Weekly output: Google hearings (x2), Microsoft wants facial-recognition rules, Google Maps and Lime scooters, U2F security keys, U.S. newspapers vs. the GDPR

My calendar for the coming week looks strange: There isn’t a single work appointment on it. I plan to celebrate that by not shaving tomorrow.

12/10/2018: Congress will grill Google’s CEO this week — here’s what to expect, Yahoo Finance

The House Judiciary Committee–in particular, certain of its Republican members–obliged me by living up so completely to this preview of Google chief executive Sundar Pichai’s Tuesday appearance there.

12/10/2018: Microsoft is asking the government to regulate the company’s facial recognition tech, Yahoo Finance

Microsoft president Brad Smith came to the Brookings Institution last week to make an unusual plea: Please regulate us before we get dragged into a race to the bottom with ethically-unbounded vendors of facial-recognition technology.

12/13/2018: Google Maps will now help you find Lime scooters, Yahoo Finance

I got an advance on this news from one of Lime’s publicists; by itself, this new feature isn’t a huge development, but covering it allowed me to discuss broader failings in both Google’s and Apple’s navigation software.

12/13/2018: On privacy, Google CEO’s congressional hearing comes up short, The Parallax

I wrote about several security and privacy questions that should have been asked during Pichai’s grilling but never came up. The single worst omission: Not a single representative even mentioned the name of a non-Google search engine.

12/14/2018: Primer: How to lock your online accounts with a security key, The Parallax

I’ve had the idea of an explainer about “U2F” security keys on my to-do list for a while. In the time it took for me to sell the piece, Microsoft and Apple finally began moving to support this particularly secure two-step verification option.

12/16/2018: Post-Dispatch, Tribune haven’t caught up with EU rules, Gateway Journalism Review

My former Washington Post colleague Jackie Spinner wrote about how the sites of some U.S. newspapers continue to block European readers instead of complying with the European Union’s General Data Protection Regulation. She gave me a chance to critique this self-defeating practice–I’d earlier griped about it in a Facebook comments thread with her–and I was happy to give her a few quotes.


This is the worst interface I’ve ever seen

Our water heater broke sometime Monday, and we found out the analog way: Only cold water came out of the tap.

A visit to the basement revealed that the heater had already been reporting a problem in the least intuitive way possible. A single green LED on an assembly near its base was blinking out a pattern–eight flashes in a row, followed by a pause of a few seconds and then two more flashes.

That sequence, a small sticker explained, was the heater’s way of saying “Temperature sensor fault detected.” This same sticker listed 17 other sequences of flashes and pauses that could report anything from “No faults” to “Flammable vapor sensor fault detected.”

(The temperature sensor had indeed gone bad, although it took multiple visits by techs to confirm that and then return with a working replacement. This has left me with a renewed appreciation for household modern conveniences.)

That’s an awful user interface. It’s also what happens when you supply a single, single-color LED to display the status of a fairly complex home appliance. Bradford White, the manufacturer, could have put in a light that changed color–seeing a once-green indicator turn to red is usually your tip that something’s changed for the worse–or put in two or more LEDs.

Or that firm could have splurged on a digital readout capable of showing numeric error codes, bringing the discoverability of this interface up to that of the “DSKY” control of the Apollo Guidance Computer that NASA astronauts sometimes struggled to decipher on their way to the Moon.

Instead, sticking with that sole green LED and offloading the work of discovering its Morse-code-esque interface to customers may have saved Bradford White a dime per heater. On the upside, I’m now pretty sure I’ve seen the worst possible UI. I mean, not even Lotus Notes got this bad.

Weekly output: DriveSavers vs. locked smartphones

Yes, I got your CES PR pitch. If it’s of interest, I’ll reply sometime this week… but I reserve the right to redefine “this week” in my favor.

12/6/2018: For $3,900, DriveSavers says it can open locked smartphones, The Parallax

My one post to get published this week (as opposed to three others filed and now in various stages of editing) tried to unpack the puzzling claim by the data-recovery firm DriveSavers that its Password Lockout Data Recovery service could unlock any Android or iOS phone to allow a rescue of the data on the device. The experts I talked to had no solid idea what DriveSavers was talking about–not that the firm’s vague descriptions gave them much to work with–but they did share some theories of how DriveSavers might go about this task.

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

Weekly output: Apple Tax on storage, CrowdStrike CEO, Facebook Pages, Rod Rosenstein on security and encryption

This year is officially in the home stretch, but some of this week’s work almost certainly won’t show up in my bank account until 2019. Remembering your clients’ varying payment schedules is essential to keeping some level of freelance accounting sanity.

