Musings after buying a smart plug

I know that people will go and start ranting on using terms like “Internet of Shit” just for the title I’m using here. Despite being as wary and cynical about the subject of connected appliances as the next security-aware engineer, I want to point out that those reactions are blind and lacking empathy. So if your answer is to think that you’re smarter than the plug and me combined, there’s maybe no reason for you to stay around to read the post.

I also need to put the usual disclaimer forward: I work for Google, a company that produces “smart” appliances. I don’t have anything to do with the hardware products, have no special insight into them, and I am her talking about things as myself alone. I’m also not really talking about Google hardware beside for a few references to the Assistant here and there, and that’s simply because I happen to be using Google Home as my hub.

As I said I’m fairly cynical about smart appliances. It took quite a bit for me to even buy a single one, but I’m now a very happy user of a LIFX Mini Colour smart bulb. It was probably this year’s best gadget buy for me, and it is not just about the ability to control the light with an app on my phone — or with the Assistant. The bulb can dim, change colours, and can be set onto a dynamic schedule. It’s extremely convenient, and an improvement in my quality of life, particularly by setting it to red as I go to sleep, instead of keeping it bright white.

Of course, like always when buying a device that relies on external services to work (the infamous “cloud”), I am still worried about the risk of the company going under, or dropping support for my specific device, and letting me deal with the broken pieces. But quite honestly, if you tried to avoid all the cloud-based services and hardware nowadays, you will end up a luddite. And maybe you want that. Besides IKEA, that requires their full bridge, I don’t know of any other smart home brand that provides local-only controls — and local-only means no talking to the Assistant to turn on the light as part of the morning routine.

I’m happy enough that my LIFX can be controlled without an active Internet connection (this happened before). Maybe I’ll follow Matthew Garrett’s example and start reverse engineering it into a Python script for the rainy days.

But I digressed enough. What I wanted to talk about was rather smart plugs. Because that’s a device I’m not entirely sold on the idea of smart plugs, I started the original draft of this post because I thought they were completely useless. I changed my own mind as I was writing this, and that’s why I actually wanted to post this.

So why did I buy a smart plug if I am not sold on the idea? Well, since this is our first Christmas together, my girlfriend wants to have a proper Christmas tree at home. And since I would like to see the tree while I approach the apartment on the bus or on foot (hey, I have not had a Christmas Tree for more than a decade, I can have some fun!), I would like to have IFTTT turn it on for me.¹

I ended up buying a TP-Link Smart Plug (UK version), which comes with their own app, and integration with the various services including IFTTT and Google Assistant. Which means we’ll be able to say “Hey Google, turn on the Christmas Tree!”

There are differences between a smart bulb and a plug though. The former adds a significant amount of value add, with things like dimming, different colours, and so on. A smart plug is still only a binary operator, it’s either on, or off. You cannot do fine-grained control over that, you can only turn things on or off.

So after thinking about this, I realized there are a few requirements for something to make sense to have connected to a smart plug:

It needs to be something that cannot stay on standby the whole day. Because if it can, there’s no real advantage in having a smart plug for it, keeping it in stand by is easier, and can easily be cheaper, as the stand-by of the plug connected to WiFi might be higher consumption than the device itself.

It needs to be something that can be at least “readied” unattended. Turning on the plug for a hairdryer is not going to be very useful, if you’re not there to use it. Also if readying something unattended is too risky, it’s a bad idea to use a smart plug. This is the case for clothes irons for instance; I wouldn’t want to turn mine on if I’m not there to make sure that it’s not on top of something it shouldn’t be.

If it’s something that comes with consumables, it needs to have big enough reserves, or a way to feed itself. Going back to the clothes iron, the one I have does not have enough of a water tank. If I was to turn it on too soon, it would just waste all of it and I would go and find it empty, which is just as bad.

Given these considerations, one of the common suggestions I hear is coffee makers. At first I thought this was pointedly American, as indeed a percolator style coffee can be filled in in the evening, and then be set to turn on in the morning and make coffee for you to drink. When I spent extensive time in Los Angeles, I used the timer on a percolator to make sure I would have hot “coffee” ready immediately after waking up. But then I realized that this is very similar for Italian-style espresso machines, too: they have an internal boiler that takes a while to get to temperature and be usable, they usually have a tank big enough for a full day (or in some cases they may be connected to the water mains), and they consume enough power in standby that you wouldn’t want to keep it turned on overnight. For those who don’t drink coffee, the same can be true of automated teawakers or teamakers — I had one from Twinings back in Italy.

Another appliance that fits the bill fairly well is the electric bathroom heater, or towel rack. Heating in general is likely better suited by a smarter “whitebox” approach — indeed I have booked an appointment to install a Nest thermostat at my apartment, after getting my landlord’s permission, because I want to be able to automate hot water availability and easily tweak the temperature over the day. But in some cases, you have additional bathroom heating that has less control: I have on/off towel racks in my bathrooms in London, and my mother uses a small electric heater in Italy, after we messed up with the house’s heating plan by replacing a bulky and leaky boiler with a more modern and efficient one.

Now for both of these examples, smart plugs are not the only obvious solution. Indeed, percolators, teawakers, and espresso machines, as well as many small electric heater, often come with their own timer. This works great for the people who have a clear schedule and fixed routine. In my case that’s rarely the case: I wake up at a different time depending on what my day looks like, sometimes I oversleep because I had a bad night, sometimes I’m up earlier than average because my girlfriend is staying over and she has to go to work. A similar result exists for my mother due to different requirements: she lives alone and really doesn’t have any reason to get up a fixed time unless she’s waiting for deliveries, services, or stuff like that. And since the house is on two floors, and she has knee pain, being able to turn on the heating, get the bathroom ready, or make sure that the coffee machine is warmed up without having to get downstairs immediately, would be a very nice feature.

