Detailed Information about Society And Culture, Sports and More

iLife ’09 hit retail shelves this past week, bringing with it perhaps one of the most anticipated additions to the suite of digital lifestyle apps—the Faces feature in iPhoto ’09.

As outlined by Apple at this month’s Macworld Expo, Faces incorporates face-detection and -recognition technology to allow iPhoto to identify faces in your photos, matching them with other faces throughout your photo library. You can read more about Faces in our preview of iPhoto ’09.

Of course, now we’ve had the chance to spend some quality time with iPhoto ’09, allowing us to answer some of the more burning questions we’ve been hearing about Faces: How does it perform? Will it recognize people—kids, say—as they age? And what about pets? Several Macworld editors have spent the week playing around with iPhoto; here are their initial impressions of the Faces feature.

How it works

When you first click on the Faces item in the iPhoto sidebar, iPhoto automatically analyzes all your photos. How long this process takes depends mainly on how many photos you have. If you’ve got several thousand photos, be prepared to wait quite a while. Jackie Dove reported that iPhoto took about eight minutes to scan 1,373 photos, for example. iPhoto estimates how long the process will take; in our testing, that estimate was pretty close to accurate.

Once you’re up and running, Faces will automatically scan any new photos you import and if it recognizes the faces, will automatically tag them properly.

After iPhoto finishes its facial analysis, you have to tell the application who is who. Select a photo and then click on the Name button at the bottom of the window. Boxes will appear around each face iPhoto has detected, along with a “name tag” below the photo—at this point, all photos will be labeled “unknown face.” Click on the “unknown face” text for a photo and enter the person’s name. In the background iPhoto will immediately try to find other photos containing the same person, and an entry for that person will appear in the Faces view.

If there are multiple people in a photo, you can identify them all at once. If iPhoto doesn’t automatically recognize a face, you can manually add a face box by clicking on the Add Missing Face button, positioning the box that appears over that face, and typing the person’s name. (You can also manually remove an automatically-generated face box—for example, for someone you don’t know or don’t plan on using with the Face feature—by clicking on the box and then clicking on the X in the upper-left corner of that box.) Once you’re done naming faces, click on the Done button to finish.

The Name view is also very easily navigated via the keyboard: you can press tab to move between faces and to confirm identities Faces isn’t sure about. When a particular face is selected, you can press return to begin typing the name of the person you’re identifying. By using the tab and return keys, along with the arrow keys, you can quickly tag a lot of faces in a lot of photos.

Faces will do its thing with just a single instance of each person, but the more examples of a person you label, the better iPhoto’s facial recognition feature will be—the more photos it will be able to find containing that person, and the more accurate its guesses will be. For example, after Dan Frakes named just a few photos of his wife, Faces found only 20 or so photos of her out of several hundred; once he manually labeled 30, faces found well over 100.

Once you’ve started naming people, the Faces view in iPhoto shows a tile—which looks like an old Polaroid snapshot—for each person. (Apple actually calls the Faces view the “corkboard,” because it looks a bit like a bulletin board with snapshots tacked to it.) Moving your mouse cursor over one of these tiles flips through all the photos it contains, similar to how you can quickly scan the photos in an iPhoto Event. Double-click a person’s tile to view all photos containing that person. (In this case, “all” means all those images you have manually labeled as well as all those iPhoto thinks contain that person.) View buttons at the bottom of the window let you toggle between viewing each photo in its entirety or zooming in on just the selected person. If you’ve got videos in your iPhoto library—for example, movies you’ve taken with your digital camera—Faces will even try to identify movies that include the person.

When you double-click a person’s tile, the ensuing view also displays, at the bottom of the list of photos, a section of images iPhoto suspects may include that person but that haven’t yet been confirmed. Click on Confirm Name and the view changes to display a zoomed-in view the selected person—or what iPhoto thinks is that person—for each photo, along with the label Click To Confirm. Click once on an image to confirm that it does, indeed, contain the selected person; click twice if it does not. When you’re done confirming and rejecting photos, click on Done.

Here’s a tip: Once you click on Done, go back and view the person’s Faces view again, as there’s a good chance that confirming and rejecting iPhoto’s previous guesses will have caused it to find more matches for that person.

The Faces training system could be a bit more straightforward, and it’s not as automatic as you’d expect. For example, we were hoping for some sort of batch-training mode, but you have to spend quite a bit of time manually confirming or rejecting each suspected match. You need to enter a collection of a person’s photos to get iPhoto started, then click Confirm Name and hope that there are some good candidate photos for you to train. (It’d be nice if the naming mode was the default for unconfirmed photos.) And, as mentioned above, once you’ve done a single training pass, you may discover more photos are available for training, so you can take another pass. Faces would benefit from an initial step-by-step training system to seed your library with a solid amount of data.

Here’s a little shortcut: Click and drag to confirm a whole group of photos; option-click and drag to dismiss a whole group of photos. You can also drag a photo above the dividing line between confirmed and unconfirmed photos to accept it. It would be nice if there were a way to just select the ones that aren’t the person in question and then confirm the rest without having to click on them all. We also wish that, when iPhoto comes up with a wrong suggestion, you could tell iPhoto who that person really is while in Confirmation mode, rather than simply marking them as “not [somebody].” But it doesn’t appear that there’s a way to do this.

When recognition fails

If you think Faces will automatically recognize everyone in your iPhoto library, you might want to recalibrate your expectations. It does learn and grow, but there’s still a lot of manual tagging involved, too. Of course, in many photos people are not looking directly at the camera—Faces needs to learn about faces from different angles before it can recognize a particular person at a particular angle. In several photos we tested in which people were looking straight at the camera, Faces detected no faces at all, requiring us to place a box over the person’s face and then name that person. (And Faces’ box control is a little weird—when you grab an edge and resize it, the entire box resizes, not just the corner you’re grabbing. So the right process is to place the face in the center of the box, then shrink to fit.) This manual-selection process also requires quite a bit of mousing around.

All our recognition stories were similar. Jackie Dove reported Faces recognizing pictures of her as far back as 10 years ago. But other photos were completely unrecognized. Jason Snell found that Faces recognized his daughter even with half of the photos in a sample library dating from her first year and the other half dating from her at age 7. By lumping both the baby and the second-grader under the name, Faces figured out that the two very different faces were part of the same person.

Kelly Turner was impressed with the range of faces iPhoto found, including in low resolution images, images with terrible color casts, underexposed images that are very dark, and slightly obscured faces. In only a few cases has it detected a face where there wasn’t one. And at least in initial training, face recognition was definitely a bit wacky. While trying to detect Kelly’s face, iPhoto repeatedly came up with an ex-boyfriend, lots of relatives (which makes sense), friends who look very different from her (including a very dark-skinned Jamaican friend) and Neve Campbell (a face it had detected in a poster on the wall behind one photo!). Kelly is actually flattered at that last one.

Dan Frakes was both impressed and disappointed by the extremes of success and failure he experienced with Faces. On the one hand, like Jason, he found that Faces correctly identified a wide range of pictures of his older daughter during her baby and toddler years—a period in which her face changed dramatically. And Faces successfully identified a good number of faces in out-of-focus pictures. On the other hand, Faces seemed to think every blonde-haired female in his photo library was the same person, even ones 30 years apart in age, and Faces occasionally “finds” faces in flowers, bottles, and other inanimate objects. On numerous occasions, Faces suggested pictures of a man as matches for a woman, and vice versa. (We’re talking men with short, brown hair for women with long, blonde hair.) And we all got a kick out of iPhoto suggesting that happy faces on toys in photos of his kids were matches for 40-year-old men.

And sorry, animal lovers—Faces didn’t work very well with pets in our tests. (Though others have reported mixed results.)

Limited access

Despite Faces’ new role as a marquee addition to iPhoto, the feature is largely sequestered in the Faces interface itself. Face information doesn’t seem to appear outside of the individual boxes overlayed on a photo. You can view keywords below all photos in the Photos view, but apparently not faces.

However, you can create Smart Albums that are targeted on a particular face or faces, by using the “Name is” rule.

