Wednesday, June 22, 2011

OmniDiskSweeper finds 247GB in my OS X Volumes directory (Aka: Disappearing drive space)

OmniDiskSweeper is a free utility from the superb OMNI group. I run it periodically. Today it showed me:

  • 1Password is storing 177MB of 1Password backups in Library\Application Support.
  • All my iPod and iOS backups come to 2.1 GB. That's a lot, but not bad for five iPhones and a few iPods (who uses iPods any more?)
  • iPhone software adds up to 1.6 GB (3.1, 2.1, 1.2, 1.1)
  • Caches runs 1.7 GB
  • ITunes Library has swollen to 70GB, mostly due to movies
  • Pictures (Aperture, iPhoto) runs to 80 GB
  • I had 500MB of tunes in Music\Amazon MP3 that were also in iTunes. Not sure how that happened, but obviously I don't need both.
  • I had FileMaker Pro 8 (!) installed once in my Applications folder and once in shared applications
  • Volumes, a "hidden" root unix directory, had 247GB in it. [1]

I freed up a GB or so in minor cleanup, but then I had to decide what to do with Volumes. I'm used to Volumes holding Unix aliases, not folders.

Volumes held two folders named after my Time Capsule backups. One held 227 GB, the other a mere 41GB. They were both created within one day of one another in Jan 2011. The smaller one is a copy of a portion of my drive, the bigger one was the entire drive.

Google couldn't explain these findings, but I found this one reference that sounded interesting ...

Another tip is to look in your /Volumes directory. I once found 100's of megabytes there. It seemed to be a mirror of what had been on a firewire drive that had been unplugged before ejecting. Some program had tried to write to '/Volumes/FireWire/data/'. However since the firewire drive had been removed suddenly, it just created a directory called FireWire/data and wrote it there...

Except I didn't find 100s of MBs, I found 100s of GBs. I am pretty sure Time Machine put them there, and I wonder if it had to do with Time Capsule being offline.

After due consideration I deleted these 600,000+ files. I do, after all, have redundant offsite backups in addition to Time Machine.

[1] You can view it in Terminal, but it's easiest to use the Finder's "Go to Folder" feature and just enter "Volumes".

See also:

Update 6/25/11: Through an Apple Support Group discussions I learned that this isn't terribly rare, and that it's particularly seen with disk cloning software -- probably because of the volume of data they manage. It smells like a deep OS bug -- the OS loses the connection to the "virtual" target in /Volumes and starts writing to the local disk. I wonder if this is more common in 10.6. I am surprised I didn't find more about this on Google, perhaps this post will help. Through the discussion thread I learned of these posts ...

  • Tiger Problems - Disappearing file space: Francine Schwieder wrote this several years ago, but I believe it's all still true. Suggests this is not a new OS X problem.
  • TidBITS Adam Engst: Dealing with Doppelganger Folders in /Volumes: Adam wrote this in 2008. He ran into trouble when using Crashplan ... 
    ... Needless to say, applications should notice the disappearance of a disk, and Matthew Dornquast of Code42 Software said that they had spent nearly 100 hours trying to prevent CrashPlan from writing to a folder in /Volumes if the disk disappeared. However, I received reports of a wide variety of applications suffering from this problem, including the BitTorrent client Azureus, the Perforce version control system, Apple's Xcode development environment, and Mac OS X itself...

    ... More generally, this is an architectural problem in Mac OS X that Apple needs to fix. Although applications bear some responsibility for creating folders in /Volumes when they shouldn't, the operating system should protect itself from such an obvious misuse. Unfortunately, a vast amount of code, both from Apple and other developers, assumes that /Volumes is writable, which means that fixing the problem would require lots of other changes, and Apple hasn't had the fortitude to force such an unpalatable solution on developers....
  • Apple Tips Where did my Disk Space go?: James Pond on multiple causes of disk space loss, including the /Volumes bug.

I've suggested that Onyx add a check for these files in its cleanup process.


