Tuesday, October 16, 2018

Swift Language Server Protocol Service

Argyrios Kyrtzidis:

I’m excited to announce that we are going to start a new open-source project for a Swift and C-family language service based on the Language Server Protocol. We’ve chosen to adopt LSP so we can benefit from its active community and wide adoption across other editors and platforms. This means that Visual Studio Code, Atom, Sublime Text, or whatever your favorite editor happens to be, can use the same service as Xcode, and any improvements we make to the service will benefit them all.

[…]

We are also going to make the necessary changes for Xcode to use this new LSP-based language service. Similar to how you can load an OSS toolchain in Xcode to try it out now, in the future you will be able to load a build of the OSS LSP service in your installed Xcode and test any fixes or enhancements you make.

This sounds great. It will be written in Swift but work with C/C++/ObjC, too.

Bringing Photoshop to the iPad

Adobe:

Adobe previewed two future mobile apps designed to usher in a new era of multi-surface creation while complementing workflows across Adobe’s existing flagship desktop applications:

  • Photoshop CC on iPad: Redesigned for a modern touch experience, Photoshop CC on iPad will deliver the power and precision of its desktop counterpart. Photoshop CC on iPad will let users open and edit native PSD files using Photoshop’s industry-standard image-editing tools and will feature the familiar Photoshop layers panel. With Photoshop CC across devices, coming first to iPad in 2019, you will be able to start your work on an iPad and seamlessly roundtrip all of your edits with Photoshop CC on the desktop via Creative Cloud.
  • Project Gemini: A new app designed to accelerate drawing and painting workflows across devices, Project Gemini, coming first to iPad in 2019, combines raster, vector and new dynamic brushes into a single app experience built for drawing. Project Gemini enables artists to use and sync their favorite Photoshop brushes and works seamlessly with Photoshop CC.

Dami Lee:

Adobe really wants you to know that the upcoming Photoshop CC for the iPad, which was announced today and is set to be released sometime in 2019, is “real Photoshop.”

The phrase “real Photoshop” came up several times during my week-long preview of an early version of the software giant’s long-awaited app. The underlying code is the same as desktop Photoshop, and although the interface has been rethought for the iPad, the same core tools line the edges of the screen.

Scott Belsky:

I’m going to go on a limb here and say that the era of the file is over. I think that a creation is really a combination of components. Look at a Photoshop “file.” What is it really? It’s a collection of fonts, images and layers of edits and other things taken in from other places, composited together. It’s a collection. All those components, those ingredients of that composition both still exist in their original form as well as their combined altered form, which is ultimately the composition you’re making in a PSD.

What we’ve done — what powers Photoshop on iPad — is what we call the Cloud PSD. The Cloud PSD is in a sense, a manifest of all of these ingredients together.

Underneath the hood, this is a manifest of all the components that you sourced from original sources and then altered into this composition that is what you visually see in Photoshop and iPad, and Photoshop on desktop when you open it. When we ship Photoshop on iPad, [Cloud PSDs] will also run and automatically show up on your desktop product. Suddenly, you’ll have this cloud-powered roundtrip experience akin to a Google Docs experience, where literally the source of truth of your Photoshop creation is in the cloud.

Michael Steeber (MacRumors):

When questioned by Belsky about the role of a creative professional at Apple today, Schiller said creativity has been the foundation of Apple from the very beginning. While the company’s dedication to creativity and the arts hasn’t changed, the technology has, he added. “We never envisioned this would happen,” said Schiller in reference to Photoshop on the iPad.

John Gruber:

The “touch modifier” button is a great idea. It’s a button in the corner that you can press and hold to toggle the current tool. E.g. if you’re using a paintbrush, you can press the touch modifier button to turn it into the eraser. Let go of the button and your tool is back to the paintbrush.

Colin Cornaby:

I think Photoshop on iPad is cool. I also think too many of the hot takes today ignore that professionals use workflows that are a combination of lots of hardware and software. Not just a single application.

Colin Cornaby:

Kind of surprised no one has mentioned memory in talking about Photoshop on iPad. Photoshop can typically use way more than 4 gigs (32 bit limit) on more intensive projects, which is more memory than an iPad ships with. Add in that iOS shuts down apps that use too much memory...

Maybe Adobe is adding their own virtual memory/paging system? Could still be a lot of disk.

Lightroom CC 2.0 and Lightroom Classic CC 8.0

Jeff Carlson:

Facial recognition is a processor-intensive task, as anyone who’s waited for Lightroom Classic to churn through a local library knows. In the new Lightroom CC People View, the library is indexed and analyzed in data centers instead of your computer. It appears as a category under My Photos, along with the All Photos, Recently Added, and By Date categories.

[…]

Tying search to Sensei, however, means there’s no local search capability. If your laptop is offline, the Search field doesn’t even work (but the Filter options do). Or, if you do have Internet access, but you’ve paused the sync feature, the search feature won’t pick up any photos you’ve imported that aren’t yet copied to Creative Cloud.

[…]

The performance of Lightroom Classic has improved over the year, but working in Lightroom CC is faster, plain and simple.

[…]

One of my favorite features of Lightroom CC is how it handles images on disk. My MacBook Pro doesn’t have enough storage for my entire library, so Lightroom invisibly removes older originals to conserve disk space, and downloads them on demand from the cloud when needed. But I also save original copies of each image to an external drive in my office. When that disk is not connected, newly-imported photos are kept on the laptop’s storage; as soon as I connect that external drive, Lightroom automatically moves the files from the MacBook Pro to the external. In Lightroom Classic, you have to manually move and copy images.

[…]

This is perhaps one of the biggest limiters for many people: To really take advantage of Lightroom CC, you need a robust, always-on Internet connection.

Plus, it seems pretty useless unless you subscribe to at least the 1 TB storage plan. When your entire library has to be in the cloud, 20 GB doesn’t go very far.

I’m still not crazy about having to pay the full subscription rate to get the cloud version and Photoshop when I only use Lightroom Classic. The price has more than doubled since the days of standalone Lightroom, plus now it stops working if I stop paying. On the plus side, there are now improvements to Classic throughout the year, but it seems clear that Adobe’s focus is elsewhere.

Previously: New Lightroom CC and Lightroom Classic CC.

The 2018 MacBook Keyboards Have the Same Old Problems

Casey Johnston (tweet):

In July, Apple slightly redesigned the very low profile butterfly keyboard on its MacBooks and MacBook Pros, not because “a small percentage” of the previous version was rendered useless by a speck of dust, the company said, but to make it quieter; it even invited the tech press to try it out. iFixit teardowns of the hardware revealed that, in fact, Apple had added a silicone membrane under the keys that looks quite a bit like it’s meant to keep dust and debris from lodging under the key and locking it up. Was that the idea? No, Apple unequivocally said.

But this was not the story I got from several Apple employees I have since spoken to at Apple stores I visited. Every time I described the 2017 MacBook Pro I sold because I couldn’t stand its non-functional keyboard and asked an Apple store employee if the new one would screw me over the same way, each assured me that Apple had changed the keyboards so that that would never happen again.

[…]

But checking around online, it appears the new keyboards have the same old issues. They may be delayed, but they happen nonetheless. The MacRumors forum has a long thread about the “gen 3 butterfly keyboard” where users have been sharing their experiences since Apple updated the design. […] The thread goes on for 600 posts, most either posting complaints, expressing how mystified they are that the problems continue, or speculating what Apple will do now that this design has failed as well.

