By John Gruber

• Archive
• The Talk Show
• Dithering
• Projects
• Contact
• Colophon
• Feeds / Social
• Sponsorship

The European Union’s Interinstitutional Style Guide on Boldfacing for ‘Emphasis’ ★

Here’s an interesting bit of follow-up. Last month, when linking to the European Commission’s announcement of “two specification proceedings to assist Apple in complying with its interoperability obligations under the Digital Markets Act”, I wrote a sidenote on the EC’s seemingly willy-nilly use of boldface text:

Honest question: Can someone explain to me the Commission’s use of boldfacing? In the first 265 words of the press release, 66 of them are bold, across 13 different spans. They seemingly use boldfacing the way Trump capitalizes words in his tweets: indiscriminately. I find it highly distracting, like trying to read a ransom letter. It’s not just this press release, they do it all the time.

It turns out, the EU publishes an Interinstitutional Style Guide, and it has an entire entry on emphasis:

Bold type is often used in titles and headings. It can also be used in running text to show changes of subject, to highlight keywords or for emphasis in the same way that some other languages use italics. However, it should be used sparingly.

If the text is already in bold roman, words to be emphasised should be in light roman characters.

Do not overuse typographical variations for emphasis. It can have a detrimental effect on getting the message across quickly and clearly, as shown in the following examples.

Their examples, showing how overuse of boldfacing makes text harder to read, look exactly like the announcement that prompted my sidenote. Whoever writes these announcements from the Commission should read the EU’s own style guide and follow its advice.

See Also: The EU style guide’s entry on italics, which they reserve for purposes other than emphasis.

FIDO Alliance Is Working on Making Passkeys Portable Across Platforms ★

Tim Hardwick, reporting for MacRumors:

The FIDO Alliance is developing new specifications to enable secure transfer of passkeys between different password managers and platforms. Announced on Monday, the initiative is the result of collaboration among members of the FIDO Alliance’s Credential Provider Special Interest Group, including Apple, Google, Microsoft, 1Password, Bitwarden, Dashlane, and others.

Passkeys are an industry standard developed by the FIDO Alliance and the World Wide Web Consortium, and were integrated into Apple’s ecosystem with iOS 16, iPadOS 16.1, and macOS Ventura. They offer a more secure and convenient alternative to traditional passwords, allowing users to sign in to apps and websites in the same way they unlock their devices: With a fingerprint, a face scan, or a passcode. Passkeys are also resistant to online attacks like phishing, making them more secure than things like SMS one-time codes.

The draft specifications, called Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF), will standardize the secure transfer of credentials across different providers. This addresses a current limitation where passkeys are often tied to specific ecosystems or password managers.

This initiative would address one of David Heinemeier Hansson’s primary complaints about passkeys, in a post I linked to earlier today.

Hardwick mentions un-phishability as an advantage of passkeys, and that’s very true. In fact, I think that was one of the primary selling points Apple emphasized when they introduced passkey support at WWDC two years ago. A scammer who gets a victim on the phone can’t trick them into revealing a passkey like they can with passwords or one-time numeric codes. But that use case is optimized for non-technical users.

A friend texted me with another argument for passkeys: it’s somewhat common for websites to break password autofill. Maybe it’s deliberate, in the name of fighting bots? But whether deliberate or not, with passkeys, they have to work with your browser’s connected password manager. So maybe passkeys are a net win for convenience, even for technically-knowledgeable users who are unlikely to fall for phishing scams.

Apple Passwords’ Generated Strong Password Format ★

Speaking of passwords, Ricky Mondello — who has long been a leading member of Apple’s “Authentication Experience” team — has an interesting blog post describing the algorithm Apple uses when it suggests new strong passwords:

To make these passwords easier to type on suboptimal keyboard layouts like my colleague’s game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That’s consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

And we weren’t going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format. And a little tidbit for folks who are trying to match our math — [note that] we actually have a dictionary of offensive terms on device that we filter these generated passwords against and we’ll skip over passwords that we generate that contain those offensive substrings.

I’ve noticed some of these details, like that the passwords are comprised of little “fake words” and are dominated by lowercase letters, but I hadn’t noticed all of them. It’s a bunch of clever little touches, all in the aim of making strong passwords that are convenient in odd situations (like typing them with a game controller).

DHH Argues Against Passkeys ★

David Heinemeier Hansson:

Yes, passwords have problems. If you’re using them without a password manager, you’re likely to reuse them across multiple services, and if you do, all it takes is one service with awful password practices (like storing them in plain text rather than hashing them with something like bcrypt), and a breach will mean hackers might get access to all your other services.

But just because we have a real problem doesn’t mean that all proposed solutions are actually going to be better. And at the moment, I don’t see how passkeys are actually better, and, worse still, can become better. Unless you accept the idea that all your passwords should be tied to one computing ecosystem, and thus make it hard to use alternative computers. [...]

Bottom line, I’m disappointed to report that passkeys don’t appear worth the complexity of implementation (which is substantial!) nor the complexity and gotchas of the user experience. So we’re sticking to passwords and emails. Encouraging opt-in 2FA and password managers, but not requiring them.

Passkeys seemed promising, but not all good intentions result in good solutions.

I don’t have strong feelings about passkeys, but I am vaguely unsettled by them. There’s no way to use passkeys without using a proper password manager, like Apple Passwords with iCloud Keychain, or 1Password. But if you’re using a proper password manager, your passwords should all be unique and random, and you should have convenient access to 2FA codes. So what’s the point of passkeys if they can only be used by people who are already using a good password manager? Perhaps the thinking is that too many users just can’t be budged from the risky habit of using passwords they have memorized, and passkeys are a way to break that habit because they can’t be memorized.

