Archive for December 2022

Friday, December 30, 2022

The Voice Assistant Battle 2023

Marques Brownlee (via Dave Mark):

Google Assistant vs Apple’s Siri vs Amazon Alexa vs Samsung’s Bixby

He says that Google Assistant is far ahead and that Alexa is not what it once was. Siri comes in second, but that seems to mainly be due to the iOS/HomeKit ecosystem—otherwise he seemed to prefer Bixby.

Personally, I’m mostly interested in “easy” tasks, and so I’m frustrated more by Siri’s speed and reliability problems (blaming spurious network issues, pausing for a long time before admitting it is confused, and getting stuck in a mode where it won’t do anything until I unlock my phone) than by how sophisticated it is at following a sequence of questions.

Transmit Instead of File Sharing

Accidental Tech Podcast:

It’s 2022 and we still haven’t solved email, batteries, or sharing files between two computers.

Sean Heber:

I really hate local network file sharing. It never seems to work right.

I set up a folder to share on my mac. My computer shows up in the Network section of Finder on every other mac in the house, but when I open on it, it just sits there seemingly trying to load and eventually times out. The list of shared folders never even appears. Using the “Connect As..” button also just times out eventually and I don’t even get a login prompt.

His specific issue may now be solved, but I’ve noticed a lot of flakiness with File Sharing over the last few years. Sometimes, the other computer just doesn’t show up in Finder. Sometimes the alias I’ve been using to access a folder on it stops working. Sometimes the alias fails because it’s trying to log in using the account of a different user.

Copying lots of photo files can take a long time because, after selecting them and initiating the drag, Finder wants to load a lot of data—I guess to generate previews. I have to keep holding down the mouse button while it does this because otherwise it will just freeze again the next time I try to start the drag.

Several versions ago, SMB transfers between my Macs got a lot slower, and they remain slow. So are Screen Sharing transfers. AirDrop is sometimes faster but is usually inconvenient for me because I tend to want to “pull” files from my main Mac; AirDrop requires me to physically go to the other Mac to “push” them.

I’ve settled on using Transmit instead. It’s great about remembering my favorite folders and login info. It’s convenient to be able to configure which local folder should be associated with each remote one. I can even leave tabs open for different Macs and come back a week or two later with it remembering what I was doing. The main limitation that I’ve run into, compared with Finder, is that there’s no way to move a file from the remote server to the local Mac. I have to remember to go back and delete it after the download has completed.

Fixing SMB File Sharing in Ventura

tresinnoctem:

I use the SMB file sharing system to access files on my MBPro from my iPhone 12, on my local network. Until now, this has been robust, reliable and fast.

After updating my MBPro to Ventura 13.0 and my iPhone to iOS 16.1 I cannot connect the laptop to the phone or to my old iMac, running Monterey 12.6.

sonicsuperstar:

After I installed macOS Ventura my File Sharing stopped working. I wasn’t able to connect from my Windows computer to my Mac anymore.

I had to turn off File Sharing, reboot my computer, and then turn on File Sharing again. It started to work after I did that.

Via Sean Heber:

It worked and I’m back in business but… like… SERIOUSLY WTF?!

I rebooted a bunch of times trying to get to this work but I never thought to turn off file sharing before rebooting because, like, why would that make any difference?!

Thursday, December 29, 2022

Options in macOS Update Notifications

Isaiah Carew:

Whoever is in charge of updates, really likes dark patterns.

  • It asks a Yes-or-No question that it does [not] allow you to answer with Yes or No.
  • It doesn’t provide any sort of “snooze” feature -- so non-techy users who might not know how to update manually are faced with a now-or-never situation.

I’m pretty sure Apple knows they’re doing this and it’s done to “trick” users into updating even when they don’t want to in attempts to artificially drive up numbers of people that stay up to date.

The iOS alert for new OS versions also seems like it’s trying to trick me. There is a way to decline without scheduling the update for later in the day, but it feels like a puzzle that I have to figure out each time.

Sören:

I wish “auto-update” weren’t a binary switch, mostly because for apps I care about, I want to know there’s an update and read the release notes (but if I turn off auto-update, there’s just a constant huge list, and a lot of apps are jerks about telling you what’s new anyway)

It’s Often Memory That’s Killing Your Performance

Rob Napier:

My first mistake was trying to make it parallel before I pulled out Instruments. Always start by profiling. Do not make systems parallel before you’ve optimized them serially. Sure enough, the biggest bottleneck was random number generation.

[…]

Huge amounts of time were spent in retain/release. Since there are no classes in this program, that might surprise you, but copy-on-write is implemented with internal classes, and that means ARC, and ARC means locks, and highly contended locks are the enemy of parallelism.

[…]

I rewrote update and all the other methods to take two integer parameters rather than one object parameter and cut my time down to 9 seconds [from 40].

Steve Canon:

pet peeve: using “big-O” to refer to abstract algorithmic complexity. Big-O is the technique of looking at the leading term and ignoring constant factors. It is usually the right tool to analyze memory use or cache misses as well!

Apple Watch’s Camera Control

Dan Moren:

To the rescue flew the Apple Watch’s Camera app. I’ve probably used this feature a handful of times since the first Apple Watch, and probably not at all since I got my Series 7, and frankly I was blown away with just how much better the experience is than I remembered. A modern Apple Watch is now more than capable of showing a live, full-frame video stream with almost zero lag, and the screen is large enough that you can actually use it to tell if everything’s framed the way you want. You can easily take a shot and quickly check it on the watch to make sure that everybody’s eyes are open.

My experience has been different. The non-configurable 3-second delay makes this feature unusable for me. It simply isn’t enough time, and, frankly, I think it must start shooting before the 3 seconds are even up because I’ve captured photos at the start of the burst with my finger still touching the watch.

So, in practice, I use the 10-second timer initiated from the iPhone. Somehow, after walking back into position I end up with about 5 seconds of time before the photo is taken, whereas after pressing the button on the watch it feels like I have about half a second.

The photo on the watch screen is useful to make sure that everyone is in frame, and that small children are looking at the camera, but I find it too small to see whether eyes are open.

I’d like to see a 10-second option for the watch, and (for watch and phone) a way to schedule a series of 5 shots with a couple seconds in between, so that I don’t have to keep starting the timer manually and having everyone wait 10 seconds each time.

Louie Livon-Bemel:

I’ve also used this feature while doing electrical work at home. If you’re the only one home but need to turn off the breaker for a particular circuit, leave your iPhone in a room with the selfie cam pointed at a light (or under an outlet tester with an indicator light), open the Camera Remote app on your watch, then check it after flipping each breaker switch.

Saves you from running up and down the stairs to check every time.

Tuesday, December 27, 2022

Ventura Issues

General

Finder

Mail

Storage

System Settings

Other

See also: Fixes and flaws in Ventura 13.0.

Update (2022-12-28): See also: Hacker News.

Update (2022-12-29): Two other Mail issues I’m seeing:

See also: Rui Carmo.

Update (2022-12-30): Adam Overholtzer:

Configuring widgets is broken

Third-party widgets don’t load (killall NotificationCenter will fix)

Riccardo Mori:

I’m more surprised by the nature of many of these issues, by how ridiculous they are compared with the sheer age and supposed maturity of a 20+ year-old operating system.

I’ve also heard from a consultant who says he’s seen three isolated cases where Ventura turned on FileVault by itself, without permission or offering a recovery key.

Update (2023-01-05): See also: Reddit and Reynard Jenning.

Update (2023-01-12): Collin Donnell:

Has anyone else been getting this macOS bug where the Apple ID pane in System Settings is blank or entirely unresponsive and there is a “Daemon connection invalidated!” message in Console many times a second?

See also: Overclockers.

Update (2023-01-18): Jesse Squires:

Generally, the built-in Mac Catalyst apps continue to be a major annoyance and extremely cumbersome to use. They do not behave like native AppKit apps and omit very basic features and functionality that typical users expect.

[…]

My biggest complaint is the new System Settings (née System Preferences) redesign, which is absolutely terrible. It is so slow and glitchy.

Safari’s Date Picker Causing Customer Support Issues

Robin (Robert) Thomas (via Hacker News):

There is no option to manually enter the correct date. The only obvious path forward is to tap the left arrow button 924 times to get back to 1945. The not-obvious path forward -- which our elderly users cannot find -- is to tap “December 2022”, which pops open this rolodex-type thing[…]

This is also confusing because[…] You can’t pick the day[…]

The system picker invoked by mobile Safari is particularly annoying, but many Web sites also implement their own custom date pickers that make basic operations cumbersome. AllTrails is but one example where you have to repeatedly go back one month because there is no way to enter the year. MarsEdit has a custom picker that works well—you can click on the calendar or directly type in the date. I think this should be available as a built-in style.

Archive of the Twitter Files

The Twitter Files Archive:

This is an archival of the Twitter Files released by Elon Musk, who shared the information with various independent journalists. The purpose of this site is to make the information given by Elon Musk easily accessible to everyone on and off Twitter.

This is so much better than trying to read the actual threads on Twitter.

Monday, December 26, 2022

SimBuddy 1.0

Craig Hockenberry:

The locations shown above, and many others, are available from Xcode using the xcrun simctl command. Every application on every device on every platform can be queried. But these lookups are difficult for developers because the information is structured around automatically generated GUIDs. The GUID you’re looking for changes every time a new OS is available, a device is added, or an application is installed. And we do that a lot!

[…]

SimBuddy uses two popup menus for navigation: the top one shows which devices are running in the Simulator and the one below shows all the applications installed on that device (your apps are listed first). Once you make a choice with those popups, you can use the buttons at the bottom of the window to navigate in the Finder. If you are using app group containers for sharing information between an extension/widget and your main app, you open those folders by selecting the ID and using “Open”.

Gitea Actions Preview

xinyu:

The aim of Gitea actions is to bring closer integration between Gitea and existing CI/CD systems. Another goal is to expose a unified management interface for standalone runners to reduce the administrative overhead of supporting multiple systems if desired. The standalone runner workflows are designed to be compatible with GitHub Actions, and can be used to build, test, package, release, or deploy any code project on Gitea.

Gitea Actions goes beyond just DevOps and lets you run workflows when other events happen in your repository. For example, you can run a workflow to automatically add the appropriate labels whenever someone creates a new issue in your repository.

[…]

Gitea Actions implements a built-in CI/CD system framework, compatible with GitHub Actions’ YAML workflow format, and compatible with most existing Actions plugins in GitHub Marketplace.

This could be interesting, since Gitea is easier to administer than Jenkins and GitHub itself has been slow to support new OS versions.

Simon B. Støvring:

GitHub are planning to support macOS 13 Ventura on GitHub Actions at some point between April or June 2023. That’s when developers are starting to prepare for macOS 14 😨

Tesla Wireless Charging Platform

Juli Clover:

Tesla today announced the launch of the Tesla Wireless Charging Platform, a $300 wireless charger that is able to charge up to three Qi devices at one time.

The concept is somewhat similar to the AirPower that Apple wanted to produce as the three devices can be placed anywhere on the Tesla charging mat, receiving up to 15W of power each.

However, it doesn’t work with Apple Watch and uses the same technology as the discontinued Nomad Base Station Pro. At around 10x the price, these fancy multi-chargers have never seemed worth it to me.

Gatekeeper’s Achilles Heel

Jonathan Bar Or:

Considering symbolic links are preserved in archives and aren’t assigned with quarantine attributes—we looked for a mechanism that could persist different kinds of metadata over archives.

After some investigation, we discovered a way to persist important file metadata through a mechanism called AppleDouble.

[…]

Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute.

This is pretty clever and was fixed in macOS 12.6.2 and in Ventura.
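A defender-side check for the mechanism described above, as an added example (not code from the quoted post or from Apple): it scans a ZIP for AppleDouble sidecar files that carry ACL metadata, which ordinary downloads rarely need. The function names are hypothetical, the sample archive is constructed inline with placeholder bytes, and the code assumes the ACL travels as the `com.apple.acl.text` extended attribute inside the sidecar.

```python
import io
import posixpath
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607           # AppleDouble header magic
APPLEDOUBLE_VERSION = 0x00020000
ACL_XATTR_NAME = b"com.apple.acl.text"   # assumption: xattr name that carries ACL text
MAX_SIDECAR_BYTES = 1 << 20              # read cap; real sidecars are normally tiny


def parse_appledouble_entries(blob):
    """Return [(entry_id, offset, length), ...], or None if blob is not AppleDouble."""
    if len(blob) < 26:
        return None
    magic, _version = struct.unpack(">II", blob[:8])
    if magic != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])   # entry count follows 16 filler bytes
    entries = []
    for i in range(count):
        start = 26 + 12 * i
        if start + 12 > len(blob):
            break                                  # truncated descriptor table
        entries.append(struct.unpack(">III", blob[start:start + 12]))
    return entries


def sidecar_target(member_name):
    """Map '__MACOSX/dir/._name' or 'dir/._name' to the file it decorates, else None."""
    directory, base = posixpath.split(member_name)
    if not base.startswith("._") or len(base) == 2:
        return None
    if directory == "__MACOSX":
        directory = ""
    elif directory.startswith("__MACOSX/"):
        directory = directory[len("__MACOSX/"):]
    return posixpath.join(directory, base[2:])


def scan_zip(data):
    """Flag sidecars that are valid AppleDouble and mention the ACL attribute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = sidecar_target(info.filename)
            if target is None or info.is_dir():
                continue
            with zf.open(info) as fh:
                blob = fh.read(MAX_SIDECAR_BYTES)
            entries = parse_appledouble_entries(blob)
            if entries is None:
                continue                           # "._" name but not AppleDouble
            if ACL_XATTR_NAME in blob:             # heuristic byte search, not a full xattr parse
                findings.append({
                    "sidecar": info.filename,
                    "target": target,
                    "entry_ids": [e[0] for e in entries],
                })
    return findings


def _constructed_sidecar(xattr_name):
    """Constructed sample: one Finder Info entry (ID 9) holding placeholder bytes."""
    body = b"\0" * 32 + b"ATTR" + xattr_name + b"\0" + b"<placeholder value>"
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, b"\0" * 16, 1)
    descriptor = struct.pack(">III", 9, 38, len(body))   # data starts at 26 + 12
    return header + descriptor + body


def build_sample_zip():
    """Constructed archive: one sidecar naming the ACL xattr, one benign, one bogus."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/payload", b"data")
        zf.writestr("__MACOSX/app/._payload", _constructed_sidecar(ACL_XATTR_NAME))
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("__MACOSX/docs/._readme.txt", _constructed_sidecar(b"com.example.note"))
        zf.writestr("docs/._notes", b"not an AppleDouble file")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print("review before extracting:", finding)
```

A hit means the archive would apply an ACL to the named file on extraction, so it is worth reviewing on hosts that predate the fix mentioned above.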

Friday, December 23, 2022

Belkin iPhone Mount With MagSafe for Mac Desktops and Displays

Jason Snell:

Now there’s the Belkin iPhone Mount with MagSafe for Mac Desktops and Displays, a $40 adapter for other displays.

[…]

I have very few reservations of this new adapter. It works well on my Apple Studio Display but would work just as well on an iMac, a third-party display, or even a television.

LastPass Breach

Dan Goodin:

LastPass, one of the leading password managers, said that hackers obtained a wealth of personal information belonging to its customers as well as encrypted and cryptographically hashed passwords and other data stored in customer vaults.

The revelation, posted on Thursday, represents a dramatic update to a breach LastPass disclosed in August. At the time, the company said that a threat actor gained unauthorized access through a single compromised developer account to portions of the password manager’s development environment and “took portions of source code and some proprietary LastPass technical information.” The company said at the time that customers’ master passwords, encrypted passwords, personal information, and other data stored in customer accounts weren’t affected.

[…]

The hackers also copied a backup of customer vault data that included unencrypted data such as website URLs and encrypted data fields such as website usernames and passwords, secure notes, and form-filled data.

Update (2022-12-26): evan j:

I worked at LastPass as an engineer a long time ago. 7+ years ago. My 2 cents on the situation.

This is the worst breach LastPass has had. By a lot.

The key difference is that customer vaults were accessed this time, which are kept in a completely separate database.

[…]

URLs aren’t encrypted. This has been a well reported criticism of the product.

But it allows an attacker to see what vault entries are associated with which sites.

Overall. I think OG users of LP are at greater risk for targeted attacks than newer. I don’t think we’ll see widespread vaults being cracked, but targeted attacks are very possible with a user’s entire vault

Cryptopathic (via Hacker News):

I think the situation at @LastPass may be worse than they are letting on.

On Sunday the 18th, four of my wallets were compromised. The losses are not significant.

Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

Naz Markuta (via Hacker News):

The recent (2022) compromise of Lastpass included email addresses, home addresses, names, and encrypted customer vaults. In this post I will demonstrate how attackers may leverage tools like Hashcat to crack an encrypted vault with a weak password.

Tavis Ormandy (via Dare Obasanjo):

Things start to go wrong when you want integration with other applications, or when you want data synchronized by an untrusted intermediary. There are safe ways to achieve this, but the allure of recurring subscription fees has attracted businesses to this space with varying degrees of competence. I’m generally skeptical of these online subscription password managers, and that’s going to be the focus of the rest of this article.

[…]

I often say that “use a password manager” is bad advice. That’s because it’s difficult to tell the difference between a competent implementation and a naive one. The tech press can review usability and onboarding experience, but can’t realistically evaluate any security claims, so how do you propose users tell the difference? For that reason, I think “use a password manager” is so vague that it’s dangerous.

[…]

My primary area of interest is how remote attackers can interact with your password manager.

[…]

An attacker (or malicious insider) in control of the vendor’s network can change the code that is served to your browser, and that code can obviously access your passwords. This isn’t farfetched, altering the content of websites (i.e. defacement) is so common that it’s practically a sport.

Bruce Schneier:

But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

Update (2022-12-29): Jeremi M Gosney:

But things change, and in recent years I found myself unable to defend LastPass. I can’t recall if there was a particular straw that broke the camel’s back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass[…]

[…]

So, why do I recommend Bitwarden and 1Password? It’s quite simple[…]

Jeffrey Goldberg:

LastPass, a competitor, recently announced that password hashes were included in an August 2022 breach of their cloud storage. Their notice claimed that if users had followed default settings, “it would take millions of years to guess your master password using generally-available password-cracking technology.” That claim is highly misleading. In this article, I’ll explore the LastPass claim and unique 1Password features that protect you — now and in the event of a similar breach.

[…]

One of the things that sets 1Password apart is the Secret Key. A year ago I explained how your Secret Key protects you in the event the data we hold is captured by an attacker.

I like the idea of the Secret Key, however it only protects against a breach where the stored encrypted data is stolen. If the server is compromised, all bets are off because the Web client could be secretly modified to steal the Secret Key stored in your browser:

One thing I find annoying is that you can’t manage your account purely in the application, but have to touch the web interface with its “code directly downloaded from 1Password’s server” model.

Update (2023-01-25): Anyjohndoe1 (via Hacker News):

For those that may not have seen it, since instead of a new post they “updated” the one from November…Looks like it’s even worse than they first let on—now not just LastPass, but a bunch of their other products. Oh, and encrypted backups from some of those services—and an encryption key for some of said backups.

Activating Automatic Backtrack in watchOS 9

David Smith:

The trick was knowing that you have to press that bottom right button in order to discover if an automatic route is being tracked.

I imagine this ambiguity is coming from Apple being very circumspect about protecting user privacy. I wouldn’t be surprised if the system for automatically and surreptitiously recording the user’s locations is entirely walled off from the rest of the Compass app to make sure this very sensitive data can’t inadvertently be leaked without the user’s explicit approval. Hence the need to specifically request and approve it every time you want to see it. That’s just a guess but it seems a reasonable one.

We could quibble about the discoverability of this interface design but I suspect it is motivated by user privacy.

30 Years of PCalc

James Thomson (Mastodon):

At around the same time, we’d started coding using THINK Pascal, and I had begun to explore the Macintosh programming APIs in my own time.

[…]

The Pascal core mathematics code was hand-translated into C, and a new user interface was written around it in C++.

[…]

In 2005, I rewrote PCalc once again. This time, it was to learn the new Carbon HIToolbox APIs - this was a different way of writing an application, somewhat similar to PowerPlant, but provided by Apple.

[…]

I took the code I’d written for the Dashboard Widget version of PCalc, and got that running within a day or two on the iPhone. From there, I wrote a completely new interface around it, this time in Cocoa.

[…]

Well before the days of Mac Catalyst, this new version was actually based on the iOS source code[…]

Thursday, December 22, 2022

French Court Fines Apple Over Abusive App Store Practices

Reuters (via MacRumors):

The Paris Commercial Court on Monday fined iPhone maker Apple just over 1 million euros ($1.06 million) for imposing abusive commercial clauses on French app developers for access to the company’s App Store, the court ruling showed.

The ruling, seen by Reuters, said there was no need to order Apple, which has a market value of about $2.1 trillion, to tweak the App Store’s clauses because the European Union’s incoming Digital Markets Act would require changes in any case.

And the pricing complaint was just addressed as part of the Cameron settlement.

Update (2022-12-23): Florian Mueller:

I have meanwhile obtained and perused a copy of the entire 30-part judgment by the Paris Commercial Court’s 13th Chamber (trade judges Alain Wormser (presiding judge), Gérard Palti, and Beatriz Rego Fernandez). There are other counts on which Apple prevailed, and which have not received enough attention. As a commentator on these cases, I can’t just ignore the unfavorable parts of a decision.

[…]

My overall impression of the decision is that the three-judge panel was simply not interested in tackling some of the more difficult questions, such as the fairness of Apple’s requirement that all in-app purchases use Apple’s IAP system and the app tax of 30% or more for developers of a certain size (and 15% or more for small ones).

Fixing the “Failed to Enable Personal Hotspot” Error

Thomas Tempelmann:

Some of my older Macs running High Sierra or Mojave were unable to join the Personal Hotspot of one or even two of my iPhones.

[…]

There is a file called com.apple.airport.preferences.plist in the folder /Library/Preferences/SystemConfiguration.

[…]

Delete this file. But that will also reset all your network interfaces[…]

[…]

If you’re more adept, edit the file, e.g. with the app PrefEdit or BBEdit, then find all entries that mention “phone”, and remove those. After saving the changes, you should be able to reconnect to the phone without even requiring a restart.

Problems With Instagram and Flickr Sites on iPad

Juli Clover:

As of iPadOS 16, some Instagram users who access the iPhone version of the app on their iPad have noticed that it’s not working properly on the iPad’s display, making it impossible to post stories, see the full content of images, access polls, and more.

[…]

Story text from others is cut off depending on the layout of an image, and there are graphical errors with interactive Instagram post elements like polls and text entry boxes.

Meanwhile, with Flickr, there is an iOS app that works on iPad, but its features are limited. I can access the desktop site in Safari, but only after cancelling out of an alert that tries to open the app. Even then it shows a Universal Links banner constantly. I can’t get drag and drop on the Organize page to work.

You’d think photo services would be an important use for iPads, but they don’t seem to be prioritizing it.

Google Moves Maps to google.com

Garrit Franke:

I opened Google Maps again, and noticed that maps.google.com now redirects to google.com/maps. This implies that the permissions I give to Google Maps now apply to all of Google’s services hosted under this domain. So far I only identified Google Flights to have made the same switch (google.com/flights), though I’m sure they’re just beginning to transfer their services to the main google.com domain.

Via John Gruber:

Grant location access to Google Maps now, and you grant it to all of Google.

Monday, December 19, 2022

Ivory

Tapbots:

Some of you may have heard that a new Mastodon client, Ivory, is in development for iOS (and Mac!). This is true! Tapbots is going all in on Mastodon and we hope this place continues to grow and thrive. Tweetbot will continue to be developed alongside Ivory as a lot of code is shared. A new Mac version of Tweetbot and Ivory are also currently in development and we are working hard on getting those towards a public beta state.

Mark Jardine:

We invested so much into Tweetbot over the past 11 years and to think everything was potentially going to end was the scariest thought. But as the days went on, I started to think more rationally and knew it would be okay. As much as Twitter has brought us success, it has also been extremely frustrating for the past 6-7 years trying to build something great with a nerfed API.

[…]

Building an app for an open and decentralized social platform felt so refreshing. Inspirational! I haven’t been so excited designing something in a long time. With Tweetbot, we were always fighting with the API limitations while knowing in the back of our minds that someday the API could be taken away. I didn’t realize it then, but that killed a lot of our excitement and enthusiasm. With @ivory, we are just ecstatic every single day. It’s just been a pure joy to make software again.

Currently, I’m following Mastodon accounts using NetNewsWire, since the Web interface doesn’t remember where you are in the timeline.

I like what Tapbots did with Netbot for App.net back in the day, though I never found it satisfying to use two different services at once. It’s annoying to have separate timelines in two different apps, with some posts duplicated.

Twitter has been changing its policies so rapidly, and with scant or subsequently deleted explanations, so it doesn’t seem worth following the drama over there too closely.

Update (2023-01-12): Dan Moren:

Tapbots has gone ahead and posted a road map for the app, laying out what exactly is in the works for the near future. Currently on the list, which Tapbots plans to update as it goes, are the ability to create content warnings on posts, enhanced profile features, and a filterable navigation bar, among others.

Epic Settles With FTC Over COPPA Complaint

FTC (complaint PDF, Hacker News):

The Federal Trade Commission has secured agreements requiring Epic Games, Inc., creator of the popular video game Fortnite, to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (COPPA) and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases.

Half of this will go to customers and half to the FTC.

Michael Love:

Ironically, the fact that they were able to get away with doing this even when Fortnite was still in the App Store kind of proves Tim Sweeney’s point.

(I’m sure this will be disingenuously weaponized the other way - “Epic wants to avoid App Review so they can be evil’er” - but you can’t throw a brick in the top app charts without hitting a dozen other companies that use dark patterns to dupe people into unintentional purchases)

Even Gaia GPS now has a dark pattern where it takes over the whole screen, and there’s seemingly no way to get back into the app without purchasing an IAP. (I force-quit and relaunch it.)

Epic:

Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough. We accepted this agreement because we want Epic to be at the forefront of consumer protection and provide the best experience for our players.

[…]

Developers who create a teen-rated or mature-rated game can no longer assume that it won’t be deemed to be directed to children, according to the United States’ Children’s Online Privacy Protection Act (COPPA). Younger players who are interested in higher-rated games can find ways to access them.

[…]

There have never been pay-to-win or pay-to-progress mechanics in player-versus-player experiences in Fortnite. And we eliminated paid random-item loot boxes in Fortnite: Save the World in 2019.

John Carmack Is Leaving Meta

John Carmack (Hacker News):

Quest 2 is almost exactly what I wanted to see from the beginning – mobile hardware, inside out tracking, optional PC streaming, 4k (ish) screen, cost effective.

[…]

We have a ridiculous amount of people and resources, but we constantly self-sabotage and squander effort. There is no way to sugar coat this; I think our organization is operating at half the effectiveness that would make me happy.

[…]

It has been a struggle for me. I have a voice at the highest levels here, so it feels like I should be able to move things, but I’m evidently not persuasive enough. A good fraction of the things I complain about eventually turn my way after a year or two passes and evidence piles up, but I have never been able to kill stupid things before they cause damage, or set a direction and have a team actually stick to it.

Via Dan Luu:

I find this letter from Carmack interesting in that it summarizes a sentiment I’ve heard from literally all of the highest impact/most effective people I’ve talked to at large companies.

John Carmack:

I am all in on building AGI at Keen Technologies now.

Ashley Stewart and Kali Hays:

During Meta’s developer conference in October, Carmack hosted a solo hour-long talk about the company’s Oculus or Quest headset. He admitted he had many things to be "grumpy" about, like the company’s rate of progress on technological advancements and the basic functionality of the headsets. He said it was frustrating to hear from people inside Meta who found the Quest 2 headsets so unreliable that they refused to use them for work or demo them for people outside the company.

See also: his 2020 keynote (Hacker News).

Disabling AWDL to Work Around Ventura Wi-Fi Issues

Hamza Malik (via Felix Krause, Hacker News):

Meter is currently tracking an issue that is affecting devices on macOS Monterey and macOS Ventura with M1/M2 Macbooks acutely affected — leading to slow internet connection, drops in Zoom calls, and entirely losing a WiFi connection.

Macbooks use a WiFi interface called AWDL (Apple Wireless Direct Link) for features like AirDrop and AirPlay. Having AWDL on may cause your WiFi connection to periodically reset. Although these issues can manifest in various ways, the underlying issue is the same: throughput and speeds drop, devices get disconnected randomly, and fail to rejoin the network.

[…]

As an interim solution to improve the WiFi connection, Apple recommends that you turn off AWDL interface (this will disable AirDrop/AirPlay). There are a few ways you can do this — either by using the Terminal application and running a script or through the UI (provided below). We’ve run this intervention with a few customers now that have seen improved WiFi performance as a result.

I have not been seeing the problem on my Macs.

The post says that this may be fixed in macOS 13.1, however the issue is not mentioned in the release notes, and I’ve not seen any comments confirming the fix.

Previously:

Friday, December 16, 2022

Sunsetting AppCode

Anastasia Kazakova (Hacker News):

Since the release of AppCode 1.0 11 years ago, we’ve been applying our expertise to make coding for iOS/macOS more enjoyable. We’ve had many accomplishments, including first-class C++ support (from which CLion, our cross-platform C/C++ IDE, was born), an extremely fast release of initial support for the new Swift language, and finally, Kotlin Multiplatform Mobile technology, which combines our passion for Kotlin with our knowledge of mobile technologies.

While we’ve had some growth in terms of adoption, we didn’t reach the market share we had hoped for. We believe that the time has come to sunset the product and focus our efforts in other directions.

Jacob Gorban:

I’ve used this IDE on and off for many years. It’s got so much stuff that put it way beyond Xcode. At the same time, it was also lagging in some respect, and Apple’s speed of change with its tooling was probably hard to keep up with.

Dave Verwer:

Some people will dearly miss it but it never quite made it big enough in the Swift development community to become mainstream. It got close, though, especially a couple of years after it first launched.

Competition in this area is a good thing, but with Xcode being so good and VS Code’s support for Swift getting better every day, it’s an extremely tough market to enter with a paid product.

The reasons behind sunsetting AppCode make sense, but the Swift tools ecosystem will be poorer without it.

Previously:

SuperDuper 3.7.1

Dave Nanian:

In Ventura, on some systems, we’ve seen some cases where, post-replication (“Erase, then copy” in Big Sur and later), the destination volumes wouldn’t always re-mount. Sometimes an error would occur (referencing the ‘bsd’ info), sometimes not. When these failures occur, Apple’s replicator has also replicated the source volume name, and due to the error, we didn’t get a chance to rename it back to what’s expected.

Anyway, it was annoying to you and (because we hate things like this) us. So we’ve been working for the last month or so to try to find a way to fix this…and I’m happy to say we have.

[…]

We’ve found the key needed to get the startup items to say something more sensible, and so now they’ll say “SuperDuper!”—please don’t turn them off! If you do, your schedules will not work.

Previously:

Publishing an RSS Feed to Mastodon

Jesse Squires:

If you follow me on Twitter, you’ve likely noticed that my blog posts are automatically tweeted for me. There are multiple services you can use to do this, like Zapier and IFTTT. I use both services for various automations. Each has built-in actions for listening to an RSS feed and then tweeting new items as they appear. Sadly, neither service has a built-in action for Mastodon. However, we can achieve the same results with a generic webhook action on both platforms.

Proton Drive

Andy Yen:

Proton Drive’s mobile apps give you the freedom to access your files and folders from anywhere, anytime. You can upload your files and photos to Proton Drive using your mobile app and access them either on your mobile device or on your laptop or desktop by logging in to the Proton Drive web app. Your files will be available seamlessly on all devices and platforms.

Even in today’s constantly connected world, there are places with weak or no mobile network coverage. Our iPhone, iPad, and Android apps solve this problem by giving you offline access to your files and folders so you can access them without an internet connection. If you activate offline access for a file or folder, they’ll be encrypted and saved on your device so that they can only be accessed through the Proton Drive app. This gives you constant access to your files without compromising their security.

[…]

Your files are encrypted on your mobile device using encryption keys you control, and best of all, this encryption happens automatically without requiring any action from you.

The Mac and Windows versions are not in beta yet.

Tim Hardwick:

Proton Drive offers a free version with 1GB of cloud storage, while users subscribing to 500GB of encrypted storage ($9.99/month) via the Proton Unlimited plan also get Proton Mail, Proton Calendar, and Proton VPN. There’s also an individual Proton Drive subscription that offers 200GB of storage for $3.99 a month.

Previously:

Swift Pitch: Observation

Philippe Hausler:

There are already a few mechanisms for observation in Swift. Some of these include Key Value Observing (KVO), or ObservableObject; but those are relegated to in the case of KVO to just NSObject descendants, and ObservableObject requires using Combine which is restricted to Darwin platforms and does not leverage language features like async/await or AsyncSequence. By taking experience from those existing systems we can build a more generally useful feature that applies to all Swift reference types; not just those that inherit from NSObject and have it work cross platform with using the advantages from low level language features like async/await.

[…]

Combine’s ObservableObject produces changes on the leading edge of the will/did events and all delivered values are before the value did set. Albeit this serves SwiftUI well, it is restrictive for non SwiftUI usage and can be surprising to developers first encountering that restriction.

[…]

The Observable protocol includes a set of extension methods to handle observation. In the simplest, most common case, a client can use the changes(for:) method to observe changes to that field for a given instance. […] This allows users of this protocol to be able to observe the changes to specific values either as a distinct step in the chain of change events or as an asynchronous sequence of change events.

[…]

By default the concept of observation is transitively forwarded; observing a keypath of \A.b.c.d means that if the field .b is Observable that is registered with an observer to track \B.c.d and so on. This means that graphs of observations can be tracked such that any set of changes are forwarded as an event.

[…]

The ObservationTracking mechanism is the primary interface designed for the purposes to interoperate with SwiftUI. Views will register via the withTracking method such that if in the execution of body any field is accessed in an Observable that field is registered into the access set that will be indicated in the handler passed to the addChangeHandler function. If at any point in time that handler needs to be directly invalidated the invalidate function can be invoked; which will remove all change handlers registered to the Observable instances under the tracking.

[…]

A default implementation can be accomplished in generality by a type wrapper that intercepts the modifications of any field on the Observable. The type wrapper DefaultObservable provides default implementations for the type where the associated Observation type is ObservationTracking.Token. This means that developers have the flexibility of an easy to use interface that progressively allows for more and more detailed control: starting from mere annotation that grants general observability, progressing to delegation to a storage mechanism that manages registering and unregistering observers, to full control of observation.

David Smith:

There’s a number of issues we ran into with KVO, all around concurrency[…]

David Smith:

Philippe’s new ObservationTracking machinery reads like a shippable spiritual successor to that hack.

UNAlertStyle Restricted

Patrick Wardle:

If a tool notifies the user via macOS’s notification center the style can no longer be programmatically set to alert …only banner.

Banners are automatically dismissed which breaks security alert requiring user interaction! 🥲

Note: Apple’s apps can send alerts by default 🤪

It’s frustrating how API limitations like this tend not to get announced or documented.

Thomas Reed:

I’ve always argued against a custom alert pop-up implementation in Malwarebytes for Mac, favoring native notifications instead. But if the user can now miss an important alert about an infection, that’s going to change the equation. 😕

C xor C++ Programming

Aaron Ballman (PDF via John Regehr, Steve Canon):

It is not uncommon to hear about C/C++ programming as a shorthand for “C and C++” programming. This implies that C and C++ are similar, but distinct, programming languages with the obvious interpretation being that C++ is a proper superset of C. However, this does not accurately describe the situation. The C++ programming language is inspired by the C programming language and supports much of the syntax and semantics of C, but is not a superset that is built on top of C. Despite sharing a historical relationship to one another, the languages have evolved independently and are specified in separate language standards. Due to this separation of the two specifications, incompatibilities have crept into the shared space of code that can be compiled by either a C compiler or a C++ compiler.

This document enumerates instances where the same source code has different meaning when compiled with C and C++ implementations. Such source code is often a pain point for users and implementers because it represents a “sharp edge” in both languages, especially if the code appears in a header file that may be compiled in separate C and C++ translation units.

Wednesday, December 14, 2022

Apple Considering Dropping WebKit Requirement

Joe Rossignol (Hacker News, Reddit):

As part of a larger story about Apple’s plans to allow third-party app stores on the iPhone and iPad in EU countries, Bloomberg’s Mark Gurman claimed that Apple is also considering removing its requirement for iPhone and iPad web browsers to use WebKit, the open source browser engine that powers Safari.

Gurman said this potential change comes in response to the EU’s Digital Markets Act. It’s unclear if Apple would drop the requirement in other regions.

Previously:

Apple Working on Sideloading for Europe

Juli Clover (Hacker News, Ars Technica, Slashdot):

Apple is planning to allow for alternate app stores on iPhones and iPads ahead of European legislation that will require the company to support sideloading, reports Bloomberg.

The change would allow customers to download apps without needing to use the App Store, which would mean developers would not need to pay Apple’s 15 to 30 percent fees, but to start with, Apple is only planning to implement sideloading support in Europe.

[…]

To protect users from the aforementioned risks of sideloading, Apple is considering implementing security requirements such as verification, a process that it could charge a fee for in lieu of collecting money from app sales. Apple has a verification system on Mac that allows users to be safe while giving them access to apps outside of the Mac App Store.

M.G. Siegler:

But the larger element here may be that last bit: Apple’s own 15% — 30% cut in the App Store. To me, any changes here beyond the EU mandate would point to Apple’s attempt to hold on to this revenue for dear life. Revenue which can be directly tied to Nintendo creating physical videogame cartridges for Hudson back in the day. I’m serious, that’s where the 30% cut originated. It was a more reasonable 10% licensing fee, which got bumped another 20% for Nintendo taking on this manufacturing work. It should go without saying that Apple does no such work.² Yet 30% it remains. Because the iTunes cut was similar and Steve Jobs thought it made sense to keep it simple in those early days when no one had any idea what the App Store would become. It was meant to be a “loss leader”, remember? Yeah…

Anyway, Apple opening up to third-party app stores would take immediate pressure off of their cut in their own App Store. And assuming they do it the right way — probably naive — that feels like a better deal than what we currently have. In other words, Apple will have to compete on a better product and experience for their cut. Sure, they’ll have inherent advantages — namely, the App Store itself would still be pre-installed on iPhones — but it’s a decent enough first step towards actual competition.

Nick Heer:

It will be interesting to see how Apple frames this shift for its European customers. It has spent years claiming its first-party App Store policies are a reason people buy iPhones. While it can continue to promote its own App Store as the best option, it would look silly if it created the impression of reducing security for European users while rolling this out. The same is true of its privacy stance if, as also reported by Gurman, it makes its Find My network more permissive to third-party trackers. Apple may also want to preserve its existing strategy wherever regulators do not require its software and services to be more interoperable, but that could make it look like European customers have more choices than users in, say, the United States — which they probably will.

Riley Testut (Mastodon):

And it wouldn’t be just Meta — every app store would want exclusive apps to compete. And because literally all iOS apps are currently in the App Store, there’s simply no way to amass a competitive app library fast enough without poaching App Store apps.

[…]

So yes, it’s a choice — but the choice is NOT “do I use 3rd party stores to get cool new apps”

Instead it’s: do I use 3rd party stores just to keep using my current apps

This assumes that Apple won’t do something to really discourage the use of alternate app stores and also that the big apps would find it worthwhile to leave the built-in store (which they have not done on Android). It’s fascinating how there’s no consensus on what would happen.

Optimistically, the mere possibility that apps could jump to alternate stores might force Apple to make the App Store better for developers. However, we have nearly 15 years of experience showing a reluctance to do that, and it would be easier to get the same result by making other stores worse.

Rui Carmo:

What I would really like to see is a way for me to install and run my own apps without paying for a developer account and/or having to re-sign them every few days, and I can’t see that clearly spelled out yet.

I know Apple doesn’t really get this, but the inability to develop private applications for the hardware you own without jumping through arbitrary hoops is what keeps people like me from actively developing for the platform (and it is also why I keep dabbling with Android devices).

Previously:

Update (2022-12-16): Michael Love:

They haven’t on Android, despite increasingly onerous restrictions from Google. They might offer a different or better experience for a new non-App-Store app, but no social network wants to put up an additional barrier for new users or risk losing existing ones.

A good basic assumption for sideloading is that everybody who has a successful business on the App Store will keep their app available there; the difference will be a) new apps / business models Apple doesn’t allow and b) experimental sideloaded versions of existing apps.

I’m as militant an App Store opponent as they come and I would never remove or degrade my App Store app unless Apple forced me to; I might, however, offer better pricing or new exclusive features as an inducement to sideload.

Damien Petrilli:

Facebook, WhatsApp, Instagram, Snapchat, etc didn’t leave the Google Play Store so it’s not going to happen on iOS

Sure but did Google screw them by restricting ads on Android?

Nope. So I wouldn’t bet the incentives are similar on iOS.

Tim Sweeney:

If developers leave the App Store once they’re free to, it’s because it’s a mediocre store with massively inflated payment processing fees. That’s Apple’s own fault.

Joe Rossignol:

In a research note this week, a trio of analysts at investment bank Morgan Stanley argued that third-party app stores and sideloading would pose a “limited risk” to both App Store revenue and Apple’s overall revenue given that iPhone users have “long prioritized the security, centralization, and convenience that the App Store brings.”

John Gruber:

I think whatever Apple is devising to comply with this law, they’re still going to demand a commission on digital purchases.

[…]

I don’t think the DMA requires Apple or Google to allow third-party in-app payment processing from which they don’t require a commission. I say “think” because the DMA is well over 100 pages, and, well, to my eyes, written in opaque bureaucratic language.

[…]

The E.U.’s intent, I think, is to say that Apple can still require apps be submitted for approval, whether they’re going to be distributed outside the App Store or not. But doesn’t that defeat the entire point? Anyone who is hoping that the DMA is going to force Apple to allow any and all third-party software you can imagine — more or less requiring Apple to treat iOS like it does MacOS — is, I think, setting themselves up for disappointment. That’s certainly not what Apple wants or thinks would be best for (most) iOS users, and I don’t think it’s what the DMA mandates.

[…]

If this comes to pass, I foresee a byzantine approval system imposed by Apple even if Apple comes into it with nothing but the best intentions. That is to say, even if Apple’s attitude is to make third-party app stores as appealing and useful as possible, the approval process would still come with requirements and contractual obligations that very few companies could comply with. And I somehow doubt that Apple’s attitude would be “let’s make third-party app stores as appealing and useful as possible”. What happens if Apple makes both running and using third-party app stores as unappealing as possible under the law?

Jason Snell:

My guess is that Apple will add a switch to the Settings app (probably buried down deep, behind a sign saying Beware of the Leopard) that enables the installation of non-App Store apps. (This is what Android does.) Apple will probably give it a name like “Allow Untrusted Apps” or something similarly scary and will undoubtedly follow any attempt to turn it on with a scary alert on the level of “This App May Kill You”.

[…]

I really have a hard time seeing most members of the public turning off App Store protections and installing separate App Stores. Yes, it will happen, but the Play Store is still the place to be on Android, despite its long-time support for sideloading. In fact, Android developers have found that leaving the Play Store and going it alone is quite bad for business. Bet on the status quo.

[…]

While so much attention has been given to the squabbling of large tech companies over their cuts of millions of dollars, I’m much more excited about the idea that there are numerous apps that currently can’t exist on iOS because Apple has deemed them unacceptable for policy reasons, many of them inscrutable.

[…]

But let’s not forget the chilling effect Apple’s policies have had on iOS software development. How many amazing, groundbreaking, platform-changing apps have simply not been pursued by developers because if they’re rejected by Apple, there’s nowhere for those apps to go?

Michael Love:

Interesting tidbits not in the Gurman piece:

  • Sounds very much like sideloading, not just alternate stores
  • Apple is considering launching this worldwide and not just in Europe (!)

See also: Accidental Tech Podcast.

Update (2022-12-23): Tanner Bennett:

So the takeaway here is that if you have ANY security concerns about third party stores (more data collection, running forever in the background, etc) then those concerns are simply security holes in the OS itself that Apple needs to address.

App stores do not provide security.

David Barnard:

EU Regulation : Apple = App Review : Developers

Apple is getting a taste of its own medicine having to deal with a laundry list of opaque rules that may or may not be enforced, may or may not be interpreted as expected, may or may not be rewritten over time by new precedent, etc

The Sub Club Podcast:

On the podcast we talk with John [Gruber] about the far reaching implications of the European Union’s Digital Markets Act, how app developers should be thinking about the opportunities created, and why Apple making so much money from the App Store might be bad for Apple long-term.

Ryan Jones:

Pretty sure Apple loves DMA.

  1. They’ll charge 27% for IP, require Notarization, and have scary warnings.
  2. No one will use it.
  3. They get to comply while giving up nothing, ensuring it fails, and “prove” regulation and side-loading wrong.

Damien Petrilli:

We have seen 2 interesting things this weekend.

  1. Gumroad increased their price to 10% and are seeing creators leaving their service because it’s too high.
  2. Twitter tried to lock users in and pushed a lot of new users to Mastodon as a result.

We just had 2 live experiments of what happens when you apply some of the 2 worst rules of the App Store in a competing market. In both cases, outrage & competition rise.

Apple can still afford to apply those rules because they locked out the competition.

Reddit Photo Album Overflows Int32

wejustcallitfood (via Hacker News):

Congratulations to our -2,147,483,648 post!

Xcode 14.2

Apple (download, command-line tools, additional tools):

Xcode 14.2 includes Swift 5.7 and SDKs for iOS 16.2, iPadOS 16.2, tvOS 16.1, watchOS 9.1, and macOS Ventura 13.1. The Xcode 14.2 release supports on-device debugging in iOS 11 and later, tvOS 11 and later, and watchOS 4 and later. Xcode 14.2 requires a Mac running macOS Monterey 12.5 or later.

I don’t see anything about it in the release notes, but fingers crossed this fixes the bug I’ve been seeing where changes to some source files don’t get compiled into the final binary unless I do a clean build. I keep seeing “impossible” behavior only to realize that it’s because old code is running.

Daniel Kennett:

I had a quick spelunk and there’s a user defaults key that looks promising for turning off these adverts Apple has put into Xcode 🤞

defaults write com.apple.dt.Xcode XcodeCloudUpsellPromptEnabled -bool false

Previously:

Tuesday, December 13, 2022

Swift Pitch: Predicates

Jeremy Schonfeld:

We propose creating a new value type, Predicate, as part of the FoundationEssentials package, that addresses these problems. These new constructions of predicates will be expressed using standard Swift syntax elements and are fully type-checked by the compiler. This allows us to design Predicate to be type safe, readily archivable and Sendable, and integrated with Swift development environments.

Aside from type-safety with respect to the object being tested, this could also potentially address the problem where it’s not clear which APIs support which types of NSPredicates.

Debbie Goldsmith and Jeremy Schonfeld:

The current design proposes that any developers that need to expand or restrict the set of allowed expressions in their predicate-accepting APIs need to declare their own predicate types with corresponding macros.

Previously:

macOS 13.1

Juli Clover (release notes, security, enterprise, developer, full installer, IPSW):

Today’s macOS Ventura update introduces the Freeform app, designed to allow users to sketch, draw, and write on a blank whiteboard-style canvas that can be used with friends and colleagues. It also includes Advanced Data Protection for iCloud, expanding end-to-end encryption to iCloud Backup, Notes, Photos, and more.

There are improvements to search in Messages, an option to play a sound in the Find My app to locate AirTags, AirPods Pro, and Find My network accessories, plus there are several bug fixes.

Howard Oakley:

Those using network Locations will be delighted to see that this feature has been restored to System Settings.

See also: Mr. Macintosh.

Previously:

Update (2022-12-14): Howard Oakley:

Significant changes to the version and build number of bundled apps include[…]

Matthias Gansrigler:

[C]onfiguration of 3rd-party widgets is broken[…]

Jeff Johnson:

I’ve discovered that macOS updates do remove Rosetta for everyone, but they also silently reinstall Rosetta. Or attempt to reinstall. The attempts always fail for me, because I have Little Snitch installed.

[…]

So this appears to be fixed now in Ventura!

iOS 16.2 and iPadOS 16.2

Juli Clover (security, developer):

Today’s iOS 16.2 and iPadOS 16.2 updates bring several notable features to iOS 16 and iPadOS 16, including the Freeform app, which is a sort of digital whiteboard that you can use for anything, while also working collaboratively with friends and colleagues.

It includes the Apple Music karaoke feature called “Sing,” it introduces Advanced Data Protection for end-to-end encryption for more iCloud features, plus more. On the iPad, the update brings support for external displays on M1 and M2 iPads.

Federico Viticci:

With today’s release of iPadOS 16.2, the idea behind Stage Manager achieves the full vision first presented in June, while its design and technical implementation remain stuck in an unpolished, half-baked state. Which is to say: conceptually, I love that Stage Manager in iPadOS 16.2 allows me to extend my iPad to an external display and put four additional windows on it; I’ve waited years for this feature, and it’s finally here. Technically speaking, however, the performance of this mode leaves a lot to be desired, with frequent crashes on my iPad Pro and an oft-confusing design that, I will reiterate, needs a rethinking.

Jason Snell:

Freeform is fun. It’s got a bunch of rough edges that I hope can be sanded out over time as it grows and evolves, but I love the idea that Apple decided that its collaboration tools (and, by extension, its platforms) really needed a free space for individuals and groups to use as an infinite sheet of Internet-connected note paper.

[…]

My complaints about Freeform are mostly about how it frequently just didn’t do what I wanted it to do. Sometimes tapping an object and dragging would move it on the canvas, while other times it would lift a copy of the item for me to drag around… but when I dropped it elsewhere in the app, nothing would happen. Sometimes I could drag an image on a shape to automatically use the shape as a mask for the image… other times it just didn’t work. I can crop imported photos, but not videos.

Previously:

Update (2022-12-14): Rui Carmo:

For the first time in years, I can take an iPad to my office, plug it into the same monitor I use with any of my computers and trust it will be usable for actual work[…]

[…]

It’s buggier than a bait store. At noontime, in Summer.

Juli Clover:

With the launch of iOS 16.2, Apple is expanding an AirDrop limitation that was introduced in China with the launch of iOS 16.1.1. Going forward, AirDrop will be primarily restricted to Contacts Only, and the option to turn on AirDrop for “Everyone” will be limited to 10 minutes.

John Gruber (tweet):

I wonder, though, whether “Everyone all the time” should have remained an option alongside “Everyone for 10 minutes” — it does seem like some people (schools for example) make good use of keeping AirDrop open always.

Previously:

Update (2022-12-23): See also: Hacker News (on Freeform).

Apple Pay Expiration Dates

Adam Engst:

Apple Pay’s tokenization process prevents Stripe, our payment processor, from knowing the expiration date for the actual card. Instead, Stripe—and the Paid Memberships Pro plug-in that we use to manage TidBITS accounts—displays a seemingly random expiration date from the tokenized card. The problem is purely cosmetic and doesn’t block transactions in any way.

[…]

This date quirk is the first downside of using Apple Pay instead of a straight credit card transaction that I’ve seen. In all other ways, Apple Pay’s tokenization of credit card data is a good thing because it significantly increases security.

The Verse Programming Language

Simon Peyton Jones (via Ian Kettlewell, Hacker News, slides):

Since joining Epic Games in late 2021, I have been involved in the design and development of Verse, a new, declarative programming language that Epic plans to use as the language of the metaverse.

Verse is a functional logic language, with a bunch of innovative ideas. Like Haskell Verse is declarative (a variable in Verse stands for just one, immutable value), and higher order (lambdas are first class). But Verse goes well beyond Haskell, with existential variables, unification, expressions that yield multiple values, and more besides. In this talk I’ll give you a sense of what functional logic programming is about, what it looks like to program in Verse, and how we can give meaning to Verse programs using rewrite rules.

Simon Peyton Jones (PDF):

Functional logic languages have a rich literature, but it is tricky to give them a satisfying semantics. In this paper we describe the Verse calculus, VC, a new core calculus for functional logical programming. Our main contribution is to equip VC with a small-step rewrite semantics, so that we can reason about a VC program in the same way as one does with lambda calculus; that is, by applying successive rewrites to it.

This unpublished draft describes our current thinking about Verse.

Dan Luu:

Interesting to compare [Sweeney (2005)] to [Jones et al. (2022)] to see how the thinking about Epic’s new language has evolved over almost two decades.

There’s obviously a lot of new stuff, but some of the core ideas from 2005 are still there, e.g., […] “Transactions are the only plausible solution to concurrent mutable state.”

[…]

At a meta level, it’s a bit surreal to see a game company fund a two decade research effort into a new language at a time when classic industrial research labs like IBM Research, MSR, Bell Labs, etc., have been severely defunded or shifted much of their focus to shorter-term projects or both.

Monday, December 12, 2022

Blog Updates (Late 2022)

Over the last month or two I’ve made several improvements to this blog:

Hopefully, none of these changes has introduced any new problems. If you see anything wrong, please let me know.

Previously:

The Swifty Future of Foundation

Tony Parker (tweet):

The swift-corelibs-foundation project helped launch the open source Swift version of Foundation in 2016, wrapping a Swift layer around the preexisting, open source C implementation of Foundation.

[…]

Today, we are announcing a new open source Foundation project, written in Swift, for Swift.

[…]

With a native Swift implementation of Foundation, the framework no longer pays conversion costs between C and Swift, resulting in faster performance.

[…]

Multiple implementations of any API risks divergent behavior and ultimately bugs when moving code across platforms. This new Foundation package will serve as the core of a single, canonical implementation of Foundation, regardless of platform.

[…]

Open source projects are at their best when the community of users can participate and become a community of developers. A new, open contribution process will be available to enable all developers to contribute new API to Foundation.

This sounds great. My understanding is that Foundation started as Objective-C and was re-written for Mac OS X to wrap Core Foundation, where possible—much like swift-corelibs-foundation wraps CF in Swift. This added some overhead but unified the implementations. Since then, Foundation has been rewritten back into Objective-C, which made it faster. Now, it sounds like the plan is to rewrite it in Swift and extend Swift to allow Objective-C to call the Swift implementation of the old API.

Tony Parker:

We’ve prototyped this approach and are pretty sure it will work out well. A reimplementation of Calendar in Swift is 1.5x to 18x as fast as the C one (calling from Swift in various synthetic benchmarks like creation, date calculation). And it’s completely compatible with the existing C and ObjC entry points, too.

David Smith:

This means that now

  • Foundation has the option to use a memory safe language internally
  • Most system components that Foundation depends on have the option to use a memory safe language internally
  • Embedded environments like the Secure Enclave can use Swift
  • Pure-Swift processes use less memory
  • Swift Strings use less memory and are faster
  • Swift WebAssembly programs can be much smaller to download
  • NSString<->String bridging can use Foundation/CoreFoundation internals directly, resulting in some speedups

Tony Parker:

Many of Foundation’s features have been subsumed by direct support in the language. These types are currently not planned to be brought forward into the new package[…] On Darwin, the Foundation framework will continue to maintain implementations for these types in a combination of C, Objective-C and Swift.

It seems somewhat undetermined what the plan is for functionality in the old types that is not available elsewhere.

Previously:

Update (2023-01-12): See also: Sergio De Simone (via Hacker News).

CleanShot X 4.5

MTW (via Ryan Jones):

  • ✨ Introducing Background Tool in Annotate - easily create beautiful social media posts that stand out from others
  • 🎨 Crop Tool will now recognize background color - automatically detects background color when you expand the canvas
  • 🗑️ You can now remove files from Capture History
  • 🔍 Added filter option to Capture History

It’s $29 for one year of updates or $8/month with unlimited cloud storage.

Previously:

FTC Sues Microsoft to Block Activision Blizzard Purchase

Federal Trade Commission (via Hacker News):

The Federal Trade Commission is seeking to block technology giant Microsoft Corp. from acquiring leading video game developer Activision Blizzard, Inc. and its blockbuster gaming franchises such as Call of Duty, alleging that the $69 billion deal, Microsoft’s largest ever and the largest ever in the video gaming industry, would enable Microsoft to suppress competitors to its Xbox gaming consoles and its rapidly growing subscription content and cloud-gaming business.

In a complaint issued today, the FTC pointed to Microsoft’s record of acquiring and using valuable gaming content to suppress competition from rival consoles, including its acquisition of ZeniMax, parent company of Bethesda Softworks (a well-known game developer). Microsoft decided to make several of Bethesda’s titles including Starfield and Redfall Microsoft exclusives despite assurances it had given to European antitrust authorities that it had no incentive to withhold games from rival consoles.

Tom Warren and Jay Peters:

“We continue to believe that this deal will expand competition and create more opportunities for gamers and game developers,” Brad Smith, Microsoft’s vice chair and president, said in a statement to The Verge.

[…]

Microsoft offered Sony a 10-year deal on new Call of Duty games last month, but Sony hasn’t yet accepted the offer. A similar deal was agreed upon between Nintendo and Valve, though. It could see Call of Duty heading to Nintendo consoles if the Activision Blizzard deal is approved.

John Gruber:

We’ll see how it plays out, but my gut feeling is that this is a mistake on the FTC’s part. The video game industry is incredibly competitive today. Yes, Xbox and PlayStation are the only two high-end consoles, but the Switch is quite arguably Nintendo’s most successful platform ever. And it’s not like Sony is some shrinking violet and lacks for its own exclusive titles. Exclusive titles are a big part of competition. It’s also the case that the dominant players in console and PC gaming are not the dominant players in mobile gaming (Apple and Google).

Florian Mueller:

I’m even more disappointed in what’s going on now, with the FTC wasting resources and losing credibility only because of some decision makers’ desire to be seen as boldly anti-Big Tech. And it isn’t even really anti-Big Tech because Microsoft’s proposed acquisition of Activision Blizzard (NASDAQ:ATVI) has the potential to contribute enormously to a level playing field in mobile app distribution, ultimately benefiting the little guys.

[…]

In yesterday’s analysis of the complaint, I explained that the FTC hasn’t lied here--but it is fair to say that the FTC, which is hard pressed to find any argument for blocking a totally lawful and even procompetitive merger, has misled a lot of people into thinking that Microsoft walked back on a promise on which the clearance of a previous game studio acquisition depended.

Microsoft published a document (PDF) that explains what exactly happened around that acquisition: Microsoft kept its word.

Previously:

Update (2022-12-26): Florian Mueller:

Yesterday, Insider Gaming reported something that could play quite a role in the various regulatory reviews of Microsoft’s acquisition of Activision Blizzard King. According to unnamed Sony-internal sources, PlayStation chief Jim Ryan said at an employee Q&A Microsoft’s Xbox Game Pass offering doesn’t worry him in the slightest[…]

Thursday, December 8, 2022

Firefox Translations Extension

Mozilla (via Hacker News):

Firefox Translations provides automated translation of web content. Unlike cloud-based alternatives, translation is done locally, on the client-side, so that the text being translated does not leave your machine.

Previously:

Hot Bag MacBook

Sam Rowlands:

Have you ever travelled somewhere to find that your MacBook is nice and warm, with next to no battery left? If so, these are the common causes of a “Hot Bag MacBook” that we’ve found so far.

His Sleep Aid app can also help determine what caused the laptop to wake unexpectedly.

Unsplash+

Unsplash:

We are excited to announce the launch of Unsplash+. An Unsplash+ subscription gives you access to curated content that is royalty-free and available for commercial use. Members will get access to a constantly growing library of premium visuals that are not available in the free Unsplash library, and enjoy an ad-free experience on Unsplash.com.

Nick Heer:

In March 2021, the stock photography giant Getty Images acquired free stock photo site Unsplash. Unsplash said it would remain free under its new ownership.

[…]

Still, the way Unsplash rolled this out makes using the site more frustrating if you are not a subscriber. A typical search results page now mixes Unsplash’s classic free-to-use images with “Plus” images.

Wednesday, December 7, 2022

Advanced Data Protection for iCloud

Apple (MacRumors, Hacker News):

Apple today introduced three advanced security features focused on protecting against threats to user data in the cloud, representing the next step in its ongoing effort to provide users with even stronger ways to protect their data.

[…]

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.” For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud.

John Gruber:

It’s off by default, primarily, I believe, for customer support reasons. With standard iCloud data protection, customer data is encrypted in transit and in storage on iCloud’s servers, but Apple holds keys that can be used for recovery in case a customer loses access to their account.

I’m guessing it also can’t be enabled if your account has devices with older OS versions, though I haven’t seen any documentation about this.

Apple:

Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.

With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 23 and includes your iCloud Backup, Photos, Notes, and more.

This also finally makes iMessage actually end-to-end encrypted because the cloud backup that stores the key is now end-to-end encrypted, too. Of course, your messages are only actually protected if everyone that you message with opts in.

If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key.

It seems not great that it’s all protected by the device passcode. Mine is shorter than I’d like because I have to thumb-tap it in frequently when Face ID fails. Presumably there’s a key stored in the cloud in case I lose all my devices, and I wish that could be encrypted with a longer password. [Update (2022-12-08): Apple doesn’t quite say this in writing, but the video with Federighi strongly implies that a passcode is not enough; if you lose your trusted device you need a recovery contact or recovery key.]

Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.

[…]

iWork collaboration, the Shared Albums feature in Photos, and sharing content with “anyone with a link,” do not support Advanced Data Protection. When you use these features, the encryption keys for the shared content are securely uploaded to Apple data centers so that iCloud can facilitate real-time collaboration or web sharing. This means the shared content is not end-to-end encrypted, even when Advanced Data Protection is enabled.

[…]

When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. You have the option to turn on data access on iCloud.com, which allows the web browser that you're using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.

Robert McMillan and Joanna Stern:

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

[…]

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said.

Possible next steps:

Previously:

Update (2022-12-14): Rosyna Keller:

The new optional end-to-end encryption features require that you have all devices using an iCloud account be on iOS 16.2/macOS 13.1/watchOS 9.2/audioOS 16.2/iCloud for Windows vNext/et fam or later. If a device doesn’t comply, you must de-iCloud it.

Matthew Green (tweet):

While every single one of these is exciting, one announcement stands above the others. This is Apple’s decision to roll out (opt-in) end-to-end encryption for iCloud backups. While this is only one partial step in the right direction, it’s still a huge and decisive step — one that I think will substantially raise the bar for cloud security across the whole industry.

[…]

I am struggling to try to find an analogy for how crazy this is. Imagine your country held a national referendum to decide whether most citizens should be compelled to photocopy their private photos and store them in a centralized library — one that was available to both police and motivated criminals alike. Would anyone vote in favor of that, even if there was technically an annoying way to opt out? As ridiculous as this sounds, it’s effectively what we’ve done to ourselves over the past ten years: but of course we didn’t choose any of it. A handful of Silicon Valley executives made the choice for us, in pursuit of adoption metrics and a “magical” user experience.

[…]

I wish I could tell you that Apple’s announcement today is the end of the story, and now all of your private data will be magically protected — from hackers, abusive partners and the government. But that is not how things work.

Dan Moren:

But as good as those protections are, there are still a few more places where the company could enact additional security and privacy measures to help make sure that your data stays in your control.

Sami Fathi:

While privacy groups and apps applaud Apple for the expansion of end-to-end encryption in iCloud, governments have reacted differently. In a statement to The Washington Post, the FBI, the largest intelligence agency in the world, said it’s “deeply concerned with the threat end-to-end and user-only-access encryption pose.” Speaking generally about end-to-end encryption like Apple’s Advanced Data Protection feature, the bureau said that it makes it harder for the agency to do its work and that it requests “lawful access by design.”

See also: MacRumors, Slashdot, TidBITS.

Security Keys for Apple ID

Apple (MacRumors):

Apple introduced two-factor authentication for Apple ID in 2015. Today, with more than 95 percent of active iCloud accounts using this protection, it is the most widely used two-factor account security system in the world that we’re aware of. Now with Security Keys, users will have the choice to make use of third-party hardware security keys to enhance this protection. This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government. For users who opt in, Security Keys strengthens Apple’s two-factor authentication by requiring a hardware security key as one of the two factors. This takes our two-factor authentication even further, preventing even an advanced attacker from obtaining a user’s second factor in a phishing scam.

Apple (via Maxwell Swadling):

A recovery key is a randomly generated 28-character code that you can use to help reset your password or regain access to your Apple ID. While it’s not required, using a recovery key improves the security of your account by putting you in control of resetting your password. Creating a recovery key turns off account recovery. Account recovery is a process that would otherwise help you get back into your Apple ID account when you don’t have enough information to reset your password.

Previously:

Apple Abandons CSAM Scanning

Apple (via MacRumors):

After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021. We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.

This is kind of surprising because it seemed designed to work on-device, alongside the end-to-end encrypted iCloud Photo Library that just arrived.

Lily Hay Newman:

The company told WIRED that while it is not ready to announce a specific timeline for expanding its Communication Safety features, the company is working on adding the ability to detect nudity in videos sent through Messages when the protection is enabled. The company also plans to expand the offering beyond Messages to its other communication applications. Ultimately, the goal is to make it possible for third-party developers to incorporate the Communication Safety tools into their own applications.

Previously:

Update (2022-12-14): See also: Slashdot.

MarsEdit 5

Daniel Jalkut (tweet):

MarsEdit 5 features a beautiful new icon, a “Microposting” feature for streamlined short-form blogging, enhanced plain-text editing with built-in Markdown syntax highlighting, a completely rebuilt rich text editor based on Apple’s latest WebKit2 technologies, and a variety of nuanced improvements to make your blogging workflow smoother, and more enjoyable than ever.

It costs $59.95 for new users or $29.95 to upgrade.

I like the new find bar and the smaller font for the metadata at the top of the window, as this lets me see more tags before they get clipped.

The new New Micropost command has a default shortcut of Command-Control-P, which overrides my longstanding shortcut for formatting with <p> tags. I was able to change that in System Settings, and then my shortcut worked again.

The Edit with BBEdit feature seems to be broken—MarsEdit doesn’t detect when I close the BBEdit window—but hopefully can be fixed soon. (I think it’s an interaction between BBEdit’s sandboxing and MarsEdit’s new bundle identifier.)

Previously:

Update (2022-12-14): Daniel Jalkut:

It’s been an exhilarating week releasing @MarsEdit 5. The last thing I expected was that I’d be facing the end of the week still wondering why the app is stuck in Mac App Store app review. Unfortunately I don’t know when or if it will be approved. The opacity is very frustrating.

Daniel Jalkut:

MarsEdit 5.0.1 is now available on the MarsEdit site and on the Mac App Store.

BBEdit 14.6.2:

Added MarsEdit 5’s bundle ID to the sandboxing entitlements, so that its “Edit in BBEdit” support works correctly.

Tuesday, December 6, 2022

Capture One Encourages Subscriptions

Jack Williams:

After 1st February 2023, new perpetual license purchases will not receive any feature updates (16.x)

This means that any updates containing new features and functionality will not be included in your license purchase. However, bug fixes and optimizations will be included (16.x.x) until a new paid version is released (16.x).

Finally as a subscription license always provides you with access to the latest version, subscribers will also not be affected by these changes.

[…]

The changes we are making allow us to shift to the latest software development practices without removing perpetual licenses altogether. While over half of our users are on a subscription and close to 80% of new users choose a subscription, we still understand that perpetual licenses are important for many of you. That’s why we’re committed to keeping the option open.

I don’t understand the point of doing feature updates throughout the year but withholding them from certain customers. The stated goal is to move faster, but, if anything, this would create extra development work because now bug fixes might need to be applied on top of two different branches. It seems as though the actual goal was to discourage people from purchasing perpetual licenses without getting rid of them entirely. It also sounds like they are changing the deal for people who recently bought upgrades thinking they would get a year’s worth of features, as before.

Previously:

AirTag Stalking Class Action Lawsuit

Ashley Belanger (Hacker News, MacRumors):

Confronted by police reports and concerns from privacy advocates, Apple released updates in February, claiming that new features would mitigate reported stalking risks. Stalking reports kept coming, though, and it increasingly seemed to victims that Apple had not done enough to adequately secure AirTags. Now, Apple is being sued by two women who claim that the company is still marketing a “dangerous” product.

[…]

Plaintiffs suing represent various stalked classes. They are asking for a jury to assess whether, in addition to injunctive relief and damages, Apple should owe punitive damages for allegedly releasing a defective product with insufficient safeguards to prevent stalking, then profiting off sales after allegedly misleading the public to believe AirTags were “stalker-proof.”

[…]

One of the earliest solutions from Apple was providing text-based notifications for iOS users, alerting them when there was an “AirTag Found Moving With You.” However, users couldn’t always trust this alert was accurate—or referring to an AirTag device located near them in a crowd—and they couldn’t always find the tracking device, even if they knew it existed. For Android users, the situation was even bleaker because Apple had no way to send automatic alerts. Android users, thus, became “nearly defenseless to tracking/stalking using an AirTag,” because the only way to find out was to proactively download an app called Tracker Detect and manually search for AirTags.

It doesn’t seem to me that the product is defective or that there’s something Apple should be doing but isn’t. There’s no way to fully prevent malicious uses, and they already made AirTag less useful in trying to reduce them.

Previously:

Smaller App Store Pricing Increments

Apple (Hacker News, MacRumors):

Under the updated App Store pricing system, all developers will have the ability to select from 900 price points, which is nearly 10 times the number of price points previously available for most apps. This includes 600 new price points to choose from, with an additional 100 higher price points available upon request. To provide developers around the world with even more flexibility, price points — which will start as low as $0.29 and, upon request, go up to $10,000 — will offer an enhanced selection of price points, increasing incrementally across price ranges (for example, every $0.10 up to $10; every $0.50 between $10 and $50; etc.).

[…]

In each of the App Store’s 175 storefronts, developers will be able to leverage additional pricing conventions, including those that begin with two repeating digits (e.g., ₩110,000), and will be able to price products beyond $0.99 or €X.99 endings to incorporate rounded price endings (e.g., X.00 or X.90), which are particularly useful for managing bundles and annual plans.

[…]

Today’s enhancements expand upon these capabilities, allowing developers to keep their local currency constant in any storefront of their choice, even as foreign exchange and taxes fluctuate.

This sounds great, although it will be interesting to see what the new lower tiers like $0.29 will be used for.

Previously:

See also: Slashdot.

Update (2022-12-14): Dave Mark:

From Apple’s original App Store developer class action settlement announcement[…]

Damien Petrilli:

Actually I think the small price tier could be very interesting.

Instead of giving a free trial, you could now propose a very low tier weekly subscription.

Previously:

Get Rid of the Apple Pay Setup Badge

Adam Engst:

However, if you’re like me and haven’t set up Apple Pay on your iPad, you might be bothered by the way iPadOS badges the Settings app and constantly reminds you to finish setting up your iPad. I expect that succumbing to iPadOS’s demands and setting up Apple Pay would work, but being nagged triggers my rebellious streak, so I wanted to see if there was a way to eliminate both the badge and reminder without setting up Apple Pay. After all, there may be scenarios where setting up Apple Pay is inappropriate, such as on an iPad that a child frequently uses.

[…]

As soon as you cancel out of the Apple Pay setup screen, the Finish Setting Up Your iPad reminder disappears, along with its red badge on the Settings app icon.

Now, how can I turn off the Apple TV+ and Apple Music ads, and tell iOS that I really don’t want a passcode or Touch ID on a certain device?

Previously:

Monday, December 5, 2022

ChatGPT

OpenAI (Hacker News):

We’ve trained a model called ChatGPT which interacts in a conversational way. The dialogue format makes it possible for ChatGPT to answer followup questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests.

[…]

We are excited to introduce ChatGPT to get users’ feedback and learn about its strengths and weaknesses. During the research preview, usage of ChatGPT is free. Try it now at chat.openai.com.

Ben Thompson (Hacker News):

It happened to be Wednesday night when my daughter, in the midst of preparing for “The Trial of Napoleon” for her European history class, asked for help in her role as Thomas Hobbes, witness for the defense. I put the question to ChatGPT[…] This is a confident answer, complete with supporting evidence and a citation to Hobbes’ work, and it is completely wrong.

[…]

What has been fascinating to watch over the weekend is how those refinements have led to an explosion of interest in OpenAI’s capabilities and a burgeoning awareness of AI’s impending impact on society, despite the fact that the underlying model is the two-year old GPT-3. The critical factor is, I suspect, that ChatGPT is easy to use, and it’s free: it is one thing to read examples of AI output, like we saw when GPT-3 was first released; it’s another to generate those outputs yourself; indeed, there was a similar explosion of interest and awareness when Midjourney made AI-generated art easy and free[…]

[…]

There is one site already on the front-lines in dealing with the impact of ChatGPT: Stack Overflow. Stack Overflow is a site where developers can ask questions about their code or get help in dealing with various development issues; the answers are often code themselves. I suspect this makes Stack Overflow a goldmine for GPT’s models: there is a description of the problem, and adjacent to it code that addresses that problem. The issue, though, is that the correct code comes from experienced developers answering questions and having those questions upvoted by other developers; what happens if ChatGPT starts being used to answer questions?

josh (via Hacker News):

Google is done.

Compare the quality of these responses (ChatGPT)

Gaelan Steele (via Hacker News):

For fun, I had ChatGPT take the free response section of the 2022 AP Computer Science A exam. […] It scored 32/36.

Susannah Skyer Gupta:

Thus far, Jacob and I have hand-crafted (meaning written with just our own brains), the Apparent Software App Store descriptions. That said, I would definitely consider an AI-assisted approach to get started.

[…]

Some indie developers reporting good luck with this approach thus far include Noam Efergan, author of the upcoming Baby Wize app and Johan Forsell, author of BarTab[…]

Previously:

Update (2022-12-14): Dare Obasanjo:

Google employees explain why we haven’t seen ChatGPT like functionality in their products; the cost to serve an AI result is 10x to 100x as high as a regular web search today plus they’re too slow relative to how quick search results must be returned.

Michael Nielsen:

Curious: have you found ChatGPT useful in doing professional work?

If so, what kinds of prompts and answers have been helpful? Detailed examples greatly appreciated!

Steve Worswick:

Apparently it can cite sources, but just makes them up!

Swift Set Intersection Bug

Dave DeLong:

It turns out, there was a bug in Set.intersection(_:), but it had only been discovered this past June, and the fix only applies to macOS Ventura and later (my machine is running Monterey still). The scope of the bug is fairly limited: it only showed up if you were using the general intersection method, and the sequence had “exactly as many duplicate items as items missing from self”. As it turned out, Advent of Code happened to provide me with exactly the right input to hit this multiple times.

Mac Cryptexes

Howard Oakley:

In practice, a cryptex is a sealed Disk Image containing its own file system, which is mounted at a randomly chosen location within the root file system during the boot process. Prior to mounting the cryptex, macOS verifies it matches its seal, thus hasn’t been tampered with.

[…]

A cryptex can contain a wide range of different contents, typically including command tools, system executables, libraries, man pages, apps and frameworks. Many of the system components that used to be stored on the Data volume are now loaded by Ventura in cryptexes, including Safari and all its supporting components, the JavaScriptCore framework, some AMD graphics drivers, and most importantly dyld shared caches (which had been a heavy burden for Big Sur updates).

[…]

Late in the preparation phase of a macOS update, changed cryptexes are installed by ‘ramrod’. These are referred to as Splat, the internal name for the cryptex subsystem. Unlike the rest of a macOS update, these don’t require the full ‘Update Brain’ needed to build a new System snapshot, nor should they require macOS to be rebooted.

Previously:

Powerdir macOS TCC Vulnerability

Juli Clover (in January):

Microsoft’s 365 Defender Research Team this morning published details on a new “Powerdir” macOS vulnerability that let an attacker bypass the Transparency, Consent, and Control technology to gain unauthorized access to protected data.

Apple already addressed the CVE-2021-30970 vulnerability in the macOS Monterey 12.1 update[…]

Jonathan Bar Or:

We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.

[…]

First, Apple protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution. Secondly, Apple enforced a TCC policy that only apps with full disk access can access the TCC.db files.

[…]

While the solution indeed prevents an attack by environment variable poisoning, it does not protect against the core issue. Thus, we set out to investigate: can an app programmatically change the user’s home directory and plant a fake TCC.db file?

Previously:

Friday, December 2, 2022

Stable Diffusion With Core ML on Apple Silicon

Apple (Hacker News):

Today, we are excited to release optimizations to Core ML for Stable Diffusion in macOS 13.1 and iOS 16.2, along with code to get started with deploying to Apple Silicon devices.

[…]

Beyond image generation from text prompts, developers are also discovering other creative uses for Stable Diffusion, such as image editing, in-painting, out-painting, super-resolution, style transfer and even color palette generation.

[…]

To learn more about how we optimized a model of this size and complexity to run on the Apple Neural Engine, you can check out our previous article on Deploying Transformers on the Apple Neural Engine. The optimization principles outlined in the article generalize to Stable Diffusion despite the fact that it is 19x larger than the model studied in the previous article. Optimizing Core ML for Stable Diffusion and simplifying model conversion makes it easier for developers to incorporate this technology in their apps in a privacy-preserving and economically feasible way, while getting the best performance on Apple Silicon.

Core ML Stable Diffusion:

This repository comprises:

  • python_coreml_stable_diffusion, a Python package for converting PyTorch models to Core ML format and performing image generation with Hugging Face diffusers in Python
  • StableDiffusion, a Swift package that developers can add to their Xcode projects as a dependency to deploy image generation capabilities in their apps. The Swift package relies on the Core ML model files generated by python_coreml_stable_diffusion

An M2 MacBook Air is significantly faster than an M1 Pro MacBook Pro.

Previously:

Coinbase Wallet NFT Transfers Blocked From App Store

Coinbase (Hacker News):

You might have noticed you can’t send NFTs on Coinbase Wallet iOS anymore. This is because Apple blocked our last app release until we disabled the feature.

Apple’s claim is that the gas fees required to send NFTs need to be paid through their In-App Purchase system, so that they can collect 30% of the gas fee.

For anyone who understands how NFTs and blockchains work, this is clearly not possible. Apple’s proprietary In-App Purchase system does not support crypto so we couldn’t comply even if we tried.

This is akin to Apple trying to take a cut of fees for every email that gets sent over open Internet protocols.

Note that, even with IAP, apps aren’t allowed to use NFTs to unlock content. So they only have value outside of the app/device. Normally that’s where IAP restrictions don’t apply. You don’t have to use IAP to transfer funds using Venmo or your banking app. You can also use apps to trade stocks without paying Apple 30% of the brokerage’s fee.

Previously:

Study on Research Code Quality and Execution

Ana Trisovic et al. (via Ethan Mollick):

Research code is typically created by a group of scientists and published together with academic papers to facilitate research transparency and reproducibility. For this study, we define ten questions to address aspects impacting research reproducibility and reuse. First, we retrieve and analyze more than 2000 replication datasets with over 9000 unique R files published from 2010 to 2020. Second, we execute the code in a clean runtime environment to assess its ease of reuse. Common coding errors were identified, and some of them were solved with automatic code cleaning to aid code execution. We find that 74% of R files failed to complete without error in the initial execution, while 56% failed when code cleaning was applied, showing that many errors can be prevented with good coding practices. We also analyze the replication datasets from journals’ collections and discuss the impact of the journal policy strictness on the code re-execution rate.

iPhone 14 Repair Changes

Kevin Purdy:

While the iPhone 14 hardware lineup costs largely the same as the previous generation, the cost of replacing the battery has gone up considerably, surpassing the prices Apple was charging before its 2016/2017 “Batterygate” reckoning.

Replacing the battery in any of the iPhone 14 models will cost $99, up from the $69 Apple charges for the 13, 12, 11, and X lines. The newest iPhone SE and iPhones in the 8 and older series cost $49.

Joe Rossignol:

This is a 43% increase to the fee, which includes the cost of a new battery and service by an Apple Store or an Apple Repair Center. iPhone battery replacement fees will vary at third-party Apple Authorized Service Providers.

[…]

Apple’s out-of-warranty service fees have also increased for select other iPhone 14 repairs. For example, in the U.S., Apple charges $379 to fix cracked glass on an iPhone 14 Pro Max’s display, compared to $329 for the same repair on an iPhone 13 Pro Max.

Benjamin Mayo (Hacker News):

As evidenced in this iFixit teardown, Apple has made it much easier to repair the back glass panel. The back glass can now be removed independently of the logic board, making repairs much cheaper. Previously, only the front glass was separably removable. And, it seems Apple is also passing this cost savings onto consumers…

Kyle Wiens:

We are hearing reports that Apple is continuing their hostile path of pairing parts to the phone, requiring activation of the back glass after installation. You really shouldn’t need Apple’s permission to install a sheet of glass on a phone that you already own.

Previously:

Thursday, December 1, 2022

Long App Hangs Due to Spotlight

Whenever I mount a hard drive with lots of files, typically a clone drive, various other apps that deal with files often hang. An individual hang can last for minutes to over half an hour. If the app is doing a long series of file operations, which would normally take fractions of a second, it can be unusable until some time after the drive has been unmounted. This happens even though the apps in question are not accessing files on the hard drive. The problem has been occurring since Monterey but has gotten a lot worse in Ventura. It got to the point where I didn’t want to do any backups during the day since my Mac could essentially become unusable for hours, even after pausing or aborting the backup.

Sampling the hung apps shows that they are waiting (for an XPC process) to read or write Spotlight metadata. I don’t know exactly what’s going on, but it’s as if the newly mounted drive generates lots of potential work for Spotlight to update its index. You would think that each volume would have its own work queue, but it seems like there’s a single queue so that operations for the slow hard drive, which are not time-sensitive, block high-priority operations for the internal SSD. Maybe this is exacerbated by the fact that my clone drives get ejected after the backup completes so that the Spotlight index is always way out of date.

Once I traced the problem to Spotlight, the obvious workaround was to exclude those volumes from indexing. This is, in fact, effective, though it has some problems:

Some drives were stubborn, and I had better luck excluding them from Spotlight using a Mac running macOS 10.14. I hope to eventually get all of my backup drives excluded, at which point I expect the hangs to stop completely.

Previously:

Update (2022-12-02): Nicolai Henriksen:

Aha! That's why! I have a TimeMachine backup disk that makes my entire machine halt completely whenever it is attached. It does not return to normal even when connected overnight. The TM disk was only connected once a week - until I gave up.

Blank File Icons in Ventura

After updating to Ventura, throughout Finder, other apps, and the Dock, all my documents were shown with blank icons. This eventually resolved itself in Finder and in open/save panels, but I still see incorrect icons in apps such as BBEdit, EagleFiler, TextEdit, and the Dock. PDF files show a blank document icon. Text files show the generic Mac text file icon, rather than the document icon from the app that they are set to open in.

This is only occurring on one of my Macs, but I’m not alone. Doing a safe boot, resetting the icon services cache, and rebuilding Launch Services didn’t help. Nor did clearing $TMPDIR and the Caches folders. Unless there’s some other cache I need to reset, this seems like a bug in Ventura. It’s easily reproducible outside of these apps, just by calling NSWorkspace.icon(forFileType:) or NSWorkspace.icon(forFile:).

Update (2022-12-23): vitor:

It’s a Ventura bug. Some of my file types are also affected but it’s not just Alfred, they don’t show up in Spotlight either. Found several reports of this on the web, outside of Alfred results[…]

Vector Icon Speedruns

Marc Edwards:

It’s common to have to draw the same kinds of icons over and over — many different apps and websites use similar glyphs, but each instance typically needs to be tweaked for size and style, so they need to be redrawn.

Due to this repetition, I’ve always been interested in trying to work out optimal ways to create them. This is to save time, but also as a fun challenge.

Marc Edwards:

When viewing my vector icon speedruns, it can be difficult to see precisely what’s going on. Everything happens quickly, with many actions triggered via keyboard shortcuts, and Illustrator’s interface is cropped out of view. That’s just the nature of what they are, which means they provide more entertainment than education.

This article aims to be a director’s commentary for my fountain pen icon speedrun, noting the techniques used, and why they were chosen. I use Adobe Illustrator for all the icon speedruns, but many of the tips are relevant for other design tools.

There are corresponding articles for the pushpin, flag, and fingerprint videos, and also a YouTube channel (via John Gruber).

Eufy Cameras Uploading to Cloud Without Consent

Juli Clover:

Anker’s popular Eufy-branded security cameras appear to be sending some data to the cloud, even when cloud storage is disabled and local only storage settings are turned on.

[…]

According to Moore, he purchased a Eufy Doorbell Dual, which was meant to be a device that stored video recording on device. He found that Eufy is uploading thumbnail images of faces and user information to its cloud service when cloud functionality is not enabled.

[…]

There is also another issue that Moore has highlighted, suggesting Eufy camera streams can be watched live using an app like VLC, but little information on the exploit is available at this time. Moore said that unencrypted Eufy camera content can be accessed without authentication, which is alarming for Eufy users.

Previously:

Several claims have been made against eufy Security over the last couple of weeks. We know the need for more straightforward and timely communications on these issues has frustrated many customers. However, we have been using the last few weeks to research these possible threats and gather all the facts before publicly addressing these claims.

[…]

Below we will attempt to better separate fact from fiction and provide more details on any changes we’ve made to our policies, processes, and security solutions.

Update (2023-02-01): Sean Hollister (via Aaron Pearce, MacRumors):

First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.

It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.