Red Sweater Blog: Mac & Technology Writings by Daniel Jalkut

Heartbleed Statement (Sun, 13 Apr 2014 16:14:46 +0000)

By now many people have heard about The Heartbleed Bug, last week’s internet-wide security issue based on a flaw in the popular OpenSSL encryption library. I have put off making a public statement not because of ignorance about the bug but because I wasn’t sure it was appropriate or necessary. Over the past week I’ve become convinced that it’s a good idea for any affected company or site to fully disclose their exposure and response to the bug.

What was Red Sweater’s exposure?

Our only customer-facing service exposed via HTTPS is the Red Sweater Store, which was affected by the bug. In practice, this means that private customer data, including credit card numbers as well as customer names, addresses, and email addresses, could theoretically have been exposed to an attacker during the exposure window. Credit card numbers used in the purchase of Red Sweater products are never stored on Red Sweater servers, but are held in memory for a short time in the creation of encrypted transactions with PayPal, our credit card processor.

What was the exposure window?

Although the bug existed in OpenSSL for almost 3 years, I was somewhat lucky in that I had only updated the Red Sweater Store to an affected version of OpenSSL on March 6, 2014, about one month before the vulnerability was disclosed.

What was Red Sweater’s response?

While some larger services were apparently notified of the bug earlier, it was not shared with the public until Monday, April 7. Red Sweater’s secure server was updated with fixed software at around 3:30AM Pacific time on April 8. By 9:00AM Pacific, I had created a new private key for Red Sweater, reissued, and installed the updated certificates. From this point onward there is no known risk of exposure of any private customer data submitted to the Red Sweater Store.
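The response above hinges on one step that is easy to get wrong: a certificate reissued against the old private key gives no protection at all, because the key is what Heartbleed may have leaked. The helpers below, an added example that is not code from the original post or from Red Sweater, generate a fresh key and CSR and then verify that a deployed certificate is actually bound to the new key rather than the old one. They assume the openssl command-line tool is installed; the hostname store.example.test and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Red Sweater.
# After a Heartbleed-style private-key exposure the fix is only complete
# once the reissued certificate is bound to a NEW key.  These helpers
# rotate a key and check the binding by comparing the public key inside
# the certificate with the public key derived from the private key.
# Requires the openssl command-line tool (assumption).
set -eu

# SHA-256 fingerprint of the public key derived from a private key file.
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
cert_pub_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) only if the certificate carries this key's public half.
cert_matches_key() {
    cert=$1; key=$2
    [ "$(cert_pub_fp "$cert")" = "$(key_pub_fp "$key")" ]
}

# Generate a fresh 2048-bit RSA key and a CSR for it.  The CSR goes to the
# CA for reissue; the old key file is never reused.
rotate_key() {
    host=$1; newkey=$2; csr=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$newkey" -out "$csr" -subj "/CN=$host" 2>/dev/null
    chmod 600 "$newkey"
}

# Walk through a rotation in a scratch directory.  Prints
# "reissued-with-new-key" when the new certificate is bound to the new key,
# or "still-on-old-key" if it still matches the compromised key.
demo_rotation() {
    dir=$(mktemp -d)
    # Constructed sample: the pre-incident key and its self-signed certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/old.key" -out "$dir/old.crt" \
        -subj "/CN=store.example.test" 2>/dev/null
    rotate_key store.example.test "$dir/new.key" "$dir/new.csr"
    # Stand-in for the CA: sign the CSR so we have a reissued certificate.
    openssl x509 -req -in "$dir/new.csr" -signkey "$dir/new.key" \
        -days 1 -out "$dir/new.crt" 2>/dev/null
    if cert_matches_key "$dir/new.crt" "$dir/old.key"; then
        echo still-on-old-key
    elif cert_matches_key "$dir/new.crt" "$dir/new.key"; then
        echo reissued-with-new-key
    fi
    rm -rf "$dir"
}
```

Run `cert_matches_key /path/to/deployed.crt /path/to/old.key` against the certificate a server is actually serving; if it succeeds after the "fix", the key was never rotated. Comparing the public key in DER form rather than the PEM text avoids false mismatches from differing line wrapping or headers.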

What should customers do?

Theoretically, any affected site has been vulnerable to possible eavesdropping during the exposure window. Because the Red Sweater Store does not incorporate a password or cookie-based credentials system, there is nothing that needs proactive changing to limit further exposure. Because of the wide-reaching nature of this bug, I would advise all users of all web sites to be on guard about possible exposure of private information including credit card numbers. Because of the small exposure window and relatively low profile of Red Sweater, I think the risk to my customers on this site in particular is low.

If you have any questions at all about my response to the Heartbleed bug or to any other security issue, do not hesitate to contact me (Daniel Jalkut, founder of Red Sweater).

Ten Dollar Apps (Tue, 08 Apr 2014 12:58:42 +0000)

I’m launching an experiment today, possibly permanent, in which the prices of four of my apps will drop to just $9.95 each. Black Ink, FastScripts, FlexTime, and Clarion are all just $9.95 for a single-user license, or $14.95 for a family-pack license.

I’ve long held fairly strong opinions about software pricing. I have written extensively about my rationale for maintaining relatively higher, dare I say premium prices on my software. I still believe that pricing too low is a mistake: it attracts users who don’t value good work, and leaves them lacking a sense of ownership. If a developer treats his or her software as disposable, then I think users are likely to treat it the same way.

But in a post-App Store world, I am no longer convinced that $10 is a disposable price point. The four apps I’m adjusting the price on could be sustainable at that price point, thanks to their relatively modest support requirements. If the sales of these apps double or triple as a result of the price change, I will probably see a net gain financially, and will definitely be making a greater overall impression with my work.

I’m sticking with $39.95 for MarsEdit because it’s a more nuanced and powerful app, requiring both more development time and more nuanced support from me. And although many people perceive it as mass-market software, it’s still a relatively niche market in which people who know how to get the most out of it are delighted to spend the money.

I hope the new price points for these four apps will attract some of you to give them a try and to share the news about them with friends and colleagues. Let me know if you do try them out and have any feedback.

Black Ink 1.6: Welcome To The Sandbox (Tue, 08 Apr 2014 12:30:56 +0000)

I’m pleased to announce that Black Ink 1.6 is now available from the Black Ink home page. It will be available in the Mac App Store as soon as Apple approves the update.

Black Ink is a dedicated app for solving crossword puzzles, and the nature of the app is perfectly suited to Apple’s “Application Sandbox” technologies, which give developers a means of restricting the access an app has to files and services on your Mac.

Previously, Black Ink could theoretically read or write any file that the user running it had permission to view. Now, it only reads and writes to files within Red Sweater’s sandboxed group container, or to files explicitly chosen by the user.

When Apple announced the sandboxing technologies a few years ago, I was quite a bit more disheartened than inspired. Adopting the sandbox turns upside down the approach we’ve had to desktop software development for decades. That approach always was that users must trust developers not to write apps that screw up their computer, and developers had to tread very carefully for fear of betraying that trust.

I have to admit I like the reassurance sandboxing gives me as a developer that although I still need to be careful with users’ data, there is a limit to how large an impact even the worst mistake could make.

While adapting Black Ink to the sandbox, I also took the opportunity to make a few long-standing fixes I’d wanted to make to the UI. The clue list used to suffer a problem in which a particularly long clue would run off the edge of the list, and be unreadable. Now the list will wrap as much as needed to show the whole clue. Compare the appearance of the old clue list with the new one and you’ll see there were some other clean-ups as well:

[Screenshot: clue list in Black Ink 1.5.3]

[Screenshot: clue list in Black Ink 1.6]

I also updated Black Ink in 1.6 to embrace some of Apple’s new technologies in 10.7 to support autosaving and version browsing of documents. While this might not be the kind of app where browsing previous versions is common, it’s nice that you can now quit and reopen Black Ink with confidence that the puzzle you were working on will pop right back open.

The complete list of changes for Black Ink 1.6 is below:

  • Sandboxed for increased security
  • Now supports autosave and document version browsing on 10.7 Lion or later
  • Clue list rows now resize height to guarantee showing entire clue
  • Puzzle solving – improvements to the mechanics of when checked and revealed indicators are shown
  • Fix an issue where typing a clue number too high for puzzle could crash
  • Fix a crash when starting the puzzle Timer on Mac OS X 10.6.8

If you like solving crosswords and haven’t given Black Ink a try, grab it from my site or the Mac App Store and let me know what you think!

MarsEdit 3.6.3: Images, Mavericks, and Tumblr (Thu, 02 Jan 2014 18:25:23 +0000)

MarsEdit 3.6.3 is available now from the MarsEdit home page, and has been submitted to the Mac App Store for review by Apple.

This release addresses a few stability issues and some subtle usability problems related to image workflow and full-screen integration on Mavericks. It also fixes a nagging issue for Tumblr users who preferred to have images remain in the same format as they provided. Previously the images were unilaterally converted to PNG format.

Here is the complete list of changes for this release:

  • Fix to Tumblr image uploads to preserve original image filetype (e.g. JPEG)
  • Fix a bug where image sizing constraints were enabled even when full-size option selected
  • Fix a bug that prevented reliable searching/replacing of multiple spaces in Rich Text mode
  • Fix a crash that would occur if the “Send to Blog” button was clicked twice instead of once
  • Fix an issue with OS X Mavericks where window positions changed when switching from a full screen app to MarsEdit

Please let me know if you run into any issues with the update!

Markdown On WordPress.com (Wed, 20 Nov 2013 02:01:33 +0000)

The folks at WordPress.com have great news for fans of Markdown. It’s now built in by default to every WordPress.com blog, and it’s super easy to enable:

To start using Markdown, go to Settings → Writing in your blog dashboard, check the box next to Use Markdown for posts and pages, and save.

I just enabled it for one of my test blogs and am happy to report that MarsEdit works perfectly for publishing with Markdown to WordPress.com. They mention that it’s best to stick to the “plain text” editor on WordPress.com, and the same is true for MarsEdit. You’ll want to stick with editing in “HTML Text” mode so the plain Markdown text can get to your blog without being wrapped in HTML generated by MarsEdit’s rich editor.

I wrote recently about MarsEdit’s ability to automatically convert Markdown to HTML before publishing a post. It’s worth noting that if you use the new Markdown functionality on WordPress, you probably want to avoid MarsEdit converting to HTML. This is because WordPress’s implementation of the Markdown feature does things “the right way” in my opinion, storing the original Markdown as the text of the post, so you can make further edits to the post by editing the original Markdown and not the converted HTML.

The only downside I’ve noticed so far is that when you download a post through the API from MarsEdit or from the official WordPress apps, the content is converted to HTML even though it shouldn’t be. The original Markdown does show up in the web-based WordPress admin panel. I’m going to report this as a bug and hopefully they will agree that it should be fixed.

OS X Mavericks Compatibility (Tue, 22 Oct 2013 20:29:55 +0000)

All Red Sweater apps are compatible with OS X Mavericks.

Over the past several months we have tested all our apps against pre-release versions of OS X Mavericks. Minor bug fixes were required here and there but have been actively deployed in the released versions of apps for several months.

Should you run into any issues at all with OS X Mavericks, please get in touch and we will make it a priority to address any outstanding compatibility issues as soon as possible.

Markdown Anywhere With MarsEdit (Mon, 07 Oct 2013 15:00:42 +0000)

For years, MarsEdit has supported Markdown in a manner that makes it easy to write, preview, and publish to a blog without ever dealing in HTML or Rich Text.

However, for years it has also been confusing how exactly one goes about using Markdown with MarsEdit. Because there is no explicit “Markdown mode,” many people assume there is no support for Markdown. I agree that Markdown should be more explicitly supported, but the extent of Markdown support in MarsEdit may surprise you.

To assist customers who wish to write in Markdown when publishing to their blogs, I present these guidelines for making the most of MarsEdit. Note that if you happen to want to use another markup script such as Textile or MultiMarkdown, these guidelines also apply.

Guideline 1: Edit In “HTML Text” Mode

MarsEdit supports two modes of editing: “HTML Text” and “Rich Text.” It’s important to appreciate that in Rich Text mode, everything is converted to pure HTML before publishing to your blog. There is no room within “pure HTML” for Markdown to exist. Any Markdown content will be wrapped up in pure HTML tags, which prevents the Markdown from being rendered either by MarsEdit’s preview window or on your blog.

In MarsEdit, “HTML Text” is a synonym for “unadulterated markup.” It’s called HTML Text because that’s what the majority of users understand it to be useful for. In fact, you can type arbitrary text content in “HTML Text” mode and MarsEdit will not alter it, with one exception that I’ll get to later.

In MarsEdit’s preferences, you can opt to have posts open in “HTML Text” mode by default. Alternatively, you can switch to HTML Text mode at any time by selecting Post -> Edit HTML Text.

Guideline 2: Set The Preview Filter To “Markdown”

MarsEdit supports a flexible preview system designed to simulate how your blog content will look after it is published to the site. The two main components of this system are the preview template, which consists of arbitrary HTML with placeholders for your blog entry contents, and the preview filter, which transforms the content of your post to simulate server-side transformations.

By default, MarsEdit uses a preview filter called “Convert Line Breaks,” which simulates the common behavior across many blog systems of converting blocks of text separated by two newlines into “paragraphs.” This is what enables you to write in “HTML Text” mode with paragraph clumps, and have it appear in the preview window as paragraphs, even though strict HTML would treat those clumps as a contiguous block of text.

Markdown is also included as a built-in preview filter, so you can write your “HTML Text” using Markdown syntax, and see how it will look after your blog processes it.


This assumes your blog knows how to process Markdown. Some blog systems include Markdown support by default, but many do not. If your blog system doesn’t understand Markdown by default, pay close attention to the next and final guideline.

Guideline 3: Convert Markdown To HTML If Needed

Generally speaking I encourage Markdown fans to keep their content in Markdown format when possible. For example if you publish a long post and want to go back to make substantial edits later, it will always be preferable to have the original in Markdown format.

Unfortunately preserving content in Markdown format is not feasible for all blogs. If you are publishing to a blog system that does not recognize Markdown, and you can’t for example install a custom WordPress plugin to facilitate such recognition, you will need to see that your Markdown content is converted to HTML before publishing.

Starting in MarsEdit 3.6, a new per-blog option makes it easy to automatically convert Markdown content to HTML when you publish to a blog.


Simply check the “Apply preview filter to content” box in the blog settings for your blog, and whatever preview filter is configured for your preview window will also be applied to the content before submitting it to your blog. This is the great exception to my previous promise that MarsEdit will not alter your content in “HTML Text” mode. If you check this box, your content may be dramatically altered, but hopefully to your great delight.

Guideline 4: Have Fun

Experiment with MarsEdit’s versatile previewing system, and let me know how the Markdown support is working for you. I have ideas for improving it even further, but your feedback will help to clarify those ideas as I move forward.

MarsEdit 3.6.2: Tumblr Security Fix (Wed, 17 Jul 2013 19:06:28 +0000)

MarsEdit 3.6.2 is available now from the MarsEdit home page, and has been submitted to the Mac App Store for review by Apple.

Last night Tumblr revealed on their staff blog that the Tumblr for iOS app sends a user’s password in plain-text when authenticating for the service. They published an updated version of the app which addresses the problem by connecting to Tumblr using the secure HTTPS protocol.

MarsEdit had precisely the same flaw in the way it communicates with Tumblr, so the fix is the same as Tumblr’s: use HTTPS when communicating a user’s password to Tumblr.

Who Should Update?

If you use MarsEdit to connect to a Tumblr blog, you should update to ensure that your password is sent securely to Tumblr.

What Was The Risk?

Because MarsEdit communicated a user’s Tumblr password in plain-text across a regular HTTP connection, it was theoretically possible for the communication to be intercepted en-route and read by an untrusted person.

What Else Should I Do?

After updating to MarsEdit 3.6.2, you may want to change your Tumblr password to be absolutely sure that it has not been compromised. Starting with MarsEdit 3.6.2 your Tumblr password will never be transmitted insecurely to Tumblr’s servers.

Tumblr uses an authentication system through which clients can maintain permission to connect even after your password has been changed. To be absolutely sure that your password is secure and that no unauthorized entities have authentication tokens to your blog, I recommend visiting Tumblr’s Apps Settings Page, where you can view a list of authenticated applications and revoke access to any that you are uncertain about.

Finally, as a matter of general internet security, don’t use the same password on any two services. By using unique passwords for each of the various web services you connect to, a compromised password will only ever provide an attacker with access to a single system.

What About Other Systems?

Many popular blogging systems use authentication schemes that are less secure than they ideally would be. For example, the XML-RPC-based APIs that WordPress, Movable Type, and many other systems are based upon also require clients such as MarsEdit to communicate the authentication password in plain text to the server.

However, many of these systems also support accessing the API endpoint via HTTPS, which ameliorates the problem. If you are connecting to a WordPress.com blog, the HTTPS version of the API Endpoint URL should be set up for you automatically. If you are connecting to a self-hosted WordPress blog, you may need to ask your hosting provider whether you can switch to an HTTPS URL for accessing the blog.

For WordPress-style systems, you can get a sense for whether MarsEdit is connecting to your blog via a secure HTTPS connection by examining the blog settings in MarsEdit:

[Screenshot of MarsEdit’s blog settings]

Note that for Google Blogger blogs, although the API Endpoint URL is HTTP-based, the authentication is handled separately from that URL, using a mechanism that prevents transmitting the password as plain text over the internet.

Anything Else?

MarsEdit 3.6.2 is primarily a “one-fix wonder,” but it also addresses some minor memory-usage issues, and another subtle Tumblr authentication issue. Here are all the changes for this release:

  • Improve security of Tumblr connections
  • Fix an issue where MarsEdit would fail to re-authenticate with Tumblr after revoking privileges
  • Fix some memory performance issues
MarsEdit 3.6: Bug Fixes With A Twist (Tue, 02 Jul 2013 17:11:54 +0000)

MarsEdit 3.6 is now available. This is a free update for licensed MarsEdit customers. The update has been submitted to the Mac App Store and will be available there when Apple approves the update.

This update is primarily a “bug fixes” release, that is to say, no new features. However, I am allergic to version numbers such as “3.5.10”, which was where MarsEdit was heading. I decided to jump to 3.6 with this release, on the basis of a bug-fix change with wider implications:

MarsEdit can now apply the preview filter as part of the publishing process.

This is primarily of interest to folks who write in HTML Text mode with a text filter such as Markdown, but publish to a blog that doesn’t support it natively. Now you can check a box in the blog’s settings to ensure that the preview filter runs when you publish, causing for example the Markdown content to be converted automatically to HTML as part of the publishing process. Given that MarsEdit supports custom preview filter scripts, the sky is the limit for how you choose to manipulate your post content as part of the publishing process.


Generally I strongly encourage folks to set up their blogs in such a way that Markdown can be used natively and preserved for later editing, but this is not always possible. This is a great option for folks who want the convenience of writing in Markdown but need to publish in HTML.

The change was actually made to address a change of behavior with Blogger, where historically plain text separated by newlines was automatically converted to paragraphs. They changed this behavior sometime in the past few months, so that the paragraphs are “crunched together” if you write in HTML Text mode and were relying on automatic line breaks. Using the new “Apply preview filter” feature, you can work around the bug by causing MarsEdit’s default “Convert Line Breaks” filter to process the content of your post as it is being published.

There are a number of other bug fixes in this release. Complete change notes below:

  • Restore auto-configuration functionality for Blogger/Blogspot blogs
  • Fix a bug where an authentication dialog was not appearing for some LiveJournal and Squarespace configurations
  • Fix a bug that prevented Flickr short-name being used in Flickr page links
  • Fix a bug that prevented undo from working in some editor fields
  • Fix a bug that allowed rich text to be pasted into Tumblr quotation text field
  • Fix a bug that caused Tumblr quotation source text to be treated as plain instead of as HTML
  • Fix a bug where new image albums for Blogger were created with public permissions
  • Fix a cosmetic glitch with the Date Editor panel


Update: 3.6 had a bug that caused the flagship “apply preview filter” feature to fail on some blog types including WordPress and Movable Type. 3.6.1 is now available and should address the problem.

Blogger Auto-Configuration Failures (Wed, 19 Jun 2013 13:21:21 +0000)

Recently something changed in the format of Blogger blogs such that MarsEdit’s method of “auto-configuring” is now failing. This does not affect existing configurations in MarsEdit, but any new Blogger blog added to MarsEdit will fail to connect with a cryptic “Invalid Blog ID” error.

I’ve added a workaround of the problem to the Red Sweater Forums. The long and short of it is the “API Endpoint URL” and “Blog ID” fields in MarsEdit’s configuration need to be manually corrected.

I am working on a permanent fix for the next update to MarsEdit.
