Sunday, May 31, 2009

Debugging network account lockouts: issues with Microsoft Active directory authentication

I recently experienced a personally new and novel set of computer network related issues. I'll have more to say on Gordon's Notes about my take on the implications and lessons of this experience, but on this blog I'll stick to measures end-users might take.

If you're reading this I'll presume you are a user on a corporate network and you are now unable to get at network services. If you request a shared drive or other network resource you are asked to provide your credentials (username and password). You may be unable to login to your workstation while you are connected to the network, though if you pull the network cable or disable wireless access you can login locally.

In this case it is likely that your network authentication is failing. Your credentials are not valid, you've been locked out.

There are legitimate reasons to be locked out of course, but most of the time this is an error. A Microsoft Active Directory group policy setting in your organization specifies an allowed number of failed authentication attempts in a certain time interval and "you" have passed that limit.

By "you" of course I mean whatever is trying to login with your username -- but not your current password. The problem, you see, is that many things may be doing that. Some may be on your machine, some may be on other machines you've used or use, and some may be in places you can't imagine. One of these things may be you, of course, entering your password incorrectly more than, say, five times, in a certain interval.

Ahh, but you say you only made one mistake? Well, maybe something else was trying four times in the key interval. Your one mistake was the last straw.
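To make the "last straw" arithmetic concrete, here is a small Python replay of the policy just described, added as an illustration (it is not from this post and is not Microsoft's lockout tooling). Each account carries a bad-password counter that is reset when the gap since its previous bad attempt exceeds the observation window, and the account locks when the counter reaches the threshold. The threshold (5), the window (30 minutes) and the failed-logon records are constructed values; the sources stand in for the suspects the post lists (a stale mapped drive, a cached Outlook credential, a phone on the WLAN, the user's own typo). A help desk would run the same logic over the domain controllers' failed-logon events with the real Group Policy values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not real logs: (timestamp, account, source of the failed attempt).
SAMPLE_FAILED_LOGONS = [
    ("2009-06-12 08:00:10", "jgordon", "outlook-cached-credential"),
    ("2009-06-12 08:05:00", "jgordon", "mapped-drive-old-laptop"),
    ("2009-06-12 08:10:00", "jgordon", "mapped-drive-old-laptop"),
    ("2009-06-12 08:20:00", "jgordon", "iphone-wlan-peap"),
    ("2009-06-12 08:25:00", "jgordon", "user-typed-password"),   # the user's one mistake
    ("2009-06-12 09:00:00", "colleague", "user-typed-password"),
    ("2009-06-12 10:00:00", "jgordon", "mapped-drive-old-laptop"),
    ("2009-06-12 10:40:00", "jgordon", "mapped-drive-old-laptop"),  # 40 min gap: counter resets
    ("2009-06-12 10:50:00", "jgordon", "mapped-drive-old-laptop"),
]

# Assumed policy values; the real ones come from the domain's Group Policy.
LOCKOUT_THRESHOLD = 5                          # "Account lockout threshold"
OBSERVATION_WINDOW = timedelta(minutes=30)     # "Reset account lockout counter after"


def parse(rows):
    """Turn the constructed rows into (datetime, account, source) tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, src) for ts, acct, src in rows]


def find_lockouts(rows, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Replay failed logons per account with the counter semantics described in the post:
    the bad-password count resets when the gap since the previous bad attempt exceeds the
    observation window, and the account locks when the count reaches the threshold.
    Returns one record per lockout with the sources that contributed to it."""
    fresh = lambda: {"count": 0, "last": None, "sources": Counter()}
    state = {}          # account -> counter state
    lockouts = []
    for ts, acct, src in sorted(parse(rows)):
        s = state.setdefault(acct, fresh())
        if s["last"] is not None and ts - s["last"] > window:
            s["count"], s["sources"] = 0, Counter()   # window elapsed: counter starts over
        s["count"] += 1
        s["last"] = ts
        s["sources"][src] += 1
        if s["count"] >= threshold:
            lockouts.append({"time": ts, "account": acct, "sources": dict(s["sources"])})
            state[acct] = fresh()                      # help desk unlock clears the counter
    return lockouts


def blame(lockouts):
    """Aggregate contributing sources across all lockouts, most frequent first."""
    total = Counter()
    for lk in lockouts:
        total.update(lk["sources"])
    return total.most_common()


if __name__ == "__main__":
    found = find_lockouts(SAMPLE_FAILED_LOGONS)
    for lk in found:
        print(f"{lk['time']}  {lk['account']} locked out; contributors: {lk['sources']}")
    print("overall blame:", blame(found))
```

Run as is, the single lockout at 08:25 is attributed mostly to the stale mapped drive, with the user's one typo as the final attempt that tipped the counter; the later bad attempts 40 minutes apart never accumulate because the counter resets between them. Lowering the threshold to 3 moves the lockout to 08:10, before the user has typed anything at all.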

This is a big problem. You'll find many hits on the topic if you start looking. It's a Cloud problem (new tag today!). It's what happens when authentication starts to diffuse, and when you don't have a robust system for distributing authentication privileges. It's what happens when credentials are cached or distributed, and there aren't robust tools in place to monitor and track -- or when organizational structures block recognition.

Microsoft has tools for diagnosing active directory account lockout issues, but they are not accessible to end-users like you ...

As an end-user victim these are some things you may investigate once your help desk has unlocked you. Good luck ...

  • Change your network password, that may fix some caching issues.
  • OS level drive encryption software, bolted onto a decrepit XP infrastructure, can be a problem. These typically synchronize credentials with Active Directory -- and we all know synchronization is Hell. Look into any associated logs that might show how synchronization is proceeding. See if you can change your password using the UI controlled by the encryption package and watch that propagate to the server.
  • Group policy updates may be failing, resulting in passwords failing to comply with standards and leading to rejection. Research use of the gpupdate.exe /force command to update local copies of corporate policies.
  • Eliminate all drive letter mappings on all machines. I no longer do drive letter mapping on corporate networks. These can have cached credentials that fail to update.
  • If you use Remote Desktop, log in to every RD machine you use and make sure you are fully logged out again. You may need to apply all fixes and patches there as well.
  • Try shutting down your main workstation when you are not at work -- or disconnect it from the network. If you're locked out then you may suspect the problems are from other sources.
  • Do not use Windows Search to index mounted drives.
  • Remove all IE stored information - cookies, passwords, etc. Use Delete All from the IE General/Delete settings tab. Note this is the ONLY option if you want to be sure to remove any stored credentials from IE Add-Ons.
  • Consider uninstalling any applications that authenticate with Active Directory, such as Office Communicator.
  • Evaluate all applications that might interact with Microsoft Sharepoint, because these require Active Directory authentication. This may include:
    • Windows Live Writer: Posting from WLW to a SP blog implies an authentication event
    • Lotus Connections: If you use Lotus Connections web-based feed reader against a Sharepoint feed there's an implied authentication event. (In my testing these subscriptions appear to fail, but does LC attempt to authenticate with its internal credentials? What about if the user IDs match between LC and SP but the passwords differ?)
    • Outlook 2007: Outlook 2007 is able to subscribe to SP Calendars and other Sharepoint Lists. All of these imply authentication. Prior to SP1 Outlook 2007's subscription/feed support was extremely buggy.
    • Any feed reader that works against Sharepoint authenticated feeds

Personally, this is the nastiest problem I've come up against in 25 years "behind the mast". I'll have more to say in my opinion-oriented blog about how this has changed my approach to personal and cloud computing and to the new approaches I'm taking to risk mitigation going forwards.

Update 6/2/09: Focus is now on a combination of a Sharepoint List synchronization that could not be removed from Outlook 2007, a possible configuration error on Sharepoint, Outlook configured to send only on manual send/receive, send/receive configured (by default) to include the unremovable SharePoint list, and Outlook offline caching of credentials.

Update 6/4/09: Microsoft Wireless PEAP always caches credentials. Could be a contributor in some situations.

Update 6/12/09: The saga continues. To remove the long stuck Sharepoint list in Outlook 2007 I had to remove reference to it in the Outlook send/receive group. In fact, I removed most things from that group. The NTLM account lock problem went away -- but I then had to manually authenticate the first time I used Outlook to access Exchange server. In other words Outlook was no longer able to deliver my credentials automatically. (The advanced security settings for Outlook did not have "manual credential" checked.)

After a week of this my laptop was refreshed. Using a brand new image I was again locked out. (I did have to install Retrospect Pro to restore data, but I think the first lockout was before I restored anything.)

This went on for a few days, then I dug into an obscure option in Outlook 2003 (and 2007) properties and set Outlook to always require manual credential entry. The account lockouts stopped.

I'm going to study this for a few days, and see if I can get locked out by turning off manual credential entry. If I can confirm this does the trick, I'll try to bring very specific fix suggestions to our puzzled help desk and security services. I need to better understand the NTLM/Exchange/Outlook authentication procedure.

Update 6/12/09b: I've asked this question on serverfault.

Update 6/27/09: I post an answer to my own serverfault question:

... I've not been locked out for over a week even after re-enabling Outlook pass-through authentication, so even though there was no definitive cure I can report where I left things.

As a reminder, the last time I was locked out I'd just received a brand new laptop with a fresh corporate image.

The very last things I did were:

1. I found the brand new corporate image included two drive mappings. Sigh. (Sound of head hitting wall.) I'd removed them from my old laptop long ago, but they were back. I removed them again. It wasn't the only problem in the corporate image.

2. I experimented with switching Outlook 2003 authentication between "automatic" (default), Kerberos only (modern) and NTLM only (legacy). Switching to Kerberos only seemed to resolve problems, but I think that was a red herring. Switching back to the default didn't restore the lockout problem.

3. I use Retrospect Professional (EMC Retrospect) for Windows to backup my workstation to an external drive. (Corporate backup isn't bad, but restore takes about a week.) That software has an autolaunch feature. I'd set it to auto-launch using the logged-in credentials rather than the treacherous feature of providing credentials. I wonder though about an intersection between the mapped drives and the auto-launch. I turned off Retrospect Pro auto-launch for now.

I very much appreciate the link Neobyte provided to Microsoft's June 2008 troubleshooting page - Troubleshooting Account Lockout

I'm left with some psychic scars. Given the astounding variety of problems associated with Microsoft's authentication services and their pile of legacy hacks, and the intersection with distributed authentication and post-hoc security features like authentication lockouts, I'm now deeply conservative about my use of any new or novel corporate network or "cloud" initiatives. They need to be built on a far more robust infrastructure than what Microsoft provides, and they require both IT funding and IT reorganization to implement.

7/21/09: I found yet another potential contributor -- one I'd long forgotten about. I'd once set up my iPhone to connect to the corporate WLAN. To do this I had to enter my Active Directory login credentials. The iPhone connects automatically when the WLAN is in range. So what happens when my network credentials change and the iPhone tries to connect? I'm not sure. Maybe it fails once and doesn't try again -- generating only one lockout hit. Maybe it tries repeatedly. Who knows. The point is, we're screwed.

We need better ways to manage user authentication and privilege control, and we need them desperately.

As for the iPhone, there's no way to have it remember network credentials yet not automatically connect when WiFi is enabled. So I deleted my corporate WLAN credentials from my iPhone.

Federated authentication - Gmail and Facebook

Facebook now supports "linked" Gmail accounts, by which they mean OpenID 2.0 authentication.

I linked my FB and Gmail accounts, so now as long as I'm logged in to Gmail I can use FB without additional authentication. The link process also grants FB access to my Gmail address book -- for better or worse. Facebook will also accept an OpenID URL.

I swear I saw evidence of a Gmail-specific OpenID URL recently, but I can't recreate it. Google has not yet officially released an OpenID URL for Gmail accounts; they are available, oddly, via Blogger.

This can't come fast enough. This kind of authentication means I can use a robust password with Google and not have to maintain a large number of complex passwords. It also means I can integrate account information without having to (unthinkable) share my Gmail/Google account password.

Now if Google would only accept more robust forms of authentication than mere passwords ...

Update 8/31/09: This only worked for a few weeks, then it stopped working. I also experienced a possibly unrelated increase in the need to reauthenticate. I'm not surprised this sort of thing doesn't work at first -- the cooperation requirements are very steep.

Saturday, May 30, 2009

OS X accessibility - radio shortcuts, shortcut cleanup, voice over and magnify

Continuing in the theme of OS X accessibility (see also VisiKey and magnify toolbars), I've several additional recommended modifications to add to my old OS X accessibility configuration document (one day):

  1. Keyboard shortcuts: OS X has numerous kb shortcuts. For many elders or persons with visual impairment they can be fumble finger traps waiting to confuse with unexpected behaviors. I turned off almost all of them on my mother's machine.
  2. Voice Over: The Leopard "Alex" voice is a good improvement, and Voice Over itself is one of the rare true improvements in 10.5 over 10.4. I configured it to use the new voice and the Caption Panel. I mapped Voice Over toggle to the F13 key on my mother's VisiKey kb (underneath the key reads something like Print Screen, but to OS X this is the F13 key). She has kb stickers for visually impaired persons, but they're not needed for the VisiKey kb. Instead I pasted the V letter on the F13 (for voice over). She can read that. She doesn't like using voice over, but I'm hoping she'll get accustomed to it.
  3. Shrink/magnify: I map these to F14 and F15, and pasted the - and + stickers on them. I set Zoom to a shade below the 2, it's easy to hold the key and zoom up. Minimum zoom is 0. She runs on a 19" CRT because they do far better than LCDs at displaying 1024x768 over a large surface. Obviously true scalable UIs would be a great benefit.
  4. Radio shortcuts: more below.

I'm very pleased with the radio shortcut. I rediscovered this myself, then found this explanation afterwards ...

How to create a radio shortcut using iTunes | sync :: the tech & gadgets blog

... while the built-in radio streamer isn’t much of a surprise to those who spent time navigating around iTunes, what you might not be aware of is a way to place an icon on your desktop that links you to your favourite station – and with added functionality...

1. Open iTunes and click on the radio tab on the left-hand side of the screen and select a station with the kind of music you like...

2. Once you have a station you like ... drag it onto your computer’s desktop (or copy and paste) and you’ll see an icon (shortcut) that immediately begins the audio stream when you double-click on it.

This is great, because iTunes, though improving now, is still hard for my mother to navigate. The drag and drop for stations (not, alas, for albums or tunes) creates .webloc files, which open in iTunes. I can mix these with shortcuts to BBC iPlayer stations (like BBC 3 and BBC 4 - there are some quirks there though) and with shortcuts pointing to the physical iTunes albums on her hard drive.

These are easy to navigate in the folder paradigm she's accustomed to.

Update: The radio shortcut has an odd side-effect. Each time you click on one of these it launches iTunes, but it also downloads a playlist file to the desktop from the source station. Kind of messy!

Managing a failing Canadian videotron cable connection

Many of the posts in this blog are of interest to very few people.

That's not an accident. There are some who subscribe to this blog, but it's really intended to be a set of references that work with Google. My most appreciated posts are often my most exotic. It's a big world now.

This post is very exotic. It will be of interest only to foreigners supporting a Canadian, well, maybe Quebecois, Videotron customer.

The background is that my mother, who lives in Quebec and is quite disabled, has an archaic Videotron modem. It was old when they installed it -- as a minimal-charge ($30/month for cable internet access) customer she may have been given a recycled model.

Her cable modem is now well beyond its service life; it's dropping connections every 1-2 weeks. The connection can be restored by power cycling, but it is very hard for her to get to the power strip. More importantly, this is a typical way for a router/modem to fail. The connection drops will increase over time until the modem fails completely.

The device needs to be replaced. I thought I could just buy a new one during one of my periodic check-in visits. Wrong. This is what I learned ...

  • You cannot buy a replacement for a failing Videotron cable modem. Actually, I did buy one at Future Shop, but that was a bad mistake. What I bought appears to have been forgotten inventory. Happily Future Shop did accept the return. Videotron should contact their past resellers and ask them to return their inventory. (Amazon US, by contrast, sells DOCSIS-compliant cable modems that are reported to work with many American ISPs.)
  • Videotron has two sorts of retail outlets in Quebec. One sells movies and the like, the other sells services to new customers. Neither variety provides support, neither variety will accept an old device to exchange for a new one. I think if you discontinue Videotron service that it might be possible to return an old device to some of these outlets.
  • Videotron "rents" devices. I'm not quite sure what that means. There's some complexity about a $99 fee that might be charged if one leaves Videotron, but maybe that's not charged if you return the device.
  • Videotron's support model is entirely on their installers and onsite visits. You can do small things with their reasonably well staffed support people, but device problems require a visit. The usual routine is to call on one day, the service call is the next day. So someone has to be home. They will typically phone a brief time before a service call. I have a hard time imagining how people can arrange to be home like this.
  • Videotron has a well staffed support line but many of the staffers are very new. Even the managers are fairly new; they were all flummoxed by the Future Shop device I bought -- that was before their time. (Just to make things harder on Videotron's support staff, I am effectively unilingual English. Quebec is a French province/nation with a slowly shrinking English minority. All of the service people are speaking to me in an alien tongue.)

Update: When the Videotron service guy arrived, he confirmed all was well outside. He seemed at first mildly skeptical about replacing the modem -- until he saw it. He claimed it was 15 years old, which I think is impossible. Maybe 8. He put the tiny new one in place and started to leave -- until I showed it didn't work. Yes, dead out of the box. So we pulled another toy out, and that one works.

Friday, May 29, 2009

Can't select Jabber or Google Talk for iChat? Here's one reason.

I really felt like crying when I ran into this latest bit of Apple tragi-comedy.

I tried configuring iChat on my mother's managed account (protect the Dock from accidental deletions), but I couldn't use her Gmail credentials (Google Talk option). Jabber and Google Talk were grayed out.

Google tells us ...

Apple - Support - Discussions - Can't add jabber or google talk, ...

... Jabber [and Google Talk] and in Fact Bonjour over iChat are excluded in Leopard when Parental Controls are activated...

It doesn't matter that the Parental Controls have no restrictions on iChat or the web. If you enable parental controls, even if all you're doing is protecting the Dock from changes, then iChat can't use Google Talk.

Why not? Why this senseless, irrational, bit of blithering madness that's persisted, without documentation, through 7 point updates to 10.5.7?

Because Apple hates us.

There's a comparable mysterious "Gray out" in iTunes related to iPhone parental controls, but at least that makes a kind of sense.

I hate you too Apple.

Update 4/17/2010: An Apple Discussion post describes enabling Adium functionality even with Parental Controls:

By adding the above we were able to get Adium to work while still having parental controls turned on.
See also: OS X Parental Controls: The https bug and our family Google Apps services.

Accessibility in 10.5.7 - the magnify toolbars and VisiKey

(See accessibility posts for prior tips.)

I've upgraded my mother's Mini from 10.4 to 10.5.7 and installed a VisiKey keyboard.

I made the move to 10.5 because 10.4 is nearing end of life, and I thought 10.5 was becoming reasonably well baked (wrong, wrong). I also wanted the option of using 10.5's mediocre iChat in place of Google's elder unfriendly Google Video Chat. Lastly, since I no longer have a 10.4 machine at home and I use LogMeIn to manage her machine I wanted her on the same OS as our family.

I installed the VisiKey because her macular degeneration has progressed far enough that the need to see the keys has overcome her fondness for the cool look of her Apple keyboard (she's not a geek, she really does like "coolness").

The VisiKey's not bad, but there's a bug in the driver installer. In a multi-user machine you have to manually add the VisiKey driver to each user's LogIn list. Without the driver most of the kb features work, but not the "Internet", Email, and Search buttons.

Although I'm no great fan of 10.5 (and believe me, I'm going to take my time with 10.6!), there are a few accessibility improvements. In several app toolbars (Safari 4 beta, Mail 3.0) there are Smaller/Bigger buttons like these (grayed out here so very murky):

Ok, so I lied. They're not automatically there, you have to customize the toolbars to get them (right click on toolbar then choose customize). You have to modify the toolbars in Mail for browsing, new message, reply, etc. In some cases, like "New message" you can add these controls but they don't seem to do anything [1]. In reading mode, however, they do work [1].

It helps.

I also found the album view in iTunes 8.1.1 isn't bad for low vision use.

So a few accessibility improvements, though so far they don't outweigh the misery of 10.4 to 10.5 migration for me.

Update 5/31/09: There are bugs here. In some modes they enlarge all text, in other modes you have to select the text first. Looks like the responsible dev teams weren't always on speaking terms.

OS X Printer driver problems with 10.5 (Leopard) - the HP 1012

I'm having just so much fun upgrading my mother's vanilla Mac Mini to 10.5. First it was the buggy update, now I find Apple's 10.5.7 (Leopard) HP 1012 printer driver doesn't work. The printer worked perfectly with 10.4 (Tiger) - of course.

Print jobs pause for a time, then there's a printer response, then they hang, then they just ... stop.

Of course I have lots of company:

I've tried a few fixes, such as resetting the print system (right click on printer in print and fax preference display, choose reset). I also found that the printer was shared by default but that there was a "Printer Sharing is turned off" message; I turned off sharing.

I seem to have fixed the problem for the Administrator account, but not for a regular user account. I may try promoting the user to Administrator, seeing if I can fix it, then trying them again as a regular user.

Power cycling the printer, or clicking on hold/resume a few times, will restart printing. Neither is a good option for my mother of course.

This 10.5 update has helped me think differently about 10.6. I'll take a look at that one in 2011. Of course that means I'll need to buy my new machine while they're still shipping with 10.5 ...

I'll update this post if I'm able to fix the problem ...

Update 5/29/09: At the moment things are working. It is a weird situation, however.

To recap, I was able to print successfully from my admin account using the installed printer drivers, perhaps because (from my Software Update Preference Pane Installed Update history) Apple released an HP Printer driver update in September 2008. I couldn't, however, print from my primary non-admin account.

Here's where it gets tricky. In order to print from my admin account I'd had to reset the printing system.

Even after I did that though, I couldn't print from my mother's non-admin account on the same machine. My hunch is that with the 1.1.1 update if I'd also reset the printing system from my mother's account it might have worked.

Yes, reset from the separate accounts.

Why do I think that might have worked?

Because, instead of doing that I installed the Gutenprint drivers (per Apple). Hint: Don't waste time trying to figure out the install directions, reading the manual, etc. The current version has an installer that does all the work for you, and, for you Gimp veterans, there's no longer any need for Ghostscript, web configuration, etc. All the directions and tips you need are in the installer documentation folder (DO read the readme file).

After installing the Admin account worked fine -- but the user account still didn't. I reset the admin account (again), but still only the Admin account worked.

That's when I did a reset from the user account as well as the admin account. Then I could print from the user account and the admin account. (Interestingly other accounts I created on the machine were also able to print, without a reset).

I'll update this post again after I've had some more experience -- and to see if it still works post reboot.

To recap -- before you try the Gutenprint be sure you have the September 2008 Apple update and try resetting the printer on EVERY account that has trouble -- which means adding back the printer definitions multiple times.

If you still can't get the Gutenprint drivers to work, this post may help though it didn't apply to me.

My hunch is gunk in the queue -- like maybe permissions gunk.

PS. Early in this process I even "repaired permissions". As usual it did nothing but suck time. I think the OS X "repair permissions" utility is some sort of sick Apple joke.

Update 5/30/09: It's not really fixed, after a day or so I got only the infamous "PCL: Unsupported Personality" atop all printed pages. This time adding and removing printer while using Gutenprint had no effect. So I tried it with the Sept 2008 Apple HP drivers and they worked. I also turned on printer sharing, just for kicks.

Clearly we need a new printer. This won't work for long.

I'll probably buy the Brother HL 2140 for my mother. Neither Canon nor HP can produce OS X device drivers to save their shriveled little souls.

Update 9/3/09: Unsurprisingly, it stopped printing a week or so after I left my mother's. I replaced it with the Brother. Weirdly, this printer is showing as supported in 10.6 (CUPS)! I don't believe it, but if you have 10.6 and test it out please let me know in comments. I ended up buying the Brother HL-2170W for my mother -- the 2140 Amazon comments weren't that encouraging.

A well done tutorial on swapping out a Mac Mini drive

There are a lot of these, but this one is particularly nice: DIY: Replace your intel mac mini's hard disk drive.

Is being unserviceable a part of Apple's design rules for some machines?

Unable to delete messages - a Mail 3.0 bug

There's a bug (surprise!) that hits a few users when they upgrade from OS X 10.4 to 10.5.

I just ran into it upgrading my mother's ultra-plain Mac Mini from 10.4.11 to 10.5.2 and then directly to 10.5.7.

I did an update in place, not an archive and install. I didn't run Mail until the machine was at 10.5.7 and had gone through a post-update "safe boot" cycle to clean out old caches and debris. So I was surprised to find a very significant bug!

When I tried to delete an email from Mail 3.0 I got this error message:

The destination mailbox “Deleted Messages ... " does not allow messages to be moved to it.

I found several posts on this topic, but they were all IMAP configurations. The associated fixes in those posts didn't work.

My mother's mail uses POP against her Gmail account; this 2008 post by "Davl" had the fix:

In finder I opened the folder containing the mailbox folders of my POP account. It was located at:
My User Home Folder --> Library --> Mail --> POP/account name --> additional POP folder
In this folder were the mailboxes folders with .mbox extensions.
  • Deleted Messages --> empty
  • Drafts.mbox --> Messages
  • INBOX.mbox --> Messages
  • Sent Messages.mbox --> Messages
Note my Deleted Messages doesn't have a .mbox extension like the others do...

This is what I found in icon view. Clearly there's something wrong with Deleted Messages!

This is what I did after confirming my Gmail POP settings were correct.
  • In Mail I saw some "child" trash items. I deleted those and emptied the Trash.
  • I quit Mail and moved the "Deleted Messages" folder to the desktop.
  • I restarted Mail.app and then deleted a message. The Deleted Messages folder was recreated.
This bug goes back over a year, so it's disappointing that even in 10.5.7 Apple hasn't fixed it.

Thursday, May 28, 2009

OS X internet bridging is WEP only

My parents don't have a wireless LAN at the moment, so I turned on Mac OS X 10.5 Internet connection sharing on my mother's Mac Mini. This is a bridging connection; it links my wireless clients with the household wired cable modem connection.

It works pretty well in their house -- I can work with my laptop and iPhone as needed. If you want to do mail, etc though you either have to turn off the firewall on the Mini or mess with ports.

There's one oddity -- unchanged from 10.4. When you set up "connection sharing" (bridging) the only available encryption is WEP (!). This is slightly better than nothing, but not much better; it's now trivial to hack WEP encryption. WEP is also a pain to configure on a PC.

So why just WEP? Seems out of place, esp in 10.5.

Update 5/29/09: It's not only old-fashioned, it's also flaky -- like a LOT of things in 10.5. I find I have to periodically toggle it off and on again on the Mac Mini to get it working.

Monday, May 25, 2009

OS X 10.5.7 has a wireless problem?

We're on the latest round of OS X (10.5.7) and Airport Extreme (old, flying saucer model) fixes and something's gone downhill.

No real mention on Google, so it's probably something with our older setup (Airport Extreme saucer station, Airport Express WiFi extender, 802.11g/b).

What we see is my MacBook on awake from sleep takes a while to get a connection, then it loses it, then it gets a lower power connection (maybe one of the stations) then it gets a full power connection.

Not lethal, but very annoying.

Friday, May 22, 2009

Blank an iMac display - instantly (Leopard only?)

For years I've wanted to be able to turn my iMac display off on demand. There's no on/off switch of course, that would hurt the vibe.

It's a common desire. I need my iMac running at night so it gets backed up, but I don't want the photo show ("screensaver") running all night. On the other hand, I do like to have it run when I'm around. Problem is, nobody knew how to do this two years ago.

The best solution I found then was one of the elegant "dockables", which have been recently revived and updated (get the whole set!). The screen off dockable was quite good, but it had a few drawbacks. It couldn't be activated when the screen was locked, but when activated it left the screen unlocked. That's a problem with my kids.

Tonight, on a whim, I looked for current solution, and found How to turn off the iMac display |

Control-Shift-Eject. Presto, the screen is dark. It even works on a locked screen running my slideshow. (Control-Eject brings up the shutdown menu.)

WTF?! Why couldn't I turn this up two years ago? It's trivial to discover today. Was it some secret addition to an OS release? Was it always there, but only discovered a year or two ago?

The answer appears to be Yes and No. It's new to 10.5 (Leopard) and it's never been officially documented by Apple.

It doesn't appear in this 2006 article on similar shortcuts and it doesn't work on my old 10.3.9 iBook. It really only gets mentioned after Leopard is out.

On the one hand, a great feature. On the other hand, would it kill Apple to document it? It doesn't appear on Apple's recently updated screen shortcut kb article.

For me it justifies almost 10% of Leopard's purchase price. Hell of a way to run a company!

Following the trail leads to some other obscure Mac tips:

Thursday, May 21, 2009

Why are all my Windows 2003 server folders read-only with a gray checkbox?

In the midst of a Kafkaesque episode of IT torture, I realized that all of my Windows 2003 server folders on every drive had a grayed-out (greyed-out) checkbox in the read-only attribute. The value of the checkbox could not be changed. (That is, it appears that it can be cleared, but on review it's set again. This is true even if one requests that changes propagate down the tree.)

In theory this means that somewhere in the tree of child folders there exists a read-only folder.

Was this related to the mind-crumbling miseries of my past week of IT hell?

Probably not, but the truth is dark enough. Microsoft has a kb article on this. I've cleaned it up, the original is poorly written. Emphases mine ...

You cannot view or change the Read-only or the System attributes of folders in Windows Server 2003, in Windows XP, or in Windows Vista

... Unlike the Read-only attribute for a file, the Read-only attribute for a folder is typically ignored by Windows ... you can delete, rename, and change a folder with the Read-only attribute by using Windows Explorer.

The Read-only and System attributes are only used by Windows Explorer to determine whether the folder is a special folder, such as a system folder that has its view customized by Windows (for example, My Documents, Favorites, Fonts, Downloaded Program Files), or a folder that you customized by using the Customize tab of the folder's Properties dialog box.

As a result, Windows Explorer does not allow you to view or change the Read-only or System attributes of folders.

When a folder has the Read-Only attribute set it causes Explorer to request the Desktop.ini of that folder to see if any special folder settings need to be set.

... if a network share has a large number of folders set to Read-only, it can cause Explorer to take longer than expected to render the contents of that share while it waits on the retrieval of the Desktop.ini files. The slower the network connectivity to the share, the longer this process can take, to the point where Explorer may time out waiting for the data and render nothing or appear to hang.

Let's walk backwards to appreciate the horror of what Microsoft did here.

Suppose you want to display NTFS metadata like a file's name or comments in an Explorer view. This is a handy way to do what, millennia ago, we did using things like PC Magazine's utility. Well, it's easy to enter that data, but how does Windows know to display it?

Ahh, here's where the horror of the hack sets in.

The metadata directions are stored in Desktop.ini files for each folder. It would be slow, however, for Windows to check that file every time an Explorer view is to be shown. So Windows 2003 needs to know when to check.

Cue dramatic music.

Some poor benighted soul realized that Windows (95? 98? NT? 2000?) doesn't use the read-only attribute for much. So he (must have been) had a brilliant idea. He'd hijack that attribute, and use it as a way to tell Windows that it needed to check the Desktop.ini file.

We know how the play unfolds now. Once this data value had been used this way the meaning changed. The text says "read-only" but the meaning is "look at the desktop.ini file".

We call that semantic drift.

Of course there's no reason for an attribute that really means "look at desktop.ini" to change the UI for a parent folder attribute of the same name, but that was inherited from the original use of the folder "read-only" attribute. It's a hack side-effect.

Finally, since "read-only" now meant "look at desktop.ini" it had to be reserved for system use, so Windows Explorer can no longer change that attribute. Of course attrib.exe can still change it, but probably you don't want to -- you're really telling Windows then to "ignore desktop.ini".

The Horror, The Horror.
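If you want to find which folder in the tree actually carries the bit (and what Desktop.ini it points Explorer at), here is a small walker. This is an added example, not code from the Microsoft kb article or from this post. It assumes a Windows host for the attribute check (`os.stat().st_file_attributes`); on other platforms it still reports Desktop.ini files but returns `None` for the bits. The sample tree it builds is constructed for illustration.

```python
"""Report folders whose Read-only/System attribute is set and their Desktop.ini.

Added example (not from the kb article or the blog post). The attribute check
only works on Windows; elsewhere folder_flags() returns (None, None).
"""
import configparser
import os
import stat
import tempfile

# Section Explorer reads from Desktop.ini for folder customizations.
SHELL_SECTION = ".ShellClassInfo"


def folder_flags(path):
    """Return (readonly, system) for a directory, or (None, None) off Windows."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is None:
        return None, None
    return (bool(attrs & stat.FILE_ATTRIBUTE_READONLY),
            bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM))


def read_desktop_ini(folder):
    """Parse folder/Desktop.ini; dict of [.ShellClassInfo] keys, or None if absent."""
    ini = os.path.join(folder, "Desktop.ini")
    if not os.path.isfile(ini):
        return None
    with open(ini, "rb") as fh:
        raw = fh.read()
    # Desktop.ini files are commonly ASCII/UTF-8 or UTF-16 with a BOM.
    for enc in ("utf-8-sig", "utf-16"):
        try:
            text = raw.decode(enc)
            break
        except UnicodeDecodeError:
            continue
    else:
        return {}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. IconResource
    cp.read_string(text)
    return dict(cp[SHELL_SECTION]) if cp.has_section(SHELL_SECTION) else {}


def scan_tree(root):
    """Walk root and list folders that are flagged or carry a Desktop.ini."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(root):
        ro, sy = folder_flags(dirpath)
        ini = read_desktop_ini(dirpath)
        if ro or sy or ini is not None:
            findings.append({"folder": os.path.relpath(dirpath, root),
                             "readonly": ro, "system": sy, "desktop_ini": ini})
    return findings


def build_sample_tree():
    """Constructed sample: three folders, one customized via Desktop.ini."""
    root = tempfile.mkdtemp(prefix="rotree_")
    for name in ("plain", "customized", os.path.join("customized", "nested")):
        os.makedirs(os.path.join(root, name))
    with open(os.path.join(root, "customized", "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\n"
                 "InfoTip=Constructed sample folder\n"
                 "IconResource=C:\\Windows\\System32\\shell32.dll,3\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(target):
        print(f)
```

Run it against a share root (`python scan.py \\server\share`) to see which subfolders Explorer will stall on; the parser deliberately keeps key case so the report matches what Explorer actually reads.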

Tuesday, May 19, 2009

Ping.FM: a router for status updates ... with just one small problem.

There are some disadvantages to being a mid-western geek of a certain entropic state.

If something doesn't show up in my Feed stream, I don't hear of it from my peers.

Take Ping.FM, for example. It's not new, but a GR search shows none of my sources called it out (but they did mention it -- with the assumption that any reader would know what they meant).

I found mention of it in a corporate blog I track at work ...
lbenitez . Luis Benitez . Socialize Me 
"... allows users to update their status in the following services from any of the following clients...".
So it will update my status on LinkedIn, Facebook and Twitter. Great! Just what I've been looking for.

Except ... it needs my username and password for each of these accounts.


Ok, that's a FAIL.

Maybe that's why no-one I read is keen on Ping.FM.

I'll check back if they're able to implement an OpenID mutual authentication framework.

Update 9/14/10: A relevant xkcd comic.

Sunday, May 17, 2009

Address book Google synchronization weirdness

Now this is really weird.

Here are the OS X Address Book "General Preferences" on my 10.5.7 MacBook (where I sync my iPhone):

And here are the same settings on my 10.5.6 iMac

Right. The 10.5.6 iMac has an option called "Synchronize with Google".

How the #$! did that get there? Why doesn't the MacBook have this option? (By the way, Google Apps Exchange Sync still doesn't work in 10.5.7).

Lifehacker has the answer. Turns out this is quite old (I even sort of remember reading about it):
Mac OS X Leopard only: Today's release of Mac OS 10.5.3 added a juicy little tidbit to Address Book: the ability to automatically sync your Google contacts. After you've run Software Update and gotten 10.5.3 (and restarted your Mac), hit up Address Book's Preferences pane. At the bottom of the General tab, check off the "Synchronize with Google" box to get started. Be sure to back up your address book before you sync, and see the FAQ for more info. Update: Several commenters rightly point out that this capability only exists for iPhone and iPod touch owners by default, which is quite possibly a crappier move than forcing Safari onto Windows users on Apple's part. Time to switch to Linux. Update #2: Only a few hours later, a workaround surfaces. Non-iPhone/iPod touch owners, here's how to enable Google Contact sync.
Alas, I read through the comments on the hack to enable Google Contact sync without an iPhone/iTouch and it sounds problematic.

Based on a similar story with Exchange Sync this feels like a side-effect of iPhone synchronization. It's obviously disappointing that none of this stuff improved with 10.5.7. I'll take a look at the Google sync; fortunately it's easy to restore contacts. I'll just make sure I turn off MobileMe sync before I experiment.

Saturday, May 16, 2009

Plaxo - just not a good feeling

An informed comment on my latest Project Contacts windmill tilt led me to take another look at Plaxo. I ended up deciding to wait and see what happens elsewhere over the next few months.

Plaxo launched about 6-8 years ago, and had a very nasty reputation for quasi-spyware behavior about 4-5 years ago. They've cleaned up their act and since been acquired by Comcast.

Nowadays they're sort of a cross between LinkedIn and Facebook -- leaning more to the former. Their secret sauce is contact synchronization across Outlook, OS X Address Book, and some phones. It sounds like that's reasonably robust. They also provide some calendaring services, but there's no support for CalDAV, calendar subscription, feeds, etc. It's all proprietary. Their only outward link is to Facebook, and you can share status updates with FB (so a Tweet can go to FB and then to Plaxo).

They can authenticate with a Gmail or OpenID account -- so I didn't need a new un/pw to try them. Based on my Gmail address they suggested links to everyone who has that address in their Plaxo Contacts -- which turned out to be a lot of people I know.

So what turned me off for now?
  1. It's really unclear how they make money. Their premium services are pretty mediocre. I know how LinkedIn, Google and Facebook make money.
  2. The complete lack of standards support (ICS, CalDAV, Feeds, vCal, etc).
  3. No clear way to subscribe to calendars, just their sync.
  4. All their sync and import/export require that they get my Google un and password!! Huh? In Jeff Atwood's words, that's a total FAIL. I'd sooner give them my DNA.
  5. The stuff I care about seems to be an increasingly distant second thought to their Facebook-play.
  6. They are incredibly obnoxious and persistent about trying to get me to give them access to my Gmail and other accounts and the rights to invite everyone in those accounts to Plaxo using my name.
So I'll give this one a pass for now. Let's see if Google gets their Contacts act together in the next few months -- even if that means I have to shell out for a year of Apple's sub-mediocre MobileMe while the smoke clears.

Update: Faheem responds in comments. He avoids all the Google and other password issues, strictly deals with iCal and Outlook and Address Book sync. He avoids all the social stuff and Plaxo arm twisting and just concentrates on Contact sync. He sure is persuasive; I'm convinced he knows this turf at least as well as I do.

Blogger editing madness

Switching between editing posts using Windows Live Writer, Blogger in Draft with Safari 4, and Blogger draft/standard using Firefox 3.x leads, sooner or later, to bizarre line space problems.

Not to mention applying blockquote operators to Blogger in Draft text with Safari causes new space doubling.

I fear it's all tied up in the ancient wars between unix, mac and dos (yes, DOS) around CR, LF and CR/LF pairs.

Interestingly IE 8 behaves like Safari 4, so Firefox may be a bad actor.

Update: It's worse than I'd thought. I wonder if Google is screwing this up again, I remember a period about a year ago when the line spacing behavior went berserk.

Update 5/23/09: I've experimented further. It's fubared. I have learned that if one uses the rich text "remove formatting" tool the formatting becomes more predictable. It's the interaction between source text formatting and the rich text editor that makes things really messy. I wonder if Google is giving up on blogger.

Friday, May 15, 2009

Project Contacts: Now mixing Outlook/Exchange, PST file, Outlook/Home, MobileMe Sync, OS X Address Book and the iPhone.

A recent Apple Discussion Thread led me to take a new direction with Project Contacts.

To put it mildly, there’s a lot of complexity in this post. However initial results are very positive. This method will require me to purchase a MobileMe account, something I was hoping to avoid. (See below for a partial index to past efforts.)

The end result is that I have a single collection of work/home contacts across iPhone and OS X Address book at home. The work contacts portion of this collection is updated weekly. At this time the update is one way, from Work to Home.

For anyone who may be facing these challenges, I have provided a skeletal outline here of what I did and what I would do if starting from scratch. You will see how insanely complex this is. Note that as of this writing the core PIM data that was once in Palm/Desktop is now scattered across Google (Calendar and a detached set of Contacts), Outlook/corporate, Toodledo and MobileMe. Everything does come together in my iPhone. The current solution involves a wide variety of vendors. For example, Apple's MobileMe calendaring is pathetic; far weaker than Google Calendar and a joke compared to Outlook (which makes Apple's no-show on tasks even more crazy). On the other hand Apple's Contact framework is very robust, much stronger than Google and a rival to Outlook.

This ruddy mess is a real indictment of Apple and a fat opportunity for the PalmPre.

So much for prelude. Here’s the outline, strictly for the uber-geek:

Here’s what I actually did:

  • Copying contacts from Outlook/Exchange root to Outlook PST caused the EX (Exchange server x.500) email addresses to be updated to SMTP (standard internet) email addresses.
  • PST on thumb drive to home (simple)
  • Copy into Home Contacts
  • Sync to MobileMe
  • In MobileMe web assign all to a Group
  • Sync to OS X Address Book (small conflicts)
  • Sync to iPhone (ok)
  • Sync to Outlook Home: Each Group in OS X Address Book became a Contacts Subfolder in Office 2003. This means the Address-to-Group relationship may have to be one-to-one.

Expected problem:

  • Contact belongs to two Groups in OS X Address Book (multiple inheritance)
  • Contact assigned to ONE Subfolder in Office 2003.
  • In OS X change Group assignments.
  • What happens in Outlook?

Here’s what I suggest doing (LOTS of backups of OS X Address Book as you go along)

  1. Outlook/Corporate create PST file, copy work contacts. Do not copy lists or groups of contacts, only contacts.
  2. PST file to thumb drive
  3. Home Outlook mount PST data file. Make sure Contacts folder is empty
  4. Sync iPhone to OS X Address Book
  5. Create new group in OS X Address Book that will hold corporate contacts
  6. Sync to fresh MobileMe Account
  7. Sync fresh MobileMe account to home Outlook
  8. Now Outlook will have an empty subfolder. Dump the Contacts transported into the PST file into that empty folder.
  9. Sync from Outlook to MobileMe
  10. Sync from MobileMe to OS X Address Book
  11. Sync to iPhone

A partial index to past and related efforts at work/home Contact integration:

Update 5/15/09: Now that I've got this working I'm trying various optimizations. For example, my contacts don't change that often. It's easy to create a view in Outlook that sorts by modified date. It's fairly trivial to send out a few changed .msg in an email and let Outlook at home merge them in. I still have to think about how to work with Google's Contacts, but I'm seeing a few interesting options.

It's weird how powerful MobileMe contacts are, yet how feeble MobileMe calendaring is. We're due for a MobileMe relaunch, so I expect some developments before September.

Lastly, I should probably mention why I took this route. The more I looked at the workarounds for getting Outlook/Exchange corporate contact data to Google or the OS X Address Book the worse they looked. There are problems with data models, problems with the intractable horror of the Outlook Add-In architecture, problems with Exchange server and problems with corporate access. This approach is crude, but for me, once I figure it out, fairly painless. I think it will fly until we get something better.

In the meantime, I'm rooting for the PalmPre to humiliate Apple and make them reconsider the direction they're taking.

Update 5/15/09b: Now that I've got this setup working I can see weird new affordances. For example, one of my top 10 OS X frustrations is the inability of FileMaker to work with the Address Book SQLite data stores. Ahh, but now my address data is synchronized between Outlook/Home and Address Book, and I can use Microsoft Access with Outlook/Home. So I can clean things up there, and MobileMe sync will propagate my fixes. I think I'll find a way now to get my Google Contacts into the battlefront.

Update 5/16/09: Great comment by Faheem, who's achieved a similar outcome using Plaxo without paying for MobileMe. I took a look, but Plaxo didn't feel right for me.

Tuesday, May 12, 2009

Outlook contacts to OS X Address Book - 3 techniques

In 2006 MacWorld outlined 3 ways to move Outlook contacts to OS X Address Book. It's rather annoying that Microsoft doesn't provide a standards-compliant export from Outlook; they're usually a bit better about data mobility of this sort.

Outlook contacts to Address Book | Root | Mac 911 | Macworld

... Under Outlook 2002 you could simply open your contacts and drag them to the desktop to turn them into vCards. No longer. Try this and the contacts are converted to messages.

While you can select a single Outlook contact, choose File -> Save As and, in the resulting dialog box, choose vCard Files from the Save as Type pop-up menu, this works only for individual contacts—you can’t export a group of contacts this way.

You have a few options for eventually getting the things out of Outlook. The first is to select all your contacts and choose Action -> Forward as vCard. Outlook will create a new email message that contains all your contacts as individual vCard attachments. Send this message to yourself, pick it up on the Mac, drag these files into Address Book or Entourage’s Address Book and you’re good to go.

Or Sperry Software can lend a hand with its $20 vCard Converter Add-in for Microsoft Outlook. This adds a service that enables Outlook to export all your contacts as a single vCard. (Yes, it’s galling that OS X’s Address Book lets you do this for free.)

Or you can use a go-between application to get the contacts out of Outlook and into an application that offers more flexible export options. That application is the Windows version of the free cross-platform email client, Thunderbird. Within Thunderbird you’ll find the Tools -> Import command. Choose it, select the Address Book option, click Next, and in the Import window select Outlook and click Next to import your Outlook contacts into Thunderbird...

I tried the Action - Mail feature, but it doesn't work for 980+ contacts.

Next on the list is the now $25 vCard Converter Add-in for Microsoft Outlook, but I fear all Outlook Add-Ins. I think the Outlook Add-In architecture is 75% unstable antimatter. (Alternate source?)

It's not on this list, but a few months ago I tried the export to Google to Address Book route. It was "ok", but I ran into problems with EX style x.500 email addresses.

So this time I think I'll try the Thunderbird option first, and if that's not satisfactory I'll try the (currently) $25 vCard converter add-in.

Once I have the Work contacts in OS X Address book, then they'll go to my iPhone ...

Update: Thunderbird had the same X.500 (EXchange server) email address translation problem as CSV export. Also, I couldn't limit import to a single contacts collection, it brought them all in. Lastly, it was very slow. If the Sperry product can do the x.500 to internet standard email translation I'll give it a try.

Also, this export utility has a 30 day trial.
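The EX-style X.500 address problem mentioned above (and again in the "Project Contacts" post, where copying to a PST rewrote EX addresses to SMTP) is easy to audit before you import anything. The script below is an added example, not code from this post, the Macworld article or any of the tools named here. It assumes the column names Outlook uses in its CSV export ("E-mail Type", "E-mail Address", "E-mail 2 Type", ...); adjust them if your export differs. The rows are constructed samples, and the `suggest_smtp()` helper is a heuristic I am adding (alias after the last `cn=` plus a domain you supply), not a mapping Exchange guarantees.

```python
"""Flag Exchange 'EX' (legacy X.500) addresses in an Outlook CSV export.

Added example, not from the blog post. Column names follow Outlook's CSV
export and are an assumption; the sample rows are constructed.
"""
import csv
import io
import re

# Shape of an Exchange legacyExchangeDN:
#   /o=<org>/ou=<administrative group>/cn=Recipients/cn=<alias>
EX_DN = re.compile(r"^/o=[^/]+/ou=[^/]+(?:/cn=[^/]+)+$", re.IGNORECASE)
SMTP = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of an Outlook CSV export (three contacts).
SAMPLE_CSV = """\
First Name,Last Name,E-mail Type,E-mail Address,E-mail 2 Type,E-mail 2 Address
Alice,Example,EX,/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=alice,SMTP,alice@example.com
Bob,Example,EX,/o=ExampleOrg/ou=First Administrative Group/cn=Recipients/cn=bob,,
Carol,Example,SMTP,carol@example.com,,
"""


def audit(csv_text):
    """Per contact: usable SMTP addresses, EX DNs, and whether a fix is needed."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        smtp, ex = [], []
        for key, val in row.items():
            # Only the e-mail address columns, not postal "... Street" fields.
            if not key or not val or not (key.startswith("E-mail") and key.endswith("Address")):
                continue
            if SMTP.match(val):
                smtp.append(val)
            elif EX_DN.match(val):
                ex.append(val)
        report.append({
            "name": f"{row.get('First Name', '')} {row.get('Last Name', '')}".strip(),
            "smtp": smtp,
            "ex": ex,
            # A contact with only an EX address will not resolve outside Exchange.
            "needs_fix": bool(ex) and not smtp,
        })
    return report


def needs_fix(csv_text):
    """Names of contacts that have no routable SMTP address at all."""
    return [r["name"] for r in audit(csv_text) if r["needs_fix"]]


def suggest_smtp(ex_dn, domain):
    """Heuristic (assumption, not an Exchange rule): last cn= alias @ domain."""
    alias = ex_dn.rsplit("/cn=", 1)[-1]
    return f"{alias}@{domain}"


if __name__ == "__main__":
    for r in audit(SAMPLE_CSV):
        flag = "NEEDS FIX" if r["needs_fix"] else "ok"
        print(f"{r['name']:<16} {flag:<10} smtp={r['smtp']} ex={len(r['ex'])}")
```

Feed it your real export (`audit(open("contacts.csv", encoding="utf-8-sig").read())`) before moving the PST or running the Thunderbird import; any contact reported as needing a fix is one the Mac side will show with an unusable `/o=...` string.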

Saturday, May 09, 2009

Make iTunes window more like a standard OS X window

iTunes started out as a pretty un-Mac like application, but over the years the platform and iTunes have grown together.

Except for one real oddity.

Every Mac application has 3 "ball" icons in the upper left side of the window - red, yellow, green. In Safari if you mouse-over they display a symbol as well.

Red closes the window. Yellow hides it. So far, so boring. But what about green?

Green is the expand window button. This isn't well documented; the OS X zoom window (expand window) behavior is quite different from Windows. A well behaved app doesn't necessarily zoom to full screen, it zooms to the maximal logical size (which for many apps is full screen). It doesn't always work as expected, and I think apps are behaving more like Windows zoom over time, but I personally like this smart zoom.

So the green button is the expand button ... except in iTunes, where it instead launches the iTunes mini-player! How annoying.

Happily, there's a workaround, which I came across here and have since added to an old post of mine on iTunes shortcuts and modifier keys...
Gordon's Tech: iTunes keyboard shortcuts, safe mode, prevent mounting, and more
.... option-click the top-left round green window (+) icon: instead of switching to a mini player, the iTunes window adjusts to an optimal size for the current display. In other words, it behaves like the green icon on every other OS X app...
I'd prefer iTunes behave like a standard Mac app, but option-click is better than nothing.

Wednesday, May 06, 2009

Retrospect restore failing, network flaky – a hardware problem?

Maybe it’s the incipient dementia, but I’m having a hard time telling hardware problems from software problems these days.

It didn’t used to be this way. Even ten years ago if something went wrong, it was almost always a software problem.  The only exception was the slowly dying drive, but you could usually hear that going.

Now, who can say? Systems can run hot, solder isn’t what it used to be, and quality is an issue everywhere. Software is very complex now, and software changes can make latent hardware issues into active problems.

It’s also true that hardware is much older than it used to be. Moore’s Law failed a while back; my 6 yo XP box just keeps on being useful. I don’t ask much of it since we’re largely an OS X shop, but it’s good enough for basic work.

It all adds up. Oh, and the dementia too. Being an OS X shop means it’s been a very long time since I’ve had to think about BIOS age, memory maps, interrupts, and the like.

My latest experience is a case in point. It began when I replaced my old USB backup drive and enclosure with a LaCie 1TB drive/enclosure. My old XP box wouldn’t boot! It simply hung in early startup. I found I had to turn the drive off to boot, then turn it on again when XP was up. Then it all worked.


Next I started getting oddball network problems. I beat them back and things seemed to settle down, but then a Retrospect Professional restore of a 50GB iTunes Library failed with a typically cryptic Retrospect error code of "-519". I had to throttle my 100 mbps network back to 10 mbps to get the restore to work.

That got my attention. I can’t live with unreliable backup/restore.

In some earlier testing I’d eliminated cabling and my Netgear gigabit switch as contributors. So the problem lay in my 3 yo G5 iMac or my 6 yo XP box. Neither had had major software changes recently, so I bet on hardware. Since some network glitches had required power cycling the XP box I put my bet on that.

So I bought the Intel PWLA8391GT PRO/1000 GT PCI Network Adapter. It came from Amazon in about 2 days (free shipping!) in a plain package with a single DVD. Nothing fancy here.

So I swapped out the old 100 mbps SMC NIC for the Intel and rebooted and got a … turquoise screen.

Nothing. The drives were spinning, the CPU fan was spinning, but the system locked pre-BIOS! I pulled the card, restarted and things looked good.

So then in desperation, I moved the NIC to a different slot, and then rebooted and looked through all my BIOS settings. I made one change. The BIOS had previously been set to manage devices, now I set it to ignore PnP devices and let the OS handle them.

So I did two things at once – but I wasn’t trying to identify the root cause. I wanted the thing to work.

I then restarted with the LaCie 1TB drive attached and … it worked.

I’m really getting tired of figuring this stuff out.

The Intel adapter requires drivers, so I installed from the CD and … wait for it …. found a bug.


It’s a gift.

The installer bombed with a poorly written complaint about my “S:” drive.

Turns out I’d mapped the “My Documents” folder to a (now inaccessible) network share that I’d mapped to the “S:” drive. So of course there was nothing there. Even when I dismounted the “S:” drive, the installer still bombed. I had to reset “My Documents” to the default setting.

So, pretty dumb coding on the installer. On the other hand, once the install completed, I was impressed by the diagnostics suite. The NIC, cabling and network passed every test.

These hardware diagnostic tests are critical in the modern era, so this utility was a definite plus.

I then repeated the restore that had previously failed at the 200MB mark. This time it went easily past 1GB, with a throughput of about 830 MB/min (probably limited by the USB drive).

So I think my problem is solved. Was it really a problem with the IDE slot? Or the old NIC? Or the 1TB USB peripheral causing some problem with the 8 yo BIOS? Was the fix the new card, changing the BIOS settings, or moving to a new slot?

I don’t know.

Don’t care.

My network’s much faster now…

Why I'm downloading Windows 7 RC tonight ...

It works on VMWare -- and it's free ...

VMware: Team Fusion: Windows 7 on Mac with VMware Fusion: A Practical Guide Revisited

... More important, I am excited that the Windows 7 Release Candidate is the easiest way for you to try out Windows on your Mac for FREE (at least until the beta expires). That’s right, you can download Windows 7 Release Candidate through July 1st and it’s free to use until it expires on June 1, 2010...

The VMWare post has more details, but basically the RC works fine with some trivial and standard configuration options.

A very nice surprise for me. I've been tracking Windows 7 from a distance, but primarily as my way to avoid Vista (Windows 7 is Vista 2.0 of course, but I'm good with that). In the meantime I've had Parallels 1.x and Windows 2000 (!) running on my MacBook for about 2 years (man, does Win2K ever boot fast on that machine.) This setup worked for the handful of times I've needed it, and the two take up very little CPU or disk space. Windows 2000, of course, is essentially immune to modern viruses.

That's a good setup and it cost me nothing but Parallels 1.x since I have several unused Win2K licenses. It probably won't work on 10.6 though, and I'm about due for a new iMac.

So I'll put my unused VMWare license on the new machine, install Windows 7 RC, and be good for a year or so. Then I can decide if I want to buy Win 7 or regress to Win2K ...

(I wonder if I need to get more than one copy of Win 7 RC, in case I put it on two Macs ...)

5/26/09: Updated to remove a stupid mistake where I confused 2009 with 2010. The RC1 download is good for one year. That's just fine.

Tuesday, May 05, 2009

iPhone incompatible with old auto adapter? Salvation from Griffin

I like Griffin stuff, so I was willing to take a gamble on the just released Griffin Firewire to USB Charge Converter for iPod and iPhone 3G.

In short, it works. One of the truly infuriating iPhone aggravations has been ameliorated.

The $20 device is a bit bigger than the proverbial postage stamp, about an inch square. It's quite light. The standard iPhone/iPod adapter is the modern friction-only style, no lock feature. (I'd prefer the positive lock for this use, but Apple has moved away from them.)

I plugged one end into my SONY car stereo with iPod adapter cable and the other end into my 3G iPhone. The iPhone began charging. More importantly, the kludgy but useful iPod control software works, and the sound quality really is better through that cable than through the AUX in mini-jack connector.

I did get an error message from my iPhone saying the device was not compatible with the iPhone and offering to reduce audio interference by putting my phone into airplane mode. This is not related to the Griffin converter, I get this message without it. It's different from the "can't charge" message -- it's saying that the radios built into the iPhone can cause interference with many devices not built for the 3G iPhone. In my case there's no hum or other problem in standard mode.

The adapter does make the cable to iPhone connection long and somewhat fragile. It would be easy to whack the end of this longish lever and injure a connector. It would be best used when the iPhone is securely mounted.

It's probably not worth buying this device to extend the utility of a firewire charger -- it costs almost as much as a Griffin USB charger and cable. It's really made for an automotive head unit, and it works on mine.

Note that Griffin makes no claims that the automotive head unit controls and audio inputs will work -- only that charging will work. I took a chance that everything would work, and it did.

Lost phones: advice for everyone

Although this article is written about a lost iPhone, it's really applicable to all phones: Six things I learned from losing my iPhone 3G.

Be sure to read the comments as well. I'd already followed most of the recommended practices, but I hadn't checked with my home owner's insurance to ask what it would cost to insure the phone against loss. One comment mentioned their policy increase was only $10 a year, another said the deductible was prohibitive. Note that most high end phones cost about $500 to replace unless your contract is nearing its two year renewal date. (I think for AT&T in Minnesota they'll provide the new phone subsidy if the renewal date is less than 4 months away).

I didn't realize that under some conditions AT&T will mark a phone as stolen, and may be able to retrieve it if someone tries to use it with a new account.

I photographed a business card and turned it into my wall paper. Dull, but effective. I also implemented the "delete data on 10 password retries", but some of us have young children who may try to hack a phone. If you implement this be sure to sync regularly.

Monday, May 04, 2009

Apple's iPhoto and MobileMe photo blunder: when full quality isn't.

Adam Engst is far too kind to Apple in this article (emphases mine) ...

TidBITS Media Creation: How to Share Full-Quality Photos via iPhoto

A reader recently sent me email asking why sending a photo via email using the "Actual Size (Full Quality)" option in iPhoto resulted in a photo that was significantly smaller than the size of the photo within iPhoto...

A quick test on my system confirmed his results. My Canon PowerShot SD870IS's test photo started out at 3.1 MB and 180 dpi before dropping to 1.7 MB and 72 dpi. When I opened both the original and the reprocessed photos, Preview's inspector window showed the change in dpi and file size, though the dimensions of the photos were indeed identical.

... iPhoto always compresses photos sent via email to reduce the file size...

... posting the photo to your MobileMe Gallery won't help either, since iPhoto compresses uploaded photos there as well, even when you use the Actual Size option in the Advanced preferences for a MobileMe Gallery album...

... is an EmailCompressionQuality key in the file that's set to 0.75 ... When I bumped it up, the size of photos sent via email did increase, but when I set it to 1.0, the file size nearly doubled from the original....


Adam is glossing over some key points in an understandable effort to be sweet to Apple.

The problem is not that "iPhoto [always] compresses photos", it's that iPhoto is decompressing the original JPEG (SD870 is JPEG, not RAW), then recompressing it at a severe .75 JPEG compression factor. The decompression/recompression factor is why, when Adam moved the quality index to 1, the resulting JPEG was twice as big as the original. (You'll see the same thing with any image managed this way.)

This is a big deal for photo geeks. Try putting an image through four sequential JPEG 0.75 save/edit cycles and you'll get a mess. When I put "full quality" images on Picasa Web Albums or SmugMug one of the things I get is a high quality backup of my image. We now know that's not true of MobileMe -- it only looks that way.

The discovery that "full quality" images posted on MobileMe are being put through the same decompress/recompress cycle, while being sold as "full quality", ought to be red meat for a lawyer. Anyone know of a hungry lawyer taking charitable contributions for yet another Apple lawsuit? I don't care about winnings, I just want them to suffer.

For my part I'm going to give this a try with Google's Picasa Web uploader and see what I get back. I don't use MobileMe, and I'm not likely to start now.

Incidentally, a more subtle version of this stupidity occurs in Aperture. If you import a JPEG image into Aperture, don't apply any edits, then export it from Aperture using a standard JPEG setting with quality 1 you'll see the same (pointless) decompression/recompression at work.

Update 5/26/09: Apple doesn't apologize, but it effectively confesses to the blunder. No promises of a fix, however.

Sunday, May 03, 2009

Yikes! Disastrous iTunes 8.1.1 AppleScript bug!


This iTunes 8.1.1 bug is probably the nastiest bug that's bitten me in years.

I have long used an AppleScript to delete the first 'n' characters from an iTunes column string for all selected columns.

In iTunes 8.1.1 it ignores the selection, it processes all the items in a playlist.

So about 300 items have lost the first few characters of their name.

I'll have to restore from backup.

Update: Well, isn't that sweet. My backups appear to be good, but my restores are failing with a Retrospect error code of "-519", which means network error. I have reason to suspect this is actually a hardware error on the old Windows XP machine that runs my Retrospect Professional backup server.

Looks like this is going to be one of those days.

Update b: I dropped the XP box to 10mbps and rebooted the XP box and the iMac. The backup is now crawling along; it will take about 12 hours (!) to complete if it continues. I'll delete all the AppleScripts associated with iTunes and see if I can figure out if this is a known bug.

As for the networking issue -- it's not the first odd networking problem I've seen lately. Sad thing is this is just as likely to be hardware (switch, XP box, iMac) as software! If Retrospect 8 were in better shape (still no PPC version!) I'd probably buy a modern iMac and get rid of the XP box.

Update 5/4/09: The 45GB restore at 10 mbps took about 12 hours, but it worked. Interesting lesson about modern apps -- the script bug only knocked out a few bytes of data distributed across about 300 MB of music, but I had to restore all 45GB.

So now I have to address the network problem that blocked restores at 100 mbps. In the past I'd have been confident this was a software bug in either the iMac or the XP box. Nowadays nothing's so simple. It could be an emergent bug. It could be an XP BIOS problem triggered by the 1 TB external USB drive, a drive that's far out of spec for that old system. It could be a subtle motherboard problem on the iMac -- the G5 iMac line is notorious for mb failures (one of Apple's crappiest products).

I've already ruled out switch or cable problems.

I'm going to take a semi-informed gamble and install a new 1 gbps Intel NIC in the XP box and retest. If that doesn't work I'll have to start testing the iMac for a motherboard failure.

Update 5/6/09: New NIC worked, but not exactly sure why.