Previously: Mac Sales Down in Q3 2018 Amid a Lack of Updates, MacBook Pro 2018, Unreliable MacBook Pro Keyboards.

Paul Allen, RIP

Vulcan (MacRumors):

It is with deep sadness that we announce the death of our founder Paul G. Allen, co-founder of Microsoft and noted technologist, philanthropist, community builder, conservationist, musician and supporter of the arts. Mr. Allen died on Monday afternoon, October 15, 2018, from complications of non-Hodgkin’s lymphoma in Seattle. Mr. Allen was 65 years old.

Harry McCracken:

Altair BASIC’s success led to the duo starting a company called “Micro-Soft” to write BASICs for other computers. Over time, the company produced additional programming languages, operating systems, word processors, spreadsheets, email apps, accounting packages, server software, CD-ROM titles, web browsers, and . . . well, you get the idea.

[…]

Allen, who became a billionaire in 1990, was certainly involved in plenty of projects that didn’t go much of anywhere—the FlipStart PC, a tiny Windows palmtop, sticks in my mind—but that’s explained, in part, by the sheer volume of things he did. He funded companies in out-there categories such as fusion energy as well as more straightforward areas like social media, tried to turn a cable company into a next-generation communications behemoth, and pioneered private space flight. He was an exceptionally generous philanthropist in areas from ocean health to Ebola research.

Monday, October 15, 2018

Google Pixel 3 and 3 XL

Nicole Nguyen (via John Gruber):

The Pixel 3 starts at $799, and Pixel 3 XL at $899. They can be preordered today and ship on Oct. 18. The phones come in two storage sizes, 64GB and 128GB, and three colors: Just Black, Clearly White, and a new hue, Not Pink.

[…]

Google is selling its own wireless charger, called Pixel Stand, for $79. When the Pixel 3 is put on the stand, it goes into a “display assistant” mode and essentially turns the phone into a Google Home, where you can use voice commands to play music, see your calendar, and view photos.

[…]

The Pixel 3 doesn’t have a headphone jack, but it does come with USB-C earbuds.

[…]

But, bizarrely, the front-facing camera does have two lenses now. One is the normal 8-megapixel camera you’d expect, and the other is a wide-angle, GoPro-style lens with a 97-degree field of view (instead of 76 degrees in the normal lens).

Dieter Bohn (via David Chen):

You can see that the Pixel 3 is pulling more detail out of the shadows than the Pixel 2. It’s also going for a slightly warmer tone, especially with faces. In fact, I think it’s moved a little closer to the iPhone in terms of the image it’s trying to produce — but only a little bit. The iPhone XS is applying HDR effects too aggressively and overly brightening the shadows, as though it wants everything to be evenly lit. To me, it just looks off.

Here’s the default selfie camera, zoomed in a bit to show you some detail. Again, the Pixel 3 has much more detail while the iPhone XS feels a little bit over-smoothed. I’m not saying I’m a “Beautygate” truther here, but I definitely prefer the Pixel 3. It’s much more willing to let the light be what it’s going to be and not aggressively trying to flatten everything to the same level.

I’m still not sure what to make of the new iPhone cameras and Smart HDR feature. The failure mode is certainly bad: photos that look unnatural are way worse than photos with some areas in shadow. I’ve gone from initially being tempted to upgrade my iPhone SE mainly for the improved camera to wondering whether I should hold onto it or try to find a used iPhone X or an iPhone 8 until Apple gets its act together. We just don’t seem to have good information yet. I haven’t seen anything definitive about what the Smart HDR setting does or whether the “HDR garbage” still happens when it’s off. Reviewers have been comparing iPhone XS with Smart HDR on to other phones, rather than looking at how the same phone takes photos with different values of that setting.

Previously: iPhone XS Users Complain About Skin-Smoothing Selfie Camera.

Update (2018-10-15): See also: Josh Centers.

Update (2018-10-16): Juli Clover:

You can see all of the full resolution photos that we took with the Pixel 3 XL and the iPhone XS Max in this Imgur album that we created.

Spaces, Apple’s Mostly Ignored macOS Productivity Feature

William Gallagher:

If you use Spaces on your Mac then you probably love this feature so much that you can’t imagine not having it. More likely, though, you’ve vaguely heard of it and not looked to see whether it could be of use to you.

Even Apple seems to have forgotten this feature as it received no updates at all for macOS Mojave — at least no visible ones — and unfortunately it has call to be updated. Right now certain elements feel oddly unfinished and others are downright confusing.

Spaces has been around since macOS 10.5, but it still feels unfinished. It never got full API support in Cocoa, so applications can’t really control which spaces their windows appear on, and neither can scripts. The system decides where new windows will appear, and you have to live with it.

The more complex a Spaces workflow you decide to use, the greater the chance that the system will mess it up, so it’s best to keep things simple. In general, Spaces is better at grouping windows by application rather than by task, which is unfortunate because it’s so natural to want to put separate tasks in separate spaces.

A simple case where this falls down is with state restoration. I often have Safari windows spread across multiple spaces: windows related to customer support in the first space, windows related to development in the second space, and windows related to blogging in the third space. If I quit and relaunch Safari, it restores the windows but combines them all into the current space. As far as I can tell, this is not a Safari bug; it’s just the way macOS’s window restoration feature works. And because there’s no Space API, it’s not possible for third-party apps like BBEdit—which has always had fantastic state restoration in other respects—to do it properly themselves.

Building DSLs in Swift

John Sundell:

So let’s take things one step further, and enable our above code to be used as a proper DSL. The first thing we’ll need is an execution context. One reason that DSLs can remove so much verbosity and cruft, is that they’re used in a very specific context, that itself already provides much of the information required to understand what the code does.

[…]

For our context, we’ll take some inspiration from the UIView.animate API, and use a closure to encapsulate the usage of our DSL. All we need to make that happen is a simple extension on UIView that adds a method that in turn calls our context closure.

[…]

Let’s see how we can improve our DSL using operators - starting with overloading the plus and minus operators to enable us to combine a layout anchor and a constant into a tuple - which’ll later let us act on them as one unit[…]

The Challenge of Just Fine

Chuq Von Rospach:

But the user me? I don’t care. I have an expensive Apple TV, an expensive 4K monitor, and an expensive HomePod speaker, and I just want it all to work, because my expectation of Apple is to sweat the details and make it work.

And here I am, telling the TV that yes, it should use the HomePod as speakers again. For the fourth time today. That’s one of those small usability friction points that keeps me from wanting to use the Apple TV and leaves me feeling frustrated that it’s just not as good as it really is. It seems like a minor point — and again hashtag first world problems — but it’s the kind of thing that turns someone from a massive fan of a product into an “oh, it’s okay” person.

[…]

A big part of what made Apple successful in its turnaround was a commitment to sweating the details and living or dying on “it solves your problem, and it just works”. And over the last few years, Apple’s lost that level of detail and commitment to quality. It’s all about sweating the details, and bluntly Apple’s not doing a great job of that right now.

Previously: Anker SoundSync Drive Bluetooth Car Receiver.

The Modern Hackintosh

Stephen Hackett:

This video recently caught my eye[…]

In it, Quinn Nelson walks through a $1,400 machine that gives my $5,000 iMac Pro a run for its money, despite having a worse GPU and an i7 CPU.

Nelson points out that these numbers may come down to cooling. The tower in his video, complete with a liquid CPU cooler, can run its components much harder than the iMac Pro, as it has the thermal headroom to do so.

