AirDrop apologists have some opinions

Who knew suggesting that an Apple interface enabled undesirable outcomes and ought to be changed would be so controversial? Me–I’ve been critiquing Apple’s products since before the company was doooomed in 1996.

But even so, the level of enraged techsplaining that greeted last weekend’s Yahoo post about AirDrop file-sharing has been something else. To recap that briefly: While AirDrop’s default contacts-only setting is safe, accepting a file transfer from somebody not in your contacts requires setting it to “Everyone”–a setting that does not time out but does automatically display a preview of the incoming image. The predictable result: creeps spamming strangers who had set AirDrop to Everyone and then forgot to change it back, and by “spamming” I mean “sending dick pics from iPhones with anonymous names.”

AirDrop settings screen on an iPhone.(For more details, see my Aug. 2017 USA Today column or this Dec. 4 post from the security firm Sophos.)

Suggesting that Apple have the Everyone setting time out or not auto-preview images did not go over well the people–most apparently men–who filled the replies to my tweet Sunday sharing the post. Let me sum up the major points these individuals vainly attempted to make, as seen in quotes from their tweets:

“It’s contacts only by default.” Yes, and if nobody ever interacted with people who weren’t in their contacts and offered to use this handy feature to share in a file, you would have a point. As is, this request comes up all the time–my wife saw it from Apple Store employees–as I explained in the post that these techbros apparently did not finish reading.

“Still trying to make a big deal of something I’ve never experienced.” Thank you, sir, for proving my exact point about the problems of having development teams dominated by white men. As writing about “Gamergate” made obvious, things are often different for the rest of humanity, and “I don’t have this problem” is not a valid defense of a social feature without confirmation from people outside your demographic background. Sorry if asking you to acknowledge your privilege is so triggering, by which I mean I’m not sorry.

“At some point, you have to take some goddamn responsibility.” Ah yes, the old blame-the-customer instinct. I hope the multiple people who expressed some version of “why are you coddling people too dumb to turn Everything off” don’t and never will work in any customer-facing role.

“you don’t have to accept every airdrop item that comes in.” What part of “automatically display a preview” don’t you understand?

“What I don’t understand is why these creeps aren’t reported by the receivers to authorities.” What part of “iPhones with anonymous names” don’t you understand? And before you next resort to victim blaming like this, you should really read up on the relevant history.

“There are far worse UX issues in iOS if that is what you are concerned about.” News flash, whataboutists: I write about problems in the tech industry all the time. Stick around and you’ll see me take a whack at a company besides your sainted Apple.

And that brings me to the annoying subtext beneath all these aggrieved responses: The notion that questioning Apple’s design choice is an unreasonable stretch, so we should look anywhere else for solutions to what even most of my correspondents agreed was a problem. Well, if that’s your attitude, turn in your capitalist card: You’re not a customer, you’re a supplicant. And I don’t have to take your opinion here seriously.

Advertisements

Here’s my Web-services budget

The annual exercise of adding up my business expenses so I can plug those totals into my taxes gave me an excuse to do an extra and overdue round of math: calculating how much I spend a year on various Web services to do my job.

The result turned out to be higher than I thought–even though I left out such non-interactive services as this domain-name registration ($25 for two years) and having it mapped to this blog ($13 a year). But in looking over these costs, I’m also not sure I could do much about them.

Google One

Yes, I pay Google for my e-mail–the work account hosted there overran its 15 gigabytes of free storage a few years ago. I now pay $19.99 a year for 100 GB. That’s a reasonable price, especially compared to the $1.99 monthly rate I was first offered, and that I took too long to drop in favor of the newer, cheaper yearly plan.

Microsoft Office 365

Getting a Windows laptop let me to opting for Microsoft’s cloud-storage service, mainly as a cheap backup and synchronization option. The $69.99 annual cost also lets me put Microsoft Office on one computer, but I’ve been using the free, open-source LibreOffice suite for so long, I have yet to install Office on my HP. Oops.

Evernote Premium

This is my second-longest-running subscription–I’ve been paying for the premium version of my note-taking app since 2015. Over that time, the cost has increased from $45 to $69.99. That’s made me think about dropping this and switching to Microsoft’s OneNote. But even though Microsoft owns LinkedIn, it’s Evernote that not only scans business cards but checks LinkedIn to fill in contact info for each person.

