Archive for November 24, 2021

Wednesday, November 24, 2021

Apple Sues NSO Group

Apple (PDF, Hacker News, Reddit):

Apple today filed a lawsuit against NSO Group and its parent company to hold it accountable for the surveillance and targeting of Apple users. The complaint provides new information on how NSO Group infected victims’ devices with its Pegasus spyware. To prevent further abuse and harm to its users, Apple is also seeking a permanent injunction to ban NSO Group from using any Apple software, services, or devices.

Nicole Perlroth:

The lawsuit is the second of its kind — Facebook sued the NSO Group in 2019 for targeting its WhatsApp users — and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools.

[…]

The sample of Pegasus gave Apple a forensic understanding of how Pegasus worked. The company found that NSO’s engineers had created more than 100 fake Apple IDs to carry out their attacks. In the process of creating those accounts, NSO’s engineers would have had to agree to Apple’s iCloud Terms and Conditions, which expressly require that iCloud users’ engagement with Apple “be governed by the laws of the state of California.”

The clause helped Apple bring its lawsuit against NSO in the Northern District of California.

John Gruber:

Apple repeatedly refers to the “FORCEDENTRY” exploit by name. This is not PR bullshit — they’re talking about a very specific exploit. Second, they refer to Android as their compatriot, not their competitor. There’s a time and place for Apple to brag about iOS being more secure than Android, but this isn’t it. The message here: “This isn’t just about us, NSO Group is after everyone.”

John Gruber:

I genuinely wonder what Apple’s goals are with this suit. Is it just to bring NSO Group’s activities to light? If this goes to trial, the testimony should really be something to see. How much in damages will Apple seek at trial? Enough to bankrupt NSO Group?

Jason Snell:

Say what you will about Apple’s policies regarding bug bounties and other security issues—the company is capable of spending a nearly infinite amount of money on lawyers who will try to make NSO Group’s existence painful for a very long time.

Maxwell Swadling:

Are you taking any steps to improve platform security processes to prevent what happened over the last 2 years? Such as addressing security disclosures quicker, opening up the security researcher program or catching more issues internally that Project Zero picks up externally?

Stefan Esser:

NSO has managed what a lot of legitimate security researchers have been unable to do: make people see the security of iPhones in a more realistic light. Furthermore, Apple going after people who discover security problems in their products is just a normal Apple tactic anyway.

Never forget that when NSO was first caught and the first time the general public learned about PEGASUS it was Apple who threatened Lookout to not release samples to the public. Nice AppStore app you have there. It would be a shame if something happened to it.

Yeah also never forget that System and Security info which was capable of finding PEGASUS on your iPhone was banned from the Apple App Store because Apple did not want their customers to be able to see if they were infected.

Steve Troughton-Smith:

Observation from Apple’s NSO complaint: Apple, curiously, completely omits any mention of App Store or lack of sideloading as a fundamental security measure of iOS. Almost as if they no longer believe they can rely on that point to remain in their favor.

Orin Kerr:

According to its CFAA claim filed today, Apple thinks that when your iPhone’s operating system is hacked, Apple is hacked-- and it can sue-- because Apple still owns the operating system on your iPhone.

Hmm, seems like a pretty big stretch to me.

Apple:

Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent. State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks.

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users in two ways[…]

Nick Heer:

One of the minor privacy flaws of iMessage is that it will automatically tell you whether someone else has enabled it. All you have to do is type an email address or a phone number into the “To:” field in Messages; if it turns blue, it is an iMessage account and, therefore, associated with an Apple ID and an Apple device. In a vacuum, this is not very meaningful, but it appears that NSO Group was using a similar technique to figure out where to send its spyware.

[…]

I cannot find any reports of Apple notifying potential victims of state-sponsored attacks, so this appears to be a new policy. Twitter was doing this in 2015, and Google in 2012.


Update (2021-12-13): John Gruber:

Fascinating to consider that the U.S. State Department is only aware of this hack because Apple notified the affected employees. That’s certainly how this report reads.

The MacBook Pro Notch

Tom Warren:

Snazzy Labs owner Quinn Nelson has posted two videos on Twitter demonstrating some of the early notch issues. The main video demonstrates what appears to be a bug in macOS. Status bar items like Apple’s battery indicator can get hidden underneath the notch when status bar items are extended.

