You can sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.
A selection of 10 links for you. Demand a recount if you want. I’m @charlesarthur on Twitter. Observations and links welcome.
“Mobile voting is a horrific idea,” said election security expert Joe Hall when I asked him about a West Virginia experiment with blockchain-based mobile voting back in August.
But on Tuesday, The New York Times published an opinion piece claiming the opposite.
“Building a workable, scalable, and inclusive online voting system is now possible, thanks to blockchain technologies,” writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute.
Tapscott is wrong—and dangerously so. Online voting would be a huge threat to the integrity of our elections—and to public faith in election outcomes.
Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible—and I think it probably is—this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms.
For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters’ credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials—or simply trick them into thinking they’ve cast a vote when they haven’t.
Tapscott says these concerns are no big deal because voters can always check later to see if their vote was recorded properly.
“Because of the clear chain of custody, citizens could prove that their voting tokens had been stolen,” he writes.
But let’s think about how this would play out in practice. Suppose it’s mid-November 2020 and Donald Trump has narrowly won reelection. A few thousand voters in key swing states come forward to say that they intended to vote for Trump’s opponent but their vote was recorded for Trump instead. Thousands of others say they tried to vote for Trump—or against him—but their votes weren’t counted.
Was that due to hackers meddling with the vote, technical snafus, or user error? Were some of them just misremembering how they had cast their ballots? There would be no way to know for sure.
Why replace something that everyone understands with something that nobody does? Paper ballots are simple, really hard to forge, and checkable.
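To make Lee’s point concrete, here is a toy ballot ledger, an added example constructed for this post and not code from Ars Technica, from Tapscott, or from any real voting system. It has the two properties the op-ed leans on: a hash chain that makes after-the-fact tampering detectable, and a lookup so a voter can “check later” whether their credential was counted. The scenario then does exactly what the extract warns about, a compromised phone that flips the vote and a credential that was phished and spent before the voter used it, and both checks still pass. The issuing key, the voter names and the choices are all constructed.

```python
"""Toy ballot ledger, constructed for this note. It is not any real voting
system and not Tapscott's proposal. A hash chain gives tamper-evidence for
entries once written, and a voter can look up whether their credential was
used; neither check says anything about what happened on the voter's phone
or whether the credential was stolen before they used it."""
import hashlib
import hmac
import json

ISSUER_KEY = b"election-authority-key"   # assumption: key held by the issuing authority
GENESIS = "0" * 64


def issue_credential(voter_id: str) -> str:
    """Credential sent to a voter; assumed here to be an HMAC over the voter id."""
    return hmac.new(ISSUER_KEY, voter_id.encode(), hashlib.sha256).hexdigest()


def entry_hash(credential: str, choice: str, prev: str) -> str:
    body = json.dumps({"cred": credential, "choice": choice, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []      # each: {"cred", "choice", "prev", "hash"}
        self.used = set()

    def cast(self, credential: str, choice: str) -> bool:
        """Record a ballot. Each credential is accepted once; first use wins."""
        if credential in self.used:
            return False
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"cred": credential, "choice": choice, "prev": prev,
                             "hash": entry_hash(credential, choice, prev)})
        self.used.add(credential)
        return True

    def verify_chain(self) -> bool:
        """Public integrity check: every entry links to the previous one."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_hash(e["cred"], e["choice"], prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def lookup(self, credential: str):
        """What the voter sees when they 'check later'."""
        for e in self.entries:
            if e["cred"] == credential:
                return e["choice"]
        return None

    def tally(self) -> dict:
        counts = {}
        for e in self.entries:
            counts[e["choice"]] = counts.get(e["choice"], 0) + 1
        return counts


def honest_client(ledger, credential, intended):
    return ledger.cast(credential, intended)


def compromised_client(ledger, credential, intended, flip_to):
    """Malware on the voter's device: shows a confirmation for `intended`
    and submits `flip_to`. The ledger cannot tell the difference."""
    return ledger.cast(credential, flip_to)


def scenario():
    ledger = Ledger()
    alice, bob, carol = (issue_credential(v) for v in ("alice", "bob", "carol"))
    honest_client(ledger, alice, "A")
    compromised_client(ledger, bob, "A", flip_to="B")    # Bob intended A
    ledger.cast(carol, "B")                               # attacker spends Carol's phished credential
    carol_accepted = ledger.cast(carol, "A")              # Carol's own vote is now a duplicate
    return {
        "chain_ok": ledger.verify_chain(),   # True: nothing was altered after being written
        "bob_sees": ledger.lookup(bob),      # "B": Bob's complaint is his word against the ledger's
        "carol_accepted": carol_accepted,    # False: the thief got there first
        "tally": ledger.tally(),             # {"A": 1, "B": 2}
    }
```

Every cryptographic check in the model holds, and the tally is still wrong by two votes. Bob can show the ledger recorded “B” under his credential, but nothing on the ledger distinguishes malware from a change of mind, which is the unresolvable dispute the extract describes.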
link to this extract
The title “We Are the Nerds” doesn’t really fit the tale. “We Are the Trolls” would have made much more sense. “I was always kind of an [expletive],” [co-founder Steve] Huffman explains early on. [The author, Christine] Lagorio-Chafkin bluntly calls him “a total troll.” He was also a genius programmer. The great achievement of the social internet was to unleash jerkdom for many while monetizing it for a few.
The Reddit tale is an indictment of Silicon Valley, something Lagorio-Chafkin seems to sense but never confronts head-on, perhaps because she is so grateful for access to Huffman and [co-founder Alexis] Ohanian. “Two nice guys who made it, by crafting something incredible and yet ridiculously unwieldy, with no lack of turbulence along the way,” Lagorio-Chafkin writes in an author’s note. A more accurate summation might be: “Two inexperienced young guys created something they didn’t understand and couldn’t control.”
It’s all here anyway: the lack of adult oversight; the suck-up press; the growth-at-any-cost mentality; the loyal employees, by turns abused and abusive (memo from management: “You do realize you were talking about penises for 90 minutes, right?”); the defense of horrendous behavior as “free speech”; the jettisoning of “free speech” when it served corporate purposes; the way no one seeks permission but all expect forgiveness…
…Reddit became so offensive it was difficult to work there. A community manager who had a brief tenure in 2015 told Lagorio-Chafkin some of the reasons: “Child molesters, child porn, vicious stalking, rape threats, serious harassment, people taking the harassment offline and people filing police reports on each other.” One chief executive, stressed beyond endurance, simply stopped showing up for work. His replacement, Ellen Pao, tried to impose order in the office and on the site. The backlash led to her abrupt departure. Huffman returned and purged most of the staff.
Right, because purging the staff would accomplish…? At least we’re getting a history of this period of the internet.
link to this extract
When smartphones first appeared, major corporations rushed to make apps. Then they realized it was a real headache to maintain them. Every time you update information on your website or promote a product, you have to do the same on your app. And every time a handset manufacturer updates its operating system, you have to debug your app to make sure it keeps working — plus there are the pains of managing bugs on different brands, models, and screen sizes. If you’ve ever been involved in mobile app development, you know what I’m talking about.
The truth is, unless you are a major retailer or content publisher that needs to sell or deliver to customers frequently, all you really need is a mobile-friendly website. If information is all people want, they’re going to Google it in a browser.
Given the first two points, this third is a logical evolution and is already happening in some parts of the world. It’s what the industry calls “building an ecosystem.” The strategy involves binding users’ daily behaviors and spending into their mobile apps.
A good example is how restaurants and cafes are integrating into food delivery apps instead of maintaining their own online order and delivery systems. In turn, these food delivery apps are consolidating with mobile wallet or ride-share apps to provide synergy and convenience to users. Consider Go-Jek, the biggest motorcycle ride-share app in Indonesia. To many people, it’s an all-in-one mobile wallet, ride-hailing, food delivery, and lifestyle services app.
Go-Jek took its inspiration from China’s WeChat, the biggest instant messaging app in that country, which has integrated just about every lifestyle service you can think of into their mobile wallet section.
The “platform rolling up apps” might apply in China, and possibly some parts of Asia, but I don’t see it happening in Europe. And for mobile apps: you do the updates to the web page and the app simultaneously via an API.
link to this extract
Modern production codebases are extremely complex and are updated constantly. To create a system that can automatically find fixes for bugs — without help from engineers — we built a tool that learns from engineers’ previous changes to the codebase. It finds hidden patterns and uses them to identify the most likely remediations for new bugs.
This tool, called Getafix, has been deployed to production at Facebook, where it now contributes to the stability of apps that billions of people use. Getafix works in conjunction with two other Facebook tools, though the technology can be used to address code issues from any source. It currently suggests fixes for bugs found by Infer, our static analysis tool that identifies issues such as null pointer exceptions in Android and Java code. It also suggests fixes — via SapFix — for bugs detected by Sapienz, our intelligent automated testing system for our apps. Having previously given an overview of SapFix and Sapienz, we are now offering a deep dive into how Getafix learns how to fix bugs (using the term broadly to refer to any code issues, not just those that will cause an app to crash).
The goal of Getafix is to let computers take care of the routine work, albeit under the watchful eye of a human, who must decide when a bug requires a complex, nonroutine remediation. The tool works by applying a new method of hierarchical clustering to many thousands of past code changes that human engineers made, looking at both the change itself and also the context around the code change. This method allows it to detect the underlying patterns in bugs and the corresponding fixes that previous auto-fix tools couldn’t.
This is amazing.
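As an added illustration, not Facebook’s code and not Getafix’s actual algorithm (Getafix works on much richer representations of the code and uses the hierarchical clustering the extract mentions), the block below shows the core idea on a deliberately small scale: take past (buggy, fixed) pairs, keep the tokens all the examples agree on, turn the tokens that differ into holes, and reuse the holes to suggest a fix for new code that fits the pattern. The example pairs are constructed; the null-check shape is the kind of Infer finding the extract mentions.

```python
"""Added toy: learning a fix template from past edits.
Not Getafix. This operates on token sequences of equal length, which is enough
to show the idea: tokens the examples agree on stay literal, tokens that differ
become holes, and the holes carry concrete tokens from a new bug into the
suggested fix."""
import re

TOKEN = re.compile(r"\w+|==|!=|[^\w\s]")

# Constructed examples of past human fixes (Java-ish null checks).
EXAMPLES = [
    ("x.foo()", "x == null ? null : x.foo()"),
    ("y.bar()", "y == null ? null : y.bar()"),
]


def tokenize(code: str):
    return TOKEN.findall(code)


def is_hole(token) -> bool:
    return isinstance(token, tuple)   # holes are ("hole", n); literals are str


def anti_unify(seqs):
    """Generalise equal-length token sequences into one template.
    Returns (template, holes) where holes maps each column of differing
    tokens, e.g. ("x", "y"), to the hole that replaced it."""
    if len({len(s) for s in seqs}) != 1:
        raise ValueError("this toy only generalises sequences of equal length")
    template, holes = [], {}
    for column in zip(*seqs):
        if len(set(column)) == 1:
            template.append(column[0])
        else:
            template.append(holes.setdefault(column, ("hole", len(holes) + 1)))
    return template, holes


def learn_fix(examples):
    """Returns (before, after) templates that share hole names."""
    before, before_holes = anti_unify([tokenize(b) for b, _ in examples])
    after, after_holes = anti_unify([tokenize(f) for _, f in examples])
    rename = {}
    for column, hole in after_holes.items():
        if column not in before_holes:
            raise ValueError("fix varies in a way the buggy code does not determine")
        rename[hole] = before_holes[column]
    return before, [rename.get(t, t) for t in after]


def match(template, tokens):
    """Bind holes to tokens, or return None when the code does not fit."""
    if len(template) != len(tokens):
        return None
    binding = {}
    for t, tok in zip(template, tokens):
        if is_hole(t):
            if binding.setdefault(t, tok) != tok:
                return None
        elif t != tok:
            return None
    return binding


def suggest_fix(pattern, code: str):
    """The suggestion a human would still review before it is applied."""
    before, after = pattern
    binding = match(before, tokenize(code))
    if binding is None:
        return None
    return " ".join(binding[t] if is_hole(t) else t for t in after)
```

`learn_fix(EXAMPLES)` yields the pattern `?1 . ?2 ( )` → `?1 == null ? null : ?1 . ?2 ( )`, so `suggest_fix(pattern, "z.baz()")` proposes `z == null ? null : z . baz ( )` (the join is whitespace-lossy, which is fine for a suggestion) and code that does not fit the pattern gets no suggestion at all. Everything the real tool adds, context around the change, clustering of many thousands of edits, ranking of competing patterns, sits on top of this one step.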
link to this extract
Despite their respective merits, every one of these [proposed] solutions [to “replace the password”] has a massive shortcoming that severely limits their viability and it’s something they simply can’t compete with:
Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.
This is where we need to recognise that decisions around things like auth schemes go well beyond technology merits alone. Arguably, the same could be said about any security control and I’ve made the point many times before that these things need to be looked at from a very balanced viewpoint. There are merits and there are deficiencies and unless you can recognise both (regardless of how much you agree with them), it’s going to be hard to arrive at the best outcome…
…Almost a year ago, I travelled to Washington DC and sat in front of a room full of congressmen and congresswomen and explained why knowledge-based authentication (KBA) was such a problem in the age of the data breach. I was asked to testify because of my experience in dealing with data breaches, many of which exposed personal data attributes such as people’s date of birth. You know, the thing companies ask you for in order to verify that you are who you say you are! We all recognise the flaws in using static KBA (knowledge of something that can’t be changed), but just in case the penny hasn’t yet dropped, do a find for “dates of birth” on the list of pwned websites in Have I Been Pwned. So why do we still use such a clearly fallible means of identity verification? For precisely the same reason we still use the humble password and that’s simply because every single person knows how to use it.
This is why passwords aren’t going anywhere in the foreseeable future and why [insert thing here] isn’t going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can’t access their accounts is going to change that.
Essentially, we’re stuck with what we started with, because it’s so widely used. Though biometrics on phones do offer even less friction, and are increasingly hard to fool.
link to this extract
The company, the Taiwanese supplier to Apple, has been trying to tap Chinese engineers through internal transfers to supplement staffing for the Wisconsin plant, according to people familiar with the matter.
The state pledged $3 billion in tax and other “performance-based” incentives to help lure Foxconn, and local authorities added $764 million. Foxconn must meet hiring, wage and investment targets by various dates to receive most of those benefits.
The company promised the state it would invest $10bn and build a 22-million-square-foot liquid-crystal display panel plant, hiring 13,000 employees, primarily factory workers along with some engineers and business support positions.
Foxconn said its “Wisconsin first commitment remains unchanged,” in a written statement to The Wall Street Journal in response to questions about its hiring plans. In a separate statement it said it still plans to ultimately hire 13,000, and the majority “will work on high-value production and engineering assignments and in the research and development field.”
Foxconn says: nope nope nope. But Wisconsin’s unemployment rate is well below the national average.
link to this extract
Following the highly publicized “ban” in early August, Jones’ show and much of the removed InfoWars news content appears to have moved swiftly back onto the Facebook platform.
Here’s the deal: I was not tracking the InfoWars accounts that were inevitably going to reappear after the official accounts were banned on Facebook. In fact, when I encountered the Alex Jones’ livestream shown in the image below, I wasn’t looking for InfoWars. I was looking for Soros conspiracies.
And what did I get? The live high-definition stream of Jones’ show on Facebook — broadcast on one of the many InfoWars-branded Pages that is inconspicuously named “News Wars.”
Alex Jones’ program found me. To add more context, a couple weeks ago, I was looking for posts on Facebook related to the Soros-funded “caravan” rumor. For one of my searches, Jones’ live stream above, titled “A New Caravan of Invaders,” was one of the top twenty results returned on Facebook from the search.
What this unfortunate stroke of luck meant was that I found out Jones’ show has been broadcast nearly every day for the past three months on at least two Infowars-branded Facebook Pages. Nice ban.
News Wars, and a Page called “Infowars Stream” were being promoted by Facebook via its search and video recommendation algorithms for searches about conspiracies and politics — such as my query for “Soros caravan.”
Since the first day of August — the same week Jones’ and the largest of the InfoWars Pages were taken down — Jones’ InfoWars broadcasts — primarily the streams of Alex Jones’ daily “censored” talk show on InfoWars — have been viewed at least five million times. And over the same time period, these two Pages, with less than 30,000 followers combined, have reported almost 700,000 interactions.
Pages and Groups: real conduits for misinformation.
link to this extract
It could be a lot worse. This simple demonstration is not malicious. An attacker could craft a script which phished for user credentials, tried to hijack the administrators’ cookies, or mined cryptocurrency. In short, a user or administrator could not trust the content on the page.
This was the site owner’s response to my investigation.
There’s also the issue of trust in the website. If an attacker can rewrite the page – even temporarily – they could convince users to transfer money, ownership, or attention elsewhere.
When you view content on ArtChain, you have no way of knowing whether it is official or hacked. When the site displays a BitCoin address, it could be ArtChain’s – or it could be an attacker’s.
Blockchain can’t save you from hubris, ArtChain.
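As an added example, not code from the original post and not ArtChain’s, here is the generic mechanism behind “an attacker can rewrite the page”: untrusted input concatenated straight into HTML, next to the escaped rendering that neutralises it, a quick check a reviewer can run over rendered output, and the Content-Security-Policy that stops an inline script even if an escape is missed somewhere. The page template, both Bitcoin addresses and the payload are constructed for the example and say nothing about how ArtChain’s actual site is built.

```javascript
// Added illustration, not code from the original post and not ArtChain's.
// The template, the addresses and the payload below are constructed.

const OFFICIAL_ADDRESS = "1OfficialExampleAddressDoNotSend00000"; // constructed
const ATTACKER_ADDRESS = "1AttackerExampleAddressDoNotSend00000"; // constructed

// Constructed payload of the kind the extract describes: a script that, once
// it runs in a visitor's browser, swaps the donation address on display.
const PAYLOAD =
  `<script>document.getElementById("btc").textContent="${ATTACKER_ADDRESS}"</script>`;

// Vulnerable rendering: an attacker-influenced value (here a title) is
// concatenated into the markup, so markup in the value becomes markup in
// the page and the attacker's script runs with the site's own authority.
function renderUnsafe(title) {
  return `<h1>${title}</h1>` +
         `<p>Donate: <span id="btc">${OFFICIAL_ADDRESS}</span></p>`;
}

// Escape the five characters that can change HTML structure.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted value passes through escapeHtml, so the
// payload is shown as text instead of being executed.
function renderSafe(title) {
  return `<h1>${escapeHtml(title)}</h1>` +
         `<p>Donate: <span id="btc">${OFFICIAL_ADDRESS}</span></p>`;
}

// Rough reviewer's check on rendered output: is there active content that the
// template itself did not put there (script element, inline handler,
// javascript: URL)? Good for a smoke test, not a substitute for escaping.
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Backstop for the case where an escape is missed: a policy that refuses
// inline scripts, so a browser that honours it will not run PAYLOAD even
// when renderUnsafe is used.
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
```

The asymmetry the extract points at is visible here: the hardened page shows the visitor the literal text `<script>…`, which looks odd but is harmless, while the vulnerable page shows a perfectly normal-looking donation box whose address the site owner no longer controls.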
link to this extract
Marco Arment uses a Mac mini at home as a home theatre mixer, Plex server, scanner server, photos backup and a host for his NAS (network attached storage); now he’s tested the new one, and really likes it:
It seemed for a while that Apple lacked any interest in making Macs anymore, especially desktops.
Last year, with the introduction of the absolutely stellar iMac Pro, Apple showed us a glimpse of a potential new direction. It was downright perfect — a love letter to the Mac and its pro desktop users, and a clear turnaround in the way the company views the Mac for the better.
We didn’t know until now whether the iMac Pro’s greatness was a fluke. But now we have another data point: the last two desktops out of Apple have been incredible. After this, I have faith that they’re going to do the new Mac Pro justice when it finally ships next year.
The new Mac Mini is a great update, out of nowhere, to a product we thought would never be updated again.
Of course, with Apple’s track record on the Mac Mini, it may never be updated after this. This is either the first in a series of regular updates with which Apple proves that they care about the Mac Mini again, or it’s the last Mac Mini that will ever exist and we’ll all be hoarding them in a few years. We can’t know yet.
The only negative is that it doesn’t have optical-out. But: four – count ’em – USB-C ports. It looks like a hell of a machine if you can find a static need for it.
link to this extract
This Thanksgiving let us all give thanks for the lack of a Touch Bar. The MacBook Pro’s touch-screen strip has proved to be nothing more than a novelty.
Absolutely not a novelty: Touch ID. The fingerprint sensor, embedded in the upper right corner of the new Air’s keyboard, beats typing in passwords. But why no Face ID, after two iPhone generations and a new iPad, not to mention Apple’s insistence that face recognition is more reliable and secure? Windows Hello, Microsoft’s facial recognition for PCs, is quite good.
Performance should be the deciding factor between the MacBook Air and the MacBook Pro. If your days are filled with some combination of web browser tabs, email, documents, presentations, spreadsheets and light video or photo work, you won’t feel a performance difference between the Air and the Pro. In my tests, applications performed as snappily. But I saw a difference in more processor-intensive tasks—exporting or rendering video files, opening large batches of files, etc. For instance, the 2017 MacBook Pro exported a 4K video 45% faster than the new Air.
If you’re considering the small MacBook instead of the Air… just don’t. It costs more, runs slower and has shorter battery life.
The old Air’s battery life was once industry-leading: thirteen hours—two cross-country flights—without needing a charge. The new Air delivers just around the same, depending on your usage and screen brightness. I made it through a full workday of intermittent use, plus more work after dinner, without needing to charge.
However, my tests indicate that the old Air still lasts longer.
She points out that the HP Spectre lasts even longer (15hr) and comes with more storage as standard (256GB); the 128GB of the base model here is “a blatant upsell”. And she’s not delighted by the new keyboard.
Apple’s PC line definitely doesn’t make sense now – the MacBook price is crazy – and Stern hits it right on the head: this upgrade is at least three years overdue.
Her video review is done in a hot air balloon (air, geddit?) and as always, deserving of your time.
link to this extract
Errata, corrigenda and ai no corrida: none notified