Thursday, September 30, 2010

Google URL shortening

When I'm logged in to my Google account, goo.gl/Ou0h Details tells me how often goo.gl/Ou0h (tech.kateva.org) is clicked and gives me visitor information as well.  The information page includes a two dimensional bar code that QuickMark.app decodes as a URL.

The URL shortening page is new, but the service has been around for a while. You can create it from any page using a Google Toolbar or from extensions for Firefox or Safari or from various bookmarklets.

The primary value of Google's service, of course, is that it is likely to be around for a long time, and it comes with a full set of security services. Of course if you ever lose control of your Google account ....

A free lesson in multi-user web apps – Google Docs collaboration

Google has published a 3 part overview of how their Document collaboration framework.

If you’ve ever wrestled with permissive locks and multi-user collaboration (ex: encounter based care) it’s a bit mind blowing. They must have a bucket of patents on this one, but the lessons are free for all to learn and apply …

  1. Working together, even apart
  2. Conflict resolution
  3. Making collaboration fast

If nothing else, these articles do lay out all the issues. They provide a framework for thinking about these problems.

I do love blogs.

Saturday, September 25, 2010

An iPhone 3G with unchangeable black wallpaper - solved (groan)

Skip to the end for the (sob) solution ...
--
Tim's 3G wallpaper was black. For him this was not a feature. He likes setting his wallpaper, though not always to my tastes.

I tried restarting his iPhone, but the problem persisted. Then I installed 4.1. That went oddly; it threw up a very cryptic and long error code about a firmware update failure, but then it completed. (Yes, I wish I'd noted the error code. These sorts of number codes are typically useless, but they're better than nothing.)

The phone seemed fine, but the wallpaper was still black. Interestingly it let me choose an image, but only the lock image changed - but there was no error code and no option to choose a background image.

After that I ran the troubleshoot gamut ...
The repeated firmware install went without an error, but even that didn't work!

I think next fix I can imagine would involve jailbreaking and browsing the file system to see if I can locate an odd image stored with some kind of permissions or lock problem. Or I could try an Apple store.

Or it could be a memory hardware error.

Puzzling.

Then I tried restoring the phone, and I got "an error occurred ... -402636802". I then looked at the app install and it was grayed out. I knew what that was due to!

I disconnected from iTunes, turned off restrictions (App Install), reconnected, and let iTunes finish the app restore.

Still can't fix the black background (missing background image really) problem.

Update:

I figured this one out.

Remember, it's been a while since I used a 3G.

The 3G never had changeable wallpaper. Only the lock screen could be changed. Tim misled me by phrasing this as a lost feature. In reality he just wanted me to make his phone work like his parents' phones.

Well, that was certainly educational. Embarrassing too. At least it was a cold gray day.

The phone is fine. The install bug is real though.

When Safari locks up - Kill Flash process

A #$!@ ad on Salon locked up Safari.

I started Activity Monitor, sorted by Process Name, and force quite Flash Player (Safari internet plug-in).

Safari lives again.

Death to Adobe.

Updating Emily's 3GS to 4.1 - crash

I waited until 4.1 to be safe, but when I tried to update Emily's 3GS it was a disaster.

The phone went into recovery mode. Of course I forgot to pull photos off it, so I fear any on the phone will be lost.

Stupid of me not to pull the photos off.

So how often does the 4.1 update bork a 3GS?

Update: I was wrong. Backup does include photo and video. iTunes did an initial restore of the firmware (to 4.1 actually) then it let me restore from backup and we have the photos. I can think of a few reasons why her phone blew up
  1. As it was doing the upgrade I plugged in another phone to iTunes. This is not normally a problem. iTunes can normally manage multiple connected iPhones. The upgrade pear shaped within a second, probably less than a second, of plugging in the other iPhone.
  2. I used to sync this phone with a different account with a shared .Mac ID. I'd moved it over (separate post why) to a family account with the same .Mac ID, but I hadn't bothered to replace the music.
Update: With Tim's 3G iphone, which has always been synchronized to this account, I got an "error occurred while restoring this iPhone" during the 4.1 update. I think there's another reason for that however.

Wednesday, September 22, 2010

Synchronizing iPhone to Google - a review

Nothing new here, just a summary of the different ways one can sync between an iPhone and Google (Personal or Apps).

Ok, some of these things (dual alarm) are new with 4.2. Also new in 4.x, I think, is that if you choose the default Gmail account sync in the iPhone you get an option to sync your calendar. I think that used to require some separate setup. Note "Exchange" means ActiveSync.

My impression is that Apple likes CalDAV/IMAP and Google likes ActiveSync; they call it GoogleSync.

Calendars:
Email
Notes
  • IMAP only - not sure this is worth anything anyway. Use Simplenote.
Contacts
  • Exchange only

Tuesday, September 21, 2010

Why the new look?

I'm trying a new template, and making some other changes with "carriage returns" to see if I can get slightly less awful results with Blogger's rich text editor.

Update 9/25/10: didn't fix the problems

OS X 10.6: Synchronizing Address Book to Google Contacts

The Help file for OS X 10.6.4 (Snow Leopard) Address Book sync to Google Contacts links to this oddly named Google page: Where can I find information about Contact Sync? - Contact Sync Help.

This is what we get.

I'm working up to trying this. Currently I sync my iPhone contacts like this:
  1. Corporate: to and from Exchange 2007 [1].
  2. iPhone Personal <-> MobileMe Contacts
There are two additional syncs
  1. MobileMe <-> OS X Address Book <-> Google Contacts (My Contacts)
The last of these is mediated by Spanning Sync.

