Archive for August 2017

Thursday, August 31, 2017

Sarahah Quietly Uploads Your Address Book

Yael Grauer:

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.


After this piece was published, the app’s creator, Zain al-Abidin Tawfiq, tweeted that the contacts functionality would be removed in a future release and had been intended for a “‘find your friends’ feature.” He later told The Intercept the feature was stymied by “technical issues” and that a partner, who he has since stopped working with, was supposed to remove it from the app but “missed that.” He claims the functionality was, however, removed from the server and that Sarahah stores no contacts in its databases. This is impossible to verify.

The TLS 1.3 Controversy

Rich Mogull:

What exactly is the security weakness TLS 1.3 eliminates? – Version 1.3 eliminates support for an older way of setting up encrypted connections using a master key. It could enable someone with a copy of the master key to sniff all encrypted traffic. They could also decrypt any previously recorded traffic protected with that key. The proposed updates to TLS use a different key for every connection, so there is no master key which could allow unrestricted monitoring. We call this Perfect Forward Secrecy, if you want to look it up.

This is a pretty big weakness, which has been used in attacks. Unfortunately it’s also used by legitimate security tools for more efficient monitoring.


TLS 1.2 is still completely supported and will be for a long time. As online services start adopting TLS 1.3, organizations which rely on passive sniffing of encrypted connections may start losing visibility into those connections. Organizations which want to maintain this visibility will need to update their tools and techniques.

Using Lazy Variables to Work Around Swift Initialization Rules

Chris Adamson:

In all these cases, you have to provide the object with its delegate (or target) at initialization time. And that leads to a terrible head-scratcher. What do you do if you want to use one of these objects as a property, but also use self as the delegate?

Swift won’t let you easily do this.


The point of the lazy variable is that it won’t be assigned until its needed. Which in turn means that it can’t be accessed until self exists, because otherwise there’s no way to access it. Therefore, it’s always OK to reference self when assigning a lazy variable.

I understand the reasoning behind Swift’s rules for two-phase initialization and where you can access self. But in practice they introduce extra work and code ugliness in order to prevent a class of problems that I don’t think I’ve ever had. lazy variables are the best solution I’ve found for the issue that Adamson mentions. In fact, lazy variables are pretty cool in general, although beware that their initialization is not thread-safe.

The other main issue I run into with initialization is that you can’t call helper methods before calling super.init(). This is not an issue in Objective-C because, there, calling [super init] is the first thing you do. But in Swift you have to initialize all of your properties before calling super.init(). Implicitly-unwrapped optionals are the obvious, easy solution. Otherwise, you would need to move helper code from instance methods to static functions or a separate helper object or, in some cases, completely restructure your code if you need to access state or functionality from the superclass.

Update (2017-08-31): One of the issues that neither lazy nor IUOs solve is that you may end up needing to make the property var instead of let, even though you have no intention of modifying it once set. You can partially mitigate this by marking the property private(set). However, that adds yet more verbosity and doesn’t as obviously protect against concurrent access the way let does.

Regarding lazy and concurrency, Heath Borders writes:

I just use another computed property that wraps the lazy var in a Dispatch.sync over a private queue, then I never touch the lazy var.

Update (2017-09-01): Another issue with IUOs is the way they work with type inference. If you assign an IUO to a temporary variable, the inferred type is an optional. This means that you have to either force unwrap when assigning to the temporary or at each use of the temporary. So the IUO has leaked outside of its class. One way around this is to create two properties in the class. The first is a private var of type T!. The second is a computed property of type T that returns the first property (implicitly) unwrapped. Then clients of the class can use the computed property and not have to deal with unwrapping.


Swift’s Error Handling Implementation

Mike Ash:

Swift 3 works by essentially automating Objective-C’s NSError convention. The compiler inserts an extra, hidden parameter which is essentially Error *, or NSError **. Throwing an error consists of writing the error object to the pointer passed in that parameter. The caller allocates some stack space and passes its address in that parameter. On return, it checks to see if that space now contains an error. If it does, it jumps to the catch block.

Swift 4 gets a little fancier. The basic idea is the same, but instead of a normal extra parameter, a special register is reserved for the error return.

Joe Groff:

Some more fun trivia: r12 and x21 were specifically chosen because they’re normally callee-saved registers, so a non-throwing function can be “toll-free bridged” as a throwing one, since the non-throwing ABI will always preserve null in the error register.


One of the arguments against manual propagation of errors has long been the code size and performance cost at each call, but Swift’s ABI does a pretty good job of minimizing the cost without getting too avant-garde—it’s one instruction to zero out the error register at the boundary where you enter a “throws” context, and one instruction (on ARM64 at least, though still one fused uop on Intel) to jump-if-not-zero into the catch block after each call that might throw.

Reliability of macOS Sierra: Scheduled and Background Activities

Howard Oakley:

In Sierra, the DAS and CTS dispatching system now manages more than seventy activities at most times, one of which is Time Machine’s scheduled backups. However, in Sierra at least, this system has a bug which results in its breakdown: backups suddenly become irregular or stop altogether, and the other activities also become unreliable.

When this happens, it is tempting to revert to scheduling backups using the older launchd mechanism, and that will certainly restore them. But it does nothing for the seventy or so other services which the DAS and CTS dispatching system manages. […]

For anyone needing to run their Mac continuously, particularly as a server, this is a devastating flaw. Although I and others have tried various solutions, the only way currently known to restore normal dispatching services is to restart the Mac. That is literally a showstopper for any server, and is more than inconvenient for many other Mac users.

Previously: Sierra Bluetooth Problems Due to GCD?.

Update (2017-08-31): Thomas Clement:

You can use TimeMachineEditor if you need a third-party Time Machine scheduler.

btw TimeMachineEditor used to be implemented via xpc_activity but eventually had to switch to a custom implementation due to various issues.

Tuesday, August 29, 2017

APFS to be Mandatory for SSDs in High Sierra

Apple (via Felix Schwarz):

When you upgrade to macOS High Sierra, systems with all flash storage configurations are converted automatically. Systems with hard disk drives (HDD) and Fusion drives won’t be converted to APFS. You can’t opt-out of the transition to APFS.


Boot Camp doesn’t support Read/Write to APFS-formatted Mac volumes.


Volumes formatted with APFS can’t offer share points over the network using AFP.

I assumed Apple would let you opt-out, since that was possible for the betas.

Previously: Pondering the Conversion From HFS+ to APFS.

Update (2017-08-29): Steve Moser:

I wonder what this means for hackintoshes since I read some where that APFS requires Apple firmware.

Update (2017-08-31): Edward Marczak:

For anyone worried about being “forced” into converting to APFS, startosinstall still supports the --converttoapfs flag

Swift 4: Bridging Peephole for “as” Casts

John McCall (via Peter Steinberger):

Bridging conversions are not always desirable. First, they do impose some performance overhead which the user may not want. But they can also change semantics in unwanted ways. For example, in certain rare situations, the reference identity of an NSString return value is important — maybe it's actually a persistent NSMutableString which should be modified in-place, or maybe it's a subclass which carries additional information. A pair of bridging conversions from NSString to String and then back to NSString is likely to lose this reference identity. In the current representation, String can store an NSString reference, and if the String is bridged to NSString that reference will be used as the result; however, the bridging conversion from NSString does not directly store the original NSString in the String, but instead stores the result of invoking +copy on it, in an effort to protect against the original NSString being somehow mutable.

Bridging conversions arising from reasons #1 and #2 are avoidable, but bridging conversions arising from reason #3 currently cannot be eliminated without major inconvenience, such as writing a stub in Objective-C. This is unsatisfactory. At the same time, it is not valid for Swift to simply eliminate pairs of bridging conversions as a matter of course, precisely because those bridging conversions can be semantically important. We do not want optimization settings to be able to affect things as important as whether a particular NSString is mutable or not.

He proposes eliminating pairs of bridging conversions under certain circumstances:

This would avoid the bridging conversions through [View] on the return value of the getter:

let subviews = view.subviews as NSArray

This would not:

let subviews = view.subviews
let nsSubviews = subviews as NSArray

This would avoid the bridging conversion through [CIFilter] on the argument to the setter:

view.backgroundFilters = nsFilters as [CIFilter]

This would not:

let filters = nsFilters as [CIFilter]
view.backgroundFilters = filters

YouTube Transcripts

David Pogue:

Believe it or not, YouTube creates a written transcript for every single video. Just click More and Transcript and boom!

What’s cool is that you can use this feature as a great way to create free transcripts of your own recordings.

Given its native software and focus on accessibility, this is the kind of thing I’d expect Apple to do. Indeed, Clips does use speech recognition, but it’s for adding titles on top of the video, not transcribing what’s there. And I don’t think there’s anything like this in iMovie. I don’t know what Apple uses for the WWDC videos. Meanwhile, Google has implemented what looks like an impressive interface in the browser.

Deep Learning for Siri’s Voice

Siri Team:

Recently, deep learning has gained momentum the field of speech technology, largely surpassing conventional techniques, such as hidden Markov models (HMMs). Parametric synthesis has benefited greatly from deep learning technology. Deep learning has also enabled a completely new approach for speech synthesis called direct waveform modeling (for example using WaveNet [4]), which has the potential to provide both the high quality of unit selection synthesis and flexibility of parametric synthesis. However, given its extremely high computational cost, it is not yet feasible for a production system.

In order to provide the best possible quality for Siri’s voices across all platforms, Apple is now taking a step forward to utilize deep learning in an on-device hybrid unit selection system.


For iOS 11, we chose a new female voice talent with the goal of improving the naturalness, personality, and expressivity of Siri’s voice. We evaluated hundreds of candidates before choosing the best one. Then, we recorded over 20 hours of speech and built a new TTS voice using the new deep learning based TTS technology. As a result, the new US English Siri voice sounds better than ever. Table 1 contains a few examples of the Siri deep learning -based voices in iOS 11 and 10 compared to a traditional unit selection voice in iOS 9.

Update (2017-09-11): John Gruber:

It’s the voice assistant equivalent to getting a better UI font or retina graphics for a visual UI. But: if given a choice between a Siri that sounds better but works the same, or a Siri that sounds the same but works better, I don’t know anyone who wouldn’t choose the latter.

Monday, August 28, 2017

Carbon Copy Cloner 5

Mike Bombich:

I introduced CCC to the world over 15 years ago. With the debut of CCC 5 within reach, I thought it would be neat to see how CCC has changed over the years.

Carbon Copy Cloner 5 costs $40, with upgrades discounted 50%.

What’s new (tweet):

Create a bootable clone of your hard drive, but also keep copies of your recently deleted and changed files — just in case. SafetyNet is smarter than ever: if you run out of space during a backup, CCC can free up space automatically and resume your backup.

This should fix my number one annoyance with previous versions, which was that a backup would run for a long time and eventually fail because the SafetyNet made it run out of space. You had to guess up-front how much space you’d need, and CCC would prune the SafetyNet before starting the backup. Guess too low, and the backup would fail in the middle of the night. In the morning, you’d have to free up some space and try again. Guess too high, and you’d waste time pruning files that didn’t need to be pruned, and also lose access to those versions, which you actually did have room to keep. It sounds like this new “Auto adjust” option will do the right thing automatically, pruning just enough old versions so that the backup will complete. And it should provide certainty that when you start a backup it will definitely succeed—important if you need to depart on a trip or update the OS.

Excluding a folder or two from a backup task has always been trivial with CCC, and now it’s even easier to precisely define what should and should not be backed up. You can also now visualize the effects of custom filter rules, and now CCC will report how much data is going to be backed up.


The setup procedure for backing up to a remote Macintosh has been greatly simplified. SafetyNet pruning is now available for remote Mac destinations, and CCC can now show you the content of a remote Mac source.


Have you ever worried that your backup might fail when you need it? CCC has you covered. CCC can run a special monthly or weekly corruption check to identify damaged files in your backup – and automatically replace them.

The checksumming feature was there before, but you had to manually turn it on and off if you didn’t want to verify the backup every time. Now, CCC can manage the verification schedule for you.

There are lots of other new “task” features like this, which are designed around the idea that CCC is managing and scheduling your backups. This is a nice idea, but it doesn’t really work for me in practice. I need to keep track of backups made by a variety of apps (Arq, CCC, SuperDuper, and Time Machine) on multiple Macs. Most of the backup drives are not attached, so CCC cannot initiate a backup on its own, anyway. And for each backup, I need to keep track of where it is, what it contains (e.g. “last 10.11.x clone” rather than just the date of the backup), when it was started, when the media and contents were last verified, problems encountered, and rotation information. So I end up managing all this with a text file and OmniFocus, and I have a CCC task for each type of backup rather than for each backup disk.

The bundled ccc command line application allows pros to incorporate CCC backup tasks into larger and more complex workflows. Pre- and postflight scripts bring that same level of customization into existing CCC task workflows. Task and individual task filters can be imported and exported, allowing you to manage exclusion lists across tasks and to duplicate tasks to other Macs.

All backup products should provide this last feature, in a way that works across different home folder paths.

See also: Everything you need to know about Carbon Copy Cloner and APFS.

Previously: Pondering the Conversion From HFS+ to APFS.

Update (2017-08-30): Bombich informs me that CCC checksums the resource fork and extended attributes in addition to the data fork.

