Tuesday, February 26, 2013

Mountain Lion sharing and permissions: two things I didn't know

Didn't know, or forgot:

  • If you option click the permissions add icon, you can add permissions for System and the like but not Wheel.
  • The Groups defined in Contacts can be used to add permissions to sets of users. I think that's probably as old as OS X, but I forget it. It's odd because Apple seems otherwise to have forgotten Contact Groups exist. I wonder how it works ...

Saturday, February 23, 2013

Executing sudo as a non-admin user in macOS (OS X) and fixing "getcwd: cannot access parent directories" error

This is a weird one.

According to what I read online and in the Man pages, I should also be able to do something like this (where Fred is Admin account):
sudo -u Fred ls
That should ask for Fred's password then execute ls with Fred's privileges.

Except it doesn't. It runs against my non-admin account and fails. As though it were ignoring the -u flag. Instead I have to run
su Fred
to execute as Fred, then run sudo. [I think that su Fred sudo -u Fred ls should also work.]

I can't find anyone else who complains about this, so I assume I'm doing something wrong.
Note to test this you have to run from a non-admin account.

Update 8/23/2016: I can't get sudo to work at all in El Capitan for non-admin users. Says: "error retrieving current directory: getcwd: cannot access parent directories: Permission denied."

Update 5/27/2018: I finally tried this in a different non-admin account. It works in Sierra in other accounts. So it wasn't El Capitan that broke this, it was something I did to my 18yo user account.

This is what I would see:
John-Air:~ myaccontname $ su Kateva
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
bash-3.2$ ls
ls: .: Permission denied
I searched around SuperUser for a while and got some hints. I deleted every user account Bash preference I could find. That didn't do anything. I repaired MacOS Sierra permissions using Onyx.app -- but as with every other time I've repaired permissions that produced many changes but no results. (It doesn't act on user folders.)

Eventually I realized the most likely explanation was the simplest one -- I'd somehow messed up permissions on the default account for Bash. By experimenting on my "good" non-admin user account I realized Bash default directory is the User account. So I compared User Account permissions and found this:

The problem directory was readable by 'everyone' but not by 'staff'. You'd think that 'everyone' would work ... but read this and weep. macOS permissions are a disaster. Don't even think about ACLs. It's a sign of the end-times really.

I couldn't see how to restore Staff. In the old days there was a utility for this, but that's long gone. Somewhere I found this advice to restore staff:
sudo chown $UID:staff /path/to/folder/modified/
chmod 644 !$
I ran it and staff was restored. When I logged back into my user account I was told macOS had to do something to enable me to run Applications! I entered my admin credentials and was asked again ... and again ... then I gave up and logged out. I logged back in and things .... seemed ... fine.

Now su works as it should.
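
Why a directory that is readable by 'everyone' but not by 'staff' still locks out a member of staff comes down to how POSIX mode bits are evaluated: one class is chosen and the others are ignored. The shell example below is an addition, not part of the original post or the advice it quotes; the owner name john and the group lists are constructed, and macOS ACLs are not modelled.

```shell
#!/bin/sh
# Added example: models POSIX mode bits only (no ACLs, no root bypass).

# perm_class OWNER GROUP USER "USER_GROUPS"
# The kernel picks exactly one class, in order: owner, then group, then
# other. Once a class matches, the bits of later classes are never used.
perm_class() {
    pc_owner=$1 pc_group=$2 pc_user=$3
    if [ "$pc_user" = "$pc_owner" ]; then echo owner; return 0; fi
    for pc_g in $4; do
        if [ "$pc_g" = "$pc_group" ]; then echo group; return 0; fi
    done
    echo other
}

# class_bits MODE CLASS -> the three rwx characters of that class,
# taken from an ls-style mode string such as drwx---r-x
class_bits() {
    case $2 in
        owner) printf '%s\n' "$1" | cut -c2-4 ;;
        group) printf '%s\n' "$1" | cut -c5-7 ;;
        other) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# can_enter MODE OWNER GROUP USER "USER_GROUPS"
# Listing a directory needs r; entering it or resolving paths through it
# needs x (shown as x, s or t in the mode string).
can_enter() {
    ce_class=$(perm_class "$2" "$3" "$4" "$5")
    ce_bits=$(class_bits "$1" "$ce_class")
    case $ce_bits in
        r?[xst]) echo "yes ($ce_class: $ce_bits)" ;;
        *)       echo "no ($ce_class: $ce_bits)" ;;
    esac
}

# check_dir DIR USER: the same check against a real directory.
# Assumes owner and group names contain no spaces.
check_dir() {
    cd_line=$(ls -ld "$1") || return 1
    cd_mode=$(printf '%s\n' "$cd_line" | awk '{print $1}')
    cd_owner=$(printf '%s\n' "$cd_line" | awk '{print $3}')
    cd_group=$(printf '%s\n' "$cd_line" | awk '{print $4}')
    can_enter "$cd_mode" "$cd_owner" "$cd_group" "$2" "$(id -Gn "$2")"
}

# Constructed cases: john is a hypothetical home-directory owner, Kateva is
# the account the post switches to with su.
demo() {
    echo "staff member, staff has no access:  $(can_enter drwx---r-x john staff Kateva 'staff everyone')"
    echo "staff member, staff restored:       $(can_enter drwxr-xr-x john staff Kateva 'staff everyone')"
    echo "user outside staff, same bad dir:   $(can_enter drwx---r-x john staff guest 'nobody')"
    echo "owner, directory set to mode 644:   $(can_enter drw-r--r-- john staff john 'staff')"
}
demo
```

To compare a good and a bad account the way the post does, run check_dir on each home directory, for example check_dir /Users/someuser Kateva. The last demo case shows that a directory without the search (x) bit fails this check even for its owner.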

Facebook's parental monitor page - aka Activity Log

For the moment, until the next state mandated revision, Facebook has a Page I can use to track #1 son's Facebook activity with a URL of the form <https://www.facebook.com/first_name.last_name.2345/allactivity>. [3]

It's currently called the 'Activity Log', if you poke around you can currently find it under 'Privacy Shortcuts' (lock icon by user name in title bar) / "See More Settings" / "Privacy". Look under "Privacy Settings and Tools" for the wee link 'Use Activity Log' [6].

As far as I know it's not intended for this purpose [4]; it's designed for users to edit their visible timeline [1]. It does, however, list most of the account owner's activity, save pages visited. There's a long list of activities including Posts, tags, hidden posts, likes, comments, friends, games, following, and, most critically for this purpose, Search. [2]

So the Activity Log is a very valuable resource for a parent or guardian who wants to track their 13+ [4] child, either because this is an exceedingly good idea or because they are that kind of parent or both [5]. A parent might, for example, schedule a weekly review of the Activity Log...

 - fn -

[1] You can hide and delete posts and change post dates. It's also available for Pages and supports viewing scheduled posts.

[2] It doesn't, however, show pages visited by link. It is, incidentally, a nice summary of a fraction of the information Facebook uses to sell you.

[3] Activity Log came with timeline, but I was unaware of it until today. It's available on Facebook.app for iOS as well.

[4] But it may be designed for this purpose. Facebook wants to support accounts for children under 13 and this could be a part of any future support.

[5] If you can't figure out why this might be a good idea for some children and adults you have much to learn.

[6] Yes, that's mine - but if you can see it then I have a problem :-).


Legal Gmail for kids under and over 13 with Dreamhost Google Apps or Google Apps for Business

In the US, Google Account owners must be over 13, in the Netherlands it's 16 [1]. It's common to lie to get accounts for younger kids, but this can cause an account lockout and 30 day deletion. [2]

So how do kids under 13 get personal email? All services have similar rules.

The exception, of course, is Google Apps for Education. They provide Google services, including calendar and email for children of all ages. The trick is that this group is excluded from Google's predatory business model [3]; the services are paid for and the school district assumes liability.

Is there something similar that's available outside of Education?

Well, there are Google Apps for Business (and non-profits) of course. I was unable to find any age requirements for businesses that buy Google Apps for Business, nor any requirement that the business had to be, you know, a real business. Google isolates business data from its ads and data mining so I expect US laws on protection of children from being packaged and sold do not apply.

At $50/user a year though, Google Apps for Business is a bit dear for a family of 5 (though the phone support is no little thing).

Unfortunately Google Apps for Nonprofits is not an option; you really do have to be a legal nonprofit.

Six years ago our family grandfathered into Google Apps through the now-defunct free option, and those users have since acquired full range of Google Services [4]. Alas, that's not an option any longer.

I think the cheapest legal option is to sign up with a hosting service that provides Google Apps for your registered domain. I can personally recommend Dreamhost for this, based on my 6+ years of experience and the (unusual) fact that they handle Domain registration for their customers [5].

At approximately $100/year ($50 for first year or $97 for two years if you use my code [7]) Dreamhost's Google Apps service for a family of five is less than half the cost of Google Apps for Business -- albeit without phone support. On the other hand, Dreamhost also provides other web services including web hosting, Wordpress (ex. kateva.org/sh), web apps, etc [6].

There are other hosting services that provide Google Apps for potential family use, but Dreamhost is the one I know.

 - fn -

[1] YouTube has an 18+ requirement for some videos, and Google Wallet is 18+. I don't believe either one is practically enforceable on most devices; maybe on Android or Chromebook depending on parental controls.

[2] It is noteworthy that Google's requirements for reversing account lockout are much more robust than their account recovery options. This says something about the power of laws and what Google could do to manage identity if they were forced to. The effective workaround is that a parent authorizes a credit card transaction on their own account, thereby technically committing fraud and assuming liability. The liability assumption is what matters.

[3] It's not that Google is particularly evil, this outcome is an inevitable outcome of their business model. They can no more resist this outcome than a species can resist Natural Selection.

[4] Not G+ though. It was once 18+ and is now 13+ regardless of Google Apps.

[5] Most hosting services have another party handle domain registration, and many of those deliver poor service.

[6] Admittedly more of a specialized interest these days.

[7] Just enter KATEVA when asked for a registration code. I set it up so users get the maximal $50/97 discount; I get a kickback but I set my kickback to maximize the user discount. Dreamhost supports Google's multifactor authentication framework, so I authenticate using Authenticator.app on my iPhone.

Friday, February 22, 2013

What I learned from MacWorld's short Aperture tutorial

I got this ref from Clark, one of my favorite tech bloggers. MacWorld's 7-step edit in Aperture 3.4 is the best short Aperture tutorial I've seen.

The article is by Derrick Story; I used to read him religiously but I lost touch with him. He's got quite a few MacWorld articles - but there's no feed. There doesn't appear to be a feed on his personal business site either. [1]

(Pause while we weep silently into our keyboard.)

Maybe I lost touch with him because he developed an allergy to RSS?

In any case, here's a short list of what I learned from his tutorial - despite many months of Aperture use:

  • The control units are called 'bricks'.
  • The White Balance Brick has a drop down for different kinds of white balance (skin tone, temperature, etc). I never $#@ noticed.[2]
  • The relationship between the histogram and the Exposure brick sliders: "Exposure (highlights, right side of the histogram), Black Point (dark tones, left side of the histogram), and Brightness (middle tones). ... Once I set the Exposure and Black Point, I use the Brightness slider to adjust for taste.... always adjust Brightness after Exposure and Black Point."
  • Post brightness move highlights slider to right to recover details. (This never seems to work for me though.)
  • Color tweaking. This has always been a mystery to me. He picks a green 'swatch' then uses eye dropper to pick a green item and adjusts Hue, then tweaks with Saturation and Luminance. (Ok, it's still a mystery.)
  • Definition over Saturation and Vibrancy. I don't know what the differences really are, but I also like Definition most. Nobody seems to use the Contrast slider.
  • When he sharpens Edges he pushes Falloff and Intensity, not Edges. (I'd been doing Edges. Again, no clue.)
  • To see original image push M key (I kind of knew that).

[1] Update: O'Reilly has a feed, but it doesn't include his MacWorld articles.
[2] It was new in 3.3

Java on the Mac is malware - and how to turn ALL of Java on or off as needed.

US-CERT recommends disabling Java in all web browsers on all platforms

... This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment...

They don't mention removing Oracle Java [3] entirely, and they don't specifically address the Mac. By nature, they must be sober and governmental.

I am not so constrained. I can just say ...


Let me name the ways:

  1. It always installs for all users. You can't install for a single user.
  2. It installs with root privileges in System/Library, not /Library as it should.
  3. There's no uninstaller for Oracle Java and Oracle's online instructions for manually uninstalling Java 7 only uninstall the browser plugin. Full Oracle Java uninstall requires sudo/root privileges.
  4. The Preference Panel is merely a pointer to Oracle's ugly control panel, and that control panel disregards OS X Admin/User/Managed User controls. Any user can enable Java plug-in. You can't turn off all Java, just the plug-in.
  5. You can disable the Java plug-in in Safari or Chrome, and in Chrome you can use Fretty's brilliant Click to Run Extensions in Chrome tip, but you have to do this for every user on a Mac, and they can all turn it back on regardless of privileges.

Even if we didn't know about Java's global record of frequent security failures, the implementation of Java on Mac reeks of hacks, bad design, and high risk.

This thing is bad, and most recommendations for managing the risks on a Mac are inadequate. There's really no way to make this thing safe even if:

I have to put Java on my MacBook Air for work reasons, but based on what I've learned I'm hunting it down to remove it from every machine at my home. Java-dependent Mac apps are unacceptable (Sorry Crashplan, Fugu, XMind and more).
Meanwhile, on my Air, I'm going to see if I can sudo into /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java and rename the Java Folder to Java_DIE to prevent it from running except when I absolutely need it. [1] [2] See Update below.


[1] su [admin_user_name], sudo mv Java java_die does the rename, but I think I need a permission fix.

[2] via GigaOM: Mac Apps that need java: Minecraft, Runescape, CrashPlan, Illustrator, OpenOffice, NeoOffice, FreeMind, Xmind, Gantt, Vuze, Screenr, Cisco and Juniper VPN Clients.

[3] - added 2/24/2013: I added the word Oracle here, because there's a big difference between Oracle/Sun's Java on the Mac, the Java JRE on the Mac, and the Java language. From a security perspective the language is no worse than most alternatives and better than many. The JRE is problematic because it bypasses the App Store/SignedCode framework that is our current best hope for the future of personal computing, but that's similar to distribution of any software outside of the App Store. The real crime is the installation of the JRE into System with root privileges.

Update 2/23/2013 (rewritten):

I asked on app.net about a way to turn ALL of Java on the Mac on or off as needed. alextrott replied and recommended these terminal commands to enable and disable (Since sudo -u doesn't seem to work on Mountain Lion, if you run from a non-admin account you have to enter "su YourAdminAccountName" first.):


To disable:

  • sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 000 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

To enable:

  • sudo chmod 755 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 755 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

Alex tells me he's working on a small Mac app to toggle Java on or off as needed.

When I tried this on my Mac chmod 000 did disable Java. XMind wouldn't run. However my attempt to reenable failed; probably due to user error.

Which was when I realized I could easily do this in the Finder:


I can set JavaVirtualMachines to allow No Access or Read & Write. With No Access XMind won't run, with Access it will. I put a shortcut to the Java folder on my desktop for easy access to this JVM Folder.

Update 8/29/2013: With Mountain Lion as of 8/2013, if you type 'java' at the command line OS X will download Apple's version of Java 6 and will remove the old preference panel. (It's not supposed to install a browser plugin). If you go to Oracle's site and install Java 7 you get their preference panel.

Oracle's Java 7 can be uninstalled -- albeit with difficulty. (Plugin is easy to uninstall, Java 7 is not easy.)

Apple's Java 6 cannot be uninstalled. It has permissions like this:

- system: read & write

- wheel: read only

- everyone: read only.

Curiously when I unwittingly installed Apple's Java 6 there was no option from a non-admin account to set Privileges to 'No access'. From an admin account I could set to "no access" or "write only" but command line java still ran. So clearly there's much of this I don't understand.

Sunday, February 17, 2013

Flickr has a Snapfish problem

I've been hearing reassuring sounds on app.net about Flickr's resurrection. Since I've been unhappy with Picasa Web's disinterest in Aperture/iPhoto the app.net support meant I gave Flickr a try. Not least because Aperture has built in Flickr sharing features.

I signed up for the 3 month pro service. It auto-renews, but if you "cancel" you effectively turn off the auto-renewal and continue the term of your subscription.

I liked the Aperture integration, but Flickr felt old and clumsy. Worse, the sharing settings are difficult to revise for Sets, and there's no true equivalent of Google's share-by-unguessably-large-unique-URL.

I could live with that, more or less, but Snapfish did me in. 

Twice I sent "Sets" to print via Snapfish, and twice a few photos were "unavailable" (all seemed well in Flickr). Worse, when I tried to delete my new Snapfish account, I learned terminating a Snapfish Account isn't easy. That's a flagrant violation of clause 1 of Gordon's Laws for services.

Since I couldn't delete, I set a very long password, removed all my photos, and tried to change my email to my spam account. Alas, now I was forced to enter a (fake) postal address. 

Sorry Flickr, that's too many problems; I'll suffer with Picasa a bit longer. Call me back when you have a different print partner.

Saturday, February 16, 2013

Pre-Lion Macs: Go iCloud or Google?

It's been a while since I reviewed the PIM world [1], but a post on CardDav sync between MacOS Mountain Lion (10.8) and Google Contacts brought me up to speed. In particular, I thought about the special case of a pre-Lion Mac user (Snow Leopard and Leopard especially - 10.6 and 10.5). I'll assume for the purposes of this post that every Mac user also has an iOS device.[2]

Every Mac/iOS user has to choose between Google and Apple for Calendar and Contacts (and thus Email). On Mountain Lion (or Lion) the choice is more difficult; those operating systems can work directly with Apple's iCloud. So it's not a slam dunk decision [3].

On pre-Lion Macs however, the choice is fairly easy. Older Macs can't use iCloud sync or data services at all; they can only access the web interface to iCloud Contacts and Calendars. On the other hand, even old Mail.app can use Google's (troublesome) IMAP services, and old versions of iCal can more or less interoperate with Google Calendar. Google's web interface to Contacts is crude, but their Calendar web services are much more robust than iCloud calendar. If there were any doubt, Gmail and Google Docs would seal the deal [7].

So, if you're an iOS/Snow Leopard user you can (mercifully) forget about iCloud. You need to use Google; for maximal Google compatibility SL users can even install Chrome [5].

You still have one choice though. You can:

  • pay for Google Apps ($50/year) and use ActiveSync [4] on your iPhone and web UI on your Mac with optional use of iCal (CalDAV) and Mail (IMAP) on the desktop [6]
  • use ad-supported Google Services and use web UI on Mac and the standard sync services for iPhone or Mac: CalDAV (calendar), IMAP (Mail), CardDAV (iPhone, not Desktop alas).

I don't think ActiveSync is necessarily superior to CalDAV/IMAP/CardDAV any longer -- but it is simpler to setup on the iPhone. Still, that's not enough to choose between paid and ad-supported. The main thing you get for your $50/year is freedom from ads and phone support. The last isn't a small thing.

Snow Leopard users used to feel abandoned and left out. No longer! Sometimes lack of choice is a feature. Apple has spurned you, Google awaits with open arms. What are you waiting for?


[1] PIM: Personal Information Management. Always includes Calendar and Contacts; since PalmOS usually tasks and notes (or equivalents). In the 90s it was mostly PalmOS and Palm Desktop for me, in 2013 it's a bit more complex:

  • Contacts: iOS/iCloud/MacOS/Win7OutlookExchange via ActiveSync + Google/MacOS via CardDAV
  • Tasks: Todo.app/Toodledo via proprietary + iOS/Win7OutlookExchange via ActiveSync
  • Notes: Simplenote/Notational Velocity
  • Calendar: iOS/Google via ActiveSync + iOS/Win7OutlookExchange via ActiveSync

I've simplified a few of those connections. I think we're starting to hit the boundaries of human cognition.

[2] If you're Mac/Android you have to Go Google. Mac/RIM or Mac/Microsoft -- you're on your own and you're used to being hard core.

[3] I've largely gone Google myself.

[4] I don't think Google offers free versions of Google Apps any longer. I'm from the early generation when it wasn't hard to end up with a half-dozen App/Domain combinations all of which were grandfathered in to ActiveSync support.

[5] Real old Mac users may want to try Camino.

[6] It's not clear to me that Google Apps users can use CardDAV services.

[7] iCloud can still be used for iDevice backup and media services, but trusted friends tell me the backup is unreliable.

Google Contact Sync on Mountain Lion and iOS - CardDAV (Project Contacts 2013)

I'm rather late to this party [6], but around the time Google ended ActiveSync support for unpaid accounts [1] they added vCard 3 (1998) based CardDAV support [3]. Up until then one could sync iOS and OS X mail and Calendars via IMAP and CalDAV, but Contact sync was only via Active Sync. [2]

TUAW has some details and Google's iOS CardDAV instructions are here.

As we all know, synchronization is hell. Even if Apple and Google actually used the same vCard spec (probably vCard 3, 1998), and even if they agreed on newline characters, they still have to deal with distinctions between their internal data models and vCard. Some of those data model gaps are non-computable [5]. Even though Google and Apple have similar 'Group' models, that relationship metadata is ignored [8].

That said, at least CardDAV is relatively Apple friendly. Most importantly, this standard means, for the very first time I know of [7], there's a somewhat supported way to synchronize Contacts between Google and OS X Contacts and iOS contacts.

I've begun using it on Mountain Lion. Since I use Google two factor authentication I had to use one of their totally-defeats-the-purpose-giant-security-hole-not-single-use-god-i-hate-passwords-humans-are-losing-the-battle alternative passwords. There was some kind of transient authentication glitch but on a second try it worked. After a few minutes I had all 634 of my Google "My Contacts" on my Mac. Because of the long history of my Google/Apple Contact sync efforts (See Also, below) these largely duplicate my Address Book/iCloud contacts -- but Mountain Lion Contacts.app seems to merge the duplicates when I search [9].

This looks promising in a terrifying sort of way. You can drag and drop contacts between the iCloud and Google Contact lists; they'll be copied.

So what about Snow Leopard? Many fine machines run Snowie (and should not upgrade to Lion even if they theoretically can). They're (more or less) cut off from iCloud. Does CardDAV sync work with Google now? I wonder about adopting Hsiaio's technique, but so far the answer is no (same with Yahoo CardDAV). I didn't find much research on this question, but I suspect it's a combination of 10.6 bugs and SSL requirements. [9]. There is some limited Google Contacts sync on Snow Leopard that some still use.

- fn - lots

[1] Google grandfathered my half-dozen Google Apps accounts and recently extended the termination date for non-Apps users.

[2] Google says Google Apps accounts should use "Google Sync", which is their implementation of Microsoft's Exchange Server derived ActiveSync (with different bugs one assumes).

[3] vCard over HTTP/WebDAV. vCard has been Apple's Contact/Address Book export option for as long as I can recall, so it may be a good match to their Contact data model. CardDAV is also used by Apple's ancient Address Book Server. vCard 4 2011 has old-style and XML representations, but I suspect Apple, like Google, is more or less on 1998's vCard 3.

Google's vCard implementation has limits; worse, they only partly implement the 1998 vCard 3 spec: "why did Google move the ADR extended address "Oak and Pine" into the street address component? And worse still, why did it separate the two using an '\r\n' (CRLF) sequence? The VCard 3.0 specification clearly states that CRLF must be escaped by the single escape sequence '\n', not by '\r\n'".[4]

[4] Reading the last line of [3], by the way, a penny dropped. Apple changed the way they handled CRLF and vCard between MobileMe and iCloud, with near-disastrous consequences for my OS X Contacts. By Darwin, I hate the ancient DOS/unix/mac line newline debacle.

[5] Meaning data loss is inevitable, transferring a Contact between systems won't return the original. Incidentally, under my TrueName, I've spent 15 years dealing with interoperability issues in healthcare - from HL7 to TermInfo to SNOMED/RxNORM and back again via cCCD and the like. If you understand why CardDAV is hard, then you have a glimmer of a smidgen of a hint of an idea why we don't have true interoperability between EpicCare and Cerner -- and why we won't for decades.

I think the people who trudge away on vCardX are heroic figures who should be carried upon our shoulders. Forget Ive, these people do the work I rely on.

[6] The marketing/interest problem is unsolved -- largely because of the spam/advertising counter-current. I'm very interested in productivity software and I follow a number of related feeds; but I still miss news like this.

[7] Check out "See also" - lots of history here.

[8] Looking at Apple's braindead implementation of iOS Contacts and Groups I'd pin this failure on Cupertino and Apple's corporate silos.

[9] A friend of mine has a 10.6 MacBook and needs to use Google's world (as do we all). I think the easiest way to manage her Contact migration will be to get them to iOS/Google and then use Gmail web on Mac. I may put them on an account on my ML machine to help with cleanup.

[9] So which gets edited when one clicks "Edit" in Mac Contacts.app? Don't ask those questions. OS X doesn't say.

See also - via Gordon's Tech

Yeah, I've been fighting this war a long time. February 2009, almost exactly 4 years ago, was a big series of battles, but the 2008 PalmOS to iOS migration was probably the worst (later there were tools). I've read recently that Apple is an intensely siloed company -- that explains why iOS and OS X contact integration is so very bad.

Thursday, February 14, 2013

Facebook albums: How to choose which photo will appear on the timeline view of the album (primary photo, key photo)

I don't put that many albums on Facebook, but whenever I do I spend at least five minutes trying to remember how to change the album picture that appears on the timeline when the album is published.

The problem is there are many edit menus associated with Facebook photos. There are menus that appear on the photo, menus for photo descriptions, menus for editing albums and so on. The one you want is the edit menu associated with the timeline item, not with the album or the photo:

19+ Facebook Timeline Features and Resources You Should Know!

... To switch it with another photo, click at the pencil icon and select ‘Change Primary Photo’. You can then use ‘Reposition Photo’ if your selected picture doesn’t fit in properly."...

Now I might remember.

Thursday, February 07, 2013

Brother HL-2270DW out of toner workarounds and admin screens

I just bought an HL-2270DW to replace a 2140 at drum end-of-life. This review is excellent (here is my short one), Wirecutter recommended it as best cheap laser printer and Brother drivers seem better behaved than most. User manuals are here.

I'd have preferred the lower print costs of a higher grade printer, but the Brother model I considered draws too much current for many overloaded home circuit breakers.

Like most Brother printers (all printers?) it will stop printing when toner is "low" -- typically a few hundred pages short of an empty cartridge. With the 2140 I could cover an optical sensor and order a new ($$) cartridge. That doesn't work on the 2270; this page provided 3 options which I've revised here:

  1. The unscrew and rotate method
  2. Press the GO Button 7 times (quickly). " All of the LEDs should flash twice, and the Ready LED should turn on." Repeat to revert.
  3. Use the web GUI to change the Replace Toner printer setting to "continue" instead of "stop"

I like the last one. I used Bonjour Browser to find my printer's IP address, but I don't recommend this [2]. Instead read the Network guide/manual. In OS X I used Open Print Queue and clicked a button called "Show Printer Webpage ...". That did the trick; OS X resolves the Rendezvous URL to the correct network address.

Click printer settings (un/pw is user/access) then change the Replace Toner settings. There are other settings and reports of interest as well [1].

I left the settings on Stop -- when the printer stops I know to order a new cartridge; I can change the settings then.

PS. The printer is supposed to come with an optional sticker that explains various flashing lights. I found mine floating about the floor. Watch for this when unpacking.


  • Drum Unit is rated for 12,000 pages, memory size is 32MB.
  • The Administrator pw is admin/access. You can use this to change both the Admin (admin/access) and User (user/access) credentials if you wish.
  • You can give the printer a static IPv6 address (good luck)
  • It has NetBIOS support (brings back nightmares)
  • BRAdmin uses the printer's SNMP services
  • It has an FTP and TFTP server with mDNS and LLMNR (who needs all this in a home printer?!)
  • It has an SMTP service and a POP3 Server?!! - presumably for notifications (but why POP3?). You just know that this would feature in some evil network hack.
From the Network Guide supported protocol list:

  • 10/100BASE-TX; IEEE802.11b/g (Infrastructure Mode / Ad-hoc Mode)
  • (IPv4): ARP, RARP, BOOTP, DHCP, APIPA (Auto IP), WINS / NetBIOS name resolution, DNS Resolver, mDNS, LLMNR responder, LPR / LPD, Custom Raw Port / Port 9100, IPP, FTP Server, SNMPv1 / v2c, HTTP Server, TFTP Client and Server, SMTP Client, ICMP, LLTD responder, Web Services (Print)
  • (IPv6): NDP, RA, DNS Resolver, mDNS, LLMNR responder, LPR / LPD, Custom Raw Port / Port 9100, IPP, FTP server, SNMPv1 / v2c, HTTP Server, TFTP Client and Server, SMTP Client, ICMPv6, LLTD responder, Web Services (Print)
  • APOP, POP before SMTP, SMTP-AUTH
  • WEP 64/128 bit, WPA-PSK (TKIP/AES), WPA2-PSK (AES), APOP, POP before SMTP, SMTP-AUTH
  • Wi-Fi Certification Mark License, Wi-Fi Protected Setup (WPS) Identifier Mark License, AOSS Logo

I wonder if it's running Linux.

[2] After I ran Bonjour Browser ML persisted in showing the Rendezvous identifier for the printer as a "SHARED" item in the Finder left bar. I had to run BB again, and twiddle with reload services, to make it go away. I think BB might need an update -- in one config screen it refers to "Jaguar".

Update 2/21/2013: I had to do this when the "starter" toner ran out and the real cartridge didn't arrive. First times I tried setting the web config to 'continuous' instead of 'stop' it failed with a 'printer busy' message. I paused the queue and restarted the printer and I was able to change the setting.

Update 4/4/2013: I bought a TN-450 2,600 page extended cartridge, and after 200 pages I have a toner light. I wonder if it was a counterfeit -- though I did buy it through Amazon direct. Alternatively it or the printer may be defective. Alas, it's 4 days past the return period so I'm stuck. Looking at the 1 star reviews I'm not the only user to run into this.

Update 5/21/2013: These aren't counterfeit cartridges, we really are only getting 600 or so pages per $55 cartridge. See: Gordon's Tech: Is Brother running a scam with its HL-2270DW printer and TN-450 toner cartridge?

Saturday, February 02, 2013

Sharing a credential store for a family (or small business) - and the end of the personal database

I have managed family credentials and web site data in a FileMaker database since 1996 [1]. That database now holds over 1600 records, of which at least 1200 are historical (dead accounts, obsolete urls). The historical items don't get in the way as much as one might think, and I kind of like this mini-history of the net.

This repository has survived many technology transitions. Over the past 10 years it has more-or-less synchronized with credential stores running on PalmOS and iOS. At some times I've used FileMaker sharing (web publishing and the IP based fmnet: protocol) to allow my wife to access and edit both of our credentials too. (I am too boring to have any secrets, and it's critically important that she have credential access if I'm unavailable -- as in dead.)

Alas, all things must come to an end. FileMaker and its half-baked replacement "Bento" are both dying. FileMaker Go, which I'd like to use on my iPhone, doesn't support true synchronization. Bento is supposed to have some synchronization capabilities with iOS clients, and there's some form of encryption on the desktop version, but I don't know of anyone using this product. Bento feels stillborn.

So I could probably cobble together a solution using some combination of FileMaker licenses ($180+ each) and/or FM 12 web sharing (Mountain Lion broke FM 11 web sharing [2]) -- but then I'm investing in a dead technology niche.

There are other issues with the way I use this credential store. I've been maintaining it in FileMaker and exporting to 1Password for iPhone access, but that means my iPhone repository is read-only. The update loop is slow; sometimes I don't have credentials on hand.

It's time to move.

After consultation with appnetizens there appear to be 3 solutions:

  1. Use 1Password with Dropbox. (I'm still on 1Password 2, but it works similarly. I don't mind upgrading anyway.)
  2. Use some other Cloud solution, such as shared Google Doc or Spreadsheet, Simplenote, etc.
  3. Use 1Password on her iPhone only (see below). [1Password 2 only - see update.]

The first two require the Cloud. I don't like that - for several reasons [3].

That leaves option 3, and that only works because 1Password runs constantly on my always-active account and 1Password on the desktop can support multiple iOS clients. It's not perfect as it gives her credential access only via her iPhone; but since we do use Google Sync that's less of a problem than it might be [4].

I think we'll try option 3, which implies I'm going to treat 1Password as the "source of truth" and slowly archive my last FileMaker database -- and then FileMaker itself.

RIP old friend.


Well, that's interesting. Technology transitions are rarely smooth. It's not clear that there is a non-Dropbox solution any more. I think I'll keep FileMaker on life-support a bit longer.
Incidentally, there's something disturbing about how 1Password syncs. Watching the behavior it's almost as though it replays every transaction that's ever occurred on 1Password desktop; implying it still keeps fully deleted credentials. When I updated the cache 10,000 records were processed for 1,500 credentials. Looking at my backup history the agilebits keychain file is growing at a rate consistent with retention of deleted credentials. I think the only way to really clean it out is to delete the keychain and start anew.


[1] FileMaker is a survivor from the pre-net era of software, when geeks used personal databases for address books, recipes, PDF based document management, record and CD collections, archives of thousands of stapled paper medical journal articles indexed with pre-web "Grateful Med" MEDLINE metadata, club memberships, and much more. With a relatively large user base FileMaker was then quite affordable.

I will now interrupt this post to admit that review of those web 1.0 pages, and particularly the data store transformations of the past 8 years, has given me a dose of old-guy future shock. When I started researching this topic I didn't realize I was also writing an obituary for the personal database!

It has been one hell of a ride from my 1990s FileMaker article file to Google and the Strata conference I'll be attending in Santa Clara this month.

[2] I tried reenabling Apache on ML using a freeware pref pane. Apache ran, but FM web sharing still didn't work. Looking at the FM 12 writeup I think it barely works even there.

[3] Example: An encrypted database store is forgotten in the cloud. Six years from now, when Dropbox's assets have been acquired by the Russian mafia, 2012 encryption is trivially broken. I don't want this store public even in 2019. Not to mention the LastPass breach.

[4] So why do I allow that form of Cloud use? Good question.