Archive for February 26, 2018

Monday, February 26, 2018 [Tweets] [Favorites]

WatchKit Is a Sweet Solution

Marco Arment:

The separation of Apple’s internally-used frameworks from WatchKit has two huge problems:

  • Apple doesn’t feel WatchKit’s limitations. Since they’re not using it, it’s too easy for Apple’s developers and evangelists to forget or never know what’s possible, what isn’t, what’s easy, and what’s hard. The bugs and limitations I report to them are usually met with shock and surprise — they have no idea.

  • WatchKit is buggy as hell. Since Apple doesn’t use it and there are relatively few third-party Watch apps of value, WatchKit is far more buggy, and seems far less tested, than any other Apple API I’ve ever worked with.

Apple will never have a very good idea of where WatchKit needs to improve if they’re not using it. But this sweet solution is the only choice anyone else has to make Apple Watch apps.

Previously: A Very Sweet Solution.

Update (2018-02-26): Dan Masters:

Reminds me of Core Data sync: “There are two iClouds. One of them is used heavily inside Apple & the other is offered as a developer API & used only selectively for Apple’s own apps”

Update (2018-02-28): John Gruber:

I’ve long given up on using any third-party apps on my Apple Watch, and I am so much happier for it. A year or two ago I would have been “Hell yeah”-ing this piece by Arment, but at this point I half feel like Apple should just get rid of third-party WatchOS apps and be done with it.

The one type app I think most people want is the one type of app Apple is never going to allow: custom watch faces.

iCloud in China and on Google’s Cloud

Stephen Nellis and Cate Cadell (Hacker News):

Until now, such keys have always been stored in the United States, meaning that any government or law enforcement authority seeking access to a Chinese iCloud account needed to go through the U.S. legal system.

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

Jack Purcher:

In a statement, Apple said it had to comply with recently introduced Chinese laws that require cloud services offered to Chinese citizens be operated by Chinese companies and that the data be stored in China. It said that while the company’s values don’t change in different parts of the world, it is subject to each country’s laws.

“While we advocated against iCloud being subject to these laws, we were ultimately unsuccessful,” it said. Apple said it decided it was better to offer iCloud under the new system because discontinuing it would lead to a bad user experience and actually lead to less data privacy and security for its Chinese customers.

[…]

It’s now clear that this is the route that any foreign government could take in the future in order to break Apple’s holier than thou stance on handing private data. China has shown them all the way. Pandora’s Box has now been opened and other foreign governments with any clout are likely to adopt China’s policy on privacy over time and that’s the sad reality of the day.

Or even the U.S. government. How long before there’s a law requiring man-in-the-middle access to iMessage?

Nick Heer:

Nothing about this is good news, but it’s very hard to see what alternatives there are in this case. They could threaten to pull out of the Chinese market unless the law is changed, but that would do more damage to Apple than it would the Chinese government, with likely little effect. Also, it’s likely that iCloud not being offered in China would motivate people there to switch to a less secure alternative.

Jordan Novet (MacRumors):

Apple periodically publishes new versions of a PDF called the iOS Security Guide. For years the document contained language indicating that iCloud services were relying on remote data storage systems from Amazon Web Services, as well as Microsoft’s Azure.

But in the latest version, the Microsoft Azure reference is gone, and in its place is Google Cloud Platform.

James Thomson:

Presumably, if Apple was only using Amazon and Google’s cloud services, the millions of square feet of data centres they own themselves would be entirely superfluous…

Bob Burrough:

It doesn’t bother me one bit that Apple buys cloud services from Google. Cloud services are such a commodity that there can be competitive advantage in buying on the open market.

Nick Heer:

I don’t think that iCloud users expect their data to be stored in ways not entirely controlled by Apple, especially given the company’s emphasis on privacy.

Zac Cichy:

Apple needs to think long and hard about privacy and their messaging around it or they’ll (deservedly) look like constant hypocrites.

Previously: Chinese Firm to Operate China iCloud Accounts, Apple Starts Using Google Cloud Platform, iOS 5 and iCloud, Apple Is Trying to Make iMessages More Private, Apple’s iMessage Metadata Logs, Can Apple Read Your iMessages?.

Update (2018-02-27): See also: Rene Ritchie, Nick Heer, John Gruber, Eric Young, Lloyd Chambers.

Nicholas Weaver (via Dan Masters):

iMessage and FaceTime have a cryptographic architecture that enables prospective wiretapping, yet there is reason to believe that Apple not is fully complying with lawful court orders to exercise this capability. There is also evidence that, although Apple is supposedly complying with pen register orders, the company is actually providing something substantially less than what the law is able to compel them to provide in response to a pen-register or trap-and-trace (PR/TT) order.

[…]

Such monitoring works because Apple, unlike Signal and other end-to-end encrypted platforms, does not provide transparency to its users when keys are added or changed. If Bob uses Signal or WhatsApp, he is notified whenever Alice’s key changes. This prevents Signal from silently replacing Alice’s key with the FBI’s. Likewise, when Alice makes a call with Signal, it shows two “random” words that aren’t actually random but a function of the key used to encrypt the message. If Alice and Bob agree that they see the same words, they will then know that their key is the same, preventing a man-in-the-middle. Apple could have implemented similar features, perhaps hidden behind options, years ago; they have not.

Since Apple now seems to pride itself that “[they] follow the law wherever [they] do business,” I think it is reasonable for the U.S. government to demand that Apple do so in the U.S. Because it seems to me they haven’t.

