The results of quite a large study (120,000 participants) appear to show that ‘digital’ screen time, on average, correlates with increased well-being in teenagers up to a certain point, after which the correlation is, on average, mildly negative (but not remotely as bad as, say, skipping breakfast). There is a mostly implicit assumption, or at least speculation, that the effects are in some way caused by use of digital screens, though I don’t see strong signs of any significant attempts to show that in this study.

While this accords with common sense – if not with the beliefs of a surprising number of otherwise quite smart people – I am always highly sceptical of studies that average out behaviour, especially for something as remarkably vague as engaging with technologies that are related only insofar as they involve a screen. This is especially the case given that screens themselves are incredibly diverse – there’s a world of difference between the screens of an e-ink e-reader, a laptop, and a plasma TV, for instance, quite apart from the infinite range of possible different ways of using them, devices to which they can be attached, and activities that they can support. It’s a bit like doing a study to identify whether wheels or transistors affect well-being. It ain’t what you do, it’s the way that you do it. The researchers seem aware of this. As they rightly say:

“In future work, researchers should look more closely at how specific affordances intrinsic to digital technologies relate to benefits at various levels of engagement, while systematically analyzing what is being displaced or amplified,” Przybylski and Weinstein conclude. 

Note, though, the implied belief that there are effects to analyze. This remains to be shown. 

Address of the bookmark: https://www.eurekalert.org/pub_releases/2017-01/afps-tut011217.php

As Cory Doctorow notes, why this headline should single out Japanese girls as being particularly at risk – and that this is the appeal of it – is much more disturbing than the fact that someone figured out how to lift fingerprints that can be used to access biometric authentication systems from photos taken using an ‘ordinary camera’ at a considerable distance (3 metres). He explains the popularity of the news story thus:

“I give credit to the news-hook: this is being reported as a risk that young women put themselves to when they flash the peace sign in photos. Everything young women do — taking selfies, uptalking, vocal fry, using social media — even reading novels! — is presented as a) unique to young women (even when there’s plenty of evidence that the trait or activity is spread among people of all genders and ages) and b) an existential risk to the human species (as in, “Why do these stupid girls insist upon showing the whole world their naked fingertips? Slatterns!”)“

The technical feat intrigued me, so I found a few high-res scans of pictures of Churchill making the V sign, taken on very good medium or large format film cameras (from that era, 5″x4″ press cameras were most common, though some might have been taken on smaller formats and/or cropped) with excellent lenses, by professional photographers, under various lighting conditions, from roughly that distance. While, on the very best, with cross-lighting, a few finger wrinkles and creases were partly visible, there was no sign of a single whorl, and nothing like enough detail for even a very smart algorithm to figure out the rest. So, with a tiny fraction of the resolution, I don’t think you could just lift an image from the web, a phone, or even from a good compact camera to steal someone’s fingerprints unless the range were much closer and you were incredibly lucky with the lighting conditions and focus. That said, a close-up selfie using an iPhone 7+, with focus on the fingers, might well work, especially if you used burst mode to get slightly different images (I’m guessing you could mess with bas relief effects to bring out the details). You could also do it if you set out to do it. With something like a good 400mm-equivalent lens,  in bright light, with low ISO, cross-lit, large sensor camera (APS-C or higher), high resolution, good focus and small aperture, there would probably be enough detail. 

Address of the bookmark: https://boingboing.net/2017/01/12/moral-panic-japanese-girls-ri.html

Interesting. For $10USD/month, you get unlimited access to the latest versions of what is promised to be around 300 commercial Mac apps. Looking at the selection so far (about 50 apps), these appear to be of the sort that usually appear in popular app bundles (e.g. StackSocial etc), in which you can buy apps outright for a tiny fraction of the list price (quite often at a 99% reduction). I have a few of these already, for which I paid an average of 1 or 2 dollars apiece, albeit that they came with a bunch of useless junk that I did not need or already owned, so perhaps it’s more realistic to say they average more like $10 apiece. Either way, they can already be purchased for very little money, if you have the patience to wait for the right bundle to arrive. So why bother with this?

The main advantage of SetApp’s model is that, unlike those in bundles, which often nag you to upgrade to the next version at a far higher price than you paid almost as soon as you get them, you always get the latest version. It is also nice to have on-demand access to a whole library at any time: if you can wait for a few months they will probably turn up in a cheap pay-what-you-want app bundle anyway, but they are only rarely available when you actually need them.  I guess there is a small advantage in the curation service, but there are plenty of much better and less inherently biased ways to discover tools that are worth having. 

The very notable disadvantage is that you never actually own the apps – once you stop subscribing or the company changes conditions/goes bust, you lose access to them. For ephemerally useful things like disk utilities, conversion tools, etc this is no great hassle but, for things that save files in proprietary formats or supply a cloud service (many of them) this would be a massive pain. As there is (presumably) some mechanism for updating and checking licences, this might also be an even more massive pain if you happen to be on a plane or out of network range when either the app checks in or the licence is renewed. I don’t know which method SetApp uses to ensure that you have a subscription but, one way or another, lack of network access at some point in the proceedings could really screw things up. When (with high probability) SetApp goes bust, you will be left high and dry. Also, I’m guessing that it is unlikely that I would want more than a dozen or thereabouts of these in any given year, so each would cost me about $10 every year at the best of times. Though that might be acceptable for a major bit of software on which one’s livelihood depends, for the kind of software that is currently on show, that’s quite a lot of money, notwithstanding the convenience of being able to pick up a specialist tool when you need it at no extra cost. 

This is a fairly extreme assault on software ownership but closed-source software of all varieties suffers from the same basic problem: you don’t own the software that you buy.  Unlike use-once objects like movies or books, software tends to be of continuing value. The obvious solution is to avoid closed-source altogether and go for open source right the way down the stack: that’s always my preference. Unfortunately, there are still commercial apps that I find useful enough to pay for and, unfortunately, software decays. Even if you buy something outright that does the job perfectly, at some point the surrounding ecosystems (the operating system, network, net services, etc) will most likely render it useless or positively dangerous at some point. There are also some doubly annoying cases where companies stop supporting versions, lose databases, or get taken over by other companies, so software that you once owned and paid for is suddenly no longer yours (Cyberduck, I’m looking at you). Worst of all are those that depend on a cloud service over which you have no control at all and that will almost definitely go bust, or get taken over, or be subject to cyberattack, or government privacy breaches, or be unavailable when you need it, or that will change terms and conditions at some point to your extreme disadantage. Though there may be a small niche for such things and the immediate costs are often low enough to be tempting, as a mainstream approach to software provision, it is totally unsustainable.

Address of the bookmark: https://setapp.com/

Hell.

Pebble made my favourite smart watches. They were somewhat open, and the company understood the nature of the technology better than any of the mainstream alternatives. Well, at least they used to get it, until they started moving towards turning them into glorified fitness trackers, which is probably why the company is now being purchased by Fitbit.

So, no more Pebble and, worse, no more support for those that own (or, technically, paid for the right to use) a Pebble. If it were an old fashioned watch I’d grumble a bit about reneging on warranties but it would not prevent me from being able to use it. Thanks to the cloud service model, the watch will eventually stop working at all:

“Active Pebble watches will work normally for now. Functionality or service quality may be reduced down the road. We don’t expect to release regular software updates or new Pebble features. “

Great. The most expensive watch I have ever owned has a shelf life of months, after which it will likely not even tell the time any more (this has already occurred on several occasions when it has crashed while I have not been on a viable network). On the bright side (though note the lack of promises):

“We’re also working to reduce Pebble’s reliance on cloud services, letting all Pebble models stay active long into the future.”

Given that nearly all the core Pebble software is already open source, I hope that this means they will open source the whole thing. This could make it better than it has ever been. Interesting – the value of the watch would be far greater without the cloud service on which it currently relies. 

Address of the bookmark: https://www.kickstarter.com/projects/597507018/pebble-2-time-2-and-core-an-entirely-new-3g-ultra/posts/1752929

The Signal protocol is designed for secure, private, encrypted messaging and real-time calling. The protocol, designed by Open Whisper Systems, is used in an increasingly large range of tools (including by Facebook and Google), but their own app is the most interesting application of it. 

The (open, GPL) Signal app is a secure, private messaging and voice chat app for iOS and Android, offering guaranteed and strong end-to-end encryption without having to sign up for a service with dubious privacy standards or further agendas (e.g. Facebook, Apple, Google, Whatsapp, Viber etc). No ads, no account details kept by the company, no means for them (or anyone) to store or intercept messages or calls, the organization is funded by donations and grants. The app uses your phonebook to discover other contacts using Signal – I don’t have many yet, but hopefully a few of my contacts will see this and install it. Call quality seems excellent – as good as Skype used to be before Microsoft maimed it – though I haven’t used it enough yet to assess its reliability. One disadvantage is that, if you have more than one phone and phone number, there seems to be no obvious way to link them together. That’s a particular nuisance on a dual-SIM phone.

It needs a real, verified phone number to get started but, once you have done that, you can link it to other devices too, including PCs (via Chrome or a Chrome-based browser like the excellent Vivaldi), using a simple QR code (no accounts!) so this is a potentially great replacement for things like Whatsapp, Skype, Allo, Viber, etc. No video calling yet, though you can send video messages (and most other things).

