TidBITS#830/22-May-06

Is your iBook on its last legs? Apple completed its notebook line last week with the MacBook, a 13-inch widescreen laptop with an Intel Core Duo processor. Mark Anbinder and Jeff Carlson bring you their hands-on report. Also this week, Apple's lawyers stay busy fending off a lawsuit from Creative Technology over iPod patents (and countersue in return). Plus, Apple released Final Cut Express HD 3.5, speed-bumped the MacBook Pro, and we note both the release-candidate status of Parallels Desktop and two new Take Control ebooks that explain how fonts work - and don't work - in Mac OS X.

Copyright 2006 TidBITS: Reuse governed by Creative Commons license
<http://www.tidbits.com/terms/> Contact: <editors@tidbits.com>

MailBITS/22-May-06

Apple Speeds Up MacBook Pro Models -- On the same day that Apple released the MacBook (see our coverage in this issue), the company shuffled the configurations on the MacBook Pro laptops. Both the 15-inch and 17-inch MacBook Pro models offer Intel Core Duo 2.0 GHz and 2.16 GHz configurations at the previous prices of the 1.83 GHz and 2.0 GHz models (2.16 GHz was previously a build-to-order option). Apple also added a new build-to-order change to the MacBook Pro: both models can be configured, at no extra charge, with the glossy screen introduced with the MacBook. [MHA]

<http://www.apple.com/macbookpro/>

Parallels Issues Release Candidate of Virtual Machine -- Parallels Desktop, a virtual machine environment for Mac OS X that runs operating systems that require an Intel processor (such as Microsoft Windows XP), has reached the release candidate stage, a point where all bugs should be fixed or classified as not worth fixing. Thanks no doubt to the high profile it garnered following Apple's beta release of Boot Camp, the company said it had over 100,000 beta testers. The release candidate is available now as a 21.5 MB download. Although we normally don't cover pre-release software in TidBITS, it's worth noting that Parallels is still offering $10 off the $50 retail price for the product if you order before the actual 1.0 version appears.

<http://www.parallels.com/en/download/desktop/>

Whereas Boot Camp will install only Windows XP Service Pack 2, and a generic Intel computer might balk at older operating systems or have other limitations, virtual machines such as Parallels Desktop can handle almost anything, including IBM OS/2, Windows 95, various versions of DOS, and the parade of Linux, Unix, and BSD versions. [GF]

DealBITS Drawing: DoorStop X Security Suite Winners -- Congratulations to Bob Dain of mac.com, Charles Kinney of earthlink.net, and Steve B of macrepair.com, whose entries were chosen randomly in last week's DealBITS drawing and who each received a copy of Open Door Networks' DoorStop X Security Suite. And since Steve B entered this DealBITS drawing after being referred to it by Chris Harnish of mac.com, Chris too will receive a copy as a thank you. Even if you didn't win, you can still save $20 on the $79 DoorStop X Security Suite through 29-May-06. To receive your discount, enter "Tidbits0506" in the Comments field of the order form (the third link below). With 1,022 entrants, this was one of the most popular drawings of late; keep an eye out for future DealBITS drawings! [ACE]

<http://db.tidbits.com/getbits.acgi?tbart=08527>
<http://www.opendoor.com/doorstopsuite/>
<http://www.opendoor.com/order.html>


MacBook Fills Out Laptop Line

by Mark H. Anbinder and Jeff Carlson <editors@tidbits.com>

Since Apple's January introduction of the 15-inch MacBook Pro, the unspoken (well, maybe a little spoken) assumption has been that a MacBook without the "Pro" was on the way. Apple's introduction of the 13-inch MacBook last week fills that void, effectively replacing both the iBook and 12-inch PowerBook with a capable, affordable, Intel-based laptop - now available in white or black.

<http://www.apple.com/macbook/macbook.html>

Unlike the aluminum skin of recent PowerBook and MacBook Pro models, the MacBook comes in a white or black polycarbonate shell; the black model is available only on the high end for a $200 price premium that gives you black instead of white and a larger hard drive (80 GB instead of 60 MB). The case also sports a new latchless design, with magnets to hold the laptop firmly closed.

The MacBook features an Intel Core Duo processor running at 1.83 GHz or 2.0 GHz, with a 667 MHz bus. It includes a built-in iSight video camera, Apple Remote and infrared port, Gigabit Ethernet, AirPort Extreme and Bluetooth wireless networking, and Apple's innovative "klutz-proof" MagSafe power adapter, designed to separate easily from the laptop to avoid accidents. The Apple Remote controls not only the included Front Row media software, but also presentations in Keynote. (Apple has put together an informative chart comparing the various MacBook and MacBook Pro configurations.)

<http://store.apple.com/Catalog/US/Images/comparison_chart.html>

The stock configurations ship with 512 MB of memory, which unfortunately is configured as two 256 MB DIMMs. If you install more RAM (up to 2 GB), you should buy two chips of the same capacity to take advantage of better performance by upgrading RAM in pairs, which means you're stuck with those 256 MB DIMMs (and with people buying MacBooks, there may not be much of a market for used 256 MB RAM). Upgrading the RAM is fairly simple: remove three screws and a bracket in the battery bay, and flip two levers that eject the RAM. Macworld's Jason Snell created a short video showing just how easy it is.

<http://www.macworld.com/weblogs/macword/2006/05/macbookvideo/>

An exciting offshoot of this step is that the hard drive is easily accessible from the left side of the bay. The iBook and 12-inch PowerBook models required an almost complete disassembly to replace the hard drive, which made users (like Jeff) reluctant to upgrade old machines with more storage. No doubt this change makes it easier for Apple technicians to speed up repairs and upgrades.

The MacBook also comes with a 60W power adapter, which is the same physical size as the power brick that shipped with the last generation of PowerBooks and iBooks. The MacBook Pro models use a physically larger 85W adapter. You can use the MacBook Pro adapter to power a MacBook and charge its battery, but not the reverse: a MacBook's 60W adapter will power a MacBook Pro, but it won't charge the battery.

Graphics -- The included Intel GMA 950 graphics processor has 64 MB of video memory, and shares the MacBook's main memory as needed, depending on selected resolution and use of external display. This relatively weak graphics capability means you won't want to purchase a MacBook for playing high-performance 3D games, and limits the capability of running Apple's professional applications; for example, Apple confirmed that Aperture's performance is acceptable, but that the MacBook is not the first choice for running the photo-management program. As with previous PowerBook and MacBook Pro models, but not the iBook line, the MacBook supports mirroring or an extended desktop on external displays.

<http://www.apple.com/aperture/>

The built-in display's resolution is 1280 by 800, and the MacBook's mini-DVI port can support Apple's 20-inch or 23-inch Cinema Displays (or other displays up to 1920 by 1200 pixels) with the use of a mini-DVI to DVI adapter (available separately for $20). The 30-inch Cinema Display is not supported.

Like the 15-inch MacBook Pro, the new MacBook offers FireWire 400 but not FireWire 800, and its 4x SuperDrive lacks dual-layer write capability. The low-end MacBook includes a Combo drive (DVD-ROM and CD-RW) by default; the SuperDrive is optional. All versions include two USB 2.0 ports and optical digital and analog audio input and output; as with all of Apple's newest computers, an external USB modem is optional.

Gloss: Boss or Loss? The company says the new wide-format 13.3-inch MacBook display is 79 percent brighter than that of the iBook or 12-inch PowerBook, but people are more likely to first notice the new glossy screen. Windows laptops have sported glossy screens for a few years, but the MacBook is the first Apple product to do so (the glossy screen is also now a build-to-order option for the MacBook Pro). In a briefing following the announcement, Apple said that the new screen improves color and image quality (offering blacker blacks, whiter whites, etc.), and that the MacBook's display is less reflective than many Windows laptops.

The reflectivity is certainly noticeable, though looking at the display head-on reduces the effect, especially when the brightness setting is fairly high. We suspect that the glossy screen will invoke a love-it-or-hate-it reaction in Mac users; but since the screen is the only option for the MacBook, we may have to just learn to adapt.

The Keyboard and Trackpad -- Another significant change to the MacBook's exterior is the keyboard, which looks like an old chiclet type found on early PDAs or calculators. The sides of the keys drop straight down instead of tapering up from the bottom, making it appear as if the keys are spaced further apart, even though they're not. However, the key response is slightly firmer than the MacBook Pro and doesn't feel odd when touch-typing. The keyboard is also recessed into the case, giving the lower section of the laptop a flat plane that will hopefully reduce or eliminate screen smudges, a common irritant with Apple laptops for several generations.

<http://en.wikipedia.org/wiki/Chiclet_keyboard>

The trackpad is the wide variety found on recent Apple laptops, and features two-fingered scrolling. It also adds a new capability: click the mouse button with two fingers resting on the trackpad, or tap two fingers at the same time, to display a contextual menu (the same action as a right-click or Control-click); this feature needs to first be enabled in the Keyboard and Mouse preference pane. Apple confirmed that this is a software feature, not tied to the MacBook's hardware. (Another option is to install SideTrack by Raging Menace, which offers more trackpad configurability.)

<http://www.ragingmenace.com/software/sidetrack/>

Apple's new MacBook is available immediately from the Apple Store Web site and retail locations and Apple resellers, in configurations ranging from $1,050 to $1,500. Build-to-order options include up to 2 GB of RAM and hard drives ranging up to 120 GB.


Creative Hits Apple With iPod Patent Suit

by Geoff Duncan <geoff@tidbits.com>

Creative Labs, the company that has been struggling in the digital music player market longer than Apple has been making iPods, announced it has filed a patent infringement suit against Apple Computer over the interface to its iPod and iPod nano music players.

<http://us.creative.com/corporate/pressroom/releases/welcome.asp?pid=12405>

Creative claims Apple's products infringe on its "Zen" patent (U.S. patent 6,928,433), which it applied for in January 2001 but which was granted only in August of 2005. The patent covers the organization and navigation of music tracks on high-capacity portable digital music players. Creative claims it implemented and demonstrated its interface as early as January 2000; Apple's first iPods didn't ship until October 2001.

<http://patft.uspto.gov/netacgi/nph-Parser?patentnumber=6,928,433>

Creative's suit is filed in the U.S. District Court for the Northern District of California; the company has also filed a complaint with the U.S. International Trade Commission seeking an investigation of whether Apple's importing of iPods from Taiwan is a violation of the Tariff Act of 1930. Creative is seeking an injunction against Apple importing, marketing, or selling its current iPod and iPod nano music players: if granted, such an injunction would be a major blow to Apple's music business.

When Creative announced it had been awarded the "Zen" patent, industry speculation already had the company seeking license fees from Apple Computer; at the time, Creative merely said it was examining all options. Patent license income from a product as widespread as the iPod would certainly help a company which posted a $114 million loss in its most recent fiscal quarter. However, Creative's filing would indicate the companies were not able to reach an agreement, or Apple thinks Creative's patent lacks merit, or that it can keep selling iPods while weathering an undoubtedly long and technical patent lawsuit.

Apple has yet to publicly comment on Creative's suit, but actions speak louder than words: on the same day Creative launched its legal action, Apple filed suit against Creative in the United States District Court for the Western District of Wisconsin, alleging infringement on four of Apple's patents, then updating its complaint two days later to include a total of seven Apple patents. Such tit-for-tat legal maneuvering is common, and often the countersuit results in a settlement rather than both suits being followed to their ultimate end.


Final Cut Express HD 3.5 Goes Universal

by Jeff Carlson <jeffc@tidbits.com>

Apple released Final Cut Express HD 3.5 last week, an update that brings Intel compatibility and a few welcome improvements to the company's intermediate video editor. Until recently, the Final Cut family wouldn't run at all on Intel-based Macs; Apple released Final Cut Studio 5.1 in April, which includes universal versions of Final Cut Pro, Soundtrack Pro, DVD Studio Pro, and Motion, but Final Cut Express didn't make the jump to Intel.

<http://www.apple.com/finalcutexpress/>
<http://www.apple.com/pr/library/2006/may/18fcexpresshd.html>
<http://db.tidbits.com/getbits.acgi?tbart=08485>

In addition to Intel compatibility, Final Cut Express HD 3.5 adds Dynamic RT, which enables real-time streaming of effects and edits that previously would require rendering. Performance is dependent upon the capabilities of the hardware you're running, but even compatible machines at the lower end of the scale can use it; Dynamic RT dynamically adjusts the quality of playback to render video on the fly, so a low-end machine might see degraded image quality instead of choppy playback. Also new is more powerful keyframing for creating effects and moving objects (such as a floating title or picture-in-picture clip) with more control; keyframing used to be one of the differentiating features between Final Cut Express and Final Cut Pro.

This new version also includes the updated Soundtrack 1.5 for audio production and LiveType 2.1 for creating animated text. Soundtrack 1.5 is a big improvement over Soundtrack 1.2.1 (which comes with Final Cut Express HD 3.0): instead of updating the previous version, Apple took Soundtrack Pro and removed features to make it more in line with the package's intermediate focus. (Final Cut Express itself is basically just Final Cut Pro with some of the professional features disabled.) This new Soundtrack adds real-time audio effects processing, real-time crossfades, and enhanced multi-take recording. LiveType 2.1 includes 10 GB of type effects, including new vector-based Live Fonts which scale well for HD-sized content.

<http://www.apple.com/finalcutexpress/soundtrack.html>
<http://www.apple.com/finalcutexpress/livetype.html>

Final Cut Express HD 3.5 is available now for $300; owners of any previous version can upgrade for $100. (For more on Final Cut Express HD, see my review of version 3.0 in Macworld.)

<http://www.macworld.com/2005/06/reviews/finalcutexpresshd/>


Apple Reminds Us of Trusting, Verifying

by Glenn Fleishman <glenn@tidbits.com>

Apple's security team recently sent email to their security announcement list that they had updated their PGP public key. While this seems like an obscure or even unimportant announcement, it's worth looking at for two reasons. First, it highlights how seriously Apple takes security these days versus about four years ago; secondly, it's worth reviewing how you verify and use a public key to ensure the integrity of messages you receive from parties that use them.

<http://lists.apple.com/archives/Security-announce/2006/May/msg00000.html>
<http://lists.apple.com/mailman/listinfo/security-announce>

Four years ago, Apple became more serious about using encryption to allow validation of material it sends out after the BugTraq security list posted a brief vulnerability report noting that Apple didn't verify the integrity of programs and patches released via Mac OS X's Software Update feature.

<http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/49.html>
<http://www.cunap.com/~hardingr/projects/osx/exploit.html>

Apple fixed the problem by stapling on an encryption-based validation method that ensured that downloaded updates actually came from Apple before they were installed - and released that update about 10 days after the report.

Sharing Secrets without Revealing Them -- Public key encryption is an integral part of PGP (Pretty Good Privacy), a system that allows a strong encryption key for a single document or set of text to be exchanged between two or more parties over untrusted networks - i.e., the Internet or most local area networks! An untrusted network is one in which you can't be sure of the identity of the person you're communicating with - they could be an impostor - nor can you tell if someone is eavesdropping on your exchanges. That's the compromise we have in using any programs that move data over the Internet, within a local academic network, or even between parties using a free Wi-Fi network in a cafe.

<http://en.wikipedia.org/wiki/Pretty_Good_Privacy>

With PGP, each party to a message creates and maintains two encryption keys: one public, one private. These keys are related mathematically. The private key must be heavily protected and stored on a local hard drive or a removable USB drive; by contrast, the public key may and should be shared with anyone. Public keys are often published to a keyserver, or a directory of keys, and to Web sites, although that's problematic for reasons I'll discuss later.

The algorithms that drive public key cryptography make cracking the private key effectively impossible over epochal time, taking into account current cracking techniques, expectations in the advances in computation power and distributed computation, and the ongoing formal and malevolent testing that looks for flaws in these algorithms. In general, too, choosing keys that are longer - say 2048 bits instead of 512 - increases complexity without taxing anyone's computer.

The same algorithms make it impractical to attempt to forge a digital signature that would prove that an individual was the possessor of a given public key's private counterpart.

PGP's clever bit - now a common approach for all kinds of secure protocols - is that it doesn't use the slow-to-compute public key encryption to encrypt messages or files. Rather, it uses a public key to protect a strong symmetric key; data protected with a symmetric key is encrypted and decrypted with the same key, and this method is much easier for a CPU to process. PGP thus protects the vulnerable symmetric key with a very strong method. SSL/TLS (Secure Sockets Layer/Transport Layer Security), SSH (Secure Shell), IPsec (IP security often used with virtual private networks), and S/MIME (secure enclosures), among others, use similar methods.

A related benefit is that the same symmetric key can be separately encrypted for many different recipients of the same document. Rather than encrypt a 100 MB file 20 times, you can send a few thousand extra bytes for each recipient attached to a single 100 MB file.

By way of history, PGP was developed in 1991 by Philip Zimmermann, who faced a variety of legal threats from the U.S. government through the 1990s for illegal munitions exports due to how cryptography was classified and how he allowed the program to be disseminated. He went commercial with the software, and it passed through intermediate owners until ending up at PGP Corporation. PGP Corp. offers a free version of PGP Desktop Home 9 for non-commercial use; download the 30-day trial of the full-featured version and let it expire. There's also an open-source project called GPG (GNU Privacy Guard) that uses PGP principles and conforms to the OpenPGP specification.

<http://en.wikipedia.org/wiki/Phil_Zimmermann>
<http://www.pgp.com/downloads/desktoptrial.php>
<http://www.gnupg.org/>

Zimmermann's latest project, by the way, is an encrypted version of voice over IP that encrypts and decrypts sound packets from standard VoIP software that relies on SIP, or Session Initiation Protocol. His Zfone software is even simpler than PGP to use.

<http://www.philzimmermann.com/EN/zfone/>

Trust but Verify -- Public key encryption and PGP are typically used either for encrypting and/or signing a file to transmit or store, or for decrypting and/or validating a received or archived file. Encryption and decryption require that the sending party knows the receiving party's public key, which they obtain directly or from a directory. The sender uses PGP or GPG to encrypt the message with the public key, and the recipient then uses their private key - handled by their encryption software - to read the original message or use the file that was encrypted.

Signing lets the sending party use PGP to compute a relatively short series of numbers that provides a kind of fingerprint of the original message, a bit like a checksum but with much higher complexity. The message can't be reconstituted from the fingerprint - much like you can't produce a finger from a fingerprint - and duplicating the snapshot's number sequence from other text is almost impossible. PGP then uses the sending party's private key to create a signature from the fingerprint. The recipient can then verify the signed message hasn't been tampered with by using the sender's public key.

Apple signs messages sent via its security list and also signs files that are offered for download via Software Update. In the case of the security list, you're on your own for checking the validity of the message. If you use PGP Desktop Home 9 or similar software, you can use one of several methods to let PGP validate signed messages. (Software Update has a built-in method of checking signatures. You may even notice that Software Update itself occasionally downloads a new PGP key!)

Apple uses a similar method to help validate its security updates. If you go to a page, like the one for Security Update 2006-003 for Mac OS X 10.4.6 Client (PPC), you'll see a note at the bottom reading:

SHA1 SecUpd2006-003Ti.dmg = f0dcb0dc51add2b51c297a8f416c4c23da67057c

That's the computed fingerprint of that particular disk image. To verify that a download of that disk image is identical to what was packaged up by Apple, you can follow instructions provided on a linked page. This requires the use of Terminal.

<http://www.apple.com/support/downloads/securityupdate2006003macosx1046clientppc.html>
<http://docs.info.apple.com/article.html?artnum=75510>
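The check described above, written out as an added example (it is not Apple's instructions and not code from this article): it parses a note in the form quoted above, hashes the downloaded file in chunks, and compares the result with the published digest. The function names are illustrative.

```python
import hashlib
import hmac
import os
import re
import sys

# Shape of the note quoted above: "SHA1 <file name> = <40 hex digits>".
# Spaces around the name and "=" are optional, since pages render it both ways.
DIGEST_NOTE = re.compile(
    r"^\s*SHA1\s*(?P<name>\S+?)\s*=\s*(?P<digest>[0-9A-Fa-f]{40})\s*$"
)


def parse_digest_note(note):
    """Split a published note into (file name, lower-case hex digest)."""
    match = DIGEST_NOTE.match(note)
    if match is None:
        raise ValueError("not a 'SHA1 name = digest' note: %r" % note)
    return match.group("name"), match.group("digest").lower()


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large disk image never sits in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, note):
    """Return True only if the file's SHA-1 digest equals the published one.

    A note written for a different file name is rejected outright, so a digest
    copied from the wrong download page cannot produce a false match.
    """
    name, published = parse_digest_note(note)
    if os.path.basename(path) != name:
        raise ValueError("note is for %s, not %s" % (name, os.path.basename(path)))
    return hmac.compare_digest(sha1_of_file(path), published)


if __name__ == "__main__":
    # Usage: python verify_sha1.py <downloaded file> "<note copied from the page>"
    ok = verify_download(sys.argv[1], sys.argv[2])
    print("digest matches" if ok else "DIGEST MISMATCH: do not open this file")
    sys.exit(0 if ok else 1)
```

A match is only as trustworthy as the channel the note arrived over: a digest read from a page fetched over plain HTTP can be altered along with the download. SHA-1 is what Apple's page published in 2006; it is no longer collision-resistant, so use a SHA-256 digest where a publisher offers one.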

I use Bare Bones Software's Mailsmith 2.1 with PGP Desktop 9, enabling PGP to handle my email streams (an extra feature in PGP's commercial version). Any incoming signed message is automatically processed by PGP, checked against keys I have stored, and converted before it reaches Mailsmith so that I can see whether a trusted or unknown key signed the message, or whether the message can't be validated. The downside, of course, is that I now have the unencrypted messages stored on my computer; I'd have to re-encrypt them and delete the stored copies to achieve the same original security. (PGP Desktop and GPG work with other mail programs. PGP Desktop includes several plug-ins and scripts, and there's a GPG plug-in for Apple Mail.)

<http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html>

For instance, PGP inserted this message into the email received from Apple on 08-May-06, about their new public key: "PGP Signed by an unverified key: 05/08/06 at 15:56:15". This alert indicates that while the signing was valid, the key was unknown.

Within PGP, I can mark a given key as verified, once I'm sure that it's really valid. But how can I validate that a public key is valid without recourse to the same untrusted network from which I received the key? That's the next step.

Validating a Key -- For key verification, which I need perform only once per key, I have to find a method other than email - otherwise one interception could disrupt the trust for both the key and the verification of the key. This is where phone calls, faxes, and other information come in handy. You can validate that someone's public key is really the one that they created and distributed by checking its fingerprint with the owner of that key. For the best security, you call up the owner or use another out-of-band method - something other than the Internet, for instance - to get the fingerprint. A secure Web site would also work, though it has both advantages and disadvantages I'll discuss below.

In either version of PGP Desktop Home 9, after pasting in a public key sent via email or copied from a Web page or after importing a key from a public keyserver, you can reveal its fingerprint through these steps. First, select the key in the main PGP Desktop window. Next, press Command-I or select Show Key Info from the contextual menu. The middle of the Info dialog box shows the fingerprint.

If you and the other party use PGP 8 or later, you can use the hilarious Biometric tab, in which each number from 0 to 255 has been assigned a unique word. This is easier to read over the phone. For other versions of PGP or GPG, you'll need to click the Hexadecimal tab and read the short sequence of groups of four hexadecimal digits. If the numbers don't match, the public key you have isn't the one published or sent by the party you're talking to. Time to review your security, if that's the case.

If the fingerprints match, which they always have for me over a decade of using PGP, you've accomplished your out-of-band step and have a secure PGP key that can be used in the future.
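What the fingerprint comparison above amounts to, as an added example (not from this article and not PGP Corporation's code): it assumes a version 4 key as defined by the OpenPGP specification, whose fingerprint is the SHA-1 digest of the public-key packet, and checks a reading obtained out of band against the key you imported. The sample keys are constructed and the function names are illustrative.

```python
import hashlib
import hmac
import re


def first_public_key_body(data):
    """Return the body of the public-key packet (tag 6) that starts a binary key."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    head, first = data[0], data[1]
    if head & 0x40:  # new-format header: tag in the low six bits
        tag = head & 0x3F
        if first < 192:
            length, start = first, 2
        elif first < 224:
            second = int.from_bytes(data[2:3], "big")
            length, start = ((first - 192) << 8) + second + 192, 3
        elif first == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not used for key packets")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, length_type = (head >> 2) & 0x0F, head & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length is not supported here")
        size = 1 << length_type  # 1, 2 or 4 length octets
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body


def v4_fingerprint(key_data):
    """SHA-1 over 0x99, a two-octet body length, and the packet body (40 hex digits)."""
    body = first_public_key_body(key_data)
    framed = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(framed).hexdigest().upper()


def grouped(fingerprint):
    """Format as groups of four hex digits, the layout read out over the phone."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def matches_reading(key_data, reading):
    """Compare the imported key with a fingerprint obtained out of band."""
    cleaned = re.sub(r"[\s:]", "", reading).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        # Refuse partial readings: a short key ID is far easier to collide.
        raise ValueError("need all 40 hex digits, not a short key ID")
    return hmac.compare_digest(cleaned, v4_fingerprint(key_data))


def mpi(value):
    """Encode an integer as an OpenPGP MPI: two-octet bit count, then the bytes."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def build_constructed_key(modulus, created=1146441600):
    """Constructed sample: a v4 RSA public-key packet with a made-up modulus."""
    body = bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(modulus) + mpi(65537)
    return bytes([0x99]) + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    genuine = build_constructed_key((1 << 1023) + 47)      # what the owner published
    substituted = build_constructed_key((1 << 1023) + 49)  # what a tampered page served
    spoken = grouped(v4_fingerprint(genuine))               # read out by the owner
    print("owner reads:      ", spoken)
    print("genuine key:      ", matches_reading(genuine, spoken))
    print("substituted key:  ", matches_reading(substituted, spoken))
```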

You might ask: If Web servers use SSL/TLS to secure connections, and SSL/TLS uses public keys in a similar way to PGP, how do they perform this external verification? The answer is through what's called a certificate authority (CA), a third party that confirms some measure of the truth of identity expressed in an SSL/TLS certificate. Each of these certificates contains a public key for the server using SSL/TLS and is signed by the CA. How does my Web browser then trust the CA? Browsers (and, for other purposes, operating systems) vouch for certificate authorities by embedding the certificates of the CAs - dozens of them - in the browser or operating system. You trust your operating system vendor or browser developer to pick trustworthy CAs, and then the CAs to identify correctly the organizations that are using the certificates the CAs have validated.

(If you need to use digital certificates for private purposes or within a company, and don't want to pay a yearly fee for a CA-issued certificate, you can create your own. These self-signed certificates put you in the role of CA by creating a special certificate that's separately installed on any computer with which you'd interact. Mac OS X has great tools for examining self-signed certificates when presented via a Web browser or as part of a kind of Wi-Fi network login called WPA Enterprise that also uses certificates. You can choose to trust a self-signed certificate once or always, along with other parameters. Apple includes tools for generating your own certificate and self-signing within Keychain Access. Choose Certificate Assistant from the Keychain Access application menu.)

Why Is Apple Updating Its PGP Key? That brings us to the issue I started with: Apple has updated its public PGP key for security messages - both messages it sends out on the list and messages you want to send them. Why? When you create a public/private key pair, you determine how long the keys remain valid. The expiration date is another way to limit the damages from a private key that slips into the wrong hands. (There's also a way to revoke keys, but it's unreliable and a bit complicated to discuss in brief.) Apple expires many of their public keys as a routine part of encryption hygiene.

Now, the one mistake Apple made with distributing their new key is that while they provided full information with their key, including the fingerprint, they provided no external validation method. The link included in the email they sent is for a plain HTTP transaction. Because HTTP transactions occur in the clear, it would be possible for an attacker at an institution - say a university or corporation - to modify both the email and the appearance of an Apple Web page that you view on your computer through a variety of well-known local area network exploits. You might see a different fingerprint and public key on the Web page served to your computer than Apple has on its.

Sure, this is extremely unlikely, but when you're working with a key that will last a year and a process that's designed to provide commercial-grade security for tens of millions of people, well, it's an oversight.

I did discover that Apple's SSL/TLS Web servers will let you request the same page through a secure transaction. If you enter "https" instead of "http" for the page containing their public key and fingerprint, your browser uses its certificate authority to ensure you're seeing a page Apple intended for you to see. (Your CA list being cracked within the browser is an unthinkably low probability unless this list were tampered with for millions of people or as a common exploit.)

When you load the page via SSL/TLS, you may receive one warning for a Web bug (tracking image) on the page that you can safely ignore; some colleagues didn't see that warning at all.

<https://www.apple.com/support/security/pgp/>

For most people, any step beyond viewing a plain, non-encrypted Web page at Apple is certainly unnecessary, but it's good to review the chain of trust. For those who favor the most stringent methods of external confirmation, Apple is just a mark or two below that. It's much more likely that any exploit would be an inside job - which has happened at some firms, but is an unlikely event - than from the outside.

I do have one rather off-beat suggestion. Provide an automated fingerprint reader by phone. Offer a telephone number that's clearly within Apple's known phone range and have a voice that says, "Here is Apple's PGP security key fingerprint for the key expiring May 1, 2007," followed by the string of hexadecimal digits.

They could even use Talking Moose, for old times' sake.


Take Control News/22-May-06

by Adam C. Engst <ace@tidbits.com>

Ultimate Guide to Fonts in Mac OS X Now Available -- Wrangling fonts in Mac OS X can be difficult. What with six different types of fonts - some of which can contain thousands of characters - and more than six possible locations for font storage, it's tough to stay organized and work efficiently, and it's maddening when something goes wrong with your fonts and eats an entire afternoon.

We know all about how hard it can be, both from hair-pulling experience and because we've now spent over nine months writing, testing, and polishing a pair of ebooks about how to take control of fonts in Mac OS X. Both ebooks were written by Sharon Zardetto Aker, a veteran Macintosh author best known for her work in the early years of Macworld and MacUser, and on "The Macintosh Bible." Her first ebook, the 255-page "Take Control of Fonts in Mac OS X," helps you organize existing fonts, install new ones successfully, and use fonts like a pro (or more to the point, like a pro who knows fonts inside and out!), and it comes with over $80 worth of coupons for discounts on font-related products. Sharon's second ebook, the 120-page "Take Control of Font Problems in Mac OS X" helps you troubleshoot general font issues and solve specific problems with ease.

<http://www.takecontrolbooks.com/fonts-macosx.html?14@@!pt=TRK-0036-TB830-TCNEWS>
<http://www.takecontrolbooks.com/font-problems-macosx.html?14@@!pt=TRK-0037-TB830-TCNEWS>

"Take Control of Fonts in Mac OS X" starts with a look at where fonts are stored, why they are there, and how you can organize them to achieve harmony and useful Font menus. Special attention is paid to legacy fonts from Mac OS 9, fonts installed by Adobe and Microsoft applications, and fonts from iWork and iLife. Once that's under control, you'll learn where to find cheap new fonts and the ins and outs of a variety of font installation methods. Then Sharon turns her attention to using the fonts: how to find them in menus, type on a foreign language keyboard, and take advantage of the wealth of cool special characters hidden in modern Unicode fonts. She wraps things up with font-related advice for sharing documents with others, particularly people using Windows applications.

"Take Control of Font Problems in Mac OS X" begins with a look at the different types of fonts you may find on your Mac and where they are stored, gives you advice on preventative measures and a roundup of useful problem-solving tools, and gets you going by teaching you how to perform basic troubleshooting measures. Once that's out of the way, the ebook presents you with a table that helps you determine if you have a specific sort of problem or a general one. You'll find lots of solutions to specific problems, as well as a colorful flowchart that gives a visual overview of how to proceed with troubleshooting a general problem (you can also download the flowchart as a stand-alone flier; feel free to share it with friends). The flowchart links to specific instructions for carrying out each troubleshooting step. If you have a font problem, know people who have font problems, or want to be sure you'll be on top of things if a problem crops up, this ebook is for you. We expect that most people will want both ebooks, but if you plan to pick up only this one, note that it assumes you understand the basics of managing fonts and working in Font Book.

<http://www.takecontrolbooks.com/resources/0037/TakeControlOfFontProblemsFlier.pdf>

The ebooks are available separately for $20 and $10 respectively, or you can save $5 by buying them bundled together. We realize they're a bit more expensive than our other titles, but we feel the price is warranted given their technical depth and size (over 350 pages combined!) and the vast amount of work that went into them, and the coupons could easily be worth more than the purchase price. More to the point, this isn't a trend - the sheer amount of content we had required proportionally more effort than anticipated and caused troubles with our technology that don't occur with our shorter books, so our next few ebooks will return to the normal size and price range.


Hot Topics in TidBITS Talk/22-May-06

by TidBITS Staff <editors@tidbits.com>

The first link for each thread description points to the traditional TidBITS Talk interface; the second link points to the same discussion on our Web Crossing server, which provides a different look and which may be faster.

Garmin StreetPilot 2720 -- Adam's review of this GPS device prompts readers to share their own experiences with similar devices, plus news that Garmin is working on a Mac version of their software. (12 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2997>
<http://emperor.tidbits.com/TidBITS/Talk/828/>

MacBook Fills Out Laptop Line -- Readers share their opinions of the MacBook laptop, including the eternal question of whether to buy the new notebook or spend more money for the pro version. (13 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2998>
<http://emperor.tidbits.com/TidBITS/Talk/829/>

The War Over Neutrality -- Responses to Geoff Duncan's article on the Net Neutrality debate look at the power of content providers and bandwidth suppliers. (5 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=2999>
<http://emperor.tidbits.com/TidBITS/Talk/831/>

TidBITS and ISIPP -- The recent closure of anti-spam company Blue Security brings up the Institute for Spam and Internet Public Policy. (2 messages)

<http://db.tidbits.com/getbits.acgi?tlkthrd=3000>
<http://emperor.tidbits.com/TidBITS/Talk/832/>


Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.
