***

Recovering Ecto drafts

April 29, 2007

Recently I moved Jasonian.org from the Mac behind my DSL line to a “real” webserver at Dreamhost. For some reason I don’t remember, this required me to make a change in Ecto, the tool I use to write and publish to Jasonian.org, and in doing so, I lost all the drafts of articles or ideas I’d written but not published.

Aarrgh!

I searched the Ecto forum and found many others complaining about lost drafts. The only solution presented was by the developer, suggesting we send him a pair of files and he’ll try to reconstruct the missing entries. Although appreciated, it didn’t sound promising.

Ecto had made a backup of the “working” file when it created the new file (thank goodness for small favors, it turns out). Simply renaming the file from “entrydata_backup.plist” to “entrydata.plist” didn’t work, even though when I opened the .plist file in BBEdit I could see all the drafts there. I decided to poke around the files a bit.

I tried copying an entry from the backup to the main file, and it didn’t show up. It took a couple of minutes of poking around but I eventually did notice that some of my draft entries were listed in one tag as

<key>url</key> <string>http://jasonian.org/</string>

while others were listed as

<key>url</key> <string>http://www.jasonian.org/</string>

Hm. Could a simple “www.” make a difference? Yes! If I copied an entry to the main file with “www.jasonian.org”, it didn’t show up in Ecto, but did show up as “jasonian.org”! A few more minutes in BBEdit finding and replacing appropriate entries, and voila, all my drafts were back!

This method may not work universally, but if your drafts disappear, check to see if your url key is set to something other than what you expect.
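The find-and-replace described above, done from the shell instead of BBEdit, as an added example that is not part of the original post. It rewrites only the value that follows a `url` key so every draft uses the host the main file expects; the host names and file names are those from the post, and the sample plist it builds for testing is constructed here rather than taken from Ecto.

```shell
#!/bin/sh
# Added example (not from the original post): normalize the "url" values in a
# copy of Ecto's entrydata_backup.plist before renaming it to entrydata.plist.
# Work on a copy and keep the original; sed -i.orig leaves a .orig file behind.

# Replace the host inside <string>…</string> url values only.
#   $1 = plist file to edit, $2 = host to replace (e.g. www.jasonian.org),
#   $3 = host to write instead (e.g. jasonian.org)
normalize_url_host() {
    sed -i.orig "s#<string>http://$2/</string>#<string>http://$3/</string>#g" "$1"
}

# Count how many entries still carry a given host ($1) in a plist ($2), so the
# rewrite can be confirmed before the file is handed back to Ecto.
count_host() {
    grep -c "<string>http://$1/</string>" "$2" || true
}

# Constructed sample standing in for entrydata_backup.plist: two drafts, one
# filed under the www host and one under the bare host, exactly the mismatch
# the post describes. Written to the path given as $1.
make_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
<dict>
<key>title</key><string>Draft one</string>
<key>url</key><string>http://www.jasonian.org/</string>
</dict>
<dict>
<key>title</key><string>Draft two</string>
<key>url</key><string>http://jasonian.org/</string>
</dict>
</array>
</plist>
EOF
}

# Usage: copy the backup, normalize it, then check nothing is left on the old host.
#   cp ~/Library/Application\ Support/ecto/entrydata_backup.plist /tmp/entrydata.plist
#   normalize_url_host /tmp/entrydata.plist www.jasonian.org jasonian.org
#   count_host www.jasonian.org /tmp/entrydata.plist   # expect 0
```

The path to the Ecto support folder in the usage comment is an assumption; the post does not say where the two plist files live. Run `count_host` for both spellings of the host before and after the rewrite so you can see that every draft ended up under the one the main file uses.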


***
***

Thwarting MacLockPick with two clicks?

April 27, 2007

MacLockPick is a $500 USB flash drive from SubRosaSoft. It claims to be

a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems…. with as little interaction or trace as possible.

You insert the USB drive into a Mac, run some software, and it will copy a bunch of sensitive information to the flash drive. Among the information copied:

  • the user password of the logged in user
  • passwords for encrypted disk images, iTunes music store and iChat login
  • login and passwords for web sites, email accounts, online stores and .Mac accounts
  • a list of all the key user folders, with their creation dates and date of the most recent access
  • paths to files opened in the Preview application
  • recent applications, documents and servers
  • contacts stored in Address Book
  • search terms from Safari’s Google search bar
  • Safari bookmarks
  • web cookies, which may include login information to secure sites
  • web browsing history

Wow. That’s a phenomenal amount of sensitive information available. Is it possible that you can thwart such a device with two mouse-clicks?

The device “is not for sale to the general public” and anyone buying it must prove they “are a licensed law enforcement professional”. No word on what proof is required. (I got to the point in the order process where I was asked for my eBay payment information, without any request for some kind of proof.)

From what I can tell (there is understandably little detailed information on SubRosaSoft’s website), much of the application (all the password stuff) works by taking advantage of Mac OS X keychain’s default settings. You, Mr. or Ms. Mac user, have a “keychain” that stores all of your logins and passwords, and an application (called, intuitively enough, “Keychain Access”) to manage those items. You only have to remember one password (the keychain’s) instead of dozens or hundreds of individual ones, and application developers don’t have to write dozens or hundreds of different ways of storing secure information: they just use the keychain.

By default, when you log in, your default keychain is unlocked for you. It re-locks automatically after your computer’s been idle for some time. The keychain resets to the default “unlocked” setting when you wake your computer from sleep. This means if the keychain happened to be locked when you put your computer to sleep, it will, by default, be unlocked upon wake.

This is meant as a convenience to you: when you’re actively using your computer and an application needs a stored username or password, the application gets that information from the keychain without interrupting your work. When you’re not using the computer actively, the keychain is locked, protecting your secure information from casual attackers.

This convenience appears to be the vector SubRosaSoft uses for MacLockPick:

Once awakened a Mac will return its keychain access levels to the default state found when it was initially put to sleep. Suspects often (and usually) transport portable systems in this sleeping state.

If my assumption is correct (I’ve asked SubRosaSoft to confirm or deny this; I’ll let you know if I hear back), thwarting MacLockPick is as simple as checking two boxes in the Keychain Access (found in /Applications/Utilities):

[Image: Keychain security options highlighted]

You’ll find these checkboxes in Keychain Access under the Edit > Change Settings for Keychain “login” menu.

The first checkbox (“Lock after # minutes”) will lock your keychain after the set period of time. After five minutes (in this example), any application needing access to your keychain will result in a prompt for your keychain password.

With the second checkbox (“Lock when sleeping”), applications needing access to your keychain after your machine’s awoken from sleep will likewise prompt for your keychain password.

Both items make it more likely that at any given moment your keychain is locked, and therefore inaccessible to applications without your direct intervention. What you lose in convenience you gain in security. (And yes, actually setting this to five minutes will certainly drive you batty if your applications need stored passwords a lot.)
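The same two settings can be applied from the command line with Apple's `security` tool, which is handy if you want to set them on several machines or confirm they stuck. This is an added example, not from the original post or from SubRosaSoft; it assumes the login keychain is at the standard path below and takes the lock timeout in minutes, as the Keychain Access dialog does.

```shell
#!/bin/sh
# Added example (not from the original post): enable "Lock after # minutes"
# and "Lock when sleeping" on the login keychain with Apple's `security` tool.
# Assumption: the login keychain lives at the standard path below.

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain"

# The dialog takes minutes; `security set-keychain-settings -t` takes seconds.
minutes_to_seconds() {
    echo $(( $1 * 60 ))
}

# Build the command that turns on both checkboxes:
#   -l  lock when the system sleeps
#   -u  lock after the timeout interval
#   -t  timeout in seconds
# $1 = minutes, $2 = keychain path
harden_cmd() {
    printf 'security set-keychain-settings -l -u -t %s %s\n' \
        "$(minutes_to_seconds "$1")" "$2"
}

# Apply the settings (macOS only) and print the keychain's settings afterwards
# so you can see the lock-on-sleep flag and the timeout. Defaults to 5 minutes,
# the value used in the post. Returns 2 where the `security` tool is absent.
harden_login_keychain() {
    minutes=${1:-5}
    if ! command -v security >/dev/null 2>&1; then
        echo "security tool not found; would run: $(harden_cmd "$minutes" "$LOGIN_KEYCHAIN")" >&2
        return 2
    fi
    security set-keychain-settings -l -u -t "$(minutes_to_seconds "$minutes")" "$LOGIN_KEYCHAIN" \
        && security show-keychain-info "$LOGIN_KEYCHAIN"
}

# Usage:  harden_login_keychain 5
```

`security show-keychain-info` is the check: after running the function it should report the keychain as lock-on-sleep with a 300-second timeout. Without `-l`, the keychain keeps the wake-from-sleep behaviour the post describes, so both flags are needed to match the two checkboxes.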

Why would I write about a way to potentially thwart a supposed law enforcement device?

First, the default settings for Keychain Access are less secure than they could be. Clearly Apple made a conscious choice here, coming down on the side of user convenience in leaving the two options off by default. That’s probably the right choice, one I’ve never had the need to rethink until now.

Second, I’m merely pointing out two checkboxes Apple has included in Keychain Access. They’re clearly there for those who wish to enhance their computer’s security. In fact, the National Security Agency (NSA) Systems and Network Analysis Center (SNAC) have this very recommendation in their “Mac OS X Security Configuration For Version 10.4 or Later, Second Edition”.

If this method prevents covert access via MacLockPick to sensitive information (and I still don’t have confirmation that it does), law officials will still have other methods of accessing the information, while I have some peace of mind that MacLockPick won’t be misused on my machine by some unscrupulous guy sitting next to me in a coffee shop.

Unfortunately, this would still leave much of your sensitive information ripe for the picking. Enabling OS X features like Safari’s Private Browsing, or using encrypted disk images, comes to mind immediately. I would suggest a thorough reading of the NSA/SNAC security configuration guide. I’ll write about some of my security escalation plans in the next couple of days.

Deeper-geek aside: The piece I’m unsure about is how MacLockPick has access to your keychain information without you giving it access. Any application can write to an (unlocked) keychain, but requires permission (in the form of asking for your password) to access any keychain item other than its own. It’s possible SubRosaSoft is bypassing the keychain APIs and using a much lower-level set of functions (the open source Common Data Security Architecture (CDSA) and the Common Security Services Manager (CSSM), which the keychain protocols are built on).

I’ll be looking into this detail using Apple’s Developer Connection website, where documentation on reading and writing to and from the keychain is available for application developers.

Update: A comment on Digg pointed me to another author’s take on this, along with that author’s suggestions for further securing your Mac.


***
***

AAPL second quarter breakdown, last five years

April 25, 2007

Curious of AAPL’s progress over the years, I did a quick review of Apple’s last five 2nd quarter financials:

                             2003        2004        2005        2006        2007
Net Profit (million)         $14         $46         $290        $410        $770
Earnings per Diluted Share   $0.04       $0.12       $0.34       $0.47       $0.87
Revenue (billion)            $1.475      $1.909      $3.24       $4.36       $5.26
Gross Margin                 28.30%      27.80%      29.80%      29.80%      35.10%
Macs sold                    711,000     740,000     1,070,000   1,112,000   1,517,000
iPods sold                   N/A         807,000     5,311,000   8,526,000   10,549,000
Cash on hand (billion)       $4.50       $4.60       N/A         N/A         N/A

  • N/A: Information wasn’t available in the press release for that quarter.
***
***

Apple sells 1.5 million Macs, 10.5 million iPods

April 25, 2007

Every recent AAPL quarter has blown me away. This quarter, Apple sold 1.5 million Macs and 10.5 million iPods, and made $5.26 billion, with a profit of $770 million ($0.87 a share). That’s three months of sales. Last year at this time, Apple had sold 1.1 million Macs and 8.5 million iPods, and made $4.36 billion and a profit of $410 million ($0.34 a share).

Wow.

AAPL reacted after hours, shooting up to $103 a share, before settling down to about $100 a share. Thursday’s opening and trading session should be very interesting. Will it open over $100? Will it trade higher, or lower?

I can’t wait to find out!

***
***

Your website music sucks

April 22, 2007

Dear Website Owner:

Your musical taste sucks.

I don’t want to hear your crappy choice of songs when I visit your site.

If you’re going to force me to listen to your music, to the point where you won’t even offer a mute button, I’m not going to spend much time on your site.

That means I’m not going to buy your product or use your service.

Are you listening, EverBank? Your web tour, with its GarageBand-y pop-synth soundtrack, stopped me from seriously considering you as a replacement for my banking needs.

Do you hear me, Canto Do Brasil? I won’t be bringing 20 people to a celebratory dinner thanks to your 17 tracks of midi music.

If you want to give me the option of listening to your music, that’s fine, but put a god-damned mute button on your site!

Sincerely,

Jason.

***
***

E*Trade is driving me nuts

April 20, 2007

E*Trade is starting to work my last nerve. Yesterday I got an email from them:

Fri Apr 20 06:30:35 2007 – Funds Transfer Failure

Dear Valued Customer

Your payment request (Reference Number:########) of $### to E*TRADE Bank XXXXX from your XXXXX could not be completed.

Their website was equally unhelpful.

I sent in a customer service inquiry:

Can you tell me why this transfer failed? There is certainly enough money in the account.

A few hours later, they responded:

Dear XXXXXX, Thank you for your recent message in regards to a transfer from your XXXXX account to your XXXXX account. I would like to inform you that there was an error during the transit of the funds on 04/18 which caused the transfer to be cancelled. I apologize for any difficulties or frustrations this transaction may have caused. Please resubmit this transfer for further crediting to your XXXXX account. Please feel free to contact us if you have any further questions or concerns. Thank you for your valued and continued business. I hope this information has been helpful. Please let us know if we’ve addressed your questions and concerns satisfactorily by taking a 30-second survey at the following web address:

At which point they helpfully provided a survey.

They didn’t score high.

After fuming for a few minutes over the non-answer response, I replied back:

Hello, “There was an error” is understood by the error message I received. I would like to know why I received it, and why the $### to be credited to my ##### appears to have been deducted. Did the transaction fail or not? I show a $### deduction on 4/19 (“Etrade Bank Debit”). My XXXXX shows a “Last Payment Received” on 4/18 of $###. I’m extremely concerned about the system’s behavior, and I’m extremely concerned that my accounts are being incorrectly managed. This is not the first time I’ve received error messages for problems that seemingly didn’t happen. I need an exact explanation of what happened, and why.

And it’s true: it’s not the first time E*Trade has told me a transaction didn’t complete, that I didn’t have enough money in my account, or some other error that turned out to be utterly false. The last time it happened, it was an overdraft notice (when I had significantly more in the account to cover outstanding debits), and I was told

Please note that this is not an isolated incident. We have been upgrading our systems in order to provide the best services for our customers. The technical team is working assiduously to correct these issues. We appreciate your patience. We value your business very much.

If you really valued my business, you wouldn’t be rolling out new systems that cause known problems.

If it weren’t for the fact that my company uses ETrade to manage its Employee Stock Purchase Plan, I doubt I’d remain with ETrade much longer. Do you know of a good online bank? It needs the following features:

  • Free, unlimited and automatic ATM refunds. The other big reason I’m with E*Trade still. I can use any ATM in the world, and be refunded the access fee (even the $4.50 I was charged in Vegas!). Other places have a similar plan, but some limit the number of refunds in a month, while others require you fill out a form of some type.
  • Great online banking. I don’t do physical banks anymore, except to deposit the occasional paper check, so an easy-to-use and comprehensive functionality is important. That means easy transfers between internal and external accounts; recurring payments; a smart calendar that tells me when a payment will be delivered; and various reports.

Any suggestions for a great online bank would be much appreciated.

***
***

The perfect hot dog

April 8, 2007

I love hot dogs. Meat, bun, mustard. What’s not to love? And growing up in New York, it was easy to indulge: there’s a hot dog stand on every street corner in Manhattan. These “dirty water dogs”, as New Yorkers are wont to call ‘em, aren’t great food, but they’re most certainly good. And they’re convenient: they’re nearly perfect walk-and-eat food. When you’re done, you have a tiny wrapper to toss. You’d be hard-pressed to find a New Yorker who hasn’t eaten a ton of these.

Much better than the dirty-water dogs are the various “Papaya” hot dog locations: Papaya King, the original; Gray’s Papaya, my favorite, and others like Papaya Dog. Many post-alcohol-binge late nights of my youth have been spent downing two or three of these, with or without various juice drinks the stores serve.

After I wrote yesterday about wanting to buy a hot dog broiling machine, Y suggested I open a hot dog stand, as a way of justifying such an extravagant and otherwise useless purchase. Since I’m always looking for some business I can run, I figured I’d look into it, if only to know what it would take.

Alas, Gray’s Papaya doesn’t even have a website (it’s “under construction”), so I’m sure they don’t have any franchise opportunities. Papaya King does have a website and franchise opportunities, so maybe I’ll dig into them a bit more just to see what it might cost.

While I was doing the various Google-based searches1, I came across the requisite discussions on which hot dog is better, Gray’s Papaya, Papaya King, Nathan’s, etc. Many of the reviewers stated similar sentiments: the hot dog situation in New York is pitiful.

Why?

Because the hot dogs are long, thin, and don’t come bacon-wrapped, covered in avocado, or slathered with chili. It struck me: if you need that stuff on your hot dog, you’re really not there for the hot dog. Either you love the taste of a well-made hot dog, preferably grilled on one of those rotating ‘dog cookers, or the ‘dog is merely a conveyance for the various toppings you can stack on it.

I say: a really good ‘dog needs nothing but a thin stripe of spicy brown mustard. Anything else is uncivilized.

When Y and I were in New York for a few days last week, we stopped by a Papaya King late one night, since there wasn’t a Gray’s close to our hotel. While the ‘dog was good, it wasn’t great. I regret that Y’s first NY hot dog wasn’t the best example of what it could be.

Our next trip will have to include a jaunt to East 72nd Street and Broadway to visit Gray’s Papaya.


  1. Forgive the double-speak; I’d hate for Google to sue me for verbing their noun.
***
***

Hot Dog Broiler

April 8, 2007

For some unfathomable reason, Y won’t let me buy this fantastic hot dog maker (and bun warmer). I don’t understand the problem. It will cook 48 hot dogs at once, and warm 36 buns at the same time. It can broil up to 150 hot dogs an hour. And it’s a mere $759.

Sometimes I don’t get her.

***
***

iPod virus claim full of holes

April 5, 2007

The fine folks at Kaspersky Lab have claimed they have created a “proof of concept” virus for the iPod. Here’s how you might get this virus:

  1. Have an iPod
  2. Install Linux on your iPod
  3. Install the virus on your iPod
  4. Run the virus

Oh, and the virus doesn’t spread between iPods.

Please.

First of all, who the heck’s putting Linux on their iPod? And anyone who’s doing that probably knows not to install viruses and run them. And if they install something and it installs this “virus” then it’s a trojan horse, not a virus. And if it doesn’t spread automatically, it’s not a virus, it’s a worm.

Suggesting this is an iPod virus is like suggesting you can blow up your car by replacing the engine with a stick of dynamite and lighting the fuse: well, yeah, it’s still a car in the strictest sense, but it’s a stick of dynamite: of course you might blow up your car. And who the heck’s replacing engines with dynamite anyway?

A transparent attempt at publicity?

***
