About Rob Pegoraro

Freelance journalist who covers (and is often vexed by) computers, gadgets and other things that beep.

Weekly output: Windows XP (x2), Google Docs

It really is extraordinary (or maybe just sick) that this past week saw me still writing about an operating system that debuted in 2001.

4/8/2014: Die, XP, Die! Why the Operating System from 2001 Won’t Go Away, Yahoo Tech

I’ve been looking forward to writing this column for several years, and when the end of Microsoft’s support for Windows XP finally arrived I found it strangely enjoyable to revisit stories I’d written five and 10 years ago about XP. I’ve since heard from a few readers who say they prefer XP to Windows 7 or 8 not just because they need to run legacy apps or don’t want to buy a new PC, but because XP is easier. I’m wary of questioning a reader’s subjective judgment, but… um, no.

(Screenshot shows how the story renders in a copy of Internet Explorer 6 in Windows XP. Don’t ask how I sourced that image.)

4/8/2014: Windows XP, WTOP

I talked for a few minutes about the end of XP support and what users of that fossilized malware magnet of an operating system could do to stay safe.

4/13/2014: Why your browser doesn’t like copy and paste, USA Today

To judge from the low number of Facebook and Twitter shares displayed next to this story, almost nobody read my attempt to concisely explain how the intersection of browser security models with Web apps that look and work like local ones can lead to dysfunctional results. I’ll try to find a more enticing topic next week.


Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely-used OpenSSL encryption library added a “heartbeat” function that made it easier for sites to keep an encrypted session going. But it also harbored a disastrous vulnerability to buffer-overflow attacks that would cause a site to return 64 kilobytes of whatever happened to be adjacent in the server’s memory to an attacker: usernames, passwords, e-mail content, financial transactions, even the private key the site uses to encrypt the session. And the attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite buffer overflows being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon to find the bug separately and report it to the OpenSSL team.

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly, that same enormous deployment of OpenSSL encouraged people to assume that they themselves didn’t need to inspect the code that carefully, and OpenSSL developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.

Weekly output: Turkey and Twitter, activity trackers, MVNOs

 

This week provided a rare excuse, however tangential, to apply some of my Georgetown book learning on things like international relations and European history.

4/1/2014: Turkey Blocks Twitter. Could It Happen Here? It’s Come Close Already., Yahoo Tech

I’d been wondering how I could cover the strange campaign by Turkish premier Recep Tayyip Erdoğan against Twitter and social media in general, and then I realized how many of their actions matched up with things that have been done or advocated in the U.S. (Fortunately, Erdoğan complied with an unfavorable court ruling and ended the block on Thursday.)

4/1/2014: Activity trackers, WTOP

The news station had me on to talk about the utility of activity-tracking wristbands, pods and apps. I had a brief deer-in-the-ON-AIR-lights moment when I realized I was about to mix up the names of a few phone apps… but you can’t hear it since WTOP’s site seems to have stopped archiving each day’s broadcasts on an “ICYMI” page. Hence there’s also no link.

4/6/2014: How wireless service resellers stack up, USA Today

A query from a friend became the kick in the rear I needed to conduct an overdue evaluation of the pros and cons of some major wireless resellers: Consumer Cellular, Credo Mobile, Net10, Republic Wireless, Straight Talk and TracFone.

 

Reader suggestions for fixing an iMessage mess

Sunday’s USA Today Q&A about getting one’s mobile number untangled from Apple’s iMessage service looks to be one of the most-read columns I’ve done there. It’s also drawn more than the usual amount of reader feedback–including two reports of remedies that I had not discovered during the week or so I spent digging into this issue.

One came from an AT&T subscriber in Minnesota:

A few days before the article I had the same problem and called AT&T. They had me text the word ‘stop’ to 48369, to which I got the response: “FREE MSG: Apple iCloud ID Verification: You have been unsubscribed and will no longer receive messages. 1-800-275-2273”

I’ve since found one confirmation of that fix in a Reddit comment and a posting on Apple’s tech-support forum. There’s also an Apple tech support notice… which only describes this procedure as a way to stop Apple from sending AppleCare identity-verification messages to a wrong number.

