Introducing "Free Agents" ¬


Jason Snell introducing the new Free Agents podcast he’s co-hosting:

For a long time Mac Power Users co-host David Sparks and I would meet when I was visiting southern California and we’d talk about how our jobs were grinding us down. Then all of a sudden, he and I were both out on our own and grappling with any number of issues involving being independent workers after 20 years of working in a traditional job.


If you’re interested in hearing us talk about the issues around being an independent worker, check it out. The show will be short and appear fortnightly, and we’re hoping to do two short topic-based episodes followed by an interview with an independent working person.

Naturally, this subject matter is now near and dear to me. The first episode was a good, solid, quick listen.

New attack bypasses HTTPS protection on Macs, Windows, and Linux ¬


Dan Goodin writing for Ars Technica regarding a web browser proxy protocol issue that can expose full URLs of webpages you’re browsing, even over HTTPS:

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD (short for Web Proxy Autodisovery) in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week’s Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.


With the exception of the full URL, all other HTTPs traffic remains unaffected by the attack. Still, in some cases, disclosure of the URL can prove fatal for security. The OpenID standard, for instance, uses URLs to authenticate users to the sites and services that support it. Another example is document sharing services, such as those offered by Google and Dropbox, that work by sending a user a security token that’s included in the URL. Many password-reset mechanisms similarly rely on URL-based security tokens. Attackers who obtain such URLs in any of these cases are often able to gain full access to a target’s account or data.

Good to be aware of and yet another reason to be especially careful when using public WiFi. Fortunately, web browsers could mitigate this:

Still, browsers can largely work around the vulnerability by following the lead of Microsoft’s Edge and Internet Explorer 11 browsers, which invoke the FindProxyForUrl function with URLs that are truncated to host names only, as opposed to full URLs, which may contain authentication tokens or credentials.

Santa: A binary Whitelisting/Blacklisting System for Mac OS X ¬


While developed internally by Google, Santa is not their Santa Tracker:

Santa is a binary whitelisting/blacklisting system for macOS. It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server.


Santa is written with the intention of helping protect users from themselves. People often download malware and trust it, giving the malware credentials, or allowing unknown software to exfiltrate more data about your system. As a centrally managed component, Santa can help stop the spread of malware among a larger fleet of machines. Additionally, Santa can aid in analyzing what is running in your fleet.

While it’s not 1.0 yet, this is definitely a project for macOS (née OS X) administrators to watch.

Managed Preferences (MCX) was deprecated way back in OS X 10.8 Mountain Lion, though it still works in OS X 10.11 El Capitan, and is the only other way I’m familiar with for blacklisting or whitelisting apps on OS X. MCX settings can even be applied using Profiles via your favorite deployment method (mcxToProfile is a handy tool for that). Unfortunately, I’ve found it to be very problematic and unreliable in practice (often needing to resort to whitelisting entire folders, which is not particularly secure), so this is a very welcome addition to the macOS management toolset. The ability to monitor binary usage across clients is another huge benefit.

Lepton Image Compression: Saving 22% Losslessly from Images at 15MB/s ¬


Two weeks ago Dropbox made a fascinating announcement of a new “streaming image format”:

Lepton achieves a 22% savings reduction for existing JPEG images, by predicting coefficients in JPEG blocks and feeding those predictions as context into an arithmetic coder. Lepton preserves the original file bit-for-bit perfectly. It compresses JPEG files at a rate of 5 megabytes per second and decodes them back to the original bits at 15 megabytes per second, securely, deterministically, and in under 24 megabytes of memory.

We have used Lepton to encode 16 billion images saved to Dropbox, and are rapidly recoding our older images. Lepton has already saved Dropbox multiple petabytes of space.

I’m not a fan of the JPEG image format, but since it’s so pervasive and everyone is taking and storing so many photos at this point, this is important and very impressive. Read the full post on the Dropbox Technical Blog for all the technical details. Lepton is open source under the Apache license and available on GitHub, so we all benefit.

[Via TechCrunch]

The iPad Paradox ¬


Michael Gartenberg writing for iMore:

I know many smart folks, folks who aren’t remotely Apple fanboys like Steven Sinofsky, who barely use their Macs (or Surface) but do use an iPad Pro.

I’m using my iPad Pro as my primary computer as well, and almost everyone I’ve shown it to has bought one. Yep, bought one … or tried to steal mine. Clearly, there are a lot of people who would buy an iPad.

So why aren’t the sales higher? I think iPad is suffering from the “TiVo paradox.”

Having switched to just an iPad mini for my personal computer, I’ve been wondering the same. Before departing Small Dog Electronics I began wondering why companies are not switching most desktops and laptops out for iPads in droves.

I agree with Michael’s conclusion.

An Affiliate Link Tagging Textpattern Plug-in ¬


Now that I’m independent and posting more frequently, I’ve joined the iTunes Affiliate Program to help the site earn its own keep. I host this site on Textattern, an excellent, light weight, and very flexible CMS (Content Management System) and—wanting to work smarter, not harder—decided to write a plug-in that could automatically rewrite any iTunes/iBooks/App Store affiliate URL I post in an articles using my iTunes Affiliate Program ID. This will make it easier to just copy links to music, books, or apps from the appropriate store and not have to run them through a different tool to appropriately tag them to hopefully earn a little commission.

Let me introduce the new mta_affiliate Textpattern plug-in. It’s a simple plug-in which, once installed, gives you a pair of preferences to enable URL rewriting and enter your iTunes Affiliate Program affiliate ID. It provides a <txp:mta_affiliate></txp:mta_affiliate> container tag which you can then use in your pages/forms to automatically rewrite any iTunes Affiliate Program URL (“clean” or “legacy”, see Advanced Affiliate Linking) contained within (including those produced by other Textpattern tags). In my case, I wrapped my article bodies with this tag, as well as a some custom fields which I generally store URLs in and output from.

I had previously developed similar functionality for Small Dog Electronics, though not in the same way, so this is far from my first time working with iTunes Affiliate Program URLs or the concept of parsing & rewriting URLs within content. I intend to support further affiliate programs in the future.

Download the latest version from the development page, the GitHub project, or You can get usage assistance, report any issues, and request additional affiliate programs support in the Textpattern Plugin support forums.

Neon Drive and Demoscene Roots ¬


Neon Drive is a fun, retro-futuristic game for iOS which I reviewed for the 959th issue of Small Dog Electronics’ Kibbles & Bytes newsletter back in November:

It’s not a traditional racing game, but, to quote the web site, it’s a “slick retro-futuristic obstacle-dodging game”. The graphics have a neon retro-futuristic theme (think the Tron movies) with some fun visual effects and the music has an 80’s techno/tracker feel to it. One of the best parts of the game to me is the fact that the game is timed to the music, or the music to the game, and so it becomes very immersive if you put on headphones and get into the flow. You can really build your muscle & auditory memory to get through it. That’s not to say it’s too easy as it switches up the gameplay styles for an effective challenge.

Neon Drive screenshot

The combination of the visual effects and music style hearkens back to the demoscene, for me anyway.

They’ve since expanded the levels and now have Mac (Mac App Store or Steam) & Windows (Steam) versions. Check out the Neon Drive website for more extras like the soundtrack and desktop pictures.

Oh, and don’t forget to read my original, full review in Kibbles & Bytes for a bit of demoscene history.