Category: Longform
Microsoft to Buy GitHub?
I can’t help but feel concerned about the news that Microsoft may be buying GitHub. I know they’re big on open source now, and even use GitHub themselves. But I remember how antithetical to open-source they used to be, so that worries me. And it rarely works out well when a big company buys up a small, interesting one.
Beware of Email Apps Storing Passwords
Email apps, especially ones that offer advanced services like “send later,” may be storing our usernames and passwords on their servers.
To be clear what that means: if you use Gmail, for example, you put your Google username and password into the app when you set it up. You expect the app to store them securely on your device. But some apps may also be storing that username and password — your keys to all the Google services in this example — on computers owned by the company that makes the app. Computers over which neither you nor Google has any control.
I’m not suggesting that the company I talk about below, or any other, is doing anything nefarious. They need to be able to log in to your mail server in order to send your mail later. But I hadn’t realised until now what that means, and I’m guessing neither will a lot of people. And to my mind they don’t make what they’re doing clear enough.
Worst of all, having passwords stored on unknown servers — at the very least, that’s worrying.
Background
On episode 194 of the Connected podcast, Myke Hurley and Federico Viticci were reviewing the latest version of the iOS (and Mac) app Spark. It’s a fine email app, which I was using on my iPhone and iPad. So I was alarmed when they mentioned in passing that mail handled by the app is routed through Readdle’s servers. That didn’t seem likely at first. Spark is an email client. You tell it what servers handle your mail, and it connects to them to receive and send. The servers belonging to the company that makes the app have no business getting involved in that.
I did some digging. Whether or not Myke was right™ about mail going through their servers, the reality turned out to be much worse.
Digging
I tweeted at the Spark account. Here’s what happened:
@SparkMailApp Hi, I was listening to a podcast today on which it was suggested that if I use Spark, then my email is routed through your servers. Is that true?
— Martin McCallion (@devilgate) May 25, 2018
Which podcast said that?
— Terry Blanchard (@terryblanchard) May 25, 2018
The latest episode of Connected, with Myke Hurley and Federico Viticci.
— Martin McCallion (@devilgate) May 25, 2018
The only time Spark servers access your email is to create a push notification (to create sender, subject, and message snippet). The content is cached until the notification is sent, but removed after that.
— Terry Blanchard (@terryblanchard) May 25, 2018
OK, seems fair. Thanks. Probably all a misunderstanding, either by them or me. Just out of interest, is the “send later” feature done on the client?
— Martin McCallion (@devilgate) May 25, 2018
Ah, forgot about that one! We will store it on our server until the send later time, then we send it through your email server and it is removed from our server.
— Terry Blanchard (@terryblanchard) May 25, 2018
OK. Isn’t that a problem, in that you must be storing your users’ mail server credentials on your servers? I’m pretty sure it doesn’t say that in your Ts&Cs.
— Martin McCallion (@devilgate) May 25, 2018
It’s the second item that we mention in our privacy policy. https://t.co/WpQSIDGPgx
— Terry Blanchard (@terryblanchard) May 25, 2018
I had already found their privacy policy:
OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.
The wording “Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages” suggests that Spark the app needs to log into your server, which it does. But nothing about that says that your credentials will be stored on their servers.
Further down, in point 4, “How Long Personal Data is Stored For,” in a table that includes “Type of information,” we see (emphasis mine):
Email address, email content for Spark Services, mail server credentials
So there it is. They do store your username and password on their servers, and they do tell you; though only if you read well into the kind of document that notoriously goes unread.
Final Thoughts
For features like “send later” they need to store the fact that you want to send an email at a specific time, and log in to your server in order to send it. And to be fair, I’m sure they can’t be alone in keeping that kind of data. Lots of clients offer “send later” and similar services, and all of them will have to log in to your mail server to work. So they have to store your credentials on their servers to do it.
And consider, if you use Gmail, that means your username and password not just for Gmail, but for all Google’s services, are now stored on somebody else’s servers. Their security might be great, but how do we know?
The more I think about this, the more concerned I become. Passwords should only be stored in one place: a secure, trusted password manager. But above all, these services need to be much clearer about the fact that they’re storing our passwords.
It's Inconvenient to Talk
On Trump’s phone (mis)use:
Trump’s call-capable cellphone has a camera and microphone, unlike the White House-issued cellphones used by Obama.
I mean, it’s not going to be much use at making calls without a microphone.
The Book of Dust vol 1: La Belle Sauvage by Philip Pullman (Books 2018, 12)
The first volume in Pullman’s “equel” trilogy: part prequel, part sequel, to His Dark Materials. This one is pure prequel, about trying to protect baby Lyra from the forces of the Magisterium.
If you’re already a fan, you’ll want to read this. It’s a real page-turner. If you’re not already a fan, don’t start here, obviously. You’re looking for Northern Lights.
Which I might be just about to start rereading, because that’s what finishing this one makes me want to do.
Office Foliage
At my desk these are attacking from either side.
The view above, and the room as a whole.
Norse Mythology by Neil Gaiman (Books 2018, 11)
Gaiman takes on Thor, Loki, Odin, and the rest. Most of my knowledge of the Norse gods comes from Marvel Comics, with a bit of general cultural osmosis (for example, everyone has heard of Yggdrasil the World Tree, right?)1
I enjoyed it, but it feels like a slight work. That’s a shame, because these are mighty tales, or should be. I guess it’s a book meant at least partly for children, but it’s not marketed that way. And even if it’s meant for kids, the telling should be strong.
I suspect that if you already know the tales, this won’t offer much new to you. And that’s where the problem lies, I think. Instead of turning them into real narratives with proper characters, each story is not much more than a summary of the events. So he’s telling us the story of the story, rather than really telling (showing) the story. It’s a shame, because I know Gaiman could have done something much more interesting with these.
I’m probably being too harsh, though. It’s not like it’s bad. I enjoyed reading it.
In searching for the link to put in there, I discovered the existence of Explain XKCD (or just possibly, rediscovered it, as it does seem a little familiar). Which is cool. Some people put a lot of time into contributing to things online, to the benefit of us all, and I salute them. ↩︎
Duplex Duplicity?
In A Little Duplex Skepticism, John Gruber says what I’ve been thinking about the Google Duplex demo:
It’s totally credible that Google would be the first to achieve something like Duplex, but the fact that all they did — as far as I’ve seen — was play a recording just seems off. It feels like a con.
I’ve only heard a bit of the “booking a haircut” recording on a podcast. I thought it sounded a) impressive if real, but b) very possibly fake.
That kind of technology will come, eventually; but are we that close to it today?
(If we are, then whether or not we want it to be used in the kind of way demonstrated, is a whole other question.)
Google, of course, gave no timelines, no suggestion of when such a feature might be available. Given that, it makes you wonder why they even bothered to demo it.
Looped
It’s six years old, but I finally got round to watching Looper. Interesting. Not sure about it. Some of the time-travel stuff didn’t make sense — or was confusing, at least. The loopers do their killing and body-disposal in the past, but by the time Bruce Willis comes into it, everyone involved is in the same time, 2044, the past of the movie.
Also I thought I had heard that it wasn’t well thought of, but Rotten Tomatoes has it at 82% from audiences and 93% from critics. That’s pretty good, isn’t it?
This review at The Mary Sue is good on the weak points. Some interesting discussion in the comments, too.
The future was unconvincing — people still driving petrol-burning cars in 2044 and 2074? And the status of women was terrible. You can be a sex worker or a farming mom in future America. I mean, OK, we didn’t see the rest of society, but it’s not great. And a major Bechdel fail. Oh yes, and: the currency is silver? Actual, metallic silver? Time travel has really messed things up.
I enjoyed it on the whole, though, and the ending is great. We could have done without the voiceover, but maybe Rian Johnson, the director, has plans to release a cut without it in one possible future. Now where have I come across that idea before?