Posts Tagged ‘google’

How TED’s introduction to Google Glass Really Happened

Friday, April 12th, 2013

Starts with a replay of the Google Glass commercial, but then a visibly uncomfortable founder of an internet company rambles. At 13:12 he jokes about recording from the stage without people knowing. Strange times we live in.

FileVault 2 Part Deux, Enter the Dragon

Wednesday, January 30th, 2013

The Godfather of FileVault, Rich Trouton, has probably encrypted more Macs than you. It’s literally a safe bet, horrible pun intended. But even he hadn’t taken into account a particular method of institution-wide deployment of recovery keys: disk-based passwords.

As an exercise, imagine you have tier one techs that need to get into machines as part of their duties. They would rather not do a target-disk/recovery-partition boot (thanks to Greg Neagle for clearing up confusion regarding how to apply that method), slide a valuable certificate into place and whisper an incantation into its ear to operate on an un-booted volume, nor do they want to reset someone’s password with a ‘license plate’ code; they just want to unlock a machine that doesn’t necessarily have your admin enabled for FV2 on it. Back in 10.7, before the csfde command line tool (Google’s reverse-engineered CLI FileVault initialization tool, mostly applicable to 10.7 since 10.8 has fdesetup), the process of adding users was labor-intensive as well. Even in fdesetup times, you cannot specify multiple users without having their passwords and passing them in an unencrypted plist or via stdin.

In this scenario, it’s less a ‘get out of jail free’ card for users that forget passwords, and more of a functional, day-to-day let-me-in secret knock. How do I get me one of those?

Enter the disk password. (Meaning like Enter the Dragon or Enter the Wu, not really ‘enter your disk password’, this is a webpage, not the actual pre-boot authentication screen.)




How did we get here? No advanced black magic; we just run diskutil cs (short for CoreStorage, the name of the quacks-like-a-duck-so-call-it-a-duck logical volume manager built into 10.7 Lion and later) with the convert and -passphrase options, pointing it at root. We could encrypt any accessible drive, but the changes to login are what we’re focusing on now.

The end result, once the process finishes and the machine next reboots, is that this (un-customizable) icon appears at the login window:


Remember that this scenario is about ‘shave and a haircut, two bits’, not necessarily the institution-wide systems meant to securely manage recovery options. Why haven’t you (or the Godfather) heard of this having been implemented for institutions until now-ish? (Was he too busy meticulously grooming his links to anything a mac admin could possibly need to know, or composing the copious content to later link to? Say that three times fast!) (Yes, the disk password functionality has been around for a bit, but we’ve gotten a report of this being deployed, which prompted this post.) Well, there are two less attractive parts of this setup that systems like Cauliflower Vest and commercial solutions like Credant or Casper sidestep:

1. The password (for one or many hosts) needs to be sent to a shell on the local workstation’s command line in some way, and rotating the password requires the previous one to be passed to stdin.
2. It can be confusing at the pre-boot login window that there seems to be a user account called Disk Password visible.

What’s the huge advantage over the other systems? Need to rotate the password? No decrypt/re-encrypt time! (Unlike the ‘license plate’ method.) Old passwords are properly ‘expired’! (Unlike the ‘Institutional Recovery Key’ method of using a certificate.) I hope this can be of use to the environments that may be looking for more ‘middle ground’ between complex systems and manual interaction. Usability is always a factor when discussing security products, so the additional method is a welcome one to consider the benefits of and, as always, test.

Regarding FileVault 2, Part One, In Da Club

Monday, January 28th, 2013


IT needs to have a way to access FileVault 2 (just called FV2 from here on) encrypted volumes in the case of a forgotten password or just getting control over a machine we’re asked to support. Usually an institution will employ a key escrow system to manage FDE (Full Disk Encryption) when working at scale. One technique, employed by Google’s previously mentioned Cauliflower Vest, is based on the ‘personal’ recovery key (a format I’ll refer to as the ‘license plate’, since it looks like this: RZ89-A79X-PZ6M-LTW5-EEHL-45BY). The other involves putting a certificate in place, and is documented in Apple’s white paper on the topic. That paper only goes into the technical details later in the appendix, and I thought I’d review some of the salient points briefly.

There are three layers to the FV2 cake, divided by the keys interacted with when unlocking the drive:
Derived Encryption Keys (plural), the Key Encrypting Key (from the department of redundancy department) and the Volume Encrypting Key. Let’s use a (well-worn) abstraction so your eyes don’t glaze over. There’s the guest list and party promoter (DEKs), the bouncer (KEK), and the key to the FV2 VIP lounge (VEK). User accounts on the system can get on the (DEK) guest list for eventual entry to the VIP, and the promoter may remove those folks with skinny jeans, ironic nerd glasses without lenses, or Ugg boots with those silly salt-stained, crumpled-looking heels from the guest list, since they have that authority.

The club owner has his name on the lease(the ‘license plate’ key or cert-based recovery), and the bouncer’s paycheck. Until drama pop off, and the cops raid the joint, and they call the ambulance and they burn the club down… and there’s a new lease and ownership and staff, the bouncer knows which side of his bread is buttered.

The bouncer is a simple lad. He gets the message when folks are removed from the guest list, but if you tell him there’s a new owner(cert or license plate), he’s still going to allow the old owner to sneak anybody into the VIP for bottle service like it’s your birthday, shorty. Sorry about the strained analogy, but I hope you get the spirit of the issue at hand.

The moral of the story is, there’s an expiration method (re-wrapping the KEK based on added/modified/removed DEKs) for the (in this case, user…) passphrase-based unlock ONLY. The FileVaultMaster.keychain cert has a password you can change, but if access has been granted to a previous version with a known password, that combination will continue to work until the drive is decrypted and re-encrypted. And the license plate version can’t be regenerated or invalidated after initial encryption.

So the two institutional-scale methods previously mentioned still get past the bouncer (unlock the drive) until you tear the roof off the mofo, tear the club up, i.e. de- and re-encrypt the volume.

But here’s an interesting point, there’s another type of DEK/passphrase-based unlock that can be expired/rotated besides per-user: a disk-based passphrase. I’ll get to describing that in Part Deux…
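To make the three-layer picture from Part One concrete, and to show why the disk passphrase from Part Deux can be rotated without a decrypt/re-encrypt cycle, here is an added Python model. It is not Apple’s code and not from either post: a volume’s VEK is wrapped by a KEK, and each credential gets a slot holding the KEK wrapped under a DEK derived from that credential’s passphrase. The wrap primitive is a labelled stand-in for the real AES key wrap (an HMAC-SHA256 keystream plus authentication tag) so it runs with the standard library only, and the PBKDF2 round count is an assumption.

```python
"""Toy model of FV2 key layering: passphrase -> DEK -> wraps KEK -> wraps VEK.
Added illustration, not Apple's implementation.  wrap()/unwrap() are a
stand-in for AES key wrap so the example needs only the standard library."""
import hashlib
import hmac
import os

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption: a stand-in work factor, not Apple's value


def derive_dek(passphrase: str, salt: bytes) -> bytes:
    """Derive a per-credential DEK from a passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def wrap(wrapping_key: bytes, secret: bytes) -> bytes:
    """Toy authenticated key wrap: nonce || secret XOR HMAC(k, nonce) || tag."""
    nonce = os.urandom(16)
    stream = hmac.new(wrapping_key, nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(wrapping_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(wrapping_key: bytes, blob: bytes) -> bytes:
    """Reverse of wrap(); raises ValueError when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(wrapping_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong unlock key")
    stream = hmac.new(wrapping_key, nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class Volume:
    """One encrypted volume: a VEK wrapped by a KEK, plus one slot per credential."""

    def __init__(self) -> None:
        self.vek = os.urandom(KEY_LEN)       # only changes if you re-encrypt the volume
        self.kek = os.urandom(KEY_LEN)
        self.wrapped_vek = wrap(self.kek, self.vek)
        self.slots = {}                      # credential name -> (salt, wrapped KEK)

    def add_credential(self, name: str, passphrase: str) -> None:
        """Put a user (or the disk passphrase) on the guest list."""
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(derive_dek(passphrase, salt), self.kek))

    def remove_credential(self, name: str, remaining: dict) -> None:
        """Drop a slot and rotate the KEK, re-wrapping for everyone who stays.
        `remaining` maps the other names to their passphrases; the admin has to
        supply them, which mirrors the fdesetup limitation noted in Part Deux."""
        del self.slots[name]
        self.kek = os.urandom(KEY_LEN)
        self.wrapped_vek = wrap(self.kek, self.vek)   # same VEK, new bouncer
        for other in list(self.slots):
            self.add_credential(other, remaining[other])

    def unlock(self, name: str, passphrase: str) -> bytes:
        """Return the VEK for a valid credential; raise ValueError otherwise."""
        salt, wrapped_kek = self.slots[name]
        kek = unwrap(derive_dek(passphrase, salt), wrapped_kek)
        return unwrap(kek, self.wrapped_vek)


def can_unlock(vol: Volume, name: str, passphrase: str) -> bool:
    try:
        vol.unlock(name, passphrase)
        return True
    except (ValueError, KeyError):
        return False


def demo() -> tuple:
    """Rotate the disk passphrase slot away and show what still works afterwards."""
    vol = Volume()
    vol.add_credential("alice", "correct horse")
    vol.add_credential("disk", "shave-and-a-haircut")     # the disk-based passphrase
    vek_before = vol.unlock("alice", "correct horse")
    stale_salt, stale_wrapped_kek = vol.slots["disk"]      # a copy kept by an ex-tech
    vol.remove_credential("disk", {"alice": "correct horse"})
    vek_after = vol.unlock("alice", "correct horse")
    # The stale slot still yields the OLD KEK, but that KEK no longer opens the VEK.
    old_kek = unwrap(derive_dek("shave-and-a-haircut", stale_salt), stale_wrapped_kek)
    try:
        unwrap(old_kek, vol.wrapped_vek)
        stale_works = True
    except ValueError:
        stale_works = False
    return vek_before == vek_after, stale_works, vol.vek == vek_after


if __name__ == "__main__":
    print(demo())   # (True, False, True): data key unchanged, stale slot dead
```

The point the model makes is that rotation touches only the wrappers: the VEK, and therefore every encrypted block on disk, is untouched, which is why expiring a passphrase slot costs no decrypt/re-encrypt time. The recovery methods the post says cannot be expired are the case where the VEK itself would have to change, which in this model means building a new Volume from scratch.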


Thursday, November 29th, 2012

It was our privilege to be contacted by Bizappcenter to take part in a demo of their ‘Business App Store’ solution. They have been active on the Simian mailing list for some time, and have a product to help the adoption of the technologies pioneered by Greg Neagle of Disney Animation Studios (Munki) and the Google Mac Operations Team. Our experience with the product is as follows.

To start, we were given admin logins to our portal. The instructions guide you through getting started with a normal software patch management workflow, although certain setup steps need to be taken into account. First, you must add users and groups manually; there are no hooks for LDAP or Active Directory at present (although those are in the road map for the future). Admins can enter the serial number of each user’s computer, which allows a package to be generated with the proper certificates. Then invitations can be sent to users, who must install the client software that manages the apps specified by the admin from that point forward.


Sample applications are already loaded into the ‘App Catalog’, which can be configured to be installed for a group or a specific user. Uploading a drag-and-drop app in a zip archive worked without a hitch, as did uninstallation. End users can log into the web interface with the credentials emailed to them as part of the invitation, and can even ‘approve’ optional apps to become managed installs. This is a significant twist on the features offered by the rest of the web interfaces built on top of Munki, and more features (including cross-platform support) are supposedly planned.


If you’d like to discuss Mac application and patch management options, including options such as BizAppCenter for providing a custom app store for your organization, please contact

The (Distributed) Version Control Hosting Landscape

Monday, March 19th, 2012

When working with complex code, configuration files, or just plain text, using Version control (or VC for short) should be like brushing your teeth. You should do it regularly, and getting into a routine with it will protect you from yourself. Our internet age has dragged us into more modern ways of tracking changes to and collaborating on source code, and in this article we’ll discuss the web-friendly and social ways of hosting and discovering code.

One of the earliest sites to rise to prominence was Sourceforge, which is now owned by the company behind Slashdot and Thinkgeek. Focused around projects instead of individuals, and offering more basic VC systems, like… CVS, Sourceforge became a site many open source developers would host and/or distribute their software through. Lately, Sourceforge seems to be on the wane, as it has become redirect- and advertising-heavy.

When Google wanted to attract more attention to its open source projects and give outsiders a way to contribute, it opened in 2005. In addition to SVN, Mercurial (a.k.a. Hg) was available as an alternative VC option in 2009, as it was the system adopted by the Python language, whose creator is an employee at Google, Guido van Rossum. Hg was one of the original Distributed Version Control Systems, DVCS for short, and the complexity of such a system could feel ‘bolted-on’ when using Google for hosting (especially in the cloning interface), and its recent introduction of Git as an option mid last year brings this feeling out even more.

Bitbucket was another prominent early champion of Hg, and its focus, like those previously mentioned, is also on projects. Atlassian, the company behind it, is a real titan in the industry, as the steward of the Jira bug-tracking software, Confluence wiki, and HipChat web-based IM/chatroom service, and has recently purchased the Mac DVCS GUI client SourceTree. Even more indicative of the fast-paced and free-thinking approach of how Atlassian has done business is their adoption of Git late last year as an option for Bitbucket, going so far as to guide folks to move their Hg projects to it.

But the 900-pound gorilla in comparison to all of these is Github, with their motto, ‘Social Coding’. Collaboration can tightly couple developers and make open source dependent on the approval or contributions of others. In contrast, ‘Forking’ as a central concept to Git makes this interdependency less pronounced, and abstracts the project away to put more focus on the individual creators. Many words have already been spent on the phenomenon that is Git and Github by extension, just as its Rails engine enjoyed in years past, so we’ll just sign off here by recommending you sign up somewhere and join the social coding movement!

Munki’s Missing Link, the Simian Server Component from Google

Tuesday, March 13th, 2012

At MacWorld 2011, Ed Marczak and Clay Caviness gave a presentation called A Week in the life of Google IT. It included quite the bombshell, that Google was open-sourcing its Managed Software Update (Munki) server component for use on the Google App Engine (or GAE). Some began immediately evaluating the solution, but Munki itself was still young, and the enterprise-intent of the tool made it hard for smaller environments to consider evaluating. Luckily, the developers at Google kept at it, and just like GAE graduated from beta and other Google products got a facelift, a new primate now stands in our midst (mist?): Simian 2.0!

With enhancements more than skin deep, this release ups the ante for competing ‘munkiweb’ admin components, with rich logs and text editor-less manifest generation. For every package you’d like to distribute, only one run of the Munki makepkginfo tool is required – the rest can be done with web forms. No more ritual running of makecatalogs, just click the snazzy buttons in the interface!

Unlike the similarly GAE-based Cauliflower Vest, Simian does not require a Google account for per-client secure transmission, which makes evaluation easier. While GAE has ‘billable’ levels, the free version allows for 1GB of storage with 1GB of upload and… yup, 1GB of download. While GAE may not be quite as straightforward to calculate the cost of as other ‘Platform as a Service’ offerings, it is, to use a phrase, ‘dumb cheap’. The only time the server’s instance would cost you during billable operation is when admins are maintaining the packages stored, or when clients are actively checking in (by default once a day) and pulling packages down. As Google ‘dogfood’s the product, they have reported $.75/client per YEAR in the way of GAE-related costs.

Getting started with Simian is not a walk in the park, however: you must wrap your brain around the concept of a certificate authority (or CA), understand why the configuration files are a certain way based on the Simian way of managing Munki, and then pay close attention as you deploy your customized server and clients. Planning your Simian deployment starts with either creating or reusing an existing certificate authority, which would be a great way to leverage Puppet if it’s already running in your environment. Your server just needs to have its private key and public certificate signed by the same authority as the clients to secure their communication. Small or proof-of-concept deployments can use this guide to step you through a quick Certificate Authority setup.

When it comes to the server configuration, it’s good to specify who will be granted admin access, in addition to the email contact info for your support team. The GAE instance requires a Google account for authentication, and it is recommended that access is restricted to users from a particular Google Apps domain (free or otherwise). One tripping point is when allowing domain access to the GAE instance, you need to go to a somewhat obscure location in your GoogleApps dashboard (linked from above where the current services are listed on the dashboard tab, as pictured):

Ready to take the plunge? Once configurations have been set in the three files specified in the wiki, and the certs you’ll use to identify and authenticate your server, CA, and a client are stowed in the appropriate directories, go ahead and send it up to the great App Engine in the sky.

See our follow-up article

Technical Overview of Mac Business Encryption methods

Friday, March 2nd, 2012

For a more in-depth look at security on the Mac, we’ll contrast the technical features (and limitations) of Mac full disk encryption methods. A balance that always needs to be struck when implementing a highly complex system is between maintainability and features. Employees need an easy to use yet reliable solution, and support personnel need to be able to consistently ensure that everything is functional and able to be audited. To understand the changes to encryption features leading up to the present, we’ll start by describing the implementation used by one of the most popular vendors, Symantec, and their PGP product.

PGP has a very long history in data encryption, and since Apple moved to the Intel processor platform (and EFI), they have been able to provide many features that were previously only fully supported on Windows. In an ideal situation, they and other vendors (like Sophos and McAfee) construct a way to tie your directory service to a keyserver, and therefore have authentication stay in one central place. Client software performs the local encryption on each workstation, and after completion users are granted secure access to a pre-boot environment, so only after authentication succeeds does the actual system boot. The encryption itself is based on a key that is independent of the user, multiple users including the admin can be added, and there is even a feature called the Recovery Token in case someone forgets their password (which gets regenerated after a single use, once the laptop then connects back to the keyserver).

The changes Apple made during its build-up to Lion jeopardized PGP’s pre-boot environment, which caused serious side effects. From Snow Leopard 10.6.6 on, Symantec had to be vigilant to ensure their product was updated in a timely fashion, and many customers began to doubt the future viability of the solution. Businesses still wanted the features products like PGP offered, so a balance needed to be struck.

Apple released FileVault2 with Lion, and has since documented one method of achieving some sort of centralization: generating and storing the FileVaultMaster.keychain. A drawback of this process is many of the workflow steps surrounding it require custom, secure methods to be devised for implementing and auditing this process. Further, since support personnel need access to the single key that will unlock any machine encrypted with this process, the fact that the key cannot be easily reset and never expires becomes a prominent flaw.

Cauliflower Vest, as discussed previously, instead utilizes the recovery key. This reduces the risks associated with storing and retrieving the unlock mechanism centrally, as it is tied to each employee’s Google Apps account. It is sent and stored securely, and access controls can be put in place to grant access to support personnel. The csfde tool that is bundled with the project can also be used independently, if another data store or authentication mechanism to secure the transport and storage is preferable. Deployment and enforcement were priorities of the project as well, and a graphical interface to guide employees through setting up their encryption in a self-service manner round out the salient features. It can still be considered a compromise when compared to the functionality offered to businesses previously, but Google’s Macintosh Operations team should be commended for making available a feature-rich and flexible open source solution.

Lion’s New Security Features, Manageable for Businesses with a Solution from Google

Friday, February 24th, 2012

The big cat, Lion, has been out of the bag for a while, and even with Mountain Lion slated to come out this Summer, many are still devising strategies to tame it. In particular, there’s been uncertainty about the update to Apple’s encryption solution, FileVault. In the past it wasn’t as fully featured as encryption solutions from Symantec (PGP) and others, but the functionality of those third party products has been faltering due to ‘plumbing’ changes Apple’s made in order to accommodate, new with Lion, FileVault2 – their higher-performance, whole disk encryption solution.

From a security and ease-of-use perspective, when you encrypt the entire hard drive (or ‘disk’), your documents are much safer if your laptop should happen to be lost or stolen. Only user accounts granted access to un-encrypt the computer (which happens just by logging in with your user name and password like normal) can get at the files. However, there is a ‘get out of jail free’ card provided, just in case you forget your password – the Recovery Key, which is a 24-character code that Apple can even store for you.

When using FileVault 2 in Lion, businesses lose several features they would otherwise have with 3rd party whole disk encryption solutions: we’d like to store that key centrally for our company, keep an inventory on which computers are encrypted, and not worry what user account encrypted the computer when we need to re-deploy it for someone else. Apple’s consumer-focused, manual process for storing the Recovery Key doesn’t help us, so Macintosh Operations at Google have stepped onto the scene with a solution: Cauliflower Vest.
Yes, the name is… distinct, but really it’s just an anagram (same letters, different words) for FileVault Escrow, which means storing the FileVault Recovery Key centrally. A big caveat of using this solution is that it relies on a Google Apps account for every employee whose machine you’d like to use FileVault with. Generously, Google’s Mac Ops team took the time and went the distance to allow us to adapt their tool for use with other centralized systems.

Adjusting to the new changes in Lion can be a considerable amount of work for many administrators. 318 has been a reseller for Google Apps and can also build custom solutions that adapt open source products to your business’s needs. For assistance, please contact your 318 Professional Services Manager, or if you are not yet a customer.

The Tech Journal is now on Google Currents!

Thursday, December 8th, 2011

We’ve created an edition in the new Google Currents app listed in the iTunes App Store and the Android Marketplace. It’s a great and easy way to get the latest Tech Journal articles in an easy to read format that is available for offline viewing.

You can download Google Currents for your device here.

To add the Tech Journal to your library in Google Currents, follow this link in the browser on your device.

Happy reading!

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily skipping steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account please follow the steps here:

Use Microsoft Office With Google Apps

Saturday, November 27th, 2010

Google Docs live on Google’s servers and are edited in a web browser. One of the most challenging aspects of leveraging this type of cloud environment is workflow. Looking at every user’s workflow before making institutional changes is so daunting a task that it is rarely performed, resulting in users being left out of the process and at times also resulting in a breakdown in adoption from these “edge cases.”

Luckily, Google is wise to this predicament and has acquired DocVerse, which has resulted in a new option from Google: Google Cloud Connect for Microsoft Office. Cloud connect was announced last week without much fanfare. But the Cloud Connect toolbar for Microsoft Office is one of the more important new features of Google Docs in a long time, because it bridges the gap between the cloud and the client. In so doing, Cloud Connect breaks down some of the more critical arguments against adoption in the enterprise: retooling the entire workforce, redesigning workflow and working with documents while offline.

At 318, we have been working closely with many of our customers on transitions of data to cloud environments. Whether you are using Google or a competing vendor, please feel free to contact your 318 account manager or our sales department to discuss how this announcement can help to ease a transition to the cloud for your environment.

Sandboxing Chrome

Friday, April 23rd, 2010

Thanks to Google for referencing our post introducing sandbox in their sandboxing design document for Chromium at:

Their use of sandbox is really over and above what we’ve seen from any other vendor. Each installation contains 3 distinct sandbox profiles (currently I have and version 5.0.342.9 although mileage here may vary according to updates), each profile allowing access to only files and resources that are absolutely necessary to complete the task that the process that leverages them requires. You can see the specific resources that are accessible by looking at these profiles. The profiles are located at:

  • /Applications/Google Chrome Framework.framework/Resources/
  • /Applications/Google Chrome Framework.framework/Resources/
  • /Applications/Google Chrome Framework.framework/Resources/
You can view them easily using a simple cat command:

cat /Applications/Google\ Chrome\ Framework.framework/Resources/

You can then edit the profiles easily, for example to enable debug logging for sandbox. This gives you transparency into what Chrome is doing and also allows you to further tighten security, although they have really taken their time to secure Chrome well and lock things down, so we doubt much further restriction is necessary or really possible. Overall, Chrome provides a great example of taking sandbox to the next level and extending it much more into applications with graphical user interfaces than we’ve seen it extended to thus far.
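Reading a profile with cat tells you what it says; what a reviewer usually wants to know is what a given process can actually touch. The following is an added Python example, not Chromium’s code and not from the original post: a small parser for the Scheme-like sandbox profile language plus an evaluator that answers “is operation X allowed on path Y?” for a constructed, deliberately tiny profile embedded in the block. The (version 1)/(deny default)/(debug deny)/(allow op (filter …)) forms and the literal, subpath and regex filters are the real profile syntax; the paths and Mach service name in the sample are constructed, and the assumption that the last matching rule wins is how this toy evaluator resolves overlapping rules.

```python
"""Parse a sandbox (Seatbelt) profile and evaluate allow/deny decisions.
Added example for auditing profiles like Chrome's; not the page's own code.
SAMPLE_PROFILE below is constructed for illustration."""
import re

SAMPLE_PROFILE = """
(version 1)
(deny default)
(debug deny)                                   ; log every denial, as the post mentions
(allow file-read* (literal "/usr/lib/libSystem.B.dylib"))
(allow file-read* (regex #"^/System/Library/Frameworks/.*"))
(allow file-read* (subpath "/Library/Fonts"))
(deny  file-read* (literal "/Library/Fonts/Secret.ttf"))   ; later rule wins
(allow file-write* (subpath "/tmp/chrome-scratch"))        ; constructed path
(allow mach-lookup (global-name "com.apple.system.logger"))
"""


def tokenize(text: str) -> list:
    """Split profile text into '(' / ')' and ('sym'|'str'|'regex', value) tokens."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == ";":                              # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        elif c == '"' or (c == "#" and i + 1 < n and text[i + 1] == '"'):
            is_regex = c == "#"
            start = i + (2 if is_regex else 1)
            end = text.index('"', start)
            tokens.append(("regex" if is_regex else "str", text[start:end]))
            i = end + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "()":
                j += 1
            tokens.append(("sym", text[i:j]))
            i = j
    return tokens


def parse(tokens: list) -> list:
    """Turn the token stream into nested lists; reject unbalanced parentheses."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def load_profile(text: str) -> dict:
    """Collect the default verdict, the debug flag and (action, op, filters) rules."""
    profile = {"default": None, "debug": False, "rules": []}
    for form in parse(tokenize(text)):
        head = form[0][1]
        if head in ("allow", "deny") and form[1] == ("sym", "default"):
            profile["default"] = head
        elif head == "debug":
            profile["debug"] = True
        elif head in ("allow", "deny"):
            filters = [(f[0][1], f[1][1]) for f in form[2:]]
            profile["rules"].append((head, form[1][1], filters))
    return profile


def filter_matches(filters: list, target: str) -> bool:
    """A rule with no filter applies everywhere; otherwise any filter may match."""
    if not filters:
        return True
    for kind, value in filters:
        if kind in ("literal", "global-name") and target == value:
            return True
        if kind == "subpath" and (target == value or target.startswith(value.rstrip("/") + "/")):
            return True
        if kind == "regex" and re.search(value, target):
            return True
    return False


def is_allowed(profile: dict, op: str, target: str) -> bool:
    """Evaluate op (e.g. 'file-read-data') on target; 'file-read*' covers 'file-read-*'."""
    verdict = profile["default"] == "allow"
    for action, rule_op, filters in profile["rules"]:
        op_hit = rule_op == op or (rule_op.endswith("*") and op.startswith(rule_op[:-1]))
        if op_hit and filter_matches(filters, target):
            verdict = action == "allow"     # assumption: last matching rule wins
    return verdict
```

Running is_allowed over a list of paths you care about (configuration files, credential stores, the user’s home) is a quick way to check that a profile is as tight as it reads, and the debug flag tells you whether denials will show up in the system log when you test a change.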

Safari Shortcuts

Sunday, September 23rd, 2007

Some useful shortcuts for Safari users:

  • Command-N opens a new window
  • Command-T opens a new tab
  • Command-Option-V views the page source
  • Command-Up Arrow scrolls to the top of a page
  • Command-Down Arrow scrolls to the bottom of a page
  • Spacebar scrolls down
  • Command-Shift-+ zooms in
  • Command-Shift-- (minus) zooms out
  • Command-W closes the current tab
  • Command-Q quits Safari
  • Command-M minimizes Safari
  • Command-R reloads a page
  • Command-Shift-H takes you home
  • Command-Shift-D bookmarks the current page
  • Command-K enables or disables the pop-up blocker
  • Command-Shift-A autofills forms
  • Command-Option-F takes you to the Google box
  • Command-Option-K marks a page
  • Command-} takes you to the next tab
  • Command-{ takes you to the previous tab
  • Command-Option-P returns to a marked page
  • Command-Shift-N creates a new Bookmarks folder
  • Command-[ goes to the previous page
  • Command-] goes to the next page (if there is one)

The Google You Don’t Know About: Discover Google’s Many Hidden Features

Friday, May 26th, 2006

Google is a key tool for just about every Web user these days, and it remains the most popular web search engine in use today. But many of Google’s coolest features often get overlooked. Here are some of Three18’s favorite Google tools:

Google Toolbar ( Windows users can save themselves the step of navigating to Google’s homepage by adding the Google Toolbar to their Internet Explorer browser. In addition to fast access to web searches, you also get a history of your most recent searches, bars indicating relevance of your searches, and links to other Google resources. But its most welcome bonus is its built-in, intelligent Pop-up blocker.

Google Desktop ( Ever wish you could just Google your entire computer to find that long lost document or e-mail message? Well, now you can with Google Desktop. It installs Google’s powerful search engine capabilities into your PC, so you can instantly search your entire hard drive for e-mails, Word, Excel, and PowerPoint documents, IM chats, and even cached web pages you’ve visited. It’s currently only available for PC, but Google has announced plans to build a version for Mac OS X.

Google Local ( Confine your search to your neighborhood (or any other location in North America for that matter). It’s a simple matter of entering your search terms and a location, be it an address, a ZIP code, or a City/State combination. You’ll get not only your list of search results in the standard Google format, but you’ll get a map of the results as well.

Froogle ( Shopping for the best price is easy with Froogle. Just tell it what you’re looking for, and it searches a seemingly infinite number of online retailers. Sort your results by price, or within a price range, or by category (this comes in handy if you’re doing a brand search such as Sony, Apple, or Craftsman). A great tool for bargain hunter’s shopping during the holidays!

Google News ( The ultimate fix for news junkies. Browse and search over 4,500 online news publications from all over the world. Then combine it with Google Alerts ( to give yourself customized news alerts in your e-mail inbox as often as you want: either as they happen, once a day, or once a week.

Google Directory ( Billed as “the largest human-edited directory on the web”, the Google Directory leverages the deep database of the Open Directory Project ( and the powerful Google search engine. You can browse categories or just run a search. Either way, your results are going to be based on categories and information that is organized by human beings, not crawlers, spiders, or bots (which can be easily fooled into incorrectly boosting the relevance of web pages).

GMail ( Google’s long-anticipated (and hotly sought-after) free e-mail service is still in limited Beta test mode, but those users lucky enough to score a GMail account have been wowed by the results: over a gigabyte of mail storage, all instantly searchable with Google’s familiar search engine technology. Keep an eye on Three18’s newsletter for updates on when Gmail goes “live” for use by the general public.

These are just some of the tools Google has available right now. They’re all free, powerful, and unlike anything else on the web. Google is currently in a dramatic growth phase, with numerous projects and technologies in the works. And the great thing is, you can test them out as they’re developed. Go to Google Labs ( to see what they’re working on now.