Archive for October 2019

Sunday, October 13, 2019

Podcasts in Catalina

Alex3917:

The new Podcasts app deleted years of downloaded podcasts when I updated, including a lot that are no longer hosted on the web. For some reason the “sensible default” in the new app is to delete anything beyond the most recent ten episodes. Now I need to remember to restore from backup before it gets overwritten, heh.

Beware. But, for me, it did not do this. Instead, it left my iTunes library in place, not migrating it at all, and showed me the list of podcasts from years ago, before I had turned off the Sync podcast subscriptions and settings option in iTunes.

So, naturally I wanted to delete all those old podcasts and import my new ones. I found that:

Overall, the Mac version of Podcasts seems like a huge regression from what we had with iTunes. There’s no standard table view of all the episodes. There’s no list of shows, just a grid of icons. The interface is very modal. You can tell it’s a Catalyst app because instead of sheets you get these little popovers with narrow, rounded text fields and flat buttons like in no other Mac app.

So I’m looking for a replacement app for archiving podcasts. (I mostly listen on my phone using Overcast.) I checked out a bunch of RSS readers—NetNewsWire 5, Reeder, Vienna, Leaf, News Explorer—but none seem to support auto-downloading attachments.

I have previously had success with Downcast, but several times it got totally messed up and could no longer read its own files. This seems to have been caused by a sandbox bug, so maybe that’s fixed in Catalina. I’ll probably give it another try.

I’ve also heard that Newsboat can handle RSS attachments. I’d prefer an actual Mac app. But I’ll use something text-based and cross-platform if it works well. Isn’t this what Catalyst was supposed to prevent?

Opting Out of Sharing Siri Audio Recordings

Juli Clover:

Today’s iOS 13.2 beta introduces a new option that allows iPhone and iPad users to delete their Siri and Dictation history and opt out of sharing audio recordings, features that Apple promised after being called out for its Siri quality evaluation processes.

And on Catalina, Steve Troughton-Smith notes:

That’s definitely more explicit than before…

Jason:

That’s an improvement, but it still says “Not now” instead of “No”

Kyle Howells:

This year Apple lost the ability to write ‘no’, instead they’ve had to replace it with ‘not now’ everywhere.

It’s their new design pattern.

Saturday, October 12, 2019

Waiting to Update to Catalina

As a developer, there are a bunch of new APIs that I want to be able to use. And, of course, I’ve been using it for a few months on a couple of auxiliary Macs for testing. But as a user, I see very little to tempt me to upgrade anytime soon. As ATP put it, there’s not enough carrot and too much stick, not to mention early bugs.

Dieter Bohn:

At the risk of being an I-told-you-so kind of person, I’m just going to repeat what I said in the Catalina review again. You probably depend on your Mac or PC for “real work,” and so updating on day one could threaten that real work — literally threaten your livelihood. It’s better to wait and see how things shake out, to let other people experience the problems and report them.

Telling people not to upgrade to the new OS for a few weeks used to be so common that it sounds weird to emphasize it so much. But somewhere in the past decade the yearly updates for both iOS (and, to a lesser extent, Android) lulled us into a false sense of complacency.

Adam Engst:

Nevertheless, for most people, we recommend delaying your upgrade for a while for a variety of reasons[…]

Jason Snell:

If there’s a must-have app that only runs on Catalina, or you want to use Voice Control or Screen Time or Find My or Apple Arcade, and all your go-to software checks out, then by all means, make the jump to Catalina. (I’ve been using it for the last month with only a few minor app incompatibilities that I expect to be resolved as updates roll out alongside the new release.) But if you can wait, you should. Let other people discover the early bugs and suffer the app incompatibilities. Catalina will still be there for you when you’re ready for it.

Mike Rundle:

It’s blowing my mind how many folks are upgrading to Catalina immediately. Unless you absolutely need to upgrade for development testing, macOS releases have been buggy as hell in recent years. I always wait 6+ months just to be safe 👻

John Voorhees:

A lot of the cautionary advice about upgrading to Catalina conflates the risk of installing the new version of macOS with the risk of relying on unmaintained 32-bit apps. Not doing the former doesn’t eliminate the risk of the latter.

Robert Hammen (Rich Trouton):

Want to block macOS Catalina from showing up in Software Update preferences on macOS Mojave? sudo /usr/sbin/softwareupdate --ignore "macOS Catalina" prevents it from appearing!

Jeff Johnson:

I temporarily removed the Dock badge with defaults delete com.apple.systempreferences AttentionPrefBundleIDs, but then it came back after checking again. :-(

When you’re ready to update:

sudo /usr/sbin/softwareupdate --reset-ignored should do the trick

Glenn Fleishman:

But maybe you’d like to hedge your bets. In the past, you’d need to partition your startup drive, which could turn into a lot of effort, or get an external drive—preferably SSD—and install and boot from that.

[…]

The way this works to your advantage with Catalina is that if you have enough spare in your main container to handle Catalina—a few tens of gigabytes, but preferably more—you use Disk Utility to add a volume into your main container, then install Catalina into that volume. You can then use the Startup Disk preference pane to swap among your volumes without involving an external drive at all.

This can continue to be useful after Catalina is released if you want to keep a Mojave volume active for 32-bit apps that no longer run in Catalina.

Update (2019-10-13): Rob Griffiths:

(Note: You may have to restart the Dock for the red dot to vanish; you can do that with killall Dock in Terminal.)

I decided to tackle this by creating a launchd agent—which is just the technical name for scheduled tasks in macOS’ Unix core.

Peter Maurer:

As a user, Catalina is the worst macOS update I’ve ever seen. Worse than 10.7, worse than 10.10.

It’s unfortunate that it also happens to be the first macOS update that Apple pushes this aggressively.

Please slow down.

Friday, October 11, 2019

Mail Data Loss in macOS 10.15

I’m working on more posts about the Catalina release, but I wanted to start with a short warning. I’ve heard a bunch of reports of data loss in Apple Mail. Thankfully, none seem to be caused by my apps. (Ironically, one of the bugs I’ve encountered is the inability to delete messages via AppleScript.) And, in fact, most of the damage has occurred without my Mail plug-in even being installed. Nevertheless, people contact me because it’s not unreasonable to wonder if third-party software is to blame, and I also hear from people who want a second opinion because what Apple support told them didn’t make sense.

What I’m hearing:

I don’t know whether these are due to Mail bugs or to other factors such as problems on the Mac or with the mail server. But my advice is to hold off on updating to Catalina for now. These sorts of issues are pernicious because:

  1. You may not notice that anything is wrong unless you are looking at the particular mailbox or messages that are affected.

  2. Because the data is synced to the server, problems can propagate to other Macs and iOS devices.

  3. Making a backup is difficult because, even if you set the preference, Mail no longer automatically fully downloads all messages. So the backup of the local data will necessarily be incomplete. (See EagleFiler’s Importing Attachments instructions for more about this. I’m happy to have most of my mail archived outside of Mail.)

  4. Restoring a backup is difficult because Mail data is constantly changing. There is no straightforward way to merge restored data in with messages received since the last backup, and also with the live data on the server.

Of course, it’s good to make backups anyway.

Apple advisors are apparently telling customers that if Mail data gets lost on Catalina, it can’t be recovered from a Time Machine backup that was made using Mojave. This didn’t make sense to me, and I’ve verified that it’s not the case. You can use Time Machine to get at previous versions of the folders in Mail’s data store, and then use the File ‣ Import Mailboxes… command to selectively import them into Catalina Mail. Since they import as new, local mailboxes, this shouldn’t affect messages that are on the server.

I also think that the advice to restore the whole Mac to Mojave makes no sense because as soon as you launch Mail it’s going to delete all the messages that were deleted on the server. In order to actually restore them, you have to make copies of the messages that might have already been deleted. That’s what Import Mailboxes does.

Update (2019-10-11): See also: Howard Oakley, TidBITS, Hacker News.

Update (2019-10-12): See also: MacRumors, iMore.

Update (2019-10-13): See also: AppleInsider.

Thursday, October 10, 2019

How My Application Ran Away and Called Home From Redmond

Mikko Kenttälä (via Paul Haddad):

We were puzzled because I had killed the Beacon process and it should not be running anymore. I logged in to my Windows test machine to see if the Beacon is still running. But there was nothing. We were confused. Then I checked the alerts more carefully.

[…]

After that I realized Beacon’s Home received the packet from an unknown IP address. At this point I was confused and freaking out — why is someone else running the same unique binary which was recently built just for me? Are my systems hacked?

[…]

I managed to narrow it down to Microsoft Defender and the “Automatic sample submission” feature. […] Microsoft Windows 10 sends all new unique binaries for further analysis to Microsoft by default. They run the executable in an environment where network connectivity is available. This opens an interesting data leak vector for an attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables an adversary to leak data via Microsoft services, which is an extremely juicy covert channel.

Silent Failure

John Gruber:

I continue to hold that one of the worst aspects of today’s Apple is their strident antipathy toward error messages. Silent failure is so much worse than an error message, but that’s the way Apple rolls.

I don’t know when it started (maybe with the update to 13.1.2? maybe one of the other 13.1.x updates?) but for a week or so I’ve been unable to buy new apps on my iPad. I hit the buy button, confirm with top button, Face ID authenticates me, it spins for a bit — then, nothing.

[…]

I don’t mind that my card needed to be verified. Security is good. But why in the world wasn’t I told that the reason why I couldn’t purchase anything is that my card needed to be verified?

[…]

Even a bad error message, something that just says “An Error Occurred” with no indication of what the error was, is better than silent failure. Silent failure is the UI equivalent of gaslighting — it makes you feel like you’re going crazy.

Todd Heberlein:

Seriously. In the age of search engines, being able to enter error message details into a search field, even if the messages seem cryptic to the typical user, will often lead the user to a simple, step-by-step solution to their problem.

But you need the message to start the search

Dan Crosby:

My guess: software quality is now metric-driven, so their efforts are to driving down (or up) numbers they can track: crashes, dialogs displayed, etc. Silent errors don’t show up in metrics, so nobody is rewarded for either fixing or revealing them.

Andy Newman:

I wonder how much this gives Apple a false sense that their software is performing better than it actually is, simply because so many issues can’t always be accurately described or fixed by the average user. Many just give up.

Update (2019-10-11): Jeff Baxendale:

speaking of infuriating Apple bugs with no error messages or information whatsoever… I can pretty much no longer install from the App Store on my laptop (cache clearing/disk repair attempted) 🤷‍♂️

Can’t see anything useful in Console either.

Update (2019-10-13): Cédric Luthi:

“An Error Occurred” without further information is an extremely low bar to set. Software engineers should feel comfortable writing more code handling errors than handling the happy path. Unfortunately, this is often not how software is written. 🤷‍♀️

Brian Webster:

I strive to have good user facing error messages, but even an error with tech gobbledygook can at least give me some clue of what’s going on when I get the angry email so I can try to fix it.

Dave DeLong:

I think it stems from your expectation about what you want your users to actually DO about it.

As an indie dev, you want users to contact you.

I’m not convinced Apple institutionally wants that

scott:

This has seemingly gotten worse with every software release under Federighi. I often say that giving support to Mac and iPhone used to be great since everything was so predictable and explaining the problem often led the person to a better understanding of the products.

Now it’s just impossible to troubleshoot problems. I won’t even offer to help anymore, because I have no idea where to start. And good luck with official Apple support.

Thomas Fuchs:

The App Store In 10.14 shows Twitter here, but clicking “GET” does absolutely nothing because it’s not compatible with 10.14. No error message, just nothing.

Leo Natan:

The Mac App Store has many such issues. It allows downloading 32-bit apps on Catalina (and worse, allows purchase of such apps). 🤦‍♂️

See also: John Siracusa’s problems with certain contacts that silently didn’t sync because their images were too large.

Implementing Dark Mode in iOS 13

Tim Johnsen:

That being said, we didn’t use UIKit’s APIs alone since most developers in the company and our build systems are all still using Xcode 10, and introducing iOS 13 APIs would cause build breakages. We went with the approach of writing thin wrappers around UIKit APIs that are compatible with Xcode 10 and iOS 12.

Writing little wrappers is often the best engineering solution, but it seems like a waste that so many developers have to do essentially the same thing for the same APIs. Why can’t the tools handle this automatically?

We discovered towards the end of our dark mode adoption that our implementation of dynamic colors had equality implications because a new instance of UIColor was returned each time and the only thing that was comparable about each was the block passed in. In order to resolve this we modified our API slightly to create single instances of each of semantic colors so that they were comparable. Doing something like dispatch_once-ing your semantic colors or using asset catalog-based colors and +colorNamed: will produce comparable colors if your app is sensitive to color equality.

[…]

One clever testing trick this IGTraitCollection wrapper afforded us is something we’ve come to call “fake dark mode” — which is an internal setting that overrides IGTraitCollection to become dark even in iOS 12!

Sherlocked by Sidecar

Savannah Reising:

A big misconception is that your main competitors are the other companies creating similar products to yours. In our case, we viewed Astropad and Luna Display’s biggest competitors as other second display and graphics tablet creators.

But all along, we really should have been worried about our platform provider, Apple. There will always be infinite ways to differentiate yourself against other competitor companies via price, features, and target markets. But if your platform provider decides to step into your domain, it’s a tough battle to position your product against a free, native feature.

[…]

We always knew that we wanted to go cross-platform. For quite awhile, we’ve heard from creative professionals about an exodus from Mac to Windows. For these creatives, it all comes down to getting more bang for your buck — super powerful PCs at a lower price than Apple products. In fact, we’d often hear from people begging us to come to Windows. But even though we knew the market was waiting for us, we pushed off the Windows effort because it created a catch-22 situation of really tough engineering problems.

[…]

In other words, while Sidecar will be good enough for the average user, we’ve carved out a niche space for the pro users that need a more powerful tool.

Adam Bell:

I spent an absurd amount of time trying to get Sidecar working on my hackintosh, and I really wish I didn’t :P

@LunaDisplayHQ has much better image quality and a higher frame rate ¯\_(ツ)_/¯

Update (2019-10-13): Dan Counsell:

Oh my god, Sidecar on Catalina is incredible, it’s so responsive. My iPad Pro just got a lot more useful!

Michael Luís Brown:

TIL that Sidecar (iPad as external monitor) in macOS Catalina only works if you have an Apple Pencil. I mean, it works without one, but you can't “click” (ie tap) on any control with your finger, it has to be the pencil 🤦‍♀️

Colin Cornaby:

The more annoying thing to me is that Apple didn’t make public the feature to create a new display without physical hardware present (as far as I saw.) A lot of things that rely on creating a second display without hardware could use that.

There’s a legacy kernel extension based interface for that sort of thing. But it doesn’t support Metal acceleration, or easily support Retina output.

Also it requires a kernel extension.

If you use USB display hardware (like DisplayLink) it works by creating a virtual second display and streaming the contents. That experience could be made dramatically better with the private features Apple added for Sidecar.

See also: Hacker News.

Wednesday, October 9, 2019

Settings URLs Supported by iOS and iPadOS 13.1

Federico Viticci (tweet):

A few weeks ago, I came across a post on Reddit claiming that Apple had restored the ability to launch specific sections of the Settings app via Shortcuts in iOS and iPadOS 13.1. I was inspired by that discovery to finish working on a project I had long been putting off: documenting all the URLs supported by the Settings app in iOS and iPadOS.

After a lot of trial and error, I’ve collected 120+ URLs that can open individual pages and sub-sections of the Settings app. In this post, I’m going to share the complete list of URLs that are supported as of iOS and iPadOS 13.1 (specifically, iOS 13.1.2), as well as a custom shortcut to launch them.

For example, you can open the iCloud Backup settings using prefs:root=CASTLE&path=BACKUP.

The equivalent Mac System Preferences URLs start with x-apple.systempreferences.

Matthias Gansrigler:

So, using @viticci’s iOS Settings URLs (prefs:root) will get your app rejected. Figures.

Now, I’m not sure if it’s the prefs: url scheme itself, or if it’s prefs:root= that they’re having an issue with.

I’m guessing the latter, because before, I used prefs: to launch Settings.app, and that wasn’t rejected.

I’d even argue using public APIs to open a URL constructed from a string doesn’t really constitute using “private API”, but what do I know..

File System Events Privacy Protections Bypass

Jeff Johnson (tweet):

Two months later, Apple has shipped major updates to all of their operating systems. Yesterday, macOS 10.15 Catalina was released. And yet, the new bug bounty program has not opened. Perhaps the public assumes that the bug bounty program has already expanded, but it has not. To this day, there’s still no Mac bug bounty program. Apple announced the expanded bug bounty program while their major OS updates were still in beta testing, but Apple did not open the bug bounty program during the beta testing period. The irony is that the new program was announced to offer increased bounties for bugs found in pre-release software, but no opportunity was given for that to occur.

[…]

I did not give Apple a deadline, but many security researchers give vendors only 90 days before they disclose a reported vulnerability. I reported mine to Apple 8 months ago, so they’ve had a lot of time.

Apple has since said that this vulnerability is not eligible for the bounty (because it’s only for privacy, not security?), so he’s disclosing it and saving the other two that he found until the bug bounty program opens:

An app without special permissions can register for notifications of file system events that occur in directories that are supposed to be protected. These file system event notifications can disclose private information that the app should not have access to.

[…]

I said, “a malware app could secretly violate a user’s privacy by examining their web browsing history.” How is this possible with file system events? If you look inside the directory ~/Library/Safari/LocalStorage, you’ll see that Safari saves local storage files that are named after their associated web sites, for example, https_www.apple.com_0.localstorage. The File System Events API can’t see the file contents, but it can see the file names! And because Safari names files after the web sites you visit, the File System Events API can be used to determine your web browsing history.
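
To show how much the file names alone disclose, here is an added example (not from Jeff Johnson’s post or from Apple) that parses names of the form quoted above into web origins. It assumes the layout is scheme_host_port with port 0 meaning the scheme’s default, and that SQLite side files share the prefix; every sample name except https_www.apple.com_0.localstorage is constructed.

```python
"""Added example: what Safari LocalStorage file names disclose on their own."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the SQLite side files (-wal, -shm) carry the same origin prefix.
SUFFIXES = (".localstorage", ".localstorage-wal", ".localstorage-shm")


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: Optional[int]  # None means the scheme's default port

    def url(self) -> str:
        suffix = f":{self.port}" if self.port else ""
        return f"{self.scheme}://{self.host}{suffix}"


def parse_name(name: str) -> Optional[Origin]:
    """Return the origin encoded in one file name, or None if it does not match."""
    base = name.rsplit("/", 1)[-1]
    for suffix in SUFFIXES:
        if base.endswith(suffix):
            stem = base[: -len(suffix)]
            break
    else:
        return None
    # Assumed layout: <scheme>_<host>_<port>. Take the scheme from the front
    # and the port from the back so underscores inside the host survive.
    scheme, sep_front, rest = stem.partition("_")
    host, sep_back, port_text = rest.rpartition("_")
    if not (sep_front and sep_back and scheme and host):
        return None
    if not (port_text.isascii() and port_text.isdigit()):
        return None
    return Origin(scheme.lower(), host.lower(), int(port_text) or None)


def exposed_origins(names: Iterable[str]) -> List[str]:
    """Distinct site URLs recoverable from names alone, in first-seen order."""
    seen = {}
    for name in names:
        origin = parse_name(name)
        if origin is not None:
            seen.setdefault(origin.url(), None)
    return list(seen)


# Constructed sample: only the first name is quoted on the page.
SAMPLE_NAMES = [
    "https_www.apple.com_0.localstorage",
    "https_www.apple.com_0.localstorage-wal",
    "https_clinic.example_0.localstorage",
    "http_intranet.example_8080.localstorage",
    "https_my_bank.example_0.localstorage",
    "notes.txt",
]

if __name__ == "__main__":
    for url in exposed_origins(SAMPLE_NAMES):
        print(url)
```

No file is opened at any point: the site list comes entirely from names, which is the information a file system event notification carries.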

Taiwan Flag Removed from iOS Emoji Keyboard in Hong Kong

Kris Cheng (via Daniel Sinclair):

According to an article on Hiraku, a blog about Apple devices, any device model with “CN” or “ZA” region – denoting China and Hong Kong – will not have access to the Taiwan emoji via the keyboard.

If users have a device from another region, but they set the region to Hong Kong or Macau, the Taiwan emoji will also disappear.

[…]

Last year, HKFP reported that the names of some Chinese state leaders and activists were deemed “inappropriate words” and censored shoppers hoping to engrave their iPad, iPod Touch or Apple Pencil with a custom message.

Jeremy Burge (Hacker News):

Previously restricted on Chinese iOS devices, all other regions of the world have continued to enjoy access to all flags in the iOS emoji font, until now.

[…]

Notably, the emoji 🇹🇼 Flag: Taiwan is still supported by iOS in Hong Kong. As of iOS 13.1.2, released last week, this is now hidden from the emoji keyboard but remains available by other means.

[…]

Apple’s Hong Kong approach differs from the complete ban on the emoji in China.

Adobe to Ban Users From Venezuela

Adobe (Hacker News, Reddit):

The U.S. Government issued Executive Order 13884, the practical effect of which is to prohibit almost all transactions and services between U.S. companies, entities, and individuals in Venezuela. To remain compliant with this order, Adobe is deactivating all accounts in Venezuela.

[…]

We are unable to issue refunds. Executive order 13884, orders the cessation of all activity with the entities including no sales, service, support, refunds, credits, etc.

[…]

You have until October 28, 2019 to download any content that you have stored in your Adobe account. After this date your account will be deactivated.

I’m not sure what happened to the English version of this page that was originally at the linked URL; it now only shows Spanish.

CM30:

What makes this even worse is that this is only a huge issue because Adobe moved to the whole ‘Creative Cloud’ thing rather than the old ‘buy each product outright’ model. With the old model, it wouldn’t hurt these creators all that much if their accounts got deactivated, since the software would just not get updates. Now on the other hand… they’re screwed. It’s a ‘brilliant’ example of how these ‘cloud’ based services are a bad deal for the user, because it puts them at the risk of getting locked out their own purchases due to legal hassles like this.

And the old non-subscription version is stuck at 32 bits and so won’t work with Catalina.

Sergiu Gatlan:

Microsoft-owned GitHub also banned users from Crimea, Cuba, Iran, North Korea, and Syria following previously imposed U.S. economical sanctions.

One Year After “The Big Hack”

Nick Heer:

It sounded like the information security scoop of the decade — except there’s virtually no proof that any of it is true.

At the time of the story’s publication, representatives from the named companies denied Bloomberg’s reporting in statements that left virtually no wiggle room. Tim Cook called for the story’s retraction — a call that was soon echoed by Amazon and Supermicro. Michael Riley — who reported the story alongside Jordan Robertson — took to Twitter on October 5 to point out that the physical evidence would make it “hard to keep more [details] from emerging”.

So far, that has not happened.

[…]

Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware.

William Gallagher:

Mind you, if it were true, there would also be proof.

This was the one thing lacking from the Bloomberg piece, though you would think it would be the first thing that this or any publication would have insisted on. You would at least, at the utter least, expect Bloomberg to have one of these motherboards and show us this spy chip. Instead, we got an illustration by artist Scott Gelber.

It’s not as if the company would have had to go far — the Bloomberg company itself owns some Super Micro servers.

[…]

There is this one exception, but it’s not that anyone agrees with the story, it’s that we do not know the outcome of this other investigation. That’s because it was done by Bloomberg itself, after publication, and its findings have not been published.

[…]

Co-author Michael Riley was promoted in September 2019 to oversee all of Bloomberg’s technology security coverage.

John Gruber:

With not one shred of evidence emerging in a year, it seems very clear that this was, in fact, “the biggest reporting fuck-up of its type”.

GyazMail 1.6.1

GyazMail is now 64-bit, just in time for macOS 10.15 Catalina. This version also improves its SSL support, so it can work with mail servers that have more stringent security requirements.

I’ve always been impressed by how many OS versions it supports. The prior version worked all the way from Mac OS X 10.1 through macOS 10.14. The new version drops PowerPC support but still works all the way back to OS X 10.6.

GyazMail has built-in support for SpamSieve.

Friday, October 4, 2019

BBEdit 13

Bare Bones Software (tweet):

The “Pattern Playground” window provides an interactive interface for experimenting with the behavior of Grep patterns (regular expressions). This makes the process of creating complicated patterns much less trial-and-error, since you can see exactly what will match, and how, before committing to any irreversible actions.

A complete description of the pattern playground is in the Pattern Playground Notes.

This is really great.

Added the Grep Cheat Sheet. […] The button pops up a menu which provides some common Grep pattern idioms and brief descriptions; choosing one will insert it literally into the pattern and select it (replacing anything that has been selected).

As is this.

BBEdit allows you to make rectangular selections in documents for which “Soft Wrap Text” is turned on.

A longstanding limitation addressed.

When editing the search string in the Find window, any matches for it will highlight in the “target” document window[…] This allows basic previewing of the effects of a Find All or Replace All operation.

What did I ever do without this?

There are two new commands on the “Select” submenu of the Edit menu[…]

Live Search Results: selects matches found while searching using the Live Search feature.

The trick to using this is that before you can do anything with the multiple selection you need to click the Done button or press Esc to go back to editing mode. I haven’t quite figured out yet when working with the selection is better than using the Find window (since it’s also live now).

The Python language module gets a built-in set of tags, for the core Python symbols.

This is kind of a regression for me because it highlights a bunch of commonly used words when I’m only using them as argument names or local variables. However, it was easy to turn it off by creating a language-specific color scheme that colors the “ctags symbols” the same as regular text.

Added a new command to the Text menu: “Apply Transform”. This command provides an “express” way to apply a single text transformation to specific files or folders, without requiring the explicit creation of a Text Factory.

I like this because, in recent versions, the “Convert to ASCII” command has only been available via a text factory.

The Text Colors preferences are now easier to use for selecting and editing color schemes. A central concept is that there is now always a color scheme in effect. It can be a factory color scheme, one you’ve downloaded, or one you’ve created. The previous “Custom Settings” indication no longer appears.

[…]

If you have a color scheme selected, any changes you make to settings in the Text Colors preferences will change the color scheme file on disk.

This was kind of confusing before and is much more intuitive now.

Andrew Madsen:

BareBones continues to set the standard for detailed change logs.

Jeff Johnson:

Has @siegel ever considered trolling everyone with a “Bug fixes and performance improvements” update? Maybe on April 1.

Rich Siegel:

That’s kinda what we have to do in the app store, because there’s not enough space or formatting support to render the full change notes. ¯\_(ツ)_/¯

Jason Snell:

BBEdit 13.0’s paid version costs $50, and users from previous paid versions can upgrade for $30 (from the previous version) or $40 (from older versions). The last paid update to BBEdit was two years ago, and the previous one to that was five years ago. Users of BBEdit on the Mac App Store won’t have to pay to get the update; on the Mac App Store, BBEdit’s premium features are a subscription for $40/year or $4/month and get access to all updates forever.

Ryan Dotson:

It’s been my companion for over twenty years. I’ve never seriously considered any alternative – BBEdit doesn’t let me down, and is never anything short of helpful.

[…]

My favourite enhancement is to the editor’s status bars – a large text option. My eyes are still good enough to see the normal size but the large version is just a bit more comfortable to read. Importantly, though the widgets are larger, they don’t feel it.

Peter Hosey:

It says a lot about my trust in @BBEdit — and my lack of it in almost all other software — to not move my cheese or otherwise fuck things up that I saw this and was immediately excited to update.

It really doesn’t suck. And I trust its developers to keep it that way.

Weather Line 2

Ryan Jones (9to5Mac):

+ All-new design
+ All-new weather data solution
+ 21 new features
+ 17 themes (4 dark modes)
+ Super Forecast
+ Travel Assist
+ 10-day forecasts
+ HD radar
+ Hyperlocal rain

[…]

Initially we had Dark Sky, The Weather Channel, and WDT, a meteorologist PhD we consulted said those were the best.

We directed users how to pick… but wait… why pick one, just give me THE BEST OF THEM ALL!

Sounds really good. I haven’t tried it yet, because it requires iOS 13, and I plan to stay away from that for a while longer. Weather Line 1 was one of my favorite iOS apps, but I can no longer use it either; its weather data was turned off. So, for now, I’m using Apple Weather. I’ll miss the old Weather Line icon, and I’m slightly worried about the two-level design and lower information density, but I’m reserving judgement until I’ve used it for a while.

Off Coast LLC:

There is a Free plan for those who wish to continue using our core features with limited ads, plus some of the new 2.0 features.

Our Pro plan is called “Supercharge” and includes a 7-day free trial, all the new features, and no Ads. It will be $1.99 per month, $0.83 per month ($9.99 billed annually), or $44.99 for a lifetime unlock.

Anyone who ever bought Weather Line 1 will get their first year of Supercharge at 50% off - just $4.99 (less than 50 cents per month).

Ryan Jones:

If you HATE subscriptions, there is an expensive Lifetime Unlock that goes for the lifetime of Weather Line.

Some people are upset because features that were formerly included in the purchase price are now accompanied by ads if you haven’t subscribed. I guess this is a gray area of the App Store guidelines.

Marco Arment:

Do the math. If you bought it for $4.99, they got 70% of that: $3.49. If you use it for 4 years, that’s 87 cents a year in revenue.

The Dark Sky API costs $0.0001 per call. If data refreshes once an hour, it’s about 88 cents per year, per weather location.

See the problem?

Ryan Jones:

Times 3 for The Weather Channel and radar

Mike Piontek:

For me it went something like:

• A few years of “eventually Apple will support upgrades”
• OK, subscriptions are clearly the only option
• Wow people are mad about subscriptions
• Wow it takes a long time to try to create something people won’t be mad about paying a sub for

Ryan Jones:

Bingo. Exactly why we worked for 2 years with no income, while the app lost money for 4 years.

To make WL2 worthy of a $10/yr subscription.

Update (2019-10-04): Isaac Halvorson:

FYI, the old Weather Line icon is one of the options in Weather Line 2!

At the top, I linked to two tweets, since deleted, saying that Weather Line 1 “would be shutting down today no matter what” and that “shutting down” meant “turning off the data.” This has now been clarified:

We are not shutting off WL1 data! We would have to if we did not do this (WL2)

I updated a spare iPhone to iOS 13 and installed Weather Line 2. What was not clear from the blog post is that the Free plan is a regression from Weather Line 1. Even with the ads, it includes different (less accurate) weather data, and it does not include the Dark Sky precipitation information. (As of this writing, Weather Line 2 predicts tonight’s low to be 10 degrees warmer than either Weather Line 1 or Apple Weather, and the current temperature is already below its predicted low.)

At least on the iPhone SE, I’m not a fan of the new card-based design, as I can no longer see all the important information without scrolling.

Keyboards as Competitive Advantage

John Gruber:

Microsoft started yesterday’s event by banging the drum that they never have and never will compromise on the quality of their laptop keyboards — a clear and completely fair competitive dig at Apple. That’s the message they should have left the world with — that they, not Apple — now make the best laptop hardware in the world. Instead, they left everyone talking about two products that won’t be out for another year.

In less than six months, my wife’s Retina MacBook Air developed some keys that sometimes don’t type anything. This Mac has the third-generation butterfly keyboard. It’s never been used outside the home, isn’t used near food or sources of dust, and isn’t left open when not in use.

David Heinemeier Hansson:

“Went in for a keyboard replacement, they decided it needed a logic board. Got back home, it didn’t turn on, so back to the store. Apple replaced the entire machine because it’s had 3 major repairs in 12 months.”, employee just trying to get work done on a MacBook Pro. Disgrace.

This is just normal course of business at Basecamp. Every single month we have employees taking their machines back to Apple for the second, third, fourth, or fifth repairs of their broken MacBook Pro keyboards. Apple keeps claiming “small minority”. Bullshit.

Seriously, nothing has eroded my trust in Apple’s capacity as a computer maker as their inability to come clean on the utter catastrophe that is the butterfly keyboard design. If ever there was a worthy cause for a class-action lawsuit to take them to the cleaners.

Matt Anderson:

We are dealing with this at TaxJar weekly. We spend too much time shipping machines and buying loaners for those in remote areas far from Apple stores.

Per Henrik Lausten:

Picked up my MBP 2018 this morning from the 3rd repair in 3 months. Logic board replaced twice and battery replaced once. With each repair I’m without my primary work laptop for a week (oh, and replacing the logic board means all data on the SSD is lost)

Michael Hartl:

I’ve had mine fixed twice and completely replaced on a third occasion.

Mike Wilkerson:

As an Apple fanboy who’s all-in on the ecosystem, I used to dismiss this as overblown. After a keyboard replacement for my 2017 MBP last week, and the space bar on my 2018 MBP now acting up, confidence is shaken enough to look at alternatives. Definitely not a premium experience.

See also: Joanna Stern’s keyboard broke while she was writing her iPhone 11 reviews.

Update (2019-10-04): Daniel Jalkut:

Had my late-2016 MacBook Pro keyboard replaced again. It’s really impressive how fast Apple turns around mail-in repairs. I sure am glad I keep a spare (previous gen) MBP around as a backup. Maybe the 2016 will serve that purpose soon...

NSDistributedNotificationCenter No Longer Supports nil Names

merlinme (via Jeff Johnson):

I’m not sure if this is a bug or an API change, but we have an app which relies on distributed notifications which didn’t work on Catalina. After debugging I think the problem is that specifying a name: nil in addObserver fails silently.

[…]

Apple have now replied to my Feedback submission to confirm that the API has changed. Specifying a nil name in addObserver is now a privileged operation, so for practical purposes all applications currently using a nil name will stop receiving notifications when they move to Catalina, and will need to be updated to use a specified name.

Another breaking change to an API that’s been around since Mac OS X 10.10, without updating the documentation or mentioning the change in a release note:

notificationName The name of the notification for which to register the observer; that is, only notifications with this name are delivered to the observer. When nil, the notification center doesn’t use a notification’s name to decide whether to deliver it to the observer.
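The change merlinme describes, as an added Swift example for macOS (not code from the original post or from Apple's documentation): the old catch-all registration next to the per-name registration that unprivileged apps need on Catalina, plus a self-check that makes a silent registration failure visible. The notification names and the `HelperObserver` class are hypothetical.

```swift
import Foundation

// Hypothetical names: replace with the notifications your app's peers actually post.
let observedNames: [Notification.Name] = [
    Notification.Name("com.example.helper.didFinishSync"),
    Notification.Name("com.example.helper.didChangeState"),
]

final class HelperObserver: NSObject {
    private let center = DistributedNotificationCenter.default()
    private(set) var received: [Notification.Name] = []

    // Pre-Catalina catch-all, kept for comparison. Per the report above, a nil
    // name is now a privileged operation and this fails silently for normal apps.
    func startCatchAll() {
        center.addObserver(self, selector: #selector(handle(_:)), name: nil, object: nil)
    }

    // Catalina-compatible form: one registration per explicitly named notification.
    func startNamed() {
        for name in observedNames {
            center.addObserver(self, selector: #selector(handle(_:)), name: name, object: nil)
        }
    }

    @objc private func handle(_ note: Notification) {
        // Accept only names on the allow-list. Any local process can post a
        // distributed notification, so treat userInfo as untrusted input.
        guard observedNames.contains(note.name) else { return }
        received.append(note.name)
    }

    func stop() {
        center.removeObserver(self)
    }
}

// Self-check: because the failure mode is silent, post one of the observed
// names from this process and confirm the handler actually ran.
let observer = HelperObserver()
observer.startNamed()
DistributedNotificationCenter.default().postNotificationName(
    observedNames[0], object: nil, userInfo: nil, deliverImmediately: true)
RunLoop.current.run(until: Date().addingTimeInterval(1))  // delivery needs a run loop pass
print(observer.received.contains(observedNames[0]) ? "delivered" : "not delivered")
observer.stop()
```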

I guess maybe there are privacy reasons to prevent an app from seeing notifications from other apps or the system. However:

Stop Saying, “We Take Your Privacy and Security Seriously”

Zack Whittaker (Hacker News):

[DoorDash] said in a blog post Thursday that 4.9 million customers, delivery workers and merchants had their information stolen by hackers.

[…]

The news comes almost exactly a year after DoorDash customers complained that their accounts had been hacked. The company at the time denied a data breach and claimed attackers were running credential stuffing attacks, in which hackers take lists of stolen usernames and passwords and try them on other sites that use the same passwords. But many of the customers we spoke to said their passwords were unique to DoorDash, ruling out such an attack.

Zack Whittaker:

Companies can start off small: tell people how to contact them with security flaws, roll out a bug bounty to encourage bug submissions and grant good-faith researchers safe harbor by promising not to sue. Startup founders can also fill their executive suite with a chief security officer from the very beginning. They’d be better off than 95 percent of the world’s richest companies that haven’t even bothered.

But this isn’t what happens. Instead, companies would rather just pay the fines.

It does seem like breaches have been normalized. I doubt they cause many people to close their accounts, both because the business or service may not have a good replacement and because you have no way of knowing whether the alternatives are any safer.

Thursday, October 3, 2019

Instapaper Safari App Extension

Instapaper:

Today we’re launching Instapaper Save for Safari on Mac. You can download it now from the Mac App Store.

As with MarsEdit, I’m torn between using the bookmarklet, because it’s simpler and can have a keyboard shortcut, and using the extension, because it doesn’t show a security alert for each invocation.

Ironically, despite triggering the scary alert, the bookmarklet is probably better for privacy because it only has access to the pages I invoke it on (and doesn’t have a companion app that can run arbitrary code).

Update (2019-10-03): I confused my different bookmarklets. The Instapaper one does not trigger a security alert because it sends the page to a Web URL rather than to a native app.

Thus, I think the main downside of the bookmarklet is that it often makes me log into instapaper.com. I’m not sure whether Instapaper or Safari is responsible for logging me out. But perhaps the app is better able to stay logged in.

Update (2019-10-04): Paul McGrane:

the old pre-Safari 13 @InstapaperHelp extension also had a context-menu item for saving links by right-clicking on them.

Neither the bookmarklet nor the new MAS extension can do that today. I don’t know if the modern extension can do it or not.

Also the old Safari extension inserted “Save to Instapaper” links quite subtly into every post on Reddit and Hacker News, which is a little disturbing but was actually very useful. Neither modern option does that either.

Instapaper:

We’ll be working on getting those back into the save options, we just decided to get the most basic version of it out there to ensure users could save from Safari 13 first - thanks for making sure!

Two Weeks With Apple Arcade

Craig Grannell:

Part of the blame lies with Apple, but it’s also an indication of modern society. When content becomes ephemeral rather than something you can hold, people have been trained to assume they should not have to pay for it. So we now exist in a world where a developer can create a mobile title, and get a review slamming them for including ads and not enough levels, by someone who otherwise claimed they loved the game – and yet played with Airplane Mode on to disable ads, thereby robbing the developer of any income.

[…]

Even with these features, I initially tempered optimism with a healthy dollop of scepticism. Remember, this was Apple. This was the company that got good in games by mistake – and despite itself. This was the company that repeatedly bafflingly rejected perfectly good games from the App Store, often for oddball puritanical reasons. It was the company that messed up games controllers to a degree that possibly warrants some kind of trophy. It was the company that despite raking in millions from games, still gave you the impression no-one senior at the company gave the slightest crap about them.

[…]

Personally, I’d say it splits slightly better than 50:50 in terms of great-to-good and OK-to-poor (with OK being a larger group than the few games that are garbage). Some of the titles reek of freemium with freemium bits removed at the last moment, and that’s a pity. But there are deeply premium efforts made with love. […] And with iCloud save states, this is a service you could feasibly dip in and out of, perhaps subscribing for a while every now and again, if you don’t fancy dropping a fiver every single month.

Craig Grannell:

What surprises me most, though, is the amount of grading on a curve. Having so far played at least some of 68 of the 71 games on Apple Arcade (It’s a living! Sort of.), my personal take is they split right down the middle in terms of what’s good and what’s merely mediocre or outright crap. That in itself is not a bad hit rate, note, but I’m often seeing people championing the entire package – and even games that are objectively a bit shit.

Craig Grannell:

The thing is, as much as the press wants to drum up these services as direct competition, I don’t see them as existing in the same space. Although there’s more than a whiff of me-too about Google Play Pass, it reminds me more of something similar I once tried on Amazon – bundling a bunch of existing apps under an all-you-can-eat subscription.

Cabel Sasser:

I am finally getting a chance to play Apple Arcade games! Quick thoughts:

• The selection is incredible, so well curated, SO many good games
• It’s an incredible bargain
• I will never buy a game in the regular App Store again
• I can’t stop playing What The Golf
• Good job

Andrew Webster (via Dieter Bohn):

The real loser in this scenario is Android users, who likely won’t see many of the biggest iPhone games ported to their platform of choice. For developers, though, this may not be a huge loss. “If premium games were dying on iOS,” Holowaty says, “they’ve been a rotting corpse on Android.”

Update (2019-10-04): Patrick Klepek:

Apple Arcade’s launch was a mixture of well-known franchises (Frogger, Rayman), new games from designers during the App Store’s creative heights (Card of Darkness, Overland), and releases from high-profile publishers (Square Enix, Capcom). The service, part of a larger shift towards monthly subscriptions, is a big deal for Apple, so it made sense to double down on attention-grabbing titles. Operator 41, also part of the launch, is hardly that, but is notable for a different reason: Operator 41 was developed by 14-year-old London designer Spruce Campbell.

Update (2019-10-13): See also: The Making Of Operator 41 for Apple Arcade (via Phil Schiller).

HKmap Live Rejected From the App Store

Kieren McCarthy (Hacker News):

Apple has banned an app that allows people in Hong Kong to keep track of protests and police activity in the city state, claiming such information is illegal.

“Your app contains content - or facilitates, enables, and encourages an activity - that is not legal … specifically, the app allowed users to evade law enforcement,” the American tech giant told makers of the HKmap Live on Tuesday before pulling it.

The makers, and many others, have taken exception to that argument, by pointing out that the app only allows people to note locations - as many countless thousands of other apps do - and so under the same logic, apps such as driving app Waze should also be banned.

That argument is obtuse of course[…]

It’s actually an interesting question whether apps should be reviewed based on what they technically do vs. what they are marketed to do vs. what customers end up choosing to do with them. The same issue came up with Gab.

Anyway, here’s your regular reminder that the only reason Apple is involved in deciding which politically sensitive apps should be available is that it forbids iOS users from downloading and installing apps themselves.

Tim Hardwick:

Apple is reviewing its decision to reject HKmap Live, reports Bloomberg, and is likely investigating whether the software violates local laws. It’s not yet clear if the app will be re-added to the App Store and the developer has not yet received an update from Apple following the commencement of the new review.

Update (2019-10-04): Nick Heer:

At this stage, it seems just as likely to me that this rejection was due to an App Review failure as it was a way to appease the Chinese government. Either way, it’s a problem of Apple’s own creation.

If it’s the former, it just goes to show how accurate App Review needs to be, and the gaping chasm between where it is now and where it ought to be.

[…]

But if it’s deliberate, it suggests a far worse situation.

John Gruber:

Hanlon’s Razor — “Never attribute to malice that which is adequately explained by stupidity” — has never applied to anything more aptly than App Store rejections (although “incompetence” might be a better word than “stupidity”). So I think there’s a good chance that there’s nothing to this other than a bad decision on the part of a rank-and-file App Store reviewer. The HK Map developers think the same thing. (And to be clear, this is a new app that was rejected, it’s not an app that Apple pulled from the App Store. Also, the good news for iPhone-owning Hongkongers is that HK Maps has a good mobile web app.)

HKmap.live (Hacker News):

@Apple finally made the right decision. Will update later as things are going crazy in #HK now.

No explanation for why it was first rejected.

About Project Zero

Lorenzo Franceschi-Bicchierai (tweet):

Ever since Project Zero was announced in 2014, these hackers have taken apart software used by millions of people—and predominantly written by other companies’ engineers—with a mission to “make zero-day hard.”

[…]

In five years, Project Zero researchers have helped find and fix more than 1,500 vulnerabilities in some of the world’s most popular software, according to Project Zero’s own tally. In Apple products, Beer and his colleagues have found more than 300 bugs; in Microsoft’s products they found more than 500; in Adobe’s Flash, they found more than 200. Project Zero has also found critical issues in CloudFlare, several antivirus apps, and chat apps such as WhatsApp and FaceTime. A Project Zero researcher was also part of the group who found the infamous Spectre and Meltdown flaws in Intel chips.

[…]

For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. […] According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.

[…]

But some think Project Zero may actually be helping law enforcement and intelligence agencies learn from its research and help them develop what are known as N-day or 1-day exploits. These are hacks based on zero-days that have been disclosed—hence their name—but work until the user applies the patch. According to some critics, the idea here is that malicious hackers could lift the code published by Google researchers as part of their reports and build on it to target users who have yet to update their software.

Indeed, Apple and other vendors don’t always update old versions of their software, so some users can’t update. But I don’t think that’s a good reason not to publish the research.

See also: Fun with FaceTime.

Tuesday, October 1, 2019

Apple’s New Map Expands to Northeast U.S.

Justin O’Beirne:

This is the fifth time that Apple has expanded its new map since its public launch in September 2018[…]

In June 2019, Apple announced that its new map would cover “the entire U.S. by the end of 2019”[…]

With this latest expansion, Apple’s new map now covers 27.5% of the U.S.’s land area...and almost half of its population (47.2%)[…]

It definitely looks much improved in my area, though I still find Google Maps to be better.

Update (2019-10-04): See also: Hacker News, Andrew J. Hawkins.

Update (2019-10-11): Michael Love:

New Apple Maps data is out for New England and the 3D visualization tool is a really interesting way to visualize how towns are developed. For example, here’s the dividing line between Norwalk on the left and Westport on the right[…]

Deep Fusion Beta

Matthew Panzarino:

Deep Fusion is a technique that blends multiple exposures together at the pixel level to give users a higher level of detail than is possible using standard HDR imaging — especially in images with very complicated textures like skin, clothing or foliage.

[…]

According to Apple, Deep Fusion requires the A13 and will not be available on any older iPhones.

As I spoke about extensively in my review of the iPhone 11 Pro, Apple’s ‘camera’ in the iPhone is really a collection of lenses and sensors that is processed aggressively by dedicated machine learning software run on specialized hardware. Effectively, a machine learning camera.

John Gruber:

Deep Fusion only works with the telephoto and regular wide lenses — it does not work with the ultra-wide lens. Because of that, Deep Fusion is not compatible with “Photos Capture Outside the Frame”, because the outside-the-frame content is usually captured with the ultra-wide lens. So I think we now have two reasons why “Photos Capture Outside the Frame” is not turned on by default[…]

[…]

Deep Fusion is not a mode or even an option like Night Mode is — it will simply apply automatically when the Camera app thinks it should.
