iPad Air 2 – wanna upgrade?

Comments Off on iPad Air 2 – wanna upgrade?

The iPad Air 2 is fresh on the market, so people are starting to ask me if they should trash their 1 (or even their original iPad).

Zibreg has this to say: http://www.idownloadblog.com/2014/10/16/ipad-air-2-vs-ipad-mini-3/

Fully laminated Retina display, Antireflective screen coating, Thinner, Faster, better Eyes, Burst mode pics, slo-mo video (120fps), Faster wifi, and a Barometer.

Often bypassed is the mention of “Apple SIM,” a nano SIM card that allows the cellular models to switch between multiple mobile carriers without changing the actual card (link).

Yosemite Upgrade VERY SLOW – frozen ?

Comments Off on Yosemite Upgrade VERY SLOW – frozen ?

Upgrading to OS X 10.10, from 10.9.5., is not as smooth as it could be. In the end, we booted the laptop (our test subject)(with encrypted SSD drive) in target-mode (through Thunderbolt) and ran the installer on the ‘external’ drive. After slowing to a crawl (again) the machine did ultimately complete successfully.

The initial steps preceding that were an upgrade that slowed to a crawl at the 99% point of the progress bar, and then seemed to freeze. Ultimately the machine went dark (crashed) and on booting, froze at the login screen. Once connected in target mode, we saw the leftovers of the failed upgrade.

This article may interest some: https://jimlindley.com/blog/yosemite-upgrade-homebrew-tips/

And remember that you can hit CTL-L during the install to track progress.

1. For the Munki rollout, pkg creation is here: http://managingosx.wordpress.com/2014/10/17/createosxinstallpkg-and-yosemite/
2. See Charles’s article on Profiles in Yosemite: http://krypted.com/mac-security/using-the-profiles-command-in-yosemite/
3. Read his share on enabling ARD & ssh: http://krypted.com/mac-security/configure-ssh-ard-and-snmp-in-os-x-yosemite-server/
4. Yosemite VolumePurchasingTokens : http://krypted.com/mac-security/add-your-vpp-token-to-profile-manager-running-on-yosemite-os-x-server/
5. Recovering from trashed certificates and configuration settings after a failed upgrade to Yosemite server: http://krypted.com/mac-os-x-server/reset-the-server-app-in-yosemite-server/
6. New ‘alert’ options in Yosemite server: http://krypted.com/mac-os-x/configure-alerts-in-os-x-yosemite-server/
7. Books on Yosemite by the Senior Editor of TidBITS and a Senior Contributor to Macworld: http://krypted.com/articles-and-books/three-new-take-control-books-titles-on-yosemite/
8. Proxying AppleSoftwareUpdates from Yosemite server: http://krypted.com/mac-security/using-the-software-update-service-in-yosemite-server/

Also.. WinClone, PushDiagnostics (and GeoHopper! think ProximityScripting) are all Yosemite ready (link).

Performance tweaks for OS X

Comments Off on Performance tweaks for OS X

My Macs boot fast, but then progressively slow down. Web browsers seem to have the biggest impact (burning CPU and chewing memory with Flash animations or JavaScript) but Microsoft Word & Excel can slow the CPU to a crawl. I’d like more control of which apps are allowed to ‘go dark (in the background) but continue working or not.

“App Tamer”, a utility that improves efficiency of CPU use and extends battery life, may soon become my ‘Go-To’ utility app.

For other ways to speed up your mac, check out my older article:

ShellShock love for OS X

Comments Off on ShellShock love for OS X

Bash Code Injection Vulnerability – CVE-2014-6271

The dangerous ShellShock ‘bug’ is here (#BashBug), following fast on the heels of the now-forgotten HeartBleed bug.  I’ve painlessly distributed it out to our 30+ macs and servers via Munki. This  newest ‘remote vulnerability problem’ is of concern to all OS X system administrators (read about how Chazelas discovered it).

In my situation (30+ macs and 3 servers) I just grabbed the packages (here) and rolled out using Munki. For my single Linux server I followed Steve’s blog (here).