Saturday, June 18, 2011

G5 iMac Blue Screen on logout and startup - and a review of G5 debugging

[See the update. I don't think it's safe to use a 10.5.8 machine with AirPort Wifi and Epson HL-2140 printer drivers as a print server.]

Back in the days of Quarterdeck Extended Memory Manager and DOS Carousel/DesqView/Sidekick debugging was simple. Our one machine crashed many times an hour, and there were only a few things to relentless tweak in the hopes of getting a bit of work done. Hardware problems were extremely rare; my original Panasonic 8086 was vastly overengineered [1].

Despite vastly more security threats, life for a modern Mac household is much improved. We currently run 3 OS X machines (two 10.6, one 10.5) and five iPhones for five users. My life as network admin is mostly focused on porn control (which is a lot like fighting with QEMM really).

Software has come a very long way. Hardware is less robust than it once was, but Apple gear isn't as bad as it could be. Overall we're ahead.

When problems hit though, they can be really tough. This is the story of one of those problems. Like my Troubleshooting MacBook wake from sleep problems of 12/2010 I think I've got it under control, but I'll probably never know the precise cause. I think that's because, barring obvious hardware failure [2] and malware infection [3] most modern tech problems are multifactorial. Multiple software bugs interact with occasionally flaky hardware to produce bad outcomes; curing the problem often means fixing several contributors and thus reducing, but not eliminating, crashes.

In other words, modern computer reliability has quite a bit in common with murder rates in Manhattan and diseases in humans [4]. Chaotic and multifactorial causes and fixes.

Today's example involves our old G5 iMac, (introduced 2004, got mine @2005). These were among the last G5 machines Apple made, and like all the G5 line they were plagued by heat problems. And more heat problems. Heavens, but the G5 chip sucked. [5]

This machine has been pretty stable, though noisy, but yesterday it hung on the login screen. I did the usual first OS X troubleshooting step -- I did a power-cycle restart holding the shift key. This forces cache cleanup and a directory structure integrity check. That seemed to work, but soon I was seeing blue screen on logout, particularly with my son's parental control managed account -- and blue screens on login -- just before I'd expect to see the user select screen on this multi-user machine.

There was no obvious software explanation, so in today's world the next step is to test hardware. I booted the (Mac Classic OS!) hardware test disk for the G5 and ran it in loop mode. Surprisingly the machine passed. This would have been a good time to inspect the G5's notoriously shortlived capacitors, but in fact I only did that the next day. The capacitors were fine, and I vacuumed the machine [6].

At that point I could have started rooting around with Verbose login and Console looking for blue screen errors but this is an old machine with a lot of software cruft. Since the hardware looked good I did a 10.5 archive and install [7] and let it run overnight.

This morning it booted up nicely -- right into a foul 10.5.1 bug with Admin account passwords [8]. I was amazed, I never thought to see that one again. After I did the tortuous unix command line fix [9] password reset I updated to 10.5.8 and rebooted into a clean Admin account that logged out to a blue screen. About then I realized the problem hadn't gone away and I had to do real troubleshooting.

I'll skip the tedious details. Instead I'll enumerate what I think the contributing factors were, then I'll describe what worked.

My best guess is that it was not malware related, but involved several of these items;

  • An AirPort network problem. I could see the iMac was showing up on the network with different network machine names, such as BigMac, BigMac-2 and so on. It eventually got up to BigMac-4. I suspect a hardware problem with our Time Capsule/AirPort Extreme router. [10]
  • A software issue with OS X 10.5 Location - there were some odd behaviors when I tried changing Location settings. Maybe a corrupted preference file.
  • An Epson printer driver issue interacting with WiFi shared printer access. The drivers on this machine are a few years old and they didn't come from Apple (in 10.6 they do). I found some curious print jobs dangling in the printer queues on different accounts as I cleaned up accounts.
  • Something funny with Parental Controls. Several controlled accounts had password failures, even after the Archive/Install. However resetting the account passwords to the original password still matched the login keychain password.
  • Spotlight and turning off Spotlight indexing of a network mounted Time Capsule backup drive.
  • Network shares connecting on startup
  • Time Machine backup to a Time Capsule external drive's disk images.
  • Flash - which is the source of all evil on a Mac
  • MacAlley external keyboard driver

