Before the introduction of specific protection for privacy, like all Posix-compliant operating systems, macOS had just a standard system of privileges and permissions, augmented by ACLs. Although proven in terms of security, they are too coarse to be used to protect different classes of information within the same level of privilege.

When you run an app, it naturally runs with your full user’s privileges, and has access to everything according to the permissions set on folders and files. Just as you want your privileges to give the Finder and your mail client access to all your emails and their enclosures, all other apps that you run enjoy those same privileges. But would you also want a third-party note-taking or photo-editing app to have that same level of access, even without your knowledge? Similarly, while you want FaceTime to have access to your Mac’s camera and microphone, would you be happy for any other app to access them without your being asked?

Although robust security provides a foundation for the protection of privacy, they are quite different. Your FileVault and user passwords must be protected by good security, but entries in your address book and calendar aren’t the same, and primarily a concern for privacy protection.

Consent and intent

Privacy centres on controlling access to information and devices that provide it, and there are two approaches used to give you that control, your consent and your intent. These are used throughout privacy protection in macOS.

For an app to gain access to images from your Mac’s built-in camera, the app has to ask to use it, and macOS then has to ask you to give your consent to that request. Although that may seem tedious and even pointless at times, the decision remains yours and not the app’s or that of macOS. If the whole purpose of an app is to provide web conferencing, then its consent dialog may seem pointless: after all, what’s the point of opening the app if it can’t have access to your camera? But you’ll sometimes be surprised at which apps do want camera access.

Protected folders are different. You might want almost any app to save a document you’ve been editing in your ~/Documents folder or on a removable volume. So when you use the File Save dialog, you expect macOS to give the app that ability, by expressing your intent. Apps may access files in other ways, in which your intent isn’t expressed: a search tool might want to look in all the files in your ~/Documents folder, but you can’t express your intent for every one, so for that macOS may ask for your consent instead.

Command tools and helpers

Expressing intent and obtaining consent are proven methods that work for apps with a human interface. Code is run in many other ways that don’t present any interface to the user. This applies to command tools, helper apps, and similar. To apply the same principles there relies on another fundamental concept in privacy protection, the attribution chain. Although you won’t normally encounter this in the GUI, if you ever need to understand how protection works, and if you have to resort to looking at logs, you’ll find it essential.

Let’s say I have an app that builds an index of files containing references to keywords, and does so using a command tool keyindexer. For that command tool to access files in my Documents folder, it can’t rely on intent for each one, so must seek consent. As it has no interface, the only way that can be obtained is through its parent app, through the attribution chain. If I were to run that same command from Terminal, then the Terminal app would be its parent, found by macOS using its attribution chain, and that’s why many prefer to give Terminal Full Disk Access.

Universal, not extensible, permanent

One of the more common complaints about privacy protection is that it’s universal. You as a user may not keep anything private in your Documents folder, but there’s no opt-out that lets you remove that from protection. That ensures that all apps are written on the assumption that ~/Documents is a protected folder, and ensures that hostile software can’t remove protection from any folder.

Unlike permissions, you can’t extend privacy protections to other locations or features. Although that could be attractive, privacy protection is complicated enough to negotiate without it being applied to almost anything you might fancy.

Until recently, when you gave consent for an app to have access to protected locations or features, that was set until you changed it. macOS 15 Sequoia has changed that, in that you’re now reminded periodically if you have given screen recording consent for an app. This has proved problematic, with many criticisms and persistent bugs.

Informative texts and entitlements

Depending on the privacy protection, Apple can apply restrictions as to which apps can request the user for consent to access a protected resource. This is implemented in two ways: a requirement for the app to provide in its Info.plist the text to be shown to the user in the consent dialog, and an entitlement to access the protected resource that is baked into the app’s signature.

Those are far from universal across all protections, but can be inspected in the app using Apparency for verification purposes.

Apple’s reference lists

Info.plist keys
Entitlements

Articles in this series

Protected folders and places
Protected devices
Protection of location information
Protection of network devices, automation, and others

Appendix: Protection and lists

For macOS 15.3.1 Sequoia, protected resources are as follows.

Protected locations:

• ~/Desktop
• ~/Documents
• ~/Downloads
• iCloud Drive
• Third-party cloud storage
• Removable volumes
• Network volumes via local network devices
• Time Machine backups.

Protected data:

• Calendars
• Contacts
• HomeKit
• Media & Apple Music
• Photos
• Reminders
• Focus
• Motion & Fitness.

Protected devices:

• Bluetooth
• Camera
• Input Monitoring, of mouse, trackpad, keyboard
• Local Network devices
• Microphone
• Screen & System Audio Recording
• Speech Recognition.

Protected features:

• Passkeys Access for web browsers
• Accessibility, control over the Mac
• App Management, to update or delete other apps
• Automation, control other apps, giving access to their data and documents
• Developer Tools, to run software that doesn’t meet macOS security rules
• Remote Desktop.

Possible list arguments for tccutil:

• Accessibility
• AddressBook
• All
• AppleEvents
• AudioCapture
• BluetoothAlways
• BluetoothPeripheral
• BluetoothWhileInUse
• Calendar
• Camera
• ContactsFull
• ContactsLimited
• DeveloperTool
• FileProviderDomain
• FileProviderPresence
• FinancialData
• FocusStatus
• KeyboardNetwork
• MediaLibrary
• Microphone
• Motion
• Photos
• PostEvent
• Reminders
• RemoteDesktop
• ScreenCapture
• SpeechRecognition
• SystemPolicyAllFiles
• SystemPolicyAppData
• SystemPolicyDesktopFolder
• SystemPolicyDeveloperFiles
• SystemPolicyDocumentsFolder
• SystemPolicyDownloadsFolder
• SystemPolicyNetworkVolumes
• SystemPolicyRemovableVolumes
• WebBrowserPublicKeyCredential

for use in
tccutil reset [list] [appID]
where [list] is one of the lists above, and the optional [appID] is the identifier of the app whose privacy settings are to be removed.

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5290. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds a single new Yara rule for MACOS.SLEEPYSTEGOSAURUS.SYM.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5290.

Sequoia systems only

This update has just been released for Sequoia via iCloud. If you want to check that manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5290 but your Mac still reports an older version is installed, you can force the update using
sudo xprotect update

Hurrah!

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

Updated 1840 GMT 11 March 2025, announcing iCloud release!

Apple has just released an update for macOS Sequoia bringing it to version 15.3.2. There are also Safari updates available for Sonoma and Ventura.

The update for Apple silicon is about 1.45 GB in size, while that for Intel Macs is around 600 MB.

Security release notes are already available, and list a single WebKit vulnerability, that Apple states is a supplementary fix for an attack that was blocked in iOS 17.2, and in iOS had been exploited before it was fixed in iOS 17.2.

Updated with Safari info, 1930 GMT 11 March 2025.

Facial expressions are a rich source of information about our emotions, state of mind, and when we are in pain. While heroes always grin and bear it, and sometimes the most unlikely person appears remarkably stoical, the grimace of pain is an important feature in some narrative paintings. In some this has become so uniform as to become a stereotype.

In Caravaggio’s Judith Beheading Holofernes from about 1598-9, he tells most of this story in facial expressions alone. Judith’s combines anxiety with repulsion, revealing her ambivalence in killing her victim, while the expression of her aged maid is even stronger in its grim determination. Holofernes’ face is grimaced in shocked agony, just as death is freezing it in place, and his arms show a futile effort to press himself up from his bed. The artist is believed to have used a Roman courtesan, Fillide Melandroni, as the model, and to have recalled what he had seen earlier at the public execution of Beatrice Cenci.

Jacob Jordaens’ Prometheus Bound from about 1640, features an almost identical expression on the face of Prometheus as an eagle feeds from his liver.

Later rottenpockets in Dante’s Inferno contain thieves, those who gave fraudulent counsel, those who sowed discord, and falsifiers and imposters of various kinds. In Joseph Anton Koch’s fresco in the Casa Massimo, Rome, thieves are attacked repeatedly by snakes and grimace in their agony.

This expression continued well into nineteenth century history painting, in Jules-Élie Delaunay’s Ixion Plunged into Hades from 1876. This shows Ixion writhing in agony in the Underworld, as he is bound to a wheel by snakes, his expression still conforming to Caravaggio’s Holofernes.

In Arnold Böcklin’s puzzling painting from 1898, Nessus the centaur is far from part-human, and Deianeira isn’t the beauty she was claimed to be. As those two wrestle grimly, Hercules has stolen up behind them, and is busy pushing a spear into Nessus’ bulging belly. Blood pours from the wound, and the centaur’s face has the same open mouth grimace of pain, now a full three centuries since Caravaggio.

Some still found scope for more studied and original expressions of pain.

Rembrandt’s early painting of The Operation, from his late teens in 1624-25, shows a barber-surgeon and his assistant performing surgery on the side of a man’s head. This is most likely to have been the lancing of a boil or removal of a tumour from the scalp or pinna of the ear. In the absence of any form of anaesthesia, this visibly resulted in considerable pain for the long-suffering patient, whose eyes and mouth are closed, and his arms are tensed with fists clenched.

Jan Steen’s The Village School (c 1665) shows physical punishment in a contemporary school. The child at the right holds out a hand for teacher to strike it with a wooden spoon, as he is already wiping tears from his eyes. A girl in the middle of the canvas is grimacing in sympathy.

I finish with two animal curiosities.

A Courtesan Pulling the Ear of a Cat, Allegory of the Sense of Touch was painted in Jan van Bijlert’s workshop around 1625-70, and is clearly composed on the theme of touch. A florid courtesan plays with her cat, pulling its ear, resulting in its grimace of pain and anger.

Exhibited at the Paris Salon of 1878, August Friedrich Schenk’s Anguish, painted in 1876-78, shows a ewe lamenting the death of her lamb in the snow, as a thoroughly menacing murder of crows assembles around the defiant mother. Although the ewe’s face isn’t contorted, her open mouth and visible breath cries pain and anguish.

Since XProtect Remediator (XPR) went live during the summer of 2022, it has run daily sets of checks for known malware in macOS Catalina and later using its scanning modules. Those have been sufficiently regular and reliable that some of my apps, including Skint and SilentKnight, check that they’re occurring and report normal and healthy results. Just over a month ago, I provided a detailed account of XPR’s different types of scan, and how they are scheduled and dispatched in XPR version 149. Last week in XPR version 151, Apple changed all that, and Skint, SilentKnight and XProCheck may now show few scans and frequent warnings.

As Apple has never provided anything other than the vaguest of information about XPR, I have no idea whether this is the new normal, or the result of bugs. As XPR scans now vary greatly between different Macs, and run least on those with large numbers of Time Machine backups accessible, I’m inclined to suspect at least some of this is unintended behaviour.

XPR scans

There are still three types of timed scan:

• a fast scan, com.apple.XProtect.PluginService.agent.fast.scan, performed at intervals of 6 hours (21600 seconds), and run when on battery;
• a standard scan, com.apple.XProtect.PluginService.agent.scan, performed at intervals of 24 hours (86400 seconds), but not run when on battery;
• a slow scan, com.apple.XProtect.PluginService.agent.slow.scan, performed at intervals of 7 days (604800 seconds), but not run when on battery.

In the standard scan, each of the scanning modules is run in turn, once using the agent version running as the current user, normally 501, and once using the daemon version as root, user 0.

Fast scans do run every six hours, but don’t currently include any of the scanning modules, so leave little trace in the log. They are also run soon after starting up and logging in as a user, where they’re referred to as a startup scan when run as root, and a login scan when run as the current user, usually 501.

As a slow scan is only run once a week, I still haven’t been able to observe one.

With XPR version 151 installed, you’re likely to see the following sets of scans after user login:

• Paired startup and login scans, no scanning modules used, taking about 46 seconds for root and 9 seconds for user 501.
• Timed low priority scans as root and user, using just the Eicar scanning module, and taking about 2 and 1 seconds respectively.
• Timed standard scans as root and user using all the scanning modules, and taking around 175 seconds for root, and up to 600 seconds as user. These may be cancelled by the XP Timer firing, which kills the current scanning module and terminates that set of scans, leaving them incomplete.

Thereafter, every six hours a fresh fast scan is performed, and every 24 hours a standard scan is attempted, although the latter may be terminated without completing any scanning modules at all.

XP Timer termination

At varying times after the start of a standard scan running its sequence of scanning modules, they may be interrupted by the firing of the XP Timer, and you’ll see a sequence of entries in the log describing how that not only kills the current scanning module, but terminates the whole of that set of scans:
16.438 com.apple.XProtectFramework 34294 XP Timer fired, killing activity
16.438 com.apple.XProtectFramework 34784 Received SIGTERM, canceling running plugins then exiting
16.439 XProtectRemediatorAdload Cancellation handler called for reason: Dispatch recieved SIGTERM
16.442 XProtectRemediatorAdload {"caused_by"[], "execution_duration":0.0002809762954711914, "status_message":"PluginCanceled", "status_code":30}

It’s that status_message and status_code that is detected by XProCheck, SilentKnight and Skint, and reported there as a warning.

16.450 com.apple.XProtectFramework Finished system scan, ran as 501
16.451 com.apple.duetactivityscheduler COMPLETED <_DASActivity: "501:com.apple.XProtect.PluginService.agent.scan:BD32B7", Utility, 60s, [09/03/2025, 07:39:13 - 10/03/2025, 07:39:13], Started at 09/03/2025, 19:52:35, Group: com.apple.dasd.default, Intensive: CPU Disk, PID: 2254>
16.453 com.apple.xpc.activity Rescheduling: com.apple.XProtect.PluginService.agent.scan (0x653344140)
16.457 com.apple.duetactivityscheduler Completed <private>, ran for 9.7 mins, total runtime 9.7 mins

The next daily standard set of scans are then submitted to DAS for rescheduling, to be run in about 24 hours:
16.465 com.apple.duetactivityscheduler Submitted: 501:com.apple.XProtect.PluginService.agent.scan:15B497 at priority 30 with interval 86400 (Mon Mar 10 07:52:34 2025 - Tue Mar 11 07:39:13 2025)

Although referred to as the XP Timer, times when it will fire range widely, from a few seconds to nearly ten minutes, and there’s no indication of how that is determined.

Effects

XPR checks now differ greatly between Macs. Most basic systems running from their internal SSD with a minimum of external storage, with just a modest set of Time Machine backups, still appear to complete standard scans normally, as they did in previous versions of XPR.

Macs with multiple external disks and long series of Time Machine backups may now complete few if any standard scans. Instead, most or all of them are terminated prematurely by the XP Timer, so triggering warnings in XProCheck, SilentKnight and Skint.

If you wish to run a set of XPR scans manually, then you still can, either in XProCheck or by running the XProtect app yourself. Those are run as the current user, not as root, but may be sufficient to restore your confidence in XPR’s protection.

This leaves me with a dilemma: should those apps suppress those warnings and tell you that everything is fine with XPR’s checks, or should they continue to report them? Given all the problems with XProtect updates in Sequoia, would it be simplest just to abandon my attempts to check anything in macOS security? Are these bugs, and should they be reported to Apple, or is this the new normal we have to look forward to for the future?

Ovid has raced through the destruction of Troy and its nobility, including the death of Priam, the herding together of the Trojan women to be taken as trophies, and the vicious murder of Astyanax.

As the Greek ships prepare to depart, Priam’s widow Hecuba is the last to board. Her youngest son Polydorus has been secretly in the care of King Polymestor in Thrace, who was paid a great sum to protect him. With Troy destroyed and that source of income lost, Polymestor slit the child’s throat and threw his body into the sea.

The Greek fleet shelters off the coast of Thrace, again waiting for favourable winds. While there, the ghost of Achilles appears and demands the sacrifice of Hecuba’s daughter Polyxena in appeasement.

As with Iphigenia’s sacrifice a decade earlier, it’s now the turn of Hecuba’s daughter to be sacrificed to secure good weather. Polyxena is taken from the arms of her mother and put before the altar where Neoptolemus, son of Achilles, stands ready with his knife. Polyxena pleads eloquently for her body to be given to her mother without a ransom, a speech bringing even the priest to tears. Nevertheless, he thrusts the knife into her breast, and she falls to her knees, still resolute, but dead. The Trojan women mourn her and care for her body, so her mother can embrace her in final farewell. Hecuba then responds in a long speech of lament.

Merry-Joseph Blondel’s fine painting of Hecuba and Polyxena, from after 1814, is superb in its treatment of fabrics, but more puzzling in its narrative. Hecuba, the older woman, appears to have fainted, presumably at the announcement of Polyxena’s imminent sacrifice, with her daughter kneeling at her feet.

Several paintings show the sacrifice of Polyxena, of which Charles Le Brun’s from 1647 is arguably the finest, and in superb condition. Polyxena is being led to the altar as Hecuba tries to hold her back. Behind Polyxena is the same Neoptolemus who threw Astyanax to his death, threatening to kill her where she is.

Giovanni Francesco Romanelli’s The Sacrifice of Polyxena, from about the same time, shows the moment the priest is about to sink his knife into the woman’s breast. A young assistant, their head averted, kneels ready with a large bowl to catch the sacrificial blood.

Hecuba then walks down to the beach for a jar of seawater, and stumbles across the body of her son Polydorus. She is initially struck dumb, and freezes like a rock with the shock. As that subsides, her wrath grows. She makes her way to meet with Polymestor, on the pretext of wanting to show him some hidden gold. He immediately starts lying to her, so she flies at him, burying her fingers deep into his eyes to blind him. She is then stoned by Thracians, and is transformed into a dog, and that place is named Cynossema, the dog’s tomb.

The Vengeance of Hecuba is a magnificent Macao tapestry from the seventeenth century, showing Hecuba and three other women sealing Polymestor’s fate for his murder of Polydorus. Hecuba is poking his eyes out, as the others swing long wooden clubs at him.

Giuseppe Crespi probably painted his version of Hecuba kills Polymestor in the early eighteenth century. His skilful composition makes it a chilling but carefully implicit image, as a woman associate holds the king down, and Hecuba reaches up to remove his eyes. Crespi has minimised the amount of limb visible in the upper part of the painting, to keep the composition there clean and clear. He seems to have compensated for that in the legs of the lower half, made even more complex by deep shadow.

The goddess Aurora joins in the lament over the destruction of Troy. She had not only supported the Trojan cause, but her son Memnon had been killed by Achilles in combat. She is stricken with grief, and can’t bear to watch his cremation on the funeral pyre. She kneels before Jupiter and begs him that her dead son might be granted an honour. Jupiter agrees, and the smoke from Memnon’s pyre darkens the whole sky, as might have happened during a major volcanic eruption. That smoke is then transformed into a flock of birds, the Memnonides, in honour of Memnon.

Bernard Picart’s engraving from the early eighteenth century of Memnon, son of Eos and Tithonus shows a young warrior in Egypt, looking into Aurora’s dawn light. He may be sat on his own sarcophagus too.

The two colossi at Al Bairat near Luxor in Egypt were known in classical times, and became popular motifs for ‘orientalist’ artists in the nineteenth century, several of whom show them in dramatic lighting.

Gustav W. Seitz’s Egypt: the Statues of Memnon, seen here as a colour lithograph of his original watercolour, is highly atmospheric, and an excellent demonstration of the moon illusion.

The colours in Charles Vacher’s watercolour of The Statues of the Memnons (1864) are superb.

Finally, Albert Zimmermann’s oil painting of The Memnon Statues captures the heat haze, and a snake moving through the water.

I hope that you enjoyed Saturday’s Mac Riddles, episode 298. Here are my solutions to them.

1: Causing to act with a tress of hair stops the thief from using your Mac.

Click for a solution

Activation Lock

Causing to act (activation) with a tress of hair (a lock of hair) stops the thief from using your Mac (what it does).

2: Twice 250 validates your account with two pieces of evidence.

Click for a solution

2FA

Twice (2) 250 (FA in hexadecimal) validates your account (authentication) with two pieces of evidence (what Two-factor authentication does).

3: Complete safety measures set in recovery.

Click for a solution

Full Security

Complete (full) safety measures (security) set in recovery (it’s set in Startup Security Utility in Recovery mode).

The common factor

Click for a solution

They’re all requirements for the Find My service.

I look forward to your putting alternative cases.

So far in this series explaining how you can control access to potentially sensitive features and data in macOS, I have covered the following topics:

• Gaining access to privacy-protected folders,
• Managing privacy-protected devices,
• Managing access to location information.

This article rounds those off with a brief survey of other privacy controls, including an account of the newest of them all, over local network devices.

Additional privacy controls

There are several controls over specific classes of data, including

• Calendars
• Contacts
• HomeKit
• Media & Apple Music
• Photos
• Reminders
• Focus
• Motion & Fitness.

These are normally the preserve of specialist apps that are required to seek your explicit consent, and are controlled in their own entries in Privacy & Security settings. General access to their files can be given through Full Disk Access as well, where appropriate.

There’s a final group of controls whose purposes overlap more, and as a result may appear confusing:

• Passkeys Access for Web Browsers, required if you want a third-party browser to use passkeys for authentication.
• Accessibility, allowing control over your Mac, as in Automator and AppleScript. These can be added manually.
• App Management, allowing an app to update or delete other apps, which can be added manually.
• Automation, allowing control over other apps, so giving access to the data and documents within controlled apps, and to perform actions with them, but that doesn’t include Automator itself.
• Developer Tools, required to run software locally that doesn’t meet macOS security rules such as the requirement for notarization. This is primarily for developers, and can be added manually.
• Local Network, allowing access to network devices, as described below.
• Remote Desktop, allowing access to the contents of the screen.

As with other controls, these are all managed by TCC, and their individual lists can be cleared and reset using the command
tccutil reset [list]
where [list] is one of the following:

• Accessibility
• AddressBook (for the Contacts list)
• AppleEvents (for the Automation list)
• Calendar (note the singular, for the Calendars list)
• ContactsFull
• DeveloperTool
• FocusStatus
• MediaLibrary
• Motion
• Photos
• Reminders
• RemoteDesktop
• ScreenCapture

Local network privacy

This is one of the latest, introduced in macOS Sequoia. Although common to macOS, iOS, iPadOS and visionOS, it doesn’t work the same in each. It’s explained in TN3179 of 31 October 2024, and seems likely to evolve in the future.

Many apps access remote locations outside your local network; currently there are no privacy restrictions imposed on those, but code that accesses devices inside your local network, including your router, comes within the scope of this control. Some apps that work with devices on your local network do so using code that’s automatically given local network access because it’s a Launch Daemon or running with root privileges. Together with command line tools run in Terminal or over SSH, those aren’t controlled by TCC.

Regular apps and other code that attempt to access the local network will result in the user being asked to give their consent. While apps are invited to provide the text to be used in this dialog, in an NSLocalNetworkUsageDescription in their Info.plist, at the moment that isn’t enforced as a requirement, nor is there a required entitlement. You’re thus unable to verify whether an app should be expected to request access to local network devices.

This can apply to any app that tries to list other devices on the local network, whether over wired Ethernet or Wi-Fi. Those that also access Bluetooth will additionally request that, in a separate consent dialog.

Those who know Bryan Christianson’s excellent network utility WhatRoute may already have discovered that opening it for the first time in macOS Sequoia results in a privacy consent dialog. This might appear puzzling for an app that’s all about Internet connections, but as it does look at your router and can be used within your local network, macOS includes it within this new privacy category.

For the moment, Apple doesn’t appear to provide a service name that can be used with tccutil to reset its privacy settings, and disabling them in System Settings doesn’t remove them from the list. If you really need to reset that list, you’ll have to use
tccutil reset All [appID]
with the appID of each app that has already been given access.

Finally, because of the problems with network controls in early versions of macOS Sequoia, don’t rely on local network privacy in releases prior to 15.3.

Summary: local network privacy

• Sequoia introduces consent dialogs for access to devices on the local network, including routers, via Ethernet or Wi-Fi.
• This doesn’t apply to connections made to remote locations on the Internet.
• Launch Daemons, code running with root privileges and command tools in Terminal or via SSH aren’t affected.
• Access by other apps may result in a consent dialog, and an entry in Privacy & Security settings.
• Currently tccutil can’t reset all local network privacy settings in a single command.

In the first of this weekend’s two articles, I showed how the Valèncian artist Joaquín Sorolla painted the arduous lives of fishermen working from local beaches, during the 1890s. Although he had been taught by Ignacio Pinazo, who had probably depicted Malvarrosa Beach for the first time in 1887, Sorolla doesn’t appear to have started to paint such scenes for a few years into the twentieth century.

His large Afternoon Sun, Beaching the Boat (1903) is another scene of fishermen working hard with three teams of oxen to bring a fishing boat ashore, in the spirit of Return from Fishing, and there’s still not a well-dressed young lady in sight.

In 1905, he travelled south from València to paint another view of the rocky coast there, at Isla del Cap Marti, Jávea.

The White Boat, Jávea, with its skilful use of broken reflections and underwater views, came from the same summer campaign.

Then by 1908, fishermen and the hindquarters of oxen were replaced by After the Bath, again on the beach at València.

His Beach of València by Morning Light, again from 1908, shows mothers taking their children into the water on El Cabañal beach, València, with his favourite fishing boats in the background.

In 1909, he painted another of what had now become his signature works on the beach at València, Strolling Along the Seashore. Although novel to Sorolla, he may have been influenced by prior art, for example in the painting below from one of the Danish Impressionists who had gathered at Skagen in Denmark.

Just as French Impressionism was born on the beaches of northern France, so the movement spread around the world on its sand coasts, under the warm light of the sun. Danish Impressionists like Peder Severin Krøyer gathered to enjoy a Summer Evening on Skagen’s Southern Beach from 1893, one of a series of similar views painted by Krøyer on this remote strand at the northern tip of Jylland (Jutland), the northernmost part of Denmark.

Others had travelled south to the Midi to do the same. Théo van Rysselberghe’s Divisionist La Promenade (1901) captures the rich light of one of the beaches in the south of France.

