Some Time Machine backup-volume trial and error

The Mac-maintenance task that has taken care of itself for most of the last four years brought itself to my attention Wednesday, and I wish it had not. Two days of troubleshooting later, I think I once again have a working backup routine–but I still don’t know what went wrong here.

My first hint that Apple’s Time Machine backup system had shifted out of its usual orbit was an error message Wednesday night reporting that my backup volume had become read-only, making further backup cycles impossible.

The drive in question, a 2-terabyte Seagate portable drive that I’d bought in 2018, seemed too young to be suffering from disk corruption. Especially since other partitions on this hard drive remained readable and writeable.

So I opened Apple’s Disk Utility, selected the Time Machine backup partition, and clicked “First Aid.” Several minutes later, this app returned an inscrutable, no-can-do result:

The volume Time Machine backups could not be repaired. 

File system check exit code is 8.

Well, then.

Disk Utility’s help was of no help, reporting “No Results Found” when I searched for that error message and shorter versions of it. Googling for “check exit code is 8” yielded nothing at Apple’s support site (a fruitless result confirmed by Apple’s own search) but did surface a data-recovery firm’s explainer that this was “one of the most frustrating file system errors to encounter, and it is difficult to know if you are experiencing a logical or physical fault on the hard drive.”

Trying to repair the volume a few more times with Disk Utility–a suggestion in a Stack Exchange thread that seemed worth testing–didn’t yield a better outcome. An attempt to copy the entire Time Machine volume to the partition that I’d created on this Seagate drive last year to usher my data from my old iMac to my current Mac mini stopped early; Shirt Pocket’s SuperDuper app was less informative than usual, saying it “Failed to copy files.”

Then I realized that I was looking right at a short-term answer: wiping that no-longer-needed iMac disk-image partition, then making it my new Time Machine backup volume while leaving the old Time Machine partition alone. After a timeout to unplug the drive and then plug it back in, without which Disk Utility would not reformat the partition, this fix seems to be working. But just in case, I’ve also plugged a 1-terabyte SSD into my Mac mini as a backup to my backup.

It would be great if Apple would provide clearer explanations and more usable fixes to disk errors like this. But considering that Time Machine’s starfield file-restore interface hasn’t changed since it debuted in 2007, I will not stay up late waiting for those updates.

Conference VOD: one half-decent thing we’ve gotten out of the pandemic

LAS VEGAS

The Black Hat security conference that wrapped up here once again left me wishing I could clone myself for a few days. Its info-dense schedule put as many as nine briefings in the same timeslot, requiring me to make some tough choices and hope that I’d picked a presentation that would yield enough news and insights to turn into an article.

(Spoiler alert: I did not always choose wisely.)

In the Before Times, the panels that I had to skip would have been lost to me until the event organizers uploaded video of them to Black Hat’s YouTube channel, often months later. But this year’s conference, run like last year’s as a hybrid in-person/online event, came with both streaming access to panels as they happened and video-on-demand playback 48 hours later for attendees.

This conference, unlike too many I’ve attended, also continues to post the presentations of speakers, so attendees don’t need to take pictures of every statistic-filled slide for posterity.

So I can treat my conference FOMO and see what I missed much sooner than I could have before. That’s one small side benefit of conferences having to make themselves open to remote attendees, a welcome democratization of events that in a better world would have happened without the pressure of a worldwide pandemic. It’s also personally convenient today because I’m already getting asked on Twitter about Black Hat briefings that I did not get to.

I do, however, still need to remember to catch up on these briefings before the 30-day window to watch them expires–the mistake I made last summer, when I had a much less busy schedule.

8/14/2022: I updated this to add a compliment to the Black Hat organizers for posting speakers’ presentations.

Black Hat pitches increasingly resemble CES pitches

When I’m spending a sunny Saturday in front of my computer, the usual reason is that it’s beastly hot outside. But today I have an additional, also seasonally-specific reason: I’m overdue to look over and make some decisions about all of the Black Hat meeting requests that have been piling up in my inbox.

A view of the Las Vegas Strip from the Foundation Room atop the Mandalay Bay hotel--a common event venue for both CES and Black Hat receptions.

Unlike last summer, I actually am going to this information-security conference in Las Vegas. And many more infosec companies seem to have made the same decision, leading to a flood of e-mails from their publicists asking if I’d like to set up a meeting while I’m in Vegas. How many? Over the last month, I’ve received 134 messages mentioning Black Hat, a number that makes me think of the annual deluge of CES PR pitches.

(Sorry, the total is now 135.)

Just like at CES, accepting even half of these invitations would leave me almost no time to do anything else at the conference. But where at CES I need to save time to gawk at gadgets on and off the show floor–and to get from venue to venue at that sprawling event–at Black Hat I want to save time to watch this conference’s briefings.

In the two prior years I’ve gone to Black Hat, I’ve found that the talks there have an exceptionally high signal-to-noise ratio. And since a coherent and entertaining explanation of a vulnerability in a widely used app, service or device is something that’s relatively easy to sell as a story, I also have an economic incentive to hold off on taking any meeting requests until the organizers post the briefings schedule–which this year only happened barely two weeks ago.

In other words, now I’m out of excuses to deal with these pitches. Which I could have done this afternoon had I not waited until this afternoon to write this post…

8/24/2022: Fixed the typo in the headline that nobody seems to have noticed until my wife asked about it today.

Google-induced mail migration malaise

A week ago, I learned that one of my longest-running online freebies would end this summer. The seven days since haven’t been enough time for me to decide how to replace the no-charge Google account that’s hosted my home e-mail since early 2010–but they have allowed me to find a reason to dislike each obvious alternative.

Yes, I should have seen this coming. The Google that launched “Google Apps for Your Domain” as a free service in 2006 was a much scrappier firm that could not assume potential customers’ attention. Even in 2010, when I moved my home e-mail to a Google Apps account under a custom domain and set up (just in case!) a work e-mail address under a different custom domain at another Google Apps account, Google hadn’t risen to become an obvious choice for business collaboration.

The Gmail logo under an "Apps" banner, taken from a 2008 Google presentation.

Google did end signups for this free option in December of 2012, but it let existing Apps customers keep their free accounts. That grandfathered, privileged status continued as Google Apps became G Suite in 2016 and then Google Workspace in 2020.

The Google of 2022, however, is a different entity that’s been unplugging other free services. So I was not too surprised to learn that starting July 1, I’d have to pay to keep these two mail accounts hosted–just annoyed to read about this at the 9to5Google blog instead of in an e-mail from Google to me.

I’m fine with paying Google for my work account–make that, paying more on top of what I’ve been spending for extra storage since 2016. A Google Workspace Business Starter account will cost another $6 a month, which is reasonable considering how many other Google services I have tied to this account and how $72 a year would still rank among my cheaper business expenses.

But my home account is just an e-mail account. I don’t use it with Google’s other “workspace” tools; because I keep a separate, standard Gmail account for shopping, banking and other non-work stuff, my home account barely gets used as an e-mail service. Paying $72 a year makes a lot less sense, much less spending that much on addresses I’ve set up for family members who use them even less.

But the options I’ve evaluated first have their own issues:

iCloud+: Since my wife is already paying for extra storage on Apple’s cloud service, I could set up a custom domain there for free. But by associating my home e-mail address with iCloud, I would revive the problem of iPhone-using friends who think they’re using the Messages app to text me on my phone and instead have Apple’s iMessage system silently divert that to the Messages app on my iPad.

Microsoft 365: I already pay for Microsoft’s cloud storage to back up my Windows laptop, and adding multiple e-mail accounts by upgrading to Microsoft 365 Family would add only $30 to my yearly cost. Except Microsoft, for some inane reason that probably looked sharp on a marketing PowerPoint, limits this option to domains hosted with GoDaddy, and that’s not the registrar I’ve been content with using for this domain. (One thing I don’t like about this registrar: Their own mail hosting only covers 1 gigabyte of storage per address, which is why they don’t make this list.)

Fastmail: This mail-first service isn’t tied to any larger cloud platform, a simplicity of mission that I appreciate. I also like how I could use this with 1Password to generate “masked,” disposable e-mail addresses for individual services. But with pricing for a custom domain starting at $50 a year per user for 30 GB of storage, this, too, feels like overkill for my own little use case.

Meanwhile, Google may have realized the foolishness of treating every user as one type of business customer. Wednesday afternoon, Ars Technica’s Ron Amadeo flagged an addition to Google’s support note inviting input from people who don’t use legacy Google Apps accounts for work.

Will Google offer a cheaper tier for personal use, and how long will we have to wait to find out? The May 1 deadline Google set for ex-Apps users to choose between upgrading to Workspace or moving their mail elsewhere leaves plenty of time for the indecision-making process to grind on at this company. And among perplexed customers like me.

