Archive for April 27, 2015

Monday, April 27, 2015

Mythology

Soroush Khanlou:

In one of my favorite posts of all time, Mike Hoye looks up exactly why we use zero indexed arrays. To spoil it, he finds that it was to optimize for compilation speed (rather than execution speed) on hardware where you only had a limited time to run your job.

[…]

Why has MVC attained this state of reverence when it’s trivial to find cases where it doesn’t apply? And it’s not as though MVC is a mere suggestion: the Cocoa documentation actually states that every object has to be either a Model, a View, or a Controller, even though there are objects within Cocoa that don’t even fit in one of those three categories! “MVC” isn’t a rigorously-defined term anymore, but rather a necessary, low-information signal to other developers that our new framework fits into their worldview.

[…]

C-style syntax probably will never go away as long as we have text-based programming languages. Even Swift, which tries to fix tons of flaws in programming, doesn’t even begin to move away from C-style syntax. It’s too ingrained in the way we view code.

[…]

It’s too easy to continue doing what we’ve always done. I want to question all the constants in my programming career. The things that are already status quo don’t need cheerleading: they’re already winning. But the weird ideas, the undersung ones, those are the ones we should be championing.

Previously: Why Array Indices Start at Zero. I find Hoye’s post interesting but not entirely convincing.

Hey Apple, Stop Messing With My Music

Kirk McElhearn:

Okay, Apple, this is getting out of hand. It’s bad enough that when I sync my music to my iPhone, you think you have the right to replace some of my album art. But now you’re changing my tags. And they’re wrong.

Greg Shadley:

What I have discovered is the way music is sorted has changed. If you go into the album info, go to the sorting tab. The “Sort As” lines have information that I never put there. Apple has changed the way I sort my music and I don’t like it. If you delete the information in those lines, it will return your library to the way you originally set it up. At least it has for me.

Joe Nash:

So it’s showing different metadata when playing back in iOS 8.3, but not changing any of your actual iTunes metadata on the Mac? I hope this is the case, because it means they are just changing it for display purposes. If iTunes messed with my real metadata, I think I’d cry.

HTTPS Bug in AFNetworking Affects 25,000 iOS Apps

Dan Goodin:

The new vulnerability is the result of a bug in AFNetworking that fails to ensure the domain name contained in the certificate matches the domain name of the HTTPS server it protects. As a result, anyone with a man-in-the-middle position—say, an attacker on an unsecured Wi-Fi hotspot, a rogue employee inside an Internet service or virtual private network provider, or a state-sponsored hacker sniffing the Internet backbone—can present their own CA-issued certificate, then read or tamper with the protected communications.

coolfactor:

It wasn’t a black-box bug, but rather the library has now been made more idiot-proof and “safer out of the box”. The validatesDomainName property was always configurable by developers using the library, and those that failed to be aware of it could’ve been bitten in the situation where the setting was defaulting to “NO” under non-pinning connections. It now defaults to “YES” in all cases, but a developer could’ve chosen to set that explicitly in their own code and been okay.

NateLawson:

There is no valid production scenario for turning off domain validation. It literally disables SSL to any attacker in the middle (e.g. shared WiFi). The fact that AFNetworking has now exposed user data two different ways via APIs that are only useful for testing shows that the defaults should be secure, and test mode should be something that is off by default and prints huge warnings if SSL is ever used in test mode.

Update (2015-04-28): Alamofire Software Foundation:

AFNetworking 2.5.1 and 2.5.2 include default behaviors that are unsuitable for production applications—specifically, they do not provide necessary TLS evaluation without additional configuration.

AFNetworking 2.5.3 defaults to safer behavior, enabling domain name validation even when not using SSL pinning.

orrc:

You seem to be upset by articles discussing this already-publicly-disclosed vulnerability (though again, I’m not sure which parts you find objectionable), yet you continue to ask people to report security issues publicly via GitHub.

[…]

To enable responsible disclosure, this project needs a way of reporting security issues privately. On the master branch right now, the README only mentions Twitter as a way of getting in touch. Even with open source projects, having a security contact or private bug tracker for security issues isn’t unheard of.
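The check that the quotes above describe AFNetworking skipping when validatesDomainName is NO is the binding between an otherwise valid, CA-issued certificate chain and the host the client actually intended to reach. The following Python is an added example, not AFNetworking's or the Alamofire Software Foundation's code: it implements RFC 6125-style subjectAltName matching (exact names, single-label wildcards, IP addresses) and models the two settings so the consequence of the insecure default is visible on constructed certificate name lists. All function names, the sample SAN lists and the hostnames are invented for illustration.

```python
"""Hostname matching of the kind a TLS client must perform after chain validation.

Added example, not AFNetworking code. It mirrors the check that is skipped when
AFNetworking's validatesDomainName is NO: even a chain-valid, CA-issued
certificate must also name the host the client meant to reach.
"""
from __future__ import annotations

import ipaddress


def _match_label_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching of one dNSName pattern against a hostname.

    Conservative rules, as used by mainstream clients:
    - comparison is case-insensitive;
    - a single '*' may appear only as the entire left-most label;
    - the wildcard matches exactly one non-empty label;
    - two-label patterns such as '*.com' are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # '*' must be the whole left-most label and appear once
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style patterns
    if len(h_labels) != len(p_labels):
        return False  # the wildcard spans exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches_certificate(cert_names: list[tuple[str, str]], host: str) -> bool:
    """Return True if `host` is covered by the certificate's identities.

    `cert_names` is a list of (type, value) pairs as found in the subjectAltName
    extension, e.g. [("DNS", "*.example.com"), ("IP Address", "192.0.2.10")].
    subjectAltName is authoritative; the subject CN is deliberately ignored.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert_names:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _match_label_pattern(value, host):
            return True
    return False


# Constructed sample data (hypothetical certificates, not real ones).
# A certificate any CA would issue to whoever controls unrelated.example:
UNRELATED_CERT_SANS = [("DNS", "unrelated.example"), ("DNS", "*.unrelated.example")]
# The certificate the app's API server actually presents:
API_CERT_SANS = [("DNS", "api.example.com"), ("DNS", "*.example.com"), ("IP Address", "192.0.2.10")]


def evaluate(cert_names: list[tuple[str, str]], host: str, validates_domain_name: bool = True) -> bool:
    """Model the AFNetworking setting after chain validation has already passed.

    With domain validation off, a chain-valid certificate for *any* name is
    accepted; that is exactly the man-in-the-middle exposure described above.
    """
    if not validates_domain_name:
        return True  # chain was valid, name never checked
    return hostname_matches_certificate(cert_names, host)


if __name__ == "__main__":
    cases = [
        (UNRELATED_CERT_SANS, "api.example.com", False),
        (UNRELATED_CERT_SANS, "api.example.com", True),
        (API_CERT_SANS, "api.example.com", True),
        (API_CERT_SANS, "deep.sub.example.com", True),
    ]
    for sans, host, flag in cases:
        print(f"{host:22} validatesDomainName={flag!s:5} -> accepted={evaluate(sans, host, flag)}")
```

The first case is the bug in the quotes: with validation off, the unrelated certificate is accepted for api.example.com even though it never names that host. The last case shows why the wildcard matches exactly one label: `*.example.com` covers `www.example.com` but not `deep.sub.example.com`, which a client should treat as a mismatch.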

EFF Busts Podcasting Patent

The Electronic Frontier Foundation (via John Gruber):

The U.S. Patent and Trademark Office (USPTO) invalidated key claims in the so-called “podcasting patent” today after a petition for review from the Electronic Frontier Foundation (EFF)—a decision that significantly curtails the ability of a patent troll to threaten podcasters big and small.

[…]

In petitions filed with the Patent Office, EFF showed that Personal Audio did not invent anything new before it filed its patent application, and, in fact, other people were podcasting for years previously. Earlier examples of podcasting include Internet pioneer Carl Malamud's "Geek of the Week" online radio show and online broadcasts by CNN and the Canadian Broadcasting Corporation (CBC).

Previously: Personal Audio vs. Adam Carolla.