Apple Releases Security Update 2005-007 — Apple Computer today released Security Update 2005-007 for both client and server versions of Mac OS X 10.3.9 Panther and Mac OS X 10.4.2 Tiger. The update includes a number of patches to Apple software (such as Mail, Safari, under-the-hood technologies like the Quartz and CoreFoundation frameworks, and, in Mac OS X Server 10.4.2, the Server Admin tool used to create firewall policies). Apple also patched components of Mac OS X’s Unix underpinnings, including OpenSSL, the X11 windowing system, Apache 2, CUPS, Kerberos, and zlib. Apple recommends all Mac users install this update since it addresses several security problems which could, in theory, enable a remote attacker to access data on the computer, create user accounts, execute arbitrary programs, or let URLs bypass Mac OS X’s built-in security check when clicked. The update is available from Apple via Software Update and at the first URL below; the download ranges from 13.3 MB to 29.9 MB, depending which version of Mac OS X you need to update. Apple details the changes included in Security Update 2005-007 at the second URL below. [GD]

<http://docs.info.apple.com/article.html? artnum=61798>

<http://docs.info.apple.com/article.html? artnum=302163>

PowerBook Graphics Update Solves Narrow Issue — Last week, Apple released PowerBook G4 Graphics Update 1.0, a 2.1 MB patch that improves graphic stability for some 15-inch and 17-inch PowerBook G4 models running the 1.67 GHz PowerPC processor; apparently the installer performs a hardware check to determine if the update is required. The update requires Mac OS X 10.4.2. [JLC]

<http://www.apple.com/support/downloads/ powerbookg4graphicsupdate10.html>

SaveScreenie Switches File Formats — A few weeks back, I mentioned that you could enter a particular command into Terminal to change the format Mac OS X 10.4 Tiger uses for screen captures made with Command-Shift-3 and Command-Shift-4 (see "How to Change Screen Capture Formats" in TidBITS-785). Needless to say, it’s not hard to copy and paste such a command, but it’s about as elegant as a waltzing kangaroo, so Christian Franz of cf/x decided to embed the functionality into a small utility as a way of getting to know Apple’s Xcode better. The result is the free SaveScreenie 1.2, which presents you with a few radio buttons corresponding to the available formats (PNG, PDF, JPG, TIFF, BMP, PSD, and PICT); select one, click the Set button, and log out or restart your Mac to have it change the screen capture format. After Christian showed me the initial version, I made a few wording suggestions (once an editor, always an editor) and recommended that he include a Web page link for each format that would tell the user more about that format. He whipped up a new version with my changes, and if you’ve been wanting to fiddle with your screen capture formats, SaveScreenie is now ready to help. [ACE]

<https://tidbits.com/getbits.acgi?tbart=08147>

<http://www.imovieplugins.com/other%20products/ savescreenie.html>

The Mighty Mouse is mighty fussy. Apple sent me a review unit last week, and in our testing the mouse falls short in several regards. Most obviously, I continue to find the overall shape of the mouse ergonomically unsatisfying, but I have hand and wrist problems that make a regular mouse uncomfortable. (For a general description of the Mighty Mouse, see "Apple Ships a Multi-Button Mouse" in TidBITS-791.)

<http://www.apple.com/mightymouse/>

<https://tidbits.com/getbits.acgi?tbart=08201>

First, the scroll ball (what New York Times columnist David Pogue calls a trackpea, a term I like) is not a revolutionary breakthrough that puts shame to all other scroll wheels. It’s a tiny, hard-to-use ball that makes a barely audible ticking sound (generated via an internal speaker) as it’s used. I found it tricky and no improvement over a scroll wheel.

<http://www.nytimes.com/2005/08/04/technology/ circuits/04POGUE-EMAIL.html>

The left-right touch-sensitive clicking works fine, but it’s not worth crowing about. But I have no complaints about two physically, mechanically separate buttons either, making Apple’s design mostly of interest for the way it can switch between one button for those who prefer simplicity and two buttons for those who want more flexibility. However, TidBITS Managing Editor Jeff Carlson found the touch-sensitivity to be tricky, because he often rests his index and middle fingers on his two-button Kensington mouse; using the Mighty Mouse required that he either suspend his middle finger in the air above the right button (quickly creating a sore finger) or move it off to the side.

Squeezing the mouse to activate the two side buttons seems to be a particularly strange action, versus pressing a single button, and the addition of extra buttons doesn’t solve any problems for me.

I also find the Might Mouse software (which installs from an included CD) confusing. Plug in a Mighty Mouse without installing any software on any platform (Windows or any Mac OS X release), and the main left and right buttons work by default. Install the software for Mac OS X 10.3.9 to 10.4.1, plug it in, and the left and right buttons work. However, install the software for Mac OS X 10.4.2 or later, plug in the mouse, and you get only a single big button at the top, requiring you to enable the multi-button functionality manually.

Another shortcoming, Jeff noted, is that you can’t reprogram the right-button action. He uses a right-click as a double-click (which I find mystifying, but each to his own), but that’s not possible using the Mighty Mouse software, unlike the commonly used Kensington MouseWorks (for Kensington pointing devices) or Alessandro Levi Montalcini’s $20 USB Overdrive utility (for nearly any USB controller), neither of which dictates particular actions mapped to particular buttons. USB Overdrive 10.3.9 already appears to work with the Mighty Mouse if you don’t install Apple’s drivers, and Alessandro has committed to supporting the Mighty Mouse fully in future releases.

<http://www.kensington.com/html/1385.html>

<http://www.usboverdrive.com/>

Overall, Mighty Mouse doesn’t measure up in design and function to many other mature mice. Its features are unique, but not compelling.

Recent articles in TidBITS and discussions in TidBITS Talk have mentioned virtual private network (VPN) technologies. VPNs are usually brought up as a tool for securing communications across insecure networks. Glenn Fleishman used a VPN to hide all his network traffic while connected to public wireless hotspots during the South by Southwest Interactive conference, and I mentioned VPN technology in TidBITS Talk as a way to enable Apple’s Remote Desktop to control computers behind a firewall. But what exactly is a VPN? This article is intended to explain some of the concepts and terminology behind VPN.

<https://tidbits.com/getbits.acgi?tbart=08028>

<https://tidbits.com/getbits.acgi?tlkthrd=2324>

<https://tidbits.com/getbits.acgi?tlkthrd=2329>

A VPN is a way of securely connecting computers across insecure networks such as the Internet. Although this might sound straightforward, building a secure network involves several subtleties beyond simple encryption. Security requires authentication – each communicator must prove its identity to the other end. Even the encryption component can be difficult – how do you exchange encryption keys on a network that’s insecure?

Why VPN? Why would you want a virtual private network? Most people use them to connect with corporate networks while traveling or working at home, but they have other uses as well. The primary reason I installed a VPN was so I could travel with my laptop, but still access home resources like my iTunes library and email server, resources that are normally protected from other computers on the Internet by a firewall. I also used it at home initially to protect wireless connections that were "secured" by the easily breakable WEP. When I upgraded to an AirPort Express and a Mac mini using the far-more-secure WPA security instead of WEP, I decided to keep using my VPN as a paranoid defense against the possibility that someone figures out how to break WPA. A VPN can also provide a secure connection for programs such as Apple’s Remote Desktop 2, which has weak security on its own.

Do you perform tech support for your extended family, or for home users at a business? Ever run into problems trying to help them remotely because they are behind a firewall? Upgrading to a firewall that provides a VPN can solve this situation by bypassing all the firewall rules, letting you connect and troubleshoot problems remotely.

Firewalls for Security — Broadband users are often wisely advised to install a DSL or cable router with a built-in firewall to protect their home networks, and most use Network Address Translation (NAT) to share the single public IP address that their Internet service provider allocates among several computers. The firewalls in these low-cost routers are usually enabled by default. Or, if you only have one computer, you can activate the firewall built into Mac OS X with the click of a button in the Sharing preference pane.

