By John Gruber
Dan Goodin, writing for Ars Technica:
The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions — specifically, in Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems. [...]
Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.
There are several notable things about this hack. One is that it was years in the making — “Jia Tan”, the developer who added the back door, had been contributing legit patches to the xz project for years. Another is that it was very subtle: the ultimate goal was a back door in OpenSSH but the attacker(s) put their code in a compression library that was sometimes a dependency for another library that was itself only sometimes a dependency of OpenSSH. Yet another is that it seems nearly miraculous that it was discovered — Andres Freund, the Microsoft engineer who uncovered it, only became suspicious when he noticed that his SSH connections initiated from the command line went from taking about 0.2 seconds to 0.7 seconds. It pays to be picky sometimes!
Question 1: How do we keep this from happening again?
Question 2: How do we know similar back doors haven’t been successfully put in place already?
More from Goodin here, including a good overview diagram.
Evan Boehs: “Everything I Know About the XZ Backdoor”.
Maxwell Zeff, writing for Gizmodo:
Amazon is phasing out its checkout-less grocery stores with “Just Walk Out” technology, first reported by The Information Tuesday. The company’s senior vice president of grocery stores says they’re moving away from Just Walk Out, which relied on cameras and sensors to track what people were leaving the store with.
Just over half of Amazon Fresh stores are equipped with Just Walk Out. The technology allows customers to skip checkout altogether by scanning a QR code when they enter the store. Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped.
It was The Information, too, that broke the story about how labor-intensive “Just Walk Out” was, reporting last May:
For its part, Amazon still relies on a significant amount of human staffing to power Just Walk Out behind the scenes, according to a person who has worked on the technology. Amazon had more than 1,000 people in India working on Just Walk Out as of mid-2022 whose jobs included manually reviewing transactions and labeling images from videos to train Just Walk Out’s machine learning model, the person said. The reliance on backup humans explains in part why it can take hours for customers to receive receipts after walking out of a store, the person said.
Molly White, back in January, regarding the purported AI-generated George Carlin comedy special:
Need to start keeping a list of all the times some big supposed display of bleeding edge technology turns out to just be A Guy.
Bobby Allyn, reporting for NPR:
Google will destroy the private browsing history of millions of people who used “incognito” mode in its Chrome browser as a part of a settlement filed to federal court on Monday in a case over the company’s secret tracking of web activity. For years, Google simply informed users of Chrome’s internet browser that “you’ve gone Incognito” and “now you can browse privately,” when the supposedly untraceable browsing option was turned on — without saying what bits of data the company has been harvesting.
Yet, according to a 2020 class-action lawsuit, the tech giant continued to scrape searches by hoovering up data about users who browsed the internet in incognito mode through advertising tools used by websites, grabbing “potentially embarrassing” searches of millions of people. Google then used this data to measure web traffic and sell ads. [...]
As the suit was pending, Google changed the splash screen of incognito mode to state that websites, employers and schools and internet service providers can view browsing activity in incognito mode. But under the deal, Google will have to state that the company itself can also track browsing during incognito mode.
That was quite the omission. I’m not sure there was ever a product in history more purposefully misleadingly named than Chrome’s “Incognito” mode.
Also from David Pierce at The Verge:
The two sides declined to share the cost of the acquisition, but both made clear Yahoo is acquiring Artifact’s tech rather than its team. Mike Krieger and Kevin Systrom, Artifact’s co-founders, will be “special advisors” for Yahoo but won’t be joining the company. Artifact’s remaining five employees have either gotten other jobs or are planning to take some time off.
The acquisition comes a bit more than a year after Artifact’s launch and about three months after Systrom and Krieger announced its death. “We have built something that a core group of users love,” the co-founders wrote in January, “but we have concluded that the market opportunity isn’t big enough to warrant continued investment in this way.” They said that the biggest reason to shut down was in order to focus on “newer, bigger and better things that have the ability to reach many millions of people.” The bet behind Artifact was always that AI had the potential to be a huge, internet-changing technology; maybe there were just more interesting things to work on than a news app without a big news audience. [...]
Artifact, the app, will go away once the acquisition is complete. But Artifact’s underlying tech for categorizing, curating, and personalizing content will soon start to show up on Yahoo News — and eventually on other Yahoo platforms, too. “You’ll see that stuff flowing into our products in the coming months,” says Downs Mulder. It sounds like there’s also a good chance that Yahoo’s apps might get a bit of Artifact’s speed and polish over time, too.
“Yahoo, where scrappy startup acquisitions go to thrive”, said no one, ever.
David Pierce, writing for The Verge:
Google Podcasts is dead. It has been dying for months, since Google announced last fall that it was killing its dedicated podcast app in order to focus all its podcasting efforts on YouTube Music. This is a bad idea and a big downgrade, and I’d be more mad if only I were more surprised.
The Podcasts app is just the latest product to go through a process I’ve come to call The Google Cycle. It always goes the same way: the company launches a new service with grandiose language about how this fits its mission of organizing and making accessible the world’s information, quickly updates it with a couple of neat features, immediately seems to forget it exists, eventually launches a competitor out of some other part of the company, obviously begins to deprecate it and shift focus to the new competitor, and then, years later, finally shuts it down for real. The Google Graveyard is full of apps like Reader, Duo, Inbox, Allo, Wallet, and countless others that have been through The Google Cycle, and it feels just as bad every time.
The saying goes, “Fool me once, shame on you; fool me twice, shame on me.” With people who come to rely on new apps from Google, it’s more like “Well, you’ve fooled me a dozen times so far, please don’t do it again with this new thing you made that I like.”
I haven’t been bitten by Google killing an app or service since Google Reader, because I never again trusted them. I suppose this might be a lot more difficult for Android users, but I honestly don’t even remember the last time I added a new Google app or service to the set of tools I rely upon. The only Google services I use are YouTube (and even there, I have complaints), Google Search (and even there, it hasn’t been my default web search for nearly a decade), and Gmail (and even there, I access it via IMAP from Apple Mail and Mimestream). The only Google apps on my iPhone are YT Studio (which, given how infrequently I publish videos to my channel, I probably don’t need), Chrome, and Google Keep. And the only reason I have Chrome and Keep installed is for syncing browser tabs and notes between my iPhone and my burner-device-to-see-how-things-are-on-Android Pixel phone. I wouldn’t be surprised if they shut down Google Keep and start an all new Google-branded notes app soon.
Oh, and the Nest app. I have that because we have (and love) Nest thermostats, but I don’t really think of that as a Google app.
I don’t eschew Google products as any sort of statement. I just don’t like most of what they make, and what I do like, I don’t trust them to keep around. It’s rather glorious living a nearly Google-free digital life.
Drew Harwell, reporting for The Washington Post:
Former president Donald Trump’s social media company said Monday it lost more than $58 million last year, sending its stock plunging more than 21 percent only days after a highflying public debut set the company’s value at more than $8 billion.
Trump Media and Technology Group, which owns Truth Social, said in a Securities and Exchange Commission filing that the company generated just over $4 million in revenue last year, including less than $1 million in the last quarter.
The nosediving share price of the company — which uses the stock ticker DJT, for Trump’s initials — fell to its lowest level since Trump Media went public last week and shaved more than a fifth of its market value in a single day. It also slashed the value of Trump’s 57 percent ownership in the company by roughly $1 billion, to $3.8 billion.
The company’s 8-K filing is just bananas. They not only aren’t turning a profit, they don’t foresee ever making one. They don’t track any sort of metrics typical for a social media company — signups, monthly active users, average revenue per user — none of it. And they don’t plan to, either. To call it a scam gives scams a bad name.
I want to laugh, but: If Trump is elected again in November — which, based on the close results of 2016 and 2020, and the current polling data, is definitely possible — shaking down lobbyists and foreign governments with exorbitant rates for ads on Truth Social seems like a much better grift than running a hotel across the street from the White House. A corrupt president owning a social media site would be a grift that scales. If there’s any rational reason for Trump Media to have any value at all, it’s that. It’s worthless today, but could be a veritable goldmine in a second Trump administration.
Taegan Goddard, writing at Political Wire:
While you were spending time with family over the weekend, enjoying the start of the baseball season or watching college basketball, Donald Trump was glued to Truth Social. After 71 mostly all caps posts, Trump finally had this Easter message.
