Archive for July 22, 2024

Monday, July 22, 2024

Taboola + Apple News

Sara Fischer (Hacker News):

Ad tech giant Taboola has struck a deal with Apple to power native advertising within the Apple News and Apple Stocks apps, Taboola founder and CEO Adam Singolda told Axios.

[…]

The deal is also a recognition from Apple that growing its ad business will require a serious sales operation — one that, if Apple doesn’t build internally, will need to be outsourced.

[…]

This isn’t the first time Apple has worked with a third party on ad sales. Before working with Taboola, Apple had an exclusive deal with NBCUniversal to sell ads for Apple Stocks and Apple News.

Om Malik:

I’ve been a happy Apple One customer. It made perfect sense to sign up for the package considering I was paying for Apple TV+, Apple Music, and iCloud storage. For an extra couple of dollars, I could get Apple News+, so I thought why not. That ended today when I learned that Apple had struck a deal with Taboola, a company known for serving low-quality ads next to web content. I decided to cut bait.

[…]

If you look at Facebook’s ARPU in the U.S. and Canada, it is hovering around $54 or about $4.50 a month. There’s no way Apple News and Stocks are as good at monetizing from advertising or have the market power to extract better advertising pricing. If they did, then they wouldn’t be partnering with Taboola. It makes more sense for Apple to charge a few dollars more from its Apple News customers and eschew all advertising. That’s almost a better business decision and actually maintains brand integrity.

Nick Heer:

Then again, services revenue seems to have compelled Apple to do lots of things which previously felt wrong. It has a credit card with interest rates currently between 19.24% and 29.49%. It aggressively advertises its services in its operating systems to the detriment of users’ experiences.

These moves may not feel like they fit Apple’s brand if your impression of it was formed more than ten years ago. There is no use protesting that they are out of character, however, when priorities like these feel like they represent today’s Apple.

M.G. Siegler:

The typical Taboola ads you see around the web – “chumbox” as they’re called, which is just a great way to frame them – are terrible. They’re visual reminders of the worst tendencies of humanity. They’re clickbait, productized to the max. So yes, it is shocking that Apple would partner with the company responsible for spreading these around the web.

But it’s also quite possible that Apple is going to heavily restrict the kind of ads Taboola can serve up.

Eric Schwarz:

Apple News as a whole (both the free version and the “plus” version) just isn’t very good and hasn’t been for a while. Between repeatedly surfacing content from topics and news organizations I’ve blocked and already tacky ads, it’s not a place I really want to spend time or spend money on.

John Gruber:

If you told me that the ads in Apple News have been sold by Taboola for the last few years, I’d have said, “Oh, that makes sense.” Because the ads in Apple News — at least the ones I see — already look like chumbox Taboola ads. Even worse, they’re incredibly repetitious.

senturion:

A service you pay for should have no ads let alone the shitty ads Apple adds to the News app.

CrowdStrike Update Causes BSOD

Rory Tingle et al.:

The ‘most serious IT outage the world has ever seen’ sparked global chaos today - with planes and trains halted, the NHS disrupted, shops closed, football teams unable to sell tickets and banks and TV channels knocked offline.

See also: Reddit, Hacker News, and Slashdot.

Qasim Nauman (Hacker News):

Frontier Airlines briefly grounded all flights on Thursday amid a major outage in Microsoft networks, which also knocked out some computer systems at low-cost carriers Allegiant Air and Sun Country Airlines.

Microsoft said on the status page for Azure, its flagship cloud computing platform, that the problem began at 5:56 p.m. and affected multiple systems for customers in the central United States.

Andrew Cunningham (Hacker News):

Airlines, payment processors, 911 call centers, TV networks, and other businesses have been scrambling this morning after a buggy update to CrowdStrike's Falcon security software caused Windows-based systems to crash with a dreaded blue screen of death (BSOD) error message.

Sergiu Gatlan (Hacker News):

The list of services impacted by the outage includes Microsoft Defender, Intune, Teams, PowerBI, Fabric, OneNote, OneDrive for Business, SharePoint Online, Windows 365, Viva Engage, Microsoft Purview, and the Microsoft 365 admin center.

Edward Zitron:

What’s happened today with Crowdstrike is completely unprecedented (and I’ll get to why shortly), and on the scale of the much-feared Y2K bug that threatened to ground the entirety of the world’s computer-based infrastructure once the Year 2000 began.

[…]

The problem here is systemic — that there is a company that the majority of people affected by this outage had no idea existed until today that Microsoft trusted to the extent that they were able to push an update that broke the back of a huge chunk of the world’s digital infrastructure.

Jowi Morales:

Southwest Airlines, the fourth largest airline in the US, is seemingly unaffected by the problematic CrowdStrike update that caused millions of computers to BSoD (Blue Screen of Death) because it used Windows 3.1.

Tim Hardwick:

The cause of the failure has been identified as an update to Crowdstrike Falcon antivirus software installed on Windows 10 PCs, but Mac and Linux machines running the same cybersecurity software have been spared.

Simon Sharwood:

CrowdStrike’s now-infamous Falcon Sensor software, which last week led to widespread outages of Windows-powered computers, has also caused crashes of Linux machines.

Tom Warren:

CrowdStrike says the issue has been identified and a fix has been deployed, but fixing these machines won’t be simple for IT admins. The root cause appears to be an update to the kernel-level driver that CrowdStrike uses to secure Windows machines. While CrowdStrike identified the issue and reverted the faulty update after “widespread reports of BSODs on Windows hosts,” it doesn’t appear to help machines that have already been impacted.

Rui Carmo:

This is why I keep telling people that third-party kernel extensions should be banned from production servers, period.

And shipping LIVE cloud updates direct to endpoints, unchecked, without any canaries?

[…]

But since most of the affected systems are in a boot loop that may well require physical (or IPMI) access to the machine.

Howard Oakley:

The macOS version of the Falcon sensor uses a kernel extension (kext) on Intel Macs prior to Big Sur, but because of the limitations of kexts on Apple silicon, it now uses an endpoint security System Extension instead.

Stefan Esser:

People pointing to EndpointSecurity framework in MacOS as the solution for the Crowdstrike problem are missing the point. ES is a typical Apple solution and basically means: anyone who can bypass it has to have exactly one exploit (chain) that will allow them to bypass ALL vendors.

Sure, yes, running drivers in user land has less likelihood of taking down the whole system, but it also means their functionality is severely limited by what API the vendor provided. Apple is simply a gatekeeper in one more area of their devices.

It would be sufficient for OS protection to mark drivers that crash as dirty and, if this happens repeatedly, boot without the driver and/or optionally allow a rollback to a previously non-crashing configuration.

M.G. Siegler:

The EC obviously felt they were helping out third-parties by requiring Microsoft to continue to grant the same level of kernel access that they have. And perhaps this was even a good thing for end-users as these companies could cover security bases that Microsoft wouldn't, for whatever reason – security in general, of course, has not been a Microsoft strong suit, of late. But there are also often unintended consequences of such actions. In this case, a third-party service with a single code-push could take out millions of machines overnight and thus, cripple key infrastructure around the world.

Ben Thompson:

Fast forward nearly two decades, and while Symantec and McAfee are still around, there is a new wave of cloud-based security companies that dominate the space, including CrowdStrike; Windows is much more secure than it used to be, but after the disastrous 2000s, a wave of regulations were imposed on companies requiring them to adhere to a host of requirements that are best met by subscribing to an all-in-one solution that checks all of the relevant boxes, and CrowdStrike fits the bill. What is the same is kernel-level access, and that brings us to last week’s disaster.

Tavis Ormandy:

This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though… like what’s up with the DEI stuff, and who says “stack trace dump”? Let’s take a closer look…

Patrick Wardle (tweet, Hacker News):

I don’t do Windows but here are some (initial) details about why the CrowdStrike’s CSAgent.sys crashed.

Aleksey Shipilëv:

“Professional programmers” focusing on CrowdStrike disassembly/language is a coping mechanism that protects them from realizing that there is a remotely updated 3rd party kernel module that is deployed on a significant part of the world. That is why real postmortems are important.

Bryan Cantrill:

The CrowdStrike BSOD fiasco is extraordinary in its scale and scope; on Monday’s Oxide and Friends, @ahl and I will be joined by security researcher and @LutaSecurity CEO @k8em0 to help us sort through the many layers of this mess

See also: xkcd.

Update (2024-07-23): Sebastiaan de With:

Has anyone checked on the App Store backend? Automated reports have been MIA since the Crowdstrike incident. 👀

Adam Engst:

Apple devices may not be as vulnerable to a bug in an update to third-party software like CrowdStrike, but that doesn’t mean we can be complacent. Apple itself regularly releases updates, and while it’s essential to install them to patch security vulnerabilities, Apple’s engineers could make a mistake that would cause problems for millions. Howard Oakley’s article reminded me of when an Apple update inadvertently disabled Ethernet (see “El Capitan System Integrity Protection Update Breaks Ethernet,” 29 February 2016). Apple quickly addressed the problem, but the lack of Ethernet prevented some Macs from getting the revised update, requiring manual intervention.

[…]

Even if we give CrowdStrike the benefit of the doubt and say that the bug was a subtle mistake that could have slipped by any developer, I can’t see any excuse for why it wasn’t caught in testing. Either CrowdStrike wasn’t doing real-world testing—the company constantly releases patches like this—or someone messed up big time.

Juli Clover:

In a statement to The Wall Street Journal, Microsoft blamed the European Commission for an inability to offer the same protections that Macs have. Microsoft said that it is unable to wall off its operating system because of an “understanding” with the European Commission. Back in 2009, Microsoft agreed to interoperability rules that provide third-party security apps with the same level of access to Windows that Microsoft gets. Microsoft agreed to provide kernel access in order to resolve multiple longstanding competition law issues in Europe.

Thomas Clement:

Nothing prevents Microsoft and Crowdstrike from developing and adopting a user space solution if they so wish. But they didn't.

Also I'd like to point out that it is totally possible to completely deadlock macOS with user space endpoint security.

Nick Heer:

If one has a general worldview for technology today, they can find it in some analysis of this CrowdStrike failure. This saga has everything.

Update (2024-07-24): Oxide Computer Company:

Bryan and Adam were joined by security expert, Katie Moussouris, to discuss the largest global IT outage in history. It was an event as broadly impactful as it will be instructive; as Bryan noted, you can see all of computing from here, from crash dumps to antitrust.

Update (2024-07-26): Bruce Schneier and Barath Raghavan:

The catastrophe is yet another reminder of how brittle global internet infrastructure is. It’s complex, deeply interconnected, and filled with single points of failure. As we experienced last week, a single problem in a small piece of software can take large swaths of the internet and global economy offline.

The brittleness of modern society isn’t confined to tech. We can see it in many parts of our infrastructure, from food to electricity, from finance to transportation. This is often a result of globalization and consolidation, but not always. In information technology, brittleness also results from the fact that hundreds of companies, none of which you’ve heard of, each perform a small but essential role in keeping the internet running. CrowdStrike is one of those companies.

This brittleness is a result of market incentives. In enterprise computing—as opposed to personal computing—a company that provides computing infrastructure to enterprise networks is incentivized to be as integral as possible, to have as deep access into their customers’ networks as possible, and to run as leanly as possible.

Update (2024-07-29): Katie Moussouris:

The cause of the most significant internet outage event in history was a cascade of failures in both testing and deployment capability. The technical bugs in the testing and the client-side interpreter code are one area for improvement, and the process failures that propagated this so widely and quickly are another. Both functional areas need to be addressed to ensure we don’t have to endure an outage of this magnitude again.

Patrick Wardle:

I was rather skeptical that this wasn’t an elaborate joke, but yes, @CrowdStrike has apparently emailed its customers & offered a ~$10 UberEats gift card/coupon for any “inconvenience”

…and yes, it errors out when one goes to redeem it, saying it has been cancelled 🫠

Ian Brown:

ANOTHER opinion piece repeating Microsoft’s claim the EU is responsible for the #CrowdStrike debacle. You can read the “interoperability undertaking” Microsoft made in 2009 yourself… no, it does NOT require kernel access for Windows competitors.

Microsoft (Hacker News):

In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.

Update (2024-07-30): Thom Holwerda (via Nick Heer):

It turned out to be a troll tweet. A reply to the tweet by Russakovskii a day later made that very clear: “To be clear, I was trolling last night, but it turned out to be true. Some Southwest systems apparently do run Windows 3.1. lol.”

[…]

These few paragraphs do not say that Southwest is still using ancient Windows versions; it just states that the systems they developed internally, SkySolver and Crew Web Access, look “historic like they were designed on Windows 95”. The fact that they are also available as mobile applications should further make it clear that no, these applications are not running on Windows 3.1 or Windows 95. Southwest pilots and cabin crews are definitely not carrying around pocket laptops from the ’90s.

These paragraphs were then misread, misunderstood, and mangled in a game of social media and bad reporting telephone, and here we are.

Jordan Novet and Ari Levy:

Delta has hired prominent attorney David Boies to pursue potential damages from CrowdStrike and Microsoft after a mass outage earlier this month, CNBC’s Phil Lebeau reported on Monday.

John Wiseman (Hacker News):

Airline cancellations is a good metric, but I want to look directly at air traffic: How many planes were in the air? How many planes should have been in the air?

Update (2024-07-31): Patrick McKenzie (Hacker News):

It would be an overstatement to say that the United States federal government commanded U.S. financial institutions to install CrowdStrike Falcon and thereby embed a landmine into the kernels of all their employees’ computers. Anyone saying that has no idea how banking regulation works.

[…]

Does the FFIEC have a hugely prescriptive view of what you should be doing for malware monitoring? Well, no […] But your consultants will tell you that you want a very responsive answer to II.C.12 in this report and that, since you probably do not have Google’s ability to fill floors of people doing industry-leading security research, you should just buy something which says Yeah We Do That.

CrowdStrike’s sales reps will happily tell you Yeah We Do That.

Update (2024-08-14): See also: Accidental Tech Podcast.

Swift 6 Announced

What’s new in Swift:

We’ll briefly go through a history of Swift over the past decade, and show you how the community has grown through workgroups, expanded the package ecosystem, and increased platform support. We’ll introduce you to a new language mode that achieves data-race safety by default, and a language subset that lets you run Swift on highly constrained systems. We’ll also explore some language updates including noncopyable types, typed throws, and improved C++ interoperability.

Migrate your app to Swift 6:

Experience Swift 6 migration in action as we update an existing sample app. Learn how to migrate incrementally, module by module, and how the compiler helps you identify code that's at risk of data races. Discover different techniques for ensuring clear isolation boundaries and eliminating concurrent access to shared mutable state.

Explore Swift performance:

Discover how Swift balances abstraction and performance. Learn what elements of performance to consider and how the Swift optimizer affects them. Explore the different features of Swift and how they’re implemented to further understand the tradeoffs available that can impact performance.

Demystify explicitly built modules:

Explore how builds are changing in Xcode 16 with explicitly built modules. Discover how modules are used to build your code, how explicitly built modules improve transparency in compilation tasks, and how you can optimize your build by sharing modules across targets.

Paul Hudson (list):

2024 is Swift’s 10th anniversary, and for the last five of those years we’ve had no major-version Swift updates – literally half of Swift’s life has been 5.0 through to 5.10.

This is more common than you might think. In fact, several major programming languages have some kind of release that takes significantly longer than all others: Python 3 took years to arrive, PHP 6 took so long the team bailed out and jumped straight to PHP 7, and Perl 6 dragged on so much that it ended up evolving into a different language called Raku.

Swift last had major breaking changes back in Swift 3, but when enabled in full Swift’s own v6 has the potential to make Swift 3 look like a walk in the park. This is partly because of new changes, but partly also because many features added in recent Swift versions have been hidden behind feature flags that will be enabled by default in Swift 6.

Migrating to Swift 6:

Swift’s concurrency system, introduced in Swift 5.5, makes asynchronous and parallel code easier to write and understand. With the Swift 6 language mode, the compiler can now guarantee that concurrent programs are free of data races. When enabled, compiler safety checks that were previously optional become required.

Adopting the Swift 6 language mode is entirely under your control on a per-target basis. Targets that build with previous modes, as well as code in other languages exposed to Swift, can all interoperate with modules that have been migrated to the Swift 6 language mode.

Joe Heck:

There is a lot of great stuff coming in the Swift programming language. I love the focus and effort on validating data-race safety, and it is probably the feature set that I’ll spend the most time with. But my favorite new tidbit? Swift 6 now supports a Linux SDK and the ability to compile a stand-alone, statically linked binary.

Alex Grebenyuk:

In recent years, there’ve been some questionable changes, the latest one being Data Race Safety in its current form in Xcode 16 beta.

[…]

If you want to migrate a large codebase to support Swift 6 mode, you need to fix thousands of compiler warnings that become errors once you enable this mode. For example, if you have any global variables, they are now errors.

[…]

In the ideal world, I would love to have more granular control over the types of warnings and errors the compiler produces, depending on what you can tolerate in your project. If data race safety is a compelling enough feature, people will enable it. There are also questions about whether it should be enabled by default and whether its current design can allow it to be enabled by default considering the lack of progressive disclosure.

[…]

Speaking about compile time, one of Swift’s original premises was that it was “fast,” and you would expect it to apply to the compile time. However, with the current slow compilation, developers have to go to extreme lengths to work around this, including reinventing header files by creating protocol-only modules, which Swift was designed to eliminate. If there was a way to disable some of the language features to improve compile time, I would do it in an instant. I’m bringing this up because I wonder what the impact of data race safety is going to be, especially once it gets upgraded with more advanced techniques for eliminating false positives.
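
The behaviour the migration guide describes (optional checks becoming required) and the global-variable errors Grebenyuk mentions, as an added example that is not from the Swift documentation or from his post: one file that shows the kind of global `var` the Swift 6 language mode rejects next to the forms it accepts (an immutable `let`, an actor, main-actor isolation, and the `nonisolated(unsafe)` opt-out), built with `swiftc -swift-version 6`. The type and variable names are constructed for the example.

```swift
// Compile in the Swift 6 language mode to see the diagnostics discussed above:
//     swiftc -swift-version 6 Globals.swift && ./Globals
// In Swift 5 mode with `-strict-concurrency=complete` the same findings are warnings,
// which is the per-target, incremental path the migration guide describes.
import Foundation

// 1. Rejected in Swift 6 mode: a nonisolated global `var` is mutable state that any
//    thread may read or write, so the compiler reports it as not concurrency-safe.
//    Left commented so the file builds; uncomment to see the error.
// var requestCount = 0

// 2. Immutable data of a Sendable type is accepted: a `let` global cannot race.
let maxRetries = 3

// 3. Move the mutable state into an actor (constructed name). Every access then
//    goes through the actor's serial executor and callers must `await` it.
actor RequestStats {
    static let shared = RequestStats()
    private(set) var count = 0
    func recordRequest() { count += 1 }
}

// 4. Or pin it to the main actor for state that was always meant to be touched
//    from the main thread; off-main access becomes a compile error instead of a crash.
@MainActor var lastStatusMessage = ""

// 5. The escape hatch: `nonisolated(unsafe)` tells the compiler you guarantee safety
//    yourself (e.g. written once before any concurrency starts). Checking stops here,
//    so this is exactly where a rushed migration can hide a real race.
nonisolated(unsafe) var bootTimestamp = Date()

// 6. Values crossing isolation boundaries must be Sendable. A final class whose
//    stored properties are all immutable `let`s qualifies, and the compiler
//    verifies the conformance rather than trusting the declaration.
final class Config: Sendable {
    let endpoint: String
    init(endpoint: String) { self.endpoint = endpoint }
}

@main
struct Demo {
    static func main() async {
        let config = Config(endpoint: "https://example.invalid/api")  // constructed value

        // 100 concurrent increments through the actor: none are lost, and no lock or
        // `@unchecked` conformance is needed because isolation is enforced at compile time.
        await withTaskGroup(of: Void.self) { group in
            for _ in 0..<100 {
                group.addTask { await RequestStats.shared.recordRequest() }
            }
        }
        let total = await RequestStats.shared.count

        // Writing main-actor state from an async context: hop to it explicitly.
        await MainActor.run { lastStatusMessage = "\(total) requests to \(config.endpoint)" }
        print(await MainActor.run { lastStatusMessage })
        print("booted at \(bootTimestamp), retries allowed: \(maxRetries)")
    }
}
```

The point of cases 3 to 5 is that each fix is a statement about who is allowed to touch the state; only the `nonisolated(unsafe)` form is a promise the compiler does not check, which is why a migration that leans on it to silence errors quickly can reintroduce the races the mode was meant to remove.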

Alex Grebenyuk:

For context, it took me months and multiple releases to get this ~4K lines of code somewhat compatible with Sendable and Swift 6. And I now have to revert my concurrency changes in Pulse from last week because I broke some stuff.

I’m fairly certain no existing large size codebase will ever be able to fully adopt Swift Concurrency Checking and Swift 6. I would also expect a short-term rise in concurrency bugs in iOS apps.

See also: Jon Reid: A Conversation With Swift 6 About Data Race Safety.

Heath Borders:

I really love Swift the language, but if I had my way, Twitch would only have switched to Swift 2-3 years ago when static linking was easily available.

I got a lot of pressure from other devs to switch back in 2018, so we did, but we had a modularized codebase in Objective-C that we had to demodularize in Swift bc of no static linking back then. Our clean build times used to be 90 seconds, and now it’s 8 minutes.

[…]

People would be mad if we were still in Objective-C, but I think that’s bc they’d see all the cool stuff at WWDC and wouldn’t be able to use any of it. They’d rightly think they were falling behind the industry. They wouldn’t be as marketable in other jobs.

The main reason for Swift is because everyone else is using it.

Helge Heß:

No, it is because of:

> fighting the direction of the platform, and fighting Apple is generally a losing game

This is IMO not rooted in preferences of developers.

A big issue here is that Apple ties features to the language (and unlike ObjC, Swift has no FFI). The Apple platform developer tooling is a closed system and Apple exploits that to lock devs into their own things over alternatives, regardless of quality.

Update (2024-07-23): Drew McCormack:

It is a risky time for Swift. They are channeling enormous resources into solving multi-threading at compile time, but the remedy is worse than the sickness. They are introducing a whole different problem: systemic race conditions. Interleaving of async functions. These are much more difficult to track down IMO. I am literally breaking my head on some of these things. Without a transactional system like dispatch, you end up with something more complex than multithreading.

Update (2024-08-08): Rob Napier:

Every time you write Task, I want you to pretend it's actually this:

Task {
    let delay: Int = (0...10).randomElement()!
    try await Task.sleep(for: .seconds(delay))

    // .. Your code
}

Is your code still correct? If not, then you need to make it correct.

Tasks do not make promises about when they start. Currently, they do not even make promises about whether they start in order (they will, but not quite yet). So if the above addition would break your code, your code is wrong.
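
To make the thought experiment concrete, here is an added example (not Rob Napier’s code) that wraps `Task` in the random start delay he describes and applies it to two versions of the same code: one that silently assumes two Tasks run in creation order, and one that states the dependency by awaiting the first before creating the second. The `Ledger` actor and the function names are constructed for this example.

```swift
// Added harness for the thought experiment above: `delayedTask` is the "pretend
// Task looks like this" wrapper, applied to two pieces of code. Names (`Ledger`,
// `unsafeOrdering`, `safeOrdering`) are constructed for this example.
// Build and run: swiftc -swift-version 6 Ordering.swift && ./Ordering
import Foundation

/// Constructed state behind an actor, so data races are ruled out and only the
/// *ordering* question Napier raises remains.
actor Ledger {
    private var entries: [String] = []
    func append(_ entry: String) { entries.append(entry) }
    func snapshot() -> [String] { entries }
}

/// A Task with the random start delay inserted, standing in for plain `Task`.
func delayedTask(_ body: @escaping @Sendable () async -> Void) -> Task<Void, Never> {
    Task {
        let delay = (0...10).randomElement()!                 // constructed jitter, in ms
        try? await Task.sleep(for: .milliseconds(delay))
        await body()
    }
}

/// WRONG: relies on the first Task running before the second. Nothing orders them,
/// so under the jitter "close" can land before "open".
func unsafeOrdering(_ ledger: Ledger) async -> [String] {
    let open = delayedTask { await ledger.append("open") }
    let close = delayedTask { await ledger.append("close") }
    await open.value
    await close.value
    return await ledger.snapshot()
}

/// CORRECT: the dependency is stated by awaiting the first unit of work before the
/// second is created, so the result is the same however long each Task waits to start.
func safeOrdering(_ ledger: Ledger) async -> [String] {
    await delayedTask { await ledger.append("open") }.value
    await delayedTask { await ledger.append("close") }.value
    return await ledger.snapshot()
}

@main
struct Demo {
    static func main() async {
        var outOfOrder = 0
        for _ in 0..<50 {
            if await unsafeOrdering(Ledger()) != ["open", "close"] { outOfOrder += 1 }
        }
        print("unsafe version out of order in \(outOfOrder) of 50 runs")

        let checked = await safeOrdering(Ledger())
        precondition(checked == ["open", "close"], "ordering must hold under any delay")
        print("safe version: \(checked)")
    }
}
```

The actor removes the data race entirely, yet the first version is still wrong: the bug is a timing assumption, not a memory-safety one, which is the class of problem the compile-time checks in Swift 6 do not catch and the delay wrapper surfaces.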

Rob Napier:

IMO, no one today understands Swift Concurrency in depth, not even the core team. We’re all kind of feeling our way through it together in public and hoping to discover patterns that are more correct than what we were doing before. There are many great resources for the basics out there, but I don’t think there’s any one resource for how to use this tool “the right way” because I don’t think anyone knows that yet.

Drew McCormack:

The thing about the Swift 6 concurrency bomb is that I know already it won’t catch a single bug. Every error I have to fix is purely to appease the compiler. I see in every case that my code logic is correct, that there is no concurrent access. I also don’t see crashes related to threading (at least not in app level code). Like most static checking dogma, you end up spending a lot of time doing busy work, purely to tell the compiler what you already know.

The irony is that a lot of the solutions to the Swift 6 concurrency errors are to introduce another layer of indirection in the form of an async func. I think it may actually lead to new bugs, rather than fixing old ones. Wouldn’t surprise me if we see problems due to interleaving or data races that weren’t there before.

See also: Marcin Krzyzanowski.

Update (2024-08-13): Thomas Clement:

Apple encouraged developers into updating all their completion handler based functions into async functions which suddenly caused them all to move off the main thread. It was before the concurrency warnings and in the last few years it’s been the number 1 cause of crashes in the projects I’ve been working on. Yes there’s quite a lot of it.