TidBITS#441/03-Aug-98 ===================== Want to control a PC? Read on for Kevin Savetz's review of VNC, a free remote control program. Want to protect credit card numbers and passwords? Adam looks at Web Confidential, a secure program for storing private information. Also, James Wilson relates how to place international phone calls from the Internet to normal telephones, and Geoff Duncan explains the hullabaloo surrounding security holes with email attachments. Topics: MailBITS/03-Aug-98 Security Issue with Email Attachments Internet Telephony: Worldwide Phone Calls from Your Mac Web Confidential: Securing Information of All Sorts A Free Program for Control Freaks Copyright 1998 TidBITS Electronic Publishing. All rights reserved. Information: Comments: --------------------------------------------------------------- This issue of TidBITS sponsored in part by: * APS Technologies -- 800/443-4199 -- -- How do you back up your APS hard disks? Try APS tape, removable, magneto-optical, and CD-R drives! * Northwest Nexus -- 1 888-NWNEXUS -- Internet business solutions throughout the Pacific Northwest. * Small Dog Electronics -- Special Deal for TidBITS Readers! MS Office 98 & 4.2.1, Grolier's, Blockbuster, and Dogs: $299! UMAX Astra 610s (refurb) flatbed scanner (Mac/PC software): $79 For Details: -- 802/496-7171 * Cyberian Outpost -- the Cool Place to Shop for Computer Stuff! <- NEW! PowerBook G3s starting at $2197; RAM, ZIP & DVD expansion too! Order online or call 860/927-2050 x228 * TERRY MORSE MYRMIDON Turns any Mac file into a Web page with one click! QuarkXPress, PageMaker, FreeHand, FileMaker Pro -- anything. FREE DEMO --> <-- FREE DEMO --------------------------------------------------------------- MailBITS/03-Aug-98 ------------------ **Tilery 4.0.1 Released** -- Rick Holzgrafe of Semicolon Software has released The Tilery 4.0.1, a maintenance release of his $15 shareware desktop launcher utility (see "The Tilery 4.0 Squares Off" in TidBITS-437_). Bug fixes solve crashes that could occur when using Desktop Printing and when selecting a new target for a damaged folder tile. In addition, users can now keep more than one application visible even when the Always Hide Others feature is enabled. The Tilery 4.0.1 is free to registered users of 4.0 and is a 427K download. [ACE] **Where Credit Is Due** -- Last week in "TidBITS Talk and the TidBITS Talk Archive" in TidBITS-440_, I mentioned "borrowing" an idea for a frame-based interface from a Web interface to a now- defunct discussion archive of the Frontier-Talk mailing list, developed by Acorn Software. It turns out the frame-based interface was originally developed by Kyle Jessup of Blue World Communications, makers of Lasso, the product we use to tie our FileMaker-based solution to the Web. [GD] **Conflict Catcher Rebate Update** -- Back in "Macworld Expo NYC Superlatives" in TidBITS-438_ we wrote that Casady & Greene's Conflict Catcher 8.0 will cost $79.95 when it ships in early September and will include a $30 rebate. That's true, but the rebate, good through 01-Jan-99, applies only to previous owners of Conflict Catcher - essentially providing a discount for those who upgrade. Our apologies for any confusion. [ACE] Security Issue with Email Attachments ------------------------------------- by Geoff Duncan A recent CIAC security advisory identifies a potentially dangerous flaw involving email clients processing MIME attachments with unusually long file names (more than 200 characters). The problem, primarily affecting Windows versions of Microsoft Outlook, Outlook Express, and Netscape Messenger, could cause a buffer overflow that could crash the email client or potentially cause code to execute on the client's system, even if the user does not attempt to open the message or the attachment. Microsoft and Netscape have issued security advisories for their products, along with patches for the Windows versions of their software. Historically, the way to take advantage of a buffer overflow is to craft the precise binary data that will get past the target program's bounds checking, then somehow cause that data to be executed as if it were code. If an email program were susceptible to this problem and encountered a message designed to exploit it, the most likely result would be a crash. (There's nothing new about email programs crashing while processing badly formatted messages.) To execute malicious code, the extraneous data must be designed to target a particular email program running on a particular operating system, so a Mac running Eudora would be immune to a message designed to execute code on a Pentium-based system running Windows 98 and Outlook Express. To date, there are _no_ known instances of this code-execution vulnerability being exploited. The general alarm about this problem stems from the wide deployment of potentially vulnerable Windows-based clients from Microsoft and Netscape. In addition, even if the code-execution vulnerability turns out to be purely theoretical, the discovery of a reproducible way of crashing numerous copies of heavily used email programs is concerning. Even though patches to those programs are available now, it will take several months for a substantial portion of the user base to upgrade, and for commercial products to ship with corrected versions. Users of Microsoft Outlook Express for the Mac version 4.0, and version 4.0.1 with build numbers less than 297 (choose About Outlook Express from the Apple menu to see the build number of your copy) can download a 2.2 MB update from Microsoft to correct any potential vulnerability. Qualcomm confirms that current versions of Eudora Pro and Light for Macintosh and Windows are not susceptible to this problem; according to Netscape, no Macintosh versions of Netscape mail software are compromised. Bare Bones Software's Mailsmith also does not suffer a security risk from this problem. We don't have any information about Emailer, but, again, the potential vulnerability is extremely low. Internet Telephony: Worldwide Phone Calls from Your Mac ------------------------------------------------------- by James Wilson I still recall the arrival of my parents' first telephone a few decades ago - a ponderous object cast from the best of British brown Bakelite, it often seemed to hick and snicker rather than ring. However, it worked and suddenly the country became smaller and my family nearer. Luckily, both technology and I have moved on. I now spend most of my life in distant parts of the world, wondering how things are at home and inevitably confronted with wallet-emptying phone bills when it's time to find out. My recent discovery that it's possible to make Internet-based phone calls to normal telephones anywhere in the world sent me into a flurry of activity. After some work, I've finally been able to make a usable system work for a reasonable cost. The first important fact to note about Internet phone calls is that, unless you talk from one computer to another, they are _not_ free. Even so, they are _cheap_, especially for the likes of myself whilst in more distant corners of the world. By now your questions must be bubbling to the surface. How does it work? What must you do? How much does it cost? How well does it work? **Software & Service** -- VocalTec recently released Internet Phone version 3.5 for the Mac, featuring the capability to make phone calls from the Internet to the normal phone network. The program also enables you to talk directly to other users of the VocalTec's software who happen to be online at the same time - regardless of the type of computer they have. To use Internet Phone 3.5 you must have a PowerPC-based Macintosh (at least an 80 MHz PowerPC 601 CPU, or a 120 MHz PowerPC 603 or 604), Mac OS 7.6.1 or higher, at least 16 MB of RAM, an external PlainTalk microphone (even if your Mac has one built in), and preferably a set of headphones. (Internet Phone 3.1 is available for 68040-based Macs, but as far as I am aware it is only capable of calls between computers.) Internet Phone 3.5 is available as a free, time-limited download from VocalTec; after 14 days its functionality decreases unless you purchase a full license for $50. It takes more than just Internet Phone to make calls. VocalTec only writes the software; telephony services come from dedicated ITSPs (Internet Telephone Service Providers) who take your call from the Internet, connect you to the phone number you requested, and charge you (life's like that!). VocalTec has partnership agreements with a small selection of ITSP companies such as Delta Three, all of whom can be easily contacted through VocalTec's Web pages. Do some research before opening an account with an ITSP to make sure that they are the cheapest for the areas you expect to call. Prices vary between 10 and 15 percent among ITSPs, and some provide access only to limited geographic areas. Delta Three is global and through them it should be possible to call any telephone in the world. Opening an account with an ITSP (it must be prepaid with a credit card) provides you with a validation code for your copy of Internet Phone. **The Benefits of Patience** -- How well does Internet Phone work? Although VocalTec claims Internet Phone is compatible with virtual memory, "compatible" must be loosely defined since, in my experience, the person you call can't hear anything sounding remotely human if you use virtual memory. It's also a good idea to disable all extensions and control panels that can monitor your Mac's modem port, such as Global Village's GlobalFax and TelePort software. You must also be absolutely certain that the computer is listening to the microphone - Mac OS 8.1 seems to switch away from an external microphone at every opportunity. After all that, making a call is a simple as making a PPP connection, launching Internet Phone, filling in the recipient's phone number, clicking the call button, and being patient. The patience part is important: although sound quality is quite acceptable, there is a huge time lag in the system (probably only a second or so, but it seems like ages) reminiscent of a 1960's international phone call. The lag could be due to my distant calling location (Mozambique, in eastern Africa) - more localized calls (between the United States and the United Kingdom, for instance) might be significantly better. Once you have the hang of it, the system is certainly adequate for keeping in touch, though it wouldn't be up to serious business usage. Call quality, as expected, depends on Internet traffic and the country you try to contact; I have had good connections to the U.S. and the U.K., and Japan was reasonable, but Kenya was difficult, and India might as well have been on Mars. **The Costs of Conversation** -- Now the important bit: how much does it actually cost? Although the cost of Internet phone calls varies according to destination country and ITSP, you'll typically find per-minute charges in the neighborhood of: U.S. $0.13, U.K. $0.16, Japan $0.27, Australia $0.20, and Russia (Moscow) $0.27. Call charges are _not_ affected by where you call from, since all calls originate on the Internet. I'm unfamiliar with standard international call charges in the U.S., but I guess that for U.S. residents these rates may not be significantly below normal; however, for people further afield, these represent serious savings. From my current location in Mozambique, the normal charge to call the U.K. or U.S. is about $4 per minute. Using the Internet, I was recently endured a grueling 21-minute wait on Apple's U.S. technical assistance line without too much pain or financial suffering... but that's another story. [James Wilson is an errant fisheries economist. He is particularly interested in hearing from anyone who can get a G3 PowerBook modem to pulse dial.] Web Confidential: Securing Information of All Sorts --------------------------------------------------- by Adam C. Engst Back in TidBITS-279_ in May of 1995, I wrote "PowerTalk to the Rescue?", an article about how we needed the PowerTalk Keychain to help with authenticated Web sites. The good news is that the Keychain will return in a future version of the Mac OS for AppleShare and Internet passwords; however, better news is that those who don't want to wait, or who want a solution to storing sensitive information that will integrate with the Keychain, can now check out Alco Blom's $25 shareware Web Confidential 1.0.1. Despite the name, Web Confidential provides a mechanism for storing not only Web-related information, but also any confidential data, including user IDs and passwords, for a wide variety of general-purpose situations. Alco also makes the powerful bookmark utility URL Manager Pro, and it's no surprise Web Confidential works together with URL Manager Pro at every opportunity. **Confidential Cards** -- Web Confidential's interface resembles nothing so much as a HyperCard stack with simple, four-field cards holding information in different categories. The fields change by category, so a Web page card has name, home page, user ID, and password fields, whereas a credit card card has name, expiration date, number, and PIN code fields. A disclosure triangle provides a fifth field for notes. Next to the first field is the arrowhead-shaped pop-up navigation menu, which provides access to cards in that category. A checkmark pop-up menu enables you to control attributes for that card, and an eyeglasses icon next to the password field displays the password in a help balloon when you mouse over it. Since passwords appear as bullets in the password field (to prevent over-the- shoulder spying), the eyeglasses icon is a great reminder or typing check. It's also a security problem if you leave your file open when you're not at your computer, so be sure to close the file when you're not using it. An option in the next version will lock the file after a certain amount of inactivity. You switch between categories via a pop-up menu, and each category can have multiple cards. Arrow buttons help you navigate through the cards in each category. Categories include: * WWW Pages * FTP Servers * Newsgroups * Email Contacts * Login Accounts * POP Accounts * Bank Accounts * Software Keys * Credit Cards * ATM/PIN Cards * Personal Data * Serial Numbers * Membership Numbers * Password Manager A toolbar at the top of the window provides buttons for switching to other Internet applications, opening URLs, copying the current password, finding cards, changing your encryption key, saving, and adding and deleting cards. Menus duplicate these functions and add a few, such as sorting, moving to the first and last card in a category, and providing access to a few preferences. **Military Menus** -- While the Web Confidential application is running, it makes additional functionality available through three menus shared with applications that support menu sharing, such as Internet Explorer, Netscape Navigator, Eudora, Fetch, and Anarchie. * The Diamond menu mainly enables you to create a Web page card in Web Confidential using the current URL. Other menu items enable switching between various applications and refresh the shared menus with changes made in the Web Confidential application. * The Key/Lock menu provides access to cards that make sense in the appropriate application. So, if you're in a Web browser, the names of your Web page cards appear, whereas if you're in an FTP program, the Key/Lock menu contains the names of your FTP server cards. Choosing one sends you to that page or server and authenticates your user ID. * The Eyeglasses menu lists the names of cards from the Password Manager category, which provides details for Web pages that use forms for authentication or for any other password you want accessible in applications that support menu sharing. Choosing one of these items displays information from that item's card, plus provides commands to copy the password, and (for users of Internet Explorer 4.01) to enter information in user ID and password form fields - these commands may not work with all pages. **Extreme Encryption** -- So far I've described a simple flat file database with some nice features to improve usability. In fact, that's all Web Confidential is, well designed though it may be, and if you've kept a HyperCard stack, FileMaker database, or even text file of user IDs and passwords, you've duplicated much of Web Confidential's basic functionality. What sets Web Confidential apart from your efforts (and mine), is that it encrypts its files with the extremely secure Blowfish algorithm, or, optionally, PGP. The program notes that a computer that could test one million keys per second could require up to 7,000 years to guess a 10-character key by brute force. **Declassified Documentation** -- Although Web Confidential is easy to use, Alco deserves credit for working with writer Colin Brace to create an excellent manual. It comes in PDF format, and although it's designed to be printed, it works well on screen, thanks to search capabilities and many bookmarks to main headings. The manual provides background information, a getting started tutorial, and a reference section that includes a list of all command key shortcuts. It's one of the best shareware manuals I've seen, and my main suggestion would be to add a section explaining the different categories and offering suggestions for how to use the more general categories; for instance, I occasionally need Tonya's social security number, and it's a perfect item to put into a Personal Data card. Useful balloon help is available for most, though not all of Web Confidential's interface elements, although it gets a little confused within some of the dialog boxes. Concise online help is also available for both the Key/Lock menu and the Eyeglasses menu. **No Longer Top Secret** -- So, if you're looking for a secure repository for all sorts of sensitive information, you owe it to yourself to give Web Confidential a try. The program is fully functional for the first 30 days, but if you don't pay your $25 shareware fee, after 30 days you lose the capability to add new cards, plus you can't enable encryption (although previously encrypted files remain encrypted), which seems like a reasonable way to hobble it for evaluation purposes. Overall, Web Confidential is easy to use, secure, and, for Internet applications, well-integrated. Tune in next week for a cautionary tale of why I'll use Web Confidential seriously in the future. A Free Program for Control Freaks --------------------------------- by Kevin Savetz I walked into my office and was flabbergasted. My buddy Mitch, visiting from out of town, had been working at my Mac for a few minutes. When I saw the screen, I did a double-take. On my Mac's screen was a window that showed not the familiar Mac icons, but a Windows NT desktop. It was, in fact, the desktop of Mitch's computer some 350 miles away. Mitch was able to control his computer - running programs, switching between them, mousing around and typing commands - from my Mac. Because my jaw hadn't quite touched the floor yet, he accessed another computer running Linux: an X desktop appeared on the screen. The magic was due to a new tool called Virtual Network Computing (VNC) from ORL, the Olivetti and Oracle Research Lab. VNC is a free program that enables you to control an Internet-connected computer from anywhere else on the Internet. Remote control software isn't new. Netopia's Timbuktu Pro has long been the standard for Mac users, and additional remote control programs exist for other platforms. The main difference is that VNC is totally free, whereas Timbuktu costs somewhere around $50 per machine. There are two parts to VNC: the server, which runs on the computer that you want to access remotely; and the client, which creates your window to the remote computer. The server and client computers can be across the room or across an ocean, as long as both have an Internet connection. The server and client computers don't need to be running the same operating system. Server and client software are available for Windows 95/98 and NT, Linux, Solaris, and DEC Alphas. Clients are also available for Macintosh, Java, Windows CE, PalmPilot(!) and a handful of other platforms, some contributed by other programmers. Since there's no Mac server (one is planned but the makers of VNC have not committed to a release date) you can't access your desktop Mac while on the road. The Mac client is a fat binary that requires Mac OS 7.1 or greater, the Thread Manager, and either Open Transport 1.1.1 or later or MacTCP. VNC servers are protected by passwords, so make them good, because they're all that stands between complete access to that machine and free access by every would-be cracker. In general, when thinking of good passwords, make them relatively long, and use uppercase and lowercase letters, numbers, and punctuation. A hint: try using the first letter in each word of a memorable phrase for your password. "Frosty the snowman was a jolly happy soul" might become "FTSwajhs!" When you connect to a VNC server by entering its IP number, a colon, and a session number (i.e. 127.0.0.1:0), you're prompted for a password, and once you enter it, you're controlling the other machine. VNC is stateless, making it easy to pick up work from just about any other machine with an Internet connection. You can be typing a sentence at your office computer, hop on a plane to Rio, log in with your PowerBook and type the rest of the sentence on the office machine. This assumes, of course, that you've installed the VNC server on your office computer, and that it's turned on and connected to the Internet with a known IP number. **Speed Demons** - Using VNC isn't quite like being there. The chief difference is speed of screen updates. Every time something on the remote computer's screen changes, the VNC server must send that information to the client computer. When it sends lots of screen changes, especially over a slow connection, the result is a sluggish interface. VNC works well with programs that display windows that don't change quickly - word processors, command line windows, even Web browsers work well. But, neither VNC nor other remote control software can keep up with fast-changing screens from games and screensavers. The speed of the Internet connection of both computers is the biggest factor that affect's VNC's usability. Mitch has been using VNC for months to telecommute. He uses a computer running Linux at home to communicate with his Windows NT machine at work. Over a 28.8 Kbps modem, Mitch calls the system slow, but usable. "It would be painful to work on all the time, but it's great for those times when there is some utility on my computer at work that I just don't have at home. It's certainly better than a one- or two-hour commute." Over a high bandwidth link like ISDN or my beloved cable modem, VNC is sluggish but bearable. If both computers are on the same Ethernet LAN, access is swift, though screen updates are still perceptibly slower than normal. My home office has two computers, a PC and a Mac, that share one monitor. Rather than switching cables or messing with a fussy monitor switch, I now use VNC to access the PC via from the Mac. [Editor's note: After upgrading my PC to Windows 98, Timbuktu Pro for Windows 95 1.5 stopped being able to work with Timbuktu Pro for Mac OS 4.0. The only solution, according to Netopia, is to upgrade to Timbuktu Pro 32 for Windows NT and Windows 95/98, but that costs at least $70, just to return to the same level of functionality I had before. I've run into this situation with Timbuktu before, where the only way to get it to work was to buy an upgrade, so Kevin's article arrived at just the right time. I'm now happily using VNC to control my PC instead of Timbuktu Pro, with which I still control my remote Mac servers. -Adam] The trick to squeezing the speediest screen updates from VNC is to set things up so VNC has to send as little information as possible. This means foregoing desktop pictures in favor of plain color backgrounds, setting the display to 256 colors rather than millions, and using a screensaver only to black the screen. **Not a Perfect Solution** - There's no denying that VNC is a kludge, albeit an elegant one. If you print within a VNC session, it will print - on the remote machine's printer. If you copy something to the clipboard in the VNC window, the program is supposed to copy that information to the clipboard on the client machine, although this doesn't always seem to work with the beta version of the Macintosh client. VNC doesn't make it easy to move information from one computer to another; unlike Timbuktu, it has no file transfer capabilities. The best solution I've found is to mail files from the remote computer to myself at the local one; swapping files back and forth on an FTP server could work equally as well, and perhaps someone could contribute code to integrate an FTP server and client into VNC. One problem Mac-based remote control software faces is in handing multiple mouse buttons under other operating systems. In Windows, you need to right-click many things for basic functionality. VNC solves this problem by mapping Option-click and Command-click to emulate a two-or three-button mouse. Timbuktu Pro also uses the Command key to simulate the right mouse button in Windows, but VNC seems to simulate right-click and drag actions better. [Plus, if you have a multiple-button mouse or trackball, you can define a second button as Command-click, which works flawlessly in VNC. -Adam] Finally, VNC lacks some polish. It doesn't remember its window position on your Mac, nor does it remember the IP numbers of machines you control, or enable you to save bookmarks to control specific machines. Occasional video glitches do occur, and rarely certain events like mouse clicks aren't registered the first time. Nonetheless, VNC is an extremely convenient tool that can give you access to an otherwise inaccessible computer. Even better, it does it for free, and that's a winning combination unless you need the additional features offered by a commercial program like Timbuktu Pro. [Kevin Savetz writes about Macs and the Internet for Computer Shopper, MacAddict and other magazines. An avid collector of vintage computers, Kevin is as likely to be playing with an Atari 800 or Timex-Sinclair as with his Mac.] $$ Non-profit, non-commercial publications may reprint articles if full credit is given. Others please contact us. We don't guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. This file is formatted as setext. For more information send email to . A file will be returned shortly. For information: how to subscribe, where to find back issues, and more, email . TidBITS ISSN 1090-7017. Send comments and editorial submissions to: Back issues available at: And: Full text searching available at: -------------------------------------------------------------------