1. You’ve Been Warned

    Did you know that by simply signing into most web services like Facebook, Google+, iCloud, etc., they have access to your cleartext password each time your login?  Sure, your password is sent over SSL so only you and the service (and perhaps the NSA and your employer) would know what it is.  I assumed that most services were using some form of Challenge-Response based on the browser encrypting some data with the user’s password (perhaps in javascript) before sending it to the service.  Poking around on the web form of Facebook and other services, it *looked* like the unencrypted password is posted in form data just like any other data.  However, I wasn’t sure.  So I did what anyone else would do and grabbed HTTPFox Firefox add-on that lets you see the traffic sent over SSL, then headed over to some common sites.  I logged into each using the password “xyzzy” and you can see the services I checked all posted the unencrypted data:



    AWS Web console










    Even though the data is sent over an encrypted channel via SSL, it still seemed to me a bad idea to send the cleartext password to the service unless the user is creating an account or changing their password. I am not the first one to notice this.  My major concern is two fold:

    1. Most people have 4 or 5 passwords that they use for most services, and if the first one fails, they try the others.  This gives the services you are authenticating to a trail of all the common passwords you use. You may trust the larger sites, but what about for services that you are not that familiar with?  Just giving them your “standard” password may be risky, but giving them all of your previous and common passwords seems like a bad idea. It is also possible that those services log each of your password attempts and may even capture the data to a database.

    2.   In some corporate environments, users are forced to use HTTPS proxies.  This means that data is only sent in an encrypted channel between the proxy and the service, and IT would be able to see your cleartext password if you used one of these services.

    It looks like the solution would be to use something like SJCL , jCryption or NoSSL.  It seems that for compatibility-sake, this is common practice.  

    This does highlight using OAuth with smaller web services.  If you already trust Facebook or Gmail with your password(s), and you use OAuth to log into these smaller sites, your password is never shared with those services.  Your OAuth provider would still require authentication on their web form and would have access to any password you type in the login form, but at least you would not be sharing that information with unknown services. Recently, I have stopped using OAuth from Twitter or Facebook due to a service that required the ability to post to those services on my behalf as well as posted ads to that service without asking me first.

    The bottom line: this password situation is not so great.  Users need to figure out who to trust,even though that keeps getting more and more difficult. Also know, the should be basic fact that your trusted service might not really be about authentication but about social and sharing.

    NOTE: Updated with copy edits for grammar on 14 April 2014.

  2. A New Era of Proximity in Mobility

    Macworld 2014 in San Francisco was nothing short of a great time and the interest in beacon-related technology was inspiring. While there were a few people that stopped by our Twocanoes booth that had not heard of iBeacons before the conference, most attendees already established ideas about how iBeacons could be used. They were excited to discuss these ideas as well as the scavenger hunt and the check-in process, as this was the first year Macworld used beacon-enabled registration.   

    Everyone we talked to had received their pre-registration Passbook pass and had used it to check-in to the conference.  Those who did not have Bluetooth turned on were still eager to use their iPhone to get through the registration process. Macworld attendees we spoke to thought it was an intuitive process that streamlined the normal check-in dance and we couldn’t agree more. We expect to see iPhones and iBeacons used in a wide range of conferences in the future with various functions. These functions will improve the attendee experience and can range from finding areas on the show floor, check-in at sessions, communication with attendees during the show, and sharing of contact information.

    With all of the iBeacon buzz at Macworld I was still able to take the short trip across the venue to present at the MacIT conference breakout session. The topic being “iBeacons and Proximity in Your Organization (you can view my slides here). MacIT runs in parallel to Macworld/iWorld but is more directed at large institution and system administrators. About 100 people showed up to talk about iBeacons and iBeacon-technology. The interest in using beacons ranged from home automation to campus tours and museums. I heard stories from people who were using both iOS Geohopper and Mac Geohopper in interesting and creative ways. The general consensus from the session was that iBeacons represent a new era of proximity in mobility and great possibilities. There were some great discussions on privacy, security and best practices for deployment. I get the sense that we are moving from the assessment phase of this modern technology to a new phase where people are starting to build solutions on top of proximity and iBeacons. It has been very interesting to see this transition take place and I am anxious to see what comes next.

