In her article “I Have a Lot to Say About Signal’s Cellebrite Hack”, the extremely qualified Riana Pfefferkorn argues that Signal’s blog post, “Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective”, could have been a bit more serious and professional:

On the other hand, although this was serious work with a serious point to it, the unseriousness of Signal’s tone in the blog post and video hampered public understanding of the point they were making. You aren’t helping your cause when a reporter can’t tell which parts of your blog post are jokes and which parts are serious, or what you mean by your weird coy phrasing. This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies that are Cellebrite’s customers. They tend to prefer clear communication, not jokes and references to 25-year-old cult films.

To be clear, Pfefferkorn is way more qualified to have an opinion on this than I am. Still, as I said in a Hacker News comment:

Eh, I can’t be bothered to care. Cellebrite hoards 0-days so they can use them to hack phones. They know about exploitable vulnerabilities but aren’t saying anything about them because they profit from insecurity. Thing is, just because Cellebrite knows about a thing doesn’t mean, say, China’s CCP or the Russian mafia or anyone else doesn’t also know about that thing. You and I are less safe just because Cellebrite wants to profit off of those vulnerabilities.

I just can’t work up the ability to sympathize with Cellebrite. The law may have something to say about Moxie’s writing, but in my opinion he has the clear ethical upper ground in this argument.

Pfefferkorn goes on to say:

But if Cellebrite machines stop working reliably, or the evidence obtained from them is hella sus and can’t be relied upon in court, then that safety valve — the ability for the cops to get courtroom-worthy evidence off phones notwithstanding strong encryption — gets plugged up. And closing the safety valve adds more pressure. It’ll become easier for law enforcement to make the case for why smartphone encryption needs to be backdoored.

That may be true, but I contend:

I also disagree with the notion that it’s good that Cellebrite exists because without them we’d have stronger anti-encryption laws. That’s hypothetical and all we know is what we have today. I’m not thrilled that someone is peeing on my basement carpet instead of peeing in my living room; I’d rather not have someone peeing on any of my rugs.

It’s not that I disagree with Pfefferkorn on an intellectual or legal level. She’s the expert. If our factual positions disagree, listen to her, not me. It’s just that I don’t care if Signal was crude in their anti-Cellebrite post. It brought a lot of attention to Cellebrite’s awful ethical stance, and for that I’m grateful to Signal’s CEO, Moxie Marlinspike.

Jellycuts for iOS and iPadOS is 2 things:

1. A text-based language for writing Shortcuts,
2. A compiler that turns the text language into “real” Shortcuts, and
3. An IDE for writing the language.

As a programmer, this is super exciting to me because it feels like I spend too much time fighting against the limitations of the visual language. Now I can use the programming tools I work with every day to write my little applets, and store them in version control so that I can track changes and roll back mistakes.

It’s not a perfect system as the design of the Shortcuts app means that getting the compiled code into it is a little convoluted (but automated and as smooth as possible). That’s on Apple, though, and not Jellycuts. The author has done an amazing job with the tools available to them.

Jellycuts is a game changer. I haven’t gotten far with it yet, but if it works as promised on larger projects, I see it becoming the way I write Shortcuts. Get it at https://apps.apple.com/us/app/jellycuts/id1522625245.

I’ve been using Apple’s Fitness+ service since it came available. It’s still a young product and has lots of room to improve, but its fundamentals are solid. This is what I like and dislike about it.

What I like: doing the exercises

First, the workouts themselves are excellent. They offer exercises I’m not used to, and I’ve found that working with a trainer, even a pre-recorded one that isn’t talking to me personally, motivates me to push harder than I do when I’m working out alone. At the end of a workout I’m exhausted, and the next day my body reminds me that I did something difficult.

This is the litmus test, after all. A trainer that doesn’t challenge and doesn’t push me harder than I would push myself isn’t much of a trainer. Fitness+ meets this requirement in spades.

