Pixel Envy

Written by Nick Heer.

Dust and Tedium

Casey Johnston, the Outline:

I was in the Grand Central Station Apple Store for a third time in a year, watching a progress bar slowly creep across my computer’s black screen as my Genius multi-tasked helping another customer with her iPad. My computer was getting its third diagnostic test in 45 minutes. The problem was not that its logic board was failing, that its battery was dying, or that its camera didn’t respond. There were no mysteriously faulty inner workings. It was the spacebar. It was broken. And not even physically broken — it still moved and acted normally. But every time I pressed it once, it spaced twice.

“Maybe it’s a piece of dust,” the Genius had offered. The previous times I’d been to the Apple Store for the same computer with the same problem — a misbehaving keyboard — Geniuses had said to me these exact same nonchalant words, and I had been stunned into silence, the first time because it seemed so improbable to blame such a core problem on such a small thing, and the second time because I couldn’t believe the first time I was hearing this line that it was not a fluke. But this time, the third time, I was ready. “Hold on,” I said. “If a single piece of dust lays the whole computer out, don’t you think that’s kind of a problem?”

Johnston’s keyboard isn’t an outlier: various people and organizations she spoke with have indicated that dust under the keys — in particular, under the spacebar — is a common affliction of the latest generation of Apple laptop keyboards. Apple provides instructions on how to remove dust, but they are ridiculous: you must hold your laptop in one hand at a recommended 75° angle and spray the keyboard with compressed air while rotating your computer in midair.

I do not baby my electronics, but I want them to last. These instructions seem like a fantastic way to shatter the display or destroy the case.

Stephen Hackett kept running into this problem, too, with his months-old MacBook Pro, and he followed Apple’s steps to clean it:

After a couple days of light usage, the problem got worse.

The bottom lip of the key began to flip up a little bit as the key tried sprinting back up after being depressed. Light was leaking around it, and eventually this happened:

One of the tiny arms that the key cap clips onto is broken. My nearly $2,000 laptop that I bought less than a year ago is now missing a key, as I shared with our Connected audience this weekend.

This is, frankly, inexcusable. I was already hesitating on upgrading from my five-year-old MacBook Air because this generation of MacBook Pros still seems like a work-in-progress; now, I will absolutely be waiting another generation to see if this problem gets fixed.

By the way, I know there will be some people suggesting that plenty of generations of Apple products have had their teething issues. I don’t deny that; the MacBook Pro was recalled for graphics issues, the first-generation iPod Nano scratched like crazy and the battery could overheat, and the unibody plastic MacBook’s bottom case peeled off.

But input devices should always — and I mean always — work, in hardware and in software. If a speck of dust affects the functionality of the most-used key because of an attribute inherent to the design of the keyboard, that’s a poor choice of keyboard design, especially for a portable computer.

On a related note, there’s an existing bug in recent versions of MacOS where key and cursor inputs are sometimes delayed. I notice the keyboard bug especially frequently in Messages when I haven’t switched to it for a while, and I experience delayed trackpad input often in Safari and in Photos. But it seems to persist throughout the system, and it is infuriating. I’m glad that apps on my Mac crash less frequently, but I would genuinely rather have Safari crash as often as it used to than keep seeing problems with input mechanisms. I can choose a different web browser; I can’t choose a different way for MacOS to process my keystrokes.

Problems like these should not escape Cupertino.

Sketchy Mattress Review Websites

David Zax, in a must-read article for Fast Company, describes the litigation initiated by Casper against several mattress review websites:

On April 29, 2016, Casper filed lawsuits against the owners of Mattress Nerd, Sleep Sherpa, and Sleepopolis (that is, Derek), alleging false advertising and deceptive practices.

Mattress Nerd and Sleep Sherpa quickly settled their cases, and suddenly their negative Casper reviews disappeared from their sites, in what many onlookers speculated was a condition of the settlements. But by the end of 2016, when I started closely studying the lawsuits, Derek’s Casper review remained, defiantly, up on Sleepopolis. He was soldiering on in his legal battle with the mattress giant. People who knew him called Derek a fighter; one of his nicknames was “Halestorm.”

Casper had another way of referring to him. Derek was “part of a surreptitious economy of affiliate scam operators who have become the online versions of the same commission-hungry mattress salesmen that online mattress shoppers have sought to avoid,” Casper’s lawsuit alleged. The company complained that Derek was not forthright enough about his affiliate relationships, noting his disclosures were buried in a remote corner of his site. This did violate recently issued FTC guidelines, and Derek updated his site to comply.

This is a deeply disturbing piece. Derek Hales, the founder of Sleepopolis, was doing some shady things that seemed to be driven by the value of affiliate links more than his honest opinion of the mattresses. But Casper’s practices are even more suspect, beginning with this correspondence between CEO Phillip Krim and Jack Mitcham of Mattress Nerd:

In January 2015, Krim wrote Mitcham that while he supported objective reviews, “it pains us to see you (or anyone) recommend a competitor over us.”

Krim went on: “As you know, we are much bigger than our newly formed competitors. I am confident we can offer you a much bigger commercial relationship because of that. How would you ideally want to structure the affiliate relationship? And also, what can we do to help to grow your business?”

Krim then upped his offer, promising to boost Mitcham’s payouts from $50 to $60 per sale, and offering his readers a $40 coupon. “I think that will move sales a little more in your direction,” replied Mitcham on March 25, 2015. In the months that followed, Mattress Nerd would become one of Casper’s leading reviews site partners. (The emails surfaced due to another mattress lawsuit, GhostBed v. Krim; if similar correspondence exists with Derek Hales, it has not become public.)

It certainly sounds like Krim was, behind the scenes, financially incentivizing reviewers to push the Casper mattress. You’ll want to read Zax’s full article for the kicker to the Sleepopolis saga. It’s atrocious.

Major Security Vulnerabilities Now Have Marketing Campaigns

Shannon Vavra, Axios:

There’s a four-way handshake that establishes a key for securing traffic, but the third step allows the key to be resent multiple times, which allows encryption to be undermined, according to a researcher briefed on the vulnerability. The researchers, the United States Computer Emergency Readiness Team and KU Leuven, report this breach, called KRACK (Key Reinstallation Attacks) could allow connection hijacking and malicious code injection.

Mathy Vanhoef discovered the vulnerability, which comprises ten CVEs. And, yeah, it’s a big problem, but we’re not all completely screwed. Alex Hudson explains:

Remember, there is a limited amount of physical security already on offer by WiFi: an attack needs to be in proximity. So, you’re not suddenly vulnerable to everyone on the internet. It’s very weak protection, but this is important when reviewing your threat level.

Additionally, it’s likely that you don’t have too many protocols relying on WPA2 security. Every time you access an https site – like this one – your browser is negotiating a separate layer of encryption. Accessing secure websites over WiFi is still totally safe. Hopefully – but there is no guarantee – you don’t have much information going over your network that requires the encryption WPA2 provides.

Juli Clover, MacRumors:

Apple’s iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what’s supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there’s still a partial vulnerability.

Apple’s latest round of betas, released to developers today, include a patch.

Here’s the thing about this: it’s clearly a bad bug, but it is generally fixable, and the fear is — at least to some extent — driven by the researcher’s PR campaign around it. Much like Heartbleed, KRACK has a cool name and a logo.

But compare the immediate groundswell of attention around Heartbleed and KRACK against, say, a critical flaw in a widely used RSA key-generation library, also announced today. Dan Goodin, Ars Technica:

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

This bug isn’t receiving anywhere near the same attention as KRACK, despite the flawed library having been used to generate some — not all — keys for PGP and GitHub, and potentially all keys for Microsoft BitLocker and the identity cards of Estonia and Slovakia.

I get why security researchers are dialling up the campaigns behind major vulnerabilities. CVE numbers aren’t interesting or explanatory, and the explanations attached to them are esoteric and precise, but not very helpful for less-technical readers. A catchy name gives a vulnerability — or, in this case, a set of vulnerabilities — an identity, helps educate consumers about the risks of running unpatched software, and gives researchers an opportunity to take public credit for their work. But I think the histrionics that increasingly come with these vulnerabilities somewhat cheapen their effect, and potentially allow other very serious exploits to escape public attention.

Twitter’s Abuse Problem Comes Down to a Failure of Leadership and a Reliance on Algorithms

Natasha Lomas, TechCrunch:

Twitter has clearly not fixed the problem of abuse on its platform — and very clearly also continues to fail to fix the problem of abuse on its platform.

Leaning on algorithms to do this vital work appears to be a large part of this failure.

But not listening to the users who are being abused is an even greater — and more telling — lapse of leadership.

There’s an enormous disconnect between what tech companies feel compelled to restrict and what users feel is worth restricting. The New York Times illustrates this today with an interactive feature about what Facebook considers hate speech worthy of removal. The second phrase — “Poor black people should still sit at the back of the bus.” — would likely not be considered hate speech on its own by Facebook’s standards:

While Facebook’s training document lists any call for segregation as an unacceptable attack, subsets of protected groups do not receive the same protection, according to the document. While race is a protected category, social class is not, so attacks targeting “poor black people” would not seem to qualify as hate speech under those rules, Ms. Citron said. That is because including social class in the attack negates the protection granted based on race.

As of right now, 93% of over 60,000 Times readers think that statement constitutes hate speech, and I think most reasonable people would agree on that: the historical connotations of forcing black people to sit at the back of a bus far overwhelm the income status of the subject. Surely there’s enough context within that single phrase to establish that it’s driven by race, right?

But this is the thing: tech companies are generally run by people who are not subjected to abuse or targeted hate speech on their platforms. It would be prudent of them to take seriously the concerns raised by affected users. But this is also another reason why executive teams need to comprise more diverse perspectives because, as far more eloquent writers have pointed out, not doing so creates a huge blind spot.

Tech companies need to mature to a point where they recognize the responsibility they have to the billions of people on this planet, because that’s the scale they operate at now.

A Decade of Airlines Ignoring Hyphenated Names

John Scott-Railton:

United Airlines keeps changing my hyphenated last name, costing me up to hours of trouble when I travel. When an airline like United changes travelers’ names, all parts of a trip can be affected. I am not alone in this: hyphenated users have complained about this for a decade. There are tens of thousands of hits on Google for this problem.

By deleting hyphens, United Airlines creates a Passenger Name Record mismatch, which torpedoes smooth air travel. Here are some common problems for people with hyphens who fly on United, I have encountered all of them: Online check-ins don’t work, forcing travelers to arrive early at the airport to get a paper boarding pass, or miss their flights. Customs flags travelers arriving in the US for extra scrutiny, resulting in long waits. TSA may send travelers back to airline counters.

United has publicly shrugged about this for over a decade. Noted security expert Bruce Schneier even blogged about the issue of hyphenations nine years ago. @united can be found on twitter advising passengers to simply delete their hyphens, which is bad advice and may result in a records mismatch, and delays. In 2017 the problem is still not fixed. Is United Airlines incapable of such a simple change?

Scott-Railton published this back in June, and Freia Lobo of Mashable noted at the time that this issue isn’t isolated to United Airlines: Delta’s ticketing system has the same problem.

But I’m linking to it today because Delta recently updated their app to remove the check-in process and issue boarding passes automatically. That’s terrific. Unfortunately, there’s no indication that Delta or any other airline has addressed the issue with hyphenated names — I found tweets from as recently as August with the same issue, and complaints about similar character validation problems from September.

These kinds of problems are almost certainly due to legacy or outdated equipment. There’s probably some key part of these airlines’ ticketing infrastructure that will simply never accept anything other than A–Z characters — at least, not without replacing it. But with the huge number of people out there who do have hyphens, apostrophes, or diacritical marks in their names, surely a modernization of their character palette should be a higher priority.

At the very least, this shouldn’t be a passenger problem a decade after Schneier pointed it out. If a name needs to have characters dropped for compatibility reasons, it shouldn’t trigger a security warning or require additional scrutiny for passengers.

Google Disables Touch Functionality on Home Mini After a Reviewer’s Device Recorded Ambient Audio Constantly

Artem Russakovskii, Android Police:

Several days passed without me noticing anything wrong. In the meantime, as it turns out, the Mini was behaving very differently from all the other Homes and Echos in my home – it was waking up thousands of times a day, recording, then sending those recordings to Google. All of this was done quietly, with only the four lights on the unit I wasn’t looking at flashing on and then off.

Further clarifications arrived. The Google Home Mini supports hotword activation through a long press on the touch panel. This method allows people to activate the Google Assistant without saying the hotword. On a very small number of Google Home Mini devices, Google is seeing the touch panel register “phantom” touch events.

In response, the updated software disables the long press to activate the Google Assistant feature. Once the Google Home Mini devices receive the updated software, all long press events (real or phantom) will be ignored and Google Assistant will not be invoked accidentally.

I’m not paranoid, but it’s events like these that shake my confidence in the security of ambient audio-based assistant devices. Google’s a big company, and something like this really should have been caught far earlier; bugs like these — and, for what it’s worth, the malfunctioning LTE bug that affected the Apple Watch — suggest that far more thorough quality assurance processes are necessary.

Aaron Mamiit, Tech Times:

While it would certainly have been much better if the issue never existed in the first place, the speed and finality of Google’s response to the controversy certainly deserve praise from the technology industry and its customers.

Why, exactly, should we praise Google for this? A fast reaction is the bare minimum response anyone should expect for a device that’s unintentionally always recording and uploading audio in the background. I don’t see anything particularly praiseworthy about not including a bug that enables such an egregious privacy violation on a shipping device.

Denise Young Smith at the One Young World Summit

Aamna Mohdin, Quartz:

Apple, like many other tech titans such as Google and Microsoft, is trying to take key steps in addressing the problem of having a lack of diversity, which has been highlighted by investors. But it does look like the company is making progress. Apple’s latest statistics show that a majority of new hires in the US are from ethnic minorities, although white employees still account for 56% of the overall current workforce.

When asked whether she would be focusing on any group of people, such as black women, in her efforts to create a more inclusive and diverse Apple, [VP of Diversity Denise Young Smith] says, “I focus on everyone.” She added: “Diversity is the human experience. I get a little bit frustrated when diversity or the term diversity is tagged to the people of color, or the women, or the LGBT.” Her answer was met with a round of applause at the session.

Young Smith went on to add that “there can be 12 white, blue-eyed, blonde men in a room and they’re going to be diverse too because they’re going to bring a different life experience and life perspective to the conversation.” The issue, Young Smith explains, “is representation and mix.” She is keen to work to bring all voices into the room that “can contribute to the outcome of any situation.”

I get where Young Smith is coming from here — that diversity is more than a single-item checkbox question. Nobody should feel like the token person on a team, only there to meet a diversity quota; everyone should feel valued. I recently attended a discussion panel concerning equity in the arts in Calgary, and a similar point was made there as well.

But it is unfair and disingenuous to make this argument without also acknowledging that the tech industry is dominated by individuals within a very narrow spectrum of diversity — typically white, typically male, and typically wealthy or from wealthier backgrounds. This tendency is more pronounced the higher up one looks at a company’s corporate ladder. Of course, these stereotypes are not fully representative — and, even if they are, those individuals may have different life experiences; that’s what Young Smith is getting at — but it’s hard to see the framing of twelve white men as a “diverse” group as anything other than a cop-out after Apple’s investors once again voted against a diversity proposal earlier this year.

Omar Ismail on Quora, responding to a user’s question about whether they’re privileged simply because they are white:

It doesn’t mean you’re rich. It doesn’t mean you’re luckier than a lucky black guy. Nobody wants you to be crippled with guilt. Nobody has ever wanted that, or means those things.

It means you have an advantage, and all anyone is asking is that you *get* that. Once you get that, it’s pretty straightforward to all the further implications.

DeRay Mckesson made a similar point in response to Young Smith’s answer at the summit:

You didn’t work hard for every band aid to look like you, for every baby doll to look like you, for the world to treat you as human, and everything as ‘other’ is not the result of your personal hard work — that’s what white privilege is.

Tech companies have a massive responsibility. They may overwhelmingly be based in the United States, but they play a significant role in how the world communicates. Right now, their senior leadership does not look like the world in which they reside. When that changes, we can start really looking at the life experience of twelve white men and how that substantially contributes to the company’s diversity objectives — however, bigger steps are needed before we can get to that point. I think we need to reconsider how people are educated, hired, and promoted. But, as I wrote near the top of this piece, nobody should feel like they’re a “token” person in a team; that can start with companies pursuing truly comprehensive opportunities to make their staff at all levels more like the world they connect.

Update: I worry that companies more lax in their diversity efforts will use this kind of defence as an excuse for hiring just 36 black Americans in a whole year.

Seven Years and One Month Since Microsoft’s Funeral for the iPhone

Peter Bright reports for Ars Technica earlier this week:

During the weekend, Microsoft’s Joe Belfiore tweeted confirmation of something that has been suspected for many months: Microsoft is no longer developing new features or new hardware for Windows Mobile. Existing supported phones will receive bug fixes and security updates, but the platform is essentially now in maintenance mode.

Microsoft already announced last year that they would stop making phones, and I expected this announcement would follow sooner than it actually did. Nevertheless, it’s unsurprising, and made worse by the cringeworthy funeral procession Microsoft held to celebrate shipping Windows Phone 7 — their first try at an iPhone OS competitor — three and a half years after Apple first demonstrated the iPhone.

Vlad Savov writing for Engadget in September 2010:

An elaborate parade, replete with hearses and black capes, was organized last week to denote the passing of the BlackBerry and iPhone into the land of unwanted gadgets. We’d say this is done in poor taste, but we don’t enjoy stating the obvious. We will, however, enjoy the fallout from this poorly judged stunt.

They also danced to Michael Jackson’s “Thriller” at the same parade. To be fair to them, BlackBerry really has all but vanished from everyone’s pockets, but its replacements run iOS and Android, not Windows Mobile.

Uber’s iPhone App Had Screen Recording Capabilities

Kate Conger, Gizmodo:

To improve functionality between Uber’s app and the Apple Watch, Apple allowed Uber to use a powerful tool that could record a user’s iPhone screen, even if Uber’s app was only running in the background, security researchers told Gizmodo. After the researchers discovered the tool, Uber said it is no longer in use and will be removed from the app.

The screen recording capability comes from what’s called an “entitlement” — a bit of code that app developers can use for anything from setting up push notifications to interacting with Apple systems like iCloud or Apple Pay. This particular entitlement, however, was intended to improve memory management for the Apple Watch. The entitlement isn’t common and would require Apple’s explicit permission to use, the researchers explained. Will Strafach, a security researcher and CEO of Sudo Security Group, said he couldn’t find any other apps with the entitlement live on the App Store.

The Gizmodo story acknowledges later that this entitlement could have been sandboxed to function only within Uber’s app — though Apple wouldn’t say one way or another — and Uber said that it was only live for a single version of the app to make the Apple Watch app run more smoothly. Even so, given Uber’s outrageous history of violations of privacy and basic decency, it seems quite risky to me for Apple to have granted Uber’s app this entitlement. I’m sure precautions were taken, but I cannot imagine any other developer having this kind of influence, particularly an indie developer or one with such a poor track record.

App Review Should Screen Apps for Discrepancies In Device Requirements

I’ve been on vacation for the past few days and I was curious about what was stored on my hotel room keycard. So I downloaded one of those NFC-reading apps, opened it, and was surprised to see a message indicating that my device was incompatible. I re-checked the listing in the App Store and it said that my iPhone was compatible, but I then remembered that my 6S does not support the new NFC-reading API in iOS 11.

I looked at a few other NFC-reading apps in the store and they all indicate that my phone is compatible, even though I know it isn’t. It turns out that there is a way for a developer to indicate when the new API is a requirement — it’s just that many developers don’t use it.

I think App Review ought to do a better job of screening apps for discrepancies between what apps say they do and what requirements they need. Dedicated NFC-reading apps that don’t correctly indicate which devices are compatible ought to be rejected, as should apps with similar inconsistencies.
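The mechanism alluded to above is the UIRequiredDeviceCapabilities key in an app’s Info.plist; the App Store uses it to decide which devices a listing is marked compatible with. This is an added illustration, not a snippet from any of the apps mentioned, and the bundle identifier is a placeholder:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Placeholder identifier for a hypothetical NFC tag-reading app. -->
    <key>CFBundleIdentifier</key>
    <string>com.example.nfc-reader</string>

    <!-- Declaring "nfc" here tells the App Store to list the app as
         compatible only with devices that support the Core NFC
         tag-reading capability (iOS 11), so a device that lacks it is
         shown as incompatible instead of being allowed to install an
         app that cannot work. Omitting this key is what produces the
         mismatch described above. -->
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>nfc</string>
    </array>
</dict>
</plist>
```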

Boy, Do I Feel Naïve

Laura Wagner of Deadspin reacts to Joseph Bernstein’s blockbuster story for Buzzfeed on how Breitbart cultivated a destination for white supremacists, misogynists, and other scum:

Is there a word for when you feel embarrassed about your naïveté? Because I feel dumb as hell. I assumed that when [Olivia Nuzzi] and her down-the-middle cohorts wrote things like this glowing profile of Mike Cernovich in New York magazine, they went home and immediately took a hot shower to wash off the stink. I didn’t realize they were just writing about their friends.

A very charitable part of me wants to believe that none of the writers now shown to be quite cozy with Steve Bannon and his ilk were aware of the impact of being associated with Breitbart’s brand of conspiracy-tinged journamalism. But I still don’t understand why anyone would want to be associated with them in any way, particularly after the outright discriminatory, racist, sexist, and irrationally caustic articles they’re well-known for.

Apple Releases High Sierra Security Update

This update includes fixes for the encrypted disk password-as-hint bug as well as the keychain exfiltration bug that was revealed last week.

Unfortunately, Apple recommends that those affected by the encrypted disk bug install this security update, then format and restore their drive. This applies mostly to those who think that there’s a chance that their disk password may have been exposed — I don’t set password hints, so this bug didn’t affect me. But if you’re one of the unlucky ones who are affected, you know how you’ll be spending your weekend.

I still want to know how a bug like the latter bypassed quality control checks and a multi-month developer beta, though. It’s not confidence-inspiring.

MacOS High Sierra Vulnerability Exposes Passwords of Encrypted APFS Containers

Matheus Mariano:

This week, Apple released the new macOS High Sierra with the new file system called APFS (Apple File System). It wasn’t long before I encountered issues with this update. Not a simple issue, but a potential vulnerability.

The vulnerability? Under certain not-so-uncommon conditions, a drive or container formatted as APFS can show the actual password as the hint.

Via Michael Tsai:

The bug was easy to reproduce on my Mac. Plugging the drive into another Mac also shows the password as the hint. So I’m guessing it’s not actually an APFS flaw but rather that Disk Utility is passing the wrong variable as the hint parameter.

That seems to be the case. Felix Schwarz:

Creating a volume via diskutil, the hint, not the pw, is shown. Looks like the root cause is Disk Utility storing the password as hint.

So, from the looks of it, if you haven’t specified a password hint, or if you haven’t used Disk Utility, you’re probably safe.

Disk Utility was made extraordinarily buggy in a rewrite two years ago and we’re still feeling the effects of that decision. That’s a big problem for an app as consequential as Disk Utility.

Update: Apple told Rene Ritchie that they’re rolling out a fix for this today. That’s a fast response, but this is a bug that should have been caught far sooner. Why wasn’t it?

The Verge’s Preview of Google’s New Pixel 2 Phones

Dieter Bohn of the Verge got an early look at Google’s new Pixel 2 and Pixel 2 XL phones, officially announced today:

The speakers on both phones got plenty loud without too much distortion. I’m sure it was a priority to get those speakers in there, but I’m also sure I would rather have smaller bezels. The overall audio story on Pixel 2 is a big deal: it does away with the headphone jack, but it also supports a bunch of new audio codecs over Bluetooth 5. I can also tell you that the Pixel 2 is a thousand percent better at recognizing when I say “OK Google” than last year’s phone.

That’s the sole mention of the headphone port in Bohn’s preview. That’s weird, because less than a year ago, Bohn agreed with Nilay Patel’s sentiment that removing the headphone port was “user-hostile”. Even two months ago, Bohn was “going to continue to be a curmudgeon about” the removal of the 3.5mm headphone port on today’s smartphones.

By the way, both Google and Apple include 3.5mm adaptors in the box. If you want to buy an extra one, Apple will charge you $9 for their Lightning-to-3.5mm adaptor, but Google will charge a whopping $20 for a USB-C-to-3.5mm adaptor. Just throwing that out there.

Bohn again:

That’s not to say there aren’t impressive design elements to point out. There are no visible antenna lines anywhere on the XL’s aluminum unibody. Even though the 6-inch screen on the XL might not technically count as edge-to-edge, it still fits a much larger screen in a body that’s just a little bigger than last year’s Pixel XL, which had a 5.5-inch screen. On both, you’ll see that there is no camera bump beyond a slight raised ridge around the lens.

But there is a camera bump, right? Either there is or there isn’t, and the photo in this article indicates that it’s virtually the same treatment as that on my iPhone 6S — a treatment that Bohn previously described as a “camera bump” and “aesthetically aggravating”.

Rather than go with dual lenses and a camera bump like Apple, […]

There is a camera bump. I get it: nobody likes camera bumps. Depending on who you ask, they’re either a symptom of an obsession with smartphone thinness, or a tolerable — if not ideal — compromise. But Bohn can’t make the bump go away by denying its existence, and I’m not sure what to make of his attempts to do so.

iPhone 8 and Qi Inductive Charging

Ben Bajarin:

There is a lot to like about the promise of wireless charging. That said, I’ve used wireless charging solutions from many smartphone manufacturers through the years, and I’ve never had a flawless experience with any of them. Unfortunately, the same is true with Apple’s latest offering with iPhone 8/8 Plus. In the few weeks I’ve been using an iPhone 8 and the Mophie wireless charging pad, I have woken up the next day to an iPhone that did not charge and has less than 10% battery at least several times a week. This last week alone it happened three times. For a myriad of reasons, from charging coils, to pad design, etc., when using this pad the iPhone and Mophie pad have to be aligned just right, or it won’t charge. You can’t just drop it down anywhere on the pad but instead need to align it just right. Where this impacts me is throughout the night my phone may get a notification buzz and as a result will move off the sweet spot and then stop charging.

Via Michael Tsai, who received a tip from Phil Wu that Panasonic’s QE-TM101 charger — which, as far as I can figure out, was never officially sold outside of Japan — includes moving charging coils that automatically align to your phone. There are also Qi charging pads that have multiple coils to reduce the likelihood of a phone slipping out of range.

Even so, this shows why Qi isn’t a real wireless charging standard. True wireless charging shouldn’t care that your phone is within a couple of centimetres of a precise area. True wireless charging wouldn’t care which way up your phone is placed, either — maybe I’m just a little bitter about that because my sleep tracking app of choice requires my iPhone to be placed screen side down on my nightstand.

There may be some relief coming: Apple says that they’re going to release a software update that will enable faster charging speeds, and the coming AirPower charger will have support for multiple devices, which indicates to me that you won’t have to be quite so precise in placing any particular device.

But I still don’t see Qi as anything more than an obvious stepping stone between a cable plugged directly into your phone, and some kind of power emitter placed in the general vicinity of your phone. Until that latter technology arrives, I think the intermediate solutions will feel half-baked and inadequate.

Designing Apps for the iPhone X’s Notch

Max Rudberg has followed his excellent piece on designing UI elements for the bottom of the iPhone X’s display with this piece about designing for the top. There are a lot of great ideas here that, to my eye, make the most of a less-than-satisfactory resolution of the sensor housing. These design decisions are currently being made without an iPhone X in hand, though; I’m very interested to see the evolution of app design within, say, the first few months of the X’s availability.

IRS Awards Multimillion-Dollar Fraud-Prevention Contract to Equifax

Steven Overly and Nancy Scola, Politico:

The IRS will pay Equifax $7.25 million to verify taxpayer identities and help prevent fraud under a no-bid contract issued last week, even as lawmakers lash the embattled company about a massive security breach that exposed personal information of as many as 145.5 million Americans.

A contract award for Equifax’s data services was posted to the Federal Business Opportunities database Sept. 30 — the final day of the fiscal year. The credit agency will “verify taxpayer identity” and “assist in ongoing identity verification and validations” at the IRS, according to the award.

The notice describes the contract as a “sole source order,” meaning Equifax is the only company deemed capable of providing the service. It says the order was issued to prevent a lapse in identity checks while officials resolve a dispute over a separate contract.

This is the single greatest example of incompetence I’ve seen today, and that includes the American president flinging paper towels at suffering people in Puerto Rico and confusing the Coast Guard and Air Force at a press conference.

Yahoo Announces That All Three Billion User Accounts Were Compromised in 2013

Hey, remember that gigantic security breach at Yahoo? No, not that one. No, not that one either. The one where they announced that over a billion user accounts had been compromised. Well, Oath’s PR department dropped a doozy of a press release today:

Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement.

Yep — every single one of the three billion accounts that Yahoo was in charge of maintaining had its information stolen. If you ignore the press release’s spin of what wasn’t stolen, you’ll notice that they omit what was: as acknowledged previously, that includes names, email addresses, MD5 hashed passwords, phone numbers, birthdates, and security questions and answers.

This is the second greatest example of incompetence I’ve seen today.
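Why the “MD5 hashed passwords” in that list matter more than the release lets on, as an added example that is not from this post or from Yahoo: unsalted MD5 produces identical digests for identical passwords and is fast enough that a leaked table can be matched against precomputed digests of common passwords, so such a table is close to plaintext. The block below audits a constructed three-account table for those tell-tales and shows the salted, deliberately slow PBKDF2 storage a service should use instead. The account names, passwords and iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample: three accounts, two of which chose the same password.
SAMPLE_PASSWORDS = {
    "alice@example.com": "password123",
    "bob@example.com": "password123",
    "carol@example.com": "correct horse battery staple",
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def md5_unsalted(password: str) -> str:
    """The legacy scheme the breach notice describes: bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def audit_md5_table(table: Dict[str, str]) -> dict:
    """Flag a credential table whose digests look like unsalted MD5.

    Two signals: every digest is 32 hex characters (MD5-shaped), and at least
    one digest is shared by more than one account, which cannot happen when a
    per-user salt is in use."""
    digests = list(table.values())
    md5_shaped = sum(1 for d in digests if MD5_HEX.match(d))
    dupes = {d: n for d, n in Counter(digests).items() if n > 1}
    return {
        "accounts": len(digests),
        "md5_shaped": md5_shaped,
        "shared_digest_accounts": sum(dupes.values()),
        "looks_unsalted": md5_shaped == len(digests) and bool(dupes),
    }


# Hardened scheme: random per-user salt plus a slow key derivation function.
# Iteration count is an assumption for the demo; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_legacy_table() -> Dict[str, str]:
    return {user: md5_unsalted(pw) for user, pw in SAMPLE_PASSWORDS.items()}


def build_hardened_table() -> Dict[str, str]:
    return {user: hash_password(pw) for user, pw in SAMPLE_PASSWORDS.items()}


if __name__ == "__main__":
    print("legacy audit:  ", audit_md5_table(build_legacy_table()))
    print("hardened audit:", audit_md5_table(build_hardened_table()))
```

Running the audit against the legacy table reports that all digests are MD5-shaped and that two accounts share one, which is exactly the shape of data that makes a breach of this kind equivalent to a plaintext leak for anyone who reused a common password. The hardened table shows no shared digests because each record carries its own salt, and verification stays possible because the record is self-describing.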

There’s an Easy Apple Maps Joke Here, I Just Know It

Kirk McElhearn:

I set up two-factor authentication for my Apple ID yesterday. I had tried previously, and it was a disaster. In spite of some confusing instructions from Apple, it seems to have worked so far.

But I was surprised to find that, when I was logging into different devices, it didn’t show the correct location.

I’m not near London; I’m about 100 miles away.

Glenn Fleishman, Macworld:

[…] My wife routinely is told she’s logging in from about 30 miles south, although on the same home network, it’s more accurate for me. If we both had this issue, I’d expect that the IP address of our network was misplaced in whatever geo-identification system Apple relied on to match IPs with a rough place on the globe.

This is particularly troubling because two-factor authentication is promoted as being a more secure login option. If a typical user were to set that up and then be shown a map of a login attempt from miles away, they may be concerned, and reasonably so. I get that the map is supposed to help authenticate a login attempt with an additional piece of information, but is that enough of a reason to display it if it is unreliable? I’m not so sure.

Taking Responsibility for Algorithms

Two great articles on the rash of bullshit — not inaccurate, not erroneous, but bullshit — stories that dominated the top of Google’s search results after Sunday night’s tragedy in Las Vegas and, indeed, after every major tragedy in recent years.

First, Charlie Warzel, Buzzfeed:

Facebook hopes to become a top destination for breaking news, but in pivotal moments it often seems to betray that intention with an ill-conceived product design or a fraught strategic decision. In 2014, it struggled to highlight news about the shooting of Michael Brown and the ensuing Ferguson protests. News coverage of the events went largely unnoticed on the network, while instead, News Feeds were jammed with algorithmically pleasing Ice Bucket Challenge videos. And during the 2016 US presidential election, it failed to moderate the fake news, propaganda, and Russian-purchased advertising for which it is now under congressional scrutiny. Meanwhile, it has made no substantive disclosures about the inner workings of its platform.

Google has had its fair share of stumbles around news curation as well, particularly in 2016. Shortly after the US presidential election, Google’s top news hits for the final 2016 election results included a fake news site claiming that Donald Trump won both the popular and electoral votes (he did not win the popular vote). Less than a month later, the company came under fire again for surfacing a Holocaust denier and white supremacist webpage as the top results for the query “The Holocaust.”

And William Turton, the Outline:

The only reasonable conclusion at this point is that tech companies like Google and Facebook do not care about fixing this. Based on Google’s statements it does not appear that the company plans to prevent 4chan from popping up in its top stories module in the future. Instead it defers to the vagaries of its algorithms, as if doing anything proactive would be interfering with their sacred work. “There are trillions of searches on Google every year. In fact, 15 percent of searches we see every day are new. Before the 4chan story broke, there wasn’t much surfacing about [geary danley], and so we weren’t showing a Top Stories section for this set of queries. So when the fresh 4chan story broke, it triggered Top Stories which unfortunately led to this inaccurate result,” the company said in an email. The wording from Google here is strange, as 4chan has no news stories, only threads populated with the images and musings of 4chan users.

As with advertising on their platforms, Google and Facebook are only too happy to take credit for the successes of the algorithms they built, but demur to take the blame when their code does something stupid. They will gladly own their code — do you think Google would ever make public their precise methodology behind search rankings? — but refuse to take responsibility for it.

Senate Confirms Ajit Pai to New Five-Year Term at FCC

David Shepardson, Reuters:

The U.S. Senate on Monday confirmed Federal Communications Commission Chairman Ajit Pai for another five-year term on the telecommunications regulatory panel where he faces decisions over dismantling Obama-era internet protections and a major television station merger.

Pai won confirmation by 52-41 over objections from Democrats, who criticized him for moving to deregulate U.S. telecommunications rules. Republicans praised him for taking steps to boost rural internet service.

The FCC under Pai was recently criticized for its slow response to the aftermath of hurricanes devastating Puerto Rico, and couldn’t be bothered to check FCC regulatory filings before demanding that Apple activate nonexistent FM radio chips in iPhones.

To his and Republicans’ credit, Pai is taking steps to improve broadband access for those in rural communities, but he’s also proposing to reduce the standard of what constitutes “broadband” internet access. If the latter adjustment passes, that could allow the FCC to fudge the numbers on how many Americans have sufficient access to broadband internet.

Even so, Pai’s proposal to reject attempts to regulate large internet service providers cum media conglomerates, attempts that would prevent them from restricting competing services or certain websites, is dogmatic, crappy policy and should have been enough to turf this jackass.

This vote is retroactive; Pai’s new five-year term began in July of last year.

Equifax Announces More Americans Impacted by Security Breach

Equifax’s press release today, announcing the conclusion of Mandiant’s investigation:

The completed review determined that approximately 2.5 million additional U.S. consumers were potentially impacted, for a total of 145.5 million. Mandiant did not identify any evidence of additional or new attacker activity or any access to new databases or tables. Instead, this additional population of consumers was confirmed during Mandiant’s completion of the remaining investigative tasks and quality assurance procedures built into the investigative process.

The relatively good news is that the number of Canadians impacted is far lower than previously estimated.

Additionally, it strikes me as slimy and opportunistic of Equifax to announce this while news of the worst mass shooting in post-war American history is on everyone’s mind. Their inability to adequately secure even more Americans’ information can wait until people have time to mourn, grieve, and — over time — find any means of turning their pain into ideas and policies that make the country a better place to live.

Western Digital Bungled Their Attempt to Purchase Toshiba’s Flash Storage Business

Pavel Alpeyev and Ian King, Bloomberg:

Tempers first flared at an April meeting at Western Digital’s headquarters, where [Western Digital CEO Steve Milligan] sat across from Toshiba’s head of the chip unit, Yasuo Naruke. The American CEO made a low-ball offer of $13 billion for the business and said he’d use his rights as Toshiba’s partner to block a sale to anyone else, according to people who attended the meeting.

With a helmet of dark hair parted neatly on the side, Naruke projects an image of calm restraint, but the 62-year-old engineer fumed the whole way home to Tokyo on the airplane, according to the people. He believed Milligan was trying to take advantage of Toshiba’s problems to buy the chip business on the cheap, they said.

Ultimately, a Bain Capital consortium that includes Apple bought the division for $18 billion, which means a couple of things: Western Digital blew a major chance to own a big slice of one of the hottest industries on the planet, and this acquisition will likely be seen in the future similarly to how we now see Apple’s purchase of P.A. Semi in 2008. The biggest differences between the acquisition of P.A. Semi and this Toshiba buy are in exclusivity — Apple is just one of several buyers — and total price tag. But even if Apple won’t be taking over Toshiba’s entire production, it should give them an opportunity to lower their costs — and, hopefully, prices to consumers — in a complicated market.

Documenting Our Experiences

Hannah S. Ostroff, on Twitter, responded to Arielle Pardes’ article last week in Wired about Instagram-friendly art installations:

Let’s stop looking down on how people experience the world around them […]

People take photos to document their lives and share them with friends. This was true before Instagram. Time to embrace it.

Social media won’t put an end to educational exhibitions, thoughtful discourse. It can open up the conversation in new ways.

An always-connected camera on all of us affords such a great opportunity to artists and institutions like museums and galleries. I look forward to a new generation of exhibitions that are more cognizant of this change.

The Equifax Investigation So Far

Michael Riley, Jordan Robertson, and Anita Sharpe, in a lengthy feature for Bloomberg:

The impact of the Equifax breach will echo for years. Millions of consumers will live with the worry that the hackers — either criminals or spies — hold the keys to their financial identity, and could use them to do serious harm. The ramifications for Equifax and the larger credit reporting industry could be equally severe. The crisis has already claimed the scalp of Richard Smith, the chief executive officer. Meanwhile, the federal government has launched several probes, and the company has been hit with a flurry of lawsuits. “I think Equifax is going to pay or settle for an amount that has a ‘b’ in it,” says Erik Gordon, a University of Michigan business professor.

If you call a $90 million golden parachute a scalping, you can scalp me any time.

I’m struggling to come to grips with the likely long-term ramifications of the Equifax breach. The entire model of the credit reporting industry rests on the idea that they can secure the financial details of millions of people. But the reputation of all of this industry — and, I would argue, any company that collects sensitive information en masse — has been deeply undermined by this breach and others like it.

Lawsuits are a predictable response. However, even if this attack puts Equifax out of business — and I wholly doubt that it could — the effects of this breach will be felt for decades to come by American consumers.

I know that regulation is a touchy subject, but the kind of data that is held by companies in pretty much every major industry is far too valuable to allow for anything other than a perfect security record. If we are going to permit mass data retention, there ought to be standards for how this information is secured: latest patches must be applied immediately, frequent audits need to be conducted to ensure that data centres are secured, and there ought to be steep penalties for any violation. Self-regulation isn’t working, and failures have massive consequences.