Archive for December 17, 2020

Thursday, December 17, 2020

Where Is End-to-End Encryption for iCloud?

Ole Begemann:

In a December 2020 video recorded for the European Data Protection & Privacy Conference, Apple’s Craig Federighi touts end-to-end-encryption for iMessage[…]

Apple has been using this self-congratulatory tone about their encryption efforts for years and I find it increasingly disingenuous. What Federighi fails to mention: if you have iCloud Backup enabled, that last claim (emphasis mine) is not the whole truth.


In other words, if you use Apple services as intended and recommended by Apple, a large portion of your most sensitive data is in fact not securely encrypted.


No More Downloadable macOS Updates

Normally, the delta and combo updaters are available for download here within a day of the macOS update becoming available via automatic software update. There was never an updater posted for macOS 11.0.1, but I didn’t think much of it because 11.0 wasn’t in wide circulation. But there are no updaters for macOS 11.1, either.

Mr. Macintosh:

Manual downloadable delta and combo updates for Big Sur are no longer available.

Howard Oakley:

If you feel that you “have a need for individual downloads for Big Sur delta/combo updaters”, please let Apple know. In the strongest possible terms, via Feedback, Apple Support and any other means available.

Unless a strong case is made for the reinstatement of standalone installer versions of Big Sur updates, it’s most likely that none will be provided for download – as has already happened with the 11.0.1 and 11.1 updates.

Otherwise, I guess the best solution is to download and keep a copy of each 12 GB full installer. You may be able to download it again later via the softwareupdate tool, but I’ve had mixed luck with that. Also:

Some digging has revealed that this password prompt is shown when the softwareupdate binary is called, and only on Apple Silicon devices.

Calling the softwareupdate binary is something which we Mac Admins have done for years, and it’s likely folks have workflows in place calling the softwareupdate binary which is then triggering this prompt.

So, what’s the fix? Short term, don’t call the softwareupdate binary on Apple Silicon devices and raise this issue with Apple.


Update (2020-12-24): Stephen Hackett:

These packages were also very useful while troubleshooting, and could often be used to fix software issues that didn’t require a full reinstall.

Tim Hardwick:

Apple hasn’t confirmed that it has ended update packages for macOS, but the current lack of standalone installers for Big Sur doesn’t look particularly good for users who rely on them.

That said, there is an alternative solution in the Sharing pane in System Preferences in the form of a Content Caching option, which enables one Mac to download updates and other Macs on the same network to download them directly from the local Mac.

Howard Oakley:

This doesn’t allow a client to install an update more than once. If something goes wrong and the first attempt to install that update causes problems, there’s no repeat button: if that Mac thinks the update has been applied, you can’t force your server to offer it again to that client.

Neither, it appears, is there any way of extracting a standalone installer from the updates cached locally.


Although the Content Caching Server is very useful for many users, and merits serious consideration by anyone with more than one Mac, it doesn’t address any of the use cases which have been put forward for the continuation of standalone software update installers.

Update (2021-02-08): Howard Oakley:

Just over month later, Apple released the update to 11.2. Not only are there still no standalone installers for that, and no explanation or (heaven forbid) apology, but Apple immediately removed the full 11.1 installer app, and still hasn’t provided standalone installer packages for the concomitant security updates to Mojave and Catalina. As things stand at the moment, even if you use sudo softwareupdate --fetch-full-installer --full-installer-version 11.1 at the command line, Apple’s servers tell you it wasn’t found. Download the current version of 10.15.7 using the same mechanism, and you’ll be given the version from last November, without either Security Update 2020-001 or 2021-001 installed.


I’m very grateful to @rosyna for pointing out that, as Big Sur should retain a pre-update snapshot, users could now be able to use that to revert to the previous System snapshot in the event that an update goes wrong, as 11.2 has for SoftRAID users.

I thought that Apple had removed support for automatic snapshots.

Pruning GitHub’s Code Search Index

GitHub (Hacker News):

Starting today, GitHub Code Search will only index repositories that have had recent activity within the last year. Recent activity for a repository means that it has had a commit or has shown up in a search result. If the repository does not have any activity for an entire year, the repository will be purged from the Code Search index.

That seems much less useful. I would rather have a comprehensive seach, even if it’s slower.

Little Snitch 5.1 Beta

Objective Development (tweet):

There has been a lot of turmoil about Apple excluding some of their own processes from third party firewalls. This release focuses on the problem and adds an option to uncover whitelisted connections in Network Monitor.

It cannot block them, however.


Update (2021-01-04): Murus (via Leo):

For the brave of you who like experimental software: Exclusions Blaster for #macOS #BigSur Monitor and block processes included in Content Filter Exclusion List.

iOS Autocorrect and the Delete Key

Hank Green:

On Android, if you type a word and it wrongfully autocorrects it, the moment you hit backspace it changes back. On iPhone, if you type a word and it wrongfully autocorrects it, and you delete it and retype it IT WILL CHANGE IT AGAIN TO THE EXACT SAME WRONG WORD.

