An Illustrated History of Easter Eggs

Bargain HoudahSpot Mac Mac App macOS 10.14 Mojave Nisus Writer Pro Panorama X TaskPaper Tinderbox

Thursday, July 18, 2019 [Tweets] [Favorites]

Have We Hit Peak Podcast?

Nick Heer:

Jennifer Miller of the New York Times wrote about the eruption of podcasting popularity — a seemingly evergreen topic. Nieman Lab wondered in 2017 if we had hit “peak podcast”, while Wired thought the same in 2015. Podcasts were “back” in 2012, according to Social Media Examiner, and also in 2014, according to the Washington Post. 2005 was the “year of the podcast”, according to Slate. Podcasting seems perpetually mainstream and, also, simultaneously on the verge of death.

Much as I think this story subject is well worn, there’s plenty of research in Miller’s article that helps provide a sort of status update on the podcasting industry. One stat she quotes near the end of the piece is particularly eye-opening: less than 20% of podcasts tracked by Blubrry issued a new episode between March and May.

No, I don’t think this is the peak, either in terms of the number of active shows or listeners.

Previously:

Apple to Bankroll Original Podcasts

Business Podcasts

iPhone Loyalty

Chance Miller:

In total, using its own data and data from other companies, BankRoll concludes that iPhone loyalty has hit its lowest point since 2011, falling to 73 percent. This compares to loyalty in 2017 of 92 percent.

[…]

There are several things worth noting with this data. For one, the sample size is relatively small and seemingly comes almost entirely from customers using the specific BankMyCell service. Furthermore, other data from companies like CIRP has suggested that iOS loyalty has continued to hit new highs. In January, CIRP said that iOS loyalty was at 91 percent.

Another inconclusive report. I wonder whether Loyalty is more important than Customer Sat. Maybe yes, because it’s about action rather than just reported sentiment. On the other hand, it doesn’t measure people who aren’t buying a new phone this year (an increasing percentage). And, of course, Customer Sat. doesn’t count the customers who have already switched away.

Anecdotally, I am hearing less interest and satisfaction in the iPhone X series of phones, and increasing concerns (whether true or not) that Apple’s cameras are no longer market leading. And, at least prior to iOS 13, iPhones can be slower at launching apps. Personally, I remain quite happy with my iPhone XR.

Previously:

Android Business iOS iOS 12 iPhone

10 Comments

Wednesday, July 17, 2019 [Tweets] [Favorites]

SummerFest 2019 Ending Soon

The SummerFest festival of artisanal software is ending tomorrow. Besides the apps I previously mentioned, it includes HoudahSpot (better Spotlight searching), Nisus Writer Pro (my favorite word processor), Panorama X (RAM-based database), TaskPaper (plain text lists), and Tinderbox (power notes organizer).

Lowercase Passwords

Stuart Schechter:

Your master password should be at least 12 lowercase characters or five words. Why use lowercase characters or words when you’ve probably been told (and coerced) to use uppercase characters and symbols in the past? If you have to enter the password on a device with on on-screen keyboard (like your phone’s), each uppercase letter or symbol may require extra key presses. You can get the same security, and save yourself a great deal of frustration, by making your all-lowercase password just 30% longer than if it were mixed case [9]. In other words, a randomly-generated 13-character lowercase password, which can be entered with 13 keystrokes, is as secure as a 10-character mixed password, which may require many more.

Via Ricky Mondello:

This plays into why the passwords that iCloud Keychain generates are dominated by lower-case letters; you might have to type them somewhere, sometime (but not remember). I explain this in the talk I gave at PasswordsCon 2018.

Previously:

iCloud Keychain iOS iOS 12 Mac macOS 10.14 Mojave Passwords Safari Security

8 Comments

Branches and Continuous Integration

Soroush Khanlou (tweet):

A problem presents itself, however. You need to build a feature that takes 1,000 lines of code, but you’d like to merge it in in smaller chunks. How can you merge the code in if it’s not finished?
Broadly, the strategy is called “branch by abstraction”. You “branch” your codebase, not using git branches, but rather branches in the code itself. There’s is no one way to do branch by abstraction, but many techniques that are all useful in different situations.
[…]
Of course, the humble if statement is also a great way to apply this technique; use it liberally with feature flags to turn features on and off. (A feature flag doesn’t have to be complicated. A global constant boolean gets you pretty far. Feature flags don’t have to come from a remote source! However, I would recommend against compile-time #if statements, however. Code that doesn’t get compiled might as well be dead.)

Branches are just not very useful for managing features or major releases for which development will take a long time (during which you will keep working on the shipping version). They’re great when you want to make a bug fix release based on an old version, and thereafter plan for the branch to die. But, otherwise, you spend a lot of time merging changes back and forth between two active branches and still end up with a potentially difficult integration at the end. It’s better to use feature flags and potentially extra Info.plist files and Xcode targets to support simultaneous development of multiple versions.

Previously:

Craft Git iOS Mac Programming Version Control Xcode

8 Comments

Why Does APT Not Use HTTPS?

Chris Lamb (via Hacker News):

Accessing mirrors over HTTPS would not prevent a compromised mirror tampering with packages, so APT already has other mechanisms to guard against this.

Also, HTTPS would not stop a determined attacker deducing which apt packages your system was downloading (though this becomes more difficult).

[…]

A switch to HTTPS would also mean you could not take advantage of local proxy servers for speeding up access and would additionally prohibit many kinds of peer-to-peer mirroring where files are stored on servers not controlled directly by your distribution. This would disproportionately affect users in remote locales.

Previously:

Linux Security Web

64-Bit Mac Mac App macOS 10.15 Catalina

Go64 Finds 32-bit Apps

St. Clair Software:

macOS 10.15 Catalina will not run 32-bit Mac applications. At all. Once you upgrade to Catalina, those apps won’t even launch.

To prepare, I wrote Go64, a free application that scans your system for 32-bit apps and shows them all in one place, with version and website information to make it easier to assess whether you need to update or look for an alternative.
[…]

As they say, the devil’s in the details, and dealing with the vagaries of what goes on inside applications got interesting. Go64 leverages Spotlight to compile a list of executables, but then does a deep dive into each 64-bit application to check for any helper apps, frameworks, services or plugins that might not be 64-bit. While I knew this could be an issue, Howard’s work highlighted just how common it is to have a mix of executables bundled within apps. Most of the time, it’s just for expediency, and developers do the proper juggling to run the correct one, but how’s a user to know? So Go64 does a bunch of checks to look for common methods, and if it still can’t make sense of things, errs on the safe side and flags the app with a little caution icon.

Previously:

macOS 10.13.4 to Warn About 32-bit Apps Starting April 12

Tuesday, July 16, 2019 [Tweets] [Favorites]

Apple to Bankroll Original Podcasts

Lucas Shaw and Mark Gurman (MacRumors, Hacker News):

Apple Inc. plans to fund original podcasts that would be exclusive to its audio service, according to people familiar with the matter, increasing its investment in the industry to keep competitors Spotify and Stitcher at bay.

Executives at the company have reached out to media companies and their representatives to discuss buying exclusive rights to podcasts, according to the people, who asked not to be identified because the conversations are preliminary. Apple has yet to outline a clear strategy, but has said it plans to pursue the kind of deals it didn’t make before.

The introduction of Apple Music made the Music app worse for everyone not using it. This will likely have a bigger negative effect for podcasts, both because it messes up Apple’s incentives (for their apps and directory) and because it will make it harder for customers to get content in the apps that they want.

Unfortunately, this is both very likely and a lot less awesome.

Previously:

Update (2019-07-17): See also: Hacker News.

I expect Apple to have as much success with exclusive podcasts as everyone else has.

karizma23:

Hypothetically speaking, would you take their money for a show if offered?

App Store China iOS iOS 12 iOS App Mac Networking Privacy Virtual Private Network (VPN)

No, for the same reason it’s unwise for most people to do “podcasts” exclusive to one platform:

Most of my audience isn’t there and won’t move for me, the paywall/appwall would halt most audience growth, and any new audience I build won’t follow me off the platform if necessary.

Manton Reece:

Not sure where Apple is going with exclusive podcasts, but it’s probably nowhere good. By default I’m against any “podcast” that can’t play in multiple podcast apps because it erodes the openness of the ecosystem.

Zac Cichy:

I’ve kind of been arguing for Apple to go hard on owning its podcast platform for a really long time. The thing is, things have changed and it doesn’t matter what anyone says a podcast is. Market is maturing, and Apple should have done more years ago to hedge the inevitable.

It’s not a popular position around here, and I personally have zero incentive to argue this, but Apple should be trying to create a centralized podcast platform.

Every time Apple waits on something like this, a market moves on without them.

Jason Snell:

Given Apple’s deep pockets and its focus on services, I can’t see how the company wouldn’t at least investigate the possibility of adding original audio content to its portfolio, both to strengthen the pull of the Podcasts app and increase the value of one of its existing services or a forthcoming services bundle.

Apple Apple Podcasts Business iOS Mac Podcasts Strategy Tax

6 Comments

How Many Kinds of USB-C to USB-C Cables Are There?

Benson Leung (via Hacker News):

We have a matrix of 2 x 3, with 2 current rating levels (3A max current, or 5A max current), and 3 data speeds (480mbps, 5gbps, 10gpbs).

Adding a bit more detail, cables 3-6, in fact, have 10 more wires that connect end-to-end compared to the USB 2.0 ones in order to handle SuperSpeed data rates. Cables 3-6 are called “Full-Featured Type-C Cables” in the spec, and the extra wires are actually required for more than just faster data speeds.

“Full-Featured Type-C Cables” are required for the most common USB-C Alternate Mode used on PCs and many phones today, VESA DisplayPort Alternate Mode. VESA DP Alt mode requires most of the 10 extra wires present in a Full-Featured USB-C cable.

Alexis Gallagher:

Inconvenient but not crazy. I’d say the design failure here is the absence of a system of clear graphic symbols to convey this.

Jonathan Wight:

Assuming no one has invented a USB-C hub yet? (USB-C <-> USB-C).

Still just a bunch of USB-3 hubs or overpriced “docking stations”…

Most “Free” VPN Apps Secretly Owned by China

Simon Migliano:

Unfortunately, the majority of apps appearing in the top results for “VPN” searches are free products from obscure and highly secretive companies that deliberately make it very difficult for consumers to find out anything about them.

[…]

Our investigation uncovered that over half of the top free VPN apps either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the internet within its borders.

[…]

Apple and Google have let down consumers by failing to properly vet these app publishers, many of whom lack any sort of credible web presence and whose app store listings are riddled with misinformation.

Via Josh Centers:

Additionally, the investigation revealed many have bad or nonexistent privacy policies, don’t even have legitimate Web sites, and share user activity with third parties. If you’re selecting a VPN in order to guard your privacy, be careful of which one you choose and do your research to find a trustworthy provider because a VPN service can monitor all of your Internet activity.

How can you even tell whether a paid VPN is trustworthy—not a honeypot and actually follows its privacy policy?

Update (2019-07-17): Adi Robertson (tweet):

An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.
The site OpenlyOperated.org, for example, is OO-certified. (It’s one of two OO-certified services right now, alongside Lin and Dewan’s Confirmed VPN.) Its audit report lists several easily readable and footnoted claims about the site, including the claim that your email address is kept totally private — even from the site’s operators. It then includes details about the encryption system that makes this possible, plus statements from cybersecurity consultants who corroborate the claims. While companies can already run privacy audits, Openly Operated’s branding is supposed to promise a certain level of depth, in addition to guaranteeing transparency.

6 Comments

Google Photos Is Making Photos Semi-public

Robert Wiblin (via Hacker News):

Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.

[…]

If that ‘secret’’ link is ever revealed, anyone anywhere will be able to see it until I go and delete that specific sharing instance. And I’d have no way to find out that they were viewing it!

This is perhaps not surprising if you’ve used Flickr, which works the same way, and even has a way to track visits to the link. But it is surprising from the perspective of Facebook or Google’s own Drive, where sharing with a particular user makes a link only for that user.

Update (2019-07-17): Russell Brandom (via sciwizam):

So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you’d have to work through 10^70 different combinations to get the right one, a problem on an astronomical scale. “There are enough combinations that it’s considered unguessable,” says Aravind Krishnaswamy, an engineering lead on Google Photos. “It’s much harder to guess than your password.” Because web traffic for Photos is encrypted with SSL, it’s also kept secret from anyone on the network who might be listening in.

However, it would be easy for people to listen in if you send the URL to anyone via an unencrypted service such as e-mail.

Facebook Flickr Google Photos Photography Privacy URL Web

Why Did Moving the Mouse Cursor Cause Windows 95 to Run More Quickly?

Retrocomputing (via Devon Zuegel):

Windows 95 applications often use asynchronous I/O, that is they ask for some file operation like a copy to be performed and then tell the OS that they can be put to sleep until that operation finishes. By sleeping they allow other applications to run, rather than wasting CPU time endlessly asking if the file operation has completed yet.

For reasons that are not entirely clear, but probably due to performance problems on low end machines, Windows 95 tends to bundle up the messages about I/O completion and doesn’t immediately wake up the application to service them. However, it does wake the application for user input, presumably to keep it feeling responsive, and when the application is awake it will handle any pending I/O messages too.

Thus wiggling the mouse causes the application to process I/O messages faster, and install quicker. The effect was quite pronounced; large applications that could take an hour to install could be reduced to 15 minutes with suitable mouse input.

Whereas, on classic Mac OS, you could pause certain processing by depressing the mouse button.

Update (2019-07-17): Dimitri Bouniol:

Even today, the main run loop mode will change and stop typical timers from running if you open a menu in a modern Mac app.

Kevin Purcell:

This was true of 3270 terminals on IBM mainframes running CMS on VM/370.

