Tag: Technology

Categories
Technology Thoughts

Privacy Nutrition Labels for the Top Apps of 2020

With the release of iOS and iPadOS 14.3, all app updates in the App Store are now required to include Privacy Details, or “nutrition labels”.

App Privacy Labels

At a high level, there are three categories of nutrition label:

  • Data Used to Track You
    • “May be used to track you across apps and websites owned by other companies”
  • Data Linked to You
    • “May be collected and linked to your identity”
  • Data Not Linked to You
    • “May be collected but it is not linked to your identity”

Within each category, there is additional info split into types of data collected and ways data is used.

Types of data an app can collect includes:

  • contact info
  • health & fitness
  • financial info
  • location
  • sensitive info
  • contacts
  • user content
  • browsing history
  • search history
  • identifiers
  • purchases
  • usage data
  • diagnostics
  • other data

Ways data is used include:

  • third-party advertising
  • developer’s advertising or marketing
  • analytics
  • product personalization
  • app functionality
  • other purposes
App Privacy See Details The developer, Zoom, indicated that the app's privacy practices may include handling of data as described below. For more information, see the developer's privacy policy. Data Linked to You The following data may be collected and linked to your identity: Location o Contact Info User Content Identifiers Usage Data Diagnostics Privacy practices may vary, for example, based on the features you use or your age. Learn More
Zoom Privacy Details – apps.apple.com

Putting it all together, when looking at an app in the store, like Zoom for example, you can see the app collects your location, contact info, user content, identifiers, usage data, and diagnostics and links the data to you. If this data was in the “not linked to you” category, the data would still be collected, but done so anonymously.

The top level information tells you what data the app collects, but to see how the data is used, you need to select the “See Details” link at the top right of the App Privacy section.

From the expanded view, you can see that Zoom collects data for advertising & marketing, analytics, and general app functionality. This may look like a lot, but Zoom’s data use is comparatively short. Details for Facebook’s data use scroll for days.

And the distinction between data collection and data use is important. For example, an app may collect your location and use it to tell you the weather nearby. Granting permission to location would make sense if you are downloading a weather app. But an app may also collect your location and use it to tell ad providers all the places you go. In this case, giving access to your location would be sketchy if you were downloading a calculator app.

There is also an inherent level of trust associated with Apple’s new model for privacy details, as for app developers:

“You’re responsible for keeping your responses accurate and up to date.”

This means, to apply these new privacy labels, app developers must self report their data use when submitting updates to the app store. Apple does not read through all the code or monitor network traffic to automatically create an app’s privacy details. 

Apps can change their behavior with any update, but developers are required to update on their own. App reviewers do not flag when the privacy details need an update.

So while the longevity and robustness of the new privacy nutrition labels remains to be seen, we can take a look at how the most popular apps of 2020 report their privacy nutrition details.

Top 2020 Apps

If you have updated to iOS 14.3, it’s interesting to flip through some of the apps you use to see how they report their data collection and use. Although, it’s not exactly easy to compare two apps.

Since Apple recently unveiled the top games and apps of 2020, you can look at all the privacy nutrition label details in search of trends from the apps everyone are using.

So I did. And compiled the Privacy Nutrition Label Data for the Top Apps of 2020.

This starts off with general info regarding what data is collected, then looks at how specific apps and games report data use, and finally lists insights and questions from the investigation. (All the spreadsheets and data are included at the end).

Nutrition Label Data

General statistics
  • 80 total apps
    • 20 free apps
    • 20 paid apps
    • 20 free games
    • 20 paid games
  • 51 updated to report privacy data
    • 32 apps
    • 19 games
  • Top collected data types across all three categories
    • identifiers (70)
    • usage data (70)
    • diagnostics (59)
    • purchases (46)
    • location (42)
    • user content (36)
    • contact info (35)
    • other data (21)
    • search history (16)
    • contacts (14)
    • financial info (12)
    • browsing history (11)
    • sensitive info (7)
    • health and fitness (6)
  • Top collected data types (used to track you)
    • identifiers (27)
    • usage data (23)
    • purchases (12)
    • contact info (10)
    • diagnostics (10)
    • location (10)
    • other data (8)
    • user content (4)
    • browsing history (3)
    • contacts (1)
    • financial info (1)
    • health and fitness (1)
    • search history (1)
    • sensitive info (1)
  • Top collected data types (linked to you)
    • usage data (30)
    • identifiers (28)
    • diagnostics (26)
    • user content (24)
    • purchases (23)
    • location (22)
    • contact info (22)
    • search history (13)
    • contacts (12)
    • other data (11)
    • financial info (10)
    • browsing history (7)
    • health and fitness (4)
    • sensitive info (4)
  • Top collected data types (not linked to you)
    • diagnostics (23)
    • usage data (17)
    • identifiers (15)
    • purchases (11)
    • location (10)
    • user content (8)
    • contact info (3)
    • sensitive info (2)
    • search history (2)
    • other data (2)
    • health and fitness (1)
    • financial info (1)
    • contacts (1)
    • browsing history (1)
By Apps and Games
  • Most types of data collection (17)
    • Facebook
    • Instagram
    • Spotify
    • Twitter
  • No data collection (* these are all paid apps/games)
    • HotSchedules
    • AutoSleep Track Sleep on Watch
    • Shadowrocket
    • EpocCam Webcamera for Computer
    • Arcadia – Arcade Watch Games
  • Only collects data not linked to you
    • Widgetsmith
    • Among Us!
  • Most data types used to track you
    • Twitter (7)
    • Subway Surfers (6)
    • Spotify (5)
Free vs Paid
  • Average types of data collected (overall)
    • Free (10.5)
    • Paid (3.6)
  • Median types of data collected (overall)
    • Free (10)
    • Paid (4)
  • Average types of data (used to track you)
    • Free (2.9)
    • Paid (0.3)
  • Average types of data (linked to you)
    • Free (6.3)
    • Paid (1.1)
  • Average types of data (not linked to you)
    • Free (1.3)
    • Paid (2.2)

