Archive for December 20, 2019

Friday, December 20, 2019

Apple Stops Staingate Repairs After 4 Years

Joe Rossignol:

Apple continues to authorize free display repairs for eligible MacBook and MacBook Pro models with anti-reflective coating issues for up to four years after the affected notebook’s original purchase date, the company said in an internal memo distributed to Apple Authorized Service Providers this week.

[…]

Over the years, the issues have led to an online petition with nearly 5,000 signatures, a Facebook group with over 17,000 members, and complaints across the Apple Support Communities, Reddit, and our own MacRumors forums. A so-called “Staingate” website was set up to share photos of affected MacBooks.

Macs should last much longer than 4 years. If large numbers of them fail due to a design or manufacturing problem, Apple should recall them and replace them with a fixed version. Instead, they tried to keep the problem a secret and ran out the clock.

For the 2016 MacBook Pro keyboards, there is a public repair program, but it only lasts for 4 years. Yet they just replace one defective keyboard with another, so the problem is bound to recur after you’re no longer eligible. And, even within the 4-year window, some customers have been denied more than 2 repairs.

Flickr Needs More Paying Users

Connie Loizos (Hacker News):

In an email tonight to users of Flickr who pay roughly $50 annually for the service, MacAskill has basically asked them if they know anyone else who might be interested in a yearly subscription to Flickr, explaining that it “still needs your help. It’s still losing money.”

[…]

To sweeten the deal for new subscribers, SmugMug is offering 25% off a Flickr Pro account for those who visit this link and input the code 25in2019.

Don MacAskill (tweet):

Flickr is the world’s largest photographer-focused community. It’s the world’s best way to find great photography and connect with amazing photographers. Flickr hosts some of the world’s most iconic, most priceless photos, freely available to the entire world. This community is home to more than 100 million accounts and tens of billions of photos. It serves billions of photos every single day. It’s huge. It’s a priceless treasure for the whole world. And it costs money to operate. Lots of money.

[…]

Every Flickr Pro subscription goes directly to keeping Flickr alive and creating great new experiences for photographers like you. We are building lots of great things for the Flickr community, but we need your help. We can do this together.

Louie Mantia, Jr.:

I can take a really nice picture from my very nice iPhone. And on my iPhone, I can view it how it was meant to be seen. But if I post it to a social network, it will be compressed because the convenience of delivery outweighs the full quality weight of the file.

A. Lee Bennett Jr.:

People are perpetually complaining about @Flickr and the price increase for a Pro account.

But what Louie is describing is exactly why there is value in Flickr Pro. One of the few places that stores your original photos, uncompressed, and EXIF data intact.

Mac Bug Bounty Program Opens

Apple (Hacker News, MacRumors):

As part of Apple’s commitment to security, we reward researchers who share critical issues with us through the Apple Security Bounty. You can now earn up to $1,500,000 and report issues on iOS, iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities.

Apple Security Bounty:

These eligibility rules are meant to protect customers until an update is available, ensure Apple can quickly verify reports and create necessary updates, and properly reward those doing original research.

[…]

Not disclose the issue publicly before Apple releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue).

It sounds like you don’t get paid until (and unless) Apple fixes the bug.

Update (2019-12-20): Jeff Johnson:

iOS 13 and macOS 10.15 may have huge security holes that we haven’t heard about yet — that even Apple haven’t heard about yet! — because everyone started hoarding their bugs after the bounty program was announced back in August, while those major OS updates were still in beta.

Rob Napier:

I’d be most concerned about a system that used payment to prevent disclosure without fixing the issue. That achieves none of the goals.

I’m ok with “if you disclose early you don’t get paid.” That creates reasonable trade-offs for both sides. If Apple thinks the bug isn’t as important as you do, then Apple should be ok with you disclosing it. But if it’s very complex, then it could take months to fully fix.

[…]

Where I’d be concerned is if submitting the bug creates an NDA situation, paid or not. That would definitely be a problem.

Alas, that seems to be how the bug bounty program is designed.

Update (2020-04-20): Jeff Johnson:

Here’s the problem, though. What happens if a reported issue is not addressed for a very long time: 9 months, 12 months, or even more? Does Apple refuse to pay the bounty during that time? […] The Apple Security Bounty eligibility rules also state that researchers must “Not disclose the issue publicly before Apple releases the security advisory for the report”. As discussed recently by Google Project Zero, it’s common industry practice to disclose reported vulnerabilities after 90 days, but the rules of the Apple Security Bounty could force vulnerability reporters to remain silent indefinitely, which is unacceptable.

[…]

I hope that Apple has a good solution to this problem, and that Apple’s intention is not just to keep vulnerabilities a secret for as long as possible by dangling a bounty in front of the reporters.

The hacker-friendly phones announced at the same conference don’t seem to be available yet.

Update (2020-04-22): Francisco Tolmasky:

RE: Unbounded bug fix times. My further concern is whether you become persona non grata for future reports if you decide on principle to disclose your bug after 90 days despite losing your bounty reward.

Jeff Johnson:

I’m thinking about withdrawing from the Apple Security Bounty program.

I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific.

Also, Apple Product Security has ignored my last email to them for weeks.

[…]

It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible.

Project Connected Home Over IP

Apple (via Hacker News):

The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use. By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol. The project intends to use contributions from market-tested smart home technologies from Amazon, Apple, Google, Zigbee Alliance, and others.

See also: Project Connected Home over IP.

Update (2019-12-23): Benjamin Mayo:

Like everyone else, I was sceptical the moment the news broke. Why would these companies suddenly want to play happy families, after five years of constructing fiefdoms?

Well, I think I’ve figured out the motivations. This open protocol commoditises access to appliances and accessories. For manufacturers today, getting their stuff to work (and certified) with proprietary platforms is expensive and time consuming, especially for HomeKit. An open initiative should break down those walls and reduce costs. For Apple, Amazon and Google, they don’t base their business on the smart home accessories themselves. Their interest is in the voice assistants, in the intelligence layer, in the hardware and services that manage the accessories. And this doesn’t threaten that at all.

Update (2020-01-10): See also: The Talk Show.

The Cub Programming Language

Louis D’hauwe:

Cub is an interpreted, dynamically typed, scripting language inspired by Swift. This project includes a lexer, parser, compiler and interpreter, all written in Swift.

Cub is used for OpenTerm’s scripting feature. A language guide is available in OpenTerm and online. Cub was derived from Lioness (my first programming language).

The standard library (abbreviated: stdlib) contains basic utility functions, for example to convert from/to dates.

Via Ezekiel Elin:

Found in the Apple Research app

Hamish Sanderson:

The author joined Apple in 2018 as an Xcode engineer. Read as much or as little into that as you want.

(Not that I’m thrilled by the thought of yet another 1990s-era scripting lang, but honestly at this point any sign of a clear automation strategy at Apple would be welcome.)