fred avolio's musings

It’s been over 3 months since I converted to (almost) exclusively using a Mac. I’ve talked about what moved me to make the change, why I chose what I did, my initial thoughts, my examination of browsers and e-mail clients. I am now looking at calendaring and the address book.


Let me remind you of my requirements (and/or desires). In August, I wrote, “Interoperability with a Palm handheld. I use it a bunch for everything it does including the obvious (calendar, etc.) and the less obvious (eReader, Documents to Go, Expense).” I really do us it, and did not want to abandon it for something else.

After some little research, I figured I had 3 choices: the Mac-resident applications iCal and the cleverly named Address Book; Microsoft’s Entourage; and, obviously, Palm Desktop for Mac.

Palm Desktop for Mac.
I really like Palm Desktop on Windows, so I had hoped the Mac version would be a slam-dunk winner. Not so. It is a completely different program. On Windows, I like its layout. I like how it supports everything standard with the Palm handheld. Also, it has a neat “find duplicates” feature, to look for exact or near duplicate entries. Very useful. Not in the Mac version. The layout for the contact list (address book) had multiple views. On the Mac, there was one view: ugly, with the each entry laid out as if you were viewing it in a spreadsheet. On Windows, you could add notes to calendar entries and contact entries. On Mac, you could by jumping through hoops and creating a memo note and attaching it to an entry. I do recall that years ago, Palm Desktop for Windows was lame. Palm then took Claris Organizer and for a while Palm for Mac was better. (See PalmPilot and Macintosh: together at last.) But, back in those olden days, great functionality was auto-formatting phone numbers, and auto-completing city names. As far as I can tell, little was done since then.

I found A wish list for the next Palm Desktop for Macintosh, which echoed many of my concerns. Another problem I noted: contact items that are tagged as email in my Palm computer are not in the email column on the Mac Desktop. That is to say, when I exported the address book to import into my email application most of the email addresses were missing. I guess they were not in the exact right place on the Palm handheld. But, they do export properly in the Windows version. So, I wrote to the author of the above-mentioned article.. and the email bounced. It was then I realized that it was from April, 2001! Not much hope of getting things in Palm Desktop changed.

iCal and Address Book
These come with the Mac. iSync, the Mac’s sync program, does a fine job of syncing with the Palm. But, there are some things missing. I use categories for calendar events. iCal does not. For example, on my Palm calendar I categories calendar events into Anniversary, Birthday, Business, Church, Conference, Holiday, Meeting, Personal, and Travel. I thought, if only there was a way to map categories into different calendars (iCal supports different calendars), I’d be golden. But, there was not. And Address Book also was simple. It had different address books but they did not convert to categories. And it did not seem that Birthday fields on i the handheld mapped to the desktop applications. In fact, when I synced, the birthdays in the contacts list were all lost. So, I gave up on iCal and Address Book.

Entourage
Next, I tried Entourage that came with Office for Mac. It has a very nice layout. I had no intention of using it for email, but it seemed to have everything I was looking for. It had categories in both the address book and the calendar. It had tasks. It had memos. It has birthdays. It just did not sync properly. The conduit supplied with Entourage for iSync lost all the categories. It supports categories but apparently cannot map them from the handheld. It, too, lost all the birthdays. And Entourage does not allow notes on calendar events. Arrg!!

My Solution
I went back and forth with some of these solutions, always going back to Palm Desktop, hating it, but not being willing to leave it for the things that were broken in the other possibilities. And then an Internet search pointed me to The Missing Sync for Palm OS. One thing that caught my eye: “Synchronizes iCal calendars to Palm OS calendar categories.” So, I downloaded it for US$39.95 and tried it. But, the documentation pointed out that I needed to make some preparations. If I wanted categories in my Palm to map to “Groups” in Address Book, and to “Calendars” in iCal, I needed to create groups and calendars with matching names. No problem.

It worked great. Absolutely wonderful. Missing Sync has conduits for Palm Desktop and Entourage. I only use one: it syncs Notepad to the separate Palm Notepad viewer. Since Mac does not have a Memos application (like the Palm Desktop and Palm handheld have), Missing Sync has a MemoPad application. It also will sync files (to store on the hand held) and photos from iPhoto. There have been a few glitches. In a previous version of the product, one sync took 7.5 hours! But, that has not happened with the latest version. Syncs take under 5 minutes, including synching photos, 2753 address cards, a few Documents to Go (from Dataviz) files, and some Adobe Reader for Palm documents.

I am now very satisfied with my Palm integration with the Mac, thanks to Missing Sync.

I am again leading Secure Email Day at Interop New York on Monday, December 12, at the Jacob Javits Convention Center.

Secure Email Day is a mixture of lecture, expert-lead group discussion, and a vendor panel. Again, Jon Callas, CTO and CSO of PGP Corporation will join me for part of the day. You can go to the interop link, above, to get a look at the schedule for the day, or visit my blog posted before Vegas at SecureEmailDay.html.

This caught my eye in the November 1 “Good Morning Silicon Valley”.

“The heart is unreliable because its affected by not only by your brain, but by many other factors, such as hormones. The gut has a mind of its own —literally. It has its own well-developed nervous system that acts independently of almost everything except your unconscious brain.”

Quoted is “Pankaj Pasricha, leader of a research team that thinks stomach activity may be a better indicator than heart rate in the iffy science of lie detection.”

It reminded me of an earlier statement made about the trustworthiness of the heart. It says, “The heart is deceitful above all things, And desperately sick; Who can understand it?” It goes on to say, “I, the Lord, search the heart and test the mind, to give every man according to his ways, according to the fruit of his deeds.” This is from the book of the prophet Jeremiah, chapter 17, verses 9 and 10.

(Actually, in the Hebrew it is “the kidneys” that the Lord “tests.” Know why?)

I’ve written and lectured many times about e-mail security. Sometimes, I discuss securing e-mail systems. I rarely discuss protecting e-mail against modification or eavesdropping, because it seems we just don’t care. See what I’ve written in the past at my Secure E-mail Collection. And recently, I blogged E-mail Security: We Still Don’t Bother

I also have written about my love affair with the Eudora e-mail client, but thoughts of moving over to Thunderbird.

But, I like Thunderbird’s interface. I like its being free. I like its older brother, Firefox. I recommend moving to Thunderbird to others. I almost moved a while back. But, there were some speed bumps, blogged here. But, recently I decided to slowly give it another try.

So far, things are working smoothly. I’ve not cut over to using it instead of Eudora, yet. But, I find some interesting security features. Recall, in the aforementioned E-mail Security: We Still Don’t Bother, my friend Dave wrote,

I am disappointed that I have to give up PGP but could not reasonably continue to purchase $100-200 worth of email and security software for the purpose of communicating with 9 people. What a sad indictment on the state of email security, huh?

Well, I’ve got Thunderbird with PGP and S/Mime now. It was fairly straightforward. First, S/MIME: Thunderbird comes with it. I followed the instructions for Getting an S/MIME certificate. I got mine from Thawte. Then I followed those for installing the certificate. And it just worked.

For PGP, I used the Thunderbird Enigmail plugin. But first, I installed GPG (in this case, for Windows), using the installer I found at www.gnupg.org. It installed smoothly.

if you are not going to install existing key rings you can skip the next step.

I then downloaded my secret and private PGP key rings, and used GPG from the command line to read convert them to GPG from PGP. (I did this in the GnuPG folder.) Once I did this, I installed the Enigmail extension to Thunderbird, restarted it and imported the key files using Enigmail’s key manager.

If you are new to all this, you’ll use Enigmail to create your first key pair and store it.

This will be your decryption and signing key pair. Since I had one already, I needed to fiddle with Thunderbirds configuration file to point to my key. Actually, I had created a keypair, and had a horrible time trying to get it to use my old one. But, finally I figured it out. So, go ahead and generate a new one. Ff you want to use the old one, edit the prefs.js file (in your Thunderbird identity folder), and edit the “mail.identity.id3.pgpkeyId” value to have your key ID. Mine looks like this:
user_pref(“mail.identity.id3.pgpkeyId”, “0x3521CEA0”);

A restart of Thunderbird, and everything is working. If only people actually used encrypted mail…

Okay, I spoke too soon. There are imcompatibilities I cannot figure out between GPG and PGP Personal Privacy 6.5.2 that I run. GnuPG can decrypt and verify a PGP signed and encrypted file. And GnuPG can handle one that GnuPG signs and encrypts. But, PGP cannot decrypt a GPG-encrypted file. I get the error “An error has occurred : encrypted session key is bad”. So, what is Mom and Pop supposed to do? Arrrrg!

I was unclear in explaining how I did some of the above. I used Firefox to get my certificate. Following Mozilla instructions, which say, “If you use Firefox to get your certificate and take the Netscape/Messenger option, a certificate silently installs into Firefox.” I got a Netscape/messenger certificate from Thawte. It works fine with Tbird.

I just got a PGP ecrypted message from a Thunderbird/Enigmail user, Jason Wyman. He wrote, Just wanted to let you know that I have PGP set up with Enigmail in Thunderbird and it is working GREAT for me. I’ve had a lot of time to fiddle with several different set ups as I’ve “converted” my friends and clients at work. With me using PGP Desktop 9.0 and Mail.app on my PowerBook, it decrypted and authenticated great. Thanks, Jason!

Jason wrote back: I just noticed you updated your blog with an excerpt from my email to you. I was going to suggest that you post this email address along with my PGP key for anyone who may need help…. I’d be happy to help. I believe it’s very important that more people begin to take their privacy seriously. This would be an opportunity for me to help others make their own lives a little more secure. You can contact Jason and get his public PGP key at http://home.comcast.net/~jason.wyman/ or at keyserver http://keyserver.pgp.com/.

I’ve meant to mention ths, and keep forgetting to do so. Early on when scoping out whether to go to the Mac platform, I found a terrific article, and implemented everything it said. It is 8 Ways to Protect Your Mac Right Now, by Kirk McElhearn.

I cannot believe anyone reading this has not heard of the “Nigerian Scam” (also called 419 after the Nigerian anti-fraud statute). The most common, that I receive every once in a while, has to do with someone — a widow or son of the recently assassinated political leader someone-or-other in some African nation. (I suppose they assume, rightly, that Americans especially won’t have a clue of this particular person exists, was recently assassinated, etc.) There are millions of dollars in a bank account and the sender of the email heard about your integrity doing an Internet search. They suggest a money laundering scheme for which the recipient gets %10 just for playing… er, helping.”

I just read a fascinating piece on this at news.yahoo.com/s/latimests/20051020/ts_latimes/iwilleatyourdollars describing this in interesting detail.

I promised I’d describe moving to Mac e-mail in this installment. I’ll cover what I tried, what I found, what I ended up using, and why. This is one in a series, the whole of which can be perused at blog.avolio.com/search/label/pc2mac. (In preparation for this topic, I blogged about e-mail systems I have known over the years.)

What I Used on the PC.
I have used Eudora for many years. I’ve liked its look and feel. I like the filtering and labeling. I like that the mailboxes are stored in ASCII format. This allows me to get at my e-mail on my system, even when connected from my Linux server. So, the easy thing would have been to just use Eudora on the Mac. For some reason —I do not know why—I decided I might try a change.

Apple’s Mail Application
I heard that Tiger’s mail application (cleverly called “Mail”) was slow. I played with it a bit, but then decided I’d try Thunderbird.

Thunderbird
I’d tried Thunderbird, the Mozilla client, few times before. I liked it and recommended it, so I figured, why not try it on the Mac?

I’d used it before to remotely access my e-mail from other day job. I’d migrated my wife and daughter at a Maryland university to it. But, I had never migrated from Eudora. That proved to be a problem. Although, Eudora mailboxes are easily readable, Eudora does non-standard things. I’ve written about problems with Eudora storing attachments differently, etc. before, as I mentioned. I found a terrific tool called Eudora Rescue, which did as it said and it allowed me to migrate.

I used Thunderbird for a few weeks. In this move, I made a a major change. My goal with e-mail has always been for availability. I want my email available on my mobile computer (my PowerBook, now), and on a server. In the past, I did the following:

• Read email to my computer using POP3
• Synchronize my notebook PC files with my desktop PC
• Remotely SAMBA-mount my desktop PC’s folder on my in-house Linux server

So, the e-mail was saved in two places, and I could access the mailboxes from any remote system if I had to, with an SSH connection to my Linux server.

As the Wikipedia entry says, “POP3 and its predecessors are designed to allow end users with intermittent connections such as dial-up connections to retrieve email when connected, and then to view and manipulate the retrieved messages without needing to stay connected.” This fit my needs very well, with the above-mentioned steps. This is known as “disconnected” mode. (Most POP3 clients have a “leave mail on server” option.)

The change I made was to move to using IMAP.

• Good—worked; flexible; fast; worked fine “disconnected;” though not as many “labels” as Eudora, good enough.
• Bad—Could not figure out how to just use the keyboard, though it may be my being new to the Mac (I like the mouse—but, really, why not have a 2 or 3 button mouse? —but, not all the time).

Mulberry
A friend, and former DEC colleague, Dr. Brian K. Reid, put me on to Mulberry. He cares as much about e-mail as I do, so, I figured I’d try it. In fact, it was this move that took me to using IMAP. See, I had a devil of a time importing from Thunderbird to Mulberry. Its “Import” function was greyed out. I used a conversion tool, but it did not work. A group of learned friends all basically told me the same thing: “Use Thunderbird to copy your mailboxes to an IMAP server. Then use Mulberry to copy them back from that IMAP server to your local computer.” So, I did, and started using Mulberry and IMAP. I set things up to work in “disconnected” mode, meaning that all the mailboxes stay on my email server (I put them in a hierarchy in my home directory on my Linux server, under a directory “Mail/”), and copies of all mailboxes get synchronized with/onto my Powerbook.

This meets me requirements mentioned earlier. I can always, if needed, SSH into my email server and read any of my email messages; they are stored in mailboxes in mbox format (so, I can use UCB Mail to read them if needed).

Mulberry had everything I wanted, including great filtering and labeling, but it was way too complex with way too little documentation. My friend who recommended it, had said, “Mulberry is not simple to configure. In fact, it has so damn many options and modes that it can be a big pain to learn.” He was right, and I gave up on it.

Mail.app
I’ve settled on the native email client, Mail. (One benefit of an IMAP client is there is no conversion step; the email on the server just reads in to the file locations of the new client.) I like it. Searchlight is integrated into Mail. Things just work. Rules for filtering are pretty good, although there are no labels to speak of. (I was used to labeling emails as, for example, “list,” for mailing lists, “save,” “read,” “action,” etc.) I miss that, but can live without it. I benefited from an article called Tweaking Tiger Mail, by Giles Turnbull. Right now, the only negative feelings I have towards the native Mail.app, is that I would like to do complex searches. Mail.app uses the ubiquitous Searchlight, and it allows Boolean expressions in a search, but you are limited to Booleans in one field. For example, I want to look for all messages containing “Joe” or “Mary” (easy to do) that are from my wife or from me and that contain one or more attachments. (Don’t ask me why, it’s just an example.) There is no way I can see to make such complex query.

Nevertheless, for now I happy with the native Mail application, and am sticking with it.

Other discovered coolness.
I keep finding more cool and useful things on the Mac. First, Mac OS allows one to remap or modify some of the keys. In “System preferences,” in “Keyboard & Mouse,” select “Modifier Keys…” I selected “No action” for the “Caps Lock.” This is the first time I had a computer that allowed me to do this.

It’s been a few month’s since I ditched my Windows PC for a PowerBook. I’ve no regrets. In fact, I am happy for the change. I do still sometimes use a Windows machine when I must (running my copy of QuickBooks for my business account or at my other day job). When I do that, my left hand usually hits the wrong keys for a while, but I do not consider this a problem.

Next time: calendars and address books.

Also, check out Interview with Tony Bove, Author of Just Say No to Microsoft.

Recently, I’ve been blogging about my move from PC to Mac (see PC2Mac. In my next entry, I’ll talk about selecting an e-mail client. E-mail is very important to me. (See what I wrote about this in Disconnect.) So, I started thinking about all the e-mail clients (user-end programs) I used over the years. At the risk of revealing my advanced years, here is the list.

West Hempstead High School, NY
I don’t remember the name of it, but it was the local e-mail system on the DEC-10 timesharing system to which we connected via an acoustical coupler using a Teletype teleprinter. (That’s a papertape reader/writer on the left.) Practically speaking, there was no one to e-mail (except the system manager). There was no Internet. (But, we were happy.) University of Dayton
I don’t recall e-mail. Maybe. We used a Univac Spectra 70/7 timesharing machine. (It is mentioned and pictured in this personal history from my classmate, Ken.)

NSA
/bin/mail on a (pre-TCP/IP) networked 6th Edition Unix system. This is essentially the same mail program on the command lines of Unix systems today.

Digital Equipment Corporation

• VMS MAIL, from the command line.
• ALL-IN-1 e-mail on VMS (an early Outlook- or Entourage-like character-cell e-mail program. (Like Outlook, it ignores standards.)
• Berkeley Mail on Ultrix
• MH, when I grew up.
• Emac mail, for a while
• xmh, when I got a workstation and X11

TIS
xmh Avolio Consulting

• Eudora
• Now, on the Mac… I’ll post something soon.