Address of the bookmark: https://whispersystems.org/#page-top

Some time ago, while comparing the virtues of paper and electronic books, I predicted that the current generation would one day wax lyrical about the smell of a new iPhone much as those from my generation get gooey over the scent of old books.

That day has arrived.

Address of the bookmark: http://www.alphr.com/apple/1004449/get-that-new-mac-smell-all-the-time-with-a-24-scented-candle

Cory Doctorow is on excellent form discussing the evils of DRM and the meaning of ownership. The title is lifted from William Blackstone, referring to what it means to own something –  “that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.” Doctorow’s central argument here is that, at least in the US (where DMCA 1201 denies people the right to break DRM locks), the presence of copyrighted DRM’d code in almost every object manufactured, from books to rectal thermometers, means that they cannot ever be owned by anyone other than their manufacturer, protected by law and unaccountable to anyone. 

“DMCA 1201 gave publishers and movie studios and game companies the power to make up their own private laws and outsource their enforcement to the public courts and police.”

Among the results of this are that security researchers cannot reveal flaws that may be dangerous or even deadly (think cars, insulin pumps, etc, not to mention the Internet of Hackable Things) while criminals can exploit them freely. It means that companies like Volkswagen can conceal cheating on emissions tests, that makers of thermostats can prevent you from controlling heat in your own home, that books you bought can be taken away from you on a whim or an error, that printer manufacturers can introduce code to break your printer if you don’t use their cartridges the way they want you to use them, that security agencies can demand that manufacturers let them use your webcam to spy on you, that abandoned games on a long extinct platform cannot be ported to modern hardware, that your watch will stop working if its manufacturer goes bust, and so on. It means that, mostly without our consent or knowledge, we no longer own what we own. As Doctorow puts it:

“There’s a word for this: feudalism. In feudalism, property is the exclusive realm of a privileged few, and the rest of us are tenants on that property. In the 21st century, DMCA-enabled version of feudalism, the gentry aren’t hereditary toffs, they’re transhuman, immortal artificial life-forms that use humans as their gut-flora: limited liability corporations.”

Address of the bookmark: http://www.locusmag.com/Perspectives/2016/11/cory-doctorow-sole-and-despotic-dominion/

Very interesting – a real-time, largely browser-based video, audio, chat, screen-sharing, etc system requiring no sign-up, no fees, no persistent data. Just pick a URL for a web meeting (webinar), and share it with 15 or more other people. It’s not exactly Adobe Connect, but it has all the main features needed for quick, easy web conferencing with no need for proprietary plugins.

There are no ads, it runs on most browsers that support WebRTC (best on Chrome, Firefox, or one of their many derivatives) and there are mobile apps for it. It’s not just a connection service for WebRTC – there are TURN and STUN servers involved too, so this costs a fair bit for the company to develop and run. It took me a while to figure out how they ever intend to make any money but I think it seems to involve a model much like that of BigBlueButton, with paid-for services like recording, app integration, broadcast etc available through TalkyCore. 

Like all WebRTC implementations, much depends on the browser and router, so this might not work for everyone all the time, but I think it looks very promising, especially now that Firefox has removed Hello from its browser.

Address of the bookmark: https://talky.io/

tl;dr – forcing people to regularly change their passwords is counter-productive and actually leads to less security (not to mention more errors, more support calls, more rage against the machine). Of course, in the event of a security breach, it is essential to do so. But to enforce regular changes not only doesn’t help, it actually hinders security. The more frequently changes are required, the worse it gets.

This article draws, a bit indirectly, from a large-scale study of forced password changing, available at https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf though it is far from the only one, including this at http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf which provides a mathematical proof that frequent password changing is not worth the hassles and complications it causes. NIST in the US and CESG in the UK have advised against it in recent years because it is ineffective and counterproductive.

Athabasca University has recently implemented a new ‘frequent change’ policy that is patchily enforced across different systems. We need to rethink this. It is 1970s thinking based on a technician’s hunch, and the empirical evidence shows clearly that it is wrong.

In a perfect world we would find ways to do away with this outmoded and flaky approach to authentication, but the mainstream alternatives and even some more exotic methods are not that great. Most rely on something you have – typically a cellphone or fob device – as well as something you know, the same general principle as chip-and-pin (still one of the most effective authentication methods). I don’t mind having to do that for things that demand high security, and I use two-factor authentication where I can for accounts that I care about, but it’s a big pain. If we’re going to use passwords, though, they need to be good ones, and we should not be forced to change them unless they might have been compromised.

Address of the bookmark: http://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/