Insights and Questions

Many of these points stem from the descriptions of Types of data and Data use sections of Apple’s privacy details page.

Free apps
On Apple’s categories:
  • “Identifiers” is a vague name, but it’s related to device and user IDs. These types of IDs are often static and used to link your information across apps and services
  • “User content” from apps not creating user content is interesting (Disney Plus and Netflix). Guessing these are related to the “Customer Support” category.
    • And how does an app have “User Content” not linked to you?
  • “Purchases” is not included by Netflix (as you can’t subscribe in the app)
On companies:
  • Google hasn’t updated info for any of their apps yet
  • Widgetsmith was a breakout iOS 14 app of the year. It only collects anonymous purchase and diagnostic data.
  • WhatsApp is Facebook’s least offensive app.
  • What is Spotify doing with browsing history?
  • Twitter is doing a lot of tracking
On trends:
  • “Data linked to you” is largest category and shows most first party data use
    • “Data used to track you” is “owned by other companies”
  • Companies should move usage data and diagnostics collection from “linked” to “not linked” categories
    • Free games do a somewhat better job collecting anonymous data (but also use the same data types to track you)
  • Top free apps do less data sharing (tracking) than expected

Overall, rules are new, so companies are still getting used to the categories. Guessing they’ve over-reported as it is easier to move to a more private usage category. Companies may interpret rules differently (Twitter vs Facebook vs TikTok, why so different?)

Free games
Paid apps
  • Top paid apps do less tracking and data collection overall
    • Also have most non-updated apps in the top 2020 list
  • “Data Not Collected” is a tag (took going through a lot of apps to find that out…)
App Privacy The developer, HotSchedules, indicated that the app's privacy practices may include handling of data as described below. For more information, see the developer's privacy policy. Data Not Collected The developer does not collect any data from this app. Privacy practices may vary, for example, based on the features you use or your age. Learn More
Paid games
  • Very few top games have updated
  • Seems Facebook SDK could require Identifiers, location, usage data, diagnostics
Overall
  • Apple, what’s up with the random ordering of data types? Seems to be consistent by count, but not across all apps
  • Health and fitness apps were not very popular this year
  • How do changes to data collection and use get reported? Is there a notification added to the nutrition label?

Wrap up

Probably can do a lot more analysis on all this data, but it’s the holidays and everyone is asking me why I’m working. So I’ll leave it at that. As more apps update with their privacy nutrition details, we can expect to learn more about about how the apps we use use our data, and how Apple’s new system changes with time.

Charts and Graphs

Here is all the raw data if you want to compare: Top 2020 Apps – Privacy Summary

☃️ 🛷 ❄️

Categories
Thoughts

This Is Phishing

Password managers can help you identify when you’re on the site you want, or might be somewhere you do not intend. By comparing the url of the site you’re on, to the urls saved in the password manager, the password manager can indirectly alert you to a suspicious situation.

Here’s an example. In the Robinhood app (which registers on iOS as Robinhood.com), you are prompted for a Wells Fargo account and password.

This sure looks a lot like Wells Fargo, but the password manager (Dashlane) tells you it detected that you’re actually entering this information on Robinhood.com.

If you ever find yourself in a situation where your password manager credentials don’t match or don’t autocomplete on a site where you expect they should, it should set off all sorts of alarms in your head.

This is not the login page for the site you think you’re on.

So then why does Robinhood make it seem like you are entering your information on Well Fargo?

In this case, the app is not trying to steal your bank information (or so they say), instead, it’s trying to help you log in quickly, so you can get back to using the app as soon as possible.

