The iPhone XR

There’s got to be a catch.

That’s what everyone has been thinking ever since Apple announced the iPhone XR alongside the XS and XS Max on September 12. Right? The iPhone XR seemingly offers too much of what the XS provides at a significantly lower price.

Well, there is no catch.

The iPhone XR is everything Apple says it is, and it’s the new iPhone most people should buy. I’ve been using one as my primary phone for the last week, and it’s a lovely, exciting device. Even some of the things I thought were compromises don’t feel like compromises at all in practice. Overall, yes, the XS and XS Max are better devices, but in a few regards the XR is actually better.

Let’s start with the price. For the equivalent amount of storage, the iPhone XR costs $250 less than an iPhone XS, and $350 less than an XS Max.

                64 GB    128 GB   256 GB   512 GB
iPhone XS Max   $1100    -        $1250    $1450
iPhone XS       $1000    -        $1150    $1350
iPhone XR       $750     $800     $900     -

But in practical terms, the difference is even more striking than that. 64 GB of storage is a credible baseline — a far cry from just a few years ago when storage started at a criminally meager 16 GB for the iPhones 6S in 2015, and 32 GB for the iPhones 7 in 2016. But the sweet spot for most people in 2018, in my opinion, is one tier above 64 GB.

I think my wife is a fairly typical iPhone user. Music, photos, podcasts, games. I just checked and her iPhone is using right around 64 GB of storage. She could actually save about 12 GB if she enabled the Offload Unused Apps feature in iOS. So she could get by with 64 GB, but she’d need at least 128 GB to be comfortable. I think a lot of iPhone users have similar storage needs.

But only the iPhone XR offers a 128 GB storage tier, and it’s just $50 more. If you want more than 64 GB with an iPhone XS, you’ve got to pay $150 more than the base price and jump all the way to 256 GB. So in terms of what I would actually recommend for most people — getting the storage tier one level above entry level — the 128 GB iPhone XR costs $350 less than the 256 GB XS and $450 less than the XS Max.

People who are looking for some way that iPhone XR purchasers are getting screwed have it backwards. If anyone is getting screwed on pricing, it’s XS and XS Max purchasers, who don’t have the option of buying a 128 GB device for just $50 more than the baseline 64 GB models.

In terms of what most people actually need and will use, storage-wise, the iPhone XR is $350-450 less than an iPhone XS or XS Max. That pricing difference is far more remarkable than any of the technical differences between the XR and XS iPhones.

So what actually is different? There’s the lack of a second rear-facing camera, the different display technology (LCD instead of OLED, without 3D Touch), the different materials (aluminum instead of stainless steel) and sizes, and a few other relatively minor trade-offs.

Camera

The entire front-facing camera array on the XR is the same as on the XS models. Same camera, same depth sensor, same improved Face ID performance.¹ The iPhone XR’s lone rear-facing camera is exactly the same as the wide-angle camera on the XS — same lens, same sensor, and in my side-by-side testing, the exact same image and video quality.

For regular stills and video, the effect of not having a telephoto second camera is obvious: if you want to zoom in, image quality is noticeably worse than on the iPhone XS because the XR can only zoom digitally, not optically.

The difference is more complicated with Portrait Mode. The iPhone XS and XS Max shoot portraits using the f/2.4 telephoto lens. (They use the wide-angle lens in Portrait Mode, but only for computational help, not for primary image capture.) The iPhone XR does Portrait Mode using the f/1.8 wide-angle lens. An f/1.8 lens is about one full stop faster than f/2.4. And, as I covered in detail in my iPhone XS review, the wide-angle camera shared by the XR and XS also has a significantly larger sensor, which can gather up to 50 percent more light. By using the camera with the faster lens and bigger sensor, Portrait Mode on the iPhone XR works significantly better than on the XS in very low light scenarios.

Here are two shots of my son in a dark room at night, lit only by a nearby TV.

iPhone XS (original image file):

Low-light Portrait Mode on iPhone XS.

iPhone XR (original image file):

Low-light Portrait Mode on iPhone XR.

I have done no post-processing on these images other than to scale them to a smaller size, and I shot both with the iOS 12 Camera app. The original images, untouched other than converting from HEIF to JPEG when exporting from Photos, are about 2.2 MB in size.

Here are the same two images with a bit of editing in the iOS Photos app. For the XS shot, I turned up the “Light” significantly and applied the “Dramatic” filter. For the XR shot, all I did was apply the “Dramatic” filter. (I find “Dramatic” — along with its “Dramatic Warm” and “Dramatic Cool” variants — a good way to very quickly improve noisy low-light images.)

iPhone XS (full-size image file):

Low-light Portrait Mode on iPhone XS, after a bit of editing in the Photos app.

iPhone XR (full-size image file):

Low-light Portrait mode on iPhone XR, after a bit of editing in the Photos app.

In short, Portrait Mode is usable on the XR in some low light situations where it’s unusable on the XS.

With plenty of light, Portrait Mode is much better on the XS than the XR, simply because the XS telephoto lens is a much more appropriate focal length for portraits. And most of the time, Portrait Mode is useful when there’s plenty of light. I don’t want to make too much hay over the XR’s ability to shoot portraits in low light, because the XS models can just shoot regular still photos in low light and in a lot of cases that’s probably the way to go.

Portrait Mode on the XR has a few other limitations. For one, it only works with human faces. The subject’s face does not have to be directly facing the camera — the subject can even be in profile — but there must be a human face for the camera to recognize. It won’t work with dogs, and it won’t work with faceless mannequins. Portrait Mode on the iPhone XS, on the other hand, although optimized for human faces, will work with inanimate subjects, whether human-like or not.

Lastly, Portrait Mode on the iPhone XR does not offer the Stage Lighting or Stage Lighting Mono lighting effects. No big loss, in my opinion — I’ve never once shot a Portrait Mode photo that looked good with either of these effects. To be honest, I’ve shot over 300 Portrait Mode keepers in the last year, using the iPhone X and now XS, and I almost never use any of the lighting effects. I see the potential with them, but for now they all still look more gimmicky than good, especially the Stage ones.

Now what’s interesting about the differences in Portrait Mode between the XR and XS is that while the XR simply cannot do what the XS does (because it doesn’t have the telephoto second lens), the iPhone XS could, in theory, offer the XR’s Portrait Mode using the wide-angle lens. I believe Apple doesn’t allow this in the interest of simplifying the user experience. It’s easy to explain that Portrait Mode only works with human subjects with the iPhone XR. It would be confusing for most people to explain why Portrait Mode sometimes only works with human subjects but sometimes works with any subject, depending upon focal distance, if Apple were to enable wide-angle Portrait Mode on the XS today.

The most important bottom line comparing the iPhone XR to the XS is this: if you want to use the telephoto lens, the iPhone XS may well be worth a few hundred extra dollars for that reason alone. If you don’t care about the telephoto lens, on the other hand, you should almost certainly consider buying an iPhone XR instead of an XS.

Display and Battery Life

After the camera, the second biggest difference between the XR and the XS models is the display. The XS models use OLED; the XR display is LCD. OLED is generally “better” than LCD — much higher contrast ratio with deeper blacks, and for technical reasons OLED displays can get closer to the edges of the device, reducing bezels. But LCD has advantages — most noticeably energy consumption. Apple goes out of its way to disguise this in its iPhone tech spec comparisons, but the iPhone XR has the longest battery life of any iPhone ever made. The primary reason is that the XS and XS Max’s OLED displays use more power. All three new iPhones get good battery life, but it’s really interesting that the lower-priced XR gets the best.

Another difference is that the XR display is 2x retina and the XS displays are 3x retina. That’s 326 pixels per inch for the XR and 458 pixels per inch for the XS displays. More pixels per inch is better — but again, in general. The higher resolution of the XS displays contributes to their consuming more energy.

Yes, 326 pixels per inch is the same pixel density as the first retina iPhone, the iPhone 4 all the way back in 2010. But pixel density is not the only measure of display quality. The XR display is the brightest iPhone LCD display Apple has ever made. It looks terrific. To my eyes, the biggest difference between the XR and XS displays is the slightly larger bezel around the XR display — not the displays themselves. People who use an iPhone case — which is to say the vast majority of iPhone owners — may not even notice the larger bezel. And even without a case it’s not a problem, per se, and is really only evident when compared side-by-side.

I’m not aware of any other phone in the world with an LCD display with no chin or forehead. Getting an LCD display to extend from corner to corner is a legitimate technical breakthrough on Apple’s part. Also getting tap-to-wake working with an LCD — once you get used to tap-to-wake you simply cannot go back. The XR display is certainly a less expensive component than the XS’s, but in no way does it look like Apple has cheaped out. It’s an excellent, beautiful display.

The other notable display difference between XR and XS has nothing to do with what they look like, but what they feel like. The XR does not offer 3D Touch. This situation is a mess, in my opinion. Some iPhones have 3D Touch, some don’t, and no iPad (to date at least) has it. This means no iOS software can depend upon 3D Touch.

In its place, the iPhone XR offers “haptic touch”, but only in a few places where 3D Touch is used. For example, the Flashlight and Camera shortcuts on the lock screen. As far as I can tell, the heuristic for triggering haptic touch is just a long press. Whereas on the iPhone X and XS you press harder on the Flashlight or Camera lock screen shortcuts to trigger them, on the XR, you just press and hold for a short moment. I notice the delay, but it’s not bothersome.

But anywhere where a long press already has meaning, haptic touch can’t work. Most obviously, the home screen shortcut menus for apps. A long press on a home screen app icon already has meaning — it puts you in the jiggly-icon mode where you can rearrange and delete apps. iOS can’t use a long press on an icon both to enter jiggly mode and to open the 3D Touch shortcut menu, so the iPhone XR doesn’t offer these menus.

Where I miss 3D Touch the most is while editing text. A little-known but powerful feature in iOS is that while editing text you can 3D Touch on the keyboard to turn it into a trackpad for moving the insertion point around. iOS 12 introduced a feature where you can get into this mode without 3D Touch by tapping and holding on the space bar. That’s almost as good, but I’ve developed strong muscle memory that I can get into this mode by pressing anywhere on the keyboard. With 3D Touch you can also force press again once you’re in trackpad mode to select text. There’s no way to do this on the iPhone XR.

I don’t think the absence of 3D Touch is a dealbreaker for anyone, but it’s just weird that the iPhone XR is the first new iPhone since 3D Touch was introduced not to have it. (The iPhone SE doesn’t have 3D Touch either, but the SE was sort of only half new.)

Physical Attributes

Size-wise, the iPhone XR falls between the iPhone XS and XS Max. But because the XR has a somewhat thicker bezel surrounding the display, its relative proportions are a bit different. As a physical object, it’s a bit closer in size to the XS Max than it is to the XS. But its display is closer in size to that of the XS.²

What’s interesting, though, is how this size difference manifests in software. The XS and XS Max displays have way more pixels than the XR, but from a developer standpoint, the XR is not a new size. Developers (mostly) deal in points, not pixels. In the old pre-retina days, points and pixels were interchangeable — there was one on-screen pixel for each virtual point in the user interface. With a 2x retina display, like the iPhone XR, there are 2 display pixels in each dimension for every point, so a point, on screen, is represented by a 2 × 2 matrix of 4 pixels. On a 3x retina display, like the XS and XS Max, each point is a 3 × 3 matrix of 9 pixels. But the points are what correspond to the physical real-world size of on-screen buttons and text. In terms of points, the iPhone XR offers two display modes: standard and zoomed. You choose between these modes during initial setup, and you can subsequently switch between them in the Settings app. Standard mode is 896 × 414 points; zoomed is 812 × 375 points. These are the exact same as the standard and zoomed display modes on the XS Max. The iPhone XS only has one display mode: 812 × 375 points.

Effectively, this means that the iPhone XR is more like a smaller XS Max than it is a larger iPhone XS. And the difference between standard and zoomed modes on the iPhone XR is far more subtle than it is on the XS Max.

The XR is also less dense — about 9 percent less dense than the XS and 7.5 percent less dense than the XS Max. There could be internal components that contribute to this, but the obvious explanation is that aluminum weighs less than stainless steel. I think this lower density works in the XR’s favor — it feels better, weight-wise.

The most visually striking difference, of course, is that the XR is available in a variety of cheerful colors. The black XR (which admittedly isn’t cheerful) looks a lot like the black XS and XS Max — it’s hard to tell them apart at a glance. The white XR (which is the color I’ve been using for the past week) is a much brighter white than the XS. The aluminum XR can’t compete with the premium look of the XS’s polished steel frame, but I think the white glass back of the XR looks better than that of the white XS models. It’s really nice — and a bit Stormtrooper-y. The coral, yellow, blue, and Project Red models all look great. I got another look at all of them last week when I picked up my review unit in New York, and to me, the Project Red phone in particular is striking.

Given that most people keep their phones in cases, do these colors matter? I don’t know. Maybe these colors will lead to a lot of people buying clear cases. Speaking of which, it’s a bit strange that Apple isn’t offering any first-party cases for the XR — at least not yet. To my recollection, the iPhone XR is the first iPhone since the 3GS to debut without first-party cases or bumpers from Apple.

Misc

  • The iPhone XS models support high-speed gigabit LTE; the XR does not. But this gigabit LTE support is the reason why the XS models have asymmetric antenna lines, and thus asymmetric speaker grills on the bottom. The XR is nicely symmetric in both regards.

  • The iPhone XR uses the same glass on the front as the XS models — glass that Apple is describing as their “most durable glass ever”. But only the XS models use that same glass on the back. The XR uses some lesser quality glass on the back. Still supposedly scratch and crack resistant, but not as durable as the glass on the front.

  • Apple, for whatever reasons, has never advertised how much RAM is in iOS devices. But third-party utilities such as GeekBench can report on it. The iPhone XS and XS Max both sport 4 GB of RAM; the XR only has 3 GB. Ah-hah, I can hear you thinking, there’s another catch. I’m not so sure about that. 4 GB of RAM is, of course, more expensive than 3 GB of RAM, but in terms of making your device run faster or the user experience better, I’m not sure the extra gigabyte of RAM in the XS models will make a difference. The XS models might need more RAM because they have twice as many pixels to push around on screen. Memory is shared between the GPU and CPU on iOS devices, which is what allows some things, like image filters, to run faster than they can on desktop computers. I don’t think the XR has been shortchanged on RAM — I just think it makes sense that it needs less RAM to offer comparable performance because it has fewer physical pixels in its display.

    Look for some dopes on YouTube to make a stink about this RAM difference, though.

The Bottom Line

I’ve focused mostly on the differences between the XR and XS models because, well, I covered everything else in my XS/XS Max review. But really, what matters most is everything they share — the same great A12 chip, the same great rear-facing wide-angle camera and front-facing camera system, vastly improved stereo speakers, and more.

The difference here isn’t about the XS models being A-team phones and the XR being a B-team phone. It’s more like the XS models are a bit luxurious — an extra camera, stainless steel frames instead of aluminum, OLED instead of LCD — and the XR is a bit more practical. But they’re all on the A-team in terms of quality and performance. The XR is actually better in some ways, notably battery life and low-light Portrait Mode photography.

Last year’s iPhone 8 and 8 Plus were great new phones, but the differences between them and the all-new iPhone X were vast. They simply looked hundreds of dollars different. Not so with the differences between the XR and XS models this year.

It sounds too good to be true, but the XR is almost as good as the XS models at a far lower price. Dollar for dollar, the XR is almost certainly the best iPhone Apple has ever made. 


  1. One small thing that’s nice about Face ID versus Touch ID is how much faster it is to set up with a new iPhone — especially if you set up more than one finger with Touch ID. Most people only go through this process once, when their phones are brand-new, but after testing three new iPhone review units and setting up my personal iPhone XS all during the last 6 weeks, it’s something I really noticed. I know there are people out there hoping that Apple will bring back Touch ID with an under-the-glass fingerprint sensor in the future, but I just don’t see that happening.

  2. Apple advertises the XS, XR, and XS Max display sizes as 5.8, 6.1, and 6.5 inches respectively. But look at the exact numbers in footnote 1 on their tech spec page: “The display has rounded corners that follow a beautiful curved design, and these corners are within a standard rectangle. When measured as a standard rectangular shape, the screen is 5.85 inches (iPhone XS), 6.46 inches (iPhone XS Max), 6.06 inches (iPhone XR), or 5.85 inches (iPhone X) diagonally.” Apple has rounded 5.85 down to “5.8 inches” rather than up to “5.9 inches”, I presume to make it look like the XS and XR displays are more evenly spread apart. And the iPhone XR display, at 6.06 inches, is only just big enough to justify rounding up to “6.1 inches”. Apple’s marketing numbers — 5.8 and 6.1 inches — make it sound like the XR display is 0.3 inches bigger diagonally, when in fact it is only 0.2 inches bigger. The XS Max display is a full 0.4 inches larger diagonally than that of the XR.


iPhone Type R 

Engadget’s Chris Velazco got to sit down with Phil Schiller to talk about the iPhone XR:

To add to the curiosity of it all, the R doesn’t mean much either. Phil Schiller, gingerly gripping a cup of coffee across from me, said the letters Apple uses never stand for something specific. But then his voice softened a little as he started to tell me about what the letters mean to him.

“I love cars and things that go fast, and R and S are both letters used to denote sport cars that are really extra special,” he said with a smile.

It just isn’t worth worrying whether the “R” (or “S” for that matter) stands for anything in particular. R sounds cool and is one click “less than” S.

Flow 

My thanks to Flow for sponsoring Daring Fireball last week. Flow is a professional UI animation tool that lets you design in Sketch and export your animations to production-ready code (iOS or HTML).

Flow offers a new class of motion design for anyone with a creative flair and a taste for building beautiful products and writing great software. Don’t just hand your developers static screenshots — send them animations and working code. It’s a powerful tool for crafting your vision and exporting high-quality layout and animation code.

They have a bunch of tutorials to get you started, and a fun introductory video on their homepage. Give Flow a shot with a 30-day free trial.

‘Your Move, Bloomberg’ 

Washington Post media critic Erik Wemple:

Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed. […]

The best journalism lends itself to reverse engineering. Though no news organization may ever match the recent New York Times investigation of Trump family finances, for instance, the newspaper published documents, cited sources and described entities with a public footprint. “Fear,” the recent book on the dysfunction of the Trump White House, starts with the story of a top official removing a trade document from the president’s desk, an account supported by an image of the purloined paper.

Bloomberg, on the other hand, gives readers virtually no road map for reproducing its scoop, which helps to explain why competitors have whiffed in their efforts to corroborate it. The relentlessness of the denials and doubts from companies and government officials obligates Bloomberg to add the sort of proof that will make believers of its skeptics. Assign more reporters to the story, re-interview sources, ask for photos and emails. Should it fail in this effort, it’ll need to retract the entire thing.

The Verge: ‘How China Rips Off the iPhone and Reinvents Android’ 

I just loved this deep dive into Chinese phone makers’ custom Android-based OSes by Sam Byford:

Many experienced Android users in the West who try out Chinese phones, including reviewers here at The Verge, often find themselves unable to get over an immediate stumbling block: the software. For the unfamiliar, Chinese phone software can be garish, heavy-handed, and quite unlike anything installed on phones that are popular outside of Asia. If there’s anything that’s going to turn you off the brand-new Huawei Mate 20 Pro, for example — unsubstantiated Cold War-esque paranoia aside — it’s likely to be the software.

But for the last year-plus, I’ve used almost every major Chinese phone extensively, traveled to the country several times, and met with dozens of people at its biggest phone manufacturers. This experience hasn’t altogether stopped me from feeling that most Chinese phone companies have a long way to go in many areas of software development. No one has a great answer for why everyone copies the iPhone camera app so embarrassingly. But I have learned a lot about the design principles behind many of these phones, and — as you ought to expect — there does tend to be a method behind what some may assume to be madness.

Byford makes a compelling case that these Android derivatives — Xiaomi’s MIUI, Vivo’s Funtouch OS (real name, I swear), Oppo’s ColorOS, and Huawei’s EMUI, just to name some of them — are best thought of as Android-based OSes, not mere “skins” atop Google’s canonical Android. There is no canonical Android anymore, really, because the OS Google ships on its Pixels isn’t available to other handset makers.

And these Chinese companies all rip off iOS with absolutely no shame:

As for the camera apps, it’s really incredible how similar the vast majority are — both to each other and to Apple. Judging by the accuracy and specificity of the rip-offs, the camera app from iOS 7 has a serious claim to being one of the most influential software designs of the past decade. Just look at the picture above. Xiaomi wins an extremely low number of points for putting the modes in a lowercase blue font. But otherwise, only Huawei has succeeded in creating a genuinely new camera app design, which happens to be very good. I consider it penance for the company’s egregious and barely functional rip-off of the iOS share sheet.

Oculus Co-Founder Brendan Iribe Departs Facebook 

Jamie Feltham:

Oculus co-founder Brendan Iribe, the company’s first and only CEO, is parting ways with parent company Facebook.

In a post on Facebook Iribe noted he would be taking his “first real break” in over 20 years, though didn’t provide a reason for his departure.

I wonder how long John Carmack will last?

Update: John Carmack:

I do intend to stay at Facebook past the launch of Oculus Quest.

The Quest is a $399 standalone (no PC or phone required) VR headset slated for Spring 2019.

AWS CEO Andy Jassy: ‘Bloomberg Should Retract’ 

Amazon Web Services CEO Andy Jassy on Twitter:

@tim_cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.

If you want a taste of Bloomberg’s attitude toward Apple’s and Amazon’s protestations, check out this video from Bloomberg TV from the day after the story was originally published. Jordan Robertson, co-author of the story, says this:

In addition, there is no consumer data that is alleged to have been stolen. This attack was about long term access to sensitive networks. So by that logic, companies are not required to disclose this information, so there’s no advantage for these companies in confirming this reporting.

This shows their dismissive attitude toward Amazon’s and Apple’s strenuous, unambiguous denials. Rather than give them pause, they blew it off.

I would argue that Amazon and Apple have a tremendous amount to lose — their credibility. If they wanted to hide something, whether for publicity or national security reasons (or both), the way to do it without risking their credibility is not to comment at all. Both Amazon and Apple have instead vigorously denied the veracity of this story.

‘Transgender’ Could Be Defined Out of Existence Under Trump Administration 

Erica L. Green, Katie Benner, and Robert Pear:

The Trump administration is considering narrowly defining gender as a biological, immutable condition determined by genitalia at birth, the most drastic move yet in a governmentwide effort to roll back recognition and protections of transgender people under federal civil rights law.

Needlessly cruel, and out of touch with demographic trends. This might play with Trump’s base today, but with these retrograde policies, the Republican Party is digging itself into a deep hole they’ll likely never climb out of as younger generations take over the U.S. electorate. Among kids today, support for transgender people — not just legally but socially — is a bedrock. Outright hateful policies will neither be forgotten nor forgiven.

‘How to Vote’ 

Demi Adejuyigbe with a short lesson on how to democracy.

Jony Ive on the Apple Watch and Big Tech’s Responsibilities 

Nice little interview with Ive by Nicholas Foulkes for The Financial Times:

“I think we have been lulled into this sense that people will accept new products and services very quickly, and I don’t believe that’s true at all,” he says. “Very often, so much of what a product ends up being able to do isn’t what you initially thought. If you’re creating something new, it is inevitable there will be consequences that were not foreseen — some that will be great, and then there are those that aren’t as positive. There is a responsibility to try and predict as many of the consequences as possible and I think you have a moral responsibility to try to understand, try to mitigate those that you didn’t predict.”

“If you genuinely have a concern for humanity, you will be preoccupied with trying to understand the implications, the consequences of creating something that hasn’t existed before. I think it’s part of the culture at Apple to believe that there is a responsibility that doesn’t end when you ship a product.” As he speaks, his face rearranges itself into a troubled frown. “It keeps me awake.”

If you can’t get past the FT’s paywall, going through a Google search might help.

Apple CEO Tim Cook Is Calling for Bloomberg to Retract Its Chinese Spy Chip Story 

John Paczkowski and Joseph Bernstein, reporting for BuzzFeed News:

“There is no truth in their story about Apple,” Cook told BuzzFeed News in a phone interview.

This is an extraordinary statement from Cook and Apple. The company has never previously publicly (though it may have done so privately) called for the retraction of a news story — even in cases where the stories have had major errors, or were demonstrably false, such as a This American Life episode that was shown to be fabricated.

Reached for comment, Bloomberg reiterated its previous defense of the story. “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

I’m calling it now. Bloomberg is fucked on this story. The longer they drag this out before a full retraction, the more damage they’re taking to their long-term credibility. Read their statement closely — they’re not saying their story is true or that Apple and Tim Cook are wrong. All they say is they spent a year on the story and spoke to 17 sources multiple times.

And the bottom half of BuzzFeed’s story is even more damning than the top — no one in the security community has been able to verify anything in Bloomberg’s story. Anything at all. And no other news publication has backed the story. Bloomberg is all alone on this.

Landscapes of Ladakh, India 

Gorgeous photos from Om Malik, all shot on an iPhone XS Max.

Apple Announces October 30 Event 

Presumably to announce all-new iPad Pro models, and, I hope, new MacBooks. (I don’t want to jinx anything by even mentioning new Mac Minis outside a parenthetical.) The event is being held on the east coast, at the Brooklyn Academy of Music’s 2,100-seat Howard Gilman Opera House.

Apple often holds private press briefings in New York, including an iPhone XR preview for YouTube creators yesterday. But the only media event I can recall in New York was their education-focused event in January 2012 at the Guggenheim. Unless I’m overlooking something, Apple has not introduced new hardware products at an event in New York since the days of Macworld Expo. 1999, maybe, when they introduced the first iBook and AirPort base station and Phil Schiller performed a genuinely impressive stunt on stage.

Q4 Daring Fireball Sponsorships 

The schedule is mostly open for DF sponsorships through the end of the year. If you’ve got a product or service you want to promote to DF’s savvy audience, get in touch. Weekly sponsorships now include both a sponsored post in the DF RSS feed at the start of the week and the display ad you see over there in the sidebar. Sponsors have been reporting great results from this combination.

Special: The sponsorship for this current week remains open. Act quickly and you can scoop it up at a discount.

Also, The Talk Show is largely sold out through the end of the year, but does have a few openings remaining. I think the show is a great opportunity for smaller indie companies — hardware or software. Get in touch with Neat.fm for details, or with me directly if you want to work out a deal for a combination of a weekly sponsorship and a podcast spot.

Lawsuit Claims Facebook Inflated Ad Metrics Up to 900 Percent 

Ethan Baron:

Not only did Facebook inflate ad-watching metrics by up to 900 percent, it knew for more than a year that its average-viewership estimates were wrong and kept quiet about it, a new legal filing claims.

A group of small advertisers suing the Menlo Park social media titan alleged in the filing that Facebook “induced” advertisers to buy video ads on its platform because advertisers believed Facebook users were watching video ads for longer than they actually were.

That “unethical, unscrupulous” behavior by Facebook constituted fraud because it was “likely to deceive” advertisers, the filing alleged.

If true, Facebook’s big “pivot” to video was really a scam. Again, Facebook is looking more and more like a criminal enterprise. A Silicon Valley racket.

The Talk Show: ‘It’s a Deep Notch’ 

Dan Frommer returns to the show. Topics include Apple Watch Series 4 and the notion of third-party watch faces, Google’s Pixel 3 phones and Pixel Slate two-in-one tablet/notebook, and Bloomberg’s disputed “The Big Hack” story.

Brought to you by these fine sponsors:

  • Casper: Save $50 on select mattresses with code talkshow.
  • Squarespace: Make your next move. Check out with code talkshow for 10% off your first order.
  • Tres Pontas: Freshly-roasted coffee from a single farm in Brazil, shipped directly to you. Use code thetalkshow at checkout and save an extra 10% on any subscription.

Google Will Start Charging Android Device Makers a Fee for Using Its Apps in Europe 

Jacob Kastrenakes and Nilay Patel, writing for The Verge:

There is one other key change happening here. In the past, Google required that companies building phones or tablets that included the Play Store only build phones and tablets that included the Play Store — they couldn’t make some other Android device that dropped the Play Store in favor of something else. Now, that’ll be allowed. So if Samsung wanted to ship a Galaxy phone that only included the Galaxy Apps store, it could now do that in Europe.

This seems like the real news here, not the licensing fees.

Every Article About Huawei Phones Should Mention Their Egregious Design Rip-Offs 

Three cameras, a big screen, blah blah blah. What I don’t get is why every single article about Huawei phones doesn’t mention their egregious design rip-offs. Right on their default home screen, they flat out copied the icons for Music and Health from Apple. Their “live photo” icon in their camera app is ripped-off from Apple, and on and on.

This cavalier attitude toward design rip-offs might fly in China, but it shouldn’t fly here in the West, and Huawei should be called out for it in every single article until they stop doing it.

A Google Pixel 3 Review in the Age of Incremental Updates and Unrelenting Trauma 

I just loved Mat Honan’s Pixel 3 review — it’s half review of this particular phone, and half condemnation of the outsized role phones play in our lives today.

Facebook Will Use Data Collected From Its Portal in-Home Video Device to Target You With Ads 

Kurt Wagner, writing for Recode:

Last Monday, we wrote: “No data collected through Portal — even call log data or app usage data, like the fact that you listened to Spotify — will be used to target users with ads on Facebook.”

We wrote that because that’s what we were told by Facebook executives.

But Facebook has since reached out to change its answer: Portal doesn’t have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties.

If you trust Facebook with a camera and microphone in your house, I’d love to have you at my table in a poker game.

Apple Fixes Bagel Emoji 

The original really is a crummy-looking bagel. I’m an everything bagel man, myself, but I can accept this plain one for the emoji.

The Magic Leap Con 

Brian Merchant, reporting from Magic Leap’s developer conference for Gizmodo:

You know that weird sensation when it feels like everyone around you is participating in some mild mass hallucination, and you missed the dosing? The old ‘what am I possibly missing here’ phenomenon? That’s how I felt at LEAP a lot of the time, amidst crowds of people dropping buzzwords and acronym soup at light speed, and then again while I was reading reviews of the device afterwards — somehow, despite years of failing to deliver anything of substance, lots of the press is still in Leap’s thrall. […]

“This is more like the Apple Newton than the Apple iPhone,” one venture capitalist told me. It’s something that I thought about a lot as I moved from demo to demo, listened to keynotes, and sat in on developer meetings. Magic Leap has spent over half a decade and quite actually billions of dollars, and has not yet come up with something particularly compelling to do with its allegedly world-transforming computing system, besides shoot robots in the face.

I’d say this is unfair to the Newton. The Newton was a complete system. It worked, and it was good. Its experience was a cohesive whole. Its problem was that it was ahead of its time — we now know mobile devices need ubiquitous wireless networking, and when the Newton debuted, we didn’t even have Wi-Fi, let alone cellular data. Magic Leap isn’t even a cohesive whole.

Anyway, great piece by Merchant.

Paul Allen, Microsoft Co-Founder and Seahawks Owner, Dies at 65 

Rachel Lerman, reporting for The Seattle Times:

Paul Allen, the co-founder of Microsoft and a prominent leader of both business and philanthropy in the Seattle area, has died at age 65 from complications of non-Hodgkin lymphoma.

Allen died Monday afternoon, according to his multifaceted holding company Vulcan Inc., just two weeks after announcing he had restarted treatment for the cancer that he was first treated for in 2009.

Allen co-founded Redmond tech giant Microsoft with childhood friend Bill Gates. After leaving the company, he turned his focus to a wide range of other business and scientific pursuits, which included founding the Allen Institute for Brain Science, and the real estate arm of Vulcan, which went on to build much of Amazon’s campus.

See also: Statement from Vulcan on behalf of the company and Allen’s family.

Morgan Knutson on Working as a Designer on the Google Plus Team 

Morgan Knutson on Twitter:

Now that Google+ has been shuttered, I should air my dirty laundry on how awful the project and exec team was.

I’m still pissed about the bait and switch they pulled by telling me I’d be working on Chrome, then putting me on this god forsaken piece of shit on day one.

Air some dirty laundry indeed. This whole thread is kind of nuts — you just don’t see former employees expose dysfunctional workplaces like this very often. Here’s a real eye-opener — teams across Google were effectively bribed to integrate Google Plus, regardless if such integration made sense for their products:

If your team, say on Gmail or Android, was to integrate Google+’s features then your team would be awarded a 1.5-3x multiplier on top of your yearly bonus. Your bonus was already something like 15% of your salary.

You read that correctly. A fuck ton of money to ruin the product you were building with bloated garbage that no one wanted. No one really liked this. People drank the kool-aid though, but mostly because it was green and made of paper.

Adobe Previews Photoshop for iPad 

Dami Lee, writing for The Verge:

Adobe really wants you to know that the upcoming Photoshop CC for the iPad, which was announced today and is set to be released sometime in 2019, is “real Photoshop.”

The phrase “real Photoshop” came up several times during my week-long preview of an early version of the software giant’s long-awaited app. The underlying code is the same as desktop Photoshop, and although the interface has been rethought for the iPad, the same core tools line the edges of the screen.

The “touch modifier” button is a great idea. It’s a button in the corner that you can press and hold to toggle the current tool. E.g. if you’re using a paintbrush, you can press the touch modifier button to turn it into the eraser. Let go of the button and your tool is back to the paintbrush.

The video here is more interesting than the article — a bunch of artists from The Verge give their thoughts on using this for their work.

The New Palm Is a Tiny Phone to Keep You Away From Your Phone 

Dieter Bohn, writing at The Verge:

That’s the idea behind the new Palm phone. It’s a sidecar for your phone. You should almost think of it more as a thing to get instead of a connected smartwatch than as a second phone. In fact, thinking of it as a smartwatch is a good move since that’s precisely how Verizon (and only Verizon) is selling it: as an add-on for existing plans. You can’t just go buy the thing on its own or unlocked as your primary phone.

It’s cute, and I’m glad to see someone working on smaller phones, but a secondary phone seems like something no one wants. I wish they would have tried making a phone this small that could be your primary phone.

If you want to put your phone away at night and on weekends but still stay connected, get an Apple Watch.

HyperJuice 

My thanks to Hyper for sponsoring Daring Fireball this week to promote HyperJuice, their airline-safe 27,000 mAh battery pack with dual USB-C ports (100W and 60W) and one 18W USB-A port. All three ports can be used at once, so you can charge a 15-inch MacBook Pro, a smaller MacBook or iPad Pro, and an iPhone all at once, all at high speeds.

Using the 100W USB-C input, you can recharge HyperJuice from empty to full in about one hour using a MacBook Pro’s charger. HyperJuice weighs only 550 grams and can fit in the palm of your hand. It’s a lot of power in a small package.

It’s a Kickstarter project that has already been funded (many times over). The campaign ends on Monday so act quickly — right now you can order HyperJuice for up to 50 percent off the expected retail price. Over 5,700 backers have already pledged over $1 million to get HyperJuice at these discounted prices.


Sometimes It’s Better to Just Start Over With iCloud Photo Library Syncing

Early this week I noticed that I wasn’t able to use the Instant Hotspot feature with my iPhone XS. That’s the feature where you can leave the cellular hotspot turned off in Settings, but enable it on-the-fly from a Mac when you connect via the Wi-Fi menu. These “Personal Hotspots” show up at the top of the list of available Wi-Fi networks, in their own special section of the menu. My Wi-Fi menu no longer listed my iPhone, only my iPad. If I went into the iPhone’s Settings app and enabled the Personal Hotspot manually — i.e. turned it on and left it on — my iPhone’s hotspot was listed as a regular Wi-Fi network on my Mac, and when I connected, it worked just fine. So the hotspot worked, but the magic Instant Hotspot feature wasn’t working.

I tried rebooting the Mac and iPhone, of course. No dice. I reset network settings on the phone. No dice. I then noticed that my iPhone’s name (Settings → General → About → Name) had been changed to “iPhone”. Not even “John’s iPhone”, which is the default when you set up a new iPhone. Just plain “iPhone”. I changed it back to my custom name. Rebooted the phone again. Still no Instant Hotspot. And then eventually the device name was changed back to “iPhone” again. Weird, right? This was all on the release version of iOS 12.0.1, by the way.

I had a trip to New York coming up, and wanted to fix this. I did some searching on the web and eventually stumbled on a thread that suggested signing out of iCloud and then signing back in. This makes some sense, because all of these Continuity features go through iCloud. So I did that on the iPhone, and, long story short, that seemed to fix the issue. After one more reboot of the phone, Instant Hotspot was working perfectly.

A side effect of signing out of and back into iCloud is that it seemed to reset my iPhone’s photo library sync state. It didn’t delete my photos, but once I was signed back in to iCloud, the Photos app was trying to re-upload my entire library (over 28,000 photos and 1,100 videos) back to iCloud. I don’t think it was actually uploading them — I think that’s just the word Photos uses to indicate what it’s doing — but rather checking each of the photos on the phone against each of the photos in my iCloud library.

It got through most of them fairly quickly, but the last 4,500 or so were effectively stuck. This process was proceeding really slowly. Profoundly slowly. I kept the phone plugged in last night and checked every hour, and it was only processing about 15 or 16 items per hour. I let it run overnight and it only moved from 4,183 remaining items to just over 4,000.

Effectively, I think what happens is that when you turn off iCloud Photo Library, it leaves all the photos and videos on your phone in your local library. When you turn iCloud Photo Library back on, it has no idea which of the items in your local iPhone library are duplicates of items in your iCloud library, and so it has to check them one by one. Whatever algorithm it’s using for this is slow as molasses.

Adam Engst wrote about a similar problem on the Mac earlier this year:

I was seeing some strange problems on my 27-inch iMac running macOS 10.13.3 High Sierra. Messages wasn’t getting or sending messages, Wi-Fi calling wasn’t working, and after upgrading to 10.13.3, I was unable to enable auto-unlock with my Apple Watch. To solve these problems, I turned iCloud off and back on. Despite the iCloud preference pane throwing an ominous error, the problems did indeed disappear.

However, there’s a nasty side effect of turning iCloud off and back on: iCloud Photo Library needs to re-upload all your photos. It does this in order to compare the library’s contents to the synchronization “truth” at iCloud. Fair enough, except that this process can take days, depending on the size of your Photos library and the speed of your Internet connection. Bad Apple! We don’t see that sort of poor performance with Dropbox or Google Drive, and this behavior is both unnecessary and driving people away from iCloud Photo Library.

That’s pretty much exactly what I was seeing on my iPhone.

What surprised me about this isn’t just that it’s so dreadfully slow, but that iCloud Photo Library has gotten amazingly good in the last few years. It’s not just very reliable, but very fast. I took a lot of photos using three different iPhones (my old iPhone X, and my review unit iPhones XS and XS Max) while writing my XS review last month. And I worked on the review on two different Macs. Every photo and video I took on every iPhone synced to all the other devices in a matter of seconds every single time. iCloud Photo Library made the whole process ridiculously easy.

Wiping and restoring my entire iPhone seemed like overkill when the only issue I was having was photo syncing. So my next idea was to delete all the photos from my phone and start over from scratch with iCloud Photo Library.

So here’s what I did, and it seems to have worked. First, I eyeballed all the recent photos and videos I’d shot using my iPhone and double-checked that they had all already been synced to iCloud. They were — I could see all my recent shots on my other devices.

Next, I disabled iCloud Photo Library on my iPhone again. You do that by going into the Apple ID section of Settings (where your name is shown at the very top of the root level) → iCloud → Photos and turning off everything. When it asked if I wanted to download a copy of the photos and videos from my iCloud library I declined.

Next, I wanted to delete every single photo and video from my iPhone. To my knowledge there is no easy way to do this on the iPhone itself. (There are a lot of tasks like this that are easy on the Mac thanks to Edit → Select All that are painfully tedious on iOS. Update: Here’s a clever way to use iOS 12’s Shortcuts app to delete all photos and videos from your Library.) I connected the iPhone to my Mac with a Lightning cable and used Image Capture to delete all photos and videos from my phone. Image Capture just treats the iPhone like a regular camera. Image Capture crashed three times during this process (I’m still running MacOS High Sierra 10.13.6, for what it’s worth), but after the fourth run the iPhone had no photos or videos left.

Then I re-enabled iCloud Photo Library on the phone, and about 20 minutes later, everything was back to normal. My iPhone reported exactly the same number of photos and videos in my library as on all my other devices. Most of those items are still just placeholders, even as I write this, but they’re filling in steadily — which is exactly how iCloud Photo Library works when you start syncing a large library to a new device.

So if you temporarily turn off iCloud Photo Library and turn it back on, it might be easier to just delete all your photos from your iPhone first, and let them all sync back from iCloud. 


Latest Revision to ARM Instruction Set Includes Optimizations Just for JavaScript 

Greg Parker:

More precisely: ARMv8.3 adds a new float-to-int instruction with errors and out-of-range values handled the way that JavaScript wants. The previous [instructions] to get JavaScript’s semantics were much slower. JavaScript’s numbers are double by default so it needs this conversion a lot.

Back when the iPhone XS first shipped, people noticed that it performed seemingly impossibly well on JavaScript benchmarks. E.g., David Heinemeier Hansson:

The iPhone XS is faster than an iMac Pro on the Speedometer 2.0 JavaScript benchmark. It’s the fastest device I’ve ever tested. Insane 45% jump over the iPhone 8/X chip. How does Apple do it?!

Apple touts the new A12 as “only” 15 percent faster than the A11 at CPU tasks, and JavaScript is mostly (entirely?) CPU-bound. These new instructions make that big a difference. The iMac Pro is a professional desktop and it’s getting beaten by a phone. [Update: Turns out JavaScriptCore (Safari’s JavaScript engine) doesn’t use this new instruction yet — it should make things even faster once it does but the A12 chip is getting these benchmark scores without this new instruction’s help.]

Everyone can enjoy the fact that ARMv8.3 makes JavaScript faster. Comp sci nerds can further enjoy the fact that we now have CPUs being optimized for a specific weird programming language and not the other way around.
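The conversion semantics Parker describes, as an added example that is not from the original post or from any JavaScript engine: JavaScript's double-to-int32 conversion wraps out-of-range values modulo 2^32 and maps NaN and infinities to 0, while a saturating float-to-int conversion clamps to the int32 limits. The function names, the fix-up routine, and the sample values are constructed for illustration.

```javascript
// Added example: JavaScript's double -> int32 conversion (ToInt32) next to a
// saturating conversion. All names and sample values here are constructed.

const TWO_32 = 4294967296; // 2^32
const TWO_31 = 2147483648; // 2^31

// ECMAScript ToInt32 written out step by step. Equivalent to (x | 0).
function toInt32(x) {
  if (!Number.isFinite(x)) return 0;      // NaN and +/-Infinity become 0
  const t = Math.trunc(x);                // round toward zero
  let m = t % TWO_32;                     // exact; sign follows the dividend
  if (m < 0) m += TWO_32;                 // now 0 <= m < 2^32
  const r = m >= TWO_31 ? m - TWO_32 : m; // reinterpret as signed 32-bit
  return r === 0 ? 0 : r;                 // normalise -0 to +0
}

// Saturating conversion: NaN -> 0, out-of-range values clamp to the limits.
function saturatingToInt32(x) {
  if (Number.isNaN(x)) return 0;
  const t = Math.trunc(x);
  if (t >= TWO_31) return TWO_31 - 1;
  if (t < -TWO_31) return -TWO_31;
  return t === 0 ? 0 : t;
}

// Illustration of why JavaScript semantics cost extra work when only a
// saturating primitive is available: a result equal to either limit is
// ambiguous (real value or clamped overflow), so it needs a slow-path check.
function toInt32WithFixup(x) {
  const fast = saturatingToInt32(x);
  if (fast === TWO_31 - 1 || fast === -TWO_31) return toInt32(x);
  return fast;
}

// Constructed sample inputs covering the cases where the two rules diverge.
const SAMPLES = [3.7, -3.7, -0.5, NaN, Infinity, -Infinity,
                 2147483647, 2147483648, -2147483649, 4294967301, 1e21];

// One row per input, showing where the two conversions disagree.
function compare(samples) {
  return samples.map((x) => {
    const js = toInt32(x);
    const saturating = saturatingToInt32(x);
    return { x, js, saturating, agree: js === saturating };
  });
}

console.table(compare(SAMPLES));
```

In-range values agree under both rules; the rows where `agree` is false are the inputs that need the extra handling.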

The Pixel 3: Everything You Need to Know About Google’s New Phone 

I watched the Made by Google keynote video, and was in New York yesterday for some hands-on time with their new products. Nicole Nguyen’s summary of the Pixel 3 is the best I’ve seen — really does capture just about everything you should know about it. She’s got a video of the new Call Screening feature in action — man oh man, do I want that feature on iOS. (I got to see a live demo as well.)

DuckDuckGo Search Growth 

DuckDuckGo, on Twitter:

DuckDuckGo fun fact: it took us seven years to reach 10 million private searches in one day, then another two years to hit 20 million, and now less than a year later we’re at 30 million!

What a great little upstart DuckDuckGo is. I’ve been using DuckDuckGo as my primary web search engine for years now, and it keeps getting better.

Twitter Makes Moments Creation a Desktop Exclusive 

Chance Miller, writing for 9to5Google:

Twitter has announced today that it is removing the ability to create Twitter Moments from its iOS and Android applications. The company says that making Moments will still be possible from the desktop web version of Twitter, while you’ll also still be able to view Moments from iOS and Android.

In a series of tweets this afternoon, Twitter explained that when features aren’t used very often, it removes them in an effort to focus on building other features. In this instance, support for creating Twitter Moments through the iOS and Android applications has been around since 2016, so it’s certainly noticeable to see Twitter pulling the plug on the capability.

If Moments isn’t getting enough use, sure, kill the feature. But kill it everywhere. It makes no sense to keep it but make it desktop-only. Mobile is where people use Twitter most.

Wi-Fi Switches From Obscure Protocol Names to Simple Generation Numbers 

Glenn Fleishman — who knows more about Wi-Fi than anyone I know — explains the whole “Wi-Fi 6” thing:

The Wi-Fi Alliance’s new numbering system focuses on generations of speed improvements but looks back only to 802.11n, which is a decade old. Given that 802.11a and 802.11b were approved at the same time, implicitly calling them Wi-Fi 1 and Wi-Fi 2, and extending Wi-Fi 3 to 802.11g, isn’t quite right. But we anticipate people will do it anyway.

Simplifying device compatibility through better naming seems like a clever idea that’s long overdue, and one that should help people who have no interest in technical standards arcana. The next time someone asks me what Wi-Fi router they should buy, I look forward to saying, “Wi-Fi 6. Look for it on the box.”

Not Voting Doubles the Value of Someone Else’s Vote 

David Foster Wallace, back in 2000:

If you are bored and disgusted by politics and don’t bother to vote, you are in effect voting for the entrenched Establishments of the two major parties, who please rest assured are not dumb, and who are keenly aware that it is in their interests to keep you disgusted and bored and cynical and to give you every possible psychological reason to stay at home doing one-hitters and watching MTV on primary day. By all means stay home if you want, but don’t bullshit yourself that you’re not voting. In reality, there is no such thing as not voting: you either vote by voting, or you vote by staying home and tacitly doubling the value of some Diehard’s vote.

Jason Kottke:

Please check your registration status and register to vote… it takes two minutes. Voter registration deadlines are fast approaching in many US states — there are deadlines tomorrow in Arizona, Arkansas, Florida, Georgia, Indiana, Kentucky, Louisiana, Michigan, Mississippi, New Mexico, Ohio, Pennsylvania, Tennessee, and Texas.

Kottke wrote that yesterday, so those registration deadlines are today. I don’t care who you want to vote for, I implore you to register and vote. And if you think you are registered, double-check. It really does just take a minute.

Named Source in ‘The Big Hack’ Has Doubts About the Story 

Hardware security researcher Joe Fitzpatrick was one of the very few named sources in Bloomberg’s blockbuster “The Big Hack” story. He provided only background information on the potential of hardware exploits in general — he claimed no knowledge of this specific case. On Patrick Gray’s Risky Business (great name) podcast, he expresses serious unease with the story Bloomberg published. The whole episode is worth a listen, but here’s a partial transcript:

Fitzpatrick: But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked.

Gray: So I guess what you are saying here is, the report, I mean all of the technical details of the report, you’d covered that ground with that reporter.

Fitzpatrick: Yeah, I had conversations about all the technical details and various contexts. But there are a lot of filters that happen, you know? When I explain hardware things even to software people, I don’t expect people to get it the first time and I don’t expect people to be able to describe it accurately all the time. So there is definitely a lot of telephone exchange happening.

Gray: OK but why did that make you feel uneasy? Could it be the case that you know that the technical things you told him lined up perfectly with the technical things that some of these 17 of the anonymous sources told him?

Fitzpatrick: You know, I’m just Joe. I do this stuff solo. I am building hardware implants for phones to show off at conferences. I’m not a pro at building hardware implants. I don’t work for any nation or any state building and shipping these as products. I feel like I have a good grasp at what’s possible and what’s available and how to do it just from my practice. But it was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources.

Gray: And that’s what he was telling you through this process?

Fitzpatrick: That’s what I read in the article.

Gray: OK, right. You find that a bit strange? That every single thing you seem to tell him, or a large proportion of what you told him, was then confirmed by his other sources.

Fitzpatrick: Yeah, basically. Either I have excellent foresight or something else is going on.

I’m going to go with “something else is going on”.

‘Facebook Unveils the Portal, a Video Chat Camera for the People Who Still Trust Facebook’ 

Geoffrey Fowler, writing for The Washington Post:

The Portal is a sleek new video camera and screen that makes chats with family and friends look great.

It has just one problem: It was made by Mark Zuckerberg.

On Monday, Facebook unveiled the $200 Portal, the first-ever consumer hardware from the world’s largest social network. The toaster-size gadget, along with a larger $350 version called Portal+, is a cross between a smart speaker, video camera and digital photo frame. But at a time when CEO Zuckerberg’s privacy and security decisions are a matter of congressional inquiry, how many people will trust one in their living room?

Say what you want about putting any of these always-on listening devices in your home, anyone who buys one of these — which doesn’t just listen but has a camera too — is nuts. Is there any company you’d trust less than Facebook with this?

Rich Mogull on How the Apple Watch Series 4 Will and Won’t Save Lives 

Rich Mogull — a trained paramedic, in addition to being a terrific information security expert — writing at TidBITS:

Even if the Apple Watch Series 4’s health-monitoring features are imperfect, even if they detect only a subset of issues and incidents, wearing one will allow some people to live longer and healthier lives.

Now that Apple has put its stake in the ground, I expect a few advancements moving forward.

It sounds corny to say that a new digital watch is going to save lives, but I think it’s undeniably true here. Dozens, hundreds, thousands? I don’t know the number. But some number of people are going to get help for heart problems who otherwise would not have, and another number of people are going to get EMS help after a bad fall who otherwise would not have.

After thinking about it for a few weeks, though, my thoughts turn to the long run, not the near future. This is clearly just a first step. 80 years ago, a family in the U.S. likely had one audio system — a big cabinet-sized AM radio in their living room. How many “audio” devices does a typical family own today? Dozens, and they’re with us all day every day in the form of phones and headphones. In a few decades, we’re all going to be monitored by connected devices all day every day. I think it’s likely such devices will be able to identify things like heart attacks and strokes before they happen. Apple Watch is the first serious step in that direction.

Apple Tells Congress It Found No Signs of Hacking Attack 

Reuters:

Apple Vice President for Information Security George Stathakopoulos wrote in a letter to the Senate and House commerce committees that the company had repeatedly investigated and found no evidence for the main points in a Bloomberg Businessweek article published on Thursday, including that chips inside servers sold to Apple by Super Micro Computer Inc (SMCI.PK) allowed for backdoor transmissions to China.

“Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found,” he wrote in the letter provided to Reuters.

Update: Here’s the entire letter.

Statement From DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise 

Official statement from DHS:

The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month — National Cybersecurity Awareness Month — we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.

For me, having the current U.S. government weighing in publicly on this issue does not fill me with any sense of confidence or reassurance on either side of this story.

But, still: Bloomberg’s Big Hack story should eventually be fully-corroborated, if true. According to their report, there are thousands of compromised servers out there. If there are, security experts will eventually identify these rogue chips and document them.

And whatever you think of a statement from DHS, from what I’ve heard, this is only beginning. Apple is not letting this go.

Skillshare 

My thanks to Skillshare for sponsoring this week’s DF RSS feed. With over 4 million members and more than 20,000 classes, Skillshare is basically Netflix for online learning. Interested in web development or data science? How about UX design or SEO? Mobile photography, filmmaking, creative writing, even coffee brewing? Skillshare truly has it all.

And it’s all professionally produced — well-shot, well-edited, high-quality audio. The production quality is just so much better than what you expect from online video. I’ll repeat a personal recommendation: “Logo Design With Aaron Draplin”. Yeah, that Aaron Draplin — cofounder of Field Notes and designer/raconteur extraordinaire. He’s one of my favorite designers in the world, a generous teacher, and fantastically compelling on camera. Get the free demo and watch Draplin’s course. (Draplin has a bunch of great courses on Skillshare already.)

And for this week only, Skillshare is offering the first 1,000 Daring Fireball readers two free months of Skillshare Premium.

Banksy Painting Self-Destructs After Fetching $1.4 Million at Sotheby’s 

Simply brilliant.

Buzzfeed: ‘Apple Insiders Say Nobody Internally Knows What’s Going on With Bloomberg’s China Hack Story’ 

John Paczkowski and Charlie Warzel, reporting for BuzzFeed:

“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”

A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic”, noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists”, this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”

Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation — Bloomberg wrote that Apple “reported the incident to the FBI.” A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA or any government agency in regards to the incidents described in the Bloomberg report. This person’s purview and responsibilities are of such a high level that it’s unlikely they would not have been aware of government outreach.

This is an extraordinary stalemate. There’s no equivocation in Apple’s response, but Bloomberg stands by their story. Keep in mind, Bloomberg isn’t some fringe publication — they’re a very well-respected news organization with a lot at stake here. They’ve published some dubious stuff about Apple in the past — this piece last year claiming Apple “let suppliers reduce accuracy of the phone’s Face ID system to speed up production” comes to mind — but that’s just gossip. This “Big Hack” story isn’t gossip; it’s as serious as it gets. But Apple, officially, and now from multiple unnamed senior executives and engineers in this BuzzFeed story, are saying flat out that at least as pertains to them, it did not happen. (Keep in mind too that every single source in Bloomberg’s story was unnamed.)


Bloomberg’s ‘The Big Hack’

Bloomberg Businessweek today published an absolutely incredible story alleging that Chinese intelligence compromised thousands of data center servers by infiltrating the supply chain to insert hard-to-detect rogue chips on motherboards from a company named Supermicro. The entire report, by Jordan Robertson and Michael Riley, is worth reading in full.

Bloomberg alleges that Apple and Amazon were both among the companies that installed the compromised hardware. Apple and Amazon both vehemently deny the report. Someone is either wrong or lying. This cannot all be true.

From Bloomberg’s report, regarding Amazon:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

Regarding Apple:

Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

And regarding both companies’ denials:

The companies’ denials are countered by six current and former senior national security officials, who — in conversations that began during the Obama administration and continued under the Trump administration — detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.

The companies’ denials are seemingly unequivocal, however. Apple’s statement to Bloomberg:

Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

That statement is credited only to “Apple”, so presumably it was written by Apple PR. Amazon issued a similar statement to Bloomberg, but later published a full response, signed by Steve Schmidt, the company’s chief information security officer. Schmidt is adamant and clear:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here. First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).

The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers.

I see no way around it: either Bloomberg’s report is significantly wrong, at least as pertains to Amazon and Apple, or Apple and Amazon have issued blatantly false denials. You can, perhaps, chalk up Apple’s denial to it being written by Apple PR. I don’t think this would happen, but hypothetically this issue could be deemed so sensitive — either within the company or as a national security issue — that the people at Apple with knowledge of the situation lied to Apple PR. But in my experience, Apple PR does not lie. Do they spin the truth in ways that favor the company? Of course. That’s their job. But they don’t lie, because they understand that one of Apple’s key assets is its credibility. They’d say nothing before they’d lie.

Schmidt signing his name to Amazon’s response is more telling. Presumably no one at Amazon would be more familiar with the details of such a breach than Schmidt.

One way or the other, there is more to come on this story, and the credibility of either Bloomberg, or Apple and Amazon, is going to take a significant hit. Currently those are the two most valuable publicly-traded companies in the world.

A few other notable tidbits. From Bloomberg’s report:

One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.

And then this from Amazon’s response:

Because Elemental appliances are not designed to be exposed to the public internet, our customers are protected against the vulnerability by default.

I do not understand how, if these servers are not exposed to the public internet, they could “phone home” to Chinese servers outside the data centers.

Technical details aside, the whole central thesis of the story rings true — China cannot be trusted as a state actor, but the entire technology industry is dependent upon the Chinese supply chain. It is completely credible that the managers of Chinese factories are susceptible to bribes and threats of “inspections” that would shut down their plants. From the Bloomberg report:

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain”, one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Lastly, whatever the veracity of the report, Bloomberg deserves kudos for this sentence:

Two of Elemental’s biggest early clients were the Mormon church, which used the technology to beam sermons to congregations around the world, and the adult film industry, which did not.

Update: Apple has issued a stronger denial of Bloomberg’s report