Archive for September 28, 2016

Wednesday, September 28, 2016

Pro Music Perspective on Apple

Peter Kirn (via Michael Yacavone):

Apple’s desktop OS is too often unstable and incompatible, and the yearly update cycle isn’t helping. […] Instead, we’re being treated to disastrous, showstopper audio reliability problems.

[…]

Here’s how bad this is: you show up to a gig, and out of the blue, your machine starts popping or dropping buffers or creating random distortion. That’s clear-the-floor stuff, things that could make people never want to play again. […] People who work in support paint an ugly picture, and then anecdotal evidence is useful, because it covers a range of different situations. And it’s getting been worse through El Capitan: “OS X 10.9 (rare occurrences), OS X 10.10 (occasional occurrences) and OS X 10.11 (most occurrences, compared to the aforementioned OS versions).”

Now, it’s not uncommon to wait a few weeks when an OS comes out to make sure your complex ecosystem of software hosts, plug-ins, and hardware is compatible. But note the OS numbers – that’s years without a fix, and instead worsened regressions. That’s simply unacceptable. OS X 10.9 Mavericks is about to turn three years old (older if you count pre-release builds).

It is apparently fixed, with some caveats, in Sierra. But:

In a now yearly ritual, Apple has broken plug-in validation for its own Audio Unit format. Open question: why? Why is this now a regular feature of updating an operating system for a format that has basically remained unchanged for years? Why shouldn’t desktop upgrades be the kind of no-brainer mobile upgrades are.

There are some workarounds for plug-ins, but this reveals a deeper, more cultural problem at Apple. The inability to ship OS builds to developers in time for them to adapt, a tendency to change OS internals without properly documenting the results, or whatever the reason, the upshot is the same. If musicians can’t trust an upgrade, they won’t install it – and that means they will avoid critical fixes, too.

How Apple’s Hardline Privacy Policy Limits Key Features

Dan Moren:

When Apple first announced the feature, it made a big deal about the fact that the processing of photos for faces was done locally, on the device itself, rather than transmitted to servers. It was an obvious jab against Google Photos, which had already rolled out a similar feature, but did its processing in the cloud.

Again, there’s a laudable element to this. People don’t like to feel that their personal and private photos are being pored over, even if “just” by a machine. But these local silos have, at least at the moment, made the feature less useful, because the analysis happens on each device that the new Photos is on. That means even if all the photos on your iPhone are scanned for faces, when you upgrade your Mac to Sierra, the Photos app there doesn’t benefit from the information on your phone—even if they’re all the same photos.

It sounds like to have things work the way you’d want, you would have to re-tag all your photos on each device. And, I guess, forget about doing anything with faces from the Web interface.

Rui Carmo:

So yes, all those neat, magic features like face detection and Moments will turn out to be pretty much useless in real life – if not for me, then surely for the millions of people about to run out of iCloud storage and realize they have no easy, practical way to safekeep their photos.

Greg Barbosa:

Apple clarified that the use of differential privacy to collect user data would be opt-in, meaning if a user didn’t want to give into the system they didn’t have to. What Apple never indicated was where this opt-in area would be and what would happen if you decided against it…

[…]

With iOS 10, opting in to having diagnostic and usage data sent automatically to app developers means that users are also automatically subjected to data collection using differential privacy. It seems that if a user wants to submit diagnostic data to developers, but not be subject to the collection of this new data, they’re out of luck.

Via Nick Heer:

Though this may seem paradoxical, I think the critical factor in the unfriendliness of the setup process is the number of pages and options presented. This could be made less intimidating by, for instance, storing as many options and settings as possible in iCloud, and allowing the user to confirm them on a single page during setup.

Google Reneges on Allo Privacy Feature

Russell Brandom: (via John Gruber, Hacker News)

The version of Allo rolling out today will store all non-incognito messages by default — a clear change from Google’s earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app.

[…]

Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google’s algorithms.

Yahoo Says Hackers Stole Data on 500 Million Users in 2014

Bob Lord (via Hacker News):

A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor. The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.

Nicole Perlroth:

Yahoo announced on Thursday that the account information of at least 500 million users was stolen by hackers two years ago, in the biggest known intrusion of one company’s computer network.