Robinhood, like many other financial apps, uses a service called Plaid (owned by Visa) to sign in to your bank accounts. Plaid touts itself as “The easiest way for users to connect their financial accounts to an app”. Incidentally it’s also the easiest way to condition people to fall for phishing schemes.

“Secure and private”, or “encrypted transfers and no access by Robinhood”, boils down to you trusting Plaid with your financial account information.

Is using Plaid any worse than sending your bank account and routing numbers? Well, at least you can change your password easily enough after giving your old one to Plaid. Changing a bank account is a bit more cumbersome.

Just be aware, the same tricks Plaid is using to make you think you’re logging into your bank can be used by more nefarious actors. And if you’re not using a password manager to help you recognize these tricks, you just might fall for one.

Stay safe. Wash your hands. Wear a mask. And use a password manager 🧼

Categories
Thoughts

Internet Safety Tips

A distancing duck avoids being phished

Lots of weird things just happened at once.

It’s always important to be cognizant of what and who you interact with online, but phishing is way up right now, so be extra careful with emails, links, and articles sent to you that you didn’t initiate or request. And while email phishing is often a main focus for scams, there are additional methods to be aware of and keep in mind. Reseller and rental sites like eBay, Craigslist and Airbnb present similar opportunities for scams, however these scams are crafted differently since you are often the one initiating the contact with an unverified third party (instead of the other way around).

So weirdness, here’s what happened

Over the course of the afternoon, 5 phishy things happened to three different groups of people I know.

  1. Three people in the same family individually received notices that a PayPal, credit card, and Instagram account were hacked.
  2. A friend got an email that someone signed into their Instagram on a new device.
  3. Another fiend stumbled across a Craigslist apartment rental phishing scheme. (The exact one covered in this report. Word for word, save for a change in company name and a different person in nearly identical photos)

This very coincidental timing, but it’s a good opportunity for an internet safety refresher!

Safety tips & reminders:

I shared these with family and friends after all this weirdness, but will aggregate them here.

1. When in doubt, go to the actual site

If you get an email from PayPal (or your bank or Instagram) about an account issue, go to the PayPal website yourself to check out the notification. Don’t click on any links sent to you. You can hover over links to see where they really go, but even then, it can be easy to miss smaII deta1ls.

paypa1

So to be safe, go to PayPal using the app, by searching for PayPal (trusting the wisdom of the search engine crowd), or by manually going to https://www.paypal.com.

Better yet once your are on the PayPal.com that you know is the actual PayPal.com, add it to your favorites and use your own personal trusted bookmark to get back to the real PayPal every time. This way you don’t make a mistake later by mistyping the url and ending somewhere you don’t expect. (And yes, I’m purposefully not linking to PayPal from here. Go build that muscle)

This tip applies to phone calls too!

Summary: It’s your best bet to search for the site/article/etc or go directly to the url if you have it saved somewhere.

2. Use a password manager

You can visit every site you go to as carefully as possible, but if you reuse passwords, one security breach can cause issues across your accounts.

A password manager creates strong, unique passwords for every one of your accounts and securely keeps track of them all for you. You only need to remember your master password to unlock the account.

Some good options are LastPass, Dashlane, and 1Password.

They can also help you more easily change passwords if one is stolen or part of a data breach. You can check to see if your accounts have been part of a data breach using Have I Been Pwned (just don’t enter your current passwords).

Password managers can be difficult to transition to at first, as you need to manually change passwords one at a time, but if you use a password manager solely to keep track of new accounts, you can quickly start to see the benefit.

Read this exhaustive post to learn more before you set up a password manager. A quote:

Password managers are programs that remember passwords for you, along with the email address or other user identifier you use for each account. They make it easier to use strong passwords: those that are sufficiently random, long, and different for every one of your accounts. They also make it easier to lose all your passwords at once, or for attackers to steal all your passwords in one instant.

Summary: See above quote, but you should probably be using one of these.

3. Set up two factor authentication (2FA)

After setting up strong passwords, you can go a step further to safeguard that even if one of your account credentials is compromised, you are still in control of signing into the account.

Two factor authentication satisfies the “something you know, something you have” paradigm for online security (or the first two parts of multi-factor authentication). You know your password and have either a code or USB key or app to verify you are you. If your password is compromised, the second factor of authentication ensures someone with just your password cannot log in.

Needing a second factor can cause problems, however, if you (who is in reality, is you) loses the second factor of authentication. Then you can be locked out just as if you were an attacker.

Also, if multiple people use the same account, two factor authentication can be difficult. With 2FA enabled someone may try to log into an account and the 2FA code can be sent so someone else (which also happened to my family today).

Read this other equally exhaustive post to learn more before you set up 2FA.