A reader in Washington who said he works “at a major phone retailer” sent in a different suggestion that he said “always” works: Reset your Apple ID password.

Go to https://iforgot.apple.com/password/verify/appleid Enter your Apple ID in the space and just reset your Apple ID password. Even if you don’t have access to that email or security questions, it will remove all Apple registered devices from iMessage instantly.

In case you were wondering: Neither suggestion came up in the background conversations I had with Apple PR, even though one is allegedly endorsed by Apple support.
But that’s not nearly as important as whether either cure can earn an endorsement from you. If you’ve found either one successfully exfiltrated a number from iMessage–or if you have a different fix to share–please leave a comment with the details.

Weekly output: Sprint-T-Mobile, Tech Night Owl, iMessage

I was a lot more productive than usual this week (much of that activity went into a project that’s not ready to post yet), even though I lost all of Monday to travel. Funny how that works…

3/25/2014: Dear Feds: Hang Up on a Sprint/T-Mobile Merger, Yahoo Tech

I still don’t know if Sprint is going to try to go through with what seems a phenomenally bad idea, but I wanted to go on the record about my dislike of further consolidation of the four big wireless carriers. I also thought this was a good time to denounce the idea that government regulators can manage away the risks of mega-mergers by imposing complicated conditions on the conduct of the combined firm; saying “no” is easier, cheaper and permanent.

3/29/2014: March 29, 2014 — Rick Broida, Daniel Eran Dilger and Rob Pegoraro, Tech Night Owl

I made one of my occasional appearances on Gene Steinberg’s Apple-centric podcast; we talked about the arrival of Microsoft Office on the iPad and my column on Sprint-T-Mobile.

3/30/2014: iMessage: How to make it stop, USA Today

I’ve been hearing complaints from friends and acquaintances for at least the last year about how switching from an iPhone to a non-Apple device (especially if that switch happens after the loss or theft of the iPhone in question) causes text messages from friends on other iPhones to vanish. I finally looked into this for my column and found things were even worse than I’d thought: You can have messages go down a black hole even if you do things right, Apple’s documentation is woefully incomplete, and the company’s tech support can’t be relied on to play by even the undocumented rules.

Note that until we can get a revision in, the column describes one aspect of iMessage incorrectly: I wrote that iMessage-routed messages appear in green bubbles and regular texts show up in blue when it’s the other way around. If Apple fans seize on that error to call the rest of the column into question–well, they’d be wrong, but it’s still my job to get the details right.

#corrected: Fixing your errors on Twitter

I screwed up on Twitter yesterday morning. In the grip of nerd rage over a story about an Apple patent application–and without sufficient caffeine in my body–I tweeted that the Cupertino, Calif., company had received a patent on a feature that had debuted in a third-party app some three years before its 2012 filing.

The problem was, Apple had only applied for a patent on a text-while-you-walk system that would overlay message conversations on your phone camera’s view of your surroundings. Oops.

So I tweeted something, um, transparently wrong. Now what? I’ve attended more than one panel discussion on this, and the answers usually get stuck on one of two conflicting imperatives: Don’t let the error go unfixed, but don’t look like you’re hiding the mistake either.

(See my earlier post about documenting changes to your story, if necessary in comments you leave yourself.)

Since you can’t edit the incorrect tweet or even flag it as wrong in the way you could amend a flawed story or blog post, letting it stand risks perpetuating the mistake. But if you delete it, then the evidence of your error vanishes.

What I decided to do was to delete the tweet, follow up by saying what I’d gotten wrong, and then redo the original tweet with a reasonably obvious hashtag, #corrected, to indicate that it was a “CX” for an earlier version:

Does that routine work for you all? Or am I once again seriously overthinking something that people with real jobs don’t worry about at all?

