Archive for October 12, 2017

Thursday, October 12, 2017

Strange Apple ID Sign-In Locations

Glenn Fleishman:

The first step in Apple’s 2FA is a location alert that appears on every computer and iOS you own logged into the same Apple ID account. The notion is that you should validate that the location is correct before you proceed to get the code. Clicking Don’t Allow terminates the login attempt.

[…]

The location can also be imprecise. My wife routinely is told she’s logging in from about 30 miles south, although on the same home network, it’s more accurate for me. If we both had this issue, I’d expect that the IP address of our network was misplaced in whatever geo-identification system Apple relied on to match IPs with a rough place on the globe.

Kirk McElhearn:

I’m not near London; I’m about 100 miles away.

[…]

I don’t use a VPN, which would certainly affect this, and I find it surprising that the Apple devices that already know my exact location can’t pass this info on to Apple’s authentication servers. Because if I look on Apple Maps on the same iPad, it pinpoints me, exactly where I am.

Nick Heer:

This is particularly troubling because two factor authentication is promoted as being a more secure login option. If a typical user were to set that up and then be shown a map of a login attempt from miles away, they may be concerned, and reasonably so.

Update (2017-10-13): Michael Kummer:

What puzzled me was that according to whatsmyip.org, the geolocation of my IP is Atlanta, GA. So why would Apple show a different location? As it turned out, there are various geo-location databases, and each shows slightly different information. Separate databases map my IP address to the following locations:

  • Richardson, TX (IP2Location)
  • Atlanta, GA (EurekAPI)
  • Wallingford, CT (DB-IP)

That explains why I see strange location information when signing in from a new device or browser. Evidently, Apple uses the DB-IP database, instead of EurekAPI to query IP geolocation information. Interestingly enough, Apple Maps knows my correct location as you can see in the screenshot below.
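
The disagreement described above can be measured before a city is shown in a sign-in prompt. The following Python is an added example, not code from any of the quoted authors and not Apple's method: it takes the three database results listed above, computes the largest great-circle distance between them, and reports the location as uncertain when they diverge. The coordinates are approximate city centres constructed for illustration, and the function names and the 50 km threshold are assumptions.

```python
import math
from itertools import combinations

# Database names and cities are the ones quoted above; the coordinates are
# approximate city centres, constructed for this example.
LOOKUPS = {
    "IP2Location": ("Richardson, TX", 32.95, -96.73),
    "EurekAPI": ("Atlanta, GA", 33.75, -84.39),
    "DB-IP": ("Wallingford, CT", 41.46, -72.82),
}

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def max_disagreement_km(lookups):
    """Largest pairwise distance between database answers (0 for one answer)."""
    pairs = combinations(lookups.values(), 2)
    return max((haversine_km(a[1], a[2], b[1], b[2]) for a, b in pairs),
               default=0.0)


def prompt_location(lookups, preferred, threshold_km=50.0):
    """Text for a sign-in alert: name the city only if the databases agree.

    threshold_km is an assumed tolerance, not a value from the page.
    """
    spread = max_disagreement_km(lookups)
    if spread <= threshold_km:
        return f"near {lookups[preferred][0]}", spread
    return f"location uncertain (sources differ by about {spread:.0f} km)", spread


if __name__ == "__main__":
    text, spread = prompt_location(LOOKUPS, "DB-IP")
    print(text)
```
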

Ten Safari Long-Press Shortcuts

Benjamin Mayo:

Much of Safari’s advanced functionality is hidden behind ‘secret’ long-press gestures that you can’t really know about unless you try randomly … or someone tells you. We’ve rounded up all the Safari long press tips and tricks below, so you can take advantage of all the different shortcuts and features it offers.

[…]

New to iOS 11, it is actually possible to have Safari automatically launch Reader for select domains. This means you can view a particular website without distractions, in the streamlined reading-focused Safari Reader interface, automatically every single time.

Update (2017-10-13): Rob Mathers:

Long pressing an image also displays the alt-text, if there is any.

Google Pixel Buds

Valentina Palladino:

Unlike Apple’s AirPods, the Pixel Buds have a wire connecting the two earpieces. However, that wire doesn’t connect to a smartphone or other device. […]

All of the Pixel Buds’ controls are built in to the right earpiece, which is a common hardware solution on wireless earbuds. […]

But the most intriguing feature of the Pixel Buds is the integrated Google Translate feature. Demoed on stage at Google’s event today, this feature lets two Pixel Bud wearers chat in their native languages by translating conversations in real time.

[…]

Pixel Buds have a battery that should last five hours on a single charge, which is average for wireless earbuds. They also come with a charging case that can hold up to 24 hours of battery life. Google’s Pixel Buds are available for preorder today for $159.

Dan Masters:

Kudos to Google for offering a distinct value proposition over AirPods, rather than just copying.

Nilay Patel (via Hacker News):

No one else can make W1 headphones, and obviously no one else can modify iOS to support their own custom wireless Bluetooth riff. So your choices are the four W1 headphones, and then a large market of second-class citizens.

Google’s version of this is the Pixel Buds, a set of over-ear neckbuds that serve as basic Bluetooth headphones but gain additional capabilities when used with certain phones. Seamless fast pairing? You need Android N or higher, which most Android phones don’t have. The always-on access to Google Assistant? That’s only for Android phones with Google Assistant; iPhone owners need not apply. And that cool Google Translate integration where Pixel Buds instantly translate languages in real time? Well, that’s entirely exclusive to the Pixel.

APFS and Institutional Recovery Keys

Rich Trouton:

This recovery key model has continued to be used on Apple File System (APFS), starting with macOS High Sierra 10.13.0, with one important difference:

  • You can encrypt an APFS boot drive using an IRK.
  • You cannot unlock or decrypt an encrypted APFS boot drive using an IRK.

[…]

The issue appears to be that a necessary function has not been added to the diskutil command line tool. For FileVault 2 on macOS Sierra and earlier, the command to unlock using an IRK is shown below[…]

Uncle Bob and Silver Bullets

Robert C. Martin:

I just finished reading an extremely depressing article in The Atlantic entitled: The Coming Software Apocalypse. The article does a good job, at first, of describing several terrible software bugs that have harmed, maimed, and killed people. But then the article veers off in a direction that I found disheartening.

The author of the article interviewed many thought leaders in the industry, but chose only those thought leaders who were inventing new technologies. Those technologies were things like Light Table, Model Driven Engineering, and TLA+.

[…]

The obvious solution:

  1. Raise the level of software discipline and professionalism.
  2. Never make excuses for sloppy work.

If only it were that easy.

Hillel Wayne (via Hacker News):

One of the core assumptions of modern systems engineering is that there’s a constant flow of defects: that people make mistakes. You can’t rely on people to not fuck up on their own: after all, the US still has 30,000 auto deaths a year. Rather, the best way to reduce the volume and severity of mistakes is to adjust the system itself. Either make them harder to do, make them easier to catch, or make them cause less damage when they do happen. Don’t just blame the drivers, give them safe roads! Give them seatbelts!

[…]

But unit tests are not enough. Type systems are not enough. Contracts are not enough, formal specs are not enough, code review isn’t enough, nothing is enough. We have to use everything we have to even hope of writing correct code, because there’s only one way a program is right and infinite ways a program can be wrong, and we can’t assume that any tool we use will prevent more than a narrow slice of all those wrong ways.