Archive for September, 2007

iPhone Link Farming

The iPhone doesn’t support a start/home page. Every time you open a new Safari page (the equivalent of a tab) it starts blank, unless you open it from another page via a link with a "target" attribute. Fortunately, its MobileSafari browser is very smart about suggesting recently visited sites; typing one or two letters typically brings up the site I want as a suggestion. Email addressing works the same way — it appears to prioritize recently used addresses, so if you visit the same sites (or email the same correspondents) repeatedly, it’s usually right.

On the other hand, sometimes you want a “link farm” (bookmarks page). I keep one with a bunch of links, both for use on the iPhone itself and also for visiting on Macs for working with the iPhone: http://www.reppep.com/~pepper/iphone/. I’m a big fan of tabbed browsing on desktop computers (ever notice how, in relation to iPhones and other handheld computers, laptops become “desktops”?). On the iPhone, I prefer to keep my bookmark page open, and open new tabs off it. There’s a JavaScript bookmarklet to make every link open a new window, but it doesn’t do the trick for me.

Instead I keep my iPhone bookmarks on a simple page containing a few lists of links. Since this page changes frequently, I have a BBEdit GREP pattern to do the conversion. It turns a plain URL into a proper <a> tag with a unique target attribute (the hostname), and wraps the whole thing in a <li>/</li> pair; this gives me a readable and clickable link that opens in a new window. Because the target is the hostname, links to the same site reuse one window instead of piling up. I tried target="_new" and target="_blank", but no joy. One caveat: the pattern copies the URL verbatim into both the attribute and the link text, so a URL containing & has to be written as &amp; to remain valid HTML. Here’s the pattern, to save time for future link farmers…

Search for: ^(https?://)([^/\r]+)(.*)$

Replace with: \t<li><a href="\1\2\3" target="\2">\1\2\3</a></li>
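The same transformation as a POSIX shell filter built on sed, added here as an example (it is not part of the original post): it applies the pattern above and also does the &-escaping the GREP pattern leaves to you. Lines that are not http(s) URLs (headings, existing markup) are passed through unchanged, which is an assumption about how the bookmarks page is laid out.

```shell
#!/bin/sh
# linkfarm: read bare URLs on stdin (one per line) and emit
#   <TAB><li><a href="URL" target="HOST">URL</a></li>
# HOST is everything between the scheme and the first "/", exactly as in
# the BBEdit pattern, so links to one site share a MobileSafari window.
# Usage: sh linkfarm.sh < urls.txt > links.html
linkfarm() {
    tab="$(printf '\t')"
    sed -E \
        -e '/^https?:\/\//!b' \
        -e 's/&/\&amp;/g' \
        -e "s#^(https?://)([^/]+)(.*)\$#${tab}<li><a href=\"\1\2\3\" target=\"\2\">\1\2\3</a></li>#"
    # 1st command: non-URL lines branch to the end and are printed as-is.
    # 2nd command: escape & so query strings are valid inside the attribute
    #   and the link text (the GREP pattern does not do this).
    # 3rd command: the pattern from the post, with the host as target.
}
```

The `&` escaping runs before the wrap so both copies of the URL in the output are escaped; `"` and `<` never legitimately appear in a URL, so they are not handled.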


iPhones are not high-security devices

It’s worth pointing out that iPhones are not designed to be highly secure. Apple has quite deliberately designed and marketed them as consumer devices, declining to officially enter the “enterprise” market. This lets Apple ignore several of the thornier security features of devices like BlackBerries, such as remote erasure of data. A 4-digit PIN is obviously not intended for high security, and even that is awkward if you use the iPhone many times a day (as I do).

Unfortunately, it also means Apple sees no need to provide strong security on the iPhone. At this point, the thing I miss most from my Treo is the Palm version of Web Confidential. One possibility is to create a web page of passwords, protecting it with SSL/TLS and a strong password (and likely IP restrictions to my home and work networks as well). For ease of adding/updating passwords, it could be a private wiki. Hopefully Web Confidential or something else will be available for iPhone (and Apple won’t effectively block it) before I find myself installing a wiki on www.reppep.com.

Since there’s no cryptographically protected keychain, I seem to be stuck without IM. Apollo IM, at least, stores the password in its binary configuration file, so Apollo IM is no longer on my iPhone. In addition, hahlo.com, itweet.net, & ipheedr.com all stored my password in plaintext in ~/Library/Cookies/cookies.plist on the iPhone. I deleted the cookies and won’t be going back to them. Fortunately twitter.com and m.newsgator.com at least avoid plaintext passwords in cookies…


OpenSSH on the iPhone

One of the most important things the iPhone hacker groups provide (since I’m fine with AT&T service) is Nullriver’s AppTapp Installer.app, and two of the most important packages it provides are terminal emulators (I currently use Terminal-vt100 because if you drag on the top of the screen it provides a donut with arrow keys and a few Control keys). I certainly hope AppTapp isn’t destroyed as collateral damage when Apple attacks the non-AT&T activation efforts.

Does anyone know how to get generic control keys out of any of the iPhone terminal emulators? Obviously Apple doesn’t provide a Control key on its stock keyboard layouts…

I was surfing around furbo.org and found Craig Hockenberry’s Hacking Quicker. I noticed it doesn’t match what I see, and realized this is apparently because earlier versions of the “OpenSSH” package installed by AppTapp were not actually OpenSSH. Now that this has been cleared up, the procedure for conveniently sshing into the iPhone is different from what Craig described. Note that you should not start by installing the OpenSSH package: sshd would then be reachable over the network with the factory root password, which is publicly known, so change the passwords first:

On the Mac

  1. From the Mac, install AppTapp if necessary.
  2. On the Mac (or Linux system, etc.), if you don’t already have an ssh keypair, create one with “ssh-keygen -t rsa” — this creates ~/.ssh/id_rsa & ~/.ssh/id_rsa.pub. For convenience, use an ssh keychain program such as SSHKeychain to avoid re-entering your private key’s encryption passphrase on every use.

On the iPhone

  1. From Installer (AppTapp), install a terminal program (I use Terminal-vt100).
  2. Launch the terminal program.
  3. In the terminal, type “passwd root”. Then enter the new password twice. If it doesn’t work, try again.
  4. In the terminal, type “passwd mobile”. Then enter the new password twice. If it doesn’t work, try again. Note that you can use the same password for mobile and root.
  5. From Installer, install OpenSSH now.
  6. “ssh YourMacIPAddress”. Log into your Mac, and type “echo $SSH_CLIENT”; the first field is your iPhone’s IP address. Setting up your iPhone to get a consistent IP address is beyond the scope of this article, but makes connecting to it much easier. If sshing to a Mac isn’t feasible, you can instead hit an unused URL on a web server you control and check its logs for the client IP.

On the Mac

  1. “ssh root@iphone” (substitute your iPhone’s IP address from the previous step for iphone). This will take a while the first time (~35 seconds).
  2. Enter the root password you set previously.

From the Mac keyboard, logged into the iPhone

  1. Browse around the iPhone — isn’t it easier with a full keyboard, and Copy & Paste?
  2. mkdir ~/.ssh
  3. chmod go-w / ~ (sshd’s StrictModes check refuses to use authorized_keys if the home directory or ~/.ssh is writable by group or others)
  4. This one must be exactly right, or you could trash your sshd_config — note the double greater-than symbols, which append; a single > would replace the whole file: “echo AuthorizedKeysFile .ssh/authorized_keys >> /etc/sshd_config”.

On the Mac (in a new Terminal window)

  1. scp ~/.ssh/id_rsa.pub root@iphone:.ssh/authorized_keys
  2. ssh root@iphone

If everything worked right, this last command will provide a root shell on the iPhone based on your ssh keys, not your UNIX-style password on the iPhone (it can be difficult to tell the difference if you use the same passphrase for your ssh private key as for the iPhone’s root account). If you use an ssh keychain, you shouldn’t need to provide a password each time you ssh into the iPhone.
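Once key login works, the two things a practitioner would want next are to make the sshd_config edit idempotent (re-running the echo appends a duplicate line; a single > empties the file) and to stop sshd from accepting passwords at all, since the password a freshly installed iPhone ships with is public. This added shell script (not from the original post) does both; the config path is a parameter so it can be tried on a scratch copy before /etc/sshd_config, and the option names are standard OpenSSH ones. Restart sshd (or reboot the iPhone) afterwards, and keep your existing session open until a fresh key-based login succeeds.

```shell
#!/bin/sh
# set_option FILE KEY VALUE
# Replace an existing "KEY ..." line (commented out or not) with "KEY VALUE",
# or append "KEY VALUE" if no such line exists. Builds the result in a
# temporary file and moves it into place, so a failure mid-edit never leaves
# the config truncated. Idempotent: running twice yields exactly one line.
# (mv gives the file the default mode, 644 under a normal umask, which is
# what sshd_config should have anyway.)
set_option() {
    file=$1 key=$2 value=$3
    tmp="${file}.tmp.$$"
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?\$|${key} ${value}|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# harden_sshd FILE
# The line from the procedure above, plus the follow-ups once keys work:
# root only by key, and no password or keyboard-interactive logins at all.
harden_sshd() {
    f=$1
    set_option "$f" AuthorizedKeysFile .ssh/authorized_keys      # from the post
    set_option "$f" PermitRootLogin without-password             # root: keys only
    set_option "$f" PasswordAuthentication no                    # shipped root password is public
    set_option "$f" ChallengeResponseAuthentication no           # no PAM/keyboard-interactive fallback
}

# get_option FILE KEY
# Print the effective value: the last uncommented occurrence wins, as in sshd.
get_option() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Usage on the phone, after key login has been verified:
#   cp /etc/sshd_config /etc/sshd_config.bak && harden_sshd /etc/sshd_config
```

Check the result with `get_option /etc/sshd_config PasswordAuthentication` before closing the session you used to run it; if a new `ssh root@iphone` fails, restore the backup from the still-open shell.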


Undercover: Cool & Creepy

Daring Fireball mentioned Orbicule’s Undercover, and so did TUAW. After reading Orbicule’s recovery stories, I’m a bit creeped out, though.

Undercover is spyware. It records your IP, takes screenshots, and (if an iSight is available) takes photos (presumably the green activity LED on built-in iSights flashes in use — I don’t think they can defeat it in software); sending all this across the Internet to Orbicule. It reminds me a lot of location tracking tools for cellphones, initially developed to track commercial fleets, but also useful to keep tabs on children, spy on spouses, and track government targets.

All that said, it’s undoubtedly cool technology and a useful service, but I’m too uncomfortable to use it — Orbicule’s How it works page says “Undercover can not be disabled by the thief.”, which raises my suspicions further.

Orbicule promises that Undercover doesn’t emit any information unless the Mac is logged as stolen. This assumes you trust Orbicule’s assurance, you and Orbicule trust Orbicule’s programmers, and that your Mac doesn’t get accidentally added to their list of stolen computers.

I hope no plain criminals get the source (or just the inspiration) and use it to spy on Mac users more effectively…


iPhone Earphone Subtleties

The iPhone comes with nice iPhone earphones, but they’re not ear-blocking like my old Shure E3cs or my Ultimate Ears. This makes hearing TV dialog of video on the subway significantly harder, and the UEs don’t fit the iPhone’s headset jack. Now, of course, there are many 3rd-party headsets with iPhone-style stereo + microphone connectors, but they were rare (nonexistent?) when I got the UEs for my birthday. Ouch!

I used the UEs with the Treo 650, using a $5 Radio Shack 2.5mm-3.5mm converter to connect the 3.5mm earphone plug with the Treo’s 2.5mm phone jack. Rather than un-wedge the UEs, plug in a standard single-ear-plus-microphone voice headset, make a phone call, then remove the phone headset in favor of the UEs, I just moved the connector from my iPod (for music) to my Treo with the adaptor (for video or voice). Now I wear one headset and it does everything without switching. This is good. It’s also nice that I can hit the mic bump on the cord to pause the music/video playback in favor of answering the cellphone, and when the call ends playback resumes.

It will be good when I replace these earphones with a louder/noise-blocking set, but in the meantime I’m appreciating the convenience, and using the mic bump to pause video playback whenever there’s loud subway noise or glare prevents me from seeing the screen.


iPhone Replaced

Tuesday, I got a new SIM from an AT&T store (they’re all over — the AT&T rep on the phone apparently just randomly picked Fulton Street, rather than one nearby). The card didn’t help.

Then I went to the Apple Store, where they rushed me through (in only half an hour!) before I had to get back to a staff meeting (reorganizing our group, so I did not want to be late). Tuesday afternoon I activated my new iPhone via iTunes. After a brief period where it was configured with a brand-new 646 number, AT&T correctly assigned my cellular number to the iPhone.

Tuesday night I plugged it into my home Mac and restored my configuration & data. This missed a bunch of minor things it should have restored, including alarms, audio settings, time zone, and “Ask to join networks”, but these are all easy to fix.

Hooray!

Since I got the iPhone back on the Internet, I have concluded that all the established “Web 2.0” social networking sites have put their existing work on hold to focus on iPhone (and more generally mobile) interfaces. Vineel countered with Facebook, but that appears to be a different group of mostly unknown people & projects trying to break through, using Facebook as a venue. Different from the iPhone-friendly sites like:

It’s great that Facebook can automatically import ExtraPepperoni posts as news items, but why can’t it automatically pick up my status from Twitter (even with the Twitter app installed)? RFE filed @ Twitter.

I have been delighted to discover that after I moved all the web sites I regularly read from Safari on my Macs into NetNewsWire, and synched that with NewsGator, I can read news on a Mac or the iPhone, avoid reading stuff twice, and get fresher content than Plucker. Plucker was much faster because all the content was already on the Treo, and it worked on the subway, but the Plucker project is not too active right now. Newsfeeds without full content are now quite annoying — I may look for full-content feeds with similar coverage (specifically a Register replacement — I really like their sense of what to write about, but The Register has many serious problems).

I really want Copy & Paste for responding to what I read on the iPhone!

I have been carrying a stylus daily since the Original MessagePad (Newton). I haven’t yet adjusted to doing without.


More AT&T / Apple Idiocy

Saturday, AT&T told me (twice) that they would have iPhone activation back online by 4am. At 8am NYC time (5am Pacific) my iPhone still hadn’t activated. I called AT&T (this was my 4th call, and at least the 4th AT&T rep I have spoken to so far on this issue) today (Monday), and was told that it should have activated after 7am, but if it didn’t I need a new SIM. When I asked where, she suggested an AT&T store at Fulton St. I explained this is halfway across Manhattan, and not near my subway line, and asked if I could take it to the Apple Store where I bought the iPhone a week ago. Sure. So I made an appointment with the Mac Genius for 5:45, left work 15 minutes early (not having a cellphone or pager is a big problem), and got to the Apple Store at 5:30. They were “only running 8-15 minutes late” when I signed in to wait.

At 6:22, I finally spoke to an Apple iPod Genius, who listened to my 2-minute summary and told me I need an AT&T SIM. No, they don’t have any SIMs — they are supposed to get them from AT&T, but AT&T hasn’t delivered any. No, he doesn’t know where I can get one from AT&T. No, they can’t just replace my iPhone. He’ll lodge a complaint with AT&T, as they should not have sent me to Apple for a SIM.

At this point I’ve spent an hour or two troubleshooting the iPhone myself. I’ve called for support 4 times, speaking to 1 Apple rep and at least 4 AT&T reps (who have had little, or no, or wrong, information). These calls have been averaging about 45 minutes apiece — some are over an hour, so call that at least 3 hours on the phone. I’ve registered on a website for an appointment with the Apple iPod Genius, and waited 35 minutes past that appointment time, only to be sent away without anything to show for it, about an hour after I arrived.

I called AT&T tonight, but their customer service line is closed. I called Apple, but they know nothing about which AT&T locations might have SIMs.

“Fed up” doesn’t cover it. “Thoroughly disgusted” with incapable AT&T and impotent Apple is more like it. FUBAR, in the original sense.


Harry Potter and the Deathly Hallows

Just finished Harry Potter (thanks, James!). We’re looking forward to reading them to Julia in a few years.


iPhone is currently useless

Friday night, as I was getting home, I noticed the iPhone had no service. I waited a bit, turned it off (hold the power button, then swipe to confirm), then rebooted it a few times (hold down power & home buttons, but Settings:General:Reset All Settings would have been easier). Both before and after I let iTunes Restore everything, the iPhone failed to activate.

Activation is critical — without AT&T activation, the iPhone blocks access to most of its features. This is why people are so interested in non-AT&T activation hacks, and one reason the iPod touch is interesting for so many folks — lots of people asked for a non-AT&T iPhone, and due to AT&T’s 5-year exclusive contract for iPhones in the US, you can’t even (officially) use an iPhone’s non-cellular capabilities without paying AT&T. This is part of Apple’s contract with AT&T — there’s no reason you couldn’t do everything except voice calling & SMS purely over 802.11, and those could be managed through gateways and VoIP. This exclusive contract may also be why Apple has restricted the touch’s access to “iPhone” features like email — either due to restrictions on what communications features Apple is allowed to put in pocket-sized devices, or as a concession to AT&T while the touch cannibalizes some iPhone sales and AT&T revenues.

Anyway, I wondered how both cellular and 802.11 radios could have gone out at the same time — I normally have 5/5 bars for AT&T + E for EDGE and 3/3 for WiFi in our apartment, and now I had “No Service” in the wireless status area. I couldn’t figure out how this could happen. It couldn’t be a software problem, because a fresh Restore of the same 1.0.2 image I activated on Monday night was not working. Reading about “No Service”, I discovered the 802.11 radio is disabled because the phone isn’t activated.

I called AT&T Customer Service Saturday morning. They transferred me to Apple (automatically, for iPhone support), and the Apple rep told me AT&T’s activation server was down. Apparently they knew about this, but did not have an ETA for it coming back up. He suggested I call AT&T, and I declined. So the Apple rep called AT&T, and failed to get an ETA for repairs.

I called AT&T again Saturday afternoon, and spoke to 2 AT&T reps. The first was quite nice, but quite surprised their “activation server” was down, and that she hadn’t heard about it. She tried to walk me through downloading Apple’s Activation QuickTime movie, telling me to click “Go Pro” to get QuickTime Pro, etc. I explained that I didn’t need a tutorial on how to activate (I had already done this — the only thing to do at this point was plug it into the Mac) and asked her to call Apple to find out what was wrong with the activation server (since they seemed to have a handle on the problem, if not a timeframe for resolution). After a while, instead of conferencing in Apple, she transferred me to a second AT&T rep.

The second rep was also nice, but no better informed. She did call Apple, but didn’t really understand what was going on. From what she relayed to me, I believe all iPhones are activated by iTunes (which would make sense — it shouldn’t be substantially tougher than DRMing AAC tracks). Obviously the iTunes system needs to tie into an AT&T database to access the customer records, since AT&T handles billing, phone numbers, porting, etc. Apparently AT&T scheduled some downtime starting on Friday afternoon, and was caught unprepared when they discovered that Apple was depending on this unavailable service to process iPhone activations. I was told AT&T expected it to be back up by 4am Monday morning. It took me a while to understand why the AT&T rep kept telling me that a) activations are handled by Apple, and b) AT&T (as opposed to Apple) expected to have the systems back online by 4am.

She asked if I had gotten email from AT&T, saying I might have gotten a manual activation procedure via email. I explained that I’d gotten a few emails welcoming me to AT&T, and telling me my number started with 347 (that was true for less than 24 hours — I got the phone Monday evening and got my RU cellular number ported Tuesday afternoon) and one offering me a free ringtone through AT&T MEdia Net (which the iPhone cannot use). There was also a message from “Cingular” in my spam folder, but it wasn’t about activation. She then told me she’d just confirmed I never got any manual activation message, and wasn’t going to.

The sad irony here is that a wipe and reinstall is supposed to be the guaranteed fix. In this case, due to the way Apple implemented their exclusivity clause, the “fix” created an officially insurmountable problem — nobody at Apple or AT&T can activate my phone right now, and the various third-party efforts are likely to be blocked in the future and might fall afoul of the DMCA (although I believe the cellular companies managed to disgust the US government enough to earn a special exemption for cellphone unlockers).

I definitely had a strange (non-activation) problem Friday night, but at this point my iPhone could be perfectly fine and useless because activation (AT&T’s equivalent of copy protection) is broken. I probably won’t know until Monday — hopefully I won’t have to get the iPhone replaced at an Apple Store.

On a side note, I’m displeased that Nullriver’s excellent AppTapp Installer.app and all its packages are now missing after Restore from iTunes. I don’t know if my configuration changes are there, just not the software. Since I’m likely to have to wipe the iPhone again, it’s not worth re-hacking & re-configuring the iPhone yet — and it’s pretty useless without network connectivity.


I got an iPhone

I realized that I want to be able to watch videos all the time, without always adding an iPod to the cellphone on my belt.

I realized that I wanted the smarter phone offered by the iPhone.

I realized that another 8gb is important (8gb on the iPhone is tight for me), but less valuable than cellular service, SMS service, data service (EDGE seems faster than my Treo 650’s 1x RTT), Bluetooth (probably missing from the touch), and one less device to carry. Aside from that additional 8gb and some irrelevant size/weight discrepancies, the iPhone doesn’t seem to have any disadvantages compared to the iPod touch.

I realized that the iPod touch appears artificially limited. If it’s got WiFi and Safari, why not Mail?

I cancelled my iPod touch and picked up an iPhone at the Apple Store. I hadn’t been to their 5th Avenue location — it’s really cool architecture. The people there were very nice, including Giovanni who came by the long line asking if we were all paying by credit card. When I said I was getting an iPhone, he pulled me out of line, grabbed an iPhone, and did the whole thing on a Symbol handheld — with an embedded barcode reader, running Palm OS (they ran on Newtons until Apple dropped them). It would have been slightly faster than the (excellently run) cash register line, except for the time it took them to finally decide there is no educational discount on AppleCare for iPhone.

That was an irony — Apple actually thought I was a Newton VAR for a while. I still have VHS tapes of the conference they brought us to at Cupertino, including me in the audience. We have no VCR, and I never watched the tapes, except perhaps once to verify I was visible in the audience…

The porting process was not too bad, although there were a few steps:

  1. Talk to Telecom.
  2. Send email to IT office manager.
  3. IT office manager sends approval to Telecom.
  4. Telecom calls Verizon to release number.
  5. Telecom, Verizon, and AT&T agree to port the number.
  6. Telecom calls me with AT&T on the phone. Telecom hangs up.
  7. AT&T rep tells me we’re ready, and transfers me to another AT&T rep.
  8. Second AT&T rep asks me if RU has a password on the account.
  9. I say “I certainly hope so, but I don’t know it. Didn’t you guys get this during the setup?”
  10. She says she has no password, but we can hope it goes through. Submits the port request, and starts explaining that my number will be in limbo for a while during the port, due to finish within 3 hours. Reminds me to clear my voicemail.
  11. She gets approval — I can now make calls from my iPhone using my own number.
  12. She asks if they can help with anything else. I ask about my SMS email address, and get transferred to a 3rd AT&T rep in Customer Service.
  13. While waiting, I attempt to send an SMS from my iPhone to my email address. This is how I discovered my Verizon SMS email gateway address, which we use for Systems Admin paging (very important!). This doesn’t work — the iPhone doesn’t allow ‘@’ in SMS recipients, only numbers and limited punctuation.
  14. I ask AT&T rep #3, who tells me it’s my 10-digit number followed by @txt.att.net (nice short address).
  15. I explain that I had a custom alias (@vtext.net) for the Treo, and ask how I can set this up with AT&T.
  16. The rep suggests http://www.cingularme.com/, a pre-merger Cingular site for setting these aliases up. Service is down, and it’s pre-merger anyway, so wouldn’t be likely to work.
  17. He starts surfing through the AT&T Wireless website, attempting to find the new location of the stray webapp.
  18. After a few fruitless minutes, and some conversations with his co-workers, the (very nice) rep apologizes for my wait and says he’s going to need some more time. We agree he will call me back.
  19. A few minutes later, he calls to tell me that the Cingular site was taken down (supposedly in response to a security problem) even before the merger, and although people are still asking for this service, he has no information about if or when it will return. Apparently the forwarding is working fine, but there is no interface to change these forwards.
  20. I explain that I was getting a significant amount of spam to my old Verizon address, so I really want to be able to use a changeable address — not my cellular number, which has been stable for years, and hopefully will remain so.
  21. He understands, but doesn’t seem able to do anything about it.

Altogether, it took about an hour and a half, during which I got a phone call and a few questions from co-workers (I spent much of it on hold), conducted a brief iChat (video) session to show off the iPhone, and fixed an email account.

Anyway, my number is ported, Visual Voicemail is nice, and I set up a sieve rule to forward page emails from work and family to my cellular address.

I’m pleased to note that when I get a longer message, AT&T breaks it up into 2 SMSes. This is in contrast to Verizon, where I often only got the headers and very beginning of SMS emails, leaving me wondering what was wrong. Of course, I had unlimited SMS with Verizon, while each such message counts as 2 (or more) for my 200/month SMS service. It should be fine…

Since I haven’t had time to get an iPhone case yet, I’m carrying it around in my Treo beltcase. It swims! I think I could keep 3 iPhones snugly in this case!


Bathed in the Glow

Walking to work this morning (in the rain), my new iPhone asked if I wanted to join a network. When I looked, it offered me 4 pages of networks. Note that this was not in an apartment building — I was under an overpass on E 61st Street, between 1st & 2nd Avenues. A new kind of urban density…

[Screenshots: the four pages of the “join a network” list]

I then turned this feature off — it’s too distracting when walking around. Instead the iPhone uses my home network or Rockefeller’s public network (iPhones cannot handle WPA Enterprise, so it cannot join the IT Staff WLAN).


FIPS 140-2 for Mac OS X

I got a very interesting (and unexpected) email today. Apparently Apple is in the process of certifying Mac OS X to Federal Information Processing Standard 140-2, the NIST program for validating cryptographic modules; it’s commonly associated with SSL/TLS hardware and software, and I know OpenSSL was being validated against FIPS too, but haven’t kept track of that progress. I had no idea Apple was working on this, but if and when it’s completed, it should be a useful credential for Apple in security-sensitive environments. Note that I make no claims as to the meaning of FIPS certification, but it will be used as a simple checkbox for trustworthiness, so it can’t hurt Apple to have this particular tick-mark.

From: "Shawn A. Geddis" <geddis@>
To: Fed Talk <fed-talk@lists.apple.com>
Date: Mon, 10 Sep 2007 04:57:51 -0400
Subject: [FIPS 140-2] Mac OS X - Implementation Under Test (IUT)

It’s Official — Mac OS X is now in “Pre-Validation” for FIPS 140-2 Level 1 (Software) Conformance Validation

Everyone has been eager to know the status of FIPS 140-2 Conformance Validation for Apple’s Mac OS X and we are happy to finally announce that as of Friday September 7, 2007 the Apple Cryptographic Service Provider (CSP) Module is officially now in “Pre-Validation”.

Listed on NIST (CMVP) Pre-Validation List

You will now find the Apple “Cryptographic Service Provider (CSP)” on line 5 of page 2 on the Pre-Validation List (PDF) posted on the NIST CMVP website. To view that list now or reference it in the future, use the following link to download the PDF document:

http://csrc.nist.gov/cryptval/140-1/140PreVal.pdf

What will be covered by this validation

A Cryptography Architecture is built into Mac OS X and is the foundation for services critical to the protection and privacy of data. The key Apple Cryptographic Services which will be covered by this validation are:

FileVault (Encrypted Container - User’s Home Directory)

Encrypted Disk Images (Encrypted Container - Stored on any accessible media)

Keychains (Credential Storage)

The FIPS 140-2 Conformance Validation Process

For those who are not familiar with the process and requirements, they can be found on the NIST website at:

http://csrc.nist.gov/cryptval/140-1/preval.htm

  1. Implementation Under Test (IUT)
  2. Validation Review Pending
  3. Validation Review
  4. Validation Coordination
  5. Validation Finalization

When it will be done

Many have asked when Mac OS X’s cryptographic algorithms and cryptography conformance validation against FIPS 140-2 Level 1 will be complete. Apple is unable to provide you with a more specific timeframe than the first half of 2008 due to the extensiveness of the process. Apple will make every effort to post status updates on the Federal website [ http://www.apple.com/itpro/federal/] as well as occasional updates posted to the Fed-Talk Mailing list [ http://lists.apple.com/mailman/listinfo/fed-talk ].

Meeting OMB Recommendations (M-06-16)

To assist Federal Agency IT Staff in understanding how Apple’s Mac OS X Operating System can help them meet OMB guidelines, the Apple Enterprise Team had developed and presented the “Meeting OMB Encryption Guidelines with Mac OS X Today” briefing to a large Federal IT Staff on August 17, 2006. Many additional Federal Staff had indicated that they were unable to attend the all day briefing and technical discussion due to scheduling conflicts, but said they were extremely interested in getting access to the presentation.

“Meeting OMB Encryption Guidelines”

http://idisk.mac.com/geddis-Public/security/Meeting_OMB_Encryption_Guidelines.pdf

Background on FileVault

FileVault provides full 128-bit AES encryption of the User’s Home Directory where the user has full, direct access to read and write their data. The underlying Encrypted Disk Image architecture also provides services to create, manage and store the encrypted containers on any accessible storage media. This storage includes external volumes such as thumb drives, CDs/DVDs, USB/FireWire HDs and even network accessible volumes.

Background on Apple’s Cryptographic Architecture

The Cryptography and PKI Services within Mac OS X and Mac OS X Server are provided through the CDSA - Common Data Security Architecture. The CDSA architecture is the core part of Apple’s Security framework which is available from The Open Group and available as open source for review, use and modification.

Open Group - CDSA: http://www.opengroup.org/security/l2-cdsa.htm

Apple source can be found at: http://developer.apple.com/opensource/security/

If you have any additional questions at this time regarding the FIPS 140-2 Level 1 Conformance Validation of Mac OS X, please contact me directly via email at: geddis@


Getting Mail off the iPod

I reversed over 10 years of history today, moving my Eudora Folder off my iPod. I’ve been carrying my email around with me for a long long time.

I will now rely upon IMAP to keep my mail in sync (as many people do — this is much of the purpose of IMAP). Two main issues kept me carrying around my email after I switched Eudora from POP (which it does wonderfully) to IMAP (which it does less well):

  1. Message Status. I know there are messages I have read and marked as such in Eudora, but where the server has the messages marked as unread. I suspect in some cases this is because Eudora lost connectivity to the server and was unable to update the read/unread status immediately, but I’ve been shielded from this by carrying my mail (and the ToC files where Eudora keeps read/unread status) with me on disk for years.
  2. I use open Eudora messages as a To Do list, and each copy of Eudora will keep its own independent list of open windows. I don’t know if I’ll use saved searches or how I’ll keep track of messages that require attention yet.

I have (and needed!) several reasons to make the switch:

  1. I no longer have to carry around an iPod all the time. To and from work isn’t too bad, since I was often listening to it, and the iPod is much less obtrusive on a belt clip than my VST 10gb 2.5″ FireWire drive was, but it’s still something else to carry/remember/worry about losing.
  2. I can now once again use my iPod. Previously it was really only available when travelling, because the rest of the time the iPod was plugged into a Mac in FireWire Disk Mode. To take and use the iPod required first quitting Eudora and unmounting the iPod, and later plugging it in and letting Eudora relaunch and open all its windows.
  3. I am getting an iPhone (rather than the iPod touch I ordered last week), and don’t want to give up 1.5gb of its 8gb for email.
  4. I cannot leave my iPhone tethered to a computer in disk mode when I walk away from my desk.
  5. I can now easily run Eudora on my work laptop (the iPod was always plugged into my work desktop). I actually started doing this a while ago, and my head did not explode due to IMAP sync discrepancies.
  6. Moving my laptop around our apartment will be more convenient — I won’t have to carry the iPod around (plugged in) on top of the keyboard as I walk up and down stairs.

This is a BFD for me.

Red Hat 401: Deployment & Systems Management

I just finished RH401: “Red Hat Enterprise Deployment, Virtualization, and Systems Management”. It’s a 4-day course, given Tuesday-Friday of this week. The course is normally Monday-Thursday, with an assessment exam (EX401) on Friday. Had I known this, I probably would have taken the course with the exam — I’d like to have that certificate. There are 5 tests (including EX401) to earn the exalted title of “RHCA”, Red Hat Certified Architect.

The course covered several major areas:

  • Net booting (PXE, DHCP, & TFTP)
  • Kickstart (automated installation of RHEL)
  • Red Hat Network (rhn.redhat.com, a service hosted by Red Hat), Satellite Server (a local version of the service, which includes and installs net boot services), and Proxy server (a customized caching webserver which saves bandwidth and download time — a subset of the full Satellite)
  • Building RPMs
  • Xen virtualization

Xen is very cool — it’s perhaps halfway between VMware and Solaris zones (containers), so more efficient than VMware but less than zones. Xen offers live migration between servers and supports RHEL 4.5 as a guest OS. With appropriate hardware (preferably recent Intel or AMD CPUs with hypervisor instructions), Xen can also virtualize Windows and earlier versions of RHEL. VMware is much more mature, but very expensive (easily more than the hardware it runs on for standard 2-socket systems), so this was a useful preview, even if we don’t expect to use Xen much during the next year — perhaps for Rockefeller’s multi-user webserver, where we would like more isolation between users.

I was really there, however, to find out how to build custom RPMs for Rockefeller, manage them with custom RHN channels, and kickstart from a net boot server to streamline and automate installations.

Unfortunately this turns out to be surprisingly expensive, compared to what we pay to run RHEL. We normally pay $50/host/year for RHEL Academic Server, which is basically the Update & Management entitlements. This enables us to download patches from rhn.redhat.com (Update), and do a little bit more advanced stuff such as group systems in the RHN website (Management).

To use all the custom channels and kickstarting discussed in the class, we need a Red Hat Satellite Server (which costs about as much as all our RHEL Academic seats combined), and a $96 RHN Provisioning add-on Entitlement for each server. Combined, these would quadruple the amount we pay Red Hat annually for our servers, and I’m not at all convinced it would be a worthwhile investment.

We may instead get a Red Hat Proxy Server, which provides custom channels and costs much less than the full Satellite, and build our own kickstart server, forgoing all the Satellite features. This would be a shame, but might turn out to be the best compromise.

Another problem is that the RHN/Satellite back-end is RHEL4AS only — it doesn’t run on RHEL5, and it doesn’t coexist well with any other services. This is a larger Red Hat problem, rather than specific to the class, but it meant the class was a mixture of RHEL4 and RHEL5, and made things more complicated.

It’s enough to make one seriously consider CentOS, which is a rebranded free version of RHEL. We don’t want to do that, though.

Paul, our instructor, was full of excellent tips on better ways to work with RHEL. Unfortunately, I avoid many of these (decidedly useful) techniques, since they only work on Linux (or only RHEL), and I generally stick to things common to Linux, Solaris, and Mac OS X. The neat stuff Red Hat has added recently, which he was excited about, would make my RHEL work more efficient at the expense of having to keep track of the RHEL way and the non-RHEL way. Those commonalities are essential for me.

Still, I learned a lot of useful stuff about RHEL, and now just need a chunk of time to set up a kickstart server and decide how to do DHCP — our DHCP scopes are managed by the Network Group, and we need a way to set up and manipulate kickstarting without asking them to make multiple DHCP & VLAN changes. I have some ideas for how to automate and customize the kickstart process, which I’d really like to test and implement.

Questionable Content

Earlier this week, Lyman mentioned he was hooked on Questionable Content, a web comic. I told Sam (late of Rockefeller IT), who was immediately hooked. I have just now finished reading the whole strip (964 episodes). A most enjoyable way to spend hours I did not have free!

It combines aspects of Hothead Paisan, Dykes to Watch Out For, UserFriendly, and a whole music scene I know of only from The Onion A.V. Club. I’m sure there are many other references I’m not even aware of — my comic tastes generally ran more to The Badger, X-Men, and Dynamo Joe.

It’s interesting to see how the drawing and dialog have evolved over time. The art has gotten better (it was good to start with), and there has been less focus on music, with more and more sexual hijinks. I assume these have helped make QC so popular.

iPod touch ordered

I’ve been waiting for an 80gb+ iPod with a larger screen since the 80gb iPod video came out in October 2005, shortly after I got the 60gb iPod photo — which has been full since then. Today Apple presented me with another dilemma:

  • $350 160gb iPod classic
  • $400 16gb iPod touch
  • $400 8gb iPhone (with 2-year contract)

I ruled the 160gb iPod out because I watch a lot of video (mostly from the TiVo) on the subway, and I really want a better screen than the Treo 650’s 320×320. Both the iPod touch and the iPhone offer 480×320 — so twice as many usable pixels as the 320×240 iPod classic or Treo (movies aren’t square, so 1/4 of the Treo’s pixels are completely unused for video) — with H.264 support. I expect quality to be three times as good as what I currently watch.

Then it was down to the 16gb touch vs. the 8gb iPhone, for the same purchase price. Fortunately, I spend most of my time at home or on campus, where I have 802.11g available — EDGE is useful for lunch and walking between the train and home/office, or road trips (less than once per month). If Rockefeller didn’t own my Treo 650 and pay for Verizon service, I might have gotten the iPhone, but instead I opted for the 16gb iTouch.

Actually, more than dealing with Rockefeller about the phone, it came down to the fact that replacing my iPod is much easier than replacing my Treo — I use Plucker a lot, and Vindigo, Web Confidential, TomTom Navigator & Google Mobile Maps not infrequently. The real flaw with the iPod touch compared to my 60gb iPod is storage capacity, and I’m not willing to wait any more for a super-iPod with the large screen and large hard drive. I don’t know why Apple won’t sell it, but after 2 years it’s time to move on. I still keep my music on home and work systems via rsync, and I just decided to bite the bullet and deal with having a subset of my music when I travel.

The reality is that I will listen to / watch the iPod more than I have been doing, because it’s currently tethered to a Mac in FireWire Disk Mode most of the time, with my Eudora Folder mounted. I can’t take it with me when I walk out without quitting Eudora (which can take a while to close windows and purge the Junk folder), unmounting it from the Desktop, waiting to get the all-clear, and then removing the Dock cable. As a result, I only use the iPod for music when traveling. I briefly tried using a flash drive (first-gen iPod Shuffle) for this purpose, but writing was way too slow.

I’ve been carrying a single Eudora Folder with me since my PowerBook Duo 230 (33MHz, 640×400 greyscale 1992-1994), which I carried around to have a consistent mailbox, even after the keyboard and screen broke (I used it with an external keyboard and monitor). I switched to carrying a Zip disk (and perfected my backup system — Zips were notoriously unreliable), briefly to Orb disks, and back to Zip when it became clear that Orbs were even worse. I switched to a portable 10gb hard drive until I got a 10gb iPod. Now I will have to find a new way to keep track of to-do email — time to try out Eudora 8!

It will be great to escape Apple’s broken Palm HotSync support. iPod touch sync should be much more robust, since it uses different versions of the Mac apps, with the same data formats.

I was surprised to notice that the iPod touch’s home screen looks different than the iPhone’s — the touch uses a Leopard-style shelf, while the iPhone’s is Dashboard-inspired. Likely this will be resolved in the next iPhone update. It’s somewhat more puzzling that the iPhone supports Audible formats 1, 2, & 3, while all current iPods support formats 2, 3, & 4.

Bug Hunting II

In my Bug Hunting post, I mentioned my goal of reporting 1,500 “bugs” to Apple by the Leopard (Mac OS X 10.5) release. Obviously some reports aren’t Apple bugs — some are enhancement requests, some are my fault, etc.

Today I hit 1,300, so I think I have a decent chance of reaching 1,500 by 10.5’s release (announced for October, but obviously it wasn’t done when that date was decided).

Update. 2007/09/22: I am at about 1,400 bugs, but ADC only shows 1,000 bugs total. As I report new bugs, they show up as Open; with each one since I hit 1,000, my count of Closed bugs goes down by one. All the counts I can see (including one non-ADC project where reports are not visible online, so I had to tabulate email confirmations) total to 1,390, and I know there are at least a few more I’m not seeing.

Eudora 8.0.0b1 Released

Eudora 8.0.0b1 has been released.

This is the open-source package of the Thunderbird engine with the Penelope plug-in to add various Eudora features onto Thunderbird. I (like many others) have tried several times to switch from Qualcomm Eudora 6 to a different mail client with better IMAP support. I have tried Thunderbird (more than once), Mail.app (more than once), and Thunderbird+Penelope, but none of them were acceptable replacements for Eudora 6. Both Thunderbird and Mail.app are heavily mouse driven, while Eudora does an excellent job (especially with function keys and the toolbar) of supporting keyboard control.

It looks decent, but I think it was a bad idea to use “Eudora.app” and the same icon as Eudora 6. Once they have a release version this might make sense, but for now I run both Eudoras, meaning I had to change the name to avoid a conflict, and I can only tell them apart when Command-tabbing because the new Eudora has no actual icon — just a green unread-messages badge over a missing icon. So telling them apart isn’t difficult right now. Perhaps they can flip the Eudora icon left-to-right, and we could remember that the pencil pointing down-left is Qualcomm and pointing down-right is Thunderbird-based.

Now I have to try it out and figure out what’s missing, and file bug reports.

Toolbar customization seems incomplete — I can’t yet figure out how to remove the Print button from the toolbar, although presumably this is just my own ignorance.