Archive for November 2019

Friday, November 8, 2019 [Tweets] [Favorites]

Falling Back to an Older MBP

Erica Sadun:

The basic truth for me is that both keyboards are fully usable and that having the dedicated escape key (or not) was never a big deal. The virtual one did the job just fine. That’s something I never expected to admit but it’s true. I may not love MBP keyboards but they work.


On the other hand, moving back from USB-C to all these wonderful ports is delightful. My 2018 was always an octopus, and I had to carry around a bag of hubs and adapters.


I have a bunch of extra file space with the built-in SD card reader with my computer-flush reader adapter so it looks built in. The two standard USB ports are so convenient. I have an entire bag of USB-C gizmos that I’d carry around with the 2018 machine that I dumped into my USB box-of-everything for now.

Unlike others, she doesn’t seem to have had trouble with keyboard reliability and likes the big trackpad. She misses Touch ID but not the Touch Bar.


Update (2019-11-09): Tanner Bennett:

This mirrors how I feel. I don’t mind the Touch Bar or the miss the escape key, and my keys rarely broke, but

• I hate the low-travel keys
• I hate the new arrow key layout
• I miss ports (HDMI, USB)

David Heinemeier Hansson:

Apple’s stubborn four-year refusal to fix the terminally broken butterfly keyboard design led me to a crazy experiment last week: Giving Windows a try for the first time in twenty years.


What this experiment taught me, though, was just how much I actually like OSX. How much satisfaction I derive from its font rendering. How lovely my code looks in TextMate 2. How easy it is to live that *nix developer life, while still using a computer where everything (well, except that fucking keyboard!) mostly just works.

100,000 E-mails From iCloud

Neal Rogers (via John Gruber):

On Oct 10, the day I upgraded to OS 10.15 & iOS 13, iCloud quit working as it had for.. ever. I’ve since received @Apple email “Your Apple ID was used to sign in to iCloud via web browser” ~100,000 times. A month later, no one at @AppleSupport has been able to help me resolve it.


Swift Numerics

Steve Canon (tweet):

I’m excited to announce a new open-source project for the Swift ecosystem, Swift Numerics! Swift Numerics will provide the building blocks of numerical computing in Swift, as a set of fine-grained modules bundled together into a single Swift package. My hope is that we can quickly fill some important gaps in the Standard Library’s existing APIs, and unlock new domains of programming to the Swift language.

I’ve seeded the repository with two much-requested modules that are immediately useful for computational mathematics: Real (providing the functionality of SE-0246) and Complex (providing complex numbers and arithmetic).


The C and C++ complex math libraries attempt to make fine-grained distinctions between different zeros and infinities and NaNs. This is occasionally useful, but it means that multiplication cannot use the obvious arithmetic expression.

Swift does not attempt to make this distinction. Any complex number with zero real and imaginary parts is zero, and all complex numbers with a non-finite real or imaginary part are collapsed into a single “point at infinity”.

Looks good to me.

Firefox Making DNS-over-HTTPS the Default

Selena Deckelmann:

In 2017, Mozilla began working on the DNS-over-HTTPS (DoH) protocol, and since June 2018 we’ve been running experiments in Firefox to ensure the performance and user experience are great. We’ve also been surprised and excited by the more than 70,000 users who have already chosen on their own to explicitly enable DoH in Firefox Release edition. We are close to releasing DoH in the USA, and we have a few updates to share.


In addition, Firefox already detects that parental controls are enabled in the operating system, and if they are in effect, Firefox will disable DoH. Similarly, Firefox will detect whether enterprise policies have been set on the device and will disable DoH in those circumstances. If an enterprise policy explicitly enables DoH, which we think would be awesome, we will also respect that.

Kristian Köhntopp:

Once that happens, the browser will ask Cloudflare over DNS for name resolution instead of whatever your sysadmin configures, leaking the names of all the websites you visit to Cloudflare.


It’s breaking an old contract between OS and application. The browser trying to become an OS, in a way.

It’s also implemented in a way that it is breakable by your ISP (NXDOMAIN on a certain query), so the security improvement doesn’t

Josh Centers:

Cloudflare is slowly gaining a stranglehold over the entire Internet and no one is paying attention.

Firefox: “We’re the privacy browser! Also, we collect absurd amounts of telemetry and now we’re going to route all your DNS requests through one of our partners.”

No one is challenging them on this.


The insecure DNS servers, as set in the network interface settings of your computer, allow the domain name resolution queries sent to DNS servers to be read by someone sitting in the middle such as your ISP. But with secure and encrypted DoH, nobody can know which domain names you are trying to access.

However, some security experts are not happy with Mozilla’s decision to include TRR in the web browser. They are arguing that it should not be enabled for everyone, especially the security conscious users who have configured their network to use trustworthy DNS servers (source: If you are one of those Firefox users who want to use the DNS servers configured with your network interface instead of DoH, then here is how you progress[…]


Many people appear to conflate the concepts of privacy and encryption, which are in fact very different things.

In this post I argue that in September 2019, centralised DoH “by default” is a net-negative for privacy for everyone and that even in later years it will not improve privacy outside of the most privacy hostile environments – where no one should rely on partial measures like DoH to stay secure.

See also: Hacker News.


Thursday, November 7, 2019 [Tweets] [Favorites]

Apple’s New Privacy Page

John Voorhees:

With Apple’s update to its privacy page today, the company has created a site that explains how privacy drives the design of its apps in clear, concise language. However, for anyone who wants to understand the nitty-gritty details, Apple has also published white papers and linked to other materials that provide a closer look at the issues that the main page addresses.

I’m not thrilled with the Safari section and white paper:

Browsers are more convenient to use when information is synced across a user’s different devices. For example, being able to access their history across devices means users can easily find the places that they’ve been on the web, regardless of whether they’re on their phone or their computer. Safari provides a secure way to keep information in sync across devices while protecting privacy. Unlike other browsers, Safari doesn’t have a browser-level sign-in that automatically signs the user in to all the browser vendor’s online services.

Instead, macOS continually badgers you to sign into iCloud, and unless you specifically opt out using the checkbox that merely says “Safari,” it sends your entire browsing history to Apple. Nowhere in the app’s interface does it say that it does this, and you can’t opt out without also losing bookmark syncing. Whereas, Chrome does not badger you to log in, does not enable history syncing by default, and does let you sync bookmarks without syncing history.

It also fails to mention that the Safe Browsing feature sends, from your IP address, information about the sites you visit to Google or Tencent.


RunningBoard in Catalina

Howard Oakley:

Normally, assertions are used during development and debugging, then switched off when software is released. In macOS 10.15 and 10.15.1, at least, the subsystem for handling assertions, RunningBoard, is fully active in release versions, which suggests a substantial change in software practice by Apple.

This subsystem consists of a small service, /usr/libexec/runningboardd, and two Private Frameworks, RunningBoard.framework and RunningBoardServices.framework. There is also an AssertionServices.framework still, as in Mojave. Minimal access is provided from the public macOS interface, in the form of the NSAssertionHandler class and a few calls such as the NSAssert() macro. At present, RunningBoard and assertions are largely the preserve of macOS and don’t appear to be intended for direct third-party use, except in some Objective-C code.