Both MobileMe and Spanning Sync cost money. I could easily live without MobileMe Contacts.

So I'm considering either  ...
  1. iPhone Personal <-> OS X Address Book <-> Google Contacts
  2. iPhone Personal <-> Google Contacts <-> OS X Address Book
Either way the Google Contacts to OS X Address Book would be mediated by Contact Sync.

Remember how easy this all way with the Palm III?

[1] This means my employer can wipe my iPhone at any time. This might or might not delete photos. Everything else is either synchronized or backed up, but a remote wipe would be a pain. Know your risks.

Speck PixelSkin HD for iPhone 4 - review

A month or so after I ordered it, I received my Apple funded case ...
PixelSkin HD for iPhone 4 - Black - Speck Products
.... Patterns and textures can turn “plain” into absolutely fabulous. PixelSkin HD has a shiny polished back with matte pixel overlay, creating an eye catching, sophisticated, and modern artful look. Light dances off the crisp, linear pattern of mathematical protection and perfection...
My iPhone feels obese. I had grown accustomed to the slender, almost imperceptible, naked iPhone 4. The case is great, but it is still a case. It is also black, which was the only option. Were I spending my own money, I'd have bought a case that's harder to lose on an airplane seat.

I've seen Apple's bumpers recently, and I think they'd be fine too. They may even be more shock absorbent. This Speck case, however, doesn't interfere with older iPhone connectors and, of course, it does protect the back half of the phone and the camera lens. If you're going to use a case, you might as well protect the back of the phone.

Now that I have the case, I'll be more relaxed -- so I'm sure to drop the phone. (Same phenomena is said to occur with bicycle helmets).

I'll get used to the obscene bulk. One day ...

Update 9/25/10: It has a thin rubber segment that crosses above the connector slot. I think that will eventually stretch, catch on my pocket and break. One day ...

The big problem with iPhone Gmail sync via ActiveSync (Exchange)

Google's recommended approach to Gmail iPhone synchronization is ActiveSync/Exchange.

This method has some advantages (push, simplicity) and some minor disadvantages (filing is awkward if you do that).

It also has a major disadvantage. If you delete in Mail.app, then Gmail archives.

Gmail doesn't delete it. It archives it. This appears to be intentional, and it's not configurable.

Update 9/22/10: I switched to IMAP.

Monday, September 20, 2010

Apple's iPhone parental controls are completely broken

I've ranted about how crappy OS X Parental Controls are, but I thought iOS did better.

Not.

My son specializes in hacking iOS. It's not hard. Even #@$@ PublicRadio.app has an $@$# embedded webkit browser function. Disabling Safari doesn't disable embedded WebKit access, and it's evidently extremely easy to incorporate WebKit into an app. So app developers do it -- because they can.

What the heck is wrong with Cupertino and parental controls? Is it the (bottled) water?

Update 10/2/2010: Martin in comments suggested a brilliant idea Apple could implement now. They could say that any app with unrestricted embedded webkit access gets an NC17+ rating. I'm sure PublicRadio and WolframAlpha would close their backdoors immediately.

Of course there are lots of things Apple could do in software, but that would take at least 6-12 months to do if it's not already done. I like Martin's suggestion.

Where OS X Chess Engine comes from ...

In case you ever wondered what powered OS X Chess ...
Sjeng - Wikipedia, the free encyclopedia 
An earlier open source version of Sjeng has been the engine of the standard Mac OS X Chess application since Mac OS X v10.4
There are far more powerful modern versions, but the price is right for the open source version.

Sunday, September 19, 2010

Installing from an ISO file for OS X VM hosted XP - use Disk Mounter

This is fun, but geeky.

I run XP in a Fusion 3.1 VM so I can use PowerPoint 2007 (PPT 2008 for Mac is a disaster,my dept requires PPT)  and a few other ancient Windows apps (Quicken, Access) with no Mac equivalents.

Recently I had to install from an ISO file. There are lots of ISO mounting solutions for Windows (not needed for Vista/7?), but I didn't need to bother. OS X Disk Utility (Mounter) will mount an .ISO file, just double click on the file.

I mounted the ISO file in OS X 10.6, then in Fusion I shared it into the Fusion environment.

Sweet.

[1]  OS X .DMG files are a form of .ISO file, and the simplest form of .DMG will mount with a Windows ISO mounter if the extension is changed.

Update: Andrew W, clearly in a party pooping mood, points out that if I'd looked in VMWare under "CD" I'd have seen it will mount an ISO image itself.

Google, please fire the team that's working on Blogger's rich text editor

I've finally cracked. I hate Blogger's broken rich text editor. It's time ... Please fire the team that's working on the Blogger rich text editor - Blogger Help.

GV Mobile is back - wait for the reviews

GV Mobile has returned to the App Store, presumably due to FTC pressure on Apple. Is the Battle of Google Voice entering a new phase?

It's now GV Mobile +. I bought it, but you shouldn't until you read some reviews. There are already troublesome signs
  • Sean didn't manage to update his web site prior to launch.
  • It's not an update to GV Mobile, so you pay again. I'm actually fine with that, but it does mean GV Mobile customers should wait for reviews.
  • It wasn't tested on the iPad.
  • It apparently doesn't run on 3.1 -- and there's no mention of that in the iTunes description! (Bad form.)
  • It's not compatible with Google's "Multiple sign-in" feature.
Basically the developer got caught out, GV Mobile + was not ready for launch. Give it time, read the reviews, and one demerit to Mr Kovacs.

Update 9/25/10: Working fine in light use. Probably coincidence, but the voice connections using this methods have been better quality than what I was getting dialing direct. It's faster and more reliable than setting up a long dialing sequence with pauses. I use it 3-4 times a week to call Canada.

Saturday, September 18, 2010

Reeder vs Byline: Battle of the iPhone Google Reader clients

I've used the Google Reader client Byline. app on my iPhone for over a year. The latest version is the best to date, but it's still has synchronization problems. It continues to show me articles I've read.

Reader itself has problems of this sort, but Byline is significantly worse. So lately I've been trying Reeder. I wrote this quick review for the app store ...
Bad news first. It crashes more than it should, but not more than Byline. Secondly it needs a manual, and it desperately needs a "reset" button to wipe its local store and force a reload from Google Reader. Thirdly it get its sync state confused, but no more than Byline. Lastly it doesn't precache the source pages, so Byline has a big edge there. There's no support for creating a Google Reader "Note" status update (Byline doesn't either).
Now the good news. The under-documented UI is elegant -- once you figure it out. (Programmers raised on games think life is a role playing adventure.) Readability is excellent. There's an option to open source pages in Instapaper Mobilizer - a vast improvement over Google Mobilizer. Services and configurability is excellent. Performance is great, so stability is now a bigger issue. It shows Following (Byline doesn't) - but here it gets counts wrong.
Bottom line - definitely worth the money, currently the best of breed, room for stability and synchronization improvements and, for the love of Binary, please add a reset option.
I think Reeder is a better app than Byline -- for the moment. It's not perfect though. If the developer doesn't fix a few bugs soon I'll take a look at Mobile RSS next.

See also (reviews found by search on [Reeder Byline "Mobile RSS"]:
Update 9/30/10: No contest. Reeder is much better. There are bugs (Followed count), and crashes, and I miss the original page pre-caching -- but it's still the clear winner.

Friday, September 17, 2010

The Cisco WebEx ARF Player for OS X - convert to MP4

Welcome to the world's only documentation on the Cisco WebEx ARF Player for OS X.

You have come here because you downloaded a WebEx ARF file. These are used by some training companies. You brought it home, and you want to put it on your Mac so you can convert the ARF to .MP4 and transfer it to your iPhone. Perhaps you know that the ARF Player for Windows will export to Flash, WMV and (takes @ 1 hour) to MP4.

You have downloaded the OS X version and completed the installation. Now you're ready to begin.

Except ... where's the application?

Sigh. I might as well tell you directly. The OS X version of the ARF Player has no conversion options. All it does is play the ARF file. The executables are installed in your User Library:
/Users/(user name)/Library/Application Support/WebEx Folder
There's no Application UI, but if you double click on an ARF file it will play. There's also a shortcut on your desktop

I suppose we should be grateful that they used an OS X installer with a log. I think the uninstall is deleting the Library Folder.

If you want to convert to .MP4 on a Mac, you'll need to run a VM.

Yes, Cisco does suck.

You can, however, play back the ARF file and use Audio Hijack to grab the audio as it plays and save it as an AAC or MP3 file.

Thursday, September 16, 2010

Resetting permissions from the OS X 10.5 and 10.6 Installation DVD

The Installation DVD has the ability to reset permissions using, oddly enough, the "reset password" utility. CNET Fix-It describes this tool in the context of moving files between user account and resetting their permissions..

How-To: Migrating to a new user account in OS X | MacFixIt - CNET Reviews:

Insert your OS X installation DVD (the gray restore DVD that came with your computer should work) and boot from it by restarting while holding the 'C' key down.
Select your language and choose 'Reset Password' from the 'Utilities' menu.
In this utility, you can reset the permissions on your home directory, so follow the instructions to do that on your new account.
When the permissions have been reset, reboot the system with the 'Shift' key held down (it boots to 'Safe Mode') and try logging in to your new account.
If everything is successful, then reboot normally.
Go to the 'Accounts' system preferences and remove your old account, choosing the option to delete the home folder for that account.
I'd never heard of this 10.5 (Leopard) feature. The utility can be used to cure a permission bug related to "apply to enclosed items" that afflicted me in 10.5MacWorld describes the permissions fix, and the bug, best ...
... the permissions problem ...  can arise if you make a change to the Sharing and Permissions listings in the Finder’s Info window for a folder in your Home directory, and then select the “Apply to enclosed items” option from the Info window’s Action pop-up menu. You’re especially likely to see these symptoms if you do this for the Home directory itself, but I believe the issue can also arise if you perform the action on subfolders...

... sudo chmod -RN ~ ... removes all Access Control List (ACL) modifications from all items in your Home directory. These modifications can come from certain changes made to the Sharing & Permissions section of an Info window.

Next, start up from a Leopard Install DVD and select Reset Password from the Utilities menu. Here is where the new feature appears. This utility has been around for quite awhile, certainly prior to Leopard. However, the Leopard version sports a new option—Reset Home Directory Permissions and ACLs.

... it’s not clear (at least not to me, with my limited UNIX background) why the Terminal command is even needed, as the Reset Password action appears to include what the command does. I could not find any documentation for the Reset Home Directory Permissions and ACLs action, so I could not confirm this for sure.

Second, it is not clear whether the symptoms are due to a bug in how “Apply to enclosed items” works, which Apple will hopefully fix—or if you are simply never supposed to use the command with your Home directory.
Is this a good time to mention that I hate OS X Permissions.

I checked my copy of the Tidbits book "Take Control of OS X Permissions" but they seem to have missed this one. I'll send in a reference to this post so they can add it with the next update.