Android phone migration has gotten easier–except for Google Pay and Google Voice

Moving from my old Pixel 3a to my new Pixel 5a provided my smoothest Android phone-migration experience yet. I had much less home-screen housekeeping to do on my new device than two years ago, and one key Google app showed a particularly dramatic improvement. But then I had to deal with Google Pay and Google Voice.

Overall, Google’s instructions get across how easy the process has become. Tap yes in the “Copy apps & data” button on the new phone, unlock the old phone, connect the two with a USB-C cable, tap yes in the old phone’s “Copy data to new phone?” dialog, then wait–about 21 minutes in my case.

A Pixel 5a showing the "Transfer accounts" screen in Google Authenticator sits atop a Pixel 3a showing the same screen in the same app.

Google’s Android-transfer system accurately reproduced my app-icon layout (the contrast with upgrading to iPadOS 15 did not escape my attention) and wallpaper, with the only missing item being a home-screen icon for Android Auto.

I did still have to wait for most individual apps to download off Google’s Play Store, and their new-phone user experience varied awkwardly. Some, such as Feedly, LinkedIn and FlightRadar24, didn’t need me to log back in; most demanded a new entry of usernames and passwords (made much easier by 1Password); a few required extra bouts of authentication.

One Google app pleasantly surprised me, given the sensitivity of its stored data. Google Authenticator previously required renewing each two-step verification code securing a site login as if your old phone had fallen into the ocean, an experience that Google security chief Stephan Somogyi in 2017 apologetically described to me as “a complete, total and unmitigated pain.”

But in 2021, an old phone’s Google Authenticator can generate a catchall QR Code for its saved accounts; scan it with the new phone’s copy of Authenticator, and you’ve got your one-time passcodes for those accounts ready there. Great!

And then two other Google apps showed how awkward this process can remain. Google Pay–not the mobile-payments app that debuted as Google Wallet, but the new release that shipped this spring and then required some non-trivial settings restoration–landed on the new Pixel 5a as if I had never used it before.

I had to start by typing in my cell number because this Google service relies on that for authentication instead of a Google account. As Ars Technica’s Ron Amadeo explained/warned back in March, this setup resulted from Google electing to build a new Google Pay off code optimized for the Indian market, where SMS authentication apparently reigns supreme. And then I had to add back my saved credit cards, one at a time.

The last hiccup, I hope, came with Google Voice. The oft-neglected Internet-telephony app that I use for my work number seemed to be configured properly on the new phone, but then a journalist trying to reach me for a radio interview had her call go to voicemail. Eight times in a row. The answer turned out to be that Google Voice’s account settings had my number associated with two smartphones and two copies of the same number, a level of confusion that the system evidently resolved by not patching calls through to the newest device.

But now that’s squared away, and I think I can make it through the rest of this trying year without further mobile-app troubleshooting. I hope that’s the case for everybody reading this too.

Android 12 early impressions: improvement via imprecision

Two weeks after I installed Android 12 on my aging, yet well-maintained Pixel 3a smartphone, the biggest selling point of this release is not the self-tinting interface colors that Google talked up this summer. Instead, I’m appreciating a new option to leave apps a little fuzzier about my whereabouts.

In adding the ability to deny an app access to your precise location, Android 12 returns to the earliest days of Google’s mobile operating system, when an app could ask for either “fine” or “coarse” location. But it also reflects what we’ve learned since then about how location-data brokers will embed location-tracking code in other apps, often without disclosure, and then exploit that harvested info to build vast databases.

Photo shows the Android 12 Settings app open to a page denying the Today Weather app access to my precise location; in the background, the print edition of the Nov. 12, 2021 Washington Post reveals a bit of the weather forecast.

So my first move after my phone rebooted into Android 12 was to take the GPS keys away from some apps. I started with one I already paid for, Today Weather. Why bother depriving a paid-for and therefore ad-free app of my exact location? Because the forecast shouldn’t change that much between here and a mile away–but keeping my precise coordinates from a third party means they can’t get exposed if that firm suffers a data breach later on.

My second move was much less exciting, in that I swapped out some of the default screen widgets: I like scallops and I like having a large display of the time on my home screen, but I don’t like the scallop-shaped clock widget that comes standard in Android 12.

My first software-update-induced moment of confusion, meanwhile, came a day after I installed this update when I mashed down the power button to invoke the Google Pay shortcut to choose a different stored credit card for a purchase–and nothing happened. That’s because Android 12 moved that from the power-button menu to the Quick Settings menu. Broken muscle memory aside, I get that relocating this setting from a non-obvious spot to a menu that people use all the time should make it more discoverable.

Finally, one Android 12 detail that’s gotten less attention than the others in press coverage just might save me from waking up with a phone at 10% of a charge: When you plug a phone into a charger, a wave of sparkles washes up the screen to confirm that current is flowing to the device. Considering my own record of inattentive device charging, that’s a feature I could have used 10 years ago.

Keeping a Facebook page would be less work if Facebook were less tolerant of scammers tagging my Facebook page with other Facebook pages impersonating Facebook

Living a public work life on social media can be tiresome under many conditions, but my occupational outpost on Facebook–facebook.com/robpegoraro–has been feeling especially tedious lately.

And I can’t even blame random Facebook commenters for that! Instead, it’s the random Facebook scammers that have been nibbling away at my social-media attention span by staking out fake Facebook pages that impersonate Facebook itself, and which then tag my page with grammatically-iffy posts threatening to have my page suspended (for example, “someone has reported you with non-compliance with the terms of service”) if I don’t click/tap to verify my page ownership at a site that is obviously not at Facebook.

(Pro tip: Facebook is an American company and, AFAIK, does not have any substantial presence in Vanuatu that would require it to point users to a .vu domain name for terms-of-service compliance.)

I resent being treated like an idiot and I resent having my time wasted, but I also resent seeing a gigantic social network with country-sized resources fail so badly at stopping its own tenants from impersonating it. Every single time, the scam page has a big blue “f” icon matching Facebook’s and calls itself something like “Pages Identity Policy Issue,” which combined should seem like easy bait for a company with Facebook’s machine-learning capacity to quash or at least quarantine.

Instead, I get to play Whac-a-Mole with these idiotic impostors, and Facebook doesn’t even make that efficient.

Here’s the workflow on my iPad if I want to report the tagging post itself: Tap the ellipsis menu at the top right, select “Find support or report post,” select “False information” from the menu (“impersonation” isn’t an option), select “Social Issue,” (other choices being “Health,” “Politics,” “Something Else”), confirm that the post goes against community standards, then tap “Submit.” That last step doesn’t remove the tag, which takes another tap or two to zap.

If, however, I tap the fake page itself (which, in the most recent incident, had been set up for a construction firm in 2013 and then renamed this week, presumably after a hack), I tap the ellipsis menu at the top right, select “Find Support or Report Page,” select “Scams and Fake Pages,” then choose “Misleading Page Name Change” (had I not seen that switcheroo, I would have picked “Pretending to be Another Business” or “Fake Page”). Then it took another tap to block the page’s tag from my own page.

My gripe here isn’t so much with the number of clicks Facebook required but with the gap between its apathetic enforcement against con artists ripping off its own identity and its aggressive and punitive reaction against the New York University researchers who invited readers to install a browser extension that would track which ads Facebook served them, so that we might learn a little more about how that advertising gets targeted. What’s the priority at Facebook?

It’s yet another reason–on top of the recurring nags to spend money on Facebook ads–to make me wonder why I keep up that Facebook marketing output when it’s so much more work than my other social-media presences. And yet if I want to see how the advertising machinery works, I feel like I have to stick around, scammers and all.

Not cool: freezing my credit after yet another data breach

The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.

Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.

At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.

Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.

The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have to vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.

I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.

My next in-person tech conference will have to wait a little longer

Next week was going to feature a conference badge and triple-digit temperatures, and now the only way I’ll get any of those things is if the forecast for D.C. turns out to be completely off.

Barely a month after I’d booked flights and a (refundable) hotel room for the Black Hat security conference, convinced that this security gathering in Las Vegas would represent my first in-person conference since February of 2020, I cancelled those bookings this week. Instead of flying to Nevada to take notes in the middle of a physical audience and then network in person at a series of receptions, I’ll follow the briefings online and then connect with nobody new as I have dinner at home.

It wasn’t any one thing about this conference happening in the middle of a not-yet-over pandemic that led me to bag this trip, even though I’ve been fully vaccinated since late May; it was all the things.

First, while I would expect most information-security professionals to evaluate their risks intelligently and therefore have gotten vaccinated long ago, there’s always going to be the exceptions.

Second, Black Hat is like everything else in Vegas in August in that it must exist in a series of air-conditioned bubbles. And while I wouldn’t have a problem wearing a mask while watching briefings, staying masked-up is a lot harder at a conference reception.

Third, Vegas has a giant tourist demographic that self-selects for poor risk management, raising the odds of me sharing an elevator or check-in line with some hard-partying idiot who has made pandemic denial part of his personal political brand.

Fourth, the city itself has a depressingly low vaccination rate, with only 41% of Clark County residents fully vaccinated. Seeing that many people spend that many months declining to use the best tool we have against the pandemic does not make me want to go to their city and spend my money.

The odds remain pretty low, as I understand them, that I would pick up the Delta variant of the novel coronavirus over those two days and change in Vegas. But when one of the people I’d see afterwards would be my not-yet-vaccine-eligible 11-year-old daughter, I can’t justify the risk posed by what strikes me as an especially bad scenario compared to any of the events I’m contemplating for later this year.

So even while I have resumed some business travel, it’s going to be a little while longer before I come home with a new conference badge to add to the collection that’s now been collecting dust for a year and a half.

Secondary thoughts on working yet another primary election

Tuesday had a lot in common with the four days I spent last year working as an election officer for Arlington County. Just as in March, June, July and then November, I staggered through a sleep-deprived day that started with a 5 a.m. arrival at the polling place and didn’t end until around 8:30 p.m. As in all of those elections except last March’s Democratic presidential primary, the day left me with a fair amount of downtime to fill with reading a book and chatting with my fellow poll workers. And once again, it felt deeply fulfilling to help my fellow citizens do their part to hire candidates for temporary, taxpayer-funded jobs.

Lilies bloom in the foreground, while the background shows election signs in front of a community center in Arlington, Va.

But since November 3, the subject of election security–a topic I’ve been covering on and off for most of the last two decades–has fallen prey to fever-dream conspiracy theories among Donald Trump followers who refuse to believe that the former president was fired by the largest electorate in American history.

I am tempted to give this post over to yet another rant denouncing those advocates of Trump’s Big Lie–as well as the sedition sympathizers in Congress who kept pandering to those dead-enders after the deadly riot at the Capitol January 6.

But instead, I will talk about my workday Tuesday. Here are some things you should know about how we did our part in Virginia’s primary elections, which I hope map with how elections are run wherever you may read this:

• Trust paper. Arlington uses hand-marked paper ballots that each voter feeds into a scanner that will read the ballot if it’s upside-down, right-side up, forwards or backwards. (We also have ballot-marking devices for voters with disabilities.) That paper trail then becomes part of the risk-limiting audit that Virginia now conducts after each election; the audit run after November’s election (but not reported out until March) confirmed that the votes as scanned accurately recorded how people marked their ballots. If your state is among the minority to still use “direct-recording” machines that leave no paper trail (hello, Texas), direct your ire at the elected officials who haven’t fixed that problem.

• Don’t confuse voter identification with TSA Pre. I checked in one voter who did not have a Virginia driver’s license but did appear in our poll-book app as a registered voter, and I saw other voters show up with the same scenario. That was understandable, as the Virginia DMV is struggling to catch up with a pandemic-inflicted backlog. It would be unconscionable to kick those people out of polling places when one government bureaucracy can’t issue ID cards fast enough while another has already confirmed their eligibility. I should note here that this voter brought their voter registration card; should you get stuck in this situation, bringing that other piece of paper will save a tired poll worker a little time.

• Expect software to fail; design for resilience. The most reassuring paper product I saw Tuesday was the printout of the entire pollbook for our precinct, which meant that we did not have to rely on our pollbook app to stay up all day. Fortunately, that software did work, by which I mean it functioned aside from the feature that was supposed to scan the bar code on the back of a Virginia driver’s license but instead failed at least nine out of 10 times in my experience.

• Check everything at least twice. My day started with opening packs of ballots and counting them, 10 at a time. Each shrink-wrapped pack should have held 100 ballots and did, but we checked that anyway–so that there would be no discrepancy between the number of ballots handed out and the number of voters checked in. We also verified each total at the end of every hour; each time, there was no surplus of voters or ballots. And then we made one last check after polls closed to confirm that we had handed out exactly one ballot per voter.

If the above sounds inefficient, you read this right. Election administration has to suffer some inefficiency to accommodate the conflicting demands of allowing voters secret ballots and yielding an auditable paper record. Deal with it.