Also, I really dislike the practice of replacing passwords with email “magic links”. Autofilling a password from my keychain happens instantly; getting a magic link from email can take minutes sometimes, and even in the fastest case, it’s nowhere near instantaneous. Replacing something very fast — password autofill — with something slower is just a terrible idea. For people who actually prefer email magic links, it’s fine as an option, but it shouldn’t be the default, and it certainly shouldn’t be the only way to sign into an account.

Things Are Not Going Well at Automattic ★

Samantha Cole, reporting for 404 Media:

In July, before the latest WP Engine blowup, an Automattic employee wrote in Slack that they received a direct message from Mullenweg sending them an identification code for Blind, an anonymous workplace discussion platform, which was required to complete registration on the site. Blind requires employees to use their official workplace emails to sign up, as a way to authenticate that users actually work for the companies they are discussing. Mullenweg said on Slack that emails sent from Blind’s platform to employees’ email addresses were being forwarded to him. If employees wanted to log in or sign up for Blind, they’d need to ask Mullenweg for the two-factor identification code. The implication was that Automattic — and Mullenweg — could see who was trying to sign up for Blind, which is often a place where people anonymously vent or share criticism about their workplace.

“We were unaware that Matt redirected sign-up emails until current Automattic employees contacted our support team,” a spokesperson for Blind told me, adding that they’d “never seen a CEO or executive try to limit their employees from signing up for Blind by redirecting emails.”

That does not seem compatible with a culture of trust within a company. Cole also reports that Mullenweg has made another buyout offer this week, and is threatening employees who leak to the press. This very report from 404 Media, under the headline “Employees Describe an Environment of Paranoia and Fear Inside Automattic Over WordPress Chaos”, is not going to help. The whole situation is just very depressing.

Wednesday, 16 October 2024

The Secretive Dynasty That Controls the Boar’s Head Brand ★

Maureen Farrell, writing for The New York Times:

In May 2022, the chief financial officer of Boar’s Head, the processed meat company, was asked a simple question under oath.

“Who is the C.E.O. of Boar’s Head?”

“I’m not sure,” he replied.

“Who do you believe to be the C.E.O. of Boar’s Head?” the lawyer persisted.

The executive, Steve Kourelakos, who had worked at the company for more than two decades and was being deposed in a lawsuit between owners, repeated his answer: “I’m not sure.”

It is odd, to say the least, when a top executive of a company claims not to know who his boss is. And Boar’s Head is no fly-by-night enterprise. The company is one of the country’s most recognizable deli-meat brands; it generates what employees and others estimate as roughly $3 billion in annual revenue and employs thousands of people.

There’s secretive, and then there’s secretive.

Tuesday, 15 October 2024

Apple Announces New iPad Mini, With A17 Pro and Pencil Pro Support ★

Apple Newsroom:

Apple today introduced the new iPad mini, supercharged by the A17 Pro chip and Apple Intelligence, the easy-to-use personal intelligence system that understands personal context to deliver intelligence that is helpful and relevant while protecting user privacy. With a beloved ultraportable design, the new iPad mini is available in four gorgeous finishes, including a new blue and purple, and features the brilliant 8.3-inch Liquid Retina display. A17 Pro delivers a huge performance boost for even the most demanding tasks, with a faster CPU and GPU, a 2× faster Neural Engine than the previous-generation iPad mini, and support for Apple Intelligence. The versatility and advanced capabilities of the new iPad mini are taken to a whole new level with support for Apple Pencil Pro, opening up entirely new ways to be even more productive and creative. [...]

Starting at just $499 with 128GB — double the storage of the previous generation — the new iPad mini delivers incredible value and the full iPad experience in an ultraportable design.

Interesting that it sports the A17 Pro, not the regular A17. Update: Whoops, I got my A-series numbers confused — the A17 Pro is the chip from last year’s iPhone 15 Pro models, and, notably, there was no non-“Pro” variant. Still, though: an interesting chip to use for iPad Mini. Here’s a link to the tech specs for the 2021 6th-gen iPad Mini for comparison.

Also interesting that it still uses Touch ID, not Face ID. Not surprising though — the iPad Mini has always been sort of, but not quite, a mini iPad Air. And in the iPad lineup, Face ID remains a Pro-exclusive feature.

Sunday, 13 October 2024

Sponsorship Openings at Daring Fireball, Q4 Edition ★

After being sold out for months, the upcoming sponsorship schedule at DF is unusually open at the moment — including this upcoming week.

Weekly sponsorships have been the top source of revenue for Daring Fireball ever since I started selling them back in 2007. They’ve succeeded, I think, because they make everyone happy. They generate good money. There’s only one sponsor per week and the sponsors are always relevant to at least some sizable portion of the DF audience, so you, the reader, are never annoyed and hopefully often intrigued by them. And, from the sponsors’ perspective, they work. My favorite thing about them is how many sponsors return for subsequent weeks after seeing the results.

If you’ve got a product or service you think would be of interest to DF’s audience of people obsessed with high quality and good design, get in touch. And again, this coming week remains open.

1Password ★

My thanks to 1Password — which, earlier this year, acquired longtime DF sponsor Kolide — for sponsoring last week at DF. In a 2023 survey of IT and security professionals, 50 percent of respondents said that their organization’s vulnerability management program had support from leadership to “a large/great extent”. That’s good for them. But it also leaves a full half of respondents without enough support from leadership.

If you’re trying to get buy-in at your own organization, come equipped with the facts about the risks you’re facing, and come with a clear plan to remediate them. To learn more about how vulnerability management is changing, read 1Password’s blog post, and come prepared.

Cabel Sasser’s Talk at XOXO 2024 ★

The less you know about this talk, the more you’ll enjoy watching it unfold. Just remarkably good. Trust me, watch it now, before anything about it is spoiled for you.

Mosaic Netscape 0.9 Was Released 30 Years Ago Today ★

Jamie Zawinski:

For those of you who are unaware of these finer details, 0.9 was the first release of the Netscape browser (which begat Firefox) available to the general public. This beta release was an unannounced surprise. Prior to this, everyone assumed that what we were doing was going to be a standard for-sale product where you sent off your $35 and then some time later got a disc in the mail with a license key. That we just said, “Here’s our FTP site, come get it, go crazy” was, at the time, shocking to people.

The thing that confuses people sometimes about new platforms is that while the platform and its clients are different things, you usually need both to be great for the whole thing to succeed. The World Wide Web, as conceived by Tim Berners-Lee, was and remains a remarkable, world-changing platform. But it really didn’t take off until Netscape hit. It was just such a great app, including on the Mac. It was the browser the web needed.

Friday, 11 October 2024

‘Elon Musk Makes Bold Claims About Tesla Robotaxi in Hollywood Backlot’ ★

Jonathan Gitlin, automotive editor at Ars Technica, on Tesla’s vaporware event last night:

Over time, Musk claimed the operating costs of his Cybercab would be 20 cents per mile, “and yes you’ll be able to buy one,” he told the crowd to excited shrieks. “We expect the cost to be below $30,000,” Musk said, before expounding on a business model where instead of the company owning and operating these allegedly revenue-generating assets itself, they are instead owned by private individuals who each give Tesla its regular cut. This week another four top executives left the company in advance of last night’s event, including “the global vehicle automation and safety policy lead.”

“It’s going to be a glorious future,” Musk said, albeit not one that applies to families or groups of three or more.

Musk claims that Tesla “expects to start” fully unsupervised FSD next year on public roads in California and Texas. A recent analysis by an independent testing firm found the current build requires human intervention about once every 13 miles, often on roads it has used before.

Donald Trump, Yesterday, on Autonomous Cars ★

Donald F. Trump, yesterday in Detroit:

“Do you like autonomous? Does anybody like an autonomous vehicle? Know what that is? Right? When you see a car driving along? Some people do, I don’t know. A little concerning to me, but the autonomous vehicles we’re going to stop from operating.”

This, on the very day Tesla was set to hold a high-profile event to promote autonomous vehicles. This, after Elon Musk dropped to his knees and begged for Trump’s approval — exactly as Trump predicted Musk would — at one of Trump’s Hitlerjugend rallies just last week.

It’s almost enough to make you think Trump is only in it for himself and will eventually betray and humiliate every single person who believes he’s on their side, and that his screws are now so loose that it only takes days, not weeks or months, for him to forget who his ostensible oligarchic allies are.

Why Are News Organizations Giving Any Credence to Elon Musk’s Claims About Tesla’s Previewed Self-Driving Taxi and Bus? ★

Abhirup Roy and Akash Sriram, reporting for Reuters:

CEO Elon Musk showcased on Thursday a long-awaited robotaxi with two gull-wing doors and no steering wheel or pedals and surprised with robovan, betting on a shift in focus from low-priced mass-market cars to robotic vehicles. At a glitzy unveiling, Musk reached the stage in a “Cybercab” to be produced from 2026 — eventually in high volume — and priced under $30,000. He then introduced the robovan which can carry up to 20 people though offered few further details.

But Musk, who has a record of missing projections — and himself said he tended to be optimistic with time frames — did not say how quickly Tesla could ramp up robotaxi production, clear inevitable regulatory hurdles or implement a business plan to leapfrog robotaxi rivals such as Alphabet’s Waymo.

Even with the disclaimer of Musk’s “record of missing projections”, this is far too much credence. The availability dates, the prices — they’re all just made up. It’s a complete distraction from the fact that Tesla is way behind. Waymo is actually operating in four cities today. Somewhere in San Francisco or Austin, there’s probably a Daring Fireball reader reading this post while riding in a self-driving Waymo.

Wake me up when Tesla ships any of these vehicles. Until then, stop using the present tense about any of it. It’s all vaporware for now. (And the stock market isn’t buying it — on a day when markets are flat, Tesla is down 8 percent as I type. Update: It closed down close to 9 percent for the day.)

Also: How stupid is a two-seat taxi? “Well, there are three of us, so we better hail two rides...” It makes no sense.

---

---

Thursday, 10 October 2024

Calvin’s Dad Explains the Pre-Color World ★

Given that Calvin and Hobbes is almost certainly the best (and almost more certainly, the most beloved) comic strip ever, it’s devilishly hard to pick a favorite. But this might be mine. I thought about it often as I raised my own son.

Update: I sent this one to my son, and he sent me this one back. My boy gets me.

Internet Archive Hacked, Data Breach Impacts 31 Million Users ★

Lawrence Abrams, reporting for Bleeping Computer:

Internet Archive’s “The Wayback Machine” has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!,” reads a JavaScript alert shown on the compromised archive.org site.

The text “HIBP” refers to is the Have I Been Pwned data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.

