Apple Card's still broken after Apple broke it
After Apple broke my Apple Card yesterday, I thought I’d found the correct, undocumented, undiscoverable way to update the App Store to use my new card information. Nope. Apple is still declining transactions from their own card after they unilaterally decided to change it.
I’m anticipating the moment they tell me they’ve canceled my account for nonpayment. What an unnecessary mess.
Apple updated my Apple Pay so that I couldn't pay Apple
I got an email this weekend that Apple was updating my Apple Card’s expiration date. The old date would work for purchases through the end of the year.
Today Apple Music said I can’t play songs until I update my payment info. I clicked the offered button and got an unworking form with unlabeled, required fields.
When I guessed the right value for the unlabeled field (which wasn’t asking for my name; it didn’t allow me to type a space character), it told me it already had that card information on file. I closed that and went into System Settings > me > Payment & Shipping. There was no way to update the payment information there. A quick trip to Kagi said I have to update that through the App Store app instead.
So I went into that app and clicked Manage Payments. It prompted me to enter my credit card info there. That didn’t work, once again because that card was already on file. I clicked the Back button on that form and it took me to a different screen I hadn’t seen before that listed my payment methods. The form on the new screen wouldn’t let me edit my Apple Card, but it did allow me to delete that card altogether and add it right back. That seems to have been the right combination of incantations. I can listen to music again.
To recap:
- Apple made changes to my Apple Card.
- They didn’t apply those changes to their own internal system.
- The prompt for me to do it myself didn’t work.
- Neither did the second place I tried.
- Neither did the third.
- …until a random button click took me to the hidden screen I needed in the first place.
Does anyone at Apple use this themselves? I’m doubtful.
Last night we said goodbye to Gigi after a sudden medical event. She went to sleep surrounded by a heartbroken family who loved her very much.
Goodnight, sweet pup.
If you want to really understand how Internet protocols work, I heartily recommend writing your own on top of UDP. You don’t have to work in the kernel. You can use just about any language you want. You can make it as simple or complex as you desire. Try it sometime! It’s instructive.
I was making the bed while the cat lay on it, surfing the waves of bedding as I shifted things around carefully to avoid chasing her off. Then it struck me that I’ll never be able to make the dog into the bed again, which was one of her favorite things. That hit unexpectedly hard.
Miss you, girl.
The comet C/2023 A3 Tsuchinshan-ATLAS as taken from our suburban back porch right in the middle of the Bay Area. It was easily visible to the naked eye. If you haven’t gone outside to look at it yet, do it!
Silent Hill 2 is not fun. It’s beautiful. It’s immersive. It’s engaging. But it’s not fun. Everything that happens comes back to your decision to do this to yourself. No one forced you to go there. To ignore the warnings. To follow a fog-enshrouded vaguely human but not quite shape through a gore-smeared hole in the base of a wall. You chose to. And now there are consequences.
It’s excellent and you should totally play it. I can’t say you’ll exactly enjoy it, though.
Python 3.13 launched today. I’ve done it. I’ve lived long enough to see a less-GIL’ed Python released to the public. Until now there’s been an unvirtuous cycle:
Python isn’t good at running CPU-intensive threaded code. → No one writes code like that. → There was no pressure to remove the GIL because no one writes code that would benefit from it. → Repeat.
I hope this is the first giant step toward good Python multithreading.
Ugh, “walkable” cities. 🙄
To get dinner, we had to:
- Walk a couple of blocks
- Pause for my wife to pet a dog
- Watch sunset at a table behind a taqueria
- …where my wife had to pet another dog
- Stroll past the monthly outdoor fest with live bands and a bunch of vendor booths
- Wait for my wife to pet a dog again
- Walk back past the European market, where we walked in to get dessert snacks
- …and for my wife to pet the owner’s dogs
Simply intolerable.
Google writes safer code with Rust
From “Google hails move to Rust for huge drop in memory vulnerabilities”:
In Google’s own shift towards using memory safe programming languages there has been a significant drop in the number of memory-related vulnerabilities, with memory safe vulnerabilities down to 24% in 2024 - a stark contrast from 2019 [76%] and well below the industry norm of 70%.
Memory safety is not the same as safety. You can still write bad logic in any language. It “just” gets rid of the majority of bugs so that programmers can concentrate on the more interesting parts.
Also, yes, of course you can write safe C code. No one with a large codebase ever has in practice, but it’s at least hypothetically possible. Wouldn’t you rather not have to, though?
It astounds me that in 2024 there’s no canonical way to select which CSS to use for a web browser on a phone screen. You have to guess at how many CSS pixels wide your target device is. If next year’s device is any larger than a hardcoded threshold, they may get your desktop layout instead.
I know there are people who’ve made their careers out of memorizing all the edge cases of this monstrosity. Those are lifetimes lost to toil because no one can agree on an official way to look nice on a cell phone, or the one true way to center an image. It’s madness.
The fine folks who make iA Writer wrote about their challenges supporting Android.
My first impressions:
- I’m glad Google is taking user privacy so seriously.
- …but I didn’t know it was so Kafka-esque for developers to comply with their requirements.
I hear “why would devs ever tolerate Apple’s App Store shenanigans when Android is right there?” Well, because the grass isn’t always greener.
Ideally, both Apple and Google would make it easier for devs. Nothing about this requires either’s processes to be more complicated than they inherently are. As it stands today, both shift a lot of extra effort and compliance guesswork onto developers.
My Raspberry Pi 4 started running hot when I moved it from a freestanding case to a fanless server rack. I’d often SSH in and see it idling at 65C or warmer, with log messages showing it had been thermally throttled. That’s not great.
I just bought an Argon Fan HAT. I installed it and fired up a large Rust compile with 4 concurrent jobs. 20 minutes later and the RPi averaged about 54C with no throttling.
Get your Pi a fan. It wants one very much.
So we were all talking about Palm Pilots, and someone mentioned that they’re available dirt cheap off eBay.
Sigh. I didn’t need this, but it arrived today anyway.
Frankly, a lot of the IIIxe’s assets hold up well. One hardware button press and the relevant app is open and ready half a second later. My fingers remember how to write Graffiti. No notifications, except calendar event reminders I configured. I’ve used less productive devices all too recently.
BetterDisplay Pro fixed my multi-monitor pet peeve
I have a 32" monitor and a 27" monitor on my desk. Don’t ask. But although they’re different sizes, they both have the same native 3840x2160 resolutions. The 27" just has smaller pixels.
This is fine 99% of the time. When I’m working away with different windows open on each screen, all is peachy. It’s only slightly annoying that the menu bar on one screen is a tiny bit larger than on the other, but I’m tough. I can live with that.
What I can’t tolerate is that it’s impossible to exactly line up graphics across the 2 monitors. If I flick my mouse cursor from one to the other at the top of the screen – I have the physical screen tops aligned at the exact same height – it flies smoothly over the gap. If I try the experiment near the bottom, the cursor jumps in altitude as it crosses the border because “2000 pixels down from the top” is a farther distance in inches on a 32" monitor than on a 27" screen. And if I dare drag a window from one screen to the other, its position and size change as it crosses over. This will not do.
A friend recently nudged me to look at BetterDisplay Pro, and my life is better for it. It has exactly one feature I care about: the ability to enter a custom screen resolution, which I can then select from the normal Displays system setting. I did these things in order:
- Installed BetterDisplay Pro.
- Looked up my monitors’ specs. One has pixels .1554mm square. The other’s are .1810mm square.
- Computed a new resolution for the smaller monitor. I was running the larger monitor at a virtual resolution of 2560x1440 because at full res I’d need a telescope to read this text. I multiplied those numbers by .1554/.1810 to get a new resolution of 2196x1236.
- Added that to BetterDisplay Pro as a custom scaled resolution.
- Opened Displays and selected the new resolution.
- Dragged windows back and forth between the 2 in unadulterated joy as they’re now the same physical size on both monitors, and both the tops and bottoms of windows exactly line up as they cross over.
Wow, wow, wow. After many long months of mortal anguish, that annoyance is completely gone. My monitors play nicely together as I always wished they would.
Note: Yes, now there’s a slightly different nit, in that it slightly irks me that my resolution has a very strange non-integer scaling factor of 180:103. I don’t care. I can live with it. macOS still sends a 3840x2160 signal to the displays, and the pixels are so tiny that I can’t visibly tell it’s not running at native resolution. Of course, that non-integer scaling might slow the display down very slightly, but this is on an M1 Max system and why pay for the TFLOPS if you’re not going to use them? It’s totally worth the tradeoff.
When we got this kitty, she was darn near feral. Now she won’t leave me alone.
The coffee shop is fine
I hear too many acquaintances worry that employees might work from a coffee shop or other public network, putting their whole company at risk. So what if they do? The idea that a coffee shop’s Wi-Fi is insecure implies that there’s a mythical “secure” network that can be trusted with the company’s secrets. That’s almost never true.
Work-from-home employees are on a tame home Wi-Fi setup, right? Don’t count on it. Is their gear current? Are they sharing Wi-Fi with their neighbors? Are they using their apartment building’s network? Who’s their ISP? Although their home setup might – or might not – have fewer people on it than the local cafe’s, that doesn’t make it trustworthy.
What about the employees we coerced into returning to a legacy office and using its Wi-Fi? Oh. You mean that named network that sits around with a target on its back as belonging to important people? Unless you manage your own office, and it’s in a Faraday cage blocking all outbound or inbound radio signals, and you pretend that MAC filtering is a security feature, and all your equipment is patched with the latest security updates, and you have guards walking around with fox hunt antennas to spot rogue access points, it’s not substantially better in the ways that count. If you can read this at work, at least a few of those assumptions are likely wrong.
The idea of a “trusted network” is dead. It’s time we stop pretending. If an employee can be compromised at the coffee shop, they can be compromised at the office. We have to design our defenses as though our staff are working from the free network at DEF CON. That means making sure all employee devices and servers are patched. That all connections are encrypted, even those between internal systems. That authentication uses cryptography, not passwords. That we don’t pretend that “route all traffic” VPNs are a good idea. That we don’t rely on allowlisted IPs as a critical defense. That we don’t trust any network our employees might use, and that our systems are robust enough to endure hostile environments. Yes, even the ones we tell ourselves are safe.
And if we’re not comfortable with our coworkers typing away next to a fresh latte, it’s our responsibility to figure out what part of that bothers us and then fix it. The issues that would make that scenario dangerous affect the “secure” office, too.
It’s an Aperol spritz kind of afternoon.
I found an odd control in AWS Security Hub’s CIS Benchmark 3 findings. It reports “IAM Access Analyzer external access analyzer should be enabled”, even if it is enabled in another account with organization-wide scope. Support’s advice is to disable the control.
Fine. It seems like an edge case, although maybe a common one for orgs with multiple accounts. I’m OK with silencing the false positive since we monitor that other account with its own CIS Benchmark 3 report.
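An added example, not from the original post or from AWS: a check to run before silencing that control, confirming that an organization-scoped external access analyzer really is active in every region you use. It assumes the input is the `analyzers` list from `list_analyzers()` collected per region in the account that hosts the organization analyzer; the account ID, analyzer names and region list are constructed placeholders.

```python
# Analyzers are regional, so coverage has to be confirmed region by region.
ORG_ANALYZER_ACCOUNT = "111111111111"  # placeholder: account hosting the org analyzer
ARN = "arn:aws:access-analyzer:{r}:{a}:analyzer/{n}"

# Constructed sample: region -> `analyzers` list shaped like the response of
# boto3.client("accessanalyzer", region_name=region).list_analyzers()
SAMPLE = {
    "us-east-1": [
        {"arn": ARN.format(r="us-east-1", a=ORG_ANALYZER_ACCOUNT, n="org-external"),
         "type": "ORGANIZATION", "status": "ACTIVE"},
    ],
    "eu-west-1": [
        # Unused-access and account-scoped analyzers do not give org-wide
        # external access coverage.
        {"arn": ARN.format(r="eu-west-1", a=ORG_ANALYZER_ACCOUNT, n="org-unused"),
         "type": "ORGANIZATION_UNUSED_ACCESS", "status": "ACTIVE"},
        {"arn": ARN.format(r="eu-west-1", a=ORG_ANALYZER_ACCOUNT, n="local"),
         "type": "ACCOUNT", "status": "ACTIVE"},
    ],
    "ap-southeast-2": [
        # Right type, but not running.
        {"arn": ARN.format(r="ap-southeast-2", a=ORG_ANALYZER_ACCOUNT, n="org-external"),
         "type": "ORGANIZATION", "status": "FAILED"},
    ],
}

def covers_org(analyzer, owner_account):
    """True for an ACTIVE organization-wide external access analyzer owned by owner_account."""
    parts = analyzer.get("arn", "").split(":")
    owner = parts[4] if len(parts) >= 6 else ""
    return (analyzer.get("type") == "ORGANIZATION"
            and analyzer.get("status") == "ACTIVE"
            and owner == owner_account)

def uncovered_regions(analyzers_by_region, owner_account, required_regions):
    """Regions where no analyzer gives organization-wide external access coverage."""
    return [region for region in required_regions
            if not any(covers_org(a, owner_account)
                       for a in analyzers_by_region.get(region, []))]

def may_suppress_control(analyzers_by_region, owner_account, required_regions):
    """Suppress the finding only when every required region is covered."""
    return not uncovered_regions(analyzers_by_region, owner_account, required_regions)

if __name__ == "__main__":
    regions = ["us-east-1", "eu-west-1", "ap-southeast-2"]
    print("uncovered:", uncovered_regions(SAMPLE, ORG_ANALYZER_ACCOUNT, regions))
```

With the sample data the control stays enabled, because two regions lack an active organization analyzer; the finding is only a false positive where this check comes back clean.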
We went to the local swap meet across the channel from the Port of Oakland. Photos don’t do justice to the enormousness of the container ships moored here daily.