Archive for July 14, 2017

Friday, July 14, 2017

Fixing iCloud Keychains, and Backing Them Up

Howard Oakley:

iCloud Keychain is, in the words of the cliché, wonderful when it works. And it works a great deal of the time, unless it goes wrong. Even more unfortunately, it most often goes wrong when a user tries to solve another problem, by doing something which inadvertently messes iCK up. Then they are in trouble.


But with iCK turned on, your login keychain is in iCloud, and is not something which you can access as a file, as you can a local keychain. If you use iCloud for backups, then it is specifically excluded from those backups, because Apple argues that it is already stored in iCloud, therefore doesn’t need to be backed up. Unless of course something happens to it, like all its password entries get wiped: then you’re apparently stuck, contacting iCloud support to try to recover a copy of it before disaster struck.


When you turn iCK off, the current keychain held in iCloud is downloaded to your Mac (or iOS device), and used as its local keychain. So to make a backup copy of your iCloud keychain, turn iCK off, wait a little while, and back up login.keychain-db from your ~/Library/Keychains folder. Once you have made that copy, turn iCK back on, and it should carry on where it left off.

1Password Standalone Vaults and PasswordWallet

Dave Teare:

Now the thing is, I know it’s not realistic to expect everyone to be able to be able to join one of our memberships at this time. As great as 1Password memberships are, I know that our excitement for them can cause some people to become worried. After all, many have corporate policies or regional restrictions that prevent them from using a hosted solution like ours, and so they’re understandably concerned and want to know that there’s a future for them with 1Password.

These worries are compounded by the fact that 1Password 6 for Windows was designed from the ground up to support 1Password Teams customers only (and then later expanded to include family and individual plans), and we are unsure how this adventure will play out on the Windows side of the world, so we haven’t made any public announcements about when support for standalone vaults will be added, if ever. Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.


We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults. But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over when ever I can 🙂

This partial commitment is nice to hear, although it would have been nicer a few days ago when I asked about support for standalone vaults beyond version 6 and the response was:

I know it’s not the answer you want, but we will never publicly commit to Dropbox, iCloud, or local vaults for the future. Even if we bring local vaults forward in a hypothetical new version of 1Password which does not yet exist, that’s not to say that the subsequent version will continue that[…]

They seemed to be trying to thread a needle by specifically not promising continued support for local vaults, conflating this with not commenting on future product directions in general and the idea that all software eventually breaks, and then saying there was nothing to worry about because they have no plans to actively remove the feature. Reading between the lines, the strong implication was that they wanted at least the option to go cloud-only in version 7 without going back on their word.

I took this as a signal to start looking at other options, because the centralized cloud model, while very convenient for most customers and for AgileBits’ support people, seems inherently less secure to me and won’t work with Little Snitch blocking all network access. Additionally, it doesn’t work with 1PasswordAnywhere, doesn’t work with 1Password’s local backup feature, and maintains only a partial local cache (attachments not guaranteed).

So, by the time of Teare’s announcement, I had already investigated some alternatives, selected PasswordWallet (based in part on a recommendation from Wolf Rentzsch), and converted one of my vaults.

(Sidenote: During this process I learned that 1Password’s CSV export—with “All Fields” selected—does not actually export all of the fields, and that the 1PIF export format is undocumented. So migrating my nearly 2,000 entries would have been impractical if I hadn’t been able to write some code to massage the JSON-like 1PIF into a format suitable for PasswordWallet’s CSV/TSV importer. I feel stupid for having taken the time a few years ago to manually move my data from 1Password’s Notes field into custom fields/sections.)

For the near term, I will likely use a mixed setup. My main vault is in PasswordWallet, and I see no reason to convert it back. We also have a successful family setup that syncs multiple 1Password vaults via Dropbox, and that now seems like it should keep working for at least a few years. 1Password and PasswordWallet are both good apps, and I hope that both will be successful long into the future.

With that in mind, here are some advantages that I see with PasswordWallet:

And some things I prefer about 1Password:

Update (2017-07-16): See also: Rui Carmo.

Rene Ritchie:

To put it bluntly, AgileBits is moving to a more sustainable business model that will allow them to better develop and support 1Password now and into the future.


So, if you’re already a 1Password user, avoid all the FUD and take your own hard look at the new direction.

I tend to agree that subscriptions make their business more sustainable, so it’s interesting that Teare seems to deny that:

Please don’t think our excitement for memberships has anything to do with money. […] We were doing just fine selling individual licenses and AgileBits was already steadily growing before 1Password Teams was even introduced. We created 1Password Memberships because we had a vision for how 1Password could be even better and we followed our dreams. The result has been stupendously awesome and better than our wildest dreams! Today, over 95% of our revenues are coming from subscribers, which is truly mind blowing.

When you look at that 95% statistic and this comment from AGKyle a year ago:

That said, we don’t have any immediate plans to remove the standalone products. However, if a vast majority of our users switch to 1Password Family or 1Password Teams (and as of today, an Individual plan!) then it doesn’t make a ton of sense to keep the standalone product around. So, it’s probably one of those speak with your wallet kind of scenarios.

it makes perfect sense why they were reluctant to commit to supporting standalone vaults in version 7. They also made it really hard to “speak with your wallet” because in the last year there was no paid upgrade, and they removed the standalone version from their store. And they rewrote the Windows version of the app without support for local vaults (yet).

A lot of people are throwing around accusations of FUD, but it seems to me that the source of the uncertainty was AgileBits itself: actions like these and public statements from employees such as Kyle. I see Teare’s post not as a “correction” of misinformation but as an actual policy change. Before, they implied that standalone might be dropped and refused to commit to it. Now they’ve committed for at least one more version.

Update (2017-07-20): Tim Bray:

I understand, and I support AgileBits wanting to become a subscription biz. But I still want to keep my data and password away from their servers. This all seems fine to me. I pay my monthly rent to Adobe and it’s for Lightroom & Photoshop, not for their unexciting server-side offerings.

So AgileBits, why not? Please go ahead and start asking for subscriptions. But don’t ask paranoid people like me to go anywhere near

AgileBits has addressed the situation in Why We Love 1Password Memberships, but it’s really unsatisfying, totally ignoring the security concerns. And (I guess I shouldn’t be surprised) failing to acknowledge the business advantages for them in making this move.

Update (2017-08-02): AgileBits:

With this release, we finally have enough visibility to chart a course for the future, so we’re happy to announce that standalone vaults will be back on the menu in 1Password 7 for Windows. 1Password 7 will be free with your 1Password membership, but if memberships aren’t for you, paid licenses will also be available.


Mike Ash:

Reflection is not a particularly good solution to this problem. It’s easy to get it wrong and create security bugs. It’s less able to use static typing, so more errors happen at runtime rather than compile time. And it tends to be pretty slow, since the code has to be completely general and does lots of string lookups with type metadata.

Swift has taken the approach of compile-time code generation rather than runtime reflection. This means that some of the knowledge has to be built in to the compiler, but the result is fast and takes advantage of static typing, while still remaining easy to use.


The compiler generates a CodingKeys type nested inside Person. If we did it ourselves, that nested type would look like this[…] If we need different names, we can easily accomplish this by providing our own CodingKeys with custom raw values.

Previously: Swift 4: JSON With Encoder and Encodable.

Publishers and the Pursuit of the Past

Ben Thompson:

In short, aggregators are market makers […] Thus this solution: Chavern and the big publishers want permission from Congress to escape the perfect competition fostered by Aggregation Theory via collusion. The theory seems to be that, were the 2,000 newspapers party to this proposal able to present a unified front, they could force concessions from Google and Facebook that would make their businesses viable.


[The] truth is that newspapers made money in the past not by providing societal value, but by having quasi-monopolistic control of print advertising in their geographic area; the societal value was a bonus. Thus, when Chavern complains that “today’s internet distribution systems distort the flow of economic value derived from good reporting”, he is in fact conflating societal value with economic value; the latter does not exist and has never existed.

This failure to understand the past leads to a misdiagnosis of the present: Google and Facebook are not profitable because they took newspapers’ reporting, they are profitable because they took their advertising. Moreover, the utility of both platforms is so great that even if all newspaper content were magically removed — which has been tried in Europe — the only thing that would change is that said newspapers would lose even more revenue as they lost traffic.


In fact, this is the single most ridiculous part of this proposal: one of the issues Chavern wishes to collectively bargain with Facebook and Google about is “better support for subscription models”. In other words, Chavern wishes to bring in Facebook and Google as an aggregator in the one market — subscriptions — where newspapers actually have a viable business model.

Daring Fireball Display Ads

John Gruber:

What I finally decided was the most obvious replacement possible: selling Deck-like ads on my own, directly to advertisers, much like I do with the weekly feed sponsorships.


For sponsors, you get to be the only graphical ad on the page each time your ad is shown. And given DF’s visual style, most of the time the ad will be the only graphical element on the entire page other than the DF logo mark, and the only color on the page other than good old #4a525a slate gray. The ads are relatively small, but I am confident they are more noticeable in a non-objectionable way than ads on just about any other website in the world. The ads on Daring Fireball stand out without being the least bit obtrusive. That’s the sweet spot for ads, in my opinion.

For readers, these are ads that, again, are visually unobjectionable, and which offer the most privacy you could hope for. Not only is there no tracking involved, there is no JavaScript involved.

I wish this sort of approach—opting out of the arms race—could work for more sites. It’s really a win-win. There are some other sites that have good content but which I specifically avoid because they’re junked up with ads. So I miss their content unless someone specifically directs me to an article, and they miss my fractional eyeballs.

Previously: The Deck Shuts Down.