Domain: googleblog.com
Stories and comments across the archive that link to googleblog.com.
Comments · 79
-
Re:URL shorteners SUCK
Google claims:
While most features of goo.gl will eventually sunset, all existing links will continue to redirect to the intended destination.
-
Re:Require SSL?
Someone already asked that question and it has been answered.
https://security.googleblog.co...
Basically, browsers recognize the domain on a list and the browser enforces https.
-
Re:HTTPS by default?...
See here for an explanation: https://security.googleblog.co...
TL;DR is the entire TLD is on the HSTS preload list.
-
Re:Old Solution
Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co...
Must be kickbacks to msmash.
-
Re:So, how does it work?
You could read the article or the original blog post:
https://security.googleblog.co...
Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.
Your full plaintext password and full hashed password are never sent to Google.
There's a nice diagram on the blog post that explains everything at a fairly deep level.
-
Info.
-
Re:Straight forward solution
I wouldn't call the chance non-zero. Google may well see this as a threat to them, especially if it goes global. They have a vested interest in this not being a thing. Apple has already fought against this kind of thing in the US courts, so I wouldn't be surprised if they don't take a stand as well.
Here's how at least one part of Google feels about it: https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html.
TL;DR we're trying to make it technically impossible for us to decrypt user data on Pixel devices. Not to prevent law enforcement access, but to ensure that no insider, no matter how privileged, can do it. This has the -- pleasant, in my personal opinion -- side effect of making laws like this ineffective. Until/unless, of course, they attempt to force companies to build in what amount to active back doors. I'm pretty confident Google would fight that (note that that's a personal opinion; I do not decide or communicate legal policy). Also, we're planning to eventually mandate this in all Android devices of a certain class.
From the Android Pie Compliance Definition Document, emphasis mine:
[C-SR] are STRONGLY RECOMMENDED to provide insider attack resistance (IAR), which means that an insider with access to firmware signing keys cannot produce firmware that causes the StrongBox to leak secrets, to bypass functional security requirements or otherwise enable access to sensitive user data. The recommended way to implement IAR is to allow firmware updates only when the primary user password is provided via the IAuthSecret HAL. IAR will likely become a requirement in a future release.
Of course, this only affects data stored on Android devices. User data that is shared with Google through the use of Google's apps and services, is obviously available to Google in plaintext, else it couldn't be used to provide said services, and couldn't be used for ad targeting which in many cases is the "fee" for those services. Not without major breakthroughs in homomorphic encryption, anyway. That data is subject to normal warrants and subpoenas, of course, no need for this decryption law. However, warrants and subpoenas are also subject to judicial oversight and court challenges, and the legal team can redact and filter the provided data to narrow it to just what the court actually requires.
-
Yes. But not always intentionally.
-
BuzzFeed News Teaching Google About Online Fraud
You can't be 'Internet Awesome', Google tells children on their 'Certificates of Internet Awesomeness', unless 'You know how to tell the difference between the real and the fake.' By that standard, Google itself is not 'Internet Awesome.' From Tuesday's Google Online Security Blog post: "Last week, BuzzFeed News provided us with information that helped us identify new aspects of an ad fraud operation across apps and websites that were monetizing with numerous ad platforms, including Google. While our internal systems had previously caught and blocked violating websites from our ad network, in the past week we also removed apps involved in the ad fraud scheme so they can no longer monetize with Google. Further, we have blacklisted additional apps and websites that are outside of our ad network, to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic. We are continuing to monitor this operation and will continue to take action if we find any additional invalid traffic. While our analysis of the operation is ongoing, we estimate that the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10 million."
-
Par for the course...
This isn't some new behavior for Google - just an expansion of an already existing program. Google has been collecting your off-line purchases for years now. They're boasting about it, too.
Here's a relevant quote:
...even if your business doesn't have a large loyalty program, you can still measure store sales by taking advantage of Google's third-party partnerships, which capture approximately 70% of credit and debit card transactions in the United States.
