Month: September 2022

Citizen Lab:

Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.

The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.

I am an idiot and I was able to find several archived websites that appeared to be part of this scheme using only the information disclosed by Citizen Lab. If I could find part of this network, imagine what a more determined adversary would have been able to do. This is a shocking betrayal by the CIA of informants’ trust in its capabilities and security.

Joel Schectman and Bozorgmehr Sharafedin of Reuters published a full investigation based on Citizen Lab’s findings.
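The two weaknesses Citizen Lab names, shared client-side artifacts and blocks of sequential IP addresses under one front-company registrant, are precisely what lets an analyst walk from a single seed site to the whole network. The script below is an added illustration written for this page, not Citizen Lab's tooling or data: the scan records, domain names, registrant names and content-hash labels are all constructed, and the pivot thresholds (two shared non-generic artifacts, or adjacent addresses under the same registrant) are assumptions about what a reasonable linking rule looks like.

```python
"""Pivoting from one seed site to a cluster of related infrastructure.

Added illustration for this page of the two weak signals in the quoted
passage: shared client-side artifacts (the same Java/JS/Flash/CGI files,
matched by content hash rather than by path) and sequential IP addresses
registered to the same front company. Every record below is constructed;
nothing here is Citizen Lab's data or tooling.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class SiteRecord:
    """One historical scan result: where a site lived and what it served."""
    domain: str
    ip: str
    registrant: str
    artifacts: dict[str, str]  # served path -> content hash (constructed labels)


# Hashes of libraries so ubiquitous that sharing them links nothing (assumed allowlist).
COMMON_HASHES = {"h-jquery"}


def shared_artifacts(a: SiteRecord, b: SiteRecord) -> set[str]:
    """Content hashes both sites serve, ignoring ubiquitous libraries."""
    return (set(a.artifacts.values()) & set(b.artifacts.values())) - COMMON_HASHES


def ip_adjacent(a: SiteRecord, b: SiteRecord, max_gap: int = 1) -> bool:
    """True when the two addresses are within max_gap of each other."""
    ia, ib = ipaddress.ip_address(a.ip), ipaddress.ip_address(b.ip)
    return ia.version == ib.version and abs(int(ia) - int(ib)) <= max_gap


def link_reason(a: SiteRecord, b: SiteRecord, min_shared: int, max_gap: int) -> str | None:
    """Why b should be pulled into a's cluster, or None if it should not."""
    if len(shared_artifacts(a, b)) >= min_shared:
        return "shared-artifacts"
    # A registrant name alone is weak (front companies reuse generic names);
    # a registrant plus an adjacent address is the sequential-block pattern.
    if a.registrant == b.registrant and ip_adjacent(a, b, max_gap):
        return "sequential-ip"
    return None


def pivot(seed: str, records: list[SiteRecord], min_shared: int = 2, max_gap: int = 1) -> dict[str, str]:
    """Expand from the seed until no new site links in; returns domain -> how it was linked."""
    by_domain = {r.domain: r for r in records}
    found: dict[str, str] = {seed: "seed"}
    frontier = [seed]
    while frontier:
        current = by_domain[frontier.pop()]
        for cand in records:
            if cand.domain in found:
                continue
            reason = link_reason(current, cand, min_shared, max_gap)
            if reason:
                found[cand.domain] = f"{reason} via {current.domain}"
                frontier.append(cand.domain)
    return found


# Constructed scan records. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_RECORDS = [
    SiteRecord("news-one.example", "203.0.113.10", "Acme Media Holdings",
               {"/applet/Comm.class": "h-applet-1", "/js/loader.js": "h-loader-1", "/js/jquery.js": "h-jquery"}),
    SiteRecord("sports-two.example", "203.0.113.11", "Acme Media Holdings",
               {"/java/Comm.class": "h-applet-1", "/static/load.js": "h-loader-1", "/js/jquery.js": "h-jquery"}),
    SiteRecord("travel-three.example", "203.0.113.12", "Acme Media Holdings",
               {"/flash/player.swf": "h-flash-1", "/cgi-bin/comm.cgi": "h-cgi-1", "/js/jquery.js": "h-jquery"}),
    SiteRecord("cars-four.example", "198.51.100.7", "Beta Web Ventures",
               {"/media/player.swf": "h-flash-1", "/cgi-bin/c.cgi": "h-cgi-1"}),
    # Decoys: IP-adjacent but a different registrant; same registrant but far away.
    SiteRecord("hobby-blog.example", "203.0.113.13", "Some Person",
               {"/js/jquery.js": "h-jquery", "/wp-login.php": "h-wp"}),
    SiteRecord("gift-shop.example", "192.0.2.50", "Beta Web Ventures",
               {"/js/jquery.js": "h-jquery", "/cart.js": "h-cart"}),
]


if __name__ == "__main__":
    for domain, how in pivot("news-one.example", SAMPLE_RECORDS).items():
        print(f"{domain:24} {how}")
```

Matching on the artifact's content hash rather than its path is what catches the same loader served under different file names, which is the kind of reuse the quoted passage describes, and the allowlist of ubiquitous libraries stops jQuery from linking everything to everything. Note that the cluster grows transitively: `travel-three.example` is reached only through its address being next to an already-linked site, and `cars-four.example` is reached only through artifacts it shares with `travel-three.example`. The same loop applies unchanged to real sources such as historical scan data and Wayback Machine captures once they are normalised into this record shape.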

20 Years of Rogue Amoeba

Rogue Amoeba’s 20th anniversary sale ends very soon! Their next sale probably won’t be for another 5 years, so buy now to save 20%.

Since 2002, Rogue Amoeba has been making amazing audio apps for the Mac. Whether you’re a podcaster, musician, or just someone who listens to audio on their Mac, Rogue Amoeba can make your life better. Whatever your audio needs, it’s a good bet they have a tool to help you. And right now, for a very limited time, you can save 20% off any purchase.

Rogue Amoeba’s product line-up includes:

  • Audio Hijack: Record any audio you hear on your Mac, and so much more.

  • Loopback: Get ridiculously powerful audio routing to pass audio from one application to another, without needing cables or mixers.

  • SoundSource: It’s the sound control that should be built into MacOS, with per-app volume and output control, audio effects on any audio, and fast audio device switching.

There’s also Airfoil (home audio streaming), Farrago (the Mac’s best soundboard app), Fission (fast and lossless audio editing), and Piezo (charmingly simple audio recording).

Free fully-featured trials are available for all these products, right from MacAudio.com. Better still, in celebration of 20 years in business, Rogue Amoeba is offering a very rare sale. If you buy before October, you’ll save 20% off every purchase from Rogue Amoeba.

You don’t need any coupon codes or special URLs, but act fast. Visit MacAudio.com now to save. You’ll be glad you did.

Ivan Mehta, TechCrunch:

Last week, a startup called Un1feed launched an Instagram client called The OG App, which promised an ad-free and suggestion-free home feed along with features like creating custom feeds like Twitter lists. The app racked up almost 10,000 downloads in a few days, but Apple removed the app from the App Store for violating its rules earlier this week.

Separately, Un1feed said that Meta disabled all team members’ personal Instagram and Facebook accounts.

Meta didn’t specify if they asked Apple to remove the app from the App Store, but it said that the app breached its rules.

Thereby illustrating the difference between what some users value about Instagram and what Meta values. Users want to view friends’ photos and videos on their own terms; Meta wants them to watch suggested Reels and shop.

Perhaps most interesting is that Un1feed’s founders told TechCrunch earlier this week that an Instagram clone was only the first step, and the company has raised early funding. This may be a sketchy looking reverse-engineered effort, but Un1feed is establishing itself as more legitimate than it may seem at first glance.

Phil Harrison, Google’s vice president in charge of Stadia:

A few years ago, we also launched a consumer gaming service, Stadia. And while Stadia’s approach to streaming games for consumers was built on a strong technology foundation, it hasn’t gained the traction with users that we expected so we’ve made the difficult decision to begin winding down our Stadia streaming service.

In early 2020, Insider’s Ben Gilbert spoke with developers about Stadia as Google struggled to get enough traction. They offered a few explanations — a lack of financial incentives and questionable audience size — but Gilbert says a repeated concern was this exact scenario:

“If you could see yourself getting into a long term relationship with Google?” one developer said. “But with Google’s history, I don’t even know if they’re working on Stadia in a year. That wouldn’t be something crazy that Google does. It’s within their track record.”

This concern — that Google might just give up on Stadia at some point and kill the service, as it has done with so many other services over the years — was repeatedly brought up, unprompted, by every person we spoke with for this piece.

Google may have kept it going for a couple of years longer than the quoted developer speculated, but everything else about this rings true.

I feel bad for those working on the products unceremoniously canned by Google — or, indeed, any company. It sucks to see your hard work evaporate. But part of Google’s problem is its perpetual cycle of introducing new products, letting them linger as users and sometimes developers wonder whether they should commit, and then killing them when there is little uptake — see step two in the cycle.

Daryl Worthington, the Quietus:

Just as much as cassettes or LPs, CDs have qualities and quirks. And they also have affordances that make them ideal for certain kinds of music. But, despite being 40 years old, and gradually being replaced by downloads and streaming, they don’t seem to trigger the same nostalgia and whimsy.

What a great dive into the unique properties of the CD, and the ways different artists have experimented with what, on its face, seems like a cold and inflexible medium.

Arun Maini, known on YouTube as “Mrwhosetheboss”, has a library of dozens of devices he has tested, from all manufacturers. But he noticed the batteries in his Samsung phones — and only his Samsung phones — were dangerously expanding, sometimes in phones he received less than two years ago. In discussions with other YouTube personalities, he discovered he was not the only one seeing problems with Samsung devices specifically or, at least, disproportionately.

While he is still waiting for results from Samsung’s internal investigation — the company confiscated some of his affected devices — his video on the topic is worth watching.

In August, CBC News reported that Lyft was lobbying the Alberta government to remove commercial license requirements for ride hailing drivers. In comments made today about forthcoming changes to the province’s licensing system, it appears the government partly caved to its demands.

Bill Graveland, of the Canadian Press:

An additional road test will also no longer be mandatory to obtain a Class 4 driver’s licence, which is required to transport passengers in taxis, ride-share vehicles, limousines, small buses and ambulances.

To translate, while a commercial license will still be required, a driver’s skill will no longer be evaluated, though a knowledge test is still required. Disappointing, made doubly so by framing this as mere red tape.

Matthew Panzarino of TechCrunch interviewed Craig Federighi after WWDC this year, and asked why Stage Manager was limited to M1 iPads:

“It’s only the M1 iPads that combined the high DRAM capacity with very high capacity, high performance NAND that allows our virtual memory swap to be super fast,” Federighi says. “Now that we’re letting you have up to four apps on a panel plus another four — up to eight apps to be instantaneously responsive and have plenty of memory, we just don’t have that ability on the other systems.”

It was not purely the availability of memory that led Apple to limit Stage Manager to M1 iPads though.

“We also view Stage Manager as a total experience that involves external display connectivity. And the IO on the M1 supports connectivity that our previous iPads don’t, it can drive 4K, 5K, 6K displays, it can drive them at scaled resolutions. We can’t do that on other iPads.”

It turns out Apple was able to find some of those capabilities in older iPad Pro models after all.

Nathan Ingraham, Engadget:

That changes with the latest iPadOS 16 developer beta, which was just released. Now, Apple is making Stage Manager work with a number of older devices: it’ll work on the 11-inch iPad Pro (first generation and later) and the 12.9-inch iPad Pro (third generation and later). Specifically, it’ll be available on the 2018 and 2020 models that use the A12X and A12Z chips rather than just the M1. However, there is one notable missing feature for the older iPad Pro models — Stage Manager will only work on the iPad’s built-in display. You won’t be able to extend your display to an external monitor.

Stage Manager has been decoupled from external display support, which will be coming to M1 iPads in a separate software update. In some ways, this more closely mirrors Apple’s history of soft limitations in Macs. For example, recent MacBook Air models — like old iBooks — only officially support a single external display, even though they can drive more.

Unfortunately, Stage Manager has been among the buggiest new features in this year’s round of new operating system versions and it remains troubled in the latest beta.

Update: Steve Troughton-Smith:

What’s really telling to me is that if Stage Manager were taken apart & rebuilt from scratch properly, there is not one aspect of the current version that I would preserve (other than floating windows that can be resized/overlapped). Not one bit of how any of this works is right.

This is just one perspective, but it is worrisome.

The main thing I am left wondering after reading this New York Times story about a forthcoming deal to resolve U.S. national security concerns is whether anything will be enough to satisfy the biggest TikTok hawks. I can already see the complaints of any agreement not being enough, speculation of the existence of a back door, and general distrust of TikTok. I still think a focus on TikTok as a specific point of vulnerability is a distraction from much more pressing privacy and security concerns.

Vivian Qu:

And still, I was surprised to receive an App Review message. I hadn’t submitted a new update for WorldAnimals. The app was still working well, with zero crashes and a handful of new downloads every month. My boss had even shown me last week that he had downloaded my app on his phone for his daughter – we played the game together during a work meeting and laughed at the silly animal sounds. In my mind, there was no reason I should be receiving a vaguely threatening message from Apple’s App Review system.

Well, it turns out, Apple’s problem with my app was the fact that I wasn’t updating it.

Via Michael Tsai:

The undocumented “minimum download threshold” seems to be saying that you can buy lots of App Store search ads to be exempt from the requirement to have an updated app — then you’re welcome to inflict it on lots of users.

Users of Apple’s products would probably benefit more from a crackdown on scams and brand name apps that flout App Store rules than removing perfectly fine apps just because they do not get enough monthly downloads or have not been updated in a while.

Apple (via Benjamin Mayo):

Avoid using a Live Activity to display ads or promotions. Live Activities help people stay informed about ongoing events and tasks, so it’s important to display only information that’s related to those events and tasks.

Apple once prohibited the use of Push Notifications to deliver ads, but developers abused it anyway. Notification ads are now permitted so long as users are allowed to opt out but, in practice, this rule does not seem to be enforced. Doordash is among the worst abusers of this, pushing ads to users’ devices daily, and sometimes more frequently than that.

A Live Activity would be the perfect way for an app like Doordash to update users on a delivery’s progress. Based on the company’s abuse of push notifications, I could not see myself enabling it. The Live Activity format is such a great enhancement to notifications and the iOS experience. It is unfortunate to see Apple shooting itself in the foot by allowing the worst developers’ behaviour instead of holding them to a basic standard of respect.

Speaking of parking and privacy, Not My Plate is a way for European citizens to generate GDPR requests for removal from parking networks that rely on automated plate recognition. Researchers devised some ingenious ways of tracking plates and, by extension, vehicles and possibly people. From the whitepaper:

One discovered methodology involved (re-)registering the license plates into parking and toll road applications that start- and stop sessions based on automatic license plate recognition. Out of the 120 license plates monitored, we were able to track down the live location of slightly over 29% of vehicles during a 100-day window (26.5% of which using methodology #1, and an additional 2.5% using methodology #2 which was tested on a smaller scale).

Another technique was proven to work in areas without cameras, such as on-street parking in cities and residential neighborhoods. A proof-of-concept stalkerware application was developed to routinely create one-second parking sessions for a multitude of parking zones across the country, intercepting any errors that would indicate the vehicle is already parked there. When used in areas that offer limited free parking time, the scan would only have to run once a day and would not incur any charges for the attacker.

In the U.S. and Canada, vehicle plates are typically assigned to the owner. But in other places, plates are attached to a specific vehicle for its entire life.
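Methodology #2 in the quoted passage is an error-message oracle: the session API branches its reply on state the caller has no business seeing, namely whether someone else (or the camera network) already has that plate parked in that zone. The simulation below is an added example written for this page, not code from the Not My Plate whitepaper or from any parking operator; the API shape, zone names, plate, account names and the daily limit are assumptions. It shows the vulnerable design, the sweep that exploits it, and a redesign in which duplicate detection is scoped to the caller's own sessions so nobody else's parking state can change the response.

```python
"""A parking API as a vehicle-location oracle, and a design that closes it.

Added simulation written for this page of methodology #2 in the quoted
whitepaper; it is not the researchers' code nor any operator's backend.
The API shape, zone names, plate, account names and daily limit are assumptions.
"""
from __future__ import annotations

from collections import defaultdict


class ParkingService:
    """Vulnerable design: anyone may start a session for any plate, and the
    reply depends on state the caller cannot otherwise see, such as a session
    the camera network opened when the car drove in."""

    def __init__(self) -> None:
        self.active: dict[tuple[str, str], str] = {}  # (plate, zone) -> who opened it

    def camera_detected(self, plate: str, zone: str) -> None:
        self.active[(plate, zone)] = "alpr"

    def start_session(self, account: str, plate: str, zone: str) -> str:
        if (plate, zone) in self.active:
            return "ERROR_ALREADY_PARKED"  # the oracle: leaks another party's state
        self.active[(plate, zone)] = account
        return "STARTED"

    def stop_session(self, account: str, plate: str, zone: str) -> None:
        if self.active.get((plate, zone)) == account:
            del self.active[(plate, zone)]


class HardenedParkingService:
    """Two changes: duplicate detection is scoped to the caller's own sessions,
    so nobody else's parking state can alter the reply; and each account may
    touch only a few plate/zone pairs per day, bounding the breadth of a sweep."""

    DAILY_PAIR_LIMIT = 5  # assumed value

    def __init__(self) -> None:
        self.active: set[tuple[str, str, str]] = set()  # (account, plate, zone)
        self.pairs_today: dict[str, set[tuple[str, str]]] = defaultdict(set)

    def camera_detected(self, plate: str, zone: str) -> None:
        self.active.add(("alpr", plate, zone))

    def start_session(self, account: str, plate: str, zone: str) -> str:
        pairs = self.pairs_today[account]
        if (plate, zone) not in pairs and len(pairs) >= self.DAILY_PAIR_LIMIT:
            return "ERROR_RATE_LIMITED"
        pairs.add((plate, zone))
        if (account, plate, zone) in self.active:
            return "ERROR_ALREADY_PARKED"  # only the caller's own session can trigger this
        self.active.add((account, plate, zone))
        return "STARTED"

    def stop_session(self, account: str, plate: str, zone: str) -> None:
        self.active.discard((account, plate, zone))


def sweep(service, attacker: str, plate: str, zones: list[str]) -> str | None:
    """Methodology #2: open a momentary session per zone and read the reply.
    In zones with free parking time the short-lived sessions cost nothing."""
    for zone in zones:
        reply = service.start_session(attacker, plate, zone)
        if reply == "ERROR_ALREADY_PARKED":
            return zone
        if reply == "STARTED":
            service.stop_session(attacker, plate, zone)  # the "one-second" session
    return None


ZONES = [f"zone-{i:03d}" for i in range(12)]  # constructed zone list
TARGET_PLATE = "AB-123-C"  # constructed plate


if __name__ == "__main__":
    vulnerable = ParkingService()
    vulnerable.camera_detected(TARGET_PLATE, "zone-007")
    print("vulnerable:", sweep(vulnerable, "attacker", TARGET_PLATE, ZONES))  # zone-007

    hardened = HardenedParkingService()
    hardened.camera_detected(TARGET_PLATE, "zone-007")
    print("hardened:", sweep(hardened, "attacker", TARGET_PLATE, ZONES))  # None
```

The per-account cap is deliberately the secondary control: as the whitepaper notes, a sweep in free-parking areas only has to run once a day, so throttling alone would merely slow it down. What actually removes the oracle is that the hardened service decides "already parked" using only the caller's own sessions, so the reply carries no information about anyone else's vehicle. A production design would additionally bind each plate to a verified owner account so that the owner, and only the owner, can see camera-created sessions for that plate; the toy leaves that out so the oracle is the only behaviour under test.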

Some local news followup. Joel Dryden, CBC News:

An investigation conducted by the Calgary Parking Authority, the city-operated agency that manages municipal parking services in the city, has revealed that the personal information of 145,895 customers was exposed for at least two months last year.

[…]

The CPA initially said only 12 customers had their data compromised. But on Monday, it confirmed that figure was well over 100,000.

Funny how these estimates almost never get revised downward.

A fascinating series of posts from Simon Willison about attacks with malicious prompts for automated responses based on machine learning — the second and third parts are linked in the sidebar.

Fascinating and troubling to consider this as a parallel to social engineering attacks on real, living people. It is not a stretch to imagine more call centre tasks being offloaded to automated systems — regrettably.[1] Agents are trained to avoid divulging information like the customer’s address or partial credit card number, but too heavy a reliance on prompt-based tasks might result in an uptick of these kinds of attacks.


  1. The loss of employment for millions is an obvious concern. On the other side of the phone line, there is a satisfaction difference. I have spent the past couple of weeks on the phone with various call centres, and there is a vast gulf in my level of happiness between speaking with a real person and speaking with a robot for even part of it.

I have read many reviews of the Apple Watch Ultra and seen a few videos, but I do not think anyone gets as close to testing its capabilities as Ray Maker:

Whether or not the Apple Watch Ultra is for you, depends largely on what you plan to use it for. If you had or wanted an Apple Watch, but were held back by battery life, and perhaps button usability – then the Ultra largely solves that. Similarly, if you wanted more advanced running/workout metrics, then WatchOS 9 on the Apple Watch Ultra also solves that too. And, if you never knew you wanted an emergency siren on your wrist for when you fall off an embankment, then the Ultra is for you too (but seriously, that feature is surprisingly well executed).

However, as good as Ultra is for most existing Apple Watch users (or more mainstream prospective users), it falls short when it comes to features that you would need to complete an actual ‘ultra’ – that is, a long distance running race, or trek, or really any adventure in the backcountry. These gaps fall into a couple of different camps. Sure, there’s the bugs like the openwater swim one, or the disappearing compass backtrack one. I’m less concerned about those at the moment. Instead, it’s the navigational feature gaps, and sensor pairing/broadcasting gaps that are more key for Apple.

I am not in the target market for the Apple Watch Ultra; my most backcountry hikes are still within a couple hours’ drive of a decent espresso. But I have a few friends who do more extreme sports and they have expressed similar questions as Maker about its endurance and navigation capabilities. Its marketing may have oversold it somewhat. I look forward to learning more from real-world users about what it is actually like in the most hardcore circumstances.

Do you remember having the capacity for shock?

To be fair, it may have been muted by years of relentless news stories exploring an entire industry of privacy invasions. Some of these articles might involve subjects familiar to you; perhaps you were an early worrier about how Facebook apps could harvest data on users’ friends, a capability which the company later found was happening at shocking scale. Unfortunately, most of the general-audience press began paying attention to these concerns after the 2016 U.S. election, when that Facebook scandal was disproportionately blamed for a particularly idiotic presidency. But, at last, mainstream newsrooms did cover these problems, and they brought the budget, sources, and access to uncover some truly horrifying news items, with such regularity that my ability to be shocked has been blunted.

This made my jaw drop.

Joseph Cox, Vice:

Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.

[…]

“The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to “petabytes” of current and historical data.

The NSA and GCHQ have, for years, intercepted and ingested data as it flows from server farms through fibre optic cables and across the internet. These programs built upon previous general surveillance efforts like the FBI’s Carnivore software.

These wildly intrusive and untargeted capabilities, once the domain of government intelligence gathering efforts, now appear to be offered to anyone who can afford whatever Team Cymru is charging. Regardless of your opinion of the programs operated by the NSA and GCHQ, at least they had the appearance of formal controls and specific goals. As Cox reports, now that the monitoring is done by a private business, it eliminates the need for pesky roadblocks like warrants.

This is wild, too:

Beyond his day job as CEO of Team Cymru, Rabbi Rob Thomas also sits on the board of the Tor Project, a privacy focused non-profit that maintains the Tor software. That software is what underpins the Tor anonymity network, a collection of thousands of volunteer-run servers that allow anyone to anonymously browse the internet.

I am not sure if the dissidents and drug seekers who rely on Tor should be worried, but I do not know what to make of this conflict. The Tor Project says there is no conflict of interest, though, so I feel silly.

Jason Diamond, the Melt:

That was always my problem with the rise of the coffee snob. And, again, I’m not saying you, the person with all your gadgets at home to make your perfect French press or espresso on your machine. The real-life versions of Ari Spyros from Billions, the compliance officer obsessed with his office setup is, honestly, goals. I wish that I took that much interest in the coffee I make. But I don’t. I do buy certain beans and I researched my grinder and coffee maker, but the truth is that I live in a city with countless options to just walk outside my door and get a coffee from and the idea is that since they all charge the same price that they should all serve good coffee.

And yet, that’s never the case. This is a very arbitrary assessment, but of the six (yes, six (I do live in Brooklyn, remember) places I could count that are all within eight minutes of my home (I timed these and rounded down to eight, I swear I didn’t just pick a number at random) that serve “specialty” coffee from roasters like Sey or Counter Culture, Partners or Intelligentsia, where the average price of a small coffee is four dollars, I’d say that four of those places just aren’t worth the cost. The coffee just isn’t that good. The two-dollar cup I get at the bodega does the trick.

I have a similar number of “good” coffee places within a short walk of my house. As with Diamond’s experience, only a few of these are actually decent. There are many places which have good beans from roasters I trust, made on all the “right” equipment by people who appear to care — and it just comes out all wrong. The atmosphere is wrong, too: one of the places near me has Edison bulbs and reclaimed wood everywhere, and it feels like it came from a kit; another place is a mix of a coffee shop, coworking space, and retail for clothing and knick-knacks. You do not need to be a snob to recognize that beneath the pastiche of specialty coffee is a seeming lack of care from the top down.

Matthew Panzarino, TechCrunch:

Apple says that all of the iPhone 14 models have a new internal structure that allows for better thermals and heat dissipation. It’s next to impossible to determine if there is any real benefit here in my testing, though I’m sure that a teardown will display whatever architectural changes Apple has made. Whatever has changed, it is significant, because the iPhone 14’s back glass can now be replaced without having to disassemble the phone, something that was not possible before.

Kyle Wiens, iFixit:

The best feature of the iPhone 14 is one that Apple didn’t tell you about. Forget satellite SOS and the larger camera, the headline is this: Apple has completely redesigned the internals of the iPhone 14 to make it easier to repair. It is not at all visible from the outside, but this is a big deal. It’s the most significant design change to the iPhone in a long time. The iPhone 14 Pro and Pro Max models still have the old architecture, so if you’re thinking about buying a new phone, and you want an iPhone that really lasts, you should keep reading.

Rare praise from iFixit for Apple’s assembly choices. It is not all good news; Wiens speculates Apple will require software pairing of the back glass to the phone’s chassis, for some reason. But changes like these and Apple’s self-service repair program go a long way to permit more people to avoid long lines at an Apple Store they may live far away from.

It also means device owners get more say in what parts can be replaced and when. I sure would love to have Apple repair my deeply scratched iPhone 12 Pro display — especially since I have AppleCare Plus — but the company has so far refused because it may reduce the phone’s water resistance. Apple has not launched self-repair in Canada, so I must either be comfortable with components of unknown provenance or delude myself into not seeing the gash in my screen.

Michael Tsai put together a great collection of notable indie developer anniversaries, including one from Ken Case of the Omni Group:

Speaking of time flying, today marks the 30-year anniversary of the day we started doing business together as “the Omni Group.” We registered the omnigroup.com domain on September 8, 1992 — thirty (30) years ago — back when having an Internet domain had nothing to do with having a website.

And here is one more — Rogue Amoeba is celebrating its twentieth birthday. Paul Kafasis:

20 years ago this month, Rogue Amoeba unveiled Audio Hijack 1.0.0, the very first version of what has become our flagship product. To celebrate that anniversary, we’ve got a great deal to share with you. But first, take a gander at what things looked like way back on September 30, 2002: […]

I am trying to decide whether I prefer the early Aqua stripes in the Audio Hijack screenshot, or the marble-textured Omni logo in Case’s post. Both have their appeal.

There is something very special about using products made by independent developers like these. It is software with personality, driven by a level of care and passion that is understandably lost in larger organizations. When I am having trouble or want to request a feature enhancement, I can send an email from somewhere in the application and receive a response from a real person who has the power to make things happen. Institutional developers have their place, but I feel a level of individual care from the indie software projects I use on a daily basis. Congratulations to the Omni Group, Rogue Amoeba, and the many other indie developers who make the software many of us rely on.