random($foo)

Archive for the ‘Business’ Category

Apple: Untrustable

Tuesday, September 9th, 2014

As excitement over Apple’s new product announcements dominates today’s press coverage, and the memory of the celebrity iCloud hacks fades into obscurity (already seemingly long forgotten, and completely unremarked and unaddressed at today’s event, which was no doubt a good PR move), I felt it might be worth posting some of my personal thoughts on the matter, as the silence from Apple on the issue has been quite disquieting.

To be clear, I’m a long-time fan of Apple design and engineering, and today’s keynote is a reminder of Apple’s best-in-class hardware and device software. I also own a not-insignificant amount of AAPL shares, and while I’d like to give them the benefit of the doubt, it seems increasingly clear that Apple should not be trusted with my personal information.

It’s famously well known that despite their technical prowess in hardware and software, Apple is just not very good at hosted services. Terrible at it, really. From their earliest web-based apps, to their ongoing capacity problems, to their laughable attempts at building social services (Ping, anyone?), Apple’s online components are sometimes passable or on par, but more commonly they are mediocre, not well thought out, clunky, outdated, or just plain broken; “not serious” was the phrase a friend used. The problem is that today, the online components are as integral to a product as the device hardware or software. They are bound together, and sadly, the weakest link will cause the chain to break. Unfortunately, these traits seem to carry through to the security of these services as well, which is definitely serious.

Over two years ago now, a friend, Mat Honan, had his Apple account (and digital life) hacked, in much the same way (via an almost identical vector) as the recent celebrity hacks. He’s a journalist, so he wrote all about it, and got a fair amount of press along the way, appearing on news shows, getting writeups, and generally making a big hubbub about it.

If you’re not familiar with that incident, it’s worth taking a look. Also worth reading is some of the analysis on the latest compromises:

Apple issued a terse official statement last week which denied any “breach” in any Apple systems and claimed that the accounts were compromised due to “targeted attack[s].” From a lawyerly perspective, this is perhaps technically accurate, aimed at deflecting blame and absolving responsibility, if not liability. Of course, like most such statements, especially when looked at in the context of the aforementioned writeups, it is quite misleading.

The attacks used to reset passwords via security questions and acquire iCloud access and backups were so frequent and common-place that discussions and communities had formed not just on the darknet, but on public forums/websites.

Either Apple’s security was so incompetent or negligent that they were not aware of what was going on, or they knew, but actively ignored the issue and decided that it was not worth fixing. I’ll leave it to the reader to decide which scenario is worse.

Today, Apple announced their “Most Personal Device Ever”. They also announced Apple Pay (the only mentions of “security” and “privacy” in today’s event), and are rolling out health tracking and home automation in iOS 8.

Given their feckless track record, would you really trust Apple with (even more of) your digital life?

Some notes:

  • Last week, the same day where the big Apple news was the hiring of designer Marc Newson, Mike Hearn published a fascinating writeup of his anti-spam/abuse work at Google. Maybe unfair, but it struck me as an interesting contrast.
  • Over the years that these compromises have been happening, I haven’t heard of anyone who has been informed by Apple of a compromised account, or any information on their customer-facing forensic abuse team. Ignoring the larger issues of systemic security holes (Apple can talk about “no breaches,” but between non-rate-limited/info-leaking endpoints, allowing resets via VPNs, and the lack of device pinning/access notices, they’ve left the door wide open to widely known attack vectors), what kind of support does Apple give you once your information is stolen?
  • Much hoopla has been made on 2FA. iCloud’s 2FA is less useful than you might think.
  • Not Safe For Not Working On – Dan Kaminsky writes about some of the implications of cloud security; also worth a read is What if I was a cloud? by iBrute‘s author. It’s obvious that cloud services need to seriously rethink how they store and authenticate personal information.
  • If you’re not already using fake answers to security questions, you should. If you are, it may also be worth considering using a password manager to store unique nonsense answers for those questions.
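To make the notes above concrete, here is an added illustration (my own, not Apple’s code or anything from the writeups linked) of an account-recovery endpoint in the weak shape the post describes beside a hardened one: uniform responses so the endpoint leaks neither account existence nor answer correctness, sliding-window limits per account and per source address, and an audit trail from which the account owner could be sent an access notice. Account names and answers are constructed sample data.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample data (not real accounts): user -> security-question answer.
ACCOUNTS = {"alice": "tiddles", "bob": "fluffy"}


def leaky_reset(user, answer):
    """Weak form, as the post describes: distinct errors reveal whether the
    account exists and whether the answer was right, and nothing throttles
    repeated guesses."""
    if user not in ACCOUNTS:
        return "no such account"
    if ACCOUNTS[user] != answer:
        return "wrong answer"
    return "reset ok"


class HardenedReset:
    """Hardened form: one uniform reply to the caller, sliding-window limits
    per account and per source address, and an internal event log that a
    notification/forensics process can read (the access notice the post
    says is missing)."""
    UNIFORM = "if the details match an account, instructions have been sent"

    def __init__(self, max_attempts=5, window=3600, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window            # seconds
        self.clock = clock              # injectable for testing
        self.attempts = defaultdict(deque)   # key -> timestamps in window
        self.events = []                     # (time, user, source_ip, outcome)

    def _over_limit(self, key):
        """Record one attempt for key and report whether the window is exceeded."""
        now = self.clock()
        q = self.attempts[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def reset(self, user, answer, source_ip):
        now = self.clock()
        # '|' rather than 'or' so both counters are updated on every call.
        throttled = self._over_limit(("user", user)) | self._over_limit(("ip", source_ip))
        # Compare against a dummy for unknown users so the work done does not
        # depend on account existence; compare_digest avoids early-exit timing.
        expected = ACCOUNTS.get(user, "\0")
        matched = hmac.compare_digest(expected.encode(), answer.encode())
        if throttled:
            outcome = "throttled"
        elif matched and user in ACCOUNTS:
            outcome = "reset_sent"       # real system: send an out-of-band link
        else:
            outcome = "failed"
        self.events.append((now, user, source_ip, outcome))
        return self.UNIFORM              # caller learns nothing either way
```

The `events` list is the hook for detection: a burst of `failed` or `throttled` entries against one account, or from one source across many accounts, is exactly the signal the post says Apple never acted on.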

Apple’s A7

Sunday, September 15th, 2013

I don’t spend as much time keeping track of consumer tech these days, but I stumbled on an interesting article on Apple’s new A7 that got me to dig a bit more:

While in the short term there have been more last-minute leaks from component suppliers, and it may be a losing battle, it looks like Apple is attacking strategic leaks through increased vertical integration: building or buying a fab may only be the first step (keeping in mind that Apple has over $100B in offshore cash).

Plastic cases are one thing, but it’ll be interesting to see how secret Apple can keep its AppleTV and iWatch developments. I think it’s fair to expect the former may end up attacking the living room/XBone a lot more directly than past efforts, and the latter will have a pretty big personal sensing/informatics component. These are both things that are pretty untapped markets for Apple that would benefit from a 360 ecosystem.

Why Automation Is Problematic

Monday, September 2nd, 2013

It’s Labor Day here in the US, and automation and its implications is something that again, has been weighing on my mind.

Here’s the short, to the point summary in two graphs:

Changes in Productivity and Hourly Compensation since 1948

Change in Productivity and Wages since 1979

To spell it out: the fundamental problem with automation is that when workers (let’s call them the “proletariat”) are displaced by automation, they don’t see any of society’s productivity gains – those benefits are instead captured and concentrated by a smaller and smaller set of owners/capitalists (let’s call them the “bourgeoisie”).

Economic and technological logic is no doubt going to inexorably drive this displacement, but it’s not going to address the resulting social instability creating a massive and literally unsustainable underclass.

Related recent articles/discussion:

Some Notes on Labor, Technology and Economics

Tuesday, March 26th, 2013

I think that we are all aware that advanced capitalism is leading us down a road that as a society, we may not want to travel – constant crisis due to increasingly advanced, complex, and unstable financialization, an increasingly vicious trend toward plutocracy and plutonomy that has obliterated socioeconomic mobility via massively increasing inequality, and of course, as an engine of unsustainability, where environmental, health, and social costs are externalized and reality is subsumed via a twisted economic logic.

All these things really should be teased out into much larger discussions, but a few recently related links/discussions I want to make note of (I’m slowly moving some things back out of Evernote into a way that can be narratized):

  • HN: Confessions of a Job Destroyer – a good essay that highlights what technological “disruption” really means; relevant to software, robotics and all sorts of enabling technologies
  • HN: Unfit for work (npr.org) – NPR is doing a weeklong series on how the disability program is hiding massive collapses in the workforce

Also, this image popped up in my Twitter stream recently…

A quick Google search shows that it’s been floating around for at least a year, and the bottom text references an organization that ceased to exist in 1982 so it is probably quite old, but still resonates as much (if not more) today. Here’s the text transcribed (via)

If you’re unemployed it’s not because there isn’t any work

Just look around: A housing shortage, crime, pollution; we need better schools and parks. Whatever our needs, they all require work. And as long as we have unsatisfied needs, there’s work to be done.

So ask yourself, what kind of world has work but no jobs. It’s a world where work is not related to satisfying our needs, a world where work is only related to satisfying the profit needs of business.

This country was not built by the huge corporations or government bureaucracies. It was built by people who work. And, it is working people who should control the work to be done. Yet, as long as employment is tied to somebody else’s profits, the work won’t get done.

- The New American Movement (NAM)

Searching for this led to this interesting article:

KIN Lessons

Thursday, July 8th, 2010

There’s been a lot of recent reporting on the complete failure of the KIN (and Microsoft in general). Of these, I think that this comment from a Danger employee posted on Mini-Microsoft both sums things up, and serves as an object lesson for anyone in tech, and is worth reposting in full:

To the person who talked about the unprofessional behavior of the Palo Alto Kin (former Danger team), I need to respond because I was one of them.

You are correct, the remaining Danger team was not professional, nor did we show off the amazing stuff we had that made Danger such a great place. But the reason for that was our collective disbelief that we were working in such a screwed up place. Yes, we took long lunches and we sat in conference rooms and went on coffee breaks, and the conversations always went something like this… “Can you believe they want us to do this?” Or “Did you hear that IM was cut, YouTube was cut? The App store was cut?” “Can you believe how mismanaged this place is?” “Why is this place so dysfunctional??”

Please understand that we went from being a high functioning, extremely passionate and driven organization to a dysfunctional organization where decisions were made by politics rather than logic.

Consider this: in less than 10 years with 1/10 of the budget Microsoft had for PMX, we created a fully multitasking operating system, a powerful service to support it, 12 different device models, and obsessed and supportive fans of our product. While I will grant that we did not shake up the entire wireless world (à la iPhone), we made a really good product and were rewarded by the incredible support of our userbase and our own feelings of accomplishment. If we had had more time and resources, we would have come out with newer versions, supporting touch screens and revamping our UI. But we ran out of time and were acquired, and look at the results. A phone that was a complete and total failure. We all knew (Microsoft employees included) that it was a lackluster device, lacked the features the market wanted, and was buggy with performance problems on top of it all.

When we were first acquired, we were not taking long lunches and coffee breaks. We were committed to helping this Pink project out and showing our stuff. But when our best ideas were knocked down over and over and it began to dawn on us that we were not going to have any real effect on the product, we gave up. We began counting down to the 2 year point so we could get our retention bonuses and get out.

I am sorry you had to witness that amazing group behave so poorly. Trust me, they were (and still are) the best group of people ever assembled to fight the cellular battle. But when the leaders are all incompetent, we just wanted out.

(On another note, every time I read the minimsft comments, I just can’t get over how fucked MSFT’s corporate culture is. There’s just so much wrong on every level, it’d pretty much be impossible to succeed.)

And an interesting follow-up comment from another insider on project particulars:

Microsoft is a large enough company that experience in one part of it may not be applicable to other parts. (Duh). In PMX, there was no backstabbing or people out to get people. There was only poor management, a poorly designed and implemented product, and an insane delivery schedule.

Some random thoughts:

PMX was said to be a risky project. You don’t fire people who fail at risky projects, because if you do, eventually nobody will be willing to take a risk. Nobody will get fired and whatever accountability there is will happen behind closed doors.

PMX was very poorly run. One HR manager involved with the Danger onboarding actually described the failure as a ‘cluster f***’. Danger was lied to about the reason for the purchase and that set the tone of the relationship between ex-Danger people and PMX. It would only get worse as the project continued. The onboarding was typical of the quality of management. The MS-Poll results, some of the worst on record, were accurate, even though they were written off as “influenced by disgruntled Danger people.”

The Verizon deal was made by business development folk before engineering had been consulted. There was no way a phone capable of selling in the marketplace could have been developed using Microsoft software management process in the time frame.

In addition, between inception and delivery, the market place changed dramatically but Microsoft was unable to move agilely enough to compensate.

The phone should never have gone to market. It is too poorly designed, too buggy, too incomplete, and too overpriced. When Microsoft became aware of the data plan pricing that Verizon proposed, the project should have been cancelled, saving a couple hundred million in development and advertising.

It did sell more than 500, but I doubt anyone is going to argue against the Wall Street Journal assessment that it sold fewer than 10,000.

The number ‘2 billion’ is floating around as an estimate of the cost of PMX over its life. That number is too high, but ‘1 billion’ is too low.

…Now I Am The Master

Friday, April 9th, 2010

From Apple’s 1984 commercial:

Today, we celebrate the first glorious anniversary of the Information Purification Directives. We have created, for the first time in all history, a garden of pure ideology, where each worker may bloom, secure from the pests purveying contradictory truths. Our Unification of Thoughts is more powerful a weapon than any fleet or army on earth. We are one people, with one will, one resolve, one cause. Our enemies shall talk themselves to death and we will bury them with their own confusion. We shall prevail!

From Apple’s iPhone 4 SDK iPhone Developer Program License Agreement:

3.3.1 — Applications may only use Documented APIs in the manner prescribed by Apple and must not use or call any private APIs. Applications must be originally written in Objective-C, C, C++, or JavaScript as executed by the iPhone OS WebKit engine, and only code written in C, C++, and Objective-C may compile and directly link against the Documented APIs (e.g., Applications that link to Documented APIs through an intermediary translation or compatibility layer or tool are prohibited).

Some discussion at Boing Boing and Hacker News. (see also)

Paul Graham Nails It

Friday, November 20th, 2009

I’m not always in agreement with Paul Graham, but he’s absolutely spot on with his essay on how broken the Apple App Store is and how it’s disastrous.

So I bought it, but I bought it, for the first time, with misgivings. I felt the way I’d feel buying something made in a country with a bad human rights record. That was new. In the past when I bought things from Apple it was an unalloyed pleasure. Oh boy! They make such great stuff. This time it felt like a Faustian bargain. They make such great stuff, but they’re such assholes. Do I really want to support this company?

This essay is just chock full of good stuff and worth a full read.

How would Apple like it if when they discovered a serious bug in OS X, instead of releasing a software update immediately, they had to submit their code to an intermediary who sat on it for a month and then rejected it because it contained an icon they didn’t like?

By breaking software development, Apple gets the opposite of what they intended: the version of an app currently available in the App Store tends to be an old and buggy one.

If your company seems evil, the best programmers won’t work for you. … But the real problem for Microsoft wasn’t the embarrassment of the people they hired. It was the people they never got. And you know who got them? Google and Apple. If Microsoft was the Empire, they were the Rebel Alliance. And it’s largely because they got more of the best people that Google and Apple are doing so much better than Microsoft today.

Trent Reznor Interview

Sunday, April 26th, 2009

If you missed/passed on this the first time around like I did, check it out if you want to hear some thoughtful talk on the music industry, etc.

UPDATE: err, for whatever reason, this embed makes my browser run like crap, so here’s a link to the interview instead.

Virgin America’s Crappy Online User Experience

Monday, April 6th, 2009

These days I mostly prefer to fly on Virgin America. Their flight experience is a huge step above most of the other domestic carriers (friendly service, decent seats, regular non-prison inmate faucets, etc.) and touches like plugs in every seat, a good entertainment system (although there’s also a huge unfinished post about improving that), and now wifi, all at a competitive price makes it pretty much a no-brainer for me.

So, it’s always been a little surprising that an airline with such a strong focus on branding and flight experience, one that seems targeted at people like me, would have such a bad online experience.

I’m actually not going to bitch too much about the website (you know, about how it’s slow, has weird bookmark-unfriendly URLs with weird sessions, is much too dependent on Flash, with lots of weird interactions where it consistently takes me multiple tries to log in because its login form doesn’t tab properly, etc.), but rather to focus on something that happened to me today that should have been a good thing.

I had a 2PM-ish flight back home today. At 11:30AM, an email gets sent to me from “Virgin America Guest Services” about an “Important Schedule Change Notification”:

Your flight has been impacted by a schedule change which may result in the departure time of your flight being earlier than previously scheduled.

That’s actually great – well, certainly better to be notified as soon as possible than not to find out at all. And besides being good customer service, I’m sure it’s good on VA’s end if they can reduce the amount of shuffled seating that kind of schedule change might cause. However, it continues:

We’d encourage you to login to the Check-In / Travel Manager section of our website at virginamerica.com to view your current itinerary. You’ll need your elevate login information or your confirmation code (see below) and your last name to access your itinerary. If you have any questions regarding the new time please contact our Reservations call center at 1.877.FLY.VIRGIN (1.877.359.8474) between the hours of 3:30am – 11:30pm PST. You may already be aware of the new departure time and will not need to take any action at this time.

Now, this is cut and pasted directly from the email. It is an HTML email, but it doesn’t include even a link to the site, not to mention a link to the flight information. This of course is made doubly frustrating by the fact that it is a personalized email that includes my name, address, and confirmation number. Now, I’m not a rocket scientist, but couldn’t they just save a step and include the flight information and what changed? If for some reason they couldn’t, why wouldn’t they include a direct link to that information? That’s all before you try to load the VA site on your phone. (Which works, barely, on my iPhone. Good luck with that if you don’t have 3G or WebKit.)

It seems that VA would actually save money if they could streamline this, since as it is, they probably get a lot of people calling rather than looking at the email and finding out what they need.

Since I like VA, the next step for me was replying and letting them know that it’d be great if they could include the information, a link, or something mobile friendly. Unfortunately, once I got home, I saw that it was sent from a no-reply email address (bounced!). There’s no other way to contact VA from the email, unless you want to spend time on the call center, which isn’t a good use of anyone’s time.

Well, since I really do like VA (have I mentioned it’s incredibly easy to stand by on an earlier flight?), I decided to go to the website and contact them… and after writing out my brief issues in 4 bullet points, it turns out there’s a 1024 character limit (yes, that’s 7 tweets, and no dynamic character counter).

At this point, I probably should have given up, but I’m a sucker for sunk costs, so I went to look for an online character counter and started shaving off characters and doing some txt squeezing. In the end, they got my “feedback,” but it did get me thinking about this whole chain of events, and about how lots of these little bad UX decisions can compound to ultimately burn good will really quickly (and how difficult this sort of thing is to measure).

Now, I don’t think that this had a particularly big effect on my feelings about VA getting me from point A to point B decently; however, it’s interesting to me when I compare, say, their level of quality/attention to detail for things like their safety video (the best I’ve seen) vs their online/digital UX.

From my perspective, I also think that there’s a pretty strong business case, and at least for some of these the ROI is calculable (i.e., bucket-testing call % or missed-flight percentage if you A/B test variations of the initial email), but for most of the rest of it, it’s not. To some degree, I also wonder whether a company like VA (or almost any company) really values how much of their UX and ultimately their marketing, customer service, and brand is dictated/deeply impacted by their online experience. They must have the numbers on what percent of their sales come through the website and what percentage of customers are subscribed to email or use the mobile web.

Anyway, enough rambling. Now I’m just putting off all the work I need to do before my next flight…

Jim Cramer on The Daily Show

Friday, March 13th, 2009

Jon Stewart is able to articulate some of the things that are so exasperating about this whole situation and that the “real” media has been remiss on. Worth watching.

For geeks wondering about whether these systemic issues might be fixable, Toby Segaran and Jesper Andersen gave an interesting talk at ETech about developing a more robust credit rating system (it picks up in the last third where they start demoing what they’ve been doing). Check out Freerisk to see what they’re up to.