Unfortunately this all happened a few months ago, so I don’t remember all the details about why I liked or disliked each of the products, but here are some brief thoughts on each one.

JungleDisk

I had been using JungleDisk for a year or so, and I liked that I could be confident that my data was being encrypted on my end and that no one else could decrypt the data. The security was my number one concern.

I didn’t particularly like the way the tool integrated into my life, but that’s a preference thing. You may like it just fine. JungleDisk essentially makes available to you a network disk that mirrors whatever you’ve specified that you want to back up. I did find it convenient when I was on my laptop and wanted to retrieve something from my desktop—I could just retrieve it from the network disk.

JungleDisk the software only cost me $20, but it uses Amazon S3 for the backend storage, so my monthly bill came from Amazon. Eventually it just got too expensive for me. My backups grew to 30GB then 50GB then 80GB, and I could see I would want more backed up in the future. The monthly bill was growing to $20. That’s when I decided to look elsewhere.

Carbonite

Because Carbonite was an advertiser on the podcast, I learned that they offered unlimited backup space for about $5 per month, or so they claimed. I checked out Carbonite. It makes me feel dirty. Everything about their business feels creepy to me, and ultimately they were disqualified because I was not satisfied with their encryption technique which, as I recall, involves them having the ability to decrypt my files.

Mozy

I had high hopes for Mozy, because people seemed to think it was Mac-like. Ha. Mozy was OK, but restoring files was a pain, and again I did not trust their encryption techniques.

CrashPlan

Somehow I stumbled onto CrashPlan, which doesn’t seem to be mentioned as often as Mozy and Carbonite. I use it on several of my computers, and I am paying for the family plan (all my computers, unlimited storage) for about $100 per year. Some things I like about CrashPlan:

• You can use it for free to back up to your own external drives, other computers, etc, so if you don’t want to pay for online storage, you can still use it as a nice backup solution locally. Near as I can tell, you could also install this on a friend’s (or your parents’) computer and have them backup to your computer for free remotely, if you’re willing to spare some hard drive space. You could have an arrangement with a friend so that each of you backs up each others’ data (encrypted, of course), so as long as your houses don’t both burn down simultaneously, you should be OK.
• You can encrypt your data locally with locally-controlled keys that cannot be decrypted by anyone else. You have the option to choose to have the keys stored with CrashPlan so that if you forget your password, you can still access your data, but that’s not what I wanted. How nice of them to offer both services.
• Truly unlimited backup space. I found people on various forums complaining with all these services (except JungleDisk/Amazon S3) that “unlimited” really meant 50GB or so, but CrashPlan’s stance is unequivocally, “Unlimited means Unlimited,” and I appreciate that.
• Easy interface, easy restore.

Conclusion

That was my adventure, trying all these backup plans. I now use my Macs’ built-in TimeMachine backup for local backup and recovering accidentally-deleted files, and I use CrashPlan to backup offsite.

Download

Here is what I compiled. I have not packaged it as a PKG file. You’ll get a generic-looking application (.app) and a symbolic link pointing to the executable within the application. I recommend copying both files to /usr/local/bin, if that is in your PATH, or somewhere else that is accessible.

Download CutyCapt.zip

Usage

Running CutyCapt without arguments gives us the following options:

-----------------------------------------------------------------------------
Usage: CutyCapt --url=http://www.example.org/ --out=localfile.png
-----------------------------------------------------------------------------
 --help                         Print this help page and exit
 --url=<url>                    The URL to capture (http:...|file:...|...)
 --out=<path>                   The target file (.png|pdf|ps|svg|jpeg|...)
 --out-format=<f>               Like extension in --out, overrides heuristic
 --min-width=<int>              Minimal width for the image (default: 800)
 --max-wait=<ms>                Don't wait more than (default: 90000, inf: 0)
 --delay=<ms>                   After successful load, wait (default: 0)
 --user-styles=<url>            Location of user style sheet, if any
 --header=<name>:<value>        request header; repeatable; some can't be set
 --method=<get|post|put>        Specifies the request method (default: get)
 --body-string=<string>         Unencoded request body (default: none)
 --body-base64=<base64>         Base64-encoded request body (default: none)
 --app-name=<name>              appName used in User-Agent; default is none
 --app-version=<version>        appVers used in User-Agent; default is none
 --user-agent=<string>          Override the User-Agent header Qt would set
 --javascript=<on|off>          JavaScript execution (default: on)
 --java=<on|off>                Java execution (default: unknown)
 --plugins=<on|off>             Plugin execution (default: unknown)
 --private-browsing=<on|off>    Private browsing (default: unknown)
 --auto-load-images=<on|off>    Automatic image loading (default: on)
 --js-can-open-windows=<on|off> Script can open windows? (default: unknown)
 --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown)
-----------------------------------------------------------------------------
 <f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm
-----------------------------------------------------------------------------
http://cutycapt.sf.net - (c) 2003-2008 Bjoern Hoehrmann - bjoern@hoehrmann.de