Ken Kocienda:

When I created the original iPhone autocorrection code, I treated the delete key as an important signal, and I made sure that the software didn’t offer the same correction after a delete.

Not doing the wrong thing was just as important to me as doing the right thing.


Texas vs. Google

Russell Brandom:

In a bizarre video posted to the office’s verified Twitter account, Texas AG Ken Paxton says the company “repeatedly used its monopolistic power to control pricing” in online ads. “These actions harm every person in America,” Paxton continues. “It isn’t fair that Google can harm the web pages you visit and read.”


The most detailed allegation is that Google used its market power to sabotage “header bidding,” a practice that allows advertisers to route a single request through multiple exchanges at once. “Google viewed header bidding’s promotion of genuine competition as a major threat,” the complaint alleges, citing internal communications obtained as part of the probe.

Google eventually adopted the practice, allowing its ad server to route requests through multiple exchanges at once. But according to the complaint, Google rigged that system to rout requests to its own exchange, even when a competitor had submitted a higher bid.

From the complaint (PDF, Hacker News):

As internal Google documents reveal, Google sought to kill competition and has done so through an array of exclusionary tactics, including an unlawful agreement with Facebook, its largest potential competitive threat, to manipulate advertising auctions.


Header bidding is only possible if publishers can insert JavaScript code into the header section of their webpages. To respond to the threat of header bidding, Google created Accelerated Mobile Pages (“AMP”), a framework for developing mobile web pages, and made AMP essentially incompatible with JavaScript and header bidding.


Google ad server employees met with AMP employees to strategize about using AMP to impede header bidding, and how much pressure publishers and advertisers would tolerate. First, Google restricted the code to prohibit publishers from routing their bids to or sharing their user data with more than a few exchanges a time, which limited AMP compatibility with header bidding. At the same time, Google made AMP fully compatible with routing to exchanges through Google. Google also designed AMP to force publishers to route rival exchange bids through Google’s ad server so that Google could continue to peek at rivals’ bids and trade on inside information. Third, Google designed AMP so that users loading AMP pages would make direct communication with Google servers, rather than publishers’ servers. This enabled Google’s access to publishers’ inside and non-public user data. AMP pages also limit the number of ads on a page, the types of ads publishers can sell, as well as enriched content that publishers can have on their pages.


Google falsely told publishers that adopting AMP would enhance load times, but Google employees knew that AMP only improves the [redacted] and AMP pages can actually [redacted]. In other words, the ostensible benefits of faster load times for cached AMP version of webpages were not true for publishers that designed their web pages for speed.

Google also [redacted] of non-AMP ads by giving them artificial one-second delays in order to give Google AMP a [redacted][…] which Google uses to turn around and denigrate header bidding for being too slow.

Dan Luu:

One thing I’ve wondered about is how Google convinced so many employees that AMP was good with such transparently bad reasons.


Update (2021-01-01): Jason Kint:

WSJ has now reported Facebook and Google’s sketchy price fixing deal terms. Alleges the “duopoly” allocated their surveillance advertising biz and this sure seems to back it up.

Ashkan Soltani:

In 2015, @Facebook signed an exclusive agreement granting @Google access to millions of Americans’ end-to-end encrypted @Whatsapp messages, photos, videos, and audio files

@Google coordinated with @Facebook, @Apple, @Amazon, and @microsoft to delay privacy regulation because of its impact to Google’s ad business.

@Google cut off publishers’ ability to identify users (cookie-sync) purportedly on privacy grounds [p53], but permitted @Facebook to identify users in publishers’ auctions in order to better target and win more often in auctions.

Update (2021-01-18): Daisuke Wakabayashi and Tiffany Hsu:

Executives at six of the more than 20 partners in the alliance told The Times that their agreements with Google did not include many of the same generous terms that Facebook received and that the search giant had handed Facebook a significant advantage over the rest of them.


The disclosure of the deal between the tech giants has renewed concerns about how the biggest technology companies band together to close off competition. The deals are often consequential, defining the winners and losers in various markets for technology services and products. They are agreed upon in private with the crucial deal terms hidden through confidentiality clauses.

Update (2021-03-23): Adi Robertson and Russell Brandom:

But in the updated complaint, the states apply this argument to Google’s “Privacy Sandbox” — a tool that’s supposed to replace invasive third-party tracking cookies with a more limited system devised by Google.

“Google’s new scheme is, in essence, to wall off the entire portion of the internet that consumers access through Google’s Chrome browser,” the complaint reads. Blocking cookies might broadly be a good thing — other browsers like Firefox and Safari have already done it. But Chrome dominates the browser market, and it’s part of a much larger Google product suite. The suit argues that Google’s plans would require advertisers to use it as a middleman and would make Google’s own advertising system far more attractive.


Update (2021-04-16): Malcolm Owen:

Google used a secret program called “Bernanke” that used historical bidding data to give its ad-buying system a major advantage over its rivals, an antitrust lawsuit filing claims, a program that earned the company hundreds of millions of dollars in revenue.