Jonathan Hue concludes his firewalls article from last week, we report on another expiring program, and discover a new source of Internet provider information. Mark Anbinder looks at a potentially dangerous bug in older Hard Disk ToolKit versions; Apple gives Cool Tools Awards to eleven worthy individuals and organizations; and David Herren offers help on using System 7.5 with the Chinese or Japanese Language Kits (and a tip on System 7.5 installations).
This issue of TidBITS sponsored in part by:
"A" is for "Expire" -- Bill Fleischmann <firstname.lastname@example.org> reports that yet another company whose name starts with "A" has announced a problem with a shipping commercial program expiring. ACI US announced that 4D Calc 1.2.1 stopped working on 01-Oct-94. ACI US has placed a fixed version with the name 4DCALC.121 in the 4D Modules library on CompuServe (GO ACIUS). No word on Internet distribution. [ACE]
ACI US -- 408/252-4444
Paul Celestin <email@example.com> writes:
The Providers of Commercial Internet Access (POCIA) Directory contains hundreds of entries for Internet providers, which include addresses, telephone numbers, email addresses, and pricing. It is indexed by area code (for the U.S. and Canada) and by country (for the rest of the world). POCIA is available at the following Web and FTP sites:
If you are an Internet access provider and would like to be listed, email Paul Celestin at <firstname.lastname@example.org>.
[Note that rather than duplicate effort, I gave Paul the information Internet providers sent me for the second edition of Internet Starter Kit for Macintosh, and although I'll continue to work with him on the list, please send Internet provider information to Paul. -Adam]
RSI Redux -- A recent experience reminded me of my repetitive stress injuries. I participated in a Wired online conference on America Online, and after typing rapidly for an hour, my left hand hurt for several days, so much that I wore my wrist brace in bed for a few nights. It's more or less back to normal now, but it was scary to fall back so quickly, and those of you experiencing problems or recovering, please, be careful. There's a new Web page with good RSI information, along with pictures and even a few MPEG movies - perhaps this is a good time to check it out.
And of course, the RSI Newsletter continues to provide useful information each issue. To subscribe, send email to <email@example.com> with "subscribe rsi" in the body of the message.
Also, to read more about RSI, check out TidBITS-134 (carpal tunnel articles) as well as TidBITS-199 and TidBITS-200 (Handeze gloves information - APS <firstname.lastname@example.org> now carries them, so sizing information is in the APS catalog). [ACE]
Need more toner? Apple has introduced the LaserWriter Pro 810 Extended Capacity Toner Cartridge (item M3602G/A) to replace that printer's original cartridge, offering smaller toner particles, improvements in the charging area, and longer page life. (The cartridge prints an average of 13,000 letter size pages at five percent coverage, as opposed to 12,000 pages for the original.) When Apple took the LaserWriter Pro 810 off suspension earlier this year (see TidBITS-233) the company announced plans to offer an improved toner cartridge at a later time; it should be available by the time you read this. [MHA]
New versions of Quicken -- Quicken 5.0 for Macintosh should be available on shelves on 13-Oct-94. New features noted in the Intuit propaganda include a Financial Calendar, which helps with entering repetitive expenses and scheduling recurring transactions, such as computer loans and car payments. Other emphasized features include an Iconbar (yet another program has become a barfly), easier account reconciliation, better online help, better QuickFill (automated typing), and QuickMath (a calculator by any other name), as well as improved tax planning and investment tracking.
To run Quicken 5.0, you need a hard disk and 2 MB RAM under System 6 or 4 MB under System 7. The new version runs on Power Macs in emulation, and the native version should be ready in 1995. It's refreshing to see a new version of a popular program which does not require truck loads of RAM, but I'm disappointed that the native version isn't out yet and that the nifty sounding Quicken Deluxe CD-ROM is only for Windows users. The CD includes the new Quicken 4.0 for Windows, Quicken video tutorials, financial advice, and various high-end financial tools. Quicken costs $49 list, approximately $39 mail order, and upgrades are $29.95 through Intuit or through a $10 rebate coupon in specially marked packages. [TJE]
Intuit -- 800/624-8742 -- 415/322-0573
by Adam C. Engst <email@example.com>
Some time ago, I was telling my grandfather about TidBITS and my books and all the stuff I do on the nets, and he asked, "So is Apple paying you for this?" I admit, I was a bit taken aback. No, they don't pay me, they've never sponsored TidBITS, and there's been little acknowledgment that the work I and every other Macintosh fan does is in any way appreciated, or even noticed. Despite Apple's general ingratitude, many of us continue to support the Macintosh merely because we believe it's the right thing to do.
Thus, it gives me great pleasure to tell you that Apple has recognized some outstanding members of the Macintosh community. On 03-Sep-94, Apple's Advanced Technology Group (the group chartered with driving long-term technology research and development) announced eleven "Cool Tools" awards. Rick LeFaivre, vice president of the Advanced Technology Group, said, "Through the creation of these 'Cool Tools' awards, our goal was to recognize the work of some of these unsung heroes who have made very significant contributions in making it easier to navigate the Internet."
Lest this seem like mere public relations posturing, each undoubtedly snazzy certificate comes with a Power Mac 7100 attached. And, according to John Norstad, it's a loaded 7100 as well, with 16 MB RAM, 500 MB hard drive, Apple Adjustable Keyboard, and 14-inch color monitor, not to mention System 7.5 and SoftWindows.
Without further ado, congratulations are in order for:
The Internet Society, Reston, Virginia, for its efforts to foster a global environment conducive to the easy exchange of information and the rapid development of standards and new software.
Steve Dorner of QUALCOMM Incorporated, San Diego, California, for Eudora, an electronic mail client for Internet users.
Chuck Shotton, Houston, Texas, for MacHTTP, a World Wide Web server for the Macintosh.
Peter Lewis, Perth, Western Australia, for FTPd - an anonymous file transfer server, and Anarchie - an FTP client to search for and retrieve public files on the Internet.
University of Michigan - Weather Underground, University of Michigan, for Blue-Skies, a Gopher client for browsing, viewing and reporting real time weather and environmental information in an interactive graphic and text format. Key contributors include students Alan Steremberg, Derek Price, Chris Schwerzler, and Michael Kamprath. The Weather Underground is directed by Prof. Perry Samson with technical direction from Jeff Ferguson.
John Hardin of EINet, Austin, Texas, for MacWeb, a hypermedia World-Wide Web client for the Macintosh. [And let's not forget MacWAIS]
National Center for Supercomputer Applications in Urbana, Illinois, for Mosaic for the Macintosh, the crossover application that has helped to spur interest in the Internet for many commercial and non-commercial users.
Aaron Giles of Cornell University Medical College, New York, New York, for JPEGView, a graphic utility that allows the user to view compressed images on the World-Wide Web, Gopher or those retrieved from anonymous FTP servers on the net.
John Norstad of Northwestern University, Evanston, Illinois, for NewsWatcher, a Usenet news reader.
Cornell University, Ithaca, New York, for CU-SeeMe, a conferencing tool that is being used by elementary schools, individuals, and other organizations around the world for low-cost video communications.
University of Minnesota, Minneapolis, Minnesota, for the TurboGopher client and GopherSurfer server. Internet Gopher is a distributed system for campus and world information which includes local information as well as links to other Gopher servers.
Anarchie author Peter Lewis said in comp.sys.mac.comm, "I'd like to thank Apple for the Cool Tools award, and I hope they get a tonne of good press from it. It's great to see Apple realizing the importance of the Internet, and hopefully some of the cool MacTCP apps will make the Mac the platform of choice for connecting to the Internet, something that will quite possibly become a major factor in buying a computer - and I think we'd all like to see more Macs in the world, right? I also hope Apple will make eWorld a full Internet gateway so that their customers can use all the neat programs. And I'm really looking forward to getting my 7100. :-)"
I'd like to echo Peter's sentiments. It's fairly obvious that the future lies in connections between people facilitated by connections between computers. Apple has always recognized this (hence the inclusion of LocalTalk in every Mac and the ease of setting up Ethernet networks), but it's pleasing to see the company recognize the importance of the Internet in terms of communications and computers. From what I've seen (and I've seen a fair amount), the Mac is the best Internet client machine today, thanks in large part to the MacTCP programmers at Apple and to the people and organizations listed above.
Although any finite list must exclude someone, I and many others were surprised not to see Dartmouth College, home of Fetch and InterNews, included. Although Fetch is a bit elderly, it's still one of the standard Internet programs everyone should have, and many people prefer InterNews's interface over others. And, since Apple gave awards to both Mosaic and MacWeb, it's not as though they needed to limit the awards to a single FTP client or Usenet newsreader. I can't give Dartmouth a Power Mac 7100, but I would like to extend the same congratulations to the fine programmers there for their contributions to the Macintosh Internet community.
Finally, as much as my cynical side wants to say that this is a freak occurrence, I sincerely hope that the attention and positive press these awards provide for Apple encourages the company to periodically continue in the same vein. Apple's most powerful allies are its loyal users and developers, and it can only help Apple to give them a quantifiable nod every now and then.
by David Herren <firstname.lastname@example.org>
Despite reports, we have been happily using the Japanese and Chinese Language Kits, as well as Arabic, Cyrillic, and Hebrew with System 7.5. To make them to work for you:
Install a clean version of 7.5. That is, don't install it on top of an older system. As a tip, press Command-Shift-K once in the main Installer window. If you choose Install New System Folder, your old one will be renamed Previous System Folder and you'll get a new clean one.
Don't install QuickDraw GX.
Remove the WorldScript Power Adapter file from the Extensions folder. This should be rev 7.5.1.
Install version 1.1 of the Japanese Language Kit (JLK). Then install Chinese Language Kit (CLK) 1.1. These two kits install the older version (7.2.1) of the WorldScript Power Adapter which seems not to cause any problems.
We've done testing so far on the Quadra 650, Centris 650, Quadra 660AV, Quadra 840AV, PowerBook 520c, and the Power Mac 6100. On the 6100, we're not having any difficulties even with the 7.5 release of the Power Adapter.
The 1.0 releases of the CLK and JLK do NOT work with 7.5, but 1.1 works as expected. Apple recommends the 1.1.1 release, but I've been unable to locate those versions and they certainly haven't appeared on any of the developer CDs.
by Mark H. Anbinder, News Editor <email@example.com>
Users of hard disks and removable cartridge drives with FWB's Hard Disk ToolKit (HDT) driver software version 1.3.1 or earlier should be aware of a potential data loss problem while using disk optimization software or other programs that move or access data in chunks larger than 32 MB. This specific problem does not occur with HDT 1.5.0, 1.5.1, and the current version, 1.6.0; FWB fixed the problem in 1.5.0 without any reports of data loss up to that point.
Data loss only occurs in a limited set of circumstances, in which very large amounts of RAM are available to the software moving data. The problem cannot occur on a Mac with less than 32 MB of RAM, and is unlikely even on systems with considerably more than 32 MB of RAM.
Most programs, even when using large files, read and write them in small pieces. (For example, Photoshop moves data in pieces no bigger than 32 kilobytes, not megabytes.) It's not a good idea for developers to attempt to transfer 32 MB in a single pass, anyway. Assuming a SCSI bus could transfer data at 3 MB per second, a 32 MB read would freeze the Mac for over ten seconds, which would confuse or concern most users. In addition, such freezes could cause network time-outs, especially if virtual memory was involved.
Instances of data loss that may be attributable to this problem have reportedly occurred while using Symantec's Norton Speed Disk 3.0 or 3.1, part of the Norton Utilities for Macintosh package. (This is NOT related to an earlier problem reported with Norton Speed Disk 3.0 in TidBITS-243. The earlier problem is fixed in 3.1.) Two other programs have been identified that might run into this problem - SpeedyFinder 7 users should turn off the option that allows the program to use all available RAM and Maxima users with large RAM disks should turn off the option to use the image transfer method and should use file-by-file instead.
