
TidBITS#953/10-Nov-08

Perhaps we’re secretly paranoid, but security is on our minds again this week. Glenn Fleishman reports on a weakness in WPA that opens a vulnerability in wireless connections, and he analyzes its actual threat level. Joe Kissell is more proactive with his review of PGP Whole Disk Encryption, which finally brings the capability to encrypt an entire startup disk – but with some important caveats. Fortunately, Kevin van Haaren isn’t paranoid at all (as far as we know), and is more than willing to share his experiences replacing his old Palm Zire with an iPod touch as a personal digital assistant. And in this week’s TidBITS Watchlist, we note the releases of Nisus Writer Pro 1.2, Sandvox 1.5.2, Envision 1.2, Apple’s Digital Camera Raw Compatibility Update 2.3, HistoryHound 1.9.6, and PopChar X 4.1. Finally, as Thanksgiving approaches, we’re giving away copies of “Take Control of Thanksgiving Dinner” with any other ebook purchase.

Glenn Fleishman

A Crack in Wi-Fi Security and How To Fix It

News broke last week that German graduate students had uncovered and documented a verifiable flaw in Wi-Fi Protected Access (WPA), the method of encrypting a Wi-Fi connection between a computer or other device and a base station. WPA was designed to replace WEP (Wired Equivalent Privacy), a protocol that can be defeated easily using cracks that appeared starting in 2001.

WPA comes in two flavors: the earlier version is called just WPA. It was standardized in 2003 by the Wi-Fi Alliance, a trade group, and includes an updated and backwards compatible encryption standard (Temporal Key Integrity Protocol, or TKIP) that works with hardware released as long ago as 1999. The original Apple AirPort Card can be updated with firmware and drivers to handle TKIP; Mac OS X 10.3 Panther or later is required, however.

A second flavor, WPA2, was released later, with an additional, stronger encryption method; the gap was due to a delay in a standards group finishing a thorough revision of Wi-Fi’s security. WPA2 handles both TKIP and the AES-CCMP protocol (you really don’t want to know what that stands for).

The flaw that Erik Tews and Martin Beck have documented in a paper Tews will present in Japan next week involves a weakness in WEP that carried over into TKIP. TKIP was supposed to fix all of WEP’s problems, while still working with older hardware. Beck discovered, and the students tested and documented, that it was possible to examine short packets – lumps of data containing brief network messages, for instance – and extract the encryption material protecting them without tripping any of the safeguards that had been added to TKIP to prevent exactly that.

This isn’t a key crack – that is, you can’t use this method to recover a TKIP key and then decrypt all traffic over a network. Rather, it’s a very clever way to resend (or inject) a packet that appears valid into a network. The two researchers bypassed yet another TKIP protection using features added in Wi-Fi to ensure that data containing voice-over-IP and streaming audio or video wouldn’t be overwhelmed by data that didn’t need to arrive in a timely fashion.

(If you want the technical details, you can read my long article for Ars Technica, in which I interview Tews. You can also see a piece I wrote at Wi-Fi Networking News that has more technical detail than this article, but less than the Ars Technica feature.)

The good news is that this exploit is very limited in scope, and may be difficult for a cracker to pull off. The crack requires physical proximity, where someone can sniff your network data. It also likely won’t work with corporate Wi-Fi networks that are well designed, and which change the encryption keys in use every few minutes.

For home networks, if you’re the least bit concerned, you can modify a setting on your base station. The AES-CCMP method isn’t vulnerable to this exploit, and you can choose to use only that encryption method.

To switch a Mac to AES-CCMP, you need at least Mac OS X 10.3 Panther, an AirPort Extreme Card (available as an add-on or built-in option for every Mac starting in 2003), and any Apple Wi-Fi base station shipped in 2003 or later (such as the original AirPort Extreme Base Station). Windows and Linux systems starting in 2003 should also include AES-CCMP support or be upgradable through firmware patches. (There are some add-ons from third parties, mostly free, to allow Windows 2000 to handle AES-CCMP if the underlying hardware is also compatible.)

Macs with the original AirPort Card can’t use AES-CCMP encryption; the hardware simply can’t deal with it. AirPort Extreme Cards released in 2003 were built to handle what was already known would be needed. Likewise, the pre-2003 AirPort Base Stations can’t use WPA at all: neither TKIP nor AES-CCMP is supported.

The iPhone and iPod touch, like all hardware shipped with a Wi-Fi label attached since November 2004, include full WPA2 support, which means they can handle both TKIP and AES-CCMP. Starting that month, the Wi-Fi Alliance required that companies support WPA2 for products that were to use the Wi-Fi name.

You can switch an Apple Wi-Fi base station to use only AES-CCMP by following these steps:

  1. Launch AirPort Utility. (It’s found in the Applications > Utilities folder, or can be downloaded for Tiger and Windows from Apple’s support site. See “Apple Releases Updated AirPort Utility for Tiger, Leopard, Windows,” 2008-03-11.)
  2. Select your base station in the list at left.
  3. Click the Manual Setup button.
  4. Click the Wireless tab under the AirPort view.
  5. From the Wireless Security pop-up menu, select WPA2 Personal. The text below changes to read “WPA2 clients can join this network using AES-CCMP.”
  6. Click Update to restart the base station with the new settings. This causes a momentary network interruption for any device using the base station via Wi-Fi or Ethernet. (Make sure you unmount networked volumes first.)

Please note that older computers that can’t use WPA2’s AES-CCMP to connect won’t alert you to that fact. In the office I share with Jeff Carlson, we originally configured our network to use WPA2 Personal, back in 2005. This was fine, because all the computers in the office were newer. When a visitor arrived with an older Mac, we couldn’t connect it to the network, but there was no specific error: just a message that it couldn’t connect. We eventually figured it out and had to back off to WPA/WPA2 Personal.
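A client-side check on the result of the steps above, added here as an example and not taken from the original article: it parses the scan table printed by the command-line airport tool bundled with Mac OS X and flags any network whose advertised security still lets clients negotiate TKIP. The scan rows are constructed, modelled on that tool’s output format, and the verdict names are my own.

```python
"""Flag Wi-Fi networks that still permit TKIP, from a macOS `airport -s` scan table."""
import re
from typing import Dict, List

# Constructed sample (not real scan data), modelled on the table printed by
#   /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s
# The SECURITY column lists, per WPA generation, auth/unicast-cipher(s)/group-cipher.
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                      OfficeNet 0:11:22:33:44:1   -48  6       Y  US WPA2(PSK/AES/AES)
                      HomeMixed 0:11:22:33:44:2   -60  11      Y  US WPA(PSK/TKIP,AES/TKIP) WPA2(PSK/TKIP,AES/TKIP)
                       LegacyAP 0:11:22:33:44:3   -71  1       N  -- WPA(PSK/TKIP/TKIP)
                     Guest Cafe 0:11:22:33:44:4   -80  6       N  -- NONE
"""

# One scan row: SSID (may contain spaces), BSSID, RSSI, channel, HT flag, country, security.
ROW_RE = re.compile(
    r"^\s*(?P<ssid>.+?)\s+"
    r"(?P<bssid>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\s+"
    r"(?P<rssi>-?\d+)\s+(?P<channel>\S+)\s+(?P<ht>[YN])\s+(?P<cc>\S+)\s+"
    r"(?P<security>.*?)\s*$"
)
# One WPA or WPA2 suite, e.g. WPA2(PSK/TKIP,AES/TKIP)
SUITE_RE = re.compile(r"(WPA2?)\((?P<auth>[^/]+)/(?P<unicast>[^/]+)/(?P<group>[^)]+)\)")


def classify_security(security: str) -> str:
    """Map an airport SECURITY cell to a verdict (names are this example's own).

    'ccmp-only'    : every advertised suite uses AES(-CCMP) for unicast and group traffic
    'tkip-allowed' : at least one suite still offers TKIP, so a client may negotiate it
    'wep' / 'open' : no WPA protection at all
    """
    sec = security.strip()
    if sec in ("", "NONE"):
        return "open"
    if sec.startswith("WEP"):
        return "wep"
    suites = list(SUITE_RE.finditer(sec))
    if not suites:
        return "unknown"
    ciphers = set()
    for m in suites:
        ciphers.update(c.strip() for c in m.group("unicast").split(","))
        ciphers.update(c.strip() for c in m.group("group").split(","))
    return "tkip-allowed" if "TKIP" in ciphers else "ccmp-only"


def parse_scan(text: str) -> List[Dict[str, str]]:
    """Parse airport -s output into one dict per network row; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # the header line has no BSSID, so it never matches
            rows.append(m.groupdict())
    return rows


def audit_scan(text: str) -> List[Dict[str, str]]:
    """Attach a verdict to every parsed network."""
    result = []
    for row in parse_scan(text):
        row["verdict"] = classify_security(row["security"])
        result.append(row)
    return result


if __name__ == "__main__":
    for net in audit_scan(SAMPLE_SCAN):
        flag = "OK " if net["verdict"] == "ccmp-only" else "!! "
        print(f"{flag}{net['ssid']:<16} {net['security']:<48} {net['verdict']}")
```

After applying the six steps to an AirPort base station, its row should read WPA2(PSK/AES/AES) and be reported as ccmp-only; a WPA/WPA2 Personal network shows up as tkip-allowed.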

You may have seen early coverage of this exploit suggesting that the TKIP key or WPA encryption was broken. It’s not. This is a very interesting, very clever compromise that currently has no wide-reaching repercussions. But it’s also the first wedge that’s been successfully inserted into TKIP, and should help push a move to AES-CCMP by those who care about security.

Adam Engst

Take Control News: Free Copy of Thanksgiving Ebook!

The days in November are flipping by ever more quickly, with the Thanksgiving holiday on 27-Nov-08 fast approaching in the United States. Although we will be hard at work publishing TidBITS and Take Control ebooks for the remaining weeks, I’m not worried by the extra effort necessary to prepare a full-fledged Thanksgiving dinner for my extended family, thanks to the schedules, shopping lists, and recipes in Joe Kissell’s “Take Control of Thanksgiving Dinner,” which we first published in 2006 and tweaked slightly last year.

Needless to say, the topic hasn’t changed at all, so the book is still entirely relevant. Although it’s one of our best in terms of clarity and utility, we’ve so far had trouble marketing what is essentially a holiday cookbook. We knew it was a risk when we started, but we’re still disappointed that the book hasn’t been able to help more people.

So, to help reduce cooking stress and increase the tastiness of Thanksgiving dinner everywhere, we’re giving away “Take Control of Thanksgiving Dinner” from now through Thanksgiving Day. Just purchase any other Take Control ebook and you can get the $10 “Take Control of Thanksgiving Dinner” for free. Use this link to load the necessary coupon code and start shopping at our alphabetized catalog page.

Joe Kissell

Securing Your Disks with PGP Whole Disk Encryption

I’ve been using various incarnations of PGP (Pretty Good Privacy) encryption software for almost as long as I’ve been a Mac user. I won’t go into PGP’s long and interesting history (for that, see this Wikipedia entry), but since 2002, commercial Mac versions of the software have been available exclusively from PGP Corporation. PGP is commonly used for encrypting email and chat, and the PGP Desktop software can also create encrypted disk images that offer capabilities unavailable with Apple’s Disk Utility.

In addition, for some time PGP Desktop has been capable of encrypting an entire disk or partition – but until recently, you could do this only for non-startup volumes. Now, however, with the release of PGP Whole Disk Encryption for Mac OS X (also included with version 9.9 of PGP Desktop Professional for Mac OS X – though not with PGP Desktop Home), that limitation has finally disappeared. It may sound like a fairly trivial change, but this is something I’ve been waiting for since the days of Mac OS 9, and in my opinion it’s a Pretty Big Deal (PBD). I’ve frankly been surprised that this new capability has received so little attention, so allow me to do my small part to rectify that.

Why Encrypting a Startup Disk is Interesting — Suppose your Mac’s hard disk contains sensitive information of some sort – confidential business plans, personal financial records, secret love letters, or whatever. You could put all that information on an encrypted disk image, which is plenty secure but potentially awkward to use; you must be careful not to store any private information anywhere other than that disk image, and every time you want to mount it, you must enter your password. Or you could use Apple’s FileVault feature, which encrypts everything in your home folder (including your iTunes music, your iPhoto photos, and so on). That should cover most of the bases, but FileVault introduces some complications when it comes to backups (in particular, it’s only partially compatible with Time Machine), and the way it stores information makes it potentially susceptible to large-scale data loss from random disk errors. In addition, FileVault must periodically perform time-consuming maintenance to free up disk space, and it doesn’t protect any data stored outside your home folder.

Speaking of backups, I always recommend creating bootable duplicates of your entire startup disk – and, for extra safety, I suggest making two or more copies and keeping one offsite at all times (for example, at a friend’s house). You should do this, of course, even if you have no need to encrypt your Mac’s internal hard disk. But if someone happened upon that offsite backup, there’d be nothing stopping them from reading everything on the disk. Even if you’d used encrypted disk images or FileVault to protect part of the disk’s data, some private information could still be at risk. Although lots of backup programs offer encryption, they invariably do so by wrapping up all the data from your disk in a special archive file or disk image, preventing the disk from being bootable. So, until recently, the only way to get bootable duplicates that were also totally encrypted was to use one of the few, and expensive, hardware-encrypted enclosures, which require a physical key to unlock your data.

Now suppose you could encrypt every last byte of data on your startup disk – any startup disk, even an external FireWire or USB bootable duplicate – all at once, without fiddling with disk images or FileVault, without any backup caveats, without any intrusive rituals to interrupt your work, and without any performance penalties. As a matter of fact, you could do just this, years ago, with any of several classic Mac programs that encrypted entire disks at the driver level. (My personal favorite was a component of FWB’s Hard Disk Toolkit – may it rest in peace.) But for a variety of reasons, none of these utilities made the jump to Mac OS X. That means ten-year-old Macs (not to mention brand new Windows PCs) could do something that modern Macs couldn’t do. But earlier this year, for the first time, that changed.

The first company to introduce whole-disk encryption for Mac OS X was Check Point, which released Check Point Full Disk Encryption in May 2008. I haven’t yet tried Check Point’s product, but then, it’s not marketed or sold to individual end users; it’s designed for large-scale deployment in businesses and requires non-trivial setup procedures to be performed by a system administrator. Luckily, PGP released its Whole Disk Encryption products just a few months later, and they’re readily available to ordinary folks like you and me.

Incidentally, both PGP Whole Disk Encryption and Check Point Full Disk Encryption can work their magic only on Intel-based Macs. To be more precise, PGP’s products can run on PowerPC- or Intel-based Macs, and can encrypt entire volumes on either variety of Mac, but encrypting a startup disk requires a Mac with an Intel processor.

How PGP Whole Disk Encryption Works — To encrypt a whole disk (whether a startup volume or not), you open PGP, select PGP Disk in the program’s sidebar, and click Encrypt a Disk. The program then walks you through a few brief steps, such as selecting a passphrase, and begins encrypting the disk in the background using the AES-256 encryption standard. The process takes some time, depending on the speed of your computer, the size of the disk to be encrypted, and how much other work you’re doing. In my case, it took about 10 hours to encrypt a 250 GB disk on a 2.4 GHz MacBook Pro, but I was keeping the machine extremely busy with other tasks at the time (installing Windows in a VMware Fusion virtual machine, for example). I didn’t find that the encryption slowed me down unreasonably, but if I had, I could have clicked a Pause button and resumed the encryption at my convenience.

When you encrypt an entire disk, you can normally choose between a manually entered passphrase and a public key (which could, for example, let someone else decrypt the disk without your having to know their passphrase). With startup disks, you must always choose a passphrase, but after the disk is encrypted, you can grant access to more users, each of which may use either a passphrase or a public key. (To access a disk encrypted with a public key, someone would use their corresponding private key; see Wikipedia for more on how public-key cryptography works.) If the need arises, you can change the passphrase for any user after the fact without decrypting the disk; you can also re-encrypt an already encrypted disk in much less time than it would take to start from scratch.

Once your disk is encrypted, nothing special happens until you shut down or restart your computer (or, for a non-startup disk, unmount the disk). When you attempt to start up your Mac, you initially see a special PGP BootGuard Screen, where you enter your passphrase. Once you’ve done so, startup continues normally. (If you mount a non-startup disk while your Mac is running, you see a simple alert dialog with a field to enter the passphrase.)

After you’ve unlocked your Mac with your passphrase, Whole Disk Encryption is normally invisible as you use your Mac. I did not perceive any performance slowdowns in day-to-day use (even with disk-intensive activities), and for all practical purposes, everything behaved exactly as it did before.

You can mount an encrypted disk on another computer – even a Windows computer – as long as it has the appropriate version of PGP Desktop or PGP Whole Disk Encryption installed. If you’ve encrypted an external FireWire or USB drive containing a bootable duplicate, you’ll be prompted to enter your passphrase on any Mac when you use it as a startup disk (since the disk itself contains the PGP software, it need not be installed separately on other computers). Note, though, that because Whole Disk Encryption works only on Intel-based Macs, you can’t use such a drive to start up a PowerPC-based Mac.

If you were to forget your passphrase, your data would ordinarily be gone forever: this is strong encryption, and tricks like using data recovery software will be of no use. However, if (and only if) you’re using PGP Whole Disk Encryption in a managed environment – meaning an administrator centrally deploys and configures the software – there is a fallback plan. Your system administrator can issue a one-time, per-device token that gives a particular user an opportunity to recover data from a single encrypted disk. (That means the administrator could also potentially get at your data, but that’s to be expected in managed settings.) Individual users have no such back-door option.

Qualifications and Gotchas — As convenient and transparent as Whole Disk Encryption is, it comes with some limitations I wasn’t expecting, and which gave me pause. These may or may not be issues for you, but it’s important to be aware of what this software can and can’t do.

First of all, although all the data on your disk is encrypted all the time, it’s freely accessible from the time you turn on your Mac and enter your passphrase on the BootGuard screen until you shut down (or restart) the computer. You can’t turn off access manually without shutting down or restarting. Crucially, Whole Disk Encryption does not disable access to your data when your computer goes to sleep or require entering your passphrase when it wakes up. So, suppose you’ve encrypted your MacBook’s hard disk, but you normally put the computer to sleep when you carry it around. (Like most owners of Mac laptops, I do this to eliminate wasted time waiting for the computer to restart whenever I want to use it.) Now, the unthinkable happens and someone steals your computer. As long as the thief doesn’t shut it down or restart it, the disk’s encryption is useless – any data on it can be freely accessed directly, or over a network.

You can minimize the risk by choosing a strong login password and by making sure you must enter it when your Mac wakes from sleep (check Require Password to Wake This Computer from Sleep or Screen Saver in the General view of the Security pane of System Preferences), because in order to reset your password without knowing it, an attacker would have to restart your Mac. Still, this situation bugs me because Whole Disk Encryption seems most useful for laptops, and laptops seem most useful when you employ sleep mode rather than shutting them down after each use.

Second, Whole Disk Encryption for startup volumes isn’t compatible with Boot Camp, at least not in this release. If you install Whole Disk Encryption while a Boot Camp partition is present, you’ll see a warning message to the effect that you can still encrypt whole disks, just not your startup volume. If you use Boot Camp Assistant to remove your Boot Camp partition, you can then encrypt your startup disk. But you have to choose between Boot Camp and having your entire disk encrypted.

Third, if your disk requires repair or troubleshooting, you’re going to run into problems. For example, with an encrypted startup disk, you can’t perform a Safe Boot. Holding down the Shift key while restarting normally disables some potentially problematic software, such as third-party kernel extensions, but since Whole Disk Encryption relies on such an extension to provide access to your disk, this won’t work. Furthermore, you can’t use disk repair programs such as Disk Utility and DiskWarrior on an encrypted disk; if you have disk problems, or suspect you might, you must first decrypt the disk and then start up from another volume (say, your Leopard Install DVD) to run disk repair software. Unfortunately, the process of decrypting a disk is quite time-consuming – for me, it took considerably longer than encrypting the disk in the first place. So you could be looking at a 24-hour period to decrypt, repair, and re-encrypt a disk – not fun.

I also encountered a couple of less-serious annoyances. The first time I restarted my computer after encrypting its disk and tried to enter my passphrase, I had a moment of panic that Whole Disk Encryption wouldn’t let me in. I had chosen a 32-character passphrase, and as I typed it, the cursor in the PGP BootGuard Screen moved incrementally across the passphrase field (though without displaying bullet or asterisk characters, as is often the case). After I typed the 21st character, the cursor was all the way to the end of the field and didn’t move any further as I typed the remaining characters, so I got no feedback that my input was being registered. It was, and everything was fine after I finished blindly typing the passphrase, but I didn’t like the fact that feedback is registered for a maximum of 21 characters when passphrases can contain up to 255.

I had also set up Carbon Copy Cloner to duplicate my Mac’s hard drive to a network volume on a daily schedule, and the first time this backup ran after I encrypted my disk, it failed. Consulting the logs, and cross-referencing them with the support material on PGP’s Web site, I discovered that the problem was an invisible file called PGPWDE01, which PGP stores at the root level of any encrypted volume. This file can’t ordinarily be read or written by backup software, so you must exclude it manually if your backup software complains (some backup programs, like Time Machine, already ignore the file).

Recommendations — When I first heard about Whole Disk Encryption, I allowed my excitement to get ahead of reality, and I pictured a complete solution to all my encryption problems; I had the idea that this product, by itself, would eliminate the need for all the other sorts of file encryption I’d tried. As it turns out, although it solves a couple of problems brilliantly, it’s still just one piece of the puzzle. It does indeed provide virtually bulletproof data protection in cases where a computer is shut down when it falls into the wrong hands, at least if you’ve chosen a good passphrase and taken care to prevent anyone else from learning it. It also eliminates the need to encrypt virtual memory separately (which you can otherwise do in the Security pane of System Preferences by checking Use Secure Virtual Memory), because that happens automatically. And it makes encrypted bootable duplicates incredibly easy to create.

Nevertheless, PGP recommends continuing to use multiple layers of protection, such as encrypted disk images (whether generated by PGP Desktop or otherwise) and FileVault, depending on your needs. Part of the reason is that PGP’s whole-disk protection doesn’t help when your computer is running or asleep; another part is that even if a determined or clever attacker could find a way to get past one layer of encryption, getting past multiple layers is much less likely. Keeping especially sensitive information on an obscurely named disk image also makes it at least a bit harder to find in the event that someone did obtain access to a still-unlocked encrypted volume.

Obtaining PGP Whole Disk Encryption — You can buy PGP Whole Disk Encryption as a stand-alone product, which costs $119 for what PGP calls a “perpetual” license – that is, a license that lets you use the version you purchased indefinitely, but which only provides free support and updates for one year. All the capabilities of Whole Disk Encryption are also built into PGP Desktop Professional (which includes encryption for email and chat, as well as support for creating encrypted disk images). Two kinds of licenses are available for PGP Desktop Professional – the perpetual license for $199, and a subscription license, which costs $83 per year. With the subscription license, you can only use the software for as long as you have the subscription. If you haven’t renewed it within 90 days after its expiration, PGP automatically decrypts all your encrypted disks (after alerting you that it’s about to do so), which is a potential security risk. PGP Desktop Professional 9.9 is available in a 30-day trial version, a 30.1 MB download; no trial version of PGP Whole Disk Encryption alone is offered.

Kevin van Haaren

Confessions of an iPod touch Convert

I thought I’d steal Joe Kissell’s idea and write an article on my conversion to the iPod touch (see “Confessions of an iPhone Convert,” 2008-09-17). My usage needs were different from Joe’s so I went with the iPod touch instead of the iPhone. Since I have to use a work-provided BlackBerry for phone and email, I wanted to see if the iPod touch would prove more capable than other PDA-type gadgets I’ve relied on for other various tasks.

The second-generation iPod touch gains several features over the original model. The addition of physical volume buttons on the left side is the most visible change, but Apple also added a speaker and voice recording feature (the latter requires purchase of headphones that support it). These additions bring the second-generation iPod touch closer to the iPhone 3G, with the exception of the iPhone 3G’s phone, cellular data network, Bluetooth, GPS, camera, and – on the plus side – 2-year contract with AT&T (see “Apple Reveals New iPod nano and Updated iPod touch”, 2008-09-09).

I’ve used a number of these devices over the last several years, including a BlackBerry 8830 from Verizon, a 60 GB iPod video, and, until I burned out its CPU, a Palm Zire 72. I didn’t bother replacing the out-of-warranty Palm because it died right when my job gave me the BlackBerry, which offered most of the same functionality.

Each device provided several functions I enjoy having at my fingertips. Other than the BlackBerry email, none of the functions are vital to my job or day-to-day productivity. The iPod video was obviously my media player. Until I got the BlackBerry, the Zire was my Web browser, ebook reader, small games machine, digital camera, and briefly, my calendar. The BlackBerry took over most of those functions, although I’ve never used it to read ebooks.

On 09-Sep-08, when Apple announced the second-generation iPod touch and dropped the prices on all models, I debated whether it was worth replacing the iPod video with the new iPod touch. At the time my iPod video held over 5,200 songs and 29 TV episodes (mostly Looney Tunes because they’re short and I can watch them over and over again without getting tired of them). I also had several games I’d purchased via iTunes before the App Store existed.

Pros and Cons — At first glance, the iPod touch posed several big problems for me. The 32 GB model still cost more than I wanted to pay even after the $100 price cut, and going with the 16 GB model would be a severe drop in storage space. Also, the games I bought wouldn’t move over to the iPod touch. My BlackBerry already had access to the Web and also had some games on it. It can play music and video as well, but I had only a 1 GB microSD card, which wasn’t sufficient for a decent music collection (the largest microSD card I’ve found is 8 GB, not enough space for me to consider giving up my iPod).

Fortunately, the iPod touch also boasts many advantages over these other devices. It has a larger screen than the others, and a higher video resolution. The iPod touch also has a lot more games available, many taking advantage of its better graphics and accelerometer. Its Wi-Fi support enables faster Internet access than the BlackBerry’s EVDO cell data connections. Finally, the iPod touch supports several applications that I really wanted, including James Thomson’s PCalc (despite being able to learn to use a mouse left- or right-handed, I am apparently incapable of learning to use a non-RPN calculator), the Iconfactory’s Twitterrific, and Apple’s Remote app for controlling iTunes and the Apple TV.

Despite those pros, the iPod touch’s small storage space still bugged me, so I reviewed how I used my iPod video. I realized that I rarely synced the iPod. I have a charger at work and would just plug the iPod into that while listening to music. Because I seldom synced, my calendars were always out of date and I was constantly reminded about events I’d already changed or deleted on the Mac. I also lacked music that I’d purchased in the months since the last sync. Most importantly, I found that I was listening to the same playlists over and over, despite having a vast library on the iPod video’s hard drive. In the end, I decided – or perhaps convinced myself – that the iPod touch’s limited capacity would force me to sync more frequently, thus rotating my music more often, maintaining calendars in a useful way, and keeping me up-to-date on recently purchased music and video.

Viewing the storage limitation in a positive light finally convinced me that I would benefit from replacing the functionality of the BlackBerry/iPod video combination with an iPod touch, so I ordered one.

Once my iPod touch arrived, I immediately linked it to iTunes, bought or downloaded several apps I wanted to try, and was off and running. So how does my new toy compare to the BlackBerry 8830, the iPod video, and, where relevant, the Palm Zire 72?

Display — The iPod touch screen is beautiful. I’ve been impressed with how small type can be and yet still be readable to my eyes. When I traveled with the iPod video, I used a portable DVD player with a built-in iPod dock to enlarge the image to a viewable size. I don’t need to use that DVD player with the iPod touch; on a recent business trip I found watching both movies and TV shows directly on the device to be acceptable.

The screens of both the Zire and the BlackBerry pale in comparison to the iPod touch screen’s level of clarity. Neither uses anti-aliasing for text, rendering the text on the iPod touch noticeably more readable in comparison, something I appreciate when reading ebooks on the iPod touch (more on that shortly).

Navigation — The iPod touch’s approach to navigation is overwhelmingly better than that in either the BlackBerry or the Zire. Even when using single-finger navigation the iPod touch beats the stylus-driven Zire. Scrolling with the Zire is pretty typical for small electronic devices: you use the stylus to slide the scroll bar up or down, and when you reach the bottom of the screen, you move the stylus back up to the top to continue scrolling. It works, but it’s clumsy at best.

Navigation on the BlackBerry is horrible. It has a small trackball, but it tracks directly, lacking the acceleration approach used by the Mac (where the distance the pointer moves increases with the speed of trackball motion). Scrolling while reading text is reasonable, but getting back to the top of a long page after reaching the end is painful. Many apps have keyboard shortcuts, but they aren’t standardized and can thus be difficult to discover and remember.

In comparison, with the iPod touch, you can flick a finger on the screen to “throw” the screen in the direction of your flick. The screen scrolls with inertia, as if it has weight, scrolling slower and slower until it stops. Flick again to scroll some more, or press down with your finger to halt scrolling immediately. In many applications, you can also tap the bar at the top of the screen to jump to the top of the document. It’s amazing how intuitive this is and how quickly you can move around within long documents. I’m doubly amazed at how terrible the same behavior is when scrolling long lists on the Apple TV via remote control; I guess this behavior really works only on a device that you’re manipulating directly.

Even after short use, it’s hard to live without multi-touch zooming and navigating. If there is free Wi-Fi around, the iPod touch is my first choice for navigating the Web when out and about. My only issue with its interface is that it very infrequently fails to register that I’ve touched the screen (or thinks I’m touching it somewhere there isn’t anything touchable). This mostly happens when I’m trying to tap links on Web pages or Twitterrific messages.

Character Input — The Palm Zire uses Graffiti for character input (it also has a virtual keyboard although it must be used with the stylus). Graffiti is a modified handwriting method that reduces most characters to a single stroke that largely resembles the character you want. Special strokes are also available to delete the previous character, enter spaces and line breaks, and so on.

Graffiti on the Palm is a decent input system, but not without its quirks. For instance, I never mastered the K character stroke due to having spent many years writing the K in my name a certain way. But Graffiti’s main problem for me is that you draw each character in the same spot, switching sides of the input area to enter numbers instead of letters. I had trouble training myself to avoid writing across the screen. The Palm also works only with a stylus. I lost three of them while using the Zire, something that was especially annoying while traveling without a spare.

The iPod touch eschews the stylus and Graffiti-like writing in favor of a virtual keyboard with a word guessing feature that enables you to avoid correcting many mistakes as you type. It’s passable, but not great. I’ve been using it for only a few weeks now, so it may grow on me, but at the moment I don’t much like it. It’s too easy to hit wrong characters, and the word guesser assumes you want to use its guess instead of what you typed. This latter behavior is particularly frustrating if you work in an industry where you use a lot of jargon that isn’t in the dictionary, or if you type a lot of cuss words that Apple left out of its dictionary. I work in the IT industry so I do both.

RIM touts the BlackBerry’s physical keyboard as a major selling point, and they’re correct to do so. Responding to email messages is much easier on the BlackBerry than on either the iPod or Zire. I wouldn’t want to write a book, or even this article, on a BlackBerry, but I have to correct mistakes far less often on the BlackBerry than on the iPod touch. Of course, the keyboard takes up space that could be used for a significantly larger screen, which is the tradeoff. It’s also possible that Apple could tweak the iPod touch’s virtual keyboard software to eliminate the BlackBerry’s keyboard advantage.

Applications — Although the overall system has been somewhat marred by boneheaded moves on Apple’s part as to what it will and won’t accept, the App Store remains the easiest method I’ve found for purchasing and installing apps on a PDA. It’s easy to find apps, and there are many (sometimes too many in any given category) to choose from. And in fact, the ease of finding and purchasing apps means that I did it, whereas I’ve stuck largely with included apps on previous PDAs.

I have downloaded some free games for my BlackBerry, but I couldn’t tell you where I got them or how I found them. The Opera Web browser was an easy install on the BlackBerry, but I had to know to go to Opera’s site to get it.

I didn’t install many applications on the Zire, in part because Palm apps suffer from needing to support too many widely divergent devices. For example, some apps are black and white at low resolution only because they were written for earlier versions of the Palm. Palm apps were also difficult to find and tended to be expensive. A quick Google search reveals several Web sites dedicated to listing and selling Palm software, but they suffer from being Web sites, and oddly, are laid out for computer browsing rather than browsing from a Palm – probably because you can’t install software from the Palm Web browser. In contrast, Apple’s dedicated App Store application provides the instant gratification of buying and installing an app, even while away from your computer. Palm apps are also more expensive than iPhone/iPod touch versions. Bejeweled 2 for my iPod touch from PopCap Games costs only $7.99, but the Palm version from Astraware will set you back $19.95.

Mail, Contacts, and Calendars — The Palm’s contact and calendar capabilities are a nightmare. To be fair, the nightmare mainly comes in syncing and in attempting to work with multiple accounts. I initially thought the Palm would be a good way to keep my contacts and calendars from work and home with me at all times. Unfortunately, due to discrepancies in functionality (I seem to remember serious issues surrounding repeating events), attempting to merge everything together resulted in a huge mess of duplicate or missing entries.

A quick search through TidBITS Talk uncovers a number of people having problems syncing Palms with Macs. The best solution seems to be to use The Missing Sync from Mark/Space, but I never actually got that far. I gave up syncing with my Mac at home and just synced with my Windows machine at work so I could rely on the Zire to remind me of upcoming meetings. I did sync home calendars with the iPod video, but my infrequent syncing meant the alarms were often out of date.

The BlackBerry is considered the gold standard for dealing with enterprise mail, contacts, and calendars. It did a splendid job with my Exchange email account at work, but I couldn’t get it to work with my home IMAP server. (It doesn’t appear to like that my home server is accessible only via the IMAP SSL TCP port rather than the standard IMAP port.) Since the BlackBerry was provided to me by work, I wasn’t all that comfortable tying it to my home server anyway, so I gave up after an hour of trying.

The iPod touch’s mail and calendar capabilities are impressive. With little effort, I was able to set up three accounts: MobileMe, my home IMAP server, and my Exchange account at work. The iPod touch handles Microsoft Exchange email via an encrypted connection to our Exchange 2007 Outlook Web Server. IMAP setup was equally painless, merely requiring I accept the self-signed SSL certificate I use on that server, and MobileMe was, as expected, easy as well.

I wirelessly sync all my calendars and contacts, work and home, to the iPod touch and it does a good job of keeping them isolated from each other. No more nightmares of merged calendars causing numerous duplicates. The only limitations I’ve found are that you can’t sync subscription calendars wirelessly or sync wirelessly with iTunes. John Gruber of Daring Fireball wrote a lengthy essay on calendar syncing that’s worth reading.

External Speaker — When the second-generation iPod touch was first announced, Apple made a big deal about adding a speaker. Initially, this feature seemed like a minor addition to me, but now I can see why so many complained about the first-generation model lacking this feature. Put simply, it makes it possible to listen to a YouTube video or podcast without plugging in earbuds. The quality isn’t great – you wouldn’t want to use it to listen to music – but it’s good enough.

The first-generation iPod touch did have a speaker, but it could play only the beeps and boops of timed alarms. Unfortunately, for alarm use the speaker’s volume is barely adequate. I can hear it in my pocket most times but not if there is a lot of background noise. On trips I use my BlackBerry alarm for an alarm clock instead of the iPod because I worry that I would sleep through the lower volume iPod alarm. A vibrate option – much as the iPhone has – would be a welcome addition.

Voice Recording — The other major new feature in the second-generation iPod touch is the capability to record from a microphone. Although I’ve never particularly wanted to use voice recording, many people find it useful. To record, however, the iPod touch requires an external microphone that’s not included in the package. Apple announced in-ear headphones that include a remote control and microphone for the voice recorder but hasn’t yet shipped them. The iPhone headset would probably work, but it has regular iPod ear buds which won’t stay in my ears, so I’m still waiting for the release of the new headsets. Once they are available, there are a variety of voice recording apps for the iPhone that should work on the iPod touch as well.

Many PDAs offer voice recording capabilities, including the Palm Zire, which has a built-in microphone and a designated Record button so you don’t have to go into an app and then begin recording. The few times I tried recording on the Zire, it worked as expected.

The situation is fuzzier with the BlackBerry 8830. Supposedly, it can do voice recording, but I can’t seem to figure out how to do it. I don’t know if Verizon removed the capability (so as to force users to pay for a separate recording service), or if I’m just missing the functionality in an application I have. While trying to find the answer I found that RIM had released a firmware update that added voice recording capabilities to many of the BlackBerry models. The update is free; however, your provider must allow you to install it. This is one of the many provider lock-ins that drive me crazy in the mobile phone market. Fortunately, Apple has retained full control over iPhone software, instead of allowing AT&T to set the rules.

Ebooks — Reading ebooks was one of my favorite uses of the Palm Zire and I’ve missed it since my Palm went belly up. The BlackBerry screen is just too small for prolonged reading sessions. On the Palm, I used Plucker to read free ebooks from the Baen Free Library and Project Gutenberg. I found the desktop side of Plucker, used to download and convert content to the Plucker format, to be wildly confusing, but the reader on the Palm was nice and simple. It supported the basic functionality I expect from an ebook reader: a library that can hold many documents, adjustable text sizes and colors, and bookmarks in multiple books at a time.

Prior to the 2.0 software release for the iPhone/iPod touch, Adam wrote an open letter to Steve Jobs commenting on how ebooks were overlooked on the iPhone and iPod touch (see “Open Letter to Steve Jobs: In Support of an iPod Reader,” 2008-01-01). He was right then and the situation hasn’t improved significantly, but with the addition of the App Store some third parties are trying to rectify the problem with dedicated ebook reading software. A number of ebook apps are available now, and I’ve been playing with two of them: the $9.99 Bookshelf from Zachary Bedell, and the free Stanza from Lexcycle.

The two apps offer similar functionality but differ in user interface and document formats supported. Bookshelf supports the Plucker-formatted documents I still have from my Palm reading days, while Stanza supports the Kindle format. Stanza also supports PDF, but removes images and formatting which, for most of my PDFs, including my Take Control ebooks, makes them unreadable. Bookshelf doesn’t support PDF at all, so when I want to read a PDF I use another app or email it to myself. Even using a PDF viewer that maintains formatting doesn’t make PDFs easy to use on the iPhone, because most PDFs are designed for 8.5″ x 11″ pages, which require lots of side-to-side scrolling.

[The email attachment trick is a simple way to get our Take Control PDFs onto the iPod touch or iPhone. When you click an attachment to open it on the iPod touch, it displays the PDF. As Kevin says, it’s not an ideal display, but if you switch to landscape mode and zoom in just enough to eliminate the right and left margins, the text should be readable. -Adam]

Bookshelf uses a scrolling format for displaying text. It offers auto-scrolling, as did Plucker on the Palm, but I don’t particularly like the feature. In contrast, Stanza uses a page-at-a-time format, wherein it divides the screen into zones: a tap on the left goes back a page, and a tap on the right goes to the next page. A tap in the center brings up Stanza’s options. I find I prefer the scrolling method for one-handed reading. Neither app supports zooming text with pinching motions on the multi-touch screen; instead you must go into options and manually select a larger font size.

Neither app synchronizes via iTunes but instead relies on a program on your Mac for loading new titles. Bookshelf’s desktop program can make entire folders available to the iPod touch, whereas Stanza’s desktop reader lets you send only individual documents to the iPod touch. You can also download ebooks directly within the Stanza app on the iPod touch.

Overall, I prefer Bookshelf, but I’m not sure its few advantages are worth $9.99 more than the free Stanza. So while many of Adam’s criticisms about the lack of a good ebook solution for the iPod touch still apply, the iPod touch ends up being about as good an ebook reader as the Palm Zire, with better text rendering.

Summary — Overall, I’ve found the purchase of the iPod touch as a PDA to be well worth the money. I ended up with a better media player than the iPod video, and I gained easy access to apps that are significant improvements over my BlackBerry and Palm applications. I did give up instant access to 5,000 songs, but I’ve found that I don’t miss it, since more-frequent syncing means that I can rotate the set of music I store on the iPod touch more frequently than I ever did on the iPod video.

Although the iPod touch comes out well ahead of the BlackBerry, Palm Zire 72, and iPod video as a PDA, the comparison isn’t quite so clear-cut for those considering replacing a BlackBerry with an iPhone. Leaving aside any unanswerable (for this article) questions of cellular reception and battery life, the major difference comes down to how much typing would be necessary, since for me at least, typing on the iPhone’s virtual keyboard is slower and less accurate than on the BlackBerry’s physical keyboard. If Apple were to open up the iPhone to Bluetooth external keyboards for typing longer email messages and notes, I would have no qualms recommending the iPhone over the BlackBerry in almost every situation.

TidBITS Staff

TidBITS Watchlist: Notable Software Updates for 10-Nov-08

  • Nisus Writer Pro 1.2 from Nisus Software is a fairly major update to the increasingly powerful word processor. The most significant change is a new importer that Nisus Software claims greatly improves file translations, especially for Word’s .doc files. Other new features include the capability to export Word .doc files and the Open Document .odt format, new ways of rearranging entries in a table of contents, Flesch and Kincaid reading ease scores, automatically updating time stamps, additional backup options, a Macroize menu that makes it easier to create macros based on the contents of the Find & Replace window, and additions to the Nisus Macro Language. Plus, Nisus Writer Pro 1.2 now includes the Sparkle automatic updating framework so manual downloads will no longer be necessary. For even more detail on the huge number of other changes and bug fixes, see Nisus Writer Pro’s release notes. ($79 new, free update, 100 MB)
  • Sandvox 1.5.2 from Karelia Software updates the template-based Web site creation tool with new features and under-the-hood enhancements. Changes include smoother media handling and various improvements to pages and pagelets, as well as “updates to page archives, contact forms, collection indexes, Amazon lists, photo grids, sitemaps, raw HTML editing, and QuickLook previews,” according to Karelia. Also included is the latest version of the Karelia iMedia Browser featuring enhanced library updating capabilities and improved media search and insert features. The update has also reworked the program’s insides, increasing speed of file handling and achieving greater overall stability. ($49 new, free update, 25.9 MB)
  • Envision 1.2 from Open Door Networks is a minor update to the Web image browsing software that has seen a significant surge of interest since the iPhone versions appeared (they’re good for flipping through editorial cartoons, for instance). Changes in Envision 1.2 include publishing of shows from the Mac to the iPhone (via MobileMe), improvements to help create shows that display well on the iPhone, many new built-in shows, improved transition effects in Mac OS X 10.5 Leopard, and bug fixes. ($39 new, free update, 6.2 MB)
  • Digital Camera Raw Compatibility Update 2.3 from Apple adds raw file compatibility to Aperture 2 and iPhoto ’08 for the Canon EOS 50D, Nikon D90, Sony DSLR-A900, and Nikon Coolpix P6000. According to Apple’s Web site, “It also addresses issues related to specific cameras and overall stability.” The update is available via Software Update (the easiest way to get it) or as a standalone download. (Free update, 4 MB)
  • HistoryHound 1.9.6 from St. Clair Software is a valuable update to the Web history search utility. The new version now enables users to search WebArchive files created by WebKit-based browsers such as Safari, OmniWeb, and Shiira. The update also fixes a bug that had been causing sporadic crashes for some users. Other smaller changes include an improved error log that now saves between launches and a fix for a bug related to searching for file URLs. ($19.95 new, free update, 3.3 MB)
  • PopChar X 4.1 from Ergonis Software updates the long-standing tool for finding and inserting special characters with several new features and some minor bug fixes. Changes include improved compatibility with OpenOffice and NeoOffice, the capability to detect the current font in MultiAd Creator Pro, and a new technique for adapting to the particular quirks of certain applications. The update also fixes several bugs, including one that caused the memory allocation of PopChar to grow over time. ($29.99 new, updates are free for 2 years after purchase and then 14.99 euros, 1.9 MB)

Jeff Carlson

Hot Topics in TidBITS Talk/10-Nov-08

Congratulations, Adam — Readers congratulate Adam on running the New York City Marathon and wonder what’s next: the Iditarod? (6 messages)

Anti Virus or Not? — Is it worth running anti-virus software on the Mac just in case, even though there are no viruses in the wild? (39 messages)

MacBook Pro and WiFi Problems — AirPort signal strength seems to be waning in a reader’s MacBook Pro, leading him to wonder if there’s some inherent flaw with that model’s implementation. (4 messages)

Confessions of an iPod touch Convert — Since the new iPod touch now supports audio recording (using a compatible microphone), can it be used for voice-over-IP (VoIP) calls? (16 messages)

Getting Finder info of many files into text format — Need to print a list of Finder folders and their documents? Turn to a Web browser, of course! (13 messages)