Wednesday, May 20, 2015

How I moved my daughters iOS Notes from school to personal iCloud account

Please don’t put data into iOS Notes. Really, it’s quite horrid [1]

If you do you may find it’s stuck there. We ran into this when my daughter’s school iPad had to be wiped and we needed to rescue Notes that were only stored on her iPad (school iCloud account doesn’t support Notes, neither does school Google Apps).

I did this:

  1. Used AirDrop to move notes one at a time from her iPad to my iPhone 6 (her 4s doesn’t support AirDrop).
  2. Since my iPhone 6 is configured to use iCloud, each time a note arrived via AirDrop it went via iCloud to on Mavericks [2]
  3. On Mavericks the notes appeared in my iCloud account. I added my daughters Google Account to my Mavericks User account. I could then select ALL notes (yay) and drag and drop them to the Google account.
  4. Then I created an OS X User account and associated it with her personal iCloud Account and added her personal Google Account. Then I did the drag and drop from her Google to her iCloud. 
I did something similar with her school Contacts. Interestingly the account drag and drop behaves differently — Notes are moved, but Contacts are copied.
- fn -

[1] I took a look at the folder where Apple stores data: ~/Library/Containers/ (Yes, the organization is bizarre). The data is in NotesV2.storedata-wal. I inspected the binary file in Mavericks [2] and found it contains text of Notes I deleted long ago. So if you had sensitive data in deleting it won’t remove it from your Mac. It seems the file is never purged.

More — in Mavericks, it only looks like you can drag and drop notes to the desktop. It doesn’t actually work.

More — Notes can sort of hold images and rich text, in some Apple OS but not in others. Definitely not in Google IMAP.

More — Notes was implemented unsung an oddball IMAP hack. It’s like nothing else.

More — Like Contacts Notes can have Groups / Folders in OS X, but in iOS you can’t do anything with these.

There’s still more…

[2] Yeah, I’m still on Mavericks. Yosemite has … issues. I’m waiting for a fix for the crazy network problem.

Wednesday, April 15, 2015

iCloud Family Sharing: you can mix old style and new style sharing, but there's at least one bug

My family does old school iOS media sharing.

Everyone has their own Apple ID for iCloud, but we all use my App Store ID [1]. So we can all share media, apps and the like.

Modern iCloud Family Sharing has advantages though, and Apple is already making old school sharing harder

Which leads to a question.

Say I configure Family Sharing for the 5 of us. [2] Can I mix-and-match old and new family sharing? If #2’s App Store ID is set to my current App Store ID, will he still be able to do old-school sharing?

I think Apple frowns on changing App Store IDs, there may be a limit…

- fn -

[1] Which is different from my iCloud Apple ID because of “.Mac". Don’t think about it too much.

[2] Max of 6 per family, which was once not an unusually large family.

Update 4/16/15 - Reports from

… You can change Apple ID's, download an app and change right back. I do this for apps that I paid for IAP’s with an old account before Family Sharing…

… we do both … although family sharing has not become relevant yet, the old way of sharing apps is more convenient…

When I setup Family Sharing I found that my personal iCloud account was the “Organizer” account, but after entering those credentials my App Store Apple ID was the default for the purchase account. So Apple keeps those two separate.

I did run into a problem — Apple doesn’t provide purchase controls for adults; they didn’t think of special needs or guardianship. Happily, if I leave my old shared credentials as iTunes and App Store old rules apply — the Family Member is asked for my pw to make a purchase. I think if I switched the iTunes and App Store credentials to the user’s iCloud credentials they’d be asked for their Password at time of purchase — but that still requires my help, the kids don’t know their Apple ID passwords yet. So this problem has a workaround…

Thus far the best part of Family Sharing is iOS 8.3 “Find My iPhone”. It now lists everyone’s devices — and several devices that are gone from this earth.

Update 4/18/15: Not working quite as expected.

To recap, the kids have their own iCloud accounts, but the App Store/iTunes credentials are my .mac credentials, which are not my iCloud credentials.

Yeah, this is problematic. We need a way to merge Apple IDs.

In this configuration when they try to buy something I need to enter the .mac credentials. Even when I do that, however, they get a notice that the transaction needs to be approved. That’s fine, but the approval request never gets generates a notification against my Organizer iCloud account. I have an OS X user account bound to the .mac credentials, but that doesn’t get a notification either. So for now I’ve disabled Ask to Buy.

Monday, April 13, 2015

iOS 8.3 took away one of my favorite parental controls

With iOS 8.3 Apple made an undocumented change that will make a few kids happy.

No, not the post-update dialog that will lead many parents to unwittingly enable 15 minute authentication lifespans for purchases. Apple documented that feature. Here’s where you undo any mistakes by they way:


The real change is that users no longer need to enter the App Store account password to reinstall any app that’s been previously purchased with that account on any device. There’s no setting to revert back to the old behavior of managing a reinstall very much like an initial installation (respect password settings as above).

Why does this matter?

Well, let’s assume you install YouTube on the KidPhone and late find some highly educational porn. In the old days you could just delete YouTube and be done — assuming your user doesn’t know the App Store account password. Now users can simply download it again.

Now imagine the problem if you do old school App Store/iTunes credential sharing like we do — we each have our own iCloud accounts, but our FairPlay DRMd material is all associated with my App Store credentials. Yeah, everything can be installed. It’s a good thing I’m not into S&M apps.

I don’t know how this works with Family Sharing, the change is too new to see much commentary. For old-school families like ours there are 4 options based on this screen …


Your options are:

Install AppsDeleting AppsResult
Off On App Store disappears so can’t install or update. You can’t update from iTunes either, so this setting is a pain in the butt. You need to go through the restrictions dialog to do app updates. User can delete apps which is convenient.
On Off suggested this one. User can download anything, but they can’t hide contraband. So if they install forbidden apps they get banished to “Install Apps Off” which is painful for everyone.
Off Off As option 1, but can’t remove apps. I can imagine limited use cases.
On On The default.

For now I’m going with Install On and Delete Off, with the warning that forbidden fruit will lead to App Store removal.

I’d love to see a fix from Apple but it’s going to take a lot of complaining. I’m not holding my breath.

Saturday, April 11, 2015

How to upgrade to Yosemite Aperture when migrating from Mavericks

Via Macintouch:


… if you’re upgrading from Mavericks to Yosemite, the previous versions of Aperture (3.5.1) and iPhoto (9.5.1) for Mavericks won’t run at all on Yosemite, and you can no longer update them from the Updates tab of the App Store - because they've been removed from the store.

The only way to obtain the Yosemite versions of Aperture (3.6) and iPhoto (9.6.1) is to delete the old versions and then re-download the full applications from the Purchases tab of the App Store."

I guess I’d better hurry up on my Yosemite migration, but at least there’s still a way to do this.

Fortunately I think it’s fairly easy to “steal” Aperture, which, in this case, is probably legitimate.

I have Aperture on both my laptop and my desktop. I’d rather upgrade laptop to Yosemite first, but that will take Aperture there to 3.6. I suspect 3.51 (Mavericks) can’t import 3.6 Libraries. Interesting times.

Update: I tested this on a Mavericks machine I just updated to Yosemite. Even though the “Purchases” list shows Aperture with an “update” button, the update doesn’t work. You do have to delete and redownload. I wonder if this is actually a bug.

Sadly, while it’s still possible to download Aperture, there’s no way to download iPhoto for Yosemite, and iPhoto for Mavericks won’t work. Turns out you can download iPhoto the same way. Delete it then Install from purchased.

Thursday, April 09, 2015

iOS and OS X Reminders can be shared among family members

We need a way to remind #1 of certain tasks he has trouble remembering. 

Yeah, a lot of kids have trouble remembering things, but #1 has a very different mind. Some things are hard for him to hold on to.

Thinking about how to do this I dimly saw, somewhere in the cluttered and drafty attic of my memory, something about shared reminder lists in iOS.

I remembered correctly …

iCloud: Share a reminder list

You can share a reminder list with other iCloud users. You might want to do this, for example, to keep all the members of a sports team apprised of what needs to be done for the next game. As the owner of a shared list, only you can add and delete list participants.

Participants in the shared reminder list can view and edit the list (mark items as complete, add items, and delete items), and see who else is sharing the list using these apps: iCloud Reminders, Reminders on an iOS device, Reminders on a Mac, and Microsoft Outlook on a Windows computer.

Outlook? Really? I wonder if that’s true. This is old stuff.

Old enough that it works on Mavericks as well as iOS and iCloud/web. I created a shared Reminder list named after #1 that includes me, Emily, #1’s personal iCloud address and #1’s school/iPad iCloud address. Any of us can interact with reminders.

It was pretty easy to setup. Despite the reference to email in the documentation I was able to accept invitations by using Emily and #1’s iCloud/Web Reminder app. (Though, for some reason, on #1’s 8.3 4s I did have to accept the email invitation. Maybe just a sync issue.)

I suspect we’ll all get alarms, I don’t see a way to target a reminder/alarm to a specific person. 

This will be quite useful.

Saturday, March 14, 2015

Google password works on Gmail but nowhere else? Congratulations. You're enrolled in Google Advanced Security.

Ugh. File this on under #FirstMilleniumComputingRIP or #YosemiteRequired or #iOSForEveryone or #aWatchFuture.

A friend got an email a few weeks ago from Google, warning her that some had tried logging into her account from Galati Romania and somewhere in Kyrgyzstan. I didn’t see the original email, but I gather Google recommended she change her password. I don’t know if Google said anything about other consequences. The implication was that Google blocked those accesses [1], much as your credit card company routinely blocks the Moscow charges you never hear about.

By the way, if this happens to you, walk through the Gmail security checklist.

I don’t know if Google mentioned anything in the email about additional security measures, but what she noticed was that she couldn’t use Gmail on her home computer. It said “password incorrect” though she was using the right password.

It took me 30-40 minutes to figure out what was going on. I created a new user account to confirm it wasn’t anything on her Mac running OS X Lion [2]. Then, guessing that Google had enrolled her in some new enhanced security program, I went looking around Google’s security settings and I found an “Access for less secure apps” setting [4]


I also found this notice …


and I could see where our legitimate logons had been blocked (but marking those as legitimate did nothing) …


I can’t find Access to Less Secure Apps controls on my own Google accounts [3]; I think it’s automatically enabled after an account hack or if you click the “Secure your account” link in “Notifications and Alerts” or in the “Devices & activity” above. (Maybe this was mentioned in the email from Google? That would be nice.)

If Access for less secure apps is on, then this article applies:

Allowing less secure apps to access your account - Accounts Help

Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer.

Some examples of apps that do not support the latest security standards include:

The Mail app on your iPhone or iPad with iOS 6 or below
The Mail app on your Windows phone preceding the 8.1 release
Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird …


To help keep your account secure, we may block these less secure apps from accessing your account, and you’ll see a “Password incorrect” error when trying to sign in. If this is the case, you have two options:

Upgrade to a more secure app that uses the most up to date security measures. All Google products, like Gmail, use the latest security measures.

Go to Allow less secure apps and choose “Allow” to let less secure apps access your Google account. We don’t recommend this option because it may make it easier for someone to gain access to your account…

Yeah, all you get is a “password incorrect” error. Which is wrong of course, your password is fine. Problem is, for OS X isn’t designed to say “Google doesn’t like me”. It tries to connect, gets rejected, and renders this as “password incorrect”.

Once I figured out the problem I found Google’s April 2014 security blog announcement:

Google Online Security Blog: New Security Measures Will Affect Older (non-OAuth 2.0) Applications

… beginning in the second half of 2014, we’ll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

You do know what version of OAuth OS X uses, don’t you? Oh, wait, does even use OAuth?! It appears so as of 10.0.3 (Yosemite); I suspect Google considers any OS X app (Mail, Calendar, Contacts) prior to Yosemite to be less secure.

There’s a bit more useful information in this April 2014 article. I’m sure you read that one regularly to keep your Google services working smoothly! As noted in the article, you can enable Access for less secure apps [5]. That took care of my friend’s problem.


My friend asked me what regular people do. My answers was, unfortunately, they don’t/can’t. The writing has been on the wall for a few years — civilians should not own “computers”. They should a single iOS device [6] and do everything through Apple [7]. This kind of thing is only going to get worse.

- fn -

[1] But what about the accesses Google might not have blocked? Google Account security now lets you see what devices have signed in from where over the past 28 days as well as review your security notifications. Between those and reviewing your Account Permissions you can get a rough idea if an unsophisticated attacker got by Google’s secondary defenses.

[2] I also have a Lion machine the kids use a bit. It’s no longer being updated of course, and I should probably retire it.

[3] I checked both my 2FA and non-2FA Google Apps/Google accounts and didn’t see it on any of them.

[4] First I went through her access history and authorized a number of them. Turns out that’s pointless, Google just provides that to keep us confused. 

[5] Or enable 2FA. Google 2FA is less of a PITA than it once was, but it’s not ready for civilian use. Too many ways to go wrong, especially when a device is stolen.

[6] I don’t think Android is a good choice. Sorry. The single best choice for most is probably an iPhone 6+. There’s an unmet need for an flip-phone-like compact device that provides simple phone services to a companion iPad. Maybe Apple Watch version 3 will do that.

[7] if Apple doesn’t do it, then give up.


Tuesday, March 10, 2015

H2O Wireless - getting a nano SIM for your upgraded phone - and keeping your old H2O number.

H2O Wireless is a rock bottom ultra-cheap AT&T MVNO. We use it for the 3 kids and their iPhones, with very minimal data services (Find Friends, email, Find My Phone — everything else is more locked down than even Emily and I).
Child #2 costs us about $40 a year - the minimum to keep his account open. He doesn’t talk or text much and is almost always on WiFi. He plays games. #1 costs about $10 a month — he does SMS, iMessage, and a few other apps. His data usage is primarily Apple’s utterly mysterious “iTunes Accounts”.
#3 runs through $10-20/month — she might end up on our AT&T plan. Lots of texting.
Our total child cellular service bill with H2O is about $25-$30/month. Hard to beat for 3 kids. In theory there are no data services with the H2O per minute plan, but we installed the H2O Profile and we get “4G” data. (Though on #2’s i5 if I enable LTE the tower boots us off the network)
Of course there’s a downside to the low end of the network. Although H2O’s web site has improved significantly over the past few years, service can be tricky to get. Some things are hard.
Things like … getting a Nano SIM so my son could go from a dying 4 to a used 5 [2].
The first time I called H2O Support (1-800-643-4926) I was told I could use the number transfer request screen and transfer the number from H2O to H2O, providing a fresh SIM number and an IMEI. Warning: this does not work (at least, not entirely, and not for us).
On a second call I was told that only H2O reps can do the transfer. You have to buy a fresh H2O Nano SIM and call them with the “ActFast” code. They will then try to activate the phone with the new SIM. Sometimes it works, but for some numbers/SIMs it doesn’t. (Life at the low end.)
In our case I ordered an H2O “Smart SIM” on Amazon for 0.01 [3]. I called support with the SIM in the phone; surprisingly there was no wait. The support person was able to activate the phone, interestingly he didn’t need the IMEI. The initial signal was very weak, he told me to “dial”  ##21# — that supposedly requests service from the tower. It did seem to boost the signal.
I’d already installed the H2O profile, but I deleted the old one and reinstalled. I found he could get “4G” data (not bad), but when I tried to enable LTE the tower cut us off. (H2O says per-minute plans get no data, so I can’t complain.)
After the transition the web site says #2’s balance is intact. Which is pretty good, because after years of paying for the number with minimal use he has quite a nice balance.

[1] not backed up by the way, so you need to reinstall if you do a restore

[2] I actually cut down his old Mini-SIM to nano-size and it worked, but I’ve never been able to get data on his SIM. So I wanted a fresh Nano.

[3] I’ve ordered several Amazon SIMs. The first time I did it I assumed it was a scam. It doesn’t seem to be, I think the sellers get money from H2O and the like every time a SIM is activated. They’re $15 from the H2O site.

Saturday, March 07, 2015

Transferring eNom domain with associated Google Apps services to Dreamhost: 2015 Edition

It’s hard to imagine now, but once upon a time Google gave big stuff away. Until Dec 2012 anyone could get extended family Google Apps services and a companion domain for a pittance — $10 a year.  Today I still have most of the features of Google’s $50/user/year ’Apps for Work’, but I only pay for domain registration. [4]

Naturally I acquired quite a few Google Apps services, either directly from Google or through Dreamhost (referral link) [1]. Today I still have 10 Google Apps suites. 

The ones I got directly through Google were registered with eNom. This worked reasonably well until Google ended their first generation payment systems, so each eNom account had its own payment data and was completely independent from all others. Since then I’ve been slowly migrating accounts from eNom to Google.

Very slowly! I last moved a Google Apps associated eNom domain in 2009. Yeah, six years ago. [2] Over the past few weeks I’ve moved two more, enough that I’m getting the hang of it. The process is similar to what I wrote about years ago, but there are some added security steps.

I’m going to try to document what I did here — as much for me as for anyone else. Don’t trust what I write though — read Google’s documentation as well, they include registrar specific advice as well:

Key Concepts 

If you understand these concepts things are a lot simpler:

  1. There are 3 independent services involved in this process:
    1. Google Apps services
    2. DNS services (primarily CNAME and MX, the latter is email specific and is particularly old and crotchety).
    3. Registrar services (ex: management of, including pointing to DNS services for wherever they might be.)
  2. One business could provide all 3 services [3] or each service could be with a different service. Throughout the process below Google provided Google Services, but I started out with eNom providing both DNS and Registrar services. Then I moved DNS services to Dreamhost. Seven days later Registrar services completed their move to Dreamhost.
  3. The things that connect a Domain to Google Apps are…
    1. Google stores the name of the domain in its records
    2. DNS entries that point to When you enter a URL the Domain Name Server sends the request to, it looks up the domain name and handles it. (Similar magic for MX records).