Update (2018-02-28): Bruce Schneier:

While I would prefer it if it would take a stand against China, I really can’t blame it for putting its business model ahead of its desires for customer privacy.

Ben Bajarin:

Apple retains all encryption keys and Chinese gov still has to make requests to Apple only on an individual level.

Update (2018-03-12): See also: The Talk Show.

BigTechCo Strategy: Paying the Platform Tax

Sriram Krishnan:

In a world dominated by Aggregation Theory, a few large players own large vectors of distribution. Mobile? You can’t work around Apple and Google. Search? Can’t work around Google.

If you’re one of these large companies and you have a product that needs distribution through a competitor, you face a choice: do you pay a potential competitor their ‘rake’ - in whatever form that takes - or do you go it alone?

[…]

Once you clarify what your business actually is, you then get to define who gets protection and who has to face competition. One framework you could apply: working with a competitor that cannibalizes a supporting, or new & unproven business is acceptable but one that risks a core business is a no-go.

[…]

You can see why Fitbit resists some very vocal customer requests to build Apple Health support - they probably believe doing so will only let Apple compete with Fitbit faster.

The Dropbox Comp

Ben Thompson (Hacker News):

Dropbox’s customer base, thanks to all those consumers, is over 500 million users (Dropbox announced 500 million signups last March, but explained in its S-1 that it had culled what were apparently ~100 million inactive accounts over the last year), while Box, as of last quarter, had only 57 million registered accounts. On the other hand, 17% of Box’s users had paid accounts; only 2% of Dropbox’s did. This contrast in efficiency gets at the biggest difference between the two companies: to whom they sell, and how they go about doing so.

Box sells to big companies using a traditional sales force; free accounts exist primarily to enable temporary collaboration with paid accounts, as well as trials. There is a self-serve option, but that’s not the point: Box notes in its financial filings that “Our marketing strategy also depends in part on persuading users who use the free version of our service to convince decision-makers to purchase and deploy our service within their organization”. In other words, when it comes to Box’s ideal customer, the CIO decides for everyone all at once.

For Dropbox, on the other hand, self-serve is the most important channel by far. The company brags that “We generate over 90% of our revenue from self-serve channels — users who purchase a subscription through our app or website.” Dropbox has a sales team, but as it notes in its S-1, the team “focuses on converting and consolidating these separate pockets of usage into a centralized deployment. Nearly all of our largest outbound deals originated as smaller self-serve deployments.”

Tom Krazit (Hacker News):

After making the decision to roll its own infrastructure and reduce its dependence on Amazon Web Services, Dropbox reduced its operating costs by $74.6 million over the next two years, the company said in its S-1 statement Friday.

Previously: Dropbox Files Confidentially for IPO, Dropbox’s Exodus From the Amazon Cloud Empire.

Update (2018-03-01): Lisa Stromer (via Hacker News):

And today, we’re announcing a new partnership with Google Cloud that will bring Dropbox and G Suite users one step closer to a world where our work comes together.

Money Laundering via Author Impersonation on Amazon?

Brian Krebs:

But that didn’t stop someone from publishing a “novel” under his name. That word is in quotations because the publication appears to be little more than computer-generated text, almost like the gibberish one might find in a spam email.

[…]

The impersonator priced the book at $555 and it was posted to multiple Amazon sites in different countries. The book — which as been removed from most Amazon country pages as of a few days ago — is titled “Lower Days Ahead,” and was published on Oct 7, 2017.

Reames said he suspects someone has been buying the book using stolen credit and/or debit cards, and pocketing the 60 percent that Amazon gives to authors.

[…]

Reames said Amazon refuses to send him a corrected 1099, or to discuss anything about the identity thief.

Google and HTTP

Dave Winer:

I’ve been writing about Google’s efforts to deprecate HTTP, the protocol of the web. This is a summary of all the reasons why I am opposed to them doing this.

[…]

They don’t have standing. The web is an open platform, not a corporate platform. It is defined by its stability. Also, if Google succeeds, it will make a lot of the web’s history inaccessible. People put stuff on the web precisely so it would be preserved over time. That’s why it’s important that no one has the power to change what the web is.

Previously: The Rush to “Deprecate” HTTP.

Update (2018-03-09): Nick Heer:

As Mill points out in his article, there are great reasons to add an HTTPS certificate to a website that has no interactive elements beyond links. It makes sense to me to generally prefer HTTPS going forward, but I have concerns about two browser vendors working to effectively eliminate the non-HTTPS web; or, at least, to put barriers between it and users.

Edward Snowden:

@Citizenlab catches ISPs invisibly redirecting download requests for popular programs, injecting them with government spyware. Unencrypted web traffic is now provably a critical, in-the-wild vulnerability. 20-30% of top internet sites affected.

Update (2018-03-12): Dave Winer:

What Google is planning on doing to the web is unnecessarily damaging to the work of millions of people they don’t know. If they could step back and look at their objectives, and let’s see if we can compromise, so they can get what they really want and the web can be what it always has been, an open space for experimentation, free thought, and the development of world-changing ideas. It’s where Google itself came from.

Update (2018-03-23): Dave Winer:

I had to explain to a non-technical friend the significance of Google breaking HTTP in their browser. I offered an analogy.

Update (2018-05-19): See also: Mark Hughes.

Update (2018-07-11): James Donohue (via Jason Snell):

A few weeks ago the BBC News website finished transitioning to HTTPS. The green padlock you now see next to the web address is probably the biggest publicly visible technical change to the site since it relocated from news.bbc.co.uk in 2011. Even so, a question we’re often asked is “why did it take so long?”