Careful with WiFi names on your iPhone.

A few weeks ago, Schou and his not-for-profit group, Secret Club, which reverse-engineers software for research purposes, found that if an iPhone connected to a network with the SSID %p%s%s%s%s%n, it would trigger a bug in iOS’ networking stack that would disable its Wi-Fi, and system networking features like AirDrop would become unusable.

A possible explanation for this bug from 9to5 Mac:

the ‘%[character]’ syntax is commonly used in programming languages to format variables into an output string. In C, the ‘%n’ specifier means to save the number of characters written into the format string out to a variable passed to the string format function.

The Wi-Fi subsystem probably passes the Wi-Fi network name (SSID) unsanitized to some internal library that is performing string formatting, which in turn causes an arbitrary memory write and buffer overflow.

This will lead to memory corruption and the iOS watchdog will kill the process, hence effectively disabling Wi-Fi for the user.
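The pattern that explanation describes, as an added example (not Apple's code and not from the quoted article): a hypothetical logging helper, log_line, receives the network name as its format string, shown next to the corrected call that passes the name as data. All function names are assumptions, and the "cafe 100%%" name is constructed so the buggy path can run with defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical internal helper: formats into out, snprintf-style.
 * Marking it __attribute__((format(printf, 3, 4))) on GCC/Clang would let
 * -Wformat-security flag the buggy call below at compile time. */
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* BUG: the untrusted network name is used as the format string, so any
 * %p, %s or %n inside it is executed against arguments that were never
 * passed. Only call this with input that contains no live directives. */
int log_ssid_vulnerable(char *out, size_t n, const char *ssid)
{
    return log_line(out, n, ssid);
}

/* FIX: constant format string; the network name is only ever data. */
int log_ssid_safe(char *out, size_t n, const char *ssid)
{
    return log_line(out, n, "%s", ssid);
}

/* Defensive check: count the conversion directives printf would act on.
 * "%%" is a literal percent sign and is not counted; a lone trailing '%'
 * is counted because printf's behaviour on it is undefined. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[64];
    const char *reported = "%p%s%s%s%s%n";   /* SSID quoted on this page */
    const char *benign = "cafe 100%%";       /* constructed sample name */

    /* The buggy path rewrites the name: "%%" collapses to "%". */
    log_ssid_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable: [%s]\n", buf);
    log_ssid_safe(buf, sizeof buf, benign);
    printf("safe:       [%s]\n", buf);

    /* The reported SSID goes through the safe path only. */
    log_ssid_safe(buf, sizeof buf, reported);
    printf("safe:       [%s] (%d directives if used as a format)\n",
           buf, count_format_directives(reported));
    return 0;
}
```

The changed output for the constructed name is the tell-tale that a string is being interpreted as a format rather than printed as data.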

Basecamp’s crazy week…

First, Casey Newton broke the news on some controversy from Basecamp that happened due to a list:

The controversy that embroiled enterprise software maker Basecamp this week began more than a decade ago, with a simple list of customers.

Around 2009, Basecamp customer service representatives began keeping a list of names that they found funny. More than a decade later, current employees were so mortified by the practice that none of them would give me a single example of a name on the list. One invoked the sorts of names Bart Simpson used to use when prank calling Moe the Bartender: Amanda Hugginkiss, Seymour Butz, Mike Rotch.

Many of the names were of American or European origin. But others were Asian, or African, and eventually the list — titled “Best Names Ever” — began to make people uncomfortable. What once had felt like an innocent way to blow off steam, amid the ongoing cultural reckoning over speech and corporate responsibility, increasingly looked inappropriate, and often racist.

Discussion about the list and how the company ought to hold itself accountable for creating it led directly to CEO Jason Fried announcing Tuesday that Basecamp would ban employees from holding “societal and political discussions” on the company’s internal chat forums. The move, which has sparked widespread discussion in Silicon Valley, follows a similar move from cryptocurrency company Coinbase last year.

Fried’s memo was revised and updated several times; co-founder David Heinemeier Hansson followed with one of his own. Together, they are two of the most outspoken leaders in the entire tech industry on issues related to company culture, remote work, and collaboration. The company has published five books on work culture, one of which was a New York Times bestseller.

But both of their posts avoided discussing the actual series of events that had led up to the policies, which were related directly to the workplace. In fact, the events all took place on Basecamp’s own software, which it sells to other companies on the promise of improving cohesion and reducing stress in the workplace.

Employees say the founders’ memos unfairly depicted their workplace as being riven by partisan politics, when in fact the main source of the discussion had always been Basecamp itself.

“At least in my experience, it has always been centered on what is happening at Basecamp,” said one employee — who, like most of those I spoke with today, requested anonymity so as to freely discuss internal deliberations. “What is being done at Basecamp? What is being said at Basecamp? And how it is affecting individuals? It has never been big political discussions, like ‘the postal service should be disbanded,’ or ‘I don’t like Amy Klobuchar.’”


Basecamp employees are encouraged to discuss the company’s own political positions — or, perhaps more accurately, the founders’ political positions — as much as they like. Keeping track of which issues of the moment are up for discussion thus becomes one more chunk of mental overhead for employees who are already struggling.

Hansson told me that the rules are not draconian — no one is going to be bounced out the door for occasionally straying out of bounds. The founders’ goal is to reset the culture and focus on making products, he said, not to purge political partisans from the workforce.

But to employees, the move was received more as a shift to willful ignorance — about the world around them, and about the lived experiences of the employees who occupied it.

“There’s always been this kind of unwritten rule at Basecamp that the company basically exists for David and Jason’s enjoyment,” one employee told me. “At the end of the day, they are not interested in seeing things in their work timeline that make them uncomfortable, or distracts them from what they’re interested in. And this is the culmination of that.”

DHH’s own post has some interesting takes as well:

Casey’s reporting for The Verge brought some of the dirty laundry that helped motivate our change of direction regarding societal politics at Basecamp onto the public record. It erased part of that fine line we try to toe between sharing as much of the inner workings at the company as possible while respecting the confidentiality of employees, internal deliberations, and heated discussions. That’s why we didn’t include it in the public announcements in the first place. It’s difficult to retain good working relationships if you’re concerned about what might be turned into a story or not.

At the same time, leaks of all kinds have brought serious issues to light in the industry. And investigative reporters are not only completely within their right to cultivate and use such leaks, I’d say they’re obligated to do it! So it’s only right and fair that when this is turned at Basecamp, at least when evaluating the reporting, we take it on the chin.

Either way, now that particularly the incident regarding the Best Names List (read Casey’s piece for his reporting based on employee leaks) is on the public record, I think it’s also only right and fair to share our internal response, as well as the specific comment that ended up being reported to HR. Then it’s out there for anyone to consider for themselves.


So if that is something you want, I continue to believe that a diverse workforce _should_ be something that you want, you have to consider what guardrails to put on the internal discourse. My belief is that the key to working with other people of different ideological persuasions is to find common cause in the work, in the relations with customers, in the good we can do in the industry. Not to repeatedly seek out all the hard edges where we differ. Those explorations are better left to the smaller groups, to discussions outside of the company-wide stage, and between willing participants.

I respect that others will come to different conclusions on all of these questions. Particularly around whether the new direction we’ve set at Basecamp, where these societal political questions unrelated to work are being moved from company workspaces to private employee channels, is incompatible with what they want out of a company. We all have our principles, and I will always respect people who are willing to follow theirs.

Yesterday, we offered everyone at Basecamp an option of a severance package worth up to six months salary for those who’ve been with the company over three years, and three months salary for those at the company less than that. No hard feelings, no questions asked. For those who cannot see a future at Basecamp under this new direction, we’ll help them in every which way we can to land somewhere else.

These are really hard questions. I’ve been inundated with emails from executives and employees who are wrestling with them at their companies. I hope that the airing of our dirty laundry, and the shitstorm it’s caused, can help others answer their own questions better. Whatever the answer they deem right for them.

It’s also a really hard time. We’ve always been a remote company, but we’ve never gone a year and a half without seeing each other. Normally, we’d all have met up thrice during this time to recharge, reconnect, and rehumanize. Add to that all the stress from the pandemic, from those societal politics, from, well, everything we’ve been through recently, and it’s no wonder that everyone is extra vulnerable, extra quick to jump to conclusions, extra likely to escalate. We’re human and that’s a human response.

At Basecamp, it’s going to be a tough transition. We’ve committed to a deeply controversial stance, some employees are relieved, others are infuriated, and that pretty well describes much of the public debate around this too. But this too shall pass. We’ve been in business for over twenty years. Been through a myriad of controversies and challenges, and we’ll be through this too.

You’ll have to read the full posts for yourself to really decide what side you want to see. I think that in the end, Basecamp just needs to follow their own advice, as they said in chapter 87 of their book Getting Real:

When you rock the boat, there will be waves. After you introduce a new feature, change a policy, or remove something, knee-jerk reactions, often negative, will pour in.

Resist the urge to panic or rapidly change things in response. Passions flare in the beginning. But if you ride out this initial 24-48 hour period, things will usually settle down. Most people respond before they’ve really dug in and used whatever you’ve added (or gotten along with what you’ve removed). So sit back, take it all in, and don’t make a move until some time has passed. Then you’ll be able to offer a more reasoned response.

Is Heroku Still Relevant?

The decline of Heroku
Even Heroku’s founders recognize that the revolutionary web development platform has run out of steam. How did Heroku lose its magic, and could a new, modern Heroku revive the PaaS?

Heroku has long been held up as the gold-standard platform as a service (PaaS) for software developers to easily deploy their code without having to worry about the underlying infrastructure, while others see it as akin to a magical fallen civilization with a limited future.

“The history of IT is littered with platforms people thought were fantastic that don’t exist anymore,” said James Governor, a founder of the developer-focused analyst firm RedMonk. “It had a good run and a huge influence, but nothing lasts forever.”

Founded in 2007 by three Ruby developers—James Lindenbaum, Adam Wiggins, and Orion Henry—Heroku was bought just three years later, when the SaaS giant Salesforce eventually beat out VMware to pick the company up for $212 million when it still had only 30 people on staff and supported only the Ruby programming language.


“The next big thing for Heroku is the deep integration of its capabilities with the rest of the Salesforce Platform via Salesforce Functions,” a Salesforce spokesperson said. Salesforce Functions “lets developers write code that integrates with their data and events on the Salesforce Platform, then run it on-demand with elastic scale in a serverless environment.”

If serverless were to become the next industry standard, there is certainly an opportunity there for Heroku to reshape itself for that next wave of change. “I would leapfrog microservices for serverless if I did this again today,” said PensionBee’s Lister Parsons. “Serverless could be the ‘phoenix from the ashes’ moment for Heroku.”

I still use Heroku for some projects, but its usage is getting less and less.

Switching from Google Analytics to Plausible.

I’ve been using Google Analytics for years but decided to try new tools. But I just wanted to move onto a new Analytics tool that was faster and more private.

What I eventually ended up choosing was Plausible. Plausible is a powerful yet simple analytics platform. The simplicity is what got me happy about it. I actually get to see all my data when visiting my dashboard. I can even see my goals at a glance.

Compare with Google Analytics, where there’s some digging to see most of my data. You can customize your dashboard on Google to display more of the information you want, but I hate having to carry this across all my different sites.

Switching between sites is easy, and just a matter of a drop down.

The line of script you insert into your site is small, much nicer than using Google Analytics:

<script async defer data-domain="" src=""></script>

Goals are a big thing for me, and Plausible’s goal tracking is one of the platform’s nicer features:

To track goals, you want to add an extra line to code:


For example, on the flybase home page, I use a custom event called 404. Then, on the 404 page for flybase home, I add this snippet:

window.plausible("404",{props: {path: document.location.pathname}});

That’s it, any page that hits 404 will now get stored as a custom event goal and let me see what pages they may be.

DNS issues took down Microsoft Teams and Xbox Live for over two hours but have recovered

Microsoft Teams and Xbox Live were down for over two hours but have recovered
A DNS issue has been mitigated.

Many Microsoft services, including Microsoft Teams and Xbox Live, were down for more than two hours Thursday evening. The company says the services have fully recovered.

“We have mitigated the issue impacting some service interruptions that customers may have experienced,” a Microsoft spokesperson said in a statement.

The company’s Microsoft 365 status page said there was a “DNS issue affecting multiple Microsoft 365 and Azure services,” but it has been resolved.

“We’ve successfully resolved the issue that was causing residual impact for SharePoint Online and we’ve confirmed that all Microsoft 365 services have returned to a healthy state,” Microsoft said in a statement on the status page. “We’ll continue to monitor our services to ensure stable and reliable availability.”

This outage also affected Azure and several MS 365 services.

The Mess at Medium

Behind the dysfunctional company famous for its routine mistreatment of writers

Last week, a partnerships manager at Medium working with the White House found that there was a strange problem with the platform: President Joe Biden was being served porn.

The manager was in a video conference with a White House staffer to discuss how Biden, who had used Medium as a campaign blog in 2020, could begin posting to the official Medium @POTUS account. While sharing his screen with the White House, the staffer logged in to @POTUS and saw the first article recommended to him by Medium: “A is for After,” which a sub-headline described as “a cuckold love story.”


The episode captured Medium in all its complexity: a publishing platform used by the most powerful people in the world; an experiment in mixing highbrow and lowbrow in hopes a sustainable business would emerge; and a devotion to algorithmic recommendations over editorial curation that routinely caused the company confusion and embarrassment.

On Tuesday, it also cost dozens of journalists their jobs. In a blog post, billionaire Medium founder Ev Williams announced the latest pivot for the nearly nine-year old company. Just over two years into an effort to create a subscription-based bundle of publications committed to high-quality original journalism — and in the immediate aftermath of a bruising labor battle that had seen its workers fall one vote short of forming a union — Williams offered buyouts to all of its roughly 75 editorial employees.


In his blog post, Williams said he “can see more focused, high-affinity publications working well as part of the Medium bundle.” But staffers I spoke with at Medium’s existing publications largely do not expect them to survive, at least in their current form. A skeleton crew of editors will likely be kept on to promote user-generated posts to the relevant sites; what once had been publications are now likely better thought of as topic pages.

Meanwhile, the company will continue to rely on Google and Facebook traffic to generate hits it can convert into paid subscribers. The acquisition of the e-book publisher, Glose, is intended to create a bigger library of “evergreen” content on Medium that will drive more traffic to the site via search engines. Like Blogger and Twitter before it, Medium will bet on unpaid labor and algorithms.

All of which might be fine to the dozens of journalists about to lose their jobs, if Williams would publicly claim some responsibility for his part in the chaos — ”this crazy ride,” as he called it yesterday. Instead, he points to changes in the industry and shrugs. The media business — what can you do?

But of the employees who remain, few are buying it.

“He keeps talking like this company founded in 2012 is a brand new startup finding its way,” one told me. “At a certain point you’re not nimble and iterating. You’re just floundering and failing to follow through and execute.”

Medium has been a mess for years; this latest pivot is just one more piece.

NFTs are a dangerous trap


Seth Godin:

Like most traps, they’re mysterious and then appealing and then it’s too late.

An NFT is digital treasure chest, a status symbol and an apparent item of value.

Like a Pokemon card, or an original Picasso drawing or the actual frame of a Disney animated film from 1955, NFTs are designed to be the one and only, a shred of non-fungible reality in a world gone digital.

You either own this thing or you don’t.

To make it really clear, consider Honus Wagner. A Honus Wagner baseball card is quite rare (Wagner didn’t permit the card to be made because he wanted nothing to do with cigarettes, foreshadowing some of the stuff below) and so there were fewer than 200 all in before production shut down. One of the cards last sold for more than $3,000,000.

Owning a Honus Wagner card doesn’t mean you own Honus Wagner. Or a royalty stream or anything else but the card itself.

For years, this was part of the business model of the collectible card industry. Make billions of cards, most get thrown out, some rookies get famous, some cards go up in value.


The trap, then, is that creators can get hooked on creating these. Buyers with a sunk cost get hooked on making the prices go up, unable to walk away. And so creators and buyers are then hooked in a cycle, with all of us up paying the lifetime of costs associated with an unregulated system that consumes vast amounts of precious energy for no other purpose than to create some scarce digital tokens.

New iPad Pros in April

Apple Nears Launch of New iPads After Stay-At-Home Sales Boost

Mark Gurman:

Apple Inc. plans to announce new iPads as early as April, adding to a product line that has performed particularly well as people work and study from home, according to people with knowledge of the matter.

The company is planning a refresh to its iPad Pro line, adding a better processor and improved cameras, the people said. The new models will look similar to the current iPad Pros and come in the same 11-inch and 12.9-inch screen sizes.

The devices will have an updated processor that is on par with the faster M1 chip in the latest MacBook Air, MacBook Pro and Mac mini.


In testing, the new iPad Pros have used a Thunderbolt connector, the same port on the latest Macs with custom Apple processors. The port doesn’t require new chargers, but it would enable connectivity with additional external monitors, hard drives and other peripherals. It’s also faster at syncing data than the USB-C technology used in the current models.

Apple plans to refresh its cheapest iPad aimed at students with a thinner and lighter design later this year, Bloomberg News has reported. It’s also preparing to launch a new iPad mini with a larger screen as early as this year, an increase from the 7.9-inch display used since the first model. The iPad mini was last upgraded in 2019 with support for the Apple Pencil stylus and a faster processor.

Could be an interesting year for iPads.

Clubhouse Is Recording Your Conversations. That’s Not Even Its Worst Privacy Problem

The popular new social media platform is scooping up more data than you might think.

Clubhouse was sort of perfectly made for the pandemic. People aren’t going out, and they’re desperately searching for social connections and entertainment. The app provides both in a way, while capitalizing on the draw of celebrity influencers on the platform.

It’s also built on one of the most effective strategies for generating buzz and excitement–scarcity. To join Clubhouse, you have to have an invite from someone who is already a member. Not only that, whoever invites you has to have your phone number and has to give Clubhouse access to their iPhone contacts. No access, no invites.

From a business standpoint, it certainly makes sense that Clubhouse is taking this approach. Building a social graph from scratch is very hard, and requiring users to upload their contacts list is the most effective way to determine connections.

There’s a problem, however. As always, the problem comes down to figuring out the right balance between protecting user privacy and the use of data to provide the best experience for both the user and the business behind the app.

In that sense, it’s worth considering that Clubhouse has a few policies that aren’t exactly privacy-friendly. Even worse is the fact that you have to do a bit of digging to even understand what those policies actually are. I reached out to Clubhouse multiple times but did not immediately receive a response to my questions about how it uses data.


It seems pretty clear that Clubhouse is getting ready to monetize the platform it’s building. That’s fair–every business should have a plan for making money. If that plan includes monetizing its users’ activity and data, I think we can all agree it should be upfront and transparent about that fact.

I’m all for Clubhouse making money, but I agree with Jason: they need to be upfront and tell people what they are using data for.

Cyberpunk and Witcher hackers claim they’ll auction off stolen source code for millions of dollars

Cyberpunk and Witcher hackers auction off stolen source code for millions of dollars
Cyberpunk 2077 source code is for sale.

Nick Statt:

The hackers who targeted video game developer CD Projekt Red (CDPR) with a ransomware attack are now auctioning off the stolen source code they acquired for a payday of potentially millions of dollars.

The breach, which CDPR first disclosed yesterday after learning of it on Monday of this week, involved critical game code related to high-profile releases like The Witcher 3 and Cyberpunk 2077. CDPR said at the time that it had no intention of meeting the hackers’ demands, even if that meant stolen material from the hack began circulating online.


But a cybersecurity firm called KELA, which specializes in providing threat intelligence to companies based on analyses of dark web websites and communities, says it has reason to believe the auctions are, in fact, legitimate.

“We do believe that this is a real auction by a real seller who accessed the data. The seller offers to use a guarantor and he allows only those who have a deposit to participate — a tactic that is used by many sellers to show that they are serious and to ensure that no scam will occur,” a spokesperson for KELA tells The Verge.


KELA says the auction is offering source code files for both the Red Engine and CDPR game releases, including The Witcher 3: Wild Hunt, Thronebreaker: The Witcher Tales spinoff, and the recently released Cyberpunk 2077. The stolen material is also believed to include internal documents, though it’s not clear what types of documents or additional material the full cache includes.

KELA says the starting price of the auction is $1 million, with higher bids in increments of $500,000 and a buy-it-now price of $7 million. Only users who deposit 0.1 bitcoin can participate, which is why Kivilevich believes the hackers are serious about hosting the auction and that the material for sale is likely legitimate because it ensures nobody participating in the auction is trying to scam the sellers.

Projekt Red just can’t catch a break.