If you hit the spacebar you’d get a little hit of CPU time.

I recall numbers of mech eng and elec eng grad students sitting at 3270 tapping the keyboard in the late 1980s when running their FORTRAN codes.

History Mac Mac OS 9 macOS 10.14 Mojave Windows

Monday, July 15, 2019 [Tweets] [Favorites]

Airmail Adds Subscription for Push Notifications

Joe Rossignol (tweet, Reddit):

Airmail for iOS is now free to download on the App Store, but push notifications and multi-account support have become premium features priced at $2.99 per month or $9.99 per year in the United States. The app was previously available for a one-time, upfront cost of $4.99 with all features unlocked.

Speaking of changing the price for features already shipped…

At face value, the change appears to violate Apple’s App Store Review Guidelines, which state “if you are changing your existing app to a subscription-based business model, you should not take away the primary functionality existing users have already paid for.”

Leonardo Chiantini:

Customers who purchased the app can still have access to multiple accounts but not push notifications which, is a side service of the app and is not preventing the use of the app’s core functionality.

We do understand users frustration, the decision was made to keep the business sustainable as we face increasing backend service expenses.

Previously:

Productivity Apps and Subscription Pricing

Update (2019-07-19): ilia kukharev:

What happens when you ask your paid users to pay again, by changing the monetization model.

Via Ryan Jones:

Brutal :( for Airmailer. I feel for them, it’s not easy.

Airmail App Store App Subscriptions Business E-mail Client iOS iOS App Push Notifications

Fernando Corbató, RIP

Katie Hafner (via Rodney Brooks):

Dr. Corbató, who spent his entire career at M.I.T., oversaw a project in the early 1960s called the Compatible Time-Sharing System, or C.T.S.S., which allowed multiple users in different locations to access a single computer simultaneously through telephone lines.

[…]

C.T.S.S. gave rise to a successor project called Multics, which Dr. Corbató also led. He told the Babbage Institute, “Multics started out as kind of a wish list of what we would like to see in a big computer system that might be made as a commercial model.”

Multics was a collaboration among M.I.T., AT&T’s Bell Laboratories and General Electric. It failed as a commercial endeavor, but it inspired a team of computer scientists at Bell Labs to create Unix, a computer operating system that took root in the 1970s and was adopted widely in the ′80s and ′90s.

[…]

In the course of refining time-sharing systems in the 1960s, Dr. Corbató came up with another novelty: the computer password.

History Passwords Programming Rest in Peace Unix

Bug Mac macOS 10.14 Mojave Night Shift Time

Shape Up

Ryan Singer (Ryan Singer):

This book is a guide to how we do product development at Basecamp. It’s also a toolbox full of techniques that you can apply in your own way to your own process.

[…]

First, we work in six-week cycles. Six weeks is long enough to build something meaningful start-to-finish and short enough that everyone can feel the deadline looming from the start, so they use the time wisely.

[…]

Second, we shape the work before giving it to a team. A small senior group works in parallel to the cycle teams. They define the key elements of a solution before we consider a project ready to bet on. Projects are defined at the right level of abstraction: concrete enough that the teams know what to do, yet abstract enough that they have room to work out the interesting details themselves.

[…]

Third, we give full responsibility to a small integrated team of designers and programmers. They define their own tasks, make adjustments to the scope, and work together to build vertical slices of the product one at a time. This is completely different from other methodologies, where managers chop up the work and programmers act like ticket-takers.

[…]

This book is about the risk of getting stuck, the risk of getting bogged down with last quarter’s work, wasting time on unexpected problems, and not being free to do what you want to do tomorrow.

Basecamp Book Business Craft Design Programming

Infinite Night Shift

Austin Johnsen (via Ashley Bischoff):

TIL that if you go North of the Arctic Circle in the summer and bring a MacBook with Night Shift set to be triggered by sunrise/sunset, the process will go into an infinite loop because the sun never sets...

I noticed this when my computer fan went crazy because my CPU was running at 120% trying to calculate when sunset was in order to trigger Night Shift. As soon as I turned Night Shift off, that process disappeared and the fan spun back down...

Previously:

Mac macOS 10.15 Catalina Programming Safari Universal Links URL

Friday, July 12, 2019 [Tweets] [Favorites]

SFUniversalLink

Jonathan Grynspan:

As promised, API for macOS browsers to adopt universal links!

Please review the header for details on how to adopt—ADC hasn’t got them yet. 🤐

Universal Links let certain HTTP links (e.g. Dropbox and Twitter, or hypothetically Zoom) open directly in an app instead of in the browser, potentially bypassing a confirmation alert that a custom URL scheme would have caused. This API lets third-party browsers provide an experience that matches Safari.

However, sometimes the user doesn’t want the link to open in the app, and so Safari in Catalina lets you Control-click to choose the browser instead. (On iOS you can long-press.) The isEnabled property lets you see how the user last opened a link for that app, so that you can respect the preference. And it’s shared across the OS, so you can change it in a third-party browser and affect Safari’s behavior.

Previously:

Advertising App Store App Subscriptions Business In-App Purchase iOS iOS 12 iOS App

Mac Marketshare in Q2 2019

Eric Slivka:

If accurate, Gartner’s estimates would put Apple with its lowest share of the U.S. PC market since the first quarter of 2014 and the lowest recorded on a global basis since Gartner started including Apple as a top global vendor in the third quarter of 2014.
[…]
IDC’s estimates paint a much different picture, however, projecting worldwide PC shipment growth of 4.7 percent compared to the second quarter of 2018. IDC pegs Apple as having shipped 4.011 million Macs in the quarter for nearly 10 percent year-over-year growth.

Previously:

Apple Business Mac

3 Comments

Local 1Password iOS Vaults No Longer Free

gross (via Hacker News):

I have a workflow where I use 1Password on my phone - locally, no sync, do not want sync, can not use sync. Obviously this is not my main way of using 1Password, which I have been using now since 2011, mostly on Mac and iOS.

On that phone, I often remove 1Password and reinstall it. The last time I did this was a few weeks ago, likely running 7.3.1 or 7.3.2.

Today, I needed to urgently do this again, and I reinstalled 1Password to realize the new onboarding screen does not seem to let me configure my local vault at all.

I looked at release notes - all I can see is that 7.3.1 had improvements to standalone vault syncing, which seems to mean standalone vaults still work, and 7.3.3 reduced the size of the app by 27%.

Ben:

I’m sorry for the trouble. 1Password no longer offers a free-to-use option on iOS. It can either be used with a 1Password membership account or it can be synced to a standalone vault created by 1Password for Mac or 1Password for Windows. It wouldn’t be possible to create a new standalone vault from 1Password for iOS. Standalone vaults still work, but must be created by a licensed product (1Password for Mac or 1Password for Windows).

It seems pretty reasonable to disallow free creation of vaults. But it does reduce the utility of the app for those of us who don’t want to use the cloud service, because there’s no longer a way to pay for the iOS app without subscribing to the service.

