tommorris.org

Discussing software, the web, politics, sexuality and the unending supply of human stupidity.







This press release from the Royal College of Art is an amazing and spectacular collection of bad writing.

This is an unprecedented opportunity to extend and deepen our subject landscape allowing a more leading-edge approach grounded in experience and expertise, with new initiatives underpinned by our reputation for innovation and skill. Our challenge is to combine scale with opportunity and agility, looking to lead change from the front. Our motivation is to help build a better world; our new structure is designed to support that ambition.

A perfect illustration of Orwell’s indictment: “phrases tacked together like the sections of a prefabricated hen-house”.

Do read the whole thing. There’s so much audaciously obscurantist art-speak that one could almost interpret it as a piece of performance art in its own right.


Lessons from trying to help with Android/iOS transfer

This weekend, I have been helping an Android user I know switch over to iOS.

What a fucking mess. The tech industry really ought to feel collective shame for the horror movie that is trying to switch from one platform to another.

Let’s start with the official route for moving from Android to iOS: Apple’s Move to iOS app.

  1. You can only run the app at the point of initial setup. If you managed to miss the option, enjoy wiping your iPhone and restarting.
  2. The fucking thing crashes repeatedly and there’s no way to resume the transfer. It starts from scratch. This is an infuriating process.
  3. If you try to Google anything related to this app, you get anything-but-helpful answers from the fandroid community. Instead of a detailed description of the technical issues with the app and how to get around them, you get helpful nuggets like:

Why would I move to iOS? Most Android phones today outperform iPhones. Quad core vs dual core, 4k vs 720p, freedom vs being told how your phone should look. Choice is yours.

FREEDOM! CHOICE! OPENNESS! (Except the freedom, choice and openness to move data between platforms easily etc.)

And things like this:

Moving to iOS was backwards logic. It’s like putting a straitjacket on your phone. Why jailbreak when you can use an open source OS like Android?

How about because the user might fucking prefer it? How about because you don’t want your phone pwned by the hilarious cascade of systemic security failure that is the Android ecosystem?

And one more:

Like I’d ever consider switching to using an iPhone… and as for that slow and buggy Watch of theirs, words can’t describe what a useless pile of overpriced crap it is.

Quite what the Apple Watch has to do with an app to help you move data between Android and iOS, I’m not sure. All discussions of going between mobile OSes end up in pitiful religious argumentation, and if you are just trying to get shit done, it does nothing but incite a lot of eye-rolling.

Fanboy awfulness aside, we re-ran the Move to iOS app once more but deselected the transfer of photos. I kind of figured that if we could get it to transfer things like old text messages and contacts and so on, then we could maybe move the 14 GB of pictures onto the iPhone by hand. They’ll all be stored as JPEGs on either the SD card or the internal storage on the phone.

After waiting some more, Move to iOS chunters everything it can except the pictures over. It kinda worked in a slow, clunky, crashy kind of way. Hardly as “seamless and simple as possible”, to quote Lifehacker.

Next job, let’s get the photos out. I had an Android phone many years ago. This should be easy. Plug it in, it mounts up as a USB mass storage device, drag and drop. That’s, y’know, what everyone tells me that Android did that iOS didn’t—no futzing around with iTunes, it’s just a USB mass storage device.

You’d think that. In the meantime, Android (Samsung’s devices included) has dropped USB mass storage and replaced it with the Media Transfer Protocol (MTP). Despite coming from the same place as Windows Media DRM nonsense, MTP sounds like a nice idea: instead of handing the host raw block-level access to the storage, as USB mass storage does (which is why the phone had to unmount its own storage while the computer was using it), it exposes a small set of file-level operations (list objects, fetch an object, send an object). That is perfectly adequate for shunting the odd MP3 and JPEG around.

In practice though, actually using MTP from my Mac is soul-gnawingly awful. Obviously, there’s no filesystem mounted. For a while, I thought there must be some issue with the cable or that the Android phone had some formatting issue. Silent failures aren’t fun. Eventually, I find out how to switch the device into MTP mode and it then tells me that I ought to download the Android File Transfer app for Mac (you probably shouldn’t be surprised to learn that it isn’t open source). The UI is horrible. Cmd+A doesn’t work. It just randomly disconnects from the phone. And, worse, because an MTP session handles one request at a time, with no parallelism, transferring substantial quantities of data is godawfully slow. Especially if it is having to walk a directory tree and retrieve file lists, since every directory listing is another round trip. I’ve now dragged almost all of the pictures off the phone and stored them on a computer, but systematically getting things other than the pictures off the filesystem has been unsuccessful.

There are some alternatives, but all require effort. There’s libmtp, which I’m sure is excellent. There’s a rather nice looking Go program called go-mtpfs which will mount MTP devices as FUSE filesystems. That looks like it might be an improvement on the horrible OS X frontend at least.
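Once the phone is visible as a directory tree (for example through a go-mtpfs FUSE mount), the “move the pictures by hand” step still has to survive a link that drops mid-file. The script below is an added example of mine, not code from the post or from go-mtpfs: it copies every JPEG under a source tree into a destination tree, skips files that are already present with a matching SHA-256 so an interrupted run can simply be restarted, writes to a `.part` name until the copy verifies, and finishes with an audit of what is still missing or different. The mount path is something you supply; the `demo()` function builds a constructed fake camera roll in a temp directory, including the truncated leftover of an earlier run, so it runs offline.

```python
import hashlib
import os
import shutil
import tempfile

PHOTO_EXTS = {".jpg", ".jpeg"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte camera roll is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def photos_under(root):
    """Yield (absolute path, path relative to root) for every JPEG below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHOTO_EXTS:
                full = os.path.join(dirpath, name)
                yield full, os.path.relpath(full, root)


def copy_photos(src_root, dst_root):
    """Copy every JPEG under src_root into dst_root, keeping the directory tree.

    Resumable: a destination file with the same size and SHA-256 as the source is
    skipped, so a run that died when the phone dropped off the bus can be started
    again. Each file is written to a .part name and renamed into place only once
    its hash matches the source, so a truncated copy never passes for a finished
    one. Returns (copied, skipped, failed) lists of relative paths.
    """
    copied, skipped, failed = [], [], []
    for src, rel in photos_under(src_root):
        dst = os.path.join(dst_root, rel)
        try:
            if (os.path.exists(dst)
                    and os.path.getsize(dst) == os.path.getsize(src)
                    and sha256_of(dst) == sha256_of(src)):
                skipped.append(rel)
                continue
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            part = dst + ".part"
            shutil.copyfile(src, part)
            if sha256_of(part) != sha256_of(src):
                raise OSError("content changed or truncated during copy")
            os.replace(part, dst)
            copied.append(rel)
        except OSError as exc:  # a FUSE/MTP mount typically surfaces a disconnect as an I/O error
            failed.append((rel, str(exc)))
    return copied, skipped, failed


def verify(src_root, dst_root):
    """Final audit: relative paths of source JPEGs that are missing or differ at the destination."""
    bad = []
    for src, rel in photos_under(src_root):
        dst = os.path.join(dst_root, rel)
        if not os.path.exists(dst) or sha256_of(dst) != sha256_of(src):
            bad.append(rel)
    return bad


def demo():
    """Constructed scenario (fake files, made-up paths) in a temp dir: a small camera
    roll plus the debris of an earlier run that died mid-file. Returns the results
    of two passes and the final audit."""
    base = tempfile.mkdtemp()
    phone = os.path.join(base, "phone")
    camera = os.path.join(phone, "DCIM", "Camera")
    mac = os.path.join(base, "mac")
    os.makedirs(camera)
    for i in range(3):
        with open(os.path.join(camera, "IMG_%d.jpg" % i), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + bytes([i]) * 4096)  # JPEG-ish magic, fake body
    with open(os.path.join(camera, "notes.txt"), "w") as f:
        f.write("not a photo, should be ignored")
    os.makedirs(os.path.join(mac, "DCIM", "Camera"))
    with open(os.path.join(mac, "DCIM", "Camera", "IMG_1.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x01" * 100)  # truncated leftover from a dead run
    first = copy_photos(phone, mac)    # recopies the truncated file, copies the rest
    second = copy_photos(phone, mac)   # nothing left to do: everything verifies and is skipped
    missing = verify(phone, mac)
    shutil.rmtree(base)
    return first, second, missing


if __name__ == "__main__":
    print(demo())
```

Against a real mount you would call `copy_photos("/path/to/go-mtpfs-mount", "/path/to/backup")` and rerun it until `failed` is empty, then trust `verify()` rather than the file count in a Finder window.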

What’s next then? How about WhatsApp messages? WhatsApp stores messages differently depending on whether you are using Android or iOS and all the methods for transferring between them look pretty damn rickety. They mostly involve shareware Windows apps from websites that give me that disconcerting feeling of talking to a sleazy second hand car dealer. I don’t quite trust any of the purported solutions to this.

I started looking into it myself. The messages in WhatsApp for Android are stored in an AES-encrypted SQLite database, in the formats known as crypt7 and/or crypt8. I have managed to extract this file from Android and I just need to decrypt it. There are some tools for this online. Pushing that data to iOS looks pretty simple. On the Mac, iCloud data is stored in ~/Library/Mobile Documents, and within there is a folder for WhatsApp containing a backup of WhatsApp conversations (in SQLite format) as well as media sent via WhatsApp. If one can retrieve the data from Android, it shouldn’t be too hard to push it into iCloud for the iPhone app to use.

All of this is way too fucking hard for non-programmers. The stuff on people’s phones is documentation of their life—their holidays, their families, their relationships, their co-workers. It’s not a part of some stupid platform war bullshit or an ideological debate about free software or DRM or whatever. It’s their stuff and they should be able to transfer it onto any device they choose to use. While technologists have debated the ideal solutions for data portability, and churned out a thousand bullshit specs and documents that don’t do shit, ordinary people switching between iOS and Android (in either direction) have a hellish time doing ordinary stuff like WhatsApping with their friends and family. That’s a ludicrously poor show from our industry.

This is a shitshow. Be ashamed, fellow technologists. We have made a world that disempowers users and locks them in. And when they go online to find out why, all we have to show is a bunch of religious apologists telling them that this is okay because they are locked into a platform for their own freedom. Absolutely fucking terrible.


Today I learned: meta description tags are actually used by Slack for rendering link previews.

The tag may be invisible on the page itself (partially visible, really), but when that data seeps through into a preview, it can often be wrong.


The Guardian have an interesting piece about Marissa Mayer and Yahoo! I concur with the general point: the primary problem with Yahoo! isn’t Mayer, it is the company itself.




Open plan offices are basically terrible in every way

There’s a growing consensus in the scientific literature that open plan offices damage the mental and physical health of employees, destroy their morale and generally make their work lives less pleasant. Let us first look at some studies.

Evans and Johnson, 2000:

Forty female clerical workers were randomly assigned to a control condition or to 3-hr exposure to low-intensity noise designed to simulate typical open-office noise levels. The simulated open-office noise elevated workers’ urinary epinephrine levels, but not their norepinephrine or cortisol levels, and it produced behavioral aftereffects (fewer attempts at unsolvable puzzles) indicative of motivational deficits. Participants were also less likely to make ergonomic, postural adjustments in their computer work station while working under noisy, relative to quiet, conditions.

Epinephrine is another word for adrenaline, which plays a role in the body’s “fight or flight” response. So, open plan makes you feel like you are being preyed upon by someone trying to kill you, and it makes you less motivated to work on hard problems, and it makes you less likely to adjust your work station posture, meaning you are more likely to get a nasty physical problem like RSI. That sounds great. Just the sort of place you can relax and focus on solving hard problems, as knowledge workers are asked to do every day.

What about the noise in our offices? Professor Adrian Davis from University College London told The Guardian last year:

The noise in open-plan corporate offices and call centres, for instance, may not damage hearing but can cause raised blood pressure, sleep and mood disturbance and other long-term health problems.

Of course, to avoid the distraction caused by noise in the modern open plan office, people turn to playing music to drown out the noise, which itself can cause hearing issues.

I currently have some temporary hearing loss, not caused by loud music but by a minor physical condition that I am awaiting surgery for, so I’m very interested in work environments and hearing loss at the moment.

The British deafness/hearing loss charity Action on Hearing Loss estimates that 1 in 5 people currently suffer from some form of hearing loss. In a recent report, the charity estimates that £24.8 billion is lost from the British economy due to people unable to work as a result of deafness/hearing loss. Under British law, specifically the Equality Act 2010, employers must make reasonable adjustments for staff with disabilities including deafness/hearing loss.

Open plan offices present special issues for those with hearing difficulties, whether temporary (like mine) or permanent. A person who has damaged their hearing in one ear is often less able to parse spoken language in noisy rooms: impaired speech discrimination, the ability to pick out the speech one ought to be focussing on from the background noise (sometimes called the “cocktail party effect”).

Guess what—there’s a paper on this too: Suter, 1979:

Theoretically, open‐plan offices are designed so that their occupants may study without being distracted, as well as converse with each other and on the telephone. Design criteria using masking noise are based on assumptions that talkers, listeners, and listening conditions are “average.” These assumptions are reviewed, especially as they affect hearing impaired people. There is evidence that noise levels of 47–50 dBA can degrade communication of the hearing impaired without affecting those who hear normally. A study of speech discrimination in noise showed that even people with mild hearing losses had considerably more difficulty understanding speech than their normal‐hearing counterparts.

So even if the added noise that an open plan office is designed to have doesn’t affect those with normal hearing, it can make it much harder for those who have hearing difficulties to hear. The increased use of breakout areas, informal meetings in cafeterias and so on (often a consequence of there not being enough meeting rooms, or of booking a meeting room requiring an overly bureaucratic process or managerial approval) doesn’t help here either. The technology industry’s increased use of “agile” standup meetings and scrums means more noise and more problems for the hearing impaired.

And the damage done to hearing impaired people isn’t simply audiological; it can also mean more stress and fatigue. So sayeth Jahncke and Halin, 2012, in a study comparing two small groups of hearing impaired and normal hearing people working in open plan offices:

In each experimental session they worked for two hours with basic memory and attention tasks. We also measured physiological stress indicators (cortisol and catecholamines) and self-reports of mood and fatigue. The hearing impaired participants were more affected by high noise than the normal hearing participants, as shown by impaired performance for tasks that involve recall of semantic information. The hearing impaired participants were also more fatigued by high noise exposure than participants with normal hearing, and they tended to have higher stress hormone levels during the high noise compared to the low noise condition.

People with hearing impairments struggle more to understand what’s being said in an open plan office, and the general noise makes them worse at their job. Oh well. They are only a fifth of the British population.

If an accessibility issue were affecting a fifth of a company’s customer or user base, that would be a pretty reasonable thing to invest in, as web accessibility advocates frequently argue. It seems curious that such little attention is paid to improving the environment that people find themselves working in every day given the disproportionate effect that it has both on the well-being of people with a disability, and on the negative outcomes for their productivity.

Even if you don’t care about people with hearing loss (again, 20% of the population and growing), let me just give the most pragmatic, hard-nosed business reason why you should care.

Pejtersen et al., 2011:

Occupants sharing an office and occupants in open-plan offices (>6 occupants) had significantly more days of sickness absence than occupants in cellular offices.

They just don’t bloody work. They make people without hearing loss or disability spend more time off work sick.

Let’s recap then. Open plan offices make things worse for employees. Those employees take more time off work sick, are less able to focus at work, and escape from the agony of the chatterbox by playing loud music on headphones to drown out the noise. They are more stressed, more likely to develop a whole variety of physical health problems, and less motivated at work. And it has a disproportionate effect on people with hearing disabilities, which could potentially lead to legal liability under the Equality Act. None of this seems good for employers or workers.

If there were a chemical substance that caused the same health outcomes as an open plan office, it would be restricted as a potential public health hazard. Copycat management and cost-cutting has led to the creation of these toxic workplaces. The same people who will understand that knowledge workers need to be “in the zone” to get productive, creative work done put them in environments least conducive to that happening. We have articles giving tips on how to survive an open plan office, as if it were a bad case of the flu or a screaming child on an aeroplane. The truth is far worse: open plan is very likely to be the rest of your working life.

Is there an alternative? Well, we could have old-style offices. Some people would object, but peace and quiet and privacy sounds like it would be absolutely amazing. We could have a mass transition to remote working, which means people wouldn’t have to commute either and could live wherever they felt like. Almost anything would be better than open plan at this point. Whatever the future is, we can’t carry on with open plan for much longer. It is a profoundly broken model.

Jean-Paul Sartre is often quoted as saying “hell is other people”.1 Open plan offices have been an extremely successful attempt to prove such sentiment right.

  1. He kinda didn’t say that though, like with so many quotations.



The Reverse XY Problem

  1. Mediocre tech blog tells me Service X solves Problem Y.
  2. Service X has a website filled with jargon and bullshit (“enterprise-grade”, “Gartner’s magic quadrant”).
  3. I sign up for Service X and download their software for my computer.
  4. Service X does not actually solve Problem Y.
  5. “Delete account”.
  6. Repeat.

Sigh.




vim-gitgutter is perhaps my new favourite Vim plugin.

It isn’t quite as nice visually as the same effect that you get in IntelliJ’s range of IDEs, but it is good to have something similar.



Ignore the talking heads: TalkTalk's security issues run much deeper

I have to say I’m rather intrigued by the TalkTalk hack. First of all, they’ve found the 15-year-old who allegedly did it, arrested him and bailed him pending investigations. Hopefully, if said person did it, he’ll be quite interested in helping the police with their inquiries and with a bit of luck, the customers aren’t going to have their personal or financial details released. TalkTalk have waived cancellation fees for customers who want to leave, but only if a customer has sustained a financial loss.

Meanwhile, Brian Krebs reports that the TalkTalk hackers demanded £80k worth of Bitcoin from the ISP. We’ve now had the media tell us it is “cyberjihadis”, a fifteen year old boy, and people holding it ransom for Bitcoin.

What’s curious though is how the mainstream media have not really talked very much to security experts. Yesterday, I listened to the BBC Today programme—this clip in particular. It featured an interview with Labour MP Hazel Blears (who was formerly a minister in the Home Office) and Oliver Parry, a senior corporate governance adviser at the Institute of Directors.

Here’s Mr Parry’s response to the issue:

The threat is changing hour by hour, second by second—and that’s one of the real problems, but as I said, I don’t think there’s one way to deal with this. We just need to reassure consumers, shareholders and other wider stakeholder groups that they have something in place.

Just a few things. This attack was a simple SQL injection attack. That threat isn’t “changing hour by hour, second by second”. It’s basic, common sense security that every software developer should know to mitigate, that every supervisor should be sure to ask about during code reviews, and that every penetration tester worth their salt will check for (and sadly, usually find).

As Paul Moore has pointed out in this excellent blog post, there are countless security issues with TalkTalk’s website: a badly configured TLS deployment, no sign of PCI DSS compliance. The talking heads are going on about whether or not the data was “encrypted”. The transport was encrypted, yes, but the server would still negotiate obsolete export-grade cipher suites with 40- or 56-bit keys if a client asked for them, rather than the 128-bit ciphers that are considered secure.

There are new and changing threats, but SQL injection isn’t one of them. That’s a golden oldie. And whether the data is encrypted in transit is beside the point if the web application and/or the database is not secured against someone injecting a rogue query: the injected query runs on the server side, with whatever access to the data the application itself has, and the results come back over that nicely encrypted connection.
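To make the point about how basic this class of bug is, here is an added example (mine, not anything from TalkTalk’s systems or from the linked posts) in Python against an in-memory SQLite table of constructed customer records. It puts the vulnerable lookup beside the parameterised one and runs the three probes a penetration tester would send first: a lone quote to see whether input reaches the SQL parser, a tautology that turns the WHERE clause into “always true”, and a UNION that reads the database schema. Only the vulnerable version misbehaves on any of them, and note that nothing about transport encryption enters into it.

```python
import sqlite3


def make_db():
    """Constructed sample data (not TalkTalk's): a tiny customer table held in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"),
         ("bob@example.com", "5678"),
         ("carol@example.com", "9012")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The bug: untrusted input spliced straight into the SQL text."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a parameterised query. The driver binds email as a value, so whatever
    it contains is compared against the column and is never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Probes in rough order of noisiness. The trailing -- in the UNION payload comments
# out the closing quote the application appends, so the statement stays well-formed.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"


def breaks_on_quote(conn, lookup):
    """The classic first check: does a lone single quote produce a database error?
    A syntax error here means the input reached the SQL parser as SQL."""
    try:
        lookup(conn, "'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_safe)):
        print(name, "- quote breaks query:", breaks_on_quote(conn, fn))
        print(name, "- tautology returns", len(fn(conn, TAUTOLOGY)), "rows")
        print(name, "- union dump returns:", fn(conn, UNION_DUMP))
```

Run it and the vulnerable lookup errors on the quote, returns all three customers for the tautology and hands back the CREATE TABLE statement for the schema probe; the parameterised lookup returns an empty result for every payload, because each one is just an email address that nobody has.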

Mr Parry is right that there is not “one way to deal with this”. There are plenty. First of all, you need to hire people with some security expertise to build your systems. You need to hire independent experts to come and test your systems. That’s the in house stuff. Unfortunately, TalkTalk seem to have lost a whole lot of their senior technical staff in the last year, including their CIO. Perhaps they weren’t confident in the company’s direction on security and technology matters.

Then there’s the external facing stuff. Having a responsible disclosure process that works and which gives incentives for people to disclose. Have a reward system. If you can’t afford that, have a guarantee that you won’t seek prosecution or bring legal action against anyone who engages in responsible disclosure. Have an open and clear log where you disclose your security issues after fixing them. Actually fix the issues people report to you. Again, Paul Moore’s post linked above notes that he tried to contact TalkTalk and was ignored, disrespected and threatened. That’s not how you should treat security consultants helping you fix your issues.

All of this stuff should be simple enough for an ISP that has over four million paying customers. It isn’t rocket science. The fact that they aren’t doing it means they are either incompetent or don’t give a shit.

Brian Krebs nailed this corporate failure to care about security recently in a discussion on Reddit:

I often hear from security people at organizations that had breaches where I actually broke the story. And quite often I’ll hear from them after they lost their job or quit out of frustration, anger, disillusion, whatever. And invariably those folks will say, hey, we told these guys over and over…here are the gaps in our protection, here’s where we’re vulnerable….we need to address these or the bad guys will. And, lo and behold, those gaps turned out to be the weakest link in the armor for the breached organization. Too many companies pay good money for smart people to advise them on how to protect the organization, and then go on to ignore most of that advice.

Mr Parry said that the important thing was reassuring customers that their information was safe, not actually ensuring that customers data is safe. This is exactly the problem. I don’t want to be “reassured”, I want it to be safe. I don’t want to be reassured that my flight isn’t going to crash into the Alps—I actually want my flight to not crash into the Alps. Reassuring me requires salespeople and professional bullshitting, not crashing requires well trained pilots and staff, engineers doing proper checks, the designers of the plane making sure that they follow good engineering practices, constant testing. Engineering matters, not “reassurance”.

So long as business thinks “reassuring” customers matters more than actually fixing security problems, these kinds of things will keep happening. It would be really nice if the media actually spoke to security experts who could point out how trivially stupid and well-known the attack on TalkTalk was, so this kind of industry avoidance tactic could be properly squelched.