Monday, October 21, 2024

Leaky macOS VPN After System Update

Mullvad VPN (Hacker News):

We have found that you could be leaking traffic on macOS after system updates. To our current knowledge a reboot resolves it. We are currently investigating this and will follow up with more information.

In this scenario the macOS firewall does not seem to function correctly and is disregarding firewall rules. Most traffic will still go inside the VPN tunnel since the routing table specifies that it should. Unfortunately apps are not required to respect the routing table and can send traffic outside the tunnel if they try to. Some examples of apps that do this are Apple’s own apps and services since macOS 14.6, up until a recent 15.1 beta.

Previously:

TCC and Gatekeeper Bypasses

Wojciech Reguła (September 2021, tweet):

I was looking for code injection opportunities that may allow reaching TCC bypasses. My simple shell script discovered a potential victim - /System/Library/CoreServices/Applications/Directory Utility.app. It had (and has) the following private TCC entitlement[…] This entitlement allows the Directory Utility to modify the user’s records stored in the /var/db/dslocal/nodes directory.

[…]

After some time I stumbled across the above-mentioned Matt Shockley’s article on how he was able to bypass TCC only by changing the $HOME directory via launchctl. I was really curious about how Apple fixed that vulnerability so I started reversing the TCC. Turns out that now TCC takes the information about the user’s home directory from the getpwuid function.

[…]

I was really shocked that Apple decided that this vulnerability is not eligible for the bounty. [They later changed their mind.]

Wojciech Reguła (March 2022):

This post shows how to bypass the macOS privacy framework (TCC) using old app versions.

[…]

Summing it up - there is no version information. It is exactly the same architectonical problem as the macOS Keychain has. In most cases it is possible to get an older version of the “donor” application (without the hardened runtime flag), inject to it, and thus abuse its TCC permissions.

Phil Stokes (March 2023):

The scourge of ransomware attacks that has plagued Windows endpoints over the past half decade or so has, thankfully, not been replicated on Mac devices. With a few unsuccessful exceptions, the notion of locking a Mac device and holding its owner to ransom in return for access to the machine and its data has not yet proven an attractive proposition for attackers.

However, the idea of stealing valuable data and then monetizing it in nefarious ways is a tactic that is now common across platforms. On macOS, threat actors will quietly exfiltrate session cookies, keychains, SSH keys and more as malicious processes from adware to spyware look to harvest data that can be recycled and sold on various underground forums and marketplaces, or used directly in espionage campaigns and supply chain attacks.

[…]

Session cookies can be stored anywhere, but typically they are in locations which can be accessed by the user or a process running as the user. Some locations, such as the User’s Library Cookies folder, may be restricted by TCC unless the parent process has Full Disk Access or uses one of the many known TCC bypasses. Real world attacks (e.g., XCSSET) and researchers have consistently shown that TCC, while often a nuisance to users, does not present a significant obstacle to attackers.

Mickey Jin (January 2024):

Last year, I discovered a full user TCC bypass issue in the macOS Sonoma beta version. There was a CVE number assigned at the beginning, but removed by Apple in the release of macOS 14.0. Instead, I got the credit in their Additional Recognitions.

According to the Apple Security Bounty program, this report should have been rewarded with an additional 50%. Unfortunately, the truth is that I was cut off 50%.

Wojciech Reguła:

This vulnerability was disclosed at Black Hat Europe 2022 in the talk Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms. The technique used an old Launch Services function LSSetDefaultRoleHandlerForContentType that allowed (without any restrictions) to register arbitrary applications for handling specified UTI handlers. After the UTI handling app registration, the exploit simply opens juicy files (like AddressBook or iMessages database) and TCC happily grants access to them. At that time TCC couldn’t recognize correctly if a file was opened by launch services or double-clicked by a user.

Wojciech Reguła:

The technique relied on an SQLite environment variable respected by libsqlite3.dylib which made apps using the standard SQLite system API log all the SQL queries. As such queries may contain sensitive user data normally protected by the TCC - I started researching all the problematic occurrences.

Unit 42:

Apple states that user-installed unarchiving tools preserve quarantine. As we can see in the following examples, there are some third-party archive tools that do not enforce that, which means that Gatekeeper won’t scan the extracted files.

[…]

In VMware Fusion, when copying a file from a host machine to a guest macOS virtual machine (VM) using VMware tools, the quarantine extended attribute will be dropped from the copied file as shown in Figure 4. This means Gatekeeper won’t scan any files copied into the virtual machine.

Microsoft Threat Intelligence:

The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.

[…]

Our exploit involves the following steps:

  1. Change the home directory of the current user with the dscl utility, which does not require TCC access in Sonoma (At this point, the ~/Library/Safari directory is no longer TCC protected).
  2. Modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
  3. Change the home directory again so Safari uses the now modified files.
  4. Run Safari to open a webpage that takes a camera snapshot and trace device location.

Osama Alhour (PDF, tweet):

This paper seeks to provide a comprehensive technical analysis of how TCC works internally, how it interacts with other system components, and it’s impact on both how developers shape their applications as well as user control granting sensitive data to applications.

Previously:

Autoenshittification, YouTube, and Disenshittify or Die

Cory Doctorow (July 2023, Hacker News):

Forget F1: the only car race that matters now is the race to turn your car into a digital extraction machine, a high-speed inkjet printer on wheels, stealing your private data as it picks your pocket.

[…]

The car manufacturers got so desperate for chips that they started buying up washing machines for the microchips in them, extracting the chips and discarding the washing machines like some absurdo-dystopian cyberpunk walnut-shelling machine[…]

[…]

These digital systems are a huge problem for the car companies. They are the underlying cause of a precipitous decline in car quality. From touch-based digital door-locks to networked sensors and cameras, every digital system in your car is a source of endless repair nightmares, costly recalls and cybersecurity vulnerabilities[…]

Cory Doctorow (September 2023):

It doesn’t have to be this way. Enshittification occurs when companies gobble each other up in an orgy of mergers and acquisitions, reducing the internet to “five giant websites filled with screenshots of text from the other four” (credit to Tom Eastman!), which lets them endlessly tweak their back-ends to continue to shift value from users and business-customers to themselves. The government gets in on the act by banning tweaking by users - reverse-engineering, scraping, bots and other user-side self-help measures - leaving users helpless before the march of enshittification. We don’t have to accept this! Disenshittifying the internet will require antitrust, limits on corporate tweaking - through privacy laws and other protections - and aggressive self-help measures from alternative app stores to ad blockers and beyond!

Cory Doctorow (November 2023, Hacker News):

For example, when Google contemplates raising the price of a Youtube subscription, the dissent might say, “Well, this will reduce viewership and might shift viewers to rivals like Tiktok” (competition). But the price-hiking side can counter, “No, because we have a giant archive, we control 90% of searches, we are embedded in the workflow of vloggers and other creators who automatically stream and archive to Youtube, and Youtube comes pre-installed on every Android device.” Even if the company leaks a few viewers to Tiktok, it will still make more money in aggregate. Prices go up.

When Google contemplates increasing the number of ads shown to nonsubscribers, the dissent might say, “This will incentivize more users to install ad-blockers, and then we’ll see no ad-revenue from them.” The pro-ad side can counter, “No, because most Youtube viewing is in-app, and reverse-engineering the Youtube app to add an ad-blocker is a felony under Section 1201 of the Digital Millennium Copyright Act. As to non-app viewers: we control the majority of browser installations and have Chrome progressively less hospitable to ad-blocking.”

When Google contemplates adding anti-adblock to its web viewers, the dissent might say, “Processing users’ data in order to ad-block them will violate Europe’s GDPR.” The anti-adblock side can counter, “But we maintain the fiction that our EU corporate headquarters is in the corporate crime-haven of Ireland, where the privacy regulator systematically underenforces the GDPR. We can expect a very long tenure of anti-adblock before we are investigated, and we might win the investigation. Even if we are punished, the expected fine is less than the additional ad-revenue we stand to make.”

When Google contemplates stealing performers’ wages through opaque reshufflings of its revenue-sharing system, the dissent might say, “Our best performers have options, they can go to Twitch or Tiktok.” To which the pro-wage-theft side can counter, “But they have no way of taking their viewers with them. There’s no way for them to offer their viewers on Youtube a tool that alerts them whenever they post a new video to a rival platform. Their archives are on Youtube, and if they move them to another platform, there’s no way to redirect users searching for those videos to their new homes. What’s more, any attempt to unilaterally extract their users’ contact info, or redirect searchers or create a multiplatform client, violates some mix of our terms of service, our rights under DMCA 1201, etc.”

Cory Doctorow (August 2024, transcript):

The enshittification of the internet wasn’t inevitable. The old, good internet gave way to the enshitternet because we let our bosses enshittify it. We took away the constraints of competition, regulation, interop and tech worker power, and so when our bosses yanked on the big enshittification lever in the c-suite, it started to budge further and further, toward total enshittification. A new, good internet is possible - and necessary - and it needs you.

Previously:

Friday, October 18, 2024

exit(173) Receipt Fetching Deprecated on Sequoia

Jeff Johnson (Mastodon):

[If] you compile your app with the macOS 15 SDK in Xcode 16, and your app exits with the status 173—the traditional way to handle Mac App Store receipt validation failure—then macOS 15 Sequoia will show the user an alert[…]

The alert is terrible for at least two reasons. First, the text is total nonsense to end users and meaningful only to app developers. Second, the text is inaccurate. Exiting with status 173, for example returning 173 from the main() function, still works! A new, valid Mac App Store receipt will be fetched, if possible. In this respect, the only difference between Sonoma and Sequoia is that Sequoia shows the annoying, confusing, inaccurate alert to the user.

As far as I’m aware, the new macOS 15 behavior has not been documented by Apple anywhere.

The WWDC session only says:

If your app still uses the Original API for In-App Purchases, I have an important update to share with you. Beginning with iOS 18 and aligned OS releases, the Original API for In-App Purchase is deprecated, including the unified receipt. Your existing apps will continue to work, but the legacy API won’t receive any enhancements or new features in future operating system releases.

But this doesn’t mention the scary alert, and it’s not obvious that exit(173) is part of the IAP API because it was introduced for up-front purchases before IAP even existed.

Johnson has investigated the documentation history. Apple no longer mentions exit(173) at all, never saying that it was deprecated, and the current documentation recommends using StoreKit 1, which is is deprecated.

According to the WWDC session, Apple wants apps to switch to StoreKit 2, which is a Swift-only API. Apps targeting older versions of macOS would need to bundle the entire Swift runtime just to download the Mac App Store receipt.

It’s not yet clear to me whether Sequoia shows the alert for apps (linking with the macOS 15 SDK) downloaded from the App Store or only when testing such apps. I presume it’s only the latter because I have not seen a huge outpouring of users mentioning the alerts. However, it’s also possible that few apps have been shipped using Xcode 16 so far, e.g. because doing so will make apps that use Quick Look crash.

Previously:

Update (2024-10-21): Alexander Blach:

Mona (@MonaApp) seems to be a Mac App Store app compiled with the macOS 15 SDK (DTSDKName is “macosx15.0") that does call exit(173) on launch when the receipt is not present in its app bundle.

It does not show the deprecation alert for me and successfully refreshes the receipt.

So it looks like calling exit(173) in the production environment still works as before.

Click-to-Cancel

Thomas Claburn (MacRumors):

The US Federal Trade Commission on Wednesday announced a final “click-to-cancel” rule that aims to simplify the process of ending unwanted subscriptions to products and services.

[…]

“Too often, businesses make people jump through endless hoops just to cancel a subscription,” said FTC Chair Lina Khan in a statement. “The FTC’s rule will end these tricks and traps, saving Americans time and money. Nobody should be stuck paying for a service they no longer want.”

FTC (Hacker News):

The final rule will provide a consistent legal framework by prohibiting sellers from:

  • misrepresenting any material fact made while marketing goods or services with a negative option feature;
  • failing to clearly and conspicuously disclose material terms prior to obtaining a consumer’s billing information in connection with a negative option feature;
  • failing to obtain a consumer’s express informed consent to the negative option feature before charging the consumer; and
  • failing to provide a simple mechanism to cancel the negative option feature and immediately halt charges.

While it was good that in some cases customers could get easier cancellation by paying for an additional layer such as the App Store, I think it makes sense to just make these bad practices illegal.

Karl Bode:

Cemented by AOL in its heyday, and perfected by everybody from the Wall Street Journal to your broadband and wireless phone provider, corporate America loves to make it as annoying as possible to simply cancel services, often actively hiding any way to do so.

[…]

Most of the FTC’s new guidelines will go into effect in 180 days, with some in effect within 60 days after publication in the Federal Register. The rulemaking updates started way back in 2019. There’s a fact sheet here that explains the proposal in more detail.

[…]

Trade groups representing everything from media companies and telecoms to car wash operations called the rules “burdensome and unnecessary.” Publishers and Advertisers like the News/Media Alliance also complained about the rules, insisting they would “confuse customers“ (one alliance group member, the WSJ, worked for years to make subscription cancellation as annoying as humanly possible, and didn’t seem too upset about consumer confusion at the time).

Previously:

Netscape at 30

Jamie Zawinski:

According to my notes, it went live shortly after midnight on Oct 13, 1994. We sat in the conference room in the dark and listened to different sound effects fired for each different platform that was downloaded. At some point late that night I wandered off and wrote the first version of the page that loaded when you pressed the “What’s Cool” button in the toolbar.

[…]

This beta release was an unannounced surprise. Prior to this, everyone assumed that what we were doing was going to be a standard for-sale product where you sent off your $35 and then some time later got a disc in the mail with a license key.