Dylan and Newton History

There’s lots of interesting stuff in this Hacker News thread.

Mikel Evins:

Larry asked me and a couple of other people to see what we could do with Dylan. We took that ball and ran with it--maybe too far. Like maybe Larry wanted us to run it down to the end zone and instead we ran it across the border and into Patagonia somewhere. We, the five of us or so, wrote a whole OS in Dylan, essentially competing with the 60 or so people working on Scully’s mandated C++ OS.


From a business point of view, though, it was silly. Obviously Apple was never going to ship 2 Newton OSes. Equally obviously, it wasn’t going to choose to develop our weirdo Lisp OS instead of Capps’ C++ OS that was developed by almost the whole Newton team in response to an order from on high.

In those days (and perhaps nowadays, too, for all I know), Apple didn’t really invent products by having some visionary leader invent a goal and directing engineers to fulfill the vision. Instead, it tolerated skunkworks projects hither and yon, and the visionary leader(s) cherry-picked the ones they thought most promising. Newton itself had been created as a means to keep Steve Sakoman from leaving Apple, rather than as a product vision. So you can perhaps forgive us for imagining that if we just made our project good enough, Apple would find a place for it.


My meeting with Steve was memorable. He carved out a fairly large chunk of time to give me the hard sell about how I should give up on Apple and come change the world with NeXT. I hadn’t met him before. His famous charisma was real enough. It was a little odd, though, too. He tried a bunch of different angles to convince me, and he could tell really quickly when it wasn’t working. In fact, nothing worked in that meeting. I was skeptical that NeXT would survive, and all of Steve’s pitches were pegging my BS meters. It was kind of cool to see him start a pitch, recognize that it wasn’t working, and instantly flip to a different one, as if changing channels on a TV. Eventually he gave up and ended the meeting.

Oliver Steele:

The original Apple [Dylan] implementation compiled to native ARM code. The runtime was intended to be competitive with C, but by the time we approached that target, large parts of the toolbox had already been written in C, and Walter Smith had created NewtonScript as a scripting language that worked as an alternative for non-performance-critical code. At that point the Cambridge team re-targetted the implementation to build Macintosh applications, but that wasn’t a sufficiently compelling (to Apple management) use, and we had lost our executive sponsor when the director of the Apple Cambridge lab was promoted to a position in Cupertino.

Landon Dyer:

The decision was made to ship “junior” (the handheld unit that became the MessagePad 100) using C++, while work was still being done in Dylan on “senior”, the tablet unit. Eventually the Junior project grew in importance (“Holy crap, we have to ship this in a year”) and it was all hands on deck to get it out the door. For a while there were a bunch of Dylan programmers roaming the hallways, they were clutching copies of the C++ Annotated Reference Manual and looking really unhappy. The writing was on the wall, Senior got canceled a few months later and a bunch of the Dylan folks quit.

Just Following Orders

Robert C. Martin:

The year is 2006. Executives at VW know that their diesel engine can not meet American emissions standards. So they ask the enginers for a solution that does not require a redesign of the engine. […] We may never know all the details; but it’s clear that the executives asked the engineers to find a way to defeat the emission tests.


Engineers take note: Your employer can’t cover for you. Doing your job does not mean that you just follow orders. The courts are going to hold you to a high ethical standard, even if your employer does not.

Update (2017-08-29): See also: Hacker News.

Thursday, August 24, 2017

Portable External MacBook Pro Displays

Luna Display:

Luna Display seamlessly extends your Mac desktop to your iPad, creating a wireless second monitor with stunning image quality. Available for Mini DisplayPort or USB-C, Luna sets up in seconds and instantly works with your existing Wi-Fi.


Luna Display acts as a complete extension to your Mac, allowing you to use it directly from your iPad with full support for external keyboards, Apple Pencil, and touch interactions.

Via Craig Hockenberry:

I’ve had two displays on my development machines since the 1990’s. By now, it’s fully ingrained in my habits and makes for a very efficient workflow. So much so that it’s the capability I miss the most when I travel, especially when I have an iPad with a kick-ass display. It’s not hyperbole to say that this new product, called Luna Display, solves this problem completely.


When you put the Luna Display app into the background with the iPad’s home button, the display disappears from the Mac after a few minutes. All iOS apps have a limited time in the background and Luna Display is no different.

It looks cool to have a wireless connection, with only a little dongle plugged into the Mac. But it can also work with a USB cable, which I expect is much more reliable.

That said, this is not particularly helpful for me because I have an iPad mini. I wanted a larger, portable external display for my MacBook Pro, so a few months ago I got an AOC e1759Fwu. It’s a 17-inch display with a fold-out stand that easily fits in my laptop backpack. It connects via a USB cable (no separate power connector) and, once you install the kernel extension, the Mac sees it as a regular external display (though Night Shift is not supported). It supports both portrait and landscape modes. I prefer the portrait, which at 900 × 1,600 pixels (it’s not Retina) is the same height as a 30-inch display.

The AOC’s USB 3 connection is a big improvement over the square-SCSI SuperMac adapter that I once used to connect a color display to my monochrome PowerBook, but it does feel laggy compared with a regular display connector. The picture quality isn’t great, either: a bit fuzzy, uneven brightness, and so-so color. But it succeeds at giving me more screen space when traveling. The extra vertical pixels are especially welcome when replying to customer e-mails in FogBugz. The main downsides are that it’s an extra step to unpack it and repack it and that some hotels don’t really have enough table/desk space to set it up. It would be better if Apple sold a MacBook Pro with a larger internal display.

Previously: Duet Display.

How Some Thunderbolt 3 Cables Underperform With USB-only Drives

Glenn Fleishman:

You can purchase what are effectively four kinds of cables that have USB-C connectors on both ends[…]


The trouble that AppleInsider discovered arises only in a particular set of circumstances:

  • You have a hard drive with a USB-C port that supports only USB 3.1.

  • You’re using a Thunderbolt 3 cable to connect that drive to a Thunderbolt 3-capable computer.

  • The Thunderbolt 3 cable is active, rather than passive.

Instead of carrying up to 5 Gbps of USB 3.1 Gen 1 data, these active Thunderbolt cables throttle down to USB 2.0 speeds, offering about one-tenth as much throughput.

Update (2017-08-29): David Heinemeier Hansson:

Why have a USB-C standard if you need x-ray vision to determine what a given cable is capable of?


Apple’s charger cable has no identifying markers. No clue it only carries power. Some times the computer industry is too smart for itself.

USB-C is giving Bluetooth a good run for its money as The Most Frustrating Standard out there.

Don Wauchop:

This week I watched a genius fruitlessly try 5 USB-C cables to figure out which was Thunderbolt 3.

Jony Ive has taken minimalism too far.

iOS 11 Will Strip AMP Garbage From Shared URLs

Federico Viticci (via John Gruber):

Very nice: when sharing AMP pages to iMessage or Reading List, iOS 11 Safari automatically removes AMP’s crap from the URL. Go Apple 👍

Previously: Dangers of Google AMP, The Problem With AMP, Google to Automatically Link to AMP Results.

Update (2017-08-28): Malte Ubl (via Edward Marczak):

TL of AMP here. Just wanted to clarify that we specifically requested Apple (and other browser vendors) to do this. AMP’s policy states that platforms should share the canonical URL of an article whenever technically possible. This browser change makes it technically possible in Safari. We cannot wait for other vendors to implement.

Malte Ubl:

We confirmed that this actually implemented as a generic solution. (Sharing <link rel=canonical>), so there is nothing AMP specific here.

See also: Why AMP Is Fast, Why AMP HTML Does Not Take Full Advantage of the Preload Scanner.

Update (2017-08-29): Nick Heer:

So if AMP’s own spec doesn’t see AMP links being used for general referrals, social network referrals, or direct links, then their only function seems to be links from Google searches. That seems silly.

TRAI’s Spat With Apple Over App Access to Messages and Call Logs

Roopesh Chander:

I think Apple is highly unlikely to create public APIs to access call logs or messages, but that’s not really needed for an app like this.

Rather, Apple could provide a way to share an SMS through a share sheet, so a third-party app can get access to all relevant fields of an SMS message (i.e. body text, sender id and timestamp) that the user explicitly chose to share with the app. That way, TRAI can create an app to report errant SMS messages, while Apple can retain their right to not give apps blanket access to the phone’s SMS data.

So this is how I think TRAI and Apple can settle this without compromising either party’s positions, and simultaneously keep Apple’s privacy-conscious customers happy as well.

Update (2017-11-15): Tim Hardwick:

Apple has agreed to help the Indian government develop an anti-spam app for iOS devices, after initially refusing to do so because of privacy concerns, according to Reuters.

Wednesday, August 23, 2017

Testing Auto-Renewable Subscriptions on iOS

David Barnard (tweet):

Subscriptions work differently in TestFlight, the sandbox, and live on the App Store, so testing them requires knowledge of those differences. This is my attempt to help sort out the mess and document it for others to reference.


It would be nice if the purchase flow while testing mirrored that of a live app on the App Store, but that’s just not the case for whatever reason.


For an app that has yet to be released on the App Store, getting an early version of the app approved is a great way to test subscriptions[…]

He suggests setting it to manual release and then sending out promo codes so that people can test the real app before it’s available to everyone.

Implementing and testing subscriptions sounds like it’s much more complicated than you would expect. The developer of Ulysses says that it took their highly regarded team 1.5 man-years and 22K lines of code to implement subscriptions.

Update (2018-04-20): See also: Supertop.

AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off

Zack Whittaker:

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.


“Everything is anonymized,” said Brian Handley, the company’s chief executive. “We’re not ever tracking an individual device,” but described a situation where his company can point advertising to customers inside a Starbucks location, for example.


“Reveal is updating its SDK and pushing out new versions of the [software kit] in the next 24 hours, with the iOS update going live [Tuesday],” said an AccuWeather spokesperson. “The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”

Via John Gruber:

To me this is a one strike and you’re out situation.

Update (2017-08-23): Ron Gilbert:

iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc.

This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather.

Jacob Terry:

iOS should ask permission for network access similar to how it asks permission to access contacts and photos. Unlike those permissions, however, this one should be optional to the app author.


To distinguish apps that opt-in, Apple should brand the feature (“Secure Networking”, for example) and have an accompanying logo. Apps that opt-in should get a badge in the App Store, and Apple should promote the feature, especially to enterprises.

One more thing: authorization should happen per domain.

Update (2017-08-24): John Gruber:

AccuWeather issued a statement regarding the controversy over their app sending location-identifying information to a monetization firm. It’s a veritable mountain of horseshit[…]


The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was.


In other words, Reveal Mobile makes money by revealing your location to retailers (anonymously, so they claim), and AccuWeather made money from Reveal by embedding their SDK in their app.

Update (2017-08-28): Dark Sky:

While the outrage may be warranted, the surprise shouldn’t be. This isn’t just a case of a single company monetizing their customer’s location data in a shady manner; it’s a much larger — and more widespread — phenomenon. How do I know? Because there are entire companies devoted to buying this very data from the countless apps that currently make use of location data, and they contact us all the freakin’ time.


Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.

Nick Heer:

Here’s the thing, though: Grossman’s suggested response has been in place for years. […] All Apple had to do in this case was enforce their own rules. I understand that something will occasionally slip through the cracks and it will sometimes be with a high-profile app, but this is really the sort of thing that should have been caught.

AccuWeather has removed Reveal Mobile but is now sending GPS coordinates to another company.

Product Graveyard

Product Graveyard commemorates “the most memorable products that have gone away” (via John Gordon).

Swift Local Refactoring

Xi Ge (via Argyrios Kyrtzidis):

Xcode 9 includes a brand new refactoring engine. It can transform code locally within a single Swift source file, or globally, such as renaming a method or property that occurs in multiple files and even different languages. The logic behind local refactorings is implemented entirely in the compiler and SourceKit, and is now open source in the swift repository. Therefore, any Swift enthusiast can contribute refactoring actions to the language. This post discusses how a simple refactoring can be implemented and surfaced in Xcode.

Tuesday, August 22, 2017

What You Can Learn From LockState

Mark Bessey:

The root cause of this incident was apparently that LockState had produced an update intended for one model of their smart locks, and somehow managed to send that to a bunch of locks that were a different model. […] It’s trivially-easy to avoid this issue, using a variety of different techniques. Something as simple as using a different file name for firmware for different devices would suffice. If not that, you can have a “magic number” at a known offset in the file, or a digital signature that uses a key unique to the device model.


Every remote firmware update process should have the ability to be tested internally via the same process end-users would use, but from a staging environment.


Tying into the previous point, wouldn’t it be great if you could measure the percentage of systems that were successfully updating, and automatically throttle the update process based on that feedback?

Cloudflare’s Lava Lamps

Katharine Schwab:

When you walk into the San Francisco office of the cloud network and security firm Cloudflare, you’re greeted by a receptionist–and a giant wall of 100 lava lamps. It isn’t just a throwback to the 1960s. The lava lamps act as a random number generator, helping to encrypt the requests that go through Cloudflare, which make up 10% of all internet requests.


Cloudflare turns the “Wall of Entropy” into encryption using a camera that photographs the wall every millisecond of every day of the year. Any one of the company’s systems can turn the display of pixels–which changes based on a multitude of factors, like the movement of the lava, the inclusion of anyone who’s walking by, and the shifting daylight–into random numbers.


