Apple has released Security Update 2007-002, the second security update of the year that addresses bugs identified by the Month of Apple Bugs (MoAB) project. None of the bugs offered any chance for user action other than standard Internet precautions, so it’s good to see Apple solving these problems in the Finder, iChat, and the UserNotificationCenter process. It’s a bit more important than it normally is to install this security update because of the MoAB’s publication of the exploits before informing Apple. As always, the update is available via Software Update most easily, though stand-alone downloads are available for PowerPC- (3.8 MB download) and Intel-based Macs (6.6 MB download) running Mac OS X 10.4.8 (Client or Server) and for anyone running Mac OS X 10.3.9 (1.4 MB download). (For more thoughts on this situation, see Glenn Fleishman’s “MoAB Is My Washpot” later in this issue.)

Anyone who has helped a complete novice learn how to use a Mac, especially during a stint in a help desk environment, simply must watch this hilarious video, which demonstrates well that all interfaces must be learned. The audio is reportedly in Norwegian, with English and Danish subtitles.

Apple last week released a set of updates which reflect the changes in Daylight Saving Time that go into effect this year in the United States and elsewhere (for additional information, see my article “Daylight Saving Time May Bite the Out-of-Date,” 2007-01-29). The very welcome update for Mac OS X 10.3.9, Daylight Saving Time Update (Panther), updates the time zone and ICU data files, such that the system now correctly handles the new Daylight Saving time rules for 2007. The update for Mac OS X 10.4.8, Daylight Saving Time Update (Tiger), likewise contains a complete set of time zone and ICU files; it adds several new cities and various world-wide changes to the time zone information included with the previous Mac OS X 10.4.5 and 10.4.6 updates.

I’m pleased to see Apple do right by their customers who are running Panther. There was some discussion online of the “Y2K7” problem in late January, with Ian Ward Comfort’s patch appearing on 28-Jan-07 at AFP548.com; a variety of other patches and methods have appeared in blogs and mailing lists. (I hope the authors of those patches will vet their solutions against Apple’s updates, and indicate whether folks who have installed the former have any cause to worry from the latter.)

People still running Mac OS X 10.2 Jaguar are out of luck in terms of an official Apple patch. However, a modified patch for those users is also available at the AFP548 Web site.

At the same time, Apple released Java for Mac OS X 10.4, Release 5, which updates J2SE 5.0 to version 1.5.0_07, and Java 1.4 to version 1.4.2_12. The update primarily fixes handling of Daylight Saving Time in Java, but also delivers improved reliability and compatibility. For Panther users, Java for Mac OS X 10.3 Update 5 brings Java 1.4.2 to version 1.4.2_12, includes Java Advanced Imaging and Java 3D support, and also fixes a problem where some Java applications wouldn’t open after installing QuickTime 7.0.4 or later.

It’s impossible to draw a causal relationship between my original article and the appearance of these updates, now two weeks later, but I’d like to think I played a small role in their appearance.

Microsoft last week released the Office 2004 for Mac 11.3.4 Update. In addition to providing improved spam detection in Entourage, this update “fixes vulnerabilities in Office 2004 that an attacker can use to overwrite the contents of your computer’s memory with malicious code.”

This update requires that you have already installed the Microsoft Office 2004 for Mac 11.3.3 Update, released last month. This latest update is a 12.3 MB download, available either as a stand-alone updater or by using the Help > Check for Updates command in any Office application.

Apple has released Final Cut Pro 5.1.3, a maintenance release that adds some missing commands to the default keyboard layout, makes render files work properly on PowerPC-based and Intel-based Macs, and fixes an issue where cross dissolves in nested sequences would not appear correctly. The update is a 42 MB download, requires Final Cut Pro 5.1 or later under Mac OS X 10.4.8, and is also available via Software Update.

