Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely used OpenSSL encryption library (version 1.0.1, released in March 2012) added support for the TLS “heartbeat” extension, a keep-alive that made it easier for sites to keep an encrypted session going. But the code that answered a heartbeat request never checked that the payload length claimed inside the message matched the amount of data that had actually arrived. So an attacker could send a tiny request that claimed a huge payload and make the server echo back, per request, up to 64 kilobytes of whatever happened to be adjacent in its memory: usernames, passwords, e-mail content, financial transactions, even the private key behind the site’s certificate, which lets the attacker impersonate the site. (Strictly, this is a buffer over-read rather than an overflow: nothing gets overwritten, which is part of why it leaves no trace.) And the attacked site can’t check afterwards to see if it got hit, because a heartbeat request looks like ordinary traffic and nothing in a normal server log records it. I defy the NSA to script a better hack.

And despite missing bounds checks being one of the oldest and best-documented classes of C bugs, with equally well-documented defenses, nobody caught this for two years. Two years! It took a Google security researcher (Neel Mehta) and engineers at the Finnish security firm Codenomicon to find the bug independently and report it to the OpenSSL team, whose fix in OpenSSL 1.0.1g amounted to a length check the original code should have had all along.
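The missing check described in the two paragraphs above, as an added example (this is a stand-alone model written for this page, not OpenSSL’s code): a C sketch of an RFC 6520 heartbeat handler in its vulnerable and fixed forms, run against a constructed in-memory record. The record layout, the “secret” string placed after it, the arena size and the function names are assumptions made for the demo; the two length checks in heartbeat_fixed mirror the ones OpenSSL 1.0.1g added for CVE-2014-0160.

```c
/*
 * Stand-alone model of the Heartbleed bounds-check failure (CVE-2014-0160).
 * NOT OpenSSL code: a simplified RFC 6520 heartbeat handler over a
 * constructed in-memory "record", so it runs offline without undefined
 * behaviour (the over-read stays inside one array).
 */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16      /* RFC 6520: at least 16 bytes of padding */

/* Simulated slice of process memory (assumption for the demo).  The
 * heartbeat record sits at the start; what follows stands in for
 * unrelated data that happened to be adjacent on the heap. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Constructed layout, not a real capture:
 *   arena[0]    = message type (1 = request)
 *   arena[1..2] = claimed payload_length, big-endian
 *   arena[3..]  = the 4 real payload bytes, then padding
 *   arena[64..] = "secret" data that must never be echoed */
static const char SECRET[] = "SESSION=deadbeef;pass=hunter2";
#define SECRET_OFFSET 64

typedef size_t (*hb_handler_t)(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap);

/* Build a record whose real payload is 4 bytes but which claims
 * claimed_len bytes.  Returns what the record layer actually received. */
static size_t build_record(uint16_t claimed_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, "ping", 4);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);
    return 1 + 2 + 4 + HB_MIN_PADDING;      /* 23 bytes truly arrived */
}

/* Vulnerable: trusts payload_length from the message and never looks at
 * rec_len, so the memcpy reads past the real record.  Returns the number
 * of payload bytes echoed (0 = no reply). */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    (void)rec_len;                           /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;        /* demo-only guard for the model */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-read: copies adjacent memory */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return payload_len;
}

/* Fixed: the checks OpenSSL 1.0.1g added.  A claimed length that does not
 * fit the record that actually arrived is discarded silently, as RFC 6520
 * section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_MIN_PADDING > rec_len) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_MIN_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);
    return payload_len;
}

/* Did the echoed payload carry bytes from the "secret" region? */
static int response_leaks_secret(const unsigned char *out, size_t payload_len) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= payload_len; i++)
        if (memcmp(out + 3 + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Malicious request: claims 200 payload bytes, sends 4.  Returns 1 on leak. */
static int demo_leaks(hb_handler_t handler) {
    unsigned char response[ARENA_SIZE];
    size_t rec_len = build_record(200);
    size_t n = handler(arena, rec_len, response, sizeof response);
    return response_leaks_secret(response, n);
}

/* Honest request: claims 4, sends 4.  Returns bytes echoed, or -1 if the
 * echo does not match the payload. */
static int demo_valid_echo(hb_handler_t handler) {
    unsigned char response[ARENA_SIZE];
    size_t rec_len = build_record(4);
    size_t n = handler(arena, rec_len, response, sizeof response);
    if (n != 4 || memcmp(response + 3, "ping", 4) != 0) return -1;
    return (int)n;
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_leaks(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", demo_leaks(heartbeat_fixed));
    printf("fixed handler echoes honest request: %d bytes\n",
           demo_valid_echo(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler echoes the secret because it never compares the claimed payload_length with the length of the record that actually arrived; the fixed handler answers the honest four-byte request exactly as before and drops the malformed one without replying. In the model the over-read stays inside a single array, so it is well-defined; in a real OpenSSL process it returned whatever the allocator had placed after the record buffer.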

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly; that same enormous deployment encouraged people to assume that they themselves didn’t need to inspect the code that carefully; and OpenSSL’s developers got so little financial support from the corporations relying on their work that they couldn’t even subject the code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.


#corrected: Fixing your errors on Twitter

I screwed up on Twitter yesterday morning. In the grip of nerd rage over a story about an Apple patent application–and without sufficient caffeine in my body–I tweeted that the Cupertino, Calif., company had received a patent on a feature that had debuted in a third-party app some three years before its 2012 filing.

The problem was, Apple had only applied for a patent on a text-while-you-walk system that would overlay message conversations on your phone camera’s view of your surroundings. Oops.

So I tweeted something, um, transparently wrong. Now what? I’ve attended more than one panel discussion on this, and the answers usually get stuck on one of two conflicting imperatives: Don’t let the error go unfixed, but don’t look like you’re hiding the mistake either.

(See my earlier post about documenting changes to your story, if necessary in comments you leave yourself.)

Since you can’t edit the incorrect tweet or even flag it as wrong in the way you could amend a flawed story or blog post, letting it stand risks perpetuating the mistake. But if you delete it, then the evidence of your error vanishes.

What I decided to do was to delete the tweet, follow up by saying what I’d gotten wrong, and then redo the original tweet with a reasonably obvious hashtag, #corrected, to indicate that it was a “CX” for an earlier version:

Does that routine work for you all? Or am I once again seriously overthinking something that people with real jobs don’t worry about at all?

In other news, earlier this afternoon I was glad to see that the Ask Patents clearinghouse for prior art will include this Apple filing in an upcoming call for submissions:


Snapshots from SXSW

It’s now been three days since I got off the plane at National Airport, officially ending this year’s SXSW itinerary, and it’s taken me that long to catch up on sleep, do laundry and edit and upload pictures. (The traditional post-conference LinkedIn binge remains undone.) And maybe I’ve gained a smidgeon of perspective on the event too.

Once again, my primary first-world problem was deciding which panels and talks to attend. I was more ruthless and/or lazy this time, deciding I wouldn’t even try to get to such relatively distant locations as the AT&T Conference Center at the University of Texas’s campus (where my 2012 panel drew maybe 20 people) or the Hyatt Regency at the other end of the Congress Avenue Bridge.

But then I wound up not watching any panels outside the convention center and the Hilton across the street. Of those, remote interviews with Julian Assange, Edward Snowden and Glenn Greenwald topped my list. But I was also fascinated by a debate about net neutrality in which law professor Tim Wu noted our own responsibility in putting a handful of giant companies in charge (“we don’t have a culture on the Internet of preferring alternatives”), a talk about wearable computing that pivoted to discussions of “implantables” and “injectables,” and an honest unpacking of the failure of tech journalists to break the NSA-surveillance story (TechCrunch co-editor Alexia Tsotsis: “We need to step back from our role as cheerleaders and give a more critical eye to the people we’re surrounded with”).

My geographically-restricted attendance led me to miss many other discussions that had looked interesting beforehand. Not only was this narrow-minded conduct, it stopped me from walking around more to make up for all the food I ate.

It would be hard to avoid putting on a few pounds while in Austin on a normal weekend, but when you don’t have to pay for most of your food, courtesy of pervasive corporate and PR sponsorship, the city becomes a thoroughly enabling environment. And a delicious one! For example: the brisket at La Barbecue (thanks, Pinterest), algorithm-driven cuisine at IBM’s food truck, and breakfast tacos at Pueblo Viejo (that was on my own dime, and you should be happy to spend yours there too when you’re in Austin).

As for empty calories–um, yeah, they’re not hard to find at SXSW either. This is the single booziest event on my calendar. That can be an immense amount of fun (my Sunday night somehow involved both seeing Willie Nelson play a few songs with Asleep at the Wheel from maybe 20 feet away, followed by the RVIP Lounge’s combination of touring bus, open bar and karaoke machine), but waking up the next morning can be brutal. To anybody who had a 9:30 a.m. panel on Sunday, only hours after the time change cut an hour out of everybody’s schedule: I’m so sorry.

And then the night after I left, some drunk-driving idiot crashed through a police barricade and killed two people.

Even before that, the “do we really need this event now that it’s been overrun by marketing droids?” conversation about SXSW was louder than usual. I have to note that three of the most interesting panels–the Assange, Snowden and Greenwald interviews–featured subjects thousands of miles away; in theory we all could have watched those from home.

But this is also an event where you meet people you wouldn’t otherwise see and might not ever meet–a long-ago Post colleague from copy-aide days, Internet activists you should know for future stories, journalists who put up with the same problems as you, entrepreneurs with interesting ideas that might go somewhere, and so on. Maybe this is a colossal character defect on my part, but I enjoy those conversations–even the ones with the marketing droids. And that’s why I do this every year.

(After the jump, my Flickr set from the conference.)

(7:30 p.m.: Tweaked a few sentences because I could.)


So long, Sulia: lessons from an experiment in compressed journalism

My time contributing short updates to the microblogging site Sulia wrapped up unceremoniously Monday morning when an e-mail–”ending our paid arrangement”–landed in my inbox. The site’s pivoting in another direction that doesn’t involve paying for my input or that of what seems to be most other contributors it had signed up (for example, my friend Rocky Agrawal); so it goes.

The departure of any one freelance client isn’t that big of a deal, but in this case it was a different sort of medium, and I learned some things along the way that seem worth sharing.

The basic idea here was to get paid a little for writing the equivalent of three tweets in a row–a minimum of 700 characters, a maximum of 2,500. On clicking the “Post” button at Sulia, those updates would appear automatically under my name on Twitter and at my public Facebook page–and that’s when I was met with confusion. Readers had no idea what the heck Sulia was or what I was doing there, leading me to post an explanation here after the first three weeks.

It took longer for me to pace myself so that I wouldn’t be rushing to finish my weekly quota of 10 posts in the last hours of Sunday–and to figure out what topics fit best into this pressurized container. In retrospect, holding off on live-tweeting interesting talks so I could post a longer recap on Sulia was a mistake, while it was smarter to use that greater character count to break some local wireless news in slightly more depth, do the cost-of-ownership math for a new smartphone, or recount my experience upgrading an operating system.

Overall, this site filled a useful void in my work by allowing me to share my notes in a medium slightly longer and less evanescent than Twitter while also getting paid (and without having to send an invoice first). I’m not sure how I’ll replace that.

Among no-payment options, Twitter puts me back in a 140-character box, Facebook and Google+ have enough of my personal business already, LinkedIn seems too business-focused, and as for Medium–well, I already have a blog here. Alas, my WordAds revenue has been so minimal to date that it’s not worth thinking about the potential income from any one extra post.

Or perhaps the Sulia experiment was a mistake all along, and I should have put the time spent crafting those 40-some morsels a month into finding three or four good stories to sell elsewhere. Either way: on to the next thing…

Time-zone arbitrage

Spending the past five days in Barcelona, six hours ahead of the East Coast, has me thinking anew about the finer points of having different digits on your clock and those of editors and readers. 

Yes, jet lag sucked. I woke up Monday at 4:30 a.m. and then couldn’t get back to sleep, leading to a couple of naps in the press room. (A laptop does not make a good pillow.) But a day later, my eyelids no longer felt like they weighed 200 pounds, and I realized again that the time-zone gap can also be my friend.

Specifically, it turns the morning into—not an accountability-free zone, but at least a self-directed time, thanks to almost nobody in a position to direct my coverage being awake. Then it allows my copy to arrive early in an editor’s day for a change. If my editor is based in the Bay Area, I look even more prompt: The story sent at 5 p.m. arrives at 9 a.m.

At some point, this equation will flip and I’ll have an evening upended when an editor decides my copy needs another run through the typewriter. But so far, the worst that’s happened is me turning into that annoying guy who answers e-mails on his phone during dinner.

Social media also highlights that temporal shift: Twitter and Facebook look a lot quieter than usual until lunchtime, to the point where I question the wisdom of tweeting out observations that will get lost in the timelines of most of my usual audience. But then I have my phone pinging with notifications until I go to sleep myself.

Back at home, the three-hour gap between the East and West Coast should also benefit me when dealing with editors there. But it’s too easy to waste that advantage until it’s 6 p.m. here and I have a different deadline looming in my own time zone: cooking dinner.

Flying to the West Coast, meanwhile, permits jet lag to work for me: On the first couple of days, I usually snap awake not much later than 5 a.m., and I am never more productive than in those hours before I finally get breakfast. And if the event I’m covering won’t have people committing news after lunch—for example, Google I/O keynotes usually start at 9 a.m. and run until about noon—my workday will also end earlier than usual.

But then I also have to deal with the 7-9 p.m. keynote that opens each CES. Not only does it throw a wrench in my scheduling machinery, it ensures I can’t eat until a time that feels more like 11 p.m. At least I don’t have to write stories about those things anymore.

Storytelling about story selling

Earlier this week, I did a foolish thing: I wrote an article without even trying to get paid for it. The piece in question–a 313-word listicle relating ten thoughts about Facebook on the day of its tenth birthday–only took a few minutes to write, and in the moment my Facebook page seemed like an apt spot for it.

Most of the time, however, I’m not in such a rush and I do want to make some kind of money for writing something longer than a few paragraphs. (For about a year, this blog generated no income, but since the spring of 2012 WordPress.com’s ads have been paying me an exceedingly low per-word rate.) But if I have an idea that’s not an obvious fit for one of my regular clients, where do I try to sell it?

For me, the answer is not always the obvious “whoever will pay the most money.” Assuming the options are all offering about the same range, other considerations come into play:

Audience: If I’m writing something that I hope will change people’s minds, then I’d rather a site be able to get my words before more people. If it’s more of a personal essay or some specialized topic that won’t get a large readership anyway, that’s not such a concern, and I’ll even write behind a paywall.

Old or new client? I don’t want to let my connections with editors go stale–when an editor knows you and your work well enough, you can pitch a story and get it assigned to you in a minute’s worth of Twitter direct messages. But if I’m not getting my byline to show up in different places, it feels like I’m not trying hard enough.

Contract: Most freelance contracts are written to reserve as much of the post-publication upside as possible for the client. Ones that instead let me keep copyright to my work and resell it later on (thanks, The Atlantic Cities and The Magazine) easily get my attention.

CMS: Being an outside contributor generally insulates me from whatever horrible content-management system a newsroom uses, but if a site uses a good CMS it gets a little extra credit. For example, it doesn’t hurt that Yahoo Tech uses Tumblr, and one big reason I want to write something for The Magazine’s venture on Medium is to spend some quality time in that CMS without writing for free.

Comments: Because I’m one of those weirdos who actually enjoys reading and responding to reader comments, I appreciate writing for sites that make it easy to do so–and have commenters who generally know what they’re talking about. (Yes, Yahoo Tech doesn’t have comments yet. A custom system that, per David Pogue, will “attempt to eliminate awful anonymous drive-by potshots that add nothing meaningful to the discussion” is on the way; when it launches, you will see me on it.)

Ease of payment: I usually don’t think to ask about this until after I’ve filed, but if I don’t even have to invoice the client to get paid, that’s great. Having the payment deposited directly in my business account or sent via PayPal helps too, but my bank’s nearest branch is only a 10-minute walk away, and I could always use its app to scan in a check. Really, just don’t make me have to invoice twice and I’ll be happy enough.

Making use of misfit review hardware

One of the recurring First World problems in technology journalism is possessing review hardware that you don’t get around to reviewing anywhere. That happens more easily than you might think: The device you want to review only works with another one that doesn’t warrant a writeup from you; a PR shop sends along a gadget you don’t need along with one you requested; you ask for a loaner device but then can’t interest a paying client in a story on it.

Either way, I hate to send the hardware in question back without getting some journalistic value out of it. (No, I don’t get to keep review hardware for my own use–and selling it on eBay isn’t an option either.) Here’s how I’ve tried to make additional use out of three gadgets that found their way to me without making it into a detailed review by me.

Galaxy Note 3: This size-XL phone was a supporting actor in my reviews of Samsung’s Galaxy Gear watch. I’ve since used this Sprint-spec Note 3 as a guinea pig in tests of the charging speed of its forked USB 3 cable (it was only about 22 percent faster than a generic USB cable) and of Absolute Software’s LoJack kill-switch app. I’ve also been taking notes on which of Samsung’s default settings merit changing–starting with that annoying whistle notification sound. Look for a cheat sheet on that topic, here or somewhere else.

Moto X: When Republic Wireless sent me its version of this phone, I was sure I could sell somebody on an assessment of how its WiFi-centric wireless service has evolved since last summer’s cruder offering. Nope! The loaner unit got a brief mention in a post about some positive trends in the mobile-phone industry and hasn’t shown up in any stories since then. I’ve used it to check the speed of Sprint’s LTE in my neighborhood (just now at my desk, a weak 4.51 Mbps down and 4.58 Mbps up) and to check its battery life (unsurprisingly enough, it’s vastly better on WiFi).

Chromebook Pixel: At Google’s I/O conference this May, journalists were invited to take home loaner units of this $1,299 Chrome OS laptop. I thought it would be educational to see how the Web looked on an ultra-high-resolution, 2560-by-1700-pixel display. Answer: pretty sharp! But I’ve spent surprisingly little time on the thing. For me, at least, the utility of a laptop with all of my usual apps trumps the beauty of a screen bereft of those tools. My last intensive use of the machine was to set up a fake Facebook account so I could check the social network’s default settings for a how-to post at Yahoo Tech, but this laptop’s smooth gray finish has also served as a backdrop in a few gadget close-up shots.

If you have any lingering questions about these devices that I might be able to answer, speak up now–sometime in the next few days, they’re all going home.

I don’t like sketchy ads either

Almost two years ago, I got invited to join WordPress.com’s WordAds program, and for the most part it’s worked well–aside from these advertisements failing to earn me truckloads of money, as opposed to enough for a nice dinner every now and then.

But a week or so ago, a few of the ads sent here by this program started looking distinctly sketchier. One made diet claims unlikely to survive scrutiny by the Food and Drug Administration, while another made the economically implausible offer of a free $1,000 Walmart voucher. And sometimes the appearance of these ads was followed by one of those spammy pop-up ads for the MacKeeper app–also served by the same Tribal Fusion ad network.

That’s not the “high quality” content WordPress promised when it launched this partnership with Federated Media. So I posted a cranky tweet about it and then followed up with a complaint sent through the appropriate form, saying that “If you don’t kick these garbage advertisers out of WordAds, I’ll drop out of the program.” (That was an easy threat to make, since I don’t have that much money at stake.)

I got a quick acknowledgment saying that my gripe was legitimate, followed the next day by a report that the advertiser had removed the offending items and pledged to clean up its act.

I haven’t seen any objectionable ads since; it appears the system worked. But if you see ads making a pitch that looks dodgy, let me know about it. Bad ads are a Web-wide problem, and the least I can do is not have my little corner of the Web contribute to it.

CES 2014 journalism-tech report

For once, I made it through a CES without my phone dying. But it was close: Wednesday night, I arrived at a party with my phone showing 2 percent of a charge left. One of the hosts asked if I wanted a drink, and I replied that I could use an outlet first.

Phone battery charging

America’s annual gadget gathering is an unfriendly environment for gadgets. Too many people using too many phones, tablets and laptops result in jammed airwaves and a severe power shortage.

And this year, I gambled a little by not bringing a spare review phone or two for backup. Plugging in my Nexus 4 every time I was sitting down helped the phone survive the show. But I also think I tweeted less than last year and didn’t take as many pictures as I expected (including only one panorama and no “photo spheres”).

I should have packed an external phone charger–my MacBook Air, unlike the ThinkPad I brought to CES in 2012, can’t charge a phone when closed and asleep in my bag, and it’s not that fast at replenishing my phone when awake. (On the other hand, the ThinkPad doesn’t have a backlit keyboard, making it far inferior to the MacBook for keynote note-taking.) I also should have remembered to pack my travel power strip, which I sorely missed on press-conference day but survived without the rest of the trip.

WiFi was not quite as reliable as last year, but it did suffice in the only places Ethernet was a viable option–meaning I never used the MacBook’s USB-to-Ethernet adapter.

The Canon 330 HS camera I’d picked up at a low, low sale price on the Wirecutter’s advice worked out better than I’d expected (see my Flickr set from CES to judge for yourself). I never even had to recharge the battery, and it was compact enough to leave in a jacket pocket full-time.

But after I couldn’t get the Canon’s WiFi linked to my phone–the upcoming 340 HS that I saw at CES should ease that by automating the pairing process with NFC wireless–I was stuck geotagging and uploading photos on a computer, same as ever.

That communication breakdown also cost me the chance to have the phone fix the incorrect date I’d set on the camera. Yes, I was the guy still writing “2013” on his photos, something I only noticed when I couldn’t find them at the end of my iPhoto library. Everybody point and laugh now… because I’m totally sure this mistake will have been engineered out of possibility by the time I pack for CES 2015.

More questions answered about my role at Yahoo Tech

LAS VEGAS–My involvement with the new Yahoo Tech site hasn’t been a secret since the holiday preview posted in December, but with yesterday’s launch at Yahoo CEO Marissa Mayer’s CES keynote it’s a lot more public. Following, answers to some of the questions I’ve gotten since then.

Q. Is this your new job?

A. No. Writing a weekly “The Rules of Tech” column is my new freelance gig. I will continue to have the pleasure of making four large estimated-tax payments to the IRS a year.

Q. What about your other work?

A. My assignment at Yahoo is to cover tech policy (not just laws and regulations, but the boundaries and limits set by corporations and each other). So don’t expect to see me getting into that area of technology elsewhere–that’s why I had to bid farewell to my tech-policy blogging at the Disruptive Competition Project.

But outside of that, I can continue to write elsewhere. Further, I should continue to write elsewhere–staying current with people’s tech frustrations in my USA Today column and reviewing gadgets elsewhere will make me a more informed tech-policy writer. That outside work can also let me indulge my wonkier instincts instead of plunging into the weeds in every single Yahoo post.

I may, however, have a little less bandwidth in the near term for other assignments as I work my way from “conscious incompetence” to “conscious competence” in this new role.

Q. Where are the comments? Why no RSS feed?

A. Shocking but true: Sometimes sites launch without every intended feature. I’m told those things are coming, so please keep clicking refresh at least once a day.

Q. Are they hiring? Taking on other freelancers?

A. Too soon to say, and those questions are also kind of above my pay grade. I can say that it’s been a busy few weeks; right now, I think we’re all dreading the fact that we only have [checks watch] maybe another hour to sit and admire our handiwork before getting back to it.

Q. Are you worried about being associated with a Web property that’s made so many technological missteps in the past?

A. That’s not a very nice way to talk about the Washington Post. (I kid, I kid! Just judge me by my work, okay?)