Hunt told BleepingComputer that the threat actor shared the Internet Archive’s authentication database nine days ago and it is a 6.4GB SQL file named “ia_users.sql”. The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

As if that weren’t enough to make for a bad week for the Internet Archive — a seemingly irreplaceable stalwart resource of the web — they’re also under a DDoS attack. Jason Scott, archivist at Internet Archive, on Mastodon:

Someone is DDOSing the internet archive, so we’ve been down for hours. According to their twitter, they’re doing it just to do it. Just because they can. No statement, no idea, no demands.

Humane, Not Dead Yet, Ships CosmOS 1.2 Update for AI Pin ★

Bethany Bongiorno, on X:

• insane battery life (17 hours with profiled usage)
• calendar recall
• speak in over 50 languages — in your own voice
• vision gesture for quick multi-modal questions
• playlist support
• timers, alarms, world clock
• touchcode gesture unlock
• pinpoint — locate your pin!

Sometimes all you can do is put your nose to the grindstone and keep plugging. But man, I don’t even hear jokes about the AI Pin any more. (Full change log.)

Alarmo — A New $100 Alarm Clock From Nintendo ★

Kind of crazy to create an alarm clock in this era of bedside phones, but like just about everything from Nintendo, it does seem fun. (Would seem a bit more appealing if it could serve as a Bluetooth audio speaker.)

Dan Riccio, Longtime Apple Hardware Executive, Is Retiring ★

Mark Gurman, reporting for Bloomberg:

Apple Inc.’s Dan Riccio, who oversaw the company’s push into mixed-reality headsets and previously served as its hardware engineering chief, is retiring.

The veteran executive, a vice president who reports to Chief Executive Officer Tim Cook, is leaving Apple this month, according to people with knowledge of the move. Employees in Riccio’s Vision Products Group, which includes a couple thousand engineers working on headsets and related technology, were told they would become the responsibility of John Ternus, Apple’s hardware boss.

Mike Rockwell, Riccio’s current lieutenant, will continue to lead the Vision Products Group on a day-to-day basis, said the people, who asked not to be identified because the changes aren’t public.

Gurman’s framing here in his lede could leave casual readers with the impression that Riccio is perhaps leaving because of the tepid consumer response to Vision Pro, but as Gurman subsequently mentions, this timeline was seemingly in the cards ever since Riccio stepped down as senior vice president of all hardware (a role now filled by John Ternus) in 2021.

Wednesday, 9 October 2024

Crazy Stupid Tech ★

A new website/newsletter from Om Malik and Fred Vogelstein:

Both of us together have followed Silicon Valley’s innovation engine for more than 50 years. We’ve seen a lot. But one observation stands out: The best ideas — the ones that launch meaningful companies — need to seem crazy and stupid at first.

Amazon, Google and Facebook are among the most powerful companies in the world today, but each of them seemed absolutely preposterous when launched. When Jeff Bezos started Amazon as an online bookstore 30 years ago, most didn’t even know what the internet was. Larry Page and Sergey Brin founded Google in 1998 when most believed search was going nowhere. In the 2000s, Mark Zuckerberg bet Facebook could fundamentally change the way billions of people used the internet — to share everything back when most were terrified about sharing anything.

It’s this messianic belief in a vision that makes many entrepreneurs so quirky — and so interesting. It takes a unique personality to spend years saying “I’m right” when most around you say “That’s wrong.”

Love this statement of purpose.

Moom 4 Is Excellent, But Not Available in the Mac App Store ★

Many Tricks:

Moom 4 is only available directly from Many Tricks; it is not available on the Mac App Store. If it were our choice, it would also be in the Mac App Store, but it’s not our choice.

Why isn’t it in the Mac App Store? Because the Mac App Store does not allow apps that aren’t sandboxed. And Moom 4 cannot be sandboxed, as its use of the Accessibility API makes that impossible. So how was Moom 3, which also uses the Accessibility API, on the Mac App Store? Simple: Moom 3 was in the store before Apple required all Mac App Store apps to be sandboxed, so it was allowed to remain in the store, as long as we never added new features.

If Apple ever changes the rules, we will submit Moom 4 for Mac App Store review, but until/unless those rules change, you can only get Moom 4 directly from us.

What a perfect example of the shortcomings of the Mac App Store. MacOS 15 Sequoia adds new window-tiling features that, on the surface, you might think Sherlock Moom — a longstanding Mac utility that automates window resizing/arranging. But Moom does so much more than Sequoia’s tiling features. It’s a fabulous utility from a great developer, but Many Tricks isn’t allowed to offer it through the Mac App Store.

Microsoft’s Final Surface Duo Software Update ★

Zac Bowden, writing for Windows Central:

The Surface Duo 2 has just received its likely final security update, marking an end to Microsoft’s brief return to the smartphone market. The company originally launched Surface Duo 2 in October 2021, and promised to support the product with software updates for three years. Microsoft was only able to deliver one major Android version update in that time, a pitiful number for a $1,500 device.

It wasn’t that Microsoft was only able to deliver one major Android version update in 3 years. They’re Microsoft, for chrissakes. It’s that they could only be bothered to deliver one major upgrade. Commitment is vastly underestimated in the hardware game.

CoverSutra (I Think!) Is Returning ★

Fun Halloween-themed teaser.

