05
Mar 14

Considering CarPlay

Late last week, some buzz began building that Apple, alongside automaker partners, would formally reveal the first results of their “iOS in the Car” initiative. Much as rumors had suspected, the end result, now dubbed CarPlay, was demonstrated (or at least shown in a promo video) by initial partners Ferrari, Mercedes-Benz, and Volvo. If you only have time to watch one of them, watch the video of the Ferrari. Though it is an ad-hoc demo, the Ferrari video isn’t painfully overproduced as the Mercedes-Benz video unfortunately is, and isn’t just a concept video as the Volvo is.

The three that were shown are interesting for a variety of reasons (though it is also notable that all three are premium brands). The Ferrari and Volvo videos demonstrate touch-based navigation, and the Mercedes-Benz video uses what (I believe) is their knob-based COMAND system. While CarPlay is navigable using all of them, using the COMAND knob to control the iOS-based experience feels somewhat contrived or forced (like using an old iPod click wheel to navigate a modern iPhone). It just looks painful (to me that’s an M-B issue, not an Apple issue).

Outside of the initial three auto manufacturers, Apple has said that Honda, Hyundai, and Jaguar will also have models in 2014 with CarPlay functionality.

So what exactly is CarPlay?

As I initially looked at CarPlay, it looked like a distinct animal in the Apple ecosystem. But the more I thought about it, the more familiar it looked. Apple pushing their UX out into a new realm, on a device that they don’t own the final interface of… It’s sort of Apple TV, for the car. In fact, pondering what the infrastructure might look like, I kept getting flashbacks to Windows Media Center Extenders, which are remote thin clients that render a Windows Media Center UI over a wired or wireless connection.

Apple’s CarPlay involves a cable-based connection (this seems to be a requirement at this point; I’ll talk about it a bit later) which is used to remotely display several key functions of your compatible iPhone (5s, 5c, 5) on the head unit of your car. That is, the display is that of your auto head unit – but for CarPlay features, your iPhone looks to be what’s actually running the app, and the head unit is simply a dumb terminal rendering it. All data is transmitted through your phone, not some in-car LTE/4G connection, and all of the apps reside, and are updated, on your phone, not on the head unit. CarPlay seems to be navigable regardless of the type of touch support your screen has (if it has touch), but also works with buttons, and again, works with knob-based navigation like COMAND.

Apple seems to be requiring two key triggers for CarPlay – 1) a voice command button on the steering wheel, and 2) an entry point into CarPlay itself, generally a button on the head unit (quite easy to see if you watch the Ferrari video, labeled APPLE CARPLAY). Of course these touches are in addition to integrating in the required Apple Lightning cable to tether it all together.

In short, Apple hasn’t done a complete end around of the OEM – the automaker can still have their own UI for their own in-car functions, and then Apple’s distinct CarPlay UI (very familiar to anyone who has used iOS 7) is there when you’re “in CarPlay”, if you will. It seems to me that CarPlay can best be thought of as a remote display for your iPhone, designed to fit the display of your car’s entertainment system. Some have said that “CarPlay systems” are running QNX – perhaps some are. The head unit manufacturer doesn’t really appear to be important here. The main point of all of this is that the OEM doesn’t appear to have to do massive work to make it functional; it really looks to be primarily a matter of integrating the remote display functionality and the I/O to the phone. In fact, the UI of the Ferrari as demonstrated doesn’t look to be that different from head units in previous versions of the FF (from what I can see). Also, if you watch the Apple employee towards the end, you can see her press the FF “app”, exiting out to the FF’s own user interface, which is distinctly different from the CarPlay UI. The CarPlay UI, in contrast, is remarkably consistent across the three examples shown so far. While the automakers all have their own unique touches, and controls for the rest of the vehicle, the distinct things that the phone is, frankly, better at are done through the CarPlay UI.

The built-in iPhone apps supported with CarPlay at this point appear to be:

  • Phone
  • Messages
  • Maps
  • Music
  • Podcasts

The obvious scenarios here are making/receiving phone calls or sending/receiving SMS/iMessages with your phone’s native contact list, and navigation. Quick tasks. Not surfing or searching the Web while you’re driving. Yay! The Maps app has an interesting touch that the Apple employee chose to highlight in the Ferrari video, where maps you’ve been sent in messages are displayed in the list of potential destinations you can choose from. Obviously the CarPlay solution enables Apple’s turn-by-turn maps. If you’re an Apple Maps fan, that’s great news (I’m quite happy with them at this point, personally). If you like using Google Maps or another mapping/messaging or VOIP solution, it looks like you’re out of luck at this point.

In addition to touch, button, or knob-based navigation, Siri is omnipresent in CarPlay, and the system can use voice as your primary input mechanism (triggered through a voice command button on the steering wheel), and is used for reading text messages out loud to you, and responding to them. I use that Siri feature pretty often, myself.

The Music and Podcasts apps seem like obvious ones to make available, especially now that iTunes Radio is available (although most people either love or hate the Podcasts app). Just as importantly, Apple is making a handful of third-party applications available at this point. Notably:

  • Spotify
  • iHeartRadio
  • Stitcher

Though Apple’s CarPlay site does call out the Beats Music app as well, I noticed it was missing in the Ferrari demo.

Overall, I like Apple’s direction with this. Of course, as I said on Twitter, I’m so vested in the walled garden, I don’t necessarily care that it doesn’t integrate in with handsets from other platforms. That said, I do think most OEMs will be looking at alternatives and implementing one or more of them simultaneously (hopefully implementing all of them that they choose to in a somewhat consistent manner).

Personally, I see quite a few positives to CarPlay:

  • If you have an iPhone, it takes advantage of the device that is already your personal hub, instead of trying to reinvent it
  • It isolates the things the manufacturer may either be good at or may want to control, and the CarPlay UX. In short, Apple gets their own UX, presented reliably
  • It uses your existing data connection, not yet another one for the car
  • It uses one cable connection. No WiFi or BLE connectivity, and charges while it works
  • I trust Apple to build a lower-distraction (Siri-centric) UI than most automakers
  • It can be updated by Apple, independent of the car head unit
  • Apple can push new apps to it independent of the manufacturer
  • Apple Maps may suck in some people’s perspective (not mine), but it isn’t nearly as bad as some in-dash nav systems (watch some of Brian’s car reviews if you don’t believe me), and doesn’t require shelling out for shiny-media based updates!

Of course, there are some criticisms I or others have already mentioned on Twitter or in reviews:

  • It requires, and uses, iOS 7. Don’t like the iOS 7 UI? You’re probably not going to be a fan
  • It requires a cable connection. Not WiFi or BLE. This is a good/bad thing. I think in time, we’ll see considerate design of integrated phone slots or the like – push the phone in, flat, to dock it. The cables look hacky, but likely enable the security, performance, low latency, and integrated charging that are a better experience overall (also discourages you from picking the phone up while driving)
  • Apple Maps. If you don’t like it, you don’t like it. I do, but lots of people still seem to like deriding it
  • It is yet another Apple walled garden (like Apple TV, or iOS as a whole). Apple controls the UI of CarPlay, how it works, and what apps and content are or are not available. Just like Apple TV is at present. The fact that it is not an open platform or open spec also bothers some.

Overall, I really am excited by what CarPlay represents. I’ve never seen an in-car entertainment system I really loved. While I don’t think I really love any of the three head units I’ve seen so far, I do relish the idea of being able to use the device I like to use already, and having an app experience I’m already familiar with. Now I just need to have it hit some lower-priced vehicles I actually want to buy.

Speaking of that; Apple has said that, beyond the makers above, the following manufacturers have also signed on to work with CarPlay:

BMW Group (which includes Mini and Rolls-Royce), Chevrolet, Ford, Kia, Land Rover, Mitsubishi, Nissan, Opel, PSA Peugeot Citroën, Subaru, Suzuki, and Toyota.

As a VW fan, I was disheartened to not see VW on the list. Frankly I wouldn’t be terribly surprised to see a higher-end VW marque opt into it before too long (Porsche, Audi, or Bentley seem like obvious ones to me – but we’ll see). Also absent? Tesla. But I wouldn’t be surprised to see that show up in time as well.

It’s an interesting start. I look forward to seeing how Google, Microsoft, and others continue to evolve their own automotive stories over the coming years – but I think one thing is for sure: the era of the phone as the hub of the car (and beyond) is just beginning.


03
Mar 14

Here’s a fun game… guess the executive

No Googling – that’s cheating. Tell me the executive (a former CEO) and the company. I’ve paraphrased a couple of parts that would give it away.

“<he’s> been the primary architect of a failed transformation of <the company> from its core <redacted> heritage to some expansive consumer-centric organization, which we think employees, <partners>, and investors have found to varying degrees to be somewhat incomprehensible.”


Answer key: The above is a redacted quote about Jacques Nasser, the ousted CEO of Ford.


17
Jan 14

Running Windows XP after April? A couple of suggestions for you

Yesterday on Twitter, I said the following:

Suggestion… If you have an XP system that you ABSOLUTELY must run after April, I’d remove all JREs, as well as Acrobat Reader and Flash.

This was inspired by an inquiry from a customer about Windows XP support that arrived earlier in the day.

As a result of that tweet, three things have happened.

  1. Many people replied “unplug it from the network!” 1
  2. Several people asked me why I suggested doing these steps.
  3. I’ve begun working on a more comprehensive set of recommendations, to be available shortly. 2

First off… Yes, it’d be ideal if we could just retire all of these XP systems on a dime. But that’s not going to happen. If it was easy (or free), businesses and consumers wouldn’t have waited until the last second to retire these systems. But there’s a reason why they haven’t. Medical/dental practices have practice management or other proprietary software that isn’t tested/supported on anything newer, custom point of sale software from vendors that disappeared, were acquired, or simply never brought that version of their software… There’s a multitude of reasons, and these systems aren’t all going to disappear or be shut off by April. It’s not going to happen. It’s unfortunate, but there are a lot of Windows XP systems that will be used for many years still in many places that we’d all rather not see happen. There’s no silver bullet for that. Hence, my off the cuff recommendations over Twitter.

Second, there’s a reason why I called out these three pieces of software. If you aren’t familiar with the history, I’d encourage you to go Bing (or Google, or…) the three following searches:

  1. zero day java vulnerability
  2. zero day Flash vulnerability
  3. zero day Acrobat vulnerability

Now if you looked carefully, each one of those, at least on Bing, returned well over 1M results, many (most?) of them from the last three years. In telling me that these XP systems should be disconnected from the Web, many people missed the point I was making.

PCs don’t get infected from the inside out. They get infected from the outside in. When Microsoft had the “Security Push” over ten years ago that forced us to reconsider how we designed, built and tested software, it involved stopping where we were and completely rethinking how Windows was built. Threat models replaced ridiculous statements like, “We have the very best xx encryption, so we’re ‘secure’”. While Windows XP may be more porous than Vista and later are (because the company was able to implement foundational security even more deeply, and engineer protections deeply into IE, for example, as well as implement primordial UAC), Windows XP SP2 and later are far less of a threat vector than XP SP1 and earlier were. So if you’re a bad guy and you want to get bad things to happen on a PC today, who do you go after? It isn’t Windows binaries themselves, or even IE. You go next for the application runtimes that are nearly as pervasive: Java, Flash, and Acrobat. Arguably, Acrobat may or may not be a runtime, depending on your POV. But the threat is still there, especially if you haven’t been maintaining these as they’ve been updated over the last few years.

As hard as Adobe and Oracle may try to keep these three patched, these three codebases have significant vulnerabilities that are found far too often. Those vulnerabilities, if not patched by vendors and updated by system owners incredibly quickly, become the primary vector of infecting both Windows and OS X systems by executing shellcode.

After April, Windows XP is expected to get no updates. Got that? NO UPDATES. NONE. Nada. Zippo. Zilch. You may still get antivirus updates from Microsoft and third parties, but at that point you honestly have a rotting wooden boat. I say this in the nicest way possible. I was on the team shipping Windows XP, and it saddens me to throw it under the bus, but I don’t think people get the threat here. Antivirus simply cannot protect you from every kind of attack. Windows XP and the versions of IE that run on it (6-8) have still regularly received patches almost every month for the past several years. So Windows XP isn’t “war hardened”, it is brittle. And after April, you won’t even get those patches trying to spackle over newly found vulnerabilities in the OS and IE. Instead, these will become exploit vectors ready to be hit by shellcode coming in off of the Internet (or even the local network) and turned into opportunistic infections.

Disclaimer: This is absolutely NOT a guarantee that systems won’t get infected, and you should NOT remove these or any piece of Microsoft or third-party software if a business-critical application actually depends on them or if you do not understand the dependencies of the applications in use on a particular PC or set of PCs! 

So what is a business or consumer to do? Jettison, baby. Jettison. If you can’t retire the entire Windows XP system, retire every single piece of software on that system that you can, beginning with the three I mentioned above. Those are key connection points of any system to the Web/Internet. Remove them and you will likely have lessened the infection vector. But more broadly, my recommendation is to make jetsam of any software on those XP systems that you really don’t need. Think of this as not traveling to a country where a specific disease is breaking out until the threat has passed. In the same vein, I’d say blocking Web browsers and removing email clients come in a close second, since they’re such a great vector for social engineering-based infections today.
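One way to check a machine against that advice before removing anything, as an added example that is not from the original post: a read-only PowerShell inventory (it assumes PowerShell 2.0, which can be installed on XP SP3) that lists any Java runtime, Flash Player or Acrobat/Reader entries found in the registry’s Uninstall keys. The display-name patterns are my assumptions about how those products register themselves, so review the output rather than trusting it blindly.

```powershell
# Added example, not from the original post. Read-only: it reports installed
# Java/Flash/Acrobat entries from the Uninstall registry keys; it removes nothing.
# Assumes PowerShell 2.0 on Windows XP SP3.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'   # x64 only
)

# Display-name patterns (assumed) for the three runtimes the post says to remove first.
$watchList = @{
    'Java runtime' = '^(Java|J2SE|JRE)'
    'Adobe Flash'  = '^Adobe Flash Player'
    'Adobe Reader' = '^Adobe (Acrobat|Reader)'
}

$found = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    # One object per Uninstall subkey, carrying DisplayName/DisplayVersion/UninstallString.
    $entries = Get-ItemProperty -Path "$key\*" -ErrorAction SilentlyContinue
    foreach ($entry in $entries) {
        if (-not $entry.DisplayName) { continue }
        foreach ($label in $watchList.Keys) {
            if ($entry.DisplayName -match $watchList[$label]) {
                New-Object PSObject -Property @{
                    Category        = $label
                    DisplayName     = $entry.DisplayName
                    Version         = $entry.DisplayVersion
                    UninstallString = $entry.UninstallString
                }
            }
        }
    }
}

if ($found) {
    # UninstallString is what an admin would run (after checking dependencies) to remove it.
    $found | Sort-Object Category, DisplayName |
        Format-Table Category, DisplayName, Version, UninstallString -AutoSize
} else {
    'No Java, Flash or Acrobat/Reader entries found in the Uninstall keys.'
}
```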

Finally, as I mentioned earlier, I am working on an even more comprehensive set of recommendations, to come in a report to be published for work, in our next issue, which should be live on the Web during the last week of January. My first recommendation would of course be to, if at all possible, retire your Windows XP systems as soon as possible. But I hope that this set of recommendations, while absolutely not a guarantee, can help some people as they move away, or finally consider how to move away, from Windows XP.

Footnotes

  1. Or unplug the power, or blow it up with explosives, or…
  2. These recommendations will be included in the next issue of Update.

14
Jan 14

What did I learn from Nest?

So today Google announced that they will pay US$3.2B for Nest Labs. Surely the intention here is to have the staff of Nest help Google with home automation, the larger Internet of Things (IoT) direction, and user interfaces. All three of these are, frankly, trouble spots for Google, and if they nurture the Nest team and let them thrive, it’ll be a good addition to Google. Otherwise, they will have wound up paying a premium to buy out a good company and lose the employees as soon as they can run.

In 2012, just after I received it, I wrote about my experience with the first generation Nest thermostat. When asked on Monday evening how I liked my Nest, I said:

It hasn’t exactly changed my life, but it has saved on energy costs, and it’s not hideous like most thermostats.

As I noted on Twitter as well, today’s news makes me sad. I bought Nest because it felt like they truly cared about thoughtful design. I also got the genuine feeling from the beginning that they cared about privacy.

Last year, I wrote the following about the dangers in relying on software (and hardware) that relies upon subscriptions:

Google exemplifies another side of this, where you can’t really be certain how long they will continue to offer a service. Whether it’s discontinuing consumer-grade services like Reader, or discontinuing the free level of Apps for Business, before subscribing to Google’s services an organization should generally not only raise questions around privacy and security, but just consider the long-term viability of the service. “Will Google keep this service alive in the future?” Perhaps that sounds cynical – but I believe it’s a legitimate concern. If you’re moving yourself or your business to a subscription service (heck, even a free one), you owe it to yourself to try and ascertain how long you’ve got before you can’t even count on that service anymore.

Unfortunately, my words feel prophetic now. If I’d known two years ago what I know today, maybe I’d have wavered more and decided against the Nest. Maybe not.

As I look back at Nest, it helps me frame the logic I’ll personally use when considering future IoT purchases. Ideally from now on, I’d like to consider instead:

  1. Buying devices with open APIs or open firmware. If the APIs or firmware of Nest were opened up, the devices could have had alternative apps built against them by the open-source community (to generally poor, but possible, effect). This is about as likely to happen now as Nest sharing their windfall with early adopters like myself.
  2. Buying devices with standards-based I/O (Bluetooth 4.0, Wi-Fi) and apps that can work without a Web point of contact. While a thermostat is a unique device that does clamor for a display, I think that most devices on the IoT should really have a limited, if any, display and rely on Web or smart phone apps over Wi-Fi or BT 4.0 in order to be configurable. Much like point 1, this would mean some way out if the company shutters its Web API.
  3. Buying devices from larger companies. Most of the major thermostat manufacturers are making smarter thermostats now, although aesthetically, most are still crap.
  4. Buying “dumb” alternatives. A minimalist programmable or simple non-programmable thermostat again.

In short, it’ll probably be a while before I spend money – especially premium money – on another IoT device.

Peter Bright wrote a great piece the other day on why “smart devices” were a disaster waiting to happen. Long story short, hardware purveyors suck at creating devices that stand any sort of chance of being updated. In many ways, the unfortunate practice we’ve seen with Android phones will likely become the norm with lots of embedded devices (in cars or major appliances). What seems so cool and awesome the day we buy a new piece of technology will become frustrating as all hell when it won’t work with your new phone or requires a paid subscription but used to be free.

In talking with a colleague today, I found myself taking almost a Luddite’s perspective on smart devices and the IoT. It isn’t that these devices, done right, can’t make our lives easier. It’s that we always must be wary of who we’re buying them from, whether they truly make our life easier or not, and what future they have. I’ve never been a huge believer in smart devices, but if designed considerately, I think they can be beneficial. As for me, I think the main thing I learned from Nest is to always consider the worst possible outcome of the startup I buy hardware from (yes, to me, Google was just shy of the worst possible outcome, which would have been seeing it shut down).

While I had hopes that Apple would buy Nest, as I noted on Twitter, that idea probably never really made sense. Nest made custom hardware and custom (non Apple, of course) software that had far more to do with Google’s software realm than Apple’s. I also think that while the thermostat is a use case that lots of people “just get”, I’m not sure that the device fits well in Apple’s world. While the simple UI of the Nest is very Apple-like, it doesn’t seem like a war Apple would choose to fight. I think when it comes to home automation, Apple will be standing back and letting Bluetooth 4.0 interconnected home devices take the helm in the smart home, but having iOS play the role of conductor. I also had hopes that Nest could try to be bold and push the envelope of home automation beyond the hacky do-it-yourself approaches that have been around for years before the Nest arrived, but I’m fearful whether the Nest team will succeed with that at Google. I guess time will tell. It pains me to see Nest become part of Google, but I have to congratulate the Nest team on pushing the envelope as they did, and I hope for their sake and Google’s that they can continue to push that envelope successfully from within Google.


05
Jan 14

Bimodal tablets (Windows and Android). Remember them when they’re gone. Again.

I hope these rumors are wrong, but for some odd reason, the Web is full of rumors that this year’s CES will bring a glut of bimodal tablets; devices that are designed to run Windows 8.1, but also feature an integrated instance of Android. But why?

For years, Microsoft and Intel were seemingly the best of partners. While Microsoft had fleeting dalliances with other processor architectures, they always came back to Intel. There were clear lines in the sand:

  1. Intel made processors
  2. Microsoft made software
  3. Their mutual partners (ODMs and OEMs) made complete systems.

When Microsoft announced the Surface tablets, they crossed a line. Their partners (Intel and the device manufacturers) were stuck in an odd place: continue partnering just with Microsoft (now a competitor to manufacturers, and a direct purveyor of consumer devices with ARM processors), or find alternative counterpoints to ensure that they weren’t stuck in the event that Microsoft harmed their market.

For device manufacturers, this has meant what we might have thought unthinkable 3 years ago, with key manufacturers (now believing that their former partner is now also a competitor) building Android and Chrome OS devices. For Intel, it has meant looking even more broadly at what other operating systems they should ensure compatibility with, and evangelization of (predominantly Android).

While the Windows Store has grown in terms of app count, there are still some holes, and there isn’t really a gravitational pull of apps leading users to the platform. Yet.

So some OEMs, and seemingly Intel, have collaborated on this effort to glue together Windows 8.1 and Android on a single device, with the hopes that the two OSs combined in some way equate to “consumer value”. However, there’s really no clear sign that the consumer benefits from this approach, and in fact they really lose, as they’ve now got a Windows device with precious storage space consumed by an Android install of dubious value. If the consumer really wanted an Android device, they’re in the opposite conundrum.

Really, the OEMs and Intel have to be going into this strategy without any concern for consumers. It’s just about moving devices, and trying to ensure an ecosystem is there when they can’t (or don’t want to) bet on one platform exclusively. The end result is a device that instead of doing task A well, or task B well, does a really middling job with both of them, and results in a device that the user regrets buying (or worse, regrets being given).

BIOS manufacturers and OEMs have gone down this road several times before, usually trying to put Linux either in firmware or on disk as a rapid-boot dual use environment to “get online faster” or watch movies without waiting for Windows to boot/unhibernate. To my knowledge most devices that ever had these modes provided by the OEM were rarely actually used. Users hate rebooting, they get confused by where their Web bookmarks are (or aren’t) when they need them, etc.

These kinds of approaches rarely solve problems for users; in fact, they usually create problems instead, and are a huge nightmare in terms of management. Non-technical users are generally horrible about maintaining one OS. Give them two on a single device? This will turn out quite well, don’t you think? In the end, these devices, unless executed flawlessly, are damaging to both the Windows and Android ecosystems, the OEMs, and Intel. Any bad experiences will likely result in returns, or exchanges for iPads.


29
Dec 13

My predictions for wearables in 2014

It’s the season for predictions, so I thought I’d offer you my predictions about wearables in 2014.

  1. Wearables will continue to be nerd porn in 2014 (in other words, when you say “wearable devices”, most normal people will respond, “what?”)
  2. Many wearable devices will be proposed by vendors.
  3. Too many of those will actually make it to market.
  4. A few of those will be useful.
  5. A handful of those will be aesthetically pleasing.
  6. A minute number (possibly 0) of those will actually be usable.

20
Dec 13

Security and Usability – Yes, you read that right.

I want you to think for a second about the key you use most. Whether it’s for your house, your apartment, your car, or your office, just think about it for a moment.

Now, this key you’re thinking of is going to have a few basic properties. It consists of metal, has a blade extending out of it that has grooves along one or both sides, and either a single set of teeth cut into the bottom, or two sets of identical teeth cut into both the top and bottom.

If it is a car key, it might be slightly different; as car theft has increased, car keys have gotten more complex, so you might be thinking about a car key that is just a wireless fob that unlocks and/or starts the car based on proximity, or it might be an inner-cut key as is common with many Asian and European cars today.

Aside from the description I just gave you, when was the last time you thought about that key? When did you actually last look at the ridges on it?

It’s been a while, hasn’t it? That’s because that key and the lock it works with provide the level of security you feel that you need to protect that place or car, yet it doesn’t get in your way, as long as the key and the lock are behaving properly.

Earlier this week, I was on a chat on Twitter, and we were discussing aspects of security as they relate to mobile devices. In particular, the question was asked, “Why do users elect to not put a pin/passcode/password on their mobile devices?” While I’ve mocked the idea of considering security and usability in the same sentence, let alone the same train of thought while developing technology, I was wrong. Yes, I said it. I was wrong. Truth be told, Apple’s Touch ID is what finally schooled me on it. Security and usability should be peers today.

When Apple shipped the iPhone 5s and added the Touch ID fingerprint sensor, it was derided by some as not secure enough, not well designed, not a 100% replacement for the passcode, or simply too easy to defeat. But Touch ID does what it needs to do. It works with the user’s existing passcode – which Apple wisely tries to coax users into setting up on iOS 7, regardless of whether they have a 5s or not – to make day to day use of the device easier while living with a modicum of security, and it is a better approach to securing the data, the device, and the credentials stored in it and in iCloud than most users had prior to their 5s.

That last part is important. When we shipped Windows XP, I like to think we tried to build security into it to begin with. But the reality is, security wasn’t pervasive. It took setting aside a lot of dedicated time (two solid months of security training, threat modeling, and standing down on new feature work) for the Windows Security Push. We had to completely shift our internal mindset to think about security from end to end. Unlike the way we had lived before, security wasn’t to be a checkbox, it wasn’t a developer saying, “I used the latest cryptographic APIs”, and it wasn’t something added on at the last minute.

Security is like yeast in bread. If you add it when you’re done, you simply don’t have bread – well, at least you don’t have leavened bread. So it took us shipping Windows XP SP2 – an OS update so big and so significant many people said it should have been called a new OS release – before we ever shipped a Windows release where security was baked in from the beginning of the project, across the entirety of the project.

When it comes to design, I’ve mentioned this video before, but I think two of Jonathan Ive’s quotes in it are really important to have in your mind here. Firstly:

“A lot of what we seem to be doing in a product like that (the iPhone) is getting design out of the way.”

and secondarily:

“It’s really important in a product to have a sense of the hierarchy of what’s important and what’s not important by removing those things that are all vying for your attention.”

I believe that this model of thought is critical to have in mind when considering usability, and in particular where security runs smack dab into usability (or more often, un-usability). I’ve said for a long time that solutions like two-factor security won’t take off until they’re approachable by, and effectively invisible to, normal people. Heck, too much of the world didn’t ever set their VCR clocks for the better part of a decade because it was too hard, and it was a pain in the ass to do it again every time the power went out. You really don’t understand why they don’t set a good pin, let alone a good passcode, on their phone?

What I’m about to say isn’t meant to imply that usability isn’t important to many companies, including Microsoft, but I believe many companies are run, and many software, hardware or technology projects are started, run, and finished, with usability still just a checkbox. As security is today at Microsoft, usability should be embraced, taught, and rewarded across the organization.

One can imagine an alternate universe where a software project the world uses was stopped in its tracks for months, redesigned, and updated around the world because a user interface element was so poorly designed for mortals that they made a bad security decision. But this alternate universe is just that, an alternate universe. As you’re reading the above, it sounds wacky to you – but it shouldn’t! As technologists, it is our duty to build hardware, software, and devices where the experience, including the approach to security, works with the user, not against them. Any move that takes the status quo of “security that users self-select to opt into” and moves it forward a notch is a positive move. But any move here also has to just work. You can’t implement nerd porn like facial recognition if it doesn’t work all of the time or doesn’t provide an alternative for when it fails.

Projects that build innovative solutions where usability and security intersect should be rewarded by technologists. Sure, they should be critiqued and criticized, especially if designing in a usable approach really compromises the security fundamentals of the – ideally threat-modeled – implementation. But critics should also understand where their criticism falls down in light of the practical security choices most end users make in daily life.

Touch ID, with as much poking, prodding, questioning, and hacking as it received when it was announced, is a very good thing. It’s not perfect, and I’m sure it’ll get better in future iterations of the software and hardware, and perhaps as competitors come up with alternatives or better implementations, Apple will have to make it ever more reliable. But a solution that allows that bar to be moved forward, from a place where most users don’t elect to set a PIN or passcode to a place where they do? That’s a net positive, in my book.

As Internet-borne exploits continue to grow in both intensity and severity, it is so critical that we all start taking the usability of security implementations by normal people seriously. If you make bad design decisions about the intersection where security and usability collide, your end users will find their own desire path through the mayhem, likely making the easiest, and not usually the best, security decisions.

17
Dec 13

Goodbye, Facebook

As I posted on Facebook earlier today. Don’t worry, FB, I’m still not using G+ either, as you two rapidly collide into each other.

I’m not going to make this complicated, Facebook. It’s not me, it’s you.

I liked it when we first met, I thought it was cool how you’d help me find friends, family, co-workers I hadn’t talked to for years, even some people I’ve known since preschool. That was nice, and you didn’t try to grab my wallet every time a friend would join, like some of the “social networks” did before you came along (looking at you, Classmates).

But over the years, you’ve gotten a little bit creepy, and you rarely tell me anything new or important anymore. In fact, in terms of a “social network”, you don’t really do much for me in terms of telling me what family and friends are really up to. Instead, my wall isn’t about what is important to me, it’s ads, links from Upworthy, ThinkProgress, and other sites that have learned how to game the social graph to become front and center. Now your content is just as worthless as when Google let Demand Media and others game SEO to backfill the Web with crap content.

I’m not exactly sure what demographic you’re trying to tune Facebook for, and it sure seems like you may not know either.

So with that, Facebook, I’m gonna have to let you go. I’ve downloaded my archive (man, we did have some good times), and I’m going to have to let you go. Tomorrow afternoon, I’m pulling the plug. If you ever need to find me, I’m easy enough to find on the Web, email, and Twitter.

Take care, Facebook. I hope you figure out what the heck you want to be when you grow up.

Wes Miller


15
Dec 13

Letter from Thomas Jefferson to Eli Whitney Regarding the Cotton Gin

TO ELI WHITNEY (J. MSS.)

Germantown,
Nov. 16. 1793.

Sir, —
Your favor of Oct. 15. inclosing a drawing of your cotton gin, was received on the 6th inst. The only requisite of the law now uncomplied with is the forwarding a model, which being received your patent may be made out & delivered to your order immediately.

As the state of Virginia, of which I am, carries on household manufactures of cotton to a great extent, as I also do myself, and one of our great embarrassments is the clearing the cotton of the seed, I feel a considerable interest in the success of your invention, for family use. Permit me therefore to ask information from you on these points. Has the machine been thoroughly tried in the ginning of cotton, or is it as yet but a machine of theory? What quantity of cotton has it cleaned on an average of several days, worked by hand, by how many hands? What will be the cost of one of them made to be worked by hand? Favorable answers to these questions would induce me to engage one of them to be forwarded to Richmond for me. Wishing to hear from you on the subject I am &c.

P.S. Is this the machine advertised the last year by Pearce at the Patterson manufactory?

Thomas Jefferson

Excerpt From The Works of Thomas Jefferson, Vol. 8.


09
Dec 13

Thomas Jefferson on congressional conflict of interest

“I said that the two great complaints were that the national debt was unnecessarily increased, that it had furnished the means of corrupting both branches of the legislature. That he must know everybody knew there was a considerable squadron in both whose votes were devoted to the paper stock-jobbing interest, that the names of a weighty number were known & several others suspected on good grounds. That on examining the votes of these men they would be found uniformly for every treasury measure, that as most of these measures had been carried by small majorities they were carried by these very votes. That therefore it was a cause of just uneasiness when we saw a legislature legislating for their own interests in opposition to those of the people”

Excerpt From The Works of Thomas Jefferson, Vol. 1.

The more things change, the more they stay the same.