Those who try to gain access to Faces data via AppleScript are also likely to be disappointed. We couldn’t figure out any way to extract face information from iPhoto via script.

Apple’s Safari, released for the Windows platform in June 2007, is the second newest browser on Windows, behind Google’s Chrome. (Naturally, Apple’s browser also runs on OS X, and on iPhone and iPod Touch devices in a mobile edition.) Safari leads the pack in anti-phishing filtering and pop-up blocking, but it also has many security weaknesses.

Safari can be freely downloaded from Apple’s Web site, and it is offered as a default option through Apple’s Software Update program, which is installed with other Apple software, including iTunes and QuickTime. Although the default Safari install is easy for end-users to unselect from Software Update, many critics assail Apple for installing potentially unwanted software during a process they believe should be used exclusively for patches and upgrades. Other observers counter that Apple’s automatically pushing an opt-out product is a perfectly legitimate way to offer a free browser alternative.

[ See also the security reviews of Firefox, Internet Explorer, Google Chrome, and Opera. For more on browser security and protection against Web-borne threats, see the Security Adviser blog and "Test Center: Browser security tools versus the evil Web." ]

The Safari installer also installs a service called Bonjour, which allows Apple programs to advertise themselves and discover other Bonjour-compatible programs on the local network. Bonjour is used to automatically configure printers, hunt for file sharing opportunities, and find instant messaging peers, and it allows Safari to discover additional Web pages on the local network. In general, most security experts are wary of auto-discovery programs like Bonjour, and Bonjour itself has been involved in at least three known exploits. Bonjour is not essential to Safari’s functionality and can be disabled.

Windows Safari
The Safari executable is not User Account Control (UAC)-aware on Windows Vista computers, but Vista automatically elevates permissions for the install because the word “setup” is in the name; this could pose a problem if Vista’s heuristics detection functionality is disabled. On Windows Vista, Safari runs as a single process (Safari.exe) with DEP (Data Execution Prevention) disabled, a security negative shared only by Opera; ASLR (Address Space Layout Randomization) enabled; and file system and registry virtualization enabled, all with a MIC (Mandatory Integrity Control) level of Medium. In comparison, the rendering processes of both Internet Explorer and Google Chrome run with the more secure MIC setting of Low. Apple’s Software Update checks for Safari patches once a week using a Task Scheduler job.

Safari is a full-featured browser, with common security features, including pop-up blocking, private session browsing, and an anti-phishing filter. The pop-up blocking is among the best, and the anti-phishing filter is the most accurate among the browsers I tested (Internet Explorer, Firefox, Google Chrome, and Opera). Java, JavaScript, and plug-ins can be turned off on a global basis. As with most other browsers apart from IE, Safari provides no security zones in which to place Web sites of varying degrees of trustworthiness, or to enable or disable functionality on a per-site basis.

Safari always automatically prompts for approval before downloading files, and in doing so, it prevents some high-risk files from being executed before downloading. Safari also has good default cookie control. It is the only browser among those I tested to prevent all third-party cookie writes by default, which is a nice privacy bonus.

On Mac OS X systems, Safari’s passwords are protected by Apple’s Keychain password management system. But even on Windows, Safari’s locally stored passwords are well protected. As in Internet Explorer, stored Web site passwords are never displayed. However, Safari takes last place in remote password handling, passing only 2 of 21 tests on the Password Manager Evaluator Web site.

Settings and ciphers
An optional menu called Develop (which replaces the previous Debug menu option) can be added to the menu bar to speed up Web page development testing, but it also has significant global security impacts. The Develop menu allows the user to quickly open a current Web page in another installed Web browser or to change User Agent strings on the fly (to see how the change affects Web page rendering). Installed plug-ins can be viewed — but not managed — via an option under Safari’s Help menu.

You can also disable local caching of downloaded content, thereby forcing all content to be re-downloaded when revisiting a Web page; disable images; disable CSS (which have been involved in more than a few exploits); and globally disable JavaScript. Disabling JavaScript prevents many malicious Web sites from functioning, but it’s no panacea. Even with JavaScript disabled, one of the most obnoxious malicious Web sites I tried still managed to kick-start more than 40 instances of Safari in a few seconds, resulting in a de facto DoS attack on the test machine.

Safari is weaker than its competitors in several areas regarding digital certificates and SSL/TLS (Secure Sockets Layer/Transport Layer Security) traffic. Initially, in SSL/TLS negotiations, TLS with RSA and weak 128-bit RC4 keys are offered first and second in the cipher order. Worse, ECC (Elliptical Curve Cryptography), AES (Advanced Encryption Standard), and 256-bit keys are never offered as potential cipher choices; further, MD5 is offered first and more frequently than SHA-1, when it should be the other way around. It would seem that Apple hasn’t been paying attention to crypto developments over the last few years.

Safari does warn of invalid digital certificates, but it isn’t nearly as “in your face” as the other top browsers. It warns only once with a small pop-up message, whereas competitors alter the entire Web page with red or multicolored warnings. Come to think of it, maybe Safari has it right: better to display one warning than many for a single problem. But then Safari, unlike all its competitors, fails to point out Extended Validation (EV) certificates or, as Internet Explorer and IE do, to highlight the true domain name, making it more difficult to tell phishing sites from the real thing.

Hunting and phishing
Safari passed all of my browser and JavaScript security exams, negotiating my predefined lab trials, test suites on the Internet (including scanit and Jason’s Toolbox), and real-world exposure to known-malicious Web sites without allowing any malware to be automatically installed (Safari’s competitors fared just as well). The most malicious DoS Web site locked up Safari and the host machine, just as it did the other browsers, but Safari succumbed more quickly than the rest. Safari also fails to stop malicious URL moniker launches, used by attackers to automatically start helper applications they hope to exploit.

When Safari was first released, Apple touted the new browser as a secure alternative to Internet Explorer. As with all Internet Explorer alternatives, Safari’s lack of native support for ActiveX controls does provide users with some protection. Safari’s strong anti-phishing filters are also a plus.

But security is not Safari’s strong point. Unfortunately, 26 separate vulnerabilities have been announced since March 2008, one-third of which would allow complete system access. Plus, there simply isn’t a lot of security granularity to Safari. Security-minded users will have to decide if Safari’s poor cipher support, lack of security zones, and absence of enterprise features for mass deployment and control can be overcome by its aesthetic benefits.

Google Chrome was built from the ground up to be a more secure Web browser, and Google and its Chromium developers should be applauded for the attention they have brought to browser security. Google deserves much credit for the wealth of security information posted on the Internet and on the Google Chrome blog, and for making Chrome’s source code available for anyone to examine.

The security model Chrome follows is excellent. Chrome separates the main browser program, called the browser kernel, from the rendering processes, which are based upon the open source WebKit engine, also used by Apple’s Safari. The browser kernel starts with all privileges removed, the null SID (a security identifier in Windows Vista that denotes the user as untrusted), and multiple “restrict” and “deny” SIDs enabled. On Windows Vista, Chrome runs as a medium-integrity process.

[Tomorrow: "How secure is Mozilla Firefox?" For more on browser security and protection against Web-borne threats, see Security Adviser and "Test Center: Browser security tools versus the evil Web." ]

Every Web site is given its own separate rendering process, memory space, global data structures, access token, tab, URL bar, desktop, and so forth. Currently, Chrome will open as many as 20 separate processes, one for each Web site, and start sharing processes between Web sites after that. Rendering processes are highly restricted as to what they can and can’t do. On Windows Vista, Chrome’s rendering processes run with low integrity, much like Internet Explorer in Protected Mode. But Chrome actually uses Vista’s mandatory integrity controls more securely than Microsoft does. For one, Chrome attempts to prevent low-integrity browser processes from reading high-integrity resources, which is not normally prevented. (By default, Vista prevents lower to higher modifications, but not reads.)

