Sunday, September 23, 2012

Prepare Your iPhone For When You Lose It

Today I lost my iPhone at the fair when it fell out of a hole in my pocket. I was prepared to find it in a hi-tech way, which is what this article will teach you how to set up. But I actually got it back low-tech: someone turned it in to Lost and Found.

I never even considered the idea of looking for a lost item at the closest “Lost and Found” booth and only went in that office looking for a computer with internet. So, if you lose your phone, don’t overlook it. Lost and Found is what people did before there was iCloud and Prey and it still works.

To prepare for the day you lose your iPhone, set up iCloud on it. It’s free, but requires at least iOS Version 5. Verify this on your phone by going to: Settings, General, About, “Version.”

If you meet the minimum requirement above, then you should see an “iCloud” menu item in the 3rd group of items under “Settings.”

Tap on “iCloud” and if you haven’t set this up before, you’ll see the screen to enter your Apple ID credentials that associate your phone to an iCloud account.

If you don’t know your iCloud username (an email address) and password, try the username and password that you use to buy stuff from the iTunes store. Your “i-life” will be a little easier if you use the same Apple ID for iCloud as what you use for iTunes, though they are allowed to be different. Mine are the same.

What you definitely do NOT want to ever do is buy content from iTunes using different iTunes accounts or you will have a nightmare trying to play/use the content that you bought. Aside from the following situation, I’m not sure what other advantages and disadvantages there are of using different iCloud and iTunes accounts on the same device.

One case in which I do set up a device with an iCloud account different from the iTunes account is when I set up an iPad, iPhone or iPod Touch for a child. In that case, I set up iCloud on the device (following the instructions given below) using the parent’s Apple ID, and create a separate iTunes account for the child to use in iTunes. To do this, you have to lie to Apple about the iTunes account owner’s birthday when creating that account to make sure it comes out to at least 18 years old. With the separate iCloud account that belongs to the parent, the parent has an overview in her own iCloud account of all devices (computers, iPods, phones) belonging to herself and all the children and can track them all without the kids messing them up, disabling the settings, or losing the passwords. Then each kid has her own Apple ID for iTunes, knows her own iTunes password, and so can independently buy content from the iTunes store on an “allowance,” gift cards, or credit card if you left one in the account (required to create an iTunes account). I would delete the credit card from the iTunes account after the account is created. To do that, from iTunes on the computer, go to “iTunes Store” in the left panel, then “Account,” make sure you are logged in as the child, using the child’s iTunes account info, which is an email address (you had to lie about their age, too, in order to get this email address) and iTunes password (which you should not have made the same as the password used to access the email itself). Then you’re at a screen that lists the iTunes account info and there will be an “Edit” link next to the credit card number. Click that and you’ll get to the screen to change the credit card.
At the top of that are little picture icons of credit card and payment logos, and at the end of that is a rectangle that says “None.” Click “None” and your credit card data will go away, then click the “Done” button at the bottom of the screen to save the deleting of the credit card. When you return to the “Account” screen, the credit card should be gone and your child won’t be able to incur a giant bill.

So, get an Apple ID to make an iCloud account if you don’t already have one, or if you want to make a new one that is different from the iTunes account that will be used on this phone. If you need to create a new Apple ID account, do it on a computer to save yourself the hassle of typing on a phone. They will ask you for a username/Apple ID in the form of an email address and a password. It is best if you do not make the Apple ID password the same as the password you use to access that email, even though you will be tempted to re-use that password. Do yourself a favor and use a different password here, write it down and save it and the answers to the Apple ID security questions someplace safe.

Now that you have an Apple ID, which comes with an iCloud account, enter those credentials into the iPhone under Settings, iCloud, then “Sign In.” Click “Merge” if it asks you about that. Click “OK” if it asks you to allow location services.

Now under the iCloud settings, you should see a whole lot of things turned on. The most important is “Find My iPhone.” I personally turn off “Photo Stream,” “Documents and Data” and “Storage and Backup” but that is up to you.

Once that is set up, you can find this device on a map anytime by going to in any web browser, and logging in with your Apple ID and password that you used in the iCloud settings.

If you lost your iPhone in your house, you can click an iCloud button to “Play Sound” and your phone will start squeaking so you can find it in the laundry room. If you lost it in a public place and don't want someone who picks it up to start reading your email or making phone calls, click the iCloud button to “Lock” and it will prompt you twice for a lock code and offer you the ability to display a message on the lock screen of the phone.

To turn off the lock, on the phone go to Settings, General, Passcode Lock, type in the passcode, then tap “Turn off Passcode,” and type the passcode again.

Last, if there is something on the phone that you cannot risk getting uncovered (by brute forcing unlock codes or using other special cracking software), you can click the “Remote Wipe” button and totally erase the phone right now before the phone is turned off, SIM card removed, or it’s otherwise taken off network where you can’t see/control it anymore.

Before the next step, let’s also go grab the free “Find My iPhone” app from the App Store so that you can easily check on the enabled-ness of tracking on your own phone and so that you can easily help a friend in the field who has lost an i-device or Macbook. Open “App Store” from one of your Home Screens and click “Search” and type “find my iphone.” Tap the "Find My iPhone" result made by Apple that looks like this:

“Find My Friends” is also a good app made by Apple that shows you where your and your friends’ phones are on a map when you share locations with each other. If someone who lost her phone didn’t install iCloud but did install “Find my Friends” and shared location with someone, that someone could help her find the lost iPhone on a map. When you login with Find My Friends, login with your iTunes account username/password (in many cases that might be the same as your iCloud username/password). If you think Find My Friends would ever be useful to you, tap to install it now in addition to Find My iPhone, before we get to the next step.

If you are running an older iOS version that doesn't support iCloud, or you want a backup method of tracking your phone, or want an app with more features concentrating on tracking and tracing stolen and lost devices, including taking pictures of the person using your phone, install Prey on your phone now. After it’s installed, you can get an overview of all your devices being monitored with Prey (it does laptops and desktop computers, too), set them as missing to start getting reports, and other actions through a web based control panel. You can read all about Prey at

Now that all the apps you need to track your phone are installed, you should configure your phone so that someone who finds your phone and is not nice can’t easily disable or uninstall them. Do this by enabling “Restrictions” on your phone.

Go to: Settings, General, Restrictions and tap “Enable Restrictions.” It will prompt you for a 4 digit code to use to alter these settings. Pick one and don’t forget it. Enter it again for confirmation. Now verify that the following settings in here are set this way:

Deleting Apps: off

Location (tap on this and on the next page, set “Don’t allow changes” after turning on all the following),
    Location Services: On
    Find Friends: On
    Google: On
    Maps: On
    Prey: On
    Reminders: On
    Safari: On
    Urbanspoon (or other local recommending app): On
    Find My iPhone: On -> Find my iPhone: “On”, Status Bar Icon “Off”

Accounts (tap on this and on the next page, set “Don’t allow changes”)

When you finish, the Restrictions settings main page looks like this:

Doing that prevents someone from just deleting your iCloud account from Settings or uninstalling Find My Friends or Prey, which would cut you off from finding your phone. When you want to delete apps from your phone, you can either do it from iTunes on your computer and then sync, or on the phone itself, enter the code to temporarily disable the restriction.

Now if your phone is lost or stolen, you can do any of the following to find it:

a) Borrow someone’s iPhone/iPod Touch/iPad to run “Find my iPhone” (install it if they don’t have it). Login with your iCloud Apple ID and password.

b) Borrow a computer, smartphone or anything with a web browser and login to with your iCloud Apple ID and password.

If you installed Prey, go to and mark your phone as missing. Within minutes, you should start getting reports about where it is, possibly with photos of any person handling the device. Consider upgrading your free Prey account to a paid one to get a few more features that may help you recover your device faster.

If you borrowed a device for internet access (a public computer or asked a bystander to use their phone in order to track yours), make sure you log out of your iCloud or Prey account before handing it back to them.

If your phone doesn’t have a passcode lock on it and it is set up to be able to get into accounts you care about (like email) without having to type a password, I would use iCloud to lock it and set a message like “Reward, $50 for returning my phone, please bring to XYZ or call ABC.” Really, $50 is cheap compared to how much hassle and expense it would be to replace a phone. Pay it gladly if you get the chance.

If you’re a Gmail or Google Apps user and use Google Two-Step Authentication with this phone as the authenticating device, you’ll want to break that connection and remove it as an account recovery contact point from Gmail and any other important online service like your bank. If this phone accesses any Google services using “application specific passwords” then you may want to revoke those also.

If you've been using the Gmail webmail in the iPhone's mobile Safari browser, you should login to Gmail with a browser and click the "Details" link at the bottom of the page and then the button to "Sign out of all other sessions."

If you use Google Voice, Vonage, or another service that is redirecting calls to your lost cellphone, go back to that provider and change settings to redirect those calls to another number that you can answer.

Happy phone hunting.

Saturday, September 01, 2012

Expunging Criminal Records with an Idaho Withheld Judgment

In many states, there is a disposition of criminal cases called a "withheld judgment" or "deferred sentence." In Idaho it is authorized by Sections 19-2601(3) and 19-2604. Its legislative purpose is to keep the existence of the case off the record for most uses and to let the defendant go on as if it never happened. Idaho courts describe the "withheld judgment" this way:
"to provide an opportunity for rehabilitation and to spare the defendant, particularly a first offender, the burden of a criminal record."
State v. Branson, 128 Idaho 790 at 793, 919 P.2d at 322 (1996). Unless you follow the advice in this post, that is not what is going to happen in your case.

In most states, if you are lucky enough to have your case resolved this way, all you do is wait out the probation period, then apply to the court at the specified time, and the arrest, charge, and conviction come off your record. However, in Idaho, what actually happens in practice is that all the details of the case remain part of the public record for anyone to find. The only thing that changes when one applies for and is granted the order for withheld judgment is that the label on the case changes to "conviction reversed and case dismissed."

The problem is that all the rest of the information, the original charges (if they were trumped up to leave the prosecutor room for plea bargaining), and every play by play of the case that was part of the public record is still there. The online Idaho Repository can deliver all details of this case instantly to any journalist or interested person if the withheld judgment is carried out in the typical way.

So, you need to make sure it is not carried out in the typical way. You want to make sure your withheld judgment results in the case being expunged from your record. From what attorneys are saying, this is "notoriously difficult" and "not going to happen" in Idaho.

Don't settle for that advice. Your attorney is probably busy and has financial incentive to re-cycle the same paper he used on the last client. The fact that you even have a withheld judgment says that the court thinks this case is relatively unimportant, too. Really, this case is only important to you and no one else, so if you want it sealed, you're going to have to do a little extra work.

The process is this:
  1. At your sentencing, the judge ordered a Withheld Judgment along with a period of probation, and maybe fine, or requirement to complete some kind of re-education program.
  2. Now the probation time is close to expiring and you have fulfilled every other requirement of the original judgment, including your not ever violating any term of probation.
  3. You have to file the following 3 papers all together in order to get the benefit of the Withheld Judgment:
  • Affidavit of Compliance with Withheld Judgment. This is a notarized paper in which you testify and sign that you have complied with all terms of your probation. Kootenai County has a pre-printed form that is used specifically for this purpose and the clerk at the desk will hand it to you and notarize it for you for free. Just don't let her take it from you and file it by itself, as she will try to do. Tell her you will bring it back to her in a little while.
  • Motion to Dismiss Withheld Judgment and Expunge Records. This is a court motion in which you ask the court to activate the withheld judgment based on the fact of your compliance with all the requirements of the judgment. It is signed by either you or your attorney. Here is a sample for you to edit and use.
  • Proposed Order Granting Motion to Dismiss and Expunge Records. This is a court order that you write, and that you are asking the court to sign. It contains reasoning based on Title 19 (withheld judgments) and ICAR 32 (sealing cases where individual privacy outweighs public disclosure). It is also specific enough that if a state or local agency does not expunge this record, you can point to this Court Order that they are violating, and if that is not enough, file a Writ of Mandamus to force them to comply. You do not sign this, you leave it blank and hope the judge will use it verbatim and sign it. Here is a sample for you to edit and use.
Normally in Idaho, when trying to make use of a Withheld Judgment, the government machinery turns on just Title 19, and all the automatons do nothing to protect your criminal record. What is different about your motion is that it involves Idaho Court Administrative Rule 32(i), which allows the court to protect and seal a record if it makes a fact finding that certain material is not subject to public disclosure. The primary case that outlines how ICAR Rule 32 works is State v. Turpen, 216 P.3d 627 (2009).

In order to qualify for the extra protection of sealing your case (achieving expungement), the court has to make a written finding that satisfies just one of these:
  • The material contains highly intimate facts that, if published, would be objectionable to a reasonable person, or,
  • The material contains facts that, if published, would reasonably result in economic or financial loss to a person with interest in the material (you), or physical harm to anyone.
Submitting the 3 documents listed above is your application to the court to activate your Withheld Judgment. Before you file these documents in your case with the Court Clerk, mail a copy of each to the prosecutor so that your "Certificate of Service" on your motion is valid. After a few days, the prosecutor will either object or not to your motion and you'll find out by mail. If they object, then the judge may set a hearing to argue the matter. More likely, they will not answer or not object, and in that case the judge should issue an order granting your motion within a week or two.

With luck, the judge will just sign your proposed order, which will seal the case and close off information leaks from the Idaho Repository, Idaho State Patrol criminal history background checks and other sources that obtain data from public information. Then you can honestly report that you were never convicted of this crime. Although background checks that search public records will not turn this up, investigations conducted by law enforcement agencies will. This means background checks conducted by a private firm, such as for a job application, should be clear. But if you're trying to join the military or FBI, the case will be found. If you have money and are curious about what might be found, wait a couple of weeks and then order a pre-employment/criminal background check on yourself from a service like Intelius, US Search or another. Contrast that result with one conducted directly through the FBI.

Also be aware that the withheld judgment is still considered a conviction for purposes of "3 strikes" type of laws and counting DUI priors, and can disqualify an application for an Idaho concealed weapon permit made within 3 years.

Monday, July 30, 2012

Mountain Lion Brings Encrypted Backups to Network Drives

Starting with OSX 10.8 (Mountain Lion), the "encrypt backup" checkbox in the Time Machine preferences is no longer disabled when you're looking at a network volume like a share on a Time Capsule. It's about time.

Before this, only directly attached volumes (like USB, firewire, eSATA) had this option. This bugged me endlessly because all the beauty and ease of Time Machine was dangled in your face then taken away.

Anyone on 10.7 or lower who really wants to use Time Machine but wants it backed up to network shares and encrypted will have 2 choices.  First choice is to follow advice mentioned in the previous post about putting the unencrypted Time Machine backups into an encrypted sparseimage that resides on the network. The down side of this is that you have to mount the disk image before Time Machine will be able to back up to it. Even with Keychain memorizing the password to the encrypted disk, it still takes some manual intervention or custom Applescript automation to get it mounted.

Second choice is to find a NAS that supports iSCSI (just about all of them except the DroboFS) and configure the backup volume as an iSCSI target. This works because, to the operating system, an iSCSI volume looks like direct attached storage, not a network share. So the "encrypt backup" checkbox in Time Machine options is not grayed out; it is enabled just as if you had plugged in a Firewire external drive. The down side of this is that for 10.7, the cheapest iSCSI initiator is about $80, and the other one is $200. For 10.6, there is a free iSCSI initiator. Aside from having to buy software that costs more than OSX itself, iSCSI shares get forcibly ejected when your computer wakes up from sleep or your network connection goes away. This is the same as yanking the cable of an external drive out of your machine without properly "ejecting" it first. It can corrupt data.

So, this fix in 10.8 is welcome, and is the only reason I upgraded from Lion (which I was almost immediately sorry for last year). Now with Mountain Lion I can set and forget Time Machine to make encrypted backups to network attached storage.

As long as you are making backups, you might also think about keeping a copy off-site in case your house burns down or your stuff gets stolen. Crashplan has a nice way of letting you make backups onto your friends' computers. But suppose you have no friends and need to buy storage? Look at these annual prices.

                5G     10G      20G    25G      50G    100G     200G      500G   1TB       Unlimited
Google Drive    free   -        -      $29.88   -      $59.88   $119.88   -      $599.88   -
Amazon Cloud    free   -        $20    -        $50    $100     $200      $500   $1000     -
Apple iCloud    free   $20      $40    -        $100   -        -         -      -         -
Dropbox         free   -        -      -        -      $99      $199      $499   $795      -
Crashplan       -      $24.99   -      -        -      -        -         -      -         $49.99

Biggest rip-off is from Apple. The best deal for a place to put your backups is Crashplan, which allows unlimited data storage. Its competitors like Carbonite also have unlimited storage for a slightly higher price, but I didn't bother to list them here because their programs have such strange restrictions like not backing up video files or files larger than 4GB unless you specifically ask for them, and not allowing data from external drives unless you pay more. Crashplan, on the other hand, backs up everything you have unless you say not to, including all the external disks you can plug into your computer. Plus, Crashplan gives you the option to back up to local storage (your USB drive) and to your friends' computers, not just to the online service they sell. It's clearly the best deal. When digital stuff is so important in our lives, how is it not worth $4 a month to keep it safe?

The unavoidable downside of online backup service is that your hard drive is probably hundreds of gigs, if not terabytes, and so will take a very long time (days or weeks) to upload your first complete backup. Then, if you have an emergency and need your data back, downloading that much data can still take days. (You are also allowed to cherry-pick files to recover, you're not required to download everything.) To alleviate these delays, Crashplan offers a service for $125 in each direction where they ship you an external drive and you send it back when you're done. 

I'm not subscribing right now because I prefer backing up to my own external drive at an off-site place with good internet access, but if that went away, I'd sign. They even have a "family" plan for about twice as much that allows everyone in your house to pile on to make sure their funny-faces from Photo Booth will be safe forever. 

Saturday, July 14, 2012

Still chasing automatic encrypted backups

Apple disables the "encrypt backup" checkbox for any network volume.

The only way to have an easy encrypted Time Machine backup is to use a directly attached storage device (Firewire, USB, Thunderbolt). That works fine for a desktop computer that stays in one place and you can just leave it plugged in all the time. But if I have to plug an external drive in to my laptop before starting Time Machine, it's not going to get done.

Time Machine volumes are supported on my NAS, but I don't want unencrypted backups so that anyone who steals the backup hardware has total access to all my files. That would be an especially ridiculous result for anyone who has bothered to enable Filevault (full disk encryption) on a machine. To make it clear, Time Machine backups are not encrypted, even when Filevault is enabled, unless you check that little box to make them so, which you can't if they are on a Time Capsule, NAS or any network volume.

The workaround is to create an encrypted disk image with a special filename, mount that, saving the password in your keychain, and use the "tmutil" terminal command to make Lion accept your Time Machine disk. Even this solution is still wanting, because you have to first mount the sparse bundle before Time Machine will do any work, and if the backup plan relies on me to do anything, it's not going to be reliable or regular.

Until I figure out whether something like iSCSI will work, I'll just keep doing intermittent Crashplan offsite backups (things copy only when I connect to a VPN) and the bi-monthly SuperDuper! disk clone, which is really inconvenient on a Macbook Air whose USB ports don't have enough bus power for a 500G external drive, forcing me to also haul out and get tethered to an AC adapter for the duration.

Friday, July 13, 2012

Faster wifi for NAS or bust

The DroboFS has always been so slow that I never use it. It's just a big waste of $600. Now that I have last year's Macbook Air, there are no fast Firewire 800 (800 mbps) ports, so am stuck with USB (480mbps) for any directly attached external drives. I hate having to plug anything into the laptop, and am enamoured with the idea that Time Machine backups can happen automatically without me having to do anything or think about it.
Because I never actually get to use the massive storage in the DroboFS (because it's so slow it is unusable), I got the biggest internal SSD drive available for the Air. Now that space is running low, so I am ready to fight with the Drobo again to try to get some value out of it.

A fairly nice mechanical (as opposed to SSD) SATA hard drive may be able to read/write at 100MBs (megabytes per second). To put that into network throughput terms, which are measured in megabits, multiply by 8 because there are 8 bits in a byte. So you need at least 800mbps of network bandwidth to work a decent SATA hard drive to its limit. I'm parenthesizing megabits per second (mbps) and megabytes per second (MBs) throughout this post to relate network speed to hard drive speed (measured in MBs), since the point is answering why Network Attached Storage (NAS) like a DroboFS is slow on a slow wireless network.

Recent computers with a "SATA II" bus are capable of moving data at 3 gigabits per second (3000mbps, about 6 times faster than USB speed). Machines made after 2011 probably are "SATA III," and can drive 6 gigabits per second (6000mbps). A "SATA III" machine like my 2011 Macbook Air can work a hard drive up to 750MBs. The fastest SSD drives available right now go only 500MBs, 5 times faster than a decent mechanical drive. Is it starting to be clear that if your network has only 54mbps (54/8 = 6MBs) of bandwidth, there is no way you can take advantage of what even a crappy hard drive can do? That is my problem. Disk access to the DroboFS is only like 5MBs = unusable.

In the DroboFS are a bunch of 2TB Western Digital WD20EARS energy saving "SATA II" hard drives. The lowest benchmarks on these individual drives are around 80MBs. When added to the Drobo, though, they become part of its disk array, and how fast is that? I need to measure from the DroboFS itself, not from my Mac, because I want an answer that does not include any slowdown caused by accessing the device over a network. I just want to know what the Drobo is capable of, and then try to see how close I can get to that when accessing the device as a NAS.

So I get a root shell on the Drobo (DroboApps Dropbear) and ask how long does it take to write a 2,048 megabyte file ("8" * 1024 byte blocks, written "256" * 1024 times)

# time sh -c "dd if=/dev/zero of=/mnt/DroboFS/output.img bs=8k count=256k && sync"
real 0m 54.97s

Now I flush out any filesystem cache that might exist in the Drobo's memory by writing another file that is at least as large as the amount of Drobo's memory, so that when we read the first file back in, it will be a full read, with no "cheating" from the use of any cache. This Drobo hunk of junk has only 128MB of RAM, so 16000 * 8000 should wipe anything.

# dd if=/dev/zero of=/mnt/DroboFS/flush.img bs=8k count=16k 

After any caches are flushed, how fast can it read the first file we wrote?

# time dd if=/mnt/DroboFS/output.img of=/dev/null bs=8k
real 0m 33.70s

Thanks to this blog for the commands, info about sync time and filesystem caches.

write: 37MBs (2048/54.97)
read: 60MBs (2048/33.7)
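
The measurement above (timed write with sync, cache flush, timed read) packaged as a reusable script, together with the megabits-to-megabytes comparison the post uses to decide whether the disk or the network is the limit. This is an added example, not code from the original post; the function names, argument order and default sizes are assumptions of the example.

```shell
#!/bin/sh
# Added example: the post's dd write / cache-flush / read procedure as functions.
# Function names, arguments and defaults are assumptions, not from the post.

# Current time in seconds. GNU date supports %N (nanoseconds); BSD and BusyBox
# date print it literally, so fall back to whole seconds there.
now() {
    t=$(date +%s.%N 2>/dev/null)
    case "$t" in
        ""|*[!0-9.]*) date +%s ;;
        *) echo "$t" ;;
    esac
}

# throughput_mbs MEGABYTES SECONDS -> megabytes per second, one decimal place.
throughput_mbs() {
    awk -v mb="$1" -v s="$2" 'BEGIN {
        if (s <= 0) { print "too-fast-to-time"; exit }
        printf "%.1f\n", mb / s
    }'
}

# link_ceiling_mbs MEGABITS_PER_SEC -> best-case megabytes per second
# (8 bits per byte, ignoring protocol overhead).
link_ceiling_mbs() {
    awk -v m="$1" 'BEGIN { printf "%.1f\n", m / 8 }'
}

# bottleneck DISK_MBS LINK_MBPS -> "network" if the link cannot carry what
# the disk delivers, otherwise "disk".
bottleneck() {
    awk -v d="$1" -v m="$2" 'BEGIN { print ((m / 8 < d) ? "network" : "disk") }'
}

# bench_dir DIR [SIZE_MB] [FLUSH_MB]
# Writes SIZE_MB of zeros in 8k blocks and syncs, writes FLUSH_MB more to push
# the first file out of the filesystem cache, then reads the first file back.
# Defaults match the post: a 2048 MB test file and a 128 MB flush file.
bench_dir() {
    bd_dir=$1; bd_size=${2:-2048}; bd_flush=${3:-128}
    bd_test="$bd_dir/output.img"; bd_junk="$bd_dir/flush.img"
    if [ ! -d "$bd_dir" ] || [ ! -w "$bd_dir" ]; then
        echo "bench_dir: not a writable directory: $bd_dir" >&2
        return 1
    fi

    # 128 blocks of 8k make one megabyte. The sync is inside the timed
    # window so data still buffered in RAM counts against the write time.
    bd_t0=$(now)
    if ! dd if=/dev/zero of="$bd_test" bs=8k count=$((bd_size * 128)) 2>/dev/null; then
        rm -f "$bd_test"
        echo "bench_dir: write failed (disk full?)" >&2
        return 1
    fi
    sync
    bd_t1=$(now)

    # Cache flush: FLUSH_MB should be at least the device's RAM size.
    dd if=/dev/zero of="$bd_junk" bs=8k count=$((bd_flush * 128)) 2>/dev/null
    sync

    bd_t2=$(now)
    dd if="$bd_test" of=/dev/null bs=8k 2>/dev/null
    bd_t3=$(now)
    rm -f "$bd_test" "$bd_junk"

    bd_w=$(awk -v a="$bd_t0" -v b="$bd_t1" 'BEGIN { print b - a }')
    bd_r=$(awk -v a="$bd_t2" -v b="$bd_t3" 'BEGIN { print b - a }')
    echo "write_MBs=$(throughput_mbs "$bd_size" "$bd_w") read_MBs=$(throughput_mbs "$bd_size" "$bd_r")"
}

# Usage: sh bench.sh /mnt/DroboFS [SIZE_MB] [FLUSH_MB]
# With no arguments the script only defines the functions.
if [ "$#" -ge 1 ]; then
    bench_dir "$@"
fi
```

Run it on the NAS itself to get the device's own ceiling, then against the mounted share from a client to see what the network leaves of it.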

Now I see that the maximum potential disk speed on the DroboFS is only 40-60% of what the bare drives have benchmarked when connected directly to a computer with a SATA cable. Even though I know from internet chatter that the processor and memory components of a DroboFS are cheap and under-powered, this performance loss is still a surprise. RAIDed drives add spindles, which should increase performance. But the Drobo is not RAID, it is a proprietary "Beyond RAID." Whatever.

The true performance that I will see in real world use will actually be even less than the result from the test above because those tests are done with "dd" which doesn't really consider the overhead of filesystem format.  So, real world maximum potential will be worse than those figures, let's say 30MBs, which is what most people who are giving the DroboFS favorable ratings say that it can do.

Bottom line: You take an 80MBs drive, put it in a DroboFS, and now it is a 30MBs drive. Boo.

30MB/s should still be usable though for Time Machine and other backups, iTunes and iPhoto Libraries, which are the things that are taking up all the space that pushed me to external storage in the first place. Except that when I access the NAS over wifi, I'm getting only like 5MBs.

In my last post, I said I thought the slowness was due to the network, related to my Airport Extreme Base Station being from 2008 when the 802.11n spec (the fastest wifi) was still in draft. Looking at my wifi connection settings on my Air, I was always seeing slow transmit rates like "30" or "54" (megabits per second), which, divided by 8, works out to those slow MBs disk speeds on the NAS.

So I bought a new Time Capsule (instead of a cheaper diskless Airport Extreme, hedging against getting rid of the stupid Drobo at some future time) to see if that would boost my wifi speed from 50mbps to something closer to the maximum potential of 802.11n wifi, which is 300mbps (37MBs).

I also bought an Apple USB-to-Ethernet adapter made for the Macbook Air without realizing that it has a maximum throughput of only 100mbps. I thought it was GigE (1000mbps) and just expected it to be capped at USB's maximum of 480mbps. It's not, and I've only been able to get about 80mbps out of it. That's still not fast enough (10MBs) to do anything useful with the Drobo, so it will just be an extra part I have lying around.

With the new Time Capsule, I saw my wifi Transmit Rate jump up to 130, almost triple what I was getting with the old Extreme.

But I'm sitting right next to the Time Capsule, and the maximum "n" speed is 300, so it should be faster. Then I notice that it is connecting to the 2.4Ghz band. A nice thing about the new Airport Extremes and Time Capsules is that they broadcast on both the 5Ghz and 2.4Ghz frequencies (so 2.4Ghz-only "n" devices like iPhones and iPads can still join). I wanted to connect at 5Ghz, expecting it to be faster, but the laptop always ended up on 2.4.

I fixed this with Airport Utility by setting the 5Ghz frequency to get a different SSID under the Wireless tab, then the Wireless Options button.
Then I could force the Macbook Air to connect to the 5Ghz network by clicking the Menubar's wifi fan icon, Join Other Network, and entering the distinct SSID. After that it connected to the 5Ghz network with the full 300mbps Transmit rate.

Now my wifi is 6 times faster than when I started. It's still nowhere near the 1000mbps of a wired GigE network, where a NAS would work fine because there's more than enough bandwidth to get full performance from even a 100MBs (800mbps) hard drive. But accessing the same drive at maximum wireless speed, 300mbps, still cuts off about 60% of the drive's performance (300/8 = 37.5MBs). Even so, 30MBs should at least be usable, not like 5MBs. Or 2.5MBs, as experienced by this person whose DroboFS review I enjoyed.

I'll tell you whether any of this saves my DroboFS from the garbage can as soon as my Time Machine backup to the Time Capsule finishes.

* * * *

After my new Synology DS412+ arrived, I took 4 WD20EARS 2TB drives out of the DroboFS and put them in the new NAS configured in a RAID10 set.

RESULTS from "dd" tests at DS412 shell:
write: 273MBs (2048/7.49)
read: 218MBs (2048/9.36)     <-- wow, is that crazy fast for "green" disks?

RESULTS from "dd" tests at Mac shell writing to DS412's AFP share over Wifi
read: 24MBs (2048/85.76)
write: 27MBs (2048/74.68)

RESULTS from "dd" tests at Mac shell writing to Time Capsule (4th gen) share over Wifi
read: 19MBs (2048/108.82)
write: 12MBs (2048/175.14)

Summary: Time Capsule passes (it's just backups and doesn't need to be very fast). DS412+ fileshare over 802.11n wifi is in the usable range. Numbers directly on the DS412 made me recheck my math 3 times.

This tells me that, yes, the DroboFS was about the worst network attached storage device available on the market when I bought it in 2010. They still sell them today. Garbage.

Sunday, July 08, 2012

DroboFS, so slow. NFS Slower.

Two years ago I got a DroboFS because I wanted extra storage accessible to the whole family, a place to keep Time Machine backups, easy hotswap maintenance, and no hassle with plugging in any directly attached storage devices. The Drobo FS can do all this, but it is so slow, I hardly ever use it. Whenever I do try to use it, it is such a slug, I almost always get sidetracked starting to research something to replace it so I can get rid of it. Like this guy.

Using the DroboFS over 802.11n (2.4Ghz, n-only) wireless, it reads and writes at about 5MB/s (megabytes per second). This is under OSX 10.7.4 Lion, the most recent Drobo firmware 1.2.4, and all Western Digital 2TB EARS "green" drives. It's about the same speed when the base station is set to n plus b/g compatibility. In my house, the n-only 5Ghz was worse.

I have read that the best DroboFS will ever do is about 30MB/s (megabytes per second, or 240 megabits per sec), which is 6 times faster than what I am getting out of it over wifi. Sometimes I would be willing to plug in to ethernet to get things moving faster, but that's not very convenient on a Macbook Air with no ethernet.

The Apple Airport Extreme Base Station that I have is from 2008 and can do "802.11n" according to the draft specification that there was at the time. That should mean wireless speeds of up to 160mbps (20 megabytes per second). However, I have never seen it go faster than "g," which is a maximum of 54megabits/sec (6.75MegaBytes/sec). I know this because iStat Menus gives me nice little speedometers in the menubar that I am always checking. If my base station is too old to get real world "n" speed, then I am within 1MB/s of what the hardware can push and it's not Drobo's fault that it's  practically unusable over wifi. But, assuming that I can get "n" wifi speed, there are 15 more megabytes/second (3 times faster) that I should be able to read from/write to it.

While trying to find out whether there was any way to make it faster, I read that some people found some performance gain using NFS, as opposed to the built-in AFP protocol. In order to try it, you have to enable DroboApps, and install the unfsd. I did that and found NFS is even worse than AFP, losing about 1MB/s in both read and write speed.

In order to get NFS to even work at all, I had to read a lot of blog posts. The default exports file that comes with the unfsd app offers to share every share created in the Drobo Dashboard:


and uses the "no_root_squash" option, which means that files created over NFS are written on the Drobo system as the root user. That is usually not good, and it is the opposite of the default that software generally ships with.
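A quick audit for the setting described above, as an added example that is not part of the original post or of the unfsd DroboApp: it flags every export line that carries no_root_squash (a client's root user stays root on the server) or that is open to any client. The exports content is a constructed sample, the share names Public, Backups and Media are assumptions, and the "path client(options)" layout is assumed.

```shell
#!/bin/sh
# Added example: flag risky entries in an NFS exports file.
# Assumes the common "path client(options) client(options)" layout.

# write_sample_exports FILE: constructed sample, not the real DroboApp file.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample exports file
/mnt/DroboFS/Shares/Public (rw,no_root_squash)
/mnt/DroboFS/Shares/Backups 192.168.1.20(rw,root_squash)
/mnt/DroboFS/Shares/Media 192.168.1.0/24(ro) *(rw,no_root_squash)
EOF
}

# audit_exports FILE: print "line:finding:path" for every risky entry.
audit_exports() {
    awk '
        /^[ \t]*#/ { next }     # comment line
        /^[ \t]*$/ { next }     # blank line
        {
            path = $1
            # a path with no client list is treated as open to everyone
            if (NF == 1) { print NR ":any-client:" path; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                # an empty client or "*" matches any host
                if (client == "" || client == "*")
                    print NR ":any-client:" path
                # root on the client is not mapped to an unprivileged user
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash")
                        print NR ":no_root_squash:" path
            }
        }
    ' "$1"
}

# Demo run on the constructed sample
sample=$(mktemp)
write_sample_exports "$sample"
audit_exports "$sample"
rm -f "$sample"
```

Restricting each export to the client addresses that need it and dropping no_root_squash clears both findings.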

In order to connect to this NFS export you can either get to the Finder and choose "Go, Connect to Server" from the top menu (Command + K) and type:

nfs://[IP address of DroboFS box]/mnt/DroboFS/Shares/

(Notice that the path on the end of that connection string is the entire full path to the share from the perspective of the Drobo box. It won't work if you put the share name alone after the IP address.)

Or you can manually mount the export from a shell prompt. Before mounting this way, you have to make an empty directory as the spot that you will mount it on top of. So, first:

mkdir ~/myDroboshare

sudo mount -w -t nfs [IP address of DroboFS box]:/mnt/DroboFS/Shares/ /Users/[your username on your Mac]/myDroboshare

The whole mount command has to be typed on 1 line.

If you do one of the above, then you'll find the share accessible to OSX and can see it in Finder windows, and from a shell prompt you will be able to write in there. But from the GUI, everything will appear as a read-only filesystem. GUI apps will think they cannot write in there and give you error messages.

In order to fix this problem, you need to get back to the Drobo box and edit the file that is in the same directory as the exports file (/mnt/DroboFS/Shares/DroboApps/unfsd/) and add in a "-s" for "single user mode" to this line:

${prog_dir}/unfsd -s -e ${exportsfile} -i ${pidfile} >> ${logfile} 2>&1

After editing the file, you want to restart the nfs service on the Drobo box. The best way to do that is by running that script from a shell prompt on the DroboFS box:

/mnt/DroboFS/Shares/DroboApps/unfsd/ restart

In order to do it that way, you will have to have installed the Dropbear SSH app, and ssh into the box as root. Otherwise, the only way to restart any of these DroboApps is to restart the whole DroboFS box, by turning it off and on, or using the "restart" button in Drobo Dashboard under the "Tools" menu.

Wednesday, November 09, 2011

Fun with Applescript, VPN and Proxy

I have a lot of digital pictures and home movies, and I'm supposed to be smart enough not to lose them by mistake or hardware failure. So part of my backup process is to backup files off-site across the internet using Crashplan.

This worked fine at first, but over time something happened and my computers just couldn't see each other unless I connected over a VPN. Bringing up the VPN is a manual step (enough of them and you won't have backups anymore), and so is restarting it when it drops, which happens at least once an hour.

If I don't have too much data, then I can start the VPN, nudge Crashplan to notice it right away, and get my files sent off-site. But if there is a lot, home broadband upload speed is slow, and not much will be done before the VPN gets knocked down. Then the backup will stop until I come back and fix it, which probably won't happen. Usually when I see that I have hundreds of megs or more of stuff not finishing, I will just bring my computer to the other site, plug it into gigabit ethernet LAN where it can finish pretty quickly.

After staying up too late on the internet the other night, I found out how to automatically restart the VPN when it falls down. So now I can just leave the computer on at home and bigger backups get farther without babysitting.

It's just an Applescript, created with "Applescript Editor" that comes with every Mac, "Saved As" format "Application," with the checkbox for "Stay Open" checked. I saved it under my Home directory in ~/Applications/

on idle
    tell application "System Events"
        tell current location of network preferences
            set myConnection to the service "WHATEVER THE SERVICENAME IS"
            if current configuration of myConnection is not connected then
                connect myConnection
            end if
        end tell
        return 60
    end tell
end idle

The "WHATEVER THE SERVICENAME IS" is whatever the VPN service is called in the list of services under System Preferences, Network. If it's a long name, it might be shortened in the list with an ellipsis but you can see the full name by either hitting the "Advanced" button and looking at the top of the next pane, or by checking the "Show VPN status in menubar," then clicking that menubar icon.

Under Lion, if you need to add routes for the VPN, you put them in /etc/ppp/ip-up

# pppd passes the remote address of the VPN server as the fifth argument
if [[ "$5" == "123.456.789.253" ]]; then
    /sbin/route add -net 123.456.789.253
fi

Now whenever I start the VPN connection, I also invoke Spotlight (Command+Spacebar), start typing "" and after a couple of letters, when that result jumps to the top of the list, hit the Enter key and the app will run until I quit it. With VPN disconnections of less than 60 seconds, Crashplan can keep uploading to the other side for as long as the machine is on.

Hungry for more Applescript, I thought about how many manual steps there are to setup system wide proxying through an ssh tunnel. First, open Terminal, run "ssh -D 9999 me@somewhereelse" to connect to the other host (using ssh keys) where I want my tunneled traffic to come out. Then System Preferences, Network, click my current servicename (typically Wi-Fi), Advanced, Proxies, then enable checkbox for "SOCKS proxy" ("SOCKS proxy server" on that pane should have "localhost:9999"), then "OK" and then finally "Apply."

What a hassle, but then, SOCKS aware apps like Firefox will automatically send their traffic through the tunnel, so my IP address while browsing will be the IP of the place I ssh'd to, not the IP assigned by my Internet Service Provider at home. However, not all programs are SOCKS aware. Transmission, uTorrent and wget are not. When they connect to places on the net, they do it with your real, not proxied, IP. Safari, Vuze and Xtorrent are: TCP only reveals your proxy IP to those you connect to. Curl can do SOCKS, but you have to ask it special, and even when the tunnel is down, it still acts like it is there, which was confusing to me and I didn't spend much time trying to figure it out. 

So, to automate setting and unsetting the system wide SOCKS proxy,  here's a bash shell script. It scans to see if it's already on or not. If it's on, it turns it off. If it's off, it turns it on, kills any ssh process that looks like a leftover from an old tunnel, creates a new ssh tunnel, and prints the current status and my IP address as seen from the other side of any tunnel in a Growl notification.

The script uses "osascript" in order to run some Applescript to launch Safari and read a webpage to figure out the IP address I look like on the internet. The Applescript is because Safari will use the tunnel if it is there -- wget cannot (and curl was just weird).



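#!/bin/bash

# Network service whose proxy setting gets toggled, as listed under System Preferences, Network
device="Wi-Fi"

# Load a page in Safari (which uses the system SOCKS proxy) and return its source
function myip {
osascript <<'EOF'

-- address of a web page that reports the IP address you connect from
property myURL : ""

tell application "Safari"

    if (count documents) = 0 then
        make new document with properties {URL:myURL}
    else
        set URL of document 1 to myURL
    end if

    repeat until exists (window 1)
    end repeat

    repeat with w in (get every window)
        set miniaturized of w to true
    end repeat

    tell window 1
        delay 1
        set mySrc to source of the current tab
        return mySrc
    end tell

end tell
EOF
}

if [[ `scutil --proxy | grep SOCKSEnable | awk '{ print $3 }'` == "1" ]]; then
    # proxy is on: turn it off
    networksetup -setsocksfirewallproxystate "$device" off
    proxyState="Disabled"
else
    # proxy is off: point it at the tunnel on localhost:9999 and turn it on
    networksetup -setsocksfirewallproxy "$device" localhost 9999 off
    networksetup -setsocksfirewallproxystate "$device" on
    # kill any ssh still listening on port 9999 from an old tunnel, then start a new one
    kill `lsof -i 4TCP@localhost:9999 -P -sTCP:LISTEN -a -c /^ssh$/ | awk '{ print $2 }' | tail -1` 2> /dev/null
    ssh -N -D 9999 me@somewhereelse &
    sleep 5
    proxyState="Enabled"
fi

if [[ -e /usr/local/bin/growlnotify ]]; then
    /usr/local/bin/growlnotify -m "IP: `myip`." "SOCKS Proxy: $proxyState"
else
    echo "SOCKS Proxy $proxyState. IP: `myip`."
fi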

This shell script could just be run from a Terminal window, but I decided to turn it into an "application" with so that I could invoke it with a Quicksilver keyboard shortcut. That is Command+Spacebar, type "automator" (click it or hit Enter when "Automator" jumps to the top), then Command+N, click "Application" and "Choose" from the "Choose a type" dialogue, then drag the "Run Shell Script" action into the big empty workflow area, erase the default "cat" text from the input box and replace it with the full path to where you saved the shell script, like /Users/whoeveryouare/ then "File", "Save" as format "application." I saved mine as under the Applications directory below my home directory.

Then go get really frustrated trying to remember how to set a Trigger for a keystroke combination in Quicksilver while Lion acts buggy and freezes Quicksilver or makes it disappear. The keystroke should "open" /Users/whoeveryouare/ or wherever you saved it. Alfred or regular OSX Keyboard Shortcuts could also launch it.

So now I can do Command+Shift+p and a little Growl notice will popup on my screen telling me "Proxy Enabled; IP address [other side of my tunnel]." Do it again and Growl shows "Proxy Disabled; IP address [given by my ISP ]."

I also found to be helpful in telling you whether your torrent client is going through your tunnel or not, since I just found out that a checkbox setting I enabled months ago in Transmission preferences for something about "SOCKS proxy" only referred to trackers, not to peers, and that setting is now gone and feature removed in the current version.
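A local check for the same question, as an added example that is not part of the original post: it reads `lsof -nP -iTCP -sTCP:ESTABLISHED` style output and counts, per program, how many connections go to the `ssh -D 9999` listener and how many go straight out past the tunnel. The lsof lines are a constructed sample; the process names, PIDs and addresses are made up.

```shell
#!/bin/sh
# Added example: per program, count TCP connections that use the local
# SOCKS tunnel versus connections that bypass it.

SOCKS_PORT=9999    # the port given to "ssh -D" in the post

# sample_lsof: constructed stand-in for
#   lsof -nP -iTCP -sTCP:ESTABLISHED
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh       301 me    3u  IPv4 0xa1   0t0      TCP  192.168.1.20:50100->198.51.100.10:22 (ESTABLISHED)
ssh       301 me    7u  IPv4 0xa2   0t0      TCP  127.0.0.1:9999->127.0.0.1:50412 (ESTABLISHED)
firefox   412 me    45u IPv4 0xa3   0t0      TCP  127.0.0.1:50412->127.0.0.1:9999 (ESTABLISHED)
firefox   412 me    46u IPv4 0xa4   0t0      TCP  127.0.0.1:50413->127.0.0.1:9999 (ESTABLISHED)
Transmiss 518 me    33u IPv4 0xa5   0t0      TCP  192.168.1.20:51413->203.0.113.7:6881 (ESTABLISHED)
Transmiss 518 me    34u IPv4 0xa6   0t0      TCP  192.168.1.20:51414->203.0.113.9:51413 (ESTABLISHED)
EOF
}

# tunnel_usage: read lsof output on stdin, print "command tunnel=N direct=M".
tunnel_usage() {
    awk -v port="$SOCKS_PORT" '
        $NF != "(ESTABLISHED)" { next }   # header row and other TCP states
        $1 == "ssh" { next }              # ssh carries the tunnel, so it connects directly by design
        {
            pair = $(NF - 1)              # local->remote
            arrow = index(pair, "->")
            if (arrow == 0) next
            remote = substr(pair, arrow + 2)
            seen[$1] = 1
            if (remote == "127.0.0.1:" port || remote == "[::1]:" port)
                tunnel[$1]++              # handed to the SOCKS listener
            else if (remote !~ /^127\./ && remote !~ /^\[::1\]/)
                direct[$1]++              # left the machine without the tunnel
        }
        END {
            for (c in seen)
                printf "%s tunnel=%d direct=%d\n", c, tunnel[c], direct[c]
        }
    ' | LC_ALL=C sort
}

# bypassing_commands: keep only programs with at least one direct connection.
bypassing_commands() {
    awk '$3 != "direct=0" { print $1 }'
}

# Demo run on the constructed sample
sample_lsof | tunnel_usage
```

On a real machine, replace `sample_lsof` with the lsof command named in its comment. Only TCP is covered, so UDP traffic such as DNS lookups does not show up in these counts.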

All this took way more time to get working than could possibly be justified, so please make some use of it.

Monday, April 04, 2011

Stop form input from capturing/ignoring certain keypresses

Too many web forms have some stupid javascript that tries to limit what keys you can press while you are focused in a certain input element. For example, in my bank billpay system, they have javascript that makes it so you can only type numbers while you are in the "Zip Code" field. When they do that, it disables me from using the CMD+v to paste a zip code in the field, because "CMD+v" is not a number.

Here is a sample of the javascript they use:

function numbersonly(myfield, e) {
    var key, keychar;
    if (e) key = e.which;
    else return true;
    keychar = String.fromCharCode(key);
    // allow control keys
    if ((key==null) || (key==0) || (key==8) ||
         (key==9) || (key==13) || (key==27) )
        return true;

    // numbers
    else if ((("0123456789").indexOf(keychar) > -1))  return true;
    // everything else, including the "v" of a CMD+v paste, is rejected
    else return false;
}

Then they have HTML like this:

<input onKeyPress="return numbersonly(this, event)" type="text" />

So, if you are a Windows user, you probably are allowed to CONTROL+v to paste a zip code. But Mac users just see the "Edit" menu flicker for a moment and their paste command (keycode 118) is dropped on the floor. Neither can you "CMD+," (keycode 44) to get Application Preferences, or use the metakey to do any other Firefox action while in that form field. It should validate only when the user is ready to submit, not while typing.

Install Greasemonkey and rip that crap out with this script:

// ==UserScript==
// @name           Get Off My Keypress
// @namespace
// @description    stop websites from setting event handlers to capture your keypresses
// @include        *
// @require
// ==/UserScript==

// $ is jQuery, which the @require line above has to load
$(document).ready(function() {
    // unsafeWindow.console.log("testing firebug after jq");
    $("input").each(function(i, elem) {
        // unsafeWindow.console.log(i + $(elem).attr("name"));
        var h = elem.getAttribute("onKeyPress");
        // might return "return numbersonly(this, event)"
        // replace any inline keypress handler with one that accepts every key
        if(h) elem.setAttribute("onKeyPress", "return true");
    });
});

Having to use Greasemonkey is really more complicated than it should be. We should be able to use the new CAPS (capabilities) security policy settings built into Firefox 4 to grant noAccess to specific websites to set onkeypress events or read what keys you are pushing on. I tried several iterations using the "Control de Scripts" extension to block these:


but none worked. I think this is because I don't really grasp what an event handler is or where it is in the DOM. Maybe someone else can comment to get a solution that is native to the browser, without needing a whole extension just to do this one simple thing.

Saturday, March 26, 2011

Review of OWC 480G SSD laptop drive

After waiting for SSD notebook drives to get big enough that I could fit everything on it that I carry around on my Hitachi 500G 7200 rpm mechanical drive, OWC finally came out with a 480G SSD last summer that was over a thousand dollars. Just recently, they lowered the price a lot and I got mine for a total of $908, including Fedex 2 Day shipping and a $25 rebate for using Amazon Checkout when I bought it through their website.

I think the price change is related to recent Sandforce chip changes and maybe also that the next rev Sandforce 2000, reportedly twice as fast as these, may be only 8 weeks away.

I got the drive on time from OWC and, unlike the Seagate that just came in an antistatic bag like a McDonald hamburger, this one came in nice retail packaging. Since I mention the Seagate, I should also say that this Hitachi that I eventually replaced it with was slightly slower, but without the confidence eroding clicking, and maybe less pinwheels until recently.

Before installing the new SSD drive, I ran some crude benchmark tests, then used SuperDuper! to clone my old internal drive to my external backup, a firewire 800 G-Drive Mini, which are the nicest bus-powered enclosures I have seen. After making a bootable backup, I opened the laptop to install the new SSD drive, then booted from the firewire backup.

Upon logging in, OSX offered to "initialize" the unrecognized/unformatted internal SSD drive. When I said yes, it opened Disk Utility, where I clicked the disk, named it, and erased/formated it as MacOS Extended (Journaled). Then I launched SuperDuper! and told it to restore everything from the external backup drive that I had booted from onto the empty internal SSD. That process read data off the 5400rpm backup drive and over the firewire at about 50MB/s (according to the "Disk Activity" graph in Activity Monitor). While 300 gigs went from here to there I did laundry and played with my baby.

Once my backup was restored to the internal SSD, I rebooted and here is the comparison:

Boot time comparison

| | 7200rpm | OWC SSD |
|---|---|---|
| Apple logo | 38 sec (but probably with unset startup drive system preference setting) | 4 sec (after setting startup drive in system preferences) |
| Login Window | +30 sec | +13 sec |
| Boot Total | 68 sec | 17 sec |
| Login and launch all startup items, including Firefox | +80 sec | +9 sec |
| Usable Total | 148 sec (2.5 minutes) | 26 seconds |

I was pretty impressed with how fast it launched all my stuff after I logged in. The OWC website linked above has a graph showing powerup to desktop in 19 seconds. Mine's not doing that, but I am still happy with it. Correction on March 28, 2011: Thanks to the article on macperformanceblog that tells you to set your startup disk after upgrading a hard drive, my machine really does go from off to login window in < 20 seconds! If I can type my password fast enough, my machine is totally ready to use in a total of < 35 seconds!

Here are 2 more before/after comparisons.


dd test
Writing to /test on the 7200 rpm drive:
#sudo time dd if=/dev/zero of=/Volumes/Macintosh\ HD/test bs=1024k
[waited a while, then CNTRL+c]
97679048704 bytes transferred in 1565.832047 secs (62381562 bytes/sec)

Reading /test on the 7200 rpm drive:
#sudo time dd of=/dev/null if=/Volumes/Macintosh\ HD/test bs=1024k
[waited a while, then CNTRL+C]
39557529600 bytes transferred in 543.910842 secs (72727967 bytes/sec)
#sudo rm /test

Writing to /test on the SSD:
#sudo time dd if=/dev/zero of=/Volumes/Macintosh\ SSD/test bs=1024k count=16384;
17179869184 bytes transferred in 66.070450 secs (260023493 bytes/sec)

Reading /test on the SSD:
#sudo time dd of=/dev/null if=/Volumes/Macintosh\ SSD/test bs=1024k
17179869184 bytes transferred in 61.126414 secs (281054753 bytes/sec)
#sudo rm /test

So that tells me compared to the 7200rpm Hitachi writing 59MB/s and reading 69MB/s, the SSD's 248MB/s writes and 268MB/s reads are about 4 times faster. Plus, the battery runtime that the battery monitor is reporting now looks about an hour longer than it would have been with the mechanical drive.

This and the cheap 8 Gig RAM upgrade also from OWC put an end to any other hardware upgrades for this computer.

Wednesday, January 20, 2010

BoA Nickname Payees Greasemonkey Script

Bank of America does not let you create "nicknames" for your payees on its Quickpay online billpay webpage. This means that if you have more than 1 account with the same entity, or different individuals with the same bank, it is very hard to tell your payees apart when you go to make a payment. This can result in you sending a payment to the wrong payee.

You may end up with identical looking payees if you pay utility bills to the same company for more than 1 address, or if you frequently send money to family members who use the same bank as each other. In these cases, the way BoA's Quickpay page is now, you would have to memorize which account number goes with which payee in order to tell them apart and make a payment to the right person. See the screenshot below for how confusing it is:

In the screenshot above, the first "BANK OF AMERICA CHECKING" in the payee list is for one person, and the second one is for someone else, who also happens to bank at BoA. I wrote this Greasemonkey User Script in order to let people who use the BoA billpay create useful nicknames for these payees, since the BoA system doesn't allow it.

After you install the Greasemonkey script, you'll be able to create and edit nicknames for your payees by clicking the link to "create nickname" or by clicking the nickname to edit if you already created one. All other items display on the QuickPay page as usual. After you've made some nicknames, the billpay screen will look like this:

Now you can tell your payees apart without having to remember which account number is which.

Here is the script:

You can also download it from