Sunday, July 24, 2016

FileVault 2's Undying Guest User bug - the El Capitan edition.

Today’s post-El Capitan update bug is a ghostly Guest User account that appears only on restarting an El Capitan Mac with FileVault 2 enabled, Guest User disabled in System Preferences:Users, and Find My Mac enabled. The configuration for this pre-decryption login is running out of the UEFI EFI system partition. The one thing this Guest User can do is run Safari; the primary partition remains encrypted. There are no Parental Control options (that’s a problem).

I’ve read claims that this is a feature. Some misguided Apple engineer thought it would be a good idea — a kind of Honey Pot that would tempt a thief to go online and thus trigger Find My Mac.[1] It becomes a problem with kids who have issues with internet abuse; they get an open browser.

My own suspicion is that this is a partly-implemented undocumented “feature” that is buggy because it was never tested. Maybe it was partly pulled from the release. Not only does it appear unpredictably, it has other associated problems. If you enable the Guest account in System Preferences there’s sometimes an option to enable Parental Controls and sometimes not. Even when there is an option to enable Parental Controls it doesn’t actually work. I’m also unable to get a true Guest account to work — even when I don’t see the “safari only” warning in System Preferences the Guest Account never decrypts the primary partition.

There may be more than one bug involved — perhaps something related to failure of new computer / upgrade to notify EFI infrastructure of a preference change. I suspect it’s the worst kind of bug — an undocumented feature that was partly pulled from a release and lurks in code.

It’s not new to El Capitan; it’s been happening intermittently since Lion. It may be more frequent in El Capitan. I updated two FileVault 2 machines from Yosemite to El Capitan and only one has the ghost account.

I reviewed 3 options on apple.stackexchange.com [2] dating as far back as Lion with updates for 10.11.

The fix that worked for me was edited as recently as 6/2016. Basically you turn off Guest Account and Find My Mac in System Preferences. Then you disable System Integrity Protection so you can “touch” a System EFI resource, which forces an EFI update, then reenable SIP. When I did that System Preferences had Guest Account enabled again, even though it wasn’t showing up. I disabled Guest Account and enabled Find My Mac and the ghost seems to have been exorcised.
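A check for the configuration this post describes (FileVault 2 on, Guest User off, Find My Mac on) and for SIP being back on after the fix, as an added example that is not from the original post or the Stack Exchange answer. It assumes the usual output text of `fdesetup status` and `csrutil status`, the `GuestEnabled` loginwindow preference, and the `fmm-mobileme-token-FMM` NVRAM variable; the function name and result labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): classify a Mac against the configuration
# the post describes. Arguments are the captured text of four commands:
#   $1  fdesetup status
#   $2  defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled
#   $3  nvram -p     (assumption: Find My Mac sets fmm-mobileme-token-FMM)
#   $4  csrutil status
# Result labels are hypothetical names chosen for this example.
ghost_guest_audit() {
    fv=off; guest=off; fmm=off; sip=off
    case "$1" in *"FileVault is On"*) fv=on ;; esac
    if [ "$2" = "1" ]; then guest=on; fi
    case "$3" in *fmm-mobileme-token-FMM*) fmm=on ;; esac
    case "$4" in *"status: enabled"*) sip=on ;; esac

    if [ "$sip" = off ]; then
        # The fix disables SIP temporarily; it must not be left off.
        echo "SIP_NOT_REENABLED"
    elif [ "$fv" = on ] && [ "$guest" = off ] && [ "$fmm" = on ]; then
        # FileVault on, Guest off, Find My Mac on: the Safari-only guest can
        # still appear, so confirm at the FileVault pre-boot login screen.
        echo "CHECK_PREBOOT_GUEST"
    elif [ "$fv" = on ] && [ "$guest" = on ]; then
        echo "GUEST_ENABLED"
    else
        echo "OK"
    fi
}

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FV="FileVault is On."
SAMPLE_NVRAM="fmm-mobileme-token-FMM  bplist00%d1%01%02"
SAMPLE_SIP_ON="System Integrity Protection status: enabled."
SAMPLE_SIP_OFF="System Integrity Protection status: disabled."

ghost_guest_audit "$SAMPLE_FV" "0" "$SAMPLE_NVRAM" "$SAMPLE_SIP_ON"
ghost_guest_audit "$SAMPLE_FV" "0" "$SAMPLE_NVRAM" "$SAMPLE_SIP_OFF"
ghost_guest_audit "$SAMPLE_FV" "0" "" "$SAMPLE_SIP_ON"
```

On a Mac, pass the live command output instead of the samples, for example `"$(fdesetup status)"` as the first argument.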
 
I think reinstalling El Capitan from Combo Update would have worked too — it also forces an EFI refresh [3]. I wonder if one could even have used the reinstall operating system feature in the Recovery mode.
 
- fn -

[1] This has been seen as far back as Lion and there’s a good description in this Yosemite article on FileVault 2.

Ten Things You Might Not Know About FileVault 2 | Der Flounder - Dec 2014 (Yosemite)

One unusual feature of FileVault 2 is that sometimes a Guest User icon will appear at the pre-boot login screen.

[Figure 4: Guest account appearing at the FileVault 2 pre-boot login screen]

When you log in as that guest user, you don’t get access to your hard drive. The only thing you get access to is Safari and a network connection. Quitting out of Safari will return you to the FileVault 2 pre-boot login screen.

[Figure 5: Guest account restarting to Safari-only mode]

[Figure 6: Guest account’s Safari-only access]

To my knowledge, Apple has never commented specifically about this guest user but it appears the guest user is an anti-theft measure. The guest user’s appearance at the pre-boot login screen is a feature tied to signing into iCloud and enabling the Find My Mac option.

[Figure 7: Enabling the Find My Mac option in System Preferences’ iCloud preference pane]

One consequence of logging into the guest user is that, as soon as the Mac gets a network connection, it will immediately connect back to Apple and report its location information.

[Figure 8: Computer’s location displayed on iCloud’s Find My iPhone website]

If you don’t sign in with iCloud and then enable Find My Mac from that machine, the Guest User icon will not appear on the FileVault pre-boot login screen. That said, mobile device management solutions that track a machine’s location may also trigger the Guest User icon to appear.

[2] Apple has killed Apple Discussions with their latest update.

[3] Despite waiting a long time to do my El Capitan upgrade I ran into an unexpected behavior with an updated installer that wasn’t actually updated. So my main machine went to 10.11.2. I wonder if I’d actually gone to 10.11.5 if this problem would have shown up. It seems to be related to a bug with EFI partition updates.

Saturday, July 23, 2016

Aperture in El Capitan: Not showing the workspace? (and other known issues)

Here’s a partial list of known issues for Aperture in El Capitan from an old discussion forum link [1]:

  • The thumbnails in list view are upside down. (Apple has been intermittently screwing up EXIF orientation tags since iPhoto 5.)
  • If you add a Curves adjustment the straighten adjustment will not be visible in the exported images. The exported images won’t show straightening. (This is unpredictable behavior.)
  • When brushing adjustments, the position can be slightly off, one pixel or so.
  • The link to the plug-in page no longer works in the Aperture menu (this is Yosemite too)
  • You can no longer order print products from Aperture (Yosemite too)
  • Soft proofing is broken
  • When exiting app the progress window that’s displayed has no content

The levels/straighten export bug is the worst I’ve read about.

Except for what happened today. Aperture opened, but the workspace was somewhere else in space. It acted like it was off-monitor somewhere. Aperture worked normally in a different user account, so I figured it was something about my account. Removing preferences didn’t help.

I changed Mission Control so that Dashboard was no longer a space — and Aperture’s workspace returned. But reenabling Dashboard space didn’t affect Aperture.

Someone noticed in El Capitan beta that the workspace might vanish. In which case clicking on the Aperture icon in the Dock would restore it. If it happens again I’ll try that, and also the Aperture context menu Windows item.

[1] Apple’s new Discussion Forum software is amazingly broken. They really can’t do anything right any more. Fortunately I’d Pinboarded that link.

PS. Aperture has more trouble with El Capitan than most older software. Perhaps it’s more dependent on undocumented features than other software, or perhaps the code base is unusually problematic.

Update 7/24/2016: I’ve just seen iTunes lose its workspace. El Capitan really doesn’t want Dashboard to be a space. At least not the way I have Mission Control setup. I made it an overlay.

Update 9/22/2016: Apparently if you apply AutoEnhance first you can avoid the levels/straighten bug. 

Update 9/28/2016: Aperture is being tested in Sierra. It works well for relatively modern hardware, so there’s cautious optimism for good support by the .2 release (Feb 2017?). It crashes badly with older Sierra-supported Macs. freediverx01 reported on the status of known El Cap bugs in Sierra:

  1. Thumbnails are upside-down in list view
  2. With a Curve adjustment and then a straighten adjustment - the exported image is OK
  3. Brush adjustments - seem OK - no offset
  4. Link to Plug-in menu is OK - I used BorderFX as a test
  5. Soft Proofing does not work
  6. Full Screen (f) is OK - does not freeze Aperture

Friday, July 22, 2016

Life with Satan's Own Backup: Synology Time Machine Backup goes bad

A few days after my carefully delayed update from Yosemite to El Capitan, Emily’s MacBook Air complained it couldn’t run its Time Machine backups to our Synology DS215j NAS. I can’t say if this was related to El Capitan or not, but I do wonder about El Cap’s relative deprecation of AFP (which Synology/Time Capsule needs).

The usual approach to this problem is to use the Synology web interface to run “File Station” and delete the .sparsebundle from there (don’t even think of trying to do this through the Mac Finder) then start over.

Instead I ran through a checkup of the NAS. I didn’t find anything — but did update my notes on the confusing configuration (every machine has a dedicated Synology username and quota). I tried various things to mount the old sparse bundle including disabling SMB, etc. Nothing worked, I couldn’t make use of the existing backup.

So then I installed a (long!) physical ethernet cable and tried Finder (AFP) copying the .sparsebundle to a local drive so I could browse it efficiently. Every time I tried it quit at about 54GB with a message like “The operation can’t be completed because you don’t have permission to access some of the items.” A different 60GB file copied normally.

I figured that was a bogus error message from a corrupt file, so I used Synology to copy the 200GB directory internally. It copied well, no sign of a file system problem. I deleted the original and I was able to Finder copy the Synology copy to my local machine. BackupLoupe could even browse it, because, you know, you can’t use Time Machine to access a backup unless you’re on the original machine (which is why it’s Satan’s own backup).

All very occult. It’s probably something to do with extended attributes, AFP, and some kind of El Capitan bug.

Oh. And I started over. Of course.

Update 8/29/2020: Backup also failed when I upgraded the old Air from Sierra to High Sierra. Good thing I have alternatives to this TM backup.

Thursday, June 30, 2016

iCloud MailDrop for distributing archival quality photos (sports teams, etc)

Inspired by an AWT post I did some testing to see how iCloud MailDrop handles a set of image attachments. I’ve blogged previously that archival/group distribution of large photo images is an unsolved problem.

It turns out MailDrop is a pretty interesting solution. You can use it to send 5GB of images at a time for a maximum quota of 1TB. Images are available for download for 1 month. That’s weirdly generous by Apple standards. Since iCloud accounts are now available to anyone this option is universally available. (Correction: AppleIDs are universally available, and they include access to Apple’s web based productivity apps, but non-Apple customers don’t get the rest.)

I tested using the iCloud web interface for Mail - Mail.cloud. I turned on MailDrop in preferences:

[Screenshot]

With this enabled I selected about 60MB of images from a folder of Mac background images using the Mail.icloud attachment interface. After selection there was a note that they’d be sent by MailDrop. It’s hard to predict when MailDrop is used, Apple says it happens when the “ISP limit is exceeded”. I’m guessing 20MB or so [1]; but it would be preferable to have a manual way to activate AirDrop. (I’m pretty sure it’s 15 to 20 MB — and Apple doesn’t know what the cap is for corporate email accounts.)

I received the images in Gmail. The result was surprisingly attractive …

[Screenshot]

The email was composed of thumbnails, if you click on an image you get …

[Screenshot]

Since there’s no authentication one can send the message to oneself and forward it. I don’t normally use iCloud mail, but I could use it for distributing sports team images by sending the email to my gmail account then redirecting it.

If you want to provide a package of images that can be downloaded all at one time you need to compress them first and upload the archive. When I use this feature to share sports team photos I’ll probably do both — attach the images separately and include an archive. I may also share the archive URL in a team web page.

Apple has been curiously quiet about this feature. It may be the best way to distribute archival images available anywhere.

Here’s an edited example of an image URL, emphases mine:

https://www.icloud.com/attachment/?u=https%3A%2F%2Fcvws.icloud-content.com%2FB%2FAZOlwq83HR6i_J8Iqv1ETh96sCvWAQH591dTXxiV9rUgQPlOMjcbZQpT%...b2db-9ff6a7f032be-1%26ckc%3Dcom.apple.largeattachment%26ckz%3DApple-Webmail%26y%3D1%26p%3D42%26s%3DmfAJoJBJFepF6jaBPKqUJmnFHhI&uk=Oz_h26l5GHgaU53IUocfzg&f=NaturePatterns06.jpg&sz=5581904

- fn -

[1] It’s 20MB and there doesn’t seem to be a stable technique for lowering the threshold. This would be much nicer if it were manually adjustable. I’ll create a 15MB “filler file” to attach to emails I send to my gmail account, then I’ll resend from there stripping the filler file.

Wednesday, June 29, 2016

Photos 1.0.1 bug: Export Unmodified Original includes deleted images

Pretty simple bug: “Export Unmodified Original” includes deleted images. You have to empty trash to avoid this one. Happens when I select all images in “All Photos”.

Apple’s software quality continues to explore new lows. I’m still on Yosemite, it’s possible this doesn’t happen in El Capitan.

Tuesday, June 28, 2016

Microsoft OneDrive does archival photo sharing better than I thought (with one bug)

Yes, I’m being cautious.

In testing, however, I can do this:

  • Create a folder that I can upload full resolution images to and ALSO make it shareable so other OneDrive registered users can upload to it.
  • Create an album that is based on that folder.
  • Share the folder-based album to people who do NOT have a OneDrive account.
  • Update that folder-album using the web UI. (Switch to Files, choose Create Album from Folder. If the folder actually exists then it updates - including deletes.)

Unfortunately there’s a bug with the undocumented update feature. In addition to updating the album it creates duplicate albums with an iterating integer suffix. The duplicates are easy to delete. I can’t see how to submit a bug report for OneDrive unfortunately.

The current behavior is very close to what I want for sharing images in our sports team. There are also album share to Facebook options.

I haven’t tested whether any ICMP metadata will be used by the albums. There don’t appear to be any Photos.app uploader plugins but I’m still using Aperture so I’d be exporting.

I have 1TB of OneDrive data thanks to my Office 365 subscription. That subscription, which supports installs of Mac apps as well as Access on my Win10 VM, has been a great purchase.

Thursday, June 16, 2016

You cannot reclaim a personal email address used by a stranger's Facebook account.

I think Facebook knows this very well. They closed a discussion thread on this that’s over a year old, and you can’t start a new thread — Facebook will say the answer already exists. 

Their help documentation is incorrect:

[Screenshot]

If you try to do this you’ll be told the email is claimed, there’s no way to reclaim. You can use a password reset to lock the other person out of their account (assuming you don’t know the attacker’s password) but you will still be unable to reclaim your email address. (In my wife’s case Facebook messages were being sent to her spam folder, so she probably missed the notification that the email address was being used.)

We ran into the same problem with Skype, but there it is possible to take the account back.

Update: this is a very old problem - 2012. The abuse page link simply redirects to the “email notifications that don’t belong to me” page, where the advice doesn’t work. I’ve tried Facebook’s “report a problem” page but I’m not optimistic:

[Screenshot: Fb report]

Update 6/17/2016:

I found another Facebook page for this issue that has a different workflow:

https://www.facebook.com/help/contact/255904741169641

It at least does not fail immediately.

Or, you can pretend you don’t already have a Facebook account. Use an incognito window and try this one:

https://www.facebook.com/help/contact/537325953055459

Looks like every Facebook engineer has their own independent process…