In London, they use dual pendulums. While a single pendulum swinging back and forth is very predictable, mathematicians have shown that if you take a pendulum and hang another pendulum from it, you’ll create a system that no one has figured out how to model.

Swift 4: Synthesizing Equatable and Hashable Conformance


Developers have to write large amounts of boilerplate code to support equatability and hashability of complex types. This proposal offers a way for the compiler to automatically synthesize conformance to Equatable and Hashable to reduce this boilerplate, in a subset of scenarios where generating the correct implementation is known to be possible.


CrashPlan Discontinues Consumer Backups

CrashPlan (Hacker News, MacRumors, Reddit, 9to5Mac, Backblaze):

Thank you for being a CrashPlan® for Home customer. We’re honored that you’ve trusted us to protect your data.

It’s because of this trust that we want you to know that we have shifted our business strategy to focus on the enterprise and small business segments. This means that over the next 14 months we will be exiting the consumer market and you must choose another option for data backup before your subscription expires. We are committed to providing you with an easy and efficient transition.

They’re keeping the small business plan, which at $10/month is twice the cost of the individual version (which itself had gone up quite a lot in recent years). This is the only transition option that will preserve your years of backup history. If you switch to another provider and later find out that you need to restore a version of a file from 2016, you’re out of luck. Plus, depending on your data set and connection speed—my mother has less than 100 GB of data but only a DSL connection—it may take months just to upload the current versions of your files to another provider.

I’m not sure what differences there might be in switching to the business version, but based on the way the company has behaved I no longer want to rely on them. I would prefer to transition my family members to a service equivalent to CrashPlan Home, but there doesn’t seem to be one that’s good. (See the Backblaze and Carbonite caveats below.) Right now, the leading contender is probably Arq, which is a bit more complicated to set up and not as easy to remotely monitor, though probably cheaper in the long run.

For years, I’ve relied on CrashPlan both as an offsite backup and as a long-term history. I have a bunch of clone drives that I don’t rotate, so I have some ability to go back and get old files. But what I liked about CrashPlan was that it would let me go back and get any version of any file. That’s not easy to manage with local backups both because of the available software and the limited drive sizes.

After running into CrashPlan limitations a few months ago, I realized that I could no longer rely on it for long-term history and started using local Arq backups for that. However, I’d like to find another solution (other than clones and Time Machine, which corrupts itself too often) so that I don’t have all my eggs in one basket.

Joe Payne:

This is not an easy course of action for us at Code42 for a couple of reasons. First, we have consumers who love our CrashPlan for Home product and trust us every day to protect their personal files. Second, our number one core value at Code42 is “Put the Customer First” and our announcement today may seem to be at odds with that. But, it is precisely this core value that led us to the strategic decision to focus on business customers. And, in order to serve businesses well, we need to prioritize their needs–which have diverged from the needs of the consumer.


The benefit for our business customers is that we now have a singular focus on solving their complex data protection, security and compliance challenges. In addition, we will be able to accelerate our R&D investments that strengthen our technology foundation and further our data protection innovations.

Joe Kissell:

On 22 October 2018, the consumer version of the CrashPlan app will stop working entirely — that includes local and peer-to-peer backups. So, even if you weren’t backing up to CrashPlan Central (Code42’s cloud storage space for consumers), you won’t be able to keep using the CrashPlan app.


Code42 offers a discount on a Carbonite subscription, along with assistance in migrating to Carbonite. […] Unfortunately, while Carbonite is not bad on Windows, I would not recommend it to Mac users, because the Mac version offers neither versioning nor the option to use a personal encryption key. Plus, Carbonite artificially restricts upstream bandwidth, making it significantly slower than many competitors.


Backblaze is fast, reliable, and secure, and it costs $5 per month per computer. […] Backblaze stores deleted files and older versions of files for only 30 days, whereas CrashPlan lets you keep them indefinitely.


As angry as I am about this news, I’m livid about being misled.

Over the past few years, Code42 has made several moves that, in retrospect, were the proverbial writing on the wall. […] Each time one of these things happened, I wrote to my contacts at Code42, who downplayed the significance of these changes and assured me, repeatedly, of their ongoing commitment to the consumer market.

Update (2017-08-24): Peter Cohen:

Look, not to go all Fox Mulder here, but Crashplan’s consumer product pullout demonstrates an important principle: You can’t trust anyone when it comes to the safety of your data.

That’s why your first defense against data loss should be the local backup. Preferably multiple copies, but that amount of redundancy may not be for everyone. But don’t trust yourself. Find an offsite service that you trust to store your data. Use them as a secondary line of defense.

Storing your valuable data in the cloud is an excellent backup practice. Just don’t make it your only one.

Update (2017-08-28): See also: Backblaze (FAQ, tweet), Retrospect.

Charles Perry:

If @crashplan had simply raised prices, I would have paid. But if I have to redesign my backup strategy anyway, I might as well shop around.

Update (2017-08-29): See also: MacVoices.

Update (2017-09-04): One great feature of CrashPlan was the regular e-mails telling me when each Mac last backed up and how much data had been copied. Unfortunately, the e-mail that I got from Backblaze was actually misleading. About two weeks after removing the Backblaze trial from my Mac, I got an e-mail telling me that my files “are automatically being backed up.”

This is a good MacInTouch thread about Backblaze, CrashPlan, and Retrospect (via John Gordon).

Update (2017-10-03): Joe Kissell:

After carefully comparing 19 services and testing six, we believe that Backblaze (currently $50 per year per computer) is the best online backup service for most people, as it offers a great combination of useful features, unlimited storage, and excellent performance at an attractive price—the proverbial cost of a latte per month. Backblaze offers fast, reliable backups, as well as the simplest setup process I’ve seen and a number of nice touches.


Runner-up IDrive is more expensive than Backblaze and offers only 2 TB of storage, but it lets you back up from or to network volumes, offers indefinite retention of deleted files and old versions of files, lets you seed an initial backup at no charge, and provides the fastest throughput of any service in our test group. If Backblaze isn’t suitable for your needs and you’re willing to spend a bit more, IDrive may be an excellent choice.

Monday, August 21, 2017

iTunes U Collections Are Moving to Apple Podcasts

John Voorhees:

Apple has announced that in September, when iTunes 12.7 is released, it will migrate iTunes U collections to Apple Podcasts. iTunes U courses will be available only through the iTunes U app on iOS.

iTunes U was launched in 2007 to offer downloadable collections of free educational content through the iTunes Store. In 2012, Apple introduced the iTunes U iOS app, which allowed educators to create iTunes U courses that go beyond audio and video by incorporating handouts, homework, quizzes, ebooks, and other content. Although courses are currently listed alongside collections in iTunes on macOS, courses are designed to work best in the iTunes U app, which is iOS-only.

This may break some courses, since it’s not clear whether Apple Podcasts supports ePub files. The audio will still be available in iTunes for Mac, as there is no Mac version of Apple Podcasts, but the Mac version of iTunes will lose the ability to view the course materials.

iMessage’s Popularity Among US Teens

Giuseppe Stuto (via Dan Masters):

The Piper Jaffrey data shows how commanding iPhones are in today’s smartphone landscape for teens. This is in line with our various surveying here at Fam, in which we have approximated over the past year that 75% of US teens use iPhones. In terms of why this may be the case, there are several factors to consider: design, iTunes, network effects, and of course what we believe to be the most important one, iMessage.


iMessage is a pre-installed platform on every single iPhone so obviously it will naturally have a ton of engagement. But it being pre-installed should not be a reason to discount it, especially when taking into account the level of saturation within the Gen-Z demographic and its dynamic user experience to date (relative to traditional SMS). Of course this is more of a subjective premise, however, after first hand observing how teens use iMessage over the past few years it is clear that they treat it as much more than a basic text message delivery service. It’s the center of their mobile social life, whether they themselves realize that or not.

Update (2017-08-23): John Gruber:

Here’s a Reddit thread chock full of anecdotes about how dominant iMessage and iPhones are among US teens.

Update (2017-10-23): Owen Williams:

It turned out that the only excuse I had for staying in Apple’s ecosystem was quite literally iMessage and that ditching it didn’t matter at all. If that was the only thing stopping me from switching to a Pixel 2, it was a pretty dumb excuse, and one that only self-reinforced over time.


The beauty of 2017 is that it really doesn’t matter — everyone’s on everything anyway, and if you really can’t reach them there’s always *gasp* SMS there to save the day. Almost everyone you know is on Facebook Messenger and WhatsApp, and for the others there’s Signal, Allo, Telegram, Slack, whatever.

Why Is ARKit Better Than the Alternatives?

Matt Miesnieks (via iOS Dev Weekly):

To get 3D you need to have 2 views of a scene from different places, in order to do a stereoscopic calculation of your position. This is how our eyes see in 3D, and why some trackers rely on stereo cameras. It’s easy to calculate if you have 2 cameras as you know the distance between them, and the frames are captured at the same time. With one camera, you capture one frame, then move, then capture the second frame. Using IMU Dead Reckoning you can calculate the distance moved between the two frames and then do a stereo calculation as normal (in practice you might do the calculation from more than 2 frames to get even more accuracy). If the IMU is accurate enough this “movement” between the 2 frames is detected just by the tiny muscle motions you make trying to hold your hand still! So it looks like magic.

To get metric scale, the system also relies on accurate Dead Reckoning from the IMU. From the acceleration and time measurements the IMU gives, you can integrate backwards to calculate velocity and integrate back again to get distance traveled between IMU frames. The maths isn’t hard. What’s hard is removing errors from the IMU to get a near perfect acceleration measurement. A tiny error, which accumulates 1000 time a second for the few seconds that it takes you to move the phone, can mean metric scale errors of 30% or more. The fact that Apple has got this down to single digit % error is impressive.


Google also could easily have shipped Tango’s VIO system in a mass market Android phone over 12 months ago, but they also chose not to. If they did this, then ARKit would have looked like a catch up, instead of a breakthrough. I believe (without hard confirmation) that this was because they didn’t want to have to go through a unique sensor calibration process for each OEM, where each OEMs version of Tango worked not as well as others, and Google didn’t want to just favor the handful of huge OEMs (Samsung, Huawei etc) where the device volumes would make the work worthwhile. Instead they pretty much told the OEMs “this is the reference design for the hardware, take it or leave it”.


So ultimately the reason ARKit is better is because Apple could afford to do the work to tightly couple the VIO algorithms to the sensors and spend *a lot* of time calibrating them to eliminate errors / uncertainty in the pose calculations.

When Exactly Will the Eclipse Happen?

Stephen Wolfram:

The answer, I think, is well enough that even though the edge of totality moves at just over 1000 miles per hour it should be possible to predict when it will arrive at a given location to within perhaps a second. And as a demonstration of this, we’ve created a website to let anyone enter their geo location (or address) and then immediately compute when the eclipse will reach them—as well as generate many pages of other information.


These days it’s easy to find out when the next solar eclipse will be; indeed built right into the Wolfram Language there’s just a function that tells you (in this form the output is the “time of greatest eclipse”)[…]


I have to say that I consider Newton in a sense very lucky. It could have been that it wouldn’t have been possible to work out anything interesting from his theory without encountering the kind of difficulties he had with the motion of the Moon—because one would always be running into computational irreducibility. But in fact, there was enough computational reducibility and enough that could be computed easily that one could see that the theory was useful in predicting features of the world (and not getting wrong answers, like with the apse of the Moon)—even if there were some parts that might take two centuries to work out, or never be possible at all.

Friday, August 18, 2017

Concurrency in Swift: One Possible Approach

Chris Lattner (tweet):

We focus on task-based concurrency abstractions commonly encountered in client and server applications, particularly those that are highly event driven (e.g. responding to UI events or requests from clients). This does not attempt to be a comprehensive survey of all possible options, nor does it attempt to solve all possible problems in the space of concurrency. Instead, it outlines a single coherent design thread that can be built over the span of years to incrementally drive Swift to further greatness.


Modern Cocoa development involves a lot of asynchronous programming using closures and completion handlers, but these APIs are hard to use. This gets particularly problematic when many asynchronous operations are used, error handling is required, or control flow between asynchronous calls is non-trivial. […] Error handling is particularly ugly, because Swift’s natural error handling mechanism cannot be used.


Asynchrony is the next fundamental abstraction that must be tackled in Swift, because it is essential to programming in the real world where we are talking to other machines, to slow devices (spinning disks are still a thing!), and looking to achieve concurrency between multiple independent operations. Fortunately, Swift is not the first language to face these challenges: the industry as a whole has fought this dragon and settled on async/await as the right abstraction. We propose adopting this proven concept outright (with a Swift spin on the syntax). Adopting async/await will dramatically improve existing Swift code, dovetailing with existing and future approaches to concurrency.

The next step is to define a programmer abstraction to define and model the independent tasks in a program, as well as the data that is owned by those tasks. We propose the introduction of a first-class actor model, which provides a way to define and reason about independent tasks who communicate between themselves with asynchronous message sending. The actor model has a deep history of strong academic work and was adopted and proven in Erlang and Akka, which successfully power a large number of highly scalable and reliable systems. With the actor model as a baseline, we believe we can achieve data isolation by ensuring that messages sent to actors do not lead to shared mutable state.