I can definitely see myself appreciating the idea of saying “Hey Google, Good Morning”, and know that by the time I finished listening to the BBC News headlines, the coffee is ready and still hot for me, while the bathroom is warm enough to take a shower in. Doesn’t really work for me here, because I make pour-over coffee, and the towel rack is not controlled by a normal plug, but I can dream can’t I?

By the way, Google Assistant can do that, although it’s a bit hidden: from the [Home](https://play.google.com/store/apps/details?id=com.google.android.apps.chromecast.app app, go into the Account tab (the last one on the right), click Settings, go to the Assistant tab, and then select Routines. From there you can set up the actions you want taken when you give it a specific hotphrase.

For most of other appliances, I would probably need more whitebox smartness. I already rely on the timer for my washing machine, but it would be nice to just put it into “standby”, loaded and locked, but not start it until I wake up, or until I’m actually leaving the apartment (I don’t get woken up by the noise of the one I have here in London, but I would have been by the one in Dublin). And something that can remind me was I get home (“Hey Google, I’m home”) that I need to unload the dishwasher.

One of the things that I actually nearly considered giving a smart plug to was the Air Wick freshner. While I would love having a fine grained intensity control that would keep a background fragrance during the day, but raise it just as I’m ready to get home, to make me feel good, just having the ability to turn it off the moment I leave and on again when I come back home, would be a very nice thing to have. On the other hand, it turns out that the plug-in device consumes significantly less power than the smart plug in stand-by, so it makes no sense as it is.

I guess using more sophisticated fragrance delivery devices, such as Yankee Candle’s Scenterpiece (that my mother has, at home) would make more sense. Alternatively, Muji has very nice oil burners, though they have a small tank for water, and candle warmers are getting more common (these are probably better than the Scenterpiece in my experience). Unfortunately these are usually table-top devices, rather than plug-in, and I don’t have the space where I would want to use it. So if someone from Air Wick or Ambi Pur is reading, consider that I would pay just as much as a smart plug to have a smart plug-in freshener that can be set to adjust the intensity over the day!

So to close it up, I’m somewhat skeptical about getting more smart plugs for myself, but I can definitely see a number of useful cases for them, as well as for smarter “whitebox” appliances. Indeed, if my mother had a decent Internet connection in 2018, I would probably set her up with quite a few of those, to make her life easier. Call them accessibility helpers, maybe.

You may remember that I have some particular attachment to Christmas lights Rube Goldberg machinery. The idea of having my own IFTTT-compatible smart Chrimast light tube did pass through my head. ↩

Ads, spying, and my personal opinion

In the past year or so, I have seen multiple articles, even by authors who I thought would have more rational sense to them, over the impression that people get about being spied upon by technology and technology companies. I never got particularly bothered to talk about them, among other things because the company I work for (Google) is one that is often at the receiving end of those articles, and it would be disingenuous for me to “defend” it, even though I work in Site Realiability, which gives me much less insight in how tracking is done than, say, my friends who work in media at other companies.

But something happened a few weeks ago gave me an insight on one of the possible reasons why people think this, and I thought I would share my opinion on this. Before I start let me make clear that what I’m going to write about is something that is pieced together with public information only. As you’ll see soon, the commentary is not even involving my company’s products, and because of that I had access to no private information whatsoever.

As I said in other previous posts, I have had one huge change in my personal life over the past few months: I’m in a committed relationship. This means that there’s one other person beside me that spends time in the apartment, using the same WiFi. This is going to be an important consideration as we move on later.

Some weeks ago, my girlfriend commented on a recent tourism advertisement campaign by Lithuania (her country) on Facebook. A few hours later, I received that very advertisement on my stream. Was Facebook spying on us? Did they figure out that we have been talking a lot more together and thus thought that I should visit her country?

I didn’t overthink it too much because I know it can be an absolute coincidence.

Then a few weeks later, we were sitting on the sofa watching Hanayamata on Crunchyroll. I took a bathroom break between episodes (because Cruncyroll’s binge mode doesn’t work on Chromecast), and as I came back she showed me that Instagram started showing her Crunchyroll ads — “Why?!” We were using my phone to watch the anime, as I have the account. She’s not particularly into anime, this was almost a first as the material interested her. So why the ads?

I had to think a moment to give her an answer. I had to make a hypothesis because obviously I don’t have access to either Crunchyroll or Instagram ads tracking, but I think I’m likely to have hit close to the bullseye and when I realized what I was thinking of, I considered the implications with the previous Facebook ads, and the whole lot of articles about spying.

One more important aspect that I have not revealed yet, is that I requested my ISP to give me a static, public IPv4 address instead of the default CGNAT one. I fell for the wet dream, despite not really having used the feature since. It’s handy, don’t get me wrong, if I was to use it. But the truth is that I probably could have not done so and I wouldn’t have noticed a difference.

Except for the ads of course. Because here’s how I can imagine these two cases to have happened.

My girlfriend reads Lithuanian news from her phone, which is connected to my WiFi when she’s here. And we both use Facebook on the same network. It’s not terribly far-fetched to expect that some of the trackers on the Lithuanian news sites she visits are causing the apartment’s stable, static, public IP address to be added to a list of people possibly interested in the country.

Similarly, when we were watching Crunchyroll, we were doing so from the same IP address she was checking Instagram. Connect the two dots and now you have the reason why Instagram thought she’d be a good candidate for seeing an advert for Crunchyroll. Which honestly would make more sense if they intended to exclude those who do have an account, in which case I would not have them trying to convince me to… give them the money I already give them.

Why do I expect this to be IP tracking? Because it’s the only thing that makes sense. We haven’t used Facebook or Messenger to chat in months, so they can’t get signal from that. She does not have the Assistant turned on on her phone, and while I do, I’m reasonably sure that even if it was used for advertisement (and as far as I know, it isn’t), it would not be for Facebook and Instagram.

IP-based tracking is the oldest trick in the book. I would argue that it’s the first tracking that was done, and probably one of the least effective. But at the same time it’s mostly a passive tracking system, which means it’s much easier to accomplish under the current limits and regulations, including but not limited to GDPR.

This obviously has side effects that are even more annoying. If the advertisers start to target IP address indiscriminately, it would be impossible for me or my girlfriend to search for surprises for each other. Just to be on the safe side, I ordered flowers for our half-year anniversary from the office, in the off-chance that the site would put me on a targeting list for flower ads and she could guess about it.

This is probably a lot less effective for people who have not set up static IP addresses, since there should be a daily or so rotation of IP addresses that confuses the tracking enough. But I can definitely see how this can also go very wrong when a household dynamic are pathological, if the previous holder of the address managed to get the IP on targeted lists for unexpected announces.

I have to say that in these cases I do prefer when ads are at least correctly targeted. You can check your Ads preferences for Google and Facebook if you want to actually figure out if they know anything about you that you don’t want them to. I have yet to find out how to stop the dozens of “{Buzzword} {Category} Crowdfunding Videos” pages that keep spamming me on Facebook though.

Updated “Social” contacts

Given the announcement of Google+ shutdown (for consumer accounts, which mine actually was not), I decided to take some time to clean up my own house and thought it would be good to provide an update of where and why you would find me somewhere.

First of all, you won’t find me on Google+ even during the next few months of transition: I fully deleted the account after using the Takeout interface that Google provides. I have not been using it except for a random rant here and there, or to reach some of my colleagues from the Dublin office.

If you want to follow my daily rants and figure out what I actually complain the most loudly about, you’re welcome to follow me on Twitter. Be warned that a good chunk of it might just be first-world London problems.

The Twitter feed also gets the auto-share of whatever I share on NewsBlur, which is, by the way, what I point everyone to when they keep complaining about Google Reader. Everybody: stop complaining and just feel how much better polished Samuel’s work is.

I have a Facebook account, but I have (particularly in the past couple of years), restricted it to the people I actually interact with heavily, so unless we know each other (online or in person) well enough, it’s unlikely I would accept a friend request. It’s not a matter of privacy, given that I have written about my “privacy policy”, it’s more about wanting to have a safe space I can talk with my family and friends without discussions veering towards nerd-rage.

Also, a few years ago I decided that most of my colleagues, awesome as they are, should rather stay at arms’ length. So with the exception of a handful of people who I do go out with outside the office, I do not add colleagues to Facebook. Former colleagues are more likely.

If you like receiving your news through Facebook (a negative idea for most of tech people I know, but something that the non-tech folks still widely prefer it seems), you can “like” my page, which is just a way for WordPress to be able to share the posts to Facebook (it can share to pages, but not to personal accounts, following what I already complained before about photos). The page also gets the same NewsBlur shared links as Twitter.

Talking about photos, when Facebook removed the APIs, I started focusing on posting only on Flickr. This turned out to be a bit annoying for a few of my friends, so I also set up a page for it. You’re welcome to follow it if you want to have random pictures from my trips, or squirrels, or bees.

One place where you won’t see me is Mastodon or other “distributed social networks” — the main reason for it is that I got already burnt by Identi.ca back in the days, and I’m not looking forward to have a repeat of the absolute filter bubble there, or the fact that, a few years later, all those “dents” got lost. As much as people complain how Twitter is ephemeral, I can still find my first tweet, while identi.ca just disappeared, as I see it, in the middle of nowhere.

And please stop even considering following me on Keybase please.

Yesterday’s Disruptors, Today’s Encumbents

You know, I always found it annoying how online stores such as Amazon, or even IKEA, have been defined “disruptors” all these years. But nowadays I can mostly see how they changed the rules of the game, particularly in favour of the customers themselves, against their own workers, and suppliers. And so, nowadays, I can accept that they have been called that way for a reason.

Of course that’s not to say that I agree them being called that way still.

Since I have moved to London last year, I have been using both Amazon and IKEA shipping quite a bit, whether it is for the random bits and bobs (Amazon) or full blown household furniture (IKEA). It’s kind of needed sometimes, or at least very convenient, because you know there’s selection and (usually) good customer support.

But at the same time, things are no longer smooth as they used to be. Or maybe they are just as smooth, but we (I) got to expect better from them.

Let’s take IKEA: I wanted to order a number of items from them just last week: a garbage bin, a bedding set and some extra towels, as well as some spice jars. I put everything in my “bag”, and tried checking out. Somehow the PayPal integration failed, the loading page got stuck, and I tried restarting… and the site decided to lock my bag “for up to 45 minutes” because of the incomplete checkout.

I’m not sure how the locking is done and timed out, because an hour later it still didn’t let me order, despite logging out and back in. So I ended up going to Marks and Spencer’s website and order (more expensive) bedding set and towels from there. Alas their shipping option appears to be significantly worse as a track record (it got split into three deliveries, and only one made to my office’s mailroom by the expected date, but it was not urgent at all). But the checkout worked perfectly fine.

Unfortunately M&S didn’t have a bin, so I looked for one at Amazon and found something I liked for £25, so on Friday I ordered it with a “nominated day delivery” of Tuesday. That should be enough lead time, no? I also ordered a smaller trash container for the bathroom, to throw things like the non-sharps injection side-results.

Fast forward to Tuesday, when I took a day off work (because I needed to relax anyway), which I spent assembling the daybed I got from IKEA… a year ago (oops!) By 2pm I see that the smaller of the two bins is “Out for delivery”, but the bigger one (the one I really needed!) was not. Although with an expected delivery of the same day, between 7am and 10pm. I have immediately contacted Amazon on Twitter, pointing out the low likelihood of them delivery on the day, but they insisted that it was still going to be delivered.

Cue 4pm when I get an email (but obviously enough no Android push notification) that tells me that they are sorry, but a delay caused the delivery to be skipped on the day and that it would happen in a one-week window following it.

