Tuesday, November 28, 2017

Google's phishing vigilance and the risk of blog comments

I got a notice from Google yesterday. tech.kateva.org had been quarantined as a phishing vector. Visitors would be warned away. I had a short time to fix the affected page that was listed below …

But there was nothing there. Same thing with a link to a downloadable spreadsheet of issues. That was empty too.

Elsewhere in the message a page was identified. It sure looked benign, the only link was to an Apple support site. It’s a (Google) blogger site and all the widgets were default Blogger. No extra HTML. No comments.

Also, despite Google’s warning, the blog was not quarantined.

A puzzle.

Oh, I left something out. The day before a published spam comment showed up in my comment tracking feed. I get a few spam comments every day or two, but this was the first published one in a while. I went to delete it … but by the time I got to Blogger’s post management menu the comment was gone.

This is what I think happened:

  • This blog was set to allow comments without approval from authenticated posters for posts less than two weeks old.
  • A bot created an authenticated identity and created a phishing attack comment.
  • Google spotted the comment, quarantined the site, and sent the notification email.
  • Blogger spam detection identified the comment author as a spammer and deleted all comments by that identity — including the one on my site (why it was gone).
  • Google rechecked my site and lifted the quarantine — but couldn’t retrieve the notification email.
  • The notification email was partly empty because it was a query that returned Null. It had one part that was written at time of email generation and that contained the link to the once contaminated page.

I changed comments on the blog to require authorization at all times — no two week window for authenticated users. Clearly authentication is no longer a sufficient barrier. I don’t want phishing attacks on my blog, and I don’t want to get quarantined.

This reminds me what a strange fish Blogger is. It works fairly well, though there’s a longstanding problem with CR/LF handling that reminds me too much of DOS 2.1. It gets very few, but still some, updates. Google has switched their blogs off Blogger, but they haven’t used their new proprietary RSS/Blog platform to replace Blogger. Blogger is neither dead nor alive, and Google RSS is similarly quantum.

Sunday, November 26, 2017

Apple's Apple ID fiasco is getting worse -- declining support for Apple Store ID that is not iCloud ID

Like many veteran geeks I have a different iCloud ID and Apple store ID. This used to be a supported configuration. In my case it was essential because of some complicated history with Apple’s .mac precursor to MobileMe and iCloud. (In an unrelated matter I have another 3-4 Apple IDs that aren’t connected to anything but, depending on the vagaries of Apple’s hacked together legacy databases, sometimes pick up Apple Store hardware purchases.)

This is what Apple’s support document says now (emphases mine) …

Sign in with your Apple ID - Apple Support

… We recommend that you use the same Apple ID for all Apple services on your device—including the iTunes & App Stores and iCloud …

… If you have multiple Apple IDs, you can’t merge them …

I went looking for this document because I think iBooks.app doesn’t work properly with an iCloud ID that’s different from the Apple Store ID that can be used to purchase iBooks. It looks like this will be a trend.

Note what Apple says here. Your Apple Store ID and iCloud ID should be the same. You also can’t merge them [1]. So you either need to abandon all your Apple Store purchases or your iCloud storage purchase.

Anyone remember when Cook promised to fix Apple’s original sin of a botched identity management system? Apparently the problem is harder than building spaceship headquarters.

Apple should bite the bullet and come up with a process to merge Apple IDs. I fear they aren’t going to bother though. I really miss class action lawsuits.

- fn -

[1] There is a possible workaround. You may be able to use your iCloud ID as an Apple Store ID and then make it a family member of the original Apple Store ID. This will run into rules about changing device Store IDs and constraints on family member size as well as issues with the total number of devices that are part of a family (10). It isn’t an official workaround and I suspect it has irreversible problems of its own.

Saturday, November 25, 2017

Podcasts.app - sync Stations between iTunes and iPhone via iCloud, not via iTunes sync

Apple removed playlists from iOS 11 podcasts.app. I loved playlists. They were a beautiful user friendly query building tool.

Instead we have Stations, which are more limited. I created some in iTunes and some on my iPhone. They didn’t sync even though I transfer podcasts from iTunes to iPhone via WiFi/Lightning cable.

It turns out Stations do sync — but only via iCloud even though files may travel via local sync.

Once I enabled podcast sync in both iTunes and iOS my stations appeared in both. 

This is good, because one advantage of stations is that podcasts play consecutively. At least I think that’s why mine started playing consecutively instead of stopping after each podcast as they did earlier in iOS 11.

There are lots of weirdnesses in iTunes when it tries to combine sync via iCloud/Store with local file based sync from iTunes. It will be interesting to see if Podcasts does better at this than Movies does.

Apple is clearly heading towards the world where we all have 2TB iCloud Drives, a 256GB local machine store for frequently used data, and special folders in iCloud for personally owned files that sync separately from Store files (ex: personal images, ringtones, podcasts, PDF, etc). There’s no resisting this one.

Update: It is a mess. Of course. Stations need a setting to only show downloaded episodes. One problem with Stations is that while they can filter out Played stations, they only know a station is Played as long as the file is around. If the file is removed and the show is in the Cloud then it is treated as unPlayed.

Wednesday, November 22, 2017

Progress of sorts - integrating my simplenote memory extensions with gDrive

Nine years ago I wrote What my blogs are for: memory management and the Google-Gordon geek-mind fusion. It’s hard to believe now, but in those days we did not yet fear Google. Back then, we liked Google. Google was good.

That was a long time ago. Google has since transcended mere human morality (Galactus is a much better name than Alphabet btw). Unfortunately I haven’t transcended my need for artificial extensions to my working memory. To the contrary, that need has grown. Now in addition to my old technical expertise a change in employment means I manage more organizational and political knowledge. Oh, yeah, and I’m back to being a practicing doctor. So now I need to know adult male ambulatory internal medicine. Also, I am old and my brain is crud.

So, yeah, I need those memory extensions. I still use Google’s tools, though the Custom Search Engine I rely on to integrate my blogs with my link share stream and my ancient (hidden) web pages is all but forgotten. Since 2008 though I’ve moved away from the Google dominated web back to files and file systems as a memory store. Carrying a connected computer in my pocket made 1980s style files useful again. I rely in particular on plain text Simplenote to carry around fragments of memory. For regulatory/security reasons I have one Simplenote account for work memory and one for non-work memory — with some notes shared between both using Simplenote’s (simple!) sharing mechanism.

Spotlight indexes simplenote files on my iPhone — sadly only for one account. On my Mac nvAlt syncs to my personal simplenote account — so the text files are indexed by Spotlight there too. Today, guided by a @simplenoteapp tweet I installed Simplenote Electron (which Automattic is abandoning for a future fully native Mac upgrade [1]) and tied that one to my work account. Then I used the improved text export to create a local read-only copy of that memory store — which Spotlight Mac now indexes. So the stores are in one search space at last.

The last twist is that Simplenote local text stores are in a Google Drive folder, so synchronized to gDrive with appropriately stored folders such that appropriate text stores are searchable on both devices. Sadly gDrive does not support “Available offline” at the folder level — so when I don’t have data access I also lose some memory access. (I’m hoping Google will fix this.)

The gDrive integration is important because there are limits to plain text - particularly for medical topics. I have PDFs, Word Docs, Google Sheets and other detritus of decades of notes. I can put all of that in gDrive alongside the text notes and let search figure it out. (This is what Evernote is supposed to be good for but they don’t have a clear exit strategy. It’s trivial to walk away from Simplenote. I need that exit strategy [2].)

It’s all one heck of a kludge, but so is my memory. So kind of fits.


- fn -

[1] It has the same search bug as Simplenote/Mac!

[2] For example - if they don’t fix that damned search bug [1].

 

Saturday, November 11, 2017

Selling or retiring an iPhone -- I hope you disconnected Google Authenticator and Google Prompt first.

Wipe that iPhone to give to your child or sell? I’m sure you remembered to launch Google Authenticator and remove the device from your trusted device list before you erased all …

Using a new phone to receive 2-Step Verification codes - Google Account Help

… On your old phone, open the Google Authenticator application…

Oh, you forgot about this step? You are clearly inadequate.

There’s hope though. Assuming you have a computer, there’s another option hidden away …

Add or remove trusted computers - Google Account Help

… Under “Devices you trust,” select Revoke all...

Except that’s not a bit misleading. There are more options once you sign into your Google Account and dig through the “Sign-in & security” section, select Signing in to Google, and Choose 2-step verification.

There you can remove the “Google Prompt” iPhone that manages authentication via Google App. That flips authentication to an Authenticator app (OTP authentication with RFC 6238 and 4226). The Authenticator app might be Google’s, a 3rd party, or 1Password or another password manager. I use Google’s because I started with it and I’m lazy.

You can also “change phone” on Google Authenticator. Authenticator is working for my new device though — which was restored from a 6s backup. So I didn’t do that immediately. 

Instead I removed the Google Prompt device, since that was still going to my (since erased) 6s. Then I added it back to my new iPhone 8. Google had the 8’s name so I authenticated there. 

Then, because I’m a paranoid sort, once I had Google Prompt working, I went into Authenticator on my i8 and removed my Google account then set up Authenticator again from the 2-step verification page (scan barcode).
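Why a restored Authenticator keeps working and why re-scanning the barcode matters, as an added example that is not part of the original post: RFC 4226/6238 codes depend only on the shared secret and the clock, so every device holding a copy of the secret produces the same code. The sketch assumes a server that replaces its stored secret on re-enrolment; the second secret and the `verify` and `migration_demo` helpers are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset from the low nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)

def verify(stored_secret: bytes, submitted: str, unix_time: int,
           step: int = 30, window: int = 1) -> bool:
    """Hypothetical server check: allow +/- `window` steps of clock drift."""
    counter = unix_time // step
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(hotp(stored_secret, c), submitted)
    return ok

def migration_demo(now: int = 1111111109) -> dict:
    old_secret = b"12345678901234567890"    # RFC test secret: first enrolment
    new_secret = b"constructed-new-secret"  # constructed: after re-scanning
    old_phone = totp(old_secret, now)       # the retired handset
    restored_phone = totp(old_secret, now)  # new handset restored from backup
    server_secret = old_secret
    before = verify(server_secret, old_phone, now)
    server_secret = new_secret              # assumption: re-enrolment swaps it
    return {
        "restored_matches_old": old_phone == restored_phone,
        "old_copy_valid_before_reenrol": before,
        "old_copy_valid_after_reenrol": verify(server_secret, old_phone, now),
        "new_phone_valid": verify(server_secret, totp(new_secret, now), now),
    }

if __name__ == "__main__":
    for name, value in migration_demo().items():
        print(f"{name}: {value}")
```
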

I’m sure everyone knows to do this. Otherwise why would pundits keep telling us to enable 2FA on every service we care about?

PS. I think when you authenticate within Safari for iOS Google can’t identify the host device. So my https://myaccount.google.com/device-activity list shows both “John8” (my current iPhone) and “Apple iPhone” — even though I believe they are the same thing.

PPS. I think if you want to be very careful you really should do the “Revoke all” as I suspect the old device Safari authentication can still be an issue (except I erased it, but if you’re paranoid …)


Saturday, November 04, 2017

The Internet Lied: Apple's 3.5 mm to lightning adapter does support audio in -- for Apple's EarPods.

I was deceived.

Prior to buying my iPhone 8 I read that Apple’s 3.5mm to lightning adapter didn’t support audio in for earphones with a microphone. Not so! It works quite well with Apple’s EarPods.

It probably doesn’t work with other earphone microphones though. Apple’s EarPods have a different arrangement for the audio-in connection from some other earphones. I looked into this years ago and it wasn’t clear to me how much of a standard there really was. I dimly recall that Apple, shockingly, was different from most.

Friday, November 03, 2017

Did iOS 11.1 (partly) fix iTunes photo sync?

I’m back to wired sync for photo transfer after giving up on iCloud Shared Albums. The simplicity is a relief — except with 11.0 it wasn’t working well. Out of 8300 images in Aperture I was lucky to get 6200 to sync. Sometimes repeated sync brought over a few more, other times I was stuck.

With 11.1 I got them all. 

I still can’t get iTunes WiFi sync working though.

PS. I finally found some use for my iPad Air 2. I set it up at work without a network connection and play on-device music and randomly display family album images using LiveFrame.app. I use MindNode.app to organize projects. It’s still marginally useful but that’s progress.

Update 11/3/2017: I think WiFi sync is working now.