I had a nice post mostly written with a bit of Twitter bashing in it. Not because of the service’s amazing unreliability but because you can’t do a step on the internet these days without people screaming that OMG! their life is ruined because Twitter was offline for an hour. Get a phone if you need to communicate with people. Somehow I had managed to bring Mr Scoble into this thanks to this text. And, just like Twitter, I don’t think that Mr Scoble is to blame for anything. The people taking him seriously are. In fact, I had forgotten he existed before reading that text. So my theory ended up being that perhaps Mr Scoble could cure Twitter by simply not sending any messages. Sounded like a win-win situation to me. And perhaps he could even end up as a hero after this. Perhaps we’re not quite ready to give out Nobel prizes for saving web-2 sites yet, but we’ll never learn if he doesn’t try.
Then I managed to write down the good old Beatles → Oasis → Travis → Starsailor → Keane line of musical descent and dodgily compared it to the descent Speak → Phone → Instant Message → SMS → Twitter of communication, where each new member of the series requires more elaborate technology to communicate less. In fact, with Twitter we must have arrived somewhere in the inane quarters (I’m just queuing for a coffee, btw, and they’re playing an interesting CD, must remember) and – just as with Keane – the scary question is of course what will come next? [I suspect the answer should be Hot or Not, but that has been around for years and cleverly reduced user interaction to a yes/no decision, can we beat that?]
But before I could elaborate on that, I found myself in kernel panic land and my text gone. At first I hoped the chances of recovering the text weren’t too bad. After all, that study showing that RAM isn’t completely erased when a machine restarts or is shut down made the rounds recently. The question was just whether the crucial bit of RAM would be overwritten by the time I could access it. It was, which is why you have to make do with this text.
Thus, I restarted the system, taking the 1:8 (256MB:2GB) chance of OS X overwriting my text just to boot. I’m fairly sure that my machine’s memory had been shaken through well at the time of the panic (PIDs in the 40000 range, 10 days of uptime, 5GB of swap files, WTF ‽), so stuff could have been anywhere. But the next problem was to actually access that darn RAM. Let’s just say that OS X doesn’t come with a convenient way to do that and – naturally – nobody quickly replied to the question I asked on the topic on Twitter, because that might have been useful.
And the web wasn’t too useful either as most search queries with what looked like relevant terms on this issue to me returned regurgitated versions of the story of those geeks managing to read the RAM and encryption keys of a machine they quickly turned off. As web sites, and particularly computer web sites, go, not a single one of them did any original research on this or even contained any clue that the writers tried to reproduce this on their own machines. Naturally none of them contained a clue on how to read out the machine’s memory – all that while reading web pages in Safari ate up my precious RAM.
At some stage I had ‘lucky’ search terms which led me to the site of the inimitable Amit Singh – a site that from my point of view suffers from the problem many others should envy it for: it has so much good content that it’s difficult to find the bits that are relevant for you – who mentions the problem in a sidenote. To quote:
As a trivial alternative to the kernel extension described in this document, you can try using the kmem=1 boot-time argument. If your kernel supports this argument (the Apple kernels at the time of this writing do), setting it will reenable the kernel memory device.
Now I wonder how many of the people writing mouthfuls about hacking computers by reading out their RAM would know this trivial bit of information? Anyway, the upshot is that Apple decided that their users ‘don’t need’ to be able to easily access their very own machine’s very own RAM if they want to and simply turned off the /dev/mem file people know and love from other systems. But running a command like sudo nvram boot-args="kmem=1" will enable the /dev/mem file again after the next restart [and delete other settings you may have had for boot arguments].
The rest was an exercise in copying a file and looking at it. Searching for some rare words from my text (Starsailor!) in both ASCII and UTF-16 encodings didn’t find it, which as far as I can tell suggests that the text had been overwritten already. This is a good point to laud the HexFiend tool. While it could do with a better search feature (e.g. Unicode Text Entry, NSStrings love UTF-16 if I’m not mistaken), it has amazing performance. Even on my slow laptop drive it gets through 2GB in around a minute, reading almost 30MB/s. I have never seen other applications achieve this. Even better, all this is done without discernible CPU usage or performance degradation.
So in the end I lost, but I came out of it with another story to tell.
Homework: Inspect your swap files with HexFiend to see whether they really are encrypted when you’re using that option of the OS. Also find out whether your system will display the contents of the swap files to you or whether you have to forcefully shut it down to look at them.
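The search described above (one rare word, tried in ASCII and UTF-16) also covers the homework check of whether known text shows up in a swap file. As an added example that is not part of the original post, this Python script streams a copied memory or swap image in chunks and reports the offset and encoding of every hit, including hits that straddle a chunk boundary. The function names and the sample image are constructed for illustration.

```python
import io
import sys

def needles_for(word):
    """Byte patterns for one word in the encodings worth trying."""
    return {
        "ascii/utf-8": word.encode("utf-8"),
        "utf-16-le": word.encode("utf-16-le"),  # 16-bit units, little-endian
        "utf-16-be": word.encode("utf-16-be"),  # 16-bit units, big-endian
    }

def scan_image(stream, word, chunk_size=1 << 20):
    """Return sorted (offset, encoding) hits for word in a binary stream."""
    if not word:
        raise ValueError("search word must not be empty")
    needles = needles_for(word)
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = [], b"", 0  # base = image offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return sorted(hits)
        buf = tail + chunk
        for name, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                # A match lying wholly inside the carried-over tail was
                # already reported on the previous pass.
                if pos + len(needle) > len(tail):
                    hits.append((base + pos, name))
                pos = buf.find(needle, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)

def build_sample_image():
    """Constructed stand-in for a RAM or swap copy, not real captured data."""
    filler = bytes(range(256)) * 16  # 4096 bytes of non-text
    return (filler + b"good old Starsailor line" + filler
            + "Starsailor".encode("utf-16-le") + filler)

if __name__ == "__main__":
    # Usage: script.py IMAGE WORD; with no arguments, scan the constructed sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            found = scan_image(fh, sys.argv[2])
    else:
        found = scan_image(io.BytesIO(build_sample_image()), "Starsailor")
    for offset, encoding in found:
        print(f"{offset:#012x}  {encoding}")
```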
It’s hard for me to be too critical of Twitter when it is a completely free service. You get what you pay for!
Trivia note: my company had a product that relied on the /dev/mem device when running under OS X and needed a fairly important bit rewritten when it went away (it was turned off by default in Tiger.)
d.w.: So how do you get to access memory without it. I would have imagined that it should still be possible (judging what the VMWare guy in that C4-video said you can play rather dirty with the right privileges…) and would just be a few dirty Unix calls away for the programmer who is so inclined.