Archive for July 1, 2022

Friday, July 1, 2022

FCC Commissioner Calls for TikTok to Be Removed From App Store

Brendan Carr (Hacker News):

TikTok is not just another video app.

That’s the sheep’s clothing.

It harvests swaths of sensitive data that new reports show are being accessed in Beijing.

I’ve called on @Apple & @Google to remove TikTok from their app stores for its pattern of surreptitious data practices.

[…]

Tiktok’s pattern of misrepresentations coupled with its ownership by an entity beholden to the CCP has resulted in U.S. military branches and national security agencies banning it from government devices.

John Gruber:

This whole charade about moving U.S. TikTok users’ data to servers run by Oracle is a facade — there’s nothing stopping ByteDance employees in China from accessing the data on those servers. The Biden administration shouldn’t merely request that Apple and Google ban TikTok from their App Stores, they should demand it.

Nick Heer:

As a reminder, Carr works for the FCC, not the FTC. Nor does Carr work for the Department of Commerce, which was most recently tasked with eradicating TikTok from the United States. While frequent readers will know how much I appreciate a regulator doing their job and making tough demands, I feel Carr’s fury is misplaced and, perhaps, a little disingenuous.

Carr’s letter follows Emily Baker-White’s reporting earlier this month for Buzzfeed News about the virtually nonexistent wall between U.S. user data collected by TikTok and employees at ByteDance, its parent company in China. The concerns, Baker-White says, are claims of persistent backdoors connected to Chinese military or intelligence which allow access to users’ “nonpublic data”.

[…]

But, you know, maybe they should be worried about that simpler situation. I think Baker-White buried the lede in that big, long Buzzfeed story[…]

Emily Baker-White:

Project Texas’s narrow focus on the security of a specific slice of US user data, much of which the Chinese government could simply buy from data brokers if it so chose, does not address fears that China, through ByteDance, could use TikTok to influence Americans’ commercial, cultural, or political behavior.

Nick Heer:

One of the frustrating characteristics about Carr’s letter is that he is, in many ways, completely right — and I just wish he had raised these concerns about literally everything else applicable. From the perspective of a non-American, his concerns about intrusive surveillance reflect those I have about my data being stored under the control of American companies operating under American laws. Sure, Canada is both an ally and a participant in the Five Eyes group. But it is hard to be reassured by that when the U.S. has lost its moral high ground by wiretapping allies and entire countries.

Chance Miller:

In its response today, ByteDance confirmed that some employees do need “have access to TikTok U.S. user data.” It went on to clarify, however, that these employees are “subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team.”

As noted by Reuters, however, ByteDance also committed to making changes that will “fully safeguard user data and U.S. national security interests.” The company said that it is in the process of finalizing “new advanced data security controls” in partnership with Oracle.


Update (2022-07-08): Karl Bode:

If you were to dig through the resulting news reports covering Carr’s empty letter, you’d be hard pressed to find a single one that could be bothered to note that Carr doesn’t have any regulatory authority over social media or app stores, the letter has absolutely no meaningful legal backing to support his request, or that Carr himself has absolutely zero credibility on consumer privacy issues.

Via Nick Heer:

Bode’s coverage of Carr’s regulatory history is also worth reading. If the collection of and access to Americans’ private data — maybe by a foreign government — really is a giant security concern, there are meaningful levers Carr could pull. But it is easier to blame this one app because it is very popular.

Update (2022-07-12): See also: The Economist (via Hacker News).

Update (2022-07-19): See also: Hacker News.

Porting Graphing Calculator From C++ to Swift

Ron Avitzur:

C++ is and always has been an effective language for managing complexity in large projects, so why did I change languages? I was incredibly impressed with Apple’s Augmented Reality technology.

[…]

I’ve worked the last 18 months rewriting everything. Here’s what I’ve learned.

[…]

In the end, the port is vastly more maintainable, readable, and compact. When I ported individual sections of functionality, the Swift source typically measured 30% the size of the corresponding C++ code.

[…]

The biggest challenge of the port was achieving comparable speed. Decades of iterative refinement and low-level optimization on every release set a high bar for performance. Navigating Swift’s myriad Unsafe APIs in performance-critical code was difficult, but effective. The biggest remaining challenge is minimizing ARC retain/release overhead navigating expression trees. Relying on ARC eliminated a great deal of code complexity. The C++ code handled expression memory management manually, which was both extremely fragile but also very fast. The Swift version is smaller, easier to write correct code and reason about, but has performance-critical sections where I know that traversing a tree will not change any reference counts but have no way to communicate to the compiler that the ARC retain/release overhead is unnecessary.

Oliver Hunt:

I learned to write Swift in the same way I learn every language: writing a raytracer, and what Ron is saying mostly matches my experience with it. In general it produces code that is Fast Enough, but getting high performance is still harder than C++.

[…]

Unneeded retain/release from ARC in perf-critical tree traversal consumes easily >10%, and in some cases >20% of run time in my code - just finding out about the unsafe workarounds was challenging, using them made the code much more unwieldy, and itself created new perf problems.

[…]

I’ve also encountered issues with the performance of generic code, where perf is also difficult to debug, and much harder to reason about than C++. Part of this is to make it possible to maintain ABI compatibility with generic code (though I’m convinced it should be faster).


Update (2022-07-05): Joe Groff:

One major limitation is the nonuniform representation of unspecialized generics in SIL, which means they lose a host of optimizations in addition to having the indirection overhead.

Having done it all in native code, I'm also not convinced that was the right call vs. using a higher-level bytecode and interpreter to represent unspecialized generics more compactly.

See also: Hacker News.

ConcurrencyPlus

Chime (via Matt Massicotte):

TaskQueue

Conceptually similar to a serial DispatchQueue, but can accept async blocks. Unlike with an unstructured Task, this makes it possible to control the ordering of events.

[…]

CancellingContinuation

Just like a CheckedContinuation, but will automatically resume by throwing if it is deallocated without being resumed manually. This is useful for situations where you cannot guarantee that a closure will be called. An example of such a situation is an XPC call.
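The CancellingContinuation idea in working Swift, as an added example written for this page rather than ConcurrencyPlus’s own code: `LeakSafeContinuation`, `ContinuationDropped` and `flakyService` are names constructed here, and the XPC call is stood in for by a callback API that sometimes never calls back.

```swift
import Foundation
struct ContinuationDropped: Error {}   // hypothetical error type for this example

// Wraps a CheckedContinuation in a class whose deinit resumes by throwing, so a
// callback that is never invoked fails the awaiting task instead of hanging it.
final class LeakSafeContinuation<T>: @unchecked Sendable {
    private var continuation: CheckedContinuation<T, Error>?
    private let lock = NSLock()
    init(_ continuation: CheckedContinuation<T, Error>) {
        self.continuation = continuation
    }

    // Hand the continuation out exactly once; later callers get nil, which also
    // turns an accidental double resume into a no-op instead of a crash.
    private func take() -> CheckedContinuation<T, Error>? {
        lock.lock(); defer { lock.unlock() }
        defer { continuation = nil }
        return continuation
    }
    func resume(returning value: T) { take()?.resume(returning: value) }
    func resume(throwing error: Error) { take()?.resume(throwing: error) }

    deinit {
        // Last reference released without a resume: unblock the caller.
        take()?.resume(throwing: ContinuationDropped())
    }
}

func withLeakSafeContinuation<T>(_ body: (LeakSafeContinuation<T>) -> Void) async throws -> T {
    try await withCheckedThrowingContinuation { body(LeakSafeContinuation($0)) }
}
// Constructed stand-in for a callback API (e.g. an XPC reply) that sometimes never calls back.
func flakyService(dropReply: Bool, reply: @escaping (Int) -> Void) {
    if !dropReply { reply(42) }
}

@main struct Demo {
    static func main() async {
        let answered: Int? = try? await withLeakSafeContinuation { c in
            flakyService(dropReply: false) { c.resume(returning: $0) }
        }
        print("replied:", answered as Any)
        do {
            let _: Int = try await withLeakSafeContinuation { c in
                flakyService(dropReply: true) { c.resume(returning: $0) }
            }
        } catch { print("resumed by throwing:", error) }
    }
}
```

Build with `swiftc -parse-as-library Demo.swift`, since `@main` supplies the entry point and the file is not `main.swift`.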

FontExplorer X End of Sales

FontExplorer:

As of June 30th 2022, FontExplorer X products are no longer available for purchase or renewal[…] we will not offer any updates and/or support after June 30th, 2023.

[…]

We are working on an exciting new product! Sign up for our newsletter to be the first to know when it’s released. In the meantime, take a look at our cloud based individual offer from Monotype Fonts.

WebKit Moves to GitHub

Jen Simmons:

WebKit is 100% on Git. The SVN repo is officially retired.


CMA on WebKit Security Bugs

Open Web Advocacy (Hacker News):

The CMA [UK Competition and Markets Authority] says [Apple’s browser] ban not only doesn’t protect security it could make it worse!

[…]

Out of each of the three major browser engines, Safari has had the highest number of Browser Code Execution Vulnerabilities.

[…]

If we look at how long it takes Apple to patch vulnerabilities the picture looks even worse.

[…]

Apple doesn’t even apply all the patches to versions of the operating system that are still heavily used. When iOS 15 only had 0.93% of users installed, Apple wasn’t applying all of those security patches to iOS 14.

Florian Mueller:

When lobbying against such initiatives as the Open App Markets Act, Apple emphasizes two pet pretexts: privacy and security--and in order to give the term security more gravitas, Apple--and all sorts of people beholden to it--stress that it’s about national security. What no one can deny is that Apple is the market leader in the U.S. smartphone business, so security issues affecting the iPhone are, by extension, an issue of concern to the country as a whole. But at the heart of Apple’s national security argument resides a total non sequitur:

Apple considers it an axiom that whatever Apple does is inherently secure, and whatever anyone else does is inherently insecure. It’s Apple’s version of what’s called infallibility in connection with various religions.

[…]

What I find so interesting about the OWA’s work (by the way, here’s a link to their response to the UK CMA’s interim report) is that they’ve compiled information that throws into doubt Apple’s conclusory claim of monopolistic behavior being in the interest of (national) security.
