Saturday, October 30, 2010

Firesheep, sidejacking, and SSH Tunneling with DreamHost

In the endless spy vs spy game of net security there have been two recent setbacks for the good buys.

One is the rise of the keystroke logger. That's how I suspect my Google account was hacked from an insecure machine - a corporate laptop running XP. The best response to the keystroke logger is either to carry the 11" MacBook Air -- or to establish disposable network services for use on untrusted devices.

The other setback is the very recent emergence of trivial sidejacking.

Sidejacking is the theft of network credentials, and particularly cookies, by intercepting unencrypted WiFi network traffic. It's been a commonly recognized and widely ignored problem for about three years, but now a security researcher has decided to make ignorance impossible. He's released Firesheep (my 11yo says it should be called "Firerat") to make Sidejacking a trivial task bored kids (emphases mine. He's yelling at Facebook here.)...

... When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
Sigh. I was hoping to ignore this problem, but now I can't. TUAW has an excellent review of our options: How to guard yourself and your Mac from Firesheep and Wi-Fi snooping. I summarize it as 3 options:
  1. Witopia VPN ($40/year for good-enough PPTP). I used them for twoyears, after I first worried about sidejacking in 2007, and they provided good service. I'm cheap though, and didn't need them that often, so I decided to wait until the sidejacking problem got worse.
  2. Various solutions that get you into your home network and let you use those presumably secure resources. Too much trouble for me, and too likely to be flaky.
  3. SSH tunneling - aka the poor man's VPN. This forces all traffic through an "SSH tunnel".

I tried Witopia VPN before and I'd recommend them (though I did have technical problems)  - but I'm feeling cheap these days. I decided to try SSH tunneling because I already pay for full service hosting through DreamHost; so I have what SSH needs.

(BTW, I love DreamHost. If you sign up with my promo code of KATEVA I get a $50 kickback and you get $50 off your 1st year fee. Today, however, they're offering $110 off -- a full year of service for $9.25. To put it mildly, this is unbeatable.)

This is how the DH wiki describes their SSH tunneling SSH Tunneling

Your Dreamhost account can be used to create a secure tunnel to circumvent firewalls that prevent access to particular websites. This isn't recommended as a replacement for a VPN or similar service, but if you need the occasional ability to reach sites that would otherwise be unreachable *or* need secure access because you are using an unsecured access point, this might be an appropriate solution for you.
SOCKS is the name of the protocol used. SSH is the name of the software used to create the tunnel. There are a number of GUI options available for Windows, Mac OS X, and *nix, but using SSH usually demands a command-line environment. This article will assume that it is installed and configured appropriately. Practically speaking, this information is not that important. You just need to know the magic incantations.
Note: This is a great temporary solution if you need to view something your ISP has blocked for unknown reasons. It should be considered a temporary solution, as it will definitely use bandwidth on your account. When you are on a shared server, it's nice not to abuse the system.

The wiki page provides some Windows instructions using Bitvise (Free!) Tunnelier, but Mac users can get by with the command line (though I will also test OS X Meerkat separately). Here's what I did at DreamHost to get the SSH tunnel working on my 10.6 machine:

  1. Using DreamHost Control Panel:Users:Manage Users confirm account has a user setup with a shell account.
  2. IN OS X Terminal type:  ssh -D 9999 jgordon@trafficante.dreamhost.com 
    • jgordon is not my true username, it's just an example
    • trafficante is my DreamHost server. Yours may be different.
    • 9999 is the port number
    • -D turns on compression
    • Some documentation says to use the N switch for non-interactive, so it would be ssh -ND 9999 jgordon@trafficante.dreamhost.com
  3. Enter this user's pw on request
  4. You now have an SSH connection.

To use this SSH connection you have to configure a proxy in OS X from the Network Preference Panel like this:

Screen shot 2010-10-30 at 7.44.42 PM.png

Of course you don't want to keep having to turn SOCKS on and off in Network Preferences depending on your settings, and you don't want to use SOCKS unnecessarily. That burdens DreamHost, and it slows your network traffic. I created a new OS X network "Location" that has the SOCKS Proxy turned on.

Also, when your done with your connection, please type "exit" in terminal to close it. That's just politeness.

Here's how you can test if the configuration is working:

  1. Change your "Location" to the one you setup with a SOCKS proxy (I call it Google DNS SOCKS).
  2. Try to open a web page. Nothing should come up, you'll get an error message.
  3. Now run the SSH command to create a connection.
  4. Retry your browser - now it should work.

I wonder if I should use a different DNS provider when I do this, currently I'm using Google DNS. For now however that seems to work.

