Archive for December 19, 2019

Thursday, December 19, 2019

Twelve Million Phones, One Dataset, Zero Privacy

Stuart A. Thompson and Charlie Warzel (MacRumors):

[The data] didn’t come from a telecom or giant tech company, nor did it come from a governmental surveillance operation. It originated from a location data company, one of dozens quietly collecting precise movements using software slipped onto mobile phone apps. You’ve probably never heard of most of the companies — and yet to anyone who has access to this data, your life is an open book. They can see the places you go every moment of the day, whom you meet with or spend the night with, where you pray, whether you visit a methadone clinic, a psychiatrist’s office or a massage parlor.

The Times and other news organizations have reported on smartphone tracking in the past. But never with a data set so large. Even still, this file represents just a small slice of what’s collected and sold every day by the location tracking industry — surveillance so omnipresent in our digital lives that it now seems impossible for anyone to avoid.

[…]

The companies that collect all this information on your movements justify their business on the basis of three claims: People consent to be tracked, the data is anonymous and the data is secure.

None of those claims hold up, based on the file we’ve obtained and our review of company practices.

Yes, the location data contains billions of data points with no identifiable information like names or email addresses. But it’s child’s play to connect real names to the dots that appear on the maps.

Previously:

Update (2019-12-26): John Gruber:

What do we do about it?

Legislation? Make the collection of this sort of data highly-regulated? Is that even feasible with an internet that spans the globe?

Technical? Is there something Apple and Google can do?

I think Apple should empower users to see and control what apps do. Many apps don’t need network access for their core functionality. I should be able to block them from connecting, like I can with Little Snitch on the Mac. Other apps need the network to sync with iCloud, but I want to be able to enforce that’s all they’re doing—not accessing other sites or public CloudKit databases. For apps that need more connections, I should be able to see what servers they’re connecting to, and how often. This is not a solution, but it’s a first step. For example, having this information would make it possible to shame apps that are not well behaved. And apps that work well without making connections could be promoted, e.g. like games that don’t require IAPs.

Update (2019-12-27): John Gruber:

The Times needs to come to grips with the fact that they are a player in this racket.

Swift Evolution Pitch: Modify Accessors

Ben Cohen:

We propose the introduction of a new keyword, modify, for implementing mutable computed properties and subscripts, alongside the current get and set.

The bodies of modify implementations will be coroutines, and they will introduce a new contextual keyword, yield, that will be used to yield a value to be modified back to the caller. Control will resume after the yield when the caller returns.

This modify feature is currently available (but not supported) from Swift 5.0 as _modify, for experimentation purposes when reviewing this proposal.

[…]

We cannot yield the value in the array’s buffer directly because it needs to be placed inside an optional. That act of placing inside the optional creates a copy.

We can work around this with some lower-level unsafe code. If the implementation of Array.first has access to its underlying buffer, it can move that value directly into the optional, yield it, and then move it back[…] During the yield to the caller, the array is in an invalid state: the memory location where the first element is stored is left uninitialized, and must not be accessed. This is safe due to Swift’s rules preventing conflicting access to memory.

Previously:

ML Super Resolution in Pixelmator Pro

Pixelmator Team:

Until now, if you had opened up the Image menu and chosen Image Size, you would’ve found three image scaling algorithms — Bilinear, Lanczos (lan-tsosh, for anyone curious), and Nearest Neighbor, so we’ll compare our new algorithm to those three.

[…]

Until now, if an image was too small to be used at its original resolution, either on the web or in print, there was no way to scale it up without introducing visible image defects like pixelation, blurriness, or ringing artifacts. Now, with ML Super Resolution, scaling up an image to three times its original resolution is no problem at all.

Apple Platform Security Guide (Fall 2019)

Apple (PDF, via Rosyna Keller):

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.

[…]

Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac — without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn’t yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions — unavailable on any other mobile devices — to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at their center of their design.

There’s also a Web version.

See also: Behind the Scenes of iOS and Mac Security.

Previously:

Update (2019-12-20): Jeff Johnson:

Apple security folks, what does this mean? Is it a typo? apps that are not using Full Disk Access?

Update (2019-12-23): Perhaps it’s worded correctly, and the point is that apps can no longer access data or executable code that happens to be in the trash. Users don’t intend for the trash to be shared storage, but that’s what it ends up being without addtional protections.

See also: Ivan Krstić.

What’s New in Vapor 4

Tanner (tweet):

Vapor 4’s new dependency injection API is now based on Swift extensions rather than type names. This makes services offered by third party packages - and Vapor itself! - more discoverable and feel more Swift-native.

[…]

Vapor 4 upgrades to SwiftNIO 2.0. This release includes tons of great quality of life improvements, performance enhancements, and awesome features like vendored BoringSSL and pure Swift HTTP/2 implementation.

[…]

Vapor joined forces with Apple to help define common standards for core functionality like Logging and Metrics.

[…]

Fluent 4’s model API has been redesigned to take advantage of property wrappers in Swift 5.1. Property wrappers give Fluent much more control over how models work internally, which has been key to enabling long-requested features like a concise API for eager loading.

[…]

Vapor 4 includes a new testing framework that makes it easier to test your application using XCTest.

Previously:

Update (2020-02-04): Felix Schwarz:

Vapor Cloud will be shutting down on February 29th.

Vapor:

We are sad to announce that Vapor Red will be shutting down on February 29th.

WinterFest 2019

WinterFest:

Winter is coming. It’s time to take a deep breath and roll up your sleeves.

It’s the time for new plans and fresh projects and great new ideas. Whether you’re mapping out your next novel, finishing your dissertation, planning a product, or writing memories for your grandkids, these great tools will help.

As is our custom in this season, we’re hosting a gathering of software artisans who are working to transform research and writing for a new era. We’ve all finished our latest updates, we’re working together to save you lots of money.

25% off some venerable Mac apps and promising newcomer Hook, which makes it easy to create links between different documents and apps (including EagleFiler).

Previously:

How Clean Re-installs Change in Catalina

Howard Oakley:

Because you want to re-install macOS, the logical thing to do would be to wipe the System volume, which suggests that you could get away with retaining your own files on the Data volume through a clean re-install. Sadly, that’s wrong.

[…]

To perform a clean re-install in Catalina, once in Recovery Mode, you need to wipe your Data volume, that’s the one named Macintosh HD - Data, or something similar if you are using a custom name. There are two ways to do this in Recovery Mode: you can select the volume at the left of Disk Utility’s window then click on Erase, or you can select the volume and use the Delete APFS Volume command from the Edit menu (a shortcut to this is to click the – tool).

[…]

At one time, the Recovery volume contained sufficient to restore the current version of macOS if you have entered ‘local’ Recovery Mode using Command-R, but this doesn’t seem to work any more. Whichever type of re-installation you have set now requires that version of macOS to be downloaded afresh.