Sunday, April 18, 2010

OS X Parental Controls: The https bug and our family Google Apps services

OS X has a longstanding bug with parental controls and https connections. On my home 10.5 machine I have to use https to reach Wikipedia from a Parental Controlled account, yet at other times https simply doesn't work.

Even things that do work can stop working. My son has free use of a tightly locked-down account. I wanted that access to include his email (hosted on our family domain Google Apps services, now managed via Dreamhost), so I put our family domain on the allowed list. About two weeks ago it stopped working; I got the inane Apple "couldn’t establish a secure connection to the server" error message.

I'd run into Apple Parental Control's notorious https minefield. Consider this discussion thread that began in 2005 and is still alive in 2010!
Apple - Support - Discussions - Secure Connections and Parental Controls ...

... I have Parental Controls turned on....

The problem that I'm experiencing is that when I try to connect to some secure sites, sometimes Safari complains:

Safari can’t open the page '...' because it couldn’t establish a secure connection to the server “...”.
In 2009 "Mango Buzz" commented ...
... I finally got a fix that seems to work, however, it may be cumbersome. It involves finding the IP address of the websites you are wanting to add...

... I added both the web address with the prefix http and https for both the domain name and the ip address. So far this has worked.
Matt Wagner had some interesting background in 5/09, though he's wrong about the fix. Adding https sites to the allowed list doesn't always work ...
According to http://support.apple.com/kb/HT2900 , the problem that we have been experiencing is by design. Secured connections are encrypted (obviously). This means that the contents of the website are unreadable by the content filter. Because of this, Apple decided to block all connections to secured connections. Just like zuciello explained above, the only way around this problem is to add secured sites that you do not want blocked to the list of allowed sites.
In Aug 2009 biovizier suggested something odd enough to be credible ...
... "I've got a user that is managed, but allowed unrestricted access to web and applications. [...] If access is unrestricted, the parental controls should not interfere with web communication at all." ...

When "parental controls" are enabled, whether web restrictions are in place or not, it somewhat stupidly by default enables logging for internet traffic, passing requests through an internal proxy server to do so. It is at this stage that secure connections are being interfered with.

In your situation, since you don't appear to be interested in restricting web use, just turn the logging off as a workaround, eg.

/usr/bin/sudo /usr/bin/dscl . -mcxset /users/username com.apple.familycontrols.logging web always -bool false

Enter the command using "/Applications" > "Utilities" > "Terminal.app" while logged in to an "admin" account, substituting the managed user's "short name" where it says "username".
In March of 2010 Sidney San Martin contributed a monster post ...
We ran into this problem, and a wonderfully helpful Apple technician dug up a solution brought down from engineering ... The problem is that https, by design, keeps the hostname you're trying to access (apple.com, mail.google.com, etc.) secret. The computer can't determine directly whether the connection should be allowed. It does know the IP address, and performs a reverse lookup on that IP address to get the hostname it checks against your list of allowed sites.

So, the solution is to add as an allowed site the hostname associated with the IP address. It's not too difficult, but does require that you dive into the Terminal.

As an example, let's try to allow access to the Apple store. Start with the hostname you know: store.apple.com. Head into Terminal, and type:

host store.apple.com

You should get back something like this:

store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 17.251.201.32
store.x.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember02.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember03.apple.com.

You can ignore everything except the address line. Now we know that the Apple Store's IP address is 17.251.201.32. Let's use host again:

host 17.251.201.32

Which returns

32.201.251.17.in-addr.arpa domain name pointer cup-store.apple.com.

Which is the information that we're looking for. The reverse DNS name of the Apple Store's only IP address is cup-store.apple.com. You can add this to allowed sites, or just add apple.com.

Head back over to the store page, reload, and see if everything's loading. You can use the Activity window (in the Window menu) to see what is and isn't loading successfully on the page. In some cases, you may find content that's not loaded from the same domain — in this case, static content like images is coming from a248.e.akamai.net. You can follow the same steps to find the reverse DNS names of these other domains.

If a domain resolves to multiple IP addresses, check a few of them. If you're lucky, they'll all point to the same or similar domains, and you can just add the second level domain to allowed sites. If you're not, they may not have reverse DNS records at all, and you'll get a response like this:

Host 153.234.138.207.in-addr.arpa. not found: 3(NXDOMAIN)

In this case, you may have to add all of the IP addresses individually to allowed sites.

If you're having trouble with this method of finding reverse DNS, try to load a problematic site and check the Parental Controls logs. The site should show up under Websites Blocked. Open one of the history entries in a browser. It should just show up as a hostname or IP address, with nothing after the slash. That's the address you need to add.

Finally, if you just want to allow access to GMail, I did the work for you: most of Google's IP addresses resolve to a .1e100.net address. If you add google.com and 1e100.net to allowed sites (Google has lots of IPs, it's not worth trying to add them individually), you should be all set.
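San Martin's reverse-DNS procedure above, worked through as an added example (this is not code from the post, the discussion thread or Apple): it parses the `host` output in the form quoted above, keeps the reverse-DNS name where a PTR record exists, and falls back to the bare https://ADDRESS where the reverse lookup comes back NXDOMAIN, which is the case the post says forces you to allow addresses individually. The sample output is constructed from the lines quoted above; the second "has address" line (207.138.234.153, the address behind the post's NXDOMAIN example) is made up so that path is exercised.

```python
import re
from collections import OrderedDict

# Constructed sample: the `host store.apple.com` output quoted in the post, plus
# one made-up address line (207.138.234.153) so the no-PTR path is exercised.
FORWARD_OUTPUT = """\
store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 17.251.201.32
store.apple.com.akadns.net has address 207.138.234.153
store.apple.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
"""
# Constructed sample reverse lookups, keyed by address, as `host ADDR` prints them.
REVERSE_OUTPUTS = {
    "17.251.201.32": "32.201.251.17.in-addr.arpa domain name pointer cup-store.apple.com.\n",
    "207.138.234.153": "Host 153.234.138.207.in-addr.arpa. not found: 3(NXDOMAIN)\n",
}

ADDRESS_RE = re.compile(r"^\S+ has address (\S+)$", re.M)
POINTER_RE = re.compile(r"domain name pointer (\S+)\.$", re.M)

def addresses_from_host(output):
    """IPv4 addresses on the 'has address' lines of a `host NAME` run."""
    return ADDRESS_RE.findall(output)

def pointer_from_host(output):
    """Reverse-DNS name from a `host ADDR` run, or None when there is no PTR
    record (the NXDOMAIN case in the post)."""
    m = POINTER_RE.search(output or "")
    return m.group(1) if m else None

def second_level_domain(name):
    """Naive 'or just add apple.com' shortening: keep the last two labels.
    Fine for .com/.net names; wrong for registries such as .co.uk."""
    return ".".join(name.split(".")[-2:])

def allowed_site_entries(forward_output, reverse_lookup):
    """Allowed-site entries the procedure yields, in lookup order: the PTR name
    where one exists (that is what the filter compares against the list),
    otherwise the bare https://ADDRESS, since the address is all it can see."""
    entries = OrderedDict()
    for addr in addresses_from_host(forward_output):
        name = pointer_from_host(reverse_lookup(addr))
        if name:
            entries[name] = "reverse DNS of " + addr
        else:
            entries["https://" + addr] = "no PTR record, allow the address itself"
    return entries
```

Feeding real `host` output to the same functions (for example via subprocess) reproduces the manual steps; the order of entries follows the order of the address lines.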
I tried several of the above fixes (but not disabling logging - I need logging) and more, but I had no luck [1]. Note that I wasn't trying to provide access to google.com or gmail.com -- just family domain Google Apps.

I did finally get something working. I had to ...
  1. Switch from OpenDNS to Google DNS.
  2. As per San Martin add google.com and 1e100.net to the list of approved sites.
  3. Instead of using the URL "mail.myfamilydomain.com" I had to use https://mail.google.com/a/myfamilydomain/#inbox.
I would have preferred not to enable access on this account to www.google.com, but I really did need to have google.com as an authorized site.

I didn't used to have to do all this, so it feels like Google, OpenDNS, or both of them changed something about two weeks ago.

[1] It's so incredibly tedious. You have to log out of the account, make changes from an admin account, log in again, etc. It saves a bit of time if you remotely manage the parental control prefs rather than use a local admin account. If you look at blocked sites in the logs you can get a clue what's going on and you can right click on blocked sites to enable them. When doing remote admin you need to force a write of your changes by switching tabs - I keep forgetting to do that.

Update:
  • A series of Google discussions in 10/2009 suggested adding the Google.com IP address to the permitted site list: https://74.125.45.100. I believe this is the "secret sauce".
  • Another user was dealing with "try to block adult content automatically" problem of all https being blocked. They used a pattern template in permitted sites: [https://*.*.gmail.*.*]. I am skeptical that this adds anything.
Update 5/5/10:
  • From a google help forum Jawl's Dad wrote: I opened a terminal ... and typed the command host mail.google.com. The first four addresses [see San Martin, above] I added to the 'Allowed sites' with https://a.b.c.d and it works fine now....
Ahh, yes. The Host file. Slowly the memories return. I used to edit host files back when we had to make our own electricity. I'd forgotten about using it to block domains, but that method goes back to the very dawn of the net. It was once used to block advertisers, but I think they got around that. Note that editing the Host file impacts ALL users on a machine, and you may need to worry about permission related side effects.

Searching on Parental Controls and "Host file" brought me a few references.
Update 6/9/10: After a bitter battle, and a review of 3rd party parental control solutions that suggested this was a dying market, I again restored https access to google. So I had to walk through the above post.

I can't say it's the only thing one has to do, but the addition of https://74.125.45.100 to the Parental Controls whitelist did the trick. It resolves, by the way, to a beta trial of encrypted search services. I need to enable this google.com access even when my son is using our Google Apps site -- the authentication step requires an https Google.com connection.

Update 2/7/11: I gave up on using Google web tools. Not at all family friendly. Did come across a tip to add to this thread ...

One more step is required: after adding https://74.125.45.100 (which actually only took me to the Google home page, though Parental Controls still restrict any browsing from there), THEN ALSO ADD https://mail.google.com/mail. The combination of the two additions in the allowed websites does the trick; then, when attempting to access Gmail, go to gmail.com and the Gmail homepage opens.
See also:
--
My Google Reader Shared items (feed)

Sunday, April 11, 2010

Integrating game consoles, computers: go RCA cable

I love the 70 year old RCA connector.

It was the perfect invention, but the internet does not know who the inventor was. Those were the days when "RCA" was as Apple is now, but companies got credit rather than people. (RCA died in 1986, the name is just a trademark now.)

I renewed my RCA connector appreciation when I decided to move the kids' Wii console from the basement to the family room. Downstairs we plugged the Wii into my 1986 stereo receiver, but upstairs we didn't have anything. Somewhat impulsively [1], I bought a Logitech z313 computer stereo to share between the iMac and the Wii.

Since my sound system knowledge ended in 1976 this "sharing" took a bit of figuring. There's no "receiver" to manage the different audio sources; the amplifier function is built into the computer speakers. There's also some mystery about how to connect things; my iMac and the z313 use 3.5 mm stereo connectors, the Wii uses RCA.

The answer is to convert the 3.5 mm connections to RCA, then use a simple RCA A/V switch. Instead of pushing buttons on a complex receiver you use a much simpler analog AV switch (I'm not sure this is progress, actually).

A prior post reviews the cable connections. You use some mixture of "Y" RCA stereo cables with either male or female 3.5 mm plugs (and an optional 3.5 mm plug join) to convert the 3.5 mm stuff to a nice RCA connector standard.

For a switch you can use something like the RCA VH911 Video Switch Box or the SONY Game and Video Selector (#1 in "selector boxes" - see[2]).

Once you know the above, the rest is easy.

See also:
[1] I violated Gordon's Laws of acquisition. I could have made this work with a battery powered speaker I already own. I did penance by reorganizing the computer area, donating several items, and tossing more things out. The Logitech sounds much better than I'd expected; for this result I should have paid more to get something that might last longer. It's much better sound than what my old stereo produces at reasonable volumes.

[2] Amazon doesn't have a consistent classification (ontology) for these devices. If you start with this list the "what do customers buy" section should provide good coverage:

Friday, April 09, 2010

Stereo cable voodoo: Connect game console output to computer speakers

I need to connect a game console to a computer speaker system. This requires some cable voodoo.

Specifically I need to connect a Wii (composite RCA plug output - 2 stereo sound, 1 video) console stereo output to my Logitech (3.5 mm male) computer speakers. This is a fairly common problem, Amazon has two different solutions:
2 x RCA Female / 1 x 3.5mm Stereo Female Adapter (CableWholesale)
or
I ordered the second one because I needed a bit more versatility.

Now I'd also like to use my computer with the same speakers. I'm going to try using a headphone splitter in reverse -- so the sound sources will plug into the headphone jacks and the speaker will plug into the input jack. I think it might work ...

PS. The mess of adapters and cables cost half as much as the Logitech computer stereo system. The profit margin on cables is impressive.

Tuesday, April 06, 2010

How to disable lateral (horizontal) scrolling on a Magic mouse

Things that seem like a good idea at the time but aren't really:
  • auto-orientation on my iPhone: Mostly it guesses wrong.
  • horizontal scrolling surface on the magic mouse: Mostly it guesses wrong.
There is a way to disable the Magic Mouse horizontal scrolling:
Apple - Support - Discussions - Magic Mouse - Disable horizontal ...
... This worked for me. It's a relief to disable horizontal scrolling. Just to clarify the previous post:

To turn horizontal scrolling off:

defaults write com.apple.driver.AppleBluetoothMultitouch.mouse MouseHorizontalScroll -bool NO

To turn horizontal scrolling on:

defaults write com.apple.driver.AppleBluetoothMultitouch.mouse MouseHorizontalScroll -bool YES

These commands are entered on the command line of the Terminal utility application.
You must either restart your computer or connect and disconnect your mouse for these changes to take effect. To connect/disconnect you power cycle the mouse; it's helpful to have the OS X mouse pref pane open to see when it's disconnected and reconnected. Reconnection can be slow.

It's beautiful to have lateral scrolling disabled. Just beautiful.

Update 6/17/10: Even with lateral scrolling disabled, I still came to despise the Magic Mouse. Finally I gave up on it.

Monday, April 05, 2010

Killjoy review: I so wanted to like the T1i

Amazon reviews can be so cruel.

I really wanted to get a Canon EOS Rebel T1i this summer, but the Amazon reviews are a buzzkill. Like this one.

Too many megapixels. Damn. If only they'd gone for more light sensitivity and 10 megapixels.

PS. I rarely bother with the 4-5 star reviews. The best reviews are always in the 2-3 star range.

Snow Leopard 10.6.3: still not ready for primetime

Apple is having a very hard time getting rid of the really big 10.6 bugs (emphases mine) ...
Macintouch - Snow Leopard: Updates - Matt Neuburg
... Applied the 10.6.3 combo updater to two computers. No issues on either ...
One minor annoyance: I noticed on both computers that my display's custom ColorSync profile setting had been forgotten. I had to go into System Preferences - Displays - Color and select the correct profile.
Please see also the report concerning the three Snow Leopard bugs originally identified and reported in TidBITS. Two of them are fixed by this release (great, that only took 7 months), but one, a serious bug where attempting to Finder-copy a file bundle via File Sharing, is not fixed. http://db.tidbits.com/article/11123
The Tidbits article link reports fixes to an Apple events bug and a Preview bug.

I still can't recommend upgrading to 10.6 from a happy 10.5 machine. At this rate, it won't be respectable before 10.6.5. Apple is struggling to keep all their balls in the air.

There's been no mention of a fix for the USB/firewire external drive system lockup bug.

See also:

Monday, March 29, 2010

Virgin mobile - Sprint for your laptop, no contract

For $100 it appears you can sign up for Virgin Mobile Broadband Service. From the fine print it looks like they're reselling Sprint, but there's no contract, you pay on demand ...
$10 - 10 Days - 100 MB - 5 hrs Web Browsing or 25 minutes Video or 10,000 Emails (without attachment)
$20 - 30 Days - 300 MB - 15 hrs Web Browsing or 1 hour Video or 25,000 Emails (without attachment)
$40 - 30 Days - 1 GB - 50 hrs Web Browsing or 4 hours Video or 100,000 Emails (without attachment)
$60 - 30 Days - 5 GB* - 250 hrs Web Browsing or 21 hours Video or 500,000 Emails (without attachment)
I'm interested. Anyone with any customer experience?