Sunday, August 17, 2014

Security is hard - where I realize my clone backups are browsable

I rotate my backups offsite, so I encrypt the drives using 10.9’s quite good drive encryption.

Which works fine — until I realized that every user on my machine can browse those drives. OS X provides drive access on startup, and it doesn’t have a concept of user-specific access for encrypted removable drives. So, again, every user can browse them.

So that means my if my kids login to my primary machine they can browse the Carbon Copy Cloner backups [1] on that encrypted drive. Which is not good, since the backups contain the holy grail — our credentials database (Still in FIleMaker, because I like the simplicity and flexibility.)

Happily the credentials database lives on a separately encrypted disk image. In my testing the child accounts cannot view that image, even when it is mounted from my account (because the physical image lives in a folder the kids don’t have access too). They can’t view the file in the backups either — because it’s not mounted from there.

Anyway, I decided to try double-encryption. I encrypt the CCC disk images as well as the drive. In my testing the kids can browse those only if they’re mounted, which is controlled from my user account. So that’s not too bad.

Damn, but security is hard.

[1] I use Time Capsule as well — backup should always be automatic, at least daily, and involve two completely different methods. The CCC clones are backups insofar as I rotate them every week or so, and because CCC puts changed or remove files into an archive.

Update 8/18/14: This wasn’t hard to fix. I just had to change the default settings on my encrypted external drives:

Original: Ownership was ignored and everyone had read privileges

Screen Shot 2014 08 18 at 8 20 37 PM

Revised: Enabled ownership, gave everyone no access but parents and admin read & write (System/wheel/staff stuff just happened, blame weird OS X permission behavior)

Screen Shot 2014 08 18 at 8 25 35 PM

With this configuration I can do backups and restores but the kids can’t open the drive — and they can’t see drives mounted from images on the backup drive. What about if I need to do a restore to a new drive? I believe anyone with admin privileges can change permissions or ignore ownership on an attached drive.

Wednesday, July 30, 2014

iPhone Cellular data -- how to get by on only 2GB a month (for two people)

Apple’s settings for controlling use of cellular data are a weird mess.

A mess because they’re scattered over many screens, and weird because one of those screens (“Cellular Settings”) starts out empty and only gets entries as various apps try to use cellular data.

Here are some screens to look at and a few changes to be sure to make if you want to control your data use (Tip: The fastest way to get to these screens is to ask Siri to take you there. For example: “Show my settings for Podcast”.

Podcast app: turn off use cellular data

(Not everyone has this Apple app installed. If you don’t see it in settings don’t worry.)

IMG 4510

iTunes and App Store: Turn off use Cellular Data

IMG 4509 

Facebook

IN Settings tap on “Settings” then look at VIDEO and set Auto-play to Wi-fi only (or off)

Background App Refresh

Siri might not find this one. Tap on Settings General and its in there.

Turn off most of these unless you REALLY want it running in the background. Few things need to do that.

IMG 4508

Cellular

This is the weird one that only shows an app AFTER it’s accessed cellular data. It also shows data used (I tapped the reset link on this page TWICE recently, so most aren’t showing anything.)

It’s weird, but it’s the most important of the bunch. Some of my big offenders are Photos, Videos, YouTube, Podcasts, iTunes Store, Hangouts, FaceTime, Evernote, Dropbox, Google Drive, Camera+, and App Store. I turn them all off for both Emily and I.

To configure this on a new phone you need to turn off WiFi, connect via cellular network, then launch every app on your phone. Then you’ll see a complete list you can edit. Every time you add a new app to your phone you have to repeat this. Yes, this is a terrible user experience. 

IMG 4511

PS. You can lock Cellular Settings in Restrictions — handy for kids on, say, Ptel. Other settings, like App Store cellular data use, can’t be locked.

iPhone cellular data - what is iTunes Accounts and why does it use so much data?

You know those people who buy a hybrid car and go crazy trying to maximize their gas mileage?