Update (2019-11-08): I’ve received a tip that RunningBoard is not related to NSAssertionHandler. It’s intended for resource assertions, e.g. keeping the device alive during a download or temporarily using more memory.

Limits to Apple’s Butterfly Keyboard Repair Program

Michael Peterson:

Unfortunately, there appear to be limits to how many times you can get a MacBook repaired under that keyboard repair program. Notably, that is something that’s fairly unknown among the Apple community.


According to a post they made back in October, Reddit user spgremlin brought recently their 2016 MacBook Pro in for service for the third time. Under the Apple keyboard replacement, the user’s first two repairs were completely free. As they should be.

But when the Redditor brought their MacBook Pro in a third time, the Genius Bar staff there told them it wasn’t covered under the repair program.


Apple Notes and iCloud Syncing

Warner Crocker:

Recently, (and I sadly can’t pin this on recent iOS or Mac OS system updates because I just wasn’t paying close enough attention), I’ll create a note on one device and it may indeed show up on all three, or perhaps two, and sometimes it won’t sync off of the device it was created on until some random time down the road.


I had spent a morning creating a number of notes on the MacBook in preparation for a production meeting. I walked to theatre, opened up the iPad Pro and none of those notes appeared. I checked the iPhone and some of those notes appeared.


At the end of that testing period I ended up with four different note counts on three devices and the web.


Further, it appeared that some of the notes, not all, I created that morning were gone from all devices and the web.

And it happened again after the Apple Senior Advisor reset his iCloud database.


Update (2019-11-09): Ivan Pavlov:

I can only confirm that since iOS 13 Notes syncing has become much less reliable. It is a pity since it was so good before. Apple is aware of that, my bug report FB7267359 has more than 10 similar reports with no visible actions since September.

Michele Galvagno:

Wow! Thank you for this!

At least I’m not alone in this!

How are you (people affected) facing this?

I’ve not had my sync for one month now... that’s a lot!

Cameron Ehrlich:

This has been driving me nuts!

They Might Never Tell You It’s Broken

Maxime Chevalier-Boisvert:

The more important lesson, that I didn’t understand until that point, is that you can’t count on the people trying your project to quickly and reliably signal bugs to you. Most of the time, if it doesn’t work, they won’t report the problem.


It’s a horrifying thought, but it could be that for every one person who opens an issue on GitHub, 100 or more people have already tried your project, run into that same bug, and simply moved on. So, what can you do? You can encourage people to report bugs.


Twitterrific iOS Windows

Ryan Christoffel:

Twitterrific has become the first Twitter client to add multiwindow support, enabling creating separate windows for different accounts or different views within the same account. The first-party Twitter app, meanwhile, has recently added extensive support for external keyboards, likely as a side benefit of the app making its way to the Mac. In both cases, the Twitter experience on iPad has been meaningfully improved in ways that power users will appreciate.


If you have more than one Twitter account, such as one for personal use and another for business, multiwindow is a compelling way to avoid needing to switch back and forth between them constantly.

Craig Hockenberry:

This review that covers a both a third-party and first-party Twitter app shows how important the former is.

Third parties are always first with platform features like multi-window on iPad. And we’ve had keyboard support for several years.

Sean Heber:

I did quite a lot of work to retain support for iOS 12 while adding iOS 13 multi-windowing, but it’s kind of looking like we probably could have just dropped iOS 12 and saved myself a lot of effort. 😛

A particularly nasty implementation detail when adding multi-window to Twitterrific was that our previous theming system assumed a single global setting. When you send a window to the background on iOS 13, it snapshots it for the app picker a bunch of times.

While it’s taking snapshots for the app picker, it changes the appearance mode for that window between light/dark so it has snapshots ready if your system appearance changes. This caused the whole app to flicker between light/dark whenever any window was being snapshotted.

I had to pull a LOT of stuff apart and rebuild it just to get this all to work per-window so any other visible windows you might have had open didn’t flicker between light and dark.

Another wrinkle here is that we allow custom themes to be loaded from iCloud Drive - but you can’t rely on a file in iCloud Drive to be immediately available (it might have to be downloaded first, for example).


There are just countless little things like this to consider when implementing something as fundamentally disruptive as adding multi-window. People have no idea.


Wednesday, November 6, 2019 [Tweets] [Favorites]

Siri Stores Encrypted E-mails in Plain Text

Bob Gendler:

The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.


Another database, entities.db, stores records of people’s names, email, and phone numbers you’ve corresponded with. Although the phone number may not be in your contact list, data from emails such as signature blocks and forward information are stored. It’s like an address book built for you. This could be touchy, as it may allow quick and easy access to some potentially sensitive information.


For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. […] I also have to wonder why it took 99 days for someone to know the answer on how to prevent this. All parties at Apple were alerted multiple times before writing this blog and giving an ample amount of time before I published this.

You can prevent it by going into the Siri settings and unchecking Mail. This does not remove e-mails that have already been stored in the database.

The Suggestions folder is protected from apps that haven’t been given permission, but the data is unencrypted on disk if you aren’t using FileVault.


Update (2019-11-08): Jay Peters:

Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.

Static Types in SwiftUI

Chris Eidhof (tweet, Hacker News):

In SwiftUI, the implementation works differently. In our stack above, SwiftUI knows the type: a vertical stack view with two subviews. During the execution of the program this type will never change — it’s a static property of the code. As such, our program will always render a vertical stack view with a text and a rectangle. When the state changes, some of the views’ properties might change, but the stack view with the two subviews will always persist.

This hard guarantee from the type system means that SwiftUI doesn’t need to do a tree diff. Instead, it only needs to look at the properties of each view, and update those on screen. Theoretically, this still involves walking the entire tree, but walking a tree has a much lower complexity than diffing a tree.


For view trees that have a variable length, SwiftUI uses ForEach. We won’t go into detail on ForEach, but SwiftUI requires you to provide either a constant range, or, if the length is truly dynamic, to use an identifier for each element you’re displaying. When the elements change, ForEach uses the identifier to uniquely identify elements during a diffing step.


An AnyView is a type-erased view, and as such, it provides no information at compile-time about what’s inside. SwiftUI will need to do more work at runtime to verify changes (as mentioned here, and here).

Hardened XPC Services Don’t Prompt


Things get a bit more complicated if an attempt to access contact comes not from the application, but from its bundled XPC service, like explained in the video.


Luckily, smart folks at Apple thought of such scenarios, so macOS security subsystem (for simplicity, I will refer to it as TCC) understands that the AvatarService is trying to access contacts ON BEHALF of GitFinder application.


The application + XPC service combo build with hardened runtime fails to access contacts. Having proper sandbox entitlement defined, the XPC service requests access to contacts and passes that request to the application, just like it did before hardened runtime. However, this time around the TCC does not understand that the request comes from the XPC service on behalf of the application. Instead, it thinks the request comes from the application itself and hence checks if the application has required sandbox entitlement (AddressBook). Since the entitlement isn’t there, because the application does NOT need it at all, access to contact is denied.


The consequence of absence of absolutely unnecessary sandbox entitlement is the user consent dialog NOT being displayed at all. The user won’t even know the application would like to access contacts and the access will be permanently declined.

This probably happens for all the entitlements, not just the Contacts one. The same thing happened for a while with command-line tools on macOS 10.14 (except without the workaround). If not addressed, this will become a bigger issue in January, when the hardened runtime becomes a requirement.


