Sunday, April 14, 2013

App.net - using Duerig's custom RSS feed to see only root posts from selected people

[See update below, Jonathon has revised his stream generator so you don't need to look up the userid any more.]

I enjoy app.net. I like the conversations, but I particularly like the 'root' or initial posts shared by a few of my followed appnetizens. Problem is, these posts are lost in the streams of the app.net clients I use - Felix (iOS), Kiwi or Wedge (OS X), and Alpha or NoodleApp (web). They are mixed with replies and conversations. Current app.net client UIs aren't a great fit for how I'd like to follow folks; they are best suited to recreational engagement. Thanks to Jonathon Duerig (@duerig), there's a better option. He's providing a special RSS feed that accepts parameters. For example, here's mine:

http://jonathonduerig.com/my-rss-stream/rss.php?user=6172&replies=0&directed=1

In this example

  • 6172 is my app.net userid (I was #6,172 to sign up)
  • replies=0 means I see only root posts, not replies
  • directed=1 (just include this, don't ask why) [2].

To find the userid you can mouseover the official (shows all activity) RSS feed icon on alpha.app.net profile pages, like https://alpha.app.net/johngordon. It shows the userid. I've created feeds for several people who I particularly like to follow, and put those feeds into a Google Reader folder called App.net [1]. Now that Duerig has also removed an unnecessary username prefix from each post, the results display very well indeed. Each post comes with a link to alpha.app.net, so I can respond easily in that environment. It's really quite elegant, and should be an inspiration for app.net app builders. I'm looking forward to more like this; Duerig will probably move this to a custom domain and tidy it a bit. For now I've put the feed URL into my Profile Bio to make it easier for others to copy.

[1] I haven't settled on a Reader replacement yet, I'll start doing serious testing in May. I do want folders. [2] Duerig: "A directed post is a post beginning with a mention ... to anyone. .. the concept of a directed post is immensely confusing ... Just do replies=0 vs. replies=1 and you will be happy."

Update 6/30/2013: Duerig has a new format with new header and the ability to use a username instead of a user ID. For example:

rss-app.net/rss.php?user=@duerig&replies=0&directed=1 

I used a list of usernames scraped from the display of people I follow, and Numbers.app concatenate [2], to generate this list of feeds which I've been tediously [3] copy pasting into Feedbin. The current list is below, sorted by name [5]. 

This functionality makes app.net far more interesting for me. I really think it needs to be part of the API, a variation of stream. So we'd have two independent streams:

  • Twitter-style conversational stream: see all posts by members of follow list.
  • Prime stream: "Root" posts stream - akin to news, item share

For some people I want to follow conversations, for others just their initial item share, for others both streams. So these are independent.

Currently I do stream 1 from Kiwi/App.net/Felix, stream 2 from Reeder/Feedbin/ReadKit [4].

- ffn -

[2] Numbers.app can't export as tab delimited, which tells one a lot about iWork. It also "escapes" quotes in CSV fashion when you copy to clipboard, so they're all doubled. Not a problem with this exercise, but very annoying when I tried to create OPML XML entries. iWork, not Apple TV, is a hobby.
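The feed-URL recipe from the top of the post and the OPML attempt in this footnote, as an added example that is not part of the post or of Duerig's service: a small shell script that builds the "root posts only" URL for each username and wraps a list of usernames into an OPML file, escaping the ampersands that XML attributes cannot hold raw (the likely reason hand-built OPML entries misbehave). It assumes the rss-app.net URL format shown above with an http:// scheme prepended; the username list in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not from the post or from Duerig's rss-app.net service):
# build the per-user "root posts only" feed URL and wrap a list of usernames
# into an OPML document a feed reader can import in one go.
# Assumption: rss-app.net/rss.php accepts user=@name&replies=0&directed=1,
# as the post shows; the http:// scheme is added here.

FEED_BASE="http://rss-app.net/rss.php"

# Feed URL for one username (with or without the leading @).
feed_url() {
    name="${1#@}"
    printf '%s?user=@%s&replies=0&directed=1\n' "$FEED_BASE" "$name"
}

# Escape the five characters that may not appear raw inside an XML
# attribute. Feed URLs contain '&', which must become '&amp;' in OPML;
# left raw, the file is not well-formed and strict importers reject it.
xml_attr_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Read usernames from stdin (one per line; blank lines and '#' comments are
# ignored) and print a complete OPML 2.0 document on stdout. Duplicates are
# dropped so a scraped follow list does not yield the same feed twice.
opml_from_users() {   # $1 = OPML title (optional)
    title="${1:-App.net root posts}"
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<opml version="2.0">\n'
    printf '  <head><title>%s</title></head>\n  <body>\n' "$(xml_attr_escape "$title")"
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | sed 's/^@//' | sort -u |
    while IFS= read -r name; do
        url=$(xml_attr_escape "$(feed_url "$name")")
        printf '    <outline type="rss" text="@%s" xmlUrl="%s"/>\n' \
            "$(xml_attr_escape "$name")" "$url"
    done
    printf '  </body>\n</opml>\n'
}

# Usage (constructed input): printf '@duerig\n@gruber\n' | opml_from_users "App.net" > appnet.opml
```

The resulting file imports as one folder of feeds, which is the part Feedbin's UI makes tedious by hand.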

[3] Feedbin has performance and reliability issues, especially on adding feeds, but those are improving. What's killing me is the extremely limited UI for manipulating feeds - review, sort, revise names, remove, tag. It doesn't scale past 25 or so feeds; I'm over 300. If this doesn't get fixed in the next few weeks I'm gonna have to try something else.

[4] ReadKit is promising but obviously in an early state for consuming Feedbin, etc.

[5] Full list -- if your name isn't on here don't worry, I'm building it out. See [3].

(I had to add bullets due to a longstanding Blogger/MarsEdit formatting bug.)

  • rss-app.net/rss.php?user=@adamlcox&replies=0&directed=1
  • rss-app.net/rss.php?user=@adrianus&replies=0&directed=1
  • rss-app.net/rss.php?user=@annatarkov&replies=0&directed=1
  • rss-app.net/rss.php?user=@benubois&replies=0&directed=1
  • rss-app.net/rss.php?user=@billkunz&replies=0&directed=1
  • rss-app.net/rss.php?user=@clarkgoble&replies=0&directed=1
  • rss-app.net/rss.php?user=@dalton&replies=0&directed=1
  • rss-app.net/rss.php?user=@danfrakes&replies=0&directed=1
  • rss-app.net/rss.php?user=@danielgenser&replies=0&directed=1
  • rss-app.net/rss.php?user=@darnell&replies=0&directed=1
  • rss-app.net/rss.php?user=@duerig&replies=0&directed=1
  • rss-app.net/rss.php?user=@erikschmidt&replies=0&directed=1
  • rss-app.net/rss.php?user=@fields&replies=0&directed=1
  • rss-app.net/rss.php?user=@glennf&replies=0&directed=1
  • rss-app.net/rss.php?user=@gruber&replies=0&directed=1
  • rss-app.net/rss.php?user=@jdalrymple&replies=0&directed=1
  • rss-app.net/rss.php?user=@johngordon&replies=0&directed=1
  • rss-app.net/rss.php?user=@marcozehe&replies=0&directed=1
  • rss-app.net/rss.php?user=@martinsteiger&replies=0&directed=1
  • rss-app.net/rss.php?user=@mfitz&replies=0&directed=1
  • rss-app.net/rss.php?user=@mvp&replies=0&directed=1
  • rss-app.net/rss.php?user=@prometheus&replies=0&directed=1
  • rss-app.net/rss.php?user=@rikishiama&replies=0&directed=1
  • rss-app.net/rss.php?user=@reederapp&replies=0&directed=1
  • rss-app.net/rss.php?user=@brentsimmons&replies=0&directed=1
  • rss-app.net/rss.php?user=@siracusa&replies=0&directed=1
  • rss-app.net/rss.php?user=@sirshannon&replies=0&directed=1
  • rss-app.net/rss.php?user=@snipergirl&replies=0&directed=1
  • rss-app.net/rss.php?user=@spacekatgal&replies=0&directed=1
  • rss-app.net/rss.php?user=@teawithcarl&replies=0&directed=1
  • rss-app.net/rss.php?user=@thomasbrand&replies=0&directed=1
  • rss-app.net/rss.php?user=@treestman&replies=0&directed=1
  • rss-app.net/rss.php?user=@voidfiles&replies=0&directed=1
  • rss-app.net/rss.php?user=@wickedgood&replies=0&directed=1
  • rss-app.net/rss.php?user=@xwordy&replies=0&directed=1

Saturday, April 13, 2013

WordPress attack - lessons from my personal security review

This week there's a brute force password attack on WordPress sites. That inspired my own security review; here are a few things I learned doing it:

  • I again appreciated the FileMaker database I've used since 1997 to track my net credentials. I dump data from it to a now dated version of 1Password, but it's hard to beat the ease of searching and editing my own repository. It lives on an encrypted disk image on my local machine.
  • It's easy to end up with orphan WordPress instances. I have one on Wordpress.com and two on my Dreamhost account, but I only use http://www.kateva.org/sh/. It archives my Pinboard/App.net shares; one day, if I figure out how to do it, I may append my old Google Reader shares (json).
  • I had a strong password on the wordpress.com account, but only pretty-good on my other two, and they had the same pw. I upped both to very strong but still typable. I will have to review how IFTTT connects to kateva.org/sh -- obviously there are big security risks with many uses of IFTTT.
  • I'd been keeping my WordPress blog software current (Dreamhost makes that easy!) but not the plug-ins and themes.
  • I'd changed a theme on one blog recently, and today I learned it didn't include a log-in link! I was briefly shut out, but a bit of web research turned up kateva.org/sh/wp-admin.

The most important thing I learned is that it's not trivial to safely delete a self-hosted WordPress blog. Yikes! No wonder there are lots of vulnerable old blogs lying around for the taking. WordPress.com blogs have a delete tool, but not self-hosted sites. Things can get nasty here -- two WordPress blogs can share the same database, so deletion must be done carefully. Reading some Google hits, this is a very unsolved problem with lots of confusion.
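An added example, not from the post: before deleting or updating anything, take an inventory of every self-hosted WordPress install under a hosting account's directory tree. For each wp-config.php found, the script reports the WordPress version, the database and table prefix it uses, and the plugins and themes present (the orphan-instance and stale-plugin problems above), and it flags databases used by more than one install, which is the case where dropping a database to "delete" one blog destroys another. The directory layout and config lines it parses are the standard WordPress ones; the sample tree in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the post: inventory self-hosted WordPress installs
# under a directory tree and flag shared databases. Assumes the standard
# layout (wp-config.php at the root, wp-includes/version.php, wp-content/).

# Value of a define('KEY', 'value') line in wp-config.php.
wp_define() {   # $1 = wp-config.php, $2 = KEY
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# The table prefix is a plain PHP assignment, not a define().
wp_prefix() {   # $1 = wp-config.php
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# WordPress version from wp-includes/version.php ($wp_version = '3.5.1';).
wp_version() {   # $1 = install root
    sed -n "s/^[[:space:]]*[\$]wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# One line per install: root|version|db_host/db_name|prefix|plugins|themes
wp_inventory() {   # $1 = directory to scan
    find "$1" -name wp-config.php -type f 2>/dev/null | sort | while IFS= read -r cfg; do
        root=$(dirname "$cfg")
        plugins=$(ls "$root/wp-content/plugins" 2>/dev/null | grep -v '^index.php$' | tr '\n' ',' | sed 's/,$//')
        themes=$(ls "$root/wp-content/themes" 2>/dev/null | grep -v '^index.php$' | tr '\n' ',' | sed 's/,$//')
        printf '%s|%s|%s/%s|%s|%s|%s\n' "$root" "$(wp_version "$root")" \
            "$(wp_define "$cfg" DB_HOST)" "$(wp_define "$cfg" DB_NAME)" \
            "$(wp_prefix "$cfg")" "$plugins" "$themes"
    done
}

# Databases used by more than one install. Removing one of these blogs
# means deleting only its own prefix's tables, never dropping the database.
wp_shared_databases() {   # $1 = directory to scan
    wp_inventory "$1" | cut -d'|' -f3 | sort | uniq -d
}

# Usage (constructed path): wp_inventory "$HOME/sites"; wp_shared_databases "$HOME/sites"
```

Installs with an empty version (no wp-includes/version.php) or no plugins directory are usually half-deleted remnants and are worth a closer look.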

We need a fix, WordPress.org, and we need it very soon. Dreamhost, you could help too.

Sunday, March 17, 2013

Google Reader: More like this

Sad moment in the last days of Google Reader -- I'd forgotten about the 'more like this' item in the Folder Settings (and Feed Settings) dropdown ...

[Screenshot, 2013-03-17: the Google Reader Folder Settings dropdown with 'more like this']

Note the Translation services, and ability to create a 'bundle' (shareable set of feeds made of all the feeds contained in the Folder).

There's so much in Google Reader that most users never saw.

Saturday, March 16, 2013

Today's Aperture bugs: Empty Projects, Repeated Facebook Albums (Bonus: fixed screensaver)

Aperture gave me two bugs today. Or maybe three.

One I've seen before. I move an Event, Aperture chugs along, and the Event shows no images. There's no way to make them reappear, but if I restart Aperture they're back. It happened several times today, so I ran "Select Repair Database". I don't know if this will help. 

This is, of course, a rather nasty bug. It would be easy to delete a seemingly empty project and lose all of its photos. [1]

My second bug concerned the drop down list of Facebook albums available from the Facebook publish dialog. Each album was repeated 4 or more times. That I fixed by deleting my Facebook account and restoring it.

There's a related Facebook bug, but this one came, I think, with a Facebook change. When publishing to Facebook, Aperture's share settings are ignored. Albums are always private; you have to make them visible from Facebook. This has been broken for months, and Apple hasn't issued a fix, so I suppose it's a joint bug.

[1] Tip: If you configure Aperture to display the number of images in Project you'll at least see that number, even if none of the images can be seen. Still, I do wonder if I've deleted images in the past due to this old bug.

Update 3/17/2013: Subsequently I also ran permissions repair. I can't say whether it was upgrading to 10.8.3 or this work, but my OS X Aperture smart album based screen saver/slideshow has now worked for two days. I think that's a record.

It wasn't obvious at first, but I also discovered 60 thumbnail sized images in the 'Rejected' folder with file names like "4206_76697672461_1778151_n (1).jpg". They are assigned batches of dates that don't match the image date. I was able to find five of them full sized in my Library, so I was reassured that these were truly garbage, and I deleted them.

Clearly the repair process did something.

I've set a reminder in my calendar to do an Aperture database repair every four weeks as a routine preventive measure.

Update 3/21/2013: I think the library database repair MAY have helped my screensaver bug, but it didn't fix the empty folder bug. I just moved a project from one folder to another, and after the move Aperture wouldn't display its images. Again, having the image count display by the Project is a potential lifesaver. Nasty nasty bug.

Friday, March 15, 2013

iOS Contacts search annoyances

There are two things to be aware of about Contacts search in iOS:

  • If you search from Contacts.app iOS will search both person name and business name.
  • If you search from global (spotlight) search iOS will only search one of these, depending on Contact type.

This is sufficiently weird and inconsistent that it may qualify as a bug.

In general search on iOS is "annoying". PalmOS did a much better job in 1997.

Tuesday, March 12, 2013

Mountain Lion Recovery Partition Disk Utility Drive Repair - Unlock the Encrypted Drive with Admin Password

Even after I figured this out I couldn't find Apple's documentation on this. (Yeah, worrisome.)

I first noticed a problem after attempts to run VirtualBox on my 128GB SSD MacBook Air. We first tried a Win7 .vbox and ran into some network issues, then I tried a smaller sized XP .vhd image. The latter worked, though getting VirtualBox to use the .vhd was a bit odd; I think I did better ignoring the few web references I could find and simply telling VB to create a new XP image then selecting the .VHD when asked for drive.

After that process I checked available disk space, and the Finder said I had a 120GB drive with 228GB available.

Uh-oh.

So I ran Disk Utility and found I had about 58GB free but my drive was corrupted due to "incorrect number of file hard links". DU told me to boot into the ML Recovery Partition and run Disk Repair.

When I did that though, my OS drive appeared grayed out. I could see other non-gray items I could "repair" but that did nothing.

So why was it grayed out?

My guess was encryption. Even so, Google was no help. I did see that the Disk Utility toolbar had a new icon however, one called, I think, Unlock. I clicked on it and was invited to enter a password -- but not, curiously, a user name. I entered my admin pw and that worked. (This smells like a security hole btw -- not asking the un is weird. I suspect I could have turned off File Vault encryption first and avoided this mystery.)

After I did that my system drive was no longer grayed out. I ran Disk Utility repair and it said the drive was better; I ran verification twice to check.

On restart, however the Finder still has the wrong amount of Free Space -- though now Disk Utility says the drive is fine.

So I'm not entirely happy. But at least I've documented how Disk Utility Unlock works from the recovery partition.

Update: The VirtualBox VHD thinks it has a 127GB hard drive. Disk Utility says I have 69GB free. I'm suspicious that a hard link in the Virtual Box is messing up the Finder, but I can't find anything on this...

Tools for diagramming and sketching on Windows


Windows is a broken and barren desert of malware and spyware, but I still need to work in it. Alas, I can't switch at work (yet).

So, when I'm looking for better ways to diagram and sketch, I can't choose from the rich world of Mac alternatives, much less from iOS tools. I need something that will work on Windows -- or on a web platform our corporate software doesn't block (alas, Evernote).

I'm working on my options, but fwiw here's a list I'm assembling. I'll update it with whatever I like, while striking out those I've considered and eliminated.

Windows 
  • OneNote 2010: popular, but tied to Office
  • SnagIt Editor
  • PowerPoint: Too awkward to just use for diagrams.
  • Visio: Expensive, clumsy, overpowered, relearning curve with infrequent use.
Web
Mac/Win

Apple's iCloud control panel enables iCloud Contacts within corporate Outlook

iCloud support is limited to relatively new Macs able to at least run Lion. Practically speaking, Mountain Lion.

Apple is kinder to the Windows world. The iCloud Control Panel will run on Outlook 2007 or later on any old OS.

I suppose they don't have the same sales incentives on the Windows platform. In any event, it seems to work very much like the old MobileMe Control Panel, at least when it comes to Contacts. I installed it on a Win 7 laptop running Outlook 2007 that syncs to Exchange Server and I now have full access to my iPhone/Mac Contacts.

It works by creating a new account, separate from the Exchange account. There are few install options -- you have to sync Calendar, Contacts and Reminders (but not Notes). Just like MobileMe [2] (I suspect some shared code). It also creates an IMAP account.

I had some glitches on installation and had to fiddle with restarting both the Control Panel and Outlook 2007, but now it seems stable. I didn't want the IMAP service so I canceled out of the credentials prompt and deleted the IMAP account.

There's no way to turn off Reminders, so I now sync my iPhone reminders in some puzzling ways -- basically via ActiveSync/Exchange for one set of reminders, via this method for the iCloud set. Weird.

Contacts is what I was interested in and it seems to work. Since Outlook allows only one Group per Contact, and iCloud allows many [1] there are potential problems related to Group assignment. In the case of MobileMe this didn't seem to break anything.

It's great to have all my Contacts at hand, and to be able to quickly add to them. As an extra bennie, I get to use Outlook's Contact views. They are old and complex, but they are far more powerful than anything Apple gives me.

[1] Group relationships are kind of messed up between iOS and OS X, but Apple has bigger problems.
[2] At one time MobileMe Control Panel could work with Outlook/Exchange, but then it couldn't -- which made things hard. This version can, perhaps because it creates a new local account.

Sunday, March 10, 2013

Aperture: You can drag and drop Inspector attributes (fields, metadata labels) to rearrange their sort order

I discovered this by accident. Once I discovered it, I did find a bit of documentation. In the Help file, under "rearrange the metadata fields in a metadata view" it says you can drag the metadata labels around to change their sort order - like this:

[Screenshot, 2013-03-10: dragging metadata labels in an Aperture Inspector metadata view]

I've long been annoyed by the default field order, but I had no idea I could fix it.

This helps.

Damn, but I do miss iPhoto's ability to click and quickly edit version names.

Tuesday, February 26, 2013

Mountain Lion sharing and permissions: two things I didn't know

Didn't know, or forgot:

  • If you option click the permissions add icon, you can add permissions for System and the like but not Wheel.
  • The Groups defined in Contacts can be used to add permissions to sets of users. I think that's probably as old as OS X, but I forget it. It's odd because Apple seems otherwise to have forgotten Contact Groups exist. I wonder how it works ...

Saturday, February 23, 2013

Executing sudo as a non-admin user in macOS (OS X) and fixing "getcwd: cannot access parent directories" error

This is a weird one.

According to what I read online and in the Man pages, I should also be able to do something like this (where Fred is Admin account):
sudo -u Fred ls
That should ask for Fred's password then execute ls with Fred's privileges.

Except it doesn't. It runs against my non-admin account and fails. As though it were ignoring the -u flag. Instead I have to run
su Fred
to execute as Fred, then run sudo. [I think that su Fred sudo -u Fred ls should also work.]

I can't find anyone else who complains about this, so I assume I'm doing something wrong.
Note: to test this you have to run from a non-admin account.

Update 8/23/2016: I can't get sudo to work at all in El Capitan for non-admin users. Says: "error retrieving current directory: getcwd: cannot access parent directories: Permission denied."

Update 5/27/2018: I finally tried this in a different non-admin account. It works in Sierra in other accounts. So it wasn't El Capitan that broke this, it was something I did to my 18yo user account.

This is what I would see:
John-Air:~ myaccontname $ su Kateva
Password:
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Permission denied
bash-3.2$ ls
ls: .: Permission denied
bash-3.2$
I searched around SuperUser for a while and got some hints. I deleted every user account Bash preference I could find. That didn't do anything. I repaired MacOS Sierra permissions using Onyx.app -- but as with every other time I've repaired permissions that produced many changes but no results. (It doesn't act on user folders.)

Eventually I realized the most likely explanation was the simplest one -- I'd somehow messed up permissions on the default directory for Bash. By experimenting on my "good" non-admin user account I realized Bash's default directory is the user account's home folder. So I compared user account permissions and found this:



The problem directory was readable by 'everyone' but not by 'staff'. You'd think that 'everyone' would work ... but read this and weep. macOS permissions are a disaster. Don't even think about ACLs. It's a sign of the end-times really.

I couldn't see how to restore Staff. In the old days there was a utility for this, but that's long gone. Somewhere I found this advice to restore staff:
sudo chown $UID:staff /path/to/folder/modified/
chmod 755 !$   # a folder needs the execute (search) bit to be entered; 644 would strip it
I ran it and staff was restored. When I logged back into my user account I was told macOS had to do something to enable me to run Applications! I entered my admin credentials and was asked again ... and again ... then I gave up and logged out. I logged back in and things .... seemed ... fine.

Now su works as it should.
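An added example, not from the post: a shell check for the failure mode above. The "getcwd: cannot access parent directories" message appears when a shell starts in a directory it is not permitted to search, so the functions below report whether a home folder is owned by the expected group ('staff' on macOS) and whether that group has both read and search (x) permission, then repair it with chgrp and chmod g+rx rather than a fixed mode that could clobber the owner's bits. The directory and group are parameters; the temporary directory in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not from the post: check and repair the group permissions a
# home folder needs for the owner's shell to start in it. Works on macOS
# and Linux by reading the ls(1) mode string rather than stat(1) flags,
# which differ between the two.

# 10-character mode string of a path, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Group portion of the mode, e.g. "r-x"
group_bits() {
    mode_of "$1" | cut -c5-7
}

# Return 0 when the directory belongs to the given group and that group has
# both read and search permission; otherwise explain why and return 1.
check_home_perms() {   # $1 = directory, $2 = expected group (default: staff)
    dir=$1; want=${2:-staff}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    have=$(ls -ld "$dir" | awk '{print $4}')
    bits=$(group_bits "$dir")
    status=0
    if [ "$have" != "$want" ]; then
        echo "$dir: group is '$have', expected '$want'"; status=1
    fi
    case $bits in
        r?x) ;;
        *) echo "$dir: group bits are '$bits', need read and search (r-x)"; status=1 ;;
    esac
    return $status
}

# Repair: restore the group and grant it read+search without touching the
# owner's or everyone's bits. Needs root (sudo, or su to an admin account
# first) when run on another user's home folder.
fix_home_perms() {   # $1 = directory, $2 = group (default: staff)
    chgrp "${2:-staff}" "$1" && chmod g+rx "$1"
}

# Usage (constructed path): check_home_perms /Users/someuser staff || fix_home_perms /Users/someuser staff
```

Run the check from a working account against the problem account's home folder; the output names the exact mismatch, which beats eyeballing Get Info panels.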

Facebook's parental monitor page - aka Activity Log

For the moment, until the next state mandated revision, Facebook has a Page I can use to track #1 son's Facebook activity with a URL of the form <https://www.facebook.com/first_name.last_name.2345/allactivity>. [3]

It's currently called the 'Activity Log', if you poke around you can currently find it under 'Privacy Shortcuts' (lock icon by user name in title bar) / "See More Settings" / "Privacy". Look under "Privacy Settings and Tools" for the wee link 'Use Activity Log' [6].

As far as I know it's not intended for this purpose [4]; it's designed for users to edit their visible timeline [1]. It does, however, list most of the account owner's activity, save pages visited. There's a long list of activities including Posts, tags, hidden posts, likes, comments, friends, games, following, and, most critically for this purpose, Search. [2]

So the Activity Log is a very valuable resource for a parent or guardian who wants to track their 13+ [4] child, either because this is an exceedingly good idea or because they are that kind of parent or both [5]. A parent might, for example, schedule a weekly review of the Activity Log...

 - fn -

[1] You can hide and delete posts and change post dates. It's also available for Pages and supports viewing scheduled posts.

[2] It doesn't, however, show pages visited by link. It is, incidentally, a nice summary of a fraction of the information Facebook uses to sell you.

[3] Activity Log came with timeline, but I was unaware of it until today. It's available on Facebook.app for iOS as well.

[4] But it may be designed for this purpose. Facebook wants to support accounts for children under 13 and this could be a part of any future support.

[5] If you can't figure out why this might be a good idea for some children and adults you have much to learn.

[6] Yes, that's mine - but if you can see it then I have a problem :-).

See also:

Legal Gmail for kids under and over 13 with Dreamhost Google Apps or Google Apps for Business

In the US, Google Account owners must be over 13, in the Netherlands it's 16 [1]. It's common to lie to get accounts for younger kids, but this can cause an account lockout and 30 day deletion. [2]

So how do kids under 13 get personal email? All services have similar rules.

The exception, of course, is Google Apps for Education. They provide Google services, including calendar and email for children of all ages. The trick is that this group is excluded from Google's predatory business model [3]; the services are paid for and the school district assumes liability.

Is there something similar that's available outside of Education?

Well, there are Google Apps for Business (and non-profits) of course. I was unable to find any age requirements for businesses that buy Google Apps for Business, nor any requirement that the business had to be, you know, a real business. Google isolates business data from its ads and data mining so I expect US laws on protection of children from being packaged and sold do not apply.

At $50/user a year though, Google Apps for Business is a bit dear for a family of 5 (though the phone support is no little thing).

Unfortunately Google Apps for Nonprofits is not an option; you really do have to be a legal nonprofit.

Six years ago our family grandfathered into Google Apps through the now-defunct free option, and those users have since acquired full range of Google Services [4]. Alas, that's not an option any longer.

I think the cheapest legal option is to sign up with a hosting service that provides Google Apps for your registered domain. I can personally recommend Dreamhost for this, based on my 6+ years of experience and the (unusual) fact that they handle Domain registration for their customers [5].

At approximately $100/year ($50 for first year or $97 for two years if you use my code [7]) Dreamhost's Google Apps service for a family of five is less than half the cost of Google Apps for Business -- albeit without phone support. On the other hand, Dreamhost also provides other web services including web hosting, WordPress (ex. kateva.org/sh), web apps, etc [6].

There are other hosting services that provide Google Apps for potential family use, but Dreamhost is the one I know.

 - fn -

[1] YouTube has an 18+ requirement for some videos, and Google Wallet is 18+. I don't believe either one is practically enforceable on most devices; maybe on Android or Chromebook depending on parental controls.

[2] It is noteworthy that Google's requirements for reversing account lockout are much more robust than their account recovery options. This says something about the power of laws and what Google could do to manage identity if they were forced to. The effective workaround is that a parent authorizes a credit card transaction on their own account, thereby technically committing fraud and assuming liability. The liability assumption is what matters.

[3] It's not that Google is particularly evil, this outcome is an inevitable outcome of their business model. They can no more resist this outcome than a species can resist Natural Selection.

[4] Not G+ though. It was once 18+ and is now 13+ regardless of Google Apps.

[5] Most hosting services have another party handle domain registration, and many of those deliver poor service.

[6] Admittedly more of a specialized interest these days.

[7] Just enter KATEVA when asked for a registration code. I set it up so users get the maximal $50/97 discount; I get a kickback but I set my kickback to maximize the user discount. Dreamhost supports Google's multifactor authentication framework, so I authenticate using Authenticator.app on my iPhone.

Friday, February 22, 2013

What I learned from MacWorld's short Aperture tutorial

I got this ref from Clark, one of my favorite tech bloggers. MacWorld's 7-step edit in Aperture 3.4 is the best short Aperture tutorial I've seen.

The article is by Derrick Story; I used to read him religiously but I lost touch with him. He's got quite a few MacWorld articles - but there's no feed. There doesn't appear to be a feed on his personal business site either. [1]

(Pause while we weep silently into our keyboard.)

Maybe I lost touch with him because he developed an allergy to RSS?

In any case, here's a short list of what I learned from his tutorial - despite many months of Aperture use:

  • The control units are called 'bricks'.
  • The White Balance Brick has a drop down for different kinds of white balance (skin tone, temperature, etc). I never $#@ noticed.[2]
  • The relationship between the histogram and the Exposure brick sliders: "Exposure (highlights, right side of the histogram), Black Point (dark tones, left side of the histogram), and Brightness (middle tones). ... Once I set the Exposure and Black Point, I use the Brightness slider to adjust for taste.... always adjust Brightness after Exposure and Black Point."
  • Post brightness move highlights slider to right to recover details. (This never seems to work for me though.)
  • Color tweaking. This has always been a mystery to me. He picks a green 'swatch' then uses eye dropper to pick a green item and adjusts Hue, then tweaks with Saturation and Luminance. (Ok, it's still a mystery.)
  • Definition over Saturation and Vibrancy. I don't know what the differences really are, but I also like Definition most. Nobody seems to use the Contrast slider.
  • When he sharpens Edges he pushes Falloff and Intensity, not Edges. (I'd been doing Edges. Again, no clue.)
  • To see original image push M key (I kind of knew that).

[1] Update: O'Reilly has a feed, but it doesn't include his MacWorld articles.
[2] It was new in 3.3

Java on the Mac is malware - and how to turn ALL of Java on or off as needed.

US-CERT recommends disabling Java in all web browsers on all platforms

... This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment...

They don't mention removing Oracle Java [3] entirely, and they don't specifically address the Mac. By nature, they must be sober and governmental.

I am not so constrained. I can just say ...

DO NOT PUT ORACLE JAVA ON YOUR MAC ANYWHERE, ANYTIME. IT IS MALWARE.

Let me name the ways:

  1. It always installs for all users. You can't install for a single user.
  2. It installs with root privileges in /System/Library, not /Library as it should.
  3. There's no uninstaller for Oracle Java and Oracle's online instructions for manually uninstalling Java 7 only uninstall the browser plugin. Full Oracle Java uninstall requires sudo/root privileges.
  4. The Preference Panel is merely a pointer to Oracle's ugly control panel, and that control panel disregards OS X Admin/User/Managed User controls. Any user can enable Java plug-in. You can't turn off all Java, just the plug-in.
  5. You can disable the Java plug-in in Safari or Chrome, and in Chrome you can use Fretty's brilliant Click to Run Extensions in Chrome tip, but you have to do this for every user on a Mac, and they can all turn it back on regardless of privileges.

Even if we didn't know about Java's global record of frequent security failures, the implementation of Java on Mac reeks of hacks, bad design, and high risk.

This thing is bad, and most recommendations for managing the risks on a Mac are inadequate. There's really no way to make this thing safe even if:

I have to put Java on my MacBook Air for work reasons, but based on what I've learned I'm hunting it down to remove it from every machine at my home. Java-dependent Mac apps are unacceptable (Sorry Crashplan, Fugu, XMind and more).
 
Meanwhile, on my Air, I'm going to see if I can sudo into /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java and rename the Java Folder to Java_DIE to prevent it from running except when I absolutely need it. [1] [2] See Update below.

See also:

[1] su [admin_user_name], sudo mv Java java_die does the rename, but I think I need a permission fix.

[2] via GigaOM: Mac Apps that need java: Minecraft, Runescape, CrashPlan, Illustrator, OpenOffice, NeoOffice, FreeMind, Xmind, Gantt, Vuze, Screenr, Cisco and Juniper VPN Clients.

[3] - added 2/24/2013: I added the word Oracle here, because there's a big difference between Oracle/Sun's Java on the Mac, the Java JRE on the Mac, and the Java language. From a security perspective the language is no worse than most alternatives and better than many. The JRE is problematic because it bypasses the App Store/SignedCode framework that is our current best hope for the future of personal computing, but that's similar to distribution of any software outside of the App Store. The real crime is the installation of the JRE into System with root privileges.

Update 2/23/2013 (rewritten):

I asked on app.net about a way to turn ALL of Java on the Mac on or off as needed. alextrott replied and recommended these terminal commands to enable and disable it (since sudo -u doesn't seem to work on Mountain Lion, if you run from a non-admin account you have to enter "su YourAdminAccountName" first):

disable

  • sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 000 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]

enable:

  • sudo chmod 755 /System/Library/Java/JavaVirtualMachines/
  • sudo chmod 755 /Library/Java/JavaVirtualMachines [on my machine this is unnecessary, there's nothing there]
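The two chmod commands above wrapped in functions, as an added example that is not part of the post or of alextrott's commands: disable, enable, toggle and inspect the JVM folder without retyping the path (a dropped leading slash on the enable command is exactly the kind of slip that leaves Java locked). The folder is a parameter so the functions can be tried on a scratch directory first; the default is the Mountain Lion path quoted above, and changing its mode needs root (sudo, or su to an admin account). The status check reads only the mode bits: root bypasses them entirely, so this stops ordinary users and applications, not a root process.

```shell
#!/bin/sh
# Added example, not from the post: toggle the Java VM folder between
# chmod 000 (disabled) and chmod 755 (enabled). The folder path is an
# argument; the default below is the one the post names.

JVM_DIR_DEFAULT="/System/Library/Java/JavaVirtualMachines"

# "disabled" when no one can read or enter the folder, "enabled" when the
# mode is the normal 755, "partial" for anything in between (e.g. the
# "write only" setting mentioned later in the post), "missing" if absent.
# Mode bits do not bind root, so "disabled" means disabled for users and
# the apps they launch, not for a root process.
java_status() {   # $1 = JVM folder (default: JVM_DIR_DEFAULT)
    dir=${1:-$JVM_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "missing"; return 1; }
    case $(ls -ld "$dir" | cut -c2-10) in
        ---------) echo "disabled" ;;
        rwxr-xr-x) echo "enabled" ;;
        *)         echo "partial" ;;
    esac
}

# chmod 000 and confirm the result, so a typo in the path is caught.
java_disable() {   # $1 = JVM folder
    dir=${1:-$JVM_DIR_DEFAULT}
    chmod 000 "$dir" && [ "$(java_status "$dir")" = "disabled" ]
}

# chmod 755 and confirm the result.
java_enable() {   # $1 = JVM folder
    dir=${1:-$JVM_DIR_DEFAULT}
    chmod 755 "$dir" && [ "$(java_status "$dir")" = "enabled" ]
}

# Flip between the two states and print the new one.
java_toggle() {   # $1 = JVM folder
    dir=${1:-$JVM_DIR_DEFAULT}
    if [ "$(java_status "$dir")" = "disabled" ]; then
        java_enable "$dir"
    else
        java_disable "$dir"
    fi
    java_status "$dir"
}

# Usage on the real folder (as root): java_toggle   # prints "disabled" or "enabled"
```

Because each change is verified by re-reading the mode, the "re-enable failed" situation described next shows up immediately as a non-zero exit instead of a silently unchanged folder.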

Alex tells me he's working on a small Mac app to toggle Java on or off as needed.

When I tried this on my Mac chmod 000 did disable Java. XMind wouldn't run. However my attempt to reenable failed; probably due to user error.

Which was when I realized I could easily do this in the Finder:

Screen Shot 2013 02 23 at 10 55 26 PM

I can set JavaVirtualMachines to allow No Access or Read & Write. With No Access XMind won't run, with Access it will. I put a shortcut to the Java folder on my desktop for easy access to this JVM Folder.

Update 8/29/2013: With Mountain Lion as of 8/2013, if you type 'java' at the command line OS X will download Apple's version of Java 6 and will remove the old preference panel. (It's not supposed to install a browser plugin.) If you go to Oracle's site and install Java 7 you get their preference panel.

Oracle's Java 7 can be uninstalled -- albeit with difficulty. (Plugin is easy to uninstall, Java 7 is not easy.)

Apple's Java 6 cannot be uninstalled. It has permissions like this:

  • system: read & write
  • wheel: read only
  • everyone: read only

Curiously when I unwittingly installed Apple's Java 6 there was no option from a non-admin account to set Privileges to 'No access'. From an admin account I could set to "no access" or "write only" but command line java still ran. So clearly there's much of this I don't understand.