security posts

Filed under: Apple, Security

Apple Learning Interchange: Security Compromise

Apple is apparently alerting ALI forum members that Learning Interchange account passwords have been compromised. In a message forwarded to us by several TUAW readers, Apple warns that members who commonly use the same credentials on multiple sites may be at risk. If you are an ALI account user, please consider updating any accounts that use identical credentials. Here is the Apple quote that was sent to us.
We recently learned that the security of Apple Learning Interchange (ALI) members' names and passwords may have been compromised. These accounts are limited to accessing the ALI discussion board and do not contain sensitive information such as credit card or social security numbers.

While ALI member names and passwords are not linked to your Apple ID, our records indicate that your ALI member name and Apple ID are the same. For this reason we strongly recommend that you change your Apple ID password as well as any others that might have the same name and password combination.

At the time of posting, the ALI site (also linked to in the Source link) is unavailable. We do not have confirmation from Apple about this situation, although we have contacted them for a statement.

Filed under: Tips and tricks, Internet, Security, TUAW Tips

Staying Safe: securing your wireless connection

Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post.

This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.

What many users don't realize is that even though the server you are connecting to (e.g., your bank's website) may employ several layers of security, the connection between your computer and the wireless access point is very likely to be unsecured. Anyone who is within range of your computer can trivially monitor the traffic being sent between your computer and the access point, allowing them to see what websites you may be visiting or capture details about other services that you may be connected to. This isn't because of some gaping vulnerability or software bug; it's just an inherent part of how wireless networks work.

So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.

Continue reading: Staying Safe: securing your wireless connection

Filed under: Software, WWDC, Developer, iPhone

WWDC Live: Joe Michels of Software Ops

This is video from a fast-paced chat with Joe Michels of Software Ops, creator of several iPhone apps. His lineup includes several applications for secure storage of information, such as My Eyes Only (iTunes link) and ID Lock (a "lite" version of My Eyes Only). There's also Aerochive on the Mac desktop, which allows wireless archiving and visualization of the information stored in the iPhone apps, which can include credit cards, passwords and notes, among other things. With your data fully encrypted and password protected, Joe's stated mission is to keep your info safe and away from prying eyes.

Joe also mentions an upcoming application, called My Eyes Only Photo, which brings My Eyes Only security to photo storage and browsing. There are screenshots of the soon-to-be-released application up on the Software Ops site. Check out the video to hear the developer's take on these apps.

Continue reading: WWDC Live: Joe Michels of Software Ops

Filed under: Analysis / Opinion, Apple Corporate

Apple: Paranoid

Do you remember the teaser ads for the iPhone 3G? Two uniformed guards carried a locked metal crate through a labyrinth of secure tunnels, with keycard points at every door, monitored by security cameras. Turns out the real Apple isn't too far from that, according to Brad Stone and Ashlee Vance at the New York Times.

They cite former employees and analysts who all agree that Apple is, as Gene Munster put it, "a total black box." Apple, in an effort to guard their company's secrets until the day they're launched, have instituted a culture of fear among employees: Loose lips sink ships.

Apple's campus is, according to the article, "a maze of security doors" where employees must swipe their badges and enter codes on numeric keypads -- presumably not only to restrict access, but to serve as a record of who was where if any information does leak out. Many work areas are monitored by closed-circuit TV. According to one unnamed employee, "workers in the most critical product-testing rooms must cover up devices with black cloaks when they are working on them, and turn on a red warning light when devices are unmasked so that everyone knows to be extra-careful."

I've worked in high-security areas before for the U.S. military, and the big difference between the military and Apple is fear. Lots of fear. A secure military workspace is comfortable, but formal: If you catch a glimpse of something you shouldn't, it's not a big deal, just forget what you saw. Apple employees on the other hand, according to the article, are petrified of losing their job, being sued, or both.

In Apple's quiver is another piercing arrow: Misinformation. Piper Jaffray's Gene Munster relates a story of how a high-ranking Apple executive lied to his face about having "no interest in developing a cheap iPod with no screen." Cut to a few weeks later, and Apple releases the iPod shuffle. Lying business executives are nothing new, and shouldn't be surprising in the least. But while many companies cultivate productive relationships with the media, Apple's is mostly antagonistic. "They don't communicate," Munster said.

Why bother? The thrill. Sure, they're protecting their intellectual property, but it's all about the thrill. They can create these spectacles where they literally unveil a new product in front of a salivating audience -- including Apple employees -- who have never seen anything like it before. It's thrilling. Apple's business hinges on creating products that excite and creating that excitement surrounding them.

They've found a secret formula that works. In the words of Steve Jobs, "there is no theory of protecting content other than keeping secrets."

"The problem, of course, is that there are many smart people in the world, some with a lot of time on their hands, who love to discover such secrets."

Filed under: Security, iPhone

Is voice dialing a security issue?

One of our readers has pointed out that even if you use a password lock on the new iPhone 3G S, the voice dialing functions still work.

It's true. With the phone locked down you can still hold down the home key, and voice dial someone in your contacts list. Some will consider this a feature, and others a bug. If I wanted to make a quick call, it seems it would be nice to bypass the log in. If a thief had your iPhone, he'd have to know the name of someone in your contacts to call them, or just try a lot of guesses.

Then there is the matter of why a criminal would want to call someone on your contact list. "Hi Bob, I just stole this iPhone. Pretty neat, huh?"

If this issue does bother you, Apple has thoughtfully given you the ability to turn voice dialing off, and when you try it with the phone locked the computer voice dutifully warns you that voice dialing is non-functional.

You can't, by the way, turn off iPod voice control. So anyone could pick up your locked iPhone and say "play songs by Tiny Tim", wearing down your battery and offending everyone around them.

Thanks to Mike for pointing this out, but I don't think it's a big issue. Have I missed something? Weigh in with your thoughts.

Filed under: Enterprise, iPhone

Inside iPhone 3.0: Fix too-strict passcode lock settings for Exchange users

If your iPhone was connected to an Exchange server for email, contact or calendar synchronization prior to your upgrade to the 3.0 software, you may have run into the same problem that was bugging me for a day or so: the timeout on the passcode lock gets set to "Immediate," forcing you to enter the code almost every time you pick up the phone. Secure, sure, but very annoying. Going to the usual settings location to adjust the timeout shows no choices other than the insta-lock; what to do?

A thread on the Apple discussions boards points to the answer. Since the ActiveSync link to the Exchange server controls some security policies on the phone, you need to refresh those controls; the easiest way to do that, short of deleting and recreating the Exchange account, is to turn off all three sync modes and the Push setting. Once that's done, you can go back to the passcode lock screen and disable the lock or adjust the timeout. Put your sync settings back the way they were and your changes to the passcode config should remain in place.

While this is an annoying quirk, it's not all gripes and grimaces in the Exchange support department. At long last, users of Exchange calendars can send meeting invitations (hallelujah!); Exchange 2007 users can even view the reply status of attendees. Users can specify additional mail folders for sync, and Exchange 2007 users can search server-side mail from their devices.

For a full rundown on the enterprise-friendly features of iPhone OS 3.0, check out the Enterprise Integration guide via Apple's enterprise features page.

Thanks to everyone who sent this in.

Filed under: Security, iPod touch

3.0 is here, but where's the free security update for iPod touch 2.x?

TUAW reader Jim Carroll is worried: "It is crunch time for your site," he warned ominously in an email yesterday.

Jim is worried that security updates made available via the iPhone OS 3.0 updates last week will only be available to iPod touch users through the obligatory $10 upgrade. "Please use your power as an Apple site to raise the issue." Please, Jim. We're blushing.

"As a long time computer user I am unaware of a similar incident where a company would charge for security updates," he writes. Companies charge money for updates all the time -- operating systems and anti-virus software take time and energy to make, and companies want to get their investment back. Apple has been kind with free updates to Safari, but only because they gain revenue from it via the Search bar.

Apple has always charged iPod touch users for major updates, of course, but security updates have most often come free. 1.0.1, 1.1.2, 1.1.3, 1.1.5, 2.1, and 2.2 all included security fixes, but were free to iPod touch users. (The latter two cases were free for those who bought the 2.0 update.)

1.1.5 is an interesting case. It was released a few days after the 2.0 update, and included security updates that were wrapped into the 2.0 update.

My advice? Have patience. This coming week or next, I have confidence we'll see an update for 2.x (2.2.2 perhaps?) that leaves out the new features, but includes the same security updates found in 3.0 at about $9.95 less.

We're also beginning to hear whispers of a 3.0.1 update for the device to help resolve WiFi issues in the new release; a German iPod user reports being told by an AppleCare representative that an update is expected shortly. Take that with the appropriately sized grain of salt.

Thanks, Jim & Oboewan!

Filed under: Software, Mac 101

Mac 101: Locking your Mac with a hotkey, like you can with Windows

One of the things that confused me the most when I switched to the Mac platform was the fact that there's no built-in way to lock the computer manually with a hotkey when walking away from it. This is something that was drilled into me from working in an office full of pranksters where leaving your computer unlocked was virtually a guarantee that you would be hosting a party for all of your co-workers that coming weekend.

It turns out that this is an oversight in Mac OS X, and a 3rd party utility is required to be able to lock your computer with a hotkey. For a simple solution I would suggest installing a very basic preferences pane called LockTight.

LockTight does exactly what you're looking for: assign a specific hotkey that when pressed will lock your Mac, requiring a password to unlock it if you have it configured to require a password to wake from sleep or screen saver (which you should).

Update: Reader Chad reminds us that if you actually want your machine to go to sleep with a keystroke (as opposed to simply locking the screen) you can use the Option-Cmd-Eject key combo.

[via Lifehacker]

Filed under: iPhone, MobileMe

Find My iPhone: If only I could find myself so easily ...


Mel gave you the instructions for how to set it up... but dear reader, we're going to go in-depth into the features of using MobileMe's Find My iPhone to see how well it works in locating and securing your phone from a remote location -- including performing a voluntary wipe.

Locating where your phone is via map
When you bring up the Find My iPhone page in MobileMe, the first thing you will see is a map giving the approximate location of your phone. As indicated above, my phone is somewhere inside of my apartment. Because the map is powered by Google, you can toggle it among plain map, satellite, and hybrid views of the location. However, the feature won't give off an exact address. So, if you happened to leave your phone inside of a shopping center complex, you'll still have to visit each store to track down the phone.

Read on for more into Find My iPhone's features ...

Continue reading: Find My iPhone: If only I could find myself so easily ...

Filed under: Cool tools, Tips and tricks, Odds and ends, Security, iPhone

Find my iPhone: How to set it up

With all the excitement about iPhone version 3.0, there isn't a lot of help on how to set up one of the most unique features of the upgrade, Find my iPhone.

If you're having trouble, here are the steps. First, the service has to be turned on. You do that in your iPhone settings. Under email accounts, select your MobileMe info. You'll get to a page that has an on/off switch for Find my iPhone. Turn it on.

After that, you must be in your MobileMe web page. Sign in. At first glance, you won't see anything. You have to click on the accounts icon, and you should see a Find my iPhone icon at the bottom of the account settings. You can then decide to find your iPhone on a map, send it a message, or remote wipe it. I found the map pretty accurate, as I have a metal roof on the house that plays hell with GPS and cell signals. I sent a test message. That worked fine, and I received an email confirmation that the message was sent to the phone. I didn't try the remote wipe. I've spent enough time today downloading and uploading iPhone software and data.

Note: Apple MobileMe servers are a bit spotty today. It took me a couple of tries to get into my account options.

Find my iPhone is a powerful new feature. I hope I never need to use it.

Here's what the icon looks like on the MobileMe page:

Filed under: Security

Java vulnerability in Mac OS X finally patched

It's been a long wait. Fire up Software Update and you should see Java for Mac OS X 10.5 (or 10.4) update 4. This update closes a vulnerability first discussed in August of last year; it was patched by Sun and most other JVM developers months ago.

Apple's sluggishness on fixing this security issue could have allowed attackers to run arbitrary applications or processes on your machine if you visited a webpage hosting a malicious Java applet. The vulnerability was pointed out in graphic fashion by security researcher Landon Fuller.

Fuller took the exploit code that was circulating in the wild and built a proof of concept page that would run an innocuous program (the command-line 'say' utility) from a rigged Java applet; after the ensuing publicity, less than a month later, we have a patch.

Once you've updated, if you took the precaution of disabling Java in your browser settings, you can feel free to go ahead and turn it back on... although, if you haven't missed it, no need to change anything.

Thanks to everyone who sent this in.


[via Glenn Fleishman / TidBITS]

Filed under: Software, Security

Microsoft releases Office 2008 12.1.9 to patch Word vulnerability

There's a new patch in town. Microsoft Office 2008 was updated today to protect against two privately-reported vulnerabilities in the handling of Word files; these security risks could have allowed an attacker to execute arbitrary code on your machine. The update also patches Entourage 2008 to prepare for the Web Services edition of the mail and PIM app.

The 154 MB/268 MB (delta or combo) update is available through Microsoft's AutoUpdate tool or via direct download.

Filed under: Peripherals, Software, Features, How-tos, Odds and ends, Security, MacBook Air, MobileMe

9 things I learned from almost losing my MacBook Air


I swear, getting old is not a lot of fun.

Last night, I taught a class in data security for home and small business users at our local community college. There were a lot of good questions from the community education program students, so the class ended quite late and I was still answering questions as I walked out the door.

This morning, I went to grab my MacBook Air out of my laptop bag and literally grabbed air instead. In my haste to get out of the classroom and head home, I had packed everything but the laptop. Fortunately, the classroom was locked and few classes are scheduled for early morning, so I called the campus police and had them rescue the MBA for me. Problem solved!

After actually losing an iPhone 3G a few months ago, I wrote a post about what to do to prevent data loss and identity theft when you lose your iPhone, and included a few tips on how to hopefully keep yourself from losing the phone in the first place. In this post, I'll talk about the things that I do (or can do) to keep my MacBook Air and my data safe, even when my mind conspires against me to try to lose the computer.

Continue reading: 9 things I learned from almost losing my MacBook Air

Filed under: Software, iPhone, App Store, iPod touch, First Look

TUAW First Look: 1Password touch 2.0 for iPhone and iPod touch

Agile Web Solutions, developer of the 1Password secure password manager for Mac, has announced the release of 1Password touch 2.0 for iPhone and iPod touch. The app, which is available through Friday, June 5th as a free download, is much improved over the previous versions and includes new functionality as well.

I downloaded and installed 1Password touch 2.0 [App Store] yesterday and was pleased to see that some previous issues have been resolved. The app now launches much faster, and the user interface has been improved for adding logins, passwords, and notes.

One of the biggest improvements is in how 1Password touch handles wallet items. These are things like driver's licenses, bank account numbers, internet account information, or other information that you may need to have at your fingertips, but would like to have secured behind AES-128 encryption on your iPhone. Previously, you couldn't add or edit wallet items on your iPhone; now you can.

WiFi Sync is now available as well (replacing the previous sync functionality, which was branded differently). You need to be running 1Password for Mac version 2.9.16 or later, as well as 1Password touch 2.0 or later. The sync is very fast, and it makes moving password and wallet information between your Mac and iPhone a piece of cake.

If you don't currently have a secure password manager for your iPhone, or if you're not happy with the one currently installed on your device, be sure to download 1Password touch for free during the next few days. Check out the gallery below for some screenshots of the new version.

Filed under: Software, Security

Government / Military Mac users get PIV single sign-on from Thursby

Thursby Software is a longtime Mac development firm (since 1986) that has always had a mission: integrating Macs as full players in mixed-OS environments. While Mac OS X has gone a long way toward improving the situation of Mac users in predominantly Microsoft environments, there are still situations where third-party software may be required. Thursby's ADmitMac line of software is specifically designed to ease Mac integration into Microsoft Active Directory (AD) environments.

Thursby's ADmitMac for PIV integrates US Government FIPS 201 Personal Identity Verification (PIV) with Macs. ADPIV, as the product is known, allows single sign-on with a PIV card. It verifies the PIV card against a centralized authority, obtains Kerberos tickets using PIV certificates and then makes those tickets available to Kerberized applications, and securely locks the Mac upon removal of the PIV card.

ADPIV also allows password-free access to Exchange servers by providing authentication to those servers. ADPIV is currently available at the introductory price of US$149, with discounts available for larger quantities.

Tip of the Day

Holding the Command key (aka the Apple key) and pressing Tab will cycle through your open applications. It's easier to Cmd-Tab if you are Copy (Cmd-C) and Pasting (Cmd-V) to and from various applications.

