Archive for July 9, 2019

Tuesday, July 9, 2019

Apple Discontinues 12-Inch MacBook

Joe Rossignol:

Coinciding with refreshes to the MacBook Air and the entry-level 13-inch MacBook Pro today, Apple appears to have discontinued the 12-inch MacBook, which is no longer available through its online store.

It’s a bit sad to see it go because I know some people really liked the tiny size. But it’s hard to justify its existence and premium price when compared with a still-small MacBook Air with a much better display that’s faster and has more ports. I’m surprised it wasn’t discontinued when the 2018 MacBook Air was introduced.

I don’t think I’ve ever seen a 12-inch MacBook in the wild, and it’s the least popular Mac among users of my apps. There are roughly 40% more customers using the pricey iMac Pro—which didn’t ship until 6 months after the last MacBook update—than the entire MacBook family (which includes the older polycarbonate models).

Perhaps this size and name will return when Apple introduces its first ARM Macs.

Matt Birchler:

One thing I find interesting is that Apple’s completely new computers from 2013-2016 include:

  • Trash can Mac Pro
  • 12” MacBook
  • Touch Bar MacBook Pros

3 of those are already dead and we have rumblings of a new MBP design coming in the next year or so.

Since then we’ve had:

  • iMac Pro
  • New Mac mini
  • Mac Pro (cheese grater 2.0 edition)
  • New MacBook Air

Clearly, Apple has turned a corner when it comes to Mac hardware.

Ryan Jones:

Credit to Cupertino for killing the MacBook One!

Been saying it for years - that computer was a mistake. Stupid to go one port, premature to go USB-C, launched with no supply, bad name, immediately forgotten in the roadmap.

Apple’s starting to do literally exactly what I/we said they should with Mac lineup. More evidence they are back to listening to core users.

Update (2019-07-10): Jason Snell:

Theory: It’s another thermal corner. They couldn’t add anything to the product w/o a redesign because of the fanless thing, they couldn’t get it down under $1000, and decided (early on, I guess!) to replace it with another Air.

My daughter has one and loves it 🤷🏻‍♂️

Riccardo Mori:

First it was the 11-inch MacBook Air, now it’s the 12-inch MacBook. Do you want an Apple ‘ultrabook’? You’ll have to get an iPad Pro. What a coincidence.

Apple Lowers SSD Prices

Benjamin Mayo (tweet, MacRumors):

In addition to launching refreshes to the MacBook Air and MacBook Pro, Apple has lowered the cost of higher-end Mac solid state storage options, cutting the price in half for many of the configurations.

For example, the 4 TB SSD of the 512 GB 15-inch MacBook Pro used to cost $2800. It now costs $1,400. These savings are seen across the iMac, iMac Pro, Mac mini, and MacBook Air line.

[…]

The general pattern is that the first upgrade still costs the same, with price reductions applied to the bigger capacities.

This is great news, although the prices still seem inflated. For comparison, Apple is charging $400 to go from 256 GB to 1 TB, but you can get a highly regarded 1 TB Samsung SSD for $137. And there’s now a 2 TB Intel one for $103. Granted, this is not as fast as what Apple ships, but for many people the tradeoff would be worth it for that amount of storage. And it would certainly be an improvement over the spinning hard drive in the 2019 iMac.

It’s important to get enough internal storage because current Macs don’t have many ports, and there are issues with external drives.

Howard Oakley:

The snag with thermal throttling is that it only happens when you’re putting pressure on the SSD, maybe with it writing hundreds of GB of video. So when you need the X5’s performance most is when it’s most likely to have to use thermal throttling to keep itself cool. In what I thought was a comfortable ambient of 23°C (73°F) with a light breeze and good shade, my X5 suffered thermal throttling fairly consistently when I left it to run the Blackmagic Disk Speed Test for longer than 2 minutes 45 seconds, and by 3 minutes most of its writing was being done at 700 MB/s or less.

[…]

Yes, the installer thought it had worked and installed the two kernel extensions it required (two kernel extensions? really?), but in fact they had been blocked by macOS, so the Samsung app couldn’t see the SSD.

MacBook Air 2019 and New 13-inch MacBook Pro

Joe Rossignol:

Apple today announced that it has updated the MacBook Air with a True Tone display and lowered the price of the notebook to $1,099 in the United States, or $999 for qualifying students through Apple’s education store.

[…]

Alongside today’s update and price drop, Apple has also discontinued the 2017 MacBook Air, which it had continued to sell for $999 following the introduction of the revamped MacBook Air last October.

It is great to see more frequent Mac updates. Now the only non-Retina Mac is the base iMac—unless you count the Mac Pro and Mac mini because of the available external displays.

Joe Rossignol:

Apple today announced it has updated its entry-level 13-inch MacBook Pro with the latest 8th-generation Intel Core quad-core processors for up to two times faster performance compared to the previous generation. The notebook now also features a Touch Bar with Touch ID, a True Tone display, and the Apple T2 security chip.

It’s sad to no longer be able to get a MacBook Pro without a Touch Bar, but the 13-inch MacBook Escape hadn’t been updated in more than two years.

Wojtek Pietrusiewicz:

If Apple hadn’t added the Touch Bar to the non-Touch Bar model and just upgraded the CPU, I would be ordering one right now — the new CPUs are exactly what I have been waiting for. Unfortunately, they did, so that probably means no more Macs for me, at least until they get rid of the Touch Bar. And no, the Air is not sufficient for my needs — it lacks Display P3 and a proper processor.

retrac98:

99%+ of my usage of the touchbar is pressing escape, adjusting screen brightness, speaker volume, or accessing music controls.

All of these worked flawlessly when I had physical keys, but now it’s hard to know what I’m pressing without looking, and sometimes the controls become unresponsive to touches or drags.

I am also a musician. The Touch Bar is fantastic to adjust tuneables in GarageBand, without the gorilla arm or wobbly screen effect you get on touchscreens.

Mark Munz:

Apple adds Touch Bar to entry level MacBook Pro, because THAT’S what everyone has been clamoring for – more Touch Bar.

🤦‍♂️

Nick Heer:

This simplifies the lineup dramatically. No longer are there three similar yet purportedly different computers within $200 of each other; now, there’s a simple choice of consumer models and professional models, and at respectably lower price points to boot.

Stephen Hackett:

I think for almost everyone, the MacBook Air is the right notebook. It’s thin and light, with plenty of power for most tasks, but if you need a better GPU or more cores, the MacBook Pro is a logical upgrade. I like it when the Mac product line makes sense.

John Gruber:

Other than the increase in size of the “smallest” MacBook, the only knock against today’s revamp is that the starting price (for those other than college students) has jumped from $1000 to $1100.

Update (2019-07-10): See also: Hacker News.

Update (2019-07-11): Dan Seifert:

macbook pro owners: what are you using the touchbar for at this point, three years on from its debut?

Joe Rossignol:

Geekbench 4 scores indicate the base 2019 model with an 8th-generation 1.4GHz quad-core Core i5 processor has up to a 6.8 percent increase in single-core performance, and up to 83.4 percent faster multi-core performance, compared to the base 2017 model with a 7th-generation 2.3GHz dual-core Core i5 processor.

Update (2019-07-15): Benjamin Mayo:

The equivalent 256 GB SSD 2018 MacBook Air could top 2 GB/s read and around 0.9 GB/s write speeds. Therefore, the new SSD component in use has marginally superior write speeds but 35% slower read speeds, falling from 2 GB/s to 1.3 GB/s.

Update (2019-07-19): Dieter Bohn:

Most of all — keyboard aside — the overall design and quality of the hardware is top-notch. There are dozens of Windows laptops in the same price range that beat this Air on any number of metrics. You can get edge-to-edge screens, log in with your face, and find faster and more powerful processors. But very few of them have the same iconic look and feel of the aluminum Air.

[…]

There’s also the fact that Apple was unable to update the processor to something more powerful. It is still using a 1.6GHz dual-core “Y-series” Intel processor, which is not nearly as powerful as the “U-series” processor you find on the MacBook Pro and many Windows laptops.

Via Nick Heer:

Based on Bohn’s review, it seems like this year’s revision gets closer to correcting the balance. Get a decent keyboard in these things again and there ought to be no reason for most people with the money to spend to even consider buying anything else.

Zoom Vulnerabilities

Jonathan Leitschuh (Hacker News, Reddit):

A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.

[…]

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine.

Joseph Cox:

The problem lies in how Zoom allows whoever sets up the call—be that someone creating a conference call for a company, or perhaps a hacker—to decide whether participants’ webcams are enabled at the start of the call or not. Leitschuh says Zoom did fix this, and stopped an attacker from turning on a user’s video camera, but then an issue with the patch was discovered, still allowing a hacker to turn on the camera.

Richard Farley, Zoom:

Second, when Zoom is installed on a Mac device by the user, a limited-functionality web server that can only respond to requests from the local machine is also installed on the device to help launch Zoom meetings. This is a workaround to a change introduced in Safari 12 that requires a user to confirm that they want to start the Zoom client prior to joining every meeting. The local web server enables users to avoid this extra click before joining every meeting. We feel that this is a legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings. We are not alone among video conferencing providers in implementing this solution.

I wonder if, rather than “Safari 12,” he means “Safari in macOS 10.12,” as that was the version that introduced the incredibly annoying confirmation alert every time you click a link to another app. It doesn’t just prompt you the first time for a particular app, or the first time a link from a certain site takes you to that app; it asks you every single time. I have to click through these alerts dozens of times a day, and after years of this you can be sure that I don’t read them.

If this Safari security feature had not been so draconian, I doubt that Zoom and similar apps would have gone to such lengths to work around it. And I have serious doubts that the alert actually helps security much, both because of the limited ways such links could be abused and because I don’t think most users are able to make an informed decision about it.

Frankly, everyone looks bad here. Zoom, obviously, because of questionable design decisions and poor engineering. And Apple, because this is the type of app that should be in the Mac App Store. Whenever someone would send me a Zoom link, I would try to find another way to communicate because I didn’t want to run their installer and figure out how to remove any junk that it added. Were the app in the Mac App Store, I would have easily installed it and trusted that it was confined to its container. Technically, the app should be able to do everything it needs within the sandbox. But for whatever reason—perhaps business—Zoom didn’t find the Mac App Store to be a good way to distribute its app.

The solution is not to further lock down apps outside the store, making both users and developers miserable. Think about what types of lock down would have been required to prevent this and whether it would have actually been effective. (Are you going to ban local Web servers? Try to discourage the user from clicking Allow?) No, the solution is to make the store more attractive so that it makes sense for mainstream apps—from indies to multi-billion dollar companies like Zoom—to be there.

Jim Rea:

This sucks, and I am upset with Zoom, but am I correct in thinking if this happened I could just immediately quit the zoom app? I mean the zoom app isn’t exactly stealthy. Also, maybe I might be more worried about it sharing my screen than the camera, is it doing that?

Tony Arcieri:

The flipside to responsible disclosure: failure to patch a critical vulnerability in 90 days makes a software vendor irresponsible and it’s a good thing for their irresponsibility to become public knowledge sooner than later

Jeff Nadeau:

Oh hey, Zoom is that product that installs the entire app inside its package preflight script if it detects that you’re running as administrator. Naughty indeed.

Maxwell Swadling:

If you don’t like how Zoom bypasses safari security wait till you see how Google Chrome proxies USB / HID clients 🤭

Alexis Gallagher:

What other apps install local web servers that always run, even when the app is not running, even after you’ve uninstalled the app?

For instance, is that you @figmadesign? 😔

agreenbhm:

I also found that, instead of making a regular AJAX request, this page instead loads an image from the Zoom web server that is locally running. The different dimensions of the image dictate the error/status code of the server...One question I asked is, why is this web server returning this data encoded in the dimensions of an image file? The reason is, it’s done to bypass Cross-Origin Resource Sharing (CORS).

Sean Coates:

You know the state of video conferencing apps is bad when “it might turn on your camera without your permission” isn’t bad enough to make you switch to one of the worse alternatives.

Josh Centers:

To check to see if the Web server is running, open Terminal, enter this command, and press Return:

lsof -i :19421

[…]

If you want to get rid of the hidden Web server, though, you’ll have to use Terminal.

Mateusz Stawecki:

Zoom nastiness removal one-liner. Open Terminal, paste and press return:

lsof -i TCP:19421 | awk 'NR > 1 {print $2}' | xargs kill -9; rm -rf ~/.zoomus; touch ~/.zoomus

Dr. Drang:

I don’t pretend to follow all of Leitschuh’s explanation of the vulnerability, but I do understand the commands for the fix. I thought I’d talk about what they do. Also, there’s a cut-and-paste solution getting some traction on Twitter that I want to talk about.

Update (2019-07-11): Jason Snell:

I think this Zoom story is getting a bit overhyped, but the fact is that Apple added a security feature that required an extra click by the user, and @zoom_us responded by... installing a local web server to bypass the feature. Talk about a disproportionate response.

Jason Snell:

My guess is that Zoom’s original sin comes out of its corporate culture, which is focused on competing in a pretty cutthroat industry with demanding clients (IT managers) and not particularly technically literate customers (the individual business users). There’s probably a great fear of losing business to other businesses who can boast about running video meetings with ever less friction to the user.

Glenn Fleishman:

Zoom had a cascading failure of product decisions, security bypasses, and then a terrible hand-waving blog post—which has been updated several times, and they’re finally doing the right thing.

This reminds me of the 2005 Sony rootkit scandal. Zoom had no ill intent here, but they scored own goals by allowing developers to create a system that intentionally bypasses security protections, installs unknown software, and has no consent involved.

John Gruber:

But the fact that Zoom implemented it in a way such that the web server was still there, still running, even when you deleted the Zoom app, is morally criminal, and should be legally criminal. No one who understands how this worked could possibly have thought this was ethical.

Renaud Lienhart:

Yes, @zoom_us is a garbage fire that deserves to go bankrupt. But we need to analyse why they do this: it’s because macOS doesn’t provide the frameworks & infrastructure to implement these features in a simple & secure way.

Ideally, macOS would work more like iOS, where developers could bundle specific extensions within their bundles that the system would register and launch on demand for these purposes. Instead, they have to work around these limitations in an atrocious way.

Rosyna Keller:

The Safari security feature that requires user-confirmation will always stop drive-by [no user interaction] attacks. Attacks that are designed to passively launch exploits.

Rosyna Keller:

In Catalina, apps can use universal links + associated domains to avoid the confirmation dialog.

Rich Trouton:

I’ve taken those [uninstall] commands and used them to build a script to address the vulnerabilities described in CVE-2019-13450.
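The checks above (Josh Centers’ lsof command, Mateusz Stawecki’s one-liner, Rich Trouton’s script) combined into one audit-and-remediate script, written here as an added example; it is not Zoom’s code nor any of those people’s scripts. It assumes the same two artifacts the quoted commands look for: a listener on localhost port 19421 and a ~/.zoomus directory, which the one-liner deletes and replaces with an empty file so the directory cannot quietly be recreated.

```python
"""Audit, and optionally remediate, the leftover Zoom local web server.

Added example (not Zoom's code, not Rich Trouton's script, not the quoted
one-liner). Listener PIDs come from lsof, as in the quoted commands; if lsof
is unavailable the listener is still reported, just not killed.
"""
import shutil
import socket
import subprocess
from pathlib import Path
from typing import Dict, List

ZOOM_PORT = 19421  # port the Zoom helper web server listened on


def listener_on(port: int, host: str = "127.0.0.1", timeout: float = 0.5) -> bool:
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # connection refused, timeout, ...
        return False


def listener_pids(port: int) -> List[int]:
    """PIDs listening on the port, via lsof; empty if lsof is not installed."""
    if shutil.which("lsof") is None:
        return []
    proc = subprocess.run(
        ["lsof", "-nP", "-t", f"-iTCP:{port}", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=False,
    )
    return [int(tok) for tok in proc.stdout.split() if tok.isdigit()]


def audit(home: Path, port: int = ZOOM_PORT) -> Dict[str, bool]:
    """Report the artifacts the quoted commands check for under `home`."""
    zoomus = home / ".zoomus"
    return {
        "listener": listener_on(port),
        "zoomus_dir": zoomus.is_dir(),
        # An empty *file* named .zoomus means the one-liner (or this
        # script) already ran and blocked re-creation of the directory.
        "zoomus_placeholder": zoomus.is_file(),
    }


def remediate(home: Path, port: int = ZOOM_PORT, dry_run: bool = True) -> List[str]:
    """Mirror the one-liner: kill the listener, remove ~/.zoomus, leave a file.

    Returns the actions taken (or, with dry_run=True, the ones that would be).
    """
    actions: List[str] = []
    for pid in listener_pids(port):
        actions.append(f"kill {pid}")
        if not dry_run:
            subprocess.run(["kill", "-9", str(pid)], check=False)
    zoomus = home / ".zoomus"
    if zoomus.is_dir():
        actions.append(f"rm -rf {zoomus}")
        if not dry_run:
            shutil.rmtree(zoomus)
    if zoomus.is_dir() or not zoomus.exists():
        actions.append(f"touch {zoomus}")
        if not dry_run:
            zoomus.touch()
    return actions


if __name__ == "__main__":
    print(audit(Path.home()))
    print("would run:", remediate(Path.home(), dry_run=True))
```

Run it as-is to see what it finds; pass `dry_run=False` only once the listed actions look right for your machine.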

Zoom (Hacker News):

We are stopping the use of a local web server on Mac devices. Once the patch is deployed, Mac users will be prompted in the Zoom user interface (UI) to update their client. Once the update is complete, the local web server will be completely removed on that device.

2. Allow users to manually uninstall Zoom – We’re adding a new option to the Zoom menu bar that will allow users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option will appear that says, “Uninstall Zoom.” By clicking that button, Zoom will be completely removed from the user’s device along with the user’s saved settings.

Zack Whittaker (Hacker News):

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

So the Zoom story seems to be mostly over. However, there remain some open questions:

  1. Why didn’t Zoom use a Safari extension to avoid the extra click? Would it not have done the job? Did they not consider this option? Did they deem it too clunky for customers to install and enable?

  2. Is the browser the appropriate place to put these sort of protections? After all, potentially dangerous links can be received via other means, such as e-mail and iMessage. Would it make more sense for the app receiving the link to offer protection? For example, FaceTime requires you to click a button to answer a call (though Apple lets it bypass asking for camera access). There could be a preference—off by default—to auto-accept connections, or to only auto-accept from certain trusted callers.

  3. What does Apple consider to be the actual problem—opening custom links in response to user action, or only drive-by attacks?

  4. Will Universal Links in macOS 10.15 make a difference? It sounds like the answer is only in some cases.

  5. Why aren’t people talking about BlueJeans, which runs a similar daemon for similar reasons?

  6. Will browsers continue to allow remote pages to access local servers? That seems to be the root problem in this case.

Update (2019-07-12): Jonathan Leitschuh:

That @zoom_us daemon (hidden web server) is now known to have a Remote Code Execution Vulnerability!

Patrick Wardle:

Zoom: Let’s allow remote access to your mic/cam 🛡️ OverSight: Fine, but we’ll detect & alert

Apple: Let’s silently remove Zoom 🛡️ BlockBlock: Fine, but we’ll detect & alert

Update (2019-07-16): Juli Clover:

Apple today pushed a second silent security update to Macs to address further vulnerabilities related to the Zoom video conferencing app for macOS, reports The Verge.

Apple removed software that was installed by RingCentral and Zhumu, two video conferencing apps that relied on technology from Zoom and were also found to have the same vulnerabilities as Zoom earlier this week.

Update (2019-07-17): Rich Trouton:

To verify that you have this installed, here’s a one-line command to check for the latest installed MRT installer package[…]

John Gruber:

This option is enabled by default — even if you choose to install regular system updates manually — which is why the vast majority of Mac users are getting these “silent” updates automatically. But if you disable this option, even these silent updates won’t be installed automatically. I confirmed this with an Apple spokesperson, who emphasized that Apple only issues such updates “extremely judiciously”. Any pending security updates will be installed the next time you manually update software.

[…]

If I could tweak anything, it would be to have these updates show up in the regular list of pending software updates if you have “Install system data files and security updates” turned off.

Bruce Schneier:

This is why we disclose vulnerabilities. Now, finally, Zoom is taking this seriously and fixing it for real.

Update (2019-07-25): See also: The Talk Show.

Timo Perfitt:

The current zoom installer for macOS installs and runs the application from a pre-install script in the installer package. Also, if you use the “pkginfo” option with installer command to get info about the package, it also installs and runs. 😫😫😫😫

Apple Revives Texas Hold’em Game

Michael Potuck:

In a surprise move, Apple has revived its Texas Hold’em game for iOS today. The update to the original game comes in celebration of the 10-year anniversary of the App Store and has been redesigned to include new characters, improved graphics, more challenging gameplay, and much more.

I certainly didn’t expect that to happen.

John Voorhees:

Missed the 10th anniversary by 363 days.

Theories:

  1. The intern didn’t finish the update until this summer
  2. Jony said no, but now that he’s leaving, anything is possible

Marco Arment:

  1. They submitted it last year but it was held up by app-review limbo.
  2. The build was stuck “Processing” for a year.

Update (2019-07-15): John Gruber:

They’ve switched the font to San Francisco (but maybe that’s just because they were always specifying the system font), and it adapts to fit the iPhone X-class displays, but there’s still no iPad version and still no iCloud syncing across devices. For the most part, the game seems unchanged. Oh, and in a sign of the times, the price dropped from $4.99 to free.