Summary: Two factor auth can help keep your accounts secure, but comes with some extra challenges.

4. Keep third party communication within app and website services

This one is related to staying safe when reaching out to others you don’t know online. Talking to strangers! 😱

Whenever possible, keep communication within the app or website service you are using. If buying on eBay, communicate on eBay. If renting on Airbnb, use their chat functionality. Let the site intermediate communication. Don’t share your email or phone number to talk with a third party seller or host outside of the service. Major sites like eBay and Airbnb have measures in place to help you stay safe (and allow you to provide evidence in case of an issue), but only if you leverage their tools.

Be extra cognizant on Craigslist where direct email communication is the standard! I’ll put this Anatomy of a rental phishing scam post here again as a reminder to read it. A quote:

The first red flag was “So we’ll keep our communication to email if that’s ok with you”.

This tip also applied to articles you read or videos you watch. If you aren’t sure of the source, don’t trust, verify 🙃

Summary: There are more signs of a scam than only asking for your bank account and credit card information.

5. Bonus Tip: Use Zoom on your phone or browser

If you use Zoom, you should know that Google banned it’s employees from using the desktop app, and suggests to use mobile or web.

Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile

Google’s guidance is to uninstall and block the app completely (maybe because they prefer everyone to use Hangouts 🤷‍♂️). In any case, if you’re interested, here’s how you can uninstall the desktop version on Mac and PC.

A legitimate reason behind allowing mobile and web, but blocking desktop, stems from the fact that mobile and web platforms have security and containment measures in place that limit sites and apps from accessing your underlying device. Whereas apps installed from the internet can do whatever they want after you type in your computer account password to allow higher level device access.

To continue using Zoom on a desktop, here’s Zoom’s support article on how to join a call using your web browser. The link is a bit hidden (and misleading), but it looks like this:

zoom

Summary: Use your phone to show off your Zoom backgrounds

 

That’s all for now

Stay safe. Wash your hands. Wear a mask. Don’t touch your face or click on links in your email 🧼

Categories
Thoughts

Flash Seats Usability, Security, and Privacy

The Quora Conundrum

Quora reported a data breach earlier this month and the company outlined the stolen data, what they are doing, and what you can do in an email to those affected:

The following information of yours may have been compromised:

  • Account and user information, e.g. name, email, IP, user ID, encrypted password, user account settings, personalization data
  • Public actions and content including drafts, e.g. questions, answers, comments, blog posts, upvotes
  • Data imported from linked networks when authorized by you, e.g. contacts, demographic information, interests, access tokens (now invalidated)
Continue reading “Flash Seats Usability, Security, and Privacy”
Categories
News Feed

21 Lessons for the 21st Century

Yuval Noah Harari on the Talks at Google podcast (and in video form)

He’s marketing his new book extremely well and a New York Times interview on the subject garnered attention:

It made him sad, he told me, to see people build things that destroy their own societies, but he works every day to maintain an academic distance and remind himself that humans are just animals. “Part of it is really coming from seeing humans as apes, that this is how they behave,” he said, adding, “They’re chimpanzees. They’re sapiens. This is what they do.”

. . .

“It’s just a rule of thumb in history that if you are so much coddled by the elites it must mean that you don’t want to frighten them,” Mr. Harari said. “They can absorb you. You can become the intellectual entertainment.”

. . .

He told the audience that free will is an illusion, and that human rights are just a story we tell ourselves. Political parties, he said, might not make sense anymore. He went on to argue that the liberal world order has relied on fictions like “the customer is always right” and “follow your heart,” and that these ideas no longer work in the age of artificial intelligence, when hearts can be manipulated at scale

Not the most heartening view of the future.

21 Lessons is also recommended by Bill Gates as one of 5 books he loved in 2018 (to further corroborate Harari’s points)

The trick for putting an end to our anxieties, he suggests, is not to stop worrying. It’s to know which things to worry about, and how much to worry about them. As he writes in his introduction: “What are today’s greatest challenges and most important changes? What should we pay attention to? What should we teach our kids?”

Or maybe we should be a bit more like Newt Scamander

My philosophy is that worrying means you suffer twice.

Categories
Thoughts

Short Codes (aka Messages & Two Factor Authentication from Random Five to Six Digit Numbers)

There are some cool new security features in the latest versions of iOS and Android to help you keep your accounts secure. Android’s updated Messages app and iMessage in iOS 12 both bring simplified one-time passcodes and two factor authentication (2FA) management.

iMessage – iOS 12

iMessage Security code AutoFill
Security code AutoFill. SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about memorizing them or typing them again.

 

Android Messages

Copy one-time passwords with one tap
Copy one-time passwords with one tap
Now, when you receive a message with a one-time password or code from a secure site—such as your bank—you can save time by copying that password directly from the message with a tap.