Update: I tested Meerkat. It's a very powerful networking tool; it's not designed primarily for this problem. I can just barely follow the very sparse documentation. Really, a commercial product deserves a bit more documentation.

I think it's easier to just type the ssh command and change Location settings! If you want to try Meerkat as a sidejacking prophylactice, start with this vendor blog post. Note that in this example Meerkat uses 6666 for a proxy.

I'm going to stick with the command line and using OS X native Location settings.

See also:

Friday, October 29, 2010

Google: The Quick, the Sick and the Dead - 4th edition

It's been 4 months since the 3rd edition of Google: The Quick, the Sick and the Dead, so this edition is about two months early. It's time though -- because Google is changing fairly quickly.

Changing quickly, but not improving. In the list below I put in parens the prior QSD rating for each item and I've added a section for the official dead. I've decided to stick with only those Google products I personally use, so I've omitted Android.

Comments below.

The Quick (Q)
  • Google Scholar (Q)
  • Gmail (Q)
  • Chrome browser (Q)
  • Picasa Web Albums (Q)
  • Calendar (Q)
  • Maps and Earth (Q)
  • News (Q)
  • Google Docs (Q)
  • Google Voice (S)
The Sick (S)
  • Google Search (Q)
  • Google Reader (Q)
  • Google’s Data Liberation Front (Q)
  • Translate (Q)
  • Custom search engines (Q)
  • Books  (Q)
  • YouTube (Q)
  • Google Apps (Q)
  • Google Profile (S)
  • Google Contacts (S)
  • Google Mobile Sync (S)
  • Google Video Chat (S)
  • Google Checkout (S)
  • Orkut (S)
  • iGoogle (S)
  • Gmail Tasks (D)
The Walking Dead (D)
  • Chrome OS (S)
  • Buzz (S)
  • Blogger (D)
  • Google Groups (D)
  • Google Sites (D)
  • Google Base (D)
  • Knol (D)
  • Firefox/IE toolbars (D)
  • Google Talk (D)
  • Google Parental Controls (D)
The Officially Dead - since last edition
  • Google Desktop (D)
  • Google Wave (D)

Since the last edition there have been three escapes from Walking Dead. Two products are now officially dead and Gmail Tasks has been promoted to merely Sick (still uninteresting). There's been one promotion from Sick to Quick - Google Voice.

Seven products have moved from Quick to Sick - including Search. That's a big one. Google suggest is fun, but Google is losing the splog wars. Too many of the results I get back are splog noise. I love Reader, but the Notes/Comments silliness has to mark it as Sick. I also love the Data Liberation Front, but they're not getting traction any more. I suspect they've lost funding. Translate hasn't made progress on the non-Euro languages, so it's increasingly irrelevant.

Overall, this is a grim time to be a hard core Google user. Of course I don't use Android, and Android gets a lot of press. I wonder, however, given the rest of Google's recent record, how solid Android really is.

I wonder if this performance is ever going to show up in Google's  share price.

Thursday, October 28, 2010

The iPhoto 11 (v9.0) data loss bug: permissions again

The killer data loss bug in iPhoto 11 is ... wait for it ... Permissions related:
iPhoto 11: Avoid possible data loss - Mac OS X Hints

A possible bug in the upgrade process by iLife 11 causes a loss in one's library. Even more, some of the 'successful' upgraders are not even aware that they might too have lost some files!

The root of the problem lies in faulty permissions within the iPhoto Library. The solution is to fix the permissions. Repairing permissions in Disk Utility won't help because that doesn't affect user files, only installed programs with Receipts.

... Install BatChmod and run it...
Drag and Drop your iPhoto Library (usually located in your ~/Pictures folder) into the open BatChmod window. 
Change the Letters R, W and X under the Owner, Group and Everyone to a check mark. 
Also select the check mark for the following boxes: Change ownership and privileges, Clear ACLs, unlock box and Apply to enclosed folders and files.
Click Apply...
Have I mentioned I hate the OS X Permissions based security model? It's a botched implementation, and probably the worst part of using OS X. Adding the 10.6 ACL layer seems to have made a bad scene worse.

This bug is yet another example of why I never rush to install Apple products. Apple is a design company, not a quality company. They do this sort of thing routinely.

It's appalling that the installer doesn't check for permissions issues prior to installation. iPhoto has had lots of permissions related bugs in the past, and I've personally run into about a dozen permission related bugs in other parts of OS X. Apple should have tested for problems.

It's too bad there's no legal resort to pursue for these kinds of egregious quality problems.

See also:
PS. Google's blogger removed the paragraph spacing in more than half of the above articles. I hand edited each one. Blogger is proof that Google is made up of flawed humans.

Update: Apple has released the 9.01 fix.

OS X - the Dropbox, Drop Box and Public inversion mystery solved

Something weird was going on.

My 10.6 account had the old "Public" folder containing the familiar "Drop Box".

It also, however, had a "Drop Box" folder containing a Public folder! The Public folder had a document I'd never seen before ...

You can get a public link for any file in your Dropbox's Public folder.
Simply right click (or control click) on a file, click the Dropbox submenu,
and then click 'Copy public link.'

How strange. I don't remember that feature of OS X.

New feature? Inverted Public to Drop Box relationship? What's going on?

OS X hasn't really changed. There's still a "Public" folder containing a "Drop Box". The "new" folder wasn't actually another "Drop Box" -- I'd misread it. It is a "Dropbox" folder -- all one word. It was created by when I installed a cloud based file service known as Dropbox.

I'd stopped using it, and forgotten the double meaning. The folder was simply leftover. I deleted "Dropbox".

It is rather confusing ...

Wednesday, October 27, 2010

Why didn't the MacBook Air ship with USB 3?

I'm halfway to buying a MacBook Air, but I'm sticking with Gordon's rules of acquisition. I'm good with #2-#4, but working on really, really wanting it three separate times.

Thanks to the joy of a nearby Apple Store I've touched the 11". I am infected now. I verified that my 51 yo eyes can read the screen -- that was my main concern. I've also confirmed that it's no bigger than an iPad.

My decision would be easier if the Air had shipped with USB 3. That would more than compensate for the lack of Firewire or ethernet ports.

So why doesn't the lovely 11" come with USB 3? Will there be a USB 3 version out this fall?

This Wikipedia article explains ...
... Intel will not support USB 3.0 until 2011 ... These delays may be due to problems in the CMOS manufacturing process ... .... or a tactic by Intel to boost its upcoming Light Peak interface... Current AMD roadmaps indicate that the new southbridges released in the beginning of 2010 will not support USB 3.0...
This looks ominous. I'd be surprised to see USB 3 in an Apple product before mid-2011. I wouldn't be surprised if they took another path entirely.

Bottom line: USB 3 isn't ready now, isn't likely to be ready for a year, and may yet go the way of Bluetooth (basically dead).

PS. Incidentally, I tested in the Apple store. The MacBook's USB port has enough juice to charge an iPad.

Tuesday, October 26, 2010

Speeding up my sluggish XP Fusion VM

When I gave up my last XP machine, I created a VM from the disk image. It worked, but the performance was poor. My XP VM on an i5 iMac was quite a bit slower than a Windows 2000 VM on my much less powerful MacBook.

It took me a while to speed things up. I removed some custom settings for the Windows swap file and I gave the VM more cores. I upgraded my system memory that helped too; I gave the VM more RAM.

Even so, I could hear much more disk activity than I liked and file saves were often slow. I don't use the VM for much, so I took my time on fixing this.

More recently, I got some help from VMware KB: Troubleshooting Fusion virtual machine performance for disk issues.

I found the VM had inherited 35% fragmentation from the old disk (I'd also made it too large). I used XP's built in defrag to fix that. Then I ran VMWare Fusion's cleanup utility, and I flipped my VM from 2GB files to a single large file.

It's fine now; as fast as I need it to be (not much!).

Monday, October 25, 2010

Tweeting Google Reader Shares and Notes via feedburner

I've been using twitterfeed to tweet my Google Reader Shared Items for about a year (via jgordonshares now).

It's mostly worked, albeit with the limitations of Google's oddball Reader shared item feed. Recently, however, I've been concerned about Twitterfeed's understandable need to monetize their service. It's not the monetization I mind, it's that I'm a passenger wherever they go.

So I poked around a bit. I reviewed some services I'd looked at previously, including RSS Graffiti, but they didn't give me the warm fuzzies. Then I learned I could use a services I already know, Google's Feedburner, to tweet a feed ...
I configured feedburner to turn my Google Reader Generated Page feed ...
http://www.google.com/reader/public/atom/user%2F06457543619879090746%2Fstate%2Fcom.google%2Fbroadcast
into a Feedburner feed:
feed://feeds.feedburner.com/faughnanreadershares
It took several tries to get it to work. I repeatedly got an "internal error" message even when I provided the shared item web address (http://www.google.com/reader/shared/jfaughnan) and let Feedburner discover the feed. Just as I was about to give up, it worked.

The Feedburner version of the Google Shared Items feed has some interesting properties.  For example, my Reader shared item notes now appear as inline text. I can also get odd links to posted notes like this one:
http://www.google.com/reader/item/tag:google.com,2005:reader/item/4ba48c42d43b00ab
From Feedburner it was easy to link the output from this Atom feed to my jordonshares Twitter stream. I'm using the following services there ...
Optimize
- Title/description burner
- BrowserFriendly
Publicize
Socialize - Twitter
I wonder how long this will work, but for now I'm using Feedburner instead of Twitterfeed to post my Google Reader Shared items and notes to Twitter.

See also (lots of experiments!)

Migrating from Blogger to WordPress - a guide

I need to move from Blogger to WordPress (via Dreamhost).

I'm studying how to do this, starting with these guides:
Happily many have gone before me. I'll study these posts and make the move in a few weeks.

It will be a great pleasure not to have to deal with Google's paragraph, rich text editing, anf formatting problems any more.

Blogger's 3 year paragraph debacle - the case of universal line break conversion

(Post title revised to reflect updates.)

I'm increasingly running across old posts that I've not touched where paragraphs have now vanished.

Not content with ruining formatting on newer posts, Google (blogger) is is now blowing up older posts.

I need to find an alternative to Blogger.

Update: I ask at Blogger's help group, but, based on the questions there, I doubt it will get any attention. Here's a sample of the damage. I have hundreds to thousands of old posts like this ...

Update 10/29/10: This has been going on since 2007. Three years of screwing up.

Update 10/29/10b: I've figured out part of this, thanks to a hint in that 2007 article. Blogger has a feature in settings that turns out to have devastating side-efects:

I believe the default setting is "convert line breaks". I changed it to NO to see if non-conversion would help with Google Composer's longstanding paragraph and format mangling. It never occurred to me that I was changing a setting that would be applied to every post in my blog. I reversed this setting on tech.kateva.org and my old posts now have line feeds again.

On notes.kateva.org I'd never changed the setting, so it wasn't disrupted.

Incidentally, I have two new insights on what's wrong with Blogger's various editors. MarsEdit's HTML view illustrated the second bug:

  1. Blogger's rich text editor paragraph controls get confused when a paragraph begins with bold text. Frequently, but not always, this triggers an extra line feed.
  2. Blogger's editor sometimes inserts <div> tags when it should insert <p> tags. In the rich text editor these create paragraphs, but browser behavior is variable. To quote Jennifer KyrninThe <div> tag is not a replacement <p> tag. The <p> tag is for paragraphs, only, while the <div> tag defines more general divisions within a document. Others have been confused about this distinction.

Update 10/29/10c: It appears that the editor is inserting two <br> tags and a <div> tag instead of a <p> tag. Both the current standard editor and the draft editor do this, I think the old editor might have inserted a single BR tag and a DIV tag. This is a terrible practice. See this Stack Overflow discussion and this one.

Update 10/30/10: The MarsEdit forum has a 2008 post on Blogger's flailing about with paragraph breaks, there's a companion thread in the Blogger developer forum. The developer group is only moderately interesting, it's been invaded by desperate end users seeking support. There is a "new developer relations engineer", perhaps because his predecessor was last seen drinking heavily in an Alaskan bar.

I wonder if there's a fundamental flaw in Atom Pub 1.0 that somehow led to Blogger's twisted implementation of the paragraph.

Sunday, October 24, 2010

Annals of irritating design: Apple's auto-linking of iPhone contacts

When a computer / smartphone syncs to multiple address services, you will end up with multiple entries for some people.

It's easy to imagine clever ways to address this problem (though most are probably patented -- even though they are trivial to reinvent). That's not what Apple did.

Instead Apple "links" (merges when viewed in iPhone) based on matching first and last names. That's a formula for high error rates if you have a large number of contacts. (Though I admit it probably works for most people who have smaller number of Contacts.)

This rule is "sensitive" (will favor merges) but not "specific" (high number of false positives).

I ran into it today, and I deleted information before I realized what was going on.

Now you're warned. If you see a screwy looking contact in the Contacts.app, first look for the "unlink" button. It will appear when iOS has done its automated "merging". Click it before you start deleting apparently nonsensical information.

Saturday, October 23, 2010

iPhone HDR - why there are two pictures (and Apple's updated user guide)

I tried using the iPhone 4 HDR feature, but I couldn't understand why I got two pictures.

I expected one image made up of the merger of two images with different exposure levels.

Apple's web site explains ...
 Apple - iPhone 4 - About the 5-megapixel camera with LED flash
... After selecting HDR, just point iPhone 4 at your subject and shoot. iPhone 4 automatically captures three photos of the scene — each with different exposure levels. Then iPhone 4 layers the shots together to create a single photo that combines the best elements of each shot and more accurately represents the wide range of light in the scene. Both the regular shot and the HDR photo appear in the Camera Roll.
I assume the first picture is the standard exposure, the high and low are discarded, and the second is the merged image.

It would be "nice" to have some more documentation. There's nothing in my iOS4 user guide about HDR. However, it turns out, the Apple website has a different iOS4 user guide. It reads on page 121:
On iPhone 4, you can turn on HDR to take HDR (high dynamic range) photos. HDR blends the best parts of three separate exposures into a single photo. For best results, iPhone and the subject should be stationary.
Turn HDR on or off: Tap the HDR button at the top of the screen. The button indicates whether HDR is on or off. (HDR is off by default.)
Note: When HDR is on, the flash is turned off. With HDR, you can save both the normal-exposure version and the HDR version of a photo in the Camera Roll, or save just the HDR version. By default, both are saved.
Choose whether to save both the normal-exposure version and the HDR version of photos: In Settings, choose Photos, then turn Keep Normal Photo on or off. If the setting is turned off, only the HDR version of a photo is saved.
If you save both versions, [HDR icon] appears in the upper-left corner of the HDR photo when you view the photos in Camera Roll (if the controls are visible).
My June 23, 2010 iO4 user guide is 18MB and 243 pages, the one I just downloaded is 19.7 MB and 258 pages. The part numbers on the last pages are different

  • original: 019-1838/2010-06-22
  • latest: 019-1891/2010-09
So Apple updated the manual in September. The update included a new HDR section.

I wonder if I'm the only person who's ever noticed this.

Friday, October 22, 2010

Small discoveries in tech

Fragments of things ...
  • Some corporations have stopped paying for remote employee business phones. Employees are signing up for Google Voice. They get much better service for "free", and they now own their business number. When they leave they take it with them. These corporations are outsourcing a business function to Google. There will be unintended consequences.
  • In 10.6 QuickTime Player will trim video fragments. This is old news, but new to me. I hadn't noticed. It's a big help. Now I can take the 300MB videos Emily and the kids make and trim them in seconds to a fragment I can file in iPhoto. This is the kind of high speed video editing I can manage. AVI inputs are saved as QuickTime movie. One bug -- no date/time metadata! I need a utility that will change the file creation and modification time stamps to match the true video acquisition date. Metadata standards for video are a mess.
  • Yesterday I wanted to conference in a remote speaker to a lecture. In under 10 minutes I plugged external speakers into a WiFi connected laptop and called his cell from Gmail's Talk/Phone capability. He gave the 10 minute presentation from his airplane seat. Everyone could hear him easily. It was all a bit supernatural.
  • The latest version of iTunes does quite a good job simultaneously synchronizing multiple iOS devices. That's an improvement. It still has some problems when users accounts switch however.
  • Google Voice quality to Canada nose dived a few weeks ago, but is very good now. The improvement corresponded with switching from using the dial-up method to establishing a connection using GV Mobile+ on my iPhone. Could be coincidence, but the call setup is different. This service has saved me about $2,500 -- and cost AT&T that much. I'm now seeing non-geeks using Google Voice. I wonder when this will impact AT&T.
  • Apple killed the 5.25" floppy, the 3.25" diskette, the serial and parallel cable, and the CD (data and music). Now Apple is killing the DVD and the hard drive. I wonder if they're going to try to kill the unborn USB 3. Ruthless.
  • The power, value, and significance of Apple's FairPlay DRM is grossly underestimated. In technology as in politics some of the most important discussions are completely invisible. In my 50s I am more intrigued by what is not said than what is said.
  • Blogger's rich text editor paragraph/line spacing problems are getting worse, but maybe that's a sign of progress. At this point I'll take any straw.
  • FaceTime for OS X is a big deal. The big fight now is whether a future carrier will allow it over a 4G network (WiFi only now). Sprint?
  • Microsoft, Dell and HP are walking dead. That's shocking. Is Intel next?
  • The MacBook Air 11", iPad, iPhone and iPod Touch all provide overlapping value. The iOS devices have much better Exchange/ActiveSync synchronization services, the Air runs other software I prefer. I have an iPhone and I'm a geek, so the Air is under serious consideration.
  • OS X management of mounted drives on a WiFi network sucks.
  • First family trip with each kid one iPhone equivalent. I don't like it -- much better to have the kids watch one DVD. More on this in another post I think.

Wednesday, October 20, 2010

FaceTime for Mac - just about perfect

The artistic sociopath alternates cruel sadism with lovely gifts.

That's Apple.

