I purchase music outright because I'm old. I often buy from what at least used to be called the iTunes Music Store. The biggest advantage for me for doing so over, say, buying from Amazon or directly from the artist's site (which I often do, or buy from Bandcamp if available), is that Apple Music will stream those songs for me even if I didn't download them locally, so they're accessible any time I have an Apple device (or Windows!) and a network connection.

Well, almost. It doesn't work from my HomePod, you know, the device I spent a few hundred bucks on TO PLAY MUSIC.

All these phrases except maybe one used to work at some point. It used to be I could use the magic phrase "from my library" and get things to work, or say the name of a specific album. No longer!

And "shuffle my library" used to always work even when nothing else did. I'd sometimes get shuffle even when asking for something specific -- and Siri would tell me so before ignoring what I'd really requested ("Now playing your music library shuffled"). That shuffling the full library worked always drove me crazy because it'd tell me the music was there, Siri just wasn't going to play the way I wanted it.

Anyhow, the main course (Warning: this may say "Hey Siri" several times and light up as many Apple devices as you have within listening range):

Transcript:

Me: Hey Siri, play The Warning from my library.

Siri: The Warning Now Playing.

Also Siri: Sorry, there was a problem with Apple Music.

Me: Hey Siri, play Keep Me Fed.

Siri: Now playing Escapism by The Warning.

Me, silently: [Escapism? Isn't that the sixth song on the...]

Also Siri: Sorry, there was a problem with Apple Music.

Me: Hey Siri, play The Rolling Stones.

Siri: Here's The Rolling Stones.

Also Siri: Sorry, there was a problem with Apple Music.

Me: Hey Siri, shuffle songs from my... library.

Siri: Playing all songs, shuffled.

LONG PAUSE

Siri: Sorry, there was a problem with Apple Music.

I think that's a clear QA fail. Shouldn't these be well-established "user stories" by now? If they worked before, someone made it work. Did they do that on their own time or were they asked to? What happened to those tests? Why aren't those scenarios tested any more?

Like, I get it. I'm a dinosaur in a way that hasn't become cool again. I'm reminded of this Twitter ad I saw from the RIAA (boo! hiss!) last week (Oct 23rd):

I AM the 2%! There's are dozens of us...

Still, I think back to that picture of Jobs with the Tiffany lamp and hifi. Today's Apple seems to have completely lost the thread of Steve Jobs' "Thoughts on Music".

It continues. On Apple's HomePod feedback page, the most recent HomePod OS version you can select is 16.5. Mine, after searching the Home app for a while, is apparently on 17.6 and is downloading 18 now. How much money does this company have again?

Labels: apple, apple fail, Apple Music, homepod, siri

From stackoverflow.com:

Taken from MSDN's page on InvalidOperationException: "InvalidOperationException is used in cases when the failure to invoke a method is caused by reasons other than invalid arguments." 

– STW

 Commented Apr 21, 2009 at 19:44

I often forget what the "right" exception is to throw when it's not an argument issue -- and linters are getting better at reminding me not to be lazy and to stop using Exception with no subtype. "Code is evidence of the beliefs of its authors" after all.

I suppose InvalidOperationException is as good a fallback as any.

Labels: c#, noteToSelf

TL;DR -- If you Ikea stiffed you some 101350 fluted dowels, you can buy 5/16" dowels from Home Depot, 50 for under $4.

Depending on the precise usage, however, you may have to cut them down.

One of the funniest things about Ikea is that they're scamming all sorts of bougie yuppies to save Ikea the cost of actually assembling furniture. Don't get me wrong: They're maestros at making it so most anyone who's walked past someone with a handy gene can, with enough desire, get from flatpack to functional in an hour. Still, if you're Ikea, you've got all sorts of schmoes who clock $80+ an hour at their place of employment doing $15 an hour work for you, for free. That's an amazing ability to employ the most widely distributed micro-gig workforce, allowing you to have tons more in your warehouses, save crudloads on shipping, etc etc.

But, you know what, I really enjoy putting them together. There's something about assembling the furniture that's very Lego-like, which might not be too surprising, as the companies' headquarters are a long but doable drive away from each other. Must be in the water.

