Bitsplitting.org: Chasing the impossible with Daniel Jalkut
http://bitsplitting.org (feed generated Thu, 11 Dec 2014 18:23:42 +0000, en-US, hourly, WordPress 4.0.1)

Blockpass For Dummies
http://bitsplitting.org/2014/12/11/blockpass-for-dummies/ (Thu, 11 Dec 2014 18:23:42 +0000)

After I wrote recently about my tool for preventing accidental typing of my password into plain text fields, I received a large number of requests asking if I would open source the tool. I generally hesitate to open source my private tools, because I throw them together with understandably lower standards than the code that I ship to users, and because I often rely upon my accumulated convenience classes and frameworks to get the job done expeditiously.

But for some reason I’m deciding to share Blockpass on GitHub. I had to do some work to make using and running it a little more bulletproof. Rather than rewrite keychain access to avoid using my private “RSKeychain” class, I decided to just include that.

Details about how to configure and install the tool are in the Readme file on the GitHub project page. You probably should not pursue the project unless you are comfortable using Xcode and building projects from scratch. I may consider building a standalone version of the tool someday, but today is not that day.

If you have any specific questions or feedback, feel free to open an issue on the project or drop me a line on Twitter.

Push Notification Traps
http://bitsplitting.org/2014/12/10/push-notification-traps/ (Wed, 10 Dec 2014 18:26:04 +0000)

Recently Marco Arment bemoaned Apple’s use of push notifications for promotional purposes. Apple sent a notification promoting their project (RED) products for sale in the App Store, which Marco judged as user-hostile and in poor taste, even if it can be argued it was “for a good cause.” I tend to agree with Marco on this point.

In the latest episode of the Accidental Tech Podcast, Marco, along with co-hosts John Siracusa and Casey Liss, talked more about the problem of notification spam in general and the difficulty of policing it at app review time. They seemed to be in agreement that the only realistic tool at Apple’s disposal is to devise a crowd-sourced flagging system for inappropriate notifications, to use that collective information to pinpoint the worst offenders, and then to impose consequences upon them.

They went on to lament that Apple is not very good at these kinds of crowd-sourcing solutions, and that in all probability the vast majority of iOS users are not concerned or aware that they should be concerned about notification spam. The lack of consumer awareness about the nature of the problem could itself be a limiting factor in any crowd-sourced solution.

But I propose that Apple does have tools at its disposal that could help flag the worst offenders immediately, without the cooperation of the public, and without violating any user’s privacy.

All remote push notifications are delivered from an app’s developer to an end-user’s device via the Apple Push Notification service. This is good, because it puts Apple in a position to intercept and e.g. immediately shut down a bad actor from delivering notifications to any of its intended recipients. However, the content of all these notifications passing through Apple’s service is encrypted. This is good, even required, because it protects developer and company data from being eavesdropped. But it’s bad from an enforcement sense because it thwarts possible solutions such as using a Bayesian filter on content to flag spam, similarly to the way an app like SpamSieve works on the Mac.

So Apple has complete control over the distribution mechanism, but zero ability (apart from metadata including the originating company and the target device) to examine the content passing through. Game over? I don’t think so.

Apple can still use its unique role as the center of all things iOS to devise a system through which they would themselves be virtually subscribed to all unremarkable notifications from a particular app’s developer. Think about the worst notification spam you’ve seen. In my experience it’s not super-personalized. In fact, it’s liable to be an inducement to keep using the app, to advance in a game, to become more engaged, etc. I think Apple would collect a ton of useful information about spammy developers if they simply arranged that every app on the App Store that is capable of sending push notifications included, among its list of registered devices, a “pseudo-device” in Cupertino whose sole purpose was to receive notifications, scan them for spammy keywords, apply Bayesian filters, and flag questionable developers.

Because Apple controls the namespace for device IDs, has access to the executables for all the apps in the store, and is technically equipped to run these apps in contrived environments, they could coax applications to perceive themselves as having been installed and run on a device with ID of Apple’s choosing. In fact, it’s probably simplest if this very thing happens while App Store reviewers are evaluating apps. It’s true that they won’t see the spammy notifications during review, but the mechanics of triggering an app’s registration for future notifications would ensure delivery to a “trap device,” actually a giant database against which arbitrary research could be conducted.

This would not be a violation of anybody’s privacy, because only the artificial App Store review team’s data (if any) would be involved. Most likely, it would not capture most bona fide useful notifications, because reviewers wouldn’t use the app to the extent that such notifications are generated. But it would capture all the “send a notice to everybody who has ever launched the app” and “send a notice to folks who haven’t launched lately” type spam. That seems like a pretty big deal.

At the very least, such a system could serve as a baseline mechanism for flagging developers, and in the event that some future crowd-sourced solution was unveiled, it would layer nicely on a system in which Apple was already collecting massive amounts of data about the most humdrum, spammy notifications that developers send.

Insecure Keyboard Entry
http://bitsplitting.org/2014/12/09/insecure-keyboard-entry/ (Tue, 09 Dec 2014 15:19:55 +0000)

If you use a passphrase to control access to your computer, as you probably should, then it has no doubt become second nature to type it quickly when you sit down to get to work. If you’ve set an aggressive lock-screen timeout, as you probably also should, then you have become blazingly efficient at typing this password. Perhaps too blazing, perhaps too efficient.

If this sounds like you so far, perhaps I can complete the picture by describing the heart-stopping horror of sitting down to your computer after a short time away, methodically typing your password in to unlock it, only to realize the computer wasn’t locked at all, and you just typed it into a chat window, or worse, posted it to Twitter?

I set out recently to address this problem on my computer by writing my own nefarious little tool, which would act as a global keystroke sniffer, looking for any indication that I am typing my password, at which point it puts up a helpful reminder:

[Image: panel reminding me not to type my password in plain text fields.]

The beauty of this tool is it catches me at the moment I type my password (actually just a prefix of it, but that’s a technicality), and by nature of putting up a modal dialog that jumps in my face, absorbs any muscle-memory-driven effort to complete the password and press return in whatever insecure text field I might have been typing into.

You may wonder whether this prevents the legitimate entry of my password, e.g. into the fields the system presents when asking me to confirm an administrator task. The answer is no, because part of the beauty of those standardized password fields is that Apple has taken care to enable a secure keyboard entry mode while these fields are active. While a standard password field is focused, none of your typing is (trivially) available to other processes on the system. So my tool, along with any other keyboard loggers that may be installed on the system, is at least prevented from seeing passwords being typed.

I’ve been running my tool for a few weeks, confident in the knowledge that it will prevent me from accidentally typing my password into a public place. But its aggressive nature has also revealed to me a couple of areas that I expected to be secure, but which are not.

Insecure Input Fields

The first insecure input area I noticed was the Terminal. As a power-user, it is not terribly uncommon for me to invoke super-user powers in order to e.g. clean up a system-owned cache folder, install additional system packages, kill system-owned processes that are flying out of control, or simply poke around at parts of the system that are normally off-limits. For example, sometimes I edit the system hosts file to force a specific hostname to map to an artificial IP address:

sudo vi /etc/hosts
Password:

The nice “” is new to Yosemite, I believe. Previously tools such as sudo just blocked typing, leaving a blank space. But in Yosemite I notice the same “secure style” bullet is displayed in both sudo and ssh, when prompting for a password. To me this implies a sense of enhanced security: clearly, the Terminal knows that I am inputting a password here, so I would assume it applies the same care that the rest of the system does when I’m entering text into a secure field. But it doesn’t. When I type my password to sudo something in the Terminal, my little utility barks at me. There’s no way around it: it saw me typing my password. I confirmed that it sees my typing when entering an ssh password, as well.

The other app I noticed a problem with is Apple’s own Screen Sharing app. While logged in to another Mac on my network, I happened to want to connect back, via AppleShare, to the Mac I was connecting from. To do this, I had to authenticate and enter my password. Zing! Up comes my utility, warning me of the transgression. Just because the remote system is securely accepting my virtual keystrokes, doesn’t mean the local system is doing anything special with them!

What Should You Do?

If you do type sensitive passwords into Terminal or Screen Sharing, what should you do to limit your exposure? Terminal in particular makes it easy to enable the same secure keyboard entry mode that standard password fields employ, but to leave it active the entire time you are in Terminal. To activate this, just choose Terminal -> Secure Keyboard Entry. I have confirmed that when this option is checked, my tool is not able to see the typing of passwords.

Why doesn’t Apple enable this option in Terminal by default? The main drawback here is that my tool, or other tools like it, can’t see any of your typing. This sounds like a good thing, except if you take advantage of very handy utilities such as TextExpander, which rely upon having respectful, trusted access to the content of your typing in order to provide a real value. Furthermore, if you rely upon assistive software such as VoiceOver, enabling Secure Keyboard Entry could impact the functionality of that software. In short: turning on secure mode shuts down a broad variety of software solutions that may very well be beneficial to users.

As for Screen Sharing, I’m not sure there is any way to protect your typing while using it. As a “raw portal” to another machine, it knows nothing about the context of what you’re doing, so as far as it’s concerned your typing into a password field on the other machine is no different from typing into a word processor. Unfortunately, Screen Sharing does not offer an option similar to Terminal’s application-wide “Secure Keyboard Entry.”

What Should Apple Do?

Call me an idealist, but every time that tell-tale appears in Terminal, the system should be protecting my keystrokes from snooping processes. I don’t know the specifics of how or why for example both ssh and sudo receive the same treatment at the command-line, but I suspect it has to do with them using a standard UNIX mechanism for requesting passwords, such as the function “getpass()” or “pam_prompt()”. Knowing little about the infrastructure here, I’m not going to argue that it’s trivial for Apple to make this work as expected, but being in charge of all the moving parts, they should make it a priority to handle this sensitive data as common sense would dictate.

For Screen Sharing, I would argue that Apple should offer a similar option to Terminal’s “Secure Keyboard Entry” mode, except that perhaps with Screen Sharing, it should be enabled by default. The sense of separation and abstraction from the “current machine” is so great with Screen Sharing, that I’m not sure it’s valuable or expected that keyboard events should be intercepted by processes running on the local machine.

What Should Other Developers Do?

Apple makes a big deal, in a technical note about secure input, of the point that developers should “use secure input fairly.” By this they mean to stress that any developer who opts to enable secure input mode (the way Terminal does) should do so in a limited fashion and be very conscientious that it be turned back off again when it’s no longer needed. This means that ideally it should be disabled within the developer’s own app except for those moments when e.g. a password is being entered, and that it should absolutely be disabled again when another app is taking control of the user’s typing focus.

Despite the strong language from Apple, it makes sense to me that some applications should nonetheless take a stronger stance in enabling secure input mode when it makes sense for the app. For example, I think other screen sharing apps such as Screens should probably offer a similar (possibly on by default) option to secure all typing to an open session. I would see a similar argument for virtualization software such as VMware Fusion. It’s arguable that virtualized environments tend to contain less secure data, but it seems dangerous to make that assumption, and I think it does not serve the user’s expectations for security that whole classes of application permit what appears to be secure typing (e.g. in a secure field in the host operating system) that is nonetheless visible to processes running on the system that is running the virtualization.
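As an added example (not code from this post, nor from Terminal, Screen Sharing, Screens or any other app named here), the following shows how an app such as a screen-sharing client could offer an application-wide Secure Keyboard Entry option like Terminal’s while still honoring the “use secure input fairly” guidance discussed above: the mode is taken only while the app is frontmost and is released the moment the app resigns focus or the option is turned off, so that utilities like TextExpander regain sight of typing in every other app. It relies on the Carbon secure-input functions EnableSecureEventInput, DisableSecureEventInput and IsSecureEventInputEnabled (documented in Apple’s Technical Note TN2150 on secure input), which must be enabled and disabled in balanced pairs. The class name SecureTypingGuard and the preference key SecureKeyboardEntry are assumptions made for the example.

```objectivec
// Added example, not the post's or any named app's code.
// An app-wide "Secure Keyboard Entry" toggle that holds secure input only
// while this app is active, and always balances Enable with Disable.
#import <Cocoa/Cocoa.h>
#import <Carbon/Carbon.h>   // EnableSecureEventInput & friends live in HIToolbox

@interface SecureTypingGuard : NSObject
@property (nonatomic) BOOL wantsSecureInput;            // the user's preference
@property (nonatomic, readonly) BOOL holdsSecureInput;  // whether we hold the mode right now
+ (BOOL)secureInputActiveSystemWide;                    // is any process holding secure input?
- (void)update;
@end

@implementation SecureTypingGuard {
    BOOL _holdsSecureInput;
}

- (instancetype)init {
    if ((self = [super init])) {
        NSNotificationCenter *nc = [NSNotificationCenter defaultCenter];
        // Re-evaluate whenever keyboard focus moves into or out of this app.
        [nc addObserver:self selector:@selector(update)
                   name:NSApplicationDidBecomeActiveNotification object:nil];
        [nc addObserver:self selector:@selector(update)
                   name:NSApplicationDidResignActiveNotification object:nil];
    }
    return self;
}

- (BOOL)holdsSecureInput { return _holdsSecureInput; }

- (void)setWantsSecureInput:(BOOL)wants {
    _wantsSecureInput = wants;
    [self update];
}

// Hold secure input exactly when the option is on AND this app owns the keyboard.
- (void)update {
    BOOL shouldHold = self.wantsSecureInput && [NSApp isActive];
    if (shouldHold && !_holdsSecureInput) {
        if (EnableSecureEventInput() == noErr) {
            _holdsSecureInput = YES;
        }
    } else if (!shouldHold && _holdsSecureInput) {
        DisableSecureEventInput();   // release it so other apps' typing is visible again
        _holdsSecureInput = NO;
    }
}

// Useful for a text-expansion or accessibility utility to explain why it is
// currently blind: some process (maybe a password field, maybe Terminal) holds secure input.
+ (BOOL)secureInputActiveSystemWide {
    return IsSecureEventInputEnabled();
}

- (void)dealloc {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
    if (_holdsSecureInput) DisableSecureEventInput();   // never leak the mode
}
@end

// Usage from the app delegate (assumed preference key "SecureKeyboardEntry"):
//   self.typingGuard = [SecureTypingGuard new];
//   self.typingGuard.wantsSecureInput =
//       [[NSUserDefaults standardUserDefaults] boolForKey:@"SecureKeyboardEntry"];
```

Because the mode is dropped on NSApplicationDidResignActiveNotification, switching to another app restores normal keystroke visibility there, which is the behavior the technote asks for; a screen-sharing app that wanted the option on by default, as argued above, would simply register a default of YES for the preference.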

What Should I Do?

Well, apart from writing this friendly notice to let you know what you’re all up against, I should certainly file at least two bugs. And I have:

  • Radar #19189911 – “Standard” password input in the Terminal should activate secure input
  • Radar #19189946 – Screen Sharing should offer support for securing keyboard input

Hopefully the information I have shared here helps you to have a better understanding of the exposure Terminal, Screen Sharing, and other apps may be subjecting you to with respect to what you might have assumed was secure keyboard input.

Manton’s Twitter Apps
http://bitsplitting.org/2014/11/24/mantons-twitter-apps/ (Mon, 24 Nov 2014 21:21:03 +0000)

My long-time friend and podcasting partner, Manton Reece, is finally saying a painful goodbye to all of his apps that use Twitter’s API. Reacting to Twitter’s recent announcements about full-history search:

I was thrilled by this upgrade to the Twitter service. That the search was so limited for so long was the primary reason I built Tweet Library and Watermark to begin with. Unfortunately, this functionality is only for the official Twitter apps. It will not be made available to third-party developers.

Manton is probably the most earnest developer I know. He is eager and ambitious in his indie pursuits, but always slightly more interested in serving the greater good than in serving his own interests. To me this is a charming, admirable quality, even if it has led to some inevitable frustrations and disappointment.

It’s easy to imagine how a developer like Manton Reece would have been so eager to participate in the Twitter developer platform of 2007, and how devastating it must have been for him to watch as his ambitions for the platform became less and less viable over time.

How Many Blogs Do You Have?
http://bitsplitting.org/2014/10/17/how-many-blogs-do-you-have/ (Fri, 17 Oct 2014 15:10:22 +0000)

One of the things that has kept me from blogging more over the years has been the problem of worrying that, or at least wondering if, the specific thing that is on my mind right now is particularly useful or interesting for my readers.

I find it sort of charming when people write “whole person” blogs that may contain material spanning from their personal emotions, to the culture they appreciate, to the work that they do, and the politics they believe in. But I also find it kind of irritating when I don’t happen to value or share in common one or more of those many disparate interests. Slogging through myriad posts about renaissance faires or meat rendering techniques, just to get the rare morsel about, say, optimizing Objective-C code, is not my idea of enjoying the written word as a reader of blogs.

And so I am very sensitive to try to keep things pertinent to the blog at hand. This has led to my having had for a long time now at least two, and often far more active blogs at a time. I started with just a single LiveJournal blog more than a decade ago, but when I started building Red Sweater it made sense to add a company blog as well. I pushed the limits of what is appropriate for a company blog, frequently using it as soapbox for my own personal beliefs, usually about tech issues, but occasionally straying into discussions about the environment, or endorsing a political candidate. I even eulogized my dad when he passed away four years ago.

I enjoyed a significant audience on the Red Sweater Blog, but I became increasingly uncomfortable with the fact that it was a personal blog more than a professional one. Sure, I announced all my product news, but also wrote about, well, almost anything I felt like. That didn’t seem right.

There was also a ton of stuff I didn’t write about at all. Stuff that wasn’t related to my business and furthermore wasn’t related to technology. For this, I kept an old “personal blog” at Blogspot, which was basically the evolution of my original LiveJournal blog. Here, for example, I wrote a long post on buying a car, sharing the tips I’d picked up in my own process of doing so.

But that personal blog wasn’t really suitable, or I didn’t think so anyway, for technical rants or programming advice. If I wanted to make broad observations about a tech company, or wanted to share advice about code signing, these didn’t really belong on either Red Sweater or my personal site.

So I’ve basically added blogs until I no longer hem and haw about whether or not to post something. There’s still a challenge sometimes in deciding which of my blogs to post to, but never a limitation of there not being a suitable outlet if I want it.

The only problem is that now whenever I post a new blog entry and share it on Twitter, somebody will inevitably have seen the blog for the first time and ask “how many blogs do you have, anyway?”

Let’s see if I can enumerate them all, as well as my rough idea of the audience they serve and the correlated limitations on content.

  • Red Sweater Blog. My official company blog serves to inform existing users about updates to my software in a casual way that includes more verbose explanation about the changes than a mere bullet list of changes. The blog also, at its best, will share tips and tricks about using not only my software but software that is highly pertinent to Mac and iOS users as a whole.
  • Bitsplitting. This is my technical soapbox. If something feels technical in nature but is not clearly tied to my work at Red Sweater in such a way that it’s meaningful to Red Sweater customers, then it goes here. I find this particularly liberating because it gives me a chance to share opinions about tech companies and people that might be less appropriate coming from an official company blog.
  • Indie Stack. Some of my best posts on the Red Sweater Blog were long excursions into the process of debugging or programming for the Mac and iOS. Granted, some normal people found these posts interesting, but for the most part they fly right over the heads of those who are tuning in to learn about either my products or my philosophies about technology. Indie Stack is the nerd haven where anything goes so long as it’s suitable to other developers or people who happen to be interested in developer technologies.
  • Punk It Up. Often neglected for long periods of time, this is where my non-technical writing belongs. Observations about social situations, jokes, advice about buying cars, etc. If it’s suitable for a general audience, it goes here. Wait, that’s not right, because this is also my blog for crude, relatively unedited quips on whatever subject. In short, these are my liberal arts writings, but they have also sometimes been uncensored. Perhaps that’s an opportunity for further bifurcation.

And unless I’m missing something, that’s how many blogs I have. Oh, but I forgot the podcasts and audio:

  • Core Intuition. My weekly podcast with Manton Reece. We talk about anything related to being a Mac and iOS “indie” developer. Geared towards both developers and people who enjoy a peek inside the minds of two guys actively pursuing our indie ambitions.
  • Bitsplitting Podcast. Spun off from the Bitsplitting blog, the idea with the podcast was to fill a void I perceived in other tech podcasts: a failure to dive deeper into the backstory of individuals being interviewed. The format for this show is a long-form interview that doesn’t hesitate to get philosophical about the life ambition of a guest, and how their stories have fulfilled that ambition thus far.
  • TwitPOP. Born from my idea one day that (nearly) literal renditions of poetic tweets in musical form would be a good way to start doing something musical again, and to explore my fascination with the elegance of Twitter’s 140-character expressions.

You might wonder how a crazy person like myself manages to keep this many blogs going. I’m far from perfect, so of course there is some amount of neglect. I just posted to Punk It Up for the first time in four years, but it was nice to have it there when I finally got around to it.

But the other thing is this is only possible because MarsEdit makes editing a large number of distinct blogs somewhat sane. All of my blog posts and podcast episodes start in a familiar, Mac-based editor interface where all my favorite keyboard shortcuts, scripts, saved images, macros, etc., all live. Whether I’m writing to my company’s users or to the few people who take joy in my musical tweets, the interface for doing so is the same.

To be fair, there is certainly a cost to splitting everything up like this. Whatever notoriety I may gain with one blog is unlikely to transfer directly to the others. So if I wanted as many people as possible to see a specific post, it would have to go to the most visited blog, whether it was suitable content or not.

The compromise I’ve taken to address this problem is to treat Twitter as the over-arching, meta-topicked super-blog that acts as the umbrella to all the others. Regardless of the blog I post to, I’m likely to link to it from my @danielpunkass Twitter account. Sure, folks who follow me on Twitter may get tired of seeing links to various subjects that don’t interest them, but that is far less tedious to dig through than whole articles placed where they clearly don’t belong.

Now you know about all my blogs, and why they exist in such numbers. Just don’t ask how many Twitter accounts I have …

The 2014 Retina Web
http://bitsplitting.org/2014/09/29/the-2014-retina-web/ (Mon, 29 Sep 2014 20:24:00 +0000)

When Apple announced the first “Retina” HiDPI device, the iPhone 4, it set into motion a slow (slower than I expected, anyway!) migration away from a web on which it was safe to assume every client had roughly the same screen resolution, towards one in which the resolutions of some clients would be so much higher as to warrant distinct image resources.

From a HiDPI device, it’s obvious to most people when a site has taken care to ensure that all the images are suitably high resolution to look sharp on screen. Sites that are not updated look blurry if not downright pixelated, and really take the shine off these fancy displays.

So it seems obvious to me, and should seem obvious to you, that if it’s at all feasible, every web publisher should ensure that her or his site renders beautifully on a HiDPI device. But how feasible is it, really?

Solutions in 2010

The problem in 2010 was that HiDPI seemed to take the web by such surprise that there was no drop-dead stupid way of updating a web site so that it served higher resolution files to the new devices while continuing to serve smaller images, which were also by definition a better fit, for lower-resolution screens. An undoubtedly non-exhaustive list of solutions advised at the time was:

  • Serve @2x images. Where you used to have a 100×100 pixel JPG, serve a 200×200 JPG but keep the width and height at 100. It works as expected for older devices, but newer devices with reasonable browsers will take advantage of the extra information density to draw the image with greater precision. The main downside to this approach was that even older devices would be forced to download the larger, higher-resolution image files.
  • Use CSS background images. This approach took advantage of the ability for CSS to specify that specific CSS rules should be applied only on devices where the ratio of pixels to screen points was e.g. 2 instead of 1. Because the CSS would be evaluated before any resources are loaded, using this technique would allow a browser to download only the image suitable for display on the current device. The main downside I saw to this was that it encouraged moving away from semantic “img” tags and towards using e.g. div tags that just happen to behave just like images. Things tend to go to hell when printing a page that uses this trick, and I have to imagine it isn’t super friendly to screen-reading technologies.
  • Use JavaScript hacks. I say “hacks” with a careful tongue, meant to express both disdain and admiration. Actually, I don’t know how many bona fide solutions there were in the early days, but I seem to recall people talking of dynamic scripts that would rewrite the “src” attributes of image URLs depending on whether they were being loaded on a HiDPI screen or not. The downsides here are that it feels super fiddly, and there were questions, borne out as justified I think, as to whether the tricks would work universally or not.

I jumped to update most of the Red Sweater pages. Why? Mainly for the reasons I listed in Target The Forward Fringe:

HiDPI customers may be a fringe group, but they are a forward-facing fringe. They represent the users of the future, and the more we cater to them now, the more deeply embedded our products and designs will be in their culture. The future culture.

Great thinking, Daniel. Only, in spite of more-or-less supporting Retina very early on, I never really got good at it. I embraced a combination of “just serve @2x images” and “use CSS background images.” But both solutions have bugged me, and made it less fun to change anything about the graphical make-up of my sites. Thus, I have mostly adopted the “if it ain’t broke” approach for the past 4 years, and that has been fine.

Except no, it hasn’t been fine. Because it is broke. Only after finally getting my first Retina MacBook Pro earlier this year have I finally found myself in front of a HiDPI browser frequently enough to become truly judgmental of the LoDPI web. And wouldn’t you know it, one of the offenders is none other than the Red Sweater site. The main page and product pages all sport fancy HiDPI graphics of the application icons, but incidental badges and, worst of all, screenshots of my apps are fuzzy when viewed on a HiDPI Mac. The very “forward fringe” I’m supposed to be catering to will not be so confident of that fact if they rely solely upon my screenshots. So this morning I took to the long-postponed task of correcting my Retina ways.

Solutions in 2014

Surely in 2014, having had four years to bake, the methods for supporting HiDPI on the web will have gelled into a few no-brainer, 100% effective techniques? I had heard a few things over the years about image sets, picture tags, etc., but nothing really jumped out as being the obvious way to support Retina. That’s annoying. I even took to Google and tried searching for definitive rundowns of the 2014 state of the art. Admittedly, my Google-fu is weak (does adding “site:alistapart.com” to any query count as deep-diving in the web realm?), but I wasn’t turning up anything very promising. I took to Twitter:

My reference to “srcset” alluded to my barely understood impression that a smart-enough browser would interpret the presence of a “srcset” attribute on img tags, and use the content of that attribute to deduce the most suitable image resource for the HTML view being served.

Unfortunately I didn’t get a definitive response along the lines of “you should go read this ‘The 2014 Retina Web’ article.” I’m assuming that’s because it’s really hard to pin down a definitive approach when so many different people have differing priorities: how much effort do you put into supporting older browsers, how important is it to minimize bandwidth costs, are you willing to take on 3rd party JavaScript libraries, yadda, yadda, yadda.

In the absence of such an article, I guess that’s what I’m trying to approximate here. This is for myself and for all my peers who have not paid a ton of attention to the state-of-the-art since 2010, and who would at least set themselves down the path towards making an informed decision. My take thus far about the rough approach to the choices we have today is probably all wrong because I just learned most of it 5 minutes ago, but because I think I would have nonetheless benefited from such a rundown, here it is:

  • Keep doing things the 2010 way. That is, if it actually ain’t broke, or you actually don’t care.
  • Use srcset and associated technologies. These are specified in the W3C’s HTML draft standard as the new “picture” tag and extension to the “img” tag with attributes such as srcset. To answer my own question “can I just use srcset?” I think the answer is more or less “yes,” as long as you don’t mind degrading to a lower-resolution experience for any browser that doesn’t support the new evolving standard. And I’m not 100% sure yet, but I think I don’t mind.
  • Use a polyfill. I just learned that a polyfill is a fancy word for a JavaScript library specifically geared towards providing a compatibility layer such that older browsers behave even when you use newer web technologies. I think the gist of this approach is to more or less use the W3C draft standard features including picture tags and srcset attributes, but to load a JavaScript library such as Picturefill to ensure that the best possible experience is had even by folks with clunky old browsers.
  • Use 2014 JavaScript hacks. You could argue the polyfill approach is also a hack, but distinct from that is a popular approach in which a robust library such as Retina.js is used, not to facilitate any kind of semi-standard W3C-approved approach, but simply to get the job done using runtime JavaScript substitution, in a manner that does not require extensive changes to your existing HTML source code. The gist of Retina.js in particular is that in its simplest deployment, it looks for any img tags and replaces the src attribute with a URL that points to the @2x version of the asset, if that is appropriate for the screen you’re being loaded on.
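As an added example (not code from this post, from Retina.js or from Picturefill), here is the asset-selection logic behind the last three options above, in plain JavaScript: a parser for img srcset candidates with x descriptors, the rule a browser applies to pick one for a given devicePixelRatio, and a Retina.js-style rewrite that derives an @2x path from a plain src. The function and attribute names are my own. This simplified rewrite does not check that the @2x file actually exists on the server, which Retina.js does before swapping, so with this code a missing variant would show up as a broken image.

```javascript
// Added example, not code from the post, Retina.js or Picturefill:
// the "which image for this screen" decision, in plain JavaScript.

// Parse an <img srcset> such as "a.png 1x, a@2x.png 2x" into candidates.
// Only x-descriptors are handled; a candidate with no descriptor is 1x.
// Assumption: URLs containing commas (data: URIs) are not handled here.
function parseSrcset(srcset) {
  return srcset
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((candidate) => {
      const [url, descriptor = '1x'] = candidate.split(/\s+/);
      const m = /^(\d+(?:\.\d+)?)x$/.exec(descriptor);
      if (!m) throw new Error('unsupported srcset descriptor: ' + descriptor);
      return { url, density: parseFloat(m[1]) };
    });
}

// Choose the candidate for a given devicePixelRatio: the least dense one
// that still meets or exceeds the screen, else the densest one available.
function chooseCandidate(candidates, dpr) {
  const byDensity = candidates.slice().sort((a, b) => a.density - b.density);
  return byDensity.find((c) => c.density >= dpr) || byDensity[byDensity.length - 1];
}

// Retina.js-style rewrite: insert "@2x" before the file extension, leaving
// any query string or fragment intact. A src with no extension is returned
// unchanged rather than guessing at a name that may not exist.
function retinaUrl(src) {
  const m = /^([^?#]*)([?#].*)?$/.exec(src);
  const path = m[1];
  const suffix = m[2] || '';
  const dot = path.lastIndexOf('.');
  if (dot <= path.lastIndexOf('/')) return src;
  return path.slice(0, dot) + '@2x' + path.slice(dot) + suffix;
}

// Resolve one image's src: a declared srcset wins (the standards path);
// otherwise fall back to the @2x naming convention, and only on dense screens.
function resolveSrc(attrs, dpr) {
  const candidates = attrs.srcset ? parseSrcset(attrs.srcset) : [];
  if (candidates.length > 0) return chooseCandidate(candidates, dpr).url;
  return dpr > 1 ? retinaUrl(attrs.src) : attrs.src;
}

// Browser entry point: apply resolveSrc to every <img> that has a src.
// Returns the number of images visited so a caller can log or test it.
function upgradeImages(doc, dpr) {
  const imgs = Array.from(doc.querySelectorAll('img[src]'));
  for (const img of imgs) {
    img.src = resolveSrc(
      { src: img.getAttribute('src'), srcset: img.getAttribute('srcset') },
      dpr
    );
  }
  return imgs.length;
}

// Only touch the live page when there is one (skipped when loaded under Node).
if (typeof document !== 'undefined') {
  upgradeImages(document, window.devicePixelRatio || 1);
}
```

Two things worth keeping in mind with the runtime-substitution approach: the script runs on every page view, so a library you take on for it should be served and versioned like the rest of your own front-end code rather than loaded ad hoc; and because the @2x URL is constructed rather than declared in the HTML, the naming convention has to be kept strict on the server side, or the script will happily request paths that do not exist.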

Further Reading

My searching and the responses of folks on Twitter turned up some valuable resources that may help to paint a clearer picture of what’s been going on. In no particular order:


I want to emphasize that this post is an exposition of a few inklings of truth that I gleaned from surveying the web and some friendly, responsive folks on Twitter. There’s no need to roast me for being wrong about anything here, because I don’t claim to know anything about the topic. Well, maybe 5 minutes worth of research more than you…

Many thanks to @edwardloveall, @tomdiggle, @samuelfine, @josephschmitt, @adamklevy, @octothorpe, @seiz, @nico_h and others I no doubt missed or who chimed in after I published this piece, for responding to my Twitter query and helping me to start painting a picture of the current state of the art.

]]>
http://bitsplitting.org/2014/09/29/the-2014-retina-web/feed/ 0
Brent Goes To Omni http://bitsplitting.org/2014/09/29/brent-goes-to-omni/ http://bitsplitting.org/2014/09/29/brent-goes-to-omni/#comments Mon, 29 Sep 2014 16:51:28 +0000 http://bitsplitting.org/?p=653

Well, I’ll be darned.

Brent is a great developer and a great friend, who will now be working, in addition to his capacities at Q Branch, for the great, great Omni Group.

There are a few people in the Mac/iOS realm whose reputations are almost universally celebrated and admired. And there are a few companies that enjoy the same kind of respect. Brent and Omni are each of that ilk and it’s going to be very interesting to see what kinds of work they do together.

]]>
http://bitsplitting.org/2014/09/29/brent-goes-to-omni/feed/ 0
15 Lessons From Anil http://bitsplitting.org/2014/09/27/15-lessons-from-anil/ http://bitsplitting.org/2014/09/27/15-lessons-from-anil/#comments Sat, 27 Sep 2014 14:30:43 +0000 http://bitsplitting.org/?p=644

I’ve been trying to get back into the groove of more regular blogging. Like most habits, blogging is hard to keep up when you let the inertia of inaction take hold. Lately I’ve been trying to remind myself when I have a lively conversation with a friend, or when I start overloading Twitter with multiple tweets on the same subject, that I may as well use it as an opportunity to blog.

This ambition to blog more makes me especially receptive to rallying cries restating the value of blogging, especially when they come with advice for how to blog well. Anil Dash’s 15 Lessons from 15 Years of Blogging is full of observations and advice that ring true to me from my shorter yet still-significant blogging career. There are many gems here but I particularly like his emphasis on the difficulty of gauging the impact of a given post. Sometimes it feels like you’re sharing your thoughts with a black hole, but I’ve also experienced the phenomenon Anil describes:

The most meaningful feedback happens on a very slow timeframe. It’s easy to get distracted in the immediacy of people tweeting replies in realtime, but the reason I write is for those rare times, years later, when I get an email from someone I might only barely know, saying that something I wrote meant something to them.

The only thing Anil says that doesn’t ring completely true to me is his observation about blogging tools:

The tools for blogging have been extraordinarily stagnant. One of the reasons the art form of blogging isn’t particularly respected lately is because the tools essentially stopped evolving a decade ago.

At the very least I think this point needs elaboration: which tools in particular is he alluding to? I think the only reasonable interpretation is that he’s alluding to the hosted blogging services that facilitate “easy” blogging for the vast majority of people. 10 years ago, WordPress was still in its infancy, and my impression was that most people used (original) Blogger, Movable Type, LiveJournal, or Blosxom (a rudimentary text-based system) to share their thoughts.

The web interfaces to these early blog systems were laughably bad, so much that desktop apps like MarsEdit were celebrated essentially for simply providing a reliable text field in which to compose and send text to a blog. There was no Tumblr, whose interface was a revelation for many when it came on the scene and suggested that blogging could be something breezier than the pseudo-journalistic style that had been taken as the standard. Inclusion of photos or videos in blog posts was an insane exercise that only the most intrepid web-worker would dare to tackle. These days? Blog authors can easily share photos and videos from the palms of their hands, while riding a roller-coaster at Disneyland, before the ride stops.

Which is not to say that I think blogging tools are perfect. Far from it. As the developer of MarsEdit, my challenge is to observe the ways in which web-based tools fall short, and strive to fill those gaps with the native Mac-based app. Believe me, there are lots of shortcomings, but it’s also literally awesome how much the tools have improved over the years.

Because I work on a blogging tool, and because I’m friends with a lot of people who I will lovingly refer to as “internet hipsters,” I often get asked by these folks for whom blogging is old news, whether I think blogging is “on the way out.” Far from it, thanks in no small part to those massive improvements in blogging tools. In my experience from selling blogging software and from socializing in and out of tech circles, more people than ever are writing in blogs.

I regularly visit non-technical family in the rural midwest of the United States. Five years ago when I explained to them what I did for a living, the usual response I got was “what’s a blog?” or at best “how is a blog different from a newspaper?” They didn’t get the idea at all that a blog was something they could participate in personally. This year, one of those relatives finally started a blog of her own. And it’s good! Her dipping her toes into this “new” self-publishing platform will undoubtedly serve as a template for the rest of her friends and family. I’m sure we’ll continue to see a lot of new blogs and a lot of improvement to the current tools.

]]>
http://bitsplitting.org/2014/09/27/15-lessons-from-anil/feed/ 0
iPhone 5: A Form Factor Worth Keeping http://bitsplitting.org/2014/09/26/iphone-5-a-form-factor-worth-keeping/ http://bitsplitting.org/2014/09/26/iphone-5-a-form-factor-worth-keeping/#comments Fri, 26 Sep 2014 12:47:56 +0000 http://bitsplitting.org/?p=640

Since I got my new iPhone 6 (not plus), my biggest concern has been the increased size. There are certainly things to like about the larger screen, but I am one of those people who looks at the phone primarily as something that empowers me to do great things with a minimum of extra weight or bulk. I don’t wear skinny pants, per se, but I don’t wear cargo pants, either. I like to have the phone at easy reach but I also like to travel light, and to move through life with a certain bounce in my step that makes me feel vulnerable with a larger phone.

With those biases in mind, I’ve noticed after a week of using the new iPhone 6 that in fact the pocket feel is not too much of a problem. The main time I recognize it is when I’m stepping over a baby gate in our house that requires me to lift one leg completely to the level of my waist. In this situation, the iPhone 6 in my pocket is stressed in a way that my iPhone 5 was not. I don’t think it’s going to bend or break, and sure, I could always just open the gate. But the point is this is impacting my life even if in a very minor way.

I am also an avid runner. Given my hesitation to carry bulky items, you might laugh when I admit that for years now I have been carrying my iPhone 4 and then 5 with me on all my runs. I used to carry an iPod mini but switched to the iPhone when my habit of listening to podcasts made it more frustrating to synchronize than to just carry the dang phone. Fortunately, a running belt like the Run Lite Pack makes this a relatively low-impact proposition. After getting in the habit of having the phone, of course it became both an occasional aid and a constant reassurance. I sometimes take long runs of up to 10 miles, and having access to the maps and phone for emergency purposes is a nice perk.

When the iPhone 6 arrived, one of the first letdowns I noticed was that it doesn’t really fit in the Run Lite Pack. I can fit it, but it’s awkward to squeeze in, and zipping the pouch feels like packing a suitcase where you have to sit on the top to get the zipper shut. Here was another real-life impact of the iPhone 6’s size. So I ordered this larger Nathan 5K running belt which I am assured will hold the iPhone 6 comfortably.

All of this finally got me thinking: why don’t I just use my iPhone 5 when I run? The original reason for carrying a phone was to make sure all my podcasts stayed in sync. With podcasting apps like Overcast that sync subscriptions and playback status, this should be possible across two iPhones. Unless I paid for an extra data plan for the old phone, I’d be stuck without maps when I get lost, but thanks to the emergency 911 support that carriers are required to provide even on deactivated phones, I would still have some reassurance of a lifeline in an emergency. It still fits easily in my running belt, and I am significantly less concerned about damages that might occur from impact or moisture.

But part of the rationale in upgrading to a new phone is often that the older phone can still be sold for some profit. There is probably at least $200 or more of value in my iPhone 5. Is it really worth hanging on to it just for the benefit of being able to easily fit a smaller phone in my running belt?

Now I start to think about the upcoming Apple Watch, and how I will almost certainly convince myself to buy one of those, as well. As you know, the Apple Watch is only moderately useful unless an iPhone is in close proximity. Importantly, the watch itself doesn’t have GPS support but relies upon the phone for this and other functionality. But these specific activities where GPS is valuable, are the same activities that tend to favor carrying a smaller phone. Thus, for sporting purposes, isn’t it lucky that the watch supports pairing with the iPhone 5?

Many of us have reacted with flip disdain for larger phone sizes, but as I said earlier most of the perceived problems have not turned out to be a problem for me thus far. The actual problems however are worth noticing, and will hopefully justify to Apple that a 4″ form factor is worth keeping for the long haul. I still haven’t decided whether to keep the iPhone 5 around “just” for the purposes of running and other sporting activities, but a theoretical 4″ iPhone 7 would certainly get my attention for all the benefits of a smaller size that I’ve described.

]]>
http://bitsplitting.org/2014/09/26/iphone-5-a-form-factor-worth-keeping/feed/ 0
Hotshots http://bitsplitting.org/2014/09/22/hotshots/ http://bitsplitting.org/2014/09/22/hotshots/#comments Mon, 22 Sep 2014 21:59:41 +0000 http://bitsplitting.org/?p=635

I’ve had a pretty successful life. I quit high school when I was 15 only to graduate from college when I was 20. I went straight from college to full-time employment at Apple, where I worked for around 7 years before leaving as a “Senior Software Engineer.” Not wanting to waste any more of my valuable, young life, I leapt from Apple to San Francisco State University, where I earned a second BA degree in Music. In the mean time, I started consulting and established what would evolve away from client work and into the software product company, Red Sweater Software, which sustains me and my family to this day.

In short, I’m a hotshot. When I put it all down in one paragraph like that, even I’m impressed by myself!

But if asked about my “biggest weakness” I would probably say it’s self-deprecation, because I tend to focus more on my own shortcomings than on my talents. I have always known that I am capable, but suffer a great deal of that hard-to-pinpoint impostor syndrome that afflicts so many people. Sometimes I wonder if giving a name to this “syndrome” is only a shorthand reminder that each and every one of us considers him or herself unworthy of credit for what we’ve achieved.

And yet some things I have felt unabashedly smug about over the years. For example, I have always valued my ability to “make things work” under tight constraints. That is to say, I will put almost anything off until the last minute, even if there is no rational reason for doing so. You could say I’m a procrastinator but I think it’s more complicated than that. Even tasks I look forward to and anticipate enjoying might be put off in the name of making them, I don’t know, more dramatic upon their completion? Under psychoanalysis this might reveal an affinity for the adrenaline rush that comes with “following through just in time.” Why write that school paper ahead of time when you can binge on reading and writing the night before it’s due? Why dig into tax-filing research in January when the (US) government gives you until April 15, or if you’re like me, until October 15 to finally file?

There’s something about the thrill of delaying action up until the edge of failure, only to follow through and complete a task in the nick of time, that makes me feel somehow more accomplished. More like a hotshot.

The unfortunate price for this “heroism” is needless anxiety in groping for essay ideas at 3AM, or racing to the post office at 11:50PM the night tax-filing postmarks are due. Or worse, if the hotshot-compulsion extends to one’s personal life, arriving a chronic 5-10 minutes late for appointments because you respect punctuality enough to aim for on-time, but value the thrill of last-minute travel sorcery just a tad more.

Lately I’ve become, on an intellectual level at least, increasingly convinced that real hotshots don’t complete tasks, solve problems, or meet acquaintances at the last minute. I’ve come to envy the folks who file taxes in February, and then proceed to enjoy spring and summer without the increasing weight of that obligation weighing on their shoulders. I respect the college student who studies, drafts, then rewrites an essay a week in advance, so they can truly enjoy their down time outside of class. And I see the Buddha-like wisdom of the person who compulsively leaves for every appointment ten minutes early instead of aiming for the precise moment of departure that will more-or-less ensure their timely arrival.

This post was completed at 5:59PM, because I gave myself 20 minutes to write it when I started at 5:40PM.

]]>
http://bitsplitting.org/2014/09/22/hotshots/feed/ 0
Breach Of Trust http://bitsplitting.org/2014/09/16/breach-of-trust/ http://bitsplitting.org/2014/09/16/breach-of-trust/#comments Tue, 16 Sep 2014 13:34:52 +0000 http://bitsplitting.org/?p=623

There’s a spectrum, as with all things, to the reactions people have had to Apple’s promotional gifting of U2’s new album, “Songs of Innocence.” On one end you’ll hear ridiculous, conspiracy-minded talk about how Apple has violated customer privacy by, you know, giving them a free album. On the other end you’ll hear ridiculous derision of anybody who, even upon careful reflection, finds fault with the way Apple and U2 carried out this PR stunt.

I tend to agree with Marco Arment’s take, both about it being a mistake to overlook the nuances of this situation, and that the nut of the problem, the part especially worthy of scrutiny by Apple’s fans, is the extent to which this move, and the threat of more moves like it, erodes our trust that the company has our best interests at heart.

Hold up a minute, I hear you choking on your disbelief that I could actually believe a giant corporation has my best interests at heart. I get it: to them, in the big scheme of things, I’m nothing. We’re all “nothing.” But their actions over the course of many years tell a different story. Whether they ultimately care about our interests or not, it has been a primary business practice to respect not only customer privacy, but customer primacy. It’s important to Apple that we trust them to safeguard our personal data, but it’s also important that we trust them to let us choose the desktop picture, the system beep sound, and the computer’s name. The notion that Macs, iPhones, and iPads are personalized devices runs deep in Apple’s history and remains a powerful marketing message.

So, many of the people who complained about the U2 album suddenly appearing in their “Purchased” list weren’t outraged by a petty act of gifting an album that they may or may not like. They were instead annoyed, and perhaps a little scared by the implication that Apple doesn’t respect the boundaries that separate “customer stuff” from “Apple stuff.”

I can’t help but draw a parallel between the ongoing debate about the merits of Facebook’s algorithmic timelines vs. Twitter’s (up to now) more-or-less self-curated timelines. Over the course of years, Twitter has trained customers to believe that we have control over our timelines, while Facebook has not. Does it matter in the big scheme of things if Twitter injects an ad here or there, or treats a friend’s favorited tweet as a retweet? Not really. In the same sense that it doesn’t matter much that Apple inserts an unwanted music album into your purchased list. But even a little move in a direction that threatens the primacy of users is a relatively big move for companies like Twitter or Apple, whose track records have inspired us to trust that we retain more authority over the personalization of these products than perhaps we do.

]]>
http://bitsplitting.org/2014/09/16/breach-of-trust/feed/ 0