Friday, April 13, 2007

OS X: Creating a "parents only" shared folder

It began innocently enough.

I needed to move the family share off an old XP box and onto our iMac. We needed a Parents-only folder that would be shared on the network and accessible for each Parental-unit on the iMac. Print services are via a networked Brother MFC and the 802.11b/g Airport Extreme, they would not change.

The journey passed through dark places. Along the way I learned:
  • Mac Classic, and Windows 95, 98, ME, NT and 2K, were all better designed for small network file sharing than OS X. I'm not sure even XP Pro isn't better designed than OS X for this particular task. The Users and Groups functionality of Mac Classic is only available in OS X server. (Same thing happened to that function between Windows 98 and XP.)

  • You can't share the Shared Folder. (!) (Unless you use SharePoints, see below.)

  • The NetInfo Manager is largely undocumented and the user interface is broken (are you sure you know what you're deleting? Do you know when there's a confirmation dialog and when there isn't?). (The only documentation I could find was Apple's PDF. [1])

  • The 10.2 edition of David Pogue's Mac OS X The Missing Manual has dangerously incorrect advice for using NetInfo Manager.

  • SharePoints is a bit crude and it's dangerous, but it works well for adding a Parent group. When I donate I'll suggest some UI tweaks. The author's web site has an Amazon donation box.

  • If you want to do this the authorized way you either need to buy OS X server (!) or, maybe, you can buy the new Airport Extreme and a USB share (slow, slow, slow).

This is what I thought I'd do:
  • Create a Group called "parents" and add the two parental users to it using NetInfo Manager per Pogue's explanations
  • Create a folder in the Shared Folder called "Parents" and change the Group access to Parents with read/write privileges.

This is the next best thing I came up with:
  • Created a folder called "Parents" in the Public folder associated with my wife's account on the iMac
  • Used SharePoints to create a Group called "parents" with two user members.
  • Used Get Info to give the group "parents" read/write access to the folder "Parents"

To access Parents I need to authenticate with the iMac using my wife's username and password. That would be a problem if she wanted control over her own password. In that case I'd have to either use SharePoints to create a new common networked share (point) or I'd have to create a new user with a password we could share and make the Public folder read/write.

Ugly.
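
A check for the setup described above (a "Parents" folder with read/write access for a "parents" group of two users), as an added example that is not part of the original post. It reports when the folder's group owner, mode bits or group membership differ from what was intended; the user names and the injectable `lookup` parameter are assumptions for illustration.

```python
import grp
import os
import stat


def audit_shared_folder(path, group, members, lookup=grp.getgrgid):
    """Return a list of findings for a folder meant to be read/write for one group.

    `lookup` maps a numeric gid to an object with gr_name and gr_mem. It is a
    parameter (an assumption of this example) so the check can be exercised
    without creating real accounts.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o070 != 0o070:
        findings.append("group lacks full read/write/search access")
    if mode & 0o007:
        findings.append("folder is accessible to users outside the group")

    entry = lookup(st.st_gid)
    if entry.gr_name != group:
        # Membership of some other group tells us nothing, so stop here.
        findings.append(f"group owner is {entry.gr_name!r}, expected {group!r}")
        return findings

    # gr_mem lists supplementary members only; a user whose primary group is
    # this one will not appear in it.
    listed = set(entry.gr_mem)
    for user in sorted(listed - set(members)):
        findings.append(f"unexpected group member: {user}")
    for user in sorted(set(members) - listed):
        findings.append(f"expected member missing: {user}")
    return findings


if __name__ == "__main__":
    import tempfile
    import types

    # Constructed demo: a temp folder left world-readable and a fake group entry.
    demo = tempfile.mkdtemp()
    os.chmod(demo, 0o775)
    fake = lambda gid: types.SimpleNamespace(gr_name="parents", gr_mem=["mom", "dad", "kid"])
    for finding in audit_shared_folder(demo, "parents", ["mom", "dad"], lookup=fake):
        print(finding)
```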

BTW, here's the problem with the 10.2 edition of David Pogue's Mac OS X The Missing Manual. In that edition he recommends duplicating the Administrator group as the starting point for a new share. The problem is that the Administrator group has some extra attributes associated with it that, I suspect, are used by AFP file sharing. They aren't part of a standard Group created by SharePoints or OS X server. The result is that any user member of the new, derived, group has occult admin privileges. If they try to access a denied folder, they have the right to authenticate as an admin. This is bad. Of course maybe it did work safely in 10.2, I don't have the 10.4 edition of his book. I'll write and ask him if it's been fixed.

[1] I've been reading through the PDF. NetInfo Manager is an antique. It uses sequential integers as user IDs rather than GUIDs (globally unique identifiers) and advises strategies like "reserve range". Brrrr. Reminds me of Disco. I've read blasé responses to Apple's 10.5 shipping delay, but I think the reactions are too complacent. OS X still has one foot firmly stuck in the 1970s, it needs some serious upgrades.

Update 4/14/07: It was nasty to set up (thank you SharePoints), but it is sweet. The Mac clients connect pretty seamlessly to the server, with no sleep/wake connection issues. I enabled SMB sharing for my OS X account (only) and that works very well. Interestingly OS X 10.4.9 Sharing specifies an IP address for the iMac, but while I was playing around with browsing the workgroup from my XP box the server appeared as if by magic. I'm not quite sure how that happened. The iMac shows up as \\BIGMAC\jfaughnan, probably because I'd installed Apple's Bonjour on the XP box. (Note I'd previously set the Mac to use my SMB workgroup name, using the obscure setting in the extraordinarily obscure Directory Access utility.)

Thursday, April 12, 2007

Microsoft OneCare dies: XP hangs by a thread

About seven months ago, when Norton Antivirus came up for renewal, I switched to Windows/Microsoft Live OneCare. I was tired of quality and performance issues with NAV. I figured Microsoft, since they owned the OS, would manage the performance/reliability issues better. I thought Microsoft couldn't screw it up.

Wrong. First, the sign-up process was amazingly buggy. Then, from the first day of use OneCare flagged many benign files as suspicious. More recently an update failure uncovered a disturbing number of red flags. Yesterday, OneCare went over the edge.

I'd seen an update notice when I shut down the day before. When I restarted yesterday morning I received the dreaded "memory could not be read" svchost.exe startup message. This is Microsoft's singularly unhelpful way of saying something is wrong deep in the bowels of the services that underlie XP. In the past it has appeared after I've installed an Office update (due to an egregious and longstanding bug in the Office updater).

This time the problems were deep. I could only use the machine for a few minutes before it became unresponsive. On a power down and restart I couldn't get past the 'applying settings' part of a login, I had to do a soft boot to get further.

I suspected a drive error, but a drive scan was clean. I thought of rolling back to a prior system restore, but I discovered I'd disabled system restore when fixing up an old XP problem and forgotten to restore it. I didn't want to reinstall the OS, so my next step was to try uninstalling badly behaved software.

Two applications were at the top of my list. Windows Live OneCare and Adobe Acrobat Professional (AAP has a famously badly behaved updater). I started with OneCare.

That did the trick. Once I'd uninstalled OneCare every problem went away. I purged Windows Defender for good measure.

I didn't like NAV, so what should I do for antiviral software now?

Well, let's assess the risks. I'm the only user of this machine and my email is filtered by an average of three different layers of antiviral filtering (spamcop, gmail and visi). I don't install any new Windows software of any sort on this machine, I do almost all my work on one of our ultra-reliable trouble-free OS X machines. I have an automated nightly backup system. I use Firefox, not IE. My network is behind two different NAT router/firewalls with different vendors and my wireless network is WPA2 with a strong password.

Screw it. OneCare is a far greater risk to me than the world of viruses and NAV is in the same league. I'm going "bare".

Meanwhile, I'm going to start moving the file sharing function off this old box onto the iMac. I run Parallels/Win2K on my MacBook for the rare Windows app I need (Microsoft Access and a few sundry others); it might be time to donate my one remaining PC and use the MacBook as my desktop.

Update 4/13/07: There's one other bad actor in my software collection -- Dantz (now EMC) Retrospect Professional for Windows. If I had to guess what went badly wrong in my XP install, I would look first at some interaction between Retrospect, OneCare, Microsoft Update and maybe one or two other variables. Mercifully, I don't need to bother pursuing this one any further. Retrospect Pro is the main reason I keep the XP box running, so when I eliminate the box I'll dump Retrospect Pro as well. (EMC, somewhat tardily, has begun offering trial versions of Retrospect. I will test their Retrospect Desktop for OS X network backup product and report on my experiences. I'd hoped to test EMC's mettle by seeing how well and quickly they supported OS X 10.5, but the delay to that release means I'll have to try them on 10.4 instead).

Update 4/21/07: It's one thing to uninstall OneCare, another to kill the OneCare account. The account auto-renews forever. You can't change this online, you have to phone Microsoft to cancel. I tried this tonight. The phone rang a bit, then came a voice .. "Microsoft is closed". Click.

I'll try calling @10am PT Monday. I wonder if there's money in shorting Microsoft ...

Update 4/22/07: OneCare support has the world's most obnoxious hold music. They alternate up-tempo elevator music with two repetitive sales pitches spoken in a cheerfully grating tone. I got to listen to a lot of that today. After a half-hour I went to lunch, when I returned the line had gone dead. So the wait time was probably 40 minutes. I'll try again tomorrow. Has Microsoft imploded?

Update 4/24/07: Waited 30 minutes on hold. Called back and pushed 9,9,9. Got a support-referral person. They suggested I try option 2 for tech support. Got someone there. They said hours for the account services are 5am-10pm M-F PST and 5am-5pm PST Sat/Sun. They also suggested calling Microsoft's Money-Back-Guarantee line at 888-673-8624. They put me through to another tech support number. They said I can't stop the account renewal process without support giving me an "ASIS" number. They transferred me to fee-based technical support where I listened to hold music. Then I gave up. I'll try calling billing at 5am PT tomorrow.

Update 4/25/07: I ignore the "get an ASIS number first" advice and call the billing number again at 8:45am PT. Got through immediately -- but that was a false alarm. I'd hit option 3 twice, and errant key presses bring up a human router. She laughs maniacally when I mention OneCare and sends me back to the accounts line. I decide to wait 10 minutes. After seven minutes of the insanely irritating hold music and repetitive marketing patter I decide Microsoft owes me a copy of Macintosh Office 2007 and I contemplate piratical acts. At minute eight the phone picks up. I'm asked why I want to dump OneCare. "Because it has caused far more damage to my system than any virus I've seen". There are no further questions, and to my disgruntled surprise I get a prorated credit of $32. End of story, except, of course, for a post to Gordon's Notes.

Tuesday, April 10, 2007

Option Airport: find strongest

Again, the option key.
TidBITS: Find Strongest Wi-Fi Networks Easily: "If you hold down the Option key when dropping the AirPort status menu, it lists available networks in order of signal strength, rather than the usual (and useless) alphabetical sort."

Daring Fireball on AAC, MP3 and WMA licensing

DF has the first public comparison of MP3, AAC and WMA licensing fees I've seen. Emphases mine.
Daring Fireball: Some Facts About AAC

... The rights to MP3 in most countries, including the U.S., are held by Thomson Consumer Electronics, and companies must pay them licensing fees for any hardware or software product that plays or encodes MP3 audio. Audio playback in hardware costs $0.75 per unit, for example; encoding costs $1.25 per unit.

... AAC is not “unique” to Apple. It’s not even controlled or invented by Apple, or any other single company. It is an ISO standard that was invented by engineers at Dolby, working with companies like Fraunhofer, Sony, AT&T, and Nokia. Licensing is controlled by Via. For up to 400,000 units per year, AAC playback costs $1.00 per unit; for more than 400,000 units per year, the price drops to $0.74 per unit.

[jf: DF doesn't say what AAC encoding costs ...]

In terms of licensing costs, patents, and openness, AAC is very much comparable to MP3. MP3 does have the advantage of near-ubiquitous support in consumer electronics and software; AAC has the advantage of slightly better audio quality at the same encoding bitrate. Additionally, MP3 requires a royalty fee of 2 percent for “electronic music distribution”, AAC requires no royalty fee for distribution.

... it is true that WMA licensing is significantly cheaper: $0.10 per unit for playback of two or fewer channels of audio, $0.20 per unit for encoding. But WMA is not an industry standard. Unlike AAC, it is controlled by a single company: Microsoft. And in for a penny, in for a pound: once you license WMA audio, you’re also on the hook to Microsoft for licensing fees for Windows Media DRM (if you need support for DRM) and Windows Media Video.

The .DOC (Word) file format made Microsoft, along with extreme (and illegal) ruthlessness (back in the day) and the ability to break Lotus at will. Even in its current, seemingly senile, state I dread the thought of Microsoft owning a music file format. I even get twitchy at them owning HD Photo despite their standardization claims.

Monday, April 09, 2007

FileMaker 8: dumbest software ever?

This is rich.

Imagine you have a FileMaker database that's configured to login using the guest account.

Now create an admin account and reduce guest privileges to read-only.

Exit.

Now you're locked out of the database. It won't ask for a un/pw because it's configured to login using the guest account. You can't change the settings because you don't have access privileges.

Wow. What a rotten piece of junk.

Fortunately I'm geeky enough to try starting up holding down the option key. As I'd guessed, that forces FM to ask for a un/pw despite the startup setting.

Update: If you change the startup account you do get a warning about login (shift for windows, option for Mac), but you don't get this warning if you reduce privileges for an existing guest account.

Update: Now that I've calmed down, here's what FileMaker could do to fix this:
  1. Include a menu option in a logical place for requesting a change in privileges/login.
  2. If the structure of FM is such that this cannot occur without a restart, then FM should provide a dialog saying (in essence) 'Close and restart required, is that ok?'

iSquint: Pod Video Made Easy.

I missed this one: iSquint. I've been using another app to burn DVDs to the iPod, I'll have to try this one. There's a commercial version for the whimsical price of $23.32.

Bringing the ease of AppleTalk to wide area IP

Nice review by ars technica ...
Have your Mac say Bonjour to tout le monde

By now, most Mac users are probably familiar with the magic that is Bonjour (formerly known as Rendezvous). A decade or two ago, when local networks emerged, many computer vendors came up with their own network protocols—AppleTalk in Apple's case. Unlike TCP/IP, AppleTalk works completely automatically: addresses are selected without user intervention or even a DHCP server, and the network makes sure all hosts know about all the network services that are available. Since the demise of the vendor-specific network protocols, Apple has been working hard to add the same level of seamlessness and ease-of-use to today's IP networks. On local networks, this has worked very well for a number of years: you can automatically detect other people running iChat, iTunes, and iPhoto, as well as detect local file, print, and web servers. All of this works by virtue of multicast DNS, where all the systems on a local network listen for mDNS requests and reply if they can answer the request. Unfortunately, this mechanism can't work across the Internet: before long, the only traffic we'd see would be mDNS requests.

It turns out that the Bonjour that we all know and love has a little-known sibling that does work across the Internet: Wide-Area Bonjour. And it's part of Mac OS X Tiger. It works like this. When you get an IP address from your friendly neighborhood DHCP server, the DHCP server usually also supplies a domain name. Wide-Area Bonjour looks up a couple of special DNS names under the supplied domain name. In most cases, these lookups fail and nothing

My oddball Brother MFC has Bonjour (mDNS) support. I recommend not buying any networkable device that lacks support for mDNS, though it's very hard to learn which devices do this. (Heck, most product descriptions don't even identify which devices have Ethernet ports!)