SSL, TLS and Alarmism.

Excerpt from an email I received this morning from Harbortouch, entitled "POS Systems Are Now Useless":

"Considerable changes are being made to PCI requirements in order to address a vulnerability with SSL encryption called POODLE. In short, SSL encryption, which has been the standard encryption method for decades, is no longer PCI compliant due to vulnerabilities in this protocol."

Ugh. The one thing more damaging to security than a breach is the perception of a breach. Now while that might seem a naive way of thinking about it, I'll make arguments to my dying day that it is, nonetheless, accurate. Fear-mongering in IT (where the stakes are often high) is a fast way to make a buck out of folks who are bent on staving off incursions. It's akin to yelling "Fire" in a crowded movie house and then trying to sell people buckets of water on their way out to the lobby. Yes, breaches happen from time to time and nobody is downplaying that or saying that they're a good thing, but nothing good ever comes of spamming out something designed to deliberately misinform and panic both vendors and end users.

Here's the real scoop. SSLv2, SSLv3 and early versions of TLS (SSL's successor) are vulnerable to POODLE. This issue was discovered in 2015 and most reputable POS vendors looked at it, upgraded to TLS 1.2, and never looked back. End of story. But wait; there's more:

"SSL has been the standard encryption protocol for decades, so virtually every POS system older than a few months will likely require a costly security upgrade no later than June 2018 (with some deadlines as soon as this summer) or face a complete shutdown of credit card processing capabilities."

Yes, SSL has been the standard protocol since the mid-nineties, but the versions that are vulnerable to POODLE have been largely deprecated. They were outdated in 2015, and even further back responsible folks in the IT field were moving away from SSL and toward TLS 1.2. None of this is in any way new news. The PCI bit is true as far as it goes; a few years ago PCI 3.1 was sunsetted, with PCI 3.2 rolling up in June of 2018, but there's no "costly upgrade" involved at all; your POS vendor will simply implement TLS 1.2, which is functionally interchangeable with the older SSL technology. They both use certificates, and you don't need new or special certificates to use TLS.

Here's the most telling bit: "That means that this is the time for you to go on the offensive and capture more business!"

Pft. And there we have it, ladies and gentlemen. It never hurts to stay up-to-date with your PCI/security obligations, but it never hurts to take this kind of thing with an ounce of investigation and a liberal pinch of salt...
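An added example, not part of the original post or any vendor's code: one way to check what a payment endpoint really negotiates is to read the server_version field of the ServerHello it sends back and flag anything older than TLS 1.2. The endpoint names and handshake bytes below are constructed for illustration.

```python
import struct

# Wire values for the protocol versions the post names.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_ACCEPTABLE = 0x0303  # TLS 1.2, the version the post says vendors moved to

class NotServerHello(ValueError):
    """The bytes are not a complete TLS ServerHello record."""

def negotiated_version(record: bytes) -> int:
    """Return the server_version field of a ServerHello record."""
    if len(record) < 5:
        raise NotServerHello("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise NotServerHello("not a handshake record")
    body = record[5:5 + length]
    if len(body) < length or len(body) < 6:
        raise NotServerHello("truncated handshake")
    if body[0] != 2:  # 2 = ServerHello
        raise NotServerHello("handshake message is not a ServerHello")
    if 4 + int.from_bytes(body[1:4], "big") > len(body):
        raise NotServerHello("ServerHello longer than its record")
    # The server's choice is server_version, not the record-layer version.
    return struct.unpack("!H", body[4:6])[0]

def classify(record: bytes):
    """Return (version name, True if the version is TLS 1.2 or newer)."""
    version = negotiated_version(record)
    name = VERSION_NAMES.get(version, f"unknown (0x{version:04x})")
    return name, version >= MIN_ACCEPTABLE

def build_server_hello(version: int) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a capture)."""
    hello = (struct.pack("!H", version) + bytes(32)  # server_version, random
             + b"\x00"                               # empty session id
             + b"\x00\x2f" + b"\x00")                # cipher suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

def audit(captures: dict) -> dict:
    """Return {endpoint: finding} for endpoints that negotiated below TLS 1.2."""
    findings = {}
    for endpoint, record in captures.items():
        try:
            name, ok = classify(record)
        except NotServerHello as exc:
            name, ok = f"unparseable: {exc}", False
        if not ok:
            findings[endpoint] = name
    return findings

# Constructed sample: hypothetical endpoint names, synthetic handshake bytes.
SAMPLE = {
    "pos-terminal-1": build_server_hello(0x0300),
    "pos-terminal-2": build_server_hello(0x0301),
    "pos-terminal-3": build_server_hello(0x0303),
    "pos-terminal-4": b"\x16\x03\x03",  # cut off mid-header
}

if __name__ == "__main__":
    for endpoint, finding in audit(SAMPLE).items():
        print(f"{endpoint}: {finding}")
```

A TLS 1.3 server also puts 0x0303 in this field, so it passes the check as "TLS 1.2" rather than being flagged.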

Ch-ch-ch-changes

Hi. This is Dave. Pleasedtameetcha.

I'm spending a lot more time doing behind the scenes, big-picture IT these days, and it's an odd change of pace compared to the more traditional, I'll-jump-in-the-car-and-fix-things approach. Not a bad change of pace, but an odd one. I seem to spend less time frowning at things while onsite with clients and a lot more time frowning at things remotely on a little screen, which is fundamentally the same experience with the notable exception that I can use saltier oaths now and mutter more.

A big part of what I'm doing could be categorized as future-proofing. It's an interesting time in the whole macOS/iOS ecosystem, and while the changes afoot aren't entirely sea changes they're nonetheless significant ones of a degree not dissimilar to the move from classic MacOS to Mac OS X. iOS 11 has peeked over the horizon and is approaching rapidly, and while High Sierra isn't on the surface a massive upgrade over Sierra there's a lot of stuff going on there that makes it prospectively challenging.

I like the look of iOS 11. I've always maintained that there's a clarity in reduction - doing less with more. I use a 2015 MacBook as my main computer because it's the smallest laptop I could get with a decent screen and battery life, and because I don't mind just having the one USB-C port. Hell, if I could get by with just using my iPhone as my work machine then I'd go with that, but failing that option I've always thought that an iPad would be an excellent laptop replacement.

Except that iOS, well, sucks. Okay, that's not fair: iOS is great for what it does, but my frustration with it is that it's historically walked right up to the line of being a true replacement for a work laptop and just sort of stopped there, toes on the edge, looking over into the abyss with a diffident expression. The approach of sandboxing each app is outstanding from a mobility and security point of view, but I hated the fact that you couldn't make elements from different apps interact (well, that and the lack of a native shell - but that's rather a lot to hope for and I've given up on that). I watched the WWDC keynote just like everyone else, saw what they'd done with the Files app and the *very* macOS-like dock, and then looked at my laptop as if it were some old, incontinent-yet-faithful dog. Maybe I could lose a pound out of my work bag, vastly increase battery life, and put Old Yeller out to chase rabbits. Which is how the book ends in my world.

But the really interesting thing to come out of WWDC was APFS. I'm playing around with it now and there's a lot to dig into; this is the first shift to a fundamentally new file system since 1998 brought us HFS+ and yes, that's nineteen years ago which makes me feel very old. It's in some ways a product indicative of where Apple is right now, and that's kind of interesting.

Back when the Mac first hove into view in 1984 it ran on the creatively named Macintosh File System (MFS), which was functional but limited enough that it was replaced with Hierarchical File System (HFS) a year or so later. HFS was a media-based upgrade over MFS in that MFS was designed to work great when you were running it from a floppy but didn't scale to larger storage like hard drives. Apple intelligently enough came up with a system of replacing the flat catalog of what-file-is-where (which worked well when you were dealing with a small storage device) with the vastly more effective approach of using a B-tree structure to allow the fast storage and retrieval of file location data, making it massively easier to search files on a larger drive.

In the same mold, HFS+ was largely in response to increased data storage sizes. When HFS was put into commission it would work with the unimaginably vast amounts of storage offered by a twenty-megabyte external SCSI drive, but when you scaled up to volumes in the multiple-gigabyte range then it became almost untenably slow and the approach of having files occupy a logical block meant that even very tiny files could use up a disproportionate amount of space. HFS+ tore that all down by replacing those logical blocks with much smaller 32-bit sectors, as well as increasing the number of characters you could use to name a file and offering support to an exponential degree. Later on we got Journaling tacked on top, and all was right with the world.

So, why move to APFS? Lots of small reasons and a few big ones. Based on the reading and poking around with the thing I think they can be reasonably divided up via the magic of bullet points.

• It's a media-driven update. Now that almost all (if not all) Desktop and Laptop Macs come from the factory with some kind of Flash/SSD/Fusion Drive bolted inside, it makes sense to accommodate that by replacing HFS+ with something that can accommodate the specifics of that new technology. APFS supports the TRIM command right out of the box, and its approach of writing changes to files as opposed to physically copying files leverages the speed of the newer, non-rotational-disk technology to deliver a lot of speed and security.

• Getting Fusion Drives to work in prior versions of macOS was something handled by CoreStorage. HFS+ had no idea what the heck a Fusion Drive was, so CoreStorage stepped in to make it all nice; but now APFS understands all about Fusion Drives. This is a good thing, but I wonder how that will affect the old break-the-fusion-drive-to-get-two-mirrorable-devices trick. Time will tell.

• Time Machine is great in theory but in practice slow and beastly. Not that there's anything fundamentally wrong with Time Machine itself; rather that the process of writing out vast amounts of data and keeping track of the versioning and snapshots put a lot of overhead on a system - overhead that APFS will *drastically* reduce.

• APFS volumes will be shareable on a network via SMB and NFS. AFP over TCP is done, period. It's due for retirement, and I hope it gets a gold watch and a hearty handshake and enjoys its twilight years. It's earned it. Of course, that now means that if you're implementing a new Mac Server then you should probably give a lot of careful thought to your client machines and what OS they should be running; doubling down on SMB is great, but history has shown that differences in the implementation of the SMB stack between client and server machines have occasionally proven problematic - which is a nice way of saying that it can be slow and broken and hateful.

Those are (so far) my major takeaways from APFS. It's an update that I think is likely to change a lot of important professional/prosumer system designs in a lot of unglamorous but pretty essential ways - but it's way overdue and absolutely worth embracing...

SIP

I love my Tesla Model S. It's a fabulous car and there are many fabulous and ultimately very boring things that I could say about it. It's fast and quiet and makes you feel like you're sitting in the captain's chair of the USS Enterprise every time you get into the thing on your way to work in the morning. It has many commendable features, but after driving the thing for the better part of two years I've come to the realization that the main problem with the whole man-Tesla symbiotic relationship is that I am, in fact, an idiot.

This manifests itself in many ways, but most of them boil down to some variation on the theme of Oh-No-Where-Are-The-Damn-Keys. You see, as long as you have the keys somewhere about your person then you're able to waltz up to the driver's door and it'll unlock itself and let you in and away you go. However, when you get out of the car you need to push a button on the fob to lock up, which in my case results in a frantic patting of pockets, examining of bags, and occasional spelunking with a flashlight in the darker recesses of the cabin.

Systems and security are only good to a point, and that point is the one at which they're actually both useful and usable.

A couple of years ago Apple came up with the bright idea of SIP (System Integrity Protection), which scored lots of points on the useful scale but not so much on the usable side. SIP locked off access to a slew of places on your Mac that could ostensibly be targets for malicious code, and while the whole thing was a little Big-Brothery it was an undeniably good idea. If you wanted to circumvent it then you could do so relatively simply using the healing power of a relevant Google search, but it probably provided a lot of solid protection for a huge percentage of people who weren't going to fiddle around with the plumbing of their computers and who probably didn't even notice it was there. Like the whole Tesla key thing, it was a little frustrating but demonstrably pretty cool, and you took the former for the sake of the latter.

Which is why it's peculiar that it now--as of macOS Sierra--seems to be switched off by default. Don't believe me? Go on. Try firing up the Terminal and banging in "csrutil status" and see what you end up with.

SIP is a great doorlock, but leaving it wide open by default is at best puzzling and at worst unconscionable...

Things I Do Not Like About macOS - Get Off My Lawn Edition #443

Two things.

Thing one? This is the default setting in Finder Preferences:

That's right. Anything you leave in your Trash for more than thirty days will be deleted. By default. Good and responsible people always empty their trash on a regular basis, just as they brush their teeth after every meal and rotate their tires every ten thousand miles. Meanwhile, the rest of us chuck things out on a haphazard basis and then empty the thing out whenever guilt and self-loathing dictate we're supposed to. Most of the time that's just fine--after all, we pretty much all have massive internal storage with tons of space--so no harm, no foul. We don't, however, need our computers to do that kind of thing for us. If I had a nickel for every document, screenshot, or .gif of a kitten having its belly scratched that I'd thrown away and then decided I needed a couple of months later I'd have... okay, well, probably only about thirty-five cents. But you get my point. It's great to have options, but not to have them shoved down your throat by default.

Secondly, the Calendar.app in Sierra seems to be mysteriously unable to search anything back past October 2014. Either on Google Apps, Exchange, or CalDAV servers. It's not a Spotlight issue, and it's not something that happens on El Capitan and back. Ostensibly there's a bug fix in the works, but until that makes a tangible appearance then you'll find me alternately glowering at my calendar or shaking my angry fists at a brooding and silent sky.

Airpods (or "Why Should I Pay A Hundred and Sixty Bucks for Wireless Headphones That Will Fall Out Of My Ears")

Today was Apple's big Fall 2016 New Product Introduction and Pancake Breakfast Jamboree. As is traditional, we got treats and surprises that are no less welcome for being predictable and indicative of solid - if relatively unremarkable - innovation.

The Watch got an update to make it officially waterproof (as opposed to being unofficially waterproof) and it got a GPS chip, a brighter screen, and a faster processor. Great. I love my Apple Watch dearly because it's an extremely useful adjunct to my iPhone 6 - which on a very practical level is pretty much my default computer these days.

The iPhone 7 was introduced to a public that had known about it for weeks if not months in advance. To be honest, I didn't pay a lot of attention to the specs, so I'm going to play it safe and say that we probably got new colors, a better camera, more powerful processor and more storage. Oh, and a design tweak so that it doesn't look like the 6s.

Much ballyhoo has been made of the lack of a headphone jack, and I'd really hoped for some nice wireless headphones in the box. Nothing exorbitant; I have a few pairs of cheap Bluetooth headphones that are solid and dependable and have excellent audio quality and battery life. I think they cost me about $15 a pair on special at Amazon. That would have been great. Instead, we got these:

...for $159.

This in itself would be okay with me - after all, there are plenty of fancy Bluetooth earbuds out there that are cheerfully in that price range, and these do feature some nice Siri integration and probably sound very nice indeed. Plus, there's a charging carry case for them that could be very handy. No, what I'm peeved about is what's missing; to wit - a wire connecting one to the other.

Let me explain. Apple thinks that everyone has a head like this:

Observe, if you will, the classical profile and proportional elegance of the noggin. This model has ears that can cheerfully accommodate the squished grape shape of the Airbuds/Apple Headphones, which are designed to fit snugly into your ear canal without any of those tacky silicone bits that other folks put on the outside. Where this all falls apart is when you're dealing with people like me, who have enormous, ungainly ears. If I put Apple headphones into my ears I can get about four steps without the things falling out, and the only way I can get them to stay is by corkscrewing them so deep into my ear canal that I run the risk of some kind of internal cranial bleed. 

Now, the falling-out-of-your-ear thing is a constant issue, but not really too bad considering that A) my super-cheap earphones have silicone tips which greatly ameliorate the problem and B) they're joined by a wire so if one falls out then it's not going to bounce away across the floor never to be seen again. Also, they cost $15. Meanwhile, the AirPods cost ten times as much, and if one of them falls out while I'm running/walking/mucking horses then I'm willing to bet that that'll be $159 I won't see again...

Two Step Verification and Two Factor Authentication

Two-step verification on the Mac has been a thing for a while now. It's a solid level of protection for your Apple ID that requires you to enter a code when accessing your Apple ID account information, signing into iCloud on a new device, using a service like FaceTime or making a purchase at the App Store or iTunes using a new device.

The process is fairly simple; simply go to your Apple ID account page and choose "Get Started" under "Two Step Verification". You'll be asked to register one or more devices as trusted devices that can receive SMS messages and you'll be given a recovery key that you should keep in a safe place in case you ever lose access to those trusted devices.

When you want to do/access one of the protected services then an SMS gets sent to your trusted device. If I want to sign into iCloud on a new iPad then I'll plug in my iCloud password and the four-digit code that gets sent to my trusted device (i.e., my iPhone). It's a simple and intelligent way to strengthen security; unless you have my iCloud password, my iPhone and/or the recovery key then you're out of luck.

So, two-step verification is awesome. What could be better than that? Enter Two-Factor Authentication.

On the face of it the whole Two-Factor/Two-Step thing looks like a semantic difference. In both cases you're trying to access a service on a device and using an authorized device to enable that. What, in so many words, is the big deal?

Two-Factor is an upgrade that came with iOS 9 and El Capitan, and it utilizes a lot of the security upgrades that came with those two OSes. Instead of pushing a four-digit verification code to one SMS-specific device, it pushes a six-digit code to all of your authorized devices; further, it pushes the geographical location of the request to those devices (although that doesn't seem to play nice if you're using a VPN service). It's a streamlined approach that ditches recovery keys and puts paid to app-specific passwords for anything that isn't an incompatible service.

Turning it on can be done in either iOS 9 (although the process seems to be broken in iOS 10 beta) by navigating to the iCloud System Preference pane, hitting "Account Details", then choosing the option from "Security".

These kinds of things are not panaceas, and reasonable caution is the piece of the puzzle that you have to engage in; however, Two-Step and Two-Factor authentication are an excellent protection for your AppleID and devices (provided you don't write your AppleID and user passwords down on a sticky note on your iMac and leave them unattended...)

Per-App Cellular settings

Quick/useful post (hopefully).

I have a friend - let's call him David because that is in fact his name - who dabbles in iOS app development. As we've been friends for about thirty years or so I often gamely volunteer to test out whatever he's working on. Not every app actually makes it all the way to completion (and even then only a couple have made their way to the App Store), largely because he has another actual job and has the kind of work ethic that would make Thomas Edison look like he was just phoning it in every day.

iOS is great about memory management and graceful resource use on well-written apps. It's not so great when you're running a very rough approximation of an app, and your battery life and cellular data bill can reflect that accordingly. Quitting an app in iOS isn't a big deal, but it can be advantageous to prevent an app from using Cellular data. It takes a little digging around, but can be done thus:

First fire up the Settings app:

...then scroll down and selectively turn on/off cellular data for each app:

Et Voila! My friend's apps are way down the list and not revealed (to protect the innocent and also myself from the endless barrage of abuse that he'd doubtless hurl at me), but since tweaking those settings I've noticed some appreciable bumps in battery life that have made my role as a test subject a little easier...