Wednesday, May 27, 2020 [Tweets] [Favorites]

Catalina Fonts You Didn’t Know You Had Access To

Ralf Herrmann:

Apple has recently licensed fonts from type foundries such as Commercial Type, Klim Type Foundry and Mark Simonson Studio to be used as system fonts on Mac OS Catalina. But since these fonts are an optional download, many users of Mac OS X are not even aware they have access to them for free.

To see and install these optional fonts, open the FontBook application and switch to “All Fonts”.

Some highlights are Founders Grotesk, Produkt, and Proxima Nova. The full list is here.

The LG UltraFine 5K, kernel_task, and Me

Peter Steinberger:

Since we first purchased the displays, we’ve been having issues with them, starting with delayed shipping, ghosting, and Wi-Fi interference, and moving on to compatibility — there’s no HDMI, DisplayPort, or similar. The only way to use these monitors is with a modern Mac. As for the compatibility issue, that was a known tradeoff, and for me, it was acceptable. After all, the benefit of only having a single cable as a modern docking station and a beautiful panel outweighed the drawbacks. I still remember my innocent excitement.

Since receiving these displays, we’ve had to return most of them to get fixes for various issues, and we’ve patiently updated the firmware multiple times with LG’s crappy Screen Manager software. There are also issues with expanding batteries, and Apple has blamed the LG 5K, saying just don’t use it a lot and you’ll be fine.


The 16-inch MacBook Pro doesn’t seem to suffer from this temperature sensor misplacement and can drive the LG UltraFine without slowdown on both ends. […] The bad news: The LG can provide 87 watts of power, but the notebook comes with a 96-watt adaptor. This means that the battery is constantly compensating. […] I mostly use the separate power plug to fix the “missing 9-watt problem.”

Despite all this, he recommends it. There just aren’t many Retina options.


macOS 10.15.5

Apple (TidBITS, MacRumors, Hacker News, Mr. Macintosh, Howard Oakley):

macOS Catalina 10.15.5 introduces battery health management in the Energy Saver settings for notebooks, an option to control automatic prominence of video tiles on Group FaceTime calls, and controls to fine-tune the built-in calibration of your Pro Display XDR. The update also improves the stability, reliability, and security of your Mac.

The update went smoothly for me on the MacBook Pro. I’m still using Mojave on my iMac. Alas, the update does not fix the remaining data loss issue with Apple Mail. Mail’s version number is unchanged since macOS 10.15.4.

Mr. Macintosh:

NOTE!!! on the softwareupdate --ignore flag change.

Major new releases of macOS are no longer hidden when using the softwareupdate command with the --ignore flag

****This change also affects macOS Mojave and macOS High Sierra after installing Security Update 2020-003.****

Adding a Catalina nag in a security update is not very nice.

Jeff Johnson:

Apple’s support article seems to be not entirely accurate. It’s true that the Software Update preference pane now refuses to ignore the Catalina update on Mojave. Nonetheless, softwareupdate itself does continue to ignore it! Fortunately, then, there’s still a way to make the red badges go away. We don’t need no stinkin’ badges!

The key is to avoid opening the Software Update preference pane. It’s fine to open System Preferences though. If you happened to open the preference pane after installing the Security Update 2020-003, you can just repeat the above steps, and the badge will still go away.


It may be a bummer to have to check and install everything from the command line, but it’s preferable to a permanent red stain on your Dock, isn’t it?

Mr. Macintosh:

I have received 3 different reports that the 10.15.5 Update is still changing the ComputerName & HostName back to default

The last update that I’ve received from Apple said that this issue will NOT be fixed until macOS 10.16

Mike Bombich:

Early last week we discovered an APFS filesystem bug in a beta of macOS 10.15.5. The technical details of the bug are laid out below, but the short version is that we’re no longer able to use our own file copier to establish an initial bootable backup of a macOS Catalina System volume.


The chflags() system call can no longer set the SF_FIRMLINK flag on a folder on an APFS volume. Rather than fail with an error code that we would have detected, it fails silently – it exits with a success exit status, but silently fails to set the special flag. That’s a bug in the APFS filesystem implementation of chflags – if a system call doesn’t do what you ask it to do, it’s supposed to return an error code, not success. That’s a fairly nasty bug too. Apple preaches that you should always check your error codes, and we do – religiously. This bug slipped past us for who knows how long because the system call exits with a success error code.
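The defensive habit that would have caught the failure Bombich describes is to re-read the inode after an attribute-setting call and confirm the change actually landed, rather than trusting the return code alone. The following is an added example, not Carbon Copy Cloner's or Apple's code. On platforms without chflags(2) it uses chmod(2)/stat(2) mode bits as a portable stand-in, and a constructed no-op setter mimics a call that returns 0 but changes nothing; the macOS-only function at the end applies the same check to SF_FIRMLINK itself, needs root, and is compiled only where the SDK defines that flag. The scratch path under /tmp and all function names are assumptions.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* A setter that mutates a file attribute; chmod(2) has this shape, and so
   does chflags(2) on the BSD-derived systems that provide it. */
typedef int (*attr_setter)(const char *path, mode_t bits);

enum { VERIFY_CALL_FAILED = -1, VERIFY_SILENT_FAILURE = 0, VERIFY_OK = 1 };

/* Set the requested mode bits, then re-read the inode and confirm they are
   really present. A setter that returns 0 without changing anything (the
   APFS chflags behaviour described in the post) yields VERIFY_SILENT_FAILURE,
   which a caller checking only the return code would never see. */
int set_mode_bits_verified(const char *path, mode_t bits, attr_setter setter) {
    struct stat st;
    if (stat(path, &st) != 0) return VERIFY_CALL_FAILED;
    if (setter(path, (st.st_mode & 07777) | bits) != 0) return VERIFY_CALL_FAILED;
    if (stat(path, &st) != 0) return VERIFY_CALL_FAILED;
    return ((st.st_mode & bits) == bits) ? VERIFY_OK : VERIFY_SILENT_FAILURE;
}

/* Constructed stand-in for the bug: reports success, does nothing. */
int silent_noop_setter(const char *path, mode_t bits) {
    (void)path;
    (void)bits;
    return 0;
}

/* Create a scratch file (mode 0600, so S_IXUSR starts clear), run the
   verified setter with the given backend, clean up, return the result. */
int run_on_scratch_file(attr_setter setter) {
    char path[] = "/tmp/verify-flags-XXXXXX";   /* assumed writable location */
    int fd = mkstemp(path);
    if (fd < 0) return VERIFY_CALL_FAILED;
    close(fd);
    int rc = set_mode_bits_verified(path, S_IXUSR, setter);
    unlink(path);
    return rc;
}

#if defined(__APPLE__) && defined(SF_FIRMLINK)
/* macOS only: the same pattern on the flag from the post. Requires root and
   an APFS directory; on an affected 10.15.5 build the silent failure shows
   up here as VERIFY_SILENT_FAILURE instead of slipping through. */
int set_firmlink_flag_verified(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return VERIFY_CALL_FAILED;
    if (chflags(path, st.st_flags | SF_FIRMLINK) != 0) return VERIFY_CALL_FAILED;
    if (lstat(path, &st) != 0) return VERIFY_CALL_FAILED;
    return (st.st_flags & SF_FIRMLINK) ? VERIFY_OK : VERIFY_SILENT_FAILURE;
}
#endif

int main(void) {
    printf("real chmod:  %d\n", run_on_scratch_file(chmod));              /* 1 */
    printf("silent noop: %d\n", run_on_scratch_file(silent_noop_setter)); /* 0 */
    return 0;
}
```

The read-back costs one extra stat(2) per call, which is negligible next to the copy itself, and it turns "the kernel lied" from an invisible failure into an ordinary error path.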

Tim Schmitz:

Please fix the recurrent kernel panics during sleep on my 16” MBP 🤞🤞🤞


Bot Twitter Accounts Discussing COVID-19

Karen Hao (via John Gruber):

Kathleen M. Carley and her team at Carnegie Mellon University’s Center for Informed Democracy & Social Cybersecurity have been tracking bots and influence campaigns for a long time. Across US and foreign elections, natural disasters, and other politicized events, the level of bot involvement is normally between 10 and 20%, she says.

But in a new study, the researchers have found that bots may account for between 45 and 60% of Twitter accounts discussing covid-19. Many of those accounts were created in February and have since been spreading and amplifying misinformation, including false medical advice, conspiracy theories about the origin of the virus, and pushes to end stay-at-home orders and reopen America.

Virginia Alvino Young:

To analyze bot activity around the pandemic, CMU researchers since January have collected more than 200 million tweets discussing coronavirus or COVID-19. Of the top 50 influential retweeters, 82% are bots, they found. Of the top 1,000 retweeters, 62% are bots.


Many factors of the online discussions about “reopening America” suggest that bot activity is orchestrated. One indicator is the large number of bots, many of which are accounts that were recently created. Accounts that are possibly humans with bot assistants generate 66% of the tweets. Accounts that are definitely bots generate 34% of the tweets.

These are extraordinary claims, both because of the high numbers and because lots of real people are also talking about COVID-19. Some of them are spreading misinformation, and some are in favor of reopening sooner. In my own Twitter feed I have seen very few if any COVID-19 tweets that look like they are bot-related. How did the researchers arrive at these counts, with such apparent certainty?

Neither of these articles shows actual examples of bots. I could not find a published paper, data, methodology, or code. Professor Carley did give a seminar on March 31, which has more details than the news release (via Tess Owen). One of the precise claims is:

Overall in the discussion around corona virus about 45% of the users are more than 50% likely to be bots

This is a bit less sensational, and it clarifies that these are not numbers based on humans looking at the tweets and accounts and categorizing them as bot or not-bot. Rather, they are counting accounts that were assigned bot percentages by a machine learning model.

Darius Kazemi:

The short of it is: knowing what we know about the study, which is very little, it seems like these researchers have in the past used a very loose and nearly useless definition of “bot”


Also worth looking at is this informal audit of a few “bots” that were identified by these researchers back in April, some of which are humans with faces and lives who post videos of themselves like, talking and living and stuff


Also if you’re interested in this you can check out my blog post on “The Bot Scare” which is not peer-reviewed but I try to cite lots of sources and make a decent argument that most of this kind of research is pretty flimsy.

Yoel Roth (Twitter Head of Site Integrity):

There’s no right or wrong way to use Twitter — and many “bot” studies wind up dismissing a lot of real activity as inauthentic.

Even if you take “bot” to mean “automated spam,” there’s little evidence that the dramatic conclusions of the #COVID19 study are accurate.

That’s not to say that spam isn’t an issue. We know that discussions about #COVID19 are a prime target for all sorts of platform manipulation. Since March, our proactive systems have challenged millions of spammy accounts Tweeting about COVID.


Why not just suspend accounts immediately, or share information about our other actions in our APIs? Doing so would make it easier for adversaries to know we’ve caught them, and adapt to evade our detections.

Possibly the bot threat is exaggerated, but that’s not exactly comforting, either.

Joey D’Urso:

Bots do exist, and there have been several concerning stories in recent years about foreign bots attempting to influence elections in the UK, US, and elsewhere.

But a lot of the time, what looks like foreign bot activity is nothing of the sort.

The truth is often something even harder to get your head around — people voluntarily choosing to copy and paste identikit slogans on social media to spread a partisan message or simply wind up their opponents.

Tuesday, May 26, 2020

Jailbreaking for iOS Developers

Peter Steinberger:

Jailbreaking has a bad taste because it can be used to pirate apps. But there are many other, much more noble or interesting reasons why it’s worth exploring, like enhancing accessibility[…]

This is a great collection of apps, tweaks, and links.


Sublime Merge 2

Dylan Johnston (Hacker News):

  • Repository-Level Tabs - use tabs to quickly navigate between multiple repositories
  • Upgraded Commit UI - focus on what’s important with an upgraded commit UI
  • Flexible Layouts - adapt the layout to fit your context and workflow
  • Hardware Acceleration - harness your device's power with OpenGL rendering

I love how fast this app is and the way it shows diffs with intra-line changes, syntax coloring/styles (albeit not for Swift), and the name of the modified function. I use it sometimes for searching and browsing a file’s history. But I haven’t been able to get used to it for regular daily Git use. The keyboard navigation between and within panes is weird. I can’t batch-select uncommitted files. Page Up/Down doesn’t work in the diff pane.


Phantom App Updates, Part 2

Eric Slivka:

Over the past few hours, a number of MacRumors readers have reported seeing dozens or even hundreds of pending app updates showing in the App Store on their iOS devices, including for many apps that were already recently updated by the users. In many cases, the dates listed on these new app updates extend back as far as ten days.

Jeff Johnson (tweet):

These were not new versions of the apps submitted by the developers but rather re-releases of the current versions, modified somehow by Apple. […] It has been speculated that these new releases are to fix a recent issue plaguing iOS users that prevents them from opening their installed apps. Instead, they see an alert that says “This app is no longer shared with you. To use it, you must buy it from the App Store.”


Sure enough, the Apple iPhone OS Application Signing certificate expired on May 20, 2020 at 9:04:15 PM Central Daylight Time. I searched “social media”, and the first reference I found to the current batch of “This app is no longer shared with you” errors was on May 21. What an incredible coincidence!


Public Triplebyte Profiles

Ammon Bartram:

Now, you can use your Triplebyte credentials on and off the platform. Just like LinkedIn, your profile will be publicly accessible with a dedicated URL that you can share anywhere (job applications, LinkedIn, GitHub, etc). When you do well on a Triplebyte assessment, your profile will showcase that achievement (we won’t show your scores publicly). Unlike LinkedIn, we aim to become your digital engineering skills resume — a credential based on actual skills, not pedigree.

The new profiles will be launching publicly in 1 week. This is a great opportunity to update your profile with your latest experience and preferences. You can edit your profile privacy settings to not appear in public search engines at any time.

In other words, you have less than a week to opt out if you don’t want your information to be public. But it apparently takes 30 days for the change to be processed.

Ammon Bartram:

You came to us with the goal of landing a great software engineering job. As part of that, you entrusted us with your personal, sensitive information, including both the fact that you are job searching as well as the results of your assessments with us. Launching a profile feature that would automatically make any of that data public betrayed that trust.


What I will do now is slow down, take a step back, and learn the lessons I need to avoid repeating this.

Netflix Stops Charging Inactive Customers

BBC (via Hacker News):

The company said the notifications would be sent to those people who signed up with a credit card or other payment method, but have not watched anything in the year since signing up.

It will do the same for other users who have been paying for the service, but have not watched anything in the past two years.

Users with dormant accounts will receive a notification asking if they want to continue with their subscription, and those who do not respond will have their account cancelled.

And your data is preserved if you resubscribe later. Bravo.


Years ago, I heard of a dating site doing the opposite of this. They normally sent periodic digests and newsletters to their users to try to increase engagement, but if a user went a certain number of months without logging into their account, but still allowed monthly fees to be charged, they were labeled as a “sleeping giant” in the database. Once in this state, they would not be contacted by the site for any reason until they logged in again by their own initiative. The site had determined that, on average, contacting these users had a net-negative effect on retention — i.e., they would be reminded that they were paying for an unused service and cancel.


Monday, May 25, 2020

Grocery Shopping With Guided Access

Ole Begemann:

Problem: Face ID doesn’t work with face masks. You have to type in your passcode all the time during grocery shopping to check your shopping list.

Solution: Open your shopping list app and activate Guided Access. Tada!


Guided Access limits your device to a single app and lets you control which features are available.


Go to Settings > Accessibility, then turn on Guided Access.


On an iPhone X or later, triple-click the side button.

On the plus side, this keeps the phone unlocked, so you don’t have to type your passcode every time you take it out of your pocket. The downside is that there’s no way to turn off the display to prevent accidental input or battery drain.


Update (2020-05-25): You need to enter your Guided Access passcode to exit Guided Access, and then enter your full passcode to pay with Apple Pay.

unc0ver Jailbreak Tool for iOS 13.5

Frank McShan (Hacker News):

The team behind the “unc0ver” jailbreaking tool for iOS has released version 5.0.0 of its software that claims to have the ability to jailbreak “every signed iOS version on every device” using a zero-day kernel vulnerability by Pwn20wnd, a renowned iOS hacker.


As for security, unc0ver’s website says it utilizes “native system sandbox exceptions” so that “security remains intact while enabling access to jailbreak files.”


Solving the “Miracle Sudoku” in Prolog

Jason Kottke:

The solver himself calls it “a work of sublime genius” and “one of the most extraordinary puzzles we’ve ever seen”. It’s fascinating listening to him slowly uncover different aspects of the puzzle — watching him methodically figure out the 3s was genuinely thrilling.

Ben Congdon (via Hacker News):

Since Prolog is a declarative language, writing a Sudoku solver is remarkably concise. In essence, all the programmer needs to do is define the constraints of the game, and Prolog is smart enough to find solutions[…]


The cool thing about this code is that it works both as a Sudoku solver and as a Sudoku generator. You can query it with a partially solved board, and it will find all valid solutions.


Surprisingly, there are only 72 solution boards that meet the Miracle Sudoku constraints.

Friday, May 22, 2020

macOS 10.15: Slow by Design

Allan Odgaard (via Cocoa-Dev, Hacker News):

In episode 379 of ATP both Marco Arment and John Siracusa described noticeable delays and stalls after upgrading to macOS 10.15.


Another way to reduce the delays is by disabling System Integrity Protection. I say reduce, because I still do get some delays even with SIP disabled, but the system does overall feel much faster, and I would strongly recommend anyone who thinks their system is sluggish to do the same.


Apple delays execution while waiting for a reply from their server. This check for me takes close to a second. […] This is not just for files downloaded from the internet, nor is it only when you launch them via Finder, this is everything. So even if you write a one line shell script and run it in a terminal, you will get a delay!


Surprisingly though, just obtaining the display name or icon for one of these folders will trigger Apple’s code to verify that the client is allowed to access the location.


Specifically calling SecKeychainFindGenericPassword can cause noticeable delays, on a bad internet day I had this call stall for 3.3 seconds and this was with System Integrity Protection disabled!


This is the worst issue, sometimes, things will stall for 5-30 seconds [at application launch].


With SIP enabled and on a bad internet day I can have the entire machine freeze for 1-2 seconds every 10th minute, not to mention everything just being sluggish.

It’s worse in Catalina, but I’ve been seeing frequent problems since Mojave:

Marco Arment:

The macOS security team needs to ask themselves hard questions about their implementation choices when very smart people are disabling huge parts of their OS security layer just to get reasonable performance from common tasks.

Sean Heber:

Apple needs to do something about this. The random stalls and slowness are pervasive, infuriating, annoying, and perhaps even approaching demoralizing.

Jeff Johnson:

This is why Apple needs remote workers, not just in the US but worldwide. Any feature that requires phoning home to Cupertino is going to be very fast in Cupertino, but possibly very slow elsewhere.


Update (2020-05-22): nut_bunnies:

I just got a new 13” MBP and sold my 2015 Pro that was on Mojave. It could be a botched backup migration but twice now I’ve had app and service lockups permeate throughout the system and apps that required a reboot to stop

Update (2020-05-25): Greg Hurrell (tweet, Hacker News):

Apple seems bent on locking things down in the name of security (a laudable effort), but at the cost of breaking shit for developers who just want to get along with their work. First came System Integrity Protection which was only a minor annoyance and probably a net win in terms of the security-vs-convenience trade-off. But then it was followed by an increasingly draconian series of cumbersome security measures, culminating with incessant authorization prompts reminiscent of Windows Vista’s infamous User Account Control and, most recently, with the horrible network-gated permission checks to do simple things like, er, running executables.

Jeff Johnson (tweet, Hacker News):

You can verify that there’s an online check by taking packet traces. […] Is Catalina trying to check the notarization of the executable? The evidence strongly indicates yes.


By the way, you can block macOS notarization checks without turning off your internet connection by installing Little Snitch and setting the rules to deny any outgoing connection from syspolicyd.


What about compiled command-line tools that are not scripts but not apps either? I created a simple “Hello World” project in Xcode, and I changed the build settings so that the tool was not code signed at all by Xcode. When I ran the tool for the first time, there was no online notarization check, which was a bit surprising to me. When I looked at the Xcode build transcript, though, I found the explanation. The final phase of the build, after the linking phase, was “Register execution policy exception”. Xcode called builtin-RegisterExecutionPolicyException on my tool. This gave the tool permission to execute on my Mac without getting checked.


One major problem, though, is that this information is not documented anywhere, to my knowledge.


Xcode (the UI) is able to bypass GateKeeper checks for things it builds.

The “Developer Tool” pane in System Prefs, Security, Privacy is the same power. Drag anything into that list you’d like to grant the same privilege (such as xcodebuild). This is inherited by child processes as well.

The point of this is to avoid malware packing bits of Xcode with itself and silently compiling itself on the target machine, thus bypassing system security policy.


Making this about speed is burying the lede. From a privacy and user-freedom perspective, it’s horrifying.

Don’t think so? Apple now theoretically has a centralized database of every Mac user who’s ever used youtube-dl. Or Tor. Or TrueCrypt.

Rui Carmo:

Besides the potential for failure (Apple has historically been mediocre at doing online systems, except for the iTunes/App Store, which is finely honed and cached up the wazoo), the potential for data gathering is serious enough that I can see Macs being banned from use in public sector clients outside the US (development or not).

And even if it can be argued that this caches results and normal users will mostly run things from the App Store and seldom notice any delays, it is something that ought to be surfaced properly for developers and power users alike.

Howard Oakley:

One other strange thing which happens to shell scripts the first time that they are run in Catalina is that a xattr is added to them, containing a UUID which is common across several scripts, at least. That doesn’t appear to contribute to any delay in launching the script, but is further evidence that what is recorded in the unified log is no reflection on the processes which have taken place. It also raises further questions about the purpose of this new type of xattr, which had previously been associated with per-document privacy control by TCC.


What Time Is It in London, Siri?

John Gruber:

Nilay Patel asked this of Siri on his Apple Watch. After too long of a wait, he got the correct answer — for London Canada. I tried on my iPhone and got the same result. Stupid and slow is heck of a combination.


Worse, I tried on my HomePod and Siri gave me the correct answer: the time in London England. I say this is worse because it exemplifies how inconsistent Siri is. Why in the world would you get a completely different answer to a very simple question based solely on which device answers your question? At least when most computer systems are wrong they’re consistently wrong.

I would certainly appreciate better smarts from Siri, but the main problems I consistently have are:

After nearly 9 years, I don’t expect a perfect AI, but the basic stuff should be reliable.

Nick Heer:

What bugged me most about this, though, is that searching Maps locations through Siri and by keyboard entry frequently requires an unnecessary amount of precision. For years, getting directions to the Ikea location here in Calgary required typing “Ikea Calgary, Alberta”, otherwise it would consistently get directions to Ikea in Edmonton, about three hours away. Apple has fixed that now, but there are plenty of other times where it has directed me to similarly-named pizza joints and dry cleaners in the southern United States instead of mere blocks away. Why is Siri so eager to prioritize proximity for a query that is about time difference by distance, yet Maps search reliably thinks I want to travel many hours to get furniture or dinner?

Most egregious to me was that time, earlier this year, when Siri suggested an inconceivable day-long road trip instead of a route to my office. It got every possible aspect wrong of something I do with scheduled regularity.

Dr. Drang:

The interesting difference between my 2016 experience and John Gruber’s and Nilay Patel’s 2020 experiences is that I did want the nearest city with the name I gave. It’s fun to see the wide variety of ways in which Siri manages to choose the worthless answer, but we really should have a better assistant by now.


Marking Unused Required Swift Initializers As Unavailable

Jesse Squires:

However, if you do not use Interface Builder, then init(coder:) is irrelevant and will never be called. It is annoying boilerplate. But the real problem is that Xcode (and presumably other editors) will offer init(coder:) as an auto-complete option when initializing your view or view controller. That is not ideal, because it is not a valid way to initialize your custom view or view controller. Luckily, you can use Swift’s @available attribute to prevent this, which also has the benefit of more clearly communicating that you should not use this initializer.

It’s annoying how each of my view and managed object subclasses has to reimplement a required initializer that I never intend to call.

New York Times Phasing Out 3rd-Party Advertising Data

Sara Fischer:

The New York Times will no longer use 3rd-party data to target ads come 2021, executives tell Axios, and it is building out a proprietary first-party data platform.


The Times will begin to offer clients 45 new proprietary first-party audience segments to target ads.


Other publishers like Vox Media and The Washington Post have also begun building out first-party data solutions in response to the growing industry backlash against using third-party data to target ads.

This is being reported as a pro-privacy move, which it is in the sense that the data won’t all end up at Facebook, Google, and Twitter. On the other hand, the large media companies are ramping up data collection and tracking within their sites.

Antonio García Martínez:

Due to GDPR penalizing third-party data, and due to the advantages granted thereby to large first-party repositories of data, the NYT is precisely emulating FB and becoming a data collector (but with worse privacy probably).


You can have better privacy controls, but it’ll result in more entrenched incumbents. Or you can have a competitive data landscape, but no privacy. But not both.


It means there will be a menu of segments (based on your data) for “Young Influencers” and “Suburban Affluents” or whatever BS their PMM cooks up. But since the NYT allows 3rd-party ad serving, it’ll all leak and be used elsewhere too.

Balaji S. Srinivasan:

Folks, when we say NYT is a competitor to tech companies we aren’t kidding.

They’re literally offering ad targeting services.

A direct competitor is not a neutral arbiter.

One could also say that tech—by which he means Silicon Valley unicorns—moved into media. Regardless, hostilities between the two groups have been increasing for the past few years.

Nick Heer:

The personalized advertising model of the last decade or so is toxic to the web. It incentivizes surveillance of users to create highly granular categories of behaviour and interests because there is the assumption that more data points lead to better targeting which, I guess, is supposed to mean a greater likelihood of conversion into ad clicks. In return, users are supposed to be comfortable with their every click and scroll being tracked from website to website — all for only about 4% greater ad revenue than non-tracking ads with relevant context.


I would vastly prefer to revert to a pre-personalized ad world, but I still see this move as a step in the right direction.

Thursday, May 21, 2020

Apple Purchasing Podcasts

Lucas Shaw and Mark Gurman:

Apple Inc. is ramping up its push into original podcasts by seeking an executive to lead the initiative and buying shows that would be exclusive to its services.

The technology giant has begun acquiring two types of original podcasts, according to people familiar with the matter: one category is audio spinoffs of existing movies and programs on its Apple TV+ service, and the other is original programs that could eventually be adapted into future TV+ video content.


Separate from its work on originals, Apple has asked some producers working on podcasts to provide versions of their offerings without advertisements, which fits into TV+’s ad-free approach.


HEIC and the College Board

Monica Chin (via Nilay Patel):

Nick Bryner, a high school senior in Los Angeles, had just completed his AP English Literature and Composition test last week. But when he snapped a photo of a written answer with his iPhone and attempted to upload it to the testing portal, it stopped responding.

The website got stuck on the loading screen until Bryner’s time ran out. Bryner failed the test.


[The] testing portal doesn’t support the default format on iOS devices and some newer Android phones, HEIC files. HEIC files are smaller than JPEGs and other formats, thus allowing you to store a lot more photos on an iPhone.

I like HEIC because overall it saves me lots of storage space on my iPhone and Mac. But it’s a shame it isn’t more widely supported.

Even Lightroom seems to only partially support it. It treats HEIC files like RAW images and maintains a huge Adobe Camera Raw 2 cache folder of the ones that it has recently converted so that it can work with them.


Update (2020-05-22): Josh Centers:

The College Board says that 1 percent of students experienced problems, which means that, if they are representing the failure rate accurately, only tens of thousands will have to retake their tests.


Nonetheless, it would behoove Apple to contribute resources to upgrading open-source image-processing libraries so HEIC could be supported as easily as other, more common image formats.

Remote Code Execution in qmail

Qualys (via Marcel Weiher, Matthew Garrett, Hacker News):

Surprisingly, we re-discovered these vulnerabilities during a recent qmail audit; they have never been fixed because, as stated by qmail’s author Daniel J. Bernstein:

This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.

Indeed, the memory consumption of each qmail-smtpd process is severely limited by default (by qmail-smtpd’s startup script); for example, on Debian 10 (the latest stable release), it is limited to roughly 7MB.

Unfortunately, we discovered that these vulnerabilities also affect qmail-local, which is reachable remotely and is not memory-limited by default[…]

See also: Some thoughts on security after ten years of qmail 1.0 (PDF).
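The two halves of the exchange above are an assumption (allocated array lengths fit comfortably in 32 bits) and a mitigation that makes the assumption hold for one process (the startup script's memory limit) but not for another (qmail-local). As an added example that is neither qmail's nor Qualys's code, here is an allocation helper that makes the assumption explicit instead of implicit: it refuses a size that overflows, that does not fit a 32-bit signed int, or that exceeds a configured cap, and a setrlimit(RLIMIT_AS) call stands in for the startup-script limit. The 7 MB cap is the figure from the text; the function names and the use of __builtin_mul_overflow (GCC/Clang) are assumptions.

```c
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>

/* Assumed per-process cap, standing in for the roughly 7 MB limit the
   advisory says qmail-smtpd's startup script applies on Debian 10. */
#define ASSUMED_PROCESS_CAP ((size_t)7 * 1024 * 1024)

/* 1 if a length can round-trip through a 32-bit signed int unchanged,
   i.e. the assumption the quoted reply relies on. */
int length_fits_int(size_t n) {
    return n <= (size_t)INT_MAX;
}

/* count * elem_size with overflow detection; 0 means "does not fit size_t"
   (a zero-element array is not a case this helper is meant for). */
size_t array_bytes_or_zero(size_t count, size_t elem_size) {
    size_t bytes;
    if (__builtin_mul_overflow(count, elem_size, &bytes)) return 0;
    return bytes;
}

/* Allocate an array only if (a) the byte count does not overflow, (b) it
   fits a 32-bit int, and (c) it stays under the cap. NULL otherwise, so the
   caller sees an ordinary allocation failure rather than a wrapped length. */
void *bounded_alloc_array(size_t count, size_t elem_size, size_t cap) {
    size_t bytes = array_bytes_or_zero(count, elem_size);
    if (bytes == 0) return NULL;
    if (!length_fits_int(bytes)) return NULL;
    if (bytes > cap) return NULL;
    return malloc(bytes);
}

/* Probe helper: 1 if the allocation is accepted, 0 if refused. */
int alloc_probe(size_t count, size_t elem_size, size_t cap) {
    void *p = bounded_alloc_array(count, elem_size, cap);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

/* Enforce the cap on the process itself, the way a daemontools softlimit
   wrapper in a startup script would. 0 on success. Lowering the hard limit
   is irreversible for this process, which is the point. */
int cap_address_space(size_t bytes) {
    struct rlimit rl;
    rl.rlim_cur = bytes;
    rl.rlim_max = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

int main(void) {
    printf("1000 x 8 bytes under cap:      %d\n", alloc_probe(1000, 8, ASSUMED_PROCESS_CAP));
    printf("cap x 2 bytes (over cap):      %d\n", alloc_probe(ASSUMED_PROCESS_CAP, 2, ASSUMED_PROCESS_CAP));
    printf("SIZE_MAX/2 x 4 (overflows):    %d\n", alloc_probe(SIZE_MAX / 2, 4, ASSUMED_PROCESS_CAP));
    printf("INT_MAX+1 fits int:            %d\n", length_fits_int((size_t)INT_MAX + 1));
    return 0;
}
```

The advisory's point is that the cap is a property of how a binary is launched, not of the code; a process such as qmail-local that is started another way inherits none of it, which is why the check belongs in the allocator as well.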

“Lack of Action” on Siri Recordings

Alex Hern (via Julian Mair):

A former Apple contractor who helped blow the whistle on the company’s programme to listen to users’ Siri recordings has decided to go public, in protest at the lack of action taken as a result of the disclosures.

In a letter announcing his decision, sent to all European data protection regulators, Thomas le Bonniec said: “It is worrying that Apple (and undoubtedly not just Apple) keeps ignoring and violating fundamental rights and continues their massive collection of data.

I don’t understand what more he wants Apple to do.

Juli Clover:

Apple resumed Siri quality control practices in the fall with the release of the opt-out option. Siri quality control is no longer handled by third-party contractors and is done in-house, and Apple has made changes to minimize the amount of data that reviewers have access to.


iOS 13.5

Juli Clover:

Apple today released iOS and iPadOS 13.5, major updates that come more than a month after the launch of iOS and iPadOS 13.4.1. iOS 13.5 is a major health-related update that brings many features related to the ongoing public health crisis.


Apple has tweaked Group FaceTime, adding a new toggle to disable the feature that automatically enlarges the tile of the person who is speaking.


Hide UI

Olivia Solon (via John Gruber):

Software called Hide UI, created by Grayshift, a company that makes iPhone-cracking devices for law enforcement, can track a suspect’s passcode when it’s entered into a phone, according to two people in law enforcement, who asked not to be named out of fear of violating non-disclosure agreements.


In order for this feature to work, law enforcement officials must install the covert software and then set up a scenario to put a seized device back into the hands of the suspect[…] For example, a law enforcement official could tell the suspect they can call their lawyer or take some phone numbers off the device. Once the suspect has done this, even if they lock their phone again, Hide UI will have stored the passcode in a text file that can be extracted the next time the phone is plugged into the GrayKey device.

See also: USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two.


Wednesday, May 20, 2020

Don’t Bury a Wet Laptop in Rice

Kevin Purdy (via Josh Centers):

Most importantly, don’t try to use rice to “draw out the moisture.” It doesn’t work, at all. You’re giving water more time to corrode your laptop, and you’re probably getting rice inside your laptop or under your keys.


If you can remove the bottom of your laptop, or even just open up a battery/memory/hard drive compartment with a switch on the bottom, do that.


Here’s the trick with most MacBooks out there: the screws on the bottom are pentalobe screws. Specifically, they are P5 screws. They’re intentionally uncommon.

Joe Rogan Moves to Spotify

Joe Rogan:

Starting on September 1, the podcast will be available on Spotify as well as all platforms, and then at the end of the year it will move exclusively to Spotify.

The podcast was already hugely financially successful, and it seems like this can only reduce his audience. On the other hand, maybe the fans will follow him and this will open up a new audience of people who don’t understand how podcasts work but already use Spotify (as 286 million people do). If I were a regular listener, I would be annoyed at having to use a separate app for one show.

Ashley Carman (tweet):

Listeners won’t have to pay to access the episodes, but they will have to become Spotify users. Spotify said in a press release that Rogan retains creative control over his show. It didn’t disclose how much it spent on the deal. The company will also work with an ad agency to jointly sell ads against the program. Rogan said last year his show reached about 190 million downloads a month.

Rogan’s YouTube channel will remain live, but it won’t contain full episodes.

Julia Alexander:

Rogan’s YouTube presence has two main avenues: full-length eps and clips. Does not having full-length episodes impact the spread of clips?

Peter Kafka (tweet):

Unlike other deals, this isn’t an acquisition, but a “multiyear licensing deal.” So Rogan will end up owning his own work and can eventually hop somewhere else.


This has echoes of Sirius XM’s move to bring Howard Stern’s popular morning show to the satellite radio service in 2004. One big difference: Sirius was a subscription-only service, and Spotify offers a free, ad-supported version; an ad-free version of Spotify costs $10 a month in the U.S.

Todd Spangler:

With Rogan, Spotify has landed one of the podcasting biz’s whales. It currently ranks as the No. 2 most popular show on Apple Podcasts (after Barstool Sports’ “Call Her Daddy,” whose hosts have been the focus of an ongoing controversy), according to Apple. A source familiar with the deal said Rogan became sold on Spotify’s ability to build his audience worldwide, after initially resisting distributing the podcast on the platform because he saw it as primarily a music service and because Spotify wasn’t offering to pay enough in licensing fees.

Via Sara Fischer:

Most Americans only subscribe to one audio service, but that could change if more podcasts begin to be offered exclusively on certain platforms.


Everyone saying it’s a cash grab doesn’t listen closely. Over the last few years Joe has been demonetized and controlled by YouTube. I see a lot of podcasters following.

John Gruber:

It’s interesting to me, as someone with (to put it mildly) rather strong feelings on the advantages of publishing on the open internet, that Rogan sees moving to one exclusive app, with invasive tracking, as not exerting any sort of “creative control over the show”. I’m not trying to be coy, I know what he means — the content of the show will remain as-is, with no influence from Spotify. (So they say.) But I’m a big believer in Marshall McLuhan’s axiom: “The medium is the message.” Open podcasts and Spotify podcasts are similar, for sure, but they are not the same medium.


Update (2020-05-25): See also: Hacker News, MacRumors, M.G. Siegler, The Talk Show.

David Heinemeier Hansson:

[The] difference between $20m/yr and $100m/yr is negligible in terms of lifestyle. The difference between literally RUNNING YOUR OWN SHOW vs being content bait on someone else’s hook is immense.

Nicholas Quah interviews Bill Simmons:

Spotify wants to be the dominant audio platform everywhere. That was the No. 1 reason I wanted to go there. I’m at a point in my life where I really just want to win. I’ve been in situations of all kinds over the last 20, 25 years, but the most fun I had was probably 2009 to 2014 at ESPN when we had the combination of the reach, the right people behind the scenes, the right ambition, and a lot of money. And people who are willing to take chances with it. If you look back at the stuff we attempted during that stretch, it was a cool time for the company. It’s probably something that will not happen again for them because of the way subs went backwards and everything.

Spotify reminded me of that point when I was at ESPN and a lot of the stars had aligned. The big difference is Daniel. The guy is like a genius. He might be Steve Jobs for audio.

Matt Birchler:

We can argue about how bad form it is for shows to go exclusive to one platform, and we can argue about how we distinguish shows that are available in all apps vs those who are available in specific apps, but to refuse to call these shows “podcasts” at all I feel is blatant gatekeeping that sounds very much like Spielberg’s stance, except people taking this stance would probably be calling films on Netflix “long TV shows”.

“I prefer podcasts that are distributed via RSS so I can listen in the app of my choice,” is a totally valid statement, but what I tend to hear is, “it’s not a podcast if I can’t subscribe to it from Overcast/Castro/Pocket Casts,” which is really starting to rub me the wrong way.

We already have a term for audio that’s not distributed via RSS, and it predates “podcast”: Internet radio.

Halide’s Third Birthday

Ben Sandofsky:

Meanwhile, a storm brewed on the horizon: iOS 13. At the start of summer, we tested Halide with the first iOS beta, and found significant issues. We filed tickets with Apple and hoped for the best, but as iOS 13 reached its last few betas in August, it was clear these issues weren’t going to be fixed in time. If we didn’t find workarounds, we expected users breaking down our doors with torches and pitchforks.

So we halted work on Spectre to find iOS 13 workarounds for Halide.

Halide 1.13 launched with little fanfare but no complaints, which is all we hoped for.


There’s a million things we want to do, but the lost Spectre update was a warning sign that we’re bumping up against our limits. In the last year it’s felt like we’ve had to weigh the opportunity cost of everything. Does it make sense to spend two weeks building a demo for Apple’s event? (Absolutely.) Should we spend a few days writing this post? A few days doesn’t feel like much until you realize all product work grinds to a halt.

See also: LIDAR: Peek Into The Future With iPad Pro, Halide: Year Two.


Be Careful When Scheduling Events Using Siri

Adam Engst:

When I used Siri to create the calendar event for the call, because I specified Mickie and Gary by name, Siri tried to be smart and invited them to the event without telling me. I didn’t want that to happen—the event was for my reference, not because I wanted to put it on their calendars.


Speaking as someone who doesn’t work in a large organization, calendar invitations make me uncomfortable. I never quite know when they’re being sent, or in what manner, or how the recipient will respond. […] Plus, when I receive invitations, I don’t know what will happen if I accept, reject, or ignore the invitation.


As a result, when I scheduled the call using Siri, it created the associated event on a calendar in Google Calendar. In itself, that wouldn’t have been a problem except that, by default, Google Calendar automatically adds video calls to events I create with other attendees. […] So as soon as Gary said he had been waiting in Google Hangouts, I realized that he had, for whatever reason, seen the event invitation and its associated link, rather than the email I’d sent.

Tuesday, May 19, 2020

Timing in SSH

Dr. Drang:

Apparently, in its neverending quest to save battery, Apple is powering down the wifi system between packets, which means a delay when new packets arrive or need to be sent. This doesn’t materially affect file transfers or streaming because the packets keep coming, but it plays havoc with intermittent communication like a terminal session.

Pistos’s solution was to set up two connections: one that keeps up a constant, albeit low volume, flow of bytes between the Mac and whatever was connected to it; and another for what he really wanted to do. I took his solution and turned it into this short shell script[…]


A better question might be why Apple is trying to save battery life on a Mac that doesn’t run on battery.


Why NetNewsWire Is Fast

Brent Simmons (tweet):

The parsers are fast — but we also do our best to skip parsing entirely when we can. There are two ways we do that.

We use conditional GET, which gives the server the chance to respond with a 304 Not Modified, and no content, when a feed hasn’t changed since the last time we asked for it.

This is wonderful in theory, but it doesn’t seem to work consistently with my blog. I’ve tested it, and the logs show that a few percent of NetNewsWire users are getting 304-cached content, but the vast majority are not. This may be a WordPress issue.

WP Super Cache:

Supercache doesn’t support 304 header checks in Expert mode but does support them in Simple mode.

I think at one point it worked when I hacked WP Super Cache to cache feeds using mod_rewrite, but currently I’m using the unmodified version in Simple mode.
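As an added illustration (not NetNewsWire’s code, and not from Simmons’s post), here is the conditional GET exchange in Python with a constructed in-memory stand-in for the origin server, so it runs offline. It shows both sides: the client sending `If-None-Match` / `If-Modified-Since` built from the validators it stored on the previous poll, the server answering 304 with no body when they match (honoring the RFC 7232 rule that `If-None-Match` takes precedence), and, for the case described above where a caching layer ignores the validators and answers 200 every time, a content-hash fallback so the parser still runs only when the bytes actually changed. The hash fallback is my addition, not something the post attributes to NetNewsWire; weak (`W/`) ETags are not handled.

```python
"""Conditional GET for feed polling, with an in-memory stand-in for the origin.

Added example; the "server" is a Python object and no network is used.
"""
import hashlib
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample feed bodies: two revisions of the same feed.
FEED_V1 = b"<rss><channel><item>one</item></channel></rss>"
FEED_V2 = b"<rss><channel><item>one</item><item>two</item></channel></rss>"


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the content, quoted as RFC 7232 requires."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


@dataclass
class FakeOrigin:
    """Stand-in for the feed's web server.

    honors_validators=False imitates a cache layer that answers every request
    with 200 and a full body, ignoring If-None-Match / If-Modified-Since.
    """
    body: bytes
    last_modified: str  # HTTP-date string
    honors_validators: bool = True

    def get(self, req: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        validators = {"ETag": etag_for(self.body), "Last-Modified": self.last_modified}
        if self.honors_validators:
            if "If-None-Match" in req:
                # RFC 7232: when If-None-Match is present, If-Modified-Since is ignored.
                tags = [t.strip() for t in req["If-None-Match"].split(",")]
                if "*" in tags or validators["ETag"] in tags:
                    return 304, validators, b""
            elif "If-Modified-Since" in req:
                try:
                    since = parsedate_to_datetime(req["If-Modified-Since"])
                    if since >= parsedate_to_datetime(self.last_modified):
                        return 304, validators, b""
                except (TypeError, ValueError):
                    pass  # unparsable date: treat the request as unconditional
        return 200, validators, self.body


@dataclass
class FeedCache:
    """What the client keeps per feed between polls."""
    etag: Optional[str] = None
    last_modified: Optional[str] = None
    body_sha256: Optional[str] = None


def request_headers(cache: FeedCache) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    if cache.etag:
        headers["If-None-Match"] = cache.etag
    if cache.last_modified:
        headers["If-Modified-Since"] = cache.last_modified
    return headers


def poll(origin: FakeOrigin, cache: FeedCache,
         parse: Callable[[bytes], int]) -> Tuple[str, Optional[int]]:
    """Fetch the feed and run the parser only when something actually changed.

    Returns ("not_modified", None) for a 304, ("same_body", None) when the server
    sent 200 but identical bytes (validators ignored upstream), or ("parsed", result).
    """
    status, hdrs, body = origin.get(request_headers(cache))
    if status == 304:
        return "not_modified", None
    cache.etag = hdrs.get("ETag", cache.etag)
    cache.last_modified = hdrs.get("Last-Modified", cache.last_modified)
    digest = hashlib.sha256(body).hexdigest()
    if digest == cache.body_sha256:
        return "same_body", None
    cache.body_sha256 = digest
    return "parsed", parse(body)


def count_items(body: bytes) -> int:
    """Placeholder parser: a real client would build article objects here."""
    return body.count(b"<item>")


def demo(honors_validators: bool) -> List[str]:
    """Poll an unchanged feed twice, then once more after it is updated."""
    origin = FakeOrigin(FEED_V1, "Tue, 19 May 2020 12:00:00 GMT", honors_validators)
    cache = FeedCache()
    actions = [poll(origin, cache, count_items)[0] for _ in range(2)]
    origin.body = FEED_V2
    origin.last_modified = "Tue, 19 May 2020 13:00:00 GMT"
    action, items = poll(origin, cache, count_items)
    actions.append(f"{action}:{items}")
    return actions


if __name__ == "__main__":
    print(demo(True))   # ['parsed', 'not_modified', 'parsed:2']
    print(demo(False))  # ['parsed', 'same_body', 'parsed:2']
```

With a compliant server the second poll is a 304 and nothing is downloaded; with a validator-ignoring one it is a full 200 whose body the hash check discards before parsing. Either way the third poll, after the feed changed, parses.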

Back to Simmons:

The same API that marks a single article as read is used to mark 10,000 articles as read. This way the database is updated once, the unread counts are updated once, and we push just one action on the undo stack.

The Cocoa frameworks can provide all sorts of notification and undo functionality almost for free, but to get bulk operations right you need to do it by hand.
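An added example (not NetNewsWire’s code) of the one-entry-point design described above, in Python with SQLite: `set_read` accepts one id or ten thousand, performs the update in a single transaction, recomputes unread counts once, and pushes one undo entry that contains only the articles whose state actually changed, so undo is exact and a no-op change leaves the undo stack alone. The counters on the store exist only to make the “once” visible; the `IN (...)` lists are chunked to stay under SQLite’s bound-parameter limit.

```python
"""One entry point for read/unread changes, for one article or ten thousand.

Added example (not NetNewsWire's code): a SQLite-backed store where a bulk
change costs one write transaction, one unread recount, and one undo entry.
"""
import sqlite3
from typing import Dict, Iterable, List, Sequence, Tuple

CHUNK = 500  # keep each IN (...) list under SQLite's bound-parameter limit


class ArticleStore:
    def __init__(self, articles: Sequence[Tuple[str, str]]) -> None:
        """articles: (article_id, feed_id) pairs, all initially unread."""
        self.transactions = 0   # write transactions committed (excluding setup)
        self.recounts = 0       # times the unread counts were recomputed
        self.undo_stack: List[Tuple[List[str], bool]] = []
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE articles (id TEXT PRIMARY KEY, feed_id TEXT NOT NULL, "
            "read INTEGER NOT NULL DEFAULT 0)"
        )
        with self.db:
            self.db.executemany("INSERT INTO articles (id, feed_id) VALUES (?, ?)", articles)
        self.unread_counts: Dict[str, int] = self._recount()

    def _recount(self) -> Dict[str, int]:
        self.recounts += 1
        rows = self.db.execute(
            "SELECT feed_id, COUNT(*) FROM articles WHERE read = 0 GROUP BY feed_id"
        )
        return dict(rows.fetchall())

    def _ids_in_state(self, ids: List[str], read: int) -> List[str]:
        """Return the subset of `ids` whose stored read flag equals `read`."""
        found: List[str] = []
        for i in range(0, len(ids), CHUNK):
            chunk = ids[i:i + CHUNK]
            marks = ",".join("?" * len(chunk))
            rows = self.db.execute(
                f"SELECT id FROM articles WHERE read = ? AND id IN ({marks})", [read, *chunk]
            )
            found.extend(r[0] for r in rows)
        return found

    def _apply(self, ids: List[str], read: bool) -> List[str]:
        """Set `read` on `ids`; return the ids whose state actually changed."""
        changed = self._ids_in_state(ids, int(not read))
        if not changed:
            return []
        with self.db:  # one transaction regardless of the count
            for i in range(0, len(changed), CHUNK):
                chunk = changed[i:i + CHUNK]
                marks = ",".join("?" * len(chunk))
                self.db.execute(
                    f"UPDATE articles SET read = ? WHERE id IN ({marks})", [int(read), *chunk]
                )
        self.transactions += 1
        self.unread_counts = self._recount()  # once, not per article
        return changed

    def set_read(self, ids: Iterable[str], read: bool = True) -> int:
        """The single API for marking one article or ten thousand.

        Pushes exactly one undo entry, and none when nothing changed."""
        changed = self._apply(list(dict.fromkeys(ids)), read)
        if changed:
            self.undo_stack.append((changed, read))
        return len(changed)

    def undo(self) -> int:
        """Revert the most recent change as one operation as well."""
        if not self.undo_stack:
            return 0
        ids, read = self.undo_stack.pop()
        return len(self._apply(ids, not read))


def demo() -> Dict[str, int]:
    """Constructed data: 2,000 unread articles split across two feeds."""
    store = ArticleStore([(f"a{i}", "feedA" if i % 2 else "feedB") for i in range(2000)])
    all_ids = [f"a{i}" for i in range(2000)]
    marked = store.set_read(all_ids)    # 2000 articles, one transaction
    again = store.set_read(all_ids)     # already read: nothing written, no undo entry
    restored = store.undo()             # back to unread, still one transaction
    return {
        "marked": marked, "again": again, "restored": restored,
        "transactions": store.transactions, "recounts": store.recounts,
        "undo_depth": len(store.undo_stack),
        "unread_feedA": store.unread_counts.get("feedA", 0),
    }


if __name__ == "__main__":
    print(demo())
```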


Update (2020-05-25): See also: Hacker News.

FBI Unlocks Pensacola Phone

Joe Rossignol:

FBI officials have somehow managed to unlock at least one of two passcode-protected iPhones owned by Mohammed Saeed Alshamrani, the perpetrator of a mass shooting at a Naval Air Station in Florida last December, according to CNN.

Apple provided the FBI with iCloud data belonging to Alshamrani, but it refused to assist investigators with gaining access to the iPhones.

Malcolm Owen:

Though the unlock method wasn’t revealed, the fact that the FBI has been able to gain access to evidence would usually be thought to slightly reduce the pressure applied by the US government and law enforcement agencies upon Apple to provide more assistance beyond what is already offered by the iPhone maker. To US Attorney General William Barr, the press conference was an opportunity to try and increase that pressure.


Apple responded to the FBI’s first requests for information just hours after the attack on December 6, 2019 and continued to support law enforcement during their investigation. We provided every piece of information available to us, including iCloud backups, account information and transactional data for multiple accounts, and we lent continuous and ongoing technical and investigative support to FBI offices in Jacksonville, Pensacola and New York over the months since.


It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers. There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.

I’m trying to figure out what the last clause means. It seems like Apple is saying that it’s good that there was a security flaw that the FBI was able to exploit. This seems to let everyone have their cake and eat it, too. We get strong encryption, and the FBI gets the information it wants. But, if Apple ever fixes all the flaws, then there will be a hard choice between weakening encryption for all and impeding investigations. And, in the meantime, the strong encryption carries a huge asterisk because the government seems to be able to get into every high-profile phone, and there are tools for sale that let others do so as well.


Update (2020-05-20): Kevin Collier and Cyrus Farivar:

The FBI was able to eventually access Alshamrani’s phone not by an unprecedented technical feat, but rather by “an automated passcode guesser,” according to a person familiar with the situation who spoke on condition of anonymity because the person was not authorized to speak publicly on the matter.

Via John Gruber:

So you can see why the FBI and DOJ are still pressuring Apple to build backdoors into devices — if the Pensacola shooter had used a decent alphanumeric passphrase it’s very unlikely they’d have been able to get into his iPhone.

On the other hand, law enforcement benefits greatly from the fact that the default iOS passcode remains only 6 numeric digits.

Apple vs. Security Researchers

Lorenzo Franceschi-Bicchierai:

The lawsuit, however, has already produced a tangible outcome: very few people, especially current and former customers and users, want to talk about Corellium, which sells the eponymous software that virtualizes iPhones and Android devices. During the lawsuit’s proceedings, Apple has sought information from companies that have used the tool, which emulates iOS on a computer, allowing researchers to probe potential iPhone vulnerabilities in a forgiving and easy-to-use environment.

“Apple has created a chilling effect,” a security researcher familiar with Corellium’s product, who asked to remain anonymous because he wasn’t allowed to talk to the press, told Motherboard.

“I don’t know if they intended it but when they name individuals at companies that have spoken in favor [of Corellium], I definitely believe retribution is possible,” the researcher added, referring to Apple’s subpoena to the Spanish finance giant Santander Bank, which named an employee who had tweeted about Corellium.

Peter Steinberger:

So we’re back at security through obscurity? That always worked out great in history.

Joe Rossignol:

Zerodium this week announced that it will not be purchasing any iOS exploits for the next two to three months due to a high number of submissions. In other words, the company has so many security vulnerabilities at its disposal that it does not need any more.

Thomas Claburn (Hacker News):

“iOS Security is fucked,” said Zerodium’s founder Chaouki Bekrar via Twitter. “Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero…but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better.”


The market for iOS vulnerabilities took a hit last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS.


Asked whether Zerodium’s statement reflects the actual state of iOS security or should be taken as a company just trying to make waves, Patrick Wardle, principal security researcher at Jamf Security and founder of Objective-See, told The Register that it’s probably a bit of both.

Peter Steinberger:

Almost seems like Apple suing the #1 company allowing security research on iOS (Corellium) and not paying out bounties could have a chilling effect on white hats while black hats thrive.


Monday, May 18, 2020

Magic Lasso Adblock (Sponsor)

My thanks to Magic Lasso for sponsoring the blog this week.

Magic Lasso Adblock is an efficient and high-performance ad blocker for the iPhone, iPad, and Mac.

It allows you to experience a cleaner, faster web—without ads. As a native Safari content blocking extension, Magic Lasso blocks intrusive ads, pop ups, and trackers when browsing the web.

Magic Lasso Adblock

Magic Lasso Adblock provides a 2.0x speed increase on common websites, improves your privacy and security by removing ad trackers, and works with Safari across all Apple devices. It’s as if Apple themselves had designed an ad blocker.

And unlike some other ad blockers, Magic Lasso Adblock respects your privacy, doesn’t accept payment from advertisers, and is 100% supported by its community of over 150,000 users.

Download for free today via the Magic Lasso website, the App Store, and the Mac App Store.

Security Theatre in Safari Download Permissions

Nick Heer:

Twitter’s URL shortener works by creating 301 redirects, but Safari apparently doesn’t follow those to their destination URL. In some cases, that probably makes sense — large file downloads are often hosted on CDNs with inscrutable addresses. It does, however, mean that however this is supposed to benefit security or privacy is easily defeated if downloads are redirected through common URL shorteners.

Edison Mail Bug Allows Access to Other Users’ Data

Eric Slivka:

Several users of popular email app Edison Mail this morning are reporting that they are able to see email accounts of other users within the iOS app. In what appears to be a major privacy breach, users report that after enabling a new sync feature, they have full access to these other email accounts.

Via Cabel Sasser:

All I wanted was a modern email client that downloaded directly from the server — like they have forever — with no risky middleman. The Edison privacy policy said “we store as little of your email on our servers as possible”.


What an interesting butterfly effect

Apple wants to preserve your battery life > email clients can’t check in the background > email clients set up servers to store credentials and check email to push notify you of new email > everyone’s email now exposed to huge security vector

Apple should lift this restriction on checking in the background. This would bring a better user experience and better privacy. Its own Mail app is allowed to do that, with apparently acceptable effects on battery life and RAM use. For many users, iOS devices already offer plenty of battery life, and some are operated while plugged in.

Edison (via John Gruber):

No account credentials were compromised; issue was fully resolved within 30 hours of first report by ‘bricking’ access to potentially impacted Edison iOS app users and any email messages from the app.

Kudos to them for a quick fix and for revealing the exact number of affected accounts.


Facebook to Buy Giphy

Axios (via Hacker News):

Facebook has agreed to buy Giphy, the popular platform of sharable animated images, Axios has learned from multiple sources. The total deal value is around $400 million.


Giphy is a massive video library, with hundreds of millions of daily users that share billions of GIFs, that generates revenue via branded content.

Vishal Shah:

GIPHY, a leader in visual expression and creation, is joining the Facebook company today as part of the Instagram team.


50% of GIPHY’s traffic comes from the Facebook family of apps, half of that from Instagram alone. By bringing Instagram and GIPHY together, we can make it easier for people to find the perfect GIFs and stickers in Stories and Direct.

John Gruber:

Of course Giphy is going to retain its own brand. If they renamed it to “Facebook Tracking Pixels”, usage might drop off.

Owen Williams (via Will Oremus):

GIF search engines like Giphy have become a core part of how we collectively discover and share animated images. Giphy’s tools can be found embedded in apps from Slack to Signal, allowing users to instantly find the right GIF to reflect the moment. All told, Giphy has some 300 million active users every day across those platforms.


What might not be obvious, however, is that each search and GIF you send with Giphy is also a “beacon” that allows the company to track how and where the image is being shared, as well as the sentiment the image expresses. Giphy wraps each of its animated GIFs in a special format that helps the image load faster, and also embeds a tiny piece of Javascript that lets the company know where the image is being loaded, as well as a tracking identifier that helps follow your browsing across the web.

When embedded into third-party apps, Giphy can track each keystroke that’s searched using Giphy tools. Developers who install Giphy tools into their apps are required to give the service access to the device’s tracking ID.

Moxie Marlinspike:

Now that Giphy has been acquired by FB, many have reached out to ask whether we should be concerned about Giphy search in Signal.

Signal already uses a privacy preserving approach to prevent gif search providers from receiving user data[…]

John Gruber:

I believe this is basically how Apple’s Giphy search in Messages on iOS (through the built-in “#images” app) works.

Slack VP Brian Elliott (quoted by John Gruber):

Giphy doesn’t receive any information about users or even companies using the Giphy for Slack integration, and only sees Slack usage of the Giphy API in aggregate.

See also: Nick Heer.

Update (2020-05-19): Matt Haughey:

I was surprised since I participated in their early investing experiment, through Alphaworks, but never got any emails about this. In July of 2014, I invested the minimum, $2,500 in GiPHY. I want to show you investments rarely pan out in this thread[…]

Update (2020-05-22): Josh Constine (tweet):

GIPHY could let it learn about what apps are growing quickly (increased GIPHY searches), what types of content or influencers it might want to add to Watch or its Live streaming deals (what’s searched for), what visual media is most appealing (which GIFs get picked), and possibly tie this interest data to users’ identity (since developers have to send device Tracking IDs to GIPHY).


But then I got a very different perspective from an animation startup founder and GIF maker who’s been waging a campaign against the startup for years, accusing GIPHY of piracy.


For years, multiple sources say GIPHY would scrape Tumblr GIFs, rename the files as giphy.gif, and make them available with no attribution. Later it encouraged artists to claim profiles of their GIFs. But it’s still tough for an end user to find out who made the GIF they just tweeted.

What’s New in Swift 5.3

Tibor Bödecs:

SE-0279 [multiple trailing closures] is one of the most debated new proposals.


Enum types don’t have to explicitly implement the Comparable protocol thanks to SE-0266.


SE-0269 aka. Increase availability of implicit self in @escaping closures when reference cycles are unlikely to occur is a nice addition for those who don’t like to write self. 🧐


SE-0270 adds a RangeSet type for representing multiple, noncontiguous ranges, as well as a variety of collection operations for creating and working with range sets.


SE-0263 adds a new String initializer that allows you to work with an uninitialized buffer.

See also: Paul Hudson.

Ted Kremenek:

The new APIs in SE-0270 (RangeSet) are going to bake a bit longer and likely won’t be part of Swift 5.3. They are still in the Standard Library preview package.

Thursday, May 14, 2020

WWDC 2020 Wishlists

Becky Hansmeyer (tweet):

Most of my issues with SwiftUI boil down to 1) Missing UI elements and 2) Missing customizations.


I would really like to see an easier way to support the native Apple Pencil mark-up tools in PDFKit.


A system-wide color picker in iOS. It’s bananas that I can’t select some text in Apple Notes on my iPad and change its color.


De. Fault. Apps. Let me change them.


A revamped iPad multitasking system (yep, just do it again until it’s right) that isn’t a big ol’ hot mess.

Jordan Merrick:

Shortcuts desperately needs a way to copy and paste actions across shortcuts—it’s almost criminal that it doesn’t have it already. There’s simply no way to reuse a set of actions from one shortcut in another or even just duplicate actions within the composer.


There’s no way to easily back up shortcuts, which feels like a regression and something that was possible with Workflow (i.e., saving workflows as files). iCloud syncing helps keep devices in sync but it’s not a backup tool.


Subroutines could be mini-shortcuts that don’t exist within the standard set of shortcuts, instead they could be accessed like actions. Sharing a shortcut should also include a full copy of the subroutine.


Update (2020-05-18): David Smith:

So now I am turning my attention towards the future and what might be possible for the Apple Watch.

John Gruber:

Fiddling with the home screen on iOS is just awful. Whenever I sit down and try to clean it up — deleting apps I don’t use, moving apps into some semblance of order — it drives me insane. The 1984 Finder was awesome for rearranging icons, right on day one. Yet we’re 13 years into iOS and rearranging apps is still terrible, because the whole thing is based on a home screen design where there’s just one screen and no third-party apps. The concept worked fine when all you could do was rearrange 12 built-in apps on a single screen. It feels like a prank trying to use it today.

Update (2020-05-22): Becky Hansmeyer:

The first is by Steve O’Dell, who helps run a Girls Who Code after-school program at Bacon Elementary School in Colorado. His wishlist stems from a desire for Apple to once again become a major player in the education space.


The next wishlist I wanted to share comes from Daniel Andrews. It’s a great list; some of my favorite things are feature parity for Messages across platforms, the return of the magnification loupe, making better use of the iPad status bar, and improvements to search on iPad. He also mentions some specific improvements to Mail[…]

Stuart Breckenridge:

This WWDC wishlist is focused around the frameworks and functionality that I’ve been working with over the last year or so.


I’d like to see BGAppRefreshTask improved with some form of guaranteed refresh schedule, e.g. three times a day. I spent a not inconsiderable amount of time trying to work around the refresh schedules for NetNewsWire—including using Location Services—to no avail.


SwiftUI has rough edges and outright missing features.


Make SF Symbols available for Mac app development


Using CloudKit shouldn’t make it impossible to transfer an app


Security Flaws in Adobe Acrobat Reader

Yuebin Sun (tweet, MacRumors):

Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities […] I reported. The only requirement needed to trigger the vulnerabilities is that Adobe Acrobat Reader DC has been installed. A normal user on macOS (with SIP enabled) can locally exploit this vulnerability chain to elevate privileges to root without the user being aware.


SMJobBlessHelper is based on NSXPC; its client check lives in [SMJobBlessHelper listener:shouldAcceptNewConnection:]. The checking logic, as the pseudo-code below shows, gets the client’s PID and then obtains the bundle ID from the client’s process path; the client is trusted if its bundle ID is “com.adobe.ARMDC”.


Yes, the symlink is still valid; it can help us bypass the temp directory protection. I can force /var/folders/zz/xxxxx/T/download/ARMDCHammer to link to anywhere.


So if we can replace “/tmp/test/hello_root” with our malicious file after validateBinary, launchARMHammer will launch our malicious process.

You may think the race condition window is too narrow to control; I will show the tricks later.

I don’t like it when third-party code uses the name of a system class or function as a prefix.
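The two defects the write-up describes, a symlink accepted where a directory was expected and a binary swapped between validation and launch, share a root cause: the check and the use are bound to a path rather than to the file itself. The following is an added Python example (not Adobe’s code and not the researcher’s) of the handle-bound pattern a privileged helper can use instead: open with `O_NOFOLLOW` so a symlink at the path is refused, validate the bytes through the descriptor, and hand that same descriptor to the consumer (`os.fexecve` on macOS and Linux) rather than reopening by path. The demo replaces the file behind the path after validation and shows that the descriptor still refers to the validated content while a fresh path lookup does not. It does not address the PID-based XPC client check, which is a separate weakness.

```python
"""Handle-bound validate-then-use (added example; not from the write-up above).

A privileged helper that validates a binary by path and then launches it by path
leaves a window in which the path can be repointed. Binding both steps to one file
descriptor closes that window, and O_NOFOLLOW refuses a symlink at the path.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict


def sha256_of_fd(fd: int) -> str:
    """Hash the file an open descriptor refers to, leaving the offset at 0."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 1 << 16)
        if not chunk:
            break
        h.update(chunk)
    os.lseek(fd, 0, os.SEEK_SET)
    return h.hexdigest()


def open_validated(path: str, expected_sha256: str) -> int:
    """Open `path` (refusing a symlink), check that it is a regular file with the
    expected content, and return the descriptor. Consumers must act on the
    descriptor (e.g. os.fexecve on POSIX), never on the path, or the check is moot."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:  # ELOOP here means O_NOFOLLOW refused a symlink
        raise PermissionError(f"refusing {path!r}: {exc.strerror}") from exc
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path!r} is not a regular file")
        if sha256_of_fd(fd) != expected_sha256:
            raise PermissionError(f"{path!r} does not match the expected hash")
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo() -> Dict[str, bool]:
    """Constructed scenario in a temp dir: validate a script, then replace the file
    behind its path and compare what the descriptor and the path now yield."""
    trusted = b"#!/bin/sh\necho trusted\n"     # constructed sample content
    replaced = b"#!/bin/sh\necho replaced\n"   # constructed sample content
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "helper.sh")
        with open(target, "wb") as f:
            f.write(trusted)
        fd = open_validated(target, hashlib.sha256(trusted).hexdigest())

        # The file behind the path changes after validation (the window described above).
        staging = os.path.join(d, "staging.sh")
        with open(staging, "wb") as f:
            f.write(replaced)
        os.replace(staging, target)

        seen_by_fd = sha256_of_fd(fd)            # still the validated bytes
        with open(target, "rb") as f:            # a path lookup sees the new file
            seen_by_path = hashlib.sha256(f.read()).hexdigest()
        os.close(fd)

        # A symlink placed at the path is refused before any validation runs.
        link = os.path.join(d, "link.sh")
        os.symlink(target, link)
        try:
            os.close(open_validated(link, seen_by_path))
            symlink_refused = False
        except PermissionError:
            symlink_refused = True

    return {
        "fd_still_validated": seen_by_fd == hashlib.sha256(trusted).hexdigest(),
        "path_now_different": seen_by_path == hashlib.sha256(replaced).hexdigest(),
        "symlink_refused": symlink_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the descriptor pins the inode: whatever happens to the directory entry afterwards, the bytes the helper validated are the bytes it will execute, provided it executes through that descriptor.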


Dell UltraSharp 49 Review

Ben Lovejoy:

Thin bezels, single-cable connection, and the ultra-wide format I fell in love with a couple of years ago.


If you’re used to an Apple Thunderbolt Display 27, or any other 2560×1440 monitor, you’re going to be perfectly happy with the quality. However, if you’re used to either working directly on the MacBook Pro display or any doubled-pixel one, like the LG UltraFine 5K, then text will definitely seem less sharp.


When viewing photos or video, however, the quality is stunning. As I said last time, it’s not a pro monitor – and doesn’t have a pro monitor price tag – but I think even enthusiastic photographers will be more than happy with this. Photo editing on this size monitor is going to be a dream.


The Dell UltraSharp 49 does offer an alternative setup: you can split the monitor in half and create two virtual 27-inch monitors, each 2560×1440.

That makes a lot of sense because then you could put the menus in the middle, easily snap windows to the middle “edge,” and zoom to half the screen. In most cases, I don’t even want full-width windows on a 27-inch display.


Magic Keyboard for iPad Teardown

Juli Clover:

iFixit last week shared x-rays of the new Magic Keyboard for iPad Pro, giving us a little look at what’s inside Apple’s newest keyboard design, and today, iFixit is back with a mini trackpad teardown.

Kevin Purdy:

There is so much going on here, you might never guess that this is technically an accessory to the actual iPad Pro (until you notice the $330 price tag).


What looks like multiple buttons in the X-ray is actually just one button and a simple, elegant lever system. The single button is at the center of the trackpad, where the mechanism is rigid. When you apply pressure near the center, whether top, middle, or bottom-center, you are directly pressing the button. Press near the top, bottom, or one of the corners, however, and the lever system comes into play, forcing the contact plate in the center upward to make a click happen. You can see it happen in this animation below. Note how the lever mechanism covers not only the diagonal corner areas, but the perimeter of the trackpad, too.


Valve Drops Mac Support for SteamVR

Valve (via Rene Ritchie, MacRumors, tweet, Hacker News):

SteamVR has ended macOS support so our team can focus on Windows and Linux.

Mark Hughes:

Now, that’s just their VR headset, which is an extremely low-volume, 1% of the market gadget; VR’s kind of awful in practice, but it keeps being “useful next year” for the last 40 years, and someday it’ll be right. Steam as it is, >50% of the games I look at have a Mac version; it’s not dead yet, but it definitely smells bad.

I blame Apple and their terrible support for gaming, in fact overtly hostile attitude.


The suggestion to use Windows Boot Camp is just a giant middle finger, but what else are you gonna do?

Quinn Nelson:

I don’t know what else Valve was supposed to do? They ported Steam, they supported SteamVR, and they ported their entire software catalog to Mac. This whole thing just makes me laugh cause Gabe Newell said this about Apple in 2007 and it seems much hasn’t changed.

Oskar Groth:

I called this last year… Which is when Valve effectively ended further development of the Mac port. From my perspective, cooperation with Apple seemed great. It was Valve execs’ decision to axe the project to focus on PC.

Was that decision a result of poor Mac GPU performance? Sure, the Nvidia-Apple fallout contributed negatively. But it’s not like Valve didn’t know from the beginning that Mac VR was going to be an eGPU venture for the foreseeable future.

John Gruber:

I don’t blame Steam one bit. If anything, it’s surprising Steam “supported” the Mac for VR up until now. No Macs ship with a video card that supports VR gaming, and MacOS doesn’t support the Vulkan or OpenXR APIs that popular VR games are built on. It doesn’t help (to put it mildly) that Nvidia and Apple remain at odds. Apple is doing its own thing with Metal and ARKit — which are both excellent, but not part of the VR gaming world.