Month September 2006

A note to MDJ PDF subscribers

We’ve installed StuffIt Deluxe 11 on the production system, and in preparing MDJ 2006.09.28 for distribution, we noticed that the new version no longer creates classic StuffIt (“.sit”) archives, the kind we’ve used since 1996 in distributing PDF files. This gives us a chance to start converting to ZIP compression as so many of you have requested.

Unfortunately, our distribution software was not expecting this, so we Zipped the issue and wrapped it in Binhex so the MIME type would still be correct. However, the enclosed file is not named “MDJ_20060928.pdf.sit”, but rather “Archive.zip”. This may affect some of your mail clients or automatic issue receiving scripts, for which we apologize. This is likely not the final word on Zip-based distribution, but we thought we should warn you of the change.

Update: We are getting reports from people who cannot unzip the archive in today’s E-mail delivery. If that happens to you, try the version in the secure RSS feed for your subscription – we’ve also heard that it works just fine, even though the two files were created by the same program (DropStuff 11). The file length on Archive.zip, once the binhex encoding has been removed, should be 159,666 bytes. The file length for MDJ_20060928.pdf.zip in the RSS feed should be 160,165 bytes. We’re not sure what difference the extra 499 bytes make, but obviously, we’ll attempt to fix E-mail delivery before our next issue.

Personal and work updates from Matt

Hi, folks:

As hinted in the previous entry, I was hospitalized last week with what I thought was a breathing problem, but turned out to be congestive heart failure. My heart was pumping less than half the blood on each beat as it should have. This is why I’ve had no energy all summer, why walking from one session to another at WWDC exhausted me, and why even finding and eliminating allergens in the GCSF studio didn’t really solve anything. As it turns out, I did have pneumonia as well, but it was largely a complication of the heart problem, not the root cause itself.

I’d love to be a spokesperson and say “have such-and-such checked so this doesn’t happen to you,” but there’s really no one key to having avoided it – the doctors’ best guess, at present, is that I picked up a virus earlier this year that damaged my heart muscle and led to cascading problems. I’ll undergo tests early next month to confirm I don’t have blocked arteries, but none of the doctors believe I do, and there are no family signs for CHF at my age (I turn 40 later this year). I had been under medical care for the respiratory problems this summer, too, so it’s not like I was ignoring them. Apparently lots of CHF cases are mistaken for asthma or other breathing problems at first.

I’ve been home for close to a week, but it’s still an adventure adjusting to the new routine, the new diet, and so on. The doctors haven’t restricted my activities because moving around helps me heal, but sitting in an office chair tires me out as much as standing after a while. I’m getting stronger, but I’m not there yet. I’m going to be out being non-sedentary for much of the next few days, if I can handle it.

We hope to resume MDJ and MWJ production early next week. I’ve spent the energy I’ve had keeping up with what’s going on, and now I just have to find the energy to get it into print for everyone (not optimal, but you have to admit, it pretty much can’t work the other way around). We are still paying attention to what we see, like these things:

  • We were a bit surprised that StuffIt Deluxe 11 is an upgrade, since Smith Micro promised last year that the Mac version with StuffIt JPEG photo compression would be a free update. Then again, that’s probably why it is a free update to anyone who purchased StuffIt Deluxe after mid-August 2005. It remains to be seen if the new version fixes the annoyances and bugs of version 10 (we don’t have a review copy yet), but StuffIt is fighting an uphill battle.

  • There’s no reason to avoid Apple’s latest AirPort security updates, but you should rely on Software Update to tell you which of the four updates to install, since it’s a bit confusing to do it by hand. (AirPort Update 2006-001 applies only to the latest Intel-based systems with Mac OS X builds later than those generally available; everyone else needs to use Security Update 2006-005 for either PowerPC Panther, PowerPC Tiger, or Intel-based Tiger systems that aren’t so new that they need the AirPort Update.)

    We’ve uploaded the list of changes in all four updates in OPML format for your perusal, and if you look, you’ll see that they’re all small updates that are tightly focused on AirPort driver issues.

    According to Apple, as told to Macworld, the fixes in the updates came from Apple’s own internal code review, prompted by the public claims that MacBook computers could be attacked and controlled without requiring the user to do anything other than have AirPort turned on (MDJ 2006.08.30). Apple insists that researchers David Maynor and Jon Ellch did not provide any specific information allowing Apple to find any specific vulnerabilities, but the focus on the issue and on similar flaws in the BSD stack led Apple to find several places where such attacks might occur, even though the company has seen absolutely no evidence that any of them did occur.

    We’ll have more on this in the next issues of each journal, but for now, let’s point out that far from claiming victory, Maynor and Ellch have now lost any shot at credibility they had left. Now that descriptions and fixes of these potential exploits are in the wild, Maynor and Ellch could easily look at the fixes (even in the Darwin source tree) and say, “Oh, yeah, that’s what we found.” But when the researchers had two months to prove it, even to Apple Computer itself, they refused. They provided only vague, non-specific hints about “something bad,” refusing to let any Macintosh security experts see the exploit, and in fact refusing to demonstrate it live before anyone who might be expert enough to catch Mac hanky-panky in progress.

    They said both that they did and didn’t find a way to exploit a standard MacBook, and every time anyone asked for details, they either said they were withholding them for the common good, or made mysterious and completely unsupportable accusations that “Apple legal” told them not to talk about it. (Apple Computer, like any other entity, has no legal right to tell people who aren’t under non-disclosure agreements what they can talk about at any time, and any court order enforcing silence would be on the public record.) It’s possible that Maynor’s employer, SecureWorks, threatened him if he didn’t remain silent, but that’s neither Apple’s fault nor a credit to Maynor. It was he and Ellch who sought publicity by going to the press before showing video of their alleged hack at the public conferences Black Hat and Defcon, so if there’s fallout from making public allegations that they can’t back up, it’s on them, not on anyone else.

    If Maynor and Ellch had demonstrated it or shown code to just one Mac expert who could have verified their claims, they’d rightly be lionized for their work. Instead, they took credit for “hacking a MacBook” at security shows and in the international press while refusing to provide even the barest proof that they’d actually accomplished what they said they had, or at least what they wanted you to believe they’d said. Now that bugs and fixes are in the real world, there’s no way of ever knowing if what they say they found matches those bugs or not – when they had the chance to prove it, they refused. It’s like saying after the fact that you knew the answer to Final Jeopardy – you have to say it before it’s revealed to get credit for knowing it.

    Thus, for now, ends the tale of two hackers who sought the limelight and couldn’t handle it when they got it. There is no reason to believe that Maynor and Ellch found anything that could actually take over an unmodified MacBook computer, and now that Apple has publicly released fixes for unexploited bugs that might fit the bill, they’ll never be able to prove they found them first. There is zero evidence that Maynor and Ellch found what they said they found, and any rational observer has to treat their findings that way. If they wanted the credit, they had plenty of opportunity to provide proof instead of vague accusations, and they refused every time. If they get bitter, they can go commiserate with Fleischmann and Pons.

We’ll get all this in better order and out the door in the next few days. I’ve appreciated the cards and letters from those of you who had heard of my heart failure, and I thank you for realizing that replies to E-mail or voicemail may be delayed for several days while I focus my energies on more important stuff. I haven’t had a lot of energy for a long time, but it’s slowly coming back, and at least now I can breathe, so things are looking up.

You have my eternal thanks for your patience – had it not been for MDJ providing medical insurance, I might not even be here to tell you this. It’s all new for me, but I’m getting used to it, and look forward to a more normal schedule just as soon as I can make it happen. Thanks again!

Matt Deatherage
Publisher, MDJ & MWJ

An update on the publisher

MDJ and MWJ’s publisher, as noted on Tuesday, is in the hospital. As recently as one week ago, the discovery of mold and algae in the GCSF Production Studio’s ventilation system gave us a working theory of “sick building syndrome,” but treatments were not effective. He went to see his doctor on Tuesday morning, and after an examination of his obvious respiratory distress, his doctor recommended immediate hospitalization and aggressive treatment of the respiratory problems.

In the course of that treatment, they found signs of an underlying cardiac problem that had been masked by the breathing trouble he’d had all summer long. He was transferred today to a leading heart hospital in the area, where aggressive treatment for that has already shown great results. He will still be sidelined for several more days, but he’s already trying to catch up – believe it or not, the hospital offers wireless internet access!

This is a serious thing, and it will require serious and ongoing treatment, but our present expectation is that he will be back in the office no later than the middle of next week. Thank you for your patience and support in this time.

A significant schedule setback

We were hoping it wouldn’t come to this, but after consultation this morning, Matt’s physician urges that he check into the hospital for “a few days” to treat what has apparently now devolved into pneumonia or other related conditions.

We’ll post more information as it’s available. Thank you for your patience.

A few answers to current questions

  • I last got MDJ or MWJ on such-and-such a date. Has there been an issue published since then?

    Our status page lists the current issues of both MDJ and MWJ, including issue sizes, and when distribution began – and it’s been there (and up-to-date) for more than five years. Unless your or our Internet connection is down, this information is always instantly available to you.

    As of this summer, subscribers can also get the same information in their secure RSS feeds. We sent this information to all current subscribers in June, and it’s been part of the “Welcome to MDJ” (or ‘MWJ’) letter for all subscribers since then. See here for more information about how difficult it’s proven to be to tell people about this.

  • Have you published anything since then?

    We published over 30 pages of on-the-spot information from WWDC 2006 right here, available to all MDJ and MWJ subscribers. See here for our attempts to tell people about this and how they seem to not have worked very well. We’ve also provided a few updates on this news blog, including an article on why E-mail is broken, and why we can’t use it to tell you things the way we’d like. It’s not a standard “issue,” but it’s still a significant amount of material that some of you didn’t seem to know about.

  • Where’s the next issue of MWJ?

    We’re sorry if we haven’t made this very clear somehow, but due to problems with the ventilation in our office, working here this summer has made staff members seriously ill. We’re talking emergency rooms, chest X-rays, heavy-duty prescriptions for weeks on end, significant respiratory distress, inability to sleep due to breathing problems, extensive coughing fits, multiple doctor visits – seriously ill.

    We haven’t been trying to emphasize this because, honestly, there’s really nothing more boring than stories about how other people are sick, is there? But from the questions we’re getting, we apparently need to make clearer that the fungus in our office this summer is not like a day of a hay fever attack – it was a continuous, slow-to-build, undiscovered source of poison in the air we breathe. At this point, we’re basically just extremely lucky that more staff members didn’t get even more ill than they did.

    The most distressing thing about it is that when it was just getting started in June and July, and we had no idea what was going on or how serious it was, we kept spending more time in the office trying not to fall behind. The symptoms were of allergy attacks (not infections), and it seemed perfectly reasonable to go slow in front of a computer instead of at home on bedrest, so we kept trying to get more work done – and every moment we tried, we were getting even more seriously ill and had no idea.

    This does not heal instantly. We’ve had the ventilation fixed for nearly a week, but the staffers who work here are still having severe coughing fits and other symptoms of the toxins clearing out. (This is similar to what Matt experienced near the end of WWDC, he says – after a week away from the bad ventilation, he felt like he was getting worse, but now he realizes his lungs were just trying to expel the last of the nastiness.)

    It really has been a nasty episode, and we’re still amazed that we managed to get MDJ 2006.08.30 out the door (now available to all MWJ subscribers in their RSS feeds). We’re hoping to get on a regular schedule next week, and we’re planning to spend time away from the studio Friday and Saturday to help make sure things are on track. (That is, if being outside for a long spell and then coming back to the studio makes us feel worse, it’s a good sign something is still wrong. We have felt significantly better this week, but a sanity check seems like an excellent idea. We have follow-up doctor appointments this month as well.)

    There’s really only one thing we want to do more than get back to a June-style schedule around here – we hope you miss us for the same reasons we miss providing the high-quality information and reality check you expect from MDJ and MWJ. That one thing we want more? Unobstructed, regular, oxygen-rich breathing. Once that happens, the rest should be a cinch.

  • But how come I haven’t seen any traffic on the MacJournals-Talk (or, as some still call it, MWJ-Talk) mailing list?

    The discussion list has been unavailable for months due to abuses of the honor system, and with everything else going on, we have not had the time to try to complete the work tying it to the subscription database. If you didn’t know this, please let us know how we could have communicated it better other than trying to send E-mail to everyone, which has its own set of problems (again, see here for more information on those problems – basically, even if we put important news in the very front of an issue, a lot of people just don’t see it, and then ask us months later what’s going on). We’d really like to know how to do this better.

Here we go again with the hidden meanings

Our publisher is still ill, thanks in no small part to him having spent lots of hours at work while sick earlier this summer, not realizing it was the building making him more ill with every breath. But we’ve already noticed the hoopla over Apple’s upcoming 2006.09.12 media event – a card that says “It’s Showtime” is now all but universally assumed to indicate announcements about digital movies.

And, for all we know, that may be exactly what happens. But, we asked ourselves, didn’t we go through some similar readings of the tea leaves not too long ago in an incredibly similar situation? Why, yes! Yes, we did. From MDJ 2006.03.15:

On 2006.02.28, Apple held a “media event” for reporters to “see some fun new products.” Even though that’s all the invitation promised, speculation immediately began that Apple was about to introduce everything from Intel-powered iBooks to the mythical “touch-screen video iPod,” inexplicably referred to by some as the “true video iPod.” Some people even obsessed over the iCal-style illustration on the invitation, wondering what it meant. (It meant “28 February 2006.”)

In other words, “Apple watchers” turned Apple’s simple media invitation to a product announcement on its own R&D Campus (not at Moscone Center, not at Flint Center, not at a trade show) into huge expectations for the reinvention of all forms of computing and entertainment. Then, when Apple did exactly what it said it would do and announced two “fun” products – the Mac Mini (Early 2006) with better entertainment features and the iPod Hi-Fi speaker system, these same “Apple watchers” were “disappointed” that Apple did not meet the expectations for products they had made up out of whole cloth.

We have no insight as to what Apple intends to announce in six days – but neither do any of these people trying to discern answers from the design of the invitation, especially given how far off they were last time. We’re just saying.

Good ideas spread like daring wildfire

Here’s a section from MDJ 2006.08.30:

Given the secrecy, duplicity, and inconsistency that has marked Maynor and Ellch’s presentation, starting with going to the press to take on that Mac user “aura of smugness” before Black Hat and continuing through the next month, there are only two easy ways for the pair’s credibility to be restored. One would be for Apple to release a patch for the problem they found, describing it and fixing it so that everyone would be free to talk about it. That, of course, presumes the bug exists and affects Apple’s hardware, not just third-party drivers.

The other way is trivial. Maynor or Ellch (or both) need to perform their demonstration attack not in front of people like Krebs who don’t know the platform well, but in front of recognized Macintosh security and networking experts who do. We’d nominate Glenn Fleishman, but Alan Oppenheimer at Open Door Networks or Macworld Labs would be just fine, too.

The task is simple: Maynor or Ellch would bring whatever tools they wanted to use for their attack, but the target machine would be a stock, unmodified, black MacBook computer (though extra RAM might be allowable), with AirPort turned on and a valid network available if the researchers need it. They would then be free to do whatever they wanted to attack the MacBook except physically touch it.

If they can repeat the demo feat of logging into the MacBook, with or without root privileges, and create and delete files on the desktop, they are redeemed. If they can’t do it in, say, two hours, then they withdraw their claims about MacBook vulnerabilities and apologize to everyone involved. The experts who monitor the test would have to agree not to divulge details about how the vulnerability works, of course, but that’s a small thing – if the vulnerability is real, Mac experts won’t want it in the wild any more than Maynor and Ellch would.

Less than two days later, John Gruber took this upon himself!

I’m issuing the following challenge to David Maynor and Jon Ellch:

If you can hijack a brand-new MacBook out of the box, it’s yours to keep.

Gruber’s version of the challenge doesn’t allow extra RAM in the MacBook, nor does it require a black MacBook as seen in the demo, or stipulate the presence of known Macintosh security experts like Fleishman, Oppenheimer, or the Macworld Labs folks. Still, if either Maynor or Ellch demanded these things, we suspect Gruber might acquiesce – and you have to admire him stepping up and putting his own money at risk for it.

Third-party monitors might make Maynor and Ellch feel like they’re not being railroaded, but if Gruber wants to pay for the MacBook, we say he has the right to watch the attack succeed or fail – provided no one tries to snoop on the network packets as Maynor and Ellch have always said they feared.

But especially now, with a stock machine ready for the demonstration any time this week that they want, Maynor and Ellch either need to put up or shut up. Either they can compromise a MacBook’s internal AirPort Extreme hardware with no additional user requirements, or they can’t and have just enjoyed the attention from almost publicly claiming that they could. They need to do it and be revered, or note the end of their 15 minutes and go away.

If the duo will not demonstrate this attack under controlled conditions now, a full month after demoing it at Black Hat, no reasonable person should be expected to believe the vulnerability ever existed.