Previously: Swift: Challenges and Opportunity for Language and Compiler Research, Python 3.5: async and await, C# 5.0’s async.

Update (2017-09-11): See also: Swift Unwrapped.

iPhone Secure Enclave Firmware Key Found

David Schuetz (Hacker News):

Earlier today, it was reported that a hacker/researcher called “xerub” had released the encryption key, and tools to use it, for the firmware that runs the Secure Enclave Processor (SEP) on iPhone 5S. Reporting was…breathless. Stories suggested that this move was “destroying key piece of iOS mobile security,” and that we should “be on the lookout for Touch ID hacks” and “password harvesting scams.”

Is it really that bad? No, not really.


What was released today was the key to decrypt that firmware, but not a key to decrypt the region of disk used by the SE to store data. So now we can actually reverse-engineer the SE system, and hopefully gain a much better understanding of how it works. But we can’t decrypt the data it processes.

Gab App Rejected by Google (and Apple)

Timothy B. Lee:

On Thursday, Gab said that Google had banned its Android app from the Google Play Store for violating Google’s ban on hate speech.

Google’s e-mail doesn’t explain how Gab violated Google’s rules, and the company’s policy on the topic isn’t very specific. It says only that “We don’t allow apps that advocate against groups of people based on their race or ethnic origin, religion, disability, gender, age, nationality, veteran status, sexual orientation, or gender identity.”


Google is following in Apple’s footsteps here. Apple has long had more restrictive app store policies, and it originally rejected the Gab app for allowing pornographic content to be posted on the service—despite the fact that hardcore pornography is readily available on Twitter. In a second rejection, Apple faulted the app for containing content that was “defamatory or mean-spirited”—Apple’s version of the hate speech rule.

My understanding is that Gab is a social network/platform, with all the content/speech/advocacy generated by users. So these rejections don’t make much sense to me. I don’t think an app developer should be held responsible for the content of messages that the app’s users send to one another.

And look at the larger context of apps that are approved. Twitter, Facebook, Reddit, etc. have policies to restrict certain kinds of content, but in practice all manner of violations and abuse still occur. Those apps are not in any danger of being rejected. How are they different from Gab, or, other than being too big to ban?

There are also Web browser, e-mail, RSS, and podcast apps that provide access to totally unfiltered content—including from Gab’s site. And there are secure messaging apps that only transmit opaque encrypted content.

Banning apps based on user content seems to only inconvenience users without really protecting them, anyway.

Update (2017-08-18): Google clarified:

In an email to Ars, Google explained its decision to remove Gab from the Play Store: “In order to be on the Play Store, social networking apps need to demonstrate a sufficient level of moderation, including for content that encourages violence and advocates hate against groups of people. This is a long-standing rule and clearly stated in our developer policies.

Apple’s guidelines say:

Apps with user-generated content present particular challenges, ranging from intellectual property infringement to anonymous bullying. To prevent abuse, apps with user-generated content or social networking services must include:

  • A method for filtering objectionable material from being posted to the app
  • A mechanism to report offensive content and timely responses to concerns
  • The ability to block abusive users from the service
  • Published contact information so users can easily reach you

Apps with user-generated content or services that end up being used primarily for pornographic content, objectification of real people (e.g. “hot-or-not” voting), making physical threats, or bullying do not belong on the App Store and may be removed without notice. If your app includes user-generated content from a web-based service, it may display incidental mature “NSFW” content, provided that the content is hidden by default and only displayed when the user turns it on via your website.

App Review listed some additional requirements:

[We] require that you act on objectionable content reports within 24 hours by removing the content and ejecting the user who provide the offending content.

This is rather vague. Who determines what’s objectionable? How many reports do you need to get before ejecting the user? How does Apple determine whether you are getting reports or acting on them? Obviously, there is lots of objectionable content on other social networks that remains for more than 24 hours.

Phil Schiller says:

“The App Store does not review or reject apps for political views. The App Store will not distribute apps designed to promote racism, pornography, or hatred.”

I’m not sure what “designed to promote” means here, since those things seem to be prohibited by Gab’s guidelines, which are not as different from Twitter’s as I expected.

Gab’s mission is to put people and free speech first. We believe that the only valid form of censorship is an individual’s own choice to opt-out. Gab empowers users to filter and remove unwanted followers, words, phrases, and topics they do not want to see in their feeds. However, we do take steps to protect ourselves and our users from illegal activity, spam, and abuse.


Users are prohibited from calling for the acts of violence against others, promoting or engaging in self-harm, and/or acts of cruelty, threatening language or behaviour that clearly, directly and incontrovertibly infringes on the safety of another user or individual(s).

Gab said in January that they try to enforce the guidelines but that it’s physically impossible to act within 24 hours or to know about violations that users don’t flag.

However, a little later Andrew Torba seemed to change their stance:

We refuse to “eject users” who post “offending content.”

And that makes Gab clearly in violation of Apple’s (unwritten) rules.

Update (2017-08-28): Alex Tabarrok:

I also fear that Google and Apple haven’t thought very far down the game tree. One of the arguments for leaving the meta-platforms alone is that they are facially neutral with respect to content. But if Google and Apple are explicitly exercising their power over speech on moral and political grounds then they open themselves up to regulation. If code is law then don’t be surprised when the legislators demand to write the code.

iOS 11’s Emergency SOS Feature

Juli Clover:

Emergency SOS is activated by pressing on the sleep/wake button of an iPhone five times in rapid succession. When the requisite number of presses is complete, it brings up a screen that offers buttons to power off the iPhone, bring up your Medical ID (if filled out) and make an emergency 911 call.

Along with these options, there’s also a cancel button. If you hit the sleep/wake button five times and then hit cancel, it disables Touch ID and requires a passcode before Touch ID can be re-enabled. Touch ID is also disabled if you actually make an emergency call.

I presume this is so that people can’t get into your phone after you call 911 and pass out. However, it’s also a way to temporarily disable Touch ID, so you can’t be forced to unlock your phone.

Thursday, August 17, 2017

New Google Docs Features Power Team Collaboration

Birkan Icacan:

Today, we’re introducing new updates to better help with “version control,” to customize tools for your workflows, and to help teams locate information when they need it.


Being able to assign custom names to versions of your document is a great way to keep a historical record of your team’s progress. It’s also helpful for communicating when a document is actually final. You can organize and track your team’s changes in one place under “Version history” (formerly known as “Revision history”) on the web. Select File > Version history > Name current version. For even quicker recall, there’s an option to select “Only show named versions” in Docs, Sheets or Slides.


Compare documents and review redlines instantly with Litera Change-Pro or Workshare Add-ons in Docs.


Teams use templates in Docs and Sheets to save time on formatting. At the same time, developers are building add-ons to customize functionality. We thought, why not bring these two together? That’s why today, we’re introducing new templates with built-in add-ons and the ability to create your own, so your templates not only look good—but they make sure the work gets done.

The Life, Death, and Legacy of iPhone Jailbreaking

Lorenzo Franceschi-Bicchierai and Brian Merchant (via Zac Cichy):

The world’s first jailbreaking step-by-step procedure, discovered in 2007, was posted online for all to see. Subsequent jailbreaks were used by millions of people. At one point, there was even a website—called—that was free for all to use and jailbroke your phone simply by visiting it.


Things, however, have changed. The jailbreaking community is fractured, with many of its former members having joined private security firms or Apple itself. The few people still doing it privately are able to hold out for big payouts for finding iPhone vulnerabilities. And users themselves have stopped demanding jailbreaks, because Apple simply took jailbreakers’ best ideas and implemented them into iOS.


“What do you get in the end?” he asks. “It used to be that you got killer features that almost were the reason you owned the phone. And now you get a small minor modification.”

“That turns into, like, a death spiral, where when you get fewer people bothering to jailbreak you get fewer developers targeting interesting things, which means there’s less reasons for people to jailbreak,” he added. “Which means there’s fewer people jailbreaking, which causes there to be less developers bothering to target it. And then you slowly die.”

Update (2017-10-16): Tim Jackson:

Here is an admission in black and white that prominent members of the jailbreaking community are giving up on attacking iOS devices. Apple created a system where their engineers, like soldiers in a castle under siege, were able to outlast the besieging army; throwing back assault after assault, until the attackers, deciding the siege was no longer worthwhile, packed up and headed home.

Ten years ago, finding a jailbreak was fairly doable, though it required skill. As iOS jailbreaks became harder to find, however, they became more valuable. Zerodium publicly announced it would pay $1 million, now increased to $1.5 million, for a remote jailbreak flaw (e.g. remote code execution) on iOS. This effectively priced the jailbreak community out of the market for iOS vulnerabilities. Markets only assign commodities such value when they are rare and difficult to obtain. If somehow you remain unconvinced, consider that the last publicly available untethered (e.g. persistent across reboots) jailbreak was discovered over a year ago, and was part of the government-quality attack tool Pegasus. The current generation of jailbreaks require the user to run a jailbreak app every time they reboot.

Bit Twiddling Hacks

Sean Eron Anderson (Reddit, Hacker News) has a long list of code snippets:

As of May 5, 2005, all the code has been tested thoroughly. Thousands of people have read it. Moreover, Professor Randal Bryant, the Dean of Computer Science at Carnegie Mellon University, has personally tested almost everything with his Uclid code verification system. What he hasn’t tested, I have checked against all possible inputs on a 32-bit machine.

It sounds like they’re correct, but that since the list dates to 2005 the performance characteristics may have changed.

Wednesday, August 16, 2017

CS Papers I Like

Fabian Giesen (tweet):

One thing I noticed while writing the list is that the kind of paper I like most is those that combine solid theory with applications to concrete problems. You won’t find a lot of pure theory or pure engineering papers here. This is also emphatically not a list of “papers everyone should read” or any such nonsense. These are papers I happen to like, and if you share some of my interests, I think you’ll find a lot to like in them too.

See also: Part 2.

Update (2017-09-11): See also: Part 3, Part 4, Part 5.

An Aside About flatMap and Monads

Matt Gallagher:

The way Haskell deals with these problems is that you can interact with these services freely but you never get access to the result. Instead, you get a container (an IO monad) that you can never unwrap. If you never unwrap a container containing side effects, then you remain free from the impact of those side effects – your actions remain the same regardless of whether the container holds a fully parsed data structure or a file-not-found error.

How can you handle a container that you can never unwrap? With transformations like map, of course. A map transformation in Haskell is effectively your code telling the runtime system: please look inside the container for me and should the container contain a value, then apply this function.


A true monad transformation requires that all the container types involved be the same kind - a restriction which is not enforced, here. This [Swift] flatMap function operates on any Sequence, produces a second Sequence kind that isn’t necessarily the same as the first and returns the concatenation as an Array. This function is only a monad if both the Sequence arguments are Array. All other usage of this function results in not-a-monad.


For the purpose of flatMap, it appears that Optional is treated as a collection and is permitted to be mixed and matched like any other collection. This bothers some people but personally, I think it makes sense. I’ve always been more concerned by the naming problem caused by the fact that flatMap(x) needs to be read backwards. The function is really flatten(map(x)) – a map and then a flatten – which would be more correctly transcribed as mapFlatten.

Tuesday, August 15, 2017

Tech Companies Fighting for User Privacy


The request from the DOJ demands that DreamHost hand over 1.3 million visitor IP addresses — in addition to contact information, email content, and photos of thousands of people — in an effort to determine who simply visited the website. (Our customer has also been notified of the pending warrant on the account.)

That information could be used to identify any individuals who used this site to exercise and express political speech protected under the Constitution’s First Amendment.


As we do in all such cases where the improper collection of data is concerned, we challenged the Department of Justice on its warrant and attempted to quash its demands for this information through reason, logic, and legal process.

Mitchel Broussard:

Apple, Twitter, Snap, Facebook, Microsoft, and a collection of other technology companies have filed a legal brief this week, aimed at the Fourth Amendment and its “rigid analog-era” protections that lag behind protecting users in the modern age (via Reuters).

Update (2017-08-23): Kate Conger:

The US Department of Justice is rescinding its request for IP logs that would have revealed visitors to a website used to plan a protest during Donald Trump’s inauguration.

Update (2017-08-24): Robert Iafolla:

A District of Columbia Superior Court judge on Thursday approved a government warrant seeking data from an anti-Trump website related to Inauguration Day protests, but he added protections to safeguard “innocent users.”

Some on Hacker News think this may be related to the DDoS that DreamHost is currently experiencing.

Update (2017-08-28): See also: these two DreamHost posts and The Register.

Update (2017-10-11): DreamHost:

Under this order, we now have the ability to redact all identifying information and protect the identities of users who interacted with before handing over any data to the court. Chief Judge Morin acknowledged that the government “does not have the right to rummage through the information contained on DreamHost’s website” to “discover the identity of . . . individuals not participating in alleged criminal activity.”


As it stands today, the sum total of requested data in this case very closely aligns with hundreds of other government requests that DreamHost has received, and complied with lawfully, in the past.

We do not intend to appeal the court’s ruling.

Tech Companies Refusing DNS Service to Daily Stormer

Katie Mettler:

After months of criticism that GoDaddy was providing a platform for hate speech, the Web hosting company announced late Sunday that it will no longer house the Daily Stormer, a neo-Nazi website that promotes white supremacist and white nationalist ideas.


“Given The Daily Stormer’s latest article comes on the immediate heels of a violent act, we believe this type of article could incite additional violence, which violates our terms of service,” Race wrote in the email.


GoDaddy has previously said that the content, however “tasteless” and “ignorant,” is protected by the First Amendment. The company told the Daily Beast in July that a Daily Stormer article threatening to “track down” the family members of CNN staffers did not violate Domains by Proxy’s terms of service.

Russell Brandom (Hacker News):

Just hours after being dropped by GoDaddy, prominent white nationalist publication The Daily Stormer attempted to find a home at Google. As of press time, the site’s registration info pointed to, indicating the web giant had taken over services as registrar.

Shortly after the switch was noticed, Google announced plans to drop the site. “We are cancelling Daily Stormer’s registration with Google Domains for violating our terms of service,” the company said in a statement. Later in the day, Google also banned The Daily Stormer from YouTube, according to Bloomberg.

Common carrier laws do not apply to DNS or Web hosting.

GoDaddy’s terms of service state in part:

You will not use this Site or the Services in a manner (as determined by GoDaddy in its sole and absolute discretion) that:

  • Is illegal, or promotes or encourages illegal activity;
  • Promotes, encourages or engages in child pornography or the exploitation of children;
  • Promotes, encourages or engages in terrorism, violence against people, animals, or property;

Google’s term of service don’t seem to have anything that specific, but they do include a sort of catch-all:

Google may accept or reject Registrant’s application for registration or renewal for any reason at its sole discretion[…].

In a way, this is disappointing because you can’t see where and how they would draw the line. On the other hand, this is the first I’ve heard of any companies refusing DNS service, and I don’t expect to see a slippery slope where lots of sites have to worry about this. I imagine that GoDaddy’s actual policy is that it’s all at their sole discretion, anyway. I seriously doubt they would reinstate service if the particular offending article were removed, nor do they want to have to continuously monitor the content of new articles.

Update (2017-08-15): Joseph Cox:

Early Tuesday morning, users on Twitter started sharing a link for a dark web version of the Daily Stormer. Searches for the URL of the site returned no results on Google, indicating that the site may be newly created. (Although the content of dark web sites themselves may not be cached by Google, many sites maintain collections of addresses for Tor hidden services, which are catalogued by the search engine.)


Running as a Tor hidden service means the site will be largely immune to some of the issues the Daily Stormer has faced over the past few days. It doesn’t rely on a domain registrar, such as GoDaddy or Google, so those companies can’t decide to stop providing services. And it is typically not possible to see what company is providing web servers to the site itself, making it unclear where to direct any complaints or takedown requests.

Keith Collins:

Other tech companies have also made moves against the far right: Airbnb banned users it suspected were traveling to attend the rally, while Discord, a chat service for online gamers, shut down a server and some accounts used for spreading extremist views.


Cloudflare acts as a shield between websites and the outside world, protecting them from hackers and preserving the anonymity of the sites’ owners. But Cloudflare is not a hosting service: It does not store website content on its servers. And that fact, as far as the company is concerned, exempts it from judgment over who its clients are—even if those clients are literally Nazis.


Cloudflare’s indiscriminate approach to its clients appeals not only to neo-Nazis, but also to another set of bad actors: websites that provide illegal hacking services.

Update (2017-08-16): See also: Hacker News.

Update (2017-08-17): Juli Clover:

Apple has disabled Apple Pay support on websites selling white nationalist and hate group apparel and accessories, reports BuzzFeed.

Matthew Prince (via Hacker News):

Earlier today, Cloudflare terminated the account of the Daily Stormer. We’ve stopped proxying their traffic and stopped answering DNS requests for their sites. We’ve taken measures to ensure that they cannot sign up for Cloudflare’s services ever again.

Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.


The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline. In fact, in the case of the Daily Stormer, the initial requests we received to terminate their service came from hackers who literally said: “Get out of the way so we can DDoS this site off the Internet.”


In a not-so-distant future, if we’re not there already, it may be that if you’re going to put content on the Internet you’ll need to use a company with a giant network like Cloudflare, Google, Microsoft, Facebook, Amazon, or Alibaba. […] Without a clear framework as a guide for content regulation, a small number of companies will largely determine what can and cannot be online.

Update (2017-08-18): John Gruber:

Prince’s thoughtful explanation makes clear that this was a last resort, and hopefully one-time exception, to their policy of not censoring sites over political content.

Nick Heer:

We have replaced many of the rights afforded to us in our own jurisdictions with the rights given to American companies.


Even for free speech advocates, this situation is deeply fraught with emotional, logistical, and legal twists and turns. All fair-minded people must stand against the hateful violence and aggression that seems to be growing across our country. But we must also recognize that on the Internet, any tactic used now to silence neo-Nazis will soon be used against others, including people whose opinions we agree with.


These are methods that protect us all against overbroad or arbitrary takedowns. It’s notable that in GoDaddy and Google’s eagerness to swiftly distance themselves from American neo-Nazis, no process was followed; CloudFlare’s Prince also admitted that the decision was “not CloudFlare’s policy.” Policies give guidance as to what we might expect, and an opportunity to see justice is done. We should think carefully before throwing them away.

Update (2017-08-21): Richard Kirkendall (via Hacker News):

At Namecheap, we see both sides of the free speech consideration. On the one hand, we cannot be the ones censoring content, unpopular though it may be. On the other hand, and without question, the content appearing on the is highly offensive, even more so in light of the recent events in Charlottesville, VA.


So, the question, as I see it, is whether deletion of these domains contradicts our core principle of advocacy of free speech? In this particular case, I state that the answer is “No.”


But is this the right thing for freedom of speech and should a registrar be the one making this decision? I don’t think so. In a perfect world, a registrar should be able to remain neutral in these situations regardless of public opinion but the fact of the matter is that this cannot happen in reality. Any business cannot operate under these circumstances due to the mob mentality and the nature of our current politics.

Update (2017-08-22): Tor (tweet):

We are disgusted, angered, and appalled by everything these racists stand for and do. We feel this way any time the Tor network and software are used for vile purposes. But we can't build free and open source tools that protect journalists, human rights activists, and ordinary people around the world if we also control who uses those tools. Tor is designed to defend human rights and privacy by preventing anyone from censoring things, even us.

Update (2017-11-27): Ernesto Van der Sar (via Hacker News):

Adult entertainment publisher ALS Scan wants to depose Cloudflare CEO Matthew Prince. The company is involved in a piracy liability battle with the CDN provider and brought up the recent decision to terminate the account of neo-Nazi site Daily Stormer as key evidence in the case.

F.lux 4

f.lux Software (via Hacker News):

Now f.lux can adapt to your schedule, so by telling it when you wake up, f.lux will automatically adjust throughout the seasons to help you synchronize to the day.

We’ve also tried to explain a really big topic: how light affects your body. So there are some numbers in f.lux now that indicate how bright your screen is, compared to standing outside on a bright day.

We’ve improved performance, so f.lux will have much less impact on your system and on games especially.

I never really used the more advanced features, so I’ve been pretty happy with Night Shift.

Update (2017-08-17): Ashley Bischoff:

For what it’s worth, it looks like F.lux 4 has only been released for Windows so far.

Modeling Implicit View Behaviors

Jared Sinclair:

The most critical reason why UI testing wasn’t the right choice for us is that it doesn’t make it easier to avoid breaking implicit behaviors in the first place. Over time, conditional statements pile up until it isn’t obvious from the code itself what the expected behaviors are. If a developer needs to make a change, it can be difficult to know where to begin and how to avoid introducing regressions. On our project, we sought an approach that substituted implicit behaviors with explicit behavior modeling — value types that can be passed between components and verified for correctness at compile time and in unit tests.


The evaluator returns three things: 1) an updated model, 2) a set of UI updates, and 3) a set of actions. The core replaces its current model with the updated model and performs all the actions in the actions set (if any). Lastly it forwards the UI update instructions to the view controller via a delegate protocol.


Because all the decision-making occurs inside the evaluator, and because the evaluator is a purely functional creature operating only on its inputs and always returning a value, we were able to unit test the evaluator for every event under all relevant conditions. Every property on the model struct — which is a comprehensive representation of the status of the entire system — is a value type, so it was trivial to establish special conditions for each test. As we discovered edge cases and added new features, we were able to extend the evaluator’s implementation and know immediately whether we had introduced any regressions.

Update (2017-08-16): See also: Andy Matuschak.

Monday, August 14, 2017


Mike Ash:

In order to work with C APIs, we sometimes need to convert Swift object references to and from raw pointers. […] You can do this with unsafeBitCast, although I strongly recommend against it.


To create the Unmanaged value, use fromOpaque. Unlike passRetained and passUnretained, you must specify the generic type for Unmanaged when using fromOpaque so that the compiler knows which class you're expecting to receive.

Once you have the Unmanaged value, you can get a reference out of it. Using takeRetainedValue will perform an unbalanced release, which will balance an unbalanced retain previously performed with passRetained, or by C code which confers ownership on your code. Using takeUnretainedValue will obtain the object reference without performing any retain or release.


To retrieve a reference from C into Swift code, you create an Unmanaged value from the raw pointer, then take a reference from it. There are two ways to take a reference: one which consumes an unbalanced retain, and once which performs no memory management.

Previously: Swift 3.0 Unsafe World.


Chris Campbell:

While working on the next major version of VoodooPad, an observation was made: user interfaces are basically just bidirectional transformation functions, taking data from some source and presenting it to the user, and vice versa. It sounds so simple when boiled down like that, but the reality of app development is a different story, often filled with twisty, error-prone UI code, even with the help of functional programming aids (e.g. Rx and its ilk). A question then emerged: can we build a library that allows us to express those transformations in a concise way, with an eye towards simplifying app development?

PLRelational is our (exploratory) answer to that question. At its core, PLRelational is a Swift framework that allows you to:

  • declaratively express relationships using relational algebra
  • asynchronously query and update those relations
  • observe fine-grained deltas when a relation’s data has changed

Update (2017-08-28): Mike Ash:

This article will give an overview of the basics of relational algebra in a way that programmers can easily understand, aimed at explaining the foundations that PLRelational is built on. Terminology will match what PLRelational uses.

Update (2017-08-31): Chris Campbell:

Before looking into all the goodies that PLRelational and PLRelationalBinding have to offer, it helps to first understand how the core Relation classes compute and deliver changes.

Update (2017-09-11): Mike Ash:

We’ve been talking a lot lately about PLRelational and all the fancy stuff it does. However, we’ve been glossing over a fundamental part of it: how it actually stores data. After all, PLRelational is a data persistence framework at its core.

A Brief History of the UUID

Rick Branson (via Hacker News):

[Apollo’s] NCS introduced the concept of the UID (Universal IDentifier), which served as the unique primary identity for entities. UIDs are 64-bit numbers that combine a monotonic clock with a unique host ID permanently embedded in the hardware of all of their workstations. Under this scheme, identifiers could be generated thousands of times per second at each host and remain globally unique for all time with no scaling bottleneck. The only point of coordination was at Apollo’s factories — where the machines were permanently branded with their respective identifiers.


NCA introduced UUIDs, which built on the UID design, but accommodated a broader range of vendors by extending the number space to 128-bits. Thus the UUID was born. This concept was so useful that even after NCA became a distant memory and RPC fell out of fashion, the UUID remained popular, eventually being standardized by ISO, IETF, and ITU.


As the untrustworthy Internet became the dominant networking platform, UUID generation which depended on trust became obsolete. All of these concerns have lead most to abandon leveraging hardware identifiers in UUIDs.


Later on Paul went on to Microsoft, and I’m fairly certain that it was due to Paul that Microsoft adopted the OSF DCE RPC layer for its internal use, and UUID’s started being used extensively inside Microsoft. UUID’s also got used in Intel’s EFI specification for the GPT partition table, although somewhere along the way they got renamed “Globally Unique ID’s” --- it’s the same spec, though.


As far as uuidd is concerned, the reason why it exists is because a certain very large Enterprise Resource Planning system was using libuuid to generate uuid’s for its objects, and it needed to create them very, very quickly so they can initalize the customer’s ERP database in finite time. They were also using the time-based UUID’s, with the UUID stored in the database with the bytes cleverly rearranged so the time bits would be stored in the LSB, and the Ethernet MAC address would be in the MSB, so that a database using a B-tree (plus prefix key compression) for its indexing would be able to very efficiently index the UUID’s. This is similar to k-ordering trick that Flake was using, but this very large enterprise planning company was doing in 2007, five years before team at Boundary came up with Flake, and they were doing it using standard UUID’s, but simply storing the Time-based UUID bytes in a different order. (I believe they were also simply storing the ID in binary form, instead of base-62 encoding, since if you’re going to have jillions of objects in your ERP database, you want them to be as efficient as possible.)

Anyway, a certain Linux distribution company contacted me on behalf of this very large Enterprise Resource Planning company, and we came up with a scheme where the uuidd daemon could issue blocks of time-based UUID’s to clients, so we could amortize the UUID generation over blocks of 50 or 100 UUID’s at a time. (This ERP was generating a huge number of UUID’s.) I did it as a freebie, because I was tickled pick that libuuid was such a critical part of a large ERP system, and it wasn’t that hard to implement the uuidd extension to libuuid.