 

With both Apple and Google updating their messaging apps to ease use of text message (SMS) based two factor authentication, I’ve been thinking about why copying a verification code is the feature we need to bring more people to use 2FA. While cutting down steps required to use 2FA will make for a more streamlined experience, there seems to be an opportunity elsewhere to improve general usability of SMS based 2FA.

Understand there has been plenty of discussion regarding the security risks of these features, but putting aside discussion of the entire 2FA ecosystem and the shortcomings of SMS based 2FA, let’s look at a quirk of how people experience 2FA on their phones.

An example

Android Messages two factor authentication shortcut

Take the Capitol One notification from this article discussing the “copy 2FA code” feature in Android Messages. The message from number 227898 says “From Capitol One” and provides a code: 939966. There are two things we need to figure out here. One, that this is in fact the message from Capitol One, and two, this message contains the 2FA one-time passcode we need to complete the log on process.

First off, while the message says it’s from Capitol One, we know from our phishing lessons that we shouldn’t use the content of a message to influence our trust decision making process. The timing of getting this message in relation to attempting to log in to a bank account would make it seem like the message is legitimately from Capitol One, but how can we be sure? What is that 227898 number? Can we look it up like a phone number to verify it is registered to Capitol One?

The second bit of confusion is recognizing the 2FA verification code is 939966 not the big bold 227898 number at the top of the message. Usually the distinction between sender and message is clear with a regular 10 digit phone number or a message from someone in your contact list, but when you are sent a six digit code from a six digit number you need to do more mental processing choose the right number. Google has partially resolved the issue by giving an explicit action to copy the 2FA code, but it feels a little strange not being able to see the actual code in the message.

An aside

Slightly off topic, but while researching YubiKeys (after listening to Scott Hanselman’s podcast with Sarah Squire), I came across Two Factor Auth which maintains a list of sites that support, well, two factor auth. Exploring the various service, I noticed very few banks support usb hardware tokens. Wells Fargo seemed the only big bank with support. Clicking though the WF link from the Two Factor Auth chart, I ended up on the Advanced Access page trying figure out how WF does U2F. It turns out they use RSA SecurID (not usb U2F) which was uninteresting, but the footnote caught my attention:

We always send our text messages from 93557. Incoming calls with an Advanced Access code will come from 1-800-956-4442. We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

via Wells Fargo Advanced Access

Is this really the case? Every Wells Fargo communication and two factor authentication message comes from 93557? What’s the significance of 93557? And does every company always use the same number?

If so, this is a fantastic piece of advice buried in a random support page

We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

Why doesn’t every company and service mention this?

An investigation

To figure that out, I first needed to learn what that 5 digit non-phone number is really called. Naturally, I went online and searched “what is the number for two factor sms?”

This article from The Verge was at the top: Facebook admits SMS notifications sent using two-factor number was caused by bug

Not what I was looking for, but at least a clue.

Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number

So these numbers have some T9 significance (remember landlines and flip phones?).

I figured that if facebook’s number is known, maybe there are some resources that include more of these numbers, so I quickly searched 362-65 and got 297. 😑

After getting rid of the minus sign, there was this Facebook Support link with people confused after receiving a random text seemingly from Facebook with a link to “fb.com”, a non-“facebook.com” website (here’s another example).

They are right to be concerned.

A little more searching, and boom: short codes

Short Codes

Is this a name people knew about? It’s the first time I came across the phrase “short code” even though I have been using the things for some time now.

It turns out there is an official US Short Code registrar run by CTIA and icontectiv:

Short Code Registry

Short Codes offer marketers unique opportunities to engage their audiences via text messaging. Short Codes are five- or six-digit codes that may be personalized to spell out a company, organization or a related word. Many organizations may choose to use Short Codes to send premium messages, which may charge subscribers additional fees for informative or promotional services such as coupons or news updates.

The Short Code Registry maintains a single database of available, reserved and registered short codes. CTIA administers the Common Short Code program, and iconectiv became the official U.S. Short Code Registry service provider in January, 2016.

For more information, please see the Short Code Registry’s Best Practices and the Short Code Monitoring Handbook.

The iconectiv site routes to https://usshortcodes.com/ where you can learn all about registering, case studies, and best practices. But I still want to know how to verify the sender of that 2FA message.

This is where US Short Code Directory comes in.

The U.S. Short Code Directory and the team at Tatango has assumed responsibility for the indexing of these unique phone numbers, creating the industry’s only public address book.

via https://usshortcodedirectory.com/about/

What do you know, the first code in the directory: Facebook, 32665. But wait, that’s not what’s listed in the Verge article… That’s 32665 vs 36265. Not sure what the deal is there, but may be a typo by The Verge (3-F, 2-B, 6-O, 6-O, 5-K in T9).

