Tiny Deathstars of Foulness

Ever since the kids from Silicon Valley went to TechCrunch, I’ve been thinking that at some point I’d want to put a piece there. Luckily, I recently got the chance. Today, 16 Apple Security Advances To Take Note Of In 2016 went up on TechCrunch. You can access the article here.

Screen Shot 2016-01-18 at 7.36.16 PM

The original article actually listed the year that each was introduced in order. It was a lot of work to go back in time and piece the timeline together, so since the years didn’t make it through editorial, I list them here (not that anyone actually cares):

  • 2002: Managed Preferences
  • 2003: FileVault
  • 2004: Require all software installers that need system resources to prompt for a password
  • 2005: Restrict setuid and setgid in scripts
  • 2007: Time Machine
  • 2007: Application Firewall
  • 2007: ASLR(Address Space Layout Randomization)
  • 2009: Application Sandboxing
  • 2009: XProtect, or File Quarantine
  • 2008: Antiphishing
  • 2010: The Mac App Store
  • 2012: Gatekeeper
  • 2012: Mobile Device Management
  • 2013: iCloud Keychain
  • 2015: System Integrity Protection, or SIP

And yes, since I was there for each of these, I did feel old writing this… :-/

And yes, thank you for asking, I did just publish another book on Mac Security, which you can buy here. :)

January 18th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Leave a Comment

One of the options thats a tad bit hidden in OS X is the Secure Erase option, which runs a multi-pass erase on a volume. Additionally, there’s no option to Secure Erase free space on a volume. But you can still securely erase whatever you’d like (other than you boot volume obviously), when needed. To do so, use the diskutil command along with the secureErase option.

Screen Shot 2016-01-07 at 7.44.07 AM

The format of the command to secureErase freespace is:

diskutil secureErase freespace [level] [device]

The levels are as follows (per the man page as not all of these are specified in Disk Utility):

  1. Single-pass zero-fill erase
  2. Single-pass random-fill erase
  3. US DoD 7-pass secure erase
  4. Gutmann algorithm 35-pass secure erase
  5. US DoE algorithm 3-pass secure erase

So for example, let’s say you had a volume called Seldon and you wanted to do a standard Single-pass zero-fill erase. In this example you would use the following:

diskutil secureErase freespace 0 /Volumes/Seldon

If you were to automate the command then you would want to dump the output into a log file. For example:

diskutil secureErase freespace 0 /Volumes/Seldon > /var/log/secureeraselog.tmp

You can also secureErase a volume itself. To erase a volume called /Volumes/Seldon, use the same structure of the command, but this time without the freespace option:

diskutil secureErase 0 /Volumes/Seldon

The latest update to Disk Utility removes a lot of options from the GUI, but overall, I have yet to find a scenario where a task I need to perform isn’t still available, if only from the command line.

January 7th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

I’m obviously experimenting with other venues to contribute content to. Just posted an article called: The Changing World Of Technical Writing And Publishing on Buzzed. Enjoy!

Screen Shot 2015-12-11 at 9.05.24 PM

December 12th, 2015

Posted In: Articles and Books, public speaking

Tags: , , , ,

My 14th book, The second edition of the Mac Administrator’s Guide is now shipping. This was a big, big rewrite, given the fact that the first edition was before the App Store, Gatekeeper, and many, many other technologies. You can buy this book here!

Screen Shot 2015-12-07 at 11.46.25 AM

Also, huge congrats to Bill Smith, for publishing his first book, and most notably for doing so much amazing work on this book!

Finally, we’re editing the second and third books I did this past summer right now, so look out for those announcements shortly!

December 9th, 2015

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , ,

My first article on the Huffington Post is up on HuffPost here. I feel very lucky to have gotten to meet Arianna years ago when I did tech work for her company, publishing, and at her home. She’s a very special lady and, while it’s been a long time, I still recall a few very cool and sometimes odd conversations. She’s not connected to this, but I’m proud to be involved with anything she’s involved with. And, oddly there’s parity: we’ve both written 15 books. Not even remotely oddly, she’s sold far more than I have.

I hope this is the first of many articles, helping with tech and Apple and beyond. A very special thanks to all involved!!!


December 2nd, 2015

Posted In: Articles and Books, Bushel, Interviewing, iPhone, Mac OS X

Tags: , , ,

Someone hands you a USB drive. You put it in your computer and you can’t access anything on it. You are running an imaging lab and you want to backup or troubleshoot a device before you re-image it, but you can’t access certain files. Obviously, you can sudo. But, you can also simply disable permissions on that volume (which, like getting someone to make you a sandwich, requires sudo of course).

The command used to enable and disable permissions on a volume is vsdbutil, located at /usr/sbin/vsdbutil. And there’s a LaunchDaemon at /System/Library/LaunchDaemons/ that interacts with diskarbitrationd so that when a volume is mounted, it is marked as having permissions activated or deactivated (which is basically “Ignore Permissions” at the Finder).

To use vsdbutil to enable “Ignore Permissions”, use the -d flag followed by the path to the volume:

sudo /usr/sbin/vsdbutil -d /Volumes/Myvolume

To then enable (or activate, thus the a) permissions again, use the -a flag:

sudo /usr/sbin/vsdbutil -a /Volumes/Myvolume

You can also run the -c to see the status for a given path:

sudo /usr/sbin/vsdbutil -c /Volumes/Myvolume

And last but certainly not least if you’re working on a lot of volumes, the -i option will enable permissions on all mounted HFS and HFS+ volumes:

sudo /usr/sbin/vsdbutil -i

Overall, it’s very easy to send these commands using a positional parameter (e.g. $1) to a script, performing a mount, some operation (backup, reimage, restore, repair some corrupted data, etc).

Note: You can’t Ignore Permissions of FAT or FAT32 volumes using the command line or a Finder Get Info screen.

December 1st, 2015

Posted In: Mac OS X, Mac Security, Mass Deployment

Tags: , , , , , ,

I bet you thought this would be the article where I showed you how to make your computer curse more. Well, language can mean much more than that. In fact, Apple has dedicated a whole binary to switching your default language in OS X, in languagesetup. This command, located at /usr/sbin/languagesetup, is capable of changing the default language used by a system to a number of different languages. There are other ways to accomplish this, but none quite so easy. To get started, note that there are two ways to run languagesetup. The first is interactively, which I mostly use to figure out what I actually want to do with it. The second is using a standard command prompt, which I use for scripting.

Let’s start with the interactive. Simply run the command with no operators/verbs/whatevers:


This outputs a list of the languages that can be used in this way. Note that number 7 is Spanish.

WARNING: root access required to change system language
1) Use English for the main language
2) Utiliser le français comme langue principale
3) Deutsch als Standardsprache verwenden
4) 以简体中文作为主要语言
5) 以繁體中文作為主要語言
6) 主に日本語を使用する
7) Usar español como idioma principal
8) Usa l’italiano come lingua principale
9) Gebruik Nederlands als hoofdtaal
10) 주 언어로 한국어 사용
11) Usar português do Brasil como idioma principal
12) Usar o português europeu como idioma principal
13) Brug dansk som hovedsprog
14) Käytä pääkielenä suomea
15) Bruk norsk som hovedspråk
16) Använd svenska som huvudspråk
17) Сделать русский язык основным языком системы
18) Użyj polskiego jako języka głównego
19) Ana dil olarak Türkçe’yi kullan
20) استخدام اللغة العربية كلغة رئيسية
21) เลือกภาษาไทยเป็นภาษาหลัก
22) Vybrat češtinu jako hlavní jazyk
23) Magyar kiválasztása alapértelmezett nyelvként
24) Seleccioneu el català com a idioma principal
25) Odaberite hrvatski kao glavni jezik
26) Επιλέξτε Ελληνικά ως την κύρια γλώσσα
27) בחר/י עברית כשפה ראשית
28) Selectați româna ca limbă principală
29) Vybrať slovenčinu ako hlavný jazyk
30) Вибрати українську основною мовою
31) Gunakan Bahasa Indonesia sebagai bahasa utama
32) Gunakan Bahasa Melayu untuk bahasa utama
33) Sử dụng Tiếng Việt làm ngôn ngữ chính
34) Utilizar español de México como el idioma principal

At this point, you could just use the number 7 key (if we were root) and switch the default language of the system to Spanish. But, we’re going to go ahead and do that in a non-interactive fashion, using the langspec option:

sudo languagesetup -langspec 7

Or to switch it back, note that English is first:

sudo languagesetup -langspec 1

November 30th, 2015

Posted In: Mac OS X, Mass Deployment

Tags: , , , , , , ,

Click for lightning. Merge-your-damn-self.


But if you commit with a well written message (and not just a period to get past a sanity check), I’m happy. Tom Hardy likes it when you tell me wtf.


November 29th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , , , , , ,

Screen Shot 2015-11-18 at 6.13.02 PM

Repair permissions was unceremoniously removed from OS X in El Capitan. This staple of the Mac gurus toolkit disappeared. There was no 21 gun salute, there was no flaming casket sent out to sea and there was no sweet, sweet wake to get drunk at. Instead, there was pain. There was pain, because when the button disappeared, the need did not. Need proof? If you haven’t yet run it, let’s check your system to verify the permissions of the standard packages:

sudo /usr/libexec/repair_packages --verify --standard-pkgs --volume /

In the above command, we used the repair_packages binary, which has not changed in awhile. We then feed that the –verify option and the –standard-pkgs option, finally providing the volume of the current boot volume using –volume followed by the /. Pretty straight forward. Assuming there’s something to repair, the below will actually run that repair operation:

sudo /usr/libexec/repair_packages --repair --standard-pkgs --volume /

Where’s the sweet, sweet button? The rest of the screen is so darn lonely without it.

Screen Shot 2015-11-18 at 6.13.02 PM

And now that you know the command, feel free to throw it in your self service. That way users can do it without opening terminal or using an admin password!

November 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mass Deployment

Tags: , , , , ,

I was going through Red Cross training recently, and one thing that was mentioned was whether we have Medical IDs setup on our iPhones. I do. I didn’t realize it at the time, but I’d set it up a long time ago. I then asked around and no one else had one setup. So I grabbed my testing iPhone and decided to write it up.

To get started setting up your Medical ID on your iPhone, open the Health app. From the Health app, tap on Medical ID and then tap on Create Medical ID.


At the Medical ID screen, enter allergies, medications you are on, add emergency contacts, provide your blood type, define if you wish to be an organ donor, and add your weight. Viola, you’ve now given all this information to first responders and medical professionals should they need it.


To then access a Medical ID on an iPhone, swipe to unlock the phone. From there, tap on Emergency in the lower left corner of the screen.


At the Emergency Call screen, you’ll see Medical ID. Tap here to see the information provided earlier, even when your phone is locked.


November 20th, 2015

Posted In: iPhone

Tags: , , , , , , ,

Next Page »