Hello 2015

It’s been a while since I added anything here… oops.

Well, a few items of note:

All of these relate to security matters, and sadly none of them are really new – it’s much of the same-old same-old.

I am firmly of the opinion that nobody in their right mind installs Flash on their computers – there is just too long a track record of security holes in that product to justify its existence. I don’t have it on any of my Macs – I do have an install of Chrome though, which comes bundled with a Flash install – so in Chrome I have a Flash-blocking extension installed! My default browser is Safari, but if I need to look at a Flash site I can fire up Chrome and then explicitly allow the specific Flash object to run. This doesn’t happen often, and it takes a lot to get me to do this. Apologies to those who sent me a Flash based Christmas e-card, but I didn’t actually look at them.

On a related matter to Adobe Flash, I’d not recommend installing Adobe Reader either. On the Mac Preview is mostly ‘good enough’, and on Windows Foxit Reader is free and excellent. The Adobe Reader web browser plugin is another gaping security hole which has been exploited time and again. Better to just not install it.

As for the adware/scareware field, these problems are generally self-inflicted. If you think there is a problem with your Mac, don’t install some random program – ask your computer support officers for assistance. And don’t install random browser plugins which offer to help you find downloads of Game of Thrones episodes (you know who you are!).

Continuing on the security thread, two final notes:

  • With the release of Yosemite, Apple is now only supplying security patches for OS X 10.8 (Mountain Lion) and up. Anyone still on 10.6 or 10.7 needs to update, stat.
  • I’ve been evaluating the campus copy of Symantec Endpoint Protection for OS X for a while. While anti-virus software remains of dubious use on OS X, the University has a sensible policy of requiring some sort of AV to be installed on computers. Typically I’ve recommended ClamXAV on OS X, since it’s unobtrusive and free. However SEP seems much less terrible than it used to be, and should it continue to not kill my Macs I’ll be less uncomfortable installing it in future. Please note my very purposely constructed statement!

Finally, in a day or so I’ll be updating my ‘recommended’ laptops list. Rumours about the future of the MacBook Air have had me thinking about the entry-level laptops.

Yosemite & TeX

OS X 10.10 Yosemite was released to the world yesterday, and enthusiastic installing started in M&P this morning. About 30 minutes later that enthusiasm was somewhat tempered by apparent disaster…

It turns out that the Yosemite Installer tries its best to preserve anything which has been installed into /usr/local/ on your Mac by (apparently) archiving it and then restoring it after the Yosemite install has completed. But if you have a MacTeX install, with many, many small files under /usr/local/texlive/, then it all goes wrong, leading to delays of many hours, or just a terminal hang. This behaviour has been seen on many machines and is a ‘known issue’ with the MacTeX authors. The workaround is to move the folder /usr/local/ somewhere else, such as your home directory, before the install and then return it afterwards. However there are apparently several issues with MacTeX under Yosemite even after this, so if LaTeX is key to your existence you probably want to follow the updates on the MacOSX-TeX list before migrating.

This problem affects anything installed under /usr/local/ so it’s not just MacTeX but packages like Homebrew which trigger the problem; MacTeX is just the package most people likely have installed.

I have only used Yosemite a little (developer preview) and had a clean install on a new machine, so never saw this sort of problem. Lucky me. I will be waiting for a while to let developers catch up before I migrate my own systems!

Browser fun

A few known browser-related problems on Queen’s systems:

  • Safari may save files with strange looking names from Exchange 2010 webmail
  • Firefox version 30.0 and later will not connect to QOL, because Firefox has dropped support (on security grounds) for the NTLMv1 authentication scheme that QOL uses. Either use the Firefox 24.0 LTS release or switch to another browser. On OS X Safari supports the more secure NTLMv2 protocol. It is possible to set a hidden preference to re-enable NTLMv1 if you really must…
  • Scrolling around the QOL home pages produced using Sharepoint is impossible in Chrome due to the “questionable” HTML Sharepoint produces. If you search for “Sharepoint Scrolling” in the Chrome Extensions store you can find a few third-party solutions.

%20, the final frontier…

The university is in the process of upgrading staff email servers from Exchange 2007 to Exchange 2010, and then onwards to 2013 thereafter. This is a positive move for non-Windows users as the more recent versions of Exchange have much better support for web browsers other than Internet Explorer, and also seem to fix issues such as the ‘mail attachments not showing in Apple Mail’ bug. However, as with any update there are issues. This one I found out about a few months ago while assisting a colleague in Medicine who had an account at their former institute, where they ran Exchange 2010.

The problem, as first reported to me, was “every file has the spaces in the filename replaced with % signs” which was indeed puzzling. On closer inspection it turned out that the problem did not affect every file, just those coming from the Exchange 2010 webmail client, and that the spaces were being replaced with %20. At this point I realised what was happening.

To explain this we need to step back a moment. Once upon a time filenames were typically something.txt or image.jpg – very simple and with no fancy characters. Then deviant Mac and Unix users started using other characters in their filenames, and soon Windows followed suit (hello Windows 95). This is fine in most cases, but gives a problem for web browsers which don’t deal well with spaces in URLs. For example, this won’t work:

http://www.example.com/documents/My Lovely Horse.mp3

as the browser will ask for the file ‘My’ instead of ‘My Lovely Horse.mp3’

Rather than have people rename all their files, web servers use percent codes to encode these characters. The % symbol denotes the start of an escape sequence and is followed by the value of the escaped character’s byte written as two hexadecimal digits. In this case, space is ASCII character 20 in hexadecimal (32 in decimal), so the URL above becomes

http://www.example.com/documents/My%20Lovely%20Horse.mp3

which is less readable for humans, but much better for computers.

Getting back to the point, when someone sends an email with an attachment whose filename contains spaces, the Exchange webmail client will present this file with the filename percent encoded. If you try to download the file via webmail then things get ‘interesting’. Some browsers, such as Safari, will literally save the attachment with the exact name presented, %20 and all. Others, like IE, Firefox, and Chrome, will convert the percent encoded characters to their normal equivalents. Which is the ‘right’ thing to do is a matter of opinion, but the latter is clearly more convenient for users!

If you’re struck with this issue you have a few choices:

  1. Don’t use webmail
  2. Don’t use Safari
  3. Use Automator to create a droplet which does the necessary renaming

In most cases option 2 is the better one, with Chrome being my alternate browser of choice since Firefox currently chokes on QOL authentication. Option 3 is not that difficult but beyond the scope of this blog post!
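A command-line equivalent of option 3, added here as an example rather than the Automator droplet the post refers to: it decodes the %XX sequences in filenames in one folder, but refuses any decoded name that would change where the file lives (a decoded ‘/’ or NUL, or a result of ‘.’ or ‘..’), since an attachment name is untrusted input and a blind decode-and-rename could be pushed outside the download folder. The folder path and the `--apply` flag are my own choices, not anything from the page.

```python
import os
import re
import sys
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A %XX escape, used to decide whether a name needs decoding at all.
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def decoded_name(name: str) -> Optional[str]:
    """Return the decoded filename for `name`, or None to leave it alone.

    Decoding is refused when the result would change the file's location:
    a decoded '/' or NUL, or a result of '', '.' or '..', would let a
    crafted attachment name escape the folder on rename.
    """
    if not _PCT.search(name):
        return None                      # nothing encoded, nothing to do
    new = unquote(name)                  # %20 -> ' ', %C3%A9 -> 'é', ...
    if new == name:
        return None
    if "/" in new or "\0" in new or new in ("", ".", ".."):
        return None                      # would change the path: refuse
    return new


def rename_decoded(directory: str, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Rename every %XX-encoded entry directly inside `directory`.

    Returns (old, new) pairs. An existing target is never overwritten, and
    with dry_run=True the renames are only reported, not performed.
    """
    done = []
    for old in sorted(os.listdir(directory)):
        new = decoded_name(old)
        if new is None or os.path.exists(os.path.join(directory, new)):
            continue
        if not dry_run:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
        done.append((old, new))
    return done


if __name__ == "__main__":
    # Usage: python fixnames.py [folder] [--apply]   (defaults to ~/Downloads, dry run)
    args = [a for a in sys.argv[1:] if a != "--apply"]
    folder = args[0] if args else os.path.expanduser("~/Downloads")
    for old, new in rename_decoded(folder, dry_run="--apply" not in sys.argv):
        print(f"{old!r} -> {new!r}")
```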

I did some Googling around this problem and saw there were other possible solutions involving server-side configuration and hacking about with Safari extensions, but those all seemed too much effort for either server admins or users!

Maths are munitions, you know

It’s a little known fact (amongst normal people) that encryption algorithms are considered to be munitions in law. Thus those little equations are governed by the same laws as exports of fighter jets, etc. Why should you care? Well, if you use a laptop for QUB work, you should be encrypting its storage to protect any sensitive content on it – and given that ‘sensitive’ is a loose term it’s best to encrypt under all circumstances. If, however, you go travelling then suddenly you have a dangerous item under your control.

While most jurisdictions permit the personal use of encryption, some forbid it without explicit permission. While unlikely, it’s possible that a border guard could insist on the machine being decrypted, and it could be seized. Thus the sensible approach is to *not* bring your laptop to one of these countries, but to bring a spare system which is unencrypted but contains nothing but the bare essentials for your trip.

The university is not aware of any staff being affected by this as yet, but it is best to be aware of the possibilities. I had a conversation about this last week with senior folks in IS.

You can find a list of the “difficult” destinations at http://www.cryptolaw.org/cls-sum.htm

The destinations which some of you may go to, which do require care, are:

  • China – a permit issued by the Beijing Office of State Encryption Administrative Bureau is required.
  • Hungary – an International Import Certificate is required.
  • Israel – a license from the Director-General of the Ministry of Defense is required.
  • Russia – licenses issued by both the Federal Security Service and the Ministry of Economic Development and Trade are required. License applications should be submitted by an entity officially registered in Russia.
  • Saudi Arabia – it has been reported that the use of encryption is generally banned, but inconsistent information exists.
  • Ukraine – a license issued by the Department of Special Telecommunication Systems and Protection of Information of the Security Service of Ukraine (SBU) is required.

Especially in the case of Russia and China, given the known risks of state-sponsored (highly competent) hacking, it would be prudent to adopt maximum paranoia, use a loaner laptop which is erased on return, and change all passwords. Indeed, one might well set up a ‘burner’ email address to use for the trip, and not touch normal accounts in the meantime.

As Snowden has shown, you can’t be too paranoid these days.

Let’s do the Time Warp again

I know I should update this blog more often, but I keep having to deal with problems which are blog worthy. There’s an irony. I have a lovely post coming up about problems with Mail.app and adding CRLFs to text files, for example. That episode is enough to have me looking at using Outlook for work email.

Anyway, this post is about the importance of backups. Plural. One backup is never enough, as I was reminded yesterday.

Our MSci iMacs are backed up to a QNAP NAS which offers Time Machine compatibility. The only officially supported network Time Machine clients are either Apple’s Time Capsule or else storage served up by OS X Server. Neither works well for us – Time Capsule is a home technology, and I’ve had enough problems with OS X Server (post Snow Leopard) that the proverbial wild horses would not get me back to using it again. I wanted to use networked Time Machine as we had a small issue with roof leaks which meant that machines and their USB-attached backup drives were getting soaked (fair play to Apple, one iMac has been rained on twice and still works fine), and the QNAP seemed like a reasonable choice.

On a local USB disk Time Machine works by copying files direct to the drive; simple and efficient. On a network disk, no matter the source, it creates what’s called a sparse bundle disk image. This is a directory which emulates a single file, sort of like an ISO CD image. The directory contains multiple smaller files, called bands, which sort-of correspond to sectors on the virtual drive. These are 8MB each, and the idea is that only sectors which are needed are created. The problem with this approach is that for large disk images, say around the TB level, you’re looking at maybe 120,000 of them, which might be a lot of overhead for the server to deal with.

A machine had a hard drive failure, so I brought up the spare and started to restore files from the Time Machine backup using Migration Assistant. All went OK apart from a 500GB directory, which would only copy at around 1-200 kB/s, and that on a gigabit LAN capable of up to 100MB/s. I tried many different options to get at the data and no matter what I did the machine was intolerably slow, and crashed entirely twice. At this point I was most unhappy, and found myself wishing for a second backup (which I had said we’d needed and been overruled on).

In the end, I managed to get the data off the machine by turning off all Apple file sharing, mounting the TimeMachine partition via NFS on my iMac, opening the disk image and copying the files out from there. That worked OK, giving me the expected 50MB/s transfers. So clearly the disk image was OK, it’s just that the QNAP could not serve it efficiently over the AFP protocol.

Lessons from this? Firstly, always have more than one backup. I’ve already ordered some USB hard drives and set up an rsync script to a remote server as a stopgap to a better networked solution. Secondly, I don’t think that networked Time Machine is a good idea, however it’s done. On my home network I’ve had issues with disk images getting corrupted on my Time Capsule, or just failing without an error, and that’s with 100% Apple kit. Relying on an unapproved third-party work-alike for important things is not worth the risk. In the future I think I’ll be using locally attached hard drives for Time Machine, and some other network arrangements for disaster recovery – either rsync or Chronosync are top of my list. Along with some proper ‘enterprise’ grade storage…

Now, back to playing with Outlook. Sigh.

What the *beep* is *beep* you *beep*

As part of the Stargazing Live event at Cultra last week I was giving my talks on sci-fi weapons. To fit in with the event schedule I had to split what is normally one talk into four, which at least let me cover more material. Turns out I could fill another few lectures quite easily.

Being guardians of public virtue, the BBC were very concerned about scaring or offending some of the audience, so I had to do some bleeping on the soundtracks of clips from Aliens amongst others. I thought this would be easy. It wasn’t, though I admit I may well have missed the obvious.

After a few false starts, I found that the open source Audacity package was the best option for me. Export the soundtrack as an m4a file, import to Audacity and use its tone generator over the offending clip, then save and remerge using Quicktime 7 Pro. Hardly the most elegant option but it did work in the end.

One good thing about these lectures is that all the rewriting gave me a good opportunity to use the new Keynote for a while. So far I have no complaints, but I didn’t use the most complex features of the old release!

At last, a post

I sort of forgot I should be updating this thing. Whoopsie.

It appears that Snow Leopard is officially dead to Apple now. Not that there is anything like an official statement of course.

In the continued absence of updates for Mountain Lion, as mentioned previously, it’s hard to avoid the feeling that Apple is pushing us to Mavericks, like it or not.

I’m running Mavericks on my main machines now, and it seems OK, though my own needs are quite mainstream. Anyone depending on third party software which is not yet ported to Mavericks or which requires paid upgrades is in a bit of a bind.

Bad Apple.

Mac security updates

This article, while mostly click-baiting troll fodder, does raise a reasonable point.

The release notes for OS X Mavericks list a large number of security issues which are resolved in 10.9 only. A month on from the release of Mavericks no equivalent updates have been posted for Snow Leopard, Lion, or Mountain Lion. Absent official comment from Apple it seems that since the update to Mavericks is free, that’s your security patch.

Given the problems that come with any major system update this seems an utterly unreasonable approach, especially for cases where we’re dealing with complex third-party software which needs to be validated on each update. It’s bad enough that new Macs can never have older versions of the OS installed on them, but this is affecting machines which are currently running properly and now one has to choose between security and application stability. I’m at a loss to suggest the less bad option. Various applications require new versions to work on Mavericks, and not all of these updates are free.

This also absolutely reinforces my relief that I am no longer using OS X Server for anything apart from an illustration of why Linux or even Windows is a better server OS…

Flaming Thunderbolts!

Stay on this channel…

[Image: A Zeroid, via Flickr]

Sadly this is not a post about the classic TV show Terrahawks, but instead about Thunderbolt docks and expansion devices.

Thunderbolt (TB) is an Intel/Apple standard for connecting high-speed peripherals to computers. With modern Macs having limited numbers of expansion options TB is quite important. While there are all sorts of things one can plug in via Thunderbolt, I’ll talk about the most commonly used option around QUB, which is the laptop docking station.

MacBook Airs are wonderful machines but when at your desk you’ll generally want to use a larger LCD, wired network connection, and external backup drives. Without a docking station you’re probably going to have to use your TB/Mini-DisplayPort socket to plug into an external monitor, and then run hard drives and even ethernet over USB. Rapidly you run out of USB ports, so you need a USB hub, and it all gets very tedious. Apple’s USB ethernet adapter only works at 100MBit, and while that’s better than many WiFi connections it’s still well down on the standard 1GBit connections we have on campus.

It’s technically possible to connect gigabit ethernet adapters and even DisplayLink video devices over USB3, but on the Mac at least I emphatically discourage it. I have yet to find a USB3 ethernet adapter which worked well on the Mac, and DisplayLink leaves a lot to be desired; under Mavericks it doesn’t really work at all. So, if you want significant expansion on your MacBook, TB is the only game in town.

There are now four ‘docking’ products on the market:

  1. Apple Thunderbolt Display
  2. Belkin Thunderbolt Express Dock
  3. Matrox DS-1 Thunderbolt Docking Station
  4. Caldigit Thunderbolt Station

Here are my opinions on each of them, based on having used each at various times. Note that all of them will require you to purchase a TB cable (around £25 for a 0.5m one) to connect to the dock, apart from the Apple TB Display which has one built-in.

1. Apple Thunderbolt Display

This was the first TB docking option, and comprises a 27″ 2560×1440 display, MagSafe charger, speakers, FaceTime HD camera, FireWire 800, 3xUSB2 ports, gigabit ethernet, and a downstream TB port for adding additional devices. It costs about £750 for education customers.

Coming from Apple it’s a well built bit of kit, and if you need an external display and don’t mind glossy glass fronts then it’s a good choice. It has a few downsides though: obviously if you’re not in the market for a new LCD, or don’t like glossy glass, you’re not going to be happy; it only has USB2 ports; and adding an extra display is problematic – the Apple solution is to add another TB display, and plugging one of the standard MiniDP-DVI adapters into the downstream TB port won’t work (though from personal experience I know that adding a DS-1 to the downstream port will allow you to add another LCD).

In summary, elegant and well built, but may be a little limiting in some cases. Not the worst option though as the cost of a third party dock plus similar LCD will not be that different.

2. Belkin Thunderbolt Express Dock

The first third party dock on the market, the Belkin offers a downstream TB port, gigabit ethernet; FireWire 800; 3.5mm headphone and microphone sockets; and 3xUSB3 ports though these are only capable of 2.5Gbps transfers instead of the full 5Gbps USB3 is capable of. List price is £249.

This works well, though the lack of an onboard display connector means you will end up using the downstream TB port with a mini-DP to DVI adapter, making daisy-chaining additional TB devices difficult. No drivers are required (at least with OS X 10.8 onwards). Still, it’s expensive compared to more recent options and you’ll still need to obtain a display adapter. Reviews suggest you can use the Apple Dual-link DVI adapter kit to add high-resolution 27″ displays though.

3. Matrox DS-1 Thunderbolt Docking Station

This was the second third party dock, and comes in two variants – one with a DVI port and the other with an HDMI port. Both variants feature 1xUSB3 port; 2xUSB2; gigabit ethernet; plus 3.5mm headphone and microphone sockets. It costs around £200.

This is slightly cheaper than the Belkin, but lacks any downstream TB port, and only has one USB3 port – reviews suggest the throughput on this is not that of a full 5Gbps port though it’s still better than USB2. The maximum supported resolution from either the HDMI or DVI ports is 1920×1200, which means high-res 27″ displays are out.

So this is a compromised product – I’ve used one to add another LCD to an Apple TB Display, and as that was a 24″ unit the resolution limits were not a problem. But if you need a larger display and more USB3 you’re going to look elsewhere.

4. Caldigit Thunderbolt Station

The newest entrant to the market, retailing at £149, offers 3xUSB3 ports (full-speed with UASP mode for faster disk access, and capable of charging/powering USB devices); gigabit ethernet; downstream TB; 3.5mm microphone and headphone sockets; and HDMI capable of supporting resolutions up to 2560 x 1600. A network driver is necessary for OS X 10.8, but support is built in with Mavericks. The downstream TB port also supports video adapters and you can connect various combinations of displays depending on what your Mac supports.

I’m very impressed with this product so far – the price is good, the unit has excellent capabilities, and seems to work as described. I’ve ordered several for various people already. At this price you’re not so far away from the cost of a good powered USB3 hub, ethernet and display adapters.

And the winner is…

At the moment I’d go with either the Apple TB Display or the Caldigit TB Station. If you don’t need/like the Apple LCD then the Caldigit is an excellent solution, and I expect to be ordering them as my default docking solution for most MacBook Air users in the future.

Just to be clear, this is my personal opinion based on experience with each unit. It’s not an official QUB recommendation!