If you have a hard disk or removable cartridge drive and are running a version of HDT earlier than 1.5.0, I strongly recommend upgrading to a later version (such as 1.6.0) to avoid potential problems. If you have a version of Hard Disk ToolKit earlier than 1.5.0, you must order the update directly from FWB. The price for the full version upgrade is $39 plus shipping and handling (and sales tax if in California). Shipping and handling is $4 in the U.S.; $10 outside. You may order by phone, fax, or email with a Visa, MasterCard, or American Express or by mail with a check or money order. Please be sure to include your serial number when ordering. Hard Disk ToolKit Personal Edition customers can upgrade for $29 plus shipping and handling, etc. If you have version 1.5.0 or later, you can upgrade free of charge if you fax FWB a copy of your original invoice, with your serial number written on it. Finally, upgrades are free for those who purchased Hard Disk ToolKit or Hard Disk ToolKit Personal Edition after 01-May-94.
If you use a hard disk or removable cartridge drive with formatting or driver software older than a few months, check with the software's developer to verify that the driver is up to date. According to Casa Blanca Works, their Drive7 software (and versions 3.0 and later of APS Power Tools, which uses the same code) does not suffer from this problem. Although we don't have specifics, other drivers may suffer from similar bugs, so to be safe, make sure you have the latest version of your driver software and avoid the operations mentioned above which may attempt greater-than-32 MB transfers, if you have more than 32 MB of RAM installed in your Mac.
HDT comes with hard disks and removable cartridge drives manufactured by FWB. It is also sold as a retail software package and used to format third-party hard disks. If you are not sure whether HDT has been installed on your hard disk, select the icon for the disk and choose Get Info from the File menu in the System 7 Finder. If HDT formatted the disk, the Where line will include "FWB" and the drive's SCSI ID (which is not relevant). The Where line will end with HDT's version number.
Given the recent problems Symantec has had with Speed Disk 3.0, I would like to stress that this is not inherently a problem with Speed Disk, but with an older version of FWB's driver software. Speed Disk 3.1 is safe to use (with proper backups) in the vast majority of user configurations. I commend Symantec for their quick analysis and response to the situation.
FWB -- 415/474-8055 x656 -- 415/775-2125 (fax)
by Jonathan Hue <firstname.lastname@example.org>
In Part II of our article on firewalls, we look at some of the most popular Macintosh Internet applications and describe a few of the ways you can make them work from behind a firewall. We also look at how you can get through your firewall from the outside with your Macintosh. Many of the terms used in this article were explained back in Part I, so if you haven't read Part I, check out TidBITS-246 first.
Note: Always check with your network manager before you run a new application which accesses the Internet through your firewall. Your company may have a security policy in place and you might accidentally violate it by trying to "punch through" your firewall with a new program.
Working with a packet screening router -- Packet screening routers are usually the most friendly towards Macs, since they don't favor any particular operating system (the mechanisms employed by other firewall components are generally easier to work with from Unix clients). It is always possible to configure a router to permit a particular Mac client to pass its traffic through the router, although some network managers prefer more restrictive filtering on their firewall routers, and end up blocking the ports which your applications use. In general, if you have a good enough reason to pass a certain type of traffic through the router, your network manager can configure the router to allow it.
If a firewall uses a packet screening router in conjunction with an application-level gateway, you need to worry first about the more restrictive of the two components, the application-level gateway. However, you may still need to open a hole through the router after you get your Mac client to work with the application gateway.
Working with application level gateways -- Application-level gateways are available for most of the popular Mac Internet applications. HTTP (HyperText Transfer Protocol, used by Web browsers such as Mosaic and MacWeb), Gopher, FTP, and Telnet are fairly easy to support, and free gateways are available.
The most common HTTP gateway is the CERN HTTP server operating in proxy mode, which also supports FTP and Gopher. The most secure way to run this is to put the proxy server inside your firewall, and have the server use SOCKS to get through the firewall. This method is more secure because the CERN HTTP server is a large, complex piece of code, and one of the basic rules of firewalls is that you should not run large, complex pieces of code on them. Mosaic 2.0a8 for the Mac supports the CERN proxy server, as does MacWeb 1.00A2.2 .
An additional benefit of the CERN proxy server is that it can be configured to cache documents you retrieve, thereby reducing the network load on the Internet, while at the same time speeding future access to the files.
