Archive for April 26, 2023

Wednesday, April 26, 2023

The Four Types of Safari Extension

Jeff Johnson (Mastodon):

Apple’s Safari web browser first added support for extensions in version 5, and since then—we’re now at Safari version 16—there have been four different extension formats!

  1. Safariextz: 2010 Mac, 2019 RIP
  2. Safari content blocker: 2015 Mac and iOS
  3. Safari app extension: 2016 Mac
  4. Safari web extension: 2020 Mac, 2021 iOS


There’s a widespread misconception that Safari extensions on the Mac can only be distributed via the Mac App Store, and while this is true of Safari web extensions—one of the few Mac API that for some strange reason are limited to the App Store—it’s not true of Safari app extensions.


Due to the strict limits of their API, Safari content blockers are inferior to Chrome and Firefox extensions such as uBlock Origin at blocking ads and other annoyances. When support was introduced for Safari web extensions, people were excited about the prospect of uBlock Origin returning to Safari. There was previously a Safariextz version of uBlock Origin that of course died when Safariextz did. The hopes for a rebirth were in vain, unfortunately, for as I mentioned earlier, a number of features of the WebExtensions API are currently unsupported by Safari.


Google Authenticator Adds Syncing

Christiaan Brand (Hacker News, MacRumors):

We are excited to announce an update to Google Authenticator, across both iOS and Android, which adds the ability to safely backup your one-time codes (also known as one-time passwords or OTPs) to your Google Account.


Since one time codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.

With this update we’re rolling out a solution to this problem, making one time codes more durable by storing them safely in users’ Google Account. This change means users are better protected from lockout and that services can rely on users retaining access, increasing both convenience and security.

I’m not sure why this took so long. Maybe they were working on some way to make sure it’s extra secure, but the announcement doesn’t talk about that.

Mysk (Hacker News):

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.


Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user’s Google Account.

With no backup/syncing from Google Authenticator, I switched from Google Authenticator to 1Password as soon as it supported OTPs, and these days I use Apple’s password manager. But I don’t want to rely on it too heavily, for a variety of reasons, so for important accounts I use it only for OTPs, with the actual passwords in PasswordWallet.


Update (2023-04-27): Mysk:

If you have already enabled syncing in Google Authenticator and now changed your mind and want to use the app offline, opting out won’t delete your tokens and their metadata from Google servers.

To remove your data from the cloud and use the app offline, you need to follow these steps[…]

See also: MacRumors.

Update (2023-05-01): Christiaan Brand (via Accidental Tech Podcast):

E2EE is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery.

To make sure we’re offering users a full set of options, we’ve started rolling out optional E2E encryption in some of our products, and we have plans to offer E2EE for Google Authenticator down the line.


This shows that adding end-to-end encryption to Google Authenticator wasn’t planned at all, leaving the data of at least 100M+ users at risk.

Update (2023-08-31): Mysk:

A quick reminder that Google hasn’t updated its Authenticator app to support end-to-end encryption when syncing secrets with Google servers. It has been 4 months since they promised to support e2ee.

1Password to Add Telemetry

Pedro Canahuati (Hacker News):

1Password is beginning an internal test of our new, privacy-preserving in-app telemetry system.


We’re only interested in how people use the app itself, what features and screens they interact with – not what they store in their vaults, what sites they autofill on, or anything like that.


This data will be gathered from a randomized selection of accounts, de-identified, and processed in aggregate.


Over the years, we’ve relied on our own usage in conjunction with your feedback to inform our decision making. This presents a challenge, though: we don’t know when you run into trouble unless you tell us. […] But there are millions of people using 1Password now, often in cool and innovative ways! If we’re going to keep improving 1Password, we can no longer rely on our own usage and your direct feedback alone.

I don’t really understand how they plan to figure out these cool and innovative uses from anonymized, aggregate data. But it does have the potential to identify hot spots that they should be paying attention to. And it’s good that they’re going to offer a way to opt-out. Of course, my preference is for a password manager to make no network connections at all.


Telemetry in a “trust us, this closed-source application which contains all your secrets, which we provide you and which we update periodically, is only contacting us for “privacy protecting telemetry” and not exfiltration, intentionally or not, of your most sensitive of all data” application is a hard pass for me. This seems like an IQ test kind of question.

(So many times error reporting, etc. have accidentally leaked highly sensitive data, which was then the source of a major compromise, in other systems. Maybe 1Password won’t get it wrong, maybe 1Password will never be subject to any pressure to get it wrong…)

Casey Liss:

In and of itself, no, telemetry doesn’t bother me. And rolling it out to your own internal users first is 👍🏻

But it seems pretty clear that this isn’t a problem that needs solving: customers have been SHOUTING FROM THE ROOFTOPS explaining what is wrong.

Mostly, I have been hearing about problems with the browser extensions.


Users: We want standalone non-subscription licenses!
1Password: I really wish we knew what users wanted.

Users: Please don’t move to Electron, I don’t want Chrome bugs in my password manager.
1Password: I’m just baffled. We never hear from users.

Users: Please, for the love of God, give us control over our vaults. Don’t go cloud-only, we’re begging you!
1Password: Better turn on telemetry. It’s the only way to solve this mystery for the ages.

The fundamental issue is that they decided to focus on a larger market that has very different concerns than their original customer base. This sets up the situation where they feel like they are listening, and in many ways the product is better for its target audience; yet some us feel like we’ve been ignored for the last 7 years or so, with each successive version straying farther from what we originally liked.


Update (2023-04-27): Daniel Jalkut:

For 20 years it seemed 1Password knew exactly what customers wanted, how they used their software, and how it could be improved. They’ve been taking a PR beating the last couple years, at least in my circles. They used to be the obvious choice, and now most people I know are looking for other options (or older versions). I don’t think telemetry will fix that.

I find this troubling in ways that are comparable to Apple’s “bad years” of MacBook Pros with unreliable keyboards. It was still the main thing I’d recommend to folks, but I couldn’t do so effusively.

Update (2023-06-23): Matt Grimes (Hacker News):

After months of development and refinement, we’re now confident we can deploy this system in a way that helps us build a better 1Password without compromising on our commitment to protect your privacy.

Later this summer, you’ll see the option to participate in our telemetry system and help improve 1Password. You don’t need to take any action right now, and we won’t collect any usage data without your awareness and consent first. Participation will be optional for Individual and Family plan customers. And at this time, our telemetry system won’t be rolled out to any team or business using 1Password.

Netflix Ads, Password Sharing, and DVDs

Tim Hardwick:

Netflix said that it would be increasing the video quality of its Basic With Ads tier to 1080p at no extra cost to subscribers. Additionally, it said it would increase the number of simultaneous streams from one to two.


Netflix revealed in its earnings report that its Basic with Ads plan already brings in more revenue than its Standard plan, which costs $15.49 per month and offers HD quality streaming.

Juli Clover:

Netflix is planning a “broad rollout” of the password sharing crackdown that it began implementing in 2022, the company said today in its Q1 2023 earnings report [PDF].


When Netflix brings its paid sharing rules to the United States, multi-household account use will no longer be permitted. Netflix subscribers who share an account with those who do not live with them will need to pay for an additional member. In Canada, Netflix charges $7.99 CAD for an extra member, which is around $6.


Netflix users will need to establish a primary location, and subscribers who are not at this location will not be able to use the service through that account. There are allowances for travel or second homes, with Netflix requiring users to open the Netflix app at the primary location once per month.

David Pierce (Hacker News):

Even in 1998, when the company mailed its first DVD — the 1988 cult classic Beetlejuice, in case you’re wondering — it was already imagining a world without discs. The company was called Netflix, after all, not DVDsByMail.


Now, Netflix is officially getting out of the DVD business. The company announced along with its quarterly earnings that it is planning to shutter, which is the new name for its DVD by mail business. (You might remember when Netflix tried to spin out this business under the name Qwikster, which remains one of the worst product names of all time and lasted all of about a week. But the less we talk about Qwikster, the better.) It will ship its last discs on September 29th, and I have a sneaking suspicion you won’t need to return them.

Kate Hagen:

At this moment, Netflix is streaming about 3800 films - less than half of what the average Blockbuster used to carry.

As for films made before 1990? Only 79 titles are currently streaming. If we go to 1980 or earlier, that drops to 36 (!)


Update (2023-04-27): Clara Hernanz Lizarraga and Thomas Seal (via Hacker News):

Netflix Inc. lost more than one million users in Spain in the first three months of 2023 according to market research group Kantar, a sign that the streaming giant’s crackdown on password-sharing could face pushback.

Update (2023-05-24): Zac Hall (Hacker News):

The company’s crackdown on password sharing has been ramping up across the globe for a while now, and starting today, Netflix is bringing it to the United States.