Congratulations to Ron Gillmore of victoria.tc.ca, Lorne Chapman of shaw.ca, and Ben Maiden of hawaii.rr.com, whose entries were chosen randomly in last week’s DealBITS drawing and who received a copy of Rogue Amoeba’s Fission, worth $32. But don’t fret if you didn’t win, since Rogue Amoeba is offering TidBITS readers a $5-off discount on Fission, dropping the price to $27. To take advantage of this offer, which is good through 28-Feb-07, use coupon code FISSIONDEALBITS when ordering. Thanks again for entering this DealBITS drawing, and we hope you’ll continue to participate in the future. Thanks to the 1,333 people who entered, and keep an eye out for future DealBITS drawings!

I introduced last week’s DealBITS drawing for Rogue Amoeba’s Fission audio editing program by talking about how good it was to see simple, focused programs returning to a field after the major applications had become more complex than was desired by many early users. The same is true of A Sharp’s Opal, the successor to the popular Acta outliner of yesteryear. While many outliners now feature multiple columns, style sheets, notes, and a wide variety of other fancy features, Opal remains focused on just one thing: outlining. It’s small, friendly, and for many people, I suspect, all that an outliner should be (for more details, see Matt Neuburg’s “Acta Reborn as Opal,” 2006-10-23).

In this week’s DealBITS drawing, you can enter to win one of three copies of Opal, each worth $32. Entrants who aren’t among our lucky winners will receive a discount on Opal, so be sure to enter at the DealBITS page linked below. All information gathered is covered by our comprehensive privacy policy. Be careful with your spam filters and challenge-response systems, since you must be able to receive email from my address to learn if you’ve won. Remember too, that if someone you refer to this drawing wins, you’ll receive the same prize as a reward for spreading the word.

In TidBITS, when we link to pages elsewhere on the Web, we hope they’ll remain accessible indefinitely, much as we’ve taken pains to do with all of our articles from the very beginning. Alas, not all links will survive forever, but I’ve learned a trick for ensuring that links to articles in the New York Times do remain accessible for free, even after the articles themselves have moved into the NYT Archive. At that point, reading an article normally costs $5, or you can subscribe to the TimesSelect service for $8 per month or $50 per year and have access to 100 articles per month. (TimesSelect also provides access to Op-Ed pieces and certain columnists whose articles are never available for free online.)

However, because the New York Times considers itself as the newspaper of record, it worked out a deal in 2003 with Dave Winer of UserLand Software to provide permanent free links in RSS feeds generated through the Radio UserLand RSS aggregator. But the New York Times is apparently running its own RSS feeds now, so there’s no obvious way to find a permanent link to an article you’re reading on the New York Times Web site. There is a Permalink feature, but after an article has migrated into the NYT Archive, its permalink points to a TimesSelect abstract from which you can purchase the full text, rather than to the full text of the article.

So although neither the problem nor the solution is new, they’re new to me (and apparently to plenty of other people, to judge from the number of no-longer-free links to New York Times articles that I see on the Web). The trick – to which I was alerted by occasional TidBITS contributor Derek Miller – is to use the New York Times Link Generator, written by Aaron Swartz of the social bookmarking site Reddit. Just feed it a link to a New York Times article and it returns a version of the link that will remain free for the foreseeable future, though of course the Times could always change their policy. There’s also a bookmarklet you can use to generate a permanent link from the current page when you’re on the New York Times Web site.

Google has at last opened up its well-regarded Gmail email service to all comers, eliminating the need to receive an invitation from an existing user before signing up. It’s been two years since the service launched, and it’s still branded beta. The primarily Web-based Gmail remains free to use and currently offers over 2.5 GB of storage for each user, an amount that grows every day as Google brings more storage online.

Gmail provides POP3 access for people who prefer using traditional email clients over the Gmail Web interface, but still lacks IMAP, a popular alternative to POP3. The service has good spam filtering that accepts reports from its users, attachment viewing within the Web interface, and support for mobile phone email – you can read and reply to messages. Google Talk, the company’s instant messaging and voice chat program, can be used within the Web interface, too.

Gmail can also forward incoming mail to another email address, send messages and replies using another return address, and fetch mail from up to five other non-Gmail accounts via POP.