This is what I did to get things working, beyond the archive and install (if I could have I would have switched to wired connections to our router):

  • I removed all Locations except Automatic (I could have also simply deleted the appropriate preference file)
  • I created a new Location and set it to fixed IP address rather than request via DHCP (so no hang if there's an IP request issue)
  • Turned off Time Machine
  • Turned off Spotlight (drag and drop the internal drive icon to the Privacy list)
  • Installed the Click to Flash Safari extension to reduce Flash activity when my son is using the machine (ads mostly)
  • Reinstalled printer drivers but didn't reinstall the MacAlley external kb drivers. It works without them.
  • Created a new Admin account and trashed the one that hit the 10.5.1 bug. Incidentally, the best practice for admin accounts is to use a 6 letter Sentence case string. Then the short name will be a lower case version of the long name and you can use either when typing.
  • Reviewed and refreshed all the parental controls.
  • Removed all login items, esp. network drive mounts, from all accounts.
  • Restored the original Apple kb instead of the MacAlley I was using (eliminates 1 driver, I did this after things were working but it's a good stabilizing move)

It's now working. I wouldn't be surprised if there is a hardware problem in the G5 and the problem returns, but it is clearly much improved. I think any hardware problem is more likely in the Time Capsule.

With Click To Flash, Spotlight disabled, and no Time Capsule backup this machine is quieter than it's ever been. I'll wait a while before I reenable backup [11] and I think Spotlight is a goner (love it on 10.6 though).

If I had to put my money on a single fix, I would wonder about the fixed IP and perhaps redoing Location settings (removing would have been better).

Update: I can't say it's cured, but it's clearly far better. No more blue screen today. The only device driver I've installed is for the printer, there's no native support in 10.5. It's also astoundingly quiet. It hasn't been this quiet in memory, the fans barely run. Coincidentally I just now came across mention of Tiger (10.4) kernel panics with newer AirPort base stations. I wonder if there's a relationship ...

Update 6/18: It came back. I was stunned. I can't imagine hardware errors behaving this way. My son had used the computer, but we monitor him closely. All he'd done was print ...

and print ...

and ....

He likes to print. We hardly ever print. Sometimes he was printing from a 10.6 laptop.

The only driver I'd installed yesterday was the Epson 10.5 printer drivers. They're older of course, and the OS has been patched since they were current.

I tried several things, but this, dramatically, worked when multiple other things (PRAM reset, SMU reset, hold shift to start in safe mode, etc) didn't. I swear this was an occult geek ninja move.

  1. Startup in single user mode (cmd-S on startup)
  2. Run the command that allows me to modify the file system (you see it on startup prompt)
  3. Navigate to where OS X stores the CUPS printer spool (I knew the driver was CUPS): ~\var\spool\cups\cache (to use the unix cd command to navigate here while in single user mode, you have to do sudo -s first to get a root shell).
  4. Delete all the files - rm *
  5. exit

The machine started up normally. I then turned off print sharing and deleted the Epson printer driver.


Update 6/27: I reinstalled print drivers but made a 10.6 machine my print server. No further problems. I posted on this to Apple Discussions ... Leopard login blue screen fixed by...: Apple Support Communities

