At its October 2019 meeting, Strait Macintosh User Group had a brief demonstration of how to securely configure macOS Catalina. However, as the meeting was only an hour long, and there were lots of questions, most of those in attendance emerged dazed and confused. This included the person giving the presentation, but Lawrence Charters promised to publish a guide to the major points covered. He implied it would be published soon. He was wrong.
But the configuration document is now complete, and can be found at this link:
The October 15, 2019 meeting of Strait Macintosh User Group focused on macOS Catalina 10.15. The meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. Notes by Secretary Kathleen Charters.
Meeting called to order at 7 p.m. by President Sabrina Davis. Sabrina welcomed three new visitors. Treasurer Annalis Schutzmann reported the treasury stood at $386.75. In response to a question, Annalis said dues are $24 for 12 months, per family.
The November meeting will be November 19, and the December meeting will be December 17, both at the Sequim Public Library.
Before the meeting started, Vice President Lawrence Charters explained the confusion over the email meeting announcement. Sabrina asked him to repeat the story…
Wave Broadband and Google Mail in conflict
Wave Broadband, the leading Internet Service Provider (ISP) on the Olympic Peninsula, had a surplus of problems in October. Lawrence has a Fingbox which, among other things, performs network security functions, and also checks for Internet slowdowns and outages. In the first two weeks, his Fingbox recorded six complete outages of an hour or more, and dozens of slowdowns and mini-outages.
One of these outages occurred late Friday, October 12, just as he sent off a message to the 293 addresses in the Strait Mac mailing list. This one message did make it to Wave Broadband, where it was expanded into 293 messages — which were held for four hours. When they were eventually delivered to Google (the straitmac.vicepresident account is on Google Mail), Google generated a bunch of cryptic error messages and bounced them back because they were suspiciously delayed. Google Mail only allows 500 messages in a 24 hour period, and the 293 outgoing messages and 293 incoming messages effectively shut down the account for a day.
Unaware of the problem, Lawrence was surprised to get a message from Sabrina on Monday, October 14, asking about the meeting. Lawrence did some research, found out about the 500 messages a day limit, and decided to send out a second message — just as Wave had a six-hour outage. The 293 outgoing messages and 293 bounces again shut down the account.
On Tuesday, October 15 (the day of the meeting), Lawrence sent out a message from his personal (not SMUG) account, and that one, thankfully, did reach everyone.
This story prompted a number of questions about Internet connectivity on the Olympic Peninsula, none of which have particularly encouraging answers. Except: do not have your only mail account on Wave, or Olypen, or any other local ISP (Internet Service Provider).
And now for the presentation —
Securely installing macOS Catalina
Security professionals recommend the following steps to securely install an operating system:
Do a full backup of your system.
Erase your hard drive — completely.
Do a “clean install” of your operating system (i.e., do a full install by downloading macOS Catalina directly from Apple, without any remains of a previous operating system, data, preferences, or anything else).
Do a “clean install” of all your applications.
Restore your data from your backup.
Except in government and corporate environments, hardly anyone ever does this. It is a lot of work.
macOS Catalina for Real People
Most living, breathing people should do this. It is less work. It is also less secure, but not that much less.
Before anything else, run Disk Utility (you can find it in Applications > Utilities) and use First Aid to check the health of your hard drive. If your hard drive displays any problems, correct them before upgrading.
What does First Aid check? For one computer called Portacray, it checked a whole bunch of things. An “exit code” of 0 (zero) means everything was normal:
Started file system verification on disk1s5 Portacray
Verifying file system
Volume could not be unmounted
Using live mode
Performing fsck_apfs -n -l -x /dev/rdisk1s5
Checking the container superblock
Checking the EFI jumpstart record
Checking the space manager
Checking the space manager free queue trees
Checking the object map
Checking the APFS volume superblock
The volume Portacray was formatted by diskmanagemen (1422.214.171.124.1) and last modified by apfs_kext (1412.11.7)
Checking the object map
Checking the snapshot metadata tree
Checking the snapshot metadata
Checking snapshot 1 of 2 (com.apple.TimeMachine.2019-10-19-074436.local)
Checking snapshot 2 of 2 (com.apple.TimeMachine.2019-10-27-120314.local)
Checking the extent ref tree
Checking the fsroot tree
Verifying allocated space
The volume /dev/rdisk1s5 appears to be OK
File system check exit code is 0
Restoring the original state found as mounted
Finished file system verification on disk1s5 Portacray
After confirming the disk drive is in good shape:
Do a full backup of your computer. The easiest, cheapest, most thorough way to do this is through Time Machine. It comes with your Mac, it is easy to use, and as long as you don’t futz with it, it does an excellent job.
Update or remove all applications that are not 64-bit.
It doesn’t hurt to leave them as-is, but since they won’t work with Catalina, you might as well clear them out.
Go to Apple menu > About This Mac > System Report
Scroll down to Software > Applications
[Wait for the list to build then] Go to the extreme right column, 64-Bit (Intel) and sort the list by clicking on the heading. Update or remove anything important listed as “No.”
A good way to remove applications, plus their preference files: Appcleaner from FreeMacSoft. It is free.
If using the System Report is too much trouble (and it is awkward), an alternative: go to St. Clair Software, https://www.stclairsoft.com/Go64/ and download Go64. It produces a nice, annotated report, and yes, it is free.
Empty the Trash.
Clean out everything from your Downloads folder.
Empty the cache from your browsers. All of them (Safari, Firefox, Chrome, whatever).
Clean up everything from your Desktop.
Update any existing applications that need updates.
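For the "update or remove all applications that are not 64-bit" step above, the same list can be pulled from Terminal. This script is an added example, not part of the original presentation; it assumes the Mojave-style text layout of `system_profiler SPApplicationsDataType`, where each application has a "64-Bit (Intel)" field, and the sample report and application names in it are constructed.

```shell
#!/bin/sh
# Added example: list applications that the System Report marks as not 64-bit.
# Assumption: the report uses the Mojave-style text layout, i.e. an app name
# indented four spaces and ending in ":", followed by fields indented six
# spaces, including "64-Bit (Intel): Yes|No" and "Location: <path>".

# Reads a report on stdin; prints "name<TAB>location" for each non-64-bit app.
list_32bit_apps() {
    awk '
        # Print the app collected so far if it was flagged "No".
        function emit() {
            if (name != "" && is64 == "No") printf "%s\t%s\n", name, loc
        }
        # App header line: exactly four spaces, the name, a trailing colon.
        /^    [^ ].*:$/ {
            emit()
            name = $0
            sub(/^    /, "", name)
            sub(/:$/, "", name)
            is64 = ""; loc = ""
            next
        }
        /^      64-Bit \(Intel\): / { is64 = $NF }
        /^      Location: / {
            loc = $0
            sub(/^      Location: /, "", loc)   # keeps paths with spaces intact
        }
        END { emit() }
    '
}

# Constructed sample report (hypothetical apps), used when not on a Mac.
sample_report() {
    cat <<'EOF'
Applications:

    Safari:

      Version: 13.0.2
      Obtained from: Apple
      Kind: Intel
      64-Bit (Intel): Yes
      Location: /Applications/Safari.app

    Old Scanner Tool:

      Version: 2.1
      Obtained from: Unknown
      Kind: Intel
      64-Bit (Intel): No
      Location: /Applications/Old Scanner Tool.app

    Legacy Game:

      Version: 1.0.4
      Obtained from: Identified Developer
      Kind: Intel
      64-Bit (Intel): No
      Location: /Users/demo/Applications/Legacy Game.app
EOF
}

# On a Mac, read the real report; elsewhere, fall back to the sample.
if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPApplicationsDataType | list_32bit_apps
else
    sample_report | list_32bit_apps
fi
```

Each line of output is an application to update or remove before upgrading, with the path to hand to an uninstaller.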
Upgrading to Catalina is relatively simple
Make sure your computer is plugged into power, your Internet connection is solid, and the weather isn’t going to futz with power or Internet access.
Download macOS Catalina directly from Apple. Under Mojave, you would do this through System Preferences > Software Update.
Once downloaded, it should take anywhere from 15 to 30 minutes to install Catalina, answer all the startup questions, and log in again.
After you are finished and log in, you may see a curiously named folder on your desktop, Relocated Items.
This folder is really an alias (a pointer) to information that used to be in your System folder (operating system directory), but is not allowed under Catalina. In years past, developers (Adobe, Microsoft, zillions of small developers you don’t remember, and even Apple) stuck things in the System folder, but under Catalina’s vastly expanded security, this stuff is no longer allowed there. Nothing in the folder is active or useful; Apple stuck it there in case you recognize something, and want to ask the program’s developer for an update, or advice on what to do with it. Or (most likely), you find it is no longer useful, and you just toss it.
The folder, if it is produced, has a PDF file that (sorta) explains why it exists:
During the last macOS upgrade or file migration, some of your files couldn’t be moved to their new locations. This folder contains these files.
These configuration files were modified or customized by you, by another user, or by an app. The modifications are incompatible with the recent macOS upgrade. The modified files are in the Configuration folder, organized in subfolders named for their original locations.
To restore any of the custom configurations, compare your modifications with the configuration changes made during the macOS upgrade and combine them when possible.
You can delete the alias from your desktop; it doesn’t need to be there, and deleting it doesn’t delete anything else.
Securing macOS Catalina
This isn’t very difficult, but the process requires quite a few screenshots and has been moved to a stand-alone page. Most of the material applies to previous versions of macOS, too, though the screenshots used are from Catalina. Click the link below:
Q: You mentioned you use 1Password for storing passwords. Does that mean I can get rid of Keychain?
A: 1Password is a commercial password manager for Macs, iPhones, and iPads. It has a much more user-friendly interface than Keychain Manager, or the Keychain Access management utility (located in Applications > Utilities). No, you can’t get rid of Keychain; it is the part of the Mac and iPhone and iPad operating systems that handles passwords. 1Password is essentially an easier to use editor for Keychain than Keychain Access.
Q: When you tell your browser to automatically log into a website, is that safe?
A: If the website is not something that handles your identity or reputation, or financial records, sure. But if a site deals with your reputation (Facebook, Twitter, LinkedIn) or finances (IRS, Social Security, credit unions, banks, credit card companies, etc.), no, you don’t want your browser to automatically log in. Anyone sitting down at your computer, or anyone who steals your computer, could automatically log into any of those websites.
Q: If upgrading to Catalina is a hassle, why should I?
A: It isn’t that much of a hassle. If you have a bunch of out-of-date applications that can’t be upgraded, it means they are already security threats to your machine. Current and future software vendors will not support anything except 64-bit applications, and not upgrading won’t really do you any good.
For a variety of technical reasons, 64-bit applications are genuinely more secure, as well as faster. They will also take up less space on your hard drive, since the software companies will no longer have to wedge both 32-bit code and 64-bit code into their applications.
A: Yes, but keep in mind that the way it works, it is scanning for malware constantly, even though your Mac may have never run into a piece of malware. Government agencies, teachers, accountants, lawyers, and certain other professionals should use an always-on malware scanner, but I prefer on-demand malware scanning. The one I use is called Bitdefender, available through Apple’s App Store, and it runs only when I tell it to run. I have a calendar entry to tell me to run it once a month.
Lawrence also showed the hidden, zippered pocket that he has in his polo shirt for holding his iPhone. The shirt was made by ScotteVest, which has a wide range of vests, coats, sweaters, shirts, skirts, shorts, etc., with “invisible” pockets for holding electronics. Lawrence explained that when he goes to the airport, he puts everything he wants into various pockets of a ScotteVest vest (watch, keys, wallet, passport, earphones, etc.) and, when he gets to the TSA screening area, takes the vest off and puts it in a bin. Then he picks it up on the other side of X-ray. Some of the men’s and women’s coats and vests have pockets large enough to hold a 10″ iPad.
November meeting: files
The November 19, 2019 meeting will have as the topic: organizing files. Apple tries hard to make organizing files easy, but life doesn’t necessarily easily separate things into Documents, Downloads, Movies, Music, Pictures, etc.
Other topics for future meetings mentioned were: Introduction to Google Drive (Google Docs, Google Sheets, Google Slides, Google Forms, Google Maps, Google Sites, Google Photos, Google Keep, etc.), iPadOS (and integration with macOS), health care devices and apps, WordPress, and support alpacas. (It is possible that support alpacas don’t exist, and only Lawrence seems interested, and they probably have nothing to do with Macs or iPhones or iPads.)
Web browsers continued as the meeting topic at the June 18, 2019 Strait Macintosh User Group meeting. In a change from the past, the meeting was held at the Sequim Library, 630 N. Sequim Ave., Sequim, WA.
While President Sabrina Davis and others set up the room for the meeting, Vice President Lawrence Charters hosted a Q&A (Question and Answer) session. The overarching rule: the question had to be about Apple devices, and the question had to be something that could be asked and answered in three minutes or less.
Q: I have a new iPhone, and am having trouble moving photos from my old phone to my Mac to my new phone.
A: Once upon a time, you used iPhoto or iTunes or some combination of the two to move photos. Today, by far the best solution is to use iCloud. Every Apple ID account offers 5 gigabytes of space in iCloud for photos, messages, email, and documents. This is not enough for most people, so buy some more space (it is inexpensive, and you can do that through the iCloud pane in macOS System Preferences or through Settings > Apple ID (click on your name at the top) > iCloud > Manage Storage in iOS). This will allow you to move photos around between your iPhone, iPad, and Mac seamlessly, as long as you have an Internet connection.
Q: What do you think of the new Mac [introduced at the June World Wide Developers Conference]?
A: The new Mac Pro coming out in Fall 2019 will have a minimum of 8 Xeon W core processors, 32 gigabytes of memory, and 256 gigabytes of solid state disk (SSD) storage. If this is too little, you can configure it with up to 28 Xeon W core processors, 1.5 terabytes of memory, and 4 terabytes of SSD storage. It will start at around $6000. The accompanying Apple Pro Display XDR for the machine (optional) will cost $5000 or $6000, not including the $1000 stand. One person mentioned that it justified getting a bumper sticker that said, “My other car is a Mac.” Highly configurable, very powerful, and not intended for the average user.
Q: I have not upgraded since Sierra; and am reluctant to upgrade. How vulnerable am I to security issues?
A: macOS Mojave, the current operating system, is faster and more secure on your existing hardware. It is like getting a rebuilt engine for an old car, for free, with new tires, airbags and seat belts. You may have to upgrade some software, but you gain a currently supported, secure operating system, much more capable of protecting your computer and your data.
Every time Apple patches their software, they release notes on what was patched and why. Hackers use these notes to discover and exploit weaknesses in machines that have not been patched so: upgrade your system, and stay current. Don’t delay.
Q: Do I need Flash?
A: Flash is a security vulnerability and Mojave tries to keep you from using this; it is not installed by default. Adobe stopped development of Flash in 2017, and will completely abandon it in 2020. If you use something that requires Flash, stop using it. Find an alternative.
Q: My computer is warning me that an application is not optimized for my system. What does that mean?
A: macOS is warning you that the application is not a 32-bit native application, and will not work with future versions of macOS. Apple, and Microsoft with Windows, are pushing 64-bit operating systems and applications as the standard, for security reasons. (iOS has been 64-bit only since iOS 11.) The next version of macOS, macOS Catalina, will not run 32-bit applications.
While some companies, chiefly game companies, have sent out messages warning users that their software will stop running if using macOS Catalina, the real problem is that the game companies aren’t upgrading their software. If you really think life will end without some obsolete software package, buy a used Mac, put the game or other application on it, and don’t let that machine ever touch the Internet.
Think of that warning message as: “I am a piece of obsolete software on your computer. I’m making your computer vulnerable.”
Note that the move to 64-bit-only is not unique to macOS; iOS moved to 64-bit-only several years ago, and Windows 10 is now moving to 64-bit-only. Intego has a nice blog entry on why 64-bit is better.
Firefox, Chrome, Safari, Edge popular Web browsers; 2B Androids in use but may not have working browser, 70-80 malicious software per device; iOS does not have malicious software because can upgrade devices; 1 Android (Pixel) gets Google updates but not many devices; may see warnings that an app not optimized for new OS; game manufacturers warn if upgrade to OS Catalina games may not work anymore; 64-bit processors since 2003/4; can move more data at one time so more efficient, better memory management; 32-bit vulnerable to hacker code but 64-bit makes memory not used as reserved so hackers cannot exploit; a 32-bit OS is less secure; the programs will not run; if run without Internet can use older machines with older OS
Officers, equipment and funds
President Sabrina Davis gave a brief overview of some changes in Strait Macintosh User Group, starting with: equipment and funds.
Sabrina was elected President in October 2018, with Lawrence Charters elected Vice President. They presided over the December 2018 meeting, and had planned out a meeting for February 2019, which was canceled due to a major snow storm.
Sometime in March 2019, some former members discussed, via an email exchange, dissolving the group. As far as we know, none of these individuals attended the October or December meetings, or had standing as officers, but they decided Strait Macintosh User Group was no longer functioning, and gave the treasury (roughly $2,800) and all equipment to Shipley Center, in Sequim. They did this without the President or Vice President calling a meeting, or a vote of the membership attending a meeting. Shipley informed us the funds and equipment are not recoverable.
The June 2019 meeting was moved to the Library because, without funds, we could not pay the room rental at the previous location. One limitation: we can’t book a room more than three months in advance, and can’t guarantee a date. We also do not have control over the old web site or forum, so created this new site, https://straitmac.wordpress.com. For a list of the current officers, see https://straitmac.wordpress.com/contact/.
Our membership list is three years old, and needs to be updated. If you receive a message from us, and don’t want to, please just use the contact page to request we stop. We will be sending out notices to our mailing list of meetings and any other interesting events, and a volunteer will also post announcements on NextDoor.
We will be hosting monthly meetings for a while, to regain momentum. The next meeting will be the third Tuesday in July, July 16, 2019, at 7 p.m., at the Sequim Library, 630 N. Sequim Ave., Sequim, WA. We can only reserve a room at the library a few months in advance; we can’t have a standing meeting for the entire year.
Several people asked what we do for money, since the treasury is empty. If we wish to have a custom domain for this website (straitmac.org or something that does not include “wordpress.com” in the name), and get rid of the advertising, we need $130-150 per year. If we wish to use another meeting space, and have a projector for presentations, we need considerably more. We will talk about options at future meetings.
Presentation: web browsers, continued
If it seems that much of the talk about web browsers involves security, there is a good reason: it does involve security.
The major current web browsers, in order, are Safari (on a billion and a half iOS devices, plus Macs), Chrome (on iOS devices, Android devices, Macs, and Windows), Firefox (on Macs, Windows, Linux, Android, and iOS devices), Microsoft Edge (on Windows and, now in beta, on Macs), and Internet Explorer (completely abandoned by Microsoft, but still used on almost a billion compromised machines).
Almost all Mac and iOS compromises involve something downloaded over the web, so it is important to keep all your iOS and Mac devices running the current operating system and a current browser. If your device is too old to support a current operating system, don’t connect it to the Internet.
Your day-to-day account on your Mac should be a non-admin account. Why? An admin account can accidentally authorize a piece of malware to be installed by simply clicking an “OK” box in your browser. Non-admin accounts cannot install software and, therefore, are far more secure from accidental compromise.
The big reason over a billion Windows machines are infected with malware: they are running obsolete versions of Windows, and the user account is an admin account. In the U.S., the government is as guilty of this as anyone else; the U.S. Navy, for example, is still in the process of retiring thousands of machines running Windows XP and Windows 7, instead of the current Windows 10.
If you think you, the “average user,” are not vulnerable — you most definitely are a target, and are vulnerable. Thieves are attacking not only adults and teens, but even taking out credit and home loans in the names of one year olds, confident that it will be a decade or more before the child learns their credit has been ruined. Even if they scam you out of only a couple hundred dollars, this is still a tempting target for thieves, as they can attack hundreds or thousands of accounts a day.
To protect yourself, avoid unencrypted sites. The old Strait Macintosh User Group Site, straitmac.org, is unencrypted. If you visit with Safari, Chrome or Microsoft Edge for Mac (now in beta), the location bar will flag the site as “Not Secure” because it does not have a valid security certificate. The SMUG Forum is also not encrypted, which means that user names and passwords entered on the site are sent in clear text and can be intercepted and exploited. This is, by the way, why you should use unique passwords for every account, as otherwise, all a hacker has to do is compromise one site and they can use that password on any and every site that you’ve reused that password.
To keep track of all the unique passwords, use a password vault, such as 1Password. The iPhone and the Mac versions of 1Password sync, allowing you to use 1Password on your iPhone when away from your Mac. 1Password can do more than store passwords; you can also use it to store credit cards, your license plate number, your VIN (Vehicle Identification Number), or anything else that is associated with you as an individual and is difficult to remember.
Someone asked if 1Password was different from Keychain, Apple’s built-in technology for storing and syncing passwords. The short answer is that they accomplish the same goals, but Keychain tends to confuse most users, whereas most users have no trouble at all properly using 1Password. Take Control Books, by the way, has electronic books on how to use 1Password, specifically, and how to manage Your Passwords, generally.
straitmac.wordpress.com shows a lock; secure site; has valid certificate from a 3rd party; has been audited; browsers recognize this as a legitimate site; the machine has a valid certificate for the site so can encrypt the information exchanged; Chrome shows green icon if very secure, e.g., banks
Safari, Chrome, and Firefox were briefly demonstrated, which brought up two interesting questions:
Why would you need more than one browser? The answer is: there are sites that might not work with Safari that will work with Chrome, or Firefox. Since the browsers are free, there is no “cost” to having all three. Another important consideration: Apple tends to update Safari, on the Mac and in iOS, with new operating system releases; Chrome checks to see if it needs to be updated every time it launches, and doesn’t bother to even ask you about updates. Firefox is somewhat in the middle; it checks every time, but asks you before updating.
The second question: is it possible for a site to be secure with one browser and not secure with another? The literal answer is: no. A properly secure site should be secure with all browsers, and if it is insecure with any browser it should be considered insecure with all. However, it is possible for a site to be secure and not work properly with a given browser. Again, this is a good reason to have Safari, Chrome and Firefox.
July meeting, third Tuesday, July 16, 7 p.m.
The July meeting topic will be an open-ended Q&A (Question and Answer) meeting. There are simple rules: the question must be about an Apple product, or something that runs on an Apple product, and the answer must be something that can be reasonably handled in a three to five minute answer. Questions do not need to be answered by a SMUG officer; if you know the answer to a question, feel free to chime right in.
Apple’s World Wide Developer Conference (WWDC) was held earlier today, and Apple made a number of announcements:
iOS 13 is aimed at being much faster, even on existing hardware, and is bringing Dark Mode to the small screen, along with outstanding security and privacy;
iPad software is being split off from the iPhone to a new iPadOS, with features that take advantage of the vastly larger screen;
the Mac Pro returns, in a powerful 28-core monster;
Apple returns to the display business with an exotic Pro Display XDR;
watchOS 6 will add new health and fitness metrics and capabilities, and new watch faces;
tvOS 13 will allow multiple user profiles, so you can watch what you want, and listen to what you want;
macOS Catalina returns to the California coast, and splits iTunes apart with separate apps for Apple Music, podcasts, and Apple TV;
another huge change to macOS Catalina is Sidecar, a built-in capability to use your iPad as an additional screen of your Mac, and use iPad capabilities — such as the pen — with your Mac;
accessibility changes, to macOS, iOS, and iPadOS, promise to vastly expand what can be done by those with vision, hearing, or mobility limitations, including both the very young and the very old.
You can watch the keynote (a bit more than two hours) here.
Most people will never own a Mac Pro; fully equipped with the new Pro Display XDR, you could buy a decent car — a new car — for the same price, or less. But almost everyone with an Apple device will benefit from iOS 13, iPadOS, tvOS 13, watchOS 6, and macOS Catalina. In particular, the accessibility features, and the vastly expanded iPad capabilities, are worth a long, thoughtful look. And the security and privacy features built into the new operating systems — all the operating systems — are extraordinary.
The programming tools will roll out immediately, with the finished iPhone, iPad, watch, TV, and Mac operating systems coming out in the fall. The Mac Pro and Pro Monitor will be out “this fall,” but you can sign up to be notified when they are getting close.
Since this is the World Wide Developers conference, there was also a presentation on coding, and it was impressive. While GUI (Graphical User Interface) programming has been touted for a couple decades, the reality is that complex programming is almost entirely based on thousands, or millions, of lines of text-only code. But with the forthcoming Xcode 11, you really can drag-and-drop large chunks of graphical elements, and large chunks of code, into your application code. And Apple has vastly reduced the code barriers between macOS and iOS apps with new technology that lets you very quickly, and fairly painlessly, transform an iOS app into a Macintosh application in just a few days.