Thursday, December 2, 2021

Apple Wants Fee for Alternate Billing Systems

Benjamin Mayo (motion):

Although the appeal of the Apple-Epic lawsuit is ongoing, Apple is currently subject to the judge’s decision and will have to allow app developers to show links to external payment platforms inside from December 9, unless the Ninth Circuit grants a stay.

In a related legal filing, Apple indicates that it is considering charging a commission on any such transactions that are initiated from within an app, even though they are not using In-App Purchase.

[…]

The filing is presented to the court in a last-ditch attempt to delay the December 9 implementation date. As such, Apple also stresses the “substantial engineering” that it says is necessary to allow linking to other payment systems. This includes policies and APIs to enable features like Parental Controls and purchase restoration to keep working, in a world where customers can buy things using platforms other than Apple IAP.

Are they building a way to track external purchases so they can get their fee?

Florian Mueller:

Apple merely needs to convince the appeals court of there being pretty good grounds on which the UCL injunction may be overturned. As I explained before, it would be an unprecedented kind of anti-anti-steering injunction under U.S. law. Apple has other arguments that the district court wasn’t receptive to but which are likely to bear weight with the appeals court, such as that Epic’s defeat under the Sherman Act is also dispositive of its UCL claims. Even if one doesn’t agree with Apple on this 100% (I, for one, am convinced that California UCL does give courts more wiggle room than federal antitrust law), the fact that Apple’s business model was (regrettably, if you ask me) cleared under federal antitrust law at least makes it a pretty good possibility that the UCL injunction won’t be affirmed.

There’s also the notable absence of a market definition from the UCL part of the district court’s judgment and question, and Apple continues to dispute Epic’s standing, pointing to a decision by the Second Circuit that found merchants who don’t accept Amex cards lack standing to challenge Amex’s anti-steering provision. Epic is not on the App Store anymore; some of its subsidiaries are, but Epic elected not to make them parties to the case, as Apple accurately notes (and which may be one of those decisions that Epic regrets in retrospect--they made some brave and smart decisions, but also some that weren’t great).

[…]

But Apple is now the proverbial pot calling the kettle black. Two months ago I criticized Apple for utilizing ACT | The App Association, which is more accurately described as ACT | The Apple Association. ACT issues statements on App Store issues all the time, and I guess we’ll see amicus briefs from them in this case, too. While CAF did a poor job on that amicus brief (failing to disclose even that Epic is a member is an unforgivable mistake and diminishes its credibility), there can be no doubt that not only all of its members but also all of its financial backers are genuine app developers (like Epic and Spotify). That is more than ACT can say: ACT simply renamed itself “The App Association” at some point, but there is no indication that many of its current members actually make apps, as I’m not aware of ACT only accepting sign-ups from actual app makers (apparently there’s no vetting, and I know of a U.S. professor who held a position with the Clinton White House and at some point signed up for free just to verify the hypothesis of ACT not applying any criteria to who joins, or charging a cent) or that they kicked out members who don’t make apps when ACT repositioned itself as an app developer organization.

Twitter’s New Photo-Removing, Anti-Doxxing Privacy Policy

Twitter (via Dave Mark, Hacker News):

As part of our ongoing efforts to build tools with privacy and security at the core, we’re updating our existing private information policy and expanding its scope to include “private media.” Under our existing policy, publishing other people’s private information, such as phone numbers, addresses, and IDs, is already not allowed on Twitter. This includes threatening to expose private information or incentivizing others to do so.

[…]

When we are notified by individuals depicted, or by an authorized representative, that they did not consent to having their private image or video shared, we will remove it. This policy is not applicable to media featuring public figures or individuals when media and accompanying Tweet text are shared in the public interest or add value to public discourse.

Inside Apple’s Chat Support

Zoe Schiffer:

While Apple’s corporate offices take a proactive, deliberate approach to product development, Apple’s customer support function operates in a reactive mania, using a vast array of processes and metrics to keep employees on task. If workers go to the bathroom or are away from their computers for more than five minutes, they’ll sometimes get a note from their manager asking why they aren’t working. They’re monitored based on their customer satisfaction score, as well as after call work time, which dictates how much time after a call or chat they spend writing up notes, and average handle time (AHT), which indicates how long it takes them to solve a customer issue. A good AHT is around 15 minutes for phone calls and about two minutes for chats.

“It starts to get into a game of fixing the numbers more than helping the customers. They look at the numbers and assume that is helping the customer,” a former employee says.

Employees who really want to help customers say they often have to sacrifice their personal metrics. “If I have an elderly person on the phone, am I going to be a little slower with them to the detriment of my personal metrics?” a current employee asks. “Yes, I can’t treat every person the same because they’re not all the same.”

On chats, the ability to resolve issues can be even more difficult, as employees are expected to speak to three people simultaneously during busy parts of the year. “It’s impossible to do a good job multitasking with that many scenarios,” a current employee explains. “Especially because we have to respond in two minutes — from an Apple ID issue to an iCloud issue to an iOS [or] Mac install.” […] “We equated it to being able to do your job with one hand tied behind your back.”

Luau Programming Language

Roblox (via Hacker News):

Luau (lowercase u, /ˈlu.aʊ/) is a fast, small, safe, gradually typed embeddable scripting language derived from Lua.

It is designed to be backwards compatible with Lua 5.1, as well as incorporating some features from future Lua releases, but also expands the feature set (most notably with type annotations). Luau is largely implemented from scratch, with the language runtime being a very heavily modified version of Lua 5.1 runtime, with completely rewritten interpreter and other performance innovations. The runtime mostly preserves Lua 5.1 API, so existing bindings should be more or less compatible with a few caveats.

Luau is used by Roblox game developers to write game code, as well as by Roblox engineers to implement large parts of the user-facing application code as well as portions of the editor (Roblox Studio) as plugins. Roblox chose to open-source Luau to foster collaboration within the Roblox community as well as to allow other companies and communities to benefit from the ongoing language and runtime innovation.

William Cook, RIP

Hamish Sanderson:

Dr William Cook, who along with Warren Harris designed and developed AppleScript for Apple back in the early 90s, has sadly passed away at age 57.

Shriram Krishnamurthi:

Much of 1990s OOP was defined by his seminal papers. When he returned after a decade in industry (AppleScript!) I invited him to @BrownCSDept (where he got his PhD from Peter Wegner) and we became friends. Tragic.

Wednesday, December 1, 2021

Firefox’s Optimized Zip Format

Taras Glek:

Unfortunately, reading files starting from the end precludes readahead. It is also suboptimal to read files from a zip in random order.

The following creative interpretation of Zip spec results in optimized zip files[…]

[…]

Thus we have a sequential-read-friendly zip file that can still be read by zip tools that follow the spec.

[…]

At the time, the optimized jar change broke antivirus scanners, which further sped up Firefox startup :)
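As an added example (not code from Taras Glek's post or from Firefox), the following checks whether a zip's local file records sit in the order a reader will open them and rewrites the archive so they follow a given access order; the central directory still goes at the end, so any spec-following zip tool reads the result. The `access_order` list and the sample file names are assumptions for illustration.

```python
# Added example, not from the original post or from Firefox's build tooling.
# Reorders local file records to match an assumed access order so a reader
# that opens entries in that order never seeks backwards.
import io
import zipfile


def build_sample_zip(files):
    """Build an in-memory zip from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files:
            zf.writestr(name, data)
    return buf.getvalue()


def entry_order(data):
    """Entry names sorted by where each local header sits in the file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted(zf.infolist(), key=lambda info: info.header_offset)
    return [info.filename for info in infos]


def read_entries(data):
    """Return {name: contents} via the normal central-directory-first path."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def sequential_read_cost(data, access_order):
    """Count the backward seeks a reader incurs opening entries in access_order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        offsets = {i.filename: i.header_offset for i in zf.infolist()}
    backward, last = 0, -1
    for name in access_order:
        offset = offsets[name]
        if offset < last:
            backward += 1
        last = offset
    return backward


def reorder_zip(data, access_order):
    """Rewrite so local records follow access_order; the rest keep their order."""
    with zipfile.ZipFile(io.BytesIO(data)) as src:
        names = [n for n in access_order if n in src.namelist()]
        names += [n for n in src.namelist() if n not in names]
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for name in names:
                old = src.getinfo(name)
                # Fresh ZipInfo so the writer assigns a new header_offset.
                new = zipfile.ZipInfo(name, date_time=old.date_time)
                new.compress_type = old.compress_type
                new.external_attr = old.external_attr
                dst.writestr(new, src.read(name))
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample: the manifest is read first, the stylesheet last.
    sample = build_sample_zip([("chrome.manifest", b"manifest " * 50),
                               ("a.js", b"alpha " * 200),
                               ("b.css", b"beta " * 200)])
    wanted = ["b.css", "chrome.manifest"]
    print("before:", entry_order(sample), sequential_read_cost(sample, wanted))
    fixed = reorder_zip(sample, wanted)
    print("after: ", entry_order(fixed), sequential_read_cost(fixed, wanted))
```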

Thunderbolt 4 Docks

Rob Mayoff:

In case you’re looking for a Thunderbolt 4 dock for your new MacBook Pro, here’s the list I made when I was shopping for one. I bought the Kensington. It’s fine but the OWC is what I’d buy now (it’s $50 less for the same ports but wasn’t out then).

Batch Converting Shortcuts to Scripts and Applets

John Voorhees:

To streamline the process, I turned, of course, to Shortcuts itself. In total, I’ve created four shortcuts to help me deploy my favorite shortcuts across macOS:

  • Script Builder: Generates .scpt files that can be incorporated in other apps from multiple shortcuts using AppleScript
  • Dock Applet Builder: Creates Dock applets from shortcuts that can be launched from the Finder, app launchers, and more
  • Script Applet Builder: Converts shortcuts into AppleScript applets with custom icons that behave like Dock applets but don’t get automatically deposited in your Dock
  • PopClip Builder: Produces and streamlines installation of multiple PopClip extensions with custom icons that run shortcuts

It’s probably better to use .applescript for the file extension, since .scpt is for compiled scripts.

Tuesday, November 30, 2021

Little Annoyances in macOS 12.0.1

Howard Oakley:

These appear to be part of long-standing problems with Apple’s wireless trackpads and keyboards, which can also occasionally result in the doubling of letters and other glitches. Although these have improved to the level of occasional irritants, I can’t understand how Apple’s own devices can’t be used without these bugs getting in the way.

[…]

Sadly the answer is that they’re still non-functional. Open the Desktop & Screen Saver pane, select the Screen Saver tab, and then preview the Classic, for example. All I can see is a black screen with the time displayed.

[…]

One of the oldest prominent bugs in macOS, which dates back at least eight years to OS X 10.9 if not before, is a flaw in the Finder calculating the width of columns, which I’ve named the Finder column width bug.

The biggest issues for me are:

If we’re talking annoyances, rather than bugs per se, the top of my list would have to be the narrow alerts.

Safari Background Tabs Reactivate

Jeff Johnson (tweet):

The madness in this case is Safari background tabs spontaneously coming to the front again, an obviously undesirable behavior. The initial report was for an obscure (to me) web site in New Zealand, but then I asked around, and someone said it also happened on ESPN, which is not so obscure (to me).

[…]

If window.open is called in a Safari background tab with an iframe browsing context, the tab comes to the front.

I’ve definitely seen this one.

Requesting Your Personal Data From Amazon

Nick Heer:

Amazon does not promise to turn around its files nearly as quickly. It says that it can take up to thirty days to create the exported data. When it does become available, you are presented with a list of individual downloads labelled and categorized by function — in mine, there were 57.

And there is no “download all” button.

Oh, and all of the download buttons are not actually direct links to each file, but instead link to an HTML page that fetches the correct download, which means you cannot save the files to a specific folder on your computer.

Are Mac Malware Defenses Changing Again?

Howard Oakley:

Although updates to XProtect’s data files and to MRT always have been irregular, a year ago they occurred quite frequently, with XProtect updates every 7-21 days, and MRT every month or so. As of today, the last XProtect update was pushed on 24 September (version 2151), and there has only been one very minor update to MRT (1.85) since 13 September – a period of over two months.

[…]

Whatever is happening, this can only worry those using earlier versions of macOS. For all their limitations, XProtect and MRT have still been providing Macs with valuable malware detection and removal. If malware defences in Monterey are moving away from those tools, and Apple has cut back their maintenance, that leaves Big Sur and earlier worryingly exposed.

Monday, November 29, 2021

Snowflake Weather 1.3 for iOS

Bjango:

Snowflake is an incredibly detailed weather app, covering almost everything you could possibly want to know about current conditions and forecasts.

I’m not sure why I haven’t heard much about this app, but I was glad to discover it recently. As expected from the developer of iStat Menus, the interface is thoughtfully designed and very customizable. It’s vaguely Weather Line–inspired. Like Weather Strip, it shows both the daily and extended hourly forecast on the same screen. But it also mixes in textual descriptions and lets you easily see the total precipitation for each day. And it’s easy to switch locations by long-pressing on the home icon. $4.99 for the basic version ($0.99 Black Friday deal), plus $4.99/year to get more weather providers, longer forecasts, maps, etc.

Mac Upgrade Program

Sami Fathi:

In association with CIT as the financing partner, Apple has launched a new Mac Upgrade Program for small businesses and Apple business partners that allows companies to easily distribute and upgrade their fleets of MacBooks at an affordable price to all of their workers.

[…]

The new 14-inch and 16-inch MacBook Pros are offered at $60 and $75 per month, respectively, while the 13-inch MacBook Pro and MacBook Air are offered at $30 and $39 monthly payments.

It seemed inevitable that Apple would offer Macs as a subscription service. Unlike the iPhone Upgrade Program, this is so far only for businesses.

Chance Miller:

As mentioned earlier, business customers can return or swap their Macs after three months. If you’re in a situation where you routinely upgrade your Mac every new release, this model might make a lot of sense from an accounting perspective. Depending on how you depreciate your laptops, simple financing options might help you write it off each month while getting a new upgrade whenever Apple releases new models. If you’d been using a 13″ MacBook Air with M1 for the last year, you’d have an easy path to upgrade to a 14″ or 16″ model without dealing with trade-ins or selling online.

CIT’s fine print says that the financing is 3% of the total cost, so as you add upgrades to your Mac, the monthly cost would change slightly.

Including the financing, you “pay” for a $999 MacBook Air in just under 3 years. Without the upgrade program, after 3 years you would still have the original MacBook but could trade it in to get a new one or keep using it without making additional payments. With the upgrade program, you may have gotten multiple “free” upgrades in that time, but it’s not clear to me whether you can keep or resell the computer if you stop paying the monthly fee.

Tech Giants

Ben Lovejoy:

The breaking up of a bunch of old-school industrial conglomerates is leading some to question the very long-term prospects of the “new conglomerates” – tech giants like Apple, Amazon, Facebook, and Google.

But a piece in the WSJ argues that they have two advantages over companies like General Electric, which could see them last even longer …

[…]

The dismantling of General Electric, Toshiba, Johnson & Johnson, Siemens, DowDuPont, United Technologies and other sprawling business empires in recent years has been heralded as the end of the conglomerate and the demise of the idea that brilliant management teams can succeed operating in very different industries. But just as those giants of traditional industry are being dismembered, today’s tech giants have arisen as latter-day conglomerates—what some even call “neo-conglomerates.” They boast valuations bigger than any other companies in history, and have diversified their businesses through acquisitions and new starts just like conglomerates of old[…]

Who can say when technology changes so quickly, but the new giants arguably have more lock-in and are quasi monopolies/duopolies.

Romeen Sheth:

Check out the difference between the world’s largest companies in 2005 and 2021.

Mac/iOS Safari Extension: Vinegar

Zhenyi Tan (via John Gruber):

YouTube5 was a Safari extension back when Flash was still a thing and hated by everyone. It replaced the YouTube player (written in Flash) with an HTML <video> tag.

And now the YouTube player situation has gotten bad enough that we need another extension to fix it. That’s where Vinegar comes in. Vinegar also replaces the YouTube player (written in who-knows-what) with a minimal HTML <video> tag.

$1.99 for a universal purchase.

Friday, November 26, 2021

Xcode’s Environmental Pollution

Daniel Jalkut (tweet):

After a lot of trial and error, I came across the strangest observation: if I invoke “xcodebuild” from within my Python-based build script, the warning is emitted. If I invoke it directly from the Terminal, it isn’t. In fact, if I simplify my build script to simply invoking “xcodebuild”, the warning happens. Stranger still? If I change the script from “python3” to just “python”, the warning goes away again.

[…]

Sure enough, the environment variables differed when I ran the script with “python” vs. “python3”.

[…]

That “CPATH” entry for example only exists when invoking the script with python3, and it’s this very environment variable that is creating the unexpected Xcode warnings!

I was perplexed about how or why the version of Python could impact these environment variables, but then I remembered that python3 is bundled in Xcode itself, and the version at /usr/bin/python3 is a special kind of shim binary that directs Apple to locate and run the Xcode-bundled version of the tool. Apparently, a side-effect of this mechanism causes the problematic environment variable to be set!
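As an added example (not code from Daniel Jalkut's post or his build script), the following captures the environment a child interpreter actually sees, diffs two such captures, and spawns `xcodebuild` with a copy of the environment that drops the injected variable. `INJECTED_VARS`, `xcodebuild_command` and `THIS_PYTHON` are names I introduce here; CPATH is the variable named in the post.

```python
# Added example, not from the original post. Diagnoses environment differences
# between two interpreters and runs xcodebuild with a scrubbed environment.
import json
import os
import subprocess
import sys

THIS_PYTHON = sys.executable  # the interpreter running this file (for the self-check)

# Hypothetical list of variables to strip before spawning xcodebuild;
# CPATH is the one the post identifies as the source of the warnings.
INJECTED_VARS = ("CPATH",)


def capture_env(interpreter):
    """Run `interpreter` and return the environment it saw as a dict."""
    code = "import json, os, sys; sys.stdout.write(json.dumps(dict(os.environ)))"
    result = subprocess.run([interpreter, "-c", code], check=True,
                            capture_output=True, text=True)
    return json.loads(result.stdout)


def env_diff(env_a, env_b):
    """Return (only_in_a, only_in_b, changed) as sorted lists of variable names."""
    keys_a, keys_b = set(env_a), set(env_b)
    only_a = sorted(keys_a - keys_b)
    only_b = sorted(keys_b - keys_a)
    changed = sorted(k for k in keys_a & keys_b if env_a[k] != env_b[k])
    return only_a, only_b, changed


def scrubbed_env(base_env, drop=INJECTED_VARS):
    """Copy of base_env with the injected variables removed."""
    return {k: v for k, v in base_env.items() if k not in drop}


def xcodebuild_command(args, env=None):
    """argv and environment for running xcodebuild without the injected variables."""
    env = scrubbed_env(os.environ if env is None else env)
    return ["xcodebuild", *args], env


def run_xcodebuild(args):
    """Run xcodebuild with the scrubbed environment and return its exit status."""
    argv, env = xcodebuild_command(args)
    return subprocess.run(argv, env=env, check=False).returncode


if __name__ == "__main__":
    # Compare two interpreters, e.g. `python3 this.py python python3`.
    first, second = (sys.argv[1:3] + ["python", "python3"])[:2]
    only_first, only_second, changed = env_diff(capture_env(first), capture_env(second))
    print("only in", first, ":", only_first)
    print("only in", second, ":", only_second)
    print("differ:", changed)
```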

New Rowhammer Techniques

Catalin Cimpanu (via Hacker News):

Google says Rowhammer attacks are gaining range as RAM is getting smaller

A team of Google security researchers said they discovered a new way to perform Rowhammer attacks against computer memory (RAM) cards that broaden the attack’s initial impact.

[…]

Initial Rowhammer attacks targeted RAM DDR3 memory cards, but academics kept researching the topic. In the following years, they also discovered that Rowhammer attacks could also impact RAM DDR4, that attacks could be executed via JavaScript code loaded on a web page, or even via network packets sent directly to a computer’s networking card.

Furthermore, researchers also found that Rowhammer attacks could also be used to exfiltrate data from the RAM (not only alter it) and that attacks could also be accelerated by using locally installed GPU or FPGA cards.

[…]

In a new attack variation named Half-Double, researchers said they managed to carry out a Rowhammer attack that caused bit flips at a distance of two rows from the “hammered” row instead of just one.

Computer Security Group (via Bruce Schneier):

We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort.

[…]

As the search space of non-uniform patterns is huge, we conducted a series of further experiments to determine the structure of patterns that effectively bypass TRR. Our experiments showed that the order, regularity, and intensity of accessing aggressor rows in non-uniform patterns are essential. We noticed that our observations nicely match with common parameters of the frequency domain, namely frequency, phase, and amplitude. We used these parameters to design frequency-based Rowhammer patterns that can effectively explore the space of non-uniform patterns. We implemented these patterns in a black-box fuzzer named Blacksmith that determines suitable parameter values crafting effective patterns targeting a specific device.

Metal-cpp

Apple (via Hacker News):

Metal-cpp is a low-overhead C++ interface for Metal that helps developers add Metal functionality to graphics apps, games, and game engines that are written in C++.

[…]

No measurable overhead compared to calling Metal Objective-C headers, due to inlining of C++ function calls.

[…]

For convenience, you can alternatively use metal-cpp as a single-header include in your project.

[…]

Metal-cpp follows the object allocation policies of Cocoa and Cocoa Touch. Understanding those rules is especially important when using metal-cpp because C++ objects are not eligible for automatic reference counting (ARC).

It’s not often that Apple encourages using C++.

2021 E-reader Roundup

Jason Snell:

Which brings me to page-turn buttons. The Paperwhite still doesn’t have them. Amazon has decided that page-turn buttons are a premium feature that should only be available on its $270 Oasis. (This is one of the reasons I recommend the Kobo Libra 2.) Clicking a button is just a better way to move through a book than moving your finger from the edge of the device’s bezel to over the screen for a single tap or swipe, and then putting your finger back on the bezel.

[…]

If physical page-turn buttons are something you care about, and you don’t mind a screen that’s recessed into the bezel, the $180 Libra 2 is a great choice.

If you can’t countenance a recessed screen and want a larger screen, the $260 Kobo Sage is a big, beautiful e-reader with some fancy features like Dropbox support—and of course, physical page-turn buttons.

[…]

Beyond compatibility, though, the Kobo experience is remarkably similar to the Kindle. You can buy books on Kobo’s store, either on the device or on the web. The prices are the same as those found on the Kindle Store. Of course, Kindles have access to Amazon services like Kindle Unlimited. On the other hand, Kobos are much better citizens when it comes to borrowing e-books from your local public library.

Wednesday, November 24, 2021

Apple Sues NSO Group

Apple (PDF, Hacker News, Reddit):

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Nicole Perlroth:

The lawsuit is the second of its kind — Facebook sued the NSO Group in 2019 for targeting its WhatsApp users — and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.

[…]

The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

John Gruber:

Apple repeatedly refers to the “FORCEDENTRY” exploit by name. This is not PR bullshit — they’re talking about a very specific exploit. Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it. The message here: “This isn’t just about us, NSO Group is after everyone.”

John Gruber:

I genuinely wonder what Apple’s goals are with this suit. Is it just to bring NSO Group’s activities to light? If this goes to trial, the testimony should really be something to see. How much in damages will Apple seek at trial? Enough to bankrupt NSO Group?

Jason Snell:

Say what you will about Apple’s policies regarding bug bounties and other security issues—the company is capable of spending a nearly infinite amount of money on lawyers who will try to make NSO Group’s existence painful for a very long time.

Maxwell Swadling:

Are you taking any steps to improve platform security processes to prevent what happened over the last 2 years? Such as addressing security disclosures quicker, opening up the security researcher program or catching more issues internally that project zero picks up externally?

Stefan Esser:

NSO has managed what a lot of legitimate security researchers have been unable to do: make people see the security of iPhones in a more realistic light. Furthermore, Apple going after people who discover security problems in their products is just a normal Apple tactic anyway.

Never forget that when NSO was first caught and the first time the general public learned about PEGASUS it was Apple who threatened Lookout to not release samples to the public. Nice AppStore app you have there. It would be a shame if something happened to it.

Yeah also never forget that System and Security info which was capable of finding PEGASUS on your iPhone was banned from the Apple App Store because Apple did not want their customers to be able to see if they were infected.

Steve Troughton-Smith:

Observation from Apple’s NSO complaint: Apple, curiously, completely omits any mention of App Store or lack of sideloading as a fundamental security measure of iOS. Almost as if they no longer believe they can rely on that point to remain in their favor.

Orin Kerr:

According to its CFAA claim filed today, Apple thinks that when your iPhone’s operating system is hacked, Apple is hacked-- and it can sue-- because Apple still owns the operating system on your iPhone.

Hmm, seems like a pretty big stretch to me.

Apple:

Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks.

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users in two ways[…]

Nick Heer:

One of the minor privacy flaws of iMessage is that it will automatically tell you whether someone else has enabled it. All you have to do is type an email address or a phone number into the “To:” field in Messages; if it turns blue, it is an iMessage account and, therefore, associated with an Apple ID and an Apple device. In a vacuum, this is not very meaningful, but it appears that NSO Group was using a similar technique to figure out where to send its spyware.

[…]

I cannot find any reports of Apple notifying potential victims of state-sponsored attacks, so this appears to be a new policy. Twitter was doing this in 2015, and Google in 2012.

The MacBook Pro Notch

Tom Warren:

Snazzy Labs owner Quinn Nelson has posted two videos on Twitter demonstrating some of the early notch issues. The main video demonstrates what appears to be a bug in macOS. Status bar items like Apple’s battery indicator can get hidden underneath the notch when status bar items are extended.

Nelson demonstrates this with iStat Menus, which can be hidden under the notch or can force system items like the battery indicator to be hidden underneath the notch. While Apple has issued guidance to developers on how to work with the notch, the developer behind iStat Menus says the app is just using standard status items and that Apple’s dev guidance “won’t solve the issue presented in the video.” This doesn’t appear to be intended behavior, as the notch works differently inside certain apps.

Jason Snell:

You could imagine this notch being a major pain point for developers and users alike, but it’s not. And that’s thanks to the menu bar, a Mac convention since day one that provides the perfect place to hide a display cutout. The menu bar has been given a little extra height to completely encompass the notch, and menu items automatically move to the other side of the chasm if there isn’t room for them to fit.

It takes no time to get used to having a notch at the top of the display. And it’s a good use of space since moving the menu bar up into what would otherwise have been unused bezel means that there’s more room downstairs for everything else. (I see now why Apple changed the metrics on the menu bar in macOS Big Sur—it was clearly laying the groundwork for this display. Add in the curved-edge highlights that appear when you click on a menu-bar item and the whole approach really looks great.)

Howard Oakley:

If you obsess about it, I’m sure it could become irksome, but I barely notice it.

John Gruber:

The notch in the menu bar for the camera is very weird at first. The mouse pointer passes under it, so it just disappears when in the center of the menu bar. That’s really weird! If I had written this review a week ago, after my first day with the machine, I’d have written a lot more about the notch. One week in, I’m just not noticing it. One notch-related change I’m still getting used to is the taller menu bar. It makes the menu titles look even more disconnected from the actual menus. It’s interesting that last year’s redesigned menu bar in MacOS 11 Big Sur was seen by some as laying UI groundwork for future touch screen support in MacOS, but it now seems clear it was redesigned to more elegantly fit with the notch. You’ll notice that most of Apple’s product photography for these new MacBooks shows them with dark desktop pictures. With default translucency settings, a dark desktop gives you a dark menu bar, and a dark menu bar disguises the notch.

D. Hardawar:

Upon first glance, it’s almost laughable that Apple is leaning even more into a design element that everyone hates. But, honestly, the notch isn’t a big deal.

Stephen Hackett:

A week in, I’ve mostly forgotten it’s there.

Nilay Patel and Monica Chin:

But to me, rather than thinking of the notch eating into the display, I think of the display getting larger except in that one spot. The MacBook Pro effectively has a 16:10 display with a little extra bit at the top where the menu bar and the notch live. You stop noticing it after just a few minutes, just like you stopped noticing the iPhone notch.

Riccardo Mori:

On the Mac, the notch visually splits the menu bar, a UI element you interact with all the time. The notch covers, occupies a part of the menu bar that could be devoted to displaying menu items and menu extras. This isn’t a real problem when you have apps with just a few menus. But with more sophisticated and professional apps, with many menus on the menu bar reaching and even surpassing the middle point, then yes, the notch is definitely in your way and you can’t tell me you’re not going to notice it. When you launch an app with lots of menus on one of the new MacBook Pros, all the ‘excess menus’ will get moved on the right, and the notch will of course be a sort of gap between them. So, according to Linda Dong (Apple Design Evangelist), developers now need to take the notch into account when designing their apps (more unnecessary work for them, but who cares, right Apple?)

Fred McCann:

It’s tempting to call this bad design, but this looks more to me like someone who was responsible for making a product level decision refused to make a decision about what was the most important thing and shipped a broken compromise.

[…]

What’s not evident from this screenshot is that menu items are under the hole, inaccessible. Unlike menus which wrap around the hole, menubar items simply disappear. This isn’t some Bartender behavior, this is the default behavior in the operating system.

[…]

What were the product people at Apple thinking? I can’t know for sure but I suspect they thought thin bezels, a better webcam, and a nicer screen were all equally important. This is another way of saying no one at Apple actually decided what the most important thing was. They punted.

[…]

The one thing the product people at Apple thought wasn’t important was a working menubar.

Previously:

MacBook Pro 2021 Reviews

Jason Snell:

The new 14- and 16-inch MacBook Pro models usher in a new era in Apple laptops. These are the first high-end Macs to be powered by Apple-designed processors, and that’s a big deal—but they also reject the minimalist design of mid-2010s Apple, which achieved design simplicity by forcing complexity and frustration on users.

These new MacBook Pros are a success story not just because of Apple’s custom-built processors, but because Apple has admitted (in deeds, if not words) that the previous generation of laptops were a misstep.

[…]

I’m happy to report, it’s true—all of it. Apple has undone its mistakes of the past few years and created a laptop that’s essentially a Mac Pro you can slide into a backpack.

John Gruber:

A few factors contribute to this sense of thickness. The first is that the new MacBook Pros are more rectilinear. We tend to think of the MacBook Air as the tapered MacBook, but MacBook Pros have been tapered for years. Looking at the new model next to last year’s M1, it’s striking just how far from flat the previous design is. The 13-inch MacBook Pro is 0.61 inches thick only in the middle. The new 14-inch MacBook Pro is 0.61 inches thick from edge to edge, front to back.

[…]

Apple’s best products have always been both tools for work and objects of art. Almost every single change with these new MacBook Pros is in the name of making them better tools for work. Conversely, the controversial decisions that went into the Touch-Bar-era MacBooks were in the name of artistic purity. Minimalism trumping practicality. They were out of balance.

[…]

That, to me, explains the entirety of this new MacBook Pro. The differences between a MacBook Pro and MacBook Air should not be subtle. Let the truck be a truck, true to its purpose. Let the MacBook Pro be unabashedly pro.

D. Hardawar (Hacker News):

But lean in a bit closer and you’ll notice some retro flourishes. They’re slightly thicker, with more bulbous edges that hearken back to Apple’s notebooks from the 2000’s. They’re also heavier than you’d expect: the 14-inch model comes in at 3.5 pounds, while the 16-inch varies between 4.7 and 4.8 pounds, depending on the chip you choose. That’s about half a pound heavier than the last 16-inch MacBook Pro.

Nilay Patel (tweet):

It’s easy to be excited about the new MacBook Pros — it feels like Apple finally listened to everyone and brought back the best parts of the beloved 2015 MacBook Pro, while pushing the display and performance to new heights.

Austin Mann:

I really wish there was a matte/non-glare screen option. Years ago, this was an option on Apple’s laptops, and with the recent Pro Display XDR “nano-etch” anti-glare option, I was crossing my fingers we might see something similar on the MacBook Pro.

Stephen Hackett:

For the nearly nine years between the two machines, the keyboard’s feel isn’t radically different. The new keys seem slightly larger, have less space between them and feel more stable, somehow. The sound is a little deeper, but I’ve gotten used to the new keyboard pretty quickly.

[…]

My new 14-inch machine packs a lot more pixels than my 15-inch Retina MacBook Pro.

Nilay Patel and Monica Chin (tweet):

So yes, the ports are definitely more convenient, and totally fine for most situations, but there are still reasons to visit dongletown. For example, macOS Monterey now supports variable refresh rate external displays using a VESA standard called Adaptive-Sync, but Apple tells me you’ll need a Thunderbolt to DisplayPort dongle for that. I also ran into a strange bug where sending audio out over HDMI resulted in stuttering video and glitchy audio, which Apple says it is looking into.

[…]

Lastly, the speakers on these new MacBook Pros are terrific. The first thing we did with these when we got them was open up a video to check out the new displays, but the first thing we noticed was that the speakers are so good. They are clear and crisp, with some actual low-end from four woofers, and they get super loud. It’s impressive — and while the 14-inch speakers are really good, the 16-inch models in particular have the best speakers we’ve ever heard on a laptop.

[…]

A lot of you asked whether the extra money for the M1 Max is worth it, and after all that, we think the answer is: no, not for most people. Carrying around all those extra GPUs has an impact on battery life [10 hours vs. 16] whether you’re using them or not.

Jon Porter (Hacker News):

But it’s hard to ignore the broader context of these improvements, which is that they effectively bring the company’s 2021 MacBook Pros back in line with the features they were already offering from 2012 to early 2016. Arguably, the primary reason these new MacBooks are being greeted with overwhelming enthusiasm now is that Apple made the wrong bet on where laptop design was headed back then.

Juli Clover:

It’s officially MacBook Pro launch day, and customers around the world who pre-ordered after last Monday’s event are receiving their devices today. We’ve already seen reviews of the new MacBook Pro models from media sites, but now first impressions from everyday users are available.

Paul Haddad:

This is pretty hilarious. Rosetta results for the M1 Pro/Max vs my 10850k 10 core real Intel machine.

Jason Snell:

[Here’s] a pic of how deep the SD card slot is in the new MBP

It sticks out a lot more than on my 2012 MacBook Pro.

Marco Arment:

Based on this, I’m guessing the new SD slot won’t safely support those nearly-flush adapters that could hold a MicroSD card for extra semi-permanent storage.

John Gruber:

Here are the effective “looks like” resolutions for the new 14-inch MacBook Pro

Moshen Chan:

13" M1 MBP vs. 14" MBP. Mini-LED ‘Liquid Retina XDR’ showing huge contrast difference.

Saagar Jha:

Interesting, it looks like the new MacBook Pros can’t really go from black to light colors very well. There’s a fairly noticeable “ghosting” effect where it first tries to turn on the right LED regions and then gets to the right color.

Computer Clan:

I love how Apple went from removing the escape key to making the biggest escape key ever on a Mac. 😂

Paul Haddad:

I’ve not seen any performance difference in the various reviews between the 14” and 16”. I have seen several instances of the fans being significantly louder on the 14” under any kind of sustained load. Add to that longer battery life and bigger screen…

Joe Rossignol (Hacker News):

iFixit has shared a teaser of its 14-inch MacBook Pro teardown, and one noteworthy detail is the inclusion of pull tabs for the battery cells, which the repair website said will allow for easier do-it-yourself battery replacements.

Juli Clover:

In Final Cut Pro, a video export test saw the M1 Max machine export a 6-minute 4K video in one minute and 49 seconds, a task that took the M1 Pro 2 minutes and 55 seconds. When it comes to 8K RAW footage, both machines were able to handle the load. The M1 Max MacBook Pro performed close to flawlessly, while the M1 Pro had a few issues with dropped frames and stuttering, but was ultimately able to keep up.

Howard Oakley (Hacker News):

The internal SSD is the fastest that I have ever tested, although as it’s the 2 TB model, it’s expected to be significantly slower than the results quoted by Apple, which are for 8 TB versions. Using my own app Stibium, it attains transfer rates of 6.7 GB/s read and 6.9 GB/s write. Maximum speeds were found between 60-400 MB transfer sizes.

I’m going to look in more detail at how the M1 Pro uses its cores in tomorrow’s sequel to this article. For the moment, though, I’ll give you a teaser that, like the M1, the M1 Pro runs lowest QoS processes on its Efficiency cores, which includes most macOS services like Time Machine. Although the M1 Pro has only two Efficiency cores, compared to the M1’s four, numerical tests run on them in the M1 Pro complete in around 67% of the time of the M1. The M1 Pro’s Performance cores are managed quite differently from those in the M1 too.

Swift Package Index:

Overall, it’s remarkable that the M1 MacBook Air already had the best performance before Apple introduced the new MacBook Pros, but the M1 Pro and Max chips take this further. They improve on the M1 Air’s best result of 47 seconds with a build time of less than 31 seconds. Those extra cores matter, and the ~35% improvement is in line with what you’d expect, going from a 4+4 performance/efficiency core setup to an 8+2 configuration.

Brian Webster:

OK, the M1 Max benchmark that matters for me: a clean build of PowerPhotos (~80,000 LOC, about 1/3 Swift, 2/3 ObjC)

2017 5K iMac: 160 seconds
2018 MacBook Pro Core i9: 159 seconds
2021 MacBook Pro M1 Max: 76 seconds

Michael Love:

Up and running with 14" M1 MacBook Pro. Thoughts so far:

- Very fast; build times roughly halved vs 2019 Intel 16"
- Android dev on M1 has a few glitches but basically OK
- Notch is fine; stupid, but ignorable
- No difficulty driving 4K@120 external monitor (Gigabyte M32U)

Marco Arment:

I’ve now had the 16” M1 Max MBP at full sustained CPU load (800%+) for 3 hours.

I do, finally, hear the fans — but just barely. It’s quieter than my iMac Pro was at full sustained CPU load.

Hard to notice above ambient noise from a few feet away. Gotta put your ear up close.

Ben Sandofsky:

Build times for @halidecamera

2019 MacBook Pro
2.4GHz, 8-Core, 32GB RAM
63 Seconds

2021 MBP M1 Pro
10-Cores, 32GB RAM
28 Seconds

…and the 2021 model was $300 cheaper.

See also: iFixit, MacRumors, Accidental Tech Podcast, The Talk Show.

Previously:

GitHub’s Commitment to npm Ecosystem Security

Mike Hanley:

Today, we are sharing details of recent incidents on the npm registry, the details of our investigations, and how we’re continuing to invest in the security of npm. These investments include the requirement of two-factor authentication (2FA) during authentication for maintainers and admins of popular packages on npm, starting with a cohort of top packages in the first quarter of 2022.

Previously:

Tuesday, November 23, 2021

Black Friday 2021

My apps are on sale for Black Friday and Cyber Monday, and here are some other good deals that I found:

Stores:

Accessories:

Books:

Photos and Video:

Lists of Deals:

Previously:

Dropbox and Maestral

Hartley Charlton:

An official Dropbox support thread, shared by Mitchell Hashimoto on Twitter, reveals a fiasco around native support for Apple silicon Macs. Dropbox is seemingly insisting that a significant number of community members will have to vote for native Apple silicon support for it to be implemented. There are also multiple repetitious requests with different phrasing, fragmenting users’ votes for support.

[…]

In a reply on Twitter, Dropbox founder and CEO Drew Houston apologized for the confusion sparked by the “not ideal” support responses and said that Dropbox is “certainly supporting Apple silicon” with a native Apple silicon build planned for release in the first half of next year.

Steve Troughton-Smith:

Not the full story, at all. There are technical issues & negotiations at play. It shouldn’t surprise anybody that Apple doesn’t really want companies making kexts anymore

Apple wants apps to use the new File Provider extension API instead, but from what I’ve heard it’s limited and unreliable.

Ryan Jones:

Exploring Dropbox alternatives?

I did ~6 months ago. Fully installed Box, G Drive, One Drive, and tried iCloud Drive.

I ran back to Dropbox and paid for Plus. For speed, simplicity, and less bullshit.

Marco Arment:

Had enough with the Dropbox Mac app? Me too.

I switched to maestral.app a few weeks back and couldn’t be happier. ~7x less RAM, ~10x less disk space, doesn’t burn 100% CPU during Xcode unzips.

Only drawback is it doesn’t sync xattrs, which doesn’t affect my usage.

Maestral:

Maestral is an open-source Dropbox client written in Python. The project’s main goal is to provide a client for platforms and file systems that are no longer directly supported by Dropbox.

Maestral currently does not support Dropbox Paper, the management of Dropbox teams, and the management of shared folder settings.

[…]

The focus on “simple” file syncing does come with advantages: on macOS, the Maestral App bundle is significantly smaller than the official Dropbox app and uses less memory.

Maestral uses the public Dropbox API which, unlike the official client, does not support transferring only those parts of a file which changed (“binary diff”). Maestral may therefore use more bandwidth than the official client.

Max Seelemann:

🏎 Ulysses clean build on M1 Max: ~65s.

🚀 Same but with Dropbox app NOT running: ~55s.

Quitting Dropbox saves 10s or ~15% for me! Reproduced multiple times.

See also: Accidental Tech Podcast.

Previously:

Booting an M1 Mac From an External Disk With Monterey

Howard Oakley:

One of the stumbling blocks to using an external boot disk with an M1 Mac is that it may not cope if you update macOS on the internal SSD, then try booting from the external disk to update that. You may be prompted to assign an authorised user to that external disk, only to be informed that the version of macOS on that disk isn’t bootable and needs to be replaced.

[…]

If you’re unable to boot from a bootable disk using an older (non-current) version of macOS, change its boot policy to Reduced Security and it should then become bootable again.

Use Reduced Security to update bootable external disks, and to maintain older bootable versions of macOS.

If you’ve updated a bootable disk to the current version of macOS, change its boot policy back to Full Security.

This is done in the Recovery Assistant.

Howard Oakley:

Unlike a T2 Mac, M1 Macs don’t set one boot security policy for the Mac, but a policy for each bootable disk. This is attractive, as it means that you can still ensure that, when it boots from its internal SSD it does so in Full Security, but your M1 Mac can be more relaxed when it boots from an external disk instead.

[…]

At present, the odd situation is when LocalPolicy is set to Full Security and the macOS versions don’t match, but the external disk is connected via USB-A rather than USB-C or Thunderbolt. In that circumstance, it appears that booting continues despite the conflict in macOS versions. This could be a simple bug, but I suspect that it’s a limitation of the USB-A bus (I recall historical issues in which USB-A had problems with security systems which could be related).

[…]

The final piece in this jigsaw puzzle is the macOS full installer app. In response to user outcry when it removed the macOS 11.2 installer as soon as 11.2.1 was released, Apple now leaves full installers available for each version of Big Sur. However, they don’t appear to be of much use to those with M1 Macs, as all attempts to install an older version of macOS on an external disk appear to fail.

Howard Oakley:

On M1 Macs:

  • Carbon Copy Cloner 6 can now create full clones of bootable system volume groups in containers on an external disk;
  • making a full clone of the internal SSD works, but it can’t readily be booted, and is strange in other ways too. Unless you have a compelling reason for doing so, avoid this;
  • booting from a full clone of the internal SSD is to be avoided;
  • making a full clone of an external SSD works, but has little or no advantage over performing a full install of macOS on that disk.

Howard Oakley:

I’m delighted to report that five months after I wrote that M1 Macs had problems starting up from external disks, Apple has finally fixed Big Sur 11.4 so that they now work fully.

[…]

Changing between external boot disks is normally simple and direct using the Startup Disk pane. Changing back to the internal SSD when booted from an external disk usually requires a visit to recoveryOS, where you need to authenticate in Recovery Assistant. After a long pause, once that has been accepted as successful, select the Restart button.

[…]

Check LocalPolicy for your bootable systems using sudo bputil -d, which should then list available macOS installations by the UUID of their boot volume group[…]

[…]

If your external disk connects by USB-C rather than Thunderbolt and you experience problems, try connecting it using a USB-C data cable rather than a certified Thunderbolt cable. If that doesn’t help, and you have a USB-A port available, use a USB-C to USB-A cable instead, which appears to be the most reliable.

Howard Oakley:

When Apple released the Big Sur 11.4 update, nothing in its release notes indicated that any change had taken place in support for bootable external disks. Indeed, as far as I can tell, Apple hasn’t mentioned these problems, and anyone considering buying an M1 Mac would probably be completely unaware of their gross unreliability with bootable external disks.

[…]

There’s an obvious explanation which I came across when looking at what had changed in the 11.4 update: a brand new kernel extension AppleVPBootPolicy.kext which is concerned with the management of LocalPolicy, which determines security level on boot disks.

[…]

The evidence is that these problems were the result of bugs in managing and implementing LocalPolicy, which were fixed by that new extension, and other changes in macOS 11.4. In other words, M1 Macs didn’t work properly for a period of six months because their Secure Boot system was broken.

Howard Oakley:

As Apple doesn’t yet appear to provide complete instructions for the creation of a bootable external disk in recent versions of macOS, and the information which it does provide is at best misleading in places, this article attempts to remedy this for both Intel and M1 Macs.

Howard Oakley:

I hope this has dispelled some of the rumours about using external boot disks with M1 series Macs, which seem still to be based on Big Sur before 11.4. Installing, configuring and using them is now highly reliable, quick and simple. I’m sure that someone will be able to find a model of SSD which doesn’t yet work perfectly, but this demonstration is based on a regular retail Samsung SSD fitted inside an anonymous case bought cheaply from Amazon, and a regular Thunderbolt 3 cable. No witchcraft or incantations were involved.

Previously:

Monday, November 22, 2021

Chromium’s URL Blocklist Can Now Prevent Viewing Page Source

Thomas Claburn:

Future Chromium-based browsers under administrative control will be able to prevent users from viewing webpage source code for specific URLs, a capability that remained unavailable to enterprise customers for the past three years until a bug fix landed earlier this week.

[…]

Evidently, tech savvy students were viewing the source code of web-based tests to determine the answers.

Nick Heer:

The rationale for this bug seems pretty weak. If exam software is revealing answers in the page source, it should be rewritten. In this case, it was Google Forms, which makes this bug fix from Google’s Chromium project look especially hinky.

[…]

If the web were still primarily a venue for document viewing, as I naïvely believe it ought to be, I would see this through a more debilitating lens. But the web is basically an operating system and viewing the source tells you little these days. I think that is a bigger regression, but it is only tangentially related to this bug.

Reviewing Content Instead of the App

Sean Hollister (tweet):

You pissed off people by somewhat breaking your app, and they’re leaving angry reviews. How can you salvage your reputation? Apple just found one incredibly effective way — get listeners to submit better reviews by interrupting their podcast experience with an in-app prompt to submit a rating.

That’s how the Apple Podcasts app went from a publicly embarrassing 1.8-star score all the way to 4.6 stars in a little over a month without any actual fixes, as developer and App Store watchdog Kosta Eleftheriou points out.

[…]

But do those people actually love Apple Podcasts? Because if you really look at the reviews, it seems like some funny business is going on. There are new, positive reviews, but they aren’t reviews of the Apple Podcasts app at all — they’re reviews of podcasts themselves.

Juli Clover:

The top review in the App Store right now starts out with “Best Podcast Ever!”, with the reviewer lauding the podcast they had been listening to at the time the review prompt popped up.

The rest of the reviews are a mix of one star comments about the design of the Podcasts app and positive reviews for podcast content.

[…]

Looking at the reviews of third-party podcast apps, the majority of the ratings are for the apps themselves, and customers do not seem to be accidentally offering reviews for podcast content as is happening with the Podcasts app.

Kuba Suder:

people reviewing content is unfortunate, it’s maybe a UI problem, but I know it happens in other apps too (eg. Yelp)

Previously:

Safari Forgets Your History

Jeff Johnson:

Clicking a link in a web browser changes the URL, and if you look at the browser’s history after clicking, you’ll see both the old URL and the new URL. The URL can also be changed programmatically, using the JavaScript Location API. After a new location is assigned in JavaScript, you should also see the old URL and the new URL in the browser’s history. You should, and you do in Chrome and Firefox. But not in Safari! For some reason, Safari forgets the URLs. This bug appears to be many years old: it occurs in the latest version 15.1, and it occurs in the oldest version that I could test, Safari 11 on macOS 10.13 High Sierra. You can reproduce the bug by simply clicking the button below.

[…]

If you want to see how this Safari bug plays out in “the real world” as opposed to just my contrived test, take a look at your history after searching the web with DuckDuckGo. Below you can see that I’ve clicked on a DuckDuckGo search result, but the new URL is missing from my Safari History.

This bug has been bothering me for years, and it does seem to primarily affect pages that I visited via search results.

The Unexpected Return of JavaScript for Automation

Armin Briegel:

One reason python became so popular with MacAdmins was that the pre-installed python on Mac OS X also came with PyObjC, the Objective-C bridge for python.

[…]

I’ll be honest here and admit that working with JXA seems strange, inconsistent, and — in a weird way — like a step backwards. Putting together a Command Line Tool written in Swift feels like a much more solid (for lack of a better word) way of solving a problem.

However, the Swift binary command line tool has one huge downside: you have to install the binary on the client before you can use it in scripts and your management system.

[…]

However, as flawed as it is, JXA can be a simple replacement for the classic python “one-liners” to get data out of a macOS system framework. Other interesting use cases are being discovered, such as JSON parsing.

Python is no longer the favored choice because “Monterey will now throw up dialogs warning the user.”

AppleScriptObjC is built-in, however.

Previously:

Update (2021-11-26): See also: Hacker News.

The Reincarnation of the Touch Bar

Luc P. Beaudoin:

The obvious advantage was providing configurable, direct access to context sensitive commands.

[…]

To reduce the need to look down towards the physical keyboard, macOS could present a virtual command bar on the main screen. This would be triggered by some event, such as a physical key, keyboard shortcut, Siri, hand gesture, eye gesture, or facial gesture (see next section). This virtual keyboard could be presented as a single row of buttons, or a 2-D array of buttons.

As someone who really hated the actual Touch Bar, I do think there’s something to the idea of providing similar functionality in other ways. (Ideally it would be much more configurable than the Touch Bar was.) I’m thinking something like the old System 7 Control Strip, but with an area for application-specific functionality, too. To a certain extent, this idea lives on in menu bar status items. But the menu bar fills up easily, and the old Control Strip could be resized, hidden, and shown, including via keyboard shortcut. In Big Sur, Apple freed up some menu bar space by consolidating popular status items into a single Control Center icon, but it doesn’t have a keyboard shortcut and isn’t keyboard navigable. It doesn’t even activate via the “Move focus to status menus” shortcut.

Previously:

Friday, November 19, 2021

Click to Subscribe, Call to Cancel

Sarah Scire:

Publishers tend to think of this as “retention.” A study of 526 news organizations in the United States found that only 41% make it easy for people to cancel subscriptions online, and more than half trained customer service reps in tactics to dissuade customers who call to unsubscribe.

The Federal Trade Commission, meanwhile, recently made it clear that it sees the practice as 1) one of several “dark patterns that trick or trap consumers into subscriptions” and 2) straight-up illegal. The FTC vowed to ramp up enforcement on companies that fail to provide an “easy and simple” cancellation process, including an option that’s “at least as easy” as the one to subscribe.

[…]

Translation? If you can subscribe online, you should be able to cancel your subscription online.

Previously:

AOL Exploits Bug in Own Software

Geoff Chappell (in 1999, via Hacker News):

In e-mail of dubious origin sent to security expert Richard M. Smith, it is alleged not only that the AIM client software has a so-called “buffer overflow” bug but also that AOL actually does use its knowledge of this bug to induce users’ machines, which are running the AIM client software, to execute code that is downloaded from the AIM server. AOL is said to do this as a way for the AIM server to distinguish AIM clients from MSN clients so that the latter may be denied service.

[…]

An ordinary, though certainly not necessary, effect of a program’s corrupting memory on its stack is that the program crashes some time later. The particular packet presented in the e-mail to support the allegations against AOL fits case 0013h but contains 0118h bytes of string data. This is too long and will indeed induce the AIM client to corrupt memory, as described above. However, the AIM client does not crash.

The reason is that the packet data, as received from the AIM server, is contrived so that the corruption of memory by the AIM client is carefully controlled. The buggy routine in the AIM client is made to “return” to an address at which it is known there will be the bytes for a call esp instruction (actually provided in the bitmap for an icon in the AIM.EXE resources). The effect of this instruction is to start executing some of the packet data.

Previously:

Update (2021-11-23): Sherief, FYI:

Check out the section titled “(s)elf-exploitation”.

Unicode and Copying and Pasting Code

Glenn Faison:

I recently saw first-hand why I should never copy and paste any code I found online (or anywhere, for that matter).

[…]

To cut the long story short, what looks like a loose inequality check on line #4, is deceptively an assignment operation, which reads like (environmentǃ = ENV_PROD)! In JavaScript, assignment operations return the assigned value, which in this case is truthy (will be treated as true wherever a boolean value is expected).

But isn’t environmentǃ an invalid variable name in JavaScript, you ask? It’s complicated. You’d be right to say an exclamation sign cannot be part of a variable name. However, the ǃ you see there is in fact not the everyday exclamation sign you know. It’s an obscure character that happens to be accepted as regular text by the JavaScript interpreter, and thus can be a valid part of a variable name.

This particular example is unlikely to happen in Swift, both because assignments don’t have values and because the compiler is picky about whitespace around operators.

Via Nick Lockwood:

This is why unicode (outside of string literals) in programming languages was a mistake.

[…]

Support for unicode in variables adds a massive new surface for hiding security exploits in plain sight (see also: unicode urls).

The supposed benefit of being able to use mathematical symbols for custom operators is mostly just an attractive nuisance since you can’t type them.

Inclusivity is good, but unicode variables offer little practical benefit to non-English speakers if the platform APIs and dominant 3rd party frameworks are not localized, and unicode is neither necessary nor sufficient to solve that (it should ideally be handled at IDE-level).

CVE-2021-42574 (via Daniel Martín):

The Rust Security Response WG was notified of a security concern affecting source code containing “bidirectional override” Unicode codepoints: in some cases the use of those codepoints could lead to the reviewed code being different than the compiled code.
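As an added example (not code from Glenn Faison’s post, Nick Lockwood, or the Rust advisory), here is a small JavaScript scanner that flags both tricks discussed above: non-ASCII code points outside string literals and comments, such as the U+01C3 that stands in for “!” in environmentǃ, and bidirectional control code points anywhere in the file, including comments and strings, which is the pattern behind CVE-2021-42574. The sample sources and the function names are constructed for this illustration.

```javascript
// Added example, not code from the original post or the Rust advisory: a
// minimal scanner for JavaScript source that reports (a) any non-ASCII code
// point outside string literals and comments, where a homoglyph such as
// U+01C3 can hide inside an identifier, and (b) any bidirectional control
// code point anywhere in the file, including comments and strings, which is
// the pattern behind CVE-2021-42574. The tokenizer only tracks '', "", ``,
// // and /* */, which is enough for ordinary code but not regex literals.

const BIDI_CONTROLS = new Map([
  [0x202a, 'LRE'], [0x202b, 'RLE'], [0x202c, 'PDF'], [0x202d, 'LRO'], [0x202e, 'RLO'],
  [0x2066, 'LRI'], [0x2067, 'RLI'], [0x2068, 'FSI'], [0x2069, 'PDI'],
]);

function describeState(state) {
  if (state === 'code') return 'code';
  if (state === 'line' || state === 'block') return 'comment';
  return 'string';
}

function scanSource(src) {
  const findings = [];
  let state = 'code'; // 'code' | "'" | '"' | '`' | 'line' | 'block'
  let line = 1;
  const cps = Array.from(src); // iterate by code point, not by UTF-16 unit
  for (let i = 0; i < cps.length; i++) {
    const ch = cps[i];
    const cp = ch.codePointAt(0);
    const next = cps[i + 1];
    if (ch === '\n') line++;

    // Bidi controls are suspicious wherever they appear, so check them first.
    if (BIDI_CONTROLS.has(cp)) {
      findings.push({ line, codePoint: cp, kind: 'bidi-control',
                      name: BIDI_CONTROLS.get(cp), context: describeState(state) });
      continue; // a bidi control never opens or closes a token
    }

    if (state === 'code') {
      if (ch === '/' && next === '/') { state = 'line'; i++; }
      else if (ch === '/' && next === '*') { state = 'block'; i++; }
      else if (ch === "'" || ch === '"' || ch === '`') state = ch;
      else if (cp > 0x7f) {
        // Outside literals and comments, any non-ASCII code point is reported:
        // it may be a homoglyph forming an unexpected identifier.
        findings.push({ line, codePoint: cp, kind: 'non-ascii-in-code',
                        name: null, context: 'code' });
      }
    } else if (state === 'line') {
      if (ch === '\n') state = 'code';
    } else if (state === 'block') {
      if (ch === '*' && next === '/') { state = 'code'; i++; }
    } else { // inside a quoted literal; `state` holds the closing quote
      if (ch === '\\') { if (next === '\n') line++; i++; } // skip escaped char
      else if (ch === state) state = 'code';
    }
  }
  return findings;
}

function formatFinding(f) {
  const hex = 'U+' + f.codePoint.toString(16).toUpperCase().padStart(4, '0');
  const label = f.name ? `${hex} ${f.name}` : hex;
  return `line ${f.line}: ${label} (${f.kind}, in ${f.context})`;
}

// Constructed sample modelled on the post: the character after "environment"
// on line 3 is U+01C3 LATIN LETTER RETROFLEX CLICK, not U+0021, so the
// "check" is really an assignment whose value is always truthy.
const HOMOGLYPH_SAMPLE = [
  "const ENV_PROD = 'production';",
  'const environment = process.env.NODE_ENV;',
  'if (environment\u01C3 = ENV_PROD) {',
  '  enableDebugMode();',
  '}',
].join('\n');

// Constructed sample in the Trojan Source style: RLO and PDF inside a comment.
const TROJAN_SAMPLE = [
  'function isAdmin(user) {',
  '  /* \u202Erevert this \u202C */ return true;',
  '}',
].join('\n');

// Constructed control case: non-ASCII inside a string literal is not reported.
const CLEAN_SAMPLE = "const greeting = 'héllo, wörld';\n";

for (const [name, src] of Object.entries({ HOMOGLYPH_SAMPLE, TROJAN_SAMPLE, CLEAN_SAMPLE })) {
  const findings = scanSource(src);
  console.log(`${name}: ${findings.length} finding(s)`);
  findings.forEach((f) => console.log('  ' + formatFinding(f)));
}
```

Running the block prints one finding for the homoglyph sample (line 3, U+01C3), two for the Trojan Source sample (RLO and PDF in a comment), and none for the control.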

Previously:

First MacPaint and MacWrite Public Demo

level1807 (via John Siracusa):

The well-known presentation already available on YouTube is from January 24 of 1984. What’s not so well remembered: Jobs did it all twice, in less than a week. Six days after unveiling the Mac at the Flint Center on the De Anza College campus near the company’s headquarters in Cupertino, Calif., he performed his show all over again at the monthly general meeting of the Boston Computer Society.

“That’s the first time I touched the keyboard.” Atkinson later refers to the Feature key.

Thursday, November 18, 2021

Forgotten Image Formats

Ernie Smith (via Gus Mueller, Hacker News):

Around this time 30 years ago, two separate working groups were putting the finishing touches on technical standards that would come to reshape the way people observed the world. One technical standard reshaped the way that people used an important piece of office equipment at the time: the fax machine. The other would basically reshape just about everything else, becoming the de facto way that high-quality images and low-quality memes alike are shared on the internet and in professional settings. They took two divergent paths, but they came from the same place: The world of compression standards. The average person has no idea what JBIG, the compression standard most fax machines use, is—but they’ve most assuredly heard about JPEG, which was first publicly released in 1992. The JPEG format is awesome and culture-defining, but this is Tedium, and I am of course more interested in the no-name formats of the world.

Are TIFF, BMP, and PCX really considered to be forgotten?

XCRemoteCache

Bartosz Polaczyk (Hacker News):

We are excited to be open sourcing XCRemoteCache, the library we created to mitigate long local builds. As the name suggests, this library is a remote caching implementation for iOS projects with an aim to reuse Xcode target artifacts generated on Continuous Integration (CI) machines. It supports Objective-C, Swift, and ObjC+Swift targets and can be easily integrated with existing Xcode projects, including ones managed by CocoaPods or Carthage.

[…]

A remote cache is a popular technique to speed up builds of big applications by applying the “compile once, use everywhere” approach. As long as all input files and compilation parameters are the same, instead of building a target locally, one can download artifacts that were built and shared from some other machine. A key success factor for remote caching is finding an optimal caching level. Caching units that are too granular, where every single piece of the compilation step is cacheable, may lead to extensive network traffic overhead, which can offset CPU savings. On the other hand, putting the entire codebase into a single cacheable unit may significantly degrade the caching hit rate; every single local change invalidates remotely available cache artifacts, triggering a full build, locally.

The main Spotify iOS application is highly modularized and contains more than 400 independent modules configured as separate Xcode targets. Applying target-level caching was natural, and as we found out later, the right decision.
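The keying rule behind a remote cache (identical inputs and identical compilation parameters, otherwise rebuild locally) is worth seeing in code, including the failure mode a practitioner should check for: a key that omits a compilation parameter will happily serve an artifact built under a different configuration. The Python below is an added illustration, not XCRemoteCache's own code; the file names, the Swift flags, the toolchain string and the in-memory "remote" store are constructed for the demonstration, and the toy "compiler" just digests its inputs.

```python
"""Target-level remote caching, keyed by content: an added example, not code
from XCRemoteCache. Sources, flags, toolchain label and the in-memory store
are all constructed for the demonstration."""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

TOOLCHAIN = "swift-5.5-constructed"  # assumed label standing in for a real toolchain version


def fingerprint(sources: Dict[str, bytes], flags: List[str], toolchain: str) -> str:
    """Content-address a target by everything that influences its output.

    File *contents* (not paths or mtimes), the exact flag list and the toolchain
    all go into the key. Anything left out becomes a way for a stale or
    differently configured artifact to be returned as a hit.
    """
    h = hashlib.sha256()
    h.update(toolchain.encode() + b"\0")
    for name in sorted(sources):          # sort: key must not depend on dict/FS order
        h.update(name.encode() + b"\0")
        h.update(hashlib.sha256(sources[name]).digest())
    h.update(json.dumps(flags).encode())  # flags are order-sensitive, so hash in order
    return h.hexdigest()


def weak_fingerprint(sources: Dict[str, bytes], flags: List[str], toolchain: str) -> str:
    """Deliberately under-specified key that ignores flags (the bug to avoid)."""
    return fingerprint(sources, [], toolchain)


class RemoteCache:
    """Stand-in for the CI-populated artifact store (constructed, in memory)."""

    def __init__(self) -> None:
        self._store: Dict[str, bytes] = {}

    def put(self, key: str, artifact: bytes) -> None:
        self._store[key] = artifact

    def get(self, key: str) -> Optional[bytes]:
        return self._store.get(key)


def compile_target(sources: Dict[str, bytes], flags: List[str], toolchain: str) -> bytes:
    """Toy compiler: the artifact is a deterministic digest of its real inputs."""
    return hashlib.sha256(("built:" + fingerprint(sources, flags, toolchain)).encode()).digest()


def build(cache: RemoteCache, sources: Dict[str, bytes], flags: List[str],
          toolchain: str, key_fn: Callable[..., str] = fingerprint) -> Tuple[bytes, bool]:
    """Return (artifact, cache_hit): download on a hit, otherwise compile and publish."""
    key = key_fn(sources, flags, toolchain)
    artifact = cache.get(key)
    if artifact is not None:
        return artifact, True
    artifact = compile_target(sources, flags, toolchain)
    cache.put(key, artifact)
    return artifact, False


def demo() -> dict:
    """Exercise hit, miss-on-source-change, miss-on-flag-change and the weak-key bug."""
    sources = {"Foo.swift": b"struct Foo { var x = 1 }\n",   # constructed sample sources
               "Bar.swift": b"let bar = Foo()\n"}
    ci_flags = ["-O", "-enforce-exclusivity=checked"]        # CI builds with the check on
    local_flags = ["-O"]                                      # a developer drops it locally

    cache = RemoteCache()
    ci_art, ci_hit = build(cache, sources, ci_flags, TOOLCHAIN)          # CI populates
    same_art, same_hit = build(cache, sources, ci_flags, TOOLCHAIN)      # identical inputs
    edited = dict(sources, **{"Foo.swift": b"struct Foo { var x = 2 }\n"})
    _, edit_hit = build(cache, edited, ci_flags, TOOLCHAIN)              # one-byte change
    flag_art, flag_hit = build(cache, sources, local_flags, TOOLCHAIN)   # different flags

    # Same scenario with the under-specified key: the CI artifact, built with a
    # different flag set, is silently served for the local configuration.
    weak = RemoteCache()
    build(weak, sources, ci_flags, TOOLCHAIN, key_fn=weak_fingerprint)
    weak_art, weak_hit = build(weak, sources, local_flags, TOOLCHAIN, key_fn=weak_fingerprint)

    return {"ci_hit": ci_hit, "same_hit": same_hit, "same_matches_ci": same_art == ci_art,
            "edit_hit": edit_hit, "flag_hit": flag_hit, "flag_matches_ci": flag_art == ci_art,
            "weak_hit": weak_hit, "weak_served_ci_artifact": weak_art == ci_art}


if __name__ == "__main__":
    print(demo())
```

The last two results are the point: with the full key, changing a single flag is a miss and forces a local build; with the flag-blind key it is a hit, and the developer links an artifact compiled without the setting they asked for. The same reasoning applies to anything else that influences output and is not in the key (toolchain version, SDK, environment-dependent build settings). A separate caveat, not covered by this example: whoever can write to a shared artifact store controls what every developer links, so a remote cache also needs write access limited to CI and artifacts verified on download.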


WebKit E-mail Formatting Bug

Adam Engst:

Now and then, we get a report from a reader whose TidBITS issue has an entire article formatted as a column of text that’s a single character wide. I could tell what happened in at least two cases, but I’m utterly stumped as to what might be causing it. The problem doesn’t appear to originate on our end.

In one report where the reader forwarded the badly formatted issue to us, the problem stemmed from CSS corruption.

I’m not sure what causes this, but I’ve seen it happen to a variety of e-mails (though none from TidBITS) starting with Catalina, both in Mail itself and in my app that uses WebKit to render HTML e-mails. For me, at least, it’s a transitory problem that goes away if I relaunch the app and view the same e-mail again.

See also: Peter Steinberger.

Pacifist 4.0.1

Filipe Espósito:

Pacifist is a popular file extractor for macOS that lets users view and extract multiple file formats, including PKG, DMG, XAR, and TAR.

CharlesSoft:

Completely rewritten in Swift 5

[…]

Added command-line interface

[…]

Support for Asset Catalog files

Support for Mac OS 9 Installation Tome files

It’s $20 or $10 to upgrade.

Previously: