Upgrade the memory of your 2020 iMac up to 128GB

Reader Comment: macOS Ventura Fails to Mount Camera Cards For Some

re: Apple Core Rot
re: The Anxiety Inducing Experience of Updating macOS Monterey

I have run macOS Ventura so far only in a Parallels virtual machine, so I cannot confirm. No way I am installing this new Apple crapware “upgrade” on any of my machines. Any company that releases a major OS update on a calendar schedule is by definition irresponsible; it’s not possible to do so with quality.

MacOS Monterey is now reasonably stable, so it’s OK for most users.

Professionals or those who rely on their Macs for getting work done should:
(1) Always “upgrade” a test system first and thoroughly test it, never the primary machine;
(2) Delay a minimum of 6 months before attempting to “upgrade”.

Reader Jack Z writes:

I've upgraded from the Ventura 13.1, which killed the QNAP External RAID manager, to 13.2 hoping they fixed the bug, and now it doesn't mount the CF and SD cards. The Disk Utility doesn't see them either, so I can't download any files. Only the CFExpress B cards are working.

Is there a Terminal command to mount those cards?

I find each new macOS release worse than its predecessor, invasive, with annoying and nagging prompts to sign in to iCloud, which I wouldn't touch, and with zero respect for user privacy.

I tried everything: verified cards & readers using 3 different OS (Ventura, Snow Leopard, Ubuntu) and everything works on the other systems but Ventura. 

The CF and SD cards NEVER mount, under any conditions, on the Ventura 13.2 and the Disk Utility doesn't see them either, even after formatting in the camera. Only the CFEx cards work.

I think they lost control over this 15GB monster and badly need the "Vista moment" to wake up.

UPDATE: Jan 31 2023: looks like some weird security issue, according to Jack Z:

Required schlepping the box to the store, to clear the highest level of security lock, and authorization from Apple.

I'll be unable to verify if the CF & SD cards fail to mount under the Ventura 13.2. The Apple Store in my location uses the Big Sur which I also requested to be installed.  I didn't feel I was ready for more ventures like this after proposed re-installation of Ventura.

MPG: for a long time now, inserting camera cards while the machine is logged-out or sleeping would mean the cards never, ever mount. The solution to that is to remove and reinsert. But what is reported above is far worse, unworkable in fact.

As for Terminal, that gets hairy with /dev/disk* devices and more, and it may be that the OS doesn’t even show the cards at the /dev/disk level either.
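To make the Terminal angle concrete, here is an added example (not from the original post, and not a diglloyd tool) that parses the output of `diskutil list` and `mount` and reports card volumes that the OS lists at the /dev/disk level but has not mounted, along with the `diskutil mount` command for each. The sample output embedded below is constructed for the demo, not captured from Jack Z’s machine; on a real Mac you would feed it the actual output of those two commands.

```python
import re
import sys

# Constructed sample of `diskutil list` output (not captured from any real Mac):
# the internal SSD plus one external card reader whose FAT volume the OS does
# see at the /dev/disk level.
SAMPLE_DISKUTIL_LIST = """\
/dev/disk0 (internal, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 TB     disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         1.0 TB     disk0s2

/dev/disk4 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *64.1 GB    disk4
   1:             Windows_FAT_32 EOS_DIGITAL             64.1 GB    disk4s1
"""

# Constructed sample of `mount` output: only the boot volume is mounted.
SAMPLE_MOUNT = """\
/dev/disk1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
"""

DISK_HEADER = re.compile(r"^/dev/(disk\d+) \(([^)]*)\):")
PART_LINE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+(.*?)\s*(\*?\d+(?:\.\d+)?\s[KMGTP]B)\s+(disk\d+(?:s\d+)?)\s*$")
MOUNT_LINE = re.compile(r"^/dev/(disk\d+s\d+) on (\S+) ")


def parse_diskutil_list(text):
    """Return {disk id: {"external": bool, "partitions": [{"id", "type", "name"}]}}.
    Row 0 of each disk is the partition scheme, not a volume, so it is skipped."""
    disks, current = {}, None
    for line in text.splitlines():
        header = DISK_HEADER.match(line)
        if header:
            current = disks.setdefault(
                header.group(1),
                {"external": "external" in header.group(2), "partitions": []})
            continue
        row = PART_LINE.match(line)
        if row and current is not None and row.group(1) != "0":
            current["partitions"].append(
                {"id": row.group(5), "type": row.group(2), "name": row.group(3).strip()})
    return disks


def parse_mounts(text):
    """Map mounted diskNsM identifiers to their mount points."""
    return {m.group(1): m.group(2) for m in map(MOUNT_LINE.match, text.splitlines()) if m}


def unmounted_external_volumes(diskutil_text, mount_text):
    """Volumes on external disks that the kernel enumerated but that are not mounted,
    with the diskutil command that would mount each one."""
    mounted = parse_mounts(mount_text)
    found = []
    for disk in parse_diskutil_list(diskutil_text).values():
        if not disk["external"]:
            continue
        for part in disk["partitions"]:
            if part["id"] not in mounted:
                found.append((part["id"], part["name"], f"diskutil mount {part['id']}"))
    return found


def diagnose(diskutil_text, mount_text):
    """One-line verdict: a card that is absent at the /dev/disk level (the case MPG
    describes) is distinguishable from one that is present but simply not mounted."""
    disks = parse_diskutil_list(diskutil_text)
    if not any(d["external"] for d in disks.values()):
        return "no external disk enumerated: the card is not visible at the /dev/disk level"
    pending = unmounted_external_volumes(diskutil_text, mount_text)
    if not pending:
        return "all external volumes are mounted"
    return "unmounted external volumes: " + ", ".join(f"{i} ({n})" for i, n, _ in pending)


if __name__ == "__main__":
    # On a Mac: python3 this.py <(diskutil list) <(mount); with no arguments the samples run.
    if len(sys.argv) == 3:
        du, mo = (open(p).read() for p in sys.argv[1:3])
    else:
        du, mo = SAMPLE_DISKUTIL_LIST, SAMPLE_MOUNT
    print(diagnose(du, mo))
    for _, _, cmd in unmounted_external_volumes(du, mo):
        print("  try:", cmd)
```

If `diagnose` reports that no external disk is enumerated at all, no mount command will help: the reader or card is not being seen by the kernel, which matches the "Disk Utility doesn't see them either" symptom above.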

I agree on the last points. MacOS is degenerating into an impudent and disrespectful dilettante operating system. I first noticed this about 9 years ago, and the trend is only worsening.

Reader Peter J writes:

I have been a long time reader of your blog and find it insightful and helpful. Your observations concerning the depressingly poor quality of current Apple software products are indeed very sad. The idea that a product should not be delivered until it works, rather than aiming for a specific time for a release irrespective of the state of the software, has indeed resulted in some significant fails.

With respect to this observation that SD etc. cards do not mount with Ventura (I am using 13.2) I would like to point out that it works flawlessly on all my machines: 2020 i9 27” iMac, 2017 i7 27” iMac, 24” M1 iMac, 2019 i9 16” MBPro, M2 MBA, M1 Max MBPro (internal and external reader).

I use the ProGrade card reader and a USB C connection, just in case that makes a difference. I have seen issues with some of the Sony readers at times and wonder whether this might not be part of the problem. Note that I use SD cards and CFExpress type B cards exclusively.

I am not sure whether this helps but it does show that the problem is not endemic. 

MPG: good to know. The failures cited by Jack Z might involve some specific situation, e.g. the card reader or similar.


The Anxiety Inducing Experience of Updating macOS Monterey

re: Apple Core Rot

I ran the macOS Monterey 12.6.3 updater tonight, on my 2019 Mac Pro.

OMG, what a horrible experience!

The machine powered on/off 30 times or so, rebooted umpteen times, etc. I thought it was in an infinite crash-reboot cycle. My phone (plugged in) was bonging on and off dozens of times as the Mac Pro powered off/on over and over.

It made me physically tense to think that my main work machine looked like 'toast'. I bet my blood pressure rose 20 points just watching this Apple clusterf*ck in progress.

It took so long that I thought my machine was bricked. I was ready to pull the power cord. But in the end after maybe 40 minutes, the Mac Pro finally booted up one last time.

All this for a 0.0.1 update from 12.6.2 to 12.6.3. WTF.

Who designs this shitty experience? No progress, no status, no nothing. It just looks like a machine that is a goner. You have to sit there and hope like hell that it’s all going to work out.

Apple and their engineering suck these days. There is never any pleasure in the experience of some new and useful feature. Invariably it is something worse, something degraded, something made stupider than ever, or some new security theatre “feature” that makes getting anything done hard or outright breaks stuff. Like all the warnings popping up that my installed kernel extensions would all be incompatible soon.

Don H writes:

I know your latest entry at MPG might seem like a mere gripe, but it reminds me of what to expect when I eventually upgrade my own machine. I’m still sitting on 12.6.2 and got an update nag this morning.

I had forgotten how far into the realms of voodoo we have drifted with this process (made even worse with Apple Silicon machines that took away the option of at least following the progress of verbose boot messages). So when I install the update I’ll be sure to do so when I have no expectations of using the machine for an indefinite period while MacOS lapses in and out of its self-induced comas.

...

Regardless of speed, the complete lack of progress indicators remains concerning, to say the least. I remember in some previous software install the screen remained black for what seemed like an hour, so finally I did a hard shutdown expecting that I would have to perform all sorts of remedial work when I got it booted again. Instead, the Mac simply started up and there was no shutdown alert and the update seemed to install fine. I have no idea if I happened to kill it just as it was about to shut down itself, or if it was hung in some unknown state after a successful install but would have sat there indefinitely with a blank screen.

And as I said, the new M* [Apple Silicon] Macs don’t allow any kind of verbose booting so you can’t even see where it might be hung. “Trust us” is the best that Apple has to offer these days.

MPG: it’s a gripe for sure, but a legitimate one when you understand my recent experience—the macOS Monterey update bricked my 2019 iMac 5K back in October while 1000 miles from home. Only because I had a fully bootable clone of macOS Mojave could I recover without having my iMac be a useless paperweight for the next 5 weeks of my trip. That experience was fresh in my mind.

BTW, if your car fails to start until it warms up for an hour in the sun, is that a gripe? Same class of worry/concern. I think it is a legitimate criticism of a very poor user experience. But I won’t argue with anyone who thinks that indeterminate failure-like operation of anything is just peachy (not that Don H is doing that).

I am not certain, but it seems that the 2019 iMac Pro takes longer and takes more reboots than prior Macs. Maybe the update is faster/cleaner on older Macs? Or maybe it’s just a false impression.


IntegrityChecker (icj) Java Release 3.0 fc9

re: IntegrityChecker Java
re: data integrity

See previous notes on IntegrityChecker 3.0. IntegrityChecker Java supports Mac, Windows, Linux, etc—anything with Java, an unrivalled cross-platform data integrity solution.

Get IntegrityChecker Java

No photographer or videographer or other professional should be operating without data integrity validation. Whether bit rot or malware or software bugs or hardware problems, can you afford to remain unaware of data corruption?
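The kind of validation that paragraph calls for, as an added example: this is not IntegrityChecker’s code and makes no claim about its file formats; it is a small stand-alone script that records a SHA-512 manifest for a folder tree, then offers a cheap "status" pass (size and date only) and an expensive "verify" pass (rehash everything). The demo scenario it builds is constructed: one file has a single byte flipped with its size and modification time preserved, which is exactly the bit-rot case that a date/size check cannot see and a hash check does.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large media files never load into RAM


def sha512_file(path):
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        manifest[path.relative_to(root).as_posix()] = {
            "sha512": sha512_file(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return manifest


def status(root, manifest):
    """Cheap pass: report new, size/date-changed and missing files without hashing."""
    root = Path(root)
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    report = {"new": sorted(set(present) - set(manifest)), "changed": [], "missing": []}
    for rel, entry in manifest.items():
        path = present.get(rel)
        if path is None:
            report["missing"].append(rel)
        else:
            st = path.stat()
            if st.st_size != entry["size"] or st.st_mtime_ns != entry["mtime_ns"]:
                report["changed"].append(rel)
    return report


def verify(root, manifest):
    """Expensive pass: rehash every recorded file. A mismatch on a file whose size and
    date are unchanged is silent corruption (bit rot, a bad cable, a buggy driver)."""
    root = Path(root)
    bad = []
    for rel, entry in manifest.items():
        path = root / rel
        if not path.is_file():
            bad.append((rel, "missing"))
        elif sha512_file(path) != entry["sha512"]:
            bad.append((rel, "hash mismatch"))
    return bad


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: hash a small tree, flip one byte in a file while restoring
    its modification time, add a new file, then run both passes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "photos"
        (root / "raw").mkdir(parents=True)
        target = root / "raw" / "IMG_0001.CR3"
        target.write_bytes(bytes(range(256)) * 16)
        (root / "notes.txt").write_text("exposure notes\n")
        save_manifest(build_manifest(root), Path(tmp) / "manifest.json")

        st = target.stat()
        with open(target, "r+b") as f:  # corrupt one byte in place; size stays the same
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0x01]))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # hide it from a date check
        (root / "new.txt").write_text("added later\n")

        manifest = load_manifest(Path(tmp) / "manifest.json")
        return status(root, manifest), verify(root, manifest)


if __name__ == "__main__":
    status_report, verify_report = demo()
    print("status:", status_report)   # sees only the new file
    print("verify:", verify_report)   # catches the flipped byte
```

The point of keeping two passes is cost: a status pass over terabytes of photos takes seconds, a full verify takes hours, so the cheap pass runs often and the hash pass runs on a schedule and before backups are trusted.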

icj version 3.0fc9 (version 3.0, final candidate 9)

Tested and working on macOS Ventura. Download page for existing customers.

  • 2023-01-22 Fixed bug where if a folder entry for the top level folder in an icjh file lacked an ID, then the hierarchy could not be processed.
  • 2023-01-11 Fixed ANOMALY_REAL_PATH_UNEXPECTEDLY_DIFFERS message occurring when a change in capitalization occurred for a file. An ANOMALY_FILENAME_CHANGED_CASE is now issued instead, and an 'update' will record the correct file name in both the icjh file and the xattr for the file.
  • 2023-01-10 Fixed bug when 64-bit file IDs (inode values) exceeding 32 bits of actual value could not be handled.
  • 2022-10-14 Fixed bug in which @os_ directive was not reset after every prefs section. This bug's effect would "bleed" the previous @os_ directive into the subsequent prefs section. Platform/os scoping is now reset prior to processing any prefs group.
  • 2022-10-14 modified certain prefs patterns for macOS to not use /Users/ portion, so that if home dir is backed-up the patterns still apply.
  • 2022-09-22 Fixed installer bug that failed to copy over current icj_prefs.txt
  • 2022-09-22 Modified installer to save icj version 2 into icj2/
  • 2022-09-21 Fixed assertion in assignIDsIfAbsentOrIncorrect() that occurred with oddball cases of not finding file info.
  • 2022-09-21 Fixed erroneous error count and non-writable file reporting when the files in question do not exist.
# icj 3.0fc9 2023-01-22 11:20
# (c)2022 DIGLLOYD INC. All Rights Reserved. Valid license required.  https://diglloydtools.com
# 2022-09-18 20:28:39 USER=lloyd HOME=/Users/lloyd OS=macOS i386 12.5.1 JAVA=18.0.2.1

Available commands:
  verify      verify hash values
              options: --optimize=HDD|SSD --threads=num --iterations=num
  status      summarize files that are new, or of changed size or date
              options: --ignored
  update      update new and date/size changed files, forget missing items
              options: --save=prompt|yes|no --hmode=icjh|both --optimize=HDD|SSD --threads=num
  update-all  update hash values for all files, whether or not they already have hashes
              options: --save=prompt|yes|no --hmode=icjh|both --optimize=HDD|SSD --threads=num
  update-new  update only files lacking hash values
              options: --save=prompt|yes|no --hmode=icjh|both --optimize=HDD|SSD --threads=num
  sync        syncs hash info to com.diglloyd.icj.HashInfo file attribute
              options: --kind=all|missing|existing --save=prompt|yes|no
  clean       remove hash data files and/or remove file/folder extended attributes
              options: --kind=ic|icj|icjh|all|attr
  compare     compares two folders for equality
  dupes       show duplicate files, emit remove or cloning commands
              options: --size=size --types=type[,type]* --emit=rm|clone|symlink|nop
  empty       show empty files
  info        show any combination of empty, non-writable, size/distribution, hard links, dates
              options: --kind=all|empty|nowrite|dist|hard|dates
  prefs       open preferences eg open ~/.icj_prefs
  matches     show globbing matches
              options: --kind=all|files|folders|hier|attr
  sha         test hashing speed
              options: --size=size --repeat=num --sha=SHA-512|SHA1
  version     display the version and other information
  help        show help summary, or show help for specific command eg 'help verify'

Options that apply to more than one command:
  --optimize HDD|SSD
  --threads num
  --purge                  # unix only, requires sudo
  --attr                   enable extended attribute usage if available
  --noattr                 disable extended attribute usage
  --output normal|verbose|debug|terse

Manual at https://diglloydtools.com/manual/IntegrityCheckerJava.html


Apple MacBook Pro M2 Max

re: Apple MacBook Pro
re: Apple Silicon

If I can get a loaner, I will review the new Apple MacBook Pro M2 Max.

There is a lot to like with the Apple MacBook Pro M2 Max, price excepted, which will keep me from buying one anytime soon.

2023 Apple MacBook Pro M2 Max

The key features that I value as a photographer are:

  • Desktop replacement — while my 2019 Mac Pro with 384GB memory and 24TB internal SSD is darn nice, I pine for more processing power. I would actually consider hooking up my two displays to the MacBook Pro M2 Max as a desktop replacement, just so I could have one computer for home and travel combined. It would raise the issue of a larger display for travel in my Sprinter van, but I have a solution in mind.
  • Memory — unprecedented, at least for a Mac laptop, is the option of up to 96GB. This makes working with my large Photoshop files, focus stacking, etc much more viable than 64GB (my minimum RAM for a desktop is 128GB). The unified memory system of the Apple Silicon chips suggests that 96GB will get my jobs done 98% of the time without running short, whereas 64GB was iffy.
  • CPU cores — only eight performance cores is not ideal, but adequate (the 4 efficiency cores are mostly worthless for intensive work). And maybe the M2 Max will do well enough that it is like 10 performance cores of the M1 Max. Past testing of the Apple Mac Studio shows that 16 performance cores is substantially better than the 8 performance cores of the MacBook Pro M1 Max, but I could live with the compromise since in most cases those cores outperform my 2019 Mac Pro. Apple claims 20% faster performance than the M1 Max, which at best means those 8 cores are equivalent to 9.6 M1 Max cores—pretty good.
  • 8K HDMI 2.1 port — don’t have an 8K display, and I am not a fan of HDMI vs DisplayPort/Thunderbolt, but it means there is a way to get an ultra high resolution display attached. Of which there are very few available as yet, but it’s coming.

Yawners

For some these might be meaningful. Not to me.

  • Long battery life — for travel especially this seems pretty awesome — 22 hours nominal life... except in my Sprinter van it has no value, since I’ll need a dock and external display running off AC power anyway.
  • WiFi/Bluetooth — improved/faster = nil value in practical terms unless really more reliable.

Disappointments

There isn’t much to criticize since the feature set and capabilities of the MacBook Pro M2 Max far exceed that of most desktop computers. It’s mainly about what you can plug in (or can't) and the hassles that creates.

Having only three Thunderbolt/USB ports means the practical need for the OWC Thunderbolt Go Dock or at least the OWC USB-C Travel Dock E to be able to plug in things like card readers, external SSDs for backup, etc. Increases complexity and the crap one has to carry when traveling.

The cost of (non-upgradeable) Apple memory and SSD remains extremely high. And you are forced to buy the high-end M2 Max CPU in order to get to 96GB memory.

But at least for the SSD, there are cost effective high performance solutions, such as the OWC Envoy Pro SX and OWC Envoy Pro EX USB-C up to 8TB, perfect for clone backups of the internal SSD, or for additional storage. By all means if cost is not an issue or it’s your only system, go for the internal 8TB SSD. Otherwise the 4TB internal SSD buys you enough savings for two external 4TB SSDs.

B&H Photo will have most configurations available within a few weeks. THANK YOU for ordering through these links.

One Strong Reason (Literally!) that 1Password is the Best Choice for a Password Manager for most of us

re: security
re: 1Password
re: How to Create a Password System You Can Live With

Reader Christopher C writes:

After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness — something I hadn’t thought through previously.

MPG: I hadn’t realized how incompetent some password managers are, like LastPass. OMG.

I worked in security (encryption, Pretty Good Privacy aka PGP) years ago as an engineering manager, so I consider myself competent in evaluating the general security approach of a product*, and it sure looks like 1Password does things right.

It had not crossed my mind that some companies would be so incompetent and careless as to not use the secret key approach that 1Password uses. There are a dozen other concerns I have about security, but when a company does a key thing right, it raises my confidence that they got the other things right too. And vice versa.

* I am no cryptologist, but I can understand whether a system design is done right or not, and my professional background gives me a strong base for that too, along with the time spent engineering encryption products.

1Password: Secret Key: What is it, and how does it protect you?

A unique feature of 1Password’s security is the Secret Key, but its value is often misunderstood by users and security experts alike. Instead of thinking in terms of “is it like a second factor” or “is it like a key file” it’s best to explain it in terms of what it actually does: It protects you if we were to be breached.

...If we didn’t have the Secret Key built into 1Password, some user data on our servers would be decryptable if the attacker threw enough resources at cracking verifiers. But because the Secret Key makes such cracking futile, the encrypted data that we hold is far less valuable to an attacker. Why try to steal stuff that you can’t crack or decrypt?

...Unlike some of our competitors, our service has never been breached. There are many things one could attribute that to, including luck. But I believe that the 1Password Secret Key plays a role. Sure, attackers try, and we do defend against such attempts. That is the nature of running any service...

MPG: let me simplify this down to its essence.

Your encrypted stuff on 1Password servers is decryptable only with a radically robust passphrase that consists of your chosen password plus a long string of gibberish ("Secret Key"). And neither of these is ever known to the servers—it stays on your device.

Since the Secret Key resides only on your devices and not their servers, an attacker that compromises the 1Password website could not decrypt your stuff using all the computing power in the universe multiplied a trillion trillion times over.

The key to this is that these secrets (your chosen password and the Secret Key) are never transmitted across the internet; they never leave your device. Rather, a password-authenticated key exchange protocol (PAKE) lets your device authenticate to the server and exchange encrypted messages without the server ever needing to know the secrets.
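A model of the two-secret idea just described, added here as an example. This is not 1Password’s code: the way the Secret Key is mixed in (HMAC over a PBKDF2 output) and the hash-based verifier are simplifications standing in for the real design, which uses SRP, a PAKE, rather than a plain hash. The password, the three-word candidate list, the iteration count and the 128-bit key size are constructed for the demo. It shows the property the 1Password post is making: a stolen salt and verifier let an attacker test password guesses offline in a password-only design, while the same theft is useless when a device-held Secret Key is part of the derivation.

```python
import hashlib
import hmac
import os
import secrets

SECRET_KEY_BYTES = 16    # 128 bits of device-held randomness (assumed size for this model)
KDF_ITERATIONS = 20_000  # kept low so the demo runs fast; real deployments use far more


def derive_key(password, salt, secret_key=None):
    """Two-secret key derivation, simplified: PBKDF2 stretches the password with the
    server-held salt, then the device-held Secret Key is mixed in with HMAC.
    With secret_key=None this models a design that relies on the password alone."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    if secret_key is None:
        return pw_key
    return hmac.new(secret_key, pw_key, hashlib.sha256).digest()


def make_verifier(key):
    """What the server keeps: a one-way value derived from the key (a stand-in for an
    SRP verifier), never the key itself."""
    return hashlib.sha256(b"verifier|" + key).digest()


def offline_guess(verifier, salt, candidates, secret_key=None):
    """Model of what a breach hands an attacker: salt and verifier, testable offline
    against a candidate list. Returns the matching password, or None."""
    for candidate in candidates:
        if hmac.compare_digest(make_verifier(derive_key(candidate, salt, secret_key)), verifier):
            return candidate
    return None


def guess_work_bits(password_bits, secret_key_bits=SECRET_KEY_BYTES * 8):
    """Search space the attacker faces: the Secret Key's bits add to the password's."""
    return password_bits + secret_key_bits


def demo():
    """Constructed scenario: one weak password, a three-entry word list, a stolen salt+verifier."""
    salt = os.urandom(16)
    weak_password = "Summer2023!"
    word_list = ["password", "Summer2023!", "letmein"]

    # Design A: password only. The stolen verifier is enough to confirm a guess.
    verifier_a = make_verifier(derive_key(weak_password, salt))
    cracked_a = offline_guess(verifier_a, salt, word_list)

    # Design B: password plus Secret Key. The breach yields salt and verifier but not
    # the key, so every password guess must also be paired with a 128-bit guess.
    device_secret = secrets.token_bytes(SECRET_KEY_BYTES)
    verifier_b = make_verifier(derive_key(weak_password, salt, device_secret))
    attacker_key_guess = secrets.token_bytes(SECRET_KEY_BYTES)
    cracked_b = offline_guess(verifier_b, salt, word_list, attacker_key_guess)
    return cracked_a, cracked_b


if __name__ == "__main__":
    hit_a, hit_b = demo()
    print("password-only design, candidate list hit:", hit_a)
    print("with Secret Key, candidate list hit:", hit_b)
    print("bits of work for a 30-bit password plus the Secret Key:", guess_work_bits(30))
```

The practical consequence is the one MPG draws: the breach-resistance comes from where the Secret Key lives, not from the password’s strength, which is why a user who has to store the Secret Key somewhere (the emergency kit) is carrying the one piece that the server does not have.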

Twitter Data Breach: Hack Put 200 Million Users' Private Info Up For Grabs

re: security

Apropos How to Create a Password System You Can Live With and Why Passkeys Will Be Simpler and More Secure Than Passwords.

Twitter Data Breach: Hack Put 200 Million Users' Private Info Up For Grabs

2023-01-06

The hacker had demanded $200,000 to return the breached data back in December but warned that if their conditions are not fulfilled, they will release the data for free.

200 million Twitter users’ private information, including their email addresses, was put for sale after a breach exposed 400 million users’ private information in the last week of December 2022.

The hacker behind the December breach had earlier demanded $200,000 from Twitter in a bid to return the stolen data and warned if the demand is not fulfilled, the data will be released for free. The latest set of data posted on the hacker forum has been traced back to the same breach from December 2022.

...

Researchers at Privacy Affairs confirmed that the leaked data set on the hacker forum is the same from December. The 200 million number, in this case, resulted from the removal of duplicates. The released data set doesn’t contain phone numbers. The researchers warned that these data sets could be used to initiate social engineering or “doxing” campaigns.

...

MPG: “including their email addresses”: that solves half of the difficulty in hacking user accounts at web sites all over the internet. Yet so many web sites today demand you use an email address for your login—a terrible security design.

Why Passkeys Will Be Simpler and More Secure Than Passwords

re: security

For many users, passkeys might in fact be the best thing ever, depending on how passkey access is secured. They really do look like a good idea.

But... the reality might differ for some of us.

Why Passkeys Will Be Simpler and More Secure Than Passwords

Apple has unveiled its version of passkeys, an industry-standard replacement for passwords that offers more security and protection against hijacking while simultaneously being far simpler in nearly every respect.

You never type or manage the contents of a passkey, which is generated when you upgrade a particular website account from a password-only or password and two-factor authentication login. Passkeys overcome numerous notable weaknesses with passwords:

  • Each passkey is unique—always.
  • Every passkey is generated on your device, and the secret portion of it never leaves your device during a login. (You can securely sync your passkeys across devices or share them with others.)
  • Because passkeys are created using a strong encryption algorithm, you don’t have to worry about a “weak” password that could be guessed or cracked.
  • A website can’t leak your authentication credentials because sites store only the public component of the passkey that corresponds to your login, not the secret part that lets you validate your identity.
  • An attacker can’t phish a passkey from you because a passkey only presents itself at a legitimately associated website.
  • Passkeys never need to change because they can’t be stolen.
  • Passkeys don’t require two-factor authentication because they incorporate two different factors as part of their nature.

After a test run with developers over the last year, Apple has built passkey support into iOS 16, iPadOS 16, macOS 13 Ventura, and watchOS 9, slated for release in September or October of this year...

MPG: see also the Apple developer video on passkeys.

I have my doubts about just how well this will work in reality. Note the “built passkey support into iOS 16, iPadOS 16, macOS 13 Ventura...” thing: what about macOS Monterey, and macOS Mojave and older/other OS versions? Doesn’t exist.

How exactly can you adopt passkey technology without “upgrading” every last one of your computers and devices? The slick Apple video does not speak to that. It seems like a lie of omission.

The whole discussion neglects the reality of devices that are not running the latest and greatest operating system eg devices that have no passkey support. Simple: buy all new Apple devices and computers, throw away all your old software, and you will be Happy. Not.

Here are my concerns, many stemming from Apple’s repeatedly proven disdain for backward compatibility:

  • What happens if you misplace your phone? How would you login at all?
  • Major inconvenience across my Macs without submitting to iCloud syncing, which I loathe for its past unreliability. But maybe it will work great 100% of the time?
  • Apple has in the past destroyed interoperability by requiring "upgrades" to the current macOS for iCloud syncing. How can I sync when I have various macOS versions which demand an upgrade and I don’t want to upgrade?
  • What about the future, will passkeys suddenly fail to work because I have not performed some required upgrade? Or just cannot sync because iCloud won’t sync with an older OS?
  • The QR code based compatibility mode (about 4:42) looks misleading—that capability does not exist on older Macs such as my 2019 iMac 5K running macOS Mojave. It seems to be a case of “upgrade everything and see how great it works”. But I don’t want to “upgrade” many of my Macs—ever.
  • I keep notes and such with various accounts; passkeys don't have that from what I see.
  • I dislike the idea of having iPhones and iPad the center of my security life.
  • I dislike syncing security info to a cloud server no matter what claims are made about it, see for example LastPass Shares Details of Connected Security Breaches. And when Apple cannot get its act together on VPN.

Anon MD writes:

First, Happy New Year!

Second, I could not agree more with your comments about the feckless morons who design the website security theater. Your username is your active email address??!?!? I mean, come on. So that’s a free one for the opposition. And then the questions, like what city were you born in? Well, that’s available on the internet without much effort. Same as half the other stuff. Things like what’s your favorite movie might seem difficult, but there are a finite number of movie titles out there and it would take maybe a couple of milliseconds to attempt all of them in a brute force attack.

One thing I do like with my bank is their requirement that you select an image as part of your security package. So that image is projected back at you when you log in. Presumably the bad guys can’t phish that image because it does not reside on your computer. But who knows? Even that probably has security flaws.

The worst is the stupid password bullshit I have to put up with for access to my medical office computers, our server farms, and the electronic medical records software (all mandated by the US government, of course). When I go to work I have to do UN and PW just to access the individual workstation (and the UN and PW are different for every workstation in the office), then another UN/PW to access the server farms (one EMR system is on one farm and the other older EMR that actually has useable patient info that was never able to be ported over to the new EMR is on another server farm), then another login to access each EMR program itself. Only everything logs you out after ten minutes and then you have to go through the whole fucking exercise of 4-5 UN/PWs all over again all day long. To make it even halfway workable all our staff knows the doctors’ UN/PWs. Otherwise we would never get anything done. 

And then even worse, the software “engineers” who are so bad they can’t get a job with Amazon or Google think they are brilliant because they require you to change your password every 90 days. So to have any hope of ever remembering anything and actually getting any work done, you just recycle your passwords like this: “Cl@sterF@ck1”, “Cl@sterF@ck2”, “Cl@sterF@ck3”, etc. So when staff can’t log in to my portal they know to just increment the current password by +1 and they are usually good to go.

The only saving grace is that one program will accept a fingerprint scanner to log you in, and that actually works really well. Of course all the other programs will not work with the fingerprint scanner, for unknown reasons.

This is so bad as to be a not so funny joke.

And forget being able to use a password manager program on a shared office computer where all the workstations are shared.

So in order to get any real work done other than documenting in the electronic medical record, if I have to do a medical search or a calculation for say intraocular lens implant power calculations, all that happens on my personal laptop with my own personal memorized login and my personal websites whose passwords are all 20-24 random character passwords stored in 1Password.

And my master passwords are only on paper in a location known only to my executor and one other family member.

So I personally feel pretty secure in my own computing environment. God help the office environment, though. They are a gnat’s eyelash away from being phished or hacked or whatever, mostly due to their asinine “security” requirements.

Passkeys could bring an end to this catastrophe, but first they would have to be accepted by the federal government and then the feds would have to change policy to allow them to be used in the medical arena. By which time I will probably be dead and besides, the feds would probably require the process work only with Internet Explorer 6.

Maybe 2023 will be better.

MPG: I so enjoyed reading this. :)



How to Create a Password System You Can Live With

re: security

You could lose your life savings by being sloppy with passwords. So maybe it is worth some effort to improve your security?

Start by improving upon your own current practices, and keep doing so over time. You can make things a billion times better with little effort—literally.

The simplest advice I can give is this: think of a password not as a word, but as multiple words or a phrase, hence the term passphrase. That alone tends to generate far superior passwords, if nothing else, longer ones. A simple example is "tomatoes-are-not-a-vegetable".

Below is an outstanding article, albeit too long for many to deal with all at once. Accordingly, parts of it are quoted here with some of the best ideas called out.

The world's BEST password advice

By Michael Horowitz.

...We all need hundreds of passwords that need to created, stored and retrieved. When creating them, they need to be reasonably long and reasonably unique...

...Long passwords (12 characters is probably a minimum length, the exact number is debatable) defeat brute force guessing attacks...

PAPER HAS ITS PLACE... keep your most important passwords away from any type of computing device.

... a password formula is a great solution. It solves three problems: it makes retrieving passwords easy and it helps create reasonably long and reasonably unique passwords.... consider a password as a two part thing.

One part never changes, it's something meaningful to you that you will never forget. The other part does change but can be very simple and also meaningful to you. That's it. A constant and a variable. This should help you create dozens of unique, yet easily remembered, passwords.

...speaking as a computer nerd, I cannot stress enough how important it is to not re-use passwords...

...ARGUING AGAINST PASSWORD MANAGER SOFTWARE: the knee-jerk reaction of techies is typically to use a password manager. I think a formula is often a better option...

...The best way to deal with security questions was to treat them like a second password. When asked the name of a person, give the name of a place. When asked the name of a place, use the name of a person instead...

...LIE TO YOUR PASSWORD MANAGER...

...PASSWORDS CAN BE TOO SECURE...

...BEWARE OF BROWSER EXTENSIONS...They see everything on every web page...


MPG: note the first comment “We all need hundreds of passwords...”. I’d bet that most people have fewer than 5 passwords, heavily re-using them.

I do use a password manager, but I agree it is largely for techies and has a significant learning curve for ordinary users to master, even setting aside the other issues with one, which demand additional techie knowledge because of the “all eggs in one basket” approach. For such users, paper passwords using a password formula approach may be the best idea.

I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) for years and it sure looks like 1Password does things right.

If you use paper for passwords, do append a prefix and/or suffix to all of them, but do NOT write that down. Then even if your paper is obtained, they won’t work without that additional prefix/suffix.

I also incorporate a formula approach along with extra rules. And I use gibberish passwords intentionally for some sites, so that even *I* cannot remember them—perfect for a password manager. I mix various rules to suit, depending on the importance of the login. And I use 2FA (two factor authentication) in some cases (password plus a one-time-use code).
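To put numbers on the advice above (length, passphrases, the constant+variable formula, and the memorized prefix/suffix that never gets written down), here is an added example, not from the original article or from Michael Horowitz. It estimates the size of the search space for each scheme and the time to exhaust it. The figures it assumes are stated as assumptions: a 94-symbol printable ASCII set, a 7776-word diceware-style list, and an attacker testing 10^10 guesses per second against a fast hash. It also goes beyond the text in one respect: it shows what the formula is worth once the constant part has leaked, which is the case the unwritten suffix guards against.

```python
import math

# Assumed parameters for the estimates (not figures from the page).
PRINTABLE_ASCII = 94          # characters typable on a US keyboard, excluding space
LOWERCASE = 26
DICEWARE_WORDS = 7776         # a 6^5 diceware-style word list
GUESSES_PER_SECOND = 1e10     # offline attack against a leaked fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random_chars(length, charset_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random string over a charset."""
    return length * math.log2(charset_size)


def bits_random_words(word_count, list_size=DICEWARE_WORDS):
    """Entropy of a passphrase of words drawn uniformly from a list. Separators add
    nothing, and a meaningful phrase (as opposed to random words) is weaker than this."""
    return word_count * math.log2(list_size)


def bits_formula(constant_bits, variable_bits, constant_known):
    """The constant+variable formula. Once the constant has leaked (say, from one site's
    breach exposing a password built with it), only the variable part is left to guess."""
    return variable_bits if constant_known else constant_bits + variable_bits


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Worst case for the attacker: the whole space has to be searched."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare():
    """Side-by-side estimates for the schemes discussed on this page."""
    four_words, one_word = bits_random_words(4), bits_random_words(1)
    rows = [
        ("8 lowercase letters", bits_random_chars(8, LOWERCASE)),
        ("12 random printable characters", bits_random_chars(12)),
        ("4 random words", four_words),
        ("5 random words", bits_random_words(5)),
        ("formula: secret 4-word constant + 1-word site variable",
         bits_formula(four_words, one_word, constant_known=False)),
        ("same formula after the constant has leaked",
         bits_formula(four_words, one_word, constant_known=True)),
    ]
    return [(label, round(bits, 1), years_to_exhaust(bits)) for label, bits in rows]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{bits:6.1f} bits  {years:12.3g} years  {label}")
```

The last two rows are the reason to treat the unwritten prefix/suffix as the real secret of a paper or formula scheme: if the constant is ever recovered from one site, every other password built on it collapses to the strength of its variable part alone.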

Anti-security web-site design

Most web sites force us to use an email address as the login name. Not only does this mean it has to be an active email (which might later go dead), it defeats security in a big way, since the user login name is now known in advance: whoever obtains one site’s leaked list of email/password pairs can replay those same pairs against every other service, and succeeds wherever the password was re-used (“credential stuffing”). Stupid beyond belief, but that’s how sites are designed these days—by morons. These same morons often prohibit various characters in passwords and/or cap password length—unbelievable, since every such rule shrinks the space an attacker has to search. These same morons make you provide answers to fixed security questions—a terrible idea, since the answers are facts that are often public or guessable.
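To make the character/length complaint concrete, here is an added example (mine, not from this page or any site it mentions) showing the kind of validator being complained about next to one written along the lines of NIST SP 800-63B: a minimum length, a generous maximum that only bounds hashing cost, any printable Unicode allowed, no composition rules, and a check against known-breached passwords. The `BREACHED` set is a constructed stand-in for a real breach corpus; the rejection-reason strings and the 16/256 limits are my own choices.

```python
import math
import string
import unicodedata

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would check a breach database rather than this toy set).
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Character whitelist of the kind the post complains about.
WEAK_ALLOWED = set(string.ascii_letters + string.digits + "!@#$")
WEAK_MAX_LEN = 16


def weak_policy(pw: str) -> list[str]:
    """Short cap, character whitelist, composition rule.
    Returns the list of rejection reasons; empty means accepted."""
    reasons = []
    if len(pw) > WEAK_MAX_LEN:
        reasons.append(f"too long (max {WEAK_MAX_LEN})")
    if any(c not in WEAK_ALLOWED for c in pw):
        reasons.append("disallowed character")
    if not any(c.isdigit() for c in pw):
        reasons.append("needs a digit")
    return reasons


def sane_policy(pw: str) -> list[str]:
    """Rules in the spirit of NIST SP 800-63B: min 8, max 256 (the cap only
    bounds hashing cost), any printable Unicode, no composition rules,
    reject anything found in a breach corpus."""
    pw = unicodedata.normalize("NFKC", pw)  # so visually identical input compares equal
    reasons = []
    if len(pw) < 8:
        reasons.append("too short (min 8)")
    if len(pw) > 256:
        reasons.append("too long (max 256)")
    # Only control characters are refused; spaces, accents, CJK, emoji are fine.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("control character")
    if pw.lower() in BREACHED:
        reasons.append("appears in breach corpus")
    return reasons


def max_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on entropy of a uniformly random password under a policy:
    length * log2(alphabet). Shows what a cap and a whitelist cost."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    samples = ["Tr0ub4dor&3", "correct horse battery staple", "Password", "短い"]
    for s in samples:
        print(f"{s!r:34} weak={weak_policy(s)!r:60} sane={sane_policy(s)!r}")
    # Best case the weak policy even permits, vs. the same length with printable ASCII.
    print("weak policy ceiling (bits):", round(max_entropy_bits(len(WEAK_ALLOWED), WEAK_MAX_LEN), 1))
    print("printable ASCII, 16 chars  :", round(max_entropy_bits(95, 16), 1))
```

Note which way the two validators disagree: the weak one rejects a long random passphrase outright (spaces and length) while happily accepting a short dictionary word with a digit bolted on; the second rejects only what is actually dangerous.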

Anti-security iOS

Apple iOS makes it such a pain in the ass to enter a complex password, that most users (including me) choose mediocre passwords. It’s a total fail in every way. Shame on Apple for making it so hard.

For example, I cannot use a complex password because I often mis-type it, which I cannot see, because Apple hides the typed text from me as I type it! Then if I get it wrong more than a few times, some sites lock me out. You cannot win with such a stupid design. Accordingly, I just do not use my phone or iPad for things that require a password—I refuse the two shitty choices of poor security or difficult-to-use.

Passkeys

See also: Why Passkeys Will Be Simpler and More Secure Than Passwords.

Reader Comments

Reader Christopher C writes:

After noting that LastPass had been hacked, I was curious as to whether 1Password (which I have used for years, and see that you do too) had a blog post that mentioned it. They do, and it has a very interesting section about the advantages of optimizing the security of passwords by maximizing randomness — something I hadn’t thought through previously.

MPG: I hadn’t realized how incompetent some password managers are, like LastPass. I worked in security (encryption, Pretty Good Privacy aka PGP) for years so I consider myself competent in evaluating the general security approach of a product, and it sure looks like 1Password does things right.

Reader Tait S writes:

I had been a theoretical believer until I checked this website: https://haveibeenpwned.com/

Now I have password religion!

MPG: that's a good site to check. It has some connection to 1Password password manager, which I use, and as far as I know has proven secure over the years—so far so good. But you can never really know how good code is; assurances are worth little because the programmers themselves by definition are unaware of the security flaws they do not know about.

For years I got "pay us bitcoin" emails and still do because of one incompetent web site that stored unencrypted passwords in their database.
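The haveibeenpwned check Tait S mentions can be automated without ever sending a password, or even its full hash, to the service: the Pwned Passwords range API takes only the first 5 hex characters of the SHA-1 and returns every known suffix in that bucket, so the match is done locally (k-anonymity). The following is an added example of my own, not code from this page, haveibeenpwned or 1Password. `fetch_range_online` performs the real HTTPS call; the demo and the assertions use `CONSTRUCTED_RANGES`, a constructed reply for the bucket of the word "password", so it runs offline (the counts in it are made up, only the hash suffix is real).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse the service's 'SUFFIX:COUNT' lines (CRLF or LF) into a dict.
    Padded responses carry extra entries with count 0; they parse the same way."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_online(prefix: str) -> str:
    """Real network lookup of one 5-char prefix (not used by the offline demo).
    Add-Padding asks the service to pad the bucket so response size does not
    hint at which prefix was asked about."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_online) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    `fetch` is injectable so the lookup can be tested without the network."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the service reply to prefix 5BAA6 (SHA-1("password")
# begins 5BAA61E4...). Counts are invented; the middle suffix is the real one.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Offline substitute for fetch_range_online backed by the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in constructed corpus'}")
```

Two things worth knowing before wiring this into anything: the service sees only a 5-character prefix, which maps to hundreds of candidate hashes, so it learns nothing usable about the password; and a count of zero means "not in the corpus", not "safe". A password can be weak and still absent from every known breach.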



Apple VPN Leakage Goes Unaddressed

re: security and VPN

A leaky VPN (virtual private network) can get you imprisoned or killed in some repressive countries if information is leaked to authorities*. That’s as serious a bug as it gets.

Mac Rumors: iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

...Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that ‌iOS 16‌'s approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel

In August, it again emerged that third-party VPNs for iOS and iPadOS routinely fail to route all network traffic through a secure tunnel after they have been turned on – an issue that Apple has purportedly known about for years.

Typically, when a user activates a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. In iOS, security researchers have found that sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and ‌iOS 16‌.

Mysk and Bakry have now discovered that ‌iOS 16‌ communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge:

...

MPG: a class action lawsuit seems appropriate.

* Such as in China, where Apple cozies up to the CCP and carefully avoids any criticism of the regime whose horrific abuses of its people (concentration camps, organ harvesting, etc) should sicken anyone of conscience. All while being plenty woke here in the USA. Follow the money. No one seems to notice.

Michael A writes:

To the VPN scam on iOS:

This guy has a very actual site on the topic:
https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php#wherestands

and also a very good security advice site

https://defensivecomputingchecklist.com/

worth reading ;-)

MPG: for Apple to let this issue sit for so long is unconscionable. And maybe intentional, who can say for sure?



iPhone Call Audio Routing

Funny how a simple question from a parent can make you go look something up that has been irritating for years—brings it to the level of consciousness.

So I finally went digging into the convoluted garbage heap of iPhone settings*, and answered my question for myself too.

Buried 3 levels down is Call Audio Routing. For my father, this matters because of a Bluetooth hearing aid, so he wants Speaker.

* Remember iPhone v1, the first and best implementation? iOS is now a vast plain strewn with complicated settings, usability land mines, hidden features, hidden but “must know” shortcuts, nagging harassment for updates, etc.

iOS: Call Audio Routing


diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2020 diglloyd Inc, all rights reserved.