Scrivener, BibDesk, LaTeX, and symlinks

June 30th, 2014


  • Writing in Scrivener on OSX
  • Using BibDesk for bibliography
  • Writing several different articles or books using the same BibDesk database
  • Getting the database into the local folder tree so that it is included in version control

Assume the database is at:


In Scrivener, use the following in the meta-data page, which is the first page in the manuscript:

Base Header Level: 1
Title: Rethinking the EHR
Author: Martin Wehlou, MD, CISSP
BibTeX: ../BibRef
mycopyright: 2014 Man in The Middle AB, Sweden.

Then, in the base folder of your book or article, create a symbolic link to the real BibDesk database file:

ln -s ~/Documents/BibDesk/Database/References.bib BibRef.bib

The “base folder” is the folder where your .scriv file is. Scrivener creates the .tex files in a subfolder, so that’s why you need the “..” before “BibRef” above. By the way, I called the link “BibRef” just to make it clearly different from the actual database name, but you can use anything you like. As long as it doesn’t contain blanks or strange symbols.

Now everything works and life is good.

Rethinking the Electronic Healthcare Record

June 24th, 2014

As mentioned before, I’m writing a book about how the EHR should be built and why. The latest, and possibly last, draft is available at:

This draft is significantly shorter and more focused than earlier drafts. I’ve also incorporated the “combinatorial matching” idea from L.L. Weed, and modified it to be more scalable. With that, I have a knowledge-based support and documentation system, with a complete flow from first patient contact to treatment. It goes way beyond what any current EHR systems do, and would be the help we need as doctors, instead of the drag of the current generation.

Any comments are welcome. My email can be found under the section “Draft Versions” in the manuscript. You can also comment on the blog itself, of course. At least during the first two weeks, then they’re closed (due to spam).

Swift, missing idea #1?

June 3rd, 2014

Going through “properties”, I’m not finding anything about private and public properties, or protected. I’m also not seeing anything about header files and class files, so at first blush it seems we can’t hide properties from other classes. How do we stop people from using the wrong properties?

That can’t be good. I must be missing something.

Swift, good idea #1

June 3rd, 2014

There’s a lot of good stuff in Swift, of course, but adopting Ruby’s block syntax seems a really nice idea. It’s called “trailing closures” in Swift, but it’s the same thing, as far as I can see. An example from the text:

let strings = {
    (var number) -> String in
    var output = ""
    while number > 0 {
        output = digitNames[number % 10]! + output
        number /= 10
    return output

Everything between braces is the block, um.., trailing closure.

Excerpt From: Apple Inc. “The Swift Programming Language.” iBooks.

Swift, bad idea #3

June 3rd, 2014

Function types are declared like:

var mathFunction: (Int, Int) -> Int

In this example: mathFunction is a variable that can hold any function that takes two Int as parameters and returns one Int. Fine, so far.

Functions can take such functions as parameters and also return them. For instance, a function taking a function like the above as parameter would be declared as:

func printMathResult(mathFunction: (Int, Int) -> Int) 

A function returning a function taking a Bool as parameter and returning an Int could look like:

func chooseFunction(choice: Bool) -> (Int) -> Int

Notice how the two pointer operators (->) mean to entirely different things. The first indicates a return value, the second is part of the function signature of the returned value.

Let’s imagine what a function type would look like if it takes a function of an Int, returning an Int as parameters, and returns a similar function:

func confusingFunction(number: Int) -> (Int) -> (Int) -> Int

I may very well have written that wrong, but can you tell? This is totally different from old school C declaration of function prototypes, but I’m far from sure it’s any easier to understand. Maybe judicious use of “function types” (or “typedefs” as we used to call them 30 years ago…) could make this clearer.

Swift, bad idea #2

June 3rd, 2014

Function parameters now have distinct “internal” and “external” parameter names. The simplest form does away with named parameters when calling functions, that is, we can now do:

mysteriousFunction(15.2, "yeah, right", "only on a sunday", -1)

…just like in the good(?) old days of plain C/C++. Yes, you can force naming of parameters on the caller’s side, but it’s more work than the sloppy old way. Guess how often we’ll see that now? So, simple, inscrutable, and bug prone is the new default.

Swift, bad idea #1

June 3rd, 2014

Looking over the “Swift” language Apple presented during the WWDC keynote. First off, declarations using “var” and “let” made me think of Basic, and had to stifle a gag reflex.

I’m reading the iBooks book on Swift. When I got to closed and halfopen ranges on page 100, I thought this was a big mistake. It’s very hard to see at a glance which is which. We’ve been trained for so many years to see ranges in for loops as closed, and react immediately if that expected “-1″ as in “(0 to n-1)” or equivalent, is missing.

Sure enough, go to page 135 in the same book, and the example given is clearly wrong, where the author of the book confused the two. Two dots is a halfopen interval, three dots a closed interval, and the example is:

“shoppingList[4...6] = ["Bananas", "Apples"]”

(Excerpt From: Apple Inc. “The Swift Programming Language.” iBooks.)

This is not going to end well.

Update: I was wrong. See the comments.

Next draft

April 1st, 2014

I just uploaded the next draft (v10) of my book on EHR systems. I included a chapter on business cases, and expanded quite a bit on the document tree structure.

You can find a diff file for version 10 there as well, if you want to focus on the changes.

Update May 13, 2014: I stupidly linked to a particular draft in the above post. A much better link is this:

…which always points to the most recent draft. Currently I’m on draft 15 and will upload 16 later today.

Sorry about that piece of bad information.

EHR, the book

March 25th, 2014

Back in January, I began writing a book on the Electronic Healthcare Record. Not how they work (they don’t), not just what’s wrong with them (most everything), but mainly going back to basics and figuring out what they are really for. Or should be for, more accurately.

Current systems are a marvel of bad design and misunderstandings of purpose. I’m trying in the book to figure out why, and what to do to improve on things. The contents range between the medical and the technical, taking side roads into politics, both the office kind and the real kind.

The contents are mainly based on the Swedish situation, but I welcome any input on how it is elsewhere. If I can be made to understand the differences, I’ll only be too happy to take that into account in the text.

I’m hoping with this book to make the stakeholder ask the right questions, else there is no hope we’ll ever get the right answers.

From today, I’ll publish my latest draft weekly (if I can keep it up) at:

I’ll welcome any comments in any form, but you’ll have to email them to me at, or even better, post them as messages on our forum. You can register for the forum at:

The intention is to have it ready for publication sometime in June 2014. I’ll publish it under our own name through one of the publish on demand sites.

SRX100 Junos dynamic VPN, Win7, OSX, VPNTracker

March 3rd, 2014

(Update March 6, 2014: The Junos “standard” proposal actually includes 3DES in both phase 1 and phase 2, still making it hard for VPNTracker to connect. What we need to do is create a custom proposal for each phase with only AES in it. I updated the text to reflect that.)

(Update November 11, 2014: VPN Tracker 7 failed for me if there were multiple remote networks configured. VPN Tracker 8 works fine with multiple remote networks, though, but you have to switch off the option under “advanced” that says “Establish a separate phase 2 tunnel for each remote network”. That option is new with VPN Tracker 8. I added that step in the text, but I didn’t update the screen shots. They’re all from VPN Tracker 7 still.)

So this is what I needed to accomplish: get one single SRX100 running Junos 12.1X44D20 to have a site-to-site VPN to another SRX100, while also having a dynamic VPN working with both Windows 7 clients and Mac OSX 10.9 clients. And I succeeded, except not for free. I’m not mentioning the site-to-site setup in what follows, since it does not interact with dynamic VPNs.

The SRX100 has a Windows VPN client built in, such that if you connect with a Win7 machine, it lets you log in using a web interface, then offers you a download of the Junos Pulse client, already completely configured for that SRX100. This works like a charm. The problem is that there is no Junos Pulse client for OSX, which I think is really weird. I love Juniper, but man, what’s up with this?

The client everyone recommends for this is VPN Tracker, a pretty expensive piece of very nice software from Equinux. But, of course, even though VPNTracker supports a truckload of firewalls, the SRX series is not among them. The software is very configurable, however, so even though there’s no guide, there’s a way.

First, take the lazy way and fire up the J-Web interface to the SRX100 (yes, I know, I lost all cred by doing this, but having to choose between self-respect and actually having a life, I finally crumbled, left the command line and took to the browser). To my defence, the J-Web interface is actually pretty darn good, at least compared to the Netscreen interface on the SSG5.

From experiments and a lot of searching on the interwebs, it’s clear there is a problem somehow with the DES and/or 3DES algorithms with the SRX100 and/or VPNTracker. They just can’t negotiate a phase 1 proposal, with VPNTracker failing in phase 1. The solution is to set the SRX100 to not use DES or 3DES, by selecting “Standard” in both “IKE Security Level” and “IPSec Security Level”.

The solution is to create a custom phase 1 proposal and phase 2 proposal that does not include DES or 3DES. In the SRX configuration, do:

set security ike proposal ike_prop_aesonly description "reduced proposal for vpntracker"
set security ike proposal ike_prop_aesonly authentication-method pre-shared-keys
set security ike proposal ike_prop_aesonly dh-group group2
set security ike proposal ike_prop_aesonly authentication-algorithm sha1
set security ike proposal ike_prop_aesonly encryption-algorithm aes-128-cbc
set security ike proposal ike_prop_aesonly lifetime-seconds 86400

set security ike policy ike_pol_wizard_dyn_vpn proposals ike_prop_aesonly

Don’t forget to remove the policy-set standard you had from before. The “ike_pol_wizard_dyn_vpn” can have another name on your system, of course.


set security ipsec proposal ipsec_prop_aesonly description "reduced proposal for vpntracker"
set security ipsec proposal ipsec_prop_aesonly protocol esp
set security ipsec proposal ipsec_prop_aesonly authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop_aesonly encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec_prop_aesonly lifetime-seconds 3600

set security ipsec policy ipsec_pol_wizard_dyn_vpn proposals ipsec_prop_aesonly

Also, choose group 2 in IPSec Perfect Forward Secrecy (I haven’t experimented with other values here). With these choices, there’s no use of DES or 3DES. Note the IKE Preshared key and Remote Identity values. In the next screen, you choose users and stuff, and I’m not going to show you mine. Nothing there has a bearing on this description anyway.


So, with this set, first try to log in using Win7, download the Junos Pulse client and connect. This should work without anything else but your login credentials that you set in the screen “Remote Users” (that I didn’t show) in the VPN Wizard on the SRX100.

Now, back to VPNTracker. In the “Basic screen” of your connection setup, you enter the following:

VPN Tracker 7ScreenSnapz002

And in the second, “Advanced”, you enter the following:

VPN Tracker 7ScreenSnapz004

Notable items in the first of the two screens (“Basic”) are:

  • Network configuration: “Mode Config”
  • Identifiers, local: “FQDN”, with the “shoehorn” name you entered in the SRX100 VPN Wizard as “Remote Identity”
  • Identifiers, remote: “Don’t verify”

Notable items in the second (“Advanced”) screen, where we take care to only select the algorithms included in the Junos SRX100 “Standard” set, which is AES-128, SHA-1, and DH Group2 in both phase 1 and phase 2, and DH Group2 for PFS in phase 2:

  • Exchange mode: Aggressive
  • Phase 1 encryption: AES-128 only
  • Phase 1 hash: SHA1 only
  • Diffie-Hellman: group 2
  • Phase 2 encryption: AES-128 only
  • In VPN Tracker 8, there is here a checkbox “Establish a separate phase 2 tunnel for each remote network”. This should be off.
  • Authentication: HMAC SHA1 only
  • PFS: DH Group 2

There’s one last, hard to find, little detail: you have to change the ike-user-type on the SRX100 from “shared-ike-id”, as the wizard generated it, to “group-ike-id”, through the commandline on the SRX100, assuming your SRX100 VPN Wizard generated the gateway name to be “gw_wizard_dyn_vpn”, which it probably did, like so:

set security ike gateway gw_wizard_dyn_vpn dynamic ike-user-type group-ike-id

Interestingly, you don’t have to change your remote identifier in any way, neither in the SRX100 or the VPNTracker. From now on, you can connect.

Now, amazingly, you can connect with VPNTracker from OSX 10.9 while at the same time using the Junos Pulse client from Win7. All you have to do now is cough up $100 or $200 for VPNTracker (depending on version).

The SRX100 comes with a default two simultaneous dynamic VPN connections. You can get five connections with an extra license (SRX-RAC-5-LTU) for around $150, but I don’t know if that leaves you with a total of five or seven simultaneous connections.