Author Archives: mike

Use the Command Key to Rearrange and Remove Menu Bar Icons

Is your Mac’s menu bar overwhelmed with icons? They’re helpful little critters, but finding one can be difficult when you have too many and they’re in no particular order. The hidden trick to cleaning up your menu bar relies on the Command key.

  • Rearrange the menu bar icons in an order that makes sense to you by Command-dragging them around. You can’t move the Control Center icon or put anything to its right, but every other icon is movable.
  • Delete unnecessary Apple-provided status icons by holding down Command and dragging them off the menu bar. (To put one back, select the “Show icon-name status in menu bar” checkbox in its System Settings screen.) You can’t remove the clock, Control Center, or the Siri icon this way, though you can turn off Siri in System Settings > Siri & Spotlight. Command-dragging to delete doesn’t work for non-Apple apps; instead, look for a preference in the app itself.

(Featured image by iStock.com/Valentyna Yeltsova)

Changing Passwords Periodically Doesn’t Increase Security

Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven’t kept up with current recommendations that discourage such policies. If you’re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.

The rationale behind password expiration policies was that if an attacker were to steal a password database and crack some passwords, the cracked passwords would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but that users were allowed to set weak passwords that could be cracked. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute of Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.
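To make the “common transformations” concrete, here is an added example (not from the original article or from NIST) of a check a password-change form could run while it still holds both the old and new password in memory. The substitution map, thresholds, verdict labels, and sample history are assumptions chosen for illustration.

```python
import re

# Assumed, illustrative look-alike substitutions (not an exhaustive or standard list).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def skeleton(password: str) -> str:
    """Reduce a password to the core that users tend to keep between rotations."""
    # Drop leading/trailing runs of digits and punctuation (counters, years, "!").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.strip())
    # Ignore case and undo look-alike substitutions inside the core.
    core = core.casefold().translate(LEET)
    # Remove any separators left inside the core.
    return re.sub(r"[\W_]+", "", core)


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_verdict(old: str, new: str) -> str:
    """Classify how much a new password really differs from the previous one."""
    if old == new:
        return "identical"
    s_old, s_new = skeleton(old), skeleton(new)
    if not s_old or not s_new:
        # No alphabetic core (for example all digits): compare the raw strings.
        return "near-identical" if edit_distance(old, new) <= 2 else "distinct"
    if s_old == s_new:
        return "same-base"
    if min(len(s_old), len(s_new)) >= 6 and edit_distance(s_old, s_new) <= 1:
        return "near-identical"
    return "distinct"


def audit_history(history: list[str]) -> list[str]:
    """Verdict for each consecutive pair in a rotation history."""
    return [rotation_verdict(a, b) for a, b in zip(history, history[1:])]


# Constructed sample: three forced rotations, then a genuinely new passphrase.
SAMPLE_HISTORY = ["Summer2023!", "Summer2024!", "Summ3r2024#",
                  "gouda-purple-1989-New-York"]

if __name__ == "__main__":
    pairs = zip(SAMPLE_HISTORY, SAMPLE_HISTORY[1:])
    for (old, new), verdict in zip(pairs, audit_history(SAMPLE_HISTORY)):
        print(f"{old!r} -> {new!r}: {verdict}")
```

A "same-base" or "near-identical" verdict means the rotation changed little that a guesser who knew the old password would not try first.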

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

(Featured image based on an original by iStock.com/designer491)

Send Photos in Messages Faster with This Hidden Shortcut

On the iPhone and iPad, to send a photo to a Messages chat, tap the ⊕ button and then tap Photos in the list that appears to reveal the photo picker. That’s not difficult, but it requires an extra step you can avoid with this tip. If you’re running iOS 17 or iPadOS 17, instead of tapping the ⊕ button, touch and hold it for a second to bring up the photo picker immediately.

(Featured image based on an original by iStock.com/oatawa)

For the Best Mac Webcam, Use Your iPhone

The near-ubiquity of videoconferencing is a lasting effect of the pandemic. The ease of gathering a group virtually usually more than makes up for the downsides. Despite that, many people still appear in video calls with low-resolution, poorly lit video that makes the call less effective.

A better webcam is an easy way to improve your video, and the best readily available webcam may already be in your pocket. That’s because you can use your iPhone and its high-quality cameras as a wired or wireless Mac webcam, thanks to Apple’s Continuity Camera technology.

Your Apple gear likely meets the Continuity Camera system requirements. You need an iPhone XR or later (all iPhones introduced in 2018 or later) running at least iOS 16 and a Mac running macOS 13 Ventura or later. Both must be signed in to the same Apple ID.

You’ll want a mount that holds your iPhone in landscape orientation (horizontally) at the top of your Mac’s screen, with its rear cameras facing you. The first such mounts for laptops and desktops came from Belkin, but numerous manufacturers now sell inexpensive alternatives that have different industrial designs and support iPhones that can’t use MagSafe. Continuity Camera can drain your battery, so it’s worth plugging in a charger cable or getting a screen mount that also holds a MagSafe charger; look on Etsy for options, such as this one.

Although the samples above show the iPhone’s cameras in the upper-right corner, you can rotate the iPhone to position the cameras in the lower-left corner, which may put them more in line with your eyes and improve eye contact.

(Technically, you can put the iPhone anywhere—a tripod behind your screen would also work—and it doesn’t have to be in landscape orientation. However, apps detect the iPhone as a webcam automatically only when it’s in landscape orientation, and if it’s below or to the side of your screen, the video angle will likely be problematic. You can also take your iPhone off its mount and walk around with it as long as you stay in Bluetooth range of your Mac.)

When the iPhone is locked and in position, its camera and microphone become available to videoconferencing apps like FaceTime, Zoom, and Webex. Your app may start using the iPhone as a camera automatically, but if not, look for a menu or icon that lets you choose the desired camera. Similarly, you can use the iPhone’s mic as your audio input for the call, although the Mac’s built-in mic, AirPods, or other mic may offer equally good or better audio quality.

For the most part, the iPhone acts like a standard webcam. After you end the call, remove it from the mount to use it normally again. Should you need to check something on your iPhone during the call, you can remove it from the mount and either tap the Pause button or just unlock it—your video (and audio, if you’re using the iPhone as a mic too) will pause. To resume, lock and remount your iPhone. You may want to warn the other people on your call first in case something goes wrong and you get disconnected.

Receiving a phone call is a similar situation. Answering the call on the iPhone pauses the audio and video for the videoconference until you end the call, lock the iPhone, and mount it again. You may also be able to answer the call on the Mac, but that also pauses the audio and video, and you may need to choose the iPhone as your camera again afterward.

Ultimately, using your iPhone as a webcam is remarkably easy—Continuity Camera just works in our experience. The only tricky part is finding the screen mount and charger that work best with your Mac and usage patterns.

(Featured image by Belkin)

Apple Announces New MacBook Air Lineup with M3 Chip

In November 2023, Apple unveiled the M3 chip in new versions of the 24-inch iMac and MacBook Pro, causing speculation about when other Mac models would be updated to match. If you’ve been longing for a MacBook Air with an M3 chip, your wait is over. (And we expect Apple to update the Mac mini soon.)

Apple has now announced M3 versions of the 13-inch and 15-inch MacBook Air. For most Mac laptop users who don’t need the additional speed of the M3 Pro or M3 Max chips in the MacBook Pro lineup, these new MacBook Air models combine excellent performance with low prices. The 13-inch MacBook Air starts at $1,099, and the 15-inch model starts at $1,299.

Nothing has changed regarding size, weight, and industrial design, and nearly all the specs remain identical to the previous M2 MacBook Air models. There are three notable differences:

  • The M3 chip: Although the earlier M1 and M2 chips are no slouches, the M3 chip provides even better performance. Benchmarks suggest a 25% to 35% improvement over the M1, and Apple cites real-world examples where the M3 is 35% to 60% faster than the M1. Compared to the M2, the M3 is probably 10% to 20% faster.
  • Support for two external displays: Previously, the MacBook Air could drive only one external display. These new models, however, can drive one external display at up to 6K resolution and another at up to 5K resolution, as long as the lid is closed. (Apple says a software update will enable the same capability for the 14-inch M3 MacBook Pro.)
  • Wi-Fi 6E and Bluetooth 5.3 wireless connectivity: These upgrades aren’t exciting, but they bring the MacBook Air up to par with other recent Apple devices and industry standards. Both provide faster, more robust wireless connectivity, but only when used with other compatible gear.

Should you buy one of these new MacBook Air models? It all depends on what you use now:

  • Intel-based Mac laptop: In terms of performance, the M3 MacBook Air will blow the doors off any Intel-based Mac laptop, and we strongly encourage you to upgrade. The main area where the MacBook Air might disappoint is in the number of ports. It charges via MagSafe 3 and has two Thunderbolt/USB 4 ports, which are sufficient for an external display and a Time Machine backup drive, for instance. If you need more ports, a Thunderbolt hub is probably in your future.
  • M1 or M2 MacBook Air or MacBook Pro: Although the M3 chip is faster than the base-level M1 and M2, our experience is that most people with those Macs aren’t suffering from performance problems. So no, don’t upgrade. If you need more performance, a MacBook Pro with an M3 Pro or M3 Max chip makes more sense.
  • No laptop: For most students getting their first computer or someone who’s adding a laptop to complement a desktop Mac, the M3 MacBook Air models are extremely attractive. We recommend the higher-end MacBook Pro models only for those who anticipate doing processor-intensive audio, video, photo, or development work.

Finally, if you’re pinching pennies, you can still buy the 13-inch M2 MacBook Air starting at $999, and even if you customize it with more memory or storage, you’ll save $100.

You have four decisions to make once you’ve decided to buy a new M3 MacBook Air. We’re happy to consult on your specific situation, but here’s our general advice:

  • Memory: The base amount of memory on the M3 chip is 8 GB (it’s on the chip and can’t be upgraded later), but you can get versions that come with 16 GB or 24 GB. 8 GB is acceptable for casual use, but 16 GB is safer if you want to run a bunch of apps or may have more involved needs in the future. Get 24 GB only if you use memory-intensive apps.
  • Storage: The base level of storage is 256 GB, which isn’t much. We know many people with photo libraries larger than that. You can upgrade to 512 GB, 1 TB, or 2 TB.
  • Processor: The M3 comes in two versions. Both have 8 CPU cores, but one has only 8 GPU cores, whereas the other has 10 GPU cores. The 8/8 version is available only in the 13-inch MacBook Air and only if you don’t expand memory beyond 8 GB or storage beyond 256 GB. Get the low-end version only if you’re sure you don’t need more memory or storage.
  • Screen size: You must choose a 13.6-inch or 15.3-inch Liquid Retina screen. The 15-inch screen is undeniably larger and displays more content, but the overall Mac is about an inch (2.25–3.5 cm) larger in both dimensions, and it weighs 3.3 pounds (1.51 kg) compared to 2.7 pounds (1.24 kg) for the 13-inch model. This decision is purely personal preference, and we recommend checking out each one in person before buying.

For most Mac laptop users, the M3 MacBook Air models are compelling and well worth a look.

(Featured image by Apple)

Loose Lips Sink Chips: Beware What You Say to AI Chatbots

Generative AI chatbots like ChatGPT, Microsoft’s Bing/Copilot, and Google’s Gemini are the vanguard of a significant advance in computing. Among much else, they can be compelling tools for finding just the right word, drafting simple legal documents, starting awkward emails, and coding in unfamiliar languages. Much has been written about how AI chatbots “hallucinate,” making up plausible details that are completely wrong. That’s a real concern, but worries about privacy and confidentiality have gotten less attention.

To be sure, many conversations aren’t sensitive, such as asking for a recommendation of bands similar to The Guess Who or help writing an AppleScript. But increasingly, we’re hearing about people who’ve asked an AI chatbot to analyze or summarize some information and then pasted in the contents of an entire file. Plus, services like ChatPDF and features in Adobe Acrobat let you ask questions about a PDF you provide—it can be a good way to extract content from a lengthy document.

While potentially useful from a productivity standpoint, such situations provide a troubling opportunity to reveal personally sensitive data or confidential corporate information. We’re not talking hypothetically here: Samsung engineers inadvertently leaked confidential information while using ChatGPT to fix errors in their code. What might go wrong?

The most significant concern is that sensitive personal and business information might be used to train future versions of the large language models used by the chatbots. That information could then be regurgitated to other users in unpredictable contexts. People worry about this partly because early large language models were trained on text that was publicly accessible online but without the knowledge or permission of the authors of that text. As we all know, lots of stuff can unintentionally end up on the Internet.

Although the privacy policies for the best-known AI chatbots say the right things about how uploaded data won’t be used to train future versions, there’s no guarantee that companies will adhere to those policies. Even if they intend to, there’s room for error—conversation history could accidentally be added to a training model. Worse, because chatbot prompts aren’t simple database queries, there’s no easy way to determine if confidential information has made its way into a large language model.

More down to earth, because chatbots store conversation history (some let you turn off that feature), anything added to a conversation is in an uncontrolled environment where at least employees of the chatbot service could see it, and it could be shared with other partners. Such information could also be vulnerable should attackers compromise the service and steal data. These privacy considerations are the main reason to avoid sharing sensitive information with chatbots.

Adding emphasis to that recommendation is the fact that many companies operate under master services agreements that specify how client data must be handled. For instance, a marketing agency tasked with generating an ad campaign for a manufacturer’s new product should avoid using any details about the product in AI-based brainstorming or content generation. If those details were revealed in any way, the agency could be in violation of its contract with the manufacturer and be subject to significant legal and financial penalties.

In the end, although it may feel like you’re having a private conversation with an AI chatbot, don’t share anything you wouldn’t tell a stranger. As Samsung’s engineers discovered, loose lips sink chips.

(Featured image by iStock.com/Ilya Lukichev)

How to Avoid Head-Tracked Spatial Audio for FaceTime Audio Calls

If you listen to a FaceTime Audio call using AirPods and hear the other person’s voice moving annoyingly from side to side as you turn your head, the problem is likely head-tracked spatial audio. In general, spatial audio attempts to make sounds seem to come from all around you, and its dynamic head-tracking option adjusts the audio for each ear to simulate how the sound would change as your head moves. Dynamic head tracking may be desirable for music or movies, but with a FaceTime Audio call, having the other person flip back and forth between your ears can be highly disconcerting. To stop this behavior on an iPhone or iPad, open Control Center, touch and hold the volume control, and tap either Off or Fixed instead of Head Tracked. Spatial audio isn’t an option on Mac FaceTime calls.

(Featured image by iStock.com/1550539)

Too Many Windows Open? Close Them All Quickly with These Tricks

Have you ever selected a bunch of files and accidentally opened them all by double-clicking one? Or perhaps inadvertently pressed Command-I to get info, ending up with oodles of open Info windows? Here’s a quick way to recover. You can close all the windows in any well-written app with judicious use of the Option key. Press it while clicking the File menu and Close Window becomes Close All Windows. Command-W closes one window; Command-Option-W closes all of that app’s windows. If you’re a mouse person, Option-click the red close button in any window to close all the rest.

(Featured image based on an original by iStock.com/ANGHI)

Use iOS 17.3’s Stolen Device Protection to Reduce Harm from iPhone Passcode Thefts

Last year, a series of articles by Wall Street Journal reporters Joanna Stern and Nicole Nguyen highlighted a troubling form of crime targeting iPhone users. A thief would discover the victim’s iPhone passcode, swipe the iPhone, and run. With just the passcode, the thief could quickly change the victim’s Apple ID password, lock them out of their iCloud account, and use apps and data on the iPhone to steal money, buy things, and wreak digital havoc.

In essence, Apple allowed the passcode, which could be determined by shoulder surfing, surreptitious filming, or social engineering, to be too powerful, and criminals took advantage of the vulnerability. It’s best to use Face ID or Touch ID, especially in public, but some people continue to rely solely on the passcode.

Apple has now addressed the problem for iPhone users with the new Stolen Device Protection feature in iOS 17.3. It protects critical security and financial actions by requiring biometric authentication—Face ID or Touch ID—when you’re not in a familiar location like home or work. The most critical actions also trigger an hour-long security delay before a second biometric authentication. We recommend everyone who uses Face ID and Touch ID turn on Stolen Device Protection. The feature is not available for the iPad or Mac, but neither is as likely to be used in places like the crowded bars where many iPhones have been snatched.

How Stolen Device Protection Works

The location aspect of Stolen Device Protection is key. When you’re in a “significant location,” a place your iPhone has determined you frequent, you can do everything related to security and financial details just as you have been able to in the past, including using the passcode as an alternative or fallback.

However, when you’re in an unfamiliar location, as you would likely be if you were out in public where someone might steal your iPhone, Stolen Device Protection requires biometric authentication to:

  • Use passwords or passkeys saved in Keychain
  • Use payment methods saved in Safari (autofill)
  • Turn off Lost Mode
  • Erase all content and settings
  • Apply for a new Apple Card
  • View an Apple Card virtual card number
  • Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
  • Use your iPhone to set up a new device (for example, Quick Start)

Some actions have even more serious consequences, so for them, Stolen Device Protection requires biometric authentication, an hour-long security delay—shown with a countdown timer—and then a second biometric authentication. The delay reduces the chances of an attacker forcing you to authenticate with the threat of violence. You’ll need to go through the double authentication plus delay when you want to:

  • Change your Apple ID password (Apple notes this may prevent the location of your devices from appearing on iCloud.com for a while)
  • Sign out of your Apple ID
  • Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
  • Add or remove Face ID or Touch ID
  • Change your iPhone passcode
  • Reset All Settings
  • Turn off Find My
  • Turn off Stolen Device Protection

There are a few caveats to keep in mind:

  • The iPhone passcode still works for purchases made with Apple Pay, so a thief could steal your passcode and iPhone and buy things.
  • Although Apple says it’s required, you can turn off Significant Locations to require the extra biometric authentication and security delay everywhere. That would eliminate the worry about a thief using Significant Locations to go to your most recent familiar spot in an attempt to sidestep the extra authentication.
  • If you plan to sell, give away, or trade in your iPhone, make sure to turn off Stolen Device Protection first. Once it’s out of your physical control, no one else will be able to reset it.

Turn On Stolen Device Protection

Before you get started, note that Apple says you must be using two-factor authentication for your Apple ID (everyone should be anyway), have a passcode set up for your iPhone (ditto), turn on Face ID or Touch ID, enable Find My, and turn on Significant Locations (Settings > Privacy & Security > Location Services > System Services > Significant Locations), although this last one doesn’t actually seem to be required.

Then, go to Settings > Face ID/Touch ID & Passcode, enter your passcode, and tap Turn On Protection. (If it’s enabled, tap Turn Off Protection to remove its additional safeguards.)

Once Stolen Device Protection is on and you’re in an unfamiliar location, the actions listed above will require either biometric authentication or two biometric authentications separated by the hour-long security delay.

There is one group of people who should not turn on Stolen Device Protection: those for whom Face ID or Touch ID doesn’t work. Most people have no trouble with Apple’s biometric technologies, but some people have worn off their fingerprints or have other physical features that confuse Touch ID or, less commonly, Face ID.

If that’s you, stick with our general recommendation for discouraging possible iPhone thefts: Never enter your iPhone passcode in public where it could be observed.

(Featured image by iStock.com/AntonioGuillem)

After “Mother of All Breaches,” Update Passwords on Compromised Sites

January’s big security news was the Mother of All Breaches, the release of a massive database containing 26 billion records built from previous breaches across numerous websites, including Adobe, Dropbox, LinkedIn, and Twitter. It’s unclear how much of the leaked data is new, but it’s a good reminder to update your passwords for accounts on compromised sites, especially those you reused on another site. Cybernews has a leak checker that reports which breached sites include your data. More generally, password managers often have a feature that checks your passwords against the Have I Been Pwned database of breaches and helps you change compromised passwords—1Password’s is called Watchtower. You can also search Have I Been Pwned directly. Don’t panic if your email address appears in numerous breaches because some of the theoretically compromised accounts may be defunct sites, trivial sites you used once 10 years ago, or duplicate password manager entries for a site whose password you already updated.

(Featured image by iStock.com/Prae_Studio)