Recent Articles

[Glenn Fleishman on changes to ‘Find my iPhone’][1]:

> So even if you wipe your iPhone remotely, you don’t have to worry about anyone else ever being able to use it again. If it’s later recovered, you can easily restore from your most recent backup, entering your Apple ID and password when prompted.

Read his entire post, some really great security changes for iPhone users. It seems pretty clear to me that Apple is serious about helping users secure their devices (at least from non-NSA types — I can’t speak to what they are doing on the NSA front).

[1]: http://tidbits.com/article/14113

#### The Good
1. The lock screen is fucking gorgeous — I don’t care what anyone says.
2. Control center negates the need for any flashlight apps and generally makes me a very happy man.
3. The Today view in notification center is near perfection and eerily accurate. It’s the best way to keep your day on track and I hope developers (like [todo list apps][1]) are able to tie into that in the future.
4. Auto-update is fantastic.
5. You can set any IMAP account to archive emails instead of delete them. *Praise be…*
6. In Settings, under Phone, you can set a list of blocked numbers. I put all the phone numbers of my exes in there — I recommend you do the same because it is glorious.
7. Don’t be fooled, the Calendar app is a winner. I don’t care what anyone says.

#### The Not Good

1. “Designers” still won’t shut up about the icons and typography.
2. You still can’t get rid of Newsstand.
3. Despite #1 on this list, the Camera app icon is horrid.
4. Apple made it harder to manage playlists. When you wanted to add new songs to a playlist you used to be able to click `Edit > +` and you would see a list of all your songs, but then you could tab to your Playlists to add songs from another playlist. For some asinine reason this has been removed. I hate whoever made this call.
5. You can now swipe to unlock from anywhere on the lock screen — meaning not just in the “slider area”. This annoys me to no end because it feels imprecise.

Carry on.

[1]: http://beginapp.co

[Justin Williams][1]:

> If Path or App.net can show verifiable success in their respective ventures it will likely lead to other services copy-catting the idea of charging their users for the service they are offering. I can certainly think of worse things to copy.

While I can’t bring myself to trust Path (what is this of Dave Morin using a day *and* night phone?), I can certainly get behind this notion of copying paid services.

I think the key to offering a paid service is to be paid from day one. Path is going the opposite route and that never seems to work in the long run.

If people know they need to pay from day one then the standard has been set. If the service then offers free later on (with reduced whatever) that service stands a much better chance of converting free users to paid users because the service has never been devalued by being free in the consumer mind.

[1]: http://carpeaqua.com/2013/09/17/the-path-of-opportunity/

This morning Contrast launched [Perfect Weather for iPhone][1]. A weather app — oh — I must take a look at it. Perfect Weather is $2.99 — so it is looking right at me and daring me to install it — blue icon and all.

##### Background Time

First a little bit about the current state of my weather apps. On my home screen for the past few months have been two weather apps: Dark Sky, and Apple’s iOS 7 weather app. I like the iOS weather app, but I hate one thing about it: no precipitation percentages for future days. This really irks me, but for some reason I just like that app so I keep using it.

##### Back to the App At Hand

Enter Perfect Weather. When David Barnard emailed me about the app he noted that *this* was the perfect weather app for him. (Honestly, at this point how could I not write about this app?)

I am happy to say that Perfect Weather quickly displaced the Apple weather app on my phone. Here’s what I like about Perfect Weather:

– The precipitation forecast is right there with no extra taps for today and the rest of the week. This is immensely helpful for me.
– The app is highly glanceable, with a lot of in-depth data buried just a tug and swipe away. ((That sounds dirty, I know, but you gotta love that phrasing.))
– The icon. Yes, that blue square. *I* like it.

Ok, now on to the part you wanted to read. Here’s what I don’t like:

– I am not a fan of the fold out animation when you pull down on the gripper. It doesn’t feel like the right animation.
– The light weight of the fonts makes the smaller temps, and specifically the low temps, hard to read.
– Lastly, when you are using your current location as the location for the weather data, Perfect Weather gives you little indication of what location it thinks you are at. And yes, the radar map helps, but that’s not a great indicator. I personally would like to see a zip code or something to indicate that the app is accurate on this front.

##### Overall

I like Perfect Weather. It’s going to stick on my home screen for a while so I can put it through it’s paces. Even though my time with the app has been limited, I think it is the best weather app on my iPhone. (Please note: Nothing can touch Dark Sky, but it’s a specific app for a specific use, not a general weather app like Perfect Weather.)

