Thu - July 20, 2006

PGP Appears to Suck 


Well, it's official. It looks like newer versions of PGP are just going to suck and there's nothing you can do about it. Their ridiculous new email (sorry - messaging) system is here to stay. The official word from a posting by Earle Lowe, a Dev Manager at PGP from June 11, 2006:
Obviously there is a philosophical (and fundamental) disagreement about the nature of email encryption. The current technology was felt as clearly the best path forward for PGP as a software product. It solves numerous issues with integrating into the various email applications that people want to use. It supports PGP/MIME. It supports centralized policy management. It enables a much simpler experience for the user (we have not yet achieved this obviously). The list continues.

The way you want PGP to work where you actually see the ciphertext was and continues to be simply not possible in any number of email clients. The old architecture was neither maintainable nor extensible. As an example, Outlook Express, for all its obvious faults is a popular email client. Prior to PGP 9, the PGP rip-in for this email client was a significant amount of tricky code requiring substantial developer expertise (and was prone to break frequently - particularly with MS updates). PGP 9, on the other hand, has zero specialized code to handle Outlook Express.
OK - I can completely understand the problems with keeping up with email clients. It's a pain in the butt. But removing security so it's easier for the end user? What a dumb statement. Why not just remove all encryption from the product? That will make it even easier. In fact, this is basically what they have now anyhow.


Their craptastic "easy to use" messaging proxy defaults to settings so you don't have to change anything in your email client to make it work. Seems like a convenient feature. All emails could be encrypted/signed on their way out. Except if the proxy ever fails, that email you just sent doesn't get encrypted - it just gets sent because your mail client doesn't know the difference. It just uses the same old settings it always did. This failure mode is completely unacceptable. I can't even believe they offer this as an option. Dumber than hell.

The really screwed up part about this is that their proxy does fail for non-obvious reasons, mostly because it's a pain in the ass to set up and get working properly, even with their auto detection running. In my case, emails from one account went out signed, another didn't - all because my SMTP port wasn't something they were expecting and were trapping (and there is no way to change this either, apparently.)

My advice? Don't even think to use this hunk of junk for email on the Mac (or anywhere else for that matter.) It's not worth it. Stick to using GPG. It actually does the right thing, despite lacking the nice key management front end. I didn't even test anything else in their software. What other crap doesn't work or is broken in non-obvious ways?

I feel sorry for all those n00bs out there running this crap and thinking they are secure in any way.

Update: I posted to their forums about these concerns. Despite tons of "views" no one has answered. Based on the posts they actually answer on their forums, it looks like their target market has changed to be those customers who think running something called "PGP" magically makes them secure.
 

Posted at 09:21 AM     Permalink  

Wed - July 19, 2006

PGP For Intel Macs 


PGP just released a beta version of PGP 9.5 that has universal binary support. I used to use PGP back in the day on Windows, but didn't really keep up with it, eventually moving on to GnuPG for my encryption needs. However, after seeing the note about this new release, I thought I'd give them another shot. I always loved their nice key management (something GnuPG doesn't have a great front end for at the moment.)

I was browsing through their user's manual while downloading, and came across a paragraph titled "Memory Static Ion Migration Protection" in the "Special Security Precautions Taken by PGP Desktop" section. This thing goes on about how an attacker could theoretically retrieve key or passphrase information from your machine's memory - after it's already been turned off - by reading the static charge left over from memory that has had the same information stored for long periods. This is some deep stuff here, and they go on about how they help to protect you against this remotest of possibilities. Cool stuff.

So the download finishes, and I install the thing, import my keys from GnuPG, and go to send an email, and realize that they've done away with the plugin model for mail, instead relying on a network proxy that intercepts mail and encrypts and decrypts it automatically, based on rules you set up. This works similarly to their Universal Server product. So now Mail.app (and any other mail client) sends mail to the proxy, where PGP will encrypt it. On the other side of things, incoming encrypted mail is automagically decrypted and then handed to the email client. Works OK (though with some pain trying to get everything set right.)

Then I realized that all the encrypted and signed email that I'd be receiving, would now be stored in PLAINTEXT in my freaking email folders, on a public IMAP server. In addition, there doesn't even seem to be a way to turn this off or any alternate mechanism aside from not using the email proxy portion of the product. This breaks about 90% of the functionality that I use PGP for.

Without storing the encrypted/signed version of incoming mail, I can no longer guarantee that someone hasn't messed with it on the server. All that's left is some text pasted at the top of the mail that says it was signed and verified at some point. No indication of what that may have been, of course. At that point, someone could just as easily change the contents to whatever they like, completely bypassing any security that at one time existed.

This also goes for sent mail - it's no longer stored in your sent folder encrypted - it's sitting there in plaintext too. Still worse, there's no indication of what you did to the email when you sent it. Did I encrypt it? Sign it? Who knows now - that information is gone now that we're not storing the encrypted/signed copy of the message.

And still worse, someone could easily - MUCH TOO EASILY - forge a message that now looks like it's been verified by the proxy, when it has, in fact, done no such thing.

They do still have a legacy mail plugin that permits decryption of older emails that you may have received and didn't pass through the digestive tract of their new product. But get this - on the message boards someone was complaining that the plugin didn't successfully decrypt messages from certain people. The response? "Oh, that plugin only works with some message types. Use the proxy."

What a junker.

Yes, they protect you from some arcane attack that requires an electron microscope and a clean room to make work, but they'll happily decrypt and store your email in the most unsafe way possible. What in the world were they thinking? This isn't even limited to the new Mac product apparently - this is an across the board product line change that screws everyone. 

Posted at 01:30 PM     Permalink  
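An added example, not part of the original posts and not PGP's code: a structural check in Python that tells whether a stored or outbound message still carries its PGP envelope (PGP/MIME or inline armor) or is plain text with at most a text annotation. It covers both the plaintext-storage problem in the July 19 post and the fail-open proxy in the July 20 post; the sample messages, the annotation wording and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy

# PGP/MIME containers (RFC 3156), keyed by (content type, protocol parameter).
PGP_MIME = {
    ("multipart/signed", "application/pgp-signature"): "pgp-mime-signed",
    ("multipart/encrypted", "application/pgp-encrypted"): "pgp-mime-encrypted",
}
# Inline ASCII-armor header lines.
ARMOR = {
    "-----BEGIN PGP SIGNED MESSAGE-----": "inline-signed",
    "-----BEGIN PGP MESSAGE-----": "inline-encrypted",
}


def classify(raw: bytes) -> str:
    """Report which PGP envelope, if any, a message still carries.

    Structural only: a result other than 'unprotected' means the message can
    be re-verified or decrypted with gpg later, not that the signature is
    valid. Text that merely claims verification counts for nothing.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    proto = str(msg.get_param("protocol") or "").lower()
    kind = PGP_MIME.get((msg.get_content_type(), proto))
    if kind:
        return kind
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for line in part.get_content().splitlines():
            if line.strip() in ARMOR:
                return ARMOR[line.strip()]
    return "unprotected"


def unverifiable(folder: dict) -> list:
    """Audit a mail folder: names of messages with no envelope left to check."""
    return sorted(n for n, raw in folder.items() if classify(raw) == "unprotected")


def release_outbound(raw: bytes) -> bool:
    """Fail-closed gate for a hypothetical last-hop relay hook: refuse plaintext."""
    return classify(raw) != "unprotected"


def _mail(content_type: str, body: str) -> bytes:
    head = ("From: alice@example.org\nTo: bob@example.org\n"
            "Subject: constructed sample\nMIME-Version: 1.0\n"
            f"Content-Type: {content_type}\n\n")
    return (head + body).encode("ascii")


# Constructed sample messages; the annotation line and armor bodies are placeholders.
SAMPLES = {
    "proxy-annotated": _mail(
        "text/plain; charset=us-ascii",
        "* Message was signed and verified (constructed annotation) *\n"
        "Revenue is up.\n"),
    "pgp-mime-signed": _mail(
        'multipart/signed; micalg=pgp-sha1; '
        'protocol="application/pgp-signature"; boundary="b1"',
        "--b1\nContent-Type: text/plain\n\nRevenue is up.\n"
        "--b1\nContent-Type: application/pgp-signature\n\n"
        "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
        "-----END PGP SIGNATURE-----\n--b1--\n"),
    "inline-encrypted": _mail(
        "text/plain; charset=us-ascii",
        "-----BEGIN PGP MESSAGE-----\n\n(constructed placeholder)\n"
        "-----END PGP MESSAGE-----\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} stored as {classify(raw):18} "
              f"release outbound: {release_outbound(raw)}")
    print("nothing left to verify:", unverifiable(SAMPLES))
```
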

Tue - April 25, 2006

Free SubEthaEdit Licenses? 


Well, maybe - in any case, they're cheaper than the normal $30. BLOGZOT 2.0 on MacZOT.com has SubEthaEdit from CodingMonkeys up as their subject for today. The price basically keeps dropping by a nickel each time someone blogs about it (like this!) or until 3000 copies are sold. If it gets to be free, so much the better! All the bloggers get theirs at no cost. Boo-ya. This amounts to MacZot and the Coding Monkeys giving away $105,000 in free software.

If you're not familiar with SubEthaEdit you're really missing out. It's got the best collaborative writing system in existence, as well as being just a plain nice editor. If you've never taken conference notes with five other people doing the same in the same document, you haven't lived.

Check it out and get yours for cheap.
 

Posted at 03:35 PM     Permalink  

Tue - April 11, 2006

New MacBook Pro 


I've now fully converted to running everything on my new MacBook Pro. A few points:

1. Rosetta RULES: I can't believe how seamless and fast it is. I can run Quake 3 (ok, not the most recent thing, but still!) full screen with all options turned on, and I can't tell the difference from my 1.67 G4 PB. I want to run some FPS benchmarks to see what kind of penalty I'm getting.

2. World of Warcraft: 80 FPS with most graphics options turned on. Enough said.

3. You need 2GB of RAM. Period. Don't even think of running without it.

More in the coming days. 

Posted at 11:47 AM     Permalink  

Wed - August 24, 2005

Textpander Rules 


Ever use TypeIt4Me? This utility has been around for ages. Basically it allows you to type abbreviations which are then expanded into full words, phrases, etc. So instead of typing your full email signature, you might just type fsig. You could even have the cursor repositioned in the middle of the expanded text with a little work. Nice time saver. Unfortunately, TypeIt4Me never really caught on with me - it was too slow, and I found myself pausing while it expanded stuff and moved the cursor around. If you typed while it was doing this, either the characters would be ignored or they would get stuck in the wrong places. Very annoying for me.

But along comes Textpander. This thing does what TypeIt4Me does and a whole hell of a lot more. It's blazing fast. Text is expanded and the cursor positioned instantly. No delay, no stray characters. Once you start using it, it just fits right in with your normal typing. And get this - you can include images as well. Want a nice signature on your documents? Just drop in an image along with your text and you're good to go.

And did I mention it's free? Well, the developer asks for donations via Paypal. I'm going to kick him a few bucks for this thing. It fixes all the problems of TypeIt4Me and does it with style.

Link to Textpander. 

Posted at 10:47 AM     Permalink  

Wed - March 16, 2005

Why QuickSilver Sucks 


I've always loved keyboard shortcuts. Using the mouse for me is a last resort in most cases. To that end, I've used two "small" utilities that help me navigate the huge number of files and applications that I use on a daily basis. I started by using LaunchBar v3, a commercial application that you can call up with a HotKey (usually Command-Space) and enter an abbreviated name, hit Enter and launch or switch to an app, open a document, Finder folder, etc. Cost me $20, but it worked great.

Along comes the new kid on the block: Quicksilver. It has a lot going for it, including some great graphical stylings, a very nice plugin architecture, and best of all: it is free. It works pretty much like LaunchBar, except it includes some new tricks. Use an abbreviation to find a document, right arrow and select mail and it dumps it in as an attachment to your favorite mailer. Nice. It has tons of stuff like this built in. So I switched. And I used it for months. Slowly, however, I discovered its dark side: Slow and a memory pig.

I was getting irritated: My machine was running slower, I was swapping: I wanted to launch Activity Monitor to see what craptastic app was killing me. I hit Command-Space, and after a slight pause, up popped QuickSilver, and I started typing actm, my custom shortcut for the aforementioned Activity Monitor. Unfortunately, QS was responding so freaking slowly searching for what I wanted, the pause between the t and m resulted in yet another search for something starting with an "m", which gave me some random Word document and a whole instance of MS Word running. This is the first of the two failings with QS: searching, even under ideal conditions (on a 1.67GHz PowerBook) is ridiculously slow. I found that I was adapting my typing speed to accommodate the poor performance of QS.

When I finally did get Activity Monitor running, I discovered the second of QS's failings: It was using more memory than ANYTHING ELSE IN THE SYSTEM, INCLUDING PHOTOSHOP. It had over 160MB of resident RAM tied up. Not shared - this is specific to this app. That was 16% of my system RAM dedicated to slowly searching for documents. This pissed me off even more.

I went and downloaded the newest version of LaunchBar, 4.01. Installed it, and indexed everything. It searches instantly. When you type, it reacts. No lag, even under severe conditions. Yes, it doesn't do everything that QS does - but who the fuck cares? After running for a whole day, memory usage was a reasonable resident 40MB. It still finds what I need right when I type, and I don't have to screw around waiting for a "utility" to respond to my keystrokes. Yes - I paid the $9.95 upgrade fee.

The author of QS would do well to spend a little time optimizing the search functions of his app. Something is slowing it to a crawl (I even removed all the plugins to see if it helped) and get rid of the massive memory leaks. Spend time doing this instead of adding new incremental near-useless features. If I have to baby-sit a utility, it isn't a utility.


 

Posted at 11:30 AM     Permalink  

Thu - March 3, 2005

Nice AMS Demo 


Rotating PowerBook
I just recently bought a new PowerBook. One of the new features Apple stuck in these new beasts is what they are calling AMS - the Apple Motion Sensor. Basically it appears to be some sort of accelerometer that can measure sudden changes in movement and automagically park the hard drive heads before something bad happens (like hitting the floor.)

However, it appears that it can also measure the attitude of your machine. That is, it can tell how "tilted" a machine is in all three axes. It uses this to unpark the heads when the machine returns to being level. It also can be used to do some really cool stuff, as this web site demonstrates. On this page, Amit Singh gives us some programs that retrieve the sensor values and do some cool things.

One is a small window with an OpenGL-rendered PB that rotates in conjunction with your rotating the physical machine. Very, very cool stuff. Another is a bicycle wheel in a window. When the PB tilts, the window itself rotates to keep it level relative to your (physical) desktop. If you have one of these new PowerBooks, download the samples - there is some cool stuff there to show your friends.

Posted at 02:22 PM     Permalink  

Mon - February 28, 2005

More T-Mobile Details 


Wired currently has an article that details what exactly was the fault of the T-Mobile system, at least for some of the crackers - a quite common application called WebLogic. In 2003, a vulnerability was found that would allow someone to read and write arbitrary files. A patch was immediately issued, but apparently no one at T-Mobile cared to actually apply it.

And so it goes. A cracker had access to complete customer records, SS numbers, the whole schmear, because someone didn't pay attention to patches coming from their vendors. This is probably a good indicator of the pervasiveness of this problem however. If a large company with a (presumably) huge IT department running their systems can miss this, I wonder how many more open systems there are out there. With your data on it. Just waiting to be cracked.
 

Posted at 09:16 AM     Permalink  

Sun - February 27, 2005

New PowerBook 


So I finally gave in to the marketing hype and went and got myself a brand new 15" PowerBook to replace my aging 1 GHz TiBook from a couple of years ago. It was still working well, but with no 802.11g and other niceties, it was time to move. I settled on the fully loaded 15" w/superdrive, maxed memory (2 GB) and large hard drive. I skipped on the 128MB of VRAM and dual link DVI. Despite being a factory-only option, I really can't see myself needing the ability to hook up to a 30" flatscreen in the near future.

So I went over to the nearest Apple store that had stock (in Denver) and plopped down some cash and walked out with an expensive black box. When I got home, I had the best computer upgrade experience ever. That migration tool that Apple now includes during setup completely rocks. It got all my apps and data - everything, moved over and completely running with only two exceptions - Stuffit needed reinstalling (and it even warned me that I had to do that step) and I had to reinstall the dev kit. Completely painless - I was up and fully running with all my stuff in under three hours - including the transfer of 69GB of data over firewire. Brilliant.

Posted at 01:46 AM     Permalink  

Tue - February 22, 2005

Popups/unders Getting Through Blockers 


New "technology" from the advertising depths of hell was released in the wild over the past couple of weeks. You know that nice shiny pop-up blocker installed in your browser? Doesn't work anymore. Some troll selling ad space has come up with some Javascript that bypasses most of these filters resulting in - once again - a painful browsing experience.

Basic pop-up blockers work on the principle that pop-up windows aren't allowed, unless they are the result of your clicking. That is, unless you initiate an action (by clicking on a link/button) pop-up windows aren't allowed to be displayed. Well, through some ingenious trickery that will surely land the mystery-author in hell to be ripped apart by HTML <blink> tags for all eternity, it appears that they are now adding onclick handlers to some (or all) links so that when you click on something, ads appear. Quite simple in theory - but annoying in practice. What's more, they are doing this dynamically - a banner ad is navigating the DOM tree and adding these handlers - so that even if the original page doesn't have these "features", they get added by an advertiser.

I want to know who these assholes are. Why do they think that we somehow want to view their crappy little ads for casinos, herbal Viagra, and whatever product-of-moment they're hawking? I purposefully block these ads because they are annoying, as do many people. Why would I suddenly want to purchase their junk? Especially when they are annoying the piss out of me with their chosen advertising method.

These jerks should rot in hell. In my opinion, they are no better than spammers - they screw around finding loopholes to annoy people, in the hopes that enough gullible morons buy their junk to make it worthwhile. The difference is that seemingly reputable companies are being advertised here. For one, NetFlix seems to pop-up (literally!) a lot. I'm never going back to their service because of this. They have control over how they are advertising, and they don't seem to mind that the services they are using are only one step above the spam I get in my inbox every day. So bye bye NetFlix.

There are some workarounds for certain browsers. For Firefox/Mozilla, there are plugins that work on whitelisting and regex blocking of suspicious code and known offenders. Unfortunately, this means going back to the bad old days of maintaining these things, but that may be where we're headed.

Link to MacFixit.com article about this. Good place for links to more information.
Link to Slashdot article. 

Posted at 10:01 AM     Permalink  

Fri - January 28, 2005

More PowerBook G5 Rumors 


MacRumors.com has posted an update to the G5 PowerBook rumor. I'd previously dismissed this as completely unfounded - that it was just a simple typo on a web bug. But according to this update, the French page for the Apple 17" Studio Display shows the PowerBook G5 with DVI connector as a requirement for use.

Could be another typo. Could be the real deal. Previous rumors have placed G4 PowerBook updates sometime next week. Could we be really surprised? I still am not holding my breath. But still...  

Posted at 08:34 PM     Permalink  

Thu - January 27, 2005

A G5 PowerBook?  


Oh, please let this be true. I've been waiting for new revisions before replacing my aging (but still going strong!) G4...

Link to some Slashdot commenting.

Update: As someone on Slashdot has pointed out, this was probably just a typo - the fact that there was a web bug with the name g5_powerbook on the view-tracking site doesn't mean much: any URL will do, it always just returns a 1x1 GIF for tracking purposes. So someone, when updating the Apple site probably just fat-fingered the name. Oh well - I'm still hoping for some sort of update - even if it's just a faster G4.
 

Posted at 12:31 PM     Permalink  

Thu - January 13, 2005

Motley Fool Take on the Mac Mini 


Check out this article by Seth Jayson at The Fool. In the intro to the article he claims that Steve Jobs and Apple have officially jumped the shark with the introduction of the iPod Shuffle and the Mac Mini. Now, coming from a straight stock analysis viewpoint, it's hard to argue: Apple is ridiculously overpriced both before and after MacWorld 2005. Anyone considering a purchase would do well to smack their head against the wall repeatedly.

However, after some cogent monetary analysis, he veers off into hazardous territory for even tech stock analysts: Real technical evaluation of a product. Here, he comes up way short:
The Mac Mini -- I'm pretty sure Minimac is something you get from Kraft -- is a cute little device. Yes, it cribs mercilessly from PC-based mini-ITX designs that have been around for over a year now, but it does put low-end Mac guts into a smaller, stylish little Mac package.
Well, let's forget for the moment that not only is it ridiculously smaller than nearly all mini-ITX machines out there, it's also for the most part cheaper - especially once you consider the thing has a 40GB drive and a slick slot loading DVD player/CD-RW built in. He goes on to say:
Mac fans who've been sipping Steve's Kool-Aid have often claimed that price -- in addition to various Microsoft (Nasdaq: MSFT) conspiracies -- is the only thing keeping the masses from switching to their favorite brand, but take heed. Even if that were true, a quick online check shows you can get a comparable, full Dell (Nasdaq: DELL) system for $450.
Comparable? While puffing on the crack pipe, Seth seems to have forgotten that his $450 Dell is:
  • In a full tower case
  • Doesn't come with photo and video editing software (iPhoto and iMovie)
  • Doesn't have a complete office suite (Appleworks)
  • Doesn't have a functional browser (Safari - no, IE doesn't count)
  • Missing email with full SPAM filtering.
  • Comes with XP home
This last point, the OS, is probably the best thing that sells the Mac Mini the most besides the price. Sure, if this were a PC for $500 running XP, it wouldn't be worth a damn. But when you have an OS that actually doesn't require some poor sod to spend hours fixing his parents' computer every few weeks, that's worth something, and apparently is totally lost on Seth. He completely misses the boat on who this thing is targeted towards: those that were thinking of switching, but price was a factor; for those who already have machines, that this could be a viable drop-in replacement. He dismisses this with one quick brain-dead sentence: "I think it's ludicrous to expect that someone buying a Mac -- and looking for Apple style, after all -- is going to want to plug in a pizza-stained, three-year-old keyboard and a mouse chock full of desk scum."

It's not about simply style, you moron - as a programmer and R&D manager, I switched two years ago because I can do things with my machines instead of spending countless hours keeping the machines themselves functional. It's about getting things done, period. If there's some style there, big bonus.

Well, we'll have to see how the Mac Mini fares - by all accounts, Apple is selling a zillion of the things and they're already backordered for weeks. Seth, stick to stock analysis. Without some sort of lame-ass insight-less product "review", you can convince people to not buy Apple stock. I mean Seth - don't buy Apple stock because they came out with some new long-awaited products. Buy the products instead. You'll be much happier.

Posted at 02:21 PM     Permalink  

Tue - January 11, 2005

Mac Mini 


Mac Mini Front
I'm sure you've all heard the low down on Apple's new Mac Mini, but I can't help but spout off about it some more myself. The thing will, I predict, be the killer piece of hardware for the Mac line - they're going to sell piles of these things. I mean, the thing is the same price as a high-end iPod! Everyone has always complained that Apples were too expensive, even the low end eMac with its built-in CRT was too much when you could pick up a cheap white box PC for 300 bucks and use your existing peripherals.

Well, now, those people for whom Macs were too much can quit complaining. For $499, you can get yourself a nicely configured basic Mac with all the productivity apps for the basic user, including the newly announced iLife '05 suite, email, browser, Quicken '05, and even the venerable AppleWorks. Use your old keyboard, mouse, and monitor and ditch that old spyware-laden Windows POS and get yourself a piece of heaven.

Plus the thing is positively dinky. 6.5 inches square, two inches tall and weighs less than three pounds. Smaller even than the cult-status Apple Cube from way back when. This thing is sized more like a peripheral than a whole machine. Hell, I have external DVD drives that are far larger. And this one comes with one built in. (You can even add on a Superdrive DVD burner for some extra cabbage.)

Now my parents don't have an excuse not to get rid of the half-broken down machine they're limping around on.

Plus: doesn't that thing look damn sexy? 

Posted at 05:04 PM     Permalink  

Fri - December 24, 2004

Acrobat Reader 7.0 Released 


Adobe has released Acrobat Reader 7.0. Included in this version is something that was lacking from the Mac for quite some time: An official browser plugin for viewing PDFs. Unlike the ridiculously priced ($69 - are they on crack??) PDF Browser Plugin, this one is official and allows basically all viewer functionality. This includes the newly-added ability to fill in and print/save PDF forms - something that was previously only available with the full version of Acrobat.

Something else you might find interesting - the load time has been dramatically reduced - it's almost usable now as a day-to-day reader of PDFs. Something that wasn't possible before. It's not as fast as Preview, but much, much better. 

Posted at 11:26 PM     Permalink  














