Talk: Restoring a Prairie Haven with renewable power


July 1, 2016
For Immediate Release

Wings Over Alma welcomes Mike O’Connor to present:
Restoring a Prairie Haven with Renewable Power

Tesla at its filling station

Alma, Wisconsin – Wings Over Alma Nature & Art Center is featuring another facet of the O’Connors’ ‘unfarming’ restoration project in Buffalo County.  On Sunday, July 17, 2016, Mike will share how the farm (Prairie Haven) generates more electric power than it consumes.

Mike and Marcie O’Connor are in the process of returning an old dairy farm in Buffalo County back to the savanna and prairie that was there before the land was settled. As part of the “unfarming” restoration project they installed solar panels to meet their energy needs.

Mike’s presentation will describe their solar power system, how it works, why they installed it and preliminary financial results. The O’Connors heat their house and run their Tesla electric car, utility vehicles and smaller tools like chain saws with the solar power they generate. This is bound to be an informative presentation you won’t want to miss.  Be sure to bring your questions!!

Wings Over Alma will be hosting the presentation in their new location 110 North Main Street, Alma, WI.

The event begins at 1:00PM on Sunday, July 17th and there is no cost.


Leslie Wilkie
651 334-9407


About Wings Over Alma

Wings Over Alma, Inc. is a non-profit community organization seeking to enhance and promote awareness of the Upper Mississippi River environment and raise the level of regional arts and crafts appreciation.

Adding SSL to my OSX server

I decided it was time to make a little statement and add “always on” encryption to this completely innocuous site.  The online equivalent of moving a lemonade stand inside a bank vault.  Now when you read about refurbishing my car, or fixing a seed drill, you’ll be doing it over an encrypted connection.

This is another scratchpad post for folks who run an OSX Server and want to use a multi-domain UC (unified communications) SSL certificate.  The rest of you can stop here — this is probably the most boring post of all time.

UPDATE – May 2016 – Cloudflare Origin Cert on an OSX Server:

This section describes using Cloudflare Origin Certificates, the following section is the original post where I was installing a Godaddy cert.

I’ve taken to using Cloudflare for all my sites.  If you haven’t come across them, I heartily recommend you take a look — they’re a pretty nifty gang.  Somewhere along there they added SSL to all the connections from end-users to their servers but that left the link from Cloudflare to my sites unencrypted.

They now support several ways to secure that connection – most of which are free.  Free is good, since commercial certs to cover the 20 or so websites I host start to add up.  I decided to try implementing their preferred approach where they issue me an “origin cert” (rather than using a self-signed cert which wouldn’t give end-users as much confidence).

Doing that on OSX Server is dead simple.  Here are the steps:

Create a new cert-request on OSX Server.


We’ll create one for my buddy Foo (at


Which results in a cert request that looks like this


Go to Cloudflare (I’m assuming the site is already established there) and submit the cert request.  Note that I’ve elected to submit my own CSR.  Cloudflare has a pretty interesting process to do it on their own but I decided I needed to generate the CSR within OSX Server in order to have a socket for the cert when it is issued.


Cloudflare generates the cert and provides it in a variety of formats.  I elected PEM format and the certificate appears in the window.  I copied/pasted/saved that text into a new text file (demo-cert.pem in this example) and saved it to the desktop of the server.


Back to OSX Server now.  The CSR shows up as a pending cert in the Certificates window.  Double-clicking it results in this screen.   Drag the newly-saved demo-cert.pem file into the Certificate Files box and all is complete.


Create a new SSL web site, use the newly-installed cert, point it at the same directory as the port-80 cleartext site, do a redirect to the port-443 site to complete the job.  Don’t forget to tick the “allow overrides using .htaccess files” box in Advanced Settings for the site so’s the permalinks work.

Original post – August 2014 – Godaddy Cert

I’m a happy Godaddy customer, so the examples in this post are Godaddy-oriented.  But the theory should apply to any Unified Communications (UC) cert vendor.

Single-domain cert

Here is Godaddy’s list of steps for installing a standard single-domain cert.   Click here to view the help page these came from.  The process for a multi-domain cert is almost the same, but let’s start with “vanilla.”

To Generate a CSR with Mac OS X 10.7-10.9

  1. On the Mac, launch Server.
  2. Click Certificates on the left.
  3. Click +.
  4. Click Next.
  5. Complete the on-screen fields, and then click Next
  6. Either copy the CSR that displays, or click Save and save the file locally.

After you have successfully requested a certificate, you need to install the certificate files we provide on your server.

To Install an SSL Certificate with Mac OS X 10.9

  1. Download your certificate’s files — you can use the files we offer for Mac OS 10.6 (more info).
  2. On the Mac, launch Server.
  3. Click Certificates on the left.
  4. Double-click the common name of the certificate you requested.
  5. Click and drag the certificate and bundle files into the Certificate Files section.
  6. Click OK.

This installs the certificate on your server. To verify its installation, you should see your certificate’s common name listed in the Settings menu.

Multi-domain Unified Communications (UC) cert

There are two things that are different when using a UC cert.

Change #1) Use one CSR to request the cert

  • Create one certificate signing request (CSR) in the OSX Server app, no matter how many domains are going to be covered by the UC cert.  The CSR is just creating a socket into which the certificate is going to be installed by OSX Server and only one such socket is needed.
  • All of the domains added through Godaddy’s “manage Subject Alternative Names (SAN)” process will work once the cert is installed.
  • Take care in choosing the domain name when creating the CSR.  This will be the “common name” on the cert and is the only domain name that cannot change later.  This is the apex of the hierarchy of the cert and is the only one that will appear if site-visitors view the cert.
  • The picture below is an example of the Godaddy management interface looking at a (prior version of) the cert that secures this page.  That cert appears in OSX Server’s list of Trusted Certificates as “” — that name came from the CSR I generated in OSX Server.
  • The alternate domains that will also work with this version of the cert are “” and “” but those names are entered at the Godaddy end, NOT through CSR’s from OSX Server.
  • To restate — just create one CSR and add the rest of the domains through the cert-vendor’s Subject Alternative Name process.  In my case, the domain in the CSR was for “”


Change #2) Add domains to the cert BEFORE downloading it to OSX Server

  • Don’t download the cert that’s created from the CSR just yet.  It will only have the Common Name and doesn’t yet include the other domains that the cert will cover
  • In the case of the cert shown above, the SANs “” and “” were added through Godaddy’s cert-management interface before I downloaded/installed the cert.

Follow the vendor-provided download/install steps. 

Now that the cert has the proper names added, it installs the same way a single-domain cert does (see above).

To recap Godaddy’s instructions: download the OSX 10.6 version of the files, unzip them, click on the pending cert request in Server, drag the two unzipped files into the CSR when it asks for them, click OK and wait a bit while the cert installs.

Verify that the cert covers the domain-names that are needed

Once the cert has been installed, review (double-click) the cert on OSX Server to make sure that all the needed domains are there.  The list of domains is in the middle of the cert; each entry is titled “DNS Name”.  If they’re all there, jump ahead and start assigning the cert to web pages and services.

If the names listed on the installed cert don’t match what’s needed, add the missing domains before using it

  • Delete the cert from OSX server (it’s OK, it’ll be downloaded again in a jiffy)
  • Return to Godaddy and modify the Subject Alternative Names (SANs) to get the domains right
  • Create a new CSR on OSX Server – again, this is just a socket into which the cert will install.
  • Download/install/verify the cert

Note: The cert will install correctly as long as the domain in the new CSR matches one of the domains covered by the cert.  But it will always appear under the common name on the cert, which confused me.  I surprised myself by installing this cert under a “” CSR — it installed just fine, but its name changed to “” on the list of Trusted Certificates in OSX Server.  Best to avoid confusion by creating the replacement CSR under the common name.

Once the cert is right, associate the cert with web pages and services.

  • Web pages and services will operate correctly as long as the domain of the web-page or service matches one of the domains on the cert.
  • It doesn’t matter that the common name of the cert ( in this case) doesn’t match the domain of the web page (

That concludes my report.  This web page is running under a later version of that cert — you can see what it looks like by double-clicking the “lock” in the URL bar of your browser.

Renew the cert

A year has passed and it’s time to renew the cert.  Here’s a checklist:

  • Launch the Server app, open the cert that is coming up for renewal, click the “renew” button, generate a CSR.
  • Renew the cert at the cert-provider, using the newly-generated CSR (this is a copy/paste operation at Godaddy)
  • Download the certs from the vendor once you have been validated
  • Open up the “pending” cert again in the Server app and drag the newly-downloaded cert files from the vendor into the box that’s displayed.
  • There should now be two certs in the Server app list — the current one and the new one.  Update the cert configuration to point at the newly-renewed cert.
  • Test with the new cert and once all is working and verified, delete the expiring one

Migrating from Snow Leopard Server to OSX Server (Mountain Lion)

Back in late 2011 I wrote this scratchpad post to document my efforts to move from Snow Leopard Server to Lion Server.  I ran into some configuration problems that stumped the 2nd-level folks at Apple and eventually I abandoned the project and stayed on Snow Leopard.

When Mountain Lion came out, and went through an update or two to iron the kinks out, I decided to have another go at it.  I’m crossing my fingers here, but I’ve been on OSX Server (the new/old name under Mountain Lion) for about a month now and things look pretty stable.  So here’s another scratchpad post to document what I did to put back a few things that were removed from the standard OSX Server environment.


Stability and Reliability

Upgrade memory

I found that the standard 4 GB of memory that shipped with my server started to get very tight as I started turning on the various Python-based services (Calendar, Contacts, Wiki, etc.).  In fact, by the time I had all those services running, the machine would lock up and crash after being unreachable for a while.  I upgraded the memory to 16 GB (not officially supported).  Looking at this memory-use graph out of Server, you can see why the server was having trouble with 4 GB, but it looks like 8 GB would work OK as well.


Nightly auto-restarts

I know, real men are supposed to run their servers for decades without restarting them.  But I’ve found that having the server reboot itself every night in the wee hours of the morning clears out a lot of memory-leak cruft and, combined with the added memory, has made the machine quite stable.  System Preferences/Energy Saver/Schedule is the place to do that.


I hardly ever use it, but the idea of a completely-under-my-control VPN appeals to my tin-foil-hat privacy side.  Setting it up is a little tricky and I found this guide to setting up VPN on a Mac Mini server that’s running Mountain Lion to be really helpful.  I stepped through the process exactly as they described it and it worked.  I love that.

Replace features that were removed

Replace firewall capability

The nifty firewall in Snow Leopard (IPFW) was replaced with the newer packet filter (PF) firewall in Mountain Lion.  And all of the firewall-management features were removed from Server Manager.  Most likely because the presumption is that these servers are running on a network that is already behind a firewall — and because these rascals are tricky and hard for Apple to support.  But I needed to run the PF firewall on this machine.  Doing that by hand is Too Hard, so here’s what I did.

  • Consider using IceFloor, a PF front end —
  • Note: firewall logging gets turned on every time you reload the settings.  Logging can be disabled (once you’ve got a stable set of rules) by editing the config file from the main rules tree.

Restore MySQL

Apple dropped MySQL from their distribution (licensing issues would be my guess).  But all of the family web sites run WordPress on top of MySQL so I need to add that back.  Here’s what I did:

Webmail and email aliases

Webmail is in the “nice to have in travel emergencies” category.  But the Roundcube webmail is also the best place I’ve found to replace some of the email-forwarding, email-exploder capabilities that went away in the transition from Snow Leopard to Mountain Lion.  So I put it back.  Conceptually, it’s an email client running on the server that can talk to the mail server just like any other client.  It just happens to use the web as its user interface.  Here are useful links to get you started.

  • A useful step-by-step guide –
  • I had the devil’s own time getting authentication to work properly.  In fact the only scheme that works for me is by allowing “Cleartext” as an authentication option in Server, and using LOGIN as the IMAP_AUTH setting in the RoundCube config file (  Here’s a thread that gives more detail around this, although the fix in that thread didn’t work for me —
  • Here’s how to add the “filters” capability (the most important part, for me).  The only thing to keep an eye on is that the example changes are being made to the file rather than the file.  I think this is just an error — but there may be super-cleverness going on there.  In any event, I made the changes to the live file and it’s working.  ymmv
  • I had to do a lot of debugging on this one.  The log/error files (in the /webmail directory where RoundCube is installed) are of great help in figuring out what’s going on.

Once Roundcube is running, and supporting filters you can…

Replace “group” emails (in other words, create multi-recipient email aliases)

Here are the steps I would go through to create an alias

  • Set up the alias in Server Manager as a local user named “friends”
  • Use WorkGroup Manager (download here – to add additional email domains, if you need to.  In this example the “friends” user needs to have added because I host multiple email domains on this server and it would only answer to if I didn’t.
  • Log into Roundcube with the “friends” user credentials to establish the filter that will redirect the mail to the real recipients
    • Go to Settings/Filters
    • Create a new filter
    • Select the “all messages” option for the filter
    • Execute “Send message copy to” rule for each target address (there may be a limit on the number, I only use this for small lists)
    • Execute “Redirect message to” for the last addressee on your list if you don’t want to keep copies of the messages in the “friends” IMAP account on your server
    • Execute “Stop evaluating rules”

Replace mailing list (Mailman) capability

This was one of the hardest debugging jobs in the whole transition.  Now that I’ve been through the manual install of this system, I can see why Apple dropped it.  It must be a support nightmare for them.  But I host a couple of very active lists and I have to have this capability, losing it in the migration is a non-starter for me.

For most of you, you can stop here.  Your email lists will be working on your new server.

I wanted to run parallel lists under two domains, keeping the lists running under the old domain name until I had the new version up and tested on the new server and then cutting all the list members over to the new list.  If you have a low-priority list where participants can be down for a while, this is probably overkill.  Just let them know that things are going to be broken for a few days, take the lists across, redirect the domain when you change the main DNS MX entry for email and have done.  But I was trying for 100% uptime during the transition.  I bounced my users over a few rocks during this process, but we were up all the time.

To do email lists under multiple domains in Mailman, you have to pay attention to Alias Maps.

  • I used two different sources to piece together a working configuration:
  • The first page, from Apple, gives you the right syntax for the changes you need to make to the Mailman config file (  The rest of the steps are useful too, except they are pointing to an older location for the Mailman installation (the files are now in /usr/local/mailman rather than /usr/share/mailman).
  • Here are the key lines in my live file, using my real domains.  The main server domain is, the other three are used for testing or delivering mailing lists.  Every goofy quote and comma matters here.
    • ##################################################
      # Put your site-specific settings below this line.
      MTA = 'Postfix'
      DEFAULT_EMAIL_HOST = ''
      DEFAULT_URL_HOST = ''
      POSTFIX_STYLE_VIRTUAL_DOMAINS = [ '', '', '' ]
  • Note: do not use <angle brackets> around any of these entries.  It took me a week to realize that all the documentation was trying to do was look pretty.  But putting <angle brackets> around some of those domain name entries breaks Mailman in a really subtle way.  It works fine at receiving and sending posts to the lists.  But notification emails to list owners and list admins are malformed and get rejected by the SMTP server.
  • That second link, from the GNU documentation, got me to working entries in the Postfix files.  Again, here are the two real working entries from my server.  They’re buried in the file, but that second post explains what you’re about:
    • virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users,hash:/usr/local/mailman/data/virtual-mailman
    • alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
  • Now that all the plumbing is in place to create email lists under multiple domains, there’s one more trick.  The web-based front end to Mailman is fine if you’re creating lists in a single domain.  But it doesn’t allow you to specify which domain the list will be created in, so if you want to create a list in a domain other than the server’s default domain name, you have to use the command-line newlist program to create the list.  It’s not hard; here’s how.
    • Enter the command line
    • Go to the following directory — you have to be in this directory in order to launch the program.  It will fail if you try it from anywhere else.
      • $ cd /usr/local/mailman/
    • Launch the newlist program and follow the prompts.  The key thing is to include the domain name in the name of the list when you’re prompted — that’s the bit that’s missing from the web front end.  Again, I’ll use live entries that work with the config stuff above.  You type the stuff in bold.
      • sudo bin/newlist
        Enter the name of the list:
        Enter the email of the person running the list:
        Initial bgnws-testing password:
        Hit enter to notify bgnwstest owner...
    • To restart mailman
      • sudo bin/mailmanctl restart
    • Finally, once the new list is created, here are the steps I went through to keep people on the air during the transition period.  My goal was to have the old list keep working while the new one was being built, and then have it wind up that people could send notes to either the old or the new address of the list and wind up in the same place.  This may be needlessly complicated, but it’s the way I did it.
      • Create an email alias in WG manager on the old server – same name, but forwards to the new-server address.  This alias won’t work until the old list is deleted with the rmlist command, coming up in a second.  (note, different domain names are needed for this to work, because I don’t want to migrate all the email/lists at the same time – this would be much easier if you’re just cutting over from an old server to new)
      • Create a forwarding account on the new server – NOT the same name as the new list (so it doesn’t conflict with the new list) but with an alias to the OLD domain name.  Use Roundcube forwarding to push old-domain posts along to the new-domain address of the list.
      • Create a duplicate list on the new server, along with all members and settings
      • Delete the old-server list – now the alias on the old server will kick in and redirect mail to the new-server address.
      • Transition is complete when old-server DNS is moved to new-server – list continues to answer to either new or old domain name because of the forwarding done by the alias account on the new server.
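
A sanity check for the two config fragments above (the Mailman mm_cfg.py settings and the Postfix alias-map lines), added here as example code that is not part of the original post, Mailman or Postfix: it flags the angle-bracket and curly-quote pitfalls, a map entry still pointing at the old /usr/share/mailman location, and a missing Mailman map.  The host names are constructed samples, and the /usr/local/mailman paths are assumed to match the post.

```python
"""Lint the Mailman mm_cfg.py settings and Postfix main.cf alias-map lines used
for multi-domain lists.  Example code written for this page (not part of Mailman
or Postfix); the config fragments at the bottom are constructed samples."""
import ast
import re

MM_REQUIRED = ("MTA", "DEFAULT_EMAIL_HOST", "DEFAULT_URL_HOST",
               "POSTFIX_STYLE_VIRTUAL_DOMAINS")
SMART_QUOTES = "\u2018\u2019\u201c\u201d"       # curly quotes pasted from a web page
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
SETTING_RE = re.compile(r"([A-Z_]+)\s*=\s*(.+)$")
# Assumed install location (the /usr/local/mailman paths quoted in the post).
MAILMAN_VIRTUAL = "hash:/usr/local/mailman/data/virtual-mailman"
MAILMAN_ALIASES = "hash:/usr/local/mailman/data/aliases"


def check_mm_cfg(text):
    """Return a list of problems found in an mm_cfg.py fragment (empty = clean)."""
    problems, values = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = SETTING_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        name, rhs = m.groups()
        values[name] = None                  # seen; value unknown until it parses
        if any(ch in rhs for ch in SMART_QUOTES):
            problems.append(f"line {lineno}: curly quote in {name}; Python needs ' or \"")
        elif "<" in rhs or ">" in rhs:
            problems.append(f"line {lineno}: angle brackets in {name} malform "
                            "the owner/admin notification mails")
        else:
            try:
                values[name] = ast.literal_eval(rhs)
            except (ValueError, SyntaxError):
                problems.append(f"line {lineno}: {name} is not a valid Python literal")
    for name in MM_REQUIRED:
        if name not in values:
            problems.append(f"missing setting {name}")
    if values.get("MTA") not in (None, "Postfix"):
        problems.append("MTA must be 'Postfix' for Mailman to generate the alias maps")
    for name in ("DEFAULT_EMAIL_HOST", "DEFAULT_URL_HOST"):
        host = values.get(name)
        if host is not None and not (isinstance(host, str) and HOST_RE.match(host)):
            problems.append(f"{name}: {host!r} is not a bare host name")
    domains = values.get("POSTFIX_STYLE_VIRTUAL_DOMAINS")
    if domains is not None and not isinstance(domains, list):
        problems.append("POSTFIX_STYLE_VIRTUAL_DOMAINS must be a list")
    elif domains is not None:
        problems += [f"POSTFIX_STYLE_VIRTUAL_DOMAINS: bad entry {d!r}" for d in domains
                     if not (isinstance(d, str) and HOST_RE.match(d))]
    return problems


def check_main_cf(text):
    """Return problems with the alias-map parameters in a Postfix main.cf fragment."""
    problems, maps = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition("=")
        if line and not line.startswith("#") and sep:
            # Postfix accepts commas and/or whitespace between map entries.
            maps[key.strip()] = re.split(r"[,\s]+", value.strip())
    for param, needed in (("virtual_alias_maps", MAILMAN_VIRTUAL),
                          ("alias_maps", MAILMAN_ALIASES)):
        entries = maps.get(param)
        if entries is None:
            problems.append(f"{param} is not set")
            continue
        if needed not in entries:
            problems.append(f"{param} does not include {needed}")
        problems += [f"{param}: {e} points at the old /usr/share/mailman location"
                     for e in entries if e.startswith("hash:/usr/share/mailman/")]
    return problems


# Constructed samples: a clean pair, and a pair with the pitfalls the post describes.
GOOD_MM_CFG = """\
##################################################
# Put your site-specific settings below this line.
MTA = 'Postfix'
DEFAULT_EMAIL_HOST = 'mail.example.test'
DEFAULT_URL_HOST = 'mail.example.test'
POSTFIX_STYLE_VIRTUAL_DOMAINS = [ 'lists.example.test', 'lists.example.org' ]
"""
BAD_MM_CFG = """\
MTA = 'Postfix'
DEFAULT_EMAIL_HOST = '<mail.example.test>'
DEFAULT_URL_HOST = \u2018mail.example.test\u2019
POSTFIX_STYLE_VIRTUAL_DOMAINS = [ 'lists.example.test', 'lists.example.org' ]
"""
GOOD_MAIN_CF = """\
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users,hash:/usr/local/mailman/data/virtual-mailman
alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
"""
BAD_MAIN_CF = """\
virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users
alias_maps = hash:/etc/aliases,hash:/usr/share/mailman/data/aliases
"""

if __name__ == "__main__":
    for label, result in (("mm_cfg", check_mm_cfg(BAD_MM_CFG)),
                          ("main.cf", check_main_cf(BAD_MAIN_CF))):
        print(label, "->", result or "clean")
```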



Update, late 2013:  Preparing for the NEXT upgrade — the road to Mavericks

I’ve started a thread over on the Apple Support Community to see if there are any impacts to these additions with an in-place upgrade to Mavericks.  It took me a really long time to get from Snow Leopard to Mountain Lion (my attempt to get to Lion never succeeded).  I’m hoping that the road won’t be quite as bumpy this time, but we’ll see.  Here’s a link to the thread.

So far it looks like Roundcube may need to be updated, although the update looks pretty cool.  One of the appealing things is that address books may be available in the Roundcube environment.  That alone makes it intriguing.

DSSA — DNS Security and Stability Analysis working group

I’ve been spending a fair amount of time working on an ICANN cross-constituency working group that’s taking a look at the risks to the DNS.  Our gang just posted a major report today and I thought I’d splash this up here so I can brag about our work on Twitter and Facebook.

That first picture is a summary of the methodology we built (we had to build a lot of stuff in order to get our work done).  It’s basically a huge compound sentence that you read from left to right in order to assess risk.  By the way, click on the pictures if they’re too small/fuzzy to read.

This second picture shows where we, the DSSA gang might fit in a much larger DNS security context.  We also had a lot of stuff to puzzle through about where we “fit” in the larger DNS security landscape.

And that last picture is a super high-level summary of what we found.  There’s lots more ideas and pictures in our report — but these three give you kindof a taste of what we’ve been working on.  I think it’s darn nifty.

If you’re interested in the whole scoop, head over to the DSSA web site.  You’ll find links to the full report, a cool Excel worksheet that crams the whole methodology on to one page (complete with scoring) and more.



Grinnell Reunion 2012 — a life of happy accidents

I gave a talk at my Grinnell College reunion last weekend and decided to build this post to share a bunch of links to things that I talked about.  This ain’t a’gonna make any sense to the rest of you.  But the stuff is interesting.  🙂

This is a story of rivers of geeks.  I described the rivers that I swam in during my career, but these are by no means all of the species of geeks that ultimately built the Internet.  I was lucky to be a part of a gang of 10’s maybe 100’s of thousands of geeks that came together in the giant happy accident that resulted in this cool thing that we all use today.  But don’t be confused — it was a complete accident, at least for me and probably for all of us.  Here’s a diagram…


The opening “bookend” of the talk was to introduce the idea of “retrospective sense-making,” which I first learned about from Karl Weick when I was getting my MBA at the Cornell business school.

I talked a little bit about what it was like as an Asperger guy showing up at Grinnell in the fall of 1968 — when everything was changing.  We Asperger folks have a pretty rough time dealing with changes.  Several people spoke with me about this part of the talk later in the weekend.  The really-short version of my reply was “just give us more runway.”  Many of the geeks that built the Internet are Asperger folks.

Another giant gaggle of geeks is the “community radio” gang that I was part of.  That part of the talk opened with a discussion of Lorenzo Milam, one of the folks who inspired many of us community-radio organizers to go out and do ridiculous impossible things.

  • These days Lorenzo hangs out at Mho and Mho Works (and Ralph Magazine)
  • He put the word “sex” in the title of his handbook about starting a community radio station, Sex and Broadcasting, just to get your attention and this was the book that got a lot of us going

Which led into a discussion of my involvement with the community radio movement — Tom Thomas, Terry Clifford and Bill Thomas are all still very much involved in public and community radio these days.

Then there was a musical interlude (you cannot believe how much the music went off the rails — almost all the technology failed — oh well).

The next series of accidents revolved around the “learn my chops in brand-name consulting organizations” part of the saga.  Another of the rivers of geeks — many people of the Internet construction workers came from big firms like Arthur Andersen and Coopers and Lybrand, the two places I worked.  Probably the biggest things I learned there were Structured Programming and project management.  And this…

The next accidents ran this Forrest Gump type guy through a couple of now long-dead mainframe companies, another BIG source of internet-building geeks.  First ETA Systems, the hapless wannabe competitor to Cray.  Then Control Data, where I learned how to do mass layoffs in an imploding manufacturing company.  Ugh.

I was an early personal computer enthusiast as were almost all Internet geeks.  I live in the Midwest, so I missed out on the Homebrew Computer Club in Silicon Valley.  Dang.  But relatively cheap modems showed up about that time which led to the rise of the Bulletin Board System (BBS) movement which provided the gathering places for a lot of us Internet geeks. Boardwatch Magazine, published by Jack Rickard, was the glue that held us together — Jack inspired me much the same way that Lorenzo Milam did.  The arrival of FidoNet allowed email to flow beyond the local boundaries of a BBS and brought a lot of us geeks together for the first time.

Another giant pile of Internet geeks came from the ham radio movement.  My call is KZ0C and I’m completely lame — I hardly do anything ham radio related these days.  But a whole giant tradition of “makers” comes out of that gang.  We hams were darn early adopters of the packet networking protocols that underpin the Internet.  We turned that stuff into packet radio.

So there’s the list of pre-Internet geek communities that I was a part of in one way or another.  No wonder some of my friends call me a Forrest Gump of Internet technology.  So what happened next?  This is what happened next…


That’s a picture of the first four-node ARPANET network in the late 60’s.  The network grew slowly over the next couple decades and by the mid-80’s had been opened up to include institutions of higher education.  I worked at the University of Minnesota which, when I was there, was home to the Gopher protocol and the POP3 email protocol — another great gaggle of geeks.  I was a Dreaded Administrator, there to fix a financial system problem, but I loved those geeks ’cause they were the ones that turned me on to the Internet.

The next kind of geeks that still play a huge role in the Internet are the folks that work at Internet Service Providers (ISPs).  Ralph Jenson and I started an ISP in my basement and called it  That project grew into an amazing gang that eventually got rolled up as the ISP market consolidated in the late 90’s and thereafter.  Lots of the geeks I’ve described in this post were involved in starting those early pioneering ISPs — what a time…

The last geek that I mentioned in my talk is Hubert Alyea, the role-model for the Disney films about the Absent Minded Professor.  Professor Alyea was another great Asperger geek who was quite emphatic in telling me about lucky accidents, great discoveries and the prepared mind.  Click HERE to see movies of some of his lectures on Youtube — they’re astounding.

What are Mike and Marcie obsessing about now?

The rest of this post is a series of links to projects that I mentioned during the talk.

The final thing I need to throw into this post is three little graphs I made up to describe the half life of knowledge — in which I choose to view the glass as half full.  As the half-life shortens, it takes less and less time to become an expert!








Adding capabilities to Mac OS X Lion Server


I never converted to Lion Server.  You can sortof see things unraveling in the middle of this post.  I’m taking another run at it now that Mountain Lion Server (now renamed back to OSX Server) is getting stable.  I sympathize with what Apple is trying to do.  If you’re kindof the power user in the office, the newer version of Server is much better for you.  But for those of us who were using the server to do slightly more complicated stuff, it’s been a long hard road.

I’ll write another post pretty soon that summarizes how I put stuff back into Mountain Lion Server.  It’s still not easy, but it’s going better — at least so far.  For now, just ignore the rest of this post.  It’s out of date, and it didn’t result in a working server.



This is another “scratchpad” post as I make the transition from Snow Leopard to Lion on my little family cloud server.  Here’s why the struggle is worth it for me:

  • Staying with the current release means Apple is updating my platform, which in turn means…
  • Better security/stability
  • Better compatibility with the iGadgets
  • Ease of use

The design philosophy for Server changed just a bit from Snow Leopard to Lion.  Lion Server is built on pretty much the same foundation, but the user interface has been dramatically thinned out with the aim of making Server something that regular people could use.  I get that, and think it’s a rational decision by Apple.  I was astounded to learn, however, that I’m in the “advanced user” category and lost some capabilities when this happened.  Who’da thunk it??  🙂

So I’ve got to go looking for ways to “put back” some of the things I use the server for.  My goal is to either find work-arounds within Lion Server or find bits and pieces of software that I can run on top of Lion to do those things.

This post will be the place where I post my findings — both about installing and configuring Lion, and solving the little work-around problems.  Should be fun.

Installation puzzlers

Running Lion in a VMWare virtual machine

Turns out that VMWare 4 brought in support for running instances of Lion in a virtual machine.  Kewl!  So I ran off and bought Lion Onna Stick (USB flash drive) from Apple, plugged it into my MacBook Pro, pointed VMWare Fusion at it, accepted the defaults, took a nap and when I came back I had me a Lion machine running on top of Snow Leopard.  Things to do differently from just accepting defaults:

  • Give the VM at least two cores in the CPU (runs a lot better — I may bump it to four the next time around).  Once Server is installed, my little Lion VM runs just dandy on the 2009 MacBook Pro — consumes about 5% of the CPU when idle.  Sweet.
  • When building Lion (not server, just Lion) pick a user/computer name that’s not a real personal type name — I ran into conflicts with my personal name in Open Directory because I’d already used it for the core Lion account.
  • Pay attention to networking — you’ll be using the Ethernet adapter a lot more rigorously than the default NAT configuration in VMWare — I set mine to go directly to the gateway router rather than using the default virtual-NAT.
  • Since we’re configuring the basis for a server here (especially if you want it to run Open Directory), this is the best time to get the DNS stuff sorted out.  I waited until later the first few times and the Server install vacuumed up a bunch of wrong-settings as a result.  I think I’ll do a little “Networking and DNS” section about all that.  Open Directory’s auto-configuration/startup process will break badly if DNS isn’t set up right.  I never figured out how to fix it after the fact — clean install with proper DNS was my path to success.
  • Take lots of snapshots of the VM.  The basic Lion install was pretty clean (except for the wrong-DNS stuff, see below), but I had to fall back to it several times before I got Server settled in properly (especially Open Directory).  The nice thing is that the App Store was quite happy to let me re-download the Server stuff and re-install it once I’d bought it.  I don’t know if there’s a limit, but I’ve re-installed Server on top of my clean Lion at least five times so far.  The word “Doh!” covers the reasons-why pretty well.

Networking and DNS for Lion Server

One of the things that really caught me was installing Lion Server behind an at-home gateway router.  In the past I’ve always been using a data-center router as the gateway and DNS was a no-brainer — just set up an A Record pointing at the server in DNS and go.  But home routers have a different job to do and those differences got pulled into the configuration of the server in ways that I wasn’t expecting.  Here are lessons-learned.

  • I’d never paid attention to the network name of my home router because in normal circumstances it doesn’t matter.  But since I am now using it as a gateway out to the “real” internet, it does.
  • My router thought it was in the “lan” domain — which is fine for a NAT-providing home router.  The trouble came when Lion Server pulled that domain into the name of the server when it talked to Lion during install.  Lion had in turn pulled in that “lan” domain through DHCP during install and built the computer-name with it (Mikes-Mac.lan or somesuch).  Again, this normally doesn’t matter, but that’s not a good name for a machine that is going to be put out on the public Internet.
  • My solution was to pound the real domain into the home router ( in my case) before building Lion (yes Lion — don’t wait for the Server install — many headaches avoided).  That way all the computer-name bits and bobbins will have a real internet-routeable name instead of a non-routeable name.

Replacing Functionality

The good news about Lion Server is that it’s built on the same platform as all the earlier versions of Server.  The bad news is that the user interface has been redesigned with a different user in mind.  Not complaining, I get why they did this and it makes sense to me.  But I need to hunt around a bit to “add back” some of the tools that disappeared.  Here’s where I’ll take notes about that — my first pass will be based on scouring the Apple discussion-list for Lion Server and then I’ll see where I go from there.

Mail — Mail-forwarding and email-group accounts

My use of the mail server is pretty standard, but I have a few accounts which forward mail to a different address (mostly family members that retrieve their mail from their ISP’s server but want a consistent email address, or multiple people instead of just one).  I used the “Mail” tab in Workgroup Manager to do this on Snow Leopard, but that tab is missing in the Lion version of Workgroup Manager.

  • In Lion — build a filter using the webmail interface.  Once the account has been set up in the Workgroup Manager, log into the account with webmail and add filters that redirect messages to the downstream addresses.  One filter per address (rather than multiple addresses, separated by commas).  There’s a limit of 4 destinations per account, which is fine for me — most of mine are single destination forwarding accounts.  There’s a hack to expand that 4-destination limitation but I haven’t had to use it.

Mail — Hosting multiple domains for email

I use several domains for email.  Under Snow Leopard I would add them as either Local Host Aliases or Virtual Domains in the Mail/Advanced/Hosting tab of Server Admin.  Doh!  They’re still there in the new version.  I was looking at Server rather than Server Admin.  Silly me.

Mail — Email aliases

These work the same as before — Workgroup Manager.

Web — SSL on sites

Initial post:

SSL encryption is pretty important to me, especially on web-based versions of wiki, mail, calendar, contacts, etc.  Don’t want people logging into those over an unencrypted connection, thank you very much.  So we gotta turn SSL on for some sites, but not all.

Argh.  I struggled with this for far too long.  Did all kinds of fooling around with the files in the Apache “sites” folder, only to watch them get overwritten by Server each time I restarted it.  Worked all the way into the “readme” file in the Apache folder, on and on.  Terrible pain in the neck.  Nothing worked.

Then I discovered the “Help” system in the Server app (not Server Admin, although the help system is fine there too).  SSL for virtual sites is done in a different place.  Which Help told me.  Bah.  Went to the “Hardware/Server/Settings/SSL Certificate/Edit” menu, picked a certificate for the virtual site (and maybe restarted the web service) and it was set.  Does exactly the right thing too — when somebody goes to an SSL-enabled virtual site, they’re automatically redirected to the SSL version.


Unfortunately, this returns to the “open issue, broken” status.  I’ve managed to wedge the Server app so that there are two states:

  • State 1 — everything turned off in the Server app, including “web”
    • httpd daemon is running (sites respond to external requests, but with the /var/empty folder)
    • no functionality
    • relatively quiet logs (sample: Jan  9 01:05:32–Jan  9 05:05:31)
    • something odd going on with MySQL (probably unrelated):

    Jan  9 01:06:29 server SubmitDiagInfo[4016]: Submitted shutdown stall report: file://localhost/Library/Logs/DiagnosticReports/ipfwloggerd,mysqld,sh_2012-01-01-080056_localhost.shutdownStall

    • something odd going on with xscertd (once an hour):

    1/9/12 6:05:24.632 AM sandboxd: ([6369]) xscertd(6369) deny job-creation

  • State 2 — “web” turned on, but NO SSL certificates assigned
    • httpd daemon is running (sites respond to external requests, but with the /var/empty folder)
    • no functionality
    • quiet logs — check the logs around 6:52:28 AM for startup messages.  Here are the interesting ones:

    1/9/12 6:52:28.713 AM xscertd: Starting xscertd/1.0.0 (MacOS X Server)
    1/9/12 6:52:28.721 AM sandboxd: ([6723]) xscertd(6723) deny job-creation
    1/9/12 6:52:31.176 AM servermgrd: servermgr_web: waiting for pid, file /private/var/run/
    1/9/12 6:52:37.981 AM setupThread failed rcode=-2147418111

  • State 3 — “web” turned on AND an SSL certificate is assigned
    • httpd daemon is NOT running (browser returns “problem loading page” and “unable to connect” errors)
    • To get to this state: 1) shut down “web” in the Server app at 7:00:08; 2) assign the cert at 7:01:16; 3) restart “web” at 7:03:46; 4) shut off “web” again at 7:29:19; 5) remove the cert at 7:30:43
    • Here’s an extract of the interesting log messages.

    Shut down “web” in the Server app at 7:00:08:

    Jan  9 07:00:08 server sandboxd[6807] ([6806]): xscertd(6806) deny job-creation
    Jan  9 07:00:09 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 80
    Jan  9 07:00:11 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:00:12 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 80
    Jan  9 07:01:10 server CoreCollaborationServer[6852]: [main.m:103 40a280 +0ms] HTTP server listening at loopback:4444
    Jan  9 07:01:10 server[6852]: Jan  9 07:01:10 CoreCollaborationServer[6852] <Warning>: [main.m:103 40a280 +0ms] HTTP server listening at loopback:4444
    Jan  9 07:01:10 server[1] ([6852]): Tried to setup shared memory more than once
    Jan  9 07:01:10 server wikiadmin[6858]: Updating schema…
    Jan  9 07:01:10 server[6852]: 2012-01-09 07:01:10.231 wikiadmin[6858:307] Updating schema…
    Jan  9 07:01:10 server wikiadmin[6858]: Schema updates completed.
    Jan  9 07:01:10 server[6852]: 2012-01-09 07:01:10.235 wikiadmin[6858:307] Schema updates completed.
    Jan  9 07:01:15 server servermgrd[808]: servermgr_notification[I]: External configuration change detected, re-loading: c2s.xml
    Jan  9 07:01:15 server servermgrd[808]: servermgr_notification[I]: External configuration change detected, re-loading:
    Jan  9 07:01:17 server[1] (org.apache.httpd[6892]): Exited with code: 1
    Jan  9 07:01:17 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
    Jan  9 07:01:17 server servermgrd[808]: servermgr_notification[N]: jabberd service startup completed.
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57627] connect
    Jan  9 07:01:18 server[6901]: http server appears to have started
    Jan  9 07:01:18 server[6901]: Connected to XMPP server
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57627] authenticated as
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [] online (bound to, port 57627)
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57628] connect
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [, port=57628] authenticated as
    Jan  9 07:01:18 server jabberd_notification/router[6886]: [] online (bound to, port 57628)

    Restart “web” at 7:03:46:

    Jan  9 07:03:09 server xscertd-helper[6808]: idle timer triggered, exiting
    Jan  9 07:03:46 server servermgrd[808]: servermgr_web: enabling
    Jan  9 07:03:48 server sandboxd[6979] ([6978]): xscertd(6978) deny job-creation
    Jan  9 07:03:49 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
    Jan  9 07:03:50 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:03:55: — last message repeated 3 times —
    Jan  9 07:03:55 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
    Jan  9 07:03:55 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid file
    Jan  9 07:07:25 server xscertd-helper[6980]: idle timer triggered, exiting

    Shut off “web” again at 7:29:19:

    Jan  9 07:29:19 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
    Jan  9 07:29:20 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:29:20 server[1] (org.apache.httpd[7792]): Exited with code: 1
    Jan  9 07:29:20 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
    Jan  9 07:29:21 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:29:25: — last message repeated 3 times —
    Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
    Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid file

    Removed the cert at 7:30:43:

    Jan  9 07:29:19 server servermgrd[808]: servermgr_web: Disabling port forwarding for port 443
    Jan  9 07:29:20 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:29:20 server[1] (org.apache.httpd[7792]): Exited with code: 1
    Jan  9 07:29:20 server[1] (org.apache.httpd): Throttling respawn: Will start in 10 seconds
    Jan  9 07:29:21 server servermgrd[808]: servermgr_web: waiting for pid, file /private/var/run/
    Jan  9 07:29:25: — last message repeated 3 times —
    Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Enabling port forwarding for port 443
    Jan  9 07:29:25 server servermgrd[808]: servermgr_web: Cannot confirm Apache was started; missing or invalid pid file

UPDATE 12-Jan:

The road to recovery.  I spoke with Apple Support and worked my way up to a Tier-2 support person who helped me out a lot.  He gave me a bunch of great pointers which I’ll post here as I use them.  He was very careful to point out that some of this is for experienced folks only, your mileage may vary, if you break it you bought it and some of this may result in something that’s so broken that it falls outside the normal free telephone support.  Be careful!

The problem seems to be caused by the way I set the server up.  Y’see, I built the server at the farm and then moved it to the data center.  So the IP address changed.  That IP address gets “baked in” to a bunch of things, and especially the SSL certificate that gets created when the server is first configured.  Moving the server to a new IP-address puts it out of sync with the information in the certificate and that’s very likely what’s causing the problem.

Step 1 — Set the Web server back to defaults.

Here’s a link to the page in the Advanced Administration guide for Lion Server —

My sequence of steps was this:

  • Toggled off all the services in the Server application and turned off the SSL cert
  • Run “sudo serveradmin command web:command=restoreFactorySettings” (omit the quotes) repeatedly while at the same time watching the logs in Server.  The command failed several times because it couldn’t find copies of various default versions of config files in the /var/apache2/sites/ folder.  Fortunately, I have backup copies of those files so I just replaced them one at a time until the command ran to the end successfully.

Step 2 — Create a new SSL cert

  • Created a new SSL certificate in the Server application (Hardware/YourServerName/Settings/”Edit” SSL certificate/select the “gears” dropdown/select “manage certificates”/click the “+” button to add a new certificate/select “create a certificate identity”/accept the defaults/)

Step 3 — Cycle the server and cross fingers

  • Rebooted the server
  • Waited for the logs to quiet down
  • Started the Web service and watched it create its config files in the apache2/sites folder — logs were still quiet
  • Assigned the newly-created SSL cert (I wish I could delete the old one but I can’t) — logs are still quiet
  • Turned on the Wiki service — logs are still quiet
  • So far so good!  I think I’ll leave things like this for a while before adding back the other services and the custom web sites.  More updates to follow.

Web — MySQL

Lion switched from MySQL to PostgreSQL (rumbles of ORACLE lawsuits no doubt) so I’ve got to start running a “real” version of MySQL so that all the little WordPress sites continue to function.

  • Hm.  MySQL only supports OS X through Snow Leopard — looks like we’re kinda out here on our own.  <shrug, what could go wrong?>
  • Downloads are here  – (roll down to the DMG file — way easier install)
  • Installation instructions are here –
  • Documentation is here – (haven’t used it yet)
  • PHP needs to be tweaked – (I only did the “change-sockets to /tmp/mysql.sock” thingy)
  • Installed Sequel Pro ( and tested the installation by creating and dropping a database.

Web – loading up a WordPress site

Let’s see how much of the Lion stuff I can use…

  • Point a domain at the server (an A record in DNS)
  • Create a new site in the Server app (using the same domain name)
  • Copy in WordPress files (download them from
  • Give ownership to the _www user (cd into the folder *above* the site’s folder and type “sudo chown _www your-site’s-foldername” in Terminal)
  • Transmit ownership to all files in the folder (Finder/Get info/Unlock/Permissions/Apply to enclosed items)
  • Create a database (I use Sequel Pro — create an empty database and a user that has full rights to the database)
  • Create the wp-config.php that points at the database

Web — point multiple URLs at the same site

I don’t do this often, but sometimes I point more than one variant of a domain at a site.

  • Lion way — create an additional site in the Server app — new URL, pointed at the same content directory as the first site.  Works fine.  Oops…  things get sticky when doing this — I wound up with a bunch of Apache site configuration files, and thus the opportunity for conflicts.  Better way…
  • Set the site up in the Server app with *just* the domain name (leave the “www” variant for the next step)
  • Edit the site configuration (file /etc/apache2/sites/ip-address-stuff_port-number_domain-name.conf) and add ServerAlias records at the very bottom of the file, just before the closing </VirtualHost> entry.
  • Like this (one ServerAlias line per additional hostname):

ServerAlias
ServerAlias
ServerAlias

  • Restart the web server (and clear the browser cache) to check

Web — redirects

I like to throw redirects into sites from time to time.  In Snow Leopard, this was easily done through Server Administrator but that’s gone in Lion.  Adding them into the Apache files isn’t too bad though.  Here’s how.

  • Open the site file (etc/apache2/sites/ip-address-stuff_port-number_domain-name.conf — I like the TextWrangler editor for this kind of stuff)
  • Insert a section that looks like this (I lifted this from my site file on the Snow Leopard server and stuck it into my test site):

<IfModule mod_alias.c>
# Redirect temp "/old-path" "destination-URL"
Redirect temp "/rss.xml" ""
</IfModule>

  • Only need one set of bracketed “IfModule” statements, and stick in as many “Redirect temp” statements as needed.
  • I’ll probably just copy these sections over from their files on the Snow Leopard server and see how they work out.
  • Restart the web server (toggle Web off and back on in the Server app)

Web — separate log files

Some of my domains get a lot of traffic and it’s handy to be able to strain out their stuff into a separate log file.  Not a show-stopper but handy.  Once again, the site files in Apache seem to be the place to do this.

  • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
  • Change the CustomLog and ErrorLog statements to point at a unique file rather than the default
  • Restart the web server
  • Check to make sure things are working by looking in var/log/apache2 for the new files after the restart
  • Best to open the log files with the Console app — lots easier to read the files (and get real-time updates)

Web — rotate log files

I like to have the log files break themselves up into weekly chunks so I can go clear out the old ones every once in a while.  In Snow Leopard, this was easy — just tick the little box and it did it.  Lion makes me work harder.

  • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
  • Change the CustomLog from this:

CustomLog "/var/log/apache2/example_access_log"

  • To this:

CustomLog '|/usr/sbin/rotatelogs "/var/log/apache2/example_access_log" 604800 -360' "%h %l %u %t \"%r\" %>s %b"

  • Change the ErrorLog from this:

ErrorLog "/var/log/apache2/example_error_log"

  • To this:

ErrorLog '|/usr/sbin/rotatelogs "/var/log/apache2/example_error_log" 604800 -360'

One wonders if making these changes to the default version of the configuration file would drive this stuff in automagically.  Might just research that some day.

Web — permalinks in WordPress sites

WordPress has the ability to change the format of the URLs for posts and pages from the ugly PHP link to a prettier “permalink” structure.  Apache needed to be tweaked in Snow Leopard to make this work right, and it still does in Lion.  Here’s how.

  • The /etc/apache2/httpd.conf file needs to be changed (only once, the first time through) so that the “AllowOverride” statement in the “/Library/WebServer/Documents/” section reads “AllowOverride All” (there are several AllowOverride statements in httpd.conf — pay attention to which one is being changed).  Note: I’m not sure this step is really required — my testing was a little horked up and I’m too lazy to repeat it to verify
  • Open the site file (etc/apache2/sites/ip-address_port-number_domain-name.conf)
  • Change the statement “AllowOverride None” to “AllowOverride All” in the “Directory” section
  • Create a .htaccess file in the site directory (use Terminal, cd to the site directory, “sudo touch .htaccess”)
  • Change ownership of the .htaccess file to the “_www” user (“sudo chown _www .htaccess”) — this lets WordPress modify the .htaccess file with the permalink rules.
  • Restart the web service in the Server app
  • When all else fails (I had a heck of a time getting the server to write the .htaccess file correctly — although restarting Finder [Apple-menu/Force-quit…/Finder/Restart] may have cured that problem) I manually edit the .htaccess file.   Here’s the code that needs to be in it:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
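
Pulling the hand edits from the “point multiple URLs at the same site”, “redirects”, “separate log files”, “rotate log files” and “permalinks” sections together, here is a complete site file as an added example.  It is my illustration, not a file from this post or one generated by Lion Server, and every hostname, path and URL in it is a placeholder; the site directory under /Library/Server/Web/Data/Sites/ is an assumption as well.  In the rotatelogs arguments, 604800 is the rotation interval in seconds (seven days) and -360 is the offset from UTC in minutes (UTC-6, i.e. Central Standard Time); because the log names contain no strftime % patterns, rotatelogs appends the rotation time in seconds to each file it creates.

```apache
# Added example: a hand-edited Lion Server site file (not taken from the post).
# Every hostname, path and URL below is a placeholder.
<VirtualHost *:80>
    ServerName example.com
    # "point multiple URLs at the same site": one ServerAlias per extra hostname
    ServerAlias www.example.com
    ServerAlias example.net
    ServerAlias www.example.net

    # Assumed Lion Server site location
    DocumentRoot "/Library/Server/Web/Data/Sites/example.com"

    # "separate log files" + "rotate log files": per-site logs piped through
    # rotatelogs; 604800 s = 7 days, -360 = minutes from UTC (UTC-6).
    # With no % pattern in the name, rotatelogs appends the rotation time
    # in seconds to the file name.
    ErrorLog "|/usr/sbin/rotatelogs /var/log/apache2/example_error_log 604800 -360"
    CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/example_access_log 604800 -360" "%h %l %u %t \"%r\" %>s %b"

    # "redirects": one <IfModule> block, as many Redirect lines as needed.
    # "temp" answers with a 302; "permanent" answers with a 301 once the move is final.
    <IfModule mod_alias.c>
        Redirect temp "/rss.xml" "http://example.com/feed/"
        Redirect temp "/old-page.html" "http://example.com/new-page/"
    </IfModule>

    # "permalinks": AllowOverride All lets the WordPress .htaccess
    # (the mod_rewrite block shown above) take effect in this directory.
    <Directory "/Library/Server/Web/Data/Sites/example.com">
        Options FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The Directory block uses the Apache 2.2 access syntax (Order/Allow) that Lion ships.  Since the Server app regenerates these site files (the SSL section above describes them being overwritten on restart), keep a copy of any hand-edited file so the changes can be put back; having such copies is also what let the restoreFactorySettings step run to completion.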


Well, none of this is real tough — so I think I’m about ready to start moving stuff over to the Lion environment.  I’ll probably wind up running it under a virtual machine until I’ve converted everything.  Then I’ll explore moving it out of the virtual machine back into a native Lion install on my tiny little server.  Or maybe not.  That’s for another day.

Online privacy tips

UPDATE March 2018: I just realized that I neglected to change this post to reflect my views about Facebook privacy.  Admonishment: delete the Facebook app on your phone – now.  Tip: turn off their apps, websites and plugins “platform” in their “Apps” settings section.  Don’t forget to use the tools listed below to block their pesky “share on Facebook” beacons and trackers on web sites — that’s how they collect personal data on people who aren’t Facebook subscribers.

UPDATE March 2016: This post was written in 2011, a more innocent time pre-Snowden.  I still run all this stuff, but recognize that these things won’t protect you from all the NSA attacks that have been revealed since then.  I’ve also added a broader workstation-security checklist at the very bottom of this post.

A friend asked Marcie about reducing her exposure to ads on Facebook and I decided to write up the answer as a blog post so it would be easy to send to others (and update with new stuff). So here is a list of stuff that I do — your mileage may vary.

I use Firefox as my primary web browser (and keep it up to date), mostly so I can add a gaggle of plug-ins.  Some of these are now available for Safari too.  Here’s the list (installing the first three will provide most of the benefit).

  • 1Password — a great way to manage a bajillion really-strong passwords on web pages, but costs (a little) money
  • NoScript — allows you to choose which pages you trust, and blocks Javascript on all the rest
  • Redmorph — my newest blocker, liking it so far [March 2018]
  • Privacy Badger — a good all-in-one blocker from EFF
  • BetterPrivacy — gets rid of “persistent” cookies that are used by lots of big companies (Google, Yahoo, etc) to track your behavior on the ‘net
  • Ghostery — same sort of thing that BetterPrivacy does, but gets rid of trackers that aren’t cookies
  • Adblock Plus — a plugin which, once you’ve subscribed to the EasyList USA filter, gets rid of all the ads on web pages
  • ShareMeNot — stops those Facebook/Twitter/etc. “sharing” buttons from sharing stuff until you click them
  • Web of Trust — take advantage of their huge database of “safe” and “unsafe” sites built by other Web of Trust users — like me.
  • HTTPS Everywhere — a project of the EFF to redirect to the SSL-encrypted (HTTPS) version of popular web sites

I also have peculiar web-browser habits to further reduce the risk that corporations (or other bad-guys) are tracking me

  • I don’t log into any of the “big data” services (like Google, Yahoo, etc.) unless I absolutely have to and I log out when I’m done.  They track what you do while you’re logged in.  I just did a “What if Google Turns Evil?” podcast if you want to learn more about why I avoid Google services these days.  UPDATE: See the “Divorcing Google” section below.
  • I don’t permit the web browser to “remember” any passwords — I use 1Password for that
  • I disable the “browsing history” feature, so the browser doesn’t remember where I’ve been in the past
  • I disable the “search” and “form” history features too
  • I allow the browser to “accept cookies” and “accept 3rd-party cookies” but I only keep them until I close Firefox, then all cookies are deleted
  • I have the browser open a blank page when it launches (just about every site plants a cookie when you arrive)
  • I disable Google and Yahoo in the “search” choices (they plant cookies when the browser starts)
  • I avoid putting cookie-planting sites (Google, Facebook, etc.) in the shortcuts bar (they plant cookies when the browser starts)
  • I elect to clear history when Firefox closes
  • I close and restart Firefox several times a day, especially after logging into Google, Yahoo, Facebook, etc.
  • I use the ICSI Netalyzr to check my DNS service-provider to see if they’re intercepting/redirecting some of my traffic (also good for all sorts of performance-improving stuff like identifying “buffer bloat”)

Facebook — DO NOT use their smartphone app.  If you have it, delete it.  It’s capturing all kinds of data about your phone calls and text messages on that phone.  I deleted that app almost immediately and have for years only used Facebook on my computer (and thus subject to all of the tips I’ve listed above).  Here are things you can do in your Facebook account.  As of this writing, these can be found in the “Privacy Settings” part of the “Account” menu — but they change things all the time, so look carefully.

  • I periodically run the “Scan for privacy” tool from
  • I’m pretty liberal with what people can see, but very conservative with what they can share about me with other people
  • I’m very aggressive in blocking applications — I try hard not to sign up for any applications and block them when they appear in my news feed.  UPDATE 2018: this is easier now — turn off the Facebook “platform” in Settings/Apps.
  • I am pretty aggressive about blocking “bozos” in my news feed.  I don’t unfriend them, I just block their inane posts.

Divorcing Google.  Inspired by this post about “Divorcing Google”, I decided to describe my replacements for all things Google — they’re very similar to his.  I too have pretty much completely weaned myself from Google, for the same reasons.  Here’s my “replacements” list.

  • Search — DuckDuckGo SSL
  • Mail/contacts/calendar — I run my own servers for these.  It’s a hassle but worth it to me.
  • Maps — Apple Maps
  • File storage — Dropbox

Broader topic: workstation security.  Tip of the hat to John Hoffoss for this link to a terrific workstation security checklist.

There.  That’s my list.

Fiber to the farm

Hooray!  Our local phone company, good old Nelson Telephone Cooperative, is plowing fiber into our house at the farm over the next few weeks!  You haven’t lived until you’ve seen me, an aging 60 year old geek, doing cartwheels in anticipation.  So here’s a post to document the process as it unfolds.

It started with this hint — marking up Highway 88 to show where the fiber leaves the right of way and heads over the wetland on its way to the house (no, that white building isn’t the house…).

Dale Goss of Nelson Telephone and Bob Travis of Finley Engineering came by this morning and took a look at the path the fiber will take from the road across the wetland.  We were a little worried, ’cause when they plowed in the phone line they had a pretty rough time getting across the sedge meadow that’s right behind them.  But this time we’ve plotted a course that will bypass that stuff — all smiles.  Thanks guys!

Cones in a high-traffic zone


I gave the guy marking out the electric-wires a hard time about putting his cones out — he’s the only vehicle that’s been down our driveway THIS WEEK.  🙂


The plow is here!


The plow is coming!  The plow is coming!  This gizmo turned up at our neighbor Emmit’s place, just up the road.  I’m so excited I did my first-ever McPlank to celebrate.



Here’s a video of the Day of the Plough.  It compresses a 10-hour day into 4 minutes.  The lads did great — they avoided all the places we were worried about and only got a little bit stuck in the mud.  Way to go!

Domain-names — Develop? Park? Sit tight?

Photographer: Gregory Szarkiewicz

I have a gaggle of terrific domain names (,,, etc.) that I’ve had Since The Beginning.  Over the years I’ve pondered what to do with them and always come back to “sit tight” as my strategy.  I saw a great article today that lays out the reasons why.  Here’s the link:

Whit Diffie is the new VP of info-security and cryptography at ICANN! Kewl!

Very neat news today out of ICANN.  Whit Diffie is this monster figure in the crypto world — he’s one of the founding folks in that circle.  He worked at Sun for ages and now he’s joining ICANN.

Click HERE for the ICANN press-release.

Click HERE for a starter-page at Wikipedia.

Click HERE to watch him on an episode of Cranky Geeks (with John Dvorak) to get a feel for what he’s like in person.

I’m really glad to hear that he’s joining the ICANN gang.  It’ll give us some depth that we badly need in this area.

Why I returned my iPad after 3 hours

Actually the headline promises more than I can deliver.  I don’t really know why I returned my iPad after 3 hours.  I guess it just didn’t deliver $600+ worth of smiles.  But here are a few things that contributed to the decision…

  • I couldn’t figure out how to get my password-minding application (1Password) to work on the iPad, so the killer-long passwords I maintain were impossible to use.
  • What?  No plugins for Safari-mobile?  I saw web-page ads for the first time in 5 years.  Ugh.
  • Picture-intense web-pages like Marcie’s tour of the farm would only load about half the pictures and then would stall.  Maybe due to the WiFi problems.
  • I had a really tough time getting used to running one application at a time — it kinda took me back to my Apple II days.
  • The whole iTunes/Marketplace sandbox weirded me out.  Cory Doctorow’s piece spoke pretty loudly on this front.
  • The whole Flash thing and how it breaks so many web sites.  Aside from the conspiracy theories, here’s a Flash developer talking about why Flash is a problem on any tablet computer — the inability to mimic the “mouse over” behavior.

But mostly it just wasn’t fun.  So I returned it and took the 10% “restocking fee” haircut.  60 bux,  for 3 hours, so 20 bux an hour…

I think I’ll wait for the boatload of Android tablets that seem to be just around the corner.  Maybe they’ll make me smile more.  Take a look at this one, featured today on Engadget.  Not one but two cameras, SD slot, USB ports, etc. etc.


My goodness what a difference a year or so makes.  I now own an iPad 2, think Google is evil and completely disavow any responsibility for this article.  🙂


Consensus decision making — WORT-FM, 1975

This is a piece by Jeff Lange in Volume One, Number Three of “Spread the WORT” — the newsletter of WORT-FM (Madison, WI) just as it was going on the air in 1975.  I’ve always loved this description of the consensus decision-making process we used to run the station.  All due apologies to Pogo…

The big deal?  The sentence that really catches it for me is “we ad WORT don wanna tred up on the wee miroridy vuponts, so we jus wade undill eberyone am finely agreed.”  Still works for me today, some 35 years later.  Thanks Jeff!

Here’s my translation, since many of you aren’t native-English speakers and might find this pretty tough to read in Jeff’s native Pogo-style language.  Apologies to Jeff for any mistranslations.

Yes, it’s a curious fact, that nobody is ever able to quite explain, how decisions get made at this particular radio station.  But they do.  This is a grievous hard and ticklesum thing for newcomers to digest.  Take, for example, the familiar caller who, in a fever pitch of excitement, has phoned up the station with his or her (or “its” for that matter) idea for a program.   Rnnng.  He (let’s just say it’s a “he”) says “My dog can bark heavy metal rock ’n’ roll — can he have 5 hours on Tuesday nights?”   Well, the person at the station (say it is a person) says “Isn’t that the same thing as what’s on WBRK every night?”  The caller replies “Yes, but my dog barks badder!”  Then that, says the person, is a question for the Program Committee.

The best thing then is if the caller hangs up, thinking all is well for the Program Committee will do its duty.  But if the caller says “Oh, what’s the Program Committee?” then the person has to explain: The Program Committee are all the people that come to the Program Committee Meeting.  You can come.  So can your mother.  It’s Friday at 8pm.  No, they never vote on anything.  Voting is against the rules.  So is parliamentary procedure. They just talk about things until everyone is agreed, and that is consensus — the highest form of unanimity.

Then the caller says “oh.”

Then the person at the radio station should continue: “Yes, it’s a curious fact, but it seems to work.  So far, at least.  We at WORT don’t want to tread on the wee minority viewpoints, so we just wait until everyone is finally agreed.  Nope, it’s never failed yet…  which just goes to prove: you can make some of the decisions all of the time, and all of the decisions some of the time…”

Then the caller says, “can you put me through to the general manager?”

“No, there isn’t a general manager.  Would you like to talk to Sarah-Gene?”

“She the owner?”

“Nope.  She’s just another volunteer.”

New volunteer job — 37-word long title

I’m thinking another fold-out business card may be required:

Vice Chair of Finance and Operations (of the)
Commercial and Business Users Constituency (which is part of the)
Generic Name Supporting Organization (which is in turn part of the)
Internet Corporation for Assigned Names and Numbers

Can you see why ICANN has a bafflegab problem?

I’m quite excited about this one — it’s got lots of tasty issues and it’s the ops and finance stuff that I love to do. 

I had another fold-out business card job back in the early ’90s.  That fold-out business card read:

Temporary Interim Acting Assistant Associate
Vice President (supervising)
Administrative Information Systems
Business Operations
Quality Management
Operations Improvement (for the)
University of Minnesota

or…  Vice President of Stuff that is Busted.  This new gig is a lot less complicated than that one was.

Infrastructure security – some useful ideas

I was on a panel talking to a bunch of infrastructure-security type people yesterday and came away feeling like we didn’t deliver on our promise to provide practical hands-on stuff.  So I’m tossing a couple of PowerPoint slide decks up in this post by way of making amends.

This first one is the deck we used in Saint Paul to rally people around the “get ready for Y2K” initiative.  It’s an example of how to do a non-scary, what’s-in-it-for-me? conversation around a pretty tough topic.  Maybe some of this kind of thinking can help the security folks when they’re pitching to their customers.  Click HERE for the file (no warranties — scan it before you open it).

This next file is a huge deck I put together when I was first briefing the Big Kids at MnSCU about their enterprise security initiative.  This was the basis for selling senior management on the idea that this was a Good Thing, and it showed them how security could make them more money, make them more nimble, improve quality and, oh by the way, reduce costs.  This is an “everything including the kitchen sink” deck that might have a few ideas for people to steal.  Click HERE for the file (same warranty as above).

There.  I feel like I’ve lived up to my advance-billing now.  Hopefully some security mavens will find some useful stuff in these.