- fn -

[1] After years of use, during a marathon debugging session managing DOS interrupt conflicts, I pulled a board with the machine running. It shorted out only half the bus, the machine continued to work for years. Panasonic must have lost money on each of these monsters. They left the market when the US Congress, rightly fearing the disemboweling of the US computer industry by superior competitors, used plausible threats of protectionist intervention to save the US hardware and software industry from Japanese competitors. Nobody remembers this.
[2] Hardware failure can be very hard to spot. I had a series of issues with my 27" iMac that were vexing, but not bad enough to really investigate. Finally my Kensington USB hub got flaky enough to be replaced. With the new hub the seemingly unrelated system issues vanished. Wireless routers are famous for failing in flaky and hard to diagnose ways.
[3] Not yet a real issue for our Macs, but it's clearly coming. I suspect that's why Apple is delaying their hot new MacBook Air so it ships with Lion. They want to move us to signed code platforms within the year, so they need to kill 10.6.
[4] How many physicians think humans get only one viral infection at a time? I've believed for years that a lot of "viral syndromes" are the result of multiple simultaneous viral infections. I bet that meme makes it the med schools in my lifetime.
[5] Remember the liquid cooled G5 towers? Apple was desperate. Miracle they survived the Intel transition. That's when we learned how good Apple was.
[6] I used to blow dust out with compressed air. That was fun! Then I killed a Mac Mini optical drive in a dust cloud. Now I carefully vacuum using a mini-shop vac. The machine looks archaic now -- huge capacitors, everything enormous. Especially compared to working on the Mini, much less an old iPhone.
[7] No longer available in 10.6, which I think does the equivalent on every install.
[8] In the old days you could trade up from the equivalent of 10.5.1 to 10.5.6 at Apple stores. No more. Disappointing.
[9] Yes, password reset is easy to do on any account. You can also just mount drives in firewire target disk mode. Passwords exist for other reasons, not to secure the drive. For physical security you need encrypted images.
[10] The generation I have are notorious for power supply failures with extended flakiness prior to total collapse.
[11] There's very little data stored on this machine. It may not be worth backing up.

See also:

A series of mostly 2004 and 2005 posts about the heat and fan problems that plagued iMac G5 buyers, though the rev 2 machine I bought had fewer of the capacitor and firewire and fan issues. These posts predate Twitter and Google Reader Share, back then my posts were more tweetish.

Friday, June 17, 2011

PDF services and Send to iPhoto - an album of JPEGs

I recently enjoyed this 2010 article on using OS X PDF services to send websites and docs to iBooks (Mac OS X Hints). All Mac geeks should give it a read, and the excellent comments as well.

Reading the hint made me take another look at the options on the handy PDF menu found at the bottom left of every print dialog. The list includes Save PDF to iPhoto, which is a bit odd since iPhoto won't import PDFs. (I have a memory that it once did, but Google disagrees). If you drop a PDF into iPhoto, you get a not supported dialog.

So I gave it a try. The results are interesting - iPhoto gets a JPEG for every page of the PDF. It's even documented ..

Mac OS X: About the Send PDF to iPhoto feature

... This feature uses an Automator workflow to create a PDF printout, and then convert that PDF to a JPEG. The JPEG is then sent to iPhoto. This workflow is installed by Mac OS X and is stored in /Library/PDF Services/...

It's an obscure but handy feature. Alas, Automator never lived up to its 10.4 promises, it's languished ever since, despite the best efforts of Nyhthawk Production's curious site ... Mac OS X Automation (curious because it's not an Apple site, but Automator links to it).

Connecting devices to WPA Airport Extreme base station without authentication - including guests

This isn't new, but it's new to me. I ran across it in my Airport Extreme menu
AirPort Utility 5.1 Help: Adding a wireless client to your 802.11n network
... If your base station supports it, and your network is password-protected using WPA Personal or WPA/WPA2 Personal, you can provide wireless clients access to your network without requiring them to enter the network password...
... Choose Add Wireless Clients from the Base Station menu...
This is different from the "guest network" base station configuration. The most obvious use is for visitors, but I assume it can be used for WPA devices that don't support password entry (do such exist?).

It works by creating a hole in network security -- a device is allowed on the network based on its MAC address without a password. This is spoofable of course, but I imagine you'd have to know the magic MAC address. Based on the article title it's 802.11n only.

Access can be limited to 24 hours, which makes sense for most uses. Easiest configuration is first device to try gets the privilege. If you don't use the 24 hour limit access is forever, unless you edit the Airport Access Control list.

Sunday, June 12, 2011

Spotlight will index your Time Machine backup disk

I caught my MacBook's fan noise, so i looked to see what was sucking CPU.

It wasn't, surprisingly, Flash. The MacBook was trying to index the backup drive attached to my Time Capsule upstairs, even as it did its routine Time Machine backup to the remote image.