Based on the example provided, try a simple test:

$ CutyCapt --url=http://blog.iharder.net --out=blog.png

I get a nice long capture of my blog as a PNG file.

The program does not seem to work if you use a tilde (~) in the path to represent your home folder.

Enjoy!

Of course they explain it better than I in two papers and an applet I copied here:

• Jam-Resistant Communication Without Shared Secrets Through the Use of Concurrent Codes, Baird, Bahn, Collins.
• Visually Understanding Jam Resistant Communication, Schweitzer, Baird, Bahn
• Visualization Applet further down this page

Baird has over a dozen papers published on the subject on his website.

First let’s understand the kind of attack we’re fighting. To fight jamming, you want to make your enemy work so hard or expend so many resources that the jamming is ineffective when on or not cost effective to even turn on. We cannot pretend to achieve “jam proof.”

Radio jamming adds energy to the spectrum, so a successful jamming adds energy at the specific frequencies that we are trying to read or at the specific moments in time we want to read them. With spread spectrum communication, as one example, successful jamming would require energy to be poured into many, many frequencies on the hope that the particular frequencies specified in the shared key will be covered. This is expensive for a jammer.

Note that a jammer cannot remove energy from the spectrum. This is an additive process, and this will be important.

Encoding

To encode a message, we step through the message, hashing each successively-longer piece, and we use the hash value to “place” energy in the spectrum. (You can use a time-based pulse method as easily). We scale the hash function (like a modulus operator) to an appropriate width (not discussed here).

Say we’re passing the (ridiculously-short) four-bit message 1011. We’ll arbitrarily set our hash width to 50. The hash value  of 1, I’m making this up, is h(1) = 37. We continue through the message as well as some padding bits on the end which are analogous to a checksum.

h(1) = 37
h(10) = 8
h(101) = 44
h(1011) = 23
h(10110) = 9
h(101100) = 17

We now have an encoded message that will have peaks at the points 8, 9, 17, 23, 37, and 44. Again this could be frequencies, timed pulses, etc. depending on your radio setup.

A jammer comes along but doesn’t have the energy to jam everything, so he jams points 1-5, 20-29, and 40-49 (for ease of illustration) by turning those points “on.”

Decoding

The listening end cannot distinguish between the original message and the jamming and so receives “on” energy at the points 1-5, 8, 9, 17, 20-29, 37, and 40-49.

We know a message must start with either a zero or a one, so the receiver hashes zero and one to see if their values appear in the received “on” list.

h(1) = 37 ON THE LIST
h(0) = 11 NOT ON THE LIST

So far we know the message begins with a one. The second bit must be zero or one.

h(10) = 8 ON THE LIST
h(11) = 28 ON THE LIST

Hmm, both 10 and 11 may be valid messages. We’ll continue our tree (imagine a tree) and consider adding a zero and one to both 10 and 11. At the end of the four-bit message we know that we add two zeroes, so messages that end with ones can be discarded.

With appropriately chosen hash widths, message lengths, and padding, we’ve successfully decoded the message, despite the jamming, and we’ve discovered that we can actually have multiple valid messages overlapping (protection against a sort of “friendly” jamming).

Visualization Applet

1. Type a short message in the Message box and hit Return.
2. See the Decoded Message at the bottom.
3. “Jam” the communication channel by drawing all over the message.
4. See how you can cover up to half the message before the message is degraded.

Conclusion

This new concurrent coding can provide keyless jam resistance. The papers linked above discuss other uses such as for RFID tags and even document searching. Since this is government-developed technology (and it’s not classified), it is free for use. Go forth and build more secure radios!

Atlas Shrugged Essay Topic #2: In Atlas Shrugged, the heroes want to “make” money while the villains want, on the surface at least, to “have” money. What is the difference between these two views of money? Explain your answer by reference to actual events in the novel.

Distinguishing between “making” money and “having” money is a key insight highlighted by Ayn Rand, however despite the rational selfishness that the main characters put forward, their view of making money necessarily requires the considerations of other people—that one person’s new idea has value only if someone else thinks it has value—whereas the view of having money pits one man against his neighbor where invariably the only way to have is to take. How ironic that the villains in the book who decry selfish ambition are actually embracing the more selfish of the two views of money.

Making money implies that one can increase wealth by work and mental effort. Strictly speaking this is not making money exactly, and Midas Mulligan even reverts to a gold standard for representing money in the Colorado mountains. In this sense the protagonists actually embrace the “having” money point of view, but Hank Rearden acknowledges that it is wealth that is made, and that is the meaning taken here. Gold becomes a means for value exchange enabling wealth to be “made.”

With the notion that wealth can be made comes hope, opportunity, and achievement. One can think of what no one has done or of doing something better, and this creates a value difference between what is currently available and what one proposes. Despite the main characters’ insistence that they follow a selfish path, their philosophy depends on other people and how one’s ideas and actions improve the lives of others. Regarding the desparately-needed new rails for the Rio Norte line, Hank tells Dagny Taggart, “I intend to make you pay for it,” and Dagny gladly does.

New ideas may also benefit the creator directly. John Galt explains to Dagny that such innovations give the inventor time, not money, and time can be redeemed to pursue what one desires. In this sense time is a sort of gold standard with oneself. One cannot pay oneself with gold for a new idea, but time—the ultimate limited resource—can be “saved” by innovation.

The value of a new idea is based on the improvement that it provides another person. It is the recognition of one person’s achievement by another, but it is not a hollow recognition for the benefit of the creator. It is the acknowledgement of one person’s genuine contribution to another. Richard Halley’s fifth concerto, John Galt’s motor, even Hugh Akston’s cooking—these have value because they improve someone else’s life, not necessarily that of the creator. Without this understanding, Hank’s wife Lillian cannot appreciate the significance to the world of the first pouring of Rearden Metal. Instead she offers sarcastically, “Shall we declare it a national holiday, darling?”

Allowing individuals to develop their ideas may lead to more good ideas, such as when Hank proposes his new bridge structure to Dagny. She asks if he invented the bridge in the last two days, and he replies, “I `invented’ it long before I had Rearden Metal. I figured it out while I was making steel for bridges. I wanted a metal with which one would be able to do this, among other things.” His desire to build a better bridge drove him to invent a better metal.

This view of money provides stability and correction because value can be verified, tempered, adjusted not by a single creator but by the people. In its selfishness, it gives power to the consumers to negotiate their futures and demand something better, but these demands come not in the form of declaring a right but proposing a counter-offer: “We will pay you more money for something better.” It respects the creator and creates a lasting relationship among people where respect, not force, is the key ingredient. Everyone benefits, and here the best way to maximize the common good and provide a positive future is to allow individuals to achieve and submit their efforts for peer valuation. In contrast when one views money as something to have, then one must necessarily look around for existing wealth and think of ways to get it, for unless more can be made, the only way to get more of something is to take it.

While it is possible to take money peaceably as with the case of selling goods and services, one might start looking enviously at another person with more money and quickly realize that it is much more efficient to take it by force. One might easily justify it as well, assuming that the person with more money must have in turn gotten it by taking it from someone else.

Without the insight to make money, some characters in the book apply their creativity to inventing ways to take money. Inevitably this leads them to force their ideas on others by law, a common theme among people with this view. Balph Eubanks’s negative view of humanity convinces him that, “We ought to place a limit upon their material greed,” and he suggests that no more than 10,000 copies of a book should be permitted to be sold. James Taggart pushes through the Anti-dog-eat-dog Rule in order to remove the “destructive competition” of Dan Conway’s Phoenix-Durango line. Orren Boyle uses Directive 10-289 and blackmail to force Rearden Metal into the government’s hands.

