Fazal Majid's low-intensity blog

I never updated my home Mac Pro to El Capitan. To paraphrase Borges, each successive Apple OS release since Snow Leopard makes you long for the previous one. Unfortunately I have no choice but to run the latest OS X release on my work Macs as that is usually required to run the latest Xcode, itself required for the App Store.

I did not realize how bad El Capitan was until I upgraded my work iMac (27-inch 5K model) to Sierra last week. Previously, I would experience a mean time between crashes of around 3 days. I thought it was flaky hardware (the problems started from when I unboxed the computer), but couldn’t find the time to take it to the Genius Bar. I had also experienced the same problem with my old home 2009 Nehalem Mac Pro, which I had taken to the office, in fact that’s why I bought the iMac in the first place (and the first one I ordered had to go back because of defective pins in the RAM expansion slots). The Mac Pro had previously been rock-steady at home.

Since I upgraded to Sierra, I haven’t had a single crash. The only possible conclusion is that El Capitan bugs were to blame. The only thing unusual about this iMac is I upgraded the RAM from OWC, but the memory passes testing using Micromat’s TechTool.

I am not one to look at the Steve Jobs era with rosy-tinted glasses, OS X has never had the same level of stability as Solaris or even Linux, but Apple’s hardware and software quality has really gone to the dogs of late, something Lloyd Chambers dubs Apple Core Rot.

I am now starting to hedge my bets and am testing Ubuntu for my laptop computing needs, first by repurposing my 2008-vintage first-generation MacBook Air that is no longer supported by OS X anyway (works, but painfully slow) and soon with a shiny new HP Spectre on order.

I mentioned previously that I seldom shop for electronics on Amazon.com any more, preferring B&H Photo whenever possible. I now have another reason: avoiding counterfeit goods.

My company boardroom is in an electromagnetic war zone—dozens of competing WiFi access points combined with electronic interference from the US-101 highway just outside make WiFi reception tenuous at best, and unusable more often than not. To work around this, we set up a wired Ethernet switch, and since most of our staff use MacBook Airs, Apple USB Ethernet adapters purchased from Amazon. When I side-graded from my 15″ Retina MacBook Pro to a much more portable 12″ Retina MacBook, I wasn’t able to connect using the dongle, and the name of the device was interspersed with Chinese characters. At first I thought it was an issue with my Satechi USB-C hub, but I experienced the same problems via a genuine Apple USB-C multiport adapter as well.

Eventually I figured out the Ethernet dongles were counterfeit. The packaging, while very similar to Apple’s, was just a tiny bit off, like amateurish margins between the Apple logo and the edges of the card. On the dongles themselves, the side regulatory disclosures sticker was inset, not flush with the body of the adapter.

Counterfeiting is a major problem. By some accounts, one third of all Sandisk memory cards worldwide are counterfeits. In some cases like chargers or batteries, your equipment could be at risk, or even your very life. The counterfeit adapters we purchased from Amazon did not come from Amazon themselves but from a third-party merchant participating in the Amazon marketplace. To Amazon’s credit, we returned them for a prompt, no questions asked refund even though we bought them over six months ago, but it is hard to believe Amazon is unaware of the problem rather than willfully turning a blind eye to it.

My first reaction was to tell our Office Manager to make sure to buy only from Amazon rather than third-party merchants (pro tip: including “amazon” in your Amazon search terms will do that in most cases). Unfortunately, that may not be enough. Amazon has a “fulfilled by Amazon” program for merchants where you ship your goods to them, and they handle warehousing and fulfillment. These “fulfilled by Amazon” items are also more attractive to Prime members. One option Amazon offers is Stickerless, commingled inventory where the items you send are put into a common bin. Amazon still has the ability to trace the provenance of the item through its inventory management, but for purposes of order fulfillment they will be handled just like Amazon’s own stock. Some categories like groceries and beauty products are excluded, but electronics are not.

The implications are huge: even if the vendor is Amazon itself, you cannot be sure that the item is not counterfeit. All the more reason to buy only from trustworthy, single-vendor sites like B&H, even if shipping is a bit slower.

I use Dovecot as my mail server, with maildir format mailboxes. It is very easy to make the Sent folder be the same as the Inbox: just symlink the Sent messages folder’s cur subdirectory to be the same as the Maildir’s top-level new directory. This ensures any email placed in the Sent messages folder is magically a whisked off to the inbox.

starvald ~>ll Maildir/.Sent\ Messages/
total 85
drwxr-xr-x 5 majid engineers 11 Apr 20 13:01 ./
drwxr-xr-x 268 majid engineers 278 Apr 20 13:26 ../
drwxr-xr-x 2 majid engineers 2 Oct 14 2007 courierimapkeywords/
lrwxrwxrwx 1 majid engineers 6 Oct 30 2010 cur -> ../new/
-rw-r--r-- 1 majid engineers 33 Jun 15 2011 dovecot-keywords
-rw-r--r-- 1 majid engineers 54 Apr 20 13:01 dovecot-uidlist
-rw-r--r-- 1 majid engineers 400 Apr 20 08:38 dovecot.index
-rw-r--r-- 1 majid engineers 24K Apr 20 08:39 dovecot.index.cache
-rw-r--r-- 1 majid engineers 26K Apr 20 13:01 dovecot.index.log
drwxr-xr-x 2 majid engineers 2 Apr 19 09:43 new/
drwxr-xr-x 2 majid engineers 2 Apr 20 08:38 tmp/

This blog now supports the HTTP/2 protocol, courtesy of nginx 1.9.5 (PDF).

In the process, I was stymied by an “ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY” error from Google Chrome. HTTP/2 mandates TLS de facto, if not in the strict letter of the specification, and it also forbids a number of obsolete or weaker SSL/TLS ciphers to only permit ones that are truly secure. After some considerable digging, I found out the issue is Google Chrome on Mac and Android (presumably Windows as well) does not support 256-bit AES in HTTP/2, and my server was set up to only accept 256-bit encryption (only the best will do for my readers!). The error message was misleading: it’s not the server but Chrome’s crypto which is lacking.

It seems the cryptographers at Google feel 128-bit AES in Galois Counter Mode is good enough, and they did not want to be too far apart from Firefox (which does not support it either, and just fails without even the courtesy of an error message). In contrast, Safari on Yosemite supports AES-256-CBC (not ideal, I know, but that’s also what Chrome supports if HTTP/2 is turned off) and AES-256-GCM on El Capitan and iOS 9. Here are the settings your browser uses:

This is disappointing. AES-256-GCM is supported in hardware on most Intel hardware nowadays (all but lowest-end chips have the AES-NI instructions) and in the ARMv8-A architecture supported by most smartphones and mobile devices today, where the extra CPU load would matter most. I wonder how much of this is driven by Google’s fondness for Dan Bernstein’s ChaCha20+Poly1305 algorithms. Excellent as they may be, they are not implemented in hardware on the most common platforms, nor implemented at all in OpenSSL. It is quite disconcerting that my phone has better crypto than my desktop browser.

I ended up resolving the issue by loosening my cipher list from AES256+EECDH to EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH, but Chrome really should catch up and not let itself be hobbled by the increasingly irrelevant Firefox and its hoary NSS crypto.

I probably sound harsher than I intended towards the Google crypto team. The backward compatibility issues they have to deal with, from poorly designed TLS standards to broken web server software, intrusive anti-virus or corporate proxy servers mean a lot of their energy goes into exception cases, rather than implementing the latest and greatest in crypto algorithms.

Update (2017-01-18):

It looks like Chrome silently added AES256-GCM support last year, as it now negotiates the ECDHE-RSA-AES256-GCM-SHA384 cipher on aes256gcm.majid.org.

Professional Organizers will wax lyrical about label-makers, file folders, and the like, but one unheralded gizmo I have found surprisingly effective is a heat sealer, in my case the AIE-200C. It’s made right here in California, and very robust, although if I were to buy one again, I would probably spring for the 12″ version. You put stuff in a polyethylene bag (up to 6 mil or 0.15mm thick, but 4 mil seems like the optimum for robustness while remaining flexible and see-through), put the open end under the sealer, set the thermostat, press and cut the excess bag with the built-in cutter. It makes a 1mm wide heat weld in the bag, which is now airtight and water-proof. You can also buy rolls for massive capacity, but that seemed like overkill.

The great advantage of a heat sealer over ziploc bags is that you cut the bag to size, instead of having items floating around in an oversized bag, which means it’s much tidier, and also takes up less space. Cables are much more manageable when individually bagged so they cannot tangle together, for instance. They are also perfect for infrequently used supplies, random parts for the house or appliances, or infrequently used tools.

My current approach to organizing random stuff is to bag it, optionally include a description written on an index card if it is not immediately obvious what it is, seal it then dump it in a Rubbermaid plastic bin. When the bin is full, I will take an inventory in a spreadsheet (more specifically OmniOutliner and Delicious Library). In a year’s time, I will cull them as needed.

This system is close in spirit to my paperless workflow: do not exhaust yourself attempting to physically organize the long tail of stuff that doesn’t fit in an established category with a well-defined home. Just put them in numbered containers and keep an index on a computer where they are much easier to search. There are also smartphone apps to streamline this inventory task like Home Inventory Photo Remote.