My 2018 Apple Report Card

At the end of January, Jason Snell published his annual Six Colors Apple Report Card for 2018. This year 55 voters (hand-selected by Snell) graded Apple in 11 areas. I was one of them, and thought it only fair to publish my grades and remarks here at Daring Fireball. Comments in [brackets] are additional commentary I wrote now, and were not included in what I submitted to Snell.

Mac: D

I’d say it’s been an OK year at best. On the MacBook front they had decent MacBook Pro updates and the third-gen butterfly keyboard seems to have fixed the reliability problems with the previous keyboards. But these keyboards are not great. A few people really like them, but most people agree they feel worse than the old keyboards. I may be biased as a writer and a keyboard aficionado, but it used to be the case that Apple’s notebook keyboards were widely hailed as the best in the world — that’s no longer the case, and I think that’s a problem.

I like the new retina MacBook Air a lot, but it was overdue by at least a year.

The new Mac Mini is great, but we still didn’t get a new Mac Pro and none of the iMacs were updated. That’s not good.

Mojave seems fine overall but I personally don’t care about Dark Mode, and the new “Marzipan” apps — Home, News, Stocks, Voice Memos — range from “not great and a little weird” (Home) to “downright terrible” (the other three).

[A “D” may seem harsh here, but the more I think about these MacBook keyboards the more unacceptable I find the whole situation. Apple makes a great keyboard today — the standalone Magic Keyboard 2 has a terrific feel and is completely reliable.

I heard a story years ago about Steve Jobs after the release of the original iPad. Jobs had been on medical leave in 2009 and when he returned to Apple, he was focused almost entirely on the iPad. In 2010, after the iPad was introduced, he had a meeting scheduled with engineers on the MacBook team. The meeting was big picture — What’s the future of the MacBook?, that sort of thing. These engineers had prepared a ton of material to present to Jobs. Jobs comes into the meeting carrying an iPad. He goes to a then-shipping MacBook on a table and wakes it up. It takes a few seconds. He says something like “Look at how long this takes.” He puts it to sleep, he wakes it up. It takes a few moments each time. Then he puts the iPad on the table and hits the power button. On. Off. On. Off. Instantly. Jobs said something like “I want you to make this” — and he pointed to the MacBook — “like this” — and he pointed to the iPad. And then he walked out of the room and that was that.

Is this story true? I don’t know. But it sounds true — and MacBooks do wake up a lot faster than they used to. I’d like someone at Apple to go to the MacBook team with a Magic Keyboard and do the same thing. “I want you to take this keyboard and put it in these MacBooks.”

The MacBook keyboards, lack of iMac updates, and still-missing Mac Pro would’ve led me to give Apple a “C” for the Mac. I took off a whole grade for how embarrassingly bad the “Marzipan” apps are.]

iPhone: A

On the hardware front, the iPhone XS and XS Max are great flagships, and months later I continue to be amazed by the quality and capabilities of their camera systems, both for stills and especially for video. There are some Android phones that are arguably as good as the iPhone for still photography but Apple is years ahead on video.

The iPhone XR is way more XS-comparable than I expected. The compromises Apple chose — LCD instead of OLED, a single rear-facing camera, aluminum instead of stainless steel — aren’t noticeable by most people. And the XR gets better battery life — noticeably better. After spending a few weeks using an XR full-time, I honestly question whether its LCD isn’t better than the XS’s OLED for my needs.

iOS 12 is one of my favorite iOS updates for iPhone in years. Apple promised back at WWDC that they were focusing on performance and they delivered. It’s faster and more reliable, and the new grouped notifications are a joy to use. iOS 12 on iPhone is Apple at its software best.

iPad: B

I really wish this were two categories, hardware and software. On the hardware front Apple had an “A” year. The new 9.7-inch iPad at a sub-$400 starting price is a terrific mass market tablet, now with Apple Pencil support. The new iPad Pros are, quite simply, the best portable computers ever made by anyone. They are astounding in every regard — display quality, performance (CPU and GPU), size and weight. They feel like artifacts from a few years in the future.

Software-wise, I’d be tempted to rate this year for iPad as “N/A”. It wasn’t good, it wasn’t bad — it was nothing. Which, effectively, is bad, because I think the iPad needs an “iPadOS” overhaul. The iPad has always been great for simple use cases. “It’s just a big iPhone” is, for many people and many use cases, a compliment, not an insult. But the iPad needs to scale better for advanced use cases — without complicating simple use cases — and iOS 12 wasn’t an advance on that front in any meaningful way.

Apple Watch: B

I don’t think Apple gets enough credit for its expertise in miniaturization. They’ve long been the best company in the world at making ever-smaller ever-more-powerful tiny personal computers, and their lead seems to be growing, not shrinking. Apple Watch exemplifies that.

My only beef with Series 4 hardware and WatchOS 5 is that there’s an aesthetic mismatch between new hardware and watch faces and old hardware and watch faces. The new WatchOS faces only look right on the new Series 4 watches, and the old faces only look truly right on the older watch hardware.

Apple TV: C

I don’t think Apple needed to come out with new Apple TV hardware this year, but they should have dropped the price on the existing hardware.

Services: B

iCloud Photos is now one of the best sync services I’ve ever used. It’s fast and reliable, and it handles data that I consider invaluable — my family’s photos and videos. iCloud overall has gotten very good. But the 5 GB free tier is just ridiculous at this point.

HomeKit: C

[No remarks.]

Hardware Reliability: B

[No remarks.]

Software Quality: C

[No remarks.]

Developer Relations: C

[No remarks. ]

Environmental/Social: B

[No remarks submitted, but I wish now that I’d made mention of Lisa Jackson’s remarks on stage at the September iPhone XS/XR introduction. Given all the conspiracy theories about Apple and planned obsolescence, it was fascinating to see Jackson on stage touting the durability and longevity of iPhone hardware. Apple promised that iOS 12 would run faster than iOS 11 on older hardware and they made good on that promise. Apple is right to be proud of this, and it’s good for customers and good for the environment. And in the long run, good for Apple.]

Retail: C

In between Snell’s release of the 2018 report card and my posting this piece, Apple has announced that Angela Ahrendts is leaving in April. In the wake of this, there’s been a lot of commentary about the state of Apple’s retail stores, which, in turn, makes me think that “Retail” should be one of the categories on the Six Colors report card. If it were, I’d have given Apple a “C”.

The two best things Apple has done in retail during the Ahrendts era are opening architecturally amazing new flagship stores around the world, and the “Today at Apple” program in every store. But for me, personally, I don’t care about huge new flagship stores in Dubai or Paris, and I don’t partake in the “Today at Apple” classes. I care about two things: buying stuff and getting service at my local Apple Store here in Philadelphia.

I’ve disliked the experience of buying stuff at the Apple Store ever since they did away with queues for checking out. I just want to get in line, wait my turn, pay, and leave. Instead, the way to check out at an Apple Store is to wander around until you get the attention of an employee who has one of the handheld checkout iPod Touches. This can be maddening. My wife refuses to shop at an Apple Store for this reason. I know you can use the Apple Store app to check yourself out, but I don’t like it. Part of the reason Apple’s stores are too crowded is that people are wandering around trying to pay for things.

And getting technical support at Apple Stores is terrible now. In the old days you could just walk in with a broken or otherwise problematic device and get an appointment at the Genius Bar within the hour. Now, the Genius Bar is booked for days in advance — sometimes close to a week. In some ways that’s inevitable — Apple is way more popular now than it was pre-iPhone. But inevitable or not, the result is that getting support at an Apple Store now stinks. And frankly, the technical acumen of the Genius Bar staffers is now hit-or-miss.

“Today at Apple” is nice, but the primary purposes of an Apple Store should be shopping and service — and I think both of those experiences should be a lot better. 

Goldman Sachs: ‘Is Curing Patients a Sustainable Business Model?’ 

Tae Kim, reporting for CNBC:

Goldman Sachs analysts attempted to address a touchy subject for biotech companies, especially those involved in the pioneering “gene therapy” treatment: cures could be bad for business in the long run.

“Is curing patients a sustainable business model?” analysts ask in an April 10 report entitled “The Genome Revolution.”

“The potential to deliver ‘one shot cures’ is one of the most attractive aspects of gene therapy, genetically-engineered cell therapy and gene editing. However, such treatments offer a very different outlook with regard to recurring revenue versus chronic therapies,” analyst Salveen Richter wrote in the note to clients Tuesday. “While this proposition carries tremendous value for patients and society, it could represent a challenge for genome medicine developers looking for sustained cash flow.”

Hard to think of a better example of what is turning capitalism into a dirty word. (Also, this is why we need government-funded research, to make the goal crystal clear: finding a cure, not finding profit.)

The FTC and Facebook Are Negotiating a Record, Multibillion-Dollar Fine for the Company’s Privacy Lapses 

Tony Romm, reporting for The Washington Post:

The Federal Trade Commission and Facebook are negotiating over a multi-billion dollar fine that would settle the agency’s investigation into the social media giant’s privacy practices, according to two people familiar with the probe.

The fine would be the largest the agency has ever imposed on a technology company, but the two sides have not yet agreed on an exact amount. Facebook has expressed initial concern with the FTC’s demands, one of the people said. If talks break down, the FTC could take the matter to court in what would likely be a bruising legal fight.

Finally, billions, not millions. Fuck these negotiations: tell them it’s $20 billion and take them to court if they don’t accept it.

New US Postage Stamp Designed by Aaron Draplin 

Perfect. I’m going to buy a lifetime supply of these.

Kroger Pay 

Dan Monk, reporting for WKRP WCPO Cincinnati:

The Kroger Co. debuted a new mobile payment option Wednesday that is launching in Columbus and Colorado but expanding to all stores nationwide by year end.

Kroger Pay is an app that generates a single-use QR code that can be scanned at the checkout counter to pay for a Kroger purchase. The app can be linked to any major credit or debit card. Kroger is also launching the Kroger Rewards debit card so payments, fuel points and other rewards can be tied to each purchase.

I don’t think there’s a Kroger anywhere near Philadelphia. I’ve never set foot in one. But they’re a huge chain — the largest supermarket chain in the world — so, like Walmart, they might have a chance of making their own payments thing work, eschewing Apple Pay.

But, still, QR codes? Gross.

White House Announces National Emergency Using iPhone Notes App 

Very serious, well-prepared people, the Trump administration.

It’s not even a clean screenshot — Sanders screwed it up with a black dot from the Markup feature while cropping.

Peter Kafka: ‘The Logic Behind Apple’s Give-Us-Half-Your-Revenue Pitch to News Publishers’ 

Peter Kafka, writing at Recode:

Here’s the short answer, which I’ve cobbled together by talking to industry sources: Apple has already signed many publishers to deals where they’ll get 50 percent of the revenue Apple generates through subscriptions to its news service, which is currently called Texture and will be relaunched as a premium version of Apple News this spring.

And some publishers are happy to do it, because they think Apple will sign up many millions of people to the new service. And they’d rather have a smaller percentage of a bigger number than a bigger chunk of a smaller number.

In the words of a publishing executive who is optimistic about Apple’s plans: “It’s the absolute dollars paid out that matters, not the percentage.”

Amazon Pulls Out of Planned New York City Headquarters 

J. David Goodman, reporting for The New York Times:

Amazon on Thursday canceled its plans to build an expansive corporate campus in New York City after facing an unexpectedly fierce backlash from some lawmakers and unions, who contended that a tech giant did not deserve nearly $3 billion in government incentives.

What a waste of time and effort. Maybe next time don’t treat it like a game show.

Dieter Bohn on Amazon’s Acquisition of Eero 

Dieter Bohn, writing at The Verge:

We all feel trapped — or maybe captured — by the various ecosystems we live in. We all use excellent products every day made by behemoth companies, but increasingly only made by those companies. iPhone or Android, Chrome or Safari, Surface or Mac, Windows or Chrome OS, and even Facebook or Twitter: all, in one way or another, come from one of the big guys.

Eero was different. It was a tiny little company that made a great little product. Something simple, elegant, and reliable. Would it have been too much to ask that it stay independent? Perhaps, but we don’t know Eero’s financial situation. But it’s getting harder to find independent hardware startups that can scale up to something big without getting bought.

Former Apple Lawyer Who Was Supposed To Keep Employees From Insider Trading Has Been Charged With Insider Trading 

That’s quite the headline.

Paczkowski: ‘Apple Event Planned for March 25 Around a News Subscription Product’ 

John Paczkowski, writing for BuzzFeed News:

Apple has settled on a date for its first big product announcement of 2019. Sources tell BuzzFeed News that the company plans to hold a special event on March 25 at the Steve Jobs Theater on its Apple Park campus. Headlining the gathering: That subscription news service that has been all over the news today. Unlikely to make an appearance: next generation AirPods, or that rumored new iPad Mini.

Sources described the event as subscription services focused, but declined to say anything about Apple’s standalone video streaming service which is also rumored to debut in 2019.

‘At This Time’ 

Lauren Goode, writing for Wired:

Eero privacy policy currently states that the company collects data about users’ Eero networks to optimize performance, that it may share anonymized data, and that it may share personal data with third-party service providers. However, it also states, “We don’t ever track the websites you visit or collect the content of your network traffic. We don’t sell our customer data, and we don’t sell ads based on this data.”

Amazon tells Wired it has “no plans to change Eero’s policy at this time.”

I know Amazon wants to keep its options open and isn’t going to commit to anything today, but that “at this time” is painful to read.

Apple Fails to Block Porn and Gambling ‘Enterprise’ Apps 

Josh Constine, reporting for TechCrunch:

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family friendly. Without proper oversight, they were able to operate these vice apps that blatantly flaunt Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories.

I had no idea until this Facebook thing broke just how many developers are using the “enterprise” system to effectively sideload native iOS apps, bypassing the App Store. TechCrunch has a list of a few dozen here, but the full list is way longer. Dozens and dozens of bootleg content apps like this one, which just changes its cert every few weeks. Either Apple has been purposefully looking the other way on this, or they’ve been asleep at the switch and a reckoning is coming.
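The way to tell an enterprise-signed app from an App Store one is the provisioning profile it carries: an in-house profile says `ProvisionsAllDevices`, an ad hoc or development profile lists `ProvisionedDevices`, and an App Store profile has neither. The script below is an added example, not code from TechCrunch or Apple. It pulls the XML plist out of the CMS-signed `embedded.mobileprovision` in a sideloaded app's bundle, classifies the distribution method, and reports the signing team and days until the profile expires (the rotation Gruber describes shows up as a short-lived profile). The sample profile is constructed for this example and carries no real signature; the key names are Apple's real profile keys. The script does not verify the CMS signature; on a Mac, `security cms -D -i embedded.mobileprovision` decodes the file through the system's own verifier.

```python
"""Classify an iOS provisioning profile by its distribution method.

Added example. Reads the XML plist embedded in a CMS-signed
embedded.mobileprovision and reports whether the app was signed for the
App Store, enterprise (in-house) distribution, ad hoc, or development.
"""
import datetime
import plistlib

# Constructed sample: a plist shaped like an enterprise in-house profile.
# The surrounding filler bytes stand in for the PKCS#7 envelope the real
# file wraps around the XML; they are not a signature.
_SAMPLE_PLIST = {
    "AppIDName": "Example Video App",
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "CreationDate": datetime.datetime(2019, 1, 20, 0, 0, 0),
    "ExpirationDate": datetime.datetime(2020, 1, 20, 0, 0, 0),
    "Name": "Example In-House Distribution",
    "Platform": ["iOS"],
    "ProvisionsAllDevices": True,          # the enterprise marker
    "TeamIdentifier": ["ABCDE12345"],
    "TeamName": "Example Enterprise LLC",
    "UUID": "00000000-0000-0000-0000-000000000000",
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.video",
        "com.apple.developer.team-identifier": "ABCDE12345",
        "get-task-allow": False,
    },
}
SAMPLE_MOBILEPROVISION = (
    b"\x30\x82\x0b\x00" + b"\x00" * 24      # placeholder DER-like prefix
    + plistlib.dumps(_SAMPLE_PLIST)
    + b"\x00" * 16                          # placeholder trailing bytes
)


def extract_plist(blob):
    """Slice the XML plist out of the CMS envelope (no signature check)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile):
    """Map profile keys to Apple's four distribution methods."""
    ents = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"                 # installs on any device
    if "ProvisionedDevices" in profile:
        # get-task-allow lets a debugger attach: development, not ad hoc
        return "development" if ents.get("get-task-allow") else "ad-hoc"
    return "app-store"


def describe_profile(blob, now=None):
    """Summarise who signed the app, how, and how long the profile lasts.

    `now` may be None (current UTC time) or an ISO date string.
    """
    profile = extract_plist(blob)
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = datetime.datetime.fromisoformat(now)
    expires = profile["ExpirationDate"]
    return {
        "method": classify_profile(profile),
        "team": profile.get("TeamName"),
        "team_id": ",".join(profile.get("TeamIdentifier", [])),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "days_left": (expires - now).days,
        "device_count": len(profile.get("ProvisionedDevices", [])),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 profile_check.py Payload/Some.app/embedded.mobileprovision
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = SAMPLE_MOBILEPROVISION
    for key, value in describe_profile(blob).items():
        print(f"{key:13}{value}")
```

Run against a real profile, the `team` and `team_id` fields show which Enterprise account signed the app, which is what distinguishes a developer that passed Apple's screening from one piggybacking on someone else's approval.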

WSJ: Apple Wants ‘About Half’ of Apple News Subscription Revenue 

Benjamin Mullin, Lukas I. Alpert, and Tripp Mickle, reporting for The Wall Street Journal (paywalled, as usual, alas):

Apple Inc.’s plan to create a subscription service for news is running into resistance from major publishers over the tech giant’s proposed financial terms, according to people familiar with the situation, complicating an initiative that is part of the company’s efforts to offset slowing iPhone sales.

Before we get to the Apple News subscription stuff, can I just point out that every single story about Apple this year frames every single thing they’re doing as an “effort to offset slowing iPhone sales”. This framing makes no sense. Does anyone think they’d be doing anything differently if last quarter’s iPhone sales had been slightly up rather than slightly down? And if you don’t actually know the numbers — that last quarter, although below expectations, was the second-best quarter for iPhone revenue ever, behind only the same quarter one year prior — this framing would lead a reasonable person to believe that iPhone sales are tanking.

I get it, Apple started banging the “look at our growth in Services” drum a few years ago because they’re running out of room for growth to even be possible in iPhone sales. And this Apple News subscription thing is definitely a service. But the context of this framing leaves a casual reader with a very wrong impression.

In its pitch to some news organizations, the Cupertino, Calif., company has said it would keep about half of the subscription revenue from the service, the people said. The service, described by industry executives as a “Netflix for news,” would allow users to read an unlimited amount of content from participating publishers for a monthly fee. It is expected to launch later this year as a paid tier of the Apple News app, the people said.

The rest of the revenue would go into a pool that would be divided among publishers according to the amount of time users spend engaged with their articles, the people said. Representatives from Apple have told publishers that the subscription service could be priced at about $10 a month, similar to Apple’s streaming music service, but the final price could change, some of the people said.

Apple keeping “about half” of this revenue is nuts. Given the margins in the news industry today, even Apple’s usual 70/30 split would seem a bit greedy, but half is insane.

MacRumors Projects WWDC Dates: June 3-7 in San Jose 

Joe Rossignol, writing for MacRumors:

In our continued research, we discovered that San Jose requires permitting for large public events such as Apple’s WWDC Bash, which took place at the Discovery Meadow park next to McEnery in 2018.

Following that thread, we unearthed a 2019 events calendar from the City of San Jose’s Office of Cultural Affairs that lists this year’s WWDC Bash at Discovery Meadow on the evening of Thursday, June 6. The event is named “Team San Jose 2019 WWDC” and is organized by “Apple.” An identical WWDC entry was listed in the Office of Cultural Affairs’ 2018 events calendar for the actual WWDC 2018 Bash.

Nothing’s official until it’s official, but June 3-7 in San Jose has been the smart money bet all along. It seems highly unlikely Apple will move WWDC back to San Francisco, and the O’Reilly Velocity conference is in San Jose June 10-13.

Hotel rates in downtown San Jose are higher than they’ve been the last two years, but that’s been true for these dates for months. They’ve already gone up since MacRumors published this story this morning, though.

Burying the Lede 

Reuters headline: “Vimeo Revenue Jumps 54 Percent in 2018, Paying Subscribers Near 1 Million”.

Sounds good, but five paragraphs down we get this:

Although Vimeo’s revenue is expected to rise “20 to 30 percent in the near-term,” according to its Chief Executive Anjali Sud, the video service is far from making a profit as it burns cash on product development and aggressive marketing to popularize its brand.

Vimeo started 15 years ago and still aren’t close to running in the black.

Amazon to Acquire Eero 

Amazon Press Center:

Amazon and eero today announced that they have entered into a definitive merger agreement under which Amazon will acquire eero. eero’s home mesh WiFi systems set up in minutes and blanket every room of a customer’s home in high-performing, reliable WiFi. eero is already delighting Amazon customers with its products and services, as indicated by eero’s 4.6-star product rating on

The natural and obvious plan would be to integrate Eero base stations with Echo speaker units — one set of small things to plug in around your home, rather than two. Which of course, while convenient, would be a no-go for anyone who wants to use Eero for Wi-Fi without having listening devices in their house. (I hope Amazon supports existing no-microphone Eero hardware for years to come, and see no reason why they wouldn’t.)

I liked it when Eero was an independent company, but I always suspected an acquisition was inevitable. I was kind of hoping it would be Apple, if anyone, if only for privacy reasons.

(Disclosure: Eero is a long-time sponsor of Daring Fireball, particularly The Talk Show.)

John Dingell’s Last Words for America 

John Dingell, the longest-serving member of Congress, one day before he died last week:

One of the advantages to knowing that your demise is imminent, and that reports of it will not be greatly exaggerated, is that you have a few moments to compose some parting thoughts. […]

My personal and political character was formed in a different era that was kinder, if not necessarily gentler. We observed modicums of respect even as we fought, often bitterly and savagely, over issues that were literally life and death to a degree that — fortunately — we see much less of today.

Think about it:

Impoverishment of the elderly because of medical expenses was a common and often accepted occurrence. Opponents of the Medicare program that saved the elderly from that cruel fate called it “socialized medicine.” Remember that slander if there’s a sustained revival of silly red-baiting today.

AirPods: From Mockery to Status Symbol 

Elena Cresci, writing for The Guardian:

Of all the widely ridiculed tech products, Apple’s AirPods have experienced an extraordinary turnaround. Back in 2016, they were roundly mocked by the tech industry. Tiny wireless earbuds? It seemed like a recipe for disaster — streets would be littered with these lost headphones, which would clutter up city pavements like discarded gloves and babies’ socks.

“If only there were an invention that could keep those AirPods tethered together, like a string,” wrote Ashley Esqueda from the tech website CNET on Twitter. “The beauty of the headphone cable is just like the beauty of a tampon string: it is there to help you keep track of a very important item,” wrote Julia Carrie Wong in the Guardian.

I never understood the notion that AirPods look weird. They look exactly like wired earbuds, without the wires. I do get the initial skepticism that they’d fall out and get lost frequently, but somehow Apple designed them not to, and it’s worked.

Turns out they’re one of the best products Apple has ever made. Almost everyone I know who has them loves them.


My thanks to Skillshare for sponsoring this week at DF. With over 7 million members and more than 25,000 classes, Skillshare is one of the best ways to learn new skills. It’s like Netflix for online learning. Interested in web development or data science? How about UX design, mobile photography, filmmaking, creative writing, even coffee brewing? Skillshare has it all.

Skillshare’s production values and content quality are so much better than what you typically see on the web. High quality is obviously their first priority. Here’s a personal recommendation: “Customizing Type with Aaron Draplin: Creating Wordmarks That Work”. Just look at the cool wordmarks on the title image of the video. So sweet.

And for this week only, Skillshare is offering the first 1,000 Daring Fireball readers two free months of Skillshare Premium.

Apple Tells App Developers to Disclose or Remove Screen Recording Code 

Zack Whittaker, TechCrunch:

Apple is telling app developers to remove or properly disclose their use of analytics code that allows them to record how a user interacts with their iPhone apps — or face removal from the app store, TechCrunch can confirm.

In an email, an Apple spokesperson said: “Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity.”

A lot of these notices went out last night (according to several DF-reading developers), and Apple’s only giving them 24 hours to submit updated apps before they’re removed from the App Store. I think Apple’s doing the right thing here, and it’s an impressive display of what the App Store review team can analyze, but given that this has been going on for years, I think 24 hours notice over a weekend is a bit drastic.

On Covering Webcams

I’m a big fan of Joanna Stern — she was in fact just on my podcast and it was one of my favorite episodes in a while. At the end of the episode, she mentioned that she was working on a piece about webcam security for her Personal Tech column at The Wall Street Journal. That column dropped yesterday, and I found it half enlightening, half maddening.

How secure are these tiny eyes into our private lives? The bad news is, it was possible for Mr. Heid to get into my Windows 10 laptop’s webcam and, from there, my entire home network. He also eventually cracked my MacBook Air. The good news is that both operating systems were initially able to thwart the hacker. It took me performing some intentionally careless things for him to “succeed.”

Key words there: intentionally careless.

Here’s how he got into her Windows 10 laptop — admittedly using only “off-the-shelf hacking tools”:

When I opened the attached Word doc, Microsoft ’s built-in, free anti-virus software, Windows Defender, immediately flagged it. When I clicked the link to the “reel,” the file that began downloading was identified as a virus and deleted. The system worked, but I wanted to see what would happen if I were someone who didn’t have anti-virus turned on in the first place, or who turned it off because it got annoying.

Here’s how the security expert got into her MacBook (again, using only “off-the-shelf hacking tools”):

Hacking a 2015 MacBook Air running the latest MacOS version, Mojave, also required a multistep process (and some missteps by the “victim”). This time the malware was embedded in an .odt document, an open-source file format.

To open it, I downloaded LibreOffice. The free version of the popular open-source office suite isn’t in the Mac App Store, however, so I had to disable the Mac security setting that prevents unverified developer software installation. […]

Once I installed LibreOffice, I turned off its macro security setting, per the hacker’s instructions. There are scenarios where you might do this — say, for instance, because your company used a specially designed inventory spreadsheet or sales form — but for most people, it’s a bad idea. […]

I did get a pop-up asking for camera access, and I clicked OK, like we might do when we’re in a rush. Because Mr. Heid was only snapping stills, the webcam LED only lit up for a second.

So she had to download LibreOffice (weird), disable LibreOffice’s macro security (really weird), and then still had to grant explicit permission for LibreOffice to access the camera. If you open a document that prompts you for access to the camera, aren’t you expecting it to be able to access your camera?

Stern’s advice to Mac users:

Installing those nagging security and OS updates are a must — on your phone, laptop, router, thermostat, really anything that connects to the internet. They include the latest attempts to patch the holes that hackers use to get in. Mac users should install Malwarebytes or other malware-fighting software — and don’t turn off any security features just because someone asks you to.

I’ve long argued that third-party anti-malware software on the Mac causes more problems than it solves. If someone is willing to ignore the warning from MacOS that an app isn’t from a verified developer, and is willing to disable the security settings in that app at the behest of a social engineering hacker, why wouldn’t that same person be gullible enough to also disable their anti-malware software?

Stern also claims she’s now using a physical stick-on camera cover. But why? In both cases — Mac and PC — the built-in system software did its job and issued clear warnings that she had to ignore for the attack to proceed. And even then — on both Mac and PC — the light next to the camera went on when it was in use.

There’s nothing in Stern’s story that makes me worry in the least bit about the security of my Mac webcams, and I don’t see anything that should worry someone running Windows 10 with Windows Defender (Microsoft’s built-in security software). The path to compromising Stern’s cameras was like a test of your home security that starts with a request that you leave your door unlocked and turn off your alarm system.

I have never understood the mass paranoia over laptop webcams — which have in-use indicator lights, which I’ve seen no evidence can be circumvented on Macs from the last decade — and the complete lack of similar paranoia over microphones, which cannot be blocked by a piece of tape and which have no in-use indicator lights. And I don’t see anyone taping over the cameras on their phones. This story is only going to feed that paranoia, because the takeaway is going to be “The Wall Street Journal says you should cover up your webcam.”
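The control that actually stood between the attacker and Stern's camera was the per-app consent prompt Mojave introduced, and the same prompt covers the microphone that has no light. Those decisions are recorded in the user's TCC database, so the practical check is to list which apps have been granted either. The script below is an added example, not from the Journal column or from Apple. It assumes the real database lives at `~/Library/Application Support/com.apple.TCC/TCC.db` (readable only from a terminal that has been given Full Disk Access), that Mojave and Catalina store the decision in an `allowed` column while later releases use `auth_value` (2 meaning allowed), and it falls back to a constructed stand-in table with those columns when the real file is absent. The sample rows are made up for this example.

```python
"""List which apps hold camera and microphone consent on macOS.

Added example. Reads the user's TCC.db (or a constructed stand-in) and
reports every camera/microphone decision, granted or denied.
"""
import os
import sqlite3

# Assumed location of the per-user consent database (Mojave and later).
USER_TCC_DB = os.path.expanduser(
    "~/Library/Application Support/com.apple.TCC/TCC.db")
SERVICES = ("kTCCServiceCamera", "kTCCServiceMicrophone")


def build_sample_db(path=":memory:"):
    """Constructed stand-in for TCC.db with only the columns the audit reads.

    Rows are made up for this example; the schema mirrors the Mojave-era
    `allowed` column (0 = denied, 1 = allowed).
    """
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT NOT NULL, client TEXT NOT NULL, "
        "client_type INTEGER NOT NULL, allowed INTEGER NOT NULL, "
        "prompt_count INTEGER NOT NULL, last_modified INTEGER NOT NULL)")
    conn.executemany("INSERT INTO access VALUES (?,?,?,?,?,?)", [
        ("kTCCServiceCamera",      "org.libreoffice.script", 0, 1, 1, 1549900000),
        ("kTCCServiceCamera",      "com.example.meetings",   0, 1, 2, 1549000000),
        ("kTCCServiceMicrophone",  "com.example.meetings",   0, 1, 1, 1549000000),
        ("kTCCServiceMicrophone",  "com.example.notetaker",  0, 0, 3, 1548000000),
        ("kTCCServiceAddressBook", "com.example.mail",       0, 1, 1, 1547000000),
    ])
    conn.commit()
    return conn


def consent_column(conn):
    """Return (column name, minimum value meaning 'granted') for this schema."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    if "auth_value" in cols:       # Big Sur and later: 0 denied, 2 allowed, 3 limited
        return "auth_value", 2
    if "allowed" in cols:          # Mojave / Catalina: 0 denied, 1 allowed
        return "allowed", 1
    raise RuntimeError("unrecognised TCC schema")


def media_grants(conn):
    """Return {(service, client): granted} for camera and microphone rows."""
    col, allowed_value = consent_column(conn)   # col comes from a fixed whitelist
    marks = ",".join("?" * len(SERVICES))
    rows = conn.execute(
        f"SELECT service, client, {col} FROM access WHERE service IN ({marks})",
        SERVICES)
    return {(svc, client): (val >= allowed_value) for svc, client, val in rows}


def granted_clients(conn, service):
    """Bundle identifiers currently allowed to use `service`, sorted."""
    return sorted(client for (svc, client), ok in media_grants(conn).items()
                  if ok and svc == service)


if __name__ == "__main__":
    if os.path.exists(USER_TCC_DB):
        conn = sqlite3.connect(f"file:{USER_TCC_DB}?mode=ro", uri=True)
    else:
        conn = build_sample_db()
    for (svc, client), ok in sorted(media_grants(conn).items()):
        print(f"{svc:24} {client:32} {'ALLOWED' if ok else 'denied'}")
```

A denied row still matters: it records that the app asked. To make every app ask again, Mojave's `tccutil reset Camera` and `tccutil reset Microphone` clear the stored decisions.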

Security researchers at Johns Hopkins (Matthew Brocker and Stephen Checkoway) released a paper in 2013, “iSeeYou”, showing that the indicator lights on the iSight cameras in Macs released prior to 2008 could be circumvented by software, by reprogramming the camera’s firmware from user space. I linked to this in 2016, wondering if the same exploit was possible on more recent Macs. Here’s an answer I received from a former engineer at Apple who was intimately familiar with the software drivers for Mac webcams:

The original cameras had the problem that the JHU researchers detailed in the article that you linked to. Problem was that the firmware was downloaded on every boot and there was no security/encryption mechanism for verifying it. The part used was fairly common and the firmware was just in RAM (hence the loading after a cold boot), as opposed to flashed.

All cameras after that one were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]

So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.

The still photo problem — where the light only turns on for the instant the image is being captured — is interesting. But I would wager real money that the camera indicator light cannot be circumvented by software on any Mac released this decade.

As I wrote back in 2016 about taping over your webcam:

I think this is nonsense. Malware that can surreptitiously engage your camera can do all sorts of other nefarious things. If you can’t trust your camera, you can’t trust your keyboard either. Follow best practices to avoid malware in the first place — don’t install Flash Player, and don’t install software from sketchy sources — and you’ll almost certainly be fine.

The problem isn’t your camera, it’s malware. Don’t install any software from unknown or sketchy sources, keep your OS up to date¹, and you should be fine. And if you do have malware on your Mac, the webcam is likely the least of your problems.

  1. MacOS 10.14 Mojave, in particular, has made some significant improvements to identifying and disabling malware automatically. I got a fascinating email from a Genius Bar tech recently, who said that his time the last few years had been consumed more and more by Mac malware problems. Then Mojave shipped, and malware problems dropped noticeably, and when he does see a malware problem these days, it’s almost always on a Mac that isn’t running Mojave.

Sprint Sues AT&T Over Its Bullshit 5G Branding 

Richard Lawler, reporting for Engadget:

In its claim, Sprint said it commissioned a survey that found 54 percent of consumers believed the “5GE” networks were the same as or better than 5G, and that 43 percent think if they buy an AT&T phone today it will be 5G capable, even though neither of those things are true. Sprint’s argument is that what AT&T is doing is damaging the reputation of 5G, while it works to build out what it calls a “legitimate early entry into the 5G network space.”

I don’t understand why Apple is participating in this charade. It’d be more honest for iOS to indicate this with a poop emoji in the status bar than with “5GE”.

Facebook’s Whack-a-Mole Markup Battle Against Ad Blockers 

Wolfie Christl:

Facebook adds 5 divs, 9 spans and 30 css classes to every single post in the timeline to make it more difficult to identify and block ‘Sponsored’ posts, oh my.

One look at the markup in the tweet he links to is enough to drive an HTML purist to drink.

On Margins: Lisa Brennan-Jobs and the Design, Production, and Writing of Memoir 

Speaking of excellent podcast episodes, do not miss Craig Mod’s interview with Lisa Brennan-Jobs. Any podcast that spends 15-20 minutes talking about the design of a book cover is catnip for me. But after listening, I went from not being interested in Brennan-Jobs’s memoir to wanting to read it immediately. It’s just a fabulous interview.

Reply All: ‘Negative Mount Pleasant’ 

Absolutely riveting podcast episode on the very local story behind Foxconn’s Wisconsin factory scam, as reported by Sruthi Pinnamaneni. A story of farcically bad government turns heartbreaking by the end.

Jeff Bezos’s War With National Enquirer Involves a Huge Spy Scandal 

John Schindler, writing for Observer:

A hint where this scandal is headed appeared last night when a Post reporter revealed on MSNBC that Gavin de Becker, the security guru to the stars whom Bezos hired to look into AMI, “told us that he does not believe that Jeff Bezos’s phone was hacked, he thinks it’s possible that a government entity might have gotten hold of his text messages.” […]

Another suspect is Saudi Arabia, which incurred the wrath of The Washington Post by murdering and dismembering their columnist Jamal Khashoggi in Istanbul last October. Bezos referenced that awful crime in his blog post, including the line, “Pecker and his company have also been investigated for various actions they’ve taken on behalf of the Saudi Government,” explaining that AMI is seeking Saudi funding. Bezos added, “Several days ago, an AMI leader advised us that Mr. Pecker is ‘apoplectic’ about our investigation. For reasons still to be better understood, the Saudi angle seems to hit a particularly sensitive nerve.”

Here’s a detail I would like to see everyone reporting on this story identify: what type of text messages was Bezos exchanging with Lauren Sanchez? “Text message” technically implies SMS, but in common usage most people call iMessage messages “texts”, and the act of sending them “texting”. Or were they using some other platform? People call all sorts of messages “texts”.

This matters because SMS is not encrypted. iMessage is not just encrypted but end-to-end encrypted. If, as Bezos’s investigator apparently believes, Bezos’s phone was not compromised, that means either Sanchez’s phone was compromised, or the messages were intercepted in transit. But if they were iMessages, they couldn’t be intercepted in transit.

Jeff Bezos Exposes Extortion Attempt From National Enquirer 

Jeff Bezos:

Something unusual happened to me yesterday. Actually, for me it wasn’t just unusual — it was a first. I was made an offer I couldn’t refuse. Or at least that’s what the top people at the National Enquirer thought. I’m glad they thought that, because it emboldened them to put it all in writing. Rather than capitulate to extortion and blackmail, I’ve decided to publish exactly what they sent me, despite the personal cost and embarrassment they threaten. […]

Well, that got my attention. But not in the way they likely hoped. Any personal embarrassment AMI could cause me takes a back seat because there’s a much more important matter involved here. If in my position I can’t stand up to this kind of extortion, how many people can? (On that point, numerous people have contacted our investigation team about their similar experiences with AMI, and how they needed to capitulate because, for example, their livelihoods were at stake.)

Reminiscent of when David Letterman exposed an extortion attempt regarding extramarital affairs in 2009.

Purported Exploit Exposes Keychain Passwords on MacOS 

Thomas Brewster, Forbes:

Just last week it emerged that a 14-year-old uncovered a bug that allowed snooping on iPhone and Mac users thanks to a problem in FaceTime. Now German 18-year-old Linus Henze has uncovered a vulnerability affecting the latest Apple macOS that leaves stored passwords open to malicious apps. That could include logins for your bank website, Amazon, Netflix, Slack and many more apps. And even though this is a Mac-only bug, if you’re using the iCloud keychain, passwords synced across iPhones and Macs may also be in danger.

To make matters worse, it’s likely that no fix is in the works. Henze isn’t disclosing his findings to Apple, telling Forbes the lack of payment for such research was behind his decision to keep the hack’s details secret from the Cupertino giant.

Henze hasn’t released code (thankfully), only a video purporting to show his exploit in action. I’d be skeptical except that Patrick Wardle has tested the exploit and vouches for it, telling Sergiu Gatlan at the website Bleeping Computer:

Yes, I was able to test it on a fully patched system and it worked lovely… It’s a really nice bug inspiringly so… If I’m a hacker or piece of malware this would be the first thing I do once I gain access to the system… Dump various keychains to extract passwords private keys signing certificates and sensitive tokens. It’s unfortunate that there is yet another bug in the keychain access… One would hope something like a keychain which is supposed to be secure would, in fact, be secure but unfortunately, that’s not the case.

This looks like a really bad vulnerability — especially so since Henze isn’t sharing details with Apple.

Why in the world Apple only offers security bounties for iOS is beyond my comprehension. Of course iOS has the most users, but the potential for truly critical bugs exists on all of Apple’s platforms.

Apple Is Compensating the 14-Year-Old Who Discovered Major FaceTime Security Bug 

Tom Warren, reporting for The Verge:

Apple released iOS 12.1.4 today to fix a major security flaw in FaceTime that allowed people to eavesdrop on iPhone users. The bug was originally reported to Apple by Michele Thompson after her 14-year-old son, Grant, discovered that you could add yourself to a Group FaceTime call and force recipients to answer immediately. Apple was initially slow to respond, but the company has now credited the discovery to Grant Thompson of Catalina Foothills High School.

Apple also tells The Verge that it’s compensating the Thompson family for discovering the vulnerability, and providing an additional gift to fund Grant Thompson’s tuition. Apple hasn’t revealed exactly how much it’s paying the Thompson family.

Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years 

Joseph Cox, reporting for Motherboard:

Around 250 bounty hunters and related businesses had access to AT&T, T-Mobile, and Sprint customer location data, with one bail bond firm using the phone location service more than 18,000 times, and others using it thousands or tens of thousands of times, according to internal documents obtained by Motherboard from a company called CerCareOne, a now-defunct location data seller that operated until 2017. The documents list not only the companies that had access to the data, but specific phone numbers that were pinged by those companies.

In some cases, the data sold is more sensitive than that offered by the service used by Motherboard last month, which estimated a location based on the cell phone towers that a phone connected to. CerCareOne sold cell phone tower data, but also sold highly sensitive and accurate GPS data to bounty hunters; an unprecedented move that means users could locate someone so accurately so as to see where they are inside a building. This company operated in near-total secrecy for over 5 years by making its customers agree to “keep the existence of confidential,” according to a terms of use document obtained by Motherboard.

This story from January — also broken by Cox — just got a whole lot worse.

Reuters: ‘Apple Puts Modem Engineering Unit Into Chip Design Group’ 

Stephen Nellis, reporting for Reuters:

Apple Inc has moved its modem chip engineering effort into its in-house hardware technology group from its supply chain unit, two people familiar with the move told Reuters, a sign the tech company is looking to develop a key component of its iPhones after years of buying it from outside suppliers.

Modems are an indispensable part of phones and other mobile devices, connecting them to wireless data networks. Apple once used Qualcomm Inc chips exclusively but began phasing in Intel Corp chips in 2016 and dropped Qualcomm from iPhones released last year.

Johny Srouji, Apple’s senior vice president of hardware technologies, took over the company’s modem design efforts in January, the sources said. The organizational move has not been previously reported.

Recall the Cook Doctrine:

We believe that we need to own and control the primary technologies behind the products we make, and participate only in markets where we can make a significant contribution.

Right now Apple only has two choices for modems: Qualcomm and Intel. Qualcomm’s modems have historically been superior, and probably still are, but Apple’s relationship with Qualcomm is contentious, to say the least. At Qualcomm’s FTC trial last month, Jeff Williams said “We had a gun to our head” when it came to negotiating with Qualcomm for iPhone modems, and that it cost Apple $1 billion a year in licensing fees Apple considers unfair. Considering that Apple’s only alternative is Intel, who’ve always been second-fiddle to Qualcomm in modems, yeah, I’d say this qualifies as a “primary technology” Apple needs to “own and control”.

Imagine what a spot Apple would be in if they relied on Qualcomm for CPUs.

OnePlus Photo Contest Winner Stole His Photo From Instagram User — Who Used a Canon DSLR to Shoot It

Michael Zhang, writing for PetaPixel:

In September 2018, the Chinese smartphone maker OnePlus announced the winners of a #ShotonOnePlus photo contest in India to celebrate the best photos captured by its phone cameras. One of the winning shots was a shock to photographer Aman Bhargava: it looked strangely similar to a photo he had captured two years earlier on his Canon DSLR.

Submitted by photographer Pratyush Yadav, the photo looked like a slightly cropped version of a photo Bhargava captured in 2016 and posted to Instagram on May 22, 2017.

(The link to the contest winners has since been taken down by OnePlus.)

So there are two levels of fraud here. First, Yadav clearly stole the photo from Bhargava. There’s no question they’re identical, not merely very similar. Second, OnePlus selected it as a winner even though it was shot with a Canon DSLR, not one of their own phones.

Yadav was so bad at covering his tracks that he submitted the image with EXIF data (which is easily forged) that indicated the photo was shot in April 2017 using a OnePlus A6000 — a model that didn’t come out until May 2018.

Amidst the hubbub over Apple’s current Shot on iPhone contest, it occurred to me that Apple surely goes to extraordinary lengths to verify that the photos it advertises as having been “shot on iPhone” really were shot on an iPhone — and that they were shot by the photographer claiming to have shot them. This guy Yadav is the fraudster here, but it’s OnePlus that had the most to lose. Can you even imagine the bad publicity that would result if something like this — either a stolen photograph or a photo shot with an SLR (let alone both) — was named a winner in Apple’s contest?
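The EXIF contradiction described above (a capture date earlier than the camera model’s release) is the kind of check a contest organizer can automate. What follows is an added example, not code from this post, from OnePlus, or from Apple: a minimal pure-Python reader for the TIFF-structured EXIF payload (standard tag numbers for Make, Model and DateTimeOriginal) and a consistency check against a release-date table. The sample metadata is constructed here, not taken from Yadav’s file, and the release table is built from the post’s own claim that the A6000 did not ship until May 2018, with the day an unverified placeholder. The point the code makes explicit: a mismatch proves the metadata is false, but a match proves nothing, since every field is trivially editable.

```python
"""Added example: read Make/Model/DateTimeOriginal from a TIFF-structured
EXIF payload and check the claimed capture date against the model's release
date. Sample metadata and the release table are constructed for this example."""
import struct
from datetime import datetime
from typing import Dict, List, Tuple, Union

# Standard EXIF/TIFF tag numbers and field types.
TAG_MAKE = 0x010F
TAG_MODEL = 0x0110
TAG_EXIF_IFD = 0x8769
TAG_DATETIME_ORIGINAL = 0x9003
TYPE_ASCII, TYPE_LONG = 2, 4

# Constructed from the post's claim that the A6000 shipped in May 2018;
# the day is a placeholder, not a verified release date.
RELEASE_DATES = {"ONEPLUS A6000": datetime(2018, 5, 1)}


def _build_ifd(entries: List[Tuple[int, int, Union[str, int]]], base: int) -> bytes:
    """Serialize one little-endian IFD located at absolute offset `base`.
    ASCII values longer than 4 bytes are stored after the IFD and referenced
    by offset, as the TIFF layout requires; shorter ones are stored inline."""
    n = len(entries)
    data_off = base + 2 + 12 * n + 4   # first byte after the IFD itself
    body, extra = b"", b""
    for tag, typ, val in sorted(entries):
        if typ == TYPE_ASCII:
            raw = val.encode("ascii") + b"\x00"
            count = len(raw)
            if count <= 4:
                field = raw.ljust(4, b"\x00")          # value fits inline
            else:
                field = struct.pack("<I", data_off + len(extra))
                extra += raw
        else:  # TYPE_LONG
            count, field = 1, struct.pack("<I", val)
        body += struct.pack("<HHI", tag, typ, count) + field
    return struct.pack("<H", n) + body + struct.pack("<I", 0) + extra


def build_sample_exif(make: str, model: str, date_time_original: str) -> bytes:
    """Construct a minimal EXIF blob: IFD0 (Make, Model, Exif pointer) and an
    Exif sub-IFD holding DateTimeOriginal."""
    ifd0_entries = [(TAG_MAKE, TYPE_ASCII, make), (TAG_MODEL, TYPE_ASCII, model)]
    # IFD0 length does not depend on the pointer value, so size it with 0 first.
    exif_off = 8 + len(_build_ifd(ifd0_entries + [(TAG_EXIF_IFD, TYPE_LONG, 0)], 8))
    ifd0 = _build_ifd(ifd0_entries + [(TAG_EXIF_IFD, TYPE_LONG, exif_off)], 8)
    exif_ifd = _build_ifd([(TAG_DATETIME_ORIGINAL, TYPE_ASCII, date_time_original)], exif_off)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + exif_ifd


def _read_ifd(blob: bytes, off: int, endian: str) -> Dict[int, Union[str, int]]:
    (n,) = struct.unpack_from(endian + "H", blob, off)
    tags: Dict[int, Union[str, int]] = {}
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", blob, entry)
        field = entry + 8                      # 4-byte value-or-offset slot
        if typ == TYPE_ASCII:
            if count <= 4:
                raw = blob[field:field + count]
            else:
                (ptr,) = struct.unpack_from(endian + "I", blob, field)
                raw = blob[ptr:ptr + count]
            tags[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == TYPE_LONG and count == 1:
            (tags[tag],) = struct.unpack_from(endian + "I", blob, field)
    return tags


def parse_exif(blob: bytes) -> Dict[int, Union[str, int]]:
    """Parse IFD0 and, if present, the Exif sub-IFD; accepts either byte order."""
    endian = {b"II": "<", b"MM": ">"}[blob[:2]]
    magic, ifd0_off = struct.unpack_from(endian + "HI", blob, 2)
    if magic != 42:
        raise ValueError("not a TIFF-structured EXIF payload")
    tags = _read_ifd(blob, ifd0_off, endian)
    if TAG_EXIF_IFD in tags:
        tags.update(_read_ifd(blob, int(tags.pop(TAG_EXIF_IFD)), endian))
    return tags


def check_capture_claim(tags: Dict[int, Union[str, int]],
                        release_dates: Dict[str, datetime]) -> List[str]:
    """Return findings; an empty list means nothing contradicts the claim.
    An empty list is NOT proof of authenticity: EXIF is freely editable."""
    model, dto = tags.get(TAG_MODEL), tags.get(TAG_DATETIME_ORIGINAL)
    if not model or not dto:
        return ["Model or DateTimeOriginal missing; provenance cannot be assessed"]
    try:
        shot = datetime.strptime(str(dto), "%Y:%m:%d %H:%M:%S")
    except ValueError:
        return [f"malformed DateTimeOriginal {dto!r}"]
    released = release_dates.get(str(model).upper())
    if released is None:
        return [f"unknown model {model!r}; no release date to compare"]
    if shot < released:
        return [f"{model} claims capture on {shot:%Y-%m-%d}, "
                f"before the model's release on {released:%Y-%m-%d}"]
    return []


# Constructed sample mirroring the pattern described in the post (not the real file).
SAMPLE_FORGED = build_sample_exif("OnePlus", "ONEPLUS A6000", "2017:04:15 10:23:11")

if __name__ == "__main__":
    for line in check_capture_claim(parse_exif(SAMPLE_FORGED), RELEASE_DATES):
        print("FINDING:", line)
```

Run stand-alone, the script reports the constructed sample as claiming an April 2017 capture on a model not released until May 2018. In practice the release table would come from the organizer’s own product records, and a clean result should only ever be a prerequisite for, never a substitute for, checks that cannot be forged by editing a file, such as reverse image search or asking for the original RAW file.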

More From Angela Ahrendts on Whether She Misses Fashion (and London) 

Vogue’s Suze Menkes, posting on Instagram last week:

I had to ask Angela Ahrendts this question: did she miss fashion after giving up Burberry five years ago to take on Apple retail? There was a significant pause before she answered:

“I loved fashion for 40 years. It is wonderful when you know everything there is to know about the industry, because you grew up in it.”

“I’ve been gone from London almost five years. I have two kids there — they were at university when we moved and they decided to stay. My son is a budding musician with an honours degree in song writing and my daughter has an honours degree in marketing — she works for a start up magazine and he does gigs round London and writes great music! I miss them, obviously. It’s such a great city and we try to make it back as much as we can. But California is not so bad!”

In hindsight, that’s a far more interesting answer than what made it into Menkes’s profile of Ahrendts. This makes it sound like Ahrendts didn’t miss the fashion industry so much as her London-based family. I still find Ahrendts’s departure a surprise, but at this point, including a warm farewell from Tim Cook on Twitter, I think it simply looks like Ahrendts decided it was time to leave.

(Via Neil Cybart’s Above Avalon newsletter.)

Inside Wisconsin’s Disastrous $4.5 Billion Deal With Foxconn 

Austin Carr, reporting for Bloomberg Businessweek*:

“This is the Eighth Wonder of the World.”

So declared President Donald Trump onstage last June at a press event at Foxconn’s new factory in Mount Pleasant, Wis. He was there to herald the potential of the Taiwanese manufacturing giant’s expansion into cheesehead country. He’d joined Foxconn Chairman Terry Gou and then-Wisconsin Governor Scott Walker to celebrate a partnership he’d helped broker — “one of the great deals ever,” Trump said. In exchange for more than $4.5 billion in government incentives, Foxconn had agreed to build a high-tech manufacturing hub on 3,000 acres of farmland south of Milwaukee and create as many as 13,000 good-paying jobs for “amazing Wisconsin workers” as early as 2022.

How’s it turning out? Terribly for Wisconsin:

The only consistency, many of these people say, lay in how obvious it was that Wisconsin struck a weak deal. Under the terms Walker negotiated, each job at the Mount Pleasant factory is projected to cost the state at least $219,000 in tax breaks and other incentives. The good or extra-bad news, depending on your perspective, is that there probably won’t be 13,000 of them. […]

A report from the Wisconsin Legislative Fiscal Bureau, a nonpartisan government agency, estimated the state would be in the red on the deal until at least 2042, and even that projection didn’t account for the kinds of increased public-services costs associated with population growth. It also based income tax revenue projections on the implausible assumption that every employee would live in Wisconsin, whereas some would almost certainly commute from nearby Illinois. “There’s no way this will ever pay itself off,” says Tim Bartik, a senior economist at the W.E. Upjohn Institute for Employment Research. He says Foxconn’s incentives are more than 10 times greater than typical government aid packages of its stripe.

The best part is where Wisconsin officials admit they never looked at Foxconn’s record in such deals:

Wisconsin officials apparently didn’t consider Gou’s track record problematic. Instead, they describe the billionaire, who charmed them with stories of his early days selling TV parts in the Midwest, as almost philanthropic. “My impression of him was, what a nice person,” says Scott Neitzel, who led negotiations for the Walker administration. “An extremely genuine, down-to-earth tycoon.” When asked if the state looked at Foxconn’s history, WEDC Chief Executive Officer Mark Hogan says, “We didn’t spend a lot of time on that because, in the end, we got to know these people so well.”

Foxconn Chairman Terry Gou, well-known philanthropist.

* Bloomberg, of course, is the publication that published “The Big Hack” in October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services. The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort to do so), and has been largely discredited by one of Bloomberg’s own sources. By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it. I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true.

‘It’s Here. It’s Now.’ 

John Schwartz and Nadja Popovich, reporting for The New York Times:

NASA scientists announced Wednesday that the Earth’s average surface temperature in 2018 was the fourth highest in nearly 140 years of record-keeping and a continuation of an unmistakable warming trend.

“The five warmest years have, in fact, been the last five years,” said Gavin A. Schmidt, director of the Goddard Institute for Space Studies, the NASA group that conducted the analysis. “We’re no longer talking about a situation where global warming is something in the future. It’s here. It’s now.”

Over all, 18 of the 19 warmest years have occurred since 2001.

Number of times this was mentioned in last night’s State of the Union: zero.

Vogue Business Ran an Angela Ahrendts Profile Just Last Week 

Suzy Menkes, in a piece for Vogue Business last week:

It’s a long way from Burberry. I look at her tailored outfit by Ralph Lauren (she is on the company’s board) and the high-heeled boots she’s worn to the building site and ask if she misses fashion.

After a pause, she replies: “You know, I loved fashion for 40 years. It is wonderful when you know everything there is to know about the industry because you grew up in it. There are things about the fashion industry that I miss, but I went to Apple because I felt it was a calling to one of the greatest companies on the planet. I felt we could even do a little of what we did at Burberry: uniting people to do incredible things.”

Doesn’t sound like someone who was getting ready to leave Apple. And it’s rather conspicuous that Ahrendts doesn’t have anything else lined up yet.

Angela Ahrendts to Leave Apple in April; Deirdre O’Brien Named Senior Vice President of Retail and People 

Apple Newsroom:

Apple today announced that Deirdre O’Brien is taking on new responsibilities for Apple’s retail and online stores in an expanded role as senior vice president of Retail + People, reporting to CEO Tim Cook. After five transformative years leading the company’s retail and online stores, Angela Ahrendts plans to depart Apple in April for new personal and professional pursuits.

Ahrendts lasted a lot longer than John Browett, but in Apple’s executive culture, five years is not a long run.

Interesting that they’re putting O’Brien in charge of retail. With 30 years at Apple, she’s an insider, not an outsider like Browett or Ahrendts.

‘Can’t Unsee’ 

Fun web game where you need to spot the mistakes in iOS-style UI designs.

Square In-App Payments SDK 

My thanks to Square for sponsoring this week at Daring Fireball.

Square’s In-App Payments SDK makes it easy to integrate secure, compliant payments into your app. Square built an interactive card-entry interface that is optimized for speed and accuracy, and you can customize the look to match your app. Apple Pay and other digital wallets are supported, and you can also enable buyers to securely save their card on file for quicker checkout next time. If you’re a developer who needs to process payments, check it out.

Abu Zafar: ‘Why iMessage Is Better Than the Best Messaging Apps on Android’ 

Abu Zafar:

Messaging on Android is a mess.

iPhone users have it easy. iMessage comes preinstalled, and it achieves more than even the best messaging apps on Android. iMessage is end-to-end encrypted, it supports SMS, and it’s packed with features that range from gimmicky (Animoji) to can’t-live-without-it useful (Memoji). The experience of one iPhone user messaging another is seamless, secure, and convenient.

The same can’t be said for Android users.

In the video above, I tested a number of popular messaging apps on Android to try and replicate the iMessage experience. I found many that came close, but not a single one achieves the perfect trifecta of seamless, secure, and convenient.

iMessage is one of the most successful and most important products in Apple’s history. It’s widely taken for granted though.

See also: Dieter Bohn: “The Moral Case for iMessage on Android”.

Apple Apologizes for Group FaceTime Bug, Software Update With Fix Delayed Until Next Week 


We have fixed the Group FaceTime security bug on Apple’s servers and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.

Good on Apple for thanking the Thompson family, and for acknowledging that something is wrong with their process for escalating critical bugs reported by regular customers.

In the meantime, regular 1:1 FaceTime works and is safe to use. But Group FaceTime is unavailable until the software update rolls out next week.

25 Years Ago: RAM Doubler

Adam Engst, writing for TidBITS from Macworld Expo 25 years ago:

RAM Doubler is a single small extension that literally doubles your RAM. It’s not guessing at a 2:1 compression ratio, like Salient’s AutoDoubler and DiskDoubler (now owned by Symantec) — you actually see your total memory being twice your built-in memory. Since RAM Doubler is an extension, there are no controls, no configuration. You just install it and it doubles the amount of application RAM you have available.

A number of people have expressed disbelief that such a feat is possible, saying that they’d avoid anything like RAM Doubler because it’s obviously doing strange things to memory, which isn’t safe. […]

Needless to say, since RAM Doubler has only been out for a few days, we haven’t been testing for long, but I can honestly say that neither of us have noticed anything out of the ordinary during this time.

This is the start of a series TidBITS is running, looking back at old articles from their archive.

I couldn’t use RAM Doubler on my Mac LC, because it required a 68030 processor and the LC only had a 68020. But I used it on other Macs, and it really did work as advertised — it doubled your RAM in exchange for a negligible cost in performance. The most amazing thing, in hindsight, isn’t that compression and clever virtual memory techniques could double your memory — it’s that Mac OS was so open that something as low-level as RAM Doubler was even possible. Effectively, a Mac running RAM Doubler was running a fork of the OS — not just a subtle fork but a fork where the entire memory manager was written by a third party.

In hindsight, the lack of protected memory and disk permissions in classic Mac OS is generally only looked back upon as a severe deficiency. And there certainly were deep problems with that architecture — one app or extension crashing often resulted in the entire machine going down. But that anything-goes openness also resulted in tremendous opportunities for third-party software.

From a low-level computer science operating systems perspective, the classic Mac OS was dangerously primitive. But from a high-level user interface perspective, it remains amazing. To install RAM Doubler — software that radically changed the way the OS worked — all you had to do was copy one file to the Extensions folder in your System folder. To uninstall, you just moved it out of that folder. That’s it. One file in one special folder and then restart the machine.

Third-party extensions could be exasperating, yes, but they could also be amazing and just plain fun in ways that aren’t possible today.