Just for a sanity check, does the Wells Fargo short code match their Advanced Access list? Yep! And so does the Capitol One code.

Cool! We figured out a way to verify the sender of SMS based 2FA! Remember though, this does not only apply to 2FA, but also other SMS based communication from the company.

Short Codes in the Wild

Check out this recent Wells Fargo ad on YouTube.

Wells Fargo account alert text message from YouTube ad

At the 17 second mark the narrator mentions “alerting you to certain card activity we find suspicious“. How do they do this? By SMS of course. And what number is the alert from? 93733!? NOOOOO! That’s not 93557.  WF was so close. Missed an opportunity to tie everything back to that random support page. The ad has a caveat “Screen images simulated”, so ¯\_(ツ)_/¯. For what it’s worth the phone number to call is in fact for WF Customer Service.

Questions, Concerns & Opportunities

This feels like the tip of the short code iceberg and I still have a lot of questions. How long do short codes last? Do companies change numbers? Can short code be reused? Can I trust that the next time I receive a message from a short code number that it is from the same company as last time? Can messaging apps label the code like caller id?

I don’t have all the answers, but there are definitely more things to be done to help fight the next generation of phishing. As more companies continue to recommend 2FA and send updates over SMS, we need tools in place to ensure we can trust the messages we receive.

Wells Fargo’s advice to add their numbers to your address book is good, as long as the short code (and normal telephone) numbers do not change over time. While it may be uncommon, it is possible for companies switch numbers, and (possibly more common) previously used numbers can become available for a different company to re-register. In the former, people will see an unknown number seemingly masquerading as a service they do use, which should be a cause for suspicion (although benign). For the latter, people will assume trust in the content from number they recognize (creating a phishing opportunity). While instances of these issues may be unsubstantiated (there’s very little info on how short code numbers change hands and “Best Practices” are all about marketing), this is a reason to have service driven trust management keeping track of ownership and identity.

There is an opportunity for services like US Short Code Directory and tatango to provide access to their index of short codes, so companies like Apple and Google can continue to improve their messaging services. If the Short Code Directory had a public API to query and verify short codes, messaging apps could implement a new style of caller id (essentially a DNS for SMS, but not this) to let you know the message from 227898 that says its “From Capitol One”, is legitimately from Capitol One.

At the end of the day, it should be easier to stay safe online, even if improving short codes are just an obscure part of the solution. Now to see if I can get Wells Fargo and The Verge to fix their typos.

Popular Company Short Codes

Disclaimer, I have not received messages from all of these numbers, so I cannot verify their legitimacy nor comprehensiveness. Given the issues noted above, these numbers may change or companies may start using additional numbers for SMS communication (Google already has at least 5. They may consolidate or add another).

Facebook: 32665 and 3266

Twitter: 40404

Google: 22000, 23333 and others

Apple: 272273 and others

Microsoft: 365365, 51789 and others

Amazon: 262966, 58988 and others

Capital One: 227898 and others

Chase: 28107,  24273 and others

Wells Fargo: 93557 and others

Bank of America: 73981 and others

American Express: 25684 and others

Intuit: 75341 and others

Discover: 347268 and others

PayPal: 729725777539

Venmo: 86753

AT&T: 88170, 883773 and others

Verizon: 27589 and others

T-Mobile: 37981

FedEx: 37473 and others

USPS: 28777 and others

Walmart: 40303 and others

Twilio: 22395 and others

Uber: 82722289203

Additional Reading

Categories
News Feed Thoughts

Workplace Design

Coffee mug and open notebook on a wooden desk

My team is moving back from open to private offices, so it’s an opportune time to find inspiration for the new space. There are all sorts of studies about collaboration and productivity level in open space vs closed offices, but Joel Spolsky and Anil Dash from Stack Overflow and Fog Creek have perspectives from the lens of software engineers that still hold nearly fifteen years later.

Office space seems to be the one thing that nobody can get right and nobody can do anything about. There’s a ten year lease, and whenever the company moves the last person anybody asks about how to design the space is the manager of the software team, who finds out what his new veal-fattening pens, uh, cubicle farm is going to be like for the first time on the Monday after the move-in.

Well, it’s my own damn company and I can do something about it, so I did.

Bionic Office by Joel Spolsky

Mindset

Building great office space for software developers serves two purposes: increased productivity, and increased recruiting pull. Private offices with doors that close prevent programmers from interruptions allowing them to concentrate on code without being forced to stop and listen to every interesting conversation in the room. And the nice offices wow our job candidates, making it easier for us to attract, hire, and retain the great developers we need to make software profitably. It’s worth it, especially in a world where so many software jobs provide only the most rudimentary and depressing cubicle farms.