Wednesday, September 15, 2010

Apple's support glitch - .Mac (dotmac) accounts don't work properly

I tried Apple's new support system - Express Lane. It looked ok until I tried their Support Profile feature ...
Apple - Support - My Support Profile
... We're sorry, you are signed in with an Apple employee or contractor account that cannot be edited with My Support Profile...
I've seen this before. Old timers with .mac Apple IDs are incompatible with Apple's customer database. It's been years, but they can't make the conversion.

Apple is probably waiting for us to die.

Google hack lessons - where the geek risks are

I've learned a lot about security risks since my My Google (gmail) account was (harmlessly?) hacked. I'm still learning, but I need to return to some of my recent posts and correct the mistakes I made.

Some impressions today ...
  1. Google is not working this problem well. Their ownership authentication strategies smell of stale desperation [1]. Do they have corporate progeria?
  2. The risks for non-geeks are different from the risks for geeks. We all know the non-geek risks: trivial passwords, dictionary attacks, phishing, etc.
  3. The risks for geeks are password reuse, password capture and careless "secret question" password resets. "Strong" (high entropy) passwords don't help with any of these.
  4. Password reuse risk comes from using the same password at multiple sites, one of which has weak security, or goes bankrupt and loses control of its data, or is a honeypot - either by design or by hack.
  5. Password capture risk comes from virus/trojan keystroke loggers (esp. at work), browser exploits (esp. at hacked sites), and, potentially, fraudulent apps (desktop, iOS, Android).
  6. Password reuse and password capture risks are synergistic.
  7. Security (secret) questions have traditionally been considered a security risk created by companies with accelerated dementia (see also), but, in a world in which passwords may be too easily stolen, they might be a good idea, assuming Google keeps a history of security questions and answers. (We don't know if they do. I assume they do.)
For a geek then, risk mitigation involves
  1. Do not ever enter your primary Google credentials on an untrusted platform. Never at work, never on an XP machine, never for a web site, never for an untrusted app. This means you need to create a secondary, personal, full Google account and grant it limited access to core Google services. The secondary account is used on untrusted platforms and is disposable.
  2. Don't use OAuth and similar technologies. No, they don't store your high end credentials. The problem is the whole point of OAuth is using strong credentials with the OAuth provider, but then you can't use those credentials on untrusted platforms.
  3. Don't reuse your high end (Google) credentials. This is a royal pain. Practically, it means you can only manage 2-3 high end memorized credentials (pattern based password versioning is high risk), so you can only have 2-3 high value services. Low value services get disposable passwords.
  4. In the unlikely event that you own a phone that doesn't reveal your gmail address, consider signing up for text message password-reset.
  5. Make the Security question your friend. Write your own question, and use either a passphrase you use nowhere else or just enter a GRC password. Write down the answer on paper and save it somewhere safe. Keep the question and answer in your encrypted iPhone password database.
I need to point out a few more things about the Security question [1]
  1. If your account is hacked you need to change your Security question. Why? Think about it. You can't read it. You don't know if the person who had control of your account changed it. You can set it to what you meant it to be.
  2. Since the Security question can be changed, we have to assume Google keeps a record of past responses. Otherwise it's worthless. On the other hand, if Google keeps a history of Security question/answer pairs then any weak Security question will be a problem forever.
  3. Make your security question response an unguessable password or pass phrase. Don't reuse it, this is a special account. Put it on paper and in your encrypted iPhone password repository.
    -- footnotes

    [1] I'd like Google to provide a unique secret account identifier visible only to persons with password access. This can then be a form of identity claim, with none of the weakness of the Security question or the history problems. The hacker would know it, but so would the true owner.

    Update 9/20/10: Ideas on how OpenID could be the solution, not the problem.

    Tuesday, September 14, 2010

    After the hack: A disposable Google Identity

    Aside from the tedious task of reviewing and upgrading a large number of passwords, the biggest change I've made after my Google account was hacked is that I no longer enter my important credentials on untrusted devices. That includes any machine that lives in the virus and Trojan infested world of the XP based American corporation.

    This is a bit of a pain. It would be less of a pain if my iPhone had a keyboard [1] and could drive an external display, but that's a few years away.

    For now I'm taking a two step approach when I work with devices I don't control (non-OS X/iOS).
    1. Using email as a transaction source.
    2. Creating a disposable alter ego - a full gmail identity with limited privileges.
    There's a lot of typing work I can do using email to "secret" addresses. I can mail tasks to Toodledo which in turn sync to Appigo's ToDo.app on my iPhone. I can mail drafts or posts to Blogger. I can mail invitations to my Gmail address that will turn into Calendar invites. I can't (yet) mail to Reader Shared Notes, but there are workarounds [2].

    Of course a keystroke logger will capture these addresses, but there's no money in abusing these and the damage potential is pretty small.

    The second task will be much easier when Google finishes the big project of integrating Google App identities with the Gmail/Google Account infrastructure. When that's done it will be easy to create disposable identities with shared access to calendar and contacts. That's many months away however, and based on some early testing a standard Google App account isn't quite good enough.

    So for now I created a full Gmail account to serve as a disposable identity. It will have access to our family calendars and will have read/write (but not admin) access to my blogs but minimal access to Contacts. If I lose control of that account, I'll remove its privileges and walk away.

    Annoying new world!

    [1] I'm hoping to buy a kb like the one I used to use with my Palm Vx ten years ago, but I get the sense manufacturers are waiting for iOS 4.2.
    [2] I mail to buzz.kateva.org which I follow in Reader. I Google Reader share from their.

    Saturday, September 11, 2010

    Some podcasts in smart playlist won't sync to iPhone after 4.1 update

    I am pretty sure this new 4.1 bug is related to an age old bug: Apple breaks Smart Playlists on iPhone and iTunes alike (yet again).