It’s 168 words, the first 165 of which are (ostensibly) a single sentence. You really need to see it for yourself. Here’s a screenshot; here’s a link to the post on Truth Social.
Goddard:
There are only so many ways we can say Trump’s behavior is not normal. If someone close to you behaved this way, you would desperately try to get them psychiatric help.
Chris Quinn, in his Letter From the Editor column at The Cleveland Plain Dealer:
The north star here is truth. We tell the truth, even when it offends some of the people who pay us for information.
The truth is that Donald Trump undermined faith in our elections in his false bid to retain the presidency. He sparked an insurrection intended to overthrow our government and keep himself in power. No president in our history has done worse.
This is not subjective. We all saw it. Plenty of leaders today try to convince the masses we did not see what we saw, but our eyes don’t deceive. (If leaders began a yearslong campaign today to convince us that the Baltimore bridge did not collapse Tuesday morning, would you ever believe them?) Trust your eyes. Trump on Jan. 6 launched the most serious threat to our system of government since the Civil War. You know that. You saw it.
The facts involving Trump are crystal clear, and as news people, we cannot pretend otherwise, as unpopular as that might be with a segment of our readers. There aren’t two sides to facts. People who say the earth is flat don’t get space on our platforms. If that offends them, so be it.
There’s no need for any straight news publication to tie itself in knots over Trump and Trumpism. There are all sorts of reasons left-leaning Americans were opposed to right-leaning policies when Trump was president. Likewise, there are all sorts of reasons right-leaning Americans are opposed to left-leaning policies of the Biden administration. That’s called politics. And it makes sense that straight news publications try to stay above the fray on those divides.
What Trump did after losing the 2020 election isn’t on that spectrum. As Quinn put it so well, you know that. You saw it. We all saw it. It’s that simple.
My thanks to Kolide for sponsoring DF this week. Kolide has seen cyber insurance premiums go up by 40 percent in just the last two years, and got curious about:
What Kolide found was that insurance companies themselves can help get us out of this crisis, by mandating some (pretty basic) security requirements for their customers — things like MFA, endpoint security, and retiring end-of-life software. Read their full report to learn more about their findings.
The one and only John Moltz returns to the show to talk about the relative dearth of original content for Vision Pro, WWDC rumors and guesses, and, yes, a wee bit about Apple’s regulatory/antitrust tribulations.
A couple of follow-up items regarding my column the other day, in which I idly speculated about whether the DMA might lead Apple (and/or perhaps Meta and Google) to pull back from the EU market.
First, a correction/clarification. Based on Six Colors’s transcript of Apple’s Q1 2024 analyst call back in January, I quoted Apple CFO Luca Maestri as saying, in response to a question asking whether investors should be concerned that DMA compliance will hinder services revenue, “Just to keep it in context, the changes apply to the EU market, which represents roughly 7% of our global absolute revenue.”
The word absolute was a transcription error, however.[1] Listen to the published recording of the call, and it’s clear that what Maestri actually said was specifically in answer to the question: “Just to keep it in context, the changes apply to the EU market, which represents roughly 7% of our global App Store revenue.” (My thanks to Oliver Reichenstein for the timestamped pointer to the recording.)
That’s an important correction that, as ever, I’m happy to make, but it doesn’t really change my speculation. I wrote:
It’s unclear whether Maestri was saying that the EU accounts for 7 percent of Apple’s worldwide App Store revenue, or 7 percent of all revenue, but I suspect it doesn’t matter, and that both are around 7 percent. App Store revenue ought to be a good proxy for overall revenue — there’s no reason to think EU Apple users spend any less or any more in the App Store than users around the world.
It’s certainly possible that EU citizens account for significantly more (or even less) than 7 percent of Apple’s overall global revenue, but it strikes me as very unlikely that the EU’s share of Apple’s overall revenue is significantly different from its share of App Store revenue. I struggle to come up with any explanation for why the EU might account for only 7 percent of App Store revenue but significantly more (or less) of Apple’s overall revenue. Why would overall revenue from any region differ significantly from the App Store revenue from the same region, on a percentage basis? But it is an open question. (I hope an analyst asks Cook and Maestri about it directly on the next quarterly call in May.)
Second, I missed that the European Commission, alongside its announcement that it had opened non-compliance investigations against Google, Apple, and Meta under the Digital Markets Act, also separately published remarks from its two leaders, executive vice-president Margrethe Vestager and commissioner Thierry Breton.
From Vestager’s remarks, which were delivered in English:
The third one relates to the objective of the DMA to open closed ecosystems to enable competition at all levels. Under Article 6(3) of the DMA, gatekeepers have an obligation to enable easy uninstallation of apps and easy change of default settings. They must also display a choice screen. Apple’s compliance model does not seem to meet the objectives of this obligation. In particular, we are concerned that the current design of the web browser choice screen deprives end-users of the ability to make a fully informed decision. Example: they do not enhance user engagement with all available options. Apple also failed to make several apps un-installable (one of them would be Photos) and prevents end-users from changing their default status (for example Cloud), as required by the DMA.
I don’t know what she means by “depriv[ing] end-users of the ability to make a fully informed decision” or “they do not enhance user engagement with all available options”. I can only guess that she’s complaining that Apple’s current browser choice screen doesn’t actively encourage users to pick a browser other than Safari? But it doesn’t encourage users to choose Safari, either, and the choices are listed in randomized order each time. The iOS 17.4 choice screen just says what a default web browser is, and then offers a list of the most popular browsers in the user’s country.
As I wrote this week, there aren’t many un-installable apps on iOS. I might be missing some, but the list I came up with: Settings, Camera, Photos, App Store, Phone, Messages, and Safari. Vestager makes clear in her remarks what wasn’t clear in the EC’s announcement of the investigation: they have a problem with Photos. If they follow through with a demand that Photos be completely un-installable (not just hidable from the Home Screen, as it is now), this would constitute another way that the EC is standing in as the designer of how operating systems should work. Photos is not just an app on iOS; it’s the system-level interface to the camera roll. This is integrated throughout the entire iOS system, with per-app permission prompts to grant differing levels of access to your photos. Vestager is saying that to be compliant with the DMA, Apple needs to allow third-party apps to serve as the system-level image library and camera roll. That is a monumental demand, and I honestly don’t even know how such a demand could be squared with system-wide permissions for photo access. This is product design, not mere regulation. Why stop there? Why not mandate that Springboard — the Home Screen — be a replaceable component? Or the entire OS itself? Why are iPhone users required to use iOS? Why are iOS users required to buy iPhones?
Then we get to Breton’s remarks, the first half of which were delivered in his native French. Here are two translations of his French remarks, from the iOS Translate app and from Google Translate. To my reading, there are no significant semantic differences between the two translations. Here’s the bulk of it, amalgamating the best from both translations:
And I will tell you a simple but important thing: in 18 days, the DMA has moved the lines of the digital giants more than in the last 10 years.
It’s not me who says it, but developers and users who finally see concrete changes and openness to give everyone the opportunity to gain market share, for example for browsers.
In 18 days, therefore, already very concrete results. Why?
Because it is an internal market regulation. This is where the revolution operates.
You know how much I fought for the DMA to be a so-called “domestic market” regulation, ex ante therefore. Because it is the best way to promote our continent, Europe, which is an open continent, but according to our conditions.
And a market of 450 million customers is simply unthinkable for anyone not to be there.
Where the digital giants could pay fines of several billion dollars without batting an eye — by the way, when they had to pay them, after long years of procedures, which was not systematic, far from it... — today none of them can afford not to be in our market.
This is the reality of the balance of power of the world in which we operate.
So does everyone play the game perfectly the first time? We are entitled to doubt it of course and we are here to doubt by definition in a way I would say.
At the very least, to check.
And that’s what we’re doing today.
Breton’s remarks in French were, in some ways, far zestier than his subsequent remarks in English. Breton lays bare the EC’s belief that they hold all the cards — that it is “unthinkable” for any of the designated gatekeepers not to conduct business in the EU, and that “none of them can afford not to be in our market.”
Perhaps he’s right, and I’m all wet for even speculating that one or more of the gatekeepers will pull one or more of their products from the EU market as a result of the DMA’s onerous demands and the threat of huge fees. But I, for one, consider it very thinkable. (Especially for Meta, as you’ll see next.)