Flickr Pro

I’ve been paying for extra storage at this photo-sharing site since late 2011–back when the free version of Flickr offered a punitively-limited storage quota. This cost, too, has increased from $44.95 for two years to $49.99 a year. But now that Yahoo has sold the site to the photography hub SmugMug, the free tier once again requires serious compromises. And $50 a year doesn’t seem that bad, not when I’m supporting an indie-Web property instead of giving still more time to Facebook or Google.

Private Internet Access

I signed up for this virtual-private-network service two years ago at a discounted rate of $59.95 for two years, courtesy of a deal offered at Techdirt. Absent that discount, I’d pay $69.95, so I will reassess my options when this runs out in a few months. Not paying for a VPN service, however, is not an option; how else am I supposed to keep up on American news when I’m in Europe?

LastPass Premium

I decided to pay for the full-feature version of this password manager last year, and I’m already reconsidering that. Three reasons why: The free version of LastPass remains great, the premium version implements U2F two-step verification in a particularly inflexible way, and the company announced last month that the cost of Premium will increase from $24 a year to $36.

Combined and with multi-year costs annualized, all of these services added up to $258.96 last year. I suspect this total compares favorably to what we spend on news and entertainment subscriptions–but that’s not math I care to do right now.

We finally got an Amazon Echo

More than four years after I first tried out an Amazon Echo, there’s now one in our house. Even by my late-adopter habits, that’s an exceptionally long time for us to pick up on a tech trend.

But waiting so many years did allow us to get an Echo at a good price: $0.00. Late last year, Verizon added a free Echo to its menu of promotions to new and renewing Fios subscribers, and the company (also the parent firm of my client Yahoo Finance) included us in this offer even though we only pay it for Internet access.

(Even weirder, this free Echo came on top of being offered a lower rate for a faster connection. I guess I should see that as belated compensation for us missing out on other new-customer incentives Verizon’s offered since our fiber-optic connection went live nine years ago today.)

We got the code to redeem for a free second-generation Echo a couple of weeks after our speed upgrade went through, I waited a week to cash it in, and our new voice-controlled gadget arrived Friday. I promptly found a spot for this cybernetic cylinder in our kitchen.

So far, I’ve set up our Echo with only a few skills: it can play Pandora Internet radio, read the news from WAMU and can control our Philips Hue lightbulbs. (The Echo’s role as a smart-home hub is the use case that I utterly ignored in the first-look post I wrote for Yahoo Tech.) I’ve already determined that the Alexa app does not make for a great grocery-list manager, so I’m now going to see if Todoist can better handle that role. And I’ve changed one setting from the default: Because we have an eight-year-old at home, purchasing by voice is off.

There’s a lot to learn, but at least I’m no longer quite so illiterate at such a major tech platform. I just hope I can keep up with our kid, who already talks to Alexa far more than my wife and I combined.

2018 in review: security-minded

I spent more time writing about information-security issues in 2018 than in any prior year, which is only fair when I think about the security angles I and many of other people missed in prior years.

Exploring these issues made me realize how fascinating infosec is as a field of study–interface design, business models, human psychology and human villainy all intersect in this area. Plus, there’s real market demand for writing on this topic.

2018 calendarI did much of this writing for Yahoo, but I also picked up a new client that let me get into the weeds on security issues. Well after two friends had separately suggested I start writing for The Parallax–and after an e-mail or two to founder Seth Rosenblatt had gone unanswered–I spotted Seth at the Google I/O press lounge, introduced myself, and came home with a couple of story assignments.

(Lesson re-learned: Sometimes, the biggest ROI from going to conference consists of the business-development conversations you have there.)

Having this extra outlet helped diversify my income, especially during a few months when too many story pitches elsewhere suffered from poor product-market fit. My top priority for 2019 is further diversification: The Parallax is funded by a single sponsor, the Avast security-software firm, which on one hand frees it from the frailty of conventional online advertising but on the other leaves it somewhat brittle.

I’d also like to speak more often at conferences. Despite being half-terrified of public speaking in high school, I’ve become pretty good at what think of as the performance art of journalism. This took me some fun places in 2018, including my overdue introduction to Toronto. (See after the jump for a map of my business travel.)

My focus on online security and privacy extended to my own affairs. In 2018, I made Firefox my default browser and set its default search to DuckDuckGo, cut back on Facebook’s access to my data, and disabled SMS two-step verification on my most important accounts in favor of app or U2F security-key authentication.

