SIP

I love my Tesla Model S. It's a fabulous car and there are many fabulous and ultimately very boring things that I could say about it. It's fast and quiet and makes you feel like you're sitting in the captain's chair of the USS Enterprise every time you get into the thing on your way to work in the morning. It has many commendable features, but after driving the thing for the better part of two years I've come to the realization that the main problem with the whole man-Tesla symbiotic relationship is that I am, in fact, an idiot.

This manifests itself in many ways, but most of them boil down to some variation on the theme of Oh-No-Where-Are-The-Damn-Keys. You see, as long as you have the keys somewhere about your person then you're able to waltz up to the driver's door and it'll unlock itself and let you in and away you go. However, when you get out of the car you need to push a button on the fob to lock up, which in my case results in a frantic patting of pockets, examining of bags, and occasional spelunking with a flashlight in the darker recesses of the cabin.

Systems and security are only good to a point, and that point is the one at which they're actually both useful and usable.

A couple of years ago Apple came up with the bright idea of SIP (System Integrity Protection), which scored lots of points on the useful scale but not so much on the usable side. SIP locked off access to a slew of places on your Mac that could ostensibly be targets for malicious code, and while the whole thing was a little Big-Brothery it was an undeniably good idea. If you wanted to circumvent it then you could do so relatively simply using the healing power of a relevant Google search, but it probably provided a lot of solid protection for a huge percentage of people who weren't going to fiddle around with the plumbing of their computers and who probably didn't even notice it was there. Like the whole Tesla key thing, it was a little frustrating but demonstrably pretty cool, and you took the former for the sake of the latter.

Which is why it's peculiar that it now--as of macOS Sierra--seems to be switched off by default. Don't believe me? Go on. Try firing up the Terminal and banging in "csrutil status" and see what you end up with.

SIP is a great doorlock, but leaving it wide open by default is at best puzzling and at worst unconscionable...
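To run the check described above on more than one Mac, the output of `csrutil status` can be classified by a script. This is an added example, not part of the original post; the function names and the sample output are constructed, and the exact status wording is an assumption to confirm on the macOS version in use.

```shell
#!/bin/sh
# Added example: classify the text that `csrutil status` prints.
# The matched wording is an assumption about the output format; verify it
# against the macOS release you audit.

# Constructed sample of a partially disabled ("custom") configuration.
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled'

# sip_state TEXT -> prints enabled | disabled | custom | unknown
sip_state() {
    status_line=$(printf '%s\n' "$1" |
        grep -i 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        *"Custom Configuration"*) echo custom ;;   # some protections off
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;  # no csrutil, odd output
    esac
}

# sip_weakened TEXT -> prints each protection listed as disabled.
# "Apple Internal" is skipped: it is a flag, not a protection (assumption).
sip_weakened() {
    printf '%s\n' "$1" | sed -n -e '/Apple Internal/d' \
        -e 's/^[[:space:]]*\(.*\): disabled$/\1/p'
}

# Use the real tool on a Mac, otherwise fall back to the constructed sample.
if command -v csrutil >/dev/null 2>&1; then
    report=$(csrutil status)
else
    report=$SAMPLE_CUSTOM
fi
echo "SIP state: $(sip_state "$report")"
sip_weakened "$report" | sed 's/^/  disabled: /'
```

Anything other than `enabled` is worth a closer look: `custom` means SIP is on but individual protections have been switched off.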

Things I Do Not Like About macOS - Get Off My Lawn Edition #443

Two things.

Thing one? This is the default setting in Finder Preferences:

That's right. Anything you leave in your Trash for more than thirty days will be deleted. By default. Good and responsible people always empty their trash on a regular basis, just as they brush their teeth after every meal and rotate their tires every ten thousand miles. Meanwhile, the rest of us chuck things out on a haphazard basis and then empty the thing out whenever guilt and self-loathing dictate we're supposed to. Most of the time that's just fine--after all, we pretty much all have massive internal storage with tons of space--so no harm, no foul. We don't, however, need our computers to do that kind of thing for us. If I had a nickel for every document, screenshot, or .gif of a kitten having its belly scratched that I'd thrown away and then decided I needed a couple of months later I'd have... okay, well, probably only about thirty-five cents. But you get my point. It's great to have options, but not to have them shoved down your throat by default.

 

Secondly, the Calendar.app in Sierra seems to be mysteriously unable to search anything back past October 2014. Either on Google Apps, Exchange, or CalDAV servers. It's not a spotlight issue, and it's not something that happens on El Capitan and back. Ostensibly there's a bug fix in the works, but until that makes a tangible appearance then you'll find me alternately glowering at my calendar or shaking my angry fists at a brooding and silent sky.

Airpods (or "Why Should I Pay A Hundred and Sixty Bucks for Wireless Headphones That Will Fall Out Of My Ears")

Today was Apple's big Fall 2016 New Product Introduction and Pancake Breakfast Jamboree. As is traditional, we got treats and surprises that are no less welcome for being predictable and indicative of solid - if relatively unremarkable - innovation.

The Watch got an update to make it officially waterproof (as opposed to being unofficially waterproof) and it got a GPS chip, a brighter screen, and a faster processor. Great. I love my Apple Watch dearly because it's an extremely useful adjunct to my iPhone 6 - which on a very practical level is pretty much my default computer these days.

The iPhone 7 was introduced to a public that had known about it for weeks if not months in advance. To be honest, I didn't pay a lot of attention to the specs, so I'm going to play it safe and say that we probably got new colors, a better camera, more powerful processor and more storage. Oh, and a design tweak so that it doesn't look like the 6s.

Much ballyhoo has been made of the lack of a headphone jack, and I'd really hoped for some nice wireless headphones in the box. Nothing exorbitant; I have a few pairs of cheap Bluetooth headphones that are solid and dependable and have excellent audio quality and battery life. I think they cost me about $15 a pair on special at Amazon. That would have been great. Instead, we got these:

...for $159.

This in itself would be okay with me - after all, there are plenty of fancy Bluetooth earbuds out there that are cheerfully in that price range, and these do feature some nice Siri integration and probably sound very nice indeed. Plus, there's a charging carry case for them that could be very handy. No, what I'm peeved about is what's missing; to wit - a wire connecting one to the other.

Let me explain. Apple thinks that everyone has a head like this:

Observe, if you will, the classical profile and proportional elegance of the noggin. This model has ears that can cheerfully accommodate the squished grape shape of the Airbuds/Apple Headphones, which are designed to fit snugly into your ear canal without any of those tacky silicone bits that other folks put on the outside. Where this all falls apart is when you're dealing with people like me, who have enormous, ungainly ears. If I put Apple headphones into my ears I can get about four steps without the things falling out, and the only way I can get them to stay is by corkscrewing them so deep into my ear canal that I run the risk of some kind of internal cranial bleed. 

Now, the falling-out-of-your-ear thing is a constant issue, but not really too bad considering that A) my super-cheap earphones have silicone tips which greatly ameliorate the problem and B) they're joined by a wire so if one falls out then it's not going to bounce away across the floor never to be seen again. Also, they cost $15. Meanwhile, the AirPods cost ten times as much, and if one of them falls out while I'm running/walking/mucking horses then I'm willing to bet that that'll be $159 I won't see again...

 

Two Step Verification and Two Factor Authentication

Two-step verification on the Mac has been a thing for a while now. It's a solid level of protection for your Apple ID that requires you to enter a code when accessing your Apple ID account information, signing into iCloud on a new device, using a service like FaceTime or making a purchase at the App Store or iTunes using a new device.

The process is fairly simple; simply go to your Apple ID account page and choose "Get Started" under "Two Step Verification". You'll be asked to register one or more devices as trusted devices that can receive SMS messages and you'll be given a recovery key that you should keep in a safe place in case you ever lose access to those trusted devices.

When you want to do/access one of the protected services then an SMS gets sent to your trusted device. If I want to sign into iCloud on a new iPad then I'll plug in my iCloud password and the four-digit code that gets sent to my trusted device (i.e., my iPhone). It's a simple and intelligent way to strengthen security; unless you have my iCloud password, my iPhone and/or the recovery key then you're out of luck.

So, two-step verification is awesome. What could be better than that? Enter Two-Factor Authentication.

On the face of it the whole Two-Factor/Two-Step thing looks like a semantic difference. In both cases you're trying to access a service on a device and using an authorized device to enable that. What, in so many words, is the big deal?

Two-Factor is an upgrade that came with iOS 9 and El Capitan, and it utilizes a lot of the security upgrades that came with those two OSes. Instead of pushing a four-digit verification code to one SMS-specific device, it pushes a six-digit code to all of your authorized devices; further, it pushes the geographical location of the request to those devices (although that doesn't seem to play nice if you're using a VPN service). It's a streamlined approach that ditches recovery keys and puts paid to app-specific passwords for anything that isn't an incompatible service.

Turning it on can be done in either iOS 9 (although the process seems to be broken in iOS 10 beta) by navigating to the iCloud System Preference pane, hitting "Account Details", then choosing the option from "Security".

These kinds of things are not panaceas, and reasonable caution is the piece of the puzzle that you have to engage in; however, Two-Step and Two-Factor authentication are an excellent protection for your AppleID and devices (provided you don't write your AppleID and user passwords down on a sticky note on your iMac and leave them unattended...)

Per-App Cellular settings

Quick/useful post (hopefully).

I have a friend - let's call him David because that is in fact his name - who dabbles in iOS app development. As we've been friends for about thirty years or so I often gamely volunteer to test out whatever he's working on. Not every app actually makes it all the way to completion (and even then only a couple have made their way to the App Store), largely because he has another actual job and has the kind of work ethic that would make Thomas Edison look like he was just phoning it in every day.

iOS is great about memory management and graceful resource use on well-written apps. It's not so great when you're running a very rough approximation of an app, and your battery life and cellular data bill can reflect that accordingly. Quitting an app in iOS isn't a big deal, but it can be advantageous to prevent an app from using Cellular data. It takes a little digging around, but can be done thus:

First fire up the Settings app:

...then scroll down and selectively turn on/off cellular data for each app:

Et Voila! My friend's apps are way down the list and not revealed (to protect the innocent and also myself from the endless barrage of abuse that he'd doubtless hurl at me), but since tweaking those settings I've noticed some appreciable bumps in battery life that have made my role as a test subject a little easier...

Backblaze Q2 reliability

Ask a dozen IT folks what they recommend for internal storage and you'll probably hear a dozen different answers. Most of us have - at one time or another - been burned by one particular company more than another (I've had some truly horrendous luck with Seagate drives but others swear by 'em), so it's always fascinating to read some tangible, unbiased real-world breakdowns about drive models and reliability.

Backblaze (an online backup service that those same dozen IT folks will probably unanimously endorse) is - as far as I can tell - the only company who shares details of their storage infrastructure and the uptime/failure of their drives. It's well worth a read - they publish their current information on a quarterly basis, and it's always fascinating to check in and see what brands and models are holding up over time (and which aren't).

Certification Uncertainty

Seth and I have been lax in keeping up with our shots of late. We've been busy (which is a good thing) and thus only just got around to taking the El Capitan ACSP tests (which - while not bad - certainly isn't *great*). Neither of us has really been sweating that though; my certifications stretch back to 10.4 and his go even further back to 10.2, and one of our most significant office decorating problems is finding frames and wall space for all the certifications we've accrued over the last few years (currently twenty-nine, although there's also the matter of the six that are so old that we can't get copies any more).

Still, while it's fun to humblebrag about how well-qualified you are and to moan about how you don't have room for all your awards, there is a genuine issue looming. The way we were able to accrue all those certifications was by taking courses for both OS X client *and* OS X Server. The OS X client exam (the ACSP) is designed to demonstrate a high level of technical competency in the fundamentals of understanding and troubleshooting OS X. The OS X Server exam (the ACTC) built on that and delved into the Server product in a deeper and far more comprehensive manner.  The ACSP certification was a prerequisite of the ACTC, and if you had the two of them then it was pretty clear that you Knew What You Were Doing.

This was all very well until earlier this year, when Apple quietly phased out the ACTC test. Nobody I've talked to seems to have a concrete explanation for this; the best that I heard was straight from a fairly senior person at Apple who opined that in the spirit of openness there would be an effort to encourage different, wider ranges of qualifications and use those as a means of demonstrating expertise. That actually made a lot of sense, but so far that doesn't seem to have appeared in any tangible form.

What has appeared is the Server Essentials 10.11 course material and book - which is, in effect, everything that you would have expected out of the old ACTC certification materials. It's pretty rad, and while there's nothing massively different there from 10.10, it's a great book and does a good job of catching up the thousand and one small differences that Server 5.0 brought to the table.

All that's needed is a certification to go with it. I don't really need any more certificates on the wall (see earlier whining re: frames and space), but it'd be nice to be able to have something to demonstrate that we've reached a proficiency in the server version of the operating system.

And so we wait...