Archive for October 11, 2014

Saturday, October 11, 2014

Belkin Thunderbolt 2 Express Dock HD

Susie Ochs:

Connecting to your Mac’s Thunderbolt or Thunderbolt 2 port, it puts two Thunderbolt 2 ports in easy reach, as well as three USB 3.0 ports, one HDMI 1.4b, one Gigabit Ethernet, an audio output in the back for speakers, and a headphone jack in the front.

Why can’t someone make a dock with a lot more ports? If you connect the Belkin to a MacBook Air, a display, and a single drive dock, you’re already out of Thunderbolt ports. And three USB ports is barely any. I’m currently using a 9-port Anker USB 3.0 hub (Amazon) and a 7-port USB 2.0 hub. This sort of product would be a lot more interesting if it could cut down on the number of hubs, power adapters, and daisy-chained cables in my office. Otherwise, it is essentially $300 to add a single Thunderbolt port.

Update (2014-10-11): After chatting with Belkin’s support person (see comments below), I learned that there are in fact only two Thunderbolt ports total. So this product does not add any Thunderbolt ports; it only offers a passthrough.

What’s Really Happening With iOS 8 MAC Address Randomization

Nick Arnott:

Initially it looked as if MAC randomization didn’t work at all, which was confusing because Apple has made a point to publicize this feature.

After a lot of digging and a lot of late nights monitoring Wireshark captures, it looks like Apple has shipped this feature as advertised, but not quite as expected. In the WWDC session on user privacy, the slide said “The MAC address used for Wi-Fi scans may not always be the device’s real (universal) address”. They didn’t say it would never be a device’s real MAC, only that it may not always be.

[…]

Unfortunately, the requirement of the phone being asleep makes this feature nearly useless, albeit within the description of what Apple advertised at WWDC. In order to get random MACs to be used I had to turn off notifications for multiple apps, turn off push email, and stay up late at night when there was a greater chance of my phone getting to sleep, uninterrupted, for more than a minute or two. Even under these circumstances, I would only encounter one or two rounds of probe beacons (which seem to go out every couple of minutes) with a random MAC before seeing my phone blast a bunch of probes with my real MAC.

Previously: iOS 8 MAC Address Randomization.

Sunsetting

Geoffrey Goetz:

In November of 2010 .Mac HomePages gave way to MobileMe Web Galleries. Then in June of 2012, MobileMe Web Galleries ceased to exist as iCloud came online. Now the most recent successor, iPhoto Web journals, is being shut down, or at least that is how it appears. With each transition, users of the previous online journaling feature really had little to no options available when it came to migration to a new or replacement feature.

[…]

The problem this time around is that there was very little notice and there really is no recourse or action that can be taken to preserve your iPhoto projects. And unfortunately there is no easy fix for this. According to Apple’s own support page concerning the migration, “Photo Books, Web Journals, and Slideshows are converted into regular albums in Photos. Text and layouts are not preserved.” And that’s it, no more iCloud scrapbooking per Apple.

John Gordon:

I expect Apple to screw up anything related to long term data management, but this is extreme even by their standards. GigaOm, in language restrained by fear of Apple, tells us of another Apple datacide and botched product transition.

[…]

Apple is a bit of a serial data killer -- usually with no public response. I still miss the comments I'd attached to iPhoto albums that were lost in the transition to Aperture.

David Sobatta:

Part of the problem is that Apple introduces software and kills it off. The list goes back many years and includes software from Apple's application company Claris. Claris emailer was a good program as was Claris Works. Aperture was well thought of by some users and I was a fan of iDVD. All those programs are gone.

Then there is the iWork series that languished until recently when Apple brought out Pages 5 which creates all sorts of formatting problems when moving back and forth between it and Pages 09. People would not have to move back and forth if Apple had maintained feature parity with the old version.

Word might be bloated and not much fun to use, but it does a much better job moving between platforms and versions. Apple just does not seem to care.

Brent Simmons:

The beauty of indie software is that many apps don’t make financial sense for a larger company, but they make great sense for a small shop. So you can have sustainable apps such as Capo, Acorn, and MarsEdit that you wouldn’t get without indies. And you can also be sure those apps won’t get shut down on some manager’s whim.

[…]

But relying on any software or service, from anybody, is a risk. Always.

Update (2014-10-14): Nick Heer:

Apple is also dropping support for their printed products with Photos for OS X. My dad is a goldsmith, and he uses iPhoto photo books for his portfolio — they’re well-printed, nicely-bound hardcover books that he can lay out himself and order on demand for a reasonable price. I told him that these products would no longer be available; he’s gutted.

Adobe Spying on Users, Collecting Data on Their Libraries

Nate Hoffelder:

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

[…]

The first file proves that Adobe is tracking users in the app, while the second one shows that Adobe is indexing my ebook collection.

The above two files were generated using data collected by an app called Wireshark. This nifty little app can be used to log all of the information that is sent or received by your computer over a network.

Apple’s Software Quality Decline

Russell Ivanovic:

I just wish that Apple would slow down their breakneck pace and spend the time required to build stable software that their hardware so desperately needs. The yearly release cycles of OS X, iOS, iPhone & iPad are resulting in too many things seeing the light of day that aren’t finished yet. Perhaps the world wouldn’t let them, perhaps the expectations are now too high, but I’d kill for Snow iOS 8 and Snow Yosemite next year. I’m fairly confident I’m not alone in that feeling.

John Gruber:

From the outside, it seems like Apple’s software teams can’t keep up with the pace of the hardware teams. Major new versions of iOS aren’t released “when they’re ready”, they’re released when the new iPhone hardware ships. […] Just today: My iPhone 6 rebooted after I changed the home screen wallpaper. Tapped a new image in the wallpaper settings, and poof, it rebooted. Worse, it never stopped rebooting. Endless reboot cycle.

Tim Schmitz:

One thing that’s striking is how many of Apple’s troubles are self-inflicted. Gone are the days when Apple planned product announcements around conferences like Macworld Expo. That the company controls its whole ecosystem, from hardware to software to services, is supposed to be a strength. Controlling everything should mean that you can get all your ducks in a row before pulling back the curtain. The only thing that Apple is truly constrained by are its own self-imposed deadlines. The problem is, Apple keeps shooting itself in the foot. Rather than waiting until a new version of iOS is fully finished, for example, they rush an update out the door to coincide with the release of new iPhones.

Kirk McElhearn:

I recently wrote about Apple’s string of bad luck, with bad press, a bad keynote stream, the U2 album spamming fiasco, and, above all, the iOS 8.0.1 update that bricked a lot of users’ iPhones. If I were to go back in the archives of this website, I’d find other, similar articles about blunders when a new OS was released requiring an update quickly for some embarrassing problems, or when hardware issues that shouldn’t have happened plagued many users. […] I’ve increasingly had the feeling that Apple is finding it difficult to keep up with all these releases, and that quality is slipping.

Matthias Plappert:

Apple: “We cannot keep up with developing stable software for OS X and iOS, so let’s have a new programming language and create a watch OS.”

Caitlin McGarry:

Apple’s having a tough time. Its annual one-two punch of an iPhone launch plus an iOS upgrade—usually a time for celebration—has been followed this year by a compounding series of embarrassments.

Daniel Jalkut:

The biggest/richest company in the world, already staffed with many of the smartest and most creative people, shouldn’t get so many passes.

Tim Burks:

The Swift language project has been a major distraction for the development community and much more importantly for Apple’s internal focus on providing quality developer tools.

Justin Duke:

The review process and walled garden model, which was specifically designed to prevent bad customer experiences like upgrading to an app that breaks immediately, failed to keep out apps that literally cannot make it past the launch screen.

Fraser Speirs:

The iOS 7 and now iOS 8 rollouts have simply not been up to the quality of earlier releases. […] We have seen issues with crashing, devices rebooting, rotation glitches, keyboards playing up, touch screens not responding. Indeed I’m typing this while babysitting the full restore of an iPad that one pupil “broke” - through no fault of their own - while updating to iOS 8.

Gus Mueller:

There’s been a bit more grumbling than usual about the quality of Apple’s software recently. And I can’t help but feel like things have changed for the worse. Random crashes, system instability, background processes crashing and having to reboot to fix things. I’m sure I’ve said it before, but I really think Apple is trying to move too fast.

Mark Crump:

In hindsight, the trouble began in 2012. That’s when Apple moved OS X to the same yearly release cycle as iOS. Since OS X has always been the Peter that Apple robbed to pay Paul (the iOS release cycle), I was concerned Apple would be writing checks it couldn’t cash. […] All of these show systemic failure in Apple’s beta testing. It’s inexcusable for a major new feature like HealthKit to be pulled right after launch due to missed bugs. It’s even worse when an update makes your phone unable to make calls.

Clark Goble:

Apple’s been at a breakneck pace to compete with Google. However the time really has come to slow down a bit. The OS is mature. Yet the apis have been changing so fast it’s hard to keep up with what one is supposed to do.

Brent Simmons:

These days, programmers spend hours and days and weeks working very hard, and usually unsatisfactorily, on getting around bugs in their platform.

Michael Yacavone:

The hard edge of the watch image is an homage to the state of modern software development tools, exemplified by the typical developer experience of everything working fine, and then one day looking up to find a new language, 1,500 new APIs, yet another beta version of the IDE, your old code not working properly in the new SDK, a supposed “GM” release that is more buggy than the last beta, an end-user release recalled in hours, an update for a shell exploit dormant since the ’90s, as well as a wide variety of application interaction WTF, all marching toward a ship schedule so disconnected from quality, stability, and reliability it’s like walking off a cliff.

Kristopher Johnson:

Apple’s operating systems, applications, services, and development tools are all pretty janky. I hope someone at Apple worries about that.

I didn’t think yearly OS releases would be good for quality, and I continue to believe that Apple is trying to move too fast.

Update (2014-10-11): John Gruber and Guy English discuss this issue on The Talk Show.

Update (2014-10-12): Collin Allen:

There are so many bugs in iOS 8. How did this ever get through testing? Frustrating.

Landon Fuller:

For Apple to fix quality, it seems like they’d have to step back from deeply embedded process/cultural changes that arose with iOS’ success.

There are lots of comments on Reddit.

Update (2014-10-14): There are more comments at MacRumors.

Update (2014-10-15): Rob Griffiths writes what he would like Tim Cook to say about all this.

Update (2014-10-16): TUAW (comments):

With engineers at Apple working at full throttle to keep new updates coming down the pipeline, some have started to wonder if Apple’s resources are being stretched too thin. Especially for a company like Apple which tends to have leaner teams, some have voiced the opinion that Apple needs to take its foot off of the gas just a bit to help ensure that future software releases have the level of polish longtime Mac and iOS users are accustomed to.

Update (2014-10-18): Brice Pollack (via Dave Verwer):

Unfortunately, despite the awareness of these daily challenges, it is unclear what is being done to improve upon them. This brings me to my next point. Although Apple has nearly limitless financial resources, I found the company to be incredibly reactive. Eagerly throwing resources into addressing the current biggest user facing issue rather than building the necessary tooling and testing needed to prevent those in the future.

[…]

When project managers start tracking bug numbers upon nearing release dates, tactics or tricks are often used to hide or kill bugs in order to meet milestones. One common tactic was to simply make further investigation so onerous on the person who filed it that they give up and kill the bug, marking it as “not enough information to resolve”.

Update (2014-10-19): Nick Heer:

Apple’s been busy this year. But, as Michael Tsai’s quote roundup reveals, it hasn’t been smooth sailing — the buggy yearly iOS and OS X releases, in particular, have revealed a very rushed schedule. […] That Apple is working on yet another OS — Watch OS — isn’t a free pass for their declining software quality, however. While they were never perfect, the company has long been revered for its consistently-high quality bar. Now? Certainly not as much.

Update (2014-11-22): Peter Cohen:

Yosemite and iOS 8 are fraught with enough difficulties for enough users that I feel like neither of them are fully baked.

Update (2014-12-27): Lloyd Chambers:

Apple Core Rot is accelerating. I deal with it every single day many times over. Stuff that worked for years breaks, while new visual crapware is piled on endlessly. Apple Mail deletes my VIP list every day, file open dialogs are sluggish in most programs, to 4-8 second delays in DreamWeaver and with display glitches. APIs are removed breaking apps some users depend upon. In 10.10.1, Apple broke display scaling APIs in 10.10.1 leading to all sorts of issues with Photoshop and dual and 4K displays, so much so that I cannot use a large 4K display as the main screen and still with problems as a 2nd.

Update (2014-12-29): Marco Arment:

I hope Apple realizes how deeply their reputation has been damaged, in an alarmingly short time, by their rapid decline in software quality.

I’m not excited about the Watch — I’m afraid of the toll it will take on Apple’s greatly strained engineering resources.

Chris Adamson:

What the hell has happened? Remember two years ago when there was such an uproar over Core Data in iCloud not working? It was a hot-button issue, but very limited in scope: Core Data was still a trusted tool when used locally, and even iCloud behaved for most developers using it for documents or simple plists. It was a problem that didn’t involve a lot of collateral damage.

By comparison, what we’ve seen in the last six months is pervasive, if not ubiquitous. It’s in the developer tools, it’s in the operating system, it’s in iLife and iWork. It’s like the floor has utterly dropped out from beneath all Apple software, across the board.

Update (2015-01-06): I’ve posted a new series of links at Apple’s Software Quality, Continued.

Update (2016-02-16): I’ve posted a new series of links at Mossberg Discovers the Functional High Ground. See also the Apple Software Quality tag.

An Aging Collection of Unix Tools

Rob Griffiths:

So while Apple has patched bash, this version of the shell is simply ancient. Just how old is it? bash 3.2.53(1) is roughly seven years behind the current version, 4.3.25. Seven years is like, well, forever, in Internet time!

With that bash age gap in mind, I took a look at a number of common Unix apps—in both Mavericks and Yosemite—to see which versions were in use. Then I checked the same apps in MacPorts, a tool that makes it simple to install many Unix apps.

[…]

The results were interesting, to say the least—many of the core Unix utilities in OS X are years and multiple versions behind their open source, er, sources. You can thank GPL v3 for that, as noted above (and covered in more detail below).

Move Fast and Break Nothing

Zach Holman:

What happens is this: a request will come in as usual and run the existing (old) code. At the same time (or just right after it executes), we’ll also run the new code that we think will be better/faster/harder/stronger (pick one). Once all that’s done, return whatever the existing (old) code returns. So, from the user’s perspective, nothing has changed. They don’t see the effects of the new code at all.

[…]

Science (and its sister library, github/dat-analysis) can generate a graph of the number of times the code was run (the top blue bar to the left) and compare it to the number of mismatches between the control and the candidate (in red, on the bottom). In this case you see a downward trend: the developer saw that their initial deploy might have missed a couple use cases, and over subsequent deploys and fixes the mismatches decreased to near-zero, meaning that the new code is matching production’s behavior in almost all cases.

[…]

All of this gives you evidence to prove the safety of your code before you deploy it to your entire userbase. Sometimes we’ll run these experiments for weeks or months as we whittle down all the — sometimes tricky — edge cases. All the while, we can deploy quickly and iteratively with a pace we’ve grown accustomed to, even on dicey code. It’s a really nice balance of speed and safety.

This is the sort of thing that’s easier to do with hosted software. But it can be applied to apps as well: for example, a debug version of SpamSieve that runs both the old and new e-mail parsers and logs any differences in output.
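The run-both-and-compare pattern described above, applied to the two-parser case, as an added example: it is written in Python for illustration and is neither GitHub's Science library (which is Ruby) nor SpamSieve code. `Experiment`, `parse_old`, `parse_new` and the sample messages are hypothetical.

```python
import logging
from dataclasses import dataclass, field
from typing import Any, Callable, List, Tuple

log = logging.getLogger("experiment")

@dataclass
class Experiment:
    name: str
    control: Callable[..., Any]      # existing code: its result is what callers get
    candidate: Callable[..., Any]    # new code: observed only, never returned
    runs: int = 0
    mismatches: List[Tuple] = field(default_factory=list)

    def run(self, *args):
        self.runs += 1
        expected = self.control(*args)       # control errors propagate as before
        try:
            observed = self.candidate(*args)
        except Exception as exc:             # a crashing candidate must not affect users
            observed = exc
        if isinstance(observed, Exception) or observed != expected:
            self.mismatches.append((args, expected, observed))
            log.warning("%s mismatch: control=%r candidate=%r",
                        self.name, expected, observed)
        return expected

def parse_old(raw):
    """Hypothetical old parser: silently skips lines without a colon."""
    headers = {}
    for line in raw.split("\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_new(raw):
    """Hypothetical new parser: unfolds continuation lines, rejects garbage."""
    headers, last = {}, None
    for line in raw.split("\n"):
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

# Constructed sample messages: plain, folded header, malformed line.
SAMPLES = [
    "From: a@example.com\nSubject: hello",
    "Subject: quarterly\n report\nFrom: b@example.com",
    "From: c@example.com\ngarbage line",
]

def run_samples():
    exp = Experiment("header-parser", parse_old, parse_new)
    results = [exp.run(msg) for msg in SAMPLES]
    return exp, results

if __name__ == "__main__":
    exp, _ = run_samples()
    print(f"{exp.runs} runs, {len(exp.mismatches)} mismatches")
```

The mismatch list is the evidence to review before switching over: here it shows the new parser disagreeing on folded headers and raising on a malformed line, while callers still received the old parser's output every time.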

Shellshock Security Bug in Bash

Huzaifa Sidhpurwala:

[…] the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the Bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

[…]

Bash has functions, though in a somewhat limited implementation, and it is possible to put these Bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable).

Troy Hunt:

Imagine an HTTP request like this:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

[…]

Put succinctly, Robert has just orchestrated a bunch of external machines to ping him simply by issuing a carefully crafted request over the web. What’s really worrying is that he has effectively caused these machines to issue an arbitrary command (albeit a rather benign ping) and that opens up a whole world of very serious possibilities.

[…]

The headlines state everything through 4.3 or in other words, about 25 years’ worth of Bash versions. Given everyone keeps comparing this to Heartbleed, consider that the impacted versions of OpenSSL spanned a mere two years which is a drop in the ocean compared to Shellshock.

Alastair Houghton:

Put another way, unless you have very old code running on your web servers, and unless you are doing something like running a public SSH server that allows restricted log-ins (e.g. to run Git or Subversion via SSH, but nothing else), the chances are that you aren’t vulnerable to remote exploits based on this. You should check, but you should not panic.

Future South Technologies (via Mike Rundle):

While watching their activities, I noticed something very odd. All of the hosts that appeared to be running their perl script were pretty high profile. Not just random web servers around the web, though they do have a separate channel for that. But this channel had a lot of domains sitting in it that would have most of your jaws dropped. The most prevalent of the two being lycos.com and – wait for it – yahoo.com.

Robert Graham:

The theory is the claim promoted by open-source advocates that “many eyes makes bugs shallow”, the theory that open-source will have fewer bugs (and fewer security problems) since anyone can look at the code.

What we’ve seen is that, in fact, very few people ever read code, even when it’s open-source.

Rich Mogull:

Not only is nearly every version of Unix vulnerable, including Linux and OS X, but most of the initial patches are not completely effective at blocking the hole. It’s a near-worst-case scenario where we have a piece of software on nearly every non-Windows server on the Internet — and plenty of personal computers thanks to Apple’s market growth — that is vulnerable to multiple kinds of remote attacks, all capable of completely taking over the system, with no way to stop it completely.

Apple’s OS X bash Update 1.0:

This update fixes a security flaw in the bash UNIX shell.
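For defenders reviewing web logs for the header pattern quoted above, the following added example (not from any of the quoted authors) flags logged Referer and User-Agent values that begin with a Bash function definition and reports any code trailing the function body. The log lines are constructed, use documentation-range addresses, and assume the common "combined" access log format.

```python
import re

# Apache/nginx "combined" format; quoted fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Vulnerable Bash treats an environment value as a function definition only
# when it begins with exactly these four characters. CGI copies request
# headers into HTTP_* environment variables, so the whole header value counts.
FUNC_PREFIX = "() {"

def trailing_code(value):
    """Return the text after the function body, '' if there is none, or
    None if the value is not a function definition at all.
    Brace matching ignores shell quoting (an approximation for triage)."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip("; \t")
    return ""  # unterminated body: nothing follows it

def scan_access_log(lines):
    """Yield one finding per logged header that starts with a function definition."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; handle separately
        for name in ("referer", "agent"):
            extra = trailing_code(m.group(name))
            if extra is not None:
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "field": name, "trailing": extra})
    return findings

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5)"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.0" '
    '200 312 "() { :; }; ping -c 3 192.0.2.99" "() { :; }; ping -c 3 192.0.2.99"',
    # "() {" in the middle of a value cannot become a function definition.
    '192.0.2.11 - - [25/Sep/2014:10:02:00 +0000] "GET /docs HTTP/1.1" '
    '200 900 "http://example.com/search?q=f() {" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:03:00 +0000] "GET / HTTP/1.1" '
    '200 100 "-" "() { :; }"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

Cookie and Host values are not part of the combined format, so covering them requires a log format that records those headers.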

Straight to Windows 10

The Economist:

The replacement for its widely disparaged Windows 8 operating system turned out to be not Windows 9, as expected, but Windows 10. No explanation, other than marketing waffle, was given as to why the company should skip a release number.

[…]

Or was it, as several software developers tweeted, because so many legacy applications first check whether the computer being used is running a version of Windows beginning with number nine (as in Windows 95 or Windows 98). Had Microsoft’s new operating system been called Windows 9, it was argued, serious compatibility issues could have arisen.

Code such as OpenJDK 1.7 (via @newsoft):

if (osName.startsWith("Windows")) {
    isWindows = true;
    if (osName.startsWith("Windows 9") ||
        osName.startsWith("Windows Me"))
        return; // win9x/Me cannot handle long paths
}

Similar version number comparison problems also show up with Java for Mac.

Update (2014-10-12): Jason Snell:

This sounds ridiculous enough to be an Internet hoax, yet it appears to be real. And it led to a pretty funny joke from Ray Ozzie, developer of the ancient Windows program Lotus Notes.