Nelson demonstrates this with iStat Menus, which can be hidden under the notch or can force system items like the battery indicator to be hidden underneath the notch. While Apple has issued guidance to developers on how to work with the notch, the developer behind iStat Menus says the app is just using standard status items and that Apple’s dev guidance “won’t solve the issue presented in the video.” This doesn’t appear to be intended behavior, as the notch works differently inside certain apps.

Jason Snell:

You could imagine this notch being a major pain point for developers and users alike, but it’s not. And that’s thanks to the menu bar, a Mac convention since day one that provides the perfect place to hide a display cutout. The menu bar has been given a little extra height to completely encompass the notch, and menu items automatically move to the other side of the chasm if there isn’t room for them to fit.

It takes no time to get used to having a notch at the top of the display. And it’s a good use of space since moving the menu bar up into what would otherwise have been unused bezel means that there’s more room downstairs for everything else. (I see now why Apple changed the metrics on the menu bar in macOS Big Sur—it was clearly laying the groundwork for this display. Add in the curved-edge highlights that appear when you click on a menu-bar item and the whole approach really looks great.)

Howard Oakley:

If you obsess about it, I’m sure it could become irksome, but I barely notice it.

John Gruber:

The notch in the menu bar for the camera is very weird at first. The mouse pointer passes under it, so it just disappears when in the center of the menu bar. That’s really weird! If I had written this review a week ago, after my first day with the machine, I’d have written a lot more about the notch. One week in, I’m just not noticing it. One notch-related change I’m still getting used to is the taller menu bar. It makes the menu titles look even more disconnected from the actual menus. It’s interesting that last year’s redesigned menu bar in MacOS 11 Big Sur was seen by some as laying UI groundwork for future touch screen support in MacOS, but it now seems clear it was redesigned to more elegantly fit with the notch. You’ll notice that most of Apple’s product photography for these new MacBooks shows them with dark desktop pictures. With default translucency settings, a dark desktop gives you a dark menu bar, and a dark menu bar disguises the notch.

D. Hardawar:

Upon first glance, it’s almost laughable that Apple is leaning even more into a design element that everyone hates. But, honestly, the notch isn’t a big deal.

Stephen Hackett:

A week in, I’ve mostly forgotten it’s there.

Nilay Patel and Monica Chin:

But to me, rather than thinking of the notch eating into the display, I think of the display getting larger except in that one spot. The MacBook Pro effectively has a 16:10 display with a little extra bit at the top where the menu bar and the notch live. You stop noticing it after just a few minutes, just like you stopped noticing the iPhone notch.

Riccardo Mori:

On the Mac, the notch visually splits the menu bar, a UI element you interact with all the time. The notch covers, occupies a part of the menu bar that could be devoted to displaying menu items and menu extras. This isn’t a real problem when you have apps with just a few menus. But with more sophisticated and professional apps, with many menus on the menu bar reaching and even surpassing the middle point, then yes, the notch is definitely in your way and you can’t tell me you’re not going to notice it. When you launch an app with lots of menus on one of the new MacBook Pros, all the ‘excess menus’ will get moved on the right, and the notch will of course be a sort of gap between them. So, according to Linda Dong (Apple Design Evangelist), developers now need to take the notch into account when designing their apps (more unnecessary work for them, but who cares, right Apple?)

Fred McCann:

It’s tempting to call this bad design, but this looks more to me like someone who was responsible for making a product level decision refused to make a decision about what was the most important thing and shipped a broken compromise.

[…]

What’s not evident from this screenshot is that menu items are under the hole, inaccessible. Unlike menus which wrap around the hole, menubar items simply disappear. This isn’t some Bartender behavior, this is the default behavior in the operating system.

[…]

What were the product people at Apple thinking? I can’t know for sure but I suspect they thought thin bezels, a better webcam, and a nicer screen were all equally important. This is another way of saying no one at Apple actually decided what the most important thing was. They punted.

[…]

The one thing the product people at Apple thought wasn’t important was a working menubar.


Update (2022-01-17): Matt Birchler:

I’m here to say that yes, I notice the notch on the 2021 MacBook Pro every single time I use the computer, and yes, it’s annoying.

MacBook Pro 2021 Reviews

Jason Snell:

The new 14- and 16-inch MacBook Pro models usher in a new era in Apple laptops. These are the first high-end Macs to be powered by Apple-designed processors, and that’s a big deal—but they also reject the minimalist design mid-2010s Apple, which achieved design simplicity by forcing complexity and frustration on users.

These new MacBook Pros are a success story not just because of Apple’s custom-built processors, but because Apple has admitted (in deeds, if not words) that the previous generation of laptops were a misstep.

[…]

I’m happy to report, it’s true—all of it. Apple has undone its mistakes of the past few years and created a laptop that’s essentially a Mac Pro you can slide into a backpack.

John Gruber:

A few factors contribute to this sense of thickness. The first is that the new MacBook Pros are more rectilinear. We tend to think of the MacBook Air as the tapered MacBook, but MacBook Pros have been tapered for years. Looking at the new model next to last year’s M1, it’s striking just how far from flat the previous design is. The 13-inch MacBook Pro is 0.61 inches thick only in the middle. The new 14-inch MacBook Pro is 0.61 inches thick from edge to edge, front to back.

[…]

Apple’s best products have always been both tools for work and objects of art. Almost every single change with these new MacBook Pros is in the name of making them better tools for work. Conversely, the controversial decisions that went into the Touch-Bar-era MacBooks were in the name of artistic purity. Minimalism trumping practicality. They were out of balance.

[…]

That, to me, explains the entirety of this new MacBook Pro. The differences between a MacBook Pro and MacBook Air should not be subtle. Let the truck be a truck, true to its purpose. Let the MacBook Pro be unabashedly pro.

D. Hardawar (Hacker News):

But lean in a bit closer and you’ll notice some retro flourishes. They’re slightly thicker, with more bulbous edges that hearken back to Apple’s notebooks from the 2000s. They’re also heavier than you’d expect: the 14-inch model comes in at 3.5 pounds, while the 16-inch varies between 4.7 and 4.8 pounds, depending on the chip you choose. That’s about half a pound heavier than the last 16-inch MacBook Pro.

Nilay Patel (tweet):

It’s easy to be excited about the new MacBook Pros — it feels like Apple finally listened to everyone and brought back the best parts of the beloved 2015 MacBook Pro, while pushing the display and performance to new heights.

Austin Mann:

I really wish there was a matte/non-glare screen option. Years ago, this was an option on Apple’s laptops, and with the recent Pro Display XDR “nano-etch” anti-glare option, I was crossing my fingers we might see something similar on the MacBook Pro.

Stephen Hackett:

For the nearly nine years between the two machines, the keyboard’s feel isn’t radically different. The new keys seem slightly larger, have less space between them and feel more stable, somehow. The sound is a little deeper, but I’ve gotten used to the new keyboard pretty quickly.

[…]

My new 14-inch machine packs a lot more pixels than my 15-inch Retina MacBook Pro.

Nilay Patel and Monica Chin (tweet):

So yes, the ports are definitely more convenient, and totally fine for most situations, but there are still reasons to visit dongletown. For example, macOS Monterey now supports variable refresh rate external displays using a Vesa standard called Adaptive-Sync, but Apple tells me you’ll need a Thunderbolt to DisplayPort dongle for that. I also ran into a strange bug where sending audio out over HDMI resulted in stuttering video and glitchy audio, which Apple says it is looking into.

[…]

Lastly, the speakers on these new MacBook Pros are terrific. The first thing we did with these when we got them was open up a video to check out the new displays, but the first thing we noticed was that the speakers are so good. They are clear and crisp, with some actual low-end from four woofers, and they get super loud. It’s impressive — and while the 14-inch speakers are really good, the 16-inch models in particular have the best speakers we’ve ever heard on a laptop.

[…]

A lot of you asked whether the extra money for the M1 Max is worth it, and after all that, we think the answer is: no, not for most people. Carrying around all those extra GPUs has an impact on battery life [10 hours vs. 16] whether you’re using them or not.

Jon Porter (Hacker News):

But it’s hard to ignore the broader context of these improvements, which is that they effectively bring the company’s 2021 MacBook Pros back in line with the features they were already offering from 2012 to early 2016. Arguably, the primary reason these new MacBooks are being greeted with overwhelming enthusiasm now is that Apple made the wrong bet on where laptop design was headed back then.

Juli Clover:

It’s officially MacBook Pro launch day, and customers around the world who pre-ordered after last Monday’s event are receiving their devices today. We’ve already seen reviews of the new MacBook Pro models from media sites, but now first impressions from everyday users are available.

Paul Haddad:

This is pretty hilarious. Rosetta results for the M1 Pro/Max vs my 10850k 10 core real Intel machine.

Jason Snell:

[Here’s] a pic of how deep the SD card slot is in the new MBP

It sticks out a lot more than on my 2012 MacBook Pro.

Marco Arment:

Based on this, I’m guessing the new SD slot won’t safely support those nearly-flush adapters that could hold a MicroSD card for extra semi-permanent storage.

