Most of the news this week revolves around Apple’s portable Macs, as the company releases new Core 2 Duo-powered MacBook Pros and a firmware update for the MacBook that fixes sudden shutdowns. Plus, Glenn Fleishman looks at a new Bluetooth-related security exploit that’s likely to affect only laptop users (if anyone at all). Also with an eye toward helping you improve your security, Joe Kissell contributes a look at the humble but essential login password; this is an excerpt from his just-released ebook, “Take Control of Passwords in Mac OS X.” In other news, Adobe releases a beta audio tool called Soundbooth, we announce a new sponsor, .Mac’s webmail interface receives a major makeover, and we release the second and third editions, respectively, of “Take Control of Buying a Mac” and “Take Control of Buying a Digital Camera.”
No product is ever perfect, even Apple’s wildly successful MacBook line. A number of vocal MacBook owners have been experiencing annoying random shutdowns, and fortunately, according to Apple, a fix is finally at hand. MacBook SMC Firmware Update 1.1 promises to fix the problem by adjusting the MacBook’s internal monitoring system. Apple recommends the 417K download for all owners of MacBooks, even those units that have already gone through a repair process. You need to be running at least Mac OS X 10.4.7. And because this is a firmware update, remember to back up your data beforehand in case something goes wrong.
Apple upgraded its entire MacBook Pro line of professional laptops last week, incorporating Intel’s new Core 2 Duo processor instead of the Core Duo processor introduced early this year (see “Intel-Based iMac and MacBook Pro Ship Earlier than Expected,” 16-Jan-06). The company says its latest 15-inch and 17-inch laptops are up to 39 percent faster than the previous models.
At the same time, Apple has doubled the memory and increased the storage capacity of the basic MacBook Pro configurations. Starting at $2,000, Apple’s stock models offer 1 or 2 GB of RAM, and a 120 GB or 160 GB Serial ATA hard drive. The machines can be custom configured with up to 3 GB of RAM and a 200 GB hard drive. New to the 15-inch MacBook Pro is a FireWire 800 port, previously available only with a third-party FireWire 800 ExpressCard (see “FireWire 800 ExpressCard for MacBook Pro,” 08-May-06). (Late-model PowerBook G4s and the 17-inch MacBook Pro offered FireWire 800.)
The company says Intel’s Core 2 Duo processor, with 4 MB of shared L2 cache, offers increased performance in such professional applications as Aperture 1.5 and Final Cut Pro 5.1, both released earlier this month. (We’re left wondering what Intel calls this chip in non-English-speaking markets, and whether the next revision will be the Intel Core 2 Duo Squared.)
The new 15-inch MacBook Pro is available now, and Apple says the 17-inch model will ship this week. The company also announced a new $60 Apple MagSafe Airline Adaptor, something sorely lacking to date. If you’re a frequent flier and your preferred airline offers EmPower and 20mm power ports, you can operate your MacBook or MacBook Pro in flight (though it won’t charge the battery).
Adobe has been burning the development oil lately. After garnering attention with its Photoshop Lightroom beta, last week it released a public beta of Adobe Soundbooth, an apparent competitor to Apple’s Soundtrack Pro that is “focused on creative professionals without audio expertise, or those who prefer an application focused on making short work of the most common tasks they handle every day. The tools in Soundbooth remove the mystery from editing while preserving superb sound quality.”
Due to licensing issues, the application doesn’t yet support MP3, MPEG-2, H.264, and FLV formats. Interestingly, Soundbooth works only on Intel-based Macs (and on PCs running Windows XP). The beta, a 59 MB download, expires in February 2007, and Adobe says that the final release version will appear sometime in mid-2007.
Halloween, at least in the United States, is upon us, and we’re pleased to welcome, along with the usual bunch of trick-or-treating kids, our latest long-term sponsor, Microsoft’s Macintosh Business Unit, more commonly known as MacBU and pronounced, at least for Halloween, as MacBOO! (Sorry, couldn’t resist.)
Microsoft has sponsored TidBITS at various times over our 16-year history, but I hadn’t known the current folks in the MacBU before the conversations that led to this sponsorship, conversations that started in response to their desire to make the MacBU a more active member of the Macintosh community. I was happy to discover that they were both clued into the Mac world in general and fully aware of how Microsoft as a company is often viewed, which is why they’ve been working on outreach efforts like more user group presentations, starting and maintaining a blog, and supporting publications like TidBITS. I expect they’ll also be gathering feedback in a variety of ways as they work on the next version of the Microsoft Office applications. (Not surprisingly, I’m lobbying for collaboration features that will simplify sharing files while tracking changes across versions and enabling commentary.)
In the end, it’s good to see the MacBU making efforts like this, since one way or another, Microsoft remains one of the most important software vendors for professional Macintosh users, and everyone stands to benefit if they become all the more invested in the world of the Macintosh.
Last week Apple rolled out a major overhaul to the email portion of the .Mac Web site. With the changes, the .Mac webmail interface looks and acts strikingly similar to Apple’s Mail application. In a dramatic departure from its previous design, .Mac webmail now uses Tiger Mail-style buttons and icons, supports drag-and-drop for moving messages, offers tighter Address Book integration, supports keyboard shortcuts, and features a three-pane interface – with mailboxes on the left, a message list at the top, and a preview pane at the bottom.
Among the nice touches are a Quick Reply button, to enable users to reply to a message without opening a separate window; an Action menu with commands for actions such as Delete, Move to Folder, Reply, and Mark as Read/Unread; and expanded preferences (you can turn off the preview pane, for example, control the appearance of mailbox icons, turn off the display of images in HTML messages, and even opt for Unicode [UTF-8] encoding for outgoing messages). Assuming you’ve synchronized your Mac OS X Address Book with .Mac, you can begin typing a contact’s name or email address in a message’s To, Cc, or Bcc field and use an auto-complete feature to fill in the rest (or choose among a list of partial matches). And, if you change a message’s Flagged indicator in the webmail interface, the change shows up in Mail too (and vice versa).
For all the spiffy goodness of the new Ajax interface, though, a few features are less useful than they could be. First, .Mac webmail offers a search field that looks just like Mail’s Spotlight search field. Unfortunately, unlike in Mail, .Mac webmail can search only From, To, Cc, and Subject headers – but not other headers or the content of messages. And searches work only within the selected mailbox.
Also missing from the toolbar is the Junk button, which in Mail can not only move a message to the Junk mailbox but also add a Junk flag and update Mail’s junk mail filter with information about that message. Unlike Mail, .Mac webmail does not have a learning spam filter. You can manually drag a spam message to the Junk folder, but doing so does not set its Junk flag (as that’s something Mail tracks locally, not a message attribute that’s changed on the server) and does not make .Mac webmail more likely to discard similar messages in the future. There’s no way to use .Mac webmail to help train Mail’s spam filter, and no way to affect the way the .Mac mail servers themselves filter out spam.
Finally, the .Mac webmail interface offers no filtering rules, which I find indispensable in Mail (explained in detail in my “Take Control of Apple Mail in Tiger” ebook). You can, as before, set up an automatic reply to all messages (as you might use when on vacation, for instance) or forward your mail to another account. But you can’t tell .Mac webmail to transfer all messages matching certain criteria to a specific mailbox, send message-specific replies, or perform any of the many other useful tasks offered by rules. (I’ll be covering all these changes in more depth in a future update to my “Take Control of .Mac” ebook.)
While the new and improved .Mac webmail is unmistakably prettier and easier to use than before, it remains much less capable than Mail (or indeed virtually any desktop email client), and is still less than ideal for regular use unless the quantity of email you send and receive through .Mac is quite small.
One of the most striking things I noticed when switching from Mac OS 9 to Mac OS X years ago was how frequently the operating system asks me for a password. I’ve gotten used to this by now, but it’s taken me a while to understand what all the different passwords are for, how they work, and how I should select them. Not counting the hundreds of passwords I have for Web sites, I must keep track of login passwords for each of my user accounts, a firmware password, a master password, a root password, and passwords for file sharing, wireless networks, and my keychains. Even a propellerhead like myself can often find that array of passwords confusing.
In this brief excerpt from my new ebook, “Take Control of Passwords in Mac OS X,” I look at just one of these password types: the login password. For many of us, it’s the password we’re asked to supply most frequently, and it’s one cause of significant confusion and grief among Mac users.
User Accounts — Every computer running Mac OS X has at least one user account – a means of identifying the person using the computer at any given time. Using the Accounts preference pane, you can set up additional users on your computer if you wish. Each user gets a separate virtual (and private) space in which to work; this includes access to the user’s own preferences, documents, and Finder settings. The password associated with a user account is called the “login password.” It’s what you use to log in, thus gaining access to your personal space, but it has other uses too (as I explain a bit later).
When you set up a new Mac or install Mac OS X for the first time, you’re asked to enter your real name, a user name (typically shorter than your real name; all lowercase and without spaces), and a password. In so doing, you set up a user account for yourself with administrator privileges – meaning that you have the authority to add and delete other user accounts, make changes anywhere on your disk, and install and run any application. Every Mac has one or more administrator accounts. The login password for such an account is also known as an “administrator password.” Mac OS X asks you for an administrator password when you take certain actions that can have far-reaching consequences – for example, installing or using software that makes changes to the /Applications, /Library, or /System folder.
Choose and Set a Login Password — Your login password not only identifies you but also protects a variety of resources (such as your personal files), so it’s clearly a security password. (I describe “security” passwords, as distinguished from “identity” passwords that serve merely to identify you, in full detail in the ebook.) This implies it should be at least 10 or 11 characters long and should follow the rules for secure passwords – using a combination of numbers and capital and lowercase letters, avoiding words in the dictionary, and so on. However, if you use a different password for your keychain, you can get away with a less secure login password – and you may wish to do this, because you’ll be entering it often and because administrator passwords can be circumvented so easily (see “Reset an Administrator Password,” ahead).
To change your login password, go to the Accounts preference pane, click the lock icon at the lower left to “authenticate” (to identify yourself with a user name and password), and select your name in the list on the left. Click Change Password, fill in the appropriate fields, and click Change Password again.
Use Your Login Password — You enter your login password when you log in to your Mac OS X account (which may happen automatically when you turn on your computer); this gives you access to all your personal files and settings until you log out or turn off your computer.
Entering an administrator password at login doesn’t unlock every protected resource for the entire time you’re logged in, as you might expect. You must, in general, enter it again every time you do something that makes changes outside your home folder (/Users/your-user-name). Note that if you’re currently logged in as a non-administrator and you’re asked to supply an administrator password, you must also enter the administrator’s real name or user name in the Name field.
The default settings for when your login password is required are not very secure. For example, if you walk away from your computer for a few minutes, someone else could sit down and access any of your files. If you live alone in a house in the country, that’s hardly a concern; however, if you do most of your work on your laptop in crowded city cafes, you probably want as much extra security as you can get. So, given the environment in which you use your computer, you should consider whether additional security is advisable.
Each of the following options that you change from the default will result in your being asked to enter your password more frequently, but with a corresponding increase in security:
- Sleep and screen saver: Normally, your login access remains active when your computer’s screen saver activates or when the computer goes to sleep; waking up the computer puts you right back where you were before. However, you can require entry of your login password when the computer wakes from sleep or when the screen saver deactivates, to make your data safer if you’re away from your computer for a while. To require a password in both situations, go to the Security preference pane and check Require Password to Wake This Computer from Sleep or Screen Saver. If you use your computer only in a setting where you need not worry about someone else walking up to it and accessing your accounts, leave this disabled; in other situations, I recommend enabling it.
- Keychain password: By default, your login password is also used as your keychain password, which means your keychain is unlocked automatically when you log in. To prevent this, you can change the keychain’s password. Because the keychain password is particularly valuable, I recommend that all users change it to be different from their login password. To accomplish this, launch the Keychain Access utility, select the keychain, and choose Edit > Change Password for Keychain “keychain-name”.
- Automatic login: By default, Mac OS X logs you in automatically when you turn on or restart your computer. If your computer is in a secure place where no one but you can access it, that’s probably fine; otherwise, it’s wise to disable automatic login (so that the login window appears every time the computer starts up). You can do this in the Accounts preference pane: click the lock and authenticate with an administrator password; then click Login Options and uncheck Automatically Log In As. Or, in the Security preference pane, simply check the Disable Automatic Login checkbox. In general, laptops should always have automatic login disabled; for other computers, the choice depends on whether anyone you don’t completely trust has physical access to your computer.
- Automatic logout: When your computer goes to sleep or the screen saver activates, you’re still logged in, and any applications or documents you had open remain so (even if a password is required when the computer or display wakes up); this can potentially increase your vulnerability to certain kinds of network-based attacks. To take security one step further, you can have Mac OS X log you out automatically after a period of inactivity; all programs running under your user account will quit. To activate this feature, go to the Security preference pane and check the Log Out After __ Minutes of Inactivity checkbox. Enter the desired number of minutes before automatic logout in the field provided. For most users, enabling this setting is unnecessary, but it may be useful for computers kept in highly public places.
- Secure system preferences: Several preference panes contain settings that affect all users’ accounts and potentially have security implications for all users. To make it harder for an unauthorized user to modify these settings, you can require that an administrator password be used to unlock each pane individually. (The default setting is that unlocking one pane unlocks them all.) This setting is useful primarily for computers shared by many people, such as in schools and libraries. To activate this feature, go to the Security preference pane and check Require Password to Unlock Each Secure System Preference. The affected preference panes are Accounts, Date & Time, Energy Saver, Network, Print & Fax, Security, Sharing, and Startup Disk (and some third-party preference panes).
- Login window as list: When the login window appears, it normally displays a list of all the computer’s users, each with an icon; you can click one of them and enter a password to log in. Alternatively, the login window can display two empty fields, one each for user name and password; this makes it harder to break in, because the intruder has to guess not only a valid password but a valid user name as well. To switch the login window from a list to name and password fields, go to the Accounts preference pane, authenticate if necessary, and click Login Options. Then select the Name and Password radio button. Displaying the login window as name and password fields is a good idea for laptops and for situations where more than a handful of people have user accounts.
- Password hints: After a user tries to enter a login password three times in a row without success, Mac OS X displays that user’s password hint (if one was entered). Because these hints can also help an attacker figure out someone’s password, you can disable their display. To do this, go to the Accounts preference pane, authenticate if necessary, and click Login Options. Then uncheck Use Password Hints. For even greater security, I suggest not using password hints at all.
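As an added example (not code from the article or from the ebook), the following shell script audits the settings listed above on a Mac by reading the preference keys Mac OS X kept behind those checkboxes; the domain and key names are assumed from the defaults system of that era, and the secure-system-preference option is left out because it lives in the authorization database rather than in a preference file.

```shell
#!/bin/sh
# Read-only audit of the login-password settings listed above. Added example;
# not code from the article or from the "Take Control" ebook. It assumes the
# preference keys Mac OS X stored behind those checkboxes at the time:
#   /Library/Preferences/com.apple.loginwindow: autoLoginUser, SHOWFULLNAME,
#                                               RetriesUntilHint
#   com.apple.screensaver (per user):           askForPassword
#   /Library/Preferences/.GlobalPreferences:    com.apple.autologout.AutoLogOutDelay
# Run it with no arguments on a Mac to audit the live system, or with
# "--sample" (or on any other OS) to evaluate the constructed snapshot below.

# evaluate_setting KEY VALUE: VALUE is what `defaults read` prints for KEY,
# or "" when the key is absent. Prints one line beginning "ok", "weak" or "info".
evaluate_setting() {
    key=$1
    value=$2
    case $key in
        autoLoginUser)
            # The key exists only while automatic login is turned on.
            if [ -z "$value" ]; then echo "ok   automatic login is disabled"
            else echo "weak automatic login is enabled for '$value'"; fi ;;
        SHOWFULLNAME)
            # 1 = Name and Password fields; 0 (default) = list of users.
            if [ "$value" = "1" ]; then echo "ok   login window asks for name and password"
            else echo "weak login window lists user accounts"; fi ;;
        RetriesUntilHint)
            # 0 = never show a hint; the default shows it after 3 failures.
            if [ "$value" = "0" ]; then echo "ok   password hints are disabled"
            else echo "weak password hint shown after ${value:-3} failed attempts"; fi ;;
        askForPassword)
            # 1 = password required to wake from sleep or screen saver.
            if [ "$value" = "1" ]; then echo "ok   password required on wake"
            else echo "weak no password required on wake"; fi ;;
        com.apple.autologout.AutoLogOutDelay)
            # Seconds of inactivity before automatic logout; absent or 0 = off.
            # Reported as "info" because the excerpt treats this as optional.
            if [ -n "$value" ] && [ "$value" -gt 0 ] 2>/dev/null; then
                echo "ok   automatic logout after $value seconds of inactivity"
            else echo "info automatic logout is off"; fi ;;
        *)
            echo "info unrecognised key '$key' ignored" ;;
    esac
}

# count_weak: reads KEY=VALUE lines on stdin, echoes every finding to stderr
# and prints the number of "weak" findings on stdout.
count_weak() {
    weak=0
    while IFS= read -r line; do
        if [ -n "$line" ]; then
            result=$(evaluate_setting "${line%%=*}" "${line#*=}")
            echo "$result" >&2
            case $result in weak*) weak=$((weak + 1)) ;; esac
        fi
    done
    echo "$weak"
}

# read_default DOMAIN KEY: prints the stored value, or nothing if it is unset
# (defaults exits non-zero and complains on stderr for a missing key).
read_default() {
    defaults read "$1" "$2" 2>/dev/null || true
}

# collect_live: emits KEY=VALUE lines from the running Mac.
collect_live() {
    lw=/Library/Preferences/com.apple.loginwindow
    gp=/Library/Preferences/.GlobalPreferences
    echo "autoLoginUser=$(read_default $lw autoLoginUser)"
    echo "SHOWFULLNAME=$(read_default $lw SHOWFULLNAME)"
    echo "RetriesUntilHint=$(read_default $lw RetriesUntilHint)"
    echo "askForPassword=$(read_default com.apple.screensaver askForPassword)"
    echo "com.apple.autologout.AutoLogOutDelay=$(read_default $gp com.apple.autologout.AutoLogOutDelay)"
}

# Constructed snapshot of a Mac still on the defaults the excerpt warns about.
SAMPLE_SNAPSHOT='autoLoginUser=jane
SHOWFULLNAME=0
RetriesUntilHint=3
askForPassword=0
com.apple.autologout.AutoLogOutDelay='

main() {
    if [ "${1:-}" = "--sample" ] || ! command -v defaults >/dev/null 2>&1; then
        n=$(printf '%s\n' "$SAMPLE_SNAPSHOT" | count_weak)
    else
        n=$(collect_live | count_weak)
    fi
    echo "$n weak login-password setting(s) found"
}

main "$@"
```

Each "weak" line maps to one of the checkboxes described above, so the script doubles as a checklist after you have changed the settings.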
Reset an Administrator Password — I have some good news and some bad news. The good news is that if you forget your administrator password, you can reset it without much difficulty; the bad news is that this very fact makes administrator passwords relatively insecure, because anyone else can do the same thing. However, you can minimize this risk by setting a firmware password and physically locking your computer with a security cable (both are described in more detail in the ebook).
If you know the password of the administrator that was configured when Mac OS X was first installed (the “original” administrator, which Mac OS X sometimes treats in subtly different ways from other administrators), you can change any other administrator password by following these steps (which work similarly for changing other login passwords, though it’s generally best left to other users to change their own passwords):
- Log in as the original administrator.
- Open the Accounts preference pane. If the lock icon is closed, click it and enter your administrator password to authenticate.
- Select an administrator and click Reset Password.
- Enter (and repeat) a password, and optionally enter a hint.
- Click Reset Password.
If you don’t know any administrator password, the following steps reset one by starting up from the Mac OS X installation disc (this is the route a firmware password blocks):
- Put your Mac OS X Install CD or DVD in your optical drive and restart with the C key held down (to boot from the optical disc).
- Click through the language selection screen. Then choose Utilities > Reset Password.
- Select your usual startup disk. Then, from the pop-up menu below the volume list, choose the user whose password you want to reset. (Do not choose “System Administrator (root),” which represents an entirely different account!)
- Enter (and repeat) a new password, and optionally enter a hint. Click Save, and then click OK.
- Choose Reset Password > Quit, and then Installer > Quit Installer. Click the Reset button to restart from the hard disk.
Login’s Run — It’s important to understand how the login password works, because it’s typically the first line of defense against unwanted access to your private data, misuse of your computer, and installation of malware. But the login password is only one of numerous passwords that affect your daily Mac usage. I cover the rest, along with full discussion of how keychains work, the Keychain Access utility, third-party password utilities, and ways to generate secure passwords in “Take Control of Passwords in Mac OS X,” a 96-page ebook available now for $10.
Security software developer Intego last week issued a press release about a significant proof-of-concept Bluetooth exploit that has been dubbed “Inqtana.d Bluetooth.” This exploit works via a flaw in the Bluetooth short-range wireless networking standard, and could affect only Macs running unpatched versions of Mac OS X 10.3 Panther and Mac OS X 10.4 Tiger (which is why we recommend installing Apple’s security updates!). However, unlike earlier known variants of this exploit, the “D” version requires no user interaction to create an account with root privileges, which can then be accessed via Ethernet or Wi-Fi to carry out any tasks that are allowed by an administrative user – that is, any action whatsoever. The exploit was demonstrated at hack.lu last week, and the code was released afterward.
If you are running Mac OS X 10.3 Panther, make sure Security Update 2005-005 is installed; it was released in May 2005. Mac OS X 10.4 Tiger users need at least 10.4.7 installed, which was released in June 2006. If affected by the exploit, Mac OS X 10.3 users would be compromised only after a restart; Mac OS X 10.4 users would be compromised immediately.
Intego has a history of trumpeting their curatives for concept viruses and exploits that are either relatively trivial or never seen in the wild. And, according to “KF,” the otherwise unidentified operator of the Digital Munition site that released the exploit code, this “D” variant involves just a minor change – with major effect – to code that was disclosed on 02-Feb-06 by KF to Intego. Intego’s press release says you should have their latest virus definitions to protect against this variant but doesn’t say that earlier virus signatures would be ineffective. I haven’t seen any alerts about this variant from Apple, CERT, or other software developers, which may reflect the assessment of the number of potentially exploitable computers.
However, this is among the most severe attacks ever developed against Mac OS X, and as such, I can’t fault Intego for alerting people to its existence at the same time as they promote their anti-virus software. But while it’s serious, that doesn’t mean it’s actually going to be a problem for anyone. The Wi-Fi patches that Apple released last month (see “AirPort Updates Stop Wi-Fi Exploit,” 25-Sep-06) resolved a problem with equally bad consequences, but Apple stated there was no known exploit code available, and no specific vector, only a general approach for attack.
With Inqtana.d Bluetooth, no user interaction is required, and thus a machine could be quickly and quietly taken over at its fundamental level. Firewall software might prevent remote access to the root account that’s created, but that’s not a guarantee, especially if the attacker were on your local network.
The good news is that virtually all Panther users and most Tiger users that would be at risk could reasonably be expected to have updated their computers with patches that already protect against this exploit. And the vector for exploitation is rather tricky. The code is out there, but I see little likelihood that it will be developed into a simple-to-use package like KisMAC, which is a Wi-Fi vulnerability assessor (or a pre-built cracking engine, depending on your world view).
In order for your machine to be compromised, an attacker must install code to perform the compromise and find locations with Mac users, and those Mac users must have Bluetooth turned on and be out of date on patches by months… or by more than a year! Bluetooth’s short range means that it would be difficult to hack a fixed computer located more than an apartment wall away, and thus mobile Macs would be at the greatest risk.
I imagine most Mac laptop owners are in the universe of people who frequently install patches, too, because they probably expect they’re at greater risk. The odds of actually being hacked in this manner are thus vanishingly small. Even further, once compromised, the attacker needs to be able to access your computer, and, if you’re a mobile user, you would likely have walked away by that point, never to be seen again.
This is just another sign that increasing scrutiny is being paid to Mac OS X by security researchers; it’s not yet proof, however, that virus and worm writers give a darn.
Move to a New Mac with Adam’s Latest Ebook — Last week, we released the second edition of my “Take Control of Buying a Mac,” which now features complete details about the Intel-based Macs that have taken over Apple’s product line. The ebook continues to provide detailed advice for how to determine which Mac you need and how to buy it without wasting money, but now it also includes a significant new section that explains the best ways to move user data – documents, applications, and settings – from an old Mac to a new one. That task has become easier of late, thanks to Mac OS X’s Setup Assistant, but I include an explanation of exactly how it works, along with advice for what to do if the old Mac lacks a FireWire port.
Up-to-Date Help for Holiday Camera Purchases Now Available — The third edition of “Take Control of Buying a Digital Camera” is also out, updated especially for anyone looking to buy a digital camera for the holiday season. Written by professional photographer and instructor Larry Chen, the ebook helps you sort out the latest camera trends and marketing jargon in order to find a camera that matches your budget, needs, and style, whether you want an inexpensive snapshot camera or a professional digital SLR camera system. Goodies in the ebook include a printable, customizable shopping checklist, specific model suggestions for different types of cameras, 25 color photos illustrating important concepts, and tips for taking better photos.
Owners of previous editions of the ebook should click the Check for Updates button on the cover of the ebook for more information or check their email for how to upgrade.
Create and Manage Passwords without Taxing Your Memory — If you’re feeling confused or distressed by the many times your Mac asks you to enter or create a password, help is at hand with our latest ebook: “Take Control of Passwords in Mac OS X.” Written by Mac expert Joe Kissell, the 96-page ebook helps you assess your risk factors and prepare a plan for generating different types of passwords, using a special system that enables you to create strong passwords that are easy to remember but virtually impossible to crack.
Once that’s done, Joe sets about helping you create and use the many different passwords on your Mac, including the login password, the master password, the firmware password, and the root password, plus your email, keychain, and AirPort passwords. But even more boggling are all the passwords that many Web sites require to protect your personal data, ranging from the trivial (your New York Times Web site account) to the truly important (the PayPal account that’s directly linked to your credit card and bank account). Joe explains how to deal with each, and how to use Apple’s Keychain Access password manager to ease the tasks of wrangling all these different passwords. For those who want to go beyond Keychain Access for additional features or cross-platform capabilities, the ebook suggests several other password management utilities and provides money-saving coupons for two of Joe’s favorites: 1Passwd ($5-off) and Web Confidential ($10-off). “Take Control of Passwords in Mac OS X” costs $10, and is available in a discounted bundle with “Take Control of Your Wi-Fi Security” for $17.50.
HTML email digression — Does HTML belong in email? Should text-only messages be the norm? Like it or not, HTML-formatted email is here to stay, and readers discuss the implications. (30 messages)
MacBook Pro on DC power? A reader is looking for a MagSafe-compatible power adapter that can be run on an airplane or in a car without bulky inverters. (14 messages)
Email client wish list — Following news that Eudora was going open-source and being built upon Mozilla Thunderbird, readers started throwing out ideas for features that would make for an ideal email client. (7 messages)
Dual Intel Laptops & Naturally Speaking — Dragon’s Naturally Speaking software may be the best solution for voice dictation software, but it still runs only on Windows. But how does it perform on an Intel-based Mac running Parallels or Boot Camp? (4 messages)
Bluetooth root exploit & “out-of-date” Macs — The recent Bluetooth security vulnerability only affects unpatched Macs, but not everyone updates their computers religiously. Readers discuss ways of flagging software updates that are more important than others. (3 messages)
Green My Apple — The environmental group Greenpeace has garnered much attention lately by targeting Apple for its campaigns. Are they going after a large obvious target for the publicity? And how did their behavior at Mac Expo in London get them kicked out of the event? (5 messages)
Why not Mailsmith? The Bare Bones email client gets specific attention in the aftermath of the news about Eudora becoming open source. (5 messages)
Telephone Messaging Software — Remember those quaint days when you’d answer the phone and “take a message” for someone who wasn’t around? Now, a few software products let your Mac do all that for you. (3 messages)