Friday, September 09, 2011
iPhone calendar bug: list view one day off
Fix was to turn off google calendar sync to remove those calendars. Then turn it back on.
New one!
Thursday, September 08, 2011
Making the most of Google's alternative "2-step" verification model
It's been almost five months since I implemented what I then called Google's two factor authentication. My original enthusiasm waned significantly as I better understood what Google had done, and how they'd stalled.
Now I'm in a more or less grumpy but stable relationship with Google's "1.4 factor" security model. I wouldn't call it "enhanced" so much as "alternative". If you're not careful, you may end up less secure than when you started. It is definitely not for everyone -- indeed, it's for hardly anyone who uses anything but Google's web UI to access Google services.
I'll share here how I currently live with what Google calls 2-step verification. First, I need to explain what it really is. Disregard Google's labels and descriptions; they're dangerously misleading.
To begin with, consider two kinds of access to Google Services (mail, calendar, documents, etc):
- Browser based access to Google's services (Ex: Google Docs, Gmail, Google account, Plus, etc)
- App based access to Google's services (Ex: IMAP/Mail.app, G+/Google Plus.app, Calendar/Calendar.app)
When you sign up for "2-step" you get two kinds of authentication for browser based access to Google services and one kind of authentication for App based access (including many of Google's iOS apps, such as the brand new blogger.app [1]).
Yeah, it's a mess.
There are two kinds of password/token access to Google's browser based services, including the ultimate service -- your Google account security controls:
- Combination of a standard user-defined password and a token (app created or SMS messaged)
- "Break the glass" emergency one-time use verification codes for when a token is lost
For App based access you use your Google Account to create one or more long (high entropy, secure if not captured) passwords. Contrary to Google's descriptions, these are not application specific. They're just alternative passwords for non-web services. You can create one and use it for fifty apps (iOS, OS X, XP, multiple machines, etc, etc) or you can create fifty. You can revoke these, but good luck figuring out which to revoke. In practice, if you think you've been compromised, you have to revoke them all. (It's possible that if Google thinks you've been compromised it would revoke only the password used. I'd still revoke them all.)
These Google-generated passwords are powerful. You can't use them for browser access, and you especially can't use them to get to Google Accounts, but you can use them for API access to all mail, all calendar, iOS access to Docs, etc. The more you create, the harder it is to keep track of all of them, and the more vulnerable you are. Most of us, however, need these. Often.
So here is what I now do
- On my work machine, which is not a trusted machine, I use only web access and I require Google to ask for a token at all times. (There's a bug though. Unpredictably Google will decide to trust the machine for a month. As I mentioned, Google seems to have lost interest in 2-step!) Even on a "trusted" machine, however, you need a token to mess with security settings.
- On trusted machines, including my OS X personal machines and my iOS devices, I use the same Google generated password for all apps. I create it once and store it in my encrypted 1Password database. (In the past, before I realized how this worked, I created many "app-specific" passwords. I'm gradually removing those to improve security and simplify revocation.)
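The credential model described above, as a small Python sketch. This is an added example, not part of the original post and not Google's implementation: the class, method names and sample values are constructed, and the fixed token string stands in for the code from the app or SMS.

```python
import hmac
import secrets

class Account:
    """Constructed model of the post's credential types; not Google's code."""

    def __init__(self, password, token, backup_codes):
        self.password = password
        self.token = token                      # stand-in for the app/SMS code
        self.backup_codes = set(backup_codes)   # one-time emergency codes
        self.generated = {}                     # label -> generated password

    def generate(self, label):
        """Create a long random password for non-browser access."""
        self.generated[label] = secrets.token_urlsafe(16)
        return self.generated[label]

    def revoke_all(self):
        self.generated.clear()

    def browser_login(self, password, code):
        """Browser access: password plus token, or password plus a backup code."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        if hmac.compare_digest(code.encode(), self.token.encode()):
            return True
        if code in self.backup_codes:
            self.backup_codes.remove(code)      # each backup code works once
            return True
        return False

    def app_login(self, secret):
        """App/API access: one generated password, no token, any app or device."""
        return any(hmac.compare_digest(secret.encode(), g.encode())
                   for g in self.generated.values())

def demo():
    acct = Account("user-chosen", "492039", ["11112222"])   # constructed values
    shared = acct.generate("everything")        # one password reused by all apps
    results = {
        "app_no_token": acct.app_login(shared),
        "generated_on_web": acct.browser_login(shared, "492039"),
        "web_two_step": acct.browser_login("user-chosen", "492039"),
        "backup_first": acct.browser_login("user-chosen", "11112222"),
        "backup_reuse": acct.browser_login("user-chosen", "11112222"),
    }
    acct.revoke_all()                           # response to suspected compromise
    results["after_revoke"] = acct.app_login(shared)
    return results
```

`demo()` shows the asymmetry: the generated password alone opens the app channel, is useless in the browser, and stops working only once it is revoked.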
See also:
- Gordon's Tech: RIP Password - Google's two factor authentication
- Gordon's Tech: Implementing Google's two factor authentication
- Gordon's Tech: The massive security hole in Google two factor authentication
- Gordon's Tech: Google's two factor: Three weeks later
- Gordon's Notes: Google's two factor authentication and why you need four OpenID accounts
- Gordon's Notes: Life with Google Two Step Verification - Sign-in Failed with Places.app
- Gordon's Notes: The New York Times' bad password advice - and what you should do instead
- Gordon's Tech: Google Chrome sync does not work with 2-step verification
- Gordon's Tech: Google's 2-step verification is the spawn of Satan - iPhone upgrade edition
-- fn --
[1] Wrong! It actually follows a newer practice. It uses a web UI for login. When you try a generated password it requests the browser password then redirects to a (crude) web UI for token entry.
Wednesday, September 07, 2011
Converting Email from Eudora OS X to a modern format - the TidBITS review
My Eudora archive is in PC format. So converting to OS X is even more of a pain.
A pain I'll have to face sometime. As Eudora fades away conversion options narrow. So sometime soon ...
Today Adam Engst published the comprehensive conversion guide based on his experience with a million message archive. It's not pretty (emphases mine) ...
TidBITS Networking: Converting Email from Eudora: Why I No Longer Live at the P.O.
... Before you get started converting your Eudora mail, there are two cleanup tasks I recommend taking first (and another that I discuss in the Eudora Mailbox Cleaner section below). ... Before you convert your mail, you should compress your mailboxes, to make sure that any deleted messages that haven’t yet been removed from the actual mailbox file are not exported with the rest...
Second, if your Eudora Folder is anywhere near as old as mine, it dates to the classic Mac OS, where the / character was perfectly legitimate in filenames. If, like me, you used / in some mailbox names, you’re going to want to rename those mailboxes before converting them, since some utilities will see the / and create a new mail folder, thinking it’s a Unix directory...... Apple Mail features a built-in Eudora importer that provides the most obvious approach for importing your Eudora archive. If it were the only option, it might be acceptable, but in my testing, it missed converting at least some very old mailboxes. In those it did import, it failed to bring in attachments, messages status, and labels. Worse, in many mailboxes, it appeared to duplicate messages...
... Apple Mail can also import Unix mailbox files, so the question becomes, how do you convert Eudora mailbox files into Unix mailbox files (the two formats are similar, but not identical)? There are a number of options here, including the standalone program Emailchemy and a utility called EudoraExport that’s embedded in Eudora OSE. I had good luck with Unix mailbox files created by EudoraExport...
... now that I have my entire Eudora archive in Apple Mail, I think I’m going to leave it there as well, in case I ever want to move it somewhere else. I’ll stick with either the version of my Eudora archive created by Eudora Mailbox Cleaner (which maintained some message status, along with attachments) or Eudora OSE’s EudoraExport (which didn’t maintain message status, but did bring in attachments and which seemingly found about 120,000 more messages). I’m not a fan of Apple Mail, but its future is guaranteed and I don’t need to use it for anything but access to this email archive...
I'm surprised Apple Mail can handle an archive this large, though Adam tells us search is very slow.
See also:
- Gordon's Tech: Migrating mail from Outlook Express to OS X Mail.app: Using Eudora
- Gordon's Tech: Converting Eudora email: 6/2009. Obsolete now, Adam covers same topics
Tuesday, September 06, 2011
Usenet 2: StackExchange and apple.stackexchange.com
- OnStartups - Stack Exchange
- SharePoint (Yech. But, for me, useful.)
- Photography
- Home Improvement
- Bicycles
- Travel
My MacBook Air case is a Ziploc baggie
Sunday, September 04, 2011
Back to the future: OS X Parental Controls, DVD Encyclopedias, and MacKiev
I was born into a world of progress. Things were supposed to get better, the old would fade away.
That was then. Now we live in a whitewater world. One year we get the iPhone, another year movie viewing fails. Bits and pieces of solutions come together then fall apart again. Cloud services come and go with bewildering speed (fear the cloud).
In this world all-but-forgotten DVD Encyclopedias are making a return to our home. That's weird.
They're coming back because OS X Parental Controls have failed me [1]. Lion's PC "bug fix" was the last straw.
Sure, I blame Apple -- but it's not their fault alone. For reasons both good (bypass tyrants) and bad (involuntary marketing) the web fights controls. I can't win this fight.
So, in addition to the child accounts we monitor by log tracking (%$$# OS X Log Viewer), I've created a completely open account on one of our machines. That account can be open ... because it has no net access. None at all.
This account has old-school local apps like iTunes (access to our media server, App Store and Ping disabled) and AppleWorks. The machine is old enough to also include a 6+ yo copy of World Book encyclopedia.
That old encyclopedia could do with a tune up. So I took a look at what's available in DVD land. Amazon has the 2011 copy of EB (Mac/Win) for $23. That's a good end-of-year deal, but I'm skeptical about the quality of their OS X software.
On the other hand, MacKiev, a Ukrainian OS X dev shop that did a great job resuscitating Mavis Beacon Teaches Typing, produces the Mac version of World Book Encyclopedia. It runs on both legacy and Intel machines all the way from 10.3.9 (!) to Lion. It's more money ($40) but I'll give it a try once the 2012 edition comes out.
I've really got to hold onto my old software going forward.
[1] Incredibly, iOS is even worse.
Friday, September 02, 2011
Migration of metadata from Aperture to iPhoto and Google's Picasa web albums
There can't be more than one person in a million who cares about this.
This post is for you. Please comment so I know I'm not alone. (Just joking, I know I'm alone.)
I've been curious about how metadata (title, comment, etc) passes between Aperture 3 and iPhoto 8.1.2 [8]
I ran an experiment today to find out. I started with a RAW image. I exported a JPEG version to the desktop then dropped it into iPhoto. I also, for the heck of it, used iPhoto's Aperture browser and dropped an image in that way. [5]
Here's what I found (see [6] below for a note on the table).
- n/d means not displayed
- e- means it can be seen in the EXIF details on Picasa Web album
| Aperture Attribute Name | iPhoto Name (File) | iPhoto Name (Media browser) | Picasa [4] (File) |
| --- | --- | --- | --- |
| Version Name | n/d [3] | title | n/d |
| Caption | description | [2] | n/d |
| Rating | none | n/d | n/d |
| Keywords | keyword | n/d | Tags, e-keyword |
| Title | title | n/d | Caption, e-object name |
| Event Name | n/d | n/d | n/d |
| Image Location (text) | n/d | n/d | e-location |
| State/Province (text) | n/d | n/d | e-state |
| Image Location using Places | n/d [1] | n/d | yes [1] |
So if you, for some strange reason [7], edit in Aperture but store in iPhoto, don't bother rating photos. You can, however, use the following attributes and see useful information in iPhoto 8:
- aperture.Title -> iPhoto.title
- aperture.Caption -> iPhoto.description
- aperture.Keyword -> iPhoto.keyword
- aperture.Version Name -> file name if specified during export
- aperture.Places -> not rendering for me in iPhoto 8, but it's stored correctly and Picasa Web Albums can use it.
When exporting from iPhoto to Picasa only iPhoto.title and iPhoto.keyword are used.
Based on this experiment, I created a custom Aperture metadata set that included Title, Caption and Keywords. I also customized my Grid View - Expanded metadata (cmd-J) to include Title, Caption, Keywords and Version Name.
Update 9/7/11: It appears that the Aperture Project Name is written to JPEG EXIF during export and read by iPhoto during import. Most surprising.
-fn-
[1] This really surprised me. In the past this metadata had been preserved. I wonder if an Aperture update made it incompatible with my older version of iPhoto. Although iPhoto 8 couldn't read the location metadata, it was in the EXIF header because Picasa could read it.
[2] Something odd happened here. I'd assigned a Caption on Import and that's what showed up in iPhoto. I suspect it was IPTC metadata from the RAW image.
[3] This can become part of the file name on export from Aperture. The iPhoto.title attribute can be set equal to the file name by batch update. So there's a way to pass this to iPhoto if desired.
[4] Exporting from Google to Picasa Web Albums using Google export
[5] This isn't something you'd normally do. It just saves a ~500K JPEG that Aperture uses as a preview image. Still, it's interesting to see what happens with the metadata.
[6] When I tried to create this table I again mourned the passing of FrontPage, Windows Live Writer (all but gone) and the great wysiwyg editors of old. Neither MarsEdit (this tool) nor iWeb do tables. So I downloaded SeaMonkey (88MB - once that was a lot). Since I remembered Netscape Composer I had a major flashback with fascinating visuals.
[7] I'm stuck in iPhoto until Apple changes Aperture's iPhoto import to include more metadata. Also, I don't trust RAW for archival storage. I save JPEG and discard RAW.
[8] I haven't updated to iPhoto 9, the dead fish smell has been offputting.