You read that right. They suggested that, for an item that was meant to delivered on October 2nd, and missed delivery, the new delivery window would be October 3rd to 9th. You can imagine just how happy, as a customer, I would be about that. So I called Amazon up, and asked them to cancel the delivery, because I already skipped a day of work (sure I was going to take the day off anyway, but I could have gone out to Kew Gardens instead of staying in to wait for them), and I wouldn’t want to spend an unbound amount of days home in the hope that they would be able to deliver a garbage bin. They confirmed it would be done and an email sent to me “within 24-48 hours” and I thanked them.

Then, I ordered a (different) bin on Argos. They actually had the same bin, but at £32. I didn’t need anything as fancy, and their lower end was actually much better looking than Amazon’s, so I settled for a £10 model. And for £3.95, they allow you to select a 3 hours delivery window — If I did that right when I realize the delivery would have been missed, Argos would have delivered the same day, instead I had to settle for the following day, Wednesday, between 7am and 10am. Indeed the day after, at at 7.20am, I was the happy owner of a cheap, simple garbage bin.

This is not the first time that, on Amazon’s failure, I redirected on Argos. And after this adventure, I think they’ll just be my first and default destination for anything that I want delivered at home (which is usually bulky stuff too uncomfortable to bring across London on the Piccadilly). The last time, it was a clothes iron and board, that somehow Amazon refused to do any nominated day delivery for. Argos was happy to deliver them on a Saturday morning intead. And practically speaking, a 7am-10am delivery weekday window means I can receive at any day, before heading to the office.

I wish that it all ended there, though.

On the same Wednesday that I received the Argos delivery, while at work, the Amazon app on my phone decided to notify me that the bin (the one that I asked to cancel the delivery of), was going to be delivered that day. I once again turned to Twitter where Amazon informed me that the request for cancellation might not have been reflected yet, and that they will not deliver if it was requested not to.

Except that at around 6pm, while I was commuting home, I also received another notification to tell me that the package was delivered. Checking this, it reported the package was delivered “to the resident” — except that my building requires a fob to access, and I was nowhere near home to let them in. So either they left it in the corridor (assuming someone else opened them the main door) or they left it outside altogether (in which case, it would be unlikely for it to stay around until I made it home).

Since the Amazon Android app allows you to contact them via chat, I did so, selecting the order with the bins, explain the situation, and explicitly talking about the nominated day delivery failure. At which point they confirm they would prepare a return request, and that they would organize for pick up. I also note with them that it’s a 40 litres bin, which makes the box very big and not something I’d bring to the post office myself. I also made sure to point out with them that, as I would not have an idea where they manage to leave the box without me, I would just leave it there, and let them pick it up the same way they left them. They confirmed all of this is okay, and after greetings disconnected the chat.

A few minutes later I get an email confirming the return request for… an unrelated set of bamboo spoons that arrived the same day. Not the one I was talking about, which would have been clear from both the bulk of the object we have been talking about, the delivery type, and the delivery address. And of course the price of the spoons was significantly lower than the bin. Sigh.

Another round of chat with Amazon, and they issued the return for the right item. They also told me not to worry about the pick up, and that I could keep the bin… which I don’t need anymore and would take a lot of space. I asked explicitly for a pick up anyway, and they agreed to organize it with Hermes. It was not until I got home and checked the email they sent me, that they expected me to print the return label — but I have no printer at home.

At least expecting Hermes to contact me, if anything to complain that they can’t access the building, I left the box in the hallway where they left it for the day after. Two days later, no pick up, no note, and no call later, I checked the status of the return to find out that they marked it as “completed”. While leaving the box with me. And I now have a fancy bin in the master bathroom, which is open to a good home in West London if someone were to want to deal with it (but probably not worth doing).

I’ll add a few more words about this later on, as Amazon in particular seems to be going the wrong way, for me at least.

Software systems and institutional xenophobia

I don’t usually write about politics, because there are people with more sophisticated opinions and knowledge out there, compared to me, playing at the easiest level, to quote John Scalzi, and rarely having to fear for my future (except for when it comes to health problems). But today I need to point out something that worries me a lot.

We live in a society that, for good or bad (and I think it’s mostly for good), is more and more tied to computer systems. This makes it very easy for computer experts of one kind or another (like me!) to find a job, particularly a good paying job. But at the same time it should give us responsibilities for what we do with our jobs.

I complained on Twitter how most of the credit card application forms here in the UK are effectively saying “F**k you, immigrant scum” by not allowing you to complete the application process if you have less than three years’ addresses in the UK. In the case of a form I tried today, even though the form allows you to specify an “Overseas address” as previous address, which allows you to select Ireland as a country, it still verifies the provided post code to UK standards, and refuses you to continue the process without it.

This is not the first such form. Indeed, I ended up getting an American Express credit card because they were the only financial institution that could be convinced to take me on as a customer, with just two months living in this country, and a full history of addresses for the previous five years and more. And even for them, it was a bit of an issue to find an online form that did indeed allow me to type that in.

Yet another of the credit card companies rejected my request because “[my] file is too thin” — despite being able to prove to them I’m currently employed full time with a very well paying company, and not expecting to change any time soon. This is nearly as bad as the NatWest employee that wanted my employer’s HR representative to tell them how long they expected me to live in the UK.

But it’s not just financial institutions, it’s just at any place where you provide information, and you may end up putting up limitations that, though obviously fine for your information might not be for someone else. Sign-up forms where putting a space in a name or surname field is an error. Data processing that expects all names to only have 7-bit ASCII encoding. Electoral registries where names are read either as Latin 1 or Latin 2.

All of these might be considered smaller data issues of nearsighted developers, but they also show how these can easily turn into real discrimination.

When systems that have no reason to discard your request on the basis of the previous address have a mistake that causes the postcode validation to trigger on the wrong format, you’re causing a disservice and possible harm to someone who might really just need a credit card to be able to travel safely.

When you force people to discard part of their name, you’re going to cause them disservice and harm when they will need a full history of what they did — I had that problem in Ireland, applying for a driving learner permit, not realising that the bills for Bord Gáis Energy wrote down my name wrong (using Elio as my surname).

