Archive for August 2019

Friday, August 30, 2019

Apple’s Inconsistent Ellipsis Icons

Josh Centers:

In this example, the ellipsis button is akin to choosing File > Get Info on the Mac to open the Get Info window, which displays metadata about the selected file. Interestingly, Wallet only recently switched to using the ellipsis button; before that, it relied on a button that looked like the lowercase letter i. Perhaps the i was awkward when localizing the interface into other languages and script systems, but it is an ISO standard symbol.

Let’s say you then switch to the Music app to play some tunes. While playing a song, you see yet another ellipsis button. You might assume that tapping it would display more information about the song, perhaps like what you can see in iTunes when you choose Edit > Song Info. But no, the ellipsis button in the iOS Music app brings up a list of track-specific actions, like adding it to your library, adding it to a playlist, creating an Apple Music station based on it, and so on.

[…]

These interface confusions extend to the Files app in iOS 13 as well. Much like with Wallet, Apple replaced a perfectly understandable Edit link with an ellipsis button. […] No, this time it offers commands for scanning documents, connecting to servers, and the options to edit locations, favorites, and tags.

Reminds me of how the Mac gear icon has been used for so many different purposes.

Apple Will Sell iPhone Parts to Repair Shops

Apple (MacRumors, Hacker News):

Apple today announced a new repair program, offering customers additional options for the most common out-of-warranty iPhone repairs. Apple will provide more independent repair businesses — large or small — with the same genuine parts, tools, training, repair manuals and diagnostics as its Apple Authorized Service Providers (AASPs).

[…]

There is no cost to join Apple’s independent repair program. To qualify for the new program, businesses need to have an Apple-certified technician who can perform the repairs. The process for certification is simple and free of charge.

Interesting that non-iPhone devices are excluded.

Jason Koebler:

Second, it will have the very real effect of making it easier for people to get their iPhones repaired in rural areas and countries without many Apple Stores.

[…]

Apple isn’t going to begin selling parts to the general public, it’s not going to sell to people who repair phones out of their homes, and it’s only making the program available to people who meet specific requirements.

[…]

Apple is also selling a limited number of parts. These include iPhone batteries, cameras, speakers, and displays. This means Apple isn’t going to allow independent repair professionals to do a wide variety of repairs (for example, as of October 2018, it wasn’t selling charging ports for iPhones, a part that is both easy to replace and commonly needs replacement on older iPhones.)

[…]

Buying these new parts from Apple is also still more expensive than buying original but refurbished parts, which are commonly used by independent repair companies.

Jason Snell:

Self-repair advocates iFixit seem enthusiastic about the news, with some caveats. iFixit’s Kyle Wiens applauded the move, while also pointing out that more formal right-to-repair legislation is probably on the way and this is Apple’s attempt to get in front of that.

Tanner Bennett:

Repair → screen or housing replacements and not much else

Apple doesn’t even truly repair their own iOS devices. This doesn’t mean they’re magically going to allow third parties to try advanced repairs

Downsides of Apple Card Being Titanium

Jeff Geerling (via Hacker News):

The card feels amazing to hold. But because it’s finely machined Titanium, those beautiful edges also mean sensitive fingers (e.g. anyone with dry skin or problems such as eczema) can be damaged just by pulling the card out of a slot in a wallet or sleeve. This is not as big an issue with plastic as the sides do not maintain a perfect edge for very long.

[…]

Finally, I use a ‘back of the iPhone’ wallet, which is basically a little pocket that holds my driver’s license, insurance card, and a credit card (for pesky retailers who don’t accept contactless payment yet). With any modern iPhone, the Apple Card acts as a perfect RF block for Qi wireless charging (which operates in the 80+ kHz range). This means, if you are like me, and store your credit card in an iPhone case, say goodbye to the ability to charge wirelessly.

However, one commenter disputes that the edges remain sharp.

Accidentally Quadratic Constant Folding

Neal Gafter:

Fixing the problem was fairly straightforward, using a technique I learned from the Cedar/Mesa compiler in the early ’80s. Rather than representing string constants in the compilers using strings, they are now represented using a data structure called Ropes. Concatenating two ropes requires only a small constant amount of memory.

Any compiler for a language that supports constant folding of string concatenation will run into this problem unless there is a similarly low-space representation of two concatenated strings. This is a technique that should be in the bag of tricks of any compiler writer.

Thursday, August 29, 2019

The Curious Case of the Core Data Crash

Sean Heber:

iOS routinely terminates apps for all sorts of reasons, including using too much memory or taking too long to do background processing. I don’t know why this information isn’t included in Xcode’s Organizer, but it’s a critical piece of a debugging puzzle.

[…]

But one result led to Tech Note 2151, with the code listed at the end under Other Exception Types:

The exception code 0xdead10cc indicates that an application has been terminated by the OS because it held on to a file lock or sqlite database lock during suspension.

[…]

I discovered that Twitterrific was sometimes closed while it was doing a network download and iOS left it running in the background long enough for the network request to finish. But not long enough for the database update to finish.

Sean Heber:

Converting to NSURLSession wasn’t very hard and we did it a long time ago. However something had been bothering me and I could never quite pin it down. Specifically, it really felt like network tasks that started while foregrounded and ended while backgrounded were less reliable.

[…]

I eventually determined that sometimes a request would fail to start and the error code returned by the NSURLSessionDataTask would be something odd like NSURLErrorNetworkConnectionLost or the ever-helpful NSURLErrorUnknown.

[…]

I scoured the NSURLSessions docs looking for a clue and came across something I had missed all the times before - a property called shouldUseExtendedBackgroundIdleMode “In addition to requesting that the connection be kept open … when the app moves to the background.”

Waitaminute! What is this? Does this mean there’s now an assumption that the connection will NOT be kept open when moving into the background?! Holy buckets on a wagon.

It appears that they REALLY want you to use the special background support in NSURLSession. In fact they seem to say to go ahead and use it all the time - don’t try to make it conditional.

[…]

And just like that, the flakiness seemed to be gone. For years I made the assumption that an open NSURLSession connection would be allowed to finish as long as you had a background task active like NSURLConnection did - but NOPE it doesn’t do that by default!

Spotlight Excludes Mail Folder on macOS 10.15

iQser_Developer:

Spotlight search for emails neither works with MDQueryRef nor with mdfind in the Terminal.app even if the user has granted full disc access for the app in the security settings. The application logic of our app works for High Sierra but not for Catalina any more. Is this a bug or a feature? Hopefully it’s not a feature. Other content like documents, calendar events and contacts can be retrieved by MDQueryRef.

If I search with the default Spotlight interface (command-space), I can find emails. But even if I select “Show in Finder” in the result list, the Finder window is empty.

This seems to be due to Mail using Core Spotlight. This newer API makes it possible to index items that don’t have a one-to-one correspondence with files on disk. However, though the Spotlight user interface integrates results from both the old file-based Spotlight and Core Spotlight, it seems that the APIs for apps to do their own global querying only work with the former. Mail has been shifting towards using Core Spotlight for several releases, but until now the actual files in ~/Library/Mail were still searchable. The message files are still there in Catalina, and there’s still a Spotlight importer plug-in that can read them, but you can’t actually search them.

And this extends to system apps that use those APIs:

We realized that even Automator has a problem if one uses Spotlight in a workflow. Alternatively one can use Find Email Messages, but this takes minutes before Automator shows a result.

houdah:

In prior versions of macOS, Spotlight searches allowed programmatic access to mail messages. Mail metadata was readily available and well documented as properties on MDItem. The removal of this OS feature breaks what in essence was public API.

[…]

As a user I am worried to see more and more application data confined to closed “silos”. Previous versions of macOS / OS X have removed Safari bookmarks and history, Apple notes, etc. from indexing and thus from access by third party applications. This reduces the extensibility, scriptability, flexibility and thus usefulness of these core applications and ultimately the platform as a whole.

eskimo:

There’s an obvious conflict between the original Spotlight architecture (every app has access to everything) and the Core Spotlight architecture (every app is siloed), and it’s also obvious that the latter is better aligned with Apple’s ongoing privacy efforts.

houdah:

I don’t think the siloing of Core Spotlight is part of Apple’s privacy effort or that it actually aligns with this. The privacy effort is focussed on user consent. Once consent is given the data should be readily available. This allows for application integration, automation, platform extension and avoids duplicated effort. To me it seems we are actually looking at an incomplete implementation. API to search Core Spotlight is missing. API to access mail messages is missing.

For example: once access to photos is granted, photos can be accessed via the file system, via scripting, via PHPhotoLibrary, and via MLMediaLibrary frameworks. All sorts of things become (resp. remain) possible. All hinges on user consent.

The current siloing and move to Core Spotlight has two problems:

  • Much information is no longer available as siloing proceeds faster than API evolution. E.g. there is no API to access notes or email messages. This limits integration and automation opportunities. In some cases, third-party developers can resort to duplicating effort. E.g. by direct access to IMAP servers.
  • Where public API to silos exist (PHPhotoLibrary, Contacts, …) the API lack the unifying nature of Spotlight / NSMetadataQuery. A public API to Core Spotlight should solve that.

Update (2019-11-27): Pierre Bernard:

Spotlight was the de-facto API for accessing Mail messages. It gave access to messages, their subject, sender and recipient names, as well as a wealth of other well-documented metadata. Spotlight also provided notifications when new mail was downloaded.

This allowed applications and scripts to work with mail without duplicating the effort of connecting to mail servers. Automation tools could set up actions to run upon receiving email messages. E.g. a mail to self to “turn on screen sharing”.

[…]

This may appear to be a cautious approach that favors security and privacy over application interoperability and productivity. In truth, the new situation is likely to undo privacy benefits provided by the “Full Disk Access” protection introduced with macOS Mojave.

Power users and third-party applications are likely to create their own search indexes. These additional copies of the private data contained in mail messages will not benefit from SIP / “Full Disk Access” protection.

[…]

Since there is no way for third-party applications to search Core Spotlight, no third-party can offer a full-featured alternative to the Spotlight window.

What Happened to PencilKit?

Geoff Pado:

The culprit here is lines 9–13; the ones that reference the PrivateFrameworks path. These lines are telling the linker to link against the private version of PencilKit… if the deployment target is less than iOS 13.0. Which Black Highlighter is. So we’re out of luck, right? No way to use PencilKit without dropping support for iOS 12? 😭

Geoff Pado:

Apple is now saying that your app’s deployment target has to be 13.1 to link PencilKit at all? Even if you cordon it off with #available checks? Will there be a public 13.0 at release? Will this mean that developers can’t support that release, either?

Update (2019-08-30): Steve Troughton-Smith:

New Xcode beta explicitly excludes PencilKit classes from the Catalyst SDK, so the app I’ve been working on all summer, which worked great up to the current betas, is no longer compilable or functional. In the last beta they removed input so I could render but not draw

The release notes have said since WWDC that PencilKit apps on macOS are ‘view-only’, but that was untrue up to the latest betas where they ripped out the (till-then, working) functionality and forcibly made it so. I don’t understand this decision at all

I think every app I’ve worked on this summer used PencilKit in some form, even on the desktop. Having that ripped out at the last minute, with no guarantee that drawing/input will be coming back to macOS this year at all, is preeetty frustrating

Missing Family Support

Michael Potuck:

As you’ve probably heard by now, Apple isn’t offering the option of getting an additional Apple Card for a second user. If you’re in a relationship, that means both you and your significant other have to fill out separate applications for Apple Card on iPhone or iPad which if approved, will be tied to your Apple ID.

And then, since there’s no Web interface, I guess you need to borrow their phone every time you want to update the shared family financial records.

Matt Birchler:

Apple Photos would also benefit from a lot of family-oriented updates. It’s ridiculous that I can easily access any app my wife has bought on the App Store but there’s no way for me to get a photo she took without her manually sharing it with me (via album or more often iMessage)

Goodbye, Safari Extensions Gallery

Apple (via Jeff Johnson):

As a reminder, the Safari Extensions Gallery will no longer be available in September 2019. Legacy Safari Extensions (.safariextz files) are not supported in Safari 13 on macOS Catalina, macOS Mojave, or macOS High Sierra. Users on macOS High Sierra or later can easily find extensions on the Mac App Store by choosing Safari Extensions from the Safari menu.

To make sure users can take advantage of your extensions on the latest versions of Safari on macOS High Sierra or later, we recommend that you convert your Legacy Safari Extensions (.safariextz files) built with Safari Extension Builder to the Safari App Extensions format and either submit them to the Mac App Store or notarize them for distribution outside the Mac App Store.

Wednesday, August 28, 2019

Installing Old Versions of macOS

Craig Hockenberry:

TIL: You can no longer download older versions of macOS for testing. The Mac App Store link works, but as soon as you GET, this appears[…]

All of Apple’s support documents make the assumption that you can download[…] That is no longer true.

Meanwhile, we have customers on 10.12 who are having issues with Twitterrific, and we can’t fix the problems without seeing them first.

Aldrin Tauro:

If you have a Mac that shipped on anything before Catalina, you can boot holding CMD-Shift-R and it’ll download the recovery partition for the OS it shipped on. Then you can install that on another drive and use it for downloads.

However, this doesn’t help with getting intermediate releases. You should be downloading and saving copies of those as they become available. If you haven’t already done so, you may be able to use this workaround to download them manually.

Then there’s the question of how to install them. I recently set up an old Mac to use with my ScanSnap, whose software will no longer run on macOS 10.15. When installing from the recovery partition, I got an error that the software couldn’t be verified. And I kept getting errors like that when trying to install two separate versions of macOS from installers I had previously downloaded.

How could all three installers be damaged? The answer is that they weren’t:

Two unusual error messages that can occur during the attempted installation of OS X El Capitan or OS X Yosemite are the “This copy of the Install OS X El Capitan application can’t be verified. It may have been corrupted or tampered with during downloading” error, or a “This copy of the Install OS X Yosemite application can’t be verified. It may have been corrupted or tampered with during downloading” message, or a more vague “An error occurred while preparing the installation. Try running again” error message. Sometimes these can be resolved by simply rebooting and trying to reinstall OS X again (or re-downloading the OS X installer if it was damaged), but if the error messages are persistent, then you may find that modifying the system date of the Mac can be the resolution.

It seems that the installer is signed with a certificate that has expired. When booted from the installer, you can open Terminal and use the date command to set the clock to the past, i.e. to when that version of macOS was current. After installing, be sure to set the clock to the correct date, or various other things won’t work properly.
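
The clock dependence described above can be reproduced without touching an installer. This added example (not from the original post, and not Apple's verification code) assumes the `openssl` CLI is installed and uses a constructed throwaway certificate; `-attime` makes `openssl verify` evaluate the validity window at a chosen time instead of changing the system clock.

```shell
#!/bin/sh
# Added example: a certificate check whose verdict depends only on the
# verifier's idea of "now". The certificate is constructed for this demo and
# merely stands in for an installer's signing certificate.

# make_cert DIR DAYS: create a self-signed certificate valid for DAYS days,
# starting at the moment of creation.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -days "$2" -subj "/CN=constructed-installer-signer" >/dev/null 2>&1
}

# verdict_at DIR EPOCH: validate the certificate as if the clock read EPOCH
# (seconds since 1970-01-01 UTC). Prints "valid" or "rejected".
verdict_at() {
    if openssl verify -CAfile "$1/cert.pem" -attime "$2" "$1/cert.pem" \
        >/dev/null 2>&1
    then
        echo valid
    else
        echo rejected
    fi
}

# demo: identical certificate bytes, two clock readings, two verdicts.
demo() {
    dir=$(mktemp -d) || return 1
    if ! make_cert "$dir" 1; then
        rm -rf "$dir"
        return 1
    fi
    now=$(date +%s)                 # inside the one-day validity window
    later=$((now + 3 * 86400))      # three days on: past notAfter
    inside=$(verdict_at "$dir" "$now")
    after=$(verdict_at "$dir" "$later")
    rm -rf "$dir"
    echo "inside=$inside after=$after"
}

demo
```

Nothing about the file changes between the two checks, which is why the "damaged" message disappears once the clock falls inside the window, and why the clock has to be restored afterwards so that other validity checks see the real time.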

Paul Haddad:

The fact that Apple no longer supports old versions of OS X in the latest Xcode’s is a much harder problem to deal with. Good luck debugging a 10.12 specific problem with Xcode 10.2.

Craig Hockenberry:

Paul speaks the truth. The “easiest” option is to build with current tools into a folder that’s shared with a VM running the older OS.

Along with a healthy portion of NSLog() or print().

Update (2019-08-29): Craig Hockenberry:

Weirdly, some older macOS releases still work. Starting to think this is a bug, rather than a policy.

Mr. Macintosh (tweet):

I am going to try documenting Xcode patch change notes, maybe this will end up being useful to Developers.

Awesome.

See also: Apple Platform SDK API Differences.

Update (2019-08-30): See also: Howard Oakley.

Update (2020-10-15): I just reinstalled Mojave from an installer disk built with DropDMG. I had to turn off Wi-Fi to prevent the clock from correcting itself, then set the date backward using date -u 1015171718 so that the installer would ignore the expired certificate that caused it to report that the installer was damaged.

Update (2021-04-14): See also: How to get old versions of macOS.

iOS 13.1 Developer Beta 1 Is Already Out

John Gruber:

Basically, I think we need to get used to WWDC announcements being a roadmap for the next year of OS releases, not a list of what’s going to ship in the initial dot-zero release in the fall.

Yep. And Apple should, too. It’s much better to ship a solid base (which, alas, 13.0 doesn’t seem to be) and add features later when they’re ready.

Identifiable in Swift 5.1

Mattt Thompson:

The Swift Evolution proposal for Identifiable, SE-0261, was kept small and focused in order to be incorporated quickly. So, if you were to ask, “What do you actually get by conforming to Identifiable?”, the answer right now is “Not much.” As mentioned in the future directions, conformance to Identifiable has the potential to unlock simpler and/or more optimized versions of other functionality, such as the new ordered collection diffing APIs.

[…]

Normalization is the key to successfully using strings as identifiers. The easiest place to do this is in the initializer, but, again, if you find yourself repeating this code over and over, property wrappers can help you here, too. […] Unfortunately, the Foundation framework doesn’t provide a single, suitable API for URL canonicalization, but URL and URLComponents provide enough on their own to let you roll your own[…]

[…]

As we’ve said time and again, often it’s the smallest additions to the language and standard library that have the biggest impact on how we write code. (This speaks to the thoughtful, protocol-oriented design of Swift’s standard library.)

Because what Identifiable does is kind of amazing: it extends reference semantics to value types.

Preference Panes and Catalina

Paul Kim:

System Preferences has had a major change: preference panes now load in a separate process. Apple ones get their own while all the third party ones get stuck in a process called “legacyLoader (System Preferences)”.

[…]

The other problem is that magenta. What is that? Apparently, it’s a security feature. Any windows besides the main preference window will have their transparent areas colored magenta. I’ve been trying to pin down the rules as to when this occurs but it’s been slow going and also the screenshot above contradicts what I’ve been told. Note that my software is notarized so it’s not like this is only applying to unknown software.

[…]

To top this all off: none of this has been announced or documented. I’ve only found out about this through backchannels and then later, via a “conversation” via Feedback Assistant (FB6758586).

The lack of documentation makes it take longer to find out about and adapt to these types of changes. It also adds a layer of uncertainty: it’s not clear how things are intended to work, so weird behavior that you see could be by design or something that’s in the process of being fixed or an unknown bug.

Update (2019-08-30): Paul Kim:

Paraphrased response from Apple regarding my pref pane dark mode bug which you can replicate with a newly created project in Xcode with no added code: “Here are some things to check in your code, oh, and could you provide a sample project?”

What deeply worries me is that they apparently aren’t QA-ing with third party panes since an empty pane is the most basic thing you can have.

Per-Build Release Notes

Mr. Macintosh:

Most Mac websites only report that Apple released a new Beta, but don’t mention any of the actual changes. This article is meant to save you time going through the notes to find what is new and what is still leftover from the last beta. I went through both Beta 6 and the new 10.15 Beta 7 (19A546d) release notes to find all the changes. Like usual, I also have included the entire patch notes list as an archive.

This is great. Is anyone doing this for Xcode builds? (And, obviously, why can’t Apple write normal release notes that are organized per-build?)

Tuesday, August 27, 2019

Git Tower 3.5

fournova:

GPG is a collection of tools that allow signing and encrypting of data using asymmetric cryptography (with public / private keys). Git uses GPG to sign and verify commits and tags. With such a signature, you can easily verify that a commit (or tag) was really made by a specific user.

[…]

Tower indicates directly in its History views if a commit was signed or not. On top of that, you can also see the signature status (green / orange / red) and access additional information through a popover window.

[…]

Apart from commits, you can also verify the signatures for tags in Tower. Either right-click on the tag in the sidebar or directly click it in one of the commit views.

[…]

You can configure if you want Tower to automatically sign new commits - either just in a certain repository or globally.

It’s great that Git supports signing, but I simply don’t hear much about it.
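
Git exposes the same signature states on the command line through the `%G?` format placeholder. This added example (not Tower's or Git's own code) maps those codes onto a pass/warn/fail policy, which is an assumption of this example rather than Tower's documented colour mapping, and runs it over constructed sample log lines.

```shell
#!/bin/sh
# Added example: audit commit signatures from the output of
#   git log --format='%H %G? %an' <range>
# %G? codes (from git's pretty-format documentation):
#   G good            U good, unknown validity   X good, signature expired
#   Y good, key expired   R good, key revoked    B bad
#   E cannot be checked (e.g. missing key)       N no signature

# classify_status CODE: hypothetical policy, adjust to your own requirements.
classify_status() {
    case "$1" in
        G)       echo pass ;;
        U|X|Y|E) echo warn ;;   # signature present but trust is incomplete
        B|R|N)   echo fail ;;   # bad, revoked key, or unsigned
        *)       echo fail ;;   # unknown code: fail closed
    esac
}

# audit_signatures: read "<hash> <code> <author>" lines on stdin, print one
# verdict line per commit, and return 1 if any commit fails the policy.
audit_signatures() {
    rc=0
    while read -r hash code author; do
        [ -n "$hash" ] || continue
        verdict=$(classify_status "$code")
        printf '%s %s %s (%s)\n' "$verdict" "$hash" "$code" "$author"
        if [ "$verdict" = fail ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input; hashes and names are placeholders.
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111 G Alice Example
2222222222222222222222222222222222222222 N Bob Example
3333333333333333333333333333333333333333 U Carol Example
4444444444444444444444444444444444444444 B Mallory Example
EOF
}

sample_log | audit_signatures || echo "policy violation: unsigned or badly signed commits"

# Against a real repository:
#   git log --format='%H %G? %an' origin/main..HEAD | audit_signatures
# Automatic signing, per repository or with --global:
#   git config commit.gpgsign true
```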

DevMate End of Life

DevMate:

However, with recent changes in the way that software businesses manage their applications, it has become clear that reproducing DevMate capabilities in Paddle would not best support their needs for the future. As a result we have taken the decision to close the DevMate platform.

On December 16th 2019, the DevMate platform and software suite will be retired. After this date, there will be no new product features and no ability to generate new licenses. Existing licenses will continue to work; you will be able to manage existing licenses securely through a new tool, and we will continue to provide essential technical support.

I recommend doing your own license generation.

Update (2019-09-09): Christian Tietze:

Nowadays I discover more and more people struggling to migrate away, and my blog pops up in their searches – apparently because I wrote a book on selling apps on FastSpring.

This post is meant to help you figure some things out, but I don’t yet have a compelling alternative to offer. As far as I know, there is no fully compatible drop-in replacement.

Friday, August 23, 2019

Amazon Has Ceded Control of Its Site

The Wall Street Journal (via Christopher Mims):

In practice, Amazon has increasingly evolved like a flea market. It exercises limited oversight over items listed by millions of third-party sellers, many of them anonymous, many in China, some offering scant information.

A Wall Street Journal investigation found 4,152 items for sale on Amazon.com Inc.’s site that have been declared unsafe by federal agencies, are deceptively labeled or are banned by federal regulators—items that big-box retailers’ policies would bar from their shelves. Among those items, at least 2,000 listings for toys and medications lacked warnings about health risks to children.

[…]

Amazon’s struggle to police its site adds to the mounting evidence that America’s tech giants have lost control of their massive platforms—or decline to control them. This is emerging as among the companies’ biggest challenges.

See also: Passive Guy.

Update (2019-08-30): Josh Dzieza:

Under the surface, Amazon is a scene of constant warfare. A growing share of goods on the platform are sold by third parties, who compete viciously for limited real estate. Some hop onto fast-selling listings with counterfeit goods, or frame their competitors with fake reviews. One common tactic is to find a once popular, but now abandoned product and hijack its listing, using the page’s old reviews to make whatever you’re selling appear trustworthy.

Amazon’s marketplace is so chaotic that not even Amazon itself is safe from getting hijacked.

[…]

Take this listing, formerly for an AmazonBasics HDMI cable. Amazon removed it and other listings after being contacted by The Verge, but before it was taken down, it was being used to sell two completely different alarm clocks: a “Warmhoming 2019 Updated Wooden Digital Alarm Clock with 7 Levels Adjustable Brightness, Display Time Date Week Temperature for Bedroom Office Home,” and a white wake-up light clock, which was out of stock. Strangely, that clock was listed as a second variety, color “Blackadaafgew,” yet the listing’s copy referred to binoculars that “can help you see a clear face from more than 650 feet away.” Many of the Amazon listings appear to undergo multiple hijackings.

Update (2019-09-13): Ashley Bischoff:

I just bought a product that was listed as “Amazon’s Choice” and “Fulfilled by Amazon”—and it still ended up being counterfeit. Ughh. (The top review details how one can spot counterfeits.)

Update (2019-10-13): See also: Accidental Tech Podcast.

Some Obscure C Features

bymultun (via Hacker News):

The current most used version of the language, c99, brought a bunch of new features, many of which are completely unknown to most C programmers (Older specifications obviously also have some dark corners).

Here are the ones I know about[…]

iMessage, NSKeyedArchiver, and _NSDataFileBackedFuture

Natalie Silvanovich:

CVE-2019-8646 is a somewhat unusual vulnerability I reported in iMessage. It has a number of consequences, including information leakage and the ability to remotely read files on a device. This blog post discusses the ways that an attacker could use this bug. It is a good example of how the large number of classes available for NSKeyedArchiver deserialization can make a bug more versatile. It’s also a good example of how minor functional bugs can make a vulnerability more useful.

Please note that this blog post assumes some familiarity with NSKeyedArchiver deserialization. If you haven’t read our general post on iMessage, I’d recommend reading that first.

[…]

There are two immediate problems with being able to deserialize this class in an untrusted context. One is that it has the potential to allow a process to access a file that it is not authorized to access, because the process doing the deserialization is the one that loads the file. When I reported this bug, I thought that this was more likely to be a concern for deserialization that occurs locally via IPC as opposed to deserialization that occurs on a remote target like iMessage. The second is that this class violates one of the guarantees that the NSData class makes, that the length property will always return the length of the bytes property. This is because the length of the buffer returned by [_NSDataFileBackedFuture bytes] is the length of the loaded file, and has no relationship to the deserialized length returned by [_NSDataFileBackedFuture length].

[…]

Putting this all together allowed for a file to be read remotely from an iPhone.

Update (2019-09-13): Samuel Groß:

After looking at iOS 12.4.1 I’m happy to say that Apple has hardened iMessage by no longer allowing child classes during its NSUnarchiving. This prevents almost all of the vulnerabilities @natashenka and I found from being remotely exploited :)

GitUp 1.1

GitUp 1.1 adds support for Dark Mode, Catalina, drag-and-dropping files out of the app, and DiffMerge tool support.

The Problems With HomePod

Kirk McElhearn:

Apple released the HomePod in February, 2018, and the device has never seemed to catch on. There have been strong rumors recently about a HomePod 2 coming next year. But there are lots of problems with the HomePod, which Apple needs to address.

[…]

In any case, the market decides for products like this. The HomePod just seems like it wasn’t thought out for real-world usage. It has powerful technology, which is wasted, and its price is way above what people want to pay.

This is probably the most comprehensive take I’ve seen.

Update (2019-08-29): Kirk McElhearn:

I’m correcting a statement that Daniel Eran Dilger on AppleInsider posted in a rebuttal to my recent article about the HomePod. While I’m happy to disagree on some points, he makes the statement below about the HomePod not being a mono speaker, which is simply incorrect.

[…]

Listen to that song on a single HomePod and you’ll quickly understand that it’s not stereo. The two channels are in a single stream, and you don’t hear the voice on one side and the guitar and drums on the other.

Nick Heer:

But I wonder if some of this advanced speaker technology is being prototyped for a wider rollout in the company’s more mainstream products. Perhaps this is a test bed for getting impossibly good sound out of the speakers in a MacBook or an iMac, for example.

Thursday, August 22, 2019

Microsoft Edge for Mac Beta

Juli Clover (Hacker News):

Previously, the Microsoft Edge browser was available as a preview build, but Microsoft has now graduated to an official beta. Microsoft’s beta channel represents more stable software than the preview channel.

[…]

The beta version of the Edge browser features new personalization options, such as tab page customization, dark theme support, and extensions from the Microsoft Insider Addons store or other Chromium-based web stores like the Chrome Web Store.

Tracking prevention has been added to protect users from being tracked by websites, built-in Microsoft Search for Bing, and Internet Explorer mode with Internet Explorer 11 compatibility.

Paul Thurrott (via Hacker News):

Thanks to the open-source nature of Chromium, Microsoft has had its first major and positive impact on Chrome, Google’s web browser. Thanks to a feature request from Microsoft, Google will issue a change to Chromium, the open-source project by which Google makes Chrome, that significantly improves battery life.

“Today, media content is cached to disk during acquisition and playback,” Microsoft’s Shawn Pickett explains in his change suggestion for Chromium. “Keeping the disk active during this process increases power consumption in general, and [it] can also prevent certain lower-power modes from being engaged in the operating system. Since media consumption is a high-usage scenario, this extra power usage has a negative impact on battery life. This change will prevent the caching of certain media content to disk for the purpose of improving device battery life for users.”

e_rationalist:

[Microsoft’s] most major chromium impact is to move input handling off the main thread which has been empirically a massive success on Edge.

Previously:

Storing Your Apple Card Wrong

Apple (via MacRumors, The Verge):

If your titanium Apple Card comes into contact with hard surfaces or materials, it’s possible that the coating can be damaged.

[…]

Some fabrics, like leather and denim, might cause permanent discoloration that will not wash off.

[…]

Place your card in a slot in your wallet or billfold without touching another credit card. If two credit cards are placed in the same slot your card could become scratched.

Marco Arment:

I always store my credit card in a leather wallet, in a slot with two other cards, in my denim jeans pocket — and I don’t think this is a rare setup.

John Gruber (tweet):

If Apple Card gets genuinely sloppy-looking after carrying it like you would any other card — if it’s atypically prone to staining or scratching — that’s a problem. But I suspect these are instructions for obsessives who want to keep their cards in mint condition.

Joe Cieplinski:

All kidding aside, Apple is clearly trying to get out in front of the eventual story. And the strategy will likely be pretty effective.

I hope that’s it.

Dr. Drang (tweet):

My complaint is not that the Apple Card may lose its luster in a wallet. I’m not sure anything will maintain its looks when put between sheets of leather and compressed by my butt. My complaint is that Apple wrote a support document that looks absurd and invites snarky comments. Everything Apple does generates derision from Apple haters; this generated derision from Apple’s best customers.

The support document is, in fact, putting function over form. Apple wants to tell its customers that the card won’t look brand new forever and advise them on the best way to store it. That’s the function of the document. But through bad writing—how many people read this before it was published?—it looks like Apple made a fragile card and is advising you to store it in a way that will destroy it.

Peter N Lewis:

Only Apple could make a titanium card that can get scratched by plastic cards…

Jessie Char:

Apple design’s OCD is showing. Not everyone is going to obsess over physical credit card maintenance and by the sound of it the cards will look bad with average treatment.

Apple’s biggest strength can be its biggest weakness. Everyone’s so focused on flawless execution that they forget consumers aren’t also going to treat the products with white gloves. To them it’s a sculpture, to us it’s a thing we want to use and not worry about.

Vítor Galvão:

Apple is supposed to be the design company. This card is bad design (it gets worn out by contact with common material).

Daren Ulmer:

What would any of their products be if you didn’t need some kind of dongle to use them in a normal manner?

Storm Garelli:

“Apple Card Socks!”

Jessica Glenn:

2011 iPhone4: avoid contact with hands

2016 MacBook Keyboard: avoid contact with fingers

2019 Apple Card: avoid contact with wallet or jeans

2022 Apple Car: avoid contact with road

Felix Salmon (via John Gordon):

The Apple Card is a “World Elite” Mastercard, which carries the highest possible interchange fee in all circumstances. That fee, which can range as high as 3.25% plus 10 cents, is taken off the top of any payment before the merchant receives anything. The fee is the same whether you use the physical Apple Card or the virtual one on your phone.

The Apple Card is the first card without an annual fee to get World Elite status, payments consultant Richard Crone tells Axios. And it’s almost certainly the first to get issued to subprime borrowers.

Update (2019-08-22): Zed Murray:

Worst on the mag strip and edges. But everywhere on the card that looks “dirty” cannot be rubbed off, it’s from the white that has already come off

Definitely looks worse than a regular card.

Update (2019-08-23): Dominic Rushe:

The news triggered plenty of jokes online, with people offering suggestions for Apple, such as making a knitted cosy for the card or hanging the card in a “floating glass frame in a dimly lit, year round 70 degree, humidity controlled location. No flash photography please.”

Bruce Tognazzini:

The Apple mania for visual design at the expense of usability has reached a new apex: The new Apple credit card must not be kept in anything made of leather or denim, nor left adjacent to other cards. In other words, leave it at home.

See also: Hacker News.

Update (2019-08-29): Matt Birchler:

I can only speak for my social/workplace circles, but Apple’s “Apple Card shouldn’t really touch leather or denim” message has added tons of wood to the “Apple doesn’t design things for human beings” fire.

Joshua Emmons:

Enough with the weird obsessing over a care doc for the Apple Card. They have these for every one of their products. The story isn’t that they don’t want you to put it in your wallet, it’s that they’re treating it as a full-fledged product.

I mean, the cleaning guide for the iPhone case literally says it’s best not to clean it. And then suggests to also keep it away from water, oil, denim, and sunlight. It’s just the way these are written.

However, Apple Card actually does seem to be a lot more sensitive.

Update (2019-09-03): See also: Accidental Tech Podcast and The Talk Show.

Update (2019-09-09): I received my Apple Card, and it started out with some of the coating scraped off the magnetic strip. This is the first time in 20+ years of using credit cards that a new one did not arrive in perfect condition. So I’m inclined to believe that it’s more fragile than a regular plastic card.

On the plus side, the edges of the card are less sharp than I expected based on what I’d read.

Why Spiderweb’s Games “Look Like Crap”

Jeff Vogel (via Dare Obasanjo, Hacker News):

The key problem here is that, when most people say, “Your art looks bad,” what they mean is, “I want art that is good.” They mean, “I want AAA-quality art.” And I can’t make that. Not even close.

I have had games where I worked very hard to improve the graphics, spending a lot of time and money, and they really did look better! But when I released those games, the vast majority of people who had said, “Your games look bad.” STILL said, “Your games look bad.”

[…]

When you spend more money, you need to increase sales to match those expenses. Make sure you have a good chance of doing this, and make sure you can stomach the risk.

[…]

That is why all of my games have a more generic fantasy style. I have to work with a lot of different artists. It’s the nature of the business. Thus I have to write games in a way that the artists can be replaced. The generic style this requires is not ideal, but it is necessary.

Update (2019-08-29): Jeff Vogel (tweet, Hacker News):

Basically, my blog post said, “Some people like my art, but I am still super-bad at art. Always have been. Fixing the problem costs time and cash, and I don’t have any of either to spare. So that’s why our games look bad.”

I got a lot of questions about this. Good questions. Why can’t I afford art direction? How much does art cost? Why don’t I do this or that smart thing? So that’s why I’m writing this. I want to answer the good questions.

Why Generics in Go?

Ian Lance Taylor (via Hacker News):

If we can write generic types, we can define new data structures, like these, that have the same type-checking advantages as [the built-in] slices and maps: the compiler can statically type-check the types of the values that they hold, and the values can be stored as themselves, not as interface types.

It should also be possible to take algorithms like the ones mentioned earlier and apply them to generic data structures.

[…]

Most importantly, Go today is a simple language. Go programs are usually clear and easy to understand. A major part of our long process of exploring this space has been trying to understand how to add generics while preserving that clarity and simplicity. We need to find mechanisms that fit well into the existing language, without turning it into something quite different.

[…]

We are working on actual implementations to allow us to experiment with this design. It’s important to be able to try out the design in practice, to make sure that we can write the kinds of programs we want to write.

Lightning to USB 3 Camera Adapter

Josh Centers:

The downside of this workaround is the amount of gear involved: a USB cable from Apple’s adapter to the hub and the hub’s beefy charging brick. I’d prefer not to travel with such a collection. Plus, the Lightning to USB Camera Adapter supports only USB 2.0 speeds, which aren’t ideal for transferring data quickly.

So I (figuratively) kicked myself when I learned that Apple sells another Lightning to USB adapter that works better for this scenario: the Lightning to USB 3 Camera Adapter. It costs only $10 more and supports USB 3.0 speeds, at least on iPad Pro models. More importantly, it features both a USB-A port and a Lightning passthrough port. The Lightning passthrough port is helpful because you can connect a normal Lightning cable to it, and plug that Lightning cable into one of Apple’s tiny USB wall chargers. Then it can both charge your device and power accessories like thumb drives.

Seems like they should stop selling the old adapter so people don’t buy the wrong one.

Wojtek Pietrusiewicz:

Below are some immediate gripes and comments I have regarding external keyboard implementation in the current beta of iPadOS 13[…]

Previously:

Wednesday, August 21, 2019

Simple Opt Out

Simple Opt Out (via Troy Davis):

Simple Opt Out is drawing attention to opt-out data sharing and marketing practices that many people aren’t aware of (and most people don’t want), then making it easier to opt out. For example:

  • Target “may share your personal information with other companies which are not part of Target.”
  • Chase may share your “account balances and transaction history … For nonaffiliates to market to you.”
  • Crate & Barrel may share “your customer information [name, postal address and email address, and transactions you conduct on our Website or offline] with other select companies.”

Persistent History Tracking in Core Data

Steffen Ryll:

At WWDC ’17, Apple introduced a number of new Core Data features, one of which is Persistent History Tracking or NSPersistentHistory. But as of the time of writing, its API is still undocumented. Thus, the only real reference is the What’s New in Core Data WWDC session.

Since Persistent History Tracking makes sharing an NSPersistentStore across multiple processes and is one of my favorite new Core Data features, it is unfortunate that it mostly seems to fall off the radar.

The purpose of this post is to give a real-world example on how to use it and what makes it so great.

That was written a year and a half ago, and NSPersistentHistory remains a really cool feature that’s under-discussed and under-documented. Some resources I’ve found are:

Here are some things I figured out by exploring:

Update (2019-08-22): Deeje Cooley:

I incorporated Persistent History Tracking into CloudCore, an open-source CoreData-CloudKit sync engine, specifically to support offline sync. Check it out!

Update (2020-09-14): See also: Antoine van der Lee.

Catalina’s Path Changes

Howard Oakley:

If you write scripts of any kind for macOS – shell scripts, AppleScripts, or anything similar – now is the time to join the Catalina beta programme (if you’re not already signed up) if you want those scripts to work with macOS 10.15 when it’s released in a month or so. There are plenty of changes to security and privacy which you’ll need to check out, but my concern in this article is the effect of Catalina’s read-only system volume on paths – a topic which doesn’t seem to have been discussed much, but which may well break many scripts and apps.

[…]

Reality is always more complex than a slide in a WWDC presentation, and there are a great many more folders/directories which are affected by this new division.

[…]

Unfortunately, the illusion created by the Finder is unhelpful for identifying paths to be used in Terminal, scripts or apps: important new paths like /System/Volumes/Data/ aren’t shown there even when you enable the display of hidden items. Indeed, browsing the new folder hierarchy in the Finder looks very clean and simple, but will only cause endless confusion.

Previously:

Nullable References in C# 8.0

Erik Sink:

Bottom line, C# 8.0 uses the same syntax for nullability of reference types that we have been using for value types:

string  x; // not nullable
string? y; //     nullable

And yes, that means that the meaning of a type declaration like string (without the ?) has changed.

Whoa, isn’t that a massive break in compatibility? Actually no. In fact, although this feature looks like a huge breaking change, the entire thing was carefully designed to preserve backward compatibility.

First of all, this whole feature is turned off by default, and has to be explicitly turned on. Second, all it really does is generate warnings.

This seems not that different from nullability in Objective-C, only with cleaner syntax.

Tuesday, August 20, 2019

Feedbin Pages (Read Later)

Ben Ubois:

Feedbin now has a read later feature. This enables you to send articles and webpages from anywhere and have them appear alongside your feeds, email newsletters and Twitter subscriptions. It’s called Pages.

[…]

Pages works like a regular feed, so anything that gets sent to it will sync to any client you use with Feedbin.

It works via an action extension or a bookmarklet.

Previously:

Home Sharing Improvements in macOS Catalina

Kirk McElhearn:

But this centralized media sharing [in System Preferences] has a great advantage: you don’t need to launch any of the apps to be able to share their content. As long as the computer hosting the media is running, you can load its content on another computer, an Apple TV, or on iOS (in the Music or TV apps). And if you have Wake for Network Access checked in the Energy Saver preferences, your library is accessible even if the host Mac is asleep. (On a laptop, this only works if it’s connected to power.)

The Fate of the iTunes Store in macOS Catalina

Kirk McElhearn:

In early betas of macOS Catalina, the iTunes Store was visible, but in recent betas it did not show up in the sidebar of the Music app if the user was signed into Apple Music. That seems to be the default now: if a user has an Apple Music account, they won’t see the iTunes Store. You can display it, if you wish, in the Music app’s Preferences, on the General pane, but if you’re a streamer, you won’t see it by default.

You’ll note that in the screenshots on Apple’s macOS Catalina preview pages, the iTunes Store is not visible.

[…]

If the iTunes store is active, your search shows results in three tabs: library, Apple Music, and iTunes store.

Nick Heer:

What this means for the future of the iTunes Store seems obvious, but it is not a future I’m willing or eager to accept.

Previously:

Git 2.23

Taylor Blau:

It turns out git checkout can do quite a lot. You can use it to change branches with git checkout <branch> or if you supply --branch, create a new branch (as in git checkout --branch <new-branch>). If you don’t want to switch branches, don’t worry, because git checkout can change individual files, too. If you write git checkout -- <filename>, you will reset <filename> in your working copy to be equivalent with what’s in your index. If you don’t want to take changes from the index, you can specify an alternative source with git checkout [treeish] -- <filename>.

The new commands, by contrast, aim to clearly separate the responsibilities of git checkout into two narrower categories: operations which change branches and operations which change files. To that end, git switch takes care of the former, and git restore the latter.

See also: Junio C Hamano.

Monday, August 19, 2019

Catalina, App Notarization, and Sparkle

Craig Hockenberry:

If your macOS app is in a sandbox, you’ll be using the version that relies on XPC services to perform the update. Like everything else in your application package, these will need to be signed correctly before you can submit your app for notarization.

The “Sign Frameworks” build phase should look like this[…]

[…]

You’ll also add a new Run Script build phase just before the XPC Services are embedded in your application package.

Previously:

OWC Thunderbolt 3 Dock

John Voorhees:

I had been thinking about ways to improve my summertime beta setup when Other World Computing offered to send me its OWC Thunderbolt 3 Dock to test. I took them up on the offer, and having used it for a while now, I love the convenience of being able to connect everything to my MacBook Pro with a single Thunderbolt 3 cable. It’s not an inexpensive solution, but compared to the cost of purchasing multiple over-priced dongles, it’s not as extravagant as it might seem at first.

[…]

One especially nice touch that I appreciate is a free menu bar utility OWC offers called OWC Dock Ejector. If you have multiple drives attached to a dock, the process of ejecting each one before disconnecting the dock defeats some of the convenience of having a single Thunderbolt cable connected to your Mac. With OWC Dock Ejector, a single click safely ejects every external drive attached to my dock, so I can yank out the Thunderbolt cable and be on my way.

Another $300+ dock. This one gives you a passthrough Thunderbolt port, a Mini DisplayPort, and a single USB-C port. How about just putting more ports on the computer?

Previously:

Update (2019-08-20): See also: Jon Alper and my reply.

Update (2019-08-23): Howard Oakley:

The same happened with good old USB-A: even when your Mac has four, you quickly accumulate more USB-C devices than you’ve got ports. Yet no one seems to be offering a ‘port expander’ to turn a single USB-C port into several. In particular, I’m now accumulating several external SSDs in compact cases. One obvious step forward would be to mount two or more in a single housing, which is the aim of this article.

Code Generation via “curl --libcurl”

Guillaume Valadon:

The curl --libcurl option generates a C file that mimics the used command line! #awesome

I’m a fan of this pattern. Some other examples:

Update (2019-08-20): Michael Tofias:

I don’t use it often these days, but one of things that made me fall in love with Stata was being able to copy the code generated by using the GUI. Super helpful when building graphs and such with non-intuitive APIs.

WebKit Tracking Prevention Policy

WebKit (via Jon Davis, Hacker News):

This document describes the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers. These practices are harmful to users because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them.

[…]

WebKit will do its best to prevent all covert tracking, and all cross-site tracking (even when it’s not covert). These goals apply to all types of tracking listed above, as well as tracking techniques currently unknown to us.

[…]

We do not grant exceptions to our tracking prevention technologies to specific parties. Some parties might have valid uses for techniques that are also used for tracking. But WebKit often has no technical means to distinguish valid uses from tracking, and doesn’t know what the parties involved will do with the collected data, either now or in the future.

It’s good to have this all summarized in one place.

There are practices on the web that we do not intend to disrupt, but which may be inadvertently affected because they rely on techniques that can also be used for tracking. […] When faced with a tradeoff, we will typically prioritize user benefits over preserving current website practices. […] However, we will try to limit unintended impact. We may alter tracking prevention methods to permit certain use cases, particularly when greater strictness would harm the user experience.

I can’t tell from this whether they intend to prioritize the “user benefit” of not being tracked above the benefit of being able to use the site. It sounds like the policy is to decide case-by-case.

Previously:

Bluetooth KNOB Attack

Key Negotiation of Bluetooth Attack (via Luis Grangeia, Hacker News):

The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.

[…]

The KNOB attack is possible due to flaws in the Bluetooth specification. As such, any standard-compliant Bluetooth device can be expected to be vulnerable. We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack.

After we disclosed our attack to industry in late 2018, some vendors might have implemented workarounds for the vulnerability on their devices. So the short answer is: if your device was not updated after late 2018, it is likely vulnerable. Devices updated afterwards might be fixed.

hannob:

What is even more bananas than the mere existence of this attack is the statement of the bluetooth standardization group.

Here’s their plan to fix this:

To remedy the vulnerability, the Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections

7 octets, aka… 56 bit. So it looks like this vulnerability is here to stay. They just raise the bar from “trivially breakable” to “you need a bit of cloud computing effort to break a connection”.

Bluetooth SIG:

For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were establishing a BR/EDR connection. If one of the devices did not have the vulnerability, then the attack would not be successful. The attacking device would need to intercept, manipulate, and retransmit key length negotiation messages between the two devices while also blocking transmissions from both, all within a narrow time window.

So it sounds like the good news is that this could potentially be fixed at the OS level, i.e. updating half of each pair. You wouldn’t have to replace all your Bluetooth devices.
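The effect of a minimum key length on one or both sides of a pairing, as an added example that is not from the KNOB authors, the Bluetooth SIG, or this post. It is a simplified model, not a Bluetooth stack: Device, negotiate() and the in_transit hook are hypothetical names, and the 16-octet upper bound comes from the BR/EDR specification rather than from this page.

```python
"""Toy model of BR/EDR encryption key length negotiation (added example).

Not a Bluetooth stack. Device, negotiate() and the in_transit hook are
hypothetical names; only the key-length arithmetic from the quotes is modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SPEC_MIN_OCTETS = 1     # the KNOB authors: keys with 1 byte of entropy are allowed
SPEC_MAX_OCTETS = 16    # upper bound in the BR/EDR spec (not stated on this page)
PATCHED_MIN_OCTETS = 7  # minimum the Bluetooth SIG now recommends


@dataclass
class Device:
    name: str
    min_octets: int = SPEC_MIN_OCTETS  # shortest key this host will accept
    max_octets: int = SPEC_MAX_OCTETS  # longest key this controller supports

    def accepts(self, octets: int) -> bool:
        return self.min_octets <= octets <= self.max_octets


def negotiate(initiator: Device, responder: Device,
              in_transit: Callable[[int], int] = lambda n: n) -> Optional[int]:
    """Return the agreed key length in octets, or None if either side refuses.

    in_transit stands for the unauthenticated radio link: the negotiation has
    no integrity protection, so the proposed length can change before arrival.
    """
    proposed = in_transit(initiator.max_octets)
    # The responder may counter with a shorter length if the proposal is too long.
    agreed = min(proposed, responder.max_octets)
    if not responder.accepts(agreed):
        return None
    # The initiator applies its own policy to the value that comes back.
    if not initiator.accepts(agreed):
        return None
    return agreed


def keyspace(octets: int) -> int:
    """Number of candidate keys for a key with this many octets of entropy."""
    return 2 ** (8 * octets)


def survey() -> Dict[str, Optional[int]]:
    """Run the four old/new pairings through a link that downgrades the proposal."""
    def downgrade(_proposed: int) -> int:
        return SPEC_MIN_OCTETS  # constructed: proposal rewritten to 1 octet

    def old(name: str) -> Device:
        return Device(name)

    def new(name: str) -> Device:
        return Device(name, min_octets=PATCHED_MIN_OCTETS)

    pairs = {
        "old phone / old headset": (old("phone"), old("headset")),
        "new phone / old headset": (new("phone"), old("headset")),
        "old phone / new headset": (old("phone"), new("headset")),
        "new phone / new headset": (new("phone"), new("headset")),
    }
    return {label: negotiate(a, b, downgrade) for label, (a, b) in pairs.items()}


if __name__ == "__main__":
    for label, octets in survey().items():
        if octets is None:
            outcome = "refused"
        else:
            outcome = f"{octets} octet(s), {keyspace(octets)} candidate keys"
        print(f"{label}: {outcome}")
    print(f"7-octet floor: 2^{8 * PATCHED_MIN_OCTETS} candidate keys")
```

A refusal here means the connection fails rather than silently proceeding with a 1-octet key, which is why enforcing the floor on one side of each pair is enough; the 7-octet floor itself still leaves only 56 bits, as hannob notes.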

Update (2019-08-29): Josh Centers:

Apple has already mitigated this vulnerability in macOS 10.14.6 Mojave, Security Update 2019-004 for Sierra and High Sierra, iOS 12.4, watchOS 5.3, and tvOS 12.4.

Friday, August 16, 2019

Apple Files Lawsuit Against Corellium for iOS Virtualization

Juli Clover (Hacker News):

Apple today filed a lawsuit against Corellium, a mobile device virtualization company that supports iOS. Corellium describes itself as the “first and only platform” that offers iOS, Android, and Linux virtualization on ARM.

In the lawsuit, filed today in the Southern District of Florida, Apple accuses Corellium of copyright infringement for illegally replicating the operating system and applications that run on the iPhone and the iPad.

[…]

Apple says it does not want to encumber “good-faith security research” but instead is aiming to end Corellium’s “unlawful commercialization of Apple’s valuable copyrighted works.”

Thomas Brewster:

The startup is Corellium, first revealed by Forbes in February 2018, when the husband-and-wife founded company came out of stealth. Its product provides “virtualized” versions of iOS. For security researchers, such software-only versions of the Apple operating system are incredibly valuable. For instance, it’s possible to use Corellium to pause the operating system and analyze what’s happening at the code level. Some in the industry have called it “magic,” as it should help security researchers uncover vulnerabilities with greater ease and speed than having to work with a commercial iPhone.

Various sites have called this “iOS emulation,” but it sounds to me more like running iOS on commodity hardware (i.e. iOS Hackintoshes) and then selling online access to the virtual machines. This seems really useful but almost certainly violates Apple’s copyright and/or software license agreements.

See also: Apple v. Psystar.

Previously:

Update (2019-08-19): Steve Troughton-Smith:

you have to download & install your own IPSW last time I tried, but I don’t know what advanced offerings they have for special customers.

If Corellium is only providing hardware that you install iOS on yourself, I would think they (but not the customer) would legally be in the clear. But that doesn’t seem to be what they’re doing.

Brendan Shanks:

A screenshot from the complaint shows a list of iOS versions, which they apparently download-on-demand. Legally feels shakier than requiring the user provide an IPSW

Lorenzo Franceschi-Bicchierai:

Matt Suiche, a well-known researcher who developed virtualization software in the past, tweeted: “Imagine what today's Cloud Computing landscape would look like if VMware had been sued by IBM or Microsoft back in 1998,” referring to the popular virtualization platform VMware. Daniel Cuthbert, who is on the Black Hat conference review board and a veteran of the infosec community, called it a “poor move” by Apple. Luca Todesco, a well-known iPhone hacker, said this lawsuit is akin to Apple pulling “a Sony,” in reference to the Japanese giant suing security researcher George “Geohot” Hotz, in 2011 for jailbreaking the Playstation 3.

[…]

The employee explained that the way Apple licenses its software, you can’t run a virtual version of MacOS on VMware or other virtualization platforms if it’s not running on a Mac computer. Corellium does something similar, but with iOS.

The Version Museum

Jason Kottke:

The mission of Version Museum is to record and present what the interfaces of software and websites looked like, from their earliest versions until now. The site’s tagline is “a visual history of your favorite technology”.

For example, it has Amazon’s first Web site, Adobe Photoshop, iTunes, Microsoft Word, as well as classic Mac OS, Mac OS X, and iOS.

Previously:

Update (2019-08-19): Doeke Zanstra has a collection of Microsoft Office icons.

App Store Editorial Stories on the Web

Benjamin Mayo:

Apple has recently updated its App Store Preview pages for stories to allow users to view the full content of stories from inside their desktop web browser. App Store stories have always been shareable as links, but the web version was just a title and a navigation link to ‘open this story in the App Store’.

Between August 9th and August 11th, Apple has upgraded the experience and now includes full imagery, app lists and paragraphs copy in the web version. This means you can access the same content online as you would be able to find in the native App Store experience.

[…]

Whilst you still cannot access the App Store front page from the web, or buy apps through the browser, if you see someone share an App Store story about an app you might be interested in, it’s now a much nicer experience to interact with that article from a Mac.

John Gruber links to the feature for Yoink, and I can view that in Safari, although it simultaneously opens the App Store app on top of Safari. However, the feature for ToothFairy still uses the old style of showing the artwork without the editorial text (and also opens the Mac App Store app). On iOS, it shows the text from the Mac App Store in the iOS App Store app. So you can’t select text, copy it, or search, like you could if it were in a Web browser.

Previously:

Update (2019-09-03): Gus Mueller:

The link above will give a little preview to the story, but to read the whole thing, you’ll need to follow the link to the Mac App Store.

No way to read the story in a browser or to select/copy/print the text. If you want to save a copy of it, I guess you need to screenshot it (and scroll down and screenshot it again).

Should the Web Be archive.org?

Dave Winer:

There’s a consensus that porting the [LinuxJournal site] to archive.org is the answer. Jon Udell, a highly respected developer says on Twitter that redirecting to archive.org, as Doug Kaye does, is the “gold standard” for preserving sites.

I’ve always resisted this, instead preferring that we take steps to make the web itself more permanent.

Archive.org is great, but I agree that it’s unsatisfying that the Web itself can’t be preserved.

AMP Server-Side Rendering

Sebastian Benz (Hacker News):

AMP now officially supports a technique called server-side rendering (SSR) which you can apply to your AMP pages to make them load even faster. Our tests show increases of up to a whopping 50% on the popular FCP metric. The Google AMP Cache has utilized this technique for a while, but now you can also use it on your own domain!

[…]

SSR is a technique for improving first-contentful-paint times (FCP) for frameworks rendering the page client-side such as React or Vue.js. The downside of client-side rendering is that all Javascript necessary to render the page needs to be downloaded first. This delays the time until users can see the actual content of the page. To alleviate this, both React and Vue.js support pre-rendering the DOM on the server on navigation requests. Rendering is then picked up by the client-side Javascript, a process called (re)hydration. Users will be able to see content much faster as a result.

[…]

With this attribute being set, the validator treats SSR’d AMP as valid AMP. SSR’d AMP optimizations break the rules of the AMP spec, hence making the document invalid, which is why it’s necessary to indicate this case with this new flag. With the flag and the optimizations both being in place, the document is considered valid and you’re good to go.

amluto:

Wait, does this mean that websites could serve plain HTML but set this flag and thus avoid being penalized by Google? Win!

Ricky Mondello:

If only the industry had thought of servers directly sending markup to render pages from the beginning. 🙄

Update (2019-08-22): Curtis Herbert:

Piece by piece AMP stops being about a “lightweight page” and more a full replacement to the standards that power the web.

They are using their search engine dominance to force everyone to adopt this stuff, otherwise no one would. No one needed or asked for this stuff.

Chrome pulled out all the stops to woo over the tech space over the course of a decade, only to pull the rug out from under things that are Bad For Google (content blockers) now that they are the dominant browser.

Think AMP isn’t going to go the same way?

See also: How can we destroy AMP?.

Thursday, August 15, 2019

The Cost of Sharing iOS and Android Code at Dropbox

Eyal Guthmann (Hacker News):

Until very recently, Dropbox had a technical strategy on mobile of sharing code between iOS and Android via C++. The idea behind this strategy was simple—write the code once in C++ instead of twice in Java and Objective C.

[…]

We have now completely backed off from this strategy in favor of using each platforms’ native languages (primarily Swift and Kotlin, which didn’t exist when we started out). This decision was due to the (not so) hidden cost associated with code sharing. Here are some of the things we learned as a company on what it costs to effectively share code.

[…]

Last, but definitely not least, is the cost of training and/or hiring developers to work on our very custom stack. When Dropbox started with this mobile strategy, we had a core group of experienced C++ developers. This group started the C++ project and trained other mobile developers at Dropbox on how to contribute to the codebase.

Over time, these developers moved on to other teams and other companies. The engineers who remained did not have sufficient experience to fill the technical leadership gap that opened up, and it became increasingly difficult to hire replacement senior engineers with relevant C++ experience who would be interested in mobile development.

David Owens II:

C is basically the only truly portable and interoperable language.

Also, PALs are tough, often created with the inverse goals, and I’ve seldom seen them work well for anything that desires truly native integration.

dougk16:

I have come to this same conclusion after many years. It’s not cost-effective to have any bespoke business logic (models, controllers, etc.) shared between the two mobile platforms (don’t get me started on sharing UI code). If you have some incredibly tricky low-level algorithm/library and/or need for speed, think database, crypto, intense graphics, etc., then fine, you may be able to swing a shared module in C++ or something. Other than that, it’s almost like the collective consciousnesses of Google and Apple conspire to make cost-effective code-sharing of typical CRUD apps almost impossible.

jugg1es:

I often struggle trying to explain to more junior developers that there are times when it’s OK to write code more than once. There is a mindset that you should only ever write code once. It exists for (very) good reason. But if you follow it dogmatically, you may end up with an unmaintainable tangle of dependencies that can only be resolved with a rewrite.

Sometimes, it’s OK to write the same thing twice if the alternative is a major refactor - such as inventing your own stack.

cbsks:

It seems like the real issue was that Dropbox lost all of their senior C++ engineers. That’s a real mistake on their part, losing the only people who truly understand your product can be a death sentence for a company. I know my employer is very conscious of who knows what part of our products, and does their best to ensure that we never have any knowledge gaps.

Update (2019-08-16): Sam Deane:

I’m well aware of the complications involved in maintaining cross-platform C++, but dubious about their conclusions. It smells to me (at least partially) of a spin on a technical management failure.

Nick Heer:

Fascinating stuff from a company that is about to launch an Electron-based desktop client.

Global Mac Defaults and Hidden Preferences

Howard Oakley:

There are settings for a great many features in Mojave, and the common problem is discovering where any given setting is, and how to control it. Some are exposed in the GUI, others are hidden away from easy access. This article concentrates on global settings which are usually presented in a pane in System Preferences, or the NSGlobalDomain of defaults.

See also: Esoteric Preferences, defaults-write.com.

C++ Development Tips

Sebastian Aaltonen (thread reader):

Now that people have already said highly controversial stuff like “debugger is useless for C++ development”, I think I can share my own controversial thoughts about unit testing, DRY, copy-paste coding and function length, etc... with 20 years of C++ programming experience.

Lot of good points here—I’m surprised he considers them controversial.

Facebook and Microsoft Contractors Listen to Recordings, Too

Sarah Frier:

Facebook Inc. has been paying hundreds of outside contractors to transcribe clips of audio from users of its services, according to people with knowledge of the work.

The work has rattled the contract employees, who are not told where the audio was recorded or how it was obtained -- only to transcribe it, said the people, who requested anonymity for fear of losing their jobs. They’re hearing Facebook users’ conversations, sometimes with vulgar content, but do not know why Facebook needs them transcribed, the people said.

Joseph Cox (via Jason Koebler, Hacker News):

The contractor said they are expected to work on around 200 pieces of data an hour, and noted they’ve heard personal and sensitive information in Cortana recordings. A document obtained by Motherboard corroborates that for some work contractors need to complete at least 200 tasks an hour.

The pay for this work varies. One contract obtained by Motherboard shows pay at $12 an hour, with the possibility of contractors being able to reach $13 an hour as a bonus. A contract for a different task shows $14 an hour, with a potential bonus of $15 an hour.

[…]

After Motherboard reported that contractors were listening to some Skype calls made using the service’s translator function, Microsoft updated its privacy policy and other pages to explicitly include that humans may listen to collected audio.

Keyboard Maestro 9

Stairways Software (tweet):

Keyboard Maestro 9 expands on the powerful base of previous versions, adding Dark Mode, multiple editor windows, and support for OCR and JSON, together with lots of new actions and additions.

Interesting idea to apply OCR to screenshots on the clipboard. (Back in the classic Mac days there was a neat utility that could do this without actual OCR by intercepting the QuickDraw calls that were used to draw text to the screen.) Plus, toolbar labels!

The upgrade is $18 or $36 for new purchasers.

See also: Keyboard Maestro 8.

Tuesday, August 13, 2019

NetNewsWire 5 Public Beta

Brent Simmons:

NetNewsWire has reached public beta! It only took like five years. :)

Our definition of beta is release candidate. With each beta release, we believe that the app is ready to ship. But we want to do further testing to make sure.

It’s come a long way since debuting as Evergreen and now supports syncing via Feedbin.

Brent Simmons:

NetNewsWire isn’t the answer — it’s an answer. It’s just a small part of what needs to be done. But it’s the work we personally know how to do, so we do it.

We also love high-quality Mac and iOS apps, and we hope that NetNewsWire will be an example. The code is available for anyone to learn from and use. We believe it’s one of the largest open source projects written (mostly) in Swift.

Update (2019-08-21): Brent Simmons:

Before every major release I like to try and think of everything mean that people might say about the app. It’s fun!

[…]

This took five years? I could write an RSS parser in a weekend.

Locked Out of an Apple Account

Luke Kurtis (via Andrew Orr):

About a week after I redeemed the gift card, I noticed my iTunes account wasn’t working. When I tried to log in, it said my account was locked. I searched online for help, but I couldn’t find a solution. I called up Apple support. […] The senior agent informed me my account had been locked because I’d used a fraudulent gift card. […] Apparently all she had to do was to escalate this to Apple’s internal security team who, because she had vetted my account, would re-enable everything within 24 hours.

[…]

Except that after 24 hours, there had been no word. Even after a few days, the agent was nowhere to be found, even after I emailed her directly. I ended up calling back into the main support line to start with a new agent […] “There is nothing else you can do, there is no escalation path.”

[…]

But when Apple locked my account, all of my devices became virtually unusable. At first, it seemed like a mild inconvenience, but I soon found out how many apps on my iOS and Mac devices couldn’t be updated, not to mention how I couldn’t download anything new. When I had to take a trip for a family emergency, the JetBlue app wouldn’t let me access my boarding pass, saying I had to update the app to use it.

[…]

All in all, I was locked out of my account for roughly two months. Had I not taken advantage of my internal Apple contacts, I may not have gotten my account back.

Update (2019-08-15): Isaiah Carew:

pretty much what happened to me about three years ago. but the account was disabled for ~6mnths. long enough that i totally gave up. i wrote off thousands of dollars in apps, movies, music, trashed 2 apple TVs, and stopped “buying” any kind of digital content on any platform.

Apple Card Lacks Web Interface, Sends Push Notifications

Nicole Nguyen:

Apple Card has an iPhone-only interface. If you lose said iPhone and need to make a payment, Apple’s recommendation is to use a second iOS device (eg. iPad) or call support (not, presumably, with the phone you just lost).

In other words, despite its titanium, futuristic-veneer Apple Card does not afford you what nearly every other credit card does: a website accessible on desktop that gives you the flexibility to pay bills or see transactions from any device.

Great, so you can’t export your data or view it on a large screen. And this will probably be like Apple’s other purchased/billing interfaces, where you can’t select and copy text and the searching is very basic, if there at all.

The Tape Drive:

Apple will target users for marketing emails and push notifications based on their transaction history. “For example, Apple may send a message to your device that is relevant to people who typically purchase travel.” Apple might have been able to negotiate reduced fees by agreeing to allow advertising to Apple Card users.

Via CM Harrington:

This is the kind of bullshit you get when you become a ‘services’ company… “We don’t allow marketing push notifications unless they’re our marketing push notifications”. No thanks, Tim Apple.

[…]

I WANT to have push notices for my transactions. I don’t want Apple to look at my transaction history and decide I should be marketed at OD is even creepier. it means there’s a daemon always watching my purchases for marketing opportunities.

Jon Alper:

Apparently the message is sent globally and then evaluated on device as to whether to deliver to you based on what the device knows. Yes, sucks you can’t get notifications of transactions and not get marketing messages.

And receiving these marketing messages is going to use up cellular data, too.

Update (2019-08-15): Nick Heer:

Based on what I’m reading here, it sounds like Apple is sending push notification message text to all Apple Card users, but only displaying it if it’s relevant to a specific user. It’s a clever way of doing semi-targeted ads without violating users’ privacy.

I think that’s less relevant to users than whether they expect to receive ads in their email account and on their lock screen because they signed up for Apple’s credit card. The more nihilistic user might, but Apple is supposed to be the company that doesn’t point to some clause in their terms and conditions as a free pass to exploit users.

[…]

Apple’s solution is in agreement with the letter of these statements, but certainly not the spirit.

Daniel Storm:

PSA: Apple Search Ads are included in the 3% back on Apple Card 💰

Update (2019-08-19): See also: Accidental Tech Podcast.

Update (2019-08-20): John Gruber:

I don’t think the reason for this is to keep you locked to your iPhone, although that’s certainly a side effect. I think this simply reflects Apple’s internal culture. Apple’s culture is to make native apps for everything as a first priority, with web interfaces as a much lower priority. And in recent years, that’s shifted from native apps for iOS and Mac to just native apps for iOS. (E.g. the craptacular Catalyst apps for Stocks, News, Voice Memos, and most especially Home.) It feels ridiculous that you can’t access your Apple Card account from a Mac, whether from a native Mac app or from a website.

Update (2019-10-04): Despite the lack of a Web interface, I did get an e-mail notification about a PDF statement:

Your September statement is ready to view.

You can view your statement balance or pay your bill by tapping Apple Card in your Wallet App.

To view a PDF of your statement, tap Apple Card in your Wallet app, tap Total Balance, and tap the month.

Amber Neely:

Apple Card users who have checked their Apple Card PDF statements for September may notice that their statements are not itemized. While the Apple Card still shows itemized transactions within the Wallet app itself, the downloaded PDF currently shows a single monthly transaction, rather than an itemized list.

AppleInsider received a tip from a reader who noticed that their statements were not itemized. Staffers who own the Apple Card were able to recreate this problem upon checking their own statements.

[…]

“We are aware that some PDF billing statements are not showing transaction level detail. Transaction details in the Wallet app are correct,” said the Goldman Sachs representative. “The PDF Statements are being regenerated and will be available in Wallet later today.”

Juli Clover:

Things you can’t use Apple Card for: renting a car at enterprise.

Andrew Abernathy:

1. Went to pick up Redbox reservation but the box didn’t recognize me. Searching online, others say the issue is that the card # encoded on the card is different from the one shown in Wallet. (Chatted w/ Redbox; they cancelled.)

2. Yesterday an online transaction was rejected, forcing me to use different card. In case of suspected fraud, aren’t they supposed to send a notification? In my case they didn’t — fraud services called, left voicemail ~10 minutes later. (I don’t answer unrecognized numbers.)

Update (2020-07-03): Juli Clover:

Apple today launched a website that’s designed to allow Apple Card holders to check their balances, view statements, and make Apple Card payments online.

Verizon Sells Tumblr to Automattic

Julia Alexander (Hacker News):

Verizon has agreed to sell Tumblr to WordPress owner Automattic Inc. for an undisclosed amount, The Wall Street Journal reports.

Verizon, which first acquired Tumblr in 2017 after it purchased Yahoo, started to explore a sale earlier this year. Automattic reportedly bought Tumblr for less than $3 million, according to Axios, a stunning drop in value from the $1.1 billion Yahoo paid for it in 2013.

Marco Arment:

This is pretty cool. Can’t think of a better owner today than Automattic for Tumblr’s huge creative publishing community.

Matt Mullenweg:

Will do our best to make you proud about this next chapter for @tumblr.

Matt Mullenweg:

When the possibility to join forces became concrete, it felt like a once-in-a-generation opportunity to have two beloved platforms work alongside each other to build a better, more open, more inclusive – and, frankly, more fun web. I knew we had to do it.

In the underlying technology of our platforms, I think there are some good opportunities to standardize on the Open Source WordPress tech stack, but the front-end user experience on Tumblr will evolve on its own path. It has been so successful already, and we want to keep that going.

Colin Devroe:

This is good for a variety of reasons. It ensures Tumblr will very likely be around in some form or another in perpetuity while still retaining its unique posting UI that its community no-doubt loves. I know I love it. I wish I had the same thing for my WordPress blog. Maybe I will get that now?

Brian Krogsgard:

The most recent controversy for Tumblr was a community revolt over the treatment of adult content. Matt says Tumblr’s new adult content policy will stay in place under the new ownership. On Hacker News, he said, “Adult content is not our forte either, and it creates a huge number of potential issues with app stores, payment providers, trust and safety… it’s a problem area best suited for companies fully dedicated to creating a great experience there. I personally have very liberal views on these things, but supporting adult content as a business is very different.”

[…]

Tumblr will remain a separate brand. There is a dedicated Tumblr community even after years of neglect and confusion. Still, Matt says Tumblr’s user base is “several times larger than [WordPress.com’s].”

Update (2019-08-16): Daniel Jalkut:

A 950-employee, completely distributed company, is taking on 200 employees who are accustomed to urban office life. I think that will be one of the most interesting challenges in this merger.

Matt Mullenweg:

Tumblr is multi-office, so does have a distributed aspect. But I see moving toward being natively distributed as taking a few years, and we don’t want to disrupt things that are already working.

Nilay Patel:

One thing that jumped out in this interview: the real sense that Tumblr didn’t lose nearly as many users due to the porn ban as people think.

Fred Wilson:

Tumblr was both a blogging platform and a social media application and while I always loved the versatility of the platform, native mobile applications benefit from simplicity, not complexity.

[…]

David Karp, the founder of Tumblr, always focused on making Tumblr a “positive” experience. That is why he refused to have comments, even though I pushed him to do it and hacked Tumblr by putting Disqus on mine. That is why he made the primary (only?) form of engagement a heart.

And it worked. Tumblr was a happy place and using it made people feel good about themselves.

Chris Mohney:

Your one million paying Tumblr users just brought in $24 million for the year—or, almost double what Tumblr made the first year it sold advertising. Assume the Tumblr active user base is more like 20 million, and/or entice more of them to pay, and/or offer various Tumblr-appropriate upsells, and/or implement and charge for all the years’ worth of community-driven functionality asks … well, getting to the $100 million revenue goal that Tumblr publicly shot for (and likely never achieved) seems not unreasonable.

And you do this without selling ads. I will forever and repeatedly die on the hill that pursuing advertising as Tumblr’s revenue strategy was what killed the site’s independence and alienated users long before the porn ban. I personally believe the management/investor/industry advice to sell ads was not only bad advice, but quite possibly given in bad faith and maybe even predatory in nature. Advertising has pros and cons depending on the situation, but anyone who looked at Tumblr back in the day and saw a Facebook-style infinite-ad-revenue reservoir was fooling themselves and/or others. Demonstrably so.

Buzz Andersen:

Tumblr is my go to example of a company that could have evolved into a fine independent business but instead was destroyed by the decision to “go big” with venture capital.

Nick Heer:

Automattic will obviously be a better steward of Tumblr than Yahoo or Verizon were, but I question whether the unique qualities of its communities can experience a resurgence. It has felt for years like it has been dying a protracted death, and its 99% discounted sale price speaks to that.

Matt Mullenweg (Hacker News):

First, [Verizon] chose to find a new home for Tumblr instead of shutting it down. Second, they considered not just how much cash they would get on day one, but also — and especially — what would happen to the team afterward, and how the product and the team would be invested in going forward. Third, they thought about the sort of steward of the community the new owner would be. They didn’t have to do any of that, and I commend them for making all three points a priority.

Monday, August 12, 2019

RIP AirPower, But Great Gadget Chargers Abound

Mitchel Broussard:

Twelve South today launched the “PowerPic,” a traditional wooden picture frame that includes a hidden, 10W wireless charger. You can place any 5" x 7" photo in the PowerPic, and then to charge an iPhone 8, 8 Plus, X, XS, XS Max, or XR, you simply place the device on top of the photo.

Twelve South says that the idea behind the PowerPic was to create a Qi charger that would not add to the clutter of a bedside table or desk, so that when your iPhone (or any compatible Qi smartphone) isn’t charging, it just looks like any other framed picture in your home.

Joe Rossignol:

Belkin today introduced its BOOSTUP Wireless Charging Dock for wirelessly charging an iPhone and Apple Watch at the same time. There is also a USB-A port for charging a third device like an iPad via Lightning cable.

Julio Ojeda-Zapata:

If you like the notion of charging an iPhone, Apple Watch, and AirPods all at once, you have options. I evaluated a lot of wireless and wired chargers in this category. I zeroed in on a handful I like, but they are not without their annoyances.

Samuel Axon:

To be clear, this does not fully realize the vision Apple originally laid out for AirPower. Whereas AirPower could charge three devices in any combination—say, two iPhones and a Watch, or two Watches and one AirPods case, or three iPhones—the mophie pad has a dedicated spot for each device type: iPhone, Apple Watch, and AirPods. Further, the Watch doesn’t actually charge on the mat; it charges on a distinct surface that protrudes from the mat. And for AirPower, Apple imagined a software solution that would display on your iPhone’s screen the charge status of every device on the mat. The mophie pad doesn’t offer that.

Michael Kummer:

To charge an iPhone as quickly as possible, I recommend abandoning the 5W power brick and upgrading to a more powerful adapter. The good news is that you might already have a faster charger at home.

AirPods Charger Teardown and Reverse Engineering

Freddie Temperton (via Jon Masters):

One thing we noticed when playing with the AirPods is that your phone knows the charge state of the AirPods individually, as well as the case itself. How were they doing this? Our interest was piqued! We also noticed that if you don’t have either AirPod in the charger cradle, the phone is unable to read the charger cradle charge state. It was very unlikely that the case has another Bluetooth radio in it as that seems total overkill and power hungry, so we discussed other options. As there are only 2 contacts between the charger and AirPods, we theorized they must be using a form of powerline communication and hijacking the radio in one of the AirPods to transmit information from the charging cradle to the phone.

[…]

With the first glimpse of the innards, we knew this was a lot more than a simple dumb charger. There’s an ARM Cortex-M0+ in there!

[…]

The little button on the back is actually a whole custom assembly. Two metal contacts are moulded into a piece of plastic to contact with the springs on board, then a SMD switch soldered on. The button that presses down even has a tiny milled metal insert for pushing the button! Very impressive ME work!

Grief From Transitioning to Subscriptions

Peter Steinberger:

Transitioning an app to subscription is always an adventure - even if you don’t take features away, people give you 💩

Twitterrific:

Even if you ADD a ton of features.

Pádraig Kennedy:

fwiw we were shocked that we barely had any of this when we moved Castro to subscription. I guess it depends on the type of app and who your users are.

Markus Müller-Simhofer:

You get the same 💩 when you dare to release a paid upgrade. Or even when you do Freemium to offer a [trial]. Two examples from just today.

And you have no idea how many people give us 1-star reviews because Mac and iOS are separate purchases (cross platform unlocks are only allowed for subscriptions). I [file] those as feature request for a subscription… 🤐

Michael Simmons:

This is a loud, but luckily, minority of users. These people seem to think apps write and update themselves and that supporting an app is free. These same “loyal” users wouldn’t care if we went out of business. Part of the app business (and life!), I guess. 😉

Kyle Howells:

Part of the problem is iOS itself.

Apps need constant maintenance to just keep running and working because, else they break. The means, I want to keep this thing I’ve already bought, and, I want new features and updates all the same, end up combined together.

as a result you get “I bought this app, I just want to keep it, why are you taking it away from me and making me pay again?”

But without more work, iOS itself will take the app away from you by breaking it or refusing to run it.

Update (2019-08-13): Isaiah Carew:

counterpoint: selling paid upgrades off the app store for $34.95

still pretty great.

11 years indie.

proven sustainable.

we’ve had a handful of whiners, sure. but more fans that tell us we’re undercharging.

Hitting the Limits of APFS

Howard Oakley:

APFS limits the number of volumes which can exist within each container. The absolute maximum is 100, which is hardly likely to be reached unless you’re doing very peculiar things. However, there’s a smaller limit which is more likely to come into play: in any given container, the maximum number of volumes is the size of that container divided by 512 MiB, rounded up to the nearest integer. So if your container is 1.1 GiB in size, the maximum number of volumes it can support is not 100, but only 3.

[…]

This results in the anomalous situation that:

  • the smallest container size is 8.4 MB when there’s only one container, but around 20 MB when there are two or more;
  • the smallest volume size is 8.4 MB when there’s only one container and one volume, 20 MB when there are two or more containers, or about 300 MB when there are two or more volumes in the same container.

Google Chrome Incognito Mode Can Still Be Detected

Lawrence Abrams:

With the release of Chrome 76, Google fixed a loophole that allowed web sites to detect if a visitor was using Incognito mode.  Unfortunately, their fix led to two other methods that can still be used to detect when a visitor is browsing privately.

Some web sites were using Incognito mode detection in order to prevent users from bypassing paywalls or to give private browsing users a different browsing experience.

[…]

When Google made it so that Incognito mode uses a temporary filesystem using the computer's RAM, it opened up a new method of detecting it based on the amount of storage set aside for the internal filesystem used by the browser.

[…]

As Chrome switched to a memory filesystem in Incognito mode, it is now possible to detect private browsing by measuring the speed of writing to the filesystem.

Friday, August 9, 2019

Guardian Firewall 1.0

Sudo Security Group (via Will Strafach, Wired):

Guardian Firewall will be available [in] July. The cost is $9.99/month (or $99.99 per year) for VPN + Firewall capabilities. VPN-only service will be available at no cost.

[…]

Thousands of hours and a 5 month back-and-forth with Apple’s App Review team later, this mission has resulted in our creation of the first real firewall for iOS devices. Managed by a unique dataset that is the result of our continuous and exhaustive in-house research, Guardian Firewall updates instantaneously as we discover new threats to ensure that you don’t have to do any work at all.

[…]

The initial 1.0 release of Guardian Firewall primarily does one thing, and it does it well: Block those trying to track you, and tell you who they are as well as what types of data they likely tried to collect.

[…]

In order to effectively keep track of all known trackers being used on iOS, we periodically scan the App Store and use custom automated tooling to decompile, disassemble, and index the contents of iOS apps.

[…]

The Guardian Firewall app has been designed to simply act as a client for remotely hosted VPN servers running custom fully-featured firewall software[…]

“Mastered for iTunes” Becomes “Apple Digital Masters”

Nick Heer:

The way this is written makes it sound like Apple Digital Masters is equivalent to the lossless files offered by other platforms, but it is not. It is a rebranding of the Mastered for iTunes spec — probably because Apple is no longer using the soiled “iTunes” branding to refer to their music products, with the exception of the iTunes Store. This spec is important because it helps labels deliver music that is mastered specifically for a compressed audio format, not just a conversion from the CD or vinyl master. This is great.

It still uses 256kbps AAC files.

Bye-Bye iPad

Jeff Perry:

I simply don’t use an iPad anymore for my work.

No, this isn’t a “you can’t get real work done on an iPad” article. I have gotten real work done on an iPad for years and loved it, but due to some changes in my life the iPad isn’t the best tool for the job anymore.

[…]

If I am being totally honest, it isn’t just the editing that makes me want to use my Mac over the iPad. I’m not sure if it is me not always happy with certain limitations on iOS or if I am just used to the Mac, but something about the Mac allows me to work with less friction.

Launching the SwiftPM Library

Dave Verwer:

Introducing, the SwiftPM Library! It’s a Swift Package Manager search engine. There’s more information here but it should be fairly obvious what it does and how to use it.

Picking the right dependencies to add to your project is hard, and that’s what the SwiftPM Library aims to help with. There’s much more to do on that side of things, but I’m already analysing the Package.swift file, any relevant Xcode project files inside the library and the git history for each package to make sure that the search results recommend the best quality libraries first. I want to make it easy for you to make great decisions about what dependencies to use.

Apple Maps in iOS 13

Ryan Christoffel:

Timed with the spread of its first-party mapping data, Apple is giving the Maps app a big upgrade in iOS 13 that represents the company’s biggest push yet to overtake Google Maps as the world’s most trusted, go-to mapping service.

[…]

The hallmark feature of iOS 13's Maps is Look Around, which serves as a direct competitor to Google's popular Street View. It enables viewing and moving through a 3D representation of the world from the perspective of a car on the road. Google launched Street View over 12 years ago, so Apple is laughingly late to the game with Look Around, but it aims to atone for its delay by offering a more modern, elegant experience than Google.

Outside of Look Around, some of the biggest changes in the new Maps app reside in an improved navigation panel. Favorites have been revamped and made more accessible, while a new Collections feature makes it easy to save groups of locations for revisiting later.

What I really want to know: how is the basic map data?

Clark Goble:

Regarding rural driving - people not used to driving in open areas don’t quite understand the problem. Most places don’t have addresses so turn by turn is useless or highly inaccurate. So directions refer to roads but when zoomed out you can’t see any of the roads.

This isn’t a problem in the city, but I wish both Apple and Google would just have an option to display secondary roads. Both also confuse paved secondary roads, dirt roads, and OHV dirt roads.

Previously:

Update (2019-08-13): Craig Grannell:

I’ve used the new Apple Maps quite a bit, and it is an improvement. Apple’s Street View rip-off, ‘Look Around’, not only sounds like a terrible 1970s BBC family TV show, but it’s smoother and more useful (what with inline POIs) than Google’s equivalent. Also, Apple now gives you shareable collections, and still actually knows what colour roads are supposed to be on maps in the UK. (Hint, Google: motorways are BLUE; A roads are GREEN.)

But the wheels come off unless you’re living in a big US city, and armed with as much data as your phone can eat – on a connection that never dies. Head beyond a handful of US cities and Look Around vanishes entirely. The lack of a map download option means Apple Maps is effectively useless unless you’re online.

Thursday, August 8, 2019

Windmill for iPhone Rejected From the App Store

Markos Charatzas:

For the past few months, I have been working on Windmill 3.0 which enables Windmill on the Mac to publish your iOS app.

Effectively, every time you make a code change, Windmill will also publish your app so that you can install it on your iPhone.

Markos Charatzas:

Unfortunately, Apple has firmly rejected Windmill on the iPhone. Windmill on the Mac does not seem to have Apple’s blessing either.

[…]

I was reminded of one very specific reason that I was given too.

Guideline 5.2.5 - Legal - Intellectual Property

YOUR APP IS TOO SIMILAR TO TESTFLIGHT, WHICH CREATES A MISLEADING ASSOCIATION WITH APPLE PRODUCTS.

[…]

More importantly, Apple took the stance that the Command Line Tools Package is only meant to be used by developers in-house and not by 3rd parties to provide support for continuous integration systems - continuous delivery in the case of Windmill.

Via Brent Simmons:

I don’t understand all the issues here, I admit, but I start by thinking that useful developer tools should be allowed on the App Store.

Update (2019-09-06): Markos Charatzas (Hacker News):

I don’t feel motivated knowing what is possible will be subpar, constrained, unwelcome, unappreciated and on the bad side of Apple. I feel crippled as an Apple Developer to make the best of all available platforms and technologies.

[…]

For Apple, this was just an app that was submitted, went through due process and was rejected. For me, this is a moment in time that will define what turn my life takes next.

Update (2019-09-09): gitpusher:

Former Apple + TestFlight employee here (3 years at TF + 2 at App Store post-acquisition). Apple is very territorial about developer tools. They do allow certain businesses (like Fastlane) to operate in this space (a tacit acknowledgement that those tools provide value) yet they deny others (like Windmill) the right to operate.

This follows the typical Apple ethos of “we can do it better because we’re vertically-integrated”. However this only works if your product is damn-near perfect. And Apple is infamously imperfect when it comes to software/services.

On top of the competence issue, they also have no real motivation to improve tooling. They know that developers will build stuff no matter how onerous the terms, and no matter how nitpicky is their approval process.

If they re-framed their perspective, and began considering devs as “users” in their own right, then perhaps they, too, would experience the tender love + attention that Apple lavishes on its end users. But this is simply not how they view it, and there is little political will inside Eddy’s org to accomplish such a shift.

Update (2020-01-06): Markos Charatzas:

The last version of Windmill on the Mac is 3.1.2. There are no plans to support Xcode 11 or any future versions of Xcode. Windmill on the iPhone never made it to the App Store.

GitHub Actions CI/CD in Beta

GitHub (tweet, Hacker News):

GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.

[…]

Hosted runners for every major OS make it easy to build and test all your projects. Run directly on a VM or inside a container.

Save time with matrix workflows that simultaneously test across multiple operating systems and versions of your runtime.

Free plans include 2,000 minutes per month, with extra macOS minutes available for $0.08 (10x the Linux price and 5x the Windows price).

GitLab:

And while we bet on this philosophy the industry is now seeing it as well. In September of 2015 we combined GitLab CI and GitLab version control to create a single application. By March of 2017, Bitbucket also realized the advantages of this architecture and released Pipelines as a built-in part of Bitbucket. In 2018, GitHub announced Actions with CI-like functionality built into a single application offering. In the last six months, JFrog acquired Shippable and Idera acquired Travis CI, showing a consolidation of the DevOps market and a focus on CI. The market is validating what we continually hear from our users and customers: that a simple, single DevOps application meets their needs better.

GitLab:

With about 3.44M job instances per week/13.76M per month, GitLab CI is growing at a rapid rate to help our customers and users with their deployment needs. Read on below to learn more about all of the exciting CI/CD features in the 12.0 series of releases that will help you to deploy your code quickly.

Previously:

Apple Is Locking Batteries to Specific iPhones

Jason Koebler (tweet):

A longtime nightmare scenario for independent iPhone repair companies has come true: Apple has tied batteries to specific iPhones, meaning that only it has the ability to perform an authorized battery replacement on the newest versions of iPhones, two independent experiments have found.

Battery replacements are among the most common repairs done by Apple and by independent repair companies. This is because lithium ion batteries eventually lose their ability to hold a charge, which will eventually make the phone unusable. Replacing the battery greatly extends the life of the phone: Apple CEO Tim Cook acknowledged earlier this year that battery replacements are resulting in fewer people buying new iPhones, which has affected Apple’s bottom line.

It’s concerning on many levels, then, that on the iPhone XS, XS Plus, and XR, any battery swap not performed by Apple will result in the phone’s settings saying that the new battery needs “Service.”

Craig Lloyd (MacRumors, Hacker News):

Put simply, Apple is locking batteries to their iPhones at the factory, so whenever you replace the battery yourself—even if you’re using a genuine Apple battery from another iPhone—it will still give you the “Service” message. The only way around this is—you guessed it—paying Apple money to replace your iPhone battery for you. Presumably, their internal diagnostic software can flip the magic bit that resets this “Service” indicator. But Apple refuses to make this software available to anyone but themselves and Apple Authorized Service Providers.

Our friend Justin notes that there’s a Texas Instruments microcontroller on the battery itself that provides information to the iPhone, such as battery capacity, temperature, and how much time until it fully discharges. Apple uses its own proprietary version, but pretty much all smartphone batteries have some version of this chip. The chip used in newer iPhone batteries includes an authentication feature that stores the info for pairing the battery to the iPhone’s logic board.

Previously:

Update (2019-08-13): Rene Ritchie:

Some of the coverage has then focused on this being a move deliberately designed to hurt third party repair shops and it’s going to make Apple look really, really bad.

The first part is about as silly as saying right-to-repair is deliberately pushed to make a buck off selling high priced DIY kits. It’s just nonsense. Hurting third parties really sucks. Like really sucks. But it’s collateral damage. And it’s why the second part is bunk too. Apple doesn’t really care about looking bad with this.

What Apple cares about is catastrophic battery failures. Apple cares about that a lot.

Adam Engst:

I think Rene is significantly overstating the case. There have been third-party batteries available for Apple laptops and iOS devices for many years, and while it’s possible that dodgy parts or repair shops have caused problems, I can’t think of a single instance where that has reflected badly on Apple in a big way.

[…]

I’ll return to the car analogy. If you go to a lousy mechanic and get rebuilt or aftermarket parts that don’t work well, you complain to the mechanic, not Ford or GM. And more to the point, if someone does a terrible repair that results in an accident (which is a heck of a lot more likely with a car than an iPhone), no one expects that it will reflect badly on Honda or Toyota.

This is control freakery on Apple’s part.

Jerri-Lynn Scofield (via Hacker News):

I want to focus on one practical problem here: the dearth of Apple stores to conduct these repairs. This is a problem outside major US cities, as I understand there are big chunks of the US that lack Apple stores. This means people who live in these areas must now either schlep to an Apple store – or ship their iPhone – when they need a simple battery change (unless they are prepared to ignore bogus error messages). Uh huh.

Josh Centers:

Frankly, this is bush-league anti-competitive behavior on Apple’s part. Anyone who chooses to have an iPhone battery replaced by an independent repair shop—or opts to do it on their own—knows what they’re getting into. Independent car mechanics who rely on aftermarket parts have existed since the Ford Model T as an alternative to working with a dealer, and car owners have no trouble deciding which sort of business they’d prefer to patronize. That should remain true of computers and smartphones as well.

Update (2019-08-15): Rene Ritchie (tweet):

Apple sent me the following statement:

We take the safety of our customers very seriously and want to make sure any battery replacement is done properly. There are now over 1,800 Apple authorized service providers across the US so our customers have even more convenient access to quality repairs. Last year we introduced a new feature to notify customers if we were unable to verify that a new, genuine battery was installed by a certified technician following Apple repair processes. This information is there to help protect our customers from damaged, poor quality, or used batteries which can lead to safety or performance issues. This notification does not impact the customer’s ability to use the phone after an unauthorized repair.

[…]

No batteries are being locked out. That’s hyperbole, sensationalism, scare tactics.

It actually seems worse than blocking certain batteries, because it also complains about genuine Apple batteries that were merely not installed by a certified technician.

See also: Josh Centers.

A Year of Working Remotely

Mike Davidson:

First, let’s dispense with the easy part: despite what you may read on Twitter, remote work is neither the greatest thing in the world nor the worst. We are not moving to a world where offices go completely away, nor are we going through some sort of phase where remote work will eventually prove to be a giant waste of time. In other words, it’s complicated.

The way to look at remote work is that it’s a series of tradeoffs. You enjoy benefits in exchange for disadvantages. The uptake of remote work over the next decade will depend most on the minimization of those disadvantages rather than the maximization of the benefits. Reason being, the benefits are already substantial while many of the disadvantages will be lessened over time with technology and process improvements.

Via Mike Rundle:

I’ve been working remotely for ~6 years now and love it, so here are a few more tidbits I’d like to offer.

Colin Devroe:

That chatter that happens in office can sometimes bear fruit. Since these serendipitous interactions will no longer happen you have to create those interactions through deliberate action. Over communicate with your team about what you’re doing, what your ideas are, etc.

[…]

Meetings do not have to be terrible. There are some simple rules that I like to follow that help them suck less. Namely: Be certain you need an actual meeting, rather than an email or chat. Always give people enough time in advance to prepare. Always have an agenda. Always have action items. Follow up on those action items weekly or as appropriate.

Update (2019-08-13): Matej Bukovinski:

I’ve now been working remotely for more than 10 years and have faced many of these challenges myself, so in this post, I’ll be sharing some of my experiences and tips for making the most of remote work.

[…]

The company needs to be fundamentally set up for remote work, and it has to be the right fit for you personally. If either of those is not the case, you’ll have a miserable time.

Leakiest Abstractions

peterbourgon:

what are some of the worst/leakiest abstractions we’re currently dealing with in computers these days?

maybe things like: posix threads? the upper layers of the OSI model? the notion of a secure boot loader? OOP in general?

There are too many good replies to quote.

Previously:

Wednesday, August 7, 2019

iOS 13 to Limit VoIP API, Eliminate Background Activity

Aaron Tilley (Hacker News):

Right now, the calling feature in these apps runs in the background even when it’s not in use, ensuring the apps can connect calls faster but also making it possible for them to perform other, unrelated tasks such as collecting data. Now, Apple is restricting that background access so that it can only be used for internet calls.

Apple’s move will force Facebook to redesign its messaging apps, two people familiar with the issue said. It may have a particularly heavy impact on WhatsApp, which has been using the internet calling feature in a variety of ways, including for implementing the app’s end-to-end encryption, the people said.

[…]

In a statement, a Facebook spokesperson said the company was not collecting data through the calling feature.

Michael Potuck (via Ben Sandofsky):

However, Apple’s former App Store review chief, Phillip Shoemaker, shared concerns about how Facebook could have been or still is using the background app access.

[…]

Shoemaker also noted that Facebook tried to keep the PushKit API in its main app when the company split off Messenger as a standalone app in 2014. When Apple caught on, it made Facebook remove the API.

Previously:

Apple Card Exporting and Arbitration

Juli Clover:

In a support document on how the Apple Card works, Apple says exporting data from Apple Card is not a feature offered at this time. From the document: “Exporting data from Apple Card to a financial app like Mint is not currently supported.”

And, as far as I know, the feature is also iOS-only. So your data really is locked away, and you can’t easily back it up, either.

Andrew Orr:

Basically, if you don’t reject the provision, you forfeit any public claim against Goldman Sachs. Arbitration involves an arbiter (not a judge) overseeing the case, and both parties have input into who the arbiter may be. Goldman Sachs will pay the arbitration fees and other costs.

Apple Card lets you use Business Chat to quickly contact customer support, so you can probably send them the above information to opt out.

Previously:

Update (2019-08-08): Rich Siegel:

It’s abusive. “I know you said ‘no’, but I really want you to say ‘yes’, so instead of letting you have the agency to give or withhold affirmative consent, I’m going to let you think that I’ll keep asking until eventually you cave in and say ‘yes’.”

Ben Bajarin:

In my view, and I’ve written extensively on this, Apple is a customer experience company. If you view Apple as a company, who strives to look for product opportunities where customer experience is lacking, and they have an opportunity to solve some pain points for consumers, then any product category is not off-limits. This certainly extends to technology, but technology is simply an ingredient of the overall Apple process.

[…]

This wording is a demonstration of how Apple is planting the seeds for future disruption of financial services. And, one of my favorite sayings, that serves as a helpful barometer for disruption is “wherever unhappy customers are, the potential for disruption exists.” While a consumer may be content with their banks or financial services, I can’t imagine customer satisfaction is at all-time highs in that sector. There is much to be desired, and Apple Card feels like a step in the direction of raising the bar for customer experience and satisfaction when it comes to financial services.

Update (2019-08-16): Nick Guy:

Apple Card PSA: Opting out of arbitration is super easy! Just hop on chat support and they can take care of it in seconds.

Downloading AT&T Wireless Usage Data

Chris Espinosa:

Thing 1 I have learned about AT&T Wireless data plan usage download:

You can download your usage for Excel, and it downloads as an .xls file—but it’s XML, not BIFF.

Thing 2 I have learned about AT&T Wireless data plan usage download:

You can download your usage as a CSV file, and it’s saved by default as .csv—but it uses a vertical bar as the column delimiters, not a comma.

Thing 3 I have learned about AT&T Wireless data plan usage download:

When you finally get the usage data into a spreadsheet, the values in the Usage column represent either kilobytes or megabytes, on a row by row basis. There’s no scale indicator in the row data.

I wish I could say this was the first time I’ve seen mixed units in a column or a “CSV” file with no C’s.

Previously:

Suggestions As Part of the Pro Workflow Team

Aaron Bushnell:

You wake up to an email from Phil Schiller that you’re on the new Pro Workflow team for a complete overhaul of macOS, iPadOS and iOS. What suggestions would you provide for the next generation of Apple operating systems?

I enjoyed the answers on the recent Accidental Tech Podcast, which included:

Previously:

Tuesday, August 6, 2019

FileMaker Returns to Claris Name

Joe Rossignol:

Apple subsidiary FileMaker today announced it has returned to its original name Claris from the late 1980s.

[…]

Now, the company plans to expand its portfolio again, leading it to readopt the Claris name. FileMaker Pro will remain one of its offerings.

Before it was pared down to FileMaker, Claris had a fantastic portfolio of apps.

Previously:

Update (2019-08-13): See also: FileMaker.

No Thanks vs. Later

Tim Hardwick:

Apple Card got its first group of public test users today. A limited number of customers who signed up on Apple’s website to be notified about the release of Apple Card are now able to apply for the card in their Wallet app as well as order a physical Apple Card (via TechCrunch).

Nilay Patel:

Hey how badly does Apple want to be your default card in Wallet? It doesn’t say “no thanks,” at this prompt, it says “Set as default later”

And “Set as Default Later in Wallet” doesn’t even look like a button.

Marco Arment:

Apple, you’re above tricks like this.

Sure, it’s a small thing. But small things add up. We all love Apple because of a large collection of GOOD small things over time.

Don’t let customer-hostile tricks in today’s services strategy cheapen the brand you’ve built over decades.

Kyle Howells:

They use this ‘now or later’, with no ‘no’ option, all over the place in iOS now. I can’t stand it. It feels less and less like my device and more like Apple allowing me to use theirs.

Mark Villacampa:

Counterpoint: this wording lets people know they can set it as default later, hence reducing the anxiety of tapping “No thanks” and not being able to change it later, so fewer people will tap “Set as default”

Previously:

Update (2020-06-03): See also: Jeff Johnson and macOS 10.15.5.

Update (2023-01-05): Peter Hosey:

Having to install QuickTime 4.1.2 in SheepShaver in order to install AppleWorks 6 has made me angry about the whole QuickTime Pro thing all over again.

[…]

That might’ve been when Apple first embraced interrupting shit I want to do with shit Apple wants me to do, with the only options being “now” and “later”, with no “fuck off”.

Practical Concurrency: Some Rules

Mark Bernstein:

You can get away with murder. Going by the book, you’ve got to use extreme caution and you’ve always got to get it right. In practice, Tinderbox Six took all sorts of risks and accepted that it was Doing It Wrong in order to get stuff done.

It sounds like there’s a good story here. My experience has been more that it’s sometimes hard to know when you’re doing something wrong, but that once you’re aware of it it’s not that much extra effort to do it by the book. I try to do that as much as possible because it’s no fun tracking down concurrency-related bugs.

The profiler is now good. It wasn’t always. In the Tinderbox 4 era, firing up the Profiler meant recompiling the world, and that took 20 minutes. Then, you'd get slow and inconclusive results, and throw up your hands. Life today is better[…]

The profiler is indeed really great—when it works. Unfortunately, I have not had much luck getting it to work with tests. Most of the time, I Control-click on the test diamond and choose “Profile ‘testName()’”, it recompiles and launches Instruments, but it doesn’t actually run the test code. Sometimes I can get it to work with the old and clunkier approach of stopping at a breakpoint and then attaching Instruments to the running process, but other times it doesn’t actually record what it’s supposed to.

If a queue has one clear purpose, it’s easier to be confident it won’t deadlock. Dispatch queues are cheap. Don’t share queues, don’t reuse queues, don’t worry about making queues.

Classes should encapsulate their queues.

Update (2019-08-07): Thomas Clement:

Queues are not cheap, you should reuse queues, you should worry a lot about making (too many) queues.

He’s posted some libdispatch efficiency tips and links to some good threads from Swift Evolution. You may find them easier to read in the new Swift forums:

Although some of the messages seem to have been imported out-of-order.

Previously:

Update (2019-08-08): Marcel Weiher:

From a, cough, well-respected, cough, performance book:

In the end, I’ve rarely had to use multi-threading for speeding up a CPU-bound task in anger, and chances are good that I would have made my code slower rather than faster.

... The advice to never optimize without measuring as you go along goes double for multi-threading.

Yelp Inserts Tracking Phone Numbers

Adrianne Jeffries (via Jason Koebler):

Even though restaurants are capable of taking orders directly—after all, both numbers are routed to the same place—Yelp is pushing customers to Grubhub-owned phone numbers in order to facilitate what Grubhub calls a “referral fee” of between 15 percent and 20 percent of the order total, I learned while researching an episode for the podcast Underunderstood.

Yelp has historically functioned like an enhanced Yellow Pages, listing direct phone numbers for restaurants along with photos, information about the space, menus, and user reviews. But Yelp began prompting customers to call Grubhub phone numbers in October 2018 after the two companies announced a “long-term partnership.”

[…]

Restaurant owners may not be aware of the change. Mohammad Zaman, an owner of Afghan Kabab and Grill House in Brooklyn, insisted the phone number that showed up in Yelp was a mistake until a call placed to the number rang at his desk.

Hacker-Friendly iPhones and Mac Bug Bounty Program

Thomas Brewster (via Patrick Wardle):

Later this week, at the Black Hat security conference in Las Vegas, Apple is to announce plans to give security researchers special iPhones that will make it easier for them to find weaknesses in the smartphone, Forbes has learned. It’ll also be announcing an Apple Mac bounty, so anyone who can find security issues in macOS will get rewarded, sources claimed.

Steve Troughton-Smith:

What could a pre-jailbroken iPhone from Apple look like? I would have to imagine it has debug symbols (+ no dyld cache) and the ability to attach a kernel debugger, maybe even SSH, and is surely very securely provisioned and locked to your dev account with strict usage rules

Joel Bernstein:

Uh, can you provide non-current-OS iPhones to devs?

Ivan Krstić:

Very excited to return to the Black Hat stage this year to talk about some world-class Apple security features! iOS code integrity and Pointer Authentication Codes, Mac secure boot with the T2 Security Chip, the crypto behind the Find My feature, and more.

Previously:

Update (2019-08-08): Rich Mogull:

Basically, Apple will be releasing to authorized applicants a version of iOS devices with a research chain and appropriate hooks already installed. Think an iPhone already with a shell on it for research, no jailbreak needed.

Talking bug bounties now. Current program was iOS and iCloud only and invite only with a max payout of $200K.

They received 50 high value reports.

Just opened up to all researchers.

Massive jump in Apple bug bounties. Now payouts for pre release (with a 50% bonus).

Up to $1M for a zero click full chain kernel code execution!!!

Releasing a vuln research kit with ssh and more on iOS. Full chain access device (yes a supported hardware platform).

Update (2019-08-13): See also: MacRumors, Hacker News.

Felix Krause:

I found a security issue with the iTunesConnect backend, where I could access the full build information of unreleased builds (e.g. internal TestFlight) of any app available.

Reporting it was a pain, it took forever. They fixed it within 4w. I never heard back. I never got thanked.

Monday, August 5, 2019

Opening Huge CSV Files

Matt Birchler:

Basically, BBEdit was remarkably fast at opening the file, being 4x faster than Visual Studio Code and 20x faster than Sublime. And then in terms of saving changes to the file, most apps were in the same ballpark, which I assume is because this is reliant on my SSD’s ability to save the data, not the app doing anything special.

Patrick Seemann:

ed: immediately
emacs: ~6s
vi: ~8s

I’d like to see the results for Excel, Numbers, and TextEdit.

Previously:

Update (2019-08-06): Greg Hurrell:

Vim takes 8s to open a 1.5GB CSV file.

Matt Birchler:

I updated the post with the 3 apps you listed 🙂

Venkat:

Regarding the csv loading, Numbers can’t load more than 255 columns of data, which annoyed me frequently in the past few weeks. Google sheets and Excel had no problem with lots of columns.

Friedrich Markgraf:

Numbers does not support more than 65k lines. Current versions at least warn about that after the long import. Last year it just silently dropped lines.

Phantom Types in Swift

John Sundell:

When converting Data into a String, like we do above, we pass the encoding that we want the string to be decoded using — in this case UTF8 — by passing a reference to that type itself. That’s really interesting. If we dive a bit deeper, we can then see that the Swift standard library defines the UTF8 type that we refer to above as a case-less enum within yet another namespace-like enum called Unicode[…]

[…]

Through the use of phantom types, the above two measurement values can’t be mixed, since what kind of unit that each value is for is encoded into that value’s type. That prevents us from accidentally passing a length to a function that accepts an angle, and vice versa — just like how we prevented document formats from being mixed up before.

[…]

Using phantom types is an incredibly powerful technique that can let us leverage the type system in order to validate different variants of a given value. While using phantom types usually makes an API more verbose, and does come with the added complexity of generics — when dealing with different formats and variants, it can let us reduce our reliance on run-time checks, and let the compiler perform those checks instead.
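
The measurement case described above, as an added Swift example that is not taken from John Sundell's article. The names `Quantity`, `Length`, `Angle` and `rotate(by:)` are hypothetical, chosen for illustration.

```swift
// Added example: phantom types with case-less enums as type-level tags.
// All type and function names below are hypothetical.

// Case-less enums cannot be instantiated, so they can only be used as types.
// This is the same shape the standard library uses for Unicode.UTF8.
enum Length {}
enum Angle {}

// `Kind` is the phantom type parameter: no stored property has that type,
// it only distinguishes Quantity<Length> from Quantity<Angle> at compile time.
struct Quantity<Kind> {
    // Stored in one base unit per kind (meters for Length, radians for Angle).
    let value: Double

    // Both operands share `Kind`, so adding a length to an angle does not compile.
    static func + (lhs: Quantity<Kind>, rhs: Quantity<Kind>) -> Quantity<Kind> {
        Quantity<Kind>(value: lhs.value + rhs.value)
    }
}

// Constrained extensions give each kind its own units and nothing else:
// Quantity<Angle>.meters(1) is rejected by the compiler.
extension Quantity where Kind == Length {
    static func meters(_ v: Double) -> Quantity<Length> {
        Quantity<Length>(value: v)
    }
    static func kilometers(_ v: Double) -> Quantity<Length> {
        Quantity<Length>(value: v * 1_000)
    }
    var meters: Double { value }
}

extension Quantity where Kind == Angle {
    static func radians(_ v: Double) -> Quantity<Angle> {
        Quantity<Angle>(value: v)
    }
    static func degrees(_ v: Double) -> Quantity<Angle> {
        Quantity<Angle>(value: v * Double.pi / 180)
    }
    var degrees: Double { value * 180 / Double.pi }
}

// An API that accepts angles only. No run-time unit check is needed,
// because a Quantity<Length> can never reach this function.
func rotate(by angle: Quantity<Angle>) -> String {
    "rotating by \(angle.degrees) degrees"
}

let distance = Quantity<Length>.meters(250) + Quantity<Length>.kilometers(1.5)
let turn = Quantity<Angle>.degrees(90)

print("total distance in meters: \(distance.meters)")
print(rotate(by: turn))

// Each of the following lines is a compile-time error if uncommented:
// rotate(by: distance)                  // Quantity<Length> is not Quantity<Angle>
// _ = distance + turn                   // operands have different Kind
// _ = Quantity<Angle>.kilometers(2)     // kilometers exists only where Kind == Length
```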

Previously:

Performance of Combine

quickbirdstudios (via Peter Steinberger):

This project contains a benchmarking test suite for comparing the performance of the most commonly used components and operators in RxSwift and Combine. For a detailed comparison of RxSwift with Combine have a look at our blog post.

[…]

As a summary Combine was faster in every test and on average 4,5x more performant than RxSwift.

You can also use the two test files as a Rosetta stone.

Previously:

Update (2019-08-06): Matt Gallagher:

The numbers on that page are generated in Debug builds.

I’m disappointed that people are repeating values so uncritically. Built in Release, those tests show Combine to be slightly faster than RxSwift but not by much.

Matt Gallagher:

The biggest change I would suggest for most of the tests is to put the Publisher/Subscribe/Cancel outside the measure closure. These can be expensive but are done only once so only matter in specific scenarios.

Matt Gallagher:

Reactive programming frameworks have different specialities. I have test cases where RxSwift is 3 times faster. I have test cases where Combine is 5 times faster.

Cloudflare and Voxility Ban 8Chan

Matthew Prince:

We just sent notice that we are terminating 8chan as a customer effective at midnight tonight Pacific Time. The rationale is simple: they have proven themselves to be lawless and that lawlessness has caused multiple tragic deaths. Even if 8chan may not have violated the letter of the law in refusing to moderate their hate-filled community, they have created an environment that revels in violating its spirit.

We do not take this decision lightly. Cloudflare is a network provider. In pursuit of our goal of helping build a better internet, we’ve considered it important to provide our security services broadly to make sure as many users as possible are secure, and thereby making cyberattacks less attractive — regardless of the content of those websites. Many of our customers run platforms of their own on top of our network. If our policies are more conservative than theirs it effectively undercuts their ability to run their services and set their own policies. We reluctantly tolerate content that we find reprehensible, but we draw the line at platforms that have demonstrated they directly inspire tragic events and are lawless by design. 8chan has crossed that line. It will therefore no longer be allowed to use our services.

Adi Robertson (via Hacker News):

Internet hate forum 8chan has gone dark after web services company Voxility banned the site — and also banned 8chan’s new host Epik, which had been leasing web space from it. Epik began working with 8chan today after web services giant Cloudflare cut off service, following the latest of at least three mass shootings linked to 8chan. But Stanford researcher Alex Stamos noted that Epik seemed to lease servers from Voxility, and when Voxility discovered the content, it cut ties with Epik almost immediately.

Previously:

Update (2019-08-07): Ben Thompson (Hacker News):

The question of when and why to moderate or ban has been an increasingly frequent one for tech companies, although the circumstances and content to be banned has often varied greatly. Some examples from the last several years[…]

[…]

In short, Section 230 doesn’t shield platforms from the responsibility to moderate; it in fact makes moderation possible in the first place. Nor does Section 230 require neutrality: the entire reason it exists was because true neutrality — that is, zero moderation beyond what is illegal — was undesirable by Congress.

Keep in mind that Congress is extremely limited in what it can make illegal because of the First Amendment. Indeed, the vast majority of the Communications Decency Act was ruled unconstitutional a year after it was passed in a unanimous Supreme Court decision. This is how we have arrived at the uneasy space that Cloudflare and others occupy: it is the will of the democratically elected Congress that companies moderate content above-and-beyond what is illegal, but Congress can not tell them exactly what content should be moderated.

Apple No Longer Is the iPhone Company

Jean-Louis Gassée:

When the iPhone grew to represent more than 50% of Apple’s revenue, critics worried that the company was overly dependent on the device. Now, critics fret because the percentage fell to 48% in the quarter ending in June. The decline isn’t bad news; it’s the mark of a neatly maturing business that benefits from its ecosystem’s network effects.

[…]

Still, there is a problem to be solved: What do you do when your leading product finds itself in a saturated and stagnating market? A strong temptation is to wage a price war. When the race to the bottom ends, the last man standing is supposed to be able to raise prices back to profit-making levels.

[…]

Apple’s iPhone Game Plan is in plain view, repeatedly explained by its executives to Wall Street analysts in Earnings Release conference calls and other public pronouncements: Let the iPhone stay in its natural element: the Affordable Luxury segment, analogous to Audi for cars or Burberry for clothing. And, from there, play the ecosystem game.

Why is the alternative selling products at a loss in a race-to-the-bottom? Why not trade some margin for more marketshare, which would help both the app ecosystem and services revenue? Or expand down by designing lower cost, lower end products that are nevertheless good and still have good margins?

This is probably even more needed with the Mac product line. Too many potential customers are being turned away because the base prices keep going up and up.

Update (2019-08-08): Rich Edmonds:

When looking at the two different prices, you’d assume the MacBook Pro packs more of a punch, but throwing these two notebooks into the ring would result in a draw. The numbers don’t lie.

Friday, August 2, 2019

Excluding From iCloud Drive

Ole Begemann:

Today I learned that if you put a folder named “Dropbox” in your iCloud Drive, iCloud refuses to upload it. It only says “Ineligible”.

flovilmart:

I recall decompiling the iCloud Drive binary and seeing the “Dropbox” string as part of a blacklist.

malhal (via Tanner Bennett):

Here are all the file/folder names excluded[…]

Nebula:

Adding one empty file named .nosync to a folder will prevent that folder from syncing.

You can also use this as a file extension for specific files, but the folder treatment is quite useful.
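An added example, not taken from any of the posts quoted above: a Python script that walks a folder and lists what the reported rules would keep out of iCloud Drive sync, which is useful when checking that a directory you meant to keep local really is marked. It treats the three reported rules as assumptions rather than documented behaviour, and `classify` and `demo` are names made up for this example.

```python
import os
import tempfile
from pathlib import Path

# Rules as reported in the quoted posts; assumptions, not documented behaviour.
INELIGIBLE_NAMES = {"Dropbox"}  # the only name given on the page; the full list is elided
MARKER = ".nosync"


def classify(root):
    """Return {relative_path: reason} for items the reported rules exclude from sync."""
    root = Path(root)
    excluded = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        kept = []
        for name in sorted(dirnames):
            rel = (here / name).relative_to(root).as_posix()
            if name in INELIGIBLE_NAMES:
                excluded[rel] = "ineligible name"
            elif (here / name / MARKER).is_file():
                excluded[rel] = ".nosync marker file"
            else:
                kept.append(name)
        # Do not descend into excluded folders: their contents are covered already.
        dirnames[:] = kept
        for name in sorted(filenames):
            # A bare ".nosync" file is the folder marker, not an excluded file.
            if name != MARKER and name.endswith(MARKER):
                excluded[(here / name).relative_to(root).as_posix()] = ".nosync extension"
    return excluded


def demo():
    """Build a constructed sample tree in a temp directory and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Dropbox").mkdir()
        (root / "Projects" / "secrets").mkdir(parents=True)
        (root / "Projects" / "secrets" / MARKER).touch()
        (root / "Projects" / "secrets" / "key.pem").touch()
        (root / "Projects" / "notes.txt").touch()
        (root / "Projects" / "dump.sql.nosync").touch()
        return classify(root)


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

Anything not in the returned mapping, such as `Projects/notes.txt` in the sample tree, is what these rules would leave eligible for upload.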

Netflix vs. Blockbuster Total Access

modest proposal (via Dare Obasanjo):

Blockbuster couldn’t find a way to overcome Netflix head to head. But market research showed ability to combine rental by mail with in store was a game changer.

[…]

Total Access grabbed 1M subs in two months and was taking over 100% share. Netflix modeled that it was bankrupting Blockbuster

[…]

Hastings told Antioco he was spending the company into ruin and offered to buy Blockbuster Online subs. He later followed up with $200/sub offer. Antioco demurred, realizing he had Netflix on the ropes.

[…]

At Blockbuster’s Board meeting, Antioco suggested they turn down the offer. The Board agreed. Then turned to his comp. He had hit the targets set by the Comp Committee so expected perfunctory approval. Icahn exploded.

[…]

TL,DR: Antioco quits, and against all logic instead of hiring the COO, Icahn hires an ex 7-11 retail guy whose plan is to do everything that Blockbuster already tried and failed at. After he laid out his plan, the entire exec team sold most or all of their stock next open window! […] Not only did the Blockbuster execs sell all their stock, they bought Netflix stock!

Carl Icahn has also tried to tell Apple what to do, before he sold all his shares. The excerpts are from the book Netflixed.

Craig Bonthron:

Alternatively, a great podcast version of the history of Netflix here.

Update (2019-09-25): Minda Zetlin (via Hacker News):

In his new book That Will Never Work, Netflix co-founder Marc Randolph describes a meeting he attended with Antioco along with Netflix co-founder Reed Hastings and its then-CFO Barry McCarthy at Blockbuster headquarters in Dallas. Everyone from Blockbuster who was at that meeting must cringe when they think back on it now. The company could have bought Netflix that day for $50 million, but its CEO didn’t even bother to consider the possibility. He seemed to see it as a great big joke.

See also: The inside story of how Netflix transitioned to digital video after seeing the power of YouTube.

Notarization and Java Apps

Hendrik Schreiber:

For beaTunes things are a little different, as it uses Java as runtime. So far Oracle (or anybody else I know of) has not shipped a Java runtime that has been compiled against macOS SDK 10.9 or later and the hardened macOS runtime. Additionally, Oracle’s Java executables are not signed with suitable signature algorithms (see Bug JDK-8223671 for a detailed list of notarization failures). All these are requirements for notarization. There is no way for me to ship a notarized version of beaTunes before they are addressed and unless I want to roll my own version of Java (I don’t!!), I simply have to wait and hope that someone at Oracle will take pity on Mac devs.

It is increasingly difficult to be off the beaten path of using Apple’s preferred tools and frameworks.

Timo Perfitt:

“Uploading to Apple to Notarize” is the new “COMPILING!”

Update (2019-08-05): McCloud:

Handy reminder: Everything in your entire stack, up to and including your programming language’s runtime environment, is a liability.

Rosyna Keller:

Developers should make sure it’s their own Developer ID that signs libraries they ship inside their apps.

Also, OpenJDK 8 is rather old and new JDKs are properly built against macOS 10.9 or later.

George Adams:

We have enabled hardened runtime on our macOS binaries which will allow them to be bundled into applications and pass Apple’s Notarization tests. OpenJDK 11+ will work out of the box, OpenJDK8 needs a bit more work because it’s built on an older toolchain that the notarization test doesn’t support. We will be creating a second release of jdk-11.0.4+11 and jdk-12.0.2+10 which will have hardened runtime enabled.

Thursday, August 1, 2019

Decoding Intel Chip Names

Sean Hollister (via Nilay Patel):

Particularly because not all these chips are equal: a Core i7-1060G7, Core i7-1065G7 and Core i7-1068G7 might sound roughly the same, but they’re really not.

[…]

The first two digits are always “10,” and they simply mean you’re looking at a 10th Gen Ice Lake processor with all the benefits that confers, like faster graphics and better battery life when playing HEVC video, but also often a lower base clockspeed than before. If you see a “9” or an “8”, you’re looking at an older Intel processor.

The third digit seems to be how high a chip sits on the totem pole in terms of speed. For instance, a Core i7-1065G7 is clocked 100MHz higher than a Core i5-1035G7, and can boost 200MHz faster for short periods of time.

But the fourth digit is weirdly more important than the third digit, because it tells you the entire class of processor you’re looking at[…]

Lightning Video Adapters

Lisa Braun:

Here is my little thread about Lightning video adapters – also known as Haywire – which are actually computers that feature Apple Secure Boot and run Darwin kernel

[…]

Both support up to 1080p video output according to Apple and make use of the same SoC – S5L8747. Its part number is H9TKNNN2GD and according to The iPhone Wiki it has 256MB of RAM. Not much else is known about it

Unfortunately, these adapters are of terrible quality. HDMI adapter got 2 out of 5 stars on US Apple Store web-site and reviews are all like this one[…]

[…]

Haywire itself doesn’t store any firmware (well, except for SecureROM), so iOS has to upload it every time. Firmware bundle for it is very tiny, around 25MB uncompressed. Shipped as preinstalled asset with iOS and/or can be downloaded.

[…]

You can easily connect Haywire to PC because it’s basically a USB device. All you need to accomplish this is Lightning and micro-USB female breakout boards and a few connecting wires[…]

All these years later, and iOS video output over Lightning is still less reliable than using the old Dock connector adapter.

Why Unsubscribing Can Take Time

Joe Pettersson:

I saw a tweet asking why sometimes when you unsubscribe from an email list it says it can ‘take a few days’. Buckle up, as I have a RIDICULOUS story about this happening in The Enterprise™️...

[…]

This web service sends an email to an internal email address every time it’s clicked. This happens 100s of times a day.

This email was originally sent to an individual. They left the bank five years before.

This mail address is now forwarded to an email group. They couldn’t change the address as it’s hard coded and they don’t have the code that was used to compile this Java 6 service.

[…]

If they’re a customer, they execute another SQL query that updates a customer record in a type of ETL staging area. Every one of these changes is reviewed (at 4pm UK time) by a team in an office in Scotland. If they approve it, it gets executed 24 hours LATER at 4pm

[…]

If they ARE a ‘high value prospect’ the marketing team MANUALLY sends an email asking if they REALLY REALLY want to unsubscribe? It looks like an automated email, but it ain’t.

[…]

IIRC this took FOUR BUSINESS DAYS on average.

Safari Won’t Load Google Sites

All week, Safari on my MacBook Pro hasn’t been able to access any Google sites. I first noticed the problem when using public Wi-Fi, but it persisted after I got back to my home network. Firefox and Google Chrome load the pages fine, as do third-party apps that use WebKit. And Safari on the same Mac works when it’s booted from a different macOS installation.

So, either this is a really weird bug, or something is messed up with my system. What’s odd is that the error is so generic:

Safari Can’t Connect to the Server

Safari can’t open the page “https://www.google.com” because Safari can’t connect to the server “www.google.com”.

so it’s not clear what the problem is, or even where to look. There’s no lock icon reporting a certificate problem, and the error does not even mention secure connections. Console only mentions error code -1004 (NSURLErrorCannotConnectToHost).

I don’t have any custom DNS settings, and I’ve tried resetting Safari’s cache and other files, as well as other voodoo like restarting and creating a new network location in System Preferences.

Previously: