TidBITS#602/22-Oct-01 ===================== Apple kicked off last week with faster and more flexible iBooks and PowerBook G4s before announcing a $66 million profit for the last fiscal quarter of 2001. Also in this issue, Adam investigates a few security concerns in Mac OS X 10.1, Matt Neuburg looks at the rebirth of CE Software's venerable QuicKeys under Mac OS X, Dan Kohn examines the future of digital content in a peer-to-peer world, and we note the release of BBEdit 6.5. Topics: MailBITS/22-Oct-01 Apple Speed Bumps iBook and Titanium Mac OS X 10.1 Security Issues Fixed QuicKeys X: The Return of the Ghost Steal This Essay 1: Content Is a Pure Public Good Copyright 2001 TidBITS Electronic Publishing. All rights reserved. Information: Comments: --------------------------------------------------------------- This issue of TidBITS sponsored in part by: * READERS LIKE YOU! You can help support TidBITS via our voluntary <- NEW! contribution program. Special thanks this week to Dick Esler, Damien Debril, and Hearts of Space for their generous support! * APS Tech -- 800/395-5871 -- Burn a full CD in less than five minutes with the APS CD-RW 16x10x40 FireWire Plus. FireWire and USB ports let you easily connect to all recent Macs. Order at: * WinStar Northwest Nexus. Visit us at . Internet business solutions throughout the Pacific Northwest. * Small Dog Electronics: New iMacs on Sale! <------------------------ NEW! 400 MHz CD Indigo: $699; with AirPort: $775; 1 Year Warranty CD-RW Drives: 500 MHz Dalmatian or Flower: $849; 600 MHz: $1049 AirPort Base Station: $229! 802/496-7171 * Bare Bones Software BBEdit 6.5 -- New version adds CSS markup <---- NEW! and syntax coloring, even more powerful grep engine, integrated Unix shell features on Mac OS X, and much more. Buy, upgrade, or try the demo at our Web site: * Share Your Internet Connection! IPNetRouter turns almost any Mac <- NEW! into a powerful router. Share network connections with Macs, Windows, Unix, and Palm OS devices. UPDATED to v.1.6.1 from Sustainable Softworks! Just $89! * Customized ON-SITE TRAINING! Let MacAcademy come to your <--------- NEW! location and train your group. Expert instruction available on the Mac or Windows, FileMaker Pro, or MS Office. Visit us at 800/527-1914 --------------------------------------------------------------- MailBITS/22-Oct-01 ------------------ **Apple Posts $66 Million Profit** -- Apple Computer beat analysts' expectations by announcing a $66 million profit (18 cents per share) on $1.45 billion in revenue for its fourth fiscal quarter, despite the weakening U.S. and world economies and the aftermath of the 11-Sep-01 terrorist attacks. However, Apple cautioned that the current quarter - its first of 2002 - will be leaner, with CFO Fred Anderson estimating $1.4 billion in revenue and earnings of 10 cents per share, even though December-ending quarters are typically buoyed by holiday sales. Those estimates would beat Apple's holiday performance last year, however, when Apple lost $247 million in the holiday quarter, not counting one-time investment income. For the 2001 fiscal year, Apple lost $25 million on revenues of $5.36 billion; in 2000, Apple earned $786 million on $7.98 billion in revenue. Apple's fundamentals remained relatively strong: the company shipped 850,000 Macs during the quarter (including 250,000 iBooks - iBook sales to education tripled) with gross margins at 30.1 percent, and the company has over $4.3 billion in cash. Approximately 41 percent of the quarter's revenue came from international sales, and Apple is still on track to open its planned 25 retail stores in high-visibility shopping areas by the end of 2001. Anderson also added that while Apple is trying to keep its headcount roughly flat, it doesn't anticipate substantial layoffs. [GD] **Grep Better with BBEdit 6.5** -- Bare Bones Software has released a major new version of their invaluable flagship text editing program, BBEdit. Version 6.5 is now a unified "Fat Carbon" application, running natively on Mac OS X and back through Mac OS 8.6 (with CarbonLib). The internal regular-expression search engine, which was previously somewhat quirky and non-standard, has been replaced by a new search function based on the Perl- Compatible Regular Expression (PCRE) library, adding new features and standardizing its behavior with standard Perl and Unix expressions. BBEdit 6.5 also adds syntax coloring and contextual markup support for Cascading Style Sheets, a long-requested feature. (The Check HTML Syntax feature still differs significantly from the W3C validator over what constitutes legal HTML, though.) Integration with Mac OS X is particularly impressive; BBEdit can now be invoked from the Unix shell (for example, command output