Why I don’t and (probably) won’t use an ad blocker

It will cost me a few hundred dollars to try iOS 9’s new support for ad-blocking tools, courtesy of that feature not working on my vintage iPad mini. (Thanks for not documenting that and other incompatibilities, Apple.) But even after I upgrade to an iPad mini 4, I probably still won’t treat myself to an ad-reduced mobile Web by paying for such popular content blockers as Crystal or Purify.

I mentioned the reasons why in a comment on my Yahoo Tech post Tuesday, but the answer deserves a little more space.

It’s not about a sense of professional loyalty, although I would feel more than a little dirty undercutting the advertising revenue that helps news sites pay me and my friends in the business.

(Ars Technica founder Ken Fisher made that argument well in this March 2010 post.)

This is more a case of me trying to keep a little of the common touch online. In general, I stick with default settings so I will experience the same issues as the average Web user (also, I’m lazy). I will depart from defaults to keep my devices secure–that’s why Flash isn’t on this laptop–but installing extra apps to get a cleaner Web experience gets me too far from that ideal.

In particular, relying on ad blocking invites me to recommend sites without realizing their annoyance factor. If a site’s going to throw a sign-up-for-our-newsletter dialog before you can read every story, I don’t want to learn about that behavior afterwards from grumpy readers.

(My occasional client PCMag.com often presents that kind of newsletter dialog. And yet I gladly refer people there, because their journalists do good work. See, it’s complicated!)

I also need to know if my regular clients are getting obnoxious with the ads–remember, I was at the Post when an overload of ads and social-media widgets began to bog down everybody’s reading–on the chance that my complaint to management improves matters. You’ll tell me about that kind of problem, right?

Nexus 4 update: a little more life with Lollipop

One of the key reasons why I bought my Nexus 4 a little over two years ago was knowing that I wouldn’t have to wait for Google’s software updates. And then I waited weeks to install Google’s Android 5.0 Lollipop update after its first appearance on my phone in late November–the slight risk of the update bricking my phone was not something I wished to run during the combined insanity of the holidays and CES.

I should have waited longer. That 5.0 release and the subsequent 5.0.1 update exhibited a freakish and annoying bug: I could hear the other person in a phone call, but they couldn’t hear me.

The workaround suggested in a reddit thread about changing a developer-level setting made the problem go away most of the time, and it’s yet to resurface in Android 5.1. But I’m still completely puzzled as to how a flaw this widespread could have escaped QA testing.

I don’t regret installing this update overall, though–not least since Google does appear to have fixed the problem it created.

The best feature so far has been battery life that seems notably longer than under Android 4.4. And seeing a current estimate of how many more hours the phone’s good for–combined with having its Battery Saver option prolong its runtime for a good hour or so–leaves me feeling a little more in control of this Nexus 4’s useful time away from a charger.

After that I’d rank the updated Quick Settings panel you access by swiping down from the top of the screen. This puts my phone’s hotspot feature one tap away–before, it was multiple levels deep in the Settings app–and finally adds the flashlight feature that previously required adding somebody else’s app.

The rest of the Material Design interface Google made so much of a big deal about at last year’s I/O developer conference hasn’t made as much of a difference as I expected. I’ve quickly gotten used to the idea that different apps will turn the menu bar different colors–except when some of these hues get a little too close to Battery Saver’s bright orange.

And I feel like I can zip through open apps much faster in Lollipop’s recent-apps list, or at least I do since telling Android to show Chrome only once in this list instead of including a preview of every page open in that browser.

I wish I could be more enthusiastic about Smart Lock, the option to bypass the lock screen based on your phone’s proximity to a trusted component of one sort or another. But so far, I’ve only set it to trust my desktop computer via Bluetooth–and because that iMac can be iffy about connecting automatically to the phone, I can’t count on this working.

I should explore the other unlock options available. For instance, I happen to have a spare NFC tag or two around that I could stick in our car’s dashboard for an automatic unlock when I tap the phone to it. But haven’t gotten around to that yet.

