Archive for January 19, 2022

Wednesday, January 19, 2022

No More iOS 14 Security Updates

Juli Clover:

Last week, MacRumors shared news that Apple had stopped releasing iOS 14 security updates and was pushing those still on iOS 14 to upgrade to iOS 15, an apparent reversal of a promise to allow users to stay on the iOS 14 operating system.

Apple today told Ars Technica that the option to stay on iOS 14 and avoid the iOS 15 upgrade was always meant to be temporary. It is not a mistake that there are no more security updates to iOS 14, and support for the update has essentially ended.


“Always meant to be temporary” is a hell of a reply to people who thought they were getting more reliable OS support from a keynote announcement.


1Password Series C Funding Round

Jeff Shiner (tweet, Hacker News):

I’m delighted to announce that 1Password has raised $620 million in our latest investment round that values our company at $6.8 billion. This moment represents a lot of hard work by a lot of amazing people.

Most days, I find myself too busy to truly reflect on all we’ve accomplished over the past 17 years. I think back to our tiny Macworld booth, or the weeks we’d spend at the Cupertino Inn working on our latest iOS or Mac release. It feels like yesterday that I was excited to cross the 100-employee threshold, yet here we are just a few years later approaching 600.


Admittedly, it seems peculiar for a consistently-profitable company to accept outside funding. But just like last time, these partnerships make it possible for us to develop and scale human-centric security solutions for everyone.

David Pierce:

1Password has tripled in size in the last two years, up to 500 employees, and plans to double again this year — while also expanding the vision of what a password manager can do. 1Password has long been a consumer-first product, but the biggest opportunity lies in bringing the company’s knowhow, its user experience, and its security chops into the business world. 1Password already has more than 100,000 business customers, and it plans to expand fast.


“One is, continuing to invest in our team and double the size of our company, again, this year. Two is continuing to look at strategic acquisition. We made the acquisition last year with SecretHub for the secrets automation space. And then three, just have the courage capital to make the big bets that we need to enter new areas and really try and see how ambitiously we can hit those vision and mission goals.”


Update (2022-01-20): John Gruber:

Doesn’t seem like a good investment to me, either. Better password management is getting built into operating systems and web browsers. They’re trying to go enterprise mass market with a niche product that was beloved by nerds who really care about their passwords. As a friend just quipped to me, “Unless they’re factoring the value of the individual passwords, $6B makes no fucking sense.”

As a consumer, I’m not happy about the focus on enterprise. But it makes sense from a business perspective because the basics are getting built in, as Gruber says. I do think there’s room for a solid long-term business offering organizations more, and so the valuation doesn’t seem crazy to me.

Update (2022-01-24): Collin Allen:

It’s bonkers to me that they have 600 people there for a password manager app and service. I could see 60, but 600? 😳

Roustem Karimov:

Well, how much experience with SOC 2 Type 2 do you have? What about running 5 production data centres? Also, how many people do you think it would take to support a few million active users?

We used to kill our entire team and work 70+ hour weeks, thankfully it is in the past.

Roustem Karimov:

Early days: it was about 50/50 between developers and customer support. A single Safari or macOS update could generate 10,000 tickets/day and it was all-hands-on-deck for weeks.

Mitchell Cohen:

Let’s narrow our focus further to one tiny part of the app: icons. Ever seen an icon pop in while scrolling through @1Password? There’s a story behind that, and it’s related to how we enforce memory hygiene, protect your anonymity, and provide full encryption at rest.

John Gruber:

But, still, whether what 1Password is doing is smart business or not, there’s no question that the longtime 1Password users I know personally are unhappy. They’re not happy that the new 1Password 8 for Mac is built on Electron. They’re not happy that 1Password is going subscription-only. They’re not happy that 1Password vaults are now only hosted by 1Password. But these are all decisions that make perfect sense for the enterprise SaaS world. It might not be feasible to move to the new model without spoiling what many 1Password users liked best about their old one.


I’ve always thought it to be a great product from a great company, but, well, I had my own system for managing passwords from before 1Password existed (which admittedly is a long time ago: they started in 2005) and as the years have gone on, I’ve slowly moved from merely using Apple’s iCloud Keychain to depending upon it. For shared secrets, my family uses locked items in Apple Notes.