FTP and Telnet can be proxied with the FTP gateway and Telnet gateway from Trusted Information Systems' freely available Firewall Toolkit. Although both require slight changes in the way you use FTP and Telnet clients, they do work with existing Macintosh FTP and Telnet clients, such as Fetch, Anarchie (the TIS ftp-gw FTP proxy requires a small modification to work with Anarchie 1.3.1), and NCSA Telnet. For instance, with Fetch, instead of putting the remote host name in the host field, you enter the name of your firewall, and instead of "anonymous" for the user, you enter "email@example.com", where <ftphost.domain.org> is the name of the remote FTP server you are trying to access. Similarly, with the Telnet proxy, you always connect to the Telnet proxy on the firewall first, and then give the proxy a command to connect to the remote host. This may sound as though you are first logging onto the firewall, and then running the client, but in fact, the proxy method is much better. Except for making the initial connection, the proxy is transparent to the Macintosh client. Furthermore, actual logins onto the firewall do not occur (allowing users to log onto the host running an important part of your firewall is considered very bad).
Commercial firewalls based on application-level gateways provide similar functionality. Some make the gateway completely transparent to the user.
The most Macintosh-unfriendly firewall is one which uses the SOCKS circuit-level gateway. Few Macintosh applications have been "socksified." NCSA Mosaic 2.0a8 supports the use of a SOCKS gateway, as does the latest version of Peter Lewis's Anarchie. SOCKS support is planned for MacWeb as well, but these are the only applications I know of which support a SOCKS gateway. As mentioned in Part I, it is easy to "socksify" a Unix application (source code is not even required on some platforms), but there is currently no easy way to support SOCKS on the Macintosh. For more information on SOCKS, see:
The only consolation in this is that the Web browsers support multiple protocols, so you can still get to Gopher and WAIS resources through a firewall via a Web browser.
Anarchie merits special attention, since Archie clients are a bit different from most other Macintosh clients. Archie uses the UDP protocol, rather than TCP. Because of this, an Archie client cannot be "socksified," or relayed by a generic TCP relay program such as "plug-gw" from the TIS Firewall Toolkit.
Fortunately, there is a solution in the form of a program called "udprelay", which is very similar to plug-gw, except it works with programs that use UDP. It also provides a SOCKS-like replacement library, which is not terribly useful to the typical Mac user, although it is useful for those who wish to get Unix UDP clients to work from behind a firewall.
Accessing your network from outside the firewall -- If you have a firewall, you may find you want to access to your network from the outside. For example, you might travel to a customer site which has Internet access and find you need to FTP a file from your desktop workstation. Since the Internet is an untrusted network, you should not use reusable passwords when accessing your network from the Internet; instead, you should use a strong authentication method, such as a challenge/response using hand-held authentication tokens or single-use passwords. One way to incorporate these devices into a firewall is to present the user with the challenge before access to the gateway is allowed. If the user does not provide the proper response, access to the gateway is denied. Support for this type of authentication is not supported in Anarchie or Fetch, so you must use NCSA Telnet for Telnet and FTP access when a challenge/response system is used.
More information about firewalls -- There are many excellent sources of information on firewalls available on the Internet. Two of the best are the Firewalls mailing list (available in regular and digest format, subscribe by sending email to <firstname.lastname@example.org> or <email@example.com>) and the Web site and FTP archive at:
The recent book by the architects of Bellcore's firewall ("Firewalls and Internet Security" by Bill Cheswick and Steve Bellovin) should be required reading for anyone who works with firewalls. Trusted Information Systems also maintains Web and FTP servers that have good information on firewalls.
 Currently, you must use ResEdit to enable MacWeb to use the CERN proxy HTTP server. Edit STR# resource number 803 (entitled "Proxy Info"). Strings are of the form: "<protocol>;<http_proxy_url>"; one per protocol. For example, using host <proxy.foo.com> for gopher would be declared as:
Other examples include:
Commercial Firewall Products
by ANS -- <firstname.lastname@example.org> -- 703/758-7723
by Checkpoint Software Technologies -- <email@example.com>
by Trusted Information Systems -- <firstname.lastname@example.org>
JANUS Firewall Server
by Border Network Technologies Inc. -- <email@example.com>
by Raptor Systems -- 302/996-3331
Companies That Offer Firewall Consulting
Trusted Information Systems
3060 Washington Road
Glenwood, MD 21738
Great Circle and Associates
1057 West Dana Street
Mountain View, CA 94041
Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies. TidBITS ISSN 1090-7017.