Categories
Writing

Feature Parity in Apple Notes

I have a love and occasional hate relationship with Apple Notes. And a mostly hate and kind of fond memory relationship with my longstanding notes application, Evernote. So for the past few months I’ve slowly and tediously been shifting a few thousand notes from one service to another.

This is the story of why, the joys and miseries of the decision, and what I hope Apple changes in future versions of its note taking application.

Evernote’s Trust and Pricing Deficit

Evernote has some serious problems to my eye. I like some of its features, such as the ability to search .PDFs and adding tags to different notes. But these features aren’t enough to overcome the baseline problem that I no longer trust Evernote with my content. There are two core reasons underscoring this lack of trust: the company’s questionable stance on users’ privacy and the company’s willingness to increase prices without providing a corresponding improvement in their services.

In case you missed it, Evernote announced a plan to have specific employees read the content their users added to their notes. The employees would be reading users’ notes to improve on the machine learning algorithms that Evernote was rolling out. Those algorithms were, themselves, meant to improve the services provided to users.

So the company was only going to infringe on its users’ privacy for the best of reasons.

The company backed off from its decision pretty quickly in the wake of a media backlash. Nevertheless, the initial decision left a bad taste in my mouth. How could I trust a company that had so cavalierly indicated a willingness to intrude upon their users’ private content? Some people use Evernote for personal journaling, others to manage their businesses, some to store medical information, and yet others for their research and professional writing. On what possible grounds could anyone at a company based on storing people’s thoughts and dreams think it would be appropriate to have employees read potentially sensitive notes? I was already somewhat uneasy with the company but seriously started exploring ways out of their service following this particular privacy SNAFU.

The second problem I had with the company was its decision to raise prices for professional users without providing a real benefit to end users. I get that companies sometimes have to adjust their pricing but as a long-standing user it seemed like I was being penalized after trusting the company in its infancy. It just seemed wrong to penalize very early adopters such as myself who’d championed the application from an early point in the company’s existence. There should have been a grace period, at the very least, if not an actual grandfathering of long term users’ prices.

So in light of these issues, combined with a decreasing enjoyment of the user interface and user experience more generally, I decided that I wanted out.

Enter Apple Notes

I’ve used Apple Notes off and on for a lot of years. And until the updates that came in iOS 9 I’ve generally stayed away. The service has just been deeply underwhelming in terms of its organization of different notes, to say nothing of the annoyances I had with sharing notes with other people.

The worst of those annoyances have been dealt with in a few ways:

  1. I can organize folders and use macOS to nest different folders in one another, which is essential for me to keep my notes in some semblance of order.
  2. I can search through notes with relative ease on all my Apple devices, though I admit this is an area where improvements would be delightful.
  3. I have more faith in Apple to push back against efforts to access my notes through a legal process, and to protect the privacy of my notes’ contents using best security practices.

Furthermore, I’m already paying for iCloud storage. As a result, shifting my Evernote documents to Apple Notes will likely leave me with a little more money in my bank account each year.

The actual writing experience in Apple Notes is a bit threadbare. That’s ok on the whole – the ability to add headings and titles, along with some baseline formatting is almost enough – and share sheets have made it a lot more pleasant to send a note to a colleague or collaborator.

Aside: The Miseries of Note Migration

There are some automated ways to pull data out of Evernote and into other note taking applications, including Apple Notes. But I’m not using them for two separate reasons.

First, I want to be able to re-curate all the stuff that’s collected in Evernote over the past years. So that means that I want to put my own eyes on old notes to determine what should and shouldn’t make the cut. I’ve shed about a thousand notes thus far and I’m pretty sure that even more are going to vanish into the digital ether.

Second, the way I organized notes in Evernote changed over the years that I was using it. I did a lot of learning while using the application, which meant that I changed my tagging and notebook structures a few times. That meant there was a pretty bad mess I’d built up and I wanted that cleaned up.

I should acknowledge that Evernote also put a lot of really badly formatted notes in my various notebooks and I’m spending more time than is really appropriate to fix up those notes. Specifically, I used the company’s web clipping tool on a regular basis and the way it clipped pages was often sub-par (to be generous). In some cases it meant that HTML was laced through notes. In others, the clipped pages were filled with ads and other badly formatted junk; this was the result of website publishers having to incorporate ads and ruin the user experience.

I should be blunt: I was working around the deficiencies of Evernote’s clipping service. Apple Notes has its own problems and deficiencies and, between the two, Evernote is actually better at clipping than Apple.

Limitations of Apple Notes

There’s still room for improvements with Apple Notes.

iOS is definitely an area that is still developing, and I periodically come across things that haven’t been implemented for some reason. One of the teething struggles associated with iOS’s Notes is linked with share sheets: why can I share a note with someone, but not a folder containing multiple notes? My use case is this: I often collect resources for ongoing projects in folders and it’d be great to be able to share all of those items, at once, as opposed to on an individual basis.

In a related vein, it’d be delightful to be able to:

  • Add hyperlinks to text in the Notes applications for iOS;
  • Create sub-folders in the iOS application (I can do it in macOS so why not in iOS?);
  • In macOS, automatically create a note when I drag a file — such as a .pdf, .doc, or other file — into the application.

I also really, really wish that Notes on iOS and macOS supported smart folders and tags. macOS already supports those kinds of functionality in Finder and (to an extent) iTunes and Photos! Adding these kinds of functions into the Notes application would mean I could more easily use the same note in multiple folders. The use case? I often keep reviews of articles and documents in Apple Notes and subsequently want to organize them into additional folders for specific papers that I’m writing or blog posts I’m drafting. As it stands now I need to make total copies of notes and re-create them in folders for the given paper or blog. That’s nuts: I shouldn’t be doubling or tripling notes.

But maybe it’s just too hard to do all that. So if I had to ask for a smaller thing it’d be this: please, please, please just let me pin important notes to the top of different folders in notes.

Finally, it’d be amazing if there was some integration of Markdown functionality. I don’t imagine that’s going to happen anytime soon, but it’d be nice.1 A better web clipping service would also be helpful: Evernote did a serviceable, if not good, job of that and Notes just sucks in comparison.

NOTE: This was originally posted on Medium.


  1. Yes, services like Bear might actually provide a better experience. And its support for Markdown makes it super tempting. But I’d rather pay for fewer services as part of some 2017 ‘financial cleaning’. ↩︎
Categories
Reviews

Review: Security Engineering

Anderson has successfully synthesized an incredibly diverse set of literature and, as a result, the book is useful for any person who is involved in security. The first section of the book outlines different threat models, offers accessible ways to develop and implement security designs, and also addresses issues of economics, psychology, and basic security issues that must be considered from the outset of security planning. Because different threat situations are raised throughout the book the reader will learn to appreciate the value of adopting comprehensive threat planning. This approach is not meant to drive a ‘secure everything’ mentality but to encourage readers to reflect on, and understand, what is actually being protected, why it is being protected, and what it is being protected from. As a result, a manager or team lead not invested in the day-to-day securing of a principal can have intelligent and critical discussions with their security staff, ensuring that principals are properly identified and resources assigned to ensure desired levels of threat protection. For staff involved in implementing policy, reading this first section may help to couch concerns in a language that is better understood by management. It will also let those same staff members more precisely plan and implement policies that are handed down from higher levels in an organizational framework.

In the second section of the book, Anderson addresses a series of ‘topic areas’ such as multilateral security, banking and bookkeeping, monitoring and metering, security printing and seals, API attacks, copyright, telecom security, and more. In each section he leaves the reader with an excellent topical understanding of the historical issues these areas have encountered, how issues in various sections often relate to one another, and where and why errors in judgement have been made. The regular demonstrations of security failures – often due to side channel attacks – operate as powerful reminders that adequate policies that precisely identify how fault situations unfold are (arguably) amongst the most important elements of any security policy. It also demonstrates how what appear to be robust systems can be made to be quite brittle, thus emphasizing the need to think about how to develop effective defence in depth policies. This section is essential reading for both the actual implementers of security as well as whomever is making purchasing decisions on behalf of organizations. With the rapid growth of the ‘security industry’ and ever-increasing number of vendors that are invested in selling their latest products/snake oil, this section provides the reader with tools needed to critically interrogate products and make better purchasing and implementation decisions. 

The final section is, arguably, most needed by mid- to high-level organizational planners. Civil issues are raised – how does security/surveillance impact individuals’ rights? – as are step-by-step methodological systems for establishing threat patterns in relation to larger organizational concerns (e.g. profitability, consumer loyalty and trust). It also includes suggested practices for addressing potential security errors introduced in the generation of a digital or coded product, and how to establish an environment conducive to ensuring product- and process-based integrity, authenticity, and security. The final section is particularly needed for anyone looking into compliance seals and assurances. Anderson outlines the positive and deficient aspects of external audits, and also identifies how auditing systems have been gamed by nation-state actors and the reasons behind such gaming. While some organizations may be more concerned about receiving seals for bureaucratic purposes, for the agency that is concerned about the actual security value of the seals, this section provides much-needed resources to understand the nature of seal and certification systems.

I cannot recommend this book highly enough. Quite often, security books will emphasize a particular line of attack and bypass the broader conceptual systems underlying the incursion. This book largely takes the opposite track, focusing first on the conceptual deficiencies and the intellectual demands of designing secure systems. It then proceeds to outline attacks that often use the systems’ logic to the attacker’s advantage. As a result, the reader will leave with a critical appreciation of the concepts and implementations of security. The emphasis on the conceptual conditions of security means that the book will continue to age well, with readers being able to apply what is learned in this book to their work for years to come.

Categories
Links Writing

Why We Need to Reevaluate How We Share Intelligence Data With Allies

Last week, Canadians learned that their foreign signals intelligence agency, the Communications Security Establishment (CSE), had improperly shared information with their American, Australian, British, and New Zealand counterparts (collectively referred to as the “Five Eyes”). The exposure was unintentional: techniques that CSE had developed to de-identify metadata containing Canadians’ personal information failed to keep Canadians anonymous when juxtaposed with allies’ re-identification capabilities. Canadians recognize the hazards of such exposures given that lax information-sharing protocols with US agencies previously contributed to the mistaken rendition and subsequent torture of a Canadian citizen in 2002.

Tamir Israel (of CIPPIC) and I wrote an article for Just Security following these revelations. We focused on the organization’s efforts, and failure, to suppress Canadians’ identity information that is collected as part of CSE’s ongoing intelligence activities and the broader implications of erroneous information sharing. Specifically, we focused on how such sharing can have dire life consequences for those who are inappropriately targeted as a result by Western allies and how such sharing has led to the torture of a Canadian citizen. We conclude by arguing that the collection and sharing of such information raises questions regarding the ongoing viability of the agency’s old-fashioned mandates that bifurcate Canadian and non-Canadian persons’ data in light of the integrated nature of contemporary communications systems and data exchanges with foreign partners.

Read the Article

Categories
Writing

So Now I’m Here

For the past decade and a half I’ve been publishing on a variety of platforms. Livejournal. Tumblr (a bunch of different times). A long lasting WordPress instantiation (and a few that weren’t so long lasting), plus some offline places where I reflect on more personal things and some online places that died relatively fast or of ignominious ends (remember Posterous?).1

The Experience of Online Publishing

Each of the online platforms I’ve previously used has seen me experiment with different aspects of self-publishing. From spreading my content all over the Internet I’ve learned a few things about what matters to me:

  1. Publishing platforms need to emphasize the importance of user interfaces and user experiences.
  2. Platforms need to appreciate that if they aren’t seen as trustworthy then fewer people will publish using them.
  3. In some cases, companies that are offering online platforms need to help users make at least some tweaks to the publishing environment so that they can personalize the space to their content.
  4. Publishing platforms need to consider how to help users develop and foster a positive community that is inviting to new users and readers.

I’ve ultimately grown disenchanted with each of the major and minor writing platforms I’ve used over the years for one reason or another:

  • Livejournal (that social network of yore) was a product of its time in every sense. The user interface was crude, if serviceable. The community finding aspects were pretty decent for its time. But innovation slowed and being sold to a Russian company raised pretty serious questions about censorship. (I went from Livejournal to WordPress, where a lot of my content has lived ever since.)
  • Tumblr remains, at least as I’ve experienced it, a burning garbage fire of user interface issues. I’ve gone back several times over the past six or seven years and it never seems to have really improved from its basic state. The sale to Yahoo! – a company that can’t secure itself from toddlers, it seems – makes it a less than inviting space to add content to: will it be there tomorrow? And if so, who will be in charge of losing users’ logins, passwords, security questions, and content next?
  • While I use WordPress on a regular basis, and one installation has held my professional work for a decade, I don’t want yet another platform I have to secure from third-parties. The functionality is great but maintenance is something I want to do less of, not more.

But, if I’m being entirely honest, only part of the problem of finding outlets for my creative instincts has to do with the different platforms. A bigger problem is directly tied to me.

Professional Appropriation of Creativity

My professional job involves a lot of writing. The majority of the writing that I’ve done for ‘myself’ over the past decade has generally linked my public and professional personas. To my chagrin, most of the public places I’ve written have ultimately been appropriated by, and arguably undermined by, that public-professional persona.2

The result is that I really haven’t had (or maintained) a good place to place my creative outputs that extend beyond my professional work. Things that are about different pieces of technology I’m using and why, what I think about different photos that I’ve taken over the years, or comments on politics, reflections on poignant books or articles I’ve come across, as well as other things that catch my fancy. Sure there are microblogging sites but I want something more substantive and meaty and long-lasting than 140 characters.

If I thought I could write more personal, non-professional, pieces on the website that bears my own name I probably would. But that doesn’t feel like a real option for me: doing so would overlap my professional and personal lives more than I’m comfortable with, while also running the risk of weakening the professional ‘value’ I’ve built up in that long-lasting website.

So, Now I’m Here.

Medium has terrific typography and the people who routinely write here that I follow tend to be doing interesting and involving work. The topics are diverse. The publishing process seems pretty solid and made with the user in mind. And I already know a lot of people who are writing here, which definitely helps to make this a more inviting writing space.

So while my professional work is going to remain stovepiped in my long lasting WordPress blog, I think I’m going to see what it’s like to use Medium as a place for my own work. Things that are less serious. Things that just don’t really belong in my other writing environments. Things that are personal but not so personal that they have to be kept from public eye entirely.

NOTE: This was initially published on Medium in early 2017.


  1. I’m excluding the other ‘microblogging’ sites that we all use, like Twitter, Facebook, or Instagram. ↩︎
  2. To say that I’ve had bad work-life balance in the past is an understatement. I was 90% work, 10% life. I attribute that lack of balance, in part, to my professional appropriation of my creative spaces. ↩︎
Categories
Links

$1,700 per month to live in a rebuilt garage in the Junction Triangle

Not everyone wants to live in such a small space. And—surprise, surprise—the suite isn’t legal, which is why the owners requested that we not publish their full names or address. And then there’s the fact that the kitchen doesn’t have a stove or oven, just a hot plate.

Let’s see how quickly the city finds this, and shuts it down, given the publicity that Toronto Life gave it. Separately: it costs $1,700 to live in a garage in Toronto right now?!

Categories
Links

Ransomware app hosted in Google Play infects unsuspecting Android user

Ars Technica:

In 2012, Google unveiled a cloud-based scanner dubbed bouncer that was billed as a way for the company to detect malicious apps before they were made available in Play. Five years later, discovery of malicious apps like Charger are a regular occurrence. Google makes little reference to the tool these days.

Android: a new bag of hurt found each week.


Categories
Links Writing

WhatsApp’s new vulnerability is a concession, not a backdoor

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely. WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

It’s a controversial choice, but WhatsApp has good reasons for wanting a looser policy. Hard security is hard, as anyone who’s forgotten their PGP password can attest. Key irregularities happen, and each app has different policies on how to respond. Reached by The Guardian, WhatsApp pointed to users who change devices or SIM cards, the most common source of key irregularities. If WhatsApp followed the same rules as Signal, any message sent with an unverified key would simply be dropped. Signal users are happy to accept that as the price of stronger security, but with over a billion users across the world, WhatsApp is playing to a much larger crowd. Most of those users aren’t aware of WhatsApp’s encryption at all. Smoothing over those irregularities made the app itself simpler and more reliable, at the cost of one specific security measure. It’s easy to criticize that decision, and many have — but you don’t need to invoke a government conspiracy to explain it.

A multitude of secure messaging applications are vulnerable to a contact’s key being changed at the server level without the end user being notified: the client simply re-encrypts queued and future messages to whatever key the server now advertises. This theoretically opens a way for state security agencies to ‘break into’ secured communications channels but, to date, we don’t have any evidence of a company in the Western or Western-affiliated world engaging in such behaviour.
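The difference the quoted article describes is a client-side policy decision, not a difference in the cryptography, so it is easiest to see in the client logic itself. The toy client below is an added example, not code from Signal, WhatsApp or the article: it pins each contact’s key on first use, and on a later mismatch either refuses to send (the strict, Signal-like policy) or re-pins and sends anyway, with or without an alert (the lenient, WhatsApp-like policy, where the alert is off by default). The identity keys, the contact and the server substitution are all constructed; the fingerprint is a truncated SHA-256 standing in for a real safety number, and no message encryption is performed.

```python
"""Toy messaging client comparing key-change policies (added example).

Keys and the server are constructed stand-ins; no real protocol is used.
"""
import hashlib
from dataclasses import dataclass, field


class KeyChanged(Exception):
    """Raised by the strict policy when a contact's pinned key no longer matches."""


def fingerprint(public_key: bytes) -> str:
    # Stand-in for a safety number: a truncated hash of the public key bytes.
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class Client:
    policy: str                    # "strict" (Signal-like) or "lenient" (WhatsApp-like)
    show_alerts: bool = False      # key-change notification; off by default, as in WhatsApp
    pinned: dict = field(default_factory=dict)   # contact -> fingerprint (trust on first use)
    alerts: list = field(default_factory=list)
    outbox: list = field(default_factory=list)   # (contact, fingerprint used, message)

    def send(self, contact: str, key_from_server: bytes, message: str) -> str:
        """Encrypt-and-send stand-in; returns the fingerprint the message went to."""
        fp = fingerprint(key_from_server)
        known = self.pinned.get(contact)
        if known is None:
            # First contact: pin whatever the server hands us (TOFU).
            self.pinned[contact] = fp
        elif known != fp:
            if self.policy == "strict":
                # Refuse to encrypt to an unverified key; nothing leaves the device.
                raise KeyChanged(f"{contact}: pinned {known}, server now offers {fp}")
            if self.show_alerts:
                self.alerts.append(f"{contact}'s security code changed ({known} -> {fp})")
            # Lenient: silently re-pin the new key and carry on.
            self.pinned[contact] = fp
        self.outbox.append((contact, fp, message))
        return fp

    def verify(self, contact: str, public_key: bytes) -> None:
        """Out-of-band verification (comparing codes in person) re-pins explicitly."""
        self.pinned[contact] = fingerprint(public_key)


def run_scenario(policy: str, show_alerts: bool = False) -> dict:
    """Bob's real key is served first; then the server substitutes a different key."""
    bob_key = b"constructed-identity-key-for-bob"           # constructed
    substituted_key = b"constructed-key-inserted-by-server"  # constructed
    client = Client(policy=policy, show_alerts=show_alerts)
    client.send("bob", bob_key, "first message")
    blocked = False
    try:
        client.send("bob", substituted_key, "second message")
    except KeyChanged:
        blocked = True
    return {
        "blocked": blocked,
        "sent": len(client.outbox),
        "alerts": len(client.alerts),
        "last_key_used": client.outbox[-1][1],
        "substituted_fp": fingerprint(substituted_key),
    }


if __name__ == "__main__":
    for policy, alerts in (("strict", False), ("lenient", False), ("lenient", True)):
        print(policy, "alerts on" if alerts else "alerts off", run_scenario(policy, alerts))
```

Under the strict policy the second message never leaves the device; under the lenient policy with alerts off it is sent to the substituted key and the user sees nothing, which is exactly the window the article is describing. Turning the alert on changes what the user is told, not what the client sends.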

There are laws that require some types of communications to be interceptable. Mobile communications carried by telecommunications carriers in Canada must be interceptable, and VoIP along with most other kinds of voice communications that are transmitted by equivalent carriers are subject to interception in the United States. There are not, however, similar demands currently placed on companies that provide chat or other next-generation communications systems.

While there are not currently laws mandating either interception or decryption of chat or next-generation communications it remains plausible that laws will be introduced to compel this kind of functionality. It’s that possibility that makes how encryption keys are managed so important: as politicians smell that there is even the possibility of demanding decrypted communications the potential for such interception laws increases dramatically. Such laws would formalize and calcify vulnerabilities into the communications that we use everyday, to the effect of not just ensuring that domestic authorities could always potentially be listening, but foreign and unauthorized parties as well.

Categories
Links

Evaluating the Buzzfeed dossier, by a former Intelligence Analyst

Individual details, like lawyer Michael Cohen’s trip to Prague or the spelling of a name or two, may indeed be disproven. Not everything in these reports is 100% accurate.

However, it is extremely important to emphasize that micro-level inaccuracies do not detract from the credibility of the two broad points that I establish above: that Trump’s organization has had a relationship with the Kremlin and that he is subject to blackmail.

This is one of the better analyses of how to understand the dossier that was released this week on Donald Trump’s activities in Russia and involvement with the Russian government.

Categories
Links Writing

Demand for secret messaging apps is rising as Trump takes office

From The Verge:

Marlinspike’s goal isn’t unicorn riches, but unicorn ubiquity. For that, he wants to make encrypted messaging as easy — as beautiful, as fun, as expressive, as emoji-laden — as your default messaging app. His reason: if encryption is difficult, it self-selects for people willing to jump through those hoops. And bad guys are always willing to jump through the hoops. “ISIS or high-risk criminal activity will be willing to click two extra times,” he told me. “You and I are not.”

Marlinspike’s protocol for secure communication is incredibly effective at protecting message content from third party observation. Few protocols are nearly as effective, however, and most chat companies now claim that they offer ‘secure’ communications. Almost no consumers are situated to evaluate those claims: there are known deficient applications that are widely used, despite the security community having identified and discussed their problems. Encryption isn’t actually going to provide the security that most users think it does unless the best-of-class protocols are widely adopted.1

The problem of imperfect consumer knowledge is a hard one to solve for, in part because the security community cannot evaluate all claims of encryption. In work that I’ve been involved in we’ve seen simplistic ciphers, hard coded passwords, and similar deficiencies. In some cases companies have asserted they secure data but then fail to encrypt data between smartphone apps and company servers. It’s laborious work to find these deficiencies and it’s cheap for companies to claim that they offer a ‘secure’ product. And it ultimately means that consumers (who aren’t experts in cryptography, nor should they be expected to be such experts) are left scratching their head and, sometimes, just throwing their hands up in frustration as a result of the limited information that is available.
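The paragraph above does not name the ‘simplistic ciphers’ that were found, so the example below is an added illustration and not code from the page or from any product the author examined. It uses repeating-key XOR with a key hard-coded in the app as a stand-in for such a scheme, and shows why it is not encryption in any useful sense: because every payload starts with the same public format prefix (assumed here to be a JSON object opening with a “user” field), a passive observer who captures one ciphertext recovers the key outright and decrypts everything else. The key, the message format and the messages are all constructed.

```python
"""Breaking a home-grown repeating-key XOR 'cipher' with a known prefix (added example).

The key, the payload format and the messages are constructed for illustration.
"""


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed: the app XORs every JSON payload with this one hard-coded key.
HARDCODED_KEY = bytes([0x8A, 0x3F, 0xC1, 0x55, 0x9E, 0x07, 0xD3, 0x6B])
# Constructed: every payload starts this way, and the format is public.
KNOWN_PREFIX = b'{"user":"'


def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover the key from one ciphertext plus the known plaintext prefix.

    For every position i covered by the prefix, key[i mod n] = c[i] ^ p[i].
    The key length n is taken as the shortest period for which the derived
    key reproduces the whole prefix. This needs the prefix to be at least one
    byte longer than the key (9 > 8 here); a longer key would only be
    partially recovered, which is why the search is bounded by the prefix.
    """
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, len(known_prefix)):
        candidate = keystream[:n]
        if xor_with_key(ciphertext[: len(known_prefix)], candidate) == known_prefix:
            return candidate
    raise ValueError("known prefix too short to bound the key length")


def decrypt_all(ciphertexts: list, known_prefix: bytes) -> list:
    """One captured message gives the key; the key gives every other message."""
    key = recover_key(ciphertexts[0], known_prefix)
    return [xor_with_key(c, key) for c in ciphertexts]


def demo() -> list:
    # Constructed traffic: what the app would put on the wire for two users.
    messages = [
        b'{"user":"alice","msg":"meet at 9"}',
        b'{"user":"bob","msg":"pin is 4471"}',
    ]
    captured = [xor_with_key(m, HARDCODED_KEY) for m in messages]
    return decrypt_all(captured, KNOWN_PREFIX)


if __name__ == "__main__":
    for plaintext in demo():
        print(plaintext.decode())
```

The same weakness shows up in practice as identical ciphertext prefixes across messages, which is itself a giveaway that no proper mode of operation is in use. A real cipher with a per-message nonce would not leak anything from a known prefix, and a key baked into the app binary is recoverable by anyone with a copy of the app regardless of the cipher.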


  1. Admittedly, Marlinspike’s goal is to spread his protocol widely and the result has been that the largest chat service in the world, WhatsApp, now provides a robust level of communications security. To activate the protocol in other chat services, such as Google’s Allo or Facebook’s Messenger, you need to first set up a private conversation.


Categories
Links

Google warns journalists and professors: Your account is under attack

From Ars Technica:

A Google spokesman, citing this overview of the warnings, said it’s possible that the recent flurry may refer to hacking attempts that happened over the past month, as opposed to events that occurred more recently. He said Google officials deliberately delay warnings to prevent those behind the attacks from learning researchers’ sources and methods for detecting the attacks. The delays apply only to attack attempts, rather than cases where attacks result in a successful account takeover.

Phishing and account takeover are very real threats. Yes, particular persons are sometimes targeted because they are personally identified as ‘high value targets’. However, persons adjacent to them are also targeted, because high value targets can be more mindful of possible efforts to phish their credentials while being less mindful about clicking links from friends and family. As a result, the persons who the high value target communicates with may be used as the proxy for attacking the high value target.

Do you know someone who might be a target? Such as a prominent lawyer, business person, or politician? Or just someone who, themselves, would have access to such prominent persons or to sensitive information? If so, then you could be targeted by a sophisticated attacker not because you, yourself, are interesting but because you’re a gateway to those who are.