Firewalls restrict access from the Internet to the local network. If my father has a firewall protecting his home network and I want to provide tech support for him, I can’t just fire up Apple Remote Desktop or a VNC (virtual network computing) program and connect to his computer. There are two reasons for this problem: first, to which IP address do I connect? The public IP address is just the address for the router, not for his computer. Even if he can tell me the IP address that appears in his Network preference pane, that IP is a private address assigned by his NAT firewall and not directly accessible from the Internet.

The second reason is that most firewalls employ a "speak only when spoken to" philosophy. Examples of this idea in action include the Web and the iTunes Music Store: I can view pages from a Web server, but not until my browser makes the initial connection to the server; similarly, the iTunes Music Store can display within iTunes, but only after my computer has sent it a request to send me the info. To extend the analogy, the request for a remote control connection would have to come from the remote computer first to get through the firewall, and since the remote computer won’t necessary have a person in front of it, it’s hard to generate that initial request. (See Chris Pepper’s article, "What’s a Firewall, and Why Should You Care?" in TidBITS-468, for more detailed information on firewalls.)

<https://tidbits.com/getbits.acgi?tbart=05291>

Open the Ports — One frequently recommended solution to getting through a firewall is to open the port (or ports) an application uses to communicate. Network applications talk using ports. Stealing an analogy from Chris’s firewall article, ports are like apartment numbers in regular mail addresses. If you send a letter to a friend in an apartment building, the building address is not enough: an apartment number is needed to get the letter to the right apartment. Similarly, a computer’s IP address is not enough to get network data to the correct application. The port number is used to direct the data to the correct program such as the Web or mail server. Most popular Internet services have a default "well known" port number.

<http://www.iana.org/assignments/port-numbers>

NAT-based firewalls can redirect incoming traffic to a specific computer on the internal network based on the port number. If you need to use the same application to connect to multiple computers on the internal network there are two options available: configure the firewall to listen on additional non-standard ports and redirect those ports to the standard port on the destination computer (not all firewalls support this capability), or connect to one of the internal computers, then use that computer to access the other computers on the network.

With simple firewalls, opening a port opens it to everyone on the Internet. More complex firewalls can limit access to a port based on things such as source IP address and time of day.

Mac OS X has a full-featured firewall built-in, but Apple’s preference pane limits your options to the simplest configurations – opening a port opens it to everyone on the Internet. Third party tools such as Brian Hill’s BrickHouse can provide GUI access to a much broader range of functionality, or you can use even more full-featured tools like DoorStop X from Open Door Networks or IPNetSentry from Sustainable Softworks.

<http://personalpages.tds.net/~brian_hill/ brickhouse.html>

<http://www.opendoor.com/doorstop/>

<http://www.sustworks.com/site/prod_ipns_ overview.html>

Even with the more advanced configuration options that BrickHouse or your cable or DSL router offers, building these exceptions can be time consuming and error prone (IPNetSentry takes a different approach for this reason, looking for suspicious activity and, when triggered, banning the intruder). Some simple facts of Internet use can make maintaining these rules difficult. For example, adjusting access for someone with an ever-changing dynamic IP address can be frustrating, or even impossible if you are trying to make the change from a dynamic address not already configured in the firewall rules.

Another issue that opening firewall ports cannot solve is unencrypted data streams. Anybody on the network path between the source and destination can use simple tools to extract the traffic. If you use VNC software for remote control, others on the Internet can view exactly what you are seeing/typing. VNC does encrypt the initial authentication made to a remote computer, but if you use it to change a password or unlock a remote screen saver, the password is sent unencrypted. Both FTP and telnet also send your password as plain text.

The ideal solution is to make your local computer connect over the Internet, through the remote firewall, bypassing all the rules, to any number of computers or devices behind the firewall. Additionally we want to keep those communications secret from prying eyes, and we want to ensure the connecting computer is really the one it is claiming to be.

