Smartwatch withdrawal

For the first time since last summer, I’m about to depart for a trip without including a smartwatch and its charger in my luggage: I returned the Moto 360 and Samsung Gear Live I’ve been trying out to Google PR on Wednesday.

(I took advantage of having to go to NYC for the day to hand-deliver those Android Wear watches and a few other loaner devices to a Google publicist–less because of the money I’d save on FedEx, more because I wouldn’t have to find a box and enough bubble wrap for all of these things.)

I don’t miss having to charge a smartwatch–always with a proprietary adapter that’s easy to misplace, not easy to replace–every day. But I do miss the soothing sense that if something important happens in my digital life, a device on my wrist will tell me about it and relieve me of the need to grab my phone.

Somebody used the phrase “digital triage” to describe that aspect of smartwatch usage, and that sounds about right: Unlike a beep or a buzz from a phone, the name and subject of an e-mail flashed across a watch’s face tell you instantly if the message is something that demands quick attention or can wait.

That use case seems as compelling to me as it did after two months of trying the Gear Live–maybe more so after I realized how often I was checking my phone during a dinner Thursday night. Fortunately, I was with other tech types, so I’m sure my fellow diners weren’t offended. Much.

And, sure, I once again have to reach for my phone to tell the time.

This trip will take me to Barcelona for Mobile World Congress, where I expect to see a new crop of smartwatches–Apple’s excluded, as that company doesn’t show off its products at other people’s events.

Some of them should be thinner and lighter and run longer on a charge than the Motorola and Samsung watches. Some may do away with the need for a proprietary charger, either by accepting a standard micro-USB charger or using wireless charging. Some may even look sharp enough to wear with a suit. With each of those advances, the odds of me buying one of these things will tick forward another notch.

Correlation or causation: Verizon, LastPass and last weekend’s USAT column

The reaction to last weekend’s USA Today column has been interesting and a little confusing.

On one hand, I’ve seen a variety of reader reports–more in reader e-mail and in comments on the post I wrote here first to see if this was a wider problem as well as on the Facebook page post in which I shared the column than in comments on the column itself–of other Verizon login failures.

On the other hand, Verizon is now thinking that this is related to my using LastPass. My PR contact there said that one of his colleagues had noticed the screenshot in my post here revealed that I use that password-manager service and suggested I try disabling its extension in the problematic copy of Safari.

I thought that a somewhat ridiculous suggestion, since each time I’d typed in the password instead of letting LastPass enter it for me. But once I did that, I could log in normally. And when I enabled it again, I got the same login failure as before. There’s correlation here. Causation? I don’t know.

I e-mailed LastPass’s CEO Joe Siegrist (not because I thought this a CEO-level issue, but because we met a few years ago and I’ve always found him quick to reply to a query) to ask his people to look into things.

If they can reproduce and, better yet, document a problematic interaction, that would be good to know and a good thing to add to the column. If they can’t (a distinct possibility considering that the guy I quoted in the column having a similar problem, PhoneScoop editor Rich Brome, told me he doesn’t use LastPass), the mystery will continue.

In the meantime, I’ll throw this question out there: If you use LastPass, have you seen any other cases of a login with a valid password failing?

Tales from the software-CD crypt

Wednesday’s “worst version of Windows” column for Yahoo Tech was a fun stumble down memory lane, and not just because it allowed me to re-read reviews of Windows Me and Windows XP: I also got to dig out some of my semi-treasured collection of software CDs.

I started collecting them once I had a desk of my own at the Post, and these things soon became a core part of my cubicle decor there. Beyond the Windows CDs you saw in the photo atop that column, I have:

  • a BeOS CD that I then tried out on my Mac clone and thought was a revelation compared to the Mac OS of 1997;
  • a CD for the Snap online service CNet launched with EarthLink in 1997, and which I’m sure nobody else remembers today;
  • a system CD from the Power Mac Cube I reviewed for the Post;
  • a rectangular CD for Windows Media Player 7 that was supposed to portray that awful music app’s interface, and which would be unusable on any computer with a slot-loading optical drive;
  • a CD of Insignia Software’s SoftWindows, an emulation app that shipped for the first Power Macs.

These obscurities don’t function as any sort of decor now that they’re stashed in an interoffice envelope. But they do help remind me of where the industry’s come (remember when the only way the Mac was going to survive is if you could run Windows programs miserably slowly on it?) and of reviews that I perhaps could have done better.

And they’re also a type of keepsake that’s been rendered obsolete by the online delivery of almost all software. What am I going to do, take a screengrab of the .zip file that contained my beta download of Windows 10?