What sets Gmail apart from other email services and clients is how rapid-response searches sit at the core of message archiving and organizing. Instead of filing messages in a folder, you apply one or more labels to incoming messages that exist in a general archive. The labels are the search equivalent of folders, and show up in a list in the left navigation bar. It’s very much like the Smart Mailboxes feature in Apple Mail, only faster. You can also search quickly through your entire message archive; Gmail provides a list of matches with search terms highlighted, and messages threaded across an entire set of conversations so you can easily follow what was said and by whom.

Gmail funds itself through what text ads that are theoretically relevant to the content of the message you’re reading – a behavior that can be a little disconcerting. The ads are never inserted into the body text of either incoming or outgoing mail, however, unlike free mail from other firms.

Since I run my own mail server, I have only dabbled with Gmail. But reports from friends and colleagues who rely entirely on the service are highly positive, with them experiencing minimal downtime and speedy access. The main reason I haven’t looked more seriously at Gmail is that I already have 2.3 GB of stored email, and I don’t want to lose access to that archive. Gmail does enable import of contacts to provide access to laboriously created address books.

(The only way to import mail into Gmail that I can see is to redirect to the Gmail account, which isn’t practical with hundreds of thousands of messages. Although utilities like Mark Lyon’s free Google GMail Loader and Cheah Chu Yeow’s free gExodus exist to automate the process, date stamps are lost in the transfer, rendering them useless for an email archive that spans 15 years.)

Because Gmail is an extremely interactive Web application, it works only in a subset of common Web browsers, including (all version numbers are the earliest supported version) Safari 1.2.1, Firefox 0.8, Mozilla 1.4, and Netscape 7.1. Web-based chat requires Firefox 1.0 or later. Gmail does offer a basic HTML view for other browsers, but, honestly, there’s not much point in using Gmail if you can’t take advantage of the full interactive interface.

If you’ve been looking for another email service, it’s worth giving Gmail a try. You can even set up multiple addresses using your own domain using the Google Apps for Your Domain service. In particular, if you’ve been having trouble receiving TidBITS due to overactive spam filtering or other delivery problems, Gmail could be a good alternative. (Our new bounce processing code sends you warnings when your account has bounced too many messages, and you can manage your subscriptions and addresses with our new Manage Mailing List Subscriptions interface.)

Two hackers wanted to show the world that Apple’s much-vaunted operating system wasn’t as secure as it was cracked up to be. The Month of Apple Bugs (MoAB) ran from 01-Jan-07 to 31-Jan-07, with the final day promising a future serious bug. Instead, they may have turned the Mac smugness dial up a notch.

MoAB backers “lmh” (who does not reveal his or her real name) and Kevin Finisterre appeared to want to tweak Mac users, who often revel in the so-far absence of attacks on Mac OS X that are plausible, persistent (not quickly patched), and spreadable. In particular, the pair appear to take issue with the zealots and “fanboys” who, when presented with credible information that shows Apple or Mac OS X in a bad light, reject it out of hand. But lmh and Finisterre also seemed to have a chip on their shoulders before, during, and after MoAB.

The coincidence of the abbreviation MoAB and the biblical figure of the same name led me to Jeremiah 48:29-30: “We have heard of the pride of Moab, pride beyond bounds: His loftiness, his pride, his scorn, his insolence of heart. I know, says the Lord, his arrogance; liar in boast, liar in deed.” (More famously, the poetry of Psalms disses the people of Moab by stating, “Moab is my washpot,” Psalm 108:9, indicating a thing of low esteem, fit only for holding water that has cleaned one’s feet – it’s also the title of Stephen Fry’s excellent autobiography.)

Now that seems a little harsh. The original Moab was a problem, no doubt, but this MoAB wanted to shake the Apple tree a bit, perhaps with too high an aim. I suspect the developers had a set of exploits up their sleeves, but hoped that other folks would come forward with goodies they’d been saving up, and no such luck emerged.