That’s how I’m getting with our AT&T data use ever since Emily and I switched to the AT&T Mobile Share + “Next” plan. It has been saving us about $50 a month [1] but our typical usage is pretty close to our 2GB limit. (If we hit the limit we pay $15 for the next GB, we’ve never used more than 2.1GB so we don’t like this.)

So we’re paying attention to data use. I’ve a post pending on the various settings to adjust [3], but in the process of researching that I ran across a mystery that’s not addressed in Apple’s documentation on their bizarre [2] cellular settings panel or the iPhone documentation. The mystery shows up in the top rank of the almost-hidden Cellular System Services list.

There you see “Exchange Accounts” — you can’t disable cellular services for these. There’s also “iTunes Accounts” - which can use many MBs of data even when you don’t buy anything on the iTunes Store and you don’t listen to iCloud Music or Podcasts over cellular. 

IMG 4514

So what are iTunes Accounts — really? 

My best guess, based on a process of elimination and occasional rumors (Google failed me on this one), is that “iTunes Accounts” is a misnomer. I think this is referring to everything in “Mail, Contacts, Calendars” that is NOT Exchange Accounts and doesn’t have an entry on the Cellular menu. On my phone that includes my iCloud Contacts, Reminders, Safari settings, Notes, Passbook, and Keychain. Like “Exchange Accounts” these can’t be set to avoid use of cellular data, you can only tweak data use in “Fetch New Data”.

So why doesn’t Apple document this? My theory is they’re too embarrassed to cop to calling this stuff “iTunes Accounts”. 

I wonder if it’s renamed in iOS 8 or if these services can have cellular data use disabled.

[1] For many people this plan is moderately more expensive than the prior plans. We’re unusual, with our usage pattern it’s a savings even after we account for the lost subsidy and all of our future phones will be unlocked.

[2] Bizarre, yeah. This menu is empty on a new phone, entries appear when data is used. You tap TWICE on the reset link to reset the data records.

[3] I think those settings are going to keep us well below 2GB by the way.

Saturday, July 26, 2014

Aperture to Facebook: making images visible to Friends by default

I’d long wondered why, when I shared to Facebook from Aperture, my images were shared as ‘Only Me’.

Looks like one can change that from Facebook’s app settings:

Screen Shot 2014 07 26 at 10 30 30 AM

“Visibility of app” in this case seems to be default visibility of the item shared by app…

PS. If you turn off Facebook platform to restrict misuse of data, you also turn off all app integration and lose all app settings. Ahh, Facebook, you are at least consistent.

Sunday, July 20, 2014

iPhone with sync error: restore from iCloud fixed when restore from iTunes failed

On the eve of a big road trip my daughter’s 4S was unable to sync more than four movies - despite having 15GB of free space. As is customary with iTunes sync failures, the process completed without an error message (there are no system logs for iTunes). Despite the lack of any error notices, on the iPhone only 4 movies appeared.

When I used iTunes to view iPhone contents I saw several movies with dotted circles and faded fonts - signs of an incomplete or corrupted transfer. I couldn’t sync tv either. It looked a bit like this:

Screen Shot 2014 07 20 at 9 02 47 PM

I tried all manners of fixes to no avail. Finally I wiped the phone and restored from backup — but the behavior persisted. An Apple Store hardware diagnostic didn’t show any problems or error codes.

When I wiped and restored as a NEW phone I had no problems syncing movies. So the problem was being propagated in my backup.

I really didn’t want to set her up as a new user. Lost game data, lost local files, lots of configuration…. ugh. So as a last ditch measure I switched from backing up to iTunes to iCloud backup. Then I did a wipe and restored from iCloud backup. Which worked until it got to installing apps and media, then told me I had to do that from iTunes. 

After this two stage restore, from iCloud then from iTunes, I could sync movies normally.

