Big Sur (or: It’s the little things that count).

I wrote last time about how updates to Operating Systems never fail to arouse the deepest passions in the bosoms of their users. Tears of joy vs gnashing of teeth, wearing of sackcloth and so forth. Any time you take something fundamental that people build their workflow off and make any kind of change you’re always going to court disaster and heartbreak, but very, very occasionally there’s a change that people are pretty much universally going to applaud.

Sometimes those things are the result of careful design or listening to the needs of the clamoring public. Sometimes those things are happy mistakes. Sometimes those are things that are just in the spirit of trying something new. And sometimes – just once in a while – they’re the result of looking at a prior change and then rolling that back. Big Sur (as of its current Public Beta 10) has a bunch of all of those – both large and small – but the one that I’m most excited-slash-relieved about is probably the most trivial: they fixed Show Original.

For anyone who doesn’t use file aliases (and yes, I’m including directories as being files because we could get into a useless syntactic discussion about that but this is my blog, dammit) an alias is a link to a file that lives at an alternate location. Maybe – like me – you have a bunch of folders that you regularly use but that you don’t want to have actually live on your Desktop. Or on your computer at all, for that matter. Maybe they live on an external drive, or a file server, or a NAS. There are lots of reasons for going that route, after all; shared access, retention, backup strategies – but it’s also just a lot more convenient to have the things you want to access close at hand. Now and again, though, you might want to know where the original file is or navigate to it, and in macOS Catalina that meant either scouring Finder menus or memorizing a bunch of keystrokes designed to break your own left hand. Here, this is what I mean:

I mean, look at that key combination. It’s… well, I don’t really have the words. “Bonkers” seems like a decent shot, though. I think what I’m aiming for is something more puzzling than rage-inducing; after all, decisions on this kind of thing aren’t made by accident because they are, after all, decisions. At some point, some bright, eager software engineer scratched his or her chin and said “You know what? There are too many people who are inadvertently attempting to find aliases of their files, and yes, Bob, I know that we’re talking about a fringe number of cases where someone has to select the alias in the Finder and then hit a keystroke or two to reveal the location of the individual file, but it’s still a risk that’s not worth taking, dammit. After all, nobody in their right mind wants to live in the kind of world where you can puncture the fragile illusion of how the file system works. Something must be done, so I think we should immediately implement a series of keystrokes that are difficult if not torturous to perform so that this eventuality never comes to fruition and so that we can sleep at night secure in the knowledge that we’ve demonstrably done something with our time. Sushi, anyone?”

(At least, I’m guessing that’s more or less how it went based on the small amount of time I’ve spent working for huge corporations and the much, much smaller amount of time I’ve spent at Infinite Loop eating Sushi at Caffe Macs.)

Just to make really, really sure that this was as unpleasant as possible, they then decided to use all the modifier keys on the keyboard that I – David Ball – have a hell of a time remembering.

Now, I might be alone in this one, and if that’s the case then – if you’ll pardon awkward metaphors – I’ll hold my hand up and take it on the chin. I’ve been working with Apple and macOS in a professional capacity for the better part of a quarter of a century, and while I’m comfortable with what the Command key looks like (⌘), the other two – Option (⌥) and Control (⌃) – are things that I have to sneak a peek at the keyboard for (which in the case of Control is particularly inexcusable because I’m always in the Terminal and am constantly hitting that key on a daily – if not hourly – basis). And so, this is me; and if I – someone who ostensibly knows his way around macOS – am reduced to making confused, whining noises when trying to find the original of an alias then it’s a decent bet that other people are, too.

Of course, adding insult to injury is that the non-modifier key involved is the “A” key, which is smack dab in the middle of the three modifiers and up two rows, so no matter whether you hit the modifiers with whichever combination of fingers you’d care to go with you either end up twisting a finger around or doing some kind of wrist contortion to hit all four keys at once. It’s hard to take this as anything other than some kind of deliberate assault (albeit, a low-stakes one).

It didn’t use to be this way. Prior to macOS Catalina you could hit Command-R in the Finder while selecting an alias, which was simple and easy to mnemonically accommodate (“Command-R means… find ‘riginal?”), and thankfully this is something that they’ve re-implemented in Big Sur, thus:

So, all is right with the world. We can all go back to our daily lives secure in the knowledge that this travesty has been resolved, that this great iniquity has been cast aside, and that once again we are free as a people to stand in the light of the sun and eat breakfast under newer, better skies. Okay, there might be the slightest hint of an over-reach in that sentiment; after all, many other things are still in assorted states of brokenness, but the point has enough legs to stand on (albeit in a highly qualified fashion).

The lesson here is not that you need to make a lot of changes to the way that you think about how operating systems work; it’s that there’s value in doing something right the first time, then having the clarity to appreciate and acknowledge that value. I’m not mad because Apple changed a keystroke combination that, let’s face it, most people would go to the appropriate pull-down menu to access anyway. I mean, that’s a fairly small hill to die on. No, the thing that concerns and annoys me is that while most good designers make decisions based on forethought and conceptual understanding, there’s always the pitfall of thinking that you’re going to do something better, and that the work that has been done before lacks value and needs to be remedied.

And it’s not something unique to Apple. I’ve seen that tendency in code that I’ve written and revisited, and I imagine that a lot of people in my shoes have had the same experience. Sometimes you’re so eager to improve something that you fall into the trap of thinking that everything you touch needs to be changed, and you end up throwing up roadblocks to productivity that didn’t need to be put there. You can measure twice and cut once as often as you like, but if the thing doesn’t need to be cut at all? Well. The next best thing you can do is to have the humility to undo your mistakes.

Everything Old is New And Broken

Today I shall be writing about macOS Big Sur, which is even as we speak wending its way through both the Public and Developer Beta programs while the good folks at Apple either glue bits on or hack them off with what we hope is some kind of grand design in mind.

New Operating Systems are polarizing things, and that’s the kind of attitude and behavior that I enjoy, nay, encourage. I like the seasonal nature of disgruntlement; the perennial moaning and scowling and disapprobation that people inevitably kick into high gear whenever what is – on a fundamental level – the single most important thing they use on their computer is improved. Or reimagined. Or… well, changed. There’s some kind of metaphor in there for the nature of man; we all come into the world fresh-faced and brimming with optimism, and then get stuck in our ways and end up grey-haired and angry at progress and prone to using words like “whelp” and “whippersnapper” in cold blood.

It’s freeing to realize this, because it’s a realization that sets you free. You’re not going to like change, and you’re not going to welcome it because you’re older and wiser than you used to be – and that’s okay. The measure of character is not how well we accommodate change, but how well we tolerate it. The test of your maturity lies in rolling with those punches and – instead of trying to change the world – realizing that you’re not infallible, and that maybe you should consider working on changing yourself.

Huh. That got real profound real fast. And I was only here to bitch about the menu bar clock. Let’s get back to that, shall we? Yes? Good.

The menu bar clock in macOS Big Sur is irrevocably stupid. Oh, it’s fine if you want to know what day of the week it is and what the time is, thus:

…but it’s not useful if you, say, want to know what the date is. Or (and this is admittedly rather less likely) know what the month is, just in case you’ve really overslept or have sustained some traumatic and untreated cranial injury.

In the good old days – before whippersnappers like you whelps were running around with your iPhone 12s and your Billie Eilish records and whatnot – you could happily go and jump into the Date and Time System Prefpane and change the way the menu bar clock reported the date and time, specify whether you preferred 24 or 12 hour time, whether you wanted such bizarre indulgences as flashing time separators or the ability to observe seconds as they ticked by. You were probably also able to go and buy shoes for a nickel, but these days that Prefpane shows you this instead:

This will never do. Now, I’m happy to let a lot slide in the name of progress, but I’ll go to the mat for the Date. I’m forty-seven, which is a fact that never ceases to surprise me and induce mild existential horror when I’m confronted by it. I’m forty-seven and my left knee is in a constant state of betrayal of the rest of my body and I wear glasses and I forget what the date is about thirty-thousand times a minute. My options extend to either getting the date tattooed on myself afresh each day or finding a way to get the date back into the menu bar. And I hate needles.

Fortunately, this turns out to be doable because while Apple doesn’t have a convenient button in there to allow you to specify clock options, the fundamental wiring for said clock options is still extant in the OS. To get to what they’ve done we’ll use the defaults command to read what’s going on with the menu bar extra, thus:

Behold.

So, if “Fri 15:43” equates to “EEE HH:mm” then it’s a pretty solid bet that EEE = day of the week, HH = hour, and mm = minute. With that in mind, we can use defaults to write back some other options for the OS to look at. If you turn everything on and then look at the defaults read for the same plist under macOS Catalina then you’ll get this:

Right. So, it doesn’t take much to come to the conclusion that MMM = Month, ss = seconds, and (be still my beating, arthritic heart) d = date.

With that in mind, we’ll write all the above back into Big Sur, thus:

defaults write com.apple.menuextra.clock DateFormat -string "EEE d MMM HH:mm:ss"

…which magically turns into:

Ah. That’s much better. Change is a wonderful thing; particularly when it happens to other people.
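To make the defaults read/write dance above repeatable (and to write down the meaning of the pattern letters so you don’t have to re-derive them from “Fri 15:43” next time), here is a small Python script I’ve added as an example; it is not from the original post. It reads the same com.apple.menuextra.clock domain and writes the same DateFormat key the post uses. The SAMPLE_READ text is a constructed stand-in for what `defaults read` prints on a fresh Big Sur install, and the twelve-hour tokens (h, a) are standard Unicode date-format symbols rather than something taken from the post.

```python
import re
import subprocess
import sys
from typing import List, Optional

DOMAIN = "com.apple.menuextra.clock"   # the plist the post reads and writes with `defaults`
KEY = "DateFormat"

# Meaning of the pattern letters inferred in the post from "Fri 15:43" / "EEE HH:mm".
# These are Unicode (ICU) date-format symbols, which is what macOS uses here.
TOKENS = {
    "EEE": "weekday",
    "d": "day of month",
    "MMM": "month",
    "HH": "hour (24h)",
    "h": "hour (12h)",
    "mm": "minute",
    "ss": "second",
    "a": "AM/PM",
}


def describe(pattern: str) -> List[str]:
    """Turn a DateFormat pattern into the list of fields it will display."""
    return [TOKENS.get(m.group(0), "unknown:" + m.group(0))
            for m in re.finditer(r"([A-Za-z])\1*", pattern)]


def build(show_date=True, show_month=True, show_seconds=True, twelve_hour=False) -> str:
    """Assemble a pattern from the options the Catalina prefpane used to offer."""
    parts = ["EEE"]
    if show_date:
        parts.append("d")
    if show_month:
        parts.append("MMM")
    clock = ("h:mm" if twelve_hour else "HH:mm") + (":ss" if show_seconds else "")
    if twelve_hour:
        clock += " a"
    parts.append(clock)
    return " ".join(parts)


def current_format(defaults_output: str) -> Optional[str]:
    """Pull DateFormat out of the text that `defaults read <domain>` prints."""
    m = re.search(r'DateFormat\s*=\s*"([^"]*)"', defaults_output)
    return m.group(1) if m else None


def read_current() -> Optional[str]:
    """Read the live value on a Mac; elsewhere there is no `defaults`, so return None."""
    if sys.platform != "darwin":
        return None
    out = subprocess.run(["defaults", "read", DOMAIN], capture_output=True, text=True)
    return current_format(out.stdout) if out.returncode == 0 else None


def apply(pattern: str) -> None:
    """Write the pattern back, exactly as the post's `defaults write` line does."""
    subprocess.run(["defaults", "write", DOMAIN, KEY, "-string", pattern], check=True)


# Constructed sample of what `defaults read` prints for the "Fri 15:43" state in the post.
SAMPLE_READ = '{\n    DateFormat = "EEE HH:mm";\n}\n'

if __name__ == "__main__":
    before = read_current() or current_format(SAMPLE_READ)
    print("current:", before, describe(before))
    wanted = build(show_date=True, show_month=True, show_seconds=True)   # "EEE d MMM HH:mm:ss"
    print("writing:", wanted, describe(wanted))
    if sys.platform == "darwin":
        apply(wanted)
```

Run it on the Mac itself to apply the change; anywhere else it only shows what it would write. If you ever want the stock look back, `defaults delete com.apple.menuextra.clock DateFormat` removes the override.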

Securing your Synology with QuickConnect

This is another one of those posts where I wear my heart on my sleeve about how great Synology is. A lot of that comes from spending many, many years in an abusive relationship with OS X/macOS Server, which was good during the good times, but when it was bad it was very, very bad. In this time of global apocalypse it’s increasingly important to be able to get remote access to vital data resources, and Synology’s DSM has a really convenient way of doing that in their QuickConnect product, which simply gives you a convenient portal to access your DiskStation from anywhere in the world and administer it through a browser. Sounds good?

No. No, that isn’t good. I mean, I get it; it’s an intelligent and functional way of remote access and administration, but it isn’t ideal. Convenient? Sure. But problematic.

Come on in. Sure, you can steal all my data!

The thing with QuickConnect is that the nature of the thing requires remote access, and the thing about remote access over the internet is that, well, it’s remote access over the internet. And the internet isn’t exactly famed and noted for its utter infallibility and ironclad invulnerability.

Tangible example (don’t try this at home and I’m certainly not going to get into specifics because this is ethically problematic territory): it took me about five minutes and some well-crafted Google searches to find, build and install the tools and methods to pull a list of every single subdomain on the internet in the quickconnect.to domain. It’s a big list, and I’m willing to bet that most of those Synology QuickConnect setups are legitimately and intelligently set up with clever usernames and passwords and lots of security. But, statistically, there’s a likelihood – a decent one – that a lot of those have “admin” as the username and “admin” as the password. Or “Password”. Or, I don’t know, “12345678”.

Were I interested in larceny and mischief then I could script the means to run down that list and try the most common usernames and passwords against each of those entries. And I’m pretty sure that I’d end up with, well, a healthy handful of hits. That translates to complete, unfettered access to the files and data of the respective companies and institutions, along with usernames and emails and passwords, VPN access credentials and so on.

Fortunately, there are some pretty basic things you can do to somewhat lock down QuickConnect and the DSM in general. And when I say “somewhat” that’s because hey, this is the internet and no, there’s no such thing as secure, but yes, there is such a thing as making breaking into your stuff difficult and expensive and time-consuming, and yes, that’s your best shot at what we’re euphemistically calling cybersecurity these days.

The best tool in the arsenal is to enable two-step verification to the DSM, so that when you connect via QuickConnect you’ll also have to have access to an authenticator app on your phone in order to retrieve a six-digit code. It is, thankfully, a pretty simple operation.

Sign into your Synology DSM as per usual, then navigate to the person-shaped icon at the upper-right corner of the window and choose Personal, and then choose Account. You’ll see a helpful box marked “Enable 2-Step Verification” that will most likely be greyed out if you haven’t set up your Synology with an email account that it can use for notifications. If that’s the case then click on the “Email Account” tab and hit “Add”. You’ll be prompted to add either an Outlook, GSuite, or other email account thus:

Choose the appropriate option, hit Next, then follow the prompts to connect your email Account with the Synology Personal Notification service. If you’re using GSuite (like I do) then it’s as simple as clicking “Allow” at the next window. Seriously.

Once that’s out of the way you can go back to the “Enable 2-Step Verification” box and check it, then walk through the Wizard, which will ask you for an email address to use as an emergency backup. It’s probably best to use a different email address than the one associated with the Notifications setup in the last step. After that you’ll be given a QR code to scan into the authenticator app of your choice (I use Google Authenticator).

What? You think I’d put a legitimate DSM QR code in a screenshot on the internet? Go on. Scan it. I dare you.

Log out of the DSM, and when you log in again you’ll be required to enter the six-digit verification code found in your authenticator app, and can then breathe a little easier. It’s no VPN, but it’s a lot better than just leaving everything open and hoping that you remembered to change the default user name and password…
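For anyone curious what that six-digit code actually is: the QR code hands your authenticator a shared secret, and both the app and the DSM compute the same time-based one-time password (RFC 6238 TOTP, HMAC-SHA1, 30-second steps) from it. The following Python is an added illustration, not Synology’s code and not from the original post; it uses the RFC 6238 test secret (the ASCII string 12345678901234567890), base32-encoded the way an otpauth QR code carries it, and a constructed verification window of one step either side.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # authenticator apps and the DSM both use 30-second steps
DIGITS = 6          # the "six-digit code" the post talks about


def decode_base32_secret(secret_b32: str) -> bytes:
    """The QR code carries the shared secret as base32, usually without '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP_SECONDS)


def verify(secret: bytes, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side to
    absorb clock drift, comparing in constant time so the check itself leaks nothing."""
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


# RFC 6238 test secret, base32-encoded here the way an otpauth:// QR code would carry it.
# Constructed for this example; a real DSM secret is random and must stay private.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    secret = decode_base32_secret(SAMPLE_SECRET_B32)
    print("code at T=59:", totp(secret, at=59))   # RFC 6238 vector: 287082
    print("code now:    ", totp(secret))
    print("valid now?   ", verify(secret, totp(secret)))
```

Two things fall out of this that matter for the setup above: the whole scheme rests on that base32 secret staying secret (which is why screenshotting a real QR code is a bad idea), and a real verifier such as the DSM also remembers the last step it accepted so that a code which has just been used cannot be replayed inside the drift window.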

Securing your Synology with VPN

I’ve not been shy about wearing my love of Synology Diskstations on my sleeve. As an IT Consultant it’s fairly common to establish a set of tools or recommendations that are go-to options you regularly put in front of clients, but the true test of whether or not those tools and recommendations are worth considering is to turn to your IT person and ask them if they use those in their own businesses. Some things don’t make that cut because they don’t necessarily apply (for example, I have no need of an Okta setup) and others are either cost-prohibitive or simply recommended due to a paucity of options. The NAS space falls into all of those prohibitions, but it says something that a lot of consultants I regularly work with eat their own dog food when it comes to Synology. I know I do. I’ve bought two of the things, after all, and they were both purchases that not only fail to fill me with regret, but that make me quietly relieved. They’re the kind of thing that you put in place, configure, and then leave alone knowing with absolute certainty that they’re doing their job, and that you don’t have to worry about them.

It’s the configuring part that’s kind of interesting, though. There are options in that area that you can go with out of the box that hit the essentials of whatever you’d like to do, security-wise; either keep the thing off the internet entirely, use Synology QuickConnect, or use a VPN.

QuickConnect is fine, but it’s not exactly bullet-proof. Any time you’re opening up a device to the internet at large you’re painting a target on its back, and yes, QuickConnect offers some reasonable protections but it’s fundamentally a way for remote users to connect to specific services, and as such requires exposure of those services. There are times when it’s the only option (when, say, your NAS is hosted at your office behind a captive portal), and there are a lot of things you can do to beef up security to compensate (locking down ports and services, setting up a reverse proxy, using your own domain name, extensive 2FA usage and so on).

Fortunately, setting up a VPN on your Synology box is easy to the point of trivial (provided your DiskStation has a routable connection to the internet that you have some kind of control over. You’ll need to be able to open the appropriate ports for VPN.)

Synology VPN Server is freely accessible from the Package Center of your DSM – once downloaded, open the VPN Server package and click on OpenVPN to configure it. Doing that is terribly simple; just check the “Enable OpenVPN Server” box, choose the maximum number of connections you want to enable.

Note the port that’s opened (1194), and if you want to allow users to connect to other devices and services on the target network then you’ll need to check the box marked “Allow clients to access server’s LAN”.

Synology can do a lot of the heavy lifting for you if you’re lucky enough to have a router that DSM’s Router Configuration (Control Panel -> Router Configuration) can talk to. If you’re in that group then the wizard can walk you through configuring port forwarding; if you’re not then you’ll have to go get access to your router and manually set up port forwarding for port 1194. Going into that is somewhat out of the scope of this article. I mean, I can’t see your router model, or write directions for every single one. I’d be here all day.

“But,” I hear you ask, “doesn’t this only apply if you have a static IP address? How will the internet know where my Synology is? My internet provider is terrible and only gives me static addresses if I sign up for their exorbitant business account that’s vastly slower than a residential account despite the fact that it’s on the same exact line and using the same exact modem!”

This is a good point (although oddly specific). Happily, Synology DSM makes it extremely simple to set up DDNS. In the Control Panel, choose “External Access” and then click the DDNS tab. If you have an existing DDNS setup (mine is hosted with dyndns) then you can enter your credentials here, or else opt to use Synology’s included DDNS solution (synology.me). The DDNS client on the Synology DSM runs out and talks to Synology’s DDNS server and updates its current address.

After that, it’s simply a matter of configuring your VPN Client to connect to your newly-created VPN. Handily, you can do a lot of the work by clicking on the “Export Configuration” button at the bottom of the OpenVPN configuration window. This will download a text file and a certificate that you’ll need to install onto your computer to work with your OpenVPN client – Synology includes a helpful read me file that details exactly how this process works and recommends an OpenVPN client for each major platform.

So, there you have it; a simple way to connect to your own network when traveling or working remotely, safe in the knowledge that you’re protected from man-in-the-middle attacks and able to access your critical data in a secure and safe manner.
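The exported configuration is where that man-in-the-middle protection actually lives, so it’s worth checking it before you hand it to the OpenVPN client. The following Python linter is an added example, not from the post and not Synology’s tooling; it assumes (from memory of the export, so check your own file) that the exported .ovpn leaves a YOUR_SERVER_IP placeholder in the remote line for you to replace with your DDNS name. The SAMPLE_EXPORT text is a constructed, abridged stand-in for that file, and example.synology.me is a made-up hostname.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder that, as I recall it, Synology's exported .ovpn leaves in the `remote`
# line for you to replace; this is an assumption, so check your own export.
PLACEHOLDER_HOST = "YOUR_SERVER_IP"


def parse_ovpn(text: str) -> Tuple[List[Tuple[str, List[str]]], Dict[str, str]]:
    """Split an OpenVPN client config into (directive, args) pairs plus the
    inline <tag>...</tag> blocks such as <ca>."""
    directives: List[Tuple[str, List[str]]] = []
    inline: Dict[str, str] = {}
    current: Optional[str] = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:                  # inside an inline block
            if line == f"</{current}>":
                inline[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line.startswith("#") or line.startswith(";"):
            continue                              # blank or comment
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, inline


def audit_ovpn(text: str, expected_host: str, expected_port: int = 1194) -> List[str]:
    """Return human-readable findings; an empty list means the config looks right."""
    directives, inline = parse_ovpn(text)
    names = {d for d, _ in directives}
    findings: List[str] = []

    remotes = [args for d, args in directives if d == "remote"]
    if not remotes:
        findings.append("no `remote` line: the client has nowhere to connect")
    for args in remotes:
        host = args[0] if args else ""
        port = int(args[1]) if len(args) > 1 else 1194
        if host == PLACEHOLDER_HOST:
            findings.append(f"`remote` still says {PLACEHOLDER_HOST}: put your DDNS name ({expected_host}) there")
        elif host != expected_host:
            findings.append(f"`remote` points at {host}, expected {expected_host}")
        if port != expected_port:
            findings.append(f"`remote` uses port {port}, but the server listens on {expected_port}")

    if "ca" not in inline and "ca" not in names:
        findings.append("no CA certificate: the client cannot verify the server at all")
    if "remote-cert-tls" not in names:
        # Without this, any certificate signed by the CA, not only the server's, would be accepted.
        findings.append("missing `remote-cert-tls server`: the client does not insist the peer is a server certificate")
    if "auth-user-pass" not in names:
        findings.append("missing `auth-user-pass`: DSM accounts are checked by username/password")
    return findings


def fix_remote(text: str, host: str) -> str:
    """Swap the placeholder for the real hostname and add the server-certificate check."""
    text = text.replace(f"remote {PLACEHOLDER_HOST}", f"remote {host}")
    if "remote-cert-tls" not in text:
        text += "remote-cert-tls server\n"
    return text


# Constructed sample modelled on an exported client config (abridged; the real file
# carries the full PEM certificate inside <ca>...</ca>).
SAMPLE_EXPORT = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# If redirect-gateway is enabled, the client will route all traffic through the VPN.
redirect-gateway def1
pull
proto udp
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    host = "example.synology.me"   # made-up DDNS name
    for finding in audit_ovpn(SAMPLE_EXPORT, host):
        print("-", finding)
    print("after fix:", audit_ovpn(fix_remote(SAMPLE_EXPORT, host), host))
```

Point it at the real file (read it in place of SAMPLE_EXPORT) with the hostname you set up under External Access, and don’t import the config into a client until the list comes back empty.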

There’s Life In The Old Dog Yet (or: More Adventures In Keeping Old Things Alive).

This, ladies and gentlemen, is what Apple thinks is an iMac Pro:

Behold. (Please ignore the horrible rug.)

Now, for those of you who don’t pay a lot of attention to Apple’s product line (and who probably have better things to do) it should be made clear at this point that this is not, in fact, an iMac Pro. Or any kind of iMac for that matter. iMacs have the computer and screen built into one slim, stylish, power unit, whereas this is a massive, forty-pound hunk of scratched and scarred Aluminum hewn into something resembling a giant cheese grater, and then covered in faux-wood because its owner had a bunch of faux-wood wrap kicking around and was sick of looking at a lot of scratches. More precisely, this is a 2009 Mac Pro, and even more precisely, it is my 2009 Mac Pro.

I love this machine because it is, not to put too fine a point on it, completely bonkers. While there’s every reason for it to exist, there is no reason whatsoever to be using an eleven year-old computer in a world where the massive leaps in processor and design technology make this akin to an abacus. A computer from 2009 is slow, has terrible graphical abilities, and lacks the modern conveniences that we take for granted in terms of interfaces and technologies. Using one is to obey the same impulse for anachronism that makes young men grow ironic beards, smoke pipes, and ride penny-farthings.

Except, actually, this is none of these things. Because while old computers are slow, a lot of them are also expandable, and a lot of those expandable bits are not slow and terrible, but are fast and decent. I bought this thing for about two hundred dollars and augmented it with bits of dead computers and assorted projects I’ve accumulated over the years, and now it’s chock full of fast storage, has oodles of memory, and two six-core Xeons. That’s twelve Xeon cores. Twenty-four threads! I feel that I’m not sufficiently making this accessible to people who don’t know or care about Xeons or cores, but think of it this way; imagine if you woke up one morning, had got dressed, had breakfast, bid farewell to your nearest and dearest, got in your car to go to work, turned the key in the ignition and instead of hearing the modest, pedestrian burble of an inline six you were presented with the sound of a Furious Titan Roaring A Battle Cry Unto The Gods And Breaking His Fists Against The Firmament?

Yeah, so, it’s basically that.

So, this thing isn’t slow and awful and ugly and stupid. Okay, yes, it’s ugly, but none of the rest is true. The video card in it is equivalent to the one that comes in the new Mac Pro. It has a lot of slots to put cards and upgrades in, has the wireless bits from a newer, dead MacBook Pro so that it can do all the wireless things that modern computers can do, and you can even plug your fancy USB-C peripherals into an expansion card in the back.

What you can’t do is use it with macOS Catalina or macOS Big Sur.

Now, I kind of get that; if you’re Apple then there are some very solid reasons not to support a machine of this vintage. While those Xeons are mighty they’re prone to some security flaws that make this machine a bad fit for some very specific niches and industries, and Apple’s not in the habit of issuing software updates that are going to open up customer data to any kind of intrusion. Still, a lot of people (like me) aren’t going to be using their computers in any kind of situation that might make that threat remotely likely, and would really like to continue using their big, ugly computers.

Happily, this is technically possible with only a modicum of headache because those Xeons I keep rattling on about are also the types of processors that run in Apple’s current iMac Pro and Mac Pro computers. Admittedly the processors in my stylish, mock-oak Mac Pro are somewhat slower and older in vintage, but they’re basically the same creature, so technically they should work, right?

Right. And, it turns out, the process is fiddly but not as horrible as you might expect.

(Note: If you have a Mac Pro 5,1 (or a 4,1 upgraded to 5,1) then the following will probably work for you as written. If you have neither of these machines but your computer is of an older vintage and you want to try and run a newer operating system than you technically should, then you can read along and take in the general points and input, but I’m in no way guaranteeing that any of this will work. Also, back up before trying any of this, and if you’re even remotely concerned about this just back away now. This is the kind of thing that would violate your warranty if there was the remotest possibility that anyone of sound mind would warranty an eleven-year-old computer, but still, beware. Your Mileage May Vary. Caveat Emptor. Cave Canem. Don’t Walk On The Grass.)

First, some preliminary considerations. You’ll need a Metal-capable graphics card, and you’ll need to upgrade your Mac Pro to macOS Mojave in order to bring the BootROM up to 144.0.0.0.0 (which will also allow you to use NVMe drives). Once that’s done, boot into Internet Recovery and disable SIP by typing csrutil disable in the Terminal.

Secondly, you should look at this thread on macrumors.com. It’s enormous and where I got a lot of this information from, but be warned; there’s a lot to trawl through there – which is why I’ve put this more concise walkthrough together.
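Before pasting the config.plist reproduced further down into place, it’s worth being able to read back what it actually asks OpenCore to do, because a bootloader config is exactly the kind of file that gets copied from a forum and never looked at again. The Python below is an added example, not from the post and not an OpenCore project tool; it uses the standard plistlib and flags the settings that weaken boot-time checks. SAMPLE_CONFIG is a constructed subset of the post’s own config (the Misc/Security block, the three kexts and the boot-args), not the whole file.

```python
import plistlib
import sys
from typing import Any, Dict, List


def security_findings(cfg: Dict[str, Any]) -> List[str]:
    """Call out settings in Misc/Security and boot-args that trade safety for convenience."""
    sec = cfg.get("Misc", {}).get("Security", {})
    findings: List[str] = []
    if sec.get("Vault", "Optional") != "Secure":
        findings.append(f"Vault={sec.get('Vault')}: OpenCore's own files are not integrity-checked at boot")
    if sec.get("ScanPolicy", 0) == 0:
        findings.append("ScanPolicy=0: every attached disk and file system is offered in the boot picker")
    if sec.get("ExposeSensitiveData", 0) != 0:
        findings.append(f"ExposeSensitiveData={sec.get('ExposeSensitiveData')}: OpenCore publishes booter path/version details to NVRAM and the picker")
    if sec.get("AllowNvramReset", False):
        findings.append("AllowNvramReset=true: the picker can wipe NVRAM without authentication")
    for arg in boot_args(cfg):
        if arg == "-no_compat_check":
            findings.append("boot-args contain -no_compat_check: macOS's model compatibility check is bypassed (the point of this exercise, but Apple will not support the result)")
    return findings


def boot_args(cfg: Dict[str, Any]) -> List[str]:
    """boot-args live under NVRAM/Add keyed by the Apple boot-variable GUID."""
    for _guid, values in cfg.get("NVRAM", {}).get("Add", {}).items():
        if isinstance(values, dict) and "boot-args" in values:
            return str(values["boot-args"]).split()
    return []


def enabled_kexts(cfg: Dict[str, Any]) -> List[str]:
    """Kernel extensions OpenCore will inject, in load order."""
    return [k["BundlePath"] for k in cfg.get("Kernel", {}).get("Add", []) if k.get("Enabled")]


def summarize(plist_bytes: bytes) -> Dict[str, Any]:
    """Parse a config.plist and return the parts a reviewer wants to see first."""
    cfg = plistlib.loads(plist_bytes)
    return {
        "kexts": enabled_kexts(cfg),
        "boot_args": boot_args(cfg),
        "findings": security_findings(cfg),
    }


# Constructed subset of the post's config.plist, serialised with plistlib.
SAMPLE_CONFIG = plistlib.dumps({
    "Kernel": {"Add": [
        {"BundlePath": "Lilu.kext", "Enabled": True, "MinKernel": "16.0.0"},
        {"BundlePath": "WhateverGreen.kext", "Enabled": True, "MinKernel": "16.0.0"},
        {"BundlePath": "AppleMCEReporterDisabler.kext", "Enabled": True, "MinKernel": "19.0.0"},
    ]},
    "Misc": {"Security": {
        "AllowNvramReset": False, "AllowSetDefault": True, "AuthRestart": False,
        "BootProtect": "None", "ExposeSensitiveData": 15, "HaltLevel": 2147483648,
        "ScanPolicy": 0, "Vault": "Optional",
    }},
    "NVRAM": {"Add": {"7C436110-AB2A-4BBB-A880-FE41995C9F82": {
        "boot-args": "agdpmod=pikera shikigva=80 mbasd=1 -wegtree -no_compat_check no32exec=0",
        "run-efi-updater": "No",
    }}},
})

if __name__ == "__main__":
    # Pass a path to audit a real config.plist; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    report = summarize(data)
    print("kexts:    ", ", ".join(report["kexts"]))
    print("boot-args:", " ".join(report["boot_args"]))
    for finding in report["findings"]:
        print("-", finding)
```

None of the findings are wrong for a home machine that you’ve already taken SIP off, but they are worth knowing about: Vault=Optional and ScanPolicy=0 are what let a freshly copied OpenCore folder boot at all, and tightening them is a sensible second pass once the machine is stable.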

Next, you’ll need to download the latest version of OpenCore from this GitHub repository. Once downloaded, open the OpenCore folder, where you’ll see something like this:

Next, copy this and paste it into a new non-rich text document. Warning: this is very long:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ACPI</key>
	<dict>
		<key>Add</key>
		<array>
			<dict>
				<key>Comment</key>
				<string>TBOLT3</string>
				<key>Enabled</key>
				<false/>
				<key>Path</key>
				<string>SSDT-TBOLT3.aml</string>
			</dict>
		</array>
		<key>Delete</key>
		<array/>
		<key>Patch</key>
		<array/>
		<key>Quirks</key>
		<dict>
			<key>FadtEnableReset</key>
			<false/>
			<key>NormalizeHeaders</key>
			<false/>
			<key>RebaseRegions</key>
			<false/>
			<key>ResetHwSig</key>
			<false/>
			<key>ResetLogoStatus</key>
			<false/>
		</dict>
	</dict>
	<key>Booter</key>
	<dict>
		<key>MmioWhitelist</key>
		<array/>
		<key>Quirks</key>
		<dict>
			<key>AvoidRuntimeDefrag</key>
			<false/>
			<key>DevirtualiseMmio</key>
			<false/>
			<key>DisableSingleUser</key>
			<false/>
			<key>DisableVariableWrite</key>
			<false/>
			<key>DiscardHibernateMap</key>
			<false/>
			<key>EnableSafeModeSlide</key>
			<false/>
			<key>EnableWriteUnprotector</key>
			<false/>
			<key>ForceExitBootServices</key>
			<false/>
			<key>ProtectMemoryRegions</key>
			<false/>
			<key>ProtectSecureBoot</key>
			<true/>
			<key>ProtectUefiServices</key>
			<false/>
			<key>ProvideCustomSlide</key>
			<false/>
			<key>ProvideMaxSlide</key>
			<integer>0</integer>
			<key>RebuildAppleMemoryMap</key>
			<false/>
			<key>SetupVirtualMap</key>
			<false/>
			<key>SignalAppleOS</key>
			<false/>
			<key>SyncRuntimePermissions</key>
			<false/>
		</dict>
	</dict>
	<key>DeviceProperties</key>
	<dict>
		<key>Add</key>
		<dict/>
		<key>Delete</key>
		<dict/>
	</dict>
	<key>Kernel</key>
	<dict>
		<key>Add</key>
		<array>
			<dict>
				<key>BundlePath</key>
				<string>Lilu.kext</string>
				<key>Comment</key>
				<string></string>
				<key>Enabled</key>
				<true/>
				<key>ExecutablePath</key>
				<string>Contents/MacOS/Lilu</string>
				<key>MaxKernel</key>
				<string></string>
				<key>MinKernel</key>
				<string>16.0.0</string>
				<key>PlistPath</key>
				<string>Contents/Info.plist</string>
			</dict>
			<dict>
				<key>BundlePath</key>
				<string>WhateverGreen.kext</string>
				<key>Comment</key>
				<string>Video card</string>
				<key>Enabled</key>
				<true/>
				<key>ExecutablePath</key>
				<string>Contents/MacOS/WhateverGreen</string>
				<key>MaxKernel</key>
				<string></string>
				<key>MinKernel</key>
				<string>16.0.0</string>
				<key>PlistPath</key>
				<string>Contents/Info.plist</string>
			</dict>
			<dict>
				<key>BundlePath</key>
				<string>AppleMCEReporterDisabler.kext</string>
				<key>Comment</key>
				<string>DisableAppleIntelMCEReporter</string>
				<key>Enabled</key>
				<true/>
				<key>ExecutablePath</key>
				<string></string>
				<key>MaxKernel</key>
				<string></string>
				<key>MinKernel</key>
				<string>19.0.0</string>
				<key>PlistPath</key>
				<string>Contents/Info.plist</string>
			</dict>
		</array>
		<key>Block</key>
		<array/>
		<key>Emulate</key>
		<dict>
			<key>Cpuid1Data</key>
			<data>AAAAAAAAAAAAAACAAAAAAA==</data>
			<key>Cpuid1Mask</key>
			<data>AAAAAAAAAAAAAACAAAAAAA==</data>
		</dict>
		<key>Patch</key>
		<array>
			<dict>
				<key>Base</key>
				<string></string>
				<key>Comment</key>
				<string>IONVMeFamily Patch#External</string>
				<key>Count</key>
				<integer>0</integer>
				<key>Enabled</key>
				<true/>
				<key>Find</key>
				<data>RXh0ZXJuYWw=</data>
				<key>Identifier</key>
				<string>com.apple.iokit.IONVMeFamily</string>
				<key>Limit</key>
				<integer>0</integer>
				<key>Mask</key>
				<data></data>
				<key>MaxKernel</key>
				<string></string>
				<key>MinKernel</key>
				<string>17.0.0</string>
				<key>Replace</key>
				<data>SW50ZXJuYWw=</data>
				<key>ReplaceMask</key>
				<data></data>
				<key>Skip</key>
				<integer>0</integer>
			</dict>
		</array>
		<key>Quirks</key>
		<dict>
			<key>AppleCpuPmCfgLock</key>
			<false/>
			<key>AppleXcpmCfgLock</key>
			<false/>
			<key>AppleXcpmExtraMsrs</key>
			<false/>
			<key>AppleXcpmForceBoost</key>
			<false/>
			<key>CustomSMBIOSGuid</key>
			<false/>
			<key>DisableIoMapper</key>
			<false/>
			<key>DisableRtcChecksum</key>
			<false/>
			<key>DummyPowerManagement</key>
			<false/>
			<key>ExternalDiskIcons</key>
			<true/>
			<key>IncreasePciBarSize</key>
			<false/>
			<key>LapicKernelPanic</key>
			<false/>
			<key>PanicNoKextDump</key>
			<false/>
			<key>PowerTimeoutKernelPanic</key>
			<false/>
			<key>ThirdPartyDrives</key>
			<true/>
			<key>XhciPortLimit</key>
			<false/>
		</dict>
	</dict>
	<key>Misc</key>
	<dict>
		<key>BlessOverride</key>
		<array/>
		<key>Boot</key>
		<dict>
			<key>HibernateMode</key>
			<string>None</string>
			<key>HideAuxiliary</key>
			<false/>
			<key>ConsoleAttributes</key>
			<integer>0</integer>
			<key>PickerAttributes</key>
			<integer>0</integer>
			<key>PickerAudioAssist</key>
			<false/>
			<key>PickerMode</key>
			<string>External</string>
			<key>PollAppleHotKeys</key>
			<false/>
			<key>ShowPicker</key>
			<true/>
			<key>TakeoffDelay</key>
			<integer>0</integer>
			<key>Timeout</key>
			<integer>10</integer>
		</dict>
		<key>Debug</key>
		<dict>
			<key>AppleDebug</key>
			<false/>
			<key>ApplePanic</key>
			<false/>
			<key>DisableWatchDog</key>
			<false/>
			<key>DisplayDelay</key>
			<integer>0</integer>
			<key>DisplayLevel</key>
			<integer>2151678018</integer>
			<key>SerialInit</key>
			<false/>
			<key>Target</key>
			<integer>0</integer>
		</dict>
		<key>Entries</key>
		<array/>
		<key>Security</key>
		<dict>
			<key>AllowNvramReset</key>
			<false/>
			<key>AllowSetDefault</key>
			<true/>
			<key>AuthRestart</key>
			<false/>
			<key>BootProtect</key>
			<string>None</string>
			<key>ExposeSensitiveData</key>
			<integer>15</integer>
			<key>HaltLevel</key>
			<integer>2147483648</integer>
			<key>ScanPolicy</key>
			<integer>0</integer>
			<key>Vault</key>
			<string>Optional</string>
		</dict>
		<key>Tools</key>
		<array/>
	</dict>
	<key>NVRAM</key>
	<dict>
		<key>Add</key>
		<dict>
			<key>4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14</key>
			<dict>
				<key>UIScale</key>
				<data>AQ==</data>
				<key>DefaultBackgroundColor</key>
				<data>AAAAAA==</data>
			</dict>
			<key>7C436110-AB2A-4BBB-A880-FE41995C9F82</key>
			<dict>
				<key>boot-args</key>
				<string>agdpmod=pikera shikigva=80 mbasd=1 -wegtree -no_compat_check no32exec=0</string>
				<key>run-efi-updater</key>
				<string>No</string>
			</dict>
		</dict>
		<key>Delete</key>
		<dict>
			<key>4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14</key>
			<array>
				<string>UIScale</string>
				<string>DefaultBackgroundColor</string>
			</array>
			<key>7C436110-AB2A-4BBB-A880-FE41995C9F82</key>
			<array>
				<string>boot-args</string>
			</array>
		</dict>
		<key>LegacyEnable</key>
		<false/>
		<key>LegacyOverwrite</key>
		<false/>
		<key>LegacySchema</key>
		<dict/>
		<key>WriteFlash</key>
		<false/>
	</dict>
	<key>PlatformInfo</key>
	<dict>
		<key>Automatic</key>
		<true/>
		<key>Generic</key>
		<dict>
			<key>MLB</key>
			<string>C02706700J9JG36JA</string>
			<key>ROM</key>
			<data>ESIzAAAA</data>
			<key>SpoofVendor</key>
			<true/>
			<key>SystemProductName</key>
			<string>iMacPro1,1</string>
			<key>SystemSerialNumber</key>
			<string>C02T75Y5HX87</string>
			<key>SystemUUID</key>
			<string>EF81678C-50D7-4A13-9D1A-B423E7F7BE5B</string>
		</dict>
		<key>UpdateDataHub</key>
		<true/>
		<key>UpdateNVRAM</key>
		<true/>
		<key>UpdateSMBIOS</key>
		<true/>
		<key>UpdateSMBIOSMode</key>
		<string>Create</string>
	</dict>
	<key>UEFI</key>
	<dict>
		<key>APFS</key>
		<dict>
			<key>EnableJumpstart</key>
			<false/>
			<key>GlobalConnect</key>
			<false/>
			<key>HideVerbose</key>
			<false/>
			<key>JumpstartHotPlug</key>
			<false/>
			<key>MinDate</key>
			<integer>0</integer>
			<key>MinVersion</key>
			<integer>0</integer>
		</dict>
		<key>Audio</key>
		<dict>
			<key>AudioCodec</key>
			<integer>0</integer>
			<key>AudioDevice</key>
			<string></string>
			<key>AudioOut</key>
			<integer>0</integer>
			<key>AudioSupport</key>
			<false/>
			<key>MinimumVolume</key>
			<integer>0</integer>
			<key>PlayChime</key>
			<false/>
			<key>VolumeAmplifier</key>
			<integer>0</integer>
		</dict>
		<key>ConnectDrivers</key>
		<true/>
		<key>Drivers</key>
		<array>
			<string>OpenRuntime.efi</string>
			<string>OpenCanopy.efi</string>
			<string>CrScreenshotDxe.efi</string>
		</array>
		<key>Input</key>
		<dict>
			<key>KeyFiltering</key>
			<false/>
			<key>KeyForgetThreshold</key>
			<integer>0</integer>
			<key>KeyMergeThreshold</key>
			<integer>0</integer>
			<key>KeySupport</key>
			<false/>
			<key>KeySupportMode</key>
			<string></string>
			<key>KeySwap</key>
			<false/>
			<key>PointerSupport</key>
			<false/>
			<key>PointerSupportMode</key>
			<string></string>
			<key>TimerResolution</key>
			<integer>0</integer>
		</dict>
		<key>Output</key>
		<dict>
			<key>ConsoleMode</key>
			<string></string>
			<key>Resolution</key>
			<string>Max</string>
			<key>ClearScreenOnModeSwitch</key>
			<false/>
			<key>IgnoreTextInGraphics</key>
			<false/>
			<key>ProvideConsoleGop</key>
			<true/>
			<key>DirectGopRendering</key>
			<true/>
			<key>ReconnectOnResChange</key>
			<false/>
			<key>ReplaceTabWithSpace</key>
			<false/>
			<key>SanitiseClearScreen</key>
			<false/>
			<key>TextRenderer</key>
			<string>BuiltinGraphics</string>
			<key>UgaPassThrough</key>
			<false/>
		</dict>
		<key>ProtocolOverrides</key>
		<dict>
			<key>AppleAudio</key>
			<false/>
			<key>AppleBootPolicy</key>
			<true/>
			<key>AppleDebugLog</key>
			<false/>
			<key>AppleEvent</key>
			<false/>
			<key>AppleFramebufferInfo</key>
			<false/>
			<key>AppleImageConversion</key>
			<false/>
			<key>AppleKeyMap</key>
			<false/>
			<key>AppleRtcRam</key>
			<false/>
			<key>AppleSmcIo</key>
			<false/>
			<key>AppleUserInterfaceTheme</key>
			<true/>
			<key>DataHub</key>
			<false/>
			<key>DeviceProperties</key>
			<false/>
			<key>FirmwareVolume</key>
			<false/>
			<key>HashServices</key>
			<false/>
			<key>OSInfo</key>
			<false/>
			<key>UnicodeCollation</key>
			<false/>
		</dict>
		<key>Quirks</key>
		<dict>
			<key>DeduplicateBootOrder</key>
			<false/>
			<key>ExitBootServicesDelay</key>
			<integer>0</integer>
			<key>IgnoreInvalidFlexRatio</key>
			<false/>
			<key>ReleaseUsbOwnership</key>
			<false/>
			<key>RequestBootVarRouting</key>
			<true/>
			<key>TscSyncTimeout</key>
			<integer>0</integer>
			<key>UnblockFsConnect</key>
			<false/>
		</dict>
		<key>ReservedMemory</key>
		<array/>
	</dict>
</dict>
</plist>

Take this new document and save it as “config.plist” (check again that it’s plain text and not rich text) and then drop it into the /EFI/OC directory, thus:

This file is a copy of the config file I’ve been playing with and using, and is set up to allow OpenCore to identify itself as an iMac Pro and allow it to get actual Apple updates. Again, this works fine for me, but I make no warranty that it’ll work for you.
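Before dropping the file into /EFI/OC it is worth checking that it really is a plain-text plist and seeing what it will do. The script below is an added example (not from this post and not part of OpenCore) that rejects a file saved as rich text, parses the plist with the standard library, decodes the Kernel patch's Find/Replace bytes and lists the boot-args; CONFIG is a constructed, cut-down copy of the relevant parts of the file above.

```python
"""Sanity-check an OpenCore config.plist before it goes into /EFI/OC.

Added example, not part of the post or of OpenCore itself. Standard library only.
CONFIG is a constructed, cut-down copy of the post's file: just the Kernel patch
and the NVRAM boot-args that the checks below read.
"""
import plistlib
from xml.parsers.expat import ExpatError

APPLE_NVRAM_GUID = "7C436110-AB2A-4BBB-A880-FE41995C9F82"  # the boot-args variable lives here

# Constructed sample input (same values as the post's config.plist, heavily trimmed).
CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>Kernel</key>
	<dict>
		<key>Patch</key>
		<array>
			<dict>
				<key>Comment</key>
				<string>IONVMeFamily Patch#External</string>
				<key>Enabled</key>
				<true/>
				<key>Find</key>
				<data>RXh0ZXJuYWw=</data>
				<key>Identifier</key>
				<string>com.apple.iokit.IONVMeFamily</string>
				<key>MinKernel</key>
				<string>17.0.0</string>
				<key>Replace</key>
				<data>SW50ZXJuYWw=</data>
			</dict>
		</array>
	</dict>
	<key>NVRAM</key>
	<dict>
		<key>Add</key>
		<dict>
			<key>7C436110-AB2A-4BBB-A880-FE41995C9F82</key>
			<dict>
				<key>boot-args</key>
				<string>agdpmod=pikera shikigva=80 mbasd=1 -wegtree -no_compat_check no32exec=0</string>
			</dict>
		</dict>
	</dict>
</dict>
</plist>
"""


def looks_like_rtf(raw: bytes) -> bool:
    """True when the file was saved as rich text (TextEdit's default) instead of plain text."""
    return raw.lstrip().startswith(b"{\\rtf")


def load_config(raw: bytes) -> dict:
    """Parse the plist, turning the 'not plain text' and 'not a plist' failures into one error."""
    if looks_like_rtf(raw):
        raise ValueError("config.plist is RTF; re-save it as plain text")
    try:
        cfg = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError(f"config.plist is not a valid property list: {exc}") from exc
    if not isinstance(cfg, dict):
        raise ValueError("top-level plist object must be a dict")
    return cfg


def kernel_patches(cfg: dict) -> list:
    """Decode each Kernel/Patch entry so the byte patch is readable, e.g. b'External' -> b'Internal'."""
    patches = []
    for entry in cfg.get("Kernel", {}).get("Patch", []):
        find, replace = entry.get("Find", b""), entry.get("Replace", b"")
        if len(find) != len(replace):  # OpenCore requires Find and Replace to be the same length
            raise ValueError(f"{entry.get('Comment')}: Find/Replace length mismatch")
        patches.append({
            "identifier": entry.get("Identifier"),
            "comment": entry.get("Comment"),
            "enabled": bool(entry.get("Enabled", False)),
            "min_kernel": entry.get("MinKernel", ""),
            "find": find,
            "replace": replace,
        })
    return patches


def boot_args(cfg: dict) -> list:
    """The kernel boot arguments the NVRAM section will set, one token per item."""
    apple_vars = cfg.get("NVRAM", {}).get("Add", {}).get(APPLE_NVRAM_GUID, {})
    return apple_vars.get("boot-args", "").split()


if __name__ == "__main__":
    cfg = load_config(CONFIG)
    for p in kernel_patches(cfg):
        print(f"[{'on' if p['enabled'] else 'off'}] {p['identifier']}: "
              f"{p['find']!r} -> {p['replace']!r} (MinKernel {p['min_kernel'] or 'any'})")
    print("boot-args:", boot_args(cfg))
```

Run it against the real file with `load_config(open("config.plist", "rb").read())`; an RTF file or a typo in the XML is reported before it ever reaches the EFI partition.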

Next, it’s time to engage in some command-line trickery pertaining to EFI – the Extensible Firmware Interface. The EFI partition is a small partition on the disk that the computer’s firmware reads when powering up to get an idea of what hardware is running on the computer, and once it has that information the computer uses it to boot the operating system. In editing that config.plist file we’re telling the Mac Pro at the very lowest and most fundamental level that it is something that it isn’t, and also supplying some additional bits of code to allow it to function accordingly.

In order to do any of that we have to get at the existing EFI partition so we can tinker around with it, so fire up Terminal and enter the command diskutil list – you’ll end up looking at something like this:

Yes, my Terminal is set up to look like MS-DOS. I’m easily amused.

What you see here is a list of every disk and volume on the computer, but we’re only interested in the EFI volume at disk0s1. In order to get your hands on that, enter this command to mount the volume in the Finder:

sudo diskutil mount /dev/disk0s1

Once that’s mounted, take your new and improved EFI folder that you got from OpenCore and put it into the top level of your disk’s EFI volume, thus:

Finally, cross your fingers and reboot your Mac Pro.

All things being equal you’ll be able to use your computer as per normal (with the exception that if you’re using a non-Apple video card you’ll now have a boot picker that you didn’t have before). I’ve actually tried this file on two Mac Pros – one of them worked perfectly the first time and the other failed to see the startup disk, but I was able to boot into Internet Recovery and choose the existing startup disk, and then reboot into that disk without further incident.

You should also be able to install macOS Catalina or (as of this writing) the latest beta release of macOS Big Sur. As an amusing side benefit, you might also be given a notification thanking you for the purchase of your iMac Pro and offering you a guided tour of the computer that you don’t actually have…

Connecting to WiFi Captive Portals (or: How To Put A Synology In Your Office When You Only Have Stupid, Dumb WiFi).

I don’t think I wrote anything last week, which is something I feel low-grade anxiety about. One of the things I’ve been trying to do as some sort of Psychic-Goat-Sacrifice-To-The-Apocalypse-Gods is to knock out a few words of wisdom now and again so that I can tell anyone who cares that I’m trying to put some positive energy out in the world or somesuch. It’s a lie, of course; I’m just writing things down because I have more free time to bang my head against problems these days, and if I don’t record that stuff then I’ll just forget.

I’m good at forgetting things. Not maybe-I-should-seek-professional-help good, but definitely in pro-am territory. Happily, technology has solutions for people like me, and those solutions tend to be the common-sense, regular solutions that I’ll cheerfully recommend to anybody who’ll pay me to have an opinion; keep your data safe and accessible, and back it up. A lot. Equally handily, there’s a relatively simple thing for doing that – a NAS. Specifically (in this case) a Synology DiskStation 220+, nestled discreetly in a bookshelf:

Brad – I still have your Negroponte book. Sorry.

I love Synology DiskStations. They’re an excellent piece of kit, striking the line between full-featured and accessible, allowing you to do pretty much anything you want with data without making the process utterly incomprehensible. They’re the perfect $300-if-you-have-your-own-drives solution for the enterprising young IT consultant on the go, and while the latter part of that sentence seems unduly optimistic, the three hundred bucks part rather does the heavy lifting, value-wise.

The problem with having one of these in my office is that they don’t support WiFi, and the only internet I have in the office is WiFi, and there’s literally nothing that I can plug anything into to get internet via the customary physical route, i.e., a cable.

So, a problem. What I really needed was to find a way to bridge the wireless connection in the office (via Cox Wifi and their Captive Portal) to the Synology box, and at first blush this seemed pretty simple.

When you first sign a new device onto the Cox Hotspots Captive Portal (which I’m going to call “WiFi portal” from now on to save a lot of typing) it prompts you for your credentials, and once you’ve entered those you’re able to stay logged in to the network for as long as you might possibly want, because what the WiFi portal does is capture your MAC address, check to see if it’s authorized to use the network, and if not give you a prompt for your username and password. If you have a web browser installed on your computer (which you do, because otherwise I’d be intrigued to know how the hell you’re reading this) then most of this is done for you. But the Synology DiskStation has no web browser, and even if it had one it has no WiFi hardware that would allow it to connect to the WiFi network in the first place.

Oh dear.

So, I have no ability to use the Synology with WiFi, but I do have a number of large boxes filled with cables and assorted bits of networking gear of assorted vintages. Trawling through those boxes yielded one part of the answer in the form of an Apple Airport Express.

These are little puck-sized wireless boxes that were mostly designed to extend existing Apple Airport networks, but also did decent duty as simple routers that you could use to create wireless networks. One of the great things about them is that the built-in Airport Utility software in macOS gives you the option to Join A Wireless Network, which effectively turns the Airport Express into a little wireless bridge. In English: you select this option, choose a WiFi network to connect to, WiFi goes into the box, and internet comes out via a cable. Perfect. Except that there’s no web browser installed on the Airport Express so you can’t sign it into the WiFi portal, which was the same problem we had when we started.

Except no, it really isn’t. What’s happening when you use your web browser to sign into the WiFi portal is that – as I mentioned before – the first thing that happens in the process is that the portal looks at your MAC address and decides whether or not you’ve connected before. If you can tell the portal that the MAC address it’s looking at is one that it’s seen before then the portal will simply allow the device that bears that MAC address to connect to the network, no questions asked.

So, let’s start lying to the WiFi portal about who we really are. To do this we’re going to temporarily change the MAC address of your computer so that you can use it to connect to the WiFi portal, and once that’s done whatever device actually owns that MAC address will be able to connect. This is done via the command line with the following command: sudo ifconfig en0 ether 00:11:22:33:44:55 (where 00:11:22:33:44:55 equals an actual MAC address and not a lazy placeholder). You’re going to do this more than once, so if you’re like me and enjoy tinkering with your whole Terminal environment then you can add it as an alias to your .zprofile, thus:

alias mac='sudo ifconfig en0 ether'

The first step is to make sure that the Airport Express is able to join the WiFi network. To do that we’ll have to find the MAC address of the Airport Express, which is easy if you have the original box that the thing came with but not so easy if you dug the infernal gadget out of a large, dusty cardboard box of junk and knotted cables that resides in your haunted garage. Happily, there’s an undocumented way of finding the MAC address of an Airport router; simply hold down the Option key on the keyboard while clicking on the icon for the router in the Airport Utility, and instead of the default view (this):

Note the clever Airport-themed name. I’m quite proud.

…you get this:

Mmmm. MAC addresses. Delicious, delicious MAC addresses.

The next step is to take the MAC address of the Wi-Fi interface on the Airport Express and then clone that onto your computer. I chose the 5GHz MAC address, but you may have to do either the 2.4GHz or the 5GHz or both depending on the WiFi portal you’re connecting to. The first thing to do is to connect to the WiFi portal normally, then open up the Terminal and either use the handy alias from earlier on or go ahead and type in sudo ifconfig en0 ether followed by the MAC address of the appropriate wireless interface that you got from the Airport Utility. After a moment you’ll be prompted to sign into the WiFi portal again, and once you’ve done so that MAC address will be accepted and usable. Reboot your computer to reset the MAC address to its original state. No, I don’t like rebooting either. Yes, you should probably do it.

Once you’re back up and running, turn off WiFi and connect an ethernet cable to the network port on the back of the Airport Express. All things being equal you’ll now be able to connect to the internet. If not then go back a step or two and try the MAC address for the other interface on the Airport Express (2.4GHz or 5GHz).

Next, you’ll need to go snag the MAC address of your Synology NAS. This is a lot easier; simply open the Control Panel on your DiskStation, click on Info Center, and then the Network tab, thus:

Again, do the same trick: connect your computer to the WiFi portal, fire up Terminal and enter sudo ifconfig en0 ether followed by the MAC address of the DiskStation. Reboot your computer, then shut down the DiskStation, connect it to the network port of your Airport Express, then fire it up again.

This has, I must say, worked flawlessly, but there are caveats. For one thing, there’s no guarantee that you’ll retain the same IP address if there’s, say, a power outage, so if you’re planning on connecting to the Synology remotely then you’d better enable the QuickConnect feature and/or sign the thing into some kind of DDNS (I like dyndns.org, but the Synology supports a lot of options in that space). Finally, I’d encourage the use of Synology Drive to keep data synced between your Synology and your computer, as having the thing safely store and serve important things to your computer is rather the whole point of the exercise, and this makes that considerably easier…

Apple Configurator 2 and VPN Shared Secrets (or “Higher Numbers Are Not Always Better.”)

Apple’s Configurator application (now Apple Configurator 2 because it’s an irrefutable rule that adding more numbers to things makes them intrinsically better) is an essential tool in the enterprising Mac IT person’s toolbox. Initially it was designed as the way to build profiles that you’d put onto iPads, but it’s increasingly become a sort of multitool that you can use to build configuration profiles on an ad hoc basis, and even to resuscitate dead T2-enabled Macs.

It’s great, except that (as is the way of things) updates not only introduce fixes but occasionally add new and interesting problems. More specifically (and the reason I’m writing all of this nonsense), I spent a frustrating hour or two this week trying to work out why in the name of all that’s good and true Apple would see fit to remove the Shared Secret field from the VPN configuration portion of the Configurator. I’d been building config profiles to post on an intranet for a client, so imagine my surprise when instead of seeing a field where I could pop in the Shared Secret I saw… well. Nothing. Nothing at all. And that was a problem.

Do you see a field for the Shared Secret? No. You do not. Neither do I.

So, a problem. But every problem is a solution waiting to be discovered, and happily enough this one is the most enjoyable kind of head-scratcher; the kind that can be solved with a modicum of common sense and only minor trickery. Happier yet, the .config files generated by Apple Configurator are basically just Property List files that can be opened by a text editor and tweaked. It’s just a case of knowing what tweaks to make.

First, figuring out what to add to the .config file. The mysterious removal of the Shared Secret field showed up with the most recent version of Apple Configurator (2.12.1), but prior versions allowed you to set that configuration, so digging out an older .config file and opening it allows you to see what’s different, thus:

One of these is not like the other.

The older .config file (on the right) includes this text:

<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>PromptForVPNPIN</key>
<false/>
<key>OnDemandEnabled</key>
<integer>0</integer>
<key>SharedSecret</key>
<data> encoded-shared-secret </data>
</dict>

So, copying that into the new, non-shared-secreted .config file should theoretically add the shared secret into the configuration. Great! There’s just one more piece of the puzzle – encoding the shared secret itself. There are websites out there that will allow you to plug in text and convert it to Base64, but it’s simple enough to do it via the Terminal. Let’s say your shared secret is… well, let’s just call it sharedsecretpassword:

echo -n 'sharedsecretpassword' | base64

Which will translate sharedsecretpassword to c2hhcmVkc2VjcmV0cGFzc3dvcmQ=

Edit the .config file thus:

<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>PromptForVPNPIN</key>
<false/>
<key>OnDemandEnabled</key>
<integer>0</integer>
<key>SharedSecret</key>
<data> c2hhcmVkc2VjcmV0cGFzc3dvcmQ= </data>
</dict>

…hit “Save”, et voilà. You’ll now have a functional VPN config file that can be deployed with the shared secret (even though Apple Configurator doesn’t seem to want you to).
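The same edit can be scripted, which avoids hand-editing XML and pasting secrets into a website. The script below is an added example (not Apple’s code and not what Configurator does); it assumes the profile is an XML plist whose PayloadContent array holds a com.apple.vpn.managed payload, that the IPSec dict belongs inside that payload, and uses a constructed PROFILE as input.

```python
"""Put the IPSec SharedSecret back into a VPN configuration profile.

Added example, not Apple's or Configurator's own code. Assumption: the profile is
an XML plist with a PayloadContent array holding a com.apple.vpn.managed payload,
and the IPSec dict belongs inside that payload. PROFILE is a constructed sample.
"""
import plistlib

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"

# Constructed sample: a minimal profile as written without the Shared Secret field.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>Office VPN</string>
			<key>VPNType</key>
			<string>IPSec</string>
			<key>IPSec</key>
			<dict>
				<key>RemoteAddress</key>
				<string>vpn.example.com</string>
			</dict>
		</dict>
	</array>
</dict>
</plist>
"""


def shared_secret_keys(secret: str) -> dict:
    """The keys the older .config carried. The secret is passed as bytes so that
    plistlib writes it as <data>, i.e. base64, exactly like `echo -n ... | base64`."""
    return {
        "AuthenticationMethod": "SharedSecret",
        "PromptForVPNPIN": False,
        "OnDemandEnabled": 0,
        "SharedSecret": secret.encode("utf-8"),
    }


def add_shared_secret(profile: bytes, secret: str) -> bytes:
    """Merge the shared-secret keys into every VPN payload's IPSec dict; return XML plist bytes."""
    plist = plistlib.loads(profile)
    vpn_payloads = [p for p in plist.get("PayloadContent", [])
                    if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if not vpn_payloads:
        raise ValueError(f"profile has no {VPN_PAYLOAD_TYPE} payload")
    for payload in vpn_payloads:
        payload.setdefault("IPSec", {}).update(shared_secret_keys(secret))
    return plistlib.dumps(plist, fmt=plistlib.FMT_XML, sort_keys=False)


def read_shared_secret(profile: bytes) -> str:
    """Recover the secret from a profile. Base64 is encoding, not encryption: anyone
    who can download the .config from the intranet can read it, so guard the file."""
    plist = plistlib.loads(profile)
    for payload in plist.get("PayloadContent", []):
        ipsec = payload.get("IPSec", {})
        if payload.get("PayloadType") == VPN_PAYLOAD_TYPE and "SharedSecret" in ipsec:
            return ipsec["SharedSecret"].decode("utf-8")
    raise KeyError("profile carries no IPSec SharedSecret")


if __name__ == "__main__":
    patched = add_shared_secret(PROFILE, "sharedsecretpassword")
    print(patched.decode("utf-8"))
    print("round-trip:", read_shared_secret(patched))
```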

Making Nice with .DS_Store

One thing that’s become abundantly apparent during this long, disease-vectored sequester we all seem to be on is that this time represents a wonderful opportunity to get the kind of frank, honest feedback about ourselves that only our nearest and dearest can bestow. And when I mean “bestow” I mean “crush all illusions about how you are perceived by the people who are around you the most.”

Two things that I’m being educated on of late are that I am not as amusing as I think and I am I’m also fussy about things in ways that are frequently incompatible with other people. Not in big, interesting ways (I mean, I’m not a monster), but in small, frustrating ways. I like my coffee very specifically made from one very specific coffee shop that my coffee friends look down on as being The Bad Coffee Shop, and will ruthlessly subvert and hijack plans so that said Bad Coffee Shop ends up being our ultimate destination. Being masked and gloved and PPE’d and socially distanced hasn’t changed that – it’s just made it more apparent and troublesome.

It’s nothing personal. It’s just that I know that the Bad Coffee Shop is secretly the Best Coffee Shop. I’m capable of sustaining the position that my way is really the only correct way, even while cheerfully acknowledging that said position is, in fact, tangibly incorrect. I call it the “Grand Irrefutable Theory of Self Deception™” because it’s my flaw and the very least I should be able to do is name the wretched thing.

Take Finder views, for example. I like them when they look like this:

This is the way you should be.

…because the Column view is clearly superior, and everyone should look at their files that way. It’s so much better! You can zip up and down directory hierarchies quickly and simply! I’m right!

Not everyone feels that way – mostly because of the aforementioned “Grand Irrefutable Theory of” etc. Some people (philistines and malcontents in the main) prefer the old-fashioned icon view, thus:

Why?

It’s unfortunate that some of us have to work with these poor, misguided folks, but there’s no reason why you should have to put up with their ham-fisted insanity when there’s a better way.

Your Mac knows how you like your files positioned and your preferred view and retains that information in tiny, invisible files that it creates in each directory you access. These files are .DS_Store files, where “DS” stands for “Desktop Services”. They’re difficult to open and inspect, but once you crack one open and take a look it’s clear that they contain information about the window’s position on screen, the window view, icon size, relative position inside the window, the status and visibility of the window bar icons, the sidebar, backgrounds, snap-to-grid, stacks and so on and so forth. Whenever you change view or move something around those changes are updated in the .DS_Store file so that next time you open that window it appears exactly the way you left it.

Which is great if it’s your computer, but not so great if it’s a share on a server that is also accessed by nincompoops and dunderheaded ne’er-do-wells who prefer icon view for some insane, incalculable reason, because the moment they open that window they see your (superb, intelligent, morally-superior) layout and not their stupid mess. And then they change it to reflect the way they like to do things and then when you open it again it’s all awful and you have to step away and go lie down in a dark, cool room for a while.

Happily, there’s a way to tell your computer not to write those .DS_Store files to network volumes, which locks in as default the nonsensical, asinine way that your idiot colleagues and co-workers like to use their stuff – simply fire up the Terminal and enter the following:

defaults write com.apple.desktopservices DSDontWriteNetworkStores true

Once you’ve done that then your colleagues will be able to set up the way they view those files according to whatever the inchoate voices in their heads tell them to, and you won’t have to put up with that. Instead, the next time that you access that folder you’ll be able to set the view appropriately. Like the misunderstood genius that you are. Right? Right.

Staying Cool with kernel_task

Here’s fun. Back in the Halcyon Days of 1982 one Richard McClintock made an interesting discovery – the origins of Lorem Ipsum (you know, the filler text you occasionally find padding out web pages and anywhere requiring placeholder material), thus:

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Mr McClintock – in a letter to Before & After magazine in 1994 – pointed out that the full passage was originally an excerpt from Cicero’s ethical treatise “The Extremes of Good And Evil” which was the number one hot bestseller of 45 B.C (probably). At some point in the sixteenth century – so the theory goes – an annoyed typesetter threw Cicero’s text into his press along with some filler, nonsense words in order to pad out enough text to mockup different types and fonts for a book, and then due to tradition and institutional laziness it stuck around for the next five hundred years and is still popping up today whenever You Just Need To Put Something There.

The thing is that it turns out there’s enormous value in having something on tap that you can use as a quick, reliable placeholder. It makes your life easier, you don’t have to constantly reinvent the wheel and go find new material to put into place, and it’s widely recognized for what it is; not actual content, but something to fill empty space until actual content can be substituted and you can go back to work.

But this isn’t my typeset blog; this is my macOS IT blog. And I’m not here to talk about placeholder text; I’m here to talk about placeholder processes. Hmm? What’s that? Well, I’m glad you asked. Meet kernel_task – the Lorem Ipsum of the macOS world.

When your Mac is running something particularly demanding then the chances are that whatever the “something” is will be using a lot of the CPU. You can see this in the Activity Monitor.app – sorting by % CPU will show you which apps or services are using the most system resources. The more CPU a process or program uses the more power it consumes, and the more heat it generates. And that’s fine; well-engineered computers and devices are built with heat tolerance and dissipation in mind (well, most are. I had a colleague who blew through three – yes, three – cheap PC laptops that all melted while my slightly more expensive PowerBook kept on ticking in support of the Sam Vimes Theory of Boots). Still, there are times and circumstances where it pays to have a way to throttle the activity of your computer to allow it to cool down – and this is what kernel_task does.

Simply put, it’s a process that the computer fires up whenever it decides that it’s running too hot, specifically to block other processes and applications from using the processor. Google Chrome wants to use a hundred percent of your CPU? Sorry; it’ll have to wait. kernel_task is using that right now, except all it’s doing is twiddling its thumbs, waiting for the computer to cool down while the fans run. Once things are back to an acceptable operating temperature then kernel_task frees up more and more resources until finally it all but disappears…

Choose your weapon: VPN, Proxy or Tor

It probably says something mildly disturbing about my character that I’m borderline obsessed with online security. That might sound like a setup for some kind of epic humble-brag (“I suppose my greatest weakness is that I’m too dedicated to doing this thing that is awesome” etc), but honestly, if you want to distract me from anything useful then start talking to me about IT security and I’ll break out the grey beard and pocket protector and suddenly turn from the dapper bon vivant my clients know and love into an utter, utter adenoidal bore.

Freudian theory would dictate that I’m clearly hiding some terrible, dark set of secrets that make me preternaturally concerned with discovery and deceit, but I’m frankly baffled as to what they could be. I mean, my greatest flaws are that I lie about going to the gym, play Dungeons and Dragons over Zoom with other nerds on Thursday nights and my secret addiction is about thirty-five dollars a week in espresso and not opioids or persons of negotiable value. It’s distressingly low-stakes stuff. My midlife crises are of the existential variety and not the acting-out type. I’m… well. I’m pretty dull.

And it’s probably that inherent, unrelenting dullness that makes me interested in security, simply because a lot of it is so cerebral and complex, and scratches all the itches that speak to philately and not philandery. Still, there are nuances that are potentially interesting to people who don’t lick their chops when they hear about end-to-end encryption and start banging on about said subject while their loved ones roll their eyes at the dinner table and exchange just-let-him-get-it-out-of-his-system looks, and those nuances also happily seem to fall into the category of things-I’m-sometimes-asked-about, and so here we are in paragraph three and I’m about to talk about masking your IP address. I’ll try and make this painless.

Practicing safe browsing is common sense in this day and age. It’s not simply a case of hiding your location and details from the authorities out of (probably justifiable) paranoia about The Man nor is it about using anonymity to go and do illegal things on the internet. Okay, it’s partly about those things, but it’s more about the value of privacy in an age where the commoditization of the individual has become the chief form of currency. Advertisers track you, build profiles of you, push products and content at you, increasingly crafting narratives and information designed to feed their ideas of who you are economically and demographically. Andrew Lewis put it concisely into this quote: “If you are not paying for it, you’re not the customer; you’re the product being sold.” It’s an unfortunate condition of using the internet, and it’s kind of gross. But there are simple, easy, legitimate ways to take yourself off the market.

VPNs and Proxies are a simple and effective way to mask your location and presence on the internet, and Tor is a technology that essentially uses an alternate network altogether. There are pros and cons to each.

A VPN creates a Virtual Private Network – an encrypted channel between you and the VPN endpoint you’re connecting to on the internet.

Pro: When you connect to a VPN you’re essentially telling your computer that it has a special network interface, and that when data is sent out via that interface it is encrypted and protected and – as far as the world is concerned – you’re actually at the end point. A prime use for VPNs is connecting from a remote location – coffee shop, airport, home – to an office network. You host a VPN at the office and connect to it remotely, and as soon as you do so then your office network thinks that you’re on its local network and in your office and not using the Shake Shack™ guest Wifi network in Irvine, CA. The sketchy guy at the table near the door can’t eavesdrop on the traffic going into and out of your computer, and you can access all the resources you have in the office (servers, printers etc) just as if you were actually on the office network – because in a very real sense, you are on the office network.

Con: VPNs don’t always work. Oh, sure, they mostly work just fine, but it’s entirely possible for VPN traffic to be blocked or throttled by ISPs and local networks – particularly if you’re running your own VPN out of your office/remote location. If you don’t run or roll your own and prefer to use a commercial VPN solution (you know, the kind you pay ten bucks a month for) then you need to read some fine print and do some research. Sure, any data you send to and from those VPN providers is securely encrypted, but there’s nothing preventing them from logging what you access on the internet once you’re connected to them. Some VPN providers will swear blind that they don’t keep logs, but that’s not always factually correct.

Proxies are much like VPNs in that traffic you send or receive is handled on your behalf by a third party, but a proxy is usually configured for one application or protocol rather than for the whole machine.

Pro: Proxies are flexible; where a VPN sends everything leaving your computer through the encrypted tunnel to one remote location, a proxy can be set up for a particular service or program. Want to use one proxy for web traffic in Safari and another for gaming? Fiddly, but doable. Proxies are also relatively simple to set up and inexpensive.

Con: A plain HTTP or SOCKS proxy does nothing to encrypt what passes through it, and a free public proxy is often slower than a decent VPN anyway. That guy at Shake Shack™ might as well be like that kid John Ellison when you were in eighth grade who you had pass a note to Hannah Davis during math class to ask if she’ll go out with you. Yes, he’s going to be able to read everything (everything not already wrapped in HTTPS, at least), and No, she was never going to date you with that haircut.

Tor is the one I get asked about least. I think that’s because Tor doesn’t look like the internet as we know it; it bounces your traffic through a chain of relays run by volunteers before it ever reaches the site you’re visiting.

Pro: Tor does a lot to hide who is talking to whom. It’s less a product and more a system: your client wraps each message in layers of encryption, one per relay, and sends it through a circuit of three relays (guard, middle, exit). Each relay peels off one layer and learns only where the traffic came from and where it goes next, so no single relay sees both your address and the site you’re visiting. To use Tor you’ll need the Tor Browser (based on Firefox).

Con: The Tor Browser is great and gets you onto the Tor network, but it’s not infallible. The exit relay is where your traffic leaves Tor for the ordinary internet, so whoever runs it can read (and tamper with) anything that isn’t already protected by HTTPS. Additionally, the Tor Browser only protects its own traffic – anything else your computer sends out is visible to your ISP as usual, and your ISP can also see that you’re connecting to Tor unless you go through a bridge.

So, what does this all get you? Well, it’s clear that there are pros and cons to proxies, Tor and VPNs. But can you mix and match to get the best of all worlds?

Sort of. You can put a proxy in front of Tor (you, then the proxy, then Tor), which isn’t a great idea: the Tor client still encrypts everything to the guard relay, so the proxy can’t read your traffic, but the proxy operator now knows your real address and that you’re using Tor. The other way round (you, then Tor, then the proxy) is marginally better for a different reason: the site you visit sees the proxy’s address rather than a known Tor exit, which helps with sites that block Tor. Your ISP still sees you connecting to the Tor network, though, and the proxy operator is now in exactly the position the exit relay was in. And it’d be slow. Like, slow.

No, the better move is to combine a VPN and Tor, with the VPN first. Using those two together isn’t what you’d call fast, either, but it plugs a couple of holes: your ISP sees only a VPN connection rather than Tor, and the Tor guard sees the VPN server’s address rather than yours. What it doesn’t give you is end-to-end encryption – your traffic still leaves the exit relay in whatever form you sent it, so HTTPS is still on you. Your data is encrypted when it enters the Tor network and your origin IP address is likewise protected…
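To make the who-sees-what argument above concrete (both the three-relay circuit and the VPN-then-Tor combination), here is an added example of my own; it is not code from the original post or from the Tor project. It models a circuit as three layers of encryption, peels one layer at each relay, and reports which hop learns the client’s address and which hop can read the request. The relay names, the client address 203.0.113.7, the destination, and the HMAC-based stream cipher are all assumptions for the demo; real Tor negotiates a separate key with each relay via a handshake and uses AES, and the VPN tunnel itself is not modelled beyond the VPN server standing between you and the guard.

```python
# Added example: "who sees what" in a Tor circuit, optionally behind a VPN.
# Everything here (keys, names, addresses, the cipher) is constructed for the demo.
import hashlib
import hmac

RELAYS = ["guard", "middle", "exit"]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Demo symmetric cipher: XOR data with an HMAC-SHA256 counter keystream.
    Applying it twice with the same key restores the data. Demo only: each key
    is used for exactly one message here, so no nonce is needed."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def demo_keys() -> dict:
    """Deterministic per-hop keys plus one shared with the destination (standing
    in for HTTPS). Fixed so the output is reproducible; never do this for real."""
    return {name: hashlib.sha256(b"demo-key-" + name.encode()).digest()
            for name in RELAYS + ["destination"]}


def build_onion(keys: dict, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload in three layers, innermost for the exit."""
    cell = stream_xor(keys["exit"], destination.encode() + b"\n" + payload)
    cell = stream_xor(keys["middle"], b"exit\n" + cell)    # middle learns: next is exit
    cell = stream_xor(keys["guard"], b"middle\n" + cell)   # guard learns: next is middle
    return cell


def peel(key: bytes, cell: bytes):
    """One relay strips its layer and learns only the next hop."""
    next_hop, inner = stream_xor(key, cell).split(b"\n", 1)
    return next_hop.decode(), inner


def run_circuit(keys: dict, client_ip: str, destination: str,
                payload: bytes, via_vpn: bool = False):
    """Send payload through [vpn ->] guard -> middle -> exit -> destination.
    Returns (views, delivered_to, delivered_bytes). Each view records what that
    hop could observe: who handed it the traffic, where it sent it, and the bytes."""
    cell = build_onion(keys, destination, payload)
    views, prev = [], client_ip
    if via_vpn:
        # The VPN server ends the tunnel and forwards the still-Tor-encrypted cell
        # to the guard: it sees the client's IP and that the client uses Tor.
        views.append({"hop": "vpn", "from": prev, "to": "guard", "bytes": cell})
        prev = "vpn"
    for name in RELAYS:
        next_hop, inner = peel(keys[name], cell)
        views.append({"hop": name, "from": prev, "to": next_hop, "bytes": inner})
        prev, cell = name, inner
    return views, next_hop, cell


def who_can_read(views: list, payload: bytes) -> list:
    """Hops that saw the payload in the clear."""
    return [v["hop"] for v in views if payload in v["bytes"]]


def who_knows_client(views: list, client_ip: str) -> list:
    """Hops that received traffic directly from the client's real address."""
    return [v["hop"] for v in views if v["from"] == client_ip]


if __name__ == "__main__":
    keys, req, client = demo_keys(), b"GET /secret HTTP/1.1", "203.0.113.7"
    for via_vpn in (False, True):
        for label, body in (("plain HTTP", req),
                            ("HTTPS-like", stream_xor(keys["destination"], req))):
            views, to, _ = run_circuit(keys, client, "example.com:443", body, via_vpn)
            print(f"vpn={via_vpn!s:5} {label:10} -> {to}; "
                  f"knows client: {who_knows_client(views, client)}; "
                  f"reads request: {who_can_read(views, req)}")
```

Running it shows the four cases side by side: without a VPN only the guard ever sees your address and only the exit reads a plain-HTTP request; with the VPN in front, the guard sees the VPN server instead of you; and when the request is itself encrypted to the destination (the HTTPS stand-in) nobody in the chain reads it, which is why HTTPS stays on you no matter how you stack these.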