Monday, March 30, 2020

Xattrs Make Time Machine Backups Waste Space

Howard Oakley:

When metadata used to change relatively infrequently, this had little in the way of adverse effects. Now that security and privacy protection are doing so much with extended attributes, the unintended consequence is that many of the files which are copied into each Time Machine backup haven’t actually changed in substance, but a quarantine flag has been added, for instance.

It’s easy to demonstrate this in action if you’re making Time Machine backups. Simply create a sizeable PDF file which doesn’t have a quarantine flag attached to it, or strip the flag from a file which already has one. Leave the file alone for the next automatic backup. After that, open the document using Preview, which will in a fraction of a second automatically write a quarantine flag to it. Leave it for the next automatic backup, and that backup will contain a second copy of that PDF which only differs in that quarantine flag, maybe as little as 31 bytes in all. Imagine this happening to many 10 GB movie clips and you see where this is heading.
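The effect described above can be put in numbers with a small model. This is an added example, not code from Howard Oakley or Apple; it assumes, as the article describes, that a file is recopied in full whenever its data or its extended attributes differ from the previous backup. The manifests, digests and quarantine value are constructed.

```python
from dataclasses import dataclass, field

QUARANTINE = "com.apple.quarantine"
# Constructed stand-in for a quarantine value; real values differ per file.
Q_VALUE = b"0082;5e7d1c00;Preview;"


@dataclass(frozen=True)
class FileState:
    size: int                                   # bytes of file data
    digest: str                                 # hash of the data (placeholder strings here)
    xattrs: dict = field(default_factory=dict)  # attribute name -> raw bytes


def classify(old, new):
    """Why would a file-level backup copy this file again?"""
    if old is None:
        return "new"
    if (old.size, old.digest) != (new.size, new.digest):
        return "content"
    if old.xattrs != new.xattrs:        # added, altered or stripped attribute
        return "xattr-only"
    return "unchanged"


def changed_xattr_bytes(old, new):
    """Bytes of attribute data added or altered between two states."""
    return sum(len(v) for k, v in new.xattrs.items() if old.xattrs.get(k) != v)


def backup_report(previous, current):
    """Model assumption: any difference causes a full copy of the file."""
    report = {"copied": 0, "copied_for_xattr_only": 0,
              "xattr_bytes_changed": 0, "xattr_only_paths": []}
    for path in sorted(current):
        old, new = previous.get(path), current[path]
        kind = classify(old, new)
        if kind == "unchanged":
            continue                    # nothing new to store for this file
        report["copied"] += new.size
        if kind == "xattr-only":
            report["copied_for_xattr_only"] += new.size
            report["xattr_bytes_changed"] += changed_xattr_bytes(old, new)
            report["xattr_only_paths"].append(path)
    return report


# Constructed manifests of two consecutive backups.
PREVIOUS = {
    "Documents/report.pdf": FileState(48_000_000, "aa11"),
    "Movies/clip.mov": FileState(10_000_000_000, "bb22"),
    "notes.txt": FileState(2_000, "cc33"),
}
CURRENT = {
    # Opened in a viewer between backups: data identical, quarantine flag added.
    "Documents/report.pdf": FileState(48_000_000, "aa11", {QUARANTINE: Q_VALUE}),
    "Movies/clip.mov": FileState(10_000_000_000, "bb22", {QUARANTINE: Q_VALUE}),
    "notes.txt": FileState(2_100, "dd44"),      # genuinely edited
    "new.txt": FileState(500, "ee55"),          # genuinely new
}
REPORT = backup_report(PREVIOUS, CURRENT)

if __name__ == "__main__":
    wasted = REPORT["copied_for_xattr_only"]
    print(f"copied {REPORT['copied']:,} bytes in total")
    print(f"{wasted:,} of those bytes were recopied for "
          f"{REPORT['xattr_bytes_changed']} bytes of changed attributes")
    for path in REPORT["xattr_only_paths"]:
        print("  metadata-only change:", path)
```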


“Cursor,” “Pointer,” and “Insertion Point”

John Gruber:

For clarity, it’s best not to refer to either of these things as cursors. Instead:

  • Mouse/trackpad pointer.
  • Insertion point.

This terminology has been slightly confusing over the last week, since Apple’s surprise announcement of pointer support in iPadOS 13.4. In their marketing materials, Apple is calling pointers “cursors”.


In its technical documentation, Apple is clear.

The new API calls it a “pointer,” but Carbon and Cocoa have historically used “cursor.” Of course, “pointer” also has another meaning in code.

Dr. Drang:

For 35 years, Apple’s been telling me this thing should be called a pointer, and I’ve been following along, mainly because I thought the distinction between a pointer and a cursor was useful.


Friday, March 27, 2020

Old macOS Desktop Pictures, Upscaled

Stephen Hackett (via John Gruber):

Every major version of Mac OS X macOS has come with a new default wallpaper. As you can see, I have collected them all here.

While great in their day, the early wallpapers are now quite small in the world of 5K displays.

Major props to the world-class designer who does all the art of Relay FM, the mysterious @forgottentowel, for upscaling some of these for modern screens.

See also: Joe Groff.


Chris Lattner on Swift, TensorFlow, MLIR, and SiFive

Accidental Tech Podcast (tweet) has a very interesting interview with Chris Lattner, covering a wide range of programming language and compiler topics, as well as the future of WWDC.


Amazon Sellers “Hijack” Listings to Sell Face Masks

Louise Matsakis (via Hacker News):

The 148th most popular book on Amazon Wednesday wasn’t actually a book at all: It was a package of 50 disposable face masks—the kind that shoppers have scrambled to buy amid the coronavirus pandemic. Surging demand for masks, as well as supplies like hand sanitizer and disinfectant wipes, has emptied store shelves, and in some cases led to skyrocketing prices on Amazon.


“Face masks and hand sanitizers are the number one and number two most searched terms on Amazon. That's attracting many sellers who are pulling every trick they can think of to get into search results,” says Juozas Kaziukėnas, founder of the ecommerce data firm Marketplace Pulse, who first alerted WIRED to the face mask listings.


By the end of February, Amazon announced it had removed 1 million products that were falsely advertised to defend against or cure Covid-19, as well as tens of thousands of items listed for inflated prices.


Thursday, March 26, 2020

Safari 13.1: Third-Party Cookie Blocking and 7-Day Script-Writeable Storage

John Wilander (tweet):

Cookies for cross-site resources are now blocked by default across the board. This is a significant improvement for privacy since it removes any sense of exceptions or “a little bit of cross-site tracking is allowed.”


Safari continues to pave the way for privacy on the web, this time as the first mainstream browser to fully block third-party cookies by default.


Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site.


That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.
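A small model of the counting rule quoted above, added here as an illustration and not WebKit's code: only days on which the browser is used advance a site's counter, and user interaction with the site resets it. The site names and usage log are constructed, and treating the seventh counted day as the day of deletion is an assumption of this example.

```python
from datetime import date

ITP_LIMIT_DAYS = 7   # "seven days of Safari use without user interaction"


def purge_dates(usage_log, sites, limit=ITP_LIMIT_DAYS):
    """Return {site: date of first storage deletion, or None}.

    usage_log: iterable of (iso_date, site_or_None). Every entry means the
    browser was used that day; a site name means the user interacted with it.
    Days absent from the log are days without browser use and do not count.
    """
    interactions_by_day = {}
    for iso_day, site in usage_log:
        seen = interactions_by_day.setdefault(date.fromisoformat(iso_day), set())
        if site is not None:
            seen.add(site)

    counters = {site: 0 for site in sites}
    purged = {site: None for site in sites}
    for day in sorted(interactions_by_day):
        for site in sites:
            if purged[site] is not None:
                continue                      # only the first deletion is reported
            if site in interactions_by_day[day]:
                counters[site] = 0            # interaction resets the timer
                continue
            counters[site] += 1               # a day of use without interaction
            if counters[site] >= limit:
                purged[site] = day
    return purged


# Constructed scenario: three sites that keep data in script-writable storage.
SITES = ["vault.example", "list.example", "news.example"]
USAGE_LOG = [
    ("2020-04-01", "vault.example"), ("2020-04-01", "list.example"),
    ("2020-04-01", "news.example"),
    ("2020-04-02", "news.example"), ("2020-04-03", "news.example"),
    ("2020-04-04", "news.example"), ("2020-04-05", "news.example"),
    # 2020-04-06 .. 2020-04-19: browser not opened, so no counter advances
    ("2020-04-20", "news.example"), ("2020-04-21", "news.example"),
    ("2020-04-22", "news.example"), ("2020-04-22", "list.example"),
    ("2020-04-23", "news.example"), ("2020-04-24", None),
]
RESULT = purge_dates(USAGE_LOG, SITES)

# A web app added to the home screen has its own counter, and every day it is
# used is a day of interaction with it, so its counter never advances.
HOME_SCREEN_RESULT = purge_dates(
    [("2020-04-01", "list.example"), ("2020-04-30", "list.example")],
    ["list.example"],
)

if __name__ == "__main__":
    for site, when in RESULT.items():
        print(f"{site:15} {'kept' if when is None else 'deleted on ' + when.isoformat()}")
```

In this log vault.example loses its storage on the seventh day of browser use after the last interaction, three calendar weeks later, which is the situation a locally stored secret such as the 1Password Secret Key discussed below would be in.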

The existing cookie restrictions have been really frustrating. There are many sites that I visit monthly, and so I need to enter my username and password every single time. I don’t understand why cookies, of all things, don’t have site-specific settings in Safari. I don’t like cookies in general, but there are some sites that I want to trust. Sometimes I wonder whether I should write a script to auto-open them weekly to keep the cookies warm.

Ole Begemann:

I love the WebKit/Safari teams’ continuing work on limiting third-party cookies and other forms of tracking. I hope they tackle first-party tracking next.

Of the hundreds of websites I visit, I really only want to allow a handful to set cookies, and then perhaps only for a short time.

Safari now has 11 categories of site-specific configuration. It’s strange that cookies/local storage is not one of them.

Aral Balkan:

On the face of it, WebKit’s announcement yesterday titled Full Third-Party Cookie Blocking and More sounds like something I would wholeheartedly welcome. Unfortunately, I can’t because the “and more” bit effectively kills off Offline Web Apps and, with it, the chance to have privacy-respecting apps like the prototype I was exploring earlier in the year based on DAT.


If I use the app in Safari on iOS without adding it to Home Screen and leave it for seven days, will my shopping list be deleted?

If I do the same thing on Safari for macOS (which doesn’t have a Home Screen), will my shopping list be deleted?

Andre Garzia (via Hacker News):

There is a huge opportunity for the creation of private client-side-only PWAs in the world but developers wanting to build such apps are in for an uphill battle against the status quo and now against Apple as well.


I want to remind everyone that installing to the home screen is not what makes a PWA, it is an optional step. A PWA is still a PWA if the user accesses it only occasionally by typing the URL on the browser or keeping a bookmark. I access many PWAs on my phone but they are not in my home screen because I like to keep it clean. My browser “new tab” lists them for me, they are still as much a PWA as the ones in your home screen.

Saying that you should build a native app is not an answer. Native apps need to go through gatekeepers, the web does not. The web is the only mass communication media where we all have publishing access (to some degree at least), native iOS apps are not like this. There is a reason Mozilla can’t ship Firefox with Gecko on iOS and the reason is not because they don’t know how to do it. Apple is doing this in the name of privacy but what it actually does is force developers closer to their app store.

Jasper Patterson:

At 1Password we are concerned about the sudden announcement that LocalStorage will expire after 7 days, and want to provide our use case of browser storage and how this will cause harm to our users (including irreversible data loss to some).

We have a full featured web app at that allows users to signup for an account, access their vaults, and perform admin functions for their business.


The Secret Key is a randomly generated string generated locally during signup and stored on devices users have previously used. This key is required for users to decrypt their vaults. Given that most signups occur in a web browser, that is the first place we store this critical piece of data. While we do try to encourage users to install our native applications, for some (unknown) number of users out there LocalStorage in their browser will be the only place they have this key saved, and in 7 days may now become irreversibly locked out of their 1Password vaults.


Half of me knows I’ll rarely use and never prefer a PWA on iOS over a native app, so I know that none of this really matters nor will affect me.

The other half of me wants everyone to adhere to the platonic ideal of the web and thinks Apple should stop doing this shit.


When you set up the 1Password apps, your Secret Key will be saved in the apps. So if it gets removed from Safari, you’ll still be able to access your account. It’s an important first step, but there’s more you can do to protect your account.

I’ve seen a new bug since updating to Safari 13.1: specifying Finder tags when using File ‣ Save As in Web Archive format doesn’t actually add the tags to the file.

Retina MacBook Air Staingate

Joe Rossignol (tweet):

Apple this week acknowledged that MacBook Air models with Retina displays can exhibit anti-reflective coating issues, as indicated in a memo shared with Apple Authorized Service Providers and obtained by MacRumors.


Apple’s internal service documentation for this issue previously only mentioned MacBook Pro and discontinued 12-inch MacBook models with Retina displays, but the MacBook Air is now mentioned in at least two places. Apple added a Retina display to the MacBook Air in October 2018 and all models of the notebook have featured one since.

This has been going on for even longer than the butterfly keyboards. So far the repair program is only for MacBook Pros.

Marcin Krzyzanowski:

Apple Care just

1. Rejected my claim for broken screen #staingage
2. Rejected my claim for broken keyboard (clean with air instead)
4. Rejected my battery claim


this is via Reseller (of course). When I was at Apple Store, they were ready to replace the screen, I just couldn’t wait a few days.

this is ridiculous. They advise me to go to the Apple Store instead. The nearest Apple Store is 580km away.


Update (2020-03-27): John Gruber:

I don’t understand how this is still an issue. My beloved 2014 13-inch MacBook Pro is afflicted with this, and I never bothered getting it repaired. Whatever causes this, you’d think Apple would’ve identified the problem after a few years.

Zoom Attention Tracking and Facebook

Wolfgang (Hacker News):

ZOOM monitors the activity on your computer and collects data on the programs running and captures which window you have focus on.

If you manage the calls, you can monitor what programs users on the call are running as well.

EFF (Hacker News):

The host of a Zoom call has the capacity to monitor the activities of attendees while screen-sharing. This functionality is available in Zoom version 4.0 and higher. If attendees of a meeting do not have the Zoom video window in focus during a call where the host is screen-sharing, after 30 seconds the host can see indicators next to each participant’s name indicating that the Zoom window is not active.


Zoom allows administrators to see detailed views on how, when, and where users are using Zoom, with detailed dashboards in real-time of user activity. Zoom also provides a ranking system of users based on total number of meeting minutes. If a user records any calls via Zoom, administrators can access the contents of that recorded call, including video, audio, transcript, and chat files, as well as access to sharing, analytics, and cloud management privileges.

See also: Nick Heer.


When someone sends you a zoom invite, cancel the download, then click the having problems link to download again. Cancel it again. It will show you a link to join by browser.

Joseph Cox (tweet, Hacker News):

What the company and its privacy policy don’t make clear is that the iOS version of the Zoom app is sending some analytics data to Facebook, even if Zoom users don’t have a Facebook account, according to a Motherboard analysis of the app.

This sort of data transfer is not uncommon, especially for Facebook; plenty of apps use Facebook’s software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook. But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether.


Wednesday, March 25, 2020

Little Snitch and the Deprecation of Kernel Extensions

Rich Trouton:

As part of macOS Catalina 10.15.4, Apple has begun displaying a new dialog window message concerning third-party kernel extensions.


To further reinforce the message that kernel extensions are going away, Apple refers to them in the message window as “legacy system extensions”.


For a number of managed environments, these messages can be prevented from appearing. As long as a third-party kernel extension is whitelisted using an appropriate configuration profile, the message for it should not appear.

Norbert Heger (Hacker News):

We expect the deprecation to become effective with the next major release of macOS. There’s no official release date from Apple, but based on the release schedule of recent years it will not be before this fall. Little Snitch 4 will then not be loaded by the operating system, but there will still be an option to allow the loading.


The replacement APIs that are currently available (NetworkExtension framework on macOS 10.15.4) are not yet completely sufficient to implement the full functionality of Little Snitch. But we are working closely with Apple to fill the remaining gaps and we expect that a beta of the next major macOS version (most likely available at the next WWDC) or even an upcoming version of 10.15 will provide what is missing. As soon as the APIs allow us, we will complete the transition of Little Snitch to the new NetworkExtension API. It’s our goal to provide a public beta in June 2020 and a stable version in October.


Update (2020-03-27): Greg Hurrell:

I sure hope this doesn’t end up breaking Karabiner-Elements. If I had to use a machine without it, it would seriously impact usability for me. When the day comes that Apple breaks kernel extensions once and for all, I’ll be holding off on OS updates for as long as I can.

Adam Engst:

Unfortunately, since the dialogs give only the developers’ names, not the names of their apps, it’s difficult to know who I might contact. A Google search revealed that Ludovic Leger is the dev lead on TripMode, a useful utility I recommend for managing bandwidth use while away from high-speed networks; see “TripMode Prevents Unwanted Internet Data Usage on a Tethered Mac” (22 July 2015). I’m still not sure who Steven Yan is, or what app of his I might be using. That’s not a problem now, but it might be in a few months once the beta of whatever macOS version follows Catalina comes out.

Xcode 11.4 and Swift 5.2

Xcode 11.4 is now available for download (release notes). Alas, it requires Catalina.

Ted Kremenek:

Swift 5.2 is now officially released! 🎉


We have drastically improved the quality and precision of error messages in the Swift compiler.


The compiler leaves “breadcrumbs” when it encounters failures while inferring types in an expression, recording every specific failure along the way. These breadcrumbs allow the compiler to produce precise diagnostics, often with actionable fixes, that lead the developer toward correct code. Below are a few examples of improved error messages.


In Swift 5.2, the internal representation of declarations in the compiler is immutable, and the code generation phase of the compiler is able to trigger lazy evaluation of requests, the result of which are cached. Since requests are more fine-grained than the old validation step, this improves performance by avoiding wasted work. It also improves correctness, fixing a significant number of correctness issues where the type checker did not anticipate needing to validate something that was later required for code generation.

Code completion is also improved.

Esther Hare (Mac Rumors):

Universal purchase for Mac apps now available.


Update (2020-03-27): See also: SDK API Differences.

A Different Zoom in the Mac App Store

Jeff Johnson:

Remember when people bought the wrong Zoom stock because ZOOM is Zoom Technologies, whereas ZM is Zoom Video Communications? Well they’re at it again, this time on the Mac App Store instead of the stock market. “Zoom is an [sic] screen magnifier” […]


The fact that mistakenly purchased abandonware is among the top paid apps is an indictment of the Mac App Store. Why isn’t the “real” Zoom on the Mac App Store? I don’t have any insider information, but as a Mac developer I can make an educated guess: Mac App Store policies. Specifically, Mac App Store policies that restrict API usage, especially the sandboxing requirement.


Too Hard to Delay Daylight Saving Time

Times of Israel:

Israel could delay switching to daylight saving time to discourage public traffic in the streets in the evening hours and promote social distancing, as part of the fight against the coronavirus, Interior Minister Aryeh Deri said Sunday.

Currently, clocks are planned to spring forward later this week, on the night between March 26 and March 27.

Via Dave DeLong:

Oh, and we’ve got 5 days to change and distribute the timezone databases 😉

Hana Levi Julian:

The government decided this week against going ahead with the change from winter time to summer time, mainly because there were too many complications involved in dealing with the digital presets of the servers and other computers and equipment that were already set up for the change to a summer clock to take place overnight between this coming Thursday and Friday.

Tuesday, March 24, 2020

macOS 10.15.4

Apple (combo update):

macOS Catalina 10.15.4 introduces iCloud Drive folder sharing, Screen Time communication limits, Apple Music time-synced lyrics view, and more. The update also improves the stability, reliability, and security of your Mac.

There’s no mention of Mail fixes, and I already have multiple reports that the bug where messages disappear when dragged to another mailbox is still present. Another customer said that the update did fix the bug he was seeing where rules copied messages instead of moving them.


Update (2020-03-27): See also: Howard Oakley, MacRumors.

Joachim Fornallaz:

A great update of macOS with changes to Photos improving library upgrades, exports, printing, and iCloud downloads.

Tanner Bennett:

macOS update notifications are so user-hostile nowadays. No way to dismiss without agreeing to another notification within the next 24 hours, and really no way to turn them off at all either.

I have update checking turned off but I got a notification just now.

Adam Engst (forum):

To share an iCloud Drive folder in 10.15.4, Control-click it in the Finder and choose Share > Add People. macOS’s odd modal dialog appears, letting you set who can access the folder (invitees or anyone with the link) and what permissions they have (view only or make changes). Select a sharing mechanism at the top and enter the name of the person with whom you want to share, click Share, and you’re done.

Gus Mueller (tweet):

This is a quick developer PSA. MacOS 10.15.4 was just released, and there was a minor change in the way NSAttributedString’s -initWithHTML:options:documentAttributes method works. Previously (10.15.3 and earlier) if you passed a HTML snippet using HelveticaNeue with a size of 20, the minimum line height for the attributed string was set to 25 (and if you passed 40 for the font size, you’d get 49). With 10.15.4 the minimum line height is now set to 0. I’m actually in favor of this change, but if you were expecting certain layouts to happen based on the previous defaults, things might look different for you.

Howard Oakley:

A few users are reporting that, following upgrading their Mac to Catalina 10.15.4, one or more of its USB-C/Thunderbolt 3 ports stops working.

Although uncommon, if your Mac suffers this the remedy is straightforward: reset its SMC.

Aerial Brings Apple TV Screen Savers to the Mac

Josh Centers:

One of the best features of the Apple TV is its Aerial screen saver. That’s not hyperbole—Apple always makes a big deal out of the new scenes it adds to tvOS, often promoting them as a marquee feature of major tvOS updates. If you have liked these screen savers on your TV, you can get them on your Mac, thanks to the free and open-source app Aerial.

I’m not really a screen saver person, but I really like this one.

It uses a ton of disk space—unless you turn off caching, in which case it uses a ton of bandwidth. Unfortunately, Catalina sandboxing issues mean that the cache folder has to be stored on the system drive, i.e. your SSD, rather than on a hard drive that may have more free space.


Update (2020-03-27): Tanner Bennett:

Yeah, Catalina really ruined a lot about what I loved about that screensaver. You used to be able to use the arrow keys to skip to a different one too.

Making Swift Properties Overridable Only in Debug Builds

John Sundell:

Occasionally, we might want to override certain properties in order to facilitate testing, to be able to work on a new feature, or to debug a problem.


Here’s a way to mitigate that problem, using Swift’s new property wrappers feature in combination with the DEBUG compiler flag. By creating a DebugOverridable property wrapper, we can enforce that the properties that we wish to override during testing and development are not actually overridden within any of our code that we’re shipping to production[…]

This is a neat trick, though unfortunately property wrappers don’t work with @NSManaged. What I have been doing is having my tests use underscored versions of the properties. These are declared in an extension, which is conditionally compiled only when the TEST flag is set.

I’d still like to see Swift’s access controls reworked to make testing easier. @testable import doesn’t really do the job because it only works for symbols that are already visible at the package level. So you can only use private for stuff that will never be used from tests.



Patrick Collison (Hacker News):

Dee Hock was given 90 days to launch the BankAmericard card (which became the Visa card), starting from scratch.


Walt Disney’s conception of “The Happiest Place on Earth” was brought to life in 366 days.


Brendan Eich implemented the first prototype for JavaScript in 10 days, in May 1995. It shipped in beta in September of that year.


Work on the Xerox Alto, the first GUI-oriented computer, started in November 1972 because of a bet: “Chuck said that a futuristic computer could be done ‘in three months’ and a Xerox exec bet him a case of wine that it couldn’t be done”.


Tony Fadell was hired to create the iPod in late January 2001 […] and shipped the first production iPod to customers in November 2001, around 290 days after getting started.


Linus Torvalds started working on Git on April 3 2005. It was self-hosting 4 days later. On April 20 2005, 17 days after work commenced, Linux 2.6.12-rc3 was publicly released with Git.

But modern physical infrastructure projects take longer.


Update (2020-03-27): Patrick Collison:

I asked Tony Fadell about the iPod timeline for my fast project page. Summary: 😯.

Amazon Prime Delivery Delays

Jason Del Rey:

During normal times, Amazon Prime deliveries typically arrive in one or two days in the US. Now, some Prime deliveries for in-stock items are showing five-day delivery promises on the lower end, but those waits are as long as a month on some items.

An Amazon spokesperson confirmed to Recode on Sunday evening that the new April 21 delivery dates are not the result of a technical bug or error; they accurately reflect Amazon’s current reality.

“To serve our customers in need while also helping to ensure the safety of our associates, we’ve changed our logistics, transportation, supply chain, purchasing, and third-party seller processes to prioritize stocking and delivering items that are a higher priority for our customers,” the spokesperson said in a statement. “This has resulted in some of our delivery promises being longer than usual.”

Update (2020-03-27): See also: Hacker News.

Brian Heater:

Amazon today confirmed that an employee in its Queens, N.Y. fulfillment center has tested positive for the novel coronavirus.


It may be the first of its kind in the facility, but it almost certainly won’t be the last. Even as companies encourage workers to stay home at the first sign of sickness for both their benefit and that of customers, many will no doubt come to work. And then there’s the matter of those who are largely asymptomatic.

Brian Fung and Sara Ashley O’Brien:

Amazon warehouses are facing a growing tide of coronavirus cases with at least 11 facilities hit so far, according to Amazon and local media reports.


Amazon has temporarily closed some sites, such as the Queens location, but has largely refrained from mass closures. The company told CNN that it is taking “extreme measures to ensure the safety of employees at our site[s].”


Amazon is witnessing spikes in demand that are comparable to the surge surrounding peak holiday periods such as Black Friday, Jay Carney, Amazon’s senior vice president of global corporate affairs, told CNN’s Poppy Harlow in an interview last week. In response, the company is ramping up hiring.

David Dayen (via Marina Epelman):

How has this filtered down to people like Tyler Hamilton, a worker at Amazon’s warehouse in Shakopee, Minnesota? He gets a couple more bucks an hour now, as Amazon raised its base pay to $17 to attract workers. And amid other complaints from Senators about hazard pay, on Sunday Amazon made overtime work double time instead of time and a half. “It helps, but to get the hazard pay you have to be there for 40 hours a week and the overtime,” said Hamilton, who has been organizing with The Awood Center, a community group that’s part of a larger grassroots coalition pressuring Amazon called Athena. “A lot of people are going to be there for longer. People will take as much OT as they can get, because we’re all poor.”

What Amazon gives with the overtime pay, then, comes at the expense of worker safety, which is nearly impossible to manage in the warehouse and delivery environments. The amount of people in warehouses and the workload makes physical distancing difficult. Amazon has put tape on the floor of Hamilton’s warehouse using a standard of maintaining a three-foot distance from co-workers, half of the recommended six-foot standard.

Josh Centers:

It’s safest and cheapest to wait at least 72 hours before handling or opening the package. While the virus dies off on cardboard in about 24 hours, it lives much longer on plastic. If the warehouse worker who packed the item or delivery person who dropped it off was infected, then there could be virus present not only on the cardboard or paper of the package, but on any plastic tape, labels, or inside the packaging.

If you choose to disinfect instead of waiting it out, use a cleaner from the EPA’s approved list.

You can use ultraviolet light to disinfect, but it’s complicated, expensive, and hard to recommend.

Josh Centers:

Today, the New York Times published an article attempting to refute mine (without mentioning my article, of course). Long story short, they’re telling people not to worry, which I think is highly irresponsible.

Monday, March 23, 2020

Chrome and Firefox Postpone Disabling TLS 1.0 and 1.1

Martin Brinkmann (via John Opdenakker, Hacker News):

Mozilla has re-enabled TLS 1.0 and 1.1 in the Firefox Stable and Beta browser; it is unclear when Mozilla did that but an update on the Firefox release notes page highlights why the protocols have been enabled again. Mozilla notes:

We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information.

According to the update posted on the release notes page, Mozilla made the decision because some government sites still rely on the old protocols.

And the change “will be remotely applied to Firefox 74, which has already been shipped.”

Google (via Bugzilla):

Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases.

See also: Deprecation of Legacy TLS 1.0 and 1.1 Versions (tweet, Hacker News).


Apple Mail’s Magic Mailboxes

Chris Hynes:

One of my proudest achievements on the team (and at Apple) was brainstorming with my team members and pushing an idea we internally called Magic Mailboxes and eventually became called Combined Mailboxes.


The 4 “combined mailboxes” (INBOX, Drafts, Sent, Trash) would get top billing, positioned at the top of the list, with unique and large icons to distinguish themselves


Clicking on any of the combined mailboxes would show the union of all the messages in all accounts

Flipping open a disclosure triangle on one of the combined mailboxes

Remember that drawer?


Update (2020-03-27): See also: Hacker News.

Friday, March 20, 2020

Verifying Photo Locations


Here’s an unexpected side effect of the pandemic - the water’s flowing through the canals of Venice is clear for the first time in forever. The fish are visible, the swans returned.

Eliot Higgins:

Because I’m a massive verification nerd who hates fun, here’s a little thread on geolocating these photos that people are claiming aren’t from Venice.


Now, let’s see if we can find another image, this one will be a little tougher as we’ve no bridge to help narrow down possible locations, so let’s see who can beat me to it.


So we’re looking for 3 buildings, painted orange, red, and pink in that order. Satellite imagery isn’t much use, but Google Earth has 3D buildings, that allows you to look at a larger area than Street View allows all at once.


A quick Google of “ponte dei ferali venezia” brings up plenty of images that seem similar, but how do I know this isn’t just another very similar bridge? Well, I need to find close up photographs of the brickwork and other features and match it perfectly with the original image.

See also: Bellingcat’s Online Investigation Toolkit.


Writing Command Line Interfaces for iOS Apps

Guilherme Rambo:

There are countless ways to go about creating a better environment for debugging and iteration while working in iOS apps, such as using launch arguments, environment variables, or having an internal settings or debug menu inside the app itself where you can tweak things. I believe every shipping app should include those, since they improve the development process significantly.

But even with all of those options available, I still think there’s room for one more: a command line interface. Yes, you read it correctly: I wrote a command line interface for my iOS app.


Thus, there needs to be a way to send data back and forth between a Mac and iOS devices (or the Simulator). There’s probably some way to do it using the wired lightning connection, we could also spin up a socket or HTTP server on the device, but I decided to use the MultipeerConnectivity framework.


What Does the “Move To” Command Do in iWork?

Howard Oakley:

First, it surprises you by not adopting the standard human interface. Instead of the normal Save File dialog, as used by countless apps for a great many years, it drops down a small sheet offering in a popup menu to move the document to where it already is. In the spirit of novelty, as if intended to exemplify bad interface design, that popup lists a strange assortment of locations, of which only a few seem remotely appropriate. If you want a properly-designed purposeful dialog, you have to click on Other… right at the bottom to see a familiar Save File dialog.


What arrives at the destination is disappointingly exactly what you’d get from a regular Finder move: all saved versions are stripped from it. So unless you like this idiosyncratic interface, there seems no advantage in using it over a standard Finder move, and if you want a copy instead, then you’ll want to use the Finder anyway, once again accepting that you’ll lose access to all versions in the process.


Thursday, March 19, 2020

Mac mini 2020

Tim Hardwick (Hacker News, Apple):

Apple today updated the Mac mini so that standard configurations now come with double the storage capacity.

The $799 configuration now comes with 256GB of PCIe-based SSD storage, while the $1,099 configuration features 512GB of storage as standard.

It’s great to see 256 GB SSDs move through the line—maybe iMac will finally get an SSD soon—but are there no new processors to use?


Update (2020-03-27): Brian Stucki:

Confirmed: the updated Mac mini will still identify as “Late 2018” in software, etc.

The Growth of Command Line Options

Dan Luu (tweet):

We can see that the number of command line options has dramatically increased over time; entries tend to get darker going to the right (more options) and there are no cases where entries get lighter (fewer options).


If structured data or objects were passed around, formatting could be left to a final formatting pass. But, with plain text, the formatting and the content are intermingled; because formatting can only be done by parsing the content out, it's common for commands to add formatting options for convenience.


Over time, more convenience options have been added. For example, to pick a command that originally has zero options, mv can move and create a backup (three options; two are different ways to specify a backup, one of which takes an argument and the other of which takes zero explicit arguments and reads an implicit argument from the VERSION_CONTROL environment variable; one option allows overriding the default backup suffix). mv now also has options to never overwrite and to only overwrite if the file is newer.

Wednesday, March 18, 2020

MacBook Air 2020

Joe Rossignol (Apple, Hacker News):

Apple today updated its MacBook Air lineup with faster processors and graphics, a scissor switch Magic Keyboard, a lower starting price of $999, and more.

The new MacBook Air features Intel's latest 10th-generation Core processors, including up to a 1.2GHz quad-core Core i7 with Turbo Boost speeds up to 3.8GHz, resulting in up to two times faster performance compared to the previous generation. And with Intel Iris Plus Graphics, the new MacBook Air delivers up to 80 percent faster graphics performance.

A 256 GB SSD for $999 is a big improvement.

In retrospect, I kind of wish I had waited for this instead of buying a 16-inch MacBook Pro. I love the speed and the larger display, but the oversized trackpad and the Touch Bar annoy me on a daily basis.


iPad Pro 2020 and Magic Keyboard With Trackpad

Mitchel Broussard (Apple, Hacker News):

Apple today introduced a new iPad Pro with a faster A12Z Bionic chip, a new Magic Keyboard accessory with a built-in trackpad, an Ultra Wide camera, a LiDAR Scanner, and more. In Apple’s description of the new tablet, it calls it “faster and more powerful than most Windows PC laptops.”


The new LiDAR Scanner measures the distance to surrounding objects up to 5 meters away, and enables advanced experiences with augmented reality on the iPad Pro. Apple said this means that ARKit apps on the new iPad Pro will get improved motion capture and people occlusion, leading to AR experiences “never before possible.”

Lastly, Apple is adding trackpad support to iPadOS 13.4 and the new Magic Keyboard. This new accessory attaches magnetically to iPad Pro and includes a floating design that works well on both a lap or a desk. The Magic Keyboard features cantilevered hinges for smooth adjustments of the viewing angle up to 130 degrees, including a full-size keyboard with backlit keys and a scissor mechanism that delivers 1mm travel.

The cursor and trackpad support look great, though I’m not tempted at all to use this instead of a Mac.

The keyboard for the iPad Pro costs more ($349) than the regular iPad itself ($329), but there are also Logitech ones.

See also Federico Viticci (tweet), Ben Lovejoy, Craig Federighi’s demo.


Tuesday, March 17, 2020

Understanding Combine

Joseph Heck:

For anyone keeping up with #combine, @mattneub has published Understanding Combine online, first glance looks like a great tutorial with a lot of depth[…]


Rewriting Dropbox’s Sync Engine in Rust

Sujay Jayakar:

Rewriting the sync engine was really hard, and we don’t want to blindly celebrate it, because in many environments it would have been a terrible idea. It turned out that this was an excellent idea for Dropbox but only because we were very thoughtful about how we went about this process. In particular, we’re going to share reflections on how to think about a major software rewrite and highlight the key initiatives that made this project a success, like having a very clean data model.


There were few consistency guarantees, and we’d spend hours debugging issues where something theoretically possible but “extremely unlikely” would show up in production. Changing the foundational nouns of a system is often impossible to do in small pieces, and we quickly ran out of effective incremental improvements.


Rust has been a force multiplier for our team, and betting on Rust was one of the best decisions we made. More than performance, its ergonomics and focus on correctness have helped us tame sync’s complexity. We can encode complex invariants about our system in the type system and have the compiler check them for us.


The Control thread is designed to be entirely deterministic when its inputs and scheduling decisions are fixed. We use this property to fuzz it with pseudorandom simulation testing.


We redesigned the client-server protocol to have strong consistency. The protocol guarantees the server and client have the same view of the remote filesystem before considering a mutation. Shared folders and files have globally unique identifiers, and clients never observe them in transiently duplicated or missing states. Finally, folders and files support O(1) atomic moves independent of their subtree size.


Update (2020-03-27): Sujay Jayakar:

  1. we write almost all of our logic on a single thread, using futures to multiplex concurrent operations on a single thread. then, we make sure all of the code on that thread is deterministic with fixed inputs. there’s lots of ways code can sneak in a dependency on a global random number generator or time.

  2. have traits for the interfaces between the control thread and other threads. we also mock out external time behind a trait too.

  3. then, wrap each real component in a mock component that pauses all requests and puts them into a wait queue.

now, instead of just calling .wait on the control thread future, poll it until it blocks (i.e. returns Async::NotReady). this means that the control thread can’t make any progress until some future it’s depending on completes. then, we can look at the wait queues and pseudorandomly unpause some subset of them and then poll the control thread again. we repeat this process until the test completes.

all of these scheduling decisions are made pseudorandomly from a fixed RNG seed that’s determined at the beginning of the test run. we can also use this seed for injecting errors, generating initial conditions, and “agitating” the system by simulating other concurrent events. the best part is that once we find a failure, we’re guaranteed that we can reproduce it given its original seed.

in fact, we actually don’t even log in CI at all. we run millions of seeds every day and then if CI finds a failure, it just prints the seed and we then run it locally to debug.
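The seeded scheduling loop described in the update above, as an added Rust example that is not Dropbox’s code. It models the control thread as a plain state machine rather than a future, and `Rng`, `Control`, `simulate`, `first_failing_seed` and the planted ordering bug are all assumptions made for illustration.

```rust
// Added example, not Dropbox's code: every name here is hypothetical.

/// Small xorshift64* generator so every decision derives from one seed.
struct Rng(u64);

impl Rng {
    fn new(seed: u64) -> Self {
        // Mix the seed and force a non-zero state (xorshift sticks at 0).
        Rng(seed.wrapping_mul(0x9E37_79B9_7F4A_7C15) | 1)
    }
    fn next(&mut self) -> u64 {
        self.0 ^= self.0 >> 12;
        self.0 ^= self.0 << 25;
        self.0 ^= self.0 >> 27;
        self.0.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    fn below(&mut self, n: usize) -> usize {
        (self.next() % n as u64) as usize
    }
}

/// Toy control-side state: the latest file version it believes is committed.
struct Control {
    latest: u32,
}

impl Control {
    /// Called when a paused request for `version` is allowed to complete.
    fn on_complete(&mut self, version: u32, fixed: bool) {
        // Planted bug: trusts completion order. The fixed form keeps the max.
        self.latest = if fixed { self.latest.max(version) } else { version };
    }
}

/// One simulated run: returns the event trace and whether the invariant held.
fn simulate(seed: u64, fixed: bool) -> (Vec<String>, bool) {
    let mut rng = Rng::new(seed);
    let mut control = Control { latest: 0 };
    // Three concurrent writes, all paused in the mock component's wait queue.
    let mut wait_queue: Vec<u32> = vec![1, 2, 3];
    let mut trace = Vec::new();
    while !wait_queue.is_empty() {
        // Control is blocked, so the scheduler unpauses one request by seed.
        let v = wait_queue.swap_remove(rng.below(wait_queue.len()));
        if rng.below(4) == 0 {
            // Injected error: control retries, so the request is paused again.
            trace.push(format!("fail {v}"));
            wait_queue.push(v);
        } else {
            trace.push(format!("ok {v}"));
            control.on_complete(v, fixed);
        }
    }
    (trace, control.latest == 3)
}

/// What CI would print: the first seed whose run violates the invariant.
fn first_failing_seed(limit: u64, fixed: bool) -> Option<u64> {
    (0..limit).find(|&s| !simulate(s, fixed).1)
}

fn main() {
    if let Some(seed) = first_failing_seed(1000, false) {
        println!("failing seed {seed}: {:?}", simulate(seed, false).0);
    }
}
```

Because the trace depends only on the seed, a failing run needs no logs: re-running `simulate` with the printed seed replays the same interleaving and injected errors.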

iOS Apps Snooping on Pasteboard Data

Talal Haj Bakry and Tommy Mysk (via MacRumors):

This article provides an investigation of some popular apps that frequently access the pasteboard without user consent. These apps range from popular games and social networking apps, to news apps of major news organizations. We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.


The method is simple: Once we connect and pair the devices with Xcode, we can read the system log of the device. Fortunately, all pasteboard events are clearly logged.


We include any app that requests and reads the content of the system-wide pasteboard every time it’s opened, and consider it to be highly suspicious. There are games and apps that do not provide any UI that deals with text, yet they read the text content of the pasteboard every time they’re opened.

Nick Heer:

Most apps do not breach user trust in this manner, so it is surprising to see the breadth of very popular apps that are doing so in this case — many of which have no practical reason for reading pasteboard data in the first place. It’s the kind of thing that makes me wonder if they are all, perhaps, using a shared development framework or analytics bundle.

One way to resolve this may be to require consent from the user before the app can access the pasteboard. That consent can be provided in the form of the user tapping the paste button, upon which point the app is authorized.

Just because I once pasted something into an app doesn’t mean I want it to have ongoing access to read the pasteboard. Yet I don’t want to be prompted for each and every access, either. This seems like another case where it would be helpful for the system to maintain an audit log of what each app was doing.


Microsoft Plots the End of Visual Basic

.NET Team:

We are supporting these application types to provide a good path forward for the existing VB customers who want to migrate their applications to .NET Core. This allows Visual Basic customers to take advantage of new platform features like side-by-side deployment, cross platform support, performance and new API improvements.

One of the major benefits of using Visual Basic is that the language has been stable for a very long time. The significant number of programmers using Visual Basic demonstrates that its stability and descriptive style is valued. Going forward, we do not plan to evolve Visual Basic as a language. This supports language stability and maintains compatibility between the .NET Core and .NET Framework versions of Visual Basic. Future features of .NET Core that require language changes may not be supported in Visual Basic. Due to differences in the platform, there will be some differences between Visual Basic on .NET Framework and .NET Core.

Paul Thurrott (via Hacker News):

When Microsoft released the .NET version of Visual Basic, originally called Visual Basic .NET, alongside C# at the beginning of the .NET era, the two languages were evolved together and had roughly identical feature sets. But this changed over time, with professional developers adopting C# and many fans of classic VB simply giving up on the more complex but powerful .NET versions of the environment. Today, virtually all of Microsoft’s relevant developer documentation is in C# only, with VB source code examples ever harder to find.


What this means to VB developers is that they might be able to bring their existing codebases forward to .NET Core or, soon, to .NET 5.0, which will replace both the traditional .NET and the open-source and cross-platform .NET Core when it’s released in late 2020. The issue is that not all legacy technologies will be supported going forward, so developers using WebForms, Workflow, or Windows Communication Foundation (WCF) will need to stick with classic .NET. Those applications will continue to work and be supported until the underlying Windows versions are retired; classic .NET support life cycles are tied to the Windows versions on which they were initially deployed.


Monday, March 16, 2020

Microsoft Acquires npm

Nat Friedman (Hacker News):

I’m excited to announce that GitHub has signed an agreement to acquire npm.


For the millions of developers who use the public npm registry every day, npm will always be available and always be free.


The JavaScript ecosystem is massive and growing quickly. It needs a rock-solid registry. We will make the investments necessary to ensure that npm is fast, reliable, and scalable.


Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it.

Working From Home Temporarily

Glenn Fleishman:

Suddenly asked or told to work from home—and never done so regularly before? I wrote a 55-book last week, Take Control of Working from Home Temporarily. It’s free and now available. Packed with tips on setting up a space, setting boundaries, & much more[…]

See also: Rui Carmo, David Sparks, Upgrade.


Update (2020-03-27): See also: John Gruber, Shawn Blanc, Justin Searls.

The Pace of macOS Updates

Jason Snell:

My friend and former Macworld colleague Rob Griffiths keeps a record of macOS releases, which is exactly the kind of thing I’d expect from the guy who created Mac OS X Hints. Prodded by Stephen Hackett, who is apparently now the official Six Colors Chart Muse, I’ve decided to use Rob’s data to take a look at how often Apple updates macOS.

In terms of total updates released during the lifespan of a major version, Mac OS X 10.4 Tiger and macOS 10.13 High Sierra share the crown with 12. However, High Sierra was only the “current” version of macOS for 385 days, while Tiger reigned for nearly three years. That means that Tiger actually was the version of macOS with the longest time between updates, at an average of one update for every 88 days of release.

I think the most important part for quality is not the number of updates but the time between major releases. Snow Leopard lasted almost 2 years.

Bill Gates Leaves Microsoft’s Board

Microsoft (via Hacker News):

Microsoft Corp. today announced that Co-Founder and Technology Advisor Bill Gates stepped down from the company’s Board of Directors to dedicate more time to his philanthropic priorities including global health, development, education, and his increasing engagement in tackling climate change. He will continue to serve as Technology Advisor to CEO Satya Nadella and other leaders in the company.

On June 27, 2008, Gates transitioned out of a day-to-day role in the company to spend more time on his work at the Bill & Melinda Gates Foundation. He served as Microsoft’s chairman of the board until February 4, 2014.


Friday, March 13, 2020

ViDL 1.0.2

Ole Zorn (tweet):

ViDL is a free Mac app that allows you to easily download videos from YouTube and hundreds of other websites for offline viewing.

It is based on the popular youtube-dl command line tool, but much easier to use, especially with videos/playlists that require a login (like your personal “Watch Later” list).

See also: Downie.


Update (2020-03-27): See also: Josh Centers, Softorino YouTube Converter 2.

TJ Luoma:

As promised, here’s a write-up on how I use iOS Shortcuts to save an URL to Dropbox and have Downie download a video.

Eight Major Releases Later, Sandbox File Limit Bug Remains

Gus Mueller:

The other question I always ask [at WWDC labs]: Is the kernel resource leak for bookmarks in sandboxed applications finally fixed? I’d sure like to put Retrobatch in the app store this year, but this bug means it can only process so many images before it fails and requires a reboot…

Erik Schwiebert:

I was talking to an Apple engineer recently about this problem as it affects Office, Gus. He mentioned you and Retrobatch specifically as a known case that they have yet to address. He said he would prod engineering to look at it.

Daniel Jalkut:

This is a vexing bug that has affected MarsEdit for years, as well.

Gus Mueller:

It’s also a different limit for every Mac configuration, as explained to me by Apple engineers.


Update (2020-03-27): Michael Buckley:

The App Store version of Transmit works around this by prompting users to grant access to their entire home folder. Users have to tap a button, then we open an NSOpenPanel with setCanChooseDirectories. Users then have to correctly open their home folders.

The kernel seems smart enough to track file permissions at the highest possible level. Try to open 1000 files in a folder, you get 1000 entries in kernel memory. Open the folder first, and you only get 1 entry.

Sparkle Project Needs Help

Kornel (via Vadim Shpakovski):

I don’t have enough energy to give this project attention it needs. I’m also mostly developing in Rust these days, so Sparkle doesn’t “scratch my itch” any more.

This project is quite important for security and health of non-walled-garden apps for macOS.

I need your help in getting Sparkle 2 out of the door.

Update (2020-03-27): Graham Miln:

I open sourced our updater. It takes a different approach to Sparkle – being based on packaged installs. Works well with sandboxing.

WWDC 2020 to Be Online-only

Apple (via Phil Schiller, Hacker News, MacRumors):

“We are delivering WWDC 2020 this June in an innovative way to millions of developers around the world, bringing the entire developer community together with a new experience,” said Phil Schiller, Apple’s senior vice president of Worldwide Marketing. “The current health situation has required that we create a new WWDC 2020 format that delivers a full program with an online keynote and sessions, offering a great learning experience for our entire developer community, all around the world. We will be sharing all of the details in the weeks ahead.”

Thursday, March 12, 2020

Is That Twitter Follower Fake?

NixIntel (via Dan Moren):

This Person Does Not Exist is a website that uses AI to generate random but realistic looking faces. It’s a great tool and has become a popular way of generating fake profiles for sock puppet accounts, but it is not without its limitations. There are a number of common flaws and features in TPDNE-generated images that mean it’s possible to spot them.


A common feature of TPDNE images is that the eyes and mouth of the person are always in exactly the same place in the picture. The eyes are always the same distance apart and centred in the same place. The mouth is always about one quarter of the way up from the bottom of the image and is also always centred. This occurs regardless of the angle of their head and can sometimes make for quite unusual looking faces.


TPDNE only creates a single image of a person, so if the person truly does not exist, we should never be able to find any image of them other than the fake one where they are staring directly at the camera.


TLS Increasingly Exists in Three Different Worlds

Chris Siebenmann:

The first world is web TLS, which is dominated by browsers. This is the familiar world of public HTTPS, with public Certificate Authorities, requirements for certificate transparency, and so on. The browsers increasingly are calling the shots here and they’re pushing for things like short certificate lifetimes, aggressively moving away from old TLS versions, and so on.


The second is non-web public TLS, where TLS is used for protocols like IMAP, SMTP (with STARTTLS), and so on. This world still uses public CAs, but it has a lot more old clients and servers and is a lot slower to deprecate old TLS and SSL versions, move to shorter certificate lifetimes, and so on.


The third world is internal TLS, where TLS is used inside an organization or a service to encrypt connections and often to authenticate them (and sometimes it’s used between organizations).