Holy cow! After I wrote this and I was re-reading it, I took a detailed look at the web page I point to above under University of Dayton. I had discoverd the site simply by Googling for “Univac Spectra 70/7.” So, I did not actually read it in detail. When I did I had a few “Whoa now!” moments. I noticed that my computing environment at the University of Dayton was similar to this guys. I mean even the picture of the CRT terminal. But, then how many of them where there? 1976… interesting. Then — yipes! He mentions one of my UD profs—the guy that taught my first programming class, Ed Krall. And then he mentions another guy I knew, Dr. Mike May. Then I looked at the bottom, the first time the author’s name appeared. Ken Koehler… he and I graduated together, used those same computers, and were in many of the same classes from freshman year on. Haven’t seen or communicated with him since gradutation…until now, when I dropped him a note.

No, not me. I did that ages ago. Slashdot pointed me to a really busy blog entry (Slashdot mention will do that) by a former IE developer, “ Why I switched to Firefox.”

An interesting discussion of the (parhaps mythical) Mac virus on Slashdot. As I said earlier, no system is immune from bad software and dangerous configuration. The comments are quite good.

I’ve neglected to mention that I am using the built-in Mac OS X firewall.

Larry Kettlewell, CISP for Kansas State Government’s Department of Administration has a terrific “perspectives” piece in the August 2005 Information Security, with the title “Paper Pushers”

I’ve written on the subject in Security Redux. In response to the question, “What is the value of a CISSP certification?” Ed Tittle responds, echoing my warning about just studying and receiving the certification with book knowledge but no practical experience. See his complete answer at Ask the Expert. I touch on it briefly in Paranoia: How Much is Too Much?, and tally up the possible points I have to get a Homeland Security Certification.

By the way, I don’t have one. Never had to have one for business. I just have 20+ years of experience in network security product development, information security management, teaching, training, lecturing, writing, and consulting with large and small companies (internationally), and government (US). But no certification.

Long-time friend and colleague Marcus Ranum has written an editorial worth checking out (that’s redundant). See “The Six Dumbest Ideas in Computer Security.”

This entry, I’ll discuss browsers and instant messaging. In my previous blog, I wrote that this time I’d talk about

• E-mail clients,
• Browser,
• Instant Messenger, and
• calendar, address book, etc.

I am going in a different order because e-mail clients and calendaring will take one blog entry each.

Browser.
The PowerBook, running Mac OS X (aka “Tiger”), as I expected, comes with with a browser: Safari. I did not like it at first, but that was before I learned my way around a Mac, in particular how to set preferences. I was used to using Firefox. I’ve been very happy with it. I like that it is fast. I like the tabbed browsing. I like that it is “open source,” but I’m not a fanatic about that. I really like that it is not Internet Explorer!

As I said, I did not like Safari much (because I didn’t know it had all those previously-mentioned things, except open source, going for it), so I installed Firefox. It works fine on the Mac, but I wondered about the otherMozilla browser for the Mac, Camino^TM. Since it has “Mozilla power. Mac style.” Firefox was fine, but just like when in a foreign country I don’t order the “American Breakfast,” I thought I should try something Mac-specific.

It was nice. Had the features I liked in Firefox. I did not like the way it did tabbed browsing. In particular, when I clicked on “open URL in another tab,” it displayed the new tab. Firefox opens a new tab in the background. (Maybe there is a way to do this in Camino.) I am used to, for example, doing a “Google-search,” and running down the page clicking items to open in another tab. Then I go through each tab checking them out.

I used Camino for a week or more. Then I had a “well, duh” thought: although it did not have “Mozilla power,” the native browser on the Mac probably has “Mac style.” So, I tried it again.

And in a short time I found I like Safari. It has RSS support, supports extensions, and tabs the way I like it. I modified some things, imported my Bookmarks and got rid of all the preloaded bookmarks I’d never use. And in playing it, I found another cool Mac-thing. (And this is not Safari-specific; it works with Firefox, too.) If you want to copy an image off of a web page, instead of selecting it, and selecting “copy image,” you can just drag it off and drop it somewhere else. Very neat.

Instant Messengering.
Tiger comes with iChat, which supports audio and video chats (as well as the normal typing variety). It supports AOL Instant Messenger and Jabber Instant Messenger. Of course, I want to use Yahoo. I have an MSN Messenger account, also, but don’t regularly use it. And when I use Yahoo Messenger, I want to sometimes do voice and video. So, while I am very happy with iChat, I also need Yahoo Messenger. Ah, well.

One minor disappointment: my Windows-capable webcam is not recognized by my PowerBook! No driver for it. Apple is big on firewire. They invented it. They also sell their own web camera, “iSight.” (Get it?) But, I have a USB web camera that works just fine and I don’t want to spend $150 for an iSight, no matter how elegant it looks. (And it does look elegant.)

Since I didn’t use Jabber, I got Adium, ” a free instant messaging application for Mac OS X that can connect to AIM, MSN, Jabber, Yahoo, and more.” Sorry to see that, “Adium does not currently have any Voice or Video (webcam) Chat functionality.” It is related to GAIM, which is built for UNIX and has a windows port.

It is okay. Even in the Windows world I was used to using multiple clients, or a single client (like GAIM or Trillion, which does not run on Mac.

Speaking of multiple clients, for pure voice conferencing, I’ve downloaded and use Skype.

Additional cool stuff I discovered.
Mac OS X has this really neat feature called Exposé. You know how on your Windows PC you can make all the windows disappear by hitting the Windows button and ‘M’? (You don’t? Try it.) Or on XP, you have a “Show Desktop” process that exposes the desktop (iconifies all of the windows) and puts them back again? It’s like that, only cooler, better. As the web site says, “Instantly access any open window with a single keystroke … Display all open windows as thumbnails, view windows of the current application or hide all windows to quickly locate a file on your desktop.” It is very useful when you’ve got a gazillion windows opened, and you need to find one particular one. Or, when you need to clear everything to get to the desktop. Or, when you need to copy an item in one window into another one, buried somewhere on your desktop. It’s useful. It’s cool.

Dashboard gives instant access to a set of widgets—small applets proving useful tools, such as real time weather, calculator, a dictionary, language translation, and a ton of others. Spotlight is a system search facility on steroids. (Oops… sorry. No longer politically correct. On… acid? Nope. On… adrenalin? Yeah. Okay.) It searches for whatever you type in… everywhere. In file names? Obviously. Inside documents? Yes. Songs in your iTunes library? Attributes of photos in iPhoto? Yes and yes. E-mail? Cut it out! Of course. And calendars, address books, System Preferences, etc. and so on.

Next entry: e-mail!

I received a warning about my Wells Fargo account the other day. Well, not me, really, but “error@avolio.com.” And, not really from Wells Fargo. It did refer to Wells Fargo. But, the letter started, “Dear Wells Forgo Customer.” And the “From:” line line said it was from “Wells Falgo.”

Really, why do people get tricked? It did have the Wells Fargo logo in the email. But, then, so does this blog entry. And this is not from Wells Fargo.

Summary: So far, so good!

I’ve already talked about the reasons that led up to pitching my Windows PCs (in Dude, You’re Getting a Mac!.) Then I discussed the processes I went through in determining “What next?” (in After Windows, What?). Today, we’re looking at my first impressions, the things that worked, and what did not.

Installation.
Installation was fairly quick and mostly flawless. Initially, I decided to connect to the Internet via the wireless access point, just for convenience. (My desk was crowded with other things.) It did not connect! I heard how it was almost automatic but after I entered the credentials for my WLAN, it refused my connection. So, I switched to wired. (Later, I found that I did not know Mac conventions well enough to realize when there is a pull-down list. Where it asked me for the WLAN password, I should have “pulled down” to select “128 bit WEP key” as the option, and then enter the key as HEX digits. I found that easily enough later. (And it is almost automatic, and does connect easily and without thought on my part, once set up.)

I was a bit disappointed to find no “Welcome to Mac-land” video, or something like that. Generic Windows XP had one. My Windows Viao had one. I found it helpful, and wished there was one on this PowerBook, as I was completely new to it. Maybe some people find it all intuitive, but not to me and my Windows-conditioned hands. Much later, I discovered that the first thing that starts up is “Finder.” Finder has “Help.” Help has “Mac Help.” And Mac Help has everything I needed. I found it, eventually. (“Humph! ‘Master of Science,’ indeed,” my wife would say.) I am learning my way around, and “Mac Help,” helped. I’m still learning new keyboard moves for things. Took me a long while to learn that while “Delete” is like “Backspace” on Windows. “fn-Delete” gets me a forward delete. And I’m still learning what+home gets me cursor-left, “home,” and “top of document” kinds of things. Old hands, new movements. Or old brain?

Exploring.
I poked around a bit. I figured out, with the help of Help, where to find applications. I fired up some applications. I found that there was a 30 day demo of MS Office. (More on that in a bit,) I opened up the Terminal. Sure enough, UNIX!. And There was ssh and scp! They were on my must have list. I have them, and the work. There were no X applications by default. (Later I found I could install them off of the installation disk, except that it will need more space than I have. I need to figure out what to do about that later (besides kicking myself for not getting a larger disk). I suspect what I will do is move all my photos off to a Linux server (the Shuttle I want) and perhaps get rid of some applications I don’t/won’t use.

I did install ClamXav, an open-source antivirus program. Viruses on Macs are not a problem. But, I don’t want a PC virus to get forwarded in a document from my PowerBook! And the price was right. So, I learned that I just drop the “.app” file where I want it to sit, I learned how to link to it from the Desktop or the Dock (like the Task Menu in Windows).

Mac Vulnerability.
That day, I received in e-mail “US-CERT Technical Cyber Security Alert TA05-229A,” which you all will remember (just kidding) declared, “Apple Mac Products are Affected by Multiple Vulnerabilities.” “Aha! Stinkin’ vulnerabilities on Macs, too!” you say. Well, yeah, It’s software. Remember. My dumping Windows was not because of security problems or how big a target Microsoft systems have become. It was usability, pure and simple. It took too much effort. (If you forget, go back and read “The Straw that Broke the Camel’s Back,” in Dude, You’re Getting a Mac!.) I clicked on the little Apple logo, which I had figured out pulls down a system menu), selected “Software Update,” and got the fix. I rebooted an was up and running again in short order.

I went to the Network and found “Workgroup.” Of course, I do not use that default, so I looked for and found “Avolio.” (Clever, huh?) I found my shares and copied over “My Documents”—the ones that I needed. Things, for the most part just worked.

MS Office.
I mentioned that it came with “Office 2004 for Mac Test Drive.” So, I tested it. But, I also listened to friends and colleagues. I really, really wanted to use Open Office. I mean it is just wonderful to think of using a free replacement for the very expensive Office Suite. Recall, in a previous installment I wrote, “Complete compatibility with MS Office.” Not “almost.” So, while I tried it, I also downloaded and tried NeoOffice/J. It is “a fully-featured set of office applications (including word processing, spreadsheet, presentation, and drawing programs) for Mac OS X… Based on the OpenOffice.org office suite…”

NeoOffice/J is great (and free), but when I opened one PowerPoint, somethings were just a bit off. A friend suggested that it was because it was based on OpenOffice Version 1 rather than 2. I believe him. I am just not sure I can wait. There us an additional reason to buy Office, which I’ll discuss next time.

Next time
And next time I’ll talk about

• E-mail clients,
• Browser,
• Instant Messenger, and
• calendar, address book, etc.

My friend and colleague Greg Shipley (CTO of Neohapsis and contributing editor for Network Computing magazine) offered his opinions: I made the same switch about a year and a half ago, when my Dell laptop keyboard broke for the gazillionth time (I literally lost count). I’ve always liked *NIX under the hood, but like you noted I can’t turn my back on the applications. And the window manager / GNOME / KDE wars on Linux have made my head hurt. Everyone does something different. Back to the applications: in my world, that’s Word, Excel, Visio, and Powerpoint. And I do mean those apps – not an equivalent. Every year I play around with OpenOffice, and every year I think “wow, cool!” until I get a file that uses some advanced Word formatting or some Excel trick, and it just doesn’t work right in OpenOffice. But Office on OS X? While it has not been flawless, it does almost everything I need it to do. Plus, anyone who spends anytime behind the wheel of Powerpoint will kick it to the curb after 30 minutes with Keynote (the Apple presentation package). It’s not even a contest. I’ve now had my Powerbook for a little over a year, and it’s been flawless. It’s easy to patch. My applications work. Hardware just works. My corporate VPN client works fine, and I can run the MS remote desktop client to get into our terminal servers at work. Keynote makes my ridiculous speaking schedule seem less ridiculous due to the HOURS it saves me (not to mention my presentations look better!), and when I get lonely I can still fire up gcc and do stuff in a shell. nmap and p0f don’t have problems compiling. Heh. And the UI smokes everything out there.

One quick postscript on QuickBooks. I decided that for now I would leave it on my wife’s (my old) PC and just use it from there. Later, if and when I get Microsoft Office for Mac, it will come with “Virtual PC,” which I can use to access my old copy of QB.

I’m a few week’s into abandoning Windows for my PowerBook and I am doing just fine. I talked about what led up to this step in Dude, You’re Getting a Mac!

In this installment, I will discuss my requirements, and initial thoughts and recommendations from others. In later blog entries I will talk about my initial purchase, first time use impressions, software I added (and what I did not), surprises (good and bad), what I like about my new platform, and anything I do not.

I tried to do a requirements analysis. Knowing that people tend to think of desires as requirements, I was careful to ask myself questions. For example, when I thought, “I need Microsoft Office,” did I really mean, “I need a word processor, spreadsheet, and presentation system,” or, “I need something that can read Office documents”?

First, I wanted a listing of all software on my computer. “System Information” (under Accesories, System Tools) gives you this information. A much nicer tool is Belarc Advisor.

I like it better because its html-formated output and organization makes for easier reading. I used it to make sure I didn’t forget anything. If you are like me, you have a whole bunch of software that you used to use and no longer do. Next,

I made my list. Requirements.

1. It just works. What I mean is, I want it to work consistently without heroic efforts on my part. An example, which—I didn’t mention as one of my reasons for ditching Windows, but it was, is problems I had with my Sony Vaio notebook PC. Four out of five times when I shove in my Orinoco Gold wireless card it just works. But, one in five times (and I am just guessing here, but being generous) the “New hardware found” message comes up and even if I point it at the working driver it does not know what the device is so does not know what to do. I unplug and replug the card. I restart the computer. And finally it works again. I just want it to work. I also do not want to scour the Internet for drivers to get the system working. I want it to just work.
2. Not Windows. No, really, for the reasons I mentioned in the previous blog entry. The registry is too easily corrupted. It gets too big. It is a terrible idea. There are too many mystery processes running for me to be able to trust Windows ever again.
3. Complete compatibility with MS Office. I need to be able to exchange documents of all kinds with clients, all who use MS Office. I am not willing to go back and forth trying to find a common exchange format. That common exchange format is not PostScript. It is not PDF. It is MS Office.
4. Interoperability with a Palm handheld. I use it a bunch for everything it does including the obvious (calendar, etc.) and the less obvious (eReader, Documents to Go, Expense). (I will talk about trying iSync vs. Palm Desktop, in a future entry.)
5. Secure Shell (SecSH) and Secure Copy (SCP). I have Windows clients for these (SecureCRT® from VanDyke Software and freeware WinSCP). I use them to maintain my web site and to send e-mail from networks that block port 25 (such as hotel networks).
6. QuickBooks, which I use for my company books. My account wants me to and I want to keep my accountant.
7. PGP. Maybe. I’ve talked about this many times before. I use it for encrypting email and securing files. Virtually no one I email to cares about securing email. But, somehow I cannot give in on this. I think I need it.
8. A backup mechanism. But not what I was doing. I was doing incremental backups every night using an automated process copying onto CDRs. It worked very well and I was able to restore files I needed to recover. But, I have a large pile of CDRs now. I now need to purchase a shredder that does CDs. (But, that is not part of this requirement list.)

I think that was it. Oh, I use iTunes for my iPod, but that’s free. I don’t need to list “DVD player,” though I suppose I have three on the PC. I also use Total Recorded Pro from High Criteria, to record streaming audio. I’ll have to find something else. It only runs on Windows.

Possibilities. It seemed to me that I had two possibilities.

• Linux notebook and Linux server (for back-ups, file storage, etc.)
• Mac notebook and Linux server.

I asked for opinions from friends. “MS Word, Exel and Powerpoint have worked under Wine for quite a while now. The Xandros distribution has Crossover in it, so it is “guaranteed” to work. A friend of mine bought a Vaio the other day and is very happy with Linux on it.”

“I am fully satisfied with the ShuttleX. Anything that’s going to be close to my head has to be quiet, and i know of no quieter box.”

“I may be the newest Mac convert here, so I should speak up, perhaps. I got a 15” powerbook back in March, and I am still amazed by how wonderful the whole experience is. For me the key items have been:

• “Suspend and resume—close the lid, open the lid. It always works. I’ve never had that experience with a linux or windows laptop. Suse Laptop suspend support actually does seem to work well though.
• “Wireless support—always works, and it is not confused by, say, resuming in a different network environment. Close the lid at home, open the lid at work. Open the lid at gymnastics while watching the kids, finds a nearby net. I always had to fiddle with strange scripts to convince Linux to switch networks, and XP couldn’t hold on to a single network while sitting on the table.
• “Printing—just works. You say ‘print’ in a new network environment and you get a popup of available printers. It even seemed to know which ones were duplex capable. (To be fair, it didn’t know about the duplexer on my HP1320 until after I installed Tiger).
• “Software—I have not yet learned great Mac skills, although I am starting to like the Finder. …
• “I have Office:Mac. You know what? It doesn’t give me the creepy feel I get from using Office on a PC. I can’t explain why, but it seems fairly sensible and pragmatic. You have to work with people who use Powerpoint or send you Word documents. It just works. (To be fair, I have had fairly good luck with OpenOffice as well, on Linux.)”

Final Decision I finally decided on “Mac notebook and Linux server.” Looking back at my requirements, here’s why.

1. It just works. As far as I can tell this is something the Windows strives for and Apple gets. This may be subjective, but this is what people report. I did not hear this about Linux notebooks. Understand, I am not saying Linux systems do not work. They do, and keep on working. As I said earlier, I don’t want to ever again have to wrestle with a notebook PC to have it work. I just want to use it.
2. Not Windows. Okay, this was an easy one for either a Linux or Mac notebook.
3. Complete compatibility with MS Office. The jury was still out as to whether I use MS Office on the Mac or OpenOffice. I am attracted to OpenOffice version 2, but do not have a version for the Mac.
4. Interoperability with a Palm handheld. Palm Desktop runs on a Mac and iSync, I was told, will support Mac.
5. Secure Shell (SecSH) and Secure Copy (SCP). I “back-burned” this, but have since found that both are already on on the Mac under a terminal window. It’s UNIX. It works.
6. QuickBooks. There is a version for Mac. It will cost money. I can run it under Microsoft Virtual PC 2004, which also costs money. I need this, but may come up with a “Plan B.”
7. PGP. There is a version for the Mac.
8. A backup mechanism. There will be a way to do this, I assure myself. I will wait.

While I have a Linux system at home—running on an old used-to-be-Gauntlet platform PC my friend Allen sold me 5 years ago— I figure I need something quiet enough to put in my office (the other is in the basement), and one with larger disks. Boy, I would really like a Shuttle. For under $500 I can get a system with a big disk on which to put Fedora. I might even need one.

Meanwhile, someone suggested I just buy a large 300 GB disk to stick in my existing Linux box, or just get a USB/Firewire external disk. I may buy a new Linux system in the future, but for now I am sticking with the old reliable one and I did purchase a large external drive for backups and synchronizing files. I’ll not talk more about this, as this is really about the bigger step of moving to a Mac.

Which Mac?
I went a bit crazy for a few days comparing iBook and PowerBook. I compared and compared. Money was important, but so was weight. The 12″ PowerBook is 3 ounces lighter than the iBook. That was not the only reason, but I went with the PowerBook G4. I found it in stock at the local CompUSA at a decent price, and picked it up along with a 250 GB LACE external disk.

Next time I’ll talk about my initial setup and use, what I found, and my initial migration.

Side note: I noticed that I referred to this computer as “my PowerBook.” Little things like that are telling…

I am going to write a series of blogs discussing how it is I now use an Apple PowerBook G4 (12″) and have essentially pitched my Windows PCs. Herein, I want to tell you what led up to it. In later blogs I’ll discuss the initial thoughts and recommendations from others, my requirements, the software I needed, and what I like about my new platform, as well as anything I find I do not.

But, first, some funniness. As I sat down to write this, I wondered, “In what category should I put this?” My blog has four categories. “Security?” Well, maybe, but that is too easy a poke in the eye of Microsoft. “Theology?” Yes, it does comes down to a “religious argument” for many, MS vs. Apple, but “theology” is not about religion. Really, it is not. Not “E-mail,” and “Misc” seemed like a cop-out. So, I created a new topic area, “pc2mac.”

By the way, colleague Winn Schwartau went through a similar move chronicled in “Mad as Hell” – Switching to Mac Chronology.

Background.
For years I have used a Windows desktop, a synchronized Windows notebook, and a Linux server for … well, Linux stuff and to keep my sanity. Also, I stage my website on my in-house Linux system before deploying. I used Windows for the same reason that many used VMS back in my DEC-days: that’s where the applications were. And because of that, most all of my clients require Office compatibility from my computing environment. I’ve known people who bucked that system— and arguably it is not a Windows-thing, but an Office-thing—with the resulting back-and-forth of trying to exchange documents that display on one machine the same way as they did when created. Life is too short for that.

The Straw that Broke the Camel’s Back.
One day a few weeks ago I was happily working away when my Norton Antivirus—which I regularly keep updated—crashed. It raised its hand and said, “Sorry about this… I need to crash. Be so kind as to uninstall and reinstall me please.” No, not really, but if I had known I’d be fixing it for over 8 hours, I would have written down the error message. I never saw the message again.

I tried restarting. No joy. I uninstalled and reinstalled. Over and over again. It would not let me get very far. It seemed like the MS installer was broken. At first it complained that some components were still installed. I went into a Windows Explorer window to search for a file, and…. Search Assistant did not work. The left hand side of the Explorer window that should have had search options (and a cute little helper doggie, or a wizard, if you’re that kind of person) had nothing, just a bluish background.

Craziness. I decided to go to a restore-point. I clicked on “Help and Support” and nothing happened. I ran the restore-point executable resulting in a big empty window and nothing else. I went to the Symantec web page time and again. I tried their web-based system check. I was lost somewhere in ActiveX or JavaScript hell. Firefox problem? I tried IE to no avail. Nothing that might help will run. I try to install SystemWorks 2005. It claims one of the Norton Utilities is already running. It was not. I got the same result with almost nothing running. I started turning off everything I was sure I didn’t need in the “startup” list, including an Epson program and a Lexmark program… left over from printers I’ve not had for years.

At this point I was thinking “really insidious virus or really corrupted registry.” But, I am really, really careful about opening attachments, about keeping AV software current, about firewalling. But, who knows? Though it could be the registry. So, I started poking around the registry. It was filled with the the crude of 5 years of installations and removals of hardware and software. I got more and more disgusted, especially since nothing worked and everything takes a reboot.

I scanned for viruses from a remote computer. Clean. I installed a 30-day trial of some other AV software. It claimed that no viruses were found. But, if good friends tell you that you have a mental illness and your brain tells you that you are sane, you better listen to your friends. In other words, how did I know if I have “supervirus?”

I turned off the computer and started looking for advice. The best people could offer was, “Better just reinstall everything on a clean system. Shoot, your should do that yearly anyway, because the registry gets so messed up.”

Basically, that did it. I didn’t know—I don’t know—if it was an unheard of virus or a corrupted-beyond-repair registry. It didn’t matter to me. I must have put in 20 hours or more of trying to figure this out. I know UNIX systems didn’t have these problems. (And when I write “UNIX,” I don’t just mean Solaris. I’ve used UNIX since 1979; By “UNIX,” I’m including “Linux.”) UNIX systems just keep on running for days, months, years. You don’t need to reboot them when you install new applications. But, I also heard good things about Macs. So, I had decided to leave the Windows world if I could. And you know what? I felt happier than I had in days.

Next time I will write about my initial thoughts and questions I asked.

On Monday, Luís Rei sent the following note: A while back I experienced similar problems with windows search (and other windows applications that rely on javascript). It was not caused by uninstalling Norton but by uninstalling Kapersky.I managed to fix it after googleing for the problem and finding the following: Fix: Start->run regsvr32 urlmon.dll regsvr32 jscript.dll regsvr32 wshom.ocx (I made a blog entry on the subject: http://neacm.fe.up.pt/~rei/archives/javascript-troubles/) Thanks, Luís! This repaired the desktop computer that my wife is still getting.

My RSS server pointed me to this securitypipeline article, entitled, “Hackers Break Into Two Universities, 100,000 Identities At Risk.” Same old stuff, but it referred to a an interesting site tracking “Data Breaches Reported Since the ChoicePoint Incident.”

A securitypipline article caught my eye today. It is well-written and covers the need for a vulnerability assessment scanner. It is a good general survey, and goes well in enforcing some things I’ve discussed in the past, including Using Network VATs for Verification, Beyond the VA Scan, and Basic IP Router Security.

But, I wonder if the article is not a verification itself of what I said in Security Redux?

A former collegue at Trusted Information Systems, Tommy Ward, writes, “If your company is like many others, you have put a lot of effort into securing your information systems. You’ve implemented technology and procedures at great expense, but you may be omitting an important last step: secure off-site storage.”

This is the opening to a compelling whitepaper, “Security of Backup Data.” Check it out

Another “ground-breaking column” in Network Magazine, (do we still say “in” when it is “on” the web page?). No, I am being unduly sarcastic. As I will suggest, it is not their problem, but ours. The column, by Art Wittman is Security Is an Architecture, Not an Appliance. The premise: “The idea that security starts and ends with a prepackaged firewall is simply misguided.” His column is right on target. But, don’t we know this already? (And I suppose we do, but many people do not.) A search for “Firewalls are not enough,” turns up 649 hits, including a paper I wrote that originally appeared in the Proceedings of the 17th National Computer Security Conference… in October 1994 and another I wrote—the cover story—for Information Security Magazine, “Firewalls: Are We Asking Too Much?” That was in May, 1999.

What new information does Wittmann’s add? None, really. And to be fair, it is really just meant to be a lead-in to the magazine’s current (not sure what month—I cannot tell from their web page) current issue that discusses host-based IPS technologies.

This seems to me to be part of the trends I related in “History Lost” and “The Same Old Drum Beat.” Yes, application-specific controls are needed. Yes, firewalls are not and never have been enough. Nevertheless, we apparently have and continue to communicate to those with less clue than we have (see Seven Things to Help Keep Sanity and Equilibrium) that they are. I suspect, as I have for quite a few years, that the problem stems from the dilution of the network security clue-pool with those who took a course or two, got certified, and hung out a “security” shingle. As I rapidly approach a half-century of life, I am not suggesting anything radical. Just that the lack of practical experience may be part of the problem, and—as I suggest elsewhere—may be what leads us to repeatedly cover the same ground. I am not just ranting here, but I have no solutions to offer except that people do their homework. Some of our latest discoveries were already discovered many years ago.

Erling Jepsen wrote from Denmark with these observations and pointers: I’m doing my masters thesis on security aspects of Service oriented architecture (SOA) and this is one thing that I’ve started to wonder myself. SOA introduces a new set of challenges to security. One is that organizations can not anymore tie themselves down behind a DMZ, because the people who are accessing our data could be sitting inside or outside the organisation and because there would be external partners also requesting information – a whole new. The Jericho Forum calls this de-perimeteriazation. In order for security to properly match the extra abstraction layer, which SOA has adhered to, it will itself have to rise – so I think formulating a security architecture would be interesting. Just my 5 cents of comments (or 25 re as the equivalent is here in Denmark) Thanks for the pointer, Erling. I never heard of The Jericho Forums before.

If you read any Internet-technology-based news, you know that a recent security breach may have exposed 40 million credit card numbers. The actual number is probably smaller. And I suspect that the so-called “security vulnerabilities in the processor’s systems,” according to MasterCard, will provbably turn out to be well-known vulnerabilities or practices considered less-than-best.

So, what’s a person to do? Do you stop using MasterCard and use Visa? That is hardly practical. But, we can start demanding that credit card companies enforce high security standards with the companies that support them.

Bruce Schneier writes about it in his blog.

The Register’s story is here and InfoWorld does here.

Pete Lindstrom from Spire posted a terrific column on Credit Card Numbers vs. SSNs.

Read Matthew Friedman’s comments and analysis in his securitypipeline column.

Are file-sharing programs a security matter? Today, the Associated Press reports “Confidential Data From Japanese Nuclear Plants Leaks Onto Net”. The culprit was a virus-infected PC “loaded with file-swapping software.” It included “photos of power generation facilities and workers’ medical files–data that should not have been loaded onto a personal computer…”

No duh, as they say.

Have a policy about what is on your PCs, know what is on them, and deal with infractions.

Axel Eble blogged the following (at balrog.de/security/archives/2005/06/24/99_re-audit-those-pcs): While I agree with what he says about having policies and dealing with infractions current viruses and worms bring their own file sharing software. It’s not even necessary to have something pre-installed. True, of course. I dashed the original off before leaving the office. I neglected to add, that this is yet another example of where egress filtering in the firewall might have helped. Also, perhaps some of the things we discussed in January 2005 in Malware—the threat is real would help.

I (almost) never read the extra pages included in my credit card bill. This is the case now when I get electronic notifications as before with paper bills. But, I guess after the latest MasterCard news (mentioned here), I was doing more reading.

The company adds the following:

SECURITY/ PROTECTING YOURSELF ONLINE
There are simple steps you can take to protect yourself from fraud while online, such as never sending personal or financial information by email. (We’ll never ask for it.) For more information, please review the recommendations of the U.S. Government and others at the following sites:
http://www.nipc.gov/warnings/computertips.htm http://iisw.cerias.purdue.edu/home_computing/topten.php

Now, the NIPC one no longer works. NIPC disappeared (as far as I can tell) into the Department for Homeland Security. CERIAS is always a good bet for anyone interested in computer security. So, while I wish their list was more up-to-date (and I wish they pointed to my site :-)) I’m glad they are thinking about this. But, then, most people do what I do and throw away those “extra” pages.

Colleague and friend Marcus J. Ranum is interviewed in this SecurityFocus piece.

At a recent Institute for Applied Network Security Forum, I handed my PDA to my friend and colleague, Robin Roberts of Cisco, to show her some family photos.

“You don’t use an encryption program?” she asked. I just looked at her sheepishly. “PDA Defense,” she said.

So, I went and downloaded a trial version of PDA Defense.

PDA Defense provides access control for your PDA (in my case, a Palm Computer®), as well as strong encryption to protect. You can control what files or applications are encrypted (my calendar, contacts, and email, yes; my Bible and photos, no). You can set what applications or ata bases get wiped (destroyed) if there are too many wrong password attempts, as well as to destroy all records if there are too many at initial “login.” (“That is just a loaded gun aimed at my head,” Robin said.)

It also allows you to set a password an any and all application launches. So, for example, if my company policy was to password protect my corporate email records on my PDA with a password, I’d need a password to access my PDA, and would have to provide it again to get at my email.

It works, it is useable, and fairly painless. Does your organization have a policy that covers the security of PDAs

slashdot points to this Computerworld story that says, “A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.”

Maybe we have no one to blame but ourselves. Encryption software on a PC should be as commonplace as AV software. The technology has been around, and “products” available for almost 20 years. But, it is still rare enough that a jury can be convinced that only criminals have something to hide. I’ve no sympathy at all for people who prey on children. (See A Really Ugly Side of the Internet.) But, when will crypto be ubiquitous?

For some background on the availability and use of crypto on computers, see:

• From arms violations to gathering dust: The strange history of PGP
• PGP Corporate milestones
• PGP Timeline

I just checked my Vitae — I’ve been doing this (computer and network security) full-time since 1992, and part-time for a few years before that. As may be evident from recent blog postings, such as The Same Old Drum Beat, I’ve become more curmudgeonly. As charming as that might be in me, it is in no way a desirable attribute. So, I wondered, just what is it that bugs me about this field in which I’ve (sort of) made a name and (sort of) made a living? I came up with a list of the five reasons I hate computer and network security.

• There’s no way to get to a solution. It is a moving target! There are always more and bigger threats. Or, more precisely, there are similar threats manifested in bigger and badder ways.
  
  On the other hand… Ecclesiastes says (1:9.10), “What has been is what will be done, and there is nothing new under the sun. Is there a thing of which it is said, ‘See, this is new’? It has been already in the ages before us.” So, we can use variations of what has worked in the past, in new ways perhaps. Rather than making it frustrating, that should be what makes the job interesting. No?
  
• With users, everyone does what he or she wants anyway. The apostle Paul — not specifically referring to our topic — wrote, “As it is written, ‘none is righteous, no not one: no one understands… all have turned aside… no one does good, not even one.'” (Romans 3:10 ffl.) Even earlier than that, the writer of the Book of Judges wrote, “Everyone did what was right in his own eyes.” (Judges 17:6.) So, the security person is always the bad guy to the users. On the other hand… in Matthew’s gospel, we find this: “When hs saw the crowds, he had compassion for them, because they were harassed and helpless, like sheep without a shepherd.” Hmmm. Okay, they really do need a shepherd. Think of what the users would do without some direction, some guidance, some tempering of their destructive tendencies. Yes, they are smelly, but they sure do look cute. And they do need help.
  
• With upper management, it’s the same old battles.They have a short attention span when it comes to technology. Unless they are technologists, and then they won’t stop suggesting tweaks. And all they care about is making money.
  
  On the other hand… it really is about making money. Put another way, “security” is about managing risk which is short-hand for “managing risk and maximizing business.” So, in an annoying way, they are just doing their jobs.
  
  
• Those darned users are never satisfied. They just want more, more, and more. They don’t listen to reason. As I said in Seven Things…, “We ask for requirements, they give us solutions,” and their “requirements are wants or desires in disguise.”
  
  On the other hand… as I said later in the same blog entry, “It is the responsibility of the clueful to clue in the clueless.” And, remember, they need a shepherd.
  
  
• Security practitioners keep going over the same ground, sometimes reinventing solutions, but under a different name. We’re also enamored with analogies. Recently, I read a reference to a post to a mailing list I usually read. The mailing list post referred to four critical attributes of security that are likened to the four legs of a stool. A great analogy? Well, sort of. It works perfectly as an analogy if we’re talking about a three-legged stool (which won’t stand at all if one leg is missing). But, four legs minus one? Or a five-legged stool? I suppose it is weaker. (Though, I guess, I really mean the analogy.) We want to make analogies between the network world and the physical world. We draw bricks and moats, castles and draw bridges. We forget about history in our own discipline.
  
  On the other hand… No. No, there isn’t an “other hand” for this one.

Axel Eble, CISSP, comments on this in his own blog, I don’t hate security. Thanks, Axel!

A few week’s ago at Interop, Marcus Ranum penned (okay, he ‘keyed?’) an editorial, “What is ‘Deep Inspection?'” Well-written, of course, and more detailed than anything I’ve recently written, of course. I commend it to your reading.

In March 2004, in less detail, I wrote about the subject of forgetting history in our discipline, under the title Security Redux. In it I discussed the security of firewalls coming back, but never quite getting all the way back, to the things that Marcus and others taught in the early 1990s. In September 2003, I wrote an Information Security Magazine column, Debunking the Firewall Hype.

My question is… why are we still writing about this? Why is Marcus? Or, better yet, why don’t we get it? He writes, “Customers need to understand their objectives and requirements, so they can best select technology that facilitates their mission.” Absolutely true. But, that could have been written in the late 1980s. Heck, it probably was — by Marcus.

Then this afternoon I got some spam sent through my Information Security Magazine mailbox (I guess I keep it in case they ever want me back :-)). It was an invitation from a PR firm to interview the president of one of their client companies. According to this email, he is a “‘White Knight’ professional hacker. A world-recognized expert in security issues…” I’d never heard of him, but I’ve only been doing this for 20 years. “The Hook” to the proposed interview — “Security is an ongoing process, NOT just a product.”

Well, stop the presses!

And another new and revolutionary idea: “Continued awareness and prevention is the mantra that is being evangelized by” the White Knight guy. They go on to say, in this enticement to call him for an interview, “The Facts: Companies and individuals are too passive, even complacent, when it comes to safeguarding their networks and PCs.” Brilliant, eh? They invite me to speak to him “to gain a 360 degree perspective about the ongoing challenges of security breeches and fixes faced by organizations and individuals.”

I don’t know whether to laugh or cry. No, that is a lie. I laughed.

When are we going to get it? When can we move on to other things?

This is just a friendly reminder… not to you, but to the people you know who are not technical. According to this article in The Register, phishers are trying harder. Remind your aunt, your mom and dad, your grandmother—remind anyone who has a bank account or credit card—that financial institutions have phone numbers and web addresses (well, most of them). Never click on a URL in an email message from your bank or credit card company, at least not an one you don’t expect. Open a browser and retype it in yourself. “But,” you say, “I can’t waste such time. Time is money!”

Exactly.

Last week at Interop, at Secure E-mail Day, one of the discussion topics was spam. I’ve written on the subject, for example here, here, and here.

Bruce Schneier writes about e-mail spam and VoIP spam in Combating Spam.

As I mentioned here, “it is traditional, at the faculty-hosted ‘Gala Dinner’ of the Institute for Applied Network Security Forum, for the faculty to be the entertainment. It is also traditional for faculty-member Marcus Ranum to come up with the assignment.” This year it was almost limericks. Instead it was a version olf “Mad Libes.” I did one, but using a limerick.

To “get” the limerick’s references, you need to read this history of the Firewall Toolkit.

The limerick:

There once was a manager, Fred,
who to his best programmer pled,
“Make me a SEAL,”
and so with great zeal,
“It won’t be a PIG,” Marcus said.

Why won’t we learn? Why isn’t disk encryption standard on notebook PCs? Oh, I know. Because when you forget your password, you cannot access your computer. But, there are products that will allow for emergency access. I talked about it before and pointed to previous columns I wrote here. On March 28, 2004, securitypipeline had this article, Stolen Laptop Exposes Data of 100,000.

I’ve been haunted by a song recently. Okay, that is so cliché. But, it sounds bad to say it’s been bugging me. The song, “The Catcher in the Rye,” is on Bryan Steel’s debut CD, Of Roots & Restlessness. (You can hear 2 minutes of the song by clicking on “store” URL on his website.)

See, I’ve been playing this CD over and over again in my car, wanting to let the words sink in and stir up. And my mind hit a speed bump with this song, on the meaning of the title of Salinger’s book. I think I get a feel for what Steel is saying in this song, because I read the book (I think everyone my age had to in junior high), and I remember Holden Caufield. What I don’t remember is to what did the title of the book refer? So, I used the Internet.

First, I found that the book is still taught, at least in Long Island public schools. Elsewhere, I found the reference. In chapter 16, Holden hears a little boy singing, over and over again. “If a body catch a body coming through the rye.” This is a kid’s misquote of the Robert Burns Poem “Comin Thro’ the Rye,” which — no surprise, it’s the Internet — you can read and listen to here. There’s even an explanation of the reference in the book.

Okay, this has been way off course. Check out Bryan’s CD. It is a winner.

I just posted a review on the “store” site: Haunting, real, troubling in a good sort of way. Steel’s words leave me thoughtful and sometimes troubled. His music carries me along as I listen. Like a section of a really good book that I enjoy rereading, I find my hand going to the “replay” button. I think… “I wonder if he was thinking of this person when he wrote that?” And then, “But, it is me. How did he know?” Hey. It hurts. Hey. Don’t stop. I need it.

You would think that notification of big winnings in an international lottery (for example, the HEMALOTERIJ NL,/INTERNATIONAL PROMOTION PROGRAMES.NL) would come in something more official than an email message.

The burning question I have is not why it took so long to get these “long awaited results.” Nor, do I wonder why it slipped through my spam filter (scoring a measly 3.6 — though it did end up in my “Maybe Spam” folder). No, I wonder why these lottery people — why not one of them — know how to correctly punctuate a sentence. I know English is a second language to the officials in the “INTERNATIONAL PROMOTIONS DEPT.” But, in most languages — at least western ones–doesn’t everyone leave a space or blank after a period or comma and between words? And doesn’t everyone capitalize the first word of a sentence?

Anyway, I guess I won’t care once I claim my prize of “1,000,000.00Euros (ONE MILLION EUROS.) in cash” (in cash?!?!) using my claim number and contacting “MR MARK DUFFMAN Foreign Transfer Manager.” Hmmm, I’ve already written too much. I would not want someone to claim this prize! Thank you, “Mrs. Liliana Remoud!”

I wonder how much 1 million Eurodollars in cash weighs

As I mentioned earlier, I am leading Secure Email Day at N+I in Las Vegas on Monday, May 2, 2005. Here is how the day looks:

As when it first began as the ARPAnet, the Internet’s killer-app is still email. Nearly everyone has and uses it, and businesses depend on it. Because of it’s ubiquity and ease of use, it is also the most popular and successful threat vector for network and computer attacks from viruses, worms, spam, and protocol attacks, in addition to run-of-the-mill network eavesdropping. The good news is that techniques for taming email as “threat” while still permitting email as “tool” exist and the tools, if used correctly, keep getting better. Email Security Day is all about presenting the best methods and mechanisms to keep our email flowing and useful. It will also give you an opportunity to hear from and speak to some of the leading solution providers in this space.

Program Format:
Secure Email Day is a mixture of lecture, expert-lead group discussion, and a vendor panel.

Prerequisite:
A basic understanding of email and cryptography terms

Program Agenda

• Introduction and Problem definition
  • Why email is insecure
  • Why it should be
  • Challenges we face
  • Overview of solutions
• Cryptography
  Almost everything we talk about today will build on this and how it this is applied to email. This will be enough to bring the crypto-beginner up to speed without boring the crypto-knowledgeable.
  • Authentication, non-repudiation, integrity, and confidentiality
  • Keys both public and secret; and terms
• Email Security Solutions
  • Commercial and “home-grown.”
  • What have you tried, what worked, what didn’t, and why (Group discussion)
• Public Key Infrastructures (PKI) and Email
  PKI should be an enabler, and for some it is. For others it has been a stumbling block. Jon Callas, CTO of PGP Corporation will discuss the pluses and minuses and present “Improving Message Security With a Self-Assembling PKI.”
• Spam Control, Part 1: Methods, mechanisms, services, and solutions.
• Spam Control, Part 2: What have you tried, what worked, what didn’t, and why. (Group discussion)
• Grill the Experts
  Will secure email ever be ubiquitous? How do we sell the concept into our organizations? What are the hurdles to use and deployment, and when will we surmount them? This panel will answer these questions and more.
• Protecting and ensuring the integrity of information is not just a good idea. For some of us, it’s the law.

At the faculty-led round-table discussion at the recent Mid-Atlantic Network Security Forum, my discussion topic was “Keeping your sanity while positively influencing your enterprise security posture” (or maybe it was a bit less wordy).

These are some of the things we came up with.

• Consistent, regular, targetted communication is important. “Targeted” as in speaking the executive language to the execs, and technical language to techies.
• Sometimes a grown-up with a customer-service orientation and an MBA who is also technical is an asset.
• Hold security forums aimed at the security people plus everyone else.
• Demonstrations of what can happen — in a controlled, demo environment — are useful.
• Build community. The security staff should know people and be known by them.
• Face-to-face, one-on-ones break down walls between countries, organizations, and levels in an organization.
• Before any changes: educate, educate, educate, and warn that they are coming.
• Keeping up with the change, maintaining a gradual improvement in the security posture is often just fine (i.e., good enough).
• “Old school” security management — “Because I said so” — just does not work anymore.
• Ask “what makes sense in our environment and our corporate culture?”
• Remember, those in power — and maybe others — may always ask, “But, why?” Or, “Prove it to me.” Or, Which government regulation?”
• Ba patient, wait for the business case, take it one step at a time. But, stay the course, and stick to the plan.
• Oh, yeah. Plan.
• Sometimes the user is his/her own worst enemy. He/she doesn’t need another.
• Concentrate on protecting your most important assets. Do the best you can with the rest.

In addition to these things, remember my blog Seven Things to Help Keep Sanity and Equilibrium.

The background: it is traditional, at the faculty-hosted “Gala Dinner” of the Institute for Applied Network Security Forum, for the faculty to be the entertainment. It is also traditional for faculty-member Marcus Ranum to come up with the assignment. In the past, we’ve had to come up with our (individual) favorite pet-peeve or rant in the area of computer and network security.

At the recent Mid-Atlantic Network Security Forum the assignment was to come up with a haiku (at least structurally) based on a real network security story.

First the abbreviated story:

Not liking to make fun of current clients, this is something that happened back in 1993. My team and I were connecting a high-profile government site onto the Internet for, they believed, the first time. We were goign to install a firewall that we built special for the occassion. We suggested a review of the existing physical network to make sure we and they knew to where they were already connected. The review turned up an already-existing connection to the Internet through another organization. In fact, at the time this other organization was well-known for getting broken into.

The haiku:
Plan for firewall
Why should we even bother?
Dead ends at Goddard.

InfoWorld reports “U.S. agencies receive D+ cybersecurity grade.” And we’re not talking about some insignificant agencies. (No offense meant.) Problem agencies include the Department of State, Department of Homeland Security (gasp!), and the Department of Commerce. Most improved were the Department of Transportation and the Department of Silly Walks. (I am joking about the latter.)

Today in my RSS newsfeeds were a few items that got my stomach churning and my blood boiling. I’ll add no other comments, except to point to a few of the on-line articles. The topic is child pornography.

Information Week‘s article The Privacy Lawyer: The Pain Behind The Pictures, is an introduction to why child-protection advocate Parry Aftab got involved in this fight. (WARNING: contains graphic descriptions).

Raising Public Awareness discusses a public awareness campaign.

These articles— Technology And The Fight Against Child Porn, Picture This: Should Google Filter Its Image Database?, and (via securitypipline) The Problem Is Getting Bigger—discuss the issue from various angles.

Learn more what you can do about it at

In reading the Firewall-Wizards thread under the subject VPNmadness gets more support, I thought of a paper I wrote almost 5 years ago, entitled The Rise and Fall of Internet Security. Still relevant, and not just because I am lazy, I repost “The Seven Things to Help Keep Sanity and Equilibrium” here. No one needs to tell us how to play this tug-of-war. If we are security professionals, we are already engaged in it. How do we stay in the game, while providing security and providing usability in a way that occasionally permits us to relax? Security professionals must remember (at least) the following seven truisms.

1. We ask for requirements, they give us solutions. It is very important to listen carefully and ask questions. When someone states “We need to allow the H.323 protocol through our firewall,” they have given you a solution. You might not know whether it is the best solution, but you must recognize it for what it is and gently push back. “What is your requirement?” You see, the requirement is probably something along the lines of this: We need to easily and inexpensively audio or video conference between groups X and Y.” By giving you the “solution,” you might be forced into opening up more (perhaps insecure) services through your firewall. Their proposed “solution” might not even be the best one for the application they truly wish to employ.
2. Many requirements are wants or desires in disguise. Sometimes you may be in a position to “grant wishes,” but it is important from a security point of view to understand what are business requirements and what are not. “We need you to open up UDP port 2092.” Might really mean, “I want to play Descent3 on the network with some of my buddies.” Once you know the want or desire, if it is contrary to a security or acceptable use policy, you can explain why this request cannot be satisfied. While it won’t make Descent3 users happy to know they cant play this RPG at work, treat the user as an adult by explaining a vulnerability, threat, and consequence that gave birth to the policy (see 3 as well).
3. It all has to do with numbers. The fewer the numbers of {supported services, permitted connections, outsiders allowed in, insiders allowed out, cluelessness}, the easier securing the network will be. If every sales person (lets say 100 of them) needs access to the entire inside network (500 computers), utilizing any possible Internet service (65,000), we end up with a level 9 problem (3.25E9). If every sales person actually only needs access to send and receive e-mail and web access to the sales web server we end up with a level 2 problem (6E2). Which would you rather have to deal with, a level 2 or level 9 earthquake?
4. The more granular (specific) we can be in our security measures, the easier it will be to secure the network at least, in the long run and the easier to provide services. This follows from number 2. Many corporate interoffice firewalls are configured to allow unlimited access from one site to another. It is far better to allow open access (if required) for only the required services between the offices. This is because…
5. If you have mistakenly disabled a required service, you will hear about it. If you allow an insecure service over which someone can launch an attack, you may never know about it. This is a corollary to the axiom, “that which is not expressly permitted is prohibited.” When unsure about a service, better to disable it and incur the temporary wrath of service users than to expose your network to attack.
6. It is the responsibility of the clueful to clue in the clueless. We must remember that the clueless may and should make good and proper use of the Internet: this is a Good Thing. Simply put, it is a benefit for our jobs and our society that computers are accessible to almost anyone. People are not stupid just because they do not know that “macros” in a document running in word processor are actually programs and to be treated with suspicion. They do not have to know what is behind a web page in order to use it, but they should have enough security education your job perhaps to know when to stop and think (“Click here to infect your machine”).
7. Equilibrium is more than just good. Equilibrium is winning.

Vulnerabilities were announced in two of my favorite computer tools on the same day. As slashdot reports, The Shmoo Group showed off a “nasty browser exploit … works in every browser *except* IE”.

All the other browsers support International Domain Name (IDN) characters. Check out the demo.

The funny thing is, I had seen this just last week in an email message that was supposed to come from (uh oh) paypal. [See addendum below] I slide my mouse over the URL and… what-ho! It still said it was taking me to the real paypal site. But, being the bright guys I am, I told Eudora to show me the message source (in a text editor) and I saw that it was actually going to take me to — well click on the URL above and look at what you see and display the html (the source) and you’ll see.

The good news is that it is easy to fix without a new version of Firefox. The workaround, according to mozillaZine is

by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory ( Common profile locations).

Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line.

A simpler way — entering “about:config” in Firefox’s URL window, finding “network.enableIDN,” and changing the value to “false” — did not work.

I read about the Eudora problem in my WatchGuard news feed. It requires an upgrade to Eudora or a switch to another e-mail client, such as Mozilla Thunderbird. I decided I would try to migrate to Thunderbird. I write about it here.

The suspect URL in my email was http://www.paypal.com@aida-fans.de/phpkit/index.htm

Eric Johanson of The Shmoo Group wrote and corrected me: This was using the ‘username@domain’ trick, which has been around for a while (and most of the browsers block or warn users these days).