Saturday, November 21, 2015

Sledging the drives

Obsolete and dead hard drives have been piling up for 7 years in a wardrobe I want to empty. Here they are ready for execution; one had to be dug out of a Time Capsule:

[Image: IMG 9055]

The ones that I know held sensitive data (unencrypted backups mostly) I wiped via cradle mount.

Then it was sledgehammer time. The lawn was a bad idea — even by my neglectful standards it made a mess.

The best results came from angling drives on concrete, and using short strikes to fold the drive:

[Image: IMG 9056]

A one pass wipe and a sledgehammer might not stop the NSA, but it should suffice for Best Buy recycling.

Thursday, November 05, 2015

Thunderbolt Dock: Eject all disks prior to undock

My new Elgato TB2 dock comes with an installer for an undock utility, but it also installs a kernel extension for some other function. I need a kernel extension like I need a meth habit.

So I was looking at 3rd party Mac App Store solutions like Mountain.app when @clackgoble on app.net said to just do AppleScript. Google found one then I added Clark’s eject line. I saved it as “Undock.app” and I launch by Spotlight (Cmd-spacebar “und”).

FWIW:

-- http://irwinkwan.com/2013/06/27/eject-all-mac-os-x-disks-with-a-script/
try
    tell application "Finder"
        -- Original: eject the disks
        -- Clark Goble version:
        eject (every disk whose ejectable is true and local volume is true and free space is not equal to 0)
        display dialog "Successfully ejected disks." buttons {"Close"} default button "Close"
    end tell
on error
    display dialog "Unable to eject all disks." buttons {"Close"} default button "Close"
end try

Update 7/23/2016

The above version may not be reliable in El Capitan (presumably an OS bug). I’m told this works:

tell application "Finder" to eject (every disk whose ejectable is true and local volume is true)

Comcast's xfinity wifi and XFINITY.mobileconfig

The coffee shop’s WiFi was flailing. Periodically my MacBook popped up an xfinity wifi option. I vaguely remembered reading of this when I signed up with Comcast (the Devil we know), so in a fit of recklessness I connected. 

It required my comcast credentials, which I don’t use for anything else. I balked when the install asked for admin privileges but it turned out I didn’t need the install — my connection worked anyway.

So what the heck was going on? And what was I recklessly installing? Why did I get a connection anyway? (Note I had no proof I was truly dealing with a Comcast site. The less crazy thing to do is to go to Comcast’s web site from a secure network and do any installs from there.)

The install, it turns out, creates a configuration file for Mac OS X Profiles called XFINITY.mobileconfig. It’s a binary file that contains your Comcast credentials in plaintext. (Yep. Delete after use.) The admin privilege escalation is needed to update OS X preferences. (If you run as admin you won’t see this; you really shouldn’t run OS X as an admin user IMHO.)

Oh, you’ve never heard of OS X Profiles? You’ve only heard of iOS Profiles? Profiles is a hidden Preference Pane introduced with Lion and only visible when you install a Profile (rather like iOS actually). "Configuration profiles can be created with the Profile Manager feature of Lion Server. They can configure accounts, policies and restrictions on iOS and Lion clients. The APN settings are iOS only.”

System Preferences will display the profile information (note it’s “verified”, this is via Yosemite):

[Image: Screen Shot 2015 11 05 at 12 26 00 PM]

After installation my Preferences have a new Apple pane; I can delete the profile from there.

[Image: Screen Shot 2015 11 05 at 12 27 56 PM]

So what does this profile do? I was hoping it might enable VPN support, but of course it’s not that useful.  It’s actually configuring my machine to auto-join XFINITY WIFI even if it’s not even WPA encrypted. I hope I’m wrong about that, but this is Comcast we’re talking about.
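A way to check a downloaded profile for the two properties described above (stored credentials, auto-join to an unencrypted network) before installing it. This is an added example, not code from the original post or from Comcast: the sample profile is constructed, the key names are Apple's documented Wi-Fi payload keys, and pulling the plist out of a signed profile by searching for its XML is a heuristic assumption.

```python
import plistlib

# Constructed sample profile (not Comcast's real file): one Wi-Fi payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "SSID_STR": "EXAMPLE-HOTSPOT",
        "AutoJoin": True,
        "EncryptionType": "None",
        "EAPClientConfiguration": {"UserName": "user@example.com",
                                   "UserPassword": "constructed-secret"},
    }],
})

SECRET_KEYS = {"Password", "UserPassword"}

def load_profile(raw: bytes) -> dict:
    """Parse a profile; signed ones wrap the plist in a CMS (DER) envelope."""
    try:
        return plistlib.loads(raw)
    except Exception:
        # Heuristic: the signed content is usually one contiguous XML run.
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("no plist found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def find_secrets(node, path=""):
    """Yield the key paths of credential fields, never the values."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SECRET_KEYS and value:
                yield here
            yield from find_secrets(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secrets(item, f"{path}[{i}]")

def audit(raw: bytes) -> list:
    """Return findings for every Wi-Fi payload in the profile."""
    findings = []
    for payload in load_profile(raw).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "?")
        # AutoJoin defaults to true when the key is absent.
        if payload.get("AutoJoin", True) and payload.get("EncryptionType") == "None":
            findings.append(f"{ssid}: auto-joins an unencrypted network")
        findings += [f"{ssid}: stored credential at {p}" for p in find_secrets(payload)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real download, pass the file's bytes to `audit()` in place of `SAMPLE`.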

Their FAQ doesn’t explain what’s happening, but this page suggests that the profile is needed to connect to the “XFINITY” SSID networks. (I was able to connect without using the profile because I was using an “xfinitywifi” SSID.) That makes sense because the profile contains an Enterprise Profile ID. (See iOS directions here.)

Which leaves the question of what’s evil about XFINITY WiFi, because, you know, Comcast. I mean, besides the auto join non-encrypted networks.

Don’t worry, it’s evil. Comcast turns customers’ routers into WiFi hotspots by enabling a kind of “guest network” (my Comcast modem doesn’t have WiFi. Smart I am.) Comcast assures customers Homeland Security will knock politely when visiting for tea to chat about your network use by local ISIS affiliates.

Comcast also enables XFINITY WiFi for business customers, who might be well informed and fine with this. I don’t think there’s any way to tell what you’re connecting to though. Can a provider tap the data stream? This is Comcast, so I would assume so. I also assume Comcast monitors the data stream and sells whatever it learns to various businesses and criminals. Lastly, with auto-join unencrypted networks seemingly enabled, I figure Comcast is getting kickbacks from the honeypot industry.

Caveat emptor.

Saturday, October 31, 2015

Time Capsule & Time Machine: "Browse Other Backup Disks" doesn't let you access backups from a different device

One day your iMac dies. It’s old, but not old-old. Sucks. Good thing you are paranoid about backups. You have onsite backups. You have offsite backups. You have Time Capsule backups. You have Synology NAS backups. You have Carbon Copy Cloner “Backups” (clones). You have …

Ok. I’ve made my point. Anyone this paranoid ought to feel good. Problem is, they’re paranoid for a reason. Data just wants to die.

The “you” is “me” and I’m here to tell you that one small bit of my data almost didn’t make it. One folder full of almost-deleted images got lost; I had to pick it up from a last minute copy of the iMac’s user folder.

I had to do that because when I tried Time Machine’s “Browse Other Backup Disks…” feature (option key)  …

[Image: Screen Shot 2015 10 31 at 11 50 45 AM]

… it didn’t actually work. That is, I got the right list of disks ...

[Image: Screen Shot 2015 10 31 at 11 36 11 AM]

but when I selected one of them Time Machine showed me only data from my current Device’s current state — and no past data.

I did this first using a Synology NAS backup replacement for my died-young Time Capsule. I thought I’d run into a Synology limit, but I got the same results from older Time Capsule backups. It turns out that “Browse Other Backup Disks” really means “Browse Other Backup Disks … for the current device”…

Yeah, I hate Time Machine too. OS X Help has some entries on Time Machine, but there’s no real documentation. There’s nothing on “browse other backup disks”.

So, if you don’t have access to your original mac, you are sort of doomed. That’s what happened to me.

I say “sort of” because there are weak options. You can open the disk image and navigate Time Machine’s base storage. You don’t have access to the File System Event Store or hard links though, so things are hard to locate. EasyFind.app might help. Or you can use Migration Assistant, the official solution, and move large pieces of the backup to a local store (only most current versions of course). Maybe OS X Server has some special options …

You can also try Backup Loupe ($10). It doesn’t replace Time Machine’s time-slice views of data, but it does let you browse snapshots and search for file instances. I’m not sure it’s a big improvement on EasyFind, but I bought a copy for emergency use.

The bottom line? Time Machine is a sucky backup solution — just good enough to eliminate strong alternatives. But you knew that. If you don’t have a machine (Device) that “owns” a backup you can use Migration Assistant to copy the latest state of a large amount of data, or if you know a file name you can use EasyFind or Backup Loupe to browse.

Sure, Apple should fix this. They should fix a lot of things.

"Unable to contact iMessage server": try restoring from iCloud instead of iTunes

I picked up Emily’s SIM-Free [1] 64GB silver 6s from the Mall of America Apple store Friday night. I’d used Apple’s reservation system so that, in theory, I’d be in and out. Alas, Friday night at the Apple Store is a zoo — it still took 30 minutes. The staff were so stressed they didn’t try to up-sell AppleCare or setup a contract — just dropped the box in my hand and ran.

There’s an AT&T store in the MOA and it’s not incredibly busy, so we did our SIM swaps there [2]. My son was going from a 4s to Emily’s 5s, so he needed a new SIM.

I restored both phones from iTunes backups. Emily’s worked, though it was a bit choppy. I had to unlock the phone 1-2 times as it went from 9.0.x to 9.1. 

My son’s restore didn’t work. I completely erased the 5s before starting, but there was still an odd feeling about the way the restore proceeded, perhaps because the 5s was still on 8.x (I didn’t realize it had never been updated).  Yes “odd feeling” isn’t very helpful, but I wasn’t paying that much attention. I’ve been down this road a few times.

Prior to the backup I’d removed iCloud, iMessage and FaceTime from his account, planning to put them on post-restore. I had some trouble restoring iCloud — the phone hung on credential entry. I restarted and it seemed to work — but then iMessage and FaceTime weren’t activated. When I enabled them I got a very cramped non-iOS 9 dialog for entering username and password.

I’ve seen that dialog before. It’s something very old — I suspect it’s hard coded for non-retina screens and dates back to the dawn of the iPhone, pre-iCloud. It’s a bad sign, it exposes Apple’s still broken iOS credential management problems [3]. When I did enter my son’s credentials the dialog hung, waiting for a response. I could kill settings; iOS wasn’t frozen. I let it sit for 15 minutes and it eventually responded with something like “Unable to contact iMessage server”. I don’t think there’s a problem with the iMessage server, I think that’s a misleading error message meaning “something went wrong”.

I called AT&T phone support to confirm the IMEI/ICCID relationship was correct at their end. I’ve had my issues with AT&T, but they must give their support staff very good coffee. They are remarkably pleasant and helpful. AT&T’s configuration looked good.

So either the phone was having hardware issues or something had gone wrong with updating one or more of Apple’s configuration systems. There’s lots of evidence that Apple wants iTunes to “die in a hole”, so I decided to try it Apple’s way. I did an iCloud backup, wiped the phone, and restarted with an iCloud restore.

That went smoothly. During the restore I had my son’s Mac account open for Keychain share confirmation, and I got the usual “FaceTime is using..” dialogs. I didn’t have to enter any extra credentials. iMessage and FaceTime activated immediately.

I suspect the combination of iTunes and iOS 8 to 9 and my removing FaceTime/iMessage/iCloud prior to backup exposed a nasty bug in Apple’s frail authentication systems. The real lesson though is that iTunes backup is seriously deprecated. I’d been moving to all iCloud backup and just doing a manual backup to iTunes every few weeks; that’s obviously the way to go.

- fn -

[1] We are currently AT&T customers, and there’s a case to be made that an unlocked AT&T 6s has the best set of antennae and band coverage for AT&T and even international use. You can’t, however, buy an unlocked AT&T iPhone directly, you have to buy it on plan then pay the plan cost to unlock it. Our AMEX purchase protection and extended warranty only work when the full purchase price is on the card. Hence SIM-Free.

[2] In theory you can move a compatible AT&T SIM from phone to phone yourself, but in practice I’ve seen some odd things. AT&T reps tell me their systems don’t update the ICCID (SIM)/IMEI relationships automatically, or at least not immediately. I think this causes some iMessage/Facetime activation delays.

[3] There are separate credential stores for iMessage, FaceTime, iCloud and the App Store — and perhaps for 1-2 other items. If you migrated from me.com to iCloud.com some of these systems require two sets of credentials. Apple tries to hide this from users, but any number of bugs will expose it.

[4] To fit into the iCloud 5GB limit I routinely delete obsolete backups of old phones and I move Photos.app data to our local machines. I see that with 9.1 there are now more controls on what’s part of an iCloud backup, though they are a bit hard to find.

Thursday, October 29, 2015

File sharing for the all-MacBook home

Lifehacker’s guide to home file sharing was written in 2010 for Windows users. Excluding a traditional server/file share, the options back then were Dropbox, a NAS, and peer-to-peer sync solutions. Things haven’t changed much since then.

Now that I’ve retired our iMac and gone all-MacBook, I need one of those solutions for a small number of files (MBs, not even 1 GB). Our home’s options are Dropbox, Google Drive, Microsoft’s OneDrive, a Synology NAS with or without Synology Cloud Station, Mac LAN based sync solutions (ex: ChronoSync, note MSFT bundles this with Windows), and an Airport Extreme external flash drive.

There are lots of options, but nothing is quite perfect. Dropbox, Google Drive and OneDrive all move our family data into the Cloud — and I’d like to not worry about that. Sync solutions mean new software, but perhaps only on one machine.

I’m going to stick our unused $20 SanDisk Ultra Fit 64GB flash drive in back of the Airport Extreme. I already use Carbon Copy Cloner as part of our nightly backup; I’ll just back the AE Flash Drive up to a disk image on one of my OWC Thunderbolt 2 dock drives. They in turn are backed up by both CCC (to removable drives) and Time Machine (to the Synology NAS).

That should be good enough. Keep it as simple as possible…

Update: oops. "When you use Airport Utility to change AirPort Extreme Shared Disk(s) security it *seems* to wipe out everything on the disk. Except free space shows data is still there.”  The AE has an operating system with some kind of file system support and access controls, but we have very limited access to it.

This Apple article partly explains what is supposed to happen. From Airport Utility we can create username/password “accounts”. Say “Parent” and “Kids”. When a client connects you are asked username/password, that gives access to the Folder of the same name as well as a “Shared” folder. So Emily and I connect as “Parents” and see the “Parents”  and “Shared” folder, but we don’t see a “Kids” folder unless we connect with that username password.

There’s no way for me to connect to the AE shared disk (partitions?) and see everything.

When I insert the flash drive into my MacBook I can see how it’s organized, including the folders that were on the flash drive when it was “password” access rather than “account” access.

[Image: Screen Shot 2015 10 29 at 1 16 43 PM]

When I switched “Secure Shared Disks” from “With a disk password” to “With accounts” it didn’t wipe my data, it created a Users folder containing the “Parents” folder and hid the existing folders. I thought I also created a Kids user, but I don’t see that Folder. Bug?

Hmm. This is a bit weird. I could experiment with partitioning the thumb drive on my Mac, but I think I need to look more at the Synology.  The AE’s file sharing security model seems to make backup impossible.

Update 2: I’ll rewrite this when I finalize things, but it looks like the Synology NAS gives me the permission controls I need. I’ll put the shared files there, then use CCC to put them back on an image on my laptop. That image will in turn go back to the Synology NAS Time Machine backup as well as to my local CCC backups.

Update 11/21/2015: I ended up enabling Synology Cloud Station, including installing the Mac client for both Emily and me. So our relatively small amount (1.5GB) of shared data exists on the Synology NAS (not backed up) and on both of our machines (so multiple backups). It is a strange outcome for the old file sharing/NFS/WebDav model and it doesn’t seem the most elegant solution, but sync seems to be the current technology direction. (Dropbox would be simpler, but we wanted to keep the data local and, of course, Dropbox costs money. The Synology NAS also supports a BitTorrent sync package but the Cloud Station seemed to have more users.)

Configuration was a bit odd — you do need to read the documentation. The default setup is within one’s “Homes” folder, so if you want to share with two users (workgroup) you need to create a folder outside that NAS hierarchy and choose that for sync.

Update 8/23/2016: Synology Cloud Station / Cloud Drive (it has many names) has stopped working reliably with El Capitan. I’ve given up on it. Emily’s MacBook is largely home so I’m moving these files to her machine and making them a file share. Sometimes I won’t have access, but I’ll move some things to a Google Drive we share.

Tuesday, October 27, 2015

iCloud Settings: remove devices, restore some iCloud content (but not Notes)

An Apple World post on El Capitan’s iCloud device management tools led me to check out what iCloud Web Settings supports. It has similar functionality:

[Image: Screen Shot 2015 10 27 at 8 30 09 AM]

From this web UI, as in El Capitan, you can remove devices from your iCloud account — including a machine that’s died or been sold.

There’s also a “restore files” option — the beginning of a backup solution for Apple’s iCloud services. It’s limited to iCloud files, Contacts and Calendars — there’s currently no support for restoring Notes.app files (sadly). I didn’t see any way to accelerate deletion of files — once data goes to the Cloud it is beyond our control.

Restores are all or none — you can’t restore only some Contacts.