Virtual private networks were designed to provide this solution by creating a secure tunnel through which all traffic flows from you – wherever you may be on the Internet – to your network. Several types of VPN are available: a group of open protocols referred to as IPsec; Point-to-Point Tunneling Protocol (PPTP); Layer 2 Tunneling Protocol (L2TP), frequently used with IPsec; SSH tunnels; and SSL VPN.

<http://www.freebsd.org/doc/en_US.ISO8859-1/ books/handbook/ipsec.html>

<http://www.microsoft.com/ntserver/ProductInfo/ faqs/PPTPfaq.asp>

<http://www.microsoft.com/technet/community/ columns/cableguy/cg0801.mspx>

<http://www.infoworld.com/article/03/10/24/ 42TCsslvpn_1.html>

IPsec — Originally, IPsec was used on corporate enterprise networks as a way to connect remote offices over cheaper Internet connections instead of more expensive dedicated lines. Large dedicated VPN firewalls would be placed in each office and connected together. Fortunately, the costs of implementing these systems has dropped considerably over the years, with many inexpensive home routers including VPN capabilities for only a slightly increased cost.

IPsec uses a two-phase system to establish the VPN. In phase one the identity of each participant is authenticated. Phase two is the actual exchange of encrypted data. Each phase negotiates the various methods to be used for authentication and encryption key exchange. To increase the security of the tunnel the two phases re-negotiate, re-authenticate, and exchange new encryption keys at periodic intervals.

PPTP & L2TP — PPTP is an older and less secure VPN technology developed by Microsoft. PPTP is still quite popular (especially in Europe) because it is built into Windows. L2TP is a combination of Microsoft’s PPTP and Cisco’s L2F (Layer Two Forwarding) technology. L2TP over IPsec encapsulates the L2TP traffic in IPsec packets. The use of IPsec allows the authentication phase of the VPN to be encrypted, something PPTP does not support otherwise. Mac OS X supports both PPTP and L2TP over IPsec, both configured via Apple’s Internet Connect application.

SSH — SSH tunnels are a popular method of encrypting and authenticating communications between computers. An SSH tunnel uses a port forwarding model where ssh on the client side gathers all data packets sent to a particular port and sends them through an encrypted tunnel. The server on the far end (running sshd) decrypts the packets and forwards them to the appropriate destination.

Unfortunately, an SSH tunnel is a computer-to-computer system. If I want to use SSH to multiple computers behind a NAT firewall, I must either open additional ports on the firewall, one for each system, or tunnel to one machine, then connect from that computer to other machines. Both methods can be complex to set up. An additional limitation of SSH tunnels is that they support only TCP connections, and not UDP. As a result, ssh tunneling is insufficient for applications like Apple Remote Desktop.

SSL VPN — SSL VPNs are the current hot items in networking. An SSL VPN uses standard Web protocols for authentication and encryption. This approach enables the VPN to work through restrictive firewalls that block the ports of other VPN protocols. SSL VPN technology offers a range of capabilities. At its simplest, the VPN may be a reverse Web proxy, providing authenticated Internet users access to intranet Web servers behind the remote firewall.

SSL VPNs can also provide Web-based file browsers that enable users to access Windows and NFS file shares on the remote network. No special client is needed for this, as the VPN hardware handles the translation from network shares to Web pages.

More advanced SSL VPN units offer functionality similar to SSH tunnels. The user logs in to a Web application and launches a Java or ActiveX client that configures all port forwarding options. In this configuration, just ports needed for an application are tunneled, so the chance of infection from viruses and Trojans is greatly reduced. This limited access enables many corporations to use an SSL VPN to provide network access to untrusted computers, such as employees’ home computers and vendor systems for supporting internal applications. Additionally, many handhelds with wireless networking and Java support can tunnel in via an SSL VPN too.

High-end SSL VPN products offer a complete TCP/IP stack that encrypts packets across an SSL link, an approach called "IPsec replacement" mode because it provides the security of a full IPsec VPN while still being able to work through restrictive firewalls.

<http://www.nwfusion.com/reviews/2004/ 0112revmain.html>

<http://openvpn.net/>

<http://www.f5.com/>

<http://www.caymas.com/>

SSL VPNs are popular in enterprise networks, but the current high cost of entry keeps them out of the reach of most home and small business users. Because of their flexibility and low cost, I focus on IPsec VPNs for the remainder of this article.

VPN to What? Once you select a VPN protocol, you need to decide the type of connection you want to make: computer-to-computer, computer-to-network, or network-to-network. The computer-to-computer connection enables access only to the individual remote computer. Computer-to-network enables one computer access to all devices on a remote network. And a network-to-network connection enables entire offices of computers to communicate, without the need to configure each machine. Most people are interested in connecting a laptop or small home office machine to a remote network (computer-to-network), so I focus on this scenario.

First, you need to pick a VPN client. Mac OS X includes an IPsec implementation based on Racoon from the KAME Project. As with many Unix applications, you configure the software via a text-based config file. "Simple" configuration examples are available online.

<http://www.kame.net/racoon/>

<http://www.kame.net/newsletter/20001119/>

After examining the available documentation, I decided there must be a better way. Fortunately I was not the only one with this idea. A quick Internet search turned up several graphical configuration tools. VPN Tracker ($90 for a personal license, $200 for a professional license) from Equinux, and IPSecuritas (free) from Lobotomo are two of the most popular.

<http://www.equinux.com/us/products/vpntracker/>

<http://www.lobotomo.com/products/IPSecuritas/>

Additionally, many VPN firewall makers have produced Mac OS X versions of their client software. Check Point and Cisco both offer Mac OS X clients for their VPN products. Be sure to check the supported configurations and versions of the software. Cisco only recently added support for dual-processor Macs and Mac OS X 10.4 Tiger, although there are reports it doesn’t completely work even with 10.4.2. MacInTouch has a lengthy list of reader reports on the Cisco VPN client.

<http://www.checkpoint.com/press/2004/ mac120704.html>

<http://www.cisco.com/en/US/products/sw/secursw/ ps2308/products_user_guide_ book09186a00802e1fa2.html>

<http://www.cisco.com/en/US/products/sw/secursw/ ps2308/products_data_ sheet0900aecd801a9de9.html>

<http://www.macintouch.com/tigerreview/ incompatibility.html>

Next, to connect your Mac to an entire network via VPN, your network needs a VPN router. Mac OS X 10.4 Tiger Server has many nice VPN configuration options built-in. Academic versions of Mac OS X Server are typically available starting at $250; retail is $500 or $1,000. If you have not yet upgraded, going from Jaguar to Tiger Server is about $370 more than going to non-Server Tiger (non-academic).

In theory, a Mac running the client version of Mac OS X should be able to act as a VPN router too, but most of the documentation I’ve found is for Mac OS X Server. Instructions for setting up a FreeBSD box as a VPN router are available, and they may translate over to Mac OS X.

<http://www.lugbe.ch/lostfound/contrib/freebsd_ router/>

I don’t have a spare Mac capable of running Mac OS X lying around, so I began looking for a small dedicated VPN router. Most manufacturers of broadband routers offer VPN versions of their products for $10 to $20 more than the non-VPN versions (see below for links to a number of common devices). When looking for a VPN router, watch out for products labeled "IPsec Pass-Thru" – these are not what you want. IPsec Pass-Thru enables a VPN connection to work through the device, but does not mean the router can act as a VPN endpoint. The specifications for a true VPN router should list the number of VPN tunnels the device supports.