    Also, during the events, I was able to talk with some great podcasters on the show floor (see list below). I love the fact that this isn’t an area that they are just looking at, but actively integrating into their lives. We have already seen the use of Geohopper and Bleu Stations on our discussion forums and support questions. It was great to connect with these folks.

    Macworld 2014 was one of the first beacon-enabled events and we were happy to help make history! The process was fun and seamless. I am looking forward to Macworld 2015 as well as many other conferences in the coming year. I have no doubt that in a year’s time we will all look back and be amazed at how beacons have become part of every conference and a majority of apps.

    If the buzz around iBeacons during the Macworld and MacIT events are any indication of the future, the future looks bright for Bleu Station. 

    Podcasts at MacWorld/MacIT
    MacCast with Adam Christianson
    NosillaCast/Mac Podcast with Allison Sheridan
    Mac OS Ken with Ken Ray

  3. Notes from the floor of Macworld/iWorld 2014

    We had a great time at Macworld/iWorld 2014 and had a good time talking about iBeacons.  There was tons of interest in iBeacons and in the scavenger hunt, and we had a lot of good discussions.  We should have brought out Bleu Stations to sell, as people really wanted to jump into the technology and start using it.

    I wanted to share some of the interesting sights at the show.  There was some really cool booths and some really cool technology, and I took some photos on the show floor that I wanted to share.

    Double Robotics

    I saw these on The Good Wife, but had no idea that they were available for sale.  Interesting use of tech in real life but I suspect it would take a bit of getting use to in our office.


    Very cool looking iPad charger cabinet.


    Henge Docks

    The booth for Henge Docks was covered with wood planks.  Gave a very unique look.


    I had to buy this one since it was such a unique spin on a iPhone case.  Like a swiss army knife without the knife but with stuff like pens, screwdriver, and tweezers.

    Scavenger Hunt

    The scavenger hunt signs looked great!

    We had a constant flow of folks and lots of good discussions about Bleu Station beacons, Geohopper, and all of our proximity solutions.

    Had a great show and looking forward to next year!

  4. Enabling Macworld/iWorld with iBeacons

    We were asked by IDG World Expo to help showcase iBeacons at the Macworld/iWorld 2014 expo that is going on this week in San Francisco. We make small USB powered beacons called Bleu Stations and have been involved in proximity on iOS for the last couple of years supporting geofencing and iBeacon technology with our apps on iOS and the Mac. We were excited to see what we could do with iBeacons at the show. We focused on using iBeacons in a way that was both exciting and appropriate for the event.  We settled on check-in to speed up people getting their badges and a game to help people investigate the show floor and highlight how beacons can help explore large environments.

    Check-in process

    One of the key areas was to Beacon-enable the check-in process.  Macworld/iWorld has tens of thousands of participants that check in over a very short period of time, and making that process smooth is critical to a successful event. In preparation for this event, all the people that registered for the conference were sent out a customized link to a Beacon-enabled Passbook pass. The pass contains information on the event and barcode that is specific to their show badge.  We installed our Bleu Station beacons in the pre-registration area and set them up to match the settings on the Passbook pass. When a person walks in the front entrance for Moscone North, the pass is automatically shown on the lock screen of their iPhone (assuming they have an iPhone—it is Macworld after all—and have bluetooth turned on).  A quick swipe on the phone and a barcode scan at the pre-registration station and you have your badge.  The check-in process took me 45 seconds to get through registration.  It was fast and painless.

    The range on the beacons was surprising far. In these large open areas, Bluetooth signals travel a long way.  Our Bleu Stations have a range of about 150 feet and we had to reduce the power on them to make sure the coverage was just in the main check-in.  As more people arrive, this might need to be adjusted since high density of people can lower the signal range. I used our Bleu Setup app to reduce the power to adequately cover the registration areas.