I'd seen that on other machines, so I knew the fix. I added the remote mounted backup drive to my Spotlight Preferences Privacy tab. The fan spun down a few minutes later.

It's a surprising behavior. Does Spotlight also try to index a TM backup on a physically attached drive? Obviously this kind of indexing is pointless, just a waste of bandwidth, storage, CPU and power. I'm surprised it's not been fixed.

Update 6/22/11: There are odd consequences with doing this, esp. in 10.5. This 2008 discussion is interesting -- TUAW Tip: exclude your Time Machine disk from Spotlight indexing and 10.5: Spotlight and the Time Machine disk - Mac OS X Hints

OS X Parental Controls Review - State of the art in OS X 10.5 and 10.6

Apple has recently updated their OS X Parental Controls documentation for 10.5 and 10.6. It will be interesting to see if they improve Parental Controls with 10.7(Lion).

The only good thing I can say about the current generation of OS X Parental Controls is that they're an improvement on the non-existent Parental Controls in iOS.

Below is a summary of the current controls documentation, followed by notes of my own. I appreciate the irony that, as the father of a vulnerable child, I share the same agenda as China's totalitarian Party (emphases mine) ...

Mac OS X v10.5, 10.6: About the Parental Controls Internet content filter

The Internet content filter can operate in three modes: unrestricted, automatic, and whitelist.

When "Allow unrestricted access to websites" is selected, the Internet content filter logs websites that the account visits but does not restrict Web browsing. Visited websites are still logged and can be examined in the Logs tab of Parental Controls preferences.

When "Try to limit access to adult websites automatically" is selected, the Internet content filter does its best to block websites with inappropriate content. To do this, the Internet content filter uses the same technology that the Mail application uses to identify "junk" mail. The Internet content filter can identify, with a high degree of accuracy [!], whether a Web page is safe or not by examining various properties of the website including text and structure.

Additionally, the Internet content filter will block a website if the website identifies itself as adult-oriented using RTA ( or SafeSurf ( rating systems, as well as forcing "safe" searches with some search engines.

In this mode, the Internet content filter logs all visited and blocked websites, and flags them as such in the Logs tab of Parental Controls preferences.

In certain situations, the automatic Internet content filter may mistakenly block a safe website or allow an adult-oriented website. For example, if the website uses an uncommon language or if there is very little text on the page. These websites can be identified in the Log tab of the Parental Controls preference pane and added to the "Always Allow" or the "Never Allow" lists. These lists can also be accessed by clicking the Customize… button in the Content tab of Parental Controls preferences. Websites that are mistakenly blocked can also be allowed by clicking the "Allow…" button on the blocked web page and authenticating as an administrator user.

https note: For websites that use SSL encryption (the URL will usually begin with https), the Internet content filter is unable to examine the encrypted content of the page. For this reason, encrypted websites must be explicitly allowed using the Always Allow list. Encrypted websites that are not on the Always Allow list will be blocked by the automatic Internet content filter.

If "Allow access to only these websites" is selected in Parental Controls, the Internet content filter blocks any website which is not on the list. When the blocking web page is presented, a list of allowed websites is also shown. If using Safari, allowed websites are displayed as bookmarks in the bookmarks bar.

Note: For most websites, the Internet content filter considers the domain name and not the path. For example, if is added to the list, then will be allowed, as will

In whitelist mode, visited and blocked websites are flagged in the Logs tab of Parental Controls preferences and can be added or removed from the whitelist there.

The documentation is incomplete (I gave it a rating of "2"). Some additional notes and references:

  • Safari history cannot be deleted in the most restrictive mode and in that mode preference changes are limited as well. It can be deleted and preferences can be edited in other modes.
  • The documentation false claims about the accuracy of content blocking, and of course images cannot be managed (emphases mine).
  • A user account must be closed (user logged out) for content rule updates to be applied.
  • Because of the various measures Google takes to evade censorship by authoritarian governments their services are a poor match to Parental Controls. Bing is much more dictator friendly, so I block all Google services and allow Bing.
  • OS X Parental Controls settings and logs can be managed from a remote admin account (see references below).
  • It is most convenient to allow and block sites while reviewing the log file records.

