Saturday, November 21, 2020

Google's mysterious new blogging platform

Google Blogger has been largely forgotten, but over the past 1-2 years it's been receiving regular updates.

Mostly these have been improvements with a few odd regressions. Some of the regressions have been fixed.

It's kind of curious. Google still uses Blogger for some of their blogs on googleblog.com (ex: Scholar), but they also have a new platform - https://blog.google (Keynote, Data Centers). On the Keynote blog page the RSS feed is hidden (but exists), on Data Centers and Photos blog there's a familiar feed icon top right. Data Centers articles date to 2012, but the .google domain was only registered in 2014. So they've migrated some old content, probably from Blogger.

I looked at the source from a Data Center post and it's surprisingly old school readable. There are commented out tags for handling IE 7 (!) and metadata for Open Graph and Twitter Card. Style sheets refer to "/static/blogv2/css/blog.min.css?version=4.4".

I wasn't able to find any articles on "Google's new blog platform". That doesn't surprise me, Google search is fairly useless these days. Clearly they are up to something internally.

If they do make this a public blogging platform I'm sure it still won't handle paragraph spacing correctly.

Blogger will republish old posts with new dates but keep old URL

So I learned something today about Google's ancient blogger platform.

You can republish old content with new dates without breaking the URL. Today I revised a post I'd written in 2008, but I set the publication date to today's date.

The post republished with today's date and is ordered correctly on my tech blog page, but it kept the old URL embedded date: tech.kateva.org/2008/09/os-x-major-version-updates-my-approach.html.

It's probably always been that way, I just never tried republishing before.

It's something I'll do more often now.

Updating macOS - the paranoid approach (updated from 2008)

I wrote the first version of this on 9/13/2008. I was looking for it 11/21/2020 and decided to see if I could update it a bit in advance of going from Mojave to macOS Big Sur sometime in 2021 (I skipped Catalina entirely). I'm also experimenting with a revised publication date in Blogger.

For my own amusement I kept the original below. Here's what I do now for macOS updates:
  1. Make a fresh Aperture backup (still using it!) from within Aperture.
  2. Test both my Carbon Copy Cloner and Time Machine backups including a test file restore. I create two CCC clones and take one off-site. I don't usually make bootable clones but I do this time.
  3. Remove my backup drives.
  4. Disconnect everything.
  5. Reset SMC, reset NVRAM.
  6. Run hardware diagnostics, Onyx cleanup, and Safe Mode boot.
  7. Turn off Time Machine backup.
  8. Update OS.
  9. Login to each user account on the machine and get iCloud working, check that Google services are connected (Mail, etc), run Notes, Contacts, Mail, etc.
  10. Do backup to fresh Carbon Copy Cloner drive. Note Time Machine is still off.
After a day or so I have to decide what to do with Time Machine. I usually start over with a fresh TM backup rather than try to continue with the old one. My primary backup is CCC.

The original post from 9/13/2008

I prefer an OS update to petting a rabid wolf or getting a kidney transplant. Even so, they're not my favorite things. It was clear early on that Apple had botched 10.5 - a prelude to the MobileMe fiasco and the iPhone OS 2.0 fender bender. So I waited to 10.5.3 before updating our non-critical MacBook. That didn't go all that well; I'm still having problems.

On the other hand there's a lot to like about 10.5, and I imagine I know what to watch for.
After lots of experience with 10.5.4, I was ready to risk an update to a very important machine -- our trouble free PPC iMac G5 running 10.4.11.

It's the procedure I follow with all major OS updates. I do all the work through my admin account.
  1. Check the backups are working so I know I have a current backup of data. I like to do a test restore of a randomly selected file.
  2. Have another machine available in case the update runs into problems -- you may need Google.
  3. Don't do the OS update on a desktop machine during bad weather. This is a bad time to have a power failure. Make sure you can't accidentally pull a plug or turn off the power. (I once bricked a peripheral by hitting a power switch with my foot.)
  4. Do a safe boot to clean up the system and verify the drive.
  5. Disconnect all USB hubs and all firewire devices. Attach only an Apple keyboard and an Apple mouse.
  6. Pull the network cable (see below). You can plug it in when you need to get software updates. Nowadays there are all sorts of things a partly updated machine can destroy if it can get at the net.
  7. Restart then remove Preference Panes from admin account (ctrl-click then delete in preference view). Review and remove suspicious login items. Use Spotlight to find all apps or utilities with a date prior to 2004 - remove any that aren't needed.
  8. Uninstall known bad actors. I know, for example, that my copy of Missing Sync for Palm OS won't work with 10.5. I don't need it any more, so time to use the uninstaller. Remove Retrospect's client if present, that will need to be reinstalled.
  9. Turn off sync services, such as Spanning Sync. Don't turn them on again until you've run iCal, Address Book, mail, etc for the first time. I recommend turning off everything related to synchronization, including .Mac/MobileMe, anything in iTunes, any add-on services. To be extra sure, pull the network cable during the update. Don't allow the machine to access the net without your control.
  10. I've already removed the evil Adobe Acrobat Reader and RealAudio.
  11. Copy the 10.5.4 Combo Updater to the desktop. I don't want to run 10.5.2 a moment longer than necessary. Confirm I have plenty of free drive space left.
  12. Review Mac OS X 10.4, 10.5: About installation options so I don't miss the 'Archive and Install' option [1]. (Made that mistake before!)
  13. Insert DVD and click the install button.
  14. Go walk the dogs, do the dishes, etc. Just the DVD verification takes an age and a half. (Yes, you can skip the verification. I prefer to let it run.) The update should proceed without any questions, so you can let it go.
  15. After the upgrade and reboot it can take a long time for the admin account to come up. Be patient.
  16. Restart again (to let caches be built properly) then apply the 10.5.4 combo updater. The machine will restart.
  17. Check all login items for all users. There's a bug in the 10.5.2 Archive and Install procedure that can cause login items to be applied across user accounts.
  18. Check for other updates. I was surprised I had to install iTunes 8 again -- it had been installed earlier. I imagine if I hadn't done this, and I'd tried to sync to my iPhone, the heavens would have fallen. You have to keep checking until no new updates are found.
  19. Run iCal and Address Book. Anyone else notice that 10.5 Address Book backup is under the export/archive menu now? Back 'em both up before any iPhones sync.
  20. Enable Spanning Sync and do an iCal sync with gCal.
  21. Run Keychain Access and Keychain First Aid.
  22. Run any app that iTunes works with or that intersects with the iPhone.
  23. Cycle through all accounts, looking for obvious trouble.
  24. Hook up the peripherals, download drivers for the MacAlly keyboard, etc etc.
  25. Expect Spotlight to suck CPU and drive the fan until the search indices are rebuilt. Let it run overnight.
  26. The long recovery begins.
There were a few curious things about this update:
  1. MobileMe didn't appear in software update, so it was only when I went to the old .Mac preference panel that I was asked to update to MobileMe. This might have caused some problems if I'd installed MobileMe.
  2. iTunes regressed to an earlier version. I had to update to iTunes 8 again. This would have caused serious problems if I'd missed this.
  3. Spanning Sync keeps telling me it's deleting appointments from Google Calendar, but it doesn't say what it's deleting. I don't know why this is happening.
  4. The update resurrected a number of old apps and login items that I thought were long gone. They're wreaking havoc on my syncs.
[1] Select this option if you want to install a "fresh" system on your computer. This type of installation moves existing System files to a folder named Previous System, then installs a new copy of Mac OS X. You cannot start up your computer using the Previous System folder. Archive and Install installations require the largest amount of available disk space because you need to have room to preserve your existing System and the new one you are installing. This is a good choice if you've already backed up your important files and are trying to resolve an existing issue. Mac OS X-installed applications, such as Address Book and Safari, are archived, and new versions are installed in the Applications folder. Some applications, plug-ins, and other software may have to be reinstalled after an “Archive and Install.” Fonts that were installed in the Fonts folder in the top-level Library folder can be installed in your new system by copying them from the Previous System folder.

macOS Mojave Safe Mode can take hours, the progress bar is no help. Also - Disk Utility and APFS

 TL;DR

What happened

When I'm doing a major macOS update I typically backup two different ways, unplug everything, do a Safe Mode start to clean caches and verify directory structures, run a hardware diagnostic startup, then I update. This time around I was just applying the latest Mojave update but I decided to do a safe mode start for the heck of it.

Safe mode's progress bar smoothly progressed to 100%. And then it sat there. For an hour or two. Finally I gave up and powered down. Clearly something was wrong.

I ran a hardware diagnostic (startup D). No problems.

I booted in Recovery Mode and ran Disk Utility. It quickly finished. No problems. (But this was a mistake.)

I googled and found basically nothing (crank note below).

Finally ... something clued me to look more closely at Disk Utility. The partition that First Aid ran against was only a few GB. That made me look around a bit. I can't recall the exact sequence but I had to do something in the menu bar to show all possible partitions. Then I had to select a drive/partition thing to mount it. That required a password for at least one user (I gave it my admin user password). Then I could see the true 250GB data drive. Then I ran Disk Utility First Aid on that ... and it took about 15-30 min for each of 19 Time Machine snapshots. In all it took about 4 hours to run.

That night I booted into Safe Mode before leaving the computer. When I got up it had completed without a problem.

Basically that progress bar is a bug. (macOS is infamous for missing and misleading progress bars.) In Mojave, Safe Mode seems to run Disk Utility First Aid on all partitions/volumes at the very end of its execution when the progress bar is complete -- and that can take many hours. Even if there are no problems. If Safe Mode runs overnight and still hangs then you need to run Disk Utility First Aid to figure out where the problem is -- including running it on all partitions/volumes.

A crank footnote

Fifteen years ago when I ran into similar problems a quick Google search would have returned many blog posts and forum comments explaining the problem. In 2020 my searches turned up a single cryptic Apple Discussion post saying safe mode took a "long time" to complete. I figured an hour was a "long time", but it looks like 8 hours is conceivable. The modern web is decrepit. I doubt, for example, that Google will actually index this particular post. (Update 11/13/2023 - After the Aperture nightmare was done I started Safe Mode prior to doing a Monterey update. After an hour I googled on the problem and found my article. So now I'm gonna kill it and remove the snapshots with Carbon Copy Cloner then run safe mode. Anyway, Google evidently indexed this post!)

Sunday, September 27, 2020

Things I miss: drag and drop link creation

I've mentioned here a few times that progress is not linear. Howard Oakley has a piece on a related topic today. For example, no application has done text style management as well as Symantec's MORE 3.1 -- which died decades ago. I don't think we'll ever see the like of Apple's Aperture again -- an insanely ambitious app for professional image editing and especially image management. The iPhone is a bit of an improvement over the Palm III, but it took years to equal Palm's task, calendar and note management (yes, really).

Today I mourn one small example of lost progress. It used to be easy to create a link to a web page. You'd click on something in your browser URL display and drag it onto your web page editor (MarsEdit, FrontPage, Word, some web client editors) and *bingo*, instant link. The page title was the link text, page URL was, well, the URL. I can't do that any more, at least for Blogger (which seems to be in some kind of resurrection lately).

One day ...

PS. Been a while since I thought of FrontPage/Vermeer - Microsoft's 1990s web site manager. It was the Aperture of its day. Very ambitious, buggy, often flawed, but nothing like it now. Parts of it survived into SharePoint Designer, but now that I've mentioned SharePoint I'm spiraling into PTSD ...

iCloud backup and my lost authenticator codes

When my local Apple store tech was unable to remove the battery from my iPhone 8 they gave me a new device -- which was SIM locked to AT&T.

Well, everyone has to start somewhere, including Apple techs. Hope they improve soon.

Anyway, between the initial restore and the factory reset to clear the SIM lock I've been through two iCloud restores in the past week.

iCloud restores kind of suck now. I think they worked better a few years ago. The good news is that my photos were restored (I don't use Apple Photos/iCloud so I needed that backup). The bad news is that so many apps needed credentials reentered or new certificates generated -- especially when doing a restore after a hardware change.

The worst news is that Google Authenticator lost my authenticator codes. As near as I can tell they are restored from iCloud if the hardware is unchanged, but not if the hardware changes. Or maybe it's a bug. Whatever the reason, I lost 'em. 

It was suspiciously easy to regenerate Authenticator codes for my Microsoft account. Not too hard for Google either, because they've moved to preferring an Apple-like proprietary two factor authentication mechanism. It is a bummer for Dreamhost though -- so now I'm going through support to try to recover access to my domains and web content.

It's hard to reconcile security and backup/restore. For example, Google Wallet and your biometrics (finger/face) aren't backed up either. On the other hand your Keychain credentials are in iCloud, and anyone who can get into your iPhone can read all of your passwords (try: "Hey Siri, Show me my passwords" or see Apple's hidden password manager). So your 4 digit Apple device passcode is not a great idea.

PS. I'm storing Authenticator codes in 1Password now. Which, like most small company software, has its own security concerns, not least that it would be relatively easy for China, say, to acquire the company or insert a backdoor into the source code.

Saturday, September 19, 2020

ToDo apps: Microsoft's solution

I've used Appigo's ToDo app for about 12 years (with Toodledo at first). It's had problems over the years, but in general it's been a good subscription choice. There's a fairly hard data lock (maybe SQLite?) but manual reentry is feasible albeit annoying.

Lately, however, ToDo has been more ragged. A recent server side change induced a date bug (time zone?) that in turn showed me I was using a macOS app last updated in 2016. It appears to have been abandoned on the Mac App Store. When I went to Twitter I found Appigo's account was closed years ago for violating TOS. Eventually I found I could download a current version of their other App Store app from their web site.

At the moment the app is more or less working again, though parts of the macOS app UI are kind of weird. I figure there was some violent ownership transition with lost dev passwords in Appigo's history (maybe they got ransomwared?).

I decided to go shopping again. I'm looking at:

  • Apple Reminders: hard data lock and I have to upgrade from Mojave to get to latest version (not happening).
  • Google Todo: this is one hell of a weird product. WTF is their web strategy? Tied to Gmail? Tied to Calendar? At least there's data export.
  • Things
  • OmniFocus: poor Omni is in some disarray ...
  • Microsoft To Do
Today I dug into Microsoft To Do. Of course it's a mess, but this is 2020 so we expect that. The mess starts with Microsoft reusing product names. To simplify a bit:
  • There are classic Outlook Tasks. I'll call these TasksClassic. TasksClassic was excellent in many ways, including, once upon a time, great import/export options and lots of view flexibility (I like to sort by last modified!). Unfortunately it's dead, just barely hanging on in the current desktop app with some degree of synchronization with the new product.
  • There's the new Wunderlist-based product variably called Microsoft To Do and ... Outlook Tasks (name reuse!). I'll call these TasksW for Wunderlist.
If you open the Help screen page for macOS TasksW (To Do) it takes one to a page on Outlook synchronization that's obsolete -- because the Outlook.com version of Tasks has switched from TasksClassic to TasksW. On the other hand the version of Office 365 on my Mac still has TasksClassic, and it does synchronize with TasksW as displayed on macOS and iOS Microsoft To Do.app.

Are you still with me?

This gave me a brief moment of hope that there was some data freedom here. I remember the import/export options of old Windows Outlook. Alas, the only import/export from macOS Outlook is Microsoft's PST format. There might be some way to do things with Outlook Windows or with 3rd party tools but I don't have the energy for that.

At this time I think TasksW is probably a decent enough product, but this has reminded me how screwed up Microsoft is. So I'm setting this one aside for the moment.

Sunday, August 16, 2020

Can you do a Time Machine backup to a USB flash drive (thumb drive)?

 I'd wondered if it was possible to do a Time Machine backup to a cheap Flash Drive. My daughter is going to college and probably doesn't have a great need for backup (iCloud Document/Desktop, iCloud Photo, Google Docs, etc) but I'd still like to do something.

So I wondered about a compact Flash Drive. In the twilight of the web Google couldn't find me an answer, so I ran my own test. I used an old San Disk Ultra Fit 128GB USB 3.0 Flash Drive in an old USB 2 MacBook Air running High Sierra. I formatted the Flash Drive as encrypted HPFS and let Time Machine run the backup.

It took about 4-5 hours to do the initial 80GB backup but it seemed to work fine.

I doubt these Flash Drives are super reliable, but I think this is an option. I can see taking advantage of it while traveling for example. Unfortunately her 2020 Air doesn't have an open USB slot where an Ultra Fit could live, but it could be a part of her Anker 7-1 USB-C docking station. A modern San Disk Ultra Fit USB 3.1 is $33.

Friday, August 14, 2020

Chrome malware: Managed by your organization

I think my son installed a "managed by your organization" Chrome malware extension when he was trying to find Flash. This one showed in Chrome as "searches.network"

The obsolete Federal government website required for his US census enumerator job probably directed him to get Flash. I wouldn't be shocked if he got the malware directly from the Federal site. US government web sites are notoriously insecure. [1]

This class of malware now works by installing an unsigned profile on the user's Mac that activates Chrome's "managed by your organization" mode. It locks the home page and search page so traffic is routed through the malware's server and it prevents a Chrome reset. (It may do other things as well of course.) For some reason it locked him into Bing, which was a dead giveaway. Smarter malware wouldn't have changed the default search engine.

Once upon a time a quick Google search would have explained how to remove the malware. This is 2020 though, so Google's search results on this topic are mostly garbage. I found one result on a garbage site, however, that must have been partly based on a real site. That clued me to the profile. Once I deleted it then I could do a full Chrome reset. Once I knew the fix I found this guide, which covered the territory. (I can't tell who manages the site, I hope they make money by malware app referrals rather than anything more ominous.)
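A check for the kind of profile described above, as an added example that is not part of the original post: it parses a configuration profile and lists the Chrome managed-policy settings that pin the home page, start page, search provider or extensions. It assumes the profile is available as an unsigned property list; the key list is a selection of Chrome enterprise policy names, and the sample profile and its identifiers are constructed for illustration.

```python
import plistlib

CHROME_DOMAIN = "com.google.Chrome"
MCX_TYPE = "com.apple.ManagedClient.preferences"

# Chrome enterprise policy keys that pin the start page, search engine or
# extensions (a selection chosen for this example, not an exhaustive list).
LOCKING_KEYS = {
    "HomepageLocation", "HomepageIsNewTabPage", "NewTabPageLocation",
    "RestoreOnStartup", "RestoreOnStartupURLs",
    "DefaultSearchProviderEnabled", "DefaultSearchProviderName",
    "DefaultSearchProviderSearchURL", "ExtensionInstallForcelist",
}


def chrome_policy_dicts(payload):
    """Return the Chrome policy dictionaries carried by one profile payload."""
    ptype = payload.get("PayloadType")
    if ptype == CHROME_DOMAIN:
        # Layout 1: policy keys sit directly in a com.google.Chrome payload.
        return [payload]
    if ptype == MCX_TYPE:
        # Layout 2: policies nested under the managed-preferences domain.
        domains = payload.get("PayloadContent")
        if isinstance(domains, dict):
            forced = domains.get(CHROME_DOMAIN, {}).get("Forced", [])
            return [entry.get("mcx_preference_settings", {})
                    for entry in forced if isinstance(entry, dict)]
    return []


def audit_profile(raw):
    """Parse profile bytes and list Chrome settings that lock home page or search."""
    try:
        profile = plistlib.loads(raw)
    except Exception:
        # A signed profile is a CMS envelope rather than a bare plist;
        # report that it could not be read instead of guessing.
        return {"parsed": False, "findings": []}
    if not isinstance(profile, dict):
        return {"parsed": False, "findings": []}

    findings = []
    payloads = profile.get("PayloadContent", [])
    for payload in payloads if isinstance(payloads, list) else []:
        if not isinstance(payload, dict):
            continue
        for policies in chrome_policy_dicts(payload):
            for key in sorted(LOCKING_KEYS & policies.keys()):
                findings.append(
                    (payload.get("PayloadIdentifier", "?"), key, policies[key]))
    return {
        "parsed": True,
        "name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }


# Constructed sample: a profile that pins Chrome's home page and search URL.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "constructed.example.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Browser Settings",
    "PayloadContent": [{
        "PayloadType": CHROME_DOMAIN,
        "PayloadVersion": 1,
        "PayloadIdentifier": "constructed.example.profile.chrome",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "HomepageLocation": "https://search.example.invalid/",
        "HomepageIsNewTabPage": False,
        "DefaultSearchProviderEnabled": True,
        "DefaultSearchProviderSearchURL":
            "https://search.example.invalid/?q={searchTerms}",
    }],
})

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print("profile:", report["name"], "| organization:", report["organization"])
    for identifier, key, value in report["findings"]:
        print(f"  {identifier}: {key} = {value!r}")
```

A profile with no organization, a generic display name and findings like these is worth reviewing by hand before it is removed.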

Before I did this I followed advice from a trusted source and installed the free (but suspiciously marketed) Malwarebytes antiviral. It found nothing. I'll try running one or two more antivirals (AVG, Sophos). Malwarebytes is an easy uninstall, so points for them.

[1] I am the solo family geek, my digital-age children seem to prefer the 18th century. My theory is the latest generation has the same take on computers that, at the same age, I had on automobile engines. It should just work, and if it doesn't work an old person might understand it.

Monday, July 20, 2020

Blogger (draft) supports mobile

If you are using Blogger Draft you will find that it works fairly well in Safari.app and Chrome.app for iOS.

The new interface is responsive. 

I’d prefer a different font for writing on mobile but it’s very doable. Competitive with WordPress mobile app but expect some rough edges.

(Eons ago there was a mobile app for Blogger, but it was discontinued. I doubt it will return.)

Sunday, June 28, 2020

Carbon Copy Cloner was quietly excluding 1Password stores from backup (Corrected: app, not data stores)

This morning's heart attack:

"CCC no longer excludes 1Password by default."

What the fork were they thinking?!

-----------
Update: OK, looks like they did this briefly in 5.1.18 and, even though their language is sadly unclear, it was the 1Password app rather than the 1Password credentials that were not being backed up. That link lists all the files not backed up, though as of today it's not been corrected for 5.1.19.

So I still have chest pain, but not a heart attack.

Wednesday, June 24, 2020

Python macOS environments for learners in 2020

My daughter is auditing Coursera's Intro to Python class. It's pretty standard stuff, but I was surprised by the development environment. For macOS there's a non-trivial Python install that requires some unix knowledge, use of the Homebrew package manager, dealing with admin vs non-admin user issues, consideration of pyenv, editing the path, and finally installing Python.

That's a long way from the ease of, say, TurboPascal circa 1983.

I figured there had to be a better way, but Google only found me some pro-level IDEs. It fell to Twitter to clue me in to the modern scene. The 4 good modern options turn out to be:
  • Google Colab: absolute easiest and least painful. I believe the Python code executes in the browser, so it's substantially slower than execution directly in macOS.
  • Microsoft Visual Studio Code for macOS: this does require the traditional Python install with Homebrew, but it's a very beginner friendly environment. The Python plugin provides Jupyter support.
  • Homebrew Jupyter: similar to Colab but like Visual Studio is part of the Homebrew/Python path.
  • Azure does Jupyter Notebooks (via @jhovland) at notebooks.azure.com.
Years ago I ran into iPython as a novice environment; turns out it morphed into Jupyter.

It's a sign of the times that Google search didn't turn up a blog post with these options. (It won't find this one either, I'm way off Google's radar now.) Once I'd identified the above options however I could do a Google search to find an educational resource that did mention them:

There are many ways to write and execute Python code:

Python tutor (online, visual debugger)
Python interpreter (command line)
Visual Studio Code (editor, good debugger)
Jupyter (notebook)
Google Colab (online, collaborative)
 
During this lab we see all of them and familiarize with the exercises format. For now ignore the exercises zip and proceed reading.

That site is the University of Trento's data science lab course, updated 2019/2020.  The U of Trento was founded in 1962. Reading the wikipedia page it seems to have started out focusing on sociology (and, given the era, was likely a wee bit Left) but now seems to be very tech.

The course material is presumably translated from Italian. It's quite readable though it would benefit from a native speaker updating the GitHub content. Judging by my little test it may be one of the best resources of its kind.

I came back to Python for a course on working with the OpenAI ChatGPT LLM. This time around I used Visual Studio Code with the Jupyter support. I use the default Python PIP package manager but I think Microsoft favors Conda. As of 2024 CoPilot is an option but it is not free.

Sunday, April 12, 2020

Facebook still has RSS (iCal) feed for Calendar Events but it is insanely obscure

I thought Facebook had removed the link we used to have to see the feed URL for a Facebook "calendar". (A Facebook calendar is the set of all Events one has responded to as "going" or "maybe".) I couldn't find it anywhere even though I was pretty sure I'd used it as recently as 6 months ago.

Facebook only documents exporting a calendar file. (In the mobile app there's a simpler way to add a single Event to a system calendar.)

I couldn't even find any mention online of the Facebook calendar feed. Just sad comments on Facebook's removal of RSS feeds about 7 years ago.

I was just about to give up when a last search found a Business Insider article from Dec 2019. Some Facebook dev has kept it alive in the most obscure location possible.

You can't find it by looking at your Facebook Calendar: https://www.facebook.com/events/calendar
You can't see it by looking at your Facebook Events: https://www.facebook.com/events/

The only way to find them is to use the web UI and inspect the ... context menu for any single Event.

Beneath that you will see "Export Event":

Do not be deceived. Export Event is a form of misdirection.

In fact the resulting dialog, in addition to allowing saving of a single event, also provides the secret URL for a Calendar feed (RSS, iCal) including the Facebook UID and a "key" for access:

In Google Calendar web here's where that URL goes:

It can take hours for the feed content to appear and updates are likewise slow to show.

Sooner or later Facebook will expunge this last vestige of usefulness, but I do want to thank the dev that hid it away and let it survive for so long.

PS. I do appreciate so many Facebook page URLs are readable, persistent, and meaningful. I rely on that given the ever changing menu and navigation structures.

Monday, February 17, 2020

Canon's dSLR lens -- upgrade program for out of service lenses

The Canon EF 28-135 lens I bought in 2006 (!) for $420 died recently. The autofocus stopped working.

I can't complain too much -- I got a lot of use from it. The EF series is Canon's low end and it's not a great lens. (My Canon 50mm 1.8 is a famously cheap and great lens. With modern sensors it works very well for both portrait and for things I'd have used a 100mm zoom for. It's not image stabilized though.)

It turns out Canon doesn't service EF lenses of that generation. They will give 15% off a new similar lens (not sure what qualifies) or 10% off a refurb lens. Amazon's Canon prices are the same as Canon's list prices.

I think their modern equivalent of the old 28-135 is the Canon EF-S 18-135 (list $600, refurb $440) and EF-S 18-200 ($700). The 28-135 was a full frame lens on my 1.6 EOS body, these are S type lenses so the ranges are quite different. My old 28-125 was equivalent to a 45-200 S lens. After a quick scan of review sites the 18-135 might be the better lens.

So a bit more money but a refurb with a 15% discount isn't too bad.

Would be nice if they still serviced old EF lenses. Maybe they do service old L lenses. Given the time it lasted the discount is nice (esp. on refurb) but not sure it's worth the hassle compared to an Amazon purchase. (If I buy I'll use KenRockwell.com referral link.)

Update: I did end up ordering the 18-135 EF-S as it has had a recent upgrade and sounded generally better than the 18-200 for my uses. So less zoom, but lot more wide angle. I took the 15% discount. Canon didn't want my old lens, only the serial number. They didn't have a refurb in stock.

Canon has the worst voice routing system I've used in years -- I had to keep repeating "representative" and on one attempt was booted off with a tedious and even condescending dialog. The automated system couldn't handle lenses.

Sunday, February 02, 2020

My advice for managing online credentials

I wrote this up for a book project on special needs iPhone users (Explorers), but it's also my recommendation for non-geek iPhone users. Credential management is definitely an unsolved problem ...


Every Explorer online identity involves, at the least, a “username” for the Explorer, a password and either an iOS app name or a web address (URL). Most online identities also require an email address for communication, password resets and (alas) marketing. They may now require a mobile number and the answers to “secret questions”. All of this information makes up an online “credential”; but we often use the word “password” as a shorthand for the whole bundle.

It’s hard to manage online credentials. I’m pretty technical, but I still find it a tough problem. Lots of people get locked out of their online services and need to do password resets or even start over with a new account. One day I think Apple will provide a full solution[1], but to date they’ve been reluctant to take this on. 

The good news is that most Explorers can get by with maybe 10-30 credentials and they don’t need to know most of them (more on this below). The key is to use as few online services as possible. Remember, every online service is another credential to manage!

I’m going to suggest three-and-a-half ways a Guide can manage an Explorer’s credentials. Each has advantages and disadvantages. For all of them I have two strongly held recommendations about passwords:

  1. Don’t reuse passwords for these important sites. If a password is captured (happens!) it becomes part of hacker libraries and will be applied to other Explorer accounts.
  2. Don’t follow the usual advice to create long random passwords. You’ll go insane trying to tap them out on an iPhone when you can’t see the password characters. Instead combine random pronounceable words, letters and symbols that you can tap. The password should be at least 14 characters. Flip through a dictionary to pick words randomly. This is good enough. You aren’t protecting nuclear launch codes.

Option One: Pencil and Paper

You may remember being told not to write down credentials on paper. That’s like the old advice to treat back pain with bed rest. We were wrong when we said that. Writing credentials on paper and saving them with your home paperwork is super secure. That’s what hard core security geeks do.

This does require good handwriting, but it works for a small number of credentials assuming you follow my password advice. If you need the credentials when you travel you can take a photo and keep it with your personal iPhone photos (be careful not to share it though!).

You do need a backup! You could copy by hand and mail the copy to a trusted friend. In theory public photocopiers are not secure, so I’d say just take a photo and keep it in your iCloud photos (not shared).

Option Two: Use an iCloud Secure Note on a Guide’s iPhone

I recommend this for the passwords my Explorers manage for themselves. An iCloud Secure Note is protected by both your iPhone’s unlock passcode and by a special Secure Note password. The iOS User Guide explains how to create a Secure Note.

An iCloud Secure Note is automatically backed up and you can review old versions of the note. It can also be shared with an Explorer who is able to manage their own credentials.

This method is less secure than paper and pencil but is also less work — and you can copy/paste passwords from the Note rather than type them on iPhone, Mac, or a web browser[2].

The main risk of this method is accidentally deleting your credentials! Be sure to print out the Note periodically and store the paper copy at home. You can also restore a prior version but this is less reliable. Just print.

Option Three: Use 1Password or another reputable password manager

This is what most computer experts recommend, but true security experts are more cautious. When you use a password manager you are placing a great amount of trust in the vendor. There are so many ways a password manager vendor could steal credentials. Even if a vendor is honest and technically skilled, their products can be acquired by someone less scrupulous.

Of all password managers 1Password is most often recommended for the iPhone. It’s what I use, though I don’t use their Cloud service[3]. The Cloud service is obligatory for most people though, and it costs about $40 a year.

If you’re just managing a few Explorer credentials Paper and Pencil is simpler than a password manager and definitely more secure. If you use a password manager for your own credentials then it may be a good place to store an Explorer’s credentials.

Option Three and a half: Use Apple’s semi-secret password manager

Apple would take over credential management for their customers. It hasn’t happened yet, but they have partial solutions. You can use part of Apple’s solution if you have enabled Keychain in Settings:Apple ID:iCloud and you’ve accepted Safari’s offer to save web site passwords. Just say “Hey, Siri, show me my passwords”. You can also go to Settings:Passwords & Accounts and tap on “Website & App Passwords”.

Another part of Apple’s solution is “Sign in with Apple”. Apple wants iOS apps to support this and there’s a way for web sites to use it as well. This method never shows a password, it works with Face ID or Touch ID[4].

Both of these solutions are a work in progress. We will know Apple is serious if they create a separate App for managing credentials instead of hiding things away in Settings. Not all iOS apps store credentials in the keychain and “Sign in with Apple” is just beginning.

They are convenient for web sites and apps that aren’t important enough to be properly tracked. Just let the iPhone suggest a password and then forget about it. The iPhone will manage the password and if something goes wrong nothing much is lost.

These three-and-a-half options cover Guide management of Explorer credentials. In my next section I’ll go over which credentials an Explorer will need to manage themselves and how to transition from Guide management to independent management.


[1] Apple has a partial solution for web sites but nothing for passwords entered in apps and elsewhere. Their long-term solution is called “Sign In with Apple” but it’s unclear if it will succeed or how serious Apple is about this.

[2] Browsers are not very secure though, so viewing readable passwords in a web browser is not ideal.

[3] 1Password still supports an old local storage method. It requires a very technical user to set up, it’s not well supported any more, and it’s not super reliable.

[4] Since Apple doesn’t support a guest/parent/Guide Face ID this could block Guide support for an app or site. More on this in the final chapter on political action!

Saturday, January 04, 2020

Apple's Family: The many surprises of creating an Apple ID with age 13 or under

(You can skip the rant to get to the tech details)

<rant>I frequently berate Apple for the radioactive-feces-infested-dumpster-fire that they’ve built out of Family Sharing and Parental Controls / Screen Time / Restrictions [1] … but my latest experience has added a note of sympathy for the engineers who offend Tim Cook and are HR assigned to work on this prior to leaving Apple.

Apple has built something insanely complicated. The intersection of user interfaces, regional rules and restrictions, content licensing, DRM, functional requirements, iOS, macOS, iCloud, sync, multiple OS versions … heck, there are probably time zones in there too. At this point they might as well give up and throw a neural network at it.

Whatever your day job, be grateful this isn’t what you work on.

Things are almost as bad on the consumer side. There’s a reason I seem to be the only person alive trying to make remote Screen Time work. (It’s a book project, I don’t have a choice.) With some effort I’ve come up with practical recommendations for caregivers (example) — but they assume the software actually functions. In practice I have run into a wide range of bugs and weirdness, particularly since iOS 13 was released.</rant>

Among the many complications Apple contends with are rules about how many devices and how many users can be a part of a Family for the purposes of both DRM management and remote Screen Time. These are poorly documented, but as best I can tell the limit is 5 family members and somewhere around 10 devices (it’s not clear how multi-user accounts on macOS are treated or Apple TV). Our family has five members so we’re pretty much at the limit and I think we’re at the absolute device limit as well.

I say “think” because it’s not clear that there are error messages, I think things simply break.

So the baseline situation is pretty bad, even before one runs into bugs with handing down devices between family members.

I made things worse though. For a book project I added a test account — sphone4all@icloud.com. That pushed us up to six family members and probably hit or exceeded our device limit. Since my test phone is an iPhone 6 [2] it can’t upgrade to iOS 13 and is no longer useful for the book project. So I decided to try to remove it.

That’s where my next set of problems began. I’d made the mistake of creating the book account with an “age” less than 13. Ages are important in Apple’s Screen Time world. Basically:

Age 18 or more: independence, controls stop working, can purchase ad lib, can be Organizer. (Basically at age 18 you need to remove children from Family.)

Age 13: non-vulnerable status but subject to controls, cannot be Organizer. Age 13-18 is the range for Screen Time and content sharing. If you are the caregiver for a vulnerable adult (ex: cognitive disability) and need Screen Time support you need to periodically adjust their birthdate so they are over 13 and under 18. (We need legislation so Apple supports cognitive disabilities the way they support visual disabilities.)

Age 12 or less: vulnerable status. See below for the special rules.

I’d blundered by creating an iCloud ID for a “child” account with a current age of < 13. These vulnerable user accounts are special:

  • They cannot be deleted by users. Only Apple can remove them. They can only be shifted between Family Organizers (supports divorce, parental death, remarriage, etc). If a child should die, the grieving parents will need to work with Apple support.
  • The birthdates cannot be changed. (Of course.)
  • Since they cannot be deleted the Organizer iCloud ID they are associated with cannot become a non-Family ID.
  • Since the Organizer ID must stay a Family ID the payment method cannot be removed from it.

That last bullet point is important. It’s a bit weird, but Apple documents how to create an Apple ID that doesn’t have a payment method. You can use it to buy free apps and tunes.

You can’t, however, turn that Apple ID into a family organizer:

If you're the family organizer for a Family Sharing group and want to share purchases with your family, you're required to have at least one payment method on file. A payment method is also required to set up accounts for children.

If you have an Apple ID like that, and you try to make it a Family Organizer in macOS Mojave iCloud despite the warning, you’ll get this helpful error message:


“There was an unexpected error”. Yeah, Apple was serious about that “requires a credit card” warning, they just didn’t code the error handler response for those who ignored it. I figured given the kludgy workaround Apple documented that the warning was obsolete. Wrong.

Why does Family Sharing require a payment method? I suspect Apple’s hacked together back ends can’t prevent some purchases even when there’s no payment method — and Apple doesn't want to get stuck with the tab. Another possibility is that it’s needed as part of Organizer identity tracing in case a vulnerable child family member is at risk.

So, what do you do when you have too many kids and you need to dump one that’s under 13?

The only recourse, short of phoning Apple support, is to create another full Apple ID (age over 18), make it a Family Organizer, and transfer the sub-13 to that “Organizer”. You need hardware to create a full Apple ID, but if you have a Mac you can do it just by adding a system user. I did that to upgrade a limited Apple ID I’d created long ago to a full Apple ID. I then tried to use this fake parent/Organizer without a payment method, which is how I got the “unexpected error”.

After I added a real payment method and confirmed iTunes could see the account change I tried to again make that Apple ID the Organizer for a new family. This took a while. At first the macOS Mojave iCloud Preference Pane would simply display a blank window. After about five minutes it worked. I presume a back end system got updated.

From there I hopped through the transfer process between the macOS account for my new Organizer Apple ID and my iPhone that currently managed my faux 11yo. Some of the screens I saw are illustrative:

I got an error message during the process saying the request had expired, but it went through anyway. I think I got that errant error message because I backed up a screen to do a screenshot. Yeah, this stuff is fragile.

So it appears for now that I’ve moved my fake 11yo from my true Family to a new fake Family where it will sit for another 2 years. Then it will turn 13 and I can vaporize it (I’ve created a future task :-) and then I can remove the payment method for the fake Organizer.

Once I get my strength up I may try to contact Support about some of the other problems with our Family Screen Time, like that handed down device still stuck to my daughter’s account (or I can just wait until she’s 18 and exits).

Now I need some Scotch, but it’s still a bit early here ...

- fn-

[1] Extending the existing Family Sharing to enable remote Screen Time management was a fatal error.

[2] The iPhone 6 can’t move beyond iOS 12, but Apple is still supporting iOS 12 on it, and since iOS 12 is superior to 13 in several ways the 6 is arguably now a better phone than the 6s.

See also: