Longform
Beware of Email Apps Storing Passwords
Email apps, especially ones that offer advanced services like “send later,” may be storing our usernames and passwords on their servers.
To be clear what that means: if you use Gmail, for example, you put your Google username and password into the app when you set it up. You expect the app to store them securely on your device. But some apps may also be storing that username and password — your keys to all the Google services in this example — on computers owned by the company that makes the app. Computers over which neither you nor Google has any control.
I’m not suggesting that the company I talk about below, or any other, is doing anything nefarious. They need to be able to log in to your mail server in order to send your mail later. But I hadn’t realised until now what that means, and I’m guessing neither will a lot of people. And to my mind they don’t make what they’re doing clear enough.
Worst of all, having passwords stored on unknown servers — at the very least, that’s worrying.
Background
On episode 194 of the Connected podcast, Myke Hurley and Federico Viticci were reviewing the latest version of the iOS (and Mac) app Spark. It’s a fine email app, which I was using on my iPhone and iPad. So I was alarmed when they mentioned in passing that mail handled by the app is routed through Readdle’s servers. That didn’t seem likely at first. Spark is an email client. You tell it what servers handle your mail, and it connects to them to receive and send. The servers belonging to the company that makes the app have no business getting involved in that.
I did some digging. Whether or not Myke was right™ about mail going through their servers, the reality turned out to be much worse.
Digging
I tweeted at the Spark account. Here’s what happened:
@SparkMailApp Hi, I was listening to a podcast today on which it was suggested that if I use Spark, then my email is routed through your servers. Is that true?
— Martin McCallion (@devilgate) May 25, 2018
Which podcast said that?
— Terry Blanchard (@terryblanchard) May 25, 2018
The latest episode of Connected, with Myke Hurley and Federico Viticci.
— Martin McCallion (@devilgate) May 25, 2018
The only time Spark servers access your email is to create a push notification (to create sender, subject, and message snippet) The content is cached until the notification is sent, but removed after that.
— Terry Blanchard (@terryblanchard) May 25, 2018
OK, seems fair. Thanks. Probably all a misunderstanding, either by them or me. Just out of interest, is the “send later” feature done on the client?
— Martin McCallion (@devilgate) May 25, 2018
Ah, forgot about that one! We will store it on our server until the send later time, then we send it through your email server and it is removed from our server.
— Terry Blanchard (@terryblanchard) May 25, 2018
OK. Isn’t that a problem, in that you must be storing your users’ mail server credentials on your servers? I’m pretty sure it doesn’t say that in your Ts&Cs.
— Martin McCallion (@devilgate) May 25, 2018
It’s the second item that we mention in our privacy policy. https://t.co/WpQSIDGPgx
— Terry Blanchard (@terryblanchard) May 25, 2018
I had already found their privacy policy:
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
The wording “Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages” suggests that Spark the app needs to log into your server, which it does. But nothing about that says that your credentials will be stored on their servers.
Further down, in point 4, “How Long Personal Data is Stored For,” in a table that includes “Type of information,” we see (emphasis mine):
Email address, email content for Spark Services, mail server credentials
So there it is. They do store your username and password on their servers, and they do tell you; though only if you read well into the kind of document that notoriously goes unread.
Final Thoughts
For features like “send later” they need to store the fact that you want to send an email at a specific time, and log in to your server in order to send it. And to be fair, I’m sure they can’t be alone in keeping that kind of data. Lots of clients offer “send later” and similar services, and all of them will have to log in to your mail server to work. So they have to store your credentials on their servers to do it.
And consider, if you use Gmail, that means your username and password not just for Gmail, but for all Google’s services, are now stored on somebody else’s servers. Their security might be great, but how do we know?
The more I think about this, the more concerned I become. Passwords should only be stored in one place: a secure, trusted password manager. But above all, these services need to be much clearer about the fact that they’re storing our passwords.
It's Inconvenient to Talk
On Trump’s phone (mis)use:
Trump’s call-capable cellphone has a camera and microphone, unlike the White House-issued cellphones used by Obama.
I mean, it’s not going to be much use at making calls without a microphone.
The Book of Dust vol 1: La Belle Sauvage by Philip Pullman (Books 2018, 12)
The first volume in Pullman’s “equel” trilogy: part prequel, part sequel, to His Dark Materials. This one is pure prequel, about trying to protect baby Lyra from the forces of the Magisterium.
If you’re already a fan, you’ll want to read this. It’s a real page-turner. If you’re not already a fan, don’t start here, obviously. You’re looking for Northern Lights.
Which I might be just about to start rereading, because that’s what finishing this one makes me want to do.
Office Foliage
At my desk these are attacking from either side.
The view above, and the room as a whole.
Norse Mythology by Neil Gaiman (Books 2018, 11)
Gaiman takes on Thor, Loki, Odin, and the rest. Most of my knowledge of the Norse gods comes from Marvel Comics, with a bit of general cultural osmosis (for example, everyone has heard of Yggdrasil the World Tree, right?)[1]
I enjoyed it, but it feels like a slight work. That’s a shame, because these are mighty tales, or should be. I guess it’s a book meant at least partly for children, but it’s not marketed that way. And even if it’s meant for kids, the telling should be strong.
I suspect that if you already know the tales, this won’t offer much new to you. And that’s where the problem lies, I think. Instead of turning them into real narratives with proper characters, each story is not much more than a summary of the events. So he’s telling us the story of the story, rather than really telling (showing) the story. It’s a shame, because I know Gaiman could have done something much more interesting with these.
I’m probably being too harsh, though. It’s not like it’s bad. I enjoyed reading it.
[1] In searching for the link to put in there, I discovered the existence of Explain XKCD (or just possibly, rediscovered it, as it does seem a little familiar). Which is cool. Some people put a lot of time into contributing to things online, to the benefit of us all, and I salute them.
Duplex Duplicity?
In A Little Duplex Skepticism, John Gruber says what I’ve been thinking about the Google Duplex demo:
It’s totally credible that Google would be the first to achieve something like Duplex, but the fact that all they did — as far as I’ve seen — was play a recording just seems off. It feels like a con.
I’ve only heard a bit of the “booking a haircut” recording on a podcast. I thought it sounded a) impressive if real, but b) very possibly fake.
That kind of technology will come, eventually; but are we that close to it today?
(If we are, then whether or not we want it to be used in the kind of way demonstrated, is a whole other question.)
Google, of course, gave no timelines, no suggestion of when such a feature might be available. Given that, it makes you wonder why they even bothered to demo it.
Looped
It’s six years old, but I finally got round to watching Looper. Interesting. Not sure about it. Some of the time-travel stuff didn’t make sense — or was confusing, at least. The loopers do their killing and body-disposal in the past, but by the time Bruce Willis comes into it, everyone involved is in the same time, 2044, the past of the movie.
Also I thought I had heard that it wasn’t well thought of, but Rotten Tomatoes has it at 82% from audiences and 93% from critics. That’s pretty good, isn’t it?
This review at The Mary Sue is good on the weak points. Some interesting discussion in the comments, too.
The future was unconvincing — people still driving petrol-burning cars in 2044 and 2074? And the status of women was terrible. You can be a sex worker or a farming mom in future America. I mean, OK, we didn’t see the rest of society, but it’s not great. And a major Bechdel fail. Oh yes, and: the currency is silver? Actual, metallic silver? Time travel has really messed things up.
I enjoyed it on the whole, though, and the ending is great. We could have done without the voiceover, but maybe Rian Johnson, the director, has plans to release a cut without it in one possible future. Now where have I come across that idea before?
Top-Ten Album Lists
Two album-related memes have been doing the rounds on Facebook lately. Both involve posting cover images of ten favourite albums across ten days. One involves doing so without any comment, but the more interesting one to me involves the poster writing about their thoughts on each album. I was nominated by my friend Peter to join in with the long-form version.
I’m all about owning my own content, as you know, and not having it locked away in Facebook’s walled garden. So my plan is to write about ten albums, but to do so here, on my blog. Links to the posts will automatically be crossposted to Facebook anyway.
I started compiling a list of possibles, and thinking about starting to write posts. First I decided to restrict it to one per artist. Otherwise I could just pick five by The Beatles and five by The Clash.
But then I played some albums, and thought some more.
See, I knew right up front that it was going to be almost entirely a white-guy fest. I wanted to approach it honestly, and not try to appear to be anything I’m not, so that’s how it would have to be. It would be reflecting my life as a music fan. As it stands the long list has one woman and no non-white people.
But as I played those albums — albums I love — and as I thought about them, I realised two things:
- I know these albums too well. I’m not bored of them, but they can drift past without me really being aware of them, through overfamiliarity.
- This won’t be very interesting, and certainly won’t have any surprises for anyone who knows me.
So I’ve come to a decision, I think: I’m going to do it slightly differently. I’m going to write about ten albums that I like now. Ones that I’ve discovered in the last few years, maybe, or that I’ve known for a while but have listened to a lot more in recent years.
I’m not entirely sure what that list is going to look like. I only have two, maybe three definites on it at the moment, and it’s going to take a while to construct it. But I think it could be a much more interesting list — certainly for me — when it’s done.
And I’ll do a post with a rundown of what the original list would have been, just for completeness.
So watch out for those in the next few days.
Injection Vols 1-3 by Warren Ellis, Declan Shalvey, and Jordie Bellaire (Books 2018, 10)
This is a great story about how some people have to fix things in the aftermath of something they did that may change the world fundamentally, if not destroy it. With that description it sounds very similar to Ellis’s earlier webcomic (with Paul Duffield), Freak Angels.
Which is a fair enough assessment, though the triggering event in this case is a combination of AI, the internet, and old magic; as opposed to the psychic powers in the older work. Ellis has deeply embedded the “start late” advice often given to aspiring authors. Both of the works under discussion, and some of his others, start long after the events that set their plots in motion.
It can be a very effective device. We get to know characters who already know each other, and the past events are revealed gradually, through conversation and flashbacks. And the fact that the protagonists don’t at first fully understand what they did means that we learn along with them.
This is great, but the only frustrating thing is that these three volumes — comprising fifteen issues of the comic — are to date all that there is. I don’t know if they plan to continue it, but the last issue came out in November, and the story is far from over. Googling has not so far revealed the answer to this.
Recommended, though.
Bizarre Romance by Audrey Niffenegger and Eddie Campbell (Books 2018, 9)
The book that I got at the British Library event last week. It’s short stories by Niffenegger, illustrated and/or converted into comics by Campbell. Some of them very good, and the collection as a whole is well worth a look.
Themes include cats, angels, fairies, and more. Worth a look.
Lovecraft Country by Matt Ruff (Books 2018, 8)
I read this reviewed in The Guardian, and immediately bought the Kindle book. Sometimes a review is like that.
And it lived up to the praise. But here’s the thing: the horror, the weirdness in it: they’re not really what we’d think of as Lovecraftian.
There’s nothing wrong with that, and part of the reason for the title is that a couple of the main characters are fans of Lovecraft’s work, and they refer to parts of New England as “Lovecraft country.” But as the review makes clear, the real horror here is much more down to Earth: the racism of 50s America.
My Kindle edition was slightly oddly titled: Lovecraft Country: TV Tie-In. You expect that on a physical book to some degree. But putting it right in the title is new to me. A page on the author’s site confirms that it is going to be made as a series by HBO (which is annoying, because that means it’ll be on Sky Atlantic over here). JJ Abrams[1] and Jordan Peele are both involved.
I’m slightly surprised to see that Ruff is not black. I wonder how long before he’ll be accused of “cultural appropriation” for writing from the viewpoint of African-Americans.
[1] I mean, obviously: he’s involved in everything, right?
The Illuminatus! Trilogy by Robert Shea and Robert Anton Wilson (Books 2018, 7)
As I said in the last books post, reading the JAMs’ Illuminatus-inspired attempt made me want to read the real thing again. Seems I read it about every four years or so, based on the fact that I wrote about it last in 2014.
It doesn’t lose any of its charm. I suppose I’d have to say, if we judge by number of rereads, that this must be my favourite book of all time.
If you haven’t read it, it’s probably because there’s a conspiracy to stop you doing so. Kick out the jams and go get it. Hail Eris!
The Audrey and Eddie Show
I went to a thing at the British Library. It was an author event with Audrey Niffenegger and Eddie Campbell. They’ve made a book together. And, it turns out, they’re married. To each other, that is.
I had no idea that this was the case. Who’s in charge of telling me about things? Cos they’re falling down on the job.
Not that there’s any reason why I should know, of course. They’re both creators whose work I’ve enjoyed in the past, but that’s all.
Anyway, this was the standard sort of author talk/interview thing, led by a guy who didn’t introduce himself, but according to the event page was “international comics expert, and man at the crossroads, Paul Gravett”.[1]
It was all very good. I bought the book, Bizarre Romance. Looks like it’ll be fun. I didn’t stay for the signing, because I’m not that bothered about autographs. And I couldn’t think of any questions at the Q&A, which is also normal.
Interestingly (and maybe this is already common knowledge too) Niffenegger is writing a sequel to The Time Traveller’s Wife[2] to be called The Other Husband.
[1] Oh, OK, he published Escape magazine. I used to get that sometimes.
[2] I insist on spelling the title correctly.
Tab Convert
That’s convert, with the stress on the first syllable. The noun, in other words. As in, “I am a tab convert.” A convert, that is, to using tabs for indentation of source code, instead of spaces.
A Background of Spaces
From the earliest time that I learned about the tabs vs spaces debate, I’ve been a spaces guy. This is at least partly because of the influence of my then-colleague Benjamin Geer. He has gone on to other, no doubt better, things, but he was probably the best programmer I’ve ever worked with. He introduced me to the idea that you should always use four spaces for indentation. The reason being that if you use tabs, people can have their editor’s tab size set to all sorts of different values, and it leads to source files not looking as you expect them to.
Whereas spaces are spaces: you can’t go wrong with a space (or four).
I’ve changed, though. I have become a convert, in my job, and maybe philosophically, to tabs.
Stack Overflow Survey
About a year ago there was a survey of developers on Stack Overflow. Among many questions, they asked about whether people used spaces or tabs. The detail that got most attention was that developers who use spaces were paid more on average than those who use tabs. I strongly suspect that correlation is not causation in this case, but it seemed noteworthy at the time.
More interesting to me was the fact that more people used tabs, at 42.9% against 37.8%. I was surprised: I thought spaces had won years ago. Though I often wondered (sometimes publicly, and I’m surprised to see that was only last year) why the default setting for Eclipse was tabs.
Maybe that default, and others like it, is part of the reason for the statistics. Most people don’t change defaults. On the other hand, surely developers are the kind of people who are most likely to change defaults?
Anyway, after the survey came out there were various posts about it, notably John Gruber, who said he was “a devout user of tabs”. OK, he’s not a developer these days, but there were others who are who said similar things. The one that struck me was one that I can’t locate now that said “tabs are semantic.” In other words, pressing the tab key means “indent here.” Four spaces means… four spaces? Could be an indentation, could be something else.
Everything Changes Imperially
So I was primed for the idea of switching to tabs, even though I still used spaces in my own projects. And then I started my new job at Imperial College. When I first started looking at the code, I quickly realised that it was indented with tabs throughout. I checked with my co-worker who is the main contributor. He didn’t mind, but they had always used tabs.
Obviously I didn’t want to introduce a mixture. That’s what really messes up the display of code in different editors. You have to be consistent within a project. So if I were to change the project to spaces I would have to change every file. That was an unnecessary step; and per the above, I was primed to use tabs. They’re semantic, after all.
I switched my IDE to indent using tabs, with the tab-stop value set to 4. And so we proceed, tabbing away merrily.
So far I prefer it this way.
2023: A Trilogy by The Justified Ancients of Mu Mu (Books 2018, 6) 📚🎵
This book could have been written for me. Seriously, during the first part it felt like it was targeted right at me.
I am, as you probably know, a fan and repeat reader of The Illuminatus! Trilogy. As clearly are Bill Drummond and Jimmy Cauty, or the KLF, as they used to be known. This book is — what, a spoof of, a homage to? — Illuminatus. Explicitly modelled on it, referring back to it constantly.
Plus there are lots of Beatles references, and I’ve been into them for even longer. Then among the characters are Alan Moore, who (in this corner of the multiverse) is a member — along with Cauty and Drummond — of Extreme Noise Terror. Our world’s version of that band did collaborate with the KLF, but as far as I can tell they had no connection with Moore.
So don’t expect to get too much accurate information about popular culture out of this. Plenty of references, though. Other characters include Michelle O’Bama, M’Lady Gaga, Yoko Ono (two versions), Lady Penelope, and her chauffeur/hitman Aloysius Parker.
It’s a lot of fun. The downside is that it’s not very well written, at least as far as the dialogue is concerned. Most notable is the complete absence of contractions. Which is fine for an odd thing, or maybe to give one character a particular voice, but when no-one uses them, it all gets a little strange.
The story is fun, though, and I finished it and immediately started rereading Illuminatus yet again, so there’s that.
Speaking of Spring...
Blossom, of course, and… paper boats on the canal? Hmmm. I’m assuming it was a promotion for something, but I’ve no idea what, so it didn’t work very well.
How the Seasons Change
This was a test of the Sunlit iOS app, though it has long since been edited from that original version.
