
TidBITS#1391/23-Oct-2017

The recently revealed KRACK vulnerability that affects most Wi-Fi connections has caused a good deal of concern in the Apple world, but as Glenn Fleishman explains, it’s not all that it’s KRACKed up to be. Jeff Carlson joins us this week to look at iOS 11’s new long exposure feature, which makes it easy for any photographer to take what were once labor-intensive shots. Adam Engst reviews Cardhop, a new Mac contact manager from the creators of Fantastical, and Julio Ojeda-Zapata examines the hardware announcements from Google’s latest event in the context of how they compete with Apple products. Notable software releases this week include GraphicConverter 10.5.1, SEE Finance 1.1.11, Merlin Project 4.3, Fantastical 2.4.3, Delicious Library 3.7, EagleFiler 1.8.1, BBEdit 12.0.1, and DEVONthink/DEVONnote 2.9.16.

Adam Engst 7 comments

Take Control Books Having a 50%-Off Sale This Week

Apple has been pushing out new releases lickety-split, and our friends at Take Control have been working hard to keep up, publishing and updating books about iOS 11, High Sierra, iCloud, and more. This week only, you can save 50 percent on all orders.

It’s also the perfect opportunity for you to fill out your library with any of the dozens of Take Control books on Apple apps (like Preview, Pages, and iTunes), the cloud, privacy and security, Mac productivity and automation, and even how to preserve your digital legacy. The sale will be over before pumpkin spice products disappear from the shelves, and you’ll never see lower prices on Take Control books.

Jeff Carlson 4 comments

Using Long Exposure in iOS 11’s Photos App

Take a look at this photo:


I captured this image under bright, mid-afternoon light at Snoqualmie Falls, a popular tourist spot outside Seattle. The silky-smooth waterfall catches the eye because it’s different: we know waterfalls are more textured and violent than this. And it’s a pretty effect.

The usual way to get this shot is to mount your camera on a tripod and set a slow shutter speed (perhaps half a second or longer) so the image sensor records the light reflecting from the water over a period of time, not just a fraction of a second’s worth. The tripod is necessary because you don’t want the camera to move during that time, which would introduce blur. The other challenge with long-exposure photography like this is that the sensor records all the light in the scene, not just the waterfall, so you can end up with an overexposed image, particularly in the middle of the day.

There are ways to compensate. You can set the aperture to a high value (f/16 or f/22) to restrict the amount of light coming through the lens. The preview on your camera will be dark, but the buildup of light during the exposure makes the final image more balanced. However, very high apertures can cause distortion or softness on some lenses.

Another way to compensate would be to add a neutral density filter in front of the lens, which also restricts the amount of light hitting the sensor and makes longer exposure times possible. But you may not have a filter that’s dark enough — again, especially in bright daylight conditions. Here’s a photo I took using my Fujifilm X-T1 camera at 1/4 second using an aperture of f/8.0 and with a 0.9 neutral density filter (which lets in about 12 percent of light):


If I really wanted to get the shot using the X-T1, I could have doubled up two or three filters (I also have 0.6 and 1.2 filters in my standard kit), but that introduces severe vignetting and some softness.

So how did I get that first image?

I pulled my iPhone 8 Plus out of my pocket and took one exposure, handheld, with the Live Photos feature turned on. And then I applied Apple’s new Long Exposure effect in the Photos app. That’s it.

Here’s the original image I captured, before I applied Long Exposure:


What’s Going On? — When you’re using the Camera app on an iPhone or iPad, it continuously analyzes the scene and even records it, but does not save the footage. As soon as you tap the shutter button, the app evaluates the scene in milliseconds and delivers what it thinks is the best exposure for that moment. With Live Photos enabled, it also saves a video file containing 3 seconds of frames around that still image. Pressing and holding the image when viewing it in the Photos app plays back that video, giving you that Harry Potter-esque moving picture.

In iOS 11, Apple added three new effects that take advantage of the Live Photos video footage. Loop replays the video endlessly from beginning to end. Bounce plays the video start-to-finish and then reverses it to play finish-to-start, and back again as a loop.

The third effect is Long Exposure, which blends all the frames from the video into one image. It’s the same principle as making a “real” long exposure by leaving the camera’s shutter open for a relatively long period of time, but instead of just absorbing more light, it’s combining the light in each of the frames. This happens algorithmically, which enables the app to keep the tones and detail in the sky and surrounding areas balanced.

The Long Exposure effect is dirt-simple to use. When viewing a Live Photo in the Photos app, swipe up to reveal more options, and choose Long Exposure under Effects.


Here it is in action:

You can also apply the effect in Photos in macOS 10.13 High Sierra. Select the Live Photo, click Edit, and choose Long Exposure from the Effects pop-up menu (below the lower-right corner of the image).


Good as it is, the Long Exposure feature isn’t perfect. If you zoom in and look closely, you’ll notice that it loses a lot of detail in the rocks and sky compared to the original. It’s fine on a small screen but doesn’t stand up to scrutiny on larger displays. Applying Long Exposure also crops the image to account for camera movement; if you’re intentionally capturing photos that will use any of the Live Photo effects, be sure to allow extra room around your subject.

Even so, I managed to capture a darn good long-exposure waterfall photo just by raising an iPhone and snapping a shot. As someone who has captured silky-looking waterfalls before, I know how much work is required to get them. And now everyone with an iPhone 6s or later running iOS 11 can get something very close to that with hardly any effort at all.

Glenn Fleishman 19 comments

Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be

Don’t panic about the new Wi-Fi security problem that you’ve likely seen trumpeted on news sites. Yes, the KRACK exploits reveal a fundamental flaw in the process by which a Wi-Fi device — like a Mac, iPhone, Windows computer, point-of-sale terminal, or smart fridge — connects securely to a Wi-Fi access point. You shouldn’t underestimate how significant that is (it’s huge), but also don’t overestimate how likely it is to affect you (very unlikely).

The KRACK exploits involve how Wi-Fi Protected Access version 2, known as WPA2, lets a client device negotiate encryption keys and cryptographic elements with a base station, while keeping those elements secret from any parties trying to intercept communications, masquerade as the client, or decipher data later.

Every operating system and every device that can initiate a Wi-Fi network connection and that supports WPA2 encryption is vulnerable to at least one of the lines of attack revealed, and the researcher who discovered them has already found more attacks that he hasn’t yet released. Wi-Fi access points aren’t directly affected.

However, just because every device in the world could have its traffic sniffed doesn’t mean that every device will. Remember that Wi-Fi is local area networking: attackers must be within range of their targets.

The KRACK vulnerabilities can be easily patched in hardware that can be updated. Apple told me that all four of its operating systems already have patches in place in the current beta releases, which will roll out in the near future for macOS, iOS, watchOS, and tvOS. Other operating systems and older Apple hardware will not be so lucky. Fortunately, many experts see ways for base stations to be updated too, but with the same proviso: many base stations lack an automatic update process, meaning they’ll remain unable to prevent unpatched clients from becoming targets.

A Quick Look at KRACK — On 16 October 2017, security researcher Mathy Vanhoef presented proofs-of-concept of several different kinds of attacks in a paper he wrote months ago and only now released in advance of an upcoming presentation. He dubbed the series of attacks “KRACKs” (Key Reinstallation AttaCKs), as all major vulnerabilities now need clever names. He disclosed the vulnerabilities carefully, and US-CERT ultimately took over disseminating the information so many companies would have patches ready or nearly so by the disclosure date. (Details were accidentally disclosed earlier than intended, as Ars Technica explained.)

The various WPA2 negotiations rely on what’s called a “four-way handshake” and take into account a client failing to receive the key (or failing to acknowledge receipt) during the stage in which the key is delivered. This might be due to interference or an operating system glitch or another anomaly — remember that WPA2 was developed in 2004, when everything, especially wireless devices, was slower and less reliable.

As a result, the Wi-Fi access point can retransmit the key when it believes the client hasn’t received it, and the client device then installs it and resets a counter that’s used to create a stream of encrypted information that only it and certain other parties like the access point can decipher.

That’s where the flaw lies: an attacker can record and replay the transmission of the key, and the client dutifully resets the counter. With that information in hand, a malicious party knowing the contents of certain data packets or guessing they contain plain text (even in an email or Web page) can then decrypt other packets without obtaining the encryption key. An attacker can’t join the Wi-Fi network, but can still extract information from it!
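As an added illustration (not from the article or from Vanhoef’s paper), this Python sketch models the counter reset described above: a client that reinstalls a retransmitted key and restarts its packet counter reuses keystream, while a client that ignores a key it already holds does not. The SHA-256 keystream is a stand-in for WPA2’s real cipher, and the class, function names, key, and sample packets are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Toy keystream derived from (key, counter); stands in for WPA2's cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """Simplified model of a Wi-Fi client's key installation (hypothetical)."""
    patched: bool
    key: Optional[bytes] = None
    counter: int = 0  # per-packet counter that must never repeat under one key

    def on_key_delivery(self, key: bytes) -> None:
        """Handle the handshake message that delivers the session key."""
        if self.patched and key == self.key:
            # Fixed behaviour: the key is already in use, so a retransmission
            # must not restart the counter.
            return
        # Vulnerable behaviour: every delivery (re)installs the key and
        # resets the counter to its starting value.
        self.key = key
        self.counter = 0

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one packet under the next counter value."""
        self.counter += 1
        stream = keystream(self.key, self.counter, len(plaintext))
        return self.counter, xor(plaintext, stream)


def simulate(patched: bool) -> Tuple[bool, bool]:
    """Return (counter_reused, second_packet_readable_without_key)."""
    key = bytes(range(16))                     # constructed session key
    client = Client(patched=patched)
    client.on_key_delivery(key)                # normal handshake

    known = b"GET /index.html HTTP/1.1\r\n"    # constructed, guessable content
    c1_counter, c1 = client.send(known)

    client.on_key_delivery(key)                # the same key arrives again

    secret = b"password=hunter2&user=tim"      # constructed sensitive content
    c2_counter, c2 = client.send(secret)

    # An observer who never learns the key: known plaintext XOR ciphertext
    # yields the keystream for packet 1. If the counter repeated, that same
    # keystream also covers packet 2.
    recovered = xor(c2, xor(c1, known))
    return c1_counter == c2_counter, recovered == secret


if __name__ == "__main__":
    for patched in (False, True):
        reused, readable = simulate(patched)
        label = "patched" if patched else "unpatched"
        print(f"{label}: counter reused={reused}, packet 2 readable={readable}")
```
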

Not every operating system suffers from this problem for every kind of negotiation. Windows and iOS, for instance, weren’t vulnerable to several types of attack, but were to others. As long as one sort of handshake can have a KRACK used against it, data in transit is vulnerable. Forged data could also be inserted into a network, which could allow ransomware and other malware to be delivered to vulnerable devices.

More terrifying than the flaw itself is the fact that it has existed since WPA2 appeared in 2004, and that it was found by a single person — a graduate student, not a team of veteran security researchers at an anti-intrusion software company — following a slender thread of an idea of something to test after writing a paper on a related topic. (Vanhoef credits his research supervisor on the paper for his guidance.)

So far, there’s no evidence of KRACKs being used in the wild. However, the ease with which Vanhoef found it means that it’s likely that government intelligence agencies have already found and have exploited the flaw in targeted surveillance, because it’s exactly the kind of thing that they would be looking for.

Although all this sounds bad, Vanhoef’s disclosure of the KRACKs is actually good news: a researcher dedicated to a responsible disclosure ensured that companies had time to patch before cracking tools were updated. Plus, if bad actors have been exploiting these vulnerabilities, their windows of opportunity will be closing, as I explain next.

Everything That Can Be Patched Will Be — Apple already has patches in its update stream to fix the various KRACKs in all its operating systems (see “Apple Has Already Patched the WPA2 KRACK Weakness in OS Betas,” 16 October 2017). (Apple said nothing about AirPort base stations, but we can always hope.) On 10 October 2017, Microsoft shipped updates to Windows 7 and later and Server 2012 and later. Google has more vaguely promised Android updates in the coming weeks, according to the Verge, but individual Android hardware vendors will have their own schedules. Other operating system and hardware makers have updates shipping now or will release them soon. The Wi-Fi Alliance, which certifies gear that bears the Wi-Fi label, will also update its testing. These responses will rapidly close the largest and most lucrative vectors of attack, those against people with recent hardware, especially mobile devices.

The biggest problem, as with many security attacks, comes from three related areas: Google’s Android OS, Linux, and Internet of Things (IoT) devices, which are often powered by a form of Linux. In this case, it’s also because there’s a serious flaw in a commonly used software module that handles the WPA2 negotiation. That flaw is bad: the encryption key in hardware running this module resets to all zeroes when an attacker attempts to replay the captured encryption key — that’s right: all zeroes! Because the attacker now knows that key, they can immediately decrypt all data sent by the client. With other operating systems, an intruder has to work harder and capture a lot of data and run more KRACK attacks before deciphering some of the communication. This glaring bug isn’t old — it was introduced in a relatively recent update that’s incorporated into Android 6.0 and other newer hardware, and affects about 50 percent of all Android devices in use.

Android has long suffered from an update abandonment problem, with Google and its partners quickly dropping support for older releases. A lot of older Android hardware can’t be upgraded to even the next major release of the system — or to any incremental improvement. This abandonment problem affects hundreds of millions of older Android devices that can never receive security updates. Review MasterKey, Stagefright, and Broadpwn for three examples. (Apple typically supports Macs for at least 7 years and sometimes releases very late-in-cycle security updates for even older Macs. With iOS, it’s closer to 5 years.)

Even worse are Internet of Things devices that use embedded operating systems with which you never interact directly, many of which can’t be updated at all. Even when products can be updated, dodgy manufacturers and cut-rate prices often result in the abandonment of support for a particular model months after it appears. Updates are often difficult to install and manufacturers don’t notify customers (or have any way to do so), making it unlikely that an average user will learn of a security fix or, discovering it, be able to install it. KRACK will become another tool in an attacker’s kit for recruiting devices like DVRs and nursery webcams into botnet armies.

Conversations with a few security experts made it clear that while the Wi-Fi access point side of the equation isn’t at fault for these negotiation flaws, even consumer-focused access points could be updated to block, resist, or report KRACKs. (There’s one exception: corporate-scale access points that support “fast handoff” act a little bit like a client in that mode, and routers with that feature have to be patched, too.)

At the enterprise level, vendors are already on top of the problem. In addition, corporate-scale intrusion-detection systems have long monitored for the unauthorized or fake access points that KRACKs require. Cisco, for instance, has provided a short primer to customers to make sure they have enabled the right options to detect KRACK-style intruders.

Public Wi-Fi networks are unlikely to be affected by the KRACK attacks. Most rely on a portal page to control access to an unsecured network, rather than WPA2. If they do employ WPA2 for access, it’s typically to restrict usage to customers, as it doesn’t provide real security from other users on the same network. In either case, you should always treat public hotspots as untrustworthy.

What You Can Do — You can and should take steps to protect yourself against KRACKs. Here’s how:

  • Install KRACK-related updates as soon as they are available for any Wi-Fi-enabled device you have.

  • Check your Wi-Fi base stations’ configuration settings and make sure you aren’t using the mixed WPA/WPA2 Personal mode in an Apple base station or TKIP encryption or TKIP/AES on other makers’ hardware. You’ll typically find these settings under Wireless or Wireless Security. These modes are more easily broken in general and offer more risk with KRACKs, too. Instead, make sure to use only WPA2 Personal (or WPA2 Enterprise where available) and AES-CCMP, sometimes listed just as AES. (You can’t set WPA2 security on a phone or computer, only at the router.)


  • Check your email client and make sure that you’re using an encrypted connection to your mail host and that any advanced option to allow backing down to an unencrypted connection is disabled.

  • For macOS Web browsers other than Safari, install HTTPS Everywhere from EFF. (Apple doesn’t allow https redirection at the right stage to prevent an insecure connection at the start of a Web session.)

  • Use a VPN when working on any untrusted network, which could include your home network if updates haven’t been released for all your hardware devices. While a VPN doesn’t prevent KRACKs, it does ensure that the data encrypted by the VPN client and server is protected from someone intercepting traffic.

KRACKs won’t disappear. Because hundreds of millions of unpatched devices will remain on the Internet, these attacks will surely be added to research-oriented hacking software and black-hat cracking tools, and will be used by governments and criminal organizations to target individuals who use an old Android phone or an outdated webcam.

But the odds are against KRACKs having a significant impact on overall Internet security.

Adam Engst 12 comments

Cardhop Puts Contacts Front and Center

I hated Apple’s Contacts app even when it was called Address Book. It’s just a bad app, with terrible use of space and a clumsy, modal user experience. BusyMac did a good job at creating a better monolithic contacts app with BusyContacts back several years ago (see “BusyContacts Turbo Charges Mac Contact Management,” 17 March 2015), but Flexibits, makers of Fantastical, have now introduced a completely different take on contact management: Cardhop.

Part of the problem with contact management is that it’s basically database work. Create a record, edit fields, perform searches, etc. It’s all stuff that any database can do, but until Cardhop, interacting with a contact manager wasn’t much different than using FileMaker. Cardhop relies on exactly the same system-level contact database that Contacts and BusyContacts use, but how you add, edit, and use contacts is rather different.

First off, Cardhop is an attractive menu-bar app with light and dark modes. By default, it appears as a popover when you invoke it and disappears when you switch away from it. However, you can drag its popover off the menu bar to turn it into a standalone window that remains visible when you move to another app.

Initially, Cardhop shows you the people whose birthdays are coming up shortly (I turned this off by deselecting View > Show Birthdays), followed by people whose contact info you’ve worked with recently in Cardhop. You can click All Contacts at the bottom to see everyone, but realistically, you won’t want to do that most of the time. Similarly, you can expand the window to see contact groups, and click one to restrict the search results to people in that group. Again, I doubt you’ll want to do this much.

That’s because Flexibits built Cardhop around its natural language parser, so even though you can click buttons and choose menu items to run Cardhop, it’s designed so that you can type at it. That might sound like a throwback to command-line tools, but actual usage is far more fluid and intuitive than the command line.

Adding, Searching, and Editing — For instance, imagine you want to add a contact for your new friend Tim Cook. Press the hotkey you’ve defined to bring up Cardhop and then start typing. Enter “Tim Cook Apple [email protected] @tim_cook 408-555-1212” and Cardhop immediately starts creating a new card and filling it out with the name, company name, email address, Twitter handle, and phone number. You can even copy and paste all that information into Cardhop, and it will work similarly. Press Return or click Add Contact and you’re done.

Want to add an address? First you have to find Tim Cook’s contact card. Invoke Cardhop, and start typing a portion of his name (first or last, it doesn’t matter). That’s all there is to a search, which is why I don’t think you’ll want to browse through all contacts or restrict searches to groups in most cases. It’s just too easy to find the person you want with a few keystrokes. If you have multiple people named Tim in your contacts, you might need to type “tim co” to get the right contact, or you could just type “cook.”

Once Cardhop has selected the right contact, you can add Tim Cook’s address just by typing it. Then enter “work 1 Infinite Loop Cupertino CA 95014” and Cardhop adds it as soon as you press Return. Notice that I put “work” at the start to indicate this is a work address; “home” and “other” are also possibilities, or you can just leave that word out to default to a home address.

Need to delete some data, like an old phone number? Invoke Cardhop and type “cook delete phone.” Cardhop even colorizes the word “delete” so you know it’s a command and not data.

It doesn’t seem that you can change details via Cardhop’s parser, but as soon as you select a contact and see their information, you can click any field to edit it right away — there’s no need to switch to a special editing mode, as in Contacts. You can also change field names like this, if you want to specify that a phone number is an iPhone, not a work phone.

Other actions require more traditional forms of interface too. If you want to add a field, click the Add Field button at the bottom of the screen. Want to add a note about the contact? Click in the omnipresent note field at the bottom of the card and type your note. Unlike Contacts, that notes field will always be visible, making it easier to use.

Interacting with Contacts — Contact management isn’t just about maintaining a database; it’s about using contact information. Here too Cardhop relies on its parser, which understands a number of commands, and doesn’t care whether you enter the command before or after selecting a contact.

So, if you wanted to send email to Tim Cook, you could just type “email tim cook” and press Return to have Cardhop create the message in your default email client. In all likelihood, Cardhop would have found the right contact after just one or two characters of the name since you’ve been using it recently, so it knows to guess at Tim Cook before any other guys named Tim. Plus, you can add a Subject line by including it after the name, as in “email tim cook Feedback about iTunes.”

Cardhop understands quite a few commands for everyday interactions with contacts:

  • “call Tim” calls the contact via your iPhone through Continuity or Wi-Fi Calling, or sends the call to a phone paired with the Mac via Bluetooth. You can choose the default behavior in Cardhop’s preferences, or switch per call by pressing Option-Return. Synonyms are “dial” and “phone.”
  • “copy Tim” copies contact information. It shows you which piece of information it will copy by default (which varies by contact), but you can specify specific properties too, as in “copy Tim work email.”
  • “email Tim” creates an email message as mentioned above. The word “mail” works too.
  • “facetime Tim” starts a FaceTime call with the contact. You can abbreviate it to “ft” or specify a FaceTime Audio call with “facetimeaudio,” “audio,” “facetime audio,” or just “fta.”
  • “message Tim” starts a conversation in Messages with that contact. There are lots of synonyms, including: “imessage,” “text,” “txt,” “im,” and “ping.” Alas, you can’t enter a message to send as well.
  • “skype Tim” initiates a Skype call with the contact.
  • “search Tim” is supposed to start a Spotlight search for the contact, but neither it nor its synonyms of “spotlight” or “find” are working right now.
  • “tweet Tim” sends a tweet to the contact. You could also say “twitter Tim.”
  • “web Tim” opens the URL associated with a contact — also try “website,” “webpage,” or “url.”
  • “map Tim” displays a map to the contact’s address. You can also enter “maps,” “directions,” and “route.”
  • “show Tim” displays phone number and address information in large type so you can read it easily. You’ll likely want to specify the information, as in “show Tim address” or “show Tim mobile.” Command variants include “large,” “banner,” and “big.”

Interestingly, many of these commands can be used with freeform information that isn’t associated with a contact as well. So you could type “call 408-555-1212” or “email [email protected]” and Cardhop would happily send those commands off to the appropriate apps.

Since typing even short commands may be overly cumbersome for certain tasks, Cardhop offers four Quick Actions that appear as buttons when you hover over a contact in the list and in each contact. Plus, you can invoke them with Command-1 through Command-4. By default, Cardhop sets the Quick Actions to Message, Email, Call, and Video, but you can change them globally in Cardhop’s preferences or even for individual contacts (Control-click one of the Quick Action buttons to change it).

Getting Used to Cardhop — Cardhop is a fine app, and a compelling rethinking of how you can interact with contact information, but it still faces an uphill battle for acceptance. The problem is that we’ve all built up habits that will be hard to break. For instance, if I’m going to send someone email, I’ll switch to Mailplane, start a new message, and enter their name. If I want to call someone, I’ll pull out my iPhone, tap the Phone app, tap Favorites or Contacts, and tap the appropriate item in the list. I’m not saying that these techniques are efficient, but they’re what I’ve done for years.

I’ve had only a few days with Cardhop so far, and although I’ve been forcing myself to use it as much as I can, it hasn’t yet become second nature. I think that’s in part because most of my communications are either reactive (someone sends me email and I reply) or ongoing (I start by pulling up an existing Messages or Slack conversation). Nonetheless, I’m sufficiently intrigued by the parser-based approach that Flexibits has taken that I’m willing to keep trying.

At the moment, Cardhop is purely a Mac app, although I wouldn’t be surprised to see Flexibits adapt it to iOS if it succeeds on the Mac. If nothing else, if you accustom yourself to contact-first thinking on the Mac, it might feel awkward to switch back to app-first thinking on the iPhone.

Should you check out Cardhop? If you dislike Contacts and haven’t already found a better solution, yes. Or, if you inherently think in a contact-first way, rather than an app-first approach, Cardhop could be the dashboard around which you initiate your communications. Regardless, Flexibits provides a 21-day free trial version of Cardhop, so you can give it a real-world try.

Cardhop requires OS X 10.11 El Capitan or later, and is available both from Flexibits and the Mac App Store for $14.99 as a special launch price; the regular price will be $19.99.

Julio Ojeda-Zapata 5 comments

New Google Gear Once Again Takes Aim At Apple Products

For roughly a year now, Google has been unleashing a flurry of hardware products – and related software and services – that compete directly with Apple products.

Two recent press events followed this unmistakable pattern (see “Google Aims to Attract Apple Users with Google I/O Announcements,” 22 May 2017, and “Google Event Unveils Smartphones, Wi-Fi, VR, and Streaming Devices,” 11 October 2016).

On 4 October 2017, Google did it again. Its third major press event within one calendar year boasted the company’s most extensive line of new hardware to date – often with features that will seem familiar to Apple users.

These products include:


  • A home speaker with a voice-controlled intelligent assistant
  • A super-thin laptop with USB-C and phone tethering
  • A fresh line of smartphones bereft of headphone jacks
  • A phone camera that can take portrait-style photos with blurred backgrounds along with still photos that are also mini-videos
  • Wireless earbuds with voice control that come with a charging case

Google is also clearly thinking about other competitors, such as Amazon’s Alexa-powered Echo devices and Microsoft’s Surface machines that blend notebook and tablet attributes.

These announcements were Google’s most aggressive indications so far that it intends to be a contender in consumer hardware, ranging from mobile computers and home-security devices to home entertainment and the brave new world of augmented (and virtual) reality. Google also touted the growing intelligence of its gadgets, powered by the Siri-like Google Assistant that is finding its way into more and more of the company’s products.

Pixel 2 Smartphones — Hard on the heels of Apple’s recent iPhone 8 and X reveals (see “Apple Introduces iPhone 8, iPhone 8 Plus, and iPhone X,” 12 September 2017), Google trotted out second-generation Pixel smartphones.

Aesthetically, the 5-inch Pixel 2 and 6-inch Pixel 2 XL look much like their precursors — that is, they more resemble the iPhone 8 than the iPhone X.


The lure here is less about looks and more about features that make the new Pixels worthy iPhone competitors. Notable Pixel 2 features include:

  • OLED displays, which the iPhone X offers but the iPhone 8 and iPhone 8 Plus do not.

  • Active Edge, a way to get at Google Assistant by squeezing the left and right edges of the phones. This supposedly works even when the Pixel devices are in cases.

  • A Shazam-like Now Playing feature that can identify songs playing around the user via a music database already installed on the device.

  • Ambient Services, a software feature that adjusts the handset settings based on changes in the environment. Notably, this includes the Google equivalent of iOS 11’s new Do Not Disturb While Driving capability.

The Pixel 2’s rear-facing camera (it’s the same for both models) is perhaps the most significant upgrade, one that has earned it a near-perfect 98 score from independent camera site DxOMark (the iPhone 8 Plus scored 94 immediately prior to that).

Notable camera features include:

  • The Google equivalent of Apple’s Portrait Mode, with the difference being that it’s achieved with one camera, instead of a dual-camera setup like those on larger iPhones (see “Behind the iPhone 7 Plus’s Portrait Mode,” 24 September 2016). As a result, users of either Pixel 2 phone can play with bokeh — unlike users of the smaller, single-camera iPhones. The front-facing camera does portrait mode, as well, which no iPhone can do. But Google doesn’t have anything like Portrait Lighting that the iPhone 8 Plus and iPhone X offer.
  • The equivalent of Live Photos, which Google calls “motion photos.” The execution is similar: when taking a picture, the Pixel 2 will also “capture a few seconds of video around the shot so you can relive the moment around the picture.”

  • Google Lens, a camera feature that can identify landmarks, book covers, film posters, works of art and more, responding with relevant and useful information about what it identifies. It can also identify URLs, the contact info on business cards, and so on. That’s more impressive than the QR code scanning Apple finally brought to iOS 11. Apple users shouldn’t expect to see Google Lens as part of the Google Assistant app for iPhone; it’s exclusive to Pixel 2 phones for now.

  • Augmented Reality Stickers, which will be familiar to iPhone users who have played with apps incorporating Apple’s new ARKit (see “ARKit: Augmented Reality for More Than Gaming,” 28 July 2017). Emojis and other virtual characters can be plopped into Pixel photos and videos, thereby seeming to become part of the physical world, and these creatures can interact. Google said the stickers are coming soon.

The Pixel 2 phones also have some notable omissions. Google hasn’t added facial recognition for user authentication, instead sticking with its rear-mounted fingerprint sensor. Nor do the Pixels have wireless charging, as do the latest iPhones (and many Android phones).

In the final omission, Google has emulated Apple in dropping the standard 3.5mm headphone jack. Users have to buy a $9 adapter for the phone’s USB-C port (Google is not providing wired earphones, as Apple does), or go wireless.

Google Pixel Buds — That missing headphone jack leads us to another of the company’s product announcements: a set of wireless earbuds called the Google Pixel Buds.


As with Apple’s AirPods (see “Apple’s Wireless AirPods Were Worth the Wait,” 20 December 2016), the Pixel Buds are intended to soften the blow of losing the headphone jack, while amping up the cool factor and providing some advanced features.

In physical design, the Pixel Buds more closely resemble the Beats X wireless earbuds made by Apple-owned Beats. In both cases, the earpieces have a connecting audio cord that drapes behind the head. Portions of the cord loop at either end to fit in either ear, along with the earpieces, to ensure that the accessory won’t easily be dislodged. Audio controls are built into a touchpad on the right earpiece — forward and backward swipes control the volume, and tapping plays and pauses.

Also like AirPods, the Pixel Buds come with a battery-equipped case for recharging the earbuds when they are not in use. The case provides up to 24 hours of listening time. It even emulates the AirPod case by offering to pair with a Pixel (or other Android phone) when its lid flips open.


The AirPods and Beats X buds provide access to Siri — a relevant point since the Pixel Buds have comparable Google Assistant support. Here is where things get really interesting. Google Assistant support in the Pixel Buds includes on-the-fly translations — somewhat along the lines of a Star Trek universal translator, or the Babel fish in “The Hitchhiker’s Guide to the Galaxy.” When turned on, it enables conversation with a person who speaks another language — the earbud user hears translations via the earpieces, and the other person hears his or her translations via the Pixel’s speakers, with Google Assistant as an active intermediary.

Google Pixelbook — Google has produced several notebook computers intended to compete with those from Apple and Microsoft — but with its own spin on such products.

A few years ago, it released the Chromebook Pixel, a fancy notebook (or “Chromebook”) that ran its browser-like Chrome OS, but was pricey ($999 and up). This laptop has been discontinued. More recently, Google put out the Pixel C, an Android tablet with a detachable keyboard and a more palatable price tag (around $600, not including the keyboard). It resulted in an imperfect experience because the phone-centric Android operating system doesn’t adapt as well to a bigger screen as Apple’s iOS does.

Now Google is taking another tack with its 12.3-inch Google Pixelbook, a “convertible” computer running Chrome OS that can be used in different configurations — laptop, tablet, freestanding video terminal — thanks to a display that can rotate 360 degrees to place the machine in a variety of positions.


In this sense, it’s like many Windows-based convertible computers — and somewhat like Microsoft’s Surface machines, which are tablets with add-on keyboards for laptop-like use.

It’s different from Apple’s MacBook line, which takes a traditional notebook approach, but more similar to the iPad Pro, a tablet that can be used like a notebook with a Smart Keyboard cover. Google even offers the Pixelbook Pen, a stylus to rival the iPad Pro’s Apple Pencil stylus (and Microsoft’s Surface Pen), for use with the Pixelbook’s touch-sensitive display.

The Pixelbook’s specs are robust: Intel Core i5 and i7 processors, up to 512 GB of on-board storage, 10 hours of battery life, and more. Like the latest MacBooks, the Pixelbook uses USB-C for charging and peripheral connectivity.

It’s the first such machine with the Google Assistant built in. It also offers easy tethering with Pixel phones for cellular access to the Internet, much like macOS makes it straightforward to use an iPhone or a cellular-equipped iPad as an online hotspot.

At $999 and up, however, the Pixelbook revives a thorny question: how many people will pay a laptop-like price for a Chrome OS machine that is basically just a window onto the Web? Most so-called Chromebooks are much less expensive, which is one reason why they’re so popular in schools, but the Pixelbook occupies an entirely different price point.

Meet Max and Mini — When Amazon’s Echo speaker with its built-in Alexa assistant took the tech world by storm a few years ago, Google responded with the Google Home speaker with Google Assistant built-in.

With Amazon just announcing a bunch of new Echo devices (see “Amazon Unveils New Fire TV and Echo Smart Speakers,” 28 September 2017), and Apple unveiling its HomePod in a few months (see “Apple Will Enter Smart Speaker Market in December with HomePod,” 5 June 2017), Google is expanding its Home line.

Of particular interest to the Apple universe is the Google Home Max, a compact but powerful home speaker that, like the original Home, incorporates Google Assistant. The $399 Home Max is clearly gunning for the HomePod. Both have robust specifications along with the intelligence to tailor their audio to their physical surroundings.


The Home Max’s design is a bit more versatile, being a rectangle that can be positioned on a flat surface vertically or horizontally, unlike the cylindrical HomePod that has just one upright position.

The Home Max could have an advantage over the HomePod in its support of multiple music services like iHeartRadio, Pandora, Spotify, and TuneIn, along with its own Google Play Music and YouTube Music. The HomePod reportedly will support only Apple Music to start.

With a much smaller gizmo called the Home Mini, Google is aiming at Amazon’s Echo Dot, the miniature variation of the Echo. The Home Mini’s rounded, pebble-like, fabric-covered design is a bit more appealing than the utilitarian-looking Echo Dot. The Google device is said to sound a bit better, too.


Other Google News — Google threw in a few other announcements at its press event, including:

  • Google Clips, a compact, standalone photo- and video-capture camera that is said to have enough intelligence to activate itself at the right moments — when particular family members come into view, for instance — and get better at this over time. Google will provide a companion iOS app along with an Android app for wireless syncing with either kind of device.


  • An upgraded version of its Daydream goggles, which are intended to be paired with a Google phone for augmented-reality and virtual-reality use. Daydream goggles work with software known as ARCore, Google’s equivalent of ARKit, and are a good way to experience the aforementioned Augmented Reality Stickers.


  • Google Assistant, the company’s Siri counterpart, which merits another mention since it was woven into nearly every part of the Google press event. Google is aggressively pushing Google Assistant as a secret sauce of a sort, a way for the company to stand out from its rivals given how dramatically its expertise in machine learning and artificial intelligence has evolved in recent years. This argument might resonate with Apple users who have trouble getting Siri to cooperate.

Google vs. Apple — At first, Google was just an Internet search company. Later, it expanded into other Internet services like Gmail and Google Maps, and still later, it got serious about software, including the Chrome Web browser and Android operating system.

But now Google is very much also a hardware company. From smartphones and wireless earbuds to notebook-tablet crossovers and smart speakers, the latest Google products clearly aim to be Apple alternatives.

As good as they are, these products probably won’t lure many people out of Apple’s extended ecosystem, but they may prevent more people from switching from Android to iOS.

TidBITS Staff

TidBITS Watchlist: Notable Software Updates for 23 October 2017

GraphicConverter 10.5.1 — Lemkesoft has released GraphicConverter 10.5.1, adding a new Show Depth Data contextual menu command (if data is available in HEIC files), both a depth blur filter and a depth black & white filter, and an inverse fisheye effect. The graphic conversion and editing utility will also now check preferences upon launch and offer a rebuild/restore option if they are invalid. ($39.95 new from Lemkesoft or the Mac App Store, free update, 177 MB, release notes, 10.9+)


SEE Finance 1.1.11 — Scimonoce Software has issued SEE Finance 1.1.11, a maintenance update for the personal finance app with feature adjustments and fixes. The release corrects an issue with OFX Direct Connect downloads to accommodate missing trailing slashes in institution URLs, stops exporting the Split category to QIF files, fixes a bug with macOS 10.13 High Sierra that prevented dates from being generated for some regions, resolves an issue introduced in version 1.1.10 where drop-down windows wouldn’t be dismissed on 10.8 Mountain Lion or earlier, and addresses a bug with sorting categories and report items by name when they include numbers. ($49.99 new from Scimonoce Software and the Mac App Store, free update, 34 MB, release notes, 10.6+)


Merlin Project 4.3 — ProjectWizards has released version 4.3 of Merlin Project, bringing full support for macOS 10.13 High Sierra to the project management software. The update also adds Japanese and Simplified Chinese localizations, resolves an issue where user-defined number or duration fields were not cumulated, corrects a problem that prevented a document with sub-projects that was reverted back to a previous state from working properly, and resolves a bug with some mappings of columns in CSV documents to Merlin Project fields.

The full professional edition of Merlin Project costs $289 (upgrades from version 3 are free and $159 from version 2). If that’s overkill for an occasional project, check out Merlin Project Express, which is optimized for home and semi-professional users and received the same changes as the full edition. It’s available on a subscription basis through the Mac App Store and the Setapp subscription service — both of which provide a free one-month trial. ($289 new, free update, 25.3 MB, release notes, 10.10.5+)


Fantastical 2.4.3 — Flexibits has released Fantastical 2.4.3 to add support for the company’s new Cardhop contacts app (see “Cardhop Puts Contacts Front and Center,” 18 October 2017). With Cardhop installed, viewing a person’s contact details from an invitation, birthday, or anniversary in Fantastical’s calendar now shows the contact in Cardhop. Fantastical also adds an option to skip empty days for Day and List views when printing multiple days and fixes a potential crash when using AppleScript to add items. ($49.99 new from Flexibits and the Mac App Store, free update, 14.4 MB, release notes, 10.11+)


Delicious Library 3.7 — Delicious Monster has released Delicious Library 3.7, a required update for the media cataloging app that restores searching, item lookups, and recommendations from Amazon stores around the world, with one caveat: Amazon Japan terminated its partner agreement with Delicious Monster, so Delicious Library can no longer load item information from that particular store. Because all access keys were required to change, you must update to version 3.7 as all previous versions of Delicious Library can no longer access Amazon’s product database. ($39 new from Delicious Monster and the Mac App Store, free update, 88.3 MB, release notes, 10.10+)


EagleFiler 1.8.1 — C-Command Software has released EagleFiler 1.8.1, which adds support for HEIC images and fixes bugs. The document organization and archiving app now displays Sketch files using Sketch’s Quick Look plug-in instead of just showing the file icon, adds the capability to paste Return-delimited tag names into the Tags fields, works around a bug in macOS 10.13 High Sierra that caused crashes in Core Animation, resolves an issue that prevented large PDF files from displaying properly in High Sierra, and sorts out an internal error when opening a library window. ($40 new with a 20 percent discount for TidBITS members from C-Command Software or from the Mac App Store, free update, 19.7 MB, release notes, 10.6.8+)


BBEdit 12.0.1 — Bare Bones Software has issued BBEdit 12.0.1, the first maintenance update to the company’s recently released version 12 (see “Modernized BBEdit 12 Manipulates Columnar Data and More,” 14 October 2017). The long-standing text editor addresses the “probable cause” of a crash that occurred in macOS 10.13 High Sierra, improves stability when determining whether a given file location is within a Git or Subversion working copy, fixes a bug where items within Zip archives were not filtered correctly during multi-file search/text factory processing, and guards against spurious “preference changed” notifications in High Sierra. See the release notes for a complete list of bug fixes.

You can upgrade from BBEdit 11 for $29.99 or from an earlier version for $39.99 (upgrades for purchases made after 1 March 2017 are free). Upgrade prices apply to copies purchased from the Mac App Store as well. ($49.99, $29.99 or $39.99 upgrade, free update from version 12, 13.5 MB, release notes, 10.11.6+)


DEVONthink/DEVONnote 2.9.16 — DEVONtechnologies has updated all three editions of DEVONthink (Personal, Pro, and Pro Office) and DEVONnote to version 2.9.16 with enhancements to DEVONthink’s built-in synchronization, enabling you to import multiple databases at the same time from a sync location. Pending items are automatically downloaded from the next available location, merging records is more efficient, and sync connections to WebDAV servers, Box.com, and Dropbox work better.

All four apps improve compatibility with macOS 10.13 High Sierra, fix a bug where the group selector wouldn’t close on High Sierra-equipped MacBook Pro models with a Touch Bar, and resolve an issue with search results not appearing in three-pane and split views.

The three editions of DEVONthink also fix a number of issues related to PDF annotations, improve indexing and importing of large numbers of files, improve handling of Finder tags, rectify an issue where large numbers of entries in the Log panel could slow down importing or indexing files, and resolve a crash related to closing databases in 10.11 El Capitan. Finally, DEVONthink Pro Office improves importing and OCR capabilities. (All updates are free. DEVONthink Pro Office, $149.95 new, release notes; DEVONthink Professional, $79.95 new, release notes; DEVONthink Personal, $49.95 new, release notes; DEVONnote, $24.95 new, release notes; 25 percent discount for TidBITS members on all editions of DEVONthink and DEVONnote. 10.9+)


TidBITS Staff

ExtraBITS for 23 October 2017

In ExtraBITS this week, Apple CEO Tim Cook said that the Mac mini is important to Apple’s future (we’ll believe him when we see a real update!), Apple recommends running a specific Terminal command before selling a MacBook Pro with a Touch Bar, and we learn what the iPod’s creator is up to now.

Tim Cook Calls the Mac mini “Important” — It has been three years since Apple last updated the Mac mini, and that revision was in many ways a downgrade from its predecessor. Despite that dubious history, Apple CEO Tim Cook told a MacRumors reader via email that Apple plans for the Mac mini to be an “important part of the company’s product lineup in the future.” Given that Apple has ignored the Mac mini for so long, we’re taking Cook’s claim with the proverbial grain of salt, but we’d love to see Apple put a new spin on the idea of a miniature Mac.


Use This Terminal Command Before Selling a MacBook Pro with Touch Bar — Before you sell or give away a MacBook Pro with Touch Bar (which has a Touch ID sensor), Apple recommends that you boot the Mac into macOS Recovery and execute this Terminal command: xartutil --erase-all. We’re not entirely sure what it does, and Apple doesn’t offer any explanations, but we suspect it acts to clear the Secure Enclave that stores your fingerprint data. Regardless, it would be wise to follow Apple’s advice.


What the iPod’s Creator Is Up To — Tony Fadell designed the iPod at Apple and then created the Nest thermostat that was eventually purchased by Google. Now with his new venture, Future Shape, Fadell is going after the concept of Silicon Valley as a tech hub by funding startups from Paris, France. Fadell has taken his fair share of criticism over the years for being overbearing and opinionated (shades of Steve Jobs), but he is also one of the most successful Apple alums and is worth keeping an eye on.
