{"version":"https://jsonfeed.org/version/1","title":"Matthew Price","home_page_url":"https://mattprice.me/","feed_url":"https://mattprice.me/feed.json","author":{"name":"Matthew Price"},"items":[{"id":"https://mattprice.me/2020/razer-data-security-update/","title":"Razer Data Security Update","date_published":"2020-09-21T06:00:00-04:00","date_modified":"2022-12-04T17:47:55+01:00","url":"https://mattprice.me/2020/razer-data-security-update/","content_html":"
Dear Sir/Madam,
\n\n\n\n\nWe were recently made aware of a server misconfiguration that potentially exposed certain customer information from our eCommerce online platform for a short period of time.
\n
Translation: “We definitely leaked your personal information to the world. Those bastards at Google even picked it up, so now it’s cached forever.”
\n\n\n\n\nThe server misconfiguration had been fixed on 9 September, 2020, prior to the lapse being made public and there is no indication of any unauthorized access to the information.
\n
“We have no idea when we fucked up, but it was probably when we first set up the server. We didn’t realize we should disable public access to Elasticsearch, so we also have no clue if anyone accessed your information. Our lawyers say that’s a good thing: no proper security logs means we also have ‘no indication of any unauthorized access.’”
\n\n\n\n\nThe server misconfiguration potentially exposed order details, customer and shipping information.
\n
“We definitely leaked your name, where you live, and everything you’ve ordered from us before. You should make sure you lock your doors.”
\n\n\n\n\nFor avoidance of doubt, no sensitive information such as credit card numbers, bank account details, national identification numbers or passwords was exposed.
\n
“Listen, I know you’re upset, but we could have fucked up even worse.”
\n\n\n\n\nIn addition, no other information from the servers for our other software or services was exposed.
\n
“We spent a lot more effort on Synapse 3 than we did protecting your personal information, and no one has ever complained about it. The files on your computer are probably fine. You only use it for gaming, right?”
\n\n\n\n\nWe sincerely apologize for the lapse and have taken all necessary steps to fix the issue as well as conduct a thorough review of our IT security and systems. We remain committed to ensuring the digital safety and security of all our customers.
\n
“We are committed to saying whatever it takes for you to keep buying gaming hardware from us, and not much else. I assume you’ve stopped reading by this point.”
\n"},{"id":"https://mattprice.me/2020/sysdiagnose-wifidiagnostics-logs/","title":"How I Ended Up With 70GB of WiFiDiagnostics Logs","date_published":"2020-07-06T06:00:00-04:00","date_modified":"2022-12-04T17:47:55+01:00","url":"https://mattprice.me/2020/sysdiagnose-wifidiagnostics-logs/","content_html":"Sometime this winter, I noticed sysdiagnose would randomly max out my CPU and generate WiFiDiagnostics logs in /private/var/tmp/. This happened the most on my work computer, resulting in over 70GB of log files before I discovered them and cleaned them out. Both my work and home computers are connected to ethernet, so with no logical reason for this to happen, I resigned myself to living in log hell and worked on ways to automatically remove them.
Last month, I finally got frustrated enough to search for a proper solution. After toying around with search terms, I ran across a StackOverflow post with my answer:
\n\n\n\n\nIt looks like cmd+ctrl+option+shift+w triggers a WiFi Diagnostics session.
\n
Ah ha! So a keyboard shortcut introduced in macOS Catalina was the culprit.
\n\nI use an application called Karabiner Elements to remap my Caps Lock key to a hyperkey (Control+Option+Command+Shift), and I use the hyperkey to quickly swap between applications. Hyperkey+W was set to my email client, which I open several times a day during work. Every time I opened my email, I was unwittingly generating hundreds of megabytes of WiFi Diagnostic logs. I’m slightly disappointed I didn’t notice the pattern.1
\n\nI spent some time searching for a way to disable the diagnostics shortcut, but I never found one. I eventually gave in and changed my email shortcut to something else.2
\n\nDear Apple,
\n\nIt would be nice to see a notification that WiFi Diagnostics is running whenever you trigger the keyboard shortcut. ↩
\nI should also note that Control+Option+Command+Shift+. will trigger a different set of diagnostics, although this one opens Finder to the log file once it’s finished. ↩
\nThis has been a rough year, and we’re not even halfway through. I’m tired of reading the news because each day brings another depressing event. I’ve started quickly scrolling past to the happier posts, but many people can’t do the same. They can’t escape from their sick loved ones, or the color of their skin, or their gender, or their sexuality, or the natural disasters that have upended their lives.
\n\nI can, at least for now, and it’s likely you can too. I can work from home and pay to have my groceries delivered, reducing my chances of getting sick. I can turn off the news and ignore the protests that are occurring half a world away. I can turn on my TV and watch movies and play games, worrying about what to buy next instead of how to afford my mortgage.
\n\nIt’s important to recognize what a luxury that is. Someone is out there delivering my food so they can pay for their own. Someone is out protesting in the street, fighting for their life, in the US, and Hong Kong, and India. Someone is trying to recover from a fire that took everything from them.
\n\nGive back to the people who aren’t as privileged every chance you get. You have plenty of causes to pick from this year, and there are a lot of people who could use your help with a fresh start.
