acl-tools-osx v0.1.1 and an Introduction ¬


Back in 2013, I hacked together (and silently released to GitHub) a set of command line utilities for working with OS X file ACLs (Access Control Lists) and ACEs (Access Control Entries), collectively named acl-tools-osx. Included are three utilities written in bash:

  • findacl – This is the main tool, a wrapper for the powerful find command which ads “primaries” for working with OS X file ACLs.
  • chgrpacl – Built atop findacl, this allows changing group ACEs in an OS X file’s ACL from one group to another.
  • chusracl – The same as above, but for changing user ACEs from one user to another.

While probably well written for a bash script, findacl is still a bit of a hack: it relies on find to build the initial file list, then it reads & matches against all ACEs for each file. Unfortunately, for the ACL/ACE matching, it’s not smart enough to handle any operators other the AND. As mentioned above, chgrpacl & chusracl are powered by findacl and reduce a task that would require a minimum of three commands (one to list a file’s ACL, one to delete the required ACE, and one to re-add the ACE with the new user/group name) to a single easy command.

I wrote these for Small Dog Electronics to resolve some user & group name conflicts by changing group names. With thousands upon thousands of files with ACEs for the group names being changed, I could either leave orphaned group ACEs around (they show up as raw UUIDs) and re-apply the ACEs manually, I remove all ACLs and manually re-apply all ACLs (yeah, right!), or—if there was a way—I could just find files with ACEs for specific user/group names, delete them, and re-add them in the new user/group name. The last option made the most sense, but few utilities other that ls and chmod can handle OS X ACLs, certainly not my beloved find. So, I put together something that worked, automated the process—which worked quite well—and only used them a couple of times afterwards.

Well, someone happened across them recently and reported an issue with parsing ACEs containing certain special characters (including spaces), so I’ve fixed that and now present the world with acl-tools-osx 0.1.1. You can now find the download in the development section as well as on GitHub. Hopefully someone else will find them useful as I and at least one other person have.

23 Years of the Newton ¬


It’s amazing how quickly the years flow by and that it’s been nearly 25 of them since the introduction of Apple’s Newton. Actually, it has been a full quarter century since John Scully, then CEO at Apple, was pitched the concept of a smaller, handheld device by Michael Tchao and decided to make it a reality. This week marks the 23rd anniversary of the MessagePad’s release on August 3rd, 1993, at MacWorld Expo in Boston, which Scully had initially previewed to press at CES in Chicago, back on May 29th of 1992. Crazier still, the release of the Newton came less than a decade after that of the Macintosh. Sadly, it never really got the chance to see its full potential.

Like every revolutionary product, there are many fascinating accounts of the development and release. Some of them documented in the book Defying Gravity: The Making of Newton, others in the Newton section of Andy Hertzfeld’s Douglas Luckie’s page covering the original Newton MessagePad is required reading on, and one can’t forget Landon Dyer’s account of the last minute ROM patching before the release! Luke Dormhel just wrote a nice little overview for Cult of Mac, and Benjamin Edwards had a more thorough piece for Macworld at the 20th anniversary.

While I personally can no longer fault Apple for cancelling the Newton in 1998, refocusing, blossoming, and developing a new generation of mobile computing with the iPhone and iPad, I still wish to see a future where Newtons had continued to be developed. While I still use my MessagePad 2100 every day and find it to be the best tool for many tasks—for me, at least, though I’m not the only one—it’s also a disappointing that it’s mostly stuck in 1998. I say mostly as a huge debt of gratitude is owed to all the individuals who have helped keep the Newton platform alive, producing patches, software, bits of hardware, and providing tons of support over the years, allowing it reach out into the future that Apple only imagined.

I look forward to the full 25th anniversary with my Newton. After all, what’s a couple more years?

iPad Pro — What’s a Computer? (Video) ¬


I’m sure Apple was hard at work making this commercial well before Michael Gartenberg’s piece for iMore which I linked to a little over a week ago, but it does seem to start addressing the issue he raised as to why more people aren’t buying the iPad Pro to use as a computer. The ad starts off:

“Just when you think you know what a computer is…”

Apple’s The new iPad Pro introduction video from back in March shows the iPad being used as a computer, but mostly rattles off the new features, leaving that point until the very end:

“The new iPad Pro gives everyone the ability to do amazing things. Things you thought you could only do on a PC and things you’ve never done before. It’s where we believe personal computing is going.”

This new ad tries to hit that point home a little more directly. It still feels more like an ad for the Smart Keyboard and Apple Pencil, to me, but they’re a part of the solution and it’s a step in the right direction.

[Via Rene Ritchie.]

Farewell Kagi ¬


Long time payment processor Kagi in their announcement of the closure of their company on 2016-07-31:

For the past ten years Kagi has been struggling to recover from financial losses due to a supplier fraud situation. We have reduced the debt but the recovery has failed and forced us to close.

We are sorry we failed you.

It’s sad to see the failure of a company that helped support so many individuals and small businesses over the years. They helped many early Mac and Newton shareware developers get off the ground and prosper, some of which are still around today. Sadly, their popularity was waning due to increased competition from newer payment options such as PayPal, Stripe, and others.


Security Experts Have Cloned All Seven TSA Master Keys ¬


John Biggs, writing for TechCrunch:

The TSA, as you’ll remember, offers a set of screener-friendly locks. These locks use one of seven master keys that only the TSA can use — until 2014. In an article in The Washington Post, a reporter included a shot of all seven keys on a desk. It wasn’t long before nearly all the keys were made available for 3D printing and, last week, security researchers released the final key.

The interesting aspect of the release of the final key is how they did it. One of the hackers, Johnny Xmas, said:

“This was done by legally procuring actual locks, comparing the inner workings, and finding the common denominator. It’s a great metaphor for how weak encryption mechanisms are broken — gather enough data, find the pattern, then just ‘math’ out a universal key (or set of keys),”

Frustratingly, the TSA cares little for consumer’s belongings:

“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security. These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime.”

Introducing "Free Agents" ¬


Jason Snell introducing the new Free Agents podcast he’s co-hosting:

For a long time Mac Power Users co-host David Sparks and I would meet when I was visiting southern California and we’d talk about how our jobs were grinding us down. Then all of a sudden, he and I were both out on our own and grappling with any number of issues involving being independent workers after 20 years of working in a traditional job.


If you’re interested in hearing us talk about the issues around being an independent worker, check it out. The show will be short and appear fortnightly, and we’re hoping to do two short topic-based episodes followed by an interview with an independent working person.

Naturally, this subject matter is now near and dear to me. The first episode was a good, solid, quick listen.

New attack bypasses HTTPS protection on Macs, Windows, and Linux ¬


Dan Goodin writing for Ars Technica regarding a web browser proxy protocol issue that can expose full URLs of webpages you’re browsing, even over HTTPS:

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Autodisovery) in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.


With the exception of the full URL, all other HTTPs traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security. The OpenID standard, for instance, uses URLs to authenticate users to the sites and services that support it. Another example is document sharing services, such as those offered by Google and Dropbox, that work by sending a user a security token that’s included in the URL. Many password-reset mechanisms similarly rely on URL-based security tokens. Attackers who obtain such URLs in any of these cases are often able to gain full access to a target’s account or data.

Good to be aware of and yet another reason to be especially careful when using public WiFi. Fortunately, web browsers could mitigate this:

Still, browsers can largely work around the vulnerability by following the lead of Microsoft’s Edge and Internet Explorer 11 browsers, which invoke the FindProxyForUrl function with URLs that are truncated to host names only, as opposed to full URLs, which may contain authentication tokens or credentials.