The New Fog Creek Office by Joel Spolsky

Just take a look at the long list of requirements for the office space:

  • Gobs of well-lit perimeter offices
  • Desks designed for programming
  • Glass whiteboards
  • Coffee bar and lunchroom
  • A huge salt water aquarium
  • Plenty of meeting space
  • A library
  • A shower
  • Wood floors, carpet, concrete

The link to photos of the space is broken, but not because the space didn’t work out; Joel’s ideas on workplace design outlasted Picasa. Luckily the NYTimes article on the Fog Creek office still has a few thumbnail sized images. Plus street view is still a thing.

They used bold, playful colors and bright common areas to foster in-the-trenches camaraderie and created private soundproof offices where the programmers can go to get their jobs done.

A Software Designer Knows His Office Space, Too via NYTimes

Spolsky wanted a space designed intentionally for deep work and collaboration, and he put a considerable amount of thought to ensure he built a productive environment for the people at Fog Creek. It paid off.

Results

Spolsky has a treasure trove of knowledge on his blog that spills out amongst others on his team. The rich history is pervasive across those he influences.

With a private office, you’re in control of your space and attention: you can choose when to close the door and avoid interruptions, and when to go play ping-pong, talk with coworkers or work out of the coffee bar. In an open office you’re at the mercy of the people around you: if they’re talking, the best you can do is crank up your headphones and hope to drown them out, and if they’re playing foosball then good luck.

Everybody has their own rhythm. People come in at different times, take breaks at different times, need to socialize at different times, and have their most productive hours at different times. Management’s job is to accommodate that and create a space where all those conflicting needs don’t congeal into a persistent hum of distraction — not to enforce some top-down ideal of openness and creativity. Private offices put the people who do the actual work in control.

Why We (Still) Believe in Private Offices by David Fullerton

Fullerton’s post shows how teams can create a “magnificent culture of non-distraction” by using technology to keep people in control of how they work. At first, the idea typing out a chat, going back and forth seems less efficient than tapping someone on the shoulder for help, but leveraging technology as a tool to help people stay in the flow actually makes sense.

Whenever we get a new hire in the office, I make it a point to sit down with them in their first week and explain that they should not go to someone’s office when they have a question. Instead, ping them in chat and then jump on a hangout. The result is exactly the sort of culture that open offices are supposed to promote but better:

  • If someone else sees the message, they can chime in with the answer
  • If someone else is interested in the discussion, they can jump onto the hangout
  • And, crucially, if someone is working heads-down and doesn’t want to be distracted, all they have to do is close the chat window.

But what about marketing and design? And how about expanding teams?

We don’t actually even give everyone private offices: some people are doubled up in offices, and the sales and marketing teams sit in larger open spaces because they feel that’s an important part of how they work.

Evolution

Putting employees first is always at the heart of how we create great places to work.

In 2017 Fog Creek moved to it’s fourth headquarters (1, 2, 3, 4). They could have recreated a bigger version of their office 3.0, but instead they reflected on their team dynamic and arrived at a design that allows people to work in a variety of ways. With a largely remote workforce and a larger percentage of people in non-technical roles, Anil Dash (Fog Creek CEO as of December 2016) understood the existing office design could be enhanced.

The new office also includes a variety of work spaces that accommodate different work modes. Anil mentioned personal offices for standalone work, but they also work well for collaborative work like pair programming. There are workstations for independent or individual co-working, and phone booths for external communication such as sales calls or podcast appearances. There’s also our conference room — known as the “quiet car” — which can be used across a number of different work modes. And true to the nature of our office being flexible and experimental, we are already re-configuring some of these spaces based on how we use them.

Beyond Open Offices: The New Fog Creek Headquarters by Maurice Cherry

Fog Creek treats their office like any other product they produce. With Spolsky at the helm, the company researched best designs, planned with it’s people in mind, built it’s ideal vision, and iterated on the product, improving with each new update.

As the company has grown and changed over the years, so has our office space. Joel’s grand visions for what a work environment should do for employees have been part of Fog Creek from the very beginning, and we have tried to honor that legacy. We also have plenty of plans for the future, and look forward to continuing our tradition of incubating new teams and ideas from within our company and beyond.

Inspiration

For those of you looking to revitalize your open space or bring the aesthetics of open plan spaces to a private office from Design Milk 2017 Where I Work Year in Review. Since these aren’t Fog Creek offices, the productivity may not be at the same level, but they look cool.

All the links

View at Medium.com

View at Medium.com

Categories
News Feed

Edge Computing

Self-driving cars are, as far as I’m aware, the ultimate example of edge computing. Due to latency, privacy, and bandwidth, you can’t feed all the numerous sensors of a self-driving car up to the cloud and wait for a response. Your trip can’t survive that kind of latency, and even if it could, the cellular network is too inconsistent to rely on it for this kind of work.