John Gruber:

Here are the effective “looks like” resolutions for the new 14-inch MacBook Pro

Moshen Chan:

13" M1 MBP vs. 14" MBP. Mini-LED ‘Liquid Retina XDR’ showing huge contrast difference.

Saagar Jha:

Interesting, it looks like the new MacBook Pros can’t really go from black to light colors very well. There’s a fairly noticeable “ghosting” effect where it first tries to turn on the right LED regions and then gets to the right color.

Computer Clan:

I love how Apple went from removing the escape key to making the biggest escape key ever on a Mac. 😂

Paul Haddad:

I’ve not seen any performance difference in the various reviews between the 14” and 16”. I have seen several instances of the fans being significantly louder on the 14” under any kind of sustained load. Add to that longer battery life and bigger screen…

Joe Rossignol (Hacker News):

iFixit has shared a teaser of its 14-inch MacBook Pro teardown, and one noteworthy detail is the inclusion of pull tabs for the battery cells, which the repair website said will allow for easier do-it-yourself battery replacements.

Juli Clover:

In Final Cut Pro, a video export test saw the M1 Max machine export a 6-minute 4K video in one minute and 49 seconds, a task that took the M1 Pro 2 minutes and 55 seconds. When it comes to 8K RAW footage, both machines were able to handle the load. The M1 Max MacBook Pro performed close to flawlessly, while the M1 Pro had a few issues with dropped frames and stuttering, but was ultimately able to keep up.

Howard Oakley (Hacker News):

The internal SSD is the fastest that I have ever tested, although as it’s the 2 TB model, it’s expected to be significantly slower than the results quoted by Apple, which are for 8 TB versions. Using my own app Stibium, it attains transfer rates of 6.7 GB/s read and 6.9 GB/s write. Maximum speeds were found between 60 and 400 MB transfer sizes.

I’m going to look in more detail at how the M1 Pro uses its cores in tomorrow’s sequel to this article. For the moment, though, I’ll give you a teaser that, like the M1, the M1 Pro runs lowest QoS processes on its Efficiency cores, which includes most macOS services like Time Machine. Although the M1 Pro has only two Efficiency cores, compared to the M1’s four, numerical tests run on them in the M1 Pro complete in around 67% of the time of the M1. The M1 Pro’s Performance cores are managed quite differently from those in the M1 too.

Swift Package Index:

Overall, it’s remarkable that the M1 MacBook Air already had the best performance before Apple introduced the new MacBook Pros, but the M1 Pro and Max chips take this further. They improve on the M1 Air’s best result of 47 seconds with a build time of less than 31 seconds. Those extra cores matter, and the ~35% improvement is in line with what you’d expect, going from a 4+4 performance/efficiency core setup to an 8+2 configuration.

Brian Webster:

OK, the M1 Max benchmark that matters for me: a clean build of PowerPhotos (~80,000 LOC, about 1/3 Swift, 2/3 ObjC)

2017 5K iMac: 160 seconds
2018 MacBook Pro Core i9: 159 seconds
2021 MacBook Pro M1 Max: 76 seconds

Michael Love:

Up and running with 14" M1 MacBook Pro. Thoughts so far:

- Very fast; build times roughly halved vs 2019 Intel 16"
- Android dev on M1 has a few glitches but basically OK
- Notch is fine; stupid, but ignorable
- No difficulty driving 4K@120 external monitor (Gigabyte M32U)

Marco Arment:

I’ve now had the 16” M1 Max MBP at full sustained CPU load (800%+) for 3 hours.

I do, finally, hear the fans — but just barely. It’s quieter than my iMac Pro was at full sustained CPU load.

Hard to notice above ambient noise from a few feet away. Gotta put your ear up close.

Ben Sandofsky:

Build times for @halidecamera

2019 MacBook Pro
2.4 GHz, 8-Core, 32GB RAM
63 Seconds

2021 MBP M1 Pro
10-Cores, 32GB RAM
28 Seconds

…and the 2021 model was $300 cheaper.

See also: iFixit, MacRumors, Accidental Tech Podcast, The Talk Show.


GitHub’s Commitment to npm Ecosystem Security

Mike Hanley:

Today, we are sharing details of recent incidents on the npm registry, the details of our investigations, and how we’re continuing to invest in the security of npm. These investments include the requirement of two-factor authentication (2FA) during authentication for maintainers and admins of popular packages on npm, starting with a cohort of top packages in the first quarter of 2022.
