Internet connection could be flooded with thousands of 1,500-byte packets per second, and the computer would probably be brought to its knees trying to process all the inbound data. Distributed denial-of-service attacks are a relatively new phenomenon – see CERT Advisory CA-99-17 – and so far no tools are known to take advantage of Open Transport’s potential vulnerability. In any case, only Macs running Mac OS 9 (or the models above running Mac OS 8.6) that are continuously connected to the Internet would be in any danger of exploitation.
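An added example, not part of the original article and not Apple's or Copeland's code: the amplification pattern described above, seen from the defender's side as a check over packet records captured at a host's network edge. The record layout, the addresses, and both thresholds are assumptions chosen for illustration, and the sample capture is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

LOCAL_HOST = "192.0.2.10"   # constructed address of the monitored machine


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    dst: str
    length: int   # bytes on the wire


def summarize_peers(packets, local_host):
    """Total bytes and packets exchanged with each remote peer."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0,
                                 "pkts_out": 0, "first": None, "last": None})
    for p in packets:
        if p.dst == local_host:
            peer, inbound = p.src, True
        elif p.src == local_host:
            peer, inbound = p.dst, False
        else:
            continue                      # traffic not involving this host
        s = stats[peer]
        if inbound:
            s["bytes_in"] += p.length
        else:
            s["bytes_out"] += p.length
            s["pkts_out"] += 1
        s["first"] = p.ts if s["first"] is None else min(s["first"], p.ts)
        s["last"] = p.ts if s["last"] is None else max(s["last"], p.ts)
    return dict(stats)


def find_amplified_peers(packets, local_host, min_ratio=20.0, min_out_pps=100.0):
    """Flag peers that receive far more bytes than they appear to send, at a
    sustained rate. Small packets with a forged source make the "peer" the
    target, so a flagged address is a likely victim, not an attacker.
    Both thresholds are illustrative assumptions."""
    findings = []
    for peer, s in summarize_peers(packets, local_host).items():
        if s["bytes_in"] == 0:
            continue                      # nothing prompted the outbound traffic
        ratio = s["bytes_out"] / s["bytes_in"]
        duration = max(s["last"] - s["first"], 1.0)   # floor avoids tiny windows
        out_pps = s["pkts_out"] / duration
        if ratio >= min_ratio and out_pps >= min_out_pps:
            findings.append((peer, round(ratio, 1), round(out_pps, 1)))
    return sorted(findings)


def constructed_capture():
    """Constructed sample: one reflection pattern, one download, one trickle."""
    pkts = []
    # 29-byte packets claiming to come from 198.51.100.7, each answered with
    # a 1,500-byte packet (the sizes quoted in the article), 500 per second.
    for i in range(500):
        pkts.append(Packet(i * 0.002, "198.51.100.7", LOCAL_HOST, 29))
        pkts.append(Packet(i * 0.002 + 0.001, LOCAL_HOST, "198.51.100.7", 1500))
    # Ordinary download: large packets arrive, small acknowledgements leave.
    for i in range(200):
        pkts.append(Packet(i * 0.005, "203.0.113.5", LOCAL_HOST, 1500))
        pkts.append(Packet(i * 0.005 + 0.001, LOCAL_HOST, "203.0.113.5", 60))
    # Same byte ratio as the first case, but only three packets in 20 seconds.
    for t in (0.0, 10.0, 20.0):
        pkts.append(Packet(t, "203.0.113.200", LOCAL_HOST, 29))
        pkts.append(Packet(t + 0.5, LOCAL_HOST, "203.0.113.200", 1500))
    return pkts


if __name__ == "__main__":
    for peer, ratio, pps in find_amplified_peers(constructed_capture(), LOCAL_HOST):
        print(f"{peer}: {ratio}x bytes out/in at {pps} packets/s outbound")
```

The byte ratio alone would also flag the three-packet trickle, which is why the check pairs it with an outbound packet rate.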
Although many folks are using Apple’s OT Tuner 1.0 without trouble, there are persistent reports of the patch causing problems for users with AirPort networks as well as some cable modem and DSL connections. Some users also report difficulty switching TCP/IP configurations with the patch installed. It’s probably safest to err on the side of caution and give Apple’s OT Tuner a try, but disable it using the Extensions Manager if you find it causes problems with your connectivity.
Like many Mac users, I’ve been busy this last week installing Apple’s Open Transport Tuner 1.0. This patch blocks a potential denial of service attack that can be launched from Macintosh systems running Mac OS 9 and certain CPU configurations running Mac OS 8.6 – see Geoff Duncan’s piece in this issue for details on the vulnerability and Apple’s fix.
John Copeland, a professor at the Georgia Institute of Technology, identified this potential attack after detecting a port scan on his home network. Credit should go to Mr. Copeland for discovering this vulnerability, but how this information was disseminated and the Macintosh community’s response to it have left something to be desired.
Heads in the Sand — Many of us in the Macintosh community have become smug about network security, and with good reason. For years, Macs have been the most secure platform for deployment of Internet servers, and have proven repeatedly they are almost invulnerable to network attacks or cracking. Although the Macintosh is still the most secure platform for Internet use, we can neither blithely ignore security issues nor overreact when security issues are identified. In this instance, the confusion was spread by Macintosh news and information services and mixed with a good helping of paranoia regarding Y2K cyber-terrorism. This incident highlights that we as a community don’t know how to deal with network security issues, simply because we’ve rarely had to deal with them before.
Looking to other communities can be instructive for us, and show us how the rest of the computing world has been dealing with their network security issues for years.
Stay Informed & Prepared — The CERT Coordination Center at Carnegie Mellon University is the global clearinghouse for network security alerts, advisories, and guidance. The CERT team updates their Web site each time a vulnerability is identified, and they rank the level of vulnerability along with providing links to patches. They also run an announcement mailing list so you don’t have to check their Web site every day.
There are also hundreds of books available that discuss network security. Books published by O’Reilly and Associates are generally of a high caliber. Nearly all of these titles are concerned with the Unix and Windows worlds, but many principles are generally applicable to any platform.
The BugTraq mailing list is also helpful if you’re interested in detailed technical analysis of current computer security issues for any platform.
Another good information resource is the System Administration, Networking, and Security (SANS) Institute. This group runs regular security workshops nationwide and has a Web site full of useful information. Much of their information is geared towards Unix administrators, but that leads me to my next point.
Mac OS X Server and the forthcoming Mac OS X have BSD Unix at their cores. This means once Mac OS X ships and is installed on our Macs, we will be running Unix workstations on our desktops – and we will potentially be just as vulnerable as any other Unix workstation. Although this doesn’t mean you will need to become a Unix system administrator to operate your Macintosh, it does mean you should keep yourself informed of network security topics and respond to issues and alerts in a timely fashion.
Handle Problems Responsibly — For years the Unix community has been dealing with these issues by following some simple steps:
- As issues are identified by end users, programmers, or security professionals, they are reported to CERT and appropriate software vendors
- CERT issues an advisory or alert, and the vendor releases a patch
- Affected users apply the patch, and life goes on
Note that nowhere in this list appear the words panic, fret, worry, or hide. If you’re one of the "lucky" people to identify a network security issue, you should:
- Contact CERT
- Contact the vendor(s) of the vulnerable product(s) involved
- Help them to identify and develop a patch
Also note that this list doesn’t include tasks like alerting the media, publicly speculating on possible ways of exploiting the problem, or suggesting what end users should do. Advising end users and providing accurate information is the job of CERT and the vendors, and they’ve been doing it for years.
Evaluate Reports Critically — Not everyone is a networking expert, and the level of detail available from resources like CERT can be overwhelming. It’s not necessary for everyday computer users to follow the technical minutiae of network security problems, but folks should know these resources exist so they’re better able to evaluate problem reports as they arise. When a new network security problem is reported, consider whether the problem report seems responsible and credible to you, whether the problem has been reproduced by trusted third parties, and whether CERT and software vendors have been informed or issued statements. The Internet can spread misinformation and unfounded speculation as rapidly as it can disseminate critical news and software updates – it’s always better to make an informed decision than let haste and trepidation get the better of you. In the immortal words of Douglas Adams (a diehard Mac user), Don’t Panic!
[Chris Kilbourn is President of digital.forest, Inc., a Mac-focused
network service provider specializing in FileMaker Pro database web
hosting, server colocation, QuickTime Streaming, and other Internet
Some years ago we published a couple of interviews in TidBITS, including one with Peter N Lewis of Anarchie fame and another with Daryl Peck, founder of Outpost.com. However, despite the fact that we received tremendous positive feedback on those interviews, we somehow stopped doing them, a move I’ve long regretted.
However, when Neil Shapiro, a legend from the early days of online communities in the Macintosh world, popped up in my email to tell me that he was bringing back MAUG on a Web site called ForumsAmerica.com, I immediately realized that an interview would be the best way to explain what MAUG was and to introduce the new MAUG.
[Adam] First off, tell me a bit about how MAUG got started back in…
[Neil] 1979! I had just bought an Apple II computer and had no idea how to use it. I was one of the journalists beta-testing the new CompuServe (then called MicroNet) network. So I left a note pleading for help on the main bulletin board (there were no Forums) and some people met me in the CB Simulator (what Chat was then called). It developed into weekly Sunday night meetings. We were originally called the MicroNet Apple Users Group (MAUG). After a year of meetings we started one of the very first Forums. In 1984 we expanded into the Macintosh and wound up with more than twenty Forums devoted to Macintosh topics. We kept the MAUG acronym, but it became a registered trademark (now owned by my company eFriends, Inc.) and now stands for Micronetworked Apple Users Group, somewhat of a mouthful.
[Adam] So in the days before the Internet hit big, MAUG was one of the main online Macintosh communities. When would you say that MAUG hit its peak?
[Neil] I think the entire online world on all the various networks seemed, to me anyway, most active in the early nineties. People were then discovering it as a mass market, rather than a service just for experts. It was around then that, at dinner parties, I found most people at the table at least knew what a modem was, and that was a huge change from the seventies and eighties.
[Adam] Although AOL has purchased CompuServe, the service is still around. What happened that caused MAUG and CompuServe to part ways?
[Neil] Sorry but I can’t comment on that other than to say that I had many good years with CompuServe and still have some good friends who work there.
[Adam] Fair enough. You’ve probably spent more time on CompuServe than almost anyone, though – what future do you see for proprietary online services like AOL and CompuServe, whether or not they provide varying degrees of access to the Internet? It would seem that the Internet is the big deal now, but that hasn’t stopped AOL from signing up 20 million subscribers, or whatever they’re up to now.
[Neil] I think that proprietary networks in general (not speaking here specifically of any one) are becoming learning areas – places where people go because it is easy both to install the software and to sign on. Two forces are moving though to where they may find it increasingly difficult to maintain market share. First, hardware is becoming more and more Internet-ready, the iMac being a wonderful example. Second, large ISPs are bundling their access software on CD-ROM with easy-to-use installers. I don’t know what the future of the proprietary services will be.
[Adam] But now you’re back, on ForumsAmerica.com. They’re still in beta – what can you tell us about them?
[Neil] ForumsAmerica.com is the most exciting thing I have been involved with for many years. It is a breakthrough both in conception and execution.
The concept was to design a message base (reachable by any major browser/platform combination) that did not have the drawbacks of present Web forums. We wanted to create a message base that felt more like a community (the word is way overused, but since I was one of the first to use it I still feel entitled). To do this we stepped out of the box of topic-oriented messaging and moved toward the area of conversational threads. For instance, this means that if you leave a message and I respond, then others see my response right after your message and attached to it. And when you return to the forum, the software tells you that you have messages waiting for you. It’s a little hard to explain, but the effect is that people talk to other people, rather than just posting in a topic. Yet it’s fast and easy to use, far easier in my opinion than the few other thread-oriented message boards one may find.
[Adam] I’m racking my brains to remember the old CompuServe interface, but this is sounding similar. Perhaps one way to think of it is as a cross between a Usenet news thread and email, in the sense that the conversation is public, but the forum encourages people to converse with one another?
[Neil] It is less like email and much more like Usenet. But when I go onto Usenet, I find myself often confused about why someone is saying something because the message they are responding about may have happened far back in the topic. On ForumsAmerica.com the progression of the discussion is far easier to track. Threaded messaging began, I think, back in the seventies on BBS systems that ran on TRS-80 Model Ones. They then evolved further on networks like Delphi and CompuServe. We have continued the evolution by designing an interface that we knew, from the ground up, was going to be Internet-based and read via a Web browser.
[Adam] Of course, trying to create a usable interface in a Web browser is a difficult task, especially when you have to support multiple platforms.
[Neil] One thing I appreciate is that the ForumsAmerica.com programmers spent an incredible amount of time ensuring that the service would be truly multi-platform and that Macintosh users in particular wouldn’t feel like second-class citizens. When you log onto ForumsAmerica.com the first thing the software does is identify your computer and browser. Macintosh users wind up with their own style sheet that customizes fonts and other design elements for display on the Mac. Have you ever gone to a Web site with your Mac, maybe after seeing it on a friend’s PC, and noticed the fonts are squashed or the layout screwed up? ForumsAmerica.com looks great – and the same – on both PC and Mac. It wasn’t an easy thing to do!
[Adam] Indeed – we ran into many of the same issues with the recent redesign of our home page, except that we were trying to make it look better for those people who read TidBITS from a PC. Geoff Duncan also wrote an excellent article for us explaining the difference in font display between the Mac and PC. But I digress. How does the MAUG setup on ForumsAmerica.com compare to the old setup on CompuServe in terms of forums and libraries and the like?
[Neil] We have chat, and we have the message boards of course, but we’re not planning on having file libraries right now. I feel that there are many great places to go now for software online. I see our mission as being the place to go to find out from your friends what new software is cool and what not to bother with. We do have features and releases up that have links to take people to the places to download or find out more information. There are so many people doing so many wonderful things for Mac owners on the Internet that we don’t want to duplicate effort or do something poorly. What we do is messaging, nothing more. I truly feel that we are the best for that now on the Internet, and I hope other Mac owners will agree with me once they try it!
[Adam] Is MAUG the only topic discussed on ForumsAmerica.com right now?
[Neil] Nope. The breadth of topics covered on ForumsAmerica.com will, I think and hope, keep people thinking of it as an online home to discuss most anything. Along with MAUG, I run the News and Politics area along with the Books and Reading area. Then there are areas in Gaming and in Cooking, Men, Home Improvement, Space, and even something called Windows. There are many more on the way. All will be managed by professional moderators – people who know what it takes to make a message board feel like a safe and fun place to be.
[Adam] Moderation is extremely important – in many ways it’s another form of editing, and the most important people to have when information becomes overwhelming are editors, because they’re trained to separate the wheat from the chaff.
[Neil] Wow, Adam – I never thought of it as editing. Given my background (an editor at Popular Mechanics for years and founding editor of MacUser) I admit I am surprised at myself! It does have a lot to do with the same communication skills that go into editing. In our new area these are even more important as we have a special area of "features." These features can be press releases, publicity from other sites, original articles, whatever, all with links, graphics and so on. I’ve been trying to find interesting features and then start messages going about the topics. For example, a popular game (Might and Magic III) is finally coming to the Mac. So one of our features was the press release and we had a thread about cross-platform games. From the front page people could click to read the feature or click to discuss the topic. We’re aiming to create a synergy of information.
[Adam] In the past, being a forum moderator was a big deal, since time on CompuServe was expensive, so there were some major financial benefits as well. That won’t happen on ForumsAmerica.com, I assume, so what benefits will moderators receive? For that matter, what is ForumsAmerica.com’s business model?
[Neil] ForumsAmerica.com is completely free to users but carries banner ads for revenue. Like many Web sites we charge advertisers for the impressions generated by users seeing the ads. ForumsAmerica.com plans to share ad revenues with the moderators or, as we call them, Community Managers. By the way, ForumsAmerica.com is open to new Forum proposals so this is a chance for people to get in on a ground floor. If anyone is interested in running an online community (particularly if they have experience doing so), they can send a proposal to <[email protected]>.
[Adam] You talk a lot about community, so here’s a question. What role do you see real world user groups playing in today’s wired world? We’ve seen BMUG and LAMUG suffer significant problems, and other user groups have had troubles as well. Real world user groups probably hit their peak in the early nineties as well; does the return of MAUG indicate that community in general might be making a comeback?
[Neil] I’m not an expert concerning real world user groups but I recall how Apple used to evangelize for them, helped them get speakers and software for review, and generally supported them. The Macintosh is still a computer that attracts people who are not worried about being different or going against the grain. Apple’s slogan of Think Different is right on target. So, it seems to me that people who buy Macs are still differentiated enough from the overall audience of computer buyers to form a community bonding via this choice of platforms. It would not surprise me to see user groups make a comeback generally in the next year.
[Adam] Have you seen similar levels of community in the Windows world? The Mac world may be smaller, but small size seems to have fostered a sense of togetherness that often seems lost on PC users.
[Neil] There is no community of PC users! At least, no community based around their choice of computer. Most people with PCs think of them as simply a hammer they use to knock together some projects around the office. Many people with Macs still think of their machines as being exciting, they – we – see them as empowering. It’s a completely different mindset.
[Adam] Not to imply damning analogies, but the online world has changed since MAUG ruled the earth. How has MAUG evolved to fit into today’s Internet?
[Neil] I surf the Internet for hours each day and have for a long time, so I know that we’re not still in Kansas. It really is like the magic of Oz with all sorts of colorful characters, amazing feats and, yes, even a few dark and scary places. But to extend this analogy – there’s no place like home! I have yet to find a message board that isn’t tied to a single publication, product, company, or portal and that delivers the whole world of the Mac in an open-ended way. If we have evolved then I think it is in realizing that our strength is in the independence of our information and in letting people treat the place like their home.
[Adam] Perhaps this was already covered in the previous question, but with the vast number of mailing lists, Web sites, and other resources on the Internet, what does MAUG have to offer that’s unique?
[Neil] I hope that our uniqueness is still in what it has always been – how the staffers and I feel about the Macintosh community and our role in it. We are here for you, for anyone with a Macintosh. It’s a free service, you don’t have to buy anything, and we are as wide open as we can be. Lofty Becker, Charlie Downs, Bill Cook, Alan August, Marty Silbernik, David Ramsey, David Rose – these guys have been with me some for upwards of two decades. It is not because I am so lovable! Rather, it is because we all love what we do – we love the Macintosh community.
We’re glad to be back!
[Adam] Thanks for your time, and I’d encourage everyone to check out the new MAUG on ForumsAmerica.com. It’s a little sparse still, having been open for only a short time, but it’s good to see such a pillar of the Macintosh community return to action.