Home Depot Is Slowly Rolling Out Apple Pay Support ★

Chance Miller, writing for 9to5Mac:

According to multiple 9to5Mac readers and reports across social media, Home Depot has also recently started rolling out Apple Pay support. Home Depot has been a major Apple Pay holdout, resisting pressure from its customers to add support for Apple’s tap-to-pay platform. Notably, Lowe’s — Home Depot’s biggest competitor — began rolling out Apple Pay support last December. It certainly seems possible that this move by Lowe’s put pressure on Home Depot to change its strategy.

Home Depot hasn’t commented on this change in policy, and the details of the rollout aren’t explicitly clear. It appears to be a very gradual rollout that started at a small number of locations over the summer and has recently picked up momentum. Your mileage may vary for the time being, though.

I could be completely wrong, but I don’t think Home Depot was ever opposed to Apple Pay. I just think they bought into a weird point-of-sale system that didn’t support it. They’re weird terminals. And I suspect what’s happening now isn’t a come-to-Jesus moment regarding Apple Pay in particular, but a replacement of those crummy POS terminals with new ones that do support Apple Pay.

Walmart is still the biggest Apple Pay holdout by a wide margin, and the company has shown no signs of changing its tune.

With Walmart, I do think it’s strategic that they don’t support Apple Pay. I think it’s wrongheaded though, and they’ll change their minds sooner (probably) or later. Walmart, just a few years ago, was spearheading the dumbass CurrentC “pay via QR code” system. Apple Pay, from a user’s perspective, is just a private way to pay via credit or debit card — no more, no less. Whatever strategic reasons Walmart has to oppose it — which I think boil down to wanting customers to instead use a Walmart-proprietary digital payment system — aren’t worth it.

Tuesday, 8 October 2024

Apple Hosted a ‘Cozy’ Mini WWDC for VisionOS ★

Todd Heberlein:

Cozy mysteries are a genre of crime fiction where the stories take place in small, socially intimate communities, and any violence is limited or happens offscreen. Yesterday, I experienced a “Cozy WWDC,” and it was wonderful!

The event took place in an intimate setting with about 170 developers. There were no highly produced skits, no jabs at the competition, no speculative non-existent products designed to make the media and influencers lose their shit, and no media. The event, titled “Envision the Future: Build Great Apps for visionOS,” was held at the Apple Developer Center in Cupertino on October 2nd.

It focused solely on visionOS and spanned just one day.

The presenters were live. Many wrote code and showed the results live. Sometimes demos didn’t work the first time.

I have heard from a few other attendees that this was an excellent and very productive little event.

Transmit Drops Support for Google Drive Because of Google’s Overbearing Annual Code Inspections ★

Panic:

Well, Google has a new set of policies that require apps that connect to Google Drive to go through expensive, time-consuming annual reviews, and this has made it extremely difficult for us to reasonably maintain Google Drive access. You may have seen iA Writer’s announcement that they are stopping development of their Android version for similar reasons. Our experience was different, but our circumstances are similar. [...]

Between the weeks of waiting, submitting the required documentation and the process of scanning the code, it took a significant amount of time from our engineers. For example, Google provided a Docker image for running the scanner, but it didn’t work. We had to spend more than a week debugging and fixing it. And because the scanner found no problems, it didn’t result in any improvements to Transmit. No one benefitted from this process. Not Google, not Panic, and not our users. [...]

But then… a couple of months later, Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review. They promised a discounted minimum price, but no maximum price. We realized that either we’d most likely be paying someone else a chunk of cash to run the same scanner we were running, or our bill would end up much higher.

Never been gladder that I don’t use Google Drive for anything.

The New York Times, Finally: ‘Trump’s Rambling Speeches Reinforce Question of Age’ ★

Peter Baker and Dylan Freedman, reporting for The New York Times, with the conspicuous absence of Maggie Haberman from that shared byline:

Former President Donald J. Trump vividly recounted how the audience at his climactic debate with Vice President Kamala Harris was on his side. Except that there was no audience. The debate was held in an empty hall. No one “went crazy,” as Mr. Trump put it, because no one was there.

Anyone can misremember, of course. But the debate had been just a week earlier and a fairly memorable moment. And it was hardly the only time Mr. Trump has seemed confused, forgetful, incoherent or disconnected from reality lately. In fact, it happens so often these days that it no longer even generates much attention.

He rambles, he repeats himself, he roams from thought to thought — some of them hard to understand, some of them unfinished, some of them factually fantastical. He voices outlandish claims that seem to be made up out of whole cloth. He digresses into bizarre tangents about golf, about sharks, about his own “beautiful” body. He relishes “a great day in Louisiana” after spending the day in Georgia. He expresses fear that North Korea is “trying to kill me” when he presumably means Iran. As late as last month, Mr. Trump was still speaking as if he were running against President Biden, five weeks after his withdrawal from the race.

Better late than never, but if it were Joe Biden who had rambled on about “the audience going crazy” at a debate that had no audience, the New York Times would have been all over it the next day, not a month later.

I don’t think Donald Trump was ever hooked up right. But he’s clearly losing the few marbles he ever had to dementia, just like his father did. The signs were clear during his 2017–2021 term in office:

John F. Kelly, his second White House chief of staff, was so convinced that Mr. Trump was psychologically unbalanced that he bought a book called “The Dangerous Case of Donald Trump,” written by 27 mental health professionals, to try to understand his boss better. As it was, Mr. Kelly came to refer to Mr. Trump’s White House as “Crazytown.”

Of course the Times had to both-sides this story, and this is who they found to do it:

Sam Nunberg, a former Trump political adviser, said he still talked with people who see him almost daily, and had not heard of any concerns expressed about the former president’s age. “I don’t really see any major difference,” he said. “I just don’t see it.”