The zealots and fanboys that lmh and Finisterre railed against aren’t strawmen. They exist. In fact, we at TidBITS occasionally get email from them, too. But it’s clear that the vast majority of Mac users have better things to do than violently defend the platform and company against legitimate criticism. If anything, the average Mac user may have perhaps too great a belief that Mac OS X is completely secure, especially in contrast with Windows XP.

However, it seems that MoAB may have unintentionally given more ammunition to the extremists in the Mac faith, while making the larger community even more blase. None of the bugs released had any real potential of a vector – spreading from computer to computer as a worm through an Internet- or LAN-exploitable flaw – and as far as I have seen, no in-the-wild exploit was released for any of the bugs, despite the fact that MoAB refused to notify Apple or third-party developers before releasing the bug details to the public.

As of last week, Apple and the other developers who had exploits posted against their products had updated all but one matter. Timothy Luoma posted a rundown of his disappointment with the outcome of MoAB. The Macalope weighs in with his own, slightly surprised discomfiture at not seeing more serious attacks released. (The remaining Apple flaw relates to Software Update, which could be exploited by a local user or a malicious Web site visited via Safari with default download options checked.)

In fact, MoAB revealed one of the best aspects of the larger Mac developer community: generosity. Landon Fuller took it on himself to release patches to the vulnerabilities revealed at MoAB and ultimately received help from many others. While he couldn’t fix every problem completely, nor do so on the same day the exploit was released, he and his colleagues had a remarkable track record.

MoAB received the most criticism about its disclosure policy – the authors said that typically no notice was given to Apple or affected companies before they posted the details of their exploit. They wrote, “‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track [sic] of incidents and unpleasant situations surrounding their policy on product vulnerability handling.”

(Oddly, they offered to give only Fuller a heads-up each day in advance of the public; he declined, in a transcript the MoAB backers posted, to avoid the “appearance of collusion,” since he enjoyed demonstrating that exploits could be fixed without any insider or advance knowledge about them.)

Apple has, at times, been criticized for its lackluster response to serious exploit reports, or its long delays in responding to known problems. But I haven’t heard that criticism lately, with one exception. The MoAB project is clearly referring to how Apple allegedly treated David Maynor and Jon Ellch, two researchers who seem to have gotten stuck in a trap partly of their own devising. (We covered this in a series of articles we dubbed “To the Maynor Born: Cache and Crash” from August 2006 to January 2007.)

The short story is that Maynor and Ellch appeared to have said that they had a successful root exploit for Mac OS X, relying on a flaw in Wi-Fi handling that required a proximate user to launch the attack. Maynor and Ellch were apparently never allowed to release their proof directly, and Apple patched flaws similar to those described, but which Apple claimed were not based on any specific information provided by the two. In the security note accompanying the Wi-Fi fixes, Maynor and Ellch weren’t acknowledged.

It’s unclear whether the facts will ever be untangled in that case, and it appears that few people outside of Maynor, his employer, Apple, and Ellch have all the facts to make a judgment. Thus it’s always frustrating to me to see unrelated parties make the assumption that Apple “deploy[ed] harmful tactics” when what happened is rather ambiguous.

In contrast to the Maynor/Ellch situation, even with no disclosure, Apple apparently decided lmh and Finisterre played by the rules, and MoAB and the two were credited in the several bugs that Apple has patched (see related story, “Security Update 2007-002 Squashes MoAB Bugs“).

What did the “pride of MoAB” lead to? Not much. I, for one, am fully aware that the possibility of a true, widespread, system remote exploit of Mac OS X remains. And almost all MoAB’s exploits required either (or both) an attacker with local access or a computer owner who engaged in unusual behavior, such as downloading and opening an unknown file.

It’s a testament to the Mac community as a whole that MoAB’s irresponsible disclosure, coupled with childish taunts and tactics, was met with quick, civil responses by Apple and the other Macintosh developers. Generosity and cooperation will provide far more overall security than a bunch of ill-mannered hackers.

The pool of Macintosh software has become incredibly deep over the years, containing a vast number of applications for nearly every imaginable purpose. I was pondering that fact the other day when I started wondering just which of Apple’s many technologies were the most important to the developers who create the programs we use on a regular basis. Rather than mull over this question in a theoretical fashion, I decided to ask a select set of developers: Which Apple technologies had proven the most important for your business, and why? (Some of these developers are current or past TidBITS sponsors; I chose them not because of that fact, but because I knew them well enough to ask them to respond on short notice.)

I wasn’t looking for what someone might think was particularly cool. Instead, with this one question I hoped to find the technologies that have actually enabled the creation of new tools, new ways of working, or even new ways of thinking about what’s possible. You may not recognize the names of all of these people, but I’m certain you’ll recognize their products.

Paul Kafasis — CEO/Lackey, Rogue Amoeba Software (Products: Audio Hijack Pro, Fission, Airfoil, Nicecast)

Although it’s perhaps too obvious, Cocoa has had a big impact on our work, and the Mac world in general. All of Rogue Amoeba’s products are built with it, and it has worked quite well for us. Cocoa has made it an order of magnitude (or more) easier to create software for Mac OS X, which has led to rapid development of new products and updates. That’s very important for a small company with limited resources.

But more interestingly, I’d like to nominate the iPod. We don’t make any software that works specifically with the iPod, nor iPod hardware, so how can it be so important to us? The trick is that the iPod has brought music to the masses and turned everyone into an audio user. The more people use audio, the more relevant our products become to them. If a user has an iPod and he wants new content, he can use Audio Hijack Pro to record just about anything. Fission will let him edit that audio before it goes on his iPod. And if he’s playing audio around his house, Airfoil will be useful for enabling playback through the AirPort Express. As audio use becomes a bigger part of users’ lives due to the iPod, our products gain potential users.

Julian Miller — President, Script Software (Products: ChatFX, CopyPaste, iKey, iClock, iWatermark, KnowledgeMiner)

Cocoa is essential, but the most entertaining and useful technology from Apple for us at the moment is Quartz Composer, which is included for free with Apple’s Developer Tools. It is a visual programming language for video, and deserves to be better known. Quartz Composer is embedded deep within Mac OS X, and it relies on OpenGL, Core Image, Core Video, and other core Apple technologies. With it anyone can create various Quartz Compositions that can perform magic on various types of video input. We use it in ChatFX, our video special effects software for iChat (and soon for Skype, Yahoo Messenger, MSN Messenger, iMovie, etc.), to add bluescreen, Photo Booth-type effects, 3D, and more to video conferencing. It is powerful, useful, and whole lot of fun even if you’re not a developer. In fact our next fun application (unannounced) will also use Quartz Composer extensively.

Jayson Adams — VP of Technology, Circus Ponies Software (Product: Circus Ponies NoteBook)

For us, the most important technology is definitely Apple’s Cocoa Frameworks. The Cocoa Frameworks are collections of objects – everything from numbers and lists to buttons and windows – that application writers can use to build their Macintosh software products. These objects are so well written and well designed that one person can write an application that would take 10 programmers to cobble together on another platform. This leverage also means that in the end, developers have more time to focus on the code that makes their applications unique.

Jim Matthews — President, Fetch Softworks (Product: Fetch)

Fetch wouldn’t be the same program without any of at least a dozen Apple technologies, from AppleScript to Open GL (for the animated progress donut). But if I had to pick one essential technology it would be the Core OS networking services, from the AirPort and Ethernet drivers up through the TCP/IP stack and CFNetwork. All of our user interface work is aimed at making it easier to move data from one computer to another, and that effort is wasted without a robust networking infrastructure to put the bits on the wire (or radio waves). Apple was the first personal computer maker to build networking into their systems, and the first to have a standardized TCP/IP programming interface for accessing the Internet. In Mac OS X the networking infrastructure is more efficient, reliable, and flexible than ever before, and that’s critical for applications like Fetch.