At Yahoo, it’s now been more than five years since my first byline there–and with David Pogue’s November departure to return to the New York Times, I’m the last original Yahoo Tech columnist still writing for Yahoo. My streak is even longer at USA Today, where I just hit my seventh anniversary of writing for the site (and sometimes the paper). Permanence of any sort is not a given in freelance journalism, and I appreciate that these two places have not gotten bored with me.

I also appreciate or at least hope that you reading this haven’t gotten bored with me. I’d like to think this short list of my favorite work of 2018 had something to do with that.

Thanks for reading; please keep doing so in 2019.

Continue reading

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.

A different default browser with a different default search

Several weeks ago, I switched my laptop to a setting I’d last maintained in the previous decade: Mozilla Firefox as the default browser.

Firefox took the place of Microsoft’s Edge, which I’d decided to give a shot as part of my reintroduction to Windows before seeing Edge crash too often. In another year, I would have made Google’s Chrome the default instead–but a combination of privacy and security trends led me to return to an old favorite.

Firefox had been my default browser in Windows since February of 2004, when it was an obvious pick over the horrific Internet Explorer 6. But a few years after the 2008 introduction of Chrome, Firefox had stopped keeping up, and I began relying on Chrome in Windows.

I kept Safari as the default on my Macs for its better fit with the operating system–although its memory-hogging habits had me close to also dumping it for Chrome until a recent round of improvements.

Last year, however, Mozilla shipped a faster, more memory-efficient version of Firefox. That browser has since finally caught up with Chrome in supporting “U2F” two-step verification, where you plug in a cryptographically signed USB flash drive to confirm a login. And as I realized when writing a browser-comparison columns for USA Today, Firefox comes close to Safari at protecting your privacy across the Web–especially if you install its Facebook Container extension, which blocks Facebook’s tracking at other sites.

This doesn’t mean I’ve dropped Chrome outright. I almost always keep both browsers open, with much of my Chrome tabs devoted to such Google services as Gmail and Google Docs. (Confession: I only learned while writing this that Google Docs’ offline mode now works in Firefox.) Chrome continues to do some things better than Firefox–for instance, while it doesn’t offer a simplified page-display option like Firefox’s Reader View, it’s been more aggressive at disciplining intrusive ads.

When I set Firefox as the default in Windows, I also switched its default search from Google to the privacy-optimized DuckDuckGo. That’s something I’d done in my iPad’s copy of Safari years ago, then recommended to readers last July in a Yahoo post; it seemed a good time to expand that experiment to a browser I use more often.

Since DuckDuckGo doesn’t match such Google features as the option to limit a search to pages published within a range of dates, I’m still flipping over to Chrome reasonably often for more specialized searches. But even there, I’ve reduced my visibility to Google by setting a sync password to encrypt my browsing history.

All this adds up to considerably less Google in my Web life. I can’t say it’s been bad.

A travel to-do for Android Pie: enable lockdown

The first new feature in Android Pie that I noticed after installing it on my Pixel 12 days ago was its Adaptive Battery feature, which hunts and handcuffs energy-hungry apps (yes, that seems like a feature that shouldn’t have had to wait for a 9.0 release). The first new setting I changed was Pie’s “lockdown” option.

That’s the feature Google left out of the keynote sessions at Google I/O in May and instead saved for the closing minutes of a more technical briefing on the last day of the conference. Lockdown disables your phone’s fingerprint unlock and hides all notifications from the lock screen–a useful option if, as Android security manager Xiaowen Xin said during this presentation, “you need to hand it over for inspection at a security checkpoint.”

Or as avgeek blogger Seth Miller phrased things in a tweet then, it’s Android’s “airport mode.” It’s how you’d want your phone to behave if you must hand it over to somebody you shouldn’t automatically trust.

But lockdown isn’t on by default or all that easy to find. You have to open the Settings app, tap “Security & location,” tap “Lock screen preferences,” and then tap the slider next to “Show lockdown option” so it’s highlighted in blue.

Turning it on isn’t super-obvious either: Wake but don’t unlock your phone by pressing the power button, then hold down the power button again for about a second. You should see a “Lockdown” button on a menu that will pop out of the right side of the screen; tap that, and your fingerprint’s no good to unlock the device.

Now you know. Whenever you get Android Pie on your phone–yes, I realize that could be many months, unless apathetic vendor support prolongs that timeframe to “never”–enable this option. Then please get in the habit of using it.