Black Ink 1.6.1: Premium Puzzles

May 5th, 2014

Black Ink 1.6.1 is now available for download from the Black Ink home page and from the Mac App Store. This is a free update.

The big change in this release is the addition of built-in support for downloading from two authenticated “premium” puzzle sources: The New York Times and the American Values Crossword. Black Ink does not offer subscription sales to these services, but for users who do have a subscription, Black Ink now supports entering your username and password to authorize automatic downloading of the source’s latest puzzle.

For a long time now many users have enjoyed direct downloads of the New York Times premium puzzle because of the happy coincidence that Black Ink and Safari could share the same web browser “cookies.” This meant that if you had logged in to your premium New York Times account via Safari, downloads of those puzzles (after configuring a custom puzzle source) would work automatically. That functionality was broken with Black Ink 1.6 as an unexpected side effect of security sandboxing: Black Ink can no longer access Safari’s cookies. With this update cookie sharing is no longer required for this functionality.

Complete list of changes:

  • New support for premium puzzle downloads from New York Times and American Values Club
  • Fix a bug where the puzzle chooser would appear upon launch even when already opening a document
  • Fix a crash that could sometimes occur while closing a puzzle

I hope these changes make Black Ink even more enjoyable for you puzzle lovers out there.

MarsEdit 3.6.4: Authentication & Bug Fixes

April 28th, 2014

MarsEdit 3.6.4 is available now from the MarsEdit home page, and has been submitted to the Mac App Store for review by Apple.

This release catches MarsEdit up with some recent security-related changes at both Tumblr and Flickr, as well as fixing a number of minor glitches and UI defects.

Tumblr users who have chosen to take advantage of the recently announced two-factor authentication support will want to update to this release to get authentication from MarsEdit working properly again. To connect from MarsEdit, just connect to your Tumblr settings page and click the option to “Generate mobile password.” Yes, this terminology is not the most accurate Tumblr could have possibly used. (Update May 2, 2014: Tumblr now calls them “app passwords” and alludes to other apps. Great improvement.)

Here is the complete list of changes for MarsEdit 3.6.4:

  • Fix a problem with Tumblr 2-factor “mobile” passwords
  • Update Flickr authentication to support new HTTPS API requirements
  • Fix to support relative URLs in the rich editor, loaded relative to the home page URL
  • Fix to prevent blank display of embedded YouTube videos lacking a URL scheme (http or https)
  • Fix to prevent preview window from reloading completely when a post’s title is edited
  • Fix a VoiceOver issue that prevented contextual menus from appearing in the blogs and posts lists
  • Fix some cosmetic issues in the blog settings panel UI
  • Fix an issue where the main window showed up in an awkward position on first launch
  • Fix bugs that caused documents to sometimes show changes when there hadn’t been any

Enjoy!

Heartbleed Statement

April 13th, 2014

By now many people have heard about The Heartbleed Bug, last week’s internet-wide security issue based in a problem with the popular OpenSSL encryption libraries. I have put off making a public statement not because of ignorance about the bug but because I wasn’t sure it was appropriate or necessary. Over the past week I’ve become convinced that it’s a good idea for any affected company or site to fully disclose their exposure and response to the bug.

What was Red Sweater’s exposure?

Our only customer-facing service exposed via HTTPS is the Red Sweater Store, which was affected by the bug. In practice, this means that private customer data, including credit card numbers as well as customer names, addresses, and email addresses, could theoretically have been exposed to an attacker during the exposure window. Credit card numbers used in the purchase of Red Sweater products are never stored on Red Sweater servers, but are held in memory for a short time in the creation of encrypted transactions with PayPal, our credit card processor.

What was the exposure window?

Although the bug existed in OpenSSL for almost 3 years, I was somewhat lucky in that I had only updated the Red Sweater Store to an affected version of OpenSSL on March 6, 2014, about one month before the vulnerability was disclosed.

What was Red Sweater’s response?

While some larger services were apparently notified of the bug earlier, it was not shared with the public until Monday, April 7. Red Sweater’s secure server was updated with fixed software at around 3:30AM Pacific time on April 8. By 9:00AM Pacific, I had created a new private key for Red Sweater, reissued, and installed the updated certificates. From this point onward there is no known risk of exposure of any private customer data submitted to the Red Sweater Store.

What should customers do?

Theoretically, any affected site has been vulnerable to possible eavesdropping during the exposure window. Because the Red Sweater Store does not incorporate a password or cookie-based credentials system, there is nothing that needs proactive changing to limit further exposure. Because of the wide-reaching nature of this bug, I would advise all users of all web sites to be on guard about possible exposure of private information including credit card numbers. Because of the small exposure window and relatively low profile of Red Sweater, I think the risk to my customers on this site in particular is low.

If you have any questions at all about my response to the Heartbleed bug or to any other security issue, do not hesitate to contact me (Daniel Jalkut, founder of Red Sweater).

Ten Dollar Apps

April 8th, 2014

I’m launching an experiment today, possibly permanent, in which the prices of four of my apps will drop to just $9.95 each. Black Ink, FastScripts, FlexTime, and Clarion are all just $9.95 for a single-user license, or $14.95 for a family-pack license.

I’ve long held fairly strong opinions about software pricing. I have written extensively about my rationale for maintaining relatively higher, dare I say premium prices on my software. I still believe that pricing too low is a mistake: it attracts users who don’t value good work, and leaves them lacking a sense of ownership. If a developer treats his or her software as disposable, then I think users are likely to treat it the same way.

But in a post-App Store world, I am no longer convinced that $10 is a disposable price point. The four apps I’m adjusting the price on could be sustainable at that price point, thanks to their relatively modest support requirements. If the sales of these apps double or triple as a result of the price change, I will probably see a net gain financially, and will definitely be making a greater overall impression with my work.

I’m sticking with $39.95 for MarsEdit because it’s a more nuanced and powerful app, requiring both more development time and more nuanced support from me. And although many people perceive it as mass-market software, it’s still a relatively niche market in which people who know how to get the most out of it are delighted to spend the money.

I hope the new price points for these four apps will attract some of you to give them a try and to share the news about them with friends and colleagues. Let me know if you do try them out and have any feedback.