But cars also represent a full shift away from user responsibility for the software they run on their devices. A self-driving car almost has to be managed centrally. It needs to get updates from the manufacturer automatically, it needs to send processed data back to the cloud to improve the algorithm

What is edge computing? via The Verge

The decision to avoid an obstacle or slam on the brakes needs to happen instantaneously. A self driving car does not have the luxury of time to wait for a decision to beam down from the cloud. A car must have the latest decision-making ability available on board, so it can react to inputs using it’s current understanding and update the model in the cloud to enhance the driving capabilities of the entire fleet cars.

Further reading/viewing:

The End of Cloud Computing by Peter Levine

Categories
News Feed

Aggregation and Integration

breaking up a formerly integrated system — commoditizing and modularizing it — destroys incumbent value while simultaneously allowing a new entrant to integrate a different part of the value chain and thus capture new value.

Why aggregation matters is that it is the means by which new integrations are achieved:

  • Netflix leveraged its position as an aggregator of video content into the integration of the customer relationship and content creation, undoing the integration of linear channels and content creation
  • Airbnb/Uber and other similar services integrate the customer relationship with the driver/homeowner relationship, undoing the integration of cars/property with payment
  • Google and Facebook integrated content discovery with advertising, undoing the integration of editorial and advertising

Zillow is embracing a model that, should it be successful, tears down the status quo: this will not only enrage Zillow’s customers, but also endanger Zillow’s primary revenue stream.

Thompson outlines evolving his method of explaining trends in technology. While his initial thoughts on aggregation theory captured most of the story, Zillow’s recent news expanded his thinking such that aggregation must leverage integration to transform value chains. This pivot does not discount his previous mindset but gives an opportunity to reflect on older insights and use the new frame of reference going forward.

Zillow, Aggregation, and Integration via Stratechery

 

Categories
Articles Productivity Thoughts

Slow Social Media

In his recent posts, Cal Newport outlines why our attention will benefit from individuals owing their own domains. We may need tools to help us do it, but companies will assist us from behind the scenes allowing us to build our own brands. People should be able to move their brand (and data) from one platform to another when improvements come along. This is the social internet, and it will power the economy of the future. Value online comes from those who create it. All we can do as technologists is empower others to make their art with greater efficiency.

Context: On Social Media and its Discontents and Beyond Delete Facebook by Cal Newport

Categories
Technology

Fixing the Blog

Hammer and bent nails on a wood block

Thank you Jetpack Support

First of all, Jetpack support is amazing. Automattic is known for its customer service oriented culture, and it shows. I was running into an issue where Jetpack would not connect to my site, so I reached out to their support team. They were responsive in helping me figure out the tech at all hours of the day, and they even researched how to solve a problem with a non-Automattic product. Great stuff, I appreciate it!

Here’s the link if you need help with Jetpack.

WordPress and Site Address URL

The first issue has been with the site since day one. For custom WordPress installs, the WordPress Address and Site Address URLs should be the same (both set to https://ryancropp.com in this case) no matter what they say:

Site Address (URL):

Enter the address here if you want your site home page to be different from your WordPress installation directory.

Just don’t try to manually update WordPress and Site address to your custom domain from wp-admin dashboard. You will get locked out.

To fix the issue you need to FTP into your site and update the siteurl in the functions.php file for your installed theme:

update_option('siteurl','https://ryancropp.com');
update_option('home','https://ryancropp.com');

Refresh WordPress admin and then remove the update_option code.

Clear site cache

Just for good measure, clear the Project Nami blob cache so no old site configurations are left hanging around. The instructions are in the readme of the Blob-cache download (why!?).

An aside on Cron expressions

They’re kind of fun, but how are these still a thing? I guess we have Unix to thank. I need to use them 0 0 0 0 0 ? 2018/2 or 0 0 0 0 0 ? 2018/3 at best. Here are some docs from Oracle and Quartz to figure out what that means.

Jetpack and Project Nami

Turns out everything up to this point had nothing to do with getting Jetpack to work. It certainly didn’t hurt, but attempting to link Jetpack still showed the error “Verification secrets not found”.

Jetpack verification secrets error message

On a whim I decided to look into the compatibility issues with Jetpack and Project Nami, the caching mechanism for WordPress on Azure. And what do you know, Issue #237 on the Project Nami GitHub had the answer.

One should now be able to solve the issue by adding the following to the site’s wp-config.php:

define( ‘JETPACK_DISABLE_RAW_OPTIONS’, true );

See Automattic/jetpack#7875 for more info.

So finally, if you’re following along at home, disable Jetpack raw options for Project Nami…

And it works!

You can sign up for email subscriptions in the sidebar.

A red-herring extension

Turning off browser extensions may or may not have helped. I turned off Ghostery in the middle of the process, forgot about it, then realized it was still off some time later.

Happy blogging