Archive for the ‘General’ Category

Using Mac OS X FileVault 2 Whole-Disk Encryption with Long Passwords

Thursday, November 29th, 2012

I’ve been using KeePass for years to store my passwords for all the various sites, servers, etc. that I need to access. As such, I have liberated myself from having to remember any of them and can therefore choose entirely unguessable, randomly-generated passwords for highly-secure things like, for instance, accessing my online bank accounts.

I tried to use such a password on an external disk I recently attached to my Mac running OS X 10.8. I generated a 128-character password and let the corestorage framework get started on the multi-day effort of encrypting a 3TiB drive. Then I disconnected the drive to relocate it and when I plugged it back into my Mac, I was asked for the password in a dialog. No problem: drag-and-drop from KeePass into the password-entry dialog.

That didn’t work: the password-entry dialog isn’t a text-drop-target.

Okay, no problem: copy from KeePass and paste into the password-entry dialog.

That didn’t work, either: the password-entry dialog doesn’t allow text-paste actions.

Boo.

So I hand-entered the enormous password. Three times. All three times I must have screwed-up something. Maybe I thought an I was an l or a 1 or whatever. It doesn’t matter. It’s not going to work long-term: I’m simply not going to hand-enter a huge password whenever I want to access that disk.

Fortunately, a bit of Googling found this excellent post by Rich Trouton: http://derflounder.wordpress.com/2011/11/23/using-the-command-line-to-unlock-or-decrypt-your-filevault-2-encrypted-boot-drive/. His post describes all the things you can do from the command-line with corestorage including mounting encrypted volumes with a password entered through a Terminal window instead of a password-entry dialog.

Both drag-and-drop and copy/paste work with the command-line.

Sure, I have to go through the extra step of going to the CLI to mount that external disk (after dismissing the password-entry dialog when first attaching the device) but a) I’ve got the CLI open all the time anyway and b) I get to use my super-secure password without having to hand-type it.
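As an added illustration (not from the original post, and not Rich Trouton’s code either), here is the shape of the Terminal-side unlock. It assumes the volume’s CoreStorage logical-volume UUID is known (`diskutil cs list` shows it) and that `diskutil coreStorage unlockVolume <UUID> -stdinpassphrase` reads the passphrase from standard input; that is what keeps the pasted password out of the command line, the shell history and `ps` output. `DISKUTIL_CMD` is a hypothetical override so the function can be exercised on a machine without diskutil.

```shell
#!/bin/sh
# Added example (not from the original post): unlock a CoreStorage encrypted
# volume from the Terminal by feeding the passphrase on stdin instead of
# putting it on the command line, where it would land in shell history and
# be visible to `ps`. Assumes `diskutil coreStorage unlockVolume <UUID>
# -stdinpassphrase` is available, as it is on the OS X 10.8 system in the post.

# Overridable so the logic can be tested without a Mac (assumption, not a diskutil feature).
DISKUTIL_CMD="${DISKUTIL_CMD:-diskutil}"

# unlock_cs_volume LV_UUID
# Reads the passphrase from stdin (e.g. piped from pbpaste after copying it
# from KeePass) and hands it to diskutil on stdin. Returns diskutil's exit
# status, or 2 when no UUID was given.
unlock_cs_volume() {
    lv_uuid="$1"
    case "$lv_uuid" in
        "") echo "usage: unlock_cs_volume <logical-volume-UUID>" >&2; return 2 ;;
    esac
    # The passphrase never appears as an argument; only the UUID does.
    "$DISKUTIL_CMD" coreStorage unlockVolume "$lv_uuid" -stdinpassphrase
}

# Typical interactive use (Mac only): copy the password in KeePass, then
#   pbpaste | unlock_cs_volume 12345678-ABCD-...
```

After the unlock, the password is still on the clipboard until something replaces it; `pbcopy </dev/null` clears it by hand.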

Firefox Sync Non-start

Thursday, October 14th, 2010

I’ve been using the Firefox 4.0 betas recently, and I just noticed that Firefox Sync is available without a plug-in. I had never used Firefox Sync before, but I currently have 32 tabs across 4 windows open in my 3.6.10 install and it would be nice to be able to open them all in ff4 and see how the performance is, relatively speaking.

Firefox Sync seemed to be the best way to do it.

So, I installed the plug-in into 3.6.10 and restarted Firefox. I clicked on the sync button in my status bar and I was asked to fill-out the registration information. I always use KeePass for everything, so I created a new entry in KeePass and had it auto-generate a password. I tried dragging-and-dropping the password from KeePass but the “Next” button in the registration wizard remained grayed-out and unclickable. Weird. I tried typing a few things and got “too short” and “mismatched password” messages, so I tried good-old copy-and-paste and finally got it working. :(

I created an encryption key and appeared to get everything sync’d with the server. It’s tough to tell that it worked, because there is no feedback. Oh, well. The proof will be when ff4 grabs all those tabs and loads everything.

So, I go over to ff4 and click the sync icon in the status bar. I choose “I have used Firefox Sync on another computer” and it asks for my username and password. I enter my email address as my username and the password from KeePass, and get an error: Incorrect username and password.

Boo.

I check everything out, and I haven’t made any mistakes: I copy/pasted everything and it’s still not working. So I get smart and navigate to about:config in both browsers. I search for keys like ‘sync’ in both and notice that there are a bunch of non-default values in 3.6.10 that aren’t set in 4.0b. Not surprising. I start to read through them. I tried to set ‘services.sync.account’ to my email address to trick ff4 into thinking I had set up sync so I could just go in and modify whatever I wanted using the “Sync Preferences” interface. No luck.

I noticed further down that there is a ‘services.sync.username’ key (the last one alphabetically, so I didn’t notice it at first) and the value is some crazy thing I’ve never seen before. So, I copy that thing from Firefox 3.6.10’s about:config into the username field in the setup wizard in 4.0b, click “Next” and it accepts the password. Next question: what should happen on first sync? I choose “replace this computer with the sync server’s contents”: I want to get all my 3.6.10 stuff into 4.0, and I don’t care what I have already in 4.0.

I press the sync button and I get a message: Error while syncing. Looking in the Error Console, I can see it says “2010-10-14 17:53:54    Service.Main         WARN    Upgrade required to access newer storage version”. Fantastic. I evidently have the latest version of the Add-On in 3.6.10 and the latest built-in in beta (4.0b6) and they are incompatible.

Again, Boo.

So, I start looking at about:config again. services.sync.lastversion="@weave_version@" in 4.0b. That looks like an RCS replacement string. In 3.6.10, it’s set to "1.5". I try manually setting it to "1.5" in 4.0. No dice.

I start Googling for all kinds of things and wasn’t finding much (ever search for “XYZ doesn’t work”?). Finally, I stumbled onto these pages: http://groups.google.com/group/mozilla-labs-weave/browse_thread/thread/eb5ca48e5cd54713/69c68e11b85f2a38?hide_quotes=no and http://snarkfest.net/blog/2010/09/28/using-sync-on-the-bleeding-edge/

Evidently, since I’m using Portable Firefox, I’m a version behind and therefore incompatible with the version of the Add-On I just installed into 3.6.10.

Sigh.

I’ll see about upgrading. At least it didn’t completely toast all my tabs, etc. Just in case, I’ve already made a backup copy using the Session Manager add-on which has saved my digital life several times over.

Update: So, Firefox 4.0b7 didn’t ship at the same time as Firefox Sync 1.5, so the beta is now out-of-date. Looks like an upgrade to the add-on should work? Sounds counter-intuitive.

Update (2010-10-15): I installed the Firefox Sync 1.5 plug-in into ff4.0b and restarted the browser. I re-configured the sync (which looked a lot like the process built-into ff4b6 already, and not the process that I went through with the plug-in over in 3.6.10) and I’m still getting the same error. All advice I can find online is to install the plug-in into 4.0b6, but it appears that the plug-in doesn’t get used. Still waiting for 4.0b7. :(

SVG external stylesheet fails to load in MSIE and Adobe SVG Plug-in

Tuesday, August 31st, 2010

I recently became aware of a problem in CHADIS where our SVG images weren’t styling correctly in print previews: everything was black-and-white, except for a particular image that seemed fine. This was observed in MSIE 8 with the Adobe SVG plug-in, and also in Microsoft’s new MSIE 9 platform preview. Actually printing the image had the same problem as the print preview: no color.

The difference appeared to be that the working image had a completely in-line set of styles, while the broken images were referencing an external stylesheet. We confirmed that moving all the styles into the main image resolved the problem. That defeats the whole purpose of having an external stylesheet: sharing. At least we had a workable solution that we could implement if absolutely necessary.

I checked-out Adobe’s FAQ, and they claim to support external CSS files for SVG files. Weird. I looked at the files, again, and noticed that we were using a stylesheet that didn’t have a fully-qualified URL: it was a relative one:

<?xml-stylesheet href="/path/to/stylesheet.css" ?>

On a whim, I hard-coded a hostname into the stylesheet’s URL and, lo and behold, the stylesheet was loaded. This trick works on both the MSIE 9 preview as well as MSIE 8 with the Adobe SVG plug-in.

It’s unclear to me whether this is an MSIE problem (that the base URL isn’t properly set during printing) or an Adobe problem. Given that it occurs in both MSIE 8 with the Adobe plug-in, and MSIE 9 without the plug-in, I suspect it might be a fault in MSIE in general. In either case, only MSIE requires the Adobe plug-in these days, anyway, so it doesn’t matter whose fault it is. The solution, however, is to fully-qualify the URL for the stylesheet:

<?xml-stylesheet href="http://host/path/to/stylesheet.css" ?>

Once that’s been done, everything works, again.

Trapped DVD after a failed Snow Leopard Install on a Mac Mini

Wednesday, December 2nd, 2009

Yeah, that’s a long title, but I want it to be easily searchable on the web.

I have an Intel-based Mac Mini running Mac OS X Tiger. I recently procured a Snow Leopard DVD and read that you can, in fact, upgrade from Tiger to Snow Leopard. Snow Leopard has some cool new features that I thought I’d like, so I gave it a shot.

I inserted the DVD and the finder window came up showing me the “Install Mac OS X” option and I double-clicked on it. It told me it had to reboot in order to perform the installation, so I said okay and it rebooted.

(Note that I didn’t care what happened to my existing installation, files, etc… this machine is used for web application testing, so I don’t care if I wipe everything or not).

After a few minutes, the installer came up and asked me what language I wanted to use (English) and I continued the install. It thought about things for a while and then told me:

Mac OS X cannot be installed on this machine because it does not have enough memory.

My options at this point were: Restore from Backup and Reboot. I chose the latter, thinking that the DVD would eject and I’d be back to using my old Tiger install.

Instead, the DVD stayed in the drive and, after the reboot, the whole process repeated — basically, I was asked what language I wanted and then told that my computer didn’t have enough memory to install Snow Leopard. :(

So, I tried the most obvious thing any Mac user would do: I pressed the eject button on the keyboard. No dice. I held the eject button down for what must have been 2 minutes. Nothing.

I tried Googling for answers. Lots of people giving various suggestions, none of which was working for me. CTRL-COMMAND-O-F apparently doesn’t work on Intel Macs. Holding OPTION during boot did nothing. Holding EJECT did nothing. Holding the mouse button down did nothing. I was seriously contemplating cracking open the machine to extract the DVD.

Someone suggested plugging the mouse button directly into the Mac, because some USB hubs don’t work quite right at initial boot. I have a Mac keyboard with my mouse plugged directly into that. That’s about as directly-plugged as you can get, right?

Well, apparently not. I moved my USB mouse from the keyboard to the back of the Mac Mini and held down the mouse button during boot. Voilà! Out popped the DVD.

So, anyone having similar problems can try this trick. It may save you from tearing-open your Mac Mini, or tearing-out your hair.

LiveHTTPHeaders in Firefox 3.5

Wednesday, May 13th, 2009

One of my favorite Mozilla Firefox add-ons has always been LiveHTTPHeaders: you can observe the HTTP headers being sent to and received from the server when a web page is requested. You can even have it record a bunch of requests as you click through a site to see the entire series of transactions.

One of the problems I’ve always had with LiveHTTPHeaders is that the project owners take their sweet time when it comes to new releases. For example, Firefox is currently on its 4th beta release of version 3.5 and yet LiveHTTPHeaders only works on versions 3.0.x.

I keep checking the project site for that magical “works with 3.5 beta”, but it never comes. The top comment on the addons.mozilla.org project page is currently

Does all I expected it to do—and does it wonderfully. Wish it was compatible with FF3.1.

Today, I decided to do something about it. I’ve never poked inside a .xpi (“zippy”) file (the file format for Mozilla add-ons) so I did some reading on Wikipedia. Turns out it’s just a ZIP file. If you open the ZIP file, you can see a series of files including install.rdf. RDF is just XML, so I checked out the contents of that file. The install.rdf file contains a bunch of information about the package itself, including the list of supported versions of various products (including Firefox, Flock, and Seamonkey). The setting for Firefox was

<em:maxVersion>3.0.*</em:maxVersion>

On a whim, I simply changed that to

<em:maxVersion>3.5.*</em:maxVersion>

and installed the .xpi into Firefox.

A quick ff restart later and it’s now working, apparently without any problems. Woo hoo!
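The same edit as a script, added here as an example and not part of the original post or of the LiveHTTPHeaders project: it bumps only the Firefox maxVersion and leaves the Flock and SeaMonkey entries in the same install.rdf alone, which a blanket search-and-replace would not. It assumes the usual install.rdf layout in which each `<em:targetApplication>` block carries the application’s `<em:id>`; `{ec8030f7-c20a-464f-9b0e-13a3a9e97384}` is Firefox’s application id. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: patch the Firefox maxVersion in an
# add-on's install.rdf without touching the entries for other applications
# (Flock, SeaMonkey) that share the file, then repack the .xpi.

# Firefox's application id as used in install.rdf targetApplication blocks.
FIREFOX_APP_ID='{ec8030f7-c20a-464f-9b0e-13a3a9e97384}'

# patch_firefox_max_version INSTALL_RDF NEW_MAX_VERSION
# Prints the patched install.rdf to stdout; the input file is left unchanged.
patch_firefox_max_version() {
    rdf="$1"; newmax="$2"
    [ -f "$rdf" ] && [ -n "$newmax" ] || {
        echo "usage: patch_firefox_max_version install.rdf '3.5.*'" >&2; return 2; }
    # Only lines between the Firefox id and the end of its targetApplication
    # block are rewritten, so other applications' maxVersion stays as it was.
    sed "/$FIREFOX_APP_ID/,/<\/em:targetApplication>/ s|<em:maxVersion>[^<]*</em:maxVersion>|<em:maxVersion>$newmax</em:maxVersion>|" "$rdf"
}

# repack_xpi XPI NEW_MAX_VERSION
# Unzips the add-on, patches install.rdf and writes <name>-patched.xpi next to
# the original, which is not modified. Needs unzip and zip on the PATH.
repack_xpi() {
    xpi="$1"; newmax="$2"
    [ -f "$xpi" ] || { echo "no such file: $xpi" >&2; return 2; }
    out="$(cd "$(dirname "$xpi")" && pwd)/$(basename "${xpi%.xpi}")-patched.xpi"
    work="$(mktemp -d)" || return 1
    unzip -q "$xpi" -d "$work" || return 1
    patch_firefox_max_version "$work/install.rdf" "$newmax" > "$work/install.rdf.new" &&
        mv "$work/install.rdf.new" "$work/install.rdf" || return 1
    (cd "$work" && zip -qr "$out" .) || return 1
    rm -rf "$work"
    echo "$out"
}

# Usage: repack_xpi livehttpheaders.xpi '3.5.*'   # prints the path of the new .xpi
```

Installing the patched .xpi is the same drag-into-Firefox step as in the post; the repacked file is a new archive, so anything that checked the original download’s hash will no longer match it.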

Thanks, old hippie lady (seriously)

Friday, September 21st, 2007

The other day, I was driving around and I saw a long-white-haired old woman carrying a hub cap and what looked like several small bags of garbage. Around here, this is usually an indication of some kind of pathology, and is accompanied by a shopping cart, inappropriate stocking-cap hat in the middle of summer, a horrendous smell, or all of the above.

Such was not the case this time.

This woman appeared to have been picking up trash on the side of the road for the purposes of actually disposing of it, rather than using it to pad her nest.

She had the very confident air of a woman who burned her bra in the 60s and who has been wearing hemp clothing and eating granola and hydroponic vegetables ever since.

That description is not intended to be disparaging. On the contrary, I wanted to roll down my window and call out to her “you go girl” and thank her for making my community more beautiful by removing some of the unsightly and unsanitary garbage that literally litters the streets around here. Since I was not only moving but actually driving, I wouldn’t have had enough time to actually say all that, and I would have come across like a dick (“thanks a lot“) or like a maniac (“thankyouforpickingupallthattrashtheroadlooksmuchbetterduetoyourefforts”). So, I chose to be silent, and I have to say, I feel bad. I should have said something.

Hopefully, this woman will one day search for “hippie lady” in an effort to locate interesting stories about her online and will come across this post, and she’ll see that at least one person noticed her efforts, and appreciated them.

Thanks, old hippie lady. Seriously.

Finding a decent laptop

Friday, September 21st, 2007

I’m a tech geek, but I’m a cheap one. I’m willing to pay for quality, but I also am not one of those people who waits overnight in front of stores to get the latest Shiny Thing™ so I can show all my friends how cool I am. I casually look for things all the time, and get excited by them, but I rarely actually buy.

Witness the (somewhat) recent release of the Apple iPhone, over which I have lusted since I first read reliable descriptions back in January. As the release date got closer and closer, the inadequacies of the platform became more and more pronounced (crappy EDGE network, only AT&T plans, can’t use your own SIM card, can’t install your own software, phone costs $600, etc.) and Apple failed to get me as a customer. Fortunately for me, I didn’t pay the $200 “aren’t I cool?” tax like a lot of folks did. Oh, well. At least those folks helped Apple beta-test their platform.

Recently, it’s become more and more clear that I need a replacement for my computer(s). My recent canine acquisition has effectively moved my home office from our actual office to my couch, since it offers superior surveillance capabilities. I had always worked nearly exclusively on my desktop computer, a great AMD Athlon XP workhorse that has been reliable and stood by me lo these many years since I bought it for my wife so she could play Diablo II with my brother-in-law and me (at which point I decided to take the new computer for myself because hey, what does my wife need with all that processing power?). When I was out and about, I used my somewhat less-trusty 17-inch HP electric blanket notebook, but it never really felt right, since I’ve always been a desktop kinda guy. Using the laptop more and more (on the couch) has made it clear that both computers need to go: I need a laptop, and this one is falling apart; if I need a laptop, why do I need a desktop at all — as long as I can have a nice, big screen to plug into when I’m actually at my desk.

Thus begins my quest to find a suitable laptop to take over all my computing needs.

Don’t forget: I said I was willing to pay for quality, but I also said I was cheap. I also didn’t say it, but I’m not going to lug around 10 pounds of laptop anymore. No, sir.

My actual needs are few: anything that can outperform my existing 3 GHz hyper-threaded processor without setting my legs on fire is adequate. I also need lots of RAM since I like to run a thousand things at once. The games that I do actually play are old in terms of graphics requirements, so I don’t exactly need a top-of-the-line gaming platform.

Given my requirements, why is it so hard to find a decent laptop these days? Apparently, my requirements are more strict than I had first let on. What I really want is:

  • 800-MHz FSB with matching-speed memory
  • A high-resolution screen (WSXGA+ would be preferred)
  • Discrete graphics memory on a good mobile graphics board
  • Gigabit Ethernet
  • Digital video output
  • Low weight
  • Reasonable price (less than $1500 including 1-yr warranty)

Actually, I’m willing to sacrifice a little weight to meet the other criteria. Ideally, I’d like to make it under 7 pounds including the power brick, but that appears to be difficult to accomplish in the 15-inch screen size.

So, what are the problems?

  • Many companies will allow you to select the new 800MHz FSB processors, but they won’t give you matching-speed memory. So much for a faster FSB.
  • I have been able to find WSXGA+ on only a few laptops. I realize this is pretty expensive, so most vendors don’t even give you the option. I can give this up if necessary, especially since I’ll mostly be using higher-resolutions on my external monitor, anyway.
  • Mobile graphics cards just suck in comparison to their desktop-based brethren: it’s a fact. It still shouldn’t stop me from getting something nice in the graphics department. Every single laptop in these price ranges should have the option of discrete graphics memory (with reasonable on-board memory sizes: 128MB is not enough these days, guys!).
  • Virtually nobody has gigabit Ethernet. Why? I can’t even imagine. You can get a desktop gigabit card for five bucks. I should be able to get a mobile one for fifty. It’s sad that the wireless options for laptops are faster than the wired ones these days.
  • Many companies (Dell, I’m looking at you) don’t support HDMI or even DVI video output yet. Why? Especially Dell: they sell these big, fat displays that all have DVI and HDMI inputs on them, and their laptops need special adapters to utilize the superior-quality digital signals.
  • Weight is always a problem: sturdy construction plus lots of components equals many pounds. I get it. Why can I get the same components in 3 different systems and have the weights all be wildly different? Sigh.

I can get various combinations of the above on different units from different manufacturers (except gigabit Ethernet), but I can’t find the one unit that has all of them. It’s always a trade-off: do I want proper speed-matched memory and CPU or do I want a decent graphics card? Do I want a slick hi-def screen or do I want HDMI output? It’s maddening.

I have given up the laptop search for this month. Maybe around Thanksgiving, when hardware manufacturers completely lose their minds just so they can move inventory regardless of the cost, I’ll be able to get something whose flaws I don’t mind accepting because I’m getting such an insane deal on the price.

I Got a Dog, B

Friday, July 13th, 2007

Paddy

This week, Katie and I got a new dog. He and his littermates (8 brothers!) were born on Saint Patrick’s day, so we decided to give him an Irish name: Paddy. His mother was a rather large Puggle, which is a mix of a Pug and a Beagle, and his father’s breed is unknown. He looks much more like a Beagle than a Pug, but he’s got a slightly smaller muzzle than a regular Beagle would normally have.

We got Paddy from Homeward Trails Animal Rescue, which is a small-animal rescue organization which gets many of its dogs and cats from other rescue organizations in areas which are more rural and maybe don’t have as many potential adopters around. If Paddy looks cute to you, maybe you want to adopt one of his brothers (this link may not work after a while).

Paddy Loving

We’re expecting him to grow maybe 10 lbs heavier (he’s about 20 lbs right now), so he’s the perfect size for our apartment and lifestyle: not so small he’s a fashion accessory, and not so large that he needs a lot of space.

He is very friendly, and has a long tongue that will find your neck and face quicker than you can say “good boy!” He’s kind of a scaredy-cat right now; we’ve had him for fewer than 72 hours, so he’s still getting used to his new surroundings, the new schedule, etc. I’m hoping that he’ll become more outgoing as time goes on, but right now he’s a complete angel.

Interesting new WWW attack vector

Friday, February 23rd, 2007

While I suppose that using javascript for evil purposes isn’t exactly a new idea, Bruce Schneier has written a piece (also covered on Slashdot and, I’m sure, other places) about three guys who have developed an attack that royally screws most users’ ability to use their Internet connection again.

AJAX, the magic pixie dust used heavily on sites like Google Mail, is really just javascript with the ability to make HTTP requests and parse the results of those requests. Javascript has been available in browsers for years and is recently enjoying some interest by web developers because of that last (somewhat) new capability. The use of this technology for evil is nearly indistinguishable from legitimate use, so it’s hard for any software to detect it and prevent it.

Basically, the attacker sets up a web site with some javascript code (see below) and tricks you into visiting that site. It’s not all that hard to get people to look at a rogue site: you can either spam the entire world and expect that a certain percentage of email readers are suckers who will click on the links in those messages, or you can hack a major site (such as Dolphin Stadium) and insert the exploit into it.

Now, the fun begins. This piece of javascript code (which, as I mentioned earlier, is pretty much impossible to identify as evil) attempts to make a connection to your router. If you are like most home users, your router is still sitting there with its default, factory-set password (probably something stupid like “admin”). That means that this piece of javascript code can login to your router and start playing around. This particular attack is designed to change your DNS settings such that all requests for named Internet addresses go to malicious servers. Those requests will be answered with fraudulent IP addresses which can be used to either emulate your favorite website or simply serve nothing but pop-up ads and porn. This little hack could even change your router’s password, locking you out of your own hardware.

Imagine if you were to fall victim to this exploit… the next time you tried to access, say, www.bankofamerica.com, the rogue DNS server sends you to what really is www.evilbankofamerica.com. The site looks like Bank of America’s real site, and you fall for the bait. You enter your username and password for online banking, and bang! – the bad guys have your online banking credentials.

SSL certificates might save you, since VeriSign (and others) are unlikely to issue an SSL cert for “www.bankofamerica.com” to an entity that is not Bank of America. But what do you think most people do when they get a security warning these days? My guess is that most people do whatever they have to do in order to get the security warning to go away and let them look at their website. That is a recipe for disaster.

Since we’re talking about folks who have never changed their router’s password, they probably wouldn’t know how to recover from this problem, either. If the attack included changing your router’s password, you’ll have to reset it to factory defaults in order to get back up and running again.

I’m guessing most home users will ask friends what to do if every site they visit is just porn and popups. The advice they are going to get is to reinstall their operating system (statistically it will be Microsoft Windows, which has a bad reputation for becoming easily infested). Many users aren’t willing to do that, and will pay someone else to do it. Re-installing the OS won’t work, so those users are likely to do the next best thing: go out and buy a new computer. That won’t work either.

What a pain in the ass.

What a great exploit.
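A defender-side check that fits the scenario above, added here and not part of the original post: compare the resolvers a machine is actually using against the ones it should be using. It reads a resolv.conf-style file (`nameserver <address>` lines, which is what Linux and Mac OS X write from DHCP) and flags any address outside an expected list, typically the router’s own LAN address or the ISP’s servers. The function names, the sample file and the addresses in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: flag DNS resolvers that are
# not on an expected list. Input is a resolv.conf-style file with lines such as
#   nameserver 192.168.1.1
# Expected addresses are passed as arguments (constructed values in the demo).

# check_resolvers RESOLV_CONF EXPECTED_ADDRESS...
# Prints one line per unexpected resolver. Returns 0 when every configured
# resolver is on the expected list, 1 when at least one is not, 2 on bad arguments.
check_resolvers() {
    conf="$1"
    [ -r "$conf" ] && [ $# -ge 2 ] || {
        echo "usage: check_resolvers resolv.conf expected-address..." >&2; return 2; }
    shift
    bad=0
    # Redirect into the loop rather than piping, so $bad survives it.
    while read -r key addr _rest; do
        [ "$key" = "nameserver" ] || continue   # skip comments, search, options
        ok=0
        for want in "$@"; do
            [ "$addr" = "$want" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected resolver: $addr"
            bad=1
        fi
    done < "$conf"
    return "$bad"
}

# demo_resolver_check: constructed resolv.conf in which DHCP handed out the
# router's address plus an address (TEST-NET-3) the router's owner never set.
demo_resolver_check() {
    tmp="$(mktemp)" || return 1
    printf 'nameserver 192.168.1.1\nnameserver 203.0.113.7\n' > "$tmp"
    check_resolvers "$tmp" 192.168.1.1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a live machine: check_resolvers /etc/resolv.conf 192.168.1.1
```

The check only sees what the client was handed. When the attack changes the upstream DNS servers on the router and clients keep pointing at the router itself, this passes, and the same comparison has to be made against the server addresses shown in the router’s admin interface. The fix the post points at still applies: the attack works because the router’s factory password was never changed.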

Blog moved to virtual host

Tuesday, February 13th, 2007

The whine of my rack server has finally gotten to me.

So, in spite of the home heating advantages, after more than 2 years of hosting my own website, blog, and mail server in my home, it’s time to get it out of here.

I found a relatively low-cost virtual hosting plan where I have free rein of my own virtual machine. Sadly, I couldn’t use Gentoo – my preferred Linux distribution – so I had to settle for Debian, whose package manager is absolutely maddening to me.

At any rate, we’ll see how things go. So far, the MySQL upgrade (Debian’s latest stable version of 4.0? WTF?) and WordPress installation (no stable version available through Debian?!) have been relatively painless. Let’s just hope that everything else goes well.