So, more than two thirds of your non on-line purchases are tracked by Google and sold to all and sundry.
Of course, as a simple citizen, you get no option or recourse. Even if you haven't ever signed on with Google, even if you aren't using any of their properties, or if you tried to opt out of everything, you still can't escape their stalking. Every breath you take, every move you make, they'll be watching you.
-
Re:What happened to V8?
-
Your basic premise is wrong.
I work for Google Search. We launch multiple new features daily. Thing is, you don't necessarily see them all.
Some changes affect ranking; improving the algorithm, bringing you even better results, coping with misbehaving websites, and more. You won't see any UI changes here, but the search results get better. This could affect all of search (rare, but happens), or queries of a specific domain (e.g., queries about music), or a specific subset of results (e.g., sites that don't use https).
Some changes affect performance. A change that shaves a dozen milliseconds off the result page's load-time isn't something you'll notice, but in aggregate, these make Google Search better. Again, some of these optimizations apply to all searches, some to subclasses of searches, or to some devices only.
Some changes make our direct answers better. You're probably familiar with Google's calculator, for example; how many people would note if it suddenly starts answering queries involving a few more units, or different ways of asking about math? Google also provides answers about sports, weather, stock quotes, movie showtimes, and more. A new feature could involve better weather predictions, or supporting new leagues worldwide, or having fresher results. (If you're following the soccer World Cup, try searching for that on Google.)
Some changes involve only specific languages, or specific platforms (only desktop, or only mobile, or only iOS, ...). Some changes are experimental, and are removed after a while if they don't prove popular with users, or ephemeral, and are removed after a while because they're no longer relevant.
In short... to say that Google rolls out few and far between updates is somewhat inaccurate, and I'm sure the same is true for all the other websites you mention in your question.
[I work for Google but this response represents only my personal opinion and is not official in any way or manner.]
-
Re:pivot language?
I'm not sure to what extent it relates to the specific offline translation modules in the translate app, but a while back the Google Research blog had a post on multi-lingual machine translation models (and that let them do translation between two languages for which they didn't have direct translation training corpus). So at least in that case, there is just a single translation model rather than separate input and output models that go to and from an IR.
-
So....F U Proxies and Internal CAs.
This policy of users trump device owners is BS. I'm surprised Google just hasn't mandated that all sites must be signed by their CA to be included in their search results and to work in Chrome / Android.
Their engineers care only about one thing: Making sure that the data Google receives is track-able and sell-able to advertisers. They could care less about the end user's security. If they did care about the end user's security, they wouldn't make stupid changes like not trusting end-user / admin installed CA certs by default. Since when does removing / forbidding the user's input on trust somehow boost their security?!?!?
Nevermind the fact that most won't even know what the log represents or how to interpret it, but with the big flashy graphics and error messages, IT departments everywhere will be getting complaints, and further questions of "are you snooping on me?" even if they aren't, or if they are snooping, they'll get burned at the stake without the idiots realizing "If you want privacy, don't involve others, including their devices." It's simple. Do your banking / shopping / porn surfing at home if you don't want your boss finding out about it. If you do it at work, then you have no right to complain when they find out about it.
-
Re:Big data backup
We know GMail at least used to keep offline backups because they've had to restore from backups before.
-
Re:It's e-mail, it's never going to be 'secure'
SPF is widespread and DKIM is pretty prevalent (at least in Linux ecosystem). Google stats show adoption to be quite high.
whitehouse.gov has an SPF record:
v=spf1 +mx include:spf.mandrillapp.com ip4:214.3.140.16/32 ip4:214.3.140.255/32 ip4:214.3.115.12/32 ip4:214.3.115.10/32 ip4:214.3.115.225/32 ip4:214.3.115.14/32 ip4:214.3.140.22/32 ~all
-so only email servers that don't check SPF would accept your fake email, which isn't as many as one would think.
-
Re:A UTF8 processing failure?
Android sucks for patching because it's all up to the vendors who don't care about old machines - they want you to buy a new device.
However Apple sucks too - they force everyone to the latest version to get patches, and that version may run so slowly that you need to buy a new device.
Actually Google have a clever idea called Project Treble to solve the update problem
https://android-developers.goo...
The idea is that there's a stable vendor interface to the low level parts so the stuff above that can be swapped out. Bad news is that it will only be in Android O and later. So it won't do anything to fix all the ageing Android devices out there as they slip out of vendor's support window.
-
Yes, because...
User accounts are not something unique to GitHub, and I would expect any service that lets you pick usernames to allow reuse, otherwise eventually you are left with random letters and numbers as users move on.
12 best practices for user account, authorization and password management
https://cloudplatform.googlebl...
-
Re:Mobile sites suck- why not a mobile search page
Also direct from Google showing that this is not for non-mobile devices:
Although speed has been used in ranking for some time, that signal was focused on desktop searches. Today we’re announcing that starting in July 2018, page speed will be a ranking factor for mobile searches.
-
Technical Details
Link to technical details for those that want it: https://security.googleblog.co...
-
Re:Just Wait A Week
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
Crossing privilege boundaries appears to be an issue for only Intel chips. And as you can see here, Google says that they "are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices"
-
Re:Can we pause the Panic Parade, please?
Scripts are only one of the many, many types of files that your browser must parse with perfection.
Ehhhhhh. To take advantage of this vulnerability, an attacker first must be able to run malicious code on the targeted system.
Again, if I'm not clicking ads and opening strange files, I'm really only worried about privilege escalation (Like Intel Management Engine :-/ )
-
Re:Can we pause the Panic Parade, please?
From Google's post: "Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host."
Source: http://security.googleblog.com...
So yes, for the average home user, no big deal. For anyone running something on a cloud provider, bigger deal that the host gets patched.
-
Re:Huh?
I thought that Gmail, the web application and the mobile application, use a proxy for image delivery: https://gmail.googleblog.com/2... Please correct me if I am wrong.
From the twenty seconds I spent researching this, it looks like companies that do e-mail tracking tell that Apple devices are the ones getting like 45% of the e-mails - just check https://emailclientmarketshare... . I find this number a little bit too high and probably biased, so let us forget about these companies. Anyhow, there are better ways to track your future ex. Like breaching into Facebook, using WhatsApp or diving into Google location history.
-
No, not quite that "simple" a problem
No school today...because the vendor pushed out an untested update again.
Let me help you, as it appears you didn't do 30 seconds of Googling to help yourself. Chrome OS is heavily beta tested, and is built upon Chromium OS, which it itself is heavily beta tested. As a Google admin for a public K-12 school (~1200 Chromebooks), I have the option of assigning all my Chrome devices into one of three categories of development. Google "recommends" I activate a policy that will randomly assign 5% of all devices to a beta channel* to assist them with testing and development, though our district chooses to use stable-only software.
Occasionally, a serious bug actually does make it through to a stable, but if it is found, Google has been incredibly quick to prioritize its fix and release an update. It's only when there's a doozie like this where suddenly everyone starts the finger-shaming.
* The first time I turned this on, the very next day, we had about five Chromebooks all come into our office. Every one of them had Chrome crashing randomly, usually within about 30 seconds of it opening up. All had the exact same version of Chrome on it, v.51 I think, when every other one of our Chromebooks had v.50 or below. The only way we were able to fix them was to use a CrOS repair drive utility to reinstall CrOS with a previous version. When I saw that other Chromebooks that had v.50 couldn't be upgraded to v.51, I reasoned that these were the beta tested Chromebooks. I turned that feature back off, but I still saw a few more Chromebooks trickle into my office over the next few days that also "got lucky". After that, never again.
