Google's two factor: Three weeks later

I implemented Google's two factor authentication about three weeks ago. It's mostly working, but there are a few issues:

1. Application-specific passwords are risky.
2. You can't de-authorize a computer from Google Accounts.
3. Authentication isn't working quite right with Google.app on the iPhone.
4. I've had to create more application-specific passwords than I'd expected

The big positive is that with two-factor and https I'm now willing to connect with an untrusted machine. By untrusted I machine a machine that has a reasonable chance of hosting a keystroke logger. That means any machine running XP and any machine I don't control. My work laptop, for example, is doubly untrusted.

A second bonus is that I'm now more comfortable with using my Google account as an OpenID/OAuth server.

The biggest problem is application-specific passwords. They behave like regular passwords, so if a keystroke logger captures the password one it can be used to, say, get access to your email from OS X Mail.app.

You really, really, really do not want to use an application-specific password on an untrusted machine. Google should provide more warning about their use. I use them on my iPhone and and my home Mac.

Use of application-specific passwords on an iPhone is a PITA. You can't generate these from an iPhone and they're a nuisance to type in. I've stored one in the encrypted 1Password database I use on my iPhone for reuse only on that device. (I'm taking this risk since if my iPhone is stolen and the 1Password database is hacked I'm in a world of pain anyway.)

Having this password on my iPhone is particularly important because Google.app's current behavior is obnoxious. In my case I entered a application-specific password and authenticated. Subsequently other iPhone Google App references (example desktop shortcut to Google Reader) requested a Google account password, not an Authenticator password and not an application-specific password. Every two weeks or so, however, Google.app makes me enter a NEW application-specific password.

The second shortcoming is that there doesn't seem to be a way to easily de-authorize a computer. When you first connect to a Google account from a new machine you're asked to enter your Google password [1]. Then, if you're using Authenticator.app, you're asked to enter your Authenticator token. At that point, if the machine authenticates, there's an option to authorize it for a month.

There should be a way to reverse that decision from your Google account. For example - what if the machine is lost? What if, as in my case, you make that choice from an untrusted machine and decide it was a bad idea? (In theory deleting cookies will undo this, but, perhaps due to user error, that didn't work for me. Of course that also requires physical control of the machine.) For now, be careful to only "authorize" your primary, secured, non-portable, home machine.

Lastly I've found I needed around 8-14 application-specific passwords, even when I reuse one - such as for IMAP and SMTP authentication from OS X Mail.app. There's no way around this one -- I use a lot of Google services from many devices and accounts.

Overall I'm pleased with Google's two factor authentication. They've given it a lot of thought, and I love that they've open sourced key parts of the infrastructure. We needed this years ago, but I'm grateful to have it at all.

[1] At that point, on a keystroke logger infected machine, your Google password is public knowledge. That's why I was willing to simplify my Google password. I now assume it is public, though I obviously haven't made it public.

See also:

• Implementing Google's two factor authentication
• Google's two factor authentication and why you need four OpenID accounts
• Firesheep, sidejacking, and SSH Tunneling with DreamHost
• Google's flawed security checklist -- and the right fix from Facebook

Bing and Parental Controls - worse than Google

Google's parental controls are pretty feeble, though there's a roundabout way to lock filtering to the most severe setting.

What about Microsoft's Bing? Bing starts out with one significant advantage -- the connections are not https encrypted so OS X domain filtering actually works.

Alas Bing's controls seem even weaker (emphases mine) ...

Block explicit websites

... Ensure that SafeSearch is always on when your kids search on Bing, choose what they see online, set time limits and game restrictions, and more. Windows users can install the free download, Windows Live Family Safety....

Ensure SafeSearch is on, I presume, by standing over your favorite teen! [3]

Interestingly in 2009 Microsoft had a better approach to parental controls ...

Bing Modified To Enable Porn Filtering - CBS News

... , "explicit images and video content will now be coming from a separate single domain, explicit.bing.net...

... Almost all third-party filtering tools can be configured to block specific domains or sites, as can the parental controls in Microsoft Vista and Mac OS X...

After this 2009 press release however, Microsoft removed all references to explicit.bing.net [1]. I wasn't able to find any explanation of what happened to it. [2]

My own tests suggest Microsoft really did abandon this scheme. The domain 'explicit.bing.net' brings up the usual bing interface, so the domain still exists, but there's no longer any redirecting to this domain. For example, a search on "Hot Babes" with OS X Parental Controls blocking explicit.bing.net brought up an impressive array of high resolution images.

Without the ability to lock Bing's parental control settings, and with the inexplicable demise of explicit.bing.net, Bing manages to come in 2nd behind Google's parental controls. The one advantage of Bing is that the lack of https encryption makes it easier to track pages visited.