Previously: Mac Sales Down in Q3 2018 Amid a Lack of Updates, On the Sad State of Macintosh Hardware, Building a Hackintosh Pro.

Sometimes It’s Better to Just Start Over With iCloud Photo Library Syncing

John Gruber:

I did some searching on the web and eventually stumbled on a thread that suggested signing out of iCloud and then signing back in. This makes some sense, because all of these Continuity features go through iCloud. So I did that on the iPhone, and, long story short, that seemed to fix the issue. After one more reboot of the phone, Instant Hotspot was working perfectly.

[…]

Effectively, I think what happens is that when you turn off iCloud Photo Library, it leaves all the photos and videos on your phone in your local library. When you turn iCloud Photo Library back on, it has no idea which of the items in your local iPhone library are duplicates of items in your iCloud library, and so it has to check them one by one. Whatever algorithm it’s using for this is slow as molasses.

[…]

So if you temporarily turn off iCloud Photo Library and turn it back on, it might be easier to just delete all your photos from your iPhone first, and let them all sync back from iCloud.

Friday, October 12, 2018

Anker SoundSync Drive Bluetooth Car Receiver

I’ve been using an Anker SoundSync Drive to play audio from my iPhone on my car’s speakers without needing a headphone jack (on the phone).

It’s pretty typical of Bluetooth devices in that it basically works but never feels fully reliable. After you turn on the engine, the SoundSync gets power, and you have to press a button to connect it to your phone. Press the button too quickly and nothing happens. You have to hold it down a bit in order for it to work. The required time is not consistent. Some days, you need to hold it longer than others. Some days, it doesn’t work no matter how long you press it or how many times you try, and you have to reboot the phone.

Once Bluetooth has connected, though, it works very well. I’ve never found Siri to be reliable at pausing or resuming audio, so it’s nice to have a physical button to do this. There are also buttons for switching to the next or previous track.

Initially there was a lot of static/buzzing/whistling interference noise, which was especially noticeable during quiet periods. Apparently this happens because the SoundSync and phone are plugged into the same power source. This went away when I added an Mpow Ground Loop Noise Isolator.

Compared with using a combination Lightning charge/audio dongle, the SoundSync requires an extra USB port in the car and an extra cable to manage. It also takes an extra step each time you get in the car, because you have to plug in the phone and turn on the SoundSync, rather than just plug the phone into both audio and power simultaneously.

On the other hand, for a short trip where the phone doesn’t need power and you don’t need to put it in a mount for navigation, the SoundSync lets you keep the phone in your pocket. (But good luck using Siri that way.)

Overall, I find the SoundSync more reliable than third-party Lightning dongles—Apple doesn’t make one, alas. Nothing is as reliable as using a headphone jack on the phone, though that isn’t particularly convenient. Nothing is as convenient as AirPods, though those have other limitations.

The tiny TUNAI Firefly also looks interesting, though I don’t think it would fit properly in my car.

Previously: Lightning vs. USB-C for Headphones, Removing the iPhone’s Headphone Jack.

Update (2018-10-12): See also: Isaac Halvorson.

Is There Hope for the Mac App Store?

Speaking of the Mac App Store, Paulo Andrade writes (tweet):

Since its inception the Mac App Store has lagged behind its iOS counterpart. To this day there’s still no TestFlight or App Store analytics for Mac.

[…]

But although the tendency for shorter app review times was sustained, the unpredictability was still there… at least on the Mac App Store. In the last year alone there were at least a couple of occasions where Secrets for Mac got stuck in either “Waiting for Review” or “In Review” for at least a week. In both cases, contacting App Review seemed to unblock the issue.

[…]

And it sure looks great [in 10.14]. Certainly a great improvement over what was there before, albeit sometimes it feels more like an iOS app running on the Mac than a native Mac app.

[…]

Tried submitting to the Mac App Store but failed because it refuses to accept binaries with the new com.apple.security.automation.apple-events. Since Mojave’s release is still a week and a half away, I contact Apple and wait for a response.

[…]

30 days after my initial submission attempt, Secrets 2.8.0 is still not available on the Mac App Store. Besides knowing my issue was escalated, I have no idea what’s going on, why it’s taking so long or when can I expect it to be reviewed.

Lily Bradic (via Phil Schiller):

But after my initial “ooh, Dark Mode!” reaction subsided, I realised it wasn’t just the contrast between the dark backdrop and the rich illustrations that was impressive, but the design of the Mac App Store itself. For the first time ever, the App Store feels like one of the beautifully designed apps you’d go there to purchase — as well as a platform for discovering them.

[…]

Apple have recreated the Mac App Store from the ground up, and it’s a pleasure to use. There’s a joy in simply browsing: with the all-new Discover tab, Apple has introduced fascinating stories, in-depth interviews and weekly picks. These editorial features bring everything together, creating an ecosystem that celebrates the best of what app developers have to offer.

[…]

Exploring the new Mac App Store feels like an adventure, and it inspires you to make the most of what your Mac is capable of doing.

Coincidentally, Andrade and Bradic work on competing products.

Previously: AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms.

The Math Behind Project Scheduling, Bug Tracking, and Triage

Avery Pennarun (via Hacker News):

Many projects have poorly defined (and often overridden) priorities, hopelessly optimistic schedules, and overflowing bug trackers that are occasionally purged out of frustration in a mysterious process called “bug bankruptcy.” But a few projects seem to get everything right. What’s the difference? Avery collected the best advice from the best-running teams at Google, then tried to break down why that advice works—using math, psychology, an ad-hoc engineer simulator (SimSWE), and pages torn out of Agile Project Management textbooks.

We’ll answer questions like:

  • Why are my estimates always too optimistic, no matter how pessimistic I make them?
  • How many engineers have to come to the project planning meetings?
  • Why do people work on tasks that aren’t on the schedule?
  • What do I do when new bugs are filed faster than I can fix them?
  • Should I make one release with two features or two releases with one new feature each?
  • If my bug tracker is already a hopeless mess, how can I clean it up without going crazy or declaring bankruptcy?

Working Around a Swift “nonmutating” Crash

Nataliya Patsovska (via Florent Pillet):

We recently found a mysterious bug in our framework Flow present only when building with Xcode 10:

- Mutating an object on the same line it was created on would cause BAD_ACCESS crash.

- Splitting the line into 2 lines would work fine.

Of course that was a workaround, not the fix.

[…]

Turns out we were using the “nonmutating” keyword in a protocol extension and the compiler decided it is safe to deallocate the object implementing the protocol too early.

Moving the setter to the class somehow worked[…]

See also: Mutating And Nonmutating Functions.

Previously: Exploring Swift Array’s Implementation.

Update (2018-10-15): Joe Groff notes the bug page and a potential fix.

Thursday, October 11, 2018

Mac Sales Down in Q3 2018 Amid a Lack of Updates

Juli Clover:

During the quarter, Apple shipped an estimated 4.9 million Macs, compared to 5.4 million in the third quarter of 2017 for an 8.5 percent drop. Apple’s market share also declined, dropping from 8 percent in 3Q17 to 7.3 percent in 3Q18.

[…]

Apple’s decline in Mac sales is no surprise as the company has yet to update much of its Mac lineup for 2018. The only Mac that has seen a refresh so far is the MacBook Pro, with MacBook, MacBook Air, and Mac mini updates still on the horizon for a fall launch.

Falling Mac sales come amid stagnant growth for the overall worldwide PC market. A total of 67.2 million PCs were shipped during the quarter, an 0.1 percent increase from the third quarter of 2017.