The other issue this story highlights is that app updates aren’t handled well on iOS. Chances are that you’ll get silently updated to the new version—and in this case the change wasn’t called out in the release notes, anyway—and there’s no way to go back or even to restore from backup. So you can never be sure that a feature you depend on won’t suddenly disappear or break.

haaf:

Perhaps one could split the arguments in this thread into two categories; 1) forcing payment for some features is frustrating when it was free before, 2) stand-alone vault synchronisation features are disappearing because AgileBits thinks it’s more secure and more convenient to work via 1P-accounts.
As a five year old customer of both personal and company plans, I also see the disappearance of stand-alone synchronisation as a negative. I’ve brought it up with customer support and sales on multiple occasions.
Unfortunately, the outcome of those conversations is always similar to this thread.

ken:

One thing I’ve learned about software in general is that I never want to be outside of the primary use case. If you’re not using it the same way that the people building it do, it’s going to be a pain to use, and your requests will be ignored.

“Ignored” is probably too strong here, but the overall point is sound. This is also why people get uneasy about Apple dropping certain types of hardware and adding impediments to automation workflows. Even if it’s technically still possible to do what you could do before, everything becomes more difficult and less supported when you’re on a niche path.

Previously:

Update (2019-07-19): See also: Reddit.

MrRooni:

I am sorry that we removed a feature that some of you rely on for your workflow and I’m sorry we didn’t communicate its removal. In all honesty I assumed it would go mostly unnoticed. I figured that existing customers already have 1Password setups that are working for them, so no one would miss it. And really, why draw attention to the removal of a feature that shouldn’t really affect anyone anyway?

Clearly I missed the mark on this one.

[…]

I also want to touch briefly on why this feature was removed. For better or worse, a good chunk of the answer comes down to how we want 1Password viewed as a product among the field of other password managers. Prior to this change 1Password would frequently appear on the list of the “best free password managers” and while that’s flattering, it’s not where we want to be. 1Password is a paid product, and prior to today 1Password for iOS was the only 1Password app on any platform that could be used entirely for free. That is no longer the case. Another large reason why we removed this feature was that an unsynced vault on an iOS device is a dangerous thing. We receive enough customer support from people who set up 1Password in this way and then lose their device and lose everything that we wanted to take a very deliberate step in removing the possibility that people could find themselves in that state.

Tim Hardwick:

The good news is that 1Password has listened to user feedback, and the latest update, v7.3.4, restores the ability to create standalone vaults from setup to customers who had previously purchased 1Password 4 for iOS or the Pro Features in-app purchase.

However, for new users at least, there’s no longer any way to use the password management service without subscribing to a paid plan.

1Password App Store iOS iOS 12 iOS App

3 Comments

Predatory iOS App Subscriptions

David Barnard:

I decided to try and tune the my niece’s Disney princess guitar and went to the App Store looking for a tuner. Top result is an ad for an app by MVM, the company I called out last week for shady onboarding and $400+/yr subscriptions.

Second result is a curated story, so I figured that would be better than continuing to look through the search results. So I download one of those apps. Similar shady onboarding, then a $100/yr subscription. (At least this one has a close button hidden in the top left.)

[…]

What’s especially insidious is that to make these scams work, developers are spending tons of money on user acquisition. I’ve talked to some knowledgable folks who estimate these apps spend as much as 90% of their gross revenue on app install ads.

[…]

Apple is allowing these scams to tarnish their brand and destroy people’s trust in the App Store to make a little extra money and pad the pockets of Google and Facebook. They’ve been playing whack-a-mole for years instead of doing the deeper work of re-aligning incentives.

[…]

And that brings us back to my rant last fall. Not only is Apple failing to re-aligning incentives, they are actively incentivizing revenue over user experience by featuring apps based on how well they do financially without regard for how they do it.

Dominik Wagner:

The @AppStore currently promotes a metronome app that has a $7.99 weekly price. That is $415.48 for the default trial subscription it shows at start. That’s promoting fraud. And not the first occasion. @Apple we demand better.

Rene Ritchie:

Gross. Looks like a few metronome apps do this. Among a ton of other gross of apps.

Totally destroys the “you can just trust it” reputation of the @AppStore

Hope Apple cracks down on all the subscription scams and yesterday.

I don’t think Apple should ban these apps or prevent developers from setting the prices. But it should be easier for customers to see what they’re committing to and to cancel before they get rebilled.

Ryan Jones:

The scammers that are ruining the App Store WILL erode consumer trust, Apple’s advantage, viability of good products, and services revenue.

Again, I think and talk about it a lot, because these things change slowly, then all of a sudden.

Previously:

Apple News Firefox Google Chrome Little Snitch Mac Mac App Store macOS 10.14 Mojave Privacy Safari Security Web Zoom

Thursday, July 11, 2019 [Tweets] [Favorites]

Why Do Web Browsers Allow Access to the Local Network?

Jeff Johnson:

Since constantly requiring confirmation is obviously incredibly annoying, Apple has conveniently exempted some of its own apps from the requirement. For example, macappstore and macappstores URLs will automatically open App Store app without your confirmation.

But, curiously, Safari does prompt for opening the News app.

Zoom is certainly deserving of criticism. But I’ve seen very few people stop to ask, how was Zoom’s little trick even possible in the first place? Why does Safari allow a web page, zoom.us, to make requests to a localhost server? Is this possibility not surprising to you? It was surprising to me! The problem is actually worse than this. The major browsers I’ve tested — Safari, Chrome, Firefox — all allow web pages to send requests not only to localhost but also to any IP address on your Local Area Network! Can you believe that? I’m both astonished and horrified.

[…]

Moreover, a web page can even scan your network to find the addresses of your devices. I found a recent paper by Forcepoint that discusses in detail these kinds of attacks on your LAN from the web. So security researchers are aware of this possibility, but it seems that the browser vendors are doing nothing to plug the holes in their web browsers!

It seems strange that browsers prohibit access to local files but not the local network.

Bob Burrough:

Run some Javascript to scan common local router IP’s and save the results to the server. It would even map to your WAN IP so they could start hitting your router externally. The web is an absolute mess.

Previously:

Update (2019-07-15): See also: Hacker News.

Update (2019-07-17): Maxwell Swadling:

re web browsers, use LuLu or Little Snitch. They are great for lots of reasons, not just web browsers.

Agreed, but unfortunately most people don’t even know about such utilities—hence the argument for browsers providing some security here.

7 Comments

iCloud Data Loss With macOS 10.15 and iOS 13 Betas

Max Seelemann:

Whereas in recent years, it was pretty safe to install preview versions early on, this year that’s definitely not the case (see for example this report on Cult of Mac).

Most impactful for us, however, is that the (great, great) updates done to iCloud are also leading to severe problems with the service. As iCloud is Apple’s sync service, it’s beyond our power to solve them, of course. Some public beta users reported synchronization outages and data loss that propagated to devices that did not even run the beta but were just connected via iCloud.

Craig Hockenberry:

If you have an iOS or macOS beta installed, disable iCloud on that device NOW.

If you don’t you’ll end up with data loss on your production devices. Also, these problems are not app-specific, things are fucked up at the framework level.

Judging from the release notes, Apple knew about many of the issues prior to releasing the betas, so it’s surprising that they chose to release the public betas earlier this year.

John Gruber (tweet):

Right now iCloud is dangerous on the beta OSes. That’s not a complaint in and of itself; if there weren’t bugs they wouldn’t be betas. But I think it was a bad idea for Apple to release public betas at this stage.

Craig Hockenberry:

Apple talks a lot about services being the future of the company, but then they pull shit like this and it makes me wonder if they have any clue that the most important part of a data service is protecting its contents.

Wil Shipley:

The real BS part of this is that there’s really no good way for us to restore iCloud data, which is becoming increasingly more of our data.

Max Seelemann:

I know what a beta is and what that means. But in times where everything is a beta, people tend to to forget.

imo, a company giving betas to millions of people is responsible for doing this in a responsible manner. As a minimum it’s to make sure to at least not delete data.

Colin Weir:

There’s also an implied level of stability in a public beta that’s not in a developer beta. We know they’re basically the same builds, but to normal users “public beta” means “safe, but some stuff might work weird"

So by putting out unstable developer betas and calling them public betas, they’re doing a big disservice

Steve Troughton-Smith:

iBooks is unusable in iOS 13 thanks to iCloud issues. It took three weeks (!) for it to re-index my iCloud library before it would let me open a book, and it deletes it and requires a redownload, citing space issues, constantly (I have 180GB free space). Local cache is whack

It’s definitely not the worst beta process by a long shot, but it’s definitely way too rough for public seeding on iPad. I’m losing touches constantly, which makes the software keyboard as bad as the MacBook Pro for reliability At least they’re consistent…

Craig Hockenberry:

We submitted a detailed DTS incident about corrupted/deleted iCloud documents in the iOS 13 beta. But guess what? DTS doesn’t support beta releases.

So it’s a public release, but not.

Steve Troughton-Smith:

from what I’ve seen, a lot of the time I run into ‘data loss’ is where some migration/indexing process has got stuck, making it look like I’ve got no/wrong data, and instead of waiting it out I try and fix it myself while the system is still broken

It’s very easy to panic and do a lot of damage when the OS makes it look like your data is screwed up, even when underlying data is totally fine and it’s actually some intermediary daemon process hanging in the bg. Sometimes you really do need to chill & wait for the next beta

Previously:

iBooks iCloud iCloud Drive iOS iOS 13 Mac macOS 10.15 Catalina

Apple News Business iOS iOS 12 Mac macOS 10.14 Mojave

Apple News+ Revenue

Juli Clover:

Apple News+ seems to be floundering just months after its launch, according to new details from participating magazine publishers shared by Business Insider.
Multiple publishers have been unimpressed with the revenue generated from Apple News+. One told Business Insider that revenue was one twentieth of what Apple promised, while another said that it was on par with what was earned from Texture, which isn’t much.

Nilay Patel:

This implies Apple News publishers are making half of what they did with Texture, which is impressively bad. (10x/20 = .5x)

Oluseyi Sonaiya:

Apple made a big deal about WSJ, for example, being part of News+, but if I understand correctly the index of articles is not included, so you can’t browse the content listing. You’re left with inbound links and whatever they push into the News+ feed.

Gotta pony up for the feed.

Chance Miller:

Last month, Eddy Cue said that Apple had “hundreds” of people working to make Apple News+ better. Apple News+ is currently available in the United States and Canada, but it’s expected to launch in the UK this year as well.

Rob Griffiths:

You know what what would make Apple News better? This…

• Let me delete my downloaded mags.
• Show new issues in sidebar list of my subscribed mags.
• Give the Mac version support for multiple windows or tabs—no more of this one-window iOS bullcrap.

Mitchel Broussard:

Jumping to the topic of Apple News+, Cue stated that one of Apple’s big goals right now is to convince younger people to subscribe to the service.

Previously:

Apple News+

Update (2019-07-15): Josh Centers:

The best bet for Apple News+ isn’t legacy publishers, but small, platform-oriented ones like @GlennF and @jdalrymple. Too bad Apple already burned people like that with Newsstand.

These big dinosaurs have a hard time adapting to these new formats. Smaller outlets can and will do it if given the proper support. Look at what @MacSparky does with Apple Books.

“Hey, read a month-old Macworld article for just $10 a month” isn’t a great sales pitch.

Conference Documentation iOS iOS 13 Mac macOS 10.15 Catalina Programming WWDC

Wednesday, July 10, 2019 [Tweets] [Favorites]

WWDC 2019 Video Transcripts Now Available

Apple:

Take advantage of transcripts to quickly discover and share information presented in WWDC19 videos. You can search by keyword, see all instances where the keyword is mentioned in the video, go straight to the time it was mentioned, and even share a link to that specific time.

It seems like they are more human-edited this year, which is good because the sessions now serve as defacto documentation in many cases.

Previously:

EagleFiler Hook Mac Mac App macOS 10.14 Mojave

Hook 1.0

CogSci Apps:

Hook supplies the missing links in macOS, to allow users to access the documents that are most relevant to the task at hand. The app, based on cognitive science, allows users to instantly create notes linked to a document, or other information item, providing instant navigation between the two.

Hook doesn’t replace any of a user’s favorite Mac apps, but instead augments them. For instance, by using a simple keyboard hotkey combination, a Mac user can instantly create a new item (in the app of their choice) that Hook links to the current item (such as a web page, PDF, email or file). With Hook, a document can be linked to an outline, an OmniFocus project, an email, and many other types of information.

It works with EagleFiler’s record links.

GDPR Fines: So Now We Know

Doug Lhotka:

In the past few days, Marriott and BA were both hit with $100M+ fines for breaches. While both are going to appeal, the benchmark has been set, and we now know that the regulators are serious about enforcement. One interesting fact – if the reports are accurate, Marriott is being fined under the GDPR, while the breach occurred before it went into effect. That certainly changes the risk equation, as retroactive security is, alas, still beyond our ability today. I suspect we’ll see a similar seriousness with CCPA (the new California regulation), though those costs will include consumer litigation as well.

GDPR Legal Web

Gosh Darn SwiftUI

Sarun Wongpatcharapakorn (via Andy Bargh):

All the answers you found here don’t mean to be complete or detail, the purpose here is to act as a cheat sheet or a place that you can pick up keywords you can use to search for more detail.

kateinoigaku (Soroush Khanlou):

Only Apple knows the actual implementation. But it’s certain that AttributeGraph.framework has its own reflection system.
I said “I’m looking forward to your great libraries using metadata” in try! Swift but I had never thought Apple do it, I think Apple started to use metadata because ABI stability was built since Swift5. In fact, ABI stability brings us great benefits!