[1] Either that or their feeble Blog search doesn't work with Safari. Microsoft is falling apart almost as fast as it grew to power.
[2] I wonder if corporate lawyers advise against attempting to do parental controls. Microsoft probably has less liability if they do nothing than if they provide an imperfect solution. 
[3] Though it doesn't help OS X users like me, Windows Live Family Safety sounds relatively useful.

Stuck in Apple's photo management Limbo

I suspect there aren't many of us stuck in Apple's photo management Limbo. Maybe a few hundred geeks. Perhaps we should develop a secret handshake?

We are early iPhoto adopters who have our images distributed across several Libraries. Sometimes we did this deliberately because iPhoto was pretty wimpy in the old days; it couldn't handle large numbers of images. At other times Library multiplication was the result of travel or partnerships (ex: marriage).

We, the Lost, would like to put all the images together in one place. Once upon a time we thought Apple would add Library import to iPhoto, but about four years ago we realized that wasn't going to happen. Since then some of us have used iPhoto Library Manager to merge iPhoto Libraries but others are too chicken.

For years we thought we might join libraries in Aperture, or that Apple would create an 'iPhoto Pro' with Library management. By this time price had become irrelevant, but instead Aperture languished.

More recently Apple reinvested in Aperture, and dropped the price dramatically ($80 via App Store). It is clearly intended to be iPhoto Pro. iPhoto itself is becoming simpler and losing features.

The problem is, Aperture 3 doesn't really import iPhoto Libraries. Yes, I know it claims to do it. I know many people say it works. Wrong both times. The import process has not only been buggy in the worst possible way (indetectable loss of very valued data), it can't work correctly. Aperture 3.x doesn't even have a place to store some of iPhoto's metadata, such as comments on events. In other cases Aperture 3 does have a place to store iPhoto metadata but, astoundingly, the import process ignores this.

So we're in Limbo. Even if Apple tries to fix Aperture, it might be years before they succeed. I have a bad feeling they won't bother -- there aren't enough geeks like me. Most of us own Aperture anyway.

I'm guessing I'll have to stay with iPhoto and use IPLM's merge feature. I'll be approaching that with the same enthusiasm as juggling antimatter. Merging iPhoto's monstrous data structure would be a hard problem even if Apple tried to help ...

Elder Pad update: My mother's iPad continued

This post updates a prior article: Grandma's iPad - A user guide and review.

My son and I just spent a few days with my elderly parents. My mother's macular degeneration and rheumatoid arthritis continue their slow inexorable progress.  She is no longer able to use her Mac Mini, it's now primarily a sync service for her iPod, an image server, and perhaps a facetime connector [2][3].

She remains thrilled with her iPad, despite a need for a skill refresher [1]. I've just completed the OS 4 update; the added complexity of multitasking was offset by improved usability features we really wanted. Here's what I learned ...

• The big accessibility news with iOS 4 is really large font support for Mail (!), Contacts, and Notes. It's not perfect -- only parts of the UI are updated, but it's particularly well done with Mail. Mail messages now support scaling with finger gestures -- I'm pretty sure that's new.
• She never did get the hang of Voice Over and the triple tap to toggle VoiceOver. So we've switched to using the three finger double tap and three finger zoomed-image-scroll. It's probably my imagination, but it seems more readable than it once was. The UI for adjusting the zoom level is a bit occult -- triple double tap but hold on the 2nd tap and scroll 3 fingers up/down. She seems ok withe the adjustment I set.
• I turned scroll lock on, fixing it in landscape view. She liked the orientation swap -- but it introduces complexity. In some cases UIs change. I think a single UI set will help.
• I'm experimenting with putting some TV show episodes on her iPad.
• I wish I could turn off the rearrange / wiggling feature. It's a usability pain in the ass.
• Whatever happened to Retina-display friendly apps that were supposed to scale so well? Facebook.app sucks at double res an iPad and I thought it was retina display friendly.

These are the apps she uses -- they're all on Page 1. I've found very few third party apps worthwhile for her:

• Mail
• iPod
• Photos
• WeatherHD
• iBooks: still not using much, but maybe someday.
• Web page links saved as home screen icons (All support pinch/zoom)
  • BBC International
  • Montreal Gazette
  • Home page I made for her: links to family blog, British Royal Family news
  • Facebook: Most marginal web environment - way too complex
• Friendly: New. Not sure it's worthwhile. Does have scalable fonts, but wish I could turn off many of the features. Too many places to get lost.
• Checkers iPad (Paid app)
• Real Solitaire HD (Paid app, no ads)
• Virtuoso: 3 finger double tap can be tricky here.
• Videos: Until today I didn't realize that's where iTunes purchased TV shows and movies go. More useable than the iPod app.

These are embedded apps she doesn't use (all on page 2): Safari (uses via the web page links), App Store, iTunes, Game Center, Calendar, Maps, YouTube.

I'd love to buy more elder-friendly apps for her, but this is a largely untapped market [4]. So far Apple does the best, and even their best isn't so great.

[1] If she lived closer to me I'm sure she'd be a wizard at it, but she tends to lose skills since I'm not around to reinforce them.
[2] Upgrading to 10.6, which required a drive upgrade, cost us the mini's optical drive. Tip: If you take a apart a used Mini, keep the #$$$ dust out of the exposed drive slot.
[3] I've set Facetime to autoanswer, She has a lovely Logitech Pro webcam. We'll see how well this works, too early to report on.
[4] A tough market to reach. No interest to advertisers, has trouble buying software/apps, tends to have a limited lifespan as an active user. (A minimally-demented 75 yo geek is not in this market.)

See also:

• FaceTime: AutoAnswer, URL, desktop 1 click call
• iPad user guide: accessibility and more
• iPad for low vision elderly
• Gordon's Notes: Low vision iPad: Make the iPhone UI an option

Being the bug: Things I learned upgrading my mother's Mac Mini

...Sometimes you're the windshield
Sometimes you're the bug...
Mary Chapin Carpenter

I followed the iFixt directions to Install a Mac mini Model A1176 Hard Drive; now my Mother's Mini has more capacity and is clunk-free too.. I boosted the memory to 2GB as well; that's easy to do on the way to a drive replacement.. Blew out a tone of dust when I had the top off.

The last was probably my downfall ...

"seemed to succeed - until I discovered my optical drive had broken. Disks do not mount, after some tries they eject. There was a LOT of dust inside my Mini, I think some got in the optical drive. A cleaning DVD and compressed gas didn't fix it. I wonder if it would be wise to seal the opening to the optical drive -- certainly before cleaning...

The Super Drives in this model of Mini have a high failure rate. I'm not sure how to replace it, but I'll find out.

I wanted to get my mother's machine to 10.6 so I could try auto-answer Facetime with her, so I persisted. Along the way I learned ...

1. DVD sharing didn't work. I have no idea why. The 10.5.8 Mini couldn't see the Snow Leopard disk in my MacBook.
2. Putting the MacBook into Target Mode (firewire link) let the Mini see the drive, but Snowie wouldn't install.
3. Putting the Mini into Target Mode with 10.6 in the MacBook DVD worked ... until it froze. I have a hunch a locked user 'Applications' folder on my mother's mini [1] caused the installer to hang when it was all but done. This locked up both machines. I had to power cycle the Mini -- to my surprise it came up ok. I hand repaired the locked folder issue. My MacBook was stuck with a white screen; I had to restart it and hold down the mouse key to force eject the Snowie install disk (install disks are special - they don't pop out on restart).
4. iFixIt understates repair difficulty (I knew that from my iPhone repair).
5. At least if you're using MobileMe as your Facetime "address" you don't need Facetime running for it to answer.
6. Facetime is less reliable than I'd thought; at her home it failed frequently in testing.

[1] So she couldn't accidentally edit the folder.

Update 4/23/11: The replacement for this drive is ... nothing. Nobody sells replacements at anything like a reasonable price. Bugger.

Update 4/27/11: Mayer of iFixit provided a list of substitute drives:

Just about any 12.7 mm ATA/IDE/PATA drive will work. So before you spend the bucks decide what capabilities will meet your needs. Here's one that iFixit has: 12.7 mm PATA 8x SuperDrive (UJ-85J)

Here are some that will work:

• 661-3887 24x combo
• 661-3888 4x super drive
• 661-4442 24x combo
• 661-4421 8x super drive

As of April 2011 the $90 iFixit drive is one of the few I can find, they have 1 left. SATA has replaced IDE.

Bing maps: it's great to have an alternative when Google is unreliable

Google Maps is flailing tonight. Slow to load, pretty much worthless. Of course nothing on their status page, but I'm used to that.

I about gave up, then I remembered there's an alternative. I tried Bing Maps. It's been a while. Bing maps were always good, but they've gotten even better. Very impressive.

Google better get their reliability up a bit ...

Implementing Google's two factor authentication

I've been planning to switch to Google's two factor authentication once it was a few months old (time for bug fixing), so James Fallows recent experiences only confirmed my schedule. Interestingly he's not the only recent victim. I assume, based on my personal experience, James' wife was the victim of a keystroke logger infection (was she using a Mac client?) or password reuse.
It worked pretty much as per my notes. Google's setup process takes about 15 minutes, including installing the authenticator app on your iPhone or Android device (other phones get SMS authentication). A few things to note ...