[…]

Two years is an unusually long time to identify a hacking incident. According to the Ponemon Institute, which tracks data breaches, the average time it takes organizations to identify such an attack is 191 days, and the average time to contain a breach is 58 days after discovery.

Via John Gruber:

Verizon, in midst of acquiring Yahoo, only found out about this two days ago.

Nick Heer:

The massive 2014 breach disclosed today by Yahoo is just one of three reported hacks from the past four years. As noted previously, there was also a 2012 breach of 200 million accounts, and Emptywheel has pointed to an individual account hacked earlier this year.

There’s something very unsettling about the way tech companies are responding to these big security breaches: none of them informed their users with anything resembling a sense of urgency.

Lloyd Chambers:

Yahoo stored unenencrypted user data, including all sorts of personal data that should be stored encrypted, but was not—gross security incompetence to maintain a dossier on every user.

Nicole Perlroth and Vindu Goel (via Melanie Ehrenkranz, Slashdot):

The 2014 hiring of Mr. Stamos — who had a reputation for pushing for privacy and antisurveillance measures — was widely hailed by the security community as a sign that Yahoo was prioritizing its users’ privacy and security.

[…]

Mr. Stamos and his team had pressed for Yahoo to adopt end-to-end encryption for everything. […] Mr. Bonforte said he resisted the request because it would have hurt Yahoo’s ability to index and search message data to provide new user services.

[…]

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

[…]

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

Update (2016-09-30): Bruce Schneier:

I did a bunch of press interviews after the hack, and repeatedly said that “state-sponsored actor” is often code for “please don’t blame us for our shoddy security because it was a really sophisticated attacker and we can’t be expected to defend ourselves against that.”

Well, it turns out that Yahoo! had shoddy security and it was a bunch of criminals that hacked them.

Update (2016-10-03): Paul Szoldra (via Slashdot):

To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion.

Update (2016-10-04): Joseph Menn (Hacker News):

Yahoo Inc last year secretly built a custom software program to search all of its customers’ incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

[…]

The sources said the program was discovered by Yahoo’s security team in May 2015, within weeks of its installation. The security team initially thought hackers had broken in.

When Stamos found out that Mayer had authorized the program, he resigned as chief information security officer and told his subordinates that he had been left out of a decision that hurt users’ security, the sources said. Due to a programming flaw, he told them hackers could have accessed the stored emails.

Update (2016-10-11): Sarah Perez (Hacker News, Slashdot):

At the beginning of October, Yahoo disabled an email forwarding feature, which would allow users to automatically redirect incoming emails sent to their Yahoo address to another account.

Update (2017-01-23): Tim Hardwick:

Yahoo is under investigation from the Securities and Exchange Commission over its failure to disclose its massive data breaches sooner, according to The Wall Street Journal.

Update (2017-10-04): Chance Miller (Hacker News):

Yahoo today has disclosed that the 2013 hack initially thought to have affected 1 billion accounts actually affected all 3 billion of its user accounts. The company made the announcement in a filling with the SEC…

Nick Heer:

If you ignore the press release’s spin of what wasn’t stolen, you’ll notice that they omit what was: as acknowledged previously, that includes names, email addresses, MD5 hashed passwords, phone numbers, birthdates, and security questions and answers.

Update (2018-10-24): Mitchel Broussard:

In the settlement, Yahoo has agreed to put $50 million into a fund for victims of the breach, provide two years of credit monitoring from AllClear, and a few other benefits for victims. The settlement is still awaiting court approval.

Overcast Tries Ads

Marco Arment:

If any new patron-only features are widely demanded, I’ll be stuck with the year-one problem again. If not, they won’t bring in enough money. The latter is more likely: what most people want (and will pay for) is pretty well covered by Overcast’s current features.

[…]

Charging money only works in scarcity, but most kinds of software are no longer scarce, especially on iPhone. Whatever I charge money for, someone else can give away, and vice versa. For instance, most of my competitors now offer a dark theme at no additional charge, but if I give mine away without any other changes, I’ll go out of business.

[…]

The content industries figured out the solution a long time ago. If 97% of my users can’t or would rather not pay, but they spend substantial time in the app every day, the solution is probably ads.