Aside from the $4,999 iMac Pro, the current Mac lineup is not very inspiring. The Mac mini and consumer notebooks haven’t been updated recently. The iMac was updated in June 2017 and still has a defective processor. The MacBook Pro was updated this July, but the keyboard remains a question mark; we don’t yet know how reliable the new design is, and it’s been reported as less pleasant to type on than the unreliable one. The Touch Bar is still mandatory.

Apple has yet to deliver on its talk about recommitting to professional users. Mojave added hurdles that make it harder to develop and use pro apps, and a prototype framework for making dumbed-down apps. At WWDC, Apple hinted that there were Mac App Store improvements for developers, but so far they are MIA like those secret Leopard features. We know very little about the forthcoming Mac Pro, which is scheduled for 2019.

Previously: Macs Lose Marketshare, On the Sad State of Macintosh Hardware, Forthcoming MacBook and Mac mini Updates.

SmartBackup 4.2 Is Now Free

Solesignal:

SmartBackup uses its own custom sync engine which offers several performance advantages over other utilities. SmartBackup will immediately start copying data while it in parallel still analyses what has changed. SmartBackup’s sync engine then uses multiple threads that copy files in parallel, squeezing the fastest possible performance out of your storage. This makes it significantly faster than other utilities when cloning SSDs or syncing between fast RAID or SAN storage.

It supports bootable clones and archiving deleted files, and it claims to pass all the Backup Bouncer tests.

More about the threading:

  • If a single “spinning” harddisk is involved as a source or destination 2 copy threads will be fastest.
  • If source and destination are SSD/Flash based, or a RAID, 4 copy threads will give you optimum performance.
  • If you use a network backup, it depends on your setup and the type of data. Somewhere between 2-4 threads will be fastest.
  • On fast Xsan/Stornext volumes, choose the number of stripe groups available as the number of threads.

Max Inspect 1.0

Max Technology Labs:

Ever forgotten to remove a debugging entitlement? Signed an app with the wrong cert? Accidentally linked in an extra framework you didn't need? Don't do that.

This developer tool lets you inspect your apps for mistakes in entitlements, code signing and dependencies. Select or drag an app into Max Inspect and it will reveal useful information for you to verify the app before distribution.

It’s kind of like RB App Checker Lite, which is sadly now on hiatus. Unfortunately, it doesn’t let you drag and drop apps onto its icon in the Dock or LaunchBar.

Previously: RB App Checker Lite 1.0.

Update (2018-10-12): Maxwell:

Version 1.1 just came out, you can now drag apps onto it on the Dock icon :)

Microsoft Opens Its Patent Portfolio

Nat Friedman:

Microsoft is pledging our massive patent portfolio – over 60,000 patents – to Linux and open source by joining OIN this morning. If you're looking for signs that we are serious about being the world's largest open source company, look no further.

Erich Andersen:

We know Microsoft’s decision to join OIN may be viewed as surprising to some; it is no secret that there has been friction in the past between Microsoft and the open source community over the issue of patents. For others who have followed our evolution, we hope this announcement will be viewed as the next logical step for a company that is listening to customers and developers and is firmly committed to Linux and other open source programs.

Wednesday, October 10, 2018

Swift Nil-coalescing Performance Trap

Ben Cohen (via Ole Begemann):

?? [] is a significant performance and correctness trap.

Not because [] creates an array unnecessarily (it doesn’t, the empty array is a static singleton in the standard library via a performance hack that gives me heartburn).

It’s because when the array isn’t nil, the presence of ?? [] affects the type checker in ways you don’t expect[…]

[…]

So what does maybeHugeRange?.reversed() ?? [] do? The ReversedCollection answer won’t type check, because the rhs of ?? can’t be one. So instead it falls back to the version on forward-only collections. That returns an array. So now, just because of that ?? [], we are attempting to allocate and fill an array of size Int.max. Which blows up.

SE-0231 (Swift Evolution):

This proposal introduces optional iteration (for?) and hence the possibility to use optional sequences as the corresponding attribute in for-in loops.

[…]

The ? notation here is a semantic emphasis rather than a functional unit: there is no for!. Syntactically marking an optional iteration is redundant, however, in contrast to switch, nil values are skipped silently. Swift strives to follow a style where silent handling of nil is acknowledged via the ? sigil, distinctly reflected in optional chaining. This decision was primarily based on inconsistency and potential confusion that an otherwise left without syntactic changes for-in loop could potentially lead to (“clarity over brevity”).

History of Uber’s Design

Eli Schiff:

Not only that, but this is a critical time in Uber’s ascendence, as it is on the precipice of going public in 2019. A lot is at stake. In that context, it makes sense why several weeks ago on September 12, 2018, Uber played the classic PR-dampening move—launching a major brand announcement during an Apple keynote.

[…]

Most publications missed the patterned 2016 icon as though Uber’s prior rebrand had never occurred. But the remaining few writers who did cover any interim icon ignored that Uber has transitioned icons not once, not even twice, but five times between 2016 and 2018.

Out of the recent icon redesigns, the first and most controversial iteration came in February 2016, featuring a bit (rounded rectangle) and atom (circle) motif overlaid on a patterned teal base. This icon bucked the trend of flatness with a minor, almost-invisible dropshadow.

[…]

This time, Khosrowshahi wasn’t going to leave anything in the rebrand to chance. Unlike in Kalanick’s 2015 “passion project,” in 2018, Khosrowshahi left design to the pros at Wolff Olins (branding), MCKL (type), Ueno (development) and R/GA (development), in collaboration with the Uber Brand Experience Team. What was the advantage of leaning on external designers? Uber itself couldn’t be blamed for any bad outcomes.

The Battle for the Home

Ben Thompson:

If the first stage of competition in consumer technology was the race to be the computer users went to (won by Microsoft and the PC), and the second was to be the computer users carried with them (won by Apple in terms of profits, and Google in terms of marketshare), the outlines of the current battle came sharply into focus over the last month: what company will win the race to be the computer within which users live?

[…]

There is one final question that overshadows all-of-this: while the home may be the current battleground in consumer technology, is it actually a distinct product area — a new epoch if you will? When it came to mobile, it didn’t matter who had won in PCs; Microsoft ended up being an also-ran.

The fortunes of Apple, in particular, depend on whether or not this is the case. If it is a truly new paradigm, then it is hard to see Apple succeeding. It has a very nice speaker, but everything else about its product is worse. On the other hand, the HomePod’s close connection to the iPhone and Apple’s overall ecosystem may be its saving grace: perhaps the smartphone is still what matters.

Why Apple Doesn’t Allow Custom Watch Faces

Marco Arment:

It’s great for Apple to offer a wide variety of Apple Watch faces, but most of them are short-lived novelties at best. We’re three years and four generations into the Apple Watch, and almost every Watch owner I know still uses the same handful of “good” faces.

If you want digital time with a good deal of complications, Modular is your only good choice (or Infograph Modular on the Series 4). If you want analog time with numerals, Utility is the only good option. If you want indices instead of numerals — probably the most popular analog watch style in the world — I don’t think there is a good option.

[…]

And we’re restricted to the handful of good watch faces that Apple makes, because other developers aren’t allowed to make custom Watch faces.

[…]

In a time when personal expression and innovation in watch fashion should be booming, they’re instead being eroded, as everyone in the room is increasingly wearing the same watch with the same two faces.

Renaud Lienhart:

The simple reason why Apple doesn’t allow 3rd party watch faces: the vast majority of them would be copyright-infringing, trademark-stealing lookalikes of the mechanical watchmakers’ designs. Apple would be liable for allowing them and be drowning in lawsuits in no time.

Charles Arthur:

think Apple is wary. Got sued over Swiss clock design ripoff in iOS 6, which is a LONG time ago. Clearly hurt. it’s all fine until you get stung for a ton of money.

Jean-Louis Gassée:

True: Rolex, Omega, Patek value their “trade dress”. Recognizable, intended to say something about the wearer.

Marco Arment:

I’ve gotten this theory a lot, and it’s absolutely a valid concern.

But they already have people submitting copyright and trademark violations all the time at a much higher volume, and a process for dealing with them, with the App Store.

Update (2018-10-11): Steve Troughton-Smith:

As so many people were asking, I put my sample Apple Watch ‘face’ project on GitHub. If you want to use this as a jumping off point to prototype your own Watch faces, go nuts!

Apple’s War on iPhone Fraud in China

Wayne Ma:

Five years ago, Apple was forced to temporarily close what was then its only retail store in Shenzhen, China, after it was besieged by lines of hundreds of customers waiting to swap broken iPhones for new devices, according to two former Apple employees who were briefed about the matter. In May 2013, the Shenzhen store logged more than 2,000 warranty claims a week, more than any other Apple retail store in the world, one of those people said.

After some investigation, Apple discovered the skyrocketing requests for replacements was due to a highly sophisticated fraud scheme run by organized teams. Rings of thieves were buying or stealing iPhones and removing valuable components like CPUs, screens and logic boards, replacing them with fake components or even chewing gum wrappers, more than a half-dozen former employees familiar with the fraud said. The thieves would then return the iPhones, claiming they were broken, and receive replacements they could then resell, according to three of those people.

Joe Rossignol:

Hesitant to get Chinese authorities involved, due to the risks of public backlash and negative publicity in state-run media, Apple launched an online reservation system that required proof of ownership, and later developed diagnostic software that allowed retail employees to quickly detect fake parts in iPhones.

Fraudsters found ways to evade these tactics, however, and even went as far as obtaining Apple customer records, including serial numbers, for iPhones that had already been sold in China.

[…]

Apple also began dipping batteries in a special dye that could only be seen under a high-frequency light to authenticate them during repairs, the report says. A-series chips in iPhones are also allegedly coated in a waterproof sealant that can be seen under certain wavelengths, offering another countermeasure.

Tuesday, October 9, 2018 [Tweets] [Favorites]

Sunsetting Google Plus

Ben Smith (Hacker News):

The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.

At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network.

Scott Perry:

Eight years ago my friends at Google were having their compensation made conditional on the successful launch of Google+. This was the outcome we all predicted, but it took much longer than expected.

Dave Winer:

Google+ was unmotivated by any need for what it did. No one loved it. It was born only to slow Facebook growth. It’s like having a kid so it can beat up your neighbor’s kid. Products, to be any good, must be motivated, have a creative purpose.

Nick Statt:

Google exposed the personal information of hundreds of thousands of users of its Google+ social network, the company announced in a blog post this morning. The news, originally reported by The Wall Street Journal ahead of Google’s announcement, means that Google+ profile information like name, email address, occupation, gender, and age were exposed, even when that data was listed as private and not public. However, Google says that it has no evidence to suggest any third-party developers were aware of the bug or abused it. The bug, affecting an API that was accessed by hundreds of developers, appears to have been active between 2015 and 2018.

The company says it closed the bug in March 2018 shortly after learning of its existence. The WSJ reports that the company chose not to report it because of fear of “immediate regulatory interest” that would lump Google in with Facebook, according to one source’s description of the incident.

Nick Heer:

That this disclosure wasn’t made until today — seven months after this breach was noticed — is unconscionable. But it is outrageous that the reason for not disclosing it in the first place was because they wanted to hide it from the law and that Pichai knew about it.

By the way, because Google tried so hard to make Google Plus work, it’s possible that your Google account — if you have one — is a Google Plus profile. You can disconnect it; Google calls it “downgrading”.

Brian McCullough:

Has anyone made this point yet? Pichai refused to testify to congress because he couldn’t. He would have either had to perjure himself or reveal this bug in real time before the committee.

Update (2018-10-10): Matt Haughey:

I’ll never forget when I was on Google’s campus in 2011 and a product team told me as much as I loved Google Reader, Google+ was going to replace it with something much better.

Update (2018-10-15): Morgan Knutson:

Now that Google+ has been shuttered, I should air my dirty laundry on how awful the project and exec team was.

See also: Eli Schiff, Threader, and John Gruber.

AirPods Knockoffs Tested

Jason Cross:

It turns out that, if you poke around online, you’ll find plenty of AirPods knockoffs. I don’t mean other true wireless earbuds (of which there are plenty of good contenders), I mean products designed to completely mimic the AirPods’ unique design, stems and all.

[…]

That’s because all the store listings for these not-quite-AirPods are from intermediary companies that resell the earbuds, at least until they accumulate enough one-star ratings or complaints to shut down their Amazon shop and start up a new one. In the weeks it took to gather and test these, about half of the product pages completely disappeared, though I was often able to find them again on a different page with a differently-named seller. Most of the products don’t list using a real brand name, instead stuffing the product listing with as many keywords and other popular product names as possible.

[…]

Don’t be fooled by the sometimes slick-looking product shots, too. Many of them are fake, especially the images of people using them. You’ll see lots of earbuds badly photoshopped into the ears of obvious stock photo models, and they always make the earbuds and stems look smaller than they really are.

See also: How to Avoid Counterfeits When Looking for Deals.

Previously: Amazon Is Complicit With Counterfeiting.

Giving Obscura Away in the Apple Store App

Ben McCarthy:

IAP sales were actually lower than expected. Over the first week, about 0.5% of people bought an IAP. Over the full course of the promotion that increased to 0.75% which is still a good bit less than we were expecting. Perhaps the demographics of people who take advantage of such offers are less willing to pay for extras, or perhaps we’re just not pushing the IAPs hard enough within the app. However…

The one thing we did not account for at all in our estimations was that people would continue to buy Obscura. Not only that, but more people would buy Obscura than we’d expected without the promotion. We’re still trying to wrap our heads around it, but we’re certainly not complaining. We were featured in a number of articles as a result of the promotion which definitely introduced us to new audiences, and the increase in downloads probably improved our visibility on the App Store.

[…]

It’s very hard to communicate to people that Apple’s Apple Store app is not the same as Apple’s App Store app. We quickly lost count of the amount of times we had to point people in the right direction.

Of course people expect to find apps in the App Store app. I looked for the free Obscura there myself, but you had to get the promo code from the retail Apple Store app.

Apple Watch Daylight Saving Time Bug

Benjamin Mayo:

A bug with the complications on the new Infograph faces in Apple Watch Series 4 is causing some very unhappy Watch owners today. Users in Australia have just experienced the daylight saving time change and are finding their Watches are now stuck in reboot loops.

Specifically, it seems the large Activity complication on the Infograph Modular face is not handling the loss of an hour elegantly, and instead causing the entire device to crash and reboot …

Previously: Do Not Disturb Bug.

Monday, October 8, 2018 [Tweets] [Favorites]

Supporting Dark Mode

Daniel Jalkut:

The gist of what I have to share comes from tackling challenge after challenge in my own apps. Some interfaces adapted effortlessly to Dark Mode, some needed only a little finessing, while others demanded relatively hard-core infrastructural changes.

My advice will focus on the dichotomy of Light Mode and Dark Mode. The Mac’s appearance support is more nuanced than that. NSAppearance supports a hierarchy of appearances that build upon one another. The light and dark modes are the two most prominent user-facing examples, but variations such as high contrast modes should also be considered.

These articles are loosely organized in order from more fundamental to more arcane, with a priority on establishing knowledge and techniques in earlier articles that you may need to reference in later articles.

Previously: Dark Side of the Mac: Appearance & Materials.

Update (2018-10-09): Howard Oakley:

Dark Mode seems so simple, but turns out to be a lot more complex. Every so often I turn over a fresh stone in Mojave’s otherwise excellent implementation, and discover another crab waiting to bite.

Howard Oakley:

In Mojave, TextEdit follows Apple’s standard protocol of fixing its text display in Light Mode. When you switch to Dark Mode, the window and its controls go dark, but the view in which the document’s text is displayed remains obstinately black on white. That may be fine when you’re working on plain Rich Text, if that’s not a contradiction. But several of my tools here, like Consolation 3 and Nalaprop, now generate multicoloured Rich Text, which looks drop-dead gorgeous in Dark Mode.

Friday, October 5, 2018 [Tweets] [Favorites]

T2 Macs Require Apple-Authorized Repair

Jordan Kahn:

Apple has recently documented a new data recovery process internally for Macs that utilize its T2 chip introduced with the iMac Pro and the 2018 MacBook Pro. The new process for repair staff is being introduced due to the T2 chip’s advanced security features including hardware encryption for SSD storage that isn’t compatible with Apple’s previous data recovery methods used on older machines.

Joe Rossignol:

Due to advanced security features of the Apple T2 chip, iMac Pro and 2018 MacBook Pro models must pass Apple diagnostics for certain repairs to be completed, according to an internal document from Apple obtained by MacRumors.

[…]

If any of these parts are repaired in an iMac Pro or 2018 MacBook Pro, and the Apple diagnostics are not run, this will result in an inoperative system and an incomplete repair, according to Apple’s directive to service providers.

Jason Koebler (Hacker News):

The software lock will kick in for any repair which involves replacing a MacBook Pro’s display assembly, logic board, top case (the keyboard, touchpad, and internal housing), and Touch ID board. On iMac Pros, it will kick in if the Logic Board or flash storage are replaced. The computer will only begin functioning again after Apple or a member of one of Apple’s Authorized Service Provider repair program runs diagnostic software called Apple Service Toolkit 2.

A separate internal training presentation obtained by Motherboard about how to use the diagnostics states that the “Apple Service Toolkit and Apple Service Toolkit 2 are available only to persons working at Apple-authorized service facilities.” This means that it will become impossible for you to repair your new MacBook Pro at home, or for an independent repair provider to repair it for you.

Dave Mark:

I can’t imagine, if true, that this is an effort from Apple to keep all those sweet, sweet repair dollars all to themselves. I’d expect this has something to do with protecting the chain of security, preventing malware from somehow gaining a foothold.

Previously: Apple Fighting New “Right to Repair” Legislation.

Update (2018-10-09): Adam O’Camb (Hacker News):

This service document certainly paints a grim picture, but ever the optimists, we headed down to our friendly local Apple Store and bought a brand new 2018 13” MacBook Pro Touch Bar unit. Then we disassembled it and traded displays with our teardown unit from this summer. To our surprise, the displays and MacBooks functioned normally in every combination we tried. We also updated to Mojave and swapped logic boards with the same results.

That’s a promising sign, and it means the sky isn’t quite falling—yet. But as we’ve learned, nothing is certain.

Update (2018-10-10): Nick Heer:

Rather than compromising the security and privacy of their products, I’d like to see more progress made on certifying independent technicians and making Apple’s official tools more accessible. The security threat model isn’t the same as it once was; your phone probably has a lot more information on it than your computer of ten years ago. Yes, it’s more complicated to replace parts now, but it’s not entirely because companies like Apple want to lock out independent repair shops. Apple’s diagnostic tools could play a great role in this: imagine if you could take a printed report of a successful repair and type in a serial number on Apple’s website to verify that your device was serviced with genuine parts and passed Apple’s testing.

SMS Text Message Login Codes Autofill But Remain Insecure

Glenn Fleishman:

Sites originally chose to use SMS-based code validation for 2FA to lower the barriers to 2FA—more people understand SMS than authentication apps. And, regardless of the vulnerabilities of SMS, it’s far better to use a second factor than not, because it deters wholesale attacks against accounts. Even if an attacker gained access to all the decrypted passwords for a service, every account with 2FA enabled would still be able to resist unauthorized logins. But SMS-based 2FA is vulnerable to targeted attacks and identity theft.

Apple’s proprietary 2FA system for macOS and iOS remains extremely robust, but it still allows the use of SMS and voice calls as a backup when trusted devices aren’t available.

[…]

While it’s admirable Apple has streamlined SMS code entry, it would be even more so if the company would kickstart the move away from SMS.

Finding and Exploiting Safari Bugs Using Publicly Available Tools

Ivan Fratric (Hacker News):

The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would get is that the product updates fix far less vulnerabilities and less severe vulnerabilities than is actually the case.

Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves.

Why Matthew Green Is Done With Chrome

Matthew Green (Hacker News):

In this setting, Chrome was a beautiful solution. Even if the browser never produced a scrap of revenue for Google, it served its purpose just by keeping the Internet open to Google’s other products. As a benefit, the Internet community would receive a terrific open source browser with the best development team money could buy. This might be kind of sad for Mozilla (who have paid a high price due to Chrome) but overall it would be a good thing for Internet standards.

[…]

A few weeks ago Google shipped an update to Chrome that fundamentally changes the sign-in experience. From now on, every time you log into a Google property (for example, Gmail), Chrome will automatically sign the browser into your Google account for you. It’ll do this without asking, or even explicitly notifying you.

[…]

Nobody on the Chrome development team can provide a clear rationale for why this change was necessary, and the explanations they’ve given don’t make any sense.

This change has enormous implications for user privacy and trust, and Google seems unable to grapple with this.

Chris Siebenmann:

In theory, I’m not affected by this behavior. I almost never log into any Google site in the first place and I’m basically always doing so in incognito mode, where this doesn’t (currently) apply. In practice, this has pushed me to deciding that this is a bridge too far and I no longer want to use Chrome if I can avoid it, and fortunately I can these days.

Paul Frazee:

There’s a reason people are reacting to Chrome like this. This isn’t an overreaction over one single event. It’s a delayed reaction to a pattern of bad behavior.

It’s contextualized by the very messed-up power dynamic between Google and the open Web.

Matthew Green (Hacker News):

The tech backlash even caused Google to back down, sort of. It announced a forthcoming update last Wednesday: Chrome’s auto-sign-in feature will still be the default behavior of Chrome. But you’ll be able to turn it off through an optional switch buried in Chrome’s settings.

This pattern of behavior by tech companies is so routine that we take it for granted. Let’s call it “pulling a Facebook” in honor of the many times that Facebook has “accidentally” relaxed the privacy settings for user profile data, and then—following a bout of bad press coverage—apologized and quietly reversed course. A key feature of these episodes is that management rarely takes the blame: It’s usually laid at the feet of some anonymous engineer moving fast and breaking things.

Facebook Access Tokens Stolen

Guy Rosen (Hacker News, MacRumors):

On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts. We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security.

Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.

Will Oremus:

Facebook’s Guy Rosen just confirmed that the breach would have allowed hackers to access not only your Facebook account, but your accounts on other sites where you used Facebook as your login.

Also—separate from the question of third-party apps—Facebook says users affected by the breach who have Instagram or Oculus accounts linked to their Facebook account will have to un-link and re-link them.

See also: Mike Isaac and Sheera Frenkel, Nick Heer.

Update (2018-10-16): Glenn Chapman:

Facebook said Friday that hackers accessed personal data of 29 million users in a breach at the world’s leading social network disclosed late last month.

The company had originally said up to 50 million accounts were affected in a cyberattack that exploited a trio of software flaws to steal “access tokens” that enable people to automatically log back onto the platform.

“We now know that fewer people were impacted than we originally thought,” Facebook vice president of product management Guy Rosen said in an online post.

See also: Facebook, Ryan Mac (tweet).

Thursday, October 4, 2018 [Tweets] [Favorites]

Happy 25th Birthday, AppleScript

Chris Espinosa:

On this day 25 years ago, Apple introduced AppleScript, a system and application automation system and language. It’s still shipping in Mojave and is one of the oldest code bases in continual use in macOS. Happy birthday, AppleScript!

Previously: AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms.

Update (2018-10-05): Mark Alldritt:

Script Debugger 1.0 was released shortly after AppleScript 1.0 appeared. It’s been a long ride as AppleScript has made its way from the Classic MacOS to MacOS X and most recently macOS Mojave.

Apple Park in LEGO

Spencer Rezkalla (via John Gruber):

With a footprint of more than 28,000 square studs this model is nearly as large as all my other LEGO skyscraper builds combined.

The model’s facade is constructed in segments using white LEGO 1x2 rail plates and trans-black plates.

A faceted approach to approximating the curvature of a round building is a traditional approach in both LEGO and in actual building construction.

The original plan was to build the campus pathways using LEGO plates set sideways into the landscape. However this approach would result in a jagged appearance as the plates stepped along the curving path trajectories.

Luckily in 2017 The LEGO Group introduced quarter circle tiles. Smoother paths are made possible with these elements, although their tight 90 degree bends cause the pathways to meander more.

The Bandwidth Needed to Restore an iPhone

Kirk McElhearn:

Because iTunes no longer manages apps, you have to redownload potentially tens of gigabytes of stuff. If you have music and photos in the cloud, you have to download some of them, but the apps alone make this process painful.

In addition, you can’t pause the process; you can only put the phone into airplane mode. So if you do need to use the phone to make calls or use data, your connection is saturated, and you’re limited for the several hours it takes to get everything downloaded.

Designed for a California network connection.

Previously: iTunes 12.7 Drops Apps and Ringtones, iCloud Photo Library Re-uploading, Most of the Web Really Sucks If You Have a Slow Connection, Protecting Your Network From Photos Uploads.

Update (2018-10-05): Brian Stucki:

Absolutely. A cache server saves the day on iOS/iPhone/iPad release days for sure.

Lee Hinde:

I blew through my ATT data allotment.

I started restore at my desk and after it was ‘done’ I left for lunch and the phone kept downloading things. Blew through 8 GB. I was both furious and stuck. ATT didn’t do anything wrong; couldn’t go to them and Apple wasn’t going to care.

Previously: When macOS High Sierra’s Content Caching Isn’t Working.

How China Used a Tiny Chip to Infiltrate U.S. Companies

Jordan Robertson and Michael Riley (Hacker News):

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

[…]

Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally.

[…]

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

Apple’s response:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident.

Julie Bort (in 2016, via iStumbler):

Still, Apple is motivated to design and build its own hardware, the same as Google and Amazon does, and run it on its own for one pretty scary reason: security. It suspects that the servers it has been ordering from others are being captured during shipping, and backdoors added to them that will make them susceptible to being hacked.

At one point, the company even had people taking photographs of the motherboards in the computer servers it was using, then mark down exactly what each chip was, to make sure everything was fully understood.

Update (2018-10-05): Amir Efrati (in 2017):

In early 2016, Apple discovered what it believed was a potential security vulnerability in at least one data center server it purchased from a U.S.-based manufacturer, Super Micro Computer, according to a Super Micro executive and two people who were briefed about the incident at Apple. The server was part of Apple’s technical infrastructure, which powers its web-based services and holds customer data.

Apple ended up terminating its yearslong business relationship with Super Micro, according to Tau Leng, a senior vice president of technology for Super Micro, and a person who was told about the incident by a senior infrastructure engineering executive at Apple. The tech giant even returned some of Super Micro’s servers to the company, according to one of the people briefed about the incident.

Stephen Schmidt:

Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.

As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.

Kim Zetter:

I have to say, this is all really bizarre. The Bloomberg story is very detailed, citing documents and inside sources. But the company denials are also detailed and emphatic. You don’t often see the latter when a company is trying to hide something or be coy.

John Gruber (tweet):

I see no way around it: either Bloomberg’s report is significantly wrong, at least as pertains to Amazon and Apple, or Apple and Amazon have issued blatantly false denials.

Apple (Hacker News, MacRumors):

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

[…]

Finally, in response to questions we have received from other news organizations since Businessweek published its story, we are not under any kind of gag order or other confidentiality obligations.

John Gruber:

What sense does it make that Apple discovered a profound security problem in Super Micro motherboards in May 2015, so serious that the company reported it to the FBI, but then didn’t sever ties with Supermicro until at least eight months later? That timeline makes no sense.

Matt Drance:

After reading this Bloomberg story I have two questions:

1) Why not name the “third party company” that found this hack? What security firm wouldn’t want credit for this?

2) FBI and DNI/CIA/NSA declined comment on this story primarily sourced from “US officials.” What’s left?

Zack Whittaker:

In fairness to Bloomberg, chief among Apple’s complaints is a claim that Bloomberg’s reporters were vague in their questioning. Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.

Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark. Assuming there was an active espionage investigation into the alleged actions of a foreign government, you can bet that only a handful of people at these companies will be even cursorily aware of the situation. U.S. surveillance and counter-espionage laws restrict who can be told about classified information or investigations. Only those who need to be in the know are kept in a very tight loop — typically a company’s chief counsel. Often their bosses, the chief executive or president, are not told to avoid making false or misleading statements to shareholders.

Nick Heer:

This story has been rattling around my head all day today. My early thought was that perhaps the Bloomberg reporters did a Judith Miller. Maybe their government sources had a specific angle they wished to present to create a political case against China or in favour of further sanctions — or actions far more serious — and needed a credible third-party, like a news organization, to create a story like this. But Robertson and Riley’s seventeen sources include several individuals at Amazon and Apple with intimate knowledge of the apparent discovery of unauthorized hardware modifications, something they later confirmed in a statement to Alex Cranz of Gizmodo. This doesn’t seem likely.

[…]

Indeed, Kieren McCarthy of the Register did a fine job parsing each company’s statements, albeit with his usual unique flair. But, though there is absolutely some wiggle-room in each denial, there are remarks made by each company that, were they found to be wrong, would be simple lies.

[…]

Either manufacturing of these components becomes increasingly diversified or, more likely, far greater control and oversight is required by companies and end-client governments alike.

Kieren McCarthy:

As to the reports – from both Amazon and Apple – that Bloomberg says its sources have seen. It is worth noting that Bloomberg does not claim to have seen those reports itself. How closely were its sources able to scrutinize those reports? Could they have been mistaken?

From that point, it is very possible that the other sources that Bloomberg felt were confirming its story were confirming something else: that China is trying to get into the hardware supply chain. Which is no doubt true, as US intelligence agencies have repeatedly warned in the past year, particularly with respect to mobile phones.

So it is possible that the reporters did an excellent job but ended up in the wrong place, with half a story but going down the wrong path. It is equally possible that they have got 90 per cent of the way there and Apple and Amazon are carefully using the last 10 per cent to issue careful denials.

Update (2018-10-10): Joe Rossignol:

Apple’s recently retired general counsel Bruce Sewell told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Supermicro, and was told that nobody at the federal law enforcement agency knew what the story was about.

John Paczkowski and Charlie Warzel (Hacker News):

Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied and expressed confusion with a report earlier this week that the company’s servers had been compromised by a Chinese intelligence operation.

Bob Burrough:

What of The Information’s article Feb ’17? I don’t think this would be a conspiracy between the two news orgs. Something’s up.

Kevin Beaumont:

Worth noting same Bloomberg reporters put out a story a few years ago citing multiple sources that the US knew about Heartbleed. That story was flat out wrong. Bloomberg didn’t follow it up or comment.

Joe Rossignol:

The U.S. Department of Homeland Security today said it has “no reason to doubt” the companies who denied a bombshell Bloomberg Businessweek report this week about Chinese spies using a tiny chip to infiltrate U.S. companies.

Nick Heer:

Reuters also reports that a division of GCHQ, Britain’s signals intelligence agency, does not presently doubt Apple and Amazon’s denials.

[…]

That’s a lot of reputable organisations — and the American government — who have staked their credibility on widely varying accounts of the veracity of this story.

John Gruber:

Bloomberg’s Big Hack story should eventually be fully-corroborated, if true. According to their report, there are thousands of compromised servers out there. If there are, security experts will eventually identify these rogue chips and document them.

See also: Hacker News.

SwiftOnSecurity:

The Bloomberg article has no actionable information for industry or consumers. All claimed involved parties have denied the events described ever happened.

It’s unclear what the purpose of this is.

Apple (Hacker News):

In light of your important leadership roles in Congress, we want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true. You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong. We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns.

John Gruber:

Hardware security researcher Joe Fitzpatrick was one of the very few named sources in Bloomberg’s blockbuster “The Big Hack” story. He provided only background information on the potential of hardware exploits in general — he claimed no knowledge of this specific case. On Patrick Gray’s Risky Business (great name) podcast, he expresses serious unease with the story Bloomberg published.

Jason Koebler, Joseph Cox, and Lorenzo Franceschi-Bicchierai:

Even sources used in the original story are confused about what’s going on. The cybersecurity podcast Risky Business interviewed one of the few named sources in the original Businessweek article, hardware security expert Joe Fitzpatrick, who expressed doubts about the article, and said he had never been contacted by any Bloomberg fact-checker. Fitzpatrick was used as an expert source to comment on the technical details of what Bloomberg described and does not have any firsthand knowledge of the actual alleged hack.

John Paczkowski:

what kind of source elicits so much confidence that you don’t provide evidence for review to the companies involved, single source some key details, and stand by your story when two tech bigs are shooting you in the face with both barrels while multiple telecoms say “not us”?

Nick Heer:

For what it’s worth, I don’t want Robertson and Riley to have egg on their faces. I hope the story is not entirely as described because, if it is, it is truly one of the biggest security breaches in modern history — Supermicro has supplied a lot of servers to industry giants. But I don’t want the reporters to be wrong; Bloomberg has a great reputation for publishing rigorously-researched and fact-checked longform stories; I don’t want to have lingering doubts about their future reporting. And I’m not defending the biggest corporations in the world out of loyalty or denial — they have PR teams for that, and should absolutely be criticized when relevant. And I think the central point of the article — that the supply chain of a vast majority of the world’s goods is monopolized by an authoritarian and privacy-averse government is a staggering risk — is absolutely worth taking seriously.

Joe Rossignol:

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek’s bombshell “The Big Hack” report about Chinese spies compromising the U.S. tech supply chain.

“I have pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it,” said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.

See also: Upgrade.

Wednesday, October 3, 2018

Wi-Fi Alliance Introduces Wi-Fi 6

Wi-Fi Alliance (Hacker News):

Wi-Fi 6 is part of a new naming approach by Wi-Fi Alliance that provides users with an easy-to-understand designation for both the Wi-Fi technology supported by their device and used in a connection the device makes with a Wi-Fi network.

The new naming system identifies Wi-Fi generations by a numerical sequence which corresponds to major advancements in Wi-Fi. The generation names can be used by product vendors to identify the latest Wi-Fi technology a device supports, by OS vendors to identify the generation of Wi-Fi connection between a device and network, and by service providers to identify the capabilities of a Wi-Fi network to their customers. The generational terminology may also be used to designate previous Wi-Fi generations, such as 802.11n or 802.11ac.

Jacob Kastrenakes:

It’ll probably make more sense this way, starting with the first version of Wi-Fi, 802.11b:

Wi-Fi 1: 802.11b (1999)
Wi-Fi 2: 802.11a (1999)
Wi-Fi 3: 802.11g (2003)
Wi-Fi 4: 802.11n (2009)
Wi-Fi 5: 802.11ac (2014)

Jason Snell:

Much as I’ll miss the esoteric letters, this will be a heck of a lot easier to explain to non-techie family and friends. We’re all accustomed to version numbers these days.

The one downside (for users) is that it probably will end up making some people feel like they need to upgrade when their setup is still probably fine—the limiting factor to your Internet speeds isn’t usually your Wi-Fi setup. (Still on Wi-Fi 4 here, friends!)

Update (2018-10-09): Glenn Fleishman:

The Wi-Fi Alliance’s new numbering system focuses on generations of speed improvements but looks back only to 802.11n, which is a decade old. Given that 802.11a and 802.11b were approved at the same time, implicitly calling them Wi-Fi 1 and Wi-Fi 2, and extending Wi-Fi 3 to 802.11g, isn’t quite right. But we anticipate people will do it anyway.

Still in macOS 10.14 Mojave

Uluroo (tweet):

Finding the hidden gems of macOS is like paleontology — the old gets buried by the new, but what you can find if you dig is pretty great. At the same time that macOS has changed, aged, and buried its past, it’s left fossils behind. Not all of the old stuff is still around, but the bits that have lasted are the bits worth knowing about. You can find them if you just start digging.

[…]

⌘⇧Y: send selected text to a new Stickies note on the desktop. Uluroo is astonished that he had never known this shortcut until yesterday. Apple has let Stickies fade into the background of macOS, but at least it hasn’t killed the app completely.

[…]

⌥⇧ while changing volume and brightness: adjust those in quarter increments. This gives similar precision to that offered by the brightness and volume sliders in iOS.

[…]

Many of Dashboard’s built-in widgets have a refreshingly retro, though inconsistent, aesthetic: Stocks, Dictionary, Weather, Calculator, Calendar, and more all look like they’ve gone untouched since the days of Scott Forstall. The World Clock widget’s second hand moves in the same way as a real clock, rather than moving in a smooth, uninterrupted motion like in iOS and watchOS.

[…]

.textclipping. You can literally drag text to the desktop as a .textclipping file and AirDrop it.

Previously: Removed in macOS 10.14 Mojave.