
Filed under: Security

Filed under: Apple, Security

Apple Learning Interchange: Security Compromise

Apple is apparently alerting ALI forum members that Learning Interchange account passwords have been compromised. In a message forwarded to us by several TUAW readers, Apple warns that members who use the same credentials on multiple sites may be at risk. If you have an ALI account, change the password on every other account that shares that user name and password, starting with your Apple ID if it uses the same name. Here is the Apple quote that was sent to us.
We recently learned that the security of Apple Learning Interchange (ALI) members' names and passwords may have been compromised. These accounts are limited to accessing the ALI discussion board and do not contain sensitive information such as credit card or social security numbers.

While ALI member names and passwords are not linked to your Apple ID, our records indicate that your ALI member name and Apple ID are the same. For this reason we strongly recommend that you change your Apple ID password as well as any others that might have the same name and password combination.

At the time of posting, the ALI site (also linked to in the Source link) is unavailable. We do not have confirmation from Apple about this situation, although we have contacted them for a statement.

Filed under: Tips and tricks, Internet, Security, TUAW Tips

Staying Safe: securing your wireless connection

Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post.

This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.

What many users don't realize is that even though the server you're connecting to (your bank's website, say) may employ several layers of security, the radio link between your computer and the wireless access point is often not encrypted at all. Anyone within range can trivially record the traffic between your computer and the access point. Whatever you send in the clear (plain HTTP pages, e-mail over IMAP or POP without SSL, instant messages) is readable as-is, logins and session cookies included. Traffic that is itself encrypted, such as an HTTPS session with your bank, stays unreadable, but the eavesdropper still sees which hosts you connect to and when. None of this is a gaping vulnerability or software bug; it's just an inherent part of how open wireless networks work.
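To make that concrete, here is an added example (my code, not part of the original post) that does what a passive listener on an open network does: it takes the first bytes of a captured TCP payload and reports what is recoverable. A plain-HTTP login gives up the user name, password and session cookie; the opening of an HTTPS connection gives up only the server name carried in the TLS ClientHello. The two sample payloads, and the hosts mail.example.com and online.bank.example, are constructed for the example; nothing touches the network.

```python
"""Added example, not code from the TUAW post: what a passive listener on an
open Wi-Fi network recovers from two kinds of captured TCP payloads.
Both sample payloads are constructed here; nothing touches the network."""
import base64
import struct
from urllib.parse import parse_qs

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def inspect_http(payload: bytes) -> dict:
    """Plaintext HTTP: the sniffer reads everything, credentials included."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    seen = {"kind": "http", "host": headers.get("host"), "method": method,
            "path": path, "cookies": headers.get("cookie"),
            "credentials": {}, "form": {}}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        seen["credentials"] = {"user": user, "password": password}
    if body and "x-www-form-urlencoded" in headers.get("content-type", ""):
        seen["form"] = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return seen


def inspect_tls(payload: bytes) -> dict:
    """TLS ClientHello: walk the handshake to the server_name extension.
    The host name is the only application-layer fact exposed; the login
    that follows travels inside the encrypted session."""
    # record header 5 bytes, handshake header 4 bytes, then version + random
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return {"kind": "tls", "sni": None}
    pos = 9 + 2 + 32
    pos += 1 + payload[pos]                                   # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                                   # compression
    if pos + 2 > len(payload):
        return {"kind": "tls", "sni": None}                   # no extensions
    end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return {"kind": "tls",
                    "sni": payload[pos + 5:pos + 5 + name_len].decode("ascii")}
        pos += ext_len
    return {"kind": "tls", "sni": None}


def what_an_eavesdropper_sees(payload: bytes) -> dict:
    """Dispatch on the first bytes of a captured TCP payload."""
    if payload.startswith(HTTP_METHODS):
        return inspect_http(payload)
    if payload[:1] == b"\x16":
        return inspect_tls(payload)
    return {"kind": "unknown"}


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello with one cipher suite
    and an SNI extension, as the first packet of an HTTPS connection carries."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (struct.pack("!H", 0x0303) + bytes(32)       # version, client random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a webmail login over plain HTTP, the same site with
# HTTP Basic auth, and the opening of an HTTPS connection to a bank.
PLAIN_HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: mail.example.com\r\n"
                    b"Cookie: session=abc123\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 31\r\n\r\n"
                    b"username=alice&password=hunter2")
BASIC_AUTH_REQUEST = (b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
                      b"Authorization: Basic " + base64.b64encode(b"bob:s3cret")
                      + b"\r\n\r\n")
HTTPS_TO_BANK = build_client_hello("online.bank.example")

if __name__ == "__main__":
    for sample in (PLAIN_HTTP_LOGIN, BASIC_AUTH_REQUEST, HTTPS_TO_BANK):
        print(what_an_eavesdropper_sees(sample))
```

Run it and the first two samples print the user names and passwords in full, while the HTTPS sample yields nothing but `online.bank.example`. That is exactly the difference between "the site is secure" and "the connection is secure": only encryption that your own computer applies before the bytes leave the Wi-Fi card protects you on an open network.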

So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.


Filed under: Accessories, Peripherals, Internet Tools, Security

Pogoplug adds journaled HFS+ support

When I wrote about Pogoplug earlier this month, journaled HFS+ support was missing in action. That was a shame, since it's the most common drive format for Mac users.

Pogoplug is a network drive adapter coupled with a web service that allows you to access a personal drive from anywhere on the Internet without having to worry about firewalls and other security issues. You plug a drive into the Pogoplug, connect the unit to power, and you can securely access that data no matter where you are, from your laptop, another computer, or from an iPhone.

Today, Pogoplug has announced support for journaled HFS+ formatted drives. You can now plug in almost any drive formatted for use on the Mac and it'll work with Pogoplug. That's great, because the last few times I dredged up Disk Utility (from /Applications/Utilities), it was to re-format drives to use with the Pogoplug system. (You can also turn off journaling from the Terminal, if you're so inclined, via the 'diskutil' command.)

What's particularly cool is that Pogoplug is currently working on developing remote backup assistance. They don't support Time Capsule yet, but the Pogoplug developers say they're working on having "the Pogoplug play nice with [Time Capsule and other remote storage devices] and allow our users to back up to their home drives automatically and regularly."

Being able to set up off-site backup drives with just a simple plug-and-go sounds like an awesome business opportunity for anyone with a central router and a whole bunch of USB hubs. But even if you're setting up your off-site backup at your sister-in-law's ("Sure, go ahead and plug in that...um...thing. Can I take it out if I need to vacuum?"), that's a fine way to keep your backups physically remote from your primary computing space. At just $99 plus the cost of a hard drive (the lifetime service is included free), a bargain.

Filed under: Security, iPhone

Is voice dialing a security issue?

One of our readers has pointed out that even if you use a passcode lock on the new iPhone 3G S, the voice dialing functions still work.

It's true. With the phone locked you can still hold down the home button and voice dial someone in your contacts list. Some will consider this a feature, others a bug. If I wanted to make a quick call, it would be nice to bypass the passcode. A thief with your iPhone would have to know the name of someone in your contacts to call them, or just try a lot of guesses.

Then there is the matter of why a criminal would want to call someone on your contact list. "Hi Bob, I just stole this iPhone. Pretty neat, huh?"

If this issue does bother you, Apple has thoughtfully given you the ability to turn voice dialing off, and when you try it with the phone locked the computer voice dutifully warns you that voice dialing is non-functional.

You can't, by the way, turn off iPod voice control. So anyone could pick up your locked iPhone and say "play songs by Tiny Tim", wearing down your battery and offending everyone around them.

Thanks to Mike for pointing this out, but I don't think it's a big issue. Have I missed something? Weigh in with your thoughts.

Filed under: Security, iPod touch

3.0 is here, but where's the free security update for iPod touch 2.x?

TUAW reader Jim Carroll is worried: "It is crunch time for your site," he warned ominously in an email yesterday.

Jim is worried that security updates made available via the iPhone OS 3.0 updates last week will only be available to iPod touch users through the obligatory $10 upgrade. "Please use your power as an Apple site to raise the issue." Please, Jim. We're blushing.

"As a long time computer user I am unaware of a similar incident where a company would charge for security updates," he writes. Companies charge money for updates all the time -- operating systems and anti-virus software take time and energy to make, and companies want to get their investment back. Apple has been kind with free updates to Safari, but only because they gain revenue from it via the Search bar.

Apple has always charged iPod touch users for major updates, of course, but security updates have most often come free. 1.0.1, 1.1.2, 1.1.3, 1.1.5, 2.1, and 2.2 all included security fixes, but were free to iPod touch users. (The latter two cases were free for those who bought the 2.0 update.)

1.1.5 is an interesting case. It was released a few days after the 2.0 update, and included security updates that were wrapped into the 2.0 update.

My advice? Have patience. This coming week or next, I have confidence we'll see an update for 2.x (2.2.2 perhaps?) that leaves out the new features, but includes the same security updates found in 3.0 at about $9.95 less.

We're also beginning to hear whispers of a 3.0.1 update for the device to help resolve WiFi issues in the new release; a German iPod user reports being told by an AppleCare representative that an update is expected shortly. Take that with the appropriately sized grain of salt.

Thanks, Jim & Oboewan!

Filed under: Cool tools, Tips and tricks, Odds and ends, Security, iPhone

Find my iPhone: How to set it up

With all the excitement about iPhone version 3.0, there isn't a lot of help on how to set up one of the most unique features of the upgrade, Find my iPhone.

If you're having trouble, here are the steps. First, the service has to be turned on. You do that in your iPhone settings. Under email accounts, select your MobileMe info. You'll get to a page that has an on/off switch for Find my iPhone. Turn it on.

Next, sign in to your MobileMe web page. At first glance you won't see anything new. Click on the account icon, and you should see a Find my iPhone icon at the bottom of the account settings. From there you can locate your iPhone on a map, send it a message, or remote wipe it. I found the map pretty accurate, as I have a metal roof on the house that plays hell with GPS and cell signals. I sent a test message. That worked fine, and I received an email confirmation that the message was sent to the phone. I didn't try the remote wipe. I've spent enough time today downloading and uploading iPhone software and data.

Note: Apple MobileMe servers are a bit spotty today. It took me a couple of tries to get into my account options.

Find my iPhone is a powerful new feature. I hope I never need to use it.


Filed under: Security

Java vulnerability in Mac OS X finally patched

It's been a long wait. Fire up Software Update and you should see Java for Mac OS X 10.5 (or 10.4) update 4. This update closes a vulnerability first discussed in August of last year; it was patched by Sun and most other JVM developers months ago.

Until it was patched, the flaw allowed an attacker to run arbitrary applications or processes on your machine, with your user's privileges, if you visited a webpage hosting a malicious Java applet. The vulnerability was demonstrated in graphic fashion by security researcher Landon Fuller.

Fuller took the exploit code that was circulating in the wild and built a proof of concept page that would run an innocuous program (the command-line 'say' utility) from a rigged Java applet; after the ensuing publicity, less than a month later, we have a patch.

Once you've updated, if you took the precaution of disabling Java in your browser settings, you can feel free to go ahead and turn it back on... although, if you haven't missed it, no need to change anything.

Thanks to everyone who sent this in.


[via Glenn Fleishman / TidBITS]

Filed under: Software, Security

Microsoft releases Office 2008 12.1.9 to patch Word vulnerability

There's a new patch in town. Microsoft Office 2008 was updated today to protect against two privately-reported vulnerabilities in the handling of Word files; these security risks could have allowed an attacker to execute arbitrary code on your machine. The update also patches Entourage 2008 to prepare for the Web Services edition of the mail and PIM app.

The 154 MB/268 MB (delta or combo) update is available through Microsoft's AutoUpdate tool or via direct download.

Filed under: Peripherals, Software, Features, How-tos, Odds and ends, Security, MacBook Air, MobileMe

9 things I learned from almost losing my MacBook Air


I swear, getting old is not a lot of fun.

Last night, I taught a class in data security for home and small business users at our local community college. There were a lot of good questions from the community education program students, so the class ended quite late and I was still answering questions as I walked out the door.

This morning, I went to grab my MacBook Air out of my laptop bag and literally grabbed air instead. In my haste to get out of the classroom and head home, I had packed everything but the laptop. Fortunately, the classroom was locked and few classes are scheduled for early morning, so I called the campus police and had them rescue the MBA for me. Problem solved!

After actually losing an iPhone 3G a few months ago, I wrote a post about what to do to prevent data loss and identity theft when you lose your iPhone, and included a few tips on how to hopefully keep yourself from losing the phone in the first place. In this post, I'll talk about the things that I do (or can do) to keep my MacBook Air and my data safe, even when my mind conspires against me to try to lose the computer.


Filed under: Software, Security

Government / Military Mac users get PIV single sign-on from Thursby

Thursby Software is a longtime Mac development firm (since 1986) that has always had a mission: integrating Macs as full players in mixed-OS environments. While Mac OS X has gone a long way toward improving the situation of Mac users in predominantly Microsoft environments, there are still situations where third-party software may be required. Thursby's ADmitMac line of software is specifically designed to ease Mac integration into Microsoft Active Directory (AD) environments.

Thursby's ADmitMac for PIV integrates US Government FIPS 201 Personal Identity Verification (PIV) with Macs. ADPIV, as the product is known, allows single sign-on with a PIV card. It verifies the PIV card against a centralized authority, obtains Kerberos tickets using PIV certificates and then makes those tickets available to Kerberized applications, and securely locks the Mac upon removal of the PIV card.

ADPIV also allows password-free access to Exchange servers by providing authentication to those servers. ADPIV is currently available at the introductory price of US$149, with discounts available for larger quantities.

Filed under: Software, Security

Meerkat 1.2, 100% more AppleScript support

If you work from non-secure networks (coffeehouses, airports, hotels, etc.), or if you've ever wanted to get around a firewall (YouTube or TUAW blocked at work?), you may be familiar with SSH tunneling. It's come up more than once here on TUAW. It routes your Internet traffic through an encrypted connection to an SSH server you trust, so nobody on the local network can read or tamper with it; from the server onward your traffic travels as it normally would, so pick a server on a network you trust. Once set up, the process is transparent (you don't have to think about it). It's typically handled via a shell command, but some GUI-based programs can make life a lot easier -- both for the less technically-inclined, and for those who want to handle multiple tunnels and automation.

Enter Meerkat, the SSH tunnel tool with the friendly face. I mentioned Meerkat about a year ago, and apparently things have been busy at the Code Sorcery Workshop since that release. The latest version of Meerkat -- version 1.2 -- sports an array of new features, from AppleScript support to a command line utility, as well as improvements to existing features like Bonjour sharing and the tunnel editing interface. I've been using the previous version for quite some time now, and I can say that this version adds some great features to an already great application.

AppleScript support means automation, and Meerkat plays well with location managers like NetworkLocation (a plugin is available on the Meerkat page), or any location manager which can run AppleScripts or shell commands. With such a setup, you can have your system automatically detect a change in networks and set up specific tunnels depending on your location. I won't go into the details of location managers right now, but it's something to look into for laptop owners on-the-move.

Additional features, including Application Triggers, Bonjour support and automatic reconnect for dropped tunnels all make Meerkat a valuable tool. At a current price of $19.95US, Meerkat provides features for a spectrum of users, from the Tunnel Setup Assistant for newbies, to advanced automation possibilities for veteran SSH'ers. I'd be negligent if I didn't mention at least one similar app in the freeware realm: SSHTunnel is a nice, easy-to-use GUI for setting up and managing tunnels. It lacks some of the automation and integration capabilities, but is a definite must-see if you're not ready to fork out for something more full-featured.

A trial of Meerkat is available for download, and a license can be purchased for $19.95US.

Filed under: Bad Apple, Security

Mac OS X Java security hole exposed

You know, it's fine to make the argument that "Macs are safer than Windows-based PCs," because in real-world usage, this is generally true. Nothing does more to undermine that argument, however, like a five-month old unpatched Java vulnerability.

As Landon Fuller has pointed out, a potentially nasty Java vulnerability remains unpatched in Mac OS X, including in last week's OS X 10.5.7 update. Essentially, a malicious applet can escape the Java sandbox and run arbitrary commands with whatever permissions the logged-in user has. So just by visiting a website, you could be allowing malicious software to run commands on your system. Not cool. Not cool at all.

The flaw was reported in August of 2008, and Sun issued its own fix for it back in December.

So, five months, two point OS updates, one Java update in February and still, Apple hasn't patched the hole on their end.

Can I just say, "WTF?" I mean, seriously, get on the ball Apple. You only have $20 billion in cash, maybe investing in a bunch of full-time security patchers for your operating system would be a worthwhile investment!

Julien Tinnes has some excellent commentary on the exploit here. As Landon says on his blog, all users are advised to disable Java applets in their browsers and disable "open safe files after downloading" in Safari. You should also consider using a SSB (site-specific browser) for any Java-crucial web work (see below).

Of course, being forced to disable Java applets just so one can ensure safety kind of puts Mac users who, I don't know, use a web-based SSL VPN client to connect to work systems or e-mail in a bind.

And, let the flogging from the Apple-haters commence.

Filed under: Odds and ends, Security, MobileMe

Beware of MobileMe phishing scam

Several TUAW readers have contacted us about a MobileMe phishing scam. These readers are getting an email that looks surprisingly official (see below). When they click on the Log In button, they're going to a page that has already been shut down. That might not always be the case.

Never, never, NEVER click on a link or button in an email asking for personal or financial information -- that's a sure way to become a victim of a phishing scam. If you receive a note like this, log into your MobileMe account and update your billing info directly, if it really needs to be updated. Do NOT click on the button.

A couple of quick ways to see where a link or button in an email will really take you: hover your mouse over the link to see the actual URL, or right-click the button and select Properties from the menu to see the URL embedded in it. Remember that the text you see and the address underneath can say completely different things, and that a look-alike such as me.com.something-else.example is not me.com. Be careful out there, folks -- there are a lot of unscrupulous people who would love to take all of your money.
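For the curious, here is an added example (my code, not part of the original post or anything from Apple) that does the hovering for you: it pulls every link out of an HTML e-mail, compares where the link says it goes with where it actually goes, and flags the usual phishing tells. The sample e-mail is constructed in the style of the scam described above; the hosts in it and the list of "trusted" domains (me.com, apple.com) are assumptions for the example, and the domain-splitting is a deliberate simplification.

```python
"""Added example, not from the TUAW post: list every link in an HTML e-mail
and report where it really goes, the automated version of hovering over each
link before clicking. The sample e-mail is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the domains a genuine MobileMe mail links to.
TRUSTED_DOMAINS = {"me.com", "apple.com"}
# Visible link text that itself looks like a URL or a bare host name
URL_LIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: real code would consult
    the Public Suffix List so that names like example.co.uk come out right."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href: str, text: str) -> list:
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append(f"not https ({parts.scheme or 'no scheme'})")
    if parts.username is not None:
        reasons.append(f"text before @ is not the host; the host is {host}")
    if host and host.replace(".", "").isdigit():
        reasons.append("bare IP address instead of a host name")
    dom = registrable_domain(host)
    if dom not in TRUSTED_DOMAINS:
        reasons.append(f"host {host} is not a trusted domain")
        if any(t in host for t in TRUSTED_DOMAINS):
            reasons.append("trusted brand name used as a decoy subdomain")
    shown = URL_LIKE.match(text)
    if shown and registrable_domain(shown.group(1)) != dom:
        reasons.append(f"shows {shown.group(1)} but goes to {host}")
    return reasons


def audit_email(html: str) -> dict:
    """Map each href in the mail to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample in the style of the reported scam: the Log In button
# and the "www.me.com" link both lead to attacker-controlled hosts.
SAMPLE_EMAIL = """<html><body>
<p>Your MobileMe billing information could not be verified.</p>
<p><a href="http://me.com.billing-update.example/login">Log In</a></p>
<p>Or visit <a href="https://203.0.113.7/me">www.me.com/account</a></p>
<p>Questions? <a href="https://www.apple.com/support/mobileme/">Apple Support</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "looks consistent")
```

Only the genuine apple.com support link comes back clean. The Log In button fails on three counts (plain http, an untrusted domain, and "me.com" planted as a decoy subdomain), and the link whose visible text reads www.me.com actually goes to a bare IP address. None of this replaces the advice above; it just shows how little of the scam survives once you look at the real URL instead of the text on top of it.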

A tip of the hat to Noah for supplying the screenshot!

Filed under: Apple, Security

Apple lands OLPC security whiz -- more secure products on the way?

Twitter tipster Rich Mogull of TidBITS provided us with a ping pointing to ZDNet's Zero Day page, where blogger Ryan Naraine broke some good news today.

The news? The ex-director of security architecture for the One Laptop Per Child project, Ivan Krstic (at right), has gone to work for Apple. He'll be focusing his attention on core operating system security.

Krstic's innovative Bitfrost security specification, part of the overall OLPC initiative, is designed to contain malware by running every program on the computer in its own isolated environment with only the permissions that program needs. A compromised program is thus unable to spy on user keystrokes, futz with other programs' files, or steal data beyond what it was granted.

According to a 2007 article by Naraine, Bitfrost has five primary goals, all of which are targeted at making the OLPC one of the most secure platforms available:
  • No user passwords -- the security of the device cannot depend on the user's ability to remember a password
  • No unencrypted authentication -- no cleartext passwords, no use of Ethernet MAC addresses for authentication
  • Out-of-the-box security -- The device should be secure out of the box, without the need to download security updates if at all possible
  • Limited institutional Public Key Infrastructure -- Don't rely on public keys to validate the identity of device owners
  • No permanent data loss -- Information is to be replicated to some centralized storage place so it can be recovered if the device is stolen, destroyed, or lost
While we may not know what the far-reaching implications of Krstic's work at Apple may be for a while, we can only hope that his hiring points to much more secure Apple products in the future.

Filed under: Software, Productivity, Internet, Security

Backblaze for Mac officially launches

Back in December, online backup company Backblaze launched a private beta of its service for Mac users. Like its Windows counterpart, the Backblaze subscription service is $5 US a month (or $50 US a year) for unlimited backup space. Today, the company is officially launching its service for Mac users, along with an updated client, better support for external drives and enhanced recovery options.


Configuration and setup

Just like in the beta, Backblaze remains extremely easy to set up and use. You just install the program (by default it will run in the background, though you can change this), enter your e-mail address and password, and it will start backing up your files. The default setting has Backblaze running any time it finds an available internet connection. The backup process is constant and Backblaze stores multiple versions of a file for 30 days (so if you are frequently changing a document or spreadsheet, 30 days worth of revisions are saved to Backblaze).

If you want to remove Backblaze, the company has made the uninstall process easier and more intuitive. There is now an uninstaller built into the install DMG image, just double-click on Uninstall (right next to the install option) and you can take Backblaze off your system. If you trash the DMG, just download it again off the Backblaze web site for easy removal.

Backblaze won't back up your Applications (though it will back up what's in your user Library folder, so many of your application settings remain covered), but it will back up your photos, movies, audio files as well as things like your iPhoto or Aperture database, various documents, and more. By default, *.ISO, *.exe and *.DMG files are excluded from the backup file type list, but you can remove most of those extensions (*.ISO cannot be removed) if you want to back up that information.

The maximum single file size is still 4 GB, but that doesn't mean your iPhoto or Aperture libraries aren't safe: those libraries are actually just folders containing lots of smaller individual files, which is fine. Individual files over 4 GB in size won't be backed up by Backblaze; you'll need to split them into smaller segments or make alternate arrangements.

