Archive for December 2018

Wednesday, December 12, 2018

What’s Apple’s Plan for Haptic Touch and 3D Touch?

Benjamin Mayo:

iOS 12.1.1 added Haptic Touch support for notification previews on iPhone XR. It also added a new menu in Accessibility settings that lets you change the Haptic Touch settings …


Prior to this release, a third-party developer could perfectly copy the Haptic Touch experience in their own apps by setting up a long press gesture recognizer, that concludes with a haptic vibration. However, now that users can adjust the duration in this new Haptic Touch menu, a third-party app will not be able to stay in sync with the user’s preferences.

The supported API for 3D Touch allows apps to inherit the exact same behavior (including changes to 3D Touch Sensitivity) as Apple’s 3D Touch implementations, but an analogous system for Haptic Touch does not currently exist.

Nick Heer:

It is worth asking: if the same action is invoked by using 3D Touch as it is when the user simply taps and holds, then what is the clear and direct intent of 3D Touch?

However, I think it’s a feature that is made worse by its exclusion on the iPhone XR, where it is sort of replaced with Haptic Touch. Haptic Touch is like 3D Touch, except for all of the ways in which it is not. It works for the flashlight and camera buttons on the lock screen, invokes a trackpad from the onscreen keyboard’s space bar, and, as mentioned earlier, on notification bubbles. But it does not work in every place 3D Touch does: an app’s icon on the home screen does not display a menu when the user touches and holds on it, and the peek and pop gestures are unseen.


But if 3D Touch is truly on its way out, it should be a clean kill across the board. A piecemeal approach with a similar-but-not-quite-the-same feature on just one product is a confusing distraction.

Previously: What is Haptic Touch on iPhone XR?.

Australian Assistance and Access Act

Danny O’Brien:

With indecent speed, and after the barest nod to debate, the Australian Parliament has now passed the Assistance and Access Act, unopposed and unamended. The bill is a cousin to the United Kingdom’s Investigatory Powers Act, passed in 2016. The two laws vary in their details, but both now deliver a panoptic new power to their nation’s governments. Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers – to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.


Levy explained that GCHQ wants secure messaging services, like WhatsApp, Signal, Wire, and iMessage, to create deceitful user interfaces that hide who private messages are being sent to.

In the case of Apple’s iMessage, Apple would be compelled to silently add new devices to the list apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook – it will go to those devices, and a new addition, a spying device owned by the government.

Via Jeffrey Goldberg:

One of the most disturbing things about the Assistance and Access Act is that it apparently authorizes the Australian government to compel someone subject to its laws to surreptitiously take actions that harm our customers’ privacy and security without revealing that to us. Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to?

We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws. Our existing security and privacy design and internal controls may well be sufficient without adding additional controls on our people in Australia. Nor do we yet know to what extent we should consider Australian nationality in hiring decisions. It may be a long time before any such internal policies and practices go into place, if they ever do, but these are discussions we have been forced to have.

The Many Setups of the 2018 iPad Pro

Federico Viticci:

But what makes iPad unique is that, unlike a desktop computer or laptop, it is able to take on other forms – and thus adapt to different contexts – simply by connecting to a variety of removable accessories. The iPad can be used while relaxing on a couch or connected to a 4K display with a Bluetooth keyboard; you can work on it while waiting in a car thanks to built-in 4G LTE, or put it into a Brydge keyboard case and turn it into a quasi-MacBook laptop that will confuse a lot of your friends who aren’t familiar with iPad Pro accessories. In a way, the iPad is modern computing’s version of Kirby, the famous Nintendo character that is a blank canvas on its own, but can absorb the capabilities of other characters when necessary.

See also: Marco flies next to a Microsoft commercial.

Previously: iPad Pro 2018.

Apple Puts Third-party Screen Time Apps on Notice

Sarah Perez (via Dan Masters):

A number of app developers building third-party screen time trackers and parental control applications are worried that Apple’s increased scrutiny of their apps in recent weeks is not a coincidence. With Apple’s launch of iOS 12, the company has implemented its own built-in screen time tracking tools and controls. Not long after, developers’ third-party screen time apps came under increased review from Apple, and, in some cases, rejections and removals from the App Store.


Some of the developers, we understand, were told they were in violation of App Store developer guideline 2.5.4, which specifies when multitasking apps are allowed to use background location. Specifically, developers were told they were “misusing background location mode for purposes other than location-related features.”


In an odd turn of events, after Space and Mute published on their public company blogs to complain, they received a call from Apple and had their apps reinstated on the App Store.

Previously: Apple Removes RescueTime From the App Store.

Don’t Believe System Information’s Legacy Software

Howard Oakley:

Mojave introduces a new feature in its bundled tool System Information: in the Software section is a list of Legacy Software. According to Apple’s Support Note:

If you’re using macOS Mojave, select Legacy Software in the sidebar to see all applications that have not been updated to use 64-bit processes.

Only what you’ll see in Legacy Software is far from complete, and thoroughly misleading.

Previously: ScanSnap 64-bit Software Update, Removed in macOS 10.14 Mojave.

Tuesday, December 11, 2018

Make the iPad More Like the Mac

Radu Dutzan (via Daniel Cohen):

Fast forward to almost-2019: the iPad is now “Pro”, the screen goes up to 13", it has an optional keyboard and pointing device, and bests over half the MacBook line in benchmarks. Yet it still runs the iPhone’s OS. Yeah, they added a fancier multitasking UI and the ability to run up to 3 apps at once in a limited set of configurations, but it still behaves like it’s a pocket-sized device for use with your imprecise fingers as you walk down the street. The home screen is still just a sparse grid of apps, a useless mess left to the user to manage. Things like Spotlight, Siri, voice calls or interacting with notifications still take up the entire screen, and so do apps (except for the highly limited and sometimes confusing floating window mode). Undo is still a mess. And text cursor behaviors are a bureaucratic hassle, even when used with a Pencil.


I’m so tired of holding my breath for Apple to release some sort of iPad Xcode, and the people at Sketch said back in 2015 that it just didn’t make financial sense for them to build a touch version, so I pulled the trigger, and got the Luna on Black Friday. It arrived yesterday, and I’ve been living my dream: I’m running macOS on my iPad. Well, not so much as running it on the iPad, more like streaming it from my Mac, but it’s pretty close.


There are so many places where the iPad could benefit from some adaptation of tap-and-drag selection. […] That same heuristic could be applied to iPad text fields and layout apps such as Keynote: after holding a touch still on a text field or on the canvas for a set amount of time, the gesture could become a selection drag, and moving your finger could begin selecting the text or objects encompassed by the net dragged distance.

Previously: iPad Pro 2018, Using an iPad as a Mac mini Display, Proof That iOS Still Hasn’t Gotten Undo Right.

Update (2018-12-12): Michael Love:

This; but, RAM is still a fundamental issue we don’t have a good solution for. Essential to iPad’s nature that it always be running / turn on instantly, but you can’t do that with 16 GB RAM without a gonzo battery.

Apple can come up with an utterly flawless desktop-replacement OS for iPad in 2019, but as long as it’s stuck at 4-6 GB of RAM it’ll never be able to run Xcode or other professional apps without offloading most of the work to a server somewhere.

Colin Cornaby:

I also want to tack onto this that iOS’s no-swap-file memory architecture is basically unacceptable for pro apps. Alone it is a blocker for things like Xcode and Final Cut Pro.

Tracking Leakers With Watermarked Screens

Cullen (via Ryan McLeod):

One of the most fun jobs I ever had was figuring out how to embed the serial number of your Xbox 360 into rings emanating from the bottom right, so we could track and identify leaks

Majd Taby:

In 2010 someone at MobileMe encoded the IP address into the paddings and margins of the page to track leakers.


This thread post contains detailed information on how to view a hidden watermark which has been verified to exist embedded in JPG screenshots produced by the WoW client. The watermark itself includes, encoded in unencrypted bytes, the user’s account name (\World of Warcraft\WTF\Account\), an HH:MM timestamp and the IP address of the server.

The Key From Before Enabling FileVault

Lloyd Chambers:

The behavior I observe implies that turning on FileVault and supplying a password does nothing more than encrypt the encryption key already there using the user-supplied password (and presumably a random salt value or vice versa). Because if the data is already encrypted, the decryption key and/or salt value either must remain the same, or all the data must be decrypted and re-encrypted.

Which suggests some level of security risk since that key already existed without the password protection of the user-supplied encryption password. I presume that the T4 secure enclave somehow forestalls this security risk, but I do not know the details. Maybe there is some per-chip specificity that forestalls a general security weakness. Even so, that assumes hardware invulnerability, which is not possible.

I have been wondering about that, too.
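The design Chambers is reasoning about is the standard key-wrapping scheme for full-disk encryption: the data is encrypted under a random volume key from the moment the volume is formatted, and “turning on” the password only wraps that volume key under a key derived from the password and a salt, so nothing on disk has to be re-encrypted. The following is an added illustration of that scheme, not Apple’s FileVault code; the cipher is a toy HMAC-based stream cipher standing in for the real disk cipher, the PBKDF2 work factor is arbitrary, and the `device_secret` is an assumed stand-in for a hardware-bound secret of the kind he speculates the Secure Enclave provides (all names are hypothetical). It shows the three properties at issue: enabling or changing the password leaves the encrypted blocks byte-for-byte unchanged, the volume key exists unprotected before any password is set, and binding the wrapping key to a device secret makes a copied wrapped key useless on other hardware.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, not FileVault's


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real disk cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(password: str, salt: bytes, device_secret: bytes) -> bytes:
    """Password -> key-encryption key. Mixing in device_secret (assumption: stands in
    for a hardware-bound secret) makes the wrapped blob useless on other hardware."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.new(device_secret, pw_key, hashlib.sha256).digest()


def wrap_key(volume_key: bytes, kek: bytes) -> bytes:
    """Encrypt the volume key under the KEK and append an integrity tag."""
    blob = _xor(volume_key, _keystream(kek, b"wrap", len(volume_key)))
    return blob + hmac.new(kek, blob, hashlib.sha256).digest()


def unwrap_key(wrapped: bytes, kek: bytes):
    """Return the volume key, or None if the KEK is wrong (tag mismatch)."""
    blob, tag = wrapped[:-32], wrapped[-32:]
    if not hmac.compare_digest(hmac.new(kek, blob, hashlib.sha256).digest(), tag):
        return None
    return _xor(blob, _keystream(kek, b"wrap", len(blob)))


class EncryptedVolume:
    """Data is always encrypted under a random volume key generated at format time.
    Enabling or changing a password only re-wraps that key; data blocks never change."""

    def __init__(self):
        self.volume_key = os.urandom(32)  # exists, unprotected, before any password is set
        self.blocks = {}
        self.salt = None
        self.wrapped = None

    def write(self, lba: int, data: bytes) -> None:
        nonce = lba.to_bytes(8, "big")
        self.blocks[lba] = _xor(data, _keystream(self.volume_key, nonce, len(data)))

    def read(self, lba: int) -> bytes:
        ct = self.blocks[lba]
        return _xor(ct, _keystream(self.volume_key, lba.to_bytes(8, "big"), len(ct)))

    def set_password(self, password: str, device_secret: bytes) -> None:
        """Enable protection or change the password: fresh salt, re-wrap the key only."""
        self.salt = os.urandom(16)
        self.wrapped = wrap_key(self.volume_key, derive_kek(password, self.salt, device_secret))


def demo() -> dict:
    device = os.urandom(32)
    vol = EncryptedVolume()
    vol.write(0, b"constructed sample document")
    blocks_before = dict(vol.blocks)

    vol.set_password("correct horse battery", device)  # "turning on FileVault"
    blocks_after_enable = dict(vol.blocks)
    vol.set_password("new passphrase", device)         # password change
    blocks_after_change = dict(vol.blocks)

    recovered = unwrap_key(vol.wrapped, derive_kek("new passphrase", vol.salt, device))
    wrong_pw = unwrap_key(vol.wrapped, derive_kek("correct horse battery", vol.salt, device))
    wrong_dev = unwrap_key(vol.wrapped, derive_kek("new passphrase", vol.salt, os.urandom(32)))

    return {
        "data_unchanged_on_enable": blocks_before == blocks_after_enable,
        "data_unchanged_on_change": blocks_before == blocks_after_change,
        "unlock_ok": recovered == vol.volume_key,
        "old_password_rejected": wrong_pw is None,
        "other_device_rejected": wrong_dev is None,
        "plaintext": vol.read(0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point for the risk Chambers raises is the window before `set_password` is called: the volume key is a plain value in memory (or in volume metadata) with nothing but physical access standing between it and the data. Wrapping closes that window without rewriting the disk, and the device-secret binding is what would stop an attacker from carrying the wrapped key and the disk image to hardware they control and brute-forcing the password there.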

Why I’m Usually Unnerved When Modern SSDs Die on Us

Chris Siebenmann:

Like most of the SSDs deaths that we’ve had, this one was very abrupt; the drive went from perfectly fine to completely unresponsive in at most 50 seconds or so, with no advance warning in SMART or anything else. One moment it was serving read and write IO perfectly happily (from all external evidence, and ZFS wasn’t complaining about read checksums) and the next moment there was no Crucial MX300 at that SAS port any more. Or at least at very close to the next moment.


What unnerves me about these sorts of abrupt SSD failures is how inscrutable they are and how I can’t construct a story in my head of what went wrong.

Epic Removes Infinity Blade From the App Store

Eli Hodapp (tweet):

The App Store had evolved considerably over the years, but one of the most distinct divisions of time in the early days of the App Store was the release of Epic’s Infinity Blade. Our review, published almost exactly eight years ago today, does a great job of illustrating just how monumental the release of this game was. Over the next few years we’d see a sequel, and then Infinity Blade III would join the mix, turning the series into a trilogy. As of today, all three games are no longer available for purchase on the App Store. If you already own them, you can re-download them, but all the IAP has been disabled and the games should be accessible for the “foreseeable future.” The reason for their removal, according to Epic is, “it has become increasingly difficult for our team to support the Infinity Blade series at a level that meets our standards.”


The game company that has the biggest hit in the world, and is raking in so much cash that they’re even opening their own online game distribution platform for developers with absurdly generous terms can’t make sense out of continuing to maintain their mobile games.

John Voorhees:

It’s a shame that a historically important series is gone but not shocking. Epic soured on paid-up-front games long ago.

Monday, December 10, 2018

2018 iPhone Sales

I have no idea whether this time it’s different and the reported production cuts actually do mean that sales are lower than Apple expected. But Apple itself does seem to be reacting differently than in past years.

Sean Keane:

Apple told its main phone assemblers, Foxconn and Pegatron, to stop plans for additional iPhone XR production lines, a report said Monday.

The order to the two Taiwanese companies suggests that demand for the cheapest of the 2018 iPhones hasn’t lived up to Apple’s expectations, according to Nikkei, which cited anonymous sources.

Joe Rossignol:

In recent weeks, Apple slashed production orders for its latest iPhone XS, iPhone XS Max, and iPhone XR models due to “lower-than-expected demand,” among other reasons, according to unnamed sources cited by The Wall Street Journal.

Shara Tibken:

Apple’s iPhone XR has been outselling the iPhone XS and iPhone XS Max every day since the cheaper, colorful phone hit the market last month.

Greg Joswiak, Apple’s vice president of product marketing, told CNET in an interview Wednesday that the device has “been our most popular iPhone each and every day since the day it became available.”

Mark Gurman:

Apple Inc. is experimenting with iPhone marketing strategies it rarely uses -- such as discount promotions via generous device buyback terms -- to help goose sales of its flagship product.

Company executives moved some marketing staff from other projects to work on bolstering sales of the latest handsets in October, about a month after the iPhone XS went on sale and in the days around the launch of the iPhone XR, according to a person familiar with the situation. This person described it as a “fire drill,” and a possible admission that the devices may have been selling below some expectations.

Michael Steeber:

Starting this week throughout U.S. stores, Apple co-opted its Genius Bar Displays in classic locations, Apple TV demos, and Today at Apple Forum Displays to promote iPhone XS and XR deals. Rolling out Wednesday, animated video demo loops play on the displays, followed by text similar to Apple’s online copy: “Limited Time. iPhone XR from $449. Trade in your current iPhone and upgrade to a new one.” While Apple has used similar wording for in-store promotion of its Back to School offer, the advertising has traditionally been limited to desktop wallpapers on display Macs.

Until recently, Genius Bar Displays were used to showcase product tips and Apple Support videos. Last month, Apple began highlighting upcoming Today at Apple sessions on the displays. The change brought consistency to Apple’s message at every location. In updated stores, the Video Wall serves a similar role and runs playlists of curated artwork when not in use. Forum Displays, when idle between sessions, also highlight each store’s Today at Apple schedule. Marketing of limited-time offers is outside the scope of their original intended use.

Bob Burrough:

Visual comparison of iPhone sales 2015-2018.

Previously: Apple’s Q4 2018 Results, My Today at Apple Experience.

Update (2018-12-11): Tim Hardwick:

Two of Apple’s largest suppliers have reported healthy jumps in monthly revenue, suggesting fears of weak iPhone demand may be overblown (via Bloomberg).

Asian firms TSMC and Foxconn (Hon Hai) both posted a 5.6 percent rise in November sales, reversing a recent trend of Apple suppliers reducing production or revenue outlooks to reflect lowering demand for Apple’s smartphones.

Update (2018-12-12): Tim Hardwick:

Apple this morning began offering promo codes to Apple Music subscribers that allow them to buy a HomePod at a discounted price for a limited time, in a holiday-themed promotion.

Mike Murphy:

This is probably the last one of these charts I’ll ever get to make

Apple is going to stop breaking out shipment data, and it seems pretty obvious why[…]

Ryan Jones:

App Store Editorial team - told to sell hardware too.

How Subscriptions Are Remaking Corporate America

Alex Eule (via Josh Brown):

Investors, somewhat belatedly, have discovered the subscription payoff. The market now values Microsoft at $23 for every dollar of profit it generates, while Apple’s price/earnings ratio is mired at a hardware-like 13 times.


In 2012—the last full year it sold boxed software—Adobe earned $2.35 a share. This year, the company is projected to earn $6.82, going to $7.98 next year.

It’s a stunning jump for a 36-year-old outfit. The stock’s gain has outpaced earnings growth because investors are paying more for every dollar of profit. The stock has risen 793% since Adobe outlined its subscription strategy in 2011.


“Retention is the new growth,” Narayen tells Barron’s. The subscription model, he adds, has made the company more responsive, with developers tracking customer habits and updating software in nearly real time.

Steven Sinofsky:

This is true. But it also dramatically changes product development to be more incremental and less aggressive about dealing with potentially disruptive change. It makes one think everything exists to sustain the subscription bundle.


The bigger problem is the class divide the subscription model is creating. The less well off population is now (or soon will be) unable to access tools that were available to them a few years ago.

Chuq Von Rospach:

True, which is why Lightroom has 3-4 legitimate competitors chasing its market where two years ago it had none.

Previously: Productivity Apps and Subscription Pricing.

ScanSnap 64-bit Software Update

Fujitsu (via David Sparks):

ScanSnap Home is the 64 bit application for macOS for the following ScanSnap scanner models.


The 64 bit application for macOS is not provided for the old scanner models such as ScanSnap S1500, S1500M, etc. because their support periods have already expired. If you wish to have the 64 bit application for macOS, please consider purchasing ScanSnap products that are currently available on the market.

Unlike before, the new software really doesn’t seem to work with the old scanners, and it will remove the old software when you install it. It seems silly to replace hardware that’s still working perfectly, especially when I have doubts about the new software, so I’ll probably set up my old MacBook Pro that can’t run Mojave to use it with the old software.

Update (2018-12-11): Mark Munz:

64-bit support was WAY overdue. After taking so long, they now expect customers to buy a brand new piece of hardware ($$$$) to get it.

Kirk McElhearn:

I was planning to use a VM for that. I’m very disappointed, especially because I’ve heard a lot of bad things about the new software that ships with the newer devices.

The Thumb Zone

Joe Cieplinski:

Unfortunately, phone manufacturers and software developers have all but thrown the one-hand principle out the window in recent years. The allure of larger and larger screens has decreased the thumb-reachable percentage of the screen significantly. And yet, much of our software, particularly on iOS, has failed to accommodate.

When the first iPhone was released, with its puny 3.5-inch screen, I could easily reach every corner with either thumb. On an iPhone XS Max, with its gargantuan 6.5-inch screen, I’m lucky to reach even 60% of the total screen area without a second hand. And yet, navigation bars, with their all-important Cancel and Done buttons, and many other controls are still located at the top of the screen, way out of thumb’s reach.

Muting Gas Station Ads

Eric Ravenscraft (via Eric Schwarz):

Whether your pump advertises it or not, however, there’s a handy way to shut the dang thing up. There’s an array of buttons along the side of the screen. One of these buttons (usually) mutes the ads. Which one is anyone’s guess, as different companies choose a different mute button. To figure out which one, just start at the top and start pressing each button until you find the one that gives you the blissful silence you’re looking for.

Friday, December 7, 2018

Electron and the Decline of Native Apps

John Gruber (tweet, Hacker News):

In some ways, the worst thing that ever happened to the Mac is that it got so much more popular a decade ago. In theory, that should have been nothing but good news for the platform — more users means more attention from developers. The more Mac users there are, the more Mac apps we should see. The problem is, the users who really care about good native apps — users who know HIG violations when they see them, who care about performance, who care about Mac apps being right — were mostly already on the Mac. A lot of newer Mac users either don’t know or don’t care about what makes for a good Mac app.

One could also argue that the worst thing that ever happened to the Mac was the iPhone.

As un-Mac-like as Word 6 was, it was far more Mac-like then than Google Docs running inside a Chrome tab is today. Google Docs on Chrome is an un-Mac-like word processor running inside an ever-more-un-Mac-like web browser. What the Mac market flatly rejected as un-Mac-like in 1996 was better than what the Mac market tolerates, seemingly happily, today. Software no longer needs to be Mac-like to succeed on the Mac today. That’s a tragedy.

Don’t miss his rant about Finder keyboard shortcuts in Mojave.

Previously: The Mojave Marzipan Apps, Is There Hope for the Mac App Store?.

Apple Removes Afghanistan ’11 From the App Store

Alex Allegro:

Apple has removed game developer Slitherine’s Afghanistan ’11 from the iOS App Store for using a “specific person or real entity” as the enemy of the game, even though it is touted as being entirely historically accurate in depicting the US war in Afghanistan.

Slitherine, a small UK based game developer, specializes in accurate war simulation games. With a strong emphasis placed on learning, rather than gameplay, further paired with the fact the app has been available for well over a year, it comes as a surprise that Apple chose to pull the plug here rather than giving Slitherine an outright rejection from the get-go.

The guidelines say:

Realistic portrayals of people or animals being killed, maimed, tortured, or abused, or content that encourages violence. “Enemies” within the context of a game cannot solely target a specific race, culture, real government, corporation, or any other real entity.

World War II and other historically based games remain in the store. Is that because they let you target both sides? Or because the historical enemies are no longer considered real? Or simply inconsistent reviewing?

WordPress 5.0, Gutenberg, and MarsEdit

Daniel Jalkut:

This change to the editor is part of a trend with WordPress of moving away from the dedicated purpose of blogging, towards satisfying the more general-purpose needs of a full-featured CMS.


When editing a post with block-based content in MarsEdit, you will see the raw HTML for your blocks when editing in Plain Text mode, and a rendered version of the HTML in Rich Text mode. Unlike the WordPress web-based editor, you will not see a visual representation of the blocks as separate entities in your posts. But when you edit and publish changes to your post, the block information should be preserved.


I don’t think Gutenberg threatens the MarsEdit workflow, even after it becomes the only editing framework for WordPress. The way blocks are implemented, users will have the option of simply writing “one block” per post if they feel that is sufficient. I don’t anticipate the status quo for MarsEdit users being disrupted unless they specifically choose to use themes that only work well if multiple blocks per post are used.

Update (2018-12-10): Matt Mullenweg:

The overall goal is to simplify the first-time user experience of WordPress — for those who are writing, editing, publishing, and designing web pages. The editing experience is intended to give users a better visual representation of what their post or page will look like when they hit publish. As I wrote in my post last year, “Users will finally be able to build the sites they see in their imaginations.”


Over the past several years, JavaScript-based applications have created opportunities to simplify the user experience in consumer apps and software. Users’ expectations have changed, and the bar has been raised for simplicity. It is my deep belief that WordPress must evolve to improve and simplify its own user experience for first-time users.

Mark Hughes:

All of this suggests that Gutenberg was pushed out because it was useful in business competition with SquareSpace, not because it helps any WordPress users. The classic rich text editor was fine for many newbies, and then they'd graduate to HTML or Markdown, neither of which are rocket surgery, when they needed more control.

Update (2018-12-11): Manton Reece:

Meanwhile, WordCamp US was a few days ago in Nashville. WordPress founding developer Matt Mullenweg gave his State of the Word talk to wrap up the conference. The talk + Q&A is long, over 1.5 hours, but provides a detailed overview of Gutenberg and where WordPress is going.

The Friendship That Made Google Huge

James Somers:

Jeff and Sanjay began poring over the stalled index. They discovered that some words were missing—they’d search for “mailbox” and get no results—and that others were listed out of order. For days, they looked for flaws in the code, immersing themselves in its logic. Section by section, everything checked out. They couldn’t find the bug.


On Sanjay’s monitor, a thick column of 1s and 0s appeared, each row representing an indexed word. Sanjay pointed: a digit that should have been a 0 was a 1. When Jeff and Sanjay put all the missorted words together, they saw a pattern—the same sort of glitch in every word. Their machines’ memory chips had somehow been corrupted.


When a car goes around a turn, more ground must be covered by the outside wheels; likewise, the outer edge of a spinning hard disk moves faster than the inner one. Google had moved the most frequently accessed data to the outside, so that bits could flow faster under the read-head, but had left the inner half empty; Jeff and Sanjay used the space to store preprocessed data for common search queries. Over four days in 2001, they proved that Google’s index could be stored using fast random-access memory instead of relatively slow hard drives; the discovery reshaped the company’s economics.

Facebook Was Aware That Tracking Contacts Is Creepy

Arvind Narayanan:

The internal Facebook documents released today make for an incredible read. Remember the Dark Pattern consent dialog that FB used to grab Android users' call and text history w/o alerting them? Now we can see some of the scheming that led to that decision.


1) How completely broken is Android’s security model if malicious apps are somehow automatically granted permissions on private data?

2) How can people at Facebook still have a conscience and do stuff like this?

Kashmir Hill (via John Gruber):

The business team wanted to get Bluetooth permissions so it could push ads to people’s phones when they walked into a store. Meanwhile, the growth team, which is responsible for getting more and more people to join Facebook, wanted to get “Read Call Log Permission” so that Facebook could track everyone whom an Android user called or texted with in order to make better friend recommendations to them. (Yes, that’s how Facebook may have historically figured out with whom you went on one bad Tinder date and then plopped them into “People You May Know.”) According to internal emails recently seized by the UK Parliament, Facebook’s business team recognized that what the growth team wanted to do was incredibly creepy and was worried it was going to cause a PR disaster.

Thursday, December 6, 2018

Mac App Notarization and Customer Privacy

Jeff Johnson:

What does not appear to be documented is that Mojave “phones home” to Apple on first launch of every downloaded app, regardless of whether the app was notarized. […] This status is not cached.


In packet traces I see a reference to, which suggests that Gatekeeper may be using some form of Online Certificate Status Protocol (OCSP), a standard method for checking whether a certificate has been revoked. The internet traffic is to on TCP port 443, in other words, https. Thus, the data is likely encrypted.


It’s important to note that no explicit consent has been given for this information to be transmitted to Apple. In System Preferences, I had disabled all of the Analytics in Security & Privacy and all of the automatic checks in Software Update, so as far as Mojave was concerned, Apple had no permission. I’m not aware of any official Apple privacy policy with regard to Gatekeeper. I have no reason to believe that Apple will use this data for competitive or marketing purposes, but… who knows? It would certainly be a gold mine of information about Mac consumer usage of third-party apps. Apple has announced that app notarization will be required for all apps in an upcoming version of macOS, so in effect Apple is forcing developers and end users to give Apple valuable business data.

I wonder how long Apple stores this data and whether anyone would be motivated to try to gain access to it.

Proof That iOS Still Hasn’t Gotten Undo Right

John Gruber (tweet, Hacker News):

There is a common convention for Undo/Redo in iOS drawing apps — circular arrow buttons, counterclockwise for Undo and clockwise for Redo. (And, thankfully, these are the same icons used for Undo/Redo on the iPad on-screen keyboard. Consistency is not completely lost.) You can see them in these screenshots from Apple Notes and Linea Go on iPhone.

But it speaks to how weak this convention is that Procreate Pocket could do something not just different but totally different — multi-finger taps with no on-screen buttons — and not just get away with it but be celebrated by Apple for it. I’m not saying Procreate’s two/three-finger taps are better or worse than on-screen buttons. (Well, stay tuned.) And I can see the thinking — screen space on an iPhone is so precious that any reduction in on-screen buttons is a win in terms of reducing UI clutter and maximizing the screen space available for showing the content of the illustration. Also, I’m sure the two/three-finger taps are very fast once you’re used to them.


What it comes down to, I think, is that the menu bar has become a vastly underestimated foundation of desktop computing. Once heralded, the menu bar is now seen as a vestige. I’m not arguing that iOS should have a Mac-style menu bar.

I think iOS could use some sort of menu bar or Start menu. There needs to be a standard place for extra commands that don’t fit as buttons and that shouldn’t be shoe-horned into the Share button.

Previously: On “Shake to Undo”.

Update (2018-12-11): Procreate:

Whether you’re one of our competitors, or in an entirely different field, please feel free to grab the project below. Take it, use it, and give your users the most instinctive Undo and Redo method available.

How OmniDiskSweeper Reports Free Space

Ken Case:

The “purgeable” space is space that the operating system knows how to reclaim when you try to create files that need that space. But it’s not truly cleared up from the disk yet and still shows up in OmniDiskSweeper’s summary list. But even though it shows up in the summary, it won’t show up when you browse the disk looking for files to delete—so OmniDiskSweeper will end up reporting different numbers for space used based on how it scans your disk.


These snapshots can take nearly zero space at the start (because their contents are exactly the same as the current files on disk), but as files get edited or removed the snapshots start to take up more and more space. In particular, when you delete huge files (because you’re trying to clear up space), they will disappear from your filesystem but will still exist in your snapshots until those are removed. This is where I usually find the bulk of the “purgeable” space reported in Disk Utility.

Also, OmniDiskSweeper doesn’t tell you about APFS cloned files. (I’m not sure how it reasonably could.) So, although it will tell you how much space a given file is using, deleting that file may only increase the free space by a fraction of that amount.

Previously: Dive Into APFS.

iOS and the Hassle of Dropping Your Wi-Fi As You Move Away From Your House

Dave Mark:

This happens to me all the time. I’m in an app that’s attached to my home WiFi and I walk (or drive, as a passenger) away from my house. As I move further from my house, the signal gets progressively weaker and whatever app I’m in just hangs, stuck waiting for a reply from my home WiFi that’s never coming.


Some time ago, Apple added the setting Cellular > Wi-Fi Assist (scroll down below that long list under CELLULAR DATA) that someone suggested might help with this, though I believe the intent was to help with poor WiFi, not specific to this problem. As it turns out, this is on for me. Does not make a difference.

Wednesday, December 5, 2018 [Tweets] [Favorites]

@rpath What?

Marcin Krzyżanowski:

@rpath stands for Runpath Search Path.

  • In Xcode, it’s set with the LD_RUNPATH_SEARCH_PATH setting.
  • In the ld command-line tool it’s set with the -rpath parameter when linking. So it’s a search path for the linker. Runtime Search Path instructs the dynamic linker to search a list of paths in order, to locate the dynamic library.

The value of the parameter may be an absolute path (or multiple paths) to a directory, e.g.: /usr/private/lib or @executable_path/Frameworks.


However, if we need to modify the @rpath manually, e.g., as a part of installation phase - there’s an app for that: install_name_tool.
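The security-relevant side of this is that every LC_RPATH entry is a directory the dynamic linker will consult, in order, for any library whose install name begins with @rpath, so an rpath that points at a location other users can write to is a dylib-planting opportunity. The script below is an added example, not part of Marcin’s post or any Apple tool: it parses the output of `otool -l` for LC_RPATH load commands and flags entries that are neither bundle-relative (@executable_path, @loader_path) nor under a system directory. The `otool -l` text it parses is constructed inline in the real format so the script runs without a Mach-O binary at hand; the treatment of /usr/local/lib and /tmp as “worth a look” is a judgement call, not a rule from the page, and on a binary signed with library validation the loader rejects foreign dylibs regardless of rpath.

```shell
#!/bin/sh
# Added example (not from the original post): list LC_RPATH entries from
# `otool -l` output and flag the ones that are not anchored to the bundle or
# to a system directory. SAMPLE_OTOOL_OUTPUT is constructed to match the real
# `otool -l` layout so the script runs offline.

SAMPLE_OTOOL_OUTPUT='Load command 12
          cmd LC_RPATH
      cmdsize 40
         path @executable_path/../Frameworks (offset 12)
Load command 13
          cmd LC_RPATH
      cmdsize 32
         path /usr/local/lib (offset 12)
Load command 14
          cmd LC_RPATH
      cmdsize 32
         path /tmp/build/lib (offset 12)'

# Print one rpath per line, in load-command order (the order dyld searches).
# Real use: otool -l /path/to/binary | rpath_entries
rpath_entries() {
    awk '$1 == "cmd" && $2 == "LC_RPATH" { want = 1; next }
         want && $1 == "path"            { print $2; want = 0 }'
}

# Bundle-relative rpaths and system directories are the expected cases;
# anything else is a directory dyld will honour for @rpath/ libraries and
# whose permissions deserve a check before the binary ships.
flag_risky_rpaths() {
    rpath_entries | while IFS= read -r p; do
        case "$p" in
            @executable_path*|@loader_path*|/System/*|/usr/lib/*) ;;
            *) printf 'non-bundle rpath: %s\n' "$p" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_OTOOL_OUTPUT" | flag_risky_rpaths

# Fixing a stray entry after the fact uses install_name_tool, e.g.
#   install_name_tool -delete_rpath /tmp/build/lib MyApp.app/Contents/MacOS/MyApp
#   install_name_tool -rpath /usr/local/lib @executable_path/../Frameworks MyApp
# (shown as comments; re-sign the binary afterwards, since the load commands changed).
```

The search order matters as much as the set: dyld takes the first directory that contains the library, so a writable directory listed before the bundle’s own Frameworks folder is the worst case.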

Apple Music Analyser

Mitchel Broussard:

Following Apple’s recently launched Data and Privacy portal, which lets customers download a copy of their Apple-related data, developer Pat Murray has built a browser-based app aimed at visualizing your Apple Music activity. With the download of one file on Apple’s Data and Privacy portal, Murray’s app organizes your complete Apple Music listening history since you first started using the service.

The developer promises that none of your data ever leaves your computer in the process, and explained to me that once it’s loaded, the web app will even work offline and still be able to run all computations and present users with their data. The full source of the app is available to read on GitHub, and it’s worth pointing out that Murray’s app is only asking for access to a single CSV file related to your Apple Music activity, and nothing else.

Previously: Requesting Your Personal Data From Apple.

Amazon Offering Apple Products


Apple Music subscribers will be able to enjoy Apple Music’s 50 million songs on Echo devices. Customers will be able to ask Alexa to play their favorite songs, artists, and albums—or any of the playlists made by Apple Music’s editors from around the world, covering many activities and moods. Customers will also be able to ask Alexa to stream expert-made radio stations centered on popular genres like Hip-Hop, decades like the 80s, and even music from around the world, like K-Pop. Just ask Alexa to play Beats 1 to hear Apple Music’s global livestream including in-depth artist interviews— all completely ad-free. Simply enable the Apple Music skill in the Alexa app and link your account to start listening.

John Gruber:

It’s still an open question whether Apple sees subscription content (mostly music now, with more original shows and movies coming soon) as something for its own devices, or cross-platform. Making Apple Music available to Echo devices sure sounds more like the latter.

Joe Rossignol:

Nearly two weeks after Amazon reached an agreement with Apple to sell more of its products, a selection of Apple products are available on Amazon in the United States, including the latest iPad Pro, Apple Watch Series 4, MacBook, MacBook Air, MacBook Pro, iMac, iMac Pro, Mac Pro, and Mac mini models.


Amazon has yet to begin selling any new iPhones directly from Apple or its network of Apple Authorized Resellers, but the iPhone XS, iPhone XS Max, and iPhone XR are expected to be available soon as part of the deal. One product that won’t be available is the HomePod since it is an Amazon Echo competitor.

Jason Snell:

Apple has often used exclusivity to drive hardware sales, which is one reason why you can’t watch iTunes purchases on Amazon Fire TV or Roku devices. Now the HomePod needs to compete as a high-end premium speaker, rather than as literally the only option if you want to give voice commands to an Apple Music-enabled smart speaker.

This is a move that could have huge ramifications for Apple’s forthcoming TV service, which has left the Apple TV caught between Apple’s current desire to grow services revenue and its classic focus on hardware profit margins. In fact, it brings to mind a similar move from back in 2002 and 2003, when Apple made the iPod compatible with Windows PCs.

Joe Rosensteel:

Apple’s desire to grow services revenue stands in direct opposition to whatever passes for a TV hardware strategy in Cupertino. To grow subscribers they need to lower the cost of the devices required to view video service content, subsidize their sale, or make the service available on the platforms they compete with. If they don’t, then this is over a billion that they wouldn’t be able to make back as a niche, premium content provider.

Previously: Amazon Kicks Off Unauthorized Apple Refurbishers, Amazon Will Stop Selling Nest Smart Home Devices, YouTube Drops Echo Show, Amazon Adds Apple TV, Amazon Prime Video Finally Available for Apple TV, Apple TV 4K, Still a Hobby, Cultural Insularity and Apple TV, The Apple Music and HomePod Strategy.

Finding New Ways to Spy on iPhones

Lorenzo Franceschi-Bicchierai:

Governments around the world have been willing to spend a fortune on iOS malware. Saudi Arabia paid $55 million to purchase iPhone malware made by NSO Group, according to a recent report by Israeli newspaper Haaretz. There are several companies specializing in iOS malware, such as Azimuth, NSO Group, and some more. But despite the appearances, iOS malware isn’t only in the hands of big companies and their government customers.


Mobile Device Management or MDM is a feature in iOS that allows companies to manage and monitor devices given to their employees. By installing an MDM profile or certificate on an iPhone, a user gives the MDM owner some control over the device. This mechanism can be used by malware creators. In July, security firm Talos found that a hacking group used MDM to target a few iPhones in India (Mobile Device Management can be turned on for every iPhone.)


It’s unclear how government hackers get the malware on targets’ iPhones. Kaspersky Lab researchers speculated it may be via social engineering “using fake mobile operators sites.” In other words, this malware does not leverage any bugs or exploits in iOS, but instead takes advantage of MDM, which is a specific design feature in the operating system. In this way, it relies on a tried-and-tested social hacking technique—tricking users into installing something. For many years, the average user could essentially click on any link, download any app, and otherwise use their iPhone without worrying about targeted surveillance. That may soon no longer be the case.

Thomas Reed:

Sad truth: malware for iOS exists, but there’s absolutely no way to detect that it’s installed due to sandboxing restrictions in iOS.

Patrick Wardle:

^^this 💯

I have no idea how to check if my iPhone is hacked 😰

Nation States actually ♥️ hacking iPhones - largely because once they’re in (and yes, they can get in even remotely), the chance of detection is essentially 0%🤭

Custom ARM Processor for Amazon Web Services

Tom Krazit:

After years of waiting for someone to design an Arm server processor that could work at scale on the cloud, Amazon Web Services just went ahead and designed its own.

Vice president of infrastructure Peter DeSantis introduced the AWS Graviton Processor Monday night, adding a third chip option for cloud customers alongside instances that use processors from Intel and AMD. The company did not provide a lot of details about the processor itself, but DeSantis said that it was designed for scale-out workloads that benefit from a lot of servers chipping away at a problem.

The new instances will be known as EC2 A1, and they can run applications written for Amazon Linux, Red Hat Enterprise Linux, and Ubuntu.

Chris Williams:

Up until 2015, Amazon and AMD were working together on a 64-bit Arm server-grade processor to deploy in the internet titan’s data centers. However, the project fell apart when, according to one well-placed source today, “AMD failed at meeting all the performance milestones Amazon set out.”

In the end, Amazon went out and bought Arm licensee and system-on-chip designer Annapurna Labs, putting the acquired team to work designing Internet-of-Things gateways and its Nitro chipset, which handles networking and storage tasks for Amazon servers hosting EC2 virtual machines.

Update (2018-12-11): See also: Hacker News.

Starwood/Marriott and Quora Breaches

Nicole Perlroth et al. (Hacker News):

The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.

The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.

Marriott (via Dave Kennedy):

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

Bob Burrough:

Generally, business executives don’t know what questions to ask to make sure this doesn’t happen. But worse, most professional software developers don’t either.

The best way to prevent data from being leaked is to not store it.

Nick Heer:

Think about it: a breach of tens- or hundreds-of-millions of individuals’ extremely private information — including, in this case, passport numbers and hashes of credit card numbers — couldn’t happen if the system were designed to purge this information at the earliest possible chance.

Perry E. Metzger:

Today’s news about the Marriott breach should finally drive home a lesson that has been missed for years now: “we’ve been doing what every other big company does” means you are insecure and have to change your ways, because the median large company has terrible security.

Brian Krebs:

The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.

Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.

However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data.

Brian Krebs:

But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.


This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.

The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.

Adam D’Angelo (via Troy Hunt):

For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
  • Public content and actions, e.g. questions, answers, comments, upvotes
  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

Nick Heer:

However, I want to give kudos to Quora on three fronts.

Tuesday, December 4, 2018 [Tweets] [Favorites]

Optional OmniFocus Subscriptions

Ken Case (tweet):

Beyond supporting this new service model, there are some other benefits to offering subscription pricing as an option. Some of you have told us that you’re frustrated by our current “a la carte” pricing model, where each edition of the app is purchased separately. That you would prefer the option to pay a subscription each year which covers the price of future upgrades and unlocks the app everywhere. That you’d rather not have to worry about when the next major upgrade is coming, budgeting for how much that will cost. That you don’t want to have to think about whether you’ve bought the app for Mac or for iOS; that instead, you just want to use it on whichever device you happen to be using. Offering a subscription option for our desktop and mobile apps would help with all of these requests.


The OmniFocus subscription will cost $9.99/month, giving you access to the web service as well as OmniFocus Pro on all your Mac and iOS devices. If you’ve already invested in OmniFocus 3 and just want to add the web service, the cost for that will be $4.99/month.


I should note that subscriptions do have significant downsides. The initial cost to start using the product is lower, but over time subscriptions will end up costing more—and unlike our one-time purchases, it’s not an investment: when you stop subscribing to OmniFocus you’ll lose access to the things that were being provided by that subscription.

This seems very logical and well explained. Not yet announced: who you’ll pay for the subscriptions. Presumably, Omni could sell them directly to customers, bypassing the App Store’s 30% and offering educational discounts if they want.

Previously: Business Licensing for Omni’s iOS Apps, Transmit 5 on the Mac App Store.

iCloud Drive Stuck Uploading and Downloading Files

Matt Henderson:

To solve the problem, after moving my GitHub folder outside of Documents, I then backed up all the files in Desktop and Documents on my Mac that I need, and disabled “iCloud Drive” in the iCloud area of the system preferences, and instructed the Mac to delete all the local files.

I then went into iCloud Drive via the website, and started deleting everything from there.


So the fact that deletions are getting processed one by one in the browser, but there’s no UI to indicate that, can cause terrible confusion when trying to perform the kind of mass cleanup that I was doing.

Update (2018-12-11): Wojtek Pietrusiewicz:

I was trying to transfer an edited photo from my iPad to my MacBook Pro a few minutes ago. I saved it to iCloud Drive and went to look for it on my Mac. Not there. I checked my iPhone and verified it was synced. So I restarted my Mac. Nope, nothing.

Want to know what triggered the sync process? I created a new folder in Finder.

Microsoft EdgeHTML Replaced by Chromium

Zac Bowden (via Wojtek Pietrusiewicz):

Microsoft’s Edge web browser has seen little success since its debut on Windows 10 in 2015. Built from the ground up with a new rendering engine known as EdgeHTML, Microsoft Edge was designed to be fast, lightweight, and secure, but it launched with a plethora of issues that resulted in users rejecting it early on. Edge has since struggled to gain traction, thanks to its continued instability and lack of mindshare, from users and web developers.

Because of this, I’m told that Microsoft is throwing in the towel with EdgeHTML and is instead building a new web browser powered by Chromium, which uses a similar rendering engine first popularized by Google’s Chrome browser known as Blink. Codenamed “Anaheim,” this new browser for Windows 10 will replace Edge as the default browser on the platform, according to my sources, who wish to remain anonymous.

Update (2018-12-05): Kuba Suder:

This is so stupid, we’ve spent like a decade fighting the IE monoculture, only to replace it now with a Chrome monoculture. And that basically leaves 3 engines on the market, 2 of which share common history.

Update (2018-12-06): Joe Belfiore (Hacker News):

Microsoft Edge will now be delivered and updated for all supported versions of Windows and on a more frequent cadence. We also expect this work to enable us to bring Microsoft Edge to other platforms like macOS. Improving the web-platform experience for both end users and developers requires that the web platform and the browser be consistently available to as many devices as possible. To accomplish this, we will evolve the browser code more broadly, so that our distribution model offers an updated Microsoft Edge experience + platform across all supported versions of Windows, while still maintaining the benefits of the browser’s close integration with Windows.

Steve Troughton-Smith:

Gotta wonder why Microsoft didn’t co-opt Chrome long before this; why would anybody go download Google’s Chrome if the built-in Windows browser is basically the same thing

David Heinemeier Hansson:

Sad to see Microsoft throw in the towel on their own browser rendering engine. The web doesn’t benefit when developers are encouraged to “just test in Chrome” through consolidation. We need a strong, diverse set of browsers. HANG IN THERE FIREFOX!

Steve Troughton-Smith:

Microsoft Edge coming to the Mac will be the first time Microsoft’s flagship browser has been on the platform since Internet Explorer 5.2.3, 15 years ago

Cabel Sasser:

IE Mac was the first browser to support alpha-channeled PNGs, which we used on the Audion faces page for live previews with dragging etc.! And which Microsoft then used for press demos! What a great browser back then — incredible and groundbreaking

Steve Troughton-Smith:

IE for Mac’s download manager & progressbar icons for in-progress downloads were some of my favorite features. Took Safari a while to pick that up

John Siracusa:

It was also the first browser on the Mac to have decent CSS1 support. It was the web developer’s browser for a while.

Jimmy Grewal:

My favorite release of Mac Internet Explorer was the bootleg version 5.5 we put together at MacHack 2000 that was only available on the MacHack CD. 48 hours of caffeine & sugar fueled coding by @t, @sfalken, and @MafVosburgh...built & tested by me.

Jesse Vincent:

“Konqueror” always felt like it was a bit much for a browser name. Now I can see that it was just prescient.

See also: Zac Bowden, Tom Warren, MacRumors.

Update (2018-12-07): Chris Beard (Hacker News):

From a social, civic and individual empowerment perspective ceding control of fundamental online infrastructure to a single company is terrible. This is why Mozilla exists. We compete with Google not because it’s a good business opportunity. We compete with Google because the health of the internet and online life depend on competition and choice. They depend on consumers being able to decide we want something better and to take action.

Will Microsoft’s decision make it harder for Firefox to prosper? It could. Making Google more powerful is risky on many fronts. And a big part of the answer depends on what the web developers and businesses who create services and websites do. If one product like Chromium has enough market share, then it becomes easier for web developers and businesses to decide not to worry if their services and sites work with anything other than Chromium. That’s what happened when Microsoft had a monopoly on browsers in the early 2000s before Firefox was released. And it could happen again.

Oluseyi Sonaiya:

The ideal behind Web Standards is that the specification is implementation-independent, and that competing implementations drive different vendors to improve. If the majority of browsers coalesce around a single implementation, though, we lose that impetus.

Rui Carmo:

I’m actually kind of sad about this because it risks turning the Web into a monoculture again. Even if it does have the potential of making it substantially easier to build and maintain web sites in the long run.

John Gruber:

This is really rather stunning news, especially when you think back to the browser war in the 1990s. And I don’t think it’s a good thing for the web.

Update (2018-12-10): Owen Williams (via Meek Geek):

Yes, that’s right: not only will Microsoft shift to Chromium as its rendering engine, it’ll begin shipping Edge across all supported desktop devices on the planet, and it’ll start building it into the web platform within Windows.

This is huge news for the industry across the board, and is poised to propel the web to a first-class experience on par with native application development, as well as making it a much better experience for a broad swathe of internet users who might not have power over what browser they’re using.

The web has already swallowed native application development whole, but it’s about to get a lot better.


The strategy differences here are very different to that of Apple, which has largely ignored any feature of the open web that might threaten its own dominance. There’s no web-based notifications in Safari on iOS, or the ability to execute tasks or caching in the background, and so on.

I kind of wish Apple would switch to Chromium as well. With the rest of the world—especially on the desktop—mostly using the same browser, even popular sites can’t always be bothered to make things work well with Safari.

Dan Masters:

For all the criticism Google receives regarding Chrome, they've added some very pro-consumer features over the years.

This one is particularly interesting, as we usually associate sneaky subscription signups with native apps, but it clearly is a problem on the web too.

Update (2018-12-11): John Gruber:

Which, in turn, makes me wonder what the endgame will look like with Microsoft adopting Chrome. Is Microsoft really going to stick with Chrome, under Google’s ultimate control, or will they fork it, the way Google forked WebKit?

Dan Masters:

I’ve seen the same problem[…]

Sublime Merge Build 1092

Jon Skinner:

The contents view lets you step through modified files one by one. You can get to the contents view via the Contents tab on the side bar, double-clicking on a commit, or pressing space. It’s especially handy for reviewing and creating large commits.


Word wrap is now set to Auto mode by default: text and HTML files are displayed with word wrap on, while source code is displayed with word wrap off. You can set word wrap on or off for all files from the context menu.

These were two of the biggest issues for me. A recent update also added full text search. I still think the interface feels a bit weird, and not as intuitive as Tower’s, but the speed and syntax highlighting remain great, and I like seeing such quick development progress.

Previously: New Git Client: Sublime Merge.

Monday, December 3, 2018 [Tweets] [Favorites]

On Switching From an iPad Pro and a MacBook to a Pixelbook

Fraser Speirs (tweet):

When Google Drive launched in 2012, we started making more use of it and Google Docs. In the six years since, we have really gone all-in on these apps. I was never a huge fan of web-based software but we started with one particular project where we cut so much time and effort out of the process that I couldn’t help but get interested.


Fast forward to 2018 and virtually all of the work I do at school is now in Google Docs. I don’t think I’ve created anything new outside Google Docs for a couple of years now.


My school runs on GSuite but we usually access it through iPads. What I have found, though, is that the GSuite iOS apps are not very good. They lack important (and sometimes basic) functionality found in the web version of GSuite and they take a long time to adopt iOS platform features.


The point, though, is that GSuite is so powerful and so much at the heart of everything I do at school that if you asked me to decide between giving up GSuite and giving up iPad, I’m afraid iPad has to go. It is for this reason that I have been vocally advocating that Apple make iOS Safari as close to a “desktop class” browser as it can be.

Zac Cichy:

Why does Apple get called out for how poorly G Suite works on iOS, and not Google for making sub-par iOS apps?

Foad Afshari:

It is oftentimes said to be Apple’s problem versus the users’ problem. What if I like to use iOS and G Suite? Why do I as a user have to suffer for it?

Keith Edwards:

Why does everyone accept that you can’t set default apps on iOS? Why am I given a worse experience for a premium product because I choose to use apps outside of Apple’s services ecosystem, and how is it legal to not provide an option to switch?

Interview With Ron Johnson

Without Fail (via Matt Henderson):

Twenty years ago, Steve Jobs had an idea: he wanted to build an Apple store. Something sleek and iconic and unlike anything else in retail. But he had no idea how to do it. So he called someone who might: retail genius Ron Johnson. Ron tells Alex the story of what it was like to work with Steve and help transform Apple into a household name. And Ron talks about life after Apple—which included a huge and humbling failure.

Ron Johnson is now CEO and Founder of Enjoy.

Great interview, but far too short.

Update (2018-12-06): Nick Heer:

One thing I thought about while listening to it is just how successful these stores are. To date, Apple has closed only two without a logical replacement. They are often packed with people, and Apple still has one of the best buying and support experiences in the consumer technology space. I still believe that there are elements of the store that have suffered, but they’re still leaps and bounds better than what you get anywhere else.

Why Excel for iOS Doesn’t Support VB Macros

TJ Luoma:

Finally watched that “I tried to edit a movie on the iPad Pro” and this video editing professional is amazing and amazed at what it can do.

Commenter: “Yeah but Excel on iOS can’t do macros…”


I think the hardware can handle it.

Erik Schwiebert:

VB macros on iOS are forbidden by Apple. Review guideline 2.5.2 says in part that apps may not “download, install, or execute code which introduces or changes features or functionality of the app”.

I thought maybe Google Sheets would get around this by running the macros on the server, but apparently not.

Previously: iPad Pro 2018, How to Game the App Store, Hasta La Vista, Visual Basic.

Root Certificates From Sennheiser Headphone Software

Hans-Joachim Knobloch and André Domnick (PDF)

We found that – caused by a critical implementation flaw – the secret signing key of one of the clandestinely planted root certificates can be easily obtained by an attacker. This allows him or her to sign and issue technically trustworthy certificates. Users affected by this implementation bug can become victims of such a certificate forgery, allowing an attacker to, e.g., send trustworthily signed software or act as an authority authorised by Sennheiser.


According to Sennheiser, the browser must be able to access this local web socket through a trusted HTTPS connection in order to bypass cross origin resource sharing (CORS) restrictions implemented by relevant browsers. Hence, the HeadSetup SDK needs a locally trusted TLS server certificate issued to the localhost IP address and the associated private key.


Despite its designation as CA certificate, the HeadSetup software employs it as the TLS server certificate for the local secure web socket. In order to turn it into a trusted credential, the HeadSetup installer pushes the certificate into the local machine trusted root certificate store of the Windows system on which it is installed.

Note that the HeadSetup installer must run with local administrator privileges. Once the installing user confirms the installation of the software there is no further system prompt warning about the addition of the certificate to the trusted root store and displaying the certificate’s fingerprint, like there would be if this root certificate were added manually.

Via Andrew Ayer:

Like Superfish, anyone can use this key, which is the same on all installations, to forge certificates and impersonate websites.
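The pattern the report describes is checkable: a certificate sitting in the trusted root store that is both a CA (basicConstraints CA:TRUE) and names 127.0.0.1 or localhost as a TLS server identity is doing two jobs that should never be combined, and if the matching private key is found on disk, anyone holding that file can issue certificates every affected machine trusts. The script below is an added example, not from the Secorvo report or from Sennheiser’s software: it generates two self-signed certificates with openssl to stand in for the planted one and for an ordinary root, classifies them by that rule, and shows how to confirm a private key belongs to a given certificate by comparing public keys. The certificates, subject names and paths under $WORK are constructed for the example; it needs OpenSSL 1.1.1 or later for -addext. The real fix is the one the report implies: a vendor-specific leaf certificate for localhost with a key generated per installation, never a shared CA key.

```shell
#!/bin/sh
# Added example (not from the Secorvo report or Sennheiser): flag a trusted
# root that doubles as a localhost TLS server certificate, and check whether
# a private key found on disk pairs with it. Certificates below are generated
# here for illustration; file names under $WORK are assumptions.
# Requires OpenSSL >= 1.1.1 for -addext.
set -e
WORK="${TMPDIR:-/tmp}/rootcheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA that also carries a localhost SAN: the combination at issue.
make_suspect_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Vendor Root" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "subjectAltName=IP:127.0.0.1,DNS:localhost" \
        -keyout "$WORK/suspect.key" -out "$WORK/suspect.pem" 2>/dev/null
}

# Ordinary self-signed CA with no server identity, for comparison.
make_plain_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Plain Root" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$WORK/plain.key" -out "$WORK/plain.pem" 2>/dev/null
}

# Classify a PEM certificate: CA+LOCALHOST (the smell), CA, or LEAF.
# Real use: export each entry of the machine's trusted root store to PEM and
# run this over them.
classify_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
        if printf '%s\n' "$txt" | grep -Eq 'IP Address:127\.0\.0\.1|DNS:localhost'; then
            echo CA+LOCALHOST
        else
            echo CA
        fi
    else
        echo LEAF
    fi
}

# Does a private key file belong to a certificate? Compare the SubjectPublicKeyInfo
# from both sides; a match means the holder of the key can sign under that root.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

make_suspect_cert
make_plain_ca
for c in suspect plain; do
    printf '%s.pem: %s\n' "$c" "$(classify_cert "$WORK/$c.pem")"
done
if key_matches_cert "$WORK/suspect.pem" "$WORK/suspect.key"; then
    echo "suspect.key pairs with suspect.pem: whoever holds it can issue under this root"
fi
```

On a Windows machine the same check runs over the Local Machine “Trusted Root Certification Authorities” store, which is where the report says the HeadSetup installer placed the certificate without the fingerprint prompt a manual import would show; the classification is the same once each entry is exported as PEM.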