MacOS installer language setting

The other day I purchased an MBP13 from eBay. It was a great deal and it came from Italy. I should probably elaborate on this point as it was kind of unique. I live in Spain, but I’m originally from the US; as such, I prefer a US keyboard (the Spanish, or even the UK English keyboard layouts are different, trust me). Anyway, on eBay I found an MBP13 with a US keyboard layout, that was originally purchased in Japan, but was being sold by a person in Rome, Italy, coming to an American living in Barcelona, Spain… funny, no?

Anyway, I got the laptop and it was in very good shape. However, like all used pieces of software, I needed to reset it. But the installer’s language (not the OS) was in Italian.

I looked online for changing the language of MacOS and I was always directed to the System Preferences –> Language and Region –> Set to English… change, but that is AFTER you have installed the OS.

So I gave my bad Italian a try and I ended up with a bad disk partition and a bad install.


I then figured out the setting. To update the language on your installer (or BIOS, as some people referred to it), do this:

  1. Restart the machine by holding down the power button until it shuts off (around 5-10 seconds)
  2. Press the power button again
  3. Immediately after pressing the power button, hold down command and r (command + r), and just keep holding them down
  4. That will start the recovery cycle and it will try to connect to the internet. Wait for that to finish
  5. You’ll arrive at the Installer.
  6. Regardless of the language just remember to click on the second menu (not counting the Apple logo), the first option will be Change Language. Click and you are set 🙂

Do you need a US phone number even while not in the US?

If you travel a lot and/or live outside of the US and require the appearance of being in the US, then Google Voice is for you.

Google Voice is a VoIP service which works much like normal VoIP services, plus you get a pretty reliable texting service too.

You can find more information on Google Voice here. Below is a diagram to explain how the system works and how you can use it to appear as if you are calling from a US number even while traveling.

The integration of the Google Voice App is very good in Android phones. On iPhones not so. On iPhones, your integration will be more like when you are traveling, where you need to use both apps (the Google Hangouts Dialer and the Google Voice App for individual functions).

There are a bunch of really good articles on how to use Google Voice and the Google Voice dialer out there, so I will not plagiarize them. Instead here are some useful links.

Going more secure…

I have been trying to secure our digital life more and more these days. Most folks forget that until recently (think 2013, when Snowden revealed much of what we now know about various surveillance programs), most websites didn’t use HTTPS for anything other than purchases. Obviously, this has changed drastically and now you’d be hard-pressed to find a site which does not encrypt its communications with the user.

So for this reason I want to share our path towards ever more stringent security.

As a 21st century family, we make heavy use of Evernote. It’s a way to store and share information. And while communication between your device and Evernote servers is encrypted, as you know, if a bad actor got access to your device he/she would have full access to all of your data, not to mention if Evernote servers were hacked. We used to keep (yes, pretty dumb) very sensitive information in Evernote. From passports to usernames, to passwords, you name it… everything.

So yes, dumb, but tell me what other service provides you the ability to store sensitive information in a secure way and the ability to share? We could encrypt it using GPG and store and share on Evernote, but that can get complicated amongst the entire family (GrandMa included).

The solution was LastPass family service. LastPass family is basically a watered-down version of their enterprise offering. The best way to view it is as a discounted premium subscription at a cost of $0.66 per user (with a maximum of 6). For me, it’s costing me more like $1.00 per user per month because I only have 4 people in my family that can make use of it.

So why go with LastPass family vs. just LastPass premium, other than the savings (I was already paying for two premium subscriptions)? Folder sharing.

Just like Evernote, you can create a folder/notebook that you can use to share any type of data amongst users. You can share text and files (though the files need to be enclosed as part of a note, just like on Evernote) and give access permissions to various members of the “family”.

Most people are used to LastPass on their browser, as an add-on, but they also offer an application for your computer, which makes the transition much easier.

So far, what I have moved over is anything that is sensitive. Passwords were already in LastPass since a few years back, but objects like passport photos, financial information, birth certificates, etc, have been imported into LastPass family.

Setup 2FA SSH on MacOS Sierra

For some time, I have been using 2FA for most of my sensitive logins on the Internet. From Google to FB to WordPress to Git. Any login with sensitive information is set up with 2FA using FIDO U2F.

Anyway, the one setup that has been missing (don’t ask me why I had not done it sooner) was our home MacMini. Our MacMini stays on all of the time and serves as our home computer. We use it for everything, from a Plex Server to printer server, to file server, you name it.

I like to be able to access it remotely and as such I have set up SSH on it. However, until recently, it was pretty open. I looked online for support on how to set up 2FA and below are the steps I followed to get it to work:

Basic definitions

  • Server: This is the host to which you want to connect and on which you’ll be installing 2FA
  • Client: This is any host other than the server

Instructions

  1. You need to have xcode, command line tools and homebrew installed. You should do this from the
    1. Install xcode: That you need to do from the App Store. Just open the App Store,  look for xcode and install it
    2. Install command line tools:
      xcode-select --install

      That should bring up a prompt on the screen asking if you want to install command line tools. Click Install.

    3. Install homebrew:
      /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
  2. Get the latest release of Google Authenticator. Download and unzip.
  3. Build and install Google Authenticator:
    ./bootstrap.sh
    ./configure
    make
    sudo make install
  4. Update sshd to use Google Authenticator
    1. Make a copy of /etc/pam.d/sshd:
      sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.org
    2. Make a copy of /etc/ssh/sshd_config:
      sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.org
    3. Update sshd to make use of the Google Authenticator shared object (pam_google_authenticator.so):
      # This will let you edit the file
      sudo vi /etc/pam.d/sshd
      # Add this line below the "auth" section
      auth       required       /usr/local/lib/security/pam_google_authenticator.so
      # Save and exit
      :wq!
      
      
    4. Update sshd_config:
      # Open the file for edit:
      sudo vi /etc/ssh/sshd_config
      # Look for #ChallengeResponseAuthentication yes and remove the hash
      ChallengeResponseAuthentication yes
      # Save and exit
      :wq!
  5. Restart sshd for the changes to take effect:
    sudo launchctl unload  /System/Library/LaunchDaemons/ssh.plist
    sudo launchctl load  /System/Library/LaunchDaemons/ssh.plist
  6. Setup Google Authenticator for the desired user
    1. Assuming you have performed all of the actions above logged in as the desired user, just continue; otherwise exit and log in as the desired user.
    2. Setup Google Authenticator:
      # Locate the folder where you unzipped Google Authenticator and execute google-authenticator
      google-authenticator
      
      Do you want authentication tokens to be time-based (y/n) y
      https://www.google.com/chart?some-really-long-url-you-will-need-this
      Your new secret key is: ABCDEFGHIJKLMNOP 
      Your verification code is 000000
      Your emergency scratch codes are:
        00000000
        00000000
        00000000
        00000000
        00000000
      
      Do you want me to update your "/Users/<your-username>/.google_authenticator" file (y/n) y
      
      Do you want to disallow multiple uses of the same authentication
      token? This restricts you to one login about every 30s, but it increases
      your chances to notice or even prevent man-in-the-middle attacks (y/n) y
      
      By default, tokens are good for 30 seconds and in order to compensate for
      possible time-skew between the client and the server, we allow an extra
      token before and after the current time. If you experience problems with poor
      time synchronization, you can increase the window from its default
      size of 1:30min to about 4min. Do you want to do so (y/n) y
      
      If the computer that you are logging into isn't hardened against brute-force
      login attempts, you can enable rate-limiting for the authentication module.
      By default, this limits attackers to no more than 3 login attempts every 30s.
      Do you want to enable rate-limiting (y/n) y
    3. Open the long URL in a browser. This will generate a QR Code. Scan the code using your favorite Google Authenticator App. I personally like Authy as it can sync between devices.
  7. Close all open SSH connections you may have with the server.
  8. From a client ssh into the host and voila, 2FA works 😀
    client.host:~ username$ ssh username@host.to.ssh
    Password:
    Verification code:
    Last login: Thu Dec  7 16:09:24 2017 from 192.168.2.1
    host.to.ssh:~ username$
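
To check the result of steps 4 to 6 before closing your last open session, here is a small audit script (an added example, not part of the original post). The function names are hypothetical, the paths are the ones used above, and the AuthenticationMethods warning is an extra check based on how sshd handles key-based logins rather than something the post configures.

```shell
#!/bin/sh
# Added example (not from the original post): audit the files changed in steps 4-6.
# Function names are hypothetical; pass copies of the files to test safely.

# PAM: an uncommented "auth required ... pam_google_authenticator.so" line.
pam_has_totp() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^#]*pam_google_authenticator\.so' "$1"
}

# sshd keeps the first value it reads for a keyword, so print the first
# uncommented "Keyword value" line ($1 = sshd_config path, $2 = keyword).
sshd_first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Secret file: must exist with no group/other permission bits set.
secret_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = PAM file, $2 = sshd_config, $3 = secret file. Returns the failure count.
audit_2fa() {
    fails=0
    pam_has_totp "$1" || {
        echo "FAIL: no active pam_google_authenticator.so auth line in $1"
        fails=$((fails + 1)); }
    v=$(sshd_first_value "$2" ChallengeResponseAuthentication)
    [ "$v" = "yes" ] || {
        echo "FAIL: ChallengeResponseAuthentication not explicitly 'yes' in $2"
        fails=$((fails + 1)); }
    secret_is_private "$3" || {
        echo "FAIL: $3 is missing or accessible to group/other"
        fails=$((fails + 1)); }
    # Key-based logins skip the PAM auth stack, so flag configs that do not
    # pin the required methods (informational, not counted as a failure).
    m=$(sshd_first_value "$2" AuthenticationMethods)
    [ -n "$m" ] || echo "WARN: AuthenticationMethods unset; public-key logins get no code prompt"
    [ "$fails" -eq 0 ] && echo "OK: 2FA settings from the post are in place"
    return "$fails"
}

# Run against the live files only when asked: sh audit_2fa.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_2fa /etc/pam.d/sshd /etc/ssh/sshd_config "$HOME/.google_authenticator"
fi
```

Run it from the session you already have open on the server, so a FAIL can be fixed before you disconnect.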

References

The internet is nothing, if not for a bunch of really smart people that love to share their experiences and findings. I was able to get this to work thanks to these posts: