Tech is a garbage industry filled with people making garbage decisions

I work with some great people in the tech space. But the fact that there are terrific people in tech is not a valid reason to ignore how garbage our industry can be. It’s not even that we do bad things intentionally, we’re just oblivious to the possible bad outcomes. There are a number of paths by which I could come to this conclusion, but two recent stories prompted this post.

Can you track me now?

The first was an article last Tuesday that revealed AT&T, T-Mobile, and Sprint made it really easy to track the location of a phone for just a few hundred dollars. They’ve all promised to cut off that service (of course, John Legere of T-Mobile has said that before) and Congress is taking an interest. But the question remains: who thought this was a good idea? Oh sure, I bet they made some money off of it. But did no one in a decision-making capacity stop and think “how might this be abused?” Could a domestic abuser fork over $300 to find the shelter their victim escaped to? This puts people’s lives in danger. Would you be surprised if we learned someone had died because their killer could track them in real time?

It just looks like AI

And then on Thursday, we learned that Ring’s security system is very insecure. As Sam Biddle reported, Ring kept unencrypted customer video in S3 buckets that were widely available across the company. All you needed was the customer’s email address and you could watch their videos. The decision to keep the videos unencrypted was deliberate because (pre-acquisition by Amazon), company leadership felt it would diminish the value of the company.

I haven’t seen any reporting that would indicate the S3 bucket was publicly viewable, but even if it wasn’t, it’s a huge risk to take with customer data. One configuration mistake and you could expose thousands of people’s homes to public viewing. Not to mention that anyone on the inside could still use their access to spy on the comings and goings of people they knew.

If that wasn’t bad enough, it turns out that much of the object recognition that Ring touted wasn’t done by AI at all. Workers in the Ukraine were manually labeling objects in the video. Showing customer video to employees wasn’t just a side effect of their design, it was an intentional choice.

This is bad in ways that extend beyond this example:

Bonus: move fast and brake things?

I’m a little hesitant to include this since the full story isn’t known yet, but I really love my twist on the “move fast and break things” mantra. Lime scooters in Switzerland were stopping abruptly and letting inertia carry the rider forward to unpleasant effect. TechCrunch reported that it could be due to software updates happening mid-ride, rebooting the scooter. Did no one think that might happen, or did they just not test it?

Technology won’t save us

I’m hardly the first to say this, but we have to stop pretending that technology is inherently good. I’m not even sure we can say it’s neutral at this point. Once it gets into the hands of people, it is being used to make our lives worse in ways we don’t even understand. We cannot rely on technology to save us.

So how do we fix this? Computer science and similar programs (or really all academic programs) should include ethics courses as mandatory parts of the curriculum. Job interviews should include questions about ethics, not just technical questions. I commit to asking questions about ethical considerations in every job interview I conduct. Companies have to ask “how can this be abused?” as an early part of product design, and they must have diverse product teams so that they get more answers. And we must, as a society, pay for journalism that holds these companies to account.

The only thing that can save us is ourselves. We have to take out our own garbage.

We can’t replace Facebook with personal websites

Facebook is a…troublesome…company. The rampant disregard for personal privacy or the negative effects of the platform are concerning at best and actively evil at worst. So it’s no surprise that Jason Koebler’s recent Motherboard article about replacing Facebook with personal websites got a lot of traction, particularly among my more technoliterate friends.

But it’s not as easy a solution as that. In the late 90s and early 00s, we had a collection of personal websites. There’s a reason that the centralized social media model (MySpace, Facebook, etc) took hold: a decentralized social network is hard.

The first hard part is getting people to use it. Facebook, to a degree not previously seen, made it really easy for the average person to have an online presence. They could easily share updates and post photos without having to know much of anything about computers or the Internet. They don’t have to worry about keeping anything except their content up-to-date.

The other hard part is connecting to those other people. It’s easy to broadcast your message out to the world. It’s harder to find those you want to keep up with. If someone is on Facebook, they’re findable. If you’re not sure it’s the John Doe you’re looking for, you have additional contextual cues like mutual friends, etc to make it more clear. That’s less clear with John Doe’s WordPress site.

And Facebook provides more social features. You can tag your friends in photos (for better and worse). It has group communication features. It has event management. It provides access control. Sure, you could put a decentralized version of that together, but that increases the complexity. At some point, if you want it to be widely used outside of the tech community, you need some kind of centralized service to act as a directory. And then at that point, why not just make the centralized service the host?

I’m not saying that a company like Facebook is inevitable. With regulation or better ethics (or both!) Facebook or a service a lot like it could provide similar value without trampling on democracy and privacy. But it’s clear that “just have a personal website” is not a real replacement for Facebook.

So long, Google Voice

I signed up for Google Voice in about 2008 or 2009. This was back when providers actually charged you for text messages and I didn’t really use them. So I registered for an account and didn’t do a whole lot with it until I changed jobs and ended up in the basement. RIP cell phone signal. Google Voice made it possible to call one number and ring either my cell phone if I was above ground or my office phone if I was in the office.

It turns out that was pretty useful to me, so by the time I was moved to a different office, my Google Voice number was the number I told everyone to use. Being able to text and make phone calls from my web browser was a great feature. But as carriers started catching up, Google Voice sat stagnant. I braced myself for Google to decide they were going to drop the service.

Instead, they finally added the ability to send and receive pictures. In 2014. For a long time, that was only available if you used Hangouts for your Voice messages. But then the Voice app got support and all was right with the world. Unless you wanted to do videos. It’s something Google is supposedly close to rolling out.

But a few weeks ago, I bought a Samsung Galaxy Watch. That meant making phone calls or sending texts would come from my carrier number. Since I’ve been giving people my Google Voice number for nearly a decade, I figured that would just lead to confusion. So I decided to ditch Google Voice and port my number to my carrier.

It was fairly straightforward, albeit slightly slow. This is apparently due to the fact that Google Voice numbers are treated as landlines, so there’s more process involved. But not getting texts reliably for a few days was much easier than trying to get everyone to switch to using a new number for me.

I decided that the features I use are more important than the features I don’t use. I haven’t had Google Voice forward to anything except my cell phone for years. T-Mobile’s DIGITS service provides the web-based functionality I got from Google Voice (admittedly not quite as well, but I expect they’ll catch up). While I don’t often talk to my phone, the fact that Google Assistant can’t use Google Voice to send messages is a longstanding frustration.

Google had a chance to really make a great product here. Apart from search and GMail, Google Voice was the most valuable Google service for me. But the years of seeming neglect finally took their toll. Maybe some day I’ll move my number back, but for right now, I don’t really miss it.

Naming your files is important

I recently shared a Tweet about file names.

The inspiration for this was adding a new podcast to my podcatcher. For reasons that are mostly nerdy, I use bashpodder. I run it a couple of times an hour during my waking hours and stream or copy the files to whatever device I happen to be at. It’s a setup that works pretty well for me in general.

The downside is that all of the files get dumped into a directory by date. Some podcasts (e.g. Marketplace) do a good job of naming files: I know what show it is and when it’s from just by looking at the file name. Others use the network (e.g. “GLT” for Gimlet Media) and a string of numbers without any obvious meaning. The worst offender is Art19.com, from where I get “The Greatest Generation” and Akimbo. Those shows have UUIDs as filenames.

I can understand why, on the backend, that is beneficial. The files themselves are just one part of (I assume) a database of shows. No human ever has to touch it, so you might as well name it in a way that minimizes the risk of a naming collision. But it’s extremely hostile to the user.

I suspect that most podcast listeners these days use an app and don’t directly download the files. But for those that do, sane file names are important. A friend asked about using just the date as the file name, as he apparently does for recordings from his church. That’s even worse, because it assumes that the listener saves them in a unique location.

When it comes to media that you intend for others to download, it’s vitally important to not make any assumptions about how they will store it. Maybe they save everything to their Downloads folder and never move it. If two separate items were produced on the same day, one of them will potentially get overwritten. That’s probably not what you want to happen.

Wrists on with the Samsung Galaxy Watch

I’ve owned the same watch for two decades or so. It’s a Timex Expedition that I paid about $25 for. I’ve paid far more than that to replace batteries over the years. But recently I decided to get a new watch, so I popped into the T-Mobile store to get the Samsung Galaxy Watch.

The style is nice. The 42mm body fits my wrists well. While the strap won’t win any design awards, it’s unobtrusive. Of course, the face can be whatever you want. I have the “Analog Utility” face, but in fancier situations, I might set it to something a little more elegant. Or not.

Setting up the watch was simple. I like that I can decide which apps will notify on the Watch. The Galaxy Wearable app on my phone made it simple to apply updates and install new apps to the Watch. Of course, the app selection for the Tizen operating system is pretty limited. Samsung Health and replies to incoming texts and Facebook Messenger messages are about the limit of my usage so far.

Composing those replies has been a trip. The default input method is to write the letters with a finger. That generally works pretty well, but the character set is limited. Typing on the T9 option takes some getting used to, since it isn’t the T9 you remember from your featurephone days. Speech-to-text is…underwhelming. It’s clear that Bixby is not in the same league as Google Assistant.

The battery life is pretty good. I’ve been wearing my Watch all night and charging it during the day when I’m at my desk. Even over the weekend, it doesn’t take long on the wireless charger to get enough juice. I could probably get close to two days without charging. Longer would be nice, but this is good enough for me.

I have the built-in SIM, although I haven’t used the Watch away from the phone yet. I can’t see myself doing that too often. But using it for payment instead of pulling out my phone is slightly more convenient. Samsung Pay makes it easy to quickly select which card I want to use. Still, I’m more likely to have already pulled out my wallet by the time I realize that using Samsung Pay is an option.

What’s been most interesting to me is how the Watch has changed my behavior. I’ve noticed I have my phone out less now because I can get notifications on my wrist. From there I can decide whether to pull out my phone or just wait a bit. As a parent who sometimes gets too distracted by his phone, I appreciate this. I also like that it can count my steps without having to remember to put my phone back in my pocket. Having sleep data and heart rate data is interesting, although I haven’t done much with it. I see that data as something to look at retrospectively.

In all, I’m pretty happy with the Galaxy Watch. It won’t last as long as my Timex, but if I get a few solid years out of it, I’ll probably buy a new one.

Why subscribe to a newsletter you don’t read?

Why would you subscribe to a newsletter that you don’t read? I mean, maybe you intend to. Maybe it’s sitting there in your inbox unread just waiting for you to get around to it Real Soon Now. Or maybe you filter it off to some folder where email goes to die. I get that. I do that all the time.

No, what I’m thinking about is the case where an obvious spam account signs up for a newsletter. As of this writing, my newsletter has 283 subscribers — a number that has grown 27% in the past month. But only 40 people at most have ever opened it. The number of opens has stayed relatively constant even as the subscriber count has gone up.

So why do I think the accounts are spam? For one, there’s the fact that most of them haven’t opened any newsletters. Sure, maybe there’s a reason for that. But also they look…spammy. The addresses are often yahoo or other domains that have fallen out of favor. The names represented by the addresses don’t look like the names of people I know. I can’t imagine why people I do know read my newsletter, never mind why strangers would. Taken all together, I feel safe calling many of these accounts spam.

But to what end? I understand spam accounts on Twitter liking random posts in the hopes that someone will look at the profile and click a link to whatever thing someone’s trying to peddle. Or maybe follow the account and get clicks that way. That makes sense to me. But what can a spammer do with a newsletter subscription? Is it a really crappy denial of service attack? Do they hope that after a few years my subscriber list will exceed Mailchimp’s free tier? Maybe it’s done to hide nefarious activity in a flood of confirmation emails. That seems like the most likely answer, but it doesn’t seem very efficient. Then again, I’m not a spammer, so what do I know?

If everyone followed good password advice, we’d be less secure

Passwords are hard. To be useful, they must be hard to guess. But the rules we put in place to make them hard to guess also make them hard to remember. So people do the minimum they can get away with.

Earlier this week, security company Webroot took a look at the unintended consequences of password constraints. The rules organizations set in order to ensure passwords are sufficiently complex reduce the total number of possible passwords. This can make automated password guessing more

Good passwords are easy for the user to remember and hard for computers and other humans to guess. Let’s say I wanted to use a password like 2Clippy2Furious!! Various password checking sites rate it highly. It’s 18 characters long and contains upper- and lower-case letters, digits, and special characters. But because it contains consecutive repeating letters, some companies won’t allow it.

Writing for Webroot, Randy Abrams says “it’s length, not complexity that matters.” And he’s right. That’s the point behind the “correct horse battery staple” password in XKCD #936. So let’s all do that, right?

Well…it’s not so simple. If I were trying to brute force passwords, and I knew everyone was using four (or five or six) words, suddenly instead of “CorrectHorseBatteryStaple” being 26 characters, it’s four. Granted, the character set goes from 95 to (using /usr/share/dict/words on my laptop) 479,828. “CorrectHorseBatteryStaple” is many powers of 10 more secure if the attacker doesn’t know you’re using words.

And let’s be real: they don’t. This hypothetical weakness has a long time before it becomes a real concern. Don’t believe me? Just look at the password dumps when a site gets hacked. There are a lot of really bad passwords out there. If we took all the constraints off (except for minimum length), people would just use really dumb, easily-guessed passwords again. But it amuses me that if everyone followed good password advice, we’d actually make it worse for ourselves. Passwords are hard.
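The comparison above, worked through as an added example (not code from the original post): the same passphrase is scored once as a string of characters and once as a sequence of dictionary words, and the lower figure is what it is worth against an attacker who knows the scheme. The 95-character set and the 479,828-word dictionary size are the post's figures; `SAMPLE_WORDS` and all function names are constructed for illustration.

```python
import math

CHARSET_SIZE = 95       # printable ASCII, the figure used in the post
DICT_SIZE = 479_828     # the post's /usr/share/dict/words count

# Constructed stand-in for a real dictionary; only used to split the samples.
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "clippy", "furious"}


def split_into_words(password, words=SAMPLE_WORDS):
    """Split the whole password into dictionary words (fewest words wins).

    Returns the list of words, or None if any part is not a dictionary word.
    """
    s = password.lower()
    best = [None] * (len(s) + 1)   # best[i] = fewest-word split of s[:i]
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            piece = s[start:end]
            if best[start] is not None and piece in words:
                candidate = best[start] + [piece]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(s)]


def char_model_bits(password):
    """Guess space in bits if the attacker tries every character string."""
    return len(password) * math.log2(CHARSET_SIZE)


def word_model_bits(n_words):
    """Guess space in bits if the attacker tries every n-word combination."""
    return n_words * math.log2(DICT_SIZE)


def words_needed(target_bits):
    """Randomly chosen words needed to reach target_bits under the word model."""
    return math.ceil(target_bits / math.log2(DICT_SIZE))


def estimate(password):
    """Score a password under both attacker models."""
    words = split_into_words(password)
    char_bits = char_model_bits(password)
    word_bits = word_model_bits(len(words)) if words else None
    effective = char_bits if word_bits is None else min(char_bits, word_bits)
    gap = None if word_bits is None else (char_bits - word_bits) * math.log10(2)
    return {
        "words": words,
        "char_bits": char_bits,
        "word_bits": word_bits,
        "effective_bits": effective,   # strength once the scheme is known
        "gap_powers_of_10": gap,       # how much the word model shrinks the search
    }


if __name__ == "__main__":
    for sample in ("CorrectHorseBatteryStaple", "2Clippy2Furious!!"):
        print(sample, estimate(sample))
    print("words for 128 bits:", words_needed(128))
```

The word-model figure only holds when the words are picked at random; words a person chooses themselves come from a much smaller effective dictionary.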

Sidebar: Yes, I know

The savvier among you probably read this and thought “it’s better to use a random string that you never have to memorize because your password manager handles it for you. Just set a very long and memorable password on that and you’re good to go.” Yes, you’re right. But people, even those who use password managers, will often go to memorable passwords for low-risk sites or passwords they have to use often (e.g. to log in to their computer so they can access the password manager). 

You are responsible for (thinking about) how people use your software

Earlier this week, Marketplace ran a story about Michael Osinski. You probably haven’t heard of Osinski, but he plays a role in the financial crisis of 2008. Osinski wrote software that made it easier for banks to package loans into a trade-able security. These “mortgage-backed securities” played a major role in the collapse of the financial sector ten years ago.

It’s not fair to say that Osinski is responsible for the Great Recession. But it is fair to say he did not give sufficient consideration to how his software might be (mis)used. He told Marketplace’s Eliza Mills:

Most people realized that we wrote a good piece of software that we sold in the marketplace. How people use that software is … you know, you really can’t control that.

Osinski is right that he couldn’t control how people used the software he wrote. Whenever we release software to the world, it will get used how the user wants to use it — even if the license prohibits certain fields of endeavor. This could be innocuous misuse, the way graduate students design conference posters in PowerPoint or businesspeople use Excel for all conceivable tasks. But it could also be malicious misuse, the way Russian troll farms use social media to spread false news or sow discord.

So when we design software, we must consider how actual users — both benevolent and malign — will use it. To the degree we can, we should mitigate against abuse or at least provide users a way to defend themselves from it. We are long past the point where we can pretend technology is amoral.

In a vacuum, technological tools are amoral. But we don’t use technology in a vacuum. The moment we put it to use, it becomes a multiplier for both good and evil. If we want to make the world a better place, we cannot pretend it will happen on its own.

“You’ve been hacked” corrects behavior

Part of running a community means enforcing community norms. This can be an awkward and uncomfortable task. I recently saw a Tweet that suggests it might be easier than you thought:

It’s nice because it’s subtle and gives people a chance to self-correct. On the other hand, there’s some value in letting community members (and potential community members) see enforcement actions. Not as a punitive measure, but as a signal that you take your code of conduct seriously.

This won’t work for every case, but I do like the idea as a response to the first violation, so long as it’s a minor violation. Repeated or flagrant violation of the community’s code of conduct will have to be dealt with more strongly.

Twitter interactions are not a polling mechanism

Way back in the day, clever Brands tried to conduct Twitter polls by saying “retweet for the first choice and favorite (now like) for the second choice.” This was obviously very prone to bias. The first choice’s fans will spread the poll, so virality favors the first option. But it was also the best choice available, other than linking to an external poll site (which means a much lower interaction rate).

Then Twitter introduced native polls. Now you can post a question with up to four answers. It even makes a nice bar chart of the results. Twitter interactions are not a polling mechanism, so why are you using them?!

The answer lies in the word “interaction”. Social media interactions are a way for Brands to measure the success of their social media efforts. Conducting polls via interactions instead of the native polling mechanism is a cheap way to drive up interactions. It’s a good indication that you’re not interested in the answers. People who want actual answers can use polls.

This concludes today’s episode of “Old man yells at cloud”.