Setting out space, putting together a minimalist's toolset, and solving a beginner's level brainteaser seems a small price to pay for furniture that... isn't embarrassing. Probably won't get listed by name in your will, but functionally excellent. I've put together a wide swath of Ikea choices over the years, from a kitchen table for six, with a leaf that lets it expand to eight that was so easy to assemble that it should have the Ikea label taken off, to a chest of drawers (and its slimmer sidekick, apparently no longer available) whose drawers really do slide open and closed with a special grace on those Ikea rails, to a loft/desk/closet unit with ladder for a kid that, um, was more complex to assemble.

Anyhow, as one does, I recently got a Tarva queen-sized bedframe, which comes with slats in place of box springs for $149. I've got an extra mattress and space for a bed, so... why not?

Opening it up, I was already impressed. What seemed like a great deal also seemed like $40 of plywood sitting on my bedroom floor. I mean, there's some metal for support rails and the fancy slats, but Ikea has to maintain a decent profit margin. Like it's literally just a bunch of 1"x4"s and 1.5"x1.5"s with nicely predrilled holes.

Not patient enough to stain the pine, which is likely a mistake, I did the usual.

1. Open box.
2. Toss aside cardboard packing spacers.
3. Organize pieces by material.
4. Open plastic bags of small things.
5. Separate small things into matching groups.
6. Scan the page in the instructions depicting the small pieces with the faintest attention. (This will be important later.)
7. Start following instructions.

Problem: I got to step 7. of the Tarva instructions and noticed I didn't have enough dowels. Like not nearly enough. I didn't notice until I had one side assembled and screwed down, but if I only used one dowel for every two indicated on the second side, I'd make it. So that's what I did, and tightened everything up.

Well, until I got to step 9, where I needed four more. So I gave up, feeling guilty I'd skimped on the headboard anyway, and took that last half of the headboard that only had half the dowels intended back apart.

Options:

1. Call Ikea and hope they'd mail me some dowels before, well, before too long.
2. Wait until I'm back near an Ikea, the closest being about 3 1/2 hours' drive away.
3. Find another dowel source.

So after taking one of the dowels with me to Home Depot, it turns out the 5/16" dowels they carry are right close, and almost exactly the right diameter. Fifty count for under $3.50!! That's got to less trouble than the cost of my time bugging Ikea for freebees.

Took them home, opened them up, and started in. Now they're a little longer than the Ikea part number 101350 dowels, but I'd noticed putting it together that longer might've be better anyhow, because leaving the dowels more than half-way out had let me catch just the end of each, making pushing the side board down and together easier. Or so I thought.

I put them in each missing hole on the middle, inner board and pushed the headboard slats in. No problem! Worked fine! Makes some sense. If you need a couple different sizes of dowel, but one length would be within tolerance and make do for each of those usages, of course Ikea just gives you a ton of the universal fit dowel. Saves them money and makes it easier for you now that you don't have to keep them organized by size. The Home Depot dowels are just over a quarter-inch longer. They work fine on the inside of the slats. That means they likely should work as-is all over!

Oops. That is what we call in the Ikea trade "an insurmountable gap".

So here's the deal: The holes on the inside can take longer dowels, but the holes on the outside can't. The drilled holes aren't deep enough. Two options.

• Remove all the short dowels from the inside of the slats and replace with longer ones, then use those short ones on the outside.

Downside: I'd still come up three dowels short. For this to really work, you'd need to take the first half of backboard slats back apart.

For some reason I really hate taking things apart that have been put together "right" already.

... orrrrrr ...

• Cut down some of the longer dowels.

You can guess what I did. First I put aside four Ikea dowels for the step 9 (having discovered that some usages require the regulation-length Ikea dowels, I didn't want to risk it on unknown step 9), I pulled out all the short dowels on the inside of the headboard with my teeth, just like you should when the Home Depot dowels say "Warning: Carcinogen" (hopefully Ikea dowels aren't made of the same stuff?), and went outside to hacksaw three Home Depot dowels down to Ikea 101350 dowel height.

Long story only slightly shorter: It worked! I cut the dowels down to match the stock 101350 length and poof! Didn't even have to whittle down the edges to fit; they went right in. After a bit of lining things up, the pieces went together and tightened up without a fight.

So, again, a trip to Home Depot, $3.50, and only another hour of my time and look! I didn't even have to call Ikea and wait for them to send me the missing dowels! What a bargain. And, once I got done with Tarva step 7 fully doweled, I even went ahead and finished up steps 9, 10, and 12 [sic] before writing this and going to sleep!

Good thing I got those dowels at Home Depot and saved so much time. I'm obviously in a real hurry.