    Some podcasts referenced in smart playlists won't sync to my iPhone after the 4.1 update. If I force them to sync by manually adding them to another list they appear in the smart playlist, but they appear in the wrong order. They appear first.

    Looks like Apple doesn't understand the Smart Playlist bug. They fixed part of it, and broken another part.

    My ScanSnap S1300 document scanner review

    I bought this scanner because Joe Kissell loved it and Kissell is a good geek. By my standards it was a bit of a shot in the dark, but I'm happy. Even so, I only gave it 3 stars in my Amazon review -- the software is worse than Kissell described (he uses DevonThink Pro Office, $150, so he didn't get the full software experience).

    Read the Kissell review, then my own Amazon review. I'll probably do some updating here later, but I wanted to get this out (emphases added) ...
    Amazon.com: Customer Reviews: Fujitsu ScanSnap S1300 Instant PDF Sheet-Fed Mobile Scanner (PA03603-B005)
    I've been looking for this scanner for 15 years. It's good enough. It could be better, but it's good enough. If it lasts for two years I'll happily buy it again at the same price.
    The hardware is essentially perfect. It's a bit annoying that you need two USB cables if you want to avoid the generic (mediocre) power brick, but blame that on USB. We should all be using either old style firewire or never coming USB 3, but we're stuck with USB 2. It scans both sides of paper at once. Yes, DUPLEX.
    Although it's primarily a document scanner, I've used it scan color prints. The results were not professional quality, but they were darned good and fast.
    The 300 page user guide documentation is excellent.
    The software is mediocre. Some of the bundled OS X software is so old it's non-native on Intel machines, fortunately you can omit that install. Unlike the higher end machines you don't get Adobe's superb PDF/OCR combination (yes, once Adobe was competent), you get a much less efficient product called ABBY FineReader. Even so, it does produce PDF images with searchable OCRd text indices.
    Most importantly, OS X Spotlight WILL index the text associated with these PDF image files.
    The mediocrity extends to the ScanSnap Manager UI and workflow. Clearly this was a low bid contract. Don't expect much in the way of upgrades or future products. The scans, however, can be sent to products like DevonThink Pro ($150) for processing.
    The scanner uses proprietary drives. This is the biggest concern. If they're not upgraded we can be sure that within 3 years they won't work on OS X. Fujitsu, notoriously, does not provide new versions of ScanSnap Manager without a hardware purchase.
    There are other problems with the software, but so far it hasn't been unstable.
    In summary, 2 star software, 5 star hardware, gives a 3 star review. Surprisingly, I still love the product. If Apple were ever to produce a scanner, it would be a lot like this, though with a better power adapter and infinitely better software.
    If you prefer 200K OCRd B&W documents to 8MB grayscale/color you need to set and use Profiles. The software isn't smart enough to make that choice for you.

    It occupies a corner of my desk where papers used to pile up. It uses less room than the papers, which now live in the recycling.

    Update 9/14/10: various notes I really don't have time to assemble into a coherent whole, but will be of interest if you read this far....
    • There's a Carrying case offer
    • Scan Snap Manager includes an online update option from the Help menu
    • Uses a standard OS X Apple installer and documentation has clear uninstall directions
    • 1.2GB installation - watch carefully for the custom install option and disable Cardiris (143MB, needs Rosetta, not useful). ABBY is 526MB, ScanSnap Manager is 2576MB
    • Fujitsu sells consumables - cleaning kit, pad assembly (10,000 sheet or 1 year), Pick Roller 100,000 sheets or 1 year. Fujitsu is used to selling to the high end!
    • 1 year warrantte, no active exchange
    • Options like 1 page vs. multi-page are not obvious.
    • You can change options for a single scan without clicking Aplly (which is actually save) but the progress UI shows the saved settings, not the current modified settins
    • Profile Management has glitches with OS X Spaces and multiple monitors
    Update 9/28/10: OS X black screened on me. First time in a very long time. SSM has to be #1 suspect.

    Update 7/8/11: I can't recall what that 9/28/10 crash was, but it wasn't due to ScanSnap. Posting now because a comment on my Amazon review tells us Fujitsu has updated the S1300 drivers for Lion. Indeed, they seem to have updated all their current drivers. This was one of my concerns with the ScanSnap and I'm very pleased to see them do this. I'm not on Lion yet, so I'll hold off updating. I will download a copy however.

    Update 4/14/2013: Today, after one mangled page too many, I decided this scanner was a bad idea. The sheet feeder simply isn't good enough.

    Friday, September 10, 2010

    Twitter feed for my Google Shared Items

    Five months ago I started using twitterfeed to route my Google Shares to my (real name) personal twitter account. I pretty much forgot about it, I don't have much use for Twitter.

    So I was surprised one day to discover people follow that twitter stream -- including people I know. A stream that has my (c) real name on it! A discoverable stream!

    That won't do. The reason I changed all the names on my blog to my first and middle names (John Gordon) is so that my ideas and shares wouldn't be trivially discoverable. Trivial discovery is a poor match to my boring work life.

    So today I created a duplicate Twitter feed for my Google Shared items -- as  John Gordon (jgordonshare).

    If it keeps working I'll gradually promote that stream, and remind people following my true name Twitter feed to switch over. Then I'll turn off my true name stream.

    Identity management is a subspecialization of reputation management.

    -- My Google Reader Shared items (feed) (twitter)

    Wednesday, September 08, 2010

    After the Gmail hack - passwords and security

    My Google (gmail) account was hacked. Interestingly, I've yet to discover any consequences.

    My 58,000 email seem intact. There are no obvious changes to my documents. Passwords were not changed. Spam was not sent. Our financial accounts do not appear to have been hacked.

     It's curious.

    So what am I doing differently?

    I've always followed Schneier-approved security practices. That is I've calibrated my security measures to the value of what I was protecting, and balanced the cost and benefit of security. Since the hack I've not made any radical changes, but I have adopted somewhat more restrictive practices. I fear the cloud more than ever.

    I have no reason to expect that my password database, stored in 1Password on my iPhone and dektop, and in a FileMaker 7 database on an encrypted disk image at home, was exposed, but of course control of my email account would facilitate password resets. I'm gradually going through passwords and updating those I care about. That's probably less than 30 of the 1,500 or so entries in my password database. A gmail search of my email for the string "password" did not find much of interest.

    Here's what I do now:
    1. I revised the passwords on my Gmail account (obviously) and all of our Google accounts. I used the free Password Assistant utility to invoke OS X password assistant to help choose good passwords. I use mostly "readable" passwords or, where needed, the number/letter options. I store these in two places - 1Password and FileMaker Pro [1].
    2. I'm incrementally working through the passwords on all of our financial accounts. That's worth doing anyway. Fidelity used to require weak passwords, now they allow reasonably strong passwords. In one case that will go unnamed, their security remains appallingly weak. In several cases the security arrangements remain, essentially, insane.
    3. We are storing less in Google documents. We didn't store much, but I'd considered putting some shared material in spreadsheets there.
    4. I'm deleting email more. No sense keeping what I don't need. I might send myself a password to enter into my password database, but why keep that around?
    5. I printed all password modified in the past two years for Emily and wrote on that directions on how to use the encrypted shares. That's non-electronic and stored in a secured place she controls. If I kick off, she has all she needs to get at the complete set - no passwords required.
    6. I don't enter my Gmail/Google credentials on machines I don't control.
    The last is the biggest change. It's doable now that I carry an iPhone around.

    These are the changes I'm considering and will probably implement:
    1. Move my email archives off Gmail. 58,000 emails is a rich attack surface. I may decide to keep only a few hundred emails there.
    2. Create Google Apps/Gmail accounts that have limited access to things like my contacts, calendar, blogs and so on. Use these primarily, and limit use of my core Google account. Think of these as perimeter defense that can fall to the enemy.
    [1] I don't trust 1Password completely, but there's no easy way to put FileMaker data on an iPhone in a robust encrypted store. So I end up using FMP as my source of truth, and 1Password more or less updates itself and serves as a backup. Both are included in my routine backups, including the encrypted backup I take offsite. I've used both of these for some time.

    Update 9/13/10: xkcd on why having a robust password is not enough - creating honey pot services to attract passwords (Ping.FM?). iPhone/Android apps can do the same thing. This could be considered a form of social engineering/phishing. In my case I didn't reuse the Google password.

    Tuesday, September 07, 2010

    Operators in Windows Search and Spotlight - Common and Similar

    This is a narrowcast post. It's of interest to someone who ...
    1. Is a serious geek.
    2. Has to routinely find things in very large document and email collections.
    3. Uses both Windows Search (built into Vista/7, add-on for XP) and Spotlight for OS X.
    If you're still reading we need to go out for a beer the next time you're in MSP. There are only 2-3 like us on earth.

    In an earlier post I discussed operators in Spotlight. When I first posted I complained about the difficulty of reconciling Windows Search operators and Spotlight operators. It's tough enough to learn one set, but learning two is kinda painful.

    My first impression was wrong though. It turns out that several operators work in both Spotlight and Windows Search. Below is a list of common operators, followed by a list of differing operators and conventions. I'll update both lists over time. I'm only including the ones I use, there are many more.

    Common operators (work in both Windows Search and Spotlight)
    • author:
    • kind:folder
    • kind:contacts
    • kind:email
    • kind:music
    • date:>7/4/1776
    • Boolean rules with parens (AND, OR, NOT)
    Differing operators (W|S)
    • Windows uses () to contain phrases, Spotlight uses quotes
    • kind:docs | kind:document
    • not available | kind:application
    • modified:3/7/08..3/10/08 | modified:3/7/08-3/10/08 (hyphen might work in Win)
    I think Windows Search accepts a number of variations, so I'm going to try more OS X Spotlight operators and syntax with Windows Search and document what works. Even now, however, it's impressive how much commonality there is.
    --
    My Google Reader Shared items (feed)

    Monday, September 06, 2010

    Archiving email

    In the 90s Slashdot was hot. There were no blogs, no feeds, just Slashdot and their commenting system.

    Even at its peak, however, you could see the problems. There were hordes of comments on stories, but most were worthless. Good comments often arrived late, and were never ranked so never seen. Realtime before its time, and flawed in the same way realtime is now.

    Slashdot is still around, but I rarely find anything novel there. Today was different. Someone asked a question I've wondered about for years ..
    Ask Slashdot | Best Way To Archive Emails For Later Searching? (Anonymous)
    ... I have kept every email I have ever sent or received since 1990, with the exception of junk mail (though I kept a lot of that as well). I have migrated my emails faithfully from Unix mail, to Eudora, to Outlook, to Thunderbird and Entourage, though I have left much of the older stuff in Outlook PST files. To make my life easier I would now like to merge all the emails back into a single searchable archive — just because I can. 
    But there are a few problems: a) Moving them between email systems is SLOW; while the data is only a few GB, it is hundred of thousands of emails and all of the email systems I have tried take forever to process the data. b) Some email systems (i.e. Outlook) become very sluggish when their database goes over a certain size. c) I don't want to leave them in a proprietary database, as within a few years the format becomes unsupported by the current generation of the software. d) I would like to be able to search the full text, keep the attachments, view HTML emails correctly and follow email chains. e) Because I use multiple operating systems, I would prefer platform independence. f) Since I hope to maintain and add emails for the foreseeable future, I would like to use some form of open standard. So, what would you recommend?'... 