It's easy to find problems with OS X Parental Controls, but I don't expect much improvement -- even with all the world's dictators on my side. For example ...

  1. There's no customer demand for improvements. I think most parents are quite unaware of what most adolescent males do on the web, and I think they prefer to remain unaware. This is not necessarily a bad solution for most adolescents and parents; not all children are equally vulnerable.
  2. Technologies for evading monitoring, ensuring security, and protecting privacy also block Parental Controls.
  3. Engineers without young children don't like Parental Controls, not least because of how the technologies can be misused. Working on Parental Controls is unlikely to be a career move at Apple.
  4. These are hard problems because of the way the Internet is structured, and because content providers are actively trying to evade Parental Controls either because they want to facilitate adult access or because they are seeking vulnerable people to exploit.

See also (mostly Gordon's Tech):

Update 6/15: Nothing illustrates Apple's disdain for Parental Controls better than this screenshot:

Screen shot 2011 06 15 at 8 25 16 PM

The log display can extend vertically, but not horizontally. It's fixed width. So you can't actually view the URLs. The poor engineer must have taken pity on his users however, if you let your mouse rest on a URL for a while a popup will show you the full text.

This is third rate work.

Wednesday, June 01, 2011

Mac Mind mapping software: Inspiration, OmniOutliner and MindNode

I've used several mind mapping tools over the past few years, including, most recently, MindManager for Windows. I like the tools well enough, but it's a niche market. The leading vendors like Mindjet and NovaMind typically charge $250-$400 for their products; that feels a bit much when Aperture sells for $80 on the Mac App store.

All of the commercial products use proprietary, closed data formats -- so there's a severe data lock problem with this domain. It's tough to switch vendors. Some, like NovaMind, have quite good import/export features -- but that doesn't change the fundamental data lock issue. Many of the products, including some respected freeware apps, are Java based. That's a big negative for a Mac user.

Which is why it's nice to see that Inspiration is back. It was never actually gone -- but they stopped marketing it for adult and business use (schools only). Visiting their web site today they seem to be taking another stab at a broader market. Inspiration isn't nearly as pretty as MindManager, and it doesn't have MM/Windows deep Office integration, but it's much less expensive. I'd give it a try (it used to import MORE 3.1 documents btw!), but the trial software registration form is ridiculous. I'll wait until they get a clue on that front.

Inspiration is nice, but what I really want is for the OmniGroup to deliver a mindmapping solution. They could extend OmniOutliner, OminGraffle, OmniFocus or do a new app -- but my preference would be to extend OmniOutliner. They'd do a beautiful job, and perhaps they'd consider opening up the file format.

Update: The ever reliable "Martin" mentions MindNode in a comment. I loved this part of their web site description:

No file format lock-in. MindNode and MindNode Pro support a variety of file formats. You can import and export FreeMind and OPML files (a file format used by many outlining applications) or export the mind map as PNG image, TIFF image, PDF, RTF or HTML document.

MindNodePro is sold on the App Store for $20 and by direct download. MindNode is quite limited by free. There's an iOS version that currently has its own file format, but the developer promises it will migrate to the MindNode format.

MindNode is a small OS X and iOS developer product ...

... MindNode and MindNode Pro are applications designed and developed by Markus Müller. Based in Vienna, Austria, Markus is an independent software developer whose focus lies on designing intuitive and useful software for the Mac and iPhone platform...

This on is my todo (Toodledo/ list to try.

Update 6/4/11: There's a free trial version of MindNode Pro - limited to 20 nodes. That's what I'm experimenting with. It's simple, but elegant. If you drag and drop a file to MindNode it creates a resizable icon shortcut (default size is too big). I like how it works. If you want to create documents, you create then externally and relate them using MindNode. For example, I could related a set of SimpleNote text notes. The documentation is unclear, but i can confirm node names are indexed by Spotlight.

See also: