Written by Nick Heer.

Archive for October, 2017

A Workaround for Broken Media Keys in High Sierra

In previous versions of MacOS, media keys would control whatever audio- or video-specific app was most recently foregrounded. If you launched iTunes, say, and then played some songs in the background, they would control iTunes; if you switched to Spotify and then put that in the background, the keys would automatically control Spotify instead. The keys would also work with QuickTime, VLC, and other media apps, but they never controlled playback in web apps like Netflix or YouTube, and that probably irritated some people very much.

In High Sierra, Apple has resolved this — web apps that play media now get the same priority as native apps. And that’s fine and well.

The problem is that there’s a bug where media keys simply stop working altogether. I’ve seen all sorts of tips: quitting Chrome might help, quitting Slack might help because it’s effectively a Chrome browser, quitting Safari might help, and making sure no tabs are open with embedded media. But these tips are ridiculous, and if iTunes or Spotify are presently playing audio when I press a key, it’s a no-brainer what I’m trying to control. I’ve dumped the Console output on Pastebin for those who are curious.

Anyway, I got fed up with this tonight so I started poking around for a solution and stumbled across a tiny menu bar utility by Milan Toth. It doesn’t support the Touch Bar and it seems to only work for iTunes and Spotify, but this is pretty much perfect for my needs.

One small worry is that it is unsigned, so High Sierra throws a hissy fit if you try to run it. Toth has open-sourced the app so if you’re worried about it, you can review the code. You can also easily compile and sign it yourself, which is what I did for my copy. I’m thrilled that my media keys now behave as I expect them to, but I’m once again dismayed that there’s yet another problem with an input mechanism for MacOS.

The Pixel 2 XL Has a Really Crappy Display

By all accounts, Google’s new line of Pixel 2 smartphones sounds very impressive. They’re almost surely the best Android phones on the market. But the display in the Pixel 2 XL is clearly terrible. Vlad Savov, the Verge:

Look at that New York Times icon in the image above. Stop flinching and really look at it, soak in the kaleidoscope of colors washing over it. Just to make sure we’re all on the same page, I’m seeing a haze of green in the middle of the gothic “T”, which then blooms into a red that eventually transitions into the white that the icon is supposed to be. But the fun isn’t over; when you get up real close, you’ll see the edges of the icon are all fringed by a sort of purply-red and, again, green. The neighboring heart icon, which is also supposed to be white, presents us with a crosshatch of red and green and white micropixels.

Does that look like 2017 to you?

In their review of the Pixel 2, Ars Technica posted a comparison of the same image shown on the regular Pixel 2’s Samsung-made display and the Pixel 2 XL’s LG-made display, and it’s plainly obvious that the XL’s display is horrible.

That makes this part of Savov’s article a little more than curious:

The Verge’s Creative Director James Bareham sides with Google on this, describing the Pixel 2 XL as the phone screen tuned most closely to professional displays: “it presents natural colors in terms of photos, but is a little dark,” he says. But here’s the real problem: James uses truly pro equipment that nobody is trying to sell to consumers; what he thinks of as accurate, what might technically be accurate, is not what the majority of us see on most of the devices we use.

I don’t buy that for a second. DisplayMate hasn’t published results for the Pixel 2 yet or the iPhone 8, but they said last year that the iPhone 7 was the most accurate phone display they had ever tested; this year, when set to the DCI-P3 colour gamut, they gave the Samsung Galaxy S8 a very high grade as well. Neither of those displays produces anything like the colour variation shown by the Pixel 2 XL. I sincerely doubt that a test would show that its display is better-calibrated than displays that don’t look wonky and are measurably very accurate.

Apple Posts Knowledgebase Article Advising the Deletion of Touch Bar Data Before Selling a MacBook Pro

I dunno — I guess it’s Apple Input Device Week around here. Zac Hall of 9to5Mac points to Apple’s knowledgebase:

First, start up from macOS Recovery: Hold down Command-R on your keyboard immediately after pressing the power button to turn on your Mac, or immediately after your Mac begins to restart.

When the macOS Utilities window appears, choose Utilities > Terminal in the menu bar. Type this command in Terminal:

xartutil --erase-all

According to Stephen Hackett, this command will wipe recorded fingerprints.

This isn’t a complicated command, but it does feel inelegant. You know how iOS has a button to “erase all content and settings” that you’re supposed to tap before you sell or exchange your iPhone? I feel like MacOS could use one of those, too: it would be great if you could boot into Recovery mode and then click one button to prepare your Mac for sale. It could erase Touch Bar data, remove encryption keys, and do its best to wipe data and make it unrecoverable. It’s a little thing, but the little things matter.

Queries From the Curious and Answers to Them

Jaime Fuller, writing in the Awl:

In 1908, there was no sparsely decorated webpage with a blinking cursor silently begging to answer every stupid question that had ever decided to staycation in your brain. So when New York Times reader F.S. Shaw wanted to know the heights of the Eiffel Tower and the Singer Building in order to settle a bet, his best option was sending a letter to the newspaper. When fellow subscriber David Levy was curious about the population of Salt Lake City, he did the same, as did the person who just wanted to know how Benedict Arnold’s descendants were doing. Eventually, the answers appeared in a column in the fashion and society section, forebear to the Sunday Styles, next to articles about the Long Branch dog show, the fine weather at Bar Harbor, and diatribes against the dearth of small hats this season. It was called “Queries from the Curious and Answers to Them.” It was mail-order Google for the exceptionally patient.

This is such a great story. As Fuller points out, there are still queries that aren’t well-suited to algorithmically-returned results. This seems to be a small obsession in the tech industry — Biz Stone’s ill-fated Jelly app was an experiment in crowd-sourced answers to questions, like Yahoo Answers without the Yahoo-ness. Those with a large-enough Twitter audience can also use that platform to answer questions in a timely manner. But none of these options are a match for having an expert research a specific question, particularly when the asker’s memory is just fuzzy enough for their question to be just too unsearchable.

Anyway, fantastic article. You should read it.

Key Press Latency of Popular Keyboards

Dan Luu tested a bunch of popular keyboard models and recorded their latency. Something that might surprise you: Apple’s Magic Keyboard, when connected over USB, had the fastest response time — albeit imperceptibly so in actual usage.

That goes to show that Apple can build great keyboards. They have, repeatedly. Apple’s trackpads are also widely considered to be the best in the industry. These products are fantastic from a technical perspective, an ergonomics perspective, and a longevity perspective. Their mice haven’t been praised to nearly the same extent, but I still think the Magic Mouse — at least — is a great product.

The latest batch of keyboards and the software that interprets input devices should be considered anomalies, but they are worrying ones.

Google’s Pixel Buds

Earlier this month, Google announced their wireless headphones. They’re $159, they look kinda cheap, they have a wire connecting them — so, wireless might be a little generous — and Google hasn’t announced when they’re actually being released. But the Pixel Buds have a really cool feature that blows me away. Valentina Palladino, Ars Technica:

But the most intriguing feature of the Pixel Buds is the integrated Google Translate feature. Demoed on stage at Google’s event today, this feature lets two Pixel Bud wearers chat in their native languages by translating conversations in real time. In the demo, a native English speaker and a native Swedish speaker had a conversation with each other, both using their native languages. Google Translate translated the languages for each user. There was barely any lag time in between the speaker saying a phrase and the Buds’ hearing those words and translating them into the appropriate language.

Watch Google’s demo of this feature and tell me that it doesn’t look like the future. It’s limited — both parties must be using Pixel Buds and, according to Nilay Patel, this feature only works when paired to the Google Pixel smartphone, so the likelihood that you’ll meet someone by chance who can use this feature is pretty remote — but even so, it’s impressive if this works as well in the real world as it does in Google’s demo.

Update: The Google Translate app seems to work even better than the Pixel Buds, and doesn’t require both parties to have a Pixel-specific hardware combination.

Dust and Tedium

Casey Johnston, the Outline:

I was in the Grand Central Station Apple Store for a third time in a year, watching a progress bar slowly creep across my computer’s black screen as my Genius multi-tasked helping another customer with her iPad. My computer was getting its third diagnostic test in 45 minutes. The problem was not that its logic board was failing, that its battery was dying, or that its camera didn’t respond. There were no mysteriously faulty innerworkings. It was the spacebar. It was broken. And not even physically broken — it still moved and acted normally. But every time I pressed it once, it spaced twice.

“Maybe it’s a piece of dust,” the Genius had offered. The previous times I’d been to the Apple Store for the same computer with the same problem — a misbehaving keyboard — Geniuses had said to me these exact same nonchalant words, and I had been stunned into silence, the first time because it seemed so improbable to blame such a core problem on such a small thing, and the second time because I couldn’t believe the first time I was hearing this line that it was not a fluke. But this time, the third time, I was ready. “Hold on,” I said. “If a single piece of dust lays the whole computer out, don’t you think that’s kind of a problem?”

Johnston’s keyboard isn’t an outlier: various people and organizations she spoke with have indicated that dust under the keys — in particular, under the spacebar — is a common affliction of the latest generation of Apple laptop keyboards. Apple provides instructions on how to remove dust, but they are ridiculous: you must hold your laptop in one hand at a recommended 75° angle and spray the keyboard with compressed air while rotating your computer in midair.

I do not baby my electronics, but I want them to last. These instructions seem like a fantastic way to shatter the display or destroy the case.

Stephen Hackett kept running into this problem, too, with his months-old MacBook Pro, and he followed Apple’s steps to clean it:

After a couple days of light usage, the problem got worse.

The bottom lip of the key began to flip up a little bit as the key tried sprinting back up after being depressed. Light was leaking around it, and eventually this happened:


One of the tiny arms that the key cap clips onto is broken. My nearly $2,000 laptop that I bought less than a year ago is now missing a key, as I shared with our Connected audience this weekend.

This is, frankly, inexcusable. I was already hesitating on upgrading from my five-year-old MacBook Air because this generation of MacBook Pros still seems like a work-in-progress; now, I will absolutely be waiting another generation to see if this problem gets fixed.

By the way, I know there will be some people suggesting that plenty of generations of Apple products have had their teething issues. I don’t deny that; the MacBook Pro was recalled for graphics issues, the first-generation iPod Nano scratched like crazy and the battery could overheat, and the unibody plastic MacBook’s bottom case peeled off.

But input devices should always — and I mean always — work, in hardware and in software. If a speck of dust affects the functionality of the most-used key because of an attribute inherent to the design of the keyboard, that’s a poor choice of keyboard design, especially for a portable computer.

On a related note, too, there’s an existing bug in recent versions of MacOS where key and cursor inputs are sometimes delayed. I notice the keyboard bug especially frequently in Messages when I haven’t switched to it for a while, and I experience delayed trackpad input often in Safari and in Photos. But it seems to persist throughout the system, and it is infuriating. I’m glad that apps on my Mac crash less frequently but I would genuinely rather have Safari crash on me as much as it used to than I would like to keep seeing problems with input mechanisms. I can choose a different web browser; I can’t choose a different way for MacOS to process my keystrokes.

Problems like these should not escape Cupertino.

Sketchy Mattress Review Websites

David Zax, in a must-read article for Fast Company, describes the litigation initiated by Casper against several mattress review websites:

On April 29, 2016, Casper filed lawsuits against the owners of Mattress Nerd, Sleep Sherpa, and Sleepopolis (that is, Derek), alleging false advertising and deceptive practices.

Mattress Nerd and Sleep Sherpa quickly settled their cases, and suddenly their negative Casper reviews disappeared from their sites, in what many onlookers speculated was a condition of the settlements. But by the end of 2016, when I started closely studying the lawsuits, Derek’s Casper review remained, defiantly, up on Sleepopolis. He was soldiering on in his legal battle with the mattress giant. People who knew him called Derek a fighter; one of his nicknames was “Halestorm.”

Casper had another way of referring to him. Derek was “part of a surreptitious economy of affiliate scam operators who have become the online versions of the same commission-hungry mattress salesmen that online mattress shoppers have sought to avoid,” Casper’s lawsuit alleged. The company complained that Derek was not forthright enough about his affiliate relationships, noting his disclosures were buried in a remote corner of his site. This did violate recently issued FTC guidelines, and Derek updated his site to comply.

This is a deeply disturbing piece. Derek Hales, the founder of Sleepopolis, was doing some shady things that seemed to be driven by the value of affiliate links more than his honest opinion of the mattresses. But Casper’s practices are even more suspect, beginning with this correspondence between CEO Phillip Krim and Jack Mitcham of Mattress Nerd:

In January 2015, Krim wrote Mitcham that while he supported objective reviews, “it pains us to see you (or anyone) recommend a competitor over us.”

Krim went on: “As you know, we are much bigger than our newly formed competitors. I am confident we can offer you a much bigger commercial relationship because of that. How would you ideally want to structure the affiliate relationship? And also, what can we do to help to grow your business?”


Krim then upped his offer, promising to boost Mitcham’s payouts from $50 to $60 per sale, and offering his readers a $40 coupon. “I think that will move sales a little more in your direction,” replied Mitcham on March 25, 2015. In the months that followed, Mattress Nerd would become one of Casper’s leading reviews site partners. (The emails surfaced due to another mattress lawsuit, GhostBed v. Krim; if similar correspondence exists with Derek Hales, it has not become public.)

It certainly sounds like Krim was, behind the scenes, financially incentivizing reviewers to push the Casper mattress. You’ll want to read Zax’s full article for the kicker to the Sleepopolis saga. It’s atrocious.

Update: I’ve been racking my brain all day trying to think about what the end of Zax’s story reminds me of:

“Hello!” ran the text beside the headshot. “My name is Dan Scalco and I’d like to personally welcome you to the brand new version of Sleepopolis. Here’s what’s up… On July 25th, 2017 our company acquired Sleepopolis.com …. Derek Hales and Samantha Hales are no longer associated with Sleepopolis.”

An italicized note added:

“In July 2017, a subsidiary of JAKK Media LLC acquired Sleepopolis.com. Casper provided financial support to allow JAKK Media to acquire Sleepopolis.”

David Carr, writing in the New York Times in 2014:

Last week, I read an interesting article about how smart hardware can allow users to browse anonymously and thus foil snooping from governments. I found it on what looked like a nifty new technology site called SugarString.

Oddly enough, while the article mentioned the need for privacy for folks like Chinese dissidents, it didn’t address the fact that Americans might want the same kind of protection.

There’s a reason for that, although not a very savory one. At the bottom of the piece, there was a graphic saying “Presented by Verizon” followed by some teeny type that said “This article was written by an author contracted by Verizon.”

SugarString writers were apparently prohibited from writing stories about net neutrality or the NSA’s spying activity — remember, this was in 2014, when both of those topics were especially concerning. So if you were going to SugarString for your tech news, you were highly misinformed. Likewise, if you were to visit Sleepopolis — owned by Casper — do you think you’d be getting a fair review of mattress buying options?

The reason I’ve been puzzled all day about this is because I’m nearly certain that there was a similar marketing-spun publication that was created by — I think — a mining or oil and gas company. I don’t think I’m making this up or misremembering it, so if you have any idea what I might be thinking about, let me know.

Major Security Vulnerabilities Now Have Marketing Campaigns

Shannon Vavra, Axios:

There’s a four-way handshake that establishes a key for securing traffic, but the third step allows the key to be resent multiple times, which allows encryption to be undermined, according to a researcher briefed on the vulnerability. The researchers, the United States Computer Emergency Readiness Team and KU Leuven, report this breach, called KRACK (Key Reinstallation Attacks) could allow connection hijacking and malicious code injection.

Mathy Vanhoef discovered the vulnerability, which comprises ten CVEs. And, yeah, it’s a big problem, but we’re not all completely screwed. Alex Hudson explains:

Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.

Juli Clover, MacRumors:

Apple’s iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what’s supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there’s still a partial vulnerability.

Apple’s latest round of betas, released to developers today, include a patch.

Here’s the thing about this: it’s clearly a bad bug, but it is both generally fixable and the fear is — at least to some extent — driven by the researcher’s PR campaign around it. Much like Heartbleed, KRACK has a cool name and a logo.

But compare the immediate groundswell of attention around Heartbleed and KRACK against, say, a critical flaw in a widely-used RSA key-generation library, also announced today. Dan Goodin, Ars Technica:

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This bug isn’t receiving anywhere near the same attention as KRACK, despite the affected library being used to generate some — not all — RSA keys for PGP and GitHub, and potentially all keys for Microsoft BitLocker and identity cards for Estonia and Slovakia.

I get why security researchers are dialling up the campaigns behind major vulnerabilities. CVE numbers aren’t interesting or explanatory, and the explanations that are attached are esoteric and precise, but not very helpful for less-technical readers. A catchy name gives a vulnerability — or, in this case, a set of vulnerabilities — an identity, helps educate consumers about the risks of having unpatched software, and gives researchers an opportunity to take public credit for their work. But, I think the histrionics that increasingly come with these vulnerabilities somewhat cheapen their effect, and potentially allow other very serious exploits to escape public attention.
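The key reinstallation described in the Axios and MacRumors excerpts above, modelled as an added example that is not from the original post or from the researchers: a client that reinstalls the key when handshake message 3 is retransmitted restarts its packet counter and reuses a nonce, while a patched client ignores the repeat. The `Client` class, the sample frames and the SHA-256 keystream (a stand-in for WPA2's real cipher) are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; not captured traffic.
SESSION_KEY = b"constructed-session-key"
FRAME_A = b"user=alice&pin=4821"
FRAME_B = b"constructed frame 2"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream derived from (key, nonce); a stand-in for a counter-mode cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Hypothetical Wi-Fi client reduced to the state that matters here."""
    patched: bool
    key: Optional[bytes] = None
    packet_number: int = 0  # used as the per-frame nonce

    def on_message3(self, key: bytes) -> None:
        """Handle handshake message 3, which the access point may retransmit."""
        if self.patched and key == self.key:
            return  # key already installed: keep the packet counter running
        self.key = key
        self.packet_number = 0  # installing a key restarts the nonce sequence

    def send(self, plaintext: bytes) -> tuple[int, bytes]:
        self.packet_number += 1
        stream = keystream(self.key, self.packet_number, len(plaintext))
        return self.packet_number, xor(plaintext, stream)


def run_session(patched: bool) -> list[tuple[int, bytes]]:
    """Handshake, one frame, a retransmitted message 3, then a second frame."""
    client = Client(patched=patched)
    client.on_message3(SESSION_KEY)
    frames = [client.send(FRAME_A)]
    client.on_message3(SESSION_KEY)  # same message 3 delivered again
    frames.append(client.send(FRAME_B))
    return frames


def reused_packet_numbers(frames: list[tuple[int, bytes]]) -> list[int]:
    """Monitoring check: packet numbers that appear more than once under one key."""
    seen, reused = set(), []
    for pn, _ in frames:
        if pn in seen:
            reused.append(pn)
        seen.add(pn)
    return reused


def keystream_cancels(frames: list[tuple[int, bytes]]) -> bool:
    """True when XORing the two ciphertexts equals XORing the two plaintexts,
    i.e. the encryption contributes nothing once a nonce has been reused."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(FRAME_A, FRAME_B)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_session(patched)
        label = "patched" if patched else "unpatched"
        print(label, "packet numbers:", [pn for pn, _ in frames],
              "reused:", reused_packet_numbers(frames),
              "keystream cancels:", keystream_cancels(frames))
```

The patched branch mirrors the fix vendors shipped in spirit only: a repeated message 3 carrying the already-installed key no longer resets the counter.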

Twitter’s Abuse Problem Comes Down to a Failure of Leadership and a Reliance on Algorithms

Natasha Lomas, TechCrunch:

Twitter has clearly not fixed the problem of abuse on its platform — and very clearly also continues to fail to fix the problem of abuse on its platform.

Leaning on algorithms to do this vital work appears to be a large part of this failure.

But not listening to the users who are being abused is an even greater — and more telling — lapse of leadership.

There’s an enormous disconnect between what tech companies feel compelled to restrict and what users feel is worth restricting. The New York Times illustrates this today with an interactive feature about what Facebook considers hate speech worthy of removal. The second phrase — “Poor black people should still sit at the back of the bus.” — would likely not be considered hate speech on its own by Facebook’s standards:

While Facebook’s training document lists any call for segregation as an unacceptable attack, subsets of protected groups do not receive the same protection, according to the document. While race is a protected category, social class is not, so attacks targeting “poor black people” would not seem to qualify as hate speech under those rules, Ms. Citron said. That is because including social class in the attack negates the protection granted based on race.

As of right now, 93% of over 60,000 Times readers think that statement constitutes hate speech, and I think most reasonable people would agree on that: the historical connotations of forcing black people to sit at the back of a bus far overwhelm the income status of the subject. Surely there’s enough context within that single phrase to establish that it’s driven by race, right?

But this is the thing: tech companies are generally run by people who are not subjected to abuse or targeted hate speech on their platforms. It would be prudent of them to take seriously the concerns raised by affected users. But this is also another reason why executive teams need to comprise more diverse perspectives because, as far more eloquent writers have pointed out, not doing so creates a huge blind spot.

Tech companies need to mature to a point where they recognize the responsibility they have to the billions of people on this planet, because that’s the scale they operate at now.

A Decade of Airlines Ignoring Hyphenated Names

John Scott-Railton:

United Airlines keeps changing my hyphenated last name, costing me up to hours of trouble when I travel. When an airline like United changes travelers names, all parts of a trip can be affected. I am not alone in this: hyphenated users have complained about this for a decade. There are tens of thousands of hits on Google for this problem.

By deleting hyphens, United Airlines creates a Passenger Name Record mismatch, which torpedoes smooth air travel. Here are some common problems for people with hyphens who fly on United, I have encountered all of them: Online check-ins don’t work, forcing travelers to arrive early at the airport to get a paper boarding pass, or miss their flights. Customs flags travelers arriving in the US for extra scrutiny, resulting in long waits. TSA may send travelers back to airline counters.

United has publicly shrugged about this for over a decade. Noted security expert Bruce Schneier even blogged about the issue of hyphenations nine years ago. @united can be found on twitter advising passengers to simply delete their hyphens, which is bad advice and may result in a records mismatch, and delays. In 2017 the problem is still not fixed. Is United Airlines incapable of such a simple change?

Scott-Railton published this back in June, and Freia Lobo of Mashable noted at the time that this issue isn’t isolated to United Airlines: Delta’s ticketing system has the same problem.

But I’m linking to it today because Delta recently updated their app to remove the check-in process and issue boarding passes automatically. That’s terrific. Unfortunately, there’s no indication that Delta or any other airline has addressed the issue with hyphenated names — I found tweets from as recently as August with the same issue, and complaints about similar character validation problems from September.

These kinds of problems are almost certainly due to legacy or outdated equipment. There’s probably some key part of these airlines’ ticketing infrastructure that will simply never accept anything other than A–Z characters — at least, not without replacing it. But with the huge number of people out there who do have hyphens, apostrophes, or diacritical marks in their names, surely a modernization of their character palette should be a higher priority.

At the very least, this shouldn’t be a passenger problem a decade after Schneier pointed it out. If a name needs to have characters dropped for compatibility reasons, it shouldn’t trigger a security warning or require additional scrutiny for passengers.

Google Disables Touch Functionality on Home Mini After a Reviewer’s Device Recorded Ambient Audio Constantly

Artem Russakovskii, Android Police:

Several days passed without me noticing anything wrong. In the meantime, as it turns out, the Mini was behaving very differently from all the other Homes and Echos in my home – it was waking up thousands of times a day, recording, then sending those recordings to Google. All of this was done quietly, with only the four lights on the unit I wasn’t looking at flashing on and then off.


Further clarifications arrived. The Google Home Mini supports hotword activation through a long press on the touch panel. This method allows people to activate the Google Assistant without saying the hotword. On a very small number of Google Home Mini devices, Google is seeing the touch panel register “phantom” touch events.

In response, the updated software disables the long press to activate the Google Assistant feature. Once the Google Home Mini devices receive the updated software, all long press events (real or phantom) will be ignored and Google Assistant will not be invoked accidentally.

I’m not paranoid, but it’s events like these that shake my confidence in the security of ambient audio-based assistant devices. Google’s a big company, and something like this really should have been caught far earlier; bugs like these — and, for what it’s worth, the malfunctioning LTE bug that affected the Apple Watch — suggest that far more thorough quality assurance processes are necessary.

Aaron Mamiit, Tech Times:

While it would certainly have been much better if the issue never existed in the first place, the speed and finality of Google’s response to the controversy certainly deserve praise from the technology industry and its customers.

Why, exactly, should we praise Google for this? A fast reaction is the bare minimum response anyone should expect for a device that’s unintentionally always recording and uploading audio in the background. I don’t see anything particularly praiseworthy about not including a bug that enables such an egregious privacy violation on a shipping device.

Denise Young Smith at the One Young World Summit

Aamna Mohdin, Quartz:

Apple, like many other tech titans such as Google, and Microsoft, is trying to take key steps in addressing the problem of having a lack of diversity, which has been highlighted by investors. But it does look like the company is making progress. Apple’s latest statistics show that a majority of new hires in the US are from ethnic minorities, although white employees still account for 56% of the overall current workforce.

When asked whether she would be focusing on any group of people, such as black women, in her efforts to create a more inclusive and diverse Apple, [VP of Diversity Denise Young Smith] says, “I focus on everyone.” She added: “Diversity is the human experience. I get a little bit frustrated when diversity or the term diversity is tagged to the people of color, or the women, or the LGBT.” Her answer was met with a round of applause at the session.

Young Smith went on to add that “there can be 12 white, blue-eyed, blonde men in a room and they’re going to be diverse too because they’re going to bring a different life experience and life perspective to the conversation.” The issue, Young Smith explains, “is representation and mix.” She is keen to work to bring all voices into the room that “can contribute to the outcome of any situation.”

I get where Young Smith is coming from here — that diversity is more than a single-item checkbox question. Nobody should feel like the token person on a team, only there to meet a diversity quota; everyone should feel valued. I recently attended a discussion panel concerning equity in the arts in Calgary, and a similar point was made there as well.

But it is unfair and disingenuous to make this argument without also acknowledging that the tech industry is dominated by individuals within a very narrow spectrum of diversity — typically white, typically male, and typically wealthy or from wealthier backgrounds. This tendency is more pronounced the higher up one looks at a company’s corporate ladder. Of course, these stereotypes are not fully representative — and, even if they are, those individuals may have different life experiences; that’s what Young Smith is getting at — but it’s hard to see the framing of twelve white men as a “diverse” group as anything other than a cop-out after Apple’s investors once again voted against a diversity proposal earlier this year.

Omar Ismail on Quora, responding to a user’s question about whether they’re privileged simply because they are white:

It doesn’t mean you’re rich. It doesn’t mean you’re luckier than a lucky black guy. Nobody wants you to be crippled with guilt. Nobody has ever wanted that, or means those things.

It means you have an advantage, and all anyone is asking is that you *get* that. Once you get that, it’s pretty straightforward to all the further implications.

DeRay Mckesson made a similar point in response to Young Smith’s answer at the summit:

You didn’t work hard for every band aid to look like you, for every baby doll to look like you, for the world to treat you as human, and everything as ‘other’ is not the result of your personal hard work — that’s what white privilege is.

Tech companies have a massive responsibility. They may overwhelmingly be based in the United States, but they play a significant role in how the world communicates. Right now, their senior leadership does not look like the world in which they reside. When that changes, we can start really looking at the life experience of twelve white men and how that substantially contributes to the company’s diversity objectives — however, bigger steps are needed before we can get to that point. I think we need to reconsider how people are educated, hired, and promoted. But, as I wrote near the top of this piece, nobody should feel like they’re a “token” person in a team; that can start with companies pursuing truly comprehensive opportunities to make their staff at all levels more like the world they connect.

Update: I worry that companies more lax in their diversity efforts will use this kind of defence as an excuse for hiring just 36 black Americans in a whole year.

Seven Years and One Month Since Microsoft’s Funeral for the iPhone

Peter Bright reported for Ars Technica earlier this week:

During the weekend, Microsoft’s Joe Belfiore tweeted confirmation of something that has been suspected for many months: Microsoft is no longer developing new features or new hardware for Windows Mobile. Existing supported phones will receive bug fixes and security updates, but the platform is essentially now in maintenance mode.

Microsoft already announced last year that they would stop making phones, and I expected this announcement would follow sooner than it actually did. Nevertheless, it’s unsurprising, and made worse by a cringeworthy funereal procession that Microsoft held for shipping Windows Phone 7 — their first try at an iPhone OS competitor — three and a half years after Apple first demonstrated the iPhone.

Vlad Savov writing for Engadget in September 2010:

An elaborate parade, replete with hearses and black capes, was organized last week to denote the passing of the BlackBerry and iPhone into the land of unwanted gadgets. We’d say this is done in poor taste, but we don’t enjoy stating the obvious. We will, however, enjoy the fallout from this poorly judged stunt.

They also danced to Michael Jackson’s “Thriller” at the same parade. To be fair to them, BlackBerry really has all but vanished from everyone’s pockets, but its replacements run iOS and Android, not Windows Mobile.

Uber’s iPhone App Had Screen Recording Capabilities

Kate Conger, Gizmodo:

To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.

The screen recording capability comes from what’s called an “entitlement” — a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.

The Gizmodo story acknowledges later that this entitlement could have been sandboxed to function only within Uber’s app — though Apple wouldn’t say one way or another — and Uber said that it was only live for a single version of the app to make the Apple Watch app run more smoothly. Even so, given Uber’s outrageous history of violations of privacy and basic decency, it seems quite risky to me for Apple to have granted Uber’s app this entitlement. I’m sure precautions were taken, but I cannot imagine any other developer having this kind of influence, particularly an indie developer or one with such a poor track record.

App Review Should Screen Apps for Discrepancies In Device Requirements

I’ve been on vacation for the past few days and I was curious about what was stored on my hotel room keycard. So I downloaded one of those NFC-reading apps, opened it, and was surprised to see a message indicating that my device was incompatible. I re-checked the listing in the App Store and it said that my iPhone was compatible; I also remembered that my 6S does not support the new NFC-reading API in iOS 11.

I looked at a few other NFC-reading apps in the store and they all indicate that my phone is compatible, even though I know it isn’t. It turns out that there is a way for developers to indicate when the new API is a requirement — it’s just that many developers don’t use it.

I think App Review ought to do a better job of screening apps for discrepancies between what apps say they do and what requirements they need. Dedicated NFC-reading apps that don’t correctly indicate which devices are compatible ought to be rejected, as should apps with similar inconsistencies.
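The kind of screening described above can be reduced to comparing two declarations in an app's Info.plist. This is an added example, not App Review's actual process and not code from any of the apps mentioned; it assumes the `NFCReaderUsageDescription` key marks Core NFC use and that the `nfc` value of `UIRequiredDeviceCapabilities` is the requirement mechanism in question, and the sample apps are constructed.

```python
import plistlib

NFC_USAGE_KEY = "NFCReaderUsageDescription"  # Info.plist key an app needs to use Core NFC
CAPS_KEY = "UIRequiredDeviceCapabilities"    # Info.plist key that drives store compatibility

def required_capabilities(info):
    """Return the capabilities the app marks as required.

    The key may be an array of names, or a dictionary mapping each name
    to a boolean (true = required, false = must be absent)."""
    caps = info.get(CAPS_KEY, [])
    if isinstance(caps, dict):
        return {name for name, needed in caps.items() if needed is True}
    return set(caps)

def nfc_discrepancy(plist_bytes):
    """Return a finding string, or None when the two declarations agree."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    uses_nfc = NFC_USAGE_KEY in info
    requires_nfc = "nfc" in required_capabilities(info)
    if uses_nfc and not requires_nfc:
        return "declares NFC use but does not require 'nfc'"
    if requires_nfc and not uses_nfc:
        return "requires 'nfc' but declares no NFC use"
    return None

# Constructed Info.plist contents for hypothetical apps (not real listings).
SAMPLES = {
    "TagReader": plistlib.dumps({
        NFC_USAGE_KEY: "Reads NFC tags.", CAPS_KEY: ["armv7"]}),
    "TagReaderFixed": plistlib.dumps({
        NFC_USAGE_KEY: "Reads NFC tags.", CAPS_KEY: {"arm64": True, "nfc": True}}),
    "TagReaderDictFalse": plistlib.dumps({
        NFC_USAGE_KEY: "Reads NFC tags.", CAPS_KEY: {"nfc": False}}),
    "Notes": plistlib.dumps({CAPS_KEY: ["arm64"]}),
}

def screen(samples):
    """Map each app name to its finding (None means consistent)."""
    return {name: nfc_discrepancy(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, finding in screen(SAMPLES).items():
        print(f"{name}: {finding or 'ok'}")
```

An app that treats NFC as an optional extra would also be flagged, so a finding is a prompt for a reviewer to check whether the app is a dedicated reader, not an automatic rejection.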

Boy, Do I Feel Naïve

Laura Wagner of Deadspin reacts to Joseph Bernstein’s blockbuster story for Buzzfeed on how Breitbart cultivated a destination for white supremacists, misogynists, and other scum:

Is there a word for when you feel embarrassed about your naïveté? Because I feel dumb as hell. I assumed that when [Olivia Nuzzi] and her down-the-middle cohorts wrote things like this glowing profile of Mike Cernovich in New York magazine, they went home and immediately took a hot shower to wash off the stink. I didn’t realize they were just writing about their friends.

A very charitable part of me wants to believe that none of the writers now shown to be quite cozy with Steve Bannon and his ilk were aware of the impact of being associated with Breitbart’s brand of conspiracy-tinged journamalism. But I still don’t understand why anyone would want to be associated with them in any way, particularly after the outright discriminatory, racist, sexist, and irrationally caustic articles they’re well-known for.

Apple Releases High Sierra Security Update

This update includes fixes for the encrypted disk password-as-hint bug as well as the keychain exfiltration bug that was revealed last week.

Unfortunately, Apple recommends that those affected by the encrypted disk bug install this security update, then format and restore their drive. This applies mostly to those who think that there’s a chance that their disk password may have been exposed — I don’t set password hints, so this bug didn’t affect me. But if you’re one of the unlucky ones who are affected, you know how you’ll be spending your weekend.

I still want to know how a bug like the latter bypassed quality control checks and a multi-month developer beta, though. It’s not confidence-inspiring.

MacOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Containers

Matheus Mariano:

This week, Apple released the new macOS High Sierra with the new file system called APFS (Apple File System). It wasn’t long before I encountered issues with this update. Not a simple issue, but a potential vulnerability.

The vulnerability? Under certain not-so-uncommon conditions, a drive or container formatted as APFS can show the actual password as the hint.

Via Michael Tsai:

The bug was easy to reproduce on my Mac. Plugging the drive into another Mac also shows the password as the hint. So I’m guessing it’s not actually an APFS flaw but rather that Disk Utility is passing the wrong variable as the hint parameter.

That seems to be the case. Felix Schwarz:

Creating a volume via diskutil, the hint, not the pw is shown. Looks like the root cause is Disk Utility storing the password as hint.

So, from the looks of it, if you haven’t specified a password hint, or if you haven’t used Disk Utility, you’re probably safe.

Disk Utility was made extraordinarily buggy in a rewrite two years ago and we’re still feeling the effects of that decision. That’s a big problem for an app as consequential as Disk Utility.

Update: Apple told Rene Ritchie that they’re rolling out a fix for this today. That’s a fast response, but this is a bug that should have been caught far sooner. Why wasn’t it?

The Verge’s Preview of Google’s New Pixel 2 Phones

Dieter Bohn of the Verge got an early look at Google’s new Pixel 2 and Pixel 2 XL phones, officially announced today:

The speakers on both phones got plenty loud without too much distortion. I’m sure it was a priority to get those speakers in there, but I’m also sure I would rather have smaller bezels. The overall audio story on Pixel 2 is a big deal: it does away with the headphone jack, but it also supports a bunch of new audio codecs over Bluetooth 5. I can also tell you that the Pixel 2 is a thousand percent better at recognizing when I say “OK Google” than last year’s phone.

That’s the sole mention of the headphone port in Bohn’s preview. That’s weird, because less than a year ago, Bohn agreed with Nilay Patel’s sentiment that removing the headphone port was “user-hostile”. Even two months ago, Bohn was “going to continue to be a curmudgeon about” the removal of the 3.5mm headphone port on today’s smartphones.

By the way, both Google and Apple include 3.5mm adaptors in the box. If you want to buy an extra one, Apple will charge you $9 for their Lightning-to-3.5mm adaptor, but Google will charge a whopping $20 for a USB-C-to-3.5mm adaptor. Just throwing that out there.

Bohn again:

That’s not to say there aren’t impressive design elements to point out. There are no visible antenna lines anywhere on the XL’s aluminum unibody. Even though the 6-inch screen on the XL might not technically count as edge-to-edge, it still fits a much larger screen in a body that’s just a little bigger than last year’s Pixel XL, which had a 5.5-inch screen. On both, you’ll see that there is no camera bump beyond a slight raised ridge around the lens.

But there is a camera bump, right? Either there is or there isn’t, and the photo in this article indicates that it’s virtually the same treatment as that on my iPhone 6S — a treatment that Bohn previously described as a “camera bump” and “aesthetically aggravating”.

Rather than go with dual lenses and a camera bump like Apple, […]

There is a camera bump. I get it: nobody likes camera bumps. Depending on who you ask, they’re either a symptom of an obsession with smartphone thinness, or a tolerable — if not ideal — compromise. But Bohn can’t make the bump go away by denying its existence, and I’m not sure what to make of his attempts to do so.