Steps to follow

This assumes you’re paying for full featured Dreamhost hosting [1]. Quick steps here, more notes below.

  1. Go to eNOM domain settings on Google Apps. Confirm contact information email works. Don’t use contact email that belongs to the domain you’re moving.
  2. Go to Dreamhost, add the domain you’re going to move per DreamHost CNAME record instructions as a fully hosted domain under your Dreamhost username. Yes, you can and should do this before you actually move the domain. You’re setting up DNS services at Dreamhost and soon you’ll tell eNom to use those instead of eNom’s native services.
    1. Go to Manage Domains and “Add Hosting” choose Fully Hosted. I put everything under my one username.
    2. Click the box for Google Apps. Dreamhost will configure standard CNAMEs and especially MX records.
    3. Add additional CNAMEs as needed: calendar, docs, drive, blog based on what you see in your eNom records. Don’t need to repeat DomainKey entry used to verify with Google (?). The A record that Dreamhost creates is used to redirect the naked domain to ‘www’.
  3. Go to eNom settings and change eNOM DNS information to use Dreamhost. (, etc) Once you do this eNom is now only your registrar.
  4. Confirm DNS still works and can send email to address in domain. I’m not sure how long this takes, 
  5. NOW, Request unlock of the eNom domain by email (see example below. Yes, by email and include your eNom password!). Once this is processed you’ll get two emails from Google, one with authorization key (EPP key).
  6. Go to Dreamhost Reg Transfer, request transfer, and complete form. Pay for transfer. Initiate transfer. You’ll see a notice that a 7 day countdown has begun.
  7. About 30-40 min later you’ll get an email from Dreamhost at your official domain email contact that you verified above. Click the link. Go to approval page. Agree. See “your response has been recorded”
  8. Receive notice from Google in 1-2 hr (no action required unless wish to cancel)

    DOMAIN NAME TRANSFER - Confirmation of Registrar Transfer Request

  9. Receive notice after 7 days that is complete. Now go to Dreamhost. Lock the domain. Enable auto-renewal. Test email and google services. (Fees used to be $9, then $10, now $12)
  10. LAST: Google tries to renew registration, fails, sends note domain moved. However, Google never fixes up its Domain settings on the legacy account, they always show “enom” (sic) as registrar.

Sample of eNom letter

Please unlock this domain, disable Google ID Protect, and send authorization code. Thank you!

Domain :
Password : u5yhtt5p965965 (your eNom pw, not your Google pw. Get this from Google Apps Domain Settings.
Customer service PIN : (if you know it, optional)

This is what eNom sends if you ask how to proceed.

 Greetings ,

To transfer your domain, you're going to need the domain to be unlocked and the authorization code for the domain. I can assist you with both of those if you can give me the domain password that Google supplied you. (Note: this is NOT your Google Apps login password.)

When you registered the domain, Google set up a privacy protect service and I will disable that in order for the transfer to be successful.

Also, please be aware that in order to transfer the domain, it needs to be 60 days after registration. This isn't an eNom-specific rule - this is a rule for all registrars set by ICANN.

Please e-mail me back with the domain name and password and I can get started on getting you the information you need.

If you don't know your domain password, follow these steps to find it:

Enter your domain name at the access login screen (, with AAA as the password, then copy the verification code. Click "Log In" to submit the information.

Put the name in again and then click on the "forgot password" link and it will be emailed to you at the address on file with Google for your domain name.

***IMPORTANT: Remember log into your domain manager at to ensure your Registrant and Administrative contact information is valid BEFORE transferring the domain name***

Alternately, IF YOU DID NOT CHANGE THE PASSWORD, you may also recover your Google domain password using the following steps:

To access your Advanced DNS settings, please follow these steps:

Log in to your account at
Click on the Domains icon on your Admin console dashboard. You may need to click on More controls at the bottom of the screen to find the Domains icon.
Click on the Advanced DNS settings link associated with your Primary Domain.
To make changes to your DNS settings, sign into your DNS console with the login information provided on this page.
When you access Advanced DNS settings, you'll be directed away from Google, and to the domain registration partner that registered your domain name. This is currently available in English only.


Google Advanced Domain Support

Provided by eNom, Inc.

and this is what you get from eNom after you unlock:

Thank you for proper verification of domain ownership by supplying the domain password.

The domain has been unlocked, ID Protect has been disabled for transfer and your authorization code has been sent to the following email address in a separate e-mail. Please check your spam folder or filters as this is often captured.

***IMPORTANT: Remember log into your domain manager at to ensure your Registrant and Administrative contact information is valid BEFORE transferring the domain name***


If the above email address is invalid, please log into the access control panel ( and update the contact information. Once the email address has been updated please reply back at your earliest convenience so that we may resend the EPP/ Authorization code.

Your domain is ready for transfer.

As a note: the transfer process does take 5-7 days for the domain to arrive at the gaining registrar. Once started by you, there is nothing you need to contact us about again. You can however ask us to confirm if the domain is pending transfer should you need to check.

DNS Result after setting up in Dreamhost as fully hosted with Google Apps services

Screen Shot 2015 03 10 at 8 34 37 PM

Additional Custom CNAME (copied from eNom) that I added (some, like ‘sl’ are really exotic. Don’t worry about it.)

Custom cname

Miscellaneous artifacts

Dreamhost shows this after you initiate the transfer

 Screen Shot 2015 03 10 at 9 11 24 PM

Some sample email excerpts:


We have requested your to be transferred to DreamHost! First, your admin contact will receive an email with a link to approve the transfer from us. They will then receive another email from the current registrar with instructions on how to approve the transfer from their side. Typically, transfers take about 7-10 days to go through. You will receive an email from us when we've learned if the transfer has been approved or denied. Note: If you'd like to also host with us, please visit "Manage Domains" now.


Domains must be "unlocked" at their current registrar or the transfer will fail. Domains may not be transferred within 60 days of their initial registration or their most recent transfer! You should do any name server changes (e.g. to, etc) before transferring! You must make sure you have access to the admin contact email currently listed for your domain! You will receive an email from with instructions on how to complete the transfer to DreamHost. If you do not receive it in a few hours, please check your spam filter. The entire process may take 7-10 days or longer before it is complete!

- fn -

[1] Dreamhost has worked well for me for many years. I you sign up and use my PROMO code of KATEVA you get $50 off the 1st  year (I get $47.)

[2] That freaks me out a bit, I vaguely remember when 6 years was more than yesterday. 

[3] Recently Google began providing domain services itself, but i don’t know much about it.

[4] Ok, so you can still get Google Voice (thought it’s a bit trickier than it once was). That service has saved me thousands of dollars on mobile phone calls to Canada.

Fixing Google Chrome Mac Update Error: 12 - success after years of failure.

I’ve been waging a desultory war on a Google Chrome Mac Update Error 12 bug for years. I can’t remember when Chrome updated itself correctly on my Mac, but I didn’t really dig into the bug. I figured Google would fix it sooner or later, in the meantime I’ve been manually downloading Chrome installers every few months (not a great idea obviously).

Today I gave up on Google and started work on the bug. The key to finding the answer was logging into my admin account, starting Console, clearing the log, then watching what showed up as I started Chrome and opened the About screen while Chrome tried to update and generated the usual error: 12 message. I saw something like this:

 …. CODE SIGNING: cs_invalid_page(0x1000): p=809[GoogleSoftwareUp] clearing CS_VALID …

Searching on that string I found an old AskDifferent post on a related topic. That pointed to 


where, like Daniel Azuelos, I found these file dates. 

Screen Shot 2015 03 07 at 11 35 16 AM

Yeah, 2012.

The fix is to quite Chrome, delete  /Library/Google/GoogleSoftwareUpdate (root Library, not User), reinstall Google Software Update Installer and restart. Then you get something like this:

Screen Shot 2015 03 07 at 12 02 44 PM

Yeah, 2014. A bit better.

Then, still from my Admin Account, I ran Chrome and stepped through several versions of the Chrome About screen:

 Screen Shot 2015 03 07 at 11 35 50 AM


Screen Shot 2015 03 07 at 11 37 41 AM

Do the relaunch, then ..

Screen Shot 2015 03 07 at 11 37 57 AM

Setup up Automatic Updates for All Users (I’ll be impressed if this actually works!):

Screen Shot 2015 03 07 at 11 38 08 AM

First automatic update in my memory.

I suspect this problem arose from years of several intersecting bugs — some belong to Apple’s famously buggy permissions infrastructure, some related to how Google interacts with people who run OS X as non-admin users, some related to how Google Chrome/Updater manages install errors, some related to how Google mangled OS X Library structures over the years.

Once I’d fixed the problem I read Google’s tech support note more carefully (with Mavericks/Mountain Lion their sudo instructions only work if you run as admin, they kind of left that out). This is the relevant bit:

Run the following command. Be careful to enter the command exactly as written:

~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ --uninstall. It may result in a "No such file error"; the next command will address that.