The fact that my council appears to think that they need to use Latin-2 to encode names, suggests they may expect that their residents are all either English or Eastern European, which in turn leads to the idea of some level of segregation of them away from Italian, French or Irish, all of which depend on Latin-1 encodings instead.

The “funnies” in Ireland was a certain bank allowing you to sign up online with no problems… as long as you had a PPS (tax ID) issued before 2013 — after that year, a new format for the number was in use, and their website didn’t consider it valid. Of course, it’s effectively only immigrants who, in 2014, would be trying to open a bank account with such codes.

Could all of these situation be considered problems with incompetence? Possibly yes. Lots of people are incompetents, in our field. But it also means that there was no coverage for these not-so-corner cases in the validation. So it’s not just an incompetent programmer, it’s an incompetent programmer paired with an incompetent QA engineer. And an incompetent product manager. And an incompetent UX designer… that’s a lot of incompetence put together for a product.

Or the alternative is that there is a level of institutional xenophobia when it comes to software development. In the UK just as in Ireland, Italy and in the United States. The idea that the only information that are being tested are those that are explicitly known to the person doing the development is so minimalist as to be useless. You may as well not validate anything.

Not having anyone from the stakeholders to the developers and testers consider “Should a person from a different culture with different naming, addressing, or {whatever else} norms be able to use this?” (or worse, consider it and answering themselves “no”), is something I consider xenophobia¹.

I keep hearing calls to pledge ethics in the field of machine learning (“AI”) and data collection. But I have a feeling that those fields have much less impact on the “median” part of the population. Which is not to say you shouldn’t have ethical consideration in them at all. But rather than we should start with teaching ethics in everyday’s data processing too.

And if you’re looking for some harsh laugh after this mood-killing post, I recommend this article from The Register.

Yes I’m explicitly not using the word “racism” here, because then people will focus on that, rather than the problem. A form does not look at the colour of your skin, but does look at whether you comply with its creators idea of what’s “right”. ↩

Passwords, password managers, and family life

Somehow, I always end up spending time writing about passwords when I even breach the subject on Twitter.

In this case, I’ve been asking around about password managers, as after many years with LastPass I want to reconsider if there is a better alternative, particularly as my needs have changed (or rather, are going to, in the not too distant future).

One of the thing that I’m looking for is a password manager that can generate diceware/xkcd-style passwords: a set of words in a certain language that are easy to say on (say) the phone, and type on systems where there is no password manager app. The reason for this is that there are a few places in which I need to be able to give the password to someone else who might not otherwise be trusted with the full password list. For instance the WiFi password for my apartment, or my mother’s house.

But it’s a bit more complicated than that. There are a number of situations where an account is not just an user. Or rather, you may want to allow h multiple users (people) to access the same account. Say for instance my energy provider’s dashboard. Or the phone provider. Or the online grocery shopping…

All of these things expect a single (billing) account, but they may rather be shared with a household than with a single individual. A few services do have a concept of a shared account, but very few do, and that makes less and less sense as the world progresses to such an everything-connected level.

I think it might be easy to figure out from the way I’ve been expressing this just above, but just to make sure not to leave “clues” rather than clear information that can be obviously be taken for public knowledge, I got to think about this because I have (finally, someone might say) found a soulmate. And while we don’t yet live together, I start to see the rough corners of these. We have not gotten to “What’s the Netflix password, again?” but I did end up changing the password to the account for Los Angeles transport card, to give her access, after setting it first with LastPass (we were visiting, and I added both of our TAP cards to the same account).

As I made clear earlier, part of this was a (minor) problem with my mother, too. But significantly less so: she never cared to have access to the power provider, phone company, and so on. Just as long as she had a copy of the invoices from time to time (which I solved by having a mailing list, which only the two of us subscribe to, as the contact address for all the services I use or used for the household in Italy).

Service providers take note: integrating with Google Drive or Dropbox so that the invoices get automatically added to a shared folder would be a lovely feature to have. And not just for households. I would love if it was easier to just have a copy of my invoices automatically added to, and indexed by, Google Drive.

But now, with a partner, it’s different. As the word implies, it’s a partnership, an equal standing. Once we will move in, we’ll share the expenses, and that means sharing the access to the accounts. Which means I don’t want to be the only one having the passwords. So I need a password manager that not only allows me to share the passwords easily, but also that allows her to use the passwords easily — which likely will translate to be able to read them off the phone, and type in a work computer’s incognito window (because she likely won’t be allowed to install the password manager on a work computer).

Which is why I’m looking for a new password manager: LastPass is actually fairly great when it comes to sharing passwords with other accounts. But it’s effectively useless when it comes to “typeable” passwords. Their “Make pronounceable” option is okay to make it easier to spell out, but I don’t want to have to use an eight-letters password to be able to type it easily, when I could just as easily use a three-words combination that is significantly stronger.

And while I could just use xkcdpass on my laptop and generate those shared passwords (which is what I did with my mother’s router), that does not really scale (it still keeps me as the gatekeeper), and it does not make the security usability for my SO. And it wouldn’t be fair to keep the password hygiene for me only.

Similarly, any solution that involves running personal infrastructure (servers, cron, git, whatever) is not an option: not only I’m increasingly not relying on it myself (I even gave up on running my own blog’s webapp!), but most of my family is not even slightly interested in figuring out how to do that. And I don’t blame the least, they have enough of their own things to care about.

If you have any suggestions for a new password manager, please do let me know. I think I may try 1Password next, if nothing else because I think Troy Hunt’s opinion is worth something, and if he backed 1Password, there has to be a reason.