Both the browser kernel and rendering processes run with DEP (Data Execution Prevention) and ASLR (Address Space Layout Representation) enabled, and with virtualization disabled. Any supplementary browser add-ons are run in a separate, medium-integrity (or higher-integrity) process. This screen image shows the various browser processes and their security settings, as enumerated by Process Explorer on Windows Vista. Chrome even has its own Task Manager and internal page to show memory and CPU statistics. With respect to the base security model, Chrome is leading the pack. It’s beautiful.

Interesting innovations
A slightly questionable choice is Google’s decision to allow Chrome to be installed without requiring Administrator-level access. This can make Chrome installs difficult to manage in an enterprise environment, but Microsoft is encouraging this sort of behavior in all vendors (to prevent Windows system modifications). Chrome is just one of the first major apps to follow Microsoft’s advice.

Chrome also installs the Googleupdate.exe application, scheduled to run automatically in Windows Vista Task Scheduler, which frequently dials home (although only when the user is logged on and the computer is idle) and checks for browser (and other Google application) updates, and silently installs them. This is a great way to keep the browser up to date (patches are currently applied more frequently than once a week), but it riles many security administrators because there is no notification of the outward-bound search, no notification of pending patches, and no approval requested for patches to be applied; plus, this behavior cannot be easily changed.

Another interesting concept is Chrome’s virtual JavaScript machine, called V8. Google’s Chromium team built its own virtual environment for all JavaScript execution. V8 even converts JavaScript code into native machine language (to speed up Web-page loading) and has its own memory garbage-collection processes, source-code inspector, and debugger. V8 significantly limits what can be accomplished by JavaScript against the user’s system, including preventing the normal JavaScript pop-ups. In testing, Chrome did pretty well against pop-up ads but suffered from UI problems and slowness on some of the JavaScript modal tests.

Chrome has many standard security features, including a browser-session privacy mode (called Incognito); anti-phishing capability (called Google Chrome’s Safe Browsing); one-button setting resets; forced file saves before launching; moniker handling (which helps thwart attempts to fool the browser into launching helper applications that can be exploited); and MIME content-type sniffing (which helps thwart attempts to fool the browser into downloading malicious content). Chrome actually has many more security features that I could go on about; so far, so good.

Questionable controls
But then reality hits hard. One of the most glaring lapses is the inability to disable JavaScript. Because JavaScript is involved with most malicious Web attacks, all of Google’s competitors allow its use to be disabled globally, or per site or per zone (albeit Firefox requires a third-party add-on, NoScript, to be site-specific). The world has yet to create a virtual machine that was not able to be breached, so despite all the cleverness that went into V8, I cannot understand how Google committed such an oversight, even if the company is trying to promote JavaScript-enriched applications and sites. If a large JavaScript exploit happens against Chrome — or rather, when it happens — the only recommendation Google will be able to offer, it seems, is to stop using it.

Most user-selectable security settings are under an option tab called Under the Hood. It’s when you first go here that you realize how little Chrome offers in the way of fine-grained security settings. The options are very sparse and often lack a secure default. For example, all cookie types (both first- and third-party) are allowed by default. This isn’t surprising for a company that makes its living from ads. But even the third-party-cookie restricted mode allows the reading of any third-party cookie, which is almost as bad as allowing modifications. In another example of a poor default, HTTP data is allowed to commingle with HTTPS data in the same view, without warning to the user.

Another critical security feature that’s missing is the ability to place different Web sites into separate security zones or domains. Most browsers provide at least two zones (Internet Explorer has five) or the binary ability to whitelist or blacklist sites. Chrome is also glaringly absent of enterprise management features. SSL/TLS (Secure Sockets Layer/Transport Layer Security) server revocation checking is enabled by default, but Chrome does not support the more efficient OCSP (Online Certificate Status Protocol) revocation-checking protocol, though all of its competitors do.

Google has also washed its hands of responsibility for the security of add-ons. Reviewers are very mixed on this approach. While it is true that browser vendors should not be ultimately held responsible for others’ add-ons and applications, Chrome offers no add-on management. You cannot easily determine which add-ons will render particular content, nor easily disable them.

