</div>
<div class="tbf_row">
</ul><div class='sponsor_sidebox_bottom'> </div>
</div>
<!-- end sponsor_sidebox -->
</div> <!-- end leftcolumn div -->
<!-- end left column -->
<!-- begin centercolumn_border -->
<div id="centercolumn_border">
<div class="center_top">Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling <a href="http://www.takecontrolbooks.com/?pt=TB-TAGLINE" style="color:yellow">Take Control</a> ebooks.</div>
<!-- begin centercolumn -->
<div id="centercolumn">
<!-- begin rightcolumn_container -->
<div id="rightcolumn_container">
<!-- begin rightcolumn -->
<!-- rightcolumn is embedded within centercolumn so featured text wraps around it -->
</div><!-- end tearoffbox_wide_container for watchlist items -->
<!-- begin tearoff box wide -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tip_display">
<div class="tips_sponsor_logo">
</div>
<div class="featured_meta"><div class="meta_article">13 Aug 2001 | <a href="/article/6520?print_version=1">Print <span class="shift_up"><img src="/images/printer_icon.gif" alt="Printer-Friendly Version of This Article" border="0" width="9" height="10"></span></a></div></div>
<div id="article_box_5136"><P>AirPort security is dead. Not the airline terminal kind, but the built-in variety found in Apple's AirPort technology and other 802.11b (also known as Wi-Fi) wireless networking hardware from many different manufacturers. Although security experts have warned for months that gaping holes in the Wireless Equivalent Privacy (WEP) protocol rendered it unsafe for serious use, two academic papers released this month put the nails in the coffin.</P><P><<A HREF="http://db.tidbits.com/article/06300">http://db.tidbits.com/article/06300</A>></P><P>WEP was supposed to provide a first line of defense against data sniffing. Because 802.11b devices send traffic wirelessly, anyone within range can intercept this traffic. If the traffic is sent without WEP encryption, simple packet sniffer software can grab packets out of the air and turn them back into email messages, Web pages, and so on. (EtherPEG, a program developed at MacHack in 2000, sniffed graphics off Web pages being transmitted to Web browsing attendees.)</P><P><<A HREF="http://www.etherpeg.org/">http://www.etherpeg.org/</A>></P><P>If you enable WEP by entering a passphrase (AirPort) or encryption key (most PC systems), only other systems with that key can access the network. It turns out, however, that WEP's underlying algorithm - the way in which the encryption system is implemented - is extremely weak. The two recent papers show that a key can be extracted with no knowledge of the network after only a few minutes of watching network traffic. Encryption algorithms have to rely on a huge number of non-guessable, non-repeatable chunks of data passing by that would require either unreasonably large amounts of interception or impossible computation to break. 
The common algorithm used by WEP turns out to rotate a small number of combinations overlaid with an identical pattern of network headers.</P><P>The first paper was written by three authors including Adi Shamir, the "S" of the influential RSA encryption algorithm, an early approach that led to commercial systems. Their paper describes logical weaknesses that allow key cracking through passive sniffing of a network. (The paper is not yet online, but an EE Times story documents it well.) The second paper is a practical discussion of successfully implementing the attack; it came out just a week after a draft of the first paper.</P><P><<A HREF="http://www.eetimes.com/story/OEG20010803S0082">http://www.eetimes.com/story/OEG20010803S0082</A>><BR><<A HREF="http://www.cs.rice.edu/~astubble/wep/">http://www.cs.rice.edu/~astubble/wep/</A>></P><P><STRONG>What To Do</STRONG> -- Most serious wireless advocates, including the industry consortium WECA (Wireless Ethernet Compatibility Alliance, of which Apple is a member), have urged users with sensitive data to employ an additional encryption layer on top of the now-minimal protection offered by WEP. 
This advice also holds true for users or systems that use no WEP protection, including virtually all of the public networks (free and for-fee) spreading around the country, and now at over 500 Starbucks outlets.</P><P><<A HREF="http://www.mobilestar.com/starbucks_update.asp">http://www.mobilestar.com/starbucks_update.asp</A>></P><P>Corporations typically use virtual private networks (VPNs), which use PPTP (Point-to-Point Tunnelling Protocol) or IPSec (Internet Protocol Security) to encrypt traffic and pass it seamlessly from a user's laptop or remote computer over the Internet through the company's firewall and onto the local network.</P><P><<A HREF="http://www.wi-fi.com/">http://www.wi-fi.com/</A>><BR><<A HREF="http://www.ietf.org/html.charters/ipsec-charter.html">http://www.ietf.org/html.charters/ipsec-charter.html</A>></P><P>Individual users may want to try using SSH (Secure Shell) and SSL (Secure Sockets Layer) products, both of which enable secure encryption of connections travelling over insecure networks. Only a few SSH- and SSL-capable programs are readily available on the Macintosh, though more may be coming for the Unix-based Mac OS X, such as Stalker Software's industrial-strength mail server, CommuniGate Pro. We're all familiar with SSL from the Web: secure sites (like online retailers) use SSL to manage encrypted connections between your browser and the site. Less typical, but increasingly available, are SSL plug-ins for more familiar software like Eudora. 
With an SSL-equipped mail server, you can use Eudora without passing your name and password or incoming and outgoing email in plain text.</P><P><<A HREF="http://www.eudora.com/email/">http://www.eudora.com/email/</A>><BR><<A HREF="http://www.stalker.com/CommuniGatePro/">http://www.stalker.com/CommuniGatePro/</A>><BR><<A HREF="http://developer.netscape.com/tech/security/ssl/howitworks.html">http://developer.netscape.com/tech/security/ssl/howitworks.html</A>></P><P>SSH was designed to replace Telnet, by allowing remote, secure access to a command line on a Unix or similar system. The free NiftyTelnet 1.1 SSH and MacSSH support SSH for Telnet-style connections, and F-Secure offers a $120 SSH Macintosh client that can communicate securely with Internet services tunneled through the F-Secure SSH Server for Unix or Windows NT/2000. Under Mac OS X, the free OpenSSH has already replaced standard Telnet access to the Unix shell with SSH, but SSH could also be used more broadly to "tunnel" traffic to POP mail servers or through proxies that would offer end-to-end encryption from your machine to the destination server.</P><P><<A HREF="http://www.lysator.liu.se/~jonasw/freeware/niftyssh/">http://www.lysator.liu.se/~jonasw/freeware/niftyssh/</A>><BR><<A HREF="http://www.macssh.com/">http://www.macssh.com/</A>><BR><<A HREF="http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html">http://www.stepwise.com/Articles/Workbench/2001-05-02.03.html</A>><BR><<A HREF="http://www.openssh.org/">http://www.openssh.org/</A>><BR><<A HREF="http://www.f-secure.com/products/ssh/client/">http://www.f-secure.com/products/ssh/client/</A>></P><P>All of these security concerns are predicated on the idea that someone wants your data, either indiscriminately (such as sniffing in a public place with wireless access) or specifically (breaking into your home or company network). 
Most home users have nothing to fear, because even though the attack is fast and relatively simple for someone with the appropriate hardware, software, and networking skills, it's unlikely to be employed indiscriminately against private individuals in their homes. Quite simply, the standard email and Web browsing activities that comprise the majority of normal Internet traffic just aren't sufficiently interesting, so the bad guys aren't going to have much interest in sniffing wireless network traffic.</P><P>The biggest concern of working on an open wireless network (or one someone has cracked) is that passwords you send for email, FTP, Telnet, or non-SSL Web sites - such as those stored in the Keychain or Internet Explorer's password management system - can be swiped relatively easily. Having passwords stolen not only puts your data at risk, it also potentially opens your computers up to be used as zombies in denial of service attacks or as relays for hiding the attacker. The best protection for your passwords is to use programs that encrypt passwords whenever possible, to change passwords frequently, and to use different passwords for different services (using the same password for your POP email as your Unix login makes it more likely someone could break into the Unix account).</P><P>Stay tuned, since I plan to look into the topic of security on the Macintosh in a future issue of TidBITS. If you're dying to know more right away or want a book-length discussion, check out Peachpit Press's just-published Internet Security for Your Macintosh by Alan Oppenheimer and Charles Whitaker.</P><P><<A HREF="http://www.amazon.com/dp/0201749696/?tag=tidbitselectro00">http://www.amazon.com/exec/obidos/ASIN/0201749696/tidbitselectro00A/</A>><BR><<A HREF="http://www.peachpit.com/macsecurity/">http://www.peachpit.com/macsecurity/</A>></P><!-- Wireless Fishbowls Glenn Fleishman --></div>
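<P>The weakness the article describes, a small set of per-packet keys repeating underneath headers that are always the same, shown with constructed data to make clear why an extra encryption layer is recommended. This is an added example, not code from the article or the papers it cites; it assumes two details of WEP the article does not spell out (RC4 seeded with a 24-bit IV followed by the shared key, and the LLC/SNAP header that begins each data payload) and omits WEP's integrity checksum.</P>

```python
from math import log, sqrt

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, payload: bytes) -> bytes:
    """WEP seeds RC4 with the 3-byte IV (sent in the clear) + shared key."""
    return xor(payload, rc4_keystream(iv + secret, len(payload)))

# Constructed sample values: 40-bit key, one IV, and the LLC/SNAP header
# that begins every 802.11 data payload.
SNAP = bytes.fromhex("aaaa03000000")
SECRET = bytes.fromhex("0102030405")
IV = bytes.fromhex("00002a")

def reuse_demo():
    p1 = SNAP + b"\x08\x00first packet body"
    p2 = SNAP + b"\x08\x00other packet body"
    c1, c2 = wep_encrypt(IV, SECRET, p1), wep_encrypt(IV, SECRET, p2)
    # Same IV and key => same keystream, which cancels out of c1 XOR c2.
    xor_leaks = xor(c1, c2) == xor(p1, p2)
    # The fixed header hands any listener the first keystream bytes.
    prefix_exposed = xor(c1[:6], SNAP) == rc4_keystream(IV + SECRET, 6)
    return xor_leaks, prefix_exposed

def packets_until_iv_repeat(iv_bits: int = 24, prob: float = 0.5) -> int:
    """Birthday estimate: packets before a randomly chosen IV repeats."""
    return round(sqrt(2 * 2 ** iv_bits * log(1 / (1 - prob))))

if __name__ == "__main__":
    print(reuse_demo(), packets_until_iv_repeat())
```

<P>With only 24 bits of IV, a repeat is expected after a few thousand packets, which is why the shared key alone cannot keep traffic private and a VPN, SSH, or SSL layer is needed on top.</P>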
<!-- end article text -->
<!-- PayBITS -->
<p> </p><div class="sponsorbox">