FreeStyle Libre and first responders

Over on Twitter, a friend asked me a question related to the FreeStyle Libre, since he knew that I’m an user. I provided some “soundbite-shaped” answers on the thread but since I got a few more confused replies afterwards, I thought I would try to make the answer a bit more complete:

@EoghanCon11 @FreeStyleDiabet @FreeStyleLibre @AmbulanceNAS @Hannah199911 @flameeyes any idea if this is possible?… twitter.com/i/web/status/1…
—
Ciarán Handley (@ciaranhandley) July 29, 2018

Let’s start with a long list of caveats here: I’m not a doctor, I’m not a paramedic, I do not work for or with Abbott, and I don’t speak for my employer. All the opinions that follow are substantiated only by my personal experiences and expertise, which is to say, I’m an user of the Libre system and I happen to be a former firmware engineer (in non-medical fields) and have a hobby of reverse engineering glucometer communication protocols. I will also point out that I have explicitly not looked deeply into the NFC part of the communication protocol, because (as I’ll explain in a minute), that crosses the line of what I feel comfortable releasing to the public.

Let me start with the immediate question that Ciarán asks in the tweet. No, the communication between the sensor and the reader device (or phone app) is not authenticated or protected by a challenge/response pair, as far as I know. From what I’ve been told (yes I’m talking through hearsay here, but give me a moment), the sensor will provide the response no matter who is asking. But the problem is what that response represent.

Unlike your average test strip based glucometer, the sensor does not record actual blood glucose numbers. Instead it reports a timeseries of raw values from different sensors. Pierre Vandevenne looked at the full response and shed some light onto the various other values provided by the sensor.

How that data is interpreted by the reader (or app) depends on its calibration, which happens in the first 60 minutes of operation of the sensor. Because of this, the official tools (reader and app) only allows you to scan a sensor with the tool that started it — special concessions are made for the app: a sensor started by a reader device can be also “tied” to the app, as long as you scan it with the app during the first hour of operation. It does not work the other way, so if you initialize with the app, you can’t use the reader.

While I cannot be certain that the reader/app doesn’t provide data to the sensor to allow you to do this kind of dual-initialization, my guess is that they don’t: the launch of the app was not tied with any change to the sensors, nor with warnings that only sensors coming from a certain lot and later models would work. Also, the app is “aware” of sensors primed by the reader, but not vice-versa, which suggests the reader’s firmware just wouldn’t allow you to scan an already primed sensor.

Here is one tidbit of information I’ll go back to later on. To use the app, you need to sign up for an account, and all the data from the sensor is uploaded to FreeStyle’s servers. The calibration data appears to be among the information shared on the account, which allows you to move the app you use to a new phone without waiting to replace the sensor. This is very important, because you don’t want to throw away your sensor if you break your phone.

The calibration data is then used together with non-disclosed algorithms (also called “curves” in various blogs) to produce the blood glucose equivalent value shown to the user. One important note here is that the reader and the app do not always agree on the value. While I cannot tell for sure what’s going on, my guess is that, as the reader’s firmware is not modifiable, the app contains newer version of the algorithms, and maybe a newer reader device would agree with the app. As I have decided not to focus on reversing the firmware of the reader, I have no answer there.

Can you get answers from the sensor without the calibration data? As I’m not sure what that data is, I can’t give a definite answer, but I will note that there are a number of unofficial apps out there that purport of doing exactly that. These are the same apps that I have, personally, a big problem with, as they provide zero guarantee that their results are at all precise or consistent, and scare the crap out of me, if you plan on making your life and health depend on them. Would the paramedics be able to use one of those apps to provide vague readings off a sensor? Possibly. But let me continue.

The original tweet by Eoghan asks Abbott if it would be possible for paramedics to have a special app to be able to read the sensor. And here is where things get complicated. Because yes, Abbott could provide such an app, as long as the sensor was initialized or calibration-scanned by the app within the calibration hour: their servers have the calibration data, which is needed to move the app between phones without losing data and without waiting for a new sensor.

But even admitting that there is no technical showstopper to such an app, there are many more ethical and legal concerns about it. There’s no way that the calibration data, and even the immediate value, wouldn’t be considered Sensitive Personal Data. This means for Abbott to be able to share it with paramedics, they would have to have a sharing agreement in place, with all the requirements that the GDPR impose them (for good reason).

Adding to this discussion, there’s the question of whether it would actually be valuable to paramedics to have this kind of information. Since I have zero training in the field, I can’t answer for sure, but I would be cautious about trusting the reading of the sensor, particularly if paramedics had to be involved.

The first warning comes from Abbott themselves, that recommend using blood-based test strips to confirm blood sugar readings during rapid glucose changes (in both directions). Since I’m neither trained in chemistry nor medicine, I don’t know why that is the case, but I have read tidbits that it has to do with the fact that the sensor reads values from interstitial fluid, rather than plasma, and the algorithms are meant to correlate the two values. Interstitial fluid measurements can lag behind the plasma ones and thus while the extrapolation can be correct for a smooth change, it might be off (very much so) when they change suddenly.

And as a personal tale, I have experienced the Libre not reporting any data, and then reporting very off values, after spending a couple of hours in very cold environment (in Pittsburgh, at -14°C). Again, see Vandevenne’s blog for what’s going on there with temperatures and thermal compensation.

All in all, I think that I would trust better a single fingerprick to get a normal test-strip result, both because it works universally, whether you do have a sensor or not, and because its limitations are much better understood both by their users and the professionals. And they don’t need to have so many ethical and legal implications to use.

Two words about my personal policy on GitHub

I was not planning on posting on the blog until next week, trying to stick on a weekly schedule, but today’s announcement of Microsoft acquiring GitHub is forcing my hand a bit.

So, Microsoft is acquiring GitHub, and a number of Open Source developers are losing their mind, in all possible ways. A significant proportion of comments on this that I have seen on my social media is sounding doomsday, as if this spells the end of GitHub, because Microsoft is going to ruin it all for them.

Myself, I think that if it spells the end of anything, is the end of the one-stop-shop to work on any project out there, not because of anything Microsoft did or is going to do, but because a number of developers are now leaving the platform in protest (protest of what? One company buying another?)