-
Re:Firefox removes a CA while Google removes PKP
Google invented a technology that does everything HPKP did, and also handles key rotations, allows you to monitor for someone else issuing keys in your name, doesn't have the "HPKP ransom" vulnerability and actually scales well. You should read about certificate transparency and the Expect-CT header.
It's really gauche to accuse Google of doing anti-security things when they're single-handedly advancing the state of the art and have caught state actors breaking PKI. In fact that's the incident which led Google to invent HPKP in the first place, and they knew the problems with it at the time which is why they then went on to invent certificate transparency to replace it.
-
Re:Confirmed: Jack Ma is a lucky moron
> Chess is a deterministic problem as most games are, I never believed computers wouldn't ever be better than humans.
Right, but you probably grew up in an age where computers were already better at chess than humans. Before they were better, Kasparov (the chess grand master), was famous for saying that computers would never beat humans because "Chess is a unique cognitive nexus, a place where art and science come together in the human mind and are then refined and improved by experience.".
> I'd be willing to bet (tooth picks) that playing poker with AI would not be as deterministic, that the humans would win at least some times
Poker was, until very recently, "unsolved" with regard to AI. Only in the last couple of years has AI bested poker experts. Again, people said it couldn't be done, and now it's done. The best heads up texas no limit poker players are now AI. No, they don't win every hand, what they do is beat human experts statistically and consistently over many hands. It is extremely unlikely humans will ever be able to take back the position of best poker player, just as it is unlikely that anyone will ever again beat computers at chess.
> In short, some things can be learned and trained, but throw a poker playing computer into a game of Gin Rummy would not garner very many wins
We don't do it yet, but again, there is no reason why we can't reuse the same AI to play multiple card games. Furthermore, with enough advances there is no reason a more generalised AI won't be able to pick up new games simply by reading the rules and a bit of practice (internally, against itself). Think of it as changing the goal posts from building an AI to play poker, to building an AI to play cards in general. We're definitely on the path to something as 'simple' as that to being feasible in the next few years.
Your arguments are as simple minded as Kasparov's... just because it hasn't been done yet is no reason to believe it won't be done (and soon I bet!).
I actually think the next big step in AI is training the same neural network to perform very many and varied tasks, as opposed to training many and varied AIs each to do one task. Some form of multimodal AI. Then it will be able to apply cross domain knowledge, and do exactly what you are currently claiming it cannot do... including learning new games by simply being told the rules for it.
-
Re:Confirmed: Jack Ma is a lucky moron
As a counter example you should look into multimodal AI.
https://research.googleblog.co...
This machine has different types of inputs, and different types of outputs, and the same AI learns many different tasks as opposed to just one very narrow task.
Apparently this machine is capable of performing many different tasks at equivalent to where the state of the art was just five years ago. I don't believe it will take long for it to 'catch up'.
> Computers will be useful for specifically defined tasks, but they will neither recognize the boundaries of what they know or choose to stray outside their limits. They will always just respond as they have been programed to.
Now the real interesting thing about it is that in some cases it was able to use information it had learned from previous tasks in new tasks that it was given... and so was actually able to perform so called "zero shot learning"... it already knew enough about the world to perform well on tasks it had never been trained to do!
So, as AI evolves, I think that AI will be very capable at tasks outside of its original training.
-
I support
I support the authority of any government to lawfully query any company under its jurisdiction for as much data as it wants.
The ultimate problem here is that companies still control all your data. The long term solution is you should have a "my cloud" box in your basement. That's where your data lives, or at least the O(1) encryption keys for the O(n) amount of data you have elsewhere. In that situation government will need to request data from you directly if they want it.
There really is a strictly technical solution to these problems and we are getting closer every day to the solutions. https://security.googleblog.co...
-
Re:Let's Encrypt rate limit
C. Good luck getting your private CA's root certificate installed on the devices of non-technical friends and family visiting your home who just want to view the videos on your NAS in full screen. I'm not even sure it's possible on Android 7 "Nougat" and later, as each app has to opt into trusting user-installed certificates through the network security configuration in its package. If the user's web browser hasn't, too bad.
