Adam Fields (work stuff)

This is my blog about work stuff. See this post for discussion of what this blog is about and what I do. I am sometimes (rarely these days) available for consulting work, and always happy to discuss it even if I'm currently very busy. Email me or find me as @fields on Twitter or app.net if you need something.

My main focus at the moment is acting as Chief Architect of Graphika. We specialize in community and influencer identification in social media, and tools to turn that information into business results.

May 22nd, 2019 (Wed)

Avoid the dangerous conclusions of Google’s basic account hygiene study

Google recently published the results of a study to get actual data on how to keep accounts secure. They conclude that phone number verification (e.g.: SMS 2FA) works and is effective in a large number of cases. 

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”

While it’s true that this will stop _most_ attacks, the important thing is the ones that it doesn’t. If you’re specifically targeted, and specifically if you’re targeted by SIM hijacking, SMS 2FA will not only do nothing to protect you, it may even provide an easier attack surface for someone to compromise your accounts. Every day seems to bring another story of someone who was targeted for a crypto wallet or their Instagram or Twitter account, and their SMS 2FA was bypassed by SIM hijacking.

The conclusions of this study are interesting, but primarily in an academic way. If you’re _only_ at risk for automated compromise, SMS 2FA will help you. But if you’re at any risk of targeted account compromise (which is getting easier every day, and who knows what you have that’s valuable to someone), SMS 2FA will do you more harm than good. The only excuse for using SMS 2FA is that it’s convenient. We should deprecate it entirely in favor of TOTP with site verification (which 1Password does with their browser extensions) or hardware keys (YubiKeys are the most common, but until they’re wirelessly supported on iOS, this is a non-starter for a lot of folks). Apple should stop making it easy for users to use by populating codes from Messages, and support TOTP seeds in keychain. Web application creators should stop pushing SMS verification on people and switch to TOTP. If you have that option instead of SMS 2FA, use it. If you don’t have that option, ask for it. Companies won’t know they should change unless you tell them. I’ve had several services I use switch after I expressed concern.

If you’re forced to use SMS 2FA, and probably even if you aren’t, you should have a transfer PIN on your wireless account. Here’s a guide to get started with the common wireless carriers: https://clark.com/scams-rip-offs/sim-hijacking-how-to-add-pin-mobile-phone/

Dec 10th, 2018 (Mon)

Some thoughts on the history and future of the iPad

Since the introduction of the original slabby iPad, this little mobile-but-not-pocket device has been and remained my favorite computing platform. It’s the first computer I use in the morning, and the last one I use before I go to bed at night. I primarily read news on it, watch videos, browse photos, and stay in touch with social media. I also use it extensively at work for taking notes in meetings, though I still use the Mac heavily for development and “real work”.

Since that first model, every yearly revision has brought “must upgrade” benefits for me. The iPad 2 shed a good chunk of the weight of the original. The iPad 3 brought a retina screen but at the cost of adding back a lot of that weight and a little performance. The iPad 4 kept the retina screen but fixed those problems. The iPad Air slimmed down the bezel and dropped even more weight, and the iPad Air 2 took that even further. All of these revisions with the exception of the iPad 3 brought substantial (usually double) speed boosts.

Since I first laid my hands on the original, I’ve wanted a larger one. A larger screen is naturally a tradeoff with portability, but the benefits are worth it to me. I correctly predicted that the slimmer bezel of the iPad Air would herald the arrival of a larger iPad, which manifested two years later in the 12.9” iPad Pro. The first revision of that form factor performed nicely, but it was fairly heavy. After 18-24 months, the 2016 model (which I still have in rotation for watching movies, largely because resale values for used 12.9” iPads seem to have dropped to around 30% of original retail price after a year, compared to around 70% for smaller models, which is its own sort of annoyance) is still okay, but it lags noticeably in regular use and isn’t fast enough to be my primary tablet. The 2017 model as of now has no such problem. Along the way, other models have arrived for smaller sizes, but for me, I’ve always wanted the largest iPad I could get my hands on.

Which brings me to the 2018 revision of the 12.9” iPP. They’re in short supply, and while my internet order slipped from 1-3 business days into weeks for delivery, I managed to pick one up at an Apple store. I tried it out for a few days, and then went back to the 2017 for a few days. I’m somewhat sad to report that after a few days back with the 2017 iPP, I’ve made the decision to return the 2018, and this seems noteworthy. The 2018 may be a better _computer_, but I think the 2017 is a better _tablet_ experience (and the 2018 is still not a great computer in any way that would make it a substitute for the Mac for me). This new revision is a dramatic change in a few different ways that may not be evident without using it.

One of the biggest problems is the inexplicable elimination of a complete fullscreen mode for some older apps that haven’t yet been updated and may never be updated. I don’t think I really appreciated it until it was gone, but fullscreen mode without any surrounding chrome (in this case the status bar with the clock) is one of the standout features of the tablet experience vs. a traditional computer. Removing this possibility for a whole class of apps is a crippling change. There may be technical complexities I’m not seeing here, but it doesn’t seem that hard to simply hide the status bar when an app uses an older method of going fullscreen. Apple has always pushed forward into what they see as better interaction patterns without worrying too much about accommodating those who won’t keep up, and most of the time I’m along for the ride, but this particular change is jarring and poor.

The original thinning bezel of the iPad Air was welcomed - technical limitations and the weight of the original iPad made the original blocky square bezel larger than it needed to be and removing it made the holding experience better. Flat out - the bezel on the 2018 iPad is too narrow. This is not a tablet that wants to be held - the thinness of the bezel makes it difficult to hold without obscuring the screen and sometimes tapping or sliding erroneously.

The original Touch ID when introduced on the iPhone was hit or miss, but after several revisions, it grew into itself and became extremely reliable. Face ID isn’t there yet. On the iPhone, it’s a revelation, but almost always when you’re using your phone, you’re looking straight at the device. On the iPad, it works wonderfully… if you’re looking straight at the device, which I am about 40% of the time. It does not work reliably or well when lying on my side in bed or on the couch, with the iPad flat on the surface. Granted, this is a steep occluded angle and I’d be surprised if it did work, but that’s how I use it, and Touch ID has no such problems with it. Trying to fit Face ID into this results in having to move to accommodate my device when I’m comfortably reclining, and that’s not what I want my technology to make me do. It’s a dream when it’s sitting upright in the keyboard case on a desk and I’m staring straight at it - as I said, this is a nice computer, but not a superlative tablet. Removing the home button is not as transparent as it was on the iPhone. It’s _okay_ and I think I’d get used to it over time, but it does not feel as natural due to the much larger hand movements required. Navigating around the 2018 iPP involves a _LOT_ of swiping. I guess here is also the place to put my complaint that Apple still seems to view this device as primarily to be used in portrait mode, but I almost never use it that way. The Face ID camera should be on the side.

Finally - while the keyboard cover is a massive improvement in feel over the previous model, I hate the folio case design. The smart covers are great, and I’ve always used a back case with my iPads as well - they are most vulnerable when falling off of a surface (like a bed or a couch), and cracking the edge on the floor. They _need_ corner protection, and the folio case designs provide almost none. The device is simply not durable enough for me to feel confident slinging it around with a case like this, and I was constantly paranoid about dropping it in a way I haven’t been with the 2017. The Pencil seems like a nice improvement over the 1.0, but I have terrible handwriting and I rarely used the 1.0 Pencil for anything other than doodling with Amaziograph.

The 2018 12.9” iPP is a nice improvement over the previous models in slimming down the weight, but the size of the 2017 has never been an issue for me and if I have to give up the adequate bezel space I’d take a larger screen in the case size of the 2017 iPP instead, without hesitation.

The speed of the 2018 is definitely faster, but the 2017 doesn’t (until iOS 13, maybe) lag, and I don’t feel like any of my apps are waiting on the machine. This is the first time I’ve felt that a speed boost isn’t a welcome change - the software isn’t pushing even the 2017 device to its limits.

I… think they’re trying to turn the iPad into the computing device of the future, but I fear they’re sacrificing what made it great as a tablet. The big drawback for being productive on the iPad for me is the limited screen real estate and the cumbersome way multitasking works. It’s fine…_ish_ for occasional uses. It’s terrible for the real-world scenarios where I’m constantly flipping between four or five or eight or sixteen apps at a time and need to refer to multiple browser windows at once. The 2018 iPad does nothing to address that. After several days back with the 2017, I have no longing for anything the newer one has to offer, and I’m finding a lot of relief from the things they made worse. At the prices they’re going for now, a fully loaded 2017 iPP at around $800 seems like a much better buy to me than a fully loaded 2018 iPP at around $2k.

The 2018 iPP is not a bad machine, per se — it’s just diminished from the 2017 in several ways that matter to me. I think if it was a choice between the 2016 iPP and the 2018 iPP, I would choose the 2018 and live with the things I don’t like — the 2016 is too slow and heavy, and does not have the 120Hz screen or true tone color matching. These are substantial feature upgrades that overpower the drawbacks of the 2018 compared to the 2017. I just don’t think the 2018 is a $2,000 upgrade over the 2017.

This makes me sad, and for the first time in the iPad’s history, I’m hoping that they fix some of these mistakes rather than being excited about what they come up with next.

Apr 18th, 2018 (Wed)

How to get named EBS device identifiers back with CentOS instances on m5 and c5 EC2 Instances

This is probably a fairly niche problem, but if it affects you, it probably affects you badly.

We attach EBS volumes at specific device names so they can be easily referenced according to what they do - swap goes on /dev/sds, data volumes go on /dev/sdd, dedicated log volumes on /dev/sdl, etc. This worked fine on EC2 until very recently, but the m5 and c5 instances with the new stock CentOS AMI switch over to using NVMe, which does not honor the requested device names and maps the disks in straight incrementing numeric order, which ruins this scheme.

However, there’s a way to get them back. The ec2-utils rpm, which is preinstalled on Amazon Linux 2, will automatically create symlinks from the correct /dev/sdx paths to the nvme device mappings at boot time. There’s no external repository for that rpm, but if you spin up an Amazon Linux 2 instance (t2.nano will do), you can grab the rpm file with yumdownloader, and then install it with yum on your CentOS instances and it’ll work just fine. After rebooting, you’ll have the device symlinks for all of your attached volumes. We’re baking this into our base AMI with packer so new instances don’t need a reboot to get it.

On the Amazon Linux 2 instance:

sudo yumdownloader ec2-utils

On the CentOS instance:

sudo rpm -ivh ec2-utils-0.5-1.amzn2.noarch.rpm
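
One way to confirm, after the reboot, that the expected /dev/sdX names resolve to NVMe devices. This is an added example, not code from the original post or from ec2-utils; the function names and the temporary-directory demo layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that each expected EBS
# device name is a symlink that resolves to an existing NVMe device node.
# Function names and the demo layout are illustrative assumptions.

# check_ebs_links DEV_DIR NAME...
# Prints one status line per name; returns 0 only if every name is OK.
check_ebs_links() {
    dev_dir=$1
    shift
    failures=0
    for name in "$@"; do
        link="$dev_dir/$name"
        if [ ! -L "$link" ]; then
            # Either the symlink was never created, or the name is a real
            # device node (as on an instance type that does not use NVMe).
            echo "MISSING $name: $link is not a symlink"
            failures=$((failures + 1))
            continue
        fi
        target=$(readlink "$link")
        case "$(basename "$target")" in
            nvme[0-9]*n[0-9]*) ;;   # e.g. nvme1n1, or a partition nvme1n1p1
            *)
                echo "NOT_NVME $name -> $target"
                failures=$((failures + 1))
                continue
                ;;
        esac
        if [ ! -e "$link" ]; then
            # The symlink exists but the device behind it does not.
            echo "DANGLING $name -> $target"
            failures=$((failures + 1))
            continue
        fi
        echo "OK $name -> $target"
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample layout: plain files stand in for NVMe device nodes so
# the check can be exercised on any machine without EBS volumes attached.
demo_constructed_layout() {
    demo_dir=$(mktemp -d) || return 1
    : > "$demo_dir/nvme1n1"
    : > "$demo_dir/nvme2n1"
    ln -s nvme1n1 "$demo_dir/sdd"   # data volume, healthy
    ln -s nvme2n1 "$demo_dir/sdl"   # log volume, healthy
    ln -s nvme3n1 "$demo_dir/sds"   # swap volume, target absent
    check_ebs_links "$demo_dir" sds sdd sdl \
        || echo "at least one expected device name did not resolve"
    rm -rf "$demo_dir"
}

demo_constructed_layout

# On a real instance, using the device names from this post:
#   check_ebs_links /dev sds sdd sdl
```

Because the rpm is copied between hosts outside any repository, running `rpm -K` on the file before installing it checks its digests and signature.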

Hope this helps you!

Oct 1st, 2015 (Thu)

The huge catch in the iPhone Upgrade Program that no one is talking about.

“Because the iPhone Upgrade Program isn’t tied to a single carrier, you don’t need a multiyear service contract. If you don’t have any carrier commitments, you’re free to select a new carrier or stick with the one you have.”

Those are the beautiful sounding words of the new iPhone Upgrade Program, which promises to free you from carrier restrictions forever. As we know, there are actually two models of the 6s (and two models of the 6s+) - one for AT&T, and one for “everyone else”. The common wisdom is that the AT&T phone has LTE band 30, but the phones are otherwise identical. i.e.: if you get an AT&T phone, it will work on the other carriers, just not with band 30 which they don’t have. If you get an “everything else” phone, it will still work with AT&T, just not with band 30.

Except - that’s not the case. As Apple has now revealed on their LTE specifications page, the two phones are not cross-compatible. The AT&T phone works on AT&T and only on AT&T. The “everything else” phone doesn’t work on AT&T at all. And by “works”, I’m talking about LTE service. It’s 2015 - you can’t say that a flagship iPhone (or any recent iPhone for that matter) is really functional without LTE service.

This seems hugely deceptive to me, and the tech press has completely overlooked it. The most prominent article I could find about the upgrade program states “Everyone else is getting model A1687/88. (I’ve confirmed this with the three other carriers.) This is identical to A1633/34 except for Band 30 (which I’ve confirmed with Apple.) Both models work ideally on Sprint, T-Mobile and Verizon Wireless. Model A1687/88 will work fine on AT&T—it’ll get LTE and everything—but as time passes and Band 30 is more heavily built out, it will show somewhat slower LTE speeds than the A1633/34 model.”

Another article talking about carrier switching says nothing about LTE not working when crossing from AT&T to Verizon.

Yet, Apple’s page is clear. I called T-Mobile, and they told me that the AT&T model can’t be activated for LTE service on their network.

The upgrade program was supposed to make this easier, yet it seems to have made things arbitrarily more difficult, and no one seems to have any good information about what actually works and what doesn’t. Apple’s sales reps don’t know. The carrier salespeople don’t know. This is all extremely frustrating. The iPhone 6s is an amazing phone, but I feel like I’ve been sold on a lie. I switched away from AT&T to Verizon because they wouldn’t let me activate a new 6s on my unlimited data plan. The data service has been pretty terrible so far and I was planning on switching to T-Mobile to try it out, then back to AT&T if that didn’t work out. But now it appears that’s not possible. I wish someone would definitively answer these questions (and I wish Apple had done so beforehand).

Aug 20th, 2015 (Thu)

Twitter: An Open Love Letter

( Originally posted on my Medium page: https://medium.com/@fields/twitter-an-open-love-letter-efa256044a9c )

I love Twitter, I do a lot of work with Twitter’s data, I am an active Twitter user, and I think its capability for global change and influence remains unmatched in the social sphere. I’m not here to eulogize Twitter, but I want to provide a frank discussion of what I think is great about the experience and some concrete suggestions for how to fix some of the problems I see. Some of these are problems we’ve been working on at Graphika, and a few will be up to Twitter to solve. Some of this post echoes the points raised by Chris Sacca in his letter about what Twitter can be, but I am not a Twitter investor and my thoughts are more about features and functionality as an end-user than long-term strategy.

(NB: whenever I say “content”, I mean the aggregated stuff you find of value in tweets — primarily links, discussions, media, jokes, and cat gifs.)

I think Twitter can be a great experience, but it is not the same experience for everybody. For some, the unfiltered stream and the time it takes to produce useful content by cultivating that stream is invaluable, but for others, it’s a chore. Who are you following today? Who’s following you? Are you keeping your stream small enough that you can read all of it, or are you resigned to missing interesting items? Are you logged in? Are you interacting?

Your view of Twitter probably also differs dramatically depending on what your objectives are. Are you looking for news? Are you looking to hang out and chat with your friends? Are your friends even on Twitter, and do you expect them to be? Are you using Twitter for work? Do you expect a lot of engagement when you post things? Are you getting that level of engagement? Are you looking to promote something (a brand, your content, an opinion, a political position)? Are you trying to organize like-minded individuals to some cause? Are you happy with the way people are responding to you? The answers to all of these questions color your experience and expectations accordingly. If you’re a high-profile journalist on Twitter, your experience is going to be very different from that of the average high-schooler, but both can be just as rewarding.

Adrienne LaFrance and Robinson Meyer note that, “Something is wrong on Twitter. And people are noticing.”

There’s a common refrain that Twitter is competing with Facebook, and should be more like Facebook to steal ad dollars away from Facebook. I think there is room for both, and their use cases don’t seem to overlap much. I use both social networks extensively, but my social circles on the two networks are about as apart as can be. My Facebook friends are, generally speaking, my friends. They’re the people I know IRL, and some work acquaintances. The people I’m following on Twitter are, for the most part, people I’ve never met, but found interesting for some reason. I would probably never share random pictures of my kids with my Twitter friends (until my kids start doing things they should get public acclaim for. Hold tight.).

Twitter is amazing, but it can be hard to see that with the way it’s currently presented, and it’s hard to generalize about why that is. Users may have many different objectives and stumbling blocks — for new users, it can be difficult to find interesting people to follow, while for more experienced users, it can be hard to build a following. As it is now, it takes a tremendous amount of effort to cultivate your collection of people to follow to get a good experience, and the tools to get yourself noticed are awkward.

So then the question remains — why use Twitter? What does Twitter have that no other social network does?

In short, Twitter is public. That tweets are meant to be seen as widely as possible is ingrained in Twitter’s DNA, and that makes it fundamentally different from most other social networks. It’s a place to find out what the world thinks is important right now, to examine the pulse of the public network. But importantly — “the public” isn’t just one audience, and “the world” isn’t just one set of publishers. People who are producing content want it to be seen by people who will be interested in it, people want to see content that they’re interested in, and obviously if you just throw the entire internet together, there’s going to be a lot of mismatch there. Twitter as it stands now is a bit more “egalitarian” than Facebook in that respect — if you publish something, it can be seen by everyone (there is no algorithm in the way artificially holding back content to some small percentage of your audience unless you pay), but that doesn’t mean it will be seen by everyone. Popular tweets will be amplified by the network, but everything else is just happenstance of timing. So the challenge remains — how to solve the problem of connecting the people making content with the people who want that content, and encouraging a good level of engagement to make everybody happy. Some people will want to just consume that content, others will want to give feedback on it, and still others will want to get feedback on their feedback. The key to user happiness is not just in providing the right content, but also in the right level of interaction.

There are a lot of ways to make this better without killing the core that makes Twitter great — the amazing content, the access to express an opinion to anyone (which may be received or ignored), and the timeliness of conversations.

Here are some specific problems I see:

  • It’s too hard to find the right people to follow for your detailed interests. This is a specific problem that we at Graphika directly address with our influencer identification in community segmentation, with a very high degree of specificity. Global popularity is a terrible way to figure out what’s important. If popularity is your only measure, popular items stick out like a sore thumb. It doesn’t take much analysis to tell you that Neil Patrick Harris is popular. Want to know who the main influencers are for Liberal Activists, or the Rheumatoid Arthritis community, or Los Angeles Food, or Data Journalists? We can tell you that (and many others), but Twitter doesn’t really help you out much here.
  • The follower and stream model is a little bit broken. To be sure, the unfiltered stream of people you follow is a great thing, and it should be preserved. It leads to amazing serendipity that can’t be replicated elsewhere — it’s a main way to discover parts of the network we didn’t know we were interested in. But it’s not everything, and it has some drawbacks. If I want to follow everything that someone writes, there’s no easy way to ensure that I see it (lists are cumbersome, and checking individual profiles is infeasible). Similarly, there are probably great discussions going on that you’re not even aware of because you’re not following the right people to hook you in. “While you were away” is not a bad solution for this, but it’s a bit of an afterthought. The biggest drawback is that it still only includes tweets from your timeline, where the best kind of this interaction will necessarily include people you don’t follow (or at least, people you don’t follow yet). Similarly, this is an area we’ve done a lot of work on at Graphika, and we can help you find those interesting conversations. Which brings me to:
  • It’s too hard to follow conversations. The threading model doesn’t lend itself to long involved conversations. I’ve already written about this with respect to what app.net did right and some of what I’d like to see Twitter adopt. Top-level posts and conversation threads are fundamentally different things, and Twitter hasn’t done a great job of making it easy to navigate them. There isn’t even a social agreement about when it’s appropriate to have a conversation. One of my biggest personal frustrations with Twitter is responding to someone I don’t know and receiving no indication of whether they thought my response was appropriate, or funny, or what. Just… nothing. I saw the value in Twitter and eventually figured out that the only real way around it is to interact with enough people that someone will eventually respond, but this is a terrible new user experience and obviously many people don’t power through. So on to the next point:
  • There’s no way to signal when attention is unwanted. Harassment is a huge problem I’m not really going to address here, and Twitter needs to figure it out. But annoyance and rejection are also problems, especially for user adoption. Blocking and muting are blunt instruments that give no feedback to the target of those actions. This may be warranted in the case of harassment, but there are legitimately other unwanted interactions in a public space that don’t reach the level of harassment. Is it ok to inject your thoughts in the middle of a conversation? Many people would say yes, of course — if you didn’t want the thoughts of random strangers then why are you having this conversation on a globally accessible public network? But those interjections can just as easily and very quickly become unwanted, if people just want to have a semi-private conversation with their friends. Twitter needs these social signals. It needs a way to say “don’t take this personally, but please go away, or please go away for now”, as a precursor to deciding that this is harassment. Right now, people learn through experience that their normal social radar isn’t necessarily applicable here, and they get discouraged. A slight corollary to this is that there’s no public way to draw people’s attention to a tweet other than tweeting it at them, which just adds to the confusion of reading someone’s timeline.
  • There’s too much noise, but noise can be difficult to discern from unpredictability. Unpredictability is a great part of the experience, and throwing that away when you’re eliminating noise is a problem. I never know what’s going to be interesting. Using the Graphika platform, Twitter’s inherent noise is substantially reduced as a byproduct of browsing the tweets of interest to particular segments, but this doesn’t solve the whole problem. I’m mostly including this in the discussion because the unpredictability is such a tremendous part of the experience, and overfiltering to provide only one viewpoint is a trap I don’t want us to fall into.
  • Lastly, I believe that third-party innovation was a huge driver for Twitter’s success, and re-embracing the developer community is critical for Twitter’s future.

In a popular Indian parable, a group of blind people are asked to describe an elephant. Each touches a part and declares that the elephant is like that part, when in reality the elephant is all of these things. Similarly, Twitter is many things, and most of them aren’t evident if you only look at an individual user’s experience, or even the experience of your immediate circle of friends. The nature of the network is that a small number of people expressing an opinion can easily look like a common occurrence, and quickly dominate your perspective. I’d like to see the whole elephant.

Apr 14th, 2015 (Tue)

On those Apple Watch estimate numbers

Slice Intelligence is reporting that they estimate that 957,000 people preordered an Apple Watch on the first day. Let’s look at those numbers a bit.

There are around 324 million people in the US, so their estimate means that about 1 person in every 338 preordered a watch. Slice has about 2 million users. If we apply those numbers to their user base, then that’s only about 5,900 preorders (for about 7600 watches). Without additional information to back up this claim, I am highly skeptical of the assertion that Slice customers are 100% representative of the general buying public and that these numbers can actually be extrapolated in any meaningful way to actual sales numbers (they may be much lower or much higher).

Apr 10th, 2015 (Fri)

iCloud Photo Library seems to be still not entirely perfect

During the iCloud Photo Library beta, none of my machines ever displayed the same counts for photos and videos. Having upgraded everything to the release version and dumped my entire iPhoto library in, it still seems to be having sync problems. New photos appear to be syncing properly, and quickly even, but the counts for everything are off.

iCloud Library says everything is fully synced, but here are the numbers:

Photos.app: 27165 photos, 432 videos (27597)
icloud.com: 27581 photos and videos
iPhone: 27,125 photos, 416 videos (27541)
iPad: 27,164 photos, 416 videos (27580)

So close.

Jun 7th, 2014 (Sat)

Interesting piece on last line errors in copied code blocks

‘I have studied numbers of errors caused by using the Copy-Paste method and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have never seen this phenomenon described in books on programming, so I decided to write about it myself. I called it the “last line effect”.’

http://www.viva64.com/en/b/0260/print/

Apr 23rd, 2014 (Wed)

Eye seems to be the process monitor I was looking for

I’ve been using god for a long time to monitor ruby servers in production, but I’ve never been entirely happy with it - early versions had memory leaks and needed to be restarted, and more recent versions are very hit or miss. When setting up identical installations on several machines, about half of them simply failed to restart the server processes they were monitoring, for no discernible reason.

I’ve switched to eye recently, and it’s been working well. Migrating the setup from the god configs was a breeze - it uses a similar ruby DSL.

This is a good eye quickstart guide.

Nov 5th, 2013 (Tue)

The iPad Air wifi connection speed is significantly faster than the iPad 4

Just an interesting followup to my previous analysis of iPad wifi performance attributes: the iPad Air gets a significantly faster connection to the Airport Extreme, almost as fast as the 2010 MacBook Pro.

[Image: iPad Air Wifi Performance]

For comparison, this was the fastest I could get out of the iPad 4:

[Image: iPad 4 ideal - everything automatic and same network name]
