I’m baffled as to why programmers put their trust in this advertising company to do the right thing, or why companies would stake their reputation on Go. Several people tell me that Google handed over control to open source, but the main landing page for Go, golang.com, the place where everyone needs to go to program in the language, says:

The Go website (the “Website”) is hosted by Google. By using and/or visiting the Website, you consent to be bound by Google’s general Terms of Service and Google’s general Privacy Policy.

Go to the Go privacy policy page, and you’re sent to Google’s own privacy policy page.

The copyright page, which a lot of folks point to, actually says:

Except as noted, the contents of this site are licensed under the Creative Commons Attribution 3.0 License, and code is licensed under a BSD license.

… which means Google can exempt whatever it wants from the CC & BSD licenses. A good legal argument could be made about the BSD license for the code, as the commas make things more open to interpretation. The term “code” could include HTML and other markup. But IANAL.

Back to my main point, Google’s reputation is not good based on their behavior. I would not want to stake my company or my coding on them.

(Picture via Roman Synkevych (@synkevych) on Unsplash)

AI can now easily (8 seconds) change the identity of someone in a film or video.
Multiple services can now scan a few hours of someone’s voice and then fake any sentence in that person’s voice. […]
Don’t buy anything from anyone who calls you on the phone. Careful with your prescriptions. Don’t believe a video or a photo and especially a review. Luxury goods probably aren’t. That fish might not even be what it says it is.
But we need reputation. The people who are sowing the seeds of distrust almost certainly don’t have your best interests in mind; we’ve all been hacked. Which means that a reshuffling is imminent, one that restores confidence so we can be sure we’re seeing what we think we’re seeing. But it’s not going to happen tomorrow, so now, more than ever, it seems like we have to assume we’re being conned.
Sad but true.
What happens after the commotion will be a retrenchment, a way to restore trust and connection, because we have trouble thriving without it.

(Via The end of reputation; photo via Raphael Lovaski on Unsplash)

Apologies to Seth for quoting nearly his whole post, but it’s important and scary.

Neal Stephenson, in his book Fall; Or, Dodge in Hell 🇺🇸 🇯🇵, addresses this very issue of reputation and authenticity. In very simplistic & basic terms, it involves leveraging something like blockchain to “check in” or “sign in” to legitimate things by you or things you control. He also talks about Editors, who are human professional social media filters, which takes us down a different rabbit hole.

As I move my on-line life as much on to platforms I control or trust, I am thinking about how to validate “me” outside of that without that validation coming back to bite me later, assuming such a thing is possible.

What do you think?

Many apps I use are moving to a subscription model (a.k.a. Software-as-a-Service in the corporate world). As they move to the SaaS model I take a deep look.

Immediate red flags for me are when devs explain their move in these ways:

  • Implemented a custom proprietary sync mechanism
  • Implemented encryption
  • Costs are rising
  • Push notifications (in most apps, unnecessary chrome)
  • Theming, styling, icons and/or dark mode (again, unnecessary chrome)

There are select apps in the subscription model to which I subscribe and why:

  • Apollo (Reddit reader app): superior to the native app & other options; theming; and to support development
  • CARROT Weather (Weather app) Tier 2: additional data sources; Apple Watch; map layers; and other stuff
  • Fiery Feeds (RSS reader app): for “Smart Views”; to support development; and I read a lot of feeds
  • Overcast (Podcast app): to remove ads; to support development; and I listen to a lot of podcasts

Apollo violates two of my red flags, yet the developer is crazy responsive; his app is head & shoulders better than the native Reddit app; and he regularly pushes out updates for security/bug fixes/functionality/chrome.

CARROT Weather also often pushes out updates for security/bug fixes/functionality/chrome, and is also better than the other options.

Overcast does, too, but more judiciously and with less emphasis on chrome. I like PocketCasts, too, but less so.

Some apps that I avoid in the subscription model but use in their legacy or alternate license mode:

It turns out that there is a problem downloading from the GNU [ELPA] archive that’s related to TLS. Happily, the answer is simple: just add

(setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3")

to your init.el file. […]

If you’re getting weird errors when you download from the GNU repository, try adding the above line to your file. It worked well for me.

(Via Irreal)

I ran into this very issue the other day but didn’t have time to run it down.
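The line quoted above disables TLS 1.3 for every GnuTLS connection Emacs makes, not just for ELPA. The following init.el fragment is an added example (not from Irreal’s post or from Emacs itself) that applies the same setting only where it is needed. It assumes the ELPA failure affects Emacs 26.2 and earlier built against GnuTLS 3.6.3 or newer, and that newer Emacs releases carry the fix; the `my/` helper is a hypothetical name chosen for this example.

```elisp
;; Added example: scope the TLS 1.3 workaround instead of turning TLS 1.3
;; off unconditionally. Assumption: the ELPA download bug affects Emacs
;; 26.2 and earlier when built against GnuTLS 3.6.3 or newer.
(when (and (boundp 'libgnutls-version)   ; only defined when Emacs has GnuTLS
           (>= libgnutls-version 30603)  ; GnuTLS version encoded as MMmmpp
           (version< emacs-version "26.3"))
  ;; Remove only TLS 1.3 from GnuTLS's NORMAL priority set. Certificate
  ;; verification and the rest of the cipher/protocol policy stay as they are.
  (setq gnutls-algorithm-priority "NORMAL:-VERS-TLS1.3"))

;; Hypothetical helper: evaluate after startup (M-: (my/elpa-tls-workaround-active-p))
;; to confirm the downgrade applied only on the affected builds.
(defun my/elpa-tls-workaround-active-p ()
  "Return non-nil when the TLS 1.3 workaround is in effect."
  (and (boundp 'gnutls-algorithm-priority)
       (stringp gnutls-algorithm-priority)
       (string-match-p "-VERS-TLS1.3" gnutls-algorithm-priority)))
```

On an unaffected build the `when` form does nothing and `gnutls-algorithm-priority` stays at its default of nil, so TLS 1.3 remains available; on an affected build, run `M-x package-refresh-contents` afterwards to confirm the GNU archive downloads cleanly. Once the Emacs or GnuTLS in use is upgraded past the guard, the workaround stops applying by itself.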

Security Monitor by Riccardo Mori:

Now I’ve switched to ‘active distrust’ mode towards Apple. I don’t feel 10.14 Mojave brings anything particularly useful to me, and 10.15 Catalina even less so. Nothing really worth leaving High Sierra and its general stability behind. Everything I’m reading about Catalina, the experiences of those valiant people trying out the beta, and the technical observations of the more expert users and Mac developers, gives me the impression that Catalina is perhaps the first version of Mac OS that is more useful to Apple rather than their users, if you get my drift.

I can’t agree more. My personal machines – a 2011 Mac Mini Server and a 2015 MacBook Pro – are still on High Sierra because Apple is IMHO no more reliable than any other vendor. My work 2015 MacBook Air is force-updated by the CIO Office to the latest macOS release – major, minor, and supplemental – to the point where internal sites are filling up with complaints about forced reboots during client meetings, presentations, customer maintenance, end-of-month/-quarter activities, and other sensitive moments.

Which makes me wonder yet again: why do people forget about availability when talking about security?

Finally got my Emacs setup just how I like it:

Now I just need a Mac IIcx to put it in and I’m good to go. Thanks, mly!

(Via jwz)

#jealous

No clue what to do about it, but sure something should be done about it, and picking the wrong thing to do about it: the Trump administration in a nutshell. There’s already been a “sensational case” – the San Bernardino one in 2016 – and the FBI paid an Israeli company about $1m to break into the iPhone in question, to find nothing useful. There was more, and better, data on the terrorists’ Facebook profiles.

(Via The Overspill)

Similar to my earlier post on AG Barr’s complete lack of understanding about how encryption actually works and benefits the entire economy.

Attorney General William Barr Really Wants to Read Your iMessages:

It is almost impressive how people with no clue about how encryption works have, time and time again, ignored the advice of actual experts in it. If [US Attorney General William] Barr were in charge of NASA, he’d demand a faster-than-light Space Shuttle even after being told that it is impossible.

(Via Pixel Envy)

This Ars Technica article is a pretty good summary of Barr’s latest attack on working encryption.

IBM: Breach Costs Impact Firms For Years:

The average global cost of a data breach has risen again, with experts at IBM claiming the financial impact can be felt for years after an incident. […]

The headline figure has risen from $3.86m to $3.92m over the past year, and in total by over 12% over the past five years, IBM claimed. However, in the US it is more than double this figure, at $8.19m.

Smaller companies with fewer than 500 employees suffered losses on average of over $2.5m, a potentially fatal sum. Mega breaches of over one million records cost $42m, while those of 50 million records are estimated to cost companies $388m.

For the first time, IBM measured the financial impact of a data breach over several years. It found that on average 67% of data breach costs were realized within the first year after a breach, but over a fifth (22%) accrued in the second year and another 11% did so more than two years after the initial incident.

Organizations in highly regulated environments like healthcare and financial services were more likely to see higher costs in the second and third years, it claimed.

Malicious breaches accounted for the majority (51%) of cases, up 21% over the past six years, and cost firms more – on average $4.45m per breach. However, accidental breaches accounted for nearly half (49%) of all incidents, with human error ($3.5m) and system glitches ($3.24m) costing slightly less than the global breach average.

For the ninth year in a row, healthcare organizations suffered the highest cost of a breach – nearly $6.5m on average.

IBM claimed that extensively tested incident response plans can minimize the financial impact of a breach, saving on average $1.23m.

Other factors affecting the cost of a breach include how many records were lost, whether the breach came from a third party and whether the victim organization had in place security automation tech and/or used encryption extensively.

(Via Infosecurity)

Highlights from my employer’s annual Cost of a Data Breach study. The live version including the calculator is here. Check it out (registration required).

Emacs! In the New York Times!:

Paul Ford, co-founder and chief executive of Postlight, has a delightful paean to open source in The New York Times Magazine. In the article, Letter of Recommendation: Bug Fixes, Ford talks about the joys of open source and the pleasures of browsing through a program’s history with a version control system like Git. He says he likes to read commits like a newspaper. It tells him what he can do today that he couldn’t do yesterday. One of the main examples he gives of an important open source project is Emacs.

He talks about Emacs going back 40 years and how much one can learn by examining how the code evolved. Over 600 people made almost 140,000 commits to make Emacs what it is today. It is, he says, the Ship of Theseus in code form. Ford remarks, “I read the change logs, and I think: Humans can do things.”

None of this is news to Irreal readers, of course, but it is significant that it’s appearing in a general purpose publication like the New York Times. Most often, what we do appears to be mysterious and arcane to the general public. Ford does a good job of capturing the flavor of some of it.

(Via Irreal)

Sweet! It’s a bit Utopia-ish, but I like the shout-out for Emacs (naturally).