Nunberg is the guy who showed up shitfaced drunk on half a dozen cables news appearances at the height of the Robert Mueller investigation. That’s the guy saying, sure Trump is OK in the head today.

If you haven’t watched Trump speak in a while — because you’re on team “fuck that guy”, like any sane voter — you should watch the video clips the Times culled for this piece. Like I said, I don’t think the guy was ever hooked up right, but it’s very clear he’s in serious decline today.

My suggestion to the Harris campaign is that they should repeatedly describe Trump as “an 80-year-old”, and force Trump surrogates to correct them that he’s “only” 78.

Two Russian YouTubers Post Videos Unboxing Purported M4 MacBook Pro Base Models ★

Joe Rossignol, writing for MacRumors:

The latest video of what could be a next-generation MacBook Pro was shared on YouTube Shorts today by Russian channel Romancev768, just one day after another Russian channel shared a similar video. The clip shows a box for a 14-inch MacBook Pro that is apparently configured with an M4 chip with a 10-core CPU and a 10-core GPU, 16GB of RAM, 512GB of storage, three Thunderbolt 4 ports, and a Space Black finish. [...]

The source of these leaks is unclear. Last week, “ShrimpApplePro” claimed that at least one of the unannounced 14-inch MacBook Pro units was apparently being offered for sale in a private Facebook group. In a follow-up post on X on Sunday, the leaker claimed that he saw someone online who was apparently advertising 200 of the unannounced 14-inch MacBook Pro units for sale, leading him to believe this leak originates from a warehouse. It is unclear if these details are accurate, but this whole situation is clearly very sketchy.

It’s somewhat weird that the box art is identical to that of last year’s M3 MacBook Pros, but I lean toward thinking these are real. Best guess is that someone stole 200 of these from China and some or all of them wound up in Russia? No sympathy for Apple here if that’s what happened — if you assemble your products in a dictatorship, stuff like this is bound to happen. Kinda surprising it hasn’t happened with iPhones, which would garner far more attention and value a month ahead of launch. That it hasn’t happened with iPhones probably indicates that Apple puts more security around them than they do MacBook Pros.

Apple Tweaks Screen Recording App Permissions in MacOS 15.1 Beta ★

Juli Clover, MacRumors:

In the release notes for the sixth beta of the macOS Sequoia 15.1 update, Apple says that users aren’t going to see as many popups for apps they regularly use.

Applications using our deprecated content capture technologies now have enhanced user awareness policies. Users will see fewer dialogs if they regularly use apps in which they have already acknowledged and accepted the risks.

Why in the world didn’t Apple take regular use of a screen-recording app into account all along?

Monday, 7 October 2024

The Talk Show: ‘An Acoustic Nightmare’ ★

Tyler Stalman joins the show to discuss the iPhone 16 lineup’s cameras, and the state of iPhone photography.

Sponsored by:

• Squarespace: Make your next move. Use code talkshow for 10% off your first order.
• Memberful: Monetize your passion with membership. Start your free trial today.

Judge Bends Google Over the Barrel in Final Epic v. Google Ruling ★

Sean Hollister, writing for The Verge:

Google’s Android app store is an illegal monopoly — and now it will have to change. Today, Judge James Donato issued his final ruling in Epic v. Google, ordering Google to effectively open up the Google Play app store to competition for three whole years. Google will have to distribute rival third-party app stores within Google Play, and it must give rival third-party app stores access to the full catalog of Google Play apps, unless developers opt out individually.

These were Epic’s biggest asks, and they might change the Android app marketplace forever — if they aren’t immediately paused or blocked on appeal. And they’re not all that Epic has won today. Starting November 1st, 2024, and ending November 1st, 2027, Google must also:

• Stop requiring Google Play Billing for apps distributed on the Google Play Store (the jury found that Google had illegally tied its payment system to its app store)
• Let Android developers tell users about other ways to pay from within the Play Store
• Let Android developers link to ways to download their apps outside of the Play Store
• Let Android developers set their own prices for apps irrespective of Play Billing

If this ruling holds on appeal, it’s a real loss for Google, not a token loss.

Update: Regarding the bit in the first paragraph above, about rival app stores getting access to all apps in the Play Store unless the developers opt out, I was originally confused how this could possibly work. I should have read the injunction first. It states:

For a period of three years, Google will permit third-party Android app stores to access the Google Play Store’s catalog of apps so that they may offer the Play Store apps to users. For apps available only in the Google Play Store (i.e., that are not independently available through the third-party Android app store), Google will permit users to complete the download of the app through the Google Play Store on the same terms as any other download that is made directly through the Google Play Store. Google may keep all revenues associated with such downloads. Google will provide developers with a mechanism for opting out of inclusion in catalog access for any particular third-party Android app store. Google will have up to eight months from the date of this order to implement the technology necessary to comply with this provision, and the three-year time period will start once the technology is fully functional.

This is far less radical a dictum than Hollister’s description led me to believe. What Judge Donato is demanding is effectively pass-through to the actual Play Store listing for any apps and games that aren’t available in a third-party app store. So if you search in the Brand X app store for “FooApp” but FooApp isn’t available in the Brand X store, Brand X’s store app can let you install and download FooApp from the Play Store. But that counts as a regular Play Store installation. It’s just a way to encourage users of third-party stores to search those stores first, even though the vast majority of apps will likely remain exclusively in the Play Store.