Second, Fitness+ has a lot of workouts. When it’s time to use one, I want help picking one that’s appropriate to me. The app’s “discoverability” is… decent:

• I pick a type of workout (like strength, core, or yoga) I’d like to try, and use the filter to choose a length of time I’d like to work out. I want to do strength training for 20 minutes? Here’s a list.
• From that list I choose a trainer. This is convenient if there’s one I like and I want to see more of their workouts, but not as helpful for choosing between them. The app makes the trainers’ biographies available but I was overwhelmed with choices the first time.

If I know what workout I want to do, and which trainer I want to work with, Fitness+ is fine.

What I don’t like: finding the exercises

But that discoverability is barely sufficient, and leads to my sole criticism. Fitness+ could and should help me find new workouts that are appropriate for me personally, and today it doesn’t.

Within selections, the main differentiator in a screenful of similar-seeming workouts is the genre of background music. I know people may have strong preferences here but I don’t. As of writing there are 15 “Strength with Gregg” workouts. At a glance, I can’t tell the difference between them. Every screenshot shows exercises for both upper and lower body, even though most workouts target certain muscles. Navigating through each available workout exposes that information but it’s a lot of work when I’m ready to start lifting weights and would rather lift than investigate. Better titles like “Leg Strength with Gregg” would help a lot here.

There’s not an option to like or dislike workouts. I want a recommendation system like Apple Music’s: tell me what I might like based on what I’ve enjoyed, not just what’s similar to what I did last time.

Descriptions of workouts are more vague than they should be. For example, one reads “the focus of this workout is upper body, with a new element added to each move as you go.” But what part of my upper body? I want to know:

• Which exercises a workout includes. If my shoulder hurts, I might want to skip lateral raises.
• Which muscles groups it exercises. Sometimes I’d like to target specific areas like glutes or biceps or shoulders or quads.

If Fitness+ had filters that let me specify that I’d like to work my triceps and lats for 20 minutes, or find one that includes hammer curls because that sounds good today, I’d use it a lot.

Workouts need more audio cues. I spend a lot of effort trying to look at the TV so I can pace myself with the trainer, and would like a consistent signal to complete a rep. I wish the producer would add a chime or beep after each movement so that I could follow along without contorting to see the screen.

Finally, many other Apple apps use Siri to power smart recommendations. Putting all the above together, I’d like to see a Fitness+ notification like “you skipped leg day. Here’s a good leg workout you’ll going to like.” It’s easy to rationalize skipping a workout, but harder when someone’s reminding you that you’ve been a couch potato and giving you personalized suggestions for changing that.

Summary

It’s tricky to find an exercise I want in Fitness+, but that’s because there are so very many excellent ones to choose from. And that’s the important part: once I find workouts I like, they motivate me to work harder than I would on my own. I’ve found the accountability, even if it’s to someone who can’t see me and who I’ll never meet, to keep me moving. I am stronger and healthier for using the app than I would be without it.

Apple Fitness+ may have some rough edges, but for a new service that’s still improving, I’m into it.

I’ve been playing with Hook, an app I’ve started hearing about. It’s an interesting bird, and its own docs didn’t explain why I should want to use it. That’s too bad, because after downloading it and playing around for a few days, I understand why people are excited about Hook.

Let me try my own explanation:

It makes deep links into apps

Hook knows how to talk to a lot of other apps (about 150 as of now) and ask or direct them to do a few things:

• Get the ID of the active item in the app, like the omnifocus:///task/... link of the selected item in OmniFocus.
• Open the item in the app with a given ID.
• Get the name of the active item in the app, like the title of the front tab in Safari.
• Create a new item in the app.

Those first 2 options are interesting because many of its supported apps don’t offer their own URL scheme. You can refer to a web page by its address or an OmniFocus object by its URL as seen above, but Apple’s own Notes app doesn’t offer a way to make a link to a specific note. Hook solves this by offering its own URL scheme. For instance, if I try to open the URL hook://notes/dt/1498065293 on my Mac, it opens the Hook app, which sees that it’s supposed to open the Notes app, and uses AppleScript or JavaScript wizardry to go straight to the desired note. Or consider emails, each with their own unique Message-ID. Hook accepts URLs like hook://email/[Message-ID] and opens them in your favorite mail app, even if you’ve moved the mail to a different folder or switch mail apps since you copied the link.

That’s slick, and if Hook only allowed me to deep link straight into Mail and Notes and Finder and iTerm (!!!) and VS Code (now you’re showing off), it would be invaluable.

It keeps a database of bidirectional links

The “a-ha!” moment was understanding that Hook itself stores links between objects, even if they’re not editable. For example, suppose you’re viewing a PDF and it reminds you of a web page. You can ask Hook to copy the PDF’s location in Finder. When you open the web page in Safari, you can use Hook’s “Hook to Copied Link” action to make a two-way link (the eponymous “hook”) between the PDF and the web page. That is, if you come back to that web page a week later and wonder what PDF it reminds you of, you can press the Hook shortcut and it will pop up a list of all documents “hooked” to that web page. Use the arrow keys to scroll down to the PDF and press enter, then voila!, it opens the PDF for you.

This is the magic in Hook: you can make linkages between resources that aren’t under your own control. You don’t download a webpage and then edit its metadata to link to the PDF. Hook says “oh, when you’re looking at this page, I’ll remember that it made you interested in this PDF”. And even if that PDF can’t be edited to add a link to the webpage, Hook manages that association for you.

In this sense, Hook is like a personal wiki, except that you don’t have to edit a page to associate bits of data and that doesn’t have to be in the same app. You open the first item and press a few keys, then open the second item and press a few more, and now your system knows that you think these 2 items are related and can remind you of that later. That’s powerful. It’s easy enough to make a link from a Things action to its information resources in DEVONthink. Linking from DEVONthink information back to Things so that you can bounce right back to your project planning without lifting your hands from the keyboard? That’s harder, and it’s the true value of Hook.

A note on terminology: giving things a good name is hard, but I might’ve called “Hook to Copied Link” almost anything else. My mind kept reading “Hook” as a noun, as though I were converting it to a “Copied Link” similar to calling “JPEG to PNG” in a graphics program. Instead it’s a verb: “create a link back to the item whose link is in the clipboard” is clearer to me, although too verbose.

It lets you share links with friends and coworkers

Hook is available in a free version that’s focused on opening links, not making them. The idea is that you can send your coworker a link to a file stored in Git or Dropbox, or an email they were Cc’ed on, and they can go straight to it. That’s nifty, but in practice I can’t imagine my friends tolerating this: “hey Tom, I’m going to send you a link, and you’ll need to download this free app from…” “Stop right there.” Hook is cool and I’ve told several friends about it, but I’m not kidding myself about the likelihood of them all installing it.

Maybe I’ll look back on this in a few years and laugh at my own skepticism because it became the universal standard app that everyone uses, but I’m not counting on it.

Licensing

CogSci, Hook’s authors, have an interesting licensing model: if you buy the “essentials” or “pro” version, you can use any new versions that come out within 12 months of your purchase date for free, forever. If newer versions come out with features you can’t live without, you can buy a discounted renewal license that’s good for another 12 months of updates.

I love this idea. I hate renting software, and this is a nice compromise between an unsustainable “buy it once and get free support for the rest of your life” and “keeps working as long as you keep paying”. I wish this licensing model were the norm.

Drawbacks

The few things I dislike about Hook are minor:

1. It’s not available for iPhone and iPad. I’m not sure how an iOS version of Hook would work (perhaps through the Share action? Through drag and drop?), but I wish it were on my favorite mobile platforms. I’m using my iPad for a lot of work I’d would have used my Mac for before and cross-platform tools are splendid. An mobile “Hook Lite” version that supported opening hook:// links would help a lot.
2. I haven’t met another person using it. Although I’ve read articles about Hook, I’m the only person among my friends, family, and coworkers who has it installed. The link sharing idea could be brilliant if it becomes ubiquitous but I don’t want to be its lone evangelist among the people I know, many of whom are still annoyed by my Emacs and Amiga days.
3. CogSci: please ask someone who doesn’t work with you to review your home page. All the information there is technically accurate, but much of it only becomes clear to users who’ve downloaded Hook and experimented with it. If I hadn’t been evaluating the app on the recommendation of a friend, I might not have downloaded it. Your app is cool. Give it some marketing love!

Summary: try it.

