GoDaddy Terminates Texas Spy Site

GoDaddy gives Texas abortion website notice: Find new host ASAP:

The highly controversial and regressive Texas abortion law went into effect on September 1. With the law comes the Texas Right to Life group’s website where anyone can submit allegations that a woman had an abortion past the state’s six-week cutoff mark. The state’s new abortion law also allows private citizens to target anyone accused of helping facilitate an abortion.
[…]
Amid the hacktivism is an outcry directed at GoDaddy, the company that hosts the website. Many have called on the company to cut off its services to Texas Right to Life, a call that has been heard. According to a statement GoDaddy provided to The New York Times, Texas Right to Life has been given 24 hours to find a different host for its website.

Even GoDaddy, of creepily sexy advertising fame, knows the Texas neighbor-stalking website is immoral.

I don’t ever want to hear another word about “government overreach” from the Texas GOP. Not a word.

What HIPAA's Privacy Rule Says

As someone who deals with HIPAA’s privacy compliance as part of my job, I don’t ever want to hear the word HIPAA again from someone who isn’t adjacent to healthcare. Almost no one understands what it is, but a hundred million people are explaining their wrong ideas of it to each other in a giant game of telephone.

Here’s a short summary of HIPAA’s Privacy Rule, as described by the U.S. Department of Health & Human Services:

Who it applies to: a healthcare provider such as a doctor or hospital, health plans, their business associates, and other people who manage patients’ healthcare information.

What it does: limit the information a covered entity can share about their patients to fulfill specific medical and business requirements.

What it doesn’t do: apply to anyone else except those covered entities; prevent you from sharing your own information; prevent others from asking you about your health, including vaccination status.

Anyone who says that doesn’t allow you to ask whether they’ve been vaccinated, or prevents them from answering, is factually wrong.

The Itanic Has Sunk

By today, July 29, 2021, Intel has shipped the last of its Itanium processors, the last holdout of a rough decade of their history. You’d be forgiven for not having heard of this unusual CPU as they carved a niche of a few supercomputers in the early 2000s and some legacy mainframe holdouts.

In 1994, Intel and HP looked around and saw a wide variety of successful server CPU architectures like Alpha, MIPS, SPARC, and POWER. This annoyed them and they decided to make a new CPU that no one would want to use. To these ends they invented an instruction set architecture that was impossible to program efficiently, planning that future compilers would be clever enough to make software run acceptably well. (This never happened because it turned out that anyone smart enough to write these compilers would rather be doing almost anything else.)

In 2000, Intel launched the NetBurst Pentium 4 CPU. It had serious design compromises that would hypothetically allow CPUs to run at upwards of 10GHz. Since these beasts could fry an egg at 3GHz, it was good that they never came anywhere near 10GHz as the heat would likely be sufficient to induce nearby hydrogen atoms to fuse.

Customers begged Intel to release a 64-bit Pentium-compatible CPU. They refused because they knew this would cannibalize Itanium. Why write software for a weird and uncommon architecture if you could use something like the terrible x86 instruction set you already knew, but better?

In 2003, AMD launched their 64-bit, but Pentium-compatible, Opteron CPU. Everyone stopped buying Intel CPUs for a while. Within a few years Intel made their own 64-bit, but AMD-compatible, CPUs to avoid entirely losing the desktop and small server market. They were right earlier: almost everyone immediately embraced AMD’s instruction set and no one but HP wanted anything to do with Itanium.

And then, for a long time, nothing much happened. That’s happy news when you’re talking about earthquakes or tornados, but not so hot when you’re talking about sales of processors you spent a few billion dollars developing.

In 2015, HP admitted defeat and launched a line of mainframes using AMD’s 64-bit instruction set so developers could write and test software on systems that cost both over and under a million dollars.

Intel was contractually obligated to keep Itanium limping along but it was apparent their heart wasn’t in it. In 2019 they accepted the inevitable and announced that Itanium would be officially dead as of today. The final batch of CPUs was built on a 32nm process when everyone else was on to 10nm, 7nm, and 5nm designs.

Goodbye, Itanic. You were a strange, unloved little detour, better known for the good designs you killed than for any successes of your own. Few will miss you.


Ironically, in 2020 Apple launched their own desktop-class CPU that wasn’t compatible with more common Intel or AMD designs. The difference was that Apple’s M1 was actually nice and fast, both for developers and end users.

Opt-Out Tracking is an Awful Idea

Someone invented a new standardized way to opt out of telemetry for command line applications. This is a horrid idea.

The existence of the setting establishes “tracking is OK!” as the default, and makes opting out the responsibility of the end user. With this in place, if a company collects the names of all the files in my home directory, it’s my fault for not tweaking some random setting correctly. (For technical types: don’t forget to set the “don’t track me!” variable in your crontabs, or else they’ll run with tracking enabled! Be sure to add it to your sudoers file, or now root commands spy on you!)

If this should exist at all, it should be in the form of a “go ahead and spy on me!” whitelist, with all telemetry and other spyware disabled unless explicitly enabled. Then it becomes the responsibility of each application’s author to encourage their users to enable it. Or better, get over the bizarre and radical notion of enabling spyware in command line utilities.
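The crontab and sudoers burden described above can be checked mechanically. This is an added example, not code from the original post or from the opt-out proposal: it audits a crontab and a sudoers file for places where the opt-out would silently not apply. The variable name `DO_NOT_TRACK`, the value `1`, and both sample files are assumptions constructed for illustration.

```python
import re

# Assumed name and value; the post does not name the opt-out variable.
OPT_OUT_VAR = "DO_NOT_TRACK"
OPT_OUT_VALUE = "1"

ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
ENV_RESET = re.compile(r"^Defaults\s+(!?)env_reset\s*$")
ENV_KEEP = re.compile(r'^Defaults\s+env_keep\s*(\+=|-=|=)\s*"?([^"]*)"?\s*$')


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def crontab_jobs_without_opt_out(text, var=OPT_OUT_VAR):
    """Return (line number, job) for every job that runs without the opt-out.

    An assignment is treated as applying to the entries that follow it,
    which is how Vixie-derived crons read the file.
    """
    env, exposed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:  # environment setting, not a job
            env[m.group(1)] = _unquote(m.group(2))
            continue
        if env.get(var) != OPT_OUT_VALUE:
            exposed.append((lineno, line))
    return exposed


def sudo_preserves_opt_out(sudoers_text, var=OPT_OUT_VAR):
    """True if global Defaults let the variable through to root commands.

    Only global 'Defaults' lines are read; per-user and per-host Defaults
    and included files are out of scope for this sketch.
    """
    env_reset = True  # sudo's default: start commands with a minimal environment
    kept = set()
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ENV_RESET.match(line)
        if m:
            env_reset = m.group(1) != "!"
            continue
        m = ENV_KEEP.match(line)
        if m:
            op, names = m.group(1), set(m.group(2).split())
            if op == "=":
                kept = names
            elif op == "+=":
                kept |= names
            else:
                kept -= names
    return (not env_reset) or var in kept


# Constructed sample inputs.
SAMPLE_CRONTAB = """\
# constructed sample crontab
SHELL=/bin/sh
0 3 * * * /usr/local/bin/backup-tool --nightly
DO_NOT_TRACK=1
*/15 * * * * /usr/local/bin/sync-tool
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
"""

if __name__ == "__main__":
    for lineno, job in crontab_jobs_without_opt_out(SAMPLE_CRONTAB):
        print(f"crontab line {lineno} runs without {OPT_OUT_VAR}: {job}")
    if not sudo_preserves_opt_out(SAMPLE_SUDOERS):
        print(f"sudo drops {OPT_OUT_VAR}; root commands run without the opt-out")
```

Under an opt-in design the same audit would be unnecessary, because a scrubbed environment would mean telemetry stays off.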

Quackbooks.

It seems like Intuit is never in the news for anything good that benefits normal people.

Previously: “Inside TurboTax’s 20-Year Fight to Stop Americans From Filing Their Taxes for Free”.

For more than 20 years, Intuit has waged a sophisticated, sometimes covert war to prevent the government from doing just that, according to internal company and IRS documents and interviews with insiders. The company unleashed a battalion of lobbyists and hired top officials from the agency that regulates it. From the beginning, Intuit recognized that its success depended on two parallel missions: stoking innovation in Silicon Valley while stifling it in Washington. Indeed, employees ruefully joke that the company’s motto should actually be “compromise without integrity.”

We would have had free websites that allowed taxpayers to easily file their returns if Intuit hadn’t spent a fortune to block them.

Yesterday: “Intuit sabotages the Child Tax Credit”.

I have done web-design for large government clients. I understand that there are constraints that can reduce the quality of the final product. But Intuit isn’t your average IRS contractor – they’re a company that was caught bribing, intimidating and poaching IRS employees.

It should have been easy for low income families to apply for the Child Tax Credit they’re entitled to, but Intuit botched the application website.

Today: “Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax”.

“Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time.”

In other words, Intuit “helpfully” exports their customers’ payroll information to a monstrosity called The Work Number that lets other entities ~~stalk~~verify employment and salary information for most Americans.

It’s always something with this crew.

Antivaxxers not owed a soapbox

In a new post in Science Translational Medicine’s “In the Pipeline” blog, Derek Lowe announced that he’s tired of antivaxxer spam:

But – and you know where this is going – there have also been several commentators here who have for some time been abusing this site’s hospitality. I have mentioned to these people that they don’t have to be here, that starting constant wrangling arguments about vaccines, pandemic statistics, etc. in the comments section does not have to be a regular feature of their day. No one’s taken the hint.

He then gets to the crux of it:

Do what you like but don’t do it here. You are free to contribute your thoughts on other topics if you honestly have something to add or some question to ask, but any sign of attempted pandemic flaming will be deleted as quickly as I see it. Go away and tell everyone that Big Pharma muzzled you, if that makes you feel better. But in the end, you’re already going to be the last people standing after the vaccines wipe the rest of us out, right? Isn’t that enough?

I think this is the right take. It’s not censorship: no one is telling antivaxxers or other conspiracy nuts that they can’t say dumb things. It’s just that Lowe doesn’t feel obligated to give them a platform to spread their idiocy.

Digital notes are better than paper

Techie people regularly rediscover paper and write about how they’ve created a good note taking system with it. I’m envious of them, as I’ve tried this many times but can’t do it. I keep thinking I’ll like writing on paper, but I don’t and likely never will.

A few years ago I started keeping a digital daily journal, not so much a diary with entries like “today I feel…”, but a record like “changed the van’s oil. Drove the kid to camp. Called Mom.”[1] I was using Drafts on my iPhone as a sort of bullet journal, augmented with an action group I wrote. After a year of this, articles rhapsodizing on the wonderfulness of handwritten notes convinced me to switch to a paper journal and to get a nice fountain pen.[2] I’ve used the physical process for about a year and a half now, and when I fill up this current notebook next month, that’s it. I’m going back to digital.

As I keep having to be reminded, pen and paper note taking is vastly inferior to digital in every way I care about. Other people love writing notes and that’s awesome, but I can’t escape the fact that I hate handwriting, and I often cut my thoughts short because I want to quit scribbling. Worse, the analog notes aren’t actionable. My Drafts workflow turns my day’s worth of bullet-style notes into a set of digital diary entries, new calendar events, and tasks in my task manager. I already carry my iPhone with me almost everywhere[3] so I don’t have to remember to drag something else along. If I’m jogging and think of something worth remembering, I can say “hey Siri, remind me to…” and it records a note without me having to pause and jot the thought down. Paper would be nice for impromptu drawings, but since keeping a paper journal, not once have I drawn something in it.

For me, for my workflow, digital is vastly superior. Paper has its strengths, but none of them apply to how I want to use it. I mention all this for the benefit of other people reading articles about the benefits of paper note taking, and who feel vaguely guilty for not toting a notebook with them all the time. I think the important part is writing a note, not the medium it’s taken with.


  1. This is enough of a trigger for me to remember that day when I look back at it later. It’d be useless for anyone else reading it, but I write for me, not for a hypothetical person who gives a care about what I was doing in 2021. ↩︎

  2. Rhodia Webnotebook A5. Lamy Safari fountain pen, Noodler’s Baystate Blue ink. If I were ever going to enjoy handwriting in a book, I’m sure this is the setup that would have won me over. ↩︎

  3. None of this applies while on camping trips. I take a paper notebook with me to write in because I don’t have to charge it. ↩︎

Pain-free with a Logitech MX Vertical Mouse

When I spend my days programming, I don’t often use a mouse. I have a nice keyboard and use as many keyboard shortcuts as possible so that I rarely move my hands away from it. I’d been doing a lot of non-programming work lately, though, involving clicking around in a lot of spreadsheets and the like.

All that mousing and clicking had been killing my wrist. I’d been using an Apple Magic Mouse that I used to like, except that using its touchpad-style “buttons” required rotating my hand inward to place my hand flat upon it. As it happens, twisting my hand that way while clicking and scrolling is a recipe for pain. It had gotten bad enough that I was starting to weigh my medical options.

One day a friend happened to mention his new vertical mouse. A what? I hadn’t heard of such a thing. However, it instantly made sense. The device is built like a regular mouse, although on its side at an angle that’s close to the natural position my hand is in when I raise it to desk height. A little research narrowed the options to three main candidates:

  • The Anker 2.4G Wireless Vertical Ergonomic Optical Mouse has good ratings, but doesn’t support Bluetooth and has buttons that aren’t supported on my Mac. I know myself well enough to accept that I’d inevitably lose the little USB wireless adapter, and having buttons I couldn’t use would drive me bonkers. The price is amazing, though.
  • Evoluent makes a whole range of vertical mice, and they’re available in several sizes. For example, the Evoluent VerticalMouse D Medium is available in small and large, too. I was irked that it was almost impossible for me to find which version of their mouse was the newest (answer: they’re in order 3, 4, C, then D… I think?). These were the most expensive commonly recommended vertical mice I found, and although they’re said to be well made, a lot of reviewers disliked their slick metal finish. Worse, only one old version 4 model supports Bluetooth. I skipped the Evoluent mice, although they have a lot of happy reviews and I’m sure they’re nice.
  • I ended up with the Logitech MX Vertical Wireless Mouse. Yay for Bluetooth! Yay for all buttons being fully supported on my Mac! Yay for not being the most expensive option I looked at, for once!

Setup was a breeze and the Logitech mouse configuration app worked fine on my Big Sur system — minus a warning that the mouse and any Logitech keyboards might be unavailable right after a reboot if they’re connected via Bluetooth and FileVault drive encryption is enabled. If my mouse or keyboard wasn’t compatible with drive encryption, I’d take it out in the backyard and burn it. Luckily, that wasn’t the case for me. Instead, I was happy to find that the app supported binding a large set of gestures to various mouse buttons, including all of the ones I’d been using on my Magic Mouse. I expected to have to dig into Keyboard Maestro to configure it the way I was used to, and while I still might, I liked that I don’t have to.

The mouse itself felt great in my hand. It’s hefty enough to feel substantial and have some inertia as I move it around, yet light enough to be comfortable. The buttons are placed conveniently for my medium-sized hand, which is important because you lightly grip it instead of laying your hand on it like a regular mouse, so everything needs to be reachable when your hand is wrapped around it. The new hand position felt very odd at first but I grew accustomed to it after a couple of hours.

Most importantly, my wrist stopped hurting almost immediately. I was used to wincing when I picked up my old mouse and that pain completely stopped. Yes, completely. If I had known that a tiny change could end the constant aching, I would have tried this experiment long ago. Although the Logitech MX Vertical mouse is more expensive than most normal mice, I would happily pay 10 times its price not to hurt at work anymore. I’m thrilled that I didn’t have to.

I love my new vertical mouse. After only a few days of using it, I doubt I’d go back to a traditional model.

Bing is censoring Tank Man search results

Bing is censoring images of the Tiananmen Square “tank man” image. DuckDuckGo, who uses Bing’s search backend, is too.

Here’s the result of a Bing search for “tank man” with safe search on the default “moderate” setting:

Bing's "safe search: moderate" result for "tank man"

Perhaps the image is too graphic and safe search is hiding the results? No. Turning safe search off gives the same answer:

Bing's "safe search: off" result for "tank man"

At first, DuckDuckGo was returning 4 images of men next to tanks:

DDG's first "safe search: moderate" result for "tank man"

Shortly afterward, it was updated so that the exact same search settings didn’t return anything at all:

DDG's later "safe search: moderate" result for "tank man"

DuckDuckGo’s “safe search: off” results were empty from the start:

DDG's "safe search: off" result for "tank man"

Full credit to Google here who returns a long list of images:

Google's default settings search result for "tank man"

Shame on you, Microsoft, for censoring this important historical record.

Uniquely bad identity branding

My company has an account with a certain identity provider so we can test that our single sign-on feature works. Today one of my coworkers asked for an account with the IdP before he started working on that part of our code. I tried to create his user but got an error that the “username must be unique”. Huh. I double-checked our user list to ensure we didn’t have an account for him. We didn’t. I tried again and got the same error. That’s when I reached out to their support. They quickly replied:

To resolve this issue, please navigate to Administration > Settings > Branding and toggle the custom branding switch to green. Then try to create a user and it should allow you!

What. This had nothing to do with branding, and the switch in question looks like this:

"Custom branding" checkbox

But alright, I figured I’d try their suggestion.

It worked.

I supposed what likely happened was that support quickly found and fixed an issue, then gave me a switch to flip to make it feel like I was fixing something. I replied to them:

So we couldn’t add that user (but could add other users) because we didn’t have custom branding enabled? That can’t be right.

Their response?

It could be possible that the same username could exist in another customer’s tenant. So, once you enable the custom branding it would only look for your tenant for a unique username. With branding currently being disabled, the system is considering all tenants.

In short, if you click a logo to use your own theme for their site, usernames only have to be unique within your organization. If you don’t customize the site’s theme, they have to be unique across the whole identity provider. Furthermore, that uniqueness check only happens when you create a new user. If you flip the branding/namespace switch on, create an account, then flip the switch back off, the account is still active and usable even though it’s not globally unique. Even if you think that tying branding to uniqueness is a good idea — and it’s not — it doesn’t even work.

That whole setup is nuts.
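The behaviour support described, modelled as an added example (not the vendor's code and not from the original post): a uniqueness check whose scope depends on a branding flag and runs only at creation time, next to a schema-level constraint on (tenant, username) that cannot be toggled away. Table, column, tenant and function names are hypothetical.

```python
import sqlite3


def make_db(enforce_in_schema):
    """In-memory stand-in for the IdP's user store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "custom_branding INTEGER NOT NULL DEFAULT 0)"
    )
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "tenant_id INTEGER NOT NULL REFERENCES tenants(id), "
        "username TEXT NOT NULL)"
    )
    if enforce_in_schema:
        # The invariant lives in the schema, independent of any UI setting.
        db.execute(
            "CREATE UNIQUE INDEX users_tenant_username "
            "ON users (tenant_id, username)"
        )
    db.execute(
        "INSERT INTO tenants (id, name, custom_branding) "
        "VALUES (1, 'acme', 0), (2, 'other', 0)"
    )
    return db


def create_user_as_described(db, tenant_id, username):
    """Check-then-insert whose scope depends on the branding flag."""
    (branding,) = db.execute(
        "SELECT custom_branding FROM tenants WHERE id = ?", (tenant_id,)
    ).fetchone()
    if branding:
        clash = db.execute(
            "SELECT 1 FROM users WHERE tenant_id = ? AND username = ?",
            (tenant_id, username),
        ).fetchone()
    else:
        clash = db.execute(
            "SELECT 1 FROM users WHERE username = ?", (username,)
        ).fetchone()
    if clash:
        raise ValueError("username must be unique")
    db.execute(
        "INSERT INTO users (tenant_id, username) VALUES (?, ?)",
        (tenant_id, username),
    )


def create_user_scoped(db, tenant_id, username):
    """Always tenant-scoped; the unique index rejects duplicates atomically."""
    try:
        db.execute(
            "INSERT INTO users (tenant_id, username) VALUES (?, ?)",
            (tenant_id, username),
        )
    except sqlite3.IntegrityError:
        raise ValueError("username must be unique within the tenant") from None


def invariant_violations(db):
    """Accounts that break the rule their tenant's current setting claims:
    branding off means 'globally unique', yet the name exists elsewhere."""
    return db.execute(
        "SELECT t.name, u.username FROM users u "
        "JOIN tenants t ON t.id = u.tenant_id "
        "WHERE t.custom_branding = 0 AND EXISTS ("
        "  SELECT 1 FROM users o "
        "  WHERE o.username = u.username AND o.tenant_id <> u.tenant_id) "
        "ORDER BY t.name, u.username"
    ).fetchall()


def replay_described_behaviour():
    db = make_db(enforce_in_schema=False)
    create_user_as_described(db, 2, "pat")  # another tenant already has "pat"
    try:
        create_user_as_described(db, 1, "pat")
        first_attempt = "created"
    except ValueError:
        first_attempt = "rejected"
    db.execute("UPDATE tenants SET custom_branding = 1 WHERE id = 1")
    create_user_as_described(db, 1, "pat")  # same request now succeeds
    db.execute("UPDATE tenants SET custom_branding = 0 WHERE id = 1")
    # Nothing re-checks existing rows when the switch goes back off.
    return first_attempt, invariant_violations(db)


def replay_with_schema_constraint():
    db = make_db(enforce_in_schema=True)
    create_user_scoped(db, 2, "pat")
    create_user_scoped(db, 1, "pat")  # different tenant: allowed
    try:
        create_user_scoped(db, 1, "pat")  # same tenant: refused by the index
        return "created"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print(replay_described_behaviour())
    print(replay_with_schema_constraint())
```

Tenant-scoped usernames also require that sign-in identifies the tenant (for example by subdomain or an organization field), since a bare username no longer names one account.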

How I get things done

After years — decades — of experimentation, I’ve learned this about myself: when I follow a certain workflow, I’m happy and productive. When I don’t follow it, I’m stressed, anxious, and unproductive. There’s no in-between state. If I want to feel good about all the cool things I’m doing, I have to trust the process and follow it rigorously.

These are the things I use to stay sane and productive.

An inbox

My workflow is inspired by Getting Things Done (aka GTD), but I’m not dogmatic about most of it. The critical part is that I have an “inbox” where I record all of the things I need to do. This isn’t like an email inbox where people send me things they think are important, but the opposite: I decide what’s important enough for me to remember, and those things go into it. I can’t overstate the importance of having this.

Rationale

The GTD book goes into detail about the psychology of it, but the gist is:

  • If I’ve recorded all the commitments I’ve made in a place where I trust myself to remember them later, my mind can let go of worrying about remembering to do them.
  • If there are things I haven’t recorded, my mind will get hung up dwelling on them: “don’t forget to buy the widget! Don’t forget to email your boss! Don’t forget to respond to the customer!”

It’s the intrusive thought that I’m about to forget something vitally important that creates stress and diverts my attention from what I’d prefer to be thinking about.

Specific recommendations

I’m a huge OmniFocus fan, and I recommend it for everyone serious about organizing their whole life this way.[1] Anything is better than not having a system, though. If you have Apple devices, the built-in Reminders app is a great way to get started. It lacks OmniFocus’s powerful features, but has everything needed to get up and running for free. There’s even nothing wrong with a notebook and pen, although that’s a lot less flexible in important ways and those are more things I have to remember to always take with me.

Don’t underestimate the convenience of a voice assistant here. If I’m out running with my wife and suddenly remember something I need to do, I can say “Hey Siri, remind me to …” and trust that it’ll be waiting for me later. Then I can go back to paying attention to how much I hate running.

A daily plan

Every workday, I sit down and sort the things I’ve recorded in my inbox into project areas like “Personal”, “Family”, “Work”, or a few others. Then I decide what I’m going to try to get done that day. I review each of those project areas for urgent things such as paying a bill or preparing for a meeting, and flag those for my “today” list (which is an OmniFocus “perspective” that shows all the things I want to work on right now). Then I choose a few more things I’d like to get done until I feel like I’ve planned a day’s worth of work.

Rationale

Sorry, GTD purists! This is where my process diverges from The GTD Way, which looks closer to:

  • Find the most important thing to be working on right now.
  • Do it.
  • Repeat.

I’ve tried to follow that flow many times but it doesn’t work for me. I’d rather dedicate time each morning to planning my day than continually revisit my list of possible tasks as I go.

A timer

Deciding what to do is good. Doing it is better. I use the pomodoro technique to make that happen. The short version is:

  • Pick the first thing on my daily plan.
  • Work on that thing for 25 minutes uninterrupted. This time is sacred: I don’t do anything else, with the minor exception that if I discover something else I need to do, I’ll pause for a moment to add that thing to my inbox so that I can stop thinking about it and go back to the current task.
  • Take a 5 minute break, doing anything but working on the task at hand. Return texts. Check Slack. Browse Hacker News.
  • If I’ve finished the task, mark it off and move on to the next one.
  • Repeat.

Rationale

I can’t work on 1 thing for 8 hours straight (unless it’s something that’s letting me procrastinate, in which case I’ll see you tomorrow). I can’t do it. But I can work on anything for 25 minutes, even if it’s not something I enjoy doing. That’s long enough to get an appreciable amount of work done, but short enough that my focus doesn’t drift. It allows me to concentrate intensely on 1 thing at a time without worrying that I’m neglecting important messages from family or coworkers — or worse, getting bored. Because I know that I’ll be able to check my texts a few minutes from now, I’m free to think about my current work.

Specific recommendations

I like Focus by Masterbuilders. It works on all the platforms I use, has nice reports, integrates with OmniFocus, and syncs perfectly. I’ve tried every similar app I can find, but keep returning to Focus.

But any timer can work, from an app on your phone to a physical wind-up timer stolen from your kitchen.

Conclusion

Put together, these 3 ingredients give me superpowers:

  • I never forget the things I’ve promised to do.
  • I always know what the most important things are.
  • I have a way of getting them done that matches the way my brain works.

Without them, I’m a ball of unproductive anxiety. With them, I can do anything. When I find myself feeling swamped by new things to do flying at me faster than I can finish the old ones, my mantra is “rely on the tools”. They always see me through.


  1. Update: I’ve switched to using Reminders. OmniFocus is amazing but I don’t always need so much organizing power. ↩︎

Tripping on a Cracked Sidewalk

Amazon Sidewalk is a new project which allows Amazon devices (like Alexa, Ring doorbells, etc.) with different owners to share their Internet connections. In short, your Alexa talks to your neighbor’s Alexa. If your Internet connection goes down, your neighbor’s device will relay messages for your device so that it can keep working. Similarly, if your Ring doorbell is closer to your neighbor’s Alexa than to your own WiFi router, it can send alerts to you through their Alexa.

This is a terrible idea.

This means that a device on your home network — a device you bought and paid for yourself — is letting other devices you don’t control borrow your Internet connection. Amazon claims to have designed this as a secure system, but people in infosec know that a new security protocol written and implemented by a single company is going to be a mess. When (not if, but when) an attacker finds a flaw in the Sidewalk protocol or the devices it runs on, 2 terrible scenarios seem likely to happen:

  • However good and strong your WiFi password is, if an attacker can access your neighbor’s network, they can hack your neighbor’s Alexa and then use it to gain access to your own wireless network.
  • A braver attacker could sit outside your house with a hacked Alexa, or an app on their laptop that acts like one, and use it to connect to your Ring doorbell and then attack the other computers on your network.

If you have any Amazon devices, I strongly recommend you follow their instructions to turn off Sidewalk immediately. Because Amazon plans to turn this on for everyone who hasn’t explicitly asked them not to, if you don’t follow those instructions, you’ll be allowing people near your home to use your WiFi. Some owners have claimed that they turned off Sidewalk but that it turned itself back on after a software update. If this happens in my home, I will literally throw our Alexas out in the trash.

Amazon Sidewalk is a solution without a problem. Turn it off. This is a potential disaster in the making.

Can't hire? Pay more.

Many recent news stories feature companies having a hard time hiring workers. In capitalism, this means one thing: they’re not paying enough. Period. It’s that simple.

The law of supply and demand says that if demand for a resource outstrips its supply, then price for that resource increases. If a buyer wants to purchase that resource, they have to pay more to compete with the other people who want to buy it. That’s one of the defining features of a free market, and it’s unreasonable to complain that no one is selling at the price they’d like to pay.

There are things that increase the supply of people willing to work for a company, thus lowering the price it can expect to pay, such as offering excellent benefits or earning a reputation as a wonderful employer. Those are forms of compensation that potential employees can and will consider. Conversely, having a reputation as a bad employer decreases the supply. I could name companies that would have to pay me more than I’d be worth to them before I’d even think of working for them.

Either way, the market — in this case, the other employers competing to hire workers — sets the price of the resource. If a company can’t hire, they need to pay more. The labor market has determined that their current combination of pay and benefits isn’t good enough to attract new employees.

In other words, stop complaining and crack open that wallet.

Wisdom of the ages

The iOS App Store recommended that I check out a meditation app named “Calm”, featuring “Wisdom from Shawn and Camila”. Shawn is 22 years old; Camila is 24.

"Wisdom from Shawn and Camila", 2 people in their very early 20s

With due respect, Apple, I’m not expecting a lot of wisdom from a couple younger than the sweater I’m wearing.

There are many wonderful things youth can bring. Experience of a life long-lived is not one of them. I don’t want to sound curmudgeonly, but they’re 22 and 24, and I expect they’ll have little to offer on mid-career thoughts, or watching one’s parents grow older, or coming to grips with mortality. Like, the guy’s been quarantined for the majority of the time it’s been legal for him to drink.

Taking one for the team

Scene: Nick’s intermediate league baseball game.

Bottom of the last inning. Other team at bat. 2 outs. 2 on base. Winning hitter at bat. Fly to right field. Nick makes a beautiful diving catch and comes up with the ball, ending the game for his team to win…

…then runs off the field holding his arm.

One rushed trip to the office for x-rays later, and it’s confirmed: he broke the same wrist that he broke last year when he fell off his skateboard.

I’ll hand it to the kid: he plays hard. If you’re going to get hurt, you may as well do it heroically.

Signal was cheeky, but right

In her article “I Have a Lot to Say About Signal’s Cellebrite Hack”, the extremely qualified Riana Pfefferkorn argues that Signal’s blog post, “Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective”, could have been a bit more serious and professional:

On the other hand, although this was serious work with a serious point to it, the unseriousness of Signal’s tone in the blog post and video hampered public understanding of the point they were making. You aren’t helping your cause when a reporter can’t tell which parts of your blog post are jokes and which parts are serious, or what you mean by your weird coy phrasing. This blog post was plainly written in order to impress and entertain other hackers and computer people. But other hackers aren’t the real target audience; it’s lawyers and judges and the law enforcement agencies that are Cellebrite’s customers. They tend to prefer clear communication, not jokes and references to 25-year-old cult films.

To be clear, Pfefferkorn is way more qualified to have an opinion on this than I am. Still, as I said in a Hacker News comment:

Eh, I can’t be bothered to care. Cellebrite hoards 0-days so they can use them to hack phones. They know about exploitable vulnerabilities but aren’t saying anything about them because they profit from insecurity. Thing is, just because Cellebrite knows about a thing doesn’t mean, say, China’s CCP or the Russian mafia or anyone else doesn’t also know about that thing. You and I are less safe just because Cellebrite wants to profit off of those vulnerabilities.

I just can’t work up the ability to sympathize with Cellebrite. The law may have something to say about Moxie’s writing, but in my opinion he has the clear ethical upper ground in this argument.

Pfefferkorn goes on to say:

But if Cellebrite machines stop working reliably, or the evidence obtained from them is hella sus and can’t be relied upon in court, then that safety valve — the ability for the cops to get courtroom-worthy evidence off phones notwithstanding strong encryption — gets plugged up. And closing the safety valve adds more pressure. It’ll become easier for law enforcement to make the case for why smartphone encryption needs to be backdoored.

That may be true, but I contend:

I also disagree with the notion that it’s good that Cellebrite exists because without them we’d have stronger anti-encryption laws. That’s hypothetical and all we know is what we have today. I’m not thrilled that someone is peeing on my basement carpet instead of peeing in my living room; I’d rather not have someone peeing on any of my rugs.

It’s not that I disagree with Pfefferkorn on an intellectual or legal level. She’s the expert. If our factual positions disagree, listen to her, not me. It’s just that I don’t care if Signal was crude in their anti-Cellebrite post. It brought a lot of attention to Cellebrite’s awful ethical stance, and for that I’m grateful to Signal’s CEO, Moxie Marlinspike.

Review: Jellycuts

Jellycuts for iOS and iPadOS is 2 things:

  1. A text-based language for writing Shortcuts,
  2. A compiler that turns the text language into “real” Shortcuts, and
  3. An IDE for writing the language.

As a programmer, this is super exciting to me because it feels like I spend too much time fighting against the limitations of the visual language. Now I can use the programming tools I work with every day to write my little applets, and store them in version control so that I can track changes and roll back mistakes.

It’s not a perfect system as the design of the Shortcuts app means that getting the compiled code into it is a little convoluted (but automated and as smooth as possible). That’s on Apple, though, and not Jellycuts. The author has done an amazing job with the tools available to them.

Jellycuts is a game changer. I haven’t gotten far with it yet, but if it works as promised on larger projects, I see it becoming the way I write Shortcuts. Get it at https://apps.apple.com/us/app/jellycuts/id1522625245.

Review: Apple Fitness+

I’ve been using Apple’s Fitness+ service since it became available. It’s still a young product and has lots of room to improve, but its fundamentals are solid. This is what I like and dislike about it.

What I like: doing the exercises

First, the workouts themselves are excellent. They offer exercises I’m not used to, and I’ve found that working with a trainer, even a pre-recorded one that isn’t talking to me personally, motivates me to push harder than I do when I’m working out alone. At the end of a workout I’m exhausted, and the next day my body reminds me that I did something difficult.

This is the litmus test, after all. A trainer that doesn’t challenge and doesn’t push me harder than I would push myself isn’t much of a trainer. Fitness+ meets this requirement in spades.

Second, Fitness+ has a lot of workouts. When it’s time to use one, I want help picking one that’s appropriate to me. The app’s “discoverability” is… decent:

  • I pick a type of workout (like strength, core, or yoga) I’d like to try, and use the filter to choose a length of time I’d like to work out. I want to do strength training for 20 minutes? Here’s a list.
  • From that list I choose a trainer. This is convenient if there’s one I like and I want to see more of their workouts, but not as helpful for choosing between them. The app makes the trainers’ biographies available but I was overwhelmed with choices the first time.

If I know what workout I want to do, and which trainer I want to work with, Fitness+ is fine.

What I don’t like: finding the exercises

But that discoverability is barely sufficient, and leads to my sole criticism. Fitness+ could and should help me find new workouts that are appropriate for me personally, and today it doesn’t.

Within selections, the main differentiator in a screenful of similar-seeming workouts is the genre of background music. I know people may have strong preferences here but I don’t. As of writing there are 15 “Strength with Gregg” workouts. At a glance, I can’t tell the difference between them. Every screenshot shows exercises for both upper and lower body, even though most workouts target certain muscles. Navigating through each available workout exposes that information but it’s a lot of work when I’m ready to start lifting weights and would rather lift than investigate. Better titles like “Leg Strength with Gregg” would help a lot here.

There’s not an option to like or dislike workouts. I want a recommendation system like Apple Music’s: tell me what I might like based on what I’ve enjoyed, not just what’s similar to what I did last time.

Descriptions of workouts are more vague than they should be. For example, one reads “the focus of this workout is upper body, with a new element added to each move as you go.” But what part of my upper body? I want to know:

  • Which exercises a workout includes. If my shoulder hurts, I might want to skip lateral raises.
  • Which muscle groups it exercises. Sometimes I’d like to target specific areas like glutes or biceps or shoulders or quads.

If Fitness+ had filters that let me specify that I’d like to work my triceps and lats for 20 minutes, or find one that includes hammer curls because that sounds good today, I’d use it a lot.

Workouts need more audio cues. I spend a lot of effort trying to look at the TV so I can pace myself with the trainer, and would like a consistent signal to complete a rep. I wish the producer would add a chime or beep after each movement so that I could follow along without contorting to see the screen.

Finally, many other Apple apps use Siri to power smart recommendations. Putting all the above together, I’d like to see a Fitness+ notification like “you skipped leg day. Here’s a good leg workout you’re going to like.” It’s easy to rationalize skipping a workout, but harder when someone’s reminding you that you’ve been a couch potato and giving you personalized suggestions for changing that.

Summary

It’s tricky to find an exercise I want in Fitness+, but that’s because there are so very many excellent ones to choose from. And that’s the important part: once I find workouts I like, they motivate me to work harder than I would on my own. I’ve found the accountability, even if it’s to someone who can’t see me and who I’ll never meet, to keep me moving. I am stronger and healthier for using the app than I would be without it.

Apple Fitness+ may have some rough edges, but for a new service that’s still improving, I’m into it.

Review: Hook by CogSci

I’ve been playing with Hook, an app I’ve started hearing about. It’s an interesting bird, and its own docs didn’t explain why I should want to use it. That’s too bad, because after downloading it and playing around for a few days, I understand why people are excited about Hook.

Let me try my own explanation:

Hook knows how to talk to a lot of other apps (about 150 as of now) and ask or direct them to do a few things:

  • Get the ID of the active item in the app, like the omnifocus:///task/... link of the selected item in OmniFocus.
  • Open the item in the app with a given ID.
  • Get the name of the active item in the app, like the title of the front tab in Safari.
  • Create a new item in the app.

Those first 2 options are interesting because many of its supported apps don’t offer their own URL scheme. You can refer to a web page by its address or an OmniFocus object by its URL as seen above, but Apple’s own Notes app doesn’t offer a way to make a link to a specific note. Hook solves this by offering its own URL scheme. For instance, if I try to open the URL hook://notes/dt/1498065293 on my Mac, it opens the Hook app, which sees that it’s supposed to open the Notes app, and uses AppleScript or JavaScript wizardry to go straight to the desired note. Or consider emails, each with their own unique Message-ID. Hook accepts URLs like hook://email/[Message-ID] and opens them in your favorite mail app, even if you’ve moved the mail to a different folder or switched mail apps since you copied the link.

That’s slick, and if Hook only allowed me to deep link straight into Mail and Notes and Finder and iTerm (!!!) and VS Code (now you’re showing off), it would be invaluable.

The “a-ha!” moment was understanding that Hook itself stores links between objects, even if they’re not editable. For example, suppose you’re viewing a PDF and it reminds you of a web page. You can ask Hook to copy the PDF’s location in Finder. When you open the web page in Safari, you can use Hook’s “Hook to Copied Link” action to make a two-way link (the eponymous “hook”) between the PDF and the web page. That is, if you come back to that web page a week later and wonder what PDF it reminds you of, you can press the Hook shortcut and it will pop up a list of all documents “hooked” to that web page. Use the arrow keys to scroll down to the PDF and press enter, then voila!, it opens the PDF for you.

This is the magic in Hook: you can make linkages between resources that aren’t under your own control. You don’t download a webpage and then edit its metadata to link to the PDF. Hook says “oh, when you’re looking at this page, I’ll remember that it made you interested in this PDF”. And even if that PDF can’t be edited to add a link to the webpage, Hook manages that association for you.

In this sense, Hook is like a personal wiki, except that you don’t have to edit a page to associate bits of data and that doesn’t have to be in the same app. You open the first item and press a few keys, then open the second item and press a few more, and now your system knows that you think these 2 items are related and can remind you of that later. That’s powerful. It’s easy enough to make a link from a Things action to its information resources in DEVONthink. Linking from DEVONthink information back to Things so that you can bounce right back to your project planning without lifting your hands from the keyboard? That’s harder, and it’s the true value of Hook.

A note on terminology: giving things a good name is hard, but I might’ve called “Hook to Copied Link” almost anything else. My mind kept reading “Hook” as a noun, as though I were converting it to a “Copied Link” similar to calling “JPEG to PNG” in a graphics program. Instead it’s a verb: “create a link back to the item whose link is in the clipboard” is clearer to me, although too verbose.

Hook is available in a free version that’s focused on opening links, not making them. The idea is that you can send your coworker a link to a file stored in Git or Dropbox, or an email they were Cc’ed on, and they can go straight to it. That’s nifty, but in practice I can’t imagine my friends tolerating this: “hey Tom, I’m going to send you a link, and you’ll need to download this free app from…” “Stop right there.” Hook is cool and I’ve told several friends about it, but I’m not kidding myself about the likelihood of them all installing it.

Maybe I’ll look back on this in a few years and laugh at my own skepticism because it became the universal standard app that everyone uses, but I’m not counting on it.

Licensing

CogSci, Hook’s authors, have an interesting licensing model: if you buy the “essentials” or “pro” version, you can use any new versions that come out within 12 months of your purchase date for free, forever. If newer versions come out with features you can’t live without, you can buy a discounted renewal license that’s good for another 12 months of updates.

I love this idea. I hate renting software, and this is a nice compromise between an unsustainable “buy it once and get free support for the rest of your life” and “keeps working as long as you keep paying”. I wish this licensing model were the norm.

Drawbacks

The few things I dislike about Hook are minor:

  1. It’s not available for iPhone and iPad. I’m not sure how an iOS version of Hook would work (perhaps through the Share action? Through drag and drop?), but I wish it were on my favorite mobile platforms. I’m using my iPad for a lot of work I would have used my Mac for before and cross-platform tools are splendid. A mobile “Hook Lite” version that supported opening hook:// links would help a lot.
  2. I haven’t met another person using it. Although I’ve read articles about Hook, I’m the only person among my friends, family, and coworkers who has it installed. The link sharing idea could be brilliant if it becomes ubiquitous but I don’t want to be its lone evangelist among the people I know, many of whom are still annoyed by my Emacs and Amiga days.
  3. CogSci: please ask someone who doesn’t work with you to review your home page. All the information there is technically accurate, but much of it only becomes clear to users who’ve downloaded Hook and experimented with it. If I hadn’t been evaluating the app on the recommendation of a friend, I might not have downloaded it. Your app is cool. Give it some marketing love!

Summary: try it.

I like Hook. I haven’t registered it yet but I’m leaning that way. Again, if Hook only allowed me to create deep links into apps that don’t natively support them, that’s enough reason to buy it. I’m not sold on the life-changingness of the bidirectional links between documents — not because I don’t think it’s a wonderful idea, but because I’m a sucker for things that promise to be the cure for what ails ya and then become disillusioned when they’re not as amazing as I’d hoped. For example, I’d heard that Zettelkasten note keeping is the magic key to life-long productivity, but realized that it’s a nice solution to problems I don’t have. I’m being cautious about Hook for the same reason. But skepticism aside, I think its core conceit that making links between all your related resources is valuable has merit, and Hook makes this easy. I’m still in the trial period; my wish is that it’s as helpful as CogSci thinks it will be.

Try Hook. I think we’re going to like it.