The gift this time is FaceTime for Mac. It's just about perfect. Best of all, unlike the long dead iChat app it replaces, it's not tied to an OS release - it works for 10.6 and beyond. I dare to hope Apple is decoupling app functionality from OS release, but that's because I've got Stockholm Syndrome.

Seriously, OS coupling made iChat worthless. If Apple doesn't want to repeat that mistake, they have to maintain FaceTime outside of OS cycles.

On the other hand, there's not that much to maintain. It's pretty good as is. I'd like to see bigger buttons, but it's the kind of simple UI an elderly person with good vision can work with. (Apple is paying attention to demographics.)

During initial setup you can use your MobileMe account [1] or start a new apple account. You then associate it with ANY email address you own. After initial setup you can assign multiple addresses; they're simply unique identifiers that Apple assigns to your Facetime account identifier. You can choose one of these to be your callback email.

I love that "that you can also start a call from Mac OS X via URLs like facetime://appleid or facetime://email@address or facetime://phone#".

I tried this by embedding this protocol into a Google sites page. !It worked!

This means I can create a web page for my mother with a large clickable link target. That's far more useable for her than Google Video Chat or OS X iChat.

That's cool.

[1] Please do not make my MobileMe renewal mistake!

How to replace a $150 MobileMe family renewal with an $83 MobileMe renewal

A new Mobileme Family Pack costs $83 on Amazon.com. I thought my renewal through Apple would cost $99. Wrong, it cost $150; $99 for me and $50 for the family pack "extension".

That's wicked.

It turns out I could have renewed by buying the $83 family pack.

I'm going to see if I can get a refund. Don't make my mistake!

Update 10/20/10: I had a very satisfactory response through Apple's Express Lane. I have 45 days after payment to cancel for a full refund. If I then reactivate with a family pack key I get all the family accounts and data back -- Apple keeps it for a time (forever?).

So I'll order the renewal package from Amazon. When I have they key ready I'll cancel for the full refund, then immediately renew using the Amazon family pack key.

Update 10/28/10: This worked, with only a few surprises. Here's how to do it.

  1. Before you cancel, make sure you have every family members user name and password at hand.
  2. Cancel the account for a full refund (within 30 days).
  3. login again with the account owner un/pw. You get a note that the account has expired. Enter the MobileMe key you got from Amazon.
  4. You will see your account, but nothing about family members!
  5. Now add each family member back, one at at time. When the dialog comes up it will ask you if you want a new account or to migrate an existing account for a regular member. I chose the 2nd option. Enter the un/pw of the family member. It takes about 30 seconds for the accept button to appear if you've entered correctly. Errors get an immediate response.
As best as I can tell no data was lost. I could see all the synchronized contacts I expected to see.

iPhoto 11 and Aperture 3 - more bad news

Somewhere on the boring, insipid, new iPhoto 11 page is a link to an iPhoto to Aperture page with gems like ...
... While iPhoto is designed to work with one library at a time, Aperture lets you set up as many libraries as you want and switch between them instantly. And you can export a project — and all the related photos — as a new library. That makes it easy to do things like take a slideshow from your work computer to your home computer to finish it. Since the slideshow is a separate file, you can work with it directly — no need to import it into one of your home libraries. When you bring it back to your work computer, all the edits you made sync automatically...
I gave up two years ago on multi-library support in iPhoto, support that would let me edit my photos while I travel and then merge them into my home library. The iPhoto 11 non-event, this conversion page, and Apple's $50 price point for iLife should crush anyone's residual hope for a better version of iPhoto.

So why am I not happy to buy Aperture 3? I have Aperture 2. The upgrade price is reasonable.

Because (shocking!!) .... Apple lies.

The iPhoto to Aperture 3 conversion is not seamless. Large amounts of metadata, such as album and event comments, image tags, and book definitions and the like are lost. Apple doesn't tell you this. That's because Apple is made up of Satan-worshiping sadists...

Sunday, October 17, 2010

Suspicious Safari crashes - is it 1Password?

Safari 5.0.2 is being unusually crashy lately...
Date/Time: 2010-10-17 07:49:57.755 -0500
OS Version: Mac OS X 10.6.4 (10F569)
Report Version: 6

Interval Since Last Report: 239013 sec
Crashes Since Last Report: 40
Per-App Interval Since Last Report: 527842 sec
Per-App Crashes Since Last Report: 2
Anonymous UUID: 91CBE8C3-5174-44E4-89DA-EDE076DCAA1E

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000079
I don't run any extensions, but I do have 1Password installed and I have the proprietary Fujitsu ScanSnap Manager driver on my system.