Beach paintings had come of age at last.

Over the last nine years, few of my articles here have been about XProtect, other than those announcing its updates. Until September 2024 and the release of macOS 15 Sequoia. This is now the tenth article I have written about the problems brought by XProtect updates in Sequoia over those six months, when there have been just 13 updates. The result of the last, on 4 March, was that for two days afterwards, many Macs running Sequoia were still using its data from 26 February rather than that in the new version 5289.

This not only affects XProtect, but the other front-line tool in macOS to detect and remove malicious software, XProtect Remediator (XPR). Earlier this year, I reported that at least 17 of the 24 scanning modules in XPR now use Yara definitions provided by XProtect’s data. All those Macs still running the superseded version of XProtect would also have had XPR scans run using that old version of the Yara rules.

XPR is a recent addition to these tools, introduced just three years ago, but XProtect goes way back before Yosemite in 2014. Although there have been occasional brief glitches in delivery of its updates, they have almost invariably completed quickly and reliably, leaving very few Macs stuck with an outdated version 24 hours after an update.

I have now come to dread XProtect updates because of the problems we encounter, and the latest update to 5289 was a good example. There’s a flurry of comments and emails from those whose Macs had failed to complete the update, previously a rare exception. For XProtect 5287 on 5 February, for example, there were 33, including my responses. For version 2184 exactly a year earlier there’s not one comment about that XProtect update.

Sole documentation provided about XProtect’s updates in Sequoia is the man file for its command tool, xprotect, which refers only to updates provided via iCloud, and doesn’t explain how those delivered via the traditional mechanism in softwareupdate might be involved. Yet we know there is a relation: the latest update has still not been supplied via iCloud, not even four days later, but relied instead on XProtectUpdateService working with an update obtained via softwareupdate. Previously that could be invoked using the xprotect update command, but that no longer works, leaving users with two versions of XProtect data, of which the copy used by XProtect and XPR is the older.

Late last year, when xprotect update appeared to be working as expected, I decided that my app SilentKnight would need to use that command in order to download and install updates. As that requires elevated privileges, I have been looking at how to implement a privileged helper app to perform that. With the latest update, that approach would have failed until the version in iCloud had been brought up to date. Instead we’re now reduced to restarting our Macs and hoping that, some time in the next day or two, they might update.

There’s a further problem emerging with the updates of 4 March. Many users have noticed subsequent XPR scans being terminated before completion. Although in most cases that fault appears to go away in later scans, in some Macs it prematurely terminates every set of XPR scans, leaving several of its scanning modules unused.

For example, this iMac Pro has failed to scan using ten of its 24 modules. This occurs because XPR apparently runs a timer, and when a round of scans is deemed to be taking too long, that timer fires and brings XPR to an abrupt halt. Indications are this is most likely when there are many Time Machine backups accessible; as those are all immutable snapshots and haven’t changed since they were made months ago, this is strange behaviour, and hadn’t occurred prior to the updates of 4 March.

Six months ago, if anyone had told me that macOS security protection in Sequoia was going to become less reliable, I wouldn’t have believed them. The truth is that, for many, it now has. As things stand in 15.3.1, a Mac is now more likely to be using an out of date version of XProtect’s detection rules, and for XPR scans to detect and remove malware. And there’s nothing you can do about that until Apple returns to using an update mechanism that’s both timely and reliable. Is that really too much to expect of this front-line security protection?

Selected previous articles:

What is happening with XProtect updates?
XProtect tormentor
How XProtect has changed in macOS Sequoia
A simple guide to how XProtect installs and updates in Sequoia
XProtect has changed again in macOS Sequoia 15.2
What happened with XProtect?
What has happened to XProtect in Sequoia?

València in Spain is well known in art from the dozens of paintings of well-dressed young ladies on its beaches, made by Joaquín Sorolla during the early years of the twentieth century. This weekend I look at how his art evolved from his earlier works of social realism to reach the brightly lit beach.

Sorolla was born in València in 1863, and started learning to draw and paint at the age of nine. Among his teachers when he was studying in his home town was another Valèncian, Ignacio Pinazo Camarlench (1849-1916), who had developed a loose Impressionist style in 1874.

In 1887, shortly after Pinazo stopped teaching at the Academy, he painted one of the earliest depictions of Malvarrosa Beach, the most popular in València, a painting almost certainly seen by the young Sorolla.

Sorolla would also have seen and been influenced by the paintings of Francisco Pradilla (1848-1921) from Zaragoza, a history painter who had been Director of the Academy of Spain in Rome, and Enrique Simonet (1866-1927), another Valèncian.

Simonet must have painted his Málaga Beach at Dusk when he was back in Spain during a visit from his studies in Rome in 1889. It shows well his increasing attention to detail which was taking him away from his early Impressionist style.

By the 1890s, although working primarily in Madrid, Sorolla began to use the fishermen of València as a source of motifs. Early among those is this man Peeling Potatoes (1891) in one of the fishing boats hauled up just above the sea on the beach there. Relatively small and quite sketchy, this may have been a study he intended to develop into a larger more finished work.

Sorolla’s And They Still Say Fish is Expensive! from 1894 is set in the hold of one of the larger fishing vessels, amid spare tackle, a large barrel, and some of its catch. Two older men are attending to a youth, who appears to have been wounded, presumably as the result of an accident at sea. Around the boy’s neck is a pendant good-luck charm; he is stripped to the waist and pale, and one of the men is pressing a dressing against his abdomen. Lit from an open hatch at the top left, the painting has the immediacy of a photographic snapshot and looks documentary.

Sorolla’s title is incisive social comment about the values of a society that was happy to see young boys go to sea to fish, putting their lives at risk for those ashore to enjoy cheap seafood. This was painted during the summer of 1894, again in València, and went on to great acclaim in the Paris Salon the following year, where it was bought for the Museo del Prado in Madrid.

At the same time that he was painting that work, Sorolla was busy on his even larger Return from Fishing (1894), now one of the most visually impressive exhibits in the Musée d’Orsay in Paris, following its purchase for the French state from the Salon of 1895, where it won a gold medal. Romantic though this may appear today, it’s a carefully detailed account of the complex, strenuous, dangerous and above all primitive working conditions of the local fishermen of València, who still used teams of oxen to haul their boats up the beach.

Valencian Fishermen (1895) is perhaps a little more relaxed, and a far smaller essay on the work of the fishermen as they maintain their gear at the water’s edge.

Although known primarily for his portraits and figurative works, Sorolla painted some fine landscapes, which may have had a more personal significance. The Cape of San Antonio, Jávea from 1896 shows this part of the southern end of the Gulf of Valencia, here from Cap Marti to the south.

Sorolla’s best-known painting from this Naturalist period is his large Sad Inheritance (1899), which won him the Grand Prix and medal of honour at the 1900 Exposition Universelle in Paris, and a medal in Madrid the following year. As ever, its apparent spontaneity is deceptive: this is one of his most carefully prepared paintings.

It shows a group of young boys from a local charitable hospital enjoying a visit to the sea in the care of a lone priest, and celebrates the mission of the Hospitaller Order of St John of God, who had built the hospital in 1892 at the end of Malvarrosa Beach (Platja de la Malva-rosa). Sorolla later said that he had witnessed this scene one evening in a remote corner of the beach, and once he had been given permission to paint the boys, he made an initial oil sketch from memory.

Although Sad Inheritance was Sorolla’s last large Naturalist painting, he continued to create works in similar style. Lunch on the Boat, painted the previous year, shows a group of Valèncian men and boys eating an improvised lunch under the awning on their fishing boat.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Causing to act with a tress of hair stops the thief from using your Mac.

2: Twice 250 validates your account with two pieces of evidence.

3: Complete safety measures set in recovery.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Early versions of classic Mac OS didn’t offer a lot of choice in terms of settings, and those that did were often implemented in their own tools as printers and networking were in the Chooser. Separate Control Panels came of age with System 7 in 1991, where they became applets accessible from Apple Menu Options. Originally, most were implemented as cdev code resources, but by the time of Mac OS 9 many had become full-blown apps.

Mac OS 9: Control Panels

The Energy Saver control panel offered three separate settings for sleep, each with its own slider: for putting your whole Mac to sleep, including its CPU, and optional separate controls for the display and hard disk(s).

In those days, virtual memory was controlled by the user in the Memory control panel, and RAM disks were popular among those Macs with ample physical memory.

Internet access and app settings were largely configured in a dedicated control panel, among the more complex in classic Mac OS. Details entered here, particularly for incoming and outgoing mail, applied to all compliant apps.

Mac OS X 10.0: System Prefs

By the end of classic Mac OS, there were 32 control panels, from the original Apple Menu Options to Web Sharing. Reproviding similar support in the first version of Mac OS X came in System Prefs, before its name was expanded to System Preferences a little later. These stepped away from being apps, and became the modernised equivalent of cdevs, using the NSPreferencePane API from Mac OS X 10.1 in 2001, and are assembled into bundles. Those have survived to the present, through System Preferences to the current System Settings.

Unlike control panels, System Prefs constrained all its panes to a fixed size, leading to deep and labyrinthine interfaces.

The QuickTime preference pane from 2002 illustrates how complicated these became.

In 2001, the Network pane was still used to configure AppleTalk, as supported by Apple’s own printers, the last of which had been discontinued in 1999. This also shows how individual panes had to cross-reference others, making navigation messy.

Individual views often contained remarkably few settings, here just five popup menus.

Mac OS X: System Preferences

At some time after 2002, System Prefs was expanded in name to System Preferences in a redesign, although its panes remained fixed in size.

QuickTime’s pane changed remarkably little in Mac OS X 10.3 Panther (2003).

In Mac OS X 10.4 Tiger (2005), the customisable favourites bar at the top was replaced by a navigation bar with search. Accessibility had been introduced as Universal Access, and in Mac OS X 10.8 Mountain Lion of 2012 it was revamped under its current name. The following screenshots show examples from around OS X 10.11 El Capitan in 2015.

The most visually impressive of all these panes was that for the Trackpad, containing embedded video clips demonstrating each gesture. These came at a cost, though: the pane was almost 100 MB in size as a result.

Bucking the trend to increasingly complex detail, Energy Saver in El Capitan was stripped down from its three separate sliders of Mac OS 9.

At its peak in macOS 12 Monterey in 2021-22, System Preferences provided around 30 panes arranged in what was intended to be logical order. Only after extensive use did many know where each was located. As some like Touch ID were model-specific, even experienced users sometimes took several seconds to locate the pane they wanted. Some, like Security & Privacy, had long outgrown the limitations imposed by their tiny windows.

macOS 13: System Settings

Apple’s radical redesign in macOS 13 Ventura of 2022 shocked many. Although it finally brought resizing to the System Settings window, that was confined to the vertical direction, resulting in many panes becoming long lists arranged in no obvious order. Given that almost all displays are wider than they are tall, that appeared an odd decision. Moreover, although it’s thought that SwiftUI was used to implement System Settings, little use has been made of its rich and extensible controls.

This is System Settings’ entry view in macOS Sequoia of 2025. Although its search feature has been improved, locating the appropriate section without using that remains a challenge for most.

Extensive use is made of floating modal windows, which in some settings can be nested so deep that reversing out of them is disorientating.

The greatest sin of all was that the wonderful video clips used previously in the Trackpad item had been dropped completely, and replaced by unhelpful static designs. After mass protests, Apple recanted and added animations, as shown above, but they were a pale shadow of System Preferences.

For all its shortcomings, and the limitations of fixed window size, System Preferences is one feature that many would like to see reinstated. Maybe the next redesign will be better conceived and received.

Women in towns and cities were widely engaged in light factory work, commonly that involving the production of fabrics and garments such as spinning, weaving and assembly. Large numbers were also employed in domestic service industries including laundry and sewing, the subject of this article.

Concentration of people in urban areas transformed what had been a small-scale household function into a sizeable service industry that was eventually industrialised by companies who have concentrated on the hotel trade. Individual washerwomen who might have been servants in households collected, laundered and finished clothing and linen that were then returned to the customer.

On a grey day of showers in 1842, the major French landscape artist Eugène Isabey caught laundresses at work above The Town and Harbour of Dieppe. There’s a second group at the extreme left edge whose washing looks in danger of being blown away over the town below.

The landscape painter Johan Jongkind returned to Paris in 1859, where he painted this view of Le Pont de la Tournelle, Paris, with a small group of washerwomen at work by the water’s edge. The bridge shown here connects the city to the south with the Île Saint-Louis, which had originally been two smaller islands close to the Île Notre Dame, on which the cathedral stands. Jongkind isn’t interested in the market for topographic paintings, though, and his attention is on the washerwomen and the old bridge.

In the early years of the Impressionist movement, Berthe Morisot’s Hanging the Laundry out to Dry (1875) shows a communal drying area at the edge of a town, probably one of the suburbs of Paris. The women have a large black cart to transport the washing, and are busy putting it out on the lines to dry in sunny spells. Next to that area is a small allotment where a man is growing vegetables, and in the distance are the chimneys of the city.

Early in his career, Edgar Degas started painting a series of works showing laundresses. Woman Ironing (c 1869) shows one of the army of women engaged or enslaved in this occupation in Paris at the time. She is young yet stands like an automaton, staring emotionlessly at the viewer. Her right hand moves an iron (not one of today’s convenient electrically-heated models) over an expanse of white linen in front of her. Her left arm hangs limply at her side, and her eyes are puffy from lack of sleep. She is surrounded by pieces of her work.

Degas’ less gloomy painting of a Woman Ironing (c 1876-87) maintains the impression of this being protracted, backbreaking work, only slightly relieved by the colourful garments hanging around the laundress.

Washing, drying and ironing clothes was long and arduous, paying but a pittance. At the end of the day came exhaustion.

Fernand Pelez’s early portrait of a Sleeping Laundress from about 1880 is one of a group of works showing poor women reclining. For all her obvious poverty, there is a faint smile on her face, as she enjoys a brief rest from her long hours of washing.

In Christian Krohg’s view, young women came to the city to work as seamstresses, who later ended up as prostitutes. The young woman seen in his Tired from 1885 is one of many thousands who worked at home at that time, toiling for long hours by lamplight for a pittance. At the left is an empty cup, which had probably contained the coffee she drank to try to stay awake at her work. Krohg and others claimed that the paltry income generated by sewing quickly proved insufficient and drove women to seek alternatives. Prostitution was tolerated in Oslo (then known as Kristiania) from 1840, with the introduction of police and medical supervision of women sex-workers.

Eva Bonnier’s Dressmakers (1887) features two women dressed in plain working clothes, who are collaborating on the making of a dress for a special occasion.

Judging by the sheer volume of garments in Hans Best’s undated Sewing Women in the Room, these two women are professional seamstresses working at home, sharing the single sewing machine.

It took two world wars in the following century to start changing the division of labour between men and women.

Macs and almost all devices assemble information about their location from local Wi-Fi networks, GPS systems (not Macs), and other sources. Access to location information in macOS is controlled in Privacy & Security settings, but unlike most of the items listed there it isn’t managed the same using TCC, but by its own service locationd in Location Services.

Tracking

In addition to those, Safari and other browsers include their own controls over tracking and location. In Safari, these are gathered in the Privacy section of its Settings, and the Location item in Websites. If you subscribe to iCloud+, you can access Private Relay in the iCloud+ section in your Apple Account.

Sharing and Find My…

Location Services are unique in that, when enabled, location data are invariably shared in iCloud, a feature you can’t control in iCloud settings. The only way to stop the sharing of locations across your iCloud-connected devices is to turn the whole service off, which is also true for iOS and iPadOS devices. Although it might seem tempting to disable Location Services altogether, that improved privacy comes at the cost of some valuable services: in particular, Find My… and Activation Lock, and many system services and apps also need Location Services to be enabled.

Settings

Location Services is the most complex of all the sections in Privacy & Security settings, and nests many of its controls deeply. This was inherited from the days of System Preferences, and hasn’t yet been redesigned to take advantage of System Settings. Above its last item, System Services, is a list of those apps over which you have direct control of their access to location data, although they can only be enabled or disabled and not removed from the list, neither can you add other apps.

Unusually, the About Location Services & Privacy button opens a window containing a mixture of help and privacy information, which is worth reading to give you better insight into what’s managed and how data is shared. It points out one important message: by giving a third-party app access to your location, that app’s vendor is in control of your location data in accordance with their terms and privacy policies, not those of Apple. If your location data is sensitive, then you shouldn’t give third-party apps access to it unless you’re confident they will protect it appropriately.

Further important controls are revealed in another window when you click on the Details… button for System Services. This lists some of the purposes for which macOS uses location data, giving you fine control over them.

The final layer in this onion is revealed when you click on the Details… button next to Significant Locations: a listing of all those locations that macOS considers to be ‘significant’. On a static Mac with mobile iOS devices, those are largely based on location data gathered from those, and are mirrored in similar lists on each device.

If you’ve never inspected these Significant Locations, you may be surprised at how much detail they contain: exact location, shown on a local street map, with time periods, over the last few months. It might be possible to reconstruct a lot of your life and activities from them. This window allows you to clear its history, in case you don’t want anyone to know where you’ve been.

Internals

Behind these is the system service locationd and its database locked away in /var/db/locationd. The official description of locationd is that it obtains geographic location data and manages access to it. When you’re prompted to give access to location data, that’s the CoreLocationAgent in action on its behalf. Apps that can ask for location data from Location Services should have the com.apple.security.personal-information.location entitlement and provide NSLocationUsageDescription information, something you can check using Apparency.

The /var/db/locationd directory contains one file that’s simple to read and holds important information, clients.plist, and various opaque data files. A sub-directory /Library has a surprising collection of scripts and cached data.

clients.plist is a standard Property List containing a dictionary of all the apps and other software that could access Location Services data. Those that are currently granted access contain the key Authorized set to <true>. In general, these should match apps and other items in the Location Services list in Privacy & Security settings, although that doesn’t apply to public or private frameworks that are included. There’s also a flag available for the key Hide suggesting that some apps or services can be given access to locations but won’t be displayed in Location Services settings.

While other privacy protections can be managed by the tccutil command tool, there’s no equivalent for Location Services. Besides, clearing its database would affect a lot of system services, including Find My… and Activation Lock, with their wider security implications.

Because of the reliance of Location Services on hardware and network features, they don’t function in Virtual Machines running on Apple silicon Macs, even though you can opt to ‘enable’ them.

Summary

• Geographic location data is derived from Wi-Fi networks and other sources, and delivered in Location Services.
• Although controls are included in Privacy & Security settings, they work differently from others, using the locationd service rather than TCC.
• Location Services are required for Find My…, Activation Lock and other macOS apps and services.
• By giving a third-party app access to your location, that app’s vendor is in control of your location data in accordance with their terms and privacy policies, not Apple’s.
• Significant Locations can give a detailed history of your movements.
• There’s no command tool to manage Location Services.

The history of clocks is a story of largely unwanted technical capability driven by the requirement for accurate navigation, until the arrival of railways in the middle and late nineteenth century. Until people needed to catch a train run according to a timetable, even towns and cities could proceed at their own pace, and as long as they got the right day, the country could amble along too. Clocks were mostly features of churches and public buildings, and often weren’t even synchronised with the next town. Accordingly, clocks were rare, and were more items of furniture than rulers of the day.

Where they do appear in paintings before the nineteenth century, they’re normally an anachronism.

The title given to this painting by Domenico Maroli from about 1655 is Euclid of Megara Dressing as a Woman to Hear Socrates Teach in Athens, which is baffling enough. Given that Euclid of Megara lived between about 435-365 BCE, the ornate clock at the upper right corner is badly out of time and place. No one is too sure of the time that such clocks first appeared, but it must have been at least 1500 years later.

It gets worse, though. Euclid of Megara was a real figure, a minor Greek philosopher and a pupil of Socrates. He ended up wearing women’s clothing because citizens of Megara were banned from entering Athens, so in order to hear his master’s teaching, he dressed as a woman and entered the city after dark. But Marolì confused that Euclid with the much better-known Euclid of Alexandria, the famous mathematician and geometer, and surrounded the minor philosopher with everything you might associate with the other Euclid, including his anachronistic clock.

When we reach the nineteenth century, clocks feature in remarkably few interiors.

One of the earliest is William Holman Hunt’s The Awakening Conscience, painted during the period 1851-53. Sat in its glass bell case on the top of the piano it an ornate gilt clock, its face turned away but apparently showing the time as five to twelve.

The fashionable young man seated at the piano in this small house in the leafy suburbs of London is clearly in an extra-marital relationship with the young woman, who has half-risen from his lap and now stares absently into the distance. Around them are signs that she’s a kept mistress with time on her hands. Her companion, a cat, is under the table, where it has caught a bird with a broken wing, a symbol of her plight. At the right edge is a tapestry with which to while away the hours, and her wools below form a tangled web in which she is entwined.

Thomas Brooks’ painting of The New Pupil from 1854 shows a disorderly rabble in an English country school, as a mother introduces her reluctant son to his new class. Behind the teacher, at the left, one the boys reaches up to adjust the time on the pendulum clock on the wall, no doubt moving its hand forward to bring a premature end to classes for the day.

Charles Hunt’s Visit to the Schoolroom from 1859 shows a more impressive educational establishment, with a grandfather clock supervising the class from the middle of the back wall. To the left of it is a barometer, even more unusual in a school at that time.

In Rebecca Solomon’s The Appointment from 1861, a beautiful woman stands in front of a mirror and looks intently at a man, who’s only seen in his reflection and stands in a doorway behind the viewer’s right shoulder. The woman is dressed to go out, and is holding a letter in her gloved hands. The clock on the mantelpiece shows that it’s about thirteen minutes past seven, either on a summer’s evening, or in the morning.

Another splendid longcase clock, of a type known as Comtoise or Morbier, appears in the right background of Pascal Dagnan-Bouveret’s An Accident from 1879. At this time, the factory making them in the Franche-Comté region of France was delivering over sixty thousand of them each year, but they’re unusual in paintings.

Viktor Mikhailovich Vasnetsov’s Russian Preference (1879) shows three players of the game known as ‘Russian Preference’ or Preferans. According to the grandfather clock at the right it’s just after four o’clock, which could be in the afternoon or the small hours of the morning. Cast natural light in the doorway suggests it’s still daylight outside, though, as these three play cards to while away the time.

Like those homes, that in Évariste Carpentier’s undated The Reprimand may lack signs of material wealth but they have given their grandfather clock pride of place in the living room. The son is sat on the corner of a simple table with one of his wooden clogs dropped onto the floor. Dressed in multiply patched clothing, he’s being reprimanded by a figure out of the image, beyond its left edge. His mother stands preparing food to the right, and his grandmother sits at the table. Even the family’s black and white dog faces towards the wall, as if in disgrace.

Long before the days of radio let alone television, reading became popular entertainment. LA Ring’s Housewife’s Evening Party from 1905 shows a very different sort of party from those being painted at the time in cities like Paris. This housewife sits knitting, as her husband and a friend discuss a book by the light of the kerosene lantern. They aren’t poor by any means: there are portrait paintings on the wall, and a clock ticking softly above them, showing the time as seventeen minutes to eight.

During the twentieth century, mantelpiece clocks became almost universal, as timekeeping became the rule rather than an exception, but longcase clocks grew increasingly rare. Now it seems few younger people can even read the face of an analogue clock.

As those running macOS 15 Sequoia are only too painfully aware, the way that XProtect’s data is updated has changed from that still used in older versions of macOS. Instead of accessing that data in XProtect.bundle in the path /Library/Apple/System/Library/CoreServices, in Sequoia the data used is in /private/var/protected/xprotect. While the old location can still be updated using Software Update, SilentKnight and softwareupdate, the only way to update the copy in the new location is using the xprotect command tool, which normally obtains its updates through a connection to iCloud.

Updating in Sequoia

Since Sequoia 15.0, there has been a way to update data in the new location from XProtect.bundle in the old location, using the command
sudo xprotect update
If that finds a newer version of the bundle in the old location, it installs its contents in the new location, so updating XProtect in Sequoia. At least, it did until the release of Sequoia 15.3 or 15.3.1.

When Apple released XProtect version 5288 on 26 February, it did so through both connections, and all versions of macOS were able to update promptly and successfully. That didn’t work with its successor 5289 on 4 March, though. Although the Software Update version was successfully updated in the old location to 5289, no iCloud update was made available, and sudo xprotect update proved unable to update from that to the new location.

This has left those running Sequoia 15.3.1 with version 5289 in the old location, but 5288 stuck in the new location. As Apple doesn’t tell us of these updates, nor of how XProtect is supposed to work in Sequoia or earlier, it’s impossible to tell whether this is intended, or an unintended failure.

Which rules does XProtect now use?

One potential explanation is that XProtect has returned to using its old location for the Yara rules, in /Library/Apple/System/Library/CoreServices/ XProtect.bundle/Contents/Resources/XProtect.yara. That’s fairly easy to check in the log, where it states the location of the rules it’s using to check an app for malware. The answer is
com.apple.xprotect Using XProtect rules location: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara
that’s the new location for Sequoia, and hasn’t changed since 15.0.

How does macOS now update the correct rules?

By chance, a few minutes after I had started my Mac mini M4 Pro yesterday, I opened SilentKnight and discovered that XProtect had successfully been updated to version 5289, something it wouldn’t do the previous evening following its release. At that time:

• XProtect in its old location had been updated to 5289 the previous evening.
• SilentKnight now reported XProtect in its new location was 5289.
• sudo xprotect check reported the version in iCloud was still 5288.
• sudo xprotect update reported that it was already up to date.
• xprotect version reported that 5289 had just been installed, about 2.5 minutes after starting up.

This was an ideal opportunity to discover how XProtect had updated this time, by looking in the log with LogUI. That showed the update had been dispatched as a background activity by DAS, with ID com.apple.security.syspolicy.xprotect-update. That’s a scheduled background activity run every 24 hours, and in this case appears to have been dispatched because of the recent boot.