[1]: http://contrast.co/perfect-weather/

[Brian Roemmele on Quora][1]:

> To use Touch ID you will also have to create a passcode as a backup. Only that passcode can unlock the phone if the phone is either rebooted (example full battery drain) or hasn’t been unlocked for 48 hours. This is a genius feature that is meant to set a time limit for criminals if try to find a way to circumvent the fingerprint scanner.

This makes Touch ID just about the most secure method out there. Additionally it would seem to make it near impossible for police to compel you to unlock your phone. All you have to do is power it off, or have your lawyer buy you 48 hours, and then you can see the passcode which is legally much harder to be forced to hand over. Neither should be too hard.

The more I read about this Touch ID system the more I love it.

[1]: http://www.quora.com/Apple-Secure-Enclave/What-is-Apple%E2%80%99s-new-Secure-Enclave-and-why-is-it-important

[Joseph Menn for Reuters][1]:

> Despite emphatic predictions of waning business prospects, some of the big Internet companies that the former National Security Agency contractor showed to be closely involved in gathering data on people overseas – such as Google Inc. and Facebook Inc. – say privately that they have felt little if any impact on their businesses.
> Insiders at companies that offer remote computing services known as cloud computing, including Amazon and Microsoft Corp, also say they are seeing no fallout.

The argument is that because there has been no measurable business impact that people were wrong to predict bad things for US companies. Menn has effectively jumped the gun here. There’s a few things to understand about “businesses”:

1. They are incredibly slow to move. Even when IT has been given the directive to “get us off these NSA services” it could take a year or more to do so. IT has to test and try out many services, look into migration, send reports to management, management has to decide on if the cost is worth it, think about it more, ask IT a question that takes a month for IT to get back to management on because the current email server just shit itself… You get the point. Things don’t happen fast in this world — they still use BlackBerries at some companies after all.
2. There are very few, if any, better solutions to existing tools. It’s hard to replace Google Apps, Amazon cloud computing, or whatever Microsoft sells people. It really is. Think about it like this: if you are an all Windows company, how long would it *actually* take to switch to Macs everywhere? That would be a massive undertaking, and there is already a (hopefully) viable solution to switch too. Now imagine instead of Windows to Mac, you are going Windows to Linux — that’s closer to what we are talking about. It is a massive undertaking for most companies.
3. For the great majority of companies that use U.S. companies the privacy impact of the NSA and GCHQ programs are not *yet* of great concern because so far the only bad thing to happen is some bad PR for the NSA. Until there is a real privacy breach, until Snowden or another leaker posts actual data the NSA is storing from a big company — until then there is likely no user demand for companies to change. It’s likely that most privacy conscious companies are looking into other solutions so that *when* push comes to shove they can move quickly.

So yes, there is a huge potential risk of lost business globally for these U.S. service providers, but it won’t happen immediately. This will be a slow change — not an overnight action. That is where the danger really is, because when change is slow, sometimes you don’t realize you needed to react at all.

[1]: http://www.reuters.com/article/2013/09/15/us-usa-security-snowden-tech-analysis-idUSBRE98E08S20130915

I really hate shopping for undergarments of any sort — be it socks, boxers, or undershirts — it’s all a gamble that rarely pays off. It seems to me that the market is pretty well set by one factor: price. You either pay $19 an item, or you pay $19 for a *pack* of that item.

The thing is, it’s really fucking hard to find out if any of these items are good before you buy them. I don’t mind splurging and buying a set of undershirts at $19 a pop if I know two things:

1. They are going to be great.
2. They are going to last at least two years.

I’d buy ten and call it a day. The problem is, unlike gadgets, no one really talks about this stuff — well no one that I know. I’ve bought some undershirts that I have seen recommended on sites here and there, typically they are over priced and shitty — a clear indication to me that they were compensated for talking about the products.

For the past three and a half years I have been wearing v-neck, white, undershirts. Prior to that I went with crew neck — I was uneducated, clearly. I have yet to find a really great v-neck undershirt, but that doesn’t mean I can’t share with you what I *have* found thus far. Please keep in mind that this isn’t me wearing these shirts once, and reviewing them. No I have worn each brand of these shirts (and still wear most of them) for over 6 months each. During the tests these shirts have been washed and dried countless times — I am speaking about them then on the level of what they will be like after the “new” wears off.

## Ribbed Tee

We start our adventure with the oh-so-popular [ribbed-tee brand of v-neck undershirts][1]. These are the shirts that look like what is commonly called, in the U.S. at least, a “wife-beater”. They hug your body, and are ribbed (amazing right?).

I hate these shirts, so let’s list out why:

– They are pricey, at $20. UPDATE: Sorry it was $20 for a two pack, or $10 each.
– They fall apart. I bought three and within 3 months two had hems that came apart. That’s a 66.667% failure rate. ((Science!))
– They are too short. I am 6′-3″ and most of that is in my torso. I need Large-Talls in almost everything — but most undershirts still work because they are typically made to be long. These shirts are so short I can’t even tuck them in. I don’t have much of a gut, but there is no way in hell I would be caught wearing just this shirt.
– The sleeve holes are too tight. You know, they give your armpits wedgies.

That’s the bad, and it’s pretty bad. The good though:

– I like the ribbed nature because they cling to your body well and let your dress shirt flow a little better.
– They hold their shape incredibly well (when they don’t come unstitched).
– They stay nice and bright white.

Overall: don’t buy these.

## UnderArmor

When I found out [UnderArmor made undershirts I was stoked][2]. I thought they would be great, but `meh` is what I found. Here’s what I don’t like about these:

– They are really pricey — $25 each.
– They always seem to get that static cling crap going on.
– They gray up. By that I mean they are no longer white, see this picture for a comparison. Yuck.
– Because of the type of fabric, and this is a big issue, they tend to allow your shirt to come untucked a lot easier. I can’t stand how my shirt seems to glide in and out of my pants when I wear these undershirts. They must be made for that super hip guy that wears v-neck undershirts but never tucks anything in (that’s a thing, right?).

What I like about these shirts:

– They hold their shape really well.
– They feel like angels wrapped on my body.
– I assume they are some kind of armor that protects me from things.

Overall: save your money.

##### Now Things Get Stupid

The above two brands are really easy to talk about, they have very clear versions that I can point you to. But the next shirts I am about to talk about, are, um, probably ones that are going to be harder to find the exact version of for one, and easily mistaken for other ones. I point this out, as yet another example of how much these undershirt makers hate their customers. I’M LOOKING AT YOU JORDAN.

## Jockey, Blue Labeled…

[These are easily the best shirts][3] of the lot.

What I like:

– They held their shape well.
– They stayed very white over the course of a 6 month test.
– The v is not too deep, or too shallow.

What I didn’t like:

– Too short.
– Minimal wrinkling of the cuffs, particularly around the waist band section.

Overall: good buy if you are not freakishly tall.

## Hanes with Red Labels…

[These may be the worst of the lot][4]. I bought these in a store, so who knows what specific model they are/were, the link here is my best guess. There’s nothing I liked, instead here are the issues I found:

– Too short.
– Too boxy.
– An amorphous blob holds its shape better.
– Discolored after only a few months.
– Lots more.

These shirts suck a lot.

Overall: I’d rather use Windows… 3.1.1

##### Tall

OK, so my main complaint with most of these shirts is that they are far too short for me. It never once occurred to me that Tall sizes were made in undershirts, but (no shit) they are. Man I feel dumb. I have ordered a [couple][5] of [tall][6] versions and will report back after I have had a few months to test them.

### Final Thoughts

If you can buy standard clothes off the rack, your best bet (that I have tried) is the Jockey’s that I mentioned above. For reference, here is an awe inspiring shot of the shirts so you can see color change in a side by side comparison.

[1]: http://ribbedtee.com/store/product/classic-fit-white-v-neck-undershirt/
[2]: http://www.underarmour.com/shop/us/en/mens-the-original-ua-fitted-vneck-undershirt/pid1230361-100
[3]: http://www.amazon.com/exec/obidos/ASIN/B002ZMOZAC/ref=nosim&tag=brooksreview-20
[4]: http://www.amazon.com/exec/obidos/ASIN/B00ACIFB90/ref=nosim&tag=brooksreview-20
[5]: http://www.amazon.com/exec/obidos/ASIN/B007IRM1NM/ref=nosim&tag=brooksreview-20
[6]: http://www.amazon.com/exec/obidos/ASIN/B00CEH0MSM/ref=nosim&tag=brooksreview-20

[Andrea Peterson reporting on remarks by former NSA and CIA director, Michael Hayden][1]:

> “We built it here, and it was quintessentially American,” he said, adding that partially due to that, much of traffic goes through American servers where the government “takes a picture of it for intelligence purposes.”