I like Hook. I haven’t registered it yet but I’m leaning that way. Again, if Hook only allowed me to create deep links into apps that don’t natively support them, that’s enough reason to buy it. I’m not sold on the life-changingness of the bidirectional links between documents — not because I don’t think it’s an wonderful idea, but because I’m a sucker for things that promise to be the cure for what ails ya and then become disillusioned when they’re not as amazing as I’d hoped. For example, I’d heard that Zettlekasten note keeping is the magic key to life-long productivity, but realized that it’s a nice solution to problems I don’t have. I’m being cautious about Hook for the same reason. But skepticism aside, I think its core conceit that making links between all your related resources is valuable has merit, and Hook makes this easy. I’m still in the trial period my wish is it’s as helpful as CogSci thinks it will be.

Try Hook. I think we’re going to like it.

Updated: November 11, 2022

There are several excellent Mastodon apps for iOS and iPadOS. These are the ones I’ve tried.

Criteria:

• A good app is stable and (at least nearly) crash-free. This rules out a few apps I’ve tried that I’m not including here.
• Mastodon evolves with new features like polls. The best apps are updated with support for these new features.
• I use an iPhone and an iPad. Apps that don’t support both platforms are non-starters for me. It’s possible I could find a brilliant, flawless iOS-only app and a different iPadOS-only app and be happy with the combination, but that’s unlikely to happen. Bonus points for apps that have Mac versions.

Here are my recommendations that mostly meet those requirements.

Metatext

I stumbled across Metatext and I’m glad I did. It feels native in ways that other apps don’t and looks beautiful on my phone and iPad. I’ve used it as my main app since its release and recommend it to all my friends. Development has slowed down recently, but it feels “finished” without any obvious bugs or missing features. If you’re bored with your current app and want to try something new, get Metatext.

Toot!

Toot! is a favorite. It’s rock solid, updated frequently, and good looking on both iPhone and iPad. I suggest this for anyone getting started with Mastodon. The sole thing I don’t love is that it doesn’t always “feel” like a native iOS app, as opposed to say an alternative web interface. I’m picking nits, though: if you stop reading and install Toot!, you’ll be fine. It’s great.

Mast: for Mastodon

Mast looks and feels different from the other popular apps with its multi-column layout, and I appreciate its fresh take on how a Mastodon client can work. It’s a beautiful experiment. I can’t recommend it right now because it has significant bugs, like crashes and timelines which don’t refresh even when you try to manually refresh them. Its author released a popular Twitter app, Aviary, which I suspect has been taking their attention. This means it hasn’t been updated recently and I worry that it might be abandoned. Still, Mast supports iPhone and iPad and Mac and Apple Watch, which is amazing, and I’m watching it to see if the author resumes regular development. I hope they do.

Mercury for Mastodon

Mercury is a gorgeous, new, native-feeling app. I think it’s going to be a good option. It’s iPhone-only today with iPad support on their published roadmap, and I’d like to see that happen because it’s already a solid alternative for people who just use an iPhone. I’m monitoring Mercury’s development, too.

Honorable mention: Linky for Twitter and Mastodon

Linky is for posting to Mastodon, not reading it. I use this brilliant little app for sharing links to interesting websites, photos, or songs I’m listening to. It’s scriptable with x-shortcut-url, so if you’re technically savvy you can use Shortcuts, Drafts, or other apps to post things you’ve written. If you share a lot of content to Mastodon from other apps, Linky is your friend.

See also

Mastodon for iPhone and iPad is the official app brought to you by the people who made Mastodon. In spite of that, it lacks (or at least hides) vital Mastodon features, such as the local timeline. It’s ok if you’re joining one of the large, generic instances like mastodon.social that don’t have meaningful local communities, but offers a substandard experience on cozier instances.

This morning the US Supreme Court ruled for Google in Oracle’s case against them. This is wonderful news for American software engineering as the opposite ruling would have been disastrous for the entire industry.