From Breton’s remarks delivered in English:
First, today we are opening a case against Meta. We suspect that Meta is breaching the DMA rules on data combination [Article 5(2) DMA].
You all heard about Meta’s “Subscription for No Ads” model. With this new model, users have to pay if they want to use Facebook and Instagram without targeted advertising. And this has forced millions of users across Europe into a binary choice: “pay or consent”. And if you consent, Meta can use your data, generated for example on Messenger, to target ads on Instagram.
But the DMA is very clear: gatekeepers must obtain users’ consent to use their personal data across different services. And this consent must be free! We have serious doubts that this consent is really free when you are confronted with a binary choice. With the DMA, users who do not consent should be provided with a less personalised alternative of the service, for example financed thanks to contextual advertising. But they do not have to pay.
The EC’s problem here is that when faced with the clear choice between using Meta’s platforms free of charge with targeted advertising, or paying a monthly fee, the overwhelming majority of people choose to use the service free of charge with targeted ads. Just because typical people overwhelmingly prefer free services with targeted ads doesn’t mean that a paid subscription isn’t a fair alternative. Here’s Margrethe Vestager herself, back in 2018, in an interview with Jorge Valero of Euractiv:
My concern is more about whether we get the right choices. I would like to have a Facebook in which I pay a fee each month, but I would have no tracking and advertising and the full benefits of privacy. It is a provoking thought after all the Facebook scandal. This market is not being explored.
A provoking thought indeed, but apparently this was only worth exploring until they found out that EU citizens would overwhelmingly consent to free services with targeted ads. Privacy fundamentalists can’t seem to accept that most people don’t share their fervor that consensual targeted advertising is inherently wrong. Most people see it as a good deal.
The obvious solution would be for the European Commission to pass a law banning targeted advertising. But I suspect they haven’t done that, and won’t, because so many publishers in the EU use targeted advertising (along with “pay or OK” subscription offerings). They don’t want to eliminate all targeted advertising, just Meta’s (and Google’s), but that’s hard to put into written law while claiming not to be targeting specific American companies.
It’s certainly possible that Meta can devise ways to serve non-personalized contextual ads that generate sufficient revenue per user.[2] But if they can’t, the rubber hits the road on Breton’s belief that none of the designated gatekeepers “can afford not to be in our market”. Why exactly would Meta choose to remain in the EU if they’re forced to offer their services for pennies on the dollar (or in this case, cents on the euro)? Out of the goodness of Mark Zuckerberg’s heart?
Consider too that if Meta goes along with this interpretation by the EC of the DMA’s requirements, and offers a vastly-less-lucrative free-of-charge option to use Instagram and Facebook without targeted ads in the European Union, there’s nothing to stop regulators and legislators around the world from demanding the same. Conceding to this might mean not just generating only a fraction of Meta’s current revenue in the EU, but generating only a fraction of its current revenue worldwide.
Breton — after casting a stink eye at Google for presenting its own hotel, flight, and shopping recommendations in web search results, and at Amazon for promoting its own Amazon-branded products (a shocking practice for a retailer — good luck ever finding Kirkland products at Costco, Up & Up at Target, or, say, Ol’ Roy dog food at Walmart, right?) — concludes with a threat:
Should we have indications of ineffective compliance or possible circumvention of the DMA, we will not hesitate to make use of the DMA’s full enforcement toolbox, including innovative tools that did not exist in antitrust enforcement such as the retention orders. And if our investigations conclude that there is lack of full compliance with the DMA, gatekeepers will face heavy fines.
We have a duty: ensuring full compliance with the DMA. And we will do all we can to create an online space that is fair and competitive to the benefit of all consumers and businesses operating in our Single Market.
Turns out, though, that actual users don’t agree that removing longstanding features from Google search results is somehow for their benefit. I’m guessing they’d see even less benefit if entire popular services and products were removed from the EU market. ★
[1] Jason Snell uses OpenAI’s amazing Whisper to generate the first draft of these transcripts, but he does proofread them. But neither he nor I thought “absolute” sounded weird in that context. Snell, of course, has now corrected the transcript.
[2] One obvious solution would be to show more ads — a lot more ads — to make up for the difference in revenue. So if contextual ads generate, say, one-tenth the revenue of targeted ads, Meta could show 10 times as many ads to users who opt out of targeting. I don’t think 10× is an outlandish multiplier there — given how remarkably profitable Meta’s advertising business is, it might even need to be higher than that. But showing that many ads would be such a bad experience that I suspect it would land Meta right back where they are today with the paid subscription option, with the EC declaring it non-compliant because users don’t want it.
Lorenzo Franceschi-Bicchierai, reporting for TechCrunch:
“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit. “Given how quickly they’re growing, it seems important to figure out a new way to get reliable analytics about them. Perhaps we need to do panels or write custom software. You should figure out how to do this.”
Facebook’s engineers’ solution was to use Onavo, a VPN-like service that Facebook acquired in 2013. In 2019, Facebook shut down Onavo after a TechCrunch investigation revealed that Facebook had been secretly paying teenagers to use Onavo so the company could access all of their web activity.
After Zuckerberg’s email, the Onavo team took on the project and a month later proposed a solution: so-called kits that can be installed on iOS and Android that intercept traffic for specific subdomains, “allowing us to read what would otherwise be encrypted traffic so we can measure in-app usage,” read an email from July 2016. “This is a ‘man-in-the-middle’ approach.” [...]
Later, according to the court documents, Facebook expanded the program to Amazon and YouTube. Inside Facebook, there wasn’t a consensus on whether Project Ghostbusters was a good idea. Some employees, including Jay Parikh, Facebook’s then-head of infrastructure engineering, and Pedro Canahuati, the then-head of security engineering, expressed their concern. “I can’t think of a good argument for why this is okay. No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works,” Canahuati wrote in an email, included in the court documents.
There’s the Facebook we know and love.
In 2018 Apple removed Onavo from the App Store, but the fact that Facebook was using Onavo in this way was known a year earlier.
Pranav Dixit, writing for Engadget:
“WhatsApp is kind of like a media platform and kind of like a messaging platform, but it’s also not quite those things,” Surya Mattu, a researcher at Princeton who runs the university’s Digital Witness Lab, which studies how information flows through WhatsApp, told Engadget. “It has the scale of a social media platform, but it doesn’t have the traditional problems of one because there are no recommendations and no social graph.”
Indeed, WhatsApp’s scale dwarfs nearly every social network and messaging app out there. In 2020, WhatsApp announced it had more than two billion users around the world. It’s bigger than iMessage (1.3 billion users), TikTok (1 billion), Telegram (800 million), Snap (400 million) and Signal (40 million). It stands head and shoulders above fellow Meta platform Instagram, which captures around 1.4 billion users. The only thing bigger than WhatsApp is Facebook itself, with more than three billion users.
WhatsApp has become the world’s default communications platform. Ten years after it was acquired, its growth shows no sign of stopping. Even in the US, it is finally beginning to break through the green and blue bubble battles and is reportedly one of Meta’s fastest-growing services. As Meta CEO Mark Zuckerberg told the New York Times last year, WhatsApp is the “next chapter” for the company.
Anecdotally, I’m seeing more American usage of WhatsApp too. Putting aside the (deeply misguided, IMO) antitrust arguments about iMessage, Apple’s decision a decade ago to eschew an iMessage client for Android might be proven to have been a mistake the old-fashioned way: through market forces.
Eliot Brown, writing for The Wall Street Journal:
Evan Gershkovich was supposed to be with his friends in Berlin the first week of April 2023.
The Wall Street Journal Russia correspondent was set to stay in an Airbnb in the edgy Neukölln neighborhood, a base to explore the city’s cobble-lined streets with his tightknit crew of journalist pals exiled there from Moscow. He was going to drink coffee in hipster cafes and chat into the night over glasses of beer.
It was the start of his stolen year.
Russian authorities detained Evan in Yekaterinburg on March 29, 2023, and threw him into a jail cell in Moscow. He was a fully accredited journalist on a reporting trip and was detained on an allegation of espionage, which he, his employer and the U.S. government vociferously deny.