Now run this following command. Again, carefully enter the command exactly as written:

sudo /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/ --uninstall

The first command runs against the User account library. Google acts like there’s ONE user account on the machine, instead of say, an Admin account and many user accounts. Anyway, I didn’t have anything like that in either my Admin or Non-Admin account.

The second is closer to the real fix, but look back at 2012 files. There’s no file there. The answer was to delete parent folder in /Library, not to try to run a non-existent installer.

PS. MarsEdit image upload really needs a lot of work. Hope the new competition from Blogo will help. Also, this is relevant.

Thursday, March 05, 2015

Work around for the Lion Connect As bug

There’s a bug in Lion that causes all network connections to Connect As the current user. You can’t Disconnect and then get a username/password prompt; if you click Disconnect you’ll briefly see the “Connect As” button flash by. Then you’re back as the current machine account.

I think the bug hits when the username on the Lion machine matches the user name on the remote machine.

There are several workarounds, but this is the easiest for me.

Go to Finder:Go:Connect to Server. Look for something like: 


Now put the username you want to use on the remote server in there:


Now you’ll be asked the password.

(Yeah, still have a Lion machine. Old dual USB MacBook with a swapped drive. Won’t die.)

Sunday, March 01, 2015

How to find the damned MAC address for an Airport client so you can configure access times

There is such a thing as too few features. 

Apple stripped a lot out of Airport Utility between v5 and various v6 iterations. Among other things they made it much harder to find the MAC address for a connected device. You need this address to control access times.

The trick is to Option-double-click the base station to get the Summary tab, from which you can see the MAC address. You can’t copy paste that address however. To do that run the terminal command [arp -a]. Look up the IP and MAC address, that you can copy paste.

Of course you may find copy-paste isn’t all that useful. I tried a copy-paste operation into the MAC address field of Airport Utility 6.3.2 and the “Save” button stayed unclickable. I had to type the MAC address in character by character to enable the Save button.

Dumb. Really.

Thursday, February 26, 2015

iTunes Cloud videos not showing up? Maybe you're over the device limit Apple is now enforcing.

Recently Apple revised their US family sharing policy … "… up to 10 devices per account, only five of which can be computers … Not all products, including In-App Purchases … eligible for Family Sharing. “

Recently I think I ran into the policy limits. All of our family devices use a single iTunes account, but I’ve not run into trouble before. I think Apple has changed more than the Family Sharing policy. I think the new limit applies to wise old timers who’ve always used a single iTunes ID for the entire family (though everyone has their own iCloud account).

There’s no error message, instead my son’s iPhone 5 simply failed to show our Cloud video resources (TV/Movies). It would only show what was on the phone.

This happened after we introduced an i6 to the family. Emily doesn’t want anything bigger than a 5, so she got my 5s. Most importantly #2 finally got rid of his dying 4 in favor of a fairly fresh 5. 

Except the 5 wouldn’t show his Cloud video. They simply weren’t there. Signing in and out of the store did nothing.

So I pulled his old 4 out of the reserve bin and logged out of iTunes there. A few minutes later the videos showed up on his 5.

Looks like we went over the (new) limit. Turns out it’s not simply for Family Sharing, it’s for devices associated with an iTunes account.

In our case we have 6 active iPhones, 1 Apple TV and 3 Apple computers. We seem to be right at the 10 device limit, so #2’s old 4 pushed us over the limit.

It’s not documented but the iTunes App Store account information now provides some info. According to Account info we had 4 authorized computers and 10 devices. The device detail list provides some policy information:

Screen Shot 2015 02 26 at 10 45 36 PM

There’s no additional information on the 4 authorized computers. I know of 3 and an Apple TV. I could reauthorize them all and reauthorize but that’s a bit of a pain.

Interestingly the 10 devices includes 2 computers (should be 3) and doesn’t include the Apple TV or my own phone! It does, however, include several devices no longer in use. I removed all of those, but I needed to figure out why my new iPhone 6 wasn’t on the list.

Poking around with Apple ID on my own phone I saw this: “Enabling Automatic Downloads … or downloading a previous purchase … will associated this device with your Apple ID for use with iTunes in the Cloud”. So I launched a video and updated an app on my iPhone 6 Sure enough, I now show up on the list.

