Archive for February 20, 2023

Monday, February 20, 2023

Contacts.app Skipping Export of Some Contacts

Miles Wolbe:

Some contacts would not export to vCard from Contacts.app, instead exhibiting the following behavior:

  • when clicked and dragged alone, the resulting file, “Contact.vcf”, was zero KB

  • when clicked and dragged with unaffected contact(s), affected contact(s) would be skipped

  • when exported via File → Export → Export vCard…, affected contact(s) would be skipped if combined with unaffected contact(s), while no output would be produced if only affected contact(s) was/were selected.

This has the potential for data loss since, with a mixed selection, it will look like the contacts were exported. You would have to check the counts to realize the export was only partial. He was able to work around this using Automator.


Bing Search API Pricing Increase

Steve Bennett (Hacker News):

Today, Microsoft has announced that it will be raising the costs for developers utilising the Bing Search API starting from 1st May 2023, and the rise is quite substantial in a move that shows some similarities to what Twitter has recently announced.

[…]

You can find the full pricing model below. However, Microsoft has not gone out of its way to emphasise the differences between the previous and new models, which is not surprising given that some tiers have increased by 1000 percent.

This sounds like a problem for DuckDuckGo and other search engines that rely on Bing, unless they have special long-term deals.


Meta Verified and Twitter Blue

Mark Zuckerberg (Hacker News):

[This] week we’re starting to roll out Meta Verified -- a subscription service that lets you verify your account with a government ID, get a blue badge, get extra impersonation protection against accounts claiming to be you, and get direct access to customer support. This new feature is about increasing authenticity and security across our services. Meta Verified starts at $11.99 / month on web or $14.99 / month on iOS.

Juli Clover:

Meta also plans to make the same verification process available on Instagram, but separate subscriptions will be required for each platform, so an individual or business that wants to be verified on both Facebook and Instagram will need to pay separate subscription fees.

Instagram and Facebook are monetized through advertising at the current time, but changes like Apple’s App Tracking Transparency can make ads an unreliable revenue stream. Subscription payments will give Facebook a steady monthly income.

Elon Musk:

Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages

Eric Priezkalns (via Hacker News):

Having seen plenty of evidence about the revenue-generating schemes operated by dodgy telcos, and their symbiotic relationship with criminals both inside and outside of their companies, it comes as no surprise that an organization like Twitter would be targeted for an abuse of this nature. What is surprising is that the previous management were so ignorant, idle or incompetent that they did nothing about it. Twitter made a loss of USD221mn in 2021, which was significantly less than the previous year, but still large enough to question why USD60mn of fraud would be tolerated.

Twitter:

As a Twitter Blue subscriber, you can add another layer of protection to your account with access to two-factor authentication via SMS.

[…]

Twitter Blue subscribers who joined for $7.99 on iOS will be notified by Apple that their subscription will be automatically renewed for $11/month (or your local pricing) unless they choose to cancel their subscription.

Web pricing remains $8/month. These, along with YouTube Premium and Epic Direct Payment, are probably the highest profile examples of passing IAP fees on to the customer.

Dare Obasanjo:

After App Tracking Transparency (ATT), every major social app is now charging for features and Apple gets a cut on iOS.

Ricky Mondello:

SMS 2FA has documented and frequently-discussed limitations in terms of the security benefits it provides. It can also trip people up in terms of usability, like when people switch phones, or when they can’t receive texts at their phone number, like when they’re on an airplane, or sometimes when they’re traveling internationally.

Despite its limitations, I’ll argue that SMS 2FA is a huge success story in actually reducing the harm caused by weak and reused passwords.

[…]

People who don’t use password manager software — and that’s a lot of people — almost always reuse the same passwords across the services they use. For many of them, SMS 2FA provides value, despite its flaws. Making a person’s weak or reused password not sufficient to gain access to their accounts is genuinely good, even if a very motivated attacker could compromise the SMS channel or phish the one-time code.

So, offering e-mail 2FA as an alternative would perhaps not be as secure as you might think. On the other hand, it’s easier to use than authenticator apps. By not supporting e-mail, some users will end up without 2FA. But, given the choice, others would pick e-mail over an app and end up less secure.

On iOS, time-based one-time code generation is built into the operating system. No “authenticator app” is required to install.


Update (2023-02-21): Matt Sephton:

I was using SMS based 2FA only because the autofill experience is so much better, at least on iOS. The number appears over the keyboard, you tap it, done.

iOS 2FA (or other 2FA apps) don’t autofill as easily, they require more steps: worse user experience.