Greg Scown — Founder, SmileOnMyMac (Products: PDFpen/Pro, PageSender, DiscLabel, TextExpander, BrowseBack)

Apple’s adoption of PDF as the standard imaging model for Mac OS X has been the most important technology for our business. Enabling users to create a PDF of anything they can print makes it possible to share documents across platforms with great ease. It also creates a market for PDF manipulation and markup tools, such as PDFpen. Recently, we were even able to stretch the limits of the PDF’s nature as a read-only format to offer our new Correct Text feature, which lets users actually replace existing text within a PDF.

Rich Siegel — Founder and CEO, Bare Bones Software (Products: BBEdit, Yojimbo, Mailsmith, TextWrangler)

Our products are more illustrative of your “deep and vast” premise, rather than a demonstration of using a single “most important” technology. We select from the system API sets (Carbon, Cocoa, or POSIX) that allow us to address our customers’ needs most effectively (based on our assessment of a performance/scalability need or specific user-experience goal).

Cocoa’s Core Data subsystem provides the crucial data storage reliability for Yojimbo, our information organizer. Yojimbo also uses various Cocoa UI services to create its effortless user experience, and Sync Services to implement synchronization of data across multiple computers (through the use of .Mac or Mark/Space’s new SyncTogether).

BBEdit and TextWrangler rely on ATSUI (Apple Type Services for Unicode Imaging) to put the text on the screen – where the rubber meets the road, so to speak. Both products’ performance and scalability didn’t originate with Apple-provided technology, but we used Core Foundation and the Multiprocessing API (basically, a wrapper on the POSIX threads API) to improve the user experience.

Our pro products are known for setting the standard in automation support, and to achieve this they rely on the AppleScript and Apple Event APIs, and Automator and the POSIX programming interfaces for running AppleScript scripts, Unix scripts, filters, and powering BBEdit’s Shell Worksheets. Finally, many of BBEdit’s features sit atop Cocoa APIs for doing the heavy lifting: spell checking, the Font panel, and live HTML previews.

So, as you can tell, our technology choices cut across a wide swath of technology disciplines – sometimes even within a single product – to address an equally wide range of customer needs.

Month of Apple Sales #3: Tame the Tiger — Working with big cats requires skill and knowledge, and Mac OS X Tiger is no exception. Hone your technical chops with this carefully chosen collection of our most in-depth ebooks about tricky Mac OS X issues. You’ll find detailed background information and help with sending and receiving email in Apple Mail, fighting spam, working with fonts, understanding and managing permissions, and sharing files over networks. Buy these 6 ebooks (over 800 pages!) today for only $26, and you’ll save 60 percent off the list price of $65!

• Take Control of Fonts in Mac OS X
• Take Control of Font Problems in Mac OS X
• Take Control of Sharing Files in Mac OS X
• Take Control of Permissions in Mac OS X
• Take Control of Apple Mail in Tiger
• Take Control of Spam with Apple Mail

To take advantage of this discount, just purchase from the Month of Apple Sales #3: Tame the Tiger page.

And yes, if you want the bundle but already own one of these books, feel free to give your extra copy to a friend. One more sale coming up next week! (And don’t worry – there’s no overlap.)

Database Syncing — Our Macworld Expo superlatives article mentioned SyncDeK for synchronizing databases, but a reader points out that fmSQL Synch has done similar work for years. (1 message)

HD movies and the Mac — Now that HD video capture is starting to trickle down to consumer-priced levels, what’s available for the Mac? Are we stuck with MiniDV tapes still, or is there hope with the new hard-disk-based cameras? (4 messages)

The Grouch — Remember when your Mac’s Trash had the capability to sing to you? You can do it under Mac OS X, using a few different methods. The original author even weighs in! (8 messages)

Daylight Saving Time May Bite the Out-of-Date — Could the problem of time synchronization with the adjusted Daylight Saving Time have been averted by more diligent Macintosh software engineering? (1 message)

Article on carpal tunnel — An article about carpal tunnel syndrome leads to discussion of similar repetitive strain injuries (5 messages)