Month: February 2016

Larry Neumeister and Tami Abdollah, writing for the Associated Press:

The U.S. Justice Department cannot force Apple to provide the FBI with access to a locked iPhone data in a routine Brooklyn drug case, a magistrate judge ruled Monday. […]

Orenstein concluded that Apple is not obligated to assist government investigators against its will and noted that Congress has not adopted legislation that would achieve the result sought by the government.

Orenstein set a huge precedent as Apple goes into their higher-profile case against the FBI in San Bernardino. This is great news for those of us who side with Apple in this case and don’t want to see them compelled to create an all-access pass.

Put it this way: if you’re an American, would you want to see Apple capitulate if it were any other country demanding access? If you’re not an American, do you think their government should have a golden ticket?

Update: As much as this is a win for Apple in their case, it’s a far greater win for all of us.

Dave Wiskus, of the band Airplane Mode:

Early on we ran into a problem where our Connect profile avatar was replaced with a photo of a rapper who had briefly tried to use the name “Airplane Mode” before realizing it was taken. We got things squared away with the name, but their photo remained. […]

Two weeks ago I got an email stating that I had been granted access to the Connect profile for Airplane Mode. I thought this was odd, since I already had access, so I took a look. Rather than swap out images, the Connect support folks created a new profile for us with the correct photo (which we still can’t change, by the way).

The frustration would end here if not for one little side-effect: we lost all of our posts and all of our followers. Worse yet, those posts and followers are still attached to a now-unmanned “Airplane Mode” profile, so not only do we not have any way of telling our fans to follow the new profile, they have no way of even knowing that we relocated. Anyone who was following us can now assume that we’ve just stopped making new things.

How many followers did we lose? No idea. How do we get them back? We can’t.

Like nearly every experiment from Apple in social media,1 Connect feels half-assed, half-baked, and completely unnecessary. It’s too “heavy” and complex — they’ve made it feel like a big Mercedes when social media wants to be a zippy Lotus. According to Wiskus, Connect’s artist experience blows, and that’s felt by listeners through almost no posts or interaction from the artists.

I follow 138 artists on Connect. The most recent post is from DJ Shadow, five hours ago, with a track appropriately titled “Ghost Town”; the next most recent is from School of Seven Bells from three days ago. Of the most recent thirty posts I have in my feed, not one had any interaction from the artists, and few had more than a handful of comments and likes. That doesn’t surprise me in the slightest.

  1. Game Centre — the service, not the app — iMessage, and FaceTime being the exceptions. And the latter two can barely be considered “social media” in the broadcast-and-connect sense. ↥︎

Michael Tsai put together an excellent roundup of this weekend’s issue with iMac Ethernet drivers due to an automatic, pushed update from Apple.

Apple has support instructions for fixing the issue; however, they’re not straightforward enough for average users to follow —the simplest scenario requires the use of Terminal commands. In a more challenging situation, where the iMac cannot connect to WiFi, it’s necessary to dive into recovery mode. On top of that, as Tsai points out, Apple messed up their own instructions:

Note that Apple’s example rm -rf command is incorrect. You should use straight quotes rather than smart quotes.

Not their finest hour.

I don’t usually share tips here, but I think this one is too good to pass up.

Despite my many complaints with my internet provider, one of the nice services they offer is free Wi-Fi access points in public spaces across Canada. They all have the same SSID, so any time I’m in one of those spaces, it automatically connects.

One of those hotspots happens to be in the lobby of the building where I work. My office also has a Wi-Fi network, of course, and when I sit down at my desk, my iPhone oftentimes attempts to stay connected to the lobby network. Because it carries a weak signal into the office, I have to manually change the network upon arrival; otherwise, web access on my phone will be spotty throughout the day.

So I asked today on Twitter whether there was a way of changing the priority of WiFi networks on iOS, and Allen Tan replied:

Not on iOS, but you can change them in OSX’s network preferences and I think they’ll sync over.

Allen appears to be right — they do sync between Macs and iOS devices with the same iCloud account.

To adjust the priority of your Wi-Fi networks, head into System Preferences on your Mac and choose Network. Select “Wi-Fi” in the lefthand panel, and click the “Advanced…” button. In the “Preferred Networks” list, simply drag each network to prioritize them as you’d like.

This can be a bit of a pain in the ass, as the list and the window are not resizable, but it can also be a little nostalgic. Between all of the Macs, iPads, and iPhones I’ve ever owned, I have about ten countries and probably a hundred networks in my network history, many of which trigger distinct memories. Neat.

Update: As of MacOS Ventura 13.0, this tip no longer works because there is no way to set Wi-Fi priority in System Settings.

Charlie Savage, New York Times:

The Obama administration is on the verge of permitting the National Security Agency to share more of the private communications it intercepts with other American intelligence agencies without first applying any privacy protections to them, according to officials familiar with the deliberations.

The change would relax longstanding restrictions on access to the contents of the phone calls and email the security agency vacuums up around the world, including bulk collection of satellite transmissions, communications between foreigners as they cross network switches in the United States, and messages acquired overseas or provided by allies.

The idea is to let more experts across American intelligence gain direct access to unprocessed information, increasing the chances that they will recognize any possible nuggets of value. That also means more officials will be looking at private messages — not only foreigners’ phone calls and emails that have not yet had irrelevant personal information screened out, but also communications to, from, or about Americans that the N.S.A.’s foreign intelligence programs swept in incidentally.

While this has probably been on the books for a while, I have no doubt that the Apple-FBI case accelerated these talks. The NSA soaks up everything; imagine what it’s like when that raw data is shared with other agencies. I see little reason why anyone would not want their data encrypted any more.

Greg Howard, writing for Deadspin:

Last week, Vox Media’s SB Nation published “Who Is Daniel Holtzclaw?”, a 12,000-word profile of a 29-year-old former Oklahoma City police officer who this winter was tried for raping 13 black women while on duty; convicted on 18 of 36 charges of rape, sexual battery, forcible oral sodomy, and burglary; and sentenced to 263 years in prison. The story was reported and written by journalist Jeff Arnold and edited by Glenn Stout, head of the SB Nation Longform vertical. It was published at noon on a Wednesday, and the response was immediate and swift. Those who read it were furious with the story, which was so sympathetic that it comfortably qualified as apologia and read as an attempt to humanize a monster at the expense of his black, female victims. […]

Among other things, this story serves as an example of why diversity in the newsroom is so important. It isn’t because diversity is charity, or because giving opportunities to people other than white men is a Christlike thing to do, but because everyone has blind spots, and everyone fucks up. Bergeron was there, and the best-suited to work on the story alongside Arnold and Stout—not just because she’s the only person of color and the only woman among’s top layer of editors, but because she’s capable and experienced. Not only did Stout never enlist her to cover his and Arnold’s blindspots, though, but when she did so anyway, he disregarded her, and was empowered to do so.

The ongoing push for greater diversity in tech is absolutely critical, as it is in every other industry. There are a variety of voices, opinions, ideas, and thoughts that are held by people from widely-differing backgrounds that are being ignored and sidelined. Diversity isn’t a checkbox or a department, but a set of values. It’s something that cannot be added to a company; it must be earned. Adding these voices to an environment or a discussion is essential, but they must be listened to — this sounds obvious, but it clearly is not.

Dina Bass, Bloomberg:

Microsoft Corp. will file an amicus brief next week to support Apple Inc. in its fight with the U.S. government over unlocking a terrorist’s iPhone, President and Chief Legal Officer Brad Smith said at a congressional hearing Thursday to discuss the need for new legislation to govern privacy.

Google parent Alphabet Inc. and Facebook Inc. plan to file a separate industry brief according to people familiar with the matter, and Twitter Inc. said it expects to join a friend of the court brief as well.

Olga Kharif, also Bloomberg:

Verizon Communications Inc., the largest U.S. wireless-service provider, sided with Apple Inc. in a dispute with the U.S. government and said it supports encryption of mobile phones to protect customer privacy over the needs for law enforcement access to user information.

It’s a little disappointing that it’s taken a week for other companies to throw their weight behind Apple, but they’ve done so nevertheless. Between this support and Apple’s totally awesome motion to vacate, I’m hesitantly optimistic.

Apple filed a motion to vacate, which is a legal term for “take that decision back”. It’s 65 pages in total, but remarkably readable for a legal document. You might still need a coffee to chug through it, though:

The All Writs Act (or the “Act”) does not provide the judiciary with the boundless and unbridled power the government asks this Court to exercise. The Act is intended to enable the federal courts to fill in gaps in the law so they can exercise the authority they already possess by virtue of the express powers granted to them by the Constitution and Congress; it does not grant the courts free-wheeling authority to change the substantive law, resolve policy disputes, or exercise new powers that Congress has not afforded them. Accordingly, the Ninth Circuit has squarely rejected the notion that “the district court has such wide-ranging inherent powers that it can impose a duty on a private party when Congress has failed to impose one. To so rule would be to usurp the legislative function and to improperly extend the limited federal court jurisdiction.”

Congress has never authorized judges to compel innocent third parties to provide decryption services to the FBI. Indeed, Congress has expressly withheld that authority in other contexts, and this issue is currently the subject of a raging national policy debate among members of Congress, the President, the FBI Director, and state and local prosecutors. Moreover, federal courts themselves have never recognized an inherent authority to order non-parties to become de facto government agents in ongoing criminal investigations. Because the Order is not grounded in any duly enacted rule or statute, and goes well beyond the very limited powers afforded by Article III of the Constitution and the All Writs Act, it must be vacated.

This is a totally cogent position, especially when coupled with Apple’s explanation on the eighth and ninth pages that CALEA covers the areas of the law in question and, therefore, the All Writs Act cannot apply. There’s a lot at stake here; this decision needs to be right for now, and for the future. The myopic arguments so far made by the FBI and other law enforcement agencies are dangerous in their precedent.

Tim Bradshaw, Financial Times:

Apple is working on new ways to strengthen the encryption of customers’ iCloud backups in a way that would make it impossible for the company to comply with valid requests for data from law enforcement, according to people familiar with its plans.

The move would bolster Apple customers’ security against hackers but also frustrate investigators who are currently able to obtain data from Apple’s servers through a court order.

As Christopher Soghoian said, Apple is effectively treating this saga as one of the most significant bug reports they’ve received. They are entirely absolving themselves of the burden of users’ data; users are about to become entirely responsible for what they upload, and Apple’s services are merely the conduit. This will help clarify the conflicting ways Apple describes iCloud backup security, too.

If you’re still concerned about the security and privacy of your backups after this change is made — and it’s a valid concern — it would be best to continue to create a local, encrypted backup instead.

Yves Raimond and Justin Basilico of Netflix:

On the 6th of January, we simultaneously launched Netflix in 130 new countries around the world, which brings the total to over 190 countries. Preparing for such a rapid expansion while ensuring each algorithm was ready to work seamlessly created new challenges for our recommendation and search teams. In this post, we highlight the four most interesting challenges we’ve encountered in making our algorithms operate globally and, most importantly, how this improved our ability to connect members worldwide with stories they’ll love.

This kind of behind-the-scenes post is fascinating to me because it reveals the complexity with which every additional language and region requires. I may (regularly) complain about how poor my Siri and Apple Music recommendations are, but every company faces these same challenges. That’s not an excuse, but it is an explanation.

Matt Apuzzo and Katie Benner, New York Times:

Apple built its recent operating systems to protect customer information. As Mr. Cook wrote in a recent letter to customers, “We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

But there is a catch. Each iPhone has a built-in troubleshooting system that lets the company update the system software without the need for a user to enter a passcode. Apple designed that feature to make it easier to repair malfunctioning phones.

In the San Bernardino case, the F.B.I. wants to exploit that troubleshooting system by forcing Apple to write and install new software that strips away several security features, making it much easier for the government to hack into the phone. The phone in that case is an old model, but experts and former Apple employees say that a similar approach could also be used to alter software on newer phones. That is the vulnerability Apple is working to fix.

The original headline of the linked article — as you can tell from its slug — was “Apple Is Said to Be Working on an iPhone Even It Can’t Hack”. When it was published, I was curious about the way that title was phrased; it seemed clear that it would be a hardware-related upgrade as it specified “an iPhone”, not iOS.

The article now carries a new title, “Apple Is Said to Be Trying to Make It Harder to Hack iPhones”. This headline is much less interesting than the one it replaced, but that change makes me equally curious. Perhaps some of these security features can be introduced via a software update.

Also, John Gruber is pretty convinced that this is a controlled leak; it certainly reads like it is. Apple rarely provides the press with advanced information of any kind, so when they do, it’s notable.

For what it’s worth, I’ve left virtually all of these settings alone and I get great battery life. I don’t ever toggle my cellular connection or WiFi, almost all of my apps are allowed to refresh in the background, and notifications are enabled based solely on need-to-know rather than battery life.

Nobody should ever have to worry about these settings. You should be able to use your phone normally and assume that it will manage battery life for you; at least, in an ideal world.