-
Re:What cert for .test?
I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package.
You are completely correct. So your two options are:
- As per your own link, add the CA to your app's config. If you're talking about your own apps then you already control those configuration files. If you're talking about other people's apps...
- Stop supporting Android Nougat and later devices.
-
Re: Maybe...?
Nothing is stopping you from self-signing a cert and then telling your browsers to trust it
Not even a change to how Android handles certificates?
-
Android apps distrust user-installed certs
As of Android 7 "Nougat", Android apps distrust Android's counterpart to /etc/ssl/certs by default. In addition, I haven't tested all major models of media player appliance that stream from a web server running on one's home NAS, but I imagine some have no user-editable counterpart to /etc/ssl/certs.
-
What cert for .test?
Then how does one obtain a certificate for a domain in .test and use it on all devices on a home LAN? I thought Android 7 "Nougat" and later didn't trust user-installed root certificates unless a particular app opts into trusting user-installed root certificates through the network security config file in the application's package. Chrome for Android appears to opt in, but Firefox for Android is untested. Using cleartext HTTP is not an option because more sensitive APIs are unavailable outside secure contexts.
-
Mad Gadget
The Mad Gadget vulnerability strikes again. https://opensource.googleblog....
-
Android Treble may finally help...
Android is currently more or less a disaster in terms of updates and security fixes. To people used to "apt-get upgrade" and "unattended-upgrades", the situation is laughable - you buy a phone and you know from the start you will get (maybe) one update to the next version of the OS - if you're lucky. After that, you're left in eternal limbo - an easy target for exploits and all sorts of malware.
Android Treble may finally help with this disaster - but for now, those of you that can, should try LineageOS.
-
Oreo makes "Unknown sources" per-app
Android 8 "Oreo" has moved "Install apps from unknown sources" from a system-wide setting to a finer-grained permission for each app. This means F-Droid users won't need to put the whole operating system's shields down anymore. So if you have Oreo, and you don't download from Google Play Store, and you "Uninstall updates/Disable" any carrier-installed crap that's not part of AOSP or other core functionality, then you sacrifice a few genres of apps but gain the theoretical safety of publicly auditable software that F-Droid's inclusion policy enables.
As for the install permission on Google Play Store, on the one hand, you'd want to leave it off to keep kids from installing crap. On the other hand, you'd want to leave it on to apply security updates to core OS components, such as Google Chrome and Gboard. But until Oreo gets delivered OTA, I don't know how to find out whether this setting would even work for Google Play Store.
-
Re:Enlightenment values
We've seen what they want to do either by changing the search results for politically contentious issues, effective shadow bans err "limited states" on youtube without breaking community guidelines, or outright deleted services with no reason of conservative voices. All the while training their AI to do it (see blog post). That isn't even mentioning the accusations that they manipulated searches to favor Clinton during the campaign.
It seems pretty clear what google wants to do for political thought. They want to isolate, disenfranchise, and ban political thought they don't like.
-
Re: And then Google says...
That "manifesto" was the most offensive document I've seen come out of Google.
So when youtube(google) decided to push a pro-censorship agenda, you didn't find that offensive? You're so thin skinned that words hurt your feelings, not words being spoken to your face. But words which have no vocal inflection what-so-ever hurt your feelings.
-
Re:Why mess with h.265
Believe me, customers will never notice the difference.
I don't believe you. YouTube already established that VP9 produces a measured difference for customers and viewers. Your perspective is narrow. You're not thinking globally.
-
Re:Server side optimization.
All of those still need encoding.
And YouTube encodes them all to their preferred bitrates and resolutions. It doesn't matter what format you upload to YouTube, it always re-encodes it. YouTube transcoded their catalog to VP9 to add VP9 support a few years ago.
-
Re:Why mess with h.265
Actually, my question is: why does an OS have to make that choice for people?
The same old usual, boring way: The OS maintainer says "Hey customers! We're including the libraries & paying the licensing so you can use [this codec]."
Apple has a pluggable system for codec support in QuickTime - if you want VPx, Theora, Opus -- get the plugin, and the codec works. It's not unlike adding a codec in GStreamer. That said, you can only install the codec plugin on a Mac.
For more special-purpose hardware (iOS and Apple TV), you can compile codec support into your app - VLC for iOS & tvOS includes VP9 and WebM support, for example.
I could perhaps see the point of Google choosing NOT to support a format in which you need pay royalties, but why would Apple NOT choose to support a free format in addition?
The fact that the format has zero cost to license does not make it gratis. Engineering hardware and software, QA, and providing tech support all cost money. The cost/benefit has got to work out.
You don't say explicitly, but I'm going to guess you're referring to VPx (VP8/WebM and VP9). There are two decent reasons I'd ignore WebM and VP9: Hardware and AV-1:
* Hardware: Battery life is much better when encode & decode is done in hardware. Apple designs its own chips, so supporting VP9 would mean they'd spend time & money to support VP9 in hardware. The cost/benefit has to work out for them.
* AV-1: Why bother with VP9 when 70-80% of all content uploaded to YouTube is in h.264, and ~0.4% is 4k or higher? The amount of native VP9 uploads is in the single digits, and h.264 is good enough. There's clearly time left in h.264's life to wait for AV-1 -- and skipping VP9 entirely.
-
Re:Why mess with h.265
Minor nitpick: HEVC doesn't have a single patent pool -- which is, of course, a big part of the problem.
The MPEG LA's license pool is one of them, but there are pools controlled by HEVC Advance, Technicolor, one from Velos Media...
So instead of one license body trying to shakedown customers, there are four -- and the price to license HEVC is at least 4x that of AVC. There's a reason HEVC has been around for four years and hasn't seen significant adoption... they've priced themselves out of the market.
I personally think Apple is adding support to HEVC because it's the ISO codec, it's available now, and a codec adopted for 4k Blu-ray, as well as a lot of the UHD video cameras -- Apple is clearly supporting their "pro" creative users. It makes sense to support HEVC across the board.
Roughly 80% of YouTube videos are uploaded in h.264, and the amount of 4k & 8k video uploaded hovers around 0.4%. It doesn't look like Apple has much to lose by ignoring VP9 entirely.
That said, I doubt anybody will ignore AV-1 (nor can they afford to).
-
Re:Why mess with h.265
I suspect Google will support h.265 in addition to their own codecs
No. They use VP9 on YouTube and have been for two years. They dropped support for 4K video in H.264 on YouTube a while back. YouTube will start encoding video with AV1 around six months after the bitstream is finalized.
H.265 is futureless for web video. Major streaming services are members of the Alliance for Open Media (Google, Netflix, Hulu, Amazon) because they want to use AV1 on their service. They recognize correctly that H.265's licensing mess makes it a poor option.
-
Re:One billion is not enough
I don't know about preexisting as in 'before youtube went up', as that is aeons ago. There are however agreements of some nature: c.f. https://youtube-creators.googl...
I *think* initially Youtube did the DMCA dodge of 'if you report it we take it down, until then we didn't know, we didn't do bad, we'll pull THAT upload'. Around the time google acquired it(?) they switched to the automated detecting and either 'royalties or yanked' method. Some groups don't offer the choice - video is taken down regardless. I know with japanese music groups there are lists of the ones that permit uploads and take the revenue from; while others seek to have your account banned if you try, no mercy. So does seem there are agreements with the artists...but that might be the RIAA's issue: maybe they aren't getting their 'fair share' for doing nothing.
-
Re:Sheesh. Welcome to the party, pal.
What's got me slightly pissed off is why the fuck these assholes all went "Nope, fuck off" to all of those in turn?
