
Internet Safety Tips

Lots of weird things just happened at once.

It’s always important to be cognizant of what and who you interact with online, but phishing is way up right now, so be extra careful with emails, links, and articles sent to you that you didn’t initiate or request. And while email phishing is often a main focus for scams, there are additional methods to be aware of and keep in mind. Reseller and rental sites like eBay, Craigslist and Airbnb present similar opportunities for scams; however, these scams are crafted differently since you are often the one initiating the contact with an unverified third party (instead of the other way around).

So weirdness, here’s what happened

Over the course of the afternoon, 5 phishy things happened to three different groups of people I know.

  1. Three people in the same family individually received notices that a PayPal, credit card, and Instagram account were hacked.
  2. A friend got an email that someone signed into their Instagram on a new device.
  3. Another friend stumbled across a Craigslist apartment rental phishing scheme. (The exact one covered in this report. Word for word, save for a change in company name and a different person in nearly identical photos)

This is very coincidental timing, but it’s a good opportunity for an internet safety refresher!

Safety tips & reminders:

I shared these with family and friends after all this weirdness, but will aggregate them here.

1. When in doubt, go to the actual site

If you get an email from PayPal (or your bank or Instagram) about an account issue, go to the PayPal website yourself to check out the notification. Don’t click on any links sent to you. You can hover over links to see where they really go, but even then, it can be easy to miss smaII deta1ls.

paypa1

So to be safe, go to PayPal using the app, by searching for PayPal (trusting the wisdom of the search engine crowd), or by manually going to https://www.paypal.com.

Better yet, once you are on the PayPal.com that you know is the actual PayPal.com, add it to your favorites and use your own personal trusted bookmark to get back to the real PayPal every time. This way you don’t make a mistake later by mistyping the URL and ending up somewhere you don’t expect. (And yes, I’m purposefully not linking to PayPal from here. Go build that muscle.)

This tip applies to phone calls too!

Summary: It’s your best bet to search for the site/article/etc or go directly to the url if you have it saved somewhere.
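The hover check from this tip, written out as an added example (not code from the original post): it compares where a link really goes against your own bookmarked sites and flags look-alike spellings such as the "paypa1" shown above. The `TRUSTED` list, the small look-alike character map and all sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the reader's own bookmarked sites, written as registrable domains.
TRUSTED = {"paypal.com", "instagram.com"}

# Small illustrative map of look-alike characters; a real list is much longer.
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})


def skeleton(text):
    """Fold look-alike characters so 'paypa1' and 'paypal' compare equal."""
    folded = text.lower().translate(_CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w")


def is_trusted_host(host):
    """True only for a bookmarked domain itself or one of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def classify_href(href):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("suspicious", "link cannot be parsed")
    if not host:
        return ("unknown", "no host in link")
    if parts.username is not None:
        # In https://www.paypal.com@login.example.net/ the real host follows the '@'.
        return ("suspicious", "text before '@' hides the real host " + host)
    if is_trusted_host(host):
        if parts.scheme == "https":
            return ("trusted", host)
        return ("suspicious", "bookmarked host but the link is not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode host, check the decoded name by hand")
    folded = skeleton(host)
    for t in sorted(TRUSTED):
        brand = skeleton(t.split(".")[0])
        if brand in folded:
            return ("suspicious", host + " imitates " + t)
    return ("unknown", host)


def check_email_link(display_text, href):
    """Also catch link text that names a bookmarked site but points elsewhere."""
    verdict, reason = classify_href(href)
    if verdict == "unknown":
        shown = skeleton(display_text)
        for t in sorted(TRUSTED):
            if skeleton(t.split(".")[0]) in shown:
                return ("suspicious", "text mentions " + t + " but link goes to " + reason)
    return (verdict, reason)


# Constructed sample links (reserved example domains), not taken from real emails.
SAMPLES = [
    ("Review your account", "https://www.paypal.com/signin"),
    ("Review your account", "https://www.paypa1.example/signin"),
    ("Review your account", "https://paypal.com.account-check.example/login"),
    ("Review your account", "https://www.paypal.com@login.example.net/"),
    ("Log in to PayPal", "https://login.example.net/session"),
    ("Read the article", "https://example.org/article"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(check_email_link(text, href), href)
```

Anything that is not "trusted" is a cue to stop and open the site from your own bookmark instead of the link.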

2. Use a password manager

You can visit every site you go to as carefully as possible, but if you reuse passwords, one security breach can cause issues across your accounts.

A password manager creates strong, unique passwords for every one of your accounts and securely keeps track of them all for you. You only need to remember your master password to unlock the account.

Some good options are LastPass, Dashlane, and 1Password.

They can also help you more easily change passwords if one is stolen or part of a data breach. You can check to see if your accounts have been part of a data breach using Have I Been Pwned (just don’t enter your current passwords).

Password managers can be difficult to transition to at first, as you need to manually change passwords one at a time, but if you use a password manager solely to keep track of new accounts, you can quickly start to see the benefit.

Read this exhaustive post to learn more before you set up a password manager. A quote:

Password managers are programs that remember passwords for you, along with the email address or other user identifier you use for each account. They make it easier to use strong passwords: those that are sufficiently random, long, and different for every one of your accounts. They also make it easier to lose all your passwords at once, or for attackers to steal all your passwords in one instant.

Summary: See above quote, but you should probably be using one of these.

3. Set up two factor authentication (2FA)

After setting up strong passwords, you can go a step further to safeguard that even if one of your account credentials is compromised, you are still in control of signing into the account.

Two factor authentication satisfies the “something you know, something you have” paradigm for online security (or the first two parts of multi-factor authentication). You know your password and have either a code or USB key or app to verify you are you. If your password is compromised, the second factor of authentication ensures someone with just your password cannot log in.

Needing a second factor can cause problems, however, if you (who, in reality, is you) lose the second factor of authentication. Then you can be locked out just as if you were an attacker.

Also, if multiple people use the same account, two factor authentication can be difficult. With 2FA enabled someone may try to log into an account and the 2FA code can be sent to someone else (which also happened to my family today).

Read this other equally exhaustive post to learn more before you set up 2FA.

Summary: Two factor auth can help keep your accounts secure, but comes with some extra challenges.

4. Keep third party communication within app and website services

This one is related to staying safe when reaching out to others you don’t know online. Talking to strangers! 😱

Whenever possible, keep communication within the app or website service you are using. If buying on eBay, communicate on eBay. If renting on Airbnb, use their chat functionality. Let the site intermediate communication. Don’t share your email or phone number to talk with a third party seller or host outside of the service. Major sites like eBay and Airbnb have measures in place to help you stay safe (and allow you to provide evidence in case of an issue), but only if you leverage their tools.

Be extra cognizant on Craigslist where direct email communication is the standard! I’ll put this Anatomy of a rental phishing scam post here again as a reminder to read it. A quote:

The first red flag was “So we’ll keep our communication to email if that’s ok with you”.

This tip also applies to articles you read or videos you watch. If you aren’t sure of the source, don’t trust, verify 🙃

Summary: There are more signs of a scam than only asking for your bank account and credit card information.

5. Bonus Tip: Use Zoom on your phone or browser

If you use Zoom, you should know that Google banned its employees from using the desktop app, and suggests using mobile or web.

Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile

Google’s guidance is to uninstall and block the app completely (maybe because they prefer everyone to use Hangouts 🤷‍♂️). In any case, if you’re interested, here’s how you can uninstall the desktop version on Mac and PC.

A legitimate reason behind allowing mobile and web, but blocking desktop, stems from the fact that mobile and web platforms have security and containment measures in place that limit sites and apps from accessing your underlying device. Whereas apps installed from the internet can do whatever they want after you type in your computer account password to allow higher level device access.

To continue using Zoom on a desktop, here’s Zoom’s support article on how to join a call using your web browser. The link is a bit hidden (and misleading), but it looks like this:

zoom

Summary: Use your phone to show off your Zoom backgrounds

 

That’s all for now

Stay safe. Wash your hands. Wear a mask. Don’t touch your face or click on links in your email 🧼


Learnings From My First Conference Talk

This past Tuesday I gave my first conference talk at View Source in Amsterdam! It was an awesome experience at an amazing venue in a rainy city where people from all corners of the web came together to discuss many of the challenges, opportunities, and learnings for browsers, web development and the overall landscape of the internet.

I work on creating experiences to help people stay safe and have greater privacy online, so it was enlightening to hear from such a wide range of topics about the web. I’m always impressed by the depth of understanding and passion people have about their subjects of work, and the speakers and attendees at View Source carried an overwhelming amount of inspiration.

Just to name a few, gaming, entertainment, monetization, accessibility, connectivity, and rethinking digital utopianism were all covered. I love hearing about what people are working on. It shows how there is so much to think about and is a humbling reminder that my work is a small piece of a vibrant community.

I was fortunate to attend the conference with a group of us from the Microsoft Edge team. It was a great team bonding experience to get to know others from different parts of the team who I don’t normally work with. While it’s not always possible, I would highly recommend going to conferences with folks from your team. It’s great to have others with a similar frame of reference to talk about new ideas and to be more connected when you get back to work.

My colleague Lillian Kravitz and I spoke about the privacy principles we’ve developed for Edge. Melanie Richards gave a talk about the simple and actionable steps to help make your site accessible to everyone by considering various contrast and theme settings, and others on the team held “conversation corner” discussions about web compatibility and more. The talks were recorded, and I’ll post a link here when it’s available. (Here it is! And me tweeting about the talk.)

A main theme of our privacy talk was listening, learning, and trying to gain a fresh perspective on a topic we thought we were familiar with. I know I am not at all familiar with giving talks on a big stage, but the aspect of learning something new and having a different perspective on presenting my work still felt as fitting to the process of giving the talk as it did to the contents of the talk itself.

I can come back to more about the talk when the recording is posted, but for now, while the experience is still fresh in my mind, I wanted to reflect on the things I learned, what went well, and what I could improve for next time. Because, yes, giving a talk is exhilarating and this one will not be my last.


Preparing

Our talk was second to last on the last day of the conference. It’s tough having a time slot late in the day on a later day of a conference (this post and comments came to mind when I learned of our time). You almost need to leave something small to clean up and keep working on during the conference because if you show up on day 1 ready to go, you’ll have to keep your excitement and preparedness high for quite a while.

It would be great to be at peak preparation the night before the talk, but even then, we ended up waiting 8 hours the day of as our talk was at 5pm and the events started at 9am. At breakfast the morning of, excitement needs to be reserved because adrenaline could give out well before the talk. I likened the situation to an athlete or musician where a game or performance is late at night (worth looking more into how they manage energy). You need your energy and focus to be up at an hour different than your normal operating schedule.

Which leads to another interesting aspect of this conference. Traveling to a different time zone can be debilitating for the first few days. Especially when it’s many hours different than you’re used to (And seemingly more-so when going east around the globe?).

I am not one to take naps normally, but when your schedule is turned upside down, naps can be your friend.

Luckily the hotel was nearby the conference theater, so it was easy to go back to sleep. I was conflicted because I wanted to listen to all the talks, but I knew if I wanted to have the energy for my talk, I’d need to sleep a bit before we were up.

My pre-talk routine (but maybe not a routine because I only did it once) was to check the slides early in the morning before the first talk, listen to the first few talks, go for a nap, head back for lunch, listen to more talks (three hours before ours), regroup for a bit just before getting mic’ed up, then go on stage. Seemed fine. I think the whole process would have been easier in my normal time zone, but this helped manage energy and focus well enough.

The talk

It’s impossible to even scratch the surface of all you need to know going into something you’ve never done before. You have to put yourself out there and figure things out as you go.

There’s a lot of “tribal speaker knowledge” I learned from this first talk. Questions I hadn’t considered asking because they didn’t even come to mind before, and issues I could have mitigated had I known a bit more about the process. All good takeaways though. Makes me want to try again soon to test out my new perspective.

First, I think I was a little too reliant on my slide notes. I wanted to be sure to hit the speaking points we planned, but the talk felt less conversational as a result. The story we were going for lent itself to a more prescriptive presentation style, as we were sharing a process others might be able to apply, but I enjoyed the more casual and friendly sounding style of some other presenters that was more akin to giving a well thought out answer to a question rather than reading a speech.

Awareness of my over reliance on notes cropped up when, under some unforeseen circumstances, a few of my notes got cut off from the presenter screen. Without the expected cue, I stumbled a bit to keep with the flow I’d practiced when leading from an idea on one slide to the next. This was unfortunate because we checked the presenter screens before the talk, I just missed the few slides that had issues.

But when things don’t go according to plan, you’ve got to improvise! You can’t do a dance and walk off stage. You have to keep going!

Second was a simple problem of struggling with the clicker having issues advancing slides. At one point I thought I was ahead of where I was only to realize I missed a slide. (Sorry folks, that one image transition really made the talk 🙃).

After the talk when we went backstage to the “green room” talking about how it went, in an eye opening detail to me, another presenter mentioned that before his talk he asked the AV team where to point the clicker. I hadn’t even considered doing that. I figured the thing would just work (and I really think it just should), but for such a simple, yet crucial piece of presentation consistency, it was important to understand. This was some tribal knowledge that one who had given talks might know from variance of venues and presentation setups, but for me, it had not even crossed my mind.

Overall though, I think we did well. We connected ideas from other talks in the conference about privacy, collaboration, and the future of the web, and presented our customer focus as a way to reframe thinking about developing experiences. We realized there is always more to learn, and listening to feedback to spur continuous improvement was a common theme encompassing our time at the conference.

So yeah, that was the talk. Lots to think about for next time, but mostly minor tweaks to smooth out delivery. It was a great start to what I am looking forward to as the beginning of many more to come. I definitely have areas to improve, and am anxiously awaiting the recordings to come out to kick myself over all the little things I didn’t get quite right. But I’m not going to harp on the mistakes. I’m going to learn from them to make my next talk even better. Can’t wait.

Touristing

Oh, and I mentioned the talk was in Amsterdam!? How about a quick travel update to round out the trip.

Side note, I think the concept of being a tourist and trying to avoid touristy things is funny. Why try so hard? Just go, enjoy the culture, and have a good time!

Side side note, a couple weeks ago at an organized bike ride in Seattle, which I would consider a very local thing to do, I met a couple who traveled from Missouri (I think it was Missouri, can’t remember exactly) who were visiting specifically to do the bike ride. No idea how they found out about it, but I was amazed at their ability to be local tourists. Pretty cool.

Anyway, I really like Amsterdam. The bikes, canals, frites, stroopwafels, and tiny red cars all come together into a bustling culture. People are friendly, even if I often misunderstand what’s said under a Dutch accent (a taxi driver asked me how long I had to wait for the ride, and I answered I would be returning to the US. Thought he asked where I was heading… Sorry!).

Amsterdam is the first country outside of USA and Canada I’ve now been to twice, and I would definitely go again. Here are some photos from the rainier and sunnier parts of quickly playing tourist while on a trip for work.


Google transferred ownership of Duck.com to DuckDuckGo

This made quite the ruffle today when Google transferred the domain duck.com to the privacy focused search engine DuckDuckGo.

Google’s ownership of Duck.com was previously a source of frustration for DuckDuckGo, when it would redirect users to Google’s rival homepage instead of DuckDuckGo. Google kindly tried to clear up this confusion in July by adding a DuckDuckGo link to the page. Visiting Duck.com now redirects users straight to DuckDuckGo.

via The Verge

The best part is the previous page for duck.com


Sunday Reading: Thoughts on The Tech Industry’s War on Kids

Reflecting on The Tech Industry’s War on Kids: How psychology is being used as a weapon against children

Richard Freed is a child psychologist who focuses on helping families work through “extreme overuse of phones, video games, and social media.”

Preteen and teen girls refuse to get off their phones, even though it’s remarkably clear that the devices are making them miserable. I also see far too many boys whose gaming obsessions lead them to forgo interest in school, extracurricular activities, and anything else productive. Some of these boys, as they reach their later teens, use their large bodies to terrorize parents who attempt to set gaming limits. A common thread running through many of these cases is parent guilt, as so many are certain they did something to put their kids on a destructive path.

Kids might be struggling with technology, but adults may also act like children if older folks had to go a day without technology. Maybe we should all take a digital detox.

Captology

BJ Fogg directs the Stanford Persuasive Technology Lab. There are tons of research and design practices used by today’s most popular apps, websites, and games, but we can still use this newfound power for good. Although, whether good or bad, the techniques are still shaping human behavior without consent.

Fogg’s website also has lately undergone a substantial makeover, as he now seems to go out of his way to suggest his work has benevolent aims, commenting, “I teach good people how behavior works so they can create products & services that benefit everyday people around the world.” Likewise, the Stanford Persuasive Technology Lab website optimistically claims, “Persuasive technologies can bring about positive changes in many domains, including health, business, safety, and education. We also believe that new advances in technology can help promote world peace in 30 years.”

Why don’t we make it easy for kids and adults to spend their time doing the things society deems productive? Part of the challenge is exposing kids to new opportunities and experiences to help them understand their real world potential, even at their age.

While persuasion techniques work well on adults, they are particularly effective at influencing the still-maturing child and teen brain. “Video games, better than anything else in our culture, deliver rewards to people, especially teenage boys,” says Fogg. “Teenage boys are wired to seek competency. To master our world and get better at stuff. Video games, in dishing out rewards, can convey to people that their competency is growing, you can get better at something second by second.” And it’s persuasive design that’s helped convince this generation of boys they are gaining “competency” by spending countless hours on game sites, when the sad reality is they are locked away in their rooms gaming, ignoring school, and not developing the real-world competencies that colleges and employers demand.

Motivation/inspiration, Ability/capability, Trigger/feedback

According to B.J. Fogg, the “Fogg Behavior Model” is a well-tested method to change behavior and, in its simplified form, involves three primary factors: motivation, ability, and triggers. Describing how his formula is effective at getting people to use a social network, the psychologist says in an academic paper that a key motivator is users’ desire for “social acceptance,” although he says an even more powerful motivator is the desire “to avoid being socially rejected.” Regarding ability, Fogg suggests that digital products should be made so that users don’t have to “think hard.” Hence, social networks are designed for ease of use. Finally, Fogg says that potential users need to be triggered to use a site. This is accomplished by a myriad of digital tricks, including the sending of incessant notifications urging users to view friends’ pictures, telling them they are missing out while not on the social network, or suggesting that they check — yet again — to see if anyone liked their post or photo.

It seems we should be able to reframe the three motivation, ability, and triggers behavioral factors into a more productive framing of inspiration, capability, and reinforcement. For example, a kid who enjoys watching YouTube creators may be inspired to make a channel of their own. YouTube, influencers, or another service, can help kids build their movie making capabilities. Feedback on work can help reinforce learning and growth. In the end, kids are still spending time where they want to, but the behavioral model focuses on a healthy balance of creation and consumption leading to development in modern day, “real world capabilities”.

Mostly terrifying

the startup Dopamine Labs boasts about its use of persuasive techniques to increase profits: “Connect your app to our Persuasive AI [Artificial Intelligence] and lift your engagement and revenue up to 30% by giving your users our perfect bursts of dopamine,” and “A burst of Dopamine doesn’t just feel good: it’s proven to re-wire user behavior and habits.”

Ramsay Brown, the founder of Dopamine Labs, says in a KQED Science article, “We have now developed a rigorous technology of the human mind, and that is both exciting and terrifying. We have the ability to twiddle some knobs in a machine learning dashboard we build, and around the world hundreds of thousands of people are going to quietly change their behavior in ways that, unbeknownst to them, feel second-nature but are really by design.”

Facebook Messenger Kids

How has the consumer tech industry responded to these calls for change? By going even lower. Facebook recently launched Messenger Kids, a social media app that will reach kids as young as five years old. Suggestive that harmful persuasive design is now honing in on very young children is the declaration of Messenger Kids Art Director, Shiu Pei Luu, “We want to help foster communication [on Facebook] and make that the most exciting thing you want to be doing.”

Facebook’s narrow-minded vision of childhood is reflective of how out of touch the social network and other consumer tech companies are with the needs of an increasingly troubled generation. The most “exciting thing” for young children should be spending time with family, playing outside, engaging in creative play, and other vital developmental experiences — not being drawn into the social media vortex on phones or tablets. Moreover, Facebook Messenger Kids is giving an early start to the wired life on social media that we know poses risks of depression and suicide-related behavior for older children.

In response to the release of Facebook’s Messenger Kids, the Campaign for a Commercial-Free Childhood (CCFC) sent Facebook a letter signed by numerous health advocates calling on the company to pull the plug on the app. Facebook has yet to respond to the letter and instead continues to aggressively market Messenger Kids for young children.

Conscious workflows vs impulsive habits

President John F. Kennedy’s prescient guidance: He said that technology “has no conscience of its own. Whether it will become a force for good or ill depends on man.”

From Cal Newport:

Workflows are arguably more important than your high-level habits when it comes to impacting how effectively you produce valuable things (my preferred definition of “productivity”), but they’re a topic that’s often ignored.

Indeed, for most people, the workflows that drive their professional life are processes that haphazardly arose without much intention or consideration.

This fall, in other words, consider spending some serious time evaluating your workflows before turning your attention to the habits that help you deal with the obligations these flows generate.

Technology gives us the tools to do more. It’s up to us to decide how we leverage our new powers.

The best analogy I’ve ever heard is Scientific American, I think it was, did a study in the early 70s on the efficiency of locomotion, and what they did was for all different species of things in the planet, birds and cats and dogs and fish and goats and stuff, they measured how much energy does it take for a goat to get from here to there. Kilocalories per kilometer or something, I don’t know what they measured. And they ranked them, they published the list, and the Condor won. The Condor took the least amount of energy to get from here to there. Man didn’t do so well, came in with a rather unimpressive showing about a third of the way down the list.

But fortunately someone at Scientific American was insightful enough to test a man with a bicycle, and man with a bicycle won. Twice as good as the Condor, all the way off the list. And what it showed was that man is a toolmaker, has the ability to make a tool to amplify an inherent ability that he has. And that’s exactly what we’re doing here.

Additional reading

BJ Fogg commented on the article and provided a list of his works to raise awareness about the ethics of persuasive tech.

A recent Atlantic article, “Have Smartphones Destroyed a Generation?,” by Dr. Jean Twenge

Stratechery article on Tech’s Two Philosophies: Some problems are best solved by human ingenuity; others by collective action


Short Codes (aka Messages & Two Factor Authentication from Random Five to Six Digit Numbers)

There are some cool new security features in the latest versions of iOS and Android to help you keep your accounts secure. Android’s updated Messages app and iMessage in iOS 12 both bring simplified one-time passcodes and two factor authentication (2FA) management.

iMessage – iOS 12

iMessage Security code AutoFill
Security code AutoFill. SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about memorizing them or typing them again.

 

Android Messages

Copy one-time passwords with one tap
Now, when you receive a message with a one-time password or code from a secure site—such as your bank—you can save time by copying that password directly from the message with a tap.

 

With both Apple and Google updating their messaging apps to ease use of text message (SMS) based two factor authentication, I’ve been thinking about why copying a verification code is the feature we need to bring more people to use 2FA. While cutting down steps required to use 2FA will make for a more streamlined experience, there seems to be an opportunity elsewhere to improve general usability of SMS based 2FA.

I understand there has been plenty of discussion regarding the security risks of these features, but putting aside discussion of the entire 2FA ecosystem and the shortcomings of SMS based 2FA, let’s look at a quirk of how people experience 2FA on their phones.

An example

Android Messages two factor authentication shortcut

Take the Capital One notification from this article discussing the “copy 2FA code” feature in Android Messages. The message from number 227898 says “From Capital One” and provides a code: 939966. There are two things we need to figure out here. One, that this is in fact the message from Capital One, and two, this message contains the 2FA one-time passcode we need to complete the log on process.

First off, while the message says it’s from Capital One, we know from our phishing lessons that we shouldn’t use the content of a message to influence our trust decision making process. The timing of getting this message in relation to attempting to log in to a bank account would make it seem like the message is legitimately from Capital One, but how can we be sure? What is that 227898 number? Can we look it up like a phone number to verify it is registered to Capital One?

The second bit of confusion is recognizing the 2FA verification code is 939966, not the big bold 227898 number at the top of the message. Usually the distinction between sender and message is clear with a regular 10 digit phone number or a message from someone in your contact list, but when you are sent a six digit code from a six digit number you need to do more mental processing to choose the right number. Google has partially resolved the issue by giving an explicit action to copy the 2FA code, but it feels a little strange not being able to see the actual code in the message.

An aside

Slightly off topic, but while researching YubiKeys (after listening to Scott Hanselman’s podcast with Sarah Squire), I came across Two Factor Auth which maintains a list of sites that support, well, two factor auth. Exploring the various services, I noticed very few banks support USB hardware tokens. Wells Fargo seemed the only big bank with support. Clicking through the WF link from the Two Factor Auth chart, I ended up on the Advanced Access page trying to figure out how WF does U2F. It turns out they use RSA SecurID (not USB U2F) which was uninteresting, but the footnote caught my attention:

We always send our text messages from 93557. Incoming calls with an Advanced Access code will come from 1-800-956-4442. We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

via Wells Fargo Advanced Access

Is this really the case? Every Wells Fargo communication and two factor authentication message comes from 93557? What’s the significance of 93557? And does every company always use the same number?

If so, this is a fantastic piece of advice buried in a random support page

We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

Why doesn’t every company and service mention this?

An investigation

To figure that out, I first needed to learn what that 5 digit non-phone number is really called. Naturally, I went online and searched “what is the number for two factor sms?”

This article from The Verge was at the top: Facebook admits SMS notifications sent using two-factor number was caused by bug

Not what I was looking for, but at least a clue.

Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number

So these numbers have some T9 significance (remember landlines and flip phones?).

I figured that if Facebook’s number is known, maybe there are some resources that include more of these numbers, so I quickly searched 362-65 and got 297. 😑

After getting rid of the minus sign, there was this Facebook Support link with people confused after receiving a random text seemingly from Facebook with a link to “fb.com”, a non-“facebook.com” website (here’s another example).

They are right to be concerned.

A little more searching, and boom: short codes

Short Codes

Is this a name people knew about? It’s the first time I came across the phrase “short code” even though I have been using the things for some time now.

It turns out there is an official US Short Code registrar run by CTIA and iconectiv:

Short Code Registry

Short Codes offer marketers unique opportunities to engage their audiences via text messaging. Short Codes are five- or six-digit codes that may be personalized to spell out a company, organization or a related word. Many organizations may choose to use Short Codes to send premium messages, which may charge subscribers additional fees for informative or promotional services such as coupons or news updates.

The Short Code Registry maintains a single database of available, reserved and registered short codes. CTIA administers the Common Short Code program, and iconectiv became the official U.S. Short Code Registry service provider in January, 2016.

For more information, please see the Short Code Registry’s Best Practices and the Short Code Monitoring Handbook.

The iconectiv site routes to https://usshortcodes.com/ where you can learn all about registering, case studies, and best practices. But I still want to know how to verify the sender of that 2FA message.

This is where US Short Code Directory comes in.

The U.S. Short Code Directory and the team at Tatango has assumed responsibility for the indexing of these unique phone numbers, creating the industry’s only public address book.

via https://usshortcodedirectory.com/about/

What do you know, the first code in the directory: Facebook, 32665. But wait, that’s not what’s listed in the Verge article… That’s 32665 vs 36265. Not sure what the deal is there, but may be a typo by The Verge (3-F, 2-B, 6-O, 6-O, 5-K in T9).

Just for a sanity check, does the Wells Fargo short code match their Advanced Access list? Yep! And so does the Capital One code.

Cool! We figured out a way to verify the sender of SMS based 2FA! Remember though, this does not only apply to 2FA, but also other SMS based communication from the company.

Short Codes in the Wild

Check out this recent Wells Fargo ad on YouTube.

Wells Fargo account alert text message from YouTube ad

At the 17 second mark the narrator mentions “alerting you to certain card activity we find suspicious”. How do they do this? By SMS of course. And what number is the alert from? 93733!? NOOOOO! That’s not 93557. WF was so close. Missed an opportunity to tie everything back to that random support page. The ad has a caveat “Screen images simulated”, so ¯\_(ツ)_/¯. For what it’s worth the phone number to call is in fact for WF Customer Service.

Questions, Concerns & Opportunities

This feels like the tip of the short code iceberg and I still have a lot of questions. How long do short codes last? Do companies change numbers? Can short codes be reused? Can I trust that the next time I receive a message from a short code number that it is from the same company as last time? Can messaging apps label the code like caller id?

I don’t have all the answers, but there are definitely more things to be done to help fight the next generation of phishing. As more companies continue to recommend 2FA and send updates over SMS, we need tools in place to ensure we can trust the messages we receive.

Wells Fargo’s advice to add their numbers to your address book is good, as long as the short code (and normal telephone) numbers do not change over time. While it may be uncommon, it is possible for companies to switch numbers, and (possibly more common) previously used numbers can become available for a different company to re-register. In the former, people will see an unknown number seemingly masquerading as a service they do use, which should be a cause for suspicion (although benign). For the latter, people will assume trust in the content from a number they recognize (creating a phishing opportunity). While instances of these issues may be unsubstantiated (there’s very little info on how short code numbers change hands and “Best Practices” are all about marketing), this is a reason to have service driven trust management keeping track of ownership and identity.

There is an opportunity for services like US Short Code Directory and Tatango to provide access to their index of short codes, so companies like Apple and Google can continue to improve their messaging services. If the Short Code Directory had a public API to query and verify short codes, messaging apps could implement a new style of caller id (essentially a DNS for SMS, but not this) to let you know the message from 227898 that says it’s “From Capital One” is legitimately from Capital One.
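A sketch of the caller-id-style check described above, as an added example (not code from the Short Code Directory, Tatango, or any messaging app). A local directory stands in for the hypothetical public API; the function names, the `lastVerified` dates, the sample messages and the one-year staleness window are assumptions made for illustration.

```javascript
// T9 keypad: digit -> letters, inverted below so vanity codes can be checked.
const T9_KEYS = { 2: 'ABC', 3: 'DEF', 4: 'GHI', 5: 'JKL', 6: 'MNO', 7: 'PQRS', 8: 'TUV', 9: 'WXYZ' };
const T9 = {};
for (const [digit, letters] of Object.entries(T9_KEYS)) {
  for (const letter of letters) T9[letter] = digit;
}

// Spell a word on the keypad; throws on characters that have no key.
function toT9(word) {
  return [...word.toUpperCase()].map((ch) => {
    if (!(ch in T9)) throw new Error(`no T9 key for "${ch}"`);
    return T9[ch];
  }).join('');
}

// Local "address book" of short codes. The codes come from this post's list
// (which the author has not verified); the lastVerified dates are constructed.
const DIRECTORY = [
  { brand: 'Facebook', code: '32665', lastVerified: '2018-08-01' },
  { brand: 'Wells Fargo', code: '93557', lastVerified: '2018-08-01' },
  { brand: 'Capital One', code: '227898', lastVerified: '2016-01-15' },
  { brand: 'PayPal', code: '729725', lastVerified: '2018-08-01' },
];

const DAY_MS = 24 * 60 * 60 * 1000;

// Keep digits only, so "362-65" and "36265" compare equal.
function normalizeSender(sender) {
  return String(sender).replace(/\D/g, '');
}

// Classify an incoming SMS (now = milliseconds since epoch):
//   verified - sender is the recorded code for the brand the message involves
//   stale    - same, but the record is older than maxAgeDays, so the code
//              may have changed hands since it was last checked
//   mismatch - the text names a brand we know, but the sender is not its code
//   unknown  - nothing in the directory applies
function classifySms(sender, body, now, maxAgeDays = 365, directory = DIRECTORY) {
  const code = normalizeSender(sender);
  const text = body.toLowerCase();
  const claimed = directory.filter((e) => text.includes(e.brand.toLowerCase()));
  // With no brand named in the text, fall back to whoever owns the sender code.
  const candidates = claimed.length > 0 ? claimed : directory.filter((e) => e.code === code);
  if (candidates.length === 0) return { status: 'unknown', brand: null };

  const entry = candidates.find((e) => e.code === code);
  if (!entry) return { status: 'mismatch', brand: candidates[0].brand };

  const ageDays = (now - Date.parse(entry.lastVerified)) / DAY_MS;
  return { status: ageDays > maxAgeDays ? 'stale' : 'verified', brand: entry.brand };
}
```

The `stale` result covers the reassignment problem from the previous paragraph: a code that matched a year ago is only as trustworthy as the last time someone checked who owns it.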

At the end of the day, it should be easier to stay safe online, even if improving short codes is just an obscure part of the solution. Now to see if I can get Wells Fargo and The Verge to fix their typos.

Popular Company Short Codes

Disclaimer, I have not received messages from all of these numbers, so I cannot verify their legitimacy nor comprehensiveness. Given the issues noted above, these numbers may change or companies may start using additional numbers for SMS communication (Google already has at least 5. They may consolidate or add another).

Facebook: 32665 and 3266

Twitter: 40404

Google: 22000, 23333 and others

Apple: 272273 and others

Microsoft: 365365, 51789 and others

Amazon: 262966, 58988 and others

Capital One: 227898 and others

Chase: 28107, 24273 and others

Wells Fargo: 93557 and others

Bank of America: 73981 and others

American Express: 25684 and others

Intuit: 75341 and others

Discover: 347268 and others

PayPal: 729725 and 777539

Venmo: 86753

AT&T: 88170, 883773 and others

Verizon: 27589 and others

T-Mobile: 37981

FedEx: 37473 and others

USPS: 28777 and others

Walmart: 40303 and others

Twilio: 22395 and others

Uber: 827222 and 89203


Categories
Thoughts

Google, Data Privacy, and Unconscious Oversharing

Pushpins overturned on a map of the world

Google is tracking your location. Did we not already realize this?

Yesterday the Associated Press released a story titled Google tracks your movements, whether you like it or not. The gist of the article is there are at least two settings on your Google account relevant to your location, “Location History” and “Web and App Activity”, and you need to be aware of how you’ve configured both to limit the extent to which Google tracks and saves your location data.

Privacy Settings

via Google’s Activity Controls:

Location History

Saves where you go with your devices to give you personalized maps, recommendations based on places you’ve visited, and more.

Web and App Activity

Saves your activity on Google sites and apps to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services.

Question

Which setting do you need to disable to stop Google from saving locations of the places you’ve been?

(Second question: Did you know these settings exist?)

For the first, what did you go with? Location History? That seems to make sense but turns out not to be enough.

Answer, from AP and Google

To stop Google from saving these location markers, the company says, users can turn off another setting, one that does not specifically reference location information. Called “Web and App Activity” and enabled by default, that setting stores a variety of information from Google apps and websites to your Google account.
When paused, it will prevent activity on any device from being saved to your account. But leaving “Web & App Activity” on and turning “Location History” off only prevents Google from adding your movements to the “timeline,” its visualization of your daily travels. It does not stop Google’s collection of other location markers.

Um, what? Actually, this is not too surprising. Leveraging location makes Google services better. Knowing your location allows Google Search to show you the conditions outside when you search for “weather” instead of a definition for the word. It also lets you see concert tickets at venues in your city and movie times at your local theaters without the need to include your physical address in the search. Plus, driving directions in Maps would be useless if you didn’t let Google know your GPS coordinates.

Unconscious Over-sharing

The real issue here is not that we give up some privacy to make online services better as we use them, but the fact that transparency is virtually nonexistent into how companies use our data in ways we don’t consider. We are unconsciously over-sharing our personal information.

Take Maps again as an example. Not only does the service help us get from point A to B without the need of a physical map, but it also gets us there on the fastest route, optimized to include time in traffic.

Did you specifically let Google know that you are sitting in traffic? Unless you’re an active Wazer, the answer is probably no. So how did they determine there is a slowdown ahead? Remember, data lets companies improve their apps and services in ways indirectly related to the original value proposition. So while you are going 20 on the highway, using Google Maps to direct you home, Google is using your changes in location to measure your position and speed and recognize you are sitting in traffic.

Do you like that Google Maps includes traffic data? How would you feel if Google removed the “Traffic” feature from Maps? No one focuses on the benefit that’s given to you when you hand over your data and the service gets better.

It would be interesting to learn exactly how Google implements Traffic in Maps. As a thought experiment, would Traffic still work if everyone on the planet disabled Web & App Activity? Clearly for Google Maps to give you directions, you must give it your location. But is the transaction single use? Does Google read your location, update your directions, then throw away your GPS point? They could reuse your location data to help improve the service for everyone else. They could even go as far as saving that data point for later, just in case another service could benefit from the information in the future. None of these is just a “could”; Google is doing all of this.

But because the industry is so shady in its reporting practices for collecting data, it’s confusing what benefit you’re actually getting. It’s all just very opaque: I give you my data, and what am I getting out of it? This confusion leads to a default reaction of turning off all data sharing settings, but in reality the services don’t work if they have no data. Kind of a Catch-22.

Companies have also streamlined the app onboarding experience and skirted the finer details of what apps give and take. Google’s activity controls are not mentioned when you set up an Android phone or create a new Google account. So how are we supposed to be proactive about the privacy settings?

We need to flip the script on data privacy and give people the information they need as they need it. Not retroactively as a “clean up” feature.

Random thoughts

Ad Market Cap. Ad companies like Google and Facebook need as much information as possible about you to create a profile about you to sell ads and show ads to people like you. Facebook still knows a lot about you based on how you’ve used Instagram even if you’ve never posted a single picture. They can track scrolling, clicking, stopping, screenshotting.

Instapaper GDPR. We still have no idea what Instapaper and Pinterest were doing that was against GDPR in the EU. It would be nice to know how companies use the data we so generously hand over.

Facebook and Google “Shadow profile”. All the data and information we didn’t explicitly give, but that is intuited by algorithms from less visible forms of input (location from IP address, activity by linking signed in & out accounts). Even with all these settings disabled, to some unknown extent, Google et al. still know about our location and how we use the internet. It’s our right to know they know.

We need apps people pay for.

Product & service privacy settings

If you are concerned about companies knowing too much about you and your whereabouts, be sure to double check privacy settings for Location Services on all your devices.

Devices

iPhone
Settings > Privacy > Location Services

Android
Settings > Security & location > Location

Mac
Apple menu > System Preferences > Security & Privacy > Location Services

Windows
Settings > Privacy > Location

Chromebook/Chrome
Settings > Advanced > Privacy and security > Content settings > Location
(or search “Location”)

Apps & Services

Google

Microsoft

Apple

Instagram

Facebook
(Use a VPN)

Strava
So many toggles… read the article

My settings

Just saying, turn everything off. Google won’t be the same, but at least you’ll be in greater control of your data privacy.

Activity Controls

Screenshot of Google's Activity Controls permissions settings webpage

My Activity

Screenshot of Google's My Activity control page

Oh, and pot, meet kettle

“They build advertising information out of data,” said Peter Lenz, the senior geospatial analyst at Dstillery, a rival advertising technology company. “More data for them presumably means more profit.”

Categories
Books Technology Thoughts

How Asia (and social networking) Works

After over three years on the bookshelf, I finally picked up the Bill Gates recommended, How Asia Works by Joe Studwell. The review sparked my interest in the book then, but the intrigue was rekindled recently when I discovered Strange Parts on YouTube (don’t ask how it took me so long to find Scotty). Seeing another side of technology, the technological fringe, so to speak, I was fascinated by how the electronics manufacturing and recycling industries worked. So looking for a more worldly view, and with years of anticipation, I started reading How Asia Works.

And then, still in the roman numerals, I put the book down because I was so surprised at how taken aback I was by this comment.

“If a country does not trade and interact with the world, it is all but impossible to get ahead in the development game” – How Asia Works, page xx

The idea was not meant to be a large part of the story, as it was literally telling why Studwell would not be including further discussion about countries low on the United Nations Human Development Index, but the impact of the implication in today’s globally networked world really struck me. It’s silly, but I haven’t been able to continue reading the book because the thought has been on my mind for the last week. I had to make sense of this line before moving on to the next.

I am having trouble reconciling the positive benefits of networking in the digital age with the draining effects of the attention economy.

Will those who abstain from social networking share the same demise as the “politically and economically introverted” countries Studwell mentions? Or is it still possible to develop when withdrawn from our hyper connected society? Existentially, does this mean I am going the way of these disconnected countries? I have a Facebook account, but I don’t use it, and I rarely post on Twitter.

Cal Newport on Social Networking

There is a way to connect digitally with others, and Cal Newport calls it the Social Internet from his post On Social Media and Its Discontents.

The social internet describes the general ways in which the global communication network and open protocols known as “the internet” enable good things like connecting people, spreading information, and supporting expression and activism.

Social media, by contrast, describes the attempt to privatize these capabilities by large companies within the newly emerged algorithmic attention economy, a particularly virulent strain of the attention sector that leverages personal data and sophisticated algorithms to ruthlessly siphon users’ cognitive capital.

I support the social internet. I’m incredibly wary of social media.

So do I. I am trying to contribute to the social internet, but it is difficult to be found without the leverage of the social media’s network effects. Newport has thoughts on this too:

The tricky question, of course, is how exactly one enables a useful social internet in the absence of the network effects and economic resources provided by the algorithmic attention economy.

One intriguing answer is the idea of augmenting the basic infrastructure of the internet with social protocols.

In short, these protocols would enable the following two functions:

  • A way for individuals to create and own a digital identity that no one else can manipulate or forge.
  • A way for two digital identities to agree to establish a descriptive social link in such a way that outside observers can validate that both identities did in fact agree to form that link.

There are few serious technical obstacles to implementing these protocols, which require only standard asymmetric cryptography primitives. But their impact could be significant.
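The two functions in the quoted list, as an added example that is not from Newport’s post: an identity is an Ed25519 key pair (via Node’s built-in crypto module), and a social link is a statement both identities sign, so an outside observer can check it with nothing but the record itself. The record format, the `social-link-v1` tag and all function names are assumptions made for illustration.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// An identity is an Ed25519 key pair. Its public name is the base64 public key,
// so nobody can speak for it without holding the matching private key.
function createIdentity() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const id = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { id, privateKey };
}

// Canonical bytes that both parties sign. A fixed field order means the two
// signers and any later observer all serialize the link identically.
function linkBytes(link) {
  return Buffer.from(JSON.stringify(['social-link-v1', link.from, link.to, link.description]));
}

// Check one signature against the identity named in the link.
function verifyOne(id, link, sigB64) {
  try {
    const key = createPublicKey({ key: Buffer.from(id, 'base64'), format: 'der', type: 'spki' });
    if (key.asymmetricKeyType !== 'ed25519') return false;
    return verify(null, linkBytes(link), key, Buffer.from(sigB64, 'base64'));
  } catch {
    return false; // malformed key or signature counts as invalid
  }
}

// Step 1: the proposer names the other identity, describes the link, and signs.
function proposeLink(proposer, toId, description) {
  const link = { from: proposer.id, to: toId, description };
  return { ...link, fromSig: sign(null, linkBytes(link), proposer.privateKey).toString('base64') };
}

// Step 2: the named party countersigns the same bytes, but only if the
// proposal is addressed to it and the proposer's signature checks out.
function acceptLink(accepter, proposal) {
  if (proposal.to !== accepter.id) throw new Error('proposal is addressed to someone else');
  if (!verifyOne(proposal.from, proposal, proposal.fromSig)) throw new Error('bad proposer signature');
  return { ...proposal, toSig: sign(null, linkBytes(proposal), accepter.privateKey).toString('base64') };
}

// Outside observer: the link is valid only if BOTH identities signed exactly
// this from/to/description triple.
function validateLink(link) {
  return typeof link.fromSig === 'string' && typeof link.toSig === 'string'
    && verifyOne(link.from, link, link.fromSig)
    && verifyOne(link.to, link, link.toSig);
}
```

A one-sided proposal, an edited description, or an acceptance signed by a third key all fail `validateLink`, which is the “outside observers can validate that both identities did in fact agree” property from the list.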

This has glimmers of danah boyd’s Faceted Id/entity thesis, but the key point of Newport’s idea is this:

In this ecosystem, many different applications can leverage this distributed social graph to offer useful features to users. By eliminating the need for each such social application to create a network from scratch, a vibrant competitive marketplace can emerge.

Ben Thompson talks about open sourcing Facebook’s social graph all the time, more from the perspective of fostering competing services, but still the idea is similar:

All social networks should be required to enable social graph portability — the ability to export your lists of friends from one network to another. Again Instagram is the perfect example: the one-time photo-filtering app launched its network off the back of Twitter by enabling the wholesale import of your Twitter social graph. And, after it was acquired by Facebook, Instagram has only accelerated its growth by continually importing your Facebook network. Today all social networks have long since made this impossible, making it that much more difficult for competitors to arise.

via Manifestos and Monopolies and here and here

Strategies and Future Developments

Blockchain could flip the internet paradigm on its head, creating a decentralized network akin to Pied Piper, which could solve the online identity problem.

For all their brilliance, the inventors of the open protocols that shaped the internet failed to include some key elements that would later prove critical to the future of online culture. Perhaps most important, they did not create a secure open standard that established human identity on the network. Units of information could be defined — pages, links, messages — but people did not have their own protocol: no way to define and share your real name, your location, your interests or (perhaps most crucial) your relationships to other people online.

via Beyond the Bitcoin Bubble

So while we wait for blockchain to save us, what are we stuck with for the time being? We can “change [our] relationship with these services to shift from compulsive to controlled use”. Or, how about some slightly ironic info about how to use Twitter, from someone on Twitter. It’s actually quite optimistic and intellectual:

Follow weird stuff. Follow unusual corners. I enjoy Nigerian tech twitter. I enjoy short-story twitter. I enjoy urban design twitter. I enjoy the zillions of clever bots. I keep meaning to get into opera twitter, but never quite manage it.

via @michael_nielsen

Hey, at least he’s contributing to the network.

That’s all for now

I’m still thinking about all this, but I had to get some initial thoughts out of my head so I can keep reading the book. I’ll let you know what happens after the introduction.

One more thing, here’s John Oliver on the subject of China.

Categories
Thoughts

Why I Switched to WordPress.com

I spent the entire weekend trying to sort out why changing my WordPress theme brought down my site. There was this error and I just couldn’t figure out what was happening. I exported my data, moved to a temporary free WordPress.com account as a backup, and re-installed WordPress on my self hosted site.

Before we get too far into it, to clarify, WordPress is a technology that lets you create blogs. You can either run WordPress on your own server (in the cloud) or let a company manage your installation. WordPress.com is a company that manages WordPress installations, so you can blog away and let WordPress.com handle the technical details of running the site.

Getting back to it, I reinstalled three more times because each time I ran into a different problem. I think the issue came down to a database incompatibility, but it was just one in a series of problems I’ve encountered over the last few years while running my own site. My site was “defaced” via an exploit in an out of date version of WordPress, was unable to connect to Jetpack services, and needed to be re-installed one too many times. This iteration was the last straw. I needed to switch from site maintenance mode and get back to blogging.

Self Hosting

There’s a lot you need to keep up with when running your own WordPress install. I enjoyed learning all the details over the years of running my site. Finding the pieces and putting them all together was fun and made for fulfilling work when the site decided to play along. Although, when something went wrong, managing this workflow and disjoint accounts brought my progress writing posts to a complete halt.

Here are many of the pieces required to run a WordPress site (all of which WordPress.com will handle for you):

Hosting

Your site needs to live somewhere (search for “WordPress hosting” to find a few options)

Domain Name

A site needs a url, so you have to ensure your domain name registration is up to date every year, AND linked to the WordPress install. The latter is a constant source of struggle. (Namecheap, Google, GoDaddy, Hover, etc)

Certs

Want that green lock on your site? You’ll need an SSL certificate. Site certificates let people connect securely and communicate privately with your blog, so it’s important that your site has the correct certs. (Let’s Encrypt, Comodo, Namecheap, etc)

Backup

Site backups are crucial in case anything ever goes wrong (which in my experience seems common), but they are costly, unintuitive, and require manual configuration.

Updates

WordPress must be kept up to date. With a self-hosted site, you need to check for updates. It requires active engagement. I try to write posts on a weekly cadence, but sometimes there would be long stretches of time I didn’t go on the site. You can configure auto-updates to the WordPress core, but there are many caveats. In either case, it’s another task you need to keep in the back of your mind, using up resources I could allocate elsewhere.

Customization

Do you spend way too much time setting up your video game character, even before starting the game? You’ll do the same with WordPress site customization. While seemingly a differentiator, a site’s look is not nearly as important as its content. (Ironically, switching from a highly customized theme to the default Twenty Seventeen theme kicked off this whole ordeal)

In the end, all this mental overhead was cutting into my time and creativity. Running the technology distracted from what I wanted to do with my site. And with that, I handed over the keys to WordPress.com.

Going Forward with WordPress.com

Note, this is not a review of WordPress.com. I’ve only used the service a couple days, so I’m still deciding if it’s the right fit. However, I had five accounts to manage everything related to my website, and now I have one.

Blog spectrum of User customization and control to One experience fits all (Doing my best Stratechery impression)

WordPress.com sits in the middle of the blogging platform spectrum of user control and one experience fits all. I can still modify the site to make it feel like my own, but I don’t have the same level of configuration as a self-hosted site. It’s a good first step to building a focus on writing, because I don’t want bells and whistles anymore. I want to write and develop something new.

Technology works best when it’s invisible. I am optimistic that getting the site administration work out of the way will free up headspace to think and give me time to create more.

My site has a history on WordPress, so there is some lock in to the technology. As I searched for a platform that just lets me write, switching to WordPress.com was an easy first option to explore. Since it’s easy to transfer WordPress data from one hosting service to the next, I brought all my posts with me to WordPress.com.

With that said, I am going to keep iterating, with new formats, platforms, and mediums. I am now a customer of WordPress.com. If I decide their services improve my ability to create, I will stick with them. Otherwise, as WordPress.com says in their own words “You own your data – take it anywhere”.

Medium.com leans further towards the one experience fits all side of the blogging platform spectrum. On Medium, you get a title, and a story. That’s it, but it’s amazing. The focus is on the content of the words on the page, not the theme of the website.

I have a Medium account with zero posts (until now). Starting today I will be cross posting longer form thoughts like this under the Medium Partner Program (and I checked, this is allowed by the Medium Content Guidelines). All my posts will still be on my site, but I want to experiment with Medium to learn how the different communities interact.

So let’s see how this goes. The content of my blog has changed over the years from small ideas (Seth Godin-style), to connecting things I read/hear/watch, weekly reviews, back to connections, and now a news feed. I can already tell this latest iteration is working well. It’s easier to get back to writing and integration with email updates, social media, and reader feedback is better overall. There’s less in the way of getting things done, and I’m hopeful this new format will keep my momentum going strong.

Be on the lookout for a future post explaining “Why I’m Staying with WordPress.com” or perhaps “Why I Switched to Medium”.

Categories
Technology Thoughts

What we learned from Facebook this week

For all the talk with Facebook CEO Mark Zuckerberg in the US Senate and House this week, there was very little surprising content. We give consent to use the Facebook service, we upload images, write posts, and like articles. We have control at every step of our interaction to decide how much to share with Facebook and what we give the company is exactly what is given back to us in the data archive download tool. It’s shocking to see every interaction you’ve ever made on Facebook in one place, but there is nothing here we don’t expect. There is no post we didn’t make or image we didn’t take. Facebook remembers what we do on the service as long as we have an account.

But that doesn’t mean everything from the last week was old information.

What was clarified?

An important point Zuckerberg reiterated is that Facebook does not sell user data. This would be a silly business move because Facebook’s value to advertisers is in the uniqueness of its data. It is in Facebook’s best interests to keep its trove of data secure, as it requires advertisers to keep coming back. There’s no other place advertisers can go to get the same level of targeting.

Instead of selling data, Facebook actually collects all the details from every person “in the community” and compiles the best advertising opportunity for a given ad. Facebook assures advertisers their ad placement will reach the intended audience with the greatest possibility of interaction. It is this assurance that gives Facebook its gazillion dollar market cap.

The Cambridge Analytica case was different, but still Facebook never sold data. Instead, Cambridge Analytica got raw Facebook user data from an app developer who used a survey app to harvest data. In 2014, it was within Facebook terms for a 3rd party app developer to use the Facebook developer platform to collect just about all the information about you and all your friends ever entered onto the site.

Listen to Exponent episode 146 “Facebook’s Real Mistake” (link at the end) for background on how Facebook’s past push to be a platform landed the company in this situation. The takeaway? Had Facebook realized its value as an ad network, the company would never have given the same level of data access in the first place.

This is why the current Facebook fiasco is not a data security breach, but a data privacy leak. Hackers did not break into Facebook systems to obtain user data, but a developer (which could have been anyone) used Facebook sanctioned tools to collect your information. Facebook has since locked down its platform to prevent such unrestricted access to user data, but it does not change the fact that massive amounts of user data left the platform seemingly without consent of its users. And yes, it’s true that by signing up you agreed to the terms that allowed developers to leverage the wide open API to gather profile information, but did you really know that was part of the agreement?

What was surprising and novel?

Did you check if your info was collected by Cambridge Analytica? Go ahead, I’ll wait ⌚😊

After you’ve read through your activity log and exported your data, take a minute and think about what stands out from the content (I think this tinfoil hat scandal is all a ploy to get us to go on Facebook even more. Feel free to finish reading in the meantime, the export takes a while). Once you get to the details, you can see the majority of the information came from you, but there is a small subset which reveals the inner working of the Facebook machine.

To put things in perspective, focus on your ad preferences and take a look at your ad demographics information. This is a window to the 9698 categories from the Senate hearing. Advertiser demographic is the result of running all our interactions on Facebook through a proprietary algorithm. Of all the information in the data archive, this piece is novel. We didn’t explicitly tell Facebook this information, but they determined it based on what we’ve done on the site.

This is why the Facebook hearing this week is only the tip of the iceberg. If we are concerned that Cambridge Analytica could sway an election with a slice of our data, what kind of power does Facebook have? Sure we didn’t entrust Cambridge Analytica with our data, but why does opting into a puppy video sharing service change our perception of possible psychological manipulation?

What does Facebook do with all our data? And what can they do?

We need greater transparency on how our data is used. I can control and know what I upload, but what happens with the data “I own” once it’s handed over?

When I upload a photo to Facebook, what algorithms are tuned as a result? How does the content of the photo affect ads I see?

WhatsApp communication is encrypted, so it’s private between those in the conversation, but in what way does Facebook link my WhatsApp, Instagram, Facebook accounts? I’ve logged into all three on the same device so they must know it’s the same person (even though I signed up for all three as separate users).

And what about activity coming from the same IP address or GPS location? Does Facebook correlate data of those physically closest to me, outside of our connections on it’s services? What about when I’m on Facebook but signed out?

The consumer-facing fun part seems like a front for the stingy advertising business on the back end. What is the difference between the two? It’s telling that Zuckerberg doesn’t fully understand the difference (from questioning by Brian Schatz). From Facebook’s perspective, the “fun part” is the user feature set that drives advertising revenue. It’s the top of the funnel for all of Facebook’s algorithms and drives the company’s valuation.

For a platform that relies on its users to generate value, the company doesn’t provide much information to said users on how the internal cogs work. Perhaps it’s best to be blissfully unaware, or maybe it’s not a requirement, but when 2 billion people feel like the product and not the customer, it’s reasonable for them to want a little more information on how they’re being used.

And if this is Facebook, what about Google? (You can also export Google data)

What can you do to stay in control?

  1. Adjust log-in behavior to prevent future data leaks
    Check permissions when using Facebook (or Google or any other service) to sign up for a new site. To keep the same convenience, sign up for a password manager like Dashlane or LastPass which can generate and remember a new login for each site you visit. This adds a layer of security to your accounts and removes the possibility of another Cambridge Analytica style data leak.
  2. Prevent cross-site tracking
    Use a separate browser just for Facebook. Only log in to Facebook on that browser and do all your other web stuff in another. Or use extensions like Ghostery (which also tracks your trackers, so maybe just turn off the internet for the day…) or the Facebook Container for Firefox.
  3. Limit sharing data
    Just use Facebook less? Deactivate for a week and see how you feel. You can always reactivate.
    Go old school and use an RSS reader.
    Stick with iMessage/FaceTime.
    This is always an option.

All sorts of links

Video of Zuckerberg’s Senate hearing (transcript) and appearance before House committee (transcript)
Day 2 from MIT Technology Review
What was Facebook Thinking by James Allworth
The Facebook Current and The Facebook Brand from Stratechery
Facebook and Cambridge Analytica Explained from NYTimes
Facebook’s Real Mistake and Facebook Fatigue from Exponent Podcast
Mark Zuckerberg is Either Ignorant or Deliberately Misleading Congress from The Intercept
Mark Zuckerberg on Facebook’s hardest year, and what comes next from Vox
What is GDPR?
General Data Protection Regulation
Coachella streams 1, 2, and 3


Slow Social Media

In his recent posts, Cal Newport outlines why our attention will benefit from individuals owning their own domains. We may need tools to help us do it, but companies will assist us from behind the scenes, allowing us to build our own brands. People should be able to move their brand (and data) from one platform to another when improvements come along. This is the social internet, and it will power the economy of the future. Value online comes from those who create it. All we can do as technologists is empower others to make their art with greater efficiency.

Context: On Social Media and its Discontents and Beyond Delete Facebook by Cal Newport


Fixing the Blog

Thank you Jetpack Support

First of all, Jetpack support is amazing. Automattic is known for its customer service oriented culture, and it shows. I was running into an issue where Jetpack would not connect to my site, so I reached out to their support team. They were responsive in helping me figure out the tech at all hours of the day, and they even researched how to solve a problem with a non-Automattic product. Great stuff, I appreciate it!

Here’s the link if you need help with Jetpack.

WordPress and Site Address URL

The first issue has been with the site since day one. For custom WordPress installs, the WordPress Address and Site Address URLs should be the same (both set to https://ryancropp.com in this case) no matter what they say:

Site Address (URL):

Enter the address here if you want your site home page to be different from your WordPress installation directory.

Just don’t try to manually update the WordPress and Site Address URLs to your custom domain from the wp-admin dashboard. You will get locked out.

To fix the issue you need to FTP into your site and update the siteurl in the functions.php file for your installed theme:

update_option('siteurl','https://ryancropp.com');
update_option('home','https://ryancropp.com');

Refresh WordPress admin and then remove the update_option code.

Clear site cache

Just for good measure, clear the Project Nami blob cache so no old site configurations are left hanging around. The instructions are in the readme of the Blob-cache download (why!?).

An aside on Cron expressions

They’re kind of fun, but how are these still a thing? I guess we have Unix to thank. I need to use them 0 0 0 0 0 ? 2018/2 or 0 0 0 0 0 ? 2018/3 at best. Here are some docs from Oracle and Quartz to figure out what that means.

Jetpack and Project Nami

Turns out everything up to this point had nothing to do with getting Jetpack to work. It certainly didn’t hurt, but attempting to link Jetpack still showed the error “Verification secrets not found”.

Jetpack verification secrets error message

On a whim I decided to look into the compatibility issues with Jetpack and Project Nami, the caching mechanism for WordPress on Azure. And what do you know, Issue #237 on the Project Nami GitHub had the answer.

One should now be able to solve the issue by adding the following to the site’s wp-config.php:

define( 'JETPACK_DISABLE_RAW_OPTIONS', true );

See Automattic/jetpack#7875 for more info.

So finally, if you’re following along at home, disable Jetpack raw options for Project Nami…

And it works!

You can sign up for email subscriptions in the sidebar.

A red-herring extension

Turning off browser extensions may or may not have helped. I turned off Ghostery in the middle of the process, forgot about it, then realized it was still off some time later.

Happy blogging