Previously:

SwiftUI and Combine

Update (2019-07-11): Jeff Nadeau:

A clever teardown, and not far off in principle

Cocoa Documentation iOS iOS 13 Mac macOS 10.15 Catalina Programming Swift Programming Language SwiftUI

Tuesday, July 9, 2019 [Tweets] [Favorites]

Apple Discontinues 12-Inch MacBook

iMac iMac Pro Intel Kernel Extensions Mac Mac mini MacBook Air MacBook Pro Samsung Solid-State Drive (SSD) Storage

Coinciding with refreshes to the MacBook Air and the entry-level 13-inch MacBook Pro today, Apple appears to have discontinued the 12-inch MacBook, which is no longer available through its online store.

It’s a bit sad to see it go because I know some people really liked the tiny size. But it’s hard to justify its existence and premium price when compared with a still-small MacBook Air with a much better display that’s faster and has more ports. I’m surprised it wasn’t discontinued when the 2018 MacBook Air was introduced.

I don’t think I’ve ever seen a 12-inch MacBook in the wild, and it’s the least popular Mac among users of my apps. There are roughly 40% more customers using the pricey iMac Pro—which didn’t ship until 6 months after the last MacBook update—than the entire MacBook family (which includes the older polycarbonate models).

Perhaps this size and name will return when Apple introduces its first ARM Macs.

Matt Birchler:

One thing I find interesting is that Apple’s completely new computers from 2013-2016 include:

Trash can Mac Pro

12” MacBook

Touch Bar MacBook Pros

3 of those are already dead and we have rumblings of a new MBP design coming in the next year or so.

Since then we’ve had:

iMac Pro

New Mac mini

Mac Pro (cheese grater 2.0 edition)

New MacBook Air

Clearly, Apple has turned a corner when it comes to Mac hardware.

Ryan Jones:

Credit to Cupertino for killing the MacBook One!

Been saying it for years - that computer was a mistake. Stupid to go one port, premature to go USB-C, launched with no supply, bad name, immediate forgotten in the roadmap.

Apple’s starting to do literally exactly what I/we said they should with Mac lineup. More evidence they are back to listening to core users.

Previously:

Update (2019-07-10): Jason Snell:

Theory: It’s another thermal corner. They couldn’t add anything to the product w/o a redesign because of the fanless thing, they couldn’t get it down under $1000, and decided (early on, I guess!) to replace it with another Air.

My daughter has one and loves it 🤷🏻‍♂️

Riccardo Mori:

First it was the 11-inch MacBook Air, now it’s the 12-inch MacBook. Do you want an Apple ‘ultrabook’? You’ll have to get an iPad Pro. What a coincidence.

Mac MacBook

7 Comments

Apple Lowers SSD Prices

Benjamin Mayo (tweet, MacRumors):

In addition to launching refreshes to the MacBook Air and MacBook Pro, Apple has lowered the cost of higher-end Mac solid state storage options, cutting the price in half for many of the configurations.

For example, the 4 TB SSD of the 512 GB 15-inch MacBook Pro used to cost $2800. It now costs $1,400. These savings are seen across the iMac, iMac Pro, Mac mini, and MacBook Air line.

[…]

The general pattern is that the first upgrade still costs the same, with price reductions applied to the bigger capacities.

This is great news, although the prices still seem inflated. For comparison, Apple is charging $400 to go from 256 GB to 1 TB, but you can get a highly regarded 1 TB Samsung SSD for $137. And there’s now a 2 TB Intel one for $103. Granted, this is not as fast as what Apple ships, but for many people the tradeoff would be worth it for that amount of storage. And it would certainly be an improvement over the spinning hard drive in the 2019 iMac.

It’s important to get enough internal storage because current Macs don’t have many ports, and there are issues with external drives.

Howard Oakley:

The snag with thermal throttling is that it only happens when you’re putting pressure on the SSD, maybe with it writing hundreds of GB of video. So when you need the X5’s performance most is when it’s most likely to have to use thermal throttling to keep itself cool. In what I thought was a comfortable ambient of 23˚C (73˚F) with a light breeze and good shade, my X5 suffered thermal throttling fairly consistently when I left it to run the Blackmagic Disk Speed Test for longer than 2 minutes 45 seconds, and by 3 minutes most of its writing was being done at 700 MB/s or less.

[…]

Yes, the installer thought it had worked and installed the two kernel extensions it required (two kernel extensions? really?), but in fact they had been blocked by macOS, so the Samsung app couldn’t see the SSD.

Previously:

MacBook Air 2019 and New 13-inch MacBook Pro

Apple today announced that it has updated the MacBook Air with a True Tone display and lowered the price of the notebook to $1,099 in the United States, or $999 for qualifying students through Apple’s education store.

[…]

Alongside today’s update and price drop, Apple has also discontinued the 2017 MacBook Air, which it had continued to sell for $999 following the introduction of the revamped MacBook Air last October.

It is great to see more frequent Mac updates. Now the only non-Retina Mac is the base iMac—unless you count the Mac Pro and Mac mini because of the available external displays.

Apple today announced it has updated its entry-level 13-inch MacBook Pro with the latest 8th-generation Intel Core quad-core processors for up to two times faster performance compared to the previous generation. The notebook now also features a Touch Bar with Touch ID, a True Tone display, and the Apple T2 security chip.

It’s sad to no longer be able to get a MacBook Pro without a Touch Bar, but the 13-inch MacBook Escape hadn’t been updated in more than two years.

Wojtek Pietrusiewicz:

If Apple hadn’t added the Touch Bar to the non-Touch Bar model and just upgraded the CPU, I would be ordering one right now — the new CPUs are exactly what I have been waiting for. Unfortunately, they did, so that probably means no more Macs for me, at least until they get rid of the Touch Bar. And no, the Air is not sufficient for my needs — it lacks Display P3 and a proper processor.

retrac98:

99%+ of my usage of the touchbar is pressing escape, adjusting screen brightness, speaker volume, or accessing music controls.

All of these worked flawlessly when I had physical keys, but now it’s hard to know what I’m pressing without looking, and sometimes the controls become unresponsive to touches or drags.

I am also a musician. The Touch Bar is fantastic to adjust tuneables in GarageBand, without the gorilla arm or wobbly screen effect you get on touchscreens.

Mark Munz:

Apple adds Touch Bar to entry level MacBook Pro, because THAT’S what everyone has been clamoring for – more Touch Bar.

🤦‍♂️

Nick Heer:

This simplifies the lineup dramatically. No longer are there three similar yet purportedly different computers within $200 of each other; now, there’s a simple choice of consumer models and professional models, and at respectably lower price points to boot.

Stephen Hackett:

I think for almost everyone, the MacBook Air is the right notebook. It’s thin and light, with plenty of power for most tasks, but if you need a better GPU or more cores, the MacBook Pro is a logical upgrade. I like it when the Mac product line makes sense.

John Gruber:

Other than the increase in size of the “smallest” MacBook, the only knock against today’s revamp is that the starting price (for those other than college students) has jumped from $1000 to $1100.