I still suspect there’s also something wrong with the phone’s hardware, but for now it’s working normally and it does appear that a serious defect was being propagated by the iTunes backup — but not an iCloud backup.

iTunes 11.3: In Our Time podcast isn't working

I’m not sure this is a 11.3 thing or an In Our Time podcast (rss) bug - but episodes after 6/27/2014 aren’t downloading to iTunes (“The Sun” and “Mrs Dalloway” so far). I suspect an 11.3 bug related to renewal of a subscription following auto-unsubscribe; the bug was probably triggered because I was traveling for two weeks.

After having walked through the problem I suspect I could have restored functionality by toggling this setting the newish “Subscribed Off/On” setting. I suspect there’s a usability bug related to the older way of Subscribing/Unsubscribing and the newer Subscribed Off/On setting:

Screen Shot 2014 07 20 at 3 30 16 PM

I didn’t do that though. Instead, as described below, I reduced my exposure to Apple’s bugs by creating an external archive of the IOT Podcasts that I want to keep around.

First I showed that 11.2.2 could subscribe and re-download the new episodes, it’s easy to find these in the iTunes store:

Screen Shot 2014 07 20 at 1 04 21 PM

Fortunately I also track the same IOT feed in Feedbin: http://downloads.bbc.co.uk/podcasts/radio4/iot/rss.xml. So I was able to download the missing episodes and manually add them to iTunes. Of course these didn’t show up when I synced to my iPhone — I’d have been disappointed if they had. Apple’s routine screw-ups are rarely so easy to work around. That’s because when one adds a Podcast mp3 file by drag and drop iTunes assigns a media kind of Music:

Screen Shot 2014 07 20 at 1 25 01 PM

and 

Screen Shot 2014 07 20 at 1 25 53 PM

That worked, they now show up in my “unplayed” Playlist on both iTunes and Podcast.app. Changing Media Kind to Podcast also moves the physical file by the way.

Not surprisingly if I use Podcasts.app on my iPhone and inspect the Feed for the IOT podcast the episodes are available there for cloud download. Which suggests it is an iTunes problem.

On the iTunes side I tried resubscribing — the Subscribe button shows as available. It didn’t work though — and neither can I unsubscribe. So my iOT podcast is stuck in limbo.

I could try waiting for a new fix, but I’ve grown accustomed to Apple’s genial incompetence — it’s a kind of longstanding congenial senility [1]. It makes me feel better about the corporate setting I work in. It’s because of this pattern that I expect the first year of Photos.app (Aperture/iPhoto replacement) to be a drug-addled disaster. So instead of waiting I moved all the IOT files I could find into my file system - just as I had to do with the iBooks debacle. I did this by looking for IOT episodes in the iTunes-managed Finder folders, and also dragging and dropping from smart playlists. I made a few extra copies just to be on the safe side.

In the process of marshaling my archives I found 39 episodes I once owned and had listened to, but that Apple had kindly turned into iCloud only references somewhere along the way. Oh, Apple you are just soooo bad [2]. There’s no UI method to force download of an arbitrary set of podcasts, so I clicked the odd (UX nightmare) hidden options box 39 times (I’m sure there’s an AppleScript for this but it didn’t take long to do by hand):

Screen Shot 2014 07 20 at 1 57 55 PM

When all was done my external archive had 411 Podcasts over 8GB of storage. I’m reasonably confident this is the complete set, less all that Podcast/iTunes has deleted. Next I deleted my current and older IOT podcasts (BBC changed podcast attributes a few years ago) — interestingly this was a 2 step delete process, I had to delete to remove the Podcast subscription, then delete to remove the files. Then I had to track down residual files using Smart Playlist and delete those. When I was all done, however, iTunes still had dangling and invalid references to 125 IOT podcasts. I used Doug’s Super Remove Dead Tracks to clean those up. (I’m glad Doug has found a way to charge for these super scripts.)

After all of the above iTunes was cleaned up, so I then synced my iPhone. I found I was still subscribed to IOT (various flavors actually) in Podcasts.app, but I expected that. So I removed those from the iPhones and synced again. Everything was gone.

And… I still couldn’t subscribe to IOT from the Apple Store. So I manually entered the Feed (http://downloads.bbc.co.uk/podcasts/radio4/iot/rss.xml) the old way:

Screen Shot 2014 07 20 at 3 27 42 PM

That gave me a working podcast subscription in iTunes. I turned download episodes off (since I had my archives) and delete episodes off.

Screen Shot 2014 07 20 at 3 30 16 PM

When I dragged in my 411 archive files iTunes recreated the old Podcast entries (presumably based on metadata I can’t easily edit), so I made sure to turn off the deadly “Delete Played Episodes” feature and leave “Subscribed” turned off.

Screen Shot 2014 07 20 at 3 30 16 PM

When all was done, and various duplicates removed via Finder (iTunes would not delete them) and dead tracks recleared, I had 411 files in an iTunes smart playlist restricted to only local files:

Screen Shot 2014 07 20 at 5 42 58 PM 

Somehow (iCloud strikes), during all of this process, iTunes retained “Last Played” dates for many of the IOT podcasts I had listened to (though Play Count was not retained). So I created another Playlist:

Screen Shot 2014 07 20 at 6 32 29 PM

There’s no way to test for “Last Played” is NULL, but it turns out that NULL is > 99 months as far as iTunes is concerned.

From this list I drag and drop selected files to my IOT Next Up Playlist, which I sync to my iPhone. I also created a “Partially Played” playlist that’s populated by a manually run Doug’s AppleScript. That’s where I keep note of podcasts I’ve started.

So how does it all turn out in Podcasts.app on my iPhone? 

I’m so glad you asked. Because the newest episode wouldn’t sync there. It had a “media kind” of Music. There’s no iTunes list column for Media Kind, so I created another Smart Playlist:

Screen Shot 2014 07 20 at 6 42 02 PM

Out of my 411 episodes, 16 appeared in this Playlist. Since they all shared a Media Kind of music iTunes Get Info let me change them all to Podcast.

After that I did another iPhone sync and ….

… The newest episode still wouldn’t sync! My guess is that Podcasts.app is trying to match it with something on the IOT server, and there’s a bug there that prevents display. So I deleted my local copy from iTunes, and downloaded fresh copies from the current Podcast subscription on iTunes. Then I did another sync and this time…

… They all #$#@$@ showed up. So that’s yet another bug - and for now another workaround. Tell me again how Photos is gonna be wonderful.

Just as I do with ePubs and iBooks, I’ll maintain a podcast archive outside of iTunes — while both iTunes and Apple continue their long journey into complete dementia. 

PS. My iPhone is again accumulating “Other” space — an old CloudAssets cache bug I thought was fixed but has since recurred on several of our devices.

- fn -

[1] Apple is incompetent, Google is Evil, and Microsoft is dead. Long live the 21st century!

[2] I think this happened because Apple added the “delete played episode” feature to all of my Podcasts, including those that no longer had a subscription option. I knew to fix it on current IOT subscriptions. That wasn’t good.

Apple ID associated purchase records have jumped again: partly back to my old Dev account

Every year or so I like to check which of my four known Apple IDs has my many Apple hardware purchases associated with it. Two years ago, for example, they all jumped from one Apple ID to another. I assume Apple has a very broken distributed database system, and they try to associate records based on metadata like phone number, mailing address, email addresses, etc. Move a key around, or change the matching algorithm and purchases hop.

Today I’m pleased to report that they’ve now settled into two accounts. For a while they were all with the Apple ID I use for iTunes purchases (but not for iCloud — due to technical bugs/issues with Apple’s id infrastructure). Before that they were with an old dev account. Today 3 purchases are associated with my iTunes Apple ID, zero with my iCloud Apple ID, and 17 with the old Dev account. There’s no obvious logic for which purchase has gotten which Apple ID. Note that the old dev account is never used for anything; it’s completely inactive.

I guess I better tighten up password security on the dev account. I’ll try associated a phone number with it, that ought to really mess Apple up.

If you want to know when Apple lapsed into incompetence, just track their identity management issues. (Hint: well before Cook took over.)