Kudos to the Journal for putting together a huge package to raise awareness of Gershkovich’s unjust incarceration. Tons of coverage online, but man, sometimes print design can do things that otherwise can’t be expressed. What a statement today’s front page makes.
More sports-on-Vision-Pro news from Jason Snell:
That might still happen, but just before Opening Day the app was updated to support real, live baseball games, and all the exciting stuff is gone. Today I took it for a spin and was deeply disappointed — it’s essentially just a front end for watching games via MLB TV, and a buggy one at that.
I couldn’t find support for Gameday when I first used the app, though later when playing back an archived stream, I did find Gameday available — from within the video playback, so you can’t use it for a game you’re not watching on the app. And it’s immersive, so you can’t put it up and then do something else, which is also probably a mistake.
The app also only plays back a single video at a time, even if multiple games are going on at once — despite the fact that watching multiple video streams at once is basically what VR was made for.
I watched the end of the Yankees opener against the Houston Asterisks wearing Vision Pro, and share all of Snell’s gripes about the app. It’s downright bizarre that the app has a “main” window that, if closed, quits the entire app — but that’s not the window where you watch video!
And so many little paper cuts, like the fact that the app doesn’t integrate with the system Keychain APIs, so you don’t get autofill for passwords. I’m so used to password autofill across all my devices that it felt like I was using some sort of retro device, entering my MLB.com password manually.
Glad to see MLB have a native app on Opening Day, but man, they have a long way to go before it’s actually good.
A DF reader with a better memory than mine thought Andrew Aude’s name rang a bell, and lo, I mentioned him once before, while he was still a student at Stanford in 2014. Aude cleverly figured out how the ultimately-doomed, but then-nascent CurrentC payments app worked while it was still in invitation-only testing.
Speaking of The Wall Street Journal and Apple’s new Journal app, Joanna Stern has a great column about a creepy-sounding Journal setting:
You can turn on Journaling Suggestions. This recommends topics to write about based on things your phone (but not Apple) knows about you — music you’ve listened to, people you’ve called or messaged, photos you’ve recently taken, places you’ve visited, etc. You decide if you want to turn this on. When you first launch the Journal app, it will prompt you to do that. Those suggestions aren’t ever shared with Apple.
Here’s where it gets weird. When you go into Settings → Privacy & Security → Journaling Suggestions, you’ll see that Discoverable by Others is enabled by default — even if you never turned on suggestions. Under the setting it says, “Allow others to detect you are nearby to help prioritize their suggestions.” [...]
A company spokeswoman said claims on social media that Apple is sharing your name and location with others are inaccurate. The phone can use Bluetooth to detect the number of devices nearby that are in your contacts. It doesn’t store which of these specific contacts were around but instead may use this as context to improve and prioritize journaling suggestions, the spokeswoman said.
Here’s an example provided by Apple: Say, you hosted a dinner party at your house, with friends who are in your contacts. The system might prioritize that in the suggestions, as it knows from the head count that there was something different about that event. It wasn’t just your average night at home with your family.
This is a fine feature, and I think it’s fine that it’s on by default. But the description of the feature in Settings is just atrocious. It sounds creepy as hell. I suspect this is one of those cases where everyone at Apple involved with the feature knew that everything related to the new Journal app and associated new journaling-prompt APIs is, in fact, extraordinarily private. Just like with Health data, everything is stored on-device, including the keys, and iCloud sync is E2EE. Even if faced with a law enforcement warrant, Apple has nothing to turn over related to Journal.
But most people don’t know this. And many people — quite reasonably! — are deeply suspicious that all big tech companies are spying on them and play loosey-goosey with anything related to privacy. To someone at Apple — especially those who work on Health and Journal stuff — it’s absurd to think that Apple would even consider adding a setting to iOS that makes you personally “discoverable” by anyone, friends and strangers alike, if you’re simply within Bluetooth range of their iPhone. Let alone make that setting on by default!
But that’s exactly what the description of this feature in Settings → Privacy & Security → Journaling Suggestions sounds like. When describing features like this, Apple needs to presume that the user is assuming the worst.
Joe Rossignol, reporting for MacRumors:
Apple this month sued its former employee Andrew Aude in California state court, alleging that he breached the company’s confidentiality agreement and violated labor laws by leaking sensitive information to the media and employees at other tech companies. Apple has demanded a jury trial, and it is seeking damages in excess of $25,000. [...]
In April 2023, for example, Apple alleges that Aude leaked a list of finalized features for the iPhone’s Journal app to a journalist at The Wall Street Journal on a phone call. That same month, The Wall Street Journal’s Aaron Tilley published a report titled “Apple Plans iPhone Journaling App in Expansion of Health Initiatives.”
Using the encrypted messaging app Signal, Aude is said to have sent “over 1,400” messages to the same journalist, who Aude referred to as “Homeboy.” He is also accused of sending “over 10,000 text messages” to another journalist at the website The Information, and he allegedly traveled “across the continent” to meet with her.
10,000 text messages seems like ... a lot? Makes me wonder if there was a personal aspect to that relationship, beyond leaking. MacRumors has posted a copy of Apple’s lawsuit, which includes this gem:
Apple learned of Mr. Aude’s misconduct in the fall of 2023. When Apple met with him to discuss his improper disclosures, Mr. Aude promptly confirmed his guilt through his actions, if not his words. At the start of his November 7, 2023 interview, Mr. Aude repeatedly denied that he had leaked any information to anyone. He also claimed that he did not have his Apple-issued work iPhone with him. Feigning the need to visit the bathroom mid-interview, Mr. Aude then extracted his iPhone from his pocket during the break and permanently deleted significant amounts of evidence from his device. This included the Signal app, which memorialized his history of leaking information to “Homeboy” (and likely others) via encrypted communications.
Part of the evidence Aude left behind were screenshots he kept of otherwise secure messages:
In connection with one leak, Mr. Aude admitted that he violated his obligations to Apple so he could “kill” products and features with which he took issue. As his frequent Google searches, article shares, and screenshots saved to his Apple-issued work iPhone reveal, vanity and personal enjoyment of the media’s attention also played a significant role in his malfeasance. In Mr. Aude’s screenshot below memorializing his exchange with the WSJ journalist, Mr. Aude exclaimed that he could not “wait for chaos to break out” in reaction to a forthcoming article reflecting his leaked information.
Worth noting that Aaron “Homeboy” Tilley was a reporter for The Information until September 2019, when he left to join the WSJ. Anyway, I’m sure the WSJ will help Aude out with his legal bills.
Jason Snell, writing at Six Colors:
Apple announced today that the first Apple Immersive Video documentary for Vision Pro, featuring highlights from last year’s MLS playoffs, will debut tonight (March 28) at 6 p.m. Pacific. [...]
I’m excited to see the finished product — all of Apple’s immersive videos have been pretty amazing — but I have to point out that this five-minute highlight package is being released 110 days after last year’s MLS Cup Final. That’s not great turnaround time. If immersive video for sports is going to be a thing, turnaround is going to need to be a lot faster.
In addition to the four-month turnaround time, there’s also the fact that five minutes is pretty short. Perhaps the single most surprising aspect of Apple’s launch plan for Vision Pro is the relative dearth of original immersive content. It’s the most compelling experience with the product but there’s hardly any of it. I would have thought Apple would drop new immersive content at least a few times per month, if not weekly, but this MLS Cup highlight film is the first new one since launch.
Terrific interview; Kara Swisher is so damn good at this. I learned a lot. Vestager comes across as very likable and very sharp. I disagree with her on quite a bit, but I like her. The segment on Apple’s Core Technology Fee was particularly interesting. (I remain of the opinion that the CTF will stand, with only minor tweaks.)
(Vox Media’s CMS (seemingly?) makes it maddeningly difficult to link to a single podcast episode, so here are direct links for Apple Podcasts and Overcast.)
Jason Snell returns to the show to talk about the DOJ’s antitrust lawsuit against Apple. And sports gambling.
Affinity — makers of a terrific suite of design apps — back in September 2022, when the now-aborted acquisition of Figma by Adobe was announced:
Ain’t nobody acquiring us 😎
Affinity CEO Ashley Hewson today:
I am thrilled to announce that Affinity is joining the Canva family.
A few readers have asked about my speculation that Apple, along with the other DMA-designated gatekeepers (none of which are European companies of course), might reasonably pull out of the relatively small EU market rather than risk facing disproportionately large fines from the European Commission. The DMA allows the EC to fine gatekeepers up to 10 percent of global revenue (which would hit a hardware-based company like Apple particularly hard) for a first offense, and up to 20 percent for subsequent fines. But the EU represents only 7 percent of Apple’s revenue. That figure comes from CFO Luca Maestri on Apple’s Q1 2024 analyst call:
Amit Daryanani, Evercore: Fair enough, and then as a follow up, you folks have implemented a fair bit of changes around the apps for in Europe post the DMA implementation there. Can you just touch on what are some of the key updates and then Luca, does NetApp at all, do you see it having any significant impact financially to your services or the broader Apple P&L statement.
[Remarks from Tim Cook omitted.]
Luca Maestri: Yes, and Amit, as Tim said, these are changes that we’re going to be implementing in March. A lot will depend on the choices that will be made. Just to keep it in context, the changes apply to the EU market, which represents roughly 7% of our global App Store revenue.
[Update 29 March: See transcription correction here. Maestri said “App Store revenue”, not “absolute revenue”.]
It’s unclear whether Maestri was saying that the EU accounts for 7 percent of Apple’s worldwide App Store revenue, or 7 percent of all revenue, but I suspect it doesn’t matter, and that both are around 7 percent. App Store revenue ought to be a good proxy for overall revenue — there’s no reason to think EU Apple users spend any less or any more in the App Store than users around the world.
There’s some “7 percent sounds way too low” confusion that stems from the fact that Apple, in its quarterly consolidated financial statements, breaks results into five geographic regions: Americas, Europe, Greater China, Japan, and “Rest of Asia Pacific”. “Europe” accounts for somewhere around 25 percent of Apple’s global revenue. That’s the number most people think about. But there are a significant number of high-GDP countries in Europe that aren’t in the EU — the UK (most famously), Russia, Turkey, Switzerland, Norway, and Ukraine. More importantly, Apple’s “Europe” includes the entire Middle East.
So EU member states account for only 25–30 percent of Apple’s revenue from “Europe”, and just 7 percent globally. 7 percent is significant, to be sure, and in addition to users, there are of course many iOS and Mac developers in EU countries. I really don’t know what Apple pulling out of the EU would even look like, but it would be ugly. Could they merely stop selling the iPhone there but continue selling other products? Would that create a massive gray market for iPhones imported from outside the EU? How would Apple deal with the hundreds of millions of existing iPhone owners in the EU? I have no idea. It would be a mess, to be sure, but the DMA has already made doing business in the EU a mess for Apple and the other designated gatekeepers. But one can make the case — as Eric Seufert has — that American companies have to at least consider the fact that doing business in the EU isn’t worth the risk of fines so vastly disproportionate to the revenue they generate in the EU.
And it’s not like the risk is merely a first-offense fine of up to 10 percent of annual global revenue and a single second fine of up to 20 percent — there’s no limit to how many times the EC can fine a gatekeeper for non-compliance with the DMA’s arbitrary and vague rules.
The EC just fined Apple $2 billion for violating article 102(a) of their rules on competition, for hindering Spotify (a European company — surely a coincidence) in the music streaming market. The entirety of article 102(a):
Any abuse by one or more undertakings of a dominant position within the internal market or in a substantial part of it shall be prohibited as incompatible with the internal market in so far as it may affect trade between Member States.
Such abuse may, in particular, consist in:
(a) directly or indirectly imposing unfair purchase or selling prices or other unfair trading conditions;
Where “unfair” is never defined. That’s as specific as the law gets. Note too that the base penalty for this infraction, per the EC’s 2006 guidelines, was €40 million, but the EC raised the fine by a factor of 45× to €1.8 billion because the guidelines aren’t binding:
In addition, the Commission decided to add to the basic amount of the fine an additional lump sum of €1.8 billion to ensure that the overall fine imposed on Apple is sufficiently deterrent. Such lump sum fine was necessary in this case because a significant part of the harm caused by the infringement consists of non-monetary harm, which cannot be properly accounted for under the revenue-based methodology as set out in the Commission’s 2006 Guidelines on Fines. In addition, the fine must be sufficient to deter Apple from repeating the present or a similar infringement; and to deter other companies of a similar size and with similar resources from committing the same or a similar infringement.
Judging from the EC’s actions and statements, there’s no reason to believe that the EC will not pursue maximum fines under the DMA. [1]
[1] In addition to weighing revenue generated in the EU vs. the risk of fines of 10–20 percent of global revenue, the designated “gatekeepers” are already paying significant penalties in terms of engineering resources. Every software engineer working on features related to DMA compliance is an engineer not working on new features or improving existing features for the non-EU world. I suspect Apple is currently spending more than a commensurate-with-revenue 7 percent of engineering resources on DMA compliance features and APIs.
No changes to the format: online conference with in-person attendance for the Monday keynote:
WWDC24 will include an in-person experience on June 10 that will provide developers the opportunity to watch the keynote at Apple Park, meet with Apple team members, and take part in special activities. Space will be limited, and details on how to apply to attend can be found on the Apple Developer site and app.
Announced pretty much right on schedule too. 2020 was an unusual year, to say the least, but starting in 2021 the WWDC dates were announced March 30, April 5, March 29, and now March 26.
Update: Greg Joswiak on Twitter/X:
Mark your calendars for #WWDC24, June 10-14. It’s going to be Absolutely Incredible!
“Absolutely Incredible” with capital letters. No idea what that could mean. A true puzzle for the ages.
[See update below, regarding the EC’s threats.]
European Commission press release today:
Today, the Commission has opened non-compliance investigations under the Digital Markets Act (DMA) into Alphabet’s rules on steering in Google Play and self-preferencing on Google Search, Apple’s rules on steering in the App Store and the choice screen for Safari and Meta’s “pay or consent model”.
The Commission suspects that the measures put in place by these gatekeepers fall short of effective compliance of their obligations under the DMA.
You could have set your watch by this announcement dropping the week after the EC held compliance “workshops”. There was no way any of these companies weren’t going to be “investigated” and I doubt there’s any way they won’t eventually get fined. Whether any of them will ever need to pay those fines, that I wouldn’t bet on.
Alphabet’s and Apple’s steering rules
The Commission has opened proceedings to assess whether the measures implemented by Alphabet and Apple in relation to their obligations pertaining to app stores are in breach of the DMA. Article 5(4) of the DMA requires gatekeepers to allow app developers to “steer” consumers to offers outside the gatekeepers’ app stores, free of charge.
The Commission is concerned that Alphabet’s and Apple’s measures may not be fully compliant as they impose various restrictions and limitations. These constrain, among other things, developers’ ability to freely communicate and promote offers and directly conclude contracts, including by imposing various charges.
The EC is edging closer and closer to saying that successful platforms have no right to monetize their IP on those platforms. That’s exactly what a lot of anti-capitalist critics of these companies have been rooting for, but it would be a radical step.
The Commission has opened proceedings against Alphabet, to determine whether Alphabet’s display of Google search results may lead to self-preferencing in relation to Google’s vertical search services (e.g., Google Shopping; Google Flights; Google Hotels) over similar rival services.
The Commission is concerned that Alphabet’s measures implemented to comply with the DMA may not ensure that third-party services featuring on Google’s search results page are treated in a fair and non-discriminatory manner in comparison with Alphabet’s own services, as required by Article 6(5) of the DMA.
Google is already sacrificing results quality, and promoting results from some low-quality comparison sites in the name of compliance. And I don’t even know why this announcement from the EC mentions Google Flights, given that Google has removed Google Flights results from web search results in the EU.
Apple’s compliance with user choice obligations
The Commission has opened proceedings against Apple regarding their measures to comply with obligations to (i) enable end users to easily uninstall any software applications on iOS, (ii) easily change default settings on iOS and (iii) prompt users with choice screens which must effectively and easily allow them to select an alternative default service, such as a browser or search engine on their iPhones.
