Archive for December 16, 2020

Wednesday, December 16, 2020

Preview in Big Sur Destroying PDFs Again

Manuel Grabowski (Hacker News):

In the lower half is the result after modifying (removed a blank page) and saving that same PDF in Preview.

Hard to believe, but that’s not the first time Apple messed this up. Sure, even Apple can’t account for all use cases when changing complex stuff like internal PDF handling. But:

  • The iX500 is an insanely popular and common scanner
  • I don’t know any OCR software that is more popular than ABBYY FineReader
  • macOS used to be the absolute best in class OS for dealing with PDFs by a long shot

As with the macOS 10.12 bug—was it not added to a regression test suite?—this doesn’t affect all PDFs with text layers, apparently just those created by ABBYY FineReader.

As Grabowski says, PDF support on macOS used to be great, but I don’t think it’s yet recovered from the rewrite five or so years ago. I’m still seeing slow progressive rendering, intermittent glitches where pages go blank, and buggy scrolling. Big Sur did fix a Catalina regression that broke clickable links by truncating the URL.


Update (2021-01-04): Jonas M. Ribe:

I wouldn’t put this on Big Sur. The bug has existed in some form since the PDFKit rewrite (Sierra). Fewer people run into it after Preview started doing incremental saves for some PDF operations (High Sierra?). Deleting a page in Preview still does a full save and can break text.

Podcasts in Big Sur


All other things notwithstanding, revisiting Podcasts is informative. Nearly all of it seems to still hold true. Someone is awake at the switch somewhere since Cmd+L now does jump to the “show” of the current episode, but it doesn’t select the episode and scroll it into view to let you pick neighboring episodes. Indeed, it first loads an empty list and then visibly populates it with data, leaving you at the top.

Furthermore, I am now thrilled to discover that hitting Space in Podcasts no longer play/pauses.


[It] still looks, feels and behaves more like a poorly written web app, a mélange of UI goo scraped out of a foreign metaphor and allowed to set without much customization or supervision.

I have little interest in playing podcasts on my Mac, but I liked that iTunes made it easy to download and archive them locally. This avoids filling up my phone, lets me flag favorite episodes and add notes, and protects me from losing episodes if a feed disappears or starts requiring a subscription.

Apple’s Podcasts app is not fit for this purpose because its interface makes it harder to manage episodes and because, instead of organizing them on disk with friendly folder and filenames, it dumps a bunch of UUIDs all into the same folder.

So I’ve been using Downcast as my podcast downloader. It actually works better for this than iTunes did, except that for years I’ve been plagued by sandbox issues where its security-scoped bookmarks go bad and it loses access to files in its own container. The last time this happened I very nearly switched to gPodder, Gtk interface and all, but with the developer’s help I was able to get Downcast working again.

The takeaway, from a programming point of view, is that even though security-scoped bookmarks claim to be able to give you the file’s previous path even when the bookmark can no longer be resolved, you can’t rely on this. You need to store your own copy of the path so that if the bookmark breaks (which seems to happen all the time, even for folders that were never moved) you can prompt the user for access and create a new bookmark.
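As an added example (not Downcast’s code or anything from the original post), here is that pattern in Swift: a small per-folder record that keeps the app’s own copy of the path next to the bookmark data, a resolver that treats the path Foundation recovers from broken bookmark data as no more than a hint, and an NSOpenPanel fallback that re-prompts the user and mints a fresh bookmark. The `FolderAccess` type, the function names and the extra readability check are assumptions made for illustration; the Foundation and AppKit calls are the real ones.

```swift
import AppKit
import Foundation

// Added example, not the app's own code. Assumes the app persists one of
// these per folder it needs access to (e.g. via Codable in its preferences).
struct FolderAccess: Codable {
    var bookmark: Data
    var lastKnownPath: String   // our own copy; never rely on the bookmark for this
}

enum AccessError: Error { case userCancelled, notReadable }

/// Creates a security-scoped bookmark and records the path alongside it.
func makeBookmark(for url: URL) throws -> FolderAccess {
    let data = try url.bookmarkData(options: .withSecurityScope,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    return FolderAccess(bookmark: data, lastKnownPath: url.path)
}

/// Resolves the stored bookmark, rewriting the record when Foundation flags it
/// stale or when the user has to re-authorize. The returned URL has
/// startAccessingSecurityScopedResource() already called on it.
func resolve(_ record: inout FolderAccess) throws -> URL {
    var stale = false
    if let url = try? URL(resolvingBookmarkData: record.bookmark,
                          options: .withSecurityScope,
                          relativeTo: nil,
                          bookmarkDataIsStale: &stale),
       url.startAccessingSecurityScopedResource() {
        // Assumption: a resolve that "succeeds" can still hand back a folder we
        // cannot actually read, so verify before trusting it.
        if FileManager.default.isReadableFile(atPath: url.path) {
            if stale, let fresh = try? makeBookmark(for: url) {
                record = fresh          // Foundation asked us to regenerate it
            }
            record.lastKnownPath = url.path
            return url
        }
        url.stopAccessingSecurityScopedResource()
    }

    // Bookmark is broken. Foundation may still recover the old path from the
    // bookmark data, but that is exactly the part that cannot be relied on,
    // so use it only as a hint and fall back to the copy we stored ourselves.
    let hint = URL.resourceValues(forKeys: [.pathKey],
                                  fromBookmarkData: record.bookmark)?.path
        ?? record.lastKnownPath
    let url = try reauthorize(startingAt: hint)
    record = try makeBookmark(for: url)
    return url
}

/// Prompts the user to re-grant access, starting the panel at the last known path.
func reauthorize(startingAt path: String) throws -> URL {
    let panel = NSOpenPanel()
    panel.message = "Access to this folder was lost. Please select it again."
    panel.canChooseDirectories = true
    panel.canChooseFiles = false
    panel.allowsMultipleSelection = false
    panel.directoryURL = URL(fileURLWithPath: path)
    guard panel.runModal() == .OK, let url = panel.url else {
        throw AccessError.userCancelled
    }
    guard url.startAccessingSecurityScopedResource() else {
        throw AccessError.notReadable
    }
    return url
}
```

Two details worth noting: `bookmarkDataIsStale` only tells you to regenerate a bookmark that did resolve; a bookmark that fails to resolve at all goes straight to the fallback path, and whether `URL.resourceValues(forKeys:fromBookmarkData:)` still yields a usable `.pathKey` at that point is not something to count on. The panel’s `directoryURL` is just a convenience for the user; the access grant comes from what they actually pick.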


Facebook Protests App Tracking Transparency

Tom Warren (Hacker News):

Facebook is publicly criticizing Apple’s upcoming iOS privacy changes in full-page newspaper ads today.

Dan Levy:

Apple’s new iOS 14 policy will have a harmful impact on many small businesses that are struggling to stay afloat and on the free internet that we all rely on more than ever.


They’re creating a policy — enforced via iOS 14’s AppTrackingTransparency — that’s about profit, not privacy. It will force businesses to turn to subscriptions and other in-app payments for revenue, meaning Apple will profit and many free services will have to start charging or exit the market.


Our studies show, without personalized ads powered by their own data, small businesses could see a cut of over 60% of website sales from ads.


They’re not playing by their own rules. Apple’s own personalized ad platform isn’t subject to the new iOS 14 policy.

Facebook is not wrong that this is bad for businesses buying and selling ads. And Apple is not playing fair. But, as an iOS user, I do like being offered the choice to control tracking. It seems like a reasonable compromise, compared with other cases where the App Store forbids certain business models entirely.

Joe Rossignol:

A refresher on the situation: Starting early next year, Apple will require apps to get opt-in permission from users to collect their random advertising identifier, which advertisers use to deliver personalized ads and track how effective their campaigns were. This will occur in the form of a prompt that shows up when users open apps on iOS 14.


“We believe Apple is behaving anti-competitively by using their control of the App Store to benefit their bottom line at the expense of app developers and small businesses,” said Facebook. “We continue to explore ways to address this concern.”

As one course of action, Facebook is now showing its support for Fortnite maker Epic Games’ antitrust lawsuit against Apple. Facebook said that it will be providing the court overseeing the case with information on how Apple’s policies have adversely impacted Facebook and the people and businesses who rely on its platform.

Apple (also: Mike Isaac):

An Apple spokesman disagreed, telling CNBC its own apps and services have to comply with its tracking rules and that its own ad network, called SKAdNetwork, is free for developers and Apple doesn’t make any money off it.

“We believe that this is a simple matter of standing up for our users. Users should know when their data is being collected and shared across other apps and websites — and they should have the choice to allow that or not,” Apple said in emailed statement. “App Tracking Transparency in iOS 14 does not require Facebook to change its approach to tracking users and creating targeted advertising, it simply requires they give users a choice.”


Update (2020-12-24): Filipe Espósito:

As noted by some users today and now confirmed by 9to5Mac, Facebook is now promoting banners on some of its iOS apps, once again criticizing Apple for the changes in App Store privacy guidelines.

Rob Jonson:

If developers were allowed to make functionality conditional on tracking, then transparency would be 100% justified. ‘You can get facebook for free if you let us track you to serve ads’. Apple doesn’t allow that because they care about killing ad revenue, not customer choice.

John Gruber:

There’s nothing “forced” about the software update Facebook is talking about either, which, I think, is going to be iOS 14.4. It’s actually quite interesting that Apple does not force software updates, or perform them in a hard-to-disable-or-detect manner.

Apple does, in that sometimes an iOS update reverses the preference you set and turns future auto-updates back on. If you don’t update, iOS constantly nags you. New devices require new OS versions. You can’t downgrade a device. In practice, updates end up being mandatory.

Jack Wellborn:

Usually companies in big public disputes like this construct their arguments on competing assumptions. What’s interesting here is that Facebook’s prognostications of doom are based on the exact same assumption Apple used to justify these prompts to begin with — that no one will volunteer to be tracked if given the choice.

Lukas Mathis:

Personalized ads that use user tracking measure ads based on a direct causal relationship between users seeing an ad, and users acting on that ad by buying the product advertised in the ad. By that metric, the vast majority of ads just don’t work. People don’t see an ad for a product, and then buy that product immediately, or perhaps a few days later.

(In fact, every time scientists try to measure the effectiveness of advertising, it turns out to not be very effective at all.)

Instead, the way ads work is that when people decide to buy a product, they will have more trust in products whose ads they see consistently, and whose products they associate with publications they trust.


If Facebook wanted to increase the value of its ads, they would join Apple in fighting against user tracking, because in the end, it will increase the value of its ads. The less advertisers know about the direct causal effects their ads have, the higher they will value them.

See also: Josh Centers, EFF, Anupam Chugh, Hacker News.

Update (2021-01-01): Brad Hill:

I shouldn’t be surprised anymore but it is amazing that none of the press coverage I’ve read of Apple’s iOS 14 changes re: advertising has managed to mention at all the single most salient fact of the situation.

It’s not that Apple requires developers to ask users if they consent to sharing data with 3rd parties.

It’s that Apple forbids developers from doing anything differently when users decline.

No, “Share your data to enable meaningful ads, or pay $15 to use this app,” no “Enable personalized advertising to unlock premium features,” not even, “You’ll see more, less valuable, ads if you decline.” That would be user choice.

Update (2021-01-13): Chance Miller:

As first reported by iMore, Facebook has sent another round of emails to businesses informing them that while it disagrees with Apple’s planned changes, it has no choice but to follow them. Facebook says that the App Tracking Transparency feature, which requires apps to obtain consent from users before tracking them across other websites and apps, will have “hard-hitting implications across targeting, optimization, and measuring campaign effectiveness.”

SolarWinds Breach

Reuters (via Zack Whittaker, Hacker News):

On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.


Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”


Others - including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress - noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

TJ Luoma:

Wait… is this the same SolarWinds that bought Pingdom a few years ago?

SaveBreach (via Hacker News):

As per the screenshot posted by Vinoth, which we wrote about in our previous post, SolarWinds were possibly using an unencrypted plain FTP server for their Downloads server in the age of global CDN technologies. However, while not a direct attack vector, it’s very likely that the FTP server had more vulnerabilities, and unencrypted communication can always be intercepted and modified. But we don’t believe this may be something as concerning as the FTP password leak.


To corroborate his claim, Vinoth shared the following link to the configuration file that was exposed in the mib-importer GitHub repo possibly belonging to a SolarWinds employee[…] So we concluded that the credentials to the FTP server and other potentially sensitive information in that exposed repository possibly existed for more than 1 year in the public domain until Vinoth reported it to the SolarWinds PSIRT.


Update (2020-12-24): See also: Brian Krebs, Nick Heer, Bruce Schneier.

John Gruber:

This hack should be Exhibit A in the response to every future dummy in the government who advocates for mandatory encryption backdoors on the grounds that you can trust the government with the keys.

Update (2021-01-01): Bruce Schneier:

Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.


SolarWinds has removed its customer list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.

Microsoft (via Hacker News):

Our investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds code in our environment. This activity has not put at risk the security of our services or any customer data, but we want to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.

Update (2021-02-05): See also: Bruce Schneier.

Update (2021-09-08): Bruce Schneier:

Robert Chesney wrote up the Solar Winds story as a case study, and it’s a really good summary.

Update (2023-05-03): Bruce Schneier:

New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandiant detected it in December 2020, but didn’t realize what it detected—and so ignored it.

Nick Heer:

Zetter’s thorough investigation into the circumstances of the 2020 SolarWinds breach — including her previously reported story about the FBI’s foreknowledge — is worth your time. It is also a reminder to me that the circumstances of Bloomberg’s Supermicro story, another supposed supply chain compromise, remain mysteriously uncorroborated and without similar on-the-record journalism.