Most likely, it’ll be the fundamentalists that will drop their projects away to GitHub. And depending on what they decide to do with their projects, it might even not show on anybody’s radar. A lot of people are pushing for GitLab, which is both an open-core self-hosted platform, and a PaaS offering.

That is not bad. Self-hosted GitLab instances already exist for VideoLAN and GNOME. Big, strong communities are in my opinion in the perfect position to dedicate people to support core infrastructure to make open source software development easier. In particular because it’s easier for a community of dozens, if not hundreds of people, to find dedicated people to work on it. For one-person projects, that’s overhead, distracting, and destructive as well, as fragmenting into micro-instances will cause pain to fork projects — and at the same time, allowing any user who just registered to fork the code in any instance is prone to abuse and a recipe for disaster…

But this is all going to be a topic for another time. Let me try to go back to my personal opinions on the matter (to be perfectly clear that these are not the opinions of my employer and yadda yadda).

As of today, what we know is that Microsoft acquired GitHub, and they are putting Nat Friedman of Xamarin fame (the company that stood behind the Mono project after Novell) in charge of it. This choice makes me particularly optimistic about the future, because Nat’s a good guy and I have the utmost respect for him.

This means I have no intention to move any of my public repositories away from GitHub, except if doing so would bring a substantial advantage. For instance, if there was a strong community built around medical devices software, I would consider moving glucometerutils. But this is not the case right now.

And because I still root most of my projects around my own domain, if I did move that, the canonical URL would still be valid. This is a scheme I devised after getting tired of fixing up where unieject ended up with.

Microsoft has not done anything wrong with GitHub yet. I will give them the benefit of the doubt, and not rush out of the door. It would and will be different if they were to change their policies.

So here's a more serious discussion of what 'GitHub' is, and why Microsoft's acquisition of it is so important: Chi… twitter.com/i/web/status/1…
—
Robᵉʳᵗ Graham 🤔 (@ErrataRob) June 03, 2018

Rob’s point is valid, and it would be a disgrace if various governments would push Microsoft to a corner requiring it to purge content that the smaller, independent GitHub would have left alone. But unless that happens, we’re debating hypothetical at the same level of “If I was elected supreme leader of Italy”.

So, as of today, 2018-06-04, I have no intention of moving any of my repositories to other services. I’ll also use a link to this blog with no accompanying comment to anyone who will suggest I should do so without any benefit for my projects.

The dot-EU kerfuffle — or how EURid is messing with their own best supporters

TL;DR summary: be very careful if you use a .eu domain as your point of contact for anything. If you’re thinking of registering a .eu domain to use as your primary domain, just don’t.

I have forecasted a rant when I pointed out I changed domain with my move to WordPress.

I have registered flameeyes.eu nearly ten years ago, part of the reason was because flameeyes.com was (at the time) parked to a domain squatter, and part because I have been a strong supported of the European Union.

In those ten years I started using the domain not just for my website, but as my primary contact email. It’s listed as my contact address everywhere, I have all kind of financial, commercial and personal services attached to that email. It’s effectively impossible for me to ever detangle from it, even if I spend the next four weeks doing nothing but amending registrations — some services just don’t allow you to ever change email address; many requires you to contact support and spend time talking with a person to get the email updated on the account.

And now, because I moved to the United Kingdom, which decided to leave the Union, the Commission threatens to prevent me from keeping my domain. It may sound obvious, since EURid says

A website with a .eu or .ею domain name extension tells your customers that you are a legal entity based in the EU, Iceland, Liechtenstein or Norway and are therefore, subject to EU law and other relevant trading standards.

But at the same time it now provides a terrible collapse of two worlds: technical and political. The idea that you any entity in control of a .eu domain is by requirement operating under EU law sounds good on paper… until you come to this corner case where a country leaves the Union — and now either you water down this promise, eroding trust in the domain by not upholding this law domain, or you end up with domain takeover, eroding trust in the domain on technical merit.

Most of the important details for this are already explained in a seemingly unrelated blog post by Hanno Böck: Abandoned Domain Takeover as a Web Security Risk. If EURid will forbid renewal of .eu domains for entities that are no longer considered part of the EU, a whole lot of domains will effectively be “up for grabs”. Some may currently be used as CDN aliases, and be used to load resources on other websites; those would be the worst, as they would allow the controller of the domains to inject content in other sites that should otherwise be secure.

But even more important for companies that used their .eu domain as their primary point of contact: think of any PO, or invoice, or request for information, that would be sent to a company email address — and now think of a malicious actor getting access to those communications! This is not just the risk that me (and any other European supporter who happened to live in the UK, I’m sure I’m not alone) as a single individual have — it’s a possibly unlimited amount of scams that people would be subjected to, as it would be trivial to pass for a company, once their domain is taken over!

As you can see from the title, I think this particular move is also going to hit the European supporters the most. Not just because of those individuals (like me!) who wanted to signal how they feel part of something bigger than their country of birth, but also because I expect a number of UK companies used .eu domain specifically to declare themselves open to European customers — as otherwise, between pricing in Sterling, and a .co.uk domain, it would always feel like buying “foreign goods”. Now those companies, that believed in Europe, find themselves in the weakest of positions.

Speaking of individuals, when I read the news I had a double-take, and had to check the rules for .eu domains again. At first I assumed that something was clearly wrong: I’m a European Union citizen, surely I will be able to keep my domain, no matter where I live! Unfortunately, that’s not the case:

In this first step the Registrant must verify whether it meets the General
Eligibility Criteria, whereby it must be:
(i) an undertaking having its registered office, central administration or
principal place of business within the European Union, Norway, Iceland
or Liechtenstein, or
(ii) an organisation established within the European Union, Norway, Iceland
or Liechtenstein without prejudice to the application of national law, or
(iii) a natural person resident within the European Union, Norway, Iceland or
Liechtenstein.

If you are a European Union citizen, but you don’t want your digital life to ever be held hostage by the Commission or your country’s government playing games with it, do not use a .eu domain. Simple as that. EURid does not care about the well-being of their registrants.