can be piped to it), and, the other way around, BBEdit can run shell scripts, as well as Perl and Python scripts. BBEdit 6.5 is $120, or $40 to upgrade from a previous version (free if you purchased 6.1 recently), and comes with complete documentation plus amusing release notes. A launch- limited demo is available from the Bare Bones Web site. [MAN] Apple Speed Bumps iBook and Titanium ------------------------------------ by Adam C. Engst The day before reporting its fourth quarter financial results last week, Apple introduced enhanced models of its hot-selling iBook (Dual USB) and PowerBook G4 Titanium laptops. (For additional details, see "The Incredible Shrinking iBook" in TidBITS-579_, "PowerBook G4 Titanium Burns Bright" in TidBITS-563_, and "iBook or TiBook?" in TidBITS-583_.) The iBook's improved specs include a choice of the original 500 MHz PowerPC G3 processor using a 66 MHz system bus or a new 600 MHz PowerPC G3 processor using a 100 MHz system bus. 128 MB RAM is now standard (but realistically still not enough, and Apple's RAM prices are far more expensive than you can find elsewhere); the 10 GB hard disk is gone in favor of 15 GB, 20 GB, or 30 GB hard disks; and there's a new square power adapter that promises increased ease-of-use. Base pricing remains in the same range, from $1,300 to $1,700, depending on optical drive configuration. The Titanium picks up new processors as well: 550 MHz and 667 MHz PowerPC G4s with 256K of level 2 cache on the chip. The 667 MHz model also sports a 133 MHz system bus (up from 100 MHz in the existing 500 MHz model and the new 550 MHz model). Graphic support in the Titanium has improved with an ATI Mobility Radeon graphics accelerator and 16 MB of DDR video memory enabling full-frame-rate DVD video playback. A slot-loading CD-RW drive joins the DVD-ROM drive as an option, gigabit Ethernet is standard, as is more RAM (using new PC133 RAM, instead of the PC100 used by the original model), and the new square power adapter is included. Apple claims that the new models have improved AirPort access range, which was disappointing in earlier models. Base pricing ranges from $2,200 to $3,300. The improvements are especially welcome for the Titanium, which has been in need of additional differentiation from the tremendously popular iBook. It's less clear why Apple chose this moment to beef up the iBook, though it does make the iBook even more attractive for the upcoming holiday buying season (and perhaps the students who realized during the fall semester that they really needed one), which undoubtedly played a part in Apple's recent release of the new low-end iMac as well. Mac OS X 10.1 Security Issues Fixed ----------------------------------- by Adam C. Engst Mac OS X 10.1's significant improvements in performance and usability may have plenty of people considering a switch from the reliable workhorse of Mac OS 9, but it seems clear we can never go home again with regard to the issue of security. A number of security issues, most with Mac OS X's Unix underpinnings, have surfaced since the operating system's initial release, and although the Mac OS X 10.1 release offered fixes for a number of concerns that had arisen, three more cropped up almost immediately. One affected Internet Explorer 5.1, another dogs WebDAV and iDisk, and a third enables any application to run with root privileges. Apple reacted more quickly than in the past, publishing a workaround for the Internet Explorer problem within days and offering fixes for the Internet Explorer and root access problems on 19-Oct-01, less than three weeks after Mac OS X 10.1 shipped. That's good, but other aspects of Apple's approach to addressing security issues remain problematic. After an initial quiet period following the release of Mac OS X 10.0 during which many (including TidBITS) called for Apple to make public statements about security breaches, Apple finally created a security announcement mailing list and a set of related Web pages, one of which lists security updates to Mac OS X. Unfortunately, the mailing list has been used only once since it was created in May of 2001, and then only to tell subscribers to visit the Security Updates page. Worse, that page has not yet been updated to explain the 19-Oct-01 fixes. Even if it's not completely up to date, it's worth visiting that page periodically to see at least those security concerns Apple has acknowledged and addressed. Let's look at the three recent issues, including the concern with WebDAV and iDisk, which remains outstanding. **Mac OS X Easily Rooted** -- Although we generally think of crackers taking over machines remotely over the Internet, local exploits are becoming a concern to some users given Mac OS X's Unix underpinnings and