So we are again under the limit — for the moment. Buy some iPads though, and we’ll be in trouble. I think we’re done buying iOS devices for a while. We need to stay under the limit. The limit is likely to fall; the RetinaLock [1] screws are tightening…

… patent pending 2040) RetinaLock™ (Palladium Inside!™). The RetinaLock™ prevents any access to DRMd material by control of visual inputs. BrainLock does the same for auditory, tactile, and olfactory inputs. BrainLock Enhanced™ (mandatory upgrade 2045) makes it impossible to consider any action that would circumvent the workings of the BrainLock™ (thereby ending the trickle of death sentences related to violations of the DMCA amendment of 2043). 

[1] Incidentally, Google couldn’t find that 2005 blog post. Duck Duck Go had it #2 on the list.

Update 2/27/2015: I wonder now if the syncproblems I saw four months ago were related to bugs with Apple’s implementation of this device cap.

Wednesday, February 25, 2015

Aperture 3.5.1 empty project bug - a workaround

Maybe this is fixed in 3.5.2 — but I doubt it. This bug has been around for years.

Periodically Aperture will show a project as empty on opening — event though an image count is displayed and images scroll if you mouse over the project. It’s a dangerous bug, with some configurations it would be easy to accidentally delete an image filled project.

The usual fix is to restart Aperture.

The only other fix I’ve found is to create a truly empty project, then drag the apparently empty project into it. All the images reappear.

Saturday, February 21, 2015

Clearing thousands of Star tags from Gmail - two techniques and notes on Star support in OS X, iOS and Airmail.

Remember Inbox Zero?

Perhaps you’re there. Maybe, by dint of filters, of carefully constructed responses, of terror induced in potential correspondents, you’ve finally achieved productive nirvana.

You’re feeling good about it. Proud perhaps.

I’m here to ruin that. Because beyond Inbox Zero lies Sentbox zero.

In Outlook Sentbox zero means the “Sent” folder has no emails in it save those awaiting a response. They may have a flag that goes red 2 days after initial send. All other Sent emails have been deleted or (most often) dropped into the “keep” bin [2].

In Gmail things work differently. I don’t have/use folders; I make sparing use of a handful of tags. So I need a different way to tag sent emails that are awaiting a response.

There are several ways to “tag” such emails. I could use a Gmail tag/label, or a star, or a priority flag. The Star option is quick and synchronizes well across Google Gmail desktop, on OS X, and on iOS and OS X (alas, Airmail doesn’t quite work [1]). So I went with the Star.

The problem was that I had 4,500 stared emails in Gmail - largely from 2007 and prior. Maybe in those days I used the star? Maybe Google automatically set it? Long ago, but I needed to clear them out.

My web searches for a quick way to clear 4,500 flags failed. using an undocumented? Gmail keyboard shortcuts (edited here):

If you use desktop web UI with shortcuts, search is:starred or whatever and then *a to select all. Gmail then provides a link/offer to select all results, not just those on page. 

Once you’ve selected hitting ’s’ will toggle starred status.

I couldn’t test however, because I’d already used OS X to clear the Stars. In Mavericks maps the Star to a “red” (Default) flag — so I elected all of those and cleared the flag. then updated and cleared the Gmail flags.

No that my Flags are cleared, I can create and clear flags on my Sent emails that are awaiting a response. So now I can implement Sentbox zero-equivalent on Gmail.

- fn - 

[1] My copy of Airmail did not have a STARRED folder mapped to Gmail Star status. I had to create one using an obscure method. Pick any email and “star” it. Assuming preferences has Automap enabled, a new starred folder is created. On restart Starred now shows in the Folders section of the app title bar. Unfortunately it does’t work correctly, items starred in Gmail web app don’t appear in Starred folder — updates are one way from Airmail to Gmail. Fail.

[2] Not filed of course. Subject line is precisely correct and has key words used by search, retrieval will be by metadata search.

Tuesday, February 10, 2015

You can delete Facebook ID and Google ID, but Apple IDs are eternal (also iCloud).

My mother died on Dec 14, 2014. She was fortunate to live in Quebec, which manages the dying process far better than anywhere in the US. It went about as well as it could, and, thanks to all that socialism stuff, she left her family the estate she was determined to pass on. Points for a stubborn woman.

Dying is a complicated business, and I’m only now getting around to cleaning up her online accounts. They are a bit simpler than mine — I had only 3 identities to remove - Facebook, Google and Apple.

Facebook and Google were simple.

Apple — not so much. There is no way to remove an Apple ID, or to remove the associated iCloud data. Apple IDs are eternal.

Sigh. Oh Apple, you get away with so much.

The best I could do was to change her password to something awesomely strong by today’s standards and hope it doesn’t get hacked around 2040 or so.