Classic Game Postmortem: Oregon Trail

Game Developers Conference (via Avi Drissman):

In this GDC 2017 postmortem, Oregon Trail creator Don Rawitsch sets off on a journey to explore the development of this classic educational game that took the world by storm.

Friday, August 11, 2017

HyperCard on the Internet Archive

Jason Scott (Hacker News):

Flourishing for the next roughly ten years, HyperCard slowly fell by the wayside to the growing World Wide Web, and was officially discontinued as a product by Apple in 2004. It left behind a massive but quickly disappearing legacy of creative works that became harder and harder to experience.

To celebrate the 30th anniversary of Hypercard, we’re bringing it back.

After our addition of in-browser early Macintosh emulation earlier this year, the Internet Archive now has a lot of emulated Hypercard stacks available for perusal, and we encourage you to upload your own, easily and quickly.

Phil Schiller:

Celebrating #HyperCard (I created some insane stacks in the day…)

As an Apple II user, I was surprised that Macs didn’t have BASIC built-in. I ended up liking HyperTalk fine, and HyperCard was a great environment for writing little programs, making quick user interfaces, and building presentations and databases.

Update (2017-08-12): See also: Jonathan Wight, Alan Storm, Chris Espinosa, Thomas Brand, Bill Bumgarner, Mouse Reeve.

Safari Should Display Favicons in Its Tabs

John Gruber:

Once Safari gets to a dozen or so tabs in a window, the left-most tabs are literally unidentifiable because they don’t even show a single character of the tab title. They’re just blank. I, as a decade-plus-long dedicated Safari user, am jealous of the usability and visual clarity of Chrome with a dozen or more tabs open. And I can see why dedicated Chrome users would consider Safari’s tab design a non-starter to switching.

I don’t know what the argument is against showing favicons in Safari’s tabs, but I can only presume that it’s because some contingent within Apple thinks it would spoil the monochromatic aesthetic of Safari’s toolbar area. I really can’t imagine what else it could be. I’m personally sympathetic to placing a high value on aesthetics even when it might come at a small cost to usability. But in this case, I think Safari’s tab design — even if you do think it’s aesthetically more appealing — comes at a large cost in usability and clarity. The balance between what looks best and what works best is way out of whack with Safari’s tabs.


I really can’t say this strongly enough: I think Safari’s lack of favicons in tabs, combined with its corresponding crumminess when displaying a dozen or more tabs in a window, is the single biggest reason why so many Mac users use Chrome.

It’s not even really monochromatic. Unless you turn on “Reduce transparency,” Safari will use color to show an unreadable blur of the top part of the page beneath the toolbar and tabs. And it will also bleed the colors of your desktop picture underneath the Bookmarks sidebar. To my eye, it’s ugly, non-functional, and harder to read. But can Safari use shapes or colors to help you identify which tab is which? No, it won’t let you do that.

Update (2017-08-14): See also: Hacker News.

Update (2017-11-27): Faviconographer (via John Gruber):

Faviconographer is a little utility that displays Favicons for the tabs you have opened in the current Safari window, just like almost every other browser does it. This helps you navigate between them more quickly.

It uses the accessibility APIs to find the locations of the tabs on screen.

A a a a a Very Good Song

Mitchel Broussard:

For some vehicles, when an iPhone is plugged into the car’s USB port music playback begins automatically, and it always starts in alphabetical order at the top of the user’s iTunes library. Because of this, many users will hear the same song, usually beginning with an “A,” over and over again each time they plug their iPhone into their car. This week, a potential solution to that problem has been soaring up the iTunes charts in the form of a ten-minute silent song called “A a a a a Very Good Song” [Direct Link].

Created by Samir Mezrahi, the song allows users a full nine minutes and fifty-eight seconds to find the song they actually want to hear after connecting their iPhone to their car through USB. Mezrahi is charging $0.99 for each download of the music-less track, although Apple Music subscribers can simply add the song into their library for free.

It’s not just in the car. My iPhone often gets confused when I try to resume audio playback, and instead of remembering which podcast I was listening to it picks a song to play (using a different app).

Update (2017-08-12): See also: David Pierce (via JR Raphael).

How Facebook Squashes Competition From Startups

Betsy Morris and Deepa Seetharaman:

At an all-hands meeting last summer, Facebook Chief Executive Mark Zuckerberg told employees they shouldn’t let pride get in the way of serving users, another way of saying they shouldn’t be afraid to copy rivals, according to someone who was at the meeting. The message became an informal internal slogan: “Don’t be too proud to copy.”


Facebook uses an internal database to track rivals, including young startups performing unusually well, people familiar with the system say. The database stems from Facebook’s 2013 acquisition of a Tel Aviv-based startup, Onavo, which had built an app that secures users’ privacy by routing their traffic through private servers. The app gives Facebook an unusually detailed look at what users collectively do on their phones, these people say.

Via John Gruber:

So Facebook is using a VPN app that is supposed to protect users’ privacy to violate their privacy by analyzing which apps they use.

Also worth noting: in the iOS App Store, Onavo’s owner is still listed as “Onavo, Inc.”, not “Facebook”.

Because people would probably find a VPN app from Facebook creepy.

Version Control ssh:// URL Shell Injection Vulnerability

Junio C Hamano (via Greg Hurrell):

These contain a security fix for CVE-2017-1000117, and are released in coordination with Subversion and Mercurial that share a similar issue.


A malicious third-party can give a crafted “ssh://…” URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running ”git clone --recurse-submodules” to trigger the vulnerability.


A “ssh://…” URL can result in a “ssh” command line with a hostname that begins with a dash “-”, which would cause the “ssh” command to instead (mis)treat it as an option.


In the same spirit, a repository name that begins with a dash “-” is also forbidden now.

Thursday, August 10, 2017

Ulysses Switches to Subscription

Marcus Fehn (Hacker News):

As of today, we’re changing Ulysses’ payment model. It’s still the same Ulysses, same features, same distribution, we’re just switching to subscription. For $4.99 per month or just $39.99 per year, you can now use Ulysses on all your Macs, iPads and iPhones, including sync. You no longer need to buy two separate versions for either platform – from now on, it’s just Ulysses, and you can use it wherever you want.


We can finally offer a free, cross-platform trial. Ulysses can now be downloaded and fully tested for 14 days, on all devices, including sync, no price or strings attached.


We are offering all our current customers a lifetime discount on Ulysses’ yearly plan (it’s 50% off the regular monthly subscription).

As with other recent switches to subscriptions, the Ulysses change seems to be accompanied by a price increase. The subscription is $40/year, while previously the Mac version was $45 and the iOS version was $25.

The FAQ:

Both the monthly and the yearly subscriptions are auto-renewing.


With the change to subscription, we changed the versioning scheme to better match the new model. We’re now increasing the version number for each new feature release. Ulysses has had 10 feature releases (1.0, 1.1, …) so far, so this is the 11ᵗʰ feature release. The next feature release will be version 12.

Max Seelemann (tweet):

I am not exaggerating in saying that this was the hardest decision in our whole time as professional software developers. After all, we have a system which currently works — after 14 years we are still around, Ulysses is still “a thing”, it’s even going better than ever before, and there are no immediate signs which hint at a change coming soon.


If you bought Ulysses at its launch in April 2013, you will now have received nine major feature releases. For free, at no additional cost. At least 80% of that originally purchased app have since been scraped and replaced. Its functionality has quadrupled during the same time.


In-between such big point-releases, sales will often drop to a non-sustainable level. So it’s not that we’re getting rich during the development period, and even richer after each update. No. We’re actually loosing money during development. And so the longer it takes to ship an update, the riskier it becomes financially. We are, in fact, highly dependent on these sale spikes, in order to make money.

He doesn’t think upgrade pricing is the answer, in part because the way people update their devices has changed:

It’s perfectly obvious that the overall situation is the same for paid updates as for one-time purchases. The situation is less severe than with the paid-once system — the sales spikes after bigger releases will be much higher –, but after each release, sales will fall back to a similar level.


And let’s just say you don’t update. You simply stay on the previous version, because you don’t think you need the new features, or because you find the update price not worth it. How long will this very version continue to work? On the same device and the same operating system… probably “forever”, sure. But does that really hold nowadays, when people get new phones every two years and OS updates are free?


Ulysses, for example, had critical bugs on every new version of macOS and iOS that came out since we launched in 2013. Yes, we fixed them immediately, but the next device, the next OS, will break some stuff again. The old app will break eventually, there’s just no way around it. As soon as the user’s environment changes, old stuff breaks.

And with the iOS version only available via the App Store, there’s no practical way to stay with an old version—and a newer iOS version may not be able to sync with an older Mac version.

See also: MacRumors (forum), 9to5Mac, John Gruber, Shawn Blanc, Michael Rockwell, Adam C. Engst, Ben Sandofsky, Dan Counsell, Dr. Drang, Wojtek Pietrusiewicz, Joe Cieplinski, Charlie Sorrel, Alex Cranz, Matt Gemmell, Dan Counsell, Eddie Smith, Matt Gemmell, Core Intuition, Gopal Sharma.

Update (2017-08-14): Max Seelemann:

Adding subscription to Ulysses took us 7 months, with 1 man-year engineering, 1.5 man-years total effort. It’s 22k lines of production code.

It feels like most of that should have been handled by the App Store. So. Many. Pitfalls. Everywhere.

Update (2018-04-20): See also: ChartMogul.

Update (2018-08-31): Max Seelemann:

The amount of pain we’re going through by trying to run a cross-platform subscription business without accounts is mind-boggling.

I hate accounts, but for us that’d certainly have been faster and more reliable.


No detail yet (ask Macoun 😉) but essentially we’re syncing receipts through iCloud.


We also didn’t want to have them, as that’d leave the impression we’d also have user’s data. Which we never wanted to have. And it would still feel weird today. Data and license syncing through two different system...

Why Apple’s Glasses Won’t Include ARKit

Matt Miesnieks (via Peter Steinberger):

I know glasses are being worked on at Apple, and the prototypes are state of the art. I also know what it takes to build a full-stack wearable AR HMD, having built fully functional prototypes from scratch. There are a bunch of elements that need to work before a consumer product can exist. These elements don’t all exist today (even at the state of the art).


ARKit is a big deal for the AR industry. Not just because it’s got Apple’s marketing fairy dust, but because it means that developers now have a high quality “6dof pose” to use in AR Apps. Everything in AR is built on top of a high quality pose. Solid registration of digital assets in the world. Indoor & outdoor navigation. 3D reconstruction algorithms. Large scale tracking systems. Collision & Occlusion of digital & real. Gesture detection. All these only work as good as the pose the tracking system provides. My earlier article explains more about how Apple did this & how it all works.


The most important advantage re the Glasses is that Apple has Marc Newson on the team. Look him up if you don’t really know who he is. He knows how to design cool glasses. One lesson I learnt at Samsung, is that Industrial Designers view glasses as one of the most difficult physical products to design, mostly because everyone’s face shape & taste is different, and there’s physically almost nothing to them (ie can’t add features to keep everyone happy, the design has to be very pure & simple).

Taking Uber to Small-claims Court

Joe Mullin:

The Uber car was squeezed into the narrow Boston street between other cars, and Wilcox had to shimmy out. So he hauled out just the suitcases, telling the driver he’d be back in a minute to grab the backpack. But when he reached the curb, the Uber car immediately drove off with his backpack still sitting in the back seat.


At that point, Wilcox went to the police and filed a report. He had the driver’s first name, a picture of him from the Uber app, the car’s license plate number, and confirmation of his ride details.


When Wilcox finally got the police report, it contained a big surprise. Uber had stonewalled Wilcox but emphasized—in court, in phone conversations, and in public statements—that it always cooperates with law enforcement. Yet the police report showed that Uber maintained the ride hadn’t even taken place […]

The investigating police officer made multiple visits to the address on record of the vehicle’s owner, but no one had answered. Uber, meanwhile, said the driver hadn’t worked for them for two years.

See also: Wilcox’s blog post.

Mixing Constant and Literal Strings in Swift

Joshua Emmons:

And now we have an interesting decision to make. Do we want to enforce safe, well-known constants and provide an option to specify arbitrary strings? Or do we want to allow arbitrary strings and provide an option to specify safe, well-known constants?


Situations come up all the time where we need an “escape hatch” from our carefully calculated set of pre-defined options.

When that happens, we don't need to throw our hands up in despair and make everything a String. Enumerations (combined with CustomStringConvertible and maybe even ExpressibleByStringLiteral) let us work around the 20% case while not jeopardizing the safety and convenience of the 80% out there.

Wednesday, August 9, 2017

Swift 5: Start Your Engines

Ted Kremenek (via Erica Sadun):

ABI stability is the center focus of Swift 5 — and we will pivot much of our prioritization of efforts for Swift 5 around it. With Swift 4, ABI stability was a strong goal. In Swift 5, it is a requirement of the release. Whatever ABI we have at the end of Swift 5 is the ABI that we will have. ABI stability is an important inflection point for the maturity of the language, and it cannot be delayed any longer.


It is a non-goal of Swift 5 to roll out a full new concurrency model. That is simply too large an effort to do alongside ABI stability. However, it is important that we start making progress on discussing the directions for concurrency and laying some of the groundwork.