Consider a comprehensive, albeit farfetched, analogy that illustrates how the API is actually used by a programmer. Imagine that you can, via certain keystrokes, instruct a robot to move to a particular file cabinet, to open a certain drawer, and to pick out a specific recipe. With the recipe in hand, the robot then moves to your kitchen and gives it to a cook to prepare the dish. This example mirrors the API’s task-related organizational system. Through your simple command, the robot locates the right recipe and hands it off to the cook. In the same way, typing in a method call prompts the API to locate the correct implementing code and hand it off to your computer. And importantly, to select the dish that you want for your meal, you do not need to know the recipe’s contents, just as a programmer using an API does not need to learn the implementing code. In both situations, learning the simple command is enough.

I think that’s a great analogy, if I do say so myself.

I think Copied is the best clipboard manager available for Apple devices.

I use Copied constantly. It lets me copy 3 different things I see on a web page, then quickly paste them into a text editor without bouncing between the two apps several times. It lets me search my history for stuff I’ve copied earlier, even if I’ve done other things since then. It’s one of the first apps I install on a new device.

I have a few a hard requirements for a clipboard manager:

• It must sync across all my devices. Sometimes I start work on my iPad, or even my iPhone, and later move to a Mac. Other times I start on my Mac then switch to a portable device. I want the things I’ve copied to be available in all these places.
• It has to be rock solid. When I’ve become used being able to access my clipboard history, and then discover it’s not available because the app has crashed and hasn’t been recording, I’m not happy.
• It’s got to be quick. If I’m in the zone working on a project, I want to summon the app with a key press, select the item I want to paste with my keyboard, paste it with my keyboard, then have the app go away.
• The user interface has to be simple. See above. A clipboard manager is a tool that I want to use for one thing and have it disappear until the next time I need it. I don’t want to spend more time playing with its interface than is necessary. It’s not an app I’m going to have open for a while as I poke around in it.

Copied meets all those requirements, and a one time $6 purchase (with family sharing!) covers Mac, iPad, and iPhone apps that sync together with iCloud. It’s simple, quick, reliable, and available everywhere I work. And did I mention it’s a one time purchase? There’s nothing more I could want.

Note that development had paused for a long time after its version 3 came out, and the app stopped working on macOS Catalina. In late 2020 the author released an updated version 4 that works perfectly with Catalina and Big Sur. A few old reviews lament that it broke with an OS upgrade but that’s old information.

If you’ve wished you could copy several things in a row and paste them, or recall something you copied last week, install Copied. It’s great.

Alternatives

Apple’s own Universal Clipboard is excellent, but limited: it uses only Bluetooth to sync directly between devices and requires them to be near each other, it doesn’t keep a history of previously copied items, and it doesn’t support older devices. You can’t beat free, though.

Paste is another great app, but it has two things I don’t like:

• The user interface is pretty but much more complex. This is a matter of personal taste but I find it too powerful. Again, I want to pop in and out of a clipboard manager as quickly as possible, and don’t want anything that slows this down or breaks me out of my thinking.
• It’s hella expensive at $10 per year, or $15 per year for the family plan. That’s way more than I want to spend for a utility that spends almost all its time in the background.

Pastebot is a wonderful Mac-only app. If it had iOS and iPad apps that it synced with, I’d have a hard time deciding between it and Copied. Alas, it doesn’t.

Gladys, Anybuffer, Yoink, and Unclutter are beautiful shelf apps, but are way more complicated than I want in a clipboard manager, and not as good at that specific task as the dedicated apps are. Several of these don’t have cross-platform sync.

Update 2022-03-29: From what I can tell, Copied is dead. Its web page is empty and it’s no longer available in the app store. That’s a pity and I miss it. Until a better option comes along, I’ve bitten the bullet and subscribed to Paste.