The important bit about this update is this: Lollipop has breathed a little more life into a two-year-old phone. And that, in turn, means I don’t yet have to choose between continuing with the Nexus line in the form of the unacceptably huge Nexus 6 or going with another Android phone or even (it could happen…) switching to an iPhone.

Cert-ifiable: How my Mac didn’t trust a new secure site from the Feds

For about three minutes on Monday, I thought I’d uncovered a gigantic security flaw in a new government site set up to push other .gov sites towards secure browsing: When I tried visiting The HTTPS-Only Standard, my iMac’s copy of Safari reported that it couldn’t verify that site’s identity and its copy of Chrome said my connection wasn’t private.

But when you think you’ve uncovered an obvious error in a site that’s been out for over a week, it’s usually your own setup at fault. And within minutes of my tweeting about those warnings, I got a reply from the guy who configured the site saying he couldn’t reproduce the problem.

After some quick testing on this computer, my MacBook Air, my iPad and my phone (during which I silently congratulated myself for editing some accusatory sarcasm out of that tweet before posting it), I realized this fault was confined to Safari and Chrome on my two Macs. Every other browser, including Firefox on my iMac, got through to that HTTPS-Only site normally.

Further Twitter conversations pointed me to each Mac’s store of saved site certificates, accessible in the Keychain Access app. For Safari and Chrome to encrypt a connection to that government site, OS X needed to match its digital certificate against a sort of master key, a “root certificate” stored in the system.

(For a better description of how the mathematical magic of encrypted browsing happens, consult my friend Glenn Fleishman’s 2011 explainer for the Economist.)

Both Macs had an old copy of Comodo Group’s root certificate, one not listed on Apple’s inventory of trusted root certs. I tried deleting that certificate, figuring it probably wouldn’t make things worse–and that was all it took for the HTTPS-Only site to work as advertised and for one or two other sites to stop coughing up security warnings.

With my encrypted browsing back to normal, I’m left to wonder how my system keychains got tangled up like that. Any theories? Before you ask: Yes, I’ve done a full scan with the ClamXav malware scanner and haven’t found any issues.

Correlation or causation: Verizon, LastPass and last weekend’s USAT column

The reaction to last weekend’s USA Today column has been interesting and a little confusing.

On one hand, I’ve seen a variety of reader reports–more in reader e-mail and in comments on the post I wrote here first to see if this was a wider problem as well as on the Facebook page post in which I shared the column than in comments on the column itself–of other Verizon login failures.

On the other hand, Verizon is now thinking that this is related to my using LastPass. My PR contact there said that one of his colleagues had noticed the screenshot in my post here revealed that I use that password-manager service and suggested I try disabling its extension in the problematic copy of Safari.

I thought that a somewhat ridiculous suggestion, since each time I’d typed in the password instead of letting LastPass enter it for me. But once I did that, I could log in normally. And when I enabled it again, I got the same login failure as before. There’s correlation here. Causation? I don’t know.

I e-mailed LastPass’s CEO Joe Siegrist (not because I thought this a CEO-level issue, but because we met a few years ago and I’ve always found him quick to reply to a query) to ask his people to look into things.

If they can reproduce and, better yet, document a problematic interaction, that would be good to know and a good thing to add to the column. If they can’t (a distinct possibility considering that the guy I quoted in the column having a similar problem, PhoneScoop editor Rich Brome, told me he doesn’t use LastPass), the mystery will continue.

In the meantime, I’ll throw this question out there: If you use LastPass, have you seen any other cases of a login with a valid password failing?

PGP and me

If you’ve received an e-mail from me in the past week or so, you may have noticed something extra in the message’s headers: an indication that it was digitally signed with my Pretty Good Privacy key.

As yet, no recipient has asked about that, much less complimented my digital hygiene or sent a reply encrypted with my PGP public key. Which is pretty much what I expected: The last time I had a PGP setup in operation, I had to ask Post readers to send me an encrypted message before I got any.

