Archive for August 2023

Thursday, August 31, 2023

Anticipating the Coming USB-C iPhone Backlash

Tim Hardwick:

Apple may offer a USB-C data transfer accessory cable for iPhone 15 Pro models that is capable of Thunderbolt or USB4 speeds of up to 40Gbps. That is the latest claim made by Kosutami, who posted details of the cable on Twitter (now X).


Speculation therefore remains rife about the USB-C port capabilities of the iPhone 15 lineup, and nothing is certain beyond the switch from Lightning. Rumors suggest the cables supplied in iPhone 15 boxes are limited to USB 2.0 data transfer speeds at a rate of 480 MBps, which is the same as Lightning.


Each iPhone 15 will include a braided USB-C charging cable in the box that is thicker (i.e. more durable) and 50% longer than the Lightning cable that comes with current iPhone models, according to reports. The cables are also rumored to be color-matched to possible new iPhone colors, coming in at least black, white, yellow, blue, and orange.

John Gruber (Mastodon):

Lest you think it nickel-and-dime-y for Apple to sell a Thunderbolt 4 cable separately, note that Thunderbolt 4 cables are expensive. Apple currently sells two: the 1.8m one costs $129, and the 3m one costs $159.


The reason to even offer such a cable, and to offer Thunderbolt 4 performance on the phones, is for data transfer, specifically video. The single biggest frustration regarding iPhones sticking with Lightning until this year is that 4K video files are very large, but USB 2.0 data transfer is very slow.


The larger number of nerds, and even semi-nerds, who travel with multiple computing devices and just want USB-C charging connectors on all of them will be happy. But the vast silent majority of normal iPhone users? I think there’s going to be a backlash that most USB-C proponents don’t see coming, premised on accusations that this switch is a money grab from Apple to get people to replace all their Lightning cables with new $30 USB-C cables from the Apple Store.

He says the transition will be made easier since, by now, many people have been using MagSafe. However, Apple could have switched to USB-C long before MagSafe was introduced, avoiding the accumulation of many USB cables, adapters, and AirPods cases.

Jason Snell:

In the end, I actually think the switch from Lightning to USB-C will be less dramatic than the switch from the 30-pin Dock Connector to Lightning. This is primarily because USB-C has had several years to slowly creep into people’s lives in a way the Apple-invented Lightning connector did not. It will be a jarring change, but USB-C is at least familiar and you might have a cable or two around somewhere that will work.


I do wonder about the final fate of Lightning. While older iPhone models and that first-generation Apple Pencil will probably still be sold with the connector for years to come, I suspect we’ve already seen the final new product to include a Lightning port. Rumors suggest that M3 iMacs will be arriving this fall, and while Apple very rarely updates the Magic Mouse, Magic Trackpad, and Magic Keyboard, this would seem to be a good time to revise them to support USB-C.

Steven Aquino:

Data speeds are all well and good, but from a functional point of view, neither Lightning nor USB-C are paragons of greatness if you have less than optimal hand-eye coordination, as I do. True innovation is not one cable to rule them all, but maybe adding MagSafe so actually using the port could be more accessible in a disability context. […] What I’m saying is, it’d be swell if Apple could somehow fuse MagSafe tech with USB-C to make the cables easier to use.


Update (2023-09-04): Malcolm Owen:

In Mark Gurman’s “Power On” newsletter for Bloomberg on Sunday, it is offered that Apple’s announcement of USB-C in the iPhone 15 will be proclaimed as good for consumers.


Apple will do this because the company will always talk about changes from a position of strength, Gurman says.

While Apple will cover the benefits of the change, it will almost certainly avoid discussing European rules about a common charger, which is one of the main real reasons for the update.

Jeff Johnson:

Apple had always been at war with Lightning.

Update (2023-09-06): Tim Hardwick:

Google has expanded on its #BestPhonesForever ad campaign with a new video titled “Spa Day” in which it pokes fun at the upcoming iPhone 15’s implied lack of headline features and its expected adoption of USB-C in lieu of a Lightning port.


“Now it seems like every time I turn around, phones like you are doing stuff I can’t, like unblurring old photos, answering unknown calls with AI, and live translating messages… it’s exhausting. But I’ve still got a few tricks up my sleeve.”

“Like what?” says the Pixel.

“That’s under wraps. But let’s just say you’ll be USB-C-ing soon!”

“You’re finally getting USB-C charging?”

Update (2023-09-08): Dan Moren:

But let us not simply mourn what is being taken from us: let us instead remember and celebrate what Lightning did with its life, the joy and happiness it brought to an entire ecosystem. Its presence will not soon be forgotten.


And so we come to both praise Lightning and bury it. But for those who retain some fondness for the connector, never fear: its demise will not be sudden and swift, but long and drawn out. I fully expect to be finding Lightning cables in my drawers for the next decade.


In lieu of flowers, please send dongles.

Steven Aquino (Mastodon):

In terms of hand-eye coordination, USB-C does absolutely nothing to better the situation. Going all-in on USB-C may be convenient, but convenience and accessibility aren’t the same thing.


It’s also worth mentioning the new Pro models are said to have color-matched, braided cables. If a magnetic USB-C connection is undoable, there is some consolation in the existence of these updated cables. The color-matching should be a win for cognition, while the added friction from the braided material should make inserting and removing the plug at least a little easier.

Update (2023-09-11): Matt Birchler has a timeline of Apple’s adoption of USB-C.

Update (2023-09-18): Ben Lovejoy (via Hacker News):

Prior to Apple’s launch event, there had been numerous suggestions that the iPhone 15 USB-C port might be restricted in some way, with only Apple-certified cables and accessories able to take advantage of full data transfer rates and charging power.


However, Ars Technica says that this is not the case, and that the USB-C port in iPhone 15 models is 100% standard, with no Apple certification requirements for cables or accessories.

Microsoft Discontinuing Visual Studio for Mac

Anthony Cangialosi:

Today we are announcing the retirement of the Visual Studio for Mac IDE. Visual Studio for Mac 17.6 will continue to be supported for another 12 months, until August 31st, 2024, with servicing updates for security issues and updated platforms from Apple.


With today’s announcement, we’re redirecting our resources and focus to enhance Visual Studio and VS Code, optimizing them for cross-platform development.

It was probably not a good sign that the two very different products had such similar names. Mac users often didn’t realize they were two separate products. Visual Studio for Mac was also quite different from Visual Studio for Windows, despite having the same name.

Via Zac Hall:

Visual Studio 2022 introduced a major overhaul for the Mac version including a native user interface and Apple Silicon optimization while going full 64-bit for the first time. Microsoft first brought VS to the Mac in 2016.


To be a fly on the wall of the room where the “sure, we just put a ton of person-hours into migrating UI code from Xwt to AppKit, but MAUI doesn’t support AppKit, so we don’t have a cohesive strategy there; let’s just can the thing” call was made.

Were there huge underestimated technical hurdles? Did MS downsize their non-Azure .NET efforts?

Colin Cornaby:

I spent some time using Visual Studio for Mac and thought it was the victim of poor branding. It was originally the Xamarin IDE - and did a pretty good job at C# or Xamarin related tasks. But it didn’t include Visual C++ which misled a lot of teams that thought it was feature for feature comparable to the Windows version. Even talked to teams that thought it could build native Windows apps on Mac.

It is a little weird because Microsoft was really pushing their cross platform MAUI framework - which was the successor to Xamarin. Pushing cross platform development without a cross platform IDE is a little weird. Yes - they’re shipping MAUI plugins for Visual Studio Code. But I’m not sure that’s really comparable to having an IDE like Visual Studio Not-Code.


Vexl Rejected From the App Store

vexl (via Hacker News):

Our flagship project — the Vexl app — does exactly this: it connects users with other peers in their social circle so they can exchange cash for bitcoin with them in a privacy preserving way.


Vexl was successfully operated for almost 9 months, gaining traction of thousands of users. Until May this year.


After the obligatory primary rejections due to minor UX tweaks, we found ourselves in the middle of a surreal discussion where we would be endlessly explaining[…] After weeks of silence, we received a resolution stating that Vexl is not a financial institution, it just facilitates, enables, and encourages an activity that is […] legal in all of the locations where the app is available.


Last week we received clarification of our rejection, stating that the app encourages reckless activity. Specifically, the exchange of currencies in person. […] Are Tinder, Hinge, Bumble, Badoo, Grindr, and all other dating apps that encourage people to meet in person also reckless? What about Craigslist and its European counterpart, Vinted, which, on top of meeting in person also include the cash exchange? What about Facebook Marketplace encouraging the same?


Wednesday, August 30, 2023

Analysis of Obfuscation Techniques Found in FairPlay

nicolodev (via Hacker News):

FairPlay comprises a set of algorithms created by Apple for digital rights management (also called DRM, digital rights management). FairPlay is currently used to manage the decryption of iOS applications during their installation on Apple devices. In fact, we know that Apple distributes all applications in the Apple Store through the IPA file format. The IPA file format contains encrypted information that will then be used by the operating system to install an application. All of the encrypted information is handled through FairPlay, which takes care of keeping the decryption key and the whole process secure to avoid the possibility of decrypting the contents of .ipa files to share the contents of an app (perhaps paid for) in the wrong hands.


If during processing, such as during decryption, a cryptographic algorithm performs a simple addition, it is possible to make the arithmetic expression more complex. […] I have already written in a previous post how to be able to create these expressions by applying transformation rules. The process Apple used is the same: take a constant from the code, rewrite the constant using arithmetic operators, and then apply the transformations. Do we already have an expression? We continue to apply the rules of transformations. Note that only some transformations can be applied since they do not change the semantics of the original expression. At the end of the process, the expression is translated back into machine language so that it can be reinserted within the binary.


Opaque predicates are another very “cheap” technique for introducing obfuscation within instructions. This technique consists of introducing some always true or always false conditions that cause the decompiler to explore blocks of instructions with zero utility. The always true or always false conditions include a direct or indirect jump to basic blocks that will never be executed: they do not present additional functionality, they only add complexity to the functions being analyzed.


Very subtly the stack is moved up (or down, depending on how you want to build the stack).


We can then see how the basic blocks have all been brought to the same de facto level by horizontally extending the graph of basic blocks. The case of control flow flattening taken to the extreme drives the analyst crazy[…]


If you are wondering how Apple obfuscates its software, the answer is simple: they built some extensions for LLVM that apply code transformations directly to LLVM IR.


I’m gonna go out on a limb and suggest that this obfuscation scheme is legacy, and they keep it merely as defense in depth and because it’s tested so why not.

Modern Macs can do remote attestations from a trusted boot chain all the way up to specific apps, which obviates the need for this sort of obfuscation. The memory spaces will be protected by the operating system as long as SIP is enabled, and if it’s not enabled or has been disabled / the root partition has been modified, then that will be detectable by Apple remotely. Although code obfuscation is fun (I’ve built a virtualization based obfuscation in the past), a properly implemented remote attestation and security architecture does obsolete it. It’s therefore mostly useful on Windows/Linux PCs where these schemes don’t really hang together.
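The three transformations quoted above (arithmetic rewriting, opaque predicates, control flow flattening), shown on a toy byte-sum routine as an added illustration; this is not code from nicolodev's post or from FairPlay. The function names, the identities chosen and the sample bytes are assumptions made for this example, and the last two functions are the kind of equivalence check an analyst runs to confirm that a candidate simplification preserves semantics.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample input for this example. */
static const uint8_t SAMPLE[] = {0x46, 0x50, 0x00, 0xFF};

/* The "simple addition" before any transformation. */
static uint32_t add_plain(uint32_t x, uint32_t y) { return x + y; }

/* Mixed boolean-arithmetic rewrite of x + y, built from two rules:
 *   x + y == (x ^ y) + 2*(x & y)
 *   x ^ y == (x | y) - (x & y)
 * Unsigned arithmetic wraps modulo 2^32, so both hold for all inputs. */
static uint32_t add_mba(uint32_t x, uint32_t y) {
    return ((x | y) - (x & y)) + ((x & y) << 1);
}

/* Opaque predicate: x*(x+1) is a product of consecutive integers, so it
 * is always even and this function always returns 1. */
static int opaque_true(uint32_t x) { return ((x * (x + 1u)) & 1u) == 0u; }

/* Readable original: sum the bytes of a buffer. */
static uint32_t sum_plain(const uint8_t *p, size_t n) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) acc = add_plain(acc, p[i]);
    return acc;
}

/* The same routine after flattening: every basic block becomes a case of
 * one dispatcher switch, and a state variable replaces the loop edges. */
static uint32_t sum_flat(const uint8_t *p, size_t n) {
    uint32_t acc = 0, state = 0;
    size_t i = 0;
    for (;;) {
        switch (state) {
        case 0: /* loop condition */
            state = (i < n) ? 1u : 3u;
            break;
        case 1: /* loop body, guarded by the opaque predicate */
            if (opaque_true((uint32_t)i))
                acc = add_mba(acc, p[i]);
            else
                acc ^= 0xDEADBEEFu; /* dead block: never executed */
            state = 2;
            break;
        case 2: /* loop increment */
            i++;
            state = 0;
            break;
        case 3: /* exit block */
            return acc;
        default:
            return 0;
        }
    }
}

/* Analyst-side check: count inputs where the MBA form disagrees with the
 * plain addition (all 8-bit pairs plus 32-bit edge values). */
static unsigned mba_mismatches(void) {
    static const uint32_t edge[] = {0u, 1u, 0x7FFFFFFFu, 0x80000000u,
                                    0xFFFFFFFFu};
    unsigned bad = 0;
    for (uint32_t x = 0; x < 256; x++)
        for (uint32_t y = 0; y < 256; y++)
            bad += add_mba(x, y) != add_plain(x, y);
    for (size_t a = 0; a < 5; a++)
        for (size_t b = 0; b < 5; b++)
            bad += add_mba(edge[a], edge[b]) != add_plain(edge[a], edge[b]);
    return bad;
}

/* Analyst-side check: count inputs where the predicate is ever false. */
static unsigned opaque_failures(void) {
    unsigned bad = 0;
    for (uint32_t x = 0; x < 65536; x++) bad += !opaque_true(x);
    bad += !opaque_true(0x7FFFFFFFu);
    bad += !opaque_true(0xFFFFFFFFu);
    return bad;
}

int main(void) {
    printf("plain sum      = %u\n", (unsigned)sum_plain(SAMPLE, sizeof SAMPLE));
    printf("flattened sum  = %u\n", (unsigned)sum_flat(SAMPLE, sizeof SAMPLE));
    printf("MBA mismatches = %u\n", mba_mismatches());
    printf("opaque failures= %u\n", opaque_failures());
    return 0;
}
```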


Premature Optimization: Universally Misunderstood

Milen Dzhumerov (Mastodon):

It has been commonly interpreted as “don’t think about performance in the beginning, you can fix any performance problem later”. This interpretation is completely and categorically wrong.


With the additional context, the quote takes on a significantly different meaning: it’s making a statement only about micro-optimisations ("small efficiencies"), not about performance in general.

Hoare was simply advising against micro-optimisations without finding the hotspots first: the “premature” part refers to lacking measurements.


As tech stack fundamentals, access patterns, data dependencies and data structures are baked into a design, it’s not possible to hotspot your way out of a slow architecture.


No App, No Entry

Andrew Anthony (via Hacker News):

Leaving aside the “sorry, not sorry” expression of regret, the presumption is that the elderly remain vigilant to every missive from the online world, when in fact many find it a jungle of scams, junk mail, endless passwords and security risks into which they venture as little as possible.


Citing the Jaffes, the historian and TV presenter Amanda Vickery noted in a series of outraged tweets last week that “most car parks now don’t take cash, ticket offices are disappearing. If you are not tech-savvy you are toast. It is so exclusionary.”

The real cause of Vickery’s ire, however, was a breast cancer clinic she attended that, in her words, turned away “some old ladies … because they did not have an SMS message from an app.”


There are also estimated to be 1.3 million adults in this country who are “unbanked” – ie do not have a bank account. For them, something as mundane as parking a car is increasingly fraught – a quarter of London councils have removed pay and display parking machines in favour of smartphone-centred apps.

Even if you do have a smartphone, it’s not great to have it be a single point of failure. It could be lost, stolen, away from cell service, or have a low battery. Most electronic tickets and admission passes don’t seem to work with the Wallet app, and who knows whether an e-mail, app, or Web link will fail when you need it, even if it was cached. A common pattern is to take a screenshot of the barcode or QR code, but that requires more tech-savvy.


What frustrates me is how fragile this can quickly become.

I recently was traveling with my 7 year old daughter on public transit, and her card was denied… something was wrong with the ‘kids free travel’ product loaded on her card. Since her card is actually issued by a train company, I had to login to their website. Since I hadn’t logged into their site (as her) in a while, I had to verify my account with a password reset link. The site then sends a create password link to HER email (they would not let me use my email since I was already a user), which I had also not used in a while, so I needed to answer some security questions. The email was severely delayed so cue lots of refreshing.


Thankfully it was a long bus ride but the driver was clear I would need to pay if I couldn’t arrange it. This is all totally insane as kids ride free and you don’t need an RFID card to see that a 7 year old is under 14. And the worst part is that since it’s a bus pass loaded on a train card linked to an email address you need to access on your mobile phone… there is just no accountability.

A similar event happened when my bank just decided I couldn’t login since I accidentally used a VPN once, with no error message. Congrats, you won the lottery, you get to play the 3 hour call support game.

Update (2023-08-31): John Gordon:

I last wrote about “mass disability” and the Left Behind in a 2021 post. The concept has sometimes seemed on the edge of going mainstream but it’s never quite made it. Maybe we’re getting closer; a recent Michael Tsai post (No App, No entry) reminded me of my Mastodon thread from a few weeks ago[…]

Update (2023-09-04): Naveen Arunachalam (via Hacker News):

One day, I was so insistent on doing my laundry without a smartphone that I even considered doing my laundry off-campus so that I could avoid having to deal with Washlava. So imagine my surprise when I learned that Washlava indeed does provide an option for users without a phone. You can actually check out an iPod Touch, generously provided by Washlava and SidPac, to open the Washlava app and perform your laundry.


As it turns out, I was the first person in SidPac history to request the procurement of this device. When Andrea finally found the abandoned relic, she dreadfully noted that the Laundry Pod was out of battery.


When the Laundry Pod finally gained consciousness, little did I expect to encounter yet another challenge: a password screen. After a couple failed attempts to guess the password, I admitted defeat and dejectedly retreated to the front desk to request the password.


My next hurdle was logging into Washlava. When I first made my Washlava account, I had used my personal gmail and a temporary password that I intended to change later. My Android had always logged me in automatically after that, so I never got around to changing my password and never had to log in after the first time. Thus, lacking practice in the art of presenting my credentials to Washlava, I found that I was unable to log in.


As I made one last-ditch attempt to guess my password, I decided it was time to press the sacred button of last resort. Unfortunately, this turned out to be futile: on the iPod Touch, the keyboard cannot be retracted to uncover the “Forgot Password” text, meaning that it is effectively impossible to click it.


One significant problem with making your hardware dependent on an app is that if you are a washing machine company, you probably don’t make mobile apps. So, you hire a contractor. They design an app without any expertise in the product or the domain, and program it on the cheap. It is trash. Later, the contractor goes out of business and you give the code to another contractor. They notice that the code is garbage, and not even garbage that somebody there made. Feature work is impossible, the app languishes. 1.5 stars in the app store. Every time there’s an iOS update, people can’t do their laundry for a couple weeks, until the one programmer working half time on the app can push an update. Later, you (the washing machine company) decide to sunset that product line, which means there’s no updates to the app. iOS changes, the app stops working altogether, everybody has to buy a new washing machine.

I’ve been that contractor, which is why I will never be the owner of an appliance that requires an app to function.

Tuesday, August 29, 2023

Web Scraping for Me, But Not for Thee

Kieran McCarthy (via Dare Obasanjo):

Some of the biggest companies on earth—including Meta and Microsoft—take aggressive, litigious approaches to prohibiting web scraping on their own properties, while taking liberal approaches to scraping data on other companies’ properties. When we talk about web scraping, what we’re really talking about is data access. All the world’s knowledge is available for the taking on the Internet, and web scraping is how companies acquire it at scale. But the question of who can access and use that data, and for what purposes, is a tricky legal question, which gets trickier the deeper you dig.


But make no mistake, these companies view this data, generated by their users on their platforms, as their property. This is true even though the law does not recognize that they have a property interest in it, and even though they expressly disclaim any property rights in that data in their terms of use.

Since the law does not give them a cognizable property interest in this data, they must resort to other legal theories to prevent others from taking it and using it.


Mac Won’t Accept Correct Login Password

I was recently surprised to find that my Mac kept rejecting my password at boot. I’ve been using the same password for years and was sure it was correct. I typed it slowly while looking at the keys. I made sure that the Caps Lock key was not down. I also tried the MacBook Pro’s built-in keyboard, in case I’d worn through another USB Apple aluminum keyboard. macOS kept not recognizing the password and locking me out of retrying for increasing amounts of time.

I rebooted into macOS Recovery, which did accept my password and let me unlock the drive in Disk Utility. My data was safe.

I did some searching online. Most pages are about resetting your password if you’ve forgotten it. Some other users seemed to be in the same situation as me but didn’t have a solution. There were suggestions to reset the NVRAM (didn’t help) and to reset the SMC (seems to happen automatically on Apple Silicon, anyway).

Eventually I figured it out: I had been typing the correct keys, but they had been producing the wrong characters because the Dvorak keyboard layout was selected. Earlier in the day, I had been writing some code for SpamSieve so that its hotkeys would work with different keyboard layouts, even though the virtual keycodes in Events.h such as kVK_ANSI_S refer to the ANSI-standard US keyboard. To test this, I had been switching among different keyboards. Even though I had long since switched back to the QWERTY layout, the login screen had remembered a previous setting. In fact, even after I selected the proper keyboard from the menu on the login screen, it still switched back to Dvorak on the next reboot. I had to delete Dvorak in System Settings to prevent this from happening.

Update (2023-08-30): Howard Oakley:

During normal startup, before you have logged in as a user, your Mac doesn’t use the custom keyboard set for a specific user, and in older versions of macOS should use that stored in /Library/Preferences/, which may be quite different from any set in a user’s ~/Library/Preferences/ file. This doesn’t appear to be true for Ventura, where the pre-login settings are now hidden.

In some cases, this can prevent passwords from being entered correctly, and can readily confuse. When there’s only a single admin user, macOS should keep settings in sync, but when there are multiple users with different keyboard settings, they can become confused.


Like all preference files, they are now maintained by a service which means that editing them directly is unlikely to do a great deal: the service will happily overwrite the files with what it thinks they should be.

That is apparently what happened to me. The service saved the wrong keyboard, i.e. not what I had selected in System Settings, even though there was only one admin user. And then it failed several times to update the login setting.

Jevgeni Mullo:

Hey, it wasn’t just for me! The difficulty that I had was macOS showing correct layout being selected, yet actually using a different one. And then, quietly not switching the layout when I actively selected desired one in the language drop-down. I was going nuts.

Carlos August:

I use both an English and Spanish layout in my MBP. Although English is the default (and the language I need to be in to type my password due to muscle memory), my MBP has been choosing the Spanish layout on first boot for years.

I have been trying to fix since day 1, no luck.

Update (2023-09-05): Howard Oakley:

This stores key settings which the M1 Mac can’t obtain from internal disk storage during the early part of the boot process. An example is the location of the boot volume to be used. In Intel Macs, these are stored in discrete memory which can be reset to factory defaults. M1 Macs are different again, in that there’s no single manoeuvre which resets the contents of NVRAM.


NVRAM contents are listed in System Information under Software > Logs > NVRAM contents, and can be edited using the nvram command in Terminal. Many of the variables contained in the NVRAM of an M1 Mac aren’t intended to mean anything to the user, nor should they be changed or removed. Among those of interest and potential use are the following:


prev-lang:kbd – the initial keyboard language, such as en-GB:2 for British external (supplied as a string).

Update (2024-02-28): Howard Oakley:

If you can’t seem to enter the right password, be very careful: don’t just keep trying in the hope that you’ll get it right, as you could end up locking up your Mac altogether.


If that doesn’t do the trick, open the keyboard menu item at the top right, and check that you’re using the correct keyboard layout for the language you’re using. Although it’s not common, sometimes this menu changes its mind, and there’s nothing worse than trying to enter a password based on an English QWERTYUIOP keyboard layout when your Mac is expecting it from a French AZERTY layout.


This may give you the option of resetting your password using your Apple ID, in which case click the arrow next to that and provide your Apple ID and its password, then follow the instructions. The alternative is to use your Recovery Key if you’ve already obtained one, which is again selected by clicking on the arrow, after which you enter the key and follow the instructions.


Chime Text Editor Now Open Source


The code in this repo should be considered Non-Functional right now. You can download the currently released version.

Chime used to be commercial, but is now free. It built up some pretty significant cruft over time. In particular, the core UI application architecture is just in a bad state. It is also quite complex to build. So, I've opted to re-implement that core and pull in parts as appropriate. I'll be putting an emphasis on extracting components into packages as I go. A fitting rebirth, I would say.

There are also some interesting libraries, such as Rearrange:

Rearrange is a collection of utilities for making it easier to work with NSRange and NSTextRange. It’s particularly handy when used with the Cocoa text system.


[RangeMutation] is a struct that encapsulates a single change to an NSRange. It’s useful for serializing, queuing, or otherwise storing changes and applying them.

You can also use this class to transform individual points or other NSRanges. This is handy for updating a set of stored NSRanges as text is changed. This might seem easy, but there are a large number of edge cases that RangeMutation handles, including mutations that invalidate (for example completely delete) a range.

See also: CotEditor.


Monday, August 28, 2023

Giving Up the iPad-Only Travel Dream

Jason Snell (Hacker News):

For many years, I tried very hard to travel with only an iPad. (Why bring two devices? And I’m not leaving my iPad at home.) Since the arrival of Apple silicon, however, I’ve gone back to traveling with both an iPad and a MacBook Air.


I’ve noticed that a lot of my colleagues who were previously working hard to integrate the iPad into their professional work have backed off, retreating to the more flexible and powerful Mac side of the house.


My productivity needs are clearly unlike those of most people, but the truth is that everyone’s got different productivity needs. The problem with the iPad continues to be that as it builds functionality, it has failed to build in flexibility—or at least the flexibility offered by a platform like macOS. If the iPad doesn’t support it, you’ve hit a brick wall. Your choices are to find a workaround or give up.


This is where the iPad is today. It’s good enough for what it does. If it doesn’t do it, it doesn’t do it. This is the fundamental difference between the Mac (a platform that basically lets developers and users do anything they want) and the iPad (where if Apple doesn’t specifically allow it, it can’t be done).

After years of finding that I rarely used my iPad while traveling, I now pack only my MacBook Pro and Kindle, unless I’ll be on a plane, in which case I sometimes want the iPad for watching videos. I usually don’t do much, if any, development while traveling, so it’s not that I couldn’t use the iPad, but I find the Mac so much more efficient for e-mail and general Web stuff.

John Gruber (Mastodon):

I’ve written at length, multiple times, about my decidedly mixed feelings regarding the iPad — most stridently in January 2020, in a piece titled “The iPad Awkwardly Turns 10”. Stage Manager is the biggest change to the iPad interface since I wrote that, and its existence certainly helps on that “power user” front. (And Stage Manager sees some nice improvements in this year’s iPadOS 17.) But for me personally, I continue to find that I’m most productive when I spend my working time in front of my Mac. Gobs of people thrive using their iPads for writing and other creative endeavors. But I know I’m best off, productivity-wise, using my iPad basically as a single-tasking consumption device for long-form reading and video watching.


The question is whether I even pack my iPad Pro at all, or just go it alone with iPhone and Mac. When I’m packing, I generally wind up tossing the iPad in my bag, thinking I’ll miss it if I don’t. But when I do just leave the iPad at home, I don’t miss it.

Matt Birchler:

“Well, your use case is specialized and 80% of people will never run into that.”

This is of course impossible to argue, of course the 100 things I do on a computer are a unique combination of things that no one else in the world has exactly. My counter to this argument is that everyone has things they do on a device that falls in the 20% (or lower) minority of users.

So yes, if you happen to fall into the exact set of use cases that work best on iPadOS, then absolutely you should be happy and enjoy it, but it’s worth understanding that as soon as you venture outside of what the iPad is built to do, you run into pain very quickly.

Steven Aquino:

During the pandemic’s apex, I did so much on my well-loved 2019 Retina 4K iMac, I just never bothered with iPadOS again. Then my partner got me an iPad mini and an M2 MacBook Air as gifts, and I love both. I could do all my work from iPadOS, but I don’t because inertia. (The iPad mini size is just delightful, honestly.)

Steve Troughton-Smith:

iPad’s been stuck in a rut for a decade. We’re still having the same conversations about it and what it can/can’t do, who it’s good for. Either it suffered from a tremendous lack of vision, or it was intentionally hobbled so as not to tread on Mac’s toes. I fear we’re about to go through the same cycle on visionOS. Can it replace the desktop in ten years? Is it the kind of project that will survive Apple’s next CEO transition?

Somehow, both Mac and iPad fans think that their favorite platform is being hobbled to prop up the other. I do wonder about this in some cases, for example the lack of Macs with cellular. But mostly, I think, Apple (surprisingly) doesn’t have the resources to develop each to its fullest self.


At its core the iPad is bad at being a productivity tool outside a limited number of use cases. When the m1's came out, I went from “iPad is my mobile” to just living on a MacBook Air. Turns out what I wanted was relatively instant response time and for a device to let me work how -I- want to work. I went from “oh shit I need to send a zip file, what shortcut/app do I have to find” to “I’ll just right-click and I’m done.”

Where I worry about VisionOS is that it seems like there are a lot of things that Apple is similarly up its own ass about a la the recent discussion on @atpfm re:unauthorized trash cans. There are still things that I love and basically only do on my iPad, but it’s fewer and further between. Just a real clipboard manager, for example, would change the game, but if you believed Apple you’d think no one ever copies/pastes.

Michael McGuire:

I think this is the strategy tax of wanting to collect a portion of the revenue of software sold on the platform.

Rowan Johnson:

It’s long been clear that a real computer can’t exist within the walled garden of the App Store.

If VisionOS is as locked down as the iPad, it’s never going to be the future of computing.

Steve Troughton-Smith:

The real tragedy of iPad is the vast gulf between how much potential it had as a platform, and Apple’s disinterest in letting it live up to that. It is easy to imagine an alternate universe where iPad grew up to outright replace desktop computing, in all shapes and sizes, running powerful, complex software good enough to supplant everything we used a Mac for. A modern do-over of the entire personal computing industry. Nobody looks at iPhone and thinks ‘oh this could be so much more’, but iPad?

It’s also hard to talk about iPadOS today and not reference visionOS, because the two platforms are inextricably linked. They run effectively the same software, on top of the same OS — much more so than ‘iPhone OS’ was ever ‘Mac OS X’. These platforms are going to grow together, are going to share the best and the worst aspects of each other. They’re the same. With Apple talking about visionOS as the future of computing, it’s difficult not to be reminded about similar empty promises for iPad.

Rui Carmo:

I’ve been reading this bemusedly on my iPad mini (which I travel and work with since… forever), and although Jason’s use case (podcast creation) is indeed a hassle (as anyone who’s tried to use an iPad for music will attest to), writing and publishing has never been a real problem provided you were willing to jump through some minimal hoops (this post is being published semi-automatically via Shortcuts and Working Copy).


Right now I travel with a Raspberry Pi Zero 2 W, which I can talk to via Bluetooth PAN and use as a “sidecar” when I need something specific.

John Gordon:

I read people claiming that the iPad was a better work tool than an Air and it made no sense to me.

Colin Cornaby:

I think Apple Silicon killed the iPad dream. At this point there is no reason to force an iPad workflow if it’s inefficient. A MacBook Air is a pretty similar form factor with the same or better hardware. iPad’s domain is really just down to touch and pencil support.

Jonathan Hendry:

If you could flip a Macbook display around and close it to cover the keyboard while using it as a tablet, there goes any need for the iPad.

Hartley Charlton:

Along with the significant overhaul of the tablet itself, the updated version of the Magic Keyboard for iPad will offer a larger trackpad, addressing criticisms of the current model, and “makes the iPad Pro look even more like a laptop than the current setup.”


Update (2023-08-30): Jan:

It’s always been my impression that when the iPad was released, Apple shouted very loudly to the technical/web community that the iPad was a device for consumption, not creation, and that they would resist every change that made it easier to create anything on it that might challenge the way they decided to do things. Well over a decade later, none of my iPads can even keep an ssh connection alive while I’m reading docs in the browser -- even the most up-to-date.

I remember Apple emphasizing that iPad was not just for consumption and not just a big iPhone.


Not wanting two devices but valuing touchscreen and stylus, I eventually gave up and bought a Windows convertible.

These devices exist in a spectrum of use cases. It makes no sense to me to draw a line through the middle and say “tablet here”, “laptop there.”

Milen Dzhumerov:

[By] design, neither iPadOS nor visionOS would be the “future of computing” since they can’t even replace a basic general purpose computer, by definition. So it would be interesting to see how this will play out in long term.

FWIW, I do think these platforms (iOS, iPadOS, visionOS) can be successful as consumer-focused OSes with a focus which caters to popular use cases.

But iPhones, iPads, Vision Pros are not general purpose computers, as long as they run locked down platforms.

mg Text Editor

Wikipedia (via Accidental Tech Podcast):

mg, originally called MicroGnuEmacs (and later changed at the request of Richard Stallman), is a public-domain text editor that runs on Unix-like operating systems. It is based on MicroEMACS, but intended to more closely resemble GNU Emacs while still maintaining a small memory footprint and fast speed.

I’ve been occasionally annoyed, since Catalina, that Emacs is no longer built into macOS. Yes, it can be installed, but it was nice to be able to depend on it always being there. Fortunately, mg is pre-installed and seems to be a good substitute for my purposes of quickly doing small searches or edits from Terminal or via SSH.


Download the Things You Love

Matt Birchler:

Anyway, I linked to the show’s Wikipedia page because the original episodes are no longer available to download from the official source (here’s an archived version). Happily, a kind soul has recently uploaded many episodes to YouTube, but that’s just lucky, and those aren’t guaranteed to be eternal either.


This applies to other things as well. There are little internet videos from the pre-YouTube days that I think about and would love to see again, but can’t. There are versions of songs that you can’t get on streaming services. There are just some things I remember from years ago that I can’t see again, and that’s a shame.

Things on the internet can be forever, but you can’t assume someone else will keep them going[…]

I wrote an app for that, though the focus is more on saving Web pages, documents, and mail archives than media files. Now there’s lots of likely ephemeral audio and video available, and storage has advanced such that it actually is practical to store what you want to keep.

Glenn Fleishman:

Buying two 12TB drives (and configuring them as RAID1 mirrors) reminds me that I own nearly half a million times as much storage as I did in 1990.

I’ve been using Downcast to download local copies of podcasts. It still has problems, probably due to sandboxing, if I let it accumulate more than a few months of episodes. But I don’t want to store a lot on my Mac’s internal SSD, anyway, so I periodically rsync them to an EagleFiler library on an external drive and delete them from the app.

For videos and one-off audio downloads, I like Downie and the unofficial WWDC app.


Update (2023-08-30): See also: Hacker News.

Update (2023-09-01): Marc:

Many podcasts I recall from ~15 years are no longer available. So I wrote a tool to archive shows in a neat folder structure (using Visual Studio for Mac, ironically) and run it regularly for shows I think I might want to keep.


Self-Wiping SanDisk Extreme SSDs

Sean Hollister:

If you’re thinking of buying a SanDisk Extreme Pro, Extreme Portable, Extreme Pro Portable, or WD MyPassport SSD, maybe just don’t.

My colleague Vjeran just lost 3TB of video we’d shot for The Verge because the drive is no longer readable.

This isn’t a drive he purchased many months or years ago — it’s the supposedly safe replacement that Western Digital recently sent after his original wiped his data all by itself. Remember when we warned you about that?

Sean Hollister (via John Gordon):

Eleven days ago, we sent these questions to Western Digital’s head of PR and published them publicly on The Verge[…]

What’s the fuss? For months, the company has been laughably silent about how its pricey portable SanDisk Extreme SSDs might lose all your data. It happened to my colleague Vjeran Pavic twice. It happened to Ars Technica. It happened to PetaPixel.

Months after our inquiries, Western Digital continues to sell these drives due to deep discounts, fake Amazon reviews, and issues with Google Search that rank favorable results far higher than warnings about potential failures.

Matt Panaro:

I just got some WD-drives (cheaper HDDs) because Seagates were apparently just failing w/in a couple months of purchase. Trust no-one, I guess (is there even any other game in town?)

I have generally had the best luck with WD hard drives. Seagates have been the worst both for noise and reliability.

Friday, August 25, 2023

Apple Supports California Right-to-Repair Bill

Jason Koebler (Hacker News, at the new 404 Media, Hacker News):

Apple told a California legislator that it is formally supporting a right to repair bill in California, a landmark move that suggests big tech manufacturers understand they have lost the battle to monopolize repair, and need to allow consumers and independent repair shops to fix their own electronics.


This is a landmark shift in policy from Apple, the most powerful electronics manufacturer in the world and, historically, one of the biggest opponents of right to repair legislation nationwide. It means, effectively, that consumers have won. The news was first reported by TechCrunch and iFixit.


The legislation would require manufacturers “to make available, on fair and reasonable terms, to product owners, service and repair facilities, and service dealers, the means, as described, to effect the diagnosis, maintenance, or repair of the product.” This means manufacturers have to make the same diagnostics, tools, and parts available to the public as they make available to their own authorized repair professionals.

Nick Heer:

If you are interested in how SB 244 evolved over time, I have uploaded a comparison between the bill text introduced and the latest version. One update that caught my eye is that, according to the definition on line 56, a “desktop computer, laptop, tablet, or cellphone” are all considered “general” or “all-purpose” computers.

Sam Bergin:

The bill states that manufacturers will need to provide the same tools and parts that they use internally for repair. Meaning logic boards, major part assemblies, and the software needed to pair new parts into the system. Like most manufacturers today, they only swap out major (expensive) parts. They certainly don’t do component level repair, and they don’t use schematics or board view PDFs. Access to individual board components and documentation are the things truly needed if device owners are to stand a chance at having reasonably-priced and successful repair experiences.

John Gruber:

I don’t find Apple’s support for this legislation surprising, but most people commenting on it do.


Providing all the necessary documentation, tools, and parts for every new device the company makes is a pain in Apple’s corporate ass, and I think that’s why Apple resisted such legislation. From their perspective any such law is an unnecessary annoyance. But it’s undeniably reasonable for there to be consumer protection laws, and if there are going to be Right to Repair laws that cover computing devices, those laws ought to be good ones. And the plain language of Apple’s letter is that the company thinks this is a good one.


If Apple says they support California’s SB 244, it probably just means they actually support it.

Juli Clover:

California’s bill also says that service and repair facilities that are not authorized repair providers for a company must disclose if they’re using replacement parts that are used or not from the manufacturer. That means an independent iPhone repair shop in California would be required to source parts from Apple or to inform customers that device repairs are done with counterfeit components or used parts.

Further, the bill has a component that prevents manufacturers from being required to make tools, parts, and documentation available for any component that would disable or override antitheft security measures, which would encompass features like Face ID.

Independent repair shops already have the option of purchasing components from Apple, but have complained that Apple forces them to sign invasive contracts. As for the Self Service Repair Program, the kits and components that Apple sells are not much more affordable than simply getting a repair from an Apple Store.


There’s the loophole right there.

Apple is currently electronically serializing every component in their devices, including the battery for “anti-theft” purposes. Apple has already serialized the lid angle sensor on MacBooks, meaning you can’t replace the simple magnetic switch without going through Apple or an ASP.


Pretty soon, the iPhone back glass, USB-C port, and the individual keyboard key caps will be serialized for “anti-theft.”


Update (2023-10-27): Kevin Purdy (Hacker News):

Following the passage of California’s repair bill that Apple supported, requiring seven years of parts, specialty tools, and repair manual availability, Apple announced Tuesday that it would back a similar bill on a federal level. It would also make its parts, tools, and repair documentation available to both non-affiliated repair shops and individual customers, “at fair and reasonable prices.”


I repair mobile devices and computers on the side, I’ve repaired hundreds of iPhones and tablets. From batteries to screens to Audio IC repair, I’ve purchased from eBay, MobileSentrix, InjuredGadgets, Amazon, other repairers who sell their bulk parts, and so on. Apple’s self service repair store has to be one of the most obtuse, expensive, SLOW, and inflexible distributors for parts. Some of which you can only get from Apple. Sure their guides are nice and detailed but it’s all centered around pop n swap repair, no schematics or diagrams. The calibration and pairing software is all hidden behind black boxes and they only allow you to use it at a certain point with their parts only. The shipping options are crap and way overpriced. It’s essentially adult play repair, they rent you the tools and devices to fix your own device so you can play doctor. It’s seemingly stunted look at your customers. Go look at Sony or others who partner with large distributors to ship their parts and also provide a helpfully linked place to find manuals and diagrams. If the current Apple Self Service repair store is what Apple does in support of right to repair, I shudder to think how worse it would be if they are allowed to influence the policy and grow out their options. Yikes


It appears they are convinced some meaningful part of the “Right to Repair” can’t be stopped and of course as competent strategists they are, Apple can’t be caught “on the wrong side of history” so they pretend to switch sides, or even paint themselves as one of the original supporters.


I’m 99% sure in practical terms this will amount to as much as the “Apple-certified repair” program or those repair kits sold for almost the price of a device.

I’m sorry to be so negative, but the company is the same, the people are the same, their track record has been the same. So.. what are the chances this is different?


Update (2023-12-12): Karl Bode:

But given the immense, bipartisan popularity of right to repair reform, Apple (like Microsoft) back in August claimed it was having a change of heart. The company’s support helped push California’s new right to repair law over the finish line, and now Apple is clearly lending its support for a federal right to repair law[…]


Here’s the thing: most of these companies haven’t genuinely changed their stripes. They just know that the bipartisan popularity of these reforms make it impossible for them to continue actively opposing them. So what they’re doing is lending their support for state laws, provided said laws exempt most of the key industries engaged in the dumbest behaviors.

Karl Bode:

Maine is the fourth state behind Colorado, New York, and Minnesota to pass right to repair protections in the last year, much to the chagrin of the auto industry. While lobbyists did manage to weaken many of the laws (particularly in New York), several of the new laws (notably Minnesota) offer significant improvements to state law, making it cheaper and easier to repair consumer technology.


I suspect many of those companies, including Apple and Microsoft, have pivoted away from fighting state level right to repair laws, and toward using their political influence to co-write a weaker federal law that pre-empts tougher state restrictions.

Karl Bode:

While Apple obtained ample praise for its recent decision to support the California right to repair law, the company generally remains terrible on numerous aspects of right to repair. iFixit, you’ll recall, recently had to downgrade the iPhone 14’s repairability score after users complained Apple was using parts pairing to ensure that independent, affordable repair is either cumbersome as hell or simply impossible.

According to iFixit, the iPhone 15 is even worse[…]


Mastodon Full-Text Search

Renaud Chaput (via ednl, Hacker News):

Full text search has been merged in #Mastodon main branch, and will be in the next (and final?) 4.2.0 beta.

It is opt-in, so it will take some time to be filled with people content as they enable their profile to be indexed, but this was one of the most wanted Mastodon features for some time.

We plan to deploy it to and in the coming days to have a bit more feedback on it and see how it behaves in the wild.

To opt into your content being searchable, once your instance is upgraded to support this feature, head to your profile, and the new “Privacy and reach” tag, then tick the “include public posts in search”.

This sounds great, since the lack of search is probably the most annoying part of Mastodon right now. It remains to be seen whether enough users will opt in to make this work.


Update (2023-08-28): Mastodon Migration:

Full text search is now live on and

It is “opt-in”, meaning you need to check the “Include public post in search results” box to enable your posts to be searchable: Click Preferences (on right near bottom [gear icon]) >>> Click Public Profile (on left near top [person icon]) >>> Click Privacy and reach box (near top [lock icon]) >>> Under Search (scroll down middle of page)

Here’s some information about the search syntax.

Michael Stanclift:

Also new in search is “from:me” operator to quickly narrow down search to your own post history.

You do NOT have to opt-in to full search for this to work! Your own data is always available to you regardless of other people’s ability to search for it.

Python in Excel

Tom Warren (via Hacker News):

A public preview of the feature is available today, allowing Excel users to manipulate and analyze data from Python.

“You can manipulate and explore data in Excel using Python plots and libraries, and then use Excel’s formulas, charts and PivotTables to further refine your insights,” explains Stefan Kinnestrand, general manager of modern work at Microsoft. “Now you can do advanced data analysis in the familiar Excel environment by accessing Python directly from the Excel ribbon.”

You won’t need to install any additional software or set up an add-on to access the functionality, as Python integration in Excel will be part of Excel’s built-in connectors and Power Query. Microsoft is also adding a new PY function that allows Python data to be exposed within the grid of an Excel spreadsheet. Through a partnership with Anaconda, an enterprise Python repository, popular Python libraries like pandas, statsmodels, and Matplotlib will be available in Excel.

This sounds really cool, though it’s kind of a shame that it doesn’t run on-device.

macOS 13.5 No Longer Allows Setting System-Wide ulimits

axeman12 (via Hacker News):

As of the newest macOS releases (11.7.9, 12.6.8, and 13.5) I am no longer able to increase the ulimit of my computer using the strategies outlined here.


This is relevant for me as I am using Vite which is currently broken and blocks me from developing locally. It is mentioned in their troubleshooting page that Vite causes a large number of open files and how to increase the limit.


Changing a system-wide setting to work around an issue with a specific product seems rather extreme. A better option would be to change it for that process specifically. If you have access to the code, add a call to setrlimit. If you don’t have access to the code, you could work out how the code is launched and add a wrapper, using either a shell script (and hence ulimit) or a native executable (setrlimit again).

Apple Staff:

This is in fact a bug. Good news is, there’s a workaround!

launchctl limit maxfiles 256 unlimited
launchctl limit maxfiles 128000 524288

However, one commenter says this doesn’t work. What does seem to work is turning off System Integrity Protection.
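
The per-process alternative suggested above (a native wrapper that calls setrlimit and then launches the program) can be sketched as follows. This is an added example, not code from the forum thread or from Apple; the tool name `withnofile` and the helper names are hypothetical, and the OPEN_MAX clamp follows the macOS setrlimit(2) man page, which says to use min(OPEN_MAX, rlim_max) for RLIMIT_NOFILE. It raises only the soft limit, within the hard limit the process already has, so it needs neither root nor a System Integrity Protection change.

```c
/* withnofile (hypothetical name): raise the soft open-file limit for one
 * command only, then exec it. Usage: withnofile 10240 npm run dev */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Pick the soft limit to request: never above the hard limit, never above
 * OPEN_MAX where the platform defines it (macOS rejects larger values with
 * EINVAL), and never below the current soft limit. */
static rlim_t clamp_nofile(rlim_t wanted, rlim_t cur, rlim_t hard)
{
    rlim_t target = wanted;

    if (cur == RLIM_INFINITY)
        return cur;                      /* already unlimited, leave alone */
    if (hard != RLIM_INFINITY && target > hard)
        target = hard;                   /* unprivileged ceiling */
#ifdef OPEN_MAX
    if (target > (rlim_t)OPEN_MAX)
        target = (rlim_t)OPEN_MAX;       /* macOS setrlimit(2) requirement */
#endif
    if (target < cur)
        target = cur;                    /* a wrapper should never lower it */
    return target;
}

/* Raise RLIMIT_NOFILE for the calling process. Returns 0 on success and
 * stores the soft limit now in effect in *effective; -1 with errno set
 * on failure. */
static int raise_nofile(rlim_t wanted, rlim_t *effective)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;

    rlim_t target = clamp_nofile(wanted, rl.rlim_cur, rl.rlim_max);
    if (target != rl.rlim_cur) {
        rl.rlim_cur = target;            /* the hard limit is left untouched */
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
        if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
            return -1;
    }
    *effective = rl.rlim_cur;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <max-open-files> <command> [args...]\n",
                argv[0]);
        return 64;
    }

    errno = 0;
    char *end = NULL;
    unsigned long long wanted = strtoull(argv[1], &end, 10);
    if (errno != 0 || end == argv[1] || *end != '\0' || wanted == 0) {
        fprintf(stderr, "invalid limit: %s\n", argv[1]);
        return 64;
    }

    rlim_t effective = 0;
    if (raise_nofile((rlim_t)wanted, &effective) != 0) {
        perror("RLIMIT_NOFILE");
        return 71;
    }
    if (effective < (rlim_t)wanted)
        fprintf(stderr, "warning: limit capped at %llu\n",
                (unsigned long long)effective);

    /* Resource limits are inherited across exec, so only this command and
     * its children see the higher limit. */
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 127;
}
```
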


Thursday, August 24, 2023

Threads Social Network Expands to the Web

Juli Clover:

Meta-owned Twitter competitor Threads is finally getting a highly requested feature -- web access. The Threads social network can be accessed on the desktop and mobile devices using any web browser.

However, it does not seem to support RSS, and (like Instagram) it only shows a limited number of posts if you aren’t logged in.


Update (2023-08-28): John Gruber (Mastodon):

Just as with Threads’s older sibling Instagram, the native iOS app only runs with an iPhone screen layout on iPad. The web app (again, just like with Instagram) looks and feels very much like a native app would.

M.G. Siegler:

This continues the awkward trend for Meta/Apple, most famously with Instagram itself, where the native app experience for iPad is worse than the web. Everyone will say this is a good thing — and, to be clear, it likely is — but Apple can’t be thrilled about it, no matter what they say.


Update (2023-11-20): Alex Heath and Jay Peters:

Meta’s competitor to Elon Musk’s X has hit “just under” 100 million monthly users since it was released in early July, CEO Mark Zuckerberg announced Wednesday during his company’s quarterly earnings call.

Via John Gruber:

Threads just keeps getting better: more and better features, and more activity.

I just haven’t found the time to look there, when there’s so much happening on Mastodon and (still) Twitter.

Digital Will Sues Apple Over Developer Account Termination

Jack Purcher (via Hacker News):

Plaintiff received a boilerplate message from Apple’s App Store Review stating that Apple determined that Digital Will’s ADP membership “has been used for dishonest or fraudulent activity,” and thus, Plaintiff’s ADP account was “flagged for removal.”


In fact, Apple’s message did not identify any specific facts whatsoever, or any particular misconduct in which Digital Will engaged that violated the DPLA.


The message further stated that Digital Will could appeal this determination within 14 days so long as it provides a written statement that thoroughly explains the issues Apple identified, the specific steps Plaintiff will take to resolve them, and any new information clarifying the issues.

However, it was impossible for Digital Will to appeal and respond to “the issues [Apple] identified,” when Apple had not identified any specific issues.

Ben Lovejoy:

Apple has voraciously denied accusations that the App Store has monopolistic control over iPhone apps, yet the company’s ability to unilaterally close developer accounts without explanation forms a textbook antitrust case.


Some five months after Digital Will had its apps pulled from the App Store, and two months after it sent a lawyer’s letter to Apple, the Cupertino company reinstated the account. No explanation was offered.


U.K. Proposal to Weaken Messaging Security

Ioannis Kouvakas:

The existing IPA regime appears to already allow the U.K. government to demand that companies alter their services in a manner that may affect all users. For example, a technical capability notice requiring the “removal by a relevant operator of electronic protection” could be used to force a service, such as WhatsApp or Signal, to remove or undermine the end-to-end encryption of the services it provides worldwide, if the government considers that such a measure is proportionate to the aim sought.


As a result, an operator of a messaging service wishing to introduce an advanced security feature would now have to first let the Home Office know in advance. Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.

Via John Gruber (Mastodon):

Removing E2EE wouldn’t require some mere tweak to the protocols, it would require replacing the protocols entirely (with inherently insecure ones).

And the notion that security updates, for every user in the world, would need the approval of the U.K. Home Office just to make sure the patches weren’t closing vulnerabilities that the government itself is exploiting — it boggles the mind. Even if the U.K. were the only country in the world to pass such a law, it would be madness, but what happens when other countries follow?


What will actually happen, I believe, is that E2EE messaging platforms like WhatsApp (overwhelmingly popular in the U.K.), Signal, and iMessage will stop working and be pulled from app stores in the U.K., full stop. The U.K. seems to think it’s a bluff; I don’t.


Update (2023-08-25): Benedict Evans (via Dare Obasanjo):

The tech industry always has a reason why any new laws or regulations are bad - indeed, so does any industry. They always say that! The trouble is, sometimes it’s true, and some laws are (or would be) disasters. So which is it? Well, there are three ways that people say ‘NO!’

Update (2023-08-28): Nick Heer:

But Evans does not give nearly enough weight to how often big industry players and their representatives simply lie. They often claim the effects of new regulations will be of the second or third type when there is no evidence to support their claims.


In 2015, after Uber launched in Calgary, the city proposed reasonable and sensible rules, which Uber claimed were entirely “unworkable” for ride sharing as a genre. Many, including popular media outlets, concurred with Uber and begged the city to fold. But it compromised on only a single rule; everything else was passed, meaning that Uber drivers were subject to the same sorts of regulations as taxi drivers because they do the same job. And guess what? Uber has been happily operating in Calgary ever since.

Apple spent years opposing repair legislation on the basis that people would hurt themselves replacing batteries, and that any state which passed such laws would become a “mecca for bad actors”. That line of argument was echoed by some, only for Apple to now support such legislation — with caveats — despite using exactly the same type of battery it says is dangerous for people to swap themselves.

Karl Bode (via Hacker News):

Countless companies and industries enjoy making up scary stories when it comes to justifying their opposition to making it easier to repair your own tech. Apple claims that empowering consumers and bolstering independent repair shops will turn states into “hacker meccas.” The car industry insists that making it easier and cheaper to repair modern cars will be a boon to sexual predators.

Throughout the arguments is routinely peppered a single theme: providing easier and cheaper repair options to consumers is simply too dangerous to be considered. It apparently doesn’t matter that an FTC study recently found those claims to be self-serving bullshit designed to protect harmful repair monopolies from reform and lost repair revenue.


Asked for data to back up the claim that e-bike fires were being caused by unauthorized repairs, Lovell said that it was “anecdotal, from folks that are on the ground in New York.”


Update (2023-09-07): Cristina Criddle, Anna Gross, and John Aglionby:

The UK government has conceded it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.

Via John Gruber:

This isn’t the worst reporting on encryption and lawmakers’ fantasies about “backdoors only accessible by the good guys”, but it’s fundamentally misleading. End-to-end encryption’s meaning is right there in its name. There’s no dial that can be adjusted from “weak” to “strong”.

Tim Hardwick:

The UK government has denied that it has dropped a controversial plan to scan encrypted messaging services for harmful content as part of its Online Safety Bill, which is due to become law later this year.

Nick Heer:

Even though that is unclear, this argument is tautological: the government is arguing that technology companies will not be required to use technology which does not exist or is impossible. Which, well, duh. But then it says Ofcom is empowered to demand tech companies develop this impossible technology to the best of their abilities[…] It really sounds like the U.K. government wants operators of encrypted services to throw their “considerable resources” at doing as much as possible to solve the impossible.

Update (2023-10-24): Chris Vallance:

Peers have passed a controversial new law aimed at making social media firms more responsible for users' safety on their platforms.

Via Nick Heer:

Remember how, a couple of weeks ago, there was lots of press coverage celebrating an apparent withdrawal of provisions in the bill which required encryption to be broken, largely based on a Financial Times report? You may recall my subtly different interpretation based on the actual words of Lord Parkinson promoting the bill’s passage, and an actual reading of the text of the bill, which indicated that regulators would be granted the power to build something impossible.


By the way, it is not just encrypted messaging which has been put at risk in the U.K. because of this bill. The resources of the Wikimedia Foundation will probably be blocked in the U.K. because those sites — wisely — do not engage in mass data collection or user profiling, so they cannot effectively verify users’ ages.

Wednesday, August 23, 2023

White Noise Podcasts on Spotify

Ashley Carman (via Hacker News):

[The] company has achieved its goals to recruit more creators to the platform with 44% of all podcasts being hosted on Anchor as of July 2022. At the same time, though, not all the podcasters fit the classic show mold. In particular, one segment of users found massive success through Spotify’s tools: white noise creators.

As I wrote last year, these podcasters, whose shows entail playing various noises like crashing waves or bird sounds on repeat, could make at least $18,000 a month through advertisements that Spotify placed in the programming. I posited in that story that some algorithmic magic seemed to be pushing people to this content, and now, over a year later, documentation from Spotify confirms as much.


Once Spotify realized how much attention was going to white noise podcasts, the company considered removing these shows from the talk feed and prohibiting future uploads while redirecting the audience towards comparable programming that was more economical for Spotify — doing so, according to the document, would boost Spotify’s annual gross profit by €35 million, or $38 million.

Spotify didn’t actually do that, but some podcasters have reported that their episodes mysteriously went missing.


TimeStory Dev Journal

Aaron Trickey:

I’ve been building the iPad version of TimeStory for some time now, and it’s going well. I want to start journaling interesting or useful aspects of the project, and a logical place to start is with the choice of UI toolkit and the basic design for sharing code with the Mac app.


The main editor layout and chrome are all set up in SwiftUI: the container for the timeline view, the toolbar, the Inspector, the filter bar, and all sheets and popovers. It’s proven very effective and pleasant to use. SwiftUI has arrived at a very good place for these things.


I tried the SwiftUI document-based app lifecycle, and found it too limiting.


I use zero SwiftUI in the Mac app.


Microsoft Signing Key Stolen by Chinese

Zack Whittaker (Hacker News):

Microsoft still doesn’t know — or want to share — how China-backed hackers stole a key that allowed them to stealthily break into dozens of email inboxes, including those belonging to several federal government agencies.

In a blog post Friday, Microsoft said it was a matter of “ongoing investigation” how the hackers obtained a Microsoft signing key that was abused to forge authentication tokens that allowed the hackers’ access to inboxes as if they were the rightful owners. Reports say targets include U.S. Commerce Secretary Gina Raimondo, U.S. State Department officials and other organizations not yet publicly revealed.

Dan Goodin (via Hacker News):

In standard parlance among security professionals, this means that Storm-0558 exploited zero-days in the Microsoft cloud services.


While both conditions are clearly met in the Storm-0558 intrusion, Friday’s post and two others Microsoft published Tuesday, bend over backward to avoid the words “vulnerability” or “zero-day.” Instead, the company uses considerably more amorphous terms such as “issue,” “error,” and “flaw” when attempting to explain how nation-state hackers tracked the email accounts of some of the company’s biggest customers.


A plain-English summary of the event would seem to be: Microsoft has patched three vulnerabilities in its cloud service that were discovered after Storm-0558 exploited them to gain access to customer accounts. It would also be helpful if Microsoft provided a tracking designation under the CVE (Common Vulnerabilities and Exposures) system the way other cloud companies do. So why doesn’t Microsoft do the same?


Besides being opaque about the root cause of the breach and its own role in it, Microsoft is under fire for withholding details that some of the victims could have used to detect the intrusion, something critics have called “pay-to-play security.”

Shir Tamari (via Hacker News):

Microsoft have said that and Exchange Online were the only applications known to have been affected via the token forging technique, but Wiz Research has found that the compromised signing key was more powerful than it may have seemed, and was not limited to just those two services. Our researchers concluded that the compromised MSA key could have allowed the threat actor to forge access tokens for multiple types of Azure Active Directory applications, including every application that supports personal account authentication, such as SharePoint, Teams, OneDrive, customers’ applications that support the “login with Microsoft” functionality, and multi-tenant applications in certain conditions.

Dan Goodin (via Hacker News):

The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure’s role in the mass breach.


Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote.

Bruce Schneier (Hacker News):

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tells me that the details are really bad.

I believe this all traces back to SolarWinds.


Update (2023-09-08): Microsoft (via Michael Love, Hacker News):

Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).

We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).

After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key.

Dan Goodin (Hacker News):

Microsoft has said that roughly 25 organizations had one or more of their accounts breached in the campaign, which began on May 15 and lasted until June 16. Microsoft wasn’t aware of the mass hack until a customer tipped it off.
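Schneier's point that a validator accepted an expired signing key, and Wiz's that a consumer key could forge tokens for other application types, both concern checks that have to run after the signature verifies. The following is an added example, not Microsoft's code or anything from the quoted posts: a minimal token validator in which HMAC-SHA256 stands in for the real asymmetric signature so it runs on the standard library alone, and the key ids, issuers, audience and timestamps are all constructed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningKey:
    kid: str
    secret: bytes        # HMAC secret, standing in for an asymmetric key pair
    not_before: int      # Unix time from which the key is trusted
    not_after: int       # Unix time after which the key is retired
    issuers: frozenset   # issuers this key is allowed to sign for

class TokenError(Exception):
    """Raised whenever a token must be rejected."""

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(key: SigningKey, claims: dict) -> str:
    header = {"alg": "HS256", "kid": key.kid}
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    mac = hmac.new(key.secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def verify_signature(token: str, keys: dict):
    """Signature check only: proves the signer held the key, nothing else."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_unb64(h64))
        claims = json.loads(_unb64(c64))
        mac = _unb64(s64)
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    kid = header.get("kid")
    if header.get("alg") != "HS256" or not isinstance(kid, str) or kid not in keys:
        raise TokenError("unknown algorithm or key id")
    key = keys[kid]
    expected = hmac.new(key.secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise TokenError("bad signature")
    return key, claims

def validate_token(token: str, keys: dict, audience: str, now: int) -> dict:
    """Full validation: signature, then key lifetime, key scope and claims."""
    key, claims = verify_signature(token, keys)
    # A retired key still produces valid signatures, so check its lifetime.
    if not key.not_before <= now <= key.not_after:
        raise TokenError("signing key outside its validity period")
    # A key is only trusted for the issuers it was provisioned for.
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in key.issuers:
        raise TokenError("signing key not authorised for this issuer")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")
    nbf, exp = claims.get("nbf"), claims.get("exp")
    if not (isinstance(nbf, int) and isinstance(exp, int) and nbf <= now < exp):
        raise TokenError("token expired or not yet valid")
    return claims

# Constructed sample data: one retired key and two current ones.
NOW = 1_690_000_000
CONSUMER = "https://login.example/consumers"
ENTERPRISE = "https://login.example/enterprise"
KEYS = {k.kid: k for k in (
    SigningKey("consumer-old", b"constructed-1", 1_450_000_000, 1_620_000_000,
               frozenset({CONSUMER})),
    SigningKey("consumer-new", b"constructed-2", 1_680_000_000, 1_750_000_000,
               frozenset({CONSUMER})),
    SigningKey("enterprise-new", b"constructed-3", 1_680_000_000, 1_750_000_000,
               frozenset({ENTERPRISE})),
)}

def outcome(token: str, now: int = NOW) -> str:
    try:
        validate_token(token, KEYS, "mail-api", now)
        return "accepted"
    except TokenError as exc:
        return f"rejected: {exc}"

def demo() -> dict:
    """Sign the same enterprise-issuer claims with each key and validate."""
    claims = {"iss": ENTERPRISE, "aud": "mail-api", "sub": "user@tenant.example",
              "nbf": NOW - 60, "exp": NOW + 3600}
    return {kid: outcome(sign_token(KEYS[kid], claims)) for kid in KEYS}

if __name__ == "__main__":
    for kid, result in demo().items():
        print(f"{kid}: {result}")
```

All three tokens pass `verify_signature`; only the lifetime and issuer checks in `validate_token` separate the legitimate one from the other two.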

Tuesday, August 22, 2023

macOS Window Management

Mac Power Users:

Since the dawn of multitasking, users have needed to juggle things on their screens. Apple has taken several swings at building good window management tools into macOS, but better solutions can be found in a long list of third-party apps. Stephen and David have tried just about all of them for this episode.

I’ve been using Moom for a long time. One of my favorite features is that it can trigger a preset when the number of displays changes. So windows automatically rearrange themselves when I dock or undock my MacBook Pro.


iOS App Setup for Remote Push Notifications

Natalia Panferova (Mastodon):

Remote push notifications are messages that app developers can send to users directly on their devices from a remote server. These notifications can appear even if the app is not open, making them a powerful tool for re-engaging users or delivering timely information. They are different from local notifications, which are scheduled and triggered by the app itself on the device.

Adding remote notifications capability to an iOS app is a quite involved process that includes several steps and components. This post will walk you through all the necessary setup so that you can enable remote push notification functionality in your iOS project.

Twitter Media Datacide

Tom Coates (Hacker News):

Twitter has now removed all media posted before 2014. That’s - so far - almost a decade of pictures and videos from the early 2000s removed from the service.


This is what Twitter pre-2014 looks like - every image and video removed and replaced with a dead link.

It’s unclear whether this is intentional or a bug, and some images seem to be back now, though most are gone.


Specifically, it looks like they’ve broken any http links to, while the newer https ones still work. The practical effect of this is actually worse than the thread stated -- all old media and links on Twitter are broken (at least, since 2010 when they started using But perhaps they can fix it by restoring the http version of


Update (2023-08-23): Richard Lawler:

Now the @Support account at X, the company formerly known as Twitter until Elon Musk rebranded it, says, “Over the weekend we had a bug that prevented us from displaying images from before 2014. No images or data were lost. We fixed the bug, and the issue will be fully resolved in the coming days.”

Some images are back, but many are still missing.

Monday, August 21, 2023

John Warnock, RIP

Adobe (via Reuters, Hacker News):

Dr. Warnock co-founded Adobe in 1982 with Dr. Charles Geschke after meeting as colleagues at Xerox. Their first product was Adobe PostScript, groundbreaking technology that sparked the desktop publishing revolution. Dr. Warnock retired as CEO in 2000 and he was chairman of the board, a position he shared with Dr. Geschke, until 2017. He was a member of the Board of Directors since then. In recognition of their technical achievements, Dr. Warnock was awarded the prestigious National Medal of Technology and Innovation by President Barack Obama; the Computer Entrepreneur Award from the IEEE Computer Society; the American Electronics Association Medal of Achievement; and the Marconi Prize for contributions to information science and communications.


In his 1969 doctoral thesis, Warnock invented the Warnock algorithm for hidden surface determination in computer graphics. It works by recursive subdivision of a scene until areas are obtained that are trivial to compute. It solves the problem of rendering a complicated image by avoiding the problem. If the scene is simple enough to compute then it is rendered; otherwise it is divided into smaller parts and the process is repeated. Warnock noted that for this work he received “the dubious distinction of having written the shortest doctoral thesis in University of Utah history”. The Warnock algorithm solving the hidden surface problem enabled computers to render solid objects at a time when most computer renderings were only line drawings[…]


Unable to convince Xerox management of the approach to commercialize the InterPress graphics language for controlling printing, he, together with Geschke and Putman, left Xerox to start Adobe in 1982. At their new company, they developed from scratch a similar technology, PostScript, and brought it to market for Apple’s LaserWriter in 1985.


In late 1986, Warnock had invented Adobe Illustrator, a computer drawing program which used lines and bézier curves to render images. He initially developed it to automate many of the manual tasks utilized by his wife, Marva, a graphics designer.


In the spring of 1991, Warnock outlined a system called “Camelot”, that evolved into the Portable Document Format (PDF) file-format.

John Warnock (1986):

Another nice benefit of simple syntax [for PostScript] is that other computer programs can generate new programs easier. The straightforward, simple syntax made this language structure a natural candidate for a printing protocol; if you want your printing protocol to be procedurally based, and to be a programming language as opposed to a static data structure.

Bob Sproull and William Newman at PARC developed a format, called Press Format, that consisted of static data structures. But they found that it wasn’t the most flexible way to handle printing. To add a feature, you had to essentially rebuild the system with more features in it.


So Interpress was a good candidate for a printing protocol. Chuck and I tried to get Xerox to do something reasonable with Interpress for two years, but it became clear that in the process of getting it out to consumers, they were going to destroy it. They were going to add some features and take away other features that would make it not only difficult to implement but difficult to maintain, and difficult to educate people about. We felt that if we were on our own, we could create a product in a much more straightforward and reasonable way.


There will always be some smart guy who will come along and figure out a better algorithm, or figure out an easier way of performing some task. One of the tricks of the trade is to recognize this early, adopt it quickly, and exploit it without having a “not-invented-here” hangup about doing it your way.

John Warnock (2010):

If you represented characters as outlines the obvious [way], the fonts looked terrible. The sampling artifacts [the side effects of digitization] were horrendous. We knew that no publication or office environment would live with that. […] The very simple idea is: Rather than figuring out what dots to turn on, you stretch the characters so that they line up with the rasters.


There is a property of PostScript that made Acrobat possible: Every one of the operators [PostScript’s basic commands] can be redefined. If you take all the graphic operators and define them so that they output just the parameters, you get a static file of all the graphics that are in a PostScript file — but the pages have all been delimited. Everything is now a data structure as opposed to a program. […] I first used this trick with PostScript when Steve Jobs had this tax form that he wanted to use as a demo. […] I wrote a basic version of the Distiller in the early 1980s that would flatten the file and make it an efficient PostScript file, which got the execution down from a couple of minutes to 20 seconds.


The other problem we had to solve was font substitution. We didn’t have all the licenses to ship fonts [with the electronic document]. If the receiver [of the document] didn’t have the right font, you still wanted the layout to be exactly right. So I invented a variation of the type solution so that you could vary the widths of the typefaces with these specially designed fonts to make substitution fonts.


In the case with FrameMaker, the FrameMaker architecture was infinitely better — infinitely better — than the Aldus architecture. I could never get anybody except the ex-Frame employees at Adobe to understand that the architecture was fundamentally more sound in FrameMaker than in Aldus. The Aldus side won, essentially, with [the development of Adobe’s page layout product] InDesign. We’re still trying to catch up to FrameMaker.


Update (2023-08-28): Clay Risen:

Acrobat and the PDF were not immediately successful, even after Adobe made its Acrobat Reader free to download. The company’s board wanted to retire them, but Dr. Warnock persisted.


Dr. Warnock and Dr. Geschke, who ran the company as equals, were rare exceptions among the outsize egos and eccentric zillionaires of Silicon Valley: avuncular and academic, they built an aggressively competitive company while consistently ranking high on lists of the best places to work.

Despite its size, Adobe was often cast as the David versus much larger Goliaths, most often Microsoft — which, unlike Apple, repeatedly rejected Dr. Warnock’s entreaties to collaborate and instead tried to beat Adobe with its own protocols and programs. None of them worked.

Via John Gruber:

Warnock and Geschke understood what Steve Jobs often preached: technology alone was not enough. PostScript was — and remains! — excellent technology. But it was not a product. The LaserWriter was a product. You hooked it up, went to File → Print in any application, and you got professional-grade 300 DPI output with no technical expertise necessary. It was as easy to print high-quality output on a LaserPrinter as it was to print junk output on a slow, noisy dot-matrix printer. That was a product.

And Illustrator turned PostScript from a rather difficult but highly-capable programming language into a tool designed for use by artists. They didn’t just make a nice code editor for writing PostScript. They created an app that presented a visual framework in which you directly manipulated shapes, lines, and curves as objects. Even expert Illustrator users were never exposed to PostScript directly. The Illustrator metaphor was a complete encapsulation. That too was a product, and Illustrator remains an essential tool. If Warnock and Geschke had been satisfied merely with shipping great technology alone, Adobe Systems would be a nearly forgotten Silicon Valley footnote. Instead, they pushed to make Adobe the great tool-making product company we know today.

See also: The Dalrymple Report.

Update (2023-08-31): See also: The Talk Show.
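The recursive subdivision described in the quoted passage on the Warnock algorithm, as an added example (not Warnock's code or from any quoted source). Axis-aligned rectangles at constant depth stand in for polygons, a region counts as trivial when it is empty or when the nearest rectangle overlapping it covers it entirely, and the scene, grid size and all names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rect:
    x0: int      # pixel bounds are half-open: [x0, x1) x [y0, y1)
    y0: int
    x1: int
    y1: int
    z: float     # constant depth; smaller is nearer the viewer
    colour: str

def overlaps(r, x0, y0, x1, y1):
    return r.x0 < x1 and x0 < r.x1 and r.y0 < y1 and y0 < r.y1

def surrounds(r, x0, y0, x1, y1):
    return r.x0 <= x0 and r.y0 <= y0 and r.x1 >= x1 and r.y1 >= y1

def warnock(rects, size, background="."):
    """Return (image rows, number of regions examined)."""
    image = [[background] * size for _ in range(size)]
    examined = 0

    def render(x0, y0, x1, y1, candidates):
        nonlocal examined
        examined += 1
        live = [r for r in candidates if overlaps(r, x0, y0, x1, y1)]
        if not live:
            return                       # trivial: only background here
        nearest = min(live, key=lambda r: r.z)
        if surrounds(nearest, x0, y0, x1, y1):
            for y in range(y0, y1):      # trivial: one surface hides the rest
                image[y][x0:x1] = [nearest.colour] * (x1 - x0)
            return
        # Not trivial: split into four quadrants and repeat on each.
        mx, my = (x0 + x1) // 2, (y0 + y1) // 2
        for qx0, qy0, qx1, qy1 in ((x0, y0, mx, my), (mx, y0, x1, my),
                                   (x0, my, mx, y1), (mx, my, x1, y1)):
            if qx0 < qx1 and qy0 < qy1:
                render(qx0, qy0, qx1, qy1, live)

    render(0, 0, size, size, rects)
    return ["".join(row) for row in image], examined

def brute_force(rects, size, background="."):
    """Reference renderer: test every rectangle at every pixel."""
    rows = []
    for y in range(size):
        row = ""
        for x in range(size):
            hits = [r for r in rects if overlaps(r, x, y, x + 1, y + 1)]
            row += min(hits, key=lambda r: r.z).colour if hits else background
        rows.append(row)
    return rows

# Constructed scene: three overlapping rectangles at distinct depths.
SCENE = [
    Rect(2, 2, 12, 12, z=5, colour="a"),
    Rect(6, 6, 16, 16, z=2, colour="b"),
    Rect(0, 10, 8, 14, z=8, colour="c"),
]

if __name__ == "__main__":
    rows, examined = warnock(SCENE, 16)
    print("\n".join(rows))
    print("regions examined:", examined)
```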

Bypassing App Management With TextEdit

Jeff Johnson (Mastodon):

In retrospect, I regret participating in the Apple Security Bounty program. It has been a giant, frustrating waste of time, and I wish I had just dropped this 0day on October 24 of last year when Ventura was released. I suspect that if I had done so, Apple would have found a way to address the issue already in Ventura. Thus, I feel that my prolonged silence has not protected Mac users. The standard practice in reporting a security vulnerability is to give the vendor 90 days to address the issue, and I’ve given Apple vastly more time than expected.


I discovered—almost by accident—that a sandboxed app could modify files that it shouldn’t be able to modify: files inside the bundle of a notarized app that were supposedly protected by App Management security.


This isn’t the first time that a major macOS update included a new security (theater) feature with a gaping hole. For example, I previously discovered a bypass for Mojave’s new privacy protections. And it’s important to keep in mind that I’m not a professional security researcher.

It’s hard to make a living reporting security bugs when Apple has a history of declaring them not bugs, being stingy with payments, and stalling—which encourages releases like this that forfeit the possibility of collecting a bounty.

Jeff Johnson:

Today I want to illustrate the vulnerability a little more clearly to a non-developer audience.


As you can see, modifying that file would mess with Firefox’s software update mechanism, perhaps leaving the user vulnerable to a malicious software update.


TextEdit is sandboxed. Ironically, sandboxing was designed to prevent attacks, but in this case it allows an attack. That’s the bug, the vulnerability. A sandboxed app can modify a file that is supposed to be protected by App Management.


This has all been just for illustration. It wasn’t a real, viable attack, because I had to do everything manually. However, my disclosure yesterday presented an example of an automated tool that could execute a real attack.

Thijs Alkemade:

When I looked at this feature before Ventura was released I immediately found 4 different ways to bypass it. It really looks like it hasn’t been tested at all, as every potential method I’ve thought of worked. But bypassing by using a sandboxed app was not something I could have imagined working. 😂


Fake Steve Jobs and Letters from BILL G

Matt Sephton:

On 9th August 2006, “Fake Steve (Jobs)” started blogging at The Secret Diary of Steve Jobs. The blog featured scathing criticism of Silicon Valley and the tech industry at large, a pinch of political satire, along with many in-jokes and pandering to the zeitgeist. It was, above all else, very funny. A year or so after it began the identity of the ghost writer was revealed as journalist Dan Lyons. The blogging eventually stopped as the (real) Steve Jobs’ health deteriorated, and a single posthumous post appeared the day after his untimely death. I often think about Fake Steve, some of his best lines, some of his funniest observations. It was a different time.

Anyway… imagine my surprise when, earlier this year, I discovered that somebody in Japan had done a “Fake Bill (Gates)” a decade before Fake Steve! Truly, everything is a remix.


After the column had been running for around 6 months, ramping up to the publication of the first book, a teaser/promo website was introduced featuring a selection of letters. This is cool because internet was still pretty new at this point! Both the books and the website feature letters in their “original” English as well as in “translated” Japanese (of course, this is the opposite of the real order of events).


Twitter to Remove Block Feature

Juli Clover:

Twitter or “X” owner Elon Musk today said that the option to block people on Twitter is going to be “deleted as a feature” in the future, as it “makes no sense.”

Musk made the comment in response to a tweet asking whether there was a reason to block someone instead of muting someone on the social network. Mute and block are two fundamentally different features on Twitter. Mute prevents you from seeing content from Twitter users, while block prevents other people from seeing your content, following you, and interacting with you.


[If] someone replies to the reply from the muted person, you will see that notification and be alerted to the conversation. For many users, the loss of the block function would be detrimental.

Nick Heer:

Though harassment and abuse are the most obvious cases for blocking another user, I find a low threshold is necessary for a more enjoyable use of these platforms. It removes from your view any user who spoils your experience for any reason. That is excellent. If anything, I think using the “block” button on social media is increasingly necessary, as platform owners have decided to decrease the extent to which users control their own experience.

John Gruber:

Both platforms thus require social media apps to support users being able to block other users. Google’s language is unambiguous. The rub is how “blocking” is defined. If all Musk wants to do is change blocking to mean that blocked users can still see tweets from users who blocked them, but can’t interact (reply, quote, retweet) with them, I think that’s fine.

I think he means “fine with Apple,” which requires the ability to block without saying what that means. It’s not going to be fine with users who need more protection than what muting offers.

In any case, you may not be able to block people, but Twitter itself still will, for seemingly petty reasons:

Scott Galloway, a marketing professor at NYU who’s also known as an author and public speaker, said he was locked out of his X account after a quarrel with Elon Musk.


“For 18 days I have been unable to log-on to Twitter,” Galloway told Insider in an email. “Filled out form on the site, but no word back.”


Galloway most recently posted about Musk on X on July 27, commenting on a Reuters investigation which said Tesla created a secret team to suppress complaints about vehicles’ driving range.


Reuters also appeared to face a backlash from X after publishing its Tesla investigation, after links on the platform to its website saw a five-second delay — although this was seemingly reversed after news outlets reported on it.

Craig Grannell:

Threads and Mastodon are not doomed. What is: an expectation they can replace Twitter.


Friday, August 18, 2023

iOS 17 Moves “End Call” Button

Chance Miller:

In iOS 16 and earlier, the iPhone’s end call button was located at the very bottom of the in-call interface. Above it were two separate rows of buttons for things like mute, the keyboard, FaceTime, audio controls, and more.

In iOS 17, Apple has revamped this interface to shift everything down to the lower third of the screen. This means that the “End” button has been intermixed with other buttons for audio controls, FaceTime, muting, adding callers, and the keypad.


This feature and change has been included in iOS 17 since the first beta was released at WWDC in June. It’s going “viral” this week after being reported on by CNBC on Tuesday. Since then, a number of other outlets have also covered the change – including the Associated Press.

This was to make room for Contacts Posters.


Update (2023-12-11): David Kopec:

In this edition of dumb UI design, Apple decided to eliminate some of the space between the “End Call” button and the bottom of the screen in iOS 17. So now when you swipe up to look something up while you’re on a call you can accidentally end the call all together!

Dash 7


Dash 7 includes a completely rewritten fuzzy search engine, which makes it easier to find the page you need, fast.


Dash 7 will now search disabled docsets when you start your search query with the docset name or keyword (e.g. searching for “css display” will search for “display” in the CSS docset even when the CSS docset is disabled)


I’ve decided to switch Dash to a subscription pricing model, as the paid upgrade pricing model is no longer a good fit.

Dash’s highest development priority is docset updates and supporting new docsets, but the paid upgrade pricing model focuses on new features. The subscription pricing model will allow me to focus more on Dash’s #1 feature: its docsets.

Still one of my most-used developer tools.

It’s $15/year vs. formerly $30 to buy or $20 to upgrade (about every other year).


Update (2024-05-20): Christian Tietze:

After a long period of grand-fathering us non-subscription users of old versions, (the documentation browser for Mac) removed the old Apple API update feed. Now I’m getting periodical error notifications :)

macOS 13.5.1

Juli Clover (release notes, full installer, IPSW):

macOS Ventura 13.5.1 addresses a bug that impacts location services settings on the Mac. Mac users have complained since July of an issue with the location privacy settings, with the bug preventing them from accessing and controlling location permissions for first and third-party apps.

This was another troublesome update for me. I haven’t updated my main Mac yet. On my test Mac, after starting the update from System Settings it again failed to prepare. Using softwareupdate, the first time it restarted without actually applying the update. The second time it applied the update but kernel panicked right before showing the desktop. Restarting again worked. I suppose a benefit of the SSV is that, despite these problems, I can be sure that the installation is not actually damaged.

See also: Mr. Macintosh and Howard Oakley.


Update (2023-08-22): Howard Oakley (Hacker News):

I have now realised one cause of substantial discrepancies seen in the sizes of macOS updates for Apple silicon Macs.


The first download was similar in size to that for Intel Macs, and essentially the size given for the update by softwareupdate. In the case of the 13.5.1 update, that was around 500 MB for Intel, and just over 700 MB for Apple silicon Macs. As that part of each update should be similar between different architectures, there’s usually little difference. However, there’s a second component that is only downloaded by Apple silicon Macs, which is generally about 1.1 GB in size, bringing the total size to be downloaded to about 1.8 GB.


So if you’re updating an Apple silicon Mac, pay little attention to the download size given by softwareupdate or in SilentKnight, or at least add the fixed 1.1 GB overhead to it to arrive at the download size reported in the update progress window. Websites that report the size of macOS updates also need to make clear whether the figures they give are for Intel or Apple silicon Macs, and whether they include that overhead.

Post-Exploit Fake Airplane Mode

Jamf Threat Labs:

Jamf Threat Labs developed a post-exploit persistence technique on iOS 16 that falsely shows a functional Airplane Mode. In reality, after successful device exploit the attacker plants an artificial Airplane Mode that edits the UI to display Airplane Mode icons and cuts internet connection to all apps except the attacker application. This enables the attacker to maintain access to the device even when the user believes it is offline.


To accomplish this, we hooked two Objective-C methods and injected a piece of code that adjusts the cellular icon to pull off the intended effect.


Using this database of installed application bundle IDs we can now selectively block or allow an app to access Wi-Fi or cellular data using the following code. When combined with the other techniques outlined above, the fake Airplane Mode now appears to act just as the real one, except that the internet ban does not apply to non-application processes such as a Backdoor Trojan.

Via Guilherme Rambo:

“Here’s how we hacked a hacked device”

Saagar Jha:

I’m going to pick on @iMore for a moment. They definitely aren’t the only site doing it, but they do happen to do basically everything wrong here, even if they didn’t mean to.


@JamfSoftware researchers did not find an exploit. They presented their idea of a potential post-exploit technique. It’s not that this has “yet to be observed in the wild” but more that it’s something they created as a thought experiment.


To have this kind of access, an attacker has already completely pwned your system. Again, this is a post-exploit technique. It’s definitely a somewhat amusing one but 100% not something that works by itself.

John-Anthony Disotto:

When asked if there was any fix to this Airplane Mode threat users can take advantage of, Michael Covington, VP of Strategy at Jamf told us no (as of yet), but said, “Users should be on the lookout for unusual app crashes, unexpected device reboots, rapid battery drains, and the activation of sensors like the camera, microphone, or GPS, which can all trigger a UI indicator for the privacy-aware.”


Apple is aware of the exploit and will likely have a resolution sooner rather than later, heck, they may have already fixed this threat.

Saagar Jha:

My dude, did you even read your own blog post? It is literally about hiding UI indicators of an exploit. I’m sure that checking caller ID will help people avoid a 0-day 🙄


The real takeaway from this is: JAMF Threat Labs did some reverse engineering of Airplane Mode. They then made a little tweak that fakes the UI, which is always possible after an exploit. “omg be scared hackers can do unspeakable things to you” is not the right take.

Thursday, August 17, 2023

macOS 14 Simplifies Restoring a Mac in DFU Mode

Juli Clover:

In macOS Ventura and earlier, reviving or restoring a Mac requires a second Mac that has the Apple Configurator app installed, but in macOS Sonoma, Apple Configurator is no longer required.

Restoring or reviving using Finder is basically the same process as restoring with Configurator, just without the need for additional software. The two Macs will still need to be connected to one another through a USB-C cable, and the same steps will likely apply. Both machines will need to have macOS Sonoma installed to use Finder for a restore.


Update (2023-08-18): Howard Oakley:

I’m not sure that this actually simplifies anything: the tricky bit is putting the target into DFU mode. Configurator is valuable for the details in its Help book describing that. (It has also been the case since the first developer beta in June.)

It’s also annoying when building a macOS VM. When the Finder sees the IPSW during VM installation, it offers to connect to a Mac in DFU mode and restore it. Have to close that every single VM build.

How to Automate Memory Leak Detection With XCTest

Dan Torres:

Inside the addTearDownBlock, we can assert if sut and spy are deallocated by asserting if they’re nil. We hold sut and spy with weak references so that they won’t be strongly retained when executing the block.


But adding this block to all your tests may reduce readability. So we can add an extension to XCTestCase, which will allow us to use it in any test. We would also add the file and line so the failure message can be at the exact line and file where the test failed.

I’ve found this sort of thing very helpful. I don’t recall why I didn’t use weak closure captures. Instead, I’ve been using associated objects that fulfill XCTestExpectations when they’re deallocated. Sometimes it takes a run loop cycle before objects are deallocated.

In order for this to work, you have to be careful of when you and Cocoa autorelease objects. For example, creating an NSWindow or setting its title will end up extending the life of its view controller. So does changing the selected tab view item or some other tab view properties. You may think you’re avoiding leaks by using NSHashTable to store weak references, but adding or reading the objects causes them to be retained and then autoreleased.

See also: Bruno Rocha, Paul Samuels, John Sundell.
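The teardown-block approach described above, sketched as an added example (not code from the quoted article). The helper name `trackForMemoryLeaks` and the `Spy`/`Sut` types are hypothetical and constructed for illustration.

```swift
import XCTest

extension XCTestCase {
    /// Registers a teardown check that fails at the caller's file and line
    /// if `instance` is still alive after the test method has returned.
    func trackForMemoryLeaks(_ instance: AnyObject,
                             file: StaticString = #filePath,
                             line: UInt = #line) {
        // Capture weakly so the check itself does not keep the object alive.
        addTeardownBlock { [weak instance] in
            XCTAssertNil(instance,
                         "Instance should have been deallocated; possible retain cycle.",
                         file: file,
                         line: line)
        }
    }
}

// Constructed sample types: the spy holds a callback that refers back to its owner.
final class Spy {
    var onEvent: (() -> Void)?
}

final class Sut {
    let spy: Spy
    private(set) var events = 0

    init(spy: Spy) {
        self.spy = spy
        // Removing `[weak self]` creates the cycle Sut -> Spy -> closure -> Sut,
        // and both teardown assertions below would then fail.
        spy.onEvent = { [weak self] in self?.events += 1 }
    }
}

final class SutTests: XCTestCase {
    func testCountsEvents() {
        let spy = Spy()
        let sut = Sut(spy: spy)
        trackForMemoryLeaks(spy)
        trackForMemoryLeaks(sut)

        spy.onEvent?()

        XCTAssertEqual(sut.events, 1)
        // The locals go out of scope when this method returns; the teardown
        // blocks run afterwards and see nil unless something still retains them.
    }
}
```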


Book Publishers v. Internet Archive

David Streitfeld:

He unveiled the National Emergency Library, a vast trove of digital books mostly unavailable elsewhere, and made access to it a breeze. […] On Friday, the publishers said through their trade association that they had negotiated a deal with the archive that would remove all their copyright books from the site.


The archive had a muted response, saying that it expected there would be changes to its lending program but that their full scope was unknown. There is also an undisclosed financial payment if the archive loses on appeal.


Six thousand writers signed a petition supporting the lawsuit, and a thousand names are on a petition denouncing it. The Romance Writers of America and the Western Writers of America joined a brief in favor of the publishers, while Authors Alliance, a group of 2,300 academics whose mission is to serve the public good by widely sharing their creations, submitted a brief for the archive.

Via Glenn Fleishman:

I am an absolute fan of the Internet Archive and all the work they’ve done to preserve cultural and technical history. But as this article makes clear, they are fighting a legal battle they cannot win, because the law is clear. They need to be fighting a structural battle, all about the law, because they will not win these cases. A judge would have to come up with novel interpretations that would surely be overturned at appellate or Supreme Court level.

They are conflating multiple different battles about copyright, some of which affect current authors, making a living from their work, and some of which relate to orphaned works or works that should be out of copyright but due to vagaries, their status is unknown. If they focused, I believe there would be a much happier outcome. Their legal arguments are highly unconvincing to me. But their moral arguments have real standing. There’s also a lot of nonsense in copyright law about older works.

Dan Moren:

As an author, I think there’s yet a third level to this discussion. At the end of the day, the writers are usually the ones who get squeezed.

Most authors don’t make a living from their work, but I think the vast majority of them (if not all) support libraries and the free access to information. Most of us have used libraries a lot during our lives, some have even depended on them. I don’t think most writers view people borrowing their books from the libraries as lost sales—we view them as possible lifelong fans of our future work.

The solution, perhaps, is to find other ways to recompense authors for their work being borrowed. Right now, ebooks are usually sold to libraries under licensing procedures that regulate how many times a title can be loaned out before a new license has to be purchased. It’s an uncomfortable compromise, but the power remains in the hands of the publisher (as it usually does).


Update (2024-04-30): Bryan Lunduke (via Hacker News):

On April 19th, The Internet Archive filed the final brief in their appeal of the “Hachette v. Internet Archive” lawsuit (for which, judgment was handed down, against Internet Archive, last year).

What is curious, is that this final brief fails -- almost completely -- to reasonably address the core issues of the lawsuit. What’s more, the public statements that followed, by The Internet Archive, appeared to be crafted to drum up public sympathy by misrepresenting the core of the case itself.

Which suggests that The Internet Archive is very much aware that they are likely to lose this appeal.

Update (2024-06-25): Ashley Belanger (Hacker News):

As a result of book publishers successfully suing the Internet Archive (IA) last year, the free online library that strives to keep growing online access to books recently shrank by about 500,000 titles.


“We use industry-standard technology to prevent our books from being downloaded and redistributed—the same technology used by corporate publishers,” Chris Freeland, IA’s director of library services, wrote in the blog.

However, what got Internet Archive in trouble is that they had not been using this technology. It was more like Napster than a library.

Recording Industry v. Internet Archive

Chris Freeland (PDF, Hacker News):

Late Friday, some of the world’s largest record labels, including Sony and Universal Music Group, filed a lawsuit against the Internet Archive and others for the Great 78 Project, a community effort for the preservation, research and discovery of 78 rpm records that are 70 to 120 years old.


Of note, the Great 78 Project has been in operation since 2006 to bring free public access to a largely forgotten but culturally important medium. Through the efforts of dedicated librarians, archivists and sound engineers, we have preserved hundreds of thousands of recordings that are stored on shellac resin, an obsolete and brittle medium. The resulting preserved recordings retain the scratch and pop sounds that are present in the analog artifacts; noise that modern remastering techniques remove.


These preservation recordings are used in teaching and research, including by university professors[…]. While this mode of access is important, usage is tiny—on average, each recording in the collection is only accessed by one researcher per month.


While I strongly disagree with the length of copyright protection, after reading this and reading more about the case, from a purely legal perspective, I just don’t see how IA has any defense. They basically just seem to be saying “these are old records, so we should be able to copy them. Also, our work is mainly for academic researchers.” My guess is that they are arguing fair use, but I just don’t see how that applies here when they make copyrighted works available, for free, over the Internet.


The fourth part of the fair use test rests on whether the use of the work impacts the commercial market for the work.

Given these works are often:

  • Not offered in their original form
  • Would likely have little residual commercial value if so offered
  • And, the article states, are only accessed by one researcher per month

Indicates that the research, educational, and cultural value from this use likely far outweighs the impact to the commercial use of these works.

I find this confusing because, even if true, how could this be known in advance? Is the idea that they are so sure the recordings won’t be popular that they are comfortable risking the inevitable lawsuit? How is the average number of accesses across the collection relevant to the commercial value of any particular recording? It’s hard to believe that nothing in the collection has commercial value. With no DRM, how do we even know how many accesses there were given that the MP3s can be downloaded and redistributed?

It seems like Internet Archive is being increasingly aggressive, and I hope this doesn’t backfire and end up in the destruction of the organization and the uncontroversial parts of its stewardship.

Andy Maxwell:

From IA’s perspective, the project is all about the preservation of art. From the diametrically opposed view of the plaintiffs, the defendants willfully made copies of thousands of recordings to which they own the copyrights. The digitized copies were then uploaded to the Internet Archive from where they were illegally distributed to users of the website millions of times.

The complaint lists 2,769 individual works from some of the most famous artists of all time, including Frank Sinatra, Ella Fitzgerald, Billie Holiday, Miles Davis, and Louis Armstrong. Listed songs include “White Christmas” by Bing Crosby, “Sing, Sing, Sing” by Benny Goodman, “Peggy Sue” by Buddy Holly, and “Roll Over Beethoven” by Chuck Berry.


The record companies further reject claims that the music being made available illegally needs to be ‘saved’. They claim that of the 2,749 recordings listed in the complaint, all but a “small sample” are already available to stream or download from licensed online platforms so they “face no danger of being lost, forgotten, or destroyed.”

Via Nick Heer:

While versions of some of these recordings are present in newer formats, there is to me a vast difference between preserving these specific pressings compared to making available any version. I have no idea if that makes a legal difference — again, not a lawyer — but there are artistic and technical reasons which should not be ignored. Different record pressings sound different, sometimes by a lot.

Besides, it is not as though people are treating the Great 78 Project as a replacement for a streaming service. The Internet Archive does not show total plays or downloads, but the most-viewed recording in the collection has less than 140,000 views as of writing. Notable for a 1942 folk recording, for sure, but the most popular song from the same artist on Spotify has over half a million plays.

Glenn Fleishman:

What IA and many others should be doing (and some have done in a limited way) is press Congress for cultural-preservation exceptions to digitization of out-of-print/out-of-media works. Instead, they are going boldly forward in ways that the courts will likely firmly find against, giving even more ammunition to media companies on ancient copyrights. There should be exceptions; what IA is doing is clearly outside the rules; the laws should change.


Update (2023-08-22): Craig Grannell:

I remember the same conversations 20 years ago when it was clear loads of 8-bit games were gone. IP owners don’t care. The ONLY reason we now have eg a fairly complete C64 archive is the pirates. It shouldn’t be that way. But it is.

Wednesday, August 16, 2023

Twitter Delays URLs for Certain Sites

Jeremy B. Merrill and Drew Harwell:

The company formerly known as Twitter has been slowing the speed with which users could access links to the New York Times, Facebook and other news organizations and online competitors, a move that appeared targeted at companies that have drawn the ire of owner Elon Musk.

Users who clicked a link on Musk’s website, now called X, for one of the targeted websites were made to wait about five seconds before seeing the page, according to tests conducted Tuesday by The Washington Post. The delayed websites included X’s online rivals Facebook, Instagram, Bluesky and Substack, as well as the Reuters wire service and the Times.

Via John Gruber (Hacker News):

Purposeful spite and inadvertent bug strike me as equally likely here, and the list of domains that suffer this delay really does look like Musk’s shitlist. But regardless of the cause, the effect is undeniably bad for users: click or tap a link to these popular sites from Twitter, and it takes about 5 seconds for the URL to resolve.

Nitter, which had been restored, seems to be broken again. The “temporary emergency measure” of requiring logging in shows every sign of being permanent.


Worth pointing out that has always been an instance of an annoying and seemingly unjustified practice I named “nonsemantic redirect”. Rather than legitimately redirecting using an HTTP Location header, it instead is an HTML page with a META refresh tag on it.

You don’t see this with curl/wget because they use user agent sniffing. If they don’t think you’re a browser they will give you a Location header.


The purpose is so that Twitter is seen as the source of the traffic. A lot of Twitter-sourced traffic comes from native apps, so when people click links from tweets, they usually don’t send referrer information.

If the redirects were server side (setting the Location header), a blank referrer remains blank. Client side redirects will set the referral value.

From Twitter’s POV, there’s value in more fully conveying how much traffic they send to sites, even if it minorly inconveniences users.

John Gruber:

As I speculated last week, nothing you do on Twitter is private. Not your DMs, not your “deleted” DMs, not your searches, not your location (if you’re foolish enough to grant Twitter/X access to it), not your draft posts.


Apple to Send Batterygate Payments

Juli Clover:

iPhone owners who signed up to receive a payment under Apple’s “batterygate” iPhone throttling lawsuit settlement should soon be receiving their payments. As noted by The Mercury News, the judge overseeing the lawsuit has thrown out an appeal from two iPhone owners who were attempting to object to the settlement, clearing the way for the payments to be sent out.

Apple in 2020 agreed to pay $500 million to settle the “batterygate” lawsuit, which accused the company of secretly throttling older iPhone models. The class action lawsuit was open to U.S. customers who had an iPhone 6, 6 Plus, 6s, 6s Plus, 7, or 7 Plus running iOS 10.2.1 or iOS 11.2 prior to December 21, 2017.

Dare Obasanjo:

Apple is finally paying out users for slowing down the performance of older phones. This was one of those conspiracy theories that turned out to be true.


Affected users who filed claims should get a $65 check. Much less than the replacement phone they likely purchased. 😁

Ian Williamson:

I would much rather have a phone that ran a bit slower than one that frequently shut down, often at times when you were most relying on it.

Ultimately Apple is still at fault here for designing a phone that could draw more power than the battery could supply (at least towards the end of its lifetime). The slowdown fix and poor communication of said fix were just results of that initial mistake.

Nick Heer:

I remain stunned that anyone at Apple thought it would be completely fine to kneecap iPhones with underperforming batteries without telling users. Asking for forgiveness instead of permission works when you borrow a coworker’s pen, not when you alter the product characteristics of millions of smartphones without a word of communication. It has got to be one of the stupidest decisions made by this company in the past decade.

There were actually two communication problems. First, there had been a narrative that some people thought Apple was purposely making their phones slower but that this was a crazy conspiracy theory. Apple let this continue, even as it knew that it really was throttling phones. Second, Apple eventually flipped and tried to pretend that it had told us all along about the throttling—just like how Amazon secretly getting a special App Store rate turned into an “established program.” I don’t consider that asking for forgiveness.

Ultimately, the problem was a hardware design flaw (never really acknowledged), and the throttling was helpful in that a slow phone is better than a broken phone, but the secrecy meant that many people purchased a new phone when all they needed was a new battery.


Update (2024-01-09): Joe Rossignol (Hacker News):

The website for the so-called “batterygate” settlement said payments would likely start to be distributed this January, and payouts have begun on schedule. MacRumors readers Ken Strand and Michael Burkhardt are among the individuals who have received payments of $92.17 per claim from Apple as part of the settlement.

The iMac at 25

Jason Snell (MacRumors, Hacker News):

Essentially, Jobs went back to his playbook for the original “computer for the rest of us,” the Mac, to sell simplicity. The Mac’s mouse-driven graphical interface may have changed the course of the PC world, but its all-in-one design just hadn’t clicked. Jobs decided it was time to try again.

The iMac contradicted every rule of the PC industry of the mid-’90s. Instead of being modular, it was a self-contained unit (with a built-in handle!). Beige was out, and translucent blue-green plastic was in. The iMac looked like nothing else in the computer industry.

But the iMac wasn’t just a rule-breaker when it came to looks. Jobs made a series of decisions that were surprising at the time, though he’d keep repeating them throughout his tenure at Apple. The iMac gave no consideration to compatibility or continuity and embraced promising new technology when the staid PC industry refused.


The iMac gets remembered for a lot of things, and rightly so, but it doesn’t get enough credit for essentially kick-starting the USB revolution.

USB on the original iMac was so incredibly slow compared with the I/O that previous Macs had had. If you wanted to connect an external hard drive, the iMac was the wrong Mac to buy. But many people didn’t need external storage, and USB was good enough for adding removable storage for occasional use. One peripheral I saw a lot was the Imation SuperDisk. It could read and write regular floppy disks (at increased speed) and also supported its own 120 MB disks (20% larger than the Zip disks of the time).

Stephen Hackett:

Back in 2016, I set out to collect every model of iMac G3 that was produced over the machine’s six generations. The result of that was one of my favorite projects to ever grace the pages of 512 Pixels. That page has links to all of my iMac G3 coverage, including my look back at the original’s announcement[…]

Monica Chin:

From 2002 to 2009, the iMac was consistently updated every couple of years. The gaps then began to grow: there was a span of over three years between the 2009 “unibody” iMac and the 2012 “slim” iMac and another three years before the Retina iMac in 2015. We then got the iMac Pro, but that was kind of its own thing; the real successor to the 2015 product didn’t arrive until 2021, almost six years later. That was the iMac in which Apple’s Silicon would debut.

Since then, we’ve gotten a refresh of the M1 Mac Mini, two generations of the Mac Studio, and a somewhat inexplicable refresh of the 2019 Mac Pro. There’s been a new MacBook Air and a bigger MacBook Air and a whole cadre of MacBook Pros. At this point, almost all of Apple’s lineup has been updated to the M2 (or M2 Pro, or M2 Max, or M2 Ultra) chip. But not the iMac.

In fact, as of this writing, Apple hasn’t updated the iMac in well over 800 days — which is the longest gap in recent memory and double the average gap between updates over its history.

Nick Heer:

New iMacs are expected in October, according to Mark Gurman, as part of the debut of the M3 lineup.

I think everyone assumed that, with Apple making its own processors for Macs, it would update them like clockwork as it did for iPhone. Then we saw that the chips themselves were on a slower cadence. And now it looks like Apple is skipping processor generations. I don’t think it’s a huge deal in this case, since the M1 is still quite fast, though it has a lower RAM ceiling.

Jim Luther:

The iMac was also Apple’s first “ROM in RAM” Macintosh where the “ROM” image containing much of the OS was on the boot disk, read into RAM, and then executed. That made updates to that code much easier.

Craig Grannell:

A whistle-stop tour through the best – and worst – moments from the iMac’s evolution.


Typography Is Impossible

Marcin Wichary (2016):

Sticking out is not unusual in typography, even if you don’t use flamboyant typefaces like Zapfino. Here are four examples from Medium today where cropping text precisely at its box’s edges would cut stuff off[…] The box is just a suggestion.


So, yes: two fonts of the same size are likely to not actually be the same size.

There are consequences of this beyond just font sizing. Since the font designer can do whatever they want within the box, some fonts will inevitably end up closer to top, or to bottom. You might have to take that into account when laying things out[…]


Type is aligned when it feels aligned, not when it actually is aligned.

Tuesday, August 15, 2023


andrews05 (via David C.):

ResForge is a resource editor for macOS, capable of editing classic resource fork files and related formats. Based on ResKnife by Nicholas Shanks and Uli Kusterer, this derivative of the project has been rewritten for modern macOS systems.


Supports both resource and data forks in the original resource file format, as well as experimental support for the new extended format defined by Graphite.

Hexadecimal editor, powered by HexFiend.

Template editor, supporting a wide array of field types.


Image editor, supporting 'PICT', 'PNG ', 'cicn' & 'ppat' resources, plus view-only support for a variety of icons and other bitmaps.

Sound editor, supporting sampled 'snd ' resources.

Old Kindle Fires Can No Longer Download Books

Andrew Abernathy:

TIL that old Kindle devices can’t be registered to an account, and thus can’t be used for reading books. […] I learned this by having my Amazon credentials repeatedly rejected despite various two-factor/OTP contortions and finally managing to contact a human being who ultimately took the device serial number and said “ah, that model is too old”.


I gather this is a first-generation Kindle Fire, which makes it from 2011. So it’s old, but I can’t even use it with its original software to read books that were made for that platform.


I’ve now tested and I can indeed load PDF and non-DRM .mobi via USB.

Sad. It sounds like E-ink Kindles, which are even older, may still be supported, though.


Update (2023-08-16): Andrew Abernathy:

I just tried registering this first-gen Kindle Fire again and it worked right away.

I’m reluctant to say it was user error, since I tried the exact same process many times yesterday with ever-increasing care to make sure I was entering things correctly, and Amazon support asked me for the serial number, then told me it was too old and couldn’t be registered. But…maybe I did manage to mess it up. Or maybe Amazon later flipped some switch based on the serial #?

A happy result, but, as with GrammarlyGO, when the good news directly contradicts the bad news given by support, I have questions.


Turning Off Core Data Persistent History Tracking

It’s not documented, but Core Data doesn’t like you to turn off persistent history tracking once it’s been enabled for a store. If you set NSPersistentHistoryTrackingKey to false after it had been set to true, opening the store will seem to succeed, but it will log an error like:

Store opened without NSPersistentHistoryTrackingKey but previously had been opened with NSPersistentHistoryTrackingKey - Forcing into Read Only mode store at

No error is reported to your code, although you can check whether store.isReadOnly matches what you passed for NSReadOnlyPersistentStoreOption. If you fail to notice this, your app is likely to crash at some point. For example, the NSPersistentStoreCoordinator.setMetadata(_:for:) method will raise an NSInvalidArgumentException, which cannot be caught in Swift.

This makes sense in that, if you could turn off history tracking and later turn it back on, the history would be there but would have a gap, which could lead to bugs. In my case, though, I had only turned on history tracking to track down a bug—which ended up not being an unexpected writer but rather a bug in Core Data’s uniqueness constraint conflict resolution. I no longer needed history tracking for that store and wanted to avoid the associated performance cost.

It turns out that you can turn off history tracking if you first delete the history. So, I can open the store with NSPersistentHistoryTrackingKey set to true, then execute this request:

let request = NSPersistentHistoryChangeRequest.deleteHistory(before: .distantFuture)

Internally, this seems to only do a batch delete on the ACHANGE and ATRANSACTION tables. It does not actually clear out the interned strings in ATRANSACTIONSTRING or remove the history tracking tables themselves. But the bulk of the data is gone, and Core Data will let me re-open the store with NSPersistentHistoryTrackingKey set to false.

Going forward, I will add a key to the store’s metadata to record whether it was last opened using NSPersistentHistoryTrackingKey. When loading the store, if the key is true, I know to remove the history and can avoid logging the error. If it’s false, I know that the store can be safely opened without adding the history tracking tables.
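The procedure above as one function, added here as an example and not taken from the post. It detects the forced read-only state with the `store.isReadOnly` check the post mentions (rather than a metadata key), purges the history, and reopens with tracking off; the function, helper, and error names are hypothetical.

```swift
import CoreData

enum HistoryTrackingError: Error {
    /// The store was still forced read-only after its history was deleted.
    case stillReadOnly(URL)
}

/// Store options that request a writable store explicitly, so `isReadOnly == true`
/// after opening can only mean Core Data forced the store into read-only mode.
private func storeOptions(historyTracking: Bool) -> [AnyHashable: Any] {
    [
        NSPersistentHistoryTrackingKey: NSNumber(value: historyTracking),
        NSReadOnlyPersistentStoreOption: NSNumber(value: false),
    ]
}

/// Opens the SQLite store at `storeURL` with persistent history tracking off.
/// If Core Data forces it read-only because tracking was previously on,
/// deletes the history with tracking enabled and then reopens without it.
func openWithoutHistoryTracking(coordinator: NSPersistentStoreCoordinator,
                                storeURL: URL) throws -> NSPersistentStore {
    let trackingOff = storeOptions(historyTracking: false)

    var store = try coordinator.addPersistentStore(ofType: NSSQLiteStoreType,
                                                   configurationName: nil,
                                                   at: storeURL,
                                                   options: trackingOff)
    // No error is thrown in the forced read-only case, so compare with what was requested.
    guard store.isReadOnly else { return store }

    // Reopen with tracking on so the history can be deleted.
    try coordinator.remove(store)
    store = try coordinator.addPersistentStore(ofType: NSSQLiteStoreType,
                                               configurationName: nil,
                                               at: storeURL,
                                               options: storeOptions(historyTracking: true))

    let context = NSManagedObjectContext(concurrencyType: .privateQueueConcurrencyType)
    context.persistentStoreCoordinator = coordinator

    var purgeError: Error?
    context.performAndWait {
        do {
            // Same request as in the post: delete all recorded history.
            let request = NSPersistentHistoryChangeRequest.deleteHistory(before: .distantFuture)
            _ = try context.execute(request)
        } catch {
            purgeError = error
        }
    }
    if let purgeError = purgeError { throw purgeError }

    // With the history gone, the store can be reopened without tracking.
    try coordinator.remove(store)
    store = try coordinator.addPersistentStore(ofType: NSSQLiteStoreType,
                                               configurationName: nil,
                                               at: storeURL,
                                               options: trackingOff)
    guard !store.isReadOnly else {
        try coordinator.remove(store)
        throw HistoryTrackingError.stillReadOnly(storeURL)
    }
    return store
}
```

Unlike the metadata-key approach, this version still triggers the logged error once, on the first open after tracking is switched off.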


Toolbar SF Symbols Vertically Stretched on a 1x Display

John Brayton:

Toolbar images based on SF Symbols are vertically stretched when displayed on a 1x display. I filed this as FB12928137, but wanted to let other developers know. This is tricky because the effect is subtle and because developers without a 1x display will not see the issue. I worked around it by exporting the SF Symbols as 37-point images and putting them in PDFs in the asset catalog. I made each image 55x55, and centered the symbol graphic inside it.


You can see the effect in the Settings windows of Apple apps, including Apple Mail and Messages.

I noticed this a while ago in Safari and Mail, and now I can’t unsee it. I’m glad that he wrote up the bug.

There are a lot of little glitches like this with 1x displays, and especially when you have both a 1x display and a Retina display connected. Checkboxes in tables sometimes look weird, icons don’t draw using the proper representation, etc.

Mario Guzmán:

Top… the 1x rendering of sidebar icons in Apple TV app on macOS.

Bottom, my MiniPlayer with custom drawing (yes, you can use images too if you want)…

Both screenshots rendered on a non-retina display aka @ 1x.

But you can see how if you really care about your app, your icons could be great in both 1x and 2x. Best align to nearest pixel where possible otherwise they look so blurry and marred.


Update (2023-08-16): Matt Sephton:

I’m running a non-retina external display again—needs must—and I’m reeling from the lack of attention given to user interface elements in macOS and across Apple’s own apps.

  • Finder search button (squished)
  • Safari refresh page button (squished and badly positioned)

But most freaky is when switching back to the icon view in System Preferences, where the retina icons are briefly visible before they are all swapped out for the non-retina. Jarring.

Sam Rowlands:

I mean seriously… 3 Trillion dollars and you can’t even align icons in the center of the circle.

Monday, August 14, 2023

Making an IPv6 URLRequest

Casey Liss:

I’m trying to make a URL GET request to a service I’m discovering via Bonjour.

I have gotten a NWBrowser.Result, and I’ve gotten an NWEndpoint.

The endpoint is an IPv6 link local address.

How the hell do I make a URLRequest to this? I don’t seem to be able to construct a URL from what I’ve got, but I suspect I’m holding it wrong.


Wait, it seems the presence of “%en0” at the end may be the problem?

Greg Thompson:

In a browser you would enter an IPV6 address like this: https://[XXXXXIPV6ADDRESS]/index.html

Andreas Hartl:

my reading of RFC 6874 is that you must percent-escape the %: http://[<IPv6address>%25<zoneID>]

Jira Burnout Chart:

TIL about encoding a desired network interface as part of the host name into a URL

It’s interesting that he asked on Mastodon rather than on Stack Overflow.



GrammarlyGO Training on User Content With Questionable Opt Out

Rahul Roy-Chowdhury:

GrammarlyGO provides on-demand generative AI communication assistance directly in the apps where people write. Whether in an email thread or a long-form document, GrammarlyGO is right there with you and your teams during the writing process. GrammarlyGO understands context to quickly generate high-quality, task-appropriate writing and revisions.

Karolina Szczur (via Hacker News):

any product i’m using that announces AI features makes me instantly suspicious about privacy & security of my data. perfect example? grammarly.


i immediately contacted support asking:

  • how it was trained
  • can i opt out

it took me a while to get an honest answer but the ONLY way you can opt out is to pay for a business subscription for 500+ people.

Suha (Vocalize4754):

I’m Grammarly’s CISO.


When it comes to our genAI features, we use Microsoft Azure as our LLM provider and don’t allow Azure, or any third party, to use our customers’ data to train their models—this is contractually mandated. For text analyzed by Grammarly to provide revision suggestions (like adjusting tone or making text more concise), we may retain randomly sampled, anonymized, and de-identified data to improve the product. This data is disassociated from user accounts and ONLY used in aggregate.

We’ve devoted a ton of time and resources to developing methods that ensure the training data is anonymized and de-identified. And any Grammarly user (Free, Premium, Business) can view the data associated with their account by requesting a personal data report from us.

Re: opt-out: When we go through a security review with a business, if requested, that business can completely opt out of Grammarly training on their de-identified and anonymized data—opt-out is not limited to a 500+ license size.

This seems to directly contradict what Szczur was told by customer support.

I don’t see how viewing data associated with your account would be helpful if the worry is that the text isn’t properly cleaned before going into the anonymized soup. If they don’t store where it came from, you won’t be able to see which text you contributed.


Zoom ToS Allowed Training AI on User Content With No Opt Out

Alex Ivanovs (via Hacker News):

Zoom Video Communications, Inc. recently updated its Terms of Service to encompass what some critics are calling a significant invasion of user privacy.


What raises alarm is the explicit mention of the company’s right to use this data for machine learning and artificial intelligence, including training and tuning of algorithms and models. This effectively allows Zoom to train its AI on customer content without providing an opt-out option, a decision that is likely to spark significant debate about user privacy and consent.

Additionally, under section 10.4 of the updated terms, Zoom has secured a “perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” to redistribute, publish, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content.

Smita Hashim:

To reiterate: Zoom does not use any of your audio, video, chat, screen-sharing, attachments, or other communications like customer content (such as poll results, whiteboard, and reactions) to train Zoom’s or third-party artificial intelligence models.

Nick Heer:

But why is all of this contained in a monolithic terms-of-service document? Few people read these things in full and even fewer understand them. It may appear simpler, but features which require this kind of compromise should have specific and separate documentation for meaningful explicit consent.

Oliver Hunt:

If some company (like Zoom) posts an update to their terms of service that give them carte blanche access to your data for “AI” or any other reason, it doesn’t matter if their marketing department makes a post talking about how they won’t use that bit of their ToS.

The ToS change was made for a reason, and that reason is to abuse you and your data.


That their response to uproar about the ToS change is a blog post, and not to revert their ToS indicates that they intend to use that clause (if they hadn’t been doing so already without “explicit” consent)

Jay Peters:

Zoom has updated its terms of service and reworded a blog post explaining recent terms of service changes referencing its generative AI tools. The company now explicitly states that “communications-like” customer data isn’t being used to train artificial intelligence models for Zoom or third parties. What is covered by communications-like? Basically, the content of your videoconferencing on Zoom.

Jai Vijayan (via Hacker News):

Zoom’s decision — and the reason for it — is sure to add to the growing debate about the privacy and security implications of technology companies using customer data to train AI models.

In Zoom’s case, the company recently introduced two generative AI features — Zoom IQ Meeting Summary and Zoom IQ Team Chat Compose — that offer AI-powered chat composition and automated meeting summaries.


newly revised policy still gives Zoom all “rights, title, and interest” to a lot of service generated data including telemetry data, product usage data, and diagnostic data. But the company will not use customer content to train AI models.


Update (2023-08-16): Bruce Schneier:

Of course, these are Terms of Service. They can change at any time. Zoom can renege on its promise at any time. There are no rules, only the whims of the company as it tries to maximize its profits.

JVM Compares Strings Using the pcmpestri x86 Instruction

Jackson Davis (2016, tweet, Hacker News):

String.compareTo is one of a few methods that is important enough to also get a special hand-rolled assembly version.


Introduced in SSE4.2, pcmpestri is a member of the pcmpxstrx family of vectorized string comparison instructions. With a control byte to specify options for their complex functionality, they are complicated enough to get their own subsection in the x86 ISR. […] Now that’s really putting the C in CISC!


If this wasn’t complicated enough for you, have a quick gander at the indexOf implementations (there are 2, depending on the size of the matching string), which use control byte 0x0d, which does “equal ordered” (aka substring) matching.

It sounds like it only compares the Unicode code points, so that equivalent precomposed and decomposed strings are not considered equal.


One thing I learned about pcmpxstrx is that it’s surprisingly slow: latency of 10-11 cycles and reciprocal throughput of 3-5 cycles on Haswell according to Agner’s tables, depending on the precise instruction variant. The instructions are also limited in the ALU ports they can use. Since AVX2 has made SIMD on x86 fairly flexible, it can sometimes not be worth using the string comparison instructions if simpler instructions suffice: even a slightly longer sequence of simpler SIMD instructions sometimes beats a single string compare.


Friday, August 11, 2023

AppKit vs. SwiftUI: Stable vs. Shiny

Milen Dzhumerov:

Mitchell Hashimoto has been working on a new cross-platform terminal written in Zig and posted an update on the project’s progress. […] So, usage of SwiftUI constrained the product to have bugs and missing features.


Because of its maturity, AppKit does not change often nor significantly: it provides a stable foundation to build upon. Desktop OS innovation is quite slow as resources are focused on mobile and spatial. In turn, this means lower likelihood of breaking changes on each major release and more time to focus on your product.


SwiftUI is tackling a much harder problem along multiple dimensions[…]


SwiftUI can be thought of as a unifying rewrite of AppKit and UIKit, so the usual rewriting caveats, risks and benefits apply.


Unraveling the Digital Markets Act


When Facebook introduced Threads on July 5th, they excluded Europe due to non-compliance with the Digital Markets Act (DMA), an EU regulation effective since May 2, 2023. The question arises: Did the DMA function as intended, or were Europeans penalized by flawed legislation?

To comprehend the DMA’s relevance to us as an independent software company, we read and analyzed it from beginning to end. Our investigation aimed to determine if the criticisms, portraying EU laws as inefficient and uninformed, were justified.


To prevent gatekeepers from unfairly benefitting from their dual role, it is necessary to ensure that they do not use any aggregated or non-aggregated data, which could include anonymised and personal data that is not publicly available to provide similar services to those of their business users. That obligation should apply to the gatekeeper as a whole, including but not limited to its business unit that competes with the business users of a core platform service.


To ensure contestability, the gatekeeper should furthermore allow the third-party software applications or software application stores to prompt the end user to decide whether that service should become the default and enable that change to be carried out easily


The gatekeepers should, therefore, be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of its own complementary and supporting services and hardware.


The gatekeeper shall not require end users to use, or business users to use, to offer, or to interoperate with, an identification service, a web browser engine or a payment service, or technical services that support the provision of payment services, such as payment systems for in-app purchases, of that gatekeeper in the context of services provided by the business users using that gatekeeper’s core platform services.


Update (2023-08-15): Jesper:

To the extent that is realistically possible, this is a piece of legislation that plucks the power bestowed upon a few actors from their hands and back into the citizens, the customers, the owners.

The world is complicated and there are a number of points where the law will force one trade-off to turn into another trade-off.


I view this as a cornerstone of civil rights and customer rights in the same vein as the GDPR. The EU does not get everything right and are not the foremost authority on how this all should work. But they are in the same place as the United States Government was before passing the Clean Air Act and Clean Water Act. When the corporations involved have decided that they don’t feel like doing anything, what else is left to do?

Nick Heer:

There remain lingering concerns, like the requirement for interoperability among messaging platforms, which may impact privacy protections. Many E.U. member states have expressed interest in weakening end-to-end encryption. That is not part of this Act but is, I think, contextually relevant.

I am also worried that the tech companies affected by this Act will treat it with contempt and make users’ experiences worse instead of adapting in a favourable way. After GDPR was passed, owners of web properties did their best to avoid compliance. They could choose to collect less information and avoid nagging visitors with repeated confirmation of privacy violations. Instead, cookie consent sheets are simply added to the long list of things users need to deal with[…]

CNET Deletes Thousands of Old Articles to Game Google Search

Thomas Germain (via Slashdot, Hacker News):

Archived copies of CNET’s author pages show the company deleted small batches of articles prior to the second half of July, but then the pace increased. Thousands of articles disappeared in recent weeks. A CNET representative confirmed that the company was culling stories but declined to share exactly how many it has taken down. The move adds to recent controversies over CNET’s editorial strategy, which has included layoffs and experiments with error-riddled articles written by AI chatbots.

“Removing content from our site is not a decision we take lightly. Our teams analyze many data points to determine whether there are pages on CNET that are not currently serving a meaningful audience. This is an industry-wide best practice for large sites like ours that are primarily driven by SEO traffic,” said Taylor Canada, CNET’s senior director of marketing and communications. “In an ideal world, we would leave all of our content on our site in perpetuity. Unfortunately, we are penalized by the modern internet for leaving all previously published content live on our site.”


Removing, redirecting, or refreshing irrelevant or unhelpful URLs “sends a signal to Google that says CNET is fresh, relevant and worthy of being placed higher than our competitors in search results,” the document reads.

Danny Sullivan:

Are you deleting content from your site because you somehow believe Google doesn’t like “old” content? That’s not a thing! Our guidance doesn’t encourage this.

Nick Heer:

A bunch of SEO types Germain interviewed swear by it, but they believe in a lot of really bizarre stuff. It sounds like nonsense to me. After all, Google also prioritizes authority, and a well-known website which has chronicled the history of an industry for decades is pretty damn impressive. Why would “a 1996 article about available AOL service tiers” — per the internal memo — cause a negative effect on the site’s rankings, anyhow? I cannot think of a good reason why a news site purging its archives makes any sense whatsoever.

It’s quite possible the consultants were taking them for a ride or are just wrong. But it’s also possible that the SEO people who follow this stuff really closely for a living have figured out something non-intuitive and unexpected. Google obviously doesn’t want to say that it incentivizes sites to delete content, and the algorithms are probably not intentionally designed to do that, but that doesn’t mean this result isn’t an emergent property of complex algorithms and models that no one fully understands.

Danny Sullivan:

Indexing and ranking are two different things.

Indexing is about gathering content. The internet is big, so we don’t index all the pages on it. We try, but there’s a lot. If you have a huge site, similarly, we might not get all your pages. Potentially, if you remove some, we might get more to index. Or maybe not, because we also try to index pages as they seem to need to be indexed. If you have an old page that doesn’t seem to change much, we probably aren’t running back every hour to it in order to index it again.


People who believe removing “old” content aren’t generally thinking that’s going to make the “new” pages get indexed faster. They might think that maybe it means more of their pages overall from a site could get indexed, but that can include “old” pages they’re successful with, too.


Suppose CNET published an article about LK99 a week ago, then they published another article an hour ago. If Google hasn’t indexed the new article yet, won’t CNET rank lower on a search for “LK99” because the only matching page is a week old?

If by pruning old content, CNET can get its new articles in the results faster, it seems this would get CNET higher rankings and more traffic. Google doesn’t need to have a ranking system directly measuring the average age of content on the site for the net effect of Google’s systems to produce that effect. “Indexing and ranking are two different things” is an important implementation detail, but CNET cares about the outcome, which is whether they can show up at the top of the results page.

It would be nice to look at concrete data. Google knows how the CNET pages rank in its index, and CNET knows how its traffic changed (or didn’t) after the deletions. But so far neither is sharing.


Update (2023-08-15): Nick Heer:

The whole entire point of a publisher like CNet is to chronicle an industry. It is too bad its new owners do not see that in either its history or its future.

Adam Engst:

Though I’m dubious of most SEO claims based on my experience with the TidBITS and Take Control sites over decades, it’s conceivable that SEO experts have discovered a hack that works—until Google tweaks its algorithms in response. Regardless, I disapprove of deleting legitimate content because there’s no predicting what utility it could provide to the future; at least CNET says it’s sending deleted stories to the Internet Archive.

Update (2023-08-16): Chris Morrell:

I will say that Google has a history of publicly stating things about rankings that were measurably untrue. I would not at all be surprised to find out that “content pruning” is actually effective and is just another way Google’s search algos incentivize bad content decisions.


Google has claimed for years that they crawl client-side JS just fine, but almost everyone knows that’s not true. They’ve also said very clearly that Core Web Vitals are important but experimentation shows they have minimal impact.

I’m not advocating for deleting content on the web, but I do think that Google has put a lot of publishers in a position to second-guess everything because what they say often doesn’t match the evidence.

Update (2023-08-22): Nik Friedman TeBockhorst:

So speaking as someone who’s adjacent to the SEO industry (not my job, but I’ve spent a couple of decades in publishing, digital media, and analytics), I can share a little detail about what I suspect is going on here.

“Content pruning” is a common practice, and largely includes taking out of date content so that readers can focus on more current and/or profitable content. This is routine for large sites, and usually includes updating out-of-date but popular articles. Also has the benefit of trimming the amount of content to manage - spring cleaning, if you will.

From an SEO perspective, Google will dedicate limited resources to indexing any given site (its so-called “crawl budget”). If you take down the pages that aren’t doing you any good because they’re unprofitable, Google stops spending resources on those pages, and stops sending traffic to pages that don’t make money. If you’re lucky and have better pages with relevant content, Google will hopefully send those people to those better pages instead.


As for why Google says this isn’t necessary, well, CNET and Google have different objectives.

Overlaying Text on Images

Eric D. Kennedy (previous version):

If you hop into Dev Tools and remove the overlay, you’ll see that the original image was too bright and had too much contrast for the text to be legible. But with a dark overlay, no problem!


Whip up a mildly-transparent black rectangle and lather on some white text. If the overlay is opaque enough, you can have just about any image underneath and the text will still be totally legible.


A surprisingly good way for making overlaid text legible is to blur part of the underlying image.


The floor fade is when you have an image that subtly fades towards black at the bottom, and then there’s white text written over it.


A scrim is a piece of photography equipment that makes light softer. Now it’s also a visual design technique for softening an image so overlaid text is more legible.

Via Shannon Hughes:

Just set the background color of the UIVisualEffectView (the view itself, not the contentView) to a partially opaque white. And, crucially, skip the vibrancy effect for the text. (As an extra flourish, make the text color black with 70% opacity so the background can show through just a little. And we made the border color black at 40% opacity so it doesn’t compete with the text, which is what you’ve seen in all these examples, but wasn’t something we hit upon until the end.)


In sum, be cautious when using UIVisualEffectsViews over backgrounds you don’t control, but don’t despair. Adding a semi-opaque background color to the effect view might be all you need to get legible text you can count on.


Thursday, August 10, 2023

China to Require Apps to Register With Government

Josh Ye:

China will require all mobile app providers in the country to file business details with the government, its information ministry said, marking Beijing's latest effort to keep the industry on a tight leash.


You Yunting, a lawyer with Shanghai-based DeBund Law Offices, said the order is effectively requiring approvals from the ministry. The new rule is primarily aimed at combating online fraud but it will impact on all apps in China, he said.


Bishop said that in order to comply with the new rules, app developers now must either have a company in China or work with a local publisher.

Via Craig Hockenberry:

This will basically put an end to indie apps on the Chinese App Store.

We’re too small to work with a local publisher, much less open an office.

Hopefully Apple figures out a way to establish themselves as a publisher (not just a distributor).

If you are forced to remove a subscription for a product in China, you could be on the hook for pro-rated refunds (even though the country may not require them, it’s a general Apple policy).


Update (2023-08-22): Christopher Atlan:

Seems like Amazon is out as well.

Objective-C Internals

Brian T. Kelley (via Dave Verwer):

Get ready to dive deep into the inner workings of the Objective-C language and runtime! Each post delves into a specific aspect of the language and explores the details of its implementation. I hope you’ll find this valuable to demystify the language, tackle tricky bugs, and optimize your code for performance.


Highly recommended! Even if you lived through all this evolution, and spend way too much time staring at hex dumps in the debugger, you’ll still learn something.

Update (2023-08-15): See also: Hacker News.

Update (2023-08-28): Scott Perry:

wrt immortal objects in Python, I can’t believe adding a conditional branch in the refcount code path didn’t cause measurable performance issues; we got a big win when we moved the tag bit to the top of object pointers so we could use p<=0 on the fast path to catch nil and tagged pointers in one shot.

Wednesday, August 9, 2023

Paddle Billing


Paddle Billing is a new set of developer friendly subscription billing APIs with feature enhancements and functionality improvements built to strengthen Paddle’s Merchant of Record platform. This developer-friendly upgrade enables SaaS businesses to support more billing models, and represents a comprehensive step forward in Paddle’s capabilities. It improves your ability to increase revenue, retain customers, and scale operations hassle-free.


Paddle Billing also features brand new APIs that are built to modern standards and are designed to be simple to use. The APIs have been built to empower our customers, and the API returns are thorough and helpful to outline causes and solutions. This is backed by comprehensive API documentation for a seamless developer experience. You can also attach custom data to every entity within Paddle to keep track of data that matters to you, whether that’s on a customer, a subscription or an invoice.


Paddle Classic currently supports over 4,000 SaaS sellers around the world, it isn’t going anywhere. It will continue to be a stable, compliant, and secure platform with strong and unwavering support. […] You will continue to get updated payment methods and tax updates as they become available. However, some feature updates will only be available in Paddle Billing only.

There’s more information in the announcement. I’m not sure what to make of this. The focus seems to be on subscriptions, and it’s not clear to me whether any of the longstanding limitations of the Paddle platform have been addressed. Compared with other e-commerce providers, Paddle has always felt to me more like a platform than a solution. It has a very basic/opinionated feature set, with no support for shopping carts, very limited discounts, limited support for licenses, no way to fix incorrect addresses, etc. There’s a powerful API that gives you a lot more flexibility—but then you have to reimplement much of the store yourself. The API was also buggy and under-documented at the time I set up my store. The new API sounds better, but what I really want is more features that work out of the box without having to use the API.

Some years ago, FastSpring also bifurcated their store/API, into Contextual and Classic. I stuck with Classic because it was working and I didn’t want to have to reimplement and test my whole store. FastSpring Classic continues to work, but it never got new features such as Apple Pay support. In both cases, I wish they could have brought their existing stores and transaction data along, i.e. support the old features and API within the new system. In both cases, I’ll probably eventually have to rewrite using the new API, not because I actually need anything that the new API offers, but because the customer-facing parts of the old system haven’t been updated.


Bram Moolenaar, RIP


In the early 90s, programmer Bram Moolenaar was frustrated with limitations of the vi text editor.

So he created his own open source fork called Vim!

Vim improved on vi with new features like multi-level undo/redo, visual selection, and syntax highlighting.


What makes Vim special? Its modal editing approach - you enter commands to manipulate text instead of mousing around.

This makes editing super fast and precise! ⚡️

Laura Bernheim (via Hacker News):

Vim, originally abbreviated from “Vi IMitation,” sought to extend the functionality of the vi editor. With the release of Version 2.0 a few years later, Vim declared the new abbreviation was for “Vi IMproved” because their feature set had surpassed vi.

More than two decades since the text editor’s creation, Vim has become so configurable and adaptable that even Bram doesn’t know about all the features it has anymore.

vim_announce (via Fatih Arslan):

It is with a heavy heart that we have to inform you that Bram Moolenaar passed away on 3 August 2023. Bram was suffering from a medical condition that progressed quickly over the last few weeks.

Bram dedicated a large part of his life to VIM and he was very proud of the VIM community that you are all part of.


Anyone who’s used Vim has seen evidence of Moolenaar’s generosity. “Vim is Charityware,” Moolenaar wrote in its pioneering license. “You can use and copy it as much as you like, but you are encouraged to make a donation for needy children in Uganda.” Moolenaar pioneered the concept of charityware decades ago, and also helped to popularize its adoption. To this day Vim users can still view the license by typing the command :help Uganda or :help ICCF. And Vim’s sponsor FAQ notes that “Each registered Vim user and sponsor who donates at least 10 euro will be able to vote for new features.”

Muhammad (via Hacker News):

In this post, I will be sharing my favorite vim one-liners that have significantly enhanced my vim workflow, making it more productive and efficient. As an avid vim user, I have extensively utilized these one-liners to edit files, and they never cease to surprise me with their ability to accomplish tasks swiftly, saving precious time. This is precisely what drew me to Vim - the unparalleled efficiency it offers when it comes to editing text.

Update (2023-08-10): Christian Brabandt (archive, via Hacker News):

The future of the Vim project


Access to the github organization is possible and Ken and me have been granted admin rights by Bram’s family, so we can continue with Github.


Bram was owner of all of the mailing lists. I don’t know yet how he managed this and how to request access[…]

Tuesday, August 8, 2023

Kaleidoscope 4.1

Florian Albrecht (Mastodon):

Kaleidoscope can now directly talk to Git. While Kaleidoscope could always integrate with Git, until now it could only show the results of a Git operation, such as git difftool and git mergetool, which was typically initiated through a Git client like Tower.


For the 4.1 update, we decided to focus on the ability to display and compare multiple revisions of a file.


Below the File History entries, there are two more useful functionalities:

  1. The Filter field allows quick filtering of the commit list. Enter text to search in authors, commit hashes, dates, and the commit message. For example, entering your name will filter the list to show only your commits.
  2. The branch button in the bottom right allows you to look at a different git reference, such as a specific branch or tag. Selecting an entry will reload the list and show commits for that reference.

I’m a big fan of Tower, but it has always been weak at showing the history of a single file. You can’t quickly open a file from Terminal or via drag-and-drop. Once you get the file history open, it doesn’t show the entire commit message. Once you open the commit associated with a file revision, you can see the other files, but it still doesn’t show the full commit message. The full History view does, but you can’t copy the commit hash from the commit view to paste it into the History view’s search field. Tower supports multiple windows but doesn’t make it very easy; you can’t just select two files and open their histories at the same time.

Kaleidoscope makes some of these tasks really easy. There are many ways to get it to open a single file, and then it automatically loads the history (and even the previous version, if you want). It’s easy to navigate the history to pick which versions you want to compare. I’ve seen many different apps implement this type of interface, and Kaleidoscope’s version may be the best. There’s a popover that shows the full commit message, though unfortunately the text in it isn’t selectable. It would also be nice to be able to resize the history pane to see a bit more of each commit summary. It’s easy to open multiple windows to look at the histories of different files, and they show up in Open Recent so it’s easy to get back to them.


Update (2023-08-09): Kaleidoscope 4.1 is not sandboxed, and I think this Git integration would have been tough to implement and less smooth to use from a sandboxed app. (Telling an app to open a file does not give it access to the associated Git repository. There are ways to automatically get access to a nearby file, e.g. the journal file next to a database, but I don’t think this would work with Git, whose data is typically in an enclosing folder.) So I wonder whether this feature would have ever shipped if Kaleidoscope had remained in the Mac App Store.


Unicode Is Harder Than You Think

Marco Cilloni (via Cédric Luthi, Hacker News):

Reading the excellent article by JeanHeyd Meneide on how broken string encoding in C/C++ is made me realise that Unicode is a topic that is often overlooked by a large number of developers. In my experience, there’s a lot of confusion and wrong expectations on what Unicode is, and what best practices to follow when dealing with strings that may contain characters outside of the ASCII range.


The fact UTF-32 is a fixed-width encoding is only marginally useful, due to grapheme clusters still being a thing. This means that the equivalence between codepoints and rendered glyphs is still not 1:1, just like in UCS-4[…]


As I previously mentioned, Unicode codepoints can be modified using combining characters, and the standard supports precomposed forms of some characters which have decomposed forms. The resulting glyphs are visually indistinguishable after being rendered, and there’s no limitation on using both forms alongside each other in the same bit of text[…] Another headache is the fact Unicode also may define special forms for the same letter or group of letters, which are visibly different but understood by humans to be derived from the same symbol.
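
The gap between raw code-point comparison and Unicode equivalence described here (and in the String.compareTo entry earlier on this page) can be seen directly. This is an added example, not code from either article; the sample strings and function names are constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Constructed sample strings (not taken from either article).
PRECOMPOSED = "caf\u00e9"   # 4 code points: é is the single code point U+00E9
DECOMPOSED = "cafe\u0301"   # 5 code points: e + U+0301 COMBINING ACUTE ACCENT
LIGATURE = "\ufb01le"       # U+FB01 LATIN SMALL LIGATURE FI, then "le"
PLAIN = "file"


def codepoints(s):
    """List the code points of s as U+XXXX labels, for inspection."""
    return [f"U+{ord(ch):04X}" for ch in s]


def classify(a, b):
    """Name the strictest comparison under which a and b are equal."""
    if a == b:
        return "identical code points"
    if unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b):
        return "canonically equivalent"
    if unicodedata.normalize("NFKC", a) == unicodedata.normalize("NFKC", b):
        return "compatibility equivalent"
    return "different"


def sort_by_codepoint(strings):
    """Sort the way a raw code-point comparison orders strings."""
    return sorted(strings)


def sort_normalized(strings, form="NFC"):
    """Sort on the normalized form, so equivalent spellings stay adjacent."""
    return sorted(strings, key=lambda s: unicodedata.normalize(form, s))


def find_collisions(names, form="NFKC"):
    """Group names whose raw code points differ but whose normalized forms match.

    Returns {normalized form: [distinct raw spellings]} for groups of two or more.
    """
    groups = defaultdict(set)
    for name in names:
        groups[unicodedata.normalize(form, name)].add(name)
    return {key: sorted(raw) for key, raw in groups.items() if len(raw) > 1}


if __name__ == "__main__":
    for a, b in [(PRECOMPOSED, DECOMPOSED), (LIGATURE, PLAIN), (PLAIN, "fire")]:
        print(codepoints(a), codepoints(b), "->", classify(a, b))
    mixed = [PRECOMPOSED, "cafz", DECOMPOSED]
    print(sort_by_codepoint(mixed))   # equivalent spellings end up separated
    print(sort_normalized(mixed))     # equivalent spellings stay together
    print(find_collisions([PRECOMPOSED, DECOMPOSED, LIGATURE, PLAIN, "tea"]))
```

Anything that stores or compares identifiers (user names, file names, lookup keys) should pick one normalization form and apply it on both write and compare; `find_collisions` is a quick audit for existing data that was stored without one.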


Another User Locked Out of Apple Account

Wasingtheisofwas (Hacker News):

So this morning I go to update my apps. Instead of it going ahead with the update or asking for my fingerprint or the like, I get a message saying “your account has been disable in the app store and itunes”.


I reach out to customer service. They tell me that I have violated the terms and conditions of the app store. I ask them to explain and they say that the account has been flagged for “Fraudulent Patterns”. I have no idea what that means, or what I could possibly have done on my iPhone that would constitute fraud.

The customer support rep tells me that I will need to create a new Apple ID. When I ask him what will happen to all of the content that I have paid for over the years, as well as the subscriptions that I am currently paying for, he tells me that there is nothing he can do and that I cannot be refunded.


The Apple Support Senior Advisor told me it was permanent.[…]

It’s not “under review” It’s not “temporary” and there is no “possibility of regaining my ID”

Because it’s about security, Apple won’t say what the infraction supposedly was. The support manager says there’s no procedure to get the account reinstated even though this happens “frequently.”

Francisco Tolmasky:

If I am understanding this thread correctly, Apple might disable your AppleID if your credit card is stolen… even if the fraudulent charge doesn’t even happen on your account. It’s crazy that disabling an AppleID is a remedy for anything, let alone things not happening on your account. That means you’d lose all your emails on iCloud, BACKUPS on iCloud, data, your logins to every site you used sign-in-with-Apple, the list goes on. This is absolutely crazy.


Update (2023-08-09): Ezekiel Elin notes that it may be that Wasingtheisofwas retains access to iCloud and was only barred from purchased content. In theory, the iCloud data could be migrated to a new account, although I don’t think it would necessarily be easy or even possible for all apps.

Matt Ankerich:

I can’t get apple to let me CHANGE my appleID and delete the atme email address associated with it (it is on the dark web because of a data leak, and I get hundreds of spam emails addressed to the account daily). The only remedy is to delete the appleID which would annihilate my purchases. The holiness that apple treats these original ids is absurd not to mention that we can’t merge IDs purchased content into single accounts.


Update (2023-08-15): Mike Rockwell:

I hope we’re nearing a future where you can realistically use an iPhone without an Apple ID at all — replacing all of Apple’s services, including the App Store, with independent alternatives.

Lots of third-party apps are locked in via CloudKit.

What’s the Deal With Sensor Tower?

John Gruber:

So, I see three ways Sensor Tower collects usage information for apps and websites that aren’t their own: (1) ad-blocking web browser extensions, (2) screen time monitoring apps for Android and iOS, which on iOS requires access to Screen Time, and (3) the Adblock Luna VPN. (Perhaps I’m underestimating how much data they can collect from users who play Melody Run.)

These apps may well be popular — again, they claim that Adblock Luna has been installed by over 15 million users — but is the data they collect from them representative of the general public?


The news media so badly wants to know usage data that they just accept Sensor Tower and other such firms’ pronouncements at face value, without ever describing — let alone questioning — how they ostensibly know what they claim to know about very private data.


Monday, August 7, 2023

End of Support for Cortana in Windows

Microsoft (via Hacker News):

Starting in August 2023, we will no longer support Cortana in Windows as a standalone app. However, you can still access powerful productivity features in Windows and Edge, which have increased AI capabilities.


This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms.

I guess Windows Copilot has a totally different backend than Cortana, but if it takes text as input I wonder why they don’t do text-to-speech and let you control it by voice.

Filipe Espósito:

According to Windows Latest, Cortana is also expected to be shut down on previous versions of Windows in the coming weeks.


Seeing what other companies are achieving with generative AI, I do think it’s time for Apple to give up on Siri and focus its efforts on new technologies.

It seems like in this case Microsoft is doing things the Apple way (making a clean break) and Apple is doing things the Microsoft way (improving the old technology).

Sören Nils Kuklau:

Cortana is being shut down because not enough cared about it for Microsoft to find some monetization scheme.

Siri, meanwhile, is used by plenty of people every day, and Apple just subsidizes it through hardware sales.


AirTag Success Story

Julia Buckley (via Hacker News):

When they arrived at Denver after midnight, the bag wasn’t on the belt. United representatives at Denver gave them a case number and told them the bag should arrive on the 8.30 a.m. flight from Chicago in just a few hours. When it didn’t, Shuster called the toll-free number for lost baggage that she’d been given.

“They said, ‘Your bag’s going to come in later today on one of two flights.’ I said ‘OK, great,’ but it never came. So I called later that afternoon and they said ‘Your bag is still in Baltimore,’” says Shuster.


And the AirTag was showing as being at baggage reclaim at O’Hare.


Tagged with another passenger’s details, the bag had been sent to the belt, ready for pick up at O’Hare – and when nobody claimed it, staff had moved it to their back office.

Unfortunately, even with the AirTag, due to United’s incompetence she had to fly back and retrieve the bag herself.


Kagi Search’s Most Promoted and Blocked Domains

Kagi (Hacker News):

View the top domains that users create personalizations for.

Some of the commenters are raving about the ability to boost and block certain domains. It’s an interesting idea, but at the moment it’s not clear to me how I would use this.

Via Brian Webster:

It’s a subscription service, but Google has gotten so bad that I think it’s become worth it for me at least.

I have been trying Kagi on and off for over a year. Overall, I have not been impressed. The results have been OK. There definitely seems to be less spam at the top of the results, but in general the pages that I wanted haven’t been at the top, either. But today, for the first time, it found a good result for me, at the top of the list, that I hadn’t found at all with Google or Bing. So Kagi is not my default search engine, but I intend to keep it in the rotation. I think we’re firmly back in the pre-Google world where it’s common to need multiple engines to find stuff.

Kagi (in March):

We are launching three new search features today: Summarize Results, Summarize Page, and Ask Question about Document.

All three features are activated on demand as per our AI integration philosophy, and do not incur any cost towards the user unless used. Usage for these features is converted into search usage and is discussed in more detail below.


Lisa’s Secret Burial

The Verge (video):

Sabotage, hired goons, and a landfill in Utah: this is a story about the life, death, and afterlife of Apple’s most pioneering flop, the Lisa computer. How it inspired generations of computers to follow; how Steve Jobs championed it, then turned against it; and how an outsider gave it another chance…before Apple closed the door on the Lisa forever.

See also Sun Remarketing:

Sun Remarketing bought the MacWorks XL emulator from Apple in the 1980s to spur sales of the Lisa computers by making them able to run Macintosh applications. Following the introduction of the Macintosh Plus by Apple with its enhanced 128K ROM, many new Macintosh applications no longer worked under MacWorks XL. To clear its remaining inventory, Sun Remarketing took the bold step of underwriting the development of a new emulator called MacWorks Plus which fully supported the 128K ROM on the Lisa hardware, and packaged it together as the Lisa Professional.


Friday, August 4, 2023

Brave Search for Images and Video

Brave (via Hacker News):

Brave Search is releasing its own privacy-preserving image and video search that is independent from Big Tech search engines. Users will no longer need to leave Brave Search for image and video search results. Now any Brave Search query can be served directly from Brave’s own index, enabling users to benefit from a fully independent search engine that protects their privacy and is censorship-resistant. Our recently released Brave Search API will also imminently include these image/video results.

My initial impression is that the image search finds fewer and less relevant matches than other search engines, but it’s good to see them working on this.


Apple’s Q3 2023 Results

Apple (transcript, Hacker News, MacRumors):

The Company posted quarterly revenue of $81.8 billion, down 1 percent year over year, and quarterly earnings per diluted share of $1.26, up 5 percent year over year.

“We are happy to report that we had an all-time revenue record in Services during the June quarter, driven by over 1 billion paid subscriptions, and we saw continued strength in emerging markets thanks to robust sales of iPhone,” said Tim Cook, Apple’s CEO.

Jason Snell:

The three key hardware categories were all down year-over-year: Mac was down 7%, iPad was down 20%, and the all-important iPhone was down 2%. Things were a little different in the two portions of Apple’s business that have shown indefatigable growth in recent years: Services revenue was up 8% and the Wearables, Home, and Accessories category was up 2%.


Update (2023-08-11): Benjamin Mayo:

But that’s about all Apple will tell us as to the performance of Services. It hasn’t reported Apple Music subscriber numbers since 2019, nor has it ever given hard figures about the performance of Apple TV+, Apple Arcade, News, iCloud, or Apple One in general. A billion subscribers is a huge headline figure, but it obscures the real story of what most people think of when you say ‘Apple services’. Services includes the App Store, and so a majority of that 1 billion total includes In-App Purchase subscriptions from third-party apps in the App Store. Although we never know for sure because Apple won’t tell us, it follows that the majority of Services revenue growth hails from the 15-30% commission Apple collects on those in-app purchase transactions.

If I was a financial investor, I would be growing increasingly dissatisfied with the murkiness of the Services business. For Apple’s flagship growth unit, it’s really hard to get a read on its performance. The golden goose of Apple’s stronghold on the App Store is constantly under threat from regulation, but we can’t measure the potential impact on Services revenue. The success of Apple’s content services are a hedge against the risk of App Store commission drying up, but we don’t know anything about the state of those offerings — we can’t even say for sure they are successful.

Avoiding Implicit Retain Cycles When Using Swift Function References

Svein Halvor Halvorsen:

Even though we capture self unowned in the outer closure, the callbacks that get registered with the socket are captured strongly. So even when the object above is released from wherever it was created, the object is still kept alive.


The [unowned self] in and argument list is just boilerplate, repeated over, with no other purpose than to pass arguments from one function (the in-line closure) on to the next (the actual event handler functions).


What if we took self.dynamicType.onChatMessageReceived from the second event handler above, but without the argument (self), and passed that as a parameter to our wrapper function, together with a reference to self? Maybe we could then capture that reference unowned, and pass the unowned instance reference to the class function to get an instance function, without creating a retain cycle.

As he says, this works but it is far from optimal. I wonder if there’s a way to make it better with macros.

Sean Heber:

In the first line, Swift will helpfully tell me that I’m accidentally capturing self, but in the second line there’s no warning whatsoever.


Update (2023-08-09): Doug:

I’ve hit that enough to make a helper library and there’s a forum discussion proposing a syntax for weakly capturing a method that’s quite relevant.

However, the last post was more than 5 years ago.

Update (2023-08-15): See also: Revisiting requiring explicit self. when passing a method as an escaping closure (via Robin Kunde).

Spectre Camera Pro

Tim Hardwick:

Spectre, the long-exposure AI-powered iPhone camera app made by the developers of the popular Halide photography app, is now free.


Previously $1.99, the app's switch to freeware marks the introduction of a new paid-for Pro version, which includes additional 15- and 30-second exposure modes, plus a new Pro icon [for $4.99].


Thursday, August 3, 2023

Building, Testing, and Scaling With SwiftUI

Steve Troughton-Smith:

I like the idea of Xcode Previews, but in practice I can’t see the logic of putting elements in your codebase that will auto-open the canvas and take tens of seconds to render a preview (or an error) every time you open a source file. Even when I’m working with SwiftUI, I have to turn previews off. I don’t know how they ever fix this, since it’s booting up virtual machines in the background every time and that will just never be fast or reliable.

Rafael Schmitt:

You just have to learn what it is good for and what it’s not. It’s good for building small UI components and getting feedback on changes very quickly. It’s not good at running your main view and being reliable when you’re switching between many view files.

Gustavo Poscidonio:

One aspect of SwiftUI that is crucial to my workflows is the SwiftUI Preview system. Previews are an incredibly powerful and sophisticated tool, intelligently recompiling only the code which has been modified, in order to achieve a blazing fast edit-refresh cycle.


Beyond its time-saving qualities, I find that when you develop your views to be previewable, you’re also just writing good code. Writing views that preview easily means you’re writing views that clearly define their inputs and outputs, which make them highly reusable and highly testable.


The goal of defining a view model protocol is to clearly define all inputs and outputs to a view. By doing so, we are able to create stub implementations of our view models that don’t rely on a production environment to function.


Since we’re hardcoding our values in, we can largely ignore the behavior of data fetching tasks for most use cases (hence the no-op) and now our preview is based entirely on our locally defined static data. This means we can do lots of things we couldn’t very easily do before!

Gustavo Poscidonio:

You’ll notice that regardless of what kind of view model we pass into PokemonList, we are always using a production view model for PokemonDetailView (notice the lack of Stub in the view model name, which I have been using to indicate the test/stub version of the view model protocols).

To rectify this, it’s important to make a key observation: the view models for child views are a dependency of the parent view. In this example, PokemonDetailViewModel is a dependency of PokemonListView, since PokemonListView is the one instantiating it and passing it to the child view. Since it’s a dependency, we should include it in our view model protocol, which requires getting a little fancy with the type system.

In order to preserve concrete types through a protocol, we introduce an associated type that allows each version of the view model protocol to define its own detail type. Basically, we’re trying to add the ability for a production view model to say “I want to use a production detail view model” and for stub view models to say “I want to use a stub detail view model”.

Update (2023-08-10): Craig Hockenberry:

If you’re experiencing problems with SwiftUI not updating previews and getting stuck “preparing”, that’s because there are some processes that don’t get terminated and hang around causing problems. Even if you quit Xcode and Simulator.

Here’s a simple script that cleans things up[…]

Update (2023-08-15): Craig Hockenberry:

Xcode Folks: I don’t know what the future of UI previews looks like, but here’s what it doesn’t look like: launching hundreds of CoreSimulator processes that fail unpredictably.

I restart Xcode and the Simulator dozens of times every day because I’m working on things that target multiple platforms. In practice, developers who work across Apple’s entire ecosystem are penalized. Adding watchOS to an iOS project results in reduced productivity.

And now we’re adding visionOS to this mess…

Update (2023-08-18): Craig Hockenberry:

Imagine how awful it would be to do web development by typing a line of code and then firing up a VM with Windows 10 and its Edge browser.

Guess what? We’re doing that awful thing with SwiftUI thousands of times every day.

Textual Paint

Isaiah Odhner (via Rhet Turnbull):

MS Paint in your terminal.

This is a TUI (Text User Interface) image editor, inspired by MS Paint, built with Textual.


Many file formats are supported, including ANSI art, raster images, SVG and HTML.

How NSHostingView Determines Its Sizing

Brian Webster:

I couldn’t get my SwiftUI view to expand to fill up the entire superview that the NSHostingView was being added to.


The next thing I came across was a property on NSHostingView called sizingOptions, which is described in the documentation as “The options for how the hosting view creates and updates constraints based on the size of its SwiftUI content.” Well that sounds promising! The default setting is all three options, [.minSize, .intrinsicContentSize, .maxSize], so I tried setting it to just [.minSize] and lo and behold, it worked! The Spacer was now growing to take up the whole height of the superview! (setting [.minSize, .maxSize] also worked)

But, there’s just one problem… this property was introduced in macOS 13 and I’m still targeting macOS 12. 😭 But, after seeing this property and how it works, I think I now understand what was going on with the size proposals earlier. I believe what NSHostingView does is to probe its rootView once each so it can set up constraints for a minimum size, intrinsic content size, and maximum size. […] So what I need to do is basically reimplement what the sizingOptions property is doing, which is to ignore the intrinsic content size of the SwiftUI view.


Wednesday, August 2, 2023

Rethinking Window Management

Tobias Bernard:

We’ve wanted more powerful tiling [in GNOME] for years, but there has not been much progress due to the huge amount of work involved on the technical side and the lack of a clear design direction we were happy with. We now finally feel like the design is at a stage where we can take concrete next steps towards making it happen, which is very exciting!


Mosaic is the default behavior. You open a window, it opens centered on the screen at a size that makes the most sense for the app. For a web browser that might be maximized, for a weather app maybe only 700×500 pixels.

As you open more windows, the existing windows move aside to make room for the new ones. If a new window doesn’t fit (e.g. because it wants to be maximized) it moves to its own workspace. If the window layout comes close to filling the screen, the windows are automatically tiled.


One important missing piece is having information on the maximum desired size of a window. This is the size beyond which the window content stops looking good. Not having this information is one of the reasons that traditional tiling window managers have issues, especially on larger screens. […] In addition, it’d be helpful to know the range of ideal sizes where an app works best.

Via Lukas Mathis:

Window management is probably the single worst aspect of current operating systems, and his ideas for how a modern tiling window manager might work are extremely compelling to me.


Mozilla Shutting Down Pocket for Mac

Michael Potuck (Mastodon):

Mozilla has announced today that its read-it-later service Pocket will be retiring its Mac app this month. Users are encouraged to install the iOS app on their Mac or use the web going forward.

The whole point of native apps is that I don’t want a “consistent user experience across mobile and web.” That’s another way of saying “lowest common denominator.” I would rather have a differentiated/optimized experience on each platform. This change also completely removes support for the app on Intel-based Macs, which can’t run iOS apps. Although, if it’s anything like most Catalyst, not to mention iOS apps for the Mac, I’d probably prefer the Web version, anyway.

Catalyst is not working out as I’d hoped. Four years in, and it still seems to be caught in an awkward middle ground. With very few exceptions, the apps don’t feel like real Mac apps. Yet they’re apparently not easy enough to write and maintain that a lot of companies will add Mac support—and even existing Mac versions are being discontinued.

With iOS Apps for Mac, expectations are lower, and I’ve sometimes found them useful, but it seems like most apps aren’t marked as available.


Update (2023-08-09): John Voorhees:

I think we’re going to see more and more of this with Mac apps.

Marco Arment:

For primarily-iOS apps, letting your app run in iPad-compatibility mode on a Mac is MUCH less work than maintaining a Catalyst app, which itself is massively less work than having a separate AppKit app.

[A] Catalyst version requires a completely separate testing and release workflow, and a separate approval process for every update, because it needs to be listed in the Mac App Store.

iPad apps running on Apple silicon just use their iOS App Store entries.

John Gruber:

On the Mac, Pocket seems like the sort of thing that makes sense to use in your web browser. Even Apple’s own News app is built with Catalyst, and every single time I use Apple News on the Mac I wind up wishing I were reading the article in Safari instead.

Cesare Forelli:

The Cocoa app hadn’t been updated in 5 years, but still worked natively and well (it WASN’T a web wrapper!), with the only thing missing being support for Dark mode.

Here’s a few screenshots for comparing information density and Mac-likeness of the old app and the iPad version.

Personally, I disagree that on Macs such service works well in a browser: I always liked having a dedicated bookmarking app in its corner of the screen, independent from browser tabs.


My biggest complaint about the iPad app on macOS is the SafariViewController => Safari bridge, which throws up a clunky “this link is being opened in Safari” window every time you view web content. I accept the underlying conceit, but it’s a pretty rude kludge.

See also: Reddit.

Helping ckbk Remove Ad Tracking

Adam Engst:

Matt was referring to “Use Live Text to Digitize Your Cookbooks” (5 January 2023), and he wanted to tell me about his service ckbk, which provides the full text of roughly 700 cookbooks to subscribers.


I downloaded the ckbk app to my iPhone and was dismayed to discover that this compelling-sounding service from someone I’d probably enjoy a great deal in person seemingly wanted to track me. […] My politely worded disappointment about tracking resulted in ckbk refactoring the app to remove the dialog, which will create a better experience for new ckbk users, possibly including TidBITS readers. Everyone wins.

I also learned that Apple’s App Tracking Transparency might be a bit more of a blunt instrument than I had previously thought. As you saw in the screenshot above, I still use a fair number of apps that have asked to track me, and perhaps they aren’t as evil as I had believed. But I’m still not going to give them permission. And don’t get me started about the likes of Facebook and Instagram, which I won’t let anywhere near my iPhone.


Tuesday, August 1, 2023

Twitter Is Now X

John Gruber:

Company-wide memo from nominal X Corp CEO Linda Yaccarino, sent this morning[…]

Sarah Perez (via John Gruber):

The owner of the @x Twitter handle confirmed that the company, now known as X, took over his account without warning or financial compensation, telling him the handle is property of X. The handle had previously belonged to Gene X Hwang of the corporate photography and videography studio Orange Photography. In a letter, the company formerly known as Twitter thanked Hwang for his loyalty and offered him a selection of X merchandise and a tour of X’s HQ, as a “reflection of our appreciation.”

Tim Hardwick:

X, the social media platform formerly known as Twitter, has updated its official app on Apple’s App Store to conform with the new branding that was announced last weekend by billionaire owner Elon Musk.

Instead of “Let’s talk” – Twitter’s original tagline – “Blaze your glory!” is the curious subtitle on X’s iOS App Store listing, which describes the app as “the trusted digital town square for everyone.”

The new logo and name are meant to reflect Musk’s longstanding intention to transform the social media network into an “everything app” similar to China’s WeChat.

Dave Mark:

Apple blinked.

X breaks App Store rule, becomes the very first single character listing.

Wonder when the Twitter URLs will switch over to X dot com. 🤔

Craig Hockenberry:

“We treat all developers the same.”

I'm fine with that not being true, and there are good reasons for it not being true, but I wish Apple would stop saying it.

Falls into the Google-not-being-evil category.

See also: Netflix.

Esther Crawford (tweet, via Jay Peters):

[Elon Musk’s] focus on speed is incredible and he’s obviously not afraid of blowing things up, but now the real measure will be how it gets reconstructed and if enough people want the new everything app he is building.

I learned a ton from watching Elon up close — the good, the bad and the ugly. His boldness, passion and storytelling is inspiring, but his lack of process and empathy is painful.

Elon has an exceptional talent for tackling hard physics-based problems but products that facilitate human connection and communication require a different type of social-emotional intelligence.

Social networks are hard to kill but they’re not immune from death spirals. Only time will tell what the outcome will be but I hope X finds its footing because competition is good for consumers.

Update (2023-08-04): Mysk:

The bundle ID of X for iOS is still com.atebits.Tweetie2.

Update (2023-08-09): Dave Mark:

The Mac Twitter client has no mention of X (see pic).

  • Still called Twitter
  • The copyright is 2022, Twitter Inc.

Given all the things drawing focus for the Twitter rebrand, think Musk will ever reskin Twitter for Mac? Or will it eventually just die, as tweets make their way to x dot com and the old client can no longer find them? 🤔

Update (2023-08-22): John Gruber (Hacker News):

So if you don’t know that Twitter changed its name to X, and search for “Twitter”, the top result is a paid ad from a competitor (Snapchat, Facebook, Instagram, etc.), and the result for X doesn’t look anything like Twitter. It doesn’t have the name, doesn’t say “formerly Twitter”, and isn’t even blue. It’s just the ugly X icon and the insipid slogan “Blaze your glory!”

So it’s no surprise that downloads are dropping.

System Settings That Aren’t in System Settings

Howard Oakley:

By rights, settings in an app should only control the behaviour of that app. Settings for macOS behaviours should be controlled in System Settings, after all that’s what the name says. However, over the years Apple has hidden some away in its bundled apps, leaving users confused as to how these settings get changed without their control. Here’s a list of useful and important system settings you might otherwise struggle to find.


To change the destination and other details for screenshots, press Command-Shift-5 for its floating panel with the Options menu.

There are, of course, several third-party apps that give more coherent and extensive access to these and other controls, but it’s frustrating that instead of rationalising them, System Settings doesn’t centralise them any better than System Preferences did.


Update (2023-08-09): Thomas Clement:

The default web browser setting is under “Desktop & Dock” 😐

Swift Enum Pattern Matching With Extra Conditions

Natalia Panferova:

In this post we are going to explore how we can provide more precise conditions for pattern matching when working with enums in Swift. The most common use case is using switch statements with the where clause to get more control over case conditions. But we'll also look into using the where clause in for-in loops to avoid unnecessary extra iterations. And finally, we'll see how to add extra conditions in while loops and if-case statements when the where clause is not available.

I’ve always found Swift’s if case syntax confusing, because you have to put the constant first, and then you use =, which looks like an assignment, instead of ==. It makes more sense if you think about the variant Panferova shows, where there are associated values. Then it becomes if case let, and the order and operator are what you’d expect for a let. I generally write if anEnum == .aCase if I don’t need to bind any variables, but my recollection is that this either wasn’t supported or had issues in earlier versions of Swift.

Christian Tietze:

I believe there’s tremendous value in summaries like these to learn the Swift programming language and its syntax: these short summaries show a slice of different aspects of the language in close proximity.


It’s zooming in on where-clauses, and so the reader gets to know a different “view” into the syntax as a whole that is different from the book’s presentation.


Tax Services Shared Financial Information With Google and Meta

Colin Lecher:

Meta and major tax preparation companies inappropriately shared millions of taxpayers’ financial data for years, according to a congressional report released today that was spurred by a Markup article.

Our investigation, which was published in November, revealed how tax filing services including H&R Block, TaxAct, and TaxSlayer were transmitting data to Facebook’s parent company, Meta, through a tool called the Meta Pixel. The data was sent as taxpayers filed their taxes and included personal information like first and last names, income, filing status, and refund amounts. Some data was also sent to Google through its analytics tools, and Google was also a subject of the congressional investigation.

Via Nick Heer:

For example, while everyone involved acknowledged the inadvertent collection of tax-related information by ad tech companies, they waved away any concern because, they said, the data was de-identified. We all know how comforting a statement like that really is. Two of the three tax software providers enabled the collection of additional data — one of them blamed it on advice given to them by a Meta representative — and none knew exactly what had been transmitted to Meta. Nobody seems to be able to say exactly how this information was used after transmission, but the investigation concluded it was likely it was used for targeted advertising, because that is the main reason for this data collection in the first place.

I previously filed tax returns through H&R Block; in 2022, I used Wealthsimple. The tax prep areas for both sites appear to still be using tracking products from Google and Meta. It looks to me like less information is being collected; however, it is still strange to me that I would find any third-party trackers in tax prep software.

I’ve been using the TurboTax app, which should be better as it seems to use Mono rather than Web technologies. However, Little Snitch still detected some questionable connections to domains like,, and