Update (2022-02-11): Cabel Sasser:

If you’re wondering if 1P will ever live up to that $6.8 billion valuation, please note that they’ve officially reached the Schedule-a-Meeting Sales Spam level.

Update (2022-03-23): Gruber has removed the line:

For shared secrets, my family uses locked items in Apple Notes.

Apple’s documentation currently states:

You also can’t password protect notes that you share with someone else.

Making Mac OS X Unix Compliant Certified

Terry Lambert (via Gus Mueller, Hacker News):

I was the tech lead at Apple for making Mac OS X pass UNIX certification, and it was done to get Apple out of a $200M lawsuit filed by The Open Group, for use of the UNIX™ trademark in advertising.


We were promised 1/10th of the $200 million, or $20 million in stock, on completion. $10 million to me, $5 million to Ed, and $5 million to Karen Crippes, who was looking for a home in Mac OS X development[…]


Eventually, we had everything working and passing the tests. We were ready to pull the trigger.

And then they pulled in the Intel code changes, and crapped all over everything, because we were told to wait two weeks.


All told, probably 4% of the 6% of the Mac OS X kernel that I wrote? […] It came from committing massive signals changes, and attributing them to a simple signal bug resulting in a kernel crash, in the “Radar” bugs database.

A lot of the things Ed did to libc header files, and libc itself, had similar “fibs” in Radar.


You have absolutely no idea how much Apple contributed to the Open Source community, as part of this project, because it was a secret project — at least to people outside Apple — so we didn’t advertise the fact.

But I expect we contributed about two million lines of code, to hundreds of Open Source projects, over the course of that year.

A lot of gratitude — but it wasn’t collective, and so Apple was still faulted for “using Open Source code, but never contributing back”.


The executive who agreed to the deal left his wife for an HR person, and took the stock for himself.

Microsoft Acquires Activision Blizzard

Tom Warren (Hacker News):

Microsoft is acquiring Activision, the troubled publisher of Call of Duty, World of Warcraft, and Diablo. The deal will value Activision at $68.7 billion, far in excess of the $26 billion Microsoft paid to acquire LinkedIn in 2016. It’s Microsoft’s biggest push into gaming, and the company says it will be the “third-largest gaming company by revenue, behind Tencent and Sony” once the deal closes.

Microsoft plans to add many of Activision’s games to Xbox Game Pass once the deal closes. With the acquisition of Activision, Microsoft will soon publish franchises like Warcraft, Diablo, Overwatch, Call of Duty, and Candy Crush. “Upon close, we will offer as many Activision Blizzard games as we can within Xbox Game Pass and PC Game Pass, both new titles and games from Activision Blizzard’s incredible catalog,” says Microsoft’s CEO of gaming Phil Spencer.

NY Times (tweet):

Microsoft framed the deal as strengthening the company’s hand in the so-called metaverse, the nascent world of virtual and augmented reality. The metaverse has attracted huge amounts of investment and talent, though so far is more of a buzzword than a thriving business. Facebook renamed its parent company to Meta late last year to underscore its commitment.

Sami Fathi:

Microsoft’s Xbox Game Pass is available on the iPhone and iPad through Safari, but not the App Store.

John Gruber:

Game Pass subscriptions cost between $10–15 per month. Let’s just call that about $150/year per subscriber. That’s just under $4 billion per year. Assume that the Game Pass subscriber base will keep growing, and $69 billion for Activision doesn’t seem absurd as a long-term investment. And that’s just counting Game Pass subscription revenue, not traditional game sales.


It’s wild how Microsoft has been able to vertically integrate gaming.

They now own the distribution (Xbox Cloud Gaming, Xbox Game Pass), the games (Call of Duty, WoW, Starcraft + what they owned before), the OS (Windows, Xbox), the hardware (Xbox, many PCs), and the back end compute (Azure). The only thing they’re missing, the network bandwidth, is mostly a commodity anyway.

Jon Erlichman:

Microsoft’s biggest acquisitions:

Activision Blizzard: $68.7 billion
LinkedIn: $26.2 billion
Nuance: $19.7 billion
Skype: $8.5 billion
ZeniMax: $7.5 billion
GitHub: $7.5 billion
Nokia phone unit: $7.2 billion
aQuantive: $6.3 billion
Mojang (Minecraft): $2.5 billion


An Examination of the Bug Bounty Marketplace

Bounty Everything (PDF, via Bruce Schneier):

Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms — the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework — they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next.