Thursday, December 7, 2023

End-to-End Security for Facebook Messenger

Jon Millican and Reed Riley (Hacker News):

  • We are beginning to upgrade people’s personal conversations on Messenger to use end-to-end encryption (E2EE) by default.
  • Meta is publishing two technical white papers on end-to-end encryption:

It even works in the Web interface. Advanced Data Protection for iCloud requires manually opting in, and you can only do that if all your devices are new enough. So, ironically, this may mean that Facebook Messenger will be effectively E2EE for most users before iMessage is.

Tim Hardwick:

As things stand, end-to-end encryption for group Messenger chats remains opt-in, and Meta previously said that Instagram messages will be encrypted “shortly after” the rollout of default encryption for Messenger chats.

Update (2023-12-11): Mike Masnick:

It’s extremely rare that I’d offer kudos to Meta, but this is a case where it absolutely deserves it. Even if some of us kept pushing the company to move faster, they did get there, and it looks like they got there by doing it carefully and appropriately (rather than the half-assed attempts of certain other companies).

Update (2023-12-12): See also: Bruce Schneier.

Privacy Manifests Update

Apple:

Starting in spring 2024, if your new app or app update submission adds a third-party SDK that is commonly used in apps on the App Store, you’ll need to include the privacy manifest for the SDK. Signatures are also required when the SDK is used as a binary dependency.

[…]

Based on the feedback we received from developers, the list of approved reasons has been expanded to include additional use cases. If you have a use case that directly benefits users that isn’t covered by an existing approved reason, submit a request for a new reason to be added.

Here’s the updated list. It mercifully still does not seem to apply to Mac apps.

Update (2024-03-07): Jesse Squires:

Apple’s security theater and review bureaucracy are just next-level now. I love how they keep finding ways to “innovate” in this space.

Apple: “Here’s an API to save app preferences!”

Dev: uses API

Apple: “WHY ARE YOU USING THIS API? YOU MUST TELL US.”

Dev: “I’m saving app preferences”

Apple: “Oh, ok. lol. Please fill out this paperwork.”

TV.app in tvOS 17.2

Benjamin Mayo (MacRumors):

Apple will discontinue the standalone iTunes Movies and iTunes TV Shows apps on the Apple TV box, starting with tvOS 17.2. The warning message seen above has started appearing in the release candidate version of the tvOS 17.2 beta, released yesterday.

[…]

Apple has updated the TV app in 17.2 in preparation for the migration away from the standalone iTunes video apps, bringing across some functionality that was previously missing in TV. That includes things like filtering by genre in the Purchased tab, and the inclusion of box sets in the store listings.

John Gruber:

It’s a good simplification overall: Apple’s own content — both iTunes purchases and TV+ streaming content — is in the TV app.

But now you really can’t avoid the streaming content.

Joe Rosensteel:

The issues that I have suggested Apple should resolve:

  1. Unify media and apps into one interface, with the ability to pin favorite apps.
  2. Reduce the amount of Apple TV+ promotion in the interface, particularly for non-subscribers.
  3. Properly personalized recommendations based on viewing habits.
  4. Handle live TV through a unified programming guide, like Amazon does, instead of pretending the only live TV is live sports.

The new interface miraculously resolves none of these things.

Upon upgrading to 17.2, and opening the TV app for the first time, you’re still treated to the same behavior I’ve bemoaned in the past where the TV defaults to showing the Apple TV+ view asking me to “Come back for new Apple Originals” with Jason Sudeikis’ mustachioed face right next to it. There’s no more Ted Lasso, fellas. Let it go.

There’s also a new sidebar with Apple TV+ and MLS Season Pass elements that can’t be hidden. As he says, Apple wants to “pretend that the universe revolves around Apple TV+ and consider all other streamers as ancillary add-ons.”

Update (2023-12-08): Adam Chandler:

Eddy Cue, when unveiling the modern Apple TV OS, said the future of TV is apps. He was right, but Apple has chosen to put all of their video into one app. This is user hostile. If you dislike soccer, sports, TV+ and just want to watch a TV show you own from iTunes, you have only one place to go. I want the choice to “uninstall” Apple TV MLS but I can’t do that.

Scott Anguish:

Really disappointed that the iTunes movie store app is going to be going away in tvOS 17.2.

It’s far and away better for movie purchasing (wishlist) and viewing (being able to see descriptions and previews for a movie). It’s much faster than the library in the TV app.

Sonoma’s “cp -l” Won’t Create Links

Rob Griffiths:

I ran into this while working on a Keyboard Maestro macro that creates hard links: The macOS version of cp won’t create links, at least not in Sonoma. In Ventura, it works even though it throws the same error as it does in Sonoma.

[…]

I have filed this bug as FB13255408 with Apple, and I’m hopeful they fix it soon. There is a workaround, obviously: Use ln instead. This works fine for individual hard links, but using cp to quickly copy an entire folder as hard links is a nicer implementation.
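The ln workaround, as an added example that is not from Rob Griffiths’ post or his macro: a POSIX sh function that mirrors a folder as hard links with ln (what `cp -Rl` would do) and a check that each mirrored file shares an inode with its original. The directory under `$demo_dir` is constructed for the demo.

```shell
#!/bin/sh
# Added example: hard-link a folder tree with ln instead of `cp -Rl`, then
# verify the result. The demo files below are constructed for illustration.

link_tree() {
    # Usage: link_tree SRC DST  (DST must not exist yet).
    src=$1; dst=$2
    [ -d "$src" ] || return 1
    if [ -e "$dst" ]; then return 1; fi
    # Directories cannot be hard-linked, so rebuild the directory skeleton.
    (cd "$src" && find . -type d) | while IFS= read -r d; do
        mkdir -p "$dst/$d" || exit 1
    done || return 1
    # Hard-link every regular file into its mirrored location.
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        ln "$src/$f" "$dst/$f" || exit 1
    done
}

verify_tree() {
    # Succeed only if every regular file in SRC has a same-inode twin in DST.
    # The -ef test compares device and inode, which is what a hard link shares.
    src=$1; dst=$2
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        [ "$src/$f" -ef "$dst/$f" ] || exit 1
    done
}

# Constructed demo tree.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/src/sub"
printf 'hello\n' > "$demo_dir/src/a.txt"
printf 'world\n' > "$demo_dir/src/sub/b.txt"

link_tree "$demo_dir/src" "$demo_dir/dst"
verify_tree "$demo_dir/src" "$demo_dir/dst" && echo "every file in dst is a hard link of src"
```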

The MacBook Air Gap

Joe Rosensteel:

Why do I care about the “Pro” chip so much? Despite the name the Pro is really the middle chip, but there’s no middle laptop for it. The base M2 and M3 can be configured with more RAM (to a point) but they can’t be configured with extra ports, or even drive more than one external display. They’re not like pokey Centrino chips — they do have the ability to perform — but they are inflexible for certain workflows that require additional connectivity, like dual displays.

It’s pretty easy to argue that dual displays are a high-end feature, and thus demand a $1999 or more computer, but that wasn’t true of Apple’s Intel-based laptops. It has always felt like a regression to me since the introduction of the first M1 chips, and it’s not something Apple wanted to correct in the M2 or M3.

[…]

If the base M chips could work with dual displays in clamshell mode it would be a no-brainer and I would get the 15” MacBook Air.

[…]

That means there’s a price umbrella between $1499 (15” M2 MBA 8/512 GB) and $2499 (16” M3 Pro MBA 18/512 GB). A thousand dollars where the only thing that can fill that gap is custom RAM and SSD sizes, no chip variation at all.

Mike Rockwell:

My recommendation for almost anyone that wants a desktop Mac now is to get a Mac Mini and an external display. You could get a Mac Studio or a Mac Pro, but if you’re the kind of person that needs the additional performance or connectivity, you already know that the Mac Mini isn’t enough for you.

Unlike the iMac and MacBook Air, even the base Mac mini can support two large displays. And the Mac mini also has an option for a Pro processor.

Filing Mail Messages on Sonoma Using the Keyboard

Adam Tow:

As I continue to investigate how to bring MsgFiler to macOS Sonoma, here’s a tip from a user that allows you to file messages via the keyboard on Sonoma. It also works on previous versions of macOS dating back to 2011.

  1. Select a message to file
  2. Click on the Help menu or press Command-Shift-/
  3. Type in a portion of the mailbox you wish to file or copy the message to
  4. Choose the mailbox in the list that appears with the arrow keys or the mouse
  5. Press Return or click the mouse/trackpad

There are a bunch of limitations.

My approach has long been to use a large number of rules so that almost everything is filed automatically. I then have a few AppleScripts, invoked via FastScripts, which move the selected messages to particular mailboxes. Another option is to add mailboxes to the Favorites Bar, and Mail will then automatically assign them numeric keyboard shortcuts.

FastSpring Risk Screening

I received a pair of e-mails from one of my payment processors, FastSpring, which included this text:

Our implemented process is designed to ensure full alignment and compliance with regulatory standards, including KYC/KYB (Know Your Customer/Know Your Business) requirements, Anti-Money Laundering (AML) regulations, Countering the Financing of Terrorism (CFT) guidelines, and international sanctions screening. We’ve had to invest in various compliance measures to meet these regulatory requirements, but they do come with associated costs. We’re striving to keep these costs as reasonable as possible for our sellers.

The annual Risk Screening process is applicable to all sellers. To offset the administrative costs associated with this service and to ensure a seamless process, we have implemented a fee of $150.00 to complete the Risk Screening, no more than annually.

[…]

Upon successful payment processing, our Risk team will reach out to you in the following weeks to guide you through the screening process. We understand the importance of your business, and we are committed to upholding the highest standards of security and service. If the fee isn’t received by the specified date, your account will be unfortunately disabled, resulting in loss of access to the FastSpring platform and payment processing capabilities, including subscription renewals.

This sounded a bit suspicious. The e-mails seemed to be sent from FastSpring, but they looked different from other e-mails I’ve received from them. They used different formatting and did not address me by name. A link to their terms of service was included. The ToS does mention a $150 fee, but it refers to it as a “Vendor Risk Verification Fee,” whereas the e-mail calls it a “Risk Screening Fee.”

The e-mail said to go to fastspringverifications.onfastspring.com to pay the fee. This is odd because it’s a store hosted at FastSpring itself. It calls FastSpring an “authorized reseller” and has a field to enter a coupon code. There’s a “Get updates about our products and offerings” box that’s pre-checked. Nothing on the main fastspring.com site seems to link to this store.

This store is not inside of the admin interface for my account, and it doesn’t ask for my account ID, so it’s not clear how they would associate the payment with my account. Do they match the e-mail address? And why aren’t they just taking the fee out of my earnings automatically, like they do for their other fees?

This all just looked strange, but I contacted FastSpring’s support and they said it was legitimate.

The decision to use a separate payment link, fastspringverifications.onfastspring.com, is intentional and aimed at enhancing the accuracy of fee tracking. This approach ensures a detailed and accurate record of all fee-related activities.

I don’t understand that at all. In any case, I’m a longtime customer but am currently only using FastSpring as a backup processor, so the transaction volume is low, which may explain why they want me to pay the fee.

It’s not that big of a deal, if legit, and it seems I have no choice if I want to keep the account, so I went to pay the fee, but they said my credit card was declined (3 times). I know the card works and had just used it for something else. It’s never been declined anywhere else. I contacted the card issuer who said there was no record of FastSpring even attempting a charge. I’ve contacted FastSpring again to see what’s going on but have not heard back from them since yesterday, whereas the initial confirmation that the e-mails were real came after only a few hours.

Everything else with FastSpring has gone smoothly over the years, which is what makes this so surprising. So I wanted to document this odd interaction in case anyone else gets these e-mails that look like possible phishing.

As a side note, when I got started selling software, all the e-commerce providers would post their rates online. It was all transparent and simple to compare. Now, they are all up front about the fact that rates depend on negotiating custom deals based on your scale. FastSpring pointedly does not tell you their pricing, except to say that it’s “simple, flat-rate” that “works on a revenue-sharing model.” But there’s apparently at least one hidden fee that’s only mentioned in the fine print.

Update (2023-12-08): FastSpring e-mailed me back to say that the payment issue was corrected, but it again reported that my card was declined.

Update (2023-12-08): FastSpring “pointed the store to a different processor,” and then it worked for me. They were very nice and said they would proceed with the screening, anyway, if we couldn’t get the payment to work.

Update (2023-12-11): See also: Hacker News.

I forgot to note that the first e-mail that I got had the FastSpring domain name misspelled!

As to the verification, FastSpring asked me some basic questions about my business and requested some documents. We then moved on to the next phase with ShuftiPro, which I failed. The live photo capture didn’t work in Safari on my Mac—I gave it camera permission, but it kept showing a blank image. They then gave me a QR code to scan with my iPhone to continue the process there. I used the phone’s camera to take a photo of my face, but it was rejected for being “altered or photoshopped.” They also requested a document for address verification, so I submitted an insurance certificate, but that document was rejected for being “altered/edited.” So I’ve now contacted FastSpring to see how I can try again and what I can do about it falsely claiming that the information I’m providing was altered.

Update (2023-12-12): Rob Jonson:

I really want to use @PaddleHQ for billing in my SaaS. They really don’t seem to want the business. Applied for verification two weeks ago. Responded to email a week ago explaining what I do. Still no response.

Back when I did verification with Paddle it was quick. I’ve yet to hear back from FastSpring about what to do about the verification that failed yesterday.

Update (2023-12-16): FastSpring was able to manually verify me, so my account is back in good standing.

Update (2023-12-21): See also: Reddit.

Update (2024-01-03): Even though FastSpring had previously told me that I was verified, I got another e-mail from a different support person saying that I still need to do the verification.

Update (2024-01-04): I have not yet heard back about my verification. I did receive an e-mail yesterday from Braden Steel, Senior Product Marketing Manager at FastSpring, who writes:

As a payment provider, FastSpring is required by our upline payment processors and other organizations to perform ongoing risk assessments on all of our customers in order to comply with various regulations and rules related to fraud prevention, money laundering, sanctions screening, and other similar concerns. For customers processing more than $5,000 per month through the FastSpring platform, ongoing risk assessments are free. For customers processing less than $5,000 per month through FastSpring (e.g. using FastSpring as a failover / backup payment solution) there is a $150 per year fee to cover the administrative costs of ongoing risk assessments which isn’t fully covered by FastSpring’s fees for customers processing less than $5,000 per month. If you’d like more information on the fee or have additional concerns, please contact support@fastspring.com.

I can kind of see why FastSpring doesn’t want to be a backup, though if they made it attractive to be a backup they would be on-deck to be promoted to primary at any time, whereas now they are encouraging developers to drop them completely. It’s unfortunate that developers who are just starting out, are part time, or are getting most of their sales from the App Store are going to be stuck with a semi-hidden fee that’s a higher percentage of their revenue even though they are prioritizing FastSpring.

I asked why they are adding the fee now—since I’m not aware of the regulations changing in the last year—and whether the $5,000 per month is a minimum for the year or an average, but have not heard back yet.

Update (2024-01-05): Here are two more Reddit threads on FastSpring and alternatives.

Update (2024-01-10): More clarifications from Steel:

Why Now? In the 18 years we’ve been in business, we’ve built up a large number of customers who use us as a backup or may maintain their FastSpring account despite using FastSpring for only a small amount of their sales. As the number of these customers has grown, not only do admin costs increase, but potential risk also goes up. We’ve made the call to do this now to ensure that we’re protecting our customers and our business.

I don’t find that this really answers the question about why longtime customers who have never caused problems and haven’t changed their business info are suddenly a risk. There are legal and regulatory requirements, but it seems that they do not specify that verification needs to be done annually (and other payment processors do not):

The requirements can vary depending on where they originate globally. To ensure continued compliance with all of those regulations, we’ve made the decision to standardize our internal processes.

I’ve also heard that longtime customers with higher sales volumes, while exempt from the fee, are not being required to do the verification, either. So it seems that FastSpring is only worried about the risk from low-volume accounts, or perhaps they are staggering the verifications and focusing on those first.

The fee seems to be determined based on the lowest-sales month of the year:

To calculate this fee, we look at the previous year’s sales volume on a monthly basis to see who falls below the $5,000 monthly threshold. Those who do may be subject to the fee for the following year as we do our standard risk verification that is applicable to all sellers on the FastSpring platform. Sellers are only subject to this fee after they’ve been on the FastSpring platform for an entire year as well to give them time to ramp up their stores on the FastSpring platform.

If you aren’t able to ramp up to $60K of annual sales, with no month falling below the minimum, you have to pay the fee every year.

Update (2024-01-11): I got an update from FastSpring saying that the original e-mail from Steel was in error:

The fee is only applicable to sellers who are transacting at less than $5000 annually, not monthly.

The original text seemed to be part of a coordinated press response, so I have to believe this is more a backtracking than a correction. In any case, the reduced threshold is great news for smaller businesses who don’t have $60K in annual sales. And businesses using FastSpring as a secondary processor could direct some orders to FastSpring until they hit the threshold in order to avoid the $150 fee. In theory, everyone will still need to go through the annoying annual screening, though.