In other news, earlier this afternoon I was glad to see that the Ask Patents clearinghouse for prior art will include this Apple filing in an upcoming call for submissions:

 

Weekly output: Internet governance, Kojo Nnamdi Show, old camcorders

For once, the combined universe of smartphones and tablets did not constitute the majority of my coverage over a week.

3/18/2014: No, the U.S. Isn’t Really Giving Up the Internet—It Doesn’t Own It Anyway, Yahoo Tech

This story was not the easiest one to write, courtesy of Monday being a snow day in which most of my queries went unanswered while my wife and I had to keep our daughter entertained. DNS root-zone supervision is an exceedingly wonky topic; did I keep my explanation of it out of the weeds, or is mine too far above the ground to provide enough understanding of the topic?


3/18/2014: Choosing A Cell Phone And Mobile Data Plan, The Kojo Nnamdi Show

WAMU host Kojo Nnamdi, CNET columnist Maggie Reardon and I discussed the changing shape of the wireless market–in particular, T-Mobile’s hanging up on subsidized handset pricing. T-Mo marketing v.p. Andrew Sherrard joined us via phone for part of the show and provided a number I hadn’t seen before: From 10 to 20 percent of its customers now bring their own devices to the carrier.

3/23/2014: How to rescue vintage camcorder footage, USA Today

As it has before, my neighborhood’s mailing list proved to be a fruitful source of Q&A column material–and this time around, my research into a neighbor’s problems getting video off an old MiniDV camcorder involved a house call.

This digital life: A reset of the TV set

The joke people used to share about the coming computerization of consumer electronics was that we could all look forward to rebooting the TV. Well, ha ha, because that’s exactly what I did Saturday night.

And I should have seen that coming. For a few days before, the power LED on our 2009-vintage Sony had been blinking red. I ignored it (we watch so little TV it’s almost un-American), and then we decided to change up our toddler’s post-dinner routine by letting her watch the episode of “Cosmos” we’d recorded earlier. (We’re bringing our kid up right!) But only minutes into the show, the TV clicked, shut off and rebooted.

And then it did the same, again and again, until Daddy gave up after having possibly expanded his daughter’s vocabulary.

Some quick searching determined that a flashing red light indicated that “there may be an issue with the TV.” Unplugging the TV for a minute and then plugging it back in didn’t cure the issue, so it was time to reset the set to its factory defaults.

(Before I look like I’m whining too much about Sony, I should note that this TV got free software updates through April 2012, which is far better support than most smartphones get.)

The procedure was uncommonly like resetting a Mac’s NVRAM or System Management Controller: Hold down the up-arrow button on the remote, press and release the power button on the TV, release the remote’s up-arrow button.

A moment later, the TV asked me to go through the setup routine I had not done since unboxing it in the summer of 2009: Zip code for its no-longer-supported over-the-air program guide, date, time, cable or antenna, and so on. I knew it had finished detecting all 30-odd digital broadcasts when salsa music began blasting out of its speakers–courtesy of the sole remaining analog TV broadcast in the Washington area, WDCN’s low-power, audio-only signal.

And I couldn’t lower the volume: With the TV in its setup mode, the remote’s volume buttons didn’t work, while those on the side of the set only stepped forward or backwards through this configuration routine. With our daughter’s bedtime at hand, I gave up, then resumed the effort the next day, when I had to sit, wait and listen as the TV took an improbably long time to detect its wired Internet connection and conclude its setup.

And now everything seems to be fine. I hope it stays that way. But, really, should I even complain that much? One factory reset in five years makes this Linux-based device one of the most reliable computer-ish things I’ve ever owned.

Weekly output: SXSW, cable modems

Spending the first half of the week out of town for SXSW put more of a dent in my schedule than I realized–as you can see from the unusually late time I’m posting this. Seriously, where did the second half of the week go?

3/10/2014: The News from SXSW: Technology Will Liberate Us! Unless It Enslaves Us First., Yahoo Tech

I pretty much had to focus my writeup of the conference on the remote interviews of Julian Assange and Edward Snowden–both outspoken critics of the surveillance state, both beset by glitches with their Internet-video links. It’s crazy to think that a year ago, almost nobody at SXSW had any idea of what the NSA had been up to; the mood in Austin seemed a lot cheerier about the prospects of technology back then.

3/16/2014: Buyer beware: ‘Gray market’ cable modem can trip you up, USA Today

A reader had bought a cable modem after reading my recommendation to do so last August. Then Comcast said she couldn’t use her purchase. And things got really weird. A reader has since complained that the column left him “totally confused” about whether he can buy a modem on Comcast’s approved-devices list and have it work; I’m going to have to tell him he has correctly read a confusing situation.

Snapshots from SXSW

It’s now been three days since I got off the plane at National Airport, officially ending this year’s SXSW itinerary, and it’s taken me that long to catch up on sleep, do laundry and edit and upload pictures. (The traditional post-conference LinkedIn binge remains undone.)  And maybe I’ve gained a smidgeon of perspective on the event too.

Once again, my primary first-world problem was deciding which panels and talks to attend. I was more ruthless and/or lazy this time, deciding I wouldn’t even try to get to such relatively distant locations as the AT&T Conference Center at the University of Texas’s campus (where my 2012 panel drew maybe 20 people) or the Hyatt Regency at the other end of the Congress Avenue Bridge.

But then I wound up not watching any panels outside the convention center and the Hilton across the street. Of those, remote interviews with Julian Assange, Edward Snowden and Glenn Greenwald topped my list. But I was also fascinated by a debate about net neutrality in which law professor Tim Wu noted our own responsibility in putting a handful of giant companies in charge (“we don’t have a culture on the Internet of preferring alternatives”), a talk about wearable computing that pivoted to discussions of “implantables” and “injectables,” and an honest unpacking of the failure of tech journalists to break the NSA-surveillance story (TechCrunch co-editor Alexia Tsotsis: “We need to step back from our role as cheerleaders and give a more critical eye to the people we’re surrounded with”).

My geographically-restricted attendance led me to miss many other discussions that had looked interesting beforehand. Not only was this narrow-minded conduct, it stopped me from walking around more to make up for all the food I ate.

It would be hard to avoid putting on a few pounds while in Austin on a normal weekend, but when you don’t have to pay for most of your food, courtesy of pervasive corporate and PR sponsorship, the city becomes a thoroughly enabling environment. And a delicious one! For example: the brisket at La Barbecue (thanks, Pinterest), algorithm-driven cuisine at IBM’s food truck, and breakfast tacos at Pueblo Viejo (that was on my own dime, and you should be happy to spend yours there too when you’re in Austin).

As for empty calories–um, yeah, they’re not hard to find at SXSW either. This is the single booziest event on my calendar. That can be an immense amount of fun (my Sunday night somehow involved both seeing Willie Nelson play a few songs with Asleep at the Wheel from maybe 20 feet away, followed by the RVIP Lounge’s combination of touring bus, open bar and karaoke machine), but waking up the next morning can be brutal. To anybody who had a 9:30 a.m. panel on Sunday, only hours after the time change cut an hour out of everybody’s schedule: I’m so sorry.

And then the night after I left, some drunk-driving idiot crashed through a police barricade and killed two people.

Even before that, the “do we really need this event now that it’s been overrun by marketing droids?” conversation about SXSW was louder than usual. I have to note that three of the most interesting panels–the Assange, Snowden and Greenwald interviews–featured subjects thousands of miles away; in theory we all could have watched those from home.

But this is also an event where you meet people you wouldn’t otherwise see and might not ever meet–a long-ago Post colleague from copy-aide days, Internet activists you should know for future stories, journalists who put up with the same problems as you, entrepreneurs with interesting ideas that might go somewhere, and so on. Maybe this is a colossal character defect on my part, but I enjoy those conversations–even the ones with the marketing droids. And that’s why I do this every year.

(After the jump, my Flickr set from the conference.)

(7:30 p.m.: Tweaked a few sentences because I could.)