Labels: ikea, Other Stuff, problem solved

From the Nikkor - The Thousand and One Nights Collection's 13th night (ostensibly about the <New> Reflex-Nikkor 500mm F8, which I may have recently purchased on eBay) at Nikon.com:

We used to call Mr. TSUNASHIMA with affinity and respect "Boss, TSUNASHIMA". Certainly, he was a big-brother type person and took thought for younger men. His dynamic manner did not limit to work-related things. Mr. TSUNASHIMA, who would play tennis for years, was a hard drinker equal to Mr. MORI, introduced in Tale Nine. Let me introduce you an episode of "Boss, TSUNASHIMA" at a drinking party.

It was about my freshman's time. At a drinking party on a company trip, several people (hard drinkers) of us were sitting in a circle and drinking sake (Japanese rice wine). Sake bottles were rapidly emptied one after another. The party really came alive and people's laughing voice and cheers echoed. Finally, all the sake bottles were emptied. So, Boss, TSUNASHIMA gave a cry to me, one of organizers, "Hey, SATO! Sake is empty." So I said, "Yes, sir," and brought several bottles of beer. Then, Boss, TSUNASHIMA exclaimed, "Hey, SATO! Is this really sake ?" I replied, "Well ?" Boss, TSUNASHIMA suggested, "Well, this is an alcoholic beverage called BEER, isn't it ?" So I knew that after all, a heavy drinker was different. The scales dropped from my eyes. I realized that I could not join in the party unless understanding their delicate manner and feelings.

That's, um, unexpected.

I've always thought reflex lenses were interesting, but always read about their poor image quality and small aperture, meaning you couldn't take very quick pictures in low light, so I never really gave them a serious thought.

But after buying a used, manual focus 300mm f/4.5 lens years ago and really enjoying using it on my D40, I've been a little less adverse about putting really old lenses on really new cameras.

I've got a few pictures on Wikipedia that I took during NFL games years ago, and kinda missed having my camera with me when I went to a game last week. But the rules have changed, and my old 80-200mm technically shouldn't be allowed in any more, since it's over the new rule of a max length of 5" on detachable lenses.

You can probably see where this is going. How can I get an ultratelephoto lens into an NFL game? Well, you get a 500mm reflex mirror lens that's 109mm long (so 4.3") to a bright arena without much in the way of shadows, and see what you've got.

We'll see how good of a specimen I bought when it arrives, and I'm a little worried about how narrow the depth of field is, but that does seem to go with the wide-open telephoto territory. I think the extra ISO digital allows will more than make up for the loss of one stop of maximum aperture.

Will be fun to give it a shot in any event. Don't know that I'll have much to report about sake or BEER, however, other than my absolute horror at how many $18 cans people around me seem to be downing. Seriously, dropping $50 to buy your best friends a round seems, um, a little steep.

And a little more context on why Mr. Tsunashima factored into what amounts to a blog on the history of Nikon's reflex lenses:

The optical system was designed by Mr. TSUNASHIMA, Teruyoshi of 1st Optical Section, Optical Designing Department (then). Mr. TSUNASHIMA ranked with Mr. MORI, Ikuo, introduced in Tale Nine, and Mr. SHIMIZU, Yoshiyuki, introduced in Tale Five, was one of the designers who built up the golden age of old Nikkor lenses.

He completed optical design of Reflex-Nikkor 500mm f/8 (New) in August 1982 and, later, obtained patent right both in U. S. and Japan.

Waiting until the time was ripe, the lens was on sale in spring of 1984, when trees put out leaves. The specifications of the lens, being light and compact and having amazingly short closest focusing distance of 1.5m, got publicity and accelerated the Reflex-lens boom of those days.

...

In other words, Mr. TSUNASHIMA designed the Reflex-lens in person, struggled to produce it in large quantities, and strictly controlled its quality by himself to put it on sale. Consequently, Mr. TSUNASHIMA participated in the own designed lens up to a stage just before shipment, which was the nearest stage to users.

Labels: Nikon, Other Stuff, photography, photos

Okay, I've had this open in drafts too long. I think it's got most of the info I wanted, so let's cut it loose for when I need it in the future.

I often take a different laptop with me when I'm travelling than whatever the "prime" development box is for a project, often to ensure I don't lose sensitive information if the laptop "disappears" while I'm out. When doing this, I usually copy the folder I'm working in, remotes (so personal access tokens, VPN setup, etc) be darned, and work from that.