Apple’s idea is that out of the box, an iPhone presents a complete experience. This keeps coming up, but it’s worth reiterating that there were no third-party apps at all for iPhone for the first year. “A widescreen iPod with touch controls; a revolutionary mobile phone; and a breakthrough Internet communications device.” Music, video, web browsing, email, maps, text messaging, contacts, calendar, and more. These apps aren’t just developed in a vacuum and bundled together on a device. On iOS these apps are designed to work together, integrated into a holistic experience. You can — and zillions of iPhone owners do — choose to use alternative apps, but the core apps in iOS are not, as the EU would suggest, a collection of shovelware.
But most of the built-in apps in iOS can be removed from your iPhone the exact same way you delete apps from the App Store. There’s a handful that can’t, among them: Settings, Camera, Photos, App Store, Phone, Messages, and Safari. You can remove those apps from your Home Screen, but they remain in your App Library. If the EC is really going to investigate Apple over removing default apps, I presume they’re thinking that Safari, in particular, needs to be deletable, because making it un-deletable is a form of preferencing? It’s all guesswork. I further suppose they might want the App Store app to be deletable, but that’s a problem because it’s through the App Store that a user can re-install built-in apps they’ve previously deleted.
The Commission is concerned that Apple’s measures, including the design of the web browser choice screen, may be preventing users from truly exercising their choice of services within the Apple ecosystem, in contravention of Article 6(3) of the DMA.
Here’s article 6(3) of the DMA, in its entirety:
The gatekeeper shall allow and technically enable end users to easily un-install any software applications on the operating system of the gatekeeper, without prejudice to the possibility for that gatekeeper to restrict such un-installation in relation to software applications that are essential for the functioning of the operating system or of the device and which cannot technically be offered on a standalone basis by third parties.
The gatekeeper shall allow and technically enable end users to easily change default settings on the operating system, virtual assistant and web browser of the gatekeeper that direct or steer end users to products or services provided by the gatekeeper. That includes prompting end users, at the moment of the end users’ first use of an online search engine, virtual assistant or web browser of the gatekeeper listed in the designation decision pursuant to Article 3(9), to choose, from a list of the main available service providers, the online search engine, virtual assistant or web browser to which the operating system of the gatekeeper directs or steers users by default, and the online search engine to which the virtual assistant and the web browser of the gatekeeper directs or steers users by default.
How this browser choice screen is non-compliant with the above article, I don’t know. And even in the announcement of their investigation, the EC doesn’t say. My best guess, having read Steven Troughton-Smith’s Whisper-generated transcript of last week’s Apple compliance “workshop”, is that the EC’s problem with Apple’s current browser choice screen is that the list of included web browsers in each EU member state is determined by which web browsers are most popular in each country — which in turn means the only browsers included are those which are already in Apple’s App Store. There’s no mechanism for a new browser that was never in the App Store to be included in the choice screen until a year after it becomes popular enough — via sideloading or distribution through alternative app marketplaces — to make the list. But DMA article 6(3) doesn’t actually say that. It just says the choice screens must include “a list of the main available service providers” — which is exactly what the iOS 17.4 browser choice screen does.
I’ll bet you, like me, took note of article 6(3)’s clauses regarding search engines and virtual assistants. Google Search is a designated “core platform service” and so Google, the gatekeeper that owns it, is obligated to include a choice screen for web search in Android. Apple is obligated to offer a choice screen for browsers, because Safari is a designated core platform service, but not for search, because Google Search is Google’s service, not Apple’s. But as far as I can see, there are no virtual assistants, on any gatekeeper’s platform, that have been designated core platform services, and so I don’t think either Google or Apple is obligated to provide a choice screen for them.
Update: Turns out Apple has already announced that it’s working to allow Safari to be completely uninstalled from iOS by the end of the year.
Back to today’s press release from the EC:
Meta’s “pay or consent” model
Finally, the Commission has opened proceedings against Meta to investigate whether the recently introduced “pay or consent” model for users in the EU complies with Article 5(2) of the DMA which requires gatekeepers to obtain consent from users when they intend to combine or cross-use their personal data across different core platform services.
The Commission is concerned that the binary choice imposed by Meta’s “pay or consent” model may not provide a real alternative in case users do not consent, thereby not achieving the objective of preventing the accumulation of personal data by gatekeepers.
I wrote about this last week — this is the argument that it’s insufficient for Meta to offer a fair price for a no-targeted-ads experience because the overwhelming majority of people will choose to use Meta’s platforms free-of-charge with targeted ads rather than pay. Nothing, seemingly, will do short of Meta offering its platforms both without charge and without targeted ads, even though non-targeted ads would, at best, generate only pennies on the dollar euro. Not only is the EC signaling that Meta isn’t allowed to set its own price for its own services — they’re seemingly arguing that Meta is obligated to provide its platforms effectively free-of-charge. That’s a radically anti-business stance for an ostensibly capitalist government body to take.
At the end of the EC’s press release come the threats. Quote from commissioner Thierry Breton:
“The Digital Markets Act became applicable on 7 March. We have been in discussions with gatekeepers for months to help them adapt, and we can already see changes happening on the market. But we are not convinced that the solutions by Alphabet, Apple and Meta respect their obligations for a fairer and more open digital space for European citizens and businesses. Should our investigation conclude that there is lack of full compliance with the DMA, gatekeepers could face heavy fines.”
First fine: up to 10 percent of the company’s global revenue. Subsequent fines: up to 20 percent. Not EU revenue, global revenue. This, from a bloc of countries that accounts for only 7 percent of Apple’s revenue. The EC clearly thinks these threats will get these “gatekeeping” companies to ask “How high?” when the EC demands they jump. (The DMA, of course, doesn’t specify how high they need to jump to comply.) Whereas the question they’re actually forcing these companies to ask is “Why are we doing business in the EU?”
I thought going back to the 1990s was old, but here’s an Integer BASIC graphics and sound demo from 1978 named “Apple-Vision”. (Thanks to DF reader James Mitchell.)
David Ingram, reporting for NBC News:
Data from two research firms and figures published by Musk and X suggest a deteriorating situation for X by some metrics. Musk has marketed it as the world’s “town square,” but in number of users it continues to lag far behind social media rivals that focus on video, such as Instagram and TikTok.
In February, X had 27 million daily active users of its mobile app in the U.S., down 18% from a year earlier, according to Sensor Tower, a market intelligence firm based in San Francisco. The U.S. user base has been flat or down every month since November 2022, the first full month of Musk’s owning the app, and in total it’s down 23% since then, Sensor Tower said.
You know I’m skeptical regarding Sensor Tower’s data, but if they’re measuring all social network mobile app use the same way, it seems like a fair comparison against other social networks. And it jibes with my personal anecdata.
Glenn Fleishman:
If you love newspaper comic strips, you will love my new book How Comics Were Made: A Visual History from the Drawing Board to the Printed Page. I’ve combined years of research and the diligent collection of unique comics printing artifacts with dozens of interviews with cartoonists, historians, and production people to tell the story of how a comic starts with an artist’s hand, and makes its way through transformations into print and, more recently, onto a digital screen. I need your help to make it happen!
The book will be a glorious full-color celebration of the art form, heavily illustrated from the 1890s to the present day with materials that you’ve never seen before, drawn from my personal collection and museums, cartoonists and their estates, and institutions around the United States. It will also feature never-before-published strips and versions of some popular comics.
I’m a sucker for labor-of-love books, and remain fascinated by the history of printing technology. So of course I’m backing Fleishman’s Kickstarter campaign. But I’ll bet a lot of you might share the same interest. Here’s a brief taste: “The Week in Doonesbury That Wasn’t” on YouTube.
The campaign is just over 75 percent funded with three days to go.
I quipped in my post linking to Apple’s updated style guide that if Vision Pro had been a product from the 1990s, Apple might have named it “AppleVision”. Turns out Apple did make products under that name — a short-lived line of CRT displays. From a little birdie who worked on them:
It was an ill-fated (and largely disgraced) line of CRTs with automatic color calibration built-in. [...] The on-screen brightness and volume controls that still grace macOS today are there largely because of the AppleVision product, though an earlier form of them showed up on a 14” CRT just prior. Also, DigitalColor Meter (now styled as “Digital Color Meter”) came out of that software effort as well.