After reflecting on the evolution process during both the Swift 3 and Swift 4 releases, the Core Team felt that we could strike a balance with not diluting attention from ABI stability while still enabling a broader range of proposals compared to Swift 4 by requiring that all proposals have an implementation before they are officially reviewed by the Core Team. An implementation can come long after an idea has been pitched and after a proposal has been written. However, before a pull request for an evolution proposal will be accepted — and thus an official review scheduled — an implementation must be in hand for a proposal as part of the review.

Update (2017-08-10): See also: Hacker News.

The Internet Archive Adds 25,000 78rpm Records

The Internet Archive (via Jason Scott):

Through the Great 78 Project the Internet Archive has begun to digitize 78rpm discs for preservation, research, and discovery with the help of George Blood, L.P.. 78s were mostly made from shellac, i.e., beetle resin, and were the brittle predecessors to the LP (microgroove) era.

The digitization project currently focuses on discs that are less likely to be commercially available--or available at all in digital form--particularly focusing on underrepresented artists and genres. Digitization will make this less commonly available music accessible to researchers in a format where it can be manipulated and studied without harming the physical artifacts. We have preserved the often very prominent surface noise and imperfections and included files generated by different sizes and shapes of stylus to facilitate different kinds of analysis.

Radix Sort Revisited

Pierre Terdiman:

Although the standard Radix Sort doesn’t work very well with floating point values, this is something actually very easy to fix. In this little article I will review the standard Radix Sort algorithm, and enhance it so that:

  • it sorts negative floats as well
  • it has reduced complexity for bytes and words
  • it uses temporal coherence
  • it supports sorting on multiple keys


A Radix Sort is an apparently bizarre sort routine which manages to sort values without actually performing any comparisons on input data. That’s why this sort routine breaks the theoretical lower bound of the O(N*logN) complexity, which only applies for comparison-based sorts. Radix is O(k*N), with k = 4 most of the time, and although this is not an in-place sort (i.e. it uses extra storage) it is so much faster than any other sorting methods it has become a very popular way of sorting data.

Protocol Composition in Swift and Objective-C

Jesse Squires:

Any protocol in Swift that contains optional members must be marked as @objc. I have written before about avoiding @objc in your Swift code as much as possible. When @objc infiltrates your object graph, nearly everything must inherit from NSObject which means you cannot use Swift structs, enums, or other nice features. This leaves you not writing Swift, but merely “Objective-C with a new syntax”.


A better approach is to split up large protocols into smaller ones, and provide a unique property (like a delegate) for each one.


This design transfers the “optional-ness” from the protocol itself to an additional optional property on the class. If you want headers and footers in your table view, you can opt-in to those by setting titlesDataSource. To opt-out, you can set this property to nil. The same applies to reorderingDataSource, and so on.


Instead of numerous disjoint protocols, you can design a union of protocols. This provides a single, top-level “entry point” to reference. You can extract the optional members of a protocol into a new protocol, then add an optional property for this new protocol on the original protocol. The result is a comprehensive top-level protocol and a set of “nested” protocols.

Tuesday, August 8, 2017

QuickCheck for Swift

SwiftCheck (via Andy Bargh):

What makes QuickCheck unique is the notion of shrinking test cases. When fuzz testing with arbitrary data, rather than simply halt on a failing test, SwiftCheck will begin whittling the data that causes the test to fail down to a minimal counterexample.


SwiftCheck implements random generation for most of the types in the Swift Standard Library. Any custom types that wish to take part in testing must conform to the included Arbitrary protocol. For the majority of types, this means providing a custom means of generating random data and shrinking down to an empty array.

Lazy Permutations in Swift

Joshua Emmons:

Why is our generic type X an iterator but we force Y to conform to Collection? If you look at the nested loop in our naive example above, you’ll see that while we iterate over xs only once, we actually loop over ys a number of times (an xs.count number of times, to be precise).

IteratorProtocol allows us to iterate over a set exactly once, so it’s perfect for our X type. But only Collection guarantees us the ability to non-destructively traverse a sequence over and over. So Y must be a little more constrained.


And so, finally, we can lazily iterate over every ordered pair of our collections — all while only storing the collections themselves, not their product.

Kryptonite: Protect Your SSH Private Key

Kryptonite (via Steven Frank):

On iOS, Kryptonite generates a 4096-bit RSA key pair using the Apple iOS Security framework or optionally an Ed25519 key pair using libsodium. Kryptonite stores the private key in the iOS Keychain with accessibility level “kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly”.


The role of a private key in an SSH login is to sign the SSH handshake. When a signature is required, your workstation calls out to Kryptonite running on the paired phone with the data that must be signed. If authorized, Kryptonite performs the signature using the private key and returns only the signature to the workstation.


Upon install, Kryptonite adds a few lines to your SSH configuration (at ~/.ssh/config) that cause SSH to offer your Kryptonite key. Your other keys will still be presented and your Kryptonite key will only be used if it has access to the service you are connecting to.

The potential benefit is that your private key doesn’t have to be stored at a known path on your Mac, where other apps can access it. Unfortunately, due to iOS limitations, there’s no easy way to ensure that Kryptonite isn’t sending your private key somewhere.

Previously: HandBrake Proton Trojan.

Making the Internet Archive’s Full Text Search Faster

Giovanni Damiola (via Hacker News):

Analyzing the hot threads we discovered that our bottleneck was in the parsing of the lucene‘s inverted index.

We have a lot of high-frequency words, some of them present in almost all of the 35M documents.

The combination of large documents (we index a whole book as a single document) and the need to support full phrase queries (and show the user the correct results) leads to a serious problem: when a phrase query includes a specific token present in a large portion of the documents, all of these candidate documents must be examined for scoring. The scoring process is very IO intensive because relative proximity data for the tokens in a document must be determined.


What if we were to encode proximity information at document index time? And then somehow encode that in the inverted index? This is what the Common Grams tokenizer was made for.

For the few thousand most common tokens in our index we push proximity data into the token space. This is done by generating tokens which represent two adjacent words instead of one when one of the words is a very common word. These two word tokens have a much lower document hit count and result in a dramatic reduction in the number of candidate documents which need to be scored when Lucene is looking for a phrase match.

Monday, August 7, 2017

Creating New Snippets

Dr. Drang:

I returned to TextExpander for two reasons. First, I have an iPad and want to do more writing on it. I didn’t realize how much I relied on expansions—even those that don’t run scripts—until I didn’t have them. TextExpander is the only solution that works on both the Mac and iOS.

TypeIt4Me does work on iOS, but its keyboard extension is much less convenient than the TextExpander SDK, which many apps have integrated.

I noticed in the past year that I haven’t been making the sort of throwaway snippets I used to make regularly in TextExpander to help me write reports that require the repeated use of technical phrases or product names. This meant more typing and more editing, because misspelled product names and inconsistent terminology kept creeping into my writing. This isn’t a knock on Keyboard Maestro—it’s a more general tool that just doesn’t have streamlined methods for creating new text substitution macros.

I have been using LaunchBar, and here’s how you can easily create new snippets with it:

iPhone and Android Cameras

Vic Gundotra:

It’s because when Samsung innovates with the underlying hardware (like a better camera) they have to convince Google to allow that innovation to be surfaced to other applications via the appropriate API. That can take YEARS.


Apple doesn’t have all these constraints. They innovate in the underlying hardware, and just simply update the software with their latest innovations (like portrait mode) and ship it.

Bottom line: If you truly care about great photography, you own an iPhone. If you don’t mind being a few years behind, buy an Android.

Via Kirk McElhearn (and John Gruber):

But this brings up a broader question: is the iPhone camera good enough for most people? Yes, certainly. Will it replace the DSLR? Certainly not. The use cases are very different. I think Gundotra has peers who used DSLRs for family photos, which is something they’re not very good at (well, they are, but they’re overkill). What is more correct is that the iPhone camera has killed the point and shoot camera, the compact, fixed lens camera.


But for those interested in photography, the DSLR with larger sensors, more megapixels, better high-ISO shooting, and interchangeable lenses, will remain popular. They just won’t be any more popular than SLRs were back in the days of film. Those of us who remember those days remember that most people had Instamatics or Polaroid cameras; it was very rare to see someone take family or vacation photos with an SLR.

Most of Gundotra’s remarks are in comment #51 to his Facebook post, but Facebook doesn’t seem to respect it own permalink or even expand the comments when following the link.

Gundotra is impressed with Portrait Mode, and I’ve seen good results from it, but I’ve also seen it really mess up images in ways that are not detectible from the thumbnail. So I definitely recommend using the Keep Normal Photo option. Otherwise you can end up with only the messed up Portrait version of a photo. (It’s too bad that HDR doesn’t work like Portrait in this respect. It’s no longer possible to automatically take both regular and HDR versions.)

Bringing Back Visual Basic IDE to Office for Mac

Erik Schwiebert (tweet):

Many of you have noticed the limited Visual Basic development environment that shipped with Office 2016 for Mac, and have asked for the full environment to make its way back to the Mac. Later this fall we will indeed be releasing an update that includes the full editor, including multiple code windows, breakpoints, watches, the Object Browser, and more!

Previously: Hasta La Vista, Visual Basic.

What’s Wrong With the Touch Bar

Josh Centers:

On a Touch Bar-equipped MacBook Pro, you have three main (there are others, but they’re even slower) ways to do this:

  • Press Command-B on the keyboard, which lets you keep your hands on the keyboard and eyes on the screen.

  • Click the Bold button in Word’s toolbar, which takes your hands off the keyboard but keeps your eyes on the screen.

  • Tap the Bold button on the Touch Bar, which takes your eyes off the screen and your hands off the keyboard.

In most cases, the Touch Bar is the slowest way to perform an action! It’s a cool-looking racing stripe that slows you down in many cases, and even worse, eliminates useful physical keys that you probably reach for reflexively, like Esc.


If background apps could present Touch Bar icons, automation utilities like Keyboard Maestro could allow users to trigger custom macros from the Touch Bar without requiring a potentially obscure key combination. Was it Command-Shift-Option-M or Control-Shift-Option-M?

The next time I buy a notebook, I’ll likely get a less capable one since that’s the only way to get a full keyboard instead of a Touch Bar.

The most loved part of the Touch Bar seems to be Touch ID, but there’s no reason the two need to be bundled together.

Update (2017-08-14): Mark Bessey:

I hated the Touchbar pretty much right away, and I generally haven’t warmed up to it at all over the last 6 months. Even though I’ve been living with it for a while, I have only recently really figured out why I don’t like it.


With a very few exceptions [maybe worth exploring those more?], the Touchbar is designed to launch actions on finger-down. This is inconsistent with the rest of the user experience, and it puts a very high price on having your finger slip off of a key at the top of the keyboard. This is exacerbated by bad decisions made by third-party developers like Microsoft, who ridiculously put the “send” function in Outlook on the Touchbar, because if there was ever anything I wanted to make easier, it’s sending an email before I’m quite finished with it.


Failing that, at least some way to bail out of hitting the Touchbar icons would be worth pursuing - possibly making them less senstive to grazing contact, though that would increase the cases where you didn’t activate a button while actually trying to.

Update (2017-08-21): Katie Floyd:

I’ve been using the MacBook Pro for nine months now and the truth is, I haven’t found much of a use for the Touch Bar.

Update (2017-08-28): Chuq Von Rospach (tweet, MacRumors, Hacker News):

It seems to me Apple fell in love with the technology of the Touch Bar system, which if you dig into it a bit is a stunning piece of engineering, and expected all of us to fall in love with it as well. The problem is: Apple rarely sells things to us based on neat technology, it sells us based on the stories of how that technology will solve problems for us, and right now, the problems a Touch Bar solves for us that we care about being solved are few and far between.


The current laptop line forces users to pay for the Touch Bar on the higher end devices whether they want it or not, and that’s a cost users shouldn’t need to pay for a niche technology without a future. So Apple needs to either roll the Touch Bar out to the entire line and convince us we want it, or roll it back and offer more laptop options without it.

Hoà V. DINH:

If you go with a new MacBook Pro, I wouldn’t recommend the touch bar. It has lots of usability/distraction issues.

Jonathan LaCour:

I agree, and the sad part is that the Touch Bar isn’t even the worst aspect of these new MacBook Pros.

Chuq Von Rospach:

If we assume that Apple is committed to using the Secure Enclave in Macs to enable user authentication and to secure Apple Pay, I think it’s okay to assume Apple will be including it in most, if not all, future Macs. If that’s true, then the economics of the Touch Bar are minimal.


If I’m right, future Macs will use the infrared facial recognition, and they can embed those sensors in the bezel of the monitor on both the iMac and the laptops. This simplifies the problem of needing to secure the communication between the sensor and the Secure Enclave; by moving those sensors into the device and off the keyboard, everything gets a lot cleaner. And they can build a much less expensive keyboard with a Touch Bar on it that doesn’t require the level of communication security that would be required if it also had the TouchID sensor.

Update (2017-08-29): Nick Heer:

But I also wonder if the very concept of the Touch Bar is far better suited towards some industries than others. I can see film and audio editors potentially using it to navigate long timelines efficiently, but it’s probably not solving any problems for programmers. I’m almost certainly writing more based on what I want rather than what is logical, but I’d love to the Touch Bar become a simple configuration option for any MacBook Pro. Users who don’t need or want it don’t have to equip it, and could have all the performance they need with a traditional keyboard.