multi-user capabilities,. In previous versions of the Mac OS, anyone who could sit down at a Mac unprotected by third-party software (or in Mac OS 9, Apple's built-in file encryption) could access any data on the Mac. The old Multiple Users feature was helpful for keeping kids from messing up a Mac, but wouldn't stop anyone who wanted to break through. With Mac OS X, though, there's more of an assumption of security, so it was troubling to discover that there was a trivially easy way to gain root access for anyone at the desktop, even if you've never enabled root access. All you had to do was launch certain applications that always run as root (like NetInfo Manager, Disk Utility, or Print Center), then launch another application from the Apple menu's Recent Items menu (or from anywhere in the Apple menu). Apple fixed this problem with Security Update 10-19-01, available via the Software Update preferences panel (choose About this Mac from the Apple menu, then click "Version 10.1". If "Version 10.1" is replaced with "Build 5L14", you have the fix.) You may still find it interesting to read Stepwise.com's explanation of how this breach worked. Why was this a concern? From the Unix perspective, root access is a big deal, since it gives someone complete control over the machine despite any previous restrictions. But from the perspective of a normal Mac owner, who likely has only a single user and has that user set to login at startup, this security hole wasn't a major concern. I'm far less worried about someone gaining root on my iBook locally than stealing it, which seems a lot more likely given the need to have physical access to the machine. To be fair, the discovery of this exploit also points out the need to be careful with remote control programs like Netopia's Timbuktu Pro and the various VNC servers and clients. For an additional bit of perspective, remember that anyone can reboot a Mac OS X system using a Mac OS installation CD or a copy of Mac OS 9 installed on the hard disk. Afterwards, this person has full control of the system, since Mac OS 9 doesn't recognize or honor Mac OS X file permissions on local disks. Apple is working on securing Open Firmware to close these holes, but Open Firmware restrictions can still be bypassed by resetting Open Firmware or transplanting the disk to another computer. As a result, this local root exploit is best thought of a reminder that anyone with physical access to a machine effectively has full control over it, despite any _software_ security short of an encrypted filesystem. **Internet Explorer 5.1 Automatic Execution** -- By default, Microsoft Internet Explorer 5.1 is set to decode MacBinary and BinHex files automatically during download. Nothing new here, and that's not a security concern. But for some reason under Mac OS X 10.1, Internet Explorer 5.1 automatically launched at least some applications that were encoded in MacBinary or BinHex without being compressed by StuffIt as well. With normal applications, that wouldn't be a problem, but if someone posted a Trojan horse - a malicious application that masqueraded as something benign - damage could result. It's not entirely clear what types of applications (Classic, Carbon, Cocoa, etc.) would be automatically launched or why, but it's moot now that Apple has released Internet Explorer 5.1.3 via the Software Update preferences panel. If you aren't able to update right away for some reason, the problem is easy to work around. In the Download Options pane of Internet Explorer's Preferences window, turn off "Automatically decode MacBinary files" and "Automatically decode BinHex files." Changing these settings has no functional liability; all it does is cause Internet Explorer to hand off decoding tasks to StuffIt Expander rather than performing them internally. **iDisk via WebDAV Exposes Passwords** -- In Mac OS X 10.1, Apple modified the Finder so it accesses your iDisk via WebDAV rather than the older Apple Filing Protocol (AFP). Unfortunately, as Alan Oppenheimer of Open Door Networks has pointed out, Mac OS X's WebDAV implementation sends your password as unencrypted text across the Internet. This is a violation of the WebDAV specification and basic security principles. Someone who could monitor your Internet connections could discover your password and use it to access your iDisk and mac.com email account (and since many people reuse the same password many times, other services could be compromised as well). AFP remains secure, but to use it you must access your iDisk by choosing Connect to Server from the Go menu and then typing "afp://idisk.mac.com" (after which you can make an alias to the iDisk or add it to your Favorites for easier future access). FTP also sends passwords as unencrypted