A few weeks later, my inbox once again featured only un-encrypted e-mail.

Then some fumbled corporate transitions and the switch to OS X left the open-source MacGPG as the most appealing option on my Mac–and a slow and slowing pace of updates left it an increasingly awkward fit. Without ever consciously deciding to give up on e-mail encryption, I gave up.

(I should have felt guiltier than I did when I offered a Post colleague a tutorial on crypto that I didn’t bother to operate on my own machine. On that note, if you have a key for robp@washpost.com or rob@twp.com in your own PGP keychain, please delete it.)

I finally returned to the fold two weeks ago, when I ducked into a “crypto party” tutorial at the Computers, Freedom & Privacy conference. Jon Camfield of Internews explained that things had gotten a lot better and pointed me to a newer, far more elegant open-source implementation called GPGTools. I downloaded it, installed it, and within minutes had a new set of public and private keys plugged into my copy of Mail (no need to copy and paste a message into a separate decryption app as I did in MacGPG), with my public key uploaded to a keyserver for anybody else to use to encrypt mail to me.

My key ID is 03EE085A, my key fingerprint is FD67 6114 46E8 6105 27C3 DD92 673F F960 03EE 085A, and the key itself is after the jump. Do I expect to get a flood of encrypted messages after this post? Not really. But if somebody does want to speak to me with that level of privacy, they now have an option I should have provided all along, and that’s what counts.


Mail merge? Work, home and other e-mail addresses

I keep telling myself that one of the ways I maintain what’s left of my work/life balance is to have separate home and work e-mail addresses. And yet I have to ask who I’m kidding when these two Google Apps accounts, each at its own domain name, constitute separate lines or windows in a mail client, and when I’m sometimes corresponding with the same person from each address on alternate days. Meanwhile, many people I know seem to function perfectly fine with one all-purpose e-mail address.

In a prior millennium, it was an easier call. After having lost a bunch of messages from friends during a transition from one e-mail system to another at the Post–and then discerning the dreadfulness of the new Lotus Notes system–I had little interest in trusting personal correspondence to my employer’s IT department.

I also figured that I would have less trouble staying on top of friends-and-family e-mail if it weren’t competing for space and attention in the first screen of my inbox with random PR pitches, interoffice memos and chit-chat with other journalists. And the address that wasn’t listed on a major newspaper’s Web site should, in theory, get vastly less spam.

(Because I am this persnickety about my communications tools, I also have a regular Gmail account that I use for almost all of my online commerce, financial transactions and other things that are neither personal- nor work-related. I don’t mind the ads there, while my Google Apps inboxes have no such distractions, courtesy of Google ending ad scanning for Apps users–even those on the free version it no longer offers to new users.)

It’s been years since I’ve had to worry about IT-inflicted mail misery. What about the other virtues of this split setup?

  • Being able to flag messages for follow-up means I’m now less likely to forget to answer an important message, whatever address it was sent to.
  • But I don’t need 11 different folders to sort my home e-mail after I’ve dealt with it. Less cognitive load is a good thing.
  • Having to ask myself nit-pick questions like “since I’m asking a friend about something that may lead to him being quoted in a story, should I send this message from my work address?” increases my cognitive load.
  • Searching for messages and then looking over the results is faster when I’m excluding an entire account’s worth of e-mail. But when I ask Mail for OS X to query all of the gigabytes of messages that have accumulated at both addresses… ugh.
  • My anti-spam strategy has been a total bust. When I checked earlier this morning, Google had quarantined almost 1,500 spam messages in my home account, about 100 of which were messages on my neighborhood mailing list that shouldn’t have been screened as junk.

On that last note, here’s a question for you all to ponder: That mailing list will soon be moving to a commercial hosting service subsidized by ads, and of course I haven’t yet read its privacy policy. Should I switch my subscription to my Gmail address, where I can read those messages alongside those from my neighborhood’s smaller Nextdoor group, or should I keep using my home address there?