Based on this report I'm suspicious of 1Password. I'll try the enable/disable Safari support trick mentioned there.  I use 1Password, but grudgingly. I don't like hacky extensions, it really needs to use the official (but new) Safari extension framework.

Of course it could always be #$!@$@!$ Flash.

Saturday, October 16, 2010

Troubleshooting an OS X iOS device recognition problem

There's a bug in OS X 10.6 ("or later") that can make an iOS device unrecognizable: http://support.apple.com/kb/TS3540.

I'm sure a fix is coming. The tech note is worth tracking though because of the sequenced steps in the recommended fix. It's basically a full iTunes uninstall ...
  1. delete com.apple.usbmuxd.plist~orig
  2. delete iTunes
  3. delete AppleMobileDevice.kext
  4. delete MobileDevice.framework
  5. reinstall iTUnes
Might come in handy for future obscure sync related bugs.

Thursday, October 14, 2010

Downloading a shared Picasa web album in OS X

Despite Google's data freedom record, they've done a mediocre job freeing Picasa web albums. I know of only two ways to download an entire album.

You can use the Picasa Web Albums uploader tool to download albums that you own. I think this tool works with non-Intel machines.

If you have an Intel machine you can use Picasa for OS X to download albums you own - and, more importantly, shared albums from other people.

I've done the latter. It works - but it's a pain. Read the documentation: Downloading Albums and Photos. Here are a few additional notes to help out:
  1. When you install Picasa it starts indexing your drive. Go to Tools:Folder Manager and mark every folder as exempt. It will stop indexing.
  2. Don't bother looking for the option to download from an album URL. It's not there. Yes, this is very weird.
  3. Go to the shared album and look for the 'Download' menu item. Click on it. You may see that 'Download to Picasa' is unavailable -- grayed out. That's because you need to quit Safari and restart after Picasa is installed (and perhaps running). Now you should be able to see this option. Click it.
Picasa stored my images in Pictures\Downloaded Albums. I dumped them from their into iPhoto then deleted them.

MobileMe vs. Google Calendars

MobileMe Calendar now supports public read-only sharing using the webcal (.ics) format. There's no public display as an HTML page.

MobileMe users can be invited to view and edit a calendar.

There is no support for subscribing to a non-MobileMe calendar. There is a mechanism for importing from Outlook or (bizarrely) iCal. It's not documented, but I believe Outlook import requires installing some Apple software (iTunes?) and I am pretty sure it won't work with an Exchange based calendar.

It seems users can't share on both MobileMe and publicly! If you make a calendar public you lose the miniscule sharing icon to the right of the calendar name. Weird.

There's some iCal integration, but, judging from a flurry of tech notes, there are lots of bugs. I suspect Apple wants pre-10.7 users to use the web UI and forget iCal. I assume MobileMe Calendar has good iOS calendar integration, but there's no iOS support for editing calendar-associated tasks.

Overall, I'd give Apple a C+ for this effort. If they were to add subscription they'd graduate to B-. The significant advantage over Google Calendars is simplicity and, of course, a far more pleasant UI. The disadvantages are substantial -- no subscription, no web publication, no embedding, etc etc.

Update 10/16: See comments for additional drawbacks. There have also been recent posts from vendors that used to be able to synchronize transactions with MobileMe calendars -- Apple has removed functionality they relied on ...

  • Daylite: ... In the process of moving to the new calendar, Apple migrates your existing calendar and deletes the old calendar. In the process of deleting the old calendar, sync services propagates the delete to all sync services clients. Daylite obeys these delete commands (as it should) and moves your calendar data to the trash (lucky we have a trash).

    We've communicated with Apple during the MobileMe Calendar beta and we are looking into possible solutions.
  • Spanning Sync and the New MobileMe Calendars (Spanning Sync Blog): ... Spanning Sync can sync the new MobileMe calendars to Google, but changes made in Google won't show up on your MobileMe calendars. Unfortunately, Apple specifically disallows syncing of the new calendar format (called CalDAV) using its Sync Services architecture, which Spanning Sync is based on. Spanning Sync can read from MobileMe calendars so "one-way sync" is possible, but making changes to them is currently impossible... we're hopeful that Google will enhance Google Calendar so that it can sync directly with MobileMe without any intervening software. Google is tracking the request for this feature here ...
I imagine Daylite couldn't warn customers due to their beta agreement, but since Apple ignored their concerns their customers have been screwed. Spanning Sync suggests customers revert to the old format.

Apple is not a "nice" partner or vendor, but we already knew that. They are not the best of all worlds, only the best of our world.

I grumpily added my bit to the Google feature request list, though, in truth, I don't use MobileMe because I know Apple won't deliver what I need. I'm not their customer.

