Weekly output: tax prep, Google Glass, Heartbleed, Nearby Friends, online banking

This was a multiple-microphone week, and two of my three broadcast appearances involved shows that hadn’t booked me as a guest before. That’s good.

In other news: Happy Easter!

4/15/2014: The Strange and Successful Campaign to Make Taxes More Taxing, Yahoo Tech

A lot of material had to get left out of this already-long column denouncing the crony-capitalism campaign by Intuit and such Washington groups as Americans for Tax Reform and my former client CCIA to stop governments from letting citizens file and pay taxes at their own sites. (For example, these direct-filing sites cost little to run–$80,000 a year at California’s ReadyReturn, $150,000 for Pennsylvania’s soon-to-be-shuttered padirectfile.)  Comments debuted at Yahoo Tech late Tuesday afternoon, and as you can see I did not wait long to show up in them myself.

Speaking of feedback, you might as well see ATR’s latest post opposing IRS-run tax prep and stories, mine included, that suggest it would be a good thing… which, in a coincidence too weird for me not to disclose, was written by the guy who’s done my taxes since 2012.

4/16/2014: Google Glass and privacy, Al Jazeera

The news network’s Arabic-language channel had me on the air to talk about Google Glass and privacy issues. Since I was being translated into Arabic in real time, the producer emphasized that I speak slowly and simply–a challenge when my usual habit is to speak too fast on the air.

4/16/2014: Heartbleed and Internet Security, To the Point

KCRW’s news show had me on to discuss the Heartbleed bug and how open-source development broke down in this case. I wish I’d thought to compare major tech companies’ unwillingness to kick in any money to the OpenSSL Foundation with all the effort they’ve put into finding ways to pipe income to shell corporations in overseas tax havens.

Most of my input happened in the first 20 minutes or so, but keep listening to hear Internet Governance Project founder Milton Mueller discard some silly objections from the Information Technology and Innovation Foundation’s Daniel Castro to the government’s proposal to hand over supervision of the DNS root zone.

4/18/2014: Nearby Friends, WTOP

D.C.’s news station had me on the air for a few minutes via Skype to talk about Facebook’s new location-based option, its privacy implications and how it competes with such existing apps as Foursquare and the D.C. startup SocialRadar.

4/20/2014: Safety you can bank on: Chromebook, Linux, phone, USA Today

A relative’s question about whether he should buy a Chromebook for his online banking gave me an opportunity to note a couple of cheaper options to separate your Web financial transactions from your regular use: booting your computer off a Linux CD or flash drive, or using your bank’s app or the built-in browser on your phone or tablet.


Tax-time thoughts: now with slightly less incompetent accounting!

I have survived, I think, another tax season as a self-employed individual, and I’m increasingly convinced that if I keep doing this I will someday know what I’m doing.

Once again, my worst enemy was my inattentive and sloppy accounting. I was still forgetting to tag some expenses as business transactions in Mint until last spring, and it took me until mid-September to lock in the habit of logging every cash expense within minutes of it happening. Memo to Google: This would be easier if the Google Drive app could edit spreadsheets offline.

For cash transactions not properly noted at the time, I had to recreate records months after the fact. That involved the tedious, time-consuming routine of cross-referencing my calendar, e-mail and Foursquare check-ins.

Importing the credit-card purchases that Mint had recorded automatically was the same as ever, which is not good: Intuit’s site still provides no way to limit a transaction search to a date range short of hand-editing a Web address. Intuit, this is idiotic. Try spending some of the money you sink into astroturfed lobbying into adding this most basic of features.

Last year also saw client income (Sulia and WordAds) arrive via PayPal deposits, a first for me. I liked the invoice-free convenience of those payments, but I made two rookie accounting mistakes. The big one was not identifying all of the subsequent PayPal transfers to my bank as freelance income; the little one was using some of a freelancing-inflated PayPal balance to reimburse my share of an Airbnb apartment rented for Mobile World Congress instead of first moving the sum of those freelance payments to my bank, then covering the lodging expense with a separate withdrawal from my bank.

The fact that I realized most of these errors in late March by itself represented my single biggest accounting failure–I spent too much of 2013 in a financial fog, which is stupid. So after cleaning up last year’s records, I set aside a couple of hours last weekend to do the same for those from the first quarter of this year. Like I said: I do learn, just not quickly.

Weekly output: Windows XP (x2), Google Docs

It really is extraordinary (or maybe just sick) that this past week saw me still writing about an operating system that debuted in 2001.

4/8/2014: Die, XP, Die! Why the Operating System from 2001 Won’t Go Away, Yahoo Tech

I’ve been looking forward to writing this column for several years, and when the end of Microsoft’s support for Windows XP finally arrived I found it strangely enjoyable to revisit stories I’d written five and 10 years ago about XP. I’ve since heard from a few readers who say they prefer XP to Windows 7 or 8 not just because they need to run legacy apps or don’t want to buy a new PC, but because XP is easier. I’m wary of questioning a reader’s subjective judgment, but… um, no.

(Screenshot shows how the story renders in a copy of Internet Explorer 6 in Windows XP. Don’t ask how I sourced that image.)

4/8/2014: Windows XP, WTOP

I talked for a few minutes about the end of XP support and what users of that fossilized malware magnet of an operating system could do to stay safe.

4/13/2014: Why your browser doesn’t like copy and paste, USA Today

To judge from the low number of Facebook and Twitter shares displayed next to this story, almost nobody read my attempt to explain concisely how the intersection of browser security models with Web apps that look and work like local ones can lead to dysfunctional results. I’ll try to find a more enticing topic next week.

Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely used OpenSSL encryption library added the TLS “heartbeat” extension, a keep-alive that made it easier for sites to keep an encrypted session going. But the implementation never checked the payload length a client claimed in its heartbeat request against the length of the message the client had actually sent, so a single malformed request could make a site copy up to 64 kilobytes of whatever happened to be adjacent in the server’s memory into its reply: usernames, passwords, e-mail content, financial transactions, even the private key that proves the site’s identity and protects its sessions. The request could be repeated as often as an attacker liked, and the attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite missing bounds checks being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon, working separately, to find the bug and report it to the OpenSSL team.
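To make the shape of the bug concrete, here is an added C illustration; it is not OpenSSL’s code. A toy heartbeat handler modeled on the flaw (the peer’s claimed payload length is copied into the reply without being compared to the length of the record that actually arrived) sits next to one with the missing bounds check, and both are run against a small arena that stands in for server memory, with a secret string placed right after the request. The message layout (type byte, two-byte length, payload, at least 16 bytes of padding) and the rule that an oversized request is silently discarded follow RFC 6520; the arena, the secret, the sizes and the function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_RESP (3 + 65535 + HB_PADDING)

/* Both handlers build a response in `out` (HB_MAX_RESP bytes) from the record
 * at `rec`, whose true length is `rec_len`, and return the response length or
 * -1 if the request is dropped. The vulnerable one trusts the claimed payload
 * length and never looks at rec_len, so memcpy reads past the end of the
 * request into whatever memory follows it. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                               /* never consulted: the bug */
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* over-read if payload is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);    /* stand-in for random padding */
    return (int)(3 + payload + HB_PADDING);
}

/* Hardened handler: header, claimed payload and minimum padding must all fit
 * inside the record that actually arrived; otherwise discard it silently. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Naive substring search over a byte buffer. */
static int contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Constructed stand-in for the memory next to the request: a 256-byte arena
 * holding the record first and a secret immediately after it. */
#define ARENA_SIZE 256
static const char SECRET[] = "cookie=user%3Dalice; -----BEGIN RSA PRIVATE KEY-----";

/* Stages a request whose header claims `claimed_len` payload bytes but which
 * actually carries `actual_len`, runs the chosen handler and reports whether
 * the secret shows up in the reply: 1 = leaked, 0 = not leaked,
 * -1 = request rejected, -2 = sizes too large for the demo arena. */
int heartbeat_leaks_secret(uint16_t claimed_len, size_t actual_len, int use_fix)
{
    static uint8_t arena[ARENA_SIZE];
    static uint8_t out[HB_MAX_RESP];
    size_t rec_len = 3 + actual_len + HB_PADDING;

    /* Keep the over-read inside the arena so the demo itself is well-defined. */
    if (rec_len + sizeof SECRET > ARENA_SIZE || 3 + (size_t)claimed_len > ARENA_SIZE)
        return -2;

    memset(arena, 'A', sizeof arena);            /* payload and padding filler */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);

    int n = use_fix ? heartbeat_fixed(arena, rec_len, out)
                    : heartbeat_vulnerable(arena, rec_len, out);
    if (n < 0)
        return -1;
    return contains(out, (size_t)n, "PRIVATE KEY");
}

int main(void)
{
    printf("vulnerable, honest 4-byte request: %d\n", heartbeat_leaks_secret(4, 4, 0));
    printf("vulnerable, claims 200 bytes:      %d\n", heartbeat_leaks_secret(200, 4, 0));
    printf("fixed, claims 200 bytes:           %d\n", heartbeat_leaks_secret(200, 4, 1));
    return 0;
}
```

The honest request is answered identically by both handlers, which is why the bug sat unnoticed in normal traffic; only a request that lies about its length separates them, and the fixed handler’s answer to that is no answer at all, so nothing about the peer’s memory layout reaches the wire.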

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly; that same enormous deployment encouraged people to assume that they themselves didn’t need to inspect the code that carefully; and OpenSSL developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.

Weekly output: Turkey and Twitter, activity trackers, MVNOs


This week provided a rare excuse, however tangential, to apply some of my Georgetown book learning on things like international relations and European history.

4/1/2014: Turkey Blocks Twitter. Could It Happen Here? It’s Come Close Already., Yahoo Tech

I’d been wondering how I could cover the strange campaign by Turkish premier Recep Tayyip Erdoğan against Twitter and social media in general, and then I realized how many of his government’s actions matched up with things that have been done or advocated in the U.S. (Fortunately, Erdoğan complied with an unfavorable court ruling and ended the block on Thursday.)

4/1/2014: Activity trackers, WTOP

The news station had me on to talk about the utility of activity-tracking wristbands, pods and apps. I had a brief deer-in-the-ON-AIR-lights moment when I realized I was about to mix up the names of a few phone apps… but you can’t hear it since WTOP’s site seems to have stopped archiving each day’s broadcasts on an “ICYMI” page. Hence there’s also no link.

4/6/2014: How wireless service resellers stack up, USA Today

A query from a friend became the kick in the rear I needed to conduct an overdue evaluation of the pros and cons of some major wireless resellers: Consumer Cellular, Credo Mobile, Net10, Republic Wireless, Straight Talk and TracFone.


Reader suggestions for fixing an iMessage mess

Sunday’s USA Today Q&A about getting one’s mobile number untangled from Apple’s iMessage service looks to be one of the most-read columns I’ve done there. It’s also drawn more than the usual amount of reader feedback–including two reports of remedies that I had not discovered during the week or so I spent digging into this issue.

One came from an AT&T subscriber in Minnesota:

A few days before the article I had the same problem and called AT&T. They had me text the word ‘stop’ to 48369, to which I got the response: “FREE MSG: Apple iCloud ID Verification: You have been unsubscribed and will no longer receive messages. 1-800-275-2273”

I’ve since found one confirmation of that fix in a Reddit comment and a posting on Apple’s tech-support forum. There’s also an Apple tech support notice… which only describes this procedure as a way to stop Apple from sending AppleCare identity-verification messages to a wrong number.

A reader in Washington who said he works “at a major phone retailer” sent in a different suggestion that he said “always” works: Reset your Apple ID password.

Go to https://iforgot.apple.com/password/verify/appleid. Enter your Apple ID in the space and just reset your Apple ID password. Even if you don’t have access to that email or security questions, it will remove all Apple registered devices from iMessage instantly.

In case you were wondering: Neither suggestion came up in the background conversations I had with Apple PR, even though one is allegedly endorsed by Apple support.
But that’s not nearly as important as whether either cure can earn an endorsement from you. If you’ve found either one successfully exfiltrated a number from iMessage–or if you have a different fix to share–please leave a comment with the details.

Weekly output: Sprint-T-Mobile, Tech Night Owl, iMessage

I was a lot more productive than usual this week (much of that activity went into a project that’s not ready to post yet), even though I lost all of Monday to travel. Funny how that works…

3/25/2014: Dear Feds: Hang Up on a Sprint/T-Mobile Merger, Yahoo Tech

I still don’t know if Sprint is going to try to go through with what seems a phenomenally bad idea, but I wanted to go on the record about my dislike of further consolidation of the four big wireless carriers. I also thought this was a good time to denounce the idea that government regulators can manage away the risks of mega-mergers by imposing complicated conditions on the conduct of the combined firm; saying “no” is easier, cheaper and permanent.

3/29/2014: March 29, 2014 — Rick Broida, Daniel Eran Dilger and Rob Pegoraro, Tech Night Owl

I made one of my occasional appearances on Gene Steinberg’s Apple-centric podcast; we talked about the arrival of Microsoft Office on the iPad and my column on Sprint-T-Mobile.

3/30/2014: iMessage: How to make it stop, USA Today

I’ve been hearing complaints from friends and acquaintances for at least the last year about how switching from an iPhone to a non-Apple device (especially if that switch happens after the loss or theft of the iPhone in question) causes text messages from friends on other iPhones to vanish. I finally looked into this for my column and found things were even worse than I’d thought: You can have messages go down a black hole even if you do things right, Apple’s documentation is woefully incomplete, and the company’s tech support can’t be relied on to play by even the undocumented rules.

Note that until we can get a revision in, the column describes one aspect of iMessage incorrectly: I wrote that iMessage-routed messages appear in green bubbles and regular texts show up in blue when it’s the other way around. If Apple fans seize on that error to call the rest of the column into question–well, they’d be wrong, but it’s still my job to get the details right.