LittleBITS: Inadvertent Mail Deletion, TidBITS Security Vulnerability, and iOS Update Error 1100
In this week’s installment of LittleBITS, I point to a fascinating discussion in TidBITS Talk that could explain why messages sometimes go missing in Apple’s Mail on the Mac, share an email interaction with a Pakistani security researcher, and pass on a tip from a reader that supports my general distrust of USB hubs.
Beware Control-H in Mail
Over in TidBITS Talk, user Tall Trees has contributed another entry in the “I Didn’t Know That!” category. It turns out that in Apple’s Mail app on the Mac, pressing Control-H deletes a message, which could be surprising or even problematic. Jeffrey Jones suggested that the reason was probably related to the fact that Control-H generates the standard ASCII control character for Backspace, which generally maps to the key labeled Delete on modern keyboards. Although David C. pointed out that such ASCII control characters should work only in apps running in an ASCII-like terminal session, Apple’s developers must have explicitly decided to code that keyboard mapping for Mail as well.
It may have started back in Unix. Most people probably don’t know that Cocoa apps on the Mac have built-in support for keybindings from the Emacs text editor. Apple documents some of these, including Control-H, on its Mac Keyboard Shortcuts page. That means pressing Control-H deletes the character to the left of the insertion point when editing text, just like Backspace. So perhaps a Mail developer wanted to extend the delete shortcut they were accustomed to in Emacs beyond the Mail text-editing environment to managing messages or was a devotee of a Unix mail app that relied on Control-H to delete messages. Whatever the reason, inadvertent presses of Control-H could explain why messages disappear occasionally. Now you know.
Fixing a Security Vulnerability on Our WordPress Site
A few weeks ago, I received an email from a Pakistani security researcher named Mahad Ali, alerting me to a clickjacking vulnerability on our WordPress site that could theoretically have been exploited to capture usernames and passwords from users logging in. I initially thought the message might have been some sort of phishing attempt, but I was able to replicate Mahad’s proof of concept. While my developer wasn’t sure how common such attacks were, he too was able to confirm the vulnerability, and it was trivially easy for him to tweak our site to block such attacks.
The aspect of the exchange that I hadn’t previously experienced was that Mahad said in the original message that he was hoping for a bounty reward for responsibly disclosing the vulnerability. That felt awkward, but there was no implied threat, and when I replied that we had no budget for such bounties, he politely asked if I’d write a LinkedIn endorsement. I’m hesitant to do that based on such a brief contact, especially given the extent to which I and others in the TidBITS world help those in need with no expectation of direct acknowledgment. That said, I can also imagine that being a self-employed tech guy just out of college in Pakistan might lend itself to some alternative ways of trying to get ahead in the tech world.
So in lieu of a LinkedIn endorsement, I’m mentioning Mahad here in TidBITS. I hope that will be even more valuable to him, in that anyone searching for his name will be more likely to run across this account of our interaction.
Avoid USB Hubs with iOS Updates
Here’s another potentially helpful tip from a TidBITS reader. Charles Reeves, Jr. wrote to tell me that he had problems using his Mac to update his iPhone 8 to iOS 15.1 and then to iOS 15.2. Both times, the update stalled, throwing an unknown error 1100. Although Apple has a page listing iOS update and restore errors, 1100 isn’t among them (it may be numbered, but it’s apparently still unknown).
Charles poked around on the Internet and finally found a suggestion that the problem might be related to connecting the iPhone to the Mac via a USB hub, which he was doing. When he switched to a USB port on his external monitor, he was able to update to iOS 15.1. That didn’t work with iOS 15.2, but connecting it directly to his Mac with a different cable resolved the problem.
In fact, one of the categories of errors that Apple discusses suggests trying different USB cables, different USB ports, and a USB port on a different computer, so avoiding a USB hub (which the monitor is) makes a lot of sense. Personally, I’ve never trusted USB hubs with important connections like backup drives, so Charles’s report offers another data point in support of my distrust. Now that I examine my rationale for directly updating all my iPhones and iPads using Settings > General > Software Update instead of my Mac, the desire to remove potentially dodgy cables and USB ports from the equation plays a significant role.
