
Tuesday, January 7, 2020

We've been poisoned by free

Reading a bunch of articles about how apps, including supposedly-reputable weather apps, like Accuweather and Weather Channel, harvest location data and sell it to data aggregators, who then sell it to advertisers, it occurs to me that the trajectory of the Internet itself led us to this. I mean, normally we’d be very suspicious of free things, right? Somebody’s making money off of these things, and if you don’t know how, you might not like the means. And that is, indeed, how things are working. But the thing is, it didn’t start out this way. In the beginning, there was a lot of free stuff on the Internet, because people were hoping that the free services they were creating would lead to real jobs some day. After that, companies made neat free services for promotional purposes, to draw people to their sites, and then as loss leaders, to persuade people to buy other products if they released something useful for free. Plus, even before the Internet, there was freeware and shareware, with developers making things either genuinely out of the goodness of their hearts, for experience and exposure, or in the hope that enough people would pay to make it worthwhile. And then there was a lot of free stuff powered by ads. And don’t even get me started on Web browsers, which have never (with occasional exceptions) had any visible means of monetization, and yet have high development and marketing costs.

 

The point is that for a very long time, free things online were both ubiquitous and innocuous, so we all became conditioned to accept free stuff without questioning it. That tendency is now being exploited to, well, exploit us, to use our information in ways that could possibly damage us someday, without us ever knowing about it.

 

I don’t necessarily object to my information being used to provide me free stuff; I participate in store rewards plans, after all. And if I can get free services on the Internet by allowing my location data to be used in aggregate so that retailers can better cater to their customers, why do I care?

 

Well, the answer, as the articles linked above describe, is that it’s fairly trivial to use that “aggregate” data to determine exactly who is doing exactly what, and that’s a major problem. Anything that could be used to blackmail you, or as evidence in a criminal investigation against you, should at least be something you’re aware other people have.

 

I don’t have an easy answer to this, except that, as Adam Grossman notes, Apple should set clear policies for data collection, instead of relying on privacy policies that no one reads or understands, to force app developers to make clear to users just exactly what their data is being used for. I don’t agree with Adam that such collection should be banned, just that it should be put explicitly in the user’s control. If that means that the app doesn’t work if permissions aren’t granted, fine! That’s my choice.

 

I just thought it was interesting to note that this state of affairs wasn’t necessarily inevitable, but followed from how the culture of the Internet developed. Institutions, history, and expectations matter.

Wednesday, March 21, 2018

Create Your Own Personal VPN with Algo

(updated—Fixed links, updated instructions for macOS Mojave, and added instructions for Google Compute Engine)

 

I have known for some time that browsing on public Wi-Fi nets without using a VPN (Virtual Private Network) was a bad idea, because a hacker can easily sniff all unencrypted traffic, possibly compromising all manner of personal data. For this reason, I have had a free TunnelBear account for years. It was great, because it offered 500MB of free data per month (+1GB if you tweeted about them, which I often did), and I essentially never needed more. On those rare occasions I did, I switched to cellular, or just gave up and turned off the VPN.

 

The problem with this approach is that I had to manually connect to TunnelBear every time, which I often forgot to do, or even didn’t know was necessary, as the iPhone automatically connects to known Wi-Fi networks every time unless you specifically tell it not to. And even when I did remember, connecting manually leaves you open to security leaks. So I have for some time wanted a free or cheap way to make my iPhone auto-connect to a VPN whenever it connected to an untrusted (i.e. other than home or work) Wi-Fi network. Cloak VPN (now known as encrypt.me) would do it, but it was expensive, at $10/month (although I now see that they have a limited plan for $3/mo; not bad), for something I needed only occasionally. I used their free trial, then uninstalled it. Then I tried using Activator when my iPhone was jailbroken. This worked, but drained my battery life like crazy, so I gave up on it and went back to TunnelBear, which, though it was either always-on or manual-connect, had the advantages of being free, user-friendly, and gentle on my battery.

 

Still, I would occasionally get frustrated and Google around looking for a better solution. I did run across something, but it looked too technical to try using my iPhone alone, and of course I never thought of it when I was at my computer: custom profiles. Well, today I finally got fed up enough that I remembered to do it once I got home (well, alright, I ran across an iPhone browser tab that I had left open), and decided to give it a shot. In the process, though, I found an even better way than that article described: Algo (named after Al Gore). It’s not (nearly) as user-friendly to set up as TunnelBear, but it will automatically connect on untrusted networks, it’s free(ish), and it lets you set up your own VPN, so you don’t have to trust some faceless VPN company.

 

Edit: In the process of setting up Algo, I discovered that TunnelBear had added the ability to add trusted networks, which is what I had wanted all the time. So if you don’t plan to regularly use more than 1.5GB of data per month while connected to public Wi-Fi networks (or are willing to pay $10/mo for unlimited VPN data), and you trust TunnelBear not to misuse/sell/accidentally compromise your data, just use that. It’s free, easy, and works great (though be warned that, like any commercial VPN, TunnelBear is not without flaws).

 

However, if you’re interested in setting up your own, personal VPN for cheap, and aren’t averse to getting your hands a little dirty in Terminal, read on!

 

First, a warning: VPNs are not a panacea. They don’t make you completely anonymous (use Tor for that…though it comes with its own problems). They don’t protect against the fact that just connecting to a Wi-Fi network can identify you. Heck, even having Wi-Fi on means that you can be tracked, and VPNs can’t do anything about that (although iPhones, at least, have been immune from this particular problem since iOS 8). What it can do is ensure that your data cannot be sniffed out by local hackers, and it can also prevent unscrupulous ISPs from seeing/modifying/selling your data. Note, however, that your VPN service can do all of those things, whether or not they choose to. That’s true to a degree even with Algo; whatever hosting service you’re using theoretically has access to all of the data you transfer over the VPN. However, Amazon (or whoever you use) probably doesn’t know (unless someone goes and checks) that you’re using a VPN on their service, so they have little incentive to snoop. Don’t expect any of this to protect you from a warrant from the FBI, however; that’s a whole ’nother level of security, that we won’t be dealing with here. Maybe if you set up Algo on your own Ubuntu server on an encrypted disk on a computer you own, the FBI couldn’t easily find out what you had been doing with a warrant. Maybe. Just recognize that everything has tradeoffs, and there’s no perfect solution.

 

Following is a step-by-step list of instructions to get Algo installed on Mac and iOS devices. These instructions can be easily adapted for other systems, but I’m focusing on Apple boxes. None of this is my own invention; I drew from various instruction sets around the Internet, particularly MacObserver’s and, of course, Algo’s. For simplicity, these instructions assume you’re doing this on a Mac running macOS Mojave (though the instructions will likely apply to any proximate version of macOS) and using Amazon EC2 as a host. Amazon EC2 is free for a year (if you stay within Amazon’s rather expansive limits). I’ll try to revisit this with more info after that year expires; I don’t mind paying a small amount for on-demand VPN, but I’d really rather not pay $10/month for something I use only occasionally.

 

Update: My Free Tier has expired; for the first month since, my bill was $9.10. This stacks up well with other services like Tunnelbear. If it’s that much every month, signing up for a Tunnelbear annual plan would be cheaper; we’ll have to see if that’s the case. || Eep! Looking more closely at my bill, I see that most ($8.20) of that bill is for 720 hours of computing time—in other words, continuously, whether I’m actively using the VPN or not. So no, this isn’t cheaper than an annual plan from Tunnelbear. DigitalOcean, another Algo-compatible host, is only $5/mo, so that could be a better option than Amazon EC2. However, I’ve heard that Google’s cloud platform, GCP, doesn’t charge for computing hours for VPNs the way that Amazon and DigitalOcean do, so that could be a nearly free option (and Google Cloud also has a 1-year free trial, so at least I can get another free year). I’ll include instructions for GCP below.

 

The reason I’m doing this is that the instructions I’ve seen are not clear or detailed enough; I had trouble figuring out what I should do at several points and had to research it, so I’m transmitting the benefit of that to you. The settings I chose are for securing public Wi-Fi connections, not your home network, though making a different choice is a matter of not setting one option. As noted above, these instructions are for Amazon EC2 or Google GCE; if you want to use another host, instructions can be found elsewhere, including in the previously-mentioned MacObserver article.

 

How to set up Algo using macOS

 

Note: Any text in fixed-width font is intended to be entered into Terminal.app. You should be able to triple-click on the listed command, choose Copy, switch to Terminal, and choose Paste. Done right, that will even press Return for you! Or, you can just type them as displayed.

  1. Set up a Cloud Services account.
    • Amazon EC2:
      • Create a free account at Amazon Web Services. They’ll ask you for a credit or debit card number (that has at least $1 on it) to verify your identity and charge you if you actually spend any money; that’s fine. If you stay within Amazon’s limits, this account is free for a year, and likely cheap thereafter. (I had trouble logging in after I created my account using Safari, so I used Google Chrome.)
      • From your Amazon Web Services Console page, choose IAM from the Services menu.
      • Select the Users tab.
      • Click “Add User.”
      • Enter your desired user name, then choose “Programmatic Access” below. Click “Next.”
      • Select “Attach existing policies directly.”
      • Choose “AdministratorAccess” in the list below. Click “Next.”
      • Review your choices, then click “Create User.”
      • Click “Download .csv.”
        • In Safari, this brought up a tab with the information in it, instead of downloading a .csv file. If this happens, Select All, Copy, Paste it into your text editor of choice, then Save it (as plain text) as credentials.csv.
      • Click “Close.”
    • Google GCE:
      • Install gcloud:
        • Make sure that Python 2.7 is installed on your system. Launch Terminal.app and type:
          python -V
          and press Return.
        • Download the 64-bit installer from the gcloud Quickstart page.
        • Expand the archive by double-clicking on it. You may need to install an expander such as The Unarchiver first.
        • Move the resulting “google-cloud-sdk” folder into your Home folder.
        • In Terminal, type
          ./google-cloud-sdk/install.sh
          and press Return. It will ask you a few questions.
          • Whether you want to send data back to Google is up to you.
          • When it asks if you want to continue, hit Return.
          • When it asks you to enter a path, hit Return.
        • Close that Terminal window.
        • Open another Terminal window.
        • Type
          gcloud init
          and press Return.
        • Accept the option to log in using your Google user account. This will open Chrome and allow you to log into your Google account and authorize Google Cloud.
        • Choose No when it asks you if you would like to create a project.
      • Log into Google Cloud and accept the license agreement.
  2. Download Algo. Unzip the resulting archive if Safari hasn’t done that for you already. You should have a folder in your Downloads folder called “algo-master.”
  3. Open the Terminal app.
  4. Type cd and then drag the “algo-master” folder into the Terminal. Its directory path should show up after “cd.” Hit Return.
  5. Now we enter a few commands in Terminal. If you receive any errors in this process, I’ve found that closing the Terminal window, making a new one, and starting from Step 4 usually works.
  6. Type
    python -m ensurepip --user
    and press Return.
  7. Type
    python -m pip install --user --upgrade virtualenv
    and press Return.
  8. Type
    python -m virtualenv --python=`which python2` env &&
    source env/bin/activate &&
    python -m pip install -U pip virtualenv &&
    python -m pip install -r requirements.txt
    and press Return.
  9. If you’ve never installed the cc command line tools, you’ll be prompted to do that. Go ahead and agree, it’s perfectly safe and required to move forward.
  10. After everything completes, type
    sudo nano config.cfg
    and press Return. You’ll be asked for your administrative password, and then a text editor will open. Under the section called Users in the file, replace the existing user names with whatever usernames you wish to use (you’ll have to use the arrow keys instead of the mouse to navigate around the screen). These are the people who will have access to your VPN. Once you’ve added your users, press Control-X to save your changes and exit the text editor.
  11. Now we install Algo itself.
    • If you’re using Amazon EC2:
      • Stay in Terminal, and type
        ./algo
        and press Return.
      • Algo will ask you what provider you’re going to use. We’re using Amazon EC2, so choose “3” (and press Return of course; I’m not going to mention that for every option).
      • Now it asks for the aws_access_key. Go back to your Downloads folder and open the “credentials.csv” file you downloaded earlier. Copy the Access Key ID and paste it into the Terminal. Press Return.
      • Do the same for the Secret access key.
    • If you’re using Google GCE:
  12. Name your server. You can name it whatever you like, though I presume there are some limits on what characters you can use and how long it can be. I just hit Return to accept the default option in brackets (“algo”).
  13. Choose a Region. It’s likely better to choose the one nearest where you’ll usually be, for speed reasons (this question may come after the others if you’re using GCE).
  14. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks?” For our purposes, choose No. Choose Yes if you want your VPN to protect your cellular connection as well.
  15. It asks “Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi?” Choose Yes.
  16. Look up the exact name of any trusted Wi-Fi networks (all of your remembered Wi-Fi networks will be in System Preferences→Network→Advanced…). Sadly, you can’t Copy from there, but you can carefully type them into Terminal, separated by commas but not spaces (there can be spaces in the network names, though). Only select those networks you personally trust; i.e. not Starbucks! These are usually your home and work Wi-Fi networks. If you want always-on VPN, don’t add any networks here.
  17. Whether you want your personal VPN to block ads is up to you; I prefer the more fine-grained control of an ad-blocker.
  18. SSH tunneling is for tricking firewalls and such, and so isn’t useful for our purposes. Choose No.
  19. I only intend to use this VPN for macOS and iOS clients, so I chose No to Windows 10 and Linux Desktop compatibility.
  20. It says that doing so would create an insecurity, so I said no to retaining the CA key. Note that this means that you can’t create more users later without starting all over from Step 3 (which isn’t that hard).
  21. Now go grab a sandwich or something, while Algo installs itself to your Amazon EC2 or Google GCE instance.
  22. The confirmation screen gives some valuable info. I would recommend copying and pasting the final screen into a text file for future reference. At the very minimum, you absolutely need the password it shows after “The p12 and SSH keys password for new users is”. Save that in a safe place, like a password manager.
  23. Now we get to configure your Macs and iOS devices to use your brand-new VPN service. First off, uninstall any existing VPNs. We don’t want any conflicts. This involves deleting VPN apps from Mac and iOS devices, and checking System Preferences→Profiles on the Mac, and Settings→General→Profiles in iOS for VPN profiles (including old Algo profiles) and deleting them.
    • Note: I am not including instructions for using Wireguard, because I’m using older Macs, and because I want to pre-configure the Wi-Fi exceptions, and because frankly it’s simpler not to use Wireguard on all-Apple installations. If you want to use Wireguard, see the "Apple devices" section of the official instructions.
  24. Go back to your downloads folder in the Finder, and open the “algo-master” folder. Inside it is a “configs” folder (~/Downloads/algo-master/configs), and inside that is a folder named for your server’s IP address, and inside that is a folder named “Apple.” Open the “Apple” folder, and you’ll see files named .mobileconfig.
  25. Open the .mobileconfig file that corresponds with the correct user on any Mac you want to use your newly created VPN on (just double-click it).
  26. Choose “Continue.”
  27. If using Amazon EC2:
      • Choose “Continue” again.
      • Enter the password you hopefully saved from the Algo confirmation screen in Terminal. If not, it should still be there in the Terminal window.
  28. Click Install, and enter an administrator username and password for this Mac.
  29. If you included your current Wi-Fi network in the list of trusted Wi-Fi networks in Step 28 above, you won’t have any way immediately to test your install. Connect to an untrusted network (perhaps go to Starbucks; you deserve a coffee after all this work. Or just enable the Guest network on your router), and go to https://whoer.net/ to see if you did everything right. If you did, Mr. Whoer should report your ISP as “Amazon.com” or “Google Cloud,” depending on which cloud service you’re using. If it doesn’t, try going to System Preferences→Profiles, deleting the profile you installed earlier, and starting again from Step 24.
  30. If it worked, congrats! Send the file via secure means (Airdrop for instance, or iMessage) to any other Macs you wish to secure, and go through Steps 23–28 again. Then Airdrop (or use some other secure means) that file to every iOS device you want to VPN with. If you specified different users in step 10, make sure to send the right files to the right devices.
  31. Open the file on your iOS device (whether by tapping it in Messages, receiving the Airdrop file, or whatever).
  32. Tap Install, then enter your device password.
  33. If using Amazon EC2:
    • Tap Install again, then a third time.
    • Enter the password you saved in Step 22. Tap Next.
  34. Tap Done. That’s it! It should be working. Again, connect to an untrusted network and visit https://whoer.net. The IP address should be the one in your profile.
  35. Now you can delete the “algo-master” file from your Downloads folder. You may wish to keep the “configs” folder, or at least the .mobileconfig files, along with the “credentials.csv” file, the “config.cfg” file, and the Algo confirmation details, somewhere safe. You may be tempted to hold on to the entire algo-master folder, and that’s not a terrible idea, but remember that they will probably make improvements in the future, so remember to download a new copy if you want to start over sometime.

Now, you may want to change things in the future, such as the list of users, or the trusted networks (perhaps you decide you like this VPN thing so much you want to use it all the time).

  • If you chose to save the CA key in Step 20 above (and you held on to the “algo-master” folder), changing the user list is fairly simple. If not, you’ll have to destroy your instance (see below) and start over (from Step 2), which is not really that much work.
  • To change the list of trusted networks, open the .mobileconfig file in a text editor (PlistEdit Pro is an excellent tool for this task), navigate to your current list of trusted networks (under SSIDMatch), and add or remove networks as you please. Make sure you keep the exact formatting as shown for any new or changed lines. Then redistribute the file according to Steps 26–37.
  • To destroy the instance you created:
    • For Amazon EC2: Log into Amazon Web Services, select EC2 (under “Compute”) from the Services menu, choose Instances, and click on Actions→Instance State→Terminate. That will allow you to start over from Step 2.
    • For Google GCE: Log into the GCE console, select Compute Engine in the sidebar, then select VM instances (it’s probably already selected). Click the three dots to the right of your “algo” VM instance, then select “Delete.” That will allow you to start over from Step 2.
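
An added example (not from the original post or from Algo) of the trusted-network edit described above, done with Python's plistlib instead of a plist editor. It looks for `SSIDMatch` arrays wherever they are nested, so it assumes only that key name; the sample profile is constructed, its layout is an assumption, and `trusted_ssids` and `set_trusted_ssids` are hypothetical helper names.

```python
import plistlib
import sys

# Constructed sample: a cut-down profile with On Demand rules. The layout is
# an assumption for illustration; a real Algo profile carries more payloads.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "VPNType": "IKEv2",
        "IKEv2": {
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
                 "SSIDMatch": ["Home Net", "WorkWiFi"]},
                {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
                {"Action": "Disconnect", "InterfaceTypeMatch": "Cellular"},
                {"Action": "Ignore"},
            ],
        },
    }],
})

MAX_SSID_BYTES = 32  # 802.11 limits an SSID to 32 octets


def _load(profile_bytes):
    """Parse a plain (unsigned) .mobileconfig into Python objects."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:  # signed or encrypted profiles are not plain plists
        raise ValueError("not a plain plist profile") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    return profile


def _ssid_rules(node):
    """Yield every dict that carries an SSIDMatch list, however deeply nested."""
    if isinstance(node, dict):
        if isinstance(node.get("SSIDMatch"), list):
            yield node
        for value in node.values():
            yield from _ssid_rules(value)
    elif isinstance(node, list):
        for item in node:
            yield from _ssid_rules(item)


def trusted_ssids(profile_bytes):
    """Return the trusted network names in the profile, without duplicates."""
    found = []
    for rule in _ssid_rules(_load(profile_bytes)):
        for ssid in rule["SSIDMatch"]:
            if ssid not in found:
                found.append(ssid)
    return found


def set_trusted_ssids(profile_bytes, ssids):
    """Return new profile bytes whose SSIDMatch rules list exactly `ssids`."""
    cleaned = []
    for ssid in ssids:
        if (not isinstance(ssid, str) or not ssid
                or len(ssid.encode("utf-8")) > MAX_SSID_BYTES):
            raise ValueError(f"invalid SSID: {ssid!r}")
        if ssid not in cleaned:
            cleaned.append(ssid)
    if not cleaned:
        # An empty trusted list changes what the rule means; regenerate the
        # profile for an always-on setup rather than emptying the list here.
        raise ValueError("at least one trusted SSID is required")
    profile = _load(profile_bytes)
    rules = list(_ssid_rules(profile))
    if not rules:
        raise ValueError("profile has no SSIDMatch rule to edit")
    for rule in rules:
        rule["SSIDMatch"] = list(cleaned)
    # sort_keys=False keeps the original key order, so a diff shows only SSIDs.
    return plistlib.dumps(profile, sort_keys=False)


if __name__ == "__main__":
    # Usage: python3 edit_ssids.py user.mobileconfig ["Home Net" "WorkWiFi" ...]
    if len(sys.argv) < 2:
        sys.exit("usage: edit_ssids.py PROFILE [SSID ...]")
    path, new_ssids = sys.argv[1], sys.argv[2:]
    with open(path, "rb") as fh:
        data = fh.read()
    if new_ssids:
        data = set_trusted_ssids(data, new_ssids)
        with open(path, "wb") as fh:
            fh.write(data)
    print("Trusted SSIDs:", trusted_ssids(data))
```

Run it on a copy of the .mobileconfig file; with no SSIDs on the command line it only prints the current list.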

Enjoy your new, personal VPN! Let me know how it goes, or any difficulties you have with these instructions, in the comments below!

Thursday, September 26, 2013

OpenPGP key transition statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Date: October 16, 2013

For a number of reasons[0], I’ve recently set up a new OpenPGP key, and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

pub 1024D/BB9EC476E934D755 1998-09-22
Key fingerprint = CD29 354E 5C51 E528 0E0E 19DF BB9E C476 E934 D755

And the new key is:

pub 4096R/BEB8C013FCC700F3 2013-10-16
Key fingerprint = 0AA7 230B 8C3C 2C2E 12E9 525D BEB8 C013 FCC7 00F3

To fetch the full key from a public key server, you can simply do:

gpg --keyserver hkps.pool.sks-keyservers.net --recv-key BEB8C013FCC700F3

or if you’re using GPGTools for Mac[1], choose “Retrieve from Keyserver…” from the Key menu in GPG Keychain Access and paste BEB8C013FCC700F3 into the “Key ID” field.

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs BEB8C013FCC700F3

or with GPGTools, choose “Show Info” from the Key menu in GPG Keychain Access when the key is selected, choose the “User IDs” tab, and review the Signatures field.

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint BEB8C013FCC700F3

or view the fingerprint in the Key tab of the Key Inspector in GPG Keychain Access.

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command:

**
NOTE: if you have previously signed my key but did a local-only signature (lsign), you will not want to issue the following, instead you will want to use --lsign-key, and not send the signatures to the keyserver
**

gpg --sign-key BEB8C013FCC700F3

or choose “Sign…” from the Key menu in GPG Keychain Access while my new key is selected.

I'd like to receive your signatures on my key. Once you’ve signed it, please upload the signed key to a public key server:

gpg --keyserver hkps.pool.sks-keyservers.net --send-key <my email address> [sorry, I don’t post my email online to avoid spam]

or choose “send public key to Keyserver” in the Key menu of GPG Keychain Access when my key is selected after you’ve signed it.


Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations and other updates in a timely manner. You can do regular key updates by using parcimonie[2] to refresh your keyring. Parcimonie is a daemon that slowly refreshes your keyring from a keyserver over Tor. It uses a randomized sleep, and fresh tor circuits for each key. The purpose is to make it hard for an attacker to correlate the key updates with your keyring.


I also highly recommend checking out the excellent Riseup GPG best practices doc, from which I stole most of the text for this transition message ;-)

https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

Please let me know if you have any questions, or problems, and sorry for any inconvenience.

Jim Syler

0. https://www.debian-administration.org/users/dkg/weblog/48
1. https://gpgtools.org/
2. https://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iEYEAREDAAYFAlJfF5AACgkQu57Eduk011W5GwCbBKey8PSFuuNf0IkfZ+J+cPFH
8iUAoOOXH6aPtqoxkwXpDipA88n0C9Ck
=7aSL
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

-----END PGP SIGNATURE-----
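
An added example (not part of the signed statement above) that automates the two checks it describes, the fingerprint comparison and the old key's signature on the new key, by parsing gpg's machine-readable `--with-colons` output. The sample listing is constructed from the key IDs and fingerprint given in the statement, with made-up timestamps; the function name and result labels are hypothetical.

```python
import sys

# Values quoted in the transition statement.
EXPECTED_NEW_FPR = "0AA7 230B 8C3C 2C2E 12E9 525D BEB8 C013 FCC7 00F3"
OLD_KEY_ID = "BB9EC476E934D755"

# Constructed sample of what
#   gpg --with-colons --with-fingerprint --check-sigs BEB8C013FCC700F3
# prints. Field layout follows GnuPG's doc/DETAILS: record type, validity
# flag, ..., key ID in field 5, fingerprint/user ID in field 10, signature
# class in field 11.
SAMPLE_COLONS = """\
tru::1:1381900000:0:3:1:5
pub:-:4096:1:BEB8C013FCC700F3:1381881600:::-:::scESC:
fpr:::::::::0AA7230B8C3C2C2E12E9525DBEB8C013FCC700F3:
uid:-::::1381881600::0000000000000000000000000000000000000000::Jim Syler:
sig:!::1:BEB8C013FCC700F3:1381881600::::Jim Syler:13x:
sig:!::17:BB9EC476E934D755:1381881700::::Jim Syler:10x:
sub:-:4096:1:1111111111111111:1381881600::::::e:
fpr:::::::::2222222222222222222222222222222222222222:
sig:!::1:BEB8C013FCC700F3:1381881600::::Jim Syler:18x:
"""

# Validity flags gpg puts in field 2 of a sig record under --check-sigs.
_STATUS = {"!": "good", "-": "bad", "?": "no-key", "%": "error"}
_CERT_CLASSES = ("10", "11", "12", "13")  # certifications of a user ID


def _norm(fpr):
    """Strip spaces and upper-case so printed and raw fingerprints compare."""
    return "".join(fpr.split()).upper()


def check_transition(colon_output, expected_fpr, old_key_id):
    """Check the first key in a --with-colons listing.

    Returns a dict with:
      fingerprint_matches: primary fingerprint equals expected_fpr
      old_key_signature:   "good" only if every user-ID certification made by
                           old_key_id verified; otherwise the first failing
                           status, or "missing" if there is none at all.
    """
    primary_fpr = None
    seen_pub = in_uid = False
    statuses = []
    for line in colon_output.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            if seen_pub:
                break  # only the first key in the listing is examined
            seen_pub = True
        elif rec == "fpr" and seen_pub and primary_fpr is None and len(f) > 9:
            primary_fpr = f[9].upper()  # first fpr after pub is the primary key's
        elif rec == "uid":
            in_uid = seen_pub
        elif rec == "sub":
            in_uid = False  # signatures from here on bind subkeys
        elif rec == "sig" and in_uid and len(f) > 10:
            is_cert = f[10][:2] in _CERT_CLASSES
            if is_cert and f[4].upper() == old_key_id.upper():
                # An empty flag means the listing came from --list-sigs,
                # i.e. nothing was cryptographically checked.
                statuses.append(_STATUS.get(f[1], "unchecked"))
    if not statuses:
        old_sig = "missing"
    else:
        old_sig = next((s for s in statuses if s != "good"), "good")
    return {
        "fingerprint_matches": primary_fpr == _norm(expected_fpr),
        "old_key_signature": old_sig,
    }


if __name__ == "__main__":
    # Pipe the gpg listing in on stdin.
    print(check_transition(sys.stdin.read(), EXPECTED_NEW_FPR, OLD_KEY_ID))
```

A result of "no-key" means the old key is not in the local keyring, so gpg could not verify its signature; in that case only the fingerprint comparison applies.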

Saturday, June 24, 2006

Leopard=Windows?

(updated below)

Screenshots


There are some very interesting “screenshots” that have recently been released purporting to be of the next version of Mac OS X, 10.5 “Leopard.” The most tantalizing thing about these supposed screenshots is that apparently, Windows applications (in this case, Internet Explorer 7) can run natively on a Mac under OS X in Leopard.

If true, this is revolutionary. Windows and OS X applications running concurrently on a Mac? This is the Holy Grail of computing. Now, I don’t know if these screenshots are real or not. If they’re fake, they’re superbly done. But here, it doesn’t matter; I just want to talk about the idea, not whether or not Apple is actually doing it.

Explanation

Now, there are positives and negatives to this idea. Before we go into them, let’s examine exactly what we’re talking about here. The new Macintoshes (as of 2006) are now based on Intel processors instead of the old IBM/Motorola/Freescale PowerPC processors. Since Intel (or Intel-compatible) processors power all Windows (and Linux, for that matter) PCs, that introduces a potential level of compatibility between Macs and PCs impossible previously. Already, Apple has released software called Boot Camp that allows the new Intel Macs to boot into Windows XP. Now, this is a separate boot situation: You can turn on your computer and have it be a Windows PC, or turn it on and have it be a Mac. While this is useful (for more details see my previous post on the subject) for occasionally running Windows-only software like games, it’s anything but seamless, and there’s almost no real benefit besides saving desk space over just buying an actual PC. The recently released Parallels software is another option for running Windows on your Mac: It provides an environment similar to the old Virtual PC, where Windows, and Windows applications, run in a window on your Mac. This is better than a dual-boot situation; you may lose a tiny bit of speed, but not much, because Parallels on an Intel Mac is not an emulator like Virtual PC on a PowerPC Mac; it’s a “virtualization machine” and therefore runs at near-native speed. The problem with it is that it’s still not seamless. Parallels is one application on your Mac; all your Windows applications run within that application, in a window with the Windows desktop in it. Functional, but ugly, and a bit of a pain to work with.

The ideal solution is something called a “compatibility layer.” This will allow Windows applications to exist side-by-side with Mac applications—completely seamlessly. Done right, the only way you’ll know which kind of application you’re running is by how it (the application itself) looks and behaves. Instead of being like having a Windows machine on your Mac, it would be like simply running Windows applications in the same way you run Mac applications. In a perfect world, Windows apps would exist on your hard drive right next to your Mac apps and documents and files, with the only distinguishable difference being in the icon. Mac OS 9 (Classic) applications work exactly like this on PowerPC-based OS X machines now. There is currently no way to do this, but the Darwine project is working on it, and this is what is promised by the Leopard screenshots mentioned above.

Consequences

What are the ups and downs of this last method? Well, the ups are obvious. Being able to run any Windows application natively on my Mac without having to deal with the horrid Windows operating system is, as mentioned above, the Holy Grail of computing. There have been many times where some service or game or function that I wanted to access or use was only available for Windows, and I didn’t have a Windows machine or emulator, so I and my beloved Mac were left out in the cold.

The downs are a little more interesting. Viruses are obviously the biggest threat. I don’t need to describe here how horrible the virus situation is in the Windows world. Running Windows on your Mac obviously exposes you to virus risks that are currently nonexistent for OS X. Dual booting is no more or less risky than simply using a Windows box. Your Mac is a Windows box then. The situation is similar running virtualization software; whatever partition of your hard drive is dedicated to Windows is vulnerable to Windows viruses. The virus risk for compatibility layers is an unknown; we’ve never seen one in the wild, so it’s hard to tell. There’s reason to hope, for solutions like Darwine, that the virus risk would be somewhat lessened, as you’re running Windows applications, but not Windows itself. With the hypothetical Leopard version, however, it doesn’t look like that would apply, as the screenshots imply that Windows is running in the background (just like Mac OS 9 does for Classic now). It could even increase your Mac’s exposure to viruses if, as I suggest above, Windows applications reside on the same logical drive that your Mac applications do…which is why it won’t be done that way.

But there’s a much more important potential “down,” that I mentioned in detail in my previous post on the subject: That the ability to run Windows software on your Mac will serve as a serious disincentive for developers to write new software on the Mac. This was my biggest fear before, and is echoed by others, for instance this comment on MacRumors: “[Running Windows apps natively]= the end of native Mac development as we know it.”

I certainly understand why people might think so, but I no longer do. See, my Economics classes have finally started to have some effect in my brain, and I think the process will work itself out quite differently from the “Those Macies can just fire up Windows if they need to use our software. Ha ha ha (evil laugh)” scenario. In fact, given the insights from my Economics classes, I suspect it might be just the opposite: The ability to seamlessly run Windows apps on the Mac will attract millions (yes, millions) of new Mac users. This will increase the Mac’s market-, user-, and mind-share dramatically. These new converts from Windows will run their old Windows software, sure, but as time goes on, they will gradually migrate to Mac OS X applications (exactly as happened during the transition from OS 9 to OS X via Classic), because of the greater esthetic value, interoperability, compatibility and functionality of Mac software on the Mac platform vs. Windows software on the Mac platform. Besides (and this is really the killer point), it doesn’t matter if they migrate or not. Maybe they will all keep using the old software they’ve got until it’s so old that it’s useless. Still, when they go to buy new software, they will look for Mac software first. If they can’t find any at wherever they’re looking, sure, they’ll buy Windows software and use that. No big loss. The point is, though, that a developer that offers a Mac version of their software has an opportunity to make a sale that the developer of Windows-only software will miss out on. This will provide a powerful incentive for software developers to program for the Mac. No, this won’t cause every single Windows publisher to put out a Mac version. Not by a long shot. But, if Leopard does include native Windows support, and if that in fact causes a boom of Mac switcher sales, expect the amount of Mac software (and, possibly, even Mac-only software) to increase, not decrease.

Gavin Shearer of Microsoft has an interesting article with a similar perspective on this issue.


Update: June 17, 2013

The screenshots turned out to be fake, and Darwine never quite materialized, but Wine came to the Mac, and, more importantly, has been polished and published as Crossover. However, sadly, the seamless experience I envisioned has not yet come to pass. Crossover is an application that runs (many) Windows programs. While those programs run in their own windows and not in some Windows environment, compatibility is spotty, and Windows programs don’t even have their own Dock icons (though that is changing). As it turned out, the virtual machines—Parallels and Fusion—came to be the most seamless methods. While they are running a full copy of Windows in the background—and Crossover/Wine doesn’t—they can launch Windows apps in what Parallels calls “coherence mode” which works essentially the way Classic did: You don’t see Windows, only whatever program you’re running, with its own Dock icon and everything. The benefits of using Crossover (which is all I use to run Windows programs on my Mac) are twofold: It’s a lot cheaper ($40, with no need to buy a Windows license), and you’re not running Windows on your Mac, which greatly reduces the threat of viruses and is probably faster (I haven’t done any testing). But the price you pay is a lot of tweaking and troubleshooting to get the programs you want working properly—and sometimes they won’t work at all.

Wednesday, June 8, 2005

Macintel????

(updated below)

So Apple has decided to ditch IBM and ally with Intel. What's the world coming to? Has Hell frozen over? It's going to be a tough transition, regardless.

I'm not sure I have any new wisdom to add to what is said at the pages linked above, except to make a few minor points. (A lot of this is laid out very nicely in an (as usual) excellent Ars Technica article. Takeaway quote: “It's yet another little thing that Macs used to do, if not always better, then at least differently than Windows PCs. Macs are now slightly less special.”)

  • Forget running OS X on Non-Apple PCs. It's just not going to happen, folks. At least not in a sanctioned way. Despite what some people have said in the past, Apple is not an OS developer that happens to sell computers. Apple's bottom line is and always has been mostly CPU sales.
  • The idea of being able to run Windows natively on a Mac is a neat idea, but ultimately mostly useless. Presuming the technical difficulties (motherboard differences, hard drive format, etc.) are overcome, all you've gained is a little cash and a little desk space (and, admittedly, a prettier office) over just buying a PC. And you lose the advantage of being able to use both at once.
  • What excites me more is the prospect of a really good Windows emulator on my Mac. Since no processor emulation is necessary, Windows apps should positively hum, making buying a separate PC pretty much unnecessary, even, hopefully, for games. And if you just have to have the latest and greatest game and it won't run fast enough under emulation, well, that's when you fall back on the dual boot model mentioned above. This might just work out really nicely. Especially for PowerBooks. Imagine being able to haul around one machine and run any program, play any game…this might be fun.
  • Neat as all this is, this is still not the CHRP platform we were promised ’lo these many years ago. As I recall, CHRP was supposed to allow the running of multiple OS's simultaneously. But perhaps I'm misremembering. I do recall having great hopes for the CHRP platform, and am still sorry it died. Consistency has not exactly been Apple's strong suit. I could probably write a whole website devoted to promising technologies Apple has abandoned (oh, OpenDoc, I miss you so!).
  • I do have a couple of fears, however. As well as the Mac has been doing lately, I worry that Apple has been slowly watering down the distinctiveness of the Mac platform. For years now, Apple has been doing little things here and there to make the Mac more PC-like. You can trace it as far back as Apple changing floppy drive vendors so that the drive no longer sucked your disk out of your hand when you inserted it. OS X has several PC-like features in the interface, not least the requirement that all filenames have a damned TLE on the end. And now Macs will actually have Intel Inside. At what point will consumers decide that it's not worth paying a couple of hundred extra for a PC with a prettier case? It's been really nice (especially since the G5 was released) gloating to all my PC friends about how much faster, particularly megahertz for megahertz, Macs are than PCs. I don't like having my gloating turned back on me. Could this trend lead to the homogenization—nay, the commoditization—of the PC industry? The prospect doesn't frighten me as much as it once did. Admittedly almost entirely thanks to Apple, Microsoft seems to have released its first decent GUI OS ever—Windows XP Pro. I've used it (though not extensively), and it's not half bad. Not good enough, no, but it seems consumers are finally starting to demand something resembling elegance in their mainstream OS's. Add that to the downright cool-looking boxes companies like Alienware are putting out, and though I would still be crushed if Apple vanished or sold out, I would no longer see it as the end of the (computing) world.
  • My biggest fear, though, was summed up by phjones on MacFixIt [dead links]:
"Whilst I think Steve Jobs and the Apple crew would only act in the best interests of Mac users, I still have a knot in the pit of my stomach. From my point of view, the big question is whether Macintel machines will be able to run Windows at full speed. If they do, it's the beginning of the end for MacOS. At the moment, software producers have an incentive to produce MacOS-compatible software because it gives them access to a market that would be otherwise unavailable - admittedly some companies feel the market is too small but that's their decision. If Macintel machines are capable of running Windows, there will be absolutely no incentive for new companies to produce MacOS versions of their software: ‘Those Macies can just fire up Windows if they need to use our software. Ha ha ha (evil laugh).’ Inevitably, less new software will be written for MacOS and existing software will slowly drift away.

I hope this doesn't happen."

        So do I.

  • Lastly—there's something that has been bugging me for years. When the PowerPC processor first came out, basically the entire computer industry was saying that CISC technology was dead. Intel was going to be able to crank out maybe a generation or two more by cramming circuits a little tighter and running a little hotter, but eventually was going to be forced to switch to RISC like the PowerPC or die. This apparently didn't happen. Does anyone know what actually did happen? Let us know.


Update: June 17, 2013

Updated or added a few links, in particular changed the Ars Technica link back from archive.org to live—apparently they had taken it down, but have now put it back up. Sadly, they have removed the accompanying discussion forum (that was still up after the original article was first taken down); there was a lot of good stuff on there, and archive.org only has the first page. Also: Ausmac is dead? ☹

I have somewhat more to say on some of the issues raised in this post in Leopard=Windows? In particular, my understanding of Economics has matured.