Even the fair exchange of money can be warped when one has the wrong view. Consider Hank’s mother and his brother Philip who decide it is not right that Philip exist only on Hank’s charity. Her solution is to have Hank give Philip a job instead, “but a nice clean job, of course, with a desk and an office and a decent salary.” Hank’s reply: “But he knows nothing about the steel business!”

The two views of making money and having money ultimately affect the value you place on other people. If you believe that you can make money, then you inherently acknowledge that other people have value and that your positive impact on their lives is what makes money, but if you believe that money can only be had, then other people become an impediment to your happiness, and you will seek ways to take from them as the “looters” in the book often did.

How To

For this example, we will create an animated GIF of us typing some text into a text editor. Preview sets the interframe delay to 0.1 seconds, and I have not seen a way to change that. That is a reasonable typing speed for this effect.

Open a text editor such as TextEdit, TextMate, BBEdit, etc. Resize the window so that it’s a nice, tight size that will look good on a web page.

The first thing you might notice between the screenshot above and the animated GIF at the beginning is that the shadow looks better on this screenshot. That’s because GIF images can only contain 256 different colors, and that’s not enough to see the subtle changes in the shadow.

Save this opening shot by typing Command-Shift-4. Release those keys and type Space. Now click on the text editor window. That creates a screen capture of just the window you clicked and saves it to the desktop.

Open that file in Preview. Choose Save As from the File menu. Select GIF as the file type. Name the file something meaningful like animation.gif. You can now delete the original screen capture image so you don’t accidentally duplicate it during the next steps.

We’ll want to see the sidebar so we can add images to the GIF sequence. Click the Sidebar button in the toolbar.

Let’s just add one character ‘A’ to the text editor, and add that to the sequence.

1. Type ‘A’ in the text editor window.
2. Type Command-Shift-4.
3. Type Space.
4. Click on the text editor window.
5. Find the captured image on your Desktop, and drag it onto the Preview window, directly over the “animation.gif” image in the sidebar.

Your Preview window should look something like this now:

Now let’s capture several frames at once to speed this along. After each character that we type in the text editor, we’ll type Command-Shift-4, Space, and click on the text editor window, creating many screenshots saved to the desktop.

Select all of these new screenshots on the desktop, and drag them to the Preview window as shown below so that you tell Preview to add the images to the sequence you began (as opposed to simply opening more files, which it will do if you drag too low on the sidebar).

You’ve got it now. Continue with more frames, and save your GIF. Drag the GIF image to Safari or other animated GIF-enabled viewer, and enjoy. Unfortunately I haven’t found a way to loop the animation in Preview.

#!/bin/sh
dns-sd -P "Home iTunes" _daap._tcp local 3689 localhost 127.0.0.1 "Arbitrary text record" &
PID=$!
ssh -C -N -L 3689:localhost:3689 myusername@blahblahblah.dyndns.org
kill $PID

Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD) Test Tool

We need to trick iTunes into thinking our home computer is on our local network, because if you’re sitting in Starbucks, then your home computer is not on your local network (and if it is, then you need to address your caffeine addiction). For that we use a tool quietly sitting at /usr/bin/dns-sd that provides a command line interface to the DNS-SD libraries which is normally accessible to programmers via /usr/include/dns_sd.h. Like all good libraries, it helps to have a command line reference tool for scripters, and dns-sd works great for us.

iTunes uses Multicast DNS (mDNS) and DNS Service Discovery (DNS-SD) to announce its presence and to look for other iTunes instances. Apple calls this technology Bonjour (formerly Rendezvous), but it is also known as Zero Configuration Networking (www.zeroconf.org).

The dns-sd man page only gives a few of the many options available. Typing dns-sd at the command line shows you more options but without much explanation.

$ dns-sd
dns-sd -E                  (Enumerate recommended registration domains)
dns-sd -F                      (Enumerate recommended browsing domains)
dns-sd -B        <Type> <Domain>        (Browse for services instances)
dns-sd -L <Name> <Type> <Domain>           (Look up a service instance)
dns-sd -R <Name> <Type> <Domain> <Port> [<TXT>...] (Register a service)
dns-sd -P <Name> <Type> <Domain> <Port> <Host> <IP> [<TXT>...]  (Proxy)
dns-sd -Z        <Type> <Domain>   (Output results in Zone File format)
dns-sd -Q <FQDN> <rrtype> <rrclass> (Generic query for any record type)
dns-sd -C <FQDN> <rrtype> <rrclass>   (Query; reconfirming each result)
dns-sd -X udp/tcp/udptcp <IntPort> <ExtPort> <TTL>   (NAT Port Mapping)
dns-sd -G v4/v6/v4v6 <Hostname>  (Get address information for hostname)
dns-sd -V    (Get version of currently running daemon / system service)
dns-sd -A                      (Test Adding/Updating/Deleting a record)
dns-sd -U                                  (Test updating a TXT record)
dns-sd -N                             (Test adding a large NULL record)
dns-sd -T                            (Test creating a large TXT record)
dns-sd -M      (Test creating a registration with multiple TXT records)
dns-sd -I   (Test registering and then immediately updating TXT record)
dns-sd -S                 (Test multiple operations on a shared socket)

We’ll use the Proxy option -P to indicate that the service we’re advertising will be rerouted, in our case through an SSH tunnel.

dns-sd -P <Name> <Type> <Domain> <Port> <Host> <IP> [<TXT>...]  (Proxy)

Looking at the relevant line in our script we see how we match up the fields.

dns-sd -P "Home iTunes" _daap._tcp local 3689 localhost 127.0.0.1 "Arbitrary text record" &
  PID=$!

The Name parameter will show up in iTunes as the name of the iTunes library we’re sharing. It doesn’t have to be the actual name of the library, so we’ll just use Home iTunes as a convenient placeholder.

Port 3689 is the port used by iTunes for sharing music.

The “Arbitrary text record” is just that—an arbitrary chunk of text that’s required for dns-sd to properly process the command.

The next line of our command, PID=$! saves the process id of the command we just executed into a variable $PID which we’ll need in order to neatly shutdown the proxy when our SSH tunnel closes.

The SSH Tunnel

We use SSH to connect to our home machine and forward connections from our remote machine’s port 3689 (in Starbucks) to our home machine’s port 3689, where you left iTunes up and running before you left this morning (right?).

ssh -C -N -L 3689:localhost:3689 myusername@blahblahblah.dyndns.org

The -C option turns on compression, which may not do much good for streaming MP3’s but a) it doesn’t hurt, and processors are much, much faster than your bandwidth, and b) don’t forget that you’ll be receiving a description of your home iTunes library, which is probably a rather sizable XML file.

The -N option says we’re not executing an SSH command but rather just sitting here port forwarding until the connection is broken (like when you leave Starbucks).

The -L “listen” option is covered extensively in tutorials all over the Internet, but in short it says, “listen for local connections to port 3689 and forward them to the other end and try connecting to localhost on its port 3689.”

The myusername@blahblahblah.dyndns.org portion will be dependent on how you connect to your home computer over SSH. Again, that’s covered in detail all over the Internet. If you’re remote computer is secured, you might consider using SSH keys to allow automatic login. Then you can put this script in ~/Library/Scripts and launch it from the global scripts menu, if you have that activated.

Cleanup

When the SSH connection eventually closes, such as when you close your laptop or disconnect from the network, the ssh command will exit, and kill $PID will run which closes down the dns-sd proxy, so you won’t see it in iTunes anymore.

Packaging

I find it helpful to put this script in ~/Library/Scripts so that I can execute from my global Scripts menu in my menubar, but it’s up to you how you want to launch it. Good luck.

At some point Apple introduced QTKit, a new and oh-so-welcome abstraction bringing QuickTime programming into the 21st century. Nothing against die-hard ANSI C programming, but it fits awkwardly into what are otherwise clean Objective-C Cocoa programs.

Rather than provide a detailed tutorial about using QTKit (sorry if you wanted one), I’ll just point you to the ImageSnap code so you can take a look at a few useful things like starting a QTCaptureSession, capturing output with QTCaptureDecompressedVideoOutput, and saving an NSImage to disk.

rm -rf /Users/rob/Library/Preferences/Macromedia/Flash\ Player/\#SharedObjects
rm -rf /Users/rob/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys

There are many ways to do this of course: launchd, cron, at, etc, but I thought it would be most elegant to tie into the Mac’s periodic maintenance scripts, and what a time I had debugging why I couldn’t get it to work.

The script at /etc/periodic/daily/999.local is supposed to execute all scripts residing in the $daily_local variable (set in /etc/defaults/periodic.conf) which is /etc/daily.local by default, but it doesn’t, and I had to change a line in 999.local from this:

for script in $daily_local

to this:

for script in $daily_local/*

Script junkies can see that the original for loop will iterate over exactly one item: the string /etc/daily.local.

With the change, I created a directory at /etc/daily.local and put a simple script in it.

$ sudo mkdir /etc/daily.local
$ sudo vi /etc/daily.local/delete_flash_cookies.sh
$ sudo chmod +x /etc/daily.local/delete_flash_cookies.sh

The script looks like this:

#!/bin/sh
echo ""
echo "Local Script: Removing Flash Cookies:"
rm -rf /Users/rob/Library/Preferences/Macromedia/Flash\ Player/\#SharedObjects
rm -rf /Users/rob/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys

Summary

Edit /etc/periodic/daily/999.local (and similar scripts for weekly and monthly) to read around line 19:

for script in $daily_local/*

Create a directory at /etc/daily.local.

Add executable scripts to the /etc/daily.local directory.

Enjoy.

Two factor authentication can increase your security by requiring more than just your password (one factor) to log in. I like using Perfect Paper Passwords from Gibson Research Corporation (GRC.com). With this system after entering my username and password (even a wrong password) in an SSH session, I am then prompted for a four-digit passcode that I’ve previously printed out and stashed in my wallet. Each code is only used one time, and protects me even if someone manages to get my password. In the case where attackers are guessing my password, they cannot tell if the password or passcode was guessed incorrectly.

Sample PPP passcard (courtesy grc.com)

There’s only a little bit of trickery involved to compile it for Mac OS X 10.6 Snow Leopard, and if you had it working before in Leopard, you’ll need to recompile the PAM module (I know, it’s like “ATM machine”) for 64-bit mode.

How Perfect Paper Passwords (PPP) Works

The principle behind PPP (https://www.grc.com/ppp) is simple:

1. Pre-arrange for a list of random passcodes.
2. When a user authenticates, ask for the next passcode on the list.
3. If correct, grant access.
4. Remember where on the list of passcodes we left off.

The beauty of this system is that even if someone has your password, they cannot gain access to your system unless they a) also have your one-time passcode list or b) happen to guess the one of 17 million passcodes that is next on the list. You could log in to your computer with a full keyboard logger from the most evil hacking organization you imagine, and they still would not be able to log in without your passcode list (guard your wallet!).

I use PPP in my SSH subsystem, so that this two-factor authentication is enforced on the only service I expose to the Internet. PPP plugs into SSH using the Pluggable Authentication Module (PAM) system.

The PPP Pluggable Authentication Module (PAM) on Google Code

The PAM system (PAM article on Wikipedia) does what its name suggests: it allows new authentication systems to be plugged in to a service. In this case we’ll use the ppp-pam project on Google Code, an open source implementation of the PPP system developed by GRC.

The documentation for the project exists mostly in the form of comments made on the author’s original “Building” page. Two comments of interest here are these two recommended patches:

1. Don’t move to the next passcode until the proper one is entered.
2. Echo the passcodes as they are typed.

The first patch avoids a denial of service attack. Imagine an attacker repeatedly attempting a log in and having the passcode pointer move on each failed attempt. After some number of failed attempts, the attacker will have moved the pointer past the end of the passcode list you printed for your wallet! This patch also changes the nature of how an opponent would use a brute force attack, but brute force is still the opponent’s best attack strategy (we like that).

The second patch is a usability improvement. Since the passcodes are only used once, there’s no harm in echoing the character back to the screen, and it makes it easier to type in the obscure passcodes.

You’re welcome to leave out either of these patches.

Compiling for Snow Leopard

We’ll walk through the steps to get this set up for your Mac. The instructions are nearly identical for all other platforms. At the end of this post is a link to a shell script that performs all these steps for you.

Download

Download the source code from http://code.google.com/p/ppp-pam/. The latest version at the time of this writing is ppp-pam-0.2.tar.gz. Decompress in a convenient location and change to that directory:

rob@mbp:~/Downloads $curl http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz | tar xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  597k  100  597k    0     0   443k      0  0:00:01  0:00:01 --:--:--  565k
rob@mbp:~/Downloads $cd ppp-pam
rob@mbp:~/Downloads/ppp-pam $

Patch Source Files

To include the patch that stops the passcode pointer from moving after failed login attempts, copy the following code and paste it in the Terminal (while in the ppp-pam directory):

patch -e ppp/ppp.c <<EOF
343,344c
        incrCurrPasscodeNum();
    }
.
341c
    if (strcmp(getPasscode(currPasscodeNum()), attempt) == 0){
.
EOF

This will patch the first file. To patch the second file, fixing both the missing header file problem and the echo preference, copy and paste the following into the Terminal:

patch -e ppp/pam_ppp.c <<EOF
90c
    message.msg_style = PAM_PROMPT_ECHO_ON;
.
47c
    #include "/Developer/SDKs/MacOSX10.5.sdk/usr/include/pam/_pam_macros.h"
.
EOF

You might want to check that you do in fact have that file:

$ locate _pam_macros.h
/Developer/SDKs/MacOSX10.4u.sdk/usr/include/pam/_pam_macros.h
/Developer/SDKs/MacOSX10.5.sdk/usr/include/pam/_pam_macros.h

Configure and Make

Now move into the build directory and run ../configure && make (we’ll combine to save time and space here):

rob@mbp:~/Downloads/ppp-pam $cd build
rob@mbp:~/Downloads/ppp-pam/build $../configure && make
checking for a BSD-compatible install... /opt/local/bin/ginstall -c
checking whether build environment is sane...
...and so forth

Install

If you get no errors, you can run sudo make install:

rob@mbp:~/Downloads/ppp-pam/build $sudo make install
Password:
/bin/sh ../mkinstalldirs /usr/bin
  /bin/sh ./libtool --mode=install /opt/local/bin/ginstall -c pppauth /usr/bin/pppauth
/opt/local/bin/ginstall -c pppauth /usr/bin/pppauth
cp pam_ppp.so /usr/lib/pam/pam_ppp.so
make[1]: Nothing to be done for `install-data-am'.
rob@mbp:~/Downloads/ppp-pam/build $

Generate Cards

Next we have to generate the pre-arranged passcode codes that our system will use. Will create a private key first, and then we’ll print out the first card to include in our wallet. The information is saved in the ~/.pppauth/> directory.

rob@mbp:~/Downloads/ppp-pam/build $pppauth --key

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  A new sequence key has been generated and saved.  It is
  HIGHLY RECOMMENDED that you IMMEDIATELY print new pass-
  cards in order to access your account in the future.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

rob@mbp:~/Downloads/ppp-pam/build $pppauth --text --card 1
MBP.local                          [1]
      A    B    C    D    E    F    G
 1: 7oCA R4%W dxy5 aMNK r:pb Kcg9 Z%fh
 2: yFbs @2NZ @iUv UY:o eiRL Ea29 xMfc
 3: =CUS roUa x@Hf Fmg8 h2NT DF6o RXwS
 4: hHKx t3ia Tj3r +Jfz ?xwc usks zJjY
 5: 6GpN rFgx y3f5 kZoD XYGH v!yD 7Kx2
 6: d#y4 RVRi R66W !js6 6Wah qGSR D8TT
 7: zorX NuzH 3Wfq B@nk wm3v pgGS 2zfm
 8: ZFir ZpuJ d35S #9@G Wazd m#32 F#7s
 9: S@JM K%mt xJ3p NxD= S6By wWie e9:t
10: JEz: SKk? BBHb D!t! XyhK ZbJ# %jB3

rob@mbp:~/Downloads/ppp-pam/build $

# sshd: auth account password session
auth       optional       pam_krb5.so
auth       optional       pam_mount.so
auth       sufficient     pam_serialnumber.so serverinstall legacy
auth       required       pam_opendirectory.so
auth       required       pam_ppp.so
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so

ChallengeResponseAuthentication yes
...
UsePAM yes

rob@mbp:~/Downloads/ppp-pam/build $chmod 700 ~/.pppauth
rob@mbp:~/Downloads/ppp-pam/build $chmod 600 ~/.pppauth/*

# sudo: auth account password session
auth       required       pam_opendirectory.so
auth       required       pam_ppp.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

chkpasswd
cups
ftpd
login
login.term
other
passwd
samba
screensaver
sshd
su
sudo

In order to access a serial port in Java, you need the RXTX libraries compiled for your specific hardware. Java uses the Java Native Interface (JNI) to bridge between your platform-independent application code and the hardware-specific serial port drivers.

