Thursday, February 10, 2011

RIP Password - Google's two factor authentication

Google is rolling out comprehensive mobile phone based two factor authentication to regular Google accounts ...

Official Google Blog: Advanced sign-in security for your Google account

... If you like, you can always choose a 'Remember verification for this computer for 30 days' option, and you won't need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code....

Some notes from the help page (emphases mine, square parens my comments)

... Soon after you turn on 2-step verification, non-browser applications and devices that use your Google Account (such as Gmail on your phone or Outlook), will stop working. You'll then have to sign in using your username and a special password you generate for this application...

... If you have an iPhone, iPod or iPad, [3G or later, needs iOS 4] we recommend you use the Google Authenticator application to generate verification codes. The application doesn't require an Internet connection or mobile service to generate verification codes. If you would prefer to receive your verification codes by text message or phone call, follow the directions for Text or voice message below....

... Adding a backup number ensures you can receive a verification code to sign in even if your primary phone isn't available or working. ...

... After you set up your phone to receive verification codes, you will be given 10 backup codes. These backup codes can each be used once each to substitute for a verification code. These could be useful whenever you don’t have access to your phone (for example, while you are traveling)...

... If you've lost access to your phones, you can always sign in using one of your printed backup codes [and then turn off two factor authentication?], which you generated when you first turned on 2-step verification. If you've lost your phones and don't have your backup codes, you'll need to fill out an account recovery form...

... An application-specific password [revocable] is similar to a verification code in that you don't have to memorize it. However, application-specific passwords are longer than verification codes and you do not enter them into web browsers. In addition, you do not get application-specific passwords from your phone -- instead, to generate an application-specific password...

Visit the Authorizing applications & sites page (pictured below) under your Google Account settings...

Soon it will be safe to use my Google services on untrusted (keystroke logger possible) machines -- like my office XP box. I'll configure my trusted machines to remember verification. My iPhone will run an RSA-token like authentication code generator. I will keep at least one backup code in my wallet - albeit in a permuted form.

Of course I will wait several weeks before I switch over. I'm no fool. I'll let the brave and inexperienced take the arrows of early adoption.

The traditional password isn't quite dead yet, but it has one (rotted) foot in the grave.

Thanks Google. Special credit for making Google-authenticator open source and standards based ...

The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth).

These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm currently in draft.
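As an added illustration (not code from the Google Authenticator project or from this post), here is a minimal sketch of the two OATH algorithms named above: HOTP per RFC 4226, and TOTP, which was later published as RFC 6238. The 30-second step, six digits, drift window and the `verify_totp` replay check are assumptions chosen for the example; the secret is the constructed test key from the RFC 4226 test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample input: the shared secret used by the RFC 4226 test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226, section 5.3)."""
    # HMAC-SHA-1 over the counter encoded as an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
    # and the top bit is masked off to get an unsigned 31-bit number.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                last_used_counter: int = -1, step: int = 30,
                drift_steps: int = 1):
    """Server-side check (hypothetical helper). Returns the matched counter or None.

    Codes within +/- drift_steps time steps are accepted to tolerate clock skew.
    Any counter at or below last_used_counter is rejected, so a code captured
    once (for example by a keystroke logger) cannot be replayed.
    """
    current = int(unix_time) // step
    matched = None
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        expected = hotp(secret, counter).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted.encode("utf-8")):
            matched = counter
    return matched


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC4226_SECRET, now)
    accepted = verify_totp(RFC4226_SECRET, code, now)
    print("current code:", code)
    print("accepted at counter:", accepted)
    # The same code presented again is refused once the counter is recorded.
    print("replay result:", verify_totp(RFC4226_SECRET, code, now, accepted))
```

The caller is expected to store the returned counter per account and pass it back as `last_used_counter` on the next attempt.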

Thursday, February 03, 2011

10 Minute Mail - a disposable email address

10 Minute Mail gives you a temporary email address on demand. Good when you're forced to provide an email address for product registration or to deal with some other marketing-inspired blackmail. I suppose it's also useful for criminal activity.

Personally I have a yahoo.com address that is purely used for junk mail. That works fine; I set the spam filter to the highest setting and it still seems to work. Makes the marketing droids happy, they think it's worth something. If 10 minute mail really caught on then email traps would refuse to accept it.

Saturday, January 29, 2011

Using OS X Spaces, Expose, Minimize and Hide - best practices 2.0

I'm an old dog. It takes work to change my habits. A year ago I took a look at how I use my OS X workspace: Using OS X Spaces, Expose, Minimize and Hide - best practices.

Since then I've switched all my machines to 10.6. This is what I do now (I use two displays):

  • I've given up on Spaces. It almost works, but some multi-window apps get scattered across Spaces. Even when it works, it's not quite right. Even in 10.6 it fits poorly with Expose, Minimize, and Hide. I think Apple has given up too; the newest keyboards have a labeled shortcut key for Expose, but not for Spaces. I now use Spaces only when I'm running Fusion -- it gets its own Space.
  • I love 10.6 Expose. There are four things you need to know:
    • If you click-hold on an app's Dock icon, Expose shows only that app's windows
    • If you show all windows in Expose, then click on an app's Dock icon, you see only that app's windows
    • With 10.6 minimized windows show up in Expose in their own row
    • Hidden windows do not show up in Expose -- unless you click on the app's Dock icon. Then they are forced to appear.

With 10.6 I recommend ...

  • Learn Expose.
  • Use minimize and the "grow" button [1]
  • Don't use Spaces except for unusual cases such as running a VM. I might try using my 2nd Space just for Aperture.
  • Don't use Hide and Hide Others. They are legacy functions left over from Mac Classic. They don't mesh well with Expose.

[1] The "grow" button is problematic. iTunes is completely non-standard for minimize and grow (need to hold opt key to get correct behavior), and many apps simply expand to the entire screen instead of following the "grow to best size" algorithm.

Saturday, January 22, 2011

Reeder and Reader change how I read the NYT

My Google world editions experiment has a B grade so far. It's not bad, but Google's news algorithms underrate the NYT and the Guardian. I get too many 2nd and 3rd tier news sources.

Fortunately, my favorite Google Reader iPhone client [2] has changed the way I access the NYT. Reeder.app has integrated Arc90's Readability.

Why does this matter? It matters because the NYT's feed posts are not full text. They're simply pointers to the web articles and they are not mobile-optimized. Byline, my previous iPhone GR client, used to cache these articles [1] so they were fast to display, but Reeder doesn't. Until recently I used Reeder's integrated Google or Instapaper mobilizers to read NYT articles, but that stopped working.

I could use the NYT's iPhone app to read the NYT, but that's a source-specific workflow. Worse, the NYT iPhone app doesn't integrate with my Google Reader shares.

Now, however, Reeder with readability works perfectly with the NYT. To the NYT it looks like I'm fetching pages via a browser, but Reeder's readability function post-processes the page so it renders perfectly on my iPhone.

My NYT workflow starts with the NYT RSS resource page. From there I added about 10 feeds to Google Reader. Individual feeds belong to any of several "folders", but they all belong to an "NYT" folder.

In Reeder.app the articles show as short titles and introductions. By tapping a small icon, or using a spread-finger gesture, I tell Reeder to load the entire article using Readability. From there I can share via Google Reader Shared Items or add notes. Those shared items, in turn, go into my twitter stream. (Typically with truncated annotations. I'm not among those who praise Twitter's insane string length limits).

It's a far better workflow than using the NYT iPhone app. Recommended.

[1] I'm not sure the NYT allows this any more.
[2] There's an iPad client too. A Mac OS X client is in beta, but on the desktop I typically use Google Reader's native web interface.

Sunday, January 16, 2011

The surprisingly quiet OS X App Store: I buy iWorks' Numbers.app

I'd been considering buying iWorks for a while. I've been particularly interested in Apple's Numbers.app, as I don't have a desktop spreadsheet on my Macs and I don't want to install Office. I've been using Google Spreadsheet for a few years, but that's an annoying experience. I've also considered Mariner Calc, but it seems a lost (noble) cause given the growth of iWorks [1].

I was going to wait for the next version of iWorks, but with the OS X (Apple) App Store launch Numbers is sold separately for $20. I decided to combine a Numbers purchase with a visit to the App Store. Along the way I picked up Spanning Sync's Contact Cleaner for $5 (recommended). Here's what I learned.

I'll dispense with Numbers first. On initial testing, Numbers feels like an OS X version of AppleWorks' spreadsheet. Some of the UI elements are bizarre. It includes data filters, for example, but the data filter checkbox is grayed out until you click the "+" control to the right of the criteria entry box. Clearly this was not built by Apple's A team.

Numbers will import from Microsoft Excel, AppleWorks 6, CSV, tab delimited and Open Financial Exchange (OFX) format. It exports as Excel and CSV (amazingly, not Apple's longstanding tab delimited format). The installer does not include a user guide, but there's a help file link to Apple's user guide download site. I expect the DVD version of Numbers has more templates and examples than the App Store version.

Numbers is probably worth about $20, especially if it works for Emily. It's not worth more than that given its proprietary file format.

Numbers is worth $20, that is, depending on its DRM. This is the interesting part of the Apple Store. How does the DRM work?

You purchase an app from the Apple OS X App Store using your iTunes account. You don't get an installer. Installation is managed by "App Store.app". There's no "uninstall" documentation in the associated help function or anywhere on Apple's site (drag package to trash basically). If you change machines you're supposed to authenticate to the App Store using your iTunes credentials and reinstall. If you want to install on multiple machines (apparently supported by the DRM, Darwin knows what the EULA says) you authenticate and install on each.

The installer has no progress indicator. It feels like it's a very early beginning, which is typical of new Apple products. If you click on the "Purchases" icon you will see a progress bar (137MB download) [2].

The installer places the app into the Global "Applications" folder, not the user Applications folder. It is available to all accounts on the host machine. I don't know if vendors can change this. As an experiment, I zipped up the Numbers.app package from my Applications folder and copied it to a 10.6.5 machine that didn't have App Store installed. It ran there without complaint.

I also tried copying to a G5 running 10.5. It didn't work on this machine. Whereas iWorks '09 supports the G5 (universal app) the Numbers.app downloaded from the App Store is Intel only. This isn't an Apple problem of course -- Apple doesn't license these apps to be installed outside of the App Store, much less on a G5. Still, there are, for now, some advantages to buying Numbers on the DVD.

For the moment then, the app store Numbers.app DRM is light. Even if Apple vanished next year, you could still use Numbers. Unlike, say, what happens to Google's Documents when Google vanishes someday. Of course this is likely to change, and there are probably options to make the DRM controls tighter even with the current store.

In bullet form, some further impressions of the Jan 2011 App store

  • Vendor pricing is largely unimpressive. It's usually identical to retail. Yes, I'm looking at you, Omni Group! Considering the DRM uncertainties and installer absence most geeks will want to buy direct. Of course since Apple takes a 70% cut ...
  • Apple's prices are price competitive. Apple's 70% overhead goes to, you know, Apple. I like the unbundling of iWorks and iLife. Since Apple doesn't offer upgrade discounts on most products the App Store versions are interesting. Of course there's no installer, no universal apps, probably fewer templates, etc. Still, for Apple products the App Store is interesting.
  • The $80 new user price of Aperture is aggressive (it's about the upgrade price for current users). Be warned, however, that Aperture is not iPhoto Pro. Apple is slowly turning Aperture into iPhoto Pro but there are still missing data structures. If you migrate, for example, you lose all your Album and Event annotations. At Apple's current lethargic pace they are probably 3 years away from turning Aperture into a true iPhoto upgrade. (Sure, they market it as an iPhoto upgrade. Did you know Apple lies?)
  • I did see a few interesting utilities and, of course, small games. We all expect to see more OS X versions of iOS apps distributed this way, but there aren't many yet.
  • In general the app store felt sparse and quiet.

What's in the App Store?

  • Apple's consumer products and Aperture (which used to be "Pro" but is slouching towards being, maybe one day but not yet, iPhoto advanced).
  • Printshop 2 by Broderbund (Wow. Still exists.)
  • World Book encyclopedia for $30
  • Omni Group products, all at list price
  • MarsEdit
  • TextWrangler and BBedit
  • Yojimbo
  • Spanning Sync utilities (I bought Contact Cleaner for $5)

Apps that aren't there (yet)

  • Rogue Amoeba: Their wonderful apps help us do things like capture streaming audio. Not supported by Apple!
  • Apple's professional market products
  • Mathematica: Probably too expensive
  • Filemaker apps: Pro and Bento. This surprised me. Are they just not ready? Do they violate guidelines? Is the 70% cut too harsh?
  • Nisus Writer Pro: It's on the way, but not there yet.
  • Most of Mariner's software
  • Adobe products
  • Microsoft products
  • Many of the interesting niche market information management apps

I suspect that the smaller vendors are going to come along, but the price advantage for Apple products is harsh. Few will be able to compete with that. [3]

[1] iWorks, of course, has completely proprietary file formats. The only saving grace is that many files embed PDF in the package structure, so perhaps we can dig out the PDF and interpret the data after Apple disappears in 2027. I fear the battle for open file formats has been lost. Sometimes the good guys go down, but there will be many replays in years to come. For documents I use Nisus Writer Professional, despite its clumsy handling of images (no $#@! compression?!) and worthless HTML export. The default RTF output is as close to a standard file format as 2011 provides.
[2] I've read that the file that downloads is an installer, but it's hidden and deleted after installation. It doesn't go to the trash.
[3] Eventually this may get them into European antitrust issues.

Update 1/30/11: There is more to Numbers than I realized. One of the big limitations of Excel is that your print surface is your worksheet. In Numbers worksheets are distributed on the print/view workspace. That is a big improvement. I need to do a separate post on Numbers.

Saturday, January 15, 2011

How I synchronize OS X Contacts with Google Contacts and my iPhone

Abandon all hope, ye who enter here. Dante.

This one is for Martin.

I have synchronized my OS X Address Book entries with Google Contacts and MobileMe/iPhone for over a year. It mostly works. This is how I would do the Google Calendar part of it if I were starting out today. The MobileMe stuff is relatively easy [1] and I won't describe it further.

Before I begin, however, I require any reader to pass through three gates of informed consent ...

Gate 1. “Do I feel lucky?” Well do ya, punk?

If there's anything in this post you don't understand, you shouldn't try this. It could blow your Address Book apart. You might spend months reassembling it.

Gate 2. Read my 2011 resolution on managing complexity.

This is on the premature adoption end of things. It's taken about twenty years of boring, career destroying committee work to develop an incomplete and flawed standard sharing calendars and invitations. We're ten years of pain away from a similar standard for exchanging contact information.

Gate 3: Scan my Synchronization is Hell post.

Ok, you're informed. If you proceed, as a fringe benefit, you may come to understand why healthcare, a trillion dollar industry, seems stuck in the dark ages of IT. If it's hard to get address books to communicate, how much harder is it to send patient records from system A to system B? You may start to understand things like Halamka's post on a "Universal Exchange Language" for healthcare (heavens, but he's an optimist).

I use OS X Address Book as the "source of truth". That's where I add new addresses, and that's where I define what gets pushed to Google. If most of your contacts are in Google you would take a different approach.

Step 1: Buy Spanning Sync's Contact Cleaner ($5, App store) and try Spanning Sync ($25 a year, $20 if you use my referral code NXC8PS, 15 day free trial). I don't use it to sync calendars, just contacts.

Step 2: Back up Address Book. Then use Contact Cleaner to clean it up; note warnings about unusual suffixes and the like. Sync works best with a first name, last name for individuals (no spaces) and a string (with spaces) for "companies".

Step 3: Define a group in Address Book that you'll sync to Google Contacts. Start small and build up. I call mine "Google Sync". Configure Spanning Sync to only sync that group.

Step 4: After sync use Contact Cleaner again. Try a few reps until you're no longer getting duplicate or messed up contacts.

Step 5: As you use Google, keep an eye out for duplicates. Use Google's merge tool opportunistically. It works well, better than OS X Address Book merge.

Step 6: Over time add more names to the Address Book Google Sync group. Until you've got every address you care about synchronizing.

- fn --

[1] Apple controls both data models and they're roughly congruent, at least if you're on 10.6.6. I don't sync via iTunes because I already own MobileMe and it lets me sync to my accounts on multiple machines. The rest of my family can't sync directly because we all share one iTunes account, they have to sync to MobileMe and separately to their OS X accounts on multiple machines.

Spanning Sync contacts cleaner - a quick review

I bought Spanning Sync's Contact Cleaner for $5 from the OS X App Store.

I've used their flagship product for years to sync my OS X Address Book to Google. It's relatively expensive ($25 or so a year) but it mostly works. Since synchronization between differing data models is an impossible problem, "mostly works" is excellent.

So I was willing to give this utility a try.

Briefly, for an early product, it works pretty well. It has a few bugs, but it's definitely worth $5. The app offers to make an Address Book backup on 1st use -- that's a good idea.

I'm a pretty good test case because

  • I sync my OS X Address Book to both Google (Spanning Sync) and MobileMe
  • I have over 800 cards in my personal book (more in my separate corporate directory)
  • I routinely define a "Family" as a "Business" to get around the first name, last name problem.
  • For individuals I often link them into "Families" by use of the "Business" field to hold a family name (or, in my case, the domain name for our family)

These are the bugs I found:

  1. If you choose open in Address Book, then change type from individual to business in Address Book, Contact Cleaner will crash
  2. Details view for "one name" errors omits email addresses
  3. Details formatting not always optimal
  4. Can't manage the individual to company conversion

I'm also a bit suspicious about how it manages group memberships when it merges or alters contacts. This may just be my paranoia coming out.

Some advice on using Contact Cleaner

  • Turn off all other sync while using this tool. I sync my OS X Address Book to both MobileMe (and thus to my iPhone) and to Google Contacts [1]. Just disable your network connection.
  • If you edit in the Address Book, save your changes (click out of edit mode) then Rescan in Contacts Cleaner. Otherwise it won't pick up your edits.
  • I like to make changes in Address Book then rescan - gives me more control and I can see the full results
  • Be wary if you use non-default Address Book fields. This kind of cleanup is a very hard problem.

[1] I sync a selected subset of my entire Address Book to Google Contacts. I create new addresses in OS X and then let them sync to Google. Once they sync I can safely make smaller edits on either side (esp. email address updates). I can also do merges safely on the Google side. Group assignments are independent. I define a "Family" entry as a type of "Business", that seems to work.