text, so your level of concern here should match your level of concern over exposing passwords via FTP. If you must use FTP or iDisk via WebDAV, common sense would dictate not reusing passwords used for those services with more sensitive services. As an alternative for FTP, try Interarchy 5.0.1 or RBrowser, both of which can use SSH encryption (built into Mac OS X 10.0.4 and later) for secure connections. As far as we can tell, this WebDAV security hole was not fixed in the Security Update 10-19-01, although Apple is aware of the problem. A related discussion on TidBITS Talk indicated that Mac OS X 10.1's WebDAV implementation may support only Basic authentication, which eliminates one of the significant advantages of WebDAV over FTP. The moral of the story is that it's definitely worth letting Software Update look for updates regularly, since that will almost certainly be the fastest way to receive any updates that Apple releases. In the meantime, if you're interested in learning more about some of the basics of security in relation to Mac OS X, Roland Miller has posted a report about 10.0 that applies in large part to 10.1 as well. QuicKeys X: The Return of the Ghost ----------------------------------- by Matt Neuburg With the advent of Mac OS X 10.1, I'm using Mac OS X nearly all the time, but many of my long-standing work habits have become useless. That's because those habits rely on third-party utilities that haven't made the transition - and, one fears, may never do so. In Mac OS X, after all, the system works in a whole new way, and developers must learn entirely different methods to hack into it and modify its functionality. Still, it's far from clear what the limits ultimately will be, and we should never underestimate the ingenuity of Macintosh developers. Even as Mac OS X first shipped, I was wondering what in particular would become of macro utilities, those "ghosts in the machine" that perform preset actions by fooling your computer into thinking that an actual user is typing keys and wielding the mouse. So it's with some joy and relief that I find that CE Software's QuicKeys has followed me down the rabbit-hole and into the garden of Wonderland - but alas, only, like Alice, by drinking from the bottle that makes you smaller. In Mac OS X, QuicKeys X is an ordinary application that must be running for you to trigger any shortcuts, so you'll probably make it a startup item by way of the Login preferences panel. Being an ordinary application, QuicKeys X now has ordinary windows and menus, which means that its interface is much improved. Gone are the impenetrable layers of modal dialogs. Indeed, CE has made QuicKeys's windows wonderfully Mac OS X-like, with splendid use of drawers, customizable toolbars, and drag & drop. It's so easy and intuitive that you probably won't even have to read the manual. However, there's still no straightforward list of all your triggers, and there's no way to learn what sequences or floating palettes an action is used in; these are problems I've pointed out for years, and it would have been nice to see CE take this opportunity to tackle them. A QuicKeys action can have various triggers, and these can be universal or confined to a particular application being frontmost. The possible triggers for an action are: a keyboard combination or sequence of keyboard combinations; an absolute time, a time interval after startup, or a repeated time interval; clicking in a QuicKeys floating palette; or choosing from the QuicKeys menu (at the right end of the menu bar or in the Dock). The narrow range of available actions suggests the limitations imposed upon QuicKeys by Mac OS X. QuicKeys X can type; it can move and click the mouse; it can sleep and shut down the computer; it can send a command to the Unix shell. These are invaluable. The remaining things that QuicKeys can do are achievable in other ways, and are notably less interesting, though welcome for enhancing sequences of actions. QuicKeys can open a file or folder, run an AppleScript script, switch among applications, open a URL, change the Finder's view of a folder, and switch between folders in an Open or Save dialog. But QuicKeys can no longer click buttons or choose menu items by name, switch or scroll windows, access the clipboard, or send a raw Apple event. Also, QuicKeys X is now unable to "see" the screen, so it can't make decisions based on a certain window being frontmost or a certain menu item being enabled. QuicKeys's scriptability is also greatly curtailed; basically, it can run an action that you've previously created and named, and that's all. QuicKeys X is a welcome and pleasant release, and I'm already putting it to good use. I've stocked it with some boilerplate phrases to be