Saturday, May 11, 2013

Parental Controls after OS X 10.8.2: EXC_CRASH and changes to https handling

The kids don't often use my Mountain Lion machines, so I only learned recently that Apple made some significant changes to Parental Controls with the 10.8.2 update. I don't remember seeing any documentation at the time and there's nothing in the release notes.

I found out about the changes when I opened the Parental Control Preference Pane on my main Mac. It crashed. I rebooted, it still crashed, and crashed ...

The crash message looked like this one from last year (I'm on 10.8.3):

Mountain Lion Parental Control time...: Apple Support Communities

Process: System Preferences [2658]
Path: /Applications/System Preferences.app/Contents/MacOS/System Preferences
Identifier: com.apple.systempreferences
Version: 12.0 (12.0)
Build Info: SystemPrefsApp-232000000000000~22
Code Type: X86-64 (Native)
Parent Process: launchd [488]
User ID: 502

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Application Specific Information:
com.apple.preferences.parentalcontrols v.400 (Kindersicherung)
objc[2658]: GC: forcing GC OFF because OBJC_DISABLE_GC is set

I was able to get around the crash by turning off parental controls for the affected user from the User Preference Pane. Then I could open and close the Parental Controls Preference Pane; after that I could re-enable Parental Controls for the affected account.

I assume my old preferences were not compatible with the 10.8.2+ version of Parental Controls, and Apple's code didn't handle this very well. Old bug, not fixed. Disappointing, but there's a workaround.

Which leads to the obvious question -- what the heck did Apple change in 10.8.2 Parental Controls? For sure they didn't fix any of the longstanding defects -- like an execrable UI for log review.

The answer is in a 12 page Apple Discussion Thread, pointing to a mislabeled Apple KB article (it says it's 10.6, but it was revised June 2012 and the change came with 10.8.2). Apple changed how they handle https sites when "Try to limit access to adult websites automatically" is selected in Parental Controls.

You see, Apple's Parental Control infrastructure has never worked with SSL encrypted (https) sites [1]. So they have to decide what to do when someone tries to access an https site. Since the https site is effectively invisible, Apple can either decide to trust it completely or distrust it completely. Prior to 10.8.2 Apple's "automatic" limits erred on the side of universal trust. After 10.8.2 they err on the side of universal distrust (which has always been the "Allow access to only these websites" behavior).

So this isn't a bug introduced with 10.8.2, it's Apple being a bit more honest about how crappy OS X Parental Controls always have been. I wonder if the change was made to avoid litigation, or if the transition to all SSL net access made it impossible to keep the old pretense.

In theory an admin user can approve all the https access requests that come up when a user tries to reach one of those sites, but in practice that doesn't scale.

Bottom line: Parental Controls was born lousy, but with 10.8.2 Apple is at least being honest about how bad it really is. [2]

[1] See OS X Parental Controls: The https bug and our family Google Apps services back in 2010. I think this is related to my employer's ability to block Dropbox, but inability to block Google Drive without also blocking Google Search.

[2] Parental Controls are no better on iOS by the way -- thanks to the webkit back door. (Bob Tedeschi wrote about this back in 2012.)

Wednesday, May 08, 2013

Contaqs.app - A contacts.app replacement - with a flaw since fixed

I have about 2,200 Contacts, and if they could speak they'd all complain about iOS Contacts.app. The bizarre Groups implementation, the limited search options, the crummy search result display ...

Frustrating.

So I've been looking for an alternative. Most of the App Store alternatives failed the smell test, but Clark pointed me to a relatively good one - Contaqs.app. It looked good enough that I bought it.
My initial impression was pretty good. Search results show the company name. You can search on names, company names and phone numbers. You can edit group relationships (!). There's a smart-tag and geolocation function and you can create new tags. Seems fast.

Then I tried searching on my wife and didn't get any hits.

This test explains the problem:
Contact: John Paul Jones
Search in Contacts.app on John Jones: 1
Search in Contaqs.app on John Jones: 0
Search in Contaqs.app for John Pau: 1
The sound you hear is my head repeatedly hitting the wall.

Instead of what's called 'starts with word search' the authors of Contaqs.app implemented phrase search. This means that you need to include the middle name if your Contact has one.

I'm sure they had some reason for this, but it wasn't the right choice. If Contaqs.app were to implement 'starts with word search' they'd be a 4-5 star app. As it is I'm tempted to rate them 2 stars, but that's frustration speaking. I'll give 'em 3 for now. I might use it to clean up Group relationships, but it doesn't replace Contacts.app.

Darn it.

Update 6/11/13: They've fixed the search problem. Confusingly they call the new search 'phrase search', but it's starts with word search. The middle name problem is gone. Performance is a bit sluggish on my i5, probably why this feature is only for newer devices. Still, it's a great improvement.

Wednesday, April 17, 2013

Forget ICE: put your contact information on your iPhone lock screen

After mass emergencies I often read Facebook posts about the "In Case of Emergency" (ICE) program:

It encourages people to enter emergency contacts in their mobile phone address book under the name "ICE". Alternatively, a person can list multiple emergency contacts as "ICE1", "ICE2", etc. The popularity of the program has spread across Europe and Australia, and it has started to grow into North America.

Of course this only works if you leave your phone unlocked. That's kinda risky in the era where our smartphone is the key to our lives. In any case business phones have mandated locks.

A much better policy is to have your iPhone (or Android) lock screen display your contact and emergency information in a note. Then if someone taps the power button they see it all. You can include organ donor status if you like. Of course this also means that if someone finds a lost iPhone you'll probably get it back.

Here's how I do it on my iPhone:

  1. Create a note with the information to display.
  2. Press the Home and Power buttons together to take a screenshot.
  3. In Settings choose Brightness and Wallpaper. (See how to set your iPhone lock screen).
  4. Tap the Wallpaper image, choose the screenshot you saved, and set it as your Lock Screen but not your Home Screen wallpaper.
It takes a minute. I keep the note around in case I want to revise it sometime.
 
I include
Name 
Address
Home phone
Emerg phone (Emily's cell)
My email
My organ donor status
Thanks!

If you have a significant medical condition, you could add a line with the URL for a web page with key advice, or you could type it in. (On the i5 there's lots of room.) Don't bother adding your blood type, nobody would rely on that.

You can do something similar with Lion and later to help recover a lost laptop: Lost and found: putting contact info on iOS and OS X login screens.

Sunday, April 14, 2013

Apple's two-step verification: Multiple Apple IDs and mac.com Apple IDs?

I like the idea of "two-step verification" for my Apple credentials (aka two factor authentication).

Problem is, I have no faith in Apple's ability to get this right, especially given their many years of unresolved Apple ID problems [1]. In particular I wonder about two things:

  • Can I do two-step verification for my core Apple ID that's tied to all of my App Store and iTunes purchases? That is a mac.com address, and when I tried setting one I wasn't given that option. I think the answer is no -- I'd have to change the email address first. But I know I can't change it to one of my 3 other Apple IDs.
  • Can I do two-step verification from an iOS device for an Apple ID that's not the same as the Apple ID tied to the authenticating device? (iOS: iTunes and App Stores)
Until I get answers to those questions, I'm afraid enabling two-step verification will lock me out of my core Apple ID services.

- fn -

[1] Examples below. Their Apple ID failures are one example of why I think Apple's mind-boggling successes of the late 00s may have also broken the company. There are so many things small and large that Apple can't seem to manage. I'm hoping Cook is doing recovery work.

App.net - using Duerig's custom RSS feed to see only root posts from selected people

[See update below, Jonathon has revised his stream generator so you don't need to look up the userid any more.]

I enjoy app.net. I like the conversations, but I particularly like the 'root' or initial posts shared by a few of my followed appnetizens. Problem is, these posts are lost in the streams of the app.net clients I use - Felix (iOS), Kiwi or Wedge (OS X), and Alpha or NoodleApp (web). They are mixed with replies and conversations. Current app.net client UIs aren't a great fit for how I'd like to follow folks; they are best suited to recreational engagement. Thanks to Jonathon Duerig (@duerig), there's a better option. He's providing a special RSS feed that accepts parameters. For example, here's mine:

http://jonathonduerig.com/my-rss-stream/rss.php?user=6172&replies=0&directed=1

In this example

  • 6172 is my app.net userid (I was #6,172 to sign up)
  • replies=0 means I see only root posts, not replies
  • directed=1 (just include this, don't ask why) [2].

To find the userid you can mouseover the official (shows all activity) RSS feed icon on alpha.app.net profile pages, like https://alpha.app.net/johngordon. It shows the userid. I've created feeds for several people who I particularly like to follow, and put those feeds into a Google Reader folder called App.net [1]. Now that Duerig has also removed an unnecessary username prefix from each post, the results display very well indeed. Each post comes with a link to alpha.app.net, so I can respond easily in that environment. It's really quite elegant, and should be an inspiration for app.net app builders. I'm looking forward to more like this; Duerig will probably move this to a custom domain and tidy it a bit. For now I've put the feed URL into my Profile Bio to make it easier for others to copy.

[1] I haven't settled on a Reader replacement yet; I'll start doing serious testing in May. I do want folders.

[2] Duerig: "A directed post is a post beginning with a mention ... to anyone. .. the concept of a directed post is immensely confusing ... Just do replies=0 vs. replies=1 and you will be happy."

Update 6/30/2013: Duerig has a new format with new header and the ability to use a username instead of a user ID. For example:

rss-app.net/rss.php?user=@duerig&replies=0&directed=1 

I used a list of usernames scraped from the display of people I follow, and Numbers.app concatenate [2], to generate this list of feeds, which I've been tediously [3] copy-pasting into Feedbin. The current list is below, sorted by name [5].

This functionality makes app.net far more interesting for me. I really think it needs to be part of the API, a variation of stream. So we'd have two independent streams:

  • Twitter-style conversational stream: see all posts by members of follow list.
  • Prime stream: "Root" posts stream - akin to news, item share

For some people I want to follow conversations, for others just their initial item share, for others both streams. So these are independent.

Currently I do stream 1 from Kiwi/App.net/Felix, stream 2 from Reeder/Feedbin/ReadKit [4].

- ffn -

[2] Numbers.app can't export as tab delimited, which tells one a lot about iWork. It also "escapes" quotes in CSV fashion when you copy to clipboard, so they're all doubled. Not a problem with this exercise, but very annoying when I tried to create OPML XML entries. iWork, not Apple TV, is a hobby.

[3] Feedbin has performance and reliability issues, especially on adding feeds, but those are improving. What's killing me is the extremely limited UI for manipulating feeds - review, sort, revise names, remove, tag. It doesn't scale past 25 or so feeds; I'm over 300. If this doesn't get fixed in the next few weeks I'm gonna have to try something else.

[4] Readkit is promising but obviously in early state for consuming Feedbin, etc.

[5] Full list -- if your name isn't on here don't worry, I'm building it out. See [3]

(I had to add bullets due to a longstanding Blogger/MarsEdit formatting bug.)

  • rss-app.net/rss.php?user=@adamlcox&replies=0&directed=1
  • rss-app.net/rss.php?user=@adrianus&replies=0&directed=1
  • rss-app.net/rss.php?user=@annatarkov&replies=0&directed=1
  • rss-app.net/rss.php?user=@benubois&replies=0&directed=1
  • rss-app.net/rss.php?user=@billkunz&replies=0&directed=1
  • rss-app.net/rss.php?user=@clarkgoble&replies=0&directed=1
  • rss-app.net/rss.php?user=@dalton&replies=0&directed=1
  • rss-app.net/rss.php?user=@danfrakes&replies=0&directed=1
  • rss-app.net/rss.php?user=@danielgenser&replies=0&directed=1
  • rss-app.net/rss.php?user=@darnell&replies=0&directed=1
  • rss-app.net/rss.php?user=@duerig&replies=0&directed=1
  • rss-app.net/rss.php?user=@erikschmidt&replies=0&directed=1
  • rss-app.net/rss.php?user=@fields&replies=0&directed=1
  • rss-app.net/rss.php?user=@glennf&replies=0&directed=1
  • rss-app.net/rss.php?user=@gruber&replies=0&directed=1
  • rss-app.net/rss.php?user=@jdalrymple&replies=0&directed=1
  • rss-app.net/rss.php?user=@johngordon&replies=0&directed=1
  • rss-app.net/rss.php?user=@marcozehe&replies=0&directed=1
  • rss-app.net/rss.php?user=@martinsteiger&replies=0&directed=1
  • rss-app.net/rss.php?user=@mfitz&replies=0&directed=1
  • rss-app.net/rss.php?user=@mvp&replies=0&directed=1
  • rss-app.net/rss.php?user=@prometheus&replies=0&directed=1
  • rss-app.net/rss.php?user=@rikishiama&replies=0&directed=1
  • rss-app.net/rss.php?user=@reederapp&replies=0&directed=1
  • rss-app.net/rss.php?user=@brentsimmons&replies=0&directed=1
  • rss-app.net/rss.php?user=@siracusa&replies=0&directed=1
  • rss-app.net/rss.php?user=@sirshannon&replies=0&directed=1
  • rss-app.net/rss.php?user=@snipergirl&replies=0&directed=1
  • rss-app.net/rss.php?user=@spacekatgal&replies=0&directed=1
  • rss-app.net/rss.php?user=@teawithcarl&replies=0&directed=1
  • rss-app.net/rss.php?user=@thomasbrand&replies=0&directed=1
  • rss-app.net/rss.php?user=@treestman&replies=0&directed=1
  • rss-app.net/rss.php?user=@voidfiles&replies=0&directed=1
  • rss-app.net/rss.php?user=@wickedgood&replies=0&directed=1
  • rss-app.net/rss.php?user=@xwordy&replies=0&directed=1
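The list above was built by hand in Numbers.app, which (see footnote [2]) mangles quotes on the way to OPML. As an added example, not code from the original post or from Duerig's service, here is the same job in Python: it builds the rss-app.net root-post feed URL for each username, drops the duplicates the scraped list picked up, and emits an OPML file with the ampersands in the query string correctly escaped. The http scheme is an assumption (the post gives only host and path), and the sample usernames are constructed from the list above.

```python
# Added example (not from the original post or from Duerig's service):
# build rss-app.net root-post feed URLs for a list of app.net usernames
# and emit them as OPML, the file a feed reader can import in one step.
import xml.etree.ElementTree as ET

FEED_BASE = "http://rss-app.net/rss.php"  # assumption: the post gives no scheme


def feed_url(username, replies=0, directed=1):
    """Root-post feed for one username, in the query form the post uses."""
    name = username.strip().lstrip("@")
    if not name:
        raise ValueError("empty username")
    return f"{FEED_BASE}?user=@{name}&replies={replies}&directed={directed}"


def unique_sorted(usernames):
    """Drop duplicates (the scraped list repeated @gruber and @jdalrymple)
    and sort case-insensitively so the output stays in name order."""
    seen = {}
    for u in usernames:
        name = u.strip().lstrip("@")
        if name and name.lower() not in seen:
            seen[name.lower()] = name
    return [seen[k] for k in sorted(seen)]


def build_opml(usernames, folder="App.net"):
    """Return OPML text with one <outline> per user inside one folder.
    ElementTree escapes '&' in xmlUrl as '&amp;' and quotes the attribute,
    so '&replies=0&directed=1' survives the round trip into a reader."""
    opml = ET.Element("opml", version="1.0")
    head = ET.SubElement(opml, "head")
    ET.SubElement(head, "title").text = f"{folder} root-post feeds"
    body = ET.SubElement(opml, "body")
    group = ET.SubElement(body, "outline", text=folder, title=folder)
    for name in unique_sorted(usernames):
        label = f"@{name} (root posts)"
        ET.SubElement(group, "outline", type="rss", text=label, title=label,
                      xmlUrl=feed_url(name),
                      htmlUrl=f"https://alpha.app.net/{name}")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(opml, encoding="unicode"))


if __name__ == "__main__":
    # Constructed sample input: a few handles as they appear in the list above.
    print(build_opml(["@duerig", "@gruber", "gruber", "@jdalrymple", "@siracusa"]))
```

Pipe the output to a file and import it into Feedbin (or any reader with OPML import) instead of pasting feeds one at a time; the folder name becomes the reader's tag or folder.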

Saturday, April 13, 2013

WordPress attack - lessons from my personal security review

This week there's a brute force password attack on WordPress sites. That inspired my security review; here are a few things I learned doing it:

  • I again appreciated the FileMaker database I've used since 1997 to track my net credentials. I dump data from it to a now dated version of 1Password, but it's hard to beat the ease of searching and editing my own repository. It lives on an encrypted disk image on my local machine.
  • It's easy to end up with orphan WordPress instances. I have one on Wordpress.com and two on my Dreamhost account, but I only use http://www.kateva.org/sh/. It archives my Pinboard/App.net shares; one day, if I figure out how to do it, I may append my old Google Reader shares (json).
  • I had a strong password on the wordpress.com account, but only pretty-good on my other two and they had the same pw. I upped both to very strong but still typable. I will have to review how IFTTT connects to kateva.org/sh -- obviously there are big security risks with many uses of IFTTT. 
  • I'd been keeping my WordPress blog software current (Dreamhost makes that easy!) but not the plug-ins and themes.
  • I'd changed a theme on one blog recently, and today I learned it didn't include a log-in link! I was briefly shut out, but a bit of web research turned up kateva.org/sh/wp-admin.
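The attack that prompted this review is a password-guessing campaign against wp-login.php. As an added example, not code from the original post or from WordPress, here is detection logic run over a few constructed Apache combined-format access log lines. It relies on one behaviour of wp-login.php that is visible in any access log: a wrong password redisplays the form with HTTP 200, while a correct one answers 302 to wp-admin. Counting POST-with-200 per client IP in a sliding window flags the guesser without touching the WordPress database. The IP addresses, paths and threshold are constructed for the example.

```python
# Added example, not from the original post or from WordPress: flag IPs that
# hammer wp-login.php by counting failed login POSTs per client inside a
# sliding time window. The access log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:10:00:01 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:02 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:04 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:05 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:07 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:09 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:00:10 +0000] "GET /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:00:20 +0000] "POST /sh/wp-login.php HTTP/1.1" 200 3915 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:00:31 +0000] "POST /sh/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:00:32 +0000] "GET /sh/wp-admin/ HTTP/1.1" 200 22110 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Pull ip, timestamp, method, path (query string stripped) and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A bad password makes wp-login.php redisplay the form with HTTP 200;
    a good one answers 302 to wp-admin. So POST + 200 is a failed attempt."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def brute_force_ips(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failed attempts inside any one window} for IPs at or
    above threshold. A sliding window catches a steady guesser that fixed
    per-minute buckets would split across two bucket boundaries."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in brute_force_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins inside one window")
```

On a shared host like Dreamhost the raw access log is usually the only signal you get without installing a plugin, so this is the check to run against last week's logs to see whether the campaign reached your orphaned instances too.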

The most important thing I learned is that it's not trivial to safely delete a self-hosted WordPress blog. Yikes! No wonder there are lots of vulnerable old blogs lying around for the taking. WordPress.com blogs have a delete tool, but self-hosted sites don't. Things can get nasty here -- two WordPress blogs can share the same database, so deletion must be done carefully. Judging from some Google hits, this is a very unsolved problem with lots of confusion.

We need a fix, WordPress.org, and we need it very soon. Dreamhost, you could help too.
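The shared-database problem has a concrete handle: each WordPress install keeps its own tables under the $table_prefix set in its wp-config.php, and the danger in tearing one down is dropping the whole database when a second blog lives in it. As an added example, not code from the original post, WordPress or Dreamhost, here is a small Python check that reads the prefix and database name from wp-config.php, compares the prefix against the tables actually present, and emits DROP statements for this install's tables only, refusing to touch the database itself while other prefixes remain. The config file, table list, database name and hostname are constructed; in practice the table list is the output of SHOW TABLES on that database.

```python
# Added example, not from the original post, WordPress or Dreamhost: decide
# which tables a self-hosted WordPress teardown may drop by matching the
# install's $table_prefix against the tables present in its database, and
# detect a database shared with another install. Sample data is constructed.
import re

SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'kateva_blogs');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'not-the-real-one');
define('DB_HOST', 'mysql.example.org');
$table_prefix  = 'sh_';
"""

# Constructed stand-in for `SHOW TABLES` on that database.
SAMPLE_TABLES = [
    "sh_commentmeta", "sh_comments", "sh_options", "sh_posts",
    "sh_postmeta", "sh_users", "sh_usermeta",
    "wp_options", "wp_posts", "wp_users",   # a second blog in the same DB
    "shop_orders",                          # starts with "sh" but not "sh_"
]

IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def parse_wp_config(text):
    """Return (db_name, table_prefix) from the text of wp-config.php."""
    db = re.search(r"""define\(\s*['"]DB_NAME['"]\s*,\s*['"]([^'"]+)['"]""", text)
    prefix = re.search(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""", text)
    if not db or not prefix:
        raise ValueError("DB_NAME or $table_prefix not found in wp-config.php")
    return db.group(1), prefix.group(1)


def split_tables(tables, prefix):
    """Partition tables into this install's (prefix match) and everyone else's.
    Limitation: if another install's prefix starts with this one (wp_ vs
    wp_old_), its tables land in `mine`; eyeball both lists before running."""
    mine = sorted(t for t in tables if t.startswith(prefix))
    others = sorted(t for t in tables if not t.startswith(prefix))
    return mine, others


def teardown_sql(db_name, tables, prefix):
    """Build DROP TABLE statements for this install only. An empty prefix
    would match every table, and odd identifiers are refused rather than
    quoted, so a crafted table name cannot smuggle SQL into the script."""
    if not prefix:
        raise ValueError("empty $table_prefix would select every table")
    mine, others = split_tables(tables, prefix)
    for name in [db_name, *mine]:
        if not IDENT_RE.match(name):
            raise ValueError(f"refusing to quote unusual identifier: {name!r}")
    stmts = [f"USE `{db_name}`;"] + [f"DROP TABLE `{t}`;" for t in mine]
    if others:
        stmts.append(f"-- {len(others)} table(s) with other prefixes remain: "
                     "database is shared, do NOT drop it or its DB user")
    else:
        stmts.append("-- no other tables remain; DROP DATABASE and removing "
                     "the DB user can follow once this is verified")
    return "\n".join(stmts)


if __name__ == "__main__":
    db, prefix = parse_wp_config(SAMPLE_WP_CONFIG)
    print(teardown_sql(db, SAMPLE_TABLES, prefix))
```

Review the generated script before feeding it to mysql, then remove the site's files and its web server entry; the database user and password in wp-config.php only become safe to delete once the trailing comment says no other tables remain.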

Sunday, March 17, 2013

Google Reader: More like this

Sad moment in the last days of Google Reader -- I'd forgotten about the 'more like this' item in the Folder Settings (and Feed Settings) dropdown ...

(Screenshot, 17 March 2013: the Google Reader Folder Settings dropdown.)

Note the Translation services, and ability to create a 'bundle' (shareable set of feeds made of all the feeds contained in the Folder).

There's so much in Google Reader that most users never saw.