Pixel Envy

Written by Nick Heer.

Microsoft Building New Browser Based on Chromium

Brad Sams, Petri:

With the launch of Windows 10, Microsoft tried to build a new browser that was based on their Trident rendering engine that we now know as Edge. But the browser has failed at its objective, to create a Microsoft-built browser that could compete with the likes of Chrome and Firefox.

Because of their lack of momentum since the release of Windows 10, the company is announcing a significant change today, they are building a new browser that is based on Chromium. And the company is bringing the new browser to every platform: Windows 7, 8, 10 and even MacOS.

While the company is not commenting on any timeline for availability aside from a preview build in early 2019, the basics are this: it’s building a new version of Edge, based on Chromium, that will be updated at a cadence that is not tied to Windows updates. Further, this app will not be in the Microsoft Store and will be serviced outside of that platform.

Chromium is already the most popular rendering engine in terms of worldwide browser share on any platform. This decision only builds upon that dominance, and it could lead to more websites built just for Chromium.

It’s funny, though, that the new Internet Explorer really is going to be the new Internet Explorer.

Ron Johnson Interviewed on ‘Without Fail’

I listened to this episode of Alex Blumberg’s “Without Fail” podcast last night and it is an absolutely terrific interview with Ron Johnson, the former head of Apple’s retail division and the guy who effectively brought the concept of the Apple Store to life. Johnson is such an easy conversationalist and a good storyteller.

One thing I thought about while listening to it is just how successful these stores are. To date, Apple has closed only two without a logical replacement. They are often packed with people, and Apple still has one of the best buying and support experiences in the consumer technology space. I still believe that there are elements of the store that have suffered, but they’re still leaps and bounds better than what you get anywhere else.

Google Is Discontinuing Allo, One of Its Messaging Apps, in March

Matt Klainer of Google:

We want every single Android device to have a great default messaging experience. We’ve been working closely with the mobile industry to upgrade SMS so that people around the world can more easily enjoy group chats, share high-res photos, and get read receipts on any Android device. Thanks to partnerships with over 40 carriers and device makers, over 175 million of you are now using Messages, our messaging app for Android phones, every month.


Allo will continue to work through March 2019 and until then, you’ll be able to export all of your existing conversation history from the app — here are instructions on how to do so. We’ve learned a lot from Allo, particularly what’s possible when you incorporate machine learning features, like the Google Assistant, into messaging.

Google’s desire for a great default messaging experience on every Android device has seen them launch and kill several apps with no clear argument, definable strategy, or even a sense of which one they think users should actually use.

Facebook Bought WhatsApp After Seeing Its Growth Through Onavo VPN

Charlie Warzel and Ryan Mac, Buzzfeed:

In February 2014, Facebook purchased the messaging service WhatsApp for $19 billion. The acquisition price was staggering for an app that made little money and was largely popular outside the United States.

Now, newly published confidential Facebook emails and charts show exactly why CEO Mark Zuckerberg spent a small fortune for the messaging app. For months, the company had been tracking WhatsApp obsessively using Onavo, a VPN and data analytics app, whose data showed that the messaging app was not just a rising competitor, but a potential Facebook killer.

The overall unrestricted growth of Facebook — and, in particular, its purchases of Onavo, WhatsApp, and Instagram — should be regarded as one of the greatest failures to apply antitrust regulations in decades.

Facebook Knew Android Call-Scraping Would Be ‘High-Risk’

Russell Brandom, the Verge:

In March, many Android users were shocked to discover that Facebook had been collecting a record of their call and SMS history, as revealed by the company’s data download tool. Now, internal emails released by the UK Parliament show how the decision was made internally. According to the emails, developers knew the data was sensitive, but they still pushed to collect it as a way of expanding Facebook’s reach.

The emails show Facebook’s growth team looking to call log data as a way to improve Facebook’s algorithms as well as to locate new contacts through the “People You May Know” feature. Notably, the project manager recognized it as “a pretty high-risk thing to do from a PR perspective,” but that risk seems to have been overwhelmed by the potential user growth.

The key message here is that Facebook is only concerned about how it looks publicly — not the reasons why it would be negatively received. They don’t care that asking Android users for permission to read and upload logs of their phone calls and text messages is a profoundly creepy thing to do. They care that, when it is reported, there are talking points ready to go.

Furthermore, according to these emails, Facebook’s developers worked to remove the part where the app has to ask for users’ permission to read their call logs. They figured out a way to simply take it.

Facebook has made a series of disturbing choices unparalleled by any of its competitors. When they’re not mining individual users’ phones for details they can use to feed their advertising and user retention figures, they mislead users to download VPN software that helps Facebook know which apps are popular so that they can either buy or copy them. They also track web browsing activity, retain non-users’ contact details, and unfairly monopolize the web in developing nations. Oh, and they’ve been a contributing force in escalating violence and even genocide in Myanmar, Sri Lanka, the Philippines, and India.

To blame one company with a few websites and apps for so many of the world’s woes seems out of scale; however, it is not inaccurate — and perhaps that level of control and dominance is the most terrifying aspect of all. I can’t make the argument that Facebook ought to be shut down. But what would we really lose if that happened?

The Enormous Life of Anthony Bourdain

Anthony Bourdain died six months ago Saturday, but it is, for me, one of those deaths that will always feel fresh. GQ has headlined this piece “The Last Curious Man” — I hope that isn’t the case. If anything, his death should, at the absolute least, inspire more people to do what he did. Explore. Eat. Learn. However you can, within whatever budget you have.

Kuo: AirPods Are Apple’s Most Successful Accessory Ever

Todd Haselton, CNBC:

[Ming-Chi Kuo], who has a track record of accurately predicting Apple product launches, said AirPods are Apple’s most popular accessory ever.

In the note, Kuo said Apple AirPods have the fastest growth momentum of any Apple product. Kuo estimates Apple will ship 26 million to 28 million AirPod units this year, up from 14 million to 16 million in 2017. Kuo also expects Apple to release a new version of AirPods next year with wireless charging that will help propel shipments to 50 million to 55 million units next year, 70 million to 80 million units in 2020 and 100 million to 110 million units in 2021.

On a purely anecdotal basis, this doesn’t surprise me in the slightest. I’ve seen AirPods in increasing ears, especially in the past year. I’ve been in New York for much of the past week and it seems like a third of each subway car at rush hour is wearing their AirPods.

Oddly, even though Kuo’s sources indicate an early 2019 AirPods update — meaning April or before, if Kuo is using Apple’s definition of “early” — he does not mention the AirPower. Those products seemed to go hand-in-glove, and releasing the case without the charging mat would not be a good sign for the announced AirPower product.

By the way, I’m thrilled that the AirPods seem like such a fantastic product. Would it be too much to ask for a version that fits my ears, too?

Update: Victoria Song of Gizmodo points to a patent filing that suggests my wishes may eventually come true:

The patent drawings showcase a design that can be “symmetric so the earbud can be worn interchangeably in either a left or right ear.” The biometric sensors would then be used to tell which earbud was in what ear and automatically adjust sound accordingly. There’s also mention of using foam to provide “constant force independent of ear size”—a departure from the all-plastic design of current AirPods. […]


Data for 100 Million Quora Users Compromised

Adam D’Angelo of Quora:

For approximately 100 million Quora users, the following information may have been compromised:

  • Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users

  • Public content and actions, e.g. questions, answers, comments, upvotes

  • Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)

A security breach is never a good thing, and the compromise of a hundred million users’ account details puts this up there with some of the biggest breaches.

However, I want to give kudos to Quora on three fronts. First, the response speed: they discovered this on Friday and we’re learning about it on Monday, shortly after they believe they fixed the flaw. Quick response times are rare in cases like this one, and they handled that well.


While the passwords were encrypted (hashed with a salt that varies for each user), it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.

It is never a great thing when passwords are leaked in any form. But Quora did password security right by uniquely salting and hashing them.

And third:

Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

This is fantastic. Lazy programmers would simply replace user-identifying attributes on the frontend with anonymized versions and call it a day. Sincere kudos to their engineering team for doing anonymous posting the correct way.
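The two design points praised above, per-user salted hashing and never storing the author of an anonymous post, are sketched here as an added Python example; it is not Quora's code. PBKDF2, its work factor, the store classes, and the sample rows are all assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor; the page does not say what Quora uses


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for each user."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Post:
    post_id: int
    body: str
    author_id: Optional[int]
    anonymous: bool


class MaskedStore:
    """The shortcut: author_id stays on every row and is hidden only on render."""

    def __init__(self) -> None:
        self.rows: list[Post] = []

    def add(self, post_id: int, body: str, author_id: int, anonymous: bool) -> None:
        self.rows.append(Post(post_id, body, author_id, anonymous))


class UnlinkedStore(MaskedStore):
    """The identity of an anonymous poster is dropped before the row is written."""

    def add(self, post_id: int, body: str, author_id: int, anonymous: bool) -> None:
        super().add(post_id, body, None if anonymous else author_id, anonymous)


def render(post: Post, names: dict[int, str]) -> str:
    """What a visitor sees; identical for both storage designs."""
    if post.anonymous or post.author_id is None:
        return f"Anonymous: {post.body}"
    return f"{names[post.author_id]}: {post.body}"


def deanonymized_by_dump(rows: list[Post]) -> list[int]:
    """Anonymous posts whose author can be read straight out of leaked rows."""
    return [p.post_id for p in rows if p.anonymous and p.author_id is not None]


# Constructed sample data, not taken from any real service.
NAMES = {1: "alice", 2: "bob"}
SAMPLE = [
    (1, "How do I rotate API keys?", 1, False),
    (2, "My employer stores passwords in plaintext.", 2, True),
]


def build_sample_stores() -> tuple[MaskedStore, UnlinkedStore]:
    masked, unlinked = MaskedStore(), UnlinkedStore()
    for row in SAMPLE:
        masked.add(*row)
        unlinked.add(*row)
    return masked, unlinked


if __name__ == "__main__":
    # Same password, two users: the per-user salt makes the stored digests differ,
    # so one cracked digest does not reveal every account sharing that password.
    (_, d1), (_, d2) = hash_password("hunter2"), hash_password("hunter2")
    print("digests equal:", d1 == d2)

    masked, unlinked = build_sample_stores()
    print("masked dump exposes posts:", deanonymized_by_dump(masked.rows))
    print("unlinked dump exposes posts:", deanonymized_by_dump(unlinked.rows))
```

Both stores render the same page to visitors; only the raw rows differ, and the raw rows are what a breach exposes.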

Marriott Discloses Data Breach Affecting Up to 500 Million Guests Since 2014

Taylor Telford and Craig Timberg, Washington Post:

Marriott said Friday that hackers have had access to the reservation systems of many of its hotel chains for the past four years, a breach that exposed private details of up to 500 million customers while underscoring the sensitive nature of records showing where and when people travel — and with whom.

The breach of the reservation system for Marriott’s Starwood subsidiaries was one of the largest in history, after two record-setting Yahoo hacks, and was particularly troubling for the nature of the data that apparently was stolen, security experts said. That includes familiar information — such as names, addresses, credit card numbers and phone numbers — and also rarer prizes for hackers, such as passport numbers, travel locations and arrival and departure dates.

The potential value of such information on such a large percentage of the world’s travelers triggered speculation that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives. Yet even if the hackers were mere criminals in search of profit, such data offered the raw material for a range of possible misdeeds, including identity theft.

Brian Krebs:

The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.

Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.

Dave Pell:

No corporation should have the personal details of 500,000,000 customers. That’s too big. It’s too much market. And, as we now know, it’s too risky.

Kevin Beaumont:

The biggest value from GDPR and the like — I can say this from experience — is you get to challenge businesses to justify if they really need to store data — with a legal requirement to back question. If you ask them to inventory data they usually just say delete it instead.

Think about it: a breach of tens- or hundreds-of-millions of individuals’ extremely private information — including, in this case, passport numbers and hashes of credit card numbers — couldn’t happen if the system were designed to purge this information at the earliest possible chance.

The market doesn’t punish incidents like these.1 Stricter regulation — designed carefully by data security experts — is needed to both reduce the amount of personal details companies are allowed to accumulate, and provide a framework for how information should be stored.

  1. On a related note, Equifax’s stock almost recovered to its pre-breach price in September before it dropped again in October by a similar amount as just after the breach announcement. The reason? A mediocre financial quarter with a poor forecast for the current quarter. Call me crazy, but a company should not be punished similar amounts by shareholders for performing a little below expectations as they are for letting third parties pilfer the sensitive details of about a hundred and fifty million people.

Bloomberg Is Still Reporting on Their ‘Big Hack’ Story

Erik Wemple, Washington Post:

According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg’s Ben Elgin has requested “discreet” input on the alleged hack. “My colleagues’ story from last month (Super Micro) has sparked a lot of pushback,” Elgin wrote on Nov. 19 to one Apple employee. “I’ve been asked to join the research effort here to do more digging on this … and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings.”

One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn’t part of the reporting team that produced “The Big Hack.” The goal of this effort, Elgin told the potential source, was to get to “ground truth”; if Elgin heard from 10 or so sources that “The Big Hack” was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of “The Big Hack” were “100 percent right.”

As a big story with a hundred sources that, apparently, took a year and a half to put together, it’s not surprising that finding further sourcing to either corroborate or contradict the story could be hampered by internal-to-Bloomberg deliberations. But, even so, the denials received by Bloomberg before publishing the story were so forceful that it should have inspired comprehensive review prior to its publication, given its blockbuster ramifications, if it is true.

Due diligence and fact checking are processes to be done before a story is published. Following up after a story is published can often be necessary to ensure its validity. But, when the very foundation of this story has been stated to be entirely false, it reads less to me as validation and more like panicked doubt.

Reports of Poor Mac Performance Without an SSD

The first run experience of Safari on a brand new — for 2017 — iMac with a spinning hard drive, as documented by “cocobandicoot” on Reddit, is pretty awful. Judging by Michael Tsai’s post, it is far from the only instance of subpar performance on Macs not equipped with solid state drives. A simple solution for Apple would be to treat these Macs as the baseline for good performance; then, everything with an SSD could be much faster, but a spinning hard drive Mac would not be too slow.

However, as much as I favour holding back on the tendency to maximize newly-expanded technical bandwidth, I can think of some pretty clear instances where the much faster speeds of an SSD could make MacOS more capable than would be possible with a spinning hard drive. The system can build caches in the background so something like the photo picker is always current; a document can be saved with every keystroke; software updates can be downloaded in the background — all of these things can happen at once.

It has been eight years since the introduction of the second-generation MacBook Air, which brought solid state storage to typical Mac users for the first time. Apple has been shipping annual updates to MacOS that presuppose the availability of a SSD — APFS, for example, took a year to come to hard drives. And there are plenty of Mac Minis, iMacs, and tower Mac Pros that are supported by Mojave but will perform poorly because they have hard drives.

So, if these features require an SSD — inasmuch as if the Mac in question were not equipped with one, it would suck to use — I don’t think it’s unreasonable to suggest that Apple should not be selling Macs without solid state drives any longer. They’re most of the way there — the only remaining model available with a spinning drive is the iMac. But, even with a Fusion Drive, it’s clearly still not performing to the standard that it ought to be.

How Some Developers Are Gaming the App Store

David Barnard:

My critique of Apple’s management of the App Store (which began in 2008) has never been about embarrassing Apple or denigrating its employees or motives, I want to see this amazing platform Apple created be the best it can possibly be. The App Store is an incredible marketplace that has generated tens of billions in revenue while empowering billions of people around the world to do amazing things with these magical little computers we carry around in our pockets. But I do think the overall success of the App Store has blinded Apple to the need for various course corrections over the years. And as the financial incentive to build and maintain great niche apps dries up, the beautiful and diverse forest of apps that is the App Store will slowly start to look more like the unkempt Play Store.

So, let’s talk about how developers are gaming the App Store and why it matters to the future of the platform. Any one of these tactics might seem somewhat bland individually, but when tens of thousands of apps deploy multiple tactics across many categories of apps, the impact can be measured in hundreds of millions of users and likely billions of dollars.

For all of the activity in the App Store and Apple’s evidently increased investment in it, tactics like these make even its most popular apps feel like the product of a disreputable marketplace. It is disheartening to see unscrupulous developers with crappy apps succeed — and even be featured by Apple, as Barnard documents.

Greg Joswiak Says the iPhone XR Has Been the Top-Selling iPhone Since Its Launch

Shara Tibken, CNet:

Greg Joswiak, Apple vice president of product marketing, told CNET in an interview Wednesday that the device has “been our most popular iPhone each and every day since the day it became available.”


The news comes amid worries about iPhone demand. Apple’s fiscal fourth-quarter results at the beginning of November showed it may be grappling with a case of iPhone fatigue — but it’s still getting people to shell out more money for the phones they do buy. Apple said it didn’t sell as many iPhones as analysts expected in the quarter that ended Sept. 29, and it projected lackluster revenue results for the December quarter. Apple also said it would no longer detail unit sales of its iPhone and other major devices, a reversal from its strategy since first introducing the products.

Apple usually doesn’t announce their sales mix of iPhones but, for two years in a row, they’ve broken with that pattern to quell supply chain rumours. Analysts seem desperate to write off new iPhones as major flops.

Antitrust, the App Store, and Apple

Ben Thompson:

To put it another way, Apple profits handsomely from having a monopoly on iOS: if you want the Apple software experience, you have no choice but to buy Apple hardware. That is perfectly legitimate. The company, though, is leveraging that monopoly into an adjacent market — the digital content market — and rent-seeking. Apple does nothing to increase the value of Netflix shows or Spotify music or Amazon books or any number of digital services from any number of app providers; they simply skim off 30% because they can.

This is the best piece I’ve read so far about this legal issue — not just for what he wrote about the issue itself, but for what it says about the services part of Apple’s business today.

A Business With No End

Jenny Odell, New York Times:

Recently, one of my students at Stanford told me a strange story. His parents, who live in Palo Alto, Calif., had been receiving mysterious packages at their house. The packages were all different shapes and sizes but each was addressed to “Returns Department, Valley Fountain LLC.”

I looked into it and found that a company called Valley Fountain LLC was indeed listed at his parents’ address. But it also appeared to be listed at 235 Montgomery Street, Suite 350, in downtown San Francisco.

So were 140 other LLCs, most of which were registered in 2015.


Trying to map the connections between all these entities opens a gaping wormhole. I couldn’t get over the idea that a church might be behind a network of used business books, hair straighteners, and suspiciously priced compression stockings — sold on Amazon storefronts with names like GiGling EyE, ShopperDooperEU and DAMP store — all while running a once-venerable American news publication into the ground.

See Also: There’s No Such Thing as a Free Watch.

On Apple Portables in the Approximately $1,200 to $1,300 Price Range

With the release of the Retina MacBook Air earlier this month came questions about how the product fits into the rest of Apple’s laptop lineup — especially since the starting prices of the MacBook and MacBook Pro are just $100 more than the Air. And, if you wanted, you could arguably add the 12.9-inch iPad Pro with a Smart Keyboard Folio to a comparison shopping list, as that’s about the same price as these 12-to-13-inch Mac notebooks. On the surface, then, it seems like there’s a crowded field of comparable products if you want to spend about $1,200-$1,300 on an Apple portable.

But that’s obviously not right for a couple of reasons. First, these products all have their distinct niches: the Air is a well-rounded consumer notebook; the iPad Pro is ideal for ultra-portability; the MacBook is similar, but for those who want MacOS as opposed to iOS; and the Pro is what you buy when performance matters most. It’s also not right because it isn’t, I don’t think, a fair comparison at each of these models’ base price point.

Yes, you can get a MacBook Air for $1,199 in the U.S., but that comes with just 128 GB of storage; it’s a similar case for the base model MacBook Pro at $1,299. The MacBook starts at 256 GB of storage which, if it were my decision, ought to be the bare minimum for a Mac in 2018.

When these Macs are all specced with 256 GB of storage, a different pricing picture begins to emerge:

  • MacBook at $1,299
  • MacBook Air at $1,399
  • MacBook Pro at $1,499

Now, it’s easy to mix in the iPad Pro with 256 GB of storage, the base model Touch Bar version of the MacBook Pro, and the old MacBook Air to complete this picture:

  • Old MacBook Air at $1,199
  • MacBook at $1,299
  • 12.9-inch iPad Pro with Smart Keyboard Folio at $1,348
  • MacBook Air at $1,399
  • MacBook Pro at $1,499
  • MacBook Pro with Touch Bar at $1,799

To me, this pricing is much more reflective of the Mac products’ positioning as far as performance and capability go. Even the iPad makes sense, as far as Apple’s aspirations — if not yet realizations in software — for it go.1 And there’s even a nice ramp to those prices.

Instead, by starting the MacBook Air with a 128 GB drive, Apple has priced it to fit its status as the default consumer Mac portable to buy. A 128 GB drive is probably enough for a bare minimum user who relies upon Apple Music and offloads their iCloud Photo Library. It’s a little dicey, I think — we all know how easily a hard drive can fill up in unexpected ways, like if Mail downloads a decade’s worth of email — but there are ways to manage that. I really do think 256 GB ought to be the baseline, but a good enough argument can be made for 128 in the Air.

The real anomaly is, I think, the MacBook Pro: the 128 GB model feels like a clear price point play, but how many people are really buying that configuration? Apple must have data supporting its continued existence, but it puzzles me. It is a vastly more capable product with, I think, a completely different audience. Even if “Pro” doesn’t strictly mean professional in Apple’s parlance, it is a higher-performing and more serious product.

It comes down to the honesty and integrity of the product. Every so often, I think to myself, “could I imagine everyone on Apple’s executive team happily using this product?” as a proxy for product integrity. For most of the current lineup, I have few reservations; I bet Phil Schiller would be very happy toting an iPhone XR and a base model iPad, for example. But — and perhaps this is projecting — I think they would get frustrated after a year of using any Mac with 128 GB of storage; but, especially, a MacBook Pro. It’s debatable, to me, whether that’s a fair base storage in the Air, but I don’t think it’s honest in the Pro. As far as I’m concerned, the MacBook Pro makes more sense starting at the $1,499 256 GB configuration — from both a pricing perspective, and for its integrity.

  1. The one tech spec that the iPad cannot match against any Mac is RAM. The 2018 iPad Pro models all come with 4 GB of RAM, with the exception of the 1 TB models which sport 6 GB of RAM. You cannot order a Mac with less than 8 GB of RAM today. I think the same minimum should be in the iPad Pro, too.

The Rands Travel Procedure

I live in Canada’s Texas, so the following anecdote isn’t necessarily surprising: I was once directed into a security line behind a man with rings on every finger and an enormous belt buckle. There is no possible way he could have not known that he would be passing through a metal detector, which just seems like he was asking for trouble not just for him, but for everyone behind him. The best thing to do is, of course, be very patient; everyone around you is just as irritated at that one person.

Michael Lopp’s routine is the practiced obsessive procedure of someone who travels a lot, particularly for business. I do not fly nearly as often. But I follow similar patterns because it makes everything better not just for me, but also for the people behind me in every inevitable line.

’Tis the Season

’Tis the season — not the holiday shopping season, but the iPhone Supply Chain Apocalypse/Catastrophe season. If you follow Apple rumours at all, you’re probably familiar with the steady relentless drip of stories about how different parts suppliers have received cuts in orders, all saying that the latest round of iPhones is doing poorly compared to its predecessor. These rumours seem to get more alarming every year, yet the iPhone seems to do just fine — funny how that happens. Despite Apple reporting strong iPhone X sales for every quarter it was available, for example, it took analysts until this September to admit that they were wrong about its success.

This year, there are plenty of such stories, all trumpeting a similar tale and bolstered by Apple’s announcement during their last earnings call that they would begin reporting their financials more similarly to their peers by not releasing unit sales figures.

Take this report, from Takashi Mochizuki at the Wall Street Journal (or bypass the paywall):

Apple suppliers have also recently resumed making the iPhone X, the 2017 model that Apple had stopped selling at its own stores, people familiar with the matter said.

In the past, Apple has produced legacy models for select markets where there is enough demand for those devices, the person familiar with Apple’s sales and production tactics said. The company views it as a way to fuel sales and boost margins, as the components often cost less and manufacturing equipment has depreciated, he said.

People involved in the supply chain said the resumption of the X is due in part to Apple’s contract with Samsung Display, a major provider of iPhone X’s organic-light emitting diode display, or OLED, panels. Apple needs to buy a certain amount of the panels from the South Korean maker, and given the cut in XS and XS Max, Apple is trying to fill the gap with the old device, they said.

To be clear, I don’t know anything more about this than what the Journal wrote. Maybe iPhone XS sales really are falling so far below Apple’s expectations that they need to begin producing a superseded device again for sale in specific markets. The Journal also doesn’t provide more specific sourcing for these claims than “people familiar with the matter”. But, given that it specifically mentions that this is relevant to a Samsung Display contract, it’s a safe bet that it’s based on sources working specifically with the display components, and they may not necessarily know whether production of iPhone X devices has resumed.

I mention all of that because, as far as I can tell, there’s a more obvious reason why Apple would suddenly need a bunch of brand new iPhone X display components: they recently launched a repair program for erratically-responding iPhone X displays.

Maybe sales of brand new iPhones really will be much lower this year compared to previous years. I have no financial or personal interest in specific sales figures; there could be loads of reasons for that. But this panic happens every year. You would think that context would be important.

Amazon.com is a Horrible Website

Katie Notopoulos, Buzzfeed:

And yet, somehow Amazon’s website, the place where it sells a gazillion things that make a gazillion dollars… sucks? The experience of shopping on the site itself fails in spectacularly stupid ways.

For a company that is quite arguably the most important at the moment, that touches infinite aspects of our daily lives — how we shop, the groceries we eat, the movies and TV shows we watch, how a massive amount of human labor is compensated, how our government’s postal system works — there are simply giant glaring holes in its main product: Amazon.com.

This is a terrific explanation of what I was referring to when I wrote that Amazon is a fine enough place to buy a specific product, but an awful place to shop.

Ryan Christoffel’s ‘Today at Apple’ Experience

Ryan Christoffel, MacStories:

It took nearly 18 months of Apple’s regular Today at Apple promotions through keynote events and press releases, but I finally had my interest in the program piqued. As I wrote earlier this month, whereas every other Apple product is analyzed to death by writers, podcasters, and YouTubers, the company’s retail stores and Today at Apple program are often ignored by tech media. But Apple’s increased trumpeting of its retail initiatives, in the face of a collective shrug from the press, made me wonder what exactly we’re all missing out on here. I mean, if the company is passionate enough about Today at Apple to host over 18,000 sessions per week, then there must be something special about the program.

So I attended my first session.

It might be hard to set aside the cynical view of “Today at Apple” as product tutorials in the company’s retail stores, but I think Christoffel’s experience is reflective of how great this can be for such a broad cross-section of customers. Whenever I’ve passed by my local Apple Store during one of these sessions, I’m struck by how crowded the tables get. I’m not sold on Apple’s — I think — overly-ambitious idea to make their stores feel like town squares; they’re stores, after all, operated by a single company. But there is something unique and truly good about their approach of bringing these custom creative exercises to all of their stores.

The Sextortion Bitcoin Email Scam

Brian Krebs in July:

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

Adam Engst, TidBits:

But not this message. The believability of this blackmail hinges on the fact that — in theory — only you know your password. If the blackmailer can know your password, you think, perhaps their other claims are true too. They’re not, but even people whose browsing habits are always G-rated often report a moment of panic. I presume those who still use ancient insecure passwords experience more than a moment of panic, and well they should.

The problem is that old stolen passwords are just the tip of the iceberg when it comes to information about us that’s readily available online. This blackmail spam combines only two bits of information — your email address and password. What happens when similar attacks expand the amount of information they use?

I’ve noticed a steady flow of these emails falling into my junk mail folder. They’re hilarious, but also deeply convincing. It’s trivial to find evidence that they seem to work, too, because you can look up someone’s Bitcoin wallet address in a blockchain explorer. While some of the Bitcoin addresses report an empty balance with no transactions, at least one of the ones I received had amassed over four Bitcoin from nearly forty deposits. That’s tens of thousands of dollars in just one wallet. Even if the wallet receives deposits from other sources, there is still a lot of money being made from this scam.

What Does It Mean for Facebook to Be at War?

Maya Kosoff, Vanity Fair:

The episode is revealing in that it suggests Zuckerberg still thinks Facebook’s core issue is a communications problem, rather than a substantive one. He’s seemed contrite in press calls and before lawmakers, professing to understand Facebook’s shortcomings as a product. But internally, his response to criticism is more self-righteous. During a Q&A session with employees last week, for example, Zuckerberg reportedly called recent negative coverage “bullshit.” He also reportedly blamed C.O.O. Sheryl Sandberg and her team for the “hysteria” that accompanied the revelation that millions of users’ personal data had been siphoned by Mercer-backed firm Cambridge Analytica, complaining that Facebook “wasn’t effectively managing the response.” (A person familiar with Zuckerberg’s thinking told the Journal that he does not recall using the word “hysteria.”) And he’s been frustrated at Facebook’s response to criticism over the past year, pressuring senior executives to “make progress faster” on issues like securing Facebook’s platform and reversing slow user growth. (In a statement to the Journal, a Facebook spokesperson said the company has “made massive investments in safety and security. While we know we have more work to do, we believe we’ve made progress.”)

Facebook’s executive team appears to view negative press coverage of the company as an affront — as though the media is the enemy — instead of recognizing these stories as the product of a decade-long series of decisions they have made. If Facebook were a country, it would be by far the most populous on the planet, but also among the least-accountable and most poorly-governed.

The worst part of the press’ coverage of Facebook’s faults is not that it is harsh, unfair, or critical. It is that it took until recently for Facebook and its peers to be seen as having the potential to be catastrophically destructive. It has now proven its power by not being willing to face its consequences.

For Nearly Two Years, Ajit Pai’s FCC Has Not Released a Previously-Annual Broadband Provider Report Card

Jon Brodkin, Ars Technica:

Nearly two years have passed since the Federal Communications Commission reported on whether broadband customers are getting the Internet speeds they pay for.

In 2011, the Obama-era FCC began measuring broadband speeds in nearly 7,000 consumer homes as part of the then-new Measuring Broadband America program. Each year from 2011 to 2016, the FCC released an annual report comparing the actual speeds customers received to the advertised speeds customers were promised by Comcast, Time Warner Cable, Verizon, AT&T, and other large ISPs.

But the FCC hasn’t released any new Measuring Broadband America reports since Republican Ajit Pai became the commission chairman in January 2017. Pai’s first year as chair was the first time the FCC failed to issue a new Measuring Broadband America report since the program started — though the FCC could release a new report before his second year as chair is complete.

Here’s something extra strange about this: if you go to the last-available report and replace “2016” with “2017” in the URL, it says that “public access to this page has been disabled by the content owner”. This isn’t a generic error page; if you change it to “2018” instead, you’ll see a blank page. It’s probably nothing exciting — it’s not like they would upload the entire report and then protect its access in a public setting — but I have, of course, filed a FOIA request.

These reports are critical to understanding the actual performance of internet service providers in the United States, and can help shed light on what effect the FCC’s policies have on broadband users.

Update: According to Marguerite Reardon of CNet, the FCC will release a new report tomorrow.

Update: Wednesday has come and gone without the release of said report. Shocker.

Gestures on the iPad

I liked this video by Matthew Cassinelli walking through several gestures on the iPad, but one thing I noticed is how — much like 3D Touch and clipboard gestures — they are difficult to discover. The multitasking ones, in particular, are hard to use from the home screen and Spotlight, and the ability to keep an app in a slide-over view feels awkward.[1]

I use a Windows PC at work and recently discovered a gesture where, if you select an app’s title bar and wiggle it, it will cause all other apps to minimize. I didn’t know this, so the first time it happened, I thought something had gone wrong. Luckily, I can’t see a way any of the gestures on iOS would necessarily feel destructive by accident, but they are hard to find. Unlike the mouse, there is nothing in the hardware that indicates that this new interaction paradigm is available. They arguably build upon the direct manipulation of iOS — you are literally dragging apps around the screen — but I’m not sure that they are obvious or clear enough. Imagine if multitasking in MacOS were as undiscoverable.

  1. Also, did you know that you can have the same app in slide-over and split view?

Axios Interviews Tim Cook

In an interview with Axios — which, despite being a well-funded website with an HBO television show, apparently cannot afford a tripod or, for that matter, a colourist — Tim Cook explored a few pet topics of the company. Most notably, he explained why Google has remained the default search engine in various places on MacOS and iOS, something that was criticised after his speech last month at the ICDPPC:

One, I think their search engine is the best. … But, two, look at what we’ve done with the controls we’ve built in. We have private web browsing. We have an intelligent tracker prevention. What we’ve tried to do is come up with ways to help our users through their course of the day. It’s not a perfect thing. I’d be the very first person to say that. But it goes a long way to helping.

There is something that will always be a little contradictory about Apple’s privacy stance if you view it from an absolutist perspective. If Google were not the default search engine in Safari but users were still able to select it as an option, would that be in conflict with how it views user privacy? Should they still allow apps from Google and Facebook in the App Store? It begins to feel like a Mister Gotcha strip.

Cook also acknowledged the likelihood of privacy regulations in the United States. It’s a good interview, but the Axios format doesn’t make for a particularly compelling read, though it’s better than watching it.

Kevin Alexander Found the Best Burger Place in America, Which Killed It

Kevin Alexander, in Thrillist:

In my office, I have a coffee mug from Stanich’s in Portland, Oregon. Under the restaurant name, it says “Great hamburgers since 1949.” The mug was given to me by Steve Stanich on the day I told him that, after eating 330 burgers during a 30-city search, I was naming Stanich’s cheeseburger the best burger in America. That same day, we filmed a short video to announce my pick. On camera, Stanich cried as he talked about how proud his parents would be. After the shoot, he handed me the mug, visibly moved. “My parents are thanking you from the grave,” he said, shaking my hand vigorously. When I left, I felt light and happy. I’d done a good thing.

Five months later, in a story in The Oregonian, restaurant critic Michael Russell detailed how Stanich’s had been forced to shut down. In the article, Steve Stanich called my burger award a curse, “the worst thing that’s ever happened to us.” He told a story about the country music singer Tim McGraw showing up one day, and not being able to serve him because there was a five hour wait for a burger. On January 2, 2018, Stanich shut down the restaurant for what he called a “two week deep cleaning.” Ten months later, Stanich’s is still closed. Now when I look at the Stanich’s mug in my office, I no longer feel light and happy. I feel like I’ve done a bad thing.

There seems to be no satisfactory or clean answer to the question of “what do reviewers leave behind?”; the reach of a reviewer with a global audience means that, much like geotagging Instagram photos, it has the ability to share something fantastic to such an extent that it ruins everything that made it good.

Update: It turns out that this story could have a far darker conclusion.

Transmit 5, the Mac App Store, and Privileged File Operations

Cabel Sasser of Panic:

But here’s something you might not know: the reasons we never put Transmit 5 in the App Store. They’re simple. We weren’t sure we could provide a good-enough Transmit experience under the stringent sandboxing security the App Store requires. And frankly, we weren’t sure Apple cared that much about the App Store on the Mac.

Since then, a lot has changed. macOS Mojave gave us a significantly improved App Store that caters to professionals like yourself and seems to treat apps with respect. And sandboxing has evolved enough that Transmit can be nearly feature-parity with its non-sandboxed cousin.

So, as we promised at WWDC: it was time to give this another go.

You can now get Transmit 5 on the Mac App Store!

But, there’s a twist…

The twist is that the Mac App Store version of Transmit is an annual subscription of about $25, instead of the $45 flat cost of buying directly from Panic. I have mixed feelings about that; I’m glad a one-time payment option is still available because, if I were still building websites full-time, I wouldn’t want a critical part of my workflow to evaporate if I unsubscribed. However, I can see the benefit from both Panic’s perspective, as well as for a user or agency that can consistently budget for the software.

There’s one more thing about the Mac App Store version that’s unique, and it’s how it encourages some flexibility in MacOS’ sandboxing.

Daniel Jalkut:

I downloaded Transmit even though I own a copy of the direct-purchase version. I wanted an answer to my question, which I got, at least partially, by dumping the application binary’s “entitlements”, which represent the sandboxing exceptions that the app has received.

New to me among the entitlements is “com.apple.developer.security.privileged-file-operations”, which is a boolean value set to true for Transmit. I don’t see any Google results for this key, so I’m assuming it’s something new that was added for Panic (and maybe BBEdit), and which may or may not be documented in the future for use by other developers.

Apple has a form on their developer site to request the privileged file operations entitlement.
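Entitlements are a property list embedded in the app's code signature (on a Mac, `codesign -d --entitlements :- <app>` prints them), so the kind of review Jalkut describes can be scripted. The following is an added example, not code from Panic, Jalkut or this site: it parses an entitlements plist, including a raw dump that still carries the signature blob header, and groups what the app was granted. The sample plist is constructed; only the privileged-file-operations key comes from the post.

```python
import plistlib
import struct

# Magic of the embedded-entitlements blob inside a Mach-O code signature
# (CSMAGIC_EMBEDDED_ENTITLEMENTS). A raw dump carries this 8-byte header
# (magic + total blob length, both big-endian) in front of the XML plist.
ENTITLEMENTS_BLOB_MAGIC = 0xFADE7171

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
SECURITY_PREFIX = "com.apple.security."
DEVELOPER_PREFIX = "com.apple.developer."

# Constructed sample, NOT Transmit's real entitlement set. Only the
# privileged-file-operations key is taken from the post quoted above.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.device.camera</key><false/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array><string>/Volumes/</string></array>
    <key>com.apple.developer.security.privileged-file-operations</key><true/>
</dict>
</plist>
"""

# The same constructed sample wrapped the way it sits inside the signature.
SAMPLE_BLOB = struct.pack(
    ">II", ENTITLEMENTS_BLOB_MAGIC, 8 + len(SAMPLE_ENTITLEMENTS)
) + SAMPLE_ENTITLEMENTS


def strip_blob_header(data: bytes) -> bytes:
    """Return the plist bytes, removing the signature blob header if present."""
    if len(data) >= 8:
        magic, length = struct.unpack(">II", data[:8])
        if magic == ENTITLEMENTS_BLOB_MAGIC:
            if length < 8 or length > len(data):
                raise ValueError("truncated or malformed entitlements blob")
            return data[8:length]
    return data


def load_entitlements(data: bytes) -> dict:
    """Parse an entitlements dump (plain plist or raw blob) into a dict."""
    entitlements = plistlib.loads(strip_blob_header(data))
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    return entitlements


def review_entitlements(entitlements: dict) -> dict:
    """Group granted entitlements by how much attention they deserve."""
    report = {
        "sandboxed": entitlements.get(SANDBOX_KEY) is True,
        "standard": [],              # ordinary sandbox capabilities
        "temporary_exceptions": [],  # holes punched in the sandbox
        "developer": [],             # com.apple.developer.* namespace
        "other": [],
    }
    for key in sorted(entitlements):
        value = entitlements[key]
        if key == SANDBOX_KEY or value is False:
            continue  # an explicit false means the entitlement is not granted
        if key.startswith(TEMP_EXCEPTION_PREFIX):
            report["temporary_exceptions"].append(key)
        elif key.startswith(SECURITY_PREFIX):
            report["standard"].append(key)
        elif key.startswith(DEVELOPER_PREFIX):
            report["developer"].append(key)
        else:
            report["other"].append(key)
    return report


def findings(report: dict) -> list:
    """Turn the grouped report into short lines a reviewer can act on."""
    lines = []
    if not report["sandboxed"]:
        lines.append("app is not sandboxed")
    for key in report["temporary_exceptions"]:
        lines.append("sandbox exception: " + key)
    for key in report["developer"]:
        lines.append("developer-namespace entitlement: " + key)
    return lines


if __name__ == "__main__":
    for line in findings(review_entitlements(load_entitlements(SAMPLE_BLOB))):
        print(line)
```

Comparing the report for two builds of the same app shows when a sandbox exception was added between releases.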

Amazon Made a Voice-Activated Microwave

I didn’t start this week intending to be kind of a jerk about Amazon nearly every day, but, well, they make it so easy. Take their newest creation: a microwave. Sarah Perez, TechCrunch:

Perhaps some microwaves may not have the most intuitive interfaces, but the learning curve isn’t steep. After the first time you learn to program the power level or enter in how many pounds of meat you’re defrosting, you generally retain that knowledge for later use.

But even if you don’t buy into the premise that microwave controls are a challenge to solve, there’s still the novelty aspect of the voice-activated microwave. If it takes the same or less time, but “feels fun,” some consumers may still buy it, I suppose. (???)

Unfortunately, it wasn’t really all that fun.

In fact, it was often frustrating.

I kind of get the idea behind this product. I don’t know anyone who uses the special function buttons on their microwave. But that’s not because it’s necessarily complicated to use those functions on a conventional microwave; it’s because anything beyond time entry adds unnecessary complication.

Also, this may say more about me than this product idea, but if I started telling friends and family when they came over that they should try talking to the microwave, they would think that I was pulling their leg.

I recently moved into a new apartment that came with a microwave because it’s one of those ones that doubles as a range hood. Every time I want to turn on the light above the stove, I have to actively remember that the button for that is on the microwave keypad. It’s ridiculous. All anyone I know wants from a microwave are buttons for time and a big “start” button — that’s it.

Everything on Amazon is Amazon

John Herrman, New York Times:

In the nearly 10 years since AmazonBasics arrived, the company has manifested an alternative brand reality, one both far more comprehensive and yet less conspicuous than those of its brick-and-mortar predecessors. (A family could mostly sustain itself on Kirkland products, but it would be abundantly aware it was living in Costco’s world.) This effort is broadly understood to have been a success, generating up to $7.5 billion this year and potentially $25 billion by 2022, according to analysis by SunTrust Robinson Humphrey.

Amazon-affiliated brands are promoted in search results on the site and inflated by reviews from Amazon’s Vine program, in which users receive items in exchange for their feedback. And, compared to better known competitors, they tend to be priced aggressively. In creating its own brands Amazon is indeed like any other large store. But Amazon isn’t any other large store. It’s Amazon: the world-historical logistical experiment that happens to call itself a store. It has unlimited shelf space and a boss with an eye on global domination. It tends to try a lot of things at once.

I’ve noticed that when I’m looking for something very specific — a refill pack of the exact heads my Oral B toothbrush requires, or a copy of the Gun Club’s “Mother Juno” LP — Amazon is a great place to comparison shop. Ideally, it’s less expensive and I don’t need the item, like, now; often, it’s about the same price as any store here and I do need the item, like, now.

But if I’m browsing more generally than that — if I’m looking for some kind of LED lightbulb, or a new sweater — Amazon is impossible. There’s lots of apparent choice, but it’s repetitive, overwhelming, and often from a brand I’ve never heard of at a suspiciously low price. It’s not long before I feel like I’m browsing the bin behind a factory that exclusively makes counterfeits. And there’s no indication that we want this much choice. It would be like if Apple Music advertised itself as having over a hundred million songs, but didn’t mention that eighty million of them are drunken karaoke performances of “Mambo No. 5”. It feels like a scam.

AT&T CEO Randall Stephenson Complains About Net Neutrality Laws Passed By States

Jon Brodkin, Ars Technica:

AT&T CEO Randall Stephenson yesterday urged Congress to pass net neutrality and consumer data privacy laws that would prevent states from issuing their own stricter laws.

“There are a number of states that are now passing their own legislation around privacy and, by the way, net neutrality,” Stephenson said in an interview at a Wall Street Journal tech conference (see video). “What would be a total disaster for the technology and innovation you see happening in Silicon Valley and elsewhere is to pick our head up and have 50 different sets of rules for companies trying to operate in the United States.”

Stephenson is right: net neutrality regulations would be simpler to comply with if they were implemented nationwide instead of on a per-state basis.

Amazon Selects Locations for Three New Offices

Amazon PR:

Amazon today announced that we have selected New York City and Arlington, Virginia, as the locations for our new headquarters. Amazon will invest $5 billion and create more than 50,000 jobs across the two new headquarters locations, with more than 25,000 employees each in New York City and Arlington. The new locations will join Seattle as the company’s three headquarters in North America. In addition, Amazon announced that it has selected Nashville for a new Center of Excellence for its Operations business, which is responsible for the company’s customer fulfillment, transportation, supply chain, and other similar activities. The Operations Center of Excellence in Nashville will create more than 5,000 jobs.

Scott Galloway:

Amazon’s HQ2 search was not a contest but a con. Amazon will soon have 3 HQs. And guess what? The Bezos family owns homes in all 3 cities. And, you’ll never believe it, the new HQs (if you can call them that) will be within a bike ride, or quick Uber, from Bezos’s homes in DC and NYC. The middle finger on Amazon’s other hand came into full view when they announced they were awarding their HQ to not one, but two cities. So, really, the search, and hyped media topic, should have been called “Two More Offices.” Only that’s not compelling and doesn’t sell. Would that story have become a news obsession for the last 14 months, garnering Amazon hundreds of millions in unearned media?

Both New York and Virginia have agreed to not charge the second highest-valued public company on Earth billions of dollars in taxes and give them ridiculous and unnecessary incentives, despite the already-strained infrastructure in those cities. This, just a year after Wisconsin did the same to attract a Foxconn plant which, ultimately, will fall far short of economic expectations used to justify tax breaks and subsidies there, because of course it will.

See Also: Derek Thompson in an article for the Atlantic arguing for a law prohibiting, as he puts it, “this sort of corporate bribery”.

Update: Benjamin Freed:

Under agreement between Amazon and Virginia, the commonwealth will give the company written notice about any FOIA requests “to allow the Company to seek a protective order or other appropriate remedy”.

Even for the high level of incentives that could be expected for Amazon’s PR stunt, concessions like these are extraordinary and set a highly dangerous precedent.

Apple Confirms That the T2 Chip Can Lock Macs With Invalid Logic Board or Touch ID Repairs

Nick Statt, the Verge:

The T2 is “a guillotine that [Apple is] holding over” product owners, iFixit CEO Kyle Wiens told The Verge over email. That’s because it’s the key to locking down Mac products by only allowing select replacement parts into the machine when they’ve come from an authorized source — a process that the T2 chip now checks for during post-repair reboot. “It’s very possible the goal is to exert more control over who can perform repairs by limiting access to parts,” Wiens said. “This could be an attempt to grab more market share from the independent repair providers. Or it could be a threat to keep their authorized network in line. We just don’t know.”

It’s unfortunate that those are the only two possibilities in Wiens’ mind: either Apple is being a dictator or an autocrat. “We just don’t know”. Is there any reason that could be less insidious and headline-grabbing, and more justifiable?

Apple confirmed to The Verge that this is the case for repairs involving certain components on newer Macs, like the logic board and Touch ID sensor, which is the first time the company has publicly acknowledged the new repair requirements for T2-equipped Macs. But Apple could not provide a list of repairs that required this or what devices were affected. It also couldn’t say whether it began this protocol with the iMac Pro’s introduction last year or if it’s a new policy instituted recently.

Apple is requiring that repairs involving security-sensitive components use genuine Apple parts and are verified after completion — I know that’s a somewhat less attention-grabbing story, but it is a more accurate take on what the company is doing here. That’s not to defend this practice, by the way. It’s understandable, given the prevalence of badly-made fake components that could compromise security, but I wish there were alternatives for those who don’t live close to an Apple Store.

Also, for what it’s worth, I think it’s slightly irresponsible to be quoting Wiens at length for stories like these without disclosing fully that iFixit sells replacement parts and servicing tools. I know that’s fairly widely-known, but journalists should disclose financial interests or other conflicts of interest that their sources might hold. I don’t think there’s anything shameful or untrustworthy about putting quotes in context.

Sam Rutherford’s Flexible Phone Pricing Standards

Sam Rutherford of Gizmodo, shortly after Apple announced their new iPhone lineup in September:

The new iPhones are here, and with them, Apple has once again pushed the price of smartphones even higher — especially the iPhone Xs Max which starts at $1,100 and goes all the way up to a staggering $1,450 if you upgrade to 512GB of storage.

This isn’t unusual for Rutherford; when the iPhone X was launched last year, he described its price as “eye-watering” and “outrageous”.

Rutherford today, reacting to the rumoured price of Samsung’s experimental foldable screen phone, in an article with the headline “Samsung’s First Flexible Phone Could Cost $1,700, and That Price Seems Totally Reasonable”:

That’s because Samsung’s flexible screen device — which has been dubbed the Galaxy F for now — may cost around 2 million won (about $1,760 U.S.) when it goes on sale in the first half of 2019, according to an estimate from Golden Bridge Investment published by the Korea Times.

That price may come as a major downer for people who have been searching for alternatives to the boring glass bricks we’ve been living with for the past decade or so. But if you consider the state of smartphones today, 2 million won doesn’t actually seem that outlandish.

Rutherford does a bunch of math based on guesses — like an assumption that the screen will withstand wear and tear for years — still ends up $350 short of the rumoured price of the flexible phone, and somehow just hand-waves that away.

I have absolutely no problem with anyone trying to justify to themselves the high price of a product they want. But you can bet that, if Apple were the ones launching an $1,800 phone that has two folding screens, Rutherford’s commentary would not be so glowing.

I don’t mean to pick on just one person, either. I just think it’s quite weird that it’s somehow less justifiable to charge a high price for a well-made and proven product that people actually want than it is for an experimental and gimmicky product.

An Unzipping Shortcut for iOS

Dr. Drang:

I’ve been planning to write a post about the new Apple products for over a week, but I keep getting distracted. Today, I went to Apple’s PR pages for the MacBook Air, the Mac mini, and the iPad Pro to download images and went off on another tangent. As usual, I will inflict that tangent on you.

Apple provides the product images as zipped archives, so when I clicked on the link in the press release, I was confronted with this “what do I do?” screen in Safari.

The efficient thing would have been to walk ten feet over to my iMac and download the zip files there, where they can be expanded with almost no thought. But I took the procrastinator’s way out, deciding to solve the problem of dealing with zip files on iOS once and for all.

This is one of those iOS things that has always driven me nuts, especially on my iPad. MacOS has unarchiving built into it; iOS pretends that it just doesn’t know what to do with any archive format.

iOS 11 slightly improved upon this with the introduction of the Files app. You can tap the “Preview Content” button and then tap the list button to see the contents of the archive.[1] Then you can select each file individually and then tap the share button to save each file individually. That’s not very efficient at all.

There are some unarchiving apps in the store, but they’re all pretty ropey. Drang’s shortcut is probably the best solution I’ve found so far, but this is one of those things that iOS should just be able to handle.

  1. Also, Files apparently thinks that “1” is followed by “10”, unlike the MacOS Finder.

Inside Apple’s New Macs

iFixit opened up Apple’s new MacBook Air and Mac Mini and there are some notable changes to the assembly methods of each. The Mini now has user-replaceable RAM, reversing Apple’s decision in 2014 to solder it directly to the board, while the Air differs from recent MacBook Pro models by allowing the battery to be replaced independently of the top case. Yes, storage is still mounted directly on the logic board, but it’s understandable from a security perspective — it is closely linked to the T2’s hardware encryption. (See update below.) Overall, these are small but welcome improvements to repair-averse recent production techniques.

Update: It doesn’t appear that the security features of the T2 necessarily prevent a Mac from having changeable internal storage — at least, not according to the security guide and, more tellingly, iFixit’s teardown of the iMac Pro.

Carrot Weather is the Best Weather App

Ben Brooks:

For a while now I have been bouncing back and forth between using Dark Sky and Hello Weather as my tools of choice. Then a few months ago, after seeing some new features (at the time) of CARROT Weather, I decided to give the quirky app a try. The thing about CARROT is that the entire aesthetic and tone of the app makes it seem like it’s not a serious app.

However, I’ve found that it is perhaps the best weather app. Allow me to explain why.

I’ve bounced around between a lot of weather apps, but Carrot has stuck with me for a long time now. It’s not just well-illustrated and hilarious — particularly if you turn the “personality” setting to “overkill”, as I immediately did upon finding said setting — it is information-dense and customizable, too. If you haven’t tried it yet, consider giving Carrot a shot.

How to Find and Manage App Subscriptions on iOS

In the wake of several apps abusing subscriptions, Charles Arthur put together a well-illustrated guide to finding the app subscriptions management screen on iOS. It isn’t in the App Store, nor can you search for it in Settings because it’s inside of a web view. Ryan Jones previously registered a single-serving domain that redirected to the subscription management screen, but Apple legal didn’t like that.

This needs to be easier. Subscriptions are an increasingly-relevant revenue model. It has been two years since Apple revised the terms of subscriptions to make them more developer-friendly, but the management UI for users has simply never been easily-found.

Ars Technica Interviews Anand Shimpi and Phil Schiller About the A12X

Samuel Axon, Ars Technica:

If you’ve read our iPad Pro review, you know most of those claims hold up. Apple’s latest iOS devices aren’t perfect, but even the platform’s biggest detractors recognize that the company is leading the market when it comes to mobile CPU and GPU performance—not by a little, but by a lot. It’s all done on custom silicon designed within Apple—a different approach than that taken by any mainstream Android or Windows device.

But not every consumer—even the “professional” target consumer of the iPad Pro—really groks the fact this gap is so big. How is this possible? What does this architecture actually look like? Why is Apple doing this, and how did it get here?

After the hardware announcements last week, Ars sat down with Anand Shimpi from Hardware Technologies at Apple and Apple’s Senior VP of Marketing Phil Schiller to ask. We wanted to hear exactly what Apple is trying to accomplish by making its own chips and how the A12X is architected. It turns out that the iPad Pro’s striking, console-level graphics performance and many of the other headlining features in new Apple devices (like FaceID and various augmented-reality applications) may not be possible any other way.

Every passing year that Intel drops the ball is another reinforcement that Apple’s $278 million purchase of P.A. Semi ten years ago was the deal of the century, especially when they announce that they’re building a MacBook on their own architecture.

AT&T to Cut Off Some Customers’ Service in Piracy Crackdown

Sara Fischer and David McCabe, Axios:

AT&T will alert a little more than a dozen customers within the next week or so that their service will be terminated due to copyright infringement, according to sources familiar with its plans.


AT&T owns a content network after its purchase of Time Warner earlier this year, an entity now called WarnerMedia. Content networks are typically responsible for issuing these types of allegations to internet service providers (ISPs) for them to address with their customers.

A source said it’s unclear whether WarnerMedia was involved directly in issuing piracy allegations in these instances, although it’s possible.

Studios and record labels have been fighting for ages to get users disconnected for copyright infringement. Many of them must be thrilled to now be owned by the same people who control internet access — frequently with little competition, leaving users with few or no alternatives.

The 2018 Mac Mini

Apple wisely seeded Marco Arment with a Mac Mini review model:

It’s the same size as the old one, which is the right tradeoff. I know zero Mac Mini owners who really need it to get smaller, and many who don’t want it to get fewer ports or worse performance.

The point of the Mac Mini is to be as versatile as possible, addressing lots of diverse and edge-case needs that the other Macs can’t with their vastly different form factors and more opinionated designs. The Mac Mini needs to be a utility product, not a design statement. (Although, even as someone tired of space-gray everything, I have to admit that the Mini looks fantastic in its new color.)

This new Mini is one of the best updates Apple has shipped recently for the Mac. I know it’s more expensive than the previous model, but I really think that this is a clear instance of “we don’t ship junk”. I say that not necessarily because it’s more powerful in CPU benchmarks than any other Mac, save the iMac Pro and the highest-end Mac Pro configuration — though that’s very nice — but because it’s a product that is very capable in almost every aspect. The only exception to that is graphics performance; but, if that’s important to your workflow, you can pick up an external GPU for maximum power in that regard and have a truly excellent, albeit highly modular, system. I don’t mean this as a slight: I hope the next update is not also four years in the making.

The biggest downside to the new Mac Mini, to my eyes, is that there are simply no good Thunderbolt 5K displays out there. That market just doesn’t exist yet.

An In-Depth Look at Apple’s New Map Data

A new post by Justin O’Beirne is an immediate must-read for me, and this latest one is no exception. In fact, it’s maybe the one I would most recommend because it’s an analysis of the first leg of a four-year project Apple unveiled earlier this year. Here’s what Matthew Panzarino wrote at the time for TechCrunch:

The coupling of high-resolution image data from car and satellite, plus a 3D point cloud, results in Apple now being able to produce full orthogonal reconstructions of city streets with textures in place. This is massively higher-resolution and easier to see, visually. And it’s synchronized with the “panoramic” images from the car, the satellite view and the raw data. These techniques are used in self-driving applications because they provide a really holistic view of what’s going on around the car. But the ortho view can do even more for human viewers of the data by allowing them to “see” through brush or tree cover that would normally obscure roads, buildings and addresses.


Regardless of how Apple is creating all of its buildings and other shapes, Apple is filling its map with so many of them that Google now looks empty in comparison. […]

And all of these details create the impression that Apple hasn’t just closed the gap with Google — but has, in many ways, exceeded it…


But for all of the detail Apple has added, it still doesn’t have some of the businesses and places that Google has.


This suggests that Apple isn’t algorithmically extracting businesses and other places out of the imagery its vans are collecting.

Instead, all of the businesses shown on Apple’s Markleeville map seem to be coming from Yelp, Apple’s primary place data provider.

Rebuilding Maps in such a comprehensive way is going to take some time, so I read O’Beirne’s analysis as a progress report. But, even keeping that in mind, it’s a little disappointing that what has seemingly been prioritized so far in this Maps update is to add more detailed shapes for terrain and foliage, rather than fixing what places are mapped and where they’re located. It isn’t as though progress isn’t being made, or that it’s entirely misdirected — roads are now far more accurate, buildings are recognizable, and city parks increasingly look like city parks — but the thing that frustrates me most about Apple Maps in my use is that the places I want to go are either incorrectly-placed, not there, or have inaccurate information like hours of operation.

Flickr Announces That It Will Only Keep Newest 1,000 Photos for Free Accounts Starting February 5, Alongside Service Improvements

SmugMug is making lots of changes to Flickr, which they acquired in April from Verizon, via Oath, via Yahoo. Yesterday, they announced that they would be supporting wide colour gamuts and moving to Amazon Web Services from Yahoo’s data centres; today, they said that they would — finally — disconnect from Yahoo’s account and login system.

But perhaps the biggest Flickr news of today is the discontinuation of the virtually-unlimited terabyte of storage offered to free accounts. Andrew Stadlen, Flickr’s VP of product:

Beginning January 8, 2019, Free accounts will be limited to 1,000 photos and videos. If you need unlimited storage, you’ll need to upgrade to Flickr Pro.


Second, you can tell a lot about a product by how it makes money. Giving away vast amounts of storage creates data that can be sold to advertisers, with the inevitable result being that advertisers’ interests are prioritized over yours. Reducing the free storage offering ensures that we run Flickr on subscriptions, which guarantees that our focus is always on how to make your experience better. SmugMug, the photography company that recently acquired Flickr from Yahoo, has long had a saying that resonates deeply with the Flickr team and the way we believe we can best serve your needs: “You are not our product. You are our priority.” We want to build features and experiences that delight you, not our advertisers; ensuring that our members are also our customers makes this possible.

This decision is understandable, but it is a little confusing: what happens to your pictures if you, like I, have an account that exceeds the thousand-photo limit? A footnote on Flickr’s announcement page goes partway towards explaining:

Free members with more than 1,000 photos or videos uploaded to Flickr have until Tuesday, January 8, 2019, to upgrade to Pro or download content over the limit. After January 8, 2019, members over the limit will no longer be able to upload new photos to Flickr. After February 5, 2019, free accounts that contain over 1,000 photos or videos will have content actively deleted — starting from oldest to newest date uploaded — to meet the new limit.

It sounds like they’re just going to literally delete older photos past the limit, which is pretty wild. It’s not every day that a company tells its users that, in the near future, it’s going to start deleting their data.

But what remains unanswered is if they are truly erasing old photos or if they’re just hiding them from public and user view. I would assume that, if you do pay for a Pro subscription after the February 5 deadline, these photos would once again be visible, but I don’t know that for sure. It is also unclear if there are changes for users with expired pro subscriptions. I’ve reached out to SmugMug and will update this post if I hear back with answers.

In the interim, my suggestion is to download your photos and videos, just to be safe. Head to your Flickr settings and click the button to request your account data.

Facebook’s Political Ad Transparency Efforts Are Woefully Poor

William Turton, Vice:

One of Facebook’s major efforts to add transparency to political advertisements is a required “Paid for by” disclosure at the top of each ad supposedly telling users who is paying for political ads that show up in their news feeds.

But on the eve of the 2018 midterm elections, a VICE News investigation found the “Paid for by” feature is easily manipulated and appears to allow anyone to lie about who is paying for a political ad, or to pose as someone paying for the ad.

To test it, VICE News applied to buy fake ads on behalf of all 100 sitting U.S. senators, including ads “Paid for by” by Mitch McConnell and Chuck Schumer. Facebook’s approvals were bipartisan: All 100 sailed through the system, indicating that just about anyone can buy an ad identified as “Paid for by” by a major U.S. politician.

Allen Tan:

Feature built to curb abuse relies on… people and organizations using it in good faith.

If you can’t trust organizations trying to manipulate elections by preying on individuals’ trust in apparently honest discourse at this tense time in the world, who can you trust?


There’s a lot to discuss following today’s Apple event in New York, but one thing, in particular, that I’d like to highlight is how they promoted external display capabilities as one reason for the change on the new iPad Pro to a USB-C connector from Apple’s proprietary Lightning connector. It’s something John Ternus mentioned a few times onstage but, oddly, this capability is only shown in the video on the iPad Pro’s marketing webpages and it has barely been given a passing mention in the company’s press release.

Even with the limited information available, I think this speaks to Apple’s greater ambitions for the iPad as much as — or even more than — the power and software improvements they’ve made over the past few years. The future of the computer probably looks a lot like plugging a display into an iPad and using a connected keyboard and perhaps a trackpad with a different UI.

This isn’t entirely revolutionary; Microsoft has been pursuing a similar strategy with their Surface line for years. The critical difference, I think, is that the Surface was born of a desktop-and-laptop world, while the iPad was derived from a smartphone. In 2012, I wrote a piece where I proposed — poorly — that the reason the iPad was selling well where Microsoft’s tablet efforts, at the time, were not was that the common criticism of the iPad as a bigger iPhone was actually an advantage.

If there is a smartphone-to-desktop continuum, with the tablet somewhere in the middle, Microsoft has long approached it as skinning Windows with touch drivers and bigger buttons, while Apple chose to start by making a touchscreen phone and build up from there.

The vestiges of these differing approaches are clearly evident today. There are still plenty of examples of Windows feeling like a desktop operating system even when running on a tablet; and there are lots of places throughout iOS that feel like upscaled smartphone interfaces.

Looking beyond that, though, what is plausibly within reach in the next few years is a culmination of efforts to overhaul the way we think about computers. Apple has, for years, been touting the iPad as the computer of the future — the pioneer in the post-PC era. But the product has not necessarily matched the company’s rhetoric, largely because it’s still trying to grow out of the smartphone-based constraints that are primarily exposed in software; that’s the root of where most of its limitations still lie.

If the scenario I outlined above is, indeed, the way Apple sees the future of this product line, there’s still a long way to go: multitasking isn’t there yet, the keyboard remains an afterthought, an iPad isn’t as information-dense because its controls still need to be touch-friendly, and so on. But there are clues that Apple is very serious about the iPad as a replacement computer. USB-C and the singling-out of external display support is one such indicator, I feel; iOS 11 brought the Dock to the iPad, which makes it feel much faster for switching between apps; and there are some iPad-specific Springboard improvements destined for iOS 13 that ought to shake things up.

Taking a step back, I think it’s worth addressing how far behind the iPad’s software has felt compared to the hardware, as far as telling a complete and elegant story about using it as a full Mac replacement. The new iPad Pro models look wildly impressive — like pure slabs of magic internet-connected glass. But the software has evolved far slower. A big reason for this is, I believe, that using iOS as the basis for the future of personal computers has required a rethink of every system paradigm taken for granted on the Mac. I don’t think it has been universally successful. But I do truly believe that building iOS up as opposed to breaking MacOS down — that is, adding functionality within a made-for-touch framework rather than glomming touch onto MacOS — will prove to be a wise choice in the coming years.

iOS 12’s Security Improvements Impede GrayKey Passcode Cracking Functionality

Thomas Brewster of Forbes broke the news of the existence of GrayKey in March, and has been covering it brilliantly since:

Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.

Previously, GrayKey used “brute forcing” techniques to guess passcodes and had found a way to get around Apple’s protections preventing such repeat guesses. But no more. And if it’s impossible for GrayKey, which counts an ex-Apple security engineer among its founders, it’s a safe assumption few can break iPhone passcodes.

That last sentence requires two more words: “for now”. That’s how it works. After a security threat is revealed, it is patched; repeat constantly until the end of time. The biggest difference here is that there’s an enormous market for iOS vulnerabilities due to its high grade of security and its popularity, so it is not in the best interests of those who find these vulnerabilities to report them to Apple or disclose them publicly.

That, in part, is why the method by which Apple prevented GrayKey from working is just as mysterious as the means by which GrayKey worked in the first place. It’s also why it is plausible that there is a vulnerability just as insidious in every iOS device out there that won’t get reported to Apple for fixing if it’s good enough for Grayshift or Cellebrite to buy.

Hundreds of Popular Android Apps Part of Multimillion-Dollar Ad Fraud Scheme

Craig Silverman, Buzzfeed:

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off.


Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin.

“I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell.

A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.)

Giant klaxons are already blaring in my head and this doesn’t even concern the actual — you know — fraud part of the story. The ability to migrate apps and their entire user bases to different developers is an alarming security risk, particularly with the broad use of automatic update mechanisms. This reminds me of when the Stylish browser extension was sold to a new owner that immediately saddled it with spyware. Users should be made fully aware of an ownership change and some sort of action on the user’s part ought to be required for them to update to a newer version of the software.


One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.


App metrics firm AppsFlyer estimated that between $700 million and $800 million was stolen from mobile apps alone in the first quarter of this year, a 30% increase over the previous year. Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent. Overall, Juniper Research estimates $19 billion will be stolen this year by digital ad fraudsters, but others believe the actual figure could be three times that.

In other forms of advertising, spots are pre-sold for a specific fee based only on an estimated audience. If yet another vacuum-packed mattress company buys ads in an episode of a podcast, it doesn’t matter whether that episode is downloaded ten thousand times or a hundred thousand times — the mattress company will have paid the same price for that spot. Sponsoring later episodes might cost them more if there are an increasing number of listeners, or the podcaster may cut them a deal for multiple sponsorships, but there isn’t a real-time bidding scheme. It’s the same for print and television. Effectiveness in terms of action taken is harder to measure directly, but that encourages advertisers and creative firms to make something eye-catching and memorable.

For most online advertising, though, this is completely backwards: advertisers are charged and ad placements are paid out based on how many views or clicks there have been, not how many there are expected to be. This makes it much harder to differentiate fraudulent behaviour from honest views. It typically requires more tracking in order to be able to model real human behaviour — something that was defeated in this case. And, according to a recent report produced for Radiocentre — a trade group for British commercial radio stations — online ads of all types are completely ineffective (PDF).1

In general, the incentives of online advertising encourage fraud, clickbait, and spyware. This will continue to be the case so long as these ads are behaviourally targeted, and are paid for based directly on the number of views and clicks.

  1. One side effect of the ineffectiveness of online ads is that a huge industry has been built on the basis of creating ads that don’t look like ads. Social media “influencers”, native advertising, and content marketing all fall into this bucket. They’re generally just as unmemorable as other online advertising, but with the added bonus of feeling scummier and more manipulative because they aren’t obviously ads.

Apple News’ Reliance on Human Editors Reduces Misinformation in the App

Apple granted Jack Nicas of the New York Times a rare glimpse inside its Apple News team’s editorial discussions:

Apple has waded into the messy world of news with a service that is read regularly by roughly 90 million people. But while Google, Facebook and Twitter have come under intense scrutiny for their disproportionate — and sometimes harmful — influence over the spread of information, Apple has so far avoided controversy. One big reason is that while its Silicon Valley peers rely on machines and algorithms to pick headlines, Apple uses humans like [editor in chief Lauren Kern].


That approach also led Apple News to not run an ABC News bombshell in December about Robert Mueller’s investigation into the Trump campaign’s ties to Russia. The story alleged that former national security adviser Michael Flynn was prepared to testify that Mr. Trump had directed him to contact Russian officials during the 2016 campaign. It rocketed across the internet, boosted by Google, Facebook and Twitter, before ABC News retracted it.

Ms. Kern said she and her team did not run the story because they didn’t trust it. Why? It’s not a formula that can be baked into an algorithm, she said.

“I mean, you read a story and it doesn’t quite pass the smell test,” she said.

There has been a rush to make much of the world driven by machine learning because we now can do that, but seemingly few of the people who are in a position to make decisions about this have actually questioned whether we should be letting algorithms replace thought. Apple’s solution is imperfect, but it certainly helps reduce the likelihood of embarrassing blunders — even Apple itself can learn from that.

Tim Cook Speaks About Privacy at ICDPPC

Jon Brodkin, Ars Technica:

Apple CEO Tim Cook today called on the US government to pass “a comprehensive federal privacy law,” saying that tech companies that collect wide swaths of user data are engaging in surveillance.

Speaking at the International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Brussels, Cook said that businesses are creating “an enduring digital profile” of each user and that the trade of such data “has exploded into a data-industrial complex.”

“This is surveillance,” Cook said. “And these stockpiles of personal data serve only to enrich the companies that collect them. This should make us very uncomfortable.”

Apple is, of course, imperfect in this regard: while they try to restrict the ways in which app developers may collect sensitive data, there are plenty of apps that still ask for access to your contact list, ostensibly to allow you to find friends using the same app or service, but without clearly indicating how they will treat that list over a long term; and, as others have mentioned, they have retained Google as the default search provider in Safari on all platforms. The latter is particularly hard to reconcile — last year, they changed web searches made through Siri or Apple Search from Bing to Google. Google reportedly paid Apple $9 billion in 2018 for this privilege, which feels a little bit like a bribe to collect Safari users’ personal information.

On the other hand, Apple has made strides to reduce users’ dependency on Google. The website suggestions that appear as you type in the address bar are not driven by Google, but by Apple’s own web crawler; the suggestions in Search on iOS for things like the weather and sports scores are also not powered by Google. Apple has also continued to roll out privacy protections in Safari with features like Intelligent Tracking Prevention.

Natasha Singer of the New York Times, on Twitter:

It’s much easier to be a privacy hawk when your business doesn’t depend on surveillance-based advertising. Even so, Tim Cook’s critique of the “data industrial complex” is a watershed for tech industry discourse.

It’s also much easier to not build a business dependent on surveillance when you are a privacy hawk.

Cook’s speech reads to me as an honest representation of his own stance and Apple’s ideals about how data ought to be collected and stored. Privacy does not seem like an add-on, but an integral part of the company’s development processes. It is a principled stance.

iPhone XR Reviews Roundup

Embargoes for reviews of the iPhone XR were lifted this morning and John Voorhees of MacStories collected some of the more notable excerpts. Based on everything I’ve read, it sounds like you’re getting virtually all of the experience of an iPhone XS Max in a slightly smaller, far more colourful, and vastly less-expensive device with a not-as-spectacular-but-still-excellent display. All of that sounds great.

But there is one thing eating at me with this new iPhone lineup: the starting price for a current model year iPhone is now $50 more than last year, and $100 more than two years prior. It’s as though they’ve dropped the entry-level model and are starting at what was previously Plus model pricing. In Canada, the difference is even more pronounced — for the first time, you cannot get a current model year iPhone for under $1,000. The iPhone XR might be the least-expensive iPhone Apple launched this year, but it is by no means a budget device.

That’s not to say that it’s necessarily the wrong move from a unit sales perspective. Presales of the XR seem strong, and every indication — including the rapidly-rising average selling price — indicates that the iPhone X and XS models have sold very well indeed. It is arguably indicative of how much we value our smartphones compared to any other consumer electronics device. But it also means that getting into the iPhone ecosystem at the base model flagship level has become markedly more pricey.

There are two ways of looking at this: Apple has made more affordable the iPhone X design and features, and Apple has dramatically increased the base price of an iPhone.

Other News Organizations Have Tried But Are Not Able to Corroborate Bloomberg’s Story

Erik Wemple, Washington Post:

According to a [Bloomberg] company source, editorial staff has been “frustrated” that competing news organizations haven’t managed to match the scoop. Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. (The Post did run a story summarizing Bloomberg’s findings, along with various denials and official skepticism.) It behooves such outlets to dispatch entire teams to search for corroboration: If, indeed, it’s true that China has embarked on this sort of attack, there will be a long tail of implications. No self-respecting news organization will want to be left out of those stories. “Unlike software, hardware leaves behind a good trail of evidence. If somebody decides to go down that path, it means that they don’t care about the consequences,” Stathakopoulos says.

In the face of challenges to the story’s veracity, Bloomberg has commissioned additional reporting to reinforce its initial findings. One of the story’s reporters, for example, contacted a former Apple employee on Oct. 10 seeking information on the alleged purge of Supermicro servers, according to correspondence reviewed by the Erik Wemple Blog. We asked Bloomberg about any additional reporting on the alleged hack. “We do not comment on our unpublished newsgathering, editorial processes, or plans for future reporting,” replied a company spokeswoman.

Michael Riley, one of the reporters on the story, quickly asserted after the story’s publication that the physical evidence assured that corroborating stories would soon be published. Not only has that not happened, it’s the inverse that has: source after source raising doubts about the accuracy of the story’s core arguments. This isn’t just embarrassing, it’s toxic to Bloomberg’s credibility and the often-necessary use of sources speaking only on background.

In Interview With Buzzfeed News, Tim Cook Calls for Retraction of Bloomberg ‘Big Hack’ Story

John Paczkowski and Joseph Bernstein, Buzzfeed:

The result has been an impasse between some of the world’s most powerful corporations and a highly respected news organization, even in the face of questions from Congress. On Thursday evening, an indignant Cook further ratcheted up the tension in response to an inquiry from BuzzFeed News.

“There is no truth in their story about Apple,” Cook told BuzzFeed News in a phone interview. “They need to do the right thing and retract it.”

This is an extraordinary statement from Cook and Apple. The company has never previously publicly (though it may have done so privately) called for the retraction of a news story — even in cases where the stories have had major errors or were demonstrably false, such as a This American Life episode that was shown to be fabricated.

What’s wild to me is, if Bloomberg’s story is completely true, no other news organization has been able to independently corroborate it — even in part. Reporters at the New York Times, Wall Street Journal, and Financial Times all have terrific sources within the tech companies concerned, the Chinese supply chain, and the American government. Surely, if the story is as Bloomberg describes, one of those publications ought to be able to use the story as a starting point to confirm either an ongoing investigation or the existence of the suspicious components, right? Or how about well-connected infosec and supply chain experts — why haven’t they, as Buzzfeed reports, been able to echo any of Bloomberg’s claims?

This is one of the most baffling sagas I can remember. Either the supply chain is hosed and companies like Apple and Amazon really have no idea, they do know and their executives are covering it up in flagrant violation of the law, or an esteemed news organization fucked up to an immense degree. If it’s the latter, Bloomberg is doing itself no favours by continuing to stand by its increasingly dubious reporting.

How did Bloomberg get this so wrong?

Apple Announces October 30 Event in New York

I think these invitations are great. Many companies have strict guidelines that prohibit any transformation of their logo but, because of the ubiquity and simplicity of the Apple logo, they’re able to produce dozens of variations — some more successful than others.

The opera house at the Brooklyn Academy of Music is an interesting venue choice, largely because it’s not in the Bay Area. With the creative theme of the invitations and the venue, new iPad Pros seem like a given for this event. I’m also hoping for new desktop Macs: a refreshed iMac and a completely new Mac Mini seem like safe bets. I wouldn’t expect to hear anything about the Mac Pro or new displays at this event.

Update: If that rumoured Retina display-equipped MacBook Air is slated for this event as well, I’m interested to see how that’s pitched.

Chartbeat: Social Media Referrals Are Down, but Direct Traffic Is Up

Sara Fischer, Axios:

The big picture: Since January 2017, per Chartbeat…

  • Twitter and Facebook have declined in their share of traffic sent to news sites.

  • Facebook traffic to publishers is down so much (nearly 40%) that according to Chartbeat, “a user is now more likely to find your content through your mobile website or app than from Facebook.”

  • Google Search on mobile has grown more than 2x, helping guide users to stories on publishers’ owned and operated channels.

  • Direct mobile traffic to publishers’ websites and apps has also steadily grown by more than 30%.

The declining influence of social networks is a promising sign, but their dominance over publishers’ business decisions should be heeded as a warning — particularly with the rising influence of Google Search, Google News, and Apple News.

Lawsuit Alleges Facebook Inflated Video Ad Viewing Times for Over a Year

Rachel England, Engadget:

It all comes down to the way Facebook initially reported the average viewing time of video ads. During the original investigation, it was found that the company only counted video views that lasted more than three seconds when calculating its “average duration of video viewed” metric. Views under three seconds weren’t factored in, thereby inflating the average length of a view. Facebook disclosed the issue in 2016, claiming it had “recently discovered” the error.

After reviewing some 80,000 pages of internal Facebook records, obtained as part of court proceedings, Crowd Siren now claims that Facebook had not only known about the issue for over a year, but had massively underestimated its miscalculations. The company told some advertisers it overestimated average time spent watching videos by 60% to 80%. The plaintiffs, however, believe that figure is much larger, and that average viewership metrics had been inflated by as much as 900%.

This occurred at roughly the same time a bunch of publishers decided to “pivot to video” — that is, to lay off reporters, writers, and editors and hire a bunch of video producers in their place. Over a longer term, it became clear that this change was driven by ad dollars rather than audience interest, to great detriment to the industry.

It’s a terrible idea to be dependent on traffic from platforms beyond a publisher’s control; it is also awful that Facebook — allegedly — failed to correct the effectiveness of their video platform for a year while paying publishers to buoy it.

See Also: Laura Hazard Owen, Nieman Lab:

It’s impossible to say whether media executives felt the way we did, or whether they actually did watch a lot of news video and truly believed it was the future. What is clear, however, is that plenty of news publishers made major editorial decisions and laid off writers based on what they believed to be unstoppable trends that would apply to the news business.

Concerns Linger About MacBook Pro Keyboards

Casey Johnston, the Outline:

[…] Every time I described the 2017 MacBook Pro I sold because I couldn’t stand its non-functional keyboard and asked an Apple store employee if the new one would screw me over the same way, each assured me that Apple had changed the keyboards so that that would never happen again. I described my issues with “dust” to one shop associate at the Apple Store at the World Trade Center and asked if the new computers were any better. “Yeah, yeah, they fixed that problem… it was a BIG problem,” she told me. “So it doesn’t happen at all?” I asked. “No, it shouldn’t happen,” she said. Maybe the bad days were finally over.

But checking around online, it appears the new keyboards have the same old issues. They may be delayed, but they happen nonetheless. The MacRumors forum has a long thread about the “gen 3 butterfly keyboard” where users have been sharing their experiences since Apple updated the design. “How is everyone lse’s keyboard doing? I rplaced th first one because ‘E’ and ‘O’ gave double output. The replacment ither eats “E”, “O”, “I” and “T”, or doubles them,” wrote one poster. “I didn’t correct the typos above on purpose.”

It’s pretty wild that the Apple Store employee would admit to anyone that this was a “big problem”, given how often Apple has emphasized that it was a small percentage of users and that the silicone membrane in the 2018 models is just for quieter typing — though, in service documentation, they copped to its debris-fighting intention.

This is my favourite quoted response from that MacRumors thread:

“That’s just plain reckless,” responded a third. “I mean he took a laptop from a closed apartment to a balcony. It was probably an open balcony. Does he think that a laptop is a portable computer or what?!?”

The nature of online reviews and Mac enthusiast forum users, in general, tends to draw out negative experiences in a sort of shared commiseration experience. There aren’t loads of people who will chime in with their flawless keyboard experience. But, even if a smaller number of 2018 MacBook Pro owners are finding their computers susceptible to dust-induced keyboard failures compared to 2016 or 2017 model year users, these problems are still unique to the ultra low profile “butterfly” mechanism used in these models and are not present in previous generations of keyboards. This is a serious regression of one of its single most critical components. These are not good keyboards.

Johnston’s thoughts on the current Apple notebook lineup echo my own:

[…] The MacBook is aesthetic but underpowered; the Air is an outdated design paradigm, a “thin and light” notebook that has the worst performance-to-weight-to-cost tradeoff of all the computers Apple makes, but the only one left with a decent keyboard; the MacBook Pro fails at being a Pro in a number of ways (a small number of ports that almost always require dongles, garbage battery life), not least of which is that the keyboard stops working after a couple of months for many people. Every laptop offering has serious tradeoffs, none of them are compellingly priced, and most are just old.

The MacBook today fills the same slot as the MacBook Air of 2008, and vice-versa. Neither represents a massive upgrade for me over my mid-2012 MacBook Air for my changed workflow. The MacBook Pro has a worrisome keyboard, and it’s extremely expensive: a base 15-inch PowerBook in 2004 cost $2,649 in Canada, the 2007 15-inch MacBook Pro started at $2,199, and the Retina 15-inch MacBook Pro started at $2,449 in 2015. But the new 15-inchers start at $3,199. That’s a big leap; Apple’s 15-inch portables haven’t been that expensive since the early 2000s.

More than anything I’m confused by the current Mac lineup. It feels all out of sorts — almost as if each model were handled by a separate team with its own shipping deadline and requirements. There isn’t a clear rubric. I don’t think the lineup needs to go back to the Jobs quadrant, but it ought to be easier to buy a computer than the current lineup permits.

Facebook Acknowledges That Contact Details of Twenty-Nine Million Users Were Stolen

Guy Rosen of Facebook followed up on their earlier disclosure of their security breach in a post euphemistically titled “An Update on the Security Issue”. They have to use the definite article “the security issue”, never “our security issue”.1 Anyway:

The attackers used a portion of these 400,000 people’s lists of friends to steal access tokens for about 30 million people. For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.

A portion of users have also had their Facebook Messenger conversation names and contacts compromised, and if they were an admin of a page, any messages to that page might be compromised as well. Katie Notopoulos and Nicole Nguyen of Buzzfeed have put together a great article on how to tell if you’re one of the users impacted.

Earlier this week, Facebook launched an always-on microphone with an attached camera.

  1. I feel a little gross for interpolating Fight Club.

Google Has Continued Its Growth in Europe Post-GDPR, While the Prevalence of Other Trackers Has Been Cut

Natasha Lomas, TechCrunch:

For the GDPR analysis, the team compared the prevalence of trackers one month before and one month after the introduction of the regulation, looking at the top 2,000 domains visited by EU or US residents.

On the tracker numbers front, they found that the average number of trackers per page dropped by almost 4% for EU web users from April to July.

Whereas the opposite was true in the US, where the average number of trackers per page rose by more than 8 percent over the same period.


Summing up their findings, Cliqz and Ghostery write: “For users this means that while the number of trackers asking for access to their data is decreasing, a tiny few (including Google) are getting even more of their data.”

This builds upon and somewhat echoes earlier reporting that GDPR would actually help Google and Facebook compared to their smaller competitors. That’s not surprising: GDPR requires individual companies to get an explicit opt-in from users for ad targeting and tracking, and that’s a lot easier to do when you’re Google or Facebook. It’s also something that can be addressed through greater antitrust enforcement, if the E.U. wishes to pursue more direct targeting of the mass surveillance business models of those two companies.

The Anatomy of a Click

As part of my morning review of news headlines, I like to read Charles Arthur’s excellent Overspill link roundup. In today’s edition, he linked to a fascinating-looking piece by James Ball in the Huffington Post called “The Anatomy of a Click” about programmatic advertising and all of the automated bidding that happens when you click. So I did.

I was greeted first by the burdensome opt-in advertising screen for Oath, the Huffington Post’s parent company. GDPR may require website owners to give visitors choices, but this is just egregious, and shows the scale of Oath’s operation. They don’t make it easy to simply opt out of all targeting and tracking. This is why ad blockers are popular.

Then I noticed the URL, which now contained all sorts of referral information and tracking data.

The article itself is part of a section called “Digital Life”, which is sponsored by Microsoft — a company that runs a targeted programmatic advertising platform and allows Oath ads on its platforms, including in Windows. That’s what the people who make the big money call “synergy”, or “synchronicity”, or whatever.

If you look in your Web Inspector, you’ll notice that the article phones home to several trackers and contains loads of programmatic advertising. That makes it especially rich when you read to the bottom of what is generally a well-written explanation of how the market works:

The whole situation is summarised by data protection expert and privacy advocate Johnny Ryan.

“Every single time a person loads a page on a website that uses ‘programmatic’ advertising, information about what they are reading and the device they use is broadcast to a large number of adtech companies, who then do God knows what with it,” he explains.


“In GDPR terms, this “programmatic advertising” is a vast and ongoing data breach, and it means that everyone involved can be subject to an investigation by Elizabeth Denham, the Information Commissioner, and can be taken to court by Internet users.”

I’m not completely stupid; I understand why many websites — including this one — have analytics software and ads. But it is worth pointing out, and not solely to toot my own horn, that there is a vast difference between a “dumb” ad plus one or two analytics packages that do their best to anonymize traffic and respect Do Not Track, compared to the monstrosities created by companies like Oath and the Huffington Post that collect and distribute your browsing history on behalf of dozens of third parties in ways that are beyond your control.

You may, quite rightly, point out that the Huffington Post is not the pinnacle of journalism. But I would argue that the standards of the web should not be so low that we ought to tolerate privacy-invasive behaviour from anyone. And, for what it’s worth, practitioners of great journalism like the Washington Post and the Financial Times also have an egregious record when it comes to online tracking. It is their responsibility to give readers the best possible information, written as well as they can, and publish it on the safest and most reader-friendly platform available.

Two Angles on Apple Product Repairs

Joe Rossignol, MacRumors:

Due to advanced security features of the Apple T2 chip, iMac Pro and 2018 MacBook Pro models must pass Apple diagnostics for certain repairs to be completed, according to an internal document from Apple obtained by MacRumors.

For the 2018 MacBook Pro, the requirement applies to repairs involving the display, logic board, Touch ID, and top case, which includes the keyboard, battery, trackpad, and speakers, according to the document. For the iMac Pro, the requirement only applies to logic board and flash storage repairs.

If any of these parts are repaired in an iMac Pro or 2018 MacBook Pro, and the Apple diagnostics are not run, this will result in an inoperative system and an incomplete repair, according to Apple’s directive to service providers.

Apple’s diagnostic suite is limited to internal use by Apple Stores and Apple Authorized Service Providers, as part of what is called the Apple Service Toolkit. As a result, independent repair shops without Apple certification may be unable to repair certain parts on the iMac Pro and 2018 MacBook Pro.

Adam O’Camb of iFixit:

This service document certainly paints a grim picture, but ever the optimists, we headed down to our friendly local Apple Store and bought a brand new 2018 13” MacBook Pro Touch Bar unit. Then we disassembled it and traded displays with our teardown unit from this summer. To our surprise, the displays and MacBooks functioned normally in every combination we tried. We also updated to Mojave and swapped logic boards with the same results.

That’s a promising sign, and it means the sky isn’t quite falling — yet. But as we’ve learned, nothing is certain. Apple has a string of software-blocked repair scandals under its belt, including the device-disabling Error 53, a functionality-throttling Batterygate, and repeated feature-disabling incidents. It’s very possible that a future software update could render these “incomplete repairs” inoperative, and who knows when, or if, a fix will follow.

FUD aside, this is pretty good reporting: Apple’s repair guides say that, for security reasons, many of the components of the iMac Pro and 2018 MacBook Pro must pass a software diagnostics check after replacement; iFixit tested this and found it not to be the case that the product becomes inoperable, even though Apple’s guidance suggests that it will.

Maintaining the security of components like the keyboard, Touch ID sensor, and logic board seems completely fair to me. Even if Bloomberg’s recent report on compromised Supermicro servers from China turns out not to be exactly as described, it’s completely plausible for cheap parts to contain malicious components — HP’s laptops had a keylogger preinstalled, and there were reports last year that inexpensive replacement phone screens could track a user’s touch input.

But I also completely understand the value of right-to-repair legislation. Sometimes, a Genius Bar appointment is difficult to make either because they’re fully booked or there isn’t an Apple or Apple-certified store in your area. Other times, Apple’s retail staff may suggest needlessly expensive replacements when a simpler fix could be found by more experienced independent technicians.

Rather than compromising the security and privacy of their products, I’d like to see more progress made on certifying independent technicians and making Apple’s official tools more accessible. The security threat model isn’t the same as it once was; your phone probably has a lot more information on it than your computer of ten years ago. Yes, it’s more complicated to replace parts now, but it’s not entirely because companies like Apple want to lock out independent repair shops. Apple’s diagnostic tools could play a great role in this: imagine if you could take a printed report of a successful repair and type in a serial number on Apple’s website to verify that your device was serviced with genuine parts and passed Apple’s testing.

For a different story, Wayne Ma at the Information has a look inside the world of iPhone repair fraud in China. It’s paywalled, but Benjamin Mayo of 9to5Mac has a good summary. Ma:

Five years ago, Apple was forced to temporarily close what was then its only retail store in Shenzhen, China, after it was besieged by lines of hundreds of customers waiting to swap broken iPhones for new devices, according to two former Apple employees who were briefed about the matter. In May 2013, the Shenzhen store logged more than 2,000 warranty claims a week, more than any other Apple retail store in the world, one of those people said.

After some investigation, Apple discovered the skyrocketing requests for replacements was due to a highly sophisticated fraud scheme run by organized teams. Rings of thieves were buying or stealing iPhones and removing valuable components like CPUs, screens and logic boards, replacing them with fake components or even chewing gum wrappers, more than a half-dozen former employees familiar with the fraud said. The thieves would then return the iPhones, claiming they were broken, and receive replacements they could then resell, according to three of those people. The stolen components, meanwhile, were used in refurbished iPhones sold in smaller cities across China, two of the people said.

These criminals were so sophisticated that they resorted to bribing employees and acquiring the serial numbers of iPhones in China to support this scheme.

Ma’s report also helps explain my frustrating support experience at my local Apple Store:

To slow down fraud at its retail stores — a main point of vulnerability — Apple developed a reservation system, which required customers to make appointments online with proof of ownership before they could file claims, according to more than 10 former Apple employees. However, the system was soon swamped with hackers who exploited vulnerabilities in its website to snap up the time slots, one of the people said.

It’s unfortunate that many of the things that used to make Apple’s stores a completely different retail experience — the virtually untethered demo units, easy-to-access support, “surprise and delight”, and a comparatively relaxed staff presence — are being watered down either by crime or for what can often feel like financial reasons.

Assorted Updates Regarding Bloomberg’s ‘Big Hack’ Story

I was going to split these updates into several posts, but there are so many and they all fit around similar narratives that it makes more sense to bundle them together. Previously, I wrote a little about Bloomberg’s massive report and tech companies’ responses. After that came government corroboration of the companies’ statements, as well as a report from Buzzfeed that indicated that senior Apple executives were confused by Bloomberg’s findings.

Yesterday, George Stathakopoulos, Apple’s vice president of information security, sent a letter to Congress reiterating their claim that they have not found malicious hardware planted in their servers, and that they have neither contacted the FBI nor been contacted by the FBI about these concerns — this is clearly contrary to Bloomberg’s specific claim that “two of the senior Apple insiders say the company reported the incident to the FBI”. I cannot find any wiggle room in either statement on that matter.

One of the few sources in Bloomberg’s story that was willing to be named has now appeared on a podcast where he expresses concern over how his hypothetical ideas about how a piece of hardware like this might work have seemingly been entirely realized in the final article.

The team of Jordan Robertson and Michael Riley have a new article out today in Bloomberg that claims that a U.S. telecommunications company found manipulated Supermicro hardware in their possession two months ago:

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said.

Robertson and Riley stress that this is not an identical manipulation to the type described in their earlier story, but it tracks closely: hardware on a Supermicro board that could be used to siphon or reroute data.

However, Jason Koebler, Joseph Cox, and Lorenzo Franceschi-Bicchierai of Vice contacted American telecom companies and, so far, all are denying that Bloomberg’s report could possibly describe them. A source at Apple also told them that they launched another internal investigation after the story was published and they still can’t find any evidence of what Robertson and Riley are claiming.

For what it’s worth, I don’t want Robertson and Riley to have egg on their faces. I hope the story is not entirely as described because, if it is, it is truly one of the biggest security breaches in modern history — Supermicro has supplied a lot of servers to industry giants. But I don’t want the reporters to be wrong; Bloomberg has a great reputation for publishing rigorously-researched and fact-checked longform stories; I don’t want to have lingering doubts about their future reporting. And I’m not defending the biggest corporations in the world out of loyalty or denial — they have PR teams for that, and should absolutely be criticized when relevant. And I think the central point of the article — that it is a staggering risk for the supply chain of a vast majority of the world’s goods to be monopolized by an authoritarian and privacy-averse government — is absolutely worth taking seriously.

But something about this story is not adding up. It doesn’t make sense as-is. I want to see more evidence and a corroborating third-party judgement. Bloomberg — and Michael Riley, in fact — appear to have gotten stories like this one wrong before. I hope that isn’t the case here, despite the terrifying reality if it is, indeed, completely true.

Update: Robert M. Lee was previously contacted by the same journalists regarding other stories while working at the NSA. He thought they were well-meaning, but duped by unsupported theories that didn’t withstand technical scrutiny.

Apple Releases iOS 12.0.1

This update fixes some WiFi, Bluetooth, and iPhone XS charging bugs; but, the best fix is this, documented by John Voorhees at MacStories:

iOS 12.0.1 includes a small design change on the iPad too. With the iOS 12 update, the ‘.?123’ key was moved. With version 12.0.1, that key has been restored to its previous position on the software keyboard.

For the first few days of running the iOS 12 beta, I didn’t notice this change. I did, however, notice the effects of this change. I couldn’t work out why I was suddenly inserting a lot more emoji into anything I was writing on my iPad until I looked at an old screenshot and figured out that the key for symbols and punctuation had been swapped with the emoji key. Presumably, this was changed for consistency with the 12.9-inch iPad Pro, but it upset seven years of iPad typing muscle memory.

Anyway, now that’s fixed and I can delete from my still-in-progress iOS 12 review the three paragraphs I spent pointing out what a terrible change this was.

Google Exposed Data of Half a Million Users Until March but Didn’t Disclose It Because They Feared ‘Regulatory Interest’

Douglas MacMillan and Robert McMillan, Wall Street Journal:

Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.

As part of its response to the incident, the Alphabet Inc. unit plans to announce a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+, the people said. The move effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook Inc. and is widely seen as one of Google’s biggest failures.

A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, according to the documents and people briefed on the incident. A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.

Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.

That this disclosure wasn’t made until today — seven months after this breach was noticed — is unconscionable. But it is outrageous that the reason for not disclosing it in the first place was that they wanted to hide it from the law, and that Pichai knew about it.

By the way, because Google tried so hard to make Google Plus work, it’s possible that your Google account — if you have one — is a Google Plus profile. You can disconnect it; Google calls it “downgrading”.

This is a fitting end to a bad product managed by people who were almost explicit in their intention for it to collect boatloads more information for advertisers.

Update: Brian McCullough:

Has anyone made this point yet? Pichai refused to testify to congress because he couldn’t. He would have either had to perjure himself or reveal this bug in real time before the committee.

I thought it was just strategic brilliance to let Facebook take all the heat. No, it was next level cowardice. One wonders if they really thought they could whistle past the graveyard on this. In which case, also next level hubris.

Pichai is now scheduled to testify before Congress in November.

Update: Jack Wellborn:

I can’t help but think that by taking 7 months to publicly disclose this breach, this incident makes Google seem somewhat hypocritical given their strict Project Zero policy to disclose vulnerabilities 90-days when patches aren’t released.

After a Year of Stories Confirming the Logical Consequences of Collecting All of Your Personal Information, Facebook Introduces an Always-Listening Assistant With a Video Camera

Nicole Nguyen, Buzzfeed:

Today, Facebook — which is still reeling from the fallout of the Cambridge Analytica data scandal and last month’s massive security breach — announced a voice-activated gadget with a screen, always-listening microphone, and camera designed for video chat called Facebook Portal. It’s like an Amazon Echo Show for Facebook Messenger.

There are two models: a small 10-inch Portal ($199) and a larger 15-inch Portal+ ($349), which can rotate to portrait or landscape orientations.

Saying a simple command, “Hey Portal,” and then the name of the person you’d like to call, starts a video chat. The camera has the ability to track people when they enter the room, and it can pan, widen, and zoom automatically. The devices also include the always-listening Alexa, Amazon’s voice assistant, and can be used to control smart home devices and offer weather information.

Nobody should buy this product. Moreover, it’s absurd that Facebook would think that now would be a terrific time to introduce an always-listening box with a camera — no matter how many reassuring bullet points they slap on a marketing webpage.

Apple Insiders Say Nobody Internally or at the FBI Knows What’s Going on With Bloomberg’s Story

John Paczkowski and Charlie Warzel, Buzzfeed:

Reached by BuzzFeed News, multiple Apple sources — three of them very senior executives who work on the security and legal teams — said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them.


Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation — Bloomberg wrote that Apple “reported the incident to the FBI.” A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person’s purview and responsibilities are of such a high level that it’s unlikely they would not have been aware of government outreach.

Guy Faulconbridge and Joseph Menn, Reuters:

Apple’s recently retired general counsel, Bruce Sewell, told Reuters he called the FBI’s then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Super Micro Computer Inc, a hardware maker whose products Bloomberg said were implanted with malicious Chinese chips.

“I got on the phone with him personally and said, ‘Do you know anything about this?’” Sewell said of his conversation with Baker. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”

Reuters also reports that a division of GCHQ, Britain’s signals intelligence agency, does not presently doubt Apple and Amazon’s denials. Here’s the score so far:

  • Bloomberg is sticking by its reporting that modified circuit boards with potentially devastating security concerns were found by Apple and Amazon in servers of theirs supplied by and made for Supermicro. They also stand by the existence of cooperation between the tech companies and the FBI in an investigation that has been going on for years.

  • Apple and Amazon have both denied specific allegations in Bloomberg’s story, and have refuted its overall premise. Amazon’s chief information security officer and, now, Apple’s former senior-most legal counsel have put their names behind categorical denials of finding manipulated hardware in their data centres and having any knowledge of an FBI investigation, respectively.

  • Apple’s former legal representative has also said that a senior contact at the FBI told him that they didn’t know anything about this story.

  • British intelligence says that they believe Apple and Amazon’s statements at this time.

  • The U.S. administration has seized upon Bloomberg’s report to continue their campaign of criticism of the Chinese government.

That’s a lot of reputable organisations — and the American government — who have staked their credibility on widely varying accounts of the veracity of this story.

Update: Now the U.S. Department of Homeland Security is echoing the British viewpoint in support of the ostensibly affected companies’ statements, even while the Vice President is using Bloomberg’s report for political purposes.

Thinking About Bloomberg’s Report on Hardware Vulnerabilities in Servers Made in China

Jordan Robertson and Michael Riley of Bloomberg today published a startling report alleging that servers made in China for Supermicro and used by — amongst others — Apple, Amazon, and U.S. federal government agencies have been found to surreptitiously carry tiny chips, likely for backdoor access by the Chinese government, and installed without the knowledge of the companies through deep infiltration into the electronics supply chain. The report also states that individuals at Apple and Amazon discovered this several years ago, did not immediately make changes to their infrastructure, and are working with law enforcement and intelligence agencies, but none of this has been previously disclosed.

If these allegations are true, this would represent one of the most significant national security breaches in decades. Its effects could extend beyond current U.S. sanctions in place on Chinese-made electronic components to the entire electronics supply chain, the vast majority of which is based in China. It would also imply that massive amounts of Apple and Amazon customer data may have been at risk without public acknowledgement, though the report states that “[no] consumer data is known to have been stolen”.

Robertson and Riley:

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.” The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries. In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

These allegations are precise, comprehensive, and are clearly based on tremendous investigative reporting. However, the comments issued by Apple and Amazon have been uncharacteristically detailed as well.

Apple published their un-bylined responses to Bloomberg’s questions at various times throughout the reporting process:

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.

This response unequivocally refutes specific allegations made in the Bloomberg report. This isn’t one of those stories where Apple’s PR team is being cagey or not commenting; they’re calling the story flat-out false. And the same is true for Amazon’s statement:

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.

This statement was attributed to Steve Schmidt, Amazon’s chief information security officer and a former FBI section chief.

Supermicro and the Chinese government also issued denials of Bloomberg’s report. The cynical response is something like: of course these companies are denying an extremely sensitive report, whether because it’s embarrassing or due to a law enforcement requirement. But neither situation appears to be the case here. Apple confirmed in their statement that they are not under any sort of gag order that would prevent them from being able to comment on this.

Furthermore, Apple and Amazon are publicly-traded companies and, as a result, lying in public statements such as these would be an SEC violation. These aren’t the typical if-you-squint-it-could-be-seen-as-accurate statements that big companies’ PR teams typically release as damage control. They are wholesale rejections of key arguments in Bloomberg’s reporting: Bloomberg says that hardware modifications and malicious chips were found by Amazon and Apple in their servers; Amazon and Apple say that no hardware modifications or malicious chips were found in their servers. There’s not a lot of room for ambiguity.

This story has been rattling around my head all day today. My early thought was that perhaps the Bloomberg reporters did a Judith Miller. Maybe their government sources had a specific angle they wished to present to create a political case against China or in favour of further sanctions — or actions far more serious — and needed a credible third-party, like a news organization, to create a story like this. But Robertson and Riley’s seventeen sources include several individuals at Amazon and Apple with intimate knowledge of the apparent discovery of unauthorized hardware modifications, something they later confirmed in a statement to Alex Cranz of Gizmodo. This doesn’t seem likely.

Zack Whittaker in TechCrunch points to a couple of ways that these statements may technically be accurate, and how the reporting may be true as well:

Naturally, people are skeptical of this “spy chip” story. On one side you have Bloomberg’s decades-long stellar reputation and reporting acumen, a thoroughly researched story citing more than a dozen sources — some inside the government and out — and presenting enough evidence to present a convincing case.

On the other, the sources are anonymous — likely because the information they shared wasn’t theirs to share or it was classified, putting sources in risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say “a source familiar with the matter” because it weakens the story. It’s the reason reporters will tag names to spokespeople or officials so that it holds the powers accountable for their words. And, the denials from the companies themselves — though transparently published in full by Bloomberg — are not bulletproof in outright rejection of the story’s claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance — turning the story from an evidence-based report into a “he said, she said” situation.

Indeed, Kieren McCarthy of the Register did a fine job parsing each company’s statements, albeit with his usual unique flair. But, though there is absolutely some wiggle-room in each denial, there are remarks made by each company that, were they found to be wrong, would be simple lies.

There are aspects of Robertson and Riley’s reporting that are consistent with previously-acknowledged problems and security concerns with Supermicro’s servers. Early last year, Amir Efrati of the Information reported that Apple was removing Supermicro’s servers from its data centres after a compromised firmware update the previous year. Robertson and Riley are reporting tonight that a Supermicro software update server was infiltrated in 2015; the same report also reiterates that Apple found hardware vulnerabilities on their servers.

This is a complicated story and apparently just the first in a series. My hope is that we’ll know more details soon, and a clearer picture of the truth will emerge. Right now, however, the credibility of a news organization and two trillion-dollar companies is on the line. But the nugget of this story — that outsourced and complex supply chains are prone to abuse due to bad actors and lack of oversight — is a known problem that isn’t taken anywhere near as seriously as it should be. In the garment industry, it’s at least partially responsible for deadly yet preventable incidents. In electronics, the prospect of compromised parts was once science fiction; it may now be reality.

Jason Koebler and Joseph Cox, Vice:

In 2005, the Pentagon warned in a report that outsourcing electronics manufacturing to China could become a problem for America, because of the risk of hardware “tampering.” America has largely lost the ability to create many of the electronics we use everyday — Donald Trump famously asked Apple CEO Tim Cook why the iPhone isn’t made in America, but it’s not clear that the United States is even capable of making iPhones in America at any sort of scale.

China’s cheap, skilled labor, manufacturing infrastructure, and vast rare Earth mineral-mining operations around the world have secured its spot as the high-tech manufacturing hub of the world. This of course has had many benefits for the United States and American companies, but it’s also a great risk.

There is a clear theoretical lesson in all of this, which is that monopolization of anything is extraordinarily risky and often self-destructive. Witness, for example, the ongoing debate over how much moderation power should be exerted by Facebook over posts made on the platform — it’s a difficult question to answer with any certainty in large part because it’s a decision that affects billions of users and a large chunk of worldwide communications. In the case of an apparently-compromised electronics supply chain with decades of highly-specialized knowledge and located in a country governed by an oppressive regime, any resolution is going to be painfully difficult. Outsourcing has deep flaws; even Bloomberg’s website is witness to that. Either manufacturing of these components becomes increasingly diversified or, more likely, far greater control and oversight is required by companies and end-client governments alike.

Mainstream Advertising is Still Showing Up on Conspiracy and Extremist Websites

Craig Timberg, Elizabeth Dwoskin and Andrew Ba Tran, Washington Post:

Jihadi rapists. Muslim invaders. Faked mass shootings. Pizzagate.

Somebody browsing highly partisan websites in recent weeks could have seen articles about all of these subjects — and on the same pages seen cheerful green ads for the Girl Scouts, bearing the slogan “Helping Girls Change the World!”

Such juxtapositions, documented by a Washington Post review of advertising on hundreds of websites, are more than simply jarring. They are products of online advertising systems that regularly put mainstream ads alongside content from the political fringes — and dollars in the pockets of those producing polarizing and politically charged headlines.

Because this is the Post, they use a rather mild description of the kind of horseshit they found mainstream advertisers implicitly supporting. Jeep, Hertz, and the Girl Scouts wouldn’t sponsor a Ku Klux Klan rally; if an ad agency supporting them put their banners up at an extremist’s event, they would be fired. Yet Google somehow has poor control over which websites may use AdSense, especially at the scale at which they operate:

Google says it does not serve ads on sites that feature hate speech, including bullying, harassment or content deemed derogatory or dangerous, and it prohibits publishers that misrepresent their identities. Last year, Google removed 320,000 publishers from the ad network for policy violations and blacklisted nearly 90,000 websites and 700,000 mobile apps, it said.

Those are huge numbers, but so are the numbers in their quarterly earnings report (PDF). I’m not suggesting that Google should be a non-profit, but they certainly can afford more moderators to review what websites are allowed to be in the AdSense program.

As it stands now, advertisers must manually blacklist websites and categories of sites that they don’t wish to see their ads on. If Steven Black’s hosts file is any guidance, that’s a lot of properties that must be blacklisted. Surely it would be more efficient for Google, instead, to quarantine every domain on that list that’s part of their AdSense program.

Update: The unwillingness of ad networks to be more judicious about where their ads may be used might have something to do with how hard it is for them to be held accountable by non-technical users. Think about how hard it is to know — without looking at a site’s markup — which ad network is supporting a website.

I imagine if every placement were required to have visible attribution, ad networks would be a lot more careful about which sites would be allowed. The first time “Powered by Google” appeared on some freelance propagandist’s website or a crank doctor’s bad advice on vaccinations, you know that users would notice.

MacOS Mojave Archaeology

“Uluroo” collected a series of examples of oddities and legacy support in MacOS. My favourite — other than the continued availability of a degauss function in Mojave — is their commentary on Dashboard:

Dashboard is still skeuomorphic. This surprises Uluroo a lot, given that iOS 7 killed skeuomorphism completely on the iPhone five years ago.

Many of Dashboard’s built-in widgets have a refreshingly retro, though inconsistent, aesthetic: Stocks, Dictionary, Weather, Calculator, Calendar, and more all look like they’ve gone untouched since the days of Scott Forstall. The World Clock widget’s second hand moves in the same way as a real clock, rather than moving in a smooth, uninterrupted motion like in iOS and watchOS. Apple still has a built-in “Tile Game” widget. Uluroo wonders if Dashboard will ever be updated to behave more like the Mac’s version of Control Center, or if Apple just doesn’t care much about it anymore.

The surprising thing, for me, about Dashboard is not that it continues to be skeuomorphic; it’s that it exists at all without a single update for years. What was once a top-line feature of Tiger has become abandonware.

(Via Michael Tsai.)

Increased Exclusivity Arrangements Correlate With the Reversal of a Downward Trend of File Sharing

Cam Cullen of Sandvine, a network management and analytics company:

In the first Global Internet Phenomena Report in 2011, file sharing was huge on fixed networks and tiny on mobile. In the Americas, for example, 52.01% of upstream traffic on fixed networks and 3.83% of all upstream mobile traffic was BitTorrent. In Europe, it was even more, with 59.68% of upstream on fixed and 17.03% on mobile. By 2015, those numbers had fallen significantly, with Americas being 26.83% on the upstream and Europe being 21.08% on just fixed networks. During the intervening year, traffic volume has grown drastically on the upstream, with more social sharing, video streaming, OTT messaging, and even gaming on it.

That trend appears to be reversing, especially outside of the Americas. In this edition of the Phenomena report, we will reveal how file sharing is back.

From the report (PDF):

We will talk quite a bit about video in this report, but it is important to highlight the diversity of video streaming traffic around the world. Although Netflix and YouTube are still the largest names in streaming (as you will see in the reports) there is an ever growing number of other streaming providers capturing consumer screen time.

This video diversity trend has led directly to the continued relevance of file sharing, which is still a major source of internet traffic. Consumers that cannot afford to subscribe to all of the different services turn to file sharing to get the latest content, even as governments attempt to shut down sharing sites.

At about $10 per month — give or take — per subscription, those costs begin to add up quickly, especially if users are only choosing a service or channel for one or two shows. This doesn’t seem realistic or sustainable as a long-term industry plan.

Vice News’ Interview With Tim Cook

Elle Reeve of Vice sat down with Tim Cook at Apple’s Grand Central Terminal store to discuss privacy, regulation, and the company’s decision to kick Alex Jones’ extremist fact-free fairy tales off its platforms. There’s one exchange I’d like to highlight, regarding Apple in China:

Reeve: In terms of privacy as a human right, does that apply to how you do business in China?

Cook: It absolutely does. Encryption, for us, is the same in every country in the world. We don’t design encryption […] for the U.S., and do it differently everywhere else. It’s the same. [So] if you send a message in China, it’s encrypted, [and] I can’t produce the content. I can’t produce it in the United States either. If you lock your phone in China, I can’t open it.

The thing in China that some people have confused is certain countries — and China is one of them — has a requirement that data from local citizens has to be kept in China. We worked with a Chinese company to provide iCloud. But the keys, which is the “key”, so to speak — pardon the pun — are ours.

Reeve: But haven’t they moved to China? Meaning: it’s much easier for the Chinese government to get to them.

Cook: Now, I wouldn’t get caught up in “where’s the location of it?” I mean, we have servers located in many different countries in the world. They’re not easier to get data from being in one country versus the next. The key question is [sic]: “how does the encryption process work?” and “who owns the keys, if anyone?” In most cases, for us, you and the receiver own the keys.

Apple’s executives are generally plainspoken and direct. Cook injects more corporate speak into his interview responses than, for example, Steve Jobs or Phil Schiller, but he still generally says what he means and avoids obfuscating. So it’s noticeable — and notable — when any Apple executive is cagey, as is the case here.

Cook’s response to Reeve’s second question sidesteps the comparative ease with which Chinese authorities can now demand access to users’ data because they no longer have to go through the stricter legal system of the United States. That appears to be a pretty significant concern to simply gloss over. Of similar concern is that the Chinese company that Apple partnered with to offer iCloud in the country is owned and operated by the Guizhou provincial government.

I don’t think it’s fair to say that Chinese users’ privacy is not subject to compromise. The actual method of encryption may not be any different or weaker than in other countries, but the requirement to store keys in the country behind weaker legal protections for users makes it, in practice, less strong. It is not a product of Apple’s own doing, and the only way they would be able to wipe their hands clean is to entirely discontinue iCloud and other internet services in China. I don’t know that it would be right — it’s likely that the replacement services chosen by users would be far worse for privacy — but it would mean that the company has no implicit connection to complying with a regime that has a piss-poor track record on human rights.

U.S. Justice Department Sues Hours After California Signs Strong Net Neutrality Law

Jazmine Ulloa, Los Angeles Times:

News that the governor signed the ambitious new law was swiftly met with an aggressive response from Justice Department officials, who announced soon afterward that they were suing California to block the regulations. The state law prohibits broadband and wireless companies from blocking, throttling or otherwise hindering access to internet content, and from favoring some websites over others by charging for faster speeds.


The bill’s August passage in the Legislature capped months of feuding between tech advocates and telecom industry lobbyists. Telecom giants such as AT&T and Verizon Communications poured millions into killing the legislation, while grass-roots activists fought back with crowdsourced funding and social media campaigns.

After Comcast and Verizon asked, the FCC was only too happy to prevent states from enacting their own net neutrality legislation. As far as I can tell, the DoJ hasn’t tried to block Washington’s similar law yet.

See Also: Jerri-Lynn Scofield’s summary and overview; Cecilia Kang’s reporting.

And Also: Karl Bode at TechDirt.

New Zealand Customs Authorities Can Now Demand Device Passwords, and May Copy and Review Data

Asha McLean, ZDNet:

The New Zealand Customs Service this week received new powers at the country’s borders, including the ability to demand a password off a passenger to search their “electronic device”.

Customs officers have always been able to search a passenger’s laptop or phone, but the changes to the Customs and Excise Act 2018 now specify that passengers must hand over their password.


Customs now also has the right to copy, in addition to review, the data stored on the device, and can also confiscate it to conduct a further search.

New Zealand isn’t the first place I’d think of as becoming a draconian country for visitors, but I was clearly myopic. If you’re travelling these days, it’s advisable — if you have the means — to travel with devices containing nothing more than their operating systems, and use a well-secured cloud service to store any files you might need while in transit, including your keychain. While New Zealand’s revised customs act does not permit them to download remote data, they could obtain a copy of your keychain which is typically encrypted with the same user account password you would have provided.

You can change your keychain password to be different if you wish, but you will likely need to reenter its password frequently, and it likely won’t protect you against legislation like this — but, alas, I am not a lawyer.

A Deep Exploration of the iPhone XS Camera System

Sebastiaan de With, writing on the Halide blog:

An iPhone XS will over- and underexpose the shot, get fast shots to freeze motion and retain sharpness across the frame and grab every best part of all these frames to create one image. That’s what you get out of the iPhone XS camera, and that’s what makes it so powerful at taking photos in situations where you usually lose details because of mixed light or strong contrast.

This isn’t the slight adjustment of Auto HDR on the iPhone X. This is a whole new look, a drastic departure from the “look” of every iPhone before it. In a sense, a whole new camera.

I don’t think this different look is a regression by any means — in fact, all of the photos I’ve seen from the iPhone XS indicate that this is a massive upgrade — but it is different. The rear cameras have large enough sensors and lenses that they are able to compensate for the higher noise created by faster shutter speeds through more intense noise reduction while preserving detail. When it comes to the front-facing camera’s much smaller sensor, though, it appears that the noise reduction is tuned to be a little more aggressive than expected, and it sounds like Apple is tweaking it.

One tip for RAW shooters:

To add insult to injury, iPhone XS sensor’s noise is just a bit stronger and more colorful than that of the iPhone X.

This isn’t the kind of noise we can easily remove in post-processing. This isn’t the gentle, film-like grain we previously saw in iPhone X and iPhone 8 RAW files.

As it stands today, if you shoot RAW with an iPhone XS, you need to go manual and under-expose. Otherwise you’ll end up with RAWs worse than Smart HDR JPEGs. All third-party camera apps are affected. Bizarrely, RAW files from the iPhone X are better than those from the iPhone XS.

With its bigger sensor, you should be able to get more detail out of an iPhone XS RAW image. But because this camera system is tuned to merge multiple exposures, it’s not quite as straightforward. This is a great piece for iPhone photographers.

At Least Fifty to Ninety Million Facebook User Accounts’ Access Tokens Compromised

Julia Carrie Wong, the Guardian:

Nearly 50m Facebook accounts were compromised by an attack that gave hackers the ability to take over users’ accounts, Facebook revealed on Friday.

The breach was discovered by Facebook engineers on Tuesday 25 September, the company said, and patched on Thursday. Users whose accounts were affected will be notified by Facebook. Those users will be logged out of their accounts and required to log back in.


The security breach is believed to be the largest in Facebook’s history and is particularly severe because the attackers stole “access tokens”, a kind of security key that allows users to stay logged into Facebook over multiple browsing sessions without entering their password every time. Possessing a token allows an attacker to take full control of the victim’s account, including logging into third-party applications that use Facebook Login.

Lorenzo Franceschi-Bicchierai and Jason Koebler, Vice:

“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, told reporters on a press call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”

The hackers took advantage of three distinct vulnerabilities chained together in order to steal the tokens, Rosen said.

The vulnerabilities have existed since at least July 2017 and were related to Facebook’s “View As” tool, which allows you to view your own profile as if you were someone else (this is a privacy feature—it allows, for example, you to check whether your ex, or grandma, or anyone who you want to hide things from can see certain posts on your page.)

Brian Krebs:

Facebook said it was removing the insecure “View As” feature, and resetting the access tokens of 50 million accounts that the company said it knows were affected, as well as the tokens for another 40 million users that may have been impacted over the past year.

Who thought it was a good idea to allow basically one company, for which the most infamous slogan is “move fast and break things”, to grow to unprecedented scale with the personal information of billions of users and non-users with little to no regulation or oversight?

Silly Selfie Surreptitious Skin Smoothing Scandal

I guess that’s what the “S” in “iPhone XS” stands for.

Kif Leswing of Business Insider dedicated the vast majority of an article to an apparent controversy surrounding the images coming off the iPhone XS’ front-facing camera:

According to Apple, the selfie camera system on the iPhone X uses faster sensors, improved chips, and “advanced algorithms” to make your photos look better with a feature called “Smart HDR.”

But some people who have received the new iPhone XS say that the new selfie camera makes them look too good — so good that they think Apple must have added a “beauty mode” filter to the camera’s algorithms to smooth the subject’s skin.

Beauty mode is a feature on a lot of phones and apps that are popular in Asia, like Samsung devices or apps like Meitu or FaceTune. It smooths out and brightens your skin so you look a little more polished on social media.

Several quotes from Lewis Hilsenteger — the Unbox Therapy guy — and Twitter embeds presented without skepticism later, Leswing gets to a more rational reason:

Apple declined to comment on the record when reached by Business Insider, but some people on the Reddit and MacRumors threads say the effect people are seeing isn’t a beauty filter, but is instead part of the new iPhone noise reduction capabilities.


This suggests that perhaps if a photo is taken with more light, the smoothing would appear less prominent. A test run on Thursday in natural daylight did show a less pronounced smoothing effect.

So, despite several uncritically-presented social media posts and giving a -gate-suffixed name to this whole thing, it’s nothing? I am, of course, shocked by Business Insider’s apparent lack of journalistic scruples.

Oh, but Leswing couldn’t just leave it at that:

Apple is unlikely to force a so-called “beauty mode” on iPhone camera users — after all, if people really want to apply filters like that to a photo, they can download any number of apps that do it, like FaceTune, which is one of the best-selling paid apps in the App Store.

Still, beauty filter features are popular in Asia, a region where Apple needs to excel to justify its $1 trillion valuation, even if the effects from apps like Meitu are far more pronounced than what online observers say is happening on iPhones.

Why must there be a storyline and a contrived justification for Apple’s overly-aggressive noise reduction? People generally like smoother pictures because they give the impression of clarity, and will tolerate a lack of detail at typical viewing sizes more than they will a grainy photo. That’s basically it. I wouldn’t be surprised if Apple dials that back if they receive enough complaints that it’s too aggressive, but the idea that this is Apple’s big new controversy over this year’s iPhones is patently ridiculous.

Reading the Tea Leaves

In contrast to most WWDCs I can remember, the mood surrounding this year’s conference seemed more anxious, with developers’ excitement for learning the future of Apple’s platforms muted by a blockbuster Mark Gurman report late last year:

Starting as early as next year, software developers will be able to design a single application that works with a touchscreen or mouse and trackpad depending on whether it’s running on the iPhone and iPad operating system or on Mac hardware, according to people familiar with the matter.

What that meant nobody seemed to know. I think Gus Mueller reflected on it well:

What about the crux of the article, that Apple is working on a shared UI framework between iOS and MacOS? I wouldn’t find it surprising. I could also see it being written completely in Swift (though personally I’d rather it be in Obj-C for maximum interop with existing frameworks).

But history is filled with cross platform UIs and write once run anywhere dreams. None of them turned out insanely great.

John Gruber corrected the latter sentence:

My only quibble with Mueller’s piece is that “None of them turned out insanely great” is way too generous a description of write-once/run-anywhere application frameworks. Most of them are terrible; none of them are good. Or at least none of them are good from the perspective of what makes truly native Mac and iOS apps good — which isn’t everyone’s perspective, but is certainly Apple’s.

Then, in a discussion on Rene Ritchie’s Vector podcast, Gruber said:

We don’t know if it’s good news or bad news. Bad news would be literally just like being able to run the equivalent of what you see in the iOS simulator. Just have a little rectangle shape of an iPhone or an iPad that runs in a window. Every click is like a simulated touch, and that’s it.

Anybody who’s ever tried running an app, like an iPhone app, in the Xcode simulator, it’s a great feature for debugging, but it’s horrible for using. It’s because it just doesn’t mesh with the mouse-and-keyboard paradigm of the Mac. It never feels right to do that.

In a gradient of garbage-to-great, that’s at the rotten end of the scale: a Mac app that’s a simulated iOS app — one that feels like it’s simply running on the wrong platform.

The best possible iteration of shared code between iOS and Mac apps is something that would be invisible to users. It would feel entirely native when running on either platform: an NSButton becomes a UIButton on iOS, for example; perhaps a UISplitViewController turns into an NSSplitView on MacOS. Save and open commands trigger the iOS equivalents instead of MacOS sheets. Stuff like that. It should be something that makes life easier for developers building cross-platform apps, and which users simply do not see any more than whether an app is built with Objective-C or Swift.

On the Mac side, especially, that means building software that adheres to well-established platform expectations. Becky Hansmeyer published a terrific and lengthy list, and I’ve excerpted a few items from it here:

  • Touch Bar support

  • Contextual menus

  • Tooltips

  • Multiple windows

  • File system access

  • Scroll bar elasticity

  • Drag and drop support

These — and many others — are the ingredients that make a true Mac app. But there’s something not on Hansmeyer’s list that I think is just as important, which is the feel of an app. That is: an app could, theoretically, support all of the ingredients on Hansmeyer’s list and still not feel like a Mac app — though I can’t think of an app off the top of my head like that. It is likely that you may find an app that somehow doesn’t feel right on MacOS and only then discover that it’s missing one or more of the features on this list.

The inverse can also be true and, I think, is more likely: an app may be missing a few of the things on Hansmeyer’s list, but it may still have that feeling of a good Mac app. Cultured Code’s Things, for example, doesn’t really allow user interaction with the file system, but it has long felt like the most polished todo app for the Mac. Aperture still feels like more of a Mac app than Lightroom ever will. All of Panic’s Mac apps feel like the best possible iteration of an app for the genres in which they reside.

A cross-platform framework must somehow preserve this Mac-specific quality for MacOS apps, even if the underlying code is shared with an iOS version. Each version of an app should be completely correct on each platform, even if they have shared code. To make an odd comparison, it’s sort of like tea. Now, I’m not a big tea drinker but, as best as I understand it, white, green, and black tea all come from the exact same plant. The differences in colour and flavour are based on when the tea is picked and how long it is aged, but it’s still the same leaf. Ideally, that’s what cross-platform apps are: individual, but with shared origins.

The first four apps that Apple has brought to end users based on their UIKit-for-Mac framework are nothing like this ideal. At their absolute best, they are passably lazy ports of their iOS equivalents; at their worst, as with Home, they sit comfortably near the ass-end of that garbage-to-great scale.

Actually, that’s a little unfair of me. Home, on my Mac, shows exactly the same inescapable error as it does on iOS. I cannot fully judge it. However, screenshots of the app in Andrew Cunningham’s review of Mojave clearly display an iOS app in a MacOS window frame, right down to the spinning “tumbler”-style picker controls. Its full screen view is completely hilarious.

The other three apps Apple has ported from iOS so far — Stocks, News, and Voice Memos — are slightly better, but not by much. They are, quite literally, scaled up and then scaled back down iOS apps, with a handful of MacOS-converted controls. The scaling is noticeable, particularly in text and fine-lined graphics like sharing icons; it looks cut-rate and sloppy. Touch Bar support is reportedly non-existent. These apps do not look or feel at all like real Mac apps. Recall that Notes and Reminders were brought to the Mac in Mountain Lion after being on iOS for years: both look like their iOS counterparts, but fit reasonably well in the MacOS environment — Notes far more than Reminders. Or look at Photos for a more robust and capable app that started life on iOS.¹

But that’s not what was shipped in the public version of Mojave. I didn’t want to complain about the state of these apps prior to release because I didn’t think that was fair — plenty of bugs were fixed as the release date drew nearer. Unfortunately, they didn’t become any more Mac-like. That would be fine if these were one-offs, but Apple is planning on releasing this framework to developers just next year, and the initial results are not promising. They remind me of the janky apps you’ll find at the top of the free chart in the Games section of the Mac App Store. I worry that this will be increasingly common now that directly porting an app from iOS is something that is seemingly officially sanctioned, and I’m not the only one. These apps are not ready.

Or, here’s an even worse situation: maybe Apple does consider these apps ready. Surely they figured they were good enough to bundle preinstalled in the latest public update to MacOS. Are these the model apps for third-party developers to aspire to when they get to start porting their apps next year? I certainly hope not.

To be completely fair to the engineers who clearly worked hard on this framework, cross-platform porting probably does represent the future of a segment of Mac apps, unfortunately, and these particular examples are absolutely functional. But they’re still pretty much just tech demos — proofs of concept. Maybe these apps were shipped to an impossible deadline. I’ll tell you who I absolutely feel bad for, though: all of the hardware engineers who worked tirelessly to cram bright, high-resolution, and battery-friendly displays into Apple’s notebook lineup, only to see them draw a bunch of blurry text and horribly-scaled graphics.

Whatever the case, the fact is that these apps have now shipped, and they’re awful examples for the rest of the developer community to follow next year. Maybe — hopefully — this framework will become far more robust and closer to the ideal or, perhaps, start something new. I dread the possibility of a day a few years from now where we must navigate Mac apps this poor the way we do for Electron apps today and Java apps a decade ago. This piece is not about that future, though; it’s about today and the four apps brand new to the Mac. They are no good.

  1. Photos even implemented something like a rudimentary version of this cross-platform framework by way of UXKit. Whether that was part of the same development track or parts of it made their way into the framework that will be released to developers, I don’t know.

Facebook Is Allowing Ad Targeting Based on Contact Information You Have No Control Over

Kashmir Hill of Gizmodo, reporting on a new paper (PDF) by Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove:

You might assume that you could go to your Facebook profile and look at your “contact and basic info” page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it’s going about it in a less transparent and more invasive way.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

Facebook denied to Hill last year that they allowed targeting based on this information; after this paper was published, they admitted to doing so.

Even by Facebook’s low standards, this is exceptionally unethical: you haven’t given them permission to use this information; someone you know or someone you purchased products from has done that for you, probably with consent buried in an opaque privacy policy. There’s no way to opt out. And there are few-to-no regulations governing this.

Safari’s “Siri Suggested” Search Results Highlighted Conspiracy Sites

Charlie Warzel, Buzzfeed:

Apple’s Safari, one of the internet’s most popular web browsers, has been surfacing debunked conspiracies, shock videos, and false information via its “Siri Suggested Websites” feature. Such results raise questions about the company’s ability to monitor for low-quality information, and provide another example of the problems platforms run into when relying on algorithms to police the internet.

This isn’t a case where Google-suggested autocompletions are finding their way into Safari; I see the same results as Warzel and I have DuckDuckGo as my Safari search engine. This is just as toxic as Google suggesting the wrong voter registration dates or stating a bunk answer for who invented email — something they’re still doing, by the way.

Unfortunately, while Google provides a small “feedback” button for users to report problematic results, Apple’s procedure is, well, much worse:

“Siri Suggested Websites come from content on the web and we provide curation to help avoid inappropriate sites. We also remove any inappropriate suggestions whenever we become aware of them, as we have with these. We will continue to work to provide high-quality results and users can email results they feel are inappropriate to applebot@apple.com.”

It’s pretty quaint that a trillion-dollar company suggests you report problems to them by sending a direct email — to an address that, for what it’s worth, I did not know existed. As of writing, DuckDuckGo returns no results for it, while Google’s results almost entirely consist of answers that contain “applebot.apple.com”. There is one mention of that address on Apple’s website in this sole knowledgebase article.¹

  1. By the way, I’m disappointed with the search results from both search engines. DuckDuckGo failed to find an Apple knowledgebase article containing my exact query on freakin’ Apple dot com, while Google flat-out disobeyed my use of quotation marks and suggested a bunch of stuff that is explicitly not what I was looking for.

Instagram’s Co-Founders Are Leaving Amid Frustrations With Facebook

Mike Isaac of the New York Times got the scoop:

Kevin Systrom and Mike Krieger, the co-founders of the photo-sharing app Instagram, have resigned and plan to leave the company in the coming weeks, adding to the challenges facing Instagram’s parent company, Facebook.

Mr. Systrom, Instagram’s chief executive, and Mr. Krieger, the chief technical officer, notified Instagram’s leadership team and Facebook on Monday of their decision to leave, said people with direct knowledge of the matter, who spoke on condition of anonymity because they were not authorized to discuss the matter publicly.

Mr. Systrom and Mr. Krieger did not give a reason for stepping down, according to the people, but said they planned to take time off after leaving Instagram. Mr. Systrom, 34, and Mr. Krieger, 32, have known each other since 2010, when they met and transformed a software project built by Mr. Systrom into what eventually became Instagram, which now has more than one billion users.

Kurt Wagner, Recode:

Instagram co-founders Kevin Systrom and Mike Krieger are resigning from the company they built amid frustration and agitation with Facebook CEO Mark Zuckerberg’s increased meddling and control over Instagram, according to sources.


It’s not uncommon for founders to leave after selling their company. But Systrom and Krieger stayed longer than many would have guessed, and remained influential throughout their tenure. Systrom was the product visionary and was hands-on even after bringing in other product execs to do more of the day-to-day execution.

Krieger, meanwhile, was actively running Instagram’s engineering team, and was seen by many internally as the company’s “heart and soul.”

Instagram has been one of the few apps you could hold up as an example that being acquired by a massive and deeply unethical company might not necessarily be ruinous. Under Facebook, Instagram launched a reasonably complete website version, underwent a major rebrand, and added bookmarking, a better “Explore” tab that is a genuine improvement over the old search function, more tasteful filters, way better editing tools, and lots more. It has resisted a Facebook-ization; at its core, it still feels like Instagram.

But, now, I’m worried. The kinds of — ugh — growth hacking techniques that Facebook likes in its own apps are surely just around the corner. I don’t think that the Instagram many of us have stuck with and generally like is here for much longer.

Ars Technica’s Review of MacOS 10.14 Mojave

Andrew Cunningham continues John Siracusa’s tradition of publishing the best reviews of MacOS updates. This year’s is well worth reading because, in addition to obvious visual changes in MacOS Mojave, there are plenty of non-obvious but more consequential updates below the surface:

Mac OS X began life as a 32-bit operating system, but a slow, steady transition to 64-bit hardware and software has been happening for over 15 years. Today’s Macs — and any Mac running Mojave or any version of the operating system going all the way back to Mountain Lion — have been all-64-bit, barring a handful of first-party apps and background services and a steadily shrinking list of third-party apps. Still, 32-bit apps run just as well as they did when Snow Leopard shipped on 32-bit Intel Macs back in 2006.

That doesn’t change in Mojave, but this is the last version of macOS that will run those 32-bit apps at all.

There are also plenty of updates to the security and privacy features introduced in MacOS over the past few years:

[…] In High Sierra, Gatekeeper controls access to Location Services, Contacts, Calendars, Reminders, and Photos — any app that wants access to any of that data needs to ask for it and be granted permission first, and the app should fail over gracefully (i.e. not crash) when that permission is denied.

In Mojave, that access control extends to several other areas: access to Mail, Messages, Safari browsing data, HTTP cookies, call history, iTunes device backups, and Time Machine backups all require permission now. And like in iOS, macOS apps now need to ask permission to use any webcam or microphone attached to the system (Apple says this includes the built-in hardware plus any device that uses macOS’ default drivers, which covered both my Logitech C920 webcam and Scarlett Solo USB audio interface).

These changes have not been easy in certain specialized cases; but, for average users — and bugs aside — they ought to be worthwhile protection.

I’ve been using MacOS Mojave about 50% of the time since July, and full-time for over a week. Generally speaking, it’s an excellent update: the new Desktop Stacks feature is brilliant and everything Stacks should have been in the first place; the enhanced iPad-inspired Dock is terrific; and the entire system feels rock solid and even a little faster. I’m not necessarily saying you should upgrade right away, but I, personally, did not have the same feeling of trepidation as the past couple of MacOS updates.

Update: One thing I forgot to mention is in regards to the new autofilling two-factor authentication code behaviour, similar to that which is in iOS 12. Here’s how Cunningham describes it:

When you receive two-factor authentication codes via SMS (and when you’ve got your iPhone configured to forward SMS messages to your Mac), Mojave will offer to insert those codes for you in Safari or any other app updated to target Mojave.

Unfortunately, Apple’s own two-factor authentication codes do not autofill because they are not sent over SMS.

Matt Birchler’s Review of WatchOS 5

I don’t think anyone does WatchOS reviews as well as Matt Birchler, and this year’s is no exception. I’ve been running the beta all summer, because I am a demonstrably stupid person, and I learned a few of the more hidden updates to WatchOS in Birchler’s review. For example, the Siri watch face now supports automatic sports alerts:

This is kind of a weird one, but I’m happy to see cards about my favorite sports teams appear on the Siri watch face. It’s weird because your favorite teams are set up in the…TV app. You’d think this might be in the main settings app or something, but yeah, any teams you have set as favorites in the TV app will show on your Siri watch face when they have games going on.

So, to recap: Apple’s house-brand TV shows are available in Apple Music, and Apple Watch alerts for sports are set up in the TV app on your iPhone.

My favourite new feature in WatchOS 5 is probably automatic workout detection. Birchler:

Usually it just takes a few minutes of working out for it to notice that you’re doing something and present the notification. The good news is that it gives you credit for the entire workout, not just from when you confirm you are indeed working out. So when it asks you 5 minutes into a run if you are indeed in a workout, you get credit for the time, distance, and calories burned for those 5 minutes. It’s pretty slick.

The sensitivity of workout detection has been fine-tuned throughout different builds and I think Apple hit a sweet spot by the time WatchOS 5 shipped. Every so often, it doesn’t detect my twenty minute walk to or from work until I’m about halfway, but it doesn’t matter because it typically gives me credit for most of that journey. However, I’ve found it’s not always terrifically accurate at figuring out what kind of workout I’m doing: instead of an outdoor walk, it often thinks I’m running and, a couple of days ago, it thought I was using an elliptical machine.

Updating an Apple Watch is still a gigantic pain in the ass — though the overnight update mechanism, new in WatchOS 5, does help with that — but it’s totally worth it for this version of the software. If you haven’t updated yet, I strongly suggest you do. Apple is homing in on what the Watch is good at, and making it truly excel in those areas.

A Look at How the New Fire, Water, and Vapour Apple Watch Faces Were Made

There aren’t many companies that would construct enormous scaled-up shells of a product to create custom videos specifically for it. Also, consider that each of these effects had to be created a second time with a different model, because these faces behave completely differently on pre-Series 4 watches. It looks like there’s an older-model Apple Watch rig at about twenty-five seconds into this video.

Joint CBC and Toronto Star Investigation Finds Ticketmaster Complicit in Ticket Scalping

Dave Seglins, Rachel Houlihan, and Laura Clementson, CBC News:

In July, the news outlets sent a pair of reporters undercover to Ticket Summit 2018, a ticketing and live entertainment convention at Caesars Palace in Las Vegas.

Posing as scalpers and equipped with hidden cameras, the journalists were pitched on Ticketmaster’s professional reseller program.

Company representatives told them Ticketmaster’s resale division turns a blind eye to scalpers who use ticket-buying bots and fake identities to snatch up tickets and then resell them on the site for inflated prices. Those pricey resale tickets include extra fees for Ticketmaster.

“I have brokers that have literally a couple of hundred accounts,” one sales representative said. “It’s not something that we look at or report.”

Not only does Ticketmaster ignore scalpers’ tactics, this report reveals that the company effectively encourages them to exploit potential buyers with its TradeDesk software. The software’s description in the App Store indicates that it’s built for high-volume resellers, with features like bulk price adjustments and large-scale inventory management.

This is why Ticketmaster does such a terrible job at stopping automated purchases: the fee that they get from direct sales is large, but the commission they get from the reseller platforms that they own is extraordinary. Meanwhile, artists get none of the markup, their fans get bilked into paying obscene ticket prices, and Live Nation — Ticketmaster’s parent company — has a near-monopoly on large-scale tours, events, and venues. That’s not right.

Alternative Influence

Here’s a fascinating new report (PDF) by Rebecca Lewis. From its executive summary:

This report presents data from approximately 65 political influencers across 81 channels. This network is connected through a dense system of guest appearances, mixing content from a variety of ideologies. This cross-promotion of ideas forms a broader “reactionary” position: a general opposition to feminism, social justice, or left-wing politics.


When viewers engage with this content, it is framed as lighthearted, entertaining, rebellious, and fun. This fundamentally obscures the impact that issues have on vulnerable and underrepresented populations — the LGBTQ community, women, immigrants, and people of color. And in many ways, YouTube is built to incentivize this behavior. The platform needs to not only assess what channels say in their content, but also who they host and what their guests say. In a media environment consisting of networked influencers, YouTube must respond with policies that account for influence and amplification, as well as social networks.

When I was in elementary and junior high during the early days of the World Wide Web, I was reminded regularly not to trust poorly-sourced or single-sourced information I found on the web. The situation now is completely different: these videos feature ostensibly intelligent and well-sourced individuals interviewed in a slick style aping that of legitimate news shows.

Similarly, earlier this month, Chris Hayes started a short thread on Twitter about how a simple query about the Federal Reserve quickly leads YouTube viewers down a conspiratorial tunnel.

John Gruber’s Review of the iPhones XS

Many of the iPhone XS reviews I’ve read today have repeated effectively the same thing: it’s an “S” year; this is an incremental update; the big one is really big. Well, yeah.

But John Gruber has, as usual, the best review of the new iPhones — largely because of his explanation of why the new camera system is so different despite seemingly-identical tech specs. And, as a bonus, it includes new information:

[…] I checked, and Apple confirmed that the iPhone XS wide-angle sensor is in fact 32 percent larger. That the pixels on the sensor are deeper, too, is what allows this sensor to gather 50 percent more light. This exemplifies why more “megapixels” are not necessarily better. One way to make a sensor bigger is to add more pixels. But what Apple’s done here is use the same number — 12 megapixels — and make the pixels themselves bigger. 12 megapixels are plenty — what phone cameras need are bigger pixels.

I think what makes this 32 percent increase in sensor size hard to believe, especially combined with a slightly longer lens, is that by necessity, this combination means the sensor must be further away from the lens. This basic necessity of moving the lens further from the sensor (or film) is why DSLRs are so big compared to a phone. But the iPhone XS is exactly the same thickness as the iPhone X, including the camera bump. (Apple doesn’t publish the bump thickness but I measured with precision calipers.) So somehow Apple managed not only to put a 32 percent larger sensor in the iPhone XS wide-angle camera, but also moved the sensor deeper into the body of the phone, further from the lens.

You can see the results of the bigger sensor and better HDR performance in Rafael Zeier’s comparison between the iPhone X and iPhone XS. Judging by the reviews I’ve seen so far, it looks like the result of that is, in part, more detail in images, though I’m not sure how much of that can be attributed solely to the larger sensor rather than to the sensor in combination with adjusted noise reduction. I bet you’ll get some killer RAW photos on this thing.

Many reviewers are advising readers to wait for the iPhone XR, coming next month. I totally get that — in part, because it’s much less expensive, but also because you’ll get nearly everything that the iPhone XS has. But one thing you won’t get is the telephoto camera. I’ve used that camera for probably half of the pictures I’ve taken on my iPhone X since I got it, and I don’t think I could go back to a single-camera phone. If I were upgrading this year, I’d go for the XS in a heartbeat — just because it has a telephoto camera. In fact, I’d be comfortable with a single-camera iPhone that only had an approximately 56mm-equivalent camera. But that’s just me.

Also, it looks like most, if not all, writers received gold review units. I’m not sure the saturated colour of the steel frame fits my taste, but the cream-coloured back is gorgeous.

A History of Infinite Loop Told in Anecdotes

With the move of Apple’s headquarters from the Infinite Loop campus to Apple Park, Steven Levy interviewed several current and former Apple employees — including high-ranking individuals like Tim Cook, Phil Schiller, Eddy Cue, and Scott Forstall — about their memories of Infinite Loop. This one’s pretty good:

[Tony Fadell]: When I arrived in 2001 [to lead the iPod project], it still felt like a campus that wasn’t filled. There were all these empty offices everywhere in every building. All of the furnishings and everything had not been updated since it opened.

Cook: It was an awful time. The stock crashed, it goes down by 60 to 70 percent. We get a call from Ted Waitt, founder of Gateway. He wants to talk about acquiring Apple. Steve and I went to a meeting with Waitt and their CEO, and it’s a different Steve. Very calm, listening to the comments they made, how they’d probably keep the Apple brand. I was sitting there feeling like my organs were being cut out. Then they said maybe they could come up with a role for Steve, and I’m thinking—he’s going to blow! He’s going to blow any minute! Then they start talking about price. And Steve looks at them—he could look at you with eyes that just penetrated your soul—and says, “Who do you think is worth more, Apple or Gateway?” The meeting lasted only two or three minutes more. And in a few weeks they had some accounting scandal, and their stock crashed.

It’s odd to reflect that many of the products that have defined Apple’s renaissance and Steve Jobs’ legacy were created at a campus that he had no part in designing and, according to this profile, he disliked. Now, Apple is based out of a campus that was his dream; yet, he’s not around to take advantage of it, or be a physical part of this chapter in the company’s legacy.

The MacStories Review of iOS 12

As has become a bit of a tradition around here, I have a review of iOS 12 coming; however, it won’t be out today. Turns out trying to find an apartment in Calgary right now is difficult and time consuming.

In the interim, please read Federico Viticci’s excellent deep dive into iOS 12. It’s far more detailed than mine will ever be and, as the iOS automation expert, he’s uniquely gifted in explaining this update’s improvements to Siri and the new Shortcuts app.

Google China Prototype Links Searches to Phone Numbers

Ryan Gallagher, the Intercept:

Sources familiar with the project said that prototypes of the search engine linked the search app on a user’s Android smartphone with their phone number. This means individual people’s searches could be easily tracked – and any user seeking out information banned by the government could potentially be at risk of interrogation or detention if security agencies were to obtain the search records from Google.


Sources familiar with Dragonfly said the search platform also appeared to have been tailored to replace weather and air pollution data with information provided directly by an unnamed source in Beijing. The Chinese government has a record of manipulating details about pollution in the country’s cities. One Google source said the company had built a system, integrated as part of Dragonfly, that was “essentially hardcoded to force their [Chinese-provided] data.” The source raised concerns that the Dragonfly search system would be providing false pollution data that downplayed the amount of toxins in the air.

If this reporting is correct, there’s simply no other way to cut this: Google is exploring a deeper entry into the Chinese market by agreeing to assist in that government’s oppression and misinformation. I wonder how Google will respond the first time a report is released that implicates them in the imprisonment of an activist or a journalist in China, especially as it’s completely incongruous with their publicly-stated positions. It’s not a perfect comparison, but do you remember how “outraged” they were after reporting in the Washington Post implied that the NSA had a backdoor into their infrastructure? They responded by increasing their use of encryption within their own network over time.

Instead of fighting government surveillance, Google is apparently trying to be of assistance, and they’re dragging their employees into this mess. How many Google employees want to have such a toxic product on their resume? Apparently, several staffers, including senior engineers, have decided that this is too much to bear, and have consequently quit.

China is, of course, an enormous potential market for Google. By not being there, they’re leaving potentially billions of dollars of revenue on the table. However, they would also not be complicit in human rights abuses. How much is that worth? For a company with strict values and some semblance of ethics and morals, it should be a no-brainer.

Amassed Memories in Keychain Access

Earlier this year, I linked to a Twitter discussion started by Marcin Wichary about UIs that amass memories — consider, for example, your WiFi network connection history, or the “Open Recent” menu in applications you don’t use very often.

Anyway, I’m cleaning out my Keychain right now and it reminded me of this idea. I came across login items for websites I don’t visit any more, and accounts I created for a specific purpose long ago. But I also found my login details for websites that were a huge part of my online life for a long time and no longer exist, like dznr and FFFFOUND. I have real memories tied to many of these accounts — even tangible products, in some cases: I created a Club Monaco account to buy a pair of boots that I still wear, but I haven’t used the account since.

It’s striking how something as simple as a list of websites and user names can trigger a similar level of nostalgia as, for example, a photograph.

Goodbye, iPhone SE

Thomas Brand:

As someone who doesn’t value his cell phone as much as the next Apple nerd, the iPhone SE has been an important product for me because of its price. The iPhone SE kept me invested in the iOS ecosystem, and enabled me to purchase an Apple Watch without approaching the ~$700 iPhone ASP I normally attribute to laptop computers. Now that an updated iPhone SE is no longer an option, I am evaluating alternative cell phone platforms. I am sure I am not alone.

The smallest and cheapest iPhone that Apple now sells is the iPhone 7, which is a 4.7-inch device that fills out a typical pants pocket and starts at $449. But, as a two-year-old iPhone, it’s likely that it will support three more years’ worth of software updates (iOS 12 supports up to the five-year-old iPhone 5S). To be clear, that’s more than you can expect of practically any Android phone, but it’s also less than you might expect of an iPhone purchased today.

I’ve seen a lot of people on Twitter and across the web unhappy with the discontinuation of the iPhone SE. For a lot of people, it was a perfectly-sized device — the last one that many people could comfortably reach with their thumbs across the entire display without doing a little shimmy with their hand, and the last one with flattened sides that made it easier to hold for photos. The SE was a really good product, and it’s unfortunate that Apple has chosen to stop making it instead of releasing a successor. It’s one of the few bum notes from yesterday’s event, but it is perhaps the loudest.

Initial Thoughts on the iPhone XS, iPhone XR, and Apple Watch Series 4 Event

If you were paying attention to rumour blogs prior to today’s event, you knew the names of the products announced today as well as what the iPhone XS and new Watch looked like. Those were not surprises; yet, even so, today’s event managed to pack in a lot of big news.

First up, the Apple Watch Series 4, with a bigger display, richer faces, and — amazingly — an FDA-certified electrocardiogram on the sapphire and ceramic back, which now appears on all models.

There are also a bunch of new faces that they say “react uniquely with the curved edges of the case”. This is curious to me because the Apple Watch HIG and the overall design of WatchOS have generally created the impression that there is no boundary around the display. For instance, the “honeycomb” home screen treats app icons almost like bubbles that float against a black backdrop and aren’t cut off. Or, recall the way Jony Ive described, in its introductory video, that “you can’t determine a boundary between the physical object and the software”. Much like the notch on the iPhone, it appears that they’re embracing the limitations of the hardware, which feels more honest to me.

I remember having an initially negative reaction to the Apple Watch when it was introduced. Now that I have owned the product for a few years and Apple has made radical improvements to the software, though, it’s one of my favourite personal technology things that I own, but neither the Series 2 nor the Series 3 compelled me to upgrade. Based on what I’ve seen so far, I’m sold on this new one. It is to the Apple Watch what the iPhone 4 is to the history of that product: a culmination of several years of learning, and leaving everything else in the dust.

My only concern is with the electrocardiogram feature. It’s only going to be available in the United States — presumably for certification and regulation reasons — and Apple says that it won’t be enabled until later this year.

Then there’s the iPhone XS and XS Max. Both are a substantial upgrade from the iPhone X, but — more importantly, as most people probably don’t upgrade every year — a huge leap from the iPhone 7 and 7 Plus: a faster processor, better Face ID, better displays, dual SIM capabilities, better battery life, and better camera processing. The Max model should satisfy those who are aching for an even bigger variant with features specific to it, like split views in some apps.

Finally, they launched the iPhone XR, which is a fascinating product once you get past Apple’s naming foibles. Apart from Apple employees, nobody is actually going to pronounce it “ten-arr”; likewise, most people are probably going to say “excess” rather than “ten-ess”. Also, it turns out that the “R” — and “S”, for that matter, in “iPhone XS” — is neither uppercase nor lowercase but, rather, small caps, because Apple’s marketing team apparently hates everyone who writes about their products. They will be “XS” and “XR” here.

The XR sits at the bottom end of Apple’s pricing range; but, at 6.1 inches diagonally, it’s in the middle of the 5.8-inch iPhone XS and 6.5-inch iPhone XS Max. Its display is an LCD at 326 pixels per inch — exactly the same pixel density as the iPhone 8, and with very similar technical specifications.[1] However, its introduction means that Apple’s new iPhone lineup entirely follows the modern gesture-driven design language started by the iPhone X. Unlike the iPhone X and XS, it has some of the same software capabilities as iPhones with Plus- or, now, Max-sized displays, such as split screen in supported apps.

The iPhone XR also marks the first iPhone launched since the SE without 3D Touch. Instead, it has something they’re calling “Haptic Touch”, which appears to simply be haptic feedback triggered by long presses in certain 3D Touch-like contexts.[2]

I have complaints about that.

For a start, it’s confusing: there are maybe eight people on Earth who can adequately articulate the differences between Haptic Touch, 3D Touch, and Force Touch, which is still what Apple calls the display on the Apple Watch. In the keynote presentation, Phil Schiller compared it to the trackpad in the MacBook Pro, but that’s marketed as a Force Touch thing. I might be an idiot, but this is unfathomable.[3]

Second, it’s conceptually muddy. There seemed to be specific rules Apple was adhering to with their use of 3D Touch on past iPhones — it opens app menus on the home screen, for instance, or allows you to preview something in a list before opening it. But this indicates that there’s either no difference between a long press and a Force/3D/Haptic Touch press, or there’s no consistency in Apple’s application of it. If Apple doesn’t know what the standards should be, users can’t even begin to understand what they should be doing. I like 3D Touch a lot, but if Apple continues to be confused by their own technology after it has been on the market for three years, I don’t think they should keep it around.

Inside, it features the same A12 SoC as the iPhone XS and XS Max and has a similar wide angle camera, but it does not have a telephoto camera. Even so, it can apparently do the same Portrait Mode and three of the five Portrait Lighting effects.

Its body is made of aluminum, and it’s offered in six gorgeous colours. I’m looking forward to seeing these in person — the vibrant peach-like “Coral” colour, in particular, looks beautiful. I bet these will be hot sellers: they’re colourful, they have the gesture-driven design, and they start at $250 less than the XS. They don’t go on sale until next month, however.

There’s always a catch — in this case, there are three. This iPhone lineup no longer includes the headphone jack adaptor; all iPhones still come with a five-watt charger; and all iPhones still ship with only a USB-A cable instead of a USB-C cable. I don’t get it.

Apple also announced today that they will be updating the HomePod on Monday with multi-timer support, the ability to make phone calls, and the ability to use Siri Shortcuts.

While many of the announcements today were revealed early, one surprise is that there was absolutely no mention of the AirPower. There’s nothing about it on the new iPhone marketing pages, and John Gruber tweeted that nobody at Apple is talking about it. Something clearly went deeply wrong in its development and Apple seems to have no idea when — or if — it will be launched.

  1. Apple bills this display as a “Liquid Retina” display but, even after watching the keynote and reading all about it, I still have no idea what this means or what sets it apart. The only reason to give it a cool marketing name, that I can think of, is if it’s going to be used repeatedly. So, I expect to see references to a “Liquid Retina” display in upcoming iPad marketing materials as well.

  2. I also think we’ll see this “Haptic Touch” language used in new iPad marketing materials.

  3. Also, they call it “Haptic Touch” but it’s powered by the “Taptic Engine”. Gah.

European Parliament Gives Approval to Over-Broad Copyright Reform Bills

Natasha Lomas, TechCrunch:

The European Parliament has just voted to back controversial proposals to reform online copyright — including supporting an extension to cover snippets of publishers’ content (Article 11), and to make platforms that hold significant amounts of content liable for copyright violations by their users (Article 13).


BEUC, the European Consumer Organisation, also denounced the result of the plenary vote, warning that if the plans MEPs backed today become EU law the “benefits of the Internet for consumers will be at risk”.

“It is beyond comprehension that time and again EU policy makers refuse to bring copyright law into the 21st century. Consumers nowadays express themselves by sampling, creating and mixing music, videos and pictures, then sharing their creations online. MEPs have decided to thwart this freedom of expression which is dangerous for creativity and innovation,” said Monique Goyens, director general of BEUC, in a statement.

I understand the impetus for stricter adherence to copyright law by forcing platforms to be responsible for users’ uploads, but it’s hard to see how rights-holders will actually benefit from these new laws. A smarter way to update copyright law for the internet wouldn’t look like a giant filter between users and platforms, nor would it charge a fee for merely linking to or citing news stories.

However, this legislation isn’t the law yet:

While the parliament has now agreed its position on the reform the process is not yet over. There will be trilogue negotiations with Member State representatives, via the European Council, and a final vote — likely early next year.

If you live in the E.U., please call or write your local representative and urge them to find a way to make these reforms — since they are likely to pass — less stupid.

Release Types Now Organized Differently in Apple Music

A promising update on an issue surfaced earlier this year. Federico Viticci, MacStories:

While the old artist page design of Apple Music mixed albums, singles, EPs, live albums, and more under the same ‘Albums’ section, the new Apple Music features separate sections for different types of music releases. The new sections include singles and EPs, live albums, essential albums recommended by Apple Music editors, compilations, and appearances by an artist on other albums. As pictured above, Apple Music now also highlights an artist’s latest or upcoming release at the top of the page.

Separation between albums and other releases isn’t a new idea. Beats Music, the streaming service Apple acquired in 2014 and subsequently relaunched as Apple Music in 2015, featured separate views for albums, EPs, and compilations. Three years after its relaunch, it appears Apple has implemented most of Beats Music’s organization of artist releases, which was arguably one of the original service’s most useful and innovative functionalities.

There’s an interesting little side story regarding this news and the last three Nine Inch Nails releases. All three are about half an hour long but, while the first two are classified as EPs — as you might expect for five-track sets — the most recent, released in June, is listed as an LP. The reason for that, according to NIN frontman Trent Reznor, is because streaming services treat EPs as “lesser” albums. Beats Music, which Reznor was heavily involved in the design of, used to do that, but Apple Music didn’t until just recently.

And, strangely, all three recent NIN releases are classified as “Albums” in Apple Music; in Spotify, the two EPs are buried as “Singles”.

EPs are often just as important to an artist’s repertoire as LPs. While I think separating them can be beneficial from a categorization perspective, I would hate to see an artist’s recent release buried just because it’s listed as an EP.


I’d still like to see better grouping options for different editions of the same album: while Beats Music used to group explicit, remastered, and re-issued albums under a single sub-section, these versions aren’t grouped by Apple Music yet.

While we’re at it, I would love to be able to hide clean releases across Apple Music, and have Siri default to the explicit — read: canonical — version of any request.

A Profile of Mark Zuckerberg

This is a long profile by Evan Osnos in the New Yorker and, while it paints a well-researched vignette of Zuckerberg, it’s also confirmation of what you had already probably seen or expected. For example, it catalogues Facebook’s internal belief that if they launch a new feature that has negative reactions, users will eventually come around, even on issues of privacy — the withdrawal of Beacon being one notable exception where user feedback was actually listened to. And on the Alex Jones debacle:

Facebook relented, somewhat. On July 27th, it took down four of Jones’s videos and suspended him for a month. But public pressure did not let up. On August 5th, the dam broke after Apple, saying that the company “does not tolerate hate speech,” stopped distributing five podcasts associated with Jones. Facebook shut down four of Jones’s pages for “repeatedly” violating rules against hate speech and bullying. I asked Zuckerberg why Facebook had wavered in its handling of the situation. He was prickly about the suggestion: “I don’t believe that it is the right thing to ban a person for saying something that is factually incorrect.”

Jones seemed a lot more than factually incorrect, I said.

“O.K., but I think the facts here are pretty clear,” he said, homing in. “The initial questions were around misinformation.” He added, “We don’t take it down and ban people unless it’s directly inciting violence.” He told me that, after Jones was reduced, more complaints about him flooded in, alerting Facebook to older posts, and that the company was debating what to do when Apple announced its ban. Zuckerberg said, “When they moved, it was, like, O.K., we shouldn’t just be sitting on this content and these enforcement decisions. We should move on what we know violates the policy. We need to make a decision now.”

This confirms reporting by Charlie Warzel and Dylan Byers that Apple’s decision was the impetus for Facebook, among other companies, to make a move. Last week, Apple also banned Jones’ company from the App Store. “De-platforming” — as it is known — works, and it’s a decision that Apple, Facebook, and other companies should have made a long time ago.

This irks me:

For many years, Zuckerberg ended Facebook meetings with the half-joking exhortation “Domination!” Although he eventually stopped doing this (in European legal systems, “dominance” refers to corporate monopoly), his discomfort with losing is undimmed. A few years ago, he played Scrabble on a corporate jet with a friend’s daughter, who was in high school at the time. She won. Before they played a second game, he wrote a simple computer program that would look up his letters in the dictionary so that he could choose from all possible words. Zuckerberg’s program had a narrow lead when the flight landed. The girl told me, “During the game in which I was playing the program, everyone around us was taking sides: Team Human and Team Machine.”

I’m a hundred percent sure this was done in good fun. Nevertheless, it reminds me of something that has been rattling around in my head for a while. I’m a competitive person and I want to win at board games; but, I also want to have fun. I like playing with people who also make an effort to win, because it challenges me. Even when I know I’m going to lose, I still have a great time. But I dislike playing with people who need to win. They’re the kind of people who deliberately block all your routes in Ticket to Ride, or buy up one of every property colour in Monopoly. It’s not wrong to do those things, but it doesn’t actually make the game any good. People who have a problem with losing or being wrong sometimes are, generally speaking, destructive assholes.

Rhett Jones, Gizmodo:

The New Yorker can spill thousands of words probing Zuckerberg’s psyche and speaking to colleagues about how he’s growing in his unprecedented role of social media Pope to 2.2 billion users, but it’s still the same Zuckerberg who would apparently rather think about scaling and “community” than real-world consequences his company might be involved in.

Facebook has been aware of its role in violence and ethnic cleansing in Myanmar since at least 2014. It entered a market that it knew little about, where traditional media to inform the public was extremely limited, and found that it had built the perfect weapon for organizing mob violence and propaganda. We’ve seen similar situations in Sri Lanka, Libya, the Philippines, and India. One Sri Lankan official characterized the situation to the New York Times, “The germs are ours, but Facebook is the wind.”

But Zuckerberg keeps repeating the same talking points about being “slow” to recognize the problem and how it’s going to take time to fix it. He told the New Yorker that he plans to have 100 people working on translating and moderation in Myanmar by the end of the year. The fact that a company can connect 2 billion people in a little over a decade but can’t hire 100 people over the course of a few years is telling. But the real issue is scale, and the inability of current technology to keep up with that scale.

Facebook can’t play dumb here. According to Osnos’ profile, the “growth” team was the most celebrated and admired inside the company, and their goals were the company’s goals. If they wanted to “dominate” — as Zuckerberg half-jokingly closed every meeting with — they have no excuse for being bad at it when they actually started to do so, and continuing to be terrible years later.

Purported Security Apps in the Mac App Store Found to Be Stealing User Data

Thomas Reed of Malwarebytes, with a small collection of apps available on the Mac App Store that exfiltrate user data:

It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes. This is not new information, but these issues reveal a depth to the problem that most people are unaware of.

We’ve reported software like this to Apple for years, via a variety of channels, and there is rarely any immediate effect. In some cases, we’ve seen offending apps removed quickly, although sometimes those same apps have come back quickly (as was the case with Adware Doctor). In other cases, it has taken as long as six months for a reported app to be removed.

In many cases, apps that we have reported are still in the store.

These are exactly the kinds of things I expect the app review process should catch before apps like these and the aforementioned Adware Doctor make it into the store. The Mac App Store should, if nothing else, be a place for any user to find safe software. Ideally, it’s also one with high-quality, useful, top-tier apps, but security and privacy ought to be the baseline.

(Thanks to Anthony Reimer.)

“Does Anyone’s Ideal World Have Social Media?”

Lauren Oyler in the Baffler:

There’s an argument to be made about social media as a force for political mobilization — or, say, making friends, whom I may speak to multiple times a week but see only two or three times a year, if ever; research shows shared hatreds are more binding than shared interests — but first I’d like to talk a little bit more about myself. When I wake up every morning I look at my phone to see what has transpired in the night, the final waking moment of which is usually the last time I looked at my phone. This is bad for my sleep cycle, I know, and for the nerves in my hands — I refuse to get one of those knobs you can put on the back of your phone to make it easier to hold, which I see as not just admitting I have a problem but resigning myself to it, as well as broadcasting to strangers who see me using my phone in public that I am a Phone Person (worse: a Phone Woman) — but more important, it is just bad. What I dislike about my life are not the facts of it but its texture, the false tension and paranoia and twitchiness. I exist in a state of “might always be checking something,” and along with being unpleasant, it’s embarrassing.

The sentence I quoted for this link’s title comes in the last paragraph of this essay, but it’s not exactly in the context you might expect from an essay questioning the substantive value of constant connection. It’s very good.

Apple Removes Adware Doctor From Mac App Store for Covertly Sharing User Browser History

Nicole Nguyen, Buzzfeed:

[Security researcher Patrick Wardle], who shared his findings with TechCrunch, found that Adware Doctor requested access to users’ home directory and files — not unusual for an anti-malware or adware app that scans computers for malicious code — and used that access to collect Chrome, Safari, and Firefox browsing history, and recent App Store searches. The data is then zipped in a file called “history.zip” and sent to a server based in China via “adscan.yelabapp.com.” Two independent security researchers confirmed to Motherboard that Wardle’s report was accurate.

In his blog post, Wardle noted, “The fact that application has been surreptitiously exfiltrating users’ browsing history, possibly for years, is, to put it mildly, rather f#@&’d up!”

Security researcher Privacy 1st tweeted that they initially contacted Apple about the Adware Doctor issue on Aug. 12.

One of the theoretical advantages of the Mac App Store — or any app marketplace with a review process — is that spyware like this could be caught before it is published. Yet Adware Doctor has been in the Mac App Store for years and it could have been pilfering user data for any amount of that time. Apple was even notified about it last month, but it was not removed until today. Either Apple dropped the ball hard here, or there’s something missing to explain why it was apparently not a high priority investigation.

For Second Time in Three Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records

Brian Krebs:

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.

Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.

This kind of software is pretty gross to begin with. I’m not a parent, so I might be completely off-base here, but it seems to me that there’s an extraordinary amount of risk that is assumed in collecting everything your kid does relative to the actual benefits you might get out of doing so. Spying on your partner — or, potentially, employees — seems completely unethical.


Shah said when he tried to alert mSpy of his findings, the company’s support personnel ignored him.

“I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,” Shah said.

KrebsOnSecurity alerted mSpy about the exposed database on Aug. 30. This morning I received an email from mSpy’s chief security officer, who gave only his first name, “Andrew.”

This is a chickenshit response. Regardless of the ethical implications of mSpy’s spyware, a report of a security breach should be treated with more gravity than this. Why wouldn’t they prioritize this? Are they so afraid of making mistakes that they evade acknowledging, fixing, or apologizing for them?

In general, it is appalling to me the lengths that individuals and organizations alike will go to in order to cover up or hide from a mistake or a controversy. If you have any integrity whatsoever, you own your values and your actions. If they are seen as problematic, you try to understand why. If you want to stand by those actions, you should be able to produce evidence for your defence. But change can also be cathartic for everyone involved. There is no honour or benefit in trying to hide from actions that are being questioned.

Shooting and Editing Photos With Halide and Darkroom

The editors over at the Sweet Setup asked me to write a short piece on taking pictures with Halide and editing them in Darkroom. It’s the first thing I’ve written in which I specifically recommend not trespassing, so I think it’s worth reading for those curious about jumping beyond the built-in Camera and Photos apps for shooting and editing.

Google Purchased Bulk Transaction Data from Mastercard to Link Online Ads and Offline Purchases

Mark Bergen and Jennifer Surane, Bloomberg:

Alphabet Inc.’s Google and Mastercard Inc. brokered a business partnership during about four years of negotiations, according to four people with knowledge of the deal, three of whom worked on it directly. The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant’s strategy to fortify its primary business against onslaughts from Amazon.com Inc. and others.


Through this test program, Google can anonymously match these existing user profiles to purchases made in physical stores. The result is powerful: Google knows that people clicked on ads and can now tell advertisers that this activity led to actual store sales.

Google is testing the data service with a “small group” of advertisers in the U.S., according to a spokeswoman. With it, marketers see aggregate sales figures and estimates of how many they can attribute to Google ads — but they don’t see a shopper’s personal information, how much they spend or what exactly they buy. The tests are only available for retailers, not the companies that make the items sold inside stores, the spokeswoman said. The service only applies to its search and shopping ads, she said.

This appears to be part of the data set that the Washington Post previously reported was being used to attribute purchases to ads.

Initially, Google devised its own solution, a mobile payments service first called Google Wallet. Part of the original goal was to tie clicks on ads to purchases in physical stores, according to someone who worked on the product. But adoption never took off, so Google began looking for allies. A spokeswoman said its payments service was never used for ads measurement.

Since 2014, Google has flagged for advertisers when someone who clicked an ad visits a physical store, using the Location History feature in Google Maps. Still, the advertiser didn’t know if the shopper made a purchase. So Google added more. A tool, introduced the following year, let advertisers upload email addresses of customers they’ve collected into Google’s ad-buying system, which then encrypted them. Additionally, Google layered on inputs from third-party data brokers, such as Experian Plc and Acxiom Corp., which draw in demographic and financial information for marketers.

This entire program — but particularly these two paragraphs — indicates so much about how all of these companies view the consumer landscape. The solution to not-quite-precise-enough numbers has been to collect more data, and the response to privacy concerns is to fuzz that data a little bit when it’s shared between companies. Based on the actions the surveillance capitalism industry has taken, they have not chosen the correct response of collecting less data.

It is worth noting that privacy was one of Apple’s goals for the design of Apple Pay. According to this Bloomberg report, the complete opposite was true of Google Wallet. As much as we view decisions by any companies as financially-motivated, we should remember to also think of Google’s moves — and those of credit card companies, data brokers, and so forth — as inherently creepy, invasive, and also likely not in the best interests of consumers.