*Sigh.*

[1]: http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/15/former-nsa-and-cia-director-says-terrorists-love-using-gmail/

[Dave Pell reacting to the new iPhone TouchID system (fingerprint scanner)][1]:

> In order to give us the promise of more security, companies will want to know even more about us. It feels like we’ve passed a point of no return. So much about us is stored in the cloud (our finances, our communication, our social lives) that we can’t turn back. The only way to protect what you’ve shared so far is to share some more. Protect your data with a password. Protect the password with some secret, personal questions. Protect all of that with your fingerprint or your heartbeat. Before long, you’ll have to give a DNA swab to access a collection photos you took yourself. It’s a trend worth watching. The last decade was about sharing. The next decade will be about protecting.

Pell’s thoughts are cogent, and while we know little about the day-to-day operation of Apple’s new Touch ID — there has thankfully been a mostly healthy debate around the workings of the device.

[Rich Mogull over at TidBITS has a very evenly written and well explained take][2] on Touch ID and how it works — I suggest you read it before we go any further.

[Cory Doctorow over at Boing Boing has this to say][3] (in response absurd reports that fingers are now going to get cut off):

> This is the paradox of biometric authentication. The biometric characteristics of your retinas, fingerprints, hand geometry, gait, and DNA are actually pretty easy to come by without your knowledge or consent.

He’s right, not only do we drip this information everywhere we go, we can’t ever change it. But I believe it is a wrong-headed assumption to assume that this is any more problematic than any passcode.

While you could lift my finger print from a pane of glass, who’s to say how time consuming it might be (and expensive) to create a copy of my finger which would allow you into my phone. Add to that: you also need possession of my phone. Then, if you get both of those, you would need your finger replica to work the first time so that I don’t remote wipe the device before you get a chance to read my data.

It would actually be *easier* to just cut off my finger (not that I advocate that). What would also be easier would be to take the zoom lens on a camera, follow me for 30 minutes and snag my four digit passcode — but that’s not inflammatory enough to drive blog post traffic, so…

[Over on Motherboard][4], Patrick McGuire makes the case that we have no reason to trust Apple that there is no NSA backdoor into the encrypted A7 chipset to get our fingerprint. I agree, there is no reason to trust Apple on this, but *yet again* I have to argue that this seems like more work (and risk of exposure) than the reward is.

To assume that the NSA is secretly working with Apple, or hacking iPhones, to get fingerprint data is also to assume that this would be the easiest way to get that information. Logically, thanks to Doctorow, we know that simply is not the case. Do you have a passport? Have you been arrested? Worked with children? Gotten a security clearance? Real Estate broker in Washington State? Then the NSA *has* your fingerprint already.

It’s stupid to assume the NSA would spend that much time to try and get fingerprint data when a good spy could covertly get it (spies they already have trained and paid for), or even just calling the local cops and asking them to pick up the suspect for a random reason.

Just use some logic here people.

*** 
Now, for something [actually troubling from Marcia Hofmann][5]:

> But if we move toward authentication systems based solely on physical tokens or biometrics — things we have or things we are, rather than things we remember — the government could demand that we produce them without implicating anything we know. Which would make it less likely that a valid privilege against self-incrimination would apply.

Essentially, the government has a harder time to compel you to give up a password, or combination, but it looks as though forcing you to use your finger to unlock something would not violate your rights.

This compels me to once again urge *all* apps to provide an option for passcode locks on the app. If your app contains content created by the user of the device, give us the option to add another layer of protection on that data. Then if compelled to unlock our phones, we can’t necessarily be compelled to turn over the passcodes for each app. All the government gets then is out contacts and call log — both of which they likely already got from the NSA.

[1]: http://nextdraft.com/current/
[2]: http://tidbits.com/article/14089
[3]: http://boingboing.net/2013/09/12/why-fingerprints-make-lousy-au.html
[4]: http://motherboard.vice.com/blog/the-iphones-fingerprint-scanner-is-an-exercise-in-trust
[5]: http://www.wired.com/opinion/2013/09/the-unexpected-result-of-fingerprint-authentication-that-you-cant-take-the-fifth/

It’s just that they don’t open them in the way that you think they do. WNC InfoSec has a post from *vintsurf* [about something he caught Dropbox doing with Word documents][1]:

> All .doc embedded HoneyDocs appear to have been accessed…from different Amazon EC-2 instance IPs.

