Weekly output: Facebook’s Supreme Court, Twitter data breach, Russian disinformation campaigns, Facebook data partners (x2)

Looking at my last possible day of Christmas shopping reminds me of one evening in pre-Amazon days when I wrapped up the season’s gift procurement on my walk home along Connecticut Avenue–by ducking into the shops I found interesting. That was not a cheaper time, but in some ways it was a simpler time.

12/18/2018: Facebook wants to give you a way to fight having your posts taken down, Yahoo Finance

I had meant to write this earlier, but breaking news kept interrupting my progress. Fortunately, Facebook kept getting tripped up by new reports of its erratic enforcement of its own rules.

12/18/2018: Twitter country-code data breach, Al Jazeera

I had my first spot on the Arabic-language news station in several weeks to talk about Twitter’s disclosure of a data breach that revealed the country codes of the phone numbers of some users–a data point that could have helped certain foreign intelligence agencies. My spot comes up at about 18 minutes into this clip.

12/18/2018: Russian disinformation campaigns, Al Araby

I had a second appearance on an Arabic-language channel this Tuesday, this time to talk about the two reports commissioned by the Senate Intelligence Committee about Russian disinformation campaigns. I’m on at 35 minutes in.

12/20/2018: Facebook’s data partners, Al Jazeera

I returned to AJ to talk about the New York Times report documenting Facebook’s history of poorly-governed data-sharing deals with other companies; I start to discuss this some 19 minutes into this clip.

12/23/2018: No, Netflix and Spotify weren’t spying on your Facebook Messenger account, Yahoo Finance

I thought of one good angle to put into this post about messaging interoperability while I was on my way to Al Jazeera’s studio Thursday: Facebook’s abandoned, now-largely-forgotten plan to turn its messaging service into an email alternative that you could use from any browser.

Three ways to track freelance income–none of which may be right

My work for this year isn’t done, but my income almost is. One client’s payment arrived today (having that happen less than three weeks after invoicing ranks as a Christmas miracle), another has told me to expect a direct deposit next week, and that’s all the positive cash flow I’m expecting for 2018.

Nearing that taxation-and-accounting finish line has me thinking once again of how I try to keep track of what I’m making throughout the year. I have three different models for this, and each can be wrong in its own way.

What I file in a month: This approach has the advantage of focusing on the one thing I can control the most. But a lot can happen after I file my copy, by which I mean it can go through a prolonged edit that pushes back completion of the work by weeks.

Or by months: An editor’s departure at one site earlier this year left a post collecting dust for several weeks until one of his now-overworked colleagues could tend to it between other tasks.

What I invoice in a month: Sending in the form itemizing your work and requesting payment has a pleasing finality, but not everybody sends the direct deposit or the check on the same timetable. Thirty days is typical, but USA Today and Wirecutter usually beat that number by at least a couple of weeks (having two of America’s largest newspapers turn around a payment that quickly continues to amaze me). Sometimes the same client’s payments arrive on wildly varying schedules for no apparent reason.

Last year, I also had a client reject an invoice because of a glitch with the bank deposit information I’d provided, and because the parent firm of this site picked an invoicing system for its fundamental meanness, I had to start the invoicing process for that story from scratch. Fortunately, I’ve not yet had to send more than a few nagging e-mails to get an invoice paid out, which is not a given in this line of work.

What I get paid in a month: There’s no arguing with the numbers on a bank statement, but this can often be a fake metric because it reflects work done months later. And for every month where a round of overdue payments finally lands and makes me look like a business genius, there’s going to be another where a couple of invoices get processed just late enough to have that money hit my account not on the 29th or the 30th but on the 1st or the 2nd of the following month.

As it happens, it looks like I’ll get a reasonably large deposit from one site early next month. I’ll try not to let that cash flow get to my head… because I really thought I would have seen a chunk of that change by now.

Weekly output: Google hearings (x2), Microsoft wants facial-recognition rules, Google Maps and Lime scooters, U2F security keys, U.S. newspapers vs. the GDPR

My calendar for the coming week looks strange: There isn’t a single work appointment on it. I plan to celebrate that by not shaving tomorrow.

12/10/2018: Congress will grill Google’s CEO this week — here’s what to expect, Yahoo Finance

The House Judiciary Committee–in particular, certain of its Republican members–obliged me by living up so completely to this preview of Google chief executive Sundar Pichai’s Tuesday appearance there.

12/10/2018: Microsoft is asking the government to regulate the company’s facial recognition tech, Yahoo Finance

Microsoft president Brad Smith came to the Brookings Institution last week to make an unusual plea: Please regulate us before we get dragged into a race to the bottom with ethically-unbounded vendors of facial-recognition technology.

12/13/2018: Google Maps will now help you find Lime scooters, Yahoo Finance

I got an advance on this news from one of Lime’s publicists; by itself, this new feature isn’t a huge development, but covering it allowed me to discuss broader failings in both Google and Apple’s navigation software.

12/13/2018: On privacy, Google CEO’s congressional hearing comes up short, The Parallax

I wrote about several security and privacy questions that should have been asked during Pichai’s grilling but never came up. The single worst omission: Not a single representative even mentioned the name of a non-Google search engine.

12/14/2018: Primer: How to lock your online accounts with a security key, The Parallax

I’ve had the idea of an explainer about “U2F” security keys on my to-do list for a while. In the time it took for me to sell the piece, Microsoft and Apple finally began moving to support this particularly secure two-step verification option.

12/16/2018: Post-Dispatch, Tribune haven’t caught up with EU rules, Gateway Journalism Review

My former Washington Post colleague Jackie Spinner wrote about how the sites of some U.S. newspapers continue to block European readers instead of complying with the European Union’s General Data Protection Regulation. She gave me a chance to critique this self-defeating practice–I’d earlier griped about it in a Facebook comments thread with her–and I was happy to give her a few quotes.

This is the worst interface I’ve ever seen

Our water heater broke sometime Monday, and we found out the analog way: Only cold water came out of the tap.

A visit to the basement revealed that the heater had already been reporting a problem in the least intuitive way possible. A single green LED on an assembly near its base was blinking out a pattern–eight flashes in a row, followed by a pause of a few seconds and then two more flashes.

That sequence, a small sticker explained, was the heater’s way of saying “Temperature sensor fault detected.” This same sticker listed 17 other sequences of flashes and pauses that could report anything from “No faults” to “Flammable vapor sensor fault detected.”

(The temperature sensor had indeed gone bad, although it took multiple visits by techs to confirm that and then return with a working replacement. This has left me with a renewed appreciation for household modern conveniences.)

That’s an awful user interface. It’s also what happens when you supply a single, single-color LED to display the status of a fairly complex home appliance. Bradford White, the manufacturer, could have put in a light that changed color–seeing a once-green indicator turn to red is usually your tip that something’s changed for the worse–or put in two or more LEDs.

Or that firm could have splurged on a digital readout capable of showing numeric error codes, bringing the discoverability of this interface up to that of the “DSKY” control of the Apollo Guidance Computer that NASA astronauts sometimes struggled to decipher on their way to the Moon.

Instead, sticking with that sole green LED and offloading the work of discovering its Morse-code-esque interface to customers may have saved Bradford White a dime per heater. On the upside, I’m now pretty sure I’ve seen the worst possible UI. I mean, not even Lotus Notes got this bad.

Weekly output: DriveSavers vs. locked smartphones

Yes, I got your CES PR pitch. If it’s of interest, I’ll reply sometime this week… but I reserve the right to redefine “this week” in my favor.

12/6/2018: For $3,900, DriveSavers says it can open locked smartphones, The Parallax

My one post to get published this week (as opposed to three others filed and now in various stages of editing) tried to unpack the puzzling claim by the data-recovery firm DriveSavers that its Password Lockout Data Recovery service could unlock any Android or iOS phone to allow a rescue of the data on the device. The experts I talked to had no solid idea what DriveSavers was talking about–not that the firm’s vague descriptions gave them much to work with–but they did share some theories of how DriveSavers might go about this task.

LastPass shows how to do two-step verification wrong

I finally signed up for LastPass Premium after years of using the free version of that password-management service. And I’m starting to regret that expense even though $2 a month should amount to a rounding error.

Instead of that minimal outlay, I’m irked by LastPass’s implementation of the feature I had in mind when typing in credit-card digits: support for Yubikey U2F security keys as a form of two-step verification.

Two-step verification, if any reminder is needed, secures your accounts by confirming any unusual login with a one-time code. The easy but brittle way to get a two-step code is to have a service text one to you, which works great unless somebody hijacks your phone number with a SIM swap. Using an app like Google Authenticator takes your wireless carrier’s security out of the equation but requires regenerating these codes each time you reset or switch phones.

Using a security key–Yubikey being one brand, “U2F” an older standard, “WebAuthn” a newer and broader standard–allows two-step verification independent of both your wireless carrier and your current phone.

Paying for LastPass Premium allowed me to use that. But what I didn’t realize upfront is that LastPass treats this as an A-or-B choice: If you don’t have your Yubikey handy, you can’t click or type a button to enter a Google Authenticator code instead as you can with a Google account.

A LastPass tech-support notice doesn’t quite capture the broken state of this user experience:

If multiple Authentication methods are used, only one will activate per login attempt. If you disable one, then another will activate on the next log in attempt. Because only one activates at a time, you cannot have multiple prompts during the same log in.

The reality you see if you happened to leave your Yubikey at home or just have your phone closer at hand: an “I’ve lost my YubiKey device” link you’re supposed to click to remove that security option from your account.

This absolutist approach to two-step verification is not helpful. But it’s also something I should have looked up myself before throwing $24 at this service.
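
The difference between the two policies described above, as an added example that is not LastPass’s or Google’s code: one login check that prompts only for the first enrolled method, and one that accepts any enrolled method. The authenticator-app code is real RFC 6238 TOTP; `second_step`, `check_key` and the sample account are hypothetical, and the security key is modelled with an HMAC stand-in.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code (HMAC-SHA1), the scheme Google Authenticator implements."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_totp(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """Accept the current 30-second step plus/minus drift_steps for clock skew."""
    return any(hmac.compare_digest(totp(secret, max(now + d * 30, 0)), code)
               for d in range(-drift_steps, drift_steps + 1))

def check_key(key_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Stand-in for a security key (assumption): HMAC over the server's challenge.
    Real U2F/WebAuthn keys sign the challenge with a per-site private key."""
    expected = hmac.new(key_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def second_step(account: dict, offered: dict, now: int, allow_fallback: bool) -> bool:
    """account['methods'] is in priority order; offered maps method -> response.
    allow_fallback=False models 'only one will activate per login attempt'."""
    checks = {
        "key": lambda r: check_key(account["key_secret"], account["challenge"], r),
        "totp": lambda r: check_totp(account["totp_secret"], r, now),
    }
    methods = account["methods"] if allow_fallback else account["methods"][:1]
    return any(m in offered and checks[m](offered[m]) for m in methods)

# Constructed sample account: security key enrolled first, authenticator app second.
ACCOUNT = {
    "methods": ["key", "totp"],
    "key_secret": b"constructed-key-secret",
    "challenge": b"constructed-login-challenge",
    "totp_secret": b"12345678901234567890",      # RFC 6238 test secret
}
NOW = 59                                         # RFC 6238 test time
# The key was left at home: the user can only offer an authenticator-app code.
PHONE_ONLY = {"totp": totp(ACCOUNT["totp_secret"], NOW)}

if __name__ == "__main__":
    print("single-method policy:", second_step(ACCOUNT, PHONE_ONLY, NOW, False))
    print("fallback policy:     ", second_step(ACCOUNT, PHONE_ONLY, NOW, True))
```

With the key absent, the single-method policy rejects a valid authenticator code, which is the lockout that pushes users toward the “I’ve lost my YubiKey device” link.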

Weekly output: Apple Tax on storage, CrowdStrike CEO, Facebook Pages, Rod Rosenstein on security and encryption

This year is officially in the home stretch, but some of this week’s work almost certainly won’t show up in my bank account until 2019. Remembering your clients’ varying payment schedules is essential to keeping some level of freelance accounting sanity.

11/28/2018: New MacBook Air and Mac mini show the Apple Tax on storage lives on, USA Today

As I’d pledged a few weeks ago, I returned to the subject of Apple’s belated updates to the Mac mini and MacBook Air to take a whack at these computers’ stingy entry-level storage allocations and the steep price to upgrade their solid-state drives. Note the correction on this column: I saw that Apple only offered a 256-gigabyte SSD on the entry-level iMac but stupidly neglected to check the storage options on other configurations.

11/29/2018: CrowdStrike CEO on political infosec lessons learned (Q&A), The Parallax

I talked to CrowdStrike chief executive George Kurtz at Web Summit and transcribed my interview on the flight home. Then this writeup–one not pegged to any breaking news–took a little longer to run.

11/30/2018: Facebook still hasn’t fixed this loophole for fake accounts, Yahoo Finance

This post started with some Thanksgiving tech support that revealed some highly sketchy pages in a relative’s News Feed, and then my inquiries with Facebook led the social network to nuke two pages with a combined 3.4 million Likes. Today, a reader pointed me to several other pages apparently run by the same people behind those two removed pages, so you probably haven’t read my last thoughts on this issue.

11/30/2018: Deputy AG Rosenstein calls on Big Tech to protect users, Yahoo Finance

Deputy U.S. attorney general Rod Rosenstein brought two messages to Georgetown Law’s Cybercrime 2020 symposium–and they contradicted each other to a fair degree.