Monthly Archives: March 2011


iPhone, NFC & A Few Hundred Billion Dollars

Many of us now use our phone to check our email more often than we use our computer. Our phones go everywhere with us (although please hang up when you’re in the can, as few things are more disgusting than listening to someone talk to their mom when they’re droppin’ the kids off at the pool in the stall next to you, or hearing someone you’re talking to droppin’ a deuce in the pooper on the other end of the line). Many no longer have land lines and some have even dumped desktop and laptop computers in favor of smart-phone or tablet based digital lives. Few skipped the computer altogether as pundits thought, but then the globe hasn’t fully been digitally meshed.

Technology has connected us to a wireless world. But it’s also changed how many of us view and use money. Many of us forgot what cash looked like a long time ago. We live on plastic. We use mint.com, Quicken or some other online aggregator to access our financial lives much as we manage our servers: using a single pane of glass. With our transactions securely accessible in the cloud and our bills on auto-pay we are able to realize how great, or how bleak, our financial picture is, both short-term and long-term.

Maybe we grab cash to pay for parking (less and less) or maybe we hit the ATM on the way to buy something we found on sites like craigslist (the final frontier of the cash and carry economy). But increasingly, people in developed economies are moving away from cash. In this scenario, the banks and card networks (Visa, Mastercard, Barclays, American Express, Discover, etc.) charge merchants a percentage of each transaction taken.

According to the latest numbers from the Department of Commerce, $300 billion in consumer transactions occurred on the internet in 2008. Not a lot compared to $3.7 trillion total going over the internet (the other $3.4 trillion were business to business transactions). But a lot considering that telco companies in the US combine to rake in about the same at $300 billion.

The US economy is worth around $22 trillion a year, meaning that there’s still a little more than 83% of the economy that we computer nerds would just love a piece of. We have our phones with us, and like a Widespread Panic song we’re more and more fond of Travelin’ Light (MacBook Air, smaller iPad, etc). So it makes sense that our phone would be able to act as a credit card. And if that happened then there would be a cut for someone. Banks want that cut, but then, so do the wireless companies. And of course, the makers of cell phones wouldn’t mind a taste too while we’re at it. I can understand why they’re arguing over a piece of the action as it will result in more fees than the entire amount of money spent on products online.

It seems as though momentum is picking up for Near-Field Communications (NFC), which allows phones to act as wireless credit cards. NFC runs on the 13.56 MHz frequency and allows vendors with NFC support, such as Starbucks, to swipe your card without it ever leaving your hand (by the way, companies like IBM won’t mind selling their clients all new cash registers). Google is pretty hip to NFC, with the Samsung Nexus S, and Nokia and RIM are on their way with products. And NFC is accepted at about 200,000 locations in the US already. Oh, and most banks are testing it out now (but then they’re probably testing a lot of other stuff too)…

The Payment Card Industry Security Standards Council sets rules for both (e.g. PCI compliance). Up until earlier this year, they had approved a few applications that allowed people to make mobile payments using phones. These included VeriFone for iPhone. But with VeriFone leaving the table there is nothing else for the iPhone. Therefore, many project that the future of the iPhone will include NFC.

I don’t like to prognosticate, but something is going to happen with this whole use-your-phone-as-a-credit-card thing. If Apple jumps on board with NFC (both AT&T and Verizon are on board with Discover under the ISIS banner, so it wouldn’t be a surprise) then NFC will truly be the next big thing. If all (and I mean all) of the other wireless carriers do this without the iPhone they’ll leave Apple behind and Apple will have to play a little catch-up. Or Apple will bring out something cooler than NFC as “one more thing”. Or of course it could all be a crock of crap and no one will actually care about replacing their credit card with a phone. I remember when RFID was supposedly going to replace credit cards according to pundits. That hasn’t really happened, so maybe this won’t either.

PS – Don’t forget to charge your phone before you head out to dinner or you might spend the evening washing the dishes!


mDNSResponder, mDNS and dns-sd

The process that makes Bonjour work is mDNSResponder, located in /usr/sbin. /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist invokes mDNSResponder on boot. One of the easiest ways to troubleshoot issues you think are related to Bonjour is to temporarily disable the mDNSResponder:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

To enable it:

launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

In addition to basic starting and stopping of mDNSResponder, when troubleshooting any service one should always look at the logs. mDNSResponder logs to the standard syslog facility, so its events are available via Console and are located in /var/log/system.log. Searching system.log for mDNSResponder errors can also be done from the command line using:

grep mDNSResponder /var/log/system.log

Or interactively so you can watch errors as they appear:

tail -f /var/log/system.log | grep mDNSResponder

To see more information in system.log, send a SIGUSR1 to mDNSResponder using killall:

sudo killall -USR1 mDNSResponder

To then see packet-level information in system.log, send a SIGUSR2 to mDNSResponder:

sudo killall -USR2 mDNSResponder

To dump the state into system.log:

sudo killall -INFO mDNSResponder

mDNSResponder uses Mach port 5123. Each service that is Bonjour-enabled registers itself with mDNSResponder at that port and can be queried. Service types are similar to DNS records: a prefix names the service and a suffix gives the transport (_tcp or _udp). For example, IPP Printing is _ipp._tcp, Remote Apple Events is _eppc._tcp., Remote Frame Buffer is _rfb._tcp., SSH is _ssh._tcp., SFTP is _sftp-ssh._tcp., Apple’s Home Sharing is called _home-sharing._tcp, iTunes Music Sharing is _afpovertcp._tcp. and AFP is _afpovertcp._tcp. As an example of UDP traffic, ARD is known as _net-assistant._udp.

To see which services are registered (and register services if you build a network service that needs one), use the mDNS command. The -B option for mDNS can be used to query a given namespace. For example, the _afpovertcp._tcp namespace can be queried using the following command:

mDNS -B _afpovertcp._tcp

This would result in the following output, showing all live instances that the system sees:

Timestamp     A/R Flags Domain                   Service Type             Instance Name
18:29:40.771  Add     0 local.                   _afpovertcp._tcp.        Krypted MacBook Air

To register services with Bonjour, use the -R operator, and to look up information about a given service instance, use the -L operator. The -L operator allows you to get a lot of information about a given object. Once you have found the object using the -B option you’ll have the Domain and Instance Name. These can be supplied to mDNS to get IPv4 and IPv6 addresses, the port number, and TXT records, which provide a bevy of options, such as information about printers and other services or objects. For example, Mac OS X automatically generates information about printers based on built-in OS information about those printers, such as staple support (Staple=F), collate support (Collate=T) and CUPS admin URLs (adminurl=http://<computer name>:631/printers/<printername>). Other services such as Home Sharing might make heavy use of Machine Names or iTunes Database IDs.

To use mDNS to obtain this extended output, use the mDNS command along with the -L option, followed by the Instance Name (the instance name is defined by the service registering the instance and can be a printer name, a computer name, a GUID or whatever the vendor chooses to use). After the Instance Name, provide the address space (Service Type) and then the domain from the -B output. For example, to look at an HP 8565 shared from Krypted MacBook Air called “HP 8565 Krypted MacBook Air”, I would use:

mDNS -L "HP 8565 Krypted MacBook Air" _ipp._tcp local.
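As an added example (not from the original post), the following Python replays captured `mDNS -B` / `dns-sd -B` output line by line, keeping only instances whose Add has not been followed by an Rmv, reports which hosts still advertise the remote-access service types named above, and parses the key=value TXT record text that `-L` prints. The sample browse lines and TXT string are constructed for the example; the set of remote-access types is an assumption drawn from the service list in the article.

```python
"""Track live Bonjour instances from mDNS/dns-sd browse output and parse TXT records."""
import re
from collections import defaultdict

# One browse line: timestamp, Add/Rmv, flags, domain, service type, then the
# instance name, which may itself contain spaces (e.g. "Krypted MacBook Air").
BROWSE_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<op>Add|Rmv)\s+(?P<flags>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<type>\S+)\s+(?P<name>.+?)\s*$"
)

# Constructed sample output in the column layout the tool prints; the header
# line is not a browse event and is skipped by the regex.
SAMPLE_BROWSE = """\
Timestamp     A/R Flags Domain                   Service Type             Instance Name
18:29:40.771  Add     0 local.                   _afpovertcp._tcp.        Krypted MacBook Air
18:29:40.772  Add     0 local.                   _ssh._tcp.               Krypted MacBook Air
18:29:41.102  Add     0 local.                   _rfb._tcp.               Lab iMac
18:30:05.310  Rmv     0 local.                   _rfb._tcp.               Lab iMac
"""

# Assumed set of service types from the article that expose remote access.
REMOTE_ACCESS_TYPES = {"_ssh._tcp.", "_sftp-ssh._tcp.", "_rfb._tcp.",
                       "_eppc._tcp.", "_net-assistant._udp."}


def live_instances(text):
    """Return {service_type: set(instance names)} still registered after
    replaying every Add/Rmv event in order; types with no live names are dropped."""
    live = defaultdict(set)
    for line in text.splitlines():
        m = BROWSE_LINE.match(line)
        if not m:
            continue  # header, blank, or non-browse line
        names = live[m.group("type")]
        if m.group("op") == "Add":
            names.add(m.group("name"))
        else:
            names.discard(m.group("name"))
    return {t: s for t, s in live.items() if s}


def remote_access_hosts(text):
    """Instance names currently advertising any remote-access service type."""
    live = live_instances(text)
    return sorted({n for t in REMOTE_ACCESS_TYPES for n in live.get(t, ())})


def parse_txt(record):
    """Parse the space-separated key=value pairs mDNS -L prints for a TXT
    record, e.g. 'Staple=F Collate=T adminurl=http://host:631/printers/hp'.
    A key with no '=' maps to ''. Values containing spaces are not supported."""
    parsed = {}
    for token in record.split():
        key, _, value = token.partition("=")
        parsed[key] = value
    return parsed
```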

Other operators not in the man page, but available, include -E for finding recommended registration domains, -F for finding information about browsing domains, -A to test updates to records, -U to test updates to TXT records, -N to test updates to NULL records, -T to test adding big records, -M for multiple records and -I for immediately updating records rather than running through cache. Also available for querying is dns-sd, using identical syntax as mDNS and with the same output. Data regarding systems doesn’t always change dynamically. To reload information following changes, use the -flushcache option of dscacheutil:

dscacheutil -flushcache

When I have a chance I’ll try and look at multiple domain name spaces and registering text records as a part 2 of this article, but for now there’s a 2 year old who just woke up and is wanting a little attention (and deservedly so).


Disabling Periodic Scripts

Mac OS X does a little housecleaning in batch processes that run daily, weekly and monthly. These are kicked off by LaunchDaemons that reside in /System/Library/LaunchDaemons and are called com.apple.periodic-daily.plist, com.apple.periodic-weekly.plist and com.apple.periodic-monthly.plist. These need to run and so should not be disabled outright. However, they can be disabled temporarily, for example when you need a fairly process-intensive script to run for a few days. Therefore, we need a way to disable these and re-enable them.

One could just move those files, but there’s actually a more graceful way. Running defaults read against one of the property lists can be done as follows:

defaults read /System/Library/LaunchDaemons/com.apple.periodic-daily

We could use defaults to go ahead and disable the script by adding a “Disabled=1” key. Or we could unload them using launchctl. You can also do all of this without touching a terminal command. To manage launchd items graphically, look to Peter Borg’s Lingon, available on the App Store or at SourceForge at http://sourceforge.net/projects/lingon. When you open it, simply use the System Daemons in the sidebar and scroll down until you see the com.apple.periodic jobs. Then, uncheck the Enabled checkbox.

When you’re ready to turn ‘em back on, re-check the Enabled box. If you don’t re-enable these things though, your computer will get very dirty over time. Similar to how if you never clean your house it will eventually turn on you. So imagine your beautiful pristine Xserve or MacBook Air looking like this:

You have been warned.


Subversion Cheat Sheet

I’ve done a few articles in the past on different tasks in svn and git, but I have a little cheat sheet of sorts I’ve been using for a while for Subversion on Mac OS X and thought I would share it. Before you get started, check your version. I use 2.0 but I seem to remember all of these are about the same as they were previously:

svn --version

To get started, Subversion uses a repository to store projects. Each client needs a repository and these should be on direct attached drives. The repository hosts a Berkeley database and a folder per project you check out or import. To create a repository in a folder called Repository that lives in your home folder, you can use the following command, which uses the svnadmin command (svnadmin is used for most admin tasks in Subversion and the svn command itself is used for most user operations) and then the create verb, followed by a path:

svnadmin create ~/Repository

Note: These commands are mostly the same in Windows, except you use a drive letter rather than a fully qualified path. They are identical in Linux.

Within the Repository directory, each project will have a folder. Within these, you would then create folders for branches, tags and trunk, where trunk is the directories and files you will be working with. Then, we’ll import our first project. To do so we’re going to use the svn command, along with the import verb and then in the second position, we’ll use project to define the type of import. Next, we’ll define the location. The location could be http:// or file:///. In this case we’ll use an existing, mounted AFP file system at /Volumes/myserver/sharedrepo/projectname. Next, we’ll just put a message in there using the -m option, indicating “Initial Import”:

svn import project file:///Volumes/myserver/sharedrepo/projectname -m "First Import"

That wasn’t so bad. To see a list of the projects stored in a repository, use the svn command along with the list verb. When I do this, I like to use the --verbose option (optional, thus an option). You would also provide the path to the repository:

svn list --verbose file:///Users/cedge/Repository

To update the repository:

svn update

We now have a local copy of the project we imported earlier (creatively called projectname) and can work on it. Before we start working on it though, we want to check it out. To do so, we’ll use the svn command, along with the checkout verb. We’ll then provide the path to the project and name of the project:

svn checkout file:///Users/cedge/Repository/projectname/trunk projectname

When you’re done working on things, let’s look at what’s changed using svn’s status verb (btw, a writing point, by making svn possessive there, did I give it a personality? If so, then it’s certainly cranky at times so I suppose that’s fine):

svn status

You’ll invariably want to add things to a project, which uses the oddly named add verb (bad grammar pun, sry):

svn add filename

Removing files is a similar process:

svn delete filename

Adding, deleting and changes all need to be committed once you’re done working on the project. To commit changes, use the commit verb. Here, we’re going to provide a message explaining what we did (Added a method for handling invalid file names and bad grammar puns) and then the path:

svn commit -m "Added a method for handling invalid file names and bad grammar puns" file:///Users/cedge/Repository/projectname/trunk

I didn’t include tagging, getting releases (list verb), using preshared keys (ssh-keygen, ssh-copy-id, ssh-agent, ssh-add), resolving conflicts (resolved verb), so feel free to add comments with your examples if others read this and would like to add more!


Arbitrary Registered URIs

Zack Smith did a post on his website about using TextMate’s URI links (at http://www.wallcity.org/2011/03/textmate-uri-links ). This prompted me to feel like checking to see which arbitrary strings would be followed from within the major browsers of Mac OS X. See for yourself:

file:///Applications/iTunes.app/Contents/MacOS

help://test

vnc://127.0.0.1

ftp://127.0.0.1

smb://127.0.0.1

smb://127.0.0.1/myshare/my%20file.txt

afp://127.0.0.1

afp://127.0.0.1/myshare/mydmg.dmg

nfs://127.0.0.1

Note: The following command still stops HelpViewer.app from opening AppleScript:

defaults write /System/Library/CoreServices/HelpViewer.app/Contents/Info NSAppleScriptEnabled -bool no
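As an added example (not part of the original post), this Python script scans an HTML document for link targets whose URL scheme is outside a small allowlist and marks the ones using the schemes listed above, which the browsers tested here hand off to other applications (Finder, Screen Sharing, HelpViewer and so on). The allowlist and the sample HTML are constructed assumptions for the example.

```python
"""Find links in HTML whose scheme would be dispatched to a non-browser handler."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the article shows Mac OS X browsers following into other apps.
HANDED_OFF_SCHEMES = {"file", "help", "vnc", "ftp", "smb", "afp", "nfs"}
# Assumed allowlist for an ordinary web page; anything else is reported.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample page mixing ordinary links with handed-off schemes.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; url=vnc://127.0.0.1">
</head><body>
<a href="https://krypted.com/">fine</a>
<a href="afp://127.0.0.1/myshare/mydmg.dmg">mount this</a>
<a href="/relative/path">also fine</a>
<img src="file:///Applications/iTunes.app/Contents/MacOS">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href/src targets, plus the url= part of a meta refresh."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "link", "area") and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("iframe", "frame", "img", "script") and a.get("src"):
            self.links.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=vnc://..." -> keep the text after "url="
            _, sep, url = (a.get("content") or "").partition("url=")
            if sep:
                self.links.append(url.strip())


def find_handed_off_links(html):
    """Return [(scheme, url, handed_off)] for every link whose scheme is not
    allowlisted. Relative links (no scheme) are skipped; handed_off is True
    when the scheme is one the article shows being opened by another app."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.links:
        scheme = urlsplit(url.strip()).scheme.lower()
        if not scheme or scheme in ALLOWED_SCHEMES:
            continue
        findings.append((scheme, url, scheme in HANDED_OFF_SCHEMES))
    return findings
```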


Article in March 2011 MacTech

This month, for MacTech Magazine, I wrote an article called “Implementing File & Print Services on Windows Servers for Mac OS X Clients.” The article, written with the Enterprise Desktop Alliance, focuses again on replacing Xserve hardware in rack dense environments with services running on Windows. In this article I focused on ExtremeZ-IP and using Centrify to publish shares as automounts. It’s another step in a step-by-step technical approach at deploying Mac OS X clients in Windows environments. Hope you enjoy!


MacSysAdmin 2011

For those of you who need to get out and do something interesting this upcoming October, check out the European Macintosh System Administrators Meeting 2011 (aka MacSysAdmin 2011). It will be October 5-7th and it’s sure to be a blast as in years past. This year, myself and Zack Smith from 318 will both be speaking, as well as Arek Dreyer, Ed Marczak, Nigel Kersten, Duncan McCracken, Greg Neagle, Rick Wylie, Andrina Kelly, Alan Gordon and most notably, Andy Ihnatko!

It’s a pretty awesome lineup and my favorite part about MacSysAdmin is always the fact that the attendees are amongst the highest caliber of system admins I have the chance to work with every year. So mark your calendars for April, when registration is slated to open up!

For more details, see:
http://macsysadmin.se/2011/Home.html


Using the ExtremeZ-IP Command Line

When you are configuring ExtremeZ-IP as a print server, you will need to set up and configure each printer. However, if you have already set up and configured printer queues for the Windows server, you can import the existing queues into ExtremeZ-IP. This can be done programmatically via the ExtremeZ-IP EZIPUTIL command line tool.

EZIPUTIL has a number of options: the SERVER option is used to configure global settings for ExtremeZ-IP, VOLUME is used to create, edit and delete shared volumes, and PRINT is used to manage shared print queues. Each of the options also has a number of switches for the feature(s) being managed. These are structured as the standard switches used in Windows batch scripting. The /IMPORT switch can be used to import print queues. By defining the WINDOWS setting for the import, you will recreate all printer queues from Windows. This command would look like the following:

EZIPUTIL PRINT /IMPORT:WINDOWS

Once the command has been completed, you can then list printer queues using the /LIST switch:

EZIPUTIL PRINT /LIST

Once you have created printer queues you will often end up needing to remove a queue or three. To remove a printer queue, you will use the /REMOVE switch along with a /NAME switch to specify the printer queue that you are removing. For example, to remove a queue called Accounting_499 you would use the following command:

EZIPUTIL PRINT /REMOVE /NAME:Accounting_499

The VOLUME option has a similar feature in the /REPLICATE_SMB switch, which allows you to replicate existing SMB/CIFS shares:

EZIPUTIL VOLUME /REPLICATE_SMB

The /REMOVE switch can also be used with the VOLUME option. If you have created volumes you can also remove those from the command line. For example, to remove a shared volume called Accounting_Files, you would use the following command:

EZIPUTIL VOLUME /REMOVE /NAME:Accounting_Files