Essentially what he found was that every time a *new* Word document is uploaded, it is opened on an Amazon server in libreoffice — it appears to only be opened once. Ok, so before we get too riled up we need to look at reasonable explanations for this behavior.

The most reasonable explanation is that this is done to render a preview of the file for the web interface. And that makes a lot of sense. [Hacker News][2] seems to agree with this notion as well.

Two weeks ago I would have given Dropbox the benefit of the doubt that, yes, this is likely *just* to render previews and that I was OK with that.

But this isn’t two weeks ago.

I have no reason to trust Dropbox — to trust that the NSA hasn’t subverted their systems some how. That’s unfortunate for Dropbox, and for me.

Dropbox has always held the encryption keys for user files, and has repeatedly said there is a vigorous security system in place to keep prying eyes from our files. Since making those statements here are a few things we know to be fact:

1. The NSA probably has a more vigorous security system in place, and Snowden stole so many documents that the NSA isn’t even sure what he has.
2. Dropbox clearly allows Amazon instances access to user files. At the very least to render previews.
3. The NSA is known to weaken cryptography and get backdoors installed for them, and there is simply no way to verify that this hasn’t happened at Dropbox *or* Amazon.
4. We know that Dropbox was/is a target for NSA’s PRISM program — there’s little reason to doubt that the NSA places a high value on getting access to user files stored in the cloud.

So, in light of all of this, as of 10:54am PT I cancelled my Dropbox account. I didn’t just stop using it this time, I deleted it.

For now the biggest bottle neck will be 1Password syncing, but more on that in a later post. *([You can see some of my alternative Dropbox solutions here][3].)*

I highly suggest you either get rid of your Dropbox account or encrypt every file on it that you wouldn’t want getting leaked into the public domain.

This sucks — for everyone.

[1]: http://www.wncinfosec.com/dropbox-opening-my-docs/
[2]: https://news.ycombinator.com/item?id=6374945
[3]: https://brooksreview.net/2013/09/goodbye-dropbox/

The title of the latest Guardian report by [Glenn Greenwald, Laura Poitras and Ewen MacAskill and sourced by Edward Snowden][1], would rightfully seem to say everything in the headline. That’s what I thought when I saw it, but that headline severely downplays how damning this latest article truly is.

Let’s get to some block quoting, as the title says, this is centering around a non-legally binding sharing agreement entered into between the U.S. and Israel. Here’s what is (essentially) shared:

> According to the agreement, the intelligence being shared would not be filtered in advance by NSA analysts to remove US communications. “NSA routinely sends ISNU the Israeli Sigint National Unit minimized and unminimized raw collection”, it says.

What’s important about that is the wording “minimized”. That’s what the NSA refers to as stripping information about non-targets and U.S. citizens. So effectively the U.S. is handing over raw data, without going through it first, to another country.

Ok, Ben, but that’s what the headline says and I am bored with this NSA crap. I’m bored with it too, but, it’s still important (like reading loan documentation).

It’s important because when you go through it you find out about stuff like the fact that the NSA may also be spying on the U.S. Government and elected officials, ((Cited in same article.)) but just asks that if Israel gets any info relating to U.S. Government officials that they, *you know*, delete it and pretend they never saw it.

##### Welcome to the Circle of Trust

Which is noble, but then you read (in the same article), this:

> In another top-secret document seen by the Guardian, dated 2008, a senior NSA official points out that Israel aggressively spies on the US. “On the one hand, the Israelis are extraordinarily good Sigint partners for us, but on the other, they target us to learn our positions on Middle East problems,” the official says. “A NIE [National Intelligence Estimate]() ranked them as the third most aggressive intelligence service against the US.”

So Israel is one of the top countries that spies on the U.S., and early in the article we learned that Israel is a top-three country for the U.S. to spy on, but hey — why not just share the raw data the NSA is snatched up with them?

I’m not done…

> In its statement, the NSA said: “We are not going to comment on any specific information sharing arrangements, or the authority under which any such information is collected. The fact that intelligence services work together under specific and regulated conditions mutually strengthens the security of both nations.

I think they forgot to add: by willfully infringing on the constitutional rights of U.S. citizens, while also turning over intelligence on innocent people to a foreign government. But hey, *terrorism*.

[1]: http://www.theguardian.com/world/2013/sep/11/nsa-americans-personal-data-israel-documents