If you want to know if you are vulnerable, try the following :

> env x='() { :;}; echo NOK vulnerable' bash -c 'echo hello'

Alternatively, use this: http://www.shellshocktest.com
Related vulnerabilities can be tested (read here):>curl https://shellshocker.net/shellshock_test.sh | bash

I’ve gathered a few resources here as notes to myself.

Move slowly; Some admins have lost access to Terminal by applying the wrong solution doing so incorrectly.

Patching may not be enough; The official Apple patch may still be vulnerable to environment clobbering of executables (aka ‘GameOver bug’:  @ake_ on twitter – rebuilding your own version of Bash against 3.2.55 is probably more secure than relying on Apple’s patch.).

Removing your web-server service is not sufficient. Although the most prevalent attack vector is through a web server (scripts in /cgi-bin or via SSI’s) other attacks may be via SIP, SMTP, FTP and TELNET.

Configuring your shell (for system or for accounts) to something else (like zsh or tcsh) does not preclude patching /bin/bash since any process can launch bash if it is there. Disabling Apache does not preclude patching (3rd-party apps my also use bash).

The bug is exploitable by a malicious DHCP server (e.g. WiFi hotspot) attacking your computer… but only if the DHCP client uses Bash scripts, which the OSX implementation does not (tx. AlBlue). If you’re a Hamachi user, beware, the DHCP client weakness may be buried inside that (tx. Bryan).


      • OS X Mavericks has a 1.0 Update you should install (here) for 10.9.5 or greater.
      • Other installers pkg installers from Apple are available for 10.7, 10.8 and 10.9.
      • Snow Leopard (10.6.8) Solutions
        1. Back up your system.
        2. Sit back and wait for Apple to come out with a fix for 10.6.8 <– not likely.
        3. Use the Missing Bash Update Installer for Snow Leopard – Jorge Chamorro – link.
        4. Possibly, the /bin/bash from a fixed Lion system can be dropped into SL.
        5. Re-compile your own /bin/bash replacement – link. – You may need to grab XCode 3.2.2 from the Apple developer downloads section – link (or from the AppStore – link) – search for Xcode 3.2.6 for 10.6.8 systems. You may run into these problems: ‘An unexpected error occurred.‘ or ‘Hunk #1 FAILED at 26.‘. Others have suggested that we can ignore the warnings ‘incompatible pointer type‘ and ‘format not a string literal and no format arguments‘.Remember that the version downloadable from the Apple opensource page has custom changes to make it work on OSX. So if the readline library included with the bash source you are compiling is not compatible with 10.6 you may need to install the GNU readline (kudos to Seth)(link) and hack the bash makefile to use it. In bash, after doing configure, in Makefile, set READLINE_LIB = /usr/local/lib/libreadline.a and do a clean compile. Then strip and copy the new bash binary on top of /bin/bash and /bin/sh. It is also necessary to set HISTORY_LIB = /usr/local/lib/libhistory.a. Otherwise bash will be dynamically linked to the /usr/local version of libhistory.When following this excellent walkthrough (link) you might encounter this error:
          * BUILD FAILED * PhaseScriptExecution ostype.h build/bash.build/Release/ostype.h.build/Script-59DC3C521120DC9C00B033EC.sh
          – You may only be missing some dependencies.
          – You may be forgetting to ‘sudo’ the xcodebuilt command.
          – You may be working in an external volume. Try working out of /tmp.
        6. Download the LION patch (link) and install it on SL with a trial of Pacifist (link). This has worked for many people
      • Tiger users (10.4) for G5 systems for example,..  look here: link and here: link.
      • MACPORTS gets you a bash version 4.3.28(1) which patched both vulnerabilities (CVE-2014-6271 and CVE-2014-7169) as well as some subsequently discovered ones but does not solve the issue of standard OS scripts as the have #!/bin/sh or #!/bin/bash.
      • HOMEBREW installs do this:
        Some users on 10.6.8 trying @AlBlue’s solution, had to give up because or these two errors:
        CodeSign /Users/bas/bash-fix/bash-92/build/Release/sh
        CodeSign /Users/bas/bash-fix/bash-92/build/Release/bash
        See the comments by CousinCocaine here – link.
        In his words, “this is the only comprehensible method for upgrading BASH on OS X 10.6.8 Snow Leopard.”
        ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)”
        brew doctor
        brew update
        brew install bash
        sudo mv /bin/bash /bin/bash_old
        sudo mv /bin/sh /bin/sh_old
        sudo chmod a-x /bin/bash_old /bin/sh_old
        sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
        sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh

Also consider that most Routers (and even some printers) have Bash installed in them. OUCH. For example, the NAS’s from QNAP just got a new firmware pushed out from QNAP, so it’s not just OS X we need to be worried about. Most LINUX distros already have patches out.

Have fun.

p.s. In my case upgrading our 30 Mac clients and 3 servers was frictionless. I populated our Munki-server with the installer packages collected from Apple. Managed Software Center on each client quietly implemented the patch.

DropBox alternatives for Swiss Users – OS X

Comments Off on DropBox alternatives for Swiss Users – OS X

Many people use DropBox, for many excellent reasons.
idem. for other public cloud-drives like GoogleDrive, Amazon, OneDrive.

Remember that “dropbox-style syncing” hard to implement. Hiding the complexity from their users to the point at which nobody knows there even is any complexity, is amazing.

Some of my Mac-friends want an alternate security-choice more resistant to the failures of public-server-based Cloud-storage in our post-Snowden era of stolen-credentials, hacked accounts, flawed security, nude photos of dozens of celebrities, and government authorised snooping. They’re not totally confident that their encrypted virtual drive (thanks DiskUtility) will resist an HPC decryption attempt. Outside of those concerns are other friends wish for mobile access to +500GB of their own data without breaking their wallet.

  • OwnCloud – Unlimited data via your own server (or use SWITCHdrive).
        • Allows ‘undelete’, External storage integration (DropBox, Swift, FTPs, GoogleDocs, S3 and external WebDAV servers).
        • Supports useful plugins (e.g., tracking GeoIP logins to your directories).
        • UseCases: a) 400GB all synced between home and work. b) 2TB of music you want to play at home and while in your favourite Internet Café.
        • Blog – https://owncloud.com/blog/
        • NOK: Syncs can fail over completely and fails, or get confused and create a copy of every single file with “conflict” appended to the file name. These due to (??) evolving implementation code structure and newly-introduced frameworks and APIs.


  • SWITCHdrive (OwnCloud Instance)https://drive.switch.ch – 25GB of DropBox-like storage
    EPFL participants (Swiss Federal Institute of Technology) can have their cloud data stored on Swiss soil (contrary to Dropbox , Google Drive ou OneDrive). The folder-sharing model is NOT as nice as DropBox.
    This is just instance of OwnCloud (you can use the OwnCloud clients with it rather than the SwitchDrive client).
    Also think about SWITCHfilesender – http://help.switch.ch/fr/filesender/
    [M.Nguib] : “toutes les données uploadées sur SWITCHDrive sont enregistrées dans des centres de stockage situés en territoire suisse (à Lausanne et à Zurich). De ce fait, le traitement de vos données sera fait en accord avec les lois helvétiques. C’est-à-dire que vos données ne seront pas utilisées sans autorisation (comme le fait Dropbox) et qu’elles ne sont pas sous la loupe du projet PRISM (comme le sont OneDrive de Microsoft, Google Drive, Apple ou Facebook. Révélé par The Guardian du 12 juillet 2013) “.
  • Wualahttp://wuala.com/en
    This used to be free, but no longer is.
    Data is stored in Switzerland (Europe) and not the USA. It is encrypted on the client-side so not event the swiss company can see it’s contents. It the swiss government wants access to it, swiss citizens have recourse to oppose such access contrary to data stored on the other side of the ocean.
  • PydIO (aka AjaXplorer)
  • BTSync : eur100/yr


Fixing your MAC/Apple hardware

Comments Off on Fixing your MAC/Apple hardware

I help many people fix their Macs. Beyond the software problems and configuration problems there are a few easily solved hardware issues :

  • Trackpad no longer ‘clicks’ – it seems ‘stuck’ in clickmode.Solution: adjust the set screw located on the underside of the trackpad.
    Here’s how: If you don’t care about voiding your warranty (AppleCare), start by finding 3 screwdrivers (Philipps 00, TriWing, and a T-6 Hex). Remove the back of your MacBook Pro (10 screws). Then unscrew those holding the battery. Unplug the battery and remove it. Finally, slightly tighten (sometimes loosening is a better option) the screw on the trackpad.
    The problem may have come from battery swelling.

Hostnames, IPs, DHCP on my Macs – OS X

Comments Off on Hostnames, IPs, DHCP on my Macs – OS X

Here are a few quick reminders of network related things for my new mac installations.

  • The shell and the hostname utility disagree with that shown in SystemPreferences>Sharing. This problem also rears its head when using ARD and seeing a misreported mac client name.
    SOLUTION: Configure reverse-DNS lookup to return the correct hostname:

    sudo scutil --set ComputerName "newname"
    sudo scutil --set LocalHostName "newname"
    sudo scutil --set HostName "newname"
    dscacheutil -flushcache

    now restart

‘Running Package Scripts’ freezes

Comments Off on ‘Running Package Scripts’ freezes

 “Running Package Scripts” stays forever at the same state, when updating or when installing on 10.9.5 OS X Mavericks.

Some people encounter this with updating Safari (Software update). I first encountered this while trying to install Adobe Illustrator and Adobe Photoshop. I noticed that the Software update had stalled on the Safari update.. could my problem be related?

  • boot in recovery mode and fix any disk related or permission errors (Onyx had reported that my disk was fine, so I didn’t do this).
  • delete the contents of /Library/Updates (kudos to Jonathan for this, from here) – this fixed the stalled Safari update. Once the Safari update finished, the Adobe installs carried on fine (but slow)(be patient!) – THIS SEEMS TO BE WHAT WORKED FOR ME.
  • ensure there isn’t a headless Safari process running: ps auwwx | grep Safari
  • be patient – The message says ‘Install time remaining: About 2 minutes” but it took 10min before the progress-bar unstalled and carried on.
  • unplug external hard drives first before going into library updates folder
  • disable Time Machine (System Preferences) during the update/install
  • re-run Software Update




wget on OS X – 10.9

Comments Off on wget on OS X – 10.9

  1. xcode-select --install
  2. curl -O http://ftp.gnu.org/gnu/wget/wget-1.14.tar.gz
  3. tar -zxvf wget-1.14.tar.gz
  4. cd wget-1.14/
  5. ./configure --with-ssl=openssl; make; sudo make install


Configuration favs for OS X Clients

Comments Off on Configuration favs for OS X Clients

I enjoy using these tweaks to my OS X client macs:
(thanks go to Paul for all of these).

  • defaults write com.apple.dock persistent-apps -array-add '{"tile-type"="spacer-tile";}' ; killall Dock
    Places a spacer icon in the dock
  • defaults write com.apple.Dock showhidden -bool YES; killall Dock
    Makes hidden App icons Translucent in the dock
  • defaults write com.apple.mail AddressesIncludeNameOnPasteboard -bool false
    Makes copying email address stick to that, rather than adding names.
  • defaults write com.apple.finder QLEnableTextSelection -bool TRUE;killall Finder
    Allow text-selection from Quick-look.
  • defaults write com.apple.finder CreateDesktop -bool false; killall Finder
    Make all icons on the desktop invisible (they can still be seen in the Desktop/ folder).
  • sudo defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName
    Set system-info to show on the login screen.
  • chflags nohidden ~/Library/
    Stop hiding the Library folder.

  • Enable ADMIN access through the Users’ screensaver lock:
    Edit/etc/pam.d/screensaver : comment out the line mentioning pam_group.so no_warn deny

See also: Terminal tricks on OS X. http://furbo.org/2014/09/03/the-terminal/
Think too: GeekTool, NerdTool, and Übersicht.

Older Entries Newer Entries