Previously:

Update (2019-07-10): See also: Hacker News.

Update (2019-07-11): Dan Seifert:

macbook pro owners: what are you using the touchbar for at this point, three years on from its debut?

Mac MacBook Air MacBook Pro Solid-State Drive (SSD) Touch Bar True Tone

Geekbench 4 scores indicate the base 2019 model with an 8th-generation 1.4GHz quad-core Core i5 processor has up to a 6.8 percent increase in single-core performance, and up to 83.4 percent faster multi-core performance, compared to the base 2017 model with a 7th-generation 2.3GHz dual-core Core i5 processor.

Update (2019-07-15): Benjamin Mayo:

The equivalent 256 GB SSD 2018 MacBook Air could top 2 GB/s read and around 0.9 GB/s write speeds. Therefore, the new SSD component in use has marginally superior write speeds but 35% slower read speeds, falling from 2 GB/s to 1.3 GB/s.

Update (2019-07-19): Dieter Bohn:

Most of all — keyboard aside — the overall design and quality of the hardware is top-notch. There are dozens of Windows laptops in the same price range that beat this Air on any number of metrics. You can get edge-to-edge screens, log in with your face, and find faster and more powerful processors. But very few of them have the same iconic look and feel of the aluminum Air.

[…]

There’s also the fact that Apple was unable to update the processor to something more powerful. It is still using a 1.6GHz dual-core “Y-series” Intel processor, which is not nearly as powerful as the “U-series” processor you find on the MacBook Pro and many Windows laptops.

Via Nick Heer:

Based on Bohn’s review, it seems like this year’s revision gets closer to correcting the balance. Get a decent keyboard in these things again and there ought to be no reason for most people with the money to spend to even consider buying anything else.

Camera Mac Mac App Mac App Store macOS 10.14 Mojave macOS 10.15 Catalina Privacy Safari Security Universal Links Zoom

Zoom Vulnerabilities

Jonathan Leitschuh (Hacker News, Reddit):

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

[…]

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine.

Joseph Cox:

The problem lies is how Zoom allows whoever sets up the call—be that someone creating a conference call for a company, or perhaps a hacker—to decide whether participants’ webcams are enabled at the start of the call or not. Leitschuh says Zoom did fix this, and stopped an attacker from turning on a user’s video camera, but then an issue with the patch was discovered, still allowing a hacker to turn on the camera.

Richard Farley, Zoom:

Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

I wonder if, rather than “Safari 12,” he means “Safari in macOS 10.12,” as that was the version that introduced the incredibly annoying confirmation alert every time you click a link to another app. It doesn’t just prompt you the first time for a particular app, or the first time a link from a certain site takes you to that app; it asks you every single time. I have to click through these alerts dozens of times a day, and after years of this you can be sure that I don’t read them.

If this Safari security feature had not been so draconian, I doubt that Zoom and similar apps would have gone to such lengths to work around it. And I have serious doubts that the alert actually helps security much, both because of the limited ways such links could be abused and because I don’t think most users are able to make an informed decision about it.

Frankly, everyone looks bad here. Zoom, obviously, because of questionable design decisions and poor engineering. And Apple, because this is the type of app that should be in the Mac App Store. Whenever someone would send me a Zoom link, I would try to find another way to communicate because I didn’t want to run their installer and figure out how to remove any junk that it added. Were the app in the Mac App Store, I would have easily installed it and trusted that it was confined to its container. Technically, the app should be able to do everything it needs within the sandbox. But for whatever reason—perhaps business—Zoom didn’t find the Mac App Store to be a good way to distribute its app.

The solution is not to further lock down apps outside the store, making both users and developers miserable. Think about what types of lock down would have been required to prevent this and whether it would have actually been effective. (Are you going to ban local Web servers? Try to discourage the user from clicking Allow?) No, the solution is to make the store more attractive so that it makes sense for mainstream apps—from indies to multi-billion dollar companies like Zoom—to be there.

Jim Rea:

This sucks, and I am upset with Zoom, but am I correct in thinking if this happened I could just immediately quit the zoom app? I mean the zoom app isn’t exactly stealthy. Also, maybe I might be more worried about it sharing my screen than the camera, is it doing that?

Tony Arcieri:

The flipside to responsible disclosure: failure to patch a critical vulnerability in 90 days makes a software vendor irresponsible and it’s a good thing for their irresponsibility to become public knowledge sooner than later

Jeff Nadeau:

Oh hey, Zoom is that product that installs the entire app inside its package preflight script if it detects that you’re running as administrator. Naughty indeed.

Maxwell Swadling:

If you don’t like how Zoom bypasses safari security wait till you see how Google Chrome proxies USB / HID clients 🤭

Alexis Gallagher:

What other apps install local web servers that always run, even when the app is not running, even after you’ve uninstalled the app?

For instance, is that you @figmadesign? 😔

agreenbhm:

I also found that, instead of making a regular AJAX request, this page instead loads an image from the Zoom web server that is locally running. The different dimensions of the image dictate the error/status code of the server...One question I asked is, why is this web server returning this data encoded in the dimensions of an image file? The reason is, it’s done to bypass Cross-Origin Resource Sharing (CORS).

Sean Coates:

You know the state of video conferencing apps is bad when “it might turn on your camera without your permission” isn’t bad enough to make you switch to one of the worse alternatives.

Josh Centers:

To check to see if the Web server is running, open Terminal, enter this command, and press Return:
lsof -i :19421
[…]

If you want to get rid of the hidden Web server, though, you’ll have to use Terminal.

Mateusz Stawecki:

Zoom nastiness removal one-liner. Open Terminal, paste and press return:
lsof -i TCP:19421 | awk 'NR > 1 {print $2}' | xargs kill -9; rm -rf ~/.zoomus; touch ~/.zoomus

Dr. Drang:

I don’t pretend to follow all of Leitschuh’s explanation of the vulnerability, but I do understand the commands for the fix. I thought I’d talk about what they do. Also, there’s a cut-and-paste solution getting some traction on Twitter that I want to talk about.

Previously:

Update (2019-07-11): Jason Snell:

I think this Zoom story is getting a bit overhyped, but the fact is that Apple added a security feature that required an extra click by the user, and @zoom_us responded by... installing a local web server to bypass the feature. Talk about a disproportionate response.

Jason Snell:

My guess is that Zoom’s original sin comes out of its corporate culture, which is focused on competing in a pretty cutthroat industry with demanding clients (IT managers) and not particularly technically literate customers (the individual business users). There’s probably a great fear of losing business to other businesses who can boast about running video meetings with ever less friction to the user.

Glenn Fleishman:

Zoom had a cascading failure of product decisions, security bypasses, and then a terrible hand-waving blog post—which has been updated several times, and they’re finally doing the right thing.

This reminds me of the 2005 Sony rootkit scandal. Zoom had no ill intent here, but they scored own goals by allowing developers to create a system that intentionally bypasses security protections, installs unknown software, and has no consent involved.