Benjamin Mayo:

Apple probably needs to re-think some of the dynamic interfaces — even a year later, I can’t train myself to use it when I’m flitting between so many different states and applications.


Pushing Touch Bar into lower-end MacBooks will be a big win for Apple. I strongly believe that the Touch Bar is better suited for novices than professionals; it is far more useful to people that have to stare down at the keyboard to type.

Wojtek Pietrusiewicz:

Either way, the Touch Bar is neither the future of keyboards, nor is it a sensible stop-gap to on-screen keyboards. In my use case, where I can’t even see it without moving my hands off the keyboard, it’s just an annoyance and I consider it to be bad design.

See also: The Loop.

Update (2017-09-01): John Martellaro:

I think the reason for this inattention by Apple may be related to the dark years of the Mac: 2015-2016. That’s when Apple got distracted and stopped updating its Macs on a timely basis. But one technology seemed to be dwelled on, and that’s the Touch Bar. Because a lot of engineering effort was put into the Touch Bar (and its follow-on technologies) my guess is that some executives believed that the Mac was being properly attended to.


Perhaps the lesson in all this is that any company must be mindful of the technical needs of users and not dismiss them because it thinks it has something really cool up its sleeve, ready to come to fruition in a few years. Keeping us excited in the here-and-now while the future pieces are being put into place is a job for clever engineering and marketing.

Update (2017-09-04): Greg Hurrell:

If Apple goes with an all Touch Bar laptop lineup, my next machine will either be an iMac or bloody PC laptop running Linux.

Update (2018-10-26): Ben Lovejoy:

That brings me to the second thing: there are times when it the Touch Bar is actively counterproductive.

There are a number of ways it can slow me down. For example, if I want to use the music controls, and the Touch Bar isn’t expanded, it’s two touches in two places rather than one keypress. Or if the bar is expanded and I instead want to mute the machine, it’s again two touches in two places.

Then there are the mistakes. I can’t count the number of times I’ve reached for the backspace key and either hit the Siri button instead, or caught it with the edge of my finger so I get both the backspace and Siri popping up. I then have to touch it again to close the window.

Update (2019-01-23): Dave Nanian:

A Full and Complete Accounting of the Benefits of the TouchBar

Friday, August 4, 2017

Using a Downloaded HTML File to Steal Files From a Mac

Anton Lopanitsyn (via Felix Schwarz):

Interestingly, . DS_Store can easily be parsed to get the names of all the files on in the catalog. […] And this means that, with this information, we can now recursively call .DS_Store to get the complete hierarchy of files on my computer — all without authorized access to any of the directories.


We know that in the Chrome browser, reading local files is not that straightforward. The only way to do that is to launch Chrome with a special argument ( — disable-web-security).

Safari also warns that it can’t work with the local files: such as file://

HOWEVER, if the file has originally been downloaded from the internet, Safari is a lot more permissive towards this kind of requests. Thus one can send XHR request to a local file and get back its content […] …if a file is local — you get access!

Knowing this Safari idiosyncrasy, with a full path name we can load the complete file content and upload it to an external server.

It seems like Safari’s Local File Restrictions should cover XMLHttpRequest in addition to file: URLs.

Using Static Frameworks to Speed Up Launching

Eric Horacek (via Ljuba Miljkovic):

This slowdown happens because every dynamic framework adds overhead for dyld to do before an app’s main() function is called (known as “loading, rebasing, and binding”). In this WWDC 2016 talk, Apple suggests replacing dynamic frameworks with static archives to mitigate this. To take this approach, we rebuilt as many of our dynamic frameworks as possible statically and then merged them into a single monolithic dynamic framework named AutomaticCore.


Apple wasn’t exaggerating when they said too many dynamic frameworks could slow down your app’s launch time. However, merging our dynamic frameworks wasn’t trivial: we had to rework our development workflow to build our app this way from now on.


It was not trivial to add support to Carthage for building static archives (.a files). However, with some minimal changes, we were able to update Carthage to support building static frameworks (.framework files). Static frameworks are just like static archives, but packaged differently. They have a similar structure to dynamic frameworks, but with a static Mach-O file in place of a dynamic one.


However, unlike dynamic frameworks, static frameworks are not embedded—meaning we needed to do some extra legwork to make their resources available.

See also: App Startup Time: Past, Present, and Future.

How Rust Is Tested

Brian Anderson (via Hacker News):

Rust has a strict continuous integration system that runs a great number of tests on every pull request, basically guaranteeing that the Rust master branch always works; which is crucial because Rust releases nightly builds every night, and stable builds every six weeks. And Rust further tests every release against its entire open source library ecosystem.

I’ve always admired well-tested software projects, like SQLite, and aim to place Rust among the pantheon of the best. This document then, is a catalog of all the ways we test Rust. I hope it provides insight into what it takes to deliver a production-quality programming language, a hint at the wide variety of techniques employed in software validation, and that it reinforces your confidence in Rust’s reliability.

Thursday, August 3, 2017

CwlLayout: a Swift Wrapper Around Auto Layout

Matt Gallagher:

Much of the debate I see around Auto Layout focusses on how it’s cumbersome to implement in code – as opposed to Interface Builder – but all of the 9 constraints would still need to be applied in Interface Builder to achieve this same layout and you’d still need to understand why each of these constraints is necessary.


The problem is that no matter how you apply them, constraints are not layouts; constraints are building blocks from which we can make layouts but an actual layout requires starting a different way.


A far better solution for programming a declarative system is to use an API that itself is declarative and builds the whole system as a single composeable expression and rather than constructing individual constraints separately, understands the whole system and can automatically include constraints needed for consistency.

“required” Swift Initializers and Decodable

Jordan Rose (via Jesse Squires):

The initializer is required, right? So all subclasses need to have access to it. But the implementation we provided here might not make sense for all subclasses—what if VerySpecialSubclassOfPoint doesn’t have an init(x:y:) initializer? Normally, the compiler checks for this situation and makes the subclass reimplement the required initializer…but that only works if the required initializers are all known up front. So it can’t allow this new required initializer to go by, because someone might try to call it dynamically on a subclass.


required initializers are like methods: they may require dynamic dispatch. That means that they get an entry in the class’s dynamic dispatch table, commonly known as its vtable. Unlike Objective-C method tables, vtables aren’t set up to have entries arbitrarily added at run time


In most cases you don’t care about hypothetical subclasses or invoking init(from:) on some dynamic Point type. If there was a way to mark init(from:) as something that was always available on subclasses, but dynamically checked to see if it was okay, we’d be good.


For more information on this I suggest checking out my write-up of some of our initialization model problems.

Graphing Calculator Started As a Demo for PenMac

Ernie Smith (via Ron Avitzur):

Called the PenLite, the tablet device was designed to work with a stylus, but Apple never fully followed through. It became an obscure example of a Mac prototype that never saw the light of day. More people know of Apple’s notorious Pippin video game console than the PenLite, despite the fact that it was clearly a more influential device on Apple’s trajectory.


Back in January 2010, as the buzz around the iPad, which had yet to be announced, was just starting to reach a fever pitch, developer Arno Gourdol wrote a blog post pondering whether Apple had finally gotten things right this time. He knew what the prototype looked like, its weaknesses, along with its potential.


While information on the PenLite is somewhat hard to come by online, there is information floating around. Perhaps the most obscure and intriguing is a 2012 YouTube clip, nearly an hour in length, that features early Apple engineer Thomas Gilley going through the paces of the PenLite as part of the long-running patent case involving Apple and Samsung.

Wednesday, August 2, 2017

Did the iPad Turn the Corner This Quarter?

Jason Snell:

It took a while. Seriously, it’s been more than three years since Apple posted year-over-year growth in iPad revenue. That’s a really long time—and a long slide downward on just about every iPad chart you can think of.


Now, one quarter doesn’t make a turnaround—but when you consider the contraction of the iPad business for the past 13 quarters, a 15 percent year-over-year growth spurt sticks out like a sore thumb.

John Gruber:

But iPad revenue was only up about 2 percent. That suggests to me, strongly, that this sales bump was driven strongly by the new 9.7-inch iPad that starts at $329.

I don’t quite understand why people are treating this as a bad thing. It’s good that Apple has made a more affordable iPad that customers seemingly like (unless they just didn’t want to be stuck on iOS 9). And more units sold will be good for the app market.

Also of note: AirPods are still supply constrained.

Update (2017-08-03): Nigel Warren:

At the same time, it’s important that the iPad continue to grow at the high end. So much iPad commentary over the past two years of falling sales has been about the fear that the device has already reached its peak potential utility. And if so, that peak has been far lower than what many dreamed of when it first debuted.

The iPad’s average selling price can be seen as an indication of whether the iPad has the potential to continue evolving into a more capable tool.

There’s some truth in this, but I think most of the limits on the iPad’s potential are due to software (which is improving with iOS 11) and the overall form factor (which iPad Pro doesn’t change much). Also, I see the cheaper iPad as a great gateway product. Someone who is skeptical about iPad as a work device may not want to jump in at the Pro level. But they can buy a regular iPad, get hooked, and upgrade later. And it’s important to remember that the capabilities of the base iPad will improve over time. So I actually lean towards the opposite view, which is that if growth were primarily at the high end, that would be bad news for iPad’s potential.

Joe Rossignol:

“ASPs were steady from last quarter, showing that higher priced iPad Pro models also sold well, even though the new 12.9-inch and 10.5-inch models were out for less than a month in the June quarter,” he added.

Golden Hill Software Acquires Unread

John Brayton:

There was no way to move Unread from Supertop’s App Store account, so Unread 1.7 is now available as a new app. If you had purchased the unlocked functionality, you can migrate your purchase to this new version at no cost. A Migration Guide is available with more details.

Still no way to move apps with IAPs between accounts? Is this a lot more complicated than it seems or just really low on Apple’s priority list?

Update (2017-08-02): Pádraig Kennedy:

The issue is that apps that have ever used iCloud’s KVS can never be transferred, even if they remove the feature.

Powerline Ethernet Adapters Are Everyday Magic

Josh Centers:

Ultimately, both claims were overstated. Powerline networking evolved quietly but was overshadowed by Wi-Fi, cellular broadband, and fiber-optic networks. Although powerline networking never made it to the big time, it didn’t vanish. Rather, it has become reliable, readily available, and shockingly cheap.


I wanted to avoid drilling through the ceiling if at all possible, so I checked to see if powerline Ethernet is still an option — it is! A quick search on Amazon pointed me toward the best-selling TP-Link AV200 — a $25 kit consisting of a pair of 200 Mbps powerline Ethernet adapters.

If you need more speed, you can pay modest amounts more for the AV500 ($35), AV600 ($50), AV1000 ($40), or the AV1200 ($60). The model numbers correspond to their top throughput, so the AV1200 provides up to 1200 Mbps, which should be enough for gigabit Ethernet.

It sounds better and cheaper than I recall.

Tuesday, August 1, 2017

NSProgress Shortcomings and CSProgress

Charles Srstka:

Unfortunately, the performance of NSProgress is simply terrible. While performance is not a major concern for many Cocoa classes, the purpose of NSProgress—tracking progress for operations that take a long time—naturally lends itself to being used in performance-critical code.


Furthermore, there’s no atomic way to increment the change count. To do so, one first has to get the current completedUnitCount, then add something to it, and then finally send that back to completedUnitCount’s setter, resulting in the lock being taken twice for one operation.


All of NSProgress’s reporting is done via KVO. That’s slick, right? You can just bind your UI elements, like NSProgressIndicator, directly to its fractionCompleted property and set it up with no glue code. Right? Well, no, because most classes in the UI layer need to be accessed on the main thread only, and NSProgress sends all its KVO notifications on the current thread. Hrm.


So instead of the main benefit of KVO—being able to bind UI elements to the model without glue code—we have more and much weirder glue code than we’d see in a typical blocks-based approach.

Overall, it seems like a terrific idea, but it’s unnecessarily difficult to use it well. His solution is a complete reimplementation, CSProgress, which bridges to NSProgress.

Moom 3.2.9

Many Tricks:

Moom now uses the entire display as the grid. You can still specify your grid dimensions, but you’ll be selecting regions of the entire display, instead of on a slanted hexagonal window. One advantage of this approach—besides not dealing with hexagons—is that you can drag a grid on any connected display, not just the display where the window currently resides.

I have been using the keyboard to summon Moom and then the arrow keys to move between displays and select the region for the window. But this new method is cool because you can just directly draw where you want the window to go.

Previously: Moom vs. the Rectangular Grid Patent.

Counterparts Lite 1.5

Michel Fortin:

Find & Replace lets you quickly change a word or phrases everywhere in a document. It shows you a nice preview of the changes. You can choose whether to apply the change or not for each row. And there’s a useful checkbox to automatically capitalize the first letter of your replacement text when the text it replaces begins with a capital.

Looks good.

Your Favorite Mac Markdown Editors

Josh Centers and Adam C. Engst:

In “Vote for Your Favorite Mac Markdown Editor” (20 July 2017), we asked you to rate the Mac text editors that you’ve used to write in the Markdown text markup language. Over 400 TidBITS readers responded to our survey of 42 apps, submitting nearly 2200 votes. As we thought might happen, BBEdit racked up by far the most votes and tied for the highest rating. But many other apps did well too, showing that the category has numerous entrants worth your time.

Markdown seems to be everywhere now.