Hear Me Now

June 7th, 2012

I’ve done my fair share of podcasting appearances, and even run my own show with my friend Manton Reece. But lately things have been stepping up a bit.

A couple weeks ago I traveled from Boston to New York to take part in a panel presentation with my friends Buzz Andersen, Amanda Wixted, and Marco Arment. The show was organized by Larry Legend as part of the recurring New York iOS Developer Meetup.

Today, Larry announced the video and audio are both available for that discussion. There are a couple technical glitches in the recording, but it’s still worth a listen or watch if you’re interested in iOS development.

I am also very excited to announce a new episode of Core Intuition, marking the start of our decision to accept sponsorship for the show. We were extremely lucky to have Marco Arment’s Instapaper as our debut sponsor. It feels great having a motivation to record more frequently, and to start things off with a sponsor who is both a friend and himself a great developer.

Keychain Password Search

June 6th, 2012

By now you have probably heard about the extremely embarrassing LinkedIn password breach. If you have a LinkedIn account (or possibly, if you have ever had one), there is a good chance that your password, in a weakly encrypted format, is in the hands of a hacker in Russia. He published as proof a massive, 6-million password file that is now widely available on the internet. There’s even a service that guides you through the process of searching for your password in the file (link courtesy John Moltz).

I did what you did, or should have done: raced to LinkedIn and changed the password. But that doesn’t protect me from the real danger. LinkedIn isn’t anywhere near the most important site in the huge list of services I use or have used. What if I committed the foolish move of using the same password on LinkedIn as I did on another, more important site? Now a hacker with possession of my username and password for LinkedIn can make some very good guesses about my username and password on other sites.

Fortunately, I don’t tend to use the same password twice. But an event like this leaves me very curious to confirm that. I store all my internet passwords in Apple’s Keychain, which does a good job of keeping them from prying eyes. A little too good of a job, as it turns out. There’s no straightforward way to ask Keychain Access on the Mac to find all the services that you used a specific password with. So if my LinkedIn password was “bugaboo,” to find out which other services I might have used that password for, I have to open each password item in the keychain and authorize Keychain Access to show me the password. 2,000 times, in my case.

This is a situation that screams for scripting. Surely I could come up with something, using the security command-line tool or AppleScript, to go trawling through my keychain looking for suspect items? I happen to have written an AppleScript helper called Usable Keychain Scripting, that makes a script like the following very easy to write:

tell app "Usable Keychain Scripting"
	get internet passwords of keychain 1 ¬
		where password is "bugaboo"
end tell

Unfortunately, what you get when you run a script like this is an alert like the one below for every keychain item being searched. Like I said, for me that’s more than 2,000 items:

[Screenshot: SecurityAgent dialog asking whether to allow access to a keychain item]

The problem here is that permission to access keychain items is managed on a granular level. It’s possible to tell the security system to allow a particular app to always access a particular item, but you can’t tell it to always allow that app to access the entire keychain. There are obvious security reasons for this, but I do think there should be a way to enable this for folks like myself who really want to take control over their secure data and examine it programmatically.

Fortunately, I do not give up easily. I could have clicked that Allow button 2,000 times, but then I wouldn’t have had the time to write this blog post. Instead, I delved into another avenue of scripting that takes advantage of Mac OS X’s accessibility infrastructure. Using GUI Scripting commands, the clicking of specific buttons can be automated. In this case, I came up with a script that runs in a loop, waiting for there to be a security window with a button called “Allow” in it, and indiscriminately clicking it. Obviously, this is very dangerous! I’m going to run this script only during a precise window of time where I know that the only security dialogs coming up should be ones that are provoked by my Usable Keychain Scripting script.

This trick worked. After 20 minutes or so of chugging through my keychain and automatically approving the accesses, the result came back. To my relief: the password was only used for LinkedIn.

You can use this trick, too. Just be careful. As I said above, the idea of an automated script that blindly approves security warnings is not for the faint of heart. It should go without saying that if you screw anything up in your keychain, it is unequivocally not my fault. Do not use these tools if you don’t understand how they work.

  • Usable Keychain Scripting is my scripting extension, that expands AppleScript’s ability to efficiently query the keychain for information.
  • PasswordSearcher is an AppleScript that asks the keychain for all the internet password items that match the given password, and displays the account names so you know which ones to look for.
  • DangerousAllowClicker is the bad boy that just runs in circles until you cancel it, approving security clearances.

Click here to download the tools archive.

To use these:

  1. Launch Usable Keychain Scripting, so it will be available to the scripts. You won’t see anything, it is a background-only app.
  2. Open PasswordSearcher, change the password string to match the one you want to search, and run it. You should immediately see one of those security approval dialogs appear. Don’t bother clicking it.
  3. Now open up DangerousAllowClicker and run it. You should see the security panel disappear, and successive panels disappear in turn.

Go get a coffee or something because this could take a while, and your computer is less fun to use with security clearances popping up constantly. When you get back, you should see a result. Hopefully your news will be as good as mine, and only LinkedIn will appear in the list. If for some reason you get tired of waiting, or nervous about the technique, you will need to kill the Usable Keychain Scripting application to interrupt its attempt to fulfill the scripting request:

% killall Usable\ Keychain\ Scripting

As I said, this technique is only suitable for the very technically adept, but I am glad to share it because I think some of you will find it useful for other purposes as well. You could theoretically use this trick to automate dumping your password information so as to import it into another management tool such as 1Password. A tool that, as it happens, does allow you to search all your items for a specific password.
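A different route to the same answer, as an added example that is not one of the post’s tools: the search can be run over a text dump produced by the security command-line tool the post mentions. The dump layout below is a constructed sample in the shape of `security dump-keychain -d` output, which is an assumption; the function itself only needs the class, srvr, acct and data lines.

```shell
# find_reused_password PASSWORD DUMPFILE
# Walks the dump item by item and prints "server account" for every item whose
# secret equals PASSWORD. The dump quotes secrets, so we compare the quoted form.
find_reused_password() {
    awk -v want="\"$1\"" '
        /^class:/       { srvr = ""; acct = "" }   # a new keychain item starts here
        /"srvr"<blob>=/ { sub(/.*"srvr"<blob>=/, ""); gsub(/"/, ""); srvr = $0 }
        /"acct"<blob>=/ { sub(/.*"acct"<blob>=/, ""); gsub(/"/, ""); acct = $0 }
        /^data:/        { if ((getline line) > 0 && line == want) print srvr, acct }
    ' "$2"
}

# Constructed sample (not real keychain data) in the assumed dump-keychain -d shape.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="daniel"
    "srvr"<blob>="www.linkedin.com"
data:
"bugaboo"
keychain: "/Users/example/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="daniel"
    "srvr"<blob>="mail.example.com"
data:
"different-password"
keychain: "/Users/example/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="dj"
    "srvr"<blob>="forum.example.org"
data:
"bugaboo"
EOF

# Which services share the LinkedIn password? Two of the three sample items do.
find_reused_password bugaboo "$SAMPLE_DUMP"
```

Against a real keychain, `security dump-keychain -d` asks for permission on every item, the same granular prompting the post describes, and the resulting plaintext dump should be deleted as soon as the search is done.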

I can’t stress enough how void of a warranty, guarantee, support, or any liability these tools are. You shouldn’t use them, but I hope that reading about them has been interesting.

Update: As luck would have it, mere moments after publishing this, I got word from the 1Password folks about another write-up that achieves something different (exporting for 1Password), but makes use of the very same approach of automating the clicking of that allow button.

Fixing PNGs

June 1st, 2012

One of my hobbies is poking around in the application bundles of software that I did not write. The extent of my curiosity ranges from aiming to find the identity of an uncredited developer, to disassembling and examining the technical approaches that were taken in the code. But usually I just like to take a quick survey and see if anything catches my interest.

For Mac apps, it’s as easy as control-clicking the application in the Finder and selecting “Show Package Contents.” For iOS apps, it’s a bit trickier, but easy enough when you realize that the “.ipa” files in your Music/iTunes/Mobile Applications folder are actually zip archives and can be easily unpacked by first changing their names to end in .zip, or by direct command line invocation:

% unzip -d Goodies "MarsEdit Touch.ipa"
% cd "Goodies/Payload/MarsEdit Touch.app"

At this point exploration from the Finder or Terminal is similar to browsing a Mac application, except the structure for iOS apps is a little flatter and, blast it all, none of the images are viewable. That seriously dampens my enjoyment of the bundles.

The reason most PNG images in iOS apps are not viewable is that Apple applies special, non-standard optimizations to the images to improve performance on iOS devices. This renders the images useless to all other apps that normally work with PNG files, including the Finder’s Quick Look feature.

Years ago, I discovered a handy tool called iPhonePNG that was assembled by David Watanabe. Essentially, the authors of this tool figured out the optimizations that Apple was doing, and reversed the steps to convert them back into standard PNG images. The tool relied upon a compiled-in version of the libpng library.

Recently when I went to use this tool again, I noticed that it did not work reliably. It dumped lots of memory errors and complained of “extra compressed data” in the input files. I then proceeded to spend too many hours trying to fix it, bashing my head against libpng, before my friend Tom Harrington alerted me to an Xcode-bundled tool that can do the job reliably:

iPhoneOS.platform/Developer/usr/bin/pngcrush

This Apple-modified version of the pngcrush utility accepts a “-revert-iphone-optimizations” option to do exactly the chore I’m looking to have done. But remembering the path to this tool and the long option name was not working for me, so I threw together a handy pair of zsh functions. Now when I’m bundle-surfing and want to peek at an iOS-optimized PNG, it’s easy:

% fixpng ./RedSweater.png
Writing fixed PNG to RedSweater-fixed.png
% open RedSweater-fixed.png

Or if I want to browse a whole folder full:

% fixpngs *.png

If you use zsh, or would like to adapt the functions to your preferred shell, you can download them here. Enjoy!
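For readers who would rather see the shape of such helpers than download them, here is an added example, not the post’s own zsh functions: a POSIX-sh reconstruction of fixpng and fixpngs around the xcrun pngcrush invocation mentioned later in the post. The PNGCRUSH variable is an assumption introduced so the converter command can be swapped out, for instance when testing without Xcode.

```shell
# Converter command; the default is the Apple-customized pngcrush via xcrun.
# Assumed variable, not part of the post: override it to test without Xcode.
: "${PNGCRUSH:=xcrun -sdk iphoneos pngcrush -revert-iphone-optimizations}"

# fixpng_outname PATH -> name of the standard-PNG copy, written to the current dir
fixpng_outname() {
    base=$(basename "$1")
    case "$base" in
        *.png) printf '%s\n' "${base%.png}-fixed.png" ;;
        *)     printf '%s\n' "$base-fixed.png" ;;
    esac
}

# fixpng PATH: revert Apple's optimizations on one image, reporting the output name
fixpng() {
    [ -f "$1" ] || { echo "fixpng: no such file: $1" >&2; return 1; }
    out=$(fixpng_outname "$1")
    echo "Writing fixed PNG to $out"
    # Word splitting of $PNGCRUSH is intended: it holds a command plus options.
    $PNGCRUSH "$1" "$out"
}

# fixpngs FILE...: convert every argument, keep going past failures, report any
fixpngs() {
    status=0
    for f in "$@"; do
        fixpng "$f" || status=1
    done
    return $status
}
```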

Updates: I was alerted by Kelvin Owers to an impressive, free tool called ImageOptim. The author argues that his optimization technique for PNGs results in smaller, faster-loading images than Apple’s, while conforming with the PNG standard. I ran some of my PNGs through the tool and it shaved 30-40% off the size. I’m going to strongly consider using this tool, and disabling Apple’s PNG optimization for my projects.

I was also informed by Jordan Breeding and Clark Cox that the “xcrun” command line tool makes a nicer method of invoking the magic Apple-customized pngcrush tool:

% xcrun -sdk iphoneos pngcrush -revert-iphone-optimizations

From the point of view of making the whole bundle-browsing process seamless, Christopher Bowns pointed me to atPeek for examining app bundles, and the associated, free Quick Look plugin for automatically decoding the PNGs.

Thanks for all the useful feedback!

The Talk Show With John Gruber

May 25th, 2012

For the past few years, John Gruber and Dan Benjamin recorded an informal, off-the-cuff-seeming podcast called The Talk Show. I didn’t listen to every episode, but I listened from the very beginning, before Dan had even founded the 5by5 network that later became its home.

I see The Talk Show’s format as the prototype for many other successful 5by5 podcasts: Dan plays the cool, somewhat disinterested straight-man to a “star,” whose own temperament, philosophies and interests ultimately define the show. After the initial success of The Talk Show, Dan threw the net wide, inviting folks such as Marco Arment, Andy Ihnatko, Merlin Mann, John Siracusa, Horace Dediu, and Jim Dalrymple to indulge audiences with their own personalities and areas of expertise. I even had the pleasure of playing the star myself on one episode of Build & Analyze.

Last week, John announced matter-of-factly that The Talk Show would no longer air on the 5by5 network, and would be joining the lineup at the fledgling Mule Radio Syndicate. Dan does a great job at 5by5 of emphasizing that the star of each show is who makes the show what it is. Nonetheless, Dan’s personality is unavoidably material to the mood and progression of these shows, so it’s safe to say that The Talk Show’s departure from 5by5 marks the end of an era.

The good news for fans of John Gruber, is it doesn’t mark the end of The Talk Show. John’s obsessive, meandering, sometimes distracted personality lives on at Mule, and I think this promises to be another great era in The Talk Show’s history. Episode 1 featured John Moltz of Crazy Apple Rumors fame, and the two delved into all the kinds of topics I’d expect. I thoroughly enjoyed the show.

I enjoyed it so much, I decided to co-sponsor this week’s episode, along with my good friends from Bare Bones Software.

The Talk Show Episode #2: Dare I Say, Kubrick?

Much to my delight, the episode turned out to feature one of my favorite “internet stars,” Mr. Adam Lisagor of Sandwich Video fame. John literally can’t go wrong if these folks are representative of the stature of future guests. So, give the new Talk Show a try, won’t you?