typed into any application, and I've made certain menu items accessible through keyboard shortcuts (though these are slow and unreliable, because instead of choosing the menu item directly, QuicKeys must move the cursor to the item's location). But QuicKeys is only a part of my bag of tricks. I don't wish to sound overly negative about QuicKeys X - it may not yet measure up to the full capabilities it provided under Mac OS 9, but it is essentially a 1.0 release because everything it knew how to do in the past has changed with Mac OS X. Just as it's taking us all some time to learn new ways of interacting with Mac OS X as users, so too it's taking time for Apple to expose the innards of Mac OS X to the depth necessary for CE's engineers to write a tool as downright magical as a macro utility. CE has said they will be extending QuicKeys X's capabilities in the future; we wish them luck in ferreting out the secrets to automating Mac OS X's internal workings. CE will have to move quickly, since a number of small utilities are coming out for Mac OS X that replicate some of QuicKeys's features. Typing text into applications can be handled by Selznick Scientific Software's Typist or Michael Kamprath's Keyboard Maestro; programs like DragThing, LaunchBar and Sig Software's Drop Drawers offer ways of opening and switching between applications, and launching AppleScript scripts; and I'm sure utilities I haven't yet run across are nibbling at other QuicKeys features. QuicKeys X costs $60, and a 30-day demo version is available for download. Steal This Essay 1: Content Is a Pure Public Good ------------------------------------------------- by Dan Kohn Steal this essay, or, why these sorts of essays represent the future of all publishing. Hint: I'm not getting paid for them. "Freedom of the press belongs to those who own one." - A.J. Liebling If you or anyone you know has ever or will ever produce content (writing, music, video, etc.) and hopes to get paid for it, you should be afraid. To see why, start by downloading (for free, of course) one of the numerous peer-to-peer file sharing systems such as Aimster, LimeWire, and eDonkey2000 that have emerged hydra-like to take the place of Napster, whose head was cut off this spring by the Recording Industry Association of America (RIAA). You will find that much the same selection of MP3 music that was on Napster is still available for free, as well as being accompanied by more and more movies ("ripped" directly from DVDs), and nearly all other forms of content, from Shakespeare's works to hard core adult materials. What you will not find - even if you are the RIAA - is anyone to sue. Because unlike Napster, there are no companies underlying the software infrastructure, no servers to confiscate, no officers on whom to serve papers. The next generation of peer-to-peer clients relies on no central infrastructure whatsoever, and is being developed by a loose knit group of developers spread around the world, all donating their significant efforts without any real hope of getting paid for their work. All of the developers are men - or teenage boys - and though not following the typical societal track toward prestige, they are just as competitive as any rival athletes or entrepreneurs. Many are distributing their software as open source, so anyone else can fix bugs and make improvements. What this means is not just that the RIAA is applying makeup to the corpse of the music industry as we've known it. In fact, it heralds an even larger change about how all content is created and distributed, and raises serious questions as to whether content creators (such as the author of this essay) will ever be compensated for our work. Read a few dozen articles by top technology analysts, and it is often difficult to find one that doesn't breathlessly declare how this or that new technology represents a sea change, an inflection point, or the end of history. In fact, while the Internet's growth rates have been quite high, other technologies such as radio and gas cooking have actually been adopted faster. It may be, though, that all of the hype surrounding the digital duplication and peer-to-peer distribution of content actually underestimates the impact on the authors and publishers of music, movies, and written works. Put simply, in a world where there are essentially no costs to replicate content and it is effectively impossible to stop anyone from doing so at will, the current economic model underpinning content creation will be dead. Despite the protestations of lawyers, (certain) rock bands, and legislatures (all on the same losing side, oddly enough), we are entering that brave new world. If, as this hard technology determinist viewpoint suggests, content is destined