If you’ve tried this on an Intel Mac (perhaps to play with a Sun SPOT), you may be disappointed, since software keeps shipping from people that is either PowerPC only or isn’t compiled for 64-bit Intel. You’ve probably seen the UnsatisfiedLinkError message. Here you’ll find a librxtxSerial.jnilib file with support for both 32- and 64-bit PPC and Intel architectures, fitting the bill perfectly for both Java 5 and Java 6 on the Mac.

$ file librxtxSerial.jnilib
librxtxSerial.jnilib: Mach-O universal binary with 4 architectures
librxtxSerial.jnilib (for architecture x86_64):	Mach-O 64-bit bundle x86_64
librxtxSerial.jnilib (for architecture i386):	Mach-O bundle i386
librxtxSerial.jnilib (for architecture ppc7400): Mach-O bundle ppc
librxtxSerial.jnilib (for architecture ppc64):	Mach-O 64-bit bundle ppc64

The Need for the RXTX Library

Java’s “write once, run many” theory of operation works because the Java Virtual Machine (JVM), which must be made for each platform, abstracts away the underlying hardware. As a programmer you can draw circles, label buttons, and even play multimedia without specific knowledge of the host operating system.

A computer’s serial ports can be abstracted away in the same way, but the standard JVM does not provide a mechanism for this. Sun decided (reasonably, though regrettably, I think) that the serial port would not be a required component for a JVM, and so there are no built-in classes for working with serial ports.

Sun experimented, for a period of time, with a Java Communications API that would be a sort of plugin for working with things like serial ports (and parallel ports!), but the project and its javax.comm package died.

Thanks to the team at RXTX.org, we now have a gnu.io package modeled after Sun’s javax.comm package that is maintained and works. Thanks!

Why Doesn’t It Work for You?

If you’re reading this, it might be because you can’t get it to work on your Mac. Probably you have an Intel Mac and are using Java 6 or later which requires a 64-bit Intel processor. Perhaps you’ve seen error messages that say thinks like UnsatisfiedLinkError and so forth.

Software talking to the serial port must communicate with the host operating system, and so the underlying native library must be compiled per-platform. Presumably your librxtxSerial.jnilib file is not compiled for your platform. Here’s how to find out. Open the Terminal, navigate to the folder with a librxtxSerial.jnilib file, and use the file command. You’ll probably see this:

$ cd /Users/rob/SunSPOT/sdk/lib
$ file librxtxSerial.jnilib
librxtxSerial.jnilib: Mach-O universal binary with 2 architectures
librxtxSerial.jnilib (for architecture i386):	Mach-O bundle i386
librxtxSerial.jnilib (for architecture ppc7400): Mach-O bundle ppc

If you’re running Java 5 (which comes in 32- and 64-bit flavors on the Mac) you’re OK, but if you’re running Java 6, which is 64-bit Intel only, it won’t work.

A Library with the Right Architectures

No problem; all you have to do is re-compile RXTX from sources for your platform, right? I wish. I can’t even remember all the contortions I went through before I finally got it compiled.

You’re welcome to follow the various instructions online for compiling it yourself, but it gave me a lot of grief, so I’m placing a copy on this site (if you trust me not to insert nefarious code). I finally had to patch SerialImpl.c and SerialImpl.h (manually) based on the patch instructions here and blog posting here.

At the end of the day, we have a librxtxSerial.jnilib file that has 32- and 64-bit PPC and Intel architectures.

Find all instances of librxtxSerial.jnilib on your Mac and replace them with the one you downloaded from here (or compiled yourself). Try the command locate librxtxSerial.jnilib in the Terminal to find extra copies hidden in various Java applications.