Archive for March 2, 2016

Wednesday, March 2, 2016

Typos in Disk Utility

Stephen Hackett:

In addition to the text being so brief it feels incomplete, it has two grammatical errors […] While this may seem silly, it’s this attention to detail stuff that worries me about Apple software.

If ever there were software you’d want to trust not to be buggy, it would be the file system and its associated tools. These kinds of user interface issues don’t inspire confidence. And, unfortunately, the problems are not just skin deep. Lately I’ve been encountering a problem where SuperDuper cloning fails because the disk is full. It turns out that the underlying diskutil tool sometimes fails to erase the volume but tells SuperDuper that it succeeded. So not only does it not work, but it also doesn’t know that it doesn’t work.

Previously: Disk Utility in El Capitan.

Update (2016-03-03): Marco Arment says it’s like having “a typo on your brake pads.”

Life and Death in the App Store

Casey Newton (comments):

Since Kaneko founded the company with Scott Sykora in 2009, Pixite has released eight applications dedicated to photo editing and design. Each has been featured by Apple as a Best New App; photo editor Tangent and design tool Assembly won year-end awards from Apple. Between 2013 and 2014, downloads of Pixite apps jumped from 395,472 to 3.1 million, and annual revenue doubled to $943,000. Pixite grew along with its cash flow, expanding from two to six employees as it explored ways to link its apps together and grow a loyal base of customers.

Then the bottom fell out. Last year downloads flattened, and Pixite’s revenues plunged by a third, to $629,000. Suddenly, a company that needed to bring in $2,000 a day to break even found itself making $1,000 or less.


But for a large swath of these app developers — particularly those without venture capital and sophisticated marketing tactics — the original App Store model of selling apps for a buck or two looks antiquated. In 2011, 63 percent of apps were paid downloads, selling for an average of $3.64 apiece. By last year, a mere 27 percent of downloads were paid, and the average price had fallen to $1.27. Today, profiting from the App Store most often requires a mix of in-app purchases, subscriptions, and advertising.


Meanwhile, a fatigue is setting in among customers. There are now more than 1.5 million apps in the App Store (Android users have 1.6 million to choose from), but by 2014, the majority of Americans were downloading zero apps per month. And it turns out people simply don’t use most of the apps they do download. According to ComScore, the average person spends 80 percent of their time on mobile devices using only three apps.

The most telling part to me:

And Pixite clung to using the one-time purchase business model, which led to a perpetual cycle of boom and bust as each launch generated a single revenue spike followed by a rapid decline. […] Pixite aimed to release one app a quarter, giving it just three months to design, code, and ship each product.

This is exactly what Wil Shipley and others predicted would happen given the App Store’s policies of no trials or upgrades.

1Password’s Cleartext IPC

Ross Hosman:

So it appears 1Password is sending data to the browser extensions over the loopback interface in clear text and not only passwords but credit card data as well if you use it for checkout forms. If anyone is sniffing your loopback they can get any data passing between the two.


They’ve made a risk/benefit analysis decision on handling IPC that it’s too difficult to secure, and that effectively any security for the IPC to browser would be 1) functionally meaningless to a targeted attack, like obfuscation, or 2) present undue burden to the people using the software. I’ll +1 their analysis (they also have several blog posts on the topic); makes sense to me. “Once an attacker has broken into your computer, it is no longer your computer.”

Jeffrey Goldberg:

Officially our view is “if a malicious process with user privileges is running on the user’s machine when they use 1Password, there is little we can do”.

But sometimes we try to do better. The example I raise is the steps we take to make things harder for keystroke loggers. We won’t go to extraordinary measures to enter a battle that we can’t win, but when there are simple things that we can do to make things harder for malware, we will.

Ross Hosman:

The reason I wrote this up is not to let people oh my god the world is ending but to let them know, hey, if you are using the browser extension there are clear-text passwords being sent over the loopback; if you don’t like that then don’t use their extensions.

You have made very well informed arguments about how hard it is to protect if someone has access to your machine, specifically elevated. But the argument to me seems kind of like “well, it’s hard to protect against then so we just decided to not do anything at all.” It seems like one other password manager company did something, so why wouldn’t you?


You can’t read loopback as a normal user. If you have root, you don’t need to read unencrypted loopback traffic to get the passwords - just use a key logger.
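The two claims made in this thread, that the data crossing the loopback interface is plain text and that reading it requires root, are easy to check for yourself. The following is an added illustration written for this page; it is not 1Password’s or the extension’s code and says nothing about their actual port, protocol or socket type. A toy server hands a constructed secret to a client over 127.0.0.1, a second variant does the same over a Unix-domain socket whose file is mode 0600, and a third function tests whether the current process could open the raw socket that packet capture on loopback needs.

```python
"""Loopback IPC demo, added as illustration; not 1Password's code.

tcp_loopback_exchange(): clear-text bytes over 127.0.0.1. Any local process,
  under any uid, can connect to the same port; TCP loopback has no file
  permissions, so the listener alone decides whom to talk to.
unix_socket_exchange(): the same bytes over an AF_UNIX socket created 0600.
  Other uids are refused by the filesystem before connect() succeeds; malware
  running as the same user still gets in, which is the residual risk Goldberg
  concedes above.
can_open_raw_socket(): capturing loopback traffic needs a raw socket, which
  needs root (CAP_NET_RAW on Linux); this returns whether we have that.
"""
import os
import socket
import stat
import tempfile
import threading

SECRET = b"password=correct horse battery staple\r\n"   # constructed sample


def _serve_one(srv, payload):
    """Accept a single client, write the payload to it unmodified, shut down."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(payload)          # no encryption, no framing, no peer check
    srv.close()


def _exchange(srv, connect_to, payload):
    """Run the server in a thread, connect as a client, return what it read."""
    srv.listen(1)
    t = threading.Thread(target=_serve_one, args=(srv, payload))
    t.start()
    with socket.socket(srv.family, socket.SOCK_STREAM) as cli:
        cli.connect(connect_to)
        data = b"".join(iter(lambda: cli.recv(4096), b""))   # read to EOF
    t.join()
    return data


def tcp_loopback_exchange(payload=SECRET):
    """Return (port, bytes) for a clear-text exchange on an ephemeral loopback port.
    The bytes are exactly what a root-level sniffer on the lo interface sees."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    return port, _exchange(srv, ("127.0.0.1", port), payload)


def unix_socket_exchange(payload=SECRET):
    """Return (socket file mode, bytes) for the same exchange over AF_UNIX."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "ipc.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)              # node is created 0600, never briefly wider
    try:
        srv.bind(path)
    finally:
        os.umask(old)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:
        return mode, _exchange(srv, path, payload)
    finally:
        os.unlink(path)
        os.rmdir(d)


def can_open_raw_socket():
    """True only with root / CAP_NET_RAW, the prerequisite for sniffing loopback."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    except OSError:                    # EPERM/EACCES as an ordinary user
        return False
    s.close()
    return True


if __name__ == "__main__":
    port, seen = tcp_loopback_exchange()
    print(f"tcp 127.0.0.1:{port} carried: {seen!r}")
    mode, seen = unix_socket_exchange()
    print(f"unix socket mode {mode:o} carried: {seen!r}")
    print("this process could sniff loopback:", can_open_raw_socket())
```

Running it as an ordinary user shows the secret arriving verbatim in both variants and `can_open_raw_socket()` returning `False`; as root it returns `True`, which is the “if you have root, just use a key logger” point in code. The caveat the thread leaves implicit: sniffing is not the only way at a loopback listener. Any unprivileged local process can simply connect to a 127.0.0.1 port and speak the protocol, so a listener that does not authenticate its peer has to treat every connection as potentially hostile, and moving to a 0600 Unix socket only narrows that to processes running as the same user.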

Legal Issues for Developers

Adam Silver interviews David Sparks:

Frankly, when you think about it, one of the ways people come after developers and web guys is they don’t just say “You screwed up and I paid you $5,000, so I want my $5,000 back.” They will say “You screwed up and as a result my website was down for two weeks and I lost $150,000 of revenue because of it and I want you to pay me that.” You want to … The contracts I write for my clients, a lot of the times we have, and this is something out there that you should talk to your lawyers about if you are doing this, it is called a “Limitation of Liability Clause”.


Another thing you do is you put a clause in there that says interest, that allows for interest. Not only if they don’t pay you and your attorney fees, you are going to collect interest on the money. You should also put a clause in there, especially if you are working outside of your home base, a lot of developers work all over the place, is to put local jurisdiction. Make them have to come to court where you live.

Authenticating Support Requests

Matt Henderson:

What I find irritating is the company’s assumption that the “from” address serves as any kind of authentication, since it’s dead easy to spoof the from address on an email!
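What would count as authentication of a sender, as an added example that is not part of Henderson’s post: the From header is free text, but the receiving mail server can record whether the message carried a DKIM signature or passed SPF for a domain that matches the From domain, and a support system can refuse to act on the From address unless that aligned pass is present. The code below assumes a receiving MTA that writes a standard Authentication-Results header (RFC 8601) under the hypothetical authserv-id `mx.example.com` and that strips any inbound header claiming that id; the sample messages are constructed.

```python
"""Added example: treat a From address as authenticated only when our own
MTA has recorded a passing DKIM or SPF result aligned with it (a simplified
DMARC-style alignment check). Not from the post above.

Assumptions: the receiving MTA stamps Authentication-Results (RFC 8601) with
authserv-id AUTHSERV_ID and removes any inbound header bearing that id, so a
sender cannot forge a pass. Sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.com"       # hypothetical authserv-id of our own MTA

DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?\bheader\.d=([\w.-]+)", re.I)
SPF_PASS = re.compile(r"spf=pass\b[^;]*?\bsmtp\.mailfrom=([\w.@-]+)", re.I)


def _aligned(auth_domain, from_domain):
    """Relaxed alignment: equal, or one domain is a parent of the other.
    (Full DMARC compares organizational domains via the public suffix list.)"""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or f.endswith("." + a) or a.endswith("." + f)


def authenticated_from(msg, authserv_id=AUTHSERV_ID):
    """Return the From address if an aligned pass was recorded, else None."""
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    if not from_domain:
        return None
    for raw in msg.get_all("Authentication-Results", []):
        ar = " ".join(str(raw).split())              # unfold continuation lines
        stamped_by = ar.split(";", 1)[0].split()[0]  # authserv-id, optional version
        if stamped_by.lower() != authserv_id.lower():
            continue                                 # someone else's claim: ignore
        for m in DKIM_PASS.finditer(ar):
            if _aligned(m.group(1), from_domain):
                return from_addr
        for m in SPF_PASS.finditer(ar):
            if _aligned(m.group(1).rpartition("@")[2], from_domain):
                return from_addr
    return None


def check(raw_message):
    """Parse a raw RFC 5322 message and return the authenticated From or None."""
    return authenticated_from(message_from_string(raw_message))


# Constructed samples: headers, blank line, body.
GENUINE = """Authentication-Results: mx.example.com;
 dkim=pass header.d=customer.example header.s=s1;
 spf=pass smtp.mailfrom=alice@customer.example
From: Alice <alice@customer.example>
To: support@example.com
Subject: please reset my password

Could you reset my password?
"""

SPOOFED = """Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bounce@attacker.example; dkim=none
From: Alice <alice@customer.example>
To: support@example.com
Subject: please reset my password

Could you reset my password and send it to this address?
"""

# A sender may type any header they like, including a fake pass, but only a
# result stamped with our own authserv-id counts (and the MTA strips forgeries).
FOREIGN_STAMP = """Authentication-Results: mail.attacker.example;
 dkim=pass header.d=customer.example
From: Alice <alice@customer.example>
To: support@example.com
Subject: please reset my password

Could you reset my password?
"""

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("foreign", FOREIGN_STAMP)]:
        print(name, "->", check(raw))
```

The genuine message yields the address; the spoofed one and the one carrying a pass stamped by a server we do not trust both yield `None`, so the support workflow falls back to a secondary check (a ticket-portal login, a reply to the address on file) rather than acting on the From line. The strip-inbound-header assumption is essential: if the MTA does not remove a sender-supplied `Authentication-Results: mx.example.com; dkim=pass ...`, this check is no better than trusting From.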