They didn't. VP9 is used, for example, by YouTube, Netflix, and Wikipedia. Watch a video on YouTube, right click on it and select "Stats for nerds". If your browser supports VP9 then chances are the video will be playing back in VP9.
AV1 is the successor to VP9.
-
The power of brute force
Fuzzing is essentially harnessing the power of our modern computational power in a brute force fashion, combined with the knowledge that many errors (especially crashes), by nature, can be leveraged into an exploit.
In my own scripting language project, I have two fuzz tests I perform - I first fuzz a set of source scripts, and in another test, I fuzz a set of compiled bytecode, which exercises both the lexer/parser and runtime interpreter phases. I didn't even bother with a library either, just a small routine that randomly swaps and corrupts source from the original. It's really amazing how simple something like that will catch so many bugs.
Honestly, I was implementing this just for the sake of robustness. No one but me is using the library yet, and it's just for local use in my game engine. But if you're connected to the internet in any way, there's really no excuse these days for not having a set of fuzzing tests you regularly run during your normal regression testing, and there are some great libraries available to help do this. You can even leverage Google's massive computational resources for testing for free (perhaps even get paid a small bounty) if your project is important enough, which OpenVPN certainly is. Hopefully the OpenVPN devs/maintainers take note of this and make this happen, and we'll all be more secure for it.
BTW, if you ever want to read about an incredibly comprehensive test and regression suite, check out SQLite's description of their testing methodology: https://www.sqlite.org/testing...
-
Re:Its the DNS system and the SSL racket
Every browser allows self-signed certificates.
I was under the impression that the developer of an application for Android 7 had to explicitly opt in to trusting user-installed root certificates. Does Chrome for Android 7 opt in?
What's the problem?
Even apart from the Chrome for Android 7 issue, it might not be so trivial to install your home NAS's private root certificate on laptops, tablets, and smartphones carried by friends and family visiting your LAN.
-
Dynamic DNS
I don't know that many people who have domains just for their own devices at home
...The manufacturer of such a device is expected to follow the following steps:
1. Register a domain for devices to use.
2. Submit this domain to Mozilla's Public Suffix List so that cookies and certificates from one device don't leak to others.
3. Issue a subdomain of this domain to each device.
4. Operate a dynamic DNS service so that devices can set their AAAA and TXT records.
The cost of steps 1 and 4 would be rolled into the price of each device.
Sure, it's technically possible, but it's also possible for the user to operate their own CA
It may not be possible for the user to configure a particular device to trust his own CA's root certificate. For example, under Android 7 "Nougat", an application will not trust user-added root certificates unless the application's developer has opted in, and there's no rule that all web browser developers must opt in. See "Changes to Trusted Certificate Authorities in Android Nougat" by Chad Brubaker
-
Re:HEVC and HEIF
HEVC is out now
VP9 is out now and has broader use than HEVC.
as well as software players like Microsoft and Apple
Microsoft supports VP9 in Edge.
VP9 has virtually zero mindshare outside the Googleplex
Netflix uses VP9. Wikipedia uses VP9. And, of course, even though it's inside the Googleplex it's difficult to ignore that YouTube uses VP9. YouTube no longer offers 4K video to Safari by default due to Safari's lack of VP9 support.
set top boxes, etc. that support VP9
Roku has VP9 support, Chromecast Ultra has VP9 support, Android phones have VP9 support, etc, etc.
AV1, on the other hand, looks very compelling... it actually has broad industry support, from big players like Microsoft, Cisco, Netflix, Google, all the way down to silicon makers like Broadcom, Xilinx, RealTek, ARM, AMD, and NVIDIA.
Right. Just like VP9. When will Apple add VP9 support?
It's disingenuous to complain that Apple isn't going to include AV1 when it isn't - and won't be - ready before High Sierra.
Show me where I complained that AV1 won't be in High Sierra. Quote me. Maybe re-read what I wrote.
In the meantime, let's acknowledge that Apple hasn't joined the Alliance for Open Media. When will Apple join?