\n"},{"id":"https://mattprice.me/2020/notarization-rundown/","title":"A Quick Rundown on Notarization","date_published":"2020-06-08T06:00:00-04:00","date_modified":"2022-12-04T17:47:55+01:00","url":"https://mattprice.me/2020/notarization-rundown/","content_html":"I periodically get asked about Apple’s notarization requirements, so I thought I’d amass my knowledge in one place that I can link people to when they have questions. This is not an extensive overview, but I’ve tried to strike a balance between technical and understandable. Hopefully you’ll find it useful, especially if I’ve just sent you this link.
\n\nStarting with macOS Catalina (10.15), applications that are not distributed through the Mac App Store must be notarized by Apple. In short, after building an application, you need to upload the build to Apple, have them sign it with their certificate, and then download a receipt from them which gets stapled to the application to show that it is notarized. During this process, Apple verifies the application does not contain malware.
\n\nImportantly, you can only staple notarization receipts to packaged applications, which are basically fancy folders containing the application’s files. It is not currently possible to staple a receipt to a standalone executable since there is nowhere to store it. The only workaround is to convert the executable into a packaged application.
\n\nWhen most applications are run (see below for exceptions), Apple will verify the stapled receipt. If a receipt wasn’t stapled to the application, macOS will check with Apple’s servers to see if the application is notarized. If a receipt exists, or the server responds positively, then the application will run normally. If both checks fail, macOS will display an error and refuse to run the application.
\n\n\n\nNotarization is built on top of a technology called Gatekeeper, which is built on top of extended file attributes. Starting with OS X 10.5, files downloaded via certain methods, such as a web browser, receive a quarantine flag. When users launch an application, Gatekeeper checks for the quarantine flag. In macOS 10.15, if the quarantine flag is present, Gatekeeper will verify the application is notarized and prevent it from running if it is not. Previous versions of macOS would only display a warning.
\n\nThe current implementation introduces a loophole: the quarantine flag is not set for all downloaded files. For example, games downloaded by Steam do not currently have a quarantine flag, so the notarization check is not run for those games. This loophole extends to basically all applications downloaded or updated by custom mechanisms.
\n\nIn a session from WWDC 2019, an Apple employee recommended that all software be notarized (emphasis mine):
\n\n\n\n\nFirst, sign and notarize all the software that you distribute, even if it doesn’t get quarantined today.
\n
We don’t know if the loophole for Steam and other downloads is intentional and will remain forever, but their wording leaves the possibility of an expanded quarantine in the future, and Apple is the type of company that chooses their words carefully.
\n\nWe should hopefully receive more information during WWDC20, but it’s probably a safe bet that we’ll see more changes to notarization in the next version of macOS.
\n"},{"id":"https://mattprice.me/2020/programmatically-modify-spotlight-ignore/","title":"How to Programmatically Add Folders to the Spotlight Ignore List","date_published":"2020-05-25T06:00:00-04:00","date_modified":"2022-12-04T17:47:55+01:00","url":"https://mattprice.me/2020/programmatically-modify-spotlight-ignore/","content_html":"Automating additions to the Spotlight ignore list used to be as simple as using defaults write, but the release of macOS 10.15 Catalina brought some changes that make it slightly more complicated:
\n\nThe VolumeConfiguration.plist file has moved. After upgrading to Catalina, you now have multiple volumes even though Finder shows the volumes combined. The config’s actual location is now: /System/Volumes/Data/.Spotlight-V100/VolumeConfiguration.plist.
\ndefaults no longer seems to work on VolumeConfiguration.plist. Instead, it now complains the domain does not exist.
\n\nPlistBuddy does still work, although it’s less elegant. Thankfully, there are some straightforward examples in the man pages that we can copy:
\n\nsudo /usr/libexec/PlistBuddy -c \"Add :Exclusions: string /path/to/folder/\" /System/Volumes/Data/.Spotlight-V100/VolumeConfiguration.plist\n
Once you’re done editing the ignore list, a restart of your computer should trigger Spotlight to detect the changes.1 You may also be able to trigger it by opening the Spotlight Privacy preferences, or just waiting around for the next index.
\n\nIn practice, I’m using this to automatically ignore dependency folders like node_modules in my dotfiles. Quite often, one package I’m working on depends on another, and it’s annoying for Spotlight and Alfred to display a packaged version instead of my development copy. Automating them away on all my machines makes life just a little bit easier.
In previous versions of macOS, you could manually stop and start the “mds” process to trigger the changes, but that silently fails now that mds is considered a protected process. ↩
\nAt my previous job, we ran one of our frontend services through an HTTPS proxy to ensure our development environment was as close to production as possible (cookie policies, content security warnings, etc). We also used an HSTS policy to direct browsers to only use the HTTPS version of our site. Unfortunately, when Safari picks up on this, it insists on redirecting all localhost requests to HTTPS.
\n\nIdeally, Safari would ignore those directives for special domains such as “localhost” or take the port number into account, but until it does, you can reset the HSTS settings by running these lines in Terminal:
\n\nsudo killall nsurlstoraged\nrm -f ~/Library/Cookies/HSTS.plist\nsudo launchctl start com.apple.nsurlstoraged.plist\n
Note that this shortcut will reset the HSTS settings for all websites. If you’re using a lot of open networks, where people could monitor your traffic, feel free to edit the file manually.
\n"}]}