The HomePod is Good

I had no interest in the HomePod when it was announced. I had no interest when it was finally released after months of delay. I ended up buying one, almost on a whim, because of Sonos.

I’ve had Sonos speakers in every room for years. I really like them. But two things happened recently. The first is that Sonos announced AirPlay 2 was coming, but then didn’t bring it to a single speaker I own. Then they announced the Beam. I was all ready to buy a Beam. But somehow, despite years of its users begging for great audio codec support (Dolby Digital Plus, DTS, to say nothing of Dolby Atmos), and despite now having the HDMI port that was previously missing for these to be supported, Sonos is stubbornly sticking to its anti home theatre support position on its home theatre products.

Aside from the home theatre setup, I mostly listen to Podcasts, but the podcast service selection on Sonos is not great. PocketCasts is about it. Yes, Stitcher is there, but I would prefer to live in a world where I can pretend that it isn’t. And even with PocketCasts, you don’t get important features like 30 second skips, chapters, and silence trimming.

I tried Bluetooth speakers, but I hate them. I don’t mind Bluetooth headphones, but speakers are terrible. I switch between devices often when listening at home, and Bluetooth makes this a chore.

So I decided to try a HomePod. And you know what, it is really good. I like it more than I expected. As every other review has noted it sounds amazingly great. Nothing else in that size compares. No matter where I place it in the room, it fills it.

I can AirPlay from any device with ease. Well, almost. Mac support for AirPlay is still odd at times. Though AirFoil does fix this for the most part. Not everything is AirPlay 2 yet, but the fallback to the original AirPlay works for me for now. I know it seems like it should be minor but the difference in sending audio to a Bluetooth speaker vs sending to an AirPlay speaker really makes the latter a far superior experience for me.

And then there is Siri. Siri is imperfect, and definitely does sometimes fall down in places where Alexa does not. However, this is not always the case. Oddly our ceiling fans, which are compatible with both HomeKit and Alexa, work far better with Siri. I would say about half the time Alexa fails, even though it indicates success. Siri commands work nearly every time. In fact, for smart home devices I now prefer Siri over Alexa. A big part of this is the Home app. Having an option beyond voice control is really nice.

The biggest issue for the HomePod at this point is price. That $349 is really a tough sell. I think if they could knock $100 off it would be more interesting to people. They don’t need to get it to Echo Dot levels, but there is something about sub $250 that makes it easier to justify.

But overall I think it is a solid product. More solid than I expected. I am excited to see where it goes. I am really hoping that iOS 12 Shortcuts is a preview of how Apple is going to finally push Siri forward. Should you run out and get one? Probably not. I fully expect a version 2 at some point, and likely a price drop. If Apple’s usual pattern holds, the current HomePod will eventually become the entry model with a newer one above it. It’s a wait and see game for now. No, it has not taken the world by storm, but this product doesn’t have to. Steady improvement is what it needs. I am hopeful that this will happen.

Apps for June 2018

I swapped out a few apps for June.

  • Browser: I have not given Firefox a try in a while. I like Mozilla. I believe they actually care about the open web, as well as have a respect for user privacy. So far I have been quite happy with the performance of the browser. Their tracking protection is basically a built in content blocker. One of the few third party browsers on iOS with a functional blocker. And calling it “Tracking Protection” is genius. Sites that want you to turn it off can’t hide their true motivations.
  • Podcasts: Oh boy has a lot happened here. Pocket Casts, my pick last month, was purchased by a combination of NYC and Chicago public radio. I am a member of WNYC. I love public radio. But this acquisition makes me nervous. Then came Castro 3. Wow oh wow. I am so loving this app. It fixed nearly all the issues that kept me from using it previously (almost - my kingdom for an iPad app.) The queue system in Castro is simply genius. Aside from some bugs I am extremely happy here.
  • Mail: I was really excited for Spark 2. Then it came out. I am no longer excited by Spark 2. Not only was the launch unstable for days, but the app seems to be moving toward a “suck up all your data” model that makes me really uncomfortable. They now keep your actual full emails on their server according to their privacy policy. The teams feature is not compelling at all, but seems to be their focus going forward. And they use Facebook analytics. Lastly the design is starting to look very dated. I’ve moved back to AirMail, hoping the many months since I last tried have brought it stability.
  • Productivity: When Agenda launched on macOS I found it interesting but ultimately didn’t do much with it. Now that it is on iOS also I’m going to give it a fair shake. Not sure if it will have the ability to knock me off of Bear and Things. That will be incredibly difficult. But I am interested in if I can find a place for it, particularly around project management.

Day One's Bad Week

Day One is my favorite journaling app for Mac and iOS. But they had a bad, bad week. Sync was down for several days due to a hardware failure. When it finally returned, the fallout turned out to be pretty catastrophic for an app that stores private information. From their post:

New user accounts are created with sequential IDs. Since the restored cluster did not contain the newest account IDs, new accounts created on May 8 were receiving lower IDs than expected, which overlapped with existing accounts in the original database. As a result, those new accounts had IDs matching some of the existing journal records, and received access to a few existing journals.

That’s really bad. Who knows what kind of deeply personal information may have been disclosed to unknown parties.

Day One has an optional end-to-end encryption feature.

We do not currently have information on how many of those journals used end-to-end encryption, but any such journals would have been protected against disclosure.

This is precisely why those of us who care about encryption are so absolute about having strong, backdoor-free encryption. It not only proactively protects your data, it reactively protects your data. What happened to Day One was an accident, but if you had end-to-end encryption turned on, you were safe. The problem here is that it is off by default, and not easy to discover within the app, so I expect the number of people using it is incredibly low.

If you are a Day One user, go to Settings > Journals and turn it on for all of your individual journals now. The only downside is that the Android app and Web app currently do not support this. Assuming you don’t need either, there is no reason not to. Put the private key in your password manager and you are good to go.

Day One did the right thing in disclosing what happened. But going forward I would love to see them, and everyone who stores sensitive data on a remote server, enable end-to-end encryption as the default. The only data that you cannot leak is the data that you do not have.
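The ID overlap described in Day One's post can be reproduced in a small model, shown here as an added example that is not Day One's code or part of the original post. The `Service` class, its methods, and the sample accounts are constructed; the model compares restoring the account counter as-is with reseeding it above every ID that journal records still reference.

```python
# Constructed model, not Day One's code: account IDs come from a counter,
# and journal rows live in a store that the account restore does not touch.
class Service:
    def __init__(self):
        self.next_id = 1
        self.accounts = {}   # account_id -> email
        self.journals = []   # (owner_id, text)

    def signup(self, email):
        account_id, self.next_id = self.next_id, self.next_id + 1
        self.accounts[account_id] = email
        return account_id

    def write(self, owner_id, text):
        self.journals.append((owner_id, text))

    def read(self, account_id):
        # Authorization is "owner_id matches", so a reused ID inherits access.
        return [text for owner, text in self.journals if owner == account_id]

    def orphaned_owner_ids(self):
        # Detection: journal owners with no account row mean the ID space
        # has gone backwards and signups must stay closed.
        return {owner for owner, _ in self.journals} - set(self.accounts)

    def restore_accounts(self, snapshot, reseed):
        self.next_id, self.accounts = snapshot[0], dict(snapshot[1])
        if reseed:
            # Mitigation: never issue an ID at or below one already referenced.
            highest = max((owner for owner, _ in self.journals), default=0)
            self.next_id = max(self.next_id, highest + 1)


def simulate(reseed):
    svc = Service()
    svc.signup("alice@example.test")
    snapshot = (svc.next_id, dict(svc.accounts))   # stale backup taken here
    bob = svc.signup("bob@example.test")           # created after the backup
    svc.write(bob, "bob's private entry")
    svc.restore_accounts(snapshot, reseed)
    orphans = svc.orphaned_owner_ids()
    carol = svc.signup("carol@example.test")       # first signup after restore
    return carol, svc.read(carol), orphans


if __name__ == "__main__":
    print("restore as-is:   ", simulate(reseed=False))
    print("restore + reseed:", simulate(reseed=True))
```

In both runs the orphan check flags the missing account before any signup happens, which is the signal to hold registrations until the ID space is reconciled.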

Let Me Paste My Password

An unfortunately common tactic taken by websites in a misguided attempt at security is to prevent pasting a password. The NIST officially recommends against this.

Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.

I ran into this personally a few days ago. An organization I belong to forced a password change. Upon generating my random password, I was unable to paste it into the field. I decided to reach out to the organization, pointing out that this actually encourages worse passwords, not better ones.

Their initial response:

Thanks for reaching out. [Our] decision on updating the password requirements comes from an increase in security requirements. The extended minimum length, mandatory special, upper, lower and number characters, and one year life span increases the complexity and lowers the chance of any breach attempt. We do not allow copy and pasting due to security reasons. Viruses, Malware, and other intrusive programs can copy all data saved to the clipboard for later use. Furthermore, users may accidentally paste their password to their username and save it as auto fill, thus viewable to other programs.

This is always the response. “Security reasons.” Of course neither of the examples they gave me make any sense.

  • If you have malware on your computer, it does not need to steal from the clipboard. It can just log keystrokes.
  • Users can accidentally type their password into the wrong field. I have seen this happen. Particularly among users with poor typing skills. They almost never look at the screen.

I raised these objections. The response back:

Thanks for getting back to us. We do not allow copying and pasting passwords upon creating as to mitigate possible typos and for security. Yes as key loggers would most likely be used on a compromised computer, we still want to mitigate any other possible problems. After creation users who use complex passwords are more than welcome to copy and paste their password on the login page though.

So in order to prevent typos, they require you to type. Um? You know how to guarantee you aren’t making a typo? Copy and Paste!!!

I gave up on the communication at this point. I ended up manually typing my extremely long and complex password into the form. But how many users will do this versus just give up and type out P@ssw0rd1 instead? After all, it meets all of the requirements, and it sure is easy.

If you run a website or service that uses passwords, I beg of you. Read the NIST guidelines. Please help those of us who are trying to teach users good security habits.
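As an added example (not from the original post or the organization's site), the sketch below compares a composition-rule check of the kind the organization describes with the length-plus-blocklist check that NIST SP 800-63B calls for. The minimum length of 8 for the organization's rule, the blocklist contents, and the sample passwords are assumptions constructed for illustration.

```python
import re

# Constructed stand-in for a real list of common or breached passwords.
BLOCKLIST = {"password", "password1", "p@ssw0rd1", "qwerty123", "letmein1"}


def composition_policy(pw, min_len=8):
    """Rules of the kind the organization describes: minimum length plus
    upper, lower, number and special characters. min_len is an assumption."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def blocklist_policy(pw, min_len=8, max_len=64):
    """SP 800-63B style: a length floor, room for long secrets, and a check
    against known-bad values; no character-class requirements."""
    if not (min_len <= len(pw) <= max_len):
        return False
    return pw.casefold() not in BLOCKLIST


def compare(candidates):
    """Return {password: (composition_ok, blocklist_ok)} for each candidate."""
    return {pw: (composition_policy(pw), blocklist_policy(pw)) for pw in candidates}


# Constructed samples: the fallback from the post, a passphrase, and a
# manager-style random string that a user would need to paste.
SAMPLES = ["P@ssw0rd1", "correct horse battery staple", "vR7#qLm2!zXe9@Tk4$Wd"]

if __name__ == "__main__":
    for pw, (comp, block) in compare(SAMPLES).items():
        print(f"{pw!r:34} composition={comp!s:5} blocklist={block}")
```

The composition rules accept P@ssw0rd1 and reject the passphrase, while the blocklist check does the opposite; only the random string, which realistically has to be pasted, passes both.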

Apps for May 2018

I use a ton of apps, and I very frequently move between them. I like trying out new things and knowing what else is out there. So I’m going to do a regular check in on what I am using. These aren’t necessarily recommendations, as I don’t feel I can recommend something without knowing a person’s workflow. But I do think these are worth trying out.

  • Mail: Spark is the only third party mail app I use that is available on both mobile and desktop, has the features I want, and is stable enough for day to day use. Not sure why so few mail apps have integration with other apps and services, but Spark does.
  • Calendar: Fantastical. Nothing beats the natural language entry. I can copy and paste sentences from an email and it figures out the event details.
  • To Do: Things really wowed me with their recent automation release. It’s also beautiful.
  • Notes: Bear is perhaps my favorite new app. So many notes apps are bloated, slow, or ugly. Bear is none of those things. It has great integration with other apps and supports some great automation workflows. Notes are plain text, so you are not locked in.
  • Writing: Ulysses is where I write these very words. A great app for drafting and organizing my blog posts, as well as writing for my day job.
  • Storage: DEVONthink is one of those power user apps that can do almost anything. When I moved from Evernote I sent notes to Bear, and everything else here. It’s my “everything” bucket.
  • Password Manager: 1Password is the longest running app I have ever used. I’ve been on it since the original release. I wouldn’t say you need any apps on this list with one exception. You need this one.
  • Finance: Banktivity has been on my home screen since back when it was called iBank (and on my Mac before the iPhone even existed).
  • RSS: On iOS I use Fiery Feeds, and on the Mac Reeder. Inoreader is my sync engine.
  • Read Later: Pocket won me over as a longtime Instapaper user. I still like Instapaper, but being owned by a social network makes me very nervous. Mozilla owns Pocket, and I trust their motivations more.
  • Podcasts: Pocket Casts is my current daily podcast app. I jump around a lot here. Pocket Casts wins in large part because of Sonos integration. I still love Overcast too, but Pocket Casts checks more boxes. I feel like Pocket Casts gets overlooked because it is also an Android app and many of those on iOS are terrible ports. This one isn’t. It’s a good iOS citizen. I also like the queue management better than Overcast, though not as much as Castro’s.
  • Running: I record with the built in Apple Watch app, because unlike the others I never experience crashes with it. Then I use RunGap to sync it to the services I use.
  • Automation: A combination of Drafts 5 and Workflow. Don’t know what I would do without them.

A Fresh Beginning

I’m hitting the reset button. My old blog was getting stale. I wasn’t updating nearly as often as I wanted to. The old site was a WordPress site. WordPress gets a bad rap, mostly because too many sites get set up and never secured or patched. I was pretty good about that, but it still wasn’t working for me anymore.

WordPress felt heavy. As I tried to make my pageloads faster and my security headers more strict, I was constantly running up against the heaviness of a CMS generated webpage.

So I am trying out Hugo. I like the idea of returning to simple, static pages. I write in Markdown anyway, so why not use a site generator that accepts it natively. I also am using a very lightweight theme that uses no trackers. Simple, secure, and clean.

I’ve also decided not to import the old posts. Most were outdated, and many of the series I wanted to run were never finished. Also, there was a mix of personal and professional on there. Going to stick more toward the professional side here, but still with my own voice.

This also allows me to do something else I have wanted to do, which is license my writing under Creative Commons. I wasn’t comfortable doing this with personal posts. The new license does not cover the old content. Just this reborn version of the site.

I’m going to try to commit to posting more often, and for those to be more useful. Also I am still in the process of grokking Hugo’s fullness, so there may be some wild changes to the site until I get more comfortable with how it works.