The issue is often getting that work back onto the "prime" boxen. That usually means remembering how to make and apply git patches.

Look, here's the deal... ;)

If you want to copy over and preserve individual commits, you want to use "email" formatted patches. You can envision why. If you came before the time when everyone had shared remotes or if your workforce is distributed and most simply don't have remote access, it's easy to schlep around code via email. And so git has email support built-int! Though do note we're only using the format, as it carefully preserves each commit separately; we're not actually emailing anything. Unless you really want to.

On the travelling box:

Let's say I wanted the last 5 commits. I'd use this command to create an email-formatted patch file:

git format-patch -k --stdout HEAD~5 > patch.patch

Open up the text file and take a look! It's actually kinda interesting, begging for an SMTP server to send it on its way.

On the "prime" development box:

git am -3 patch.patch

Now look, if you used git apply here, it would apply EVERYTHING IN THE FILE AS A SINGLE ACTION and not commit anything. It's like rolling all the changes into a single worksession that needs to be committed. Using git apply for an email versioned patch reduces to the same operation as creating a diff with git diff and git applying it.

We DON'T want that. You have to use git am to get the email action going.

The -3 is for three-way merge if there's a conflict git can't resolve, and is the way I (and several other StackOverflow users, apparently) best prefer to manage conflicting patch applications. But you really shouldn't run into that much if you just worked on an existing branch.

Do make sure you're on the right branches on both boxes.

TODO: How do you get the patch to include staged files?

Labels: git, noteToSelf

Okay, look, if there's one thing I'm tired of, it's half-baked example code that doesn't anticipate changes needed to push it into production.

Like the good ole WeatherForecastController from the .NET Core WebAPI template.

using Microsoft.AspNetCore.Mvc;

namespace MyApp .Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {
        private static readonly string[] Summaries = new[]
        {
            "Freezing", "Bracing", "Chilly", "Cool", "Mild", 
            "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
        };

        private readonly ILogger<WeatherForecastController> _logger;

        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [HttpGet(Name = "GetWeatherForecast")]
        public IEnumerable<WeatherForecast> Get()
        {
            return Enumerable.Range(1, 5).Select(index => new WeatherForecast
            {
                Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
                TemperatureC = Random.Shared.Next(-20, 55),
                Summary = Summaries[Random.Shared.Next(Summaries.Length)]
            })
            .ToArray();
        }
    }
}

I mean, Visual Studio immediately complains:

Remove this unread private field '_logger' or refactor the code to use its value.

Well, duh. We have an endpoint with no logging. When would we need to log? Probably when we're doing something more complicated than creating random 8-ball style forecasts.

So let's pretend it's more difficult, throw in a try... catch, and actually log the exception.

[HttpGet(Name = "GetWeatherForecast")]
public IEnumerable<WeatherForecast> Get()
{
    try
    {
        return new ActionResult<IEnumerable<WeatherForecast>>(Enumerable.Range(1, 5).Select(index => new WeatherForecast
        {
            Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            TemperatureC = Random.Shared.Next(-20, 55),
            Summary = Summaries[Random.Shared.Next(Summaries.Length)]
        }));
    }
    catch (Exception e)
    {
        _logger.LogError(e, "Something failed");
        return BadRequest("that didn't work");
    }
}

Guess what? Now we got TWO errors! YAY!!

1. CS0029 Cannot implicitly convert type 'Microsoft.AspNetCore.Mvc.ActionResult<System.Collections.Generic.IEnumerable<MyApp.WeatherForecast>>' to 'System.Collections.Generic.IEnumerable<MyApp.WeatherForecast>'
2. CS0266 Cannot implicitly convert type 'Microsoft.AspNetCore.Mvc.BadRequestObjectResult' to 'System.Collections.Generic.IEnumerable<MyApp.WeatherForecast>'. An explicit conversion exists (are you missing a cast?)

Dare you to tell me what to do next. Heck, I don't know. I do know WebAPIs have been around so long there are tons of wrong answers on the net.

Let's just show one example that does work and call it a day.

[HttpGet(Name = "GetWeatherForecast")]
public ActionResult<IEnumerable<WeatherForecast>> Get()
{
    try
    {
        return new ActionResult<IEnumerable<WeatherForecast>>(Enumerable.Range(1, 5).Select(index => new WeatherForecast
        {
            Date = DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
            TemperatureC = Random.Shared.Next(-20, 55),
            Summary = Summaries[Random.Shared.Next(Summaries.Length)]
        }));
    }
    catch (Exception e)
    {
        _logger.LogError(e, "Something failed");
        return BadRequest("that didn't work");
    }
}

Why do I need to wrap the return type with ActionResult to be able to return BadRequest REST code? I don't know man. It should implicitly cast imo into any hard type return value. I mean it's not like we're literally returning IEnumerable<WeatherForecast> in the original code. We are doing some magic behind the scenes to make that a JSON return value for our consumers. Why not do the same for any REST code convenience type too?

Anyhow, I just want to remember this trick for the next time it happens so to the blog it goes.

:sigh:

Labels: .NET, c#, noteToSelf, web API

Grubes on the economics of Android and Chrome:

Chrome makes no money at all on its own. It’s just a funnel for Google Search. Android maybe sort of kind of makes a little money for Google on its own, through the sale of Pixel devices, but it’s negligible. Like Chrome, Android really only exists as a funnel to keep users using Google search and within the broader Google digital ecosystem.

The best counterargument I could come up with was that both serve as first-party digital private investigators, which is likely worth something, though even that ultimately reduces to "broader Google ecosystem" which, itself, also seems to reduce down to search. Does Google sell its behavioral analytics data?

There's an interesting example of the power of this surveillence in The Trust Engineers podcast. Facebook had somewhat naively demonstrated that they had users [nearly everyone?] involved in several A/B style psychological tests at once, and were modifying feeds in ways that seemed to change those users' outlooks on life in general. Horrible ethical optics, and it sounds like potentially horrible ethical outcomes. Can you convince people to shop more? Spend more in specific categories? Give to charities less? Support fringe causes? Change political positions? Break family bonds? Etc.

I guess that's the power that Android and Chrome bring, though there is a bit of an underpants gnomes feel in here somewhere. Either this stuff is so effective I completely miss it or my inclination is accurate: They really don't know how to sell me music, books, goods that I actually like yet, even with all the extra information I've given them, intentionally or not. One day they might make a hard right into exploitation, but so far it doesn't really feel like they're even trying. I might have a profile they sell to companies who buy advertisements, but the advertisements aren't that much more effective than they were 20 years ago, and they should be waaaaay more effective by now!

Still, the point is a very interesting one: What's the long game for these culturally-central open source projects Google backs? Because it's certainly not as simple a profit-seeking setup as, say, selling lemonade on a hot day.

Labels: business, chrome, gruber, privacy

Okay, this is pretty seriously "other stuff", but as I'm watching the end of the Tour de France, I figured I'd note I finally pulled in a sprinting jersey in Zwift. Zwift is a virtual bike riding service where you hook your bike onto a "smart trainer" that translates the work you're doing to a computer (I use an iPad mini) connected via bluetooth. It's neat virtual world... the smart trainers make things more difficult when you go up a virtual hill and faster on the way down. It does feel like road biking, but from the safety of my garage.

There are usually sprint segments in each Zwift route in their many virtual worlds, from routes based in Paris to London to Richmond, VA. So if you're going for a 20 mile ride, you might have three sprint segments sprinkled in that route that range from a sixth to a quarter-mile or so.

And if you're the fastest person to have ridden a sprint in the last hour or so, your virtual in-game rider is awarded a "sprint jersey", kind of like sprint jerseys that are awarded in the Tour de France.

I have a love-hate relationship with the sprint segments in the middle of routes. If I try, I can usually get times that land me in the top 5-10% of riders (most of which probably aren't even going out of their way to sprint, to be fair), and I do lots better the shorter the sprint. But then I'm absolutely shot for miles and my overall route time craters. It's a weird risk-reward. It's fun to look like a dope in my garage peddling like a madman to get my name up on a leaderboard, but it's sad seeing my wattage (they measure the power you're producing and put it on your screen at [essentially] all times) crash.

Anyhow, there was a fancy virtual "kit" (biking outfit) that you could get this month on Zwift if you fully ran any two routes in France (Paris or the countryside) this month, give or take, and I was starting my second French-based route this month when a sprint segment rolled up. I knew it'd kill my fairly long ride to sprint hard, but as the starting line appeared, I noticed I was speeding up for a good sprint start. I didn't quite "leave it all out on the road" in the hopes I wouldn't completely ruin the rest of my ride, but it was danged close.

The result? I was one hundredth of a second away from winning the sprint. DAGGUMMIT! This is what you get when you don't quite sell out to something, I guess. Let this be a lesson to you.

But then, about four miles later down the road, it looks like the rider in front of me on the sprint leaderboard dropped offline, promoting you-know-who to sprint leader. AMAZE. Woohoo! I almost didn't notice, but suddenly my usual kit wasn't visible and it had been replaced by a dark green jersey.

Turns out I didn't get the normal bright green Zwift sprint jersey -- maybe because I'm "in France" during the Tour -- I got the official Tour jersey, Skoda green with a Tour logo on the right breast.

At the very least, Zwift (free for 25 [virtual] km each month!) tricked me into working a little harder by making me think sprinting like a madman on a 25 year-old mountain bike in my garage is fun. 😉

Labels: Other Stuff, zwift

I've been using BBEdit as my compare tool on macOS for a few years now, but recently noticed that it keeps opening a window that's maybe 90% of my screen's width and height. That might be useful on a large monitor, but my 13" MacBook Air felt especially cramped.

Welp, to change the default size of a window in BBEdit, you apparently use the menu! Feels very OS 9-. /nostalgia

From "BBEdit > New Window Size & Location > Set Default" on ArsTechnica:

When I began my search for how to set the default location for new windows in BBEdite, I was certain that to set this required a "write defaults" from the command line.

Not so -- no need for BBEdit Expert Preferences for this ... it's in the menu:

Menubar > Window > Save Default <type of> Window

The Save Default Window command stores the position and size of the front window in BBEdit’s preferences, and BBEdit will create all new windows of the same type with the stored position and size.

In my case, the "type of" is "Difference".

So, to be overly clear, first open a difference window, size and position it to taste, and then run the "Menubar > Window > Save Default Window" jive.

I'm sure I've mentioned I've been using BBEdit since the year of its birth (not sure exactly, but certainly in 1992. I still fondly remember [a few years later] using it in tandem with Transmit). I'd wandered away from BBEdit for years, using Ultra-Edit on Windows for a while, then VIm, Visual Studio, and a number of language-specific editors (sort of like (and including) PhpStorm), Coda (super briefly), Sublime Text, and now largely (and largely happily) VS Code crossplatform.

It's kinda neat to have a daily use for the "old grey lady" of text editing again and to continue not to be disappointed in its feature-set. BBEdit doesn't suck.

Labels: BBEdit, noteToSelf

I recently had a process called XProtectRemediatorRedPine eating 95% of one CPU core on my MacBook Air when it wasn't plugged in. That name seemed... strange, and I wondered if it was legit.

Turns out it's probably Apple looking for malware.

The Secrets of XProtectRemediator

Found a blog post called "The Secrets of XProtectRemediator" that has a section called "Reverse Engineering the RedPine Remediator. They apparently picked the Red Pine remediator at random...

With all that background out the way, let’s open up one of the XPR scanners in Binary Ninja and actually see what this looks like. There’s no particular reason for choosing RedPine, they all look pretty much the same.

...

Since there are 24 remediators, I won’t cover them all in detail.

In a results section, they give the "notable results" on Red Pine (and a few others):

Now this one I’m not totally confident about, but it’s givinggg TriangleDB from Operation Triangulation5. I wonder where Red Pines grow? 🦅🇺🇸

What is TriangleDB?

And there's a link included with more on TriangleDB, which is probably the most interesting link in this blog post. Here's a snippet:

The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.

...

Once the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields).

...

The C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:

• Interacting with the filesystem (creation, modification, exfiltration and removal of files);
• Interacting with processes (listing and terminating them);
• Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
• Monitoring the victim’s geolocation;
• Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.

[emphais mine -mfn]

Overview/quick history of XProtect

The relationship of Red Pines to TriangleDB is supported by another source titled "The Three XProtects of Christmas". It also gives us a good, quick overview of the XProtect system as a whole.

By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update.

XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122.

...

RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware;

I'm not going to suggest that I've given you an exhaustive breakdown on what's happening such that you could elevator speech the important parts to someone else (usually my goal), but I think that's enough of a lead for us to figure it out if we wanted to.

In any event, I think this...

1. Says the process is likely legit.
   • ("likely" because you could always name your malware after something legit)
2. Makes me think the "efficiency cores" are very efficient, because otherwise this would've killed my battery.
   • Though weird that a process looking for in-memory malware would use so much CPU for so long. 🤔

Eh, kinda interesting. I guess this sort of topic helps explain why my blog makes the big bucks.

Labels: apple, security