Archive for September 2, 2019

Monday, September 2, 2019

Time Tracking with Timeular

David Sparks:

Lately, I’ve been trying a new time tracking gizmo, a Timeular device. It’s a polygon-shaped piece of plastic and electronics that connects to my iPhone. I can assign a different task to each side, and when I switch modes, say going from screencasting to legal clients, I just flip the gizmo to put the briefcase icon (legal) sunny side up, and the iPhone app starts tracking time toward the new task.

I love how this is a physical device that’s always available in front of you. No need to switch apps on your iPhone or find the right window on your Mac. With that being said, I do sometimes like seeing a running counter and often work with my iPhone in a Qi dock, displaying Hours.

With the current summer sale, Timeular costs $53 for the hardware and basic features, $9/month for advanced features, or $299 for “lifetime” tracking with no subscription. You need the subscription or lifetime package in order to be able to export your data—not cool.

A potential downside:

Can I use the Tracker without internet connection?

No, in order to enable real-time sync across your devices and for the software to work, your device (laptop or smartphone) must be connected to the internet. You do not need a wifi connection; a cellular connection works as well.

I don’t want to send my time tracking data to the cloud, and I especially don’t want to spend cellular data to do so.

Thirty Years of Fetch

Jim Matthews:

Of the thousands of other Mac apps on the market on September 1, 1989 I can only think of four (Panorama, Word, Excel and Photoshop) that are still sold today.

[…]

I imagined a new Fetch that had all the improvements that I’d daydreamed about, and none of the old code that made it so hard to implement new features.

This, of course, is one of the classic blunders in software development. It was exhilarating to be free of the shackles of our legacy code. But with a blank slate and no clear destination or deadline, we spent years without getting anywhere close to having a product that we could actually sell. Meanwhile Fetch 5 stagnated, and customers who needed more than Fetch 5 could offer moved on.

[…]

In January, 2018 I finally accepted that I wasn’t going to make Fetch 6 happen. Apple had made it clear that 32-bit apps like Fetch 5.7 weren’t long for this world, so it looked like the time had come to lay Fetch to rest for good. But I wasn’t quite ready to say goodbye, and it occurred to me that there was a third option, something between finishing Fetch 6 and letting Fetch die: I could port Fetch 5.7’s Carbon user interface to Cocoa and make a 64-bit Fetch 5.8.

PrivilegedHelperTools and Checking XPC Peers

Objective Development:

It all began with a security improvement by Apple in macOS High Sierra (10.13). Apple had revoked access to the folder /Library/Logs/DiagnosticReports for non-admin users. The protection goes so far that even a root process spawned by AuthorizationExecuteWithPrivileges() cannot access the folder.

[…]

Every installer application which needs root permissions is now urged to install a system-wide daemon for this purpose. This system-wide daemon is usually left behind, because Apple provides no API for removing it.

[…]

In an internal code review, another developer looked over the code and verified all assumptions. He did not find a proof for the assumption that XPC connections are authorized by the system. Since there was little information available, he made a test project and could exploit our privileged helper tool!

[…]

The helper (and the app using the helper) should check the identity of the peer before performing any operations. Even if an AuthorizationExternalForm is already used. The most secure way for such a check is the code signature.

[…]

Note that this example uses the private NSXPCConnection.auditToken property. If we want to avoid using a private property, we need to use the Unix process ID. But this is inherently insecure (see Don’t trust the PID! by Samuel Groß). We therefore decided to use auditToken anyway.

So, because Apple decided to protect the logs folder, and the documentation is not very good, the Little Snitch developers ended up introducing a privilege escalation vulnerability, and even now they can’t make it fully secure without using private API. These are smart developers with a long history building a highly regarded security-focused product. Of course it sounds like a good idea to make the logs secure, but I think we can ask whether it was worth the cost in collateral security and engineering time. And why should it be so difficult and error-prone for an app to facilitate the customer sending in a diagnostic report?

See also: CVE-2019-13013.
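As an added illustration of the peer check the excerpt describes (this is not code from Objective Development, Little Snitch, or Apple), the Objective-C sketch below shows an NSXPCListener delegate that accepts a connection only after the peer's code signature satisfies a requirement, keyed on the audit token rather than the process ID. The requirement string, the HelperProtocol name, and the KVC read of NSXPCConnection's private auditToken property are assumptions; SecCodeCopyGuestWithAttributes with kSecGuestAttributeAudit, SecRequirementCreateWithString, and SecCodeCheckValidity are public Security framework calls.

```objc
// Added example: accept an XPC connection only if the peer's code signature
// satisfies a designated requirement, looked up via the peer's audit token.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <mach/message.h>   // audit_token_t

// Assumption: placeholder requirement for the one app allowed to talk to the
// helper. Replace the identifier and Team ID with the real values.
static NSString * const kAllowedClientRequirement =
    @"anchor apple generic and identifier \"com.example.MyApp\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Hypothetical protocol the helper exports; only the name is assumed here.
@protocol HelperProtocol <NSObject>
- (void)copyDiagnosticReportsWithReply:(void (^)(NSError *error))reply;
@end

// YES only if the running code identified by the audit token satisfies the
// requirement. The audit token, unlike a PID, cannot be recycled under us.
static BOOL PeerSatisfiesRequirement(audit_token_t token, NSString *requirementString) {
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attributes = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };

    SecCodeRef peerCode = NULL;
    OSStatus status = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attributes,
                                                     kSecCSDefaultFlags, &peerCode);
    if (status != errSecSuccess || peerCode == NULL) {
        return NO;
    }

    SecRequirementRef requirement = NULL;
    status = SecRequirementCreateWithString((__bridge CFStringRef)requirementString,
                                            kSecCSDefaultFlags, &requirement);
    BOOL ok = NO;
    if (status == errSecSuccess) {
        // Dynamic validity check of the peer's code object against the requirement.
        ok = (SecCodeCheckValidity(peerCode, kSecCSDefaultFlags, requirement) == errSecSuccess);
        CFRelease(requirement);
    }
    CFRelease(peerCode);
    return ok;
}

@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation HelperListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)connection {
    // The audit token is only reachable through a private property (as the
    // excerpt notes). Reading it via KVC is an assumption of this example.
    NSData *tokenData = [connection valueForKey:@"auditToken"];
    if (![tokenData isKindOfClass:[NSData class]] || tokenData.length != sizeof(audit_token_t)) {
        return NO;
    }
    audit_token_t token;
    [tokenData getBytes:&token length:sizeof(token)];

    // Deliberately not using connection.processIdentifier: a PID can be
    // reused by another process between the lookup and the check.
    if (!PeerSatisfiesRequirement(token, kAllowedClientRequirement)) {
        return NO;
    }

    connection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperProtocol)];
    // connection.exportedObject = <the helper's service object>;
    [connection resume];
    return YES;
}

@end
```

The identity check runs before any exported object is attached, so an unauthorized peer never gets a proxy to call; an AuthorizationExternalForm passed in a later message would still be worth checking, but it does not replace this step.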

Joe Auricchio (in 2016, via Jeff Johnson):

It’s better to keep using the deprecated SM functions than to run launchctl. Sorry, but replacements are not yet available.

There isn’t presently API for a system-wide LaunchDaemon to open a Mach IPC or XPC connection to a LaunchAgent, which I’d guess is closer to what you’d really like to do? This would be a good enhancement request, please file one!

Ending the “npm Install Funding” Experiment

Feross Aboukhadijeh (via Yan Zhu):

The idea was this: whenever users install open source software, the funding package would display a message from a company that supports open source. The sponsorship would pay directly for maintainer time. That is, writing new features, fixing bugs, answering user questions, and improving documentation.

[…]

Right now, the status quo is that maintainers create massive amounts of value and then for-profit companies and SaaS startups capture almost all of it.

[…]

As long as significant personal sacrifice is a prerequisite for open source participation, we’ll continue to exclude a lot of smart and talented folks. This isn’t good for anyone.

And we’re forcing the folks who are able to participate to make extreme sacrifices that inevitably lead to burnout.

The Changelog:

In this episode we’re shining our maintainer spotlight on Feross Aboukhadijeh. Feross is the creator and maintainer of 100’s of open source projects which have been downloaded 100’s of millions of times each month — projects like StandardJS, BitMidi, and WebTorrent to name a few. This episode with Feross continues our maintainer spotlight series where we dig deep into the life of an open source software maintainer.

Update (2019-09-03): See also: Simon Cropp.

Google Begins Penalising Domain Leasing

Barry Schwartz (via Hacker News):

Google issued a warning about sites that lease out their own subdomains and subfolders so that other companies can rank their content better on leased domains. Well, now it seems Google is taking action by penalizing those sections of sites that have these leased out sections.

I don’t quite understand how they decide whether a subdomain or subfolder is considered legit. And likewise for links. Some types of sponsored links are OK, but certain topics will kill your Page Rank.