Chinese Government Hackers Compromise ‘Back Door for the Good Guys’ in U.S. Communication Networks ★

Sarah Krouse, Dustin Volz, Aruna Viswanatha, and Robert McMillan, reporting for The Wall Street Journal:

For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk. The attackers also had access to other tranches of more generic internet traffic, they said. Verizon Communications, AT&T and Lumen Technologies are among the companies whose networks were breached by the recently discovered intrusion, the people said.

The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon. It appeared to be geared toward intelligence collection, the people said. [...]

The surveillance systems believed to be at issue are used to cooperate with requests for domestic information related to criminal and national security investigations. Under federal law, telecommunications and broadband companies must allow authorities to intercept electronic information pursuant to a court order. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.

This incident should henceforth be the canonical example when arguing against “back doors for the good guys” in any networks or protocols. It’s not fair to say that all back doors will, with certainty, eventually be compromised, but the more sensitive and valuable the communications, the more likely it is that they will. And this one was incredibly sensitive and valuable. There are downsides to the inability of law enforcement to easily intercept end-to-end encrypted communication, but the potential downsides of back doors are far worse. Law enforcement is supposed to be hard work.

We should rightfully blame China first for this attack — and the U.S. government ought to start treating such attacks by China as part of the second Cold War that they are, and retaliate in big ways — but secondary blame must go to Congress for passing the Communications Assistance for Law Enforcement Act (CALEA) in 1994, and to the FCC for broadening its interpretation a decade later. Verizon, AT&T, and the other companies whose networks were breached were — and remain — required by law to provide the back doors that the Chinese hackers exploited.

John Naughton on Dave Winer ★

John Naughton, writing for The Guardian:

Once the use of RSS feeds had become common, someone had the idea that audio files could be attached to them, and Dave implemented the idea with a nice geeky touch — attaching a song by the Grateful Dead. Initially the new technology was called audio blogging, but eventually a British journalist came up with the term “podcasting” and it stuck.

So Dave was present at the creation of some cool stuff, but it was blogging that brought him to a wider public. “Some people were born to play country music,” he wrote at one stage. “I was born to blog. At the beginning of blogging I thought everyone would be a blogger. I was wrong. Most people don’t have the impulse to say what they think.” Dave was the exact opposite. He was (and remains) articulate and forthright. His formidable record as a tech innovator meant that he couldn’t be written off as a crank. The fact that he was financially secure meant that he didn’t have to suck up to anyone: he could speak his mind. And he did. So from the moment he launched Scripting News in October 1994 he was a distinctive presence on the web.

One of Winer’s numerous aphorisms that resonates deeply with me: People return to places that send them away.

30 Years of Dave Winer’s Seminal Blog, Scripting News ★

Dave Winer:

Today is the 30th anniversary of this blog. Hola!

I did a roundup of thoughts when this blog turned 25. I stand by what I wrote then, but I’d add this. My blog started because I needed content to test a script I had written that sent emails on my Mac using Eudora, which was an early scriptable app and I had a nice scripting system that worked with it. I looked around for something to send (30 years ago today), and shot out an email to the people whose business cards I had collected at various tech conferences. It was a thrill, so I did it again, and again and three more times, before I realized hey I could use this thing to get my own ideas out there. And thus began this thing that I still do to this day. Look at the two posts I wrote about WordPress in the last few days. There may be hope to find a blogosphere buried somewhere in there. And it may be possible to give them some sweet new writing tools so they can get excited about writing on the web the way we did all those years ago. I actually am kind of optimistic about that. Maybe we can stand up something in the midst of the noise. When we booted up podcasting, approx 20 years ago, we had a slogan — “Users and developers party together.” It worked! That is still the way I want to build stuff, it’s the only way I know how to do it. Blogging started out as a programming adventure and eventually became a form of literature. How about that. I’m up for doing more of that if you all are. But please expect to make contributions, don’t expect it all to come to you for free, because as we know nothing really is free.

Winer is rightfully renowned for his technical achievements — outliners as an application genre, RSS in general, and RSS in the specific context of podcasting in particular — but what’s kept me reading Scripting News for the entirety of Scripting News’s 30-years-and-counting run is his writing. He has such a distinctive writing voice that is impossible to imagine in any medium other than the web. But I think that’s because he helped define what writing not just on the web, but for the web, even meant.

Thanks for it all, Dave.

Croissant 1.0 ★

Aaron Vegh and Ben Rice McCarthy (of Obscura renown) have teamed up to create Croissant, a new app — currently iPhone-only — for cross-posting to Mastodon, Threads, and Bluesky. 15 years ago I wrote “Twitter Clients Are a UI Design Playground” and that piece stands up, but it’s not Twitter/X in particular (certainly not anymore — X support is conspicuously omitted from Croissant’s current lineup up supported platforms), but tweet-like platforms in general. Croissant proves that this domain remains a UI playground. It’s both visually distinctive and intuitively familiar, with a fun and fluid UI. It’s the sort of app that I want to find reasons to use.

Free to download and try with a single account; $3/month, $20/year, or $60 as a one-time purchase for multi-account support, which is where Croissant really shines.

See also: Dan Moren at Six Colors, John Voorhees at MacStories, and Nick Heer at Pixel Envy.

Saturday, 5 October 2024

WorkOS ★

My thanks to WorkOS for, once again, sponsoring the week at Daring Fireball. WorkOS is a modern identity platform for B2B SaaS. Start selling to enterprise customers with just a few lines of code. Ship complex features like SSO and SCIM (pronounced skim) provisioning in minutes instead of months.