Re: USB hubs and iOS updates
For what it’s worth, I’ve installed all the iOS updates this year on an iPhone Xs by connecting it to my 2020 iMac 27 via an OWC Thunderbolt 4 hub. Sort of a USB hub, but on steroids.
No issues.
Re: Control-H in Mail
Thanks for this tip. I immediately re-mapped “control-H” in Mail to something innocuous (Highlight Conversations) using Keyboard Shortcuts in System Preferences, just to avoid this being a problem in the future.
I got a “beg bounty” email a couple of weeks ago. No details on the supposed vulnerability were given. The guy mentioned a website which looked legit. I made the error of replying. And then he didn’t stop asking for money. The supposedly legit website didn’t reply to an email from me about the guy. So count yourself really lucky!
There’s a wonderful site, https://www.osstatus.com/, which digs into all the header files to find error codes. 1100 could be
kODErrorSessionProxyCommunicationErrorfrom CFOpenDirectory.h. I’m not sure that would have helped solve the problem, but it would point to some issue in accessing files.If I was forced to get a hub, I’d definitely go for a high-end Thunderbolt hub like this, since I suspect the build and component quality are higher than for inexpensive USB-only hubs.
Ugh, sorry to hear it! That was why I was initially suspicious, but Mahad’s email was really clear and provided all the necessary detail, which helped a lot.
Was the Wordpress issue just that it was missing updates? Or custom work? I leave mine set to Auto on version, patches, and plugins.
One note about the OWC Tbolt hub, I have older gen and hope to replace it with CalDigit. The iPhone would have issues (no errors, just slow or have to unplug, move to MacMini directly) unless off the MacMini’s USB. Otherwise, seems the iOS updates are the only culprit.
AppleInsider mentions and recommends the top end CalDigit hub. I’ve heard of both CalDigit and OWC spoken of respectfully over the years. I think I’m ready to echo @ace and switch to to a hub on steroids for next Mac. Have had many many issues on hubs and USB devices like drives! That’s what eventually got me to get rid of a dozen drives and get a DAS with 5 14 TB drives in RAID 5.
@ace Gracefully written and clear description of your interaction across the world and various cultures. I’m glad this was what seems to have been benevolent. I don’t think I would have gotten through as well as you did. Too bad it could be in the newly named “beg bounty” category.
Great idea, @MR. I just did the same. Thank you!
It seems that WordPress doesn’t automatically prevent its sites from being displayed in an IFRAME. See this:
And this page might also add some context. I’ll admit that this isn’t something I know much about; I defer to my developer on the topic.
After using several TB/TB2/TB3 docks with all kinds of ports I recently converted my primary workspace to a CalDigit TB4 “Element” hub. It offers 4x TB4 and 4x USB-A (3.2 gen 2, 10 Gbps) ports.
https://www.amazon.com/gp/product/B08FF7X3BY
So far it has worked great. The only downside I can recognize is that it doesn’t offer a full 100W of upstream power (60-W limit) so charging a 16" under load is going to take longer. Since I have a 14" I don’t care. What is solid about it though is that those 60 W are guaranteed at all time. They don’t get reduced because of power draw on the other TB4 or USB-A ports, as is the case with some cheaper hubs.
What I particularly like about this TB4 hub is the fact that it offers many plain TB4 ports instead of just a few plus dedicated ports (like my previous TB2/3 docks, incl. the CalDigit TS3 Plus). So here you add Gigabit or DP or HDMI not via a dedicated port, but rather by choosing an appropriate cable. Full flexibility, no wasted or unused ports. And if you need more than 4 TB4 ports, well just grab another one of these and daisy chain them. Simple and versatile. Not cheap, but very nice indeed.
Hear, hear - like you, I also use the CalDigit Element TB4 hub with a 14" and they work very well indeed. I like that the hub works with SuperDrive, can supply 7.5W to USB-A and 15W to USB-C ports, while providing full 60W to the 14". Since the 14" has an SD card reader, the lack of reader on the hub is not a concern. The hub also works flawlessly with the LG 5K which is a relief. I bought the hub directly from CalDigit Taiwan which provided great customer service - fast action (placed order at 5pm TW time on a Friday, packed the shipment at 7pm!), fast shipping (not cheap though) while accommodating my request for a UK power plug.