Dan Gillmor, writing for Backchannel:

Google, as noted, is no shrinking violet. And a big incentive for news organizations to participate in AMP is to satisfy their AMP “general partner” (my expression, not Google’s) on another front — better placement on Google’s search results. Google’s bread and butter is the ads it can sell based on search, and the company has made clear its intention to rank loading speed high in how it calculates search results. Google insists it won’t favor sites using AMP just because they’re serving up AMP pages, but that may become a distinction with little difference.

[Google news head Richard Gingras] told me last week that Google’s search bots had seen AMP pages from more than 1,000 domains — including many major media companies — and, so far, 33 countries. Sites will have to create separate versions of stories, including at least one for AMP mobile pages and another for regular (desktop/laptop) rendering. Kinsey Wilson, ‎the New York Times’ executive vice president for product and technology, calls AMP “probably the most publisher-friendly solution we’ve seen to date” from the big tech companies, but making it all work takes real effort and staff time.

The Times has ample staff to make it all work; smaller publishers face a bigger hurdle. Even if it’s (relatively) simple to build AMP pages alongside the regular ones going forward, they’ll suffer to some degree if they don’t do this for the archives. (And, as open-standards advocate Kevin Marks notes, by relying on Google JavaScript code, not traditional HTML, for page rendering, AMP pages could ultimately make parts of the web even more fragile and difficult to archive.)

I’ve been researching AMP extensively since it was announced late last year and I have so far emerged with vastly more questions than answers. As best as I can figure, AMP is a reduced, derivative version of HTML that doesn’t allow for many interactive elements — like forms and arbitrary JavaScript — and looks way faster because of “lazy loading” and prefetching techniques, as Google will shout at you in a blog post. That’s fine — speed is good.

But there are a lot of questions here. First, all AMP pages require a base JavaScript file that sets up a lot of the framework, lazy loading, and so forth. It’s even required to display images, video, and iframe elements due to AMP’s proprietary HTML tags. This file is 158 KB; for comparison, a typical page on my site is less than 100 KB, with all text, images, and the tiny amount of JavaScript I use. How is requiring a file larger than a reasonably-optimized webpage supposed to help speed up the web?1

The people behind AMP will tell you that all AMP-enabled pages are cached around the world, so transmission times become vastly shorter.2 But you could pick up an Amazon S3 bucket paired with CloudFront and get a similar effect.

AMP is designed to run only on smartphones — the “M” stands for “mobile”, after all — and its creators recommend serving different pages to desktop users. Why shouldn’t everyone benefit from a faster web?

What compels major third-party publishers to feel comfortable using a nonstandard, somewhat proprietary — if open source — variant of HTML, the development of which is primarily driven by a single company?

Most of all, what problems does AMP solve that could not be fixed through the careful optimization of resources? My site isn’t perfect, but a page almost always loads in about a second and weighs less than 100 KB. I use shared hosting on a single server, too — imagine if I had a dedicated host with a worldwide CDN.3

Between AdSense and DoubleClick, Google has a virtual monopoly on web advertising. They could easily implement strict limitations on what ads can contain, how large they can be, and how fast they need to load. They could optimize their own ad loading scripts and reduce resource consumption of their own advertising and analytics products. AMP’s goals are admirable, but I haven’t yet heard a compelling reason for why speeding up the web requires changing the fundamental architecture of webpages and places the control over their resources in the hands of a third party.

Also, there is a palpable irony in publishing an article about how slow and bloated the web has become on Medium.

Update: Clarified the role of the AMP JavaScript file in the second paragraph following the blockquote.

  1. I checked a couple of sites using AMP and found that this base script is set to expire from a local browser cache in less than a day, so it doesn’t benefit significantly by leveraging a locally-cached version. ↥︎

  2. Server location still plays a remarkable role in the speed of your site. I occasionally visit Sina Weibo, which is hosted in China, and it’s extremely slow despite fairly average page sizes. ↥︎

  3. Actually, it probably wouldn’t make much difference because I have so few resources. ↥︎

Kevin Lo (via Allen Tan):

In the case of colour, Pantone Inc. holds incredible influence with their increasingly marketed and mediatised Colour of the Year campaigns. Purportedly determined through a prescient reading of the cultural zeitgeist (by a select cabal of colour specialists), it is important to understand that the company, and the industry it serves, have their own specific interests and agendas that drive these selections. Pantone’s choice of “Rose Quartz” and “Serenity” as the 2016 Colour of the Year is the most insidious move by this colour-industrial-complex since “Blue Iris” in 2008. As with “Blue Iris”, Pantone has once again mined the subcultural landscape and used their monopoly within the creative industries to propagate their colour properties to the world.

At just a few thousand words, I’m not sure this qualifies as an “epic” article, but it certainly has the depth of research to have suggested that quality to me. Do yourself a favour and really dig into this one.

Mike Ash, with a great explanation of what the function is of the secure enclave in iPhones 5S and newer:

On most systems, if you can get into the OS kernel then you own the entire system. The kernel can do anything. It can read and write every byte of system memory, it can control all of the hardware, and it’s in charge of all of the application code the system runs, which it can subvert at will.

Since the Secure Enclave is a separate CPU mostly cut off from the rest of the system, it isn’t under the kernel’s control. On an older iPhone, owning the kernel means owning everything done by the system, including the passcode verification process. With the Secure Enclave, no matter who is in control of the main CPU, no matter what code is in the OS running on it, the basic security functions remain intact.

Ash gets somewhat speculative, owing largely to Apple’s arguably necessary secrecy around the specifics of how the secure enclave functions. Fascinating stuff.

So much for FBI director James Comey’s assertion that this “isn’t about trying to set a precedent”, but we all knew that was bunk from the get. Devlin Barrett, Wall Street Journal:

The Justice Department is pursuing court orders to force Apple Inc. to help investigators extract data from iPhones in about a dozen undisclosed cases around the country, in disputes similar to the current battle over a terrorist’s locked phone, according to people familiar with the matter.

The other phones are at issue in cases where prosecutors have sought, as in the San Bernardino, Calif., terror case, to use an 18th-century law called the All Writs Act to compel the company to help them bypass the passcode security feature of phones that may hold evidence, these people said.

The specifics of the roughly dozen cases haven’t been disclosed publicly, but they don’t involve terrorism charges, these people said.

James Comey, writing for the Brookings Institute’s Lawfare Blog:

The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message. It is about the victims and justice. Fourteen people were slaughtered and many more had their lives and bodies ruined.

We absolutely intend to use a closely-watched and high-profile case to set a precedent for other times when we need to unlock an iPhone. And if you’re surprised by this, you don’t know the FBI. Even the Manhattan DA is on board.1

The particular legal issue is actually quite narrow. The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve.

To our frustration, Apple and other companies continue to stand in our way and we will need their continued cooperation — that’s why they call it precedent. We threw in this comment because it would otherwise be far too obvious what we are demanding.

We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it.

We would like Apple to create a tool so that we can guess any passcode at any time in the future from any iPhone. And because this case is so high-profile and so clear-cut, we figured Apple would quietly and unquestioningly capitulate.

Also, why am I writing this on a blog, for heaven’s sake? Don’t we have a PR department any more?

We don’t want to break anyone’s encryption or set a master key loose on the land.

We would love to break everyone’s encryption. Except our own. And we’d really like it if no foreign nations could break everyone’s encryption because we live in a fantasy land where it’s possible for American intelligence agencies to be granted near-universal access to information, but other countries would be locked out.

I hope thoughtful people will take the time to understand that.

I hope nobody takes the time to understand all facets of this case.

Reflecting the context of this heart-breaking case, I hope folks will take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other.

I have resorted to hyperbolic mockery because I cannot believe that anyone would question my organization’s power. This possibility simply didn’t arise in any meetings, and we are scrambling to control the narrative here, hence this hurried blog post.

Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure: privacy and safety. That tension should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.

I know as well as anyone else that encryption is a very complicated subject to grasp, and that the nuances of this case are well beyond the understanding of most people.

So I hope folks will remember what terrorists did to innocent Americans at a San Bernardino office gathering and why the FBI simply must do all we can under the law to investigate that. And in that sober spirit, I also hope all Americans will participate in the long conversation we must have about how to both embrace the technology we love and get the safety we need.

I really hope as few people as possible understand the implications of what we are asking of Apple here, because if the pushback and skepticism becomes too great, our big chance at making strong encryption illegal is fucked.

  1. ‘Charlie Rose recently interviewed Mr. Vance and asked if he would want access to all phones that were part of a criminal proceeding should the government prevail in the San Bernardino case.

    ‘Mr. Vance responded: “Absolutely right.”’ ↥︎