Series: Leopard Arrives
The next big cat has entered the scene. We cover the high points, and offer advice on how to best use this latest release.
Article 1 of 20 in series
How Leopard Will Improve Your Security
by Rich Mogull
Apple has focused a lot of attention on making Leopard more secure, and security analyst Rich Mogull looks at each of the promised features to explain how it will keep your data, your online communications, and your Mac safe.
With the release last week of the feature list for Mac OS X 10.5 Leopard, the security world is buzzing about some extremely important updates that should, if they work as expected, significantly improve Mac security and will make me less nervous about connecting to wireless networks in Internet cafes.
Time Machine -- Before we dig into Leopard's advanced anti-exploitation technologies, we need to start with the biggest security feature that's not listed with the rest: Time Machine. Information security is based on the principles of CIA. No, not the Central Intelligence Agency or the Culinary Institute of America. In the security world, CIA stands for Confidentiality, Integrity, and Availability. While we tend to focus on keeping people from seeing things we don't want them to see (confidentiality) and changing things we don't want changed (integrity), having our data and systems available to us is just as important.
With Time Machine making it easier to back up for all users, especially individuals not already protected by some corporate backup system, Apple is doing more to improve security than any upgrades to firewalls or Safari ever could. If you want to improve your security, I highly recommend you get an external hard drive with your copy of Leopard (Adam tells me that "Take Control of Customizing Leopard" will offer basic help for Time Machine, and a future edition of "Take Control of Mac OS X Backups" will provide even more detail). My backups have saved me three times already this year, and I'm excited that I can finally make backups more accessible to my mother and sister.
Stopping Buffer Overflows -- The most significant security update in Leopard is one that you'll never notice, but that will cause the bad guys no end of frustration. It's an anti-exploitation technology Apple calls Library Randomization (also known generically as Memory Randomization and as Address Space Layout Randomization in Windows Vista). To understand Library Randomization we need to talk about vulnerabilities, exploits, and buffer overflows.
Buffer overflows are the class of vulnerability that is responsible for most of the successful attacks on computers today. Most malicious programs (worms and viruses) rely on buffer overflows to take control of your system. In security, we define a vulnerability as a flaw or defect that could allow someone to violate confidentiality, integrity, or availability. Think of it as a weak lock or a broken window the bad guy can use to get in. Buffer overflows are a vulnerability where an attacker enters more data into an input than expected; if the programmer who wrote the software forgot to limit that input field, the data can flow past the expected limit and overwrite other parts of memory. Since memory on most of our computers is just a big stack of commands mixed with data, if you know exactly how much extra data to put in, you can trick the computer into running an arbitrary command by overwriting a spot where it expects a legitimate instruction with your new instruction.
You might be asking yourself why programmers don't just cap any program input to prevent buffer overflows. Why not just limit all those fields so this can't happen? I often ask myself the same question, but modern computing systems are so complex, with so much reused code, that it isn't that simple. For example, the iPhone 1.1.1 software was cracked because it used some common code (the libtiff library) for reading TIFF image files. That code had a buffer overflow vulnerability in it, allowing hackers to create special TIFF files that let them take over the iPhone. This is what we call an exploit - when you can take advantage of a vulnerability and actually do something with it.
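The unchecked-length flaw described in the two paragraphs above, as an added example (not from the original article, and not libtiff's code): a made-up length-prefixed record is parsed into a 16-byte buffer, first trusting the length the file declares, then validating it. The record layout, `toy_memory`, and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy memory (constructed for this example): a 16-byte input buffer followed
 * directly by a 4-byte value the program relies on later. One array holds
 * both, so the overflow is observable without undefined behaviour. */
#define MEM_SIZE   32
#define BUF_SIZE   16
#define NEXT_OFF   16
#define NEXT_LEGIT 0x00000001u

struct toy_memory { uint8_t bytes[MEM_SIZE]; };

static void mem_init(struct toy_memory *m) {
    memset(m->bytes, 0, MEM_SIZE);
    m->bytes[NEXT_OFF + 3] = 0x01;           /* NEXT_LEGIT, big-endian */
}

static uint32_t mem_next(const struct toy_memory *m) {
    const uint8_t *p = m->bytes + NEXT_OFF;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical record layout: [len_hi][len_lo][payload ...]. The length is
 * written by whoever produced the file, so the parser cannot trust it. */
static size_t declared_len(const uint8_t *in) {
    return ((size_t)in[0] << 8) | in[1];
}

/* Unchecked parser: copies as many bytes as the record claims to hold.
 * Returns the number of bytes copied, or -1 for a missing header. */
static int parse_unchecked(struct toy_memory *m, const uint8_t *in, size_t in_len) {
    if (in_len < 2) return -1;
    size_t n = declared_len(in);
    /* These two clamps exist only to keep the demo inside its own arrays;
     * the flawed code being modelled has no limit at all. */
    if (n > in_len - 2) n = in_len - 2;
    if (n > MEM_SIZE) n = MEM_SIZE;
    memcpy(m->bytes, in + 2, n);             /* can run past BUF_SIZE */
    return (int)n;
}

/* Checked parser: validates the declared length against the destination
 * buffer and against the data actually present before copying anything. */
static int parse_checked(struct toy_memory *m, const uint8_t *in, size_t in_len) {
    if (in_len < 2) return -1;               /* no header */
    size_t n = declared_len(in);
    if (n > BUF_SIZE) return -2;             /* would overflow the buffer */
    if (n > in_len - 2) return -3;           /* header overstates the payload */
    memcpy(m->bytes, in + 2, n);
    return (int)n;
}

/* Constructed sample inputs. */
static const uint8_t VALID[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t TRUNCATED[] = { 0x00, 0x08, 'a', 'b', 'c' };
static const uint8_t OVERSIZED[] = {          /* claims 20 bytes for a 16-byte buffer */
    0x00, 0x14,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0xDE, 0xAD, 0xBE, 0xEF                    /* lands on the neighbouring value */
};

int main(void) {
    struct toy_memory m;

    mem_init(&m);
    int r = parse_unchecked(&m, OVERSIZED, sizeof OVERSIZED);
    printf("unchecked: copied %d, next value is now 0x%08X\n", r, (unsigned)mem_next(&m));

    mem_init(&m);
    r = parse_checked(&m, OVERSIZED, sizeof OVERSIZED);
    printf("checked:   result %d, next value is still 0x%08X\n", r, (unsigned)mem_next(&m));

    printf("checked:   valid record -> %d, truncated record -> %d\n",
           parse_checked(&m, VALID, sizeof VALID),
           parse_checked(&m, TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

The second length check matters as much as the first: a record that fits the buffer but claims more payload than the file contains would otherwise make the parser read past the end of its input.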
As an aside, buffer overflows first appeared around 1988 and were used in the very first Internet worm - the Morris worm. In 1996 an exceptional paper was published detailing how to exploit buffer overflows.
This is where Library Randomization comes in. Pushing those bad commands onto the stack is more complex than saying, "Open sesame!". The attacker is attempting to subvert the guts of the operating system and has to play around with memory directly and point to different instructions in different parts of memory to get the computer to fail in a useful way. Until recently, most operating systems stored their own internal commands in known, static locations in memory. Thus the attacker could just point to those commands with his malicious instructions, and use the tools of the operating system itself to take over. Library Randomization randomly distributes those commands throughout memory every time the operating system loads. Thus, even if an attacker finds a buffer overflow vulnerability and pushes his commands onto your system, it's extremely difficult for him to turn that into a working exploit.
That's why we call Library Randomization an anti-exploitation technology - even when the bad guys find vulnerabilities (and they will) it will be much harder for them to exploit your system. This is a big move, since instead of relying on programmers to write perfect code, Apple - following the lead of Microsoft and some Unix/Linux variants - is hardening the operating system to make exploitation itself more difficult. Apple actually started down this road with Mac OS X 10.4.7 when they enabled Data Execution Protection, a feature available on some processors to let programmers mark memory locations as data only, limiting the ability of an attacker to push a command in.
I'm sure security researchers will eventually figure out a way around it, but early signs from other operating systems indicate that Library Randomization is a serious obstacle for an entire class of attacks. I've spent a lot of time on Library Randomization because, following Time Machine, it's probably the most significant security update in Leopard, but those two are far from the only improvements.
Identifying and Defanging Evil Apps -- As firewalls become more ubiquitous it's becoming harder for bad guys to attack computers directly over the network. Many are switching over to what we call client-side exploits - getting malicious code onto your system via malicious email, Web pages, and file downloads. While Apple can't prevent people from downloading dangerous stuff, Leopard has a new feature to tag downloaded applications as coming off the Internet.
The first time you run a downloaded application, your Mac will ask you to approve it and tell you when it was downloaded, what application downloaded it, and where it came from. This is another great feature that should help limit malicious software from downloading and executing programs without your knowledge. The one potential weakness I see is this warning could be used to trick you into visiting a malicious Web site, and I hope Apple is taking that into account.
Apple has also added application signing. Apple, and any developer that wants to participate, can affix a digital signature to their applications. Digital signatures are valuable because they certify both where an application came from and, more importantly, that it hasn't been modified. If a bad guy tries to subvert a signed application on your system, the modified application will no longer match its signature, and Mac OS X won't allow it to launch.
Leopard's next important feature is "sandboxing." Sandboxing is a technique of restricting specific applications so they can't perform certain kinds of actions, like limiting the files they can touch, the other applications with which they can communicate, or what they can do on the network. Some applications will always be at a higher risk than others for compromise, and sandboxing helps prevent those applications from being used to take over other parts of your system. The Leopard Web site lists Bonjour, Spotlight, and Quick Look as being sandboxed. This is interesting because those are all services that look at arbitrary files or network packets, making them more vulnerable to a popular type of attack called fuzzing, where the attacker plays with input (like files and network packets) using automatic tools, looking for a data stream that will choke the recipient service. The infamous Wi-Fi hack (see the TidBITS series "To the Maynor Born: Cache and Crash") was discovered using fuzzing, as were most of the bugs in the Month of Apple Bugs (see "MoAB Is My Washpot," 2007-02-19). I'll be curious to see the entire list of sandboxed applications, and if Safari and QuickTime are included since they are also exposed to this type of attack.
Other Notable Improvements -- While perhaps not as significant as the updates we've already talked about, Leopard also includes a bunch of other security improvements. The Mac OS X firewall, based on the open source ipfw program, has been improved and now includes the capability to block network access to individual applications. I've heard rumors that Apple's default firewall rules are no longer user accessible, which would be a major step backwards, but letting the firewall control individual applications is a long-desired feature for us security geeks.
The Keychain has been enhanced to manage multiple user certificates for email encryption and digital signatures better, which will be welcome for those of us with multiple email accounts. Encrypted disk images now use 256-bit keys instead of 128-bit keys (much more than twice as strong), and although I don't know anyone who can break a 128-bit key, thanks to the way AES functions, performance should be essentially unaffected.
A few changes help improve compatibility for those of us using Macs in corporate environments. Native VPN support has been updated, and Windows SMB packet signing is now available, to provide compatibility with encrypting Windows file servers. Apple also enhanced file sharing with more granular access control lists, enabling more control over who can access your shared files. (Glenn Fleishman's "Take Control of Sharing Files in Leopard" has all the details there.) While useful in any environment, I suspect some of these improvements were added to help with sharing in corporate environments and to complement the access controls in Windows environments.
Apple hid a few security features in other parts of Leopard. One I'm really looking forward to is the guest account that purges itself entirely after the guest user logs out (for details, check out Kirk McElhearn's "Take Control of Users & Accounts in Leopard"). While I don't let many people touch my MacBook Pro, there are occasions when I want to allow temporary access so someone can copy a file from me, check email or look something up online. A temporary guest account is a great way to enable this safely and without leaving even a trace on my Mac afterwards.
We'll also now get to see the encryption status of wireless networks right from the menu bar, so you can avoid even bothering to connect to protected networks. Those of you with kids gain improved parental controls that include Web filters, activity monitoring, and even a built-in filter for Wikipedia. Finally, with the inclusion of DTrace and a new instrumentation interface, we security geeks can really dig into the system internals and see what's going on. I expect to see more than a few security tools that take advantage of this capability.
One open question I'll be checking the moment my copy of Leopard arrives is whether Input Managers are still part of Leopard. Input Managers are a valuable feature to enhance applications, but they are also unfortunately a serious security risk (see Matt Neuburg's discussion of this in "Are Input Managers the Work of the Devil?," 2006-02-20). Apple has hinted that Input Managers might be restricted in Leopard, and despite the cries from some in the development community, I believe Input Managers need to be changed to improve our security or eliminated altogether.
Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X - perhaps in the history of Apple - from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system. We still need to see how these features hold up once security researchers get their hands on them, but the security future looks promising and I'll sleep better at night knowing my mother can still safely bank online.
[Rich Mogull currently works as an independent security consultant and writer through Securosis.com after having spent seven years as an analyst with Gartner.]
Article 2 of 20 in series
Are Your Fonts Ready for Leopard?
If you're still hanging on to Classic, and to fonts that exist only in Classic, this might be a good time to straighten out any old font suitcases that you want to bring forward into Leopard.
[With the word on the Web being that Mac OS X 10.5 Leopard doesn't support the Classic environment, we asked Sharon Zardetto, author of three Take Control titles about fonts, including the soon-to-be-released "Take Control of Fonts in Leopard," to give TidBITS readers the low-down on how to make sure old font suitcases from Classic are successfully packed for their trip to the future with Leopard. -Tonya]
If you're planning to upgrade to Leopard but are still hanging on to the Classic environment, it's probably time to let go: reports indicate that Leopard won't let you run it, even on a PowerPC-based Mac (Intel-based Macs can't run Classic even under Tiger). But before you go bravely out into the Leopard world, take stock of your fonts - because if you have old ones hanging around, this could be your last chance to straighten out your font suitcase files for free, using Apple's ancient Font/DA Mover utility, which you can still run under Classic.
Two types of font files that predate Mac OS X are still totally useable, but possibly prone to problems: Mac TrueType suitcases and PostScript Type 1 suitcase files (the "screen font" companion files to the "printer font" files). Both of these suitcase-type files have icons that are stamped FFIL and are identified as "Font Suitcase" as their Kind in the Finder.
These elderly font files might have inherent internal problems (for the most part, those can be identified, although not fixed, by Font Book's automatic validation process), but the problems I'm referring to here are user-introduced ones.
Pack Your Suitcases for Leopard -- To use old fonts in Leopard without trouble, make sure that your suitcase files are:
- Limited to a single type of font. An older suitcase might contain both Mac TrueType and older bitmapped fonts; you should have the TrueType fonts alone in one suitcase, and the bitmapped fonts alone in another if they're serving as the companions for PostScript Type 1 fonts.
- Confined to a single font family, but with all its faces. Wolfson, Wolfson Bold, Wolfson Italic, and Wolfson Bold Italic all go in one suitcase; Wolfson Gothic is a different family and goes in a different suitcase file.
- Named for the font family within. Don't succumb to "MyFavorites" because that's just not helpful, even if your taste won't ever change.
In addition, although pre-Mac OS X systems allowed "loose," non-suitcased font files (a single TrueType face, for instance), Mac OS X can't use that kind of file, and it must be put into a suitcase.
If you remember the ease with which you could manipulate fonts and suitcases under Mac OS 9, you'll be disappointed that you can't do that under Classic - because Classic isn't really an operating system, it just pretends to be under pre-Leopard systems. But what you can do is download Font/DA Mover 4.1, last updated for System 6 (no, that's not a typo!) and run that under Classic to clean up your old suitcase files.
Sometimes you just have to go back before you can go forward.
If You Don't Have Classic Already -- If you don't have the option of working under Classic, you needn't scrap your old suitcase files. Two utilities that run under Tiger - Smasher ($50) and FontDoctor ($70) - let you manipulate suitcases, and they will, presumably, be updated for Leopard. Both are quite pricey if all you need to do is shuffle suitcase contents. FontDoctor, which is available as a standalone program or with the font manager Suitcase Fusion ($100), also fixes corrupt font files.
Article 3 of 20 in series
Spaces: A First (and Very Happy) Look
by Matt Neuburg
What is (or are) Spaces? Will it actually make your life better? Could it be the coolest thing since unsliced bread? Could it be a major reason for upgrading to Leopard? This article introduces the concepts behind Spaces and gets you started using it.
When Apple posted its list of 300 features that are new in Leopard, your eyes may have glazed over. Many of these new features won't mean anything to you until you've tried them, and, in Apple's list, you can't readily distinguish something small and cute from something massive and profound. (Let's face it, the "Arabesque Screen Saver," while pleasant, is hardly on a par with being able to "Back Up Everything" with Time Machine.) Furthermore, some new features are just hard to describe in a sentence or two, so a proper sense of their implications doesn't come across to the reader. In my view, Spaces is one of those features: It's massive and profound, but Apple's own explanation fails to do it justice. If someone asks you, "Why upgrade to Leopard?" the three little words, "To get Spaces," could be a sufficient reply. For sheer productivity potential, making your computer easier and slicker to work with, Spaces may be the single most important benefit of upgrading to Leopard. In this article, I'll try to help you see why.
So... what is Spaces?
Well, it's a "virtual desktop" implementation. Now, all you Unix X Window virtual desktop users can stop reading right here, or at least skip the next few paragraphs. Those of you who have tried VirtueDesktops (abandoned early in 2007) or the commercial CodeTek VirtualDesktop also have a sense of what Spaces is about (though these, to be clear, were effectively hacks; the only clean way to implement a virtual desktop feature is to integrate it at system level into the windowing system, as Apple has now done with Spaces). Right now, I want to talk mostly to the virtual desktop newbies who haven't a clue. You others, stick your fingers in your ears and go "La la la," okay?
Okay, clueless newbies - we're all alone together. Come closer. Closer! Good. Here's the deal.
Spaces is all about straightening out the clutter of windows on your screen. What is the biggest problem with windows? It's that there are always too many of them, and most of them are covered by other windows. Thanks to Mac OS X's great memory management, you can run lots of applications at once, and you can have lots of windows open at once; but, no matter how big your screen is, you usually can't actually see all of more than one or (at most) two windows at the same time. Everything else is just a big overlapping mess. And on Mac OS X, as opposed to earlier Macintosh systems, it's even more of a big overlapping mess because the windows of different applications can end up all intertwingled with one another.
The result is that when you're trying to get anything done that involves working in more than one window at once, things get difficult. There's a window in front, and then there's everything else, little corners and title bars sticking out here and there, like the aftermath of a wild game of Fifty-Two Pickup. Where is the precise other window you need to be able to see at this moment? You have no clue.
Notice, please, that I keep talking about windows - not applications. When you come down to the nitty-gritty, getting complex stuff done on your computer is not really about applications; it's about particular windows. Those windows might come from any applications: they could be different windows of the same application, or windows from various different applications.
That's why the simple tools available to you for switching between applications are never quite enough. For example, you can simplify the display on your screen by choosing Hide Others from the frontmost application's menu. Now only the windows of this application are showing. But perhaps you really want to see just one of this application's many windows, plus one window from some other application. So first you might scurry around minimizing the windows from this application that you don't want to see. Then you have to switch to the other application, making it visible, and find its desired window and bring it to the front and position it. Then you have to switch back to the first application. Now you can work in both windows. Great, but what happens when you suddenly need a different window from the first application? You have to hunt for it in the Dock, and when you expand it, there it is, blocking everything and complicating the picture. Or perhaps you need a window from a third application: you bring that application to the front, and presto, all of that application's windows are plastered all over the screen, blocking everything and complicating the picture. Is it any wonder tabs have become so popular?
Spaces is all about this problem. It lets you work with sets of windows. That's all a space is - a particular set of windows. When you are "in" this space, just this set of windows is visible. When you switch so that you are "in" a different space, a different set of windows is visible. In the previous paragraph, I was trying to make two points: (1) it's hard to arrange things to see just the small set of windows you need for Task A, and then, (2) when you want to perform Task B, bringing different windows into play complicates the whole picture. With Spaces, Space A could consist of just the windows you need for Task A, and Space B could consist of just the windows you need for Task B. You can then switch between spaces, meaning visible window sets, and everything stays simple: you are always seeing all and only the windows you want to see.
So the main thing Spaces is about is switching spaces. In fact, you can turn Spaces on and never switch spaces, and then you won't even know or care that Spaces is on! You'll be living in exactly the same world you always lived in. In fact - oh my gosh! We'd better actually turn Spaces on, or all the rest of this discussion is going to be pointless! So, do this:
Choose Apple Menu > System Preferences. Click Exposé & Spaces. Click Spaces. Check "Enable Spaces." Whew! Now Spaces is on.
So how do you switch spaces? There are four (count 'em, four) ways:
- All Spaces mode. This is what you get when you press F8, or click the Spaces icon in the Dock. (If you don't see the Spaces icon in the Dock, drag it in from the Applications folder.) It behaves a little like Exposé, in that it provides a reduced, schematic version of the world: all your spaces are shown at once, in a grid, and now you can click one to switch to that space. This is nice because you can sort of see what windows are in each space. Plus, if you want to get really cool, while you're in All Spaces mode you can press F9 to enter Exposé's All Windows mode, and now each individual space shows each of its individual windows (which are getting pretty tiny at this point) and you can click a window to pick a space and a particular window all at once! (Note: I'm saying "F8" and "F9", but those might not be your actual shortcuts for these actions, because they are customizable.)
- Use the Spaces menu. If you don't see the Spaces menu, check "Show Spaces in menu bar" in the Spaces preference pane in System Preferences. It displays nothing but numbers: the numbers of your spaces (1, 2, and so on). Choose one to switch to that space.
- Use a number. By default, the number shortcuts for switching between spaces involve the Control key. So, press Control-1. Now press Control-2. Congratulations, you just switched spaces.
- Use an arrow key. This is trickier, because it relies on a concept I haven't introduced yet. You see, your spaces are imagined as lying in a grid. You can see this imaginary grid in the Spaces preference pane where we just were a little while ago. By default, there are four spaces, and the grid is a 2-by-2 rectangle. (This grid is customizable - you can change how many spaces you have and how the grid is arranged - but for this example I'm pretending you haven't yet departed from the default.) So if you are in space 1, you can switch to space 2 by pressing Control-Right arrow, because space 2 is imagined as being to the right of space 1; but, again, if you are in space 1, you can switch to space 3 by pressing Control-Down arrow, because space 3 is imagined as being below space 1. Feeling a bit seasick? Maybe it would be better not to use this way of switching between spaces until you are a certified expert (or just plain certified).
There is one more elementary concept connected with Spaces that we need to get clear on: How does a window come to be in a particular space to start with? Well, there are two ways:
- You created the window while you were in that space. For example, you are in space 2, and you start up TextEdit. TextEdit wasn't running before, and when it launches it creates a new window. So you are in space 2 and you are creating a new window, and therefore that new window will be in space 2. Of course there are many other ways to create a new window in various applications.
- You moved the window from one space to another. Huh? Since you can only be in one space at a time, how can you possibly do that? Well, if you're in All Spaces mode, you can actually drag a miniaturized window directly from one space to another. Or, while you are in one space, hold the mouse down on a window's title bar and switch directly to another space with a keyboard shortcut; the window will travel with you to the new space. Or, drag the window to the edge of the screen and pause with the mouse still down and at the screen's edge; you'll switch spaces automatically, bringing the window with you. Keen, eh?
That's all there is to know about elementary use of Spaces. I'm not going to talk about "application bindings" right now; it's too advanced for this discussion (you can learn more about that by experimentation, or you can check out my new ebook, "Take Control of Customizing Leopard," for more info). But there is just one point that I want to leave you with as you start experimenting with Spaces, and it's this: Spaces is complicated but simple. It's complicated because there are lots of different scenarios, but it's simple because Spaces always does "the right thing."
For example, let's say you've opened TextEdit in space 2, and that's the only place where any TextEdit windows are. And let's say you're now in space 1. And let's say you use the Dock, or Command-Tab, to switch to TextEdit. What will happen??? Well, what's the right thing? TextEdit's windows are all in space 2, so the only sensible thing is that you should automatically be switched into space 2 so you can see them. And sure enough, that's exactly what does happen. I could go on and on positing various scenarios of greater and greater complexity, but that's pointless; all you need to know is that Spaces will behave sensibly and simply, and that you'll catch on to its logic almost immediately with a little experimentation.
So, congratulations: You are no longer a clueless newbie. You're a clued-in newbie! With a little practice, you will soon find ways to use Spaces that will make your computer life simpler and easier. I can't tell you what they are because I don't know what kind of thing you do. Perhaps you'll usually have a space for all your Internet apps and another space for all your writing apps. Perhaps you'll have spaces for certain particular tasks that you typically perform. It's all up to you. I do have one piece of advice, though: Try it, you'll like it! Whether you've got a big multi-monitor setup or a tiny portable screen, Spaces has the potential to make your life a lot easier. You simply have to remember to use it. With a little practice, you will.
Article 4 of 20 in series
Leopard Simplifies File Sharing
Leopard overhauls file sharing for services like AFP (remembered fondly as AppleShare), Samba, and FTP, while bringing back the long-missed shared folders options. The new approach makes it much easier for any user to share files over a network or the Internet.
I'm a jaded Mac OS X user. Since 10.2, when Apple made a host of basic functional improvements over 10.1, I've expected mostly incremental changes with each new system release. iChat AV and Spotlight - but, for me, not Dashboard nor Exposé - were notable marquee exceptions. So it was with a heavy heart that I prepared to work on "Take Control of Sharing Files in Leopard" with a beta of Leopard obtained through my membership in the Apple developer program a few months ago. I expected that Apple would refresh interfaces and add a few new items, but nothing more.
I was pleasantly surprised. Apple not only consolidated file sharing options for Apple Filing Protocol (AFP), Samba (or SMB), and FTP into one place, but they added back folder sharing, a feature never seen in Mac OS X, even though it was widely used in Mac OS 9 and releases before that.
Apple's changes allowed me to cut more than 30 pages from the book while improving its utility: no longer do you need to edit text configuration files and change obscure settings. It's mostly check a box, click a button, and choose a value from a pop-up menu. As Steve Jobs would say, boom.
Major Streamlining -- Let me give you a quick overview of what has changed in file sharing.
- AFP, Samba, and FTP are all controlled from one place. In Tiger and before, Apple gave its own names to AFP and Samba (Personal File Sharing and Windows Sharing), and assigned them to three separate checkboxes in the Sharing preference pane's Services tab. In Leopard, there is a single File Sharing service in the Sharing preference pane that consolidates access for all three services.
- Folder sharing. It's a blast from the past! You can take any folder or mounted drive and share it as though it were a volume. Share like it's 1999! Or 1997.
- Granular access permissions. The File Sharing service lets you assign specific read and write permissions for users and groups to each volume.
- Sharing Only accounts. Apple neatly added a way to create accounts that are enabled only for sharing, and lack a home directory or permission to log in via SSH.
- Guest account. There's a guest account that has a separate choice for allowing password-free server access to specific folders. It has some limits that I'll discuss later.
- Finder access to sharing. Apple rejiggered how servers appear and how volumes are mounted in the Finder to make life much better for average users and power users alike.
![](/file/11593/db.tidbits.com.tar/db.tidbits.com/tbthumbs/tn9261_leopard_fs_main.jpg)
Let's look at how this works for setting up file sharing.
File Sharing Setup -- With File Sharing selected in the Sharing preference pane, you might be briefly baffled as to where you go to turn on any of the three sharing protocols. Click the Options button, and you'll find a checkbox for each of AFP, Samba, and FTP, which can be enabled in any combination. Samba access is enabled for specific accounts due to concerns about its method of storing passwords being easier to crack than Apple's very strong method. (This is unrelated to AFP, Samba, and FTP passwords being transferred over a network; only Samba passwords are encrypted by default.)
The main File Sharing dialog linked previously shows two lists: Shared Folders and Users. Any mounted volume or folder that you're sharing as a network volume appears in the list at left. To add a folder to that list, either drag it in, or, in the Finder, select a folder or volume, choose Get Info, and check Shared Folder. You can also click the + sign below the list and then navigate to and select folders or volumes.
When you select a shared folder - you can only select one at a time - the associated access rights show up in the Users list. The Unix users already assigned to a folder appear, and you can add or remove users and groups.
For each user or group, you can choose one of three types of access: Read Only, Read & Write, and Write Only (Drop Box). With the write-only option, Leopard creates a Drop Box folder in the volume to which the specified remote user or users with access can copy files, but whose contents they can't view - it can't be opened. (The special Everyone user, which encompasses all users including the Guest account, has an extra status of No Access. It's a way to disable access without removing the folder from the Shared Folders list.)
To add users, you click the + sign below the list, and then choose named users under Mac OS X or people in your Address Book. For Address Book selections, Leopard prompts you to create a password, which it uses to then make a Sharing Only user account, if you haven't already done so.
The File Sharing options all take effect right away - you don't need to restart anything or click other buttons to make the changes available immediately. Shared volumes can be accessed by any other system - with AppleTalk enabled on the appropriate network interface, you can even discover shared folders from Mac OS 9. (See the postscript at the end of this article for a discussion on AppleTalk.)
Making the Right Kind of Drop Box -- There's one multi-step process worth walking through: Creating a drop box. A drop box is a folder with special permissions that lets a remote user with write-only privileges drop files into the folder, but not open the folder to view or copy its contents. (This can be used among users on the same computer; it is what each user's Public folder's Drop Box folder is partly for.)
You can set user permissions for a shared folder to be Write Only (Drop Box), but that makes the entire volume write-only. When a user mounts that volume, they're told that they can't read the contents, which could be confusing.
Instead of making the volume a drop box, create a nested folder, inside which you put the drop box. First, create a folder that will be the volume; let's call it "Put Files Here". Next, share that folder by dragging it into File Sharing's Shared Folders list. Select it in that list, and choose Read Only for all the users who need access. Don't put any files in that folder.
Now create a new folder called "Drop Box" inside "Put Files Here". Select "Drop Box" in the Finder, choose File > Get Info, and in the Sharing & Permissions section, set all the users you want to limit to Write Only (Drop Box) access. (You may need to click the lock icon and enter an administrator password to make this change.)
When users mount "Put Files Here" as a volume and open its window in the Finder, all they'll see in that window is the "Drop Box" folder with a downward-pointing arrow indicating it can only be written to.
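The nested layout from the steps above, expressed as the Unix mode bits a drop box relies on, with a check that flags the write-only-volume mistake described earlier. This is an added example, not from the article or from Apple; it assumes plain POSIX permissions with remote users falling in the "other" class (Leopard's Sharing pane may record access differently, for example with ACLs), and the function names are made up here.

```shell
#!/bin/sh
# Added example (not from the article): the nested drop box layout expressed
# as plain POSIX mode bits. Assumption: "everyone else" is modelled with the
# "other" permission class; Leopard's Sharing pane may use ACLs instead.

# Print the 10-character symbolic mode of a path, e.g. drwxr-xr-x.
# Any trailing ACL/xattr marker that ls appends (+, @, .) is cut off.
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Create SHARE (the folder that gets shared as the volume) with a
# "Drop Box" folder inside it.
make_dropbox() {
    share=$1
    mkdir -p "$share/Drop Box" || return 1
    chmod 755 "$share"             # others may list and enter, not write
    chmod 733 "$share/Drop Box"    # others may enter and create, not list
}

# Check an existing layout. Prints one line per finding and returns
# non-zero if the layout does not behave like the nested drop box.
audit_dropbox() {
    share=$1
    rc=0
    # The "other" permission bits are characters 8-10 of the mode string.
    outer=$(mode_of "$share" | cut -c8-10)
    inner=$(mode_of "$share/Drop Box" | cut -c8-10)

    case $outer in
        r-x) echo "ok: volume is read-only for others" ;;
        -wx|-w-)
             echo "FAIL: volume itself is write-only; users cannot see the Drop Box folder"
             rc=1 ;;
        *)   echo "FAIL: volume 'other' bits are '$outer', expected r-x"
             rc=1 ;;
    esac

    case $inner in
        -wx) echo "ok: Drop Box is write-only for others" ;;
        r*)  echo "FAIL: Drop Box contents are listable by others ($inner)"
             rc=1 ;;
        *)   echo "FAIL: Drop Box 'other' bits are '$inner', expected -wx"
             rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh dropbox.sh "/path/to/Put Files Here"
if [ "$#" -ge 1 ]; then
    make_dropbox "$1" && audit_dropbox "$1"
fi
```

Because the check reads mode bits rather than attempting access, it gives the same answer when run by an administrator, whose own access would not be limited by these bits.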
Finder Tune-up -- The way that volumes are mounted in the Finder and appear on the Desktop has hardly changed since we moved from the Chooser in the classic Mac OS to the often-problematic network browsing in Mac OS X. Leopard reworks this, partly by combining some of the aspects of the Chooser with Mac OS X - no kidding!
You can still use Go > Connect to Server in the Finder to type in an AFP name, an IP address, a domain name, or the name by which Windows identifies a shared volume, or to pull up a server you've added to favorites. But the browsing option is what's new and improved in Leopard.
In any Finder window, you can now see available network servers and connected servers in the sidebar. You can choose whether servers visible over the network and connected servers appear in the sidebar by selecting Finder > Preferences, clicking the Sidebar button, and unchecking Connected Servers or Bonjour Computers. (The list of Bonjour Computers includes Windows servers advertised via NetBIOS servers, too.)
Select a server in the sidebar, and Leopard automatically tries to connect as Guest using AFP, and shows you the available volumes in such a case. Click the Connect As button in the upper right of the window, and you can use a standard server login dialog to enter a username and password. If you store your login details in the Keychain, the server automatically logs on the next time you click it after unmounting.
Networked volumes no longer appear on the Desktop by default unless you use the Finder's preferences to make them appear. Choose Finder > Preferences, click General, and check Connected Servers. Otherwise you will, like me, be scratching your head, wondering where those volumes went to!
In an extremely welcome change, Apple has added a bit of underlying magic called AutoFS to eliminate the Finder lockups (complete with the spinning pizza of death) that we've all grown to loathe when mounted network volumes become inaccessible for some reason. With AutoFS, Leopard spawns a separate thread - a separate thought process, as it were - to handle mounting the volume. You no longer wait for it to mount, and your system shouldn't lock the Finder if the volume suddenly becomes unavailable. I have yet to test this extensively, but AutoFS has worked in this way on other Unix systems for quite a while.
Administrators and File Sharing -- Mac OS X has always had an issue with the relationship between users who had been granted administrator privileges in the Accounts preference pane and file sharing. Until Leopard, if you turned file sharing on, an administrative user could access all mounted hard drives, and any folders within those drives that they had permission to access. That typically included everything but the contents of folders in other users' home directories.
Leopard doesn't share anything automatically except the Public folder in each user's home directory, which is typically empty. To share your startup drive, for instance, you add the drive to the Shared Folders list and its default permissions are pre-filled in the Users list.
Here's where it gets tricky. Three entries appear in the Users list: System Administrator, which is the Unix root account, set to Read & Write; Administrators, a group comprising all users on the system with administrator access, set to Read & Write; and Everyone, a Unix group comprised of all user accounts on the system, set to Read Only.
You might think, well, I'd like to remove administrative users' access, so I'll just select Administrators in the Users list and click the - (minus) button below the list. Wait! You can hear the spooky music starting as you move toward that button. Removing Administrators from the Users list doesn't affect just the sharing permissions attached to the shared volume, but also the underlying file permissions used for local access.
In my test, my startup volume's icon shifted from a hard disk to a folder with a red circle icon on it with a horizontal line. If I'd restarted the machine at that point, I would not like to think about what might have happened. Adding the Administrators group back in restored the drive's icon and access.
My advice? Don't share entire drives or partitions unless you're sure you want all administrator-level users to have access to the files they would if they were sitting in front of the computer with direct access.
What's Missing -- While Leopard is a big step forward, Apple made a few choices I hope to see improved upon or at least explained in future updates:
- The Guest account can't access FTP. For some reason, the Guest account can access only AFP and Windows servers. This might be a security feature, but I've not yet found a way to override this limitation; I'm still looking. (It probably requires a configuration change, but Apple has changed how it creates configuration files for services in Leopard, too.)
- Secure FTP (SFTP) isn't integrated with File Sharing (nor has it been in the past). The encrypted FTP server option requires that you turn on Remote Access in the Sharing preference pane. SFTP is technically a component of SSH, a way of securely connecting to remote systems for command-line sessions. So SFTP honors Mac OS X accounts, but doesn't honor the shared folders you've set up. Any Mac OS X user can connect via SFTP to any drive or mounted volume that they have permission to access, which typically means almost every one outside of system resources and individual users' home directory contents. It would be nice to see SFTP more fully integrated with File Sharing, although Apple is working with constraints that are designed into SSH.
- AFP login options have disappeared. Most of these options had to do with secure logins, and my colleagues in the worlds in which secure AFP was used say that setup was always somewhat wonky. TidBITS friend Chris Pepper reports that they aren't available in the Leopard Server administration tool, either.
More Information -- If you're looking for more information about sharing files in Leopard, check out my new book on this topic, "Take Control of Sharing Files in Leopard." The 89-page book is full of step-by-step instructions for working with everything mentioned above, plus a detailed section on sharing iTunes and iPhoto libraries among users on the same computer or users connecting across the network. The book starts with a set of sections on how to figure out what kind of file sharing best fits your needs and the challenges that face you - along with their appropriate solutions.
A Postscript about AppleTalk and AFP -- AppleTalk has a tricky history relative to AFP. While Apple enabled AFP-over-IP or AppleShare-over-IP using Internet networking instead of AppleTalk as the transport mechanism starting with Mac OS 9, it didn't disable AppleTalk as an option until Tiger. Further, the way that AFP volumes are advertised on the local network under Mac OS X since 10.2 isn't backwards compatible with earlier system versions. In brief, and I believe I now have all the nuance in here:
- Mac OS 8 can access Tiger and Leopard AFP-shared volumes and see those volumes in the Chooser if AppleTalk is enabled on Leopard on the network interface feeding the network that the Mac OS 8 computer is connected to, such as an Ethernet network.
- Mac OS 9 and Mac OS X 10.1 to 10.3 can access AFP-shared volumes via either AppleTalk or AFP-over-IP. (Mac OS X 10.0 doesn't allow AppleTalk connections, but I can't imagine anyone in their right mind still running 10.0.)
- Mac OS 9 and Mac OS X 10.0 to 10.1 can't discover AFP volumes that are shared without AppleTalk on the network they're connected to, but they can connect by IP address or domain name.
- Mac OS X 10.2 and later can use Rendezvous (10.2, 10.3) and Bonjour (10.4, 10.5) to discover AFP-shared volumes.
Apple's technical note on the matter has quite a lot of additional detail that should help people using networks with different versions of the Mac OS sort it all out.
In short, if you're still using a variety of older versions of Mac OS on your network, you should enable AppleTalk. Tiger and Leopard can't connect to an AFP server via AppleTalk, but they can serve it up for older machines.
To enable AppleTalk in Leopard, open the Network preferences pane, select the interface - like Ethernet - and choose the AppleTalk tab. Check the Make AppleTalk Active box. You can have AppleTalk active on only a single interface at a time under the regular version of Leopard; the server version lets you activate AppleTalk on multiple interfaces.
Article 5 of 20 in series
Slipping Into Something More Comfortable
by Tonya Engst
When Leopard arrived, I couldn't resist slipping into something more comfortable... picture included!
When the FedEx delivery truck arrived around 11 AM today with my pre-ordered copy of Mac OS X 10.5 Leopard from the Apple Store, I quickly slipped my feet into my trusty new leopard slippers in order to go outside and sign for the box. I learned that Apple had warned FedEx ahead of time to expect a lot of Leopard packages today and that FedEx had been asked to try to deliver them as early as possible. He said that for the Ithaca-based FedEx branch, there were about 150 boxes. (Thanks to Adam for taking my photo.)
Article 6 of 20 in series
Take Control News: Five Ebooks Launch You into Leopard: Save 30%!
You'll be reading about Leopard in TidBITS for some time, but for significantly more detail about Apple's new operating system, check out the five ebooks we've just published - over 650 pages all told!
Mac OS X 10.5 Leopard is finally here, and we can now share with you the fruits of an incredible amount of work over the last few months: five of our most popular ebooks completely updated for Leopard, all available right now. You can get help upgrading to Leopard, customizing all of Leopard's new features, sharing files much more elegantly than in the past, managing your fonts with Leopard's new font activation capabilities, setting up user accounts, and much more.
To the thousands of you who pre-ordered our Leopard ebooks, thanks! You can now click the Check for Updates link (or red starburst) on your pre-order PDFs to download the full versions. If you haven't yet ordered, we have three options for you:
- Buy just the ebooks you want individually. They're all $10, except for the 217-page "Take Control of Fonts in Leopard," which is $15. If you've bought the Tiger or Panther versions of any of these ebooks, click the Check for Updates button in your copy to save 20%.
- Buy our core "Take Control of Upgrading to Leopard" and "Take Control of Customizing Leopard" titles for $15, saving 25%. This bundle is linked on the left side of these books' pages on the Take Control Web site.
- Buy our "I Love Leopard" bundle of all five ebooks - over 650 pages in all! - for only $38.50, saving 30% off the cover price. Again, the bundle is accessible from the left side of each book's Web page.
You can read more about each of the ebooks on our Web site, but in short:
- "Take Control of Upgrading to Leopard" is the latest edition of the title that launched Take Control back in 2003 with Panther. In it, Joe Kissell shares his hard-won advice about the best ways to install, test your installation, troubleshoot problems, get going in Leopard, and more.
- "Take Control of Customizing Leopard" provides a tour of new and revamped features in Leopard by the ever-opinionated Matt Neuburg. Matt demystifies Time Machine, shows you how to use Spaces effectively, and explains why Spotlight in Leopard is so much improved over Tiger.
- "Take Control of Users & Accounts in Leopard" describes different types of accounts in Leopard, which ones are right for the different people who use your Mac, how to share files between accounts, and what you can limit with new features in Leopard's parental controls. Kirk McElhearn also explains how to create and use a troubleshooting account should problems crop up.
- "Take Control of Sharing Files in Leopard" makes file sharing easy between two Macs, among a mixed-platform office workgroup, or between far-flung computers on the Internet. Wi-Fi guru Glenn Fleishman explains each of Leopard's file sharing technologies and helps you connect to file servers from a variety of major operating systems.
- "Take Control of Fonts in Leopard" explains everything you need to know about how fonts work in Mac OS X and what has changed with Leopard. In particular, veteran Mac author Sharon Zardetto looks at Leopard's new and updated fonts, along with Leopard's new font activation capabilities, font previewing via Cover Flow, and font sample printing.
Article 7 of 20 in series
Six Things I Hate about Leopard
by Matt Neuburg
Six things about Leopard I just can't stand. I've been dying to talk about these, and now I'm going to.
Let's all do the Leopard Moan. Yes, Time Machine is cool, Spaces is neat, but oh (moan!), the interface! What were these people thinking? Yes, you've got a rant inside you, waiting to howl to the moon, and so do I; it's a full moon right now, so let's take this opportunity to get it out of our systems (pun intended). Herewith, then, some things I just can't stand about Leopard.
The Dock -- The Dock now expresses itself as a silly reflective shelf. My objection to this is not merely the business of "wasting CPU cycles drawing trendy 3D junk." In order to accommodate the reflection, the Dock icons have to sit considerably higher than before, robbing the user of valuable screen real estate. Even worse, the indicators of an icon's status, in particular the marker that tells you that an application in the Dock is currently running, are darned near invisible, lost in the reflective shelf's shiny suckitude. Luckily, at the last minute, after the last seed but before the Golden Master, Apple relented and provided an alternative mode of Dock display; this alternative is now the default if you move the Dock to the left or right side of the screen, and can be applied even to a Dock at the bottom of the screen by using some Terminal trickery. In short, issue these two commands in Terminal:
defaults write com.apple.dock no-glass -boolean YES
killall Dock
The Grey -- Remember when your Mac had a 9-inch screen and every pixel was either black or white? It looks like Apple does, too, with nostalgia. This system declares war on color. The result is just plain ugly. That's right, folks, you heard it here: the "unified textured look" of windows in Leopard, for which iTunes was evidently the incubation laboratory all along, is ugly. The title bar of a window is big and grey. The title bar of a window that isn't frontmost is a lighter grey, which is backwards: surely it's the frontmost window which should light up, not all the background windows? In the Finder, they've also slapped a grey background behind the sidebar; since the text and icons in the sidebar are also now tiny (with no preference to make them any larger), they are both ugly and illegible. An empty folder icon is no longer a lovely shaded three-dimensional-looking blue filing folder; it's a flat grey rectangle. Plus, standard folder icons, as for the Applications, Library, Users, and other built-in folders, are now uniformly blue-grey as well; there does seem to be some kind of icon drawn on each of these folders, but it's tiny and in another grey, so it's virtually invisible. I had no idea how much I relied on the subliminal cues of the large, colorful icons on these folders, until they vanished and I found myself lost in a uniform Finder.
The Menu Bar -- The menu bar is now somewhat transparent. So if your desktop picture is purple, the menu bar is also slightly purple. If your desktop picture has stripes or bright dots, the menu bar has stripes or bright dots. Menus that drop down from the menu bar are also somewhat transparent; they were before, too, but the native stripes that used to mask that fact are gone, so they inherit the problem. The result is that the menu bar, along with the menus themselves, is less prominent, harder to read, and has a somewhat unready or disabled look, entirely inappropriate to its function.
The Stacks -- Let's pause to remember how a folder in the Dock used to work, as we kiss it goodbye forever. In Tiger, the story is like this. You have a folder in the Dock. It looks like a folder. Click it and it opens in the Finder. Command-click it and you view it (in its containing folder) in the Finder. Control-click it and you get a hierarchical menu of its contents, the contents of its folders, and so on. Just about all of that is now gone. Gone! What was wrong with it? Nothing! It was great. But now, a folder in the Dock, if it has any files in it, doesn't look like a folder; it looks like a file (in particular, it takes on the preview of one of the files it contains). The hierarchical menu of the folder's contents is completely missing. Worst of all, clicking on the folder icon doesn't open the folder; instead, it pops up a lot of icons representing the contents of the folder. That's okay, I guess, if any of those preview icons represents a document that you wanted to open, and if you can tell that from the preview icon; in that case, just click it. But I can't usually tell anything from preview icons, and anyhow, the main thing I want to do with a folder is usually not to open a document within it. What I want is a Finder window listing the folder's contents, so I can study that list, or sort it, or navigate further into the hierarchy, or whatever. In Leopard, arriving at such a Finder window is now a two-step process: first click the folder icon in the Dock; then find and click the "Show in Finder" button. Or, hold the mouse button down on the folder icon in the Dock to make the menu appear; then click the Open menu item. Yeeesh! Talk about making something hard that should have been easy.
The Help -- When you choose something from the Help menu in any application, what opens is no longer the Help Viewer application. It's an orphan window that floats over, and blocks your view of, everything else on the screen. It belongs to no application, so you can't hide it or switch away from it. Now, what's the most common thing to do while you're reading an application's help documentation? You read something in the Help, you switch to the application to try it; you see something in the application, you switch back to the Help to learn about it. No more. Now, as soon as the help window opens, you're stuck: you're in the help window and that's the only place you can be, until you close the window (or minimize it into the Dock). I suppose this is no problem at all if you have massive tracts of screen real estate, as in Al Gore's triple Cinema Display setup; but for most of us, it's horrible. This is going to be a disaster for professional authors of online help, such as, uh, me, because it makes our carefully written documentation effectively unusable. I've already started to make plans for writing my own alternative help application that will act like an ordinary application. The irony is that it took from Mac OS X 10.0 right through to 10.3 (Panther) before Help Viewer even started to become a pretty good application; now Apple has thrown all of that progress right out the window. The floating window, that is.
The Classic -- Apple might not like to condone or even to believe this fact, but there is a large installed user base out there consisting of people who, every now and then, have to run a Mac OS 9 application. Some of us have data in a Classic format, such as a HyperCard stack, and now and then we like to peek at that data. Some of us even make a living out of running a Classic application, as I do with FrameMaker. (It's still the best way on earth to create first-rate PDFs, or large structured documents; it's also an absolutely brilliant XML editor.) I was able to accept, when I acquired my first Intel-based Mac a few months ago, that it wasn't going to run Classic; I can well believe that there might be something about an Intel processor that inherently makes Classic emulation prohibitively difficult. But there is nothing about a new system version, running on a PowerPC-based Mac, that blocks Classic from running; Apple's decision not to support it in Leopard is arbitrary (and feels not a little spiteful).
There, I've done my screaming. The Great Moan is over. I had to do it, just this once. I've said what I had to say, and now I won't have to mention any of these things again. And maybe, just maybe, Apple will see fit to address some of these complaints in a forthcoming update to Leopard. I'm not holding my breath, but you never know.
Article 8 of 20 in series
Screen Sharing with Leopard Extends to Tiger
Leopard lets you share and share alike, offering your system up for remote viewing and control, as well as letting you take control of others' systems (with their permission). But Tiger can play nice, too, through built-in Mac OS X support and Chicken of the VNC.
Screen sharing is the nifty new craze sweeping the nation - but Leopard users only need apply, right? No! You, too, if you're a Tiger user, can hop on the electric funk train. (Yes, I'm punchy following Leopard's release.) All it requires is a checkbox and maybe an extra piece of free software.
Screen sharing enables remote control of another Mac OS X system running Leopard. You turn the feature on in System Preferences by selecting the Sharing preference pane and checking the Screen Sharing box. (You can choose to limit access to certain users, too.) You can access a remote screen in one of four ways with Leopard - and a fifth trick works for Tiger:
- With iChat, any other iChat user running Leopard can share your screen with your permission (just as though they were initiating video chat), although you can control that behavior, too. Screen sharing via iChat can automatically traverse NAT gateways that handle private addressing for networks created by Wi-Fi and broadband routers; NAT otherwise stymies access from outside the local network.
- With the Screen Sharing program, which you can find hidden in the /System/Library/CoreServices folder (a folder chock-a-block with other nifty doodads, too). Launch Screen Sharing and then enter the IP address or domain name for the computer you want to connect to. With this method, the system you're trying to reach must have a routable IP address.
- On the local network via the new Sharing section on the Finder's sidebar. Select any server in the list, and then click Screen Sharing in the upper right, to the left of Connect As, if file sharing is also enabled on that same server, or by itself if just Screen Sharing is turned on.
- With a .Mac account that you use on multiple computers, the Back to My Mac feature provides access to both network volumes (via File Sharing) and remote control. (Back to My Mac, in turn, is activated in the .Mac preference pane in the Back to My Mac tab.) Back to My Mac, too, can handle NAT traversal.
The fifth approach couples Leopard's Screen Sharing feature with Mac OS X 10.4 Tiger. It turns out that you can make it possible to control a Mac running Tiger remotely from a Leopard-based Mac by turning on the Apple Remote Desktop service in the Sharing preference pane's Services tab on the Tiger Mac. That enables just Tiger-from-Leopard control.
For the Leopard-from-Tiger direction, you need a separate, free application. Screen Sharing is based on, and compatible with, VNC, a widely used remote-control protocol. You can thus use a VNC client under Tiger to connect to Leopard systems. First, on the Leopard Mac, in the Sharing preference pane's Screen Sharing item, click Computer Settings, and then check the VNC box and enter a password; note that VNC doesn't rely on or integrate with Mac OS X user accounts. Back on the Tiger Mac, install the free Chicken of the VNC, and use it to connect to and control the Leopard Mac. (A VNC client on Macs running older versions of Mac OS X or computers running other platforms can also work with Leopard's Screen Sharing.)
Chicken of the VNC can discover local systems, including those running Leopard, that are sharing screens by using Bonjour; or you can enter a remote, routable IP address.
Screen Sharing plus NAT traversal simplifies having remote access to your own system or systems, as well as providing tech support to colleagues and your family members.
Article 9 of 20 in series
FileMaker Pro Has Known Glitches under Leopard
As Leopard rolls out around the world, we're hearing more and more about what third-party applications work, or don't, in the new Mac OS X. FileMaker, Inc. has posted an article in their knowledge base about known problems with FileMaker 9.
As the scramble to install Leopard spreads across the globe, we're learning more and more about what software works, and what doesn't, in Apple's eagerly awaited new operating system.
Lots of applications seem to work fine, though most developers are holding off on official statements of compatibility until they've had an opportunity to test their software with the final release version of Mac OS X 10.5, which most developers could first obtain last Friday, along with the rest of us.
A few applications have known problems running under Leopard, and the folks over at FileMaker, Inc. have posted an article in their knowledge base on FileMaker's compatibility with Leopard. The company says FileMaker Server 9 and FileMaker Server 9 Advanced don't currently "deploy properly on Leopard," and they're working on a compatibility update. FileMaker Pro 9 and FileMaker Pro 9 Advanced "generally run on Leopard," with two known issues:
- Instant web publishing doesn't work
- FileMaker only works if its language version matches the region set in the Mac's "International Formats Region" preference under System Preferences. (The English language version, for example, only works when the Mac is set to the United States region.)
The company says it has not tested versions of FileMaker prior to FileMaker 9 under Leopard, and has no plans to update earlier versions.
Article 10 of 20 in series
Leopard Early Fixes and Warnings
by Jeff Carlson
Now that Mac OS X 10.5 Leopard is released, we're starting to see an expected set of updates and incompatibilities. Login and Keychain Update 1.0 corrects issues with accounts created in early versions of Mac OS X; the new Back to My Mac feature could allow someone with access to your .Mac account to take control of your machine; Apple warns Aperture users not to run the software while Time Machine is performing a backup; and a slew of compatibility updates are also available.
Leopard may be the sixth release of Mac OS X, but it's important to remember that it's also a dot-zero release, the first version of a major update of the operating system. There are bound to be some incompatibilities and fixes that Apple is aware of but didn't get a chance to fix before the discs had to be pressed, or that have cropped up since hundreds of thousands of people started running it.
Here's a rundown of some current important issues with Leopard.
Login and Keychain Update 1.0 -- This update resolves an issue caused by using an account that was created in Mac OS X 10.1 or earlier, which used a different login authentication method. It also addresses connecting to some 802.11b/g wireless networks and changing the password of an account with FileVault enabled. The update is available via Software Update or as a 10 MB download.
Application Enhancer and Blue Screen After Installation -- Many people who run Unsanity's Application Enhancer utility are ending up stuck with a blue screen after performing an upgrade installation. Apple has posted an article with recommendations on how to recover from the problem (though your best bet is to make sure all of your utilities are disabled before upgrading as Joe recommends in "Take Control of Upgrading to Leopard," and that's especially true of system-level "haxies" like this). Unsanity claims the problem stems from people using versions of Application Enhancer earlier than 2.0.3, and that they're working on ensuring Leopard compatibility. (Most third-party developers didn't receive their final release versions of Leopard until after the retail copies shipped on Friday, which puts some of the blame for incompatibilities squarely on Apple's shoulders.)
Back to My Mac Security Warning -- Alan Oppenheimer and Open Door Networks are cautioning Leopard users to turn off the Back to My Mac feature due to a security vulnerability that enables anyone with access to your .Mac account password to control your Mac remotely. Back to My Mac is located in the .Mac preference pane, and is enabled by default. [Open Door has now posted more details.]
They write: "The problem came in when we selected the server Mac in the client's sidebar. Instead of either connecting to that Mac's File Sharing as a guest, or asking us for that Mac's password, Back to My Mac automatically connected to the server Mac's File Sharing as that Mac's owner without ever asking for the owner's name and password. Worse yet, the same thing happened when then clicking on 'Share Screen...' giving us full remote control of the Mac without ever entering its password."
Aperture and Time Machine -- Apple is advising users of its professional photography software that the Aperture database could become inconsistent if the program is running during a Time Machine backup (which occurs every hour). Apple's wording is interesting: "If you use Time Machine with Leopard, be sure to set your computer up so that Time Machine only does manual backups." Presumably this refers to being able to customize the Time Machine backup schedule, a feature Apple demonstrated but which didn't appear in the released version. Or, I could be reading it wrong and Apple just means that you manually switch Time Machine on in the Time Machine preference pane to trigger a backup.
Speaking of Aperture, Apple has also released Aperture 1.5.6 Update (a 130.6 MB download), which provides Leopard compatibility and addresses issues with iPhoto, the iLife Media Browser, and recovering an Aperture Library from a Vault.
Stability Updates from Apple -- Each of the following Apple software updates provides improved stability and compatibility with Leopard (and doesn't mention much else): iLife Support 8.1.1 (6 MB), iDVD 6.0.4 (6.5 MB), GarageBand 3.0.5 (14.4 MB), and Backup 3.1.2 (6.3 MB).
FileMaker Pro Has Known Glitches -- FileMaker Inc. has posted an article in their knowledge base on FileMaker's compatibility with Leopard. The company says FileMaker Server 9 and FileMaker Server 9 Advanced don't currently "deploy properly on Leopard," and they're working on a compatibility update. FileMaker Pro 9 and FileMaker Pro 9 Advanced "generally run on Leopard," with two known issues:
- Instant Web publishing doesn't work
- FileMaker works only if its language version matches the region set in the Mac's "International Formats Region" preference under System Preferences. (The English language version, for example, only works when the Mac is set to the United States region.)
The company says it has not tested versions of FileMaker prior to FileMaker 9 under Leopard, and has no plans to update earlier versions.
We'll write more if and when other notable problems arise.
Article 11 of 20 in series
Time Machine: The Good, the Bad, and the Missing Features
by Joe Kissell
Leopard's new backup feature finally brings easy backups to the masses. But is it really all that? And when is that backups book of Joe's going to be updated, anyway?
In "Take Control of Upgrading to Leopard," I spent a few pages talking about how to turn on and configure Time Machine, but I didn't go into much detail because I already have another book, "Take Control of Mac OS X Backups," which is all about backups and is therefore the proper place to put a full explanation of if, when, why, and how to use Leopard's new built-in backup feature. I am at this very moment working hard on a new version of that book that will tell you everything you want to know about Time Machine, and though I can't project an exact release date yet, we will certainly make it available as soon as we possibly can.
However, my work on the new book has been slowed down considerably by having to take time out, on at least a dozen occasions in the last few days, to answer email messages about what I think of Time Machine, how well or poorly it accomplishes some task, whether it's appropriate for enterprise backups or a suitable replacement for Retrospect, and so on. (The messages usually start, "I know you're probably going to cover this in an update to your backups book, but...") I am, of course, always happy to answer messages from readers, but I never dreamed Time Machine would turn into such a drain on my productivity! So, in the interest of heading off more inquiries for a few more days so that I can actually get the book finished, I'd like to take a moment here to offer my initial impressions of, and suggestions regarding, Time Machine. For more information... wait for the book!
Out of Time -- First, some bad news. At the Worldwide Developers Conference in June 2007 - just four months ago - Steve Jobs announced that Time Machine would work with an AirPort Disk (a USB hard drive attached to an AirPort Extreme N base station). As recently as two weeks ago, the same claim appeared on the Time Machine page on Apple's Web site. But then it mysteriously disappeared, and sure enough, the shipping version of Leopard offers no support for AirPort Disks. For whatever reason, presumably technical difficulties of some sort, Apple dropped that feature at the last minute. So, while it's still possible to back up multiple Macs in your home or office over a network, even wirelessly, doing so requires a host Mac (running Leopard or Leopard Server) - a step backward in convenience. The same limitation applies to NAS (network-attached storage) devices from other vendors. Although it may be possible to work around this problem, I wouldn't trust my backups to an unsupported hack, and I strongly discourage you from doing so as well.
That's not the only missing feature. Apple had previously claimed that Time Machine would support encryption, but it doesn't. It does keep FileVault archives encrypted, but the cost of doing so is not being able to back them up until you're logged out of your account - a significant inconvenience. Yet another missing feature is the capability to specify a time limit beyond which older files will be deleted from your backup disk; now Time Machine simply keeps going until it nearly fills up your disk, and then starts purging older files - with an optional warning, but without an option to offload those older files to other media for long-term storage.
Apart from things many of us expected because Apple had told us about them, Time Machine lacks numerous important features common in other backup programs. A biggie: it can't make bootable duplicates; if your hard drive dies, you'll spend long hours restoring your Time Machine backup to a new drive before you can get back to work. It doesn't let you schedule times when it won't run, though you can manually turn it on and off whenever you want. You can't specify more than one destination disk and switch between them automatically (as you might want to do, for example, to keep an extra backup offsite - something I recommend). (It is possible to work around this in various ways, but I have to do more experimentation before I can provide reliable advice.) You can't back up to an iDisk or to optical media. You can't compress your backups - you're going to need, at a bare minimum, free disk space 1.2 times the size of the data you want to back up. And although you can manually specify files, folders, or volumes to be excluded from your backups, Time Machine offers no intelligent filtering (for example, excluding all disk images or all downloaded videos).
Go Forward to Go Back -- I started with the bad news not to diss Time Machine or persuade you that you shouldn't use it, but to put it in perspective. It's the very first version of a brand-new technology. It has limits and bugs (such as a problem with Aperture - see "Leopard Early Fixes and Warnings"), and seemingly lost some features just before its initial release. So despite the one-click setup (very nice) and the groovy 3-D interface for restoring files (extra super nice), it is not the Ultimate Mac Backup Program. At least, not yet.
On the other hand, I can think of at least one excellent reason you might want to start using Time Machine right now: it's guaranteed to be compatible with Leopard! Some of your existing backup software may not be. For example, the developers of SuperDuper are working hard on a Leopard update, but it's not quite there yet. EMC has announced that a Leopard compatibility update for Retrospect will be available within 30 days, and Prosoft says that they're preparing an update to Data Backup 3. Among the backup software already working under Leopard is CrashPlan, thanks to an update on 27-Oct-07. A new version of Carbon Copy Cloner released last week appears to work with Leopard, but may have a few glitches left. And Apple's own Backup just had a minor update for Leopard compatibility (among other things). If you're using any of the dozens of other backup utilities out there, check with the developer for information on its support for Leopard.
Time Machine Impressions -- I've been using the final version of Leopard on my main Mac for the past few days, and based on what I've seen so far, Time Machine appears to work approximately as advertised. It does back up and restore files correctly when I ask it to. However, a few things are not quite as I expected:
- Hourly backups, even to a fast external hard drive with a FireWire 800 interface, often take as long as a half hour! So basically, Time Machine is actively copying files at least half the time. Why does it take so long? It appears that several factors are involved. First, I have .Mac Sync turned on, which results in quite a few files being modified (and therefore, marked as needing backup) every time it runs, whether manually or on a schedule. Ditto for iDisk Sync - since I have a local copy of my iDisk, every time I modify a file there, Time Machine wants to back up that (very large) disk image again. Also, I have Mail checking six IMAP accounts, and every time I get new mail, not only the messages themselves but also Mail's envelope index file and junk mail filter statistics are updated. A number of other background processes on my machine also change files fairly frequently. The net result: on my Mac, Time Machine backs up tens of thousands of files, totaling hundreds of megabytes, every single hour.
- Disk images are a bit of a problem. If you use Parallels Desktop or VMware Fusion, you probably have a very large disk image to hold your Windows installation. Every time you change even a tiny file in Windows, Time Machine is obliged to back up that entire huge file again. The same goes for PGPdisk or even an encrypted disk image you create with Disk Utility to hold confidential files: any small change marks the entire large file as needing to be backed up again. This results in a tremendous waste of space on your backup disk, not to mention a longer time spent performing each backup. Several newer backup programs, including CrashPlan and QRecall, can back up just the changed portion of a large file, but Time Machine's approach makes doing so fundamentally impossible.
- If I activate Time Machine while in Mail, I immediately see dozens of spam messages in my Inbox that were never there before! Mail's junk mail filter intercepted them as soon as they arrived and routed them to my Junk mailbox, but apparently Time Machine doesn't care; Junk is, in fact, the only mailbox that's dimmed when in Time Machine's restore mode, so I can't look at how just that one folder was in the past. I think Apple is trying to be helpful here by highlighting the fact that a "missing" email message may not be missing at all but merely mistakenly filed in your Junk mailbox. But I don't want Time Machine to second-guess me like that.
- Third-party support for Time Machine is still lacking. It's great that I can restore individual items from Mail, Address Book, iPhoto, and so on. But I'd like to restore individual keychain items from 1Password, individual snippets from DEVONthink Pro Office or Yojimbo, and individual records from FileMaker Pro databases. So far, very few non-Apple applications support Time Machine at the record level. If and when they do, Time Machine will become vastly more useful.
Ultimately, I expect I'll continue using Time Machine, but only as one part of a broader backup strategy. Time Machine is pretty good at what it does, and may get even better over time. Even in the best case, though, I'll need some other software to make bootable duplicates, an additional strategy to deal with offsite backups, and probably some fiddling to deal with problem areas like disk images and never-ending hourly backups. And now, if you don't mind, I must get back to my testing, so that I can explain exactly how to do all these things in that book I'm writing!
Article 12 of 20 in series
Evaluating the Leopard Installation Process
by Joe Kissell
The Leopard installer is even better than the Tiger installer was. That's good news, but some oddities and frustrations remain. Perhaps I can interest you in a little book I wrote on the subject.
Right after Tiger shipped, two and a half years ago, I wrote an article here about my impressions of the upgrade procedure (see "Evaluating the Tiger Installation Process," 2005-05-02). I began by saying that the installer was much better than its predecessor, so much so that I might not be able to sell as many ebooks about upgrading as I had when Panther was released! Nevertheless, I found enough surprises that I could say, with all sincerity, that the average Mac user is likely to have an easier and more successful upgrading experience with a bit of expert guidance.
Well, today I'd like to sing another verse of the same song. Yet again, Apple has made substantial improvements to the installer, and in general, the Leopard installation is easier and more reliable than the Tiger installation was. Also, yet again, some aspects of the upgrade process can cause unexpected problems. Based on the feedback I've received from readers of "Take Control of Upgrading to Leopard," the many additional pages of advice and instructions I added about preparing your Mac to run Leopard - and solving problems before, during, and after upgrading - have been more than worthwhile.
System Requirements -- Apple always increases the minimum threshold for hardware compatibility when they release a major upgrade to Mac OS X. But most people assumed Leopard would run on any Mac with a G4 or better processor. Not so: if you have a G4-based Mac, it must be faster than 867 MHz. A question I've heard numerous times is, "What about my dual-800 MHz Power Mac? Isn't that faster than 867 MHz?" The answer, as far as the Leopard installer is concerned, is no. It doesn't matter if your computer is almost fast enough, or if it has multiple processors, each of which is almost fast enough. If the installer doesn't see an 867 MHz or faster processor, it won't let you install. I have heard of some hacks that could let some users of older Macs run Leopard, but I can't recommend them because Apple won't have tested Leopard on those machines, so you may encounter other problems, such as video card incompatibilities and software update failures.
Installation Methods -- Apple has made some improvements to the Archive and Install upgrade method. Specifically, it copies many more folders and files from your old /Library folder to your new one, meaning you'll have less work to do afterward to restore everything to its proper place. The net result is that if you use Archive and Install, with the Preserve Users and Network Settings option selected, you'll get virtually the same result as if you use Erase and Install along with the option of transferring old files from a backup drive at the end. I still think Erase and Install is better, because even if the sets of files you end up with are the same with either method, Erase and Install can wipe out lots of random disk gremlins, as well as reducing disk fragmentation (for what that's worth).
Most people, of course (at least those who don't read my book) will stick with the default Upgrade method. It works reasonably well - in fact, it seems to be more robust than the same method in Tiger. However, as ever, it isn't smart enough to disable all of the innumerable doohickeys you may have installed that could conflict with Leopard. I've read reports, for example, of old versions of Unsanity's Application Enhancer causing blue screen hangs after an Upgrade installation; a variety of other system add-ons, especially those that hack Mac OS X in ways Apple officially discourages, could also cause problems. As long as you have a fresh, bootable duplicate, though, you risk little by trying the Upgrade method - except the expense of time to redo the installation if it fails. Speaking of which...
Make a Backup -- Do not under any circumstances even consider thinking about upgrading to Leopard without a complete, recent, and verified backup of your drive, preferably a bootable duplicate. (Two backups would be even better.) You should do this not only in case something goes wrong during the upgrade itself, but so that you can go back to your previous system, later, if you find out in a few days or a week that something simply isn't working for you in Leopard. Even for people who have no trouble with Leopard at all, a bootable duplicate is extremely helpful in that it lets you use the Erase and Install method without losing any of your old data or applications.
AirPort in the Installer -- For reasons I can't comprehend, when you're running the Leopard installer from the DVD, the AirPort status icon appears in the menu bar. Initially it indicates that AirPort is off, but you can turn it back on and join a wireless network right there, in the installer. I can't think of any reason why you'd want or need to do this, Apple doesn't mention it in their documentation, and I've read several reports of people having difficulties with the installation process after attempting to join a wireless network while booted from the DVD. Why would Apple include this seemingly useless feature, which can only tempt people to take an unnecessary action that might actually cause problems?
Differently Disabled -- When I wrote about the Tiger installer, I complained that it didn't automatically disable login items on the disk you're upgrading, an obvious source of potential conflicts. The Leopard installer has the same problem, regardless of which upgrade method you choose. On the other hand, it may in some situations disable certain software (such as Now Up-to-Date & Contact) without giving any explanation of why it did that, or what components specifically were affected.
Boot Camp Drivers -- Now that Boot Camp is officially part of Mac OS X, Apple includes the latest version of their Boot Camp Windows Drivers on the Leopard DVD itself. So if you're using Boot Camp, you should reboot in Windows right after installing Leopard, reinsert your Leopard DVD, and let the installer run to update your Apple drivers to the latest version.
You Can Take Control -- The Leopard installer isn't bad; it's definitely an improvement over the Tiger installer, and nicer even than the much-improved installer Microsoft offers for Windows Vista. Nevertheless - and I'm speaking as someone who has installed Leopard dozens of times, using many different options, on several machines - that "just-run-it-and-it-works" experience that Apple wants you to believe in may or may not be a reality. If you have a relatively clean system, it could be just that simple. But the more modifications you've made under Tiger or Panther, the greater your chances of glitches when upgrading. And, even the most scrupulous Mac user could fall victim to random disk errors or other unforeseen problems. So although upgrading to Leopard is not difficult, and is not something you should fear or avoid - not even in the initial, 10.5.0 release - make sure you do it right. For detailed guidance in getting your Mac ready for Leopard, performing that crucial full backup, choosing an upgrade method, and working through problems you could encounter in the process, read "Take Control of Upgrading to Leopard," a 125-page ebook that spells out everything you need to know to make the transition as smooth as possible.
Article 13 of 20 in series
Spotlight Strikes Back: In Leopard, It Works Great
by Matt Neuburg
Spotlight on Leopard is so much better than Spotlight on Tiger, it could be a major reason for upgrading. It's full of power user tricks you might not realize are there - until you read this article, that is!
In earlier articles, we've talked about some of the great new features of Leopard that might make an upgrade worthwhile. I wrote an article about Spaces, Glenn Fleishman explained how File Sharing is light years better than it used to be, and Joe Kissell gave us the low-down on Time Machine. (The best way to reference that coverage is from our "Leopard Arrives" series.) In this article, I want to tell you about what I think is the last big piece of the Leopard improvement puzzle - the all-new, all-singing, all-dancing Spotlight.
In order to explain why Spotlight in Leopard is so good, I have to talk briefly about why Spotlight in Tiger was so bad. If you already know that, or if your teeth can't handle any gnashing, you might want to skip this next section, where I recount a bit of regrettable history.
Tiger Spotlight: The Good, the Bad, and the Ugly -- When Spotlight was introduced in Mac OS X 10.4 Tiger, it was touted as a major improvement for users, and it's not hard to see why. Finding things on your hard disk(s) has always been hard - my mother can't find a newly created Word document five seconds after she's saved it - and now that your hard disk is really big and you've got lots of files, it's getting harder. The old-style Finder Find involves searching through the hard disk, file by file and folder by folder, so it's slow; and besides, it requires that you know, with a fair degree of correctness, the name of the item you're looking for, which is often exactly what you do not know.
Back in the old System 7 days, on the other hand, a lot of us were crazy about a wonderful utility called ON Location, from ON Technology. It generated an index of the names of your files, so searching for a file by its name was very fast. What's more, it used third-party translators to look inside your files (regardless of their format), read their content, and index that as well, so you could do a fast search for a file based on some words used inside the file. Well, Spotlight promised to bring that kind of technology to Mac OS X, only even better. ON Location had to build its index, and to keep the index up to date, it had to rebuild it periodically. Spotlight, on the other hand, once its initial index was built, would always be up to date, because every time you made any change to the hard disk, Spotlight would be notified right then and would modify the index accordingly. Small wonder that Glenn's article introducing Spotlight to our readers was so hopeful ("Spotlight on Spotlight", 2005-05-02).
Right from the beginning, however, there was trouble. Some features didn't work; for example, there was an option to search for invisible files, but no invisible files were ever found. Some areas of the hard drive were excluded from the index, so files in those places couldn't be found, even by name; this exclusion was hard-coded into Spotlight (it wasn't a preference the user could access), so there was no way even of learning what the problematic places were. Files of certain types were not found properly; I experienced this particularly with some font files, and Apple confirmed that this was a bug (perhaps caused by the distinction between a file's visible name and its "display name," which was sometimes a weird string to which the user had no access). The indexing would mysteriously stop working, and would have to be restarted using the Terminal command line.
Worst of all, however, was the interface through which you actually performed a search and viewed your found results. There were three such interfaces: the Spotlight menu, the Spotlight window, and the Finder search window.
- The Spotlight menu didn't act like a real menu, it often froze up as you were typing your search, and it displayed only a limited number of results. To see all the results, you had to open the Spotlight window.
- The Spotlight window was annoying in every conceivable way. It belonged to no application; it just hung there mysteriously on your computer, refusing to come to the front when you cycled through your windows or your applications. Its interface was unlike any other window; if anything, it seemed like something out of a Web browser, or a Windows machine. Results were clumped by default into annoying categories; getting information about found results (such as, "Where is this file?") required a great deal of clicking; results could not be easily manipulated; and the search could not easily be refined (beyond the simple default refinements listed down the right side of the window).
- The Finder search window had one big advantage: a search could be refined through a Location Bar and multiple Criteria Bars that could be summoned to describe in detail what you wanted to look for. However, you were inconveniently forced to do this even for something as simple and common as searching for a file by name; you could use the Finder search window only to look for files (not, for example, iCal events); and things were still clumped into groups (mysteriously, not the same groups as in the Spotlight window), though you could ask for a flat list. When you did ask for a flat list, the Finder search window became almost downright good: it started acting quite like a normal Finder window, a familiar and effective interface for working with your results.
The upshot was that none of Apple's Spotlight search interfaces was very pleasant, and none of them gave you access to anything like the full power of Spotlight as implemented through the "mdfind" command-line syntax. For example, mdfind lets you specify wild cards, case sensitivity, and sophisticated Boolean criteria combinations. That's why a host of third-party alternative Spotlight interfaces sprang up, including my own NotLight. But even these were restricted in what they could do by the underlying Spotlight indexing technology (for example, NotLight couldn't find invisible files, because neither could Spotlight); and many users preferred to revive the pre-Tiger search behavior with a free utility such as EasyFind.
A New Deal -- In Leopard, Spotlight is faster, less biased, and far more compliant. Under the hood, the index is both constructed and consulted more quickly, so you spend less time listening to your hard disk thrash and more time looking at search results. Everything within the scope of your permissions is indexed and searchable (or if something isn't, I've yet to hear about it). Searches that are supposed to work (like searching for invisible files, or searching for a file by the name the user believes it has) do work. And the search interface is so good that it might just put third-party interfaces out of business.
The Spotlight window is completely gone. If you want to move quickly and see the top results, you use the Spotlight menu; if you want to see all results, or get some interface assistance in constructing elaborate search criteria, you use the Finder window. Those are your only options. The Finder window is now really close to being a normal Finder window: it comes in all the normal Finder views except Column view (though, unfortunately, in List view you can't ask for extra columns of information, such as Size), and you can do in it nearly anything you can do elsewhere in the Finder, so you'll hardly know you're in a special Spotlight-oriented world. And yet, you are in a special Spotlight-oriented world, as is proven by the fact that you can search in the Finder search window for things that aren't files or folders, such as iCal events and Safari history items. (The main difference I've noticed so far between what you can search for in the Spotlight menu versus the Finder search window is that only the former lets you look up a word in the built-in Dictionary.) Plus, the Finder search window's criteria-construction interface lets you say nearly anything you'd be able to say using mdfind in the command line.
So, for the rest of this article I'm going to explain how to construct a search. There are actually two different "languages" for doing this: there's the textual language of what you type in the search field, which works either in the Spotlight menu or in the search field of a Finder window, and there's the more gestural, interface-based language of manipulating the Finder search window's various options.
The Search Term -- When you type "tonya" into the Spotlight menu's search field, that's a search term. Spotlight interprets this as a request to seek matches in a fairly broad way. Capitalization is ignored, so a document containing "Tonya" will match. Diacritical markings are ignored too, sort of; a document containing "Tönya" will match, but if your search term had been "Tönya" then the document containing "Tönya" would match but documents containing "Tonya" would not, as if your use of a diacritical in the search term had indicated a kind of diacritical wild card. You're doing a word-based search, but what you're searching for is the start of a word; so, you'll also match a document containing "tonyatastic", though not a document containing "retonyafication". (To specify that you want to match entire words, put "tonya" in quotes; now you won't match "tonyatastic". Quotes can also be used to search for exact multi-word phrases.) But the notion of a word includes camel-cased word components, so you'll also match a document called "HelloTonya". Oh, and the search is performed over every kind of metadata, so you'll match documents with "tonya" in their names, in their contents, in their Spotlight comments, and so on.
Two kinds of modification permit you to restrict the search term's application. First, you can specify the kind of metadata you're interested in searching. This is done using a colon-based syntax. For example, to find files that have "tonya" in their Spotlight comments in the Finder, but not files with "tonya" in other types of metadata, you'd put "comment:tonya". The Help documentation gives several other examples of this syntax, some of which are surprisingly powerful. For example, you can ask for files modified on or before a certain date by saying "modified:<=8/10/2007", or files created in a certain range of dates with "created:8/10/2007-8/12/2007". The trouble, though, is that as usual Apple spurns the notion of stooping to provide you with any real documentation: there is no complete conspectus or systematic explanation of the syntax, or even a list of the metadata terms you can specify in this way. (The way I found out about "comment:" in the first example was by trial and error.)
Second, you can combine terms using the Boolean operators AND and OR (in capitals), and modify a term with NOT; a minus sign before a term, with no space, means "and not". The default operator, supplied if you use multiple words without quotation marks or an intervening Boolean operator, is AND. Thus, on my machine, searching on "tonya tidbits" finds 103 items, those that contain both terms; "tonya OR tidbits" finds 530 items; "tonya -tidbits" finds just 15 items, because it's so rare on my computer for Tonya to be mentioned without also mentioning TidBITS.
The Finder Search Window -- To summon the Finder search window, click Show All in the Spotlight menu after a search, or press Command-Option-Space, or (in the Finder) choose File > Find (Command-F), or just start typing in a Finder window's search field. You can use the search term syntax I described in the previous section, but you can also use the Location Bar and the Criteria Bars to restrict and specify your search in a more graphical fashion.
The first question to ask yourself is whether you want to restrict the search location to one particular folder. If you do, then you must start by being in that folder in the Finder before starting the search by pressing Command-F or typing in the search field. When the window changes to a Finder search window, the Location Bar will display the name of the folder you started in; click that name to restrict the search to that folder.
Another nice feature of the Location Bar is that it offers an option to restrict the search to the "File Name", as opposed to the "Contents" - the latter being a misleading term which actually means the default of searching all the metadata at once. These two choices, search by name or search by all metadata, are the two most common forms of search, so it's very sensible of Apple to provide some simple, up-front interface for choosing between them.
To tweak your search further, click the + button at the right end of the Location Bar. This reveals a Criteria Bar. Here you can choose a metadata type in the leftmost pop-up menu. By default, there are just six sorts of metadata listed here: Kind, Last Opened Date, Last Modified Date, Created Date, Name, and Contents. (Here, "contents" really does mean contents.) When you choose one, other operators, fields, and pop-up menus appropriate to your choice appear. So, with "Contents" the only operator is "contains" and you get a text field for typing some text. With "Name" you get a pop-up menu of five operators: "matches", "contains", "begins with", "ends with", and "is". (The difference between "matches" and "is" is that "matches" is word-based; thus, "tonya" matches a file named "Adam and Tonya" using "matches" but not using "is".) With "Kind" you get a pop-up of subtypes, and some of those subtypes have subtypes of their own; thus, the "Kind" called "Music" can be "All", "MP3", "AAC", or "Purchased".
There is also a seventh item in the leftmost pop-up menu of a Criteria Bar: Other. This is where things really start to get good. When you choose Other, you get a dialog listing all the kinds of metadata the Spotlight index knows about. You can just pick one to use it; you can also select a checkbox to specify that that option should appear in the menu from now on, so you don't have to pass through the Other dialog to access it. I recommend that you immediately check two items that I think you'll be using quite a lot:
- System files. When set to Include, files are sought even in special locations such as /Library/Caches and ~/Library/Preferences. For example, if you search on "com.apple" you won't find much, but if you include system files, you'll find hundreds of preference files.
- Spotlight items. When set to Include, searches are expanded beyond files and folders to include other sorts of entities, such as iCal events, Safari history items, and preference panes.
A huge power user tip: When you summon the Finder search window with Command-Option-Space, or from the Spotlight menu, Spotlight items is set to Include. When you summon the Finder search window with Command-F or by typing in a Finder window's search field, Spotlight items is not set to Include. This is actually quite brilliant. Spotlight is making a very reasonable distinction and assumption here: if you started in the Finder, you probably just want to look for files and folders, but if you summoned the search window in a more global way, you probably want to look at all kinds of entities. Of course you can always summon a Criteria Bar and change the setting if the initial default isn't what you intended.
You specify additional criteria by showing and configuring additional Criteria Bars; to do so, just click the + button in any existing Criteria Bar. But here's the real trick: if you click the + button while holding the Option key, you get a special Boolean Operator Criteria Bar. The pop-up menu here says Any, All, or None (the equivalents of the Boolean OR, AND, and NOT operators), and it applies to the Criteria Bars that are grouped just after the Operator Bar and indented to the right. Such groups can themselves include a Boolean Operator Criteria Bar, and so you can form Boolean expressions of any depth and complexity (the equivalent of using parentheses in a logical expression). The default operation, used if you simply set multiple criteria without grouping them, is AND (that is, all the criteria must be true at once to get a match).
Conclusions -- Spotlight in Leopard is what Spotlight in Tiger should have been but wasn't. (Don't get me started on a rant about why Apple has so much trouble getting these things right the first time out.) How good is it? Maybe not quite good enough to put NotLight completely out of business. NotLight will need modification in order to take advantage of some of the new features of Spotlight's underlying technology, but it has three features that the built-in Spotlight interfaces do not:
- With NotLight, the search is not live, so things don't keep flashing and bogging down while you're typing a search term; you type until you're ready, then do the search.
- The Finder Path Bar is great for determining where a found item is by selecting it, but with NotLight you know where every found item is, without having to select it.
- NotLight lets you choose between case-sensitive and case-insensitive term matching; sometimes that's actually useful.
Nevertheless, the improvement in Leopard's Spotlight is very, very dramatic - so dramatic that, whereas, in Tiger, once I'd written NotLight, I never used any of the built-in Spotlight interfaces, but used NotLight exclusively for all searching, in Leopard it is quite probable that I will very rarely turn to NotLight. Coming from me, that's big praise. The fact is that the difference from Tiger to Leopard is like night and day: from being a pain and a trial to use, Spotlight is now a joy; from a wretched, ill-advised interface, we now have a model of how interface ought to be, a gorgeous, easy-to-use graphical expression of a powerful and complex underlying syntax. In short, Spotlight could be another major reason for upgrading to Leopard.
Article 14 of 20 in series
Leopard Firewall Takes One Step Forward, Three Steps Back
by Rich Mogull
Apple touted Leopard's firewall as an improvement over Tiger, but security consultant Rich Mogull found significant problems with how it works and makes some suggestions for better security.
An improved firewall was one of the 300-plus features Apple touted before the release of Leopard, but a mix of design choices and functionality changes reduces its effectiveness compared to the firewall in Tiger, something I had heard only rumblings about when I wrote "How Leopard Will Improve Your Security," 2007-10-22. While it's not concerning enough that you shouldn't upgrade, it is something Apple will need to address fairly quickly with an update.
What's a Firewall? For you non-security-geeks out there, a firewall is a tool that blocks traffic to a system or network based on rules (for a more-detailed description, see Chris Pepper's "What's a Firewall, and Why Should You Care?," 1999-02-22). Firewalls have existed since the late 1980s and were developed in response to the first Internet worms, particularly the Morris Worm, as a way of protecting systems and networks by blocking any unwanted traffic. Before firewalls, if you placed a computer on a network (including the Internet), anyone else on that network could remotely probe your system for open connections and send you traffic directly. Since all computers tend to have some vulnerabilities, and some of those vulnerabilities are remotely exploitable over a network, this gives attackers an easy way to play on your network and potentially exploit your systems. Some of these attacks are self propagating - where malicious code takes over a system and then uses that system to take over other systems. This is what distinguishes a worm from a virus - a virus needs user interaction, while a worm "worms" its way through the network from system to system. Some of you might remember the Code Red worm from 2001 that took down major portions of the commercial Internet by hopping from computer to computer.
In the information security field we use many different kinds of firewalls. The most basic is a network firewall, typically a stateful packet inspection firewall, installed in a router. That's a fancy way of saying we use network firewalls that are a little smarter and can track inbound and outbound connections. The way Internet protocols work is that when you make a connection to a remote computer, you do it over a port. These ports are standardized, such as FTP on port 21, HTTP (the Web) on port 80, and SSH on port 22. The remote system needs to communicate back to you, so when you set up the initial connection your computer gives the remote computer an arbitrarily high port number for the return traffic. Otherwise, you would be limited to talking to only one Web site or FTP server at a time. A stateful packet inspection firewall keeps track of all these connections so it can allow traffic back to your system only if you have an open session, on those seemingly random ports that would normally be blocked.
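The connection tracking described above, as an added example (not code from the article or from any firewall product). The class and field names are hypothetical, and the addresses are constructed documentation addresses.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Connection-tracking table for one protected host (TCP only, hypothetical model)."""

    def __init__(self, host_ip, idle_timeout=60.0, clock=time.monotonic):
        self.host_ip = host_ip
        self.idle_timeout = idle_timeout
        self.clock = clock
        # (local_port, remote_ip, remote_port) -> time the session was last seen
        self.sessions = {}

    def outbound(self, pkt):
        """Record a session the protected host opened; outbound is always allowed."""
        if pkt.src_ip != self.host_ip:
            raise ValueError("outbound packets must originate from the protected host")
        self.sessions[(pkt.src_port, pkt.dst_ip, pkt.dst_port)] = self.clock()
        return True

    def inbound(self, pkt):
        """Allow an inbound packet only if it answers a live outbound session."""
        if pkt.dst_ip != self.host_ip:
            return False
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        last_seen = self.sessions.get(key)
        if last_seen is None:
            return False              # nobody on this host asked for this traffic
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self.sessions[key]    # session went idle: close the return port
            return False
        self.sessions[key] = now
        return True


def demo():
    """Run constructed traffic through the table and return each verdict."""
    now = [0.0]                       # fake clock so the idle timeout is testable
    fw = StatefulFirewall("192.0.2.10", idle_timeout=60.0, clock=lambda: now[0])
    # The host opens a web connection: high return port 51515 -> remote port 80.
    fw.outbound(Packet("192.0.2.10", 51515, "198.51.100.7", 80))
    results = {}
    results["reply"] = fw.inbound(
        Packet("198.51.100.7", 80, "192.0.2.10", 51515))
    results["other_host_same_port"] = fw.inbound(
        Packet("203.0.113.9", 80, "192.0.2.10", 51515))
    results["unsolicited_ssh"] = fw.inbound(
        Packet("203.0.113.9", 40000, "192.0.2.10", 22))
    now[0] = 120.0
    results["reply_after_idle"] = fw.inbound(
        Packet("198.51.100.7", 80, "192.0.2.10", 51515))
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'allow' if allowed else 'drop'}")
```

Only the reply from the server the host contacted gets through; the same return port stays blocked for every other sender and closes again once the session goes idle.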
Another kind of firewall, the one on our Macs, is a host-based firewall. Since our computers aren't always behind big network firewalls, it makes sense to build a firewall into our computers to protect us from attack as we wander between different networks, something that's increasingly common thanks to laptops. If you connect a laptop to any public network, such as at a wireless hotspot or a hotel, some person or automated program will almost certainly be scanning you.
The Tiger Firewall -- In Mac OS X 10.4 Tiger, Apple used a good open-source firewall called ipfw. ipfw is software that sits deep inside Mac OS X and filters network traffic before it makes it to the rest of the operating system, providing the same protection on the road as we have at home. When you opened the Firewall view of the Sharing preference pane in Tiger, that was just a graphical front end to ipfw. Tiger didn't let you adjust the really granular settings without writing your own configuration files, but the available controls were reasonably effective. When you enabled the firewall you could select which network services you wanted to let run. For example, if you had enabled file sharing, the Firewall view would show that file sharing was enabled and that you had to disable it in the Services view. The firewall functioned in a "deny all" mode that blocked everything except ports you specifically enabled, and it offered some advanced options to block all UDP traffic and ignore requests to filtered ports (what's called "stealth mode").
This approach wasn't perfect, but was good enough for the average user. It lacked any outbound filtering - a nice feature that lets you lock down your system to ensure that unapproved services on your Mac can't connect to the outside world, and a good technique to help limit attackers or talkative applications. It also lacked application control, a useful feature common in most host firewalls that lets only approved applications talk to the outside world, no matter what port they use.
Firewalls in Leopard -- Leopard still includes ipfw, but it's no longer the default firewall. Instead, Apple has replaced it with a black box - a firewall program that is unknown to security researchers - that behaves a little oddly. From what we can tell, Apple developed the new firewall themselves to add application control. The firewall now lives in the Security pane of System Preferences and now has three options for the firewall: Allow All Incoming Connections, Block All Incoming Connections, and Set Access for Specific Services and Applications. Apple made the decision to move the firewall in an entirely new direction, which isn't necessarily bad, but makes it more difficult to understand what's being filtered, and seems to leave some potential holes open.
The first problem with the Leopard firewall is that it's difficult to tell what the Set Access option does. It starts the new application-level firewall and lists in the Sharing pane any services you've opened, but it doesn't indicate if they are allowed or blocked. There's also no option for you to add your own open services or ports anymore. Instead, you can add or remove individual applications, but not network services. Stealth mode is still available in the Advanced settings, but the UDP blocking, useful to stop port scanning and some other attacks, is gone.
Worse yet, when you install Leopard, the firewall is turned off, even if you're upgrading and the firewall was previously enabled. Say what you want about Windows, but the firewall is enabled by default. Finally, the firewall can actually break your applications, which I'll explain more about shortly.
Further investigation revealed some really strange (for a firewall) behavior. Some applications ask for permission to access the network the first time you use them, like Safari, Firefox, and Cyberduck, while others are ignored, like Colloquy and Twitterrific. If you have a service enabled in the Sharing pane, but select Block All, it still appears open to the outside world when you scan the ports, but you can't connect to it. Some services seem to be open all the time, no matter what you do. If you ever connect to another computer for file sharing, TCP port 88 (for Kerberos authentication) is opened and stays that way until you reboot, no matter what you set on the firewall, even if you enable stealth mode. Bonjour (mDNS) is hidden in stealth mode but available even if you select Block All. Finally, the firewall is a black box - the only way I could learn what was opened or closed was to scan it from the outside using networking tools (such as Nmap, the same tool Trinity used in "The Matrix Reloaded"). Unlike in previous versions of Mac OS X, you can't check settings by looking in a configuration file.
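With no configuration file to read, the practical check is the outside-in one the paragraph describes. The following is an added example, not the author's method or tooling, for checking your own Mac from a second machine on the same network: it classifies each TCP port as open, closed, or filtered and compares the result with what the firewall setting promises. The function names are hypothetical, the port list combines the ports named in the article with the standard SMB (445) and AFP (548) ports, and Bonjour is not covered because it uses UDP.

```python
import socket

# TCP ports the article names (FTP, SSH, HTTP, Kerberos) plus the standard
# SMB and AFP file-sharing ports.
WATCHED_PORTS = {21: "ftp", 22: "ssh", 80: "http", 88: "kerberos",
                 445: "smb", 548: "afp"}


def classify_port(host, port, timeout=1.0):
    """Classify one TCP port by how the host answers a connection attempt.

    open     - handshake completed, a service is reachable
    closed   - host actively refused (visible on the network, nothing listening)
    filtered - no answer before the timeout (what stealth mode should produce)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"


def policy_violations(observed, allowed=(), stealth=False):
    """Compare observed port states with what the firewall setting promises.

    observed: {port: state}; allowed: ports the user deliberately opened.
    Returns a list of (port, state, reason) for every mismatch, sorted by port.
    """
    findings = []
    for port, state in sorted(observed.items()):
        if port in allowed:
            if state != "open":
                findings.append((port, state, "allowed service is not reachable"))
        elif state == "open":
            findings.append((port, state, "reachable but not allowed"))
        elif state == "closed" and stealth:
            findings.append((port, state, "host answers probes despite stealth mode"))
    return findings


def audit(host, ports=WATCHED_PORTS, allowed=(), stealth=False, timeout=1.0):
    """Probe every watched port on host and return (observed, violations)."""
    observed = {port: classify_port(host, port, timeout) for port in ports}
    return observed, policy_violations(observed, allowed, stealth)


def self_check():
    """Constructed offline check using a throwaway listener on loopback."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_listening = classify_port("127.0.0.1", port)
    finally:
        listener.close()
    after_close = classify_port("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Expectation under "Block All" with stealth mode on: nothing answers.
    states, problems = audit(target, allowed=(), stealth=True)
    for port, state in sorted(states.items()):
        print(f"{port:>5}/tcp {WATCHED_PORTS[port]:9} {state}")
    for port, state, reason in problems:
        print(f"MISMATCH {port}/tcp is {state}: {reason}")
```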
There's one behavior that caught me completely by surprise and calls for an immediate fix. If you have the firewall set to control applications, those applications that don't already have their code signed are signed by Leopard when they access the network. (Code signing is the process of affixing a digital signature to an application, such that the operating system can tell if the application has been modified by malware, because the application's checksum would no longer match the checksum in the signature.) If the application changes itself while running, as Skype does (and as some other applications do too), it won't match the signature the next time you go to run it and your application won't launch. There are no warnings or errors, and the average user might assume something is seriously wrong with their system. I experienced this myself when I was recording a podcast with Glenn Fleishman: Skype failed to launch; I reinstalled, and it launched. The next time I tried to launch it, Skype failed again, and a reinstall fixed it. I looked in my console and saw a weird error. A quick Google search provided the answer.
All of these behaviors are considered "bad" on the whole firewall good/bad scale. Leopard breaks a number of conventions. First, if you select Block All, no network services should be enabled, even if you've turned them on somewhere else. Apple either needs to relabel that setting to "Block All Except...", or change the behavior to block all traffic, especially Bonjour. Application control behavior also needs to be more consistent - having some active applications appear in the settings, but not others, is confusing and could lead to wrong assumptions. I may think I'm only allowing a few applications, when, in reality, all sorts of applications are accepting network connections without my permission. More seriously, Kerberos shouldn't linger on an open port just because you connected to another computer. Having a firewall arbitrarily break approved applications is also unacceptable. Finally, firewall rules need to be user-accessible to allow customized configurations or just to allow the more-advanced users to understand expected behavior.
I've listed some of the more technical details I've discovered on the firewall on my blog at Securosis.com.
These are all problems Apple is perfectly capable of fixing and I'll be surprised if they don't address them sooner rather than later. Until then, I still recommend you activate the firewall in Block All Incoming Connections mode so you don't break applications. If you need to enable file sharing or other remote access, you'll need to either select the Set Access method, or turn your firewall off. One last option is to use ipfw and manually configure firewall rules, or use a GUI tool like the free WaterRoof, and skip the Leopard firewall completely. In WaterRoof, just click Rules Sets to pick your rules, and then go to Tools > Startup Script and install a startup script to run those rules when you reboot.
The good news is that I don't know of any active remote exploits for the Mac, and if you have to take the risk you should be OK for now even without your firewall running, especially if you avoid AFP for file sharing and use SMB instead (selectable with the options button in the Sharing preference pane). This isn't ideal, but it does give Apple a little time to fix up the firewall so it protects users without breaking applications.
Article 15 of 20 in series
PGP Causes Leopard Slowdown, But Fix Is Simple
With PGP installed, upgrading to Leopard can produce hard-to-pinpoint slowdowns, as I saw with a beta of email program Mailsmith. But uninstalling the software or upgrading to a Leopard-compatible beta solves the problem.
I don't like being kept waiting. And the 10 to 15 seconds it was taking for a beta of Bare Bones Software's Mailsmith 2.2 to preview each email message in Leopard was far, far too long. Bare Bones head and founder Rich Siegel is a pal of mine, so my quality assurance email report was full of detail and umbrage. Rich suggested that Spotlight under Leopard might be engaged in some activity - Mailsmith 2.2 uses Spotlight quite effectively - and that I might see an improvement after a couple of days.
Drat the man, he was right, and he's a gloater. He sent me a tweet via Twitter: "@glennf Stay after class and write on the board a hundred times: 'I will never doubt @siegel again.' Hm. Might make a good 'Simpsons' intro."
But after installing QuickTime 7.3 and restarting the PowerBook, the problem recurred. I sent Rich some more troubleshooting data - a Sample Application report available with a button click via Leopard's Activity Monitor that pulls in tons of low-level detail about what a program is doing - and he saw the problem: PGP Desktop.
Although I didn't have PGP Desktop 9 launched, the pgp-agent process was still running. I disabled the item in the Login Items portion of my account setup in the Accounts preference pane and restarted. No good. Terminal showed me that when Mailsmith launched, several pgp-agent daemons would also appear. Mailsmith works directly with PGP's encryption tools; other mail programs tend to rely on AppleScript for integration.
I was unable to find instructions for uninstalling all the PGP components, and the company confirmed for me via email that I should have taken the wise step of uninstalling the program and its pieces via the PGP application before upgrading to Leopard if I was worried about compatibility.
Rich suggested I upgrade to PGP's Leopard-compatible beta of Desktop 9.7 to see if that solved the problem. Of course I did, and the problem went away. (See the tweet above.) With this version installed, I can also now easily uninstall the software through the application. The folks at PGP also said that their support group can provide an uninstaller script for those who don't want to run or even install a beta.
Upgrading PGP seemed to solve a host of mysterious other slowdowns that might have been related to Mailsmith's interaction with PGP, and my PowerBook no longer feels nearly unusable under Leopard. In fact, Mailsmith 2.2 (build 227) is notably zippier under Leopard than in Tiger.
I'd like to believe there's a moral to this story. Check all your software for upgrades and compatibility issues before moving to a new operating system? But I didn't think I was "running" PGP as the obvious application portion wasn't running. Perhaps the moral is "have a revert position in case of failure." Or just, "I will never doubt @siegel again."
Article 16 of 20 in series
Mac OS X 10.5.1 Fixes Numerous Leopard Flaws
by Glenn Fleishman and Rich Mogull
Apple releases Mac OS X 10.5.1, the first update to Leopard, and fixes problems with Back to My Mac, Mail, and Finder data loss when moving files among partitions and networked volumes. It also makes one cosmetic change to the application firewall while fixing a problem that bit Skype users and adding more security.
Apple has released the first update for Leopard, Mac OS X 10.5.1, with a laundry list of fixes for widely reported problems among early users. It's available via Software Update in Leopard, with the downloads under 40 MB for both PowerPC- and Intel-based Macs; oddly, the standalone versions for the desktop and server versions of Leopard weigh in at 110 MB.
One significant improvement is Apple's statement that 10.5.1 "improves the reliability of Back to My Mac-enabled Macs appearing in the Finder's Shared Sidebar." In our experience and that of colleagues, Back to My Mac has worked erratically or not at all, but early signs are promising; see "Punching a Hole for Back to My Mac" (2007-11-17).
The 10.5.1 update also reportedly fixes problems in storing wireless network passwords and using Disk Utility, and it addresses five Mail flaws. A bug that resulted in "potential data loss issue when moving files across partitions in the Finder" has been corrected; this issue cropped up when using Command-drag to move, not copy, files in the Finder across local hard drives and mounted volumes. Most other fixes are cosmetic and minor.
One missing fix in this release is a solution for the progressive Wi-Fi performance degradation experienced by some AirPort users.
The update also fixes some security and usability issues with the firewall, some of which we have previously covered (see "Leopard Firewall Takes One Step Forward, Three Steps Back," 2007-11-05). The label for the Block All option has been updated to read "Allow Only Essential Services." In other words, the firewall behavior hasn't changed, but the label now more accurately represents how the firewall functions.
The most notable other changes are in the application firewall: Skype and other applications that modify themselves when they run are no longer rendered unusable when the application firewall is selected. In 10.5.0 the application firewall would digitally sign the code of any application you authorized for network access and refuse to run the application if the application changed (a technique to protect your computer from attackers). Now, instead of just stopping the application from running without notifying the user, 10.5.1 prompts you to allow network access again if the application has been modified.
The application firewall now also enables you to block programs running under the root user, giving you much better control over your system. These don't completely fix all of the problems with Leopard's firewall, but they're good steps in the right direction.
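The sign-then-verify behavior described here, and in "Leopard Firewall Takes One Step Forward, Three Steps Back", can be modeled as follows. This is an added example and not Apple's implementation: an HMAC over a digest of the bundle stands in for a real code signature, and the class, key, and bundle layout are constructed for the illustration.

```python
import hashlib
import hmac
import os
import tempfile


def bundle_digest(root):
    """SHA-256 over every file's relative path and contents, in a fixed order."""
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # make the walk order deterministic
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).encode()
            with open(full, "rb") as fh:
                data = fh.read()
            # Length-prefix each field so path/content boundaries are unambiguous.
            for field in (rel, data):
                h.update(len(field).to_bytes(8, "big"))
                h.update(field)
    return h.digest()


class AppFirewall:
    """Simplified model of the application firewall's launch check."""

    def __init__(self, release, key):
        if release not in ("10.5.0", "10.5.1"):
            raise ValueError(f"unknown release: {release}")
        self.release = release
        self.key = key            # stand-in for the signing identity
        self.signatures = {}      # app path -> HMAC over the bundle digest

    def _sign(self, app):
        return hmac.new(self.key, bundle_digest(app), hashlib.sha256).digest()

    def authorize(self, app):
        """User approves network access; the app is 'signed' as it is right now."""
        self.signatures[app] = self._sign(app)

    def launch(self, app):
        """Return (launches, prompts_user) for an app at launch time."""
        recorded = self.signatures.get(app)
        if recorded is None:
            return True, True     # never approved: launch and ask the user
        if hmac.compare_digest(recorded, self._sign(app)):
            return True, False    # unchanged since approval
        if self.release == "10.5.0":
            return False, False   # modified: refused with no warning
        return True, True         # 10.5.1: launch and ask for approval again


def scenario(release):
    """Constructed bundle that rewrites its own binary, as a self-updating app does."""
    with tempfile.TemporaryDirectory() as app:
        macos = os.path.join(app, "Contents", "MacOS")
        os.makedirs(macos)
        binary = os.path.join(macos, "ExampleApp")
        with open(binary, "wb") as fh:
            fh.write(b"build 1")
        fw = AppFirewall(release, key=b"constructed-demo-key")
        fw.authorize(app)
        unchanged = fw.launch(app)
        with open(binary, "ab") as fh:       # the app patches itself while running
            fh.write(b" + self-update")
        modified = fw.launch(app)
        return unchanged, modified


if __name__ == "__main__":
    for release in ("10.5.0", "10.5.1"):
        print(release, scenario(release))
```

The integrity check is the same in both releases; what 10.5.1 changes is the response to a mismatch, which is the difference between a silent launch failure and a prompt the user can act on.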
Article 17 of 20 in series
A Simple Hack To Fix Leopard's Stacks
by Rich Mogull
Frustrated by how Spaces uses meaningless document icons in the Dock? Rich Mogull points you to the solution.
I am, shall we say, prone to a lack of organization. As a child it reached such an extreme level that when my sister took over my room after I departed for college she commented to our mother that she had absolutely no previous memory of seeing the color of my carpet. This was only after the two of them shoveled my remaining belongings into a bunch of boxes that still sit in a storage unit someplace that I've never visited.
Needless to say such a profound lack of placement skills is clearly not limited to the physical world. Some people file every email and document into hierarchical folder structures for rapid recall at a moment's notice. Me? It's a good thing I see my wife every night since her face in the photo on my Mac desktop is often covered with various downloads and documents in progress.
That's why I was looking forward to Stacks in Leopard. Combined with Spotlight, it seemed an interesting way to help organize my desktop and keep my needed files at my fingertips. Spotlight, now that it works (see "Spotlight Strikes Back: In Leopard, It Works Great," 2007-11-01), will allow me to sort through my fairly massive repository of old research, documents, and presentations without having to worry about sorting things into highly organized folders. Stacks, on the other hand, seemed ideal for organizing my current projects and keeping them on my Desktop while deceiving any shoulder surfers into thinking I was some zen master of file management.
When I first installed Leopard I was pleased with the two new stacks on my Dock; one for my Documents folder, and one for a new Downloads folder where all downloads were automatically placed. Sure, some of the features Steve Jobs demonstrated in his Leopard preview keynote seemed missing (dynamic stacks), but I was happy enough with being able to put a few small folders on the toolbar and getting one-click access to my current projects.
But Stacks quickly disappointed. Rather than keeping the clean folder icons I saw immediately after installing Leopard, Stacks defaults to the icon of the last file added. This instantly destroyed the zen balance of my Dock and I was surprised that something so simple could be so darn annoying. Suddenly I couldn't tell stacks apart, and the fact that their icons kept changing made a bad thing even worse. Then, thanks to TUAW, I found an easy solution to make Stacks much more useful.
A Mac user in Japan created a series of beautiful drawer icons. Instead of just displaying the latest icon in the Dock, it turns out that Stacks really displays an overlaying stack of the icons for the files in the folder. By simply dropping the semi-translucent drawer icon into the folder the stack is based on, it appears as a drawer holding the icons for the files in the stack.
Installation is simple. First, download the icon sets. Then, drop the icon you want to represent the stack into the stack. Next, right click the stack and choose Sort By: Date Modified. The stack icons are pre-modified with a date out in 2010 so they'll always appear as the first icon in your stack, at least until 2010. (When this hack was first posted you had to adjust the date yourself from the command line, but the icon author updated the files so they are already configured for you).
Zen balance is now restored to my Desktop and Dock, and I find myself once again using Stacks to organize my current projects. For smaller folders the single-click access to the stack is surprisingly more convenient than right-clicking was under Tiger. And sorting by date modified makes even large directories useful as stacks, since I usually want to access the most recent files anyway.
Stacks still needs some work, and I'm looking forward to some of the dynamic features Steve Jobs demonstrated before Leopard was released, but this simple hack turned a disappointment into a useful feature. Now I might have to try the Mac OS X Hints trick for making a Recent Applications stack too...
Article 18 of 20 in series
Transparent Menu Bar, Die Die Die!
by Matt Neuburg
The transparent menu bar has fallen, a victim of hackers' ingenuity. Users, rejoice!
Without speculating on precisely what flavor of Suck they were drinking in Cupertino the day Apple decided to make the Leopard menu bar transparent, can we just stipulate that for some users, at least, the imposition of this unwanted "feature", without the courtesy of being granted any sort of choice, is so annoying that we'd be willing to pay $100 just for the satisfaction of reaching down the back of Steve Jobs' jeans and giving him the biggest wedgie of his reality-distorted life? It is with a sense of indomitable smugness, therefore, that we observe that the nut has been cracked, the Gordian knot cut, and the ravelled sleeve knitted up. Someone has found the magic setting that restores to the menu bar its rightful and peacefully solid opacity.
The place to look is Steve Miner's blog. There are two approaches listed here, one rather dangerous and tricky, the other much easier and simpler. The first involves editing a .plist file, which can be difficult, not least because serious permissions issues can arise that can render your Mac unusable. The second, which you'll see if you scroll down the comments a little, proposes that you do the very same thing by a simple command in the Terminal.
Here's what to do. Copy the following into TextEdit and rejigger it so that it appears all on a single line (that is, delete any Return characters):
sudo defaults write
/System/Library/LaunchDaemons/com.apple.WindowServer
'EnvironmentVariables' -dict 'CI_NO_BACKGROUND_IMAGE' 1
Now copy that line. Start up Terminal, wait until you see the prompt, and choose Edit > Paste. If what you copied didn't include a final Return character, you will now have to press Return. In any case you'll be asked for your password. Nothing visible will happen afterwards, so you must now restart the computer to see whether the menu bar has turned opaque. (Don't bother logging out and in; that isn't enough. You really must restart the computer to get the change to "take".)
Your menu bar will now be very, very opaque - and very, very white, and very, very flat-looking. To fix the whiteness and the flatness, you have two choices.
One possibility is to turn the menu bar grey, as in Tiger. To do so, enter the same command in the Terminal that you gave before, but put "0" instead of "1" at the end. Or, as one reader over at MacOSXHints has suggested, try a value of "0.63"; apparently this is the most Tiger-like setting of all. Remember, you'll need to restart the computer again afterwards. This is the solution I am currently using, and I really like the way it looks.
The other possibility is to place a dash of color tinting over the white menu bar. To do so, turn to the redoubtable Peter Maurer. In his blog, he reveals that he had in fact already written an application for conquering the menu bar's transparency, but when Leopard went final, it stopped working, so he withdrew it. When combined with Steve's .plist trick, though, it does work, so he has re-released it under the name Menu Bar Tint.
Download Menu Bar Tint, install it somewhere useful, and start it up. Menu Bar Tint must actually be running in order to operate, so immediately go to the Login Items in the Accounts preference pane and drag Menu Bar Tint into the list from wherever you installed it.
You now have Menu Bar Tint's preferences window showing on your screen. (If you don't, double-click Menu Bar Tint in the Finder.) You must now set three color preferences that will be used to generate a gradient of color over your menu bar. For each one, click the color rectangle to summon the Colors dialog. In the Colors dialog, pick a color, and (this is important) don't forget to set some opacity using the Opacity slider at the bottom of the dialog, because if you don't, your colors will be completely transparent and therefore you won't see anything happening. The painting of color over your menu bar is live, so you can experiment and view the results in real time. Menu Bar Tint also has some settings for making the overall transparency of your colors different when the mouse is over the menu bar, but I don't like that effect, so I set the two sliders in the Menu Bar Tint preference dialog to the same value.
Menu Bar Tint is very clever, but it doesn't know enough to shut itself off when some application (such as DVD Player) goes into full screen mode, so I prefer to run without it for now.
And what if we change our minds and want to undo our settings entirely? In the Terminal, the following will restore the dreaded menu bar transparency:
sudo defaults delete
/System/Library/LaunchDaemons/com.apple.WindowServer
'EnvironmentVariables'
Again, you want that all on one line, neatly arranged in TextEdit, before you enter it into the Terminal. And you want to be really, really, really careful, because if you get this wrong you will hose the WindowServer .plist file completely and your computer will be unable to start up (though I suppose the file must be backed up in Time Machine, so presumably you could fix things somehow, in a pinch, from the backup).
The really big question that remains unanswered at this time is: what else might be the consequences of the setting that we've changed here? Will Core Image behave differently in any other ways, apart from changing the manner in which the menu bar is drawn?
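The warning above about hosing the WindowServer .plist comes down to three safeguards: keep a backup, confirm the file still parses before it replaces the original, and have an undo that removes only the one key. The Python below is an added example, not code from the article, Steve Miner, or Apple. Its function names, the `.bak` suffix, and the constructed stand-in plist are assumptions, and editing the real file would still require root.

```python
import os
import plistlib
import shutil
import tempfile

KEY = "EnvironmentVariables"        # dictionary the article's command writes
SETTING = "CI_NO_BACKGROUND_IMAGE"  # variable named in the article


def load_plist(path):
    """Parse an XML or binary plist; raises if the file is damaged."""
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def write_validated(path, data):
    """Write to a temp file, re-parse it, then atomically swap it into place."""
    folder = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=folder, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            plistlib.dump(data, fh)
        if load_plist(tmp) != data:
            raise ValueError("plist did not survive a write/read round trip")
        shutil.copymode(path, tmp)   # keep the original permission bits
        os.replace(tmp, path)        # atomic when on the same filesystem
    finally:
        if os.path.exists(tmp):      # only true if something failed above
            os.remove(tmp)


def set_menu_bar_value(path, value):
    """Same effect as the article's `defaults write ... -dict` command.

    Returns the path of the backup taken before the first change.
    """
    current = load_plist(path)       # refuse to edit a file that does not parse
    backup = path + ".bak"           # hypothetical backup name
    if not os.path.exists(backup):   # never overwrite the pristine copy
        shutil.copy2(path, backup)
    updated = dict(current)
    # -dict replaces the whole dictionary; untyped values are stored as strings.
    updated[KEY] = {SETTING: str(value)}
    write_validated(path, updated)
    return backup


def undo(path):
    """Same effect as `defaults delete ... 'EnvironmentVariables'`."""
    data = load_plist(path)
    data.pop(KEY, None)              # every other key is left untouched
    write_validated(path, data)


def restore(path):
    """Put the backup back after a bad edit."""
    shutil.copy2(path + ".bak", path)


if __name__ == "__main__":
    # Constructed stand-in plist, not the real WindowServer file.
    with tempfile.TemporaryDirectory() as tmpdir:
        target = os.path.join(tmpdir, "com.example.constructed.plist")
        with open(target, "wb") as fh:
            plistlib.dump({"Label": "com.example.constructed", "KeepAlive": True}, fh)
        set_menu_bar_value(target, "0.63")
        print(load_plist(target))
        undo(target)
        print(load_plist(target))
```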
Article 19 of 20 in series
Punching a Hole for Back to My Mac
Back to My Mac can work with a little firewall configuration help, and Apple's provided some more detail that we explain how to use. Also, Apple confesses Back to My Mac's security weaknesses - at either end of the connection, not in the middle.
[Editor's note: Since this article was published, Glenn Fleishman has written two interrelated books about Back to My Mac use and troubleshooting, and Screen Sharing in Leopard. The ebooks are $10 each and $15 for both of them. You can read excerpts and purchase the books for immediate download.]
If you're a Mac OS X 10.5 Leopard user dying to use the new screen- and file-sharing service called Back to My Mac, Apple has released some new information that's helped me get the service to work and may help you too. In brief, Back to My Mac requires a full .Mac account and connects through secure tunnels all the computers on which you have both entered your .Mac account information and turned on Back to My Mac in the .Mac preference pane. (You can read a full rundown of the service in an article I wrote for Macworld.)
Back to Which Mac? I had difficulties getting Back to My Mac to function correctly. It first worked between two of my computers set up with Leopard; one computer was at home, the other at my office. The home computer could access the screen and files of my work machine, but not vice versa. I knew that a firewall might be in the way because of a Qwest-supplied DSL router that was problematic to configure. Back to My Mac requires either NAT-PMP (Network Address Translation Port Mapping Protocol) or UPnP (Universal Plug and Play) to open a static incoming port via which remote computers can connect.
(The router crashed whenever I attempted to connect it via its Web interface, but I discovered that if I used a URL path (like /home.html), and not just the IP address of the router, I was able to configure it successfully. This is apparently a bug in the 2Wire DSL router that manifests itself for Mac users, but not apparently for other users.)
After a few days of using Leopard, I was unable to get Back to My Mac to work at all. Fellow TidBITS editor Jeff Carlson had the same experience. When 10.5.1 was released, my home machine could once again see my work machine but not vice versa. Jeff and I did some testing, and found strange problems. When we used the same .Mac account details at one of his computers and two of mine, one machine would show the other two computers in the Back to My Mac set, one would show none, and another would show just one. We were stymied.
However, after overcoming my Qwest DSL router problems, I was able to test information provided in a Knowledge Base article about Back to My Mac security. Apple notes that the service uses UDP over port 4500 and TCP over port 443. While I had already known that, I hadn't tried to set up my DSL router's firewall. (Apple also links from this note to a page I'd forgotten that describes all the ports its operating systems use for common and Apple-specific services. This is very helpful when configuring a firewall.)
Turning on Incoming Access for Two Ports -- Because the router crashed when I was configuring it, I had disabled its Wi-Fi capabilities and attached an AirPort Express Base Station to an Ethernet port on the router. NAT-PMP was turned on for the AirPort Express, but that apparently didn't enable the right kind of punch-through for Back to My Mac via the router.
I determined that the Qwest DSL router lacked UPnP, which is a shame, but it had some very fine-grained controls for enabling incoming access to specific services by name for computers on the local network. (It seems to pick up the Samba sharing name of those computers to identify them by IP address, even when the address changes; or I could assign a static private address, too. It's a little complicated, but well implemented and explained in the router Web interface.)
I turned on incoming access for the two ports mentioned in the Apple tech note, and now Back to My Mac works as expected. If you're in the same boat, it's worth digging out the manual or calling technical support to figure out how to enter the port information you need to allow incoming access. Some devices don't offer the level of control that my 2Wire DSL router has, and you would have to either open incoming access for all computers on given ports, or map those ports from the outside world to a particular computer on your privately addressed network.
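For readers who want to see what the automatic alternative to this manual port opening looks like on the wire, the following added example (not from the article or from Apple) builds NAT-PMP requests in the RFC 6886 format and decodes the gateway's replies, including a read-only probe that shows whether a router answers NAT-PMP at all. Assumptions: the function names are hypothetical, the sample replies and the address 203.0.113.7 are constructed, and a mapping for UDP 4500 is used only because that is a port the article names.

```python
import ipaddress
import socket
import struct

NATPMP_PORT = 5351  # UDP port a NAT-PMP gateway listens on (RFC 6886)
OP_EXTERNAL_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {
    0: "success",
    1: "unsupported version",
    2: "not authorized/refused",
    3: "network failure",
    4: "out of resources",
    5: "unsupported opcode",
}


def build_external_address_request():
    """Version 0, opcode 0: ask the gateway for its public IPv4 address."""
    return struct.pack("!BB", 0, OP_EXTERNAL_ADDRESS)


def build_map_request(opcode, internal_port, external_port, lifetime):
    """Ask the gateway to forward external_port to this host's internal_port."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be OP_MAP_UDP or OP_MAP_TCP")
    # version, opcode, reserved, internal port, suggested external port, seconds
    return struct.pack("!BBHHHI", 0, opcode, 0,
                       internal_port, external_port, lifetime)


def parse_response(data):
    """Decode a reply to a version 0 request; raises ValueError if malformed."""
    if len(data) < 4:
        raise ValueError("reply shorter than the 4-byte header")
    version, opcode, code = struct.unpack("!BBH", data[:4])
    if version != 0 or opcode < 128:
        raise ValueError("not a NAT-PMP version 0 reply")
    reply = {"opcode": opcode - 128,
             "result": RESULT_CODES.get(code, "unknown (%d)" % code)}
    if code != 0:
        return reply  # error replies carry no usable mapping data
    if reply["opcode"] == OP_EXTERNAL_ADDRESS:
        if len(data) < 12:
            raise ValueError("truncated external-address reply")
        epoch, raw = struct.unpack("!I4s", data[4:12])
        reply.update(epoch=epoch,
                     external_address=str(ipaddress.IPv4Address(raw)))
    elif reply["opcode"] in (OP_MAP_UDP, OP_MAP_TCP):
        if len(data) < 16:
            raise ValueError("truncated mapping reply")
        epoch, internal, external, lifetime = struct.unpack("!IHHI", data[4:16])
        reply.update(epoch=epoch, internal_port=internal,
                     external_port=external, lifetime=lifetime)
    else:
        raise ValueError("unexpected opcode in reply")
    return reply


def probe_gateway(gateway_ip, timeout=2.0):
    """Read-only check: send one external-address request, create no mapping.

    Returns the decoded reply, or None if the gateway stays silent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_external_address_request(),
                        (gateway_ip, NATPMP_PORT))
            data, _ = sock.recvfrom(64)
        except OSError:  # includes timeouts and ICMP port-unreachable
            return None
    return parse_response(data)


if __name__ == "__main__":
    # What a client asking for UDP 4500 for one hour would send.
    print(build_map_request(OP_MAP_UDP, 4500, 4500, 3600).hex())
    # Constructed replies, as a gateway might return them.
    granted = struct.pack("!BBHIHHI", 0, 129, 0, 1000, 4500, 4500, 3600)
    refused = struct.pack("!BBHI", 0, 129, 2, 1000)
    print(parse_response(granted))
    print(parse_response(refused))
```

NAT-PMP requests carry no authentication, so a gateway that answers with "success" will open inbound ports for any host on the local network that asks; a silent gateway, like the Qwest router described here, leaves manual rules as the only route.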
Apple's Lacunae in Security for Back to My Mac Documented -- It's worth mentioning that the Knowledge Base article I mention earlier explains briefly many of the security concerns that I mentioned in my Macworld article. Notably, Apple points out that Back to My Mac's linchpin is your .Mac password. While the password is protected when you log into .Mac and Back to My Mac uses strongly encrypted tunnels, the password itself is the only key needed to enable this feature. Thus, if you have a weak password or if it can be easily guessed, other people could gain access to any Back to My Mac-enabled system, too. Picking a strong password provides a greater defense against a password being compromised through guessing or social engineering.
Apple suggests that you use the screen locking feature that's available with the Leopard screen saver; that you use Keychain Access to enable a menu item that lets you manually lock the screen; that you disable automatic login for any user account with Leopard that has a .Mac account pre-filled in the .Mac preference pane; and that you consider the physical security of any Mac for which you've entered .Mac password information.
All of this is laughable, because Apple could have provided a simple assistant and/or a checkbox for Back to My Mac that would have guided you through picking a stronger .Mac password and turning on the various features it mentions. It's not rocket science.
Apple's note amounts to a statement like this: "Back to My Mac is very secure between locations and doesn't disclose any private information; but the endpoints are very weak and we didn't provide any help to you to make the endpoints stronger automatically."
It's a big admission, couched as advice.
Do you have experiences with Back to My Mac, for better or for worse? I'd like to hear them. If you can't get it to work, I'd like to offer some advice. Contact me at glenn@tidbits.com. I'm working on a book on the subject of remote access, and learning more about Back to My Mac problems will help me better help others in the book.
Article 20 of 20 in series
Leopard Compatibility List Updated
Curious about what programs have been updated for Leopard? Look inside for a list of the important or interesting programs that specifically claim Leopard compatibility.
Rather than write oodles of short articles that mostly note that a new version of some utility adds compatibility with Mac OS X 10.5 Leopard, we're going to take advantage of our new TidBITS Publishing System to create a list of important or interesting software that has been updated. (Our definition of "important or interesting" largely revolves around products that we've covered in the past or plan to cover in the future; there's no way this can or should be a comprehensive list.) It's important to note that this list also doesn't include software that runs fine in Leopard without needing an update - don't infer anything if a program isn't included on the list.
We'll add new items to the top of the list, blog-style, and we'll tweak the modification date each time so those reading via RSS will be alerted when there are changes. We won't be publishing this article in an email edition of TidBITS, since it will continue to grow over time. Eventually, of course, Leopard compatibility will no longer be interesting, and we'll let the article remain static after that point. Until then, though, here's what we know. For releases that are purely for Leopard compatibility, we won't go beyond listing the name, version number, and link; for those releases that are more significant, we'll toss in some notes as appropriate.
19-Dec-07 -- It's starting to be more difficult to find Leopard-specific updates, so we'll probably continue this list only through the end of the year.
- GraphicConverter 6.0.3 from Lemkesoft
- The Missing Sync from Mark/Space: Updates now available; the company recommends not using previous versions with Leopard.
- Data Backup 3 from Prosoft Engineering
- Default Folder X 4 from St. Clair Software
- MaxMenus 1.5.1 and LiteSwitch 2.6 from Proteron
- Canto Cumulus 7.5.2 from Canto
- Smart Scroll X 2.7.5b2 from Marc Moini (for Cocoa applications only)
- Daylite 3.6 from Marketcircle
11-Dec-07 -- The updates continue, albeit at a slower pace.
- PowerMail 5.6 from CTM Development
- Norton AntiVirus 11.0 for Macintosh from Symantec
- Adobe Photoshop Lightroom 1.3.1 from Adobe
- Captain FTP 5.2017 from Xnet Communications
- Smasher 1.6 from Insider Software
06-Dec-07 -- We've been busy trying to finish things off by the end of the year, and lots of Mac developers apparently have the same idea.
- Yojimbo 1.5 from Bare Bones Software
- SubEthaEdit 3.0.2 from TheCodingMonkeys
- FileMaker Pro 9.0v3 and FileMaker Advanced 9.0v3 from FileMaker Inc.
- Perfection scanner drivers from Epson
- Logitech Control Center 2.4 from Logitech
- Rumpus 5.3.4 from Maxum Development
- PithHelmet 2.8.2 from Mike Solomon
- Summary 3.0.8 from Summary.Net
- Life Balance 4.0 from Llamagraphics
02-Dec-07 -- With the first serious snow here in Ithaca, we have the first Leopard updates in December.
- TechTool Pro 4.6.1 from Micromat
- Coda 1.1 from Panic
- MPFreaker 1.7.2 from LairWare Software
30-Nov-07 -- As November comes to a close, we're nearing 100 Leopard-specific updates in the list. Keep 'em coming!
- iListen 1.8 from MacSpeech
- DEVONthink 1.3.4, DEVONagent 2.3, and DEVONnote 1.9.11 from DEVONtechnologies
- Suitcase Fusion 12.1.7 and Font Doctor 7.3.1 from Extensis
- Data Rescue II 1.2 from Prosoft Engineering
- Skype 2.6.0.182 from Skype
29-Nov-07 -- Just when we think the Leopard compatibility releases might be slowing down, a bunch more appear.
- LaunchBar 4.3.3 from Objective Development
- ChronoSync 3.3.6 from Econ Technologies
- Docktopus 1.0.3 from Startly Technologies
- VueScan 8.4.48 from Hamrick Software
- Keyclick 1.1.9 from Sustainable Softworks
28-Nov-07 -- Please do let us know if we're missing anything important - there's only so much hunting we can do.
- Typinator 2.1 from Ergonis
26-Nov-07 -- Back in the saddle again after Thanksgiving!
- QuarkXPress 7.31 from Quark. The update also corrects capitalization errors, finds and corrects duplicate words, corrects spacing errors after punctuation, ignores URLs when checking spelling, and ignores words with numbers when checking spelling.
25-Nov-07 -- Here are a few that we've missed along the way.
- SpamSieve 2.6.5 from C-Command Software
- Seasonality 1.5 from Gaucho Software
20-Nov-07 -- Catching up after yesterday's issue. We've moved a few items up from previous days if the changes are again related to Leopard compatibility.
- Nisus Writer Pro 1.0.2 and Nisus Writer Express 3.0.1 from Nisus Software
- Saft 10.0.2 from Hao Li
- Eudora Internet Mail Server 3.3.5 from Glenn Anderson
- Chax 2.0 from Kent Sutherland
- NoteBook 2.1 v262 from Circus Ponies
- RapidWeaver 3.6.5 from Realmac Software
16-Nov-07 -- Apple hit us with a ton of updates yesterday, so we'll point you at our coverage of those updates for the Leopard-specific stuff along with rounding up a crop of third-party updates.
- Mac OS X 10.5.1 from Apple
- iPhoto 7.1.1 from Apple
- Final Cut Studio 2 suite from Apple
- DiscLabel 5.0 from SmileOnMyMac
- PhoneValet 5.3.1 from Parliant Corporation
- Ovolab Phlink 3.6.1 from Ovolab
- DropDMG 2.8.2 from C-Command Software
- BBAutoComplete 1.5.1 from C-Command Software
- Reunion 9.06 from Leister Productions
14-Nov-07 -- The updates continue to flow in, with the most notable release being Fetch 5.3.
- Fetch 5.3 from Fetch Softworks. This is a major release that offers full Leopard compatibility, a redesigned look-and-feel to integrate better with Leopard, support for moving files via copy and paste, and a host of other fixes and enhancements.
- REALbasic 2007 r5 from REAL Software
- Curio Professional 4.1 from Zengobi
- Path Finder 4.8.2 from Cocoatech
- Garage Sale 3.4.1 from iwascoding
- Lingon 2.0.2 from Peter Borg
- Netflix Freak 2.6.1 from The Little App Factory
13-Nov-07 -- After a hiatus over the weekend and a busy Monday putting out the issue, we find...
- NovaMind Express, Pro, and Platinum 4.0.14 from NovaMind Software
09-Nov-07 -- A quick check today reveals...
- iSync Phone Plugins 5.0 and FoneLink 1.2 from Nova Media
08-Nov-07 -- Just a few new things today.
- Art Text 1.2.4, Live Interior 3D 1.4.1, and Mail Factory 2.5.4 from BeLight Software
- Keyboard Maestro 2.1.3 from Stairways Software
- TinkerTool 3.8 from Marcel Bresink Software-Systeme
- Butler 4.1.3 Transient from Peter Maurer
- CPU upgrades and more from Sonnet Technologies
07-Nov-07 -- The updates continue apace, although a few of the ones listed below have been out for a few days and merely made it onto our radar today.
- PDFpen and PDFpen Pro 3.3.1 from SmileOnMyMac
- CrashPlan v10.27.2007 from Code 42 Software
- Sandvox 1.2.4 from Karelia Software
- Synchronize Pro X 5.1.3 from Qdea
- NoteTaker 2.0.0 and NoteShare 1.6.0 from AquaMinds
- TextSoap 5.7.1 from Unmarked Software
- Preferential Treatment 1.1.8 from Jonathan Nathan
06-Nov-07 -- Things are settling down a bit with Leopard-specific updates, but be sure to let us know if we're missing something that has been discussed in TidBITS.
- EMC Retrospect 6.1.138: Minor changes for Leopard, which include an important note that this version is needed for Intel-based Macs with Leopard installed when you handle a full system restore or duplication.
- FileMaker Pro 9.0v2 and FileMaker Pro 9.0v2 Advanced Updater from FileMaker Inc.
- VMware Fusion 1.1 Release Candidate from VMware
- QuickBooks Pro 2007 (latest software patch) from Intuit
- Teleport 1.0 from Abyssoft
- Quicky and nQuicky wireless drivers from QuickerTek
- DoorStop X 2.2 and Who's There Firewall Advisor 2.2 from Open Door Networks
- GoodPage 1.3.1 from TARI
05-Nov-07 -- Just one today, not because there weren't others but because we were working on the TidBITS issue all day.
- Sound Studio 3.5.5 from Freeverse and Felt Tip Software
02-Nov-07 -- Lots more updates today as we work our way back through our press release list.
- Snapz Pro X 2.1.2 and WireTap Studio 1.0.1 from Ambrosia Software: The Snapz Pro X update includes a variety of other minor fixes and enhancements. The WireTap Studio update adds an export drop zone for the iPhone, provides more granularity for the VU meters, and includes various other bug fixes and enhancements.
- Parallels Desktop build 5540 from Parallels
- Interarchy 8.5.4 from Nolobe
- OmniWeb 5.6 from The Omni Group: Includes a new WebKit-based browser engine for faster rendering performance, the capability to view PDFs in browser windows, a new automatic software update mechanism, improved plug-in and JavaScript performance, and more localizations.
- PasswordWallet for Macintosh 4.2 from Selznick Scientific Software: Also enables you to export your passwords to your iPhone with the $10 PasswordWallet for iPhone (and iPod touch) add-on.
- 1Password 2.5 from Agile Web Solutions: A significant update that also adds a refined look-and-feel, a new Wallet feature for credit cards, the capability to export passwords to the iPhone, and more.
- DragThing 5.9.1 from TLA Systems: Also includes optional icon reflections, Leopard-related themes, display of EXIF photo data in previews, and the capability to insert and rearrange items by dragging.
- PopChar X 3.3 from Ergonis
- Phlink 3.6 and GeoPhoto 1.6 from Ovolab
- EyeTV 2.5.1 from Elgato: EyeTV 2.5.1 goes beyond Leopard compatibility to add specific support for Cover Flow, Quick Look, iChat, and Spaces.
- SOHO Organizer 6.5.2, SOHO Notes 6.5.2, SOHO Business Cards 2.5.1 from Chronos
- Simon 2.3 and Caboodle 1.1.2 from Dejal Systems
- Freeway 4.4 from Softpress: Also adds support for Quick Look.
- iDive 1.8.6 and PulpMotion 1.4.6 from Aquafadas
- Merlin 2.5b2 from ProjectWizards: Also includes support for Quick Look.
- ConceptDraw Mindmap 5.2 from CS Odessa: Includes support for Quick Look and Cover Flow, and can export to iCal in Leopard only.
- iPresent It 2.0 from ZappTek
- Synk 6.3 from Decimus Software
01-Nov-07 -- We're mostly catching up with the entries so far.
- Timbuktu Pro 8.7 from Netopia: A $4.95 upgrade from previous 8.x releases to obtain Leopard compatibility. You need the serial number and the activation code to purchase the upgrade version.
- TextExpander 2.0.3, BrowseBack 1.4.1, and PhotoPrinto 2.1.1 from SmileOnMyMac
- Macaroni 2.1 from AtomicBird
- CSSEdit 2.6 from MacRabbit: Added Leopard compatibility and the capability to open CSS files whose names don't end in ".css", in addition to bug fixes.
- KeyCue 4.0 from Ergonis: Major release that also makes it possible to click the keyboard shortcuts revealed by the utility's cheat sheet.
- Miro Public Preview 3
- Hazel 2.1 from Noodlesoft: Also includes several new actions for creating aliases and revealing files.
- Radioshift 1.0.3 and Fission 1.5.2 from Rogue Amoeba
- Audio Hijack Pro 2.8 Preview and Airfoil 2.1 Preview from Rogue Amoeba: The Instant Hijack component is not yet supported on Leopard.
Special thanks to digital.forest, our Web and mailing list host.
TidBITS is copyright © 2010 TidBITS Publishing Inc.
Reuse governed by Creative Commons License.