Mac settings changes you might miss going from Snow Leopard to Yosemite

One of the major Christmas presents at my in-laws was a shiny new 13-inch MacBook Air that replaced a 2010-vintage MacBook–which meant that one of my major presents was getting apps, data and settings transferred from the old Mac to the new one, then completing the rest of the setup.

The first hiccups came in OS X’s Migration Assistant: It estimated the data transfusion would take five-plus hours over the home WiFi. But neither machine saw the other over a faster Ethernet link (using a USB-to-Ethernet adapter on the Air), and an ad hoc, computer-to-computer WiFi network didn’t work until I resorted to the un-Mac-like workaround of turning on Internet sharing on the source laptop.

Then I realized the work Migration Assistant had left for me: configuring parts of OS X Mavericks (preloaded on the new MacBook) and Yosemite (promptly installed as a free update) that had no equivalent in the old MacBook’s Snow Leopard, then changing OS X settings that would confuse anybody used to that five-year-old operating system.

Atop the first category: the social-media integration Apple began adding to OS X in 2012’s Mountain Lion release. My in-laws aren’t on Twitter and don’t spend much time in Facebook–but that integration’s ability to share a photo to Facebook from the Finder does address a pain point I’d heard from them.

An Apple ID is far more important in Yosemite than in Snow Leopard, courtesy of so many updates running through the Mac App Store. So I had to verify that hitherto-dusty account worked and had current billing info, without which we couldn’t download the free Yosemite update.

Migration Assistant had siphoned over a few long-ignored PowerPC applications that OS X hasn’t been able to run since 2011’s disappointing Lion, so I had to delete those myself.

I thought I was done at that point, and then I heard my father-in-law complaining about not being able to scroll. He had bumped into Apple’s foolish decision to make scroll bars invisible until you mouse over them or use a two-finger gesture to move up or down the page. I hadn’t thought to fix that setting (open System Preferences and click “General”) because I’d fixed it on my own Mac after maybe two hours with Lion. Oops.

The last round of settings to change were in the minds of Yosemite users who had been used to Snow Leopard. From that perspective, the Notifications icon at the top-right corner of the screen means nothing (and requires tweaking to avoid info pollution), while Launchpad’s rocketship Dock icon doesn’t exactly shout that you no longer need click around the Finder to run apps that aren’t already in the Dock.

I’ve spent a decent amount of time walking my wife’s folks through those angles, but I suspect I’ll be getting questions about the new computer for months to come. See also: “the gift that keeps on giving.”

Apple Mail malaise (update)

There’s no program on my Mac that’s annoyed me more over the last year than Mail. Which is funny, because for years I held up that program as an example of Apple working to fix customers’ problems while Microsoft let Outlook Express decay.

But sometime during the development of OS X Mavericks, Mail went off the rails. It shipped with a bug that made syncing with a Gmail account awkward to implausible. Apple fixed that within weeks, but other problems lingered through many or all of its updates to Mavericks:

  • Searching for old messages was intolerably slow, to the point where it would be faster to grab my iPad, log into the relevant account and start the search… after first running up and down the stairs to find that tablet.
  • Switching back to Mail from other apps would leave the insertion point randomly shifted to a point months or years in the past–which, to be fair, is great for cheap nostalgia.
  • Some mailboxes would be shown sorted by subject instead of date, never mind that sorting by subject is a total waste of time unless a mail client can’t handle search (ahem).
  • More recently, Mail began forgetting the custom app passwords Google generates for mail clients and other apps that can’t process its two-step verification codes.

Apple’s updates fixed some of these issues before OS X Yosemite. I don’t think I’ve seen a mailbox randomly sorted by subject in months, and I haven’t had to open Keychain Access to copy a saved Google app password back into Mail since last month.

Yosemite, to judge from its performance on my MacBook Air, has also returned search in Mail to a state of good repair. I can only hope Apple keeps working on these other issues. Because between Web-mail’s issues with offline access and working with other apps and the lack of a compelling alternative client (understandable, given how many people rely on Web-mail or don’t spend as much time in a mail client as me), firing this app just doesn’t seem too practical.

And at least the prominent mentions of Mail in Apple’s product page for Yosemite suggest the company realizes it can’t leave this app in maintenance mode. If only I could say the same for iPhoto…

Your con-call invitation isn’t as enticing as you think

I enjoy talking shop, but not so much when I first need to call a toll-free number, punch in a four-to-six-digit code, press the pound key, speak my name after the beep and be dumped into a cybernetic void in which I must wait to hear the sound of another human voice.

No, I’m not a fan of conference calls. Part of that is a common rationale–they allow a PR minder to be on the line and make sure nobody says anything too compromising–but, really, most of it is the exasperating user experience.

That starts with the con-call invitation, which inexorably arrives on my Mac as a blank e-mail consisting only of a “Mail Attachment.ics” file. OS X’s Quick Look won’t reveal its contents, so I must open it in Calendar to see that it contains the number, con-call code and time that should have been in the e-mail itself.

Make me open another program to see what you’re talking about in your e-mail? No.

To judge from the headers of these messages, this is a Microsoft Outlook-transmitted social disease–sending a calendar invitation from inside that sprawling program must not offer the sender any hint of how it will be displayed to a recipient. In my case, it’s badly: Not only does Mail for OS X throw up its hands, the Gmail app for Android doesn’t even show this file.

(And yet Mail for iOS displays a nifty calendar widget for those invitation messages. Apple’s inability to keep its desktop mail client at feature parity with its mobile mail client is a subject for a future rant.)

After the aforementioned routine of punching in numbers and waiting for a response, I often face an extra challenge in con-calls with more than one executive, or in which the publicist and the executive are of the same gender: figuring out which of two or three white guys is speaking at any one time.

And have I mentioned that this is the tech business? There are good, Web-based conference systems that let you connect by clicking a link and then make it easy to tell who’s there and who’s talking. I’ve used UberConference and it was terrific; I hear great things about Speek but haven’t used it yet (note that a friend works at that D.C.-based startup); video chat through apps like Skype, Google+ Hangouts, Vidyo or Rabbit works too, as long as I tidy up the parts of my home office within camera view.

And yet when a company wants to talk up its technological prowess, we must jack into the AOL chat room of group voice communication. PR friends, if your client insists on that routine, can you at least do me a favor and dial my phone directly before patching me into the call?

Heartbleed and bleeding-heart open-source advocacy

For at least the last decade, I’ve been telling readers that open-source development matters and helps make better software. If everybody can read the code of an application or an operating system, there can’t be any hidden backdoors; if anybody can rewrite that code to fix vulnerabilities and add features, the software’s progress can’t be thwarted by any one company’s distraction, fraud or bankruptcy.

My glowing endorsement of Mozilla Firefox 1.0 in November 2004 set the tone:

…the beauty of an open-source product like this is that you can participate in its evolution. Firefox’s code is open for anybody to inspect and improve...

Since then, I’ve recommended open-source operating systems, office suites, anti-virus utilities, secure-deletion tools, file-encryption software, two-factor authentication apps, PDF exporters, DVD rippers and video-playback toolkits. And I’ve had one phrase in mind each time: Given enough eyeballs, all bugs are shallow.

My experience using open-source software tells me this is true–even if that doesn’t guarantee a constant rate of improvement or an elegant interface.

And if any genre of software should benefit from this method of development, it ought to be code that Web sites use to secure their interactions with users from eavesdropping: Everybody sending or storing private information needs this feature, billions of dollars of transactions are at stake, and you don’t even have to worry about wrapping a home-user-friendly UI around it.

True, right? Except Heartbleed happened. Two years ago, an update to the widely-used OpenSSL encryption library added a “heartbeat” function that made it easier for sites to keep an encrypted session going. But it also harbored a disastrous vulnerability to buffer-overflow attacks that would cause a site to return 64 kilobytes of whatever happened to be adjacent in the server’s memory to an attacker: usernames, passwords, e-mail content, financial transactions, even the private key the site uses to encrypt the session. And the attacked site can’t check afterwards to see if it got hit. I defy the NSA to script a better hack.

And despite buffer overflows being a well-known risk with documented defenses, nobody caught this for two years. Two years! It took a Google researcher and engineers at the Finnish security firm Codenomicon to find the bug separately and report it to the OpenSSL team.

How bad is this? Ask security researcher Bruce Schneier:

“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.

It seems that everything that could go right in open source development went wrong in this case. As an excellent story from Craig Timberg in the Post outlines, the free nature of OpenSSL made it an obvious choice for hundreds of thousands of sites and something of a natural monopoly, that same enormous deployment of OpenSSL encouraged people to assume that they themselves didn’t need to inspect the code that carefully, and OpenSSL developers got so little financial support from the corporations relying on their work that they couldn’t even subject their code to a proper security audit.

The stupid thing is, we knew this could happen. See John Viega’s 2000 essay, “The myth of open source security,” in which he outlines how thousands of users failed to catch “a handful of glaring security problems” in code he’d contributed to the Mailman mailing-list manager:

Everyone using Mailman, apparently, assumed that someone else had done the proper security auditing, when, in fact, no one had.

That doesn’t mean that closed-source development suddenly looks better. (When all this is done, Microsoft’s proprietary and hideous Internet Explorer 6 may still have greased the skids for more successful attacks than OpenSSL.) But it does mean that selfishness/laziness/distraction and open source can become a toxic mix, one we should have seen coming.

Updated, 10:25 a.m., to add a link to Viega’s prescient article.