Progress bars suck at predicting how long things will take. I’ll tell you what I want (what I really really want): a system-wide resource that receives a description of what the progress bar will be measuring and uses it to make an informed estimate the entire process’s duration. For example, suppose that an application installer will do several things in series, one after another. Perhaps an explanation of that process could be written in a machine-readable format like this:

vendor: Foo Corp
name: My Cool App installer
stages:
- Downloading files:
  - resource: internet
    size: 1000  # Number of MB to download
- Extracting files:
  - resource: disk_read
    size: 1000  # Size of the downloaded archive file, in MB
  - resource: disk_write
    size: 2000  # Size of the extracted archive file, in MB
- Copying files into place:
  - resource: disk_read
    size: 2000  # Now we read the extracted files...
  - resource: disk_write
    size: 2000  # and copy them elsewhere.
- Configuring:
  - resource: cpu
    size: 100  # Expected CPU time in some standard-ish unit

Because I’ve used the progress bar resource before, it knows about how long each of those things might take:

• Since I’m currently on my fast home Internet, that download will probably last about 20 seconds.
• I have a fast SSD, so the “Extracting files” step might be 6 seconds long.
• “Copying files into place” will run at about the same speed, for another 8 second.
• My shiny new CPU can chew through 100 CPU units in 10 seconds.

Ta-da! The whole installation should run about 44 seconds. When the installer runs, instead of updating the progress bar manually like

update_progress_bar(percent=23)

it would tell the resource how far it had gotten in its work with a series of updates like

update_progress_bar('Downloading files', internet=283)
...
update_progress_bar('Copying files into place', disk_read=500)
update_progress_bar('Copying files into place', disk_write=500)
...
update_progress_bar('Configuring', cpu=30)

The app itself would not be responsible for knowing how what percent along it is. How could it? It knows nothing about my system! Furthermore, statistical modeling could lead to more accurate predictions with observations like “Foo Corp always underestimates how many CPU units something will take compared to every other vendor so add 42% to their CPU numbers” or “Bar, Inc.’s website downloads are always slow, so cap the Internet speed at 7MB/s for them.” Hardware vendors could ship preconfigured numbers for new systems based on their disk and CPU speeds where the system can make decent estimates right out of the box. But once a new system is deployed, it gathers observations about its real performance to make better predictions that evolve as it’s used.

We should be able to do a much better job at better job of guessing how long it’s going to take to install an app. This solution needs to exist.

To sign kids up for our city’s Little League baseball program, you have to prove that they’re residents, which is reasonable. What’s not reasonable is the amount of information you have to provide on the registration website. You have to upload scans of a document in each of 3 categories:

Proof of Residency 1 Choose one of the following: Driver’s license, School records, Vehicle records, Employment records, Insurance documents

Proof of Residency 2 Choose one of the following: Welfare/child care records, Federal records, State records, Local records, Support payment records, Homeowner or tenant records, Military records

Proof of Residency 3 Choose one of the following: Voter’s registration, Utility bills, Financial records, Medical records, Internet, cable, or satellite bills

That alone is ripe for identity theft, but couple it with their privacy policy which includes this (emphasis mine):

Without limitation, this typically requires the use of certain personal information, including registration data, event data, and other personal information, to provide program information, special offers or services through Little League and/or its trusted sponsors, partners, or licensees, to fulfill your requests for information or products/services, to maintain a list of verified and eligible participants, to maintain a list of volunteers and provide them with the operating tools to manage leagues, or to respond to your inquiries about our programs.

In other words, you have to upload your most private information and agree to allow them to do as they like with it, including sharing it with whomever they like for any reason they choose.

This is unacceptable.

Update 2021-05-20

I contacted the company that manages Little League’s registrations and asked them to delete the documents I uploaded in order to sign up. They replied that their policy is to do that as soon as they’ve been evaluated. I asked the company to verify that they’d deleted our documents specifically. They replied with a video demonstrating that the files were no longer available. Great! The video included the PII of the families on either side of us on the list. Not great!

And that’s one big reason why I didn’t want to trust them with our information in the first place.

My favorite new command is zoxide. It’s like a faster z, autojump, or fasd.

In summary, it learns which directories you visit often with your shell’s cd command, then lets you jump to them based on pattern matching. In the event of a tie it picks the one you’ve used most frequently and recently. For instance, if I type z do then it executes cd "~/Library/Application Support/MultiDoge" for me because that’s the best match for “do” in recent history. An optional integration with fzf lets you interactively search your directory history before jumping to one.

It’s lightning fast and integrates perfectly with common shells (even Fish which is my favorite).

I didn’t even know I’d been missing a tool like this.