11/28/2018: New MacBook Air and Mac mini show the Apple Tax on storage lives on, USA Today

As I’d pledged a few weeks ago, I returned to the subject of Apple’s belated updates to the Mac mini and MacBook Air to take a whack at these computers’ stingy entry-level storage allocations and the steep price to upgrade their solid-state drives. Note the correction on this column: I saw that Apple only offered a 256-gigabyte SSD on the entry-level iMac but stupidly neglected to check the storage options on other configurations.

11/29/2018: CrowdStrike CEO on political infosec lessons learned (Q&A), The Parallax

I talked to CrowdStrike chief executive George Kurtz at Web Summit and transcribed my interview on the flight home. Then this writeup–one not pegged to any breaking news–took a little longer to run.

11/30/2018: Facebook still hasn’t fixed this loophole for fake accounts, Yahoo Finance

This post started with some Thanksgiving tech support that revealed some highly sketchy pages in a relative’s News Feed, and then my inquiries with Facebook led the social network to nuke two pages with a combined 3.4 million Likes. Today, a reader pointed me to several other pages apparently run by the same people behind those two removed pages, so you probably haven’t read my last thoughts on this issue.

11/30/2018: Deputy AG Rosenstein calls on Big Tech to protect users, Yahoo Finance

Deputy U.S. attorney general Rod Rosenstein brought two messages to Georgetown Law’s Cybercrime 2020 symposium–and they contradicted each other to a fair extent.

Should I be on Patreon?

I’m not a millennial and I don’t have any tattoos or piercings, so I would appear to be wildly ineligible for Patreon.

Yet I’m still curious about using that crowdfunding site to give people a chance to underwrite my work if they feel so inspired. I can’t tell if that is me being entrepreneurial or vain, so I’m writing this post to try to untangle my thoughts.

I first encountered Patreon when founder Jack Conte gave an exuberant presentation on the site’s backstory at 2013’s XOXO conference. (His talk rambles a bit–which is fine if you enjoy dancing robots–but overall merits 24 minutes of your time.) I decided that letting fans pledge as little as a dollar or two a month to indie creatives was a smart response to declining ad rates and the overall horribleness of the content industry. And then I thought little more about that concept until I started seeing more people and sites I know pop up on Patreon.

You can sum up the Patreon proposition as “Kickstarter over time.” Instead of asking for support for a particular project, creators invite fans to kick in a defined sum each month to support their ongoing efforts–and can also offer extra rewards for contributions above a certain level.

For example, my friend Glenn Fleishman’s typographic-centric pitch includes exclusive or early access to his articles, science-minded podcaster Rose Eveleth offers a patrons-only newsletter, and the Arlington news site ARLNow.com touts a private Facebook group for more-generous contributors.

After conversations with a few Patreon fans at XOXO this September, I e-mailed Glenn to ask how that was working for him.

His two bits of advice: Find something you can provide to Patreon contributors that they couldn’t get elsewhere, and show what their support lets you do that you couldn’t accomplish otherwise.

I think I have a good answer for that first item: my time. As most people who have e-mailed me can attest, getting my attention when I’m constantly changing channels between stories and clients is… problematic. If I could offer something like a private Slack group or some other closed forum, I’d like to think that would appeal to people who miss the Web chats I did at the Post. (I miss them too.)

The second thing, though, is harder to answer. I think I do a decent job of selling enough stories from each out-of-town event to cover my travel costs… although conferences like the Online News Association’s annual gathering routinely defy my attempts to monetize them. Would that be enough of a what-you-helped-me-do story?

My other concerns: I wouldn’t have enough time to tend a Patreon page (note that I’m typing this near 10 p.m. on a Saturday); nobody would support it; worst of all, nobody would support it, and outsiders would then point and laugh.

At the same time, I like the idea of generating another stream of income, even if it only underwrites one trip a year. Getting acquainted with the inside of a crowdfunding platform seems like an overdue to-do item for me. And the last few months have made me increasingly uneasy about relying on my Facebook page for occupational banter with readers.

Having spent this much time musing about crowdfunding, I might as well crowdsource part of this decision. Please take the poll below, and if you have suggestions for what you’d want me to do at Patreon or another crowdfunding platform, please share them in the comments.

 

Weekly output: Facebook maintenance as Thanksgiving tech support

Once again, time put into helping family members with their gadgetry over this holiday weekend has yielded a pretty good idea for a post–or so I hope my editors will think. 

11/21/2018: Thanksgiving tech to-do: Start a Facebook diet with all the trimmings, USA Today

You can think of this column as a sequel to a post I wrote for Yahoo Finance in August. This time around, I didn’t get so far into the weeds about adjusting Facebook notification settings–having to confine your work to 500+ words instead of as much as a thousand will do that–and used some of the space conserved to explain two newer smartphone features to regulate your time on the social network. A third option may now be available in your iOS or Android Facebook app: “Your Time on Facebook” tracking of the minutes and hours you while away on Facebook.