<http://www.dlink.com/products/?sec=0& amp;pid=274>

<http://www.dlink.com/products/?sec=0&pid=59>

<http://www.netgear.com/products/details/ FVM318.php>

<http://www.netgear.com/products/details/ FVS328.php>

<http://www.linksys.com/servlet/Satellite? childpagename=US%2FLayout& amp;packedargs=c%3DL_Product_ C2%26cid%3D1115416832406& amp;pagename=Linksys%2FCommon%2FVisitorWrapper>

<http://www.linksys.com/servlet/Satellite? childpagename=US%2FLayout& amp;packedargs=c%3DL_Product_ C2%26cid%3D1118334818868& amp;pagename=Linksys%2FCommon%2FVisitorWrapper>

Some routers have third-party firmware upgrades available that add VPN server support. The Linksys WRT54G is the most commonly upgraded router, with the Sveasoft firmware upgrade providing a variety of sophisticated features to what Linksys provides.

<http://www.sveasoft.com/>

Quick Tiger Update — When Tiger shipped, it introduced a VPN bug that slowed down certain VPN connections. After I upgraded to Tiger, a ping to my server through a VPN connection took around a thousand milliseconds. Normal ping times with my VPN are about 4 milliseconds.

This problem has been resolved but requires upgrading to at least Mac OS X 10.4.1 plus upgrading your IPsec front-end. IPSecuritas version 2.1 and VPN Tracker 4.0.1 both work properly Mac OS X 10.4.1 and later. At the time of this writing, Check Point had not updated their IPsec clients to work with any version of Mac OS X 10.4. Cisco’s latest release seems to work fine for me. Again, verify the software’s documentation show your particular configuration is supported before installing.

The Double-edged Sword of VPN — After selling you on the concept of using VPN to bypass firewall rules, I’m going to reveal that this is also one of the biggest dangers in using a VPN. Firewall rules exist to increase security; bypassing that security in any way creates very real risks. Many companies are surprised to find themselves infected with Trojan horses and viruses even though they had firewalls in place. It turns out that many laptop users would go home, connect to their unprotected home Internet connections, get infected, then connect via a VPN (bypassing all the firewall rules) and spread the infection all over the internal network. Of course, such problems are less likely for Mac users, but we still cannot become complacent.

Some VPN clients include a client firewall, similar to the firewall built into Mac OS X, to protect against these types of vulnerabilities. Other clients check a list of rules before a VPN connection is allowed. Some examples of rules include ensuring an up-to-date anti-virus product is running, certain security patches are installed, and the computer’s firewall is running.

Even with these protections, you shouldn’t allow any computer to connect to your network if you don’t explicitly trust its maintenance and security. The reverse is true too; you shouldn’t connect your computer to any networks that you don’t implicitly trust; you may be opening yourself to attackers on their network.

[Kevin van Haaren works for a large corporation primarily supporting Windows computers, with the occasional Mac call thrown in to make the week more interesting. This has prepared him well for the job of herding his two cats.]

PayBITS: If Kevin’s article helped you, he asks that you

consider a donation to the EFF, which works to keep encryption

systems legal for everyone. <http://eff.org/support/>

Read more about PayBITS: <http://www.tidbits.com/paybits/>

Take Control of Now Up-to-Date & Contact Released — Late last year, around the time I was finishing up "Take Control of iKey 2," our first manual in the form of a Take Control ebook, Randy Murray of Now Software contacted me to see if we were interested in writing the manual for the next version of Now Up-to-Date & Contact. I’ve used the software for over 10 years and have known John and Sheila Wallace of Now Software for ages (they and Randy were responsible for creating my action figure during the Power On Software incarnation of their company), but I knew I didn’t have the time to write it. My thoughts then turned to Joe Kissell, who has done a bang-up job on five Take Control ebooks. Joe was interested, so we worked out the business details and once Now Software started delivering betas, Joe jumped into the project. Randy had provided us with the previous manual, an overly wordy tome that checked in at nearly 500 pages, but as Joe and I started to go through it, we realized that it would be easier and more effective to work from scratch.

<https://tidbits.com/getbits.acgi?tbart=07899>

<http://www.nowsoftware.com/>

<http://homepage.mac.com/adamengst/ iMovieTheater15.html>

To make a long story short, Joe did a fabulous job at documenting the ins and outs of Now Up-to-Date & Contact. Unlike our ebooks, manuals have to be (or at least should be) comprehensive, and by the time Joe was done, "Take Control of Now Up-to-Date & Contact" had hit 249 pages. That’s nearly 100 pages longer than our longest ebook, but it’s still far more concise and focused than the previous manual. Despite the size, the large number of links and bookmarks make the manual easy to navigate. But don’t take my word for it – you can download "Take Control of Now Up-to-Date & Contact" for free from our Web site.

<http://www.takecontrolbooks.com/nudc.html>

In part because of the expected size of the manual, we decided to do a few things differently than in the past. Most notably, Joe used Microsoft Word 2004’s fields to provide automatic numbering of figure and automatic internal reference links. Word’s fields are fragile and persnickety – I had to update many of the figure reference fields manually, and in several situations, a field simply wouldn’t work, forcing me to revert to a hyperlink. Unsurprisingly, Word’s interface for creating fields and bookmarks is terrible; the entire process wouldn’t have been possible at all without some macros that Matt Neuburg wrote for us. Nevertheless, it was the right decision in the end, in large part because we ended up swapping two major sections around at the last minute, and the fields mostly updated properly. It makes one long for an updated version of FrameMaker, not that FrameMaker didn’t suffer from other deal-breaking problems.

As an aside, I had to drop back to Word X to be able to finish editing and production on "Take Control of Now Up-to-Date & Contact." With 249 pages, 103 screenshots, and numerous inline graphics, the file ballooned to 7.3 MB, and Word 2004 slowed to a crawl in Page Layout mode on my dual 1 GHz Power Mac G4, thanks to the constant repaginating. I don’t know what Word X does differently, but it was downright snappy in comparison. Plus, Word 2004 suffers from a known crashing bug related to generating a table of contents within a table; that one bit me once before I gave up on Word 2004 for the duration of the project.

We’re also trying to make it easier for readers to comment on the manual and see what others have said about it as well, thanks to a service called QuickTopic Document Review. In essence, I uploaded an HTML version of "Take Control of Now Up-to-Date & Contact" (exported from Word and heavily munged via a BBEdit Text Factory that I’ve developed), and QuickTopic Document Review put a "comment dot" after each paragraph. Click a comment dot and you can leave a note about the associated paragraph, and everyone else who comes in can see your comments in one of three views: inline in the document, in a forum-like display, or in a comment review mode that shows an excerpt of the original text before the comment. QuickTopic Document Review is brilliant, and we rely on it heavily for group technical editing. Although we’ve subscribed to QuickTopic Document Review Pro so we can password-protect drafts about NDA products (normally, randomly generated URLs provide only security by obscurity), this document review is open to everyone, so feel free to check it out at the second link below.

<http://www.quicktopic.com/cgi-bin/ docreviewintro.cgi>

<http://www.quicktopic.com/32/D/zTvDUkXyy9p6? inline=1>

Of course, we’ll be doing updates to the manual along with a Windows version (nearly identical other than screenshots) to keep pace with new releases of Now Up-to-Date & Contact from Now Software, so be sure to click the Check for Updates button and sign up for notifications if you want to keep your copy current.

The second URL below each thread description points to the discussion on our Web Crossing server, which will be faster.

Japan’s iTunes Music Store — The opening and initial success of iTMS in Japan had some people in other countries excited about the possibility of purchasing electronic versions of music available only in Japan. Unfortunately, due to licensing issues, you must have a Japanese credit card to buy those songs. (7 messages)

<https://tidbits.com/getbits.acgi?tlkthrd=2670>

<http://emperor.tidbits.com/TidBITS/Talk/522/>

Expanding the View with a Dell LCD Display — Jeff Carlson’s experience with the Dell 2005FPW 20-inch display reveals how many people have taken advantage of Dell’s special offers and brings up other interesting tidbits, such as the fact that the screen appears to be the exact same one used in Apple’s 20-inch Cinema Display. (13 messages)

<https://tidbits.com/getbits.acgi?tlkthrd=2671>

<http://emperor.tidbits.com/TidBITS/Talk/523/>