Sunday, December 12, 2010

Techradar


In Depth: How to get secret service grade security

Posted: 12 Dec 2010 12:00 AM PST

You could be forgiven for thinking that spying is all about midnight parachute drops, Aston Martins and vodka martinis – shaken, not stirred. However, when you strip away all the fiction, spying can be reduced to one word: information.

Espionage is all about acquiring information, keeping it safe and transferring it securely. This makes spies and spying a valuable learning ground for anybody who takes PC and internet security seriously.

In this age of high-speed broadband and information overload, you might expect setting up a secure communications channel to be easy. You'd be wrong. Just look at the Russian agents – coyly dubbed 'illegals' by the FBI – who were unmasked in America this summer.

They all had rock-solid cover stories, wads of cash at their disposal and access to cutting-edge spy technology, yet they were unable to keep their messages safe from American counter-espionage teams. We can all become safer surfers by understanding the techniques and, more importantly, the errors made by real life spies.

Ciphers, for example, have been the mainstay of espionage for centuries. A cipher makes information useless unless you know how it works.

When in Rome

Julius Caesar is often cited as the first to use a mathematically-based system of obfuscation. His cipher system was simple: each letter in the alphabet was shifted forward a fixed number of places. A Caesar shift of three would turn 'A' into 'D' and 'PC Plus magazine' into 'SF SOXV PDJDCLQH'.

Even in Caesar's day, such a cipher probably wouldn't fox many people for long. Such shifts can now be solved in the blink of an eye, but that doesn't mean ciphers should be discounted. Indeed, modern ciphers have evolved to a point where they would take so long to solve that it's not practical to break them.

Practically speaking, we should all use ciphers to encrypt sensitive data. A good choice for field agents is the free, open source TrueCrypt for Windows and Linux machines. This package uses some of the strongest freely available encryption algorithms, such as AES-256, the 448-bit Blowfish, CAST5 and Triple DES.

To give you an idea of its resilience, hard drives protected by TrueCrypt and belonging to jailed Brazilian banker Daniel Dantas were handed to the FBI for decryption in 2009. After four months of subjecting the software to intense attacks, the FBI gave up and returned the drives.

TrueCrypt isn't just useful for creating a virtual encrypted disc on your computer; it can also protect portable drives. This makes it ideal for 'brush passes' – a way of quickly handing over information as one spy walks past another in a public place. The process used to involve microfilm, but now a high-capacity USB key is the preferred medium – possibly why the FBI also calls brush passes 'flash meetings'.

A TrueCrypt USB drive has several layers of security. When set up properly, a TrueCrypt partition appears to consist of random data. Even if someone forces you to reveal the password (damn Jack Bauer and his rusty pliers!), you can create a partition to include a further hidden volume, or even an entire hidden operating system, containing sensitive information.

Take care when encrypting your files though, warns Steven Bellovin, Professor of Computer Science at Columbia University in New York. "Commercial cryptography software is so difficult to use that even experts find it challenging," he says. "Even really sophisticated people can get some subtle things wrong, and newcomers are likely to get a lot more wrong." Such as leaving the password for your encryption system written on a piece of paper at home for the FBI to discover, as demonstrated by clumsy illegal Richard Murphy.

Wireless networks

Even brief physical interaction has risks. If either spy is under surveillance, they risk exposing more of their network. A 21st century twist on the brush pass, then, is the wireless flash meet.

In New York, Anna Chapman, one of the Russian illegals, would hang out at a cafe or book shop with a laptop and create an ad-hoc Wi-Fi network: a private hotspot that requires neither a router nor an internet connection. A Russian government official carrying a smartphone would then approach the vicinity, join the network and exchange data as zip files. The spy handler never entered the building, and once completed the meeting while driving past in a minivan.

Wireless networks have their own problems, though. All wireless devices have a unique registration number, or Media Access Control (MAC) address, which is broadcast during a Wi-Fi data transfer. In the case of Anna Chapman, US law enforcement agents were able to divine her laptop's MAC address. This enabled them to draw up a charge sheet showing that she'd visited certain places and joined ad-hoc networks, and to sniff packets sent from her laptop in busy public network areas such as coffee shops.

If you're paranoid, you could change your network adaptor's MAC address. The 12-digit hexadecimal code is sometimes stored in an EPROM, which can be altered. Poke around the internet and you'll also find programs that enable you to spoof MAC addresses.

What can we learn from all this? Never, under any circumstances, send anything of importance over a public network. There are too many points of failure: the passage of data between your laptop and the network's access point, the access point itself, and the traffic between the access point and the internet.

So Wi-Fi is iffy – what about the phone? Sadly, no self-respecting spy should consider it. In the UK, the Regulation of Investigatory Powers Act (RIPA) and the Data Retention Directive force phone companies to keep records of calls and texts for a year, and give wire-tapping rights to dozens of government departments.

In the US, the Windows-based DCS-5000 system combines point-and-click monitoring of voice calls with location-tracking via mobile phone towers, plus DVR-like recording and playback. It can be set up to eavesdrop and track any landline or mobile phone in the country within seconds.

Don't think you can rely on new smartphone security apps, either. Philip Zimmermann is a computer security guru and the creator of PGP (Pretty Good Privacy), the world's most widely used email encryption algorithm. He says, "Mobile phone encryption only works up until the point where it hands over to the voice network. At some point, there's a gateway between the data and voice parts of the phone network, where a wiretap becomes possible."

Using voice over IP (VoIP) services may be more secure, but Steven Bellovin says it depends on which service you use: "A lot of VoIP products don't encrypt, even though it's in the [widely used] SIP standard. However, Skype uses very strong cryptography and the best thing is that people don't have to worry about it – it just works."

Zimmermann is more sceptical. "Skype encrypts, but we don't know how, so it's hard to evaluate the quality of the encryption," he told PC Plus. "I don't hear a lot of complaints from governments about their citizens using Skype. The oppressive governments around the world seem fairly happy with it." Which is as good a reason as any for spies to avoid it.

Zimmermann has his own solution: an open source voice and video encryption protocol called Zfone that works with SIP VoIP systems such as Google Talk and Apple iChat. When Zfone is running on two computers, they negotiate a strong encryption key in a peer-to-peer fashion. This means there are no public keys, certificate authorities or trust models. When the call ends, the key is destroyed. A new version of the (free) Zfone software will be released shortly.

Digital forest

Secure phone calls can be handy for arranging to meet 'the swift hawk by the silent pond at midnight' (pre-arranged pass-phrases help confirm who you're talking to), but they're less useful for passing on gigabytes of data. And if you're venturing into the digital world, the smart spy knows that the best place to hide a tree is in a forest.

Every day, three billion email accounts send and receive over 300 billion messages. Surprisingly, email is fairly secure according to Philip Zimmermann. "Even if you don't encrypt your mail, your mail server might encrypt it when it sends it to another mail server. The two servers can have an SSL (secure socket layer) connection between them – the same protocol your bank uses to communicate with your web browser."

You'll want to bump up security, perhaps with Zimmermann's own PGP, although this can be tricky to use. Hushmail removes the hassle, enabling you to send private emails via SSL to other Hushmail users – or even to normal email addresses using a question and answer combination.

"The best public scientific knowledge suggests that it would be impossible to decrypt our emails with current technology," explains Ben Cutler, CEO of Hush Communications. "However, it's likely that Hushmail messages have been intercepted by other means. For example, a customer doing human rights work in Eastern Europe reported certificate warnings when accessing our website. We determined that someone was trying to eavesdrop on the connection between his computer and Hushmail by proxying his computer's network traffic. Fortunately, he heeded the warning and avoided the attempt."

Of equal concern to secret agents should be Hushmail's willingness to deal with law enforcement. Hushmail has been forced on several occasions to hand over plain-text copies of emails, including those of US National Security Agency (NSA) whistleblower Thomas Drake. Ironically, Drake was intending to show reporters details of two failed NSA programmes, code-named Trailblazer and ThinThread, designed to check billions of phone calls, emails and chats for potential espionage and terrorist threats.

Another problem with encrypted emails is that they stick out like sore thumbs amid the sea of spam, automated messages and Facebook updates that comprise most email traffic. Professor Bellovin sums it up:

"If the FBI or MI6 see encrypted messages going from the US or the UK to known addresses in Moscow, they'll get suspicious and start investigating."

Hiding in plain sight

What a shy spy needs is a way of communicating with handlers without it even looking as though a message is being sent. And here's where things get really interesting, because the Russian illegals in America were all supplied with custom steganography software.

Steganography is the art of hiding not just the content of a message, but the existence of a message itself. The Russian software enabled the agents to insert a hidden file into an innocuous-looking image, such as a photo of Anna Chapman in a bikini. That image could then be attached to a normal, unencrypted email or even posted on a website for the world to see. Only its intended recipient would be able to extract and decrypt its payload.

However, image steganography has its limitations. Steganographic communication only works as long as no one suspects its existence, and sending a large batch of stolen documents could mean a conspicuous series of photos flying back and forth to Moscow.

Forward-thinking spies should consider network steganography, where secret data is concealed in the ebb and flow of data online.

Elzbieta Zielinska is a researcher in the Network Security Group at the Warsaw University of Technology. Her team has succeeded in using VoIP services to hide a stream of steganographic secrets. "We've tested it and proved it to work," says Zielinska. "You can modify the delays between packets so that certain packets are dropped at the receiver. This might escape the attention of the people talking, but those dropped packets can carry just about anything."

The Warsaw researchers have found ways to inject steganographic information into everyday web traffic, potentially turning Flickr and Facebook into ultra-secure data channels. They even have a system called HICCUPS (Hidden Communication System for Corrupted Networks) that can embed concealed files in Wi-Fi networks by modifying wireless packets' checksum data.

Underground video

Surely tinkering with individual packets results in glacially slow bit-rates? Not so, says Zielinska. "We came up with the idea of using steganography at the physical layer of an Ethernet network, where packets are often padded out with zeroes," she says. "Introducing network steganography here gives data rates sufficient for a decent quality MPEG-4 video stream. There are no limitations." If only that were true.
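A defender's view of the padding channel Zielinska describes, as an added Python example (not from the article or the Warsaw team): it inspects captured Ethernet frames and flags padding that is not all zeroes. It assumes untagged Ethernet II frames carrying IPv4, captured without the trailing frame check sequence; the frames, addresses and function names are constructed for illustration.

```python
import struct

ETH_HEADER_LEN = 14      # destination MAC + source MAC + EtherType
ETH_MIN_PAYLOAD = 46     # shorter payloads are padded up to this size
ETHERTYPE_IPV4 = 0x0800


def inspect_padding(frame):
    """Classify the bytes that follow the IPv4 datagram inside one frame.

    Returns a dict with:
      status       - "not-checked", "malformed", "no-padding",
                     "zero-padding", "oversized-padding" or "nonzero-padding"
      padding      - the raw trailing bytes (empty if none)
      expected_len - how much padding the minimum frame size requires
    """
    result = {"status": "not-checked", "padding": b"", "expected_len": 0}
    if len(frame) < ETH_HEADER_LEN + 20:
        return result                      # too short to hold an IPv4 header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return result                      # ARP, IPv6, VLAN tags: out of scope
    ip = frame[ETH_HEADER_LEN:]
    version = ip[0] >> 4
    header_len = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if version != 4 or header_len < 20 or total_len < header_len \
            or total_len > len(ip):
        result["status"] = "malformed"     # bad header or truncated capture
        return result
    padding = ip[total_len:]               # everything after the datagram
    expected = max(0, ETH_MIN_PAYLOAD - total_len)
    result["padding"] = padding
    result["expected_len"] = expected
    if not padding:
        result["status"] = "no-padding"
    elif any(padding):
        result["status"] = "nonzero-padding"
    elif len(padding) > expected:
        result["status"] = "oversized-padding"
    else:
        result["status"] = "zero-padding"
    return result


def build_frame(ip_payload, padding, total_len=None):
    """Build a constructed test frame (checksums are left as zero)."""
    if total_len is None:
        total_len = 20 + len(ip_payload)
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),   # documentation range
    )
    eth_header = (bytes.fromhex("020000000002") +       # constructed MACs
                  bytes.fromhex("020000000001") +
                  struct.pack("!H", ETHERTYPE_IPV4))
    return eth_header + ip_header + ip_payload + padding


# Constructed sample frames, not captured traffic.
SAMPLES = {
    "normal": build_frame(b"\x01" * 8, b"\x00" * 18),
    "covert": build_frame(b"\x01" * 8, b"hidden" + b"\x00" * 12),
    "full": build_frame(b"\x01" * 100, b""),
    "trailer": build_frame(b"\x01" * 8, b"\x00" * 40),
    "truncated": build_frame(b"\x01" * 8, b"", total_len=200),
    "arp": bytes(12) + struct.pack("!H", 0x0806) + bytes(46),
}


def scan(frames):
    """Map each frame name to its padding status."""
    return {name: inspect_padding(f)["status"] for name, f in frames.items()}


if __name__ == "__main__":
    for name, status in scan(SAMPLES).items():
        print(f"{name:10s} {status}")
```

Non-zero padding can also come from drivers that leak stale buffer contents, so a hit is a lead to investigate rather than proof of a covert channel.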

The truth is that all 'secure' communications systems have one major limitation: you and your fellow secret agents. Any encryption technology is only ever as strong as its weakest user.

As Steven Bellovin says, "You don't go through strong cryptography – you go around it. If I want to read someone's email, I'm not going to try to break strong cryptography, I'm going to hack into their desktop and wait until they decrypt it."

Cutler admits that Hushmail users are rarely as reliable as his algorithms. "We've had people getting their passphrases stolen by Trojan horse programs, installed by users who are unaware of what they are or by computer viruses," he says.

Philip Zimmermann agrees. "Once a computer is compromised, all bets are off," he says. "Spyware can capture keystrokes while you type your pass-phrase or decrypt your key and send it to the mother ship. As long as you're using general purpose computers that can be used to download games, open attachments and visit porn sites, you're going to have this problem."

There's only one thing for it. Spies like us – and the hapless Russian illegals – are just going to have to disconnect from the grid, unplug our computers, break out the invisible ink and start studying cipher books. The condor will see you at the queen's castle.



In Depth: How social engineering works

Posted: 11 Dec 2010 04:00 AM PST

Social engineering means different things to different people.

If you're a conman on a street corner, social engineering is a way to get money out of unsuspecting punters and steal goods.

If you're in a pub, it's a way to ensure that you're served first. If you're a magician, it can form the basis of an act. If you're a salesman, it's a way to get more sales.

But if you're a hacker, social engineering is far more: it enables you to get whatever you want from people. You can have them give you passwords, credit card details, and even access to secure places.

Many other cyber-attacks require an element of social engineering, and the techniques used are as advanced as other areas of online crime. At their heart is the basic human tendency to trust authority, and that trust sometimes comes at a very high price, as increasing numbers of people are discovering.

Microsoft calling

There's a new social engineering attack doing the rounds, which is designed to get you to give away all the details required to use your credit card online. Interestingly, it doesn't exploit your use of your computer at all, merely pretending that there's a problem with it.

The attack begins with an unexpected phone call, and studying it is a great way to learn just how devious social engineering attacks can be and to arm yourself against it and similar approaches.

All successful social engineering hacks begin with a process called pretexting. This creates a believable reason for the attacker making initial contact. Fear and greed are major human motivating factors, so the pretext is usually designed carefully to set the scene by giving the person being attacked the feeling that they've either inadvertently done something terribly wrong, or that they're in danger of missing out on something of value.

The new scam begins with a call supposedly from your ISP or even Microsoft itself. It seems obvious in the cold light of day that Microsoft isn't about to begin calling individual home users, and won't necessarily know who those users are, but a carefully crafted pretext for the call can make everything seem to be innocent and entirely reasonable.

Simply calling a random number from the phone book and insisting you're from Microsoft isn't enough to make the scam work, however. The call needs to be set in a believable context. This is achieved by playing a recording of a busy office in the background while the call is being made. The victim naturally assumes that the background noise is real, perhaps from a large call centre, which lends the situation an air of authenticity.

The caller must also appear to be in authority. The caller explains that Microsoft has had complaints that the victim's computer has been sending out spam, or perhaps worse. He might even give some examples and ask the victim to state truthfully if he or she has any knowledge of what's going on. The fear that a statement like this can generate in the minds of those not well versed in online security can be enough to gain their complete compliance with whatever instructions follow.

Fear factor

After ramping up the fear of inadvertently doing something wrong, the attacker phrases his instructions to sound like an easy way out of the situation. He says that it doesn't matter because he can fix the problem almost immediately.

With the victim's permission, he can access the troublesome computer and remove the supposed malware, further explaining that to keep things legal, he needed to call to gain the victim's permission. In a situation like this, the naïve computer user is highly likely to accept this apparently easy and official way out of a sticky situation. To the attacker, however, this sign of compliance indicates that the victim is under his influence.

To further cement the belief in the authenticity of the call, and to deepen the control he exercises, the attacker may ask the victim to open a command line, display the machine's IP address using the ipconfig command, and to call it out to confirm that the right computer is to be accessed before proceeding. The fact that this IP address is local to the victim's ISP and cannot be seen by the wider internet further proves to the attacker that the victim is both clueless and compliant.

There are then a couple of minutes of apparent typing as the attacker claims to be accessing the victim's PC, possibly uploading anti-malware software, cleaning the system, and confirming that everything is in order. The attacker then gets to the real purpose of his call: the fee.

He explains that the victim will, unfortunately, have to bear the cost for the service he's just provided. After all, it was the user who let his PC get into such a terrible state. It'll be nothing expensive, just a few pounds for the engineer's time. However, he explains, the victim can make a saving on this bill by paying now, over the phone. All he needs is a credit card. You can guess the rest.

The victim believes his computer has been fixed and that Microsoft is wonderful for doing so – right up until he receives his next credit card statement. The assumption of trust in the person asking for information, established through careful attention to detail on the part of the attacker, allied to ignorance of the realities of online life, make this a social engineering attack that we're sure to see far more of over the coming years.

Indeed, one of the hallmarks of the information age is the way in which malicious activity evolves and develops over time. Old hacks never die, they simply evolve, and social engineering is no exception.

Call for help

Some social engineering attacks don't have to be so well planned, just carefully targeted. In Japan, one particularly successful form of attack is becoming big business by cynically targeting elderly victims with a blunt demand.

It begins when the victim receives a frantic phone call. "It's me! I'm in trouble and I need you to transfer some money quickly," is the type of call no parent or grandparent ever wants to receive. For an elderly relative, it can be horrifying.

As with the Microsoft phone attack, the attacker offers an immediate way out of the problem. Transfer several thousand Yen to a wire transfer service or bank account and everything will be fine.

Despite its bold simplicity, the 'Hey, it's me!' attack gains in popularity every year. According to Symantec, the Japanese National Police Agency recorded 20,000 cases in 2008 – up from 17,930 in 2007. In some areas, police officers have even been assigned to ATMs to warn people about the problem.

The Japan Times first reported the problem back in 2003. In that year alone, 2,768 victims parted with 2.26 billion Yen (about £17 million).

Social engineering is a kind of oil that lubricates the wheels of many online scams, from phishing to eBay cons. By crafting a situation to appear as authentic and as urgent as possible, such techniques can be used to get whatever you want, and this extends to gaining physical access to areas from which you might otherwise be barred.

The key is to appear as if you're supposed to be there by preying on the assumptions of others.

Direct access

The simplest method is simply to tailgate someone. That is, to have someone hold an otherwise secure door open for you while you follow them through it on the pretext of having left your security pass inside.

A classic method of carrying out this attack is to find out where a company's smokers go to indulge in their habit. Simply hanging around holding a lit cigarette (no need to inhale if you don't smoke) can be enough to establish you as someone with a right to be there.

When someone makes a move to return to the building, simply patting your pockets, uttering an expletive and asking if they can let you in is usually enough to gain access. The lesson here is never to let anyone into a building who isn't personally known to you.

Give and take

Another social engineering attack, called a quid pro quo (Latin for 'something for something'), can offer instant access to a company's systems, passwords and other information – as long as the attacker seems to be giving something in return.

A very popular form of this attack is common in the US. The attacker, having discovered the range of direct dial numbers for the target company, will call each of them in a random order under the pretext of being from the IT department and returning a call to the help desk.

The idea is that eventually he'll stumble on someone who really does need help with an IT problem. The victim is more than happy to do whatever the caller says in exchange for the quid pro quo immediate fix – including turning off antivirus protection, then downloading and installing malware to their PC in the guise of setting up software patches.

Weeding out social engineers from legitimate callers is simple. The golden rule is: if what you hear seems too good or convenient to be true, it usually is. If you're in any doubt that you're dealing with a legitimate caller, especially if you received the call unexpectedly and the person at the other end is demanding a high level of personal detail, don't become angry or abusive, especially if you have caller ID and the caller has withheld their number.

A better idea is to say you're busy, ask for a phone number and say you'll call them back at a time convenient to you. If the person at the other end is making a legitimate enquiry, he or she will be more than willing to give you their contact details and a problem number as a reference. If the caller makes excuses, or insists on the required information being given immediately, you know you're likely to be talking to a social engineer.

In situations like this, state your suspicions calmly and clearly, then wait silently for a reply. It's likely that the line will go dead as the scammer realises that the game is up.



Buying Guide: Mac mini vs iMac: which is the best value?

Posted: 11 Dec 2010 02:00 AM PST

The price difference between Apple's cheapest and most expensive Macs is huge. The Mac mini costs £649, but if you've lots to spend and you configure your Mac of choice at the online Apple store, you could spend tens of thousands. We're not going that crazy here.

For this technological take on David versus Goliath, we're pitching the Mac mini against the iMac, the top-of-the-range 27-inch model with a 256GB solid-state drive alongside its off-the-shelf 1TB hard drive. It's an intriguing battle.

Both machines are consumer-oriented, unlike the Mac Pro which is more of a business computer. And although the iMac is obviously far more powerful, at £2,249, it's also a lot more expensive. If money was no object it would demolish the far cheaper Mac mini, but as it stands, it must work really hard to justify the £1,600 price difference. So which Mac offers better value for money?

The Mac mini, with its (relatively) low price and a performance that's fine for day-to-day computing, or the mighty top-of-the-range iMac, boasting incredible power, a gorgeous display and a solid-state drive? We devised a series of tests to put them through their paces.

Apple's entire iMac range has now moved to Intel's new Core-i series chips. The one on test here has an immensely powerful quad-core 2.8GHz Core i5 processor with some significant performance enhancing features.

Turbo Boost, which is lacking on the Core i3 chips used by the rest of the iMac range, shuts down inactive cores and boosts the power of active ones for increased clock speed. Also, an integrated memory controller limits the time the CPU spends waiting for data to arrive.

Unfortunately for the Mac mini, a legal dispute prevents Nvidia graphics chipsets from being integrated into Core-i processors, and the mini's small form factor makes it impossible to include discrete graphics. As a Core i3 processor without a discrete GPU would be a backwards step in graphics power, Apple was forced to stick with the older Core 2 Duo processor in the Mac mini, opting for a 2.4GHz version with the mid-2010 release.

For our first test, we used the popular benchmarking utility Xbench to see how the processors compared. Xbench can test a wide range of Mac ecosystems such as hard drives, memory, threads and OpenGL, but here we restricted it to benchmarking the processor.

Taking the average of three tests, the iMac scored 225.36, with the Mac mini coming in at 170.9. A convincing win for the iMac, but considering the price difference, the mini was far from disgraced.

Raw benchmarks can be a little nebulous, so we next tried a real-world test. After downloading the popular – and extremely processor-intensive – video conversion utility Handbrake, we encoded a five-minute test video using its Apple TV output settings.

The iMac managed it in 175.5 seconds, whereas the Mac mini took 520 seconds, almost three times as long. But given the iMac costs almost three and a half times as much as the mini, Apple's small form factor Mac once again held its own.

Glorious graphics

On paper, the iMac's graphical capabilities roundly trounce the Mac mini's. Its ATI Radeon 5750 with 1GB of onboard GDDR5 SDRAM is a significant step up from the HD 4850 with 512MB used by the previous generation's top-of-the-range iMac.

As the mini doesn't have room on the logic board for discrete graphics, it uses an integrated Nvidia GeForce 320M chipset. This isn't such a weak option. The 320M is currently the fastest integrated graphics solution available, and it's up to twice as fast as the Nvidia GeForce 9400M used before.

We tested with Cinebench 11.5, a tool that gives comparable ratings for 3D rendering. Again taking the best of three tests, in order to focus on the graphics card we recorded the OpenGL score rather than the CPU benchmark we use for our graphs in Mac reviews. This test renders a complex 3D scene using almost a million polygons and a range of advanced graphical effects.

The Mac mini achieved an average running speed of 11.57 frames per second, which is pretty good considering the complexity of the scene being rendered. The iMac, however, scored a smooth 32.07FPS – almost three times the rate offered by the mini.

It's a similar story with our test game, Doom 3. After setting the screen resolution to 1024x768 pixels and cranking graphical effects to Ultra Quality, the Mac mini ran it at an average of 54.2FPS, which is far from shabby. But the iMac managed a scorching 185.3FPS, almost three and a half times as quick as the mini.

This figure is on a par with their comparative costs, but hard-core gamers will appreciate the super-speedy frame rates offered by the iMac. Everything feels snappier and more responsive.

So the Mac mini is no slouch in the graphics department, but for high-intensity tasks such as gaming and rendering, you likely want an iMac.

A study in storage

The Mac mini has a standard 320GB hard drive, with the iMac offering a 1TB hard drive and an extra 256GB solid-state drive used as the boot volume. This SSD is the main reason our test iMac costs so much, adding £600 to the price of the off-the-shelf, 2.8GHz Core i5 machine. Clearly it's not cheap, but is it worth it?

We fired up a copy of QuickBench to test the speeds of the two Macs' boot volumes – in other words, the Mac mini's 320GB, 5400rpm hard drive, and the iMac's 256GB solid-state drive. Unsurprisingly, the iMac's SSD proved faster, but the degree by which it outpaced its rival was aggravated by the Mac mini's relatively slow hard drive. At 5400rpm, it's substantially slower than the secondary 1TB 7200rpm HDD used in the iMac.

The iMac's solid-state drive outpaced the Mac mini's hard drive by over 250% in the sequential read and write tests. In the random read/write tests, which are more relevant to the real world, it was 830% and 628% faster respectively.

Naturally, applications launched a lot faster on the iMac, with the iWork apps bouncing only once in the Dock before opening. On the mini, they took between two bounces (Pages) and 10 (Numbers).

To test the iMac further, we tried opening iPhoto, iCal, Address Book, Safari and all three iWork apps simultaneously. They opened just as quickly. Watching seven icons bounce once as the screen fills with windows is surreal. You see a lot less of the dreaded beach ball when using the iMac, especially if you regularly have lots of applications open at the same time.

On display

When comparing monitors, you might expect a clear win for the iMac, as the mini doesn't have one. But could this be an advantage?

The 27-inch iMac's screen is a gorgeous IPS display, with excellent viewing angles and a 16:9 aspect ratio. Its pixel resolution of 2560x1440 is beyond HD, and its LED backlighting brings it to full brightness as soon as you switch it on.

But the mini has a HDMI port, and is supplied with an adapter so you can connect it through DVI instead if you wish. This means it can be connected to pretty much any modern display. It can be any size – as cheap or as expensive as you like – and if you don't like glossy screens, you can opt for a matte display.

The iMac is only supplied with a glossy screen; there isn't even a custom option for matte, which is especially galling considering every MacBook Pro except the 13-inch model has an anti-glare option.

There's nothing wrong with the iMac's screen; quite the opposite, in fact. But if it isn't to your personal tastes, or if you already have a monitor going unused, the Mac mini's lack of a supplied display could work in its favour.

Wired for sound?

Both of our machines have built-in audio, but they're both pretty bad. Using iTunes on the iMac, our test music sounded tinny and lacking in bass and depth. There was no great stereo separation, and it did nothing to shape the sound. It was the same story on the Mac mini, just with no stereo separation at all.

Naturally, if you're only going to use your computer for web surfing, email and basic computing tasks, the internal audio might be sufficient for your needs. But if you plan to put your machine to any sort of multimedia use such as music or video, you should invest in external speakers.

A host of extras?

The iMac offers everything you need to get your computer up and running, but the mini only gives you a base Mac – you must add any required peripherals yourself. And some of them are definitely required. You won't get far without a keyboard and mouse, and unlike the iMac, the mini has no built-in iSight webcam.

Yet what we said about monitors also applies here, perhaps even more so. You might well have a spare mouse or keyboard lying around unused, and even if you do need to go out and buy something, with the Mac mini, you get to choose what you use.

Apple keyboards and the Magic Mouse are, of course, available from your local Apple store, but you don't have to go down the Apple route – not everyone likes the Magic Mouse. If you'd prefer a more traditional design with two buttons and a scroll wheel, chances are you can find one for less than half the price of the mouse that's bundled with the iMac.

You could even forego the mouse altogether and opt for an alternative navigation device, such as a trackball, Magic Trackpad, or even a graphics tablet and stylus!

Mac mini

So is a Mac mini better value than an iMac? Ultimately, yes. As our tests showed, on a price-to-performance ratio, Apple's small form-factor machine certainly holds its own against a high-end iMac with a costly solid-state drive. It's very capable for its size, and more than powerful enough for day-to-day computing tasks such as email, web surfing and word processing.

The mini enjoys a couple of key advantages over the iMac too. It has a HDMI-out port, making it ideal as a living-room media centre Mac, and its size means it's extremely portable, especially now the power supply is built into the casing. If you really wanted you could set up a monitor and keyboard at home and at work, and carry the mini between them with ease. You certainly wouldn't want to do this with a 27-inch iMac!

Yet if you crave that all-in-one experience, or you really want to play the latest 3D games, then the iMac is clearly the machine of choice - the mini just can't compete as a games machine. Whether you buy a Mac mini or a top-of-the-range iMac or something in between is entirely up to you.

We hope we've gone some way towards making up your mind. Don't discount the mini just because it's small. And don't forget the MacBook range, too! All Macs have their strengths and weaknesses, and their own role to play in Apple's Mac line-up.



Review: Scrivener 2.0

Posted: 11 Dec 2010 01:30 AM PST

Plenty of writing tools exist, but few are specifically designed for writers. Even fewer are developed by a writer, but Scrivener is a rare exception, designed by Keith Blount to plug a perceived gap in the market.

Rather than joining Pages and Word in the headlong rush towards desktop-publishing-style layouts within word processors, it instead arms you with powerful tools that prove hugely beneficial for dealing with complex and lengthy writing projects.

Although you can use Scrivener to bash out reams of copy in a linear fashion, doing so misses the point. The application is also good for cobbling together articles, scripts and essays.

Built-in templates get you started with various kinds of projects, each providing a structural overview in the Binder sidebar; here, you can add further folders and text files, rearranging them by drag-and-drop. When you're done, your masterpiece can be exported in various formats, using Scrivener's initially baffling but nonetheless powerful Compile sheet.

With the writer in mind

At this point, Scrivener probably sounds like a user-friendly outline view in Pages or Word, but its other features take it far beyond those products when it comes to project management. You can dump all manner of research into the Binder, including images, text files and web pages.

Furthermore, the folders within can have context-sensitive icons applied (characters, locations and so on).

Scrivener's views are also well-suited to the process of writing – you can pick between composite, outline, corkboard or Page views. The last of those is new, and is particularly useful for scriptwriters.

Outline and corkboard have been upgraded; the former now boasts sortable columns, which offer more than a dozen titles (such as Progress and Status) and the corkboard – a digital index board for sub-document synopses and other notes – now provides a free-form mode. This alone will justify Scrivener's $25 (£17) upgrade fee for many, since it provides a wonderfully tactile way to rearrange a project's documents.

Also, a new Collections feature in the Binder provides further scope for experimenting with alternate structures, without affecting your main project.

The more you explore Scrivener 2.0, the more you find. Often, you'll think "I wish there was a writing app that could do…" and you'll find Scrivener does it: snapshots with revision comparison; automated backups and sync with mobile apps such as Dropbox; a full-screen mode; quick reference panels (think Quick Look, but with editable content); split-pane viewing; user-definable count targets. It's all there, and, amazingly, it's generally pretty easy to access and use, along with being really robust and stable.

Essential app

As with the original Scrivener, the latest version is perhaps an acquired taste – more so with the new features adding another layer of complexity.

But then this app has never been about appealing to the masses – if you're looking to bang out a letter, stick with Pages; but if you want the best tool around for organising thoughts and writing projects, Scrivener is a no-brainer purchase.

Catch up: this week's most popular posts

Posted: 11 Dec 2010 12:00 AM PST

It's all been a bit Android crazy this week, with Google revealing the Nexus S and detailing Android 2.3.

Meanwhile, in the Apple world, details of iOS 4.3 slipped out along with the news that iPad 2 stocks will head to warehouses in February.

Read on for this week's most popular stories on TechRadar…

Top five news stories

Apple iOS 4.3 details leaked by the Guardian

The Guardian is to drop its current iPod application in favour of a subscription-based one, with details of the change posted on the newspaper's website.

On a blog, the Guardian explains: "The new app will have a new price point: £2.99 for six months and £3.99 for 12 months."

This type of subscription-based app is not something that's currently available on the App Store, so it seems that it has outed a feature which will be an update to Apple iOS 4.3.

HTC confirms Desire HD Android 2.3 update?

TechRadar contacted HTC earlier today about the recently announced Android 2.3 update and whether or not it will be coming to its flagship phone: the HTC Desire HD.

Although HTC didn't namecheck the phone, it did confirm that a number of its handsets will be given the update.

Google Nexus S - first Android 2.3 phone unveiled

Google has finally lifted the lid on the barely-secret Nexus S, complete with Android 2.3 at its core.

The new phone is made by Samsung and features a whole host of next generation technology, including a 4-inch Super AMOLED display (which is apparently four times better for viewing in bright light), a 1GHz processor and a front facing video camera for video calling, although third party software is needed.

Report: Apple iPad 2 stockpiling will start in February

Apple will begin to stockpile its new iPad 2 tablet by the end of February, according to anonymous sources within manufacturer Foxconn.

The rumour of a shipping date for Apple's warehouses and not consumers comes from Digitimes, which by no means guarantees its veracity.

However, the time frame does not look too far away from what you might expect, given that Apple is widely expected to unveil its next generation iPad a year down the line from the original.

Facebook revamps your profile page

Facebook is set to revamp the look of your personal profile page in the very near future.

Mark Zuckerberg, speaking on primetime US TV show 60 Minutes over the weekend, explained and previewed the forthcoming design changes to host Lesley Stahl, in what is sure to be seen as a major PR coup for the social network.

Top five in-depth articles

Google Nexus S vs HTC Desire HD vs iPhone 4 vs Samsung Galaxy S

The Google Nexus S has been announced and has a UK release date of 20 December.

We've pitched the key specs of the Samsung-built handset against the key smartphone rival Apple's iPhone 4 as well as Samsung's own Galaxy S (which, as you'll see, is strikingly similar in spec). It's time to see how your next phone stacks up.

Google Nexus S: 10 things to know

Google's promise to retire the Nexus brand after the Nexus One was a lie – the Google Nexus S has now been officially announced.

Featuring a glut of new technology and the latest unfettered Android platform, it certainly looks like an early headliner for 2011.

So check out our run down of all you need to know about the Google Nexus S, including when you can get it, how much it will cost, and which new tech-toys you'll get with it too.

Android 2.3: what you need to know

The Android 2.3 update has now been officially announced by Google, along with the first Android 2.3 handset.

The new mobile OS was first shown off at the Web 2.0 summit on 15 November by Google CEO Eric Schmidt.

12 best gifts for iPad owners

Looking for iPad gift ideas? You've come to the right place. We've got 12 cool iPad add-ons, gadgets and accessories to suit a range of price points and purposes. From stocking fillers to more serious investments, we've got you covered.

3D TV without glasses explained

Analysts at Futuresource Consulting predict that by 2011 the UK will have more 3D TVs than the current front-runners, France and Germany, with one in three homes 3D Ready by 2014 - and a staggering 50 per cent by 2015.

That's an awful lot of 3D glasses - and at £100 a pop, it's a serious complaint about the 3D home experience. The solution, of course, is a 3D TV without glasses.

Top five reviews

Palm Pre 2 review

There's an absolutely world beating phone sitting somewhere in the Pre 2's DNA, but it hasn't revealed itself here. It simply doesn't stand up to the iPhone 4 or HTC Desire Z.

Nvidia GeForce GTX 570 review

Not content with bringing out a card that knocks its previously top-spec GPU into that special bin of obsolescence, Nvidia has brought out a more mainstream card that beats it too.

Hands on: Google Nexus S review

If you're into Android and looking for a new phone, there's very little to find fault with here. The UI is quick to understand and slick under the finger, and there's features galore.

ExoPC Slate review

If you've been waiting for a usable Windows 7 slate, the ExoPC Slate is close to what you've been waiting for. There are some rough edges, but the company is busy smoothing them out.

LG 50PJ350 review

Down at the 50PJ350's level, it's all about price. That LG has created a 50-inch plasma – for so long a high-end proposition – for under £500 is a giddying achievement.

Also reviewed this week

Asus Eee PC 1215N review

Sharkoon SATA Quickport Home review

Blockmaster SafeStick 4GB review

Asus O!Play HD2 review

CoolerMaster CM Storm Inferno review

Technisat SkyStar USB HD review

Triax T2-HD 115 review

LG 50PX990 review

Nikon D7000 review

Pentax K-5 review

Sky 3D review

Advent Vega review

Samsung UE40C8000 review

Apple 27-inch Cinema Display review

Apple iLife '11 review

Canon imageFORMULA P-150M review

Gyration Air Mouse Elite review

Sound Freaq SFQ01 review

AVM FRITZ!Box WLAN 7390 review

Smith Micro Stuffit Deluxe 2011 review

Bohemian Coding Sketch review

Nokia C3-01 Touch and Type review


