Thursday, November 18, 2010

Why you may want to wait on the new Google Apps services - identity collisions

Google is making most of the apps that were once available only to gmail accounts available to Google Apps accounts.

Behind the scenes, what this means is that they're consolidating identities across the Google enterprise. They'll force the transition in early 2011, but at the moment it's optional.

Sounds great, but there's a catch for some users. The catch is that for some users there will be an identity collision, and reconciling that collision won't be pretty. These users should let others go first.

The users who are in trouble are those who used their Google Apps email address to register for Google services. For example, they used jgordon@kateva.org as the email address to create a Google Account. (Yes, it's confusing. Not all Google Accounts are associated with Gmail addresses.)

After doing this, it's possible to use Blogger (for example) with the user name "jgordon@kateva.org". The password may or may not be the same as the Google Apps password associated with jgordon@kateva.org; until this transition the accounts were completely separate.

Next year, though, the accounts will merge. In this case "jgordon@kateva.org" will belong to only one identity, an identity managed through Google Apps.

Merging identities is difficult. For example ...

Early adopter phase FAQ - Google Apps Help

...If your users used Picasa Web Albums with personal Google Accounts, they will not be able to reuse their old Picasa Web Album display usernames. They will have to sign up for new display usernames....

... The following Google products don't work with Google Apps accounts that have transitioned:

  • Google Extra Storage
  • Health
  • PowerMeter
  • Profiles

Review the options for transferring data between accounts.

At this time, these options are limited. Your users can transfer data in some applications from their personal Google Accounts to their Google Apps accounts after the conversion. There are no administrative controls for data transfer at this time. Each user will have to decide what to transfer and initiate the process. Learn more about transferring data in the Google Accounts Help Center.

Learn how to access two accounts at the same time in the same browser.

Users will no longer be able to access multiple Google accounts in the same browser unless they add an optional feature called multiple sign-in. See Using multiple accounts in the Google Accounts Help Center for more information.

Make sure your users complete the readiness checklist for users before they transition their accounts.

Note: After the transition, sign in to your admin control panel using your Google Apps account (example@domain.com). You might also need to use a separate browser. See Signing in to your control panel for more information.

and

Resolve conflicting accounts - Google Apps Help

Users with conflicting Google Accounts can easily resolve their conflicts by renaming their personal Google Accounts, and the data in their personal accounts will remain safe and accessible to them. Here’s how a user can rename their personal Google Account:

  • Step 1: Visit www.google.com/accounts and sign in with your personal Google Account
  • Step 2: Click ‘Change email’ under ‘Personal Settings’
  • Step 3: Enter a different email address where you can receive mail, enter your password, and click ‘Save email address’
  • Step 4: Check your other email address and click the link in the verification message from Google to confirm your change

Yikes. This smells real bad. I remember how badly Google botched the transition from "Pages" to "Sites". Reading through this list I can see all kinds of bad news.

I will start the "renaming" process with some of the problem accounts my family has, but we'll be going slow.

Saturday, November 13, 2010

The loathsome Apple Magic Mouse and the MagicPrefs salve

I have only one dysfunctional relationship.

It's with my Apple Magic Mouse. I hate it, but I can't leave it. I don't swear, but today my son heard me drop the F bomb. Thanks to the Magic Mouse from Hell.

There are two parts to the curse of the Magic Mouse. One is that Apple, the company that's never made a decent mouse, was too clever with their latest failure. The other is that Apple, the company that hates its geeks, has steadfastly ignored our screams. All we want is an option to make scrolling require two fingers, but instead we get accidental scrolls that wipe work and lose context.

I have an order for a $35 Logitech Bluetooth mouse in my Amazon cart, but before I pull the trigger I'm trying the last refuge of Magic Mouse users -- the MagicPrefs menubar and preference pane. (Better Touch Tool is a similar product, but seems to have less recent development).

I don't like to install this kind of tool -- they're usually playing in illegal APIs. Indeed, I've seen rumor that MagicPrefs has trouble with 10.6.5. I've done it though, which shows my desperation.

So far I've created one preset. All I've done is reduce touch sensitivity a bit, and change scrolling behavior:

  • disable one finger scrolling (also disables scroll momentum - I miss it)
  • two finger scrolling: vertical axis only
  • three finger scrolling: horizontal axis only
  • four finger scrolling: disabled

I'll see how this works before I add more features or gestures. I have seen some atypical clicking and scrolling behaviors and I want to see if those settle down.

If MagicPrefs saves my Magic Mouse relationship I'll forgive it some minor system glitches.

Now if only Apple would fix its own $##% Magic Mouse Mess.

Instapaper: editor's picks and more

I've succumbed to the elegant web page reformatter and offline reader Instapaper. I was a late adopter, but I've drunk the Kool-Aid now.

It's the technology, it's the service, it's the quality, it's the versatility, it's the content and it's the developer(s). Classy.

Instapaper works beautifully with over 130 iPhone apps including the best Google Reader client: Reeder.app.

You don't need an iPhone to use Instapaper (currently only the iPhone app generates revenue, that may change). It's great on the desktop too - it makes the most ad laden, Flash infested, page broken content a pleasure to read (and breaks business models too, but that's another story).

It also solves a problem that you might have too.

You know you do it. Sitting in a boring phone meeting**. Browsing web sites on your corporate box (or iPhone* or iPad). All's fine until you see something you really want to read. That's crossing the line though. I can't read something good and pay attention to a dull meeting. Worse, I might continue when the meeting is done -- when I should be doing real work. (I assume everything I do on a corporate machine is monitored of course.)

Instapaper solves the problem. I click the Read Later bookmarklet and put the browser down. I'll read the article, elegantly formatted, on my iPhone later. If you don't have an iPhone, you can read it with any web client through your free Instapaper account.

Instapaper is $5 on the app store with a fine free version if you, like me, distrust reviews.

Oh, and don't miss the Editor's Picks. I'd like to know where the #$! they come from. Great list of readings, and anyone can browse this list -- even if they never use Instapaper.

*iOS browser bookmarklet integration of Instapaper is painful. Apple needs to fix this one, the developer can't. It's simple to use the mail article feature though.

** My meetings are not boring. For one thing I get 60 minute meetings done in 15, for another I round-robin attendees for comments q5-8 minutes.

PS. Instapaper got top grades on every cloud service test I use.

Tuesday, November 09, 2010

iPhone silent in VoiceOver mode

My iPhone was silent in VoiceOver mode. I couldn't figure out the problem. The UI behaved as expected, and I could record and play back over the speaker, but when I tapped on a word nothing happened.

VoiceOver wasn't working.

I thought my phone was in silent mode, or that the volume was too low. It wasn't in silent mode though, and pushing the volume up set the ringer to max. Still no VoiceOver though.

The trick was to try playing something on iPod.app. No sound came out, but in that mode I could change the play volume. That brought VoiceOver to life as well.

The volume mode VoiceOver uses is the same one iPod.app uses, but you can't set volume from VoiceOver; in that app the volume controls only change ringer volume. You can set it from iPod.app.

There must be another way to set VoiceOver volume, but even knowing the above I can't find it.

I don't see a lot of posts on this issue, so there's probably something else going on here ...

Update 4/17/11: Apple added a separate app/iPod volume control to a recent release of iOS 4. It's well hidden though. First get the multitasking icon list (tap home twice). Then swipe right to show the iPod controls. Then swipe right again. You will then see a volume control that is separate from the ring volume control.

Saturday, November 06, 2010

Creating Google events from email and SMS

In Outlook you can drop an email onto a Calendar icon to create an event. It's one of Outlook's better features.

Toodledo customers get an email connection for task creation. Send an email and Toodledo creates a task. There are even rules for writing subject lines to facilitate task creation.

Unsurprisingly, Google has something similar - albeit with a bug that makes it less useful than you'd think.

The SMS submission feature is poorly documented; before you can use it (US only) you must register your phone using the Calendar Settings Mobile Setup tab. It worked in my testing; I received a confirmation email that the event had been created. The SMS submission feature, and some related SMS calendaring services, are most useful for non-smartphone users. I think it follows the same language recognition rules as email (below):

There's no exact email analog [1] to the SMS feature, but Gmail processing comes closest. You can create an event from any email; the secret is the More Actions drop-down menu and the Create Event entry (I need to pay more attention to that menu!).

Google Calendar tries to parse the email subject line to set times and dates for the new event. I couldn't find any documentation on what phrasing works best, but I assume Google uses the same rules as the "Quick Add" entry box in Google Calendar ... (rewritten below, the page is a mess).

If you're sending an email to your Google Account to facilitate event creation you should use the following rules. The recipe for events is to enter 'what,' 'who,' 'where,' and 'when'. I can't remember that; I prefer the acronym SNAD:

  • Subject (what): This can be any text; the event title is created from this.
  • Name (who, optional): Anything preceded by the word "with".
  • Address (where,  optional): Preceded by the word "at", use quotes if the place name could be confused with a date/time.
  • Date (when): Preceded by the word at. Almost anything will work, colons in times can help reduce ambiguity and military time works.

The classic example is: "Dinner with Michael at "Friday's" at 7pm tomorrow".

So far, so good -- but there's a nasty bug/limitation. When you use the create event feature in Gmail, you can only create it on your personal calendar -- even though you may have privileges to write to many calendars. After you create the event you can move it to the correct calendar.

Very annoying.

[1] Don't confuse this with what happens when you send an invitation to a Gmail account for an Outlook or similar appointment. That sends an ICS attachment and, I think, automatically creates a calendar entry.

Retrospect 8.2 for OS X fails my latest review -- because it's been abandoned

I'm not happy with the state of OS X backup software. I've been hoping for a year or two that Retrospect 8, now owned by Roxio, would be a real contender. In particular, I hoped it would replace my use of SuperDuper for backup. I particularly like the file version strategy, the client management, and the built-in encryption. (Encryption is required for offsite backup.)

I also use Time Capsule, but I insist on two completely different and independent backup solutions for our home data.

In my ongoing quest for a Time Capsule/Time Machine complement I recently installed and began to test Retrospect 8.2. I know the app from past OS X and current Windows versions, so the complexity wasn't a problem. I was pleased by some of the things I found, and it passed some initial tests.

Then I ran into an installation permissions bug. Only the Admin account I used to install could open the Readme and User Guide documents. It's an odd permissions bug -- I can't fix it even using TinkerTools. There are workarounds of course, but this is a worrisome sign of poor quality control.

So I visited the (still dantz.com with EMC relabeling!) forums and read this thread response from a current user who wants Retrospect to succeed (emphases mine) ...

Really Disappointed in 8.2 update - Retrospect Backup Forum - Powered by FusionBB

... I got support responses to online tickets 10 days following the opening of the tickets. I had solved two of the three tickets by then (thanks to the forum). It's been a struggle...if it takes 10 days to respond to my responses then I may have to shake some people by their lapels.

And yes, 8.2 has been pretty buggy, and no word on an incoming patch. The blog went quiet, and so is every other means of end-user communication. Hopefully Roxio will figure things out, but for such a critical piece of software this isn't good...

I can confirm that Roxio has gone silent on Retrospect. They have various communication channels, and they're all black. This is a robust indicator that Roxio isn't funding further development. Retrospect OS X is, not for the first time, abandonware.

I can happily use abandoned software when the output is in a standard format. For example, I still love Microsoft's Windows Live Writer, even though it's been abandoned. It produces blog posts other tools can work with. When it finally dies, I'll say a sad goodbye.

That's not an option for backup software. The cost, features and functions don't matter -- I can't use backup software that's not being actively supported. Even if Retrospect 8.2 were bug free today, even if Roxio sold it for a buck, I couldn't use it.

Retrospect has failed. Again.

Now I'll see if the undocumented installer (in the Retrospect folder in Applications) actually works. (Correction: Installation is documented in the readme PDF. The installer does work. Both would have been strong points in my evaluation -- if I'd been able to justify continuing it.)

Saturday, October 30, 2010

Firesheep, sidejacking, and SSH Tunneling with DreamHost

In the endless spy vs spy game of net security there have been two recent setbacks for the good guys.

One is the rise of the keystroke logger. That's how I suspect my Google account was hacked from an insecure machine - a corporate laptop running XP. The best response to the keystroke logger is either to carry the 11" MacBook Air -- or to establish disposable network services for use on untrusted devices.

The other setback is the very recent emergence of trivial sidejacking.

Sidejacking is the theft of network credentials, and particularly cookies, by intercepting unencrypted WiFi network traffic. It's been a commonly recognized and widely ignored problem for about three years, but now a security researcher has decided to make ignorance impossible. He's released Firesheep (my 11yo says it should be called "Firerat") to make sidejacking a trivial task for bored kids (emphases mine; he's yelling at Facebook here) ...

... When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a "cookie" which is used by your browser for all subsequent requests.
It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called "sidejacking") is when an attacker gets a hold of a user's cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.
This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new "privacy" features in an endless attempt to quell the screams of unhappy users, but what's the point when someone can just take over an account entirely? Twitter forced all third party developers to use OAuth then immediately released (and promoted) a new version of their insecure website. When it comes to user privacy, SSL is the elephant in the room.
Today at Toorcon 12 I announced the release of Firesheep, a Firefox extension designed to demonstrate just how serious this problem is.
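
The pattern the announcement describes, an encrypted login followed by a session cookie that travels in the clear, is visible in a site's own response headers: the cookie is set without the `Secure` attribute, or the login redirects to an `http://` URL. The check below is an added example, not part of the original post or of Firesheep; the header text is a constructed sample, and the cookie names and example.com URL are placeholders.

```bash
#!/usr/bin/env bash
# Added example: audit login response headers for cookies exposed to sidejacking.

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Content-Type: text/html
Set-Cookie: session_id=constructed123; Path=/; HttpOnly
Set-Cookie: csrf=constructed456; Path=/; Secure; HttpOnly
set-cookie: lang=en; Path=/
Location: http://www.example.com/home'

# Read response headers on stdin and print the name of every cookie set
# without the Secure attribute. A browser sends such a cookie on plain-HTTP
# requests too, where anyone on the same open Wi-Fi can read it.
insecure_cookies() {
  tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      line = $0
      sub(/^[^:]*:[ \t]*/, "", line)          # drop the header name
      n = split(line, part, /[ \t]*;[ \t]*/)  # part[1] is name=value
      secure = 0
      for (i = 2; i <= n; i++)
        if (tolower(part[i]) == "secure") secure = 1
      if (!secure) { split(part[1], kv, "="); print kv[1] }
    }'
}

# Print the redirect target if the response sends the browser to http://,
# which means the pages after the encrypted login are served in the clear.
plain_http_redirect() {
  tr -d '\r' | awk '
    tolower($0) ~ /^location:[ \t]*http:\/\// {
      sub(/^[^:]*:[ \t]*/, ""); print
    }'
}
```

To audit a site you use, save the response headers of its login request (curl's `--dump-header` option writes them to a file) and pipe that file into each function.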

Sigh. I was hoping to ignore this problem, but now I can't. TUAW has an excellent review of our options: How to guard yourself and your Mac from Firesheep and Wi-Fi snooping. I summarize it as 3 options:

  1. Witopia VPN ($40/year for good-enough PPTP). I used them for two years, after I first worried about sidejacking in 2007, and they provided good service. I'm cheap though, and didn't need them that often, so I decided to wait until the sidejacking problem got worse.
  2. Various solutions that get you into your home network and let you use those presumably secure resources. Too much trouble for me, and too likely to be flaky.
  3. SSH tunneling - aka the poor man's VPN. This forces all traffic through an "SSH tunnel".

I tried Witopia VPN before and I'd recommend them (though I did have technical problems) - but I'm feeling cheap these days. I decided to try SSH tunneling because I already pay for full service hosting through DreamHost; so I have what SSH needs.

(BTW, I love DreamHost. If you sign up with my promo code of KATEVA I get a $50 kickback and you get $50 off your 1st year fee. Today, however, they're offering $110 off -- a full year of service for $9.25. To put it mildly, this is unbeatable.)

This is how the DH wiki describes their SSH tunneling (SSH Tunneling):

Your Dreamhost account can be used to create a secure tunnel to circumvent firewalls that prevent access to particular websites. This isn't recommended as a replacement for a VPN or similar service, but if you need the occasional ability to reach sites that would otherwise be unreachable *or* need secure access because you are using an unsecured access point, this might be an appropriate solution for you.
SOCKS is the name of the protocol used. SSH is the name of the software used to create the tunnel. There are a number of GUI options available for Windows, Mac OS X, and *nix, but using SSH usually demands a command-line environment. This article will assume that it is installed and configured appropriately. Practically speaking, this information is not that important. You just need to know the magic incantations.
Note: This is a great temporary solution if you need to view something your ISP has blocked for unknown reasons. It should be considered a temporary solution, as it will definitely use bandwidth on your account. When you are on a shared server, it's nice not to abuse the system.

The wiki page provides some Windows instructions using Bitvise (Free!) Tunnelier, but Mac users can get by with the command line (though I will also test OS X Meerkat separately). Here's what I did at DreamHost to get the SSH tunnel working on my 10.6 machine:

  1. Using DreamHost Control Panel:Users:Manage Users confirm account has a user setup with a shell account.
  2. In OS X Terminal type: ssh -D 9999 jgordon@trafficante.dreamhost.com
    • jgordon is not my true username, it's just an example
    • trafficante is my DreamHost server. Yours may be different.
    • 9999 is the port number
    • -D turns on compression
    • Some documentation says to use the N switch for non-interactive, so it would be ssh -ND 9999 jgordon@trafficante.dreamhost.com
  3. Enter this user's pw on request
  4. You now have an SSH connection.

To use this SSH connection you have to configure a proxy in OS X from the Network Preference Panel like this:

[Screenshot: SOCKS proxy settings in the OS X Network Preference Panel]

Of course you don't want to keep having to turn SOCKS on and off in Network Preferences depending on your settings, and you don't want to use SOCKS unnecessarily. That burdens DreamHost, and it slows your network traffic. I created a new OS X network "Location" that has the SOCKS Proxy turned on.

Also, when you're done with your connection, please type "exit" in terminal to close it. That's just politeness.

Here's how you can test if the configuration is working:

  1. Change your "Location" to the one you setup with a SOCKS proxy (I call it Google DNS SOCKS).
  2. Try to open a web page. Nothing should come up, you'll get an error message.
  3. Now run the SSH command to create a connection.
  4. Retry your browser - now it should work.
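
The four-step test above, scripted as an added example (not from the original post or the DreamHost wiki). It probes the SOCKS port with curl instead of the browser and the Location setting; the user and host are the post's sample values, and the control-socket path and test URL are assumptions.

```bash
#!/usr/bin/env bash
# Added example: scripted version of the post's tunnel test.
SOCKS_PORT=9999                          # port used in the post
TUNNEL_USER="jgordon"                    # the post's example user name
TUNNEL_HOST="trafficante.dreamhost.com"  # the post's example server
CTL_SOCK="$HOME/.ssh/socks-tunnel.ctl"   # assumed control-socket path
TEST_URL="https://www.example.com/"      # assumed page to fetch as a probe

# With DRY_RUN set, print the command instead of running it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Open the tunnel in the background.
#   -D 127.0.0.1:PORT  dynamic (SOCKS) forwarding, listening on loopback only
#   -N / -f            no remote shell; background after authentication
#   -M -S              control socket so the tunnel can be closed by name
#   ExitOnForwardFailure  exit instead of running without the listener
start_tunnel() {
  run ssh -f -N -M -S "$CTL_SOCK" -D "127.0.0.1:$SOCKS_PORT" \
      -o ExitOnForwardFailure=yes "$TUNNEL_USER@$TUNNEL_HOST"
}

stop_tunnel() { run ssh -S "$CTL_SOCK" -O exit "$TUNNEL_USER@$TUNNEL_HOST"; }

# Fetch TEST_URL through the SOCKS port given as $1. --socks5-hostname hands
# the host name to the proxy, so the DNS lookup also goes through the tunnel.
tunnel_state() {
  if curl --silent --output /dev/null --max-time 10 \
          --socks5-hostname "127.0.0.1:$1" "$TEST_URL"
  then echo up; else echo down; fi
}

# The post's steps 2-4: a proxied request must fail before the tunnel exists
# and succeed once it is open.
verify_tunnel() {
  if [ "$(tunnel_state "$SOCKS_PORT")" = up ]; then
    echo "port $SOCKS_PORT already answers; close the old tunnel first" >&2
    return 1
  fi
  start_tunnel || return 1
  if [ "$(tunnel_state "$SOCKS_PORT")" = up ]; then
    echo "tunnel is carrying traffic"
  else
    echo "tunnel opened but the probe failed" >&2
    stop_tunnel
    return 1
  fi
}

case "${1:-}" in
  verify) verify_tunnel ;;
  stop)   stop_tunnel ;;
esac
```

Run it with the argument `verify` to perform the test and `stop` to close the tunnel; setting `DRY_RUN=1` prints the ssh commands without connecting.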

I wonder if I should use a different DNS provider when I do this, currently I'm using Google DNS. For now however that seems to work.

Update: I tested Meerkat. It's a very powerful networking tool; it's not designed primarily for this problem. I can just barely follow the very sparse documentation. Really, a commercial product deserves a bit more documentation.

I think it's easier to just type the ssh command and change Location settings! If you want to try Meerkat as a sidejacking prophylactic, start with this vendor blog post. Note that in this example Meerkat uses 6666 for a proxy.

I'm going to stick with the command line and using OS X native Location settings.