Update (2019-11-07): Felix Schwarz:

Bug: in #macOS 10.14/10.15 host apps needs to be given the same privacy entitlement as bundled XPC services - even if ONLY the XPC service needs it; eliminating THE key security benefit of sandboxed XPC services & increasing attack surface.

Apple’s Rosyna Keller says this is a feature, not a bug:

The issue here is better attribution in TCC. If App B is immediately passing data to App A, they both need the entitlement (because macOS knows you’re giving contacts to an unprivileged app).

This prevent attacks in which a malicious app asks a privileged app for private info only the latter is supposed to have access to.

I’m not convinced by this reasoning. Apparently, the requirement works this way for the TCC entitlements but not the traditional sandbox ones.

Felix Schwarz:

What if the XPC service only returns avatar images for email addresses?

In that case, a compromised GitFinder has no access to contacts data & only to those avatars for which the attacker already knows the email.

W/o separation of powers, an attacker gains unlimited access.

Update (2019-11-09): Jeff Johnson:

The sandbox allows the xpc service and the main executable to have different sandbox entitlements, which is how one can have the Contacts entitlement and the other not. In contrast, the hardened runtime depends only on the main executable of the app.


The app is still blocked unless the hardened runtime and the sandbox are in agreement. Here’s the catch: for better or worse, the hardened runtime and the sandbox use the same name for some entitlements. For example, they both use for the Contacts entitlement. As a consequence, if an app is both hardened and sandboxed, it’s impossible to give the Contacts hardened runtime entitlement to the [XPC service] without also giving the Contacts sandbox entitlement to the main executable!

I agree that the root problem for GitFinder is that the sandbox and hardened runtime use the same entitlement names for different purposes and with different inheritance rules.

In my opinion, I’m not sure that it is a problem. I don’t think the architecture of GitFinder reflects the intent behind Apple’s XPC API.


If the xpc passes Contacts info back the app, and network attackers compromise the app, then the network attackers have the Contacts info! The attackers may not have unlimited access to Contacts, but they still have some illicit access to Contacts. So you really haven’t solved the problem there.

This part I don’t agree with. I think it does make sense to use separate XPC services for privilege separation. In GitFinder’s case, the network and Contacts access are confined to separate XPC services. The app itself is isolated, so it shouldn’t get compromised. If it did, and the hardened runtime entitlements worked the same way as the sandbox, it would have only very limited access to Contacts through the XPC service, which is good.

The goal of the xpc service is not to limit the damage the app can do if it’s compromised, the goal is to prevent the app from getting compromised in the first place.

Why can’t it be both?


I’ve never said it’s related to notarisation, but in my experience it IS related to hardened runtime, because app+xpc without hardened runtime worked fine, while the same app+xpc with hardened runtime fails on the very same macOS version/build.


Furthermore, if it’s intentional (hence, a feature - “better attribution it TCC”) it would’ve been much easier if anyone from DTS had said that to me immediately, instead of having, like, seven months of back/forth correspondence…


… with two DTS guys, including filing a bug report (and reporting bug number back to DTS), running log stream for “” while running test applications and doing other things I was asked for, just to confirm noticed behaviour.

Alas, the TCC/privacy stuff is virtually undocumented and was only discussed in a cursory manner at WWDC. So it’s not surprising that is isn’t well understood inside Apple, either.


That’s actually what GitFinder is doing; its XPC service returns only image data for known email address (known from git commit) and nothing else.


Forcing compromised GitFinder to get something else back from XPC service would require compromising XPC service as well. But if GitFinder (application) has contacts entitlement, then all contacts data is available right away.


I have to agree with @mjtsai here and I think we “understand” the concept of “privilege separation with XPC services” the same way, but I accept I may be wrong. Anyway, there’s that video I referred to in the blog post


It actually starts at about 2:25 and is related to architecture and different pieces it consists of, each having access to only limited resources.


Preview is probably chosen as an example of a know app. Anyway, this is how I thought of the whole concept: I will isolate access to contacts in a very small service, which can access contacts only…


… not disk, not network. If it is compromised (somehow, anyhow), access to contacts is there, but no contacts data can be written to disk or send over the network. And as a small binary, (I hope) the number of potential security holes is much smaller that in much larger app.

Ilya Kulakov:

I think the case is that given

- App with the network entitlement
- Contained XPC service with the contacts entitlement

the system has to assume that App can access contacts too. XPC protects nothing: hijacked App it to give all the data.

My understanding is that privilege separation is still beneficial though: hijacked XPC cannot request App to give it contacts unless it is a part of the XPC connection protocol.

Don’t Interrupt the Installation

Adam Engst:

The details vary, but all revolve around problems at boot, with complete lockups, accounts not available, current passwords not working, the login window reappearing after the user enters the password, or a crash screen after login. So far, it seems that only Macs with the T1 or T2 security chip are affected—that includes the MacBook Pro with Touch Bar (2016 and later), iMac Pro, MacBook Air (2018), and Mac mini (2018).


In the end, my advice is simply to go ahead with installing Security Update 2019-011 (Mojave), with two important caveats. First, make sure you have good backups before starting, in case the worst happens. That’s always a good plan anyway. Second, do not interrupt the installation process! It may take longer than you expect, but let it run as long as it needs.

I don’t know what I’m going to do once I get a T2 Mac because, since macOS 10.10 or so, probably 50% of my macOS updates get stuck and don’t complete the first time. I end up waiting several hours or overnight before giving up and hard resetting the Mac.

Archive Team’s Yahoo Groups Rescue Effort

Andy Baio:

For me, it took ten full days to get an email that my archive was ready to download — are they doing this by hand!? — but it appears complete: it contained a folder for every group I belonged to, each containing their own ZIP files for messages, files, and links.


The Archive Team wiki charts the rise and fall of Yahoo Groups, showing a peak in 2006, and rapid fall after that.


As you’d expect, the volunteer team of rogue archivists known as Archive Team are working hard to preserve as much of Yahoo! Groups as possible before its shutdown.

The Their initial crawl discovered nearly 1.5 million groups with public message archives that can be saved, with an estimated 2.1 billion messages between them. As of October 28, they’ve archived an astounding 1.8 billion of those public messages.


FastScripts 2.8

Red Sweater updates one of my favorite apps:

Custom folder icons are now displayed in the FastScripts menu

FastScripts can now be quit by cmd-dragging the icon out of the menu bar

Revealing a folder from FastScripts now respects the user setting for default folder opener

Apps such as Path Finder can set the handler for the public.folder UTI to control which app will be used when an app tells the system to open a folder. FastScripts, along with other apps like BBEdit, lets you hold down the Option key to edit a script instead of running it, or Shift to reveal it in Finder. Unfortunately, the system doesn’t use the default folder opener when revealing a file. My apps check whether Path Finder is running and send it an Apple event to do that.

Catalina No Longer Caches Shared Photos Locally

Tyler Hall:

So, I looked, and, sure enough, that sharedstreams folder is gone. But where?


Ok. That’s great. It actually makes more sense to have shared photos also live inside your library instead of somewhere random in ~/Library.


Of the 112 GB my shared albums previously took up, only 250 MB (MB!!!) are cached locally.


I don’t trust iCloud with my photos. And I’m not trying to single out Apple. I don’t trust Google Photos either. I don’t trust any cloud with my data. I love the convenience of iCloud photo sharing with friends and family and using Google Photos as a source of truth for my own family archives. But I want a backup of my data – just in case – that I’m in control of.

The option to “Download Originals to this Mac” doesn’t apply to shared photos. So you can’t back them up youself, and there’s no backup in the cloud. Not only does it no longer download the photos, but it also deleted the ones that had been downloaded by macOS 10.14.


Tuesday, November 5, 2019 [Tweets] [Favorites]

Dell UltraSharp 27 4K PremierColor Monitor

Malcolm Owen:

In this monitor’s case, it offers 100% of the Adobe RGB range, 98% coverage of DCI-P3, and 80% of BT2020, allowing it to represent a wide array of color space standards.


Displaying at a 4K resolution of 3,840 by 2,160 pixels at 60Hz, the LCD screen has a contrast ratio of 1,300:1 and a typical brightness of 250 nits. The front features an anti-glare treatment for the front polarizer hard coating, and the backlight is a white LED edgelight system.


Dell’s monitor may be seen as a potential cost-saving alternative to Apple’s Pro Display XDR, which is anticipated to be available to purchase in the near future. While Dell’s monitor is $3,000 cheaper than Apple’s version, it has fewer Thunderbolt 3 connections, is smaller with a lower resolution, and doesn’t feature Apple’s optional nano-texture glass etching to produce a matte finish.

Looks like it includes a stand. But why can’t they make a 5K?


Update (2019-11-05): wooliegeek:

The PPI is all wrong for macOS unfortunately. I wish Dell hadn’t cancelled their 5K. 😢

Raphael Sebbe:

Also something I don’t understand. 27″ @ 5K and 21″ @ 4K are the perfect retina (2x) densities, comfortable & crisp. Yet no one is making those.

Instead we get Full HD or oversized 4K, with all kinds of secondary features: response time, P3/Adobe RGB. Even Porsche design.

Monday, November 4, 2019 [Tweets] [Favorites]

“Real” Photoshop for iPad

Michael Steeber:

A full, desktop-class version of Photoshop on iOS has been one of the most hotly anticipated creative apps for designers and artists since the original iPad’s introduction in 2010. In the years since, competitors have released their own products hoping to fill the void, but can’t offer true integration with Creative Cloud that existing Photoshop customer have come to expect. Today at 2018’s Adobe MAX conference in Los Angeles, Adobe is answering the requests of the creative community by previewing what it calls real Photoshop CC for iPad.

Mark Gurman and Nico Grant:

Adobe has been testing Photoshop for iPad under the codename Rocket with a small group of beta testers since earlier this year. Participants have told Bloomberg News that some beta versions don’t include well-established features they expected to be part of the release. They complained about less advanced or missing features around core functionality like filters, the pen tool and custom paintbrush libraries, vector drawing, color spaces, RAW editing, smart objects, layer styles and certain options for mask creation.


“I understand it is based on desktop Photoshop code, but it doesn’t feel like it right now.” Other testers have called the app “rudimentary” and said, in its current state, it is inferior to other apps like Procreate and Affinity on the iPad.

John Gruber (tweet):

From what I gather, the mistake Adobe made was not precisely setting expectations for the initial release of Photoshop for iPad. When Adobe described it as “real” Photoshop, what a lot of people heard was “full” Photoshop, and that was never the plan. Some of this expectation-setting is attributable to Bloomberg, which described the project as “the full version of its Photoshop app” as far back as July last year.

Photoshop for iPad is real because it is using the same code base that’s been running on the desktop for decades. That’s an amazing technical accomplishment. Photoshop for iPad is not full — and the initial release was never planned to be — because it only exposes a subset of features from the desktop version.

Steve Troughton-Smith:

I’d phrase it more like: Adobe is years late to what Serif is doing with Affinity Photo on iOS, and it’s no surprise that it might take years to catch up. It’s up to Serif to really take advantage of that lead while they can

John Voorhees (tweet, MacRumors):

It’s against this backdrop of rumors and hype that Photoshop for iPad has emerged finally. Mindful of the outsized expectations that were created, Adobe takes great pains in its announcement today to explain that Photoshop for iPad 1.0 ‘is just the beginning,’ emphasizing that the new app is built on the same code base as the desktop version but optimized for touch. The company also stresses that its new cloud-based PSD file architecture will allow users to move seamlessly between platforms.

That’s good news, but not the same as the ability to substitute one app for the other. What users can accomplish on the new iPad app is more limited than the desktop. Adobe says the initial release focuses on compositing, masking, and basic retouching, which I can confirm from my limited use of the app. Those are core Photoshop features that many users will welcome, but desktop Photoshop can do much more. So, for the time being, Adobe is positioning its new iPad app as an accessible way to introduce Photoshop to new users, a complement to the desktop version, and a companion app for professional users.

Russell Ivanovic:

Alternate take: Photoshop for iPad is going to be and feel like Photoshop Lite forever. Adobe sucks at this. I can’t see them ever getting it right.

Lightroom, certainly, remains very different from the “classic” desktop version. Of course, Microsoft Office, iWork, and Omni’s apps are also “real” but not “full.”

Dave Mark:

Looks like Photoshop for iPad does NOT support RAW.

This seems like a huge deal to me.

Eli Schiff:

I’d like to write off the cuff about the evaluation of design tools based on my thorough usage of @photoshop @sketch and @figmadesign

Update (2019-11-07): Scott Belsky:

a real-time v1 lesson: you’ve gotta ship an MVP to start the journey, but it will be painful at first. by definition, it won’t please everyone (and if it’s a reimagination of a 30yr old popular/global product, will displease many)

Bob Burrough:

Changing the way the user interacts with software (replacing mouse+keyboard with multitouch) is a major, fundamental change. Adobe did not carefully manage expectations. Instead, they misled their customers by describing it as “real” Photoshop.

For Apple’s part, they had no qualms letting Adobe take center stage to make such a claim. Apple has been trying to convince us for years that iPad is a suitable replacement for mouse+keyboard PC’s. Unfortunately, that isn’t the case. It will never be the case.


Keyboard+mouse is better at open-ended computing that requires high bandwidth input. iPad is far superior at mobility. Apple Pencil and Wacom tablets are far more expressive than mouse or multitouch will ever be. But, different they remain.

Electron Apps Rejected From the Mac App Store (via Ben Sandofsky, Hacker News, Slashdot):

Allright, as a follow up to the previous chapter in this odyssey I can now state that, apparently,  you cannot submit an electron 6 or 7 app to the apple store:

The first refusal from apple states:

Your app app links against the following non-public framework(s):

I am not the only one having this issue and I did write back to Apple trying to explain that I am using Electron and I can’t really change any of these public-framework usage (I assume is something from Chromium)[…]

Craig Hockenberry:

There was a time when digging into the bowels of the macOS implementation was “necessary”. Back in the day, you’d use NSThemeFrame to get UI into an app’s titlebar.

iTunes did it, so everyone wanted to do it.

But those days are long gone - there are public APIs to get the job done now.

And with the advent of Spaces, split-screen windows, and translucent effects, using these private APIs are likely to break an app.

Unfortunately, that isn’t the whole story. Some of the private APIs are used in the Web rendering engine itself:

Mozilla recently published a good write up on why they started using the undocumented CALayer API in Firefox 69. The TLDR is that that these private API’s allowed them to get up to 3x better battery usage in Firefox. The article also mentioned that Chrome uses these Core Animation API’s.

So there are a multiple problems here:

  1. It’s (apparently) impossible for Chromium to get competitive performance and battery life without using private API, which Safari freely uses.
  2. Apple probably has good reasons for keeping these APIs private.
  3. Private API has always been banned, but Apple has been accepting these apps for years and then abruptly stopped without any notice.
  4. Apps using Electron probably didn’t know that they were even using private API. Neither Xcode nor Application Loader reports this, and App Review was accepting the apps.
  5. The rule is not being enforced equally.

Jeff Johnson:

I just checked Slack, which was updated 3 days ago, and its embedded Electron Framework contains all of the listed private symbols.

“And developers, from first-time engineers to larger companies, can rest assured that everyone is playing by the same set of rules.”


This, however, is draconian:

Continuing to use or conceal non-public APIs in future submissions of this app may result in the termination of your Apple Developer account, as well as removal of all associated apps from the App Store.

“Keep trying to submit, and we might just ban you forever” is insane. Every program of any complexity depends on third party libraries, and many people wouldn’t be able to tell what arcane APIs their dependencies (or their dependencies’ dependencies) call. “If you continue to have an upstream dependency that violates our terms, we might permaban you” is bullshit.

Colin Cornaby:

This has got to be a big problem for Apple. The widespread distribution of Electron and Chromium means they have to maintain this as semi-public API. Or risk breaking a lot of apps in a future OS release. Google is forcing them into a bad spot.

Matt Birchler:

Good people of Twitter, what are your favorite Catalyst apps? Asking because I am yet to find one that is remotely as good as the Electron apps I use daily.

I’ll be more specific: Slack and Visual Studio Code works great for me, while Postman is a little annoying, but very functional. Meanwhile the Jira and Twitter Catalyst apps have sent me running back for the web.


Update (2019-11-05): anatomisation points out that the Mozilla post does not actually say that they are using private API and that WebKit is not using CALayerHost very extensively. However, Chromium does seem to be using it for compositing during rendering.

Pierre Lebeaupin:

Reminds me of the time people found out Unity was relying on an undocumented API, around the iPhoneOS 3 or iOS 4 timeframe IIRC. I think we were affected too (by direct usage, not through Unity. Our bad.

Jeff Johnson:

These private symbols have been in Electron/Chromium for a long time. Strange coincidence that Apple is changing their enforcement now, so soon after Catalyst is available.


That neither Chrome nor Firefox is in the MAS could be considered an indictment of the MAS.


Rosyna Keller:

FWIW, Chromium is using CALayerHost for something better served by public IOSurface APIs and public CALayer properties.

Update (2019-11-09): Owen Williams (via Hacker News):

Developers use technologies like Electron and PWA because they allow for faster updates across platforms without an array of different codebases. Some argue that this results in lower quality apps, but I’d argue the alternative is no app at all or apps that are rarely updated because maintaining unique Windows, Mac, and web-based products is complex and expensive.


Apple’s subtle, anti-competitive practices don’t look terrible in isolation, but together they form a clear strategy: Make it so painful to build with web-based technology on Apple platforms that developers won’t bother.


These types of changes may be made in the name of privacy or security, but the reality is that the argument looks weak when both users and developers simply don’t have a choice because Apple controls the platform, browser engine, and the distribution method. Regardless of your opinion of Electron app quality, choice is important.

Apple TV, Apple TV, Apple TV, and Apple TV+

Dustin Curtis (via Hacker News):

Apple TV is a hardware device.

Apple TV is an app on Apple TV that curates content you can buy from Apple and also content you can stream through other installed apps (but not all apps, and there is no way to tell which ones).

Apple TV is an app on iOS/iPadOS devices that operates similarly to Apple TV on Apple TV. Apple TV on iOS/iPadOS syncs playback and watch history with Apple TV on Apple TV, but only if the iOS/iPadOS device has the same apps installed as the Apple TV – and not all apps are available on all platforms. Apple TV is also an app on macOS, but it does not show content that can only be streamed from external apps on an Apple TV or iOS/iPadOS device.

Here’s the post color-coded.

Update (2019-11-07): Jason Snell:

An article like this would also be written if Apple went to market with a hardware device called Apple TV, an app called Videos, a smart-TV app called Apple, a reselling strategy called Apple Channels (or having no name at all!), and a subscription streaming service called Apple Cinema. Too many names, Apple! It’s confusing! Why not something simpler?


So, yes: Apple’s strategy is a mess. I’m also not sure that the alternatives are any better.

I saw someone the other day say that television is so much simpler than it used to be, and I had to laugh. Television has never been more complicated. Apple’s very Apple-like attempt to stick to a single simple phrase—“Apple TV”—can’t spackle over just what a messy situation the streaming entertainment world is right now.

Twitter’s Ban on Political Ads

Will Oremus:

Twitter CEO Jack Dorsey announced on Wednesday that the company will ban political advertising, a move that earned the company a rare wave of positive press.


There’s something to be said for a tech platform taking its responsibilities to the democratic process seriously. But banning political ads is not as straightforward, nor as obviously correct, as those cheering Dorsey’s announcement seem to think.

The problem is twofold. First, defining which ads count as “political” gets tricky in a hurry. Second, prioritizing commercial speech over political speech is itself a political stance, and not necessarily one that we should want our online communication platforms to take.

Facebook’s policy is to allow such ads but to “[exempt] political candidates from its rules on misinformation in advertising.” This perhaps makes sense because fact checking is not straightforward, and it would set them up to be blamed for any controversial decision. But it creates an obvious loophole, which is already being exploited.

Update (2019-11-05): Ben Thompson:

Start with the latter: it is hard to interpret Twitter’s decision as anything other than a Strategy Credit. The company, by its own admission, earned an immaterial amount of revenue from political ads in the last election cycle; now it gets to wash its hands of the entire problem and chalk up whatever amount of revenue it misses out on as an investment in great PR.

Such a policy, however, particularly were it applied to Facebook, where much more advertising is done (political or otherwise), would significantly disadvantage new candidates without large followings, particularly in smaller elections without significant media coverage. It is, at a minimum, a rejection of social media’s third estate role; best to leave the messy politics to the parties and the mass media.

Facebook, meanwhile, has struggled to defend its decision in the context of a “marketplace of ideas”. After all, what value is there in a lie? In fact, Mill would argue, there is a great deal of value in exactly that, but it’s a hard case to make! Never mind that most disputes would be less about easily disprovable lies and more about challengeable assumptions.

Saturday, November 2, 2019 [Tweets] [Favorites]

Efficiently Mutating Nested Swift Data Structures

Radek Pietruszewski:

That feel when you’re profiling a React Native app, and you’re sure JavaScript is the source of your problems… but no, it’s ridiculously misoptimized Swift doing… well… nothing much for two minutes.


Code does something that seems completely reasonable, but ends up creating a new copy of a large Set 10,000s times. Not entirely sure if Swift is supposed to be smart enough to figure out that it can safely mutate it, or it’s programmer’s responsibility.

The intention is to insert to a Set that’s in a Dictionary that’s a mutable variable on a class

Joe Groff:

Older versions could not modify values in dictionaries without copying them, but 5.0 and later should be able to.

Karoy Lorentey:

Yep, Array & Dictionary both support in-place mutations. For Dictionary, the recommended way is to use the defaulting subscript. E.g., this won’t make a CoW copy:

sets[key, default: Set()].insert(foo)

But this will:

var tmp = sets[key]
sets[key] = tmp

The Dictionary.Values collection also supports this, and it may come handy if you need to distinguish between existing and new keys:

if let i = sets.index(forKey: key) {
} else {
  fatalError("Unknown key \(key)")

I’ve written about this before, but I think it’s worth re-emphasizing how this works. It’s counterintuitive and unusual in programming for introducing a temporary variable, as people often do when debugging, to radically change the behavior of the code. Copy-on-write is a leaky abstraction.


Update (2019-11-02): See also: Karoy Lorentey.

Preparing to Migrate From Aperture to

John Gordon:

I’ll still be on Aperture into 2020, three years beyond my original plan. The Catalina catastrophe has made staying on Mojave more agreeable. I’ll have to switch sooner or later though, almost certainly by 2021. So I’m working on a list of what I need to do prepare. I’ll update this post with items I think about[…]


Xcode 11.2 and XIBs With UITextView

Juri Pakaste:

Xcode 11.2: NSInvalidUnarchiveOperationException. Oh boy.

Nikita Zhuk:

Xcode 11.2 seems to cause havoc if you have XIBs which contain UITextViews. Beware!

Marcin Krzyzanowski:

This is really bad year for devtools at Apple

Peter Steinberger:

One more reason not to use Interface Builder.

Randy Reddig:

DEAD_CODE_STRIPPING = NO seems to fix it for the moment.


Update (2019-11-05): Thomas Ricouard:

Xcode 11.2 retail fail to decode UITextView from Xib/Storyboard on any iOS lower than iOS 13.2.

Marc Palmer:

PSA: do not submit builds with Xcode 11.2 or you will have huge numbers of crashes on iOS releases older than 13.2. We luckily just hit this in our CI rather than in production.

XcodeReleases (9To5Mac):

#Xcode11.2.1 GM Seed is out!


To be clear, the UITextView issue is fixed for iOS and tvOS. It’s still an issue on macOS.

Update (2019-11-07): Paul Haddad:

Cool, deprecate the current version without releasing the new version to the App Store…

Friday, November 1, 2019 [Tweets] [Favorites]

Google Acquires Fitbit

Rick Osterloh (via MacRumors, Hacker News):

Today, we’re announcing that Google has entered into a definitive agreement to acquire Fitbit, a leading wearables brand.


Over the years, Google has made progress with partners in this space with Wear OS and Google Fit, but we see an opportunity to invest even more in Wear OS as well as introduce Made by Google wearable devices into the market. Fitbit has been a true pioneer in the industry and has created engaging products, experiences and a vibrant community of users. By working closely with Fitbit’s team of experts, and bringing together the best AI, software and hardware, we can help spur innovation in wearables and build products to benefit even more people around the world.


Consumer trust is paramount to Fitbit. Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change. Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why. The company never sells personal information[…]

Except, I guess, when they sell all of it to Google at once.

Mike Wuerthele:

Multiple analysts say that Fitbit’s value has more to do with user data collection, more than hardware. The company has been making deals with insurance companies to bundle the product in with customer health offerings, and is trying to expand its revenue in a crowded low-end fitness tracking market, increasingly squeezed by the Apple Watch.

Dieter Bohn:

Fitbit is going to be part of Google’s hardware division, this is about Google getting smarter at making wearable hardware -- Wear OS is almost tangential to this deal from what I can tell.

I stand by everything I wrote earlier this week when the Fitbit acquisition was just a rumor.

Think of this like the HTC acquisition: it will make Google slightly better at making wearable hardware. But Fitbit doesn’t make processors.

Buying Fitbit won’t help Google overcome Apple’s biggest smartwatch advantage It’s the silicon, stupid

….and Fitbit’s platform will need to be supported for 3? at least 3 years preferably much more alongside Wear OS. There’s also Google Fit.

Basically this integration is going to take forever and there is a good chance it’ll be messy and involve a long Nest-esque falllow period

Update (2019-11-02): See also: Hacker News.

The Varying Date.distantFuture


An NSDate object representing a date in the distant future (in terms of centuries).

Craig Hockenberry:

Date.distantFuture is fixed at “January 1, 4001 at 12:00:00 AM GMT” - that means its timeIntervalSince1970 (currently at 64,092,211,200) will change over time because of leap seconds.

Date/time will always be hard, unless the Earth stops moving.

In other words, even within the same run (not to mention when unarchiving), you can’t rely on two distant future dates being equal. So don’t use it as a sentinel value.

Nikolai Ruhe:

I think timeIntervalSinceReferenceDate (and 1970) works differently: It does not take leap seconds into account. Each day ends at an exact multiple of 86400. That means that a given timeInterval might point to one (normal), two or zero points in time (at leap seconds).

Update (2019-11-02): The value can also vary between OS releases.

Tylenol Moment for Apple’s Laptop Keyboards

Kev van Zonneveld (Hacker News):

Both in terms of productivity and delight I had my best years on Apple and I didn’t think I’d ever look back. But here we are.

Why? I (guess I’m the only person alive that) didn’t mind the TouchBar or lack of a real escape key (can map Caps Lock to that). And I liked having 4 USB-C+ ports that I could do anything with. But yes, The Keyboard.

I spent the most money I ever did on this MacBook Pro, and it’s also the worst machine I ever had because the keyboard breaks down (like, it won’t register the s).


So far I’ve brought it in for repairs three times, and each time I’m without my workhorse for a week. Those are unplanned holidays that are dragging my productivity–and basically my company down.

I personally also feel macOS has taken a freefall regarding robustness and polish, but that might be just me. It’s the keyboard that ultimately made me feel just really concerned about having my productivity/company/future so tightly coupled to what Apple ships next.

Joe Rossignol:

While it is unclear if the widely rumored 16-inch MacBook Pro will launch in 2019 or 2020, the latest report from DigiTimes claims that Apple will begin receiving volume shipments of the notebook in the fourth quarter of this year.


Apple analyst Ming-Chi Kuo originally said the 16-inch MacBook Pro would launch in the fourth quarter of 2019 with an all-new design, including a scissor switch keyboard. As of late, however, Kuo has more vaguely stated that a “new MacBook model” with a scissor keyboard will launch in mid 2020. It’s unclear if the “new MacBook model” that Kuo has referred to more recently is the 16-inch MacBook Pro.

Mid-2020 would be more than five years after the initial 12-inch MacBook shipped with the bad keyboard, and it may take longer to turn over all the laptop product lines.

David Heinemeier Hansson:

My great hope for the keyboard debacle is that Apple pulls a Johnson & Johnson 1982 move and recalls every single laptop they’ve sold since 2015, and gives buyers a new scissor-keyboard equipped model instead. How many billions might that cost? A quarters’ worth of buybacks?


I know it’s institutionally almost impossible for Apple to accept that they not only fucked up the MacBook’s keyboard, but that they failed to fix their fuckup for 4 years running, with several attempts. They’re proud people, Apple. But I’d be prouder still of them if they did.


Apple’s consumer confidence amongst people who’ve been stricken by the keyboard debacle is hurting. Maybe it’s not showing up in their net-promoter scores yet, but it’s there. Oh it’s there. I-FUCKING-BOUGHT-A-WINDOWS-LAPTOP it’s there.

Alec Joy:

I bought the first butterfly switch MacBook Pro when it came out in 2016. After three years, and 4 keyboard repairs (thankfully all free) I bought a Thinkpad last month and sold my MacBook and ipad.

Patrick McKenzie:

I felt like I was really missing something for years after I started using Macs in 2014. My next personal computer is unlikely to be a Mac, solely because I want a built-in keyboard that works. Happy to eat N months of retraining muscle memory to get it.


Yup. I was an Apple Fanboi until the current generation of MBPs (2015+). Then they demonstrated just how utterly tone-deaf they are to the things that matter to actual professionals.

Colin Cornaby:

Both my home and work Touch Bar MacBook Pro creak very loudly as they heat and cool. I have heard Apple is fixing this with top case replacements.

I use two MacBook Pros and both have serious hardware issues in addition to the keyboard.

Dave Nanian:

Even thought I’m a macOS developer, when I’m on vacation and don’t need to do development, I travel with a Windows laptop, because my Mac laptops are kind of awful.

Awful to the point where I’ve considered installing macOS in a VM on said laptop.


Update (2019-11-02): David Heinemeier Hansson:

The favorite go-to explanation for why Apple screwed up their laptop keyboards seems to be: They went too thin!! This fails to account for the fact that the Surface Laptop is thinner than a MacBook Air and has a great keyboard. ThinkPad X1 is super thin, great keyboard.

Addison Webb:

If I didn’t use Xcode for a living, I would be heavily considering a non-Apple laptop to replace my 2016 MacBook Pro.

Dave Hidding:

Truth. With all due respect & as a really long-time Mac owner (going back to a FatMac) @tim_cook, this is worth the five minute read. Surprise us with a J&J response...


Current MacBook Pro status:

- external keyboard on top because internal keyboard broken
- frozen shrimp as ice pack to stop overheating while browsing the web

Update (2019-11-05): Giles P. Croft:

Yes. Must confess, this was one of the factors that led me to sell my MacBook Pro: typos in every other sentence on that damned keyboard 🙄

It’s crazy that one company can concurrently make both the best/most satisfying keyboard I’ve ever used (Magic Keyboard) and the worst (every Mac laptop currently on sale).

The TV App Strategy Tax

Joe Cieplinski:

Take a look at the TV app on your iPhone, iPad, or Apple TV. At first, when I saw the way Apple was mixing and matching all the content from available channels, iTunes rentals, purchases, and streaming services like Prime, I was annoyed. How am I supposed to find shows specific to certain sources in here? And more importantly, how can I tell the difference between what I already have access to with my existing subscriptions, and what is going to require a new subscription or a one-time payment?

And that’s the rub. You can’t easily get a screen with all the content you already have access to. Sure the library tab will show you movies and tv shows you’ve purchased on iTunes. But my HBO subscription? Prime? These are just mixed in with all the rest of the content. You can dig and find HBO specific pages, sure. But they are buried behind multiple layers of UI. And there’s a good reason for that.

The TV app is not an app. It’s a store. And Apple knows a thing or two about running stores. They know the more you walk in and hang out, the more likely you will spend some money while you are in there.

In other words, the app is designed to optimize for Apple’s needs rather than the customer’s. I prefer the old strategy where Apple makes its money from hardware, so it’s free to design the software to do the right thing. “Only Apple could do” didn’t only apply to the technical aspects, but also to what it could do because of its business model. Now, the strategy is that Apple, too, can spend money to buy content, creating constraints for itself that didn’t need to be there. The whole effort is clearly a distraction from product concerns for Tim Cook and various company departments. And it gets in the way of making partnerships with other content companies, which didn’t have to be enemies.

The question is why? Does TV content further the mission of empowering people through technology? I don’t see how. Is that even still the mission? Does it provide a better return on investment than technology R&D, documentation, or QA? Sadly, maybe, at least in the short term.

Lesley Goldberg and Natalie Jarvey:

By several accounts, the company already has well outspent its initially projected $1 billion annual content budget. Morning Show alone costs $15 million an episode for a total of $300 million for two seasons, per sources, due in large part to the $2 million-an-episode fees that Witherspoon and Aniston negotiated. (Their deals are said to be even higher with producing fees and ownership points.) See also is expensive, with sources estimating $240 million for two seasons. These costs are at the high end of premium streaming but represent pocket change for Apple.

The reason they are doing this:

Though Apple makes significantly more — $167 billion in 2018 — from the sale of the iPhone, as people hold on to their devices longer, services like TV+ will be key to ensuring Apple ecosystem loyalty. “There’s a lot at stake,” notes Wedbush analyst Daniel Ives. “TV+ is going to play a major role in them further monetizing their 900 million iPhone users. The next leg of growth for Apple is going to be services.” Apple declined to participate in this story.

I see a lot about how this will increase services revenue but little about net services income. Netflix has only recently become profitable, and there is now more competition in streaming.

And does “ecosystem loyalty” mean keeping people buying Apple hardware or getting more revenue per hardware customer?

The logic for the latter is clear, although I’m not sure why customers should care. No one seems to expect Apple to lower prices and make its products more widely accessible because it’s making the profit up from services.

For the former, the idea seems to be that Apple is going to make TV shows so good that they keep people from considering Android or Windows. But that seems kind of nutty and is belied by the availability of Apple TV+ on Amazon Fire as well as various TVs.


Update (2019-11-02): Jason Snell (tweet):

Consider the soul-sucking term ARPU. It stands for Average Revenue Per User (or, alternately, Unit), and it’s a useful-yet-noxious lens through which businesses can view their customers. Of course, businesses should be aware about how much revenue their customers are generating—the issue is more that focusing on ARPU is often a sign that a business is on a path that will attempt to wring every last penny out of its customers. It’s a sign of nickel-and-diming, sliding in hidden fees, and all sorts of other questionable practices that make sense if you’re looking at a balance sheet—but are so infuriating if you’re a customer.

On the phone call, Evercore Analyst Amit Daryanani asked Tim Cook directly about whether Apple’s growth in services revenue was based on growing the overall number of people using Apple products, or scratching more money out of the collective wallets of existing Apple customers. Cook walked that line[…]

Update (2019-11-06): Nick Heer:

Apple TV Plus doesn’t fit that archetype — not yet, anyway. This becomes plain if you compare it to the closest television equivalent to an Apple product that I can think of: HBO — a premium cable channel that features must-watch shows that are defined as much by their quality as their budgets, all without being interrupted by ads. Apple TV Plus is, so far, serving up fine shows with astronomical budgets, all for either a low monthly cost or, if you’ve bought a new Apple product recently, a free year’s trial. Are they going for subscription volume?

Apple TV Plus has just launched, and the app is more of a storefront for more established players in the streaming video market. They can get better at this, and they should. But I want to hear a reason for Apple to be in the streaming business beyond ARPU and subscription stickiness.

Giving Notes on China

Eddy Cue, just a few months ago:

There’s never been one note passed from us on scripts, that I can assure you. We leave the folks [alone] who know they’re doing.

Alex Kantrowitz and John Paczkowski (via John Gruber, Hacker News):

Apple’s recent actions in China are a continuation of the company’s years-long practice of appeasing Beijing. To do business in China, the company adopts to local dictates, distasteful as they may be to its CEO Tim Cook, an outspoken gay rights advocate and privacy crusader. It’s an ironic inversion of a longstanding argument in the West that by bringing China into the world trade system, the country would adopt western values. Instead, China is asking tech companies to adopt its values — and Apple is willing to pay that price.

In early 2018 as development on Apple’s slate of exclusive Apple TV+ programming was underway, the company’s leadership gave guidance to the creators of some of those shows to avoid portraying China in a poor light, BuzzFeed News has learned. Sources in position to know said the instruction was communicated by Eddy Cue, Apple’s SVP of internet software and services, and Morgan Wandell, its head of international content development. It was part of Apple’s ongoing efforts to remain in China’s good graces after a 2016 incident in which Beijing shut down Apple’s iBooks Store and iTunes Movies six months after they debuted in the country.

Nilay Patel:

If you want to be the face of “privacy is a human right” then you are also the face of “we brushed off a targeted attack against a religious minority in China” and “we told our TV creators not to piss off China”

Nick Heer:

The bigger story here can be found in an article yesterday from Shane Savitsky in Axios[…]

Jason Kottke:

The partnership between China and Western governments & corporations has hit a rough patch recently, namely the Hong Kong protests and how the NBA, Apple, and gaming company Blizzard have handled various responses to them on their platforms.

Ben Thompson:

And then there is Apple: the company is deeply exposed to China both in terms of sales and especially when it comes to manufacturing. The reality is that, particularly when it comes to the latter, Apple doesn’t have anywhere else to go. That, though, is where the company’s massive cash stockpile and ability to generate more comes in handy: it is past time for the company to start spending heavily to build up alternatives.


The biggest, shift, though, is a mindset one. First, the Internet is an amoral force that reduces friction, not an inevitable force for good. Second, sometimes different cultures simply have fundamentally different values. Third, if values are going to be preserved, they must be a leading factor in economic entanglement, not a trailing one.

Nick Heer:

Just a few months ago, Tim Cook denied that the company was exploring other places to build their products. The depth and extent of the electronics supply chain in China beggars belief — and, in one of those decades-old twists of fate, Cook helped make it so. There are loads of American tech companies that build products in China; Apple’s particular investment, though, is notable.

Nilay Patel:

It’s not hard to understand that carmakers in the US market build to California emissions standards because they are the strictest - it’s the most efficient choice.

Not a leap to think global companies will hold themselves to China’s speech restrictions for the same reason.

Josh Rogin (via Ryan Saavedra):

Last year, China severely punished Marriott after an employee in Omaha, Neb., “liked” a pro-Tibet tweet. Marriott profusely apologized and fired the employee.

Joe Rogan:

Superstar German DJ ‘permanently banned’ from China for liking a ‘South Park’ tweet

Noah Smith:

HOLY SHIT there are a lot of American companies doing pro-China censorship!!!

Tom Gara:

The new DreamWorks movie uses a map of Southeast Asia that contains the Chinese “nine dash line” that annexes basically all of the South China sea[…]


Update (2019-11-06): Chance Miller:

Apple, alongside viral video sharing app TikTok, skipped a congressional hearing today that focused on the relationship between the tech industry and China. The absence of an Apple representative drew ire from some lawmakers at today’s hearing.

Safari Safe Browsing, China, and Privacy

Matthew Green (tweet, Hacker News):

It appears that, at least on iOS 13, Apple is sharing some portion of your web browsing history with the Chinese conglomerate Tencent. This is being done as part of Apple’s “Fraudulent Website Warning”, which uses the Google-developed Safe Browsing technology as the back end. This feature appears to be “on” by default in iOS Safari, meaning that millions of users could potentially be affected.


Google first computes the SHA256 hash of each unsafe URL in its database, and truncates each hash down to a 32-bit prefix to save space.


If the prefix is found in the browser’s local copy, your browser now sends the prefix to Google’s servers, which ship back a list of all full 256-bit hashes of the matching URLs, so your browser can check for an exact match.


The weakness in this approach is that it only provides some privacy. The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many “bites at the apple” (no pun intended) in order to de-anonymize that user. A user who browses many related websites — say, these websites — will gradually leak details about their browsing history to the provider, assuming the provider is malicious and can link the requests. (There has been some academic research on such threats.)

MacJournals covered Safe Browsing back in 2008:

We must point out here that this system provides, indirectly, a way for Google to estimate what pages you’re visiting. If the URL of a page you want to visit matches the hash prefix of a known malicious page, Safari 3.2 appears to send that prefix to Google and ask for the entire 256-byte hash to make sure that this really is a malicious page (and also to verify that the page hasn’t been removed from Google’s lists since Safari’s last list update). Millions and millions of URLs could produce hashes that start with the same 32 bits, but if Google gets several requests for the same value, the company could reasonably infer that people were visiting the malicious page it had tracked—and since the request from Safari to Google comes from your IP address, Google might infer data from that as well. Mozilla’s privacy policy would forbid use of that data except to improve the service, but Apple’s privacy policy does not. Neither Apple nor Google state anywhere that they would only use such data to improve the phishing and malware protection features.


Safari 3.2’s “SafeBrowsing.db” file does not appear to contain data for Google’s whitelist, but the specification confirms that some clients can, with Google’s permission, use an “enhanced mode” that looks up each page you visit rather than maintaining the list on the client computer.

Rene Ritchie (MacRumors, Hacker News):

First, here’s Apple’s statement[…]


Because Safari is communicating with Google and Tencent, they do see the IP address of the device, and because they have the hash prefix, they do know the general pool to which the site belongs.

I assume the URLs are not very private, despite being hashed, because with knowledge of the full set of URLs and visit frequency, it’s probably possible to estimate what the hash prefixes map to. The main source of privacy is not the hashing but the fact that most URLs are only checked locally.

And you’d hope that only “unsafe” URLs would be looked up with Google/Tencent. But the implementation, at least initially, used a Bloom filter to save space. Since Bloom filters allow false positives, this means that the browser would be sending lookup requests even for some URLs whose prefixes didn’t actually match the local data set, i.e. ones that were not even suspected to be dangerous.

In a perfect world, a more privacy-centric company like Duck Duck Go or Apple would be able to maintain and use their own lists, both internationally and inside China. In the meantime, some system that anonymizes and relays requests, like Siri does or like Sign in with Apple, perhaps, could improve privacy within the current implementation.

This likely wouldn’t have much performance impact, since it would only affect URLs whose hash prefixes already matched.

John Gruber:

My assumption was that Apple was only using Tencent in mainland China, where Google services are banned. Apple’s statement today makes it clear that that is true. But Apple brought this mini-controversy upon itself, because Apple’s own description of the feature doesn’t specify when the Fraudulent Website Warning feature uses Google and when it uses Tencent.

John Gruber:

Via Dino Dai Zovi, a user on Hacker News disassembled the code for Safari’s Fraudulent Website Warning feature and verified that it only uses Tencent (instead of Google) if the region code is set to mainland China.