• Emily pointed out that I need to add two factor recovery directions to our password database, so if I become abruptly dead or incapacitated she knows how to get my stuff. In particular I will put the backup verification codes into a piece of paper she has access to.
• I needed application-specific passwords created for OS X Mail, iOS Mail, Google Voice iPhone, Reeder.app, Spanning Sync (forgot that one) and probably a few more.
• It is a nuisance to enter the generated 16 character app-specific passwords on the iPhone -- but the white space feature is very nice. Would be great if the Authenticator app on the iPhone could handle assigning app-specific passwords. Google.app on my iPhone works with two factor; when I tried entering an application specific password it told me to use my two factor password. Just like my desktop, it can be configured to "remember me" for 30 days. (If you lose a device, you have to get access to Google to remove its credentials).
• I don't think you can copy paste the numeric codes to from Authenticator.app to Google.app. You have to load into short term memory and tap them in.

Two factor authentication means I'm willing to enter Google credentials on relatively untrusted machines (given https encryption). That means ...

• Whatever password I enter on those machines will be public (that is a keystroke logger will catch it sooner or later). So there's no sense using a complex or difficult to type password. The main value of the password is to protect me when my phone is lost. I've reverted to an easy to type password that I expect will become "public". In other words, a Level I password.
• I can now stop using the Google App identity I setup to facilitate access to shared resources from insecure machines (such as corporate/office laptops)
• As per Google's recommendations, I carry the verification codes in my wallet. I also have a printed set Emily can access.

See also:

• Gordon's Tech: RIP Password - Google's two factor authentication (2/2011 - how it works)
• Gordon's Tech: My Google (gmail) account is hacked - by ductus.com (9/2010)
• Gordon's Tech: After the Gmail hack - passwords and security (9/2010)
• Gordon's Tech: Google hack lessons - where the geek risks are (9/2010)
• Gordon's Notes: Google's two factor authentication and why you need four OpenID accounts (9/2010 - where we're going)
• Gordon's Notes: Thunder in the Cloud: Lessons from my hacked Google Account (9/2010) - most comprehensive post

Update 4/18/11: I've found a hole in the system. You can set any computer to save 2nd factor authentication for up to 1 month, but you can't revoke this remotely and there's no UI to undo the change locally. Since the extended authorization cert is saved as a cookie, you need to delete cookies on the machine to re-enable Authenticator requests. So you should really reserve extended authentication for trusted machines. A corporate laptop, for example, should not be considered a trusted machine.

Update 5/1/11: I'm surprised how often I need to generate a single use application specific key. For example, I just had to do one for the Google's iPhoto PIcasa image uploader. I'm up to about 13 of 'em. Bit of a pain really. I've contemplated storing one for general reuse in my password database but haven't done that yet.

Update 7/4/11: I still rely on two-step verification, but Google needs to do a lot more work on this.

Update 9/8/11: I rethink it all.

Google Fail: The Google Video download options

Google is terminating old content on mine on two services.

They're terminating pre-Google Blogger accounts that haven't migrated and they're terminating Google Video data. For various reasons I've data in both places.

Must be time from spring cleaning.

Personally, I don't mind losing the data. I'll say good-bye to the Google Video data; for one thing I don't think YouTube has the privacy controls GV had. I'm disappointed, however, with the way Google is doing this ...

... On April 29, 2011, videos that have been uploaded to Google Video will no longer be available for playback. We’ve added a Download button to the video status page, so you can download any video content you want to save. If you don’t want to download your content, you don’t need to do anything. (The Download feature will be disabled after May 13, 2011.)

We encourage you to move to your content to YouTube if you haven’t done so already...

.. Once a video has been downloaded, “Already Downloaded” will appear next to the Download Video link.

If you have many videos on Google Video, you may need to use the paging controls located on the bottom right of the page to access them all.

The classy approach would have been to provide a one click transfer from GV to YouTube.

Remember this as you migrate to the cloud.

Adding events to Google Calendar: generating quick add statements

Some parts of Google Calendar are pretty cool. Event import ain't one of 'em. I've gotten CSV import to work, but it's more than ugly. It's dumb [4]. Worst of all, if you make a mistake you can hose your calendar. There's event undo, but not import undo [1].

So when I had to enter 15 games from my son's calendar, I tried typing them in. That got tedious fast. I'm no good at data entry; I get bored. I make too many mistakes.