Today, some of the fastest growing startups are already powered by WorkOS, including Perplexity, Vercel, and Webflow.

For SaaS apps that care deeply about design and user experience, WorkOS is the perfect fit. From high-quality documentation to self-serve onboarding for your customers, it removes all the unnecessary complexity for your engineering team.

CNBC: ‘WordPress CEO Matt Mullenweg Goes “Nuclear” on Silver Lake, WP Engine’ ★

Another good overview of the Automattic/WP Engine saga, this one from Ari Levy at CNBC:

Mullenweg may be openly enthusiastic and grateful for the employees he still has on board, but the WordPress community is a mess. Many WP Engine customers are suffering, and Automattic is gearing up for a legal fight against a private equity firm with over $100 billion in assets.

Hard not to be reminded, somewhat, of the righteous indignation fueling Steve Jobs’s end of life crusade against Google for creating Android. Some big fundamental differences, of course. WordPress is GPL open source and iOS isn’t open at all. It’s the righteous fervor of the founder/leader of the company that’s reminiscent.

The Verge Summarizes the Nasty WordPress/Automattic/WP Engine Feud ★

Emma Roth does the yeoman’s work of summarizing the complex and fast-moving legal feud between WordPress’s commercial arm and WP Engine, a major WordPress hosting provider:

Over the past several weeks, WordPress cofounder Matt Mullenweg has made one thing exceedingly clear: he’s in charge of WordPress’ future.

Mullenweg heads up WordPress.com and its parent company, Automattic. He owns the WordPress.org project, and he even leads the nonprofit foundation that controls the WordPress trademark. To the outside observer, these might appear to be independent organizations, all separately designed around the WordPress open-source project. But as he wages a battle against WP Engine, a third-party WordPress hosting service, Mullenweg has muddied the boundaries between three essential entities that lead a sprawling ecosystem powering almost half of the web.

To Mullenweg, that’s all fine — as long as it supports the health of WordPress long-term.

See also: Mullenweg’s “alignment” offer to Automattic’s nearly 1,900 employees.

Friday, 4 October 2024

Why Is Jack Smith’s Unsealed Motion, Outlining Trump’s Criminal Actions to Overturn the 2020 Election, Not the Top Story? ★

Taegan Goddard, writing at Political Wire:

It’s worth recalling that a major reason Trump won in 2016 was that, just before the election, news broke about emails related to a closed investigation into Hillary Clinton’s emails being found on Anthony Weiner’s computer, the estranged husband of a top Clinton aide.

In the end, nothing came of this discovery, but the extensive news coverage of it almost certainly swayed the election. It was the top story in every major newspaper.

But this new evidence presented against Trump wasn’t even the lead story in the New York Times or Washington Post this morning. And it didn’t even make the front page of the Wall Street Journal or USA Today.

It’s true that millions of words have already been written about Trump’s attempt to overturn the 2020 election. But there was plenty of new information included in this filing which is directly relevant to the biggest news story this month.

This, I think, is entirely explained by the conventional wisdom that the U.S. news media is “liberal”, a decades-long work-the-refs strategy from Republicans. The truth is the news media is effectively in the tank for Trump, sanewashing his literal nonsense, outright lies, and violence-inspiring hate speech against even legal immigrants. But our major political news media remains so hyper-focused on appearing not to favor one political side over the other that it’s completely lost sight of what ought to be their north star: the truth. If the truth favors one party over the other, so be it. That’s the job of reporting the news.

The difference between how these same publications treated Hillary Clinton’s “but her emails” nonsense in 2016 compared to Jack Smith’s motion this week could not be more stark.

Update: If you prefer, imagine if a special counsel appointed by the Attorney General submitted a brief alleging any crimes at all committed by Kamala Harris. Let’s say personal tax evasion — crimes, but insignificant compared to multiple attempts to overthrow the results of the last presidential election. The major U.S. newspapers and cable channels would have covered nothing else in the days since. Yet for this brief laying out copious evidence that Trump attempted the worst crime imaginable against U.S. democracy itself, it’s relative crickets chirping and shoulder shrugs. Remember too that Trump is already a convicted felon. If Harris had been convicted of a felony this year, do you think it would be mentioned more frequently in news stories than it actually is for Trump? If you don’t, I have a bridge to sell you.

MLB Sold Ads on Players’ Batting Helmets for the Postseason ★

I missed this announcement from MLB a month ago:

Major League Baseball today announced a new multi-year international partnership with European workwear leader STRAUSS that makes the German company the Official Workwear Partner of MLB. The partnership marks STRAUSS’ first league-wide deal in the United States. STRAUSS entered the U.S. market in late 2023, and American brand awareness is the cornerstone of its marketing efforts. The new partnership also affords STRAUSS marketing rights with MLB across Canada, Mexico and Europe. As part of the deal, STRAUSS’ name and logo will adorn MLB batting helmets during the Postseason and regular season games in Europe, as well as MiLB batting helmets all season long, beginning in 2025.

But I couldn’t miss it watching postseason games on TV this week: there’s a ridiculous-looking “Strauss” on both sides of every player’s batting helmet now, as prominent as the team logo on the front. It looks even more desperate and obsequious on the helmets than it does printed in all-caps in MLB’s bootlicking press release. This is the sort of gimmick you expect from a struggling independent minor league team, not Major League Baseball.

They should’ve put the rights to these on-helmet ads up for public auction. I’d have chipped in for a fan-backed initiative to buy that on-helmet ad space to affix this slogan: “FIRE ROB MANFRED”.

---

---

---