Use a More Sophisticated IP Address Scheme on Your Network

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different and that's fine, I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers, you're not constrained to that subnet mask of 255.255.255.0; you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you just change this to 255.255.254.0, now instead of your local network being just 192.168.0.x, you also have 192.168.1.x. What's cool about this is that now you can use 192.168.0.x and 192.168.1.x for different things and be easily able to tell at a glance what is what.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post Use DHCP Reservations Instead of Static IP Addresses, you should use DHCP reservations, not static IP addresses). So then I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x. And then I could set my DHCP server to utilize addresses starting at 192.168.1.1 and ending at 192.168.1.254. And at that point, I can tell at a glance if something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x).

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask and now, using my previous 192.168.0.1 router IP address as the assumption, your local network is 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x. And now you have 2 additional values available to use in the third octet. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, let's say you have a printer on your network that you want to be able to print to so you want to access it locally, but you don't want it exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.

And if you need to be able to use even more than 4 values in the third octet, just change your subnet mask and you can get 8, 16, 32, 64, 128, or even 256 of them.
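The scheme above can be checked with Python's standard ipaddress module. This is an added example, not code from the original post; the function names and the sample addresses are made up for illustration. It also shows an edge case of the wider mask: only the first and last address of the whole range are reserved, so 192.168.0.255 becomes an ordinary host address.

```python
import ipaddress

# Role plan from the list above, keyed by the position of each x.x.N.0/24 block
# inside the LAN. With the router at 192.168.0.1 the position equals the third octet.
ROLES = {
    0: "known device (DHCP reservation)",
    1: "known device with special firewall access",
    2: "known device, no Internet access",
    3: "unknown device (DHCP pool)",
}


def lan_blocks(router_ip, subnet_mask):
    """Return the LAN and the /24 blocks (one per third-octet value) inside it."""
    lan = ipaddress.ip_interface(f"{router_ip}/{subnet_mask}").network
    if lan.prefixlen > 24:
        raise ValueError("mask is narrower than one full third-octet block")
    return lan, list(lan.subnets(new_prefix=24))


def classify(address, router_ip="192.168.0.1", subnet_mask="255.255.252.0", roles=ROLES):
    """Map an address to its role, or report that it is outside the LAN."""
    lan, blocks = lan_blocks(router_ip, subnet_mask)
    addr = ipaddress.ip_address(address)
    if addr not in lan:
        return "not on this LAN"
    if addr in (lan.network_address, lan.broadcast_address):
        return "reserved (network or broadcast address)"
    index = next(i for i, block in enumerate(blocks) if addr in block)
    return roles.get(index, "unassigned block")


def role_cidrs(router_ip="192.168.0.1", subnet_mask="255.255.252.0", roles=ROLES):
    """CIDR block per role, the form a per-range firewall rule would use."""
    _, blocks = lan_blocks(router_ip, subnet_mask)
    return {str(block): roles.get(i, "unassigned block") for i, block in enumerate(blocks)}


if __name__ == "__main__":
    lan, blocks = lan_blocks("192.168.0.1", "255.255.252.0")
    print(f"LAN {lan} holds {len(blocks)} third-octet blocks")
    for cidr, role in role_cidrs().items():
        print(f"  {cidr:<16} {role}")
    # Constructed sample addresses, as they might appear in a router's client list.
    for sample in ("192.168.0.20", "192.168.0.255", "192.168.2.10",
                   "192.168.3.77", "192.168.3.255", "192.168.4.5"):
        print(f"{sample:<15} -> {classify(sample)}")
```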

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even use its own subnet mask so you can do this kind of thing for your guest network too and see at a glance what devices are known and unknown in your guest network (and yes, it can make sense to have known devices in your guest network; see my post Two Security Approaches You Should Be Taking on Your Network for more information on this subject).

Two Security Approaches You Should Be Taking on Your Network

Routers these days are very sophisticated in regards to what they can do and you should take the time to configure yours to provide robust security. While not meant to be in any way comprehensive as to everything you should be doing from a security perspective on your router, this post offers 2 security approaches you should be implementing with your devices and router(s):

  1. Use the guest network for anything that doesn't need to talk to other devices on the network.

    Actually, if your router supports VLANs, using a VLAN for anything that doesn't need to talk to other devices on the network is even better than using the guest network. For more information on this, see this excellent post. But as that post points out, most home routers do not, as of this writing, support VLANs. As such, utilizing a guest network is your best option on most home routers.

    A guest network sounds like something you would use only for your guests' devices, but this is too limited a view of a guest network; instead, you should think of your guest network as the place to put any device that doesn't need to talk to other devices on the network.

    These days there are all sorts of IoT (Internet of Things) devices that we don't access directly but rather we interact with via a cloud service. Got a smart thermostat on your network? How about a smart plug? Maybe a smart scale? Chances are that you don't directly access these devices but rather you access a cloud service to interact with these devices. Well, if that's the case, why would you want these devices to be able to talk to other devices on the network? Put them on your guest network: they'll still have access to the Internet, they just won't have access to other devices on the network. Now, you may be thinking "well, just because I don't need them to access other devices on the network doesn't mean I care if they can access other devices on the network." Well, you should care: unfortunately, devices do become compromised from time to time and if someone gets into one of yours, you don't want him/her to use that access to gain additional access to network traffic and/or devices on the network. So: guest network for anything that doesn't need to be able to talk to other devices on the network.

    And you know what would make it even better? If the guest network were on a completely separate router from your main network! If you really want to isolate the devices on your guest network as much as possible from your main network then you use 2 routers and the first (the one connected to the outside world, which most commonly would mean to your router) has the guest network on it and the second (which is connected to the WAN of the first) has your main network on it. Then even if a bad actor gains access to your guest network or to a device on it, he/she would have to gain access from the outside to your second router in order to compromise your main network.

  2. Disable access to/from the Internet for anything that doesn't need it.

    This one goes right along with the one above: in the same way that you don't want to give access to other devices on your network to anything that doesn't need it, you don't want to give Internet access to any device that doesn't need it. Have a printer on your network? Does it need Internet access? Chances are that it does not: chances are that you only need to be able to send print jobs to it on your local network. In the last item, I pointed out that unfortunately, devices do become compromised from time to time and in that case the point was to protect everything else on the network from a device that becomes compromised; here the goal is to protect a device from becoming compromised in the first place, which is especially important considering that if you need to talk to it (in this example, send print jobs to it) then you can't put it in the guest network which means that if it does become compromised then it's that much easier for the attacker to gain additional access to network traffic and/or other devices on the network. So: turn off access to/from the Internet for anything that doesn't need it.

    Okay, great! But how do you do that? Well, the mechanism will vary from router to router, but in general the approach to use is going to be to create firewall rules. You will likely need a firewall rule that blocks all access from all ports from the outside (that is, the Internet) to a device and then a second firewall rule that blocks all access from all ports from a device to the outside. And you'll need such rules for every device on your network, so it might end up being a lot of rules. However, if you follow the guidance in my post Use a More Sophisticated IP Address Scheme on Your Network, you can create (if your router supports it) a rule for the entire octet you use for these devices.

Use DHCP Reservations Instead of Static IP Addresses

I was in an online discussion recently in which the other party talked about using static IP addresses on his/her devices. And I told that person this: the only time I can conceive of there being a need to utilize a static IP address on a device is if the device doesn't support DHCP, which would be a very rare situation.

As long as a device supports DHCP, the best way to get that device to utilize a known and consistent IP address is to utilize DHCP with the device and a DHCP reservation in the DHCP server (which in most home networks would be a function of the router). You want to have the server (in this case, the router) dictating to the clients rather than having the clients dictating to the server. In so doing, you centralize your IP address control in the DHCP server instead of decentralizing that control to the devices. There are so many reasons this is the best approach:

  • It allows you to change your network address scheme in one place should you want to do so. And it's all seamless for the clients: you make the change on the DHCP server and that's it, you don't have to change anything on the client side.
  • You can move clients to another DHCP-enabled network (which is pretty much any network) without reconfiguring them. If you take a device to another network, it will just pick right up and work because it's set for DHCP.
  • You don't have to track the IP addresses your devices are using, your router does that for you. This means you will never have IP address conflicts. With static IP addresses, you could put multiple devices on the same IP address which would cause network issues. Not only that, you have to account for the IP addresses of your devices using static IP addresses in DHCP anyway (that is, you have to make sure that your DHCP server doesn't give out these addresses to other devices), so why not just have your DHCP server give out those addresses in the first place?
  • With many routers, you can address your devices by hostname and not just by IP address because the DHCP server registers those hostnames. Then that gives you even more flexibility. For example, while I have no intention to ever change the IP addresses of the cameras on my network, I can if I want to because all my viewer apps address those cameras by hostnames and so a change to the IP addresses those cameras are using will be completely transparent to my viewer apps.

Adding a User to the Administrators Group on a Synology Router

Background

I am a huge fan of Synology products. I started with an ioSafe disaster-proof NAS powered by Synology. I bought it because I had a very typical NAS use case: I had some very important data that I wanted to safely store and make accessible via my network. And my ioSafe NAS is amazing at doing that job for me! However, once I got it, I realized it is so much more than just network-attached storage, it's an awesome little server that does a ton of great things for me.

But this post isn't about working with Synology NAS devices, it's about working with Synology routers. So moving on to routers: I've been through a bunch over the years. Quite some time back, I was all about installing DD-WRT onto Linksys routers because DD-WRT allowed the hardware to do so much more than the native firmware and that was useful to me. But when Synology announced they would be releasing their first router, the now-discontinued RT1900ac, I was interested in checking it out and I eagerly snapped it up as soon as it was available. And I loved it, and so when they released their next-generation router, the RT2600ac, I got it as soon as it was available, and I migrated to it from the RT1900ac to get even better range and performance.

One of the great things about Synology's management software for their NAS devices and their routers is that they let you create your own administrator account and give it any user name. This is huge because it means you can disable the default administrator account, which is a security best practice (if an attacker trying to login to a system has to guess at not only the account password but also the account user name, it's that much harder for that attacker to gain access to that system).

You can create a new administrator account on a Synology router using SRM (Synology Router Manager, the GUI for administrating Synology routers) during initial setup of the router. In fact, I believe you actually must set up a new administrator account during initial setup of the router; it's really great that they implemented it that way (though if I'm remembering correctly, it's still up to you to go disable the default administrator account). However, when I started with Synology routers, it didn't work that way: I don't believe that I even had the option to create an administrator account during setup and I certainly wasn't required to do it.

So for all these years that I've had these routers, I have been using the default administrator account. But recently, someone with IP addresses in Russia tried to gain unauthorized access to my Synology NAS (fortunately, they were unsuccessful), and thereafter I decided I needed to step up my security game. There were several measures I took, and one of them was to create a new account, add that account to the administrators group, and then disable the default administrator account on my router as well as on my NAS.

Creating a new account is easy in SRM as well as in DSM (DiskStation Manager, the GUI for administrating Synology NAS devices). Disabling an account (in this case, the default administrator account) is also easy in both SRM and DSM. However, administrating groups, while easy in DSM, is not functionality provided in SRM, which created a major snag in my plan. I was able to work around it by utilizing SSH, and that's what I will show you how to do here. As well as I can tell, no one else has both figured out how to do this process and commented about it on the web and that meant I had to dig in and figure it out, which was a time-consuming process, and I'm writing this in the hopes it can help you get it done a lot faster.

So let's get started!

The steps

  1. Create a backup of your router's configuration settings. If something goes sideways here, you're going to want to have a backup of your router's configuration settings. If you need more information on how to do this, check out this SRM Help Article.
  2. Create the account you want to add to the administrators group. That is to say, create your new administrator account, only it won't be an administrator account when you create it, it will just be a regular user account. But you have to create it and then after you create it, you'll be able to add it to the administrators group. Note that it's possible to create a new account via SSH, but since it's easy in SRM, I recommend you go the SRM route, but it's your call.

    To create a new account in SRM, launch Control Panel, choose User from the menu on the left, press the + button above the list of users, and then fill in the user form (provide values for Name, Password, and Confirm password) as shown in the following screenshot. It goes without saying (but I'll say it anyway) that the Password and Confirm password values need to be the same. But an important note: it's best if the Name value does not include spaces because if you include spaces, the SSH commands in the following steps won't work as written.

    Note that I'm using newadmin for the value of Name, but you'll want to instead use the value you want to use for your new administrator account. Also note that in this and many of the screenshots that follow, I have redacted the user name of accounts I have created on my router.

    When you have filled in the user form, press the Apply button and your new account will be created as shown in the following screenshot.

    You will notice that the new account does not bear the little gold medal with a red ribbon on the user icon like the default administrator account does, which means that the account is not at this time part of the administrators group (adding it to the administrators group is what we'll do next using SSH). Note that I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group; as such, there are a couple of differences in my screenshot and what you'll see: the little gold medal with a red ribbon on the user icon isn't showing on the default administrator account because I've disabled that account, but you can see that it is showing on my actual new administrator account (the user name of which I have redacted in the screenshot).

    It's a good idea to press the Edit button for your new account and then, in the dialog that appears, enter in a Description and Email for the new user (and then when you're done you'll of course need to press the OK button to save those changes).

  3. Enable SSH. Login to SRM using your default administrator account, launch Control Panel, choose Services from the menu on the left, and then choose the System Services section at the top. You'll see the first portion of the page is Terminal and the first option listed is a checkbox labeled Enable SSH service; you want to check this box (you can leave the port at the default value of 22) then press the Apply button at the bottom of the page.

    You will then most likely get a Firewall Notification dialog asking if you want to allow Internet access to SSH; for purposes of what we're doing here, you definitely do not want this as this creates a potential attack vector for those who may wish to compromise your router. So simply hit the Cancel button.

    Remember what you did here because in the final step you're going to come back here and uncheck this box and apply that change. Even if you found that SSH was already on, I recommend you come back and disable it at the end of this process unless you have a known need to have it enabled as this will preclude any potential security concerns.

  4. Launch your SSH client. If you're on Windows, I'm going to leave this to you to research for yourself how to do this. If you're on a Mac, you simply need to launch Terminal. If you're reading this post and you're a Mac user, you most likely already know how to launch Terminal, but if you don't, check out this information.
  5. SSH into your Synology router as the root account. On a Mac using Terminal, this is the command you need to use:

    ssh -l root xxx.xxx.xxx.xxx

    Where you replace xxx.xxx.xxx.xxx with the IP address of your router (you will see that in the screenshots that follow I utilize synologyrouter.local instead of the router's IP address; if you want to utilize that approach, you'll need to use xxx.local where xxx is whatever name you have listed for your router in Control Panel > System > SRM Settings). The command to use might vary slightly with another SSH client.

  6. Enter the password for your default administrator account then press the return/enter key. In Terminal (I can't speak for other SSH clients), the keystrokes for your password won't be reflected on the screen in any way until you have fully typed in the password and pressed the return/enter key. By the way, you're actually entering the password for the root account here, but on Synology routers the password for the root account is the same as the password for the default administrator account. Note that even after you have disabled your default administrator account, the password for the root account continues to be the same as the password for the default administrator account.

  7. Retrieve the current members of the administrators group. Don't overlook this step!!! Ideally, you'd be able to simply add the account you created in step 2 to the administrators group, but that's not possible; rather, when you're modifying the membership of a group, you have to specify all of the accounts you want to be members of the group. So that is to say when you're modifying the membership of a group, it's always a complete overwrite of the existing membership of the group. Therefore, before making any changes to the membership of a group, you need to know what users are currently in the administrators group so that you can specify them, along with the account you created in step 2, as the members of the group. Okay, with that, here's the command to use:

    synogroup --get administrators

    After you enter this command and press the return/enter key, you get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot), but I expect yours will only show admin and SynologyCMS. But regardless of exactly what accounts are shown as members of the administrators group, I recommend that you keep them all as members of the administrators group going forward (meaning you include them all in the command you'll type in the next step).

  8. Write all the members of the administrators group. That verb "write" may sound a little wonky, but I can't stress enough that what you're doing in this step is overwriting the existing membership of the administrators group with the new membership you're specifying in this step. If you mess this up, it could be very bad for you (and this is why step 1 here was to create a backup of your router's configuration settings). You must specify each and every member of the administrators group in this single command. Here's the command:

    synogroup --member administrators admin SynologyCMS newadmin

    So in the synogroup --member administrators part, you're specifying that you're writing the members of the administrators group and then after that you're including each of the accounts you want to be a part of the administrators group. You can see in the screenshot below that I'm specifying all of the accounts returned from the command in the previous step and I'm adding in newadmin, which is the name of the new account I want to add to the administrators group (you of course will need to replace newadmin with whatever account you created in step 2). Again, remember that the redacted parts are my actual new administrator account so don't worry about those, you just need to list all the existing accounts that are members of the administrators group plus the account you created in step 2.

    Just as was the case with the previous command, after you enter this command and press the return/enter key, you will get a listing of information about the administrators group, including its current members, as shown in the following screenshot. As I mentioned previously, I have already gone through and created a new account and added it to the administrators group, so what I'm doing for this exercise is creating yet another account and adding it to the administrators group, and accordingly my administrators group already shows my new administrator account (I've redacted the user name of this administrator account in the screenshot) but you can see that beyond that I'm showing exactly what I expect and what I want here: I have admin, SynologyCMS, and newadmin as members of the administrators group. And this is what you want to see too, except of course rather than newadmin you want the list to include whatever account you created in step 2; if that's what you see, you did it! Now it's time to check things out and clean things up.

  9. Terminate the SSH connection. You might want to skip ahead to the next step and check to make sure that you're seeing the account you created in step 2 as being a member of the administrators group and then come back to this one, but I'm putting it here so that I'm not switching out of Terminal and then back into it. Anyway, all you need to do here is type this command and then hit the return/enter key:

    exit

    After you do that, you can also quit your SSH client as you see fit (you won't need it any longer for what we're doing here).

  10. Login to SRM with the account you created in step 2 and disable the default administrator account. When you created the new account in step 2, you could login to SRM, but you didn't have administrator rights nor did you have access to everything, but now when you login to SRM with this new account, you'll have full administrator rights and access to everything. And you can visually check to make sure you're set by launching Control Panel, choosing User from the menu on the left, and then looking to see if your new account now bears a little gold medal with a red ribbon on the user icon as shown in the following screenshot (here again I have redacted the user name of my actual new administrator account).

    From the perspective of improving the security of your router, it doesn't do you any good to create a new administrator account if you don't also disable the default administrator account. Obviously you don't want to do this if you haven't successfully added the account you created in step 2 to the administrators group, so it's a good thing we just checked to make sure your new account has administrator rights, isn't it? Well, yeah, but SRM won't let you shoot yourself in the foot here: you can't disable the account with which you are logged in. But you can disable the default administrator account with your new administrator account by selecting admin in the list of accounts; then pressing the Edit button; then, in the dialog that appears, checking the Disable this account box and choosing the Immediately radio button; and then pressing the OK button to save the changes.

  11. Disable SSH. See step 3, where you enabled SSH, and use it as a guide to disable SSH. You enabled it before with the default administrator account, now you can complete the circle by disabling it with your new administrator account.
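
Because step 8 overwrites the whole membership, one way to avoid dropping an existing administrator is to build the command from the text printed in step 7 rather than typing the names by hand. The following is an added example, not part of the original post or of Synology's tooling; it runs on your own computer against text copied from the SSH session. The function names are made up, and the `N:[name]` layout of the member lines in the sample is an assumption about what `synogroup --get` prints, so compare it with your own output first.

```python
import re
import shlex

# Constructed sample of what step 7 prints. The "N:[name]" member lines are an
# assumption about the output layout; compare with your own terminal output.
SAMPLE_GET_OUTPUT = """\
Group Name: [administrators]
Group Type: [AUTH_LOCAL]
Group ID:   [101]
Group Members:
0:[admin]
1:[SynologyCMS]
"""

MEMBER_LINE = re.compile(r"^\s*\d+:\[(.*)\]\s*$")


def current_members(get_output):
    """Extract member names, in order, from the `synogroup --get` text."""
    members = [m.group(1) for line in get_output.splitlines()
               if (m := MEMBER_LINE.match(line))]
    if not members:
        # An empty list would turn the overwrite into "remove every administrator".
        raise ValueError("no members parsed; refusing to build an overwrite command")
    return members


def member_command(get_output, new_account, group="administrators"):
    """Build the full `synogroup --member` line: every existing member plus the new one."""
    names = current_members(get_output)
    if new_account not in names:
        names.append(new_account)
    for name in names:
        # Step 2 warns that names with spaces break the commands as written.
        if not name or any(ch.isspace() for ch in name):
            raise ValueError(f"account name {name!r} is empty or contains whitespace")
    return " ".join(["synogroup", "--member", group] + [shlex.quote(n) for n in names])


def missing_after_write(before_output, after_output):
    """Names that were members before the write but are absent afterwards."""
    after = set(current_members(after_output))
    return [n for n in current_members(before_output) if n not in after]


if __name__ == "__main__":
    print(member_command(SAMPLE_GET_OUTPUT, "newadmin"))
    # Constructed "after" listing in which SynologyCMS was left out by mistake.
    bad_after = SAMPLE_GET_OUTPUT.replace("1:[SynologyCMS]", "1:[newadmin]")
    print("dropped by the write:", missing_after_write(SAMPLE_GET_OUTPUT, bad_after))
```

Step 8 prints the group listing again after the write, so `missing_after_write` can be given the step 7 text and the step 8 text to confirm nothing was dropped before you disable the default administrator account.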

So there you go! Pretty straightforward, but like I said, not documented in a concise manner elsewhere, so I put this together in the hopes it would help others out. If it was useful to you and you're willing to take a moment to post a comment about it, I'll appreciate that.

Buy Your Nespresso Pods in Europe

We have a Nespresso Vertuo coffee machine. Well, technically I have it: Kendall bought it for me for my birthday. And it was a good gift because I do enjoy having an espresso from it from time to time. However, I could have made a nice espresso with a Nespresso Original coffee machine. But unlike the Original coffee machines, the Vertuo coffee machines can handle 5 different sizes of capsules, from a small 1.35 oz Espresso capsule all the way up to a 14 oz Alto XL capsule, and that means that Kendall can use it too since, while she will have an espresso from time to time, she generally prefers a regular-sized cup of coffee.

Now, when you have one of these machines, well, you gotta buy pods. And that's what brings me to post. Kendall and I were fortunate enough to be able to go on a trip to Europe recently and we brought back one particular souvenir I want to talk about today: 12 boxes of Nespresso VertuoLine coffee pods. You should do this too if you're a Nespresso machine owner and here's why: the pods are vastly less expensive in Europe. I have absolutely no idea why this is the case. Does Nestlé just have it out for Americans? Does the US charge a huge import tariff on coffee? As I said, I have no idea. And further, I don't really care because, while the reason behind this pricing discrepancy might be interesting, it doesn't really matter; all that really matters is that the pods, at least the VertuoLine pods (I'll leave it to you to do your own research if you're an Original coffee machine owner), are in excess of 35% less in Europe at the time of this writing (the exact price fluctuates with the exchange rate of course). 35+%?!? I told you the pods were vastly less expensive in Europe. It's just crazy.

A cool side benefit to buying your Nespresso pods in Europe: every time you drink one at home, it will serve as a reminder of your European trip. So rather than spending your money on some souvenir you don't even really need or want and that you'll just stick somewhere and never use when you get home, spend your money--and less of it at that--on something you were going to buy anyway, that you'll regularly use, and that will remind you of your trip. I think they call that a win-win-win. That's a pretty great side benefit.

Now, here's what you should know when it comes to bringing the coffee pods home to the US with you: as long as they're for personal use, you're good to go. However, in many countries, coffee pods are considered powders which are limited in carry-on baggage, so you'll need to check them if you're buying a good quantity of them like we did. So plan your luggage strategy accordingly! I researched the permissibility of bringing coffee into the US before buying the pods, but the powder situation caught us by surprise when we tried to check in at the airport; fortunately, we were able to go move things around to get the pods checked in a small roll-aboard bag we'd planned to carry on the plane with us.

A note here about waste: you're free to comment about the fact that coffee machines that use pods generate more container waste, at least at the time of usage, than traditional coffee preparation methods. But know that I already get it. And I care. But I'm still making the choice to use machines that utilize pods. The reason is that we don't consume a lot of coffee in our home: Kendall consistently has 1 pod per day and occasionally 2 while I have only about 2 pods per week. And so at that kind of consumption, the convenience of the pods is significant, yet the waste of the pods--not to mention the cost of the pods (pods are definitely expensive on a per-cup basis!)--is not significant. And while, sure, I can buy the opinion that the whole Nespresso pod recycling program is more of a PR move than anything else on the part of the company, I nevertheless do participate in it, for what that's worth.

How's that for a first blog post in years? ;)

Login Requirements for delta.com: Sometimes You Have To Use Last Name, Sometimes You Don't

Delta Air Lines operates their main website at https://www.delta.com. To the best of my recollection, for a long time the only way to login to delta.com (and before that, delta-air.com) was using a SkyMiles number and its corresponding 4-digit PIN (so you used SkyMiles number + 4-digit PIN). At a certain point, this changed such that the corresponding last name was also required (so you used SkyMiles number + 4-digit PIN + last name); presumably the reason for the change is that it was determined SkyMiles number + 4-digit PIN is too easy to crack using brute force methods and so it made sense in that situation to require providing also another piece of identification information. So that's all good.

But now using a 4-digit PIN to login has been eliminated completely; a password now must always be used when logging in. In addition, email address and user name have been added as alternatives to SkyMiles number for use when logging in. But what's strange is that while last name is not required when logging in with SkyMiles, last name is required when logging in using the 2 alternatives to SkyMiles number (so you can use SkyMiles number + password or you can use user name + password + last name or you can use email address + password + last name). I don't understand this: this implies that there is less security when using a user name or email address than there is when using a SkyMiles number and I feel that if anything, the opposite is true since a valid SkyMiles number is by definition easier to guess given that there are only 10,000,000,000 possible valid SkyMiles numbers whereas there are an infinite number of possible valid user names and email addresses. Of course, a legitimate concern is that an attacker wouldn't be guessing but rather would be using information he/she knew: an attacker may acquire information from another source (website, database, etc.) and that information may work as credential information on delta.com (users commonly reuse passwords on multiple websites). It seems that Delta can envision a situation where an attacker could gain access to user name/email address + password and not gain access to last name yet Delta cannot envision a situation where an attacker could gain access to SkyMiles number + password and not gain access to last name (if they could envision this latter scenario, they would surely require last name as a means of thwarting attackers, just as they do as a means of thwarting attackers in the former scenario). 
I suspect they are correct that the former scenario is more likely but the latter scenario is at least possible and since they're already asking for last name with a user name/email address and since SkyMiles number is by definition easier to guess than user name/email address, I just don't understand why, if they're ever going to ask for last name, they don't consistently ask for it. I'm loath to call it arbitrary but it's certainly at the very least difficult logic to follow.

Fixing a Slow, Unresponsive, Crashing iPad by Restoring from a Backup

My pertinent experience for this blog post is with an iPad (specifically a "the new iPad" which is generally referred to as the iPad 3) but I expect that these same results would be experienced for any iOS device (iPhone, iPod Touch, etc.). No matter what your device, if you have direct experience with using this technique with a device that is slow, unresponsive, and/or crashing, please post a comment about your experience (whether or not it helped, anything you did differently, etc.) as that will very much help other readers.

My iPad had become very unreliable: it crashed (or perhaps I should say it spontaneously rebooted) regularly and when it was running, it was very slow to respond and at times downright unresponsive. The condition got worse and worse to the point where I simply couldn't use it because it just wouldn't respond for more than a few seconds before automatically restarting of its own accord.

The good news is that I was able to get my iPad back working like new by restoring it from a backup; the bad news is that by the time I tried this approach, it had become very hard because the first step in the process is to do a full backup of the device and that was very, very difficult because of my iPad's propensity for spontaneous reboots (but fortunately, with a lot of patience and persistence, I was able to get my iPad to back up).

Now, to be clear, when the iPad was merely painfully slow, I had considered doing a restore from a backup but, though it's easy and straightforward enough, doing a restore from a backup does take a bit of time and so I was reluctant to do it without some indication that it might help. For that reason, I searched for guidance and I wasn't seeing people prominently pointing to doing a restore from backup as a troubleshooting step to try and so I didn't jump to do it; as I said already, that proved costly because things got so bad that I almost couldn't successfully back up the iPad. And that then is the reason I'm writing this post: my hope is that when others search in the future for what to do about extremely slow-to-respond (and even entirely unresponsive) iPads, iPhones, and iPod Touches that crash and/or spontaneously and automatically reboot, they'll find this blog post and be encouraged to try restoring from a backup--and then of course I further hope that those who do try this approach will get the same results that I did: iOS devices that work like new. Please let me know in a comment if it does or doesn't work for you.

Now as to the process of doing a backup and restore: I won't get terribly detailed here because you can find the key details on Apple's Support website. But some notes:

  1. As I mentioned, this process is easy and straightforward but it does take some time; accordingly, make sure you'll be able to dedicate your device to this task for an extended period of time (in other words, don't expect to start this and be able to then take your iPhone somewhere a half hour later).
  2. To do the backup and restore, I used iTunes, not iCloud and I recommend that you do the same as it will certainly be faster. However, I don't know any reason that it wouldn't work using iCloud.
  3. Since what you're going to be doing is reinitializing your device from a backup, the first thing you need to do is back up your device so that the backup you're using for the reinitialization is current.
  4. Then you need to erase your device; this is mentioned but not actually described in the link above. You can do this via iTunes or you can do it directly on the device. I believe these are not entirely equivalent approaches but rather a factory reset via iTunes is a more extensive reset than merely erasing the content and settings directly on the device. I erased the content and settings directly on the device and that worked great for me. Note that the information on erasing the content and settings directly on the device does not mention turning off Find My iPad (or Find my iPhone or whatever is appropriate for your device) but to keep yourself out of trouble, I recommend turning that setting off. I turned it off prior to doing the backup (step 2 above) so that Find My iPad was completely out of the picture and couldn't cause any issues.
  5. Once your device has been erased/reset, you need to restore it from your backup. This part will take the longest. Fortunately, you can just let it run while you do other things.
  6. Once you've restored the backup, if all goes well, you should hopefully be in really good shape with your device! Specifically, your device should work like new. If it doesn't then unfortunately, you are probably dealing with issues that this approach won't fix. But if your device is working well at this point, you'll want to go back and turn on Find My iPad (or Find my iPhone or whatever is appropriate for your device). In addition, if you're an iCloud Keychain user, check the iCloud Keychain setting (it's on the same screen as the Find My iPad setting): I found that it was off and needed to be turned on (but fortunately, so far that's the only setting I've found unexpectedly changed during this process).

So what exactly was wrong with my iPad that the backup and restore appears to have rectified? Well, I had thought all the issues I was seeing (in addition to the poor performance and reliability, I had one app update that just wouldn't finish, leaving the app in a sort of state of limbo; I couldn't remove it by clicking and holding and hitting the "x" to delete it, I had to delete it via the Manage Storage area of the Usage area of the General area of the Settings app) were perhaps because some of my iPad's solid state storage had gone bad (and I was hoping that upon the backup and restore, iOS would avoid using the bad parts of the storage) but after the restore I noticed that my iPad gained around 3 GB of additional free space. Interestingly, when my iPad was misbehaving so badly, the amount of free space reported for the iPad in iTunes did not match the amount of free space reported by the iPhone itself; however, after the backup and restore, the 2 reports matched. I checked my iPhone, which doesn't have performance issues, and the report of its free space in iTunes matches what the iPhone itself reports. This all leads me to believe that mismatches (at least significant mismatches) between the reports of the free space provided by an iOS device and iTunes may be a good indicator that something is seriously amiss with that iOS device. Certainly in the case of my iPad it seems there were some serious "cobwebs" in there that were cleared out by the backup and restore. But regardless of exactly what was going on, I'm just glad it seems to be better now and I hope it stays that way!

As they say, your mileage may vary but I very much hope your results are as good as mine have been!

Performing a Mail Merge with Google Docs (To Create Documents or Emails)

Google Docs is wonderful in many ways; however, there are a couple of areas where it has limited functionality that were issues for me recently and this is the second of a two-part series of blog posts (see the first part here) on what I did to work around those limitations.

A Google Docs mail merge is not a native capability of Google Docs. Said another way, Google Docs does not natively offer the ability to do a mail merge (that is, it does not offer the ability to use a template document with special data placeholders and create a set of documents from a set of data where the data is used to populate the values for the special data placeholders in the template document). Fortunately, Google Docs does natively offer the ability to use 3rd party extensions and the excellent DocumentMerge by PandaDoc extension will allow you to do mail merges.

The instructions for how to use DocumentMerge by PandaDoc to perform a mail merge using a Google Sheet as the data source for a template Google Doc can be found at https://www.pandadoc.com/google-docs-document-merge. I won't belabor things by repeating the instructions here; the reason I'm writing this post is that for me, the DocumentMerge by PandaDoc extension wasn't easy to find when searching for a way to do a mail merge with Google Docs and I'm hoping that this blog post will bubble up in search results in the future, making it easier for others to find the extension (if this blog post is helpful to you, please take a moment to leave a comment if you're willing). To be more specific, what I was looking for was the ability to do a mail merge that produced printable documents but all I was able to find was info on how to do mail merges to create emails (which the DocumentMerge by PandaDoc extension will do as well so if that's what you're looking for, it's good for that too).

Anyway, it's a great extension for doing a mail merge with Google Docs (though for some reason it's fairly slow). You'll see that it creates a Google Doc as the output of your mail merge and from there, that document is just like any other Google Doc (meaning you can download it, print it, whatever you need to do). In addition, DocumentMerge by PandaDoc has another capability as well: if you want to email out each of the merged documents as a PDF attached to an email, you can do that directly with DocumentMerge by PandaDoc which is a great feature (albeit one I haven't used since in my case I just needed to print the merged documents).

Creating a Document of a Non-standard (Custom) Size in Google Docs

To give credit where credit is due: I became aware of this technique in the post at https://productforums.google.com/forum/#!topic/docs/m-hUu90ZGI0.

Google Docs is wonderful in many ways; however, there are a couple of areas where it has limited functionality that were issues for me recently and this is the first of a two-part series of blog posts (see the second part here) on what I did to work around those limitations.

Google Docs only allows you to create documents from a set of standard page sizes; it does not allow you to create a document of a non-standard page size (custom page size) of your choosing. Fortunately, there is a workaround that will allow you to create a document of any page size. If you're printing (in my case, I was printing envelopes), working from a document that properly represents the size of your print media is at the very least helpful, if not downright critical.

The workaround is to create a document outside Google Docs (yeah, that's bad but it's what you have to do) with the proper page size (and get your margins like you want them as well because if you try to change those in Google Docs, you'll also be forced to change the page size at the same time and of course you'll be forced to change the page size to one of the standard sizes). I had success uploading a Word-type document (both .doc and .docx worked for me) but not uploading a PDF or a Pages-type document. Note, however, if you don't have Word on your machine, you can get OpenOffice for free. In addition, if you have Pages, you can create the document there and export it as a Word-type document and that works (in fact, that's what I did; for more on how to do it, see this associated post of mine).

One special note here: I encountered a bit of a strange issue with pages with a width of 7.25" (my custom size also had a height of 5.25" but I didn't investigate whether or not that was relevant to the issue). The issue was that Google Docs for some reason was inserting a blank page between every actual page on print/download. Very weird stuff. By using a document with a width of 7.75" with an additional .25" margin on left and right, Google Docs did not insert that extra blank page and for my situation, this was a suitable workaround because what I needed to be able to do was print and on my Mac, the key for printing was the center of the content (if in your situation, you ever see an issue like this but the key for printing is the left of the content then add additional width to the page and instead of dividing the additional width evenly between the left and right margin, just add all the additional width to the right margin).

Creating a Document of a Non-standard (Custom) Size in Pages

Creating a document of a non-standard size (custom size) in Pages isn't straightforward: as pointed out at https://discussions.apple.com/thread/5501217, in order to create a document of a custom, non-standard size in Pages, you have to go to the File menu and choose Page Setup and then in the dialog box that comes up, for the Paper Size option, you have to choose Manage Custom Sizes. Then you'll get another dialog box and it should be pretty self-explanatory what you do there to create your non-standard paper size. After you've created your custom paper size in that dialog box and pressed the OK button, you'll see that back in the Page Setup dialog box, the custom paper size you just created is listed for the Paper Size and of course you'll then want to press the OK button there and now your document in Pages should be of the size you want. To change the properties of the page (page orientation, margins, header, footer, and so on), you'll need to click the Document button in the upper-right corner of the Pages button bar at the top of the window and then the Document button beneath that.

Lightroom Error Building Smart Previews

Well, apparently I'm the first one who has encountered this because there is absolutely no reference to it anywhere I can find on the World Wide Web (no one uses that term anymore but it's technically more accurate than Internet here so I'm using it!) and whenever I encounter a situation like that, I like to write a blog post about it so that the next person who comes up against the issue can find at least 1 result when he/she searches. Perhaps no one will actually ever search for information on this issue because there is a sense in which how to deal with this issue is pretty obvious once you understand what the issue really is, but if you're seeing the error and missing the underlying issue, you will find this post helpful.

Okay, on with it: I moved all my photos off my Apple MacBook Air to my incredible new ioSafe N2 (I did this from within Adobe Lightroom 5 so that the Lightroom 5 catalog would be kept in sync with the move; I followed the instructions in this blog post and it worked great, if slowly, for me but I'm not claiming it's the only or best way to go about making that kind of a move). Then my next step was to create Smart Previews for all the photos so I still have access to a version of them when the MacBook Air isn't on the same network as the N2 (as that link to info on Smart Previews states, to do this you need only to "Select the files for which you want Smart Previews, and then click Library > Previews > Build Smart Previews" and so I selected all the files and Lightroom started building away on Smart Previews). At the very end of the process, this dialog box popped up:

As you can see, it says "Some Smart Previews were not built" and then farther down it says "Photos failed to build" and it lists out one lone photo for which the Smart Preview was not built. Not shown but also present in Lightroom is a new entry under the Catalog listing on the left side (the place where you can find "All Photographs," "Quick Collection +," "Previous Import," etc.) that is titled "Photos That Failed to Build a Smart Preview." When I take a look at the offending photo in Grid View, I see that in the upper-right corner, it has an error indication icon and when I hover over that with my mouse, the tooltip message "Lightroom has encountered problems reading this photo" comes up; if I look at the photo in Loupe View, it has a banner across the top indicating "There was an error working with the photo"; given this, it is unsurprising that further attempts to build a Smart Preview for the image result in the same error dialog noted above. But knowing that the real issue here is that there is a problem with the image (it's a corrupt image I suppose) the course of action is clear: remove the photo from Lightroom and re-import it (of course this assumes you have another copy somewhere; hopefully you either directly kept the original or you had Lightroom save a backup for you or you backed up the photos yourself or something). The way I accomplished that was to remove the photo in Lightroom then copy the original version of the photo to the proper directory in Lightroom and then I right-clicked on the folder in the Folders section on the left side and chose "Synchronize Folder" and Lightroom found the photo and then I told it to import it--and the cool thing was that at the end of the import, Lightroom presented me with a dialog box indicating it had created a Smart Preview for the image so I instantly knew all was well!

Keywords for search indexing: Lightroom Photos That Failed to Build a Smart Preview, Lightroom Some Smart Previews were not built, Lightroom Photos failed to build, Lightroom Smart Preview Error, Lightroom Smart Preview Build Error, Lightroom Smart Preview Building Error, Lightroom Smart Previews Error, Lightroom Smart Previews Build Error, Lightroom Smart Previews Building Error.

Adios, Flash Player! (or How I Uninstalled Flash Player and Got Away with It)

When I worked at Adobe, people would often tell me they knew of Adobe because "that's the thing that is always telling me I have to update on my computer." Those comments have echoed in my mind of late after the release of 3 security updates for Flash Player in February 2013. Now here's the thing: I appreciate that Adobe takes pains to plug the security holes discovered in Flash Player and in this sense, these updates are a good thing. Additionally, I know that Flash Player is one of the most widely distributed pieces of software in the world and as such it makes sense that it would be a popular attack target for the bad guys out there. And finally, I know that making perfect software is simply impossible. Still, it's an unavoidable fact that if Flash Player didn't have these security holes in the first place, it wouldn't need all these security updates.

When I mentioned on Facebook my perturbation with having to install these frequent Flash Player updates on my MacBook Air (every time I install a Flash Player update, I have to restart all my browsers which is inconvenient), my friend John Mason suggested I simply remove Flash Player, saying "you'll be surprised how many sites have already moved on." And so I thought about it: I do a lot of web browsing on my iPad and I essentially never have issues with my web experience as a result of the lack of Flash Player on the device (and of course, it's worth noting that it is precisely this lack of Flash Player on iOS devices that is the reason why many sites have, in John's words, "moved on" from Flash content). So I realized maybe I could live without Flash Player on my MacBook Air--and when I thought about the fact that on my MacBook Air, Flash Player has a tendency to use up massive amounts of resources for no apparent reason (don't get me wrong: I know this issue isn't entirely Flash Player's fault but that in fact the developers of the Flash content delivered to my MacBook Air have a role in this issue too--but it doesn't matter who is responsible for the issue, what's pertinent is that the issue exists), it became pretty clear that John's suggestion seemed to have a lot of merit.

And so I uninstalled Flash Player. But I also have Google Chrome installed on my system and Google Chrome has its own built-in version of Flash Player so I had to disable that instance of Flash Player too (disabling Flash Player in Chrome is as easy as browsing to chrome://plugins and selecting the Disable link in the Adobe Flash Player listing on the page).

And how did my web experience change? For the most part, it didn't: as I mentioned was already the case with my iPad, by and large I can use the web just fine without Flash Player. Every now and then, I have to use a little deception to make that happen (don't worry: I'm only deceiving servers, not people!). Let me explain: I've noticed that YouTube will sometimes tell me that I have to have Flash Player to view a video (it's my understanding that this has to do with advertising but the reason isn't of any actual importance so I'm not going to look into it further)--yet these same videos work just fine on my iPad. Why is this the case? Well, without doing all the work required to be able to give a definitive answer, I'll give an answer in which I have complete confidence: YouTube knows that I could have Flash Player on my MacBook Air if I wanted to but on my iPad, Flash Player cannot be installed; accordingly, YouTube tells me on my MacBook Air to install Flash Player but on my iPad it simply serves up an alternative format of the video. So where does the deception come in? I installed the User-Agent Switcher for Chrome extension to Chrome and that allows me to set Chrome to "masquerade" as another browser; when YouTube tells me that I need to install Flash Player, I simply use User-Agent Switcher for Chrome to have Chrome masquerade as an iPad and I'm able to view the video I want to watch just fine in Chrome. So far I've only done this for YouTube but I expect I'll use this same trick from time to time for other video sites.

So great! But it's all well and good to trick a site into giving me another format of a video but let's say some part of a site's functionality is in Flash and there's no alternative functionality I can use; if I need to use that functionality, what do I do then? The great news is that enabling the Flash Player plug-in in Chrome is just as easy as disabling the Flash Player plug-in: you simply browse to chrome://plugins and select the Enable link in the Adobe Flash Player listing on the page; the changes take effect immediately without Chrome needing to be restarted. So if I need to view any Flash content, I just enable the Flash Player plug-in in Chrome and when I'm done with my need for the plug-in, I again disable it in Chrome. Since you can do this same thing for any plug-in, I recommend disabling other plug-ins in Chrome you don't expect to need frequently. On my MacBook Air, I disabled the Java plug-in in Chrome in addition to Flash Player and I recommend you disable the Java plug-in in Chrome too: chances are slim that you'll have greater need for Java than you do Flash Player so you may as well turn it off and preclude it using resources and creating security holes (I'm not giving Java top billing here because I didn't actually go to the point of uninstalling it from my MacBook Air completely...yet!). If you're on Windows, the same holds true for the Silverlight plug-in in Chrome.

Let's say you don't currently use Google Chrome: what then? Well, install it! You don't have to use it all the time: you can keep it on "standby" and use it only when you need a browser with Flash Player. Now, I personally do use Chrome as my main browser because it won me over with its ability to sync bookmarks and open tabs across devices and perhaps you too will find this capability makes it worth giving Chrome a look.

One other thing I recommend you do while you're adjusting Chrome's settings is set the Plug-ins for "Click to Play" (browse to chrome://settings/content and choose the "Click to Play" radio button on the page); this option precludes any plug-ins from running content unless you specifically click on the area for the content (you can do a similar thing in many other browsers; I leave it to you to search out the details for your browser of choice). With this option on, Flash content, like all plug-in content, won't play even with the Flash Player plug-in enabled unless you click on an area for Flash content (thereby expressly indicating you want that specific content to play); this gives you granular control over Flash content at such times as you do choose to enable the Flash Player plug-in. So why not just use this and not disable the Flash Player plug-in? First, I just don't want Flash Player there at all where it can use up resources (though I suspect that with "Click to Play" set for plug-ins, Flash Player wouldn't use significant resources). Second, I want my browser to tell sites I don't have Flash because that way they'll send me any alternative content they may deliver to clients without Flash Player (and remember, all iOS clients are Flash Player-free so alternative content for Flash Player-free browsers is a very real and common thing for sites to deliver).
