We’re looking out for you and your data with this issue! First, Derek Miller passes on a warning (and identification tips) about clever spam that purports to be from PayPal in an attempt to get you to reveal your PayPal password. Then Adam reviews Granite Digital’s FireVue Hot Swap Drive System, a great option for hard drive-based backups. In the news, we cover the releases of Entourage’s new Exchange support, Tinderbox 2.0 and Font Reserve 3.1.2.
Entourage Gets Exchange Support — In a move to welcome Macs into mixed computing environments, Microsoft has updated Entourage X to work with a Microsoft Exchange Server. In addition to the email and calendar features that Entourage already supports, the update makes it possible to view and schedule Exchange meetings, synchronize your calendar with the server, and look up email addresses in the server’s global address list. These improvements are part of a larger Office X 10.1.4 Update, which also provides small updates to address stability issues in Word, Excel, and PowerPoint.
Before you install the latest update, check to make sure you’ve installed Microsoft’s Office X 10.1.2 Update, which grouped together several previous patches and security updates. (Since I had installed those earlier updates, I never bothered to apply the full Office X 10.1.2 Update. However, the installer for the 10.1.4 update wouldn’t work until I applied the full 10.1.2 update, a 14.6 MB download.) To further muddy the version number waters, you do not need to install the earlier Office X 10.1.3 Update (which tweaked the Italian Spelling Tool and French Proofing Tools) in order to upgrade to version 10.1.4. The Office X 10.1.4 Update is a free 28.6 MB download. [JLC]
Tinderbox 2 Improves Weblog Tools — Eastgate Systems has released Tinderbox 2, an update to its utility for storing and organizing notes and other informational content (see "Light Your Fire with Tinderbox" in TidBITS-651). In addition to gaining an overall speed boost and interface polish, the new version includes the Tinderbox Weblog Assistant for setting up a personal weblog. If you already use weblog software such as Movable Type, Radio UserLand, or Blogger, Tinderbox 2 can easily send notes as weblog entries. The Tinderbox 2 upgrade is available for $70, which includes a year of free upgrades; if you’re still within a year of purchasing a previous version of Tinderbox, downloading and installing the 3.7 MB demo automatically unlocks the application. A full version of the program costs $145. [JLC]
Font Reserve 3.1.2 Update Released — Extensis has released a minor update to Font Reserve, one of the font management utilities in its stable. (Extensis also owns Suitcase, and recently purchased Font Reserve’s parent company DiamondSoft; see "Extensis Buys DiamondSoft" in TidBITS-686. You can also find a FAQ about the purchase, and what it means for the future of both products, at the Extensis Web site.) Most notable in the Font Reserve 3.1.2 update is improvement when activating fonts within the Classic environment. Also, a crashing problem with the Font Reserve plug-in for Adobe Illustrator 10 has been fixed. Other unspecified improvements have also been made for the plug-ins for InDesign 2 and QuarkXPress 4 and 5. (For more on Font Reserve, see "Font Reserve Moves to Mac OS X" in TidBITS-620). The update is a free 9.4 MB download. [JLC]
Most spam is simply annoying – a waste of time, effort, and computer resources, to be sure, but not usually dangerous. However, a small but significant number of spammers go beyond being merely misleading or offensive by actively trying to defraud people. Their methods are increasingly sophisticated, both technically and socially, and many are now focusing their efforts on major ISPs, online retailers, telecommunications carriers, and, for my discussion here, the popular PayPal online payment service, which is owned by eBay.
Email fraud is nothing new. It follows naturally from the methods criminals use in mail, wire, and telephone fraud. The notorious "Nigerian banking" scams have even been traced back as far as the 1920s, when they were conducted through the mail and involved a fictitious Spanish prisoner instead. But the Nigerian banking scams are almost laughably obvious, whereas the new scams aimed at PayPal are really quite subtle.
Why PayPal? PayPal is not to blame for the situation. Some people dislike the service for a variety of reasons, but PayPal’s staff makes significant efforts to keep it both secure and easy to use, two goals that are sometimes at odds. So why are these scam artists targeting PayPal?
People trust PayPal with information about their bank accounts and credit cards. PayPal is widespread, with many of its users maintaining a significant balance of funds in their PayPal accounts. A large majority of eBay auctions accept PayPal, and many services outside the eBay community use it as well – including TidBITS’s own PayBITS author-payment system. Put bluntly, PayPal is where the money is.
Also, it’s simple for nearly anyone with Internet access to use PayPal. That means many PayPal users are unfamiliar with the details of how Internet email and online transactions work, even if they use those technologies every day. With a bit of effort, criminals can convince even fairly experienced Internet users that they are logging into the PayPal Web site, when in fact they are giving personal and financial information away to unknown parties.
In short, PayPal appeals to fraud artists for the same reason it appeals to users: it makes accessing and transferring money entirely online both easy and quick. So people also can be tricked into losing their money quickly, easily, and entirely online.
Why Me? How do PayPal scammers get your email address? The same ways other spammers do, which include harvesting addresses posted in Usenet and on Web pages (perhaps especially if you have a PayPal payment link on your site, as I do), obtaining illegitimately compiled databases of addresses from unscrupulous companies with whom you might do business, crawling eBay’s active auctions looking for usernames, and unleashing semi-random "dictionary" attacks on major email providers such as Hotmail, EarthLink, AOL, and Pobox.
Since so many people use PayPal, even random spamming of millions of email addresses will turn up a fair number of people who have PayPal accounts, and therefore some who can be convinced that PayPal needs them to re-type some information.
Anatomy of a Scam — Like most varieties of spam email, every PayPal scam is slightly different. The goal of each one, though, is the same: to mislead victims into believing that they are communicating with PayPal, so that their trust in it, and thus their money, can be misappropriated.
Usually that attempt takes the form of an email forged to look like it comes from PayPal, claiming that the company is trying to verify its customer list, has had a database problem and needs some information re-entered, or has another apparently legitimate reason for you to log in with your user name, password, and maybe credit card information and ATM code. The email might include a link to a site that seems to be owned by PayPal, but is not, or the email might include an HTML form itself, as the one I received last week did:
Over time, the perpetrators of these scams have gotten trickier. Early versions were plain-text email messages with links that were obviously misleading. More recent attempts are HTML-formatted messages with genuine PayPal logos (sometimes linked directly from PayPal’s site) and a layout similar to PayPal’s genuine Web pages.
There are still signs that give away the real nature of these messages. Every one I have seen has errors in design or language that are unlikely in correspondence from a legitimate company. The writers might misspell words or use them sloppily (such as writing "e-mail" in one place and "email" in another), use slightly inconsistent font sizes, or have spaces missing between words. Often the phrasing that isn’t stolen directly from PayPal’s own pages is off-kilter and strange, obviously not written by professionals. Another giveaway is URLs that point at IP numbers or other domains rather than the paypal.com domain. With HTML email, though, you must view the source of the message and scan it carefully to find these telltale signs.
Yet for someone who isn’t a technical writer and editor like me, those mistakes are easy to miss. The scam email I received last week is even set up to redirect you to the real PayPal site after it has harvested your personal information, so unsuspecting victims may never know they had been duped until the money started disappearing from their PayPal account (a good reason to check your account activity every so often too).
Consequences and Precautions — Crooks who manage to obtain your name, email address, password, and banking information are in a position to drain your PayPal account of all its funds, at the very least. They could also launch fraudulent auctions in your name, launder money, or (in the extreme) use the information they have as the basis for identity theft. These are not misdemeanors, but serious crimes.
So, if you use PayPal, you should be cautious. Fortunately, that’s easy to do. First of all, PayPal never sends email messages requesting your password. Any transaction requiring you to log in goes through the paypal.com Web site and uses a secure (https), encrypted connection (so make sure you see https at the beginning of the URL in your Web browser’s address field and paypal.com as the URL’s domain name). Be careful, though, since some scammers are using unusual URLs that use the paypal.com domain as a username for another site, whose domain is hidden later on in the URL (after an @ character). So if you see something like the following URL, your browser is actually going to example.com, not paypal.com.
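The checks described above (links and forms that point at IP numbers or other domains, and paypal.com placed before an @ as a username) can be run over a message's HTML source; this is an added example, not part of the original article. The message source, `example.com` and `203.0.113.7` are constructed placeholders, and the function names are this example's own.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # the domain the article tells you to look for

# Constructed sample of an HTML message source (not a real message).
SAMPLE_EMAIL = """\
<html><body>
<img src="https://www.paypal.com/images/logo.gif">
<p>Please verify your account.</p>
<a href="https://www.paypal.com/">PayPal</a>
<a href="http://www.paypal.com@example.com/verify">Log in</a>
<form action="http://203.0.113.7/update" method="post"></form>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the targets a reader can be sent to: link hrefs and form actions.

    Image sources are ignored on purpose: a logo loaded from the real site
    says nothing about where the links go.
    """

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action") and value:
                self.targets.append((tag, value.strip()))


def check_url(tag, url):
    """Return (host, reasons); an empty reasons list means nothing was flagged."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "", ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        return host, []  # mailto:, anchors, etc. are out of scope here
    reasons = []
    if tag == "form":
        reasons.append("form embedded in email")
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Everything before '@' is login info; the browser goes to what follows.
        reasons.append("userinfo before @")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP address")
    except ValueError:
        # Exact match or a true subdomain only, so paypal.com.example.net fails.
        if host != TRUSTED and not host.endswith("." + TRUSTED):
            reasons.append("host is not " + TRUSTED)
    return host, reasons


def audit(html_source):
    """Return (tag, host, reasons) for every flagged link or form target."""
    collector = LinkCollector()
    collector.feed(html_source)
    findings = []
    for tag, url in collector.targets:
        host, reasons = check_url(tag, url)
        if reasons:
            findings.append((tag, host, reasons))
    return findings


if __name__ == "__main__":
    for tag, host, reasons in audit(SAMPLE_EMAIL):
        print(f"<{tag}> -> {host}: {', '.join(reasons)}")
```

The genuine `https://www.paypal.com/` link passes, while the two constructed lures are reported with the host the browser would actually contact.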
PayPal itself maintains a repository of useful anti-fraud information in its Security Center:
If someone attempts to defraud you with a PayPal scam – even if you don’t respond and suffer no loss – the "Report a Problem" link on PayPal’s Security Center page lets you tell the company about it so that it can try to track down and prosecute the offenders. The company also encourages you to forward any scam email messages purporting to involve PayPal (including all headers) to <[email protected]>.
PayPal remains profoundly useful. We must learn to recognize those people who are trying to degrade that usefulness and steal our money, just as we recognize suspicious activities in other areas of our lives. One simple way to avoid any problems is to log into PayPal only when you type its URL into your browser yourself.
The situation reminds me of a Calvin and Hobbes cartoon where Calvin brings a note to school, written in big lettering using a pencil on lined paper: "Please let Calvin off from school today as his genius is needed on a matter of vital national importance. Signed, The President. P.S. Really." With a bit of scrutiny, you too can learn to spot fraudulent messages.
[Derek K. Miller is a writer, editor, drummer, and stay-at-home dad in Vancouver, Canada. He maintains a disturbingly extensive weblog journal on his Web site.]
PayBITS: If Derek’s warning helped you or someone you know avoid
being scammed, why not send him a few bucks via PayBITS?
Read more about PayBITS: <http://www.tidbits.com/paybits/>
I’m a huge promoter of solid backup practices (have you backed up recently?) and for many years I relied on a combination of Dantz Development’s Retrospect and a DAT tape drive. Eventually the 2.6 GB DAT tapes simply weren’t sufficiently capacious to handle the amount of data from the machines on my network, so I switched to a VXA-1 tape drive from Ecrix (now owned by Exabyte; see "Ecrix’s VXA-1 Tape Drive: Big Fast Backups" in TidBITS-569 and "Ecrix, Exabyte Merge" in TidBITS-594). It worked well for a year or so, but its tapes held only 33 GB uncompressed, and the amount of data I had soon grew to the point where I needed to buy more tapes to maintain a reasonable three-set backup strategy. At the time, each 33 GB tape cost about $65 when bought in a 5-pack – a good bit of money to spend on tapes. That’s when the problem began. An older version of Retrospect on the Performa 6400 I was using as a backup server crashed occasionally during backup, at which point the VXA-1 drive would go into some sort of a loop that required manual intervention. That was annoying, but the final kicker was that several times after I broke the VXA-1 out of the loop, the inserted tape was unusable. Needless to say, at $65 per tape, this was not a situation I could tolerate for long.
Enter the Hard Drive — When I did some price comparisons on different forms of backup media, I saw that hard drives were solidly in the lead for price per gigabyte. It’s a bit tricky to make those calculations, though, since a FireWire drive costs about $100 more than the equivalent bare IDE drive thanks to the necessary FireWire bridge board, case, and power supply. A number of manufacturers make kits into which you can pop your own drive, and I considered them briefly, but it seemed that I’d have to choose between two unpalatable options: swapping bare drives into and out of a case every time I switched backup sets, or buying three separate kits and fussing with FireWire and power cables for each swap. (For more thoughts on this topic, see "What About Backing Up to FireWire Hard Disks?" in TidBITS-574.)
So when I became disenchanted with the VXA-1 and wanted to switch to a hard drive backup solution, I turned to Granite Digital, a company long known for high-quality SCSI cables and other storage-related accessories. They make an unusual product called the FireVue Hot Swap Drive System, which is a FireWire drive bay with the necessary power supply, fan, and Oxford 911-based FireWire bridge board. What it doesn’t contain is a hard drive; you add that by purchasing a standard 3.5 inch IDE drive, installing it into a special tray, and then inserting the tray into the FireVue’s bay. A kit containing the FireVue bay and one tray costs $200 ($180 on sale at the moment) and additional trays are $30.
You can buy the FireVue Hot Swap Drive System complete with a drive from Granite Digital, but realistically, you’ll find cheaper prices on drive mechanisms elsewhere. I generally check hard drive prices on PriceWatch, and I also look for special sales on Dealnews; between the two, I generally spend about $100 per drive – in my experience so far, first a pair of 80 GB drives and then a 120 GB drive.
The FireVue was the perfect solution for my situation, since $250 or so would get me started with the drive bay and three trays, and I could keep increasing the size of the hard drives I put in the trays as needed. My first three drives were a 60 GB drive I had around the office and the pair of 80 GB drives. When the 60 GB drive filled up, I removed it from its tray, and replaced it with a 120 GB drive. My goal is to rotate drives out of the system on a sporadic basis as they fill up, storing them for posterity. I’m under no illusions that hard drives are the best archival media for backups, but since I tend not to throw anything relevant out (my Macs keep coming with ever-larger hard drives too), I’m not worried about needing complete archives or losing anything should one of the archive disks prove unusable at some point in the distant future.
(For those of you paying attention and wondering how I managed this on a Performa 6400 – I didn’t. All this happened simultaneously with buying a new dual 1 GHz Power Mac G4 as my main desktop Mac so I could let my 450 MHz Power Mac G4 running Mac OS X take over server duties from the aging Mac OS 9-based Performa 6400. The Performa didn’t have FireWire and might have been too slow for the software-based compression I wanted to have Retrospect start doing. I also upgraded my network, replacing 10 Mbps Ethernet hubs with cheap 10/100 Mbps switches so backups of Macs with 100 Mbps Ethernet could run at full speed when backing up to the new server. It’s amazing how a single decision – moving from the SCSI-based VXA-1 tape drive to the FireWire-based FireVue – can require so many dependencies that must be satisfied first.)
Better Backups, Faster Restores — Tape backup systems are generally fairly sprightly when it comes to writing data to tape, but I’ve always found them annoying when restoring data (and remember, it’s restoring the data that you care about). Nonetheless, increasing the speed of my network and backing up to a fast hard disk meant that backups ran a lot faster than in the past, which was extremely welcome. If the act of backing up was better, restoring was even more so, since Retrospect didn’t have to ask the tape to seek for minutes to find the file I wanted, and I never had to swap tapes to access all the versions of the file backed up over time.
The other significant improvement when using hard drives for backup is that I can tell, by looking at the disk in the Finder, how much free space is left on it. That’s impossible with tapes, so knowing when you might need to add a new tape or recycle the media is pure guesswork, whereas with the hard drives I can now tell roughly when the drive will be filling up.
Unfortunately, even the just-released Retrospect 5.1 can’t span a backup set across multiple hard disks, as it can when you’re using any sort of removable media like CDs, DVDs, or cartridge drives. For me, right now, that’s not a problem, since my backup drives are large enough to store all the data on my network plus a few months of changes, and it seems that the size of the drives I can use for backup will outpace my ability to increase stored data. Remember too that Retrospect can compress data (30 to 45 percent on my data, which is largely email), and it backs up only one copy of files that are identical on different machines, thus eliminating a lot of redundant data copying.
Those of you who work with huge data sets – large image files, huge databases, or video that simply must be backed up – will need to stick with removable backup media like tapes for now, although I expect a future version of Retrospect to be able to span backup sets across multiple hard disks. And as I noted before, tape is still better for serious archiving.
Niggles and Annoyances — As much as the FireVue Hot Swap Drive System is ideal in conception, its implementation isn’t perfect. Installing a drive into a tight-fitting tray is tricky, and you must be careful not to damage a cable that runs alongside the edge of the tray. Although Granite Digital engineered a latching handle onto the front of the tray that aids insertion and removal, the insertion mechanism doesn’t have a solid feel to it, and sometimes the drive isn’t fully inserted when the handle latches down. More annoying is the fact that to remove a tray you must unlock it using a little round key. I’m not bothered by performing another action before removing the tray, but the keys are small, cheap, easily lost, require some fiddling to use, and I’d like to see a larger knob that could replace the key permanently if you weren’t concerned about security.
A SMARTer FireVue — After I’d spent a few months quite happily using the FireVue system I’d bought, Granite Digital asked if I’d like to review their new version, the FireVue SMART Hot Swap Drive System, which adds an LCD panel that provides constant feedback on hard drives that support SMART (Self-Monitoring, Analysis, and Reporting Technology). Along with the SMART support, the new unit addresses some of my irritations with the original FireVue, making it somewhat easier to install a drive and improving the feel of the insertion. The key is still required, but at least it seems to be the same key, so I don’t have to keep track of two separate keys. These improvements come at a higher cost ($280 for the kit with one tray, $50 for additional SMART LCD trays, and $30 for additional standard trays), raising the question of whether or not it was worth the extra money. The FireVue SMART Hot Swap Drive System trays aren’t exactly the same as the plain FireVue Hot Swap Drive System trays, so you can’t mix and match.
I’d not heard of SMART before, but it’s an interesting technology designed by a number of major hard drive manufacturers to increase the reliability of hard drives. SMART-compliant drives incorporate a suite of diagnostic routines that monitor the internal operations of the drive and report the results back, either to special software running on the computer, or to an integrated interface such as the one Granite Digital built into their SMART LCD trays.
I quite like the SMART LCD display, since it constantly shows information like peak and average data rates, the latter of which was often quite low, due to data coming in over the comparatively slow network. Two buttons, Menu and Select, enable you to walk through the rest of the built-in interface, where you can view information about the FireVue’s FireWire bridge board, the drive itself, the FireWire ports, and even the host (where it told me that one was connected, but two were allowed, piquing my curiosity).
The seriously geeky information and controls are in the Diagnostics/Utils menu. You must unplug the drive’s FireWire cable from the computer to access these items since they could conflict with activities taking place on the Mac at the same time. You can view all the SMART attributes, such as various types of error rates, reallocated sectors, and internal temperature. You can even see error logs, though I suspect only support engineers are likely to understand them. If you’re concerned about the health of your drive, you can perform a series of short and long tests: SMART self-tests, read tests, and verify tests. There are even options for erasing the disk, which I found a little scary, since the interface is sufficiently simplistic that mistakes could be made (tip: just keep pressing Menu if you’re worried).
I can’t say that having SMART support has done more than entertain me on a few occasions, since I haven’t experienced any problems with the drive in that tray. But before I received the SMART version of the FireVue, I had trouble with another drive, and I would have appreciated SMART diagnostics then. As it was, Retrospect’s anal-retentive verification started showing odd errors that I eventually tracked to bad blocks on the drive. A simple reformat didn’t help, but reformatting with the option to "Zero all data" enabled in Disk Utility mapped out all the bad blocks. Even though it’s working fine now, I’ll probably be rotating that drive out of the backup mix next.
A SMART Backup Strategy — I must admit, I’m pretty happy with my backup strategy at the moment. It’s fast, it’s flexible, it’s relatively cheap, and I can easily store one of the trays at my parents’ house for off-site security, rotating it every few weeks. I won’t pretend that it’s ideal for every situation, since people with very little data may be better served by backing up to CD or DVD, and those with a lot of data or archival needs would probably be better off with a tape-based backup solution. But for anyone with at least several Macs and no more data than can fit on a single hard disk, I definitely recommend the FireVue Hot Swap Drive Systems and a set of inexpensive drives.
PayBITS: If Adam’s review helped you decide how to set up your
backup system, why not acknowledge the article’s value via PayBITS?
Read more about PayBITS: <http://www.tidbits.com/paybits/>
The future of Casady & Greene products — A recent post to this old thread reveals where you can download Glider Pro, previously published by Casady & Greene, for free. (5 messages)
iTrip and other FM transmitters — In another useful update to an old thread, it turns out that the iTrip may not be legal to use in the UK. Worth investigating more if you plan to use an iTrip there. (13 messages)
Mailsmith 2.0 comments — Wide-ranging discussions about Mailsmith’s lack of Unicode handling, Address Book integration, AppleScript support, lack of IMAP, text editing capabilities, and much more. (32 messages)
Macworld Expo’s age policy — Most of the mail about IDG World Expo’s policy of banning children under 13 from Macworld Expo in New York agreed with our criticisms, though some people raised legitimate concerns (though not ones that IDG World Expo stated) with children at trade shows. (21 messages)
Installing iDVD 3.0.1 on Non-SuperDrive Macs — This single message thread is worth reading for its instructions on how to install iDVD 3 from the iLife DVD on Macs that don’t have SuperDrives. (1 message)
wOzNet tracking — Should we be worried about the privacy implications of Steve Wozniak’s new wOzNet project? Some think so, whereas others point out that we’re already tracked at all times by our cell phones. (11 messages)