The only upside to this story is that MobileMe is using CalDAV, so there's a potential for a better future. I bet OS X desktop support will require 10.7 though, and that OS won't be safe for my use until early 2012.

There's been rumor of a rapprochement between Google and Apple. I hope that's true, because for geeks like me the best solution is combine the best bits of Google with the best bits of Apple (not including MobileMe).

Wednesday, October 13, 2010

Google's flawed security checklist -- and the right fix from Facebook

I've not seen any official Google admission that account hacking is out of control, but I'm betting my experience is not atypical.

The good news is that Google is doing a (slow) roll-out of two factor authentication; texting a texted pass-token. The bad news is that Google's recent security checklist recommends ...
5. "Use a secure connection to sign in. In your Gmail settings, select 'Always use HTTPS.' This setting protects your information from being stolen when you're signing in to Gmail on a public wireless network, like at a cafe or hotel."
I hope it hurt to write that; I hope the author isn't completely numb to corporate evil. Clearly they knew they were dissembling, because they carefully wrote ... on a public wireless network. 

It is true, https blocks most wifi hacking - but that's not what geeks need to fear. Google doesn't tell us (but I do) that ...
  1. The primary threat from untrusted machines is not wifi interception, it's keystroke logging.
  2. Any machine running XP, including a corporate machine running current antiviral software, is an untrusted machine.
It's obvious why Google is waffling, which is why they've bumped their evil score. (BTW, they do warn against browser plugins that request Google credentials. That's interesting.)

Ironically, Facebook is seriously evil, but this time they're being the good guy. Maybe that's because keystroke loggers are very common on the XP machines of Facebook's heaviest users. Whatever the reason, Facebook is rolling out a keystroke logger fix using a texted "temporary password" -- ahead of Google.

Facebook has the right fix now and Google has an inferior solution that's weeks away. Facebook is frank about their keystroke logger problem, Google dissembles. 

Mirror  world!

Sunday, October 03, 2010

Real world numbers: 802.11n 2.4GHz MUCH better than 5GHz

We've been all wireless at home for a while. It's worked better than I'd expected, but I think we have a particularly noisy microwave (too bad ConsumerReports doesn't rate microwave emissions). We also have 5.8GHz phones, though from what I read that's plenty of separation from 5GHz 801.11n.

I've been tweaking our AirPort Extreme location within the usual constraints of phone jack and outlet. The latest location seems pretty decent (corner of our bedroom closet), but I wanted to see how signal/noise "ratio" varied between 802.11n 5GHz, 802.11n 2.4GHz (Apple default) and 802.11n 2.4GHz plus microwave (5GHz is supposed to be out of microwave range).

The result surprised me. First, this discussion thread has some useful references ...
SNR is the signal level (in dBm) minus the noise level (in dBm). For example, a signal level of -53dBm measured near an access point and typical noise level of -90dBm yields a SNR of 37dB, a healthy value for wireless LANs...

SNR Guideline
o 40dB+ SNR = Excellent signal
o 25dB to 40dB SNR = Very good signal
o 15dB to 25dB SNR = Low signal
o 10dB to 15dB SNR = Very low signal
o 5dB to 10dB SNR = No signal...
My inital SNR results across the clients were
  • iMac 5i 802.11n 5GHz: 26
  • iMac G5 802.11g: 30
  • Macbook 802.11n 2.4GHz: 41
  • AirportExpress 802.11n 5GHz: 7
  • Nintendo Wii 802.11g: 40
Not bad, though it's surprising who good the Wii results are. It's in the basement. Oh, right -  the Airport Express results sucked. Even the 5i results weren't great.

So I switched the iMac 5i and the AirportExpress to 801.11n 2.4 GHz. The results were much better: 
  • iMac 5i 802.11n 5GHz: 36
  • iMac G5 802.11g: 30
  • Macbook 802.11n 2.4GHz: 41
  • AirportExpress 802.11n 2.4GHz: 40 (later tests weren't this good however, transcription error?)
  • Nintendo Wii 802.11g: 40
I turned on the microwave and the Airport Express dropped to 20, the iMac to 32 -- but even with the microwave on the 2.4GHz SNR was much, much better than the 5GHz SNR.

With the microwave off it's truly no contest. The 2.4 GHz frequency gives vastly better results in our home than the 5GHz frequency.

Obviously, your results will vary. I think I can see, however, why Apple makes 5GHz a non-obvious option on the Airport Extreme.

[1] AirPort Utility - Advanced:Wireless clients to get S/N by Mac address, DHCP clients to get machine name.
[2] Didn't used to work, but does with my latest base station location.