Instead I tried a middle-ground that worked pretty well. I dumped the event list into Numbers.app [2], then I wrote a simple Concatenate function [3] to construct Quick Add friendly statements like:

Baseball: LINWOOD MONROE - HIGHLAND PARK at HIGHLAND PARK on May 17, 2011 at 4:15 PM for 2 hours

I then pasted the statements into Quick Add one after the other [4]. Unfortunately Quick Add doesn't allow one to specify a target calendar, so they all went into my personal calendar. I had to do a search on "Baseball: " to find them all, then edit each one to move it to the shared family calendar. Even with that quirk it was relatively painless to enter data this way.

Which says something about how bad CSV import is!

[1] I though I'd read that Google was introducing a rollback option for calendars, but I can't find it. Must have been my imagination. 
[2] I bought it on the app store for a pittance, and I'm getting quite fond of it.  The font display is surprisingly bad, but that's not unusual in OS X (Mac Classic fonts were better, and Win 7 is best). Where it bests Excel is layout -- you can put as many table/spreadsheets on the work surface as you want.
[3] This doesn't work very well in Excel. In Excel a reference to date produces a date serial number in Concatenate. I believe this is a defect, and it's probably as old as time. I'm glad Numbers.app goes its own way. The function looked like this: =CONCATENATE("Baseball: ",E3," at ",F3," on ", C3 ," at ",D3," for 2 hours")
[4] A smart import function would use quick add style NLP to process any number of lines into events, then it would allow a user to correct the list, then it would import. With an undo option of course.

Picasa web albums and color management

[See the updates at end. My initial impression was based on dated material.]

I finally consolidated my images with Google's Picasa web albums: Migrating images from SmugMug to Google's Picasa image store - Lessons in data lock and business models.

It was a painful process.

After i was done I reviewed my newer images. They don't look nearly as good as they should. In particular they looked better on SmugMug.

Turns out Picasa web albums don't support color management (ICC, colorsync, etc). (See also - all these discussions get "closed to new replies" pretty quickly.)

Please cover your ears while I scream.

Ok, you can uncover now.

I used to use sRGB profiles, so the lack of color management was less apparent -- even with Mac/PC gamma issues (newer Macs quietly converted to PC Gamma). Now I use Adobe RGB color profiles, and I get to see how badly Picasa's color management sucks.

Sometimes you just can't win. I've started a newer thread on the online help forum, but I doubt there's any good news. I wonder if I'm going to have do my own image sharing and give up on the online services.

Update: A google support tech tells us that Picasa Web Albums will use the colorsync profiles of images uploaded with Picasa 3.8. I've a question pending on whether this is also true for Google's

Update 4/5/11: More from Google ...

Uploading via the Picasa Web Uploader should also preserve your color profile, and I tested this with Firefox 4 and Safari 5 on Snow Leopard and it's looking good on my end. Photos 1600 pixels or smaller are still color managed, but their thumbnails currently aren't (to help decrease load times)

Update 4/9/11:

your color profile is also preserved on photos 1600 pixels or smaller, but the thumbnails for these smaller photos (when you're on your album page, not a photo page) don't preserve your color profile. This only affects thumbnail previews, not the actual photos themselves.

If I understand this correctly, Picasa now preserves color profiles. Thumbnails for images smaller than 1600 pixels displayed on an album page are not color managed (how would the browser manage conflicting directions from hundreds of images?). A photo page should always use the preserved color profile.

See also:

• Mac OS X v10.6: About gamma 2.2: "Some images that do not contain color profiles might appear darker in Mac OS X v10.6 than they did in earlier versions of Mac OS X.  Adding the sRGB IEC61966-2.1 profile or Adobe RGB (1998) profile to these images lets them display correctly."
• Gordon's Tech: Smugmug: just use sRGB and be happy
• John's Digital Photography Page - color profiles (old)

Migrating images from SmugMug to Google's Picasa image store - Lessons in data lock and business models

Life is fractal. That is, sampled at scales small and large, it resembles itself. Sometimes I think this is profound, especially when looking at smoke rings of galaxies, but maybe I'm just having flashbacks.

So you don't need to spend 15 years in healthcare IT to understand why progress is slow. You only need experience migrating an address book between a PalmOS device to a Windows platform to OS X to Google Contacts (see also: synchronization is hell). That will tell you everything you need to know.

Similarly you don't need to be a corporate CEO to understand the strategic role of switching costs. It's very easy to switch between Subaru and Honda, not so easy to change checking accounts or move from Microsoft Office to Google Docs. Business strategies differ [2]; though this is never discussed in the sycophantic business book business. You only need to look at moving photo libraries from SmugMug to Picasa Web Albums [1] to learn this.