In a post on its Innovation blog, Netflix announced that it will now begin notifying subscribers who are sharing accounts between households of the need to pay up.

Paul Haddad:

Wait a second, I'm on the highest Netflix plan which I thought was a family plan? Now they want me to pay extra just because I have kids off at college? Makes me want to either just downgrade or cancel all together.

Update (2023-06-13): Juli Clover:

Just after putting an end to multi-household password sharing in the United States, average daily signups to Netflix reached 73k per day, a 102 percent increase from the prior 60-day average. Netflix saw close to 100,000 daily signups on both May 26 and May 27, beating out signups even during COVID lockdown periods.

Update (2023-06-26): Chris Adamson:

We worried that streaming was going to reinvent the cable TV subscription, by costing just as much to subscribe to all the different services. We never imagined it was going to reinvent broadcast TV from the 70s, when shows get canceled and taken down, never to be seen again.

Or, for older shows, only seen on DVD.

Update (2023-06-27): David Friend:

Netflix Canada is done with being basic.

The streaming giant says it’s phasing out the $9.99 “basic” option from its price plans, taking away the cheapest subscription without ads.

Update (2023-07-26): Juli Clover (Hacker News):

Netflix today quietly eliminated its most affordable ad-free plan in the United States and the United Kingdom, raising the price of ad-free streaming options.

In the U.S., the Basic plan was priced at $9.99 per month, and with its removal, ad-free streaming now starts at $15.49 per month. Netflix subscribers can opt for the $6.99 per month “Standard with ads” plan, but that price point includes advertisements.

Juli Clover:

Netflix earlier this year began cracking down on password sharing in the United States and other countries, and the effort has been successful, the company said today. Netflix gained 5.9 million new global subscribers in the second quarter of 2023[…]

Jose Fernandez, Ed Barker, Hank Jacobs:

Basic with ads was launched worldwide on November 3rd. In this blog post, we’ll discuss the methods we used to ensure a successful launch[…]

Update (2023-08-24): Nikki Main (via John Gordon):

Netflix’s DVD subscription platform will allow subscribers to keep their final delivery of DVDs as the company prepares to close its 25-year-old service, the company announced on Monday.

Update (2023-12-08): Janko Roettgers:

But as old-school as Netflix’s DVD business might sound, the service has been anything but low-tech. In order to send out more than 5 billion discs to millions of subscribers over the years, the company deployed cutting-edge automation, embraced machine learning before it was cool, and laid the technical and financial foundation for what would ultimately become the massive, worldwide streaming business Netflix is known for today.


At first, Netflix introduced machines to stuff its iconic red envelopes, to the tune of 4,500 discs per hour, and sort them by zip code for shipping. Then, it also automated the processing of returned DVDs. Netflix commissioned Bronway, an Ireland-based company that had been building machines to pack and ship CDs and DVDs for clients like Microsoft and Nintendo, to make a machine for its incoming mail.

Juli Clover:

Netflix has been “completely satisfied” with the pace of the password sharing crackdown it initiated in the United States earlier this year, Netflix co-CEO Ted Sarandos said today at the UBS Global Media and Communications Conference (via Variety).


According to Netflix, an estimated 222 million paying households were sharing with an additional 100 million households that were not being monetized.

Following the password sharing crackdown, Netflix said that it saw strong subscriber growth in countries where password sharing was restricted. Netflix in Q2 2023 added six million subscribers, including more than a million in the U.S. and Canada. Revenue increased in every region where paid sharing was rolled out, and signups ultimately exceeded cancelations.

Update (2024-04-24): Dare Obasanjo:

Netflix’s password sharing crackdown and addition of cheaper advertising based tiers continues to bear fruit. Subscribers rose 16% to 269.6M blowing away expectations by 5M.

Update (2024-05-01): Craig Grannell:

I was waiting for this one. Netflix kills the legacy Basic plan and gives you to pick between a shitty ‘with ads’ plan (crowing that you’ll save 35%) or nudging you towards the more expensive Standard.

Cheating Is All You Need

Steve Yegge (via Hacker News, Mastodon):

LLMs aren’t just the biggest change since social, mobile, or cloud–they’re the biggest thing since the World Wide Web. And on the coding front, they’re the biggest thing since IDEs and Stack Overflow, and may well eclipse them both.


In one shot, ChatGPT has produced completely working code from a sloppy English description! With voice input wired up, I could have written this program by asking my computer to do it.


All you crazy MFs are completely overlooking the fact that software engineering exists as a discipline because you cannot EVER under any circumstances TRUST CODE. That’s why we have reviewers. And linters. And debuggers. And unit tests. And integration tests. And staging environments. And runbooks. And all of goddamned Operational Excellence. And security checkers, and compliance scanners, and on, and on and on!

So the next one of you to complain that “you can’t trust LLM code” gets a little badge that says “Welcome to engineering motherfucker”. You’ve finally learned the secret of the trade: Don’t. Trust. Anything!

Francisco Tolmasky:

Conversations with ChatGPT probably reveal a lot about how you yourself program. I’ve asked ChatGPT very few actual coding questions like what I see online (“what function does this” or “write this for me”), but I spend a lot of time asking ChatGPT to help me design or name things. If I think back, a lot of my “coding time” is in fact spent just thinking about how to lay things out vs. generating tons and tons of view code or whatever.

One way of looking at this is like ChatGPT being the “ultimate rubber duck” for “rubber duck debugging”. Just someone that will listen to your programming thoughts and bounce ideas off of.


With GPT so hot in the news right now, and seeing lots of impressive demos, I’m curious to know, how are you actively using GPT to be productive in your daily workflow? And what tools are you using in tandem with GPT to make it more effective? Have you written your own tools, or do you use it in tandem with third party tools?

I’d be particularly interested to hear how you use GPT to write or correct code beyond Copilot or asking ChatGPT about code in chat format.

But I’m also interested in hearing about useful prompts that you use to increase your productivity.

Horace He (via Hacker News):

I suspect GPT-4’s performance is influenced by data contamination, at least on Codeforces.

Of the easiest problems on Codeforces, it solved 10/10 pre-2021 problems and 0/10 recent problems.

This strongly points to contamination.

Sternsafari (via Dan Luu, Hacker News):

My Job is different now since Midjourney v5 came out last week. I am not an artist anymore, nor a 3D artist. Rn all I do is prompting, photoshopping and implementing good looking pictures. The reason I went to be a 3D artist in the first place is gone. I wanted to create form In 3D space, sculpt, create. With my own creativity. With my own hands.

It came over night for me. I had no choice. And my boss also had no choice. I am now able to create, rig and animate a character thats spit out from MJ in 2-3 days. Before, it took us several weeks in 3D. The difference is: I care, he does not. For my boss its just a huge time/money saver.

Ben Thompson:

Hawkins theory is not, to the best of my knowledge, accepted fact, in large part because it’s not even clear how it would be proven experimentally. It is notable, though, that the go-to dismissal of ChatGPT’s intelligence is, at least in broad strokes, exactly what Hawkins says intelligence actually is: the ability to make predictions.

Dan Grover:

Since the implosion of web3, the raising of interest rates, and layoffs in FANGs, the tech world has been searching for a new bright spot and has, for now, seized on generative AI.


So I – and most people I know now – use it just about every day. I have a fraught relationship with it. I send my boss a spec I labored over researching for hours, and he gets back to immediately with “oh, I found one issue — ChatGPT says we should also support X.”


The iPhone comparison is probably the most apt one — the iPhone, like ChatGPT, was just a skillful combination of existing, well-understood technologies in a nice package. But it feels like magic.


But the most underlooked impact of the current generative AI explosion — more than what is actually directly possible with these models — is giving so many people a fun and motivating entry point into the field. Regardless of anything OpenAI may do, it seems a certainty that there will be more and more “script kiddies” at every level learning how to customize AI for their own problems, either by tweaking someone else’s models, fine-tuning, or making their own.


Update (2023-04-27): Ldorigo:

Just paste in a chunk of systemd (or whatever) logs and start asking questions. Often just pasting in the logs and pressing enter results in it identifying potential problems and suggesting solutions. It helped me troubleshoot a huge amount of issues on linux desktops and servers that would have taken me a lot longer with google - even if it doesn’t always give the right solution, 99% of the time it at least points to the source of the error and gives me searchable keywords.

Matt Birchler:

The fact that things (code or otherwise) generated by these models is imperfect means we need to be careful with how we use them, but it does not mean they are useless. As always, I like to look at these things as practically as I can, and the video below shows me adding a feature to Quick Reviews in real time, and I think is a good example of how these tools can help, without replacing the need to understand what you're doing.

Update (2023-06-15): Erik Dörnenburg:

But how would Copilot fare with a less common language and code that’s involving more complicated data structures? To find out I turned to Crellinor, my genetic programming / artificial life simulator written in Rust[…]