STOPTHEMADNESS SHIPS ON IOS & MAC OCSP APPOCALYPSE: MACOS CAUGHT PHONING HOME UNENCRYPTED SIX MONTHS OF APPLE SILENCE, THEN FULL DISCLOSURE PHILOSOPHY DEGREE, OBJECTIVE-C HABIT LAPCAT SOFTWARE EST. 2016 STOPTHEMADNESS SHIPS ON IOS & MAC OCSP APPOCALYPSE: MACOS CAUGHT PHONING HOME UNENCRYPTED SIX MONTHS OF APPLE SILENCE, THEN FULL DISCLOSURE PHILOSOPHY DEGREE, OBJECTIVE-C HABIT LAPCAT SOFTWARE EST. 2016
Jeff Johnson, illustrated portrait
Lapcat Software // Indie Mac & iOS

Jeff Johnson

He reads Apple's privacy promises closely enough to notice the exact moment they quietly disappear. Then he files the bug report.

StopTheMadnessPrivacyObjective-C Safari ExtensionsOCSP Appocalypse
Share this profile X / Twitter LinkedIn Facebook Instagram
The Profile

Jeff Johnson works alone, and that is precisely why one of the world's largest companies keeps having to answer his questions. From a one-person studio called Lapcat Software, he writes the apps that hand your browser back to you and the blog posts that catch Apple doing things it would rather you not see.

Open Safari, click a link, try to copy a sentence, and discover the website won't let you. Somewhere a developer decided your right-click menu was theirs to disable. Johnson's answer to that small daily indignity is StopTheMadness, an extension that quietly restores cut, copy, paste, drag, drop, autocomplete and the context menu the moment a site tries to break them. It is the rare privacy tool that fixes something you can feel in your hands within five seconds of installing it.

That instinct - that the computer belongs to the person using it - runs through everything he ships. StopTheFonts. StopTheScript. Link Unshortener, which peels open the tracking redirects hiding behind shortened URLs. Homecoming for Mastodon. Bonjeff, his open-source window into the Bonjour services humming on your local network. The names are blunt and a little funny. The code underneath is not joking.

"I never want any data sent to Apple unless I'm directly, intentionally using an Apple service such as browsing an online store, or manually checking for software updates." - Jeff Johnson

The OCSP Appocalypse

In November 2020, Mac users discovered their machines slowing to a crawl. Apps refused to launch. The cause turned out to be a service called OCSP - a behind-the-scenes check that phones Apple every time you open an application to confirm its developer certificate hasn't been revoked. When Apple's server hiccuped, the whole platform stuttered.

Johnson had been pulling at that thread already. He was among the first to point out that the traffic was running unencrypted over the open internet, meaning anyone between you and Apple could watch which apps you opened and when. The episode got a name that stuck: the OCSP appocalypse. Apple promised a user-facing opt-out. Johnson kept the receipts, and later documented that the promised setting never fully arrived.

This is the pattern. A year earlier, in December 2019, he had reported a macOS privacy-protection bypass to Apple's Security Bounty program. He asked for status updates in January, in April, in June. Six months of silence. So he published the entire thing, walking the public through a hole that Mojave, Catalina, and Big Sur all shared.

2016Went Indie
269Stars on Bonjeff
8 yrsAt Rogue Amoeba
ManyCVE Credits

A Philosopher Who Ships

Before the Objective-C, there was Aristotle. Johnson holds a bachelor's and a master's in philosophy from the University of Wisconsin-Madison, which explains a great deal about how he argues. He is unusually careful about the difference between a claim and an assumption, and he treats Apple's public statements like a logician treats a proof: every step has to hold, and a quietly removed setting is a step that doesn't.

When critics insisted he wasn't enough of a cryptography expert to question Apple's Enhanced Visual Search feature, he didn't reach for jargon. He reached for first principles. "It doesn't take an expert to make these decisions," he wrote. "They're very personal decisions, to be made by each user independently." Then he noted, dryly, that he'd "managed to bring more attention to Apple's blog post than Apple itself did."

"

It doesn't take an expert to make these decisions. They're very personal decisions, to be made by each user independently.

"

I'm just a software developer. I'm also wise enough to know my limitations.

"

Those complaining about Apple's current Mac lineup are not haters, they're lovers. They've spent 10+ years and 5+ figures on Macs.

"

I never want any data sent to Apple unless I'm directly, intentionally using an Apple service.

Twenty Years of Other People's Code

Lapcat is the headline, but Johnson has been shipping Mac software since the mid-2000s. He spent eight years at Rogue Amoeba - the studio behind Audio Hijack - writing what the company described as "rock-solid code" for Airfoil, Intermission, Pulsar, and Radioshift. Earlier he built Knox, a Mac encryption tool that AgileBits later folded into the 1Password universe, and a pile of internal developer tools with names like Radar, Sonar, and Espresso.

He co-led Vienna RSS, the open-source feed reader, and administered ClickToFlash, the plugin a generation of Mac users installed to put a leash on Flash. Two decades in, he still writes a lot of Objective-C while the rest of the industry sprints toward Swift - not out of stubbornness, but because the old language does exactly what he tells it to.

StopTheMadness

Stops websites from breaking copy, paste, and your right-click menu in Safari.

Link Unshortener

Unwraps shortened, tracking-laden URLs before you click them.

Bonjeff

Open-source live view of every Bonjour service on your network. 269 stars.

StopTheFonts

Blocks remote web fonts, a quiet vector for tracking and bloat.

Homecoming

A companion utility for navigating Mastodon more sanely.

PrivateWindow

Open Safari URLs in private or non-private windows on demand.

The Long Argument

In 2023 he left Twitter "forever" and rebuilt his audience on Mastodon, where thousands now follow a feed of bug reports, Apple critiques, and the occasional joke. The blog, The Desolation of Blog, keeps going regardless of platform. As recently as March 2026 he was documenting how Apple has been steadily stripping user-facing privacy controls out of Safari across both macOS and iOS - the same vigilance, the same receipts, a new chapter.

The handle says it all. "Lapcat" is a small nested joke: the cat sits on the lap, the lap holds the Mac. It is cozy, a little absurd, and entirely his own - which is more or less the philosophy of a developer who decided that the most radical thing he could do was make software that simply does what the user wants, and then say so out loud when the platform doesn't.

  • Holds both a B.S. and an M.A. in philosophy from the University of Wisconsin-Madison.
  • The company name "Lapcat" is a pun - the cat sits on the lap that holds the Mac.
  • Still writes plenty of Objective-C in a Swift-first era.
  • Popularized the phrase "OCSP appocalypse" for Apple's 2020 certificate-check outage.
  • Carries a long list of CVE security credits across macOS, Safari, iOS, and WebKit.

Find Jeff Johnson

WebsiteLapcat Softwarelapcatsoftware.com AppsUnderpass App Co.underpassapp.com CodeGitHubgithub.com/lapcat SocialMastodon@lapcatsoftware ArchiveX / Twitter@lapcatsoftware WritingThe Desolation of Bloglapcatsoftware.com/articles
URL copied to clipboard