I am doing this now, and it's an interesting process. As expected, the switching costs are high. In most cases it's not worth the bother; if you have the original collections in iPhoto or a similar app it's best to abandon the old image libraries and start over. I'll explain first what you can move and what you can't, and what the implications are.

What you can move

• SmugMug will bundle all images into a single archive, hosted on Amazon's S3 servers, and allow download. This is commendable, and better than many vendors offer.

What you can't export from SmugMug (what you lose)

• Original file names.
• All metadata other than what's embedded in EXIF files (so you do get the image acquisition dates).
• Any titles, comments, notes.

This data lock story has interesting implications:

1. If you have the original albums/libraries in iPhoto/Aperture then you usually don't want to bother migrating albums. (In my case I have them, but for a few albums it's marginally more convenient for me to download and upload again even without metadata.
2. SmugMug is minimally useful for offsite image backup. Images without metadata are better than nothing, but you should not consider SmugMug to be any kind of alternative to image backup.
3. If you ever edit annotations online, then you deepen your data lock. Nobody, not even Google, allows export of this kind of metadata (likes, commentary, etc.). The business advantage of  "social," and "Cloud services" comes from the high switching costs created by data lock.

Fortune 500 corporation or photo hobbyist, fractal life means lessons are easy to learn.

[1] Why am I moving? SmugMug decided years ago not to invest in OS X support. I gave them a few years, but then I reluctantly migrated my newer images to Picasa web albums, which had significantly better OS X (and later mobile) support. Now, in the interests of simplifying my online life, I am consolidating and giving up my old collections.

FWIW, here's why I would start with Picasa today, though a professional photographer would certainly prefer SmugMug. My decision has nothing to do with price, SmugMug is $30 a year and if I promoted SmugMug I'd probably pay nothing (referral fees). In fact, since Google charges differently for storage, they might be marginally more costly.

1. Google's data freedom policy (data liberation team) is enough by itself to make my decision. Google supports full data sync, including metadata, to a cross platform app. No other vendor does this.
2. SmugMug's lack of support for metadata export means it's not a supplemental backup store. Google's data freedom means it is.
3. SmugMug has wisely focused on the professional photographer, but that means most of their services aren't useful for me.
4. SmugMug is vastly better for printing images, photo merchandise etc. I print about 3 images a year.
5. Picasa has far better OS X integration, though Apple is no help here.
6. Google's image sharing interface is easier for my mother to use.
7. I need to simplify my technological life. That means Google and Apple for me -- the right balance of coopetition. Between the two of them I get what I need.
8. I am very annoyed that SmugMug auto-renews my account, and offers only immediate cancellation rather than a non-renewal option.

[2] Companies with captive customers face terrible temptations, companies with mobile customers have different temptations. Think of the relationship between divorce laws and the status of women.

Update 3/26/11: I downloaded a few albums, but it was pretty tedious to connect what I downloaded to the album names shows in SmugMug. I have the originals, so I focused on a few albums for a group where I probably didn't keep every original. The rest I vaporized. One less vendor to deal with.

See also:

• Gordon's Notes: smugmug review: full res image sharing and photo printing (4/2004 - when I first became a customer. Back then my tech posts were in Gordon's Notes.)
• Gordon's Tech: Smugmug: just use sRGB and be happy (1/2006). Today we're still struggling with color profiles, but I with Windows 7, IE 9, Chrome, Safari and 10.6 maybe we're slowly getting to what we expected around 1998.)
• Gordon's Tech: SmugMug + PictureSync vs. Google Picasa Web Albums (9/2006). I thought SmugMug's future was limited. Wrong -- they seem healthy still! They found a paying market in professional photographers, and they took full advantage of high switching costs.
• Gordon's Notes: The rise of software rental (aka software as service) (2/2010). Another perspective on switching costs.
• Gordon's Notes: Cloud data: Should I trust (Simplenote) Simperium? (8/2010). Low switching costs make Simperium trustworthy if you assume all the data is public. Low switching costs make for honest and relatively ethical companies. This is, incidentally, why geeks love Dropbox.
• Gordon's Notes: Google has a Data Liberation team (3/2009). More than anything Google says, and more than anything else they have ever done, this has been their most important non-evil act.
• Gordon's Tech: Evernote's import/export test (updated) (7/2008). Evernote is better now, but I have not returned to study them. For them the data lock temptation must be irresistible.
• Gordon's Tech: data lock: All of my Gordon's Tech 'data lock' tagged posts.
• Gordon's Notes: data lock: All of my Gordon's Notes 'data lock' tagged posts. (Yes, I think data lock is interesting!)

Why cropping an 18 megapixel image isn't as good as an adequate telephoto

An 18 megapixel image has twice the data as an 9 megapixel image.

So does that mean a 135 mm telephoto and an 18 megapixel sensor can do as well as a 270mm telephoto and a 9 megapixel image?

No.

Why not?

Because when you crop the 18 megapixel image, and double the apparent size, you also double the image noise.

Blogger's text editor: I make another plea for a rational approach to paragraph formatting

It took considerable restraint for me to write this so politely.

Please stop using div tags to define paragraphs - Blogger Help

My blogs start around 2002, when Blogger used carriage returns to delimit paragraphs. They extend through the time that Blogger used <br> tags with or without hidden carriage returns.

These days, with either the "new" or legacy editor, it's unclear to me what Blogger does. I only know that when I use MarsEdit, Ecto or the native editor I see pairs of div tags. This causes a mess. Depending on which editor I use paragraphs vanish or spacing doubles. If I open older posts with the editors I get no paragraph spacing.

If I go into preferences I see:

"If Yes is selected, single hard-returns entered in the Post Editor will be replaced with single <br /> tags in your blog, and two hard-returns will be replaced with two tags (<br /><br />))."

Of course br tags are no longer used, so this language is simply wrong. If set it to "No" my old posts format incorrectly. To put it mildly, this is a mess.

I would like Blogger to use tags to, you know, delimit paragraphs. I would like Blogger to convert older posts to use <p> tags. Please Blogger, stop using <div> and <br> to define paragraphs, it's not what they're made for.

It's hopeless (yes, I've tried changing templates). Alas, I don't think there's really any way to move my blogs and keep any sort of reasonable formatting across 5,300 or so posts.

See also:

• Blogger's 3 year paragraph debacle - the case of universal line break conversion (10/2010). There have been years of complaints, until most everyone who cares has moved to WordPress. (Spammers don't care.)
• Gordon's Tech: Migrating from Blogger to WordPress - a guide

How I made Gmail and OS X 10.6 Mail.app into a grumpily married couple

There's no way to make Gmail and OS X Mail.app [1] into a happily married couple.

The Google Label (very shallow acyclic graph) vs. IMAP Folders (tree, single inheritance) models cannot be reconciled. If you use Gmail as an OS X Mail.app IMAP server, messages with multiple labels (Inbox, All Mail, Baseball, Work, etc) will be replicated in OS X. A single Gmail message may produce several OS X messages; Label-crazed geeks may find dozens of duplicates. Searches are a mess.

I'm happy to say, however, that I have found a way to make this dysfunctional couple settle down. I used How to make Gmail work well with Mail | Macworld as a guide. It claims too much, but the advice is still useful.

If you follow the articles advice, however, you will lose all your email archives from Mail.app; they will be only on Gmail. I inverted the advice. Using the advanced IMAP controls I turned off IMAP sync for all labels except for these four:

• Inbox
• Drafts
• All Mail
• Trash

This means that my tagging/organization pseudo-folders exist only on Google. None of that is exposed to OS X, the Google "labels" are gone [1]. On the other hand, I still have Spotlight Search and Smart Mailboxes, and my only duplicates are with All Mail and Inbox/Priority Inbox:

These duplicates go away when I move mail from Inbox to All Mail (archive).

Note I don't see the Sent folder (that would create All Mail/Sent folder dupes), but I have no use for the separate Sent folder (I can recreate an equivalent with Smart Search). I prefer the All Mail folder.  I don't bother exposing my Gmail Spam label/folder -- it's immense.

I followed most of the rest of the articles advice. Turns out I wasn't saving OS X Mail.app Sent messages on the server -- I thought I was.

With this configuration Mail.app looks like this:

It ain't a match made in heaven, but it's no longer Hell. Purgatory maybe. Maybe Apple will fix this in Lion?  [1]

[1] The fix is to stop treating Gmail tags as folders, and treat them as, you know, tags. Then support tags in Mail.app and use smart search to create additional derived folders. Who files email any more anyway? I stopped doing that years ago, and it's added years to my life. (By the way, I give a great lecture on email management.)

Update 3/17/2011: Alas, I can’t seem to eliminate the Sent folder. Even though I have the Label turned off on Gmail’s advanced IMAP control, it still produces dupes with the All mail folder. This is a more annoying problem than the small number of dupes in the All Mail folder. Maybe I need to move all my email from Gmail’s “Sent” folder to a new label.

Digital cameras plateau - from my 2005 XT to my 2011 T2i

I bought my Canon G2 in October 2002 [1] and my Digital Rebel XT in Nov 2005. A few days ago I picked up the Canon Digital Rebel T2i (550D) body for $650, about $150 less the minimally improved T3i (same sensor, same processor, some improvements for videographers).

I'm happy with my purchase, though it's not the camera I've been waiting for. I've been waiting for a 12 megapixel camera that could produce quality images at ISO 3200. Instead I got an 18 megapixel camera that can produce quality images at ISO 1600 and occasionally useful images at ISO 3200. I gave up when I saw the paltry improvements from the Canon T2i to the T3i. It feels like digital photography is nearing the limits of current imaging technology; I decided I wouldn't gain much by waiting another year. So my daughter got the XT and I got the T2i instead of the T3i.

Progress is nice, but there are worse things than living with a dSLR that can take good pictures at ISO 1600 and that, after I crop, effectively doubles my image stabilized zoom range. The technology plateau means I'll get more years from my purchase;  it might be 8-10 years before I switch to the MILC future. Although this technology halt isn't all bad for me, for Canon it must be very bad. For camera shops, who've struggling to stay alive in the post-film era [2], this may be a terminal arrest.

I won't bother with a full review of this 1 year old device; there are many good reviews of this camera, as usual Amazon's amateur reviews are among the best. I was surprised by how familiar it is; it feels very much like my six year old XT -- which is quite fine with me. I've never understood complaints that the Rebel body was "too small" -- I have large hands and it feels great to me. The shutter feels softer with less vibration. Of course the video is all new, but the manual focus in video mode makes it a poor fit for many settings [3].

As with the old XT, there are many features of the camera that are aimed at the "JPEG" photographer. Several of these are new, such as ways to manage dust spots, to adjust dynamic range, etc. Similarly there are several features for image management and printing from the camera. None of this interests me. I photograph RAW, review and edit in Aperture 3, then save JPEGs to iPhoto for archiving [4].

The new "Quick" menu and the "auto ISO" are good additions. I live having easy access to the ISO button. On the other hand, I'm seriously bummed that Cannon sacrificed my exposure "meter" control (weighted, average, etc) in favor of the 'picture style'  control. (For "Picture Style" I use Portrait, because it uses a 'level 2' sharpening and no other camera mods. I might drop to 'level 1' sharpening or Neutral/Faithful style -- let Aperture do the rest. Still experimenting.)

The biggest change, other than image quality and light sensitivity (yay) is the SD card. It works with SDHC, SDXC or SD. For video work a "class 6" card is required. I bought a Transcend Class 10 SDHC 16GB for about $24 or so. It is a fine size for me; 300 images use about half the card. Individual RAW images are about 28-30 MB each, the JPEG produced after cropping and processing is about 2.8 to 4.4 MB.

As to the images, they are rather fine. I don't think the T2i's ISO 1600 images are quite as good as the XT's ISO 400 images, but they are much better than the XT's ISO 800 images. The T2i's ISO 3200 images resemble the XT's ISO 800 -- meaning they're only for desperate times. I didn't try ISO 6400, those would have to be grayscale only (so an option, but not for color.) The images do stress my monitors; they don't look nearly as good on my old Dell as on my 27". Curious.

Aperture 3 on my 8GB iMac 5i does well with individual images; I think the GBs of RAM are coming in handy.

Good camera, I'm loving being able to take hockey pictures at 1/125!

[1] I boxed it up recently and left it, with a note at the office. It found a home within minutes!
[2] I visited National Camera with a friend today. The retail display included darkroom gear and a wide variety of picture frames; much of the floor space was film and print focused. 
[3] The T3i has a Canon G2 style flip out LCD, which is handy for tripod videography. If I do any video with this camera though, I'm likely to be handholding. There is one major point in the dSLR's favor though -- unlike the mad zoomers of today's dedicated camcorders the T2i has many affordable wide angle lenses. 
[4] Crazy eh? There's a method to this. If Apple ever provided a true upgrade path from iPhoto to Aperture I'd archive in Aperture, but I'd still archive JPEG and delete the RAW originals. I'm much more interested in image longevity than small quality improvements. After an initial adjustment in Aperture (esp. dynamic range) the JPEG gives me enough room to tweak as needed.

See also:

• Digital cameras 2011-2017 (12/2010 - my predictions. The MILC will rule the high end market by 2017).
• Gordon's Tech: Time to switch to Nikon? (1/2008)
• Gordon's Tech: Nikon has Canon in a headlock ... (1/2008)
• Gordon's Tech: New Canon Digital Rebel: light sensitivity yes! (2/2005 marketers claimed the 350D could shoot at ISO 1600. In reality, results about ISO 400 were very poor)
• Gordon's Tech: Gordon's Digital Rebel XT review (11/2005 - I bought the 350D)