    Scavenger Hunt

    We also wanted do something fun and engaging on the show floor.  Working with Tom Benson of PassJoy and IDG, we came up with the idea of a Mac-themed scavenger hunt. Since it is the 30th Anniversary to the Mac, we decided to celebrate it with signage that shows all the different Mac case types over the last 30 years, and spread the signs out throughout Moscone and base the scavenger hunt on those signs. We collected Mac case information and photos from Wikipedia, and IDG made some amazing displays that really celebrate the Mac. We created 63 different passes, one for each case type of the Mac. The passes were created on PassMarket from iMobile3 using their pass creation web interface.  PassMarket also has a full web API to create passes, but we stuck with the web interface for this event. (Note: we are a PassMarket partner that helps beacon-enable their loyalty program).

    It was fun to remember all the different case types and play the “what was I doing when I had that Mac” game. I also had some interesting discussions on Twitter on correct identification and name of Macs over the years.  I got so excited about it, I made a video of the Mac cases (completely unrelated to the scavenger hunt, but I couldn’t help myself).

    For the scavenger hunt, we selected one Mac case type per sign (there are four signs) to be the “winning” Macs. Each sign is iBeacon-enabled and has about 16 Mac case types shown on the sign.  The participants start out by scanning in a beacon-enabled Welcome pass that explains the rules of the game.  The pass is downloaded from PassMarket’s web service and installed in the person’s Passbook on iOS 7. We decide to use Passbook passes since passes are beacon-enabled and don’t require installing an app. The front of the pass gives them a clue to the location of the first sign.   Passes in passbook also have a feature to specify a message that can be displayed when in range of a specific iBeacon.  When the participant finds the first sign, a hint message is triggered by the nearby beacon and shown on the lock screen. For example, a hint might be “A Geometrically Named Mac” (meaning the Mac Cube), and the person would scan in the barcode for the PowerMac G4 Cube on the sign.  Note: We didn’t use that hint, so it isn’t a spoiler!  

    The participants repeat this process for 4 signs, collect four passes that have “stars” on them, and then go to the Macworld LIVE check-in desk for the prizes.

    A couple of key areas are important in this game and the way it uses iBeacons.  The game can’t be completed prior to arrival, since the first pass only has a clue to the first sign, and that first sign is only available once the player is on the show floor. Aside from preventing spoilers, it highlights that iBeacons should be used as a reference, and not something that protects a private resource. iBeacon should be used in tandem with other ways to verify the person’s location and access. iBeacons are not a form of security, but a way to improve and further engage a user. We wanted to highlight that type of interaction.  

    Someone playing the game could scan in all the passes to find the winning passes, but that would still accomplish the goal of the scavenger hunt of going through the show floor and engaging with the 30 Years of the Mac. Using iBeacons makes it more fun and engaging since people have to know some Mac trivia to proceed quickly.

    Also, passes can be shared from Passbook, but since each pass has a unique code each time it is added to passbook, a shared pass is only valid of the first person that uses it. PassMarket has a quick and easy to redeem passes since it is key to their loyalty program.

    Tuning to the environment for the game

    Since Moscone is a large venue with thousands of people attending Macoworld/iWorld, we had to tune our beacons to the environment.  Even though the beacon-enabled signs are pretty far apart, we didn’t want any overlap between the beacon signals causing confusion and displaying multiple passes on the lock screen.  We walked through the game areas and tweaked the power settings and placement to avoid this.  

    Visit us

    Macworld/iWorld 2014 starts tomorrow and we are excited to see how folks react to using iBeacons in both the check-in and the scavenger hunt. Tweet with the hashtag #MacworldExpo2014 as you experience the game, and visit us at booth 1209 on the show floor if you have any questions or just want to chat about iBeacons.

  5. 30th History of the Mac Video

    Over the past couple of weeks, we have been busy beacon-enabling Macworld/iWorld 2014 and creating a scavenger hunt for the show to demonstrate iBeacon technology.  The scavenger hunt goal is to identify specific Mac models based on hints that only appear when you are near one of our Bleu Station beacons.  

    To make it more fun and to celebrate the 30 years of the Mac, we created some displays that show all the different case types through the 30 year history.  We had a great time assembling the photographs and descriptions, and had some great discussions (arguments?) over such important topics such as “Is an Xserve a Mac?” and “Should the Macintosh XL come before or after the first Mac?”  If you follow me on twitter, you may have seen (or been part) of this discussion.