[…]

These anniversaries keep piling up, so I don’t really have a lot to add, but check my NSCP tag or the Previouslies for more, particularly the links in this one.

John Gruber:

The thing that confuses people sometimes about new platforms is that while the platform and its clients are different things, you usually need both to be great for the whole thing to succeed.

a16z:

In this special episode, Marc and Ben dive deep into the REAL story behind the creation of Netscape—a web browser co-created by Marc that revolutionized the internet and changed the world. As Ben notes at the top, until today, this story has never been fully told either in its entirety or accurately.

In this one-on-one conversation, Marc and Ben discuss Marc’s early life and how it shaped his journey into technology, the pivotal moments at the University of Illinois that led to the development of Mosaic (a renegade browser that Marc developed as an undergrad), and the fierce competition and legal battles that ensued as Netscape rose to prominence.

Previously:

Thursday, October 17, 2024

ToothFairy 2.8.5

ToothFairy 2.8.5 is a maintenance update of my Bluetooth menu bar utility. It fixes a bug where sometimes ToothFairy wouldn’t auto-launch at login.

An interesting bug was:

Kindle Colorsoft and 2024 Updates

Amazon (Hacker News, MacRumors):

The all-new Kindle Colorsoft brings color to Kindle without compromise. It has everything customers love about Kindle today—high contrast, fast page turns, an auto-adjusting front light, and weeks of battery life. It adds color that is vibrant yet easy on the eyes. Now, you can browse covers in color in your Kindle Library or Store; see book photos and images in color; or add color highlights that you can easily search later.

It’s $279.99 with a 7-inch display (wireless charging dock extra). Color is 150 ppi vs. 300 ppi for monochrome.

The all-new Kindle Scribe combines all the benefits of Kindle with a powerful notetaking device. The display has new white borders, and the screen has a smooth, paper-like texture that makes it look and feel like you’re writing on a sheet of paper. Plus, at 300 ppi, text looks crisp and clear when you’re writing or reading. The Premium Pen is finely crafted to deliver just the right heft and balance, so it feels like holding an actual pen, and the new soft-tipped eraser feels like a pencil—you’ll think you have to brush the screen clean after erasing.

[…]

The new Kindle Scribe offers a first-of-its-kind in-book writing experience and a more powerful notetaking experience. With Active Canvas, you can write your thoughts directly in the book when inspiration strikes. Your note becomes part of the page, and the book text dynamically flows around it—if you increase the font size, change the font style, or the book layout changes, the note remains visible exactly where you want it so you never lose any meaning or context. Coming soon, you’ll also be able to write your notes in the side panel and easily hide them when you are done.

It’s $399.99 with 10.2-inch display. I guess it doesn’t work with the wireless charging dock.

Since its debut in 2012, customers have made Kindle Paperwhite our best-selling Kindle—and the all-new Kindle Paperwhite is our fastest yet. Scrolling through your Kindle Library or Store is snappy and responsive with 25% faster page turns. The display uses an oxide thin-film transistor, which gives it the highest contrast ratio of any Kindle, so text and images pop off the screen. A larger, 7-inch display is a first for Kindle Paperwhite—and yet, it is also the thinnest Kindle Paperwhite ever with up to three months of battery life.

The regular edition is $159.99, and the signature edition (double the storage, wireless charging, front light sensor) is $199.99.

Weighing in at just 158g, the new entry-level Kindle is small enough to fit in your hand or carry in your back pocket—and it’s packed with premium Kindle features. It has a 300 ppi, glare-free display, now with faster page turns, higher contrast ratio, and a front light that is 25% brighter at max setting—as bright as Kindle Paperwhite.

This is $109.99 for a 6-inch display.

Sadly, the Kindle Oasis was not updated and is, in fact, discontinued. This was my favorite design, as it had physical page-turn buttons, a more comfortable shape to hold, and the lightest weight (131g without the cover).

Jason Snell:

The writing was on the wall, but it’s still sad. Amazon has apparently decided that there’s no place in the Kindle line-up for an e-reader that still has physical page-turn buttons.

Regular readers of this site will know that I am an ardent supporter of physical page-turn buttons on e-readers, because they allow you to rest a finger on the button and turn the page with a simple squeeze, while touch-only readers require you to constantly reposition a finger, tap, and the move the finger away. Not exactly torturous, but decidedly less optimal.

See also: M.G. Siegler and Andrew Liszewski.

Previously:

Update (2024-10-21): Riccardo Mori:

Now that the new iPad mini and the new Kindles are out, I can tell you that they both have one thing in common: they have sold me on the previous generation of their respective models or product lines.

[…]

I imagine that, from a manufacturing standpoint, devices with physical buttons may be annoying because they have parts and components that are subject to stress and wear. But physical buttons in ebook readers — especially when well placed — are crucial and make for a much more pleasant experience; they’re exactly where your thumbs rest while holding the device, and turning pages becomes a frictionless action; you click the button instinctively, without having to constantly move your hand away from holding the device to tap on the screen (hopefully in the right place). Amazon should have kept at least one Kindle with physical buttons instead of going touch-only across the whole lineup. Last week, at the local second-hand electronics shop I frequently visit, I’ve seen a Kindle Oasis at a good price, so I guess I’ll go with that.

Kirk McElhearn:

In my experience with Kindles and other devices, automatically adjustable brightness never works. When using it on Kindles, they suddenly darken or brighten, and I’ve always turned this feature off.

[…]

One note about brightness. Amazon says that all these devices have 94 nits maximum brightness. I compared my Kindle Oasis – 2019 model – to my iPad Pro, which maxes out at 1,000 nits. The brightest setting on the Oasis matched about 60% of the highest brightness on the iPad Pro. So I’m not sure what 94 nits actually means. It’s true that Kindles don’t need to be bright, because their e-ink displays are reflective, so when reading outdoors you can generally turn the brightness all the way down, saving on battery.

[…]

Many Kindle users hold onto their devices for a long time, if Internet forum comments are any indication, so getting people to upgrade isn’t easy. Amazon does offer a 20% discount on trade-ins for these new Kindles, along with whatever they offer for the trade-in devices, and runs this offer from time to time. […] Note that you’ll get 20% off regardless of how much your old Kindle is worth, so if you have a very old one, trade that in to get the discount.

Digital River Not Paying Developers

Thomas Claburn (Hacker News):

Digital River has not paid numerous merchants since midsummer for software and digital products they sold through its MyCommerce platform.

[…]

“Astonishingly, Digital River continued to take sales from our loyal customers until we removed them from the order system. It now appears they have no intention of making payments and may be entering a liquidation process under a new CEO who has been involved in similar situations before.”

[…]

The privately-owned, Minnesota-based business appears to have laid off a significant number of employees, presumably the result of what its UK subsidiary describes as cost reduction initiatives implemented in late 2022.

[…]

In a post to LinkedIn three weeks ago, Lorant Barla, CEO of Romania-based Softland, said, “Digital River is automatically ‘pre-signing’ contracts in your MyCommerce account without your approval. The new MSAs [Master Services Agreements] stipulate additional platform fees and payments delayed for up to 60 days (we are still waiting for the payment from July).”

It’s so sad to see them fall apart. eSellerate was great back in the day.

Previously:

Update (2024-10-18): See also: Hacker News.

Wednesday, October 16, 2024

Returning to Core Data

Fatbobman:

However, the release of iOS 18 cast a shadow over this beautiful vision. A year after its first appearance, SwiftData underwent a major underlying refactoring. Although this adjustment was aimed at shifting from a strong coupling with Core Data to supporting more flexible multi-persistence solutions—a direction undoubtedly correct—it seems that the significant changes led to considerable impact on the new version’s stability.

Disappointingly, a large amount of SwiftData code that ran well on iOS 17 encountered various problems in the new version. For a data persistence framework that shoulders heavy responsibilities, these issues are undoubtedly fatal. What’s more worrying is that the complexity of these problems means they may not be thoroughly resolved in the short term. It is foreseeable that throughout the iOS 18 cycle, developers choosing to use SwiftData will have to continuously grapple with these challenges.

[…]

SwiftData’s performance on iOS 18 put me in a dilemma. For an application centered on data management, stability and reliability are non-negotiable. After repeated deliberation, I had to make a tough decision: abandon the thousands of lines of SwiftData code I had completed and return to Core Data.

[…]

When rebuilding the Core Data project, I decided to integrate the modern thinking I learned from SwiftData, using a more innovative approach to harness this time-tested framework.

Personally, I think the sweet spot is using mature frameworks like Core Data and Cocoa from Swift. Apple hasn’t done as much as I’d hoped to make this ergonomic, but there’s a lot you can do yourself. I actually go further than the example here and make all managed object initializers take the required attributes plus the context as arguments.

Previously:

Update (2024-10-17): See also: Hacker News.

Update (2024-10-18): Peter Steinberger:

So a year in, SwiftData is now worse than it was in the initial release? Honestly, don’t trust Apple there, use something open source that is properly maintained and has tests, like GRDB.

Traveling With Apple Vision Pro

Azad Balabanian (via Federico Viticci):

The Vision Pro has quickly become an essential item that I take onto every flight.

It’s a fantastic device to travel with—Be it by train or by plane, it offers an unparalleled opportunity to selectively tune out your environment and sink into an engaging activity like watching a movie or just working on your laptop.

In this blog post, I’ll outline what I’ve learned about the Vision Pro while traveling, explain some of the functionality, shine light onto its drawbacks, as well as assess how it fares against solutions like a phone or a laptop.

[…]

The problem is that for meals that require eyesight to coordinate (aka using a fork to pick up food from a plate), as soon as you look down at your food, the tracking often gets lost. This causes the movie to stop playing and for you to have to look forward for the tracking to re-initialize.

[…]

Here, it doesn’t matter what my front seat neighbor does, I can just tilt my screen down, place the laptop on my lap or tray, pull up a virtual monitor, and get to work.

He uses a generic lens protector instead of the bulky Apple case, adds an Anker battery bank, and uses an extra third-party strap to make it more comfortable.

Passkeys Credential Exchange

Filipe Espósito (Hacker News, MacRumors, Dan Moren):

As just announced by the FIDO Alliance, the new specifications aim to promote user choice by offering a way to import and export passkeys. The draft of the new specifications establishes the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) formats for transferring not only passkeys, but other types of credentials will also be supported.

[…]

1Password, which worked with the FIDO Alliance on the new specifications, has already committed to supporting the new passkey import and export formats as soon as they become available. Other companies such as Dashlane, Bitwarden, NordPass, and Google also worked on the draft of the new specifications.

Although nothing has been said about Apple, the company is also part of the FIDO Alliance and was one of the first to introduce support for passkeys in 2022 with iOS 16.

I don’t love this framing because, to me, “export” means that it generates a standalone file that I can do with what I please. I can edit it. Or back it up and import it later—possibly into a different app. As far as I can tell, this is not that. It’s more of a way to transfer passkeys between password managers. It’s specifically designed to “export” an encrypted blob that can only be read by the password manager that requested the export. There’s no use even storing the exported file because, unless you have a way to back up the receiving private key, you won’t even be able to import it again. Maybe a third-party developer will make an app that requests/receives an export and lets you access your own data.

Jeff Johnson:

Export and import should have been extremely simple. Instead, they took years to come up with some convoluted system where the only possibility is to transfer from one vendor lock-in to another vendor lock-in.

The FIDO Alliance would probably say that not allowing true exporting makes it more secure, but I think that’s only true in a kind of security-through-obscurity way. If you make an encrypted happy path for transferring credentials, people will use it because it’s easier. Credential exchange does open the way for people to get at the decrypted data—it just makes it a pain and requires trusting an additional helper app. (Or are they going to somehow prevent non-big-players from participating?) If someone has direct access to my Mac and unlocked password manager, it’s game over, anyway. So I fail to see what this is really protecting against. Do they think people will export CSV files and leave them on unencrypted storage?

Jay Peters:

“It is critical that users can choose the credential management platform they prefer, and switch credential providers securely and without burden,” the FIDO Alliance wrote in its press release.

It’s about platforms, not giving you control of your data.

Martin Pilkington:

This is a big improvement, but I’m still very wary of any authentication system whose secret I can’t easily write down on a piece of paper.

Yes that may seem insecure, but I would also consider having a system that pretty much only major vendors can support to also be insecure in other ways. Loss of access is just as bad as being hacked as an authentication failure point.

I really want to like Passkeys given they’re technically much better, but their flaw is they require you to trust Big Tech (and do so in a far more important way than with passwords). Unfortunately Big Tech has used up pretty much all its remaining trust budget 🤷‍♂️

Phil Dennis-Jordan:

I particularly resent how they’re treating their proprietary, heavily networked implementations in always-connected devices as superior to a mostly-airgapped FIDO2 device. Those USB key like devices don’t have great UX, but I’d rather see some iteration on that idea than allowing Big Tech to silently sync (i.e. delete, copy, insert, etc.) those secrets in my phone.

Micah R Ledbetter (via Hacker News):

Passkeys are a technically interesting idea with many upsides, but I am concerned about the power they take away from users.

[…]

The passkey spec is designed intentionally such that:

  • Sites that use passkeys, like your bank, can tell what app you keep your passkeys in
  • Site that use passkeys can choose to support some apps and not others

This is not a hypothetical concern – it’s being discussed today with regard to the open source KeePassXC app.

[…]

The second ticket linked above makes it clear that sites are prepared to block passkey apps not just for their default settings, but for allowing certain actions to happen at all. In that ticket, the concern is that passkeys can be exported without being encrypted.

tadfisher:

There are FIDO Alliance folks posting Github issues requesting to remove features such as plaintext exporting of credentials, with the explicit threat that the Alliance might block such “open” passkey providers in the future. A local database is not enough, it needs to be locked in a secure element or protected with some TPM-like scheme.

The spec allows for hardware attestation as well, to ensure passkeys are being provided from blessed computing environments. Hopefully implementers continue to ignore this anti-feature, because it’s entirely stupid to lock out users who want to control their own security; at the same time, letting anyone with an Android phone restore passkeys from the cloud with one of their device PINs.

Terr_:

I would also be concerned about whether you can recover when a provider becomes unusable or hostile, and there is no cooperative migration path.

That might be the company going bankrupt, a physical or digital disaster, geopolitical firewalls, or simply a Kafka-esque bureaucracy where your entire account has been deleted without appeal because the company decided it was easier than figuring out the truth behind some moderation issue.

David Heinemeier Hansson (Lobsters):

We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out again.

The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access of their accounts. Much the same way that two-factor authentication can do, but worse, since you’re not even aware of it.

Vincent:

With this blog post, I want to share with you the learnings on my way when working on a passkey-first auth solution and passkey intelligence with Corbado. All the hard truths, the unknown unknowns (factors that were not anticipated prior to my experience, essentially things we did not know we did not know), and the misconceptions should be uncovered, so that you know what to consider when implementing your own passkey-based authentication.

[…]

Implementing passkeys in a real-life project is 100x harder than you might initially think (trust us – we’ve gone through it).

Jeff Johnson (Mastodon, Hacker News):

I don’t want to place my credentials database under someone else’s control and because I don’t trust the availability and reliability of cloud sync. I prefer to manage credentials myself. Thus, I was surprised to find two passkeys in the “Passkeys Information.csv” file. I don’t recall ever creating a passkey.

[…]

What I didn’t realize until now is that enabling iCloud Keychain also automatically generated apple.com passkeys. I must have missed it at the time or forgot, but Apple automatically assigned passkeys to users of iOS 17, iPadOS 17, and macOS 14 Sonoma. Since passkeys require iCloud Keychain, it makes sense that this happened the exact same time that iCloud Keychain was (forcibly) enabled on my iPad. However, I seem to have lost the passkeys when I manually disabled iCloud Keychain, because the new Passwords app in iPadOS 18 shows zero passkeys. I have no idea how to revoke the lost credentials on Apple’s systems.

My question is, why does Apple have all of this personal, private information, stored in plain text?

Previously:

Update (2024-10-17): Dimitri Bouniol:

For what its worth, exporting passkeys is non-trivial, because authenticators are sometimes expected to count how many times they’ve signed a challenge, specifically so the server can ensure it hasn’t been copied and used on the side by a non-trusted 3rd party 😔

Update (2024-10-18): Lawrence Abrams:

Amazon has seen massive adoption of passkeys since the company quietly rolled them out a year ago, announcing today that over 175 million customers use the security feature.

I would not call it quiet since when users log in it prompts them to add a passkey. If you don’t store cookies it will ask you every time.

Kyle Howells:

This is a worrying decree of platform lock-in. I expect a lot of issues when people lose access to their devices or try to login from a new computer.

Currently, this is not an issue because Amazon allows both password and passkey access to the same account (thus negating some of the benefits of passkeys). But the goal is for passkeys to replace passwords, and some sites already prevent you from using both. So backup and transfer of passkeys are very important.

Apple’s Ricky Mondello has been entertaining my questions about this. My conclusion is that the current situation (pre-CXF and CXP) is not good. You have very little control over your passkeys and can easily get into trouble if something goes wrong. There is always the option of using recovery, e.g. sending a special link to your e-mail, to generate a new passkey. Some people do this as a matter of course whenever they need to log in because they don’t remember their passwords. This horrifies me, as I think of passwords more as irreplaceable secrets to be carefully guarded. Recovery via e-mail (or postal mail) does not easily scale to large numbers of logins, and I don’t think it’s very secure, as people often leave their mail open on an unlocked device. And, as passkeys replace passwords, it may be difficult to access your e-mail without a passkey, creating a circular problem.

When Credential Exchange becomes available, I think it will help a lot, though I still have some concerns.

The Passwords app seems unlikely to support backups directly, so you would need to periodically export manually to maintain control of your data. Will this be limited?

As I suggested in the initial post, it will be possible to write an app that lets users truly export their data, not just transfer it. I was worried that, because sites can block certain authenticators, such an app might only be useful as a utility and could not be used as an actual password manager. It seemed that this was being used to pressure KeePassXC into not allowing exports. However, Mondello says that the identification is “extremely intentionally, an optional unattested hint string.” In other words, like a Web browser’s “User-Agent,” the password manager could identify itself however it wants.

I still don’t like that sites get to see which password manager I’m using. This is a privacy violation, as I doubt the big players are going to let me use a custom user agent. But if this is at least possible (in future versions or with indie password managers) it would prevent users from being locked out due to sites not liking a particular authenticator or big players going to war with each other.

At this point, I would say that I’m cautiously optimistic. However, the whole passkeys system is so complex that I’m sure there are important questions that I don’t even know to ask and failure modes I haven’t considered.

Jeff Johnson:

The credential exchange protocol introduces phishing to passkeys.

What stops an attacker from tricking a victim into approving a transfer of passkeys to a credential provider under the control of the attacker? I’ve read the working drafts, and they’re appalling terse on the subject of security considerations.

John Gruber (Mastodon):

I don’t have strong feelings about passkeys, but I am vaguely unsettled by them. There’s no way to use passkeys without using a proper password manager, like Apple Passwords with iCloud Keychain, or 1Password. But if you’re using a proper password manager, your passwords should all be unique and random, and you should have convenient access to 2FA codes. So what’s the point of passkeys if they can only be used by people who are already using a good password manager? Perhaps the thinking is that too many users just can’t be budged from the risky habit of using passwords they have memorized, and passkeys are a way to break that habit because they can’t be memorized.

The main benefits vs. a password manager seem to be that users can be phished and convinced to bypass the safe auto-fill and that incompetent sites store unsalted passwords, which can then be leaked.

John Gruber (Mastodon):

A friend texted me with another argument for passkeys: it’s somewhat common for websites to break password autofill. Maybe it’s deliberate, in the name of fighting bots? But whether deliberate or not, with passkeys, they have to work with your browser’s connected password manager. So maybe passkeys are a net win for convenience, even for technically-knowledgeable users who are unlikely to fall for phishing scams.

They are also more convenient than 2FA.

Alex R:

I think a lot of the passkey discourse(™) comes about because we’re a cohort of highly technical early adopters who already have password managers set up with sync, autofill, and two-factor auth. For those users, passkeys might lack some features (although I think the gaps are being filled rapidly there), but they aren’t really the people for whom passkeys are a big improvement.

opoto:

From the other side of this correct consideration, the point is to explain to the non tech users that from now they will need to use a password/passkey manager. This introduces complexity for them.

Miguel Arroz:

A bit of feedback: the main problem to me is not the security factor (passkeys are more secure than passwords, period) but the apparent lack of control and ownership of my credentials.

[…]

Why is an Apple platform, macOS, seemingly intentionally hiding my own credential to my Apple account, at least in the Passwords app?

Disk Images in Sequoia

Howard Oakley:

When you create the disk image, macOS creates and attaches its container, and creates and mounts the file system within that. This is then saved to disk as a regular file occupying the full size of the disk image, plus the overhead incurred by the disk image container itself. No sparse files are involved at this stage.

When that disk image is mounted next, its container is attached through diskarbitrationd, then its file system is mounted. If that’s APFS (or HFS+), it undergoes Trimming, as with other mounts. That coalesces free storage blocks within the image to form one contiguous free space. The disk image is then saved in APFS sparse file format, skipping that contiguous free space. When the file system has been unmounted and the container detached, the space used to store the disk image has shrunk to the space actually used within the disk image, plus the container overhead. Unless the disk image is almost full, the amount of space required to store it on disk will be smaller than the full size of the disk image.

[…]

The size of read-write disk images is therefore variable depending on the contents, the effectiveness of Trimming in coalescing free space, and the efficiency of APFS sparse file format.

[…]

Although read-write disk images stored as sparse files are efficient in their use of disk space, they’re still not as compact as sparse bundles.

Howard Oakley:

Read speeds for sparse bundles and read-write disk images were high, whether the container was encrypted or not. On the internal SSD, encryption resulted in read speeds about 1 GB/s lower than those for unencrypted tests, but differences for the external SSD were small and not consistent.

Write speeds were only high for sparse bundles, where they showed similar effects with encryption. Read-write disk images showed write speeds consistently about 1 GB/s, whether on the internal or external SSD, and regardless of encryption.

When unencrypted, read and write speeds for sparse (disk) images were also slower. Although faster than read-write disk images when writing to the internal SSD, read speed was around 2.2 GB/s for both. Results for encrypted sparse images were by far the worst of all the tests performed, and ranged between 0.08 to 0.5 GB/s.

Surprisingly good results were obtained from a new-style virtual machine with FileVault enabled in its disk image. Although previous tests had found read and write speeds of 4.4 and 0.7 GB/s respectively, the Sequoia VM achieved 5.9 and 4.5 GB/s.

Sparse bundles generally have the best performance, though plain read-write images can be faster for reading. Single-file sparse disk images are slow.

Howard Oakley:

If you’re going to use disk images of any type, then getting the right tool for the job is essential. This article considers the leading candidates:

  • Disk Utility, bundled with macOS
  • DropDMG, $24.99 from C-Command, or from the App Store
  • Spundle, free from its Product Page here
  • hdiutil, the command tool bundled with macOS.

Previously:

Update (2024-10-18): Howard Oakley:

While this remarkable bug is present in macOS Sequoia 15.0 and 15.0.1, I’m afraid its days are numbered. If you want to experience the TARDIS sparse bundle, you’ve only got another week or two, as it appears to be fixed in the current beta of 15.1.

Update (2024-10-21): Howard Oakley:

  • Sparse bundles are more complicated than read-write disk images (UDRW), with band size to be set, and compaction to be performed.
  • Default band size appears to work well, and manually setting band size should seldom be necessary.
  • Both types appear highly efficient in their use of disk space, with only small differences between them.
  • Although it might be important to compact sparse bundles in some cases, the amount of free space returned by compaction is unlikely to be significant in many circumstances.

Perhaps this is because we don’t have tools to defragment the free space on APFS volumes.

Previously:

Tuesday, October 15, 2024

iPad mini (7th Generation)

Apple (MacRumors, Hacker News):

With a beloved ultraportable design, the new iPad mini is available in four gorgeous finishes, including a new blue and purple, and features the brilliant 8.3-inch Liquid Retina display. A17 Pro delivers a huge performance boost for even the most demanding tasks, with a faster CPU and GPU, a 2x faster Neural Engine than the previous-generation iPad mini, and support for Apple Intelligence. The versatility and advanced capabilities of the new iPad mini are taken to a whole new level with support for Apple Pencil Pro, opening up entirely new ways to be even more productive and creative. The 12MP wide back camera supports Smart HDR 4 for natural-looking photos with increased dynamic range, and uses machine learning to detect and scan documents right in the Camera app.

The new iPad mini features all-day battery life and brand-new experiences with iPadOS 18. Starting at just $499 with 128GB — double the storage of the previous generation — the new iPad mini delivers incredible value and the full iPad experience in an ultraportable design.

John Gruber:

A17 Pro is the chip from last year’s iPhone 15 Pro models, and, notably, there was no non-“Pro” variant. Still, though: an interesting chip to use for iPad Mini.

I thought the rumor was that was to be a temporary chip because it was much more expensive to manufacture.

Ryan Christoffel:

For Wi-Fi, the previous mini offered Wi-Fi 6 compatibility, but the new mini takes it further by supporting Wi-Fi 6E.

The previous mini supported Bluetooth 5, but the new mini adds the more modern Bluetooth 5.3 spec.

[…]

Both models support USB 3. However, the old mini only offered speeds up to 5 GB/s, whereas the new model doubles that and goes up to 10 GB/s.

M.G. Siegler:

Overall, the update to the iPad mini would seem to be a good one – as tends to be the case when you wait three years between product refreshes.

Federico Viticci:

I’m not even sure that “disappointing” would properly describe this iPad mini update.

Three years for a chip bump and Apple Intelligence, and this thing will likely be replaced in 2027? Cool.

Rui Carmo:

[No] matter how they sugarcoat the A17 Pro, it’s not the upgrade I wanted for my mini 5 in either CPU, display, camera or anything else short of the USB-C port and TouchID (yes, I prefer TouchID).

Given the PR-only prerelease and outrageously spaced out refreshes it’s obvious the mini isn’t a priority for Apple, so I have to figure out if I want to address the fact that the 256GB cellular model is closer to €1000 than I would like or wait another two years to upgrade.

René Fouquet:

Still no Pro Motion display. I tried the last iPad Mini and had to send it back because I couldn’t get used to the low refresh rate.

Steve Troughton-Smith:

iPad mini battery life is pretty miserable as-is, without Stage Manager or ProMotion or Face ID. While I would love to see an M-series iPad mini Pro, with all the bells and whistles, I’m not convinced it can be done to that level with current battery technology.

Adam Overholtzer:

The big problem for me remains the price. The iPad mini isn’t worth $500–600 and I don’t want to pay $500+ for an iPad.

Steve Troughton-Smith:

I would honestly fully support Apple splitting the iPad mini into two separate lines — remove some stuff to make the mini even cheaper than it is today, but have an iPad Pro 8.3-inch (M4) with everything the bigger models have. Give it that 5.1mm OLED design to make it the ultimate notepad/sketchpad

Previously:

Update (2024-10-16): Steve Troughton-Smith:

Well this is dumb — today’s new iPad mini is compatible with the previous generation folio cases, and vice versa. Except those options aren’t provided to you during the purchase process, even though you can still buy them on Apple’s site. So if you preordered with a case color combo you’re not super fond of, now’s your chance to change your order!

Update (2024-10-21): Jason Snell:

Based on various reports, it seems like Apple’s goal is to turn over its entire Mac product line to the M4, so they can leave the old process (used on the M3 as well as the A17 Pro) behind. And yet… here’s a new product that uses a chip on the old process that everyone is trying to drop like a hot rock? What?

That’s why my guess is that the new iPad mini is using this chip for non-technical reasons. Here are the possible explanations[…]

Second, while it’s certainly possible that Apple has stockpiled enough five-GPU A17 Pro chips to make three years’ worth of iPad minis, this model feels more like a holding action that gets the iPad mini onto Apple Intelligence… while also using up some amount of chip excess. If I had to predict when we’ll see a next-next-generation iPad mini, I think I’d guess that it will probably be sooner than three years from now.

Juli Clover:

One of the main complaints about the prior-generation iPad mini 6 was “jelly scrolling” or screen tearing, and it sounds like it’s a problem that Apple may have addressed with hardware updates to the iPad mini 7 display.

Ward Christensen, RIP

Benj Edwards (Hacker News):

Ward Christensen, co-inventor of the computer bulletin board system (BBS), has died at age 78 in Rolling Meadows, Illinois. He was found deceased at his home on Friday after friends requested a wellness check. Christensen, along with Randy Suess, created the first BBS in Chicago in 1978, leading to an important cultural era of digital community-building that presaged much of our online world today.

[…]

Despite creating one of the foundational technologies of the digital age, Christensen maintained a low profile throughout his life, content with his long-standing career at IBM and showing no bitterness or sense of missed opportunity as the Internet age dawned.

[…]

Prior to creating the first BBS, Christensen invented XMODEM, a 1977 file transfer protocol that made much of the later BBS world possible by breaking binary files into packets and ensuring that each packet was safely delivered over sometimes unstable and noisy analog telephone lines. It inspired other file transfer protocols that allowed ad-hoc online file sharing to flourish.

Matt Keeter (Hacker News):

How did I find myself writing a new implementation of a 45-year old protocol?

Previously:

Apple’s Stale Mac Displays

Joe Rossignol:

Apple sells two external displays, including the Pro Display XDR and the Studio Display, but neither has received hardware upgrades in years. In fact, the Pro Display XDR is nearly five years old, having been released all the way back in December 2019.

[…]

In December 2022, Bloomberg’s Mark Gurman said Apple was working on an updated version of the Pro Display XDR with an Apple silicon chip, something the current model lacks. In the Studio Display, an A13 Bionic chip powers features such as Center Stage camera framing, spatial audio, and Siri voice commands. However, there have not been any recent rumors about a new Pro Display XDR, so it’s unclear what Apple’s current plans are.

[…]

There have been on-again, off-again rumors about Apple planning a new 27-inch external display with mini-LED backlighting, which would allow for increased brightness and higher contrast ratio. In April 2023, Apple supply chain analyst Ming-Chi Kuo said the display was slated for mass production in 2024 or early 2025.

This is not surprising, since Apple has historically taken a long time to update its displays. I don’t think the panels necessarily need to be updated. But it’s disappointing because the Studio Display has well documented camera problems and power issues. I had high hopes that, coming from Apple, it would be reliable as a USB hub, but I end up directly connecting as many storage devices as possible to the meager ports on my MacBook Pro.

Also, it would be nice to have a mid-range display in the lineup. You can get an M3 iMac with a built-in 4.5K display for $1,299, yet the Studio Display by itself starts at $1,599. It’s still hard to find good third-party Retina displays. Why can’t Apple sell an iMac-less panel for a reasonable price?

Previously:

Update (2024-10-16): Adam Chandler:

I guess it’s correct to report Apple’s prices but aside from BTO/CTO Macs, I haven’t paid MSRP on an Apple Device in a while. Channel Partners have gotten brazen about prices that undercut Apple’s the point that I buy everything from BestBuy which has price match guarantee for 45 days after purchase and includes 2 years of AppleCare through BestBuy Total for no charge.

Case in point, $1599 was actually $1294 last week on Amazon.

That still seems like a lot for what you get. It’s not clear to me why Apple seems to have stopped caring about retailers charging consistent prices.

Nick Her:

Apple’s software quality has been insufficiently great for years and, so, it does not surprise me that a display running iOS is not as reliable as a display that does not use an entire mobile operating system.

See also: Christina Warren on the Studio Display.

Update (2024-10-21): Kuba Suder:

I asked people recently about this, and from what I could find, for more compact displays (<= 24″) it’s not just that they’re hard to find, there are no good Retina-DPI monitors, unless you manage to find a used LG on Ebay…

Understanding the Limitations of Mathematical Reasoning in Large Language Models

Hartley Charlton (Hacker News):

The study, published on arXiv, outlines Apple’s evaluation of a range of leading language models, including those from OpenAI, Meta, and other prominent developers, to determine how well these models could handle mathematical reasoning tasks. The findings reveal that even slight changes in the phrasing of questions can cause major discrepancies in model performance that can undermine their reliability in scenarios requiring logical consistency.

Apple draws attention to a persistent problem in language models: their reliance on pattern matching rather than genuine logical reasoning. In several tests, the researchers demonstrated that adding irrelevant information to a question—details that should not affect the mathematical outcome—can lead to vastly different answers from the models.

Gary Marcus:

Everyone actively working with AI should read it, or at least this terrific X thread by senior author, Mehrdad Farajtabar, that summarizes what they observed.

[…]

Another manifestation of the lack of sufficiently abstract, formal reasoning in LLMs is the way in which performance often fall apart as problems are made bigger.

[…]

What I argued in 2001, in The Algebraic Mind, still holds: symbol manipulation, in which some knowledge is represented truly abstractly in terms of variables and operations over those variables, much as we see in algebra and traditional computer programming, must be part of the mix. Neurosymbolic AI — combining such machinery with neural networks – is likely a necessary condition for going forward.

Dare Obasanjo:

This is a problem for anyone who belueves they can build autonomous AI agents on this foundation since it means anytime the “agent” sees a pattern it doesn’t recognize, it will fail hilariously or even catastrophically.

Nick Lockwood:

The most surprising part of the news that Apple researchers have discovered that LLMs can’t reason is that anybody who had even a layman’s understanding of LLMs thought they could in the first place.

Pierre Habouzit:

I think that what [LLMs] do is similar to our human so called “intuition”: they recognize “patterns they’ve seen before and intuitively go to the answer that worked then.”

This is an important aspect of how Inthink and a lot of the creative process I have at work is a back and forth between “intuition” and verifying that it sustains a more rigorous model.

[…]

LLMs have a role into an actual form of AI. It just can’t be on its own.

Dave Rahardja:

LLMs can’t do math because they don’t actually understand concepts; they are just really fancy autocomplete engines.

We knew that already, but this paper quantifies it. The math performance is really pretty dismal even with training that tries to optimize for math. The best performance was by OpenAI’s GPT-4o, which scored around 95% for the most basic of grade-school word problems, which means it got 1 in 20 questions wrong, which means it’s not usable for anything in production.

[…]

IMO the biggest problem with LLMs is not that performance is poor, but that there is no way to tell when they get it wrong. The models may make one mistake in a million, but *which output is the wrong one*?

Jason Koebler:

In December, NARA plans to launch a public-facing AI-powered chatbot called “Archie AI,” 404 Media has learned. “The National Archives has big plans for AI,” a NARA spokesperson told 404 Media. It’s going to be essential to how we conduct our work, how we scale our services for Americans who want to be able to access our records from anywhere, anytime, and how we ensure that we are ready to care for the records being created today and in the future.”

Employee chat logs given during the presentation show that National Archives employees are concerned about the idea that AI tools will be used in archiving, a practice that is inherently concerned with accurately recording history.

Previously:

Monday, October 14, 2024

PolyCapture 1.5

App ahead (Reddit):

PolyCapture for Mac lets you to record webcams, microphones, screens, and apps — individually or simultaneously.

[…]

Filter apps from your recordings on the fly, ensuring nothing gets in your way.

[…]

Capture voiceovers, podcasts, interviews, music, or commentary. If a microphone can pick it up, PolyCapture can record it.

[…]

Use macOS’s Voice Isolation to enhance speech quality and reduce background noise. Apply video effects like Portrait Mode, Studio Light, and Center Stage to level-up your recordings.

This looks well done, and it’s only $3.99.

Previously:

Update (2024-10-15): Marc Edwards:

Screenflick has been my screen recording app of choice for a very long time, but PolyCapture looks extremely nice.

Fake Safari Link Sharing Text

Joshua Long:

For nearly six years, Apple has neglected to fix a bug that enables anyone to effectively create false or misleading news headlines that appear to come from credible sources.

[…]

Apple’s Safari browser includes a feature related to link sharing. If you select (highlight) text within a Web page and then tap on the Share button, you can “quote” the selected portion of the page for the recipient when you share the link via Apple’s Messages app. The feature is intended to allow users to include a direct quote from an article, embedded within the iMessage link preview.

However, Apple does not limit the preview text selection to the contents of the page as received from the Web server—and therein lies the flaw.

Users can type something into a page’s search bar (or any other text field), select the text they just typed, tap Safari’s Share button, and then tap the green-and-white Messages icon to send it to any iMessage recipient—either an individual or a group.

Swift Foundation Unification

Ben Cohen:

The keynote from Tony [Parker] and me at ServerSideSwift2024 is up. Hear about how Swift interoperability allowed Foundation to make the switch to Swift, and about the latest direction for interoperability: from Swift to Java.

Apple has rewritten Foundation in Swift, and the Objective-C Foundation and Core Foundation now call into the Swift implementation. This improves performance from Swift, as there are fewer conversions, and also generally, as the Swift code has in some cases been optimized to reduce allocations.

The actual Foundation running on Apple’s platforms is now open source! They are working on a simpler review process for minor API proposals and encouraging more proposals from new contributors.

Quinn:

This seems to be a good time to remind folks that…

Those who live by the swizzle will die by the swizzle!

When I was getting started with Cocoa, Apple had just written an Objective-C to Java bridge. Apple emphasized that you could write native apps in Java This was seemingly rarely done, and I opted to use Objective-C even though I had been a Java programmer. I did use the Java bridge to call into a Java library that didn’t have an Objective-C equivalent. It worked well.

Anyway, there’s now a prototype bridge between Swift and Java. There are code generation tools to make it easier to call in both directions.

See also: The Success Story of Server-Side Swift at Cultured Code.

Previously:

Greppability Is an Underrated Code Metric

Moriz Büsing (via Hacker News):

It turns out that splitting up, or dynamically constructing identifiers is a bad idea.

[…]

Don’t rename fields at application boundaries to match naming schemes. An obvious example is then importing postgres-style snake_case identifiers into javascript, then converting them to camelCase.

[…]

Taking inspiration from the Zen of Python, when dealing with namespaces, flattening your folders/object structures is mostly better than nesting.

Sarah Reichelt:

I applauded Swift’s plan to eliminate all the NS prefixes but searching for Data or String is impossible. NSData & NSString were much more searchable.

No matter how smart the IDE is, there will be times when you need to search the raw source. And, of course, Google and Stack Overflow and your issue tracker don’t understand what the symbols refer to.

Friday, October 11, 2024

A Brief History of Defragging

Howard Oakley:

All storage media, including memory, SSDs and rotating hard disks, can develop fragmentation, but most serious attention has been paid to the problem on hard disks. This is because of their electro-mechanical mechanism for seeking to locations on the spinning platter they use for storage. To read a fragmented file sequentially, the read-write head has to keep physically moving to new positions, which takes time and contributes to ageing of the mechanism and eventual failure. Although solid-state media can have slight overhead accessing disparate storage blocks sequentially, this isn’t thought significant and attempts to address that invariably have greater disadvantages.

Fragmentation on hard disks comes in three quite distinct forms: file data across most of the storage, file system metadata, and free space. Different strategies and products have been used to tackle each of those, with varying degrees of success.

[…]

Manually defragging HFS+ hard disks was always a questionable activity, as Apple added background defragmentation to Mac OS X 10.2, released two years before Coriolis was even founded. By El Capitan and Sierra that built-in defragging was highly effective, and the need for manual defragging had almost certainly become a popular myth.

I would agree that defragging became much less useful since the days when I was using the Speed Disk component of Norton Utilities on System 7. But my recollection is that HFS+’s automatic defragmentation didn’t fully solve the problem because it wasn’t able to work on all files (notably skipping large ones, which could have hundreds or even thousands of fragments for a single file) and didn’t consolidate the free space. iDefrag remained useful for spinning disks until the advent of APFS.

APFS also has built-in defragmentation, which in some cases I enabled myself and in other cases seemed to have been automatically enabled. I haven’t noticed any improvement from enabling it, which is unsurprising since Oakley and Mike Bombich say that it doesn’t defragment the file system metadata. APFS performance remains really bad on spinning disks, in my opinion.

Previously:

Using NSDockTilePlugIn

Mario Guzmán (Mastodon):

Customizing an application’s Dock tile when the application itself is not running requires that you write a plug-in. The plug-in’s principal class must implement the NSDockTilePlugIn protocol.

The name of the plugin is indicated by a NSDockTilePlugIn key in the application’s Info.plist file.

The plugin is loaded in a system process at login time or when the application tile is added to the Dock. When the plugin is loaded, the principal class’ implementation of setDockTile(_:) is invoked, passing an NSDockTile for the plug-in to customize. If the principal class implements dockMenu() it is invoked whenever the user causes the application’s dock menu to be shown.