(MWJ subscribers: This issue of MDJ is now in your MWJ RSS feed per our previous policy of providing MDJ issues when MWJ is delayed – enjoy!)

Sick building syndrome

Ugh! Our publisher has been getting sicker and sicker, to the point of nuclear antibiotics and chest X-rays, all without any discernible reason. Despite that, he took some time on Friday to go to a nearby town – and after about 2 hours, felt noticeably better. Based on what he knew, that really didn’t make any sense.

So, as usual, it set the gears in motion, and Friday night, we took another look at the production studio’s standalone cooling, mentioned before here and here. In fact, that second instance had a rather revealing note:

(And trust us, you haven’t lived until you have to interrupt a conference call to drain the results of massive dehumidifying from a heat pump with a turkey baster, and repeat it every 4 hours for several days.)

One reason the studio had been so hot was because the heat pump was not properly draining the water it extracted from the air as part of its air conditioning. When the thing got full, it couldn’t dehumidify effectively, and it pumped humid, warmer air into the studio. So we’ve been draining it by hand where we could (the unit weighs about 200 pounds and can’t easily be removed by one person, and calling it “easy” for two is a bit of a stretch).

On Friday night, we took the case off and looked at parts of it we normally don’t mess with, and sure enough: mold! Right where we had noticed some water dripping when the thing needed to be drained. This, of course, was exceedingly disgusting. We wiped it all down with disinfectant cloths, sprayed every flat surface we could find (not the computers) with disinfectant, and left the studio alone for a while. Our publisher stayed away all day Saturday, too, and while he wasn’t cured, his months-long condition did not worsen.

Today we came back into the studio and looked again, and found: mold! Not as much, but in the same places. This appears to be the explanation we’ve been seeking. The drainage problem is not just a cooling nuisance; it’s causing mold to grow in the heat pump, which then puts it into the air in the studio. The more time you spend in the studio, the sicker you get. That’s why our publisher, who usually spends at least 12 hours a day in the studio, has been sick to the point of getting emergency chest X-rays – but other staff members, who have been here this summer for a maximum of 40 hours per week, leave the studio and only feel like there’s some kind of small allergy issue.

So with family and friends today, we got serious about it – we took the cursed appliance out of the studio and found enough crud inside it to make you think it hadn’t been cleaned in a year – instead of four weeks ago, the last time we did it. (We would have posted pictures of this disgusting thing, but we remembered that we like you too much to make you look at them.)

The unit was new in 2001, replacing a 20-year-old model, and upon very close examination, it appears to have been designed for a slightly different carrier housing: unless it’s tilted backward on at least a 20° angle, there’s just no way water can drain from it. When the weather didn’t make the air conditioner work so hard, it never came up. This summer, with it extracting gallons of water per day from the surrounding air, its collection tray became full and stayed that way – warm, wet, and dark. No wonder critters grew!

Last time we had it out for inspection (and the time before that, with the certified repair person here), we thought we just weren’t seeing the holes in the bottom where the water should drain out. Today, we confirmed: there are no drainage holes. So we made some, right at the bottom, right where the water should be draining out anyway. In our test with clean water, they seemed to work fairly well. (No heat pump or A/C drains bone-dry, but neither should it have 3 gallons of standing water in it 24/7.)

We thoroughly cleaned every surface (including a previously-hidden filter), disinfected everything, and have reinstalled it in the studio. Meanwhile, since the temperature today in the Crossroads of America is a balmy 72°, we’re taking the opportunity to air out the entire building, front to back and side to side. Since it rained most of yesterday, there’s not a lot of crud in the air to replace the mold, so it’s a good day for fumigation.

Our publisher is cautiously optimistic, especially since he thinks he was about two days away from hospitalization. We’ll be checking carefully for drainage and recurrences of mold for the next few days, and he’s constantly monitoring to see if he’s feeling any better. But this theory, at least, fits all of the available facts as we know them. The only one that seemed odd was that a week in San Francisco didn’t seem to help the publisher much, but he says that his hotel room kept sneaking in “luxurious down” pillows and comforters even after he asked them to be removed. When you have 15 pillows in a room, figuring out that one of them is making you sneeze is non-obvious. (He says, “15 pillows in a room is not luxury. It’s just annoying.”)

So, we may have our building fixed. Cross your fingers for us.