Fantastical 2 for Mac (Beautiful Pixels Review)

I love Fantastical for iOS and the new Fantastical 2 for OS X somewhat ironically manages to gracefully bring the small-screen experience of Fantastical to OS X terms. Calendar and Reminders on OS X are not weak spots compared to others (Contacts, for example), yet I quickly fell in love with Fantastical in under 60 minutes before buying it in the App Store.

Beautiful Pixels has a good write-up that covers some of the finer points of Fantastical, especially the language processing that makes creating appointments so much easier:

Fantastical’s biggest feature in its iOS and Mac apps has been its Natural Language Parser (NLP) that lets you create new entries using common language. This has been greatly improved in this release, letting you enter strings like, “Remind me to Pay the Credit Card Bill on the 4th saturday of every month” and Fantastical 2 will know exactly what you want to be scheduled. There’s better support for iCloud reminders as well in this release, as Fantastical 2 lets you view your events and reminders together in a single list.

Fantastical 2 for Mac – Beautiful Pixels.

32 Flavours and Then Some

Flavours is a Mac application that allows users to create, apply and share beautifully designed themes.

Years ago there was the Mac OS Appearance Manager in Mac OS 8 and 9, and then Shapeshifter for Mac OS X. Each of these allowed users to customize the Mac user interface by altering the appearance of window decorations, widgets, and colors for the purpose of changing the theme of their Mac. The Shapeshifter project fell by the wayside and there ceased to be a reliable way to manage the appearance of OS X, until recently.

It’s a little fiddly in that you can spend a lot of time browsing themes, and a bit of a time-sink for sure, but there are some beautiful themes ready for your Mac. It probably won’t make you more productive, unless there are certain elements that you find infuriating about OS X that can be solved with paint. For support, I’ve found their support person (Nuno) to be very responsive and quick to respond to any bugs, the last of which that affected me was resolved this week with the release of version 1.0.9.

The changes Flavours makes are purely cosmetic, but in spite of that, it was money well spent; there are dozens upon dozens, damn near hundreds, of contributed themes already available, and they are available free of charge! There are some real gems in there too.

Thank you for Flavours, and well done, Pedro and Nuno. I’ve had a lot of fun with your software and am really happy to see you two take up this project, and the Theme Shop is especially well executed.

videomerge.sh

In the process of encoding my LaserDiscs of the theatrical releases of the original Star Wars trilogy, I’ve ended up with multiple files for each film. This is because back in my day, there was no Blu-ray or DVD and a LaserDisc can only accommodate 30-45 minutes each side.

For my co-host and those under the age of 30: Yes, we flipped a movie over periodically to continue watching it. The 1% had their “auto flip” LD players that had a laser that could play both sides without such vulgar measures, but most of us flipped.

In the case of the Holy Trinity, this is really ugly because there are three “sides” for each of the original releases, so you’ll end up with three files that you’ve encoded. Now how to gracefully get them all into one file without using really stupid workarounds?

You’ll need a script (below) and mencoder, which you can build from source or get binaries for at the mencoder download page. Ensure mencoder is in your $PATH, make this script executable, and merge your treasured videos into a single file.

Transmit and S3

Panic Software’s Transmit is a great Mac OS X FTP/SFTP client for sure, but I usually use the terminal for such things.

And then I noticed that they support Amazon S3 and sshfs-style filesystem mounting of every supported service. That’s pretty great. Still wish there was a good OS X GUI for duplicity though. That’s some good software.

launchd and Unison

I need to polish these up a bit before sharing, but I have a couple of little scripts that monitor my Documents directory and my .dotfiles directory and keep them in sync with the NAS at my house.

Yes, synced, not archived. This means if I change a file in ~/Documents on my MacBook Air, it magically appears in ~/Documents on my desktop Mac at home.

I’m quite pleased with myself as you may imagine.

PhoneView

Whole Disk Encryption and the dscl password bug in OS X

There has been some lively discussion at MacInTouch about a problem with Lion systems and being able to change the password of a user without verification via dscl(1), and what that means, and I’ve attempted to explain it.

I submitted this as a Reader Report but am archiving here as well.

Gregory Tetrault writes:

Lion’s whole disk encryption feature has a password-related security flaw that should be fixed ASAP.

Not at all.

From the article:

Key phrase is “currently logged in user”. You must be an authenticated user of the target system in order to leverage this type of attack. WDE is already invalidated at that point.

I dated in high school, what does this mean?

For the non-nerds out there who are wondering what we’re talking about:

When you log in to a Lion system running FileVault 2 WDE (whole-disk encryption), it uses your password and then opens the encrypted volume. You have to authenticate by logging in to do that.

Upon entering your own private Groundhog Day where Lion dutifully resumes your previous session and your home directory is available and your Farmville animals or Malcontent Avians are waiting for you, you have unlocked the whole-disk encryption. That encrypted volume (courtesy of the new Core Storage logical volume manager technology in Lion) has been mounted.

This means you have already unlocked the disk and already have access to the filesystem. Once you are logged in to a Lion system using FileVault 2’s WDE, you have unlocked the disk.

So at that point, you can leverage this bug/flaw what-have-you and dump hashes for other users of your Mac to crack later, or change the password on your account without knowing what it is. This would allow someone else to then log in with the password they have changed it to, BUT it requires them to have access to an active session with you logged in.

This doesn’t mean strangers can access your Mac if they steal it. It means if you are successfully logged in, you can change your password without knowing what it is.

Mitigation

Log out or shut down. Your disk isn’t locked unless you’re not holding it open. Once you’re logged in, any process can access the filesystem limited only by ACLs and file permissions. It is encrypted on-disk but the volume you open upon login is the unencrypted creamy center.

The real danger

The real threat or attack vector this presents is this:

  • Malicious software that you install (MacDefender) and provide your credentials to can then change your password and use that to escalate privileges via UNIX sorcery (i.e. sudo(8)) and do bad things without knowing your password because it can change it to something else, then use that to become the super-user with full permissions to do everything. This is a serious problem.
  • Unpatched and vulnerable software such as your Flash Player you haven’t updated since the Bush administration can be manipulated into executing code without you knowing about it. This is also a problem because it can do the same thing mentioned above — force super-user by forcing a password and then doing whatever they want.

When you read a vulnerability notice or security bulletin and see the phrase “execute arbitrary code”, that means “feed whatever malicious software we want onto the system”, and that is precisely what can happen on your Mac if you install software that is malicious (like MacDefender) or when you have exploitable software on your Mac.

How can I stay safe?

“Gosh, Emory, I want to be sure my browser isn’t back-stabbing me every time I play the Facebooks!”

Well you’re in luck! You can use a tool like the Qualys Browser Check[1] to ensure your plugins are all up-to-date.

If they’re not current, they’re likely vulnerable, and you’re leaving yourself open to miscreants and villains.

Staying current on software patches isn’t just for the enterprise. The majority of compromised systems on the Internet are small business and residential home users.

FWIW I strongly recommend (to everyone that listens) that if you aren’t going to stop using Adobe Flash entirely, remove every instance of it from your Mac (Internet Plug-ins folders in /Library and ~/Library) and install Google Chrome and use that for Flash sites. Google does a much better job than you do at keeping the Flash plugin current. Certainly better than Adobe does at any rate.

Hopefully I have managed to avoid the rage of my fellow neck-beards in the nerdery while still explaining the situation to others. It isn’t the end of the world; you do, however, need to follow best practices.

Log out when not in use. Require passwords. Disable auto-login. Install patches regularly. Practice good hygiene.
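
The checklist above and the Flash clean-up can be checked from Terminal. This is an added example, not a script from the original post: the function names and the DEFAULTS_CMD override are hypothetical, and it assumes the standard loginwindow `autoLoginUser` and screensaver `askForPassword` preference keys.

```shell
#!/bin/sh
# Added example: audit auto-login, screen lock and leftover Flash plug-ins.
# DEFAULTS_CMD is a hypothetical override so the checks can be exercised
# with a stand-in for the macOS `defaults` tool.
DEFAULTS_CMD=${DEFAULTS_CMD:-defaults}

# Print the auto-login account and return 0 if auto-login is enabled.
autologin_user() {
    "$DEFAULTS_CMD" read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null
}

# Return 0 if a password is required after sleep or the screen saver.
# Assumption: the per-user askForPassword key is set to 1 when enabled.
screen_lock_required() {
    [ "$("$DEFAULTS_CMD" read com.apple.screensaver askForPassword 2>/dev/null)" = "1" ]
}

# Print every Flash plug-in found under the given Library roots.
find_flash_plugins() {
    for root in "$@"; do
        dir="$root/Internet Plug-Ins"
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 \( -name 'Flash Player.plugin' -o -name 'flashplayer.xpt' \) -print
    done
}

# Run all checks on the given Library roots; return the number of findings.
audit() {
    findings=0
    if user=$(autologin_user); then
        echo "FAIL auto-login is enabled for: $user"; findings=$((findings + 1))
    fi
    if ! screen_lock_required; then
        echo "FAIL no password required after sleep or screen saver"; findings=$((findings + 1))
    fi
    plugins=$(find_flash_plugins "$@")
    if [ -n "$plugins" ]; then
        echo "FAIL Flash plug-in still installed:"; echo "$plugins"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK all checks passed"
    return "$findings"
}

# Only run automatically on macOS, where `defaults` exists.
if [ "$(uname -s)" = "Darwin" ]; then
    audit /Library "$HOME/Library" || echo "$? finding(s)"
fi
```
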

[1] https://browsercheck.qualys.com/