John Gruber:

But the fact that Zoom implemented it in a way such that the web server was still there, still running, even when you deleted the Zoom app, is morally criminal, and should be legally criminal. No one who understands how this worked could possibly have thought this was ethical.

Renaud Lienhart:

Yes, @zoom_us is a garbage fire that deserves to go bankrupt. But we need to analyse why they do this: it’s because macOS doesn’t provide the frameworks & infrastructure to implement these features in a simple & secure way.

Ideally, macOS would work more like iOS, where developers could bundle specific extensions within their bundles that the system would register and launch on demand for these purposes. Instead, they have to work around these limitations in an atrocious way.

Rosyna Keller:

The Safari security feature that requires user-confirmation will always stop drive-by [no user interaction] attacks. Attacks that are designed to passively launch exploits.

Rosyna Keller:

In Catalina, apps can use universal links + associated domains to avoid the confirmation dialog.

Rich Trouton:

I’ve taken those [uninstall] commands and used them to build a script to address the vulnerabilities described in CVE-2019-13450.

Zoom (Hacker News):

We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device. 2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.

Zack Whittaker (Hacker News):

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

So the Zoom story seems to be mostly over. However, there remain some open questions:

Why didn’t Zoom use a Safari extension to avoid the extra click? Would it not have done the job? Did they not consider this option? Did they deem it too clunky for customers to install and enable?
Is the browser the appropriate place to put these sort of protections? After all, potentially dangerous links can be received via other means, such as e-mail and iMessage. Would it make more sense for the app receiving the link to offer protection? For example, FaceTime requires you to click a button to answer a call (though Apple lets it bypass asking for camera access). There could be a preference—off by default—to auto-accept connections, or to only auto-accept from certain trusted callers.
What does Apple consider to be the actual problem—opening custom links in response to user action, or only drive-by attacks?
Will Universal Links in macOS 10.15 make a difference? It sounds like the answer is only in some cases.
Why aren’t people talking about BlueJeans, which runs a similar daemon for similar reasons?
Will browsers continue to allow remote pages to access local servers? That seems to be the root problem in this case.

Update (2019-07-12): Jonathan Leitschuh:

That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!

Patrick Wardle:

Zoom: Let’s allow remote access to your mic/cam 🛡️ OverSight: Fine, but we’ll detect & alert

Apple: Let’s silently remove Zoom 🛡️ BlockBlock: Fine, but we’ll detect & alert

Update (2019-07-16): Juli Clover:

Apple today pushed a second silent security update to Macs to address further vulnerabilities related to the Zoom video conferencing app for macOS, reports The Verge.

Apple removed software that was installed by RingCentral and Zhumu, two video conferencing apps that relied on technology from Zoom and were also found to have the same vulnerabilities as Zoom earlier this week.

Update (2019-07-17): Rich Trouton:

To verify that you have this installed, here’s a one-line command to check for the latest installed MRT installer package[…]

John Gruber:

This option is enabled by default — even if you choose to install regular system updates manually — which is why the vast majority of Mac users are getting these “silent” updates automatically. But if you disable this option, even these silent updates won’t be installed automatically. I confirmed this with an Apple spokesperson, who emphasized that Apple only issues such updates “extremely judiciously”. Any pending security updates will be installed the next time you manually update software.

[…]

If I could tweak anything, it would be to have these updates show up in the regular list of pending software updates if you have “Install system data files and security updates” turned off.

Bruce Schneier:

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

9 Comments

Apple Revives Texas Hold’em Game

Michael Potuck:

In a surprise move, Apple has revived its Texas Hold’em game for iOS today. The update to the original game comes in celebration of the 10-year anniversary of the App Store and has been redesigned to include new characters, improved graphics, more challenging gameplay, and much more.

I certainly didn’t expect that to happen.

John Voorhees:

Missed the 10th anniversary by 363 days.

Theories:

The intern didn’t finish the update until this summer

Jony said no, but now that he’s leaving, anything is possible

They submitted it last year but it was held up by app-review limbo.

The build was stuck “Processing” for a year.

Previously:

Update (2019-07-15): John Gruber:

They’ve switched the font to San Francisco (but maybe that’s just because they were always specifying the system font), and it adapts to fit the iPhone X-class displays, but there’s still no iPad version and still no iCloud syncing across devices. For the most part, the game seems unchanged. Oh, and in a sign of the times, the price dropped from $4.99 to free.

App Store Game iOS iOS 12

Bug Cloudflare Regular Expression Web

Monday, July 8, 2019 [Tweets] [Favorites]

Cloudflare Outage Caused by Regular Expression

John Graham-Cumming:

Unfortunately, one of these rules contained a regular expression that caused CPU to spike to 100% on our machines worldwide. This 100% CPU spike caused the 502 errors that our customers saw. At its worst traffic dropped by 82%.

We were seeing an unprecedented CPU exhaustion event, which was novel for us as we had not experienced global CPU exhaustion before.

Update (2019-07-15): John Graham-Cumming (Hacker News):

Although the regular expression itself is of interest to many people (and is discussed more below), the real story of how the Cloudflare service went down for 27 minutes is much more complex than “a regular expression went bad”. We’ve taken the time to write out the series of events that lead to the outage and kept us from responding quickly. And, if you want to know more about regular expression backtracking and what to do about it, then you’ll find it in an appendix at the end of this post.

Bug Datacide iMessage iOS iOS 12 Mac macOS 10.14 Mojave Messages.app Objective-C Programming

Malformed iMessage Could Cause iPhone Boot Loop

Project Zero (via Hacker News):

The method -[IMBalloonPluginDataSource individualPreviewSummary] in IMCore can throw an NSException due to a malformed message containing a property with key IMExtensionPayloadLocalizedDescriptionTextKey with a value that is not a NSString. This method calls [IMBalloonPluginDataSource _summaryText] which returns the property assuming it is a string, but this is not checked. The calling method then calls -[IMBalloonPluginDataSource _replaceHandleWithContactNameInString:] which calls im_handleIdentifiers on the NSString which is really an NSNumber, which throws an exception as the selector does not exist in that class.
On a Mac, this causes soagent to crash and respawn, but on an iPhone, this code is in Springboard. Receiving this message will case Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input. This condition survives a hard reset, and causes the phone to be unusable as soon as it is unlocked. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost though.

The bug is fixed in macOS 10.13.4 and iOS 12.3, but what about customers on previous OS versions? Now that the bug is known, they could be targeted. And it doesn’t seem like Apple could intercept the bad messages at the server level without decrypting private messages.

NSSecureCoding can’t really protect against this kind of mistake. Maybe Swift could have, depending on how the code was written.

I recently ran into a similar bug with AVPlayer, where using the scroll wheel calls an internal method with the wrong data type where a number was expected, causing an exception and alert window. I’m sure sort of thing happens all the time, throughout the iOS/macOS and apps, but rarely are the potential consequences so dire.

Previously: