Digital notes are better than paper

Techie people regularly rediscover paper and write about how they’ve created a good note taking system with it. I’m envious of them, as I’ve tried this many times but can’t do it. I keep thinking I’ll like writing on paper, but I don’t and likely never will.

A few years ago I started keeping a digital daily journal, not so much a diary with entries like “today I feel…”, but a record like “changed the van’s oil. Drove the kid to camp. Called Mom.”[1] I was using Drafts on my iPhone as a sort of bullet journal, augmented with an action group I wrote. After a year of this, articles rhapsodizing on the wonderfulness of handwritten notes convinced me to switch to a paper journal and to get a nice fountain pen.[2] I’ve used the physical process for about a year and a half now, and when I fill up this current notebook next month, that’s it. I’m going back to digital.

As I keep having to be reminded, pen and paper note taking is vastly inferior to digital in every way I care about. Other people love writing notes and that’s awesome, but I can’t escape the fact that I hate handwriting, and I often cut my thoughts short because I want to quit scribbling. Worse, the analog notes aren’t actionable. My Drafts workflow turns my day’s worth of bullet-style notes into a set of digital diary entries, new calendar events, and tasks in my task manager. I already carry my iPhone with me almost everywhere[3] so I don’t have to remember to drag something else along. If I’m jogging and think of something worth remembering, I can say “hey Siri, remind me to…” and it records a note without me having to pause and jot the thought down. Paper would be nice for impromptu drawings, but since keeping a paper journal, not once have I drawn something in it.

For me, for my workflow, digital is vastly superior. Paper has its strengths, but none of them apply to how I want to use it. I mention all this for the benefit of other people reading articles about the benefits of paper note taking, and who feel vaguely guilty for not toting a notebook with them all the time. I think the important part is writing a note, not the medium it’s taken with.


  1. This is enough of a trigger for me to remember that day when I look back at it later. It’d be useless for anyone else reading it, but I write for me, not for a hypothetical person who gives a care about what I was doing in 2021.

  2. Rhodia Webnotebook A5. Lamy Safari fountain pen, Noodler’s Baystate Blue ink. If I were ever going to enjoy handwriting in a book, I’m sure this is the setup that would have won me over.

  3. None of this applies while on camping trips. I take a paper notebook with me to write in because I don’t have to charge it.

The Risks of Third-Party Email Clients

There are a lot of neat third-party email applications available for Mac and iOS. From an end user perspective, many of them are amazing and useful. From an information security, privacy, or legal perspective, many are horrible.

For example, Readdle makes a popular email client, Spark. Now, to be clear, I think Readdle is a good, competent, well-meaning company and that Spark is a nice app. My problem with their product isn’t because I don’t trust them, but because I have to trust them, and unnecessarily.

Here’s why.

How first-party email apps work

When I refer to a first-party mail client, I mean Apple’s own Mail.app, or the app that an email service company made to support their own system (such as Google’s Gmail app). These are a direct link between your computer and your email service, and are widely regarded as trustworthy and safe to use. That is, if you don’t trust Mail.app with your email, you probably wouldn’t be using a Mac or iPhone in the first place. If you don’t trust the Gmail app, you shouldn’t trust the Gmail service either. A third-party app, then, is one made by someone other than the company who made your computer’s operating system or your email service.

With that out of the way, here’s how the process of receiving an email works on these clients:

  • A friend sends you email.
  • Mail.app periodically checks your email account to see if you have new mail, then fetches it.
  • Mail.app gives you some sort of notification that you have a new message.

Alternatively:

  • A friend sends you email.
  • The Gmail mail server sends a “push notification” to your phone, waking it up and alerting it that you have new email.
  • The Gmail app on your phone fetches it.
  • The Gmail app on your phone notifies you that you have a new message.

That’s straightforward.

How some third-party email apps work

Spark could have been written to work like Mail.app, but Readdle chose not to, for a good reason that I understand and appreciate. All that “do I have new email?” checking can eat up a phone’s battery, and if someone sends you an email right this moment, it may take several minutes before you get a notification. However, this is where a giant privacy and security issue pops up. Spark works like this:

  • The Spark app on your phone sends your email username and password to Readdle’s server where it’s stored until you ask Readdle to delete it.
  • A friend sends you email.
  • Readdle’s server continually checks your account for new email, and then fetches it.
  • Depending on the contents of the email, Readdle’s server may do some extra processing on your behalf, and may send the Spark app on your phone a push notification to tell it you have new mail.
  • The Spark app on your phone fetches your email from your mail server.
  • The Spark app on your phone notifies you that you have a new message.

See the problem? Readdle has your login information and uses it to check email on your behalf. From their privacy policy:

INFORMATION WE COLLECT AND HOW WE USE THIS INFORMATION

OAuth login or mail server credentials: Spark requires your credentials to log into your mail system in order to receive, search, compose and send email messages and other communication. Without such access, our Product won’t be able to provide you with the necessary communication experience. In order for you to take full advantage of additional App and Service features, such as “send later”, “sync between devices” and where allowed by Apple – “push notifications” we use Spark Services. Without using these services, none of the features mentioned above will function.

By its design, you have to trust Readdle to read all your email if you want to use the Spark app, and that’s not OK. Depending on what line of work you’re in, it may not even be legal for you to allow another company to access your email if you don’t have a signed data use agreement (DUA) or HIPAA Business Associate Agreement (BAA) in place with that company. Google will sign a BAA if you ask them. Apple’s Mail.app design doesn’t require that because Apple never has access to your email account (unless you use iCloud email, which you shouldn’t be doing anyway if you’re working with HIPAA data). In fact, Apple can’t access your email usernames and passwords. From their iCloud security overview:

These features and their data are transmitted and stored in iCloud using end-to-end encryption:

  • iCloud Keychain (includes all of your saved accounts and passwords)

And all of this to support push notifications, which are nice but that Mail.app never had in the first place. Note: Readdle’s service isn’t “push” behind the curtain, as their server has to regularly poll your email service to see if you have new mail. The difference is that it’s their server doing the polling using their electricity, not your iPhone. That’s a handy feature, but is it worth it? In my opinion, it isn’t. Further, I disagree with Readdle’s statement that the “send later” and “sync between devices” features require this arrangement. They could have been built to use an end-to-end encrypted service like iCloud, but Readdle chose not to. Again, they probably did that for decent reasons because Readdle is a good company, but they didn’t have to.

Conclusion

I’m using Readdle’s Spark as an example, but mail clients are all over the place privacy-wise.

Airmail’s privacy policy says:

If “Real-Time Mailbox Monitoring” is enabled for Gmail or Outlook, Office365, IMAP, and Exchange accounts, we store credentials solely to send push notifications.

Superhuman also stores your login information:

Authentication Tokens. When you sign in to the Service, we collect and store encrypted Gmail authentication tokens.

Postbox doesn’t collect your credentials:

We only communicate with Google’s email servers through IMAP, POP, and SMTP protocols, and never receive or store any messages or data from your Google email accounts on our servers. You can revoke Postbox’s access to Google services at any time.

That’s one of the less creepy terms in their privacy policy, though:

We may use information about your publicly available social media information, or your contacts’ publicly available social media information, in connection with our Services.

MailMate has a clear policy:

Passwords are most often required for MailMate to access the emails in your IMAP accounts and to send emails using SMTP servers. Regular passwords are stored (if you allow it) in the Keychain of macOS. Depending on your settings, this might be an iCloud-based keychain synchronized to your other devices.

Some accounts support OAuth2 authentication. In this case, a browser is used for authenticating your accounts and MailMate only gains access to so-called OAuth2 tokens. The tokens are used to access your accounts and MailMate never sees and never stores your password. The tokens are stored in your Keychain as described above.

If an app doesn’t have a privacy policy, don’t use it. If it does, read the policy. And if you work in a regulated industry like finance or healthcare, get your company’s legal team’s opinion before using a third-party app!

Pain-free with a Logitech MX Vertical Mouse

When I spend my days programming, I don’t often use a mouse. I have a nice keyboard and use as many keyboard shortcuts as possible so that I rarely move my hands away from it. I’d been doing a lot of non-programming work lately, though, involving clicking around in a lot of spreadsheets and the like.

All that mousing and clicking had been killing my wrist. I’d been using an Apple Magic Mouse that I used to like, except that using its touchpad-style “buttons” required rotating my hand inward to place my hand flat upon it. As it happens, twisting my hand that way while clicking and scrolling is a recipe for pain. It had gotten bad enough that I was starting to weigh my medical options.

One day a friend happened to mention his new vertical mouse. A what? I hadn’t heard of such a thing. However, it instantly made sense. The device is built like a regular mouse, although on its side at an angle that’s close to the natural position my hand is in when I raise it to desk height. A little research narrowed the options to three main candidates:

  • The Anker 2.4G Wireless Vertical Ergonomic Optical Mouse has good ratings, but doesn’t support Bluetooth and has buttons that aren’t supported on my Mac. I know myself well enough to accept that I’d inevitably lose the little USB wireless adapter, and having buttons I couldn’t use would drive me bonkers. The price is amazing, though.
  • Evoluent makes a whole range of vertical mice, and they’re available in several sizes. For example, the Evoluent VerticalMouse D Medium is available in small and large, too. I was irked that it was almost impossible for me to find which version of their mouse was the newest (answer: they’re in order 3, 4, C, then D… I think?). These were the most expensive commonly recommended vertical mice I found, and although they’re said to be well made, a lot of reviewers disliked their slick metal finish. Worse, only one old version 4 model supports Bluetooth. I skipped the Evoluent mice, although they have a lot of happy reviews and I’m sure they’re nice.
  • I ended up with the Logitech MX Vertical Wireless Mouse. Yay for Bluetooth! Yay for all buttons being fully supported on my Mac! Yay for not being the most expensive option I looked at, for once!

Setup was a breeze and the Logitech mouse configuration app worked fine on my Big Sur system — minus a warning that the mouse and any Logitech keyboards might be unavailable right after a reboot if they’re connected via Bluetooth and FileVault drive encryption is enabled. If my mouse or keyboard wasn’t compatible with drive encryption, I’d take it out in the backyard and burn it. Luckily, that wasn’t the case for me. Instead, I was happy to find that the app supported binding a large set of gestures to various mouse buttons, including all of the ones I’d been using on my Magic Mouse. I expected to have to dig into Keyboard Maestro to configure it the way I was used to, and while I still might, I liked that I don’t have to.

The mouse itself felt great in my hand. It’s hefty enough to feel substantial and have some inertia as I move it around, yet light enough to be comfortable. The buttons are placed conveniently for my medium-sized hand, which is important because you lightly grip it instead of laying your hand on it like a regular mouse, so everything needs to be reachable when your hand is wrapped around it. The new hand position felt very odd at first but I grew accustomed to it after a couple of hours.

Most importantly, my wrist stopped hurting almost immediately. I was used to wincing when I picked up my old mouse and that pain completely stopped. Yes, completely. If I had known that a tiny change could end the constant aching, I would have tried this experiment long ago. Although the Logitech MX Vertical mouse is more expensive than most normal mice, I would happily pay 10 times its price not to hurt at work anymore. I’m thrilled that I didn’t have to.

I love my new vertical mouse. After only a few days of using it, I doubt I’d go back to a traditional model.

Bing is censoring Tank Man search results

Bing is censoring search results for the Tiananmen Square “tank man” image. DuckDuckGo, which uses Bing’s search backend, is too.

Here’s the result of a Bing search for “tank man” with safe search on the default “moderate” setting:

Bing's "safe search: moderate" result for "tank man"

Perhaps the image is too graphic and safe search is hiding the results? No. Turning safe search off gives the same answer:

Bing's "safe search: off" result for "tank man"

At first, DuckDuckGo was returning 4 images of men next to tanks:

DDG's first "safe search: moderate" result for "tank man"

Shortly afterward, it was updated so that the exact same search settings didn’t return anything at all:

DDG's later "safe search: moderate" result for "tank man"

DuckDuckGo’s “safe search: off” results were empty from the start:

DDG's "safe search: off" result for "tank man"

Full credit to Google here, which returns a long list of images:

Google's default settings search result for "tank man"

Shame on you, Microsoft, for censoring this important historical record.

Uniquely bad identity branding

My company has an account with a certain identity provider so we can test that our single sign-on feature works. Today one of my coworkers asked for an account with the IdP before he started working on that part of our code. I tried to create his user but got an error that the “username must be unique”. Huh. I double-checked our user list to ensure we didn’t have an account for him. We didn’t. I tried again and got the same error. That’s when I reached out to their support. They quickly replied:

To resolve this issue, please navigate to Administration > Settings > Branding and toggle the custom branding switch to green. Then try to create a user and it should allow you!

What. This had nothing to do with branding, and the switch in question looks like this:

"Custom branding" checkbox

But alright, I figured I’d try their suggestion.

It worked.

I supposed what likely happened was that support quickly found and fixed an issue, then gave me a switch to flip to make it feel like I was fixing something. I replied to them:

So we couldn’t add that user (but could add other users) because we didn’t have custom branding enabled? That can’t be right.

Their response?

It could be possible that the same username could exist in another customer’s tenant. So, once you enable the custom branding it would only look for your tenant for a unique username. With branding currently being disabled, the system is considering all tenants.

In short, if you click a logo to use your own theme for their site, usernames only have to be unique within your organization. If you don’t customize the site’s theme, they have to be unique across the whole identity provider. Furthermore, that uniqueness check only happens when you create a new user. If you flip the branding/namespace switch on, create an account, then flip the switch back off, the account is still active and usable even though it’s not globally unique. Even if you think that tying branding to uniqueness is a good idea — and it’s not — it doesn’t even work.

That whole setup is nuts.
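The behaviour described above, modelled as an added example (constructed for this page, not the identity provider's code); the tenant names `acme` and `other`, the username `jdoe`, and every class and function name are assumptions. It shows why a uniqueness check that runs only at creation time, under a scope a toggle can change, leaves accounts that break the rule currently in force, next to a design where the key is always (tenant, username).

```python
from dataclasses import dataclass, field


class DuplicateUsername(Exception):
    """Raised when a username is already taken in the scope being checked."""


@dataclass
class FlawedIdP:
    """Model of the behaviour the post describes (hypothetical, constructed)."""
    branding: dict = field(default_factory=dict)  # tenant -> custom branding on?
    users: list = field(default_factory=list)     # (tenant, username) pairs

    def create_user(self, tenant, username):
        # The uniqueness scope hangs off an unrelated UI setting and is
        # evaluated only here, at creation time.
        if self.branding.get(tenant, False):
            scope = [u for t, u in self.users if t == tenant]
        else:
            scope = [u for _, u in self.users]
        if username in scope:
            raise DuplicateUsername(username)
        self.users.append((tenant, username))

    def audit(self):
        """List accounts that violate the rule their tenant is under right now."""
        violations = []
        for tenant, username in self.users:
            if self.branding.get(tenant, False):
                continue  # tenant-scoped: other tenants do not matter
            holders = sorted(t for t, u in self.users if u == username)
            if len(holders) > 1:
                violations.append((tenant, username, holders))
        return violations


@dataclass
class TenantScopedIdP:
    """Fixed rule: identity is always (tenant, username), whatever the theme."""
    users: set = field(default_factory=set)

    def create_user(self, tenant, username):
        key = (tenant, username)
        if key in self.users:
            raise DuplicateUsername(username)
        self.users.add(key)


def demo():
    """Replay the sequence from the post against the flawed model."""
    idp = FlawedIdP(branding={"acme": False, "other": False})
    idp.create_user("other", "jdoe")      # another customer's tenant (constructed)
    try:
        idp.create_user("acme", "jdoe")   # "username must be unique"
        first_attempt = "created"
    except DuplicateUsername:
        first_attempt = "rejected"
    idp.branding["acme"] = True           # support's suggested switch
    idp.create_user("acme", "jdoe")       # now succeeds
    idp.branding["acme"] = False          # switch flipped back off
    return first_attempt, idp.audit()


if __name__ == "__main__":
    print(demo())
```
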

How I get things done

After years — decades — of experimentation, I’ve learned this about myself: when I follow a certain workflow, I’m happy and productive. When I don’t follow it, I’m stressed, anxious, and unproductive. There’s no in-between state. If I want to feel good about all the cool things I’m doing, I have to trust the process and follow it rigorously.

These are the things I use to stay sane and productive.

An inbox

My workflow is inspired by Getting Things Done (aka GTD), but I’m not dogmatic about most of it. The critical part is that I have an “inbox” where I record all of the things I need to do. This isn’t like an email inbox where people send me things they think are important, but the opposite: I decide what’s important enough for me to remember, and those things go into it. I can’t overstate the importance of having this.

Rationale

The GTD book goes into detail about the psychology of it, but the gist is:

  • If I’ve recorded all the commitments I’ve made in a place where I trust myself to remember them later, my mind can let go of worrying about remembering to do them.
  • If there are things I haven’t recorded, my mind will get hung up dwelling on them: “don’t forget to buy the widget! Don’t forget to email your boss! Don’t forget to respond to the customer!”

It’s the intrusive thought that I’m about to forget something vitally important that creates stress and diverts my attention from what I’d prefer to be thinking about.

Specific recommendations

I’m a huge OmniFocus fan, and I recommend it for everyone serious about organizing their whole life this way.[1] Anything is better than not having a system, though. If you have Apple devices, the built-in Reminders app is a great way to get started. It lacks OmniFocus’s powerful features, but has everything needed to get up and running for free. There’s even nothing wrong with a notebook and pen, although that’s a lot less flexible in important ways and those are more things I have to remember to always take with me.

Don’t underestimate the convenience of a voice assistant here. If I’m out running with my wife and suddenly remember something I need to do, I can say “Hey Siri, remind me to …” and trust that it’ll be waiting for me later. Then I can go back to paying attention to how much I hate running.

A daily plan

Every workday, I sit down and sort the things I’ve recorded in my inbox into project areas like “Personal”, “Family”, “Work”, or a few others. Then I decide what I’m going to try to get done that day. I review each of those project areas for urgent things such as paying a bill or preparing for a meeting, and flag those for my “today” list (which is an OmniFocus “perspective” that shows all the things I want to work on right now). Then I choose a few more things I’d like to get done until I feel like I’ve planned a day’s worth of work.

Rationale

Sorry, GTD purists! This is where my process diverges from The GTD Way, which looks closer to:

  • Find the most important thing to be working on right now.
  • Do it.
  • Repeat.

I’ve tried to follow that flow many times but it doesn’t work for me. I’d rather dedicate time each morning to planning my day than continually revisit my list of possible tasks as I go.

A timer

Deciding what to do is good. Doing it is better. I use the pomodoro technique to make that happen. The short version is:

  • Pick the first thing on my daily plan.
  • Work on that thing for 25 minutes uninterrupted. This time is sacred: I don’t do anything else, with the minor exception that if I discover something else I need to do, I’ll pause for a moment to add that thing to my inbox so that I can stop thinking about it and go back to the current task.
  • Take a 5 minute break, doing anything but working on the task at hand. Return texts. Check Slack. Browse Hacker News.
  • If I’ve finished the task, mark it off and move on to the next one.
  • Repeat.

Rationale

I can’t work on 1 thing for 8 hours straight (unless it’s something that’s letting me procrastinate, in which case I’ll see you tomorrow). I can’t do it. But I can work on anything for 25 minutes, even if it’s not something I enjoy doing. That’s long enough to get an appreciable amount of work done, but short enough that my focus doesn’t drift. It allows me to concentrate intensely on 1 thing at a time without worrying that I’m neglecting important messages from family or coworkers — or worse, getting bored. Because I know that I’ll be able to check my texts a few minutes from now, I’m free to think about my current work.

Specific recommendations

I like Focus by Masterbuilders. It works on all the platforms I use, has nice reports, integrates with OmniFocus, and syncs perfectly. I’ve tried every similar app I can find, but keep returning to Focus.

But any timer can work, from an app on your phone to a physical wind-up timer stolen from your kitchen.

Conclusion

Put together, these 3 ingredients give me superpowers:

  • I never forget the things I’ve promised to do.
  • I always know what the most important things are.
  • I have a way of getting them done that matches the way my brain works.

Without them, I’m a ball of unproductive anxiety. With them, I can do anything. When I find myself feeling swamped by new things to do flying at me faster than I can finish the old ones, my mantra is “rely on the tools”. They always see me through.


  1. Update: I’ve switched to using Reminders. OmniFocus is amazing but I don’t always need so much organizing power.

Tripping on a Cracked Sidewalk

Amazon Sidewalk is a new project which allows Amazon devices (like Alexa, Ring doorbells, etc.) with different owners to share their Internet connections. In short, your Alexa talks to your neighbor’s Alexa. If your Internet connection goes down, your neighbor’s device will relay messages for your device so that it can keep working. Similarly, if your Ring doorbell is closer to your neighbor’s Alexa than to your own WiFi router, it can send alerts to you through their Alexa.

This is a terrible idea.

This means that a device on your home network — a device you bought and paid for yourself — is letting other devices you don’t control borrow your Internet connection. Amazon claims to have designed this as a secure system, but people in infosec know that a new security protocol written and implemented by a single company is going to be a mess. When (not if, but when) an attacker finds a flaw in the Sidewalk protocol or the devices it runs on, 2 terrible scenarios seem likely to happen:

  • However good and strong your WiFi password is, if an attacker can access your neighbor’s network, they can hack your neighbor’s Alexa and then use it to gain access to your own wireless network.
  • A braver attacker could sit outside your house with a hacked Alexa, or an app on their laptop that acts like one, and use it to connect to your Ring doorbell and then attack the other computers on your network.

If you have any Amazon devices, I strongly recommend you follow their instructions to turn off Sidewalk immediately. Because Amazon plans to turn this on for everyone who hasn’t explicitly asked them not to, if you don’t follow those instructions, you’ll be allowing people near your home to use your WiFi. Some owners have claimed that they turned off Sidewalk but that it turned itself back on after a software update. If this happens in my home, I will literally throw our Alexas out in the trash.

Amazon Sidewalk is a solution without a problem. Turn it off. This is a potential disaster in the making.

Can't hire? Pay more.

Many recent news stories feature companies having a hard time hiring workers. In capitalism, this means one thing: they’re not paying enough. Period. It’s that simple.

The law of supply and demand says that if demand for a resource outstrips its supply, then price for that resource increases. If a buyer wants to purchase that resource, they have to pay more to compete with the other people who want to buy it. That’s one of the defining features of a free market, and it’s unreasonable to complain that no one is selling at the price they’d like to pay.

There are things that increase the supply of people willing to work for a company, thus lowering the price it can expect to pay, such as offering excellent benefits or earning a reputation as a wonderful employer. Those are forms of compensation that potential employees can and will consider. Conversely, having a reputation as a bad employer decreases the supply. I could name companies that would have to pay me more than I’d be worth to them before I’d even think of working for them.

Either way, the market — in this case, the other employers competing to hire workers — sets the price of the resource. If a company can’t hire, they need to pay more. The labor market has determined that their current combination of pay and benefits isn’t good enough to attract new employees.

In other words, stop complaining and crack open that wallet.

Wisdom of the ages

The iOS App Store recommended that I check out a meditation app named “Calm”, featuring “Wisdom from Shawn and Camila”. Shawn is 22 years old; Camila is 24.

"Wisdom from Shawn and Camila", 2 people in their very early 20s

With due respect, Apple, I’m not expecting a lot of wisdom from a couple younger than the sweater I’m wearing.

There are many wonderful things youth can bring. Experience of a life long-lived is not one of them. I don’t want to sound curmudgeonly, but they’re 22 and 24, and I expect they’ll have little to offer on mid-career thoughts, or watching one’s parents grow older, or coming to grips with mortality. Like, the guy’s been quarantined for the majority of the time it’s been legal for him to drink.

Taking one for the team

Scene: Nick’s intermediate league baseball game.

Bottom of the last inning. Other team at bat. 2 outs. 2 on base. Winning hitter at bat. Fly to right field. Nick makes a beautiful diving catch and comes up with the ball, ending the game for his team to win…

…then runs off the field holding his arm.

One rushed trip to the office for x-rays later, and it’s confirmed: he broke the same wrist that he broke last year when he fell off his skateboard.

I’ll hand it to the kid: he plays hard. If you’re going to get hurt, you may as well do it heroically.