    Once we collected all this data for the game and for the signs, I played around with it a bit.  I thought it would be fun to put it into timeline format using the awesome app Timeline 3D.  I asked my brother to do the audio (he is a sound engineer for TV, video games and film), and I think we came up with something pretty neat.  Check it out and leave a comment or share a Mac story.  I think of something new every time I watch it.


  6. Bootcamp on the “New” Mac Pro

    We got our hands on a new Mac Pro to make sure that Winclone and Bootcamp all work as expected.  We ordered it the day it was released, but didn’t receive it until 2 months later.  We didn’t have any reports of issues with the new Mac Pro, but we were still interested in seeing how it all worked.

    On unpacking the Mac Pro, it has a standard EFI partition table:


    And no MBR:


    So no surprised there.  Time to crank up Book Camp Assistant:


    No surprises there.  Onwards to the next screen.


    Only Windows 8 or later!  That is new and interesting!  


    Time to partition:



    OK, that was easy.  Now let’s see what the partition table looksimage

    Next we installed Windows, and it set it up to boot with EFI (consistent with the behavior of new Macs).  Next we cranked up Winclone 4.4 and restored an image:


    Reboot, and it worked great.

    So no big surprises except for the Windows 8 and later requirement.  

  7. iBeacon enabling a native app

    One of the cool ways that you can use iBeacons is to incorporate them into your native app so that a customer is engaged from the moment they enter your store.  To demonstrate this, we created a sample app, released some sample code, created a tutorial, and even uploaded a video!  Check them out at:

    Video: https://vimeo.com/85952650

    Tutorial: http://twocanoes.com/bleu-station/support/native-app-beacon-demo

    Source Code: https://github.com/twocanoes/ProximityDemos

  8. My favorite Winclone support email

    I received this email from a customer years ago, and refer to it often.  I wish I was this clever.
    From: <redacted>
    Date: November 1, 2007 9:14:28 AM PDT
    Subject: Winclone killed my hamster.
    I was in the middle of using Winclone on my Mac Pro last night when I discovered my hamster Bob had passed on. Checked out. Departed. Was no more. Running on that great wheel in the sky.
    Prior to downloading and starting Winclone he was perfectly fine and even well underway constructing a new aspen-shavings house in the northwest cage for weekends and holidays.
    Now that I think about it maybe it was actually a mausoleum.
    Maybe you should rename it “Murderinghamstersforfreeclone” (misleading since it won’t actually clone a dead hamster).
    Otherwise it worked perfectly, thank you.
    I’d attach instructions for donation to Bobs Memorial Fund but as Winclone is free you probably can’t afford it anyway.
  9. Creating a Beacon Enabled Passbook Pass on iOS with Bleu Setup

    Bleu Setup is the configuration app for Bleu Station, the iBeacon compatible Bluetooth hardware from Twocanoes Software. This video shows how to use Bleu Setup to create a Beacon Enabled pass for passbook that can be shared with others. When someone with a iBeacon enabled pass gets in range of your Bleu Station, the pass will automatically be displayed on the lock screen. Bleu Setup also has the ability to read bar codes that have been encoded into a pass with Bleu Setup.

    Check out the video here.

  10. EFI and Windows on Option Boot Screen

    Have you ever noticed that sometimes when you hold down the option key when booting up your Mac, you’ll see both a “EFI” and a “Windows” volume listed?  Why do both show up?  Which is the correct one to select?

    Turns out that the first question is easier to answer than the second.  If there is a Windows boot folder on the EFI partition (usually /dev/disk0s1), you’ll see an EFI boot option.  If there is a master boot record partition map and a flagged partition, you’ll see the “Windows” option to boot via the MBR method.  If you have a new Mac with the latest firmware, it won’t show EFI but will show “Windows” since these new Macs can boot Windows in native EFI boot.

    This helps to answer the “which one to select” question.  If you have the latest MacBook Air, MacBook Pro, or iMac, and you are booting off the install drive to install Windows, you will see both a EFI and Windows option.  If you select EFI, Windows will boot into EFI mode and set the machine to EFI boot.  This results in faster boot times and more flexibility (like external drive booting and windows on multiple partitions).  If you don’t have a latest Mac, select the “Windows” option and windows will install in the more compatible MBR mode.

Google Analytics Alternative