Archive for February 2023

Tuesday, February 28, 2023

Pagi Rejected From the App Store

Lucas (Mastodon, Hacker News):

I found my submission rejected with the following message citing guideline 4.3 Design: Spam of the App Store Review Guidelines[…] I can see how Pagi is similar to other apps in the App Store as it features a full screen text editor, if you dismiss its unique features designed for the morning pages use-case.

The claim that it ‘appears to be similar to another app previously submitted under a terminated Apple Developer Program account’ doesn’t make sense to me. ‘Terminated’ also means that the previously submitted app is not on the App Store anymore. So even if it did appear similar, it shouldn’t be a problem and, by definition, can’t be a duplicate.


They don’t give direction on what to change or improve to get Pagi approved. Instead, they told me to abandon the entire project and start from scratch with another app. Completely dismissing user demand [Users of the Mac version wanted it on iPad.] and all the time it took to build this app.

Apparently, that development time would have been better spent writing yet another authenticator app.

Christopher Atlan:

My sources tell me Google has successfully inserted provocateur agents inside Apple’s App Review team. They are exceeding their goal to discourage indie devs, making these remarkable apps for the Apple platforms.


Update (2023-03-01): Duncan Babbage:

I think you may have been caught up in the wake of an unrelated bad actor.


My strong expectation is this will have been based on analysis of either screenshot or more likely source code similarities automatically flagged in their system for the reviewer, as part of their processes to try and stop bad actors from just creating new accounts and resubmitting when their developer accounts are terminated.


I see all the iOS dev work on the app right up to two weeks ago is also publicly accessible. So it’s quite possible that a bad actor took your recent work and attempted to submit their own iPad app based on it, before your submission.

Duncan Babbage:

I have learned to pay close attention to the word “Specifically,” in a rejection. Relevant here.

Often, the text that precedes the “Specifically” in the same paragraph seems quite clearly irrelevant or even demonstrably wrong for the submission in question. I think it is the boilerplate description from a parent category.

Often the text that comes after “Specifically” is giving much more important information (whether you like it or not) that is much easier to understand when you try to make sense of it after discarding and ignoring the information that came before that word.

Patrick Smith:

They don’t tell Ed Sheeran that his new album is derivative, and so reject it from Apple Music and tell him to make another one. So why do they do that with apps?


I don’t really understand how it happened yet, but I woke up to Pagi being accepted, without any further notice.

Maybe the right eyes saw it and waved it through. I don’t know.


I received a call from them in the afternoon today. They were very nice and clarified the reason for initial rejection. I will write more about it tomorrow.

The short version is that someone seemed to have uploaded a version of Pagi before me. This was possible, because I developed it in public on GitHub.

Update (2023-03-03): Lucas:

The review team initially upheld the rejection, because the information of evidence they found on their side was very obvious. The case eventually got escalated internally, and they were able to verify that I was the original author of the app and accepted my submission.

In case I have the feeling I am in a situation like this again, I should submit an appeal to App Review.

After everything that happened, I am impressed how quickly they acted after they verified that I am the original author. They called me on the same day to apologize and clarify the situation. I appreciate that.


I think it’s a good thing Apple has this process of checking for duplicates to identify bad actors in the App Store. This definitely serves developers, but their communication could have been better. They should have pointed out ways to verify my authenticity instead of the vague messages they sent me.

Update (2023-03-08): Rob Jonson:

Next level AppStore rejection.

2019, Apple refused my attempt to release MultiMonitorWallpaper 2 as a new app.

Today, a minor update to MultiMonitorWallpaper (live since 2012) was rejected “too much like other apps I released”.

They list ‘unused MMW2’ which was never released.

URL Confirmations in Preview

Jeff Johnson:

This permission prompt is new in macOS 13 Ventura. To see it, just Print this web page, Open in Preview, and click any link.

Preview app shipped with Mac OS X 10.0. In fact, Preview was carried over to Mac from NeXTSTEP. I don’t know why, more than 30 years later, Apple decided to add a permission prompt to links in Preview[…]

This follows macOS Sierra adding similar prompts for bookmarklets in Safari. Also, since 2014 or so, custom URL schemes haven’t been clickable in Preview or Help Viewer. They don’t even give you a confirmation alert, just a beep. I ended up making a trampoline page for my apps’ esoteric preferences.


Update (2023-07-31): See also: Pierre Igot.

Update (2024-05-15): Pierre Igot:

This 🤬 dialog, supposedly there for security reasons, gets really old really fast when you have a PDF in Preview that contains tons of links that you have to check. There is, as far as I know, no way to turn it off, so I did the next best thing for me, which is to create a @KeyboardMaestro macro that at least lets me dismiss it with as little effort as possible, i.e. with a simple ⌘click wherever my mouse pointer happens to be (since my finger is already on the mouse button).

PayPal Friends & Family Payments

Mia Sato (in June 2022):

PayPal is putting new limits on a feature in its payment system that allows people to receive money without paying extra fees, the company recently announced. Starting July 28th, only personal PayPal accounts will be able to get funds via Friends & Family, a transaction method intended for trusted recipients.

There are two ways of sending money on PayPal: Friends & Family and Goods & Services. F&F is intended for paying your friend back for dinner, for example, or giving your kid some birthday money — you know who’s receiving the funds and what you’re paying them for. There’s typically no fee involved, but it also drops protections for issues that might come up, like refunds or scams.


With this new change, US business accounts won’t be able to accept fee-free personal payments, and people who use PayPal for their company will need to create a personal account to receive money fee-free from friends and family.

I’m not sure what to make of this because I haven’t been able to receive fee-free personal payments for a long time, probably at least a decade. When I asked about this, PayPal told me it was a consequence of having a business account. They would not let me create a second account for personal use.

Via Adam Chandler:

Paypal’s fee structure is anti-individual and clearly they only want to serve businesses. Venmo, Zelle, Apple Pay Cash and Cash App are superior and PayPal is dead to me.


I did a full refund via PayPal but I noticed that my account was still showing negative $60. It was only when I did some digging did I realize that even though my friend received his full $2,000 back, I was still on the hook for those fees.

This happened to me, too. The sender was led to believe that, because she had chosen Friends & Family, I wouldn’t have to pay any fees. The online documentation seemed to support that view. When that turned out not to be the case, the refund didn’t recover the fees, either.

Venmo works much better, anyway, and I now see lots of local businesses using it. I’m not sure whether this is to avoid fees by falsely classifying the transactions as personal or simply because everyone seems to already have it set up and the experience is better.

Monday, February 27, 2023

Changing Apple ID Password Using Only a Device and Passcode

Joanna Stern and Nicole Nguyen (tweet, Hacker News, MacRumors):

Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.


With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords.


They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password.


A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a far more common target, according to law-enforcement officials.

Of course, once they have access to the Apple ID, they can just turn off Activation Lock.

Apple recently introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.


Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text within images and documents. In the Journal’s tests, a search in the Apple Photos app for “SSN” (Social Security number) and “TIN” (taxpayer identification number) immediately produced a photo of a 1099 tax form with Social Security information that had been stored on the phone.

Joe Rossignol:

I’ve been reporting on Apple for over a decade and I didn’t know or long forgot that you can reset an Apple ID password on an iPhone by simply entering the four-digit passcode – no other steps required!

I’ve always seen the iPhone passcode as a weak point, but I had incorrectly assumed I could protect myself by not putting my Apple ID password into the Apple password manager. I had no idea that the device itself would be treated as verification for the purposes of resetting the password.

I’ve also considered whether it makes sense to have my Apple ID use an e-mail account that’s not configured on the iPhone, so that it wouldn’t be so easy to reset the password and then just read the verification e-mail. However, this is tricky because it seems like, if I’ve enabled iCloud Keychain, the Mac will upload my e-mail passwords to the cloud, anyway. I already exclude my key financial passwords from Apple Passwords, but I need my mail passwords to be in the keychain to be able to use Mail. Is there a way to mark certain passwords as not syncable?



Update (2023-02-27): Jeff Johnson:

I’ve heard, but not verified, that Emergency Reset can bypass Screen Time and still change your Apple ID password.

See also: Dave Mark and Adam Engst.

Update (2023-03-01): See also: The Talk Show.

Update (2023-03-02): It turns out that the ability to reset Apple ID passwords using only an iPhone and passcode was added way back in iOS 11. I blogged about it but at the time was more concerned about the related change to iTunes backups.

Gruber and Arment say that the passcode can always be used as a fallback if Face ID fails, that it’s the master key for everything. This is true for system stuff, but third-party apps have a choice. Apps with sensitive data such as banking apps and password managers can choose to only allow access via biometrics. If Face ID fails, you have to enter the app-specific password. I tested this, and it works correctly, which is great. You can reset Face ID using only the passcode, but that does not give you access to the app data formerly protected via Face ID.

But it seems like there’s a loophole. I was able to add an alternate Face ID appearance using only my passcode (while covering the sensor with my finger). So someone with your phone and your passcode could add their own face to Face ID and then use that to get into your password manager. It seems like you can prevent this by adding yourself as an alternate appearance. Then future Face ID changes would require a reset.

Gruber also notes that if someone takes over your Apple ID account in this way you can lose your data if you’re using end-to-end encryption. Even if you’ve saved the recovery keys or have a recovery contact, those can be revoked by whoever controls your account. Then neither you nor Apple can decrypt the data on their servers. Other devices signed into your Apple ID can also be kicked off, though perhaps they retain caches of some of the data.


Update (2023-03-03): Dave:

If someone steals your iPhone’s passcode and adds an alternate appearance to Face ID on your iPhone, Face ID will be automatically disabled for 1Password and you will be required to enter your account password to re-enable Face ID the next time that you try to unlock the app.

Bank of America handled that the same way for me, but PasswordWallet did not require my password again. Since it seems like the behavior is app-specific, I still think it’s a good idea to configure your own alternate appearance.

Update (2023-03-14): multigreg (via Accidental Tech Podcast):

I set Screen Time restrictions with a passcode, without the option to remove it using AppleID (tapping ‘Cancel’ & ‘Skip’).

When I try the ‘Forgot passcode’ link, it still guides me through the options to enter my AppleID or device password, or find a forgotten AppleID.

John J. Boyer, RIP

James R. Hagerty:

John J. Boyer, raised on a Minnesota farm family with 12 children, was born blind and lost most of his hearing by the time he was 10 years old.

Kelly Meyerhofer (via Hacker News):

Boyer went on to develop a software program that converts written text into Braille, an invention fueled by childhood frustration over too few Braille textbooks to satisfy his scientific curiosity. His work dramatically expanded educational and employment access for the blind.


The National Foundation of the Blind supplied Boyer in college with a translator who took lecture notes and signed them into John’s hand. Boyer himself used no notes, relying completely on memory. His textbooks were transcribed into Braille, but there weren’t graphs of any kind, a challenge for a math major. Still, he graduated second in the college’s class of 1961.

Boyer struggled to find a job out of school. To expand his skillset, he designed his own hearing aid and trained a golden retriever, Sugar, to be his guide dog. He landed some computer programming jobs in Ohio and later at the University of Wisconsin-Parkside.


Boyer developed Liblouis, which translates text into Braille, as a free, open-source software for anyone to use. He also helped develop BrailleBlaster, which translates maps, graphics and math formulas into a format accessible to blind people.


John and I were in graduate school together (computer science, U Wisconsin - Madison). He was indeed a remarkable person. He was blind and deaf. He carried around a little mechanical Braille typewriter. To talk with John, you would type, and he would extend his hand into the device and feel the Braille impressions of what you were typing.


Mammoth 1.0.2

Filipe Espósito:

And now iOS and macOS users will have another great third-party option for accessing the social network from their devices with Mammoth, a new free client for Mastodon.


Unsurprisingly, those who have used Aviary in the past will feel quite familiar with Mammoth.

One of the main features of Mammoth is its multi-column based interface for iPad and Mac. Users can see their timeline, mentions, likes, private messages, bookmarks, and profile all on the same screen with just a scroll. The columns are customizable so that you have quick access to all the information you need.

It’s an iOS app that’s allowed to run on Apple Silicon Macs, but the developer has not verified it.


Update (2023-02-27): Shihab Mehboob:

This first App Store release is just the beginning though. We have a big appetite to make Mammoth a beautiful Mastodon app for the rest of us. We’re a small startup team with a long history in the indie dev community, deeply steeped in Apple culture, open source, and building apps used by hundreds of millions. Our focus is on the end-to-end user experience we can offer as we combine Mammoth with our server and backend work, all fully open source and building on what makes the fediverse special. And if you just want to use Mammoth with your favorite server, that should still be an awesome experience. We’re here to help the next one hundred million users join the Mastodon community. Read all about our vision here.

Bart Decrem:

A few folks have asked about our business model, our investors and why we boldly can state that Mammoth will always be free.

We have mostly decided that there will be a subscription version of Mammoth. However, we have not yet figured out the details, and we care about the details. For example, we love the part of Mastodon culture where folks are encouraged to make a donation to their server team to help cover server costs, and we’d like that to be a significant part of our subscription system (supporting servers beyond, that is), but that comes with legal issues, App Store TOS issues etc.

Bart Decrem (via Colin Devroe):

I am pleased to announce that Mozilla is our principal investor.

KextViewr 2.0


KextViewr is a utility with a simple goal: display all currently loaded kernel modules (or “kexts”). While Apple’s command-line tool kmutil can provide similar information, it’s nice to have a UI version, with filter, search, and export capabilities.


The displayed kernel extensions can be filtered using the ‘Filter Kexts’ search box, found at the top right corner of the app. Simply begin typing to filter all tasks based on their names, paths, etc. For example, typing ‘BSD’ will show only modules that contain ‘BSD’ in their name or path. KextViewr also contains special ‘hash-tag’ filters that can filter modules based on concepts such as “only system modules” (#apple) or “all non-Apple (3rd-party) modules” (#nonapple).

The new version includes an interface refresh and compatibility with newer versions of macOS.

Update (2023-02-27): Corentin Cras-Méneur:

YA great app! I used it on older Macs many times over to track old, legacy extensions that had been installed and long forgotten to get rid of them and regain some sanity!
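The name filter and the #apple / #nonapple split described above can be approximated on the command line by parsing a loaded-kext listing. This is an added example, not code from KextViewr or Objective-See: the sample rows are constructed, the column layout is an assumption about what `kmutil showloaded` prints, and classifying by the `com.apple.` bundle-ID prefix is a stand-in heuristic for however KextViewr makes that distinction.

```python
import re
import subprocess

# Constructed sample rows in the assumed `kmutil showloaded` column layout.
# Bundle IDs under example domains, versions and UUIDs are made up.
SAMPLE_LISTING = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  142 0                  0          0          com.apple.kpi.bsd (22.3.0) 00000000-0000-0000-0000-000000000001 <>
    2   11 0                  0          0          com.apple.kpi.dsep (22.3.0) 00000000-0000-0000-0000-000000000002 <>
   57    0 0xffffff7f96000000 0x5000     0x5000     com.apple.filesystems.apfs (2142.81.1) 00000000-0000-0000-0000-000000000003 <1 2>
  181    0 0xffffff7f9a000000 0x3000     0x3000     com.example.driver.LegacyAudio (1.4.2) 00000000-0000-0000-0000-000000000004 <1>
  182    1 0xffffff7f9a100000 0x8000     0x8000     org.example.BSDFilter (3.0) 00000000-0000-0000-0000-000000000005 <1 2>
"""

ROW = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>\S+)\s+(?P<size>\S+)"
    r"\s+(?P<wired>\S+)\s+(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
    r"\s+(?P<uuid>\S+)\s+<(?P<deps>[^>]*)>\s*$"
)


def parse_listing(text):
    """Parse listing rows into dicts; the header and any other lines are skipped."""
    kexts = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        kexts.append({
            "index": int(m["index"]),
            "refs": int(m["refs"]),
            "name": m["name"],
            "version": m["version"],
            "uuid": m["uuid"],
            "linked_against": [int(d) for d in m["deps"].split()],
        })
    return kexts


def filter_kexts(kexts, query):
    """Apply a hash-tag filter or a case-insensitive substring match.

    The listing carries no file paths, so only the bundle ID is searched.
    The prefix test is a heuristic: a bundle ID is self-declared, so confirm
    anything surprising against the kext's code signature.
    """
    if query == "#apple":
        return [k for k in kexts if k["name"].startswith("com.apple.")]
    if query == "#nonapple":
        return [k for k in kexts if not k["name"].startswith("com.apple.")]
    needle = query.lower()
    return [k for k in kexts if needle in k["name"].lower()]


def load_live_listing():
    """Return the live listing on a Mac (not used with the constructed sample)."""
    result = subprocess.run(["kmutil", "showloaded"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for kext in filter_kexts(parse_listing(SAMPLE_LISTING), "#nonapple"):
        print(f'{kext["index"]:>5}  {kext["name"]} ({kext["version"]})')
```
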

Friday, February 24, 2023

What Is ChatGPT Doing and Why Does It Work?

Stephen Wolfram (via Hacker News):

And the remarkable thing is that when ChatGPT does something like write an essay what it’s essentially doing is just asking over and over again “given the text so far, what should the next word be?”—and each time adding a word.


The fact that there’s randomness here means that if we use the same prompt multiple times, we’re likely to get different essays each time. And, in keeping with the idea of voodoo, there’s a particular so-called “temperature” parameter that determines how often lower-ranked words will be used, and for essay generation, it turns out that a “temperature” of 0.8 seems best.


In the first neural nets we discussed above, every neuron at any given layer was basically connected (at least with some weight) to every neuron on the layer before. But this kind of fully connected network is (presumably) overkill if one’s working with data that has particular, known structure. And thus, for example, in the early stages of dealing with images, it’s typical to use so-called convolutional neural nets (“convnets”) in which neurons are effectively laid out on a grid analogous to the pixels in the image—and connected only to neurons nearby on the grid.

The idea of transformers is to do something at least somewhat similar for sequences of tokens that make up a piece of text. But instead of just defining a fixed region in the sequence over which there can be connections, transformers instead introduce the notion of “attention”—and the idea of “paying attention” more to some parts of the sequence than others.


First, it takes the sequence of tokens that corresponds to the text so far, and finds an embedding (i.e. an array of numbers) that represents these. Then it operates on this embedding—in a “standard neural net way”, with values “rippling through” successive layers in a network—to produce a new embedding (i.e. a new array of numbers). It then takes the last part of this array and generates from it an array of about 50,000 values that turn into probabilities for different possible next tokens.


Update (2023-03-08): See also: ChatGPT Explained: A Normie's Guide To How It Works (via Hacker News).
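The loop Wolfram describes (score the possible next words, turn the scores into probabilities, pick one, append, repeat) and the effect of the “temperature” parameter can be shown at toy scale. This is an added example, not code from Wolfram’s article: the score table is constructed and, unlike a real model, it looks only at the last word and a handful of candidates rather than about 50,000 tokens.

```python
import math
import random

# Constructed toy "model": raw scores for the next word given only the last
# word. A real language model conditions on the whole text so far; this table
# is an assumption made to keep the example self-contained.
TOY_SCORES = {
    "the":  {"cat": 2.0, "dog": 1.5, "mat": 0.5},
    "cat":  {"sat": 2.5, "ran": 1.0},
    "dog":  {"ran": 2.0, "sat": 1.2},
    "sat":  {"on": 3.0, "down": 1.0},
    "ran":  {"away": 2.0, "on": 0.5},
    "on":   {"the": 3.0},
    "mat":  {".": 1.0},
    "down": {".": 1.0},
    "away": {".": 1.0},
    ".":    {"the": 1.0},
}


def next_token_probs(scores, temperature):
    """Softmax over score / temperature.

    Low temperature concentrates probability on the top-ranked word; high
    temperature flattens the distribution. Temperature 0 is treated as the
    greedy limit (all probability on the top-ranked word).
    """
    words = list(scores)
    if temperature <= 0:
        best = max(words, key=scores.get)
        return {w: (1.0 if w == best else 0.0) for w in words}
    scaled = [scores[w] / temperature for w in words]
    peak = max(scaled)  # subtract the maximum for numerical stability
    exps = [math.exp(s - peak) for s in scaled]
    total = sum(exps)
    return {w: e / total for w, e in zip(words, exps)}


def lower_ranked_mass(scores, temperature):
    """Probability that the pick is NOT the top-ranked word."""
    return 1.0 - max(next_token_probs(scores, temperature).values())


def generate(prompt, n_words, temperature, seed=0):
    """Repeatedly ask "what should the next word be?" and append the answer."""
    rng = random.Random(seed)
    text = list(prompt)
    for _ in range(n_words):
        probs = next_token_probs(TOY_SCORES[text[-1]], temperature)
        words = list(probs)
        weights = [probs[w] for w in words]
        text.append(rng.choices(words, weights=weights, k=1)[0])
    return text


if __name__ == "__main__":
    for t in (0, 0.2, 0.8, 2.0):
        share = lower_ranked_mass(TOY_SCORES["the"], t)
        print(f"T={t}: lower-ranked share after 'the' = {share:.3f}")
    for seed in range(3):
        print(" ".join(generate(["the"], 8, 0.8, seed=seed)))
```
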

Quora’s Poe

Sarah Perez (via John Gruber):

Q&A platform Quora has opened up public access to its new AI chatbot app, Poe, which lets users ask questions and get answers from a range of AI chatbots, including those from ChatGPT maker, OpenAI, and other companies like Anthropic. Beyond allowing users to experiment with new AI technologies, Poe’s content will ultimately help to evolve Quora itself, the company says.

Quora first announced Poe’s mobile app in December, but at the time, it required an invite to try it out. With the public launch on Friday, anyone can now use Poe’s app. For now, it’s available only to iOS users, but Quora says the service will arrive on other platforms in a few months.


Google’s Bard

Sundar Pichai (via John Gruber, Hacker News):

We’ve been working on an experimental conversational AI service, powered by LaMDA, that we’re calling Bard. And today, we’re taking another step forward by opening it up to trusted testers ahead of making it more widely available to the public in the coming weeks.

Bard seeks to combine the breadth of the world’s knowledge with the power, intelligence and creativity of our large language models. It draws on information from the web to provide fresh, high-quality responses. Bard can be an outlet for creativity, and a launchpad for curiosity, helping you to explain new discoveries from NASA’s James Webb Space Telescope to a 9-year-old, or learn more about the best strikers in football right now, and then get drills to build your skills.


Now, our newest AI technologies — like LaMDA, PaLM, Imagen and MusicLM — are building on this, creating entirely new ways to engage with information, from language and images to video and audio. We’re working to bring these latest AI advancements into our products, starting with Search.

Isabel Angelo (via Hacker News):

Unfortunately a simple google search would tell us that JWST actually did not “take the very first picture of a planet outside of our own solar system” and this is literally in the ad for Bard so I wouldn’t trust it yet

Jennifer Elias (via Hacker News):

Staffers took to the popular internal forum Memegen to express their thoughts on the Bard announcement, referring to it as “rushed,” “botched” and “un-Googley,” according to messages and memes viewed by CNBC.

On Monday, Google got ahead of a Microsoft event the following day and had Pichai publicly divulge some details of the company’s chatbot technology.

Paul Graham:

What happens if you take too long to launch: your product is defined by its relationship to whatever launched first.

That casual appositive phrase is worth more to Microsoft than any news story.

Nick Heer:

The original point of search engines was to be directed to websites of interest. But that has not been the case for years. People are not interested in visiting websites about a topic; they, by and large, just want answers to their questions. Google has been strip-mining the web for years, leveraging its unique position as the world’s most popular website and its de facto directory to replace what made it great with what allows it to retain its dominance. Artificial intelligence — or some simulation of it — really does make things better for searchers, and I bet it could reduce some tired search optimization tactics. But it comes at the cost of making us all into uncompensated producers for the benefit of trillion-dollar companies like Google and Microsoft.


Update (2023-03-21): Google (via Hacker News):

Join the waitlist and try it for yourself.

ChatGPT in Bing and Edge

James Vincent (Hacker News):

In demos today the company showed what it’s calling “the new Bing” working in various configurations. One of these shows traditional search results side-by-side with AI annotations (above), while another mode lets users talk directly to the Bing chatbot, asking it questions in a chat interface like ChatGPT (below).


Unlike ChatGPT, the new Bing can also retrieve news about recent events. In The Verge’s demos, the search engine was even able to answer questions about its own launch, citing stories published by news sites in the last hour.


In addition to the new Bing, Microsoft is launching two new AI-enhanced features for its Edge browser: “chat” and “compose.” These will be embedded within Edge’s sidebar.

“Chat” allows users to summarize the webpage or document they’re looking at and ask questions about its contents, while “compose” acts as a writing assistant; helping to generate text, from emails to social media posts, based on a few starting prompts.

Nick Heer:

Microsoft announced today’s event unveiling these developments midday yesterday, hours after Google announced its efforts in the space, as it has done before. I am not sure whether to read this as panic or excitement, though Meta’s caution is notable.


The big question right now is, I think, where Amazon and Apple are at internally. Are they racing to compete with Alexa and Siri? Are they maybe waiting it out to see if this is a real, exciting development, or yet more baseless hype like so many technology land rushes before it?

Noor Al-Sibai:

The lawyer also revealed, per Insider, that Amazon is developing “similar technology” to ChatGPT — a revelation that appeared to pique the interest of employees who said that using the AI to assist their code-writing had resulted in a tenfold productivity boost.

Katyanna Quach (via Hacker News, Nick Heer):

Microsoft’s new AI-powered Bing search engine generated false information on products, places, and could not accurately summarize financial documents, according to the company’s promo video used to launch the product last week.


In reality, both Microsoft’s Bing and Google’s Bard are just as bad as each other. Both companies launched shoddy AI chatbots that generated text containing false information, but Microsoft’s mistakes were not immediately caught. Now, some of its errors have been spotted by Dmitri Brereton, a search engine researcher.


Update (2023-03-28): Akash Sriram and Chavi Mehta (via Hacker News):

The integration of OpenAI’s technology into Microsoft-owned Bing has driven people to the little-used search engine and helped it compete better with market leader Google in page visits growth, according to data from analytics firm Similarweb.

Page visits on Bing have risen 15.8% since Microsoft Corp unveiled its artificial intelligence-powered version on Feb. 7, compared with a near 1% decline for the Alphabet Inc-owned search engine, data till March 20 showed.

ChatGPT Is Ingesting Corporate Secrets

Noor Al-Sibai (Hacker News, Bruce Schneier):

After catching snippets of text generated by OpenAI’s powerful ChatGPT tool that looked a lot like company secrets, Amazon is now trying to head its employees off from leaking anything else to the algorithm.

According to internal Slack messages that were leaked to Insider, an Amazon lawyer told workers that they had “already seen instances” of text generated by ChatGPT that “closely” resembled internal company data.

This issue seems to have come to a head recently because Amazon staffers and other tech workers throughout the industry have begun using ChatGPT as a “coding assistant” of sorts to help them write or improve strings of code, the report notes.

Just like you once had to pay Github to keep your repositories private, perhaps ChatGPT will let you pay not to have your inputs become part of its training data.


Update (2023-02-27): Damien Petrilli:

There is this form you can use to opt out of data training.

I did it and never got any reply. So not sure you can trust them.

It’s a Google Doc.

ChatGPT for Apple Platforms Development

Steve Troughton-Smith:

At this point, I really would appreciate a tool that just parses an Xcode SceneKit .scn scene and spits out a built-in-code representation of it. Xcode’s SceneKit editor has been a liability for years, and it exhausts all my energy to fix its compatibility issues every time I update my projects 😪 PaintCode, but for SceneKit scenes

Just had my mind blown: So I NSLogged a description of my SceneKit hierarchy for the luls and gave it to ChatGPT and told it to turn it into Swift code. Gibberish, right? Well it had NO PROBLEM figuring out what I meant, and it just did what I wanted 🤯

omg ChatGPT can parse Interface Builder XML and output code too? I just dropped my Launch Storyboard into it 😱

So I crafted a storyboard in Interface Builder (pic 1). I then took that XML, pasted it into ChatGPT, and asked it to rewrite it in SwiftUI. It gave me SwiftUI code that, with the tiniest bit of massaging, I could drop into Playgrounds to get the following app (pic 2). It did take some liberties and didn’t get it 100% correct, but it’s pretty darn close

Quentin Zervaas:

This particular screen uses SwiftUI, but off the top of my head, I wasn’t sure of the easiest way to create this typing effect. Instead of using Google or Stack Overflow, I thought this might be a good chance to try ChatGPT[…]


I didn’t love how it generated the timers - seemed a bit wasteful to create a repeating timer, only to cancel it every time, so I made a few changes.


On balance, using ChatGPT was a very useful way to mock up some working code. While some tweaks were needed for my specific application, it was ultimately a huge time saver.

• • •

Benjamin Mayo:

Better error messages for SwiftUI result builders coming soon

Michael Steeber:

honestly i just paste my code block and the error into ChatGPT now and have it explain the error. The “solution” usually doesn’t work, but it at least makes the problem clear to me


my success rate is a lot higher than stackoverflow because it understands the exact context of your specific use case, not just the error in an abstract sense of the language

• • •


I also am looking for “UNIBOX” alternative […] I asked if it’s possible to use extensions to make apple mail function better.

p.s. I asked ChatGPT: Maybe someone with more skill can just develop this plugin which turns apple mail into unibox

Scott Morrison:

Don’t believe everything (or anything) ChatGPT tells you.

I have been developing Plugins for Mail App for 20 years.

The ChatGPT response is 100% fiction.


Thursday, February 23, 2023

“Volume contains a macOS or OS X installation which may be damaged”

I was recently setting up a High Sierra test partition, and this error popped up after the installer had rebooted the Mac to complete the installation. At first, I thought it was another variant of the “This copy of the Install OS X El Capitan application can’t be verified. It may have been corrupted or tampered with during downloading” error, which indicates an expired certificate. But setting the Mac’s clock back didn’t help, and neither did downloading a fresh copy of the installer.

I eventually figured out that the destination volume, though it looked empty, contained the remnants of something. After I erased it with Disk Utility, the installation proceeded normally. I think there used to be an option to “Erase and install,” which I surely would have chosen in a situation like this where I was trying to create a clean system for testing, but with no such option presented that possibility was not top of mind.



Nodetics (via Jason Pester):

With Feedbro you can read RSS, Atom and RDF feeds and thanks to built-in integration also content from Facebook, Twitter, Instagram, VK, Telegram, Rumble, Yammer, YouTube Channels, YouTube Search, LinkedIn Groups, LinkedIn Job Search, Bitchute, Vimeo, Flickr, Pinterest, Google+, SlideShare Search, Telegram, Dribbble, eBay Search and Reddit.

Apparently, like Nitter, it can read Twitter without using the API. So it’s a potential alternative to using the Web site if Twitter does follow through on cutting off the remaining apps. It only seems to work for public accounts, though. Feedbro is implemented as extensions for Firefox and Chrome-based browsers; there’s no support for Safari.


Wi-Fi Sync Spyware


There is a little-known feature on all iOS devices called ‘WiFi Sync’, which essentially allows for a backup of the device to regularly be downloaded onto a nearby computer over a WiFi connection.


Unfortunately, this ease of set up and lack of maintenance makes it the perfect target for spyware providers and cyberstalkers. The solution offered by spyware providers requires the stalker to have access to their target device to set the connection up, but after that the target device will provide a full backup to a computer using the same WiFi network. An application on the computer then reads the backup and packages up all the information into a clear report for the stalker.

Nothing needs to be installed onto the phone itself, which makes it very difficult to detect. As far as the phone is concerned, it is just performing a routine backup.


Historically you could perform a simple check in the Settings app on the phone to see if WiFi Sync was enabled (and therefore if you may be a victim of this type of spyware). It would even display the name of the computer that your iOS device was set up to sync with. However, in iOS 13 and all subsequent updates, Apple has removed this information from the Settings app, making it extremely difficult to tell if it is enabled.

Via Nick Heer:

It is also not new — the vulnerabilities of Wi-Fi syncing have been known since at least 2018.

That information does little to ameliorate these abuses, however.


The only way to know if an iPhone has Wi-Fi syncing turned on is by checking in Finder on the trusted Mac, or in iTunes on a Windows PC. If Apple is not retiring this feature, it should be possible to see if an iPhone has Wi-Fi syncing enabled on the phone itself.


macOS 13.2.x and Recovery, a Sad Tale

Robert Hammen:

Apple’s latest updates to macOS Ventura can lead to your FileVault-encrypted Mac booting into Recovery, and, potentially, prompts to enter one or more of […]


As far as what’s happening, without having intimate knowledge (and logs/bug reports), it’s difficult to say exactly, but it seems to revolve around a failure to perform something like an authenticated restart (i.e. restart and unlock the encrypted boot drive without prompting the user). When this fails, macOS falls back to boot to Recovery for authentication/disk unlock.


Apple does not make public statements about bugs/issues. Privately, they’ve indicated that they’re aware of this situation, and have asked for further details (some diagnostic steps below). For now, the recommended workaround is to:

  1. Restart your Mac
  2. Within 30 minutes of restarting, install the update(s)

I’m still having Ventura updates not show up in System Settings. I need to install them using softwareupdate --install --recommended, and with the 13.2.1 update I also needed to add --restart or the command would get stuck after downloading the update.


Speeding Up Scanner in Swift

My first tip goes back to when I started using NSScanner in the Puma days. In short, you should never call scanCharacters(from:into:) in a loop because every time it’s called it creates an inverted copy of the character set. It then delegates to NSString.rangeOfCharacter(from:options:range:), passing that copy. The documentation contains the cryptic comment:

Using the inverse of an immutable character set is much more efficient than inverting a mutable character set.

But my experience is that it’s not fast with immutable character sets, either. It seems like there should be an NSCharacterSet subclass that flips the membership of another object. Then each character set could store its own inverse with minimal overhead and just return the same one each time. But there’s apparently no such optimization, so I recommend calling inverted yourself, storing the result, and then using scanUpToCharacters(from:into:), which will then use the character set unchanged.

Even this is very slow when calling from Swift, though. Whenever you call scanUpToCharacters(from:into:) with a CharacterSet, it calls CharacterSet._bridgeToObjectiveC(), which calls __CFCharacterSetCreateCopy(), which again makes an expensive copy. (I have been doing a lot of profiling but somehow didn’t notice this until Ventura, so I wonder whether something changed there.) In any case, currently CharacterSet does not bridge efficiently like Data and String do.

My first try at working around this was to do the bridging up front:

let fast = characterSet as NSCharacterSet

and then pass the same NSCharacterSet, which should bridge cheaply, each time. But this didn’t help.

What did work was to create an NSCharacterSet directly:

let fast = NSCharacterSet(bitmapRepresentation: characterSet.bitmapRepresentation)

With that change, the bridging overhead goes away. Scanner is still not particularly fast, though. Maybe this will improve with the forthcoming Swifty Foundation, or I may end up writing a replacement for just the few cases that I need that works directly on Swift strings.
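A timing harness for the two tips above, added here as an example and not code from the original post. The sample text, the function names and the `as CharacterSet` casts are assumptions; it prints timings so the difference can be checked on a given macOS version.

```swift
import Foundation

// Constructed sample input: alternating runs of letters and digits.
let sample = String(repeating: "abc123", count: 50_000)

let letters = CharacterSet.letters

// Tip 1: invert once and keep the result, instead of letting
// scanCharacters(from:into:) build an inverted copy on every call.
let nonLetters = letters.inverted

// Tip 2: create the NSCharacterSet objects directly from the bitmap.
// Assumption: the cast back to CharacterSet (which the Swift signature
// requires) wraps the same NSCharacterSet instead of copying it.
let fastLetters = NSCharacterSet(bitmapRepresentation: letters.bitmapRepresentation) as CharacterSet
let fastNonLetters = NSCharacterSet(bitmapRepresentation: nonLetters.bitmapRepresentation) as CharacterSet

// Baseline: scanCharacters(from:into:) in a loop with plain CharacterSets.
// (These Scanner methods are deprecated since macOS 10.15; they still
// compile, with warnings, and are the ones the post measures.)
func countRunsSlow(in text: String) -> (runs: Int, characters: Int) {
    let scanner = Scanner(string: text)
    scanner.charactersToBeSkipped = nil
    var run: NSString?
    var runs = 0
    var characters = 0
    while !scanner.isAtEnd {
        if scanner.scanCharacters(from: letters, into: &run) {
            runs += 1
            characters += run?.length ?? 0
        }
        // Consume whatever separates this run from the next one.
        _ = scanner.scanCharacters(from: nonLetters, into: nil)
    }
    return (runs, characters)
}

// Same scan using both tips: scanning "up to the first non-letter" yields
// the same run of letters, and the sets passed in are created only once.
func countRunsFast(in text: String) -> (runs: Int, characters: Int) {
    let scanner = Scanner(string: text)
    scanner.charactersToBeSkipped = nil
    var run: NSString?
    var runs = 0
    var characters = 0
    while !scanner.isAtEnd {
        if scanner.scanUpToCharacters(from: fastNonLetters, into: &run) {
            runs += 1
            characters += run?.length ?? 0
        }
        _ = scanner.scanUpToCharacters(from: fastLetters, into: nil)
    }
    return (runs, characters)
}

// Runs one variant and prints how long it took.
func measure(_ label: String, _ body: () -> (runs: Int, characters: Int)) -> (runs: Int, characters: Int) {
    let start = Date()
    let result = body()
    let elapsed = String(format: "%.3f", Date().timeIntervalSince(start))
    print("\(label): \(result.runs) runs, \(result.characters) characters in \(elapsed) s")
    return result
}

let slow = measure("scanCharacters, CharacterSet") { countRunsSlow(in: sample) }
let fast = measure("scanUpToCharacters, NSCharacterSet from bitmap") { countRunsFast(in: sample) }

// Both variants must tokenize the input identically.
precondition(slow == fast, "the two scans disagree")
```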


Update (2023-02-24): Another point to be aware of is that the documentation implies that the caseSensitive option applies to scanCharacters(from:into:), and scanCharacters(from:into:) does actually pass the option into NSString.rangeOfCharacter(from:options:range:), but NSString.rangeOfCharacter(from:options:range:) is documented to ignore that flag, and in fact it does. So caseSensitive only actually applies to the Scanner methods that take strings.

Rhys Morgan:

swift-parsing from @pointfreeco is a really good library that’s usually faster than Foundation’s Scanner!

Update (2023-03-10): Jonathan Wight:

(NS)Scanner is truly one of the most under appreciated features of Foundation. I use it whenever I need to do structured parsing of text when a simple regex isn’t appropriate (or even possible).

But why limit your Scanning to just Strings?

Here’s my CollectionScanner that can scan any collection of arbitrary elements. Useful if you need to process arrays of data that aren’t necessarily Strings.

Indeed, I’ve found it really useful to have a Data scanner.

Wednesday, February 22, 2023

The Making of Ice Cubes

Thomas Ricouard:

With Mastodon it was time, I could finally make my own social network app, and with iOS 16 and all the great new SwiftUI API that came with it, it was the perfect timing.


The pinning and reading remote timelines feature was shipped as part of the initial release, and I received positive feedback about it every day. I know I’m not the first to do it, as other apps were already doing it before. However, making it a core feature and placing it in front of the user, on top of being easy to use, really helped raise awareness about it quite a lot.


The packages are split by domains and features. There is very little code in the app itself; everything is self-contained in its own package. This makes it easier to test (even if, for now, there are barely any tests) and faster to work at the package level with SwiftUI previews, faster build times, and so on.


It has one main view, one view model, and then it’s composed of small, targeted subviews. […] The idea is to connect and do the minimum amount of update possible in those subviews to keep updates while scrolling at the minimum (actually next to none in the case of scrolling a list of statuses). This played a big part into improving performances while scrolling the timeline in the 1.5.X versions of the app.

The repo is here.


The Story Behind Apple’s Newton

Tom Hormby (in 2010, via Dave Mark):

Steve Jobs hired Sakoman in 1984 to help work on a laptop version of the Macintosh after the successful release of the HP Portable. When Jobs left Apple, these laptop plans were scrapped, and Sakoman helped lead the teams creating the Mac Plus, Mac SE, and Mac II.

He found the work uninteresting, however. He wanted to leave Apple to work on handheld computers, and he recruited Jean Louis Gassée to lead a brand new company that would be bankrolled by Lotus founder, Mitch Kapor. The plan fell through, since it appeared that Apple would probably sue the nascent company.

To keep the talented Sakoman from defecting, Gassée proposed creating a skunk works project to create an Apple handheld computer. Gassée got permission to start the project from Sculley (without telling him what was being researched), and Sakoman set to work.


Sakoman’s end goal for Newton was to create a tablet computer priced about the same as a desktop computer. It would be the size of a folded A4 sheet of paper and would have cursive handwriting recognition and a special user interface.

However, they ended up focusing on the smaller and cheaper Junior model.

Solving Common Problems With Kubernetes

Adam Chalmers (via Jim Rea):

My computer science degree had taught me all about algorithms, data structures, type systems and operating systems. It had not taught me about containers, or ElasticSearch, or Kubernetes. I don’t think I even wrote a single YAML file in my entire degree.


This article is aimed at engineers who need to deploy their code using Kubernetes, but have no idea what Kubernetes is or how it works. I’m going to tell you a story about a junior engineer. We’re going to follow this engineer as they build a high-quality service, and when they run into problems, we’ll see how Kubernetes can help solve them.


Kubernetes exists to solve one problem: how do I run m containers across n servers?

Its solution is a cluster. A Kubernetes cluster is an abstraction. It’s a big abstract virtual computer, with its own virtual IP stack, networks, disk, RAM and CPU. It lets you deploy containers as if you were deploying them on one machine that didn’t run anything else. Clusters abstract over the various physical machines that run the cluster.

Why Not a Smaller MacBook, Too?

Dan Moren:

Once upon a time, Apple offered its lightest notebook in two sizes: the 13-inch it sells today and a smaller 11-inch model. Alas, only the good die young, and the 11-inch Air was discontinued in 2019—the same year that Apple discontinued its other small laptop (and putative Air replacement), the 12-inch MacBook.

Nowadays, the smallest Mac laptop you can get is that 13-inch Air and while it’s shrunk down to be a bit closer to the 11-inch in many dimensions, it’s still larger and heavier than both of those discontinued models—and that’s a shame, because a small, light laptop has a lot going for it.

To me this is the biggest surprise of the Apple Silicon transition. A lot of people expected something like this right out of the gate. Aside from the butterfly keyboard, the knock against the 12-inch MacBook was that it was too slow. The M1 processor, or even one of the recent A-series ones, would seem to be the solution. Apple kept saying that making their own processors would let them make Macs that were not possible with Intel. Yet, after years of 11- and 12-inch MacBooks with Intel processors, we’ve seen two generations of Apple Silicon MacBook Airs that start at 13 inches.


The Limits of Computational Photography

Will Yager:

Every time I tried to take a picture of the engraved text, the picture on my phone looked terrible! It looked like someone had sloppily drawn the text with a paint marker. What was going on? Was my vision somehow faulty, failing to see the rough edges and sloppy linework that my iPhone seemed to be picking up?


Well, I noticed that when I first take the picture on my iPhone, for a split second the image looks fine. Then, after some processing completes, it’s replaced with the absolute garbage you see here.


Significantly more objectionable are the types of approaches that impose a complex prior on the contents of the image. This is the type of process that produces the trash-tier results you see in my example photos. Basically, the image processing software has some kind of internal model that encodes what it “expects” to see in photos. This model could be very explicit, like the fake moon thing, an “embodied” model that makes relatively simple assumptions (e.g. about the physical dynamics of objects in the image), or a model with a very complex implicit prior, such as a neural network trained on image upscaling. In any case, the camera is just guessing what’s in your image. If your image is “out-of-band”, that is, not something the software is trained to guess, any attempts to computationally “improve” your image are just going to royally trash it up.

Via Nick Heer:

This article arrived at a perfect time as Samsung’s latest flagship is once again mired in controversy over a Moon photography demo. Marques Brownlee tweeted a short clip of the S23 Ultra’s one-hundredfold zoom mode, which combines optical and digital zoom and produces a remarkably clear photo of the Moon. As with similar questions about the S21 Ultra and S22 Ultra, it seems Samsung is treading a blurry line between what is real and what is synthetic.


Another reason why it is so detailed is also because Samsung specifically trained the camera to take pictures of the Moon, among other scenes.


Update (2023-03-14): ibreakphotos (MacRumors):

So, while many have tried to prove that Samsung fakes the moon shots, I think nobody succeeded - until now.


The moon pictures from Samsung are fake. Samsung’s marketing is deceptive. It is adding detail where there is none (in this experiment, it was intentionally removed). In this article, they mention multi-frames, multi-exposures, but the reality is, it’s AI doing most of the work, not the optics, the optics aren’t capable of resolving the detail that you see.

Via John Gruber:

Have to say I’m surprised both Raymond Wong and Marques Brownlee were taken in by this. These “amazing” moon photos seem impossible optically, and, more tellingly, no one is able to get these Samsung phones to capture similarly “amazing” 100× zoom images of random objects that aren’t the moon.

It’s strange, since Brownlee’s words are that “It’s not an overlay,” but then he references the Huawei controversy, where it was established that the details came from an ML model rather than a bitmap overlay. So he knows that Samsung might be doing the same thing yet seems to assume it’s just a great lens.

Nick Heer:

Samsung has explained how its camera works for pictures of the Moon, and it is what you would probably expect: the camera software has been trained to identify the Moon and, because it is such a predictable object, it can reliably infer details which are not actually present. Whether these images and others like them are enhanced or generated seems increasingly like a distinction without a difference in a world where the most popular cameras rely heavily on computational power to make images better than what the optics are capable of.

Update (2023-03-16): Samsung (via Hacker News):

As part of this, Samsung developed the Scene Optimizer feature, a camera functionality which uses advanced AI to recognize objects and thus deliver the best results to users. Since the introduction of the Galaxy S21 series, Scene Optimizer has been able to recognize the moon as a specific object during the photo-taking process, and applies the feature’s detail enhancement engine to the shot.

When you’re taking a photo of the moon, your Galaxy device’s camera system will harness this deep learning-based AI technology, as well as multi-frame processing in order to further enhance details.

Update (2023-03-21): John Gruber:

There’ve been a couple of follow-ups on this since I wrote about it a few weeks ago. Marques Brownlee posted a short video, leaning into the existential question of the computational photography era: “What is a photo?” Input’s Ray Wong took umbrage at my having said he’d been “taken” by Samsung’s moon photography hype in this Twitter thread.

Samsung’s phones are rendering the moon as it was, at some point in the past when this ML model was trained.

And that’s where Samsung steps over the line into fraud. Samsung, in its advertisements, is clearly billing these moon shots as an amazing feature enabled by its 10× optical / 100× digital zoom telephoto camera lens. They literally present it as optically superior to a telescope. That’s bullshit. A telescope shows you the moon as it is. Samsung’s cameras do not.

Tuesday, February 21, 2023

Scam Authenticator App Steals QR Codes

Ben Lovejoy:

Twitter’s latest bonehead move has led to a flurry of scam authenticator apps, with at least one of them using App Store advertising to figure prominently in search results – and then sending all scanned QR codes to the developer’s analytics service.


Developer and security researcher Mysk quickly spotted a whole bunch of suspiciously-similar apps, all of which demand an in-app subscription purchase in order to scan QR codes.


At least one of these tries to force you to subscribe even if you tap the close box.

Not only were a dozen of these apps approved by App Review, but they’re also promoted by App Store search ads. The point is not that Apple should have caught this but that, in general, they can’t, so they should not be claiming to keep you safe. Apple’s ads and store and illusion of safety make it more likely for people to get themselves into trouble vs. somehow discovering and trusting an unknown authenticator app on a random Web site.

Via Jeff Johnson, whose app was recently rejected:

This screenshot wasn’t taken by App Store review though; it’s one of my own App Store screenshots! In fact it’s not even a new screenshot, as you can see from the date “Sat Oct 2”, but just an old screenshot carried forward from an earlier version of StopTheScript (in the App Store since October 2021). As I said, nothing changed in the new version except the launch screen.


App Store Review should know how to use Safari extensions, and understand the Safari permissions system, since they review Safari extensions, right?


Update (2023-02-23): Mysk:

One of the sketchy authenticator apps

Website: A Google Docs form
Privacy policy: A Google Docs page
Ratings: 4.9/5

App Review team: Spotify’s new audiobooks offering breaks the rules governing how developers may communicate with customers


These two scam authenticator apps are very similar. Their binaries clearly show that they’re clones. It’s funny that their support links redirect to the same Google Docs form 🤦‍♂️. They’re published by two different registered businesses. Both apps are now removed ✌️

Update (2023-02-27): Mysk:

Many iPhone users are asking us to recommend safe authenticator apps. Well, the App Store is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app.

Paul Ducklin:

When we tried searching on the App Store, for example, our top hit was an app with a description that bordered on the illiterate (we’re hoping that this level of unprofessionalism would put at least some people off right away), created by a company using the name of a well-known Chinese mobile phone brand.

Given the apparent poor quality of the app (though it had nevertheless made it into the App Store, don’t forget), our first thought was that we were looking at out-and-out company name infringement.

We were surprised that the presumed imposters had been able to acquire an Apple code signing certificate in a name we didn’t think they had the right to use.

We had to read the company name twice before we realised that one letter had been swapped for a lookalike character, and we were dealing with good old “typosquatting”, or what a lawyer might call passing off – deliberately picking a name that doesn’t literally match but is visually similar enough to mislead you at a glance.

Fines As a Security System

Chris Hulls:

What happened is that the thief who took Lyndsey’s bike got an alert that proactively told her an AirTag was following her location. And, after Apple’s most recent firmware update (December 2022), the thief could even use the precision finding feature to find the exact location — down to the inch — where the tag was hidden.

This feature was designed solely to prevent stalking so that victims of stalkers could identify if an unknown AirTag was following them. So there is no anti-theft feature built into AirTags, and the anti-stalking feature could worsen the already increasing theft issue.

Juli Clover (Hacker News):

AirTag competitor Tile today announced a new Anti-Theft Mode for Tile tracking devices, which is designed to make Tile accessories undetectable by the anti-stalking Scan and Secure feature.


To prevent stalking with Anti-Theft Mode, Tile says that customers must register using multi-factor identification and agree to stringent usage terms, which include a $1 million fine if the device ends up being used to track a person without their consent.

Bruce Schneier:

Interesting theory. But it won’t work against attackers who don’t have any money.


My complaint about the technical solutions is that they only work for users of the system. Tile security requires an “in-app feature.” Apple’s AirTag “notifies iPhone users.” What we need is a common standard that is implemented on all smartphones, so that people who don’t use the trackers can be alerted if they are being surveilled by one of them.

Chris Hulls:

Life360/Tile CEO. I came up with this idea, not our lawyers, as they would be the first to say it is unclear how enforceable this is. But what IS clear, is that based on our new TOS, and because this is opt-in, we definitely could take a flyer in court, and who knows?

Do you want us to unleash millions of dollars of lawyers on you? I don’t think many people will want to find out. I genuinely believe this plus ID scanning will be a huge deterrent. Stalkers will go buy $30 real time stealth GPS trackers on Amazon instead.


Fake Uber Eats Delivery From Apple Store

Joe Rossignol:

The latest cautionary tale was shared this week by a Reddit user in California, who claimed that the iPhone 14 Pro Max and Apple Watch Ultra they ordered through Apple’s online store with same-day delivery was falsely marked as delivered by the Uber Eats driver assigned to deliver the order. The customer contacted Apple’s customer service team, but claimed that Apple ultimately declined to offer a refund for the $2,098 purchase, despite the customer having video evidence of waiting outside for the delivery at the address provided.


The customer said they were informed by Apple that “our carrier has completed the requested investigation, and no further action will be taken by Apple.”


The underlying issue appears to be that Apple and its courier partners like Uber have inadequate measures in place to prove that an order was actually delivered, leaving the burden of proof on the customer in incidents where theft may have occurred.


In an update to their Reddit post today, the customer from California claims that a member of Apple’s leadership team contacted them and agreed to issue a full refund for the cost of the items.

Going to the press…


Google Gives Apple a Cut of Chrome iOS Search Revenue

We’ve known that Google pays Apple billions for Google searches from Safari, but I had missed that Google is also paying for searches made through Chrome.

Bloomberg (in 2020, via Chance Miller):

Apple also gets a slice of revenue from searches made through some of Google’s own apps, such as Chrome, installed on iPhones, iPads, and Macs[…]

Thomas Claburn:

This is one of the aspects of the relationship between the two tech goliaths that currently concerns the UK’s Competition and Markets Authority (CMA).


The British competition watchdog is worried that Google’s payments to Apple discourage the iPhone maker from competing with Google. Substantial payments for doing nothing incentivize more of the same, it’s argued.

This perhaps explains why Apple, though hugely profitable, has not launched a rival search engine or invested in the development of its Safari browser to the point that it could become a credible challenger to Chrome.

See also: MacRumors and Hacker News.


Web Push for Web Apps on iOS and iPadOS

Brady Eidson and Jen Simmons (Hacker News):

Today also brings the first beta of Safari 16.4. It’s a huge release, packed with over 135 features in WebKit — including RegExp lookbehind assertions, Import Maps, OffscreenCanvas, Media Queries Range Syntax, @property, font-size-adjust, Declarative Shadow DOM, and much more.


Now with iOS and iPadOS 16.4 beta 1, we are adding support for Web Push to Home Screen web apps. Web Push makes it possible for web developers to send push notifications to their users through the use of Push API, Notifications API, and Service Workers all working together.

A web app that has been added to the Home Screen can request permission to receive push notifications as long as that request is in response to direct user interaction — such as tapping on a ‘subscribe’ button provided by the web app. iOS or iPadOS will then prompt the user to give the web app permission to send notifications. Once allowed, the user can manage those permissions per web app in Notifications Settings — just like any other app on iPhone and iPad.


In iOS and iPadOS 16.4 beta 1, third-party browsers can now offer their users the ability to add websites and web apps to the Home Screen from the Share menu.

John Gruber:

Push notifications are foremost, but a lot of longstanding feature requests for web apps are being added with this release. […] It’s impossible to say whether increased regulatory scrutiny has changed Apple’s priorities regarding iOS’s support for web apps, but it sure seems like a factor.

Jack Wellborn:

While I no longer think embracing PWAs might ease regulatory pressure, my take that Apple should embrace PWAs as a way to control the experience is aging quite nicely.


Update (2024-05-03): Brian Lovin:

You can spend all the time you want building a PWA, but at the end of the day, push notifications will just randomly stop delivering until the app is re-opened.

Apple went halfway.

Monday, February 20, 2023

Skipping Export of Some Contacts

Miles Wolbe:

Some contacts would not export to vCard from, instead exhibiting the following behavior:

  • when clicked and dragged alone, the resulting file, “Contact.vcf”, was zero KB

  • when clicked and dragged with unaffected contact(s), affected contact(s) would be skipped

  • when exported via File → Export → Export vCard…, affected contact(s) would be skipped if combined with unaffected contact(s), while no output would be produced if only affected contact(s) was/were selected.

This has the potential for data loss since, with a mixed selection, it will look like the contacts were exported. You would have to check the counts to realize the export was only partial. He was able to work around this using Automator.


Bing Search API Pricing Increase

Steve Bennett (Hacker News):

Today, Microsoft has announced that it will be raising the costs for developers utilising the Bing Search API starting from 1st May 2023, and the rise is quite substantial in a move that shows some similarities to what Twitter has recently announced.


You can find the full pricing model below. However, Microsoft has not gone out of its way to emphasise the differences between the previous and new models, which is not surprising given that some tiers have increased by 1000 percent.

This sounds like a problem for DuckDuckGo and other search engines that rely on Bing, unless they have special long-term deals.


Meta Verified and Twitter Blue

Mark Zuckerberg (Hacker News):

[This] week we’re starting to roll out Meta Verified -- a subscription service that lets you verify your account with a government ID, get a blue badge, get extra impersonation protection against accounts claiming to be you, and get direct access to customer support. This new feature is about increasing authenticity and security across our services. Meta Verified starts at $11.99 / month on web or $14.99 / month on iOS.

Juli Clover:

Meta also plans to make the same verification process available on Instagram, but separate subscriptions will be required for each platform, so an individual or business that wants to be verified on both Facebook and Instagram will need to pay separate subscription fees.

Instagram and Facebook are monetized through advertising at the current time, but changes like Apple’s App Tracking Transparency can make ads an unreliable revenue stream. Subscription payments will give Facebook a steady monthly income.

Elon Musk:

Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages

Eric Priezkalns (via Hacker News):

Having seen plenty of evidence about the revenue-generating schemes operated by dodgy telcos, and their symbiotic relationship with criminals both inside and outside of their companies, it comes as no surprise that an organization like Twitter would be targeted for an abuse of this nature. What is surprising is that the previous management were so ignorant, idle or incompetent that they did nothing about it. Twitter made a loss of USD221mn in 2021, which was significantly less than the previous year, but still large enough to question why USD60mn of fraud would be tolerated.


As a Twitter Blue subscriber, you can add another layer of protection to your account with access to two-factor authentication via SMS.


Twitter Blue subscribers who joined for $7.99 on iOS will be notified by Apple that their subscription will be automatically renewed for $11/month (or your local pricing) unless they choose to cancel their subscription.

Web pricing remains $8/month. These, along with YouTube Premium and Epic Direct Payment, are probably the highest profile examples of passing IAP fees on to the customer.

Dare Obasanjo:

After App Tracking Transparency (ATT), every major social app is now charging for features and Apple gets a cut on iOS.

Ricky Mondello:

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.


People who don’t use password manager software — and that’s a lot of people — almost always reuse the same passwords across the services they use. For many of them, SMS 2FA provides value, despite its flaws. Making a person’s weak or reused password not sufficient to gain access to their accounts is genuinely good, even if a very motivated attacker could compromise the SMS channel or phish the one-time code.

So, offering e-mail 2FA as an alternative would perhaps not be as secure as you might think. On the other hand, it’s easier to use than authenticator apps. By not supporting e-mail, some users will end up without 2FA. But, given the choice, others would pick e-mail over an app and end up less secure.

On iOS, time-based one-time code generation is built into the operating system. No “authenticator app” is required to install.


Update (2023-02-21): Matt Sephton:

I was using SMS based 2FA only because the autofill experience is so much better, at least on iOS. The number appears over the keyboard, you tap it, done.

iOS 2FA (or other 2FA apps) don’t autofill as easily, they require more steps: worse user experience.


Friday, February 17, 2023

iOS Betas Tied to Apple ID

Filipe Espósito (MacRumors):

Whereas previously installing an iOS beta required a special profile, that process will now be tied to the developer’s Apple ID.


“Your iPhone or iPad must be signed in with the same Apple ID you used to enroll in the Apple Developer Program in order to see this option in Settings.”

This is touted as making it easier for developers to install betas, since they can just go to the new Beta Updates menu in Software Update, without having to install a configuration profile. However, it seems like this will cause problems since many people use a separate Apple ID only for development, with their apps and iCloud data owned by a different Apple ID.


Update (2023-02-17): Rob Jonson:

This is nuts. Of course my company Apple ID (which purchases the developer program) isn't the same as my personal id...


This reminds me of when Apple started requiring 2FA for developer Apple ID accounts. It was initially clunky to add a second iCloud developer account on your personal account’s iPhone (for the 2FA codes), but then it got easier and better. Hopefully they will come around on this.

Or maybe it will use that same system, which many developers have already set up. I had forgotten about that, and didn’t see it in Settings anymore. It turns out that now, instead of adding the developer Apple ID under Settings ‣ Passwords & Accounts, you are supposed to go to Settings ‣ Mail ‣ Accounts ‣ Add Accounts ‣ iCloud.

Homecoming for Mastodon 2.0

Jeff Johnson:

As before, when you’re viewing a Mastodon page in another instance, clicking the extension icon in Safari’s toolbar opens that page in your own instance. On the other hand, when you’re viewing a Mastodon page in your own instance, clicking the extension icon in Safari’s toolbar opens that page in the original instance.


Returning to motivation, why would you want to open a Mastodon page in its original instance when you’re already reading it in your instance? The answer is that a Mastodon instance is a kind of island. It can only show you the data stored locally. Unlike a centralized network such as Twitter or Facebook, Mastodon is decentralized and distributed: no individual instance has a copy of all the data encompassing the federation of Mastodon, only a subset of the data. Every Mastodon instance has gaps in its data, blind spots. An instance stores all of the posts of its local accounts, and it downloads new posts of anyone followed by its local accounts, as notified by the ActivityPub protocol, but your instance doesn’t download old posts from other instances. This is why when you view someone else’s account profile in your instance, you might not see their older posts (unless someone else on your own instance was already following that account).

The data gaps are especially problematic on smaller Mastodon instances with fewer accounts, because on a smaller instance it’s less likely that another account on your instance was already following someone you’re interested in.

This is a great new feature, since the built-in Open original page menu command is not in a convenient location. It’s also useful for finding the RSS feed of a user.

Unfortunately, there is no way to assign keyboard shortcuts to extension buttons in Safari. So I wrote an AppleScript to click the button:

tell application "System Events"
    tell application process "Safari"
        set _items to entire contents of toolbar 1 of window 1
        repeat with _item in _items
            if _item's class is button and _item's description is "Homecoming for Mastodon" then
                click _item
            end if
        end repeat
    end tell
end tell

and used FastScripts to assign the script a keyboard shortcut.

Unfortunately, the script has yet to work for me when run from FastScripts, even though I gave Accessibility access to both FastScripts and FastScripts Script Runner. It always fails with:

Error Number: -1719

System Events got an error: Can’t get toolbar 1 of window 1 of application process "Safari". Invalid index.

I assume this is some sort of TCC issue since the script sometimes works from Script Debugger but sometimes fails with a similar error.


Update (2023-02-21): Jeff Johnson:

Homecoming for Mastodon version 2.1 is now available in the Mac App Store.

What’s New: Control-Command-M keyboard shortcut!

Creating a Personal Mastodon Instance

Jim Carroll:

People also need to understand they can do their own instance and avoid all this server migration stuff in their Mastodon home going down or becoming unstable.

Having a domain-name-related instance that belongs to you negates any of the down-the-road hassles of migrating. Also, your Mastodon handle today might look like a Hotmail or AOL address down the road.


Also, I control the configuration - so my software is up to date, and my character count is set at 1,500, though I rarely use that.

He’s written up the details here. It seems like this should be the “right” thing to do, but at the moment I don’t want to be responsible for the hosting and maintenance. Also, the user experience (with the Web interface) is definitely better when interacting with people who are on the same instance. Otherwise, various actions require extra clicks, and sometimes posts don’t auto-load.

I assume that hosting and migration will get easier in the future, so I don’t feel too bad about starting out with a shared instance. And having the posts partitioned between two instances makes less of a difference when there’s no full searching, anyway.

Adam Chandler:

4 Weeks of usage history running my own Mastodon instance. Following about 45 people and followed by 25 with a few photos. Media Storage is something you should be aware of if running your own server. Your instance will cache media from the federated timeline and people you follow. There are admin server settings for media retention which I set to 2 days. My toots and media are not purged (although you can enable that).


Finding Open Files

Sveinbjörn Þórðarson (Hacker News):

Sloth is a native Mac app that shows all open files and sockets in use by all running processes on your system. This makes it easy to inspect which apps are using which files and sockets.

It’s open-source.

See also: What’s Open and lsof.


Thursday, February 16, 2023

macOS 11.7.4

Juli Clover (full installer):

Today’s update addresses an ongoing issue with Safari icons. The Big Sur 11.7.3 update introduced a bug that prevented icons from showing up in the Safari Favorites section. Spaces where icons normally appear were blank, making it difficult to see which sites are in the Favorites section at a glance.

Alas, the blank icons bug in Ventura remains unfixed.


Update (2023-02-21): Jeff Johnson:

Safari 16.3.1 on Big Sur 11.7.4 fixed the missing extension icons, but it still hasn't fixed the missing pane in the extensions preferences.

Adding Contacts Without Entitlements

David Kopec:

For one-off contact additions, there’s a simpler way that requires none of that. The idea is basic: you create a contact, save it in vCard format, and then ask the operating system to open the vCard file in the Contacts app. When the Contacts app opens, it will ask the user if they really want to add the contact. This requires no entitlements (even if you’re using the note field), no authorization, and even works in a sandboxed app.


It works, but you might say, what about that note field? If you add a note property to your CNMutableContact you will notice it is silently dropped when the contact is added to the address book. This has nothing to do with the note special entitlement. It turns out CNContactVCardSerialization does not have support for either images or the note field. You can easily add both of these back. A Stack Overflow post provides some code showing how to do so.


When working on a new version of my macOS app Restaurants, I came across the note field entitlement requirement. I submitted a request to Apple using their online form to have access to the entitlement and a week later I was rejected for my request being too vague. Fair enough, it’s their sandbox, and they have the right to reject me for being too vague. But waiting so long to get an answer was frustrating and adding contacts requires a lot of ceremony.


Choosing and Switching Mastodon Instances

Jeff Johnson:

Does it matter which Mastodon instance you choose? I’ve seen many people claim that it doesn’t matter, and moreover that you can easily switch instances. I learned the hard way that this claim is unwarranted, a disservice to new Mastodon users. Your choice of instance is important, indeed crucial. Until yesterday I was on, a Mastodon instance with well over 4000 active users according to its server stats. Yesterday morning I woke to a “frozen” timeline. […] It turned out that my own experience was far from unique: looking at the federated timeline of, at a certain point all posts from other Mastodon instances stopped, leaving only posts from local users.


When you move from one Mastodon instance to another, you can export your follows, lists, account mutes, account blocks, domain blocks, and bookmarks from your old instance and import them on the new instance. But you can’t bring your posts with you! Your posts remain with your account on the old instance, which becomes inactive after you move, so you can no longer edit or delete those posts, though you can delete the account entirely. You also lose access to your direct messages: when your account becomes inactive, you can’t even read your old DMs anymore. You can request an archive of your data from your server, which I did before moving instances. However, this process has not yet completed.


Other parts of your account cannot be migrated via export and import. You need to manually recreate your profile, including avatar, header, bio, and metadata. You need to reset your preferences. You need to recreate your filters!

Jeff Johnson (Mastodon):

After 6 days of breakage, and 6 days of no word from the instance administrator, an automated email arrived yesterday from stating that my archive was ready for download. […] Moreover, later that day my followers finally transferred automatically to my new instance, a process that, again, was initiated 6 days prior.


According to the Mastodon Server Covenant, “All Mastodon servers we link to from our server picker commit to the following… At least one other person with emergency access to the server infrastructure”. Nonetheless, Join Mastodon is actually where I found back in December, when the covenant had the exact same language, and there’s no sign that or has an emergency backup admin, otherwise the outage wouldn’t have lasted for 6 days. Thus, it appears Mastodon doesn’t follow its own server covenant. Caveat emptor!


I remain on Mastodon now, despite the dismaying experience of the past week, not because I’m committed, not because Mastodon is great, but because the people I know happen to be on Mastodon. The same reason I was on Twitter. It’s too bad that both services turned out to be disasters.

Dr. Drang:

I switched Mastodon instances recently. I started on back in 2018 and moved to for a couple of reasons:

  1. I’d been hearing negative things (mainly from Anil Dash, who left a month or so ago) about the people who took over the instance. […]
  2. is using an older version of the server software which didn’t allow editing of posts. […]


Mastodon has a set of instructions for migrating servers, but I found this guide at Nerds Chalk to be more useful.


Update (2023-04-05): Jeff Johnson:

It looks like the Mastodon instance went down permanently a number of weeks ago with no notice.

Using Order Files to Speed Up Launches and Conformance Checks

Noah Martin:

A 150MB+ app binary file, like the one in Uber’s app, takes between 500 ms and 1 second just to be loaded into memory (measured on an iPhone 6s). Loading large files like this is just a fraction of the app’s launch time. To put in perspective, Apple’s recommended startup time is just 400ms. That’s already 1-2x the recommended completed launch time without any code even executing!

By default, apps can need to read more than 75% of their binary during startup. However, with the help of order files, we can read only the functions we need during start up.


The order file instructs the linker to put functions in a specific sequence. By ordering the binary so all the startup functions are together, we now only need to load those pages.

Noah Martin:

By default, protocol conformances end up spread throughout the __TEXT/__const section of the binary. This is because each module in an app generates their own static binary. When they are linked into the final app, the binaries are placed side by side. Data from different modules is not interleaved in the executable.


We can apply the idea of using order files to group data onto as few pages as possible to conformances, and generate an order file that moves all conformances onto their own pages.


In our tests, co-locating the conformances like this resulted in an over 20% decrease in protocol conformance lookup time on an iPhone 7 running iOS 15!

You can generate an order file that has this result by parsing the linkmap file.
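One way to do the linkmap-parsing step described above, as an added example that is not code from the quoted posts. It assumes the tab-separated layout that ld64 writes with -map, that Swift protocol conformance descriptors are the symbols whose mangled names end in Mc, and 16 KB pages; the sample linkmap and its symbol names are constructed.

```python
import re

PAGE_SIZE = 0x4000  # assumption: 16 KB pages

# Constructed sample linkmap (not from a real build); columns are tab-separated.
SAMPLE_LINKMAP = """\
# Path: /tmp/Demo.app/Demo
# Arch: arm64
# Object files:
[  0] linker synthesized
[  1] /tmp/build/Feed.o
[  2] /tmp/build/Profile.o
# Sections:
# Address\tSize    \tSegment\tSection
0x100004000\t0x00000100\t__TEXT\t__text
0x100004100\t0x00014100\t__TEXT\t__const
0x10001C000\t0x00000040\t__DATA\t__data
# Symbols:
# Address\tSize    \tFile  Name
0x100004000\t0x00000040\t[  1] _$s4Demo4FeedV4loadyyF
0x100004040\t0x000000C0\t[  2] _$s4Demo7ProfileV4saveyyF
0x100004100\t0x00000010\t[  1] _$s4Demo4FeedVSQAAMc
0x100004110\t0x00000020\t[  1] _$s4Demo4FeedVMn
0x10000C130\t0x00000010\t[  2] _$s4Demo7ProfileVSHAAMc
0x100014140\t0x00000010\t[  2] _$s4Demo7ProfileVSQAAMc
0x10001C000\t0x00000010\t[  2] _$s4Demo9fakeCacheMc
# Dead Stripped Symbols:
#        \tSize    \tFile  Name
<<dead>> \t0x00000010\t[  1] _$s4Demo3OldVSQAAMc
"""

SECTION_ROW = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s*$")
SYMBOL_ROW = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+\[\s*(\d+)\]\s(.*)$")


def parse_linkmap(text):
    """Return (sections, symbols) from the '# Sections:' and '# Symbols:' blocks."""
    sections, symbols, block = [], [], None
    for line in text.splitlines():
        if line.startswith("# Sections:"):
            block = "sections"
        elif line.startswith("# Symbols:"):
            block = "symbols"
        elif line.startswith(("# Dead Stripped Symbols:", "# Object files:")):
            block = None  # dead-stripped symbols are not in the binary
        elif line.startswith("#"):
            continue  # column headers and metadata
        elif block == "sections":
            m = SECTION_ROW.match(line)
            if m:
                sections.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
        elif block == "symbols":
            m = SYMBOL_ROW.match(line)
            if m:  # names may contain spaces, so the name is "rest of line"
                symbols.append((int(m[1], 16), int(m[2], 16), int(m[3]), m[4]))
    return sections, symbols


def conformances(text, segment="__TEXT", section="__const"):
    """Conformance descriptors (name ends in 'Mc') that live in segment,section."""
    sections, symbols = parse_linkmap(text)
    wanted = [(start, start + size) for start, size, seg, sec in sections
              if (seg, sec) == (segment, section)]
    found = []
    for address, size, _file, name in sorted(symbols):
        in_section = any(lo <= address < hi for lo, hi in wanted)
        if in_section and name.endswith("Mc"):
            found.append((address, size, name))
    return found


def pages_touched(entries, page_size=PAGE_SIZE):
    """Set of page indexes that must be read to reach every entry."""
    pages = set()
    for address, size, _name in entries:
        pages.update(range(address // page_size, (address + size - 1) // page_size + 1))
    return pages


def pages_if_packed(entries, page_size=PAGE_SIZE):
    """Best case page count once the entries are laid out back to back."""
    total = sum(size for _address, size, _name in entries)
    return -(-total // page_size)  # ceiling division


def order_file(text):
    """Order-file body: one conformance symbol per line, duplicates dropped."""
    names = []
    for _address, _size, name in conformances(text):
        if name not in names:
            names.append(name)
    return "\n".join(names) + "\n"


if __name__ == "__main__":
    found = conformances(SAMPLE_LINKMAP)
    print("pages before:", len(pages_touched(found)), "best case after:", pages_if_packed(found))
    print(order_file(SAMPLE_LINKMAP), end="")
```

The resulting text is what the linker's -order_file option takes as input.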


Ejecting External Disks With macOS 13

Howard Oakley:

Among the rough edges in macOS is that infuriating message you may see when you try to eject or unmount a volume: it failed because the volume is in use.


In Disk Utility, the answer seems to be to try again, several times if necessary. It’s unusual for this not to work at all, although it may take a couple of attempts.


My personal favourite of them all is Sloth, from here. Although it’s not notarized, it does everything that I’d want in terms of matching lsof or fuser’s features. Most importantly, if you click its padlock at the lower right and authenticate, it will show all processes running as root.

This has been happening a lot for me since Catalina. Typically, I don’t get an error message at all—it just doesn’t eject.

The bigger problem is that sometimes Finder does show that it ejected, but then when I switch off the drive I get a warning saying that I ejected a drive that was still in use.

Aristotle Pagaltzis:

Ever since upgrading to a recent Mac that came with the disk formatted with APFS, a perennial irritation has been Time Machine. I use a USB hard drive for backups, which of course needs unplugging when I want to take the machine with me somewhere. There are long stretches of time when I don’t even think about this because it works just fine. And then there are the other stretches of time when this has been impossible: clicking the eject button in Finder does nothing for a few ponderous moments and then shows a force eject dialog.


Unfortunately when this happens, there is no help for it: even closing all applications does not stop the mystery program from using it. So what is the program which is using the disk? The Spotlight indexer, it turns out.

There doesn’t seem to be a way to get Spotlight to stop, other than to kill the mds process and then try to unmount the drive before it respawns. I’m not keen on doing that, though, because I don’t want to corrupt the index file. It’s not that I want to be able to search my Time Machine backup—I wish I could disable indexing on that volume entirely—but that, with a damaged index file, indexing may keep running continuously.

Pierre Igot:

None of its volumes is currently mounted.

None of its files is currently open anywhere.

Yet somehow the disk is “in use” and cannot be safely ejected.

David Bureš:

I don’t know what it is with the recent releases of macOS and disks, but it’s been a complete disaster.

macOS would not unlock one of my encrypted drives. Just that single one. I even had to write a script to automatically unlock it when it got mounted, because it was such a pain in the ass. And then one day, it fixed itself and never happened again.

Now, one of my drives just refuses to get mounted, which completely freezes the entire OS.

I have seen these behaviors, too.


Update (2023-02-21): Drew:

The culprit is always QuickLook for me.

If you run a lsof /Volumes/MY_DRIVE you should see a bunch of QuickLook processes.

Issuing a killall -KILL QuickLookUIService should allow it to immediately be ejected.

This just happened to me shortly after reading this post. The Quick Look process in question was for a file I had previewed about 12 hours earlier.

Wednesday, February 15, 2023

Lawsuits Over Apple Analytics Switch


The App Store on macOS 13.2 sends detailed usage data and analytics to Apple. All interactions are associated with the user’s iCloud ID, or dsid. This happens even when you turn off sharing usage data and analytics.


Here’s an example of the analytics sent when I search for “Holy Moly” on the App Store. Everything is logged and associated with the user’s iCloud ID, even when you play a video of an app and click on the unmute button. Data collected can identify a user personally.


The privacy label of the App Store does state that the app collects usage data and links it to the user’s identity. However, the description in the Settings of “Share Mac Analytics” gives the impression that usage data will be turned off with that switch.

Thomas Germain (via Dare Obasanjo):

The company was just hit with a fourth class-action lawsuit over accusations of surreptitious iPhone data collection. Three of those lawsuits were filed in January alone.


In November, Gizmodo exclusively reported on research demonstrating that your iPhone collects hyper-detailed data about what you do on its apps, like the App Store, Apple Stocks, Apple Music, Apple News, and more—even when you turn off the iPhone Analytics privacy setting, which explicitly promises to stop the snooping.


Gizmodo contacted Apple about this problem for the seventh time this morning, which has to be another record breaker. As happened the previous six times, the company didn’t respond. Apple hasn’t said a single word to defend this privacy issue in public.


Update (2023-03-14): Mysk:

Apple is facing two more class action lawsuits for “its practice of harvesting data from iPhones and its other consumer personal computing devices”

Now the total number of lawsuits settles at 20, all of which are based on the “Mysk Study”

Update (2023-03-23): Mysk:

Another class action lawsuit against Apple for deceptively and systematically violating wiretapping, privacy, and consumer fraud laws for its own financial gain.

Update (2023-06-16): Mysk:

Craig Federighi: “The data that’s interesting to train these [AI] models is data that is publicly available data, not personal data. We do not need your personal data to make our systems smart. And when we need to get specific data for a specific person, we’re not doing that by spying on people we’re gonna go out and get it the right way.”

Such public statements about respecting users’ privacy are the reason why #Apple is facing 21 class action lawsuits for collecting exhaustive usage data in the App Store app and linking it to the user’s identity without providing an option to opt out.

Update (2024-02-20): Mysk:

Users should be aware that the App Store collects exhaustive usage data and sends it to #Apple. This can’t be turned off. We made this video to show how tapping an app link gets recorded in detail.

After tapping a link posted on X, we requested a copy of the Apple ID data and we found this: (76,779 records in 734 days 🤯)

Swapping App Data After Review

William Gallagher:

Con artists involved in a so-called “pig butchering” scam sneaked apps into Apple’s App Store and Google Play Store by temporarily presenting innocuous functionality.


As the apps went through review, they each appeared to be doing exactly what they claimed to be.

Once the apps were approved and on the App Store, though, the destination websites were seemingly changed.


In this case, the very presence of the apps on the App Store and Google Play Store helps make them seem legitimate.


Arbitrary Beautiful Colors

Soroush Khanlou:

Unfortunately, colors generated like this look really bad. They often come out muddy and ruddy, and generating more than one color doesn’t come with any pattern or structure. The colors are all over the place.

This is a structural problem with RGB. RGB is focused on how color is produced, rather than how it’s perceived.

Fortunately, the solution to this problem is well documented. There are a few blog posts out there (warning: JavaScript) that lay out an approach. The idea is this: by using a hue based color space, like HSL, you can hold two parameters constant (saturation and lightness), and modify only the hue, giving you multiple colors that live in the same “family”.


It turns out that the answer I was looking for was in a YouTube video I watched over 10 years ago. The remarkable Vi Hart published a series of videos (one, two, three) about how plants need to grow their new leaves in such a way that they won’t be blocked by the leaves above, which lets them receive maximum sunlight.

Geekbench 6

John Poole (via MacRumors):

Geekbench tests have always been grounded in real-world use cases and use modern. With Geekbench 6, we’ve taken this to the next level by updating existing workloads and designing several new workloads, including workloads that:

  • Blur backgrounds in video conferencing streams
  • Filter and adjust images for social media sites
  • Automatically remove unwanted objects from photos
  • Detect and tag objects in photos using machine learning models
  • Analyse, process, and convert text using scripting languages


We also updated the datasets that the workloads process so they better align with the file types and sizes that are common today.


The multi-core benchmark tests in Geekbench 6 have also undergone a significant overhaul. Rather than assigning separate tasks to each core, the tests now measure how cores cooperate to complete a shared task. This approach improves the relevance of the multi-core tests and is better suited to measuring heterogeneous core performance.

Akamai Kills Linode Brand

Blair Lyon (via Hacker News):

Since Akamai’s acquisition of Linode in early 2022, we’ve been hard at work to bring the platforms together under one roof. With the announcement of Akamai Connected Cloud, Linode is now fully integrated into the Akamai brand. Going forward, Linode’s services will be referred to as Akamai’s cloud computing services.

Rui Carmo:

I understand that Akamai execs may have thought killing the Linode brand would help bring their compute services upmarket, but very strongly believe this was the stupidest thing they could do.

Linode’s success and brand name came from reliable, cost-effective servers managed by knowledgeable people, and everything I know about Akamai at a personal level these days is the exact opposite[…]

Meanwhile, DigitalOcean is doing layoffs.


Update (2023-07-26): Marco Arment:

Linode/Akamai has notified me that they’re forcing an offline migration of one of my primary databases within 48 hours.

In the middle of a week.

It’ll cause ~8 hours of complete Overcast downtime if I don’t bring up a new instance and migrate everything over myself by then.

And this server costs 20% more than it did a year ago.

The Akamai acquisition of Linode has not improved anything for Linode’s customers, as far as I can tell. So far, we’re just paying more for equal or worse service.

Disabling Internet Explorer

Eric Van Aelstyn:

The out-of-support Internet Explorer 11 (IE11) desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update. Note, this update will be rolled out over the span of a few days up to a week, as is standard for Microsoft Edge updates.

All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change. Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates.

Via Nick Heer:

It is an interesting update, though, if only because it is rare for any vendor to force users to stop using software, let alone Microsoft.


Update (2023-02-21): See also: Hacker News.

Tuesday, February 14, 2023

DiskWarrior 5.3

Alsoft (via Agen Schmitz):

Supports OS X 10.8 Mountain Lion through macOS 13 Ventura when rebuilding Mac OS Extended volumes.

Now runs on Apple Silicon M1 & M2 Macs to rebuild Mac OS Extended volumes.

No longer requires a kernel extension (KEXT) to operate in macOS 11 Big Sur and later.

Now runs within the macOS 11 Big Sur (and later) Recovery environment on Intel Macs.


The next major release of DiskWarrior (DiskWarrior 6.0) will include the ability to rebuild APFS disks. Apple released a majority of the APFS format documentation in June of 2020. Our developers are now using this documentation to update DiskWarrior in order to safely rebuild Apple File System (APFS) disks.

I would be interested in this, since several times files have disappeared from my APFS volumes (from all snapshots).


Comcast Gave False Map Data to FCC

Jon Brodkin (via Hacker News):

When Hillier looked up his address on the FCC map, it showed Comcast claims to offer 1.2Gbps download and 35Mbps upload speeds at the house. In reality, he makes do with CenturyLink Internet that tops out at 60Mbps downloads and 5Mbps uploads.

Hillier—an engineer with 30 years experience who previously worked for several telecom firms, including Comcast and Charter—submitted a challenge to the FCC in mid-November, telling the commission that Comcast doesn’t serve his address. Correcting false data is important because the map will be used to determine which parts of the US are eligible for $42.45 billion in federal grants to expand broadband availability.

Program rules require ISPs to respond to challenges within 60 days, and Comcast’s first response to Hillier’s insisted that it actually does serve the house, which is on a street called Quartz Loop.

David Major:

We demonstrate a new approach to building broadband coverage maps: automated large-scale queries to the public availability checking tools offered by major internet service providers. We reverse engineer the coverage tools for nine major ISPs in the U.S., test over 19 million residential street addresses across nine states for service, and compare the results to the FCC’s maps.

Our results demonstrate that the FCC’s coverage data significantly overstates the availability of each ISP’s service, access to any broadband, connection speeds available to consumers, and competition in broadband markets. We also find that the FCC’s data disproportionately overstates coverage in rural and minority communities.


Update (2023-02-23): Jon Brodkin (via Hacker News):

Comcast has fessed up to another mistake on the national broadband map after previously insisting that false data it gave the Federal Communications Commission was actually correct.


The FCC says it can conduct audits of provider-reported availability information and confirmed to Ars last week that it has “multiple ongoing” investigations into data submitted by ISPs. One of those investigations began after our report about an Ohio ISP called Jefferson County Cable, which admitted to lying to the FCC about the size of its network in an attempt to block funding to rivals. While the FCC confirmed an investigation into Jefferson County Cable, it hasn’t yet confirmed an investigation into Comcast.

A spokesperson for FCC Chairwoman Jessica Rosenworcel told Ars that Comcast’s correction of the Fort Collins mistake shows the challenge process is working as intended.

Compare Binary Data Using Kaleidoscope

Florian Albrecht:

As we have done before on several occasions, we’re going to employ macOS Shortcuts to create a solution for comparing binary data of files in Kaleidoscope, without the need to change Kaleidoscope itself.


Some Kaleidoscope users prefer dealing with the command line. Almost the same functionality that took us several setup steps in Shortcuts can be achieved using an elegant single line command in Terminal:

ksdiff <(xxd A.txt) <(xxd B.txt)

Monday, February 13, 2023

macOS 13.2.1

Juli Clover (release notes, security, full installer, IPSW):

Apple today released macOS Ventura 13.2.1, a minor update to the macOS Ventura operating system initially released in October.

Juli Clover:

According to Apple’s security notes for the updates, the software fixes a WebKit issue that could allow maliciously crafted web content to result in arbitrary code execution. Apple says that it is “aware of a report that this issue may have been actively exploited.”


Update (2023-02-21): Howard Oakley:

A small minority of users experienced something strange when they updated to macOS 13.2.1, or even 13.2. Instead of the updated macOS automatically returning them to the Finder and Desktop once the update was complete, it bounced the Mac into Recovery (or similar, if your Mac is managed) and asked for the password. This article explains what happened, and other accidents that can happen when updates don’t work right.

iOS 16.3.1 and iPadOS 16.3.1

Juli Clover (security):

According to Apple’s release notes, the iOS 16.3.1 update includes multiple bug fixes, addressing issues with iCloud and Siri requests for Find My, plus it adds more Crash Detection optimizations.

The iCloud settings fix may address an issue that could cause some people not to be able to toggle on automatic iCloud backups on the iPhone and the iPad, a problem that some users have been experiencing since the launch of iOS 16.3.

Crash Detection optimizations likely address ongoing issues with Crash Detection reported at ski resorts and amusement parks.

Yesterday, I somehow triggered Apple Watch’s fall detection for the first time. I was at a ski resort, but I didn’t fall, and it detected the “fall” while I was walking in a flat parking lot at a constant pace.


Formulas for Optical Adjustments

Marc Edwards:

Using the area works well for a circle, but, what about a donut? The hole in the middle reduces the total area. This also happens with stars and other shapes. Holes and concave segments should probably be ignored. A method to do this exists, and it’s typically called a convex hull. It’s like stretching a rubber band around the entire object. That’s probably a pretty good formula to work out visual weight that matches human perception. Here’s some more shapes, using the convex hull area to set the scale.


For triangles, the center of the bounding box often does not feel like the center of the triangle, and aligning by this method looks incorrect.

Triangles have many different types of centers, including centroid, incenter, circumcenter, and orthocenter. For equilateral triangles, those all coincide, so it doesn’t matter which is used. Aligning the triangle centroid to the center of the circle now looks right — the distance from the triangle points to the edge of the circle are consistent and it appears perfectly centered.

Something Only Apple Can Do

Dave Verwer:

I don’t think I’ve ever seen anything that sums up the balance of the pros and cons of life in the iOS App Store better than this Apple Developer News post from last week. It announces more flexibility to the billing grace period feature for subscriptions and subscription trials in your apps.


All that logic, all the edge cases, and all the implementation time. All done by Apple.


What if you wanted to change how your subscription billing works or add features like these for your app five years ago? What if you believe that the lack of this feature (or a hundred others) costs your business money, and if you were in control of your checkout and subscription logic, you would have changed it?

Android App Cloning

Ron Amadeo (via Peter Steinberger):

The feature leverages Android's multi-user system to have two copies of the same app but with different data, allowing you to log in to each with different accounts. Some apps support multiple accounts and some don't, but this feature would bring multiple account support to everything. It would also bring a great deal of consistency to having multiple accounts—every app could deal with multiple accounts in the same way, with one icon for account number one and a second icon for account number two.

This sounds great. iOS doesn’t even have real multi-user support.


Thursday, February 9, 2023

Resetting TCC

Howard Oakley:

When privacy settings are playing up, and you get prompted to allow access that you have already agreed to, or access fails when it should have worked, there’s little you can do about it. Once you’ve fiddled with Privacy & Security settings without success, the only tool to try is tccutil.

If problems are confined to just one or two privacy categories, then you can reset just those using a command like sudo tccutil reset ListName, only Apple doesn’t document the ListName to be used for each category. Experience suggests you could usefully try the following[…]


The nuclear option is to delete TCC’s database, a process requiring the use of Terminal in Recovery mode. This has been described in detail by Robin Kunde, and fleshed out further by Glenn Fleishman at MacWorld.


This all begs the question as to how the TCC database became corrupted in the first place. After all, it’s better to treat a cause rather than a symptom. As many users seem able to go for years without suffering problems so intractable as to require this nuclear option, and TCC databases are generally small in comparison with other vital system databases, it’s not easy to see how they can repeatedly become corrupted.

Indeed. I don’t recall this ever happening to me, but it’s not uncommon to hear about it from my customers, so it’s frustrating that a full reset is so obscure and difficult to do. Here are my instructions for troubleshooting TCC.


Update (2023-02-13): Robin Kunde:

Another unfortunate vector for TCC corruption is device management software. At the dayjob we had a long running incident where most people couldn’t screenshare from Google Hangouts because it was impossible to grant the relevant permission to Chrome

Tanner Bennett:

TCC was easily corrupted on Catalina as a user with SIP disabled. I had to be careful to enable SIP before launching an app that would trigger a TCC prompt or the app wouldn’t show up in the list in System Prefs with no way to add it manually.

Howard Oakley:

The list of apps in Location Services isn’t determined by the user, all you can do is enable or disable apps that macOS recognises as wanting access to location information. Similarly for those listed in System Services, it’s on or off only. Not only that, but those settings aren’t handled by TCC or its databases, but by the locationd service. When you reset TCC, or remove its database, that leaves these settings unaffected. Neither does there appear to be any other way to alter these, even a command tool like tccutil.


If you intend to delete the whole database at /Library/Application Support/ in Recovery mode, before doing so you should perform a full reset using sudo tccutil reset All and allow a couple of minutes for that to propagate to the user database, to ensure that has also been emptied.


Many of TCC’s settings and controls aren’t visible in Privacy & Security, as they determine access to iCloud services. Service names used by TCC for these include kTCCServiceLiverpool and kTCCServiceUbiquity, for CloudKit and iCloud Drive respectively.

Howard Oakley:

Even when you have the correct permissions, and SIP isn’t involved, read and write access to some locations can be blocked by the privacy controls in macOS, a subsystem for Transparency, Consent and Control, the dreaded TCC. While it manages access to services and features like camera and microphone, and controls over other apps, TCC also restricts disk, folder and file access. This is confusingly controlled by two interrelated categories in Privacy & Security settings, Full Disk Access and Files and Folders.

Those don’t govern access to iCloud, which, while also controlled by TCC, is in System Settings > Apple ID > iCloud Drive > Options.

Transmission 4.0

Transmission (Hacker News, Mac Rumors):

This is a major release, both in numbering and in effort! It’s been in active development for over a year and has a huge list of changes -- over a thousand commits -- since Transmission 3.00.


The code has been extensively profiled and improved to fix inefficient code and memory use. For example, a stress test of starting transmission-daemon with 25,000 torrents is almost entirely IO-bound, using 50% fewer CPU cycles and 70% fewer memory allocations than Transmission 3.00.


The entire codebase has been migrated from C to C++. In the process, we’ve removed thousands of lines of custom code and used standard C++ tools instead. The core’s code has shrunk by 18%. The core codebase has been extensively refactored to be more testable and maintainable.

Clascal in the Lisa Source Code

Chris Hanson:

While Lisa appears to have an underlying procedural API similar to that of the Macintosh Toolbox, the Office System applications were primarily written in the Clascal language—an object-oriented dialect of Pascal designed by Apple with Niklaus Wirth—using the Lisa Application ToolKit so they could share as much code as possible between all of them. This framework is the forerunner of most modern frameworks, including MacApp and the NeXT frameworks, which in turn were huge influences on the Java and .NET frameworks.


You define a class and its methods as an interface, and then its implementation doesn’t require repetition. This may sound convenient but in the end it means you don’t see the argument lists and return types at definition sites, so everyone wound up just copying & pasting them into comments next to the definition!


Just like Macintosh, Lisa has a Memory Manager whose heap is largely organized in terms of relocatable blocks referenced by handles rather than fixed blocks referenced by pointers. Thus normally in Pascal one would write SELF^^.h := h; to dereference the SELF handle and pointer when accessing the object. However, since Clascal knows SELF and myPoint and so on are objects, it just assumes the dereference—making it hard to get wrong. What I find interesting is that, unlike the Memory Manager on Macintosh, I’ve not seen any references to locking handles so they don’t move during operations. However, since there isn’t any saving and passing around of partially dereferenced handles most of the time, I suspect it isn’t actually necessary!

Chris Hanson (Mastodon):

Here’s another interesting thing I’ve learned about Clascal and Object Pascal: It went through exactly the same evolution from combining object allocation & initialization to separating them that Objective-C did a decade later!


2022 Six Colors Apple Report Card

Jason Snell (Hacker News):

Coming off the high of the release of Apple Silicon, the Mac has slid back for two consecutive years. There was plenty of praise for the M2 MacBook Air, but the delay to the M2 Mac mini and MacBook Pro—which didn’t get announced until January, when our survey was in the field—definitely led to the Mac taking a hit. Panelists also expressed frustration with the lack of updates to the iMac, the lack of a Mac Pro, and issues with the Studio Display.


Like the Mac, iPhone scores also slid for the second straight year. (Given the smaller updates in the iPhone 13 and 14, that’s not surprising.) Despite expressing some boredom about the iPhone hardware, the panel largely had praise for iOS 16’s Lock Screen improvements and the Dynamic Island, and the iPhone 14 Pro’s always-on display was generally well received. The iPhone mini being discontinued was also a negative. This is tied for the lowest score Apple’s flagship product has ever received in this survey, but it’s still a strong score, all things considered.


The iPad took a precipitous fall to its lowest score in the history of this survey. There was some praise for the iPad 10th generation, but even that product got dinged for its confusing Apple Pencil story—and the fact that its new features make the rest of the product line feel antiquated. A treading-water update for the iPad Pro and the rough introduction of Stage Manager seem to be the biggest culprits in the bad mood of our panelists.


Things are good in wearables land. The Apple Watch Ultra refreshed that product line, and AirPods continue to impress as well.

Jason Snell:

First up is a chart that drills down into the vote distributions across all the categories, so you can see which categories gathered a variety of votes and which ones were a bit more consistent across all 55 voters.

Here are my responses:

Mac: 2 The highlight of the year has to be the Mac Studio, which seems like a success except for the multi-month shipping delays that extended into the fall. Otherwise it was a quiet year for hardware, except that the new MacBook Air gained a welcome 24 GB RAM ceiling. That’s OK since the rest of the hardware lineup is still solid. After many years of waiting, we finally got the Studio Display. As a display, it’s great, albeit pricey; however, the camera is extremely disappointing, the audio and USB hub have been unreliable, and the lack of a power button causes a variety of problems. macOS continues to deteriorate in terms of reliability, and in general it seems like Apple has forgotten how to design Mac software. Many apps feel like iOS ports, and the services apps just don’t work very well. Aside from its own efforts, Apple continues to get in the way of third parties making good software. The Mac version of SwiftUI still doesn’t live up to Apple’s pitch.

iPhone: 4 iPhone hardware and iOS seem to be in decent shape. I usually upgrade my phone every two years, but I skipped this one because there was no new iPhone mini, and the regular iPhone 14 got a relatively minor update. The Dynamic Island is interesting. Lock Screen customization is welcome but awkward and limited. The camera seems to be slipping a bit vs. the competition, and photos sometimes look too processed and fake.

iPad: 3 As always, the software seems to be letting down the hardware. iPadOS continues to feel limited. Stage Manager seems half-baked, and its system requirements are too steep.

Wearables: 4, Apple Watch: 3 Apple Watch Ultra and the watch hardware in general seem to be doing well, except that CPU improvements continue to be minimal. The software has had some problems, with complications broken for me for much of the year, the Camera Remote timer delay too short to be usable, and unexplained giant battery drains. AirPods Pro’s noise cancellation has gotten worse with software updates, and I’m now having regular problems with static that never occurred before.

Apple TV: 2 Apple doesn’t seem to know what to do other than add a faster processor. The software seems to be designed around Apple’s business needs rather than what customers would want. The remote still needs work.

Services: 2 I continue to have reliability problems with iMessage and Siri. The apps that go along with the media services just aren’t very good. Apple Maps is still not as good as Google Maps in the areas where I go, but it does seem to be improving.

HomeKit/Home Automation: No vote I don’t use any of this stuff, and looking at the Home app doesn’t make me want to start.

Hardware Reliability: 4 My Mac hardware itself has been very reliable, but I count problems with iOS and audio on the Studio Display under hardware reliability. Hardware can regress through firmware updates; my AirPods Pro’s noise cancellation doesn’t work as well as it used to. My iPhone’s battery seems to be failing after a little more than 2 years, though iOS reports it at 88% health.

Software Quality: 1 Most things feel kind of buggy, and the Mac is in a particularly bad state, with a large number of small bugs (many persisting for years) and some debilitating larger ones. I’ve documented some of them here.

Developer Relations: 2 Pretty much everything to do with the App Store needs work, as does the documentation.

Social/Societal Impact: No vote [This is such a sprawling category that I never know how to boil it down to a number.]


Update (2023-02-13): Nick Heer:

In 2022, I filed something like two bug reports every week solely against Apple’s own applications and operating systems.


Is all of that deserving of a lower score? Probably, but I have a hard time figuring out whether this is abnormally poor or merely worse than it ought to be. I seem to be living and working in a sea of bugs no matter whether I am using my Macs at home, the Windows PC at work, Adobe’s suite of products, or my thermostat.

It didn’t used to be like that.

John Gruber:

Resentment over App Store policies continues to build. Frustrations with the App Store review process seem unimproved. Apple’s goal should be for developer relations to be so good that developers want to create software exclusively for Apple’s platforms. The opposite is happening.

See also: TidBITS.

Wednesday, February 8, 2023

Swift Proposal: Custom Reflection Metadata

SE-0385 (discussion):

In Swift, declarations are annotated with attributes to opt into both built-in language features (e.g. @available) and library functionality (e.g. @RegexComponentBuilder). This proposal introduces the ability to attach library-defined reflection metadata to declarations using custom attributes, which can then be queried by the library to opt client code into library functionality.


Registering code to be discovered by a framework is a common pattern across Swift programs. For example, a program that uses a plugin architecture commonly uses a protocol for the interface of the plugin, which is then implemented on concrete types in clients. This pattern imposes error-prone registration boilerplate, where clients must explicitly supply a list of concrete plugin types or explicitly register individual plugin types to be used by the framework before the framework needs them.


To support advanced schema customization, the [Realm] property wrapper could store a string that provides a custom name for the underlying database column, specified in the attribute arguments, e.g. @Persisted(named: "CustomName"). However, storing this metadata in the property wrapper requires additional storage for each instance of the containing type, even though the metadata value is fixed for the declaration the property wrapper is attached to. In addition to higher memory overload, the metadata values are evaluated eagerly, and for each instantiation of the containing type, rendering property-wrapper instance metadata too expensive for this use case.

Git Tower 9.2


Working Copy and Branches Review: On macOS 13, the width of the middle pane in the Working Copy and Branches Review sections always reset themselves to the default after leaving the view.

This has been annoying me every day since Ventura was released—glad to see it fixed.


New WWDR Intermediate Certificate and Receipt Verification


Starting January 18, 2023, the App Store receipt signing certificate will use a new WWDR intermediate certificate. The existing intermediate certificate expires on February 7, 2023. In most cases, this certificate change won’t require changes to apps. However, we recommend reviewing how you verify the sale of your apps and in-app purchases from the App Store to make sure your apps aren’t impacted.

James Thomson:

Confirmed - my Mac TestFlight build receipts are still being signed with the Apple certificate that expired yesterday.


Certificates are such a fun show case of “can a corporate bureaucracy handle something that happens every few years and few people have access to” (the answer may surprise you).


Some of you with active subscriptions have reported issues with the app thinking you aren’t subscribed or unable to “Restore Purchases” on another family device. This is because Apple is currently having some issues with Receipt Verification. We will try to fix this temporarily on our end until Apple sorts the issue out.


Update (2023-02-13): Rich Trouton:

Mac admins who have previously installed macOS apps from the Mac App Store (MAS) or the Volume Purchase Program (VPP) may be seeing some of those apps displaying warning messages on launch that the application is damaged.

James Thomson:

And that’s Dice on Mac rejected for crashing at startup because receipt validation is failing.

So, it seems like they’ve fixed the receipt certs for TestFlight, but not yet in the App Review testing setup.

This is tedious.

Matthias Gansrigler:

PSA: If you’ve recently seen “this app is damaged” or “sign in to the App Store” dialog on your Mac, the following link might explain why[…]

The Evolution of Facebook’s iOS App Architecture

Dustin Shahidehpour:

After years of iteration, the Facebook codebase does not resemble a typical iOS codebase:

  • It’s full of C++, Objective-C(++), and Swift.
  • It has dozens of dynamically loaded libraries (dylibs), and so many classes that they can’t be loaded into Xcode at once.
  • There is almost zero raw usage of Apple’s SDK — everything has been wrapped or replaced by an in-house abstraction.
  • The app makes heavy use of code generation, spurred by Buck, our custom build system.
  • Without heavy caching from our build system, engineers would have to spend an entire workday waiting for the app to build.


The dylib solution worked beautifully. FBiOS was able to curb the unbounded growth of the app’s startup time. As the years went by, most code would end up in a dylib so that startup performance stayed fast and was unaffected by the constant fluctuation of added or removed products in the app.

The addition of dylibs triggered a mental shift in the way Meta’s product engineers wrote code. With the addition of dylibs, runtime APIs like NSClassFromString() risked runtime failures because the required class lived in unloaded dylibs. Since many of the FBiOS core abstractions were built on iterating through all the classes in memory, FBiOS had to rethink how many of its core systems worked.


With the new Buck-powered plugin system, FBiOS was able to replace most runtime failures with build-time warnings by migrating bits of infra to a plugin-based architecture.


Ultimately, the FBiOS team began to advise that product-facing APIs/code should not contain C++ so that we could freely use Swift and future Swift APIs from Apple. Using plugins, FBiOS could abstract away C++ implementations so that they still powered the app but were hidden from most engineers.

Louis Gerbarg:

I am going to say the exact same thing I said to them when they asked me about some of these choices:

They are a large developer with dedicated QA and perf who releases dozens of app updates a year for a network service that can force users to upgrade.

Which means a number of potentially labor intensive or high risk optimizations are appropriate for them because if they become an issue later they will notice them early and have the ability to undo them.

Having said that, the more elaborate these things are and the less like other apps built with the normal tools are the less likely the future optimizations we are building will improve your app’s perf. We knew we were doing dyld3 and page in linking years before we shipped them.

And the advice we were giving people on how to structure their apps was to set them up to work well in that future environment we were not ready to discuss.

Eric Schwarz:

The post gets into a bit of technical details that are fascinating, but the tone strikes me as weird. While it’s great to celebrate milestones, it seems a little odd to be happy about layers of legacy code and nonstandard, custom choices that lead to a 300MB app that does most of the same things as a web page.

Big cross-platform apps still seem like an unsolved problem. No one wants to write multiple native versions of the same app, so we either get wrappers and in-house abstractions or something like Electron. I guess Microsoft Office probably does it the best. It’s strange to think about this because intuitively it seems like Office does a lot more than the Facebook app, but (as far as I know) Microsoft hasn’t had to go to these lengths.

John Gruber:

As Eric Vitiello commented on Mastodon regarding this post, if we assume “thousands of engineers” means just 2,000, that means a new engineer has started adding code to Facebook’s iOS app every two days, nonstop, for a decade. It’s closer to one new engineer every day if we count only weekdays.


Update (2023-02-13): Nick Heer:

I am sure there are valid reasons for Meta to treat these applications [Facebook (blue) and Facebook Messenger] differently, but reading these posts back to back sound like they are from two completely different companies.

Tuesday, February 7, 2023


Mark Alldritt (Mastodon):

MastodonLib is a library that allows you to query Mastodon timelines and post to a Mastodon account from AppleScript. This library is far from a complete implementation of the Mastodon API.


wordexp() Shells Out

Steve Klabnik:

you: “c is nice because there’s no hidden costs, you see every malloc and free, and know that the standard library doesn’t do shenanigans behind your back”

Steve Troughton-Smith:

libc does what 😟

Apparently I forgot to link to this back when the story broke in 2015 and 2016. For many years, Apple implemented the wordexp() function by starting a separate process for a Perl interpreter. Later, this was changed to use /usr/lib/system/wordexp-helper, which may be based on Bash, and so perhaps the code can only be called that way because of the GPL.
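The hidden process has a security side as well: wordexp() performs shell-style expansion, including command substitution unless WRDE_NOCMD is passed. The following is an added example, not code from the linked posts; expand_guarded, struct expansion and the size limits are hypothetical names chosen for illustration, and the sample inputs are constructed.

```c
/* Added example: calling wordexp() on untrusted input with command
 * substitution disabled, and classifying the rejection reason. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

#define MAX_WORDS 8      /* illustrative limits, not part of the API */
#define WORD_LEN  128

struct expansion {
    int    rc;                         /* 0 or a WRDE_* error code */
    size_t count;                      /* words copied into words[] */
    char   words[MAX_WORDS][WORD_LEN];
};

/* Expand `input` the way a shell would split and unquote it, but pass
 * WRDE_NOCMD so that $(...) and `...` are rejected with WRDE_CMDSUB
 * instead of being executed. Variable and tilde expansion still happen. */
static struct expansion expand_guarded(const char *input)
{
    struct expansion out;
    wordexp_t we;

    memset(&out, 0, sizeof out);
    memset(&we, 0, sizeof we);

    out.rc = wordexp(input, &we, WRDE_NOCMD);
    if (out.rc == 0) {
        for (size_t i = 0; i < we.we_wordc && i < MAX_WORDS; i++) {
            /* snprintf truncates over-long words instead of overflowing */
            snprintf(out.words[i], WORD_LEN, "%s", we.we_wordv[i]);
            out.count++;
        }
    }
    /* Results are only allocated on success or a partial WRDE_NOSPACE. */
    if (out.rc == 0 || out.rc == WRDE_NOSPACE)
        wordfree(&we);
    return out;
}

/* Map a wordexp() return code to its symbolic name for logging. */
static const char *wrde_name(int rc)
{
    switch (rc) {
    case 0:            return "OK";
    case WRDE_BADCHAR: return "WRDE_BADCHAR";
    case WRDE_BADVAL:  return "WRDE_BADVAL";
    case WRDE_CMDSUB:  return "WRDE_CMDSUB";
    case WRDE_NOSPACE: return "WRDE_NOSPACE";
    case WRDE_SYNTAX:  return "WRDE_SYNTAX";
    default:           return "unknown";
    }
}

int main(void)
{
    /* Constructed sample inputs: one benign, three that must be refused. */
    const char *samples[] = {
        "alpha 'beta gamma'",
        "$(id)",
        "`id`",
        "logs; id",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct expansion e = expand_guarded(samples[i]);
        printf("%-22s -> %s", samples[i], wrde_name(e.rc));
        for (size_t w = 0; w < e.count; w++)
            printf(" [%s]", e.words[w]);
        putchar('\n');
    }
    return 0;
}
```

WRDE_NOCMD only stops command substitution. On an implementation that shells out as described above, each call may still start a helper process, so the cost remains even for benign input.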


macOS Isn’t As Small As You Think

Matt Birchler (Mastodon):

I think Apple should add touch to Macs, and I think that this will allow them to not only make current form factors better, but it will allow them to create Macs that are more flexible, more powerful, and more accessible than any Macs before them.

That said, there are people in the Mac community who disagree with me here, and their number one concern is that macOS has a UI that is simply unusable with touch.


Again, all of these comparisons are being done at the default UI scaling mode. If you have less than perfect vision and boost the UI size at all, by all accounts, the UI on a Mac is as big, if not bigger than the same UI elements on an iPad mini.


There’s a narrative out there that touch is just so incompatible with macOS and that in order to make it work, the macOS UI would have to get blown up to comical proportions, but I don’t think that’s the case.

I think that’s right, but I would argue that it shows that macOS is not properly optimized for its form factor. Information density has gotten worse on the Mac over the last decade or so, as both Apple and developers have brought their iOS designs “back to the Mac.” It’s also happened with some iOS apps such as Music. Configurable font sizes are a good thing, as they improve accessibility. But bulky designs and increased spacing everywhere reduce the amount of stuff you can see at once. In some cases, this just means a bit more scrolling, but it can also cause serious frustration and feel like part of your display has been stolen. Getting rid of title bars has negative consequences and doesn’t make up for the space lost elsewhere.


From iTunes to Everywhere

Louie Mantia (via John Gruber):

As part of this same release, I also redrew iTunes controls, like the playback buttons, LCD, and volume slider. I suggested making the “stoplight” window controls vertical, to eliminate the titlebar since that entire toolbar was grabbable. (Not everyone loved it, but Panic adopted this style for Coda!)

One day during the development of this release, Steve requested to remove all the icons from the [iTunes] sidebar because it was getting too busy. My heart sank. Icons are my life. How were we going to navigate such a long list without icons that hint at the type of list item? In a last-ditch effort to save icons in the sidebar, I created shaded monochrome icons for the source list, and Steve approved them. This style of icon inadvertently became the de facto style of sidebar icons on a system level for the next decade.

A book could probably be written about the influence of iTunes on the design of Mac apps from Apple and third-party developers.


Monday, February 6, 2023

Tracking Hover Location in SwiftUI

Natalia Panferova (tweet):

For a while we only had onHover(perform:) modifier in SwiftUI that is called when the user moves the pointer over or away from the view’s frame. There used to be no official way to continuously track the pointer location. This changed with the introduction of onContinuousHover(coordinateSpace:perform:) in macOS 13 and iPadOS 16.

The new modifier lets us read the current HoverPhase and reports the exact location of the pointer when it’s within the view’s bounds. Let’s see it in action.

Update (2023-02-13): John Siracusa (Mastodon):

SwiftUI’s .onHover View method fails sporadically when applied to a view that does not cover the entire containing window and that window has a “clear” background color. This sample project demonstrates the bug, which has been filed with Apple as FB11988707.

The workaround is to make the background color anything that is not “clear.”

Update (2023-03-08): Donny Wals:

Long shot: in a macOS app that leverages this gist for a more reliable hover effect in SwiftUI[…]

On some macs with macOS 12.x this is completely fine. On others with 12.x the app is fine until the very first time the app is clicked. After that happens there’s a huge slowdown that seems related to the code in that gist (based on Instruments trace) but without a reliable reproduction on virtually identical machines I have no idea where to start debugging.

Facebook Negative Testing

Kathianne Boniello (via Jamie Zawinski):

Facebook can secretly drain its users’ cellphone batteries, a former employee contends in a lawsuit.

The practice, known as “negative testing,” allows tech companies to “surreptitiously” run down someone’s mobile juice in the name of testing features or issues such as how fast their app runs or how an image might load, according to data scientist George Hayward.

He refused to do that and was fired.

Cory Doctorow:

Hayward balked because he knew that among the 1.3 billion people who use Messenger, some would be placed in harm’s way if Facebook deliberately drained their batteries – physically stranded, unable to communicate with loved ones experiencing emergencies, or locked out of their identification, payment method, and all the other functions filled by mobile phones.


We don’t know much else, because Hayward’s employment contract included a non-negotiable binding arbitration waiver, which means that he surrendered his right to seek legal redress from his former employer.

Update (2023-02-14): Tracy Lopez:

Testing within an app is aimed at improving it, but this was not the case with Facebook apps, both on iOS and Android: the company slowed down the loading of the images, the connections to the pages of the links and even made the application consume more battery.


Meta carried out negative tests to draw a relationship between app performance and app experience.

This seems to be clearly in violation of App Store guideline 2.4.2. Though, according to the NTIA, Apple claims it “reviews each line of an app’s code,” we know they don’t do that in any real sense and likely didn’t realize Facebook was doing this.

Example Custom FormatStyles

Jonathan Wight:

I’ve been making a package of custom Swift (Parseable)FormatStyles for types that don’t currently get any love by the standard library.

My main need for this is GUI apps showing complex 3D types (think a SwiftUI field editor for a quaternion, etc) -- but am building it by composing basic types and FormatStyles.


PodSearch Reborn

David Smith:

Back in 2017 I had created a site which took the audio of some of my favorite podcasts and tried to make them searchable by passing them through an automated speech-to-text engine.


Thankfully since then OpenAI has released Whisper, a powerful speech-to-text engine that I can run right on my Mac and results in transcripts that are shockingly good. They aren’t quite at the level of a human transcriber but they get darn close in many instances. Getting close to the level where you could use them to grab a pull quote with only a little bit of tidying up to do.


Update (2023-02-14): Jason Snell:

While not perfect, Whisper was staggeringly better than the 2017 transcript and really, much better than any other AI-driven transcription I’d tried recently. It got the punctuation. It got proper names. And it didn’t turn “Thanks for listening to The Incomparable, I’ve been your host Jason Snell” into “Goodnight everybody for listening to be uncomfortable, I’ve been your Hostess and smell.”

Fortunately, a fellow named Georgi Gerganov made a C++-native port of Whisper that is easy to install and run on macOS and is optimized for Apple silicon. I downloaded and installed Gerganov’s version, downloaded the medium English model, and discovered that it could transcribe a podcast at rates up to 2x!

This was great, but the last thing I needed was to have to remember all the arcane command-line commands required to get the files in the right place. So instead, I wrote The Transcriptor, a Shortcut that lets me control-click on audio files and turn them into transcripts in a format of my choice.

Friday, February 3, 2023

Competition in the Mobile Application Ecosystem

Ben Lovejoy:

The White House asked the National Telecommunications and Information Administration to investigate, and Axios reports that it also concluded antitrust legislation is required.

The NTIA’s report is here (PDF).

Jon Brodkin:

The Biden administration wants major changes to the Apple and Google mobile app models, saying the companies “act as gatekeepers over the apps that people and businesses rely on” and enforce policies that “have the potential to harm consumers by inflating prices and reducing innovation.”

An analysis of the market and recommendations for lawmakers and regulators were issued today in a report by the Department of Commerce’s National Telecommunications and Information Administration (NTIA). The report was required by President Biden’s 2021 executive order on competition and touted by the White House today as being part of “new progress on his competition agenda.”

The NTIA concluded that “consumers largely can’t get apps outside of the app store model, controlled by Apple and Google,” and that “Apple and Google create hurdles for developers to compete for consumers by imposing technical limits, such as restricting how apps can function or requiring developers to go through slow and opaque review processes.”

Hartley Charlton:

On the basis of the investigation’s findings, the report recommends:

  • Third-party app stores should be permitted and users should not be prevented from sideloading apps outside a gatekeeper’s own app store. Legislative and regulatory measures should prohibit restrictions on sideloading, alternative app stores, and web apps.
  • Requirements that ban developers from using alternative in-app payment systems should be banned.
  • Third-party web browser apps should be able to offer full functionality and not face browser engine restrictions.
  • Pre-installed apps, default options, and anticompetitive self-preferencing should be limited, including in search results.
  • Users should be able to choose their own apps as defaults and delete or hide pre-installed apps.
  • App store review processes should be more transparent.

Florian Mueller:

It’s suboptimal, though, and I don’t just mean the fact that there are various typos (unusually many for a government document). As an app developer who tried to make a game work as a web app (and found the results extremely dissatisfactory), I believe the part about web apps could have raised several additional issues.

There are quotes from ACT | The App Association (again, it’s actually an Apple Association) and the R Street Institute that argue small app developers benefit from the trust that end users place in apps they download from curated stores. First, if they trust an Apple or Google store, why wouldn’t they also trust a Microsoft, Amazon, or Meta store? Second, independent software vendors (ISVs) have historically had great opportunities on open systems like Windows and the Mac (which compared to iOS is pretty open, though Apple may change that step by step). It’s not like mobile app stores were needed so the little guys had a chance to succeed. I’m extremely cautious about what I download to my Windows computers (desktop and notebook) and never installed any malware (nothing was found whenever I scanned, and nothing ever happened that suggested the presence of malware), but even I install software from small developers: I’m just careful about where I obtain it from, but that doesn’t mean I trust only Microsoft’s own store.


Update (2023-02-14): Florian Mueller:

President Biden effectively reinforces push for Open App Markets Act in State of the Union speech: first SOTU reference to antitrust since 1979

Designing Swift’s Macros Feature

Doug Gregor:

Swift folks, we’re busy working on macros for the Swift language and would love your thoughts. It’s a big feature with a lot of details that need to be right.


As things are starting to work in the prototype, we’re putting them into a sample repository with a couple of different kinds of macros. These demonstrate different aspects of macros, from the kind of code you can generate to how you handle errors. The repository is here.

Swift Macros Dashboard:

This gist provides a “dashboard” with links to the various documents and example projects that are part of the Swift Macros effort.


Update (2023-03-03): Ben Cohen:

This is a beautifully short example of how macros have the potential to make Swift library code easier to use for everyone.

Update (2023-03-08): See also: the Option Set Declaration Macro pitch.

Touchability, Productivity, and Portability — Pick Two

Federico Viticci:

In simpler terms: what happens if you prefer the Apple ecosystem for UI and UX but you’re feeling hamstrung by it at the same time?


The problem is that an iPad, at least for people like me, isn’t supposed to be a companion to work that happens somewhere else. It is the work. And ultimately, I think it’s fair to demand efficiency from a machine that is supposed to make you productive. I feel this every time Stage Manager doesn’t let me place windows where I want on an external display; every time I can’t place more than four windows in a workspace; every time I can’t record podcasts like I can on a Mac; every time a website doesn’t work quite right like it does on a desktop; I feel it, over a decade into the iPad’s existence, when developers like Rogue Amoeba or Raycast can’t bring their software to iPadOS.


Maybe this has been true for a while and Stage Manager was the proverbial straw that broke the camel’s back. You can’t separate art from the technology, but, at the end of the day, there’s also work to be done.

Jack Wellborn:

It’s foolishly optimistic to think that Microsoft or even Apple can make pointer interfaces as touch friendly as iPadOS without also destroying the very thing that makes them more productive than iPadOS — information density. Smaller controls mean these platforms can disclose more information and interactivity to their users at once. That’s why a bunch of windows on even an 11″ MacBook Air feels natural while only four windows on a “large” 13″ iPad feels ungainly.

Conversely, it’s impossible to make iPadOS more information dense without sacrificing the very thing that makes it the best tablet OS — touch friendliness. iPad users want more information on screen because that will help them be more productive, but the only way to present more information in iPadOS without sacrificing touch friendliness is a larger display. Not only is a larger display not portable, iPadOS’s support for larger displays still sucks. There’s nothing Apple can do about large displays not being portable, but better support for larger displays? That’s a problem Apple can solve.


Update (2023-02-21): Jack Wellborn:

The lesson to take from this half decade of disappointing iPadOS and iPad Pro updates is not that the iPad platform is fatally flawed and that Apple needs to jump ship to macOS for its pro tablet OS. It’s that Apple’s been trying to solve what increasingly seems like an impossible set of constraints — touchability, productivity, and portability. It’s foolish to think Apple or anyone can move those same constraints and demands to a different platform and assume a better outcome. I am all for adding touch support to Macs, but that won’t satisfy the dreams of iPad Pro users who want the same touch first experience found on their iPads today. Furthermore, overhauling macOS to create a touch first experience would only introduce the same problems found on iPadOS today, and if that’s the case, then what’s the point?


Apple’s Q1 2023 Results

Apple (transcript, Hacker News, MacRumors):

The Company posted quarterly revenue of $117.2 billion, down 5 percent year over year, and quarterly earnings per diluted share of $1.88.


“We set an all-time revenue record of $20.8 billion in our Services business, and in spite of a difficult macroeconomic environment and significant supply constraints, we grew total company revenue on a constant currency basis,” said Luca Maestri, Apple’s CFO.

Jason Snell:

Again, total profit was the second-most ever at $30 billion but it’s down from last year.


By all accounts, Apple originally intended to have new MacBook Pro and Mac mini models ready to go during this quarter, but those releases were delayed until this month. With no new Macs in the offing at all, Mac sales took a big hit, down 29 percent year-over-year.


Honestly, given that Apple warned of iPhone production problems that would prevent the company from meeting demand, being down only 8% year over year strikes me as being a bit of a relief.

Jason Snell:

Since the iPad is taking a victory lap, let me hit you with a few other iPad tidbits. It’s the first time the iPad has sold better than the Mac in a quarter in seven years. And it’s the biggest iPad quarter by revenue in nine years. The iPad is, at this point, basically a $32 billion a year business for Apple, when just a few years ago, it looked like it might be worth $20 billion at most. Sure, we might look at that janky Apple Pencil adapter on the 9th-generation iPad and at the aging design of the iPad Pro and wonder what’s up with the hardware design, but the numbers don’t lie.

John Voorhees:

The year-over-year decline was driven by multiple factors, including:

  • Shortages of iPhone 14 Pro and Pro Max caused by COVID lockdowns in China
  • Soft consumer demand resulting from worldwide inflationary pressure
  • Adverse effects caused by foreign currency exchange rates

Although Apple did not forecast results for Q1 2023 during its last earnings call, the company warned in November that production disruptions would impact shipments, so the declines today should not be a shock.


Thursday, February 2, 2023

ChatGPT Plus

OpenAI (Hacker News):

The new subscription plan, ChatGPT Plus, will be available for $20/month, and subscribers will receive a number of benefits:

  • General access to ChatGPT, even during peak times
  • Faster response times
  • Priority access to new features and improvements

Johan Lajili (via Hacker News):

Whereas you might think “well, if it’s not broken don’t fix it”, I believe the web as a way to access information is getting worse by the day. Content generated with GPT-3 is going to start to show up for every long tail search under the sun, whereas regular content is going to get even heavier with SEO keywords to survive. The web is going to get worse and worse, and the only way to get good information is with a system that can extract the signal from the noise, a.k.a. ChatGPT.

Arvind Narayanan and Sayash Kapoor (via Hacker News):

The philosopher Harry Frankfurt defined bullshit as speech that is intended to persuade without regard for the truth. By this measure, OpenAI’s new chatbot ChatGPT is the greatest bullshitter ever. Large Language Models (LLMs) are trained to produce plausible text, not true statements. ChatGPT is shockingly good at sounding convincing on any conceivable topic. But OpenAI is clear that there is no source of truth during training. That means that using ChatGPT in its current form would be a bad idea for applications like education or answering health questions. Even though the bot often gives excellent answers, sometimes it fails badly. And it’s always convincing, so it’s hard to tell the difference.

Yet, there are three kinds of tasks for which ChatGPT and other LLMs can be extremely useful, despite their inability to discern truth in general:

  1. Tasks where it’s easy for the user to check if the bot’s answer is correct, such as debugging help.

  2. Tasks where truth is irrelevant, such as writing fiction.

  3. Tasks for which there does in fact exist a subset of the training data that acts as a source of truth, such as language translation.


Twitter to Charge for API

Twitter Dev (Hacker News):

Starting February 9, we will no longer support free access to the Twitter API, both v2 and v1.1. A paid basic tier will be available instead.


We’ll be back with more details on what you can expect next week.

At present, I would pay a reasonable fee to keep using Twitter with NetNewsWire and IFTTT. That may change if the people I follow continue to leave the platform. And I think this may be shortsighted in that a free API encourages people to do things that make the platform more valuable.

As with other recent Twitter changes, it’s rude to announce this with so little notice—and no details.

Nick Heer:

As usual for the new Twitter, there are no details about what this means and no coordination among what is left of its teams — its developer site proudly still says it permits “free access”.

Eric Schwarz:

Although third-party clients have been gone for a while, this will most likely kill automated posting tools. That’s been used for years on this site and it’s just not worth the money to pay for API access. It’s also a pretty bold move for Twitter to think that publications, especially smaller ones, should pay to generate content for their site even if it ultimately brings eyeballs to the destination sites. In addition to that, tools that allow you to delete your tweets or create things outside of simple posting will also go away.

Jeffrey Zeldman:

Here comes the punchline: one day Twitter emailed me to say that my Twitter Blue account was being discontinued, but I would soon have the opportunity to pay for an exciting new version of Twitter Blue.

Then Twitter emailed me inviting me to roll over my credit card so as to become a member of the new Twitter Blue. Which made me wonder: do I continue to go by the principle of paying for software I use, even when I disapprove of the direction in which a new owner is taking the platform? Or do I register my dislike of that direction by refusing to pay, even if it accelerates the death of the platform? (Whereas I was still hoping for the platform to survive and right itself, no pun intended.)

In the end, and I know I’ll lose many of you here, I decided to keep paying. And now the promised punchline: Twitter was unable to accept my credit card, and the subscription failed.


Update (2023-02-03): Ged Maheux:

Just amazing how far Musk has moved the goal posts so that giving Twitter devs a single week’s notice before their app/service is rendered inoperable is now considered an “improvement”. 🤬

Elon Musk:

Yeah, free API is being abused badly right now by bot scammers & opinion manipulators. There’s no verification process or cost, so easy to spin up 100k bots to do bad things.

Just ~$100/month for API access with ID verification will clean things up greatly.

If that’s the real motivation, they should make the read-only parts of the API free.

Thomas Reed:

Musk is teaching a mastery-level class in how not to manage relationships with third-party developers.

Michael Love:

Twitter blocking Movetodon over unspecified violations[…]

Update (2023-02-13): Twitter Dev (last week):

We’re excited to announce an extension of the current free Twitter API access through February 13.


Paid basic access that offers low level of API usage, and access to Ads API for a $100 monthly fee.

A new form of free access will be introduced as this is extremely important to our ecosystem – limited to Tweet creation of up to 1,500 Tweets per month for a single authenticated user token, including Login with Twitter.

Twitter Dev:

There has been an immense amount of enthusiasm for the upcoming changes with Twitter API. As part of our efforts to create an optimal experience for the developer community, we will be delaying the launch of our new API platform by a few more days.

They still haven’t said anything about read access.

Ben Ubois:

A lot of customers have asked about the future of Twitter support in Feedbin. Even with today’s update there’s still not enough information to make a decision.

Feedbin’s priority is to keep the stuff that you subscribe to up-to-date, so the plan is to continue to use the API. However, it also depends on what the price ends up being[…]

Wednesday, February 1, 2023

The State of Enthusiast Apps on Android

Matt Birchler:

I recently commented on Mastodon that I thought when it comes to third party apps, iOS is remarkably far ahead of Android. My feeling is that you can take the best app in a category on Android, and that would be the 3rd to 5th best app in that category on iOS.


This app (again, in beta) is way behind apps like Reeder, Unread, and NetNewsWire in both functionality and design.

This app was presented to me as an example of how Android apps are better than iOS apps, and it instead made me more confident in my opinion.

John Gruber (Hacker News):

Whilst we iOS users celebrate the recent releases of Thomas Ricouard’s Ice Cubes, Tapbots’s Ivory, and Tusker, and look forward to the imminent release of other new Mastodon clients like Shihab Mehboob’s Mammoth, over on Mastodon I asked what the best clients for Android are.

Long story short: crickets chirping.

The app that got the most recommendations is Tusky, an open-source client available free of charge. It’s fine, and for now, it’s what I’ve got on my home screen on my Pixel 4. But if Tusky were an iOS app, it wouldn’t make the top 5 for Mastodon clients.


Update (2023-02-03): John Gruber:

Android enthusiasts don’t want to hear it, but from a design perspective, the apps on Android suck. They may not suck from a feature perspective (but they often do), but they’re aesthetically unpolished and poorly designed even from a “design is how it works” perspective. (E.g., Read You doesn’t offer unread counts for folders, has a bizarrely information-sparse layout, and its only supported sync service was deprecated in 2014. It also requires a frightening number of system permissions to run, including the ability to launch at startup and run in the background.) And as I wrote yesterday, the cultural chasm between the two mobile platforms is growing, not shrinking. I’ve been keeping a toe dipped in the Android market since I bought a Nexus One in 2010, and the difference in production values between the top apps in any given category has never been greater between Android and iOS. And that’s just talking about phone apps, leaving aside the deplorable state of tablet apps on Android.


Of course there are Android users and developers who do see how crude the UIs are for that platform’s best-of-breed apps. But we’re left with two entirely different ecosystems with entirely different cultural values — nothing like (to re-use my example from yesterday) the Coke-vs.-Pepsi state of affairs in console gaming platforms.

Steven Aquino:

iOS apps may attract more software aesthetes, but it’s also the case accessibility on iOS is far more expansive and polished than on Android. This isn’t to say Google ships inaccessible crap or cares less, but they certainly don’t match the breadth and depth Apple provides. This is well known in a11y circles. Not a trivial matter.

Nicolas Magand:

Outside of Google’s own apps and others from big tech companies, apps on Android are generally terrible. Feature-wise they do the job, they are stable enough, not too buggy, decently integrated with the OS, but they are either ugly, weird, or both.

Federico Viticci (Mastodon):

To say that I found the ecosystem worse than I remembered would be an understatement.


I do appreciate the greater freedom Android grants power users who care about aspects such as split-screen multitasking, total control over default apps, or theming. But the whole experience feels fragmented, and as a result crude, when it comes to using your phone with apps in everyday life. The general baseline of quality for design and expected system features is simply higher on iOS.

Update (2023-02-14): Barbara Krasnoff:

On the other hand, I have to admit that when I hear about an app that looks really easy and useful, go running to its site to see if I can try it out, and find that it’s only available for iOS, I can become, for a moment, something akin to an angry five-year-old. I want to play with this new toy, and I deeply resent anyone who says I can’t.

Bypassing iOS 16.2 Location Privacy

Rodrigo Ghedin:

iFood, Brazil’s largest food delivery app, evaluated at USD 5.4 billion, was accessing his location when not open/in use, bypassing an iOS setting that restricts an app’s access to certain phone features. Even when the reader completely denied location access to it, iFood’s app continued to access his phone’s location.


An educated guess was revealed by iOS 16.3 release notes, launched on January 23rd. Apple mentions a security issue in Maps in that “an app may be able to bypass Privacy preferences”.

Via Nick Heer:

I do not want to spread fear or uncertainty, but it is hard to believe iFood would be the only app interested in using location data even if the user has opted out of it. There were several privacy-related bugs fixed in this most recent round of operating system updates.

John Gruber:

If the iFood app was really doing this, why is it still in the App Store? If circumventing location privacy by exploiting a bug doesn’t get you kicked out of the store, what does?


Pausing Finder Copies and Dragging to the App Switcher

Tim Hardwick:

When you copy a large file or folder to another location in Finder using the Copy and Paste options, a pie chart progress indicator next to the copying item’s name gives you an idea of how long the copy will take to complete. If it looks like it’s going to take longer than you’d like, you can always pause the copy and resume it later.


An oft-overlooked function of the App Switcher is its ability to open files. Simply begin to drag a file from a Finder window, then invoke the App Switcher and drag the file onto the relevant app icon in the overlay. Let go of the file and it should open in the selected app.

This is a good list of some less commonly mentioned tips.

Renewing the App Store Small Business Program

Greg Pierce:

I got an email from Apple saying I’m eligible for the Small Business Program–which I am already in. Do we need to re-apply?

So did I, though I don’t recall getting such an e-mail last year. There doesn’t seem to be a place to actually check your status, so of course I re-applied. I’m guessing that Apple sent a mass e-mail without bothering to scope it to those not already in the program, but now they’ll have to process lots of duplicate applications.

Jesse Squires:

Wouldn’t it be nice if App Store Connect showed some kind of “small business program” badge or other visual indicator of your status?

Instead, I see developers talking about back-calculating Apple’s fee from their financial reports to see whether they’re still in the program.


Update (2023-02-03): John Siracusa:

I had to email Apple to find out if I was still enrolled in the Small Business Program. (If it’s anywhere on any website, I couldn’t find it, and the person who answered my email at Apple didn’t tell me where I could have found it myself.) The result: I am still enrolled, despite getting that email about the program.