to be free - i.e., the content creators and publishers will not be directly compensated the way they are today when you make a purchase from your local CD store - then the real question is what system could replace the content compensation system that has worked quite well for the last 300 years. However, implementing revenue models for infinitely redistributable goods is not an entirely novel question, and there are several economic models that can support the creation of content. What there may not be is _enough_ revenue to support the publishers of that content in addition to the authors, which helps explain why the RIAA is so eager to thwart digital distribution. When an ecosystem undergoes severe environmental changes, certain organisms that were previously essential - like the cyanobacteria that originally converted carbon dioxide to oxygen, or the record companies' A&R men - may recede to minor ecological niches. Economists have a term for what digital goods have become. Items are "nonrival" when we can all make use of them without anyone having to give them up. If I copy your CD, you're none the worse for it (nonrival), but if I steal your car, you will probably be upset (rival). Goods are "nonexcludable" when it becomes impractical to stop everyone from making use of the item, once one person can. It is infeasible, for instance, to stop additional viewers of broadcast television (nonexcludable), while it is very feasible to stop additional moviegoers from entering a theater (excludable). Economists call nonrival, nonexcludable items "pure public goods," although the name does not imply that public goods can be provided only by the government. Lighthouses are a classic pure public good. They are nonrival because each additional ship does not reduce the light available to the others. They are nonexcludable because any ship sailing by can see them. There are cases in New England two centuries ago of shipping guilds building privately managed lighthouses, even though the services couldn't be withheld from non-members. Most medical research and nearly all basic scientific research today is a pure public good, although for exactly this reason it is often financed (at least indirectly) by the government. Other textbook public goods are national defense, mosquito control, and public radio. In each case, the cost of providing the item to one consumer is the same as providing it to any number of consumers (nonrival), and it is impractical to stop anyone from making use of the good (nonexcludable). The table below provides some examples. | EXCLUDABLE | NONEXCLUDABLE -----------+--------------------+-------------------------------- RIVAL | car, Walkman | unmanaged fishing rights -----------+--------------------+-------------------------------- NONRIVAL | movie in a movie | lighthouses, national defense, | theater, concert | mosquito control | in a large hall | If content is becoming a pure public good, it will necessitate a radical rethinking of the recording industry's claim that copying content is stealing. We as a society react very differently toward the unpaid use of rival versus nonrival goods. Think of the punishment inflicted, for example, on those who steal cars versus those who listen to public radio without contributing to the fund drives. Of course, whether a good is rival or not is beside the point if you can successfully exclude people who don't pay. (Ask Microsoft, whose cost for selling one copy of Office is approximately the same as selling 100 million copies (nonrival), but which has used informant tactics and large legal penalties to make their software very excludable, at least for businesses.) The lawyers representing the recording and movie industry are well aware of the threat to their business models of digital content, and they believe they have already developed the answer: encryption. Encryption represents the music industry's last, best hope of maintaining their product as excludable. Why they are wrong, and content protection is doomed to failure, will have to wait for the next essay. [Dan Kohn is a General Partner with Skymoon Ventures. His writings are announced through and can be discussed through .] $$ Non-profit, non-commercial publications may reprint articles if full credit is given. Others please contact us. We don't guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. This file is formatted as setext. For more information send email to . A file will be returned shortly. For information: how to subscribe, where to find back issues, and more, email . TidBITS ISSN 1090-7017. Send comments and editorial submissions to: Back issues available at: And: Full text searching available at: -------------------------------------------------------------------