[…]

It is rare to see apps use NSDockTilePlugIn because apps that contain one are not allowed on the Mac App Store.

Previously:

Sorting Burst Shots in Apple Photos

Kevin Yank:

When I import a large batch of shots from my camera into Photos, I usually want them in an album, sorted in the order I shot them. The Keep Sorted By Oldest First option would seem to be what I want, but unfortunately its sorting is only based on the capture time of each photo in seconds.

[…]

In order to get the photos into the order I want them, I just need to sort them in the order of their filenames. PA020007.ORF comes after PA020006.ORF, and so on. But Apple Photos can only sort by title, not by filename.

So, to get the sort order I want, I must first assign every photo in the album a title based on its original filename. Of course, typing all these titles in by hand would be impossibly tedious. Thankfully, there’s an open-source tool for that!

Virtualizing iOS on Apple Silicon

Nick Botticelli (via Hacker News):

Now, to get started, a strategy for approaching the daunting task of running iOS on vma2 is needed. I found the most success with reusing a fully macOS 12.0.1 bootchain and simply replacing the system (OS) image, along with its associated mtree, root_hash, and trustcache files, with that of the iOS 15.0.2’s (iPhone XR build). This would largely bypass the need for (almost) any modifications before iOS initializes, such as to the bootchain and ramdisk (restore process). The XR build was chosen for its arm64e capability and lower-resolution (if that mattered). You should see success with other arm64e device configurations, but do note that the vma2 kernel is hardcoded to return “iPad8,6" for some sysctl key. arm64 versions experienced additional issues and binary incompatibilities, so there is no point in trying these builds.

I used my own fork of tart (a third-party application for managing Apple silicon virtual machines), super-tart for running the iOS VM, which allows for using the required undocumented features provided by Virtualization.framework. I have not yet pushed all of my changes, such as for setting _setProductionModeEnabled(false). Do note that such Virtualization.framework tools that use private APIs require SIP to be turned off, and maybe AMFI as well. I also use my own fork of idevicerestore.

[…]

Getting past the system keybag issues requires many more patches and an understanding of the system as it exists in the iOS system and kernel that I currently lack. This project has already taken at least a few hundred hours of exploration, and I’d be curious to see if anyone can take it further than just booting to PreBoard.app.

Previously:

Thursday, October 10, 2024

Apple TV+ in Amazon Prime Video

Jess Weatherbed:

Amazon is adding Apple TV Plus to Prime Video, a move that could help bolster the iPhone maker’s languishing streaming service. Apple TV Plus will be available on Prime Video in the US later this month as a $9.99 monthly add-on — the same you’d otherwise pay directly to Apple. The difference now is that Apple TV Plus is being promoted directly to Amazon’s massive video subscriber base.

[…]

For Amazon, Apple TV Plus joins over 100 streaming service add-ons already available through Prime Video Channels. It’s all part of the company’s plan to become a global “first-stop entertainment hub” according to Hopkins, a goal that Apple once had for Apple TV.

Alex Weprin:

“We want to make Apple TV+ and its award-winning library of series and films from the world’s greatest storytellers available to as many viewers as possible,” said Eddy Cue, Apple’s senior VP of services, in a statement.

I wonder whether Apple will allow this within the Prime Video app on Apple TV or whether you’ll still have to use the TV app there.

Benjamin Mayo:

Apple TV+ as a channel inside Amazon Prime Video is perfectly fine and sensible for Apple TV+, but it speaks volumes about how Prime Video is eating the TV app’s lunch as a streaming all-in-one aggregator.

Previously:

Internet Archive Hacked

Lawrence Abrams (Hacker News):

Internet Archive’s “The Wayback Machine” has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.

[…]

Hunt told BleepingComputer that the threat actor shared the Internet Archive’s authentication database nine days ago and it is a 6.4GB SQL file named “ia_users.sql.” The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

[…]

While the Internet Archive is facing both a data breach and DDoS attacks at the same, it is not believed that the two attacks are connected.

Springtime:

Just in terms of privacy, it’s worth noting that anyone who has uploaded something on IA already has their email address publicly viewable.

This isn’t something that commonly known (even judging by comments here) but in the publicly viewable metadata of every upload it contains the uploader’s IA account email address. So from a security perspective it’s bad but from a privacy perspective a lot of users probably weren’t aware of this detail if they’ve uploaded anything.

Previously:

Update (2024-10-21): Lawrence Abrams (Hacker News):

The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.

[…]

In the case of the Internet Archive, there was no money to be made by trying to extort the organization. However, as a well-known and extremely popular website, it definitely boosted a person's reputation amongst this community.

We need a fully separate Internet archive as a backup.

Apple Passwords’ Generated Strong Password Format

Ricky Mondello (Mastodon):

To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format.

[…]

So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They’re dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.

I like the password format that Safari generates, but I wish I could turn off auto-generation of passwords. It’s a really awkward workflow if I prefer to create new accounts and passwords in PasswordWallet. As far as I can tell, I can only opt out for individual text fields. That takes a bunch of extra clicks, and if I forget I end up with the password stored in the wrong place, which I may not realize until much later, when it’s harder to fix. Just let me choose to have an empty text field by default.

Previously:

cachiporra:

I love how Hulu’s password reset input field silently strips out the dashes and compacts the password, while Apple dutifully saves the original.

Update (2024-10-11): Ricky Mondello notes that on Sequoia there’s a setting in the Passwords app to turn off password generation.

Update (2024-10-18): See also: Hacker News.

Sequoia Security Scoped Bookmarks Bug

Matthias Gansrigler:

If you’re using Yoink on macOS Sequoia, you might have encountered an issue where Yoink would not accept any files anymore.

[…]

Basically any app that handles file URLs and saves them as a security-scoped bookmark for later access can be bitten by this bug, currently occurring on macOS 15.0 and 15.0.1.

DTS Engineer:

What you’re hitting is bug in “ScopedBookmarksAgent” which can cause it hang if it happens to have been launched when the keychain was also locked (for example, late in the screen lock process). That bug is fixed as of macOS 15.1 beta 4.

If you’re hitting it regularly during development, you can resolve the issue by killing ScopedBookmarksAgent (you may also need to kill and relaunch your app, depending on what state it ends up). On the user side, a log out (or reboot) should resolve the issue.

Jeff Johnson:

macOS Sequoia is disproof of the theory that spreading out WWDC-announced features over the course of the year will improve software quality.

Previously:

Wednesday, October 9, 2024

Panic Drops Google Drive Access

Michael Buckley (Mastodon, Hacker News):

At some unknown point in the future, Google will revoke Transmit’s access to Google Drive. Sometime after that, we’ll be releasing updates to Transmit and Nova that remove the ability to create Google Drive connections.

[…]

In March, Transmit was re-approved for Google Drive access — but we were told we would now need to pass this check annually. At this point, we began to question whether this yearly process was worth it.

Between the weeks of waiting, submitting the required documentation and the process of scanning the code, it took a significant amount of time from our engineers. For example, Google provided a Docker image for running the scanner, but it didn’t work. We had to spend more than a week debugging and fixing it. And because the scanner found no problems, it didn’t result in any improvements to Transmit. No one benefitted from this process. Not Google, not Panic, and not our users.

[…]

Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review. […] These ever-shifting requirements and expenses are finally catching up to third parties.

Damien Petrilli:

I have the feeling that Google Drive is going to be useless very soon. Most indie apps are going to stop supporting it.

Previously:

Musi for YouTube Removed From the App Store

Ashley Belanger:

Musi, a free music-streaming app only available on iPhone, sued Apple last week, arguing that Apple breached Musi’s developer agreement by abruptly removing the app from its App Store for no good reason.

According to Musi, Apple decided to remove Musi from the App Store based on allegedly “unsubstantiated” claims from YouTube that Musi was infringing on YouTube’s intellectual property. The removal came, Musi alleged, based on a five-word complaint from YouTube that simply said Musi was “violating YouTube terms of service”—without ever explaining how. And YouTube also lied to Apple, Musi’s complaint said, by claiming that Musi neglected to respond to YouTube’s efforts to settle the dispute outside the App Store when Musi allegedly showed evidence that the opposite was true.

[…]

In its complaint, Musi fully admits that its app’s streams come from “publicly available content on YouTube’s website.” But rather than relying on YouTube’s Application Programming Interface (API) to make the content available to Musi users—which potentially could violate YouTube’s terms of service—Musi claims that it designed its own “augmentative interface.” That interface, Musi said, does not “store, process, or transmit YouTube videos” and instead “plays or displays content based on the user’s own interactions with YouTube and enhances the user experience via Musi’s proprietary technology.”

Ben Lovejoy:

Musi launched back in 2016, and proved a big hint with teens in particular, as it provided completely free music streams without the audio ad interruptions you get on Spotify’s free tier.

By the beginning of this year, Musi was actually bigger than many of its rivals.

[…]

The Google-owned company said that Musi violated its terms of service by doing this, while the service claimed it was effectively just acting as a web browser and therefore was doing nothing wrong.

Previously:

China Possibly Hacking US “Lawful Access” Backdoor

Bruce Schneier:

The Wall Street Journal is reporting that Chinese hackers (Salt Typhoon) penetrated the networks of US broadband providers, and might have accessed the backdoors that the federal government uses to execute court-authorized wiretap requests. Those backdoors have been mandated by law—CALEA—since 1994.

Zack Whittaker:

The wiretap systems, as mandated under a 30-year-old U.S. federal law, are some of the most sensitive in a telecom or internet provider’s network, typically granting a select few employees nearly unfettered access to information about their customers, including their internet traffic and browsing histories.

But for the technologists who have for years sounded the alarm about the security risks of legally required backdoors, news of the compromises are the “told you so” moment they hoped would never come but knew one day would.

Jon Brodkin:

The Washington Post reported on the hacking campaign yesterday, describing it as “an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance.” The Post report attributed the information to US government officials and said an investigation by the FBI, other intelligence agencies, and the Department of Homeland Security “is in its early stages.”

The Post report said there are indications that China’s Ministry of State Security is involved in the attacks.

John Gruber:

This incident should henceforth be the canonical example when arguing against “back doors for the good guys” in any networks or protocols. It’s not fair to say that all back doors will, with certainty, eventually be compromised, but the more sensitive and valuable the communications, the more likely it is that they will. And this one was incredibly sensitive and valuable. There are downsides to the inability of law enforcement to easily intercept end-to-end encrypted communication, but the potential downsides of back doors are far worse.

Nick Heer:

According to a 2016 paper from Public Safety Canada, “Australia, the U.S., the UK and many other European nations require CSPs [Communications Service Providers] to have an interception capability”; it also notes Canada does not. Such a requirement is understandable from an investigative perspective. But, as Pfefferkorn says, capabilities like these have been exploited before, and it will happen again. These are big targets and there are no safe backdoors.

Previously:

Google App Store Monopoly Remedy

Sean Hollister (PDF, Hacker News, MacRumors):

Today, Judge James Donato issued his final ruling in Epic v. Google, ordering Google to effectively open up the Google Play app store to competition for three whole years. Google will have to distribute rival third-party app stores within Google Play, and it must give rival third-party app stores access to the full catalog of Google Play apps, unless developers opt out individually.

These were Epic’s biggest asks, and they might change the Android app marketplace forever — if they aren’t immediately paused or blocked on appeal.

[…]

In Epic v. Google, Epic successfully argued that Google had created such a substantial array of deals with developers, carriers, and device makers that it was nigh-impossible for rival stores to spring up. By blocking those sorts of deals, and proactively helping rival app stores, it’s possible some real competition to Google’s monopoly could now arrive.

Google will still have some control over safety and security as it opens up the Google Play Store to rival stores. The injunction says that Google can “take reasonable measures” that are “strictly necessary and narrowly tailored” and are “comparable” to how it currently polices the Google Play Store. Google will be able to charge a fee for that policing, too. Epic has repeatedly argued that Google should not be able to deter third-party app stores through policing, so it’s likely Epic and Google will keep butting heads over this.

Thomas Claburn:

Google, in a blog post, unsurprisingly disagreed – it is appealing the verdict and will ask the courts to pause the injunction until its appeal is heard.

John Gruber:

What Judge Donato is demanding is effectively pass-through to the actual Play Store listing for any apps and games that aren’t available in a third-party app store. So if you search in the Brand X app store for “FooApp” but FooApp isn’t available in the Brand X store, Brand X’s store app can let you install and download FooApp from the Play Store. But that counts as a regular Play Store installation. It’s just a way to encourage users of third-party stores to search those stores first, even though the vast majority of apps will likely remain exclusively in the Play Store.

Michael Love:

This is fantastic news, going way beyond what Apple v Epic required. And will solve a big practical problem for me, namely that people get unofficial mirrored Play versions of Pleco from Chinese app stores, can’t use Play IAP + I can’t link to another method.

It’s also going to help a lot with getting iOS users to buy from my website, because their Android friends will see a link to save money buying on my website and will tell their iOS using friends about it. (In fact I can even mention in the app that it works on iOS too)

M.G. Siegler:

The DoJ is basically putting every option on the table, including the big one: a breakup of Google itself into smaller parts.

Previously:

Update (2024-10-10): See also: Hacker News.

Tuesday, October 8, 2024

Scripting News at 30

Dave Winer:

Today is the 30th anniversary of this blog.

I did a roundup of thoughts when this blog turned 25. I stand by what I wrote then, but I’d add this. My blog started because I needed content to test a script I had written that sent emails on my Mac using Eudora, which was an early scriptable app and I had a nice scripting system that worked with it. I looked around for something to send (30 years ago today), and shot out an email to the people whose business cards I had collected at various tech conferences. It was a thrill, so I did it again, and again and three more times, before I realized hey I could use this thing to get my own ideas out there. And thus began this thing that I still do to this day. Look at the two posts I wrote about WordPress in the last few days. There may be hope to find a blogosphere buried somewhere in there. And it may be possible to give them some sweet new writing tools so they can get excited about writing on the web the way we did all those years ago. I actually am kind of optimistic about that. Maybe we can stand up something in the midst of the noise. When we booted up podcasting, approx 20 years ago, we had a slogan -- “Users and developers party together.” It worked! That is still the way I want to build stuff, it’s the only way I know how to do it. Blogging started out as a programming adventure and eventually became a form of literature. How about that. I’m up for doing more of that if you all are. But please expect to make contributions, don’t expect it all to come to you for free, because as we know nothing really is free.

[…]

I appreciate all of the messages, but would appreciate them even more if they were on your blog. We need to keep using the tech. Blogging is kind of lost, and I would like to see that change. Every time you post something you’re proud of on a social media site, how about taking a moment and posting it to your blog too. And while there, if appropriate, link to something from some part of your post, even though the social media sites don’t support linking, the web is still there and it still does.

Om Malik:

The best version of Dave is the Hopeful Dave. Today, writing on his blog, he is still pushing for the blogs into the future, one line at a time.

John Naughton:

In 1983, Winer founded a company, Living Videotext, to develop and commercialise the outlining idea, and six years later sold it to Symantec for enough money to enable him to do his own thing for the rest of his life. One of those things involved playing a leading role in developing RSS (really simple syndication), a tool that allows users to keep track of many different websites in a single application (a news aggregator) that constantly monitors sites for new content. (Think of it as the hidden wiring of the web.)

[…]

Like many of us, he realised that what came to be known as the blogosphere could be a modern realisation of Jürgen Habermas’s idea of “the public sphere” because it was open to all, everything was discussable and social rank didn’t determine who was allowed to speak. But what he – and we – underestimated was the speed and comprehensiveness that tech corporations such as Google and Facebook would enclose that public sphere with their own walled gardens in which “free speech” could be algorithmically curated while the speakers were intensively surveilled and their data mined for advertising purposes.

John Gruber:

Winer is rightfully renowned for his technical achievements — outliners as an application genre, RSS in general, and RSS in the specific context of podcasting in particular — but what’s kept me reading Scripting News for the entirety of Scripting News’s 30-years-and-counting run is his writing. He has such a distinctive writing voice that is impossible to imagine in any medium other than the web.

See also: Guy Kawasaki’s podcast about Winer’s career and this post about MORE:

We called it that because there was so much more in it than the earlier outliner, ThinkTank 512, we didn’t have any idea which new feature, if any, would be the one that turned people on.

We didn’t have the luxury of picking among them because our company was on the verge of going out of business. We needed help from Apple to make it to shipping. They gave us a loan of $400K, and we put our source code in escrow in case the company failed, which looked like a real possibility.

Dave Winer:

This is why listening to users is so important.

Sometimes they give you the idea that puts your product over the top.

That’s how our outliner became a blockbuster on the Mac in 1986.

It’s how podcasting was born in 2001.

Previously:

Jettison 1.8.9

St. Clair Software:

  • When you set keyboard shortcuts for ejecting, sleeping and remounting, they are now shown in Jettison’s menu.
  • Fixed a bug that could result in an error message when manually mounting a volume even though the volume mounts correctly.
  • When an encrypted disk cannot be mounted because its password is not in the keychain, the error message explains how to fix the problem.

The app is presented as a way to eject external drives before putting your Mac to sleep. I use it for other things:

Previously:

Photoshop Elements Switches to Subscriptions

Jeremy Gray (Hacker News):

In Photoshop Elements 2025, a new AI-powered Remove Tool makes it easy to erase and replace distracting objects in photos, including unwanted people and distracting objects. This new feature also includes an accompanying “Object Removal” Guided Edit to walk new users through the process.

[…]

Photoshop Elements has long included a range of collage tools, enabling users to combine multiple photos. With AI-powered subject detection tools, it’s now easier to blend the subject from one shot with the background of another. Editors can learn the ropes of this type of photo compositing with a new “Combine Photos” Guided Edit.

[…]

While prior versions of Photoshop and Premiere Elements have been lifetime licenses — the user buys the software and then owns it indefinitely — this year’s release has moved to a three-year license term. […] Once that period is up, users will no longer have access to the software’s editing functions, although they will still have access to Elements Organizer to view and manage their files.

But at least it’s separate from Creative Cloud.

Previously:

Networking Issues in Sequoia

Christian Starkjohann:

We don’t recommend upgrading [to Sequoia] now because there are several bugs related to networking and firewalls in the 15.0 release. We expect most of them to be fixed in 15.1.

[…]

There are individual reports of websites aborting loading midway. We believe this is a general problem with TCP connections, not only ssh, but ssh seems to trigger it most frequently.

[…]

If you have configured Apple’s firewall to block incoming connections, it blocks all incoming UDP packets, even if they are responses to requests, e.g. responses to DNS name lookups.

Christian Starkjohann:

According to our tests, the issue with the built-in firewall appears to be fixed [in 15.0.1].

[…]

Recent user feedback indicates a shift of the situation: users who consistently encountered the problem no longer report it, while others, who were previously unaffected, are now experiencing ssh connections dropping after some time. We don’t yet have sufficient data to determine whether this is coincidence or if the bug persists.

[…]

We have received several reports from users of Little Snitch and Little Snitch Mini where the network content filter became inactive in the course of installing the macOS update. You’ll notice that you are affected if the Network Monitor stops displaying traffic or if connection blocking no longer works.

Previously:

Monday, October 7, 2024

Launching Before UserDefaults Is Available

Christian Selig (Mastodon):

It seems at some point, even though UserDefaults is intended for non-sensitive information, it started getting marked as data that needs to be encrypted and cannot be accessed until the user unlocked their device. I don’t know if it’s because Apple found developers were storing sensitive data in there even when they shouldn’t be, but the result is even if you just store something innocuous like what color scheme the user has set for your app, that theme cannot be accessed until the device is unlocked.

[…]

Again, who cares? Users have to unlock the device before launching my app, right? I thought so too! It turns out, even though Apple’s prewarming documentation states otherwise, developers have been reporting for years that that’s just wrong, and your app can effectively be fully launched at any time, including before the device is even unlocked.

Combining this with the previous UserDefaults change, you’re left with the above situation where the app is launched with crucial data just completely unavailable because the device is still locked.

[…]

If you use Live Activities at all, the cool new API that puts activities in your Dynamic Island and Lock Screen, it seems if your app has an active Live Activity and the user reboots their device, virtually 100% of the time the above situation will occur where your app is launched in the background without UserDefaults being available to it.

UserDefaults doesn’t actually report an error, and this can lead to incorrect behavior and data loss.

Christian Selig:

It’s a really rough bug, because if you sometimes can’t trust UserDefaults, it means you can read out data from it with the intent to modify it slightly before saving it back, only now you’re modifying junk data and overwriting the good data 🫤

Quinn (in 2015):

IMO the best way around this is to avoid NSUserDefaults for stuff that you rely on in code paths that can execute in the background. Instead store those settings in your own preferences file, one whose data protection you can explicitly manage[…]

NSFileProtectionCompleteUntilFirstUserAuthentication and prewarming don’t apply on the Mac, but similar problems can occur there. A common cause of support issues is that the customer has entered some data or changed a setting, and the app seems to work normally for that launch, but upon relaunch all the changes are forgotten. macOS doesn’t notify the app that the data was never saved to the .plist file, e.g. because of a file permissions problem or because the user tried to redirect the user defaults storage using a symlink.

Previously:

Update (2024-10-08): Guy English:

This is a very nasty corner of a dead simple API that can lead to data loss for customers. UserDefaults should be as straightforward to use as possible. I’d propose a new UserDefaults domain for “public” data that you’d access via something like: UserDefaults.public.

[…]

As more of app functionality is subsumed by the OS managing a series of plugins this sort of thing must be reliable and foolproof.

[…]

“Changed” may be off the mark here too—I think those security changes were done way back in iOS 7. I suspect what’s happening is that the issue is becoming more apparent due to the differing security contexts code is running under more frequently now. It makes sense to secure the Defaults. But it also makes sense to store non-sensitive defaults there… so it’s a pickle currently.

Pasi Salenius:

In addition to encrypted userdefaults being unavailable on background launches, there is something else that is not working right. I sometimes notice defaults not being available in viewDidLoad, and have received reports of that happening to my users. It usually happens after an OS update and reboot.

Christian Selig:

Yeah that’s part of the whole “full launch” business unfortunately, appDidFinishLaunching and corresponding view controllers will be fully getting built without UserDefaults being available even though the docs on prewarming state otherwise.

Christian Selig:

I wanted to build something small and lightweight that would serve to fix the issues I was encountering with UserDefaults and thus TinyStorage was born! It’s open source so you can use it in your projects too if would like.

Dealing With Objective-C Protocol Types in Swift

Dave Rahardja:

There are two ways to refer to this protocol in Swift: using a native Swift type, or using an Objective-C Protocol object reference.

let fungibleSwiftProtocol = Fungible.self
let fungibleObjCProtocol = NSProtocolFromString("Fungible")!

These two types should be the same—after all, they refer to the same protocol—but they are not, as shown when we print out their descriptions and ObjectIdentifiers[…]

[…]

The answer is yes: there is a way to convert a Swift type that refers to an Objective-C protocol into an Objective-C Protocol reference.

[…]

fungibleSwiftProtocol as AnyObject as? Protocol

There is apparently no way to convert in the other direction.

Previously:

Xcode 16 Folders and Groups

Sarah Reichelt (Mastodon):

In Xcode 16, project files and folders are arranged differently in the Project navigator. What used to be a group is now a folder, and this simple change has some interesting effects. At first, I was against the new scheme - in fact in my SwiftUI for Mac 2024 article, I specifically recommended reverting back to the old group method. But after doing some more reading and testing, I think the answer is not so clear cut.

[…]

At a first glance, there are two differences: the order of the files & folders and the color of the folder icons. A less obvious difference is that in Xcode 15, I can drag files around to arrange them in the order I prefer. In Xcode 16, I can’t do that. I can drag files into or out of folders, but I can’t move them around at the same level.

[…]

This points out the fundamental difference between the two approaches: groups are an artificial construct that is stored in the project files. Usually, this mirrors the file and folder structure in Finder, but it doesn’t have to. When you use folders, Xcode is reading the file and folder structure directly from the Finder.

[…]

The big difference is in source control, especially if you’re working with other people. When every file addition, deletion or move also changes the project file, you have a much greater chance of getting a merge conflict.

Previously:

Meta Fined for Logging Passwords

Alexander Martin (via Hacker News):

The social media giant Meta has been fined €91 million ($101 million) for accidentally storing hundreds of millions of its users’ passwords in plaintext instead of in an encrypted format on its internal systems.

Meta first announced discovering the engineering mistake back in 2019. At the time, the company stated it would be notifying everyone whose passwords were stored without protection although it stressed the passwords were only exposed internally at Meta, and there was no evidence that any of them had been abused.

Following a five year investigation, the Irish Data Protection Commission (DPC) — which is the EU’s lead privacy authority on Meta, as the company’s European headquarters are based in Ireland — found the incident was a breach of Meta’s legal duties under the EU’s General Data Protection Regulations (GDPR).

Dan Goodin (Hacker News):

The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

[…]

For more than three decades, best practices across just about every industry have been to cryptographically hash passwords.

Because “only” hundreds of millions of users are affected, it sounds like they were not actually storing the passwords in the database unhashed. Rather, they were probably inappropriately logging some raw request data. So it’s not that the passwords should have been hashed but that they shouldn’t have been logged. This is bad, but it seems Meta caught the problem themselves and were transparent about it. It’s unclear to me what the DPC was investigating for five years.

Friday, October 4, 2024

“Damaged” Mac App Store Apps

Keith Gugliotto:

The Mac App Store places a receipt file in each purchased application. The receipt includes a certificate the application uses to validate that receipt to be sure you’ve made a bona fide purchase. That certificate is only valid for a limited amount of time – in our experience, up to about 25 months, though sometimes significantly less, which could indicate the App Store renews these certificates every so often. So, when you see this “damaged” message out of the blue, it’s almost surely because the certificate in the receipt has expired. You could set the date on your Mac back a bit to work around it, but you really want to straighten things out so you don’t have to go through that fun every time you sit down to use an application.

Usually, as long as your current Apple Account has a valid purchase for the application in question, you won’t ever see the “damaged” message because the application will tell the Mac the receipt’s invalid, the Mac will automatically refresh your receipt, and you’re on your way. You should only see the message in those three cases we outlined above.

Matthias Gansrigler:

Are any other Mac developers observing a surge of support requests for “<App> is damaged and can’t be opened. Please re-download it from the Mac App Store” recently?

It started yesterday, out of the blue. macOS 15, 14, 13 and 12 as well…

I am not seeing this personally, and I’m not sure what’s going on here, but there are multiple reports of problems launching Mac App Store apps.

This bug thread suggests that some receipt validation code needs to change because Sequoia adds MAC address randomization. This post and other sources suggest that it’s important to use StoreKit 2 instead of validating receipts directly, although perhaps that only pertains to IAP. Apple’s sample code does not seem to have changed.

Previously:

Update (2024-10-08): Sam Rowlands (tweet):

The OWStoreKitBridge is the latest Mac App Store receipt verification code from Ohanaware. It uses a whole new design to fit in with Apple’s StoreKit, now that the classic Mac receipt verification functions have been moved to legacy.

Update (2024-10-15): See also: this thread.

Lukas Kubanek:

Since exit(173) is the macOS counterpart to SKReceiptRefreshRequest on iOS, I guess it falls into the same deprecation category. However, they say that the original API will continue to work. But then, exit(173) has had long phases of not working at all (example), so I’m not surprised if it’s been cut.

Alexander Blach:

I would like to move to AppTransaction, but last time I checked it didn’t support volume purchases (VPP). For apps bought in Apple School Manager, it showed an Apple ID login prompt instead.

exit(173) now shows the “API no longer available” alert when I run a build from Xcode 16 on macOS 15, but it still actually refreshes the receipt anyway.

I wonder in which circumstances exactly this alert is shown. Maybe only when using the sandbox environment?

Setting Up an iOS VPN Without an App

ForestVPN:

Many of us rely on VPN apps to secure our online activities, but did you know there’s a way to set up a VPN on your iPhone without downloading an app? This method not only saves space but also provides a seamless experience for users who prefer a more direct approach.

Via John Gruber:

It just requires some futzing in Settings and a VPN provider that supports it. Presumably, this technique remains available to iPhone users in Russia.

[…]

VPN apps remove complexity from this process, but it’s worth noting that VPN access doesn’t require an app.

However, at least in the case of ForestVPN, it’s confusing how to sign up for the service without using an app. If you click Get Started it just directs you to download the app. It looks like if you click Get MacOS CLI it will let you sign up on the Web.

Riley Testut:

Anecdotally, Russia has long been the most popular country for AltStore Classic usage by far

Previously:

macOS 15.0.1

Juli Clover (release notes, no security, enterprise, no developer, full installer, IPSW):

According to Apple’s release notes, macOS Sequoia 15.0.1 fixes a bug that could cause the Messages app to crash when a message with a shared Apple Watch face was sent, and it improves third-party software compatibility.

See also: Mr. Macintosh and Howard Oakley.

Previously:

Update (2024-10-08): Lorenzo Franceschi-Bicchierai:

In September, Apple released the new version of its computer operating system macOS 15, also known as Sequoia, which broke the functionality of several cybersecurity products, including those made by CrowdStrike and Microsoft.

Three weeks later, on Friday, Apple released the first update to macOS 15, and it claims to have fixed those issues. In the macOS 15.0.1 release notes, Apple says that the update “improves compatibility with third-party security software.”

Update (2024-10-15): Ugur Koc:

We’ve noticed some users still facing internet connectivity issues (with 15.0.1). Please check if you have multiple Network Filters enabled, as having more than one can cause network problems on Mac. This issue is not limited to Defender for Endpoint on macOS and can also affect other security software vendors and VPN applications.

iOS 18.0.1

Juli Clover (release notes, security, enterprise, no developer):

iOS 18.0.1 update addresses issues with several bug fixes for the touch screen, camera, and Messages app.

Previously:

iPadOS 18.0.1

Juli Clover (release notes, security, no developer):

Apple today released iPadOS 18.0.1 for the iPad, and it brings iPadOS 18 to the for M4 iPad Pro models for the first time since the iPadOS 18 update was pulled for those devices. After iPadOS 18 was released, it was found that a small number of M4 iPads were bricked when the software was installed. If you haven’t been able to install iPadOS 18 on your iPad Pro, it is now available.

Previously:

watchOS 11.0.1

Juli Clover (release notes, no security, no developer):

watchOS 11.0.1 introduces bug fixes for the Apple Watch. It fixes an issue that could cause the Music app to crash, plus it addresses a bug that could cause the battery to drain faster than expected. There’s also a fix for a bug that could cause the touchscreen to be unresponsive on the latest Apple Watch models, and a bug that could cause unexpected restarts.

Previously:

visionOS 2.0.1

Juli Clover (release notes, no developer, no security, no enterprise):

The visionOS 2 update fixes a bug that could cause YouTube in Safari to freeze, plus it addresses an issue with Safari Web Extension data.

Previously:

Thursday, October 3, 2024

PDFpen/Nitro and Cleverbridge

Matt Henderson:

There used to be a great PDF app for the Mac called something like PDFPro [PDFpen]. At some point it got acquired by @NitroHQ, and began to ask to upgrade to a new version seemingly every time I launched it—up to version 13.

Today, on macOS 15, I needed it, but it wouldn’t launch. So I visited the website and it’s been acquired by a faceless enterprise company called @cleverbridge.

Version 14 for Mac is $170 (!) but I needed it so off to checkout. I enter my details, all fields light up green, and—purchase failed, please fix the “incomplete fields”. Wtf.

They double-billed him and signed him up for an unwanted subscription.

Not only that but I get activation instructions for the Windows version of the app! The Mac version simply shows a login screen.

But I don’t have an account! Create an account with the same email address, and their system doesn’t recognize I’ve purchased the app.

[…]

Visiting the “customer support portal” and trying to submit a request results in a—blank page.

As far as I can tell, Nitro purchased Cleverbridge and is using it to process payments:

Online orders of Nitro PDF Pro are processed (payment and order fulfillment) by our partner, Cleverbridge, Inc.

If you are an account admin who has purchased a Nitro Pro subscription through our partner reseller CleverBridge, you can now purchase additional licenses directly from within the Nitro Admin app.

[…]

When your payment is successfully processed, you will be directed to a Purchase Confirmation page with your CleverBridge Order number and invoice.

But if you need a refund you’re supposed to contact Nitro:

If you recently purchased Nitro Productivity Suite and wish to request a refund, please contact Nitro directly via their website. They would be happy to assist you with your request. While Cleverbridge is a partner of Nitro, we do not currently process their refunds.

It’s too bad that Smile didn’t want to keep developing and supporting the app.

Previously:

Finder Sync Extensions Removed From System Settings in Sequoia

ZigZag (also):

Even though Finder Sync extensions are embedded and distributed in their containing applications (like containing application FileUtils embeds its extension FileUtilsSync), the actual hosting application for those extensions is Finder. They modify Finder’s appearance and behavior, adding menu items and icon badges. Hence, fundamental things related to these extensions, like registering with OS, start and termination, as well as enabling and disabling them, aren’t controlled by the containing application, but by Finder and macOS instead. Registration with OS is done by Launch Services. It usually happens at the time the containing application is launched for the first time (after passing TCC quarantine check). Starting and termination of Finder Sync extension is also controlled by Finder/macOS and there may even be more processes of the same extension running, depending on how many Finder windows and file selectors (open/save panels) are open. The containing application can surely try to start and terminate its embedded extension, but the documentation clearly discourages that, since it can collide with how Finder controls them.

Finally, there’s enabling and disabling Finder Sync extensions. Even though an extension can be installed and registered, per user request it can be disabled (thus, completely ignored) and enabled. Containing application can do this programmatically, by tasking pluginkit command line tool to list, enable and disable (any, not just Finder Sync) extension, or using private NSExtension class found in FoundationKit framework. End users traditionally performed this task in System Settings application (System Preferences on macOS 12 Monterey and earlier). Well… Until macOS 15 Sequoia! In the latest incarnation of macOS, there isn’t any graphical UI way to manage Finder Sync extensions!

[…]

Revealing “Extensions” settings in System Settings on Ventura shows the same subsections like in System Preferences on Monterey, with one, for this story very important, change… “Finder Extensions” subsection is missing! The only place to find Finder Sync extensions settings is “Added Extensions” subsection. Early versions of Ventura even had “Finder Extensions” subsection, dedicated to Finder Sync extensions, but it was buggy and unreliable.

[…]

And then macOS 15 Sequoia came some 17 days ago. In its third reincarnation, System Settings application experienced third rearranging and shifting. “Extensions” settings are now under “General” section, “Logging Items & Extensions” subsection. […] Yes, you see it right, there is no “Added Extensions” section!

Managing extensions using the pluginkit command-line tool is not very friendly (and can’t be invoked by a sandboxed app), so Dragan Milić has written a free app called FinderSyncer that puts a nice user interface on top.

It’s not entirely clear what Apple is doing here, but the impression I get is that these days Apple is focusing on the File Provider Extension architecture that’s used for cloud syncing. It’s a shame because this does not allow all the same functionality as Finder Sync Extensions:

I believe many other developers understood it the same as me, especially considering the fact that Finder Sync extensions provide a way to add custom menu items to Finder’s contextual menu. I think most developers saw it as a sort of continuation of old CMPlugin API from MacOS (yes, the capital ‘M’) 8/9 days, which was available until Mac OS 10.6 Snow Leopard. It’s seen as a way to extend Finder’s capabilities, by executing custom operations (not limited to “synchronize the contents of a local folder with a remote data source”) on files selected in Finder.

I think I know about 50 - 60 applications embedding Finder Sync extensions at the moment, and only a dozen of them actually “synchronize the contents of a local folder with a remote data source”, mostly coming from huge and well known cloud providers (Dropbox, Google, Microsoft…). All others, mostly coming from independent Mac developers, offer some custom operations of files selected in Finder, nothing related to any sort of syncing. I believe MR_Noodle’s case is the similar one, “outside of its recommended use case”. Taking the above into consideration, I think it’d be a huge mistake for Apple to discontinue and deprecate Finder Sync extensions without providing functionally equivalent replacement. That would break a lot of third party Mac software and render those applications completely useless.

Previously:

IDA Pro 9 Switches to Subscriptions

Alex Petrov (release notes):

This release is amplified with new disassemblers and decompilers, such as the RISC-V decompiler, the disassembler support of T-Head instruction set for the XUANTIE-RV architecture, the nanoMIPS decompiler and disassembler, and the Web Assembly (WASM) disassembler.

Balaji N:

The latest version of the Interactive Disassembler (IDA) software introduces a unified licensing model, allowing users to operate a single license across Windows, Linux, and macOS platforms.

Also, there are no more perpetual licenses, only subscriptions. The home version (2 cloud-based decompilers) is $365/year, while the Pro Expert 2 version (2 local decompilers) is $2,999/year.

Stefan Esser:

In light of recent changes to the IDA license model my training courses will be adjusted to fully support Ghidra scripting within the next 12 months. Existing IDA 8.x scripts will not be ported to IDA 9.

No idea what happens to the free version but for pay versions will become a yearly subscription that actually expires one month after it runs out. IDA will stop working then. Furthermore the subscription with 2 decompilers will cost nearly double what I pay now for 4 dexompiers

And it seems like they are reneging, in that if you had recently purchased a perpetual license for version 8, you were supposed to get free updates for a year. Instead, they are giving access to version 9 for a year, but then it stops working and you have to go back to version 8 or sign up for a subscription.

Previously:

Restoring Shift-Key Slow-Motion Minimizing to Dock

John Gruber:

What I’d forgotten is that Apple had removed this as default behavior a few years ago (I think in MacOS 10.14 Mojave), but you can restore the feature with this hidden preference, typed in Terminal:

[…]

defaults write com.apple.dock slow-motion-allowed -bool YES; killall Dock

Update (2024-10-07): Saagar Jha:

High Sierra, actually.

Wednesday, October 2, 2024

Juno for YouTube Removed From the App Store

Christian Selig (tweet, Mastodon, Hacker News):

For those not aware, a few months ago after reaching out to me, YouTube contacted the App Store stating that Juno does not adhere to YouTube guidelines and modifies the website in a way they don’t approve of, and alludes to their trademarks and iconography.

I don’t personally agree with this, as Juno is just a web view, and acts as little more than a browser extension that modifies CSS to make the website and video player look more “visionOS” like. No logos are placed other than those already on the website, and the “for YouTube” suffix is permitted in their branding guidelines. Juno also doesn’t block ads in any capacity, for the curious.

I stated as much to YouTube, they wouldn’t really clarify or budge any, and as a result of both parties not being able to come to a conclusion I received an email a few minutes ago from Apple that Juno has been removed from the App Store.

The App Store guideline is stacked against developers:

5.2.2 Third-Party Sites/Services: If your app uses, accesses, monetizes access to, or displays content from a third-party service, ensure that you are specifically permitted to do so under the service’s terms of use. Authorization must be provided upon request.

So it doesn’t matter whether the app was actually violating the terms of use. If YouTube complains and won’t provide authorization, there’s nothing you can do. There seems to be no limiting factor that would prevent any Web site from objecting to any app that displays Web content.

Juli Clover:

YouTube does not have a dedicated app for the Vision Pro, which is why Selig designed and released Juno last February. Prior to when the Vision Pro launched, YouTube said that it would not develop a Vision Pro app, nor would it allow the YouTube iPad app to run on the headset. With Juno removed, those who want to watch YouTube on Vision Pro will need to use Safari.

Kyle:

Dang, just last night I thought to myself, “if it wasn’t for Juno I would never use my Vision Pro.”

David Barnard:

Welp… with that, the one use-case I really cared about on Vision Pro is now gone (or at least unable to be updated, and Google may eventually break the app).

Vision Pro is probably the worst “business investment” I’ve ever made. As much as I love the hardware, there’s just not enough content and not enough compelling apps. If Google does break Juno, my several hour a week usage will probably drop to near zero.

John Gruber (Mastodon):

I don’t expect to see YouTube launch a native VisionOS app soon, and even if they do, I doubt it’ll be anywhere near as good as Juno. What I was obviously wrong about in that February post was thinking that YouTube wouldn’t care about Juno’s existence, given that Juno did not block ads. All it did was make the YouTube experience great on Vision Pro.

This makes Selig — one of the most gifted indie developers working on Apple’s platforms today — 2 for 2 on getting hosed by big platforms for which Selig created exquisitely well-crafted clients.

It’s a shame, but clients for services that you don’t control just seem to be a bad place to be. If the service is free, the company providing it can kill your app. If it’s paid, Apple will want a cut of the revenue, even though it doesn’t pass through you.

Previously:

Update (2024-10-03): Andre LaBranche:

There is exactly one reason that Juno is very easy for YouTube to kill and yt-dlp is very hard for YouTube to kill.

Pinning iCloud Drive in Sequoia

Howard Oakley:

The reason for this bizarre and annoying interface is the way that pinning is implemented.

When you pin files individually or in groups of up to ten, each file gains its own pinning extended attribute, of com.apple.fileprovider.pinned. But when you pin a folder, only that folder gains the extended attribute, none of the files or folders within it. The whole folder and the paths within it are designated as being pinned. And, as far as I can tell from the absence of any better information in Apple’s missing documentation, there’s no single method to determine whether a file in iCloud Drive is pinned.

Instead, you have to both

  • look for the extended attribute attached to the file, and
  • check all the folders in its path to determine if any of them has the extended attribute, which would then pin everything in their path.

Apple doesn’t document any file or URL attribute that can be used to determine whether a file or folder is pinned.

I think the design makes sense in that if I pin a folder I do want its future contents to be pinned. This is also how inclusions and exclusions for backup software generally work. But it seems that the interface could be clearer and more helpful.

Previously:

Update (2024-10-03): Howard Oakley:

If you have 100 files in a folder and want to pin 99 of them, you have to select groups of no more than 10 and pin each group, ten times.

Migrating the TelemetryDeck SDK to Swift 6 Mode

Cihat Gündüz:

And this summer at WWDC 2024 the longest session of them all was migrating your app to Swift 6 for a reason. This major new update to the language brings a new level of safety – namely data-race safety – which is awesome news for more correct code, but it also comes with a lot of new requirements we all need to adapt to.

[…]

The following 3 sections explain how we fixed the ~30 issues we've run into in our code, grouped by the solution we applied and an explanation why we opted for that solution with a code sample.

[…]

As ISO8601DateFormatter is a type defined within Foundation, we can't make it concurrency-safe itself, so we just need to deal with its mutable nature and work around it. The easiest way to this in our case was to turn our let constant into a get-only computed property, like so[…]

I find this aesthetically displeasing. It would be unusual and bad form to modify the properties of a shared formatter. But there’s no way to tell Swift you’ll treat it as immutable, so therefore we give every user a fresh copy? There’s probably a way to wrap it in a Sendable type, but how much do you want to contort your code to avoid this inefficiency?

Migrating to Swift 6 mode with all of its data-race safety glory was not an easy task. Despite our small project size, we ran into many warnings that all looked similar on the surface, but each of them needed careful consideration.

Previously:

Update (2024-10-03): Jesse Squires:

Ok so it appears someone has botched Swift Concurrency for UICollectionViewDiffableDataSource.

How are you supposed to work around this?

Local Network Privacy on Sequoia

Collin Allen:

Running into a Sequoia bug where third party binaries running under a launchd agent are denied local network access despite approving the privacy prompt. This has the effect of making my iOS app’s CI unable to deploy successful builds, as my deployment tool is not one that ships with macOS.

Quinn:

  • If you run a tool from Terminal, then Terminal is considered the responsible code and, as a system app, it’s not subject to local network privacy.

  • If you run an executable as a launchd daemon, it runs as root and local network privacy does not apply to code running as root.

However, if you configure the executable to run as a launchd agent, you will see local network privacy prompts.

dverevkin:

Here my experiments also show different results - if the bundled application is launched as a launchd daemon, the prompt will appear, even though the app runs with root privileges[…]

And, apparently, even approving the prompt doesn’t work.

Previously:

Tuesday, October 1, 2024

Hurricane Helene and Messages via Satellite

Ryan Christoffel:

Hurricane Helene has caused massive damage and taken over 100 lives across several US states. Many thousands of people are without power and/or cell service. But in the wake of the storm, reports have surfaced about a key iOS 18 feature that has been a lifeline for survivors: Messages via satellite.

[…]

To learn more about Messages via satellite, Apple has a support document available here.

Satellite messaging was added in iOS 16 (for iPhone 14 and newer) but only supported contacting emergency services. With iOS 18, you can also contact family and friends when there’s no Wi-Fi or cellular coverage.

Eric Berger:

Unfortunately, the National Climatic Data Center is based in Asheville, North Carolina. As I write this, the center’s website remains offline. That’s because Asheville, a city in North Carolina’s Blue Ridge Mountains, is the epicenter of catastrophic flooding from Hurricane Helene that has played out over the last week. The climate data facility is inoperable because water and electricity services in the region have entirely broken down due to flooding.

[…]

So how does a region nearly 500 miles from the Gulf of Mexico become devastated by flooding from a hurricane that originated there?

The answer is that Helene’s rapid movement inland—it was one of the fastest-moving storms at landfall in the Gulf of Mexico in recent history—created a massive river of atmospheric moisture and funneled it into parts of North Carolina, northern Georgia, and southeastern Tennessee.

Kanishka Singh:

The White House said on Monday dozens of Starlink satellite systems that provide high-speed internet access were in use in North Carolina, with over 100 more in transit to areas devastated by Hurricane Helene.

Tommy Greene (Hacker News):

Spruce Pine sits about an hour northeast of Asheville, Mitchell County, and is home to the world’s biggest known source of ultra-pure quartz—often referred to as “high-purity quartz,” or HPQ. This material is used for manufacturing crucibles, on which global semiconductor production relies, as well as to make components within semiconductors themselves.

[…]

Spruce Pine supplies around 70 percent of the naturally occurring HPQ that is needed for computing devices and products. The site’s market position and significance were underlined in 2019 when a manager for Quartz Corp, one of the two main mining companies that works the deposit, told the BBC: “Inside nearly every cell phone and computer chip you’ll find quartz from Spruce Pine.”

Previously:

Update (2024-10-07): Joe Rosensteel (Mastodon):

He tried force-quitting Messages, and restarting his iPhone, and reseting his network settings, but no matter what he did, my iPhone insisted Ry was only reachable via satellite. So then I restarted my iPhone, and I tried turning off and on all the various connection methods at my disposal.

That’s when I found out that everyone else having a one-on-one conversation with Ry from an iOS 18 device was also experiencing what I was experiencing.

[…]

If I had to guess (and it’s probably better if I don’t) it seems like Ry’s phone pushed some status to Apple’s iMessage servers which was pushed to our iOS 18 devices… and stuck. I can’t think of another reason why the satellite messaging state was preserved until we each toggled off iMessage support on our individual devices. There’s no toggle to disable sending and receiving satellite messages in Settings. In fact, if you search Settings for “satellite” it doesn’t return any results at all.

Update (2024-10-10): Adam Engst:

The bottom two screenshots in the collection above show conversations that refused to allow satellite communications. The first is straightforward—group chats aren’t available via satellite, even if everyone is on iMessage. I get that—even if there isn’t a technical limitation, Apple presumably doesn’t want people overloading the system with chatty conversations.

The second is more obscure. Apple warns in its notes that iMessage won’t work for someone “if you haven’t sent them an iMessage recently,” but SMS should. That message appears in a conversation that hasn’t seen any traffic for six months. We should have been given the option to use SMS.

Swift Concurrency and Objective-C

Paul Haddad:

Anyone know why calling the following in a MainActor class/func

MyTest.increment(1) { result in
    NSLog("result=\(result)")
}

crashes (asserts) when building with Swift 6?

I get that its not happy that the completion is coming in on another dispatch_queue but it should complain about it at compile time, or ignore it at run time.

Unfortunately, it seems to be designed this way.

OneSadCookie:

SE-0423 “Dynamic actor isolation enforcement from non-strict-concurrency contexts” adds the crash (otherwise your “safe” Swift 6 code is unsafe).

It’s not that the code is unsafe but that neither the Swift compiler nor the Swift runtime can prove that it’s safe because the MyTest class is written in Objective-C. You are supposed to annotate your Objective-C code so that Swift Concurrency can understand it, though this is not really documented.

Doug Gregor:

In Swift 5 mode, this code silently introduces a data race into the program.

In Swift 6 mode, the data race is caught by the dynamic isolation check. That’s the first point at which the data race can be detected, and the check is there to prevent this race from becoming weird runtime behavior.

This is all as designed. If that Objective-C code were Swift 6 code, we’d catch the error at compile time. As Objective-C, runtime is the earliest it’s possible to detect the race. Enabling Swift 6 language mode means turning previously-unobserved or undiagnosed data races into ones that fail predictably to flush out any contract violations outside of the Swift 6 code. As more code enables Swift 6, the runtime checks get replaced with compile-time.

Swift 6 mode is being “helpful” by proactively crashing the app even though there’s not necessarily a problem. It may be that it just doesn’t understand that GCD is being used to call everything on the right thread.

I get why Swift 6 is designed this way, but I don’t understand how you’re supposed to make the transition. Swift 5 mode gives no errors at compile time and doesn’t even log any errors at runtime. Swift 6 mode gives no errors at compile time and crashes at runtime. To get from one to the other you’re supposed to go through the code line-by-line and not make any mistakes.

Personally, I’m skeptical of the benefit of switching to Swift 6 mode with a hybrid codebase. If you started off with good code, it seems more likely that you’ll get some annotation wrong and have Swift 6 trigger an unnecessary crash than that you actually discover a latent concurrency bug that matters. I think it makes more sense to migrate the code to Swift before flipping the switch. Then you can get errors at compile time instead of at runtime.

Mike Apurin:

I think that Swift 5 mode doing nothing is part of the problem here. I’ve run in similar issues in Combine and was very blindsided by it. There is no way to progressively discover and deal with such isolation violations, just enabling 6 mode and praying.

But this illustrates that porting your code to Swift doesn’t fully solve the problem, either. It seems that you still have to annotate your closures because of Apple’s code.

Matt Massicotte:

The core problem, in my opinion, was Combine was not updated and that’s bananas.

Previously:

Update (2024-10-02): See also: further discussion on Mastodon.

Epic’s Document Request and Apple’s Injunction Challenge

Anthony Ha (Hacker News):

Apple faces a looming deadline to produce what it says are more than 1 million documents related to recent App Store changes.

On Friday, Judge Thomas S. Hixson denied the company’s attempt to extend that deadline, describing the request as “bad behavior.” So Apple’s deadline is still Monday, September 30: “It’s up to Apple to figure out how to meet the deadline, but Monday is indeed the deadline.”

[…]

In August, a judge directed Apple to produce all documents related to how it decided on the new App Store rules. But on Thursday, Apple said Epic’s search terms surfaced more than twice as many documents as expected, so the company needed two more weeks to review what turned out to be “north of 1.3 million documents.”

Ben Lovejoy:

A second judge in the Apple versus Epic Games lawsuit has implied that the Cupertino company has lied to the court. It comes after the original judge strongly implied that Apple had not told the truth about the reasons for its new App Store policy.

A second judge tasked with overseeing Apple’s disclosure of decision-making documents in the antitrust case said that a court filing made by the company was “simply not believable” …

[…]

Apple had claimed its decision wasn’t financially motivated, despite the 27% commission being identical to 30% less the 3% typically charged by payment processors (which would now be paid by Epic). The judge expressed skepticism, and ordered the iPhone maker to hand over all documents leading up to it decision to continue charging commission even on sales made outside the App Store.

[…]

In a response (spotted by The Verge), the Judge Hixson has rejected that request, and said that Apple’s claim that it had only just discovered this error was “simply not believable.”

Wesley Hilliard:

The Epic vs Apple saga resulted in an injunction forcing Apple to remove its anti-steering rules, but Epic wasn’t happy with Apple’s implementation. After more back and forth, Apple was meant to produce 1.3 million documents related to the App Store rules, but it produced something else unexpected on Monday.

Apple has filed for the court to set aside its injunction based on two new sets of precedents that didn’t exist when the injunction was filed. The 32 page court document goes into excruciating detail, and was first shared by X user Vidushi Dyall.

Basically, Apple says the injunction is no longer viable given two specific cases that took place in recent months — Beverage vs Apple and Murthy vs Missouri. The first is a state case that establishes Apple’s anti-steering rules aren’t unfair, and the second is, well, complicated.

Jeff Johnson:

The weird thing about the continuing Epic Games v. Apple case is that Epic is still banned in the US App Store, so even if they win on the anti-steering charge, they can’t take advantage of any remedy.

Previously:

Sequoia’s Warning When Turning Off Bluetooth

Jeff Johnson (Mastodon, Hacker News):

Does this prompt appear monthly? No, that would be far too convenient. So how often? Every. Single. Time. You. Try. To. Disable. Bluetooth.

Have I mentioned that Apple re-enables Bluetooth on every OS update on purpose? This behavior continues with macOS 15. Also, Bluetooth is notorious for security vulnerabilities; just google site:support.apple.com bluetooth “security content”.

The prompt warns that I “won’t be able to use a Bluetooth keyboard or mouse,” despite the fact my Mac mini already has a USB keyboard and mouse plugged in. Indeed, the Mac isn’t using any Bluetooth devices, and macOS knows this but doesn’t care. Moreover, the Bluetooth prompt appears even when all Bluetooth-related features are disabled such as AirDrop and Handoff. There’s no “intelligence” to the prompt.

[…]

The issue isn’t whether the existence of a warning makes sense. The issue is that the warning can’t be suppressed. The prompt has no “Don’t ask me again” checkbox.

Phillip Cohen:

thankfully, looks like you can still turn it off without a confirmation by using the shortcut action, but still ridiculous

Jeff Johnson:

The prompt also appears on macOS 14.7 (but not macOS 13.7).

The prompt does not appear on laptops.

Previously:

Copyright © 2000–2024 Michael Tsai.