    I think I might still have my NCMail (Norton Commander Mail) archives, back before the public internet, when MCIMail was a great services. That was, by the way, one of the best email clients ever written.

    Here are some of the suggestions, with my comments:
    • Run an IMAP server and host them there
    • Notmuch (Linux)
    • Gmail
    • MailSteward for OS X: Uses SQLite or MySQL and process mbox files from Eudora and Endourage. Works with Mail.app I'm going to see if this can process my PC Eudora files.
    • Maildir storage format uses system directories for mail folders and is indexable. It's used by Dovecot IMAP sesrver.
    • mairix - email index and search tool (unix)
    Sadly, most of the comments are as worthless as I remember, except they degenerate to mod disputes faster than ever.

    Incidentally, Sarbanes-Oxley means CEOs can go to jail for corporate malfeasance. This is inspiring corporate rules around email retention and especially email deletion. So the email archive management industry is spinning up.

    Update: MailSteward failed Gordon's Law of Software Acquisition #4:
    Inspect the uninstaller. The best apps don't need one - just delete the app. After that look for something built into the app. Then look for something that downloads with the app. If there's no installer stop immediately.
    MailSteward has an Apple installer, but neither the FAQ or the Manual seem to discuss uninstallation.

    That ended my MailSteward evaluation.

    Google Apps aliases can stop working

    I don't think this is related to recent password changes, but I just learned today that the email address for this blog wasn't working (jgordon@kateva.org).

    It was configured as an alias on a Google Apps account at kateva.org. I removed the alias then restored it, now it's working again. So Google Apps aliases can stop working.

    Sunday, September 05, 2010

    Better Spotlight in 10.6: search current Finder folder and more

    This is new in 10.6. I just read of it. For me it's one of the very best things about Snowie ...
    TidBITS Problem Solving: Find Files More Easily in Mac OS X
    ... you can restrict Spotlight to search the current Finder folder by default, instead of This Mac. To do this, choose Finder -> Preferences, click the Advanced button, and choose Search the Current Folder from the pop-up menu. From then on, when you invoke the Finder's Find command by choosing File > Find (Command-F), searches will be limited to the current folder showing in the frontmost Finder window....
    The search window in the Finder menu will also default to searching the currently selected folder.

    Drives me crazy that the best features of 10.6 are bloody secrets.

    Now if I could only search by file name instead of all contents...
    ... you can make sure the Search bar at the top of the Finder window is set to File Name without requiring an additional click. Hold down the Shift key, and choose File > Find by Name (Command-Shift-F). This command is available in both Mac OS X 10.5 Leopard and 10.6 Snow Leopard...
    Auggghhhahaha! Now they tell me. I just did it. It works.

    Wow. Search scoped by folder context, default to file name.... It doesn't get better than this. If only this were the default behavior ...

    Yeah, search by file name can be mapped to Cmd-F -- but it requires a logout and login to work. You can also tweak the search results window layout and add a "Last Modified" column to the list view. Please read the original article and send TidBITS some love.

    Oh, one last thing. Suppose you've done all of the above but you want to restrict your search to only folder names and modified after 1/1/2010. That looks like this:
    kind:folder date:>1/1/2010
    Yes, you can use the same sort of operators with Spotlight that you can use with Windows Search. Alas, they aren't identical, so if you do both you are more or less doomed. (I was wrong, they do overlap.)

    These operators are usually described as "undocumented", the including in this excellent 7/10 CNET article. That article gives us examples like:
    "Apple Computer" kind:pdf OR "Apple Computer" kind:text NOT (Google OR Yahoo OR "Microsoft Corporation")
    In fact in 10.6 these features are documented in the little known OS X feature known only as "Help". (It's still not as good as Windows Help, but it no longer sucks.). Search Help on "Spotlight" and look for these Help articles:
    • Performing a Boolean or metadata search
    • Searching for specific types of items

    Saturday, September 04, 2010

    My Google (gmail) account is hacked - by ductus.com

    9/20/10: I've updated this post to fix some errors. For example, I originally misread whois and thought tucows owned the hacked domain, they are the registrar. My longer term evaluation and responses are in a separate post.

    My Gmail/Google account has a robust password. So this notice surprised me:

    It showed up when I connected to Gmail. I was told my account had been accessed from an atypical location 1 day ago. The next thing I saw was that it was accessed from ductus.com (WA, IP 63.83.70.14), a domain that belonged to a software company in the 1990s. [1]

    I followed the advice and changed my password. I looked into my Google store account but didn't see any new transactions or sent email.

    After my password change things got a little odd. My new password wasn't recognized. I had to do a password reset (fortunately I'd followed Google's password reset advice). That worked, but it's like going to the reserve parachute. It's a very bad thing. Not to mention that I now need to change my stored Gmail/Google password in about 30 places.

    Clearly something bad is going down.

    The best answer is that this is a false alarm. That's bad enough.

    The less best option is that either my Google password has leaked or Google has a global security issue. A dictionary attack wouldn't work on my prior password; I don't change my Google password very often (like most security professionals), but it's a robust non-word five letter four number sequence. (Now, of course, every string in my 58,000 + emails is potentially part of a dictionary attack. I will eventually need to change every password I and my family use.)

    Assuming my Google password leaked, how did that happen?

    I don't store my Google password with online services, but I can't rule out a leak from an old forgotten online account or a wifi intercept. I very rarely log-in on public sites, but I do log-in from work. My employer could certainly be logging my keystrokes, but it is very unlikely that my large corporate employer would take the risk of hacking my Google account via an abandoned domain (though HP did do something like that to its board members). On the other hand, we do get virus infections every few months, and I don't think we catch them all.

    I do store my Google pw in several iPhone apps. Any of those could steal that password but they are all pretty high profile apps.

    For now I'm redoing all my passwords everywhere. This will take weeks, but I'll start with the highest security sites. I discuss the implications and possible attacker profile in a later post.


    footnotes

    [1] Ductus was a company in 1998:  "Ductus, Inc. is a Mountain View, California-based company that develops and markets 2D graphics software and hardware http://www.ductus.com". So this domain was abandoned.

    See also:
    Update: If Google doesn't limit the number of login attempts, then my old password would be vulnerable simply because it was only 10 characters. That will fall to a brute force attack. Interestingly I can't locate any documentation on this. From my own testing I think the first time you access Google from a new location you have to enter a CAPTCHA as well as a password. If the password fails you keep getting a CAPTCHA.

    Update 9/14/10 - useful links

    CrashPlan Fail - you still can't remove an account

    Is it obvious how to delete your account and all data and services?
    This rule is always important, but it's critically important for a Cloud backup service. Do you really want to forget or lose control of a complete backup of all your unencrypted data?

    CrashPlan failed this test, and others, seven months ago. Back then, during a trial period, I had my backup data on their servers. Their FAQ then didn't describe how to delete it.

    I was later told you could delete it by logging in to the CrashPlan account web site, then choosing CrashPlan Central -> Destinations>Online, then selecting "Remove Backup Destination". There was no way to remove an account however.

    Today I checked. My account still remains, but now that the trial period ended I don't see an option to remove my data from their servers. Perhaps the data is gone, or maybe if I paid up I'd see it reappear. I wouldn't be surprised by either option.

    There's still no way to remove an account from the web site. I also noticed that "My Profile" includes "Receive promotional emails from CrashPlan.com". Hell freezes over the day I opt-in to promotional emails, so that was a sneak play.

    CrashPlan is on course to crash landing. When they go into receivership their creditors will own your data. Creditors who need to recover some of their losses.

    Update: See comments from CrashPlan. They tell me the data is likely overwritten, and is not recoverable after the promotional period ends. They have no plans at this time for an account removal feature, that requires email (seems a risky practice). Maybe that will change. Comments underscored the importance of client-side encryption.

    See also:

    VMware Virtual Machines - the backup problem

    It's times like this that I really miss Byte (or BYTE?) magazine. They would have had great coverage of VMWare VMs - how they work, and what the risks are. Now that's specialist knowledge. Knowledge that, when I use Google, is obscured by a haze of marketing material.

    The best we non-specialists can do is share our limited experience in blog posts, like this one sharing my experience with VM backup. That's been a problem for me.

    First - my experience. I've used VMWare Fusion on my Macs for a few years. I need it less than once a month, typically to launch XPSP4 and run Access or (yech) Quicken. On the other hand, I configured and use a VMWare Workstation on a 64bit Win7 machine at work. That VM is running a Windows 2003 Server environment with terminal server and I use it very frequently.

    Both my Fusion and Workstation VMs are configured to store the VM data as many files rather than a single monolithic file. Both are about 80-100 GB in size and store as little of my data as possible; on the Mac the individual .vmdk files vary in size from about 200 to 500 MB. I don't have the Workstation VM at hand but I think its files are all a fixed size.

    The host OS X machine is backed up using Time Capsule (sigh) and SuperDuper! (sigh). Neither give me the warm fuzzies of Retrospect at its best. The Windows 7 machine is backed up using (Dantz -> EMC -> Roxio) Retrospect Professional.

    I configured both VMs to use multiple files because of the VM backup problem I knew about.

    The obvious backup problem for these machines is that if you configure a VM as one monolithic file, then every time you touch it the host system backup software has to backup a 100GB backup event. That will overload Time Machine (Capsule) or Retrospect pretty quickly. (More sophisticated backup software can manage this differently, but I don't think TM or Retrospect can.)

    That's why I went with separate files. Backups would only have to manage the files that changed. (Ahh, but how does the backup software know what's changed - esp. if the files are a fixed size?)

    I think that approach does work when the VM is shut down. I think it works on my Mac. It doesn't work with Retrospect Professional on the Windows 7 machine where our VM is always running.

    I learned that the hard way when we tried to do a restore. The restored VM seemed good at first, but it was soon clear that we'd somehow ended up with different time slices. We had to kill the VM. Fortunately, because I'm justifiably paranoid about backup, we also had a file system backup that was only a few weeks old. Since we don't keep data on the VM we lost very little.

    This is a nasty problem. As best I can tell, at least on Windows, Retrospect Professional can't do a reliable backup of a running multi-file VMWare VM. The limited VMWare marketing material I could find suggests this isn't just a Retrospect problem. The solution is, of course, to buy their costly backup software. You can also do backup from within the client OS, but that adds a new level of cost and complexity to overall backup. Retrospect Professional, for example, won't install on Windows 2003 server. For that you need their much more costly server backup.

    Now you know what I know. If you know any more, or can point me to anything that's not marketing material, I'd be grateful.

    I do miss Byte.

    --My Google Reader Shared items (feed)