By John Gruber

• Archive
• The Talk Show
• Dithering
• Projects
• Contact
• Colophon
• Feeds / Social
• Sponsorship

Linked List: September 28, 2016

Wednesday, 28 September 2016

Shake Shack Founder Danny Meyer Introducing Apple Watch to the Hospitality Industry ★

Daniela Galarza, reporting for Eater:

When Meyer’s 30-year-old Union Square Cafe reopens in Manhattan next month, every floor manager and sommelier will be wearing an Apple Watch. And when a VIP walks through the front door, someone orders a bottle of wine, a new table is seated, a guest waits too long to order her or his drink, or a menu item runs out, every manager will get an alert via the tiny computer attached to their wrist.

It took a few years for the full potential of the iPhone to surface as an app platform. The same is proving true for Apple Watch. This system sounds very clever — and discreet.

Financial Times: ‘Spotify in Advanced Talks to Buy SoundCloud’ ★

Matthew Garrahan, Madhumita Murgia, and James Fontanella-Khan, reporting for the FT:

Spotify, the music streaming service, is in advanced talks to acquire SoundCloud, as competition heats up with Apple for the future of digital music, said people briefed on the discussions.

SoundCloud, which raised $100m in June from a group of investors including Twitter, was last valued at about $700m. […]

A deal between Spotify and SoundCloud, two of Europe’s top tech start-ups, comes as Silicon Valley titans such as Apple and Amazon have recently launched their own music streaming services, forcing independent players to consolidate to survive.

On paper this seems like a good match. Spotify is the leader in streaming music, but their library is based on acts signed to major record labels. SoundCloud has a strong foothold with indie music acts (although they’re not paying them), but their own streaming service can’t compete with Spotify, Apple Music, et al on major record label content.

NYT: ‘Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say’ ★

Nicole Perlroth and Vindu Goel, reporting for the NYT:

[Alex Stamos, Yahoo’s former chief information security officer], also dispatched “red teams” of employees to break into Yahoo’s systems and report back what they found. At competitors like Apple and Google, the Yahoo Paranoids developed a reputation for their passion and contributions to collaborative security projects, like Threat Exchange, a platform created by Yahoo, Dropbox, Facebook, Pinterest and others to share information on cyberthreats.

But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.

Mr. Stamos, who departed Yahoo for Facebook last year, declined to comment. But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer’s team for fear that even something as simple as a password change would drive Yahoo’s shrinking email users to other services.

The Times’s sources are really throwing Mayer under the bus. Sounds like it might be deserved, but man, this is brutal. This report has prompted a “What did Yahoo know and when did they know it?” inquiry from Senator Pat Leahy.

Rene Ritchie on Apple’s iMessage Metadata Logs ★

Rene Ritchie, writing for iMore:

My understanding is that, at some point, Apple’s iMessage engineers decided they needed to keep a metadata log in order to detect and fix problems with iMessage dispatch. […]

Doing dispatch properly is hard, and so engineers did what engineers do, and started collecting data to try and make it better. Because of privacy concerns, though, they only keep that data live for 30 days.

In other words, the logs are there for troubleshooting problems like when you switch a phone number from iOS to Android and iMessage users are still trying to send you iMessages instead of SMS messages.

30 days still seems like a long time to me, but I agree this is not surprising. And even if Apple didn’t keep these logs, they could be required to start keeping them under court order.

Phoneys ★

Sarah Perez:

Got iOS 10? Want to mess with your friends? A hilarious new iMessage App called Phoneys lets you prank others by sending stickers that look exactly like iMessage text bubbles. And thanks to the new layering feature in the updated version of iMessage, you can place these stickers — which say things like “My political views are totally wrong” or “I have terrible taste in music” — overtop your friend’s message to make it look like they texted these self-deprecating statements to you.

Yep, you can actually put words in your friend’s mouth, then laugh while they try to figure out if they’ve lost their mind, or their phone has been hacked.

This is very clever, and I can see how it could be damn funny, but I wouldn’t be surprised if Phoneys gets pulled from the App Store.

iMessage Contact Lookups Are Stored by Apple for 30 Days ★

Sam Biddle, writing for The Intercept:

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

It shouldn’t be surprising that Messages does a lookup on each phone number and email address you attempt to send an iMessage to. If there wasn’t some sort of directory lookup, how would the messages get routed? Here’s Apple’s own description, from their iOS Security Guide (page 41):

Users start a new iMessage conversation by entering an address or name. If they enter a phone number or email address, the device contacts the IDS to retrieve the public keys and APNs addresses for all of the devices associated with the addressee. If the user enters a name, the device first utilizes the user’s Contacts app to gather the phone numbers and email addresses associated with that name, then gets the public keys and APNs addresses from the IDS.

IDS is Apple’s directory service. What’s unclear is why Apple is keeping a log of these lookups for 30 days. Biddle’s article, and the leaked law enforcement document upon which his reporting is based, only mentions phone numbers, but I think it’s almost certainly the case that the same information is logged for email address Apple IDs. Also worth pointing out: these logs don’t even indicate whether the sender ever communicated with the receiver — only that they looked up that phone number or email address in Messages. You know when you type a phone number in the To: field in Messages and it turns from green to blue? That’s the lookup that gets logged.

Maybe I’m missing something but it seems like Apple would be better off flushing these logs at much shorter intervals. The only reason I can think of to log them is for fraud detection — to aid in identifying bad players who are attempting to spam a list of Apple IDs. There must be a better way to do that.

Update: This didn’t occur to me yesterday, but a few readers have suggested that these 30-day logs could be useful when investigating claims of abuse.

Zero Day: ‘How One Amazon Kindle Scam Made Millions of Dollars’ ★

Fascinating exposé by Zack Whittaker, reporting for Zero Day:

Moore was just one of hundreds of pseudonyms employed in a sophisticated “catfishing” scheme run by Valeriy Shershnyov, whose Vancouver-based business hoodwinked Amazon customers into buying low-quality ebooks, which were boosted on the online marketplace by an unscrupulous system of bots, scripts, and virtual servers.

Catfishing isn’t new — it’s been well documented. Some scammers buy fake reviews, while others will try other ways to game the system.

Until now, nobody has been able to look inside at how one of these scams work — especially one that’s been so prolific, generating millions of dollars in royalties by cashing in on unwitting buyers who are tricked into thinking these ebooks have some substance.

Shershnyov was able to stay in Amazon’s shadows for two years by using his scam server conservatively so as to not raise any red flags.

What eventually gave him away weren’t customer complaints or even getting caught by the bookseller. It was good old-fashioned carelessness. He forgot to put a password on his server.

Sounds like it’s time for the U.S. Department of Justice to investigate iBooks again.

Apple to Create Stunning New London Headquarters at Battersea Power Station ★

Jonathan Prynn, reporting for The London Evening Standard:

Apple is to create a spectacular new London headquarters at Battersea Power Station in a massive coup for the developers behind the £9 billion project.

The iPhone and iPad maker will move 1,400 staff from eight sites around the capital into what it calls “a new Apple campus” at the Grade II* listed former electricity generator.

Its employees will occupy all six floors of office space in the brick “cathedral of power”, which is being painstakingly restored after 33 years standing derelict on the banks of the Thames.

Looks like a majestic building at a great location.

*Update: I knew I’d seen it before. Battersea Power Station is the building on the cover of Pink Floyd’s Animals.

Michael Tsai’s Mac Terminal Tips ★

I wasn’t aware of any of these shortcuts.

Update: If you liked this, you’ll love this 2014 list of Terminal tricks and tips from Craig Hockenberry.

U.S. Consumer Product Safety Commission Issues Warning Regarding Samsung Washing Machine Explosions ★

Jill Disis, reporting for CNN Money:

The warning comes more than a month after Samsung was hit with a federal class-action lawsuit by customers who said their machines had exploded during use.

Customers in Texas, Georgia and Indiana all said they were washing clothes when they heard a violent boom. A washer belonging to a McAllen, Texas, woman “exploded with such ferocity that it penetrated the interior wall of her garage,” according to court filings. A woman in Dallas, Georgia, said it felt and sounded as if “a bomb went off.”

The lawsuit, filed in federal court in New Jersey, references similar reports collected by local news and filed online with regulators. It also claims Samsung “has moved aggressively to collect and destroy all evidence of the defective machines” after they exploded.

It’s the lawsuit filed by these people claiming their washing machines exploded that claims Samsung “has moved aggressively to collect and destroy all evidence of the defective machines”, not the Consumer Product Safety Commission, but that’s a pretty serious allegation. Rough month for Samsung.

BlackBerry Misses Sales Estimates; Stops Making Smartphones ★

The end of an era. There still will be BlackBerry-branded handsets, but they’ll be made and distributed by other companies.