fogbound.net




Mon, 21 Apr 2025

Fixing an rsync issue under Mac OS 15.4

— SjG @ 1:18 pm

I keep some directories synchronized between my notebook and desktop with rsync. After upgrading my desktop to Mac OS 15.4.1, I started getting errors:

[sjg@BigThud 2025-04-21 13:01:05] ~/Documents/Backup
$ rsync -auP . sjg@10.3.2.xx:Documents/Backup
(sjg@10.3.2.xx) Password:
rsync: failed to set times on "/Users/sjg/Documents/Backup/Whatever": Operation not permitted (1)

Interestingly, ssh also showed an error:

[sjg@BigThud 2025-04-21 13:04:29] ~/Documents/Backup
$ ssh sjg@10.3.2.xx "ls /Users/sjg/Documents/Backup/Whatever"
(sjg@10.3.2.xx) Password:
ls: /Users/sjg/Documents/Backup/Whatever: Operation not permitted

On the desktop, I look again at Documents/Backup/Whatever, and the permissions are fine. What gives?

To make a long story short, something in the latest update on the desktop changed sshd’s full disk access permission. Looking at System Preferences > Privacy & Security > Full Disk Access, sshd-keygen-wrapper was checked, so it should have been enabled. I tried toggling that, but it didn’t help.

Apparently, the sshd-keygen-wrapper was pointing at an old version or something? I had to go into System Preferences > General > Sharing and turn Remote Login off then on again, then go into System Preferences > Privacy & Security > Full Disk Access and re-enable sshd-keygen-wrapper.

Et voilà, I could ssh and rsync again!


Wed, 2 Apr 2025

Stop some iOS 18.4 nagging

— SjG @ 3:30 pm

I don’t want to use biometrics on my phone. There are a lot of reasons, most of them not very good for a nobody like me. Still, I like reading about OPSEC and thinking about it.

Biometrics are not revocable like a code. That may seem like a strange concern, but if, say, your fingerprint gets reproduced on the internet, there’s no way to prevent its abuse. People have 3D-printed fingers in gelatin with a captured image and gotten past phone fingerprint sensors. Many years ago when I was in the aerospace industry, we’d joke about the Russians “borrowing” your head if they wanted to get through the retina scanner at a secure facility. Again, do I have this kind of security requirement? No, but I still don’t want to use biometrics.

For the longest time, I couldn’t find the way to get Apple to honor my preference. I get a daily pop-up telling me to “finish setting up your phone.” Naturally, it pops up when I’m in the middle of a phone call and trying to do something with my calendar or something, and it gets in the way. Furthermore, it’s disrespectful. I don’t want to set up Face ID. Stop bugging me, Apple!

I used to be able to click into Preferences > Finish Setting Up Your iPhone and click the “Set up later…” button on each feature I didn’t want. Now there’s only an “Enable” feature. But it turns out that you can click the “Enable” and then “Cancel” when it asks for your passcode. This stops the nagging.

Apple has always thought they know best how you should be using their products. I’m finding it increasingly annoying. Why should each update turn on Apple Intelligence? I don’t want “AI” just as much as I don’t want biometrics.

I don’t want to go full Luddite, but maybe it’s time for me to start thinking more along the lines of a dumber phone.


Tue, 11 Mar 2025

Stripping images from PDFs using Ghostscript

— SjG @ 10:28 am

A long PDF was to be printed, but only the text was important. As it was full of images, it seemed like removing the images would save a whole lot of ink.

It turns out ghostscript has some very nice filters for removing classes of content from a file. You can very simply remove text, images, or vector objects without changing the rest of the layout.

For example, to strip vector objects and images from a PDF, you can use:

gs -o text-only.pdf -sDEVICE=pdfwrite -dFILTERVECTOR -dFILTERIMAGE pdf-with-pictures.pdf

If you don’t have ghostscript installed but use Docker, there are containers that make it easy:

docker run --rm -v "$(pwd)":/app -w /app minidocks/ghostscript gs -o text-only.pdf -sDEVICE=pdfwrite -dFILTERVECTOR -dFILTERIMAGE pdf-with-pictures.pdf


Tue, 4 Mar 2025

Solving a VPN Mystery

— SjG @ 1:14 pm

The Department of Water and Power is doing work near the office, and over the weekend, there was a sustained power outage. I came in Monday to shrieking UPSes and had to power up the firewall and a few other machines. It was the normal stupid kind of stuff.

We have a few virtual servers out in “the cloud,” and we use point-to-point VPNs to make them seem local to our network. Those VPNs also needed restarting.

Through the course of the day, however, one VPN connection kept unceremoniously disconnecting. Looking at logs on the various servers was unenlightening. Everything was running normally, other than the surprise disconnects.

In the evenings, I’ve been watching the old Granada TV/Jeremy Brett Sherlock Holmes series, so I had to apply Holmes’ deductive process. The virtual servers had experienced no changes except being disconnected, so I needed to focus on the firewall. The firewall had experienced no change, except being restarted. What could have happened?

I finally found a configuration that was incorrect (it was a netmask that was insufficiently restrictive, allowing devices not on the VPN to collide with VPN IP addresses). I fixed the netmask, and the VPN has been up and stable ever since.

But how could this be? It had been running properly literally for years. It had to be something to do with the power outage. But if that had corrupted the configuration, it wouldn’t have been a single IP netmask changing. “[W]hen you have eliminated the impossible, whatever remains, however improbable, must be the truth.” The bad configuration file could not have been in use.

The best theory is that the configuration file had been (accidentally?) modified at some point in the past, but never loaded. When the firewall was restarted, it loaded this modified configuration for the first time.
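
As an added example (not from the original post), the Python below compares a snapshot of the settings a firewall is running with the file a restart would load, and flags a netmask that was widened so that it now overlaps LAN ranges. The key = value format, the setting names, the snapshot itself and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed samples: running snapshot, then the edited file a restart loads.
RUNNING = """
tunnel_name = cloud-a
tunnel_net = 10.99.0.0/30
"""
ON_DISK = """
tunnel_name = cloud-a
tunnel_net = 10.99.0.0/16   # netmask widened by an unnoticed edit
"""
LAN_NETWORKS = ["10.99.20.0/24", "192.168.1.0/24"]  # constructed office ranges

def parse_config(text):
    """Parse 'key = value' lines (hypothetical format), dropping # comments."""
    pairs = (l.split("#", 1)[0].split("=", 1) for l in text.splitlines())
    return {p[0].strip(): p[1].strip() for p in pairs if len(p) == 2}

def as_network(value):
    """Return an ip_network for CIDR values, or None for anything else."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except (TypeError, ValueError):
        return None

def audit_drift(running_text, on_disk_text, lan_networks):
    """List settings where the on-disk file differs from the running snapshot."""
    running, on_disk = parse_config(running_text), parse_config(on_disk_text)
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    findings = []
    for key in sorted(set(running) | set(on_disk)):
        old, new = running.get(key), on_disk.get(key)
        if old == new:
            continue
        finding = {"key": key, "running": old, "on_disk": new,
                   "widened": False, "collides_with": []}
        old_net, new_net = as_network(old), as_network(new)
        if new_net is not None:
            # LAN ranges that the pending netmask would claim for the tunnel.
            finding["collides_with"] = [str(n) for n in lans if n.overlaps(new_net)]
            if old_net is not None and old_net.version == new_net.version:
                # Wider mask: the old network is a strict subnet of the new one.
                finding["widened"] = old_net != new_net and old_net.subnet_of(new_net)
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in audit_drift(RUNNING, ON_DISK, LAN_NETWORKS):
        print(finding)
```

Run against a snapshot taken after every intentional change, a non-empty result means the next restart will load something different from what is running today.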


Thu, 13 Feb 2025

Moving away from WordPress

— SjG @ 11:29 am

This is a WordPress site, first created in 2003. Why I created a WordPress blog site when I was involved in the CMS Made Simple project back then, I don’t recall.

I maintain a handful of other sites running on WordPress too. It was a lot of work until I discovered the wp command-line tool (thanks Beau!). I was able to lock down permissions of the WordPress directories, and have a nightly script that would update WordPress and all of the plugins to make sure I was up to date and (moderately) secure.

One of these WordPress sites I maintain is for an organization. The site has gone through a lot of evolution. I originally built it with a Perl-based system called “Scribe” that I wrote in 2002 or thereabouts. It used a markup-based templating system, CVS to maintain versions, and published static HTML from CGI scripts. Later, I was working on the CMS Made Simple project as part of the core team, so I ported this site to CMSMS. Eventually, I left the CMSMS project, and in 2017 I decided to migrate the site to WordPress (based on the fantasy that other people would join me and maintain content on the site). I was busy, and paid an overseas development firm to port the site for $300. The language barrier made the project difficult, and I ended up rewriting a substantial portion of the code.

This morning a security update resulted in one of the site’s plugins throwing fatal errors and taking the site completely offline. I eventually had to manually poke around in the database and modify JSON strings to resolve the problem (and disable the broken plugin).

I started reflecting on the overall functionality of the site and how it’s used. Maybe it’s time for me to move away from WordPress and go back to some static generating strategy. I hear good things about Jekyll. Of course, this would also probably involve a site redesign too. Ugh. Well, more to evaluate and think about.