OS X Mavericks forces iOS calendar, contact syncing into iCloud

The relationship between your computer and your iDevices is about to get a lot less personal.

Title of the fast-growing thread on Apple's support forums.

The OS X Mavericks update gets rid of SyncServices, a proprietary framework in earlier versions of OS X that let you locally sync calendars and contacts from your iOS device to your Mac. So, if you upgrade to Mavericks, you’ll now have to use either iCloud or some other network solution to sync your devices with your computer–local syncing by connecting a device to a computer with a cable no longer exists.

Not surprisingly, there’s a growing outcry about this in Apple’s support forums. And there should be: it’s astonishing that in this climate of electronic spying and cloud insecurity, Apple would, without a word, disable local syncing and force users of Mavericks and iTunes 11 into cloud-based sync. It’s a move that literally wrests control of your contact and calendar data away from you and your devices and forces it into the cloud, for no discernible reason and with absolutely zero warning.

Hilariously, Apple notes in its support article about SyncServices that “Mavericks supports sharing your information using several network-based and cloud-based solutions.” Sharing, indeed. iCloud has significant security vulnerabilities: researcher Vladimir Katalov demonstrated just this month that, as Chester Wisniewski writes, “by simply acquiring the Apple ID and password of another user, whether they have enabled two-factor authentication or not, he can download their iPhone/iPad/iPod backups and documents from iCloud and see their pictures, music, emails, contacts, documents, presentations, spreadsheets or anything else without the victim being alerted.”

That’s because, to summarize Katalov’s research, Apple doesn’t use two-factor authentication to protect iCloud backups and documents, stores them on third-party servers, stores the encryption keys along with the encrypted files, and of course, can disclose the entire decrypted contents to law enforcement, should they come knocking.

Basically, iCloud is appallingly insecure, and Apple has just dramatically increased the volume of information that’s about to start flowing through it–names, email addresses, home addresses, and phone numbers in droves, not to mention your doctor’s visits.

And while, in theory, warrants or probable cause are required before the U.S. government and law enforcement can snoop through that data, commenters on the Apple support thread are noting that users outside the United States may have virtually no protections for personal data that leaves their control. And, as one points out, “I legally have to maintain control over all data from my business contacts, or might get sued over EU privacy law violations either by my clients or by competitors.”

Fortunately (this is sarcasm here), if you care about maintaining local control of your contact and calendar information, the workaround is simple! All you have to do is upgrade to OS X Mavericks Server for $19.99 and then set up a local CardDAV and CalDAV server to enable local network sync between your devices. It couldn’t be simpler! Of course, you don’t have to do it with Mavericks, there are plenty of helpful tutorials for setting up a local sync server with something like Debian, and heck, there are even a few free tools out there to make it easier. That’s a relief, right?

The alternative to those alternatives, according to Apple, is simply to revert to a previous version of OS X. Discussions on Apple’s forums about why the change may have occurred and any security implications are, according to moderators, outside the Terms of Service of the support forums and therefore prohibited.

These are the lengths that paying customers have to go to in order to keep their own data under local control when all they want to do is keep calendar and contact information synced across multiple devices? By the way, don’t post in the support forums if you’re outraged like you should be. Send direct feedback here.

Now there is one positive note. On Windows, SyncServices is what powers local syncing through iTunes. Interestingly, it appears that local syncing is still possible on a PC, using iTunes 11. So, maybe Apple just wants you to … get a PC!

Hat tip: The Verge

Mad Molly and Adam Curry: the podcast?

Here’s the thing about brilliant and complicated people: they don’t make things easy. My friend Adam Curry is one of those people. He’s smart, he’s provocative, he’s sometimes (uh, often) outrageous, and he’s sometimes (uh, often) kind of difficult.

But I love that. I feel challenged by it, and I respect Adam and anyone’s right to say what they think, to ask all the questions they want to ask, and to make people uncomfortable sometimes in service of getting more information. However, I recently got really angry at Adam over some comments he made on the No Agenda show about my then-colleague and current friend Emily Dreyfuss. And since Adam and I have been kicking around the idea of doing a tech podcast together, I wanted to clear the air before we proceeded.

So, I called him up and yelled at him for a while about being a sexist, and he yelled back about hyperactive political correctness, and then we decided we should record all this yelling and clear the air publicly, and frankly, kind of figure out if we even thought we should do a show together since we tend to argue a lot about politics and sexism and vaccines and whatnot. And the result was about a two-hour battle, an apology to Emily (mostly), and, I’m pretty sure, an interesting conversation–interesting enough that I decided to post it here.

Listen: Sexism, society, and whether blunt truths can save us from ourselves

The conversation also made me feel like Adam and I would do a great show together–not because we set aside our differences but because we embrace them.

But if we do a tech podcast, I promise you now that it will be about tech. It’s not a tech version of No Agenda and it’s not a show about trying to fix society–this recording is a one-time experiment. And it won’t be about the gadget of the week and the rumor cycle and the thing that everyone else is talking about. What I love about technology is its ability to change the world–for better or for worse. I want to do the research on the stories that really matter and then talk about what I really think about those stories. As Adam says, I’ve taken a “vow of authenticity,” and I guess it’s time to test it out with someone who pushes my boundaries a lot.

So, consider this our coming-out party, I guess. We’re still working on a name for the show–your ideas are welcome. And your feedback, too. I’m curious to know what you think of an experiment like this.

But before you comment, let me tell you a quick story. Once upon a time, a long time ago (in the early 2000s), I wrote a letter to PC Magazine about a writer they had there, this guy John C. Dvorak. The irony is staggering, I know. I don’t even know what he wrote anymore but I know that it incensed me (it particularly incensed me that he was randomly capitalizing tech phrases in the midst of it). I was convinced he should be fired, and I said so.

I got a very thoughtful response back from his editor, who pointed out that sometimes, it’s good to have voices around that bug you. In fact, it’s often good to have voices around that bug you, because they make you think more, fight harder, and they help you define your own thoughts and feelings in a way that wouldn’t happen if you were constantly validated by the agreeing and agreeable opinions of everything you consumed.

I can disagree with Adam–sometimes vehemently–and still like him, and I think the conversation is better as a result. I hope you agree, and I want to know what you think because if we do a show together, you’re the only thing that’ll make it work. So, let us have it. And thanks for listening.

I’m turning off Follow on Facebook

My apologies to my Facebook subscribers, but I’m turning off Follow on Facebook. The problem is the Facebook policy that changes my default posting settings permanently every time I post. So, if I post something publicly so all my followers can see it, like show information or updates about work, my default setting is then Public (i.e., “last used”) until I change it back.

Make one post public, overshare forever.

The result of that policy is that, today, for about the third time, I posted a photo of my child (including his name and some school information) publicly by accident. I have, as a user, sent feedback to Facebook and asked them to change this policy–the fact that I post something publicly ONCE should not mean your postings should be public thereafter–but the simple realization is that mixing personal and professional just doesn’t work.

And yes, of course I could be more diligent about checking to see whether my post is labeled “public” or not, but it’s obviously just not realistic to expect that I’ll do that reliably, and my privacy is too important to get tripped up by a setting that turns all my future posts public despite the fact that I have historically tried to employ as much privacy as possible. I do not want to “check twice, upload once,” as one user suggested. I know Facebook will constantly try to force me into ever greater public behavior against my will, and I simply want to minimize the opportunity for mistakes.

Should this happen to you, you can, of course, set a public post to private by clicking the globe icon next to the post. But let’s say 80 people have already “liked” the photo you mistakenly posted: even if you set it to private in the future, those “likes” show up in the likers’ timelines, meaning it’s very hard to take back a public post without deleting it outright. It’s a simple fix for Facebook–either make a commitment that privacy is a default (yeah, no, I know, I’m cracking up, too) or serve an intercept asking a user who changes a post setting whether they want that setting to apply to all posts in the future.

This latest mistake comes at a time when I’ve already dramatically reduced my use of Facebook–I don’t trust it, I don’t always find the content interesting (since Facebook insists on manipulating my feed and showing me what it thinks is relevant, rather than a stream of news from people and brands I chose myself) and I’ve had too many privacy run-ins to consider it an essential part of my life. And I’m not alone. Facebook does not work as a public outlet for personal brands, and it’s too untrustworthy to work well as a private space for sharing. I’m starting to wonder what it’s good for, to be honest.

Anyway, if you want to follow my public exploits, please find me on Twitter or on Google Plus, which will be exclusively public. Again, I’m sorry to those of you who followed and engaged with me on Facebook; I hope to find you elsewhere on the Web.

The AT&T third-party eBill verification process, in 50 easy steps

Ok, this is what it takes to sign up to get eBills from AT&T (for phone and Internet service — don’t ask) delivered to my bank.

First, you click “get bills online” on the bank site. When you do this with, say, Visa or Verizon, you get a pop-up asking you to verify, which you do, and the e-bills show up a couple of cycles later. Not so with AT&T. You get the same verification pop-up, and you click ok, and it seems like you’re off to the races.

Ha ha.

A few days later, you get a call with an 8-digit activation code. Personally, I had no idea what to do with this code other than write it down until I got an email, about a week later, reminding me to verify my third-party eBill service provider. Finally! A link!

Now, to verify the provider, you first have to create an Account Manager account (I’m not making this up) with AT&T. To do this, you enter your phone number, then you can verify with either the last 4 of your SSN, or a 3-digit code found on your bill.

But even after all that, in order to create the account, you have to get an online registration code. To request an online registration code, you click “request an online registration code,” (natch). But there’s nothing online about the online registration code. You have two options for receipt: AT&T will either MAIL IT TO YOU VIA U.S. POST (seriously!) or call you with it 10 minutes later.

Once you have THAT 8-digit code, you’re ready to create the account that will let you enter the other 8-digit code to verify that you do, in fact, want online billing. Right?

Oh, no. Once you have the code, you can, in fact, sign up for the account, and sign up for electronic billing from AT&T. But by this time, the site has completely forgotten that you want to verify a third-party eBill provider.

To do that, you have to go back to the email they sent, click the link in the email that takes you to the verify page, even though the link is labeled, “create an Account Manager account,” log in again with shiny new account credentials, and THEN verify that you want them to send third-party eBills.

That last step, by the way, did not involve the 8-digit code that they originally gave me, and insisted I would need.

Of course not. Why would it?

By the end of this process, the only thing I wanted to verify was my new Comcast service.