If you’re a European company, do think twice on whether you want to risk that a change in government for the country you’re registered in would lead you to open both yourself, your suppliers and your customers into the a wild west of overtaken domains.

Effectively, what EURid has signalled with this is that they care so little about the technical hurdles of their customers, that I would suggest against ever relying on a .eu domain for anyone at all. Register it as a defense against scammers, but don’t do business on it, as it’s less stable than certain microstate domains, or even the more trendy and modern gTLDs.

I’ll call this a self-goal. I still trust the European Union, and the Commission, to have the interests of the many in their mind. But the way they tried to apply a legislative domain to the .eu TLD was brittle at best to begin with, and now there’s no way out of here that does not ruin someone’s day, and erode the trust in that very same domain.

It’s also important to note that most of the bigger companies, those that I hear a lot of European politicians complain about, would have no problem with something like this: just create a fully-own subsidiary somewhere in Europe, say for instance Slovakia, and have it hold onto the domain. And have it just forward onto a gTLD to do business on, so you don’t even give the impression of counting on that layer of legislative trust.

Given the scary damage that would be caused by losing control over my email address of ten years, I’m honestly considering looking for a similar loophole. The cost of establishing an LLC in another country, firmly within EU boundaries, is not pocket money, but it’s still chump change compared to the amount of damage (financial, reputation, relationships, etc) that it would be a good investment.

UK Banking, Attempt 3: Tesco Bank (and the Irish credit card)

It feels like most of what I end up writing nowadays is my misadventures across a wide range of financial service companies. But here we go (I promise I’ll go back writing about reverse engineering Really Soon Now™).

The last post on this topic was my rant, about how Fineco lacks some basic tools to be used as sole, or primary bank account in the UK. Hopefully they will address this soon, and a sane bank will be available in this country, but for now I had to find alternatives.

Since the various Fintech companies also don’t provide the features I needed, I found myself having to find a “high street bank”. And since my experience up to this point both with Barclays and NatWest was not particularly positive, I decided to look for a different option. Since I have been a mostly-happy customer of Tesco Bank for nearly four years, I decided to give their UK service a try.

At first it appeared to have an online sign-up flow that looked sweet for this kind of problem… except at the end of it, they told me to wait for them to ask me for paperwork to send them through. Turns out the request was for proof of identity (which needs to be certified) and proof of address (which needs to be in original) — the letter and form I could swear is the same that they sent me when I applied for the Irish credit card, except the information is now correct (in Ireland, the Garda will not certify a passport copy, though it appears the UK police forces would).

Let’s ignore the fact that by mailing me at that address, Tesco Bank provided their own proof of address, and let’s focus instead on the fact that they do not accept online print outs, despite almost every service (and, as I found out now, themselves) defaulting to paperless bills and statements. I actually have had a number of bills being mailed to me, including from Hounslow Council, so I have a wide range of choices of what to provide them, but as it turns out, I like a challenge and having some fun with corner cases (particularly as I already solved the immediate need for a bank account by the time I looked into this, but that’s a story for another day).

Here is a part of the story I have not told yet. When I moved to the UK I expected to have to close every account I had still in Ireland, both because Ulster Bank Private is a bloody expensive service, and because at least in Italy I was told I was not entitled to keep credit cards open after I left the country. So as soon as I was in working order over here, I switched over all the billings to Revolut. Unfortunately I couldn’t do that for at least three services (Online.net, Vodafone Italy and Wind/3 Italy) — in two cases because they insist they do not accept anything but Italian cards, while somehow still accepting Tesco Ireland cards.

While trying to figure out an ad-interim solution I got to find out that Tesco Bank has no problem with me still having the “Irish” credit card, and they even allowed me to change the address (and phone number) on file to my new London one. We had some snag regarding the SEPA direct debit, but once I pointed out that they were suggesting breaching the SEPA directives, all was good and indeed the card is debited to the EUR Fineco account.

This also means i get that card’s statements to my London address. So of course I ended up sending, to Tesco Bank, as proof of address… a Tesco Bank Ireland credit card statement. As a way of saying “Do you feel silly enough, now?” to whoever had to manually verify my address and send the paperwork back to me. Turns out it worked just fine, and I got not even a passive aggressive note about it.

Now let’s put aside the registration and let’s take a look at the services provided. Because if I have to rant, I would like at least to rant with some information to others to make up their own mind.

First off, as I said, the first part of the registration is online, after which they get in touch with you to send them the proofs they need. It’s very nice that during the whole time, they “keep in touch” by SMS: they remind you to send the paperwork back, they tell you that the account was open before you receive the snail mail, and so on.

I got a lot of correspondence from Tesco Bank: in addition to the request of proofs, and the proofs being mailed back, I received a notification about the account being opened, the debit card PIN, and a “temporary access number” to sign up online. The debit card arrived separately and through a signature-required delivery. This is a first for me in the UK, as most other cards just got sent through normal mail — except for Fineco, as they used Fedex, and they let me receive it directly at the office, despite it not being the proof of address I sent them.

Once signing up for the online banking, they ask you for an 8-digits security code, a long(er) password, and a selection of verbal question/answers, that are the usual terrible security (so as usual I’ve answered them at random and noted down what I told them the answers were). They allow you to choose your username, but they suggest it to stay the email address on file.

The login for the first time from a different computer is extremely awkward: it starts with two digits of the security code, followed by a SMS second factor authentication, followed by the password (not a subset thereof, so you can use a password manager easily for this one), all through different forms. The same happens for the Mobile Banking application (which is at least linked directly from their website, and very easy to install). The mobile banking login appears to work fairly reliably (and you’ll see on the next post why I call this out explicitly).

I set up the rent standing order on this account, and it was a straightforward and painless process, which is the same as a one-time transaction, except for saying “I want to repeat this every month” checkbox. All in all, it looks to me like it’s a saner UI than Barclays, and proper enough for the needs I have. I will report back if there is anything particularly different from this that I find over time, of course.