That activity connects to XProtectUpdateService, which then runs the check and updates as necessary, connecting to iCloud using CloudKit. On this occasion it ‘found’ the 5289 update, although maybe in its old location rather than in iCloud, and updated XProtect’s data in its new location.

How to keep XProtect up to date

From this experience, bearing in mind that everything might change again in the future, my advice is to:

• Check for updates as usual using SilentKnight, Software Update, or softwareupdate.
• When offered an update by any of those, install it gratefully.
• Run SilentKnight a few minutes later. If that update isn’t reflected in the version shown, restart your Mac and leave it for 10 minutes or so before checking again.
• If it still doesn’t update correctly, check again in about 24 hours, by which time DAS should have dispatched com.apple.security.syspolicy.xprotect-update with any luck.

I suppose that’s progress?

The world still looks to Paris for the height of fashion in clothing, a phenomenon already well-established by the late nineteenth century. This of course included hats, and in this second article on the reading of hats in paintings, I show a selection of works illustrating fashionable headwear of that period. These are the works of just five painters who seem, in one way or another, to have specialised in fashionable women’s headwear: Georges Clairin, Jean Béraud, Pierre-Georges Jeanniot, Henri Gervex and Edgar Degas.

Georges Clairin’s undated Elegant Couple at the Coast comes not from the Rococo, but as indicated by the painterly style of the slippery rocks, was most probably painted in the early years of the twentieth century. It’s a study of one of the few disadvantages of hats, particularly extensive fashionable adornments, in their behaviour in wind. The very pink young galante woman is a textbook example of how to make a figure look windswept, although her partner seems mysteriously to be unaffected by the breeze.

The English word for specialists in fashionable hats for women, milliner, comes from that for an inhabitant of Milan, one of the former centres of the hat trade in Europe. Milliners and their shops were associated with the height of fashion, and drew the attention of Edgar Degas among others.

Degas looked carefully at one of the delights of the middle and upper class modern woman, the selection of hats in The Millinery Shop (1879/86). Here he also experiments with unusual views and cropping, as he examines the tricky process of assessing and choosing a hat.

Around this fashionably-dressed Milliner on the Champs Elysées, Jean Béraud carefully balances painterly background foliage and sky, and the atmospheric detail of distant carriages. His Milliner on the Pont des Arts from 1879-82 (below) shows the same model drawing admiring looks on a windy day by the River Seine.

Pierre-Georges Jeanniot’s At the Milliner (1901) contrasts with those of Degas in its relatively fine detail, and his use of mirror play to show the milliner herself, at the right. His swirling hats, and the huge ginger cat, are marvellous.

Millinery was one of the staples of fashion houses like that of Paquin, whose success was characteristic of the late nineteenth century, and shown in Henri Gervex’s Five Hours at Paquin’s from 1906.

The purpose of these expensive hand-made hats was for show, when the lady was seen in appropriate surroundings. Jeanniot’s painting of the patrons of one of the most fashionable hotels in Paris shows all the hats out on parade in the fine weather in the inner garden of the Paris Ritz.

Others captured the role of hats to those heading downward through society.

In Béraud’s The Letter (1908) the man looks rough and is unshaven, although the woman is elegantly dressed, and apparently engaged in writing a letter. In front of each of them is a glass of absinthe, notorious for its association with alcoholism. His battered old brown bowler hat suggests a working past before he succumbed to drink.

Although I’ve concentrated almost exclusively on hats seen in Europe on the head of Europeans, the nineteenth century was also a time when hats from overseas were becoming more frequent sights.

Georges Clairin’s paintings of Ouled Naïl women provide glimpses of those from this nomadic group from the foothills of the Atlas Mountains. Exotic they certainly are, with elaborate headwear, richly decorated clothing, and no doubt over their identity.

Of all the artists of this period, it was Clairin who appears to have been most fascinated by hats.

His extraordinary Bust of a Woman in Profile (1899) is perhaps a sea-nymph, wearing the most bizarre headgear that appears to have grown from coral. It has peculiar pedicles which sweep over her hair, and excrescences resembling the bodies of fabulous birds, making it the ultimate hat of them all.

With more new M4 Macs in the offing, one question that I’m asked repeatedly is whether you should save money by getting a Mac with the smallest internal SSD and extend that using cheaper external storage. This article considers the pros and cons.

Size and prices

In Apple’s current M4 models, the smallest internal storage on offer is 256 GB. For the great majority, that’s barely adequate if you don’t install any of your own apps. It might suffice in some circumstances, for example if you work largely from shared storage, but for a standalone Mac it won’t be sufficient in five years time. Your starting point should therefore be a minimum of 512 GB internal SSD. Apple’s typical charge for increasing that to 2 TB is around $/€/£ 600.

The alternative to 2 TB internally would be an external 2 TB SSD. Unless you’re prepared to throw it away after three years, you’ll want to choose the most versatile interface that’s also backward compatible. The only choice here is Thunderbolt 5, which currently comes at a small premium over USB4 or Thunderbolt 3. Two TB would currently cost you $/€/£ 380-400, although those prices are likely to reduce in the coming months as TB5 SSDs come into greater supply.

Don’t be tempted to skimp with a USB 3.2 Gen 2 external SSD if that’s going to be your main storage. While it might seem a reasonable economy now, in 3-5 years time you’ll regret it. Besides, it may well have severe limitations in not Trimming as standard, and most don’t support SMART health indicators.

Thus, your expected saving by buying a Mac with only 512 GB internal storage, and providing 2 TB main storage on an external SSD, is around $/€/£ 200-220, and that’s really the only advantage in not paying Apple’s high price for an internal 2 TB SSD.

Upgrading internal storage in an Apple silicon model currently isn’t feasible for most users. As Apple doesn’t support such upgrades, they’re almost certain to invalidate its warranty and any AppleCare+ cover. That could change in the future, at least for some models like the Mac mini and Studio, but I think it unlikely that Apple would ever make an upgrade cheaper than initial purchase.

External boot disk

One of the few compelling reasons for choosing a Mac with minimal internal storage is when it’s going to be started up from an external boot disk. Because Apple silicon Macs must always start their boot process from their internal storage, and that Mac still needs Recovery and other features on its internal SSD, you can’t run entirely from an external SSD, but you could probably get away with the smallest available for its other specifications, either 256 or 512 GB.

Apple silicon Macs are designed to start up and run from their internal storage. Unlike Intel Macs with T2 chips, they will still boot from an external disk with Full Security, but there are several disadvantages in them doing so. Among those are the fact that, on an external boot disk, FileVault encryption isn’t performed in hardware and is inherently less secure, and AI isn’t currently supported when booted from an external disk. Choosing to do that thus involves compromises that you might not want to be stuck with throughout the lifetime of that Mac.

External media libraries

Regardless of the capacity of a Mac’s internal storage, it’s popular to store large media libraries on external storage, and for many that’s essential. This needs to be planned carefully: some libraries are easier to relocate than others, and provision has to be made for their backups. If you use hourly Time Machine backups for your working folders, you’ll probably want to back up external media libraries less frequently, and to different external storage.

External Home folder

Although it remains possible to relocate a user’s entire Home folder to external storage, this seems to have become more tricky in recent versions of macOS. Home folders also contain some of the most active files, particularly those in ~/Library, so moving them to an external SSD is going to require its good performance.

A more flexible alternative is to extend some working folders to external storage, while retaining the Home folder on internal storage. This can fit well with backup schedules, but you will still need to ensure the whole Home folder is backed up sufficiently frequently. This does have an unfortunate side-effect in privacy protection: this may require most of your working apps to be given access to Removable Volumes in the Files & Folders item in Privacy & Security settings. Thankfully, that should only need to be performed once when first using an app with external storage.

How much free space do you need?

When you’re weighing up your options to minimise the size of your new Mac’s internal storage, you also need to allow sufficient free space on each disk. APFS is very different from HFS+ in this respect: on external disks, in particular, HFS+ continues to work happily with just a few MB free, and could be filled almost to capacity. APFS, modern macOS and SSDs don’t work like that.

Measuring how much free space is needed isn’t straightforward either, as macOS trims back on its usage in response to falling free space. Some key features, such as retaining log entries, are sacrificed to allow others to continue. Snapshots can be removed or not made. Perhaps the best measurements come from observing the space requirements of VMs, where total virtual disk space much below 50 GB impairs running of normal functions. That’s the total size of the virtual disk, not the amount of free space, and doesn’t apply when iCloud or AI are enabled.

The other indicator of minimum free space requirements is for successful upgrading of macOS, which appears to be somewhere between 30-40 GB. This makes it preferable to keep an absolute minimum of around 50 GB free at all times. When possible, 100 GB gives more room for comfort.

SSD wear and performance

When the first M1 Macs were released, base models with just 8 GB of memory and 128 GB internal SSDs were most readily available, with custom builds (BTO) following later. As a result, many of those who set out to assess Apple’s new Macs ended up stress-testing those with inadequate memory and storage for the tasks they ran.

Many noticed rapid changes in their SSD wear indicators, and some were getting worryingly close to the end of their expected working life after just three years. Users also reported that SSD performance was falling. The reasons for those are that SSDs work best, age slowest, and remain fastest when they have ample free space. One common rule of thumb is to keep at least 20-25% of SSD capacity as free space, although evidence is largely empirical, and in places confused.

The simplest factor to understand is the effect of SSD size on wear. As the memory in an SSD is expected to last a fixed number of erase-write cycles, all other things being equal, writing and rewriting the same amount of data to a smaller SSD will reach that number more quickly. Thus, in general terms and under the same write load, a 512 GB SSD will last about half as long as a 1 TB SSD.

All other things aren’t equal, though, and that’s where wear levelling and Trim come into play. Without levelling the number of erase-write cycles across all the memory in an SSD, some would reach their limit far sooner than others. To tackle that, SSDs incorporate mechanisms to even out the use of individual memory cells, as wear levelling. The less free space available on an SSD, the less effective wear levelling can be, giving larger SSDs a significant advantage if they also have more free space.

Trimming is performed periodically to allow storage that has already been made available for reuse, for example when a file has been deleted, to be erased and made ready. Both APFS and HFS+ will Trim compatible SSDs when mounting a volume, but Trim support for external SSDs is only provided by default for those with NVMe interfaces, not SATA, and isn’t available for other file systems including ExFAT. Some SSDs may still be able to process available storage in their routine housekeeping, but others won’t. Without Trimming, an SSD gradually fills with unused memory waiting to be erased, and will steadily grind to a halt, with write speeds falling to about 10% of new.

Thus, to ensure optimum performance and working life, SSDs should be as large as possible, with much of their storage kept free. Experience suggests that a healthy amount of free space is 20-50% of their capacity.

Striking the best compromise

Apple silicon Macs work best and fastest when largely running from their internal SSDs. By all means reduce the capacity required by moving more static media libraries, and possibly large working folders, to an external SSD. But there’s no escaping the evidence that your Mac will work best and longest when its internal storage has a minimum of 20% free at all times, and you must ensure that never falls below 50 GB free space. Finally, consider your needs not today, but when you intend replacing that Mac in 3-5 years time, or any savings made now will prove a false economy.

Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5289, and to XProtect Remediator for all macOS from Catalina onwards, to version 151. As usual, Apple doesn’t release information about what security issues these updates might add or change.

Yara definitions in this version of XProtect add two new rules for MACOS.TAILGATOR.RST.CT and MACOS.TEPIDTEA.

XProtect Remediator doesn’t change the list of scanner modules.

There is a new Bastion rule 13 for the behavioural version of XProtect (Ventura and later). This watches for execution of PasswordManagerBrowserExtensionHelper in CoreServices, in the App Cryptex, and makes an immediate report with the Signature Name of macOS.PasswordExtension.Exec if that occurs.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-151 and XProtectPlistConfigData_10_15-5289.

Sequoia systems only

This update hasn’t yet been released for Sequoia via iCloud. If you want to check that manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5289 but your Mac still reports an older version is installed, you can force the update using
sudo xprotect update

This version is currently only available via Software Update, softwareupdate, or in SilentKnight, and not via iCloud. If your Mac is running Sequoia and you download it that way, the xprotect update command might take a while to use that downloaded version to update your Mac properly. As a result, the version of XProtect shown may remain at 5288, but should later change to 5299.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

Updated 1720 GMT 5 March 2025 following a ‘spontaneous’ update at 1631, although sudo xprotect check is still reporting the old version.

I have just replaced LogUI 1.0 build 25 with build 27. This:

• completes support for Signposts by including them in RTF files,
• changes the Settings dialog to use Full Fields for consistency,
• updates technical info with a link to original source code.

You can now download build 27 from here: logui127
or from the link in the original article.

It wasn’t that long ago that it was most unusual to go out without wearing a hat. Although they’ve made something of a comeback in recent decades, in much of the world they’re still far from popular unless it’s unusually cold. In this week’s two articles about the reading of paintings, I show a selection where reading the hats can be useful. However, I avoid two other types of headgear that commonly appear in art, as they’ve been covered elsewhere: helmets and halos.

People have put hats on their head since long before recorded history. Some distinctive forms of hat have unusual histories, and puzzling representations in art. Among the many quirks in the amazing paintings of Hieronymus Bosch are figures in or wearing funnels.

Their origin goes back to the Jewish diaspora of the Middle Ages, when Ashkenazi Jews (in particular) migrated to northern Europe, from about 800 CE. Predominantly Christian powers sought to make visible signs to distinguish Jews, and to a lesser extent Muslims, from local Christians, and for many centuries the migrants were persecuted, confined to Jewish ghettos, and generally kept in isolation as much as possible.

One common discriminatory technique employed in much of northern Europe was to require Jews to wear distinctive hats. This played on religious requirements for Jews to cover their heads, and the fact that most people wore hats when outdoors. The patterns of Jewish hat most often recorded are pointed or conical, and some have highly distinctive ‘bobbles’ at the top.

This detail from the centre panel of Bosch’s Haywain Triptych from about 1510-16 shows some unusual headgear probably derived from the appearance of the Jewish hat.

They’re also to be seen in more recent historically accurate depictions of the Middle Ages, as shown by Carl Gustaf Hellqvist in the right of his wonderful large history painting of Valdemar Atterdag Holding Visby to Ransom, 1361 (1882). There’s a rich range of military helmets, and one obvious conical hat being worn by a Jew, seen in the detail below.

In time, conical hats remained visible signs of discrimination. Charles Hunt’s Visit to the Schoolroom from 1859 shows the range of hats worn by children, and at the far right a dunce stands on a chair wearing the trademark conical hat.

As with all forms of clothing and personal decoration, hats have long been objects of fashion, used by individuals to distinguish and adorn, and feed their personal vanity. One of the best examples of this is in Bartholomäus Strobel’s long panoramic view of the Decapitation of Saint John the Baptist at Herod’s Banquet from about 1630-33.

Gathered in this grand banquet are many ranks of nobility wearing contemporary dress with an astonishing range of headgear, from armoured helmets to feathery confections. At the far right, the executioner stands by John’s headless corpse, a large pool of bright blood on the ground where its head once lay. A young woman (who might be Salome) looks up to heaven, her hands clasped in prayer, while an older woman (presumably Herodias) chats with the executioner.

During the English Civil War of 1642-51, hats assumed an even greater importance, to distinguish the two sides, so-called Cavaliers and Roundheads.

William Frederick Yeames’ And when did you last see your Father? indicates this in the Puritan dress of conical hats and plain clothes. This contrasts with the opulent silks of the mother and children, who are clearly Royalists. The young boy is being questioned, presumably as given in the title, for him to reveal the whereabouts of his Cavalier father, an act that’s bringing anguish to his sisters and mother.

Not to be outdone by their subjects, Kings and their bishops had to have their own hats in the form of crowns and mitres.

Probably the most famous depiction of any major coronation is that of Raphael and his workshop in this fresco of the Coronation of Charlemagne from 1514-15, with its serried ranks of mitres and just the one crown to rule them all. The rows of bishops here wear what is the exact opposite of the monks’ bare tonsured heads.

It didn’t take long for the church and other organisations to express rank and superiority in subtle variations of hat.

Raphael’s magnificent Portrait of a Cardinal from 1510-11 pays particular attention to the surface textures of the fabrics. Three quite distinct fabrics are shown in the cardinal’s choir dress: the soft matte surface of the biretta on his head, the subtly patterned sheen of his mozzatta (cape), and the luxuriant folds of his white rochet (vestment). In that scarlet biretta is great power.

Some well-known characters in paintings are instantly recognisable by their hat, in this case the Florentine poet Dante, shown below with Virgil as they are being ferried in the Inferno.

In 1822, the young Eugène Delacroix painted this Barque of Dante, one of his finest narrative works, showing Dante and Virgil crossing a stormy river Acheron in Charon’s small boat. Dante is inevitably wearing his signature red chaperon. This had evolved before 1200 as a hooded short cape, and developed into variants that remained popular until becoming unfashionable in about 1500. For his part, Virgil wears a laurel wreath honouring an epic poet of his stature.

Some of these ancient hats have been perpetuated in formal dress, such as that worn by academics for ceremonial.

In Jean Béraud’s undated The Thesis of Madeleine Brès or The Doctoral Jury he shows us one of the early woman doctoral students defending her thesis before the academic jury, who are wearing what might now appear to be fancy dress hats. At the time this was a major landmark in the improvements in women’s rights, and the archaic headwear serves to emphasise that change.

Finally, hats aren’t always good signs, but can signify the sinister and worse. Although most of us associate the silk top hat with elegant opulence, in its day it gained some dark associations.

Jean-Louis Forain’s Dancer and Admirer Behind the Scenes from 1903 whispers its disturbing message of the association between the top hat and white tie, and under-age prostitution that was rife at the time among dancers of the Paris ballet. It’s not just the hat, but the context in which it’s worn.

Last week I introduced my new prototype log browser, LogUI, which seems to have been popular with many. As I now use it in preference to its predecessor Ulbow, I’ve spent a little time adding some new and improved features to bring you version 1.0 build 25. Changes include:

• support for discontinuous selection of log entries,
• support for copying text from selected log entries,
• subsystem names are now case-insensitive,
• support for Signposts,
• window names change to include the start time of each log excerpt,
• RTF saved file names change to reflect the start of each log excerpt.

Settings

These now let you set app defaults for displaying full log entries, and for fetching and displaying Signposts.

Browser controls

The only addition to these is the option to Show Signposts. When that’s ticked, Get Log also fetches all Signposts during the set period, and displays them inline with regular log entries.

LogUI now supports all types of log entry:

• regular log entries,
• Activities, events such as clicks/taps and others,
• Boundaries, markers such as the start of the boot process,
• Signposts, used to record significant steps and assess performance.

Signposts have their own custom fields, including signpost ID, name, and type, which are displayed when Full Fields are enabled. The only caution with Signposts is that they can outnumber regular log entries, so if you don’t need to see them, it’s better to leave them turned off.

I’m grateful to Joe for asking for the subsystem to be case-insensitive. This means that you can enter com.apple.TimeMachine or com.apple.timemachine as the subsystem and LogUI will display entries with a subsystem name of com.apple.TimeMachine for both. No longer will case trip you up.

Log entries

The biggest changes are in the selection and copying of log entries. You can now select log entries in a browser window. Selections can be multiple continuous using the Shift key modifier, and discontinuous using the Command key modifier. When one or more entries have been selected, you can then copy their text contents using the Copy command or Command-C. Copied text can then be pasted into an app that supports handling of text items in the Clipboard.

Because there are many different fields possible in each entry, copied text consists of a standard set:
date level sender process subsystem message
each separated by a Tab character.

If you want more fields with colour, save the log excerpt in RTF, open it in an RTF editor and copy from that.

If you’re a developer and are wondering how I have implemented this copy feature for a SwiftUI List, let me know and I’ll explain how I managed to pin this tail on the donkey while I was blindfolded, or how persistent guessing overcame the absence of documentation or example code.

Naming

To distinguish between windows and saved RTF files, LogUI now automatically names and renames its windows and the default file names suggested when saving files. Names are based on the Start date and time of the current log excerpt in that window. To begin with, when there’s no log extract, each new window is named LogUI. When it gains its first extract, the date and time are appended to that, e.g. LogUI 2025_03_03_08-14-00, and a similar default file name is offered. When you obtain a new log excerpt in the same window, those names are updated to reflect the changed Start date and time.

Help book

This has been updated to include all these changes.

LogUI 1.0 build 27 is now available from here: logui127
It still requires a minimum macOS version of 14.6, I’m afraid, because of the SwiftUI features it has to rely on.

Enjoy!

Postscript

I have replaced build 25 with 27. This completes support for Signposts, by including them in saved RTF files. I’ve also taken the opportunity to make a small correction in the Settings dialog, and to add a link to the technical info to the log access source code.

Ovid closed Book Twelve of his Metamorphoses with the death of the great Greek warrior Achilles at Troy. As was customary, his arms and armour were then to be passed on to a successor. As they had been made specially for him by the god Vulcan (Hephaestus), they were particularly sought-after. Two contenders emerged, Ajax the Great and Ulysses. Agamemnon therefore summoned his leading warriors to determine who was to be given these unique arms and armour.

Ovid uses the speeches of Ajax and Ulysses as a means of quickly summarising some of the action that had taken place in the war against Troy up to this moment.

Ajax puts his case first. He claims that, when Hector tried to set fire to the Greek fleet, it was he who stayed to fight the Trojans. He mentions that Ulysses was late joining the combat, as his rival had feigned madness, but he had been there from the start. When his colleague Philoctetes was dying, Ulysses had abandoned him to die alone. Ajax even had to save Ulysses on the battlefield, and finally he says that he needed a new shield as his current one was worn out with fighting, but Ulysses’ shield had barely been used.

Ajax concludes by proposing that the two should settle the matter in a fight, in which he feels Ulysses would stand no chance. This elicits applause from the surrounding crowd.

Ulysses doesn’t play to that gallery, but when he steps up, he delivers an eloquent argument to the leaders who are to make the decision. He says that he found Achilles hiding on the island of Scyros, and brought him to the war, so can claim Achilles’ successes as his. It was he who convinced Agamemnon to sacrifice Iphigenia in the first place, so enabling the thousand ships of the Greek fleet to sail on Troy. He had worked hard at diplomatic solutions during the first nine years of the war, when Ajax had done nothing. He had also convinced both Agamemnon and Ajax not to abandon the campaign.

Ulysses had killed a Trojan spy, Dolon, and unlike Ajax had been wounded in battle. He also denies Ajax’s claim to have saved the fleet from fire, arguing that had been Patroclus in disguise. Ulysses had later carried Achilles’ dead body from the battlefield, and will recover that of Philoctetes.

To emphasise that, at least in Ovid’s world of Metamorphoses, it is words that carry greater weight than deeds, Achilles’ armour is awarded to Ulysses.

Ajax’s response is sudden and shocking: he literally falls on his sword, and like Hyacinthus before, his blood is turned into the purple hyacinth flower, its leaves marked with the letters AI, both the start of Ajax’s name and a cry of grief.

This, created by the ‘Taleides Painter’ in about 520 BCE, shows the warriors being held apart as they vie for the arms and armour.

Leonaert Bramer’s small painting on copper of The Quarrel between Ajax and Odysseus was made between about 1625-30. The pair stand in their armour, next to tents pitched at the foot of Troy’s mighty walls. At their feet is the armour of Achilles, and all around them are Greek warriors, some in exotic dress to suggest more distant origins.

Just a year or two later, Ajax’s suicide appeared prominently in one of Nicolas Poussin’s greatest narrative paintings: The Empire of Flora.

Poussin painted this in early 1631 for someone named Valguarnera, who turned out to be a thief of uncut diamonds, whose prosecution in court enables its unusually precise dating. At that time it was simply known as Spring. It’s set in a garden, with trees in the left background, a flower-laden system of pergolas, a large water feature, and dancing putti. In this are a series of well-known characters, one of whom is Ajax, shown in the act of falling on his sword.

Poussin has already used the purple hyacinth for the death of Hyacinthus, so here places under Ajax a white carnation which will shortly turn blood red.

Ovid races through the final destruction of Troy and its nobility: the death of Priam, the herding together of the Trojan women to be taken as trophies, and the vicious murder of Astyanax, Hector’s young son, who is thrown from one of the city’s towers.

There are many paintings showing the sacking and destruction of Troy, of which my favourite, for its truly apocalyptic vision, is this, attributed to Gillis van Valckenborch.

The story of Astyanax is a relatively recent addition, and probably developed well after 700 BCE.

The clearest narrative painting showing this is Edouard-Théophile Blanchard’s winning entry for the Prix de Rome in 1868, The Death of Astyanax. It breaks convention in depicting Neoptolemus, Achilles’ vicious son, as a North African. Given that Achilles was the king of Thessaly, in central Greece, that seems a stretch of the imagination. Andromache pleads on her knees with the warrior to spare her son, her left hand vainly trying to prevent him from being slung from the wall. Two men cower in fear in the background. Two of Troy’s famous towers are shown, but there is no smoke or other evidence of a sacking in progress, neither is there any sign of King Priam.

Georges Rochegrosse enjoyed great success at the Salon in 1883 with Andromache, a huge and gruesome painting nearly nine metres (27 feet) high. She is at the centre, being restrained by four Greeks prior to her abduction by Neoptolemus. Her left arm points further up the steps, to a Greek warrior in black armour holding the infant Astyanax, as he takes him to the top, where another Greek is shown in silhouette, to murder him. There is death and desolation around the foot of the steps: a small pile of severed heads, a jumble of living and dead, and the debris of the sacking.

Jules Joseph Lefebvre won the Prix de Rome in 1861 with his Death of Priam; Georges Rochegrosse was later to become one of his students. A thoroughly conventional and Spartan Neoptolemus is just about to swing his sword at the prostrate figure of King Priam, who is lying on the floor by the altar to Zeus. Priam looks up at his killer, knowing that he has only seconds to live. Behind Neoptolemus is another body, presumably that of Priam’s son Polites. To the right, in the darkness behind, Queen Hecuba tries to comfort other Trojans. At the left, a young Trojan is trying to sneak away, back into the burning city, with smoke twisting its way into the dark sky.

I hope that you enjoyed Saturday’s Mac Riddles, episode 297. Here are my solutions to them.

1: Can still spin a disc with five between two five-hundreds.

Click for a solution

DVD Player

Can still spin a disc (although now hidden away, it can still play DVDs) with five between two five-hundreds (Roman numeral V between D and D).

2: Joins overhead and face together in shared video.

Click for a solution

Desk View

Joins overhead and face together (it’s used to merge overhead desktop and face-on views) in shared video (for FaceTime in particular).

3: Railway inspector for the hound of Hades.

Click for a solution

Ticket Viewer

Railway inspector (who checks tickets by viewing them) for the hound of Hades (it’s used to check Kerberos tickets, named after the multi-headed dog that guards the underworld in classical myth).

The common factor

Click for a solution

They’re all apps now hidden away in /System/Library/CoreServices/Applications

I look forward to your putting alternative cases.

Some of the oldest privacy protections in macOS are those applied to devices such as cameras and microphones. In recent years, those have been extended to cover other types of device. This article covers the following items protected in macOS Sequoia, and listed in Privacy & Security settings:

• Bluetooth, can also be added by the user;
• Camera, requires the app to have both user text and entitlement;
• HomeKit data;
• Input Monitoring, to allow monitoring the mouse or trackpad, and keyboard, can also be added by the user;
• Local Network, to allow the app to find and communicate with network devices;
• Microphone, requires the app to have both user text and entitlement;
• Screen & System Audio Recording, to allow the app to record screen and/or audio, can also be added by the user;
• Speech Recognition, to allow access to speech recognition features.

In each case, access to the protected device is normally requested by the app, although those noted can also be added manually by the user. For an app to be allowed to access these devices, it normally has to provide text explaining why it’s doing that, and may be required to have an appropriate entitlement. In at least some cases, including camera and microphone, those are required, and an app that doesn’t provide both text and entitlement will be crashed by macOS if it tries to access that device.

In addition to those regular privacy protections, Intel laptops with T2 chips and Apple silicon laptops also feature hardware microphone disconnect, that automatically disables the microphone when their lid is closed. There is no override for that protection.

App requirements

Occasionally, when looking through the lists in Privacy & Security settings, you may come across apps that surprisingly have access to what appear to be inappropriate devices, or you may be confronted with an unexpected request for access. Don’t feel obliged to consent, but quit the app if it’s running and check its Info.plist and entitlements to establish whether this is legitimate and provides a valid reason.

This is easily accomplished using Mothers Ruin’s superb free Apparency. Open the app with that, and browse its Info Property List.

There you should see all the text it uses to populate its privacy requests. Each NS[name]UsageDescription should provide meaningful information about why the app is making that request. If you don’t see a good explanation there, then refer to the app’s documentation. Apple lists all these keys here. Note that Apple’s bundled apps don’t use text in their Info.plist and shouldn’t make privacy access requests, although its App Store apps should follow the same rules as those for third parties.

Then switch to the list of Entitlements for that app.

If the app uses cameras or microphones, you should there see respective entries for com.apple.security.device.* regardless of whether that app runs in a sandbox. You may also see additional com.apple.security.* entitlements for other protected features. Apple lists all those entitlements here.

So, for an app to make a legitimate request for access to a camera, you should see both

• NSCameraUsageDescription text in its Info.plist giving the reason for access, and
• com.apple.security.device.camera in its entitlements giving it that capability.

For access to a microphone, you should see both

• NSMicrophoneUsageDescription text in its Info.plist giving the reason for access, and
• com.apple.security.device.audio-input in its entitlements giving it that capability.

If you’re still not happy, delete the privacy setting or deny the app’s request. You can always accept the request at a later time if you wish.

Maintenance

There are times when we want to clear out some of the apps that we gave access to devices in the past. For those categories where you can remove individual settings, that’s usually the simplest course of action. But you can’t do that with camera and microphone access, for example. The only way to clear those categories is to reset them completely, then when each app requests access again to grant it to those you want to allow.

The only way to do this is in Terminal’s command line using the tccutil command tool. For example, to reset settings for microphones, enter the command
tccutil reset Microphone
and for cameras use
tccutil reset Camera

Apple doesn’t seem to document the names to be used for each category, but those worth trying according to circumstances include:

• Accessibility
• AddressBook (for the Contacts list)
• AppleEvents (for the Automation list)
• Calendar (note the singular, for the Calendars list)
• Camera
• Microphone
• Photos
• Reminders
• ScreenCapture (for the Screen Recording list)
• SystemPolicyAllFiles (for the Full Disk Access list)
• SystemPolicyDesktopFolder
• SystemPolicyDeveloperFiles (which doesn’t match any of the lists in privacy settings)
• SystemPolicyDocumentsFolder
• SystemPolicyDownloadsFolder
• SystemPolicyNetworkVolumes
• SystemPolicyRemovableVolumes
• SystemPolicySysAdminFiles (which doesn’t match any of the lists in privacy settings).

If only one or two apps are involved, then you can reset their settings with
sudo tccutil reset All com.vendor.appname
for the app with the identity com.vendor.appname, also easily discovered using Apparency.

Beyond that, a full reset can be performed using
sudo tccutil reset All
but that should remove all your consents, which would then need to be recreated one by one.

Summary

• Privacy & Security settings now control access to several types of device, including cameras and microphones.
• T2 and Apple silicon laptops have hardware microphone disconnect to disable their microphone when their lid is closed.
• Apps make requests to have access to protected devices, and some types can also be added by the user.
• Requests for access should give a meaningful reason, and some also require an entitlement.
• If in doubt, use Apparency to check their Info.plist and entitlements.
• Allow access only when you’re satisfied that it’s legitimate and for good reason.
• Device categories in Privacy & Security that can’t be changed by the user can be reset using the tccutil reset command with their category name.
• Be cautious about resetting all consents using sudo tccutil reset All as you’ll then have to recreate them all one at a time.

To follow yesterday’s account of the painting patronage of Isabella d’Este (1474-1539), Duchess of Mantua, today I look at her husband’s lover and one of the most famous femmes fatales, Lucrezia Borgia (1480-1519), Duchess of Ferrara, Modena and Reggio. She had no aspirations as a patron of the arts, and instead has been portrayed in several paintings.

Her father was Cardinal Rodrigo de Borgia, later to become Pope Alexander VI, and her mother was one of his several mistresses who were kept discreetly outside the city of Rome. She was born on 18 April 1480, and received an unusually broad education, becoming proficient in four main languages, as well as being able to read Latin and Greek.

Before she was even eleven years old, marriage was arranged for her, first with a Valencian noble, then with the Count of Procida. After her father became Pope, that was changed again to a second-rank count in the House of Sforza. Lucrezia married him when she was just thirteen, for the Pope’s political gain.

The papal court soon lost interest in the Sforzas, so the Pope ordered her husband’s execution. Lucrezia warned him, enabling him to flee, and their marriage was annulled on the basis of non-consummation, sparing his life. It’s generally thought that, while awaiting the annulment, Lucrezia had an affair resulting in her pregnancy, and the birth of a son, Giovanni Borgia, although two papal bulls were issued contradicting that, and one another.

When she was eighteen, Lucrezia was married a second time, to Alfonso d’Aragon, the Neapolitan half-brother of her brother-in-law. The following year it was she, rather than her husband, who was appointed governor of Spoleto, and a year later, in 1500, her husband was murdered, apparently on the orders of Lucrezia’s brother Cesare because of changing political allegiances.

Her father, the Pope, then arranged a third marriage, to Alfonso d’Este, the Duke of Ferrara, which proved both more lasting and productive of eight children. However, neither husband nor wife was faithful in the slightest: Lucrezia had a long and thoroughly physical affair with her brother-in-law Francesco Gonzaga, the Marquess of Mantua, Isabella d’Este’s husband, which he had to terminate when his syphilis became too overt to hide any longer.

Lucrezia also had a more emotional affair with the poet Pietro Bembo, who is now commemorated in the font of that name. She fell seriously ill after the birth of her tenth child in June 1519, and died on 24th of that month.

The closest that we have to a portrait of Lucrezia is this panel attributed to Dosso Dossi, and claimed to show Lucrezia Borgia, Duchess of Ferrara from some time between 1519-30. Inevitably that remains a matter of dispute, and doesn’t match contemporary descriptions of her having long and thick blonde hair.

It has been proposed that Lucrezia modelled for the title role of Pinturicchio’s wonderful fresco of St Catherine’s Disputation in the Borgia Apartments in the Vatican Palace. She would therefore be the woman wearing a red cloak over a patterned blue dress to the left of the centre foreground. As this was painted between 1492-94, she would only have been 12-14 at the time, and in the throes of her first marriage.

There are two other contemporary portraits claimed to be of Lucrezia, both painted by Bartolomeo Veneto, and otherwise unidentified.

Veneto’s early Portrait of a Young Lady, probably from about 1500-10, has been thought to have a Ferrarese origin, and one of the beads worn by her is inscribed ‘SAP’. Her hair isn’t blonde, and she’s dressed in sombre clothing bearing emblems of the Passion. If the dating of this work is correct, Lucrezia would have been in her twenties at the time.

The second of Veneto’s paintings claimed to show Lucrezia is more scandalous, and was probably completed shortly after her death. Known as an Idealised Portrait of a Courtesan as Flora (c 1520), it does at least show a blonde, but the Duchess of Ferrara exposing her left breast?

Had those been the only paintings possibly of Lucrezia Borgia, she would hardly have made her mark in art. But Dante Gabriel Rossetti developed an obsession with her, and revived her image on several of his watercolours in the late nineteenth century.

In the first, The Borgias painted in 1851, Rossetti has Lucrezia playing a lute in the midst of her family, two of her children dancing in front. All the figures look disturbingly sinister, particularly the man leaning on her right shoulder.

In 1860, Rossetti returned to her when his interest in her family was rekindled. In Lucrezia Borgia (1860–61), he shows Lucrezia washing her hands in a small sink after she has poisoned her husband Alfonso d’Aragon in 1500. Shown in cameo, in a reflection in the upper left, are Lucrezia’s father, the Pope, helping her husband to walk in order to hasten the effects of the poison and bring about his death. Rossetti revised her face at a later date.

Ten years later, in 1871, Rossetti returned to this same scene and composition, and painted Lucrezia Borgia again. The only minor change is the decoration on the tall pot under the sink.

Among Lucrezia’s children who survived to adulthood, one was the Duke of Ferrara for over fifty years, a second became Archbishop of Milan, and another – Leonora d’Este – was a nun and probably the composer of religious motets. The d’Este family, particularly Isabella, wife of Lucrezia’s lover and brother-in-law Francesco Gonzaga, were major patrons of art in the Renaissance. Isabella was patron to Bellini, Leonardo da Vinci, Mantegna, Perugino, Raphael, Titian, Correggio, Dosso Dossi, and others, but it was Lucrezia who inspired artists as recent as Dante Gabriel Rossetti.

Reference

Wikipedia.

‘Tis impossible to be sure of any thing but Death, Taxes and macOS updates.
(Modified with apology from the original, said by Toby Guzzle in Christopher Bullock’s play The Cobbler of Preston (1716), quoted in turn by Daniel Defoe and most famously by Benjamin Franklin in 1789.)

Last week my iMac Pro was updated against my wishes from macOS Sequoia 15.1.1 to 15.3.1. Although it wasn’t my intention, it proved a relief in two ways, first that my ageing iMac Pro survived the process without losing any data or dying completely, and second that I had at last caught a forced update red-handed. For some years I have been aware of many who suffered a similar fate, where they had been careful to avoid upgrading or updating macOS, but had eventually succumbed to it unwittingly. At last I was able to experience this at first hand, and capture log excerpts to discover just what happened.

Deceit

My conclusions were:

• Software update notifications tricked me into unwittingly agreeing to perform a macOS update.
• That update was expressly against my Software Update settings.
• I was given no second chance to confirm I intended the update to take place.
• The update was scheduled to be performed when my Mac was unattended.
• DAS scheduling and dispatch were unaware of the scheduled backups to be performed later that night, and dispatched the update at a time before those backups were scheduled. Had anything gone wrong in the update, I could have had to fall back on backups made nearly 24 hours earlier, and would have lost a whole day’s changes.

What I’d like to see is a change to the process initiated by opting to perform a delayed update, either later or that night. If the user opts for that, then Software Update should display a clear confirmation dialog, offering options to cancel the update or postpone it further. If the user does accept, then they should be offered a timeframe for the update to be performed, to allow it to be scheduled after any nightly backups.

Above all, the user should never be given a forced choice between updating now or later tonight, and there should always be a third option to defer further.

This has been a long-running flaw in the behaviour of macOS that has shocked and antagonised many users over several years. Although we’re all in favour of Apple encouraging and facilitating us to keep macOS up to date, there’s neither need nor excuse to do so by deceiving us by trickery. Deceit undermines confidence in both Apple and its products and is notoriously bad marketing and support.

This chart shows how I believe the process works, from the initial notification options to starting the update.

Opacity and persistence

During my investigation of how this unwanted update had occurred, I hadn’t expected to meet my old friend Duet Activity Scheduler (DAS). As I traced through the log extracts it became clear that, once the update had been scheduled by DAS, the only way to postpone or abort it would have been to shut the Mac down. Activities scheduled by DAS-CTS are hidden from the user, who has neither awareness nor control over them.

DAS and its linked XPC Activity subsystem, alias Centralised Task Scheduling or CTS, now manage over 500 background activities in macOS, including Time Machine backups and XProtect Remediator scans. They’re one of the few parts of the system that remains almost inaccessible. DAS manages lists of activities that can’t be inspected, and dispatches them according to opaque criteria. Once an activity is scheduled by DAS, there’s no way a user can remove it from its lists, so it will inexorably attain a score sufficient to pass that set by DAS as its threshold. For a few brief moments that activity will be visible among running processes, then vanish again into obscurity.

If I wanted to design persistent code that periodically harvests and send sensitive data to a remote server, DAS-CTS would be highly attractive. As there’s no way to inspect its scheduled activities, no security software could discover the existence of that activity, unless they were fortunate enough to catch it while it’s running briefly. Such activities don’t need a tell-tale LaunchDaemon or LaunchAgent, but can be arbitrary code in a completion handler within an apparently innocent app. They’re run using XPC, but without its formalities or restrictions.

DAS-CTS seems to rely largely on security through obscurity, and opening up inspection of its activity lists could be a valuable first step in preventing its abuse. It has enjoyed a decade since its release in 2014 apparently without being exploited, although its opacity makes it difficult to know that with any confidence. Perhaps it’s time for a reassessment.

This weekend I look at two Italian duchesses, today Isabella d’Este (1474-1539), Duchess of Mantua, and tomorrow her rival Lucrezia Borgia (1480-1519), Duchess of Ferrara, Modena and Reggio, and lover of Isabella’s husband.

Isabella d’Este was an unusually well-educated woman who became one of the best-known of all the Renaissance patrons of art. She was born to the Duke of Ferrara and his wife Eleanor of Naples in 1474, the oldest and favourite of their children. Her mother ensured she received an excellent education, even by male standards of the day, emphasising the classics including Greek and Latin. She seems to have struggled more in learning to read Latin, and in adult life received additional lessons to help her reading skills. She was particularly fond of music, singing and dancing, and learned to play several instruments including the lute and harpsichord. Her taste in music was predominantly secular.

When she was only six years old she was betrothed to Francesco, who was expected to succeed as Marquess of Mantua, a city and small province in Lombardy, about a hundred miles (160 km) from Venice. They were married by proxy ten years later, by which time the young Francesco had inherited both title and realm, which he was to rule until his death in 1519. He was also the commander-in-chief of the army of the Republic of Venice, which frequently took him away from their palace in Mantua. In 1509, he was held captive as a hostage in Venice, and wasn’t released for three years.

Although Isabella had eight children between 1493-1508, six of whom survived into adult life, a remarkably high figure for the time, her marriage was blighted by Francesco’s sexual incontinence. His most famous affair was with the notorious Lucrezia Borgia, which started in 1503, and only came to an end when Francesco contracted syphilis from his contacts with prostitutes.

In contrast, Isabella seems to have lived a virtuous life and became an accomplished statesman and diplomat, with shrewd political judgement even when dealing with the likes of Cesare Borgia. She saw Mantua promoted to a Duchy, and ruled it from the death of Francesco in 1519 until her son Federico came of age some years later. She still hankered after political involvement, and in 1527 moved to Rome. On her return to Mantua, she promoted the education of girls and finally took charge of the town of Solarolo until her death in 1539, at the age of 64.

Isabella started to collect objets d’art soon after she moved to her palace in Mantua. As far as paintings are concerned, she was foremost a collector who relied on the advice of others in the court, rather than a connoisseur in her own right. Surprisingly, her purchases had to be made from her own wealth, which was quite limited, and in times of hardship she resorted to pawning jewellery to raise funds. Her patronage concentrated mainly on music and sculpture. She was unusual for promoting women as singers and placing them in choirs. Her literary sponsorship was limited: she seems to have enjoyed swashbuckling stories of chivalry, such as those in Ludovico Ariosto’s Orlando Furioso, and was a loyal supporter of his work.

Her sponsorship and taste in paintings is largely reflected in the works she commissioned for her private study, her famous studiolo, which thankfully have been well preserved as they passed to the French Kings, and most are now in the Louvre as a result. Combined with records in her copious correspondence and a crucial inventory, her studiolo has been reconstructed in detail. Her period of collecting covered the appointments of two court painters in Mantua: Andrea Mantegna until his death in 1506, thereafter Lorenzo Costa. When Isabella was most active in collecting paintings in the early 1500s, Mantegna was around 70 years old, and Costa in his forties.

Mantegna arranged to be recommended to Isabella through her former tutor, but his first attempt to impress her with a portrait in 1493 met with a stony reception: Isabella declined it as being so badly painted that it didn’t resemble her.

Despite that discouraging start, her first commission for a painting for her study was awarded to Mantegna, for his painting of Mars and Venus, known better as Parnassus (1496-97). She had apparently grown to like his finely finished and old-fashioned tempera paintings, and the artist probably painted this largely in tempera, only for it to be repainted using oils after his death.

This refers to the classical myth of the affair between Mars and Venus, the latter being married to Vulcan, who caught them in bed together and cast a fine net around them for the other gods to come and mock their adultery. The lovers are shown standing together on a flat-topped rock arch, as the Muses dance below. To the left of Mars’ feet is Venus’ child Cupid aiming his blowpipe at Vulcan’s genitals, as he works at his forge in the cave at the left. At the right is Mercury, messenger of the gods, with his caduceus and Pegasus the winged horse. At the far left is Apollo making music for the Muses on his lyre.

It’s an unusual theme for a woman of the time to have chosen, although it has largely been interpreted with reference to a contemporary poem that seems less concerned with the underlying story of adultery exposed.

A couple of years later, Isabella returned to commission Mantegna to paint a more moralistic allegory of The Triumph of the Virtues, or Pallas Expelling the Vices from the Garden of Virtue (1499-1502), again largely in tempera. The scene is a garden with a pond, near a river meandering down to a lush valley in the distance. Inside its arched perimeter Pallas Athena, at the left with her distinctive helmet and shield, is chasing away figures representing the Vices.

At the far left is a tree representing Virtue Deserted, and to the right of Athena’s feet is the armless Vice of Idleness. Also in the pond is a centaur who carries a standing figure, usually read as Diana, on its back. At the far right is the Virtue of Prudence represented as a message from within her prison, and in the sky are the Virtues of Justice, Temperance and Fortitude.

An unusual and personal twist indicating the extent of Isabella’s involvement in this composition is Athena’s spear. Although one of her normal attributes, its head has broken off and rests on the ground. This is a reference to a broken lance that Francesco presented to Isabella following his command of the Holy League (Venetian) forces at the Battle of Fornovo in 1495.

After Leonardo da Vinci had painted The Last Supper, he visited the court at Mantua, where he made this chalk Portrait of Isabella d’Este (c 1499-1500). Isabella apparently disliked wasting time sitting for portraits, and this elegant profile is one of few known to have been made of her. Leonardo and Isabella corresponded afterwards, she inviting him to undertake commissions for her including one for a painting of Christ at the age of twelve, but he turned her offers down.

She was also unsuccessful in getting Giovanni Bellini to paint a proper commission for her. She had originally asked him in 1496 to paint an allegory, no doubt destined for her study, but by late 1502 she reluctantly wrote that she’d settle for a Nativity so long as it included Joseph, “the beasts” and Saint John the Baptist. Bellini refused to include the last of those, which she finally agreed to. His painting arrived in 1504, but that work now appears to be lost. Isabella asked Bellini a third time in 1505, promising not to hold him to any detailed description of the painting, but nothing came of that.

Isabella’s third painting was made by another artist reaching the end of his career, Pietro Perugino (1448–1523), who is believed to have taught Raphael. The latter may have been working for Perugino at the time that his former master painted The Combat of Love and Chastity in 1503, using Mantegna’s favourite medium of tempera despite Perugino’s accomplishment in oils.

Mantegna worked in Mantua, so little of Isabella’s correspondence gives insight into the process of his commissions. She had to write to Perugino, though, and there’s a trail of letters revealing how much detail she specified about this work, even supplying a drawing. Its theme is literary, as laid down in the contract by Isabella’s court poet, and shows a fight between the personifications of Love and Chastity, which may have worked well in words but doesn’t translate into visual art at all well.

It features a gamut of mythological figures in no particular order, including Apollo and Daphne, Jupiter and Europa, Polyphemus and Galatea, and Pluto and Proserpina – all couples in which the man abducted and/or raped the woman. In front is Pallas Athene about to kill Eros with a lance, and a more even match between Diana with her bow and Venus, who is singeing the huntress with a burning brand. Isabella laid out strict instructions, for example requiring that Venus, who is traditionally shown naked, was clothed. Even the owl perched in the branches of the sacred olive tree at the left was prescribed in the commission. When Perugino didn’t follow these, she protested, and on completion she wrote that it should have been better finished to set alongside her Mantegnas, and was clearly unimpressed. For this the artist was paid a mere 100 ducats.

Isabella then turned to Lorenzo Costa (1460–1535) for The Garden of the Peaceful Arts or The Crowning of a Female Poet (1504-06), painted in oil and tempera. Mantegna had originally been commissioned to paint this, but died before he could make much progress. Costa started from scratch, and under Isabella’s direction according to her poet’s literary theme produced this strange painting often known as an allegory of Isabella’s coronation, or construed as an account of Sappho’s career.

Figures identified include Diana, at the front on the right, and Cadmus, but reading this work coherently now seems impossible.

Another commission that Mantegna had started to work on before he died was completed by Costa in 1511, The Reign of Comus, again using tempera for a complex composition. Comus, ruler of a land of bacchanalia, sits talking to a near-naked Venus in the left foreground. Just to the right of the centre foreground, Nicaea is lying unconscious through alcohol, against Dionysus (Bacchus), who got her into a stupor so that he could rape her.

Under the arch is the unmistakable two-faced Janus with Hermes, apparently repelling potential newcomers to the bacchanal. In the centre is a small group of musicians, and various naked figures are cavorting in the waters behind.

Isabella is believed to have commissioned other paintings that weren’t destined for her study, including some religious works.

One surviving painting that appears to have been commissioned by Isabella but remained outside the private world of her study is by Francesco Bonsignori (1460–1519), who made this chalk study of Isabella d’Este in 1519.

Bonsignori’s painting of the Blessed Osanna Andreasi followed later that year. This beatified Mantuan woman was the daughter of a Gonzaga, who started reporting visions when she was only six. She rejected an arranged marriage and secretly took orders, becoming a Dominican tertiary. She developed stigmata, learned to read and write in a miracle, and became a mystic. She died in Mantua in 1505, and Isabella led the campaign for her veneration.

Isabella is shown in profile, kneeling at the left, with her lifelong friend Margherita Cantelma. On the right, among the Dominican nuns, is Isabella’s daughter Ippolita, one of three of her children who took holy orders.

Late additions to Isabella’s study were a pair of tempera allegories by Antonio da Correggio (1489–1534), Allegory of Vices (1529-30) above, and Allegory of Virtues (1531) below. The latter reflects a detailed commission, as it shows once again Pallas Athena holding the broken spear that Francesco had brought back from battle for Isabella.

Inevitably, her portrait was painted by Titian (1490–1576). The original version from 1523 was made from life, but in about 1536, when she was in her early sixties, she sent an old portrait made by Francia in 1511 for Titian to paint from, with suitably updated fashionable dress of the day. The result is the anachronistic Isabella d’Este, Duchess of Mantua, which flatters more than it reveals.

With few exceptions, Isabella’s commissions were very personal, so much so that their elaborate stories and allegories are now elusive. More than one of the artists who painted for her must, at some stage, have wished that she had learned to paint. Those masters were used as proxy craftsmen, to turn the words of her court poet into images for her study. No doubt she amazed distinguished guests by explaining their symbols and references when they were taken on a tour of her collection.

Isabella’s understanding of visual art was limited, her paintings fascinating, but of no consequence to the Renaissance or the history of painting. For the great masters of the day, who were changing art history by their paintings, Isabella’s commissions were to be avoided like the plague. They would have been archaic in style, stifled original creation, and could only have led to great dissatisfaction for all concerned.

Isabella d’Este was an outstanding example of what education and ability can achieve, and a great woman of any age. But as far as painting is concerned, her reputation as a great and influential patron is at best misleading.

References

Wikipedia.

Alison Cole (2016) Italian Renaissance Courts: Art, Pleasure and Power, Laurence King, ISBN 978 1 78067 740 8.
Christine Shaw (2019) Isabella d’Este, A Renaissance Princess, Routledge, ISBN 978 0 367 00247 3.