Many users are perturbed by the treatment of their own saved passwords. Chrome allows the current user to reveal the saved log-on names and passwords in plaintext with a few clicks of the mouse. This is convenient for the user — and for anyone else who wants to learn all of the user’s passwords and finds the computer left unattended for a few seconds. Internet Explorer doesn’t allow this at all, and Firefox and Opera at least have the ability to assign another password to protect the saved passwords. On the Password Manager Evaluator testing Web site, Chrome scored the worst among all of the browsers I’ve tested (including Firefox, Internet Explorer, Opera, and Safari), passing only 4 of 21 tests.

Bugaboos
Chrome has a very limited feature set and relatively moderate complexity. This might help it avoid some security issues in the long run, but so far it hasn’t. Chrome has had 10 exploits in the five months it has been released (you can search on keyword Chrome at milw0rm.com to see the individual exploits). They have been patched. Most were simple denial-of-service exploits, but at least one allowed complete system compromise and another allowed malicious redirection.

On a good note, Chrome passed all of the browser security tests I threw at it and prevented the automatic installation of any malware. These tests included dozens of predefined tests made in the lab, several browser-security tests on the Web (including scanit and Jason’s Toolbox). I sniffed traffic looking for information leaks, tested the browser’s handling of XSS (cross-site scripting), tested privacy features, confirmed digital certificate handling, and surfed to more than one hundred malicious Web sites. With less than 2 percent market share, Chrome isn’t yet the popular target of hackers. That gives its users additional insulation compared with its competitors.

One key feature simply doesn’t work as promised. Google repeatedly makes the claim that Chrome’s rendering-process isolation prevents one browser session from bringing down another or affecting the whole browser. Yet, vulnerability after vulnerability has proven that Chrome’s process separation isn’t nearly as perfect as it sounds on paper. Malicious Web pages of all kinds have caused DoS problems, lockups, and complete system failure. I and every other Chrome user I know have experienced complete browser lockups while browsing ordinary, legitimate Web pages.

Far more indicative of systematic problems is that the initial vulnerabilities found in Chrome were very simple, well-known exploits. Initially, Google shipped its beta with a known vulnerable version of the WebKit engine, for which a patch had been issued months before. I realize it was only beta code, but how embarrassing. The buffer overflow attacks that were soon discovered were often simple string overflows, a vulnerability that any normal security code review or fuzzing tool should have found. Most of the other vulnerabilities were flaws that had been widely reported in other browsers and should not have been present in Google’s first try. Google should have known better.

This is the security paradox of Chrome. It begins with a beautiful idea and an excellent security model but then compromises the vision with questionable decisions, a dearth of granular security controls, and the obvious failure to perform a serious code review. This may be Google’s first version of its first browser, but it has more experience with browsers and malicious content than any of its competitors. Why introduce yet another new Web browser and not blow away the competition?

Chrome’s excellent security model and newness give it a chance to quickly improve in areas where other vendors must tread more slowly because of backward-compatibility issues. The real challenge is that the bigger flaws are human- and process-oriented, and cannot be solved with fast patching. They are systematic and will require a serious paradigm shift within Google to achieve.

Nintendo sold 10.17 million Wii consoles in the United States in 2008, setting a new video game record despite dismal economic conditions gripping the country, according to NPD Group statistics.

Nintendo’s DS handheld game devices sold nearly as well, with US consumers snatching up 9.95 million of them last year, the NPD figures released Thursday indicate.

“There is no longer a question that if you offer consumers an expanded definition of what a video game can be, and deliver that idea with quality and affordability in mind, millions of new people will start playing video games,” said Nintendo of America executive vice president of sales and marketing Cammie Dunaway.

“Concepts like ‘Wii Fit,’ ‘Guitar Hero,’ and ‘Rock Band‘ never would have seemed feasible just a few years ago, and now they’re driving growth for our the entire industry.”

NPD reported that 55 percent of new-generation video game consoles sold in the United States last year were Wii devices, known for motion-sensing controllers and family-style play.

The four top-selling video games last year are Wii titles, and Nintendo’s retail success is credited with helping video game industry revenues in 2008 rise 19 percent from the previous year.