But the AppleVision displays were, despite a huge amount of innovation, extremely unreliable. It was the first time Apple had attempted to build a multiscan CRT on their own, and it turns out that multiscan CRTs are really, really hard to get right. Apple took a large (for the time, in the mid 90s) financial hit on the AppleVision 1710 and 1710av, in particular. The name was eventually abandoned as it had been tarnished beyond usefulness.
The overriding gist of the DOJ’s lawsuit against Apple brought to mind, for DF reader E.G., Kurt Vonnegut’s dystopian short story Harrison Bergeron. Despite being an enormous Vonnegut fan, I couldn’t recall reading it before. It’s so apt. As E.G. quipped in his email to me, “Only in making all products, services, and experiences equally bad, will we have equality and fairness.”
There are a couple of plain text versions of the story on the web, but none that do justice to the story typographically. So, channeling my inner Dean Allen, I typeset one. Curl up with it on your iPad — or, dare I suggest, go old-school and print it out.
Update: “Harrison Bergeron” is included in Vonnegut’s short story collection Welcome to the Monkey House, available from Amazon, Bookshop, and Apple Books (which includes it in its free preview).
Matt Birchler, writing at Birchtree:
It’s notable that it’s called a DPAN and not “the Apple Pay number” — it’s a generic term, and that’s because this is a standard feature of digital wallets everywhere, not just Apple Pay. Google Pay and Samsung Pay are the biggest other digital wallets in the U.S. and they both do exactly the same thing. While it’s not technically using a DPAN since the payment runs through different companies, Amazon Pay and Shop Pay buttons also obscure the actual FPAN (full card number) from merchants.
I feel like this comes up a lot, but I can not stress enough to you how little merchants want to ever ever ever handle your actual credit card number. It adds so much risk on their end and modern payment acceptance tools make it easy to collect payment details in a way that makes sure as few people as possible have access to the real card info.
Gruber mentions banks absolutely not wanting to use DPANs themselves, but we actually don’t need to speculate about this, we have this info already. Numerous banks from Wells Fargo to Chase to Bank of America have (or had) digital wallets, all of which used DPANs to protect your plain text account number. Paze is what a few big U.S. banks use today and it of course uses DPANs as well. In fact the top reason they give for why you should use Paze is, “Paze does not share your actual card number with the merchant.”
Apple press release from January 2004:
Working to provide consumers with the most compelling digital content whenever and wherever they desire, HP and Apple today announced a strategic alliance to deliver an HP-branded digital music player based on Apple’s iPod, the number one digital music player in the world, and Apple’s award-winning iTunes digital music jukebox and pioneering online music store to HP’s customers.
As part of the alliance, HP consumer PCs and notebooks will come preinstalled with Apple’s iTunes jukebox software and an easy-reference desktop icon to point consumers directly to the iTunes Music Store, ensuring a simple, seamless music experience. This offering is yet another way that HP is helping consumers enjoy more from their personal digital entertainment content.
My point stands that iTunes on Windows was successful largely from users who installed it themselves, but it’s worth a correction to point out that it was pre-installed on HP PCs for a while, and at the time HP was the second-biggest PC maker. Hard to believe I forgot this, because the most remarkable part of the deal wasn’t that HP pre-installed iTunes, but that Apple granted HP a license to sell HP-branded iPods.
My thanks to WorkOS for sponsoring last week at DF. WorkOS is a modern identity and user management platform that enables B2B SaaS companies to accelerate enterprise adoption. Free up to 1 million MAUs, WorkOS brings a modular approach to B2B Auth with enterprise-ready features like SSO, SCIM, and User Management.
The APIs are flexible and easy to use, designed to provide an effortless experience from your first user all the way through your largest enterprise customer.
Today, hundreds of high-growth scale-ups are already powered by WorkOS, including ones you probably know, like Vercel, Webflow, and Loom.
Brian X. Chen — the “Tech Fix” columnist for The New York Times who is so unenthused about tech products that he advised readers to “just use flash” rather than upgrade their phone if their low-light photos look bad — in a column on Roku’s recent licensing shenanigans:
Roku’s no-good month stirred discussions in online forums about what it means when a company can essentially deactivate the device you paid for. That’s similar to how companies like Apple, Google and Microsoft can decide to stop issuing software updates for older devices, which gradually degrades their performance.
That’s just stated as fact. But here’s Chen back in 2017, in a column headlined “A New Phone Comes Out. Yours Slows Down. A Conspiracy? No.”:
The phenomenon of perceived slowdowns is so widespread that many believe tech companies intentionally cripple smartphones and computers to ensure that people buy new ones every few years. Conspiracy theorists call it planned obsolescence.
That’s a myth. While slowdowns happen, they take place for a far less nefarious reason. That reason is a software upgrade.
So getting software updates was the cause for slowdowns in 2017, but not getting software updates is now the cause in 2024. Got it.
Humane is getting closer to shipping, and better at making videos. One clever trick each presenter in this new video does is continue talking to the audience while waiting for responses from the Ai Pin (which, it seems, can take a while).
Andrew J. Hawkins, reporting for The Verge:
“By applying the same playbook of restrictions to CarPlay, Apple further locks-in the power of the iPhone by preventing the development of other disintermediating technologies that interoperate with the phone but reside off device,” the lawsuit says.
The inclusion of CarPlay, as well as digital key functions through Apple’s Wallet feature, came as a surprise to some analysts, who say that the DOJ may be misunderstanding the utility and functions of the phone-mirroring system.
This is especially true for the next-generation version, which prosecutors described insidiously as taking “over all of the screens, sensors, and gauges in a car, forcing users to experience driving as an iPhone-centric experience if they want to use any of the features provided by CarPlay.”
That’s misleading, said Sam Abuelsamid, principal analyst at Guidehouse Insights and an expert on vehicle software. “Even with the next-gen system, OEMs [original equipment manufacturers] don’t actually have to let Apple take over all the screens,” he said in an email. “They can limit the interface to whichever screens they want.”
“Misleading” is too kind. It’s just flat-out wrong. The biggest problem with CarPlay 2 is its relative dearth of adoption to date — previewed only by Porsche and Aston Martin, neither of which is even vaguely a mainstream brand.
Another terrific resource from Apple’s documentation team, also available as a PDF. Apple has long made its style guide publicly available, but I suspect many people aren’t aware of it. The previous edition was from 2022.
Worth noting though that this is Apple’s style bible, and while most of it is inarguably good advice, some of it is simply arbitrary. For example, Apple famously styles some of its product names without title-casing them: Mac mini, iPod nano, macOS, visionOS, watchOS, etc. That’s purely style though, not spelling, and my style — like most publications — is to capitalize proper names.
A new entry, some of the idiosyncrasies of which many of you have likely already noticed in Apple’s marketing and documentation:
Apple Vision Pro — Always use the full name. In general references, don’t use the with Apple Vision Pro. It’s OK to use another article or a possessive adjective: Adjust the fit of your Apple Vision Pro.
You put on and take off Apple Vision Pro. When you have it on, you’re wearing it.
Put on Apple Vision Pro and adjust the fit.
Don’t run while you’re wearing Apple Vision Pro.
In text, don’t write the name Apple Vision Pro by combining the symbol with Vision Pro.
Correct: Get started with Apple Vision Pro.
Incorrect: Get started with Vision Pro.
Don’t refer to Apple Vision Pro as a headset. In most cases, use the product name; in content where the name is repeated frequently, you can use device.
Outside Cupertino, no one eschews the in front of Apple product names when doing so sounds natural, and everyone calls the Vision Pro a “headset”, because, well, it is a headset.
(I keep thinking that if it had come out in the 1990s, it might have been named AppleVision Pro, closed-up and camel-cased, and also keep thinking that it kind of looks cool that way. Similarly: AppleWatch.)
Jason Snell, writing at Six Colors, with a first take I found myself nodding my head in agreement with throughout:
For me, the most unexpected part of the document was the DoJ’s explanation that Apple’s success as a company largely stems from… the DoJ itself. It points out that Apple’s resurgence early in this century was due to the release of the iPod, which only became a hit when it arrived on Windows. The DoJ argues that the iPod’s presence on Windows was only due to Microsoft being under a consent decree from the DoJ for monopolistic behavior.
I don’t know enough about the specifics of the Microsoft consent decree to weigh in on the idea that an unconstrained Microsoft would have made it impossible for Apple to make the iPod compatible with Windows. It’s a pretty big hypothetical, and I’m skeptical, but I’m impressed that the DoJ would try to place its current case within the larger DoJ Connected Universe.
You don’t need to be a lawyer to see that this is a nonsensical claim. Microsoft played all sorts of hardball with Windows’s licensing to PC makers back in the 1990s, but nothing they did would have ever stopped Apple from making iTunes for Windows and allowing iTunes for Windows to manage an iPod connected over USB. That’s one thing Windows (and DOS before it) always was: open to third-party software, and open to connected peripherals. iTunes, to my recollection, was always software that users downloaded and installed themselves. iTunes was not pre-installed on PCs and thus subject to Microsoft’s licensing shenanigans (e.g. the way Microsoft used licensing discounts to discourage PC makers from shipping computers with Netscape pre-installed). At a technical level I don’t even see how Microsoft could have hindered iTunes or the iPod even if they had wanted to.
[Update: I forgot about the 2004 HP-iPod deal, which included pre-installing iTunes on HP PCs, but the larger point stands.]
What strikes me most about this document is that people… like using the iPhone? This suit (joined by 16 other attorneys general, mostly of blue states) has a political element to it, in the sense of trying to send a message that your government is looking out for your rights and protecting you from big, bad tech companies.
What happens when that collides with a product that has extremely high customer satisfaction ratings? Those of us in the know are well aware of all the ways that Apple plays hardball, and understand that the company is so powerful that really the only way it will be convinced to change its ways is under threat of government intervention. But will American iPhone users feel like the government is on their side, in taking on an American tech giant that makes a product they actually enjoy using?
I wonder very much about this too. The biggest US antitrust case in my lifetime was the breakup of Ma Bell, a.k.a. AT&T Classic. The “phone company” was universally reviled at the time, if only for the exorbitant long-distance phone call rates they charged. Ma Bell was both unpopular and inarguably a monopoly — the Bell system was the only way to place telephone calls.
I think the public, by and large, was ambivalent about Microsoft’s monopoly abuse in the 1990s. But Apple is popular, the iPhone in particular. And many of the complaints lodged by the DOJ regarding the iPhone are for the very things that make it popular.
Attorney General Merrick Garland:
When an iPhone user puts a credit or debit card into Apple Wallet, Apple inserts itself in a process that could otherwise occur directly between the user and card issuer. This introduces an additional potential point of failure for the privacy and security of Apple users.
Apple Pay through Wallet obfuscates your actual credit card numbers, which retailers infamously use to track customers. It’s far more private than using your credit card itself. I highly doubt any banks or credit card issuers would do this themselves if given access to NFC tap-to-pay.
[Update: Whoops, I was wrong about that. Matt Birchler, who works in the payments industry, has a great explainer about how this works, and it turns out major banks and credit cards do generate per-merchant “DPAN” numbers for tap-to-pay transactions. I stand by my argument that Apple Wallet is at least as, if not more secure than, any digital payment app provided by a card issuer.]
And that is just one way in which Apple is willing to make the iPhone less secure and less private in order to maintain its monopoly power. The Supreme Court defines monopoly power as “the power to control prices or exclude competition.”
As set out in our complaint, Apple has that power in the smartphone market.
Defining the iPhone as a monopoly when it has somewhere around 55 percent market share in the U.S. is obviously the first thing the DOJ needs to prove. Microsoft had roughly 95 percent market share of the PC operating system market when the DOJ sued them in the late 1990s. The DOJ tries to get around the uncomfortable fact of Apple’s mere 55 percent share by defining a market for “performance smartphones”. I don’t really see how Apple has any power over the price of phones made by other companies.
Now, having monopoly power does not itself violate the antitrust laws. But it does when a firm acquires or maintains monopoly power — not because it has a superior product or superior business acumen — but by engaging in exclusionary conduct. As set out in our complaint, Apple has maintained its power not because of its superiority, but because of its unlawful exclusionary behavior.
Completely backwards. Superiority is exactly what made the iPhone what it is — superior hardware, superior software, superior integration. Even a superior retail experience. Not only is the DOJ’s take on the iPhone’s success a complete misunderstanding of the actual market dynamics for phones, it’s flabbergastingly insulting.
David McCabe and Tripp Mickle, reporting for The New York Times:
The lawsuit filed Thursday focuses on a group of practices that the government said Apple had used to shore up its dominance.
The company “undermines” the ability of iPhone users to message with owners of other types of smartphones, like those running the Android operating system, the government said. That divide — epitomized by the green bubbles that show an Android owner’s messages — sent a signal that other smartphones were lower quality than the iPhone, according to the lawsuit.
But of course SMS is a vastly lower-quality platform than iMessage. Without having read the actual lawsuit yet, I’m curious what they think Apple should do differently on this front. Is Apple obligated to ship an iMessage client for other platforms? For free?
Apple has similarly made it difficult for the iPhone to work with smartwatches other than its own Apple Watch, the government argued. Once an iPhone user owns an Apple Watch it becomes far more costly for them to ditch the phone.
Apple peripherals and Apple software exclusive to Apple devices is, in a nut, what Apple does and what has made their products popular. This summary reeks of technical naivety. The DOJ is alleging that, for example, Apple Watch and iPhone work better together than third-party watches with iPhones not because of specific integration, but because Apple is locking third parties out. Same with Tile trackers vs. AirTags. The only alternative would be to allow third parties to install system software extensions on iOS, like on a Mac or PC.
Watching the DOJ press conference (transcripts of the prepared statements, including Attorney General Merrick Garland’s, are here), there’s a strong undercurrent to the DOJ’s argument that iPhone users are, en masse, trying to switch to Android but finding it too difficult and expensive. That’s not based on reality. Every customer satisfaction survey I’ve seen, from 2007 onward, has shown iPhone owners to be overwhelmingly happy. It’s not just the most successful consumer electronics product in history — perhaps product, period — but it’s arguably the most liked.
New home page for Apple Support documentation. Worth a bookmark.
Update: It’s so comprehensive that it has tech specs — but alas, not the documentation — going back to the original 1984 Macintosh.
Another recent-ish update to one of my essential Mac utilities:
Keyboard Maestro 11 expands on the powerful base of previous versions, improving the editor, adding many new actions and triggers, New Macro Wizard, a new Security preference pane, a keyboardmaestro command line tool, support for Apple Text Recognition, and more. Keyboard Maestro 11 requires macOS 10.13 High Sierra or later.
My number one tip for anyone looking to up their Mac power-user game is to get Keyboard Maestro. It’s like having super powers. $36 for a new license, $25 to upgrade. And of course there’s a free trial.
BBEdit 15.0.2 just shipped, which reminded me that I never linked to BBEdit 15. Most interesting and useful to me, among many new features:
There’s a new document type, “ChatGPT Worksheet”. This is created from File → New as with other document types, and provides an interface for conversational exchanges with ChatGPT. In order to use this feature, you will need a ChatGPT account, and an API key. [...]
ChatGPT worksheets work similarly to a shell worksheet: type something in, and press the Enter key to send it to ChatGPT. (You can also use the “Send Command” keyboard equivalent, as set in the “Worksheets” section of BBEdit’s “Menus & Shortcuts” preferences. The default for this command is Control-Return.) After some period of time, you’ll receive a response which BBEdit will insert into the document window.
If you wish to cancel your request before the response arrives, Command-period or Control-C will do that.
Responses from ChatGPT are automatically quoted, as long as the worksheet’s language is set to “Markdown”. If you change the worksheet’s language, this quoting will not occur.
(Since worksheets are Markdown, you can use “Preview in BBEdit” on a worksheet to visualize it.)
Because chats depend heavily on history, a worksheet saves your prompts and the server’s responses. Thus, the document size will grow over time and context is preserved, even if you delete previous prompts and responses from the text area.
BBEdit ChatGPT worksheets are my favorite interface to ChatGPT in general, but they particularly shine when using ChatGPT for programming advice. It’s so convenient to have the chat in a freeform format right there in your text editor.
Other tentpole new features include a minimap palette, customizable cheat sheets, and significant improvements to “projects”. BBEdit remains my favorite app in the world. $60 for a new license, $30 to upgrade from an older version, or $4/month or $40/year from the Mac App Store.
See also: Michael Tsai and Jason Snell.