25 May 2016

Change your login background in OSX

A little something for my long-suffering OSX readers: a simple script to change your login background. Note that images must be in PNG format.

Copy-paste the code above, save it as /usr/local/bin/set_login_background.sh, and run it like this (the chmod on the first line is only needed the first time; the script needs root because it writes to a system location):

sudo chmod a+x /usr/local/bin/set_login_background.sh
sudo set_login_background.sh /path/to/my-new-image.PNG

14 March 2016

WebCrypto and GPG - yet another missed opportunity

(Preface: I’m not good at crypto. My brain is just not big enough to juggle the necessary math. What I can do, in most cases, is juggle the basic concepts (private/public keys, certificates, chain of trust, hashing, signing, salting, encrypting, ciphers, etc.) and parse crypto-jargon well enough to get by. I like to believe I belong to the silent majority of web plumbers out there; as far as I know, the world of real cryptographers and crypto-developers is still very small. If anything I say here is wrong, by all means let me know in the comments.)

I’m yet again dismayed at the stubbornness of crypto-nerds in making things as awkward as possible for the rest of us.

I’m currently trying to set up a simple browser extension to verify signed data, given public keys. A fairly mundane problem, one would think; and sure enough, browser vendors recently started to implement secure interfaces for this sort of operation. Great!

So let’s import a public key to verify some data. What is the most popular key manager/generator out there, something that has been around for 25 years in various incarnations? PGP/GnuPG, of course. So I export a standard RSA key in the classic armoured format and… nothing. SubtleCrypto.importKey() does not support it: it only accepts the "raw", "pkcs8", "spki" and "jwk" key formats, and an OpenPGP key block is none of those. Most examples I got from googling (like these excellent ones) use JWK, yet-another-JSON-format-invented-yesterday. There are a bunch of tools out there to convert OpenSSL PEM keys to JWK (for Node.js, unsurprisingly), but nothing straightforward for PGP/GPG. No biggie: considering GnuPG is only at the core of software distribution for (almost) the entire world of Linux, it’s understandable that it could be overlooked... /sarcasm

In the end, one could probably get by using hacks like the one described here. To be honest, I’ve not tried — by the time I found it, the evening had gone and the level of frustration was too high.

Projects like Let’s Encrypt demonstrated very clearly that everyday cryptography is held back by inconsiderate and hostile interfaces; once you remove them, people adopt it extremely quickly. It is understandable that legacy implementations (X.509 and so on) will be awkward; but brand new interfaces which are supposed to gain widespread popularity outside the small circle of crypto specialists, designed in the last decade, should be better than this.

21 January 2016

OSX Nostalgia

I have to say, I really don’t like the direction the OSX interface is going. All this flatness is tremendously boring. I’ve found myself very nostalgic for the old "Aqua" interface several times in the last few months.

Unfortunately, Jony Ive’s iron grip is so tight, all theming/customization hooks have been removed from recent OSX releases. There is now no application (that I know of) which could reskin windows, toolbars and scrollbars.

The only avenue left to UI tinkerers is icons. You can still use LiteIcon to override system icons, and of course copy-paste on individual folders. I’m currently using icons from the classic Iconfactory World of Aqua series, and I just love them.

Some programs will thankfully allow you to customize them. There are plenty of Aqua themes for Firefox; I use a slightly cheesy one. iTerm2 has an "Aqua" option for its tabs.

If you are an app developer, please consider some skinning support. For all the talk about "consistency" from UI nazis, the first thing people do on a new computer is still to customize the desktop background...

09 December 2015

How to fix jEdit 5.3.0 on OSX with a Retina screen

jEdit is a great little editor: very flexible, much plugins, such macros, so java.
However, for some reason jEdit developers strenuously refuse to fix their OSX package to support Retina screens. Three years after these screens started getting popular, you still have to repeat the following procedure after each jEdit installation or update in order to avoid blurry fonts everywhere:
  1. quit jEdit if open
  2. in Finder, right-click on jEdit in Applications, select Show Package Contents
  3. go to the Contents folder, then edit Info.plist by adding these two lines at the end of the file, just before the closing </dict> (note that if the bundle is code-signed, editing Info.plist invalidates its signature, so `codesign --verify` on the app will fail afterwards):
    <key>NSHighResolutionCapable</key>
    <true/>
  4. force OSX to re-read the plist (the launch services cache will not pick up the edit on its own) by executing the following command in a terminal:
    defaults read /Applications/jEdit.app/Contents/Info.plist
  5. Restart jEdit. Icons will still look crappy (the "classic" theme slightly better than "tango"), but the rest will be ok.
On a more positive note, jEdit 5.3.0 (running on Java 1.8.0_66) seems to have fixed the crashes I've had for a year. Welcome back, "little editor that could".

09 November 2015

HFM 11.1.2.4.102 still insecure

In the last few months, I've described how HFM 11.1.2.4 does not work in secure configurations (i.e. it does not support encryption/SSL):
It looks like the recently released patch .102 still does not fix this glaring omission. Clearly security is very low on Oracle's list of priorities (but I'm sure their cloud setups are really, really secure, uh-huh...).

Anyway, in the previous posts I recommended working around this problem by putting all HFM components on one single, well-firewalled box. This setup was already sub-optimal (it's a single point of failure, and of course it might not meet some workload requirements), but as I went through other items it became clear that it's even more untenable than I previously thought.

This is because 11.1.2.4 components integrating with HFM (Financial Reporting, Calculation Manager, OBIEE and so on) talk directly to the application and cluster processes, bypassing the WebLogic-based web application. Because of the previously mentioned bug, that communication is completely unencrypted: credentials and financial data cross the network in cleartext.

This means that, in theory, any component that integrates through the HFM API would have to run on the same single box as HFM to keep its traffic off the wire.

You're going to need a bigger boat

The only exceptions to this rule are:
  • the EPM Architect Dimension Server service, which goes through the web application for its own calls (all related to metadata, like deployment, lookups etc.). However, EPM Architect's own DataSynchronization service (which can automatically copy data across EPM products) again goes directly to the appserver processes without encryption.
  • web-services-based products like Financial Close Manager, Tax Governance etc. (i.e. products built on Oracle SOA). These integrate with HFM via the web service interface exposed by WebLogic, which can easily be secured with SSL.

Bonus: a teaser

If you feel adventurous, you can figure out why HFM does not work with SSL.

  1. Create the EPM Registry properties mentioned in logs as reported in my first post.
  2